git.saurik.com Git - apple/javascriptcore.git - ChangeLog-2014-10-07
JavaScriptCore-7601.1.46.3.tar.gz

2014-10-07  Oliver Hunt  <oliver@apple.com>

        Remove op_new_captured_func
        https://bugs.webkit.org/show_bug.cgi?id=137491

        Reviewed by Mark Lam.

        Removes the op_captured_new_func opcode as part of the work
        towards having any magical opcodes that write directly to
        named "registers" and then have a follow on op to ensure that
        the environment record correctly represents the stack state.

        For this we add a non-captured scratch register so we don't
        have to have any kind of magic opcode, and instead simply
        have sensible creation and move semantics for capturing new
        functions.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_captured_func): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:

2014-10-06  Andy Estes  <aestes@apple.com>

        Objective-C objects must be fully defined when used in a WTF::Vector
        https://bugs.webkit.org/show_bug.cgi?id=137479

        Reviewed by Mark Rowe.

        When compiling an Objective-C++ file under ARC, @class types are considered non-trivially destructible, so
        Vector needs to see their definition in order to call their destructor.

        See <http://clang.llvm.org/docs/AutomaticReferenceCounting.html#ownership-qualified-fields-of-structs-and-unions> for details.

        * API/ObjcRuntimeExtras.h: Imported <objc/Protocol.h>.

2014-10-06  Brent Fulgham  <bfulgham@apple.com>

        [Win] Use of 1-bit Enum type behaves improperly
        https://bugs.webkit.org/show_bug.cgi?id=137471
        <rdar://problem/18559172>

        Reviewed by Mark Lam.

        Represent 1-bit enum element as 'unsigned', as we have done elsewhere
        in WebKit to avoid problems when building with MSVC.

        * debugger/Debugger.h:

2014-10-06  Mark Lam  <mark.lam@apple.com>

        Fixed compiler warnings on Windows build.
        <https://webkit.org/b/135205>

        Reviewed by Geoffrey Garen.

        Benchmarking with jsc shows that perf is neutral with this change.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
        (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
        (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        Remove incorrect assertion.

        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        Fix cloop build

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):

2014-10-06  Mark Lam  <mark.lam@apple.com>

        Unreviewed build fix.
        <https://webkit.org/b/137279>

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html
        https://bugs.webkit.org/show_bug.cgi?id=137404

        Reviewed by Michael Saboff.

        Update the Arguments object to recognise that it must always have an
        environment record if the referenced callee has one, and if such is not
        present it should not try to extract one from the callframe, as that
        path leads to madness.

        Happily this makes some of the other code more sensible, and removes a
        bunch of unnecessary and icky logic.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation): Deleted.
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):

2014-10-04  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed, rolling out r174319.

        Causes assertions in fast/profiler tests. Needs nontrivial
        investigation, will take offline.

        Reverted changeset:

        "Web Inspector: timelines should not count time elapsed while
        paused in the debugger"
        https://bugs.webkit.org/show_bug.cgi?id=136351
        http://trac.webkit.org/changeset/174319

2014-10-04  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: timelines should not count time elapsed while paused in the debugger
        https://bugs.webkit.org/show_bug.cgi?id=136351

        Reviewed by Timothy Hatcher.

        Now that we have a stopwatch to provide pause-aware timing data, we can remove the
        profiler's handling of debugger pause/continue callbacks. The timeline agent accounts
        for debugger pauses by pausing and resuming the stopwatch.

        * API/JSProfilerPrivate.cpp:
        (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::profiler): Use nullptr.
        (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator.
        (JSC::LegacyProfiler::stopProfiling): Use nullptr.
        (JSC::LegacyProfiler::didPause): Deleted.
        (JSC::LegacyProfiler::didContinue): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the
        timestamp member that was used to track time elapsed by the debugger. Just use the
        stopwatch's elapsed times to generate start/elapsed times for function calls.
        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileGenerator.h:

2014-10-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.

        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.

        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.

        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.

        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.

        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.

        It also has downsides. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.

        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.

        Relanding after fixing internal builds. We have to be careful about implicit casts from int64
        to int32.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

2014-10-03  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope
        https://bugs.webkit.org/show_bug.cgi?id=137412

        Reviewed by Mark Lam.

        Added support for the JSNameScope::type opcode parameter in dumpBytecode().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Implement op_profile_type in the 32-bit baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=137181

        Reviewed by Michael Saboff.

        Generate inline code to write to the TypeProfilerLog inside the 32-bit
        baseline JIT instead of unconditionally bailing out to the slow path
        for op_profile_type.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):

2014-10-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r174275.
        https://bugs.webkit.org/show_bug.cgi?id=137408

        Build failures on the internal bots. (Requested by dethbakin
        on #webkit).

        Reverted changeset:

        "FTL should sink PutLocals"
        https://bugs.webkit.org/show_bug.cgi?id=137168
        http://trac.webkit.org/changeset/174275

2014-10-03  Oliver Hunt  <oliver@apple.com>

        tearoff_arguments should always refer to the unmodified arguments register
        https://bugs.webkit.org/show_bug.cgi?id=137406

        Reviewed by Michael Saboff.

        To simplify subsequent work, and remove unnecessary work from
        actual execution this patch simply ensures that tear_off_arguments
        refers to the actual unmodified arguments register.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=137295

        Reviewed by Timothy Hatcher.

        Remove unnecessary functions and properties from JSC that are
        now being computed inside the Web Inspector.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames): Deleted.
        * runtime/TypeSet.h:

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.

        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.

        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.

        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.

        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.

        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.

        It also has downsides. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.

        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

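Added example (editor's illustration; not part of this ChangeLog and not code from JavaScriptCore) of the language behaviour the two "FTL should sink PutLocals" entries above have to preserve: in sloppy mode, any code a function calls can read that function's argument list through fn.arguments, so an engine that inlines the function must still spill its arguments to a well-known place unless it can prove nothing reachable performs that lookup. Strict-mode functions refuse the lookup with a TypeError, which is one reason hardened code and ES modules are strict: fn.arguments and arguments.callee leak call state to every callee. The names outer, inner and strictOuter and the inputs 1, 'two' and 42 are made up for the example; it runs under Node.js.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// The sloppy-mode pair is built with the Function constructor so it stays in
// sloppy mode even if this file is loaded as a (strict) ES module.
const outer = new Function(`
  function inner() {
    // Reads the argument list of the currently executing activation of outer.
    // An engine that inlined outer into its caller can only answer this if
    // outer's arguments were actually stored somewhere (the PutLocals).
    return Array.prototype.slice.call(outer.arguments);
  }
  function outer(a, b) {
    return inner();          // outer never touches a or b itself
  }
  return outer;
`)();

// A strict-mode function refuses the same introspection: reading the
// 'arguments' property of a strict function throws a TypeError.
function strictOuter(a) {
  'use strict';
  return strictOuter.arguments;
}

// Returns the caller's arguments as seen by the callee: [1, 'two'].
function snapshotCallerArguments() {
  return outer(1, 'two');
}

// Returns true when the strict-mode lookup is rejected with a TypeError.
function strictArgumentsThrows() {
  try {
    strictOuter(42);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The point for the optimizer is that the only thing distinguishing outer from a function whose arguments could be dropped after inlining is whether anything it transitively calls performs a lookup like the one in inner; that is the "side effect that could transitively lead to function.arguments" the entry refers to.
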
2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Change how 32-bit JSValues check if they are a Boolean

        Rubber stamped by Filip Pizlo.

        32-bit JSValue::isBoolean can simply check if its tag corresponds
        to the boolean tag instead of checking if it's either true or false.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isBoolean):

2014-10-01  Oliver Hunt  <oliver@apple.com>

        Do all closed variable access through the local lexical object
        https://bugs.webkit.org/show_bug.cgi?id=136869

        Reviewed by Filip Pizlo.

        This patch makes all reads and writes from captured registers
        go through the lexical record, and by doing so removes the
        need for record tearoff.

        To keep the patch simple we still number variables as though
        they are local stack allocated registers, but ::local() will
        fail. When local fails we perform a generic resolve, and in
        that resolve we now use a ResolveScopeInfo struct to pass
        around information about whether a lookup is a statically
        known captured variable, and its location in the activation.
        To ensure correct behaviour during codeblock linking we also
        add a LocalClosureVariable resolution type.

        To ensure correct semantics for the Arguments object, we now
        have to eagerly create the Arguments object for any function
        that uses both the Arguments object and requires a lexical
        record.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeCapturedVariable):
        During the entry to a function we are not yet in a position
        to allocate temporaries so we directly use the lexical
        environment register.
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::local):
        (JSC::BytecodeGenerator::constLocal):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitResolveConstantLocal):
        The two resolve scope operations could technically skip
        the op_resolve_scope, and simply perform
        op_mov dst, recordRegister
        but for now it seemed best to maintain the same basic
        behaviour.
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        If we have an environment we've already created Arguments
        so no need to check again.
        (JSC::BytecodeGenerator::emitReturn):
        Don't need to emit tearoff_environment
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Local::Local):
        (JSC::Local::operator bool):
        (JSC::Local::get):
        (JSC::Local::isReadOnly):
        (JSC::Local::isSpecial):
        (JSC::ResolveScopeInfo::ResolveScopeInfo):
        (JSC::ResolveScopeInfo::isLocal):
        (JSC::ResolveScopeInfo::localIndex):
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly):
        (JSC::Local::isCaptured): Deleted.
        (JSC::Local::captureMode): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        (JSC::JIT::emitSlow_op_captured_mov): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::tearOff): Deleted.
        (JSC::JSLexicalEnvironment::isTornOff): Deleted.
        * runtime/JSScope.cpp:
        (JSC::resolveTypeName):
        * runtime/JSScope.h:
        (JSC::makeType):
        (JSC::needsVarInjectionChecks):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier<Unknown>::WriteBarrier):

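Added example (editor's illustration; not part of this ChangeLog and not code from JavaScriptCore) for the Arguments-object point in the "Do all closed variable access through the local lexical object" entry above: in sloppy mode the arguments object is a live alias of the named parameters, so a parameter that is also captured by a closure, and therefore now lives in the lexical environment record rather than in a stack register, has to share storage with arguments[i]. That is why the entry creates Arguments eagerly for any function that both uses arguments and needs a lexical record. Strict mode drops the aliasing, which is the case shown second. The function names sloppyAliasing and strictNoAliasing and the inputs 'orig' and 'changed' are made up for the example; it runs under Node.js.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore.
// Built with the Function constructor so the function stays in sloppy mode
// even if this file is loaded as a (strict) ES module.
const sloppyAliasing = new Function(`
  function f(a) {
    var read = function () { return a; };  // closure captures a: a lives in
                                           // the lexical environment record
    arguments[0] = 'changed';              // sloppy mode: writes through to a
    return [a, read(), arguments[0]];      // all three views must agree
  }
  return f;
`)();

// Same shape in strict mode: arguments is a snapshot, not an alias, so the
// captured parameter keeps its original value while arguments[0] changes.
function strictNoAliasing(a) {
  'use strict';
  var read = function () { return a; };
  arguments[0] = 'changed';
  return [a, read(), arguments[0]];
}

// Expected: sloppy -> ['changed', 'changed', 'changed'],
//           strict -> ['orig', 'orig', 'changed'].
function aliasingDemo() {
  return {
    sloppy: sloppyAliasing('orig'),
    strict: strictNoAliasing('orig'),
  };
}
```

The sloppy result is what an engine has to reproduce even after it has moved the captured parameter out of the register file and into the environment record; the strict result is what it gets to assume once the aliasing is gone.
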
6512014-10-02 Filip Pizlo <fpizlo@apple.com>
652
653 Object allocation sinking should have a sound story for picking materialization points
654 https://bugs.webkit.org/show_bug.cgi?id=137315
655
656 Reviewed by Oliver Hunt.
657
658 The only missing piece was having the object allocation sinking phase locate materialization
659 points that were at CFG edges.
660
661 The logic for how and why this "just works" relies on some properties of critical edge
662 breaking, so I was fairly careful in how I did this. Also, this requires inserting things at
663 the "first origin node" of a block - that is the first node in a block that has a NodeOrigin
664 and therefore is allowed to exit. We basically had support for such a notion before, but
665 didn't close the loop on it; this patch does that.
666
667 Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT().
668
669 * dfg/DFGBasicBlock.cpp:
670 (JSC::DFG::BasicBlock::firstOriginNode):
671 (JSC::DFG::BasicBlock::firstOrigin):
672 * dfg/DFGBasicBlock.h:
673 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
674 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
675 * dfg/DFGGraph.cpp:
676 (JSC::DFG::crash):
677 (JSC::DFG::Graph::handleAssertionFailure):
678 * dfg/DFGGraph.h:
679 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
680 (JSC::DFG::createPreHeader):
681 * dfg/DFGNodeOrigin.h:
682 (JSC::DFG::NodeOrigin::isSet):
683 * dfg/DFGObjectAllocationSinkingPhase.cpp:
684 (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
685 (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
686 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
687 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
688 * dfg/DFGValidate.cpp:
689 (JSC::DFG::Validate::validate):
690 * runtime/Options.h:
691
6922014-10-02 Daniel Bates <dabates@apple.com>
693
694 Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
695 https://bugs.webkit.org/show_bug.cgi?id=137277
696
697 Reviewed by Alexey Proskuryakov.
698
699 Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
700 forward declaring XPC functions.
701
702 * inspector/remote/RemoteInspector.mm:
703 * inspector/remote/RemoteInspectorXPCConnection.h:
704 * inspector/remote/RemoteInspectorXPCConnection.mm:
705
7062014-10-01 Anders Carlsson <andersca@apple.com>
707
708 Use variadic templates for jsMakeNontrivialString
709 https://bugs.webkit.org/show_bug.cgi?id=137325
710
711 Reviewed by Sam Weinig.
712
713 * runtime/JSString.h:
714 (JSC::jsNontrivialString):
715 Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.
716
717 * runtime/JSStringBuilder.h:
718 (JSC::jsMakeNontrivialString):
719 Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.
720
7212014-10-02 Mark Lam <mark.lam@apple.com>
722
723 Fixed the Inspector to be able to properly distinguish between scope types.
724 <https://webkit.org/b/137279>
725
726 Reviewed by Geoffrey Garen.
727
728 The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
729 as With Scopes. This patch will fix this.
730
731 * bytecode/BytecodeList.json:
732 * bytecompiler/BytecodeGenerator.cpp:
733 (JSC::BytecodeGenerator::emitPushFunctionNameScope):
734 (JSC::BytecodeGenerator::emitPushCatchScope):
735 - These now passes stores the desired JSNameScope::Type in a bytecode operand.
736 * debugger/DebuggerScope.cpp:
737 (JSC::DebuggerScope::isCatchScope):
738 (JSC::DebuggerScope::isFunctionNameScope):
739 - Added queries to be able to explicitly test if the scope is a CatchScope
740 or FunctionNameScope. The FunctionNameScope is the case where the
741 NameScope is used to capture the function name of a function expression.
742 * debugger/DebuggerScope.h:
743 * inspector/InjectedScriptSource.js:
744 * inspector/JSJavaScriptCallFrame.cpp:
745 (Inspector::JSJavaScriptCallFrame::scopeType):
746 * inspector/JSJavaScriptCallFrame.h:
747 * inspector/JSJavaScriptCallFramePrototype.cpp:
748 (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
749 (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
750 * inspector/protocol/Debugger.json:
751 * jit/CCallHelpers.h:
752 (JSC::CCallHelpers::setupArgumentsWithExecState):
753 * jit/JIT.h:
754 * jit/JITInlines.h:
755 (JSC::JIT::callOperation):
756 * jit/JITOpcodes.cpp:
757 (JSC::JIT::emit_op_push_name_scope):
758 * jit/JITOpcodes32_64.cpp:
759 (JSC::JIT::emit_op_push_name_scope):
760 * jit/JITOperations.cpp:
761 * jit/JITOperations.h:
762 * llint/LLIntSlowPaths.cpp:
763 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
764 * llint/LowLevelInterpreter.asm:
765 * runtime/JSFunction.cpp:
766 (JSC::JSFunction::addNameScopeIfNeeded):
767 * runtime/JSNameScope.h:
768 (JSC::JSNameScope::create):
769 (JSC::JSNameScope::isFunctionNameScope):
770 (JSC::JSNameScope::isCatchScope):
771 (JSC::JSNameScope::JSNameScope):
772 - Now stores the JSNameScope::Type in a field.
773
7742014-10-01 Commit Queue <commit-queue@webkit.org>
775
776 Unreviewed, rolling out r174180, r174183, and r174186.
777 https://bugs.webkit.org/show_bug.cgi?id=137320
778
779 Broke the Mac MountainLion build. Will investigate offline.
780 (Requested by dydz on #webkit).
781
782 Reverted changesets:
783
784 "Clean up: Move XPC forward declarations in JavaScriptCore to
785 WTF SPI wrapper header"
786 https://bugs.webkit.org/show_bug.cgi?id=137277
787 http://trac.webkit.org/changeset/174180
788
789 "Attempt to fix the build after
790 <https://trac.webkit.org/changeset/174180>"
791 https://bugs.webkit.org/show_bug.cgi?id=137277
792 http://trac.webkit.org/changeset/174183
793
794 "Another attempt to fix the Mac build after
795 <https://trac.webkit.org/changeset/174180>"
796 https://bugs.webkit.org/show_bug.cgi?id=137277
797 http://trac.webkit.org/changeset/174186
798
7992014-10-01 Daniel Bates <dabates@apple.com>
800
801 Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
802 https://bugs.webkit.org/show_bug.cgi?id=137277
803
804 Reviewed by Alexey Proskuryakov.
805
806 Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
807 forward declaring XPC functions.
808
809 * inspector/remote/RemoteInspector.mm:
810 * inspector/remote/RemoteInspectorXPCConnection.h:
811 * inspector/remote/RemoteInspectorXPCConnection.mm:
812
8132014-10-01 Brent Fulgham <bfulgham@apple.com>
814
815 [Win] Unreviewed build gardening.
816
817 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
818 folders in Visual Studio.
819
8202014-10-01 Filip Pizlo <fpizlo@apple.com>
821
822 Object allocation sinking is broken for escaping sites in loops
823 https://bugs.webkit.org/show_bug.cgi?id=137310
824
825 Reviewed by Michael Saboff.
826
827 I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
828 the phase for now and landing a test to demonstrate what is going on.
829
830 * dfg/DFGPlan.cpp:
831 (JSC::DFG::Plan::compileInThreadImpl):
832 * runtime/Options.h:
833 * tests/stress/object-escapes-in-loop.js: Added.
834 (foo):
835 (bar):
836
8372014-10-01 Saam Barati <saambarati1@gmail.com>
838
839 Support the type profiler in the DFG
840 https://bugs.webkit.org/show_bug.cgi?id=136712
841
842 Reviewed by Filip Pizlo.
843
844 This patch implements op_profile_type inside the DFG as the node: ProfileType.
845 The DFG will convert the ProfileType node into a Check node in the cases where
846 passing a type check is equivalent to writing to the TypeProfilerLog. This
847 gives the DFG the potential to optimize out multiple ProfileType nodes into
848 a single Check node.
849
850 When the DFG doesn't convert ProfileType into a Check node, it will generate
851 the same inline code as the baseline JIT does for writing an entry to the
852 TypeProfilerLog.
853
854 * dfg/DFGAbstractInterpreterInlines.h:
855 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
856 * dfg/DFGByteCodeParser.cpp:
857 (JSC::DFG::ByteCodeParser::parseBlock):
858 * dfg/DFGCapabilities.cpp:
859 (JSC::DFG::capabilityLevel):
860 * dfg/DFGClobberize.h:
861 (JSC::DFG::clobberize):
862 * dfg/DFGDoesGC.cpp:
863 (JSC::DFG::doesGC):
864 * dfg/DFGDriver.cpp:
865 (JSC::DFG::compileImpl):
866 * dfg/DFGFixupPhase.cpp:
867 (JSC::DFG::FixupPhase::fixupNode):
868 * dfg/DFGNode.h:
869 (JSC::DFG::Node::typeLocation):
870 * dfg/DFGNodeType.h:
871 * dfg/DFGOperations.cpp:
872 * dfg/DFGOperations.h:
873 * dfg/DFGPredictionPropagationPhase.cpp:
874 (JSC::DFG::PredictionPropagationPhase::propagate):
875 * dfg/DFGSafeToExecute.h:
876 (JSC::DFG::safeToExecute):
877 * dfg/DFGSpeculativeJIT.h:
878 (JSC::DFG::SpeculativeJIT::callOperation):
879 * dfg/DFGSpeculativeJIT32_64.cpp:
880 (JSC::DFG::SpeculativeJIT::compile):
881 * dfg/DFGSpeculativeJIT64.cpp:
882 (JSC::DFG::SpeculativeJIT::compile):
883 * runtime/TypeProfiler.cpp:
884 (JSC::TypeProfiler::logTypesForTypeLocation):
885 * runtime/TypeSet.cpp:
886 (JSC::TypeSet::dumpTypes):
887 (JSC::TypeSet::doesTypeConformTo):
888 Make this method public so others can reason about the types a TypeSet has seen.
889 (JSC::TypeSet::seenTypes): Deleted.
890 (JSC::TypeSet::dumpSeenTypes): Deleted.
891 Renamed to dumpTypes so the method seenTypes can be used as a public getter.
892 * runtime/TypeSet.h:
893 (JSC::TypeSet::seenTypes):
894 * tests/typeProfiler/dfg-jit-optimizations.js: Added.
895 (tierUpToDFG):
896 (funcs):
897 (.return):
898
8992014-10-01 Filip Pizlo <fpizlo@apple.com>
900
901 Unreviewed, fix 32-bit.
902
903 * dfg/DFGSpeculativeJIT32_64.cpp:
904 (JSC::DFG::SpeculativeJIT::compile):
905
9062014-09-30 Filip Pizlo <fpizlo@apple.com>
907
908 DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
909 https://bugs.webkit.org/show_bug.cgi?id=137242
910
911 Reviewed by Geoffrey Garen.
912
913 OSR availability has to do with telling you the various ways that you could go about getting
914 the value of a bytecode variable. It can give you two options: node availability means that
915 there is a node in the DFG IR that has the right value, and flush availability tells you
916 that the value was already stored to the stack. The clients of OSR availability would
917 typically prefer flush over node availability.
918
919 Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
920 set both the node and flush availability, MovHint set node availability and cleared flush
921 availability, GetArgument set both, and ZombieHint cleared both.
922
923 A MovHint could be turned into a ZombieHint if its source value was DCEd.
924
925 The fact that each node affected both node and flush availability caused weirdness. For
926 example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
927 variable was still live, because then those parts of the code would forget that they had an
928 availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
929 and so we would forget that a node was in fact available. This kind of "either-or" picking
930 was not only hackish but it led to interesting problems for IR transformation: for example
931 if you tried to do any kind of code motion on SetLocals, you had to be super careful because
932 you might violate the rule that "MovHints must exist for a live local if a flush is
933 unavailable".
934
935 The right thing to do is to have independent nodes for flushing and making nodes available.
936 They shouldn't interact with each other. This patch accomplishes this:
937
938 - PutLocal means that a value is to be stored to the stack. It makes a flush available.
939 - KillLocal means that the value stored to the stack is no longer available for the purposes
940 of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
941 would have been, so you have to fall back on node availability).
942 - MovHint means that a node is available. It has no effect on flush availability.
943 - ZombieHint means that a node is not available. It has no effect on flush availability.
944
945 This means that we will see a lot of KillLocals and MovHints right next to each other. It's
946 a bit verbose, but at least it's precise.
947
948 * dfg/DFGAbstractInterpreterInlines.h:
949 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
950 * dfg/DFGAvailability.h:
951 (JSC::DFG::Availability::setFlush):
952 (JSC::DFG::Availability::setNode):
953 (JSC::DFG::Availability::setNodeUnavailable):
954 * dfg/DFGClobberize.h:
955 (JSC::DFG::clobberize):
956 * dfg/DFGDoesGC.cpp:
957 (JSC::DFG::doesGC):
958 * dfg/DFGFixupPhase.cpp:
959 (JSC::DFG::FixupPhase::fixupNode):
960 * dfg/DFGNode.cpp:
961 (JSC::DFG::Node::hasVariableAccessData):
962 * dfg/DFGNode.h:
963 (JSC::DFG::Node::hasUnlinkedLocal):
964 (JSC::DFG::Node::willHaveCodeGenOrOSR):
965 * dfg/DFGNodeType.h:
966 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
967 (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
968 * dfg/DFGPredictionPropagationPhase.cpp:
969 (JSC::DFG::PredictionPropagationPhase::propagate):
970 * dfg/DFGSSAConversionPhase.cpp:
971 (JSC::DFG::SSAConversionPhase::run):
972 * dfg/DFGSafeToExecute.h:
973 (JSC::DFG::safeToExecute):
974 * dfg/DFGSpeculativeJIT64.cpp:
975 (JSC::DFG::SpeculativeJIT::compile):
976 * dfg/DFGStackLayoutPhase.cpp:
977 (JSC::DFG::StackLayoutPhase::run):
978 * ftl/FTLCapabilities.cpp:
979 (JSC::FTL::canCompile):
980 * ftl/FTLLowerDFGToLLVM.cpp:
981 (JSC::FTL::LowerDFGToLLVM::compileNode):
982 (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
983 (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
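
As an added illustration of the availability rules listed above (not JSC's own code; the names Op, Availability, runOld and runNew are hypothetical), a small C++ model that contrasts the old scheme, where MovHint and ZombieHint also rewrote flush availability, with the new one, where flush and node availability are tracked independently:

```cpp
#include <cassert>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical model (not JSC's Availability class) of how the local-related
// DFG nodes update OSR availability for one bytecode variable each.
enum class Op { SetLocal, MovHint, ZombieHint, PutLocal, KillLocal };

struct Availability {
    bool flush = false;  // the value has already been stored to the stack slot
    int node = -1;       // IR node currently holding the value, -1 = none

    // OSR exit prefers reading the flushed slot over materializing a node.
    std::string source() const {
        if (flush)
            return "flush";
        if (node >= 0)
            return "node#" + std::to_string(node);
        return "unavailable";
    }
};

struct Step {
    Op op;
    int local;  // bytecode variable (virtual register) index
    int node;   // node operand for SetLocal/MovHint; ignored otherwise
};

using State = std::map<int, Availability>;

// Old scheme: every node writes both fields, so a MovHint inserted where a
// SetLocal's variable is still live makes the variable forget its flush.
State runOld(const std::vector<Step>& steps) {
    State state;
    for (const Step& s : steps) {
        Availability& a = state[s.local];
        switch (s.op) {
        case Op::SetLocal:   a.flush = true;  a.node = s.node; break;
        case Op::MovHint:    a.flush = false; a.node = s.node; break;  // forgets the flush
        case Op::ZombieHint: a.flush = false; a.node = -1;     break;
        default: break;  // PutLocal/KillLocal do not exist in the old scheme
        }
    }
    return state;
}

// New scheme: PutLocal/KillLocal own flush availability, MovHint/ZombieHint
// own node availability, and neither pair touches the other's field.
State runNew(const std::vector<Step>& steps) {
    State state;
    for (const Step& s : steps) {
        Availability& a = state[s.local];
        switch (s.op) {
        case Op::PutLocal:   a.flush = true;  break;
        case Op::KillLocal:  a.flush = false; break;
        case Op::MovHint:    a.node = s.node; break;
        case Op::ZombieHint: a.node = -1;     break;
        default: break;  // a SetLocal is expressed as PutLocal + MovHint here
        }
    }
    return state;
}

int main() {
    // Constructed sequence: flush local 0 from node 5, then a MovHint for the
    // same value in a region where the local is still live.
    std::vector<Step> oldSeq = {{Op::SetLocal, 0, 5}, {Op::MovHint, 0, 5}};
    std::vector<Step> newSeq = {{Op::PutLocal, 0, 5}, {Op::MovHint, 0, 5}, {Op::MovHint, 0, 5}};
    std::cout << "old: " << runOld(oldSeq)[0].source() << "\n";  // node#5 (flush forgotten)
    std::cout << "new: " << runNew(newSeq)[0].source() << "\n";  // flush

    // The stack slot goes stale: KillLocal drops the flush, the node still counts.
    std::vector<Step> killSeq = {{Op::PutLocal, 0, 5}, {Op::KillLocal, 0, 0}, {Op::MovHint, 0, 5}};
    std::cout << "after KillLocal: " << runNew(killSeq)[0].source() << "\n";  // node#5

    // The node dies but the flush survives: ZombieHint leaves the flush alone.
    std::vector<Step> zombieSeq = {{Op::PutLocal, 0, 5}, {Op::MovHint, 0, 5}, {Op::ZombieHint, 0, 0}};
    std::cout << "after ZombieHint: " << runNew(zombieSeq)[0].source() << "\n";  // flush
    return 0;
}
```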
984
9852014-10-01 Brent Fulgham <bfulgham@apple.com>
986
987 [Win] 32-bit JavaScriptCore should limit itself to the C loop
988 https://bugs.webkit.org/show_bug.cgi?id=137304
989 <rdar://problem/18375370>
990
991 Reviewed by Michael Saboff.
992
993 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
994 Use the C loop for 32-bit builds.
995
9962014-09-30 Brian J. Burg <burg@cs.washington.edu>
997
998 Web Inspector: ErrorString should be passed by reference
999 https://bugs.webkit.org/show_bug.cgi?id=137257
1000
1001 Reviewed by Joseph Pecoraro.
1002
1003 Pass the leading ErrorString argument by reference, since it is always an out parameter.
1004 Clean up callsites where the error message is written.
1005
1006 * inspector/InjectedScript.cpp:
1007 (Inspector::InjectedScript::evaluate):
1008 (Inspector::InjectedScript::callFunctionOn):
1009 (Inspector::InjectedScript::evaluateOnCallFrame):
1010 (Inspector::InjectedScript::getFunctionDetails):
1011 (Inspector::InjectedScript::getProperties):
1012 (Inspector::InjectedScript::getInternalProperties):
1013 * inspector/InjectedScript.h:
1014 * inspector/InjectedScriptBase.cpp:
1015 (Inspector::InjectedScriptBase::makeEvalCall):
1016 * inspector/InjectedScriptBase.h:
1017 * inspector/agents/InspectorAgent.cpp:
1018 (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
1019 (Inspector::InspectorAgent::enable):
1020 (Inspector::InspectorAgent::disable):
1021 (Inspector::InspectorAgent::initialized):
1022 * inspector/agents/InspectorAgent.h:
1023 * inspector/agents/InspectorConsoleAgent.cpp:
1024 (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
1025 (Inspector::InspectorConsoleAgent::enable):
1026 (Inspector::InspectorConsoleAgent::disable):
1027 (Inspector::InspectorConsoleAgent::clearMessages):
1028 (Inspector::InspectorConsoleAgent::reset):
1029 (Inspector::InspectorConsoleAgent::addMessageToConsole):
1030 * inspector/agents/InspectorConsoleAgent.h:
1031 * inspector/agents/InspectorDebuggerAgent.cpp:
1032 (Inspector::InspectorDebuggerAgent::enable):
1033 (Inspector::InspectorDebuggerAgent::disable):
1034 (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
1035 (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1036 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1037 (Inspector::parseLocation):
1038 (Inspector::InspectorDebuggerAgent::setBreakpoint):
1039 (Inspector::InspectorDebuggerAgent::removeBreakpoint):
1040 (Inspector::InspectorDebuggerAgent::continueToLocation):
1041 (Inspector::InspectorDebuggerAgent::searchInContent):
1042 (Inspector::InspectorDebuggerAgent::getScriptSource):
1043 (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1044 (Inspector::InspectorDebuggerAgent::pause):
1045 (Inspector::InspectorDebuggerAgent::resume):
1046 (Inspector::InspectorDebuggerAgent::stepOver):
1047 (Inspector::InspectorDebuggerAgent::stepInto):
1048 (Inspector::InspectorDebuggerAgent::stepOut):
1049 (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1050 (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1051 (Inspector::InspectorDebuggerAgent::setOverlayMessage):
1052 (Inspector::InspectorDebuggerAgent::didParseSource):
1053 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
1054 (Inspector::InspectorDebuggerAgent::assertPaused):
1055 * inspector/agents/InspectorDebuggerAgent.h:
1056 * inspector/agents/InspectorRuntimeAgent.cpp:
1057 (Inspector::InspectorRuntimeAgent::parse):
1058 (Inspector::InspectorRuntimeAgent::evaluate):
1059 (Inspector::InspectorRuntimeAgent::callFunctionOn):
1060 (Inspector::InspectorRuntimeAgent::getProperties):
1061 (Inspector::InspectorRuntimeAgent::releaseObject):
1062 (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
1063 (Inspector::InspectorRuntimeAgent::run):
1064 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1065 (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
1066 (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
1067 * inspector/agents/InspectorRuntimeAgent.h:
1068 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1069 (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
1070 (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
1071 * inspector/agents/JSGlobalObjectConsoleAgent.h:
1072 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1073 (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1074 * inspector/agents/JSGlobalObjectDebuggerAgent.h:
1075 * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1076 (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1077 * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1078 * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
1079 (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1080 (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1081 * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
1082 (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1083 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
1084 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
1085 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
1086 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
1087
10882014-09-30 Mark Lam <mark.lam@apple.com>
1089
1090 Label some asserts as having security implications.
1091 <https://webkit.org/b/137260>
1092
1093 Reviewed by Filip Pizlo.
1094
1095 * dfg/DFGGraph.cpp:
1096 (JSC::DFG::Graph::handleAssertionFailure):
1097 * runtime/JSCell.h:
1098 (JSC::jsCast):
1099 * runtime/StructureIDTable.h:
1100 (JSC::StructureIDTable::get):
1101
11022014-09-30 Filip Pizlo <fpizlo@apple.com>
1103
1104 REGRESSION (r174025): Invalid cast in JSC::asString
1105 https://bugs.webkit.org/show_bug.cgi?id=137224
1106
1107 Reviewed by Geoffrey Garen.
1108
1109 Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
1110 when we speak of "the value being stored" we are really referring to the right value.
1111
1112 The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
1113 child3. So we were incorrectly removing all barriers from PutClosureVar.
1114
1115 * dfg/DFGFixupPhase.cpp:
1116 (JSC::DFG::FixupPhase::fixupNode):
1117
11182014-09-30 Brian J. Burg <burg@cs.washington.edu>
1119
1120 Web Replay: use static Strings instead of AtomicStrings for replay input type tags
1121 https://bugs.webkit.org/show_bug.cgi?id=137086
1122
1123 Reviewed by Joseph Pecoraro.
1124
1125 This pattern doesn't work when we want to define some inputs in WebKit2.
1126 The ReplayInputTypes class was generated from WebCore inputs only. This
1127 patch moves all input traits to use static local Strings as type tags.
1128
1129 * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
1130 type tags are generated, since all framework targets now generate the same code.
1131
1132 * replay/NondeterministicInput.h:
1133 * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
1134 (Generator.generate_input_trait_implementation):
1135 * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
1136
1137 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
1138 (JSC::InputTraits<Test::SavedMouseButton>::type):
1139 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
1140 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
1141 (JSC::InputTraits<Test::SavedMouseButton>::type):
1142 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
1143 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
1144 (JSC::InputTraits<Test::HandleWheelEvent>::type):
1145 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
1146 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
1147 (JSC::InputTraits<Test::FormCombo>::type):
1148 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
1149 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
1150 (JSC::InputTraits<Test::GetCurrentTime>::type):
1151 (JSC::InputTraits<Test::SetRandomSeed>::type):
1152 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
1153 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
1154 (JSC::InputTraits<Test::ArrayOfThings>::type):
1155 (JSC::InputTraits<Test::SavedHistory>::type):
1156 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
1157 * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
1158 (JSC::InputTraits<Test::ScalarInput1>::type):
1159 (JSC::InputTraits<Test::ScalarInput2>::type):
1160 * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
1161 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
1162 (JSC::InputTraits<Test::ScalarInput>::type):
1163 (JSC::InputTraits<Test::MapInput>::type):
1164 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
1165
11662014-09-30 Daniel Bates <dabates@apple.com>
1167
1168 REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
1169 https://bugs.webkit.org/show_bug.cgi?id=137170
1170 <rdar://problem/18477384>
1171
1172 Reviewed by Geoffrey Garen.
1173
1174 Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
1175 of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
1176
1177 * API/JSBase.h:
1178 * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
1179 * API/JSVirtualMachine.mm: Ditto.
1180 * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
1181 * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
1182 #include directives such that they are sorted in alphabetical order.
1183
11842014-09-30 Oliver Hunt <oliver@apple.com>
1185
1186 Fix C API header
1187 https://bugs.webkit.org/show_bug.cgi?id=137254
1188 <rdar://problem/18487528>
1189
1190 Build fix
1191
1192 Guard extern "C" behind __cplusplus ifdef
1193
1194 * API/JSBase.h:
1195
11962014-09-29 Brian J. Burg <burg@cs.washington.edu>
1197
1198 Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
1199 https://bugs.webkit.org/show_bug.cgi?id=136806
1200
1201 Reviewed by Timothy Hatcher.
1202
1203 It doesn't make sense to show profile nodes for injected scripts when profiling user content.
1204 For now, omit nodes by suspending profiling before and after executing injected scripts.
1205
1206 * profiler/LegacyProfiler.cpp:
1207 (JSC::LegacyProfiler::suspendProfiling): Added.
1208 (JSC::LegacyProfiler::unsuspendProfiling): Added.
1209 * profiler/LegacyProfiler.h:
1210 * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
1211 (JSC::ProfileGenerator::ProfileGenerator):
1212 (JSC::ProfileGenerator::willExecute):
1213 (JSC::ProfileGenerator::didExecute):
1214 * profiler/ProfileGenerator.h:
1215 (JSC::ProfileGenerator::setIsSuspended): Added.
1216
12172014-09-29 Brian J. Burg <burg@cs.washington.edu>
1218
1219 Web Inspector: InspectorValues should use references for out parameters
1220 https://bugs.webkit.org/show_bug.cgi?id=137190
1221
1222 Reviewed by Joseph Pecoraro.
1223
1224 Use references for out parameters in asType() and getType() methods.
1225 Also convert to references in some miscellaneous code where we don't
1226 expect or handle null values.
1227
1228 Remove variants of asObject() and asArray() that return a nullable RefPtr.
1229 Now, client code is forced to use out parameters and check for cast failure.
1230
1231 Iron out control flow in some functions and fix some style issues.
1232
1233 * inspector/InjectedScript.cpp:
1234 (Inspector::InjectedScript::getFunctionDetails):
1235 (Inspector::InjectedScript::wrapObject):
1236 (Inspector::InjectedScript::wrapTable):
1237 * inspector/InjectedScriptBase.cpp:
1238 (Inspector::InjectedScriptBase::makeEvalCall):
1239 * inspector/InjectedScriptManager.cpp:
1240 (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
1241 * inspector/InspectorBackendDispatcher.cpp:
1242 (Inspector::InspectorBackendDispatcher::dispatch):
1243 (Inspector::getPropertyValue):
1244 (Inspector::AsMethodBridges::asInteger):
1245 (Inspector::AsMethodBridges::asDouble):
1246 (Inspector::AsMethodBridges::asString):
1247 (Inspector::AsMethodBridges::asBoolean):
1248 (Inspector::AsMethodBridges::asObject):
1249 (Inspector::AsMethodBridges::asArray):
1250 * inspector/InspectorProtocolTypes.h:
1251 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1252 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1253 * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
1254 (Inspector::InspectorValue::asBoolean):
1255 (Inspector::InspectorValue::asDouble):
1256 (Inspector::InspectorValue::asInteger):
1257 (Inspector::InspectorValue::asString):
1258 (Inspector::InspectorValue::asValue):
1259 (Inspector::InspectorValue::asObject):
1260 (Inspector::InspectorValue::asArray):
1261 (Inspector::InspectorValue::parseJSON):
1262 (Inspector::InspectorValue::toJSONString):
1263 (Inspector::InspectorValue::writeJSON):
1264 (Inspector::InspectorBasicValue::asBoolean):
1265 (Inspector::InspectorBasicValue::asDouble):
1266 (Inspector::InspectorBasicValue::asInteger):
1267 (Inspector::InspectorBasicValue::writeJSON):
1268 (Inspector::InspectorString::asString):
1269 (Inspector::InspectorString::writeJSON):
1270 (Inspector::InspectorObjectBase::asObject):
1271 (Inspector::InspectorObjectBase::openAccessors):
1272 (Inspector::InspectorObjectBase::getBoolean):
1273 (Inspector::InspectorObjectBase::getString):
1274 (Inspector::InspectorObjectBase::getObject):
1275 (Inspector::InspectorObjectBase::getArray):
1276 (Inspector::InspectorObjectBase::writeJSON):
1277 (Inspector::InspectorArrayBase::asArray):
1278 (Inspector::InspectorArrayBase::writeJSON):
1279 * inspector/InspectorValues.h:
1280 * inspector/agents/InspectorDebuggerAgent.cpp:
1281 (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1282 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1283 (Inspector::parseLocation):
1284 (Inspector::InspectorDebuggerAgent::setBreakpoint):
1285 (Inspector::InspectorDebuggerAgent::continueToLocation):
1286 (Inspector::InspectorDebuggerAgent::didParseSource):
1287 * inspector/agents/InspectorRuntimeAgent.cpp:
1288 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1289 * inspector/scripts/codegen/generate_protocol_types_implementation.py:
1290 (ProtocolTypesImplementationGenerator):
1291 (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1292 * inspector/scripts/codegen/generator_templates.py:
1293 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
1294 * replay/EncodedValue.cpp:
1295 (JSC::EncodedValue::asObject):
1296 (JSC::EncodedValue::asArray):
1297 (JSC::EncodedValue::convertTo<bool>):
1298 (JSC::EncodedValue::convertTo<double>):
1299 (JSC::EncodedValue::convertTo<float>):
1300 (JSC::EncodedValue::convertTo<int32_t>):
1301 (JSC::EncodedValue::convertTo<int64_t>):
1302 (JSC::EncodedValue::convertTo<uint32_t>):
1303 (JSC::EncodedValue::convertTo<uint64_t>):
1304 (JSC::EncodedValue::convertTo<String>):
1305
13062014-09-29 Filip Pizlo <fpizlo@apple.com>
1307
1308 DFG HasStructureProperty codegen should use one fewer registers
1309 https://bugs.webkit.org/show_bug.cgi?id=137235
1310
1311 Reviewed by Andreas Kling.
1312
1313 This was an obvious source of inefficiency and it was causing us to run out of registers on
1314 x86-32.
1315
1316 * dfg/DFGSpeculativeJIT32_64.cpp:
1317 (JSC::DFG::SpeculativeJIT::compile):
1318 * dfg/DFGSpeculativeJIT64.cpp:
1319 (JSC::DFG::SpeculativeJIT::compile):
1320
13212014-09-29 Filip Pizlo <fpizlo@apple.com>
1322
1323 Don't use GPRResult unless you're flushing registers and making a runtime function call
1324 https://bugs.webkit.org/show_bug.cgi?id=137234
1325
1326 Rubber stamped by Andreas Kling.
1327
1328 Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
1329 general case.
1330
1331 Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
1332 would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
1333 result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
1334 Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
1335
1336 I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
1337
1338 * dfg/DFGSpeculativeJIT.cpp:
1339 (JSC::DFG::SpeculativeJIT::compileIn):
1340 (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1341 (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1342 (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1343 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1344 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1345 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1346 * dfg/DFGSpeculativeJIT.h:
1347 (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
1348 (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
1349 (JSC::DFG::GPRResult::GPRResult): Deleted.
1350 (JSC::DFG::GPRResult2::GPRResult2): Deleted.
1351 * dfg/DFGSpeculativeJIT32_64.cpp:
1352 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1353 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1354 (JSC::DFG::SpeculativeJIT::emitCall):
1355 (JSC::DFG::SpeculativeJIT::compile):
1356 * dfg/DFGSpeculativeJIT64.cpp:
1357 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1358 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
1359 (JSC::DFG::SpeculativeJIT::emitCall):
1360 (JSC::DFG::SpeculativeJIT::compile):
1361 (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1362
13632014-09-29 Diego Pino Garcia <dpino@igalia.com>
1364
1365 Missing changes from r174049
1366 https://bugs.webkit.org/show_bug.cgi?id=137206
1367
1368 Reviewed by Darin Adler.
1369
1370 * runtime/CommonIdentifiers.h:
1371
13722014-09-28 Diego Pino Garcia <dpino@igalia.com>
1373
1374 Simple ES6 feature: Number constructor extras
1375 https://bugs.webkit.org/show_bug.cgi?id=131707
1376
1377 Reviewed by Darin Adler.
1378
1379 * runtime/CommonIdentifiers.h:
1380 * runtime/NumberConstructor.cpp:
1381 (JSC::NumberConstructor::finishCreation): Set up constants and
1382 functions.
1383 (JSC::numberConstructorFuncIsFinite): Added.
1384 (JSC::numberConstructorFuncIsInteger): Added.
1385 (JSC::numberConstructorFuncIsNaN): Added.
1386 (JSC::numberConstructorFuncIsSafeInteger): Added.
1387 (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
1388 (JSC::numberConstructorNaNValue): Deleted.
1389 (JSC::numberConstructorNegInfinity): Deleted.
1390 (JSC::numberConstructorPosInfinity): Deleted.
1391 (JSC::numberConstructorMaxValue): Deleted.
1392 (JSC::numberConstructorMinValue): Deleted.
1393 * runtime/NumberConstructor.h:
1394
13952014-09-26 Filip Pizlo <fpizlo@apple.com>
1396
1397 Disable function.arguments
1398 https://bugs.webkit.org/show_bug.cgi?id=137167
1399
1400 Rubber stamped by Geoffrey Garen.
1401
1402 Add an option to disable function.arguments. Add a test for disabling it.
1403
1404 Disabling function.arguments means that it returns an Arguments object that claims that
1405 there were zero arguments. All other Arguments functionality still works, so any code
1406 that tries to inspect this object will still think that it is looking at a perfectly
1407 valid Arguments object.
1408
1409 This also makes function.arguments disabled by default. Note that the RJST harness will
1410 enable them by default, to continue to get test coverage for the code that implements
1411 the feature.
1412
1413 We will rip out that code once we're confident that it's really safe to remove this
1414 feature. Only once we rip out that support will we be able to do optimizations to
1415 leverage the lack of this feature. It's important to keep the support code, and the test
1416 infrastructure, in place before we are confident. The logic to keep this working touches
1417 the entire compiler and a large chunk of the runtime, so reimplementing it - or even
1418 merging it back in - would be a nightmare. That's also basically the reason why we want
1419 to rip it out if at all possible. It's a lot of terrible code.
1420
1421 * interpreter/StackVisitor.cpp:
1422 (JSC::StackVisitor::Frame::createArguments):
1423 * runtime/Arguments.h:
1424 (JSC::Arguments::create):
1425 (JSC::Arguments::finishCreation):
1426 * runtime/Options.h:
1427 * tests/stress/disable-function-dot-arguments.js: Added.
1428 (foo):
1429 (bar):
1430
14312014-09-26 Joseph Pecoraro <pecoraro@apple.com>
1432
1433 Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
1434 https://bugs.webkit.org/show_bug.cgi?id=137038
1435
1436 Reviewed by Timothy Hatcher.
1437
1438 Add a new protocol command "Inspector.initialized" that signifies to the backend
1439 when the frontend has sent all its initialization messages to the backend. This
1440 can include information like breakpoints, which we would want to have loaded
1441 before any JavaScript evaluates in the context.
1442
1443 * inspector/protocol/InspectorDomain.json:
1444 New protocol command, Inspector.initialized.
1445
1446 * inspector/agents/InspectorAgent.h:
1447 * inspector/agents/InspectorAgent.cpp:
1448 (Inspector::InspectorAgent::InspectorAgent):
1449 (Inspector::InspectorAgent::initialized):
1450 Tell the InspectorEnvironment (the Controller) the frontend has initialized.
1451
1452 * inspector/InspectorEnvironment.h:
1453 Abstract virtual method to handle frontend initialization. To be
1454 implemented by all of the InspectorControllers.
1455
1456 * inspector/JSGlobalObjectInspectorController.h:
1457 * inspector/JSGlobalObjectInspectorController.cpp:
1458 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1459 (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1460 (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1461 (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
1462 When a frontend is initialized, if it was automatic inspection, unpause the debuggable.
1463
1464 * inspector/remote/RemoteInspectorDebuggable.cpp:
1465 (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
1466 Complete setup for this debuggable.
1467
1468 * inspector/remote/RemoteInspectorDebuggable.h:
1469 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1470 (Inspector::RemoteInspectorDebuggableConnection::setup):
1471 Move the setup complete to later, when the frontend sends an "initialized" message.
1472
1473 * inspector/remote/RemoteInspector.h:
1474 * inspector/remote/RemoteInspector.mm:
1475 (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1476 Provide a longer timeout now that the frontend must send messages after the connection
1477 has established. The longest I have seen is 600ms, but the average tends to be 200ms.
1478 So bump the timeout to 800ms for a buffer.
1479
1480 (Inspector::RemoteInspector::setupSucceeded): Deleted.
1481 (Inspector::RemoteInspector::setupCompleted):
1482 Rename, as this happens at a slightly different time.
1483
14842014-09-26 Filip Pizlo <fpizlo@apple.com>
1485
1486 DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
1487 https://bugs.webkit.org/show_bug.cgi?id=137161
1488
1489 Reviewed by Mark Hahnenberg.
1490
1491 This looks like a 1% Octane speed-up.
1492
1493 * bytecode/SpeculatedType.h:
1494 (JSC::isNotCellSpeculation):
1495 * dfg/DFGFixupPhase.cpp:
1496 (JSC::DFG::FixupPhase::fixupNode):
1497 (JSC::DFG::FixupPhase::insertStoreBarrier):
1498 (JSC::DFG::FixupPhase::insertCheck):
1499 * dfg/DFGNode.h:
1500 (JSC::DFG::Node::shouldSpeculateNotCell):
1501
15022014-09-26 Peter Varga <pvarga@webkit.org>
1503
1504 Fix typo in YARR at BOL check
1505 https://bugs.webkit.org/show_bug.cgi?id=137144
1506
1507 Reviewed by Darin Adler.
1508
1509 * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
1510 (JSC::Yarr::YarrPatternConstructor::assertionBOL):
1511
15122014-09-25 Saam Barati <saambarati1@gmail.com>
1513
1514 Web Inspector: console.assert(bitString) TypeSet:50
1515 https://bugs.webkit.org/show_bug.cgi?id=137051
1516
1517 Reviewed by Joseph Pecoraro.
1518
1519 This patch creates stricter requirements on a TypeDescription
1520 being valid. To be valid, a TypeDescription now ensures that
1521 the TypeSet it describes has non-null type information.
1522
1523 * inspector/agents/InspectorRuntimeAgent.cpp:
1524 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1525 * runtime/TypeSet.h:
1526 (JSC::TypeSet::isEmpty):
1527
15282014-09-25 Filip Pizlo <fpizlo@apple.com>
1529
1530 FTL should sink object allocations
1531 https://bugs.webkit.org/show_bug.cgi?id=136330
1532
1533 Reviewed by Oliver Hunt.
1534
1535 This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
1536 ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
1537 eliminate it completely. The way sinking reasons about the CFG means that it resembles a
1538 partial escape analysis: we create paths through a function where some allocation(s) don't
1539 have to be done at all even if there are other paths along which those allocations still have
1540 to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
1541 along any path, the act of sinking reduces the number of barriers that have to execute.
1542
1543 Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
1544 sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
1545 successors; and to add more functor goodness to allow for more lambdas.
1546
1547 This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
1548 is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
1549 benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
1550 That's just an omission and there are likely others; we can easily fix them. I think it's
1551 best to land it in its current form and then to worry about the big benchmarks in subsequent
1552 work (see bug 137126).
1553
1554 * CMakeLists.txt:
1555 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1556 * JavaScriptCore.xcodeproj/project.pbxproj:
1557 * bytecode/StructureSet.h:
1558 (JSC::StructureSet::iterator::iterator):
1559 (JSC::StructureSet::iterator::operator*):
1560 (JSC::StructureSet::iterator::operator++):
1561 (JSC::StructureSet::iterator::operator==):
1562 (JSC::StructureSet::iterator::operator!=):
1563 (JSC::StructureSet::begin):
1564 (JSC::StructureSet::end):
1565 * dfg/DFGAbstractInterpreter.h:
1566 (JSC::DFG::AbstractInterpreter::phiChildren):
1567 * dfg/DFGAbstractInterpreterInlines.h:
1568 (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
1569 (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
1570 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1571 (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1572 * dfg/DFGAvailability.h:
1573 (JSC::DFG::Availability::shouldUseNode):
1574 (JSC::DFG::Availability::isFlushUseful):
1575 (JSC::DFG::Availability::isDead):
1576 (JSC::DFG::Availability::operator!=):
1577 * dfg/DFGAvailabilityMap.cpp: Added.
1578 (JSC::DFG::AvailabilityMap::prune):
1579 (JSC::DFG::AvailabilityMap::clear):
1580 (JSC::DFG::AvailabilityMap::dump):
1581 (JSC::DFG::AvailabilityMap::operator==):
1582 (JSC::DFG::AvailabilityMap::merge):
1583 * dfg/DFGAvailabilityMap.h: Added.
1584 (JSC::DFG::AvailabilityMap::forEachAvailability):
1585 * dfg/DFGBasicBlock.cpp:
1586 (JSC::DFG::BasicBlock::SSAData::SSAData):
1587 * dfg/DFGBasicBlock.h:
1588 (JSC::DFG::BasicBlock::begin):
1589 (JSC::DFG::BasicBlock::end):
1590 (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
1591 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
1592 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
1593 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
1594 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
1595 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
1596 (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
1597 (JSC::DFG::BasicBlock::SuccessorsIterable::end):
1598 (JSC::DFG::BasicBlock::successors):
1599 * dfg/DFGClobberize.h:
1600 (JSC::DFG::clobberize):
1601 * dfg/DFGConstantFoldingPhase.cpp:
1602 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1603 * dfg/DFGDoesGC.cpp:
1604 (JSC::DFG::doesGC):
1605 * dfg/DFGFixupPhase.cpp:
1606 (JSC::DFG::FixupPhase::fixupNode):
1607 * dfg/DFGFlushedAt.cpp:
1608 (JSC::DFG::FlushedAt::dump):
1609 * dfg/DFGFlushedAt.h:
1610 (JSC::DFG::FlushedAt::FlushedAt):
1611 * dfg/DFGGraph.cpp:
1612 (JSC::DFG::Graph::dump):
1613 (JSC::DFG::Graph::dumpBlockHeader):
1614 (JSC::DFG::Graph::mergeRelevantToOSR):
1615 (JSC::DFG::Graph::invalidateCFG):
1616 * dfg/DFGGraph.h:
1617 (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
1618 (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
1619 (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
1620 (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
1621 (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
1622 (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
1623 (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
1624 (JSC::DFG::Graph::NaturalBlockIterable::begin):
1625 (JSC::DFG::Graph::NaturalBlockIterable::end):
1626 (JSC::DFG::Graph::blocksInNaturalOrder):
1627 (JSC::DFG::Graph::doToChildrenWithNode):
1628 (JSC::DFG::Graph::doToChildren):
1629 * dfg/DFGHeapLocation.cpp:
1630 (WTF::printInternal):
1631 * dfg/DFGHeapLocation.h:
1632 * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
1633 (JSC::DFG::insertOSRHintsForUpdate):
1634 * dfg/DFGInsertOSRHintsForUpdate.h: Added.
1635 * dfg/DFGInsertionSet.h:
1636 (JSC::DFG::InsertionSet::graph):
1637 * dfg/DFGMayExit.cpp:
1638 (JSC::DFG::mayExit):
1639 * dfg/DFGNode.h:
1640 (JSC::DFG::Node::convertToPutByOffsetHint):
1641 (JSC::DFG::Node::convertToPutStructureHint):
1642 (JSC::DFG::Node::convertToPhantomNewObject):
1643 (JSC::DFG::Node::isCellConstant):
1644 (JSC::DFG::Node::castConstant):
1645 (JSC::DFG::Node::hasIdentifier):
1646 (JSC::DFG::Node::hasStorageAccessData):
1647 (JSC::DFG::Node::hasObjectMaterializationData):
1648 (JSC::DFG::Node::objectMaterializationData):
1649 (JSC::DFG::Node::isPhantomObjectAllocation):
1650 * dfg/DFGNodeType.h:
1651 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
1652 (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1653 (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
1654 (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
1655 * dfg/DFGOSRAvailabilityAnalysisPhase.h:
1656 * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
1657 (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
1658 (JSC::DFG::ObjectAllocationSinkingPhase::run):
1659 (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
1660 (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
1661 (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
1662 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
1663 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
1664 (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
1665 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
1666 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
1667 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
1668 (JSC::DFG::performObjectAllocationSinking):
1669 * dfg/DFGObjectAllocationSinkingPhase.h: Added.
1670 * dfg/DFGObjectMaterializationData.cpp: Added.
1671 (JSC::DFG::PhantomPropertyValue::dump):
1672 (JSC::DFG::ObjectMaterializationData::dump):
1673 (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
1674 (JSC::DFG::ObjectMaterializationData::similarityScore):
1675 * dfg/DFGObjectMaterializationData.h: Added.
1676 (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
1677 (JSC::DFG::PhantomPropertyValue::operator==):
1678 * dfg/DFGPhantomCanonicalizationPhase.cpp:
1679 (JSC::DFG::PhantomCanonicalizationPhase::run):
1680 * dfg/DFGPhantomRemovalPhase.cpp:
1681 (JSC::DFG::PhantomRemovalPhase::run):
1682 * dfg/DFGPhiChildren.cpp: Added.
1683 (JSC::DFG::PhiChildren::PhiChildren):
1684 (JSC::DFG::PhiChildren::~PhiChildren):
1685 (JSC::DFG::PhiChildren::upsilonsOf):
1686 * dfg/DFGPhiChildren.h: Added.
1687 (JSC::DFG::PhiChildren::forAllIncomingValues):
1688 (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
1689 * dfg/DFGPlan.cpp:
1690 (JSC::DFG::Plan::compileInThreadImpl):
1691 * dfg/DFGPrePostNumbering.cpp: Added.
1692 (JSC::DFG::PrePostNumbering::PrePostNumbering):
1693 (JSC::DFG::PrePostNumbering::~PrePostNumbering):
1694 (JSC::DFG::PrePostNumbering::compute):
1695 (WTF::printInternal):
1696 * dfg/DFGPrePostNumbering.h: Added.
1697 (JSC::DFG::PrePostNumbering::preNumber):
1698 (JSC::DFG::PrePostNumbering::postNumber):
1699 (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
1700 (JSC::DFG::PrePostNumbering::isAncestorOf):
1701 (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
1702 (JSC::DFG::PrePostNumbering::isDescendantOf):
1703 (JSC::DFG::PrePostNumbering::edgeKind):
1704 * dfg/DFGPredictionPropagationPhase.cpp:
1705 (JSC::DFG::PredictionPropagationPhase::propagate):
1706 * dfg/DFGPromoteHeapAccess.h: Added.
1707 (JSC::DFG::promoteHeapAccess):
1708 * dfg/DFGPromotedHeapLocation.cpp: Added.
1709 (JSC::DFG::PromotedLocationDescriptor::dump):
1710 (JSC::DFG::PromotedHeapLocation::createHint):
1711 (JSC::DFG::PromotedHeapLocation::dump):
1712 (WTF::printInternal):
1713 * dfg/DFGPromotedHeapLocation.h: Added.
1714 (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
1715 (JSC::DFG::PromotedLocationDescriptor::operator!):
1716 (JSC::DFG::PromotedLocationDescriptor::kind):
1717 (JSC::DFG::PromotedLocationDescriptor::info):
1718 (JSC::DFG::PromotedLocationDescriptor::hash):
1719 (JSC::DFG::PromotedLocationDescriptor::operator==):
1720 (JSC::DFG::PromotedLocationDescriptor::operator!=):
1721 (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
1722 (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
1723 (JSC::DFG::PromotedHeapLocation::operator!):
1724 (JSC::DFG::PromotedHeapLocation::kind):
1725 (JSC::DFG::PromotedHeapLocation::base):
1726 (JSC::DFG::PromotedHeapLocation::info):
1727 (JSC::DFG::PromotedHeapLocation::descriptor):
1728 (JSC::DFG::PromotedHeapLocation::hash):
1729 (JSC::DFG::PromotedHeapLocation::operator==):
1730 (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
1731 (JSC::DFG::PromotedHeapLocationHash::hash):
1732 (JSC::DFG::PromotedHeapLocationHash::equal):
1733 * dfg/DFGSSACalculator.cpp:
1734 (JSC::DFG::SSACalculator::reset):
1735 * dfg/DFGSSACalculator.h:
1736 * dfg/DFGSafeToExecute.h:
1737 (JSC::DFG::safeToExecute):
1738 * dfg/DFGSpeculativeJIT.cpp:
1739 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1740 * dfg/DFGSpeculativeJIT32_64.cpp:
1741 (JSC::DFG::SpeculativeJIT::compile):
1742 * dfg/DFGSpeculativeJIT64.cpp:
1743 (JSC::DFG::SpeculativeJIT::compile):
1744 * dfg/DFGStructureRegistrationPhase.cpp:
1745 (JSC::DFG::StructureRegistrationPhase::run):
1746 * dfg/DFGValidate.cpp:
1747 (JSC::DFG::Validate::validate):
1748 * ftl/FTLCapabilities.cpp:
1749 (JSC::FTL::canCompile):
1750 * ftl/FTLExitPropertyValue.cpp: Added.
1751 (JSC::FTL::ExitPropertyValue::dump):
1752 * ftl/FTLExitPropertyValue.h: Added.
1753 (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
1754 (JSC::FTL::ExitPropertyValue::operator!):
1755 (JSC::FTL::ExitPropertyValue::location):
1756 (JSC::FTL::ExitPropertyValue::value):
1757 * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
1758 (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
1759 (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
1760 (JSC::FTL::ExitTimeObjectMaterialization::add):
1761 (JSC::FTL::ExitTimeObjectMaterialization::get):
1762 (JSC::FTL::ExitTimeObjectMaterialization::dump):
1763 * ftl/FTLExitTimeObjectMaterialization.h: Added.
1764 (JSC::FTL::ExitTimeObjectMaterialization::type):
1765 (JSC::FTL::ExitTimeObjectMaterialization::properties):
1766 * ftl/FTLExitValue.cpp:
1767 (JSC::FTL::ExitValue::materializeNewObject):
1768 (JSC::FTL::ExitValue::dumpInContext):
1769 * ftl/FTLExitValue.h:
1770 (JSC::FTL::ExitValue::isObjectMaterialization):
1771 (JSC::FTL::ExitValue::objectMaterialization):
1772 (JSC::FTL::ExitValue::withVirtualRegister):
1773 (JSC::FTL::ExitValue::valueFormat):
1774 * ftl/FTLLowerDFGToLLVM.cpp:
1775 (JSC::FTL::LowerDFGToLLVM::compileNode):
1776 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
1777 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
1778 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
1779 (JSC::FTL::LowerDFGToLLVM::compileNewObject):
1780 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
1781 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
1782 (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
1783 (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
1784 (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
1785 (JSC::FTL::LowerDFGToLLVM::checkStructure):
1786 (JSC::FTL::LowerDFGToLLVM::allocateCell):
1787 (JSC::FTL::LowerDFGToLLVM::storeStructure):
1788 (JSC::FTL::LowerDFGToLLVM::allocateObject):
1789 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
1790 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1791 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
1792 (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
1793 (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
1794 (JSC::FTL::LowerDFGToLLVM::weakStructureID):
1795 (JSC::FTL::LowerDFGToLLVM::weakStructure):
1796 (JSC::FTL::LowerDFGToLLVM::availabilityMap):
1797 (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
1798 * ftl/FTLOSRExit.h:
1799 * ftl/FTLOSRExitCompiler.cpp:
1800 (JSC::FTL::compileRecovery):
1801 (JSC::FTL::compileStub):
1802 * ftl/FTLOperations.cpp: Added.
1803 (JSC::FTL::operationNewObjectWithButterfly):
1804 (JSC::FTL::operationMaterializeObjectInOSR):
1805 * ftl/FTLOperations.h: Added.
1806 * ftl/FTLSwitchCase.h:
1807 (JSC::FTL::SwitchCase::SwitchCase):
1808 * runtime/JSObject.h:
1809 (JSC::JSObject::finishCreation):
1810 (JSC::JSFinalObject::JSFinalObject):
1811 (JSC::JSFinalObject::create):
1812 * runtime/Structure.cpp:
1813 (JSC::Structure::canUseForAllocationsOf):
1814 * runtime/Structure.h:
1815 * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
1816 (sumOfArithSeries):
1817 (foo):
1818 * tests/stress/elide-new-object-dag-then-exit.js: Added.
1819 (sumOfArithSeries):
1820 (bar):
1821 (verify):
1822 (foo):
1823 * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
1824 (sumOfArithSeries):
1825 (foo):
1826
18272014-09-25 Brian J. Burg <burg@cs.washington.edu>
1828
1829 Web Replay: Check event loop input extents during replaying too
1830 https://bugs.webkit.org/show_bug.cgi?id=136316
1831
1832 Reviewed by Timothy Hatcher.
1833
1834 Sometimes we see different nondeterminism during capture and replay
1835 executions, so we should add determinism checks during replay too.
1836
1837 Move the withinEventLoopInputExtent flag to the base class, and tighten
1838 the assertion to address <http://webkit.org/b/133019>.
1839
1840 * replay/InputCursor.h:
1841 (JSC::InputCursor::InputCursor):
1842 (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
1843 This assertion is slightly wrong because it does not account for nested run loops.
1844 We can be within two input extents when a nested run loop processes additional
1845 user inputs while the debugger is paused.
1846
1847 This should only be the case when execution is being neither captured nor
1848 replayed. The debugger should not pause when capturing, and we should not replay
1849 event loop inputs while in a nested run loop.
1850
1851 (JSC::InputCursor::withinEventLoopInputExtent): Added.
1852
18532014-09-25 Csaba Osztrogonác <ossy@webkit.org>
1854
1855 Remove WinCE port from trunk
1856 https://bugs.webkit.org/show_bug.cgi?id=136951
1857
1858 Reviewed by Alex Christensen.
1859
1860 * assembler/ARMAssembler.h:
1861 (JSC::ARMAssembler::cacheFlush):
1862 * assembler/ARMv7Assembler.h:
1863 (JSC::ARMv7Assembler::cacheFlush):
1864 * config.h:
1865 * heap/MachineStackMarker.cpp:
1866 (JSC::MachineThreads::gatherFromCurrentThread):
1867 (JSC::MachineThreads::gatherFromOtherThread):
1868 (JSC::swapIfBackwards): Deleted.
1869 * jit/ExecutableAllocator.h:
1870 * jsc.cpp:
1871 (main):
1872 * runtime/DateConstructor.cpp:
1873 * runtime/Options.cpp:
1874 (JSC::overrideOptionWithHeuristic):
1875 * runtime/VM.cpp:
1876 (JSC::VM::VM):
1877 * testRegExp.cpp:
1878 (main):
1879 * tools/CodeProfiling.cpp:
1880 (JSC::CodeProfiling::notifyAllocator):
1881
18822014-09-24 Brian J. Burg <burg@cs.washington.edu>
1883
1884 Web Inspector: subtract elapsed time while debugger is paused from profile nodes
1885 https://bugs.webkit.org/show_bug.cgi?id=136796
1886
1887 Reviewed by Timothy Hatcher.
1888
1889 Rather than accruing no time to any profile node created while the debugger is paused,
1890 we can instead count a node's elapsed time and exclude time elapsed while paused.
1891
1892 Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
1893 didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
1894 start of the last such interval that accrues elapsed time.
1895
1896 * profiler/ProfileGenerator.cpp:
1897 (JSC::ProfileGenerator::ProfileGenerator):
1898 (JSC::ProfileGenerator::beginCallEntry):
1899 (JSC::ProfileGenerator::endCallEntry):
1900 (JSC::ProfileGenerator::didPause): Added.
1901 (JSC::ProfileGenerator::didContinue): Added.
1902 * profiler/ProfileGenerator.h:
1903 (JSC::ProfileGenerator::didPause): Deleted.
1904 (JSC::ProfileGenerator::didContinue): Deleted.
1905 * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
1906 (JSC::ProfileNode::Call::Call):
1907 (JSC::ProfileNode::Call::elapsedTime): Added.
1908 (JSC::ProfileNode::Call::setElapsedTime): Added.
1909 (JSC::CalculateProfileSubtreeDataFunctor::operator()):
1910 (JSC::ProfileNode::Call::totalTime): Deleted.
1911 (JSC::ProfileNode::Call::setTotalTime): Deleted.
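
An added C++ model of the accounting described above (hypothetical names; this is not JavaScriptCore's ProfileGenerator code): each open call keeps the start of its current accruing interval, didPause closes that interval for every frame on the stack, and didContinue starts a fresh one, so time spent paused never reaches elapsedTime.

```cpp
#include <cassert>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of a profile call entry: it remembers the start of the
// *current* accruing interval plus the time accrued so far. Pausing closes the
// interval for every open call; continuing opens a new one, so paused wall
// time is excluded from elapsedTime.
struct CallEntry {
    std::string name;
    double startTime;    // start of the last interval that accrues elapsed time
    double elapsedTime;  // time accrued so far, excluding paused intervals
};

class PauseAwareProfile {
public:
    void willExecute(const std::string& name, double now)
    {
        // If we are already paused, didContinue will restart this interval.
        m_stack.push_back({ name, now, 0.0 });
    }

    void didExecute(double now)
    {
        CallEntry entry = m_stack.back();
        m_stack.pop_back();
        if (!m_paused)
            entry.elapsedTime += now - entry.startTime; // close the final interval
        m_totals[entry.name] += entry.elapsedTime;
    }

    void didPause(double now)
    {
        if (m_paused)
            return; // a repeated pause notification must not accrue twice
        m_paused = true;
        for (auto& entry : m_stack)
            entry.elapsedTime += now - entry.startTime; // close the current interval
    }

    void didContinue(double now)
    {
        if (!m_paused)
            return;
        m_paused = false;
        for (auto& entry : m_stack)
            entry.startTime = now; // a new accruing interval begins here
    }

    double elapsedFor(const std::string& name) const
    {
        auto it = m_totals.find(name);
        return it == m_totals.end() ? 0.0 : it->second;
    }

private:
    bool m_paused = false;
    std::vector<CallEntry> m_stack;
    std::map<std::string, double> m_totals;
};

// Constructed timeline (milliseconds): foo calls bar, the debugger pauses for
// 100ms while both frames are on the stack, then both return.
PauseAwareProfile sampleProfile()
{
    PauseAwareProfile profile;
    profile.willExecute("foo", 0);
    profile.willExecute("bar", 10);
    profile.didPause(15);     // foo has accrued 15ms, bar 5ms
    profile.didContinue(115); // 100ms paused: excluded from both
    profile.didExecute(120);  // bar: 5 + 5 = 10ms
    profile.didExecute(130);  // foo: 15 + 15 = 30ms
    return profile;
}

int main()
{
    PauseAwareProfile profile = sampleProfile();
    assert(profile.elapsedFor("foo") == 30.0);
    assert(profile.elapsedFor("bar") == 10.0);
    return 0;
}
```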
1912
19132014-09-24 Commit Queue <commit-queue@webkit.org>
1914
1915 Unreviewed, rolling out r173839.
1916 https://bugs.webkit.org/show_bug.cgi?id=137062
1917
1918 NumberConstruct should no longer use static tables (Requested
1919 by dpino on #webkit).
1920
1921 Reverted changeset:
1922
1923 "Simple ES6 feature: Number constructor extras"
1924 https://bugs.webkit.org/show_bug.cgi?id=131707
1925 http://trac.webkit.org/changeset/173839
1926
19272014-09-23 Mark Lam <mark.lam@apple.com>
1928
1929 DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
1930 <https://webkit.org/b/137045>
1931
1932 Reviewed by Geoffrey Garen.
1933
1934 DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
1935 in the debugger stack, but only invalidates the DebuggerScope chain of the
1936 topmost frame. We should also invalidate all the DebuggerScope chains of
1937 the other frames in the debugger stack.
1938
1939 * debugger/DebuggerCallFrame.cpp:
1940 (JSC::DebuggerCallFrame::invalidate):
1941 * debugger/DebuggerScope.cpp:
1942 (JSC::DebuggerScope::invalidateChain):
1943
19442014-09-23 Mark Lam <mark.lam@apple.com>
1945
1946 Renamed DebuggerCallFrameScope to DebuggerPausedScope.
1947 <https://webkit.org/b/137042>
1948
1949 Reviewed by Michael Saboff.
1950
1951 DebuggerPausedScope is a better name for this data structure because it
1952 is meant for tracking the period within which the debugger is paused,
1953 and doing clean ups after the pause ends.
1954
1955 * debugger/Debugger.cpp:
1956 (JSC::DebuggerPausedScope::DebuggerPausedScope):
1957 (JSC::DebuggerPausedScope::~DebuggerPausedScope):
1958 (JSC::Debugger::pauseIfNeeded):
1959 (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
1960 (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
1961 * debugger/Debugger.h:
1962 * debugger/DebuggerCallFrame.h:
1963
19642014-09-23 Tomas Popela <tpopela@redhat.com>
1965
1966 [CLoop] - Fix CLoop on the 32-bit Big-Endians
1967 https://bugs.webkit.org/show_bug.cgi?id=137020
1968
1969 Reviewed by Mark Lam.
1970
1971 * llint/LowLevelInterpreter.asm:
1972 * llint/LowLevelInterpreter32_64.asm:
1973
19742014-09-23 Joseph Pecoraro <pecoraro@apple.com>
1975
1976 Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
1977 https://bugs.webkit.org/show_bug.cgi?id=136893
1978
1979 Reviewed by Timothy Hatcher.
1980
1981 Adds new remote inspector protocol handling for automatic inspection.
1982 Debuggers can signal they have enabled automatic inspection, and
1983 when debuggables are created the current application will pause to
1984 see if the debugger will inspect or decline to inspect the debuggable.
1985
1986 * inspector/remote/RemoteInspectorConstants.h:
1987 * inspector/remote/RemoteInspector.h:
1988 * inspector/remote/RemoteInspector.mm:
1989 (Inspector::globalAutomaticInspectionState):
1990 (Inspector::RemoteInspector::RemoteInspector):
1991 (Inspector::RemoteInspector::start):
1992 When first starting, check the global "is there an auto-inspect" debugger state.
1993 This is necessary so that the current application knows if it should pause or
1994 not when a debuggable is created, even without having connected to webinspectord yet.
1995
1996 (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
1997 When a debuggable has enabled remote inspection, take this path to propose
1998 it as an automatic inspection candidate if there is an auto-inspect debugger.
1999
2000 (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2001 Send the automatic inspection candidate message.
2002
2003 (Inspector::RemoteInspector::receivedSetupMessage):
2004 (Inspector::RemoteInspector::setupFailed):
2005 (Inspector::RemoteInspector::setupSucceeded):
2006 After attempting to open an inspector, unpause if it was for the
2007 automatic inspection candidate.
2008
2009 (Inspector::RemoteInspector::waitingForAutomaticInspection):
2010 When running a nested runloop, check if we should remain paused.
2011
2012 (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2013 If by the time we connect to webinspectord we have a candidate, then
2014 immediately send the candidate message.
2015
2016 (Inspector::RemoteInspector::stopInternal):
2017 (Inspector::RemoteInspector::xpcConnectionFailed):
2018 In error cases, clear our state.
2019
2020 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2021 (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2022 (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2023 Update state when receiving new messages.
2024
2025
2026 * inspector/remote/RemoteInspectorDebuggable.h:
2027 * inspector/remote/RemoteInspectorDebuggable.cpp:
2028 (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2029 Special case when a debuggable is newly allowed to be debuggable.
2030
2031 (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2032 Run a nested run loop while this is an automatic inspection candidate.
2033
2034 * inspector/JSGlobalObjectInspectorController.h:
2035 * inspector/JSGlobalObjectInspectorController.cpp:
2036 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2037 (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2038 When the inspector starts via automatic inspection automatically pause.
2039 We plan on removing this condition by having the frontend signal to the
2040 backend when it is completely initialized.
2041
2042 * inspector/remote/RemoteInspectorDebuggableConnection.h:
2043 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2044 (Inspector::RemoteInspectorDebuggableConnection::setup):
2045 Pass on the flag of whether or not this was automatic inspection.
2046
2047 * runtime/JSGlobalObjectDebuggable.h:
2048 * runtime/JSGlobalObjectDebuggable.cpp:
2049 (JSC::JSGlobalObjectDebuggable::connect):
2050 (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
2051 When pausing in a JSGlobalObject we need to release the API lock.
2052
20532014-09-22 Filip Pizlo <fpizlo@apple.com>
2054
2055 FTL allocatePropertyStorage code should involve less copy-paste
2056 https://bugs.webkit.org/show_bug.cgi?id=137006
2057
2058 Reviewed by Michael Saboff.
2059
2060 * ftl/FTLLowerDFGToLLVM.cpp:
2061 (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
2062 (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
2063 (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
2064
20652014-09-22 Diego Pino Garcia <dpino@igalia.com>
2066
2067 Simple ES6 feature: Number constructor extras
2068 https://bugs.webkit.org/show_bug.cgi?id=131707
2069
2070 Reviewed by Darin Adler.
2071
2072 * runtime/CommonIdentifiers.h: Added new identifiers.
2073 * runtime/NumberConstructor.cpp:
2074 (JSC::NumberConstructor::getOwnPropertySlot):
2075 (JSC::NumberConstructor::isFunction): Added.
2076 (JSC::numberConstructorEpsilonValue): Added.
2077 (JSC::numberConstructorNegInfinity): Added.
2078 (JSC::numberConstructorPosInfinity): Added.
2079 (JSC::numberConstructorMaxValue): Added.
2080 (JSC::numberConstructorMinValue): Added.
2081 (JSC::numberConstructorMaxSafeInteger): Added.
2082 (JSC::numberConstructorMinSafeInteger): Added.
2083 (JSC::numberConstructorFuncIsFinite): Added.
2084 (JSC::numberConstructorFuncIsInteger): Added.
2085 (JSC::numberConstructorFuncIsNaN): Added.
2086 (JSC::numberConstructorFuncIsSafeInteger): Added.
2087 * runtime/NumberConstructor.h:
2088
20892014-09-21 Filip Pizlo <fpizlo@apple.com>
2090
2091 FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
2092 https://bugs.webkit.org/show_bug.cgi?id=136992
2093
2094 Reviewed by Sam Weinig.
2095
2096 LLVM ought to be able to do this optimization for us given how the code was written, but
2097 any such lower-level attempts to optimize this would get into trouble with the weird
2098 object materialization logic I'll be introducing in bug 136330. So, this brings the
2099 merging of the byte stores into the FTL lowering so that we can control it explicitly.
2100
2101 * ftl/FTLAbstractHeap.h:
2102 (JSC::FTL::AbstractHeap::changeParent):
2103 * ftl/FTLAbstractHeapRepository.cpp:
2104 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
2105 * ftl/FTLAbstractHeapRepository.h:
2106 * ftl/FTLLowerDFGToLLVM.cpp:
2107 (JSC::FTL::LowerDFGToLLVM::allocateCell):
2108
21092014-09-21 Saam Barati <saambarati1@gmail.com>
2110
2111 Web Inspector: fix TypeSet hierarchy in TypeTokenView
2112 https://bugs.webkit.org/show_bug.cgi?id=136982
2113
2114 Reviewed by Joseph Pecoraro.
2115
2116 TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet
2117 object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the
2118 type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see
2119 if type T is in the set of seen types, but not the entire set itself.
2120
2121 * runtime/TypeSet.cpp:
2122 (JSC::TypeSet::inspectorTypeSet):
2123
21242014-09-21 Filip Pizlo <fpizlo@apple.com>
2125
2126 Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
2127 https://bugs.webkit.org/show_bug.cgi?id=136983
2128
2129 Reviewed by Mark Hahnenberg.
2130
2131 * runtime/PropertyMapHashTable.h:
2132 (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
2133 * runtime/Structure.cpp:
2134 (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
2135 (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
2136 (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
2137 * runtime/Structure.h:
2138 (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
2139 * runtime/StructureInlines.h:
2140 (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
2141
21422014-09-21 Filip Pizlo <fpizlo@apple.com>
2143
2144 Structure::getConcurrently() doesn't need to take a VM& argument.
2145
2146 Rubber stamped by Dan Bernstein.
2147
2148 Removed the extra argument, and then removed similar arguments from other methods until
2149 I could build successfully again. It turned out that many methods took a VM& argument
2150 just for calling getConcurrently().
2151
2152 * bytecode/CodeBlock.cpp:
2153 (JSC::dumpStructure):
2154 (JSC::dumpChain):
2155 (JSC::CodeBlock::printGetByIdCacheStatus):
2156 (JSC::CodeBlock::printPutByIdCacheStatus):
2157 * bytecode/ComplexGetStatus.cpp:
2158 (JSC::ComplexGetStatus::computeFor):
2159 * bytecode/GetByIdStatus.cpp:
2160 (JSC::GetByIdStatus::computeFromLLInt):
2161 (JSC::GetByIdStatus::computeForStubInfo):
2162 (JSC::GetByIdStatus::computeFor):
2163 * bytecode/GetByIdStatus.h:
2164 * bytecode/PutByIdStatus.cpp:
2165 (JSC::PutByIdStatus::computeFromLLInt):
2166 (JSC::PutByIdStatus::computeForStubInfo):
2167 (JSC::PutByIdStatus::computeFor):
2168 * bytecode/PutByIdStatus.h:
2169 * dfg/DFGAbstractInterpreterInlines.h:
2170 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2171 * dfg/DFGByteCodeParser.cpp:
2172 (JSC::DFG::ByteCodeParser::parseBlock):
2173 * dfg/DFGConstantFoldingPhase.cpp:
2174 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2175 * dfg/DFGFixupPhase.cpp:
2176 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
2177 * runtime/IntendedStructureChain.cpp:
2178 (JSC::IntendedStructureChain::mayInterceptStoreTo):
2179 * runtime/IntendedStructureChain.h:
2180 * runtime/Structure.cpp:
2181 (JSC::Structure::getConcurrently):
2182 * runtime/Structure.h:
2183 * runtime/StructureInlines.h:
2184 (JSC::Structure::getConcurrently):
2185
21862014-09-20 Filip Pizlo <fpizlo@apple.com>
2187
2188 FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
2189 https://bugs.webkit.org/show_bug.cgi?id=136978
2190
2191 Reviewed by Dean Jackson.
2192
2193 * ftl/FTLLowerDFGToLLVM.cpp:
2194 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2195 (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
2196 (JSC::FTL::LowerDFGToLLVM::exitArgument):
2197 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
2198 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
2199 (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
2200
2201 2014-09-20 Filip Pizlo <fpizlo@apple.com>
2202
2203 FTL OSR exit should do reboxing and value recovery in the same pass
2204 https://bugs.webkit.org/show_bug.cgi?id=136977
2205
2206 Reviewed by Oliver Hunt.
2207
2208 It's conceptually simpler to have all of the logic in one place. After the
2209 recover-and-rebox loop is done, all of the exit values are in the form that the baseline
2210 JIT would want them to be in; the only remaining task is to move them into the right
2211 place on the stack after we do all of the necessary stack adjustments.
2212
2213 * ftl/FTLOSRExitCompiler.cpp:
2214 (JSC::FTL::compileStub):
2215
2216 2014-09-19 Filip Pizlo <fpizlo@apple.com>
2217
2218 StorageAccessData should be referenced in a sensible way
2219 https://bugs.webkit.org/show_bug.cgi?id=136963
2220
2221 Reviewed and rubber stamped by Michael Saboff.
2222
2223 * dfg/DFGAbstractInterpreterInlines.h:
2224 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2225 * dfg/DFGByteCodeParser.cpp:
2226 (JSC::DFG::ByteCodeParser::handleGetByOffset):
2227 (JSC::DFG::ByteCodeParser::handlePutByOffset):
2228 (JSC::DFG::ByteCodeParser::handlePutById):
2229 * dfg/DFGClobberize.h:
2230 (JSC::DFG::clobberize):
2231 * dfg/DFGConstantFoldingPhase.cpp:
2232 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
2233 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
2234 * dfg/DFGGraph.cpp:
2235 (JSC::DFG::Graph::dump):
2236 * dfg/DFGGraph.h:
2237 * dfg/DFGNode.h:
2238 (JSC::DFG::Node::convertToGetByOffset):
2239 (JSC::DFG::Node::convertToPutByOffset):
2240 (JSC::DFG::Node::storageAccessData):
2241 (JSC::DFG::Node::storageAccessDataIndex): Deleted.
2242 * dfg/DFGSafeToExecute.h:
2243 (JSC::DFG::safeToExecute):
2244 * dfg/DFGSpeculativeJIT32_64.cpp:
2245 (JSC::DFG::SpeculativeJIT::compile):
2246 * dfg/DFGSpeculativeJIT64.cpp:
2247 (JSC::DFG::SpeculativeJIT::compile):
2248 * ftl/FTLLowerDFGToLLVM.cpp:
2249 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
2250 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2251
2252 2014-09-19 Ryosuke Niwa <rniwa@webkit.org>
2253
2254 Leak of mallocs under StructureSet::OutOfLineList::create
2255 https://bugs.webkit.org/show_bug.cgi?id=136970
2256
2257 Reviewed by Filip Pizlo.
2258
2259 addOutOfLine should free the old list when expanding the capacity.
2260
2261 * bytecode/StructureSet.cpp:
2262 (JSC::StructureSet::addOutOfLine):
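
An added example, not part of this ChangeLog or of WebKit's code, modelling the grow-and-copy pattern behind this fix: an out-of-line list kept in a single malloc'd block, where every expansion allocates a bigger block and must release the old one. The names (OutOfLineList, PointerSet, exerciseSet) are hypothetical; the allocation counters exist only so the leak would be visible as a growing liveAllocations count.

```cpp
#include <cstdlib>
#include <cstring>

// Constructed model of an out-of-line list living in one malloc'd block:
// a small header followed by `capacity` pointer slots.
struct OutOfLineList {
    unsigned length;
    unsigned capacity;
    const void* entries[1]; // trailing array; the block really holds `capacity` slots

    static OutOfLineList* create(unsigned capacity) {
        size_t bytes = sizeof(OutOfLineList) + sizeof(const void*) * (capacity - 1);
        OutOfLineList* list = static_cast<OutOfLineList*>(std::malloc(bytes));
        if (!list)
            std::abort();
        list->length = 0;
        list->capacity = capacity;
        return list;
    }
    static void destroy(OutOfLineList* list) { std::free(list); }
};

class PointerSet {
public:
    PointerSet() = default;
    PointerSet(const PointerSet&) = delete;
    PointerSet& operator=(const PointerSet&) = delete;
    ~PointerSet() { if (m_list) release(m_list); }

    // Adds p unless it is already present. Returns true if the set grew.
    bool add(const void* p) {
        if (contains(p))
            return false;
        if (!m_list)
            m_list = allocate(4);
        else if (m_list->length == m_list->capacity)
            expand();
        m_list->entries[m_list->length++] = p;
        return true;
    }

    bool contains(const void* p) const {
        if (!m_list)
            return false;
        for (unsigned i = 0; i < m_list->length; ++i)
            if (m_list->entries[i] == p)
                return true;
        return false;
    }

    unsigned size() const { return m_list ? m_list->length : 0; }
    unsigned liveAllocations() const { return m_liveAllocations; }
    unsigned totalAllocations() const { return m_totalAllocations; }

private:
    void expand() {
        OutOfLineList* bigger = allocate(m_list->capacity * 2);
        std::memcpy(bigger->entries, m_list->entries, sizeof(const void*) * m_list->length);
        bigger->length = m_list->length;
        // The point of bug 136970: the old block must be released here.
        // Without this call every expansion leaks one block and
        // liveAllocations keeps growing for the lifetime of the process.
        release(m_list);
        m_list = bigger;
    }
    OutOfLineList* allocate(unsigned capacity) {
        ++m_totalAllocations;
        ++m_liveAllocations;
        return OutOfLineList::create(capacity);
    }
    void release(OutOfLineList* list) {
        --m_liveAllocations;
        OutOfLineList::destroy(list);
    }

    OutOfLineList* m_list = nullptr;
    unsigned m_liveAllocations = 0;
    unsigned m_totalAllocations = 0;
};

struct SetStats {
    unsigned size;
    unsigned liveAllocations;
    unsigned totalAllocations;
    bool allFound;
};

// Inserts n distinct pointers (twice, so duplicate handling is exercised) and
// reports the allocation bookkeeping; a leak-free set ends with exactly one
// live block no matter how many expansions happened.
SetStats exerciseSet(unsigned n) {
    static int sentinels[256]; // constructed addresses to insert
    if (n > 256)
        n = 256;
    PointerSet set;
    for (unsigned i = 0; i < n; ++i)
        set.add(&sentinels[i]);
    for (unsigned i = 0; i < n; ++i)
        set.add(&sentinels[i]);
    bool allFound = true;
    for (unsigned i = 0; i < n; ++i)
        allFound = allFound && set.contains(&sentinels[i]);
    return { set.size(), set.liveAllocations(), set.totalAllocations(), allFound };
}
```

Running exerciseSet(100) under a leak checker such as valgrind or ASan's LeakSanitizer is the direct way to confirm the release in expand() is doing its job.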
2263
2264 2014-09-19 Daniel Bates <dabates@apple.com>
2265
2266 Always assume internal SDK when building configuration Production
2267 https://bugs.webkit.org/show_bug.cgi?id=136925
2268 <rdar://problem/18362399>
2269
2270 Reviewed by Dan Bernstein.
2271
2272 As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
2273 and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
2274
2275 * Configurations/Base.xcconfig:
2276
2277 2014-09-19 Diego Pino Garcia <dpino@igalia.com>
2278
2279 Simple ES6 feature: String prototype additions
2280 https://bugs.webkit.org/show_bug.cgi?id=131704
2281
2282 Reviewed by Darin Adler.
2283
2284 * runtime/StringPrototype.cpp:
2285 (JSC::StringPrototype::finishCreation):
2286 (JSC::stringProtoFuncStartsWith): Added.
2287 (JSC::stringProtoFuncEndsWith): Added.
2288 (JSC::stringProtoFuncContains): Added.
2289
2290 2014-09-18 Joseph Pecoraro <pecoraro@apple.com>
2291
2292 Unreviewed rollout r173731. Broke multiple builds.
2293
2294 * inspector/JSGlobalObjectInspectorController.cpp:
2295 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2296 (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2297 * inspector/JSGlobalObjectInspectorController.h:
2298 * inspector/remote/RemoteInspector.h:
2299 * inspector/remote/RemoteInspector.mm:
2300 (Inspector::RemoteInspector::RemoteInspector):
2301 (Inspector::RemoteInspector::setupFailed):
2302 (Inspector::RemoteInspector::start):
2303 (Inspector::RemoteInspector::stopInternal):
2304 (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2305 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2306 (Inspector::RemoteInspector::xpcConnectionFailed):
2307 (Inspector::RemoteInspector::receivedSetupMessage):
2308 (Inspector::globalAutomaticInspectionState): Deleted.
2309 (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
2310 (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
2311 (Inspector::RemoteInspector::setupSucceeded): Deleted.
2312 (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
2313 (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
2314 (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
2315 * inspector/remote/RemoteInspectorConstants.h:
2316 * inspector/remote/RemoteInspectorDebuggable.cpp:
2317 (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2318 (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
2319 * inspector/remote/RemoteInspectorDebuggable.h:
2320 * inspector/remote/RemoteInspectorDebuggableConnection.h:
2321 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2322 (Inspector::RemoteInspectorDebuggableConnection::setup):
2323 * runtime/JSGlobalObjectDebuggable.cpp:
2324 (JSC::JSGlobalObjectDebuggable::connect):
2325 (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
2326 * runtime/JSGlobalObjectDebuggable.h:
2327
2328 2014-09-18 Joseph Pecoraro <pecoraro@apple.com>
2329
2330 Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
2331 https://bugs.webkit.org/show_bug.cgi?id=136893
2332
2333 Reviewed by Timothy Hatcher.
2334
2335 Adds new remote inspector protocol handling for automatic inspection.
2336 Debuggers can signal they have enabled automatic inspection, and
2337 when debuggables are created the current application will pause to
2338 see if the debugger will inspect or decline to inspect the debuggable.
2339
2340 * inspector/remote/RemoteInspectorConstants.h:
2341 * inspector/remote/RemoteInspector.h:
2342 * inspector/remote/RemoteInspector.mm:
2343 (Inspector::globalAutomaticInspectionState):
2344 (Inspector::RemoteInspector::RemoteInspector):
2345 (Inspector::RemoteInspector::start):
2346 When first starting, check the global "is there an auto-inspect" debugger state.
2347 This is necessary so that the current application knows if it should pause or
2348 not when a debuggable is created, even without having connected to webinspectord yet.
2349
2350 (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
2351 When a debuggable has enabled remote inspection, take this path to propose
2352 it as an automatic inspection candidate if there is an auto-inspect debugger.
2353
2354 (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
2355 Send the automatic inspection candidate message.
2356
2357 (Inspector::RemoteInspector::receivedSetupMessage):
2358 (Inspector::RemoteInspector::setupFailed):
2359 (Inspector::RemoteInspector::setupSucceeded):
2360 After attempting to open an inspector, unpause if it was for the
2361 automatic inspection candidate.
2362
2363 (Inspector::RemoteInspector::waitingForAutomaticInspection):
2364 When running a nested runloop, check if we should remain paused.
2365
2366 (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
2367 If by the time we connect to webinspectord we have a candidate, then
2368 immediately send the candidate message.
2369
2370 (Inspector::RemoteInspector::stopInternal):
2371 (Inspector::RemoteInspector::xpcConnectionFailed):
2372 In error cases, clear our state.
2373
2374 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
2375 (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
2376 (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
2377 Update state when receiving new messages.
2378
2380 * inspector/remote/RemoteInspectorDebuggable.h:
2381 * inspector/remote/RemoteInspectorDebuggable.cpp:
2382 (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
2383 Special case when a debuggable is newly allowed to be debuggable.
2384
2385 (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
2386 Run a nested run loop while this is an automatic inspection candidate.
2387
2388 * inspector/JSGlobalObjectInspectorController.h:
2389 * inspector/JSGlobalObjectInspectorController.cpp:
2390 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2391 (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2392 When the inspector starts via automatic inspection, automatically pause.
2393 We plan on removing this condition by having the frontend signal to the
2394 backend when it is completely initialized.
2395
2396 * inspector/remote/RemoteInspectorDebuggableConnection.h:
2397 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2398 (Inspector::RemoteInspectorDebuggableConnection::setup):
2399 Pass on the flag of whether or not this was automatic inspection.
2400
2401 * runtime/JSGlobalObjectDebuggable.h:
2402 * runtime/JSGlobalObjectDebuggable.cpp:
2403 (JSC::JSGlobalObjectDebuggable::connect):
2404 (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
2405 When pausing in a JSGlobalObject we need to release the API lock.
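
An added example, not part of this ChangeLog or of WebKit's RemoteInspector, modelling the automatic inspection handshake described above as a small state machine plus a simulated nested run loop. All names (AutoInspectCoordinator, Event, runScenario, the debuggable id) are hypothetical; what it shows is that a candidate pauses until exactly one of the release paths fires (debugger attached, declined, setup failed, feature switched off, or connection lost), and that a scenario with no answer at all stays paused.

```cpp
#include <deque>

// Messages and connection events the paused application can observe.
enum class Event {
    ConnectionEstablished, SetupMessage, SetupFailed, Reject,
    ConfigurationEnabled, ConfigurationDisabled, ConnectionFailed
};

class AutoInspectCoordinator {
public:
    // Mirrors reading the global "is there an auto-inspect debugger" state
    // at start, before any connection to the inspector daemon exists.
    explicit AutoInspectCoordinator(bool autoInspectDebuggerPresent)
        : m_autoInspectEnabled(autoInspectDebuggerPresent) {}

    // A debuggable newly allowed remote debugging. Returns whether it became
    // the automatic inspection candidate and therefore has to pause.
    bool proposeCandidate(unsigned debuggableId) {
        if (!m_autoInspectEnabled)
            return false;
        m_hasCandidate = true;
        m_candidateId = debuggableId;
        m_candidateMessageSent = false;
        if (m_connected)
            sendCandidateMessage();
        return true;
    }

    // The daemon connection came up; a pending candidate is announced now.
    void connectionEstablished() {
        m_connected = true;
        if (m_hasCandidate && !m_candidateMessageSent)
            sendCandidateMessage();
    }

    // The predicate a nested run loop polls to decide whether to stay paused.
    bool waitingForAutomaticInspection(unsigned debuggableId) const {
        return m_hasCandidate && m_candidateId == debuggableId;
    }

    // Release paths: an inspector attached, or setup failed, or it declined.
    void receivedSetupMessage(unsigned id) {
        if (waitingForAutomaticInspection(id)) { m_inspected = true; clearCandidate(); }
    }
    void setupFailed(unsigned id) { if (waitingForAutomaticInspection(id)) clearCandidate(); }
    void receivedRejectMessage(unsigned id) { if (waitingForAutomaticInspection(id)) clearCandidate(); }
    void receivedConfigurationMessage(bool enabled) {
        m_autoInspectEnabled = enabled;
        if (!enabled)
            clearCandidate(); // nobody will answer the candidate any more
    }
    // Error path: losing the daemon must also end the pause, or the app hangs.
    void connectionFailed() { m_connected = false; clearCandidate(); }

    bool inspected() const { return m_inspected; }
    unsigned candidateMessagesSent() const { return m_candidateMessagesSent; }

private:
    void sendCandidateMessage() { m_candidateMessageSent = true; ++m_candidateMessagesSent; }
    void clearCandidate() { m_hasCandidate = false; m_candidateMessageSent = false; }

    bool m_autoInspectEnabled;
    bool m_connected = false;
    bool m_hasCandidate = false;
    bool m_candidateMessageSent = false;
    bool m_inspected = false;
    unsigned m_candidateId = 0;
    unsigned m_candidateMessagesSent = 0;
};

struct Outcome {
    bool paused;                // did the debuggable have to pause at all
    bool inspected;             // did a debugger attach before the pause ended
    bool stillWaiting;          // the events ran out and the pause never ended
    unsigned candidateMessages; // how many candidate messages went to the daemon
};

// Models pauseWaitingForAutomaticInspection(): a nested loop draining the
// daemon's messages until the coordinator no longer wants this debuggable paused.
Outcome runScenario(bool debuggerPresent, std::deque<Event> events) {
    const unsigned debuggableId = 7; // constructed id
    AutoInspectCoordinator coordinator(debuggerPresent);
    bool paused = coordinator.proposeCandidate(debuggableId);
    while (coordinator.waitingForAutomaticInspection(debuggableId) && !events.empty()) {
        Event event = events.front();
        events.pop_front();
        switch (event) {
        case Event::ConnectionEstablished: coordinator.connectionEstablished(); break;
        case Event::SetupMessage: coordinator.receivedSetupMessage(debuggableId); break;
        case Event::SetupFailed: coordinator.setupFailed(debuggableId); break;
        case Event::Reject: coordinator.receivedRejectMessage(debuggableId); break;
        case Event::ConfigurationEnabled: coordinator.receivedConfigurationMessage(true); break;
        case Event::ConfigurationDisabled: coordinator.receivedConfigurationMessage(false); break;
        case Event::ConnectionFailed: coordinator.connectionFailed(); break;
        }
    }
    return { paused, coordinator.inspected(),
             coordinator.waitingForAutomaticInspection(debuggableId),
             coordinator.candidateMessagesSent() };
}
```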
2406
2407 2014-09-18 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2408
2409 Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
2410 https://bugs.webkit.org/show_bug.cgi?id=136912
2411
2412 Reviewed by Darin Adler.
2413
2414 * runtime/TypeSet.cpp:
2415 (JSC::TypeSet::leastCommonAncestor):
2416
2417 2014-09-17 Michael Saboff <msaboff@apple.com>
2418
2419 Change CallFrame to use Callee instead of JSScope to implement vm()
2420 https://bugs.webkit.org/show_bug.cgi?id=136894
2421
2422 Reviewed by Geoffrey Garen.
2423
2424 Added JSCell::vm() method that can be used on any JSObject. Changed CallFrame::vm() to
2425 use JSCell::vm with the Callee. Made similar changes in the LLInt.
2426 In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
2427 a chicken/egg problem with trying to use the Callee in the global exec before the Callee
2428 has been created. Besides, the vm is readily available in finishCreation(), the caller of
2429 init().
2430
2431 * llint/LowLevelInterpreter32_64.asm:
2432 * llint/LowLevelInterpreter64.asm:
2433 Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
2434
2435 * runtime/JSCell.h:
2436 * runtime/JSCellInlines.h:
2437 (JSC::JSCell::vm): New method for getting VM from the pointer.
2438 (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
2439 contains the implementation of JSCell::vm(), this file is included by all users
2440 of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
2441 many other .h files and possibly the WebCore generator generate-bindings.pl.
2442
2443 * runtime/JSGlobalObject.cpp:
2444 (JSC::JSGlobalObject::init):
2445 * runtime/JSGlobalObject.h:
2446 (JSC::JSGlobalObject::finishCreation):
2447 Changed init() to take a VM parameter.
2448
2449 * runtime/JSScope.h:
2450 (JSC::ExecState::vm): Deleted.
2451
2452 2014-09-16 Filip Pizlo <fpizlo@apple.com>
2453
2454 Unreviewed, disable native inlining because it causes build failures.
2455
2456 * JavaScriptCore.xcodeproj/project.pbxproj:
2457
2458 2014-09-16 Joseph Pecoraro <pecoraro@apple.com>
2459
2460 Web Inspector: Reduce a bit of churn setting initial remote inspection state
2461 https://bugs.webkit.org/show_bug.cgi?id=136875
2462
2463 Reviewed by Timothy Hatcher.
2464
2465 * API/JSContextRef.cpp:
2466 (JSGlobalContextCreateInGroup):
2467 Set the default remote debuggable state at the API boundary.
2468
2469 * runtime/JSGlobalObject.cpp:
2470 (JSC::JSGlobalObject::init):
2471 Do not set remote debuggable state here. Let clients set it.
2472
2473 2014-09-16 Yusuke Suzuki <utatane.tea@gmail.com>
2474
2475 Promise: Drop Promise.cast
2476 https://bugs.webkit.org/show_bug.cgi?id=136222
2477
2478 Reviewed by Sam Weinig.
2479
2480 Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
2481
2482 * runtime/CommonIdentifiers.h:
2483 * runtime/JSPromiseConstructor.cpp:
2484 (JSC::JSPromiseConstructorFuncResolve):
2485 (JSC::JSPromiseConstructorFuncRace):
2486 (JSC::JSPromiseConstructorFuncAll):
2487 (JSC::JSPromiseConstructorFuncCast): Deleted.
2488
2489 2014-09-16 Filip Pizlo <fpizlo@apple.com>
2490
2491 Local OSR availability calculation should be reusable
2492 https://bugs.webkit.org/show_bug.cgi?id=136860
2493
2494 Reviewed by Oliver Hunt.
2495
2496 Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
2497 phase. Humorously, it actually did this logic a bit differently; for example the phase
2498 would claim that a SetLocal makes both the flush and the node available while the FTL
2499 only claimed that the flush was available. This difference was benign, but still: yuck!
2500
2501 Also, previously if you wanted to use availability information then you'd have to repeat
2502 some of the logic that both the phase itself and the FTL lowering already had.
2503 Presumably, you could get epic style points for finding other benign ways in which to
2504 make your copy of the logic different from the other two!
2505
2506 This reduces the amount of style points one could conceivably get in the future when
2507 hacking JSC, by creating a single reusable thingy for computing local OSR availability.
2508
2509 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2510 (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
2511 (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
2512 (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
2513 (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
2514 (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2515 * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2516 * ftl/FTLLowerDFGToLLVM.cpp:
2517 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
2518 (JSC::FTL::LowerDFGToLLVM::compileBlock):
2519 (JSC::FTL::LowerDFGToLLVM::compileNode):
2520 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
2521 (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
2522 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
2523 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
2524 (JSC::FTL::LowerDFGToLLVM::availability):
2525 (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
2526 (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
2527 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
2528
2529 2014-09-16 Csaba Osztrogonác <ossy@webkit.org>
2530
2531 JSC test gardening
2532 https://bugs.webkit.org/show_bug.cgi?id=136823
2533
2534 Reviewed by Geoffrey Garen.
2535
2536 * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
2537
2538 2014-09-15 Michael Saboff <msaboff@apple.com>
2539
2540 Create a JSCallee for GlobalExec object
2541 https://bugs.webkit.org/show_bug.cgi?id=136840
2542
2543 Reviewed by Geoffrey Garen.
2544
2545 Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
2546
2547 * runtime/JSGlobalObject.cpp:
2548 (JSC::JSGlobalObject::init):
2549 (JSC::JSGlobalObject::visitChildren):
2550 * runtime/JSGlobalObject.h:
2551
2552 2014-09-14 Filip Pizlo <fpizlo@apple.com>
2553
2554 DFG ref count calculation should be reusable
2555 https://bugs.webkit.org/show_bug.cgi?id=136811
2556
2557 Reviewed by Oliver Hunt.
2558
2559 Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
2560 will be able to tell you how many places it is used from. Currently only DCE uses this,
2561 but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
2562
2563 * dfg/DFGDCEPhase.cpp:
2564 (JSC::DFG::DCEPhase::run):
2565 (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
2566 (JSC::DFG::DCEPhase::countNode): Deleted.
2567 (JSC::DFG::DCEPhase::countEdge): Deleted.
2568 * dfg/DFGGraph.cpp:
2569 (JSC::DFG::Graph::computeRefCounts):
2570 * dfg/DFGGraph.h:
2571
2572 2014-09-12 Michael Saboff <msaboff@apple.com>
2573
2574 Merge JSGlobalObject::reset() into ::init()
2575 https://bugs.webkit.org/show_bug.cgi?id=136800
2576
2577 Reviewed by Oliver Hunt.
2578
2579 Moved the contents of reset() into init().
2580 Note that the diff shows more changes.
2581
2582 * runtime/JSGlobalObject.cpp:
2583 (JSC::JSGlobalObject::init): Moved body of reset() into init.
2584 (JSC::JSGlobalObject::put):
2585 (JSC::JSGlobalObject::defineOwnProperty):
2586 (JSC::JSGlobalObject::addGlobalVar):
2587 (JSC::JSGlobalObject::addFunction):
2588 (JSC::lastInPrototypeChain):
2589 (JSC::JSGlobalObject::reset): Deleted.
2590 * runtime/JSGlobalObject.h:
2591
2592 2014-09-12 Michael Saboff <msaboff@apple.com>
2593
2594 Add JSCallee to program and eval CallFrames
2595 https://bugs.webkit.org/show_bug.cgi?id=136785
2596
2597 Reviewed by Mark Lam.
2598
2599 Populated the Callee slot for program and call eval CallFrames with JSCallee objects.
2600 Made supporting changes including adding a JSCallee structure to global object and adding
2601 JSCallee::create() method. Added code so that the newly added callee object won't be
2602 returned by Function.caller. Changed null pointer checks of callee to check if
2603 the type is JSFunction* or JSCallee*.
2604
2605 * debugger/DebuggerCallFrame.cpp:
2606 (JSC::DebuggerCallFrame::functionName):
2607 (JSC::DebuggerCallFrame::type):
2608 * profiler/LegacyProfiler.cpp:
2609 (JSC::LegacyProfiler::createCallIdentifier):
2610 * interpreter/Interpreter.cpp:
2611 (JSC::unwindCallFrame):
2612 Changed checks to test whether callee is a JSFunction* or JSCallee* instead of just checking
2613 if it is null or not.
2614
2615 * interpreter/Interpreter.cpp:
2616 (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
2617 and execute(ProgramExecutable, ...).
2618
2619 * jit/JITCode.cpp:
2620 (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
2621
2622 * runtime/JSCallee.cpp:
2623 (JSC::JSCallee::create): Not used, therefore deleted.
2624
2625 * runtime/JSCallee.h:
2626 (JSC::JSCallee::create): Added.
2627
2628 * runtime/JSFunction.cpp:
2629 (JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
2630 JSFunctions. This can only be the case when the JSCallee comes from a program or
2631 call eval CallFrame.
2632
2633 * runtime/JSGlobalObject.cpp:
2634 (JSC::JSGlobalObject::reset):
2635 (JSC::JSGlobalObject::visitChildren):
2636 * runtime/JSGlobalObject.h:
2637 (JSC::JSGlobalObject::calleeStructure):
2638 Added new JSCallee structure.
2639
2640 2014-09-10 Jon Honeycutt <jhoneycutt@apple.com>
2641
2642 Re-add the request autocomplete feature
2643
2644 <https://bugs.webkit.org/show_bug.cgi?id=136730>
2645
2646 This feature was rolled out in r148731 because it was only used by
2647 Chromium. As we consider supporting this feature, roll it back in, but
2648 leave it disabled.
2649
2650 This rolls out r148731 (which removed the feature) with small changes
2651 needed to make the code build in ToT, to match modern style, to make
2652 the tests run, and to remove unused code.
2653
2654 Reviewed by Andy Estes.
2655
2656 * Configurations/FeatureDefines.xcconfig:
2657
2658 2014-09-12 Julien Brianceau <jbriance@cisco.com>
2659
2660 [x86] moveDoubleToInts() does not clobber its source register anymore
2661 https://bugs.webkit.org/show_bug.cgi?id=131690
2662
2663 Reviewed by Oliver Hunt.
2664
2665 * assembler/MacroAssemblerX86.h:
2666 (JSC::MacroAssemblerX86::moveDoubleToInts):
2667 * dfg/DFGSpeculativeJIT.cpp:
2668 (JSC::DFG::SpeculativeJIT::compileValueRep):
2669 * jit/SpecializedThunkJIT.h:
2670 (JSC::SpecializedThunkJIT::returnDouble):
2671
2672 2014-09-12 Mark Lam <mark.lam@apple.com>
2673
2674 Unreviewed build fix for CLOOP build.
2675
2676 * runtime/JSCallee.h:
2677
2678 2014-09-12 Michael Saboff <msaboff@apple.com>
2679
2680 Remove unneeded declarations from JSCallee.h
2681 https://bugs.webkit.org/show_bug.cgi?id=136783
2682
2683 Reviewed by Mark Lam.
2684
2685 * runtime/JSCallee.h:
2686 (JSCallee::name): Deleted.
2687 (JSCallee::displayName): Deleted.
2688 (JSCallee::calculatedDisplayName): Deleted.
2689
2690 2014-09-11 Brian J. Burg <burg@cs.washington.edu>
2691
2692 Web Inspector: disambiguate double and integer primitive types in the protocol
2693 https://bugs.webkit.org/show_bug.cgi?id=136606
2694
2695 Reviewed by Timothy Hatcher.
2696
2697 Right now it's really easy to mix up doubles and integers when serializing or deserializing
2698 values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
2699 so that it is clearer as to which type is intended.
2700
2701 A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
2702 The existing callsites for asNumber/getNumber/setNumber have been fixed.
2703
2704 Address various integration points to make sure the right type tag is assigned to InspectorValues.
2705
2706 * bindings/ScriptValue.cpp:
2707 (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
2708 * inspector/InjectedScriptManager.cpp:
2709 (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2710 * inspector/InspectorBackendDispatcher.cpp:
2711 (Inspector::InspectorBackendDispatcher::dispatch):
2712 (Inspector::InspectorBackendDispatcher::sendResponse):
2713 (Inspector::InspectorBackendDispatcher::reportProtocolError):
2714 (Inspector::AsMethodBridges::asInteger):
2715 (Inspector::AsMethodBridges::asDouble):
2716 (Inspector::InspectorBackendDispatcher::getInteger):
2717 (Inspector::InspectorBackendDispatcher::getDouble):
2718 (Inspector::AsMethodBridges::asInt): Deleted.
2719 (Inspector::InspectorBackendDispatcher::getInt): Deleted.
2720 * inspector/InspectorBackendDispatcher.h:
2721 * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
2722 (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
2723 (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
2724 (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
2725 * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
2726 (Inspector::InspectorValue::asDouble):
2727 (Inspector::InspectorValue::asInteger):
2728 (Inspector::InspectorBasicValue::asDouble):
2729 (Inspector::InspectorBasicValue::asInteger):
2730 (Inspector::InspectorBasicValue::writeJSON):
2731 (Inspector::InspectorValue::asNumber): Deleted.
2732 (Inspector::InspectorBasicValue::asNumber): Deleted.
2733 * inspector/InspectorValues.h:
2734 (Inspector::InspectorObjectBase::setInteger):
2735 (Inspector::InspectorObjectBase::setDouble):
2736 (Inspector::InspectorArrayBase::pushInteger):
2737 (Inspector::InspectorArrayBase::pushDouble):
2738 (Inspector::InspectorObjectBase::setNumber): Deleted.
2739 (Inspector::InspectorArrayBase::pushInt): Deleted.
2740 (Inspector::InspectorArrayBase::pushNumber): Deleted.
2741 * inspector/agents/InspectorDebuggerAgent.cpp:
2742 (Inspector::buildObjectForBreakpointCookie):
2743 (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2744 (Inspector::parseLocation):
2745 (Inspector::InspectorDebuggerAgent::didParseSource):
2746 * inspector/agents/InspectorRuntimeAgent.cpp:
2747 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2748 * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
2749 (Generator.keyed_get_method_for_type):
2750 (Generator.keyed_set_method_for_type):
2751 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2752 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2753 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2754 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
2755 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2756 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2757 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2758 * replay/EncodedValue.cpp:
2759 (JSC::EncodedValue::convertTo<double>):
2760 (JSC::EncodedValue::convertTo<float>):
2761 (JSC::EncodedValue::convertTo<int32_t>):
2762 (JSC::EncodedValue::convertTo<int64_t>):
2763 (JSC::EncodedValue::convertTo<uint32_t>):
2764 (JSC::EncodedValue::convertTo<uint64_t>):
2765
2766 2014-09-11 Joseph Pecoraro <pecoraro@apple.com>
2767
2768 Web Inspector: Occasional ASSERT closing web inspector
2769 https://bugs.webkit.org/show_bug.cgi?id=136762
2770
2771 Reviewed by Timothy Hatcher.
2772
2773 It is harmless, and indeed possible to have an empty set of listeners
2774 now that each Page gets its own PageDebugServer instead of a shared
2775 global. So we should replace the null checks with isEmpty checks.
2776 Since nobody was ever returning null, convert to references as well.
2777
2778 * inspector/JSGlobalObjectScriptDebugServer.h:
2779 * inspector/ScriptDebugServer.cpp:
2780 (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
2781 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
2782 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
2783 (Inspector::ScriptDebugServer::sourceParsed):
2784 (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
2785 (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
2786 (Inspector::ScriptDebugServer::handlePause):
2787 (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
2788 * inspector/ScriptDebugServer.h:
2789
2790 2014-09-10 Michael Saboff <msaboff@apple.com>
2791
2792 Move JSScope out of JSFunction into separate JSCallee class
2793 https://bugs.webkit.org/show_bug.cgi?id=136725
2794
2795 Reviewed by Oliver Hunt.
2796
2797 Created new JSCallee class that contains a JSScope*. Changed JSFunction to inherit from
2798 JSCallee.
2799
2800 * CMakeLists.txt:
2801 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2802 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2803 * JavaScriptCore.xcodeproj/project.pbxproj:
2804 Build changes. Added JSCallee.cpp and JSCallee.h.
2805
2806 * runtime/JSCallee.cpp: Added.
2807 (JSC::JSCallee::create):
2808 (JSC::JSCallee::destroy):
2809 (JSC::JSCallee::JSCallee):
2810 (JSC::JSCallee::finishCreation):
2811 (JSC::JSCallee::visitChildren):
2812 (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
2813 (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
2814 (JSC::JSCallee::put): Pass through wrapper function.
2815 (JSC::JSCallee::deleteProperty): Pass through wrapper function.
2816 (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
2817
2818 * runtime/JSCallee.h: Added.
2819 (JSC::JSCallee::scope):
2820 (JSC::JSCallee::scopeUnchecked):
2821 (JSC::JSCallee::setScope):
2822 (JSC::JSCallee::createStructure):
2823 (JSC::JSCallee::offsetOfScopeChain):
2824
2825 * runtime/JSFunction.cpp:
2826 (JSC::JSFunction::JSFunction):
2827 (JSC::JSFunction::addNameScopeIfNeeded):
2828 (JSC::JSFunction::visitChildren):
2829 * runtime/JSFunction.h:
2830 (JSC::JSFunction::scope): Deleted.
2831 (JSC::JSFunction::scopeUnchecked): Deleted.
2832 (JSC::JSFunction::setScope): Deleted.
2833 (JSC::JSFunction::offsetOfScopeChain): Deleted.
2834 * runtime/JSFunctionInlines.h:
2835 (JSC::JSFunction::JSFunction):
2836 Changed to reference JSCallee and its methods.
2837
2838 * runtime/JSType.h: Added JSCallee as a TypeEnum.
2839
2840 2014-09-11 Filip Pizlo <fpizlo@apple.com>
2841
2842 REGRESSION (r172129): Vine pages load as blank
2843 https://bugs.webkit.org/show_bug.cgi?id=136655
2844 rdar://problem/18281215
2845
2846 Reviewed by Michael Saboff.
2847
2848 If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
2849 that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
2850 Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
2851 conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
2852 reasonably compact; it's OK if we miss cases here.
2853
2854 * dfg/DFGPhantomRemovalPhase.cpp:
2855 (JSC::DFG::PhantomRemovalPhase::run):
2856 * tests/stress/remove-phantom-after-setlocal.js: Added.
2857
2858 2014-09-11 Bear Travis <betravis@adobe.com>
2859
2860 [CSS Font Loading] Enable CSS Font Loading on Mac
2861 https://bugs.webkit.org/show_bug.cgi?id=135473
2862
2863 Reviewed by Antti Koivisto.
2864
2865 Enable CSS Font Loading in FeatureDefines.
2866
2867 * Configurations/FeatureDefines.xcconfig:
2868
2869 2014-09-11 Joseph Pecoraro <pecoraro@apple.com>
2870
2871 Unreviewed rebaseline of inspector generator test results after r173120.
2872
2873 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
2874 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2875 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
2876 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2877
2878 2014-09-11 Oliver Hunt <oliver@apple.com>
2879
2880 Rename activation to be more in line with spec language
2881 https://bugs.webkit.org/show_bug.cgi?id=136721
2882
2883 Reviewed by Michael Saboff.
2884
2885 Somewhat bigger than the last one, but still just a rename.
2886
2887 * CMakeLists.txt:
2888 * JavaScriptCore.order:
2889 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2890 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::isCaptured):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setActivationRegister):
        (JSC::CodeBlock::activationRegister):
        (JSC::CodeBlock::uncheckedActivationRegister):
        (JSC::CodeBlock::needsActivation):
        * bytecode/Instruction.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setActivationRegister):
        (JSC::UnlinkedCodeBlock::activationRegister):
        (JSC::UnlinkedCodeBlock::hasActivationRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetActivation):
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::lexicalEnvironment):
        (JSC::CallFrame::setActivation):
        (JSC::CallFrame::activation): Deleted.
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * interpreter/Register.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_activation): Deleted.
        (JSC::JIT::emit_op_create_activation): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_activation): Deleted.
        (JSC::JIT::emit_op_create_activation): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation):
        * runtime/Arguments.h:
        (JSC::Arguments::offsetOfActivation):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/CommonSlowPaths.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::activationStructure):
        * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        (JSC::JSLexicalEnvironment::deleteProperty):
        (JSC::JSLexicalEnvironment::toThis):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::createStructure):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::asActivation):
        (JSC::Register::lexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset):
        (JSC::JSLexicalEnvironment::tearOff):
        (JSC::JSLexicalEnvironment::isTornOff):
        (JSC::JSLexicalEnvironment::storageOffset):
        (JSC::JSLexicalEnvironment::storage):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::isValidIndex):
        (JSC::JSLexicalEnvironment::isValid):
        (JSC::JSLexicalEnvironment::registerAt):
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSymbolTableObject.cpp:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/VM.cpp:

2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] Fix FTL on platform EFL.
        https://bugs.webkit.org/show_bug.cgi?id=133571

        Reviewed by Filip Pizlo.

        There are no compact_unwind sections on Linux systems so FTL crashes.
        We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
        and get the information for stack unwinding from there.

        * CMakeLists.txt: Revert r169181.
        * ftl/FTLCompile.cpp:
        Change section name literals to use the SECTION_NAME macro, because of architecture differences.
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::compile):
        * ftl/FTLJITCode.h:
        We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLUnwindInfo.h:
        * ftl/FTLUnwindInfo.cpp:
        Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
        Parse eh_frame on Linux instead of compact_unwind.
        (JSC::FTL::UnwindInfo::parse):

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
        https://bugs.webkit.org/show_bug.cgi?id=136500

        Reviewed by Joseph Pecoraro.

        This patch changes the type profiler protocol to the Web Inspector
        by moving the work of calculating computed properties that affect the UI
        into the Web Inspector. This makes the Web Inspector have control over the
        strings it displays as UI elements representing type information to the user
        instead of JavaScriptCore deciding on a convention for these strings.
        JavaScriptCore now sends enough information to the Web Inspector so that
        it can compute the properties JavaScriptCore used to compute.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
        * runtime/TypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::leastCommonAncestor):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>

        Apply ARM64-specific lowering to load/store instructions in offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=136569

        Reviewed by Michael Saboff.

        The standard RISC lowering of load/store instructions with base +
        immediate offset addresses is to move the offset to a temporary, add the
        base to the temporary, and then change the load/store to use the
        temporary + 0 immediate offset address. However, on ARM64, base +
        register offset addressing mode is available, so it is unnecessary to
        perform explicit register additions but it is enough to change load/store
        to use base + temporary as the address.

        * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses

2014-09-10  Oliver Hunt  <oliver@apple.com>

        Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
        https://bugs.webkit.org/show_bug.cgi?id=136710

        Reviewed by Anders Carlsson.

        This is a trivial rename.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
        * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
        (JSC::JSEnvironmentRecord::registers):
        (JSC::JSEnvironmentRecord::registerAt):
        (JSC::JSEnvironmentRecord::addressOfRegisters):
        (JSC::JSEnvironmentRecord::offsetOfRegisters):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        * runtime/JSNameScope.h:
        * runtime/JSSegmentedVariableObject.h:

2014-09-10  Julien Brianceau  <jbriance@cisco.com>

        [mips] Add missing parts and fix LLINT mips backend
        https://bugs.webkit.org/show_bug.cgi?id=136706

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
        Implement initPCRelative and setEntryAddress macros.
        * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
        doVMEntry macro.

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        TypeSet needs a mode where it no longer profiles structure shapes
        https://bugs.webkit.org/show_bug.cgi?id=136263

        Reviewed by Filip Pizlo.

        The TypeSet data structure used to gather as many StructureShape
        objects as it encountered during type profiling. But, this meant
        that there was no upper limit on how many objects it could allocate.
        This patch places a fixed upper bound on the number of StructureShapes
        allocated per TypeSet to prevent using too much memory for little gain
        in type profiling usefulness.

        StructureShape objects are now also aware of when they are created
        from Structures which are dictionaries.

        In total, this patch lays the final groundwork needed in refactoring
        the inspector protocol for the type profiler.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::StructureShape):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::enterDictionaryMode):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isOverflown):
        * tests/typeProfiler/dictionary-mode.js: Added.
        (wrapper):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/overflow.js: Added.
        (wrapper.Proto):
        (wrapper):

2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        [MIPS] branch32WithPatch missing
        https://bugs.webkit.org/show_bug.cgi?id=136696

        Reviewed by Michael Saboff.

        Added the missing branch32WithPatch. The implementation
        is currently the same as the branchPtrWithPatch because
        the macro assembler supports only 32 bit MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch32WithPatch):

2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=136702

        Reviewed by Michael Saboff.

        * bytecode/CallEdgeProfile.h:

2014-09-09  Benjamin Poulain  <bpoulain@apple.com>

        Disable the "unreachable-code" warning
        https://bugs.webkit.org/show_bug.cgi?id=136677

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2014-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a reusable SSA builder
        https://bugs.webkit.org/show_bug.cgi?id=136331

        Reviewed by Oliver Hunt.

        We want to implement sophisticated SSA transformations like object allocation sinking
        (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
        updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
        Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
        implementation of this algorithm only worked when doing CPS->SSA conversion. The code
        could not be reused for cases where some phase happens to know that it introduced a few
        defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
        the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
        updates, since it requires first inserting maximal Phis. That scales well when the Phis
        were already there (like in our CPS form) but otherwise it's quite unnatural and may be
        difficult to make efficient.

        The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
        algorithm based on dominance frontiers. For a while now, I've been working on creating a
        Cytron-based SSA calculator that can be used both as a replacement for our current SSA
        converter and as a reusable tool for any phase that needs to do SSA update. I previously
        optimized our dominator calculation and representation to use dominator trees computed
        using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
        the set of blocks that dominate you or vice-versa, and then I implemented a dominance
        frontier calculator. This patch implements the final step towards making SSA update
        available to all SSA phases: it implements an SSACalculator that can tell you where Phis
        go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
        good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
        SSA converter with one based on the SSACalculator.

        This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
        But even better, it makes SSAConversionPhase have significantly less tricky logic. It
        mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
        just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
        In fact, using the Cytron et al approach means that there isn't really any "smoke and
        mirrors" trickiness related to SSA. SSACalculator's only "tricks" are using the pruned
        iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
        The complexity is mostly confined to Dominators, which computes various dominator-related
        properties over the control flow graph. That class can be difficult to understand, but at
        least it follows well-known graph theory wisdom.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::immediateDominatorOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
        (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        * dfg/DFGSSACalculator.cpp: Added.
        (JSC::DFG::SSACalculator::Variable::dump):
        (JSC::DFG::SSACalculator::Variable::dumpVerbose):
        (JSC::DFG::SSACalculator::Def::dump):
        (JSC::DFG::SSACalculator::SSACalculator):
        (JSC::DFG::SSACalculator::~SSACalculator):
        (JSC::DFG::SSACalculator::newVariable):
        (JSC::DFG::SSACalculator::newDef):
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        (JSC::DFG::SSACalculator::dump):
        * dfg/DFGSSACalculator.h: Added.
        (JSC::DFG::SSACalculator::Variable::index):
        (JSC::DFG::SSACalculator::Variable::Variable):
        (JSC::DFG::SSACalculator::Def::variable):
        (JSC::DFG::SSACalculator::Def::block):
        (JSC::DFG::SSACalculator::Def::value):
        (JSC::DFG::SSACalculator::Def::Def):
        (JSC::DFG::SSACalculator::variable):
        (JSC::DFG::SSACalculator::computePhis):
        (JSC::DFG::SSACalculator::phisForBlock):
        (JSC::DFG::SSACalculator::reachingDefAtHead):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
        (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * runtime/Options.h:
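
        The Phi placement the entry above describes, as an added worked example. This is
        editor-supplied code, not JavaScriptCore's SSACalculator or Dominators: it builds a
        constructed six-block CFG with a loop, computes immediate dominators, the dominance
        frontier of every block (Cooper/Harvey/Kennedy walk), and the iterated dominance
        frontier of a variable's def blocks, which is exactly the set of blocks that need a
        Phi for that variable. Two assumed simplifications: dominators come from plain
        iterative set intersection rather than Lengauer-Tarjan, and the liveness pruning the
        entry mentions is left out.

```cpp
// Added example, not JavaScriptCore code: Cytron-style Phi placement on a
// constructed CFG. Block 0 is the entry; every block is assumed reachable.
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <set>
#include <vector>

struct CFG {
    std::vector<std::vector<int>> succ, pred;
    explicit CFG(int n) : succ(n), pred(n) { }
    void edge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
    int size() const { return static_cast<int>(succ.size()); }
};

// dom[b] = every block that dominates b, b included. Iterative set intersection
// stands in for the Lengauer-Tarjan computation the entry mentions.
static std::vector<std::set<int>> dominatorSets(const CFG& g)
{
    std::set<int> all;
    for (int i = 0; i < g.size(); ++i)
        all.insert(i);
    std::vector<std::set<int>> dom(g.size(), all);
    dom[0] = { 0 };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 1; b < g.size(); ++b) {
            std::set<int> s = all;
            for (int p : g.pred[b]) {
                std::set<int> t;
                std::set_intersection(s.begin(), s.end(), dom[p].begin(), dom[p].end(), std::inserter(t, t.begin()));
                s.swap(t);
            }
            s.insert(b);
            if (s != dom[b]) {
                dom[b] = s;
                changed = true;
            }
        }
    }
    return dom;
}

// idom[b]: b's strict dominators form a chain, so the nearest one is the one
// with the most dominators itself. The entry block gets -1.
std::vector<int> immediateDominators(const CFG& g)
{
    std::vector<std::set<int>> dom = dominatorSets(g);
    std::vector<int> idom(g.size(), -1);
    for (int b = 1; b < g.size(); ++b)
        for (int d : dom[b])
            if (d != b && (idom[b] < 0 || dom[d].size() > dom[idom[b]].size()))
                idom[b] = d;
    return idom;
}

// Dominance frontiers: for each join block, walk from every predecessor up the
// dominator tree until idom(join); each block passed has join in its frontier.
std::vector<std::set<int>> dominanceFrontiers(const CFG& g, const std::vector<int>& idom)
{
    std::vector<std::set<int>> df(g.size());
    for (int b = 0; b < g.size(); ++b) {
        if (g.pred[b].size() < 2)
            continue;
        for (int p : g.pred[b])
            for (int runner = p; runner != idom[b]; runner = idom[runner])
                df[runner].insert(b);
    }
    return df;
}

// Iterated dominance frontier of the blocks that define a variable: the blocks
// where that variable needs a Phi.
std::set<int> phiBlocks(const std::vector<std::set<int>>& df, const std::set<int>& defBlocks)
{
    std::set<int> result;
    std::vector<int> worklist(defBlocks.begin(), defBlocks.end());
    while (!worklist.empty()) {
        int b = worklist.back();
        worklist.pop_back();
        for (int f : df[b])
            if (result.insert(f).second)
                worklist.push_back(f);
    }
    return result;
}

// Constructed CFG: 0 -> loop header 1 -> {2, 3} -> merge 4 -> back to 1, or exit 5.
CFG sampleCFG()
{
    CFG g(6);
    g.edge(0, 1); g.edge(1, 2); g.edge(1, 3); g.edge(2, 4); g.edge(3, 4); g.edge(4, 1); g.edge(4, 5);
    return g;
}

int main()
{
    CFG g = sampleCFG();
    std::vector<std::set<int>> df = dominanceFrontiers(g, immediateDominators(g));
    // A variable defined in blocks 0 and 2 needs Phis at the merge (4) and, because
    // of the back edge, at the loop header (1).
    for (int b : phiBlocks(df, { 0, 2 }))
        std::printf("Phi needed at block %d\n", b);
    return 0;
}
```

        Running it on the sample CFG reports Phis at blocks 1 and 4. The walk in
        dominanceFrontiers terminates because idom(join) dominates every predecessor of
        the join, including the source of a back edge, so the runner always reaches it.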

2014-09-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173402.
        https://bugs.webkit.org/show_bug.cgi?id=136649

        Breaking build with error "unable to restore file position to
        0x00000c60 for section __DWARF.__debug_info (errno = 9)"
        (Requested by mlam_ on #webkit).

        Reverted changeset:

        "Move CallFrame and Register inline functions out of
        JSScope.h."
        https://bugs.webkit.org/show_bug.cgi?id=136579
        http://trac.webkit.org/changeset/173402

2014-09-08  Mark Lam  <mark.lam@apple.com>

        Move CallFrame and Register inline functions out of JSScope.h.
        <https://webkit.org/b/136579>

        Reviewed by Geoffrey Garen.

        This includes fixing up some files to #include JSCInlines.h to pick up
        these inline functions. I also added JSCellInlines.h to JSCInlines.h
        since it is included from many of the affected .cpp files.

        * API/ObjCCallbackFunction.mm:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::vm):
        (JSC::CallFrame::lexicalGlobalObject):
        (JSC::CallFrame::globalThisValue):
        * interpreter/RegisterInlines.h: Added.
        (JSC::Register::operator=):
        (JSC::Register::scope):
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseFunctions.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSScope.h:
        (JSC::Register::operator=): Deleted.
        (JSC::Register::scope): Deleted.
        (JSC::ExecState::vm): Deleted.
        (JSC::ExecState::lexicalGlobalObject): Deleted.
        (JSC::ExecState::globalThisValue): Deleted.
        * runtime/JSSetIterator.cpp:
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136571

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-09-08  Saam Barati  <saambarati1@gmail.com>

        Merge StructureShapes that share the same prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=136549

        Reviewed by Filip Pizlo.

        Instead of keeping track of many discrete StructureShapes that share
        the same prototype chain, TypeSet should merge StructureShapes that
        have the same prototype chain and provide a new member variable for
        optional structure fields. This provides a cleaner and more concise
        interface for dealing with StructureShapes within TypeSet. Instead
        of having many discrete shapes that are almost identical, almost
        identical shapes will be merged together with an interface for
        understanding what fields the shapes being merged together differ in.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::addProperty):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::hasSamePrototypeChain):
        (JSC::StructureShape::merge):
        * runtime/TypeSet.h:
        * tests/typeProfiler/optional-fields.js: Added.
        (wrapper.func):
        (wrapper):

2014-09-08  Jessie Berlin  <jberlin@apple.com>

        More 32-bit Release build fixes after r173364.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Fix typos in last patch to fix build.

        Unreviewed build fix.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
        https://bugs.webkit.org/show_bug.cgi?id=136616

        Reviewed by Darin Adler.

        Many compilers will analyze unreachable code paths (e.g. after an
        unreachable code path), so sometimes they need dead code initializations.
        But clang with suitable warnings will complain about unreachable code. So
        use the quirk to include it conditionally.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * jsc.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

2014-09-06  Darin Adler  <darin@apple.com>

        Make updates suggested by new version of Xcode
        https://bugs.webkit.org/show_bug.cgi?id=136603

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
        and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.

        * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
        for clang, since it understands the code is unreachable.
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

2014-09-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: breakpoint actions should work regardless of Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=136542

        Reviewed by Mark Lam.

        Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a
        JSGlobalObject for the duration of a scope, returning the eval enabled state to its
        original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate
        to allow breakpoint actions to execute JS in pages with a Content Security Policy
        that would normally prohibit this (such as Inspector's Main.html).

        Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
        setting eval enabled and then resetting the original eval enabled state.

        NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
        for null to be equivalent with the original code in Inspector::InjectedScriptBase.
        InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
        can currently be null.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerEvalEnabler.h: Added.
        (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
        (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
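
        An RAII eval enabler of the kind the entry above describes, as an added example.
        This is editor-supplied code, not the DebuggerEvalEnabler in JavaScriptCore, and
        GlobalObject, ExecState and evaluateWithEvalEnabled are toy stand-ins for
        JSGlobalObject, ExecState and DebuggerCallFrame::evaluate. The point it shows is the
        security property the entry relies on: eval is lifted only for the scope of the
        breakpoint action, the page's original eval state comes back on every exit including
        an exception, and a null ExecState makes the guard a no-op as the NOTE requires.

```cpp
// Added example, not JavaScriptCore code: RAII guard that temporarily enables
// eval on a (toy) global object and restores the previous state on scope exit.
#include <cstdio>
#include <stdexcept>
#include <string>

struct GlobalObject {
    bool evalEnabled = false; // what a CSP without 'unsafe-eval' leaves the page with
    bool evalAllowed() const { return evalEnabled; }
    void setEvalEnabled(bool enabled) { evalEnabled = enabled; }
};

struct ExecState {
    GlobalObject* global;
    GlobalObject* lexicalGlobalObject() const { return global; }
};

class DebuggerEvalEnabler {
public:
    // A null ExecState is tolerated and turns the guard into a no-op.
    explicit DebuggerEvalEnabler(ExecState* exec)
        : m_exec(exec), m_wasEnabled(false)
    {
        if (!m_exec)
            return;
        GlobalObject* global = m_exec->lexicalGlobalObject();
        m_wasEnabled = global->evalAllowed();
        global->setEvalEnabled(true);
    }
    // Runs on normal return and during unwinding, so eval is never left enabled.
    ~DebuggerEvalEnabler()
    {
        if (m_exec)
            m_exec->lexicalGlobalObject()->setEvalEnabled(m_wasEnabled);
    }
    DebuggerEvalEnabler(const DebuggerEvalEnabler&) = delete;
    DebuggerEvalEnabler& operator=(const DebuggerEvalEnabler&) = delete;
private:
    ExecState* m_exec;
    bool m_wasEnabled;
};

// Stand-in for DebuggerCallFrame::evaluate: "runs" a breakpoint action with eval
// enabled and reports whether eval was allowed at that moment. The constructed
// script text "throw" simulates an action that throws.
bool evaluateWithEvalEnabled(ExecState* exec, const std::string& script)
{
    DebuggerEvalEnabler enabler(exec);
    if (script == "throw")
        throw std::runtime_error("breakpoint action threw");
    return exec && exec->lexicalGlobalObject()->evalAllowed();
}

// The cases a reviewer would check; each returns true when the guard behaves.
bool evalEnabledOnlyInsideScope()
{
    GlobalObject global;
    ExecState exec { &global };
    bool insideEnabled = evaluateWithEvalEnabled(&exec, "x + 1");
    return insideEnabled && !global.evalAllowed();
}

bool evalRestoredAfterException()
{
    GlobalObject global;
    ExecState exec { &global };
    try {
        evaluateWithEvalEnabled(&exec, "throw");
    } catch (const std::runtime_error&) {
    }
    return !global.evalAllowed();
}

bool previouslyEnabledEvalStaysEnabled()
{
    GlobalObject global;
    global.setEvalEnabled(true);
    ExecState exec { &global };
    evaluateWithEvalEnabled(&exec, "x + 1");
    return global.evalAllowed();
}

bool nullExecStateIsNoOp()
{
    return !evaluateWithEvalEnabled(nullptr, "x + 1");
}

int main()
{
    std::printf("scope=%d exception=%d keep=%d null=%d\n", evalEnabledOnlyInsideScope(),
        evalRestoredAfterException(), previouslyEnabledEvalStaysEnabled(), nullExecStateIsNoOp());
    return 0;
}
```

        The copy operations are deleted so the guard cannot be duplicated and restore the
        state twice, and the destructor, not the caller, does the restore, which is what makes
        the exception case come out right.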

2014-09-05  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] jsc.exe won't run.
        https://bugs.webkit.org/show_bug.cgi?id=136481

        Reviewed by Alex Christensen.

        We need to define WIN_CAIRO to avoid looking for the AAS folder.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2014-09-05  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks into JSBase, JSObjectRef, JSScriptRef,
        JSStringRef{CF} and JSValueRef.

        Note that the following function arguments are _not_ NULL-checked
        since doing so would just cover up bugs (and were not needed to
        prevent any tests from failing):
        - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
        - |body| in JSObjectMakeFunction();
        - |source| in JSScriptCreateReferencingImmortalASCIIText()
          (which is a const char* anyway);
        - |source| in JSScriptCreateFromString().

        * API/JSBase.cpp:
        (JSEvaluateScript): Add NULL check for |sourceURL|.
        (JSCheckScriptSyntax): Ditto.
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction): Ditto.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Ditto.
        (JSScriptCreateFromString): Add NULL check for |url|.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto. Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Add NULL check for |string|.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.
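
        Why the |this| checks could not stay where they were, and where the checks went
        instead, as an added example. This is editor-supplied code, not the JavaScriptCore
        API: OpaqueString, StringRef, StringGetLength and StringGetCString are stand-ins
        modelled on OpaqueJSString and the JSStringRef entry points, and the sample string
        is constructed. Calling a member function through a null pointer is undefined
        behaviour, so the compiler may assume `this` is non-null and delete an
        `if (!this)` test inside the member (newer clang warns about it and optimizes it
        away). The NULL check therefore has to sit at the C API boundary, before the handle
        is dereferenced, which is what the entry above does.

```cpp
// Added example, not JavaScriptCore code: NULL-checking opaque handles at the
// C API boundary instead of testing `this` inside the class.
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>

class OpaqueString {
public:
    explicit OpaqueString(std::string s) : m_string(std::move(s)) { }
    // No `if (!this)` here: a null OpaqueString* must never reach these members,
    // and a check placed here would be undefined behaviour the compiler may drop.
    size_t length() const { return m_string.size(); }
    const char* characters() const { return m_string.c_str(); }
private:
    std::string m_string;
};
typedef const OpaqueString* StringRef;

// Entry point: validates the handle once, here, and returns 0 for NULL.
size_t StringGetLength(StringRef string)
{
    if (!string)
        return 0;
    return string->length();
}

// Copies the string into |buffer| as a C string, truncating to bufferSize - 1
// characters. Returns the number of bytes written including the terminator, or
// 0 when |string| or |buffer| is NULL or |bufferSize| is 0, so the caller is
// never handed an unterminated buffer.
size_t StringGetCString(StringRef string, char* buffer, size_t bufferSize)
{
    if (!string || !buffer || !bufferSize)
        return 0;
    size_t n = string->length();
    if (n > bufferSize - 1)
        n = bufferSize - 1;
    const char* src = string->characters();
    for (size_t i = 0; i < n; ++i)
        buffer[i] = src[i];
    buffer[n] = '\0';
    return n + 1;
}

// Helpers that drive the API on a constructed string ("hello") so the
// behaviour can be checked without handling raw buffers from outside.
size_t sampleLength(bool passNull)
{
    OpaqueString s("hello");
    return StringGetLength(passNull ? nullptr : &s);
}

std::string sampleCopy(size_t bufferSize)
{
    OpaqueString s("hello");
    char buffer[16] = { 0 };
    if (bufferSize > sizeof(buffer))
        bufferSize = sizeof(buffer);
    size_t written = StringGetCString(&s, buffer, bufferSize);
    return written ? std::string(buffer) : std::string("<no write>");
}

int main()
{
    std::printf("length=%zu nullLength=%zu copy4=%s copy16=%s copy0=%s\n",
        sampleLength(false), sampleLength(true),
        sampleCopy(4).c_str(), sampleCopy(16).c_str(), sampleCopy(0).c_str());
    return 0;
}
```

        The two entry points are the only places that see a possibly-NULL handle, so they
        are the only places that need the check; the class itself is written on the
        assumption that `this` is valid, which is the assumption the compiler makes anyway.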

2014-06-06  Jer Noble  <jer.noble@apple.com>

        Refactoring: make MediaTime the primary time type for audiovisual times.
        https://bugs.webkit.org/show_bug.cgi?id=133579

        Reviewed by Eric Carlson.

        Add a utility function which converts a MediaTime to a JSNumber.

        * runtime/JSCJSValue.h:
        (JSC::jsNumber):

2014-09-04  Michael Saboff  <msaboff@apple.com>

        ARM: Add more coverage to ARMv7 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=136565

        Reviewed by Mark Lam.

        Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
        VCMP, VCVT[R] between floating point and integer, and VLDR.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Move PropertySlot's inline functions back to PropertySlot.h.
        <https://webkit.org/b/136547>

        Reviewed by Filip Pizlo.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue):

2014-09-04  Filip Pizlo  <fpizlo@apple.com>

        Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.

        Rubber stamped by Sam Weinig.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::recompileAllJSFunctions):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/Options.h: Reenable call edge profiling.
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        (JSC::VM::waitForCompilationsToComplete): Deleted.
        * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.

2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
        https://bugs.webkit.org/show_bug.cgi?id=136485

        Reviewed by Michael Saboff.

        Changed makeHostFunctionCall to keep the stack pointer above the call
        frame set up by doVMEntry. Thus the callee will/can not override the top
        of the call frame.

        Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
        more alike to help future maintenance.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-09-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
        https://bugs.webkit.org/show_bug.cgi?id=136436

        Reviewed by Geoffrey Garen.

        Instead of trying to calculate a stack pointer that allows for possible
        stacked argument space, just use the "home" stack pointer location.
        That stack pointer provides space for the worst case number of stacked
        arguments on architectures that use stacked arguments. It also provides
        stack space so that the return PC and caller frame pointer that are stored
        as part of making the call to operationCallEval will not override any part
        of the callee frame created on the stack.

        Changed compileCallEval() to use the stackPointer value of the calling
        function. That stack pointer is calculated to have enough space for
        outgoing stacked arguments. By moving the stack pointer to its "home"
        position, the caller frame and return PC are not set as part of making
        the call to operationCallEval(). Moved the explicit setting of the
        callerFrame field of the callee CallFrame from operationCallEval() to
        compileCallEval() since it has been the artifact of making a call for
        most architectures. Simplified the exception logic in compileCallEval()
        as a result of the change. To be compliant with the stack state
        expected by virtualCallThunkGenerator(), moved the stack pointer to
        point above the CallerFrameAndPC of the callee CallFrame.

        * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
3731 to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
3732 check.
3733 * jit/JITCall.cpp & jit/JITCall32_64.cpp:
3734 (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
3735 to operationCallEval. Since the stack pointer adjustment no longer needs
3736 to be done after making the call to operationCallEval(), the exception check
3737 logic can be simplified.
3738 (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
3739 to above the calleeFrame as this is what the generated thunk expects.
3740 * jit/JITInlines.h:
3741 (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
3742 with the addition of a standard exception check.
3743 (JSC::JIT::callOperationNoExceptionCheck): Deleted.
3744 * jit/JITOperations.cpp:
3745 (JSC::operationCallEval): Eliminated the explicit setting of caller frame
3746 as that is now done in the code generated by compileCallEval().
3747
37482014-09-03 Filip Pizlo <fpizlo@apple.com>
3749
3750 Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
3751 https://bugs.webkit.org/show_bug.cgi?id=136520
3752
3753 Reviewed by Geoffrey Garen.
3754
3755 Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
3756 this patch also makes BlockSet a lot more user-friendly.
3757
3758 * CMakeLists.txt:
3759 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3760 * JavaScriptCore.xcodeproj/project.pbxproj:
3761 * dfg/DFGBasicBlock.h:
3762 * dfg/DFGBlockSet.cpp: Added.
3763 (JSC::DFG::BlockSet::dump):
3764 * dfg/DFGBlockSet.h:
3765 (JSC::DFG::BlockSet::iterator::iterator):
3766 (JSC::DFG::BlockSet::iterator::operator++):
3767 (JSC::DFG::BlockSet::iterator::operator==):
3768 (JSC::DFG::BlockSet::iterator::operator!=):
3769 (JSC::DFG::BlockSet::Iterable::Iterable):
3770 (JSC::DFG::BlockSet::Iterable::begin):
3771 (JSC::DFG::BlockSet::Iterable::end):
3772 (JSC::DFG::BlockSet::iterable):
3773 (JSC::DFG::BlockAdder::BlockAdder):
3774 (JSC::DFG::BlockAdder::operator()):
3775 * dfg/DFGBlockSetInlines.h: Added.
3776 (JSC::DFG::BlockSet::iterator::operator*):
3777 * dfg/DFGDominators.cpp:
3778 (JSC::DFG::Dominators::strictDominatorsOf):
3779 (JSC::DFG::Dominators::dominatorsOf):
3780 (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
3781 (JSC::DFG::Dominators::blocksDominatedBy):
3782 (JSC::DFG::Dominators::dominanceFrontierOf):
3783 (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
3784 * dfg/DFGDominators.h:
3785 (JSC::DFG::Dominators::forAllStrictDominatorsOf):
3786 (JSC::DFG::Dominators::forAllDominatorsOf):
3787 (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
3788 (JSC::DFG::Dominators::forAllBlocksDominatedBy):
3789 (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
3790 (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
3791 (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
3792 (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
3793 * dfg/DFGGraph.cpp:
3794 (JSC::DFG::Graph::dumpBlockHeader):
3795 * dfg/DFGInvalidationPointInjectionPhase.cpp:
3796 (JSC::DFG::InvalidationPointInjectionPhase::run):
3797
37982014-09-04 Mark Lam <mark.lam@apple.com>
3799
3800 Fixed indentations and some style warnings in JavaScriptCore/runtime.
3801 <https://webkit.org/b/136518>
3802
3803 Reviewed by Michael Saboff.
3804
3805 Also removed some superflous spaces. There are no semantic changes.
3806
3807 * runtime/Completion.h:
3808 * runtime/ConstructData.h:
3809 * runtime/DateConstructor.h:
3810 * runtime/DateInstance.h:
3811 * runtime/DateInstanceCache.h:
3812 * runtime/DatePrototype.h:
3813 * runtime/Error.h:
3814 * runtime/ErrorConstructor.h:
3815 * runtime/ErrorInstance.h:
3816 * runtime/ErrorPrototype.h:
3817 * runtime/FunctionConstructor.h:
3818 * runtime/FunctionPrototype.h:
3819 * runtime/GetterSetter.h:
3820 * runtime/Identifier.h:
3821 * runtime/InitializeThreading.h:
3822 * runtime/InternalFunction.h:
3823 * runtime/JSAPIValueWrapper.h:
3824 * runtime/JSFunction.h:
3825 * runtime/JSLock.h:
3826 * runtime/JSNotAnObject.h:
3827 * runtime/JSONObject.h:
3828 * runtime/JSString.h:
3829 * runtime/JSTypeInfo.h:
3830 * runtime/JSWrapperObject.h:
3831 * runtime/Lookup.h:
3832 * runtime/MathObject.h:
3833 * runtime/NativeErrorConstructor.h:
3834 * runtime/NativeErrorPrototype.h:
3835 * runtime/NumberConstructor.h:
3836 * runtime/NumberObject.h:
3837 * runtime/NumberPrototype.h:
3838 * runtime/NumericStrings.h:
3839 * runtime/ObjectConstructor.h:
3840 * runtime/ObjectPrototype.h:
3841 * runtime/PropertyDescriptor.h:
3842 * runtime/Protect.h:
3843 * runtime/PutPropertySlot.h:
3844 * runtime/RegExp.h:
3845 * runtime/RegExpCachedResult.h:
3846 * runtime/RegExpConstructor.h:
3847 * runtime/RegExpMatchesArray.h:
3848 * runtime/RegExpObject.h:
3849 * runtime/RegExpPrototype.h:
3850 * runtime/SmallStrings.h:
3851 * runtime/StringConstructor.h:
3852 * runtime/StringObject.h:
3853 * runtime/StringPrototype.h:
3854 * runtime/StructureChain.h:
3855 * runtime/VM.h:
3856
38572014-09-04 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
3858
3859 Remove CSS_FILTERS flag
3860 https://bugs.webkit.org/show_bug.cgi?id=136529
3861
3862 Reviewed by Dirk Schulze.
3863
3864 * Configurations/FeatureDefines.xcconfig:
3865
38662014-09-04 Commit Queue <commit-queue@webkit.org>
3867
3868 Unreviewed, rolling out r173248.
3869 https://bugs.webkit.org/show_bug.cgi?id=136536
3870
3871 call edge profiling and polymorphic call inlining are still
3872 causing crashes (Requested by eric_carlson on #webkit).
3873
3874 Reverted changeset:
3875
3876 "Reenable call edge profiling and polymorphic call inlining,
3877 now that a bunch of the bugs"
3878 http://trac.webkit.org/changeset/173248
3879
38802014-09-04 Brian J. Burg <burg@cs.washington.edu>
3881
3882 Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
3883 https://bugs.webkit.org/show_bug.cgi?id=136352
3884
3885 Reviewed by Timothy Hatcher.
3886
3887 Hook up pause/continue events to the LegacyProfiler and any active
3888 ProfilerGenerators. If the debugger is paused, all intervening call
3889 entries will be created with totalTime as 0.0.
3890
3891 * inspector/ScriptDebugServer.cpp:
3892 (Inspector::ScriptDebugServer::handlePause):
3893 * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
3894 std::function. This allows callbacks to take different argument types.
3895
3896 (JSC::callFunctionForProfilesWithGroup):
3897 (JSC::LegacyProfiler::willExecute):
3898 (JSC::LegacyProfiler::didExecute):
3899 (JSC::LegacyProfiler::exceptionUnwind):
3900 (JSC::LegacyProfiler::didPause):
3901 (JSC::LegacyProfiler::didContinue):
3902 (JSC::dispatchFunctionToProfiles): Deleted.
3903 * profiler/LegacyProfiler.h:
3904 * profiler/ProfileGenerator.cpp:
3905 (JSC::ProfileGenerator::ProfileGenerator):
3906 (JSC::ProfileGenerator::endCallEntry):
3907 (JSC::ProfileGenerator::didExecute): Deleted.
3908 * profiler/ProfileGenerator.h:
3909 (JSC::ProfileGenerator::didPause):
3910 (JSC::ProfileGenerator::didContinue):
3911
39122014-09-04 Commit Queue <commit-queue@webkit.org>
3913
3914 Unreviewed, rolling out r173245.
3915 https://bugs.webkit.org/show_bug.cgi?id=136533
3916
3917 Broke JSC tests. (Requested by ddkilzer on #webkit).
3918
3919 Reverted changeset:
3920
3921 "JavaScriptCore should build with newer clang"
3922 https://bugs.webkit.org/show_bug.cgi?id=136002
3923 http://trac.webkit.org/changeset/173245
3924
39252014-09-04 Brian J. Burg <burg@cs.washington.edu>
3926
3927 LegacyProfiler: ProfileNodes should be used more like structs
3928 https://bugs.webkit.org/show_bug.cgi?id=136381
3929
3930 Reviewed by Timothy Hatcher.
3931
3932 Previously, both the profile generator and individual profile nodes
3933 were collectively responsible for creating new Call entries and
3934 maintaining data structure invariants. This complexity is unnecessary.
3935
3936 This patch centralizes profile data creation inside the profile generator.
3937 The profile nodes manage nextSibling and parent pointers, but do not
3938 collect the current time or create new Call entries themselves.
3939
3940 Since ProfileNode::nextSibling and its callers are only used within
3941 debug printing code, it should be compiled out for release builds.
3942
3943 * profiler/ProfileGenerator.cpp:
3944 (JSC::ProfileGenerator::ProfileGenerator):
3945 (JSC::AddParentForConsoleStartFunctor::operator()):
3946 (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
3947 (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
3948 (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
3949 (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
3950 (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
3951 (JSC::ProfileGenerator::removeProfileStart):
3952 (JSC::ProfileGenerator::removeProfileEnd):
3953 * profiler/ProfileGenerator.h:
3954 * profiler/ProfileNode.cpp:
3955 (JSC::ProfileNode::ProfileNode):
3956 (JSC::ProfileNode::addChild):
3957 (JSC::ProfileNode::removeChild):
3958 (JSC::ProfileNode::spliceNode): Renamed from insertNode.
3959 (JSC::ProfileNode::debugPrintRecursively):
3960 (JSC::ProfileNode::willExecute): Deleted.
3961 (JSC::ProfileNode::insertNode): Deleted.
3962 (JSC::ProfileNode::stopProfiling): Deleted.
3963 (JSC::ProfileNode::traverseNextNodePostOrder):
3964 (JSC::ProfileNode::endAndRecordCall): Deleted.
3965 (JSC::ProfileNode::debugPrintDataSampleStyle):
3966 * profiler/ProfileNode.h:
3967 (JSC::ProfileNode::Call::setStartTime):
3968 (JSC::ProfileNode::Call::setTotalTime):
3969 (JSC::ProfileNode::appendCall):
3970 (JSC::ProfileNode::firstChild):
3971 (JSC::ProfileNode::lastChild):
3972 (JSC::ProfileNode::nextSibling):
3973 (JSC::ProfileNode::setNextSibling):
3974
39752014-09-02 Brian J. Burg <burg@cs.washington.edu>
3976
3977 Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
3978 https://bugs.webkit.org/show_bug.cgi?id=136476
3979
3980 Reviewed by Timothy Hatcher.
3981
3982 * CMakeLists.txt:
3983 * JavaScriptCore.xcodeproj/project.pbxproj:
3984 * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
3985 * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
3986 * inspector/JSGlobalObjectInspectorController.cpp:
3987 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3988 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3989 * inspector/JSGlobalObjectInspectorController.h:
3990
39912014-09-03 Filip Pizlo <fpizlo@apple.com>
3992
3993 Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
3994 are fixed.
3995
3996 * runtime/Options.h:
3997
39982014-09-03 David Kilzer <ddkilzer@apple.com>
3999
4000 JavaScriptCore should build with newer clang
4001 <http://webkit.org/b/136002>
4002 <rdar://problem/18020616>
4003
4004 Reviewed by Geoffrey Garen.
4005
4006 Other than the JSC::SourceProvider::asID() change (which simply
4007 removes code that the optimizing compiler would have discarded
4008 in Release builds), we move the |this| checks in OpaqueJSString
4009 to NULL checks in to JSBase, JSScriptRef, JSStringRef{CF} and
4010 JSValueRef.
4011
4012 * API/JSBase.cpp:
4013 (JSEvaluateScript): Use String() in case |script| or |sourceURL|
4014 are NULL.
4015 * API/JSScriptRef.cpp:
4016 (JSScriptCreateReferencingImmortalASCIIText): Use String() in
4017 case |url| is NULL.
4018 * API/JSStringRef.cpp:
4019 (JSStringGetLength): Return early if NULL pointer is passed in.
4020 (JSStringGetCharactersPtr): Ditto.
4021 (JSStringGetUTF8CString): Ditto. Also check |buffer| parameter.
4022 * API/JSStringRefCF.cpp:
4023 (JSStringCopyCFString): Ditto.
4024 * API/JSValueRef.cpp:
4025 (JSValueMakeString): Use String() in case |string| is NULL.
4026
4027 * API/OpaqueJSString.cpp:
4028 (OpaqueJSString::string): Remove code that checks |this|.
4029 (OpaqueJSString::identifier): Ditto.
4030 (OpaqueJSString::characters): Ditto.
4031 * API/OpaqueJSString.h:
4032 (OpaqueJSString::is8Bit): Remove code that checks |this|.
4033 (OpaqueJSString::characters8): Ditto.
4034 (OpaqueJSString::characters16): Ditto.
4035 (OpaqueJSString::length): Ditto.
4036
4037 * parser/SourceProvider.h:
4038 (JSC::SourceProvider::asID): Remove code that checks |this|.
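
        The move from |this| checks inside the string object to NULL checks at the C API boundary, as an added C++ example that is not code from this ChangeLog or from JavaScriptCore: OpaqueString, StringRef, StringGetLength, StringGetUTF8CString, sampleString and copyThroughBuffer are constructed stand-ins for OpaqueJSString, JSStringRef, JSStringGetLength and JSStringGetUTF8CString, and the UTF-8 conversion is simplified to a byte copy.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for OpaqueJSString (hypothetical, not the JSC class):
// the object behind a string handle handed out by the C API.
struct OpaqueString {
    std::string text;
    size_t length() const { return text.size(); }
    const char* data() const { return text.data(); }
};
typedef const OpaqueString* StringRef; // stands in for JSStringRef

#if 0
// BEFORE: the pattern the change removes. A member function that tests |this|
// for null relies on undefined behaviour (calling a method through a null
// pointer), so newer clang diagnoses it and the optimizer may delete the test,
// leaving a plain null dereference. Shown disabled; it is never compiled here.
size_t OpaqueString::length() const {
    if (!this)
        return 0;
    return text.size();
}
#endif

// AFTER: the check lives at the API boundary, where a NULL handle is a
// legitimate caller error rather than an impossible object state.
// Mirrors JSStringGetLength: return early if a NULL pointer is passed in.
size_t StringGetLength(StringRef string) {
    if (!string)
        return 0;
    return string->length();
}

// Mirrors JSStringGetUTF8CString: also validates |buffer|. Copies at most
// bufferSize - 1 bytes plus a terminating NUL and returns the number of bytes
// written including the NUL, or 0 when nothing could be written.
size_t StringGetUTF8CString(StringRef string, char* buffer, size_t bufferSize) {
    if (!string || !buffer || bufferSize == 0)
        return 0;
    const size_t n = std::min(string->length(), bufferSize - 1);
    std::memcpy(buffer, string->data(), n);
    buffer[n] = '\0';
    return n + 1;
}

// Constructed sample handle used by the demonstration below.
StringRef sampleString() {
    static const OpaqueString s{"hello"};
    return &s;
}

// Copies through a bufferSize-byte buffer and reports what the caller would
// see, so truncation and the rejected-argument cases are visible as values.
std::string copyThroughBuffer(StringRef string, size_t bufferSize) {
    std::vector<char> buffer(bufferSize);
    const size_t written = StringGetUTF8CString(string, buffer.data(), bufferSize);
    return written ? std::string(buffer.data()) : std::string();
}

int main() {
    std::printf("length(NULL) = %zu\n", StringGetLength(nullptr));
    std::printf("length(sample) = %zu\n", StringGetLength(sampleString()));
    std::printf("4-byte buffer: \"%s\"\n", copyThroughBuffer(sampleString(), 4).c_str());
    std::printf("NULL buffer written = %zu\n", StringGetUTF8CString(sampleString(), nullptr, 16));
    return 0;
}
```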

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
        https://bugs.webkit.org/show_bug.cgi?id=136511

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::mergeBack):

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
        <http://webkit.org/b/136509>

        Reviewed by Daniel Bates.

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
        entry left behind when JSBoundFunction.h was removed.

2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>

        Avoid warning if a process does not have access to com.apple.webinspector
        https://bugs.webkit.org/show_bug.cgi?id=136473

        Reviewed by Alexey Proskuryakov.

        Pre-check for access to the mach port to avoid emitting warnings
        in syslog for processes that do not have access.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::canAccessWebInspectorMachPort):
        (Inspector::RemoteInspector::shared):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
        them.

        * runtime/Options.h:

2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Wrong register usage in LLInt op_catch.
        https://bugs.webkit.org/show_bug.cgi?id=125168

        Reviewed by Geoffrey Garen.

        Fix register usage and add PIC header to all the ops in LLInt.

        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2014-09-03  Saam Barati  <saambarati1@gmail.com>

        Create tests for type profiling
        https://bugs.webkit.org/show_bug.cgi?id=136161

        Reviewed by Geoffrey Garen.

        The type profiler is now being tested. These are basic tests that don't
        check every edge case, but will catch any major failures in the type profiler.
        These tests cover:
        - The basic, inheritance-based type system in TypeSet.
        - Function return types.
        - Correct merging of types for multiple assignments to one variable.

        This patch also provides an API for writing new tests for
        the type profiler. The API works by passing in a function and a
        unique substring of an expression contained in that function, and
        returns an object representing type information for that expression.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString):
        (JSC::StructureShape::toJSONString):
        * runtime/TypeSet.h:
        * tests/typeProfiler: Added.
        * tests/typeProfiler.yaml: Added.
        * tests/typeProfiler/basic.js: Added.
        (wrapper.foo):
        (wrapper):
        * tests/typeProfiler/captured.js: Added.
        (wrapper.changeFoo):
        (wrapper):
        * tests/typeProfiler/driver: Added.
        * tests/typeProfiler/driver/driver.js: Added.
        (assert):
        * tests/typeProfiler/inheritance.js: Added.
        (wrapper.A):
        (wrapper.B):
        (wrapper.C):
        (wrapper):
        * tests/typeProfiler/return.js: Added.
        (foo):
        (Ctor):

2014-09-03  Julien Brianceau  <jbriance@cisco.com>

        Add missing implementations to fix build for sh4 architecture
        https://bugs.webkit.org/show_bug.cgi?id=136455

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branch32WithPatch):
        (JSC::MacroAssemblerSH4::abortWithReason):
        (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        (JSC::AssemblyHelpers::emitFunctionEpilogue):

2014-09-03  Dan Bernstein  <mitz@apple.com>

        Get rid of HIGH_DPI_CANVAS leftovers
        https://bugs.webkit.org/show_bug.cgi?id=136491

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
        and removed it from FEATURE_DEFINES.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
        https://bugs.webkit.org/show_bug.cgi?id=136490

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::visitWeak):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
        https://bugs.webkit.org/show_bug.cgi?id=136488

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
        (foo):

2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>

        Don't generate superfluous mov instructions for move immediate on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=136435

        Reviewed by Michael Saboff.

        On ARM64, the size of an immediate operand for a mov instruction is 16
        bits. Thus, a move immediate offlineasm instruction may potentially be
        split up to several machine level instructions. The current
        implementation always emits a mov for the least significant 16 bits of
        the value. However, if any of the bits 63:16 are significant then the
        first emitted mov already filled bits 15:0 with zeroes (or ones, for
        negative values). So, if bits 15:0 of the value are all zeroes (or ones)
        then the last mov does not need to be emitted.

        * offlineasm/arm64.rb:
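
        The move-immediate lowering described above, as an added C++ model that is not the code in offlineasm/arm64.rb: MovInsn, emitMoveImmediate, simulate and toAsm are constructed names, and the model covers both the non-negative (movz/movk) and negative (movn/movk) cases the entry describes, with a small interpreter to confirm that the shortened sequence still reproduces the value.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One ARM64 mov-immediate instruction. Each carries a 16-bit payload placed at
// bit position |shift| (0, 16, 32 or 48):
//   movz: register = imm16 << shift        (all other bits become zero)
//   movn: register = ~(imm16 << shift)     (all other bits become one)
//   movk: replace only that 16-bit slice and keep the rest
struct MovInsn {
    std::string op;
    uint16_t imm16;
    int shift;
};

// Lower a 64-bit immediate into a movz/movn followed by movk instructions.
// The first instruction fills every bit with the background (zeroes for a
// non-negative value, ones for a negative one), so any later slice that
// already equals the background needs no instruction. That is the ChangeLog's
// point: when bits 15:0 are all zero (or all one) and a higher slice has been
// emitted, the trailing mov for bits 15:0 is redundant and is dropped.
std::vector<MovInsn> emitMoveImmediate(int64_t value) {
    std::vector<MovInsn> out;
    const bool negative = value < 0;
    // For negatives work on the complement: its zero slices are exactly the
    // slices of |value| that the all-ones movn background already covers.
    const uint64_t work = negative ? ~static_cast<uint64_t>(value)
                                   : static_cast<uint64_t>(value);
    for (int shift = 48; shift >= 0; shift -= 16) {
        const uint16_t slice = static_cast<uint16_t>((work >> shift) & 0xffff);
        const bool first = out.empty();
        // Skip background slices, except that the last slice must be emitted
        // when nothing has been emitted yet (the value is 0 or -1).
        if (slice == 0 && !(first && shift == 0))
            continue;
        if (first) {
            out.push_back({negative ? "movn" : "movz", slice, shift});
        } else {
            // movk takes the slice of the real value, not of the complement.
            const uint16_t real = static_cast<uint16_t>(
                (static_cast<uint64_t>(value) >> shift) & 0xffff);
            out.push_back({"movk", real, shift});
        }
    }
    return out;
}

// Interpret a sequence the way the CPU would, to check it rebuilds the value.
uint64_t simulate(const std::vector<MovInsn>& insns) {
    uint64_t reg = 0;
    for (const MovInsn& i : insns) {
        const uint64_t placed = static_cast<uint64_t>(i.imm16) << i.shift;
        if (i.op == "movz")
            reg = placed;
        else if (i.op == "movn")
            reg = ~placed;
        else // movk
            reg = (reg & ~(0xffffULL << i.shift)) | placed;
    }
    return reg;
}

// Render one instruction in assembler syntax, targeting x0.
std::string toAsm(const MovInsn& i) {
    char buf[64];
    if (i.shift)
        std::snprintf(buf, sizeof buf, "%s x0, #0x%x, lsl #%d",
                      i.op.c_str(), static_cast<unsigned>(i.imm16), i.shift);
    else
        std::snprintf(buf, sizeof buf, "%s x0, #0x%x",
                      i.op.c_str(), static_cast<unsigned>(i.imm16));
    return buf;
}

int main() {
    // Constructed sample immediates; 0x12340000 and -65536 are the cases the
    // change shortens to a single instruction.
    const int64_t samples[] = { 0, -1, 0x12340000, 0x12345678, -65536, -2 };
    for (int64_t v : samples) {
        std::printf("0x%016llx:\n", static_cast<unsigned long long>(v));
        for (const MovInsn& i : emitMoveImmediate(v))
            std::printf("    %s\n", toAsm(i).c_str());
    }
    return 0;
}
```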

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: remove redundant ProfileNode members and other cleanup
        https://bugs.webkit.org/show_bug.cgi?id=136380

        Reviewed by Timothy Hatcher.

        ProfileNode's selfTime and totalTime members are redundant and only used
        for dumping profile data from debug-only code. Remove the members and compute
        the same data on-demand when necessary using a postorder traversal functor.

        Remove ProfileNode.head since it is only used to calculate percentages for
        dumped profile data. This can be explicitly passed around when needed.

        Rename Profile.head to Profile.rootNode, and other various renamings.

        Rearrange some header includes so that touching LegacyProfiler-related headers
        will no longer cause a full rebuild.

        * inspector/JSConsoleClient.cpp: Add header include.
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
        * jit/JIT.h: Remove header include.
        * jit/JITCode.h: Remove header include.
        * jit/JITOperations.cpp: Sort and add header include.
        * llint/LLIntSlowPaths.cpp: Sort and add header include.
        * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
        postorder traversal code to ProfileNode so we can traverse any subtree.
        (JSC::Profile::Profile):
        (JSC::Profile::debugPrint):
        (JSC::Profile::debugPrintSampleStyle):
        (JSC::Profile::forEach): Deleted.
        (JSC::Profile::debugPrintData): Deleted.
        (JSC::Profile::debugPrintDataSampleStyle): Deleted.
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::didExecute):
        (JSC::StopProfilingFunctor::operator()):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::willExecute):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrint):
        (JSC::ProfileNode::debugPrintSampleStyle):
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::debugPrintSampleStyleRecursively):
        (JSC::ProfileNode::debugPrintData): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
        * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
        The forEachNodePostorder functor traverses the subtree rooted at |this|.
        (JSC::ProfileNode::create):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::forEachNodePostorder):
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::head): Deleted.
        (JSC::ProfileNode::setHead): Deleted.
        (JSC::ProfileNode::totalTime): Deleted.
        (JSC::ProfileNode::setTotalTime): Deleted.
        (JSC::ProfileNode::selfTime): Deleted.
        (JSC::ProfileNode::setSelfTime): Deleted.
        (JSC::ProfileNode::totalPercent): Deleted.
        (JSC::ProfileNode::selfPercent): Deleted.
        * runtime/ConsoleClient.h: Remove header include.

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=136462

        Reviewed by Timothy Hatcher.

        It's not used by the frontend anymore.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
        methods since they didn't work for JSContexts anyway.
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        * inspector/JSConsoleClient.h:

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorProfilerAgent.cpp: Removed.
        * inspector/agents/InspectorProfilerAgent.h: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
        * inspector/protocol/Profiler.json: Removed.

2014-09-02  Andreas Kling  <akling@apple.com>

        Optimize own property GetByVals with rope string subscripts.
        <https://webkit.org/b/136458>

        For simple JSObjects that don't override getOwnPropertySlot to implement
        custom properties, we have a fast path that grabs directly at the object
        property storage.

        Make this fast path even faster when the property name is an unresolved
        rope string by using JSString::toExistingAtomicString(). This is faster
        because it avoids allocating a new StringImpl if the string is already
        a known Identifier, which is guaranteed to be the case if it's present
        as an own property on the object.

        ~10% speed-up on Dromaeo/dom-attr.html

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):

        When using the fastGetOwnProperty() optimization, get the String
        out of JSString by using toExistingAtomicString(). This avoids
        StringImpl allocation and lets us bypass the PropertyTable lookup
        entirely if no AtomicString is found.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

        Make fastGetOwnProperty() take a PropertyName instead of a String.
        This avoids churning the ref count, since we don't need to create
        a temporary wrapper around the AtomicStringImpl* found in GetByVal.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):

        Add constructor: PropertyName(AtomicStringImpl*)

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

        Remove code for querying a PropertyTable with an unhashed string key
        since the only client is now gone.

2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
        https://bugs.webkit.org/show_bug.cgi?id=136429

        Reviewed by Csaba Osztrogonác.

        Changed test32 to use tst to check if reg is zero, instead of cmp.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::test32):

2014-09-02  Michael Saboff  <msaboff@apple.com>

        Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
        https://bugs.webkit.org/show_bug.cgi?id=136305

        Reviewed by Filip Pizlo.

        While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
        and then JITCode::execute() calls the normal entrypoint. This is incompatible
        with the expectation of FTL generated functions. Changed ProtoCallFrame to not
        perform the arity fix, but just flag an arity mismatch. Now JITCode::execute()
        uses that arity mismatch condition to select the normal or arity check
        entrypoint. The entrypoint selection is only done for functions; programs
        and eval always have one parameter.

        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
        should be called.
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.

2014-09-02  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] testapi.exe is not built.
        https://bugs.webkit.org/show_bug.cgi?id=136369

        Reviewed by Alex Christensen.

        The testapi project should be of type Application.

        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.

2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>

        [CMAKE] Add missing offlineasm dependencies
        https://bugs.webkit.org/show_bug.cgi?id=136437

        Reviewed by Csaba Osztrogonác.

        Add the ARM64, MIPS and SH4 backends to the dependencies.

        * CMakeLists.txt:

2014-09-01  Brian J. Burg  <burg@cs.washington.edu>

        Provide column numbers to DTrace willExecute/didExecute probes
        https://bugs.webkit.org/show_bug.cgi?id=136434

        Reviewed by Antti Koivisto.

        Provide the columnNumber and update stubs for !HAVE(DTRACE).

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * runtime/Tracing.d:
        * runtime/Tracing.h:

2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
        https://bugs.webkit.org/show_bug.cgi?id=136194

        Reviewed by Csaba Osztrogonác.

        Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.

        * CMakeLists.txt:

2014-08-26  Maciej Stachowiak  <mjs@apple.com>

        Use RetainPtr::autorelease in some places where it seems appropriate
        https://bugs.webkit.org/show_bug.cgi?id=136280

        Reviewed by Darin Adler.

        * API/JSContext.mm:
        (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
        * API/JSValue.mm:
        (valueToString): Make appropriate use of RetainPtr.

2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
        https://bugs.webkit.org/show_bug.cgi?id=136391

        Reviewed by Michael Saboff.

        Do not rely on calling conventions to fill in the CallerFrame component
        of the ExecState* parameter of the called function.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-29  Saam Barati  <sbarati@apple.com>

        emit op_profile_type for deconstruction assignments
        https://bugs.webkit.org/show_bug.cgi?id=136274

        Reviewed by Filip Pizlo.

        Enable type profiling for ES6 deconstruction expressions.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BindingNode::bindValue):

2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Use ASCIILiteral where possible
        https://bugs.webkit.org/show_bug.cgi?id=136179

        Reviewed by Michael Saboff.

        General string / character related changes. Use ASCIILiteral where
        possible, jsNontrivialString where possible, and replace string
        literals with character literals in some places.

        No new tests, no changes to functionality.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ObjectPatternNode::toString):
        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/scripts/codegen/generator_templates.py:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDescribeArray):
        (functionRun):
        (functionLoad):
        (functionReadFile):
        (functionCheckSyntax):
        (functionTransferArrayBuffer):
        (runWithScripts):
4544 (runInteractive):
4545 * parser/Lexer.cpp:
4546 (JSC::Lexer<T>::invalidCharacterMessage):
4547 (JSC::Lexer<T>::parseString):
4548 (JSC::Lexer<T>::parseStringSlowCase):
4549 (JSC::Lexer<T>::lex):
4550 * profiler/Profile.cpp:
4551 (JSC::Profile::Profile):
4552 * runtime/Arguments.cpp:
4553 (JSC::argumentsFuncIterator):
4554 * runtime/ArrayPrototype.cpp:
4555 (JSC::performSlowSort):
4556 (JSC::arrayProtoFuncSort):
4557 * runtime/ExceptionHelpers.cpp:
4558 (JSC::createError):
4559 (JSC::createInvalidParameterError):
4560 (JSC::createNotAConstructorError):
4561 (JSC::createNotAFunctionError):
4562 (JSC::createNotAnObjectError):
4563 (JSC::createErrorForInvalidGlobalAssignment):
4564 * runtime/FunctionPrototype.cpp:
4565 (JSC::insertSemicolonIfNeeded):
4566 * runtime/JSArray.cpp:
4567 (JSC::JSArray::defineOwnProperty):
4568 (JSC::JSArray::pop):
4569 (JSC::JSArray::push):
4570 * runtime/JSArrayBufferConstructor.cpp:
4571 (JSC::JSArrayBufferConstructor::finishCreation):
4572 * runtime/JSArrayBufferPrototype.cpp:
4573 (JSC::arrayBufferProtoFuncSlice):
4574 * runtime/JSDataView.cpp:
4575 (JSC::JSDataView::create):
4576 * runtime/JSDataViewPrototype.cpp:
4577 (JSC::getData):
4578 (JSC::setData):
4579 * runtime/JSGlobalObject.cpp:
4580 (JSC::JSGlobalObject::reset):
4581 * runtime/JSGlobalObjectFunctions.cpp:
4582 (JSC::globalFuncProtoSetter):
4583 * runtime/JSPromiseConstructor.cpp:
4584 (JSC::JSPromiseConstructor::finishCreation):
4585 * runtime/LiteralParser.cpp:
4586 (JSC::LiteralParser<CharType>::Lexer::lex):
4587 (JSC::LiteralParser<CharType>::Lexer::lexString):
4588 (JSC::LiteralParser<CharType>::parse):
4589 * runtime/LiteralParser.h:
4590 (JSC::LiteralParser::getErrorMessage):
4591 * runtime/TypeSet.cpp:
4592 (JSC::TypeSet::seenTypes):
4593 (JSC::TypeSet::displayName):
4594 (JSC::TypeSet::allPrimitiveTypeNames):
4595 (JSC::StructureShape::propertyHash):
4596 (JSC::StructureShape::stringRepresentation):
4597
2014-08-29 Csaba Osztrogonác <ossy@webkit.org>

Unreviewed, remove empty directories.

* qt: Removed.

2014-08-28 Mark Lam <mark.lam@apple.com>

DebuggerCallFrame::scope() should return a DebuggerScope.
<https://webkit.org/b/134420>

Reviewed by Geoffrey Garen.

Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.

Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
peers) which the WebInspector will use to introspect CallFrame variables.
Instead, we should be returning a DebuggerScope as an abstraction layer that
provides the introspection functionality that the WebInspector needs. This
is the first step towards not forcing every frame to have a JSActivation
object just because the debugger is enabled.

1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
instead of the VM. This allows JSObject::globalObject() to be able to
return the global object for the DebuggerScope.

2. On the DebuggerScope's life-cycle management:

The DebuggerCallFrame is designed to be "valid" only during a debugging session
(while the debugger is broken) through the use of a DebuggerCallFrameScope in
Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the
DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
We can't guarantee (from this code alone) that the Inspector code isn't still
holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
the frame will be invalidated, and any attempt to query it will return null values.
This is pre-existing behavior.

Now, we're adding the DebuggerScope into the picture. While a single debugger
pause session is in progress, the Inspector may request the scope from the
DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want
DebuggerCallFrame::scope() to always return the same DebuggerScope object.
This is why we hold on to the DebuggerScope with a strong ref.

If we use a weak ref instead, the following kooky behavior can manifest:
1. The Inspector calls Debugger::scope() to get the top scope.
2. The Inspector iterates down the scope chain and is now only holding a
reference to a parent scope. It is no longer referencing the top scope.
3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
gets cleared.
4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
a different DebuggerScope instance.
5. The Inspector iterates down the scope chain but never sees the parent scope
instance that it retained a ref to in step 2 above. This is because when iterating
this new DebuggerScope instance (which has no knowledge of the previous parent
DebuggerScope instance), a new DebuggerScope instance will get created for the
same parent scope.

Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
instantiated) will also get invalidated. This is why we need the
DebuggerScope::invalidateChain() method. The Inspector should not be using the
DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does,
those methods will do nothing or return a failed status.

Fix for <https://webkit.org/b/135656>:
3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
m_thisValue in the returned slot to the wrapped scope object. Previously,
it was pointing to the DebuggerScope though the rest of the fields in the
returned slot will be set to data pertaining to the wrapped scope object.

4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
wrapped scope. This is because JSObject::getPropertySlot() cannot be
overridden, and when called on a DebuggerScope, will not know to look in
the prototype chain of the DebuggerScope's wrapped scope. Hence, we'll
treat all properties in the wrapped scope as own properties in the
DebuggerScope. This is fine because the WebInspector does not presently
care about where in the prototype chain the scope property comes from.

Note that the DebuggerScope and the JSActivation objects that it wraps do
not have prototypes. They are always jsNull(). This works perfectly with
the above change to use getPropertySlot() instead of getOwnPropertySlot().
To make this an explicit invariant, I also changed DebuggerScope::createStructure()
and JSActivation::createStructure() to not take a prototype argument, and
to always use jsNull() for their prototype value.

* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::invalidate):
* debugger/DebuggerCallFrame.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerScope::next):
(JSC::DebuggerScope::invalidateChain):
(JSC::DebuggerScope::isWithScope):
(JSC::DebuggerScope::isGlobalScope):
(JSC::DebuggerScope::isFunctionOrEvalScope):
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::createStructure):
(JSC::DebuggerScope::iterator::iterator):
(JSC::DebuggerScope::iterator::get):
(JSC::DebuggerScope::iterator::operator++):
(JSC::DebuggerScope::iterator::operator==):
(JSC::DebuggerScope::iterator::operator!=):
(JSC::DebuggerScope::isValid):
(JSC::DebuggerScope::jsScope):
(JSC::DebuggerScope::begin):
(JSC::DebuggerScope::end):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
(Inspector::JSJavaScriptCallFrame::scopeChain):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::scopeChain):
* inspector/ScriptDebugServer.cpp:
* runtime/JSActivation.h:
(JSC::JSActivation::createStructure):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::debuggerScopeStructure):
* runtime/JSObject.cpp:
* runtime/JSObject.h:
(JSC::JSObject::isWithScope):
* runtime/JSScope.h:
* runtime/PropertySlot.h:
(JSC::PropertySlot::setThisValue):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setThisValue):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

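The weak-versus-strong reference reasoning in the entry above, replayed as an added example (this is editor-written model code, not JavaScriptCore's DebuggerScope or DebuggerCallFrame). It assumes std::shared_ptr stands in for a strong GC reference, std::weak_ptr for a weak one, and the destruction of an unreachable shared_ptr object for the collector clearing it; the JSScopeModel, ScopeWrapper and CallFrameModel names are invented for the illustration.

```cpp
// Added example, not JavaScriptCore code: a model of the weak-vs-strong reference
// choice described in the ChangeLog entry. Assumptions: std::shared_ptr stands in
// for a strong GC reference, std::weak_ptr for a weak one, and destruction of an
// unreachable shared_ptr object stands in for the collector clearing it.
#include <cstdio>
#include <memory>
#include <string>

// The runtime scope being wrapped (a JSActivation-like object), owned by the "VM".
struct JSScopeModel {
    std::string name;
    JSScopeModel* next;   // enclosing scope, nullptr at the end of the chain
};

// The wrapper the Inspector sees. parent() lazily creates and caches the wrapper
// for the enclosing scope, so walking down from one wrapper is stable, but a
// different wrapper for the same runtime scope knows nothing about that cache.
struct ScopeWrapper {
    JSScopeModel* scope;
    std::shared_ptr<ScopeWrapper> parentWrapper;
    explicit ScopeWrapper(JSScopeModel* s) : scope(s) {}
    std::shared_ptr<ScopeWrapper> parent() {
        if (!parentWrapper && scope->next)
            parentWrapper = std::make_shared<ScopeWrapper>(scope->next);
        return parentWrapper;
    }
};

// The frame owning the chain. With holdStrong it keeps the top wrapper alive for
// the whole pause; otherwise it only remembers it weakly and recreates it on demand.
struct CallFrameModel {
    JSScopeModel* topScope;
    bool holdStrong;
    std::shared_ptr<ScopeWrapper> strongTop;
    std::weak_ptr<ScopeWrapper> weakTop;

    CallFrameModel(JSScopeModel* top, bool strong) : topScope(top), holdStrong(strong) {}

    std::shared_ptr<ScopeWrapper> scope() {
        if (holdStrong) {
            if (!strongTop) strongTop = std::make_shared<ScopeWrapper>(topScope);
            return strongTop;
        }
        if (auto existing = weakTop.lock()) return existing;   // still alive: same instance
        auto fresh = std::make_shared<ScopeWrapper>(topScope); // cleared: a new instance
        weakTop = fresh;
        return fresh;
    }
};

// Replays steps 1-5 from the entry and reports whether the parent wrapper seen on
// the first walk is the same instance as the one seen after the top was dropped.
bool parentIdentityIsStable(bool holdStrong) {
    JSScopeModel global{"global", nullptr};        // constructed sample chain
    JSScopeModel function{"function", &global};
    CallFrameModel frame(&function, holdStrong);

    std::shared_ptr<ScopeWrapper> parentHeld;
    {
        auto top = frame.scope();                  // 1. Inspector gets the top scope
        parentHeld = top->parent();                // 2. walks down, keeps only the parent
    }                                              //    ... and drops the top wrapper
    // 3. "GC": with a weak ref in the frame the top wrapper is unreachable and gone.
    auto parentAgain = frame.scope()->parent();    // 4. ask for the top again, 5. walk down
    return parentHeld.get() == parentAgain.get();
}

int main() {
    std::printf("strong ref: parent identity stable = %d\n", parentIdentityIsStable(true));
    std::printf("weak ref:   parent identity stable = %d\n", parentIdentityIsStable(false));
    return 0;
}
```

With the strong reference the second walk yields the very parent wrapper the Inspector is still holding; with the weak reference the frame hands out a fresh top wrapper whose lazily created parent is a different object, which is the mismatch the entry's step 5 describes.
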
2014-08-28 Andreas Kling <akling@apple.com>

Use JSString::toIdentifier() in more places.
<https://webkit.org/b/136348>

Call sites that grab the WTF::String from a JSString using value() can
use the more efficient toIdentifier() if the string is going to be used
to construct an Identifier.

If the JSString is a rope that resolves to something that is already
present in the VM's Identifier table, using toIdentifier() can avoid
allocating a new StringImpl.

Reviewed by Geoffrey Garen.

* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncPropertyIsEnumerable):

2014-08-27 Filip Pizlo <fpizlo@apple.com>

DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
https://bugs.webkit.org/show_bug.cgi?id=93361

Reviewed by Mark Hahnenberg.

This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
and block worklists. It changes preexisting code to use these abstractions.

The main effect of this code is that all current clients of dominators end up using the
results of the new idom calculation. We convert the dom tree to a dominance test using
Dietz's pre/post number range check trick.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAnalysis.h:
(JSC::DFG::Analysis::computeIfNecessary):
(JSC::DFG::Analysis::computeDependencies):
* dfg/DFGBlockMap.h: Added.
(JSC::DFG::BlockMap::BlockMap):
(JSC::DFG::BlockMap::size):
(JSC::DFG::BlockMap::atIndex):
(JSC::DFG::BlockMap::operator[]):
* dfg/DFGBlockMapInlines.h: Added.
(JSC::DFG::BlockMap<T>::BlockMap):
* dfg/DFGBlockSet.h: Added.
(JSC::DFG::BlockSet::BlockSet):
(JSC::DFG::BlockSet::add):
(JSC::DFG::BlockSet::contains):
* dfg/DFGBlockWorklist.cpp: Added.
(JSC::DFG::BlockWorklist::BlockWorklist):
(JSC::DFG::BlockWorklist::~BlockWorklist):
(JSC::DFG::BlockWorklist::push):
(JSC::DFG::BlockWorklist::pop):
(JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
(JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
(JSC::DFG::PostOrderBlockWorklist::pushPre):
(JSC::DFG::PostOrderBlockWorklist::pushPost):
(JSC::DFG::PostOrderBlockWorklist::pop):
* dfg/DFGBlockWorklist.h: Added.
(JSC::DFG::BlockWorklist::notEmpty):
(JSC::DFG::BlockWith::BlockWith):
(JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
(JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
(JSC::DFG::ExtendedBlockWorklist::forcePush):
(JSC::DFG::ExtendedBlockWorklist::push):
(JSC::DFG::ExtendedBlockWorklist::notEmpty):
(JSC::DFG::ExtendedBlockWorklist::pop):
(JSC::DFG::BlockWithOrder::BlockWithOrder):
(JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
(JSC::DFG::PostOrderBlockWorklist::push):
(JSC::DFG::PostOrderBlockWorklist::notEmpty):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::compute):
(JSC::DFG::Dominators::naiveDominates):
(JSC::DFG::Dominators::dump):
(JSC::DFG::Dominators::pruneDominators): Deleted.
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::strictlyDominates):
(JSC::DFG::Dominators::dominates):
(JSC::DFG::Dominators::BlockData::BlockData):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::getBlocksInPreOrder):
(JSC::DFG::Graph::getBlocksInPostOrder):
* dfg/DFGInvalidationPointInjectionPhase.cpp:
(JSC::DFG::InvalidationPointInjectionPhase::run):
* dfg/DFGNaiveDominators.cpp: Added.
(JSC::DFG::NaiveDominators::NaiveDominators):
(JSC::DFG::NaiveDominators::~NaiveDominators):
(JSC::DFG::NaiveDominators::compute):
(JSC::DFG::NaiveDominators::pruneDominators):
(JSC::DFG::NaiveDominators::dump):
* dfg/DFGNaiveDominators.h: Added.
(JSC::DFG::NaiveDominators::dominates):
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoops::computeDependencies):
(JSC::DFG::NaturalLoops::compute):
* dfg/DFGNaturalLoops.h:

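The dominance test the entry above describes, as an added example (editor-written code, not the DFG's Dominators class): an idom computation followed by the pre/post numbering of the dominator tree that turns dominates(a, b) into a range check. Assumptions: the idoms are computed with the iterative Cooper, Harvey and Kennedy algorithm rather than Lengauer-Tarjan, since the range-check trick is independent of how the tree was found; block 0 is the root; the Graph and Dominators types and the sample CFG are constructed for the illustration.

```cpp
// Added example, not JavaScriptCore code: immediate dominators for a small CFG,
// then dominance queries via the pre/post numbering trick from the entry above.
// Assumption: idoms come from the iterative Cooper-Harvey-Kennedy algorithm
// instead of Lengauer-Tarjan; the dominance test built on top is the same range
// check either way. Block 0 is the root; blocks are plain int indices.
#include <algorithm>
#include <cstdio>
#include <utility>
#include <vector>

struct Graph {
    std::vector<std::vector<int>> successors;   // successors[b] = successor blocks of b
};

struct Dominators {
    std::vector<int> idom;      // idom[b]; -1 for the root and for unreachable blocks
    std::vector<int> preNum;    // DFS preorder number in the dominator tree (-1 if unreachable)
    std::vector<int> postNum;   // DFS postorder number in the dominator tree, same counter

    // a dominates b iff a is b or an ancestor of b in the dominator tree. With one
    // counter for pre and post numbers, that is exactly interval containment.
    bool dominates(int a, int b) const {
        return preNum[a] >= 0 && preNum[b] >= 0
            && preNum[a] <= preNum[b] && postNum[b] <= postNum[a];
    }
    bool strictlyDominates(int a, int b) const { return a != b && dominates(a, b); }
};

// Iterative DFS over 'succ' from 'root': fills pre/post numbers from one shared
// counter and appends nodes to 'order' in postorder. Unvisited nodes keep -1.
static void dfs(const std::vector<std::vector<int>>& succ, int root,
                std::vector<int>& pre, std::vector<int>& post, std::vector<int>& order) {
    pre.assign(succ.size(), -1);
    post.assign(succ.size(), -1);
    int counter = 0;
    std::vector<std::pair<int, size_t>> stack;   // (block, index of next successor to visit)
    stack.push_back({root, 0});
    pre[root] = counter++;
    while (!stack.empty()) {
        int b = stack.back().first;
        if (stack.back().second < succ[b].size()) {
            int s = succ[b][stack.back().second++];
            if (pre[s] == -1) { pre[s] = counter++; stack.push_back({s, 0}); }
        } else {
            post[b] = counter++;
            order.push_back(b);
            stack.pop_back();
        }
    }
}

Dominators computeDominators(const Graph& g) {
    const int n = static_cast<int>(g.successors.size());
    // 1. Reverse postorder of the CFG; unreachable blocks keep rpoIndex -1.
    std::vector<int> cfgPre, cfgPost, order;
    dfs(g.successors, 0, cfgPre, cfgPost, order);
    std::reverse(order.begin(), order.end());
    std::vector<int> rpoIndex(n, -1);
    for (int i = 0; i < static_cast<int>(order.size()); ++i) rpoIndex[order[i]] = i;
    std::vector<std::vector<int>> preds(n);
    for (int b = 0; b < n; ++b)
        for (int s : g.successors[b]) preds[s].push_back(b);

    // 2. Iterate idom[b] = intersection of the idoms of processed predecessors until stable.
    std::vector<int> idom(n, -1);
    idom[0] = 0;
    auto intersect = [&](int b1, int b2) {
        while (b1 != b2) {
            while (rpoIndex[b1] > rpoIndex[b2]) b1 = idom[b1];
            while (rpoIndex[b2] > rpoIndex[b1]) b2 = idom[b2];
        }
        return b1;
    };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b : order) {
            if (b == 0) continue;
            int newIdom = -1;
            for (int p : preds[b]) {
                if (idom[p] == -1) continue;        // not yet processed, or unreachable
                newIdom = (newIdom == -1) ? p : intersect(p, newIdom);
            }
            if (newIdom != idom[b]) { idom[b] = newIdom; changed = true; }
        }
    }
    idom[0] = -1;

    // 3. Build the dominator tree and number it with one DFS counter (Dietz's trick).
    std::vector<std::vector<int>> children(n);
    for (int b = 0; b < n; ++b)
        if (idom[b] != -1) children[idom[b]].push_back(b);
    Dominators d;
    d.idom = idom;
    std::vector<int> unused;
    dfs(children, 0, d.preNum, d.postNum, unused);
    return d;
}

// Constructed sample CFG: 0->{1,2}, 1->3, 2->3, 3->{4,1} (a loop), 4 exits, 5 is unreachable.
Dominators sampleDominators() {
    Graph g;
    g.successors = {{1, 2}, {3}, {3}, {4, 1}, {}, {0}};
    return computeDominators(g);
}

int main() {
    Dominators d = sampleDominators();
    for (int b = 0; b < static_cast<int>(d.idom.size()); ++b)
        std::printf("idom(%d) = %d\n", b, d.idom[b]);
    std::printf("3 dominates 4: %d, 1 dominates 3: %d\n", d.dominates(3, 4), d.dominates(1, 3));
    return 0;
}
```

On the sample graph every block but 4 has idom 0 (the diamond joins at 3 and the back edge 3->1 does not change that), block 4 is dominated by 3, and the unreachable block 5 has no idom and never satisfies dominates(). Once the tree is numbered, each query is two comparisons, which is why the engine converts the dom tree to this form rather than walking idom links at every query.
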
2014-08-27 Filip Pizlo <fpizlo@apple.com>

FTL should be able to do polymorphic call inlining
https://bugs.webkit.org/show_bug.cgi?id=135145

Reviewed by Geoffrey Garen.

Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
inlining sites use the call edge profile if it is available, but they will still fall back
on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
multiple possible callees can be inlined with a switch to guard them. The slow path may
either be an OSR exit or a virtual call.

The call edge profiling added in this patch is very precise - it will tell you about every
call that has ever happened. It took some effort to reduce the overhead of this profiling.
This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
I also experimented with reducing the precision of the profiling. This led to a significant
reduction in the speed-up, so I avoided this approach. I also explored making log processing
concurrent, but that didn't help. Also, I tested the overhead of the log processing and
found that most of the overhead of this profiling is actually in putting things into the log
rather than in processing the log - that part appears to be surprisingly cheap.

Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
and if we guarded such inlining sites with some profiling mechanism to detect
polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
it's actually monomorphic).

This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
on anything we care about. Some aggregates, like V8Spider, see a regression. This is
highlighting the increase in profiling overhead. But since this doesn't show up on any major
score (code-load or SunSpider), it's probably not relevant.

Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallEdge.cpp: Added.
(JSC::CallEdge::dump):
* bytecode/CallEdge.h: Added.
(JSC::CallEdge::operator!):
(JSC::CallEdge::callee):
(JSC::CallEdge::count):
(JSC::CallEdge::despecifiedClosure):
(JSC::CallEdge::CallEdge):
* bytecode/CallEdgeProfile.cpp: Added.
(JSC::CallEdgeProfile::callEdges):
(JSC::CallEdgeProfile::numCallsToKnownCells):
(JSC::worthDespecifying):
(JSC::CallEdgeProfile::worthDespecifying):
(JSC::CallEdgeProfile::visitWeak):
(JSC::CallEdgeProfile::addSlow):
(JSC::CallEdgeProfile::mergeBack):
(JSC::CallEdgeProfile::fadeByHalf):
(JSC::CallEdgeLog::CallEdgeLog):
(JSC::CallEdgeLog::~CallEdgeLog):
(JSC::CallEdgeLog::isEnabled):
(JSC::operationProcessCallEdgeLog):
(JSC::CallEdgeLog::emitLogCode):
(JSC::CallEdgeLog::processLog):
* bytecode/CallEdgeProfile.h: Added.
(JSC::CallEdgeProfile::numCallsToNotCell):
(JSC::CallEdgeProfile::numCallsToUnknownCell):
(JSC::CallEdgeProfile::totalCalls):
* bytecode/CallEdgeProfileInlines.h: Added.
(JSC::CallEdgeProfile::CallEdgeProfile):
(JSC::CallEdgeProfile::add):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkInfo.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::computeFromCallEdgeProfile):
(JSC::CallLinkStatus::computeDFGStatuses):
(JSC::CallLinkStatus::isClosureCall):
(JSC::CallLinkStatus::makeClosureCall):
(JSC::CallLinkStatus::dump):
(JSC::CallLinkStatus::function): Deleted.
(JSC::CallLinkStatus::internalFunction): Deleted.
(JSC::CallLinkStatus::intrinsicFor): Deleted.
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::isSet):
(JSC::CallLinkStatus::couldTakeSlowPath):
(JSC::CallLinkStatus::edges):
(JSC::CallLinkStatus::size):
(JSC::CallLinkStatus::at):
(JSC::CallLinkStatus::operator[]):
(JSC::CallLinkStatus::canOptimize):
(JSC::CallLinkStatus::canTrustCounts):
(JSC::CallLinkStatus::isClosureCall): Deleted.
(JSC::CallLinkStatus::callTarget): Deleted.
(JSC::CallLinkStatus::executable): Deleted.
(JSC::CallLinkStatus::makeClosureCall): Deleted.
* bytecode/CallVariant.cpp: Added.
(JSC::CallVariant::dump):
* bytecode/CallVariant.h: Added.
(JSC::CallVariant::CallVariant):
(JSC::CallVariant::operator!):
(JSC::CallVariant::despecifiedClosure):
(JSC::CallVariant::rawCalleeCell):
(JSC::CallVariant::internalFunction):
(JSC::CallVariant::function):
(JSC::CallVariant::isClosureCall):
(JSC::CallVariant::executable):
(JSC::CallVariant::nonExecutableCallee):
(JSC::CallVariant::intrinsicFor):
(JSC::CallVariant::functionExecutable):
(JSC::CallVariant::isHashTableDeletedValue):
(JSC::CallVariant::operator==):
(JSC::CallVariant::operator!=):
(JSC::CallVariant::operator<):
(JSC::CallVariant::operator>):
(JSC::CallVariant::operator<=):
(JSC::CallVariant::operator>=):
(JSC::CallVariant::hash):
(JSC::CallVariant::deletedToken):
(JSC::CallVariantHash::hash):
(JSC::CallVariantHash::equal):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::isNormalCall):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::~BasicBlock):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::takeLast):
(JSC::DFG::BasicBlock::didLink):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::processSetLocalQueue):
(JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::undoFunctionChecks):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::prepareToParseBlock):
(JSC::DFG::ByteCodeParser::clearCaches):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::linkBlocks):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::getBlocksInPreOrder):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGLazyJSValue.h:
(JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
* dfg/DFGNode.cpp:
(WTF::printInternal):
* dfg/DFGNode.h:
(JSC::DFG::OpInfo::OpInfo):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::cellOperand):
(JSC::DFG::Node::setCellOperand):
(JSC::DFG::Node::canBeKnownFunction): Deleted.
(JSC::DFG::Node::hasKnownFunction): Deleted.
(JSC::DFG::Node::knownFunction): Deleted.
(JSC::DFG::Node::giveKnownFunction): Deleted.
(JSC::DFG::Node::hasFunction): Deleted.
(JSC::DFG::Node::function): Deleted.
(JSC::DFG::Node::hasExecutable): Deleted.
(JSC::DFG::Node::executable): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPhantomCanonicalizationPhase.cpp:
(JSC::DFG::PhantomCanonicalizationPhase::run):
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitch):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
(JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::ftlUnreachable):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckCell):
(JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
(JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::buildSwitch):
(JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
(JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
* heap/Heap.cpp:
(JSC::Heap::collect):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::loadValue):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* jit/GPRInfo.h:
(JSC::JSValueRegs::uses):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::VM::ensureCallEdgeLog):
* runtime/VM.h:
* tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
* tests/stress/new-array-then-exit.js: Added.
* tests/stress/poly-call-exit-this.js: Added.
* tests/stress/poly-call-exit.js: Added.

51212014-08-28 Julien Brianceau <jbriance@cisco.com>
5122
5123 Correct GC length unit and prevent division by 0 in showObjectStatistics.
5124 https://bugs.webkit.org/show_bug.cgi?id=136340
5125
5126 Reviewed by Mark Hahnenberg.
5127
5128 * heap/HeapStatistics.cpp:
5129 (JSC::HeapStatistics::showObjectStatistics):
5130
51312014-08-27 Akos Kiss <akiss@inf.u-szeged.hu>
5132
5133 Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
5134 https://bugs.webkit.org/show_bug.cgi?id=136313
5135
5136 Reviewed by Michael Saboff.
5137
5138 Do not rely on calling conventions to fill in the CallerFrame component
5139 of the execCallee parameter of JSC::operationCallEval.
5140
5141 * jit/JITOperations.cpp:
5142
51432014-08-27 Saam Barati <sbarati@apple.com>
5144
5145 Deconstruction object pattern node emits the wrong start/end text positions
5146 https://bugs.webkit.org/show_bug.cgi?id=136304
5147
5148 Reviewed by Geoffrey Garen.
5149
5150 Object pattern nodes that used the syntactic sugar binding:
5151 'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}'
5152 would get the wrong text position for variable 'foo'. The position
5153 would be placed on the comma(s)/closing brace instead of the identifier.
5154 This patch fixes this bug by caching the identifier's JSToken before
5155 trying to parse an optional colon.
5156
5157 * parser/Parser.cpp:
5158 (JSC::Parser<LexerType>::parseVarDeclarationList):
5159 (JSC::Parser<LexerType>::createBindingPattern):
5160 (JSC::Parser<LexerType>::parseDeconstructionPattern):
5161 * parser/Parser.h:
5162
51632014-08-27 Brent Fulgham <bfulgham@apple.com>
5164
5165 [Win] Build fix after last commit.
5166
5167 Check in new DLLLauncherMain.cpp file.
5168
5169 * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
5170 (enableTerminationOnHeapCorruption):
5171 (getStringValue):
5172 (applePathFromRegistry):
5173 (appleApplicationSupportDirectory):
5174 (copyEnvironmentVariable):
5175 (prependPath):
5176 (fatalError):
5177 (directoryExists):
5178 (modifyPath):
5179 (getLastErrorString):
5180 (wWinMain):
5181
2014-08-27  Brent Fulgham  <bfulgham@apple.com>

        [Win] testapi and testRegExp need to find support libraries.
        https://bugs.webkit.org/show_bug.cgi?id=136008.

        Reviewed by Dean Jackson.

        Revise the Windows build of jsc, testapi, and testRegExp so that they
        find and use the proper runtime support libraries.

        These locations vary between the Apple Windows build and WinCairo, and
        are generally not in the system PATH environment setting. Consequently,
        these applications fail on launch unless the user modifies their
        PATH.

        This patch revises these tools to work like WinLauncher and DumpRenderTree
        so that they run reliably.

        * API/tests/testapi.c:
        (dllLauncherEntryPoint): Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
        provide proper dependencies with existing projects.
        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
        a DLL, rather than an executable.
        * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
        to the list of libraries needed at link-time, and to use
        the DLL/Console combination entry point.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
        * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
        * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
        a DLL, rather than an executable.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
        to the list of libraries needed at link-time, and to use
        the DLL/Console combination entry point.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
        a DLL, rather than an executable.
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
        to the list of libraries needed at link-time, and to use
        the DLL/Console combination entry point.
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
        * jsc.cpp:
        (dllLauncherEntryPoint): Added.
        * testRegExp.cpp:
        (dllLauncherEntryPoint): Added.

2014-08-27  Julien Brianceau  <jbriance@cisco.com>

        Take advantage of 3 parameters or32() calls
        https://bugs.webkit.org/show_bug.cgi?id=136287

        Reviewed by Michael Saboff.

        For specific architectures (arm and mips for instance), or32() calls
        with 3 parameters are likely to produce a single instruction.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):

2014-08-26  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: put feature flags for Inspector domains in the protocol specification
        https://bugs.webkit.org/show_bug.cgi?id=136027

        Reviewed by Timothy Hatcher.

        Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.

        Test: inspector/scripts/tests/generate-domains-with-feature-guards.json

        * inspector/scripts/codegen/generator.py:
        (Generator.wrap_with_guard_for_domain):
        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domains):
        * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:

2014-08-26  Andy Estes  <aestes@apple.com>

        [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
        https://bugs.webkit.org/show_bug.cgi?id=136267

        Reviewed by Dan Bernstein.

        INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
        Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
        engineering configurations.

        Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
        used instead.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-26  Michael Saboff  <msaboff@apple.com>

        [Win] 64-bit JavaScriptCore crashes on launch
        https://bugs.webkit.org/show_bug.cgi?id=136241

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:
        (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument; it uses
        "t2" (rcx). Changed to get the input parameter using the correct register.

2014-08-26  Saam Barati  <sbarati@apple.com>

        TypeSet caches structureIDs even after the corresponding Structure could be GCed
        https://bugs.webkit.org/show_bug.cgi?id=136178

        Reviewed by Geoffrey Garen.

        Currently, TypeSet will never remove StructureIDs from its cache,
        even after the corresponding Structures could be garbage collected.
        Now, when the Garbage Collector collects, and type profiling is
        enabled, the Garbage Collector will invalidate all TypeSet caches.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::invalidateCache):
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::VM::invalidateTypeSetCache):
        * runtime/VM.h:

2014-08-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fails with NaN result
        https://bugs.webkit.org/show_bug.cgi?id=136187

        Reviewed by Mark Hahnenberg.

        Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
        doesn't require a tag for the second argument; instead it fills in a CellTag. This is
        used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
        haven't set up a register with a tag and we know that argument 2 is a cell.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
        with CellTag as it wasn't in the control flow for the slow path that needed the tag.
        Instead changed to calling new version of callOperation with an implicit CellTag.

2014-08-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172940.
        https://bugs.webkit.org/show_bug.cgi?id=136256

        Caused assertions on fast/storage/serialized-script-value.html, and
        possibly flakiness on more tests (Requested by ap on #webkit).

        Reverted changeset:

        "FTL should be able to do polymorphic call inlining"
        https://bugs.webkit.org/show_bug.cgi?id=135145
        http://trac.webkit.org/changeset/172940

2014-08-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
        https://bugs.webkit.org/show_bug.cgi?id=136165

        Reviewed by Mark Hahnenberg.

        Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
        6 registers available, but the code requires 7.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-25  Saam Barati  <sbarati@apple.com>

        TypeProfiler search breaks on return statements
        https://bugs.webkit.org/show_bug.cgi?id=136201

        Reviewed by Filip Pizlo.

        Searching for return statements in the TypeProfiler currently
        breaks down because it expected to see the search descriptor
        TypeProfilerSearchDescriptorFunctionReturn when looking for
        return statements in the actual source code of the program.
        But, TypeProfilerSearchDescriptorFunctionReturn search descriptor
        is reserved for looking for return statements that aren't in the
        actual source code of the program, but when asking for the
        aggregate return type of a function. Now, searching for
        return statements in the actual source code of the program will
        work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::findLocation):
        (JSC::descriptorMatchesTypeLocation): Deleted.

2014-08-25  Saam Barati  <sbarati@apple.com>

        Return statement TypeSet's might be duplicated
        https://bugs.webkit.org/show_bug.cgi?id=136200

        Reviewed by Filip Pizlo.

        Currently, the globalTypeSet that converges the types of all
        return statements in a function lives off of CodeBlock. It lives
        off CodeBlock because of a faulty assumption that CodeBlock
        will have a one to one mapping with a function in the source
        text of the program. (Currently, there isn't an actual bug
        with this design because TypeLocationCache will hash cons to
        the same TypeLocation, but this is still an incorrect design).
        In this patch, the globalTypeSet for function return statements
        is moved to the FunctionExecutable object which does have a one
        to one mapping with functions in the source text of a program.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::returnStatementTypeSet): Deleted.
        * runtime/Executable.h:
        (JSC::FunctionExecutable::returnStatementTypeSet):

2014-08-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do polymorphic call inlining
        https://bugs.webkit.org/show_bug.cgi?id=135145

        Reviewed by Geoffrey Garen.

        Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
        baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
        inlining sites use the call edge profile if it is available, but they will still fall back
        on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
        multiple possible callees can be inlined with a switch to guard them. The slow path may
        either be an OSR exit or a virtual call.

        The call edge profiling added in this patch is very precise - it will tell you about every
        call that has ever happened. It took some effort to reduce the overhead of this profiling.
        This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
        in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
        it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
        I also experimented with reducing the precision of the profiling. This led to a significant
        reduction in the speed-up, so I avoided this approach. I also explored making log processing
        concurrent, but that didn't help. Also, I tested the overhead of the log processing and
        found that most of the overhead of this profiling is actually in putting things into the log
        rather than in processing the log - that part appears to be surprisingly cheap.

        Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
        and if we guarded such inlining sites with some profiling mechanism to detect
        polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
        it's actually monomorphic).

        This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
        other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
        on anything we care about. Some aggregates, like V8Spider, see a regression. This is
        highlighting the increase in profiling overhead. But since this doesn't show up on any major
        score (code-load or SunSpider), it's probably not relevant.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.cpp: Added.
        (JSC::CallEdge::dump):
        * bytecode/CallEdge.h: Added.
        (JSC::CallEdge::operator!):
        (JSC::CallEdge::callee):
        (JSC::CallEdge::count):
        (JSC::CallEdge::despecifiedClosure):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Added.
        (JSC::CallEdgeProfile::callEdges):
        (JSC::CallEdgeProfile::numCallsToKnownCells):
        (JSC::worthDespecifying):
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::addSlow):
        (JSC::CallEdgeProfile::mergeBack):
        (JSC::CallEdgeProfile::fadeByHalf):
        (JSC::CallEdgeLog::CallEdgeLog):
        (JSC::CallEdgeLog::~CallEdgeLog):
        (JSC::CallEdgeLog::isEnabled):
        (JSC::operationProcessCallEdgeLog):
        (JSC::CallEdgeLog::emitLogCode):
        (JSC::CallEdgeLog::processLog):
        * bytecode/CallEdgeProfile.h: Added.
        (JSC::CallEdgeProfile::numCallsToNotCell):
        (JSC::CallEdgeProfile::numCallsToUnknownCell):
        (JSC::CallEdgeProfile::totalCalls):
        * bytecode/CallEdgeProfileInlines.h: Added.
        (JSC::CallEdgeProfile::CallEdgeProfile):
        (JSC::CallEdgeProfile::add):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile):
        (JSC::CallLinkStatus::computeDFGStatuses):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::function): Deleted.
        (JSC::CallLinkStatus::internalFunction): Deleted.
        (JSC::CallLinkStatus::intrinsicFor): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::couldTakeSlowPath):
        (JSC::CallLinkStatus::edges):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::canTrustCounts):
        (JSC::CallLinkStatus::isClosureCall): Deleted.
        (JSC::CallLinkStatus::callTarget): Deleted.
        (JSC::CallLinkStatus::executable): Deleted.
        (JSC::CallLinkStatus::makeClosureCall): Deleted.
        * bytecode/CallVariant.cpp: Added.
        (JSC::CallVariant::dump):
        * bytecode/CallVariant.h: Added.
        (JSC::CallVariant::CallVariant):
        (JSC::CallVariant::operator!):
        (JSC::CallVariant::despecifiedClosure):
        (JSC::CallVariant::rawCalleeCell):
        (JSC::CallVariant::internalFunction):
        (JSC::CallVariant::function):
        (JSC::CallVariant::isClosureCall):
        (JSC::CallVariant::executable):
        (JSC::CallVariant::nonExecutableCallee):
        (JSC::CallVariant::intrinsicFor):
        (JSC::CallVariant::functionExecutable):
        (JSC::CallVariant::isHashTableDeletedValue):
        (JSC::CallVariant::operator==):
        (JSC::CallVariant::operator!=):
        (JSC::CallVariant::operator<):
        (JSC::CallVariant::operator>):
        (JSC::CallVariant::operator<=):
        (JSC::CallVariant::operator>=):
        (JSC::CallVariant::hash):
        (JSC::CallVariant::deletedToken):
        (JSC::CallVariantHash::hash):
        (JSC::CallVariantHash::equal):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::isNormalCall):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::~BasicBlock):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::takeLast):
        (JSC::DFG::BasicBlock::didLink):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::undoFunctionChecks):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
        (JSC::DFG::ByteCodeParser::clearCaches):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
        * dfg/DFGNode.cpp:
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::cellOperand):
        (JSC::DFG::Node::setCellOperand):
        (JSC::DFG::Node::canBeKnownFunction): Deleted.
        (JSC::DFG::Node::hasKnownFunction): Deleted.
        (JSC::DFG::Node::knownFunction): Deleted.
        (JSC::DFG::Node::giveKnownFunction): Deleted.
        (JSC::DFG::Node::hasFunction): Deleted.
        (JSC::DFG::Node::function): Deleted.
        (JSC::DFG::Node::hasExecutable): Deleted.
        (JSC::DFG::Node::executable): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::ftlUnreachable):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
        (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
        (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::uses):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureCallEdgeLog):
        * runtime/VM.h:
        * tests/stress/new-array-then-exit.js: Added.
        (foo):
        * tests/stress/poly-call-exit-this.js: Added.
        * tests/stress/poly-call-exit.js: Added.

2014-08-22  Michael Saboff  <msaboff@apple.com>

        After r172867 another crash in js/dom/line-column-numbers.html
        https://bugs.webkit.org/show_bug.cgi?id=136192

        Reviewed by Geoffrey Garen.

        In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
        and VMEntryFrame when calling genericUnwind(). NativeCallFrameTracerWithRestore()
        does that for us.

        In general, NativeCallFrameTracerWithRestore() restores the values because we may
        do more processing that requires the current callFrame and vmEntryFrame before we
        get to the catch handler where we change these to the catch values. In this
        particular case, that restoration isn't currently needed, but we add complexity
        and possible future confusion if we create another NativeCallFrameTracerXXX()
        version that doesn't restore the values.

        * jit/JITOperations.cpp:
        (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
        NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
        before calling genericUnwind().

2014-08-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
        https://bugs.webkit.org/show_bug.cgi?id=136031

        Reviewed by Timothy Hatcher.

        Rename TypeBuilder namespace to Protocol. Disambiguate where
        necessary. Also rename InspectorTypeBuilder to ProtocolTypes.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        (Inspector::messageTypeValue):
        (Inspector::messageLevelValue):
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InspectorTypeBuilder.h: Removed.
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::breakpointActionTypeForString):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::createProfileHeader):
        (Inspector::InspectorProfilerAgent::getProfileHeaders):
        (Inspector::buildInspectorObject):
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        (Inspector::InspectorProfilerAgent::getCPUProfile):
        * inspector/agents/InspectorProfilerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
        (FrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
        (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
        * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
        * inspector/scripts/codegen/generator.py:
        (Generator.protocol_type_string_for_type):
        (Generator.protocol_type_string_for_type_member):
        (Generator.type_string_for_type_with_name):
        (Generator.type_string_for_formal_out_parameter):
        (Generator.type_string_for_formal_async_parameter):
        (Generator.type_string_for_stack_in_parameter):
        (Generator.type_string_for_stack_out_parameter):
        (Generator.assertion_method_for_type_member.assertion_method_for_type):
        (Generator.assertion_method_for_type_member):
        (Generator.type_builder_string_for_type): Deleted.
        (Generator.type_builder_string_for_type_member): Deleted.
        * inspector/scripts/codegen/generator_templates.py:
        (Inspector):
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-08-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
        https://bugs.webkit.org/show_bug.cgi?id=136025

        Reviewed by Joseph Pecoraro.

        This workaround can be removed since it is no longer necessary.

        * inspector/scripts/codegen/models.py:
        (TypeReference.__init__):
        (Type.raw_name):
        (TypeDeclaration.__init__):
        * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.

2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Do not copy large module source strings
        https://bugs.webkit.org/show_bug.cgi?id=136191

        Reviewed by Benjamin Poulain.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptSource):

2014-08-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
        https://bugs.webkit.org/show_bug.cgi?id=136111

        Reviewed by Filip Pizlo.

        The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.

        First in the case where we get an exception of a stack overflow during setup of the direct
        callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
        This requires unrolling topVMEntryFrame while creating the exception object. This is
        accomplished with the renamed NativeCallFrameTracerWithRestore object. As part of this,
        split the JIT rollback exception handling to call a new helper,
        callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.

        Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
        case where we end up (re)throwing another exception after entering the catch block, but
        before another vmEntry call. Added VM::vmEntryFrameForThrow as a way similar to
        VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
        to unwind both the callFrame and topVMEntryFrame.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        Added VMEntryFrame as another component to unwind.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
        Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
        both values.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::vmEntryFrame):
        Added code to unwind the VMEntryFrame.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
        the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):

        * runtime/VM.h:
        (JSC::VM::vmEntryFrameForThrowOffset):
        (JSC::VM::topVMEntryFrameOffset):
        Added as the side channel to return the topVMEntryFrame that the handler should use.

2014-08-22 Daniel Bates <dabates@apple.com>

        [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
        and ENABLE_XSLT when building with the iOS public SDK
        https://bugs.webkit.org/show_bug.cgi?id=135945

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:

2014-08-22 Jon Lee <jonlee@apple.com>

        Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
        https://bugs.webkit.org/show_bug.cgi?id=136157

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).

2014-08-21 Mark Lam <mark.lam@apple.com>

        r171362 accidentally increased the size of InlineCallFrame.
        <https://webkit.org/b/136141>

        Reviewed by Filip Pizlo.

        r171362 increased the size of InlineCallFrame::kind to 2 bits. This increased
        the size of InlineCallFrame from 72 to 80 though not intentionally. The fix
        is to reduce the size of InlineCallFrame::stackOffset to 29 bits.

        Also added an assert to ensure that we never set a value that exceeds the size
        of InlineCallFrame::stackOffset.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::setStackOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
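
The mechanism behind the entry above, as an added example that is not part of the ChangeLog or of JavaScriptCore: the structs below are a hypothetical model of one bit-packed 32-bit word of InlineCallFrame (field names and widths other than the 2-bit kind and the 29-bit stackOffset are assumptions), showing how widening one bit-field by a single bit spills a later field into a second unit and grows the struct, and how a range-checked setter catches an offset that the narrowed field would otherwise silently truncate.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical model (not JSC's real layout): three fields packed into one
// 32-bit unit. Compilers such as GCC, Clang and MSVC do not let an unsigned
// bit-field straddle a 32-bit unit boundary, so the sum of the widths decides
// how many units, and therefore how many bytes, the struct occupies.

// Before the kind field was widened: 1 + 30 + 1 = 32 bits -> one unit (4 bytes).
struct FrameWordBefore {
    unsigned kind : 1;
    unsigned stackOffset : 30;
    unsigned isClosureCall : 1;
};

// After widening kind to 2 bits without adjusting anything else:
// 2 + 30 + 1 = 33 bits, so isClosureCall spills into a second unit (8 bytes).
// This is the unintended growth the entry describes (72 -> 80 bytes overall).
struct FrameWordWidened {
    unsigned kind : 2;
    unsigned stackOffset : 30;
    unsigned isClosureCall : 1;
};

// The fix: stackOffset narrowed to 29 bits, back to exactly 32 bits (4 bytes).
struct FrameWordFixed {
    unsigned kind : 2;
    unsigned stackOffset : 29;
    unsigned isClosureCall : 1;
};

constexpr uint32_t kStackOffsetBits = 29;
constexpr uint32_t kMaxStackOffset = (1u << kStackOffsetBits) - 1;

// What a raw bit-field assignment does with no guard: the value is stored
// modulo 2^29, so an out-of-range offset becomes a wrong but in-range one.
// (Constructed helper; not part of JSC.)
uint32_t unguardedStore(uint32_t offset)
{
    FrameWordFixed frame {};
    frame.stackOffset = offset; // silently truncated to 29 bits
    return frame.stackOffset;
}

// Model of the guarded setter the patch adds. JSC uses an ASSERT; this
// version returns false so the rejection can be observed from a test.
bool setStackOffset(FrameWordFixed& frame, uint32_t offset)
{
    if (offset > kMaxStackOffset)
        return false; // would not fit in the 29-bit field
    frame.stackOffset = offset;
    return true;
}

size_t sizeBefore() { return sizeof(FrameWordBefore); }
size_t sizeWidened() { return sizeof(FrameWordWidened); }
size_t sizeFixed() { return sizeof(FrameWordFixed); }
```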

2014-08-21 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: RetainPtr misuse, CFRunLoopSource leak
        https://bugs.webkit.org/show_bug.cgi?id=136143

        Reviewed by Timothy Hatcher.

        Adopt a Create into the RetainPtr to avoid leaking.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):

2014-08-21 Mark Lam <mark.lam@apple.com>

        REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
        <https://webkit.org/b/136123>

        Reviewed by Filip Pizlo.

        The original patch in r172808 removed the code to skip the top scope in
        the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
        This patch fixes that and achieves parity.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitResolveClosure):

2014-08-21 Zalan Bujtas <zalan@apple.com>

        Enable SATURATED_LAYOUT_ARITHMETIC.
        https://bugs.webkit.org/show_bug.cgi?id=136106

        Reviewed by Simon Fraser.

        SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
        (No measurable performance regression on Mac.)

        * Configurations/FeatureDefines.xcconfig:

2014-08-20 Saam Barati <sbarati@apple.com>

        Fix how CodeBlock dumps the opcode op_profile_type
        https://bugs.webkit.org/show_bug.cgi?id=136088

        Reviewed by Filip Pizlo.

        op_profile_type was modified to receive two extra arguments,
        but its dump in CodeBlock::dumpBytecode wasn't changed to
        account for this, so it broke CodeBlock::dumpBytecode when
        op_profile_type was in the stream of bytecode instructions.
        CodeBlock::dumpBytecode now accounts for the change in
        op_profile_type's arity.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-08-20 Saam Barati <sbarati@apple.com>

        Rename HighFidelityTypeProfiling variables for more clarity
        https://bugs.webkit.org/show_bug.cgi?id=135899

        Reviewed by Geoffrey Garen.

        Many names that are used in the type profiling infrastructure
        prefix themselves with "HighFidelity" or include the words "high"
        and/or "fidelity" in some way. But the words "high" and "fidelity" don't
        add anything descriptive to the names surrounding type profiling.
        So this patch removes all uses of "HighFidelity" and its variants.

        Most renamings change "HighFidelity*" to "TypeProfiler*" or simply
        drop the prefix "HighFidelity" altogether. Now, almost all names
        in relation to type profiling contain in them "TypeProfiler" or
        "TypeProfiling" or some combination of the words "type" and "profile".

        This patch also changes how we check if type profiling is enabled:
        We no longer call vm::isProfilingTypesWithHighFidelity. We now just
        check that vm::typeProfiler is not null.

        This patch also changes all calls to TypeProfilerLog::processLogEntries
        to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/TypeLocation.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
        (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDumpTypesForAllVariables):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::typeProfilingStartOffset):
        (JSC::ScriptExecutable::typeProfilingEndOffset):
        (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/Options.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
        * runtime/SymbolTable.h:
        * runtime/TypeProfiler.cpp: Added.
        (JSC::TypeProfiler::logTypesForTypeLocation):
        (JSC::TypeProfiler::insertNewLocation):
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
        (JSC::descriptorMatchesTypeLocation):
        (JSC::TypeProfiler::findLocation):
        * runtime/TypeProfiler.h: Added.
        (JSC::QueryKey::QueryKey):
        (JSC::QueryKey::isHashTableDeletedValue):
        (JSC::QueryKey::operator==):
        (JSC::QueryKey::hash):
        (JSC::QueryKeyHash::hash):
        (JSC::QueryKeyHash::equal):
        (JSC::TypeProfiler::functionHasExecutedCache):
        (JSC::TypeProfiler::typeLocationCache):
        * runtime/TypeProfilerLog.cpp: Added.
        (JSC::TypeProfilerLog::initializeLog):
        (JSC::TypeProfilerLog::~TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h: Added.
        (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
        (JSC::TypeProfilerLog::LogEntry::valueOffset):
        (JSC::TypeProfilerLog::LogEntry::locationOffset):
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::recordTypeInformationForLocation):
        (JSC::TypeProfilerLog::logEndPtr):
        (JSC::TypeProfilerLog::logStartOffset):
        (JSC::TypeProfilerLog::currentLogEntryOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::disableTypeProfiler):
        (JSC::VM::dumpTypeProfilerData):
        (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
        * runtime/VM.h:
        (JSC::VM::typeProfilerLog):
        (JSC::VM::typeProfiler):
        (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
        (JSC::VM::highFidelityLog): Deleted.
        (JSC::VM::highFidelityTypeProfiler): Deleted.

2014-08-20 Csaba Osztrogonác <ossy@webkit.org>

        URTBF after r172799.

        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64Disassembler.cpp:

2014-08-20 Oliver Hunt <oliver@apple.com>

        Stop implicitly skipping a function's own activation when walking the scope chain
        https://bugs.webkit.org/show_bug.cgi?id=136118

        Reviewed by Geoffrey Garen.

        Remove the current logic that implicitly skips a function's
        own activation when walking the scope chain. This is ground
        work for ensuring that all closed variable access is made
        through the function's activation. This leads to a further
        10% regression on earley, but we're already tracking the
        overall performance regression.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:

2014-08-20 Michael Saboff <msaboff@apple.com>

        REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
        https://bugs.webkit.org/show_bug.cgi?id=136034

        Reviewed by Mark Lam.

        DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
        of the stack. Hardened StackVisitor to skip over the frames between the current top frame
        and the requested start frame.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):

2014-08-20 Brent Fulgham <bfulgham@apple.com>

        [Win] JavaScriptCore.dll is missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=136105
        <rdar://problem/18075852>

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
        version information for intermediary build path.

2014-08-20 Saam Barati <sbarati@apple.com>

        Fix a memory leak in TypeSet
        https://bugs.webkit.org/show_bug.cgi?id=135913

        Reviewed by Filip Pizlo.

        Currently, TypeSet unconditionally allocates memory for its member
        variable m_structureHistory, but never deallocates it. Change this
        from being a pointer that is unconditionally allocated to a member
        variable that will be deallocated when TypeSet itself is deallocated.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:

2014-08-20 peavo@outlook.com <peavo@outlook.com>

        [Win] Assertion fails when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=136103

        Reviewed by Darin Adler.

        Use unsigned bitfield member instead of enum bitfield member to avoid negative values.

        * bytecode/CodeOrigin.h: Use unsigned bitfield member.
        (JSC::InlineCallFrame::specializationKind): Compile fix.

2014-08-20 Akos Kiss <akiss@inf.u-szeged.hu>

        Enable ARM64 disassembler on EFL
        https://bugs.webkit.org/show_bug.cgi?id=136089

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Added disassembler/ARM64Disassembler.cpp and
        disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.

        * disassembler/ARM64/A64DOpcode.cpp:
        Added USE(ARM64_DISASSEMBLER) guard around implementation.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        Made format strings portable by changing "%llx" to "%" PRIx64 for
        uint64_t arguments.

2014-08-19 Filip Pizlo <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Geoffrey Garen.

        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
        would instacrash every time.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getStructurePropertyNames):
        (JSC::JSProxy::getGenericPropertyNames):
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned-later.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned.js: Added.
        (foo):
        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
        (deleteAll):
        (foo):
        * tests/stress/for-in-proxy.js: Added.
        (foo):

2014-08-19 Jaehun Lim <ljaehun.lim@samsung.com>

        Unreviewed, fix EFL build after r17275

        Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]

        * runtime/JSDataViewPrototype.cpp:
        Add #if COMPILER(CLANG) and #endif.

2014-08-19 Michael Saboff <msaboff@apple.com>

        Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
        https://bugs.webkit.org/show_bug.cgi?id=136080

        Reviewed by Mark Lam.

        Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
        to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
        frame. In that case, the caller will have the prior VM entry frame.

        The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
        an exception from a caller frame. The value to use for the VMEntryFrame should be a
        value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
        VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame
        is below the current vmEntryFrame.

        * jit/JITOperations.cpp:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):
        Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.

2014-08-19 Andy Estes <aestes@apple.com>

        [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
        https://bugs.webkit.org/show_bug.cgi?id=136086

        Reviewed by Filip Pizlo.

        Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
        whitespace. Also let Xcode have its way with an unrelated part of the project file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-19 Filip Pizlo <fpizlo@apple.com>

        LLInt build should be way faster
        https://bugs.webkit.org/show_bug.cgi?id=136085

        Reviewed by Geoffrey Garen.

        This does three things to improve the LLInt build performance. One of them is only for
        Xcode for now while the others should benefit all platforms:

        - Don't exponentially build settings combinations that correspond to being on two backends
          simultaneously. This is by far the biggest win.

        - Don't generate offset extraction code for backends that aren't supported by the current
          port. This currently only works on Xcode-based ports. This is a relatively small win.

        - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
          used this one in a long time. Anyway, setting this option could be emulated by just
          directly hacking the code.

        This is an enormous speed-up in the LLInt build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
        * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
        * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
        * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
        * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
        * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.

2014-08-19 Filip Pizlo <fpizlo@apple.com>

        Fix indentation and style in LowLevelInterpreter.asm
        https://bugs.webkit.org/show_bug.cgi?id=136083

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:

2014-08-19 Magnus Granberg <zorry@gentoo.org>

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Darin Adler.

        Set up %ebx so we can use the plt.

        * jit/ThunkGenerators.cpp:

2014-08-19 Zalan Bujtas <zalan@apple.com>

        Remove ENABLE(SUBPIXEL_LAYOUT).
        https://bugs.webkit.org/show_bug.cgi?id=136077

        Reviewed by Simon Fraser.

        Remove compile time flag SUBPIXEL_LAYOUT. All ports have had it enabled for a while now.

        * Configurations/FeatureDefines.xcconfig:

2014-08-19 Alex Christensen <achristensen@webkit.org>

        [CMake] Generate LLInt assembly correctly on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135888

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
        * PlatformWin.cmake:
        Don't build JSGlobalObjectInspectorController.cpp on Windows.
        * offlineasm/x86.rb:
        Detect non-cygwin ruby installations correctly.

2014-08-19 Michael Saboff <msaboff@apple.com>

        REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
        https://bugs.webkit.org/show_bug.cgi?id=136028

        Reviewed by Oliver Hunt.

        Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
        the behavior for those ops is undefined. This was originally done in changeset 163179.

        * llint/LowLevelInterpreter32_64.asm:

2014-08-18 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r172741.
        https://bugs.webkit.org/show_bug.cgi?id=136058

        This change is breaking PLT. (Requested by mlam on #webkit).

        Reverted changeset:

        "REGRESSION(r172401): for-in optimization no longer works at
        all"
        https://bugs.webkit.org/show_bug.cgi?id=136056
        http://trac.webkit.org/changeset/172741

2014-08-18 Filip Pizlo <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Mark Hahnenberg.

        This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
        real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
        structure check) and it was actually breaking the entire for-in optimization (since there is
        no way that we can statically prove that the base matches, because the base we see is a
        newly created temporary, and anyway doing it right would be really hard in our bytecode
        because it's 3AC form).

        But, I added a new test for the problem, and kept the original test. Both the old test and
        the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
        that it resolved crashes it was because it just disabled the for-in optimization entirely.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-base-reassigned.js: Added.
        * tests/stress/for-in-base-reassigned-later.js: Added.
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.

2014-08-18 Mark Lam <mark.lam@apple.com>

        Gardening: build fix for non-Mac builds after r172737.
        https://bugs.webkit.org/show_bug.cgi?id=135750

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-18 Filip Pizlo <fpizlo@apple.com>

        REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
        https://bugs.webkit.org/show_bug.cgi?id=135750

        Reviewed by Mark Lam.

        This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
        could sometimes perform an optimization that requires a structure to be alive but forget to
        ensure that the structure is actually kept alive. In particular, any watchpoint-based
        optimizations involve setting watchpoints even if the code that got optimized is eventually
        deleted because it is unreachable. All such optimizations would leave behind something in
        the IR to tell us that we are interested in the structure and that therefore it should be
        kept alive. But, IR can be deleted if it is unreachable.

        The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
        to the set of weak references.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setOSREntryValue):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::normalizeClarity):
        (JSC::DFG::AbstractValue::assertIsRegistered):
        (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::assertIsRegistered):
        (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::contains):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::assertIsRegistered):
        (JSC::DFG::Graph::assertIsWatched): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
        * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
        (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
        (JSC::DFG::StructureRegistrationPhase::run):
        (JSC::DFG::StructureRegistrationPhase::registerStructures):
        (JSC::DFG::StructureRegistrationPhase::registerStructure):
        (JSC::DFG::performStructureRegistration):
        (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
        (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
        (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
        (JSC::DFG::performWatchableStructureWatching): Deleted.
        * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
        * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
        * dfg/DFGWatchableStructureWatchingPhase.h: Removed.

66442014-08-18 Akos Kiss <akiss@inf.u-szeged.hu>
6645
6646 Fix ASSERT in ARM64's JSC::GPRInfo::debugName
6647 https://bugs.webkit.org/show_bug.cgi?id=136050
6648
6649 Reviewed by Darin Adler.
6650
6651 Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
6652 error.
6653
6654 * jit/GPRInfo.h:
6655 (JSC::GPRInfo::debugName):
6656
2014-08-18  Andreas Kling  <akling@apple.com>

	REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
	<https://webkit.org/b/133574>
	<rdar://problem/18051847>

	The optimization that resolves JSRopeStrings into an existing
	AtomicString (to save time and memory by avoiding StringImpl allocation)
	had a bug that it wasn't copying the 8-bit flag from the AtomicString.

	This could lead to a situation where a 16-bit StringImpl containing
	only 8-bit characters is sitting in the AtomicString table, is found
	by the rope resolution optimization, and gives you a rope that thinks
	it's all 8-bit, but has a fiber with 16-bit characters.

	Resolving that rope will then yield incorrect results.

	This was all caught by an assertion, but very hard to reproduce.

	Test: js/dopey-rope-with-16-bit-propertyname.html

	Reviewed by Darin Adler.

	* runtime/JSString.cpp:
	(JSC::JSRopeString::resolveRopeToAtomicString):
	(JSC::JSRopeString::resolveRopeToExistingAtomicString):
	* runtime/JSString.h:
	(JSC::JSString::setIs8Bit):
	(JSC::JSString::toExistingAtomicString):

2014-08-18  Matthew Mirman  <mmirman@apple.com>

	Merges the two native inlining passes from the build.
	Also adds the AvailableExternallyLinkage assertion to linked
	functions to allow unused and duplicate ones to be removed.
	https://bugs.webkit.org/show_bug.cgi?id=135526

	Reviewed by Filip Pizlo.

	* JavaScriptCore.xcodeproj/project.pbxproj:
	Removed second generation of llvm binary files.
	Fixed the flags on the first pass.
	* build-symbol-table-index.py: Modified some paths.
	* build-symbol-table-index.sh: Removed.
	* copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
	* ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
	(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
	* runtime/ArrayPrototype.cpp: Removed static declarations.
	* runtime/DateConstructor.cpp: ditto.
	(JSC::dateParse):
	(JSC::dateNow):
	(JSC::dateUTC):
	* runtime/DatePrototype.cpp: ditto.
	* runtime/JSDataViewPrototype.cpp: ditto on both.
	(JSC::dataViewProtoFuncGetInt8):
	(JSC::dataViewProtoFuncGetInt16):
	(JSC::dataViewProtoFuncGetInt32):
	(JSC::dataViewProtoFuncGetUint8):
	(JSC::dataViewProtoFuncGetUint16):
	(JSC::dataViewProtoFuncGetUint32):
	(JSC::dataViewProtoFuncGetFloat32):
	(JSC::dataViewProtoFuncGetFloat64):
	(JSC::dataViewProtoFuncSetInt8):
	(JSC::dataViewProtoFuncSetInt16):
	(JSC::dataViewProtoFuncSetInt32):
	(JSC::dataViewProtoFuncSetUint8):
	(JSC::dataViewProtoFuncSetUint16):
	(JSC::dataViewProtoFuncSetUint32):
	(JSC::dataViewProtoFuncSetFloat32):
	(JSC::dataViewProtoFuncSetFloat64):
	* runtime/JSONObject.cpp: ditto.
	* runtime/ObjectConstructor.cpp: ditto.
	* runtime/StringPrototype.cpp: ditto.

2014-08-18  Saam Barati  <sbarati@apple.com>

	The parser should generate AST nodes for var declarations with no initializers
	https://bugs.webkit.org/show_bug.cgi?id=135545

	Reviewed by Geoffrey Garen.

	Currently, JSC's parser ignores variable declarations
	that have no assignment initializer value because all
	variables are implicitly assigned to undefined. But,
	type profiling needs an AST node to be generated for these
	empty variable declarations because it needs to be able to
	profile their text locations and to see that their type
	is undefined.

	* bytecompiler/NodesCodegen.cpp:
	(JSC::EmptyVarExpression::emitBytecode):
	* parser/ASTBuilder.h:
	(JSC::ASTBuilder::createVarStatement):
	(JSC::ASTBuilder::createEmptyVarExpression):
	* parser/NodeConstructors.h:
	(JSC::EmptyVarExpression::EmptyVarExpression):
	* parser/Nodes.h:
	* parser/Parser.cpp:
	(JSC::Parser<LexerType>::parseVarDeclarationList):
	* parser/SyntaxChecker.h:
	(JSC::SyntaxChecker::createEmptyVarExpression):

2014-08-18  Diego Pino Garcia  <dpino@igalia.com>

	Completed iterator can be revived by adding more than one new entry to the target object
	https://bugs.webkit.org/show_bug.cgi?id=129993

	Reviewed by Oliver Hunt.

	When iterator reaches end, finish iterator.

	* runtime/JSMapIterator.h:
	(JSC::JSMapIterator::finish):
	* runtime/JSSetIterator.h:
	(JSC::JSSetIterator::finish):
	* runtime/MapData.h:
	(JSC::MapData::const_iterator::finish): set index of iterator to max
	Int32.
	* runtime/MapIteratorPrototype.cpp:
	(JSC::MapIteratorPrototypeFuncNext):
	* runtime/SetIteratorPrototype.cpp:
	(JSC::SetIteratorPrototypeFuncNext):

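The behaviour the entry above pins down, as an added example in plain JavaScript (not WebKit's test or code): a Map or Set iterator that has reported done must stay done even when more than one entry is added to the collection afterwards, while entries added before completion are still visited. The function names are mine.

```javascript
// Added example, not part of the WebKit ChangeLog or source tree.
// Drains an iterator, then adds several entries to the underlying
// collection and reports whether the exhausted iterator came back to life.
function exhaustAndRevive(collection, extraEntries) {
  const it = collection[Symbol.iterator]();
  let drained = 0;
  while (!it.next().done) drained++;

  // More than one new entry after completion: the case from the bug report.
  for (const [key, value] of extraEntries) {
    if (collection instanceof Map) collection.set(key, value);
    else collection.add(key);
  }

  const after = it.next();
  return { drained, revived: !after.done, sizeNow: collection.size };
}

// Constructed sample: a two-entry Map, then two more entries after exhaustion.
function checkMap() {
  const m = new Map([["a", 1], ["b", 2]]);
  return exhaustAndRevive(m, [["c", 3], ["d", 4]]);
}

// Constructed sample: a two-element Set, then two more elements after exhaustion.
function checkSet() {
  const s = new Set([1, 2]);
  return exhaustAndRevive(s, [[3], [4]]);
}

// Contrast case: entries added before the iterator is done are still visited,
// so "finishing" must only happen once the end has actually been reached.
function liveBeforeCompletion() {
  const m = new Map([["a", 1]]);
  const it = m[Symbol.iterator]();
  it.next();          // visits "a"; iterator is not done yet
  m.set("b", 2);      // added before completion: must be seen
  m.set("c", 3);
  const seen = [];
  for (let r = it.next(); !r.done; r = it.next()) seen.push(r.value[0]);
  return seen;        // ["b", "c"]
}
```
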
2014-08-15  Brian J. Burg  <burg@cs.washington.edu>

	Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
	https://bugs.webkit.org/show_bug.cgi?id=131596

	Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.

	* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
	* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
	* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
	* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
	* inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
	* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
	* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
	* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
	* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
	* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
	* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2014-08-15  Brian J. Burg  <burg@cs.washington.edu>

	Unreviewed build fix for some GTK bots after r172655.

	Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.

	* inspector/scripts/codegen/generator.py:
	(Generator.stylized_name_for_enum_value): Do things the old-school way.

2014-08-15  Michael Saboff  <msaboff@apple.com>

	Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
	https://bugs.webkit.org/show_bug.cgi?id=131578

	Reviewed by Geoffrey Garen.

	Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
	respectively. Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
	that appears in the "locals" area of a VM entry stack frame. Changed the order that
	vmEntryToJavaScript and vmEntryToNative creates their stack frames to be native calling
	convention compliant. That is to save prior frame pointer, save callee save registers, then
	allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
	that vmEntryToJavaScript will invoke. The top most vm entry frame pointer is saved in
	VM::topVMEntryFrame. The vmEntry functions save prior contents of VM::topVMEntryFrame
	along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack. Starting
	at VM::topCallFrame, the stack can be walked using these VMEntryRecords.

	Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
	into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
	Given that the stack is effectively a singly linked list, general stack unwinding needs to use
	one of these two methods.

	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
	* JavaScriptCore.xcodeproj/project.pbxproj:
	Addition of VMEntryRecord.h

	* bytecode/BytecodeList.json:
	Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.

	* debugger/Debugger.cpp:
	(JSC::Debugger::stepOutOfFunction):
	(JSC::Debugger::returnEvent):
	(JSC::Debugger::didExecuteProgram):
	* jsc.cpp:
	(functionDumpCallFrame):
	* jit/JITOperations.cpp:
	Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).

	* bytecode/CodeBlock.cpp:
	(JSC::RecursionCheckFunctor::RecursionCheckFunctor):
	(JSC::RecursionCheckFunctor::operator()):
	(JSC::RecursionCheckFunctor::didRecurse):
	(JSC::CodeBlock::noticeIncomingCall):
	* debugger/DebuggerCallFrame.cpp:
	(JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
	(JSC::FindCallerMidStackFunctor::operator()):
	(JSC::FindCallerMidStackFunctor::getCallerFrame):
	(JSC::DebuggerCallFrame::callerFrame):
	* interpreter/VMInspector.cpp:
	(JSC::CountFramesFunctor::CountFramesFunctor):
	(JSC::CountFramesFunctor::operator()):
	(JSC::CountFramesFunctor::count):
	(JSC::VMInspector::countFrames):
	* runtime/VM.cpp:
	(JSC::VM::VM):
	(JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
	(JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
	(JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
	(JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
	(JSC::VM::throwException):
	Changed unwinding to use StackVisitor including added functor classes.

	* interpreter/CallFrame.cpp:
	(JSC::CallFrame::callerFrame):
	Added new flavor of callerFrame() that can iteratively unwind the stack.

	* interpreter/CallFrame.h:
	(JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
	(JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
	(JSC::ExecState::isVMEntrySentinel): Deleted.
	(JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
	(JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
	(JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
	(JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.

	* interpreter/CallFrame.h:
	(JSC::ExecState::init):
	(JSC::ExecState::topOfFrame):
	(JSC::ExecState::currentVPC):
	(JSC::ExecState::setCurrentVPC):
	Eliminated unneeded checking of sentinel frame.

	* interpreter/Interpreter.cpp:
	(JSC::unwindCallFrame):
	(JSC::Interpreter::getStackTrace): Updated for unwinding changes.
	(JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.

	* interpreter/Interpreter.cpp:
	(JSC::Interpreter::executeCall):
	(JSC::Interpreter::executeConstruct):
	* jit/JITStubs.h:
	* llint/LLIntThunks.cpp:
	(JSC::callToJavaScript): Deleted.
	(JSC::callToNativeFunction): Deleted.
	(JSC::vmEntryToJavaScript):
	(JSC::vmEntryToNative):
	* llint/LLIntThunks.h:
	Updated for vmEntryToJavaScript and vmEntryToNative name changes.

	* interpreter/Interpreter.h:
	(JSC::TopCallFrameSetter::TopCallFrameSetter):
	(JSC::TopCallFrameSetter::~TopCallFrameSetter):
	Eliminated unneeded sentinel frame check.

	* interpreter/Interpreter.h:
	(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
	Removed sentinel specific constructor.

	* interpreter/StackVisitor.cpp:
	(JSC::StackVisitor::StackVisitor):
	(JSC::StackVisitor::readFrame):
	(JSC::StackVisitor::readNonInlinedFrame):
	(JSC::StackVisitor::readInlinedFrame):
	(JSC::StackVisitor::Frame::print):
	* interpreter/StackVisitor.h:
	(JSC::StackVisitor::Frame::callerIsVMEntry):
	Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&). Also added field that
	indicates when about to step over a VM entry frame.

	* interpreter/VMEntryRecord.h: Added.
	(JSC::VMEntryRecord::prevTopCallFrame):
	(JSC::VMEntryRecord::prevTopVMEntryFrame):
	New struct to record prior state of VM's notion of VM entry and top call frames.

	* jit/JITCode.cpp:
	(JSC::JITCode::execute):
	Use new vmEntryToJavaScript and vmEntryToNative name.

	* llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.

	* llint/LowLevelInterpreter.asm:
	* llint/LowLevelInterpreter32_64.asm:
	* llint/LowLevelInterpreter64.asm:
	Offline assembly implementation of creating stack frame with VMEntryRecord as well as restoring
	relevant VM fields when exiting the VM. Added a helper that returns a VMEntryRecord given
	a pointer to the VM entry frame.

	* llint/LLIntThunks.cpp:
	(JSC::vmEntryRecord):
	* llint/LowLevelInterpreter.cpp:
	(JSC::CLoop::execute):
	C Loop changes to mirror the assembly changes.

	* runtime/VM.h:
	Added topVMEntryFrame field.

2014-08-15  Brian J. Burg  <burg@cs.washington.edu>

	Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
	https://bugs.webkit.org/show_bug.cgi?id=131596

	Reviewed by Joseph Pecoraro.

	Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
	The new generator decouples parsing and typechecking a model of the protocol from
	code generation. Each generated file is created by a different subclass of Generator.
	Helper methods to compute various type signatures are shared among generators.

	This patch introduces a test harness and a test suite that covers all functionality.

	Aside from hooking up the new inspector bindings generator to the build system,
	there are a few commingled changes that would be painful to split from the main
	patch:

	Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.

	Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
	methods of BindingTraits specializations.

	Together, these changes reduce duplication and make it possible to forward-declare
	all protocol enum and object types, reducing weird ordering dependencies between domains.

	* CMakeLists.txt:
	* DerivedSources.make:
	* JavaScriptCore.vcxproj/copy-files.cmd:
	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
	* JavaScriptCore.xcodeproj/project.pbxproj:
	* inspector/ConsoleMessage.cpp: Convert to scoped enums.
	(Inspector::messageSourceValue):
	(Inspector::messageTypeValue):
	(Inspector::messageLevelValue):
	* inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
	(Inspector::InjectedScript::getFunctionDetails):
	(Inspector::InjectedScript::getProperties):
	(Inspector::InjectedScript::getInternalProperties):
	(Inspector::InjectedScript::wrapCallFrames):
	(Inspector::InjectedScript::wrapObject):
	(Inspector::InjectedScript::wrapTable):
	* inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
	(Inspector::InjectedScriptBase::makeEvalCall):
	* inspector/InjectedScriptManager.cpp:
	(Inspector::InjectedScriptManager::injectedScriptForObjectId):
	* inspector/InspectorTypeBuilder.h:
	(Inspector::TypeBuilder::Array::create):
	(Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
	(Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
	(Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
	(Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
	(Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
	(Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
	(Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
	(Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
	(Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
	(Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
	(Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
	(Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
	(Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
	(Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
	(Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
	(Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
	(Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
	(Inspector::TypeBuilder::int>): Deleted.
	(Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
	(Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
	(Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
	(Inspector::TypeBuilder::Array::runtimeCast): Deleted.
	(Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
	(Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.

	* inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
	(Inspector::InspectorValue::writeJSON):
	(Inspector::InspectorBasicValue::asBoolean):
	(Inspector::InspectorBasicValue::asNumber):
	(Inspector::InspectorBasicValue::writeJSON):
	(Inspector::InspectorString::writeJSON):
	(Inspector::InspectorObjectBase::InspectorObjectBase):
	(Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
	(Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
	(Inspector::InspectorArrayBase::InspectorArrayBase):
	* inspector/InspectorValues.h:

	* inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
	(Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
	(Inspector::InspectorDebuggerAgent::breakProgram):
	* inspector/agents/InspectorDebuggerAgent.h:
	* inspector/agents/InspectorRuntimeAgent.cpp:
	(Inspector::InspectorRuntimeAgent::parse):
	* inspector/agents/InspectorRuntimeAgent.h:

	* inspector/scripts/CodeGeneratorInspector.py: Removed.
	* inspector/scripts/codegen/__init__.py: Added.
	* inspector/scripts/codegen/generate_backend_commands.py: Added.
	(BackendCommandsGenerator):
	(BackendCommandsGenerator.__init__):
	(BackendCommandsGenerator.model):
	(BackendCommandsGenerator.output_filename):
	(BackendCommandsGenerator.generate_license):
	(BackendCommandsGenerator.generate_output):
	(BackendCommandsGenerator.generate_domain):
	(BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
	(BackendCommandsGenerator.generate_domain.generate_parameter_object):
	* inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
	(BackendDispatcherHeaderGenerator):
	(BackendDispatcherHeaderGenerator.__init__):
	(BackendDispatcherHeaderGenerator.model):
	(BackendDispatcherHeaderGenerator.output_filename):
	(BackendDispatcherHeaderGenerator.generate_license):
	(BackendDispatcherHeaderGenerator.generate_output):
	(BackendDispatcherHeaderGenerator.generate_output.for):
	(BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
	(BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
	(BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
	(BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
	(BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
	(BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
	* inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
	(BackendDispatcherImplementationGenerator):
	(BackendDispatcherImplementationGenerator.__init__):
	(BackendDispatcherImplementationGenerator.model):
	(BackendDispatcherImplementationGenerator.output_filename):
	(BackendDispatcherImplementationGenerator.generate_license):
	(BackendDispatcherImplementationGenerator.generate_output):
	(BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
	(BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
	(BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
	(BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
	(BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
	(BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
	* inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
	(FrontendDispatcherHeaderGenerator):
	(FrontendDispatcherHeaderGenerator.__init__):
	(FrontendDispatcherHeaderGenerator.model):
	(FrontendDispatcherHeaderGenerator.output_filename):
	(FrontendDispatcherHeaderGenerator.generate_license):
	(FrontendDispatcherHeaderGenerator.generate_output):
	(FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
	(FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
	(FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
	* inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
	(FrontendDispatcherImplementationGenerator):
	(FrontendDispatcherImplementationGenerator.__init__):
	(FrontendDispatcherImplementationGenerator.model):
	(FrontendDispatcherImplementationGenerator.output_filename):
	(FrontendDispatcherImplementationGenerator.generate_license):
	(FrontendDispatcherImplementationGenerator.generate_output):
	(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
	(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
	* inspector/scripts/codegen/generate_type_builder_header.py: Added.
	(TypeBuilderHeaderGenerator):
	(TypeBuilderHeaderGenerator.__init__):
	(TypeBuilderHeaderGenerator.model):
	(TypeBuilderHeaderGenerator.output_filename):
	(TypeBuilderHeaderGenerator.generate_license):
	(TypeBuilderHeaderGenerator.generate_output):
	(TypeBuilderHeaderGenerator._generate_forward_declarations):
	(_generate_typedefs):
	(_generate_typedefs_for_domain):
	(_generate_builders_for_domain):
	(_generate_class_for_object_declaration):
	(_generate_struct_for_enum_declaration):
	(_generate_struct_for_anonymous_enum_member):
	(_generate_struct_for_anonymous_enum_member.apply_indentation):
	(_generate_struct_for_enum_type):
	(_generate_builder_state_enum):
	(_generate_builder_setter_for_member):
	(_generate_unchecked_setter_for_member):
	(_generate_forward_declarations_for_binding_traits):
	* inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
	(TypeBuilderImplementationGenerator):
	(TypeBuilderImplementationGenerator.__init__):
	(TypeBuilderImplementationGenerator.model):
	(TypeBuilderImplementationGenerator.output_filename):
	(TypeBuilderImplementationGenerator.generate_license):
	(TypeBuilderImplementationGenerator.generate_output):
	(TypeBuilderImplementationGenerator._generate_enum_mapping):
	(TypeBuilderImplementationGenerator._generate_open_field_names):
	(TypeBuilderImplementationGenerator._generate_builders_for_domain):
	(TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
	(TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
	(TypeBuilderImplementationGenerator._generate_assertion_for_enum):
	* inspector/scripts/codegen/generator.py: Added.
	(ucfirst):
	(Generator):
	(Generator.__init__):
	(Generator.model):
	(Generator.generate_license):
	(Generator.domains_to_generate):
	(Generator.generate_output):
	(Generator.output_filename):
	(Generator.encoding_for_enum_value):
	(Generator.assigned_enum_values):
	(Generator.type_needs_runtime_casts):
	(Generator.type_has_open_fields):
	(Generator.type_needs_shape_assertions):
	(Generator.calculate_types_requiring_shape_assertions):
	(Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
	(Generator._traverse_and_assign_enum_values):
	(Generator._assign_encoding_for_enum_value):
	(Generator.wrap_with_guard_for_domain):
	(Generator.stylized_name_for_enum_value):
	(Generator.stylized_name_for_enum_value.replaceCallback):
	(Generator.keyed_get_method_for_type):
	(Generator.keyed_set_method_for_type):
	(Generator.type_builder_string_for_type):
	(Generator.type_builder_string_for_type_member):
	(Generator.type_string_for_unchecked_formal_in_parameter):
	(Generator.type_string_for_checked_formal_event_parameter):
	(Generator.type_string_for_type_member):
	(Generator.type_string_for_type_with_name):
	(Generator.type_string_for_formal_out_parameter):
	(Generator.type_string_for_formal_async_parameter):
	(Generator.type_string_for_stack_in_parameter):
	(Generator.type_string_for_stack_out_parameter):
	(Generator.assertion_method_for_type_member):
	(Generator.assertion_method_for_type_member.assertion_method_for_type):
	(Generator.cpp_name_for_primitive_type):
	(Generator.js_name_for_parameter_type):
	(Generator.should_use_wrapper_for_return_type):
	(Generator.should_pass_by_copy_for_return_type):
	* inspector/scripts/codegen/generator_templates.py: Added.
	(GeneratorTemplates):
	(void):
	(HashMap):
	(Builder):
	(Inspector):
	* inspector/scripts/codegen/models.py: Added.
	(ucfirst):
	(ParseException):
	(TypecheckException):
	(Framework):
	(Framework.__init__):
	(Framework.setting):
	(Framework.fromString):
	(Frameworks):
	(TypeReference):
	(TypeReference.__init__):
	(TypeReference.referenced_name):
	(Type):
	(Type.__init__):
	(Type.__eq__):
	(Type.__hash__):
	(Type.raw_name):
	(Type.is_enum):
	(Type.type_domain):
	(Type.qualified_name):
	(Type.resolve_type_references):
	(PrimitiveType):
	(PrimitiveType.__init__):
	(PrimitiveType.__repr__):
	(PrimitiveType.type_domain):
	(PrimitiveType.qualified_name):
	(AliasedType):
	(AliasedType.__init__):
	(AliasedType.__repr__):
	(AliasedType.is_enum):
	(AliasedType.type_domain):
	(AliasedType.qualified_name):
	(AliasedType.resolve_type_references):
	(EnumType):
	(EnumType.__init__):
	(EnumType.__repr__):
	(EnumType.is_enum):
	(EnumType.type_domain):
	(EnumType.enum_values):
	(EnumType.qualified_name):
	(EnumType.resolve_type_references):
	(ArrayType):
	(ArrayType.__init__):
	(ArrayType.__repr__):
	(ArrayType.type_domain):
	(ArrayType.qualified_name):
	(ArrayType.resolve_type_references):
	(ObjectType):
	(ObjectType.__init__):
	(ObjectType.__repr__):
	(ObjectType.type_domain):
	(ObjectType.qualified_name):
	(check_for_required_properties):
	(Protocol):
	(Protocol.__init__):
	(Protocol.parse_specification):
	(Protocol.parse_domain):
	(Protocol.parse_type_declaration):
	(Protocol.parse_type_member):
	(Protocol.parse_command):
	(Protocol.parse_event):
	(Protocol.parse_call_or_return_parameter):
	(Protocol.resolve_types):
	(Protocol.lookup_type_for_declaration):
	(Protocol.lookup_type_reference):
	(Domain):
	(Domain.__init__):
	(Domain.resolve_type_references):
	(Domains):
	(TypeDeclaration):
	(TypeDeclaration.__init__):
	(TypeDeclaration.resolve_type_references):
	(TypeMember):
	(TypeMember.__init__):
	(TypeMember.resolve_type_references):
	(Parameter):
	(Parameter.__init__):
	(Parameter.resolve_type_references):
	(Command):
	(Command.__init__):
	(Command.resolve_type_references):
	(Event):
	(Event.__init__):
	(Event.resolve_type_references):
	* inspector/scripts/generate-inspector-protocol-bindings.py: Added.
	(IncrementalFileWriter):
	(IncrementalFileWriter.__init__):
	(IncrementalFileWriter.write):
	(IncrementalFileWriter.close):
	(generate_from_specification):
	(generate_from_specification.load_specification):
	* inspector/scripts/tests/commands-with-async-attribute.json: Added.
	* inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
	* inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
	* inspector/scripts/tests/events-with-optional-parameters.json: Added.
	* inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
	* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
	* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
	* inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
	* inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
	* inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
	* inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
	* inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
	* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
	* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
	* inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
	* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
	* inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
	* inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
	* inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
	* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
	* inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
	* inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
	* inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
	* inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
	* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
	* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
	* inspector/scripts/tests/same-type-id-different-domain.json: Added.
	* inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
	* inspector/scripts/tests/type-declaration-array-type.json: Added.
	* inspector/scripts/tests/type-declaration-enum-type.json: Added.
	* inspector/scripts/tests/type-declaration-object-type.json: Added.
	* inspector/scripts/tests/type-requiring-runtime-casts.json: Added.

73182014-08-15 Matthew Mirman <mmirman@apple.com>
7319
7320 Made native inlining errors not segfault.
7321 https://bugs.webkit.org/show_bug.cgi?id=135988
7322
7323 Reviewed by Geoffrey Garen.
7324
7325 * ftl/FTLAbbreviations.h:
7326 (JSC::FTL::disposeMessage): Added.
7327 * ftl/FTLLowerDFGToLLVM.cpp:
7328 (JSC::FTL::LowerDFGToLLVM::compilePutById):
7329 abstracted out Options::verboseCompilation as was the case in the rest of the file.
7330 (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
7331 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
7332 added output error messages for llvm module loading.
7333
73342014-08-14 Andreas Kling <akling@apple.com>
7335
7336 Allocate the whole RegExpMatchesArray backing store up front.
7337 <https://webkit.org/b/135217>
7338
7339 We were using the generic array backing store allocation path for
7340 RegExpMatchesArray which meant starting with 4 slots and then growing
7341 it dynamically as we append. Since we always know the final number of
7342 entries up front, allocate a perfectly-sized backing store right away.
7343
7344 ~2% progression on Octane/regexp.
7345
7346 Reviewed by Geoffrey Garen.
7347
7348 * runtime/JSArray.h:
7349 (JSC::createArrayButterflyWithExactLength):
7350 * runtime/RegExpMatchesArray.cpp:
7351 (JSC::RegExpMatchesArray::create):
7352
2014-08-14 Saam Barati <sbarati@apple.com>

Allow high fidelity type profiling to be enabled and disabled.
https://bugs.webkit.org/show_bug.cgi?id=135423

Reviewed by Geoffrey Garen.

- Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
- Altered SymbolTable to use less memory by adding a rare data structure for
type profiling.
- Created an interface to turn on and off type profiling from the Web
Inspector.
- Refactored how entries are written to HighFidelityLog to make it
easier to inline when generating machine code.
- Implemented op_profile_types_with_high_fidelity in the baseline JIT
by inlining the process of writing to the log and doing a small amount
of type inference optimizations.

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::scopeDependentProfile): Deleted.
* bytecode/CodeBlock.h:
* bytecode/TypeLocation.h:
(JSC::TypeLocation::TypeLocation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
(JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ThisNode::emitBytecode):
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::TypeRecompiler::operator()):
(Inspector::recompileAllJSFunctionsForTypeProfiling):
(Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
(Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
(Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
(Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
(Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
* inspector/protocol/Runtime.json:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_profile_types_with_high_fidelity):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_types_with_high_fidelity):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::getFromScopeCommon): Deleted.
(JSC::LLInt::putToScopeCommon): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::initializeHighFidelityLog):
(JSC::HighFidelityLog::~HighFidelityLog):
(JSC::HighFidelityLog::processHighFidelityLog):
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::LogEntry::structureIDOffset):
(JSC::HighFidelityLog::LogEntry::valueOffset):
(JSC::HighFidelityLog::LogEntry::locationOffset):
(JSC::HighFidelityLog::recordTypeInformationForLocation):
(JSC::HighFidelityLog::logEndPtr):
(JSC::HighFidelityLog::logStartOffset):
(JSC::HighFidelityLog::currentLogEntryOffset):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
(JSC::descriptorMatchesTypeLocation):
* runtime/HighFidelityTypeProfiler.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
(JSC::SymbolTable::globalTypeSetForRegister):
(JSC::SymbolTable::globalTypeSetForVariable):
* runtime/SymbolTable.h:
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeSet.cpp:
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeInformation):
(JSC::TypeSet::allPrimitiveTypeNames):
(JSC::TypeSet::addTypeForValue): Deleted.
* runtime/TypeSet.h:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::nextTypeLocation):
(JSC::VM::enableHighFidelityTypeProfiling):
(JSC::VM::disableHighFidelityTypeProfiling):
(JSC::VM::dumpHighFidelityProfilingTypes):
* runtime/VM.h:
(JSC::VM::nextLocation): Deleted.

2014-08-14 Oliver Hunt <oliver@apple.com>

Update scope resolution to assume that the parent activation is always there
https://bugs.webkit.org/show_bug.cgi?id=135947

Reviewed by Andreas Kling.

Another incremental step in removing the idea of lazily created
activations.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitResolveClosure):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitResolveClosure):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

2014-08-14 Oliver Hunt <oliver@apple.com>

Create activations eagerly
https://bugs.webkit.org/show_bug.cgi?id=135942

Reviewed by Geoffrey Garen.

Prepare to rewrite activation objects into a more
sane implementation. Step 1 is reverting to eager
creation of the activation object. This results in
a 1.35x regression in earley, but otherwise has a
minimal performance impact.

The earley regression is being tracked by bug #135943

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewFunctionInternal):
(JSC::BytecodeGenerator::emitNewFunctionExpression):
(JSC::BytecodeGenerator::emitCallEval):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPushCatchScope):
(JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
* bytecompiler/BytecodeGenerator.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_activation):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_activation):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

2014-08-14 Oliver Hunt <oliver@apple.com>

Create activations eagerly
https://bugs.webkit.org/show_bug.cgi?id=135942

Reviewed by Geoffrey Garen.

Prepare to rewrite activation objects into a more
sane implementation. Step 1 is reverting to eager
creation of the activation object. This results in
a 1.35x regression in earley, but otherwise has a
minimal performance impact.

The earley regression is being tracked by
http://webkit.org/b/135943

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewFunctionInternal):
(JSC::BytecodeGenerator::emitNewFunctionExpression):
(JSC::BytecodeGenerator::emitCallEval):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPushCatchScope):
(JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
* bytecompiler/BytecodeGenerator.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_activation):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_activation):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

2014-08-14 Tomas Popela <tpopela@redhat.com>

Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
https://bugs.webkit.org/show_bug.cgi?id=135937

Reviewed by Carlos Garcia Campos.

* CMakeLists.txt:

2014-08-14 Akos Kiss <akiss@inf.u-szeged.hu>

Fix JSC::ARM64Assembler::LinkRecord::RealTypes
https://bugs.webkit.org/show_bug.cgi?id=135906

Reviewed by Michael Saboff.

JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
increase the size of the bit field and also reorganize the struct to
better align with word boundaries.

* assembler/ARM64Assembler.h:
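
The fix above is the classic narrow-bit-field hazard: an unsigned bit field silently keeps only its low bits, so a register number that needs six bits comes back wrong from a five-bit field. The C++ below is an added illustration, not ARM64Assembler's code; the RegisterID enumerators and the two LinkRecord layouts are constructed stand-ins.

```cpp
#include <cstdint>

// Constructed stand-in for an assembler register enumeration with more than
// 32 values: anything from 32 upward needs six bits, not five.
enum RegisterID : uint8_t {
    x0 = 0,
    x31 = 31,
    q0 = 32,   // first value that does not fit in five bits
    q31 = 63
};

// "Before": a 5-bit field. Assigning 32..63 to it is well-defined for an
// unsigned bit field, but the value is reduced modulo 32, i.e. silently wrong.
struct NarrowLinkRecord {
    unsigned m_compareRegister : 5;
    unsigned m_flags : 3;
};

// "After": six bits cover the whole 0..63 range; the struct stays one byte wide.
struct WideLinkRecord {
    unsigned m_compareRegister : 6;
    unsigned m_flags : 2;
};

// Compile-time guard: fail the build if the enumeration outgrows the field.
constexpr unsigned kRegisterBits = 6;
static_assert((1u << kRegisterBits) > q31, "bit field too narrow for RegisterID");

// Runtime guard for the same property, usable before storing into a field.
bool fitsInBits(unsigned value, unsigned bits)
{
    return bits >= 32 || value < (1u << bits);
}

// Store a register number and read it back; returns what the field kept.
unsigned roundTripNarrow(unsigned reg)
{
    NarrowLinkRecord record{};
    record.m_compareRegister = reg;  // compiles, truncates to the low five bits
    return record.m_compareRegister;
}

unsigned roundTripWide(unsigned reg)
{
    WideLinkRecord record{};
    record.m_compareRegister = reg;
    return record.m_compareRegister;
}
```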

2014-08-13 Akos Kiss <akiss@inf.u-szeged.hu>

Add ARM64 support to CMake-based builds
https://bugs.webkit.org/show_bug.cgi?id=135912

Reviewed by Gyuyoung Kim.

This patch ensures that CMake does not fail with Unknown CPU error when
building for ARM64.

* CMakeLists.txt:

2014-08-13 Wenson Hsieh <wenson_hsieh@apple.com>

Enable CSS_SCROLL_SNAP for iOS
https://bugs.webkit.org/show_bug.cgi?id=135915

Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.

Reviewed by Tim Horton.

* Configurations/FeatureDefines.xcconfig:

2014-08-13 Alex Christensen <achristensen@webkit.org>

Progress towards CMake on Mac.
https://bugs.webkit.org/show_bug.cgi?id=135819

Reviewed by Laszlo Gombos.

* CMakeLists.txt:
Add the remote inspector headers to the forwarding headers list.

2014-08-13 Daniel Bates <dabates@apple.com>

[iOS] Make JavaScriptCore and bmalloc build with the public SDK
https://bugs.webkit.org/show_bug.cgi?id=135848

Reviewed by Geoffrey Garen.

* API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
header <Foundation/NSMapTablePriv.h>.
* inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
without the system header <xpc/xpc.h>.
* inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
without the system header <xpc/xpc.h>.
* inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
building without the system header <xpc/xpc.h>.
(Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
(Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.

2014-08-12 Peyton Randolph <prandolph@apple.com>

Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
https://bugs.webkit.org/show_bug.cgi?id=135682

Reviewed by Tim Horton.

* Configurations/FeatureDefines.xcconfig:
Remove ENABLE_LONG_MOUSE_PRESS feature flag.

2014-08-12 Alex Christensen <achristensen@webkit.org>

Generate header detection headers for CMake on Windows.
https://bugs.webkit.org/show_bug.cgi?id=135807

Reviewed by Brent Fulgham.

* CMakeLists.txt:
Include the derived sources directory to find WTF/WTFHeaderDetection.h.

2014-08-11 Andy Estes <aestes@apple.com>

[iOS] Get rid of iOS.xcconfig
https://bugs.webkit.org/show_bug.cgi?id=135809

Reviewed by Joseph Pecoraro.

All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.

* Configurations/Base.xcconfig:
* Configurations/iOS.xcconfig: Removed.
* JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-11 Michael Saboff <msaboff@apple.com>

Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
https://bugs.webkit.org/show_bug.cgi?id=127155

Reviewed by Geoffrey Garen.

Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
instructions. Where the registers referenced by the added push and pop instructions
are not part of the offline assembler register aliases, used a newly added "emit"
offline assembler instruction which takes a string literal and outputs that
string as a native instruction.

* llint/LowLevelInterpreter.asm:
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/ast.rb:
* offlineasm/cloop.rb:
* offlineasm/instructions.rb:
* offlineasm/mips.rb:
* offlineasm/parser.rb:
* offlineasm/sh4.rb:
* offlineasm/transform.rb:
* offlineasm/x86.rb:

2014-08-11 Mark Lam <mark.lam@apple.com>

Re-landing r172401 with fixed test.
<https://webkit.org/b/135782>

Not reviewed.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::base):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitMultiLoopBytecode):
* tests/stress/for-in-tests.js:

2014-08-11 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r172401.
https://bugs.webkit.org/show_bug.cgi?id=135812

Failing stress/for-in-tests.js
http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps
/jscore-test/logs/stdio (Requested by mlam on #webkit).

Reverted changeset:

"for-in optimization should also make sure the base matches
the object being iterated"
https://bugs.webkit.org/show_bug.cgi?id=135782
http://trac.webkit.org/changeset/172401

2014-08-11 Brian J. Burg <burg@cs.washington.edu>

Web Inspector: use type builders to construct high fidelity type information payloads
https://bugs.webkit.org/show_bug.cgi?id=135803

Reviewed by Timothy Hatcher.

Due to some typos in the protocol file, the code had worked with raw objects
rather than with type builders. Convert to using builders.

* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
* runtime/HighFidelityTypeProfiler.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::allStructureRepresentations):
(JSC::StructureShape::stringRepresentation):
(JSC::StructureShape::inspectorRepresentation):
* runtime/TypeSet.h:

2014-08-11 Mark Hahnenberg <mhahnenberg@apple.com>

for-in optimization should also make sure the base matches the object being iterated
https://bugs.webkit.org/show_bug.cgi?id=135782

Reviewed by Geoffrey Garen.

If we access a different base object with the same index, we shouldn't try to randomly
load from that object's backing store.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::base):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitMultiLoopBytecode):
* tests/stress/for-in-tests.js:

2014-08-11 Brent Fulgham <bfulgham@apple.com>

[Win] Unreviewed gardening.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
proper folder categories.

2014-08-11 Mark Hahnenberg <mhahnenberg@apple.com>

JIT should use full 64-bit stores for jsBoolean and jsNull
https://bugs.webkit.org/show_bug.cgi?id=135784

Reviewed by Michael Saboff.

This guarantees that we set the high bits of the register with the correct tag.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emit_op_next_enumerator_pname):

2014-08-11 Brent Fulgham <bfulgham@apple.com>

[Win] Adjust build script for Windows production build.
https://bugs.webkit.org/show_bug.cgi?id=135806
<rdar://problem/17978299>

Reviewed by Timothy Hatcher.

* JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
in WebInspectorUI build.

2014-08-10 Oliver Hunt <oliver@apple.com>

Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
https://bugs.webkit.org/show_bug.cgi?id=135773

Reviewed by Michael Saboff.

We should be using parseAssignment expression in order to get the correct
precedence.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseVarDeclarationList):

2014-08-10 Diego Pino Garcia <dpino@igalia.com>

JSC Lexer is allowing octals 08 and 09 in strict mode functions
https://bugs.webkit.org/show_bug.cgi?id=135704

Reviewed by Oliver Hunt.

Return syntax error ("Decimal integer literals with a leading zero are
forbidden in strict mode") if a number starts with 0 and is followed
by a digit.

* parser/Lexer.cpp:
(JSC::Lexer<T>::lex):
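
As an added illustration of the rule the entry above describes (not JavaScriptCore's Lexer), the C++ below classifies the leading characters of a numeric literal and returns the strict-mode error for a decimal literal with a leading zero; the function names and the legacy-octal message are this example's own wording.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// How a numeric literal begins. LegacyOctal is "0" followed only by digits
// 0-7; LeadingZeroDecimal is "0" followed by digits that include 8 or 9.
enum class NumberKind { Decimal, Hex, LegacyOctal, LeadingZeroDecimal, NotANumber };

static bool isDigit(char c)
{
    return std::isdigit(static_cast<unsigned char>(c)) != 0;
}

// Classify a numeric literal such as "42", "0x1f", "017", "08" or "0.5".
NumberKind classifyNumericLiteral(const std::string& text)
{
    if (text.empty() || !isDigit(text[0]))
        return NumberKind::NotANumber;
    if (text[0] != '0' || text.size() == 1)
        return NumberKind::Decimal;          // "42", "0"
    char second = text[1];
    if (second == 'x' || second == 'X')
        return NumberKind::Hex;              // "0x1f"
    if (!isDigit(second))
        return NumberKind::Decimal;          // "0.5", "0e3"
    // "0" followed by a digit: legacy octal unless an 8 or 9 appears in the run.
    for (std::size_t i = 1; i < text.size() && isDigit(text[i]); ++i) {
        if (text[i] == '8' || text[i] == '9')
            return NumberKind::LeadingZeroDecimal;
    }
    return NumberKind::LegacyOctal;
}

// Returns an empty string when the literal is acceptable, otherwise the
// diagnostic a strict-mode lexer should raise.
std::string strictModeNumericError(const std::string& text, bool strictMode)
{
    if (!strictMode)
        return "";
    switch (classifyNumericLiteral(text)) {
    case NumberKind::LeadingZeroDecimal:
        // Message quoted from the entry above: the "08"/"09" case.
        return "Decimal integer literals with a leading zero are forbidden in strict mode";
    case NumberKind::LegacyOctal:
        // Constructed wording for this example; strict mode rejects legacy octal too.
        return "Octal integer literals are forbidden in strict mode";
    default:
        return "";
    }
}
```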

2014-08-08 Mark Lam <mark.lam@apple.com>

REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
<https://webkit.org/b/135656>

Not reviewed.

Rolling out r170680 which was merged to ToT in r172129.

* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::invalidate):
* debugger/DebuggerCallFrame.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerScope::next): Deleted.
(JSC::DebuggerScope::invalidateChain): Deleted.
(JSC::DebuggerScope::isWithScope): Deleted.
(JSC::DebuggerScope::isGlobalScope): Deleted.
(JSC::DebuggerScope::isFunctionScope): Deleted.
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::Iterator::Iterator): Deleted.
(JSC::DebuggerScope::Iterator::get): Deleted.
(JSC::DebuggerScope::Iterator::operator++): Deleted.
(JSC::DebuggerScope::Iterator::operator==): Deleted.
(JSC::DebuggerScope::Iterator::operator!=): Deleted.
(JSC::DebuggerScope::isValid): Deleted.
(JSC::DebuggerScope::jsScope): Deleted.
(JSC::DebuggerScope::begin): Deleted.
(JSC::DebuggerScope::end): Deleted.
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
(Inspector::JSJavaScriptCallFrame::scopeChain):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::scopeChain):
* inspector/ScriptDebugServer.cpp:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::isWithScope): Deleted.
* runtime/JSScope.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

2014-08-07 Saam Barati <sbarati@apple.com>

Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
https://bugs.webkit.org/show_bug.cgi?id=135358

Reviewed by Geoffrey Garen.

When VMEntryScope is destroyed, and it has a flag set indicating that the
Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
This flag is only used by Debugger to have VMEntryScope notify it when the
Debugger is safe to recompile all functions. This patch will substitute this
Debugger-specific recompilation flag with a list of callbacks that are notified
when the outermost VMEntryScope dies. This creates a general purpose interface
for being notified when the VM stops executing code via the event of the outermost
VMEntryScope dying.

* debugger/Debugger.cpp:
(JSC::Debugger::recompileAllJSFunctions):
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::setEntryScopeDidPopListener):
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
(JSC::VMEntryScope::setRecompilationNeeded): Deleted.
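
To show the mechanism the entry above describes, the C++ below is an added sketch (not JavaScriptCore's VMEntryScope) of a VM whose outermost entry scope runs registered listeners when it pops, while nested scopes leave them untouched; MiniVM, MiniEntryScope and recompileCount are constructed names.

```cpp
#include <functional>
#include <utility>
#include <vector>

struct MiniVM;

// RAII marker for "the VM is executing code". The first scope constructed on
// an idle VM becomes the outermost one; nested scopes are passive.
struct MiniEntryScope {
    explicit MiniEntryScope(MiniVM& vm);
    ~MiniEntryScope();
    // Ask to be called back once the outermost scope pops. May be called on any
    // scope, nested or not; the listener lives on the VM.
    void setEntryScopeDidPopListener(std::function<void(MiniVM&)> listener);
    MiniVM& m_vm;
};

struct MiniVM {
    MiniEntryScope* entryScope = nullptr;                       // outermost scope, if any
    std::vector<std::function<void(MiniVM&)>> didPopListeners;
    int recompileCount = 0;                                     // stands in for recompileAllJSFunctions
    bool isExecuting() const { return entryScope != nullptr; }
};

MiniEntryScope::MiniEntryScope(MiniVM& vm)
    : m_vm(vm)
{
    if (!vm.entryScope)
        vm.entryScope = this;   // nested scopes leave the outermost in place
}

void MiniEntryScope::setEntryScopeDidPopListener(std::function<void(MiniVM&)> listener)
{
    m_vm.didPopListeners.push_back(std::move(listener));
}

MiniEntryScope::~MiniEntryScope()
{
    if (m_vm.entryScope != this)
        return;                 // inner scope popped: the VM is still executing code
    m_vm.entryScope = nullptr;  // from here on the VM is idle, so it is safe to recompile
    // Take the list first so a listener may register a new one without
    // invalidating the loop below.
    auto listeners = std::move(m_vm.didPopListeners);
    m_vm.didPopListeners.clear();
    for (auto& listener : listeners)
        listener(m_vm);
}

// The debugger case: a recompile requested while code is running must fire
// exactly once, and only after the outermost scope has popped.
int runNestedAndCount()
{
    MiniVM vm;
    {
        MiniEntryScope outer(vm);
        {
            MiniEntryScope inner(vm);
            inner.setEntryScopeDidPopListener([](MiniVM& v) { v.recompileCount++; });
        }   // inner pops: nothing fires
        if (vm.recompileCount != 0 || !vm.isExecuting())
            return -1;
    }       // outer pops: the listener fires once
    return vm.isExecuting() ? -2 : vm.recompileCount;
}
```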

2014-08-07 Benjamin Poulain <bpoulain@apple.com>

Get rid of SCRIPTED_SPEECH
https://bugs.webkit.org/show_bug.cgi?id=135729

Reviewed by Brent Fulgham.

* Configurations/FeatureDefines.xcconfig:

2014-08-07 Mark Hahnenberg <mhahnenberg@apple.com>

SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
https://bugs.webkit.org/show_bug.cgi?id=135722

Reviewed by Filip Pizlo.

We should be using SpeculateStrictInt32Operand instead.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

2014-08-07 Benjamin Poulain <bpoulain@apple.com>

Get rid of INPUT_SPEECH
https://bugs.webkit.org/show_bug.cgi?id=135672

Reviewed by Andreas Kling.

* Configurations/FeatureDefines.xcconfig:

2014-08-07 Mark Hahnenberg <mhahnenberg@apple.com>

for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
https://bugs.webkit.org/show_bug.cgi?id=135681

Reviewed by Filip Pizlo.

* runtime/Structure.cpp:
(JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire
prototype chain for overridesGetPropertyNames, but we were neglecting to check the
base object's Structure. D'oh!

2014-08-06 Mark Lam <mark.lam@apple.com>

Gardening: fix for build failure on EFL bots.

Not reviewed.

* runtime/EnumerationMode.h:
(JSC::shouldIncludeJSObjectPropertyNames):
(JSC::modeThatSkipsJSObject):
* runtime/JSCell.cpp:
(JSC::JSCell::getEnumerableLength):
* runtime/JSCell.h:

2014-08-06 Dean Jackson <dino@apple.com>

ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
https://bugs.webkit.org/show_bug.cgi?id=135675

Reviewed by Sam Weinig.

* Configurations/FeatureDefines.xcconfig:

2014-08-06 Wenson Hsieh <wenson_hsieh@apple.com>

Implement parsing for CSS scroll snap points
https://bugs.webkit.org/show_bug.cgi?id=134301

Reviewed by Dean Jackson.

* Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06 Mark Lam <mark.lam@apple.com>

Gardening: fix for build failure on GTK bots.

Not reviewed.

* runtime/FunctionHasExecutedCache.cpp:
- #include <limits.h> for UINT_MAX's definition.

2014-08-06 Mark Lam <mark.lam@apple.com>

Gardening: fix for build failure on EFL bots.

Not reviewed.

* jit/JITInlines.h:
(JSC::JIT::emitLoadForArrayMode):

2014-08-06 Mark Lam <mark.lam@apple.com>

Gardening: adding missing build file changes from the FTLOPT merge at r172176.

Not reviewed.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06 Ryuan Choi <ryuan.choi@samsung.com>

Unreviewed build fix attempt since r172184

* CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06 Mark Lam <mark.lam@apple.com>

Gardening: adding missing build file changes from r171510.
<https://webkit.org/b/134860>

Not reviewed.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06 Mark Lam <mark.lam@apple.com>

Gardening: adding missing build file changes from r170490.
<https://webkit.org/b/133395>

Not reviewed.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06 Filip Pizlo <fpizlo@apple.com>

Silence a debug assertion.

Reviewed by Mark Hahnenberg.

* runtime/JSPropertyNameEnumerator.h:
(JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06 Filip Pizlo <fpizlo@apple.com>

Fix 32-bit build.

* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):

2014-08-06 Filip Pizlo <fpizlo@apple.com>

Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>

Support for-in in the FTL
https://bugs.webkit.org/show_bug.cgi?id=134140

Reviewed by Filip Pizlo.

* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
(JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
(JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
(JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
(JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
(JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
(JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
(JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
(JSC::FTL::LowerDFGToLLVM::compileToIndexString):

2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>

Remove JSPropertyNameIterator
https://bugs.webkit.org/show_bug.cgi?id=135066

Reviewed by Geoffrey Garen.

It has been replaced by JSPropertyNameEnumerator.

* JavaScriptCore.order:
* bytecode/BytecodeBasicBlock.cpp:
(JSC::isBranch):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/PreciseJumpTargets.cpp:
(JSC::getJumpTargetsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
(JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
* bytecompiler/BytecodeGenerator.h:
* interpreter/Interpreter.cpp:
* interpreter/Register.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
(JSC::JSPropertyNameIterator::create): Deleted.
(JSC::JSPropertyNameIterator::destroy): Deleted.
(JSC::JSPropertyNameIterator::get): Deleted.
(JSC::JSPropertyNameIterator::visitChildren): Deleted.
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure): Deleted.
(JSC::JSPropertyNameIterator::size): Deleted.
(JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
(JSC::JSPropertyNameIterator::cachedStructure): Deleted.
(JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::finishCreation): Deleted.
(JSC::Register::propertyNameIterator): Deleted.
(JSC::StructureRareData::enumerationCache): Deleted.
(JSC::StructureRareData::setEnumerationCache): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache): Deleted.
(JSC::Structure::enumerationCache): Deleted.
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
* runtime/StructureRareData.h:
* runtime/VM.cpp:
(JSC::VM::VM):

2014-07-25 Saam Barati <sbarati@apple.com>

Fix 32-bit build breakage for type profiling
https://bugs.webkit.org/process_bug.cgi

Reviewed by Mark Hahnenberg.

32-bit builds currently break because global variable IDs for high
fidelity type profiling are int64_t. Change this to intptr_t so that
it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/TypeLocation.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
* runtime/SymbolTable.h:
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeLocationCache.h:
* runtime/VM.h:
(JSC::VM::getNextUniqueVariableID):

2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>

Reindent PropertyNameArray.h
8220 https://bugs.webkit.org/show_bug.cgi?id=135067
8221
8222 Reviewed by Geoffrey Garen.
8223
8224 * runtime/PropertyNameArray.h:
8225 (JSC::RefCountedIdentifierSet::contains):
8226 (JSC::RefCountedIdentifierSet::size):
8227 (JSC::RefCountedIdentifierSet::add):
8228 (JSC::PropertyNameArrayData::create):
8229 (JSC::PropertyNameArrayData::propertyNameVector):
8230 (JSC::PropertyNameArrayData::PropertyNameArrayData):
8231 (JSC::PropertyNameArray::PropertyNameArray):
8232 (JSC::PropertyNameArray::vm):
8233 (JSC::PropertyNameArray::add):
8234 (JSC::PropertyNameArray::addKnownUnique):
8235 (JSC::PropertyNameArray::operator[]):
8236 (JSC::PropertyNameArray::setData):
8237 (JSC::PropertyNameArray::data):
8238 (JSC::PropertyNameArray::releaseData):
8239 (JSC::PropertyNameArray::identifierSet):
8240 (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
8241 (JSC::PropertyNameArray::size):
8242 (JSC::PropertyNameArray::begin):
8243 (JSC::PropertyNameArray::end):
8244 (JSC::PropertyNameArray::numCacheableSlots):
8245 (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
8246 (JSC::PropertyNameArray::setBaseObject):
8247 (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
8248
8249 2014-07-23 Mark Hahnenberg <mhahnenberg@apple.com>
8250
8251 Refactor our current implementation of for-in
8252 https://bugs.webkit.org/show_bug.cgi?id=134142
8253
8254 Reviewed by Filip Pizlo.
8255
8256 This patch splits for-in loops into three distinct parts:
8257
8258 - Iterating over the indexed properties in the base object.
8259 - Iterating over the Structure properties in the base object.
8260 - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
8261
8262 It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
8263 support the various operations required for each loop.
8264
8265 * API/JSCallbackObjectFunctions.h:
8266 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
8267 * JavaScriptCore.xcodeproj/project.pbxproj:
8268 * bytecode/BytecodeList.json:
8269 * bytecode/BytecodeUseDef.h:
8270 (JSC::computeUsesForBytecodeOffset):
8271 (JSC::computeDefsForBytecodeOffset):
8272 * bytecode/CallLinkStatus.h:
8273 (JSC::CallLinkStatus::CallLinkStatus):
8274 * bytecode/CodeBlock.cpp:
8275 (JSC::CodeBlock::dumpBytecode):
8276 (JSC::CodeBlock::CodeBlock):
8277 * bytecompiler/BytecodeGenerator.cpp:
8278 (JSC::BytecodeGenerator::emitGetByVal):
8279 (JSC::BytecodeGenerator::emitComplexPopScopes):
8280 (JSC::BytecodeGenerator::emitGetEnumerableLength):
8281 (JSC::BytecodeGenerator::emitHasGenericProperty):
8282 (JSC::BytecodeGenerator::emitHasIndexedProperty):
8283 (JSC::BytecodeGenerator::emitHasStructureProperty):
8284 (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
8285 (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
8286 (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
8287 (JSC::BytecodeGenerator::emitToIndexString):
8288 (JSC::BytecodeGenerator::pushIndexedForInScope):
8289 (JSC::BytecodeGenerator::popIndexedForInScope):
8290 (JSC::BytecodeGenerator::pushStructureForInScope):
8291 (JSC::BytecodeGenerator::popStructureForInScope):
8292 (JSC::BytecodeGenerator::invalidateForInContextForLocal):
8293 * bytecompiler/BytecodeGenerator.h:
8294 (JSC::ForInContext::ForInContext):
8295 (JSC::ForInContext::~ForInContext):
8296 (JSC::ForInContext::isValid):
8297 (JSC::ForInContext::invalidate):
8298 (JSC::ForInContext::local):
8299 (JSC::StructureForInContext::StructureForInContext):
8300 (JSC::StructureForInContext::type):
8301 (JSC::StructureForInContext::index):
8302 (JSC::StructureForInContext::property):
8303 (JSC::StructureForInContext::enumerator):
8304 (JSC::IndexedForInContext::IndexedForInContext):
8305 (JSC::IndexedForInContext::type):
8306 (JSC::IndexedForInContext::index):
8307 (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
8308 (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
8309 * bytecompiler/NodesCodegen.cpp:
8310 (JSC::ReadModifyResolveNode::emitBytecode):
8311 (JSC::AssignResolveNode::emitBytecode):
8312 (JSC::ForInNode::tryGetBoundLocal):
8313 (JSC::ForInNode::emitLoopHeader):
8314 (JSC::ForInNode::emitMultiLoopBytecode):
8315 (JSC::ForInNode::emitBytecode):
8316 * debugger/DebuggerScope.h:
8317 * dfg/DFGAbstractHeap.h:
8318 * dfg/DFGAbstractInterpreterInlines.h:
8319 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
8320 * dfg/DFGByteCodeParser.cpp:
8321 (JSC::DFG::ByteCodeParser::parseBlock):
8322 * dfg/DFGCapabilities.cpp:
8323 (JSC::DFG::capabilityLevel):
8324 * dfg/DFGClobberize.h:
8325 (JSC::DFG::clobberize):
8326 * dfg/DFGDoesGC.cpp:
8327 (JSC::DFG::doesGC):
8328 * dfg/DFGFixupPhase.cpp:
8329 (JSC::DFG::FixupPhase::fixupNode):
8330 * dfg/DFGHeapLocation.cpp:
8331 (WTF::printInternal):
8332 * dfg/DFGHeapLocation.h:
8333 * dfg/DFGNode.h:
8334 (JSC::DFG::Node::hasHeapPrediction):
8335 (JSC::DFG::Node::hasArrayMode):
8336 * dfg/DFGNodeType.h:
8337 * dfg/DFGPredictionPropagationPhase.cpp:
8338 (JSC::DFG::PredictionPropagationPhase::propagate):
8339 * dfg/DFGSafeToExecute.h:
8340 (JSC::DFG::safeToExecute):
8341 * dfg/DFGSpeculativeJIT.h:
8342 (JSC::DFG::SpeculativeJIT::callOperation):
8343 * dfg/DFGSpeculativeJIT32_64.cpp:
8344 (JSC::DFG::SpeculativeJIT::compile):
8345 * dfg/DFGSpeculativeJIT64.cpp:
8346 (JSC::DFG::SpeculativeJIT::compile):
8347 * jit/JIT.cpp:
8348 (JSC::JIT::privateCompileMainPass):
8349 (JSC::JIT::privateCompileSlowCases):
8350 * jit/JIT.h:
8351 (JSC::JIT::compileHasIndexedProperty):
8352 (JSC::JIT::emitInt32Load):
8353 * jit/JITInlines.h:
8354 (JSC::JIT::emitDoubleGetByVal):
8355 (JSC::JIT::emitLoadForArrayMode):
8356 (JSC::JIT::emitContiguousGetByVal):
8357 (JSC::JIT::emitArrayStorageGetByVal):
8358 * jit/JITOpcodes.cpp:
8359 (JSC::JIT::emit_op_get_enumerable_length):
8360 (JSC::JIT::emit_op_has_structure_property):
8361 (JSC::JIT::emitSlow_op_has_structure_property):
8362 (JSC::JIT::emit_op_has_generic_property):
8363 (JSC::JIT::privateCompileHasIndexedProperty):
8364 (JSC::JIT::emit_op_has_indexed_property):
8365 (JSC::JIT::emitSlow_op_has_indexed_property):
8366 (JSC::JIT::emit_op_get_direct_pname):
8367 (JSC::JIT::emitSlow_op_get_direct_pname):
8368 (JSC::JIT::emit_op_get_structure_property_enumerator):
8369 (JSC::JIT::emit_op_get_generic_property_enumerator):
8370 (JSC::JIT::emit_op_next_enumerator_pname):
8371 (JSC::JIT::emit_op_to_index_string):
8372 * jit/JITOpcodes32_64.cpp:
8373 (JSC::JIT::emit_op_get_enumerable_length):
8374 (JSC::JIT::emit_op_has_structure_property):
8375 (JSC::JIT::emitSlow_op_has_structure_property):
8376 (JSC::JIT::emit_op_has_generic_property):
8377 (JSC::JIT::privateCompileHasIndexedProperty):
8378 (JSC::JIT::emit_op_has_indexed_property):
8379 (JSC::JIT::emitSlow_op_has_indexed_property):
8380 (JSC::JIT::emit_op_get_direct_pname):
8381 (JSC::JIT::emitSlow_op_get_direct_pname):
8382 (JSC::JIT::emit_op_get_structure_property_enumerator):
8383 (JSC::JIT::emit_op_get_generic_property_enumerator):
8384 (JSC::JIT::emit_op_next_enumerator_pname):
8385 (JSC::JIT::emit_op_to_index_string):
8386 * jit/JITOperations.cpp:
8387 * jit/JITOperations.h:
8388 * jit/JITPropertyAccess.cpp:
8389 (JSC::JIT::emitDoubleLoad):
8390 (JSC::JIT::emitContiguousLoad):
8391 (JSC::JIT::emitArrayStorageLoad):
8392 (JSC::JIT::emitDoubleGetByVal): Deleted.
8393 (JSC::JIT::emitContiguousGetByVal): Deleted.
8394 (JSC::JIT::emitArrayStorageGetByVal): Deleted.
8395 * jit/JITPropertyAccess32_64.cpp:
8396 (JSC::JIT::emitContiguousLoad):
8397 (JSC::JIT::emitDoubleLoad):
8398 (JSC::JIT::emitArrayStorageLoad):
8399 (JSC::JIT::emitContiguousGetByVal): Deleted.
8400 (JSC::JIT::emitDoubleGetByVal): Deleted.
8401 (JSC::JIT::emitArrayStorageGetByVal): Deleted.
8402 * llint/LowLevelInterpreter.asm:
8403 * parser/Nodes.h:
8404 * runtime/Arguments.cpp:
8405 (JSC::Arguments::getOwnPropertyNames):
8406 * runtime/ClassInfo.h:
8407 * runtime/CommonSlowPaths.cpp:
8408 (JSC::SLOW_PATH_DECL):
8409 * runtime/CommonSlowPaths.h:
8410 * runtime/EnumerationMode.h: Added.
8411 (JSC::shouldIncludeDontEnumProperties):
8412 (JSC::shouldExcludeDontEnumProperties):
8413 (JSC::shouldIncludeJSObjectPropertyNames):
8414 (JSC::modeThatSkipsJSObject):
8415 * runtime/JSActivation.cpp:
8416 (JSC::JSActivation::getOwnNonIndexPropertyNames):
8417 * runtime/JSArray.cpp:
8418 (JSC::JSArray::getOwnNonIndexPropertyNames):
8419 * runtime/JSArrayBuffer.cpp:
8420 (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
8421 * runtime/JSArrayBufferView.cpp:
8422 (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
8423 * runtime/JSCell.cpp:
8424 (JSC::JSCell::getEnumerableLength):
8425 (JSC::JSCell::getStructurePropertyNames):
8426 (JSC::JSCell::getGenericPropertyNames):
8427 * runtime/JSCell.h:
8428 * runtime/JSFunction.cpp:
8429 (JSC::JSFunction::getOwnNonIndexPropertyNames):
8430 * runtime/JSGenericTypedArrayViewInlines.h:
8431 (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
8432 * runtime/JSObject.cpp:
8433 (JSC::getClassPropertyNames):
8434 (JSC::JSObject::hasOwnProperty):
8435 (JSC::JSObject::getOwnPropertyNames):
8436 (JSC::JSObject::getOwnNonIndexPropertyNames):
8437 (JSC::JSObject::getEnumerableLength):
8438 (JSC::JSObject::getStructurePropertyNames):
8439 (JSC::JSObject::getGenericPropertyNames):
8440 * runtime/JSObject.h:
8441 * runtime/JSPropertyNameEnumerator.cpp: Added.
8442 (JSC::JSPropertyNameEnumerator::create):
8443 (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
8444 (JSC::JSPropertyNameEnumerator::finishCreation):
8445 (JSC::JSPropertyNameEnumerator::destroy):
8446 (JSC::JSPropertyNameEnumerator::visitChildren):
8447 * runtime/JSPropertyNameEnumerator.h: Added.
8448 (JSC::JSPropertyNameEnumerator::createStructure):
8449 (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
8450 (JSC::JSPropertyNameEnumerator::identifierSet):
8451 (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
8452 (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
8453 (JSC::JSPropertyNameEnumerator::cachedStructure):
8454 (JSC::JSPropertyNameEnumerator::cachedStructureID):
8455 (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
8456 (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
8457 (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
8458 (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
8459 (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
8460 (JSC::structurePropertyNameEnumerator):
8461 (JSC::genericPropertyNameEnumerator):
8462 * runtime/JSProxy.cpp:
8463 (JSC::JSProxy::getEnumerableLength):
8464 (JSC::JSProxy::getStructurePropertyNames):
8465 (JSC::JSProxy::getGenericPropertyNames):
8466 * runtime/JSProxy.h:
8467 * runtime/JSSymbolTableObject.cpp:
8468 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
8469 * runtime/PropertyNameArray.cpp:
8470 (JSC::PropertyNameArray::add):
8471 (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
8472 * runtime/PropertyNameArray.h:
8473 (JSC::RefCountedIdentifierSet::contains):
8474 (JSC::RefCountedIdentifierSet::size):
8475 (JSC::RefCountedIdentifierSet::add):
8476 (JSC::PropertyNameArray::PropertyNameArray):
8477 (JSC::PropertyNameArray::add):
8478 (JSC::PropertyNameArray::addKnownUnique):
8479 (JSC::PropertyNameArray::identifierSet):
8480 (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
8481 (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
8482 * runtime/RegExpObject.cpp:
8483 (JSC::RegExpObject::getOwnNonIndexPropertyNames):
8484 (JSC::RegExpObject::getPropertyNames):
8485 (JSC::RegExpObject::getGenericPropertyNames):
8486 * runtime/RegExpObject.h:
8487 * runtime/StringObject.cpp:
8488 (JSC::StringObject::getOwnPropertyNames):
8489 * runtime/Structure.cpp:
8490 (JSC::Structure::getPropertyNamesFromStructure):
8491 (JSC::Structure::setCachedStructurePropertyNameEnumerator):
8492 (JSC::Structure::cachedStructurePropertyNameEnumerator):
8493 (JSC::Structure::setCachedGenericPropertyNameEnumerator):
8494 (JSC::Structure::cachedGenericPropertyNameEnumerator):
8495 (JSC::Structure::canCacheStructurePropertyNameEnumerator):
8496 (JSC::Structure::canCacheGenericPropertyNameEnumerator):
8497 (JSC::Structure::canAccessPropertiesQuickly):
8498 * runtime/Structure.h:
8499 * runtime/StructureRareData.cpp:
8500 (JSC::StructureRareData::visitChildren):
8501 (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
8502 (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
8503 (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
8504 (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
8505 * runtime/StructureRareData.h:
8506 * runtime/VM.cpp:
8507 (JSC::VM::VM):
8508 * runtime/VM.h:
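
The three-phase split described above, as an added example in plain JavaScript; this is not JavaScriptCore code and none of the new opcodes are visible to scripts, so the model works from Object.getOwnPropertyNames and property descriptors. Phase 1 is the base object's indexed properties, phase 2 its named (Structure) properties, phase 3 the prototype chain with the same indexed-then-named order per object; a name that has already been processed, enumerable or not, is skipped further up the chain. The sample object, and the rule that only canonical array-index strings below 2^32-1 count as indexed properties, are assumptions of this example.

```javascript
// Added example, not JavaScriptCore code: a model of for-in's three enumeration
// phases. Assumption: an indexed property is a canonical array-index string
// ("0", "17", not "017") with value at most 2^32 - 2.
const MAX_ARRAY_INDEX = 2 ** 32 - 2;

function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n <= MAX_ARRAY_INDEX && String(n) === key;
}

// Own string keys of one object, split into the two groups that are iterated
// separately. Object.getOwnPropertyNames already yields integer indices first,
// in ascending order, then named keys in insertion order, so each group keeps
// its order after the split.
function splitOwnKeys(obj) {
  const indexed = [];
  const named = [];
  for (const key of Object.getOwnPropertyNames(obj)) {
    (isArrayIndex(key) ? indexed : named).push(key);
  }
  return { indexed, named };
}

// Returns the keys for-in visits, in order. A non-enumerable property is still
// "processed": it is never yielded, but it shadows an enumerable property of the
// same name on an object further up the prototype chain.
function enumerateLikeForIn(obj) {
  const processed = new Set();
  const result = [];
  const visit = (owner, key) => {
    if (processed.has(key)) return;
    processed.add(key);
    const desc = Object.getOwnPropertyDescriptor(owner, key);
    if (desc && desc.enumerable) result.push(key);
  };
  // Phase 1 (indexed) and phase 2 (named) on the base object itself.
  const own = splitOwnKeys(obj);
  for (const key of own.indexed) visit(obj, key);
  for (const key of own.named) visit(obj, key);
  // Phase 3: every object on the prototype chain, each indexed-then-named.
  for (let proto = Object.getPrototypeOf(obj); proto !== null; proto = Object.getPrototypeOf(proto)) {
    const keys = splitOwnKeys(proto);
    for (const key of keys.indexed) visit(proto, key);
    for (const key of keys.named) visit(proto, key);
  }
  return result;
}

// What the running engine's own for-in produces, for comparison.
function engineForIn(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Constructed sample: indexed, named, non-enumerable and shadowing properties on
// top of a prototype that carries an index of its own.
function sampleObject() {
  const proto = { inherited: 1, shadowed: 2 };
  proto[3] = 'protoIndex';
  const obj = Object.create(proto);
  obj.b = 1;
  obj[10] = 'ten';
  obj.a = 2;
  obj[2] = 'two';
  Object.defineProperty(obj, 'shadowed', { value: 0, enumerable: false });
  Object.defineProperty(obj, 'hidden', { value: 0, enumerable: false });
  return obj;
}

console.log(enumerateLikeForIn(sampleObject()));
```

For the sample object the model yields "2", "10" (own indices, ascending), then "b", "a" (own named, insertion order; "shadowed" and "hidden" are processed but not yielded), then "3" and "inherited" from the prototype, with the prototype's enumerable "shadowed" suppressed by the non-enumerable own property of the same name.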
8509
8510 2014-07-23 Saam Barati <sbarati@apple.com>
8511
8512 Make improvements to Type Profiling
8513 https://bugs.webkit.org/show_bug.cgi?id=134860
8514
8515 Reviewed by Filip Pizlo.
8516
8517 I improved the API between the inspector and JSC. We no longer send one huge
8518 string to the inspector. We now send structured data that represents the type
8519 information that JSC has collected. I've also created a beginning implementation
8520 of a type lattice that allows us to resolve a display name for a type that
8521 consists of a single word.
8522
8523 I created a data structure that knows which functions have executed. This
8524 solves the bug where types inside an un-executed function will resolve
8525 to the type of the enclosing expression of that function. This data
8526 structure may also be useful later if the inspector chooses to create a UI
8527 around showing which functions have executed.
8528
8529 Better type information is gathered for objects. StructureShape now
8530 represents an object's prototype chain. StructureShape also collects
8531 the constructor name for an object.
8532
8533 Expression ranges are now zero indexed.
8534
8535 Removed some extraneous methods.
8536
8537 * JavaScriptCore.xcodeproj/project.pbxproj:
8538 * bytecode/CodeBlock.cpp:
8539 (JSC::CodeBlock::CodeBlock):
8540 (JSC::CodeBlock::scopeDependentProfile):
8541 * bytecode/CodeBlock.h:
8542 * bytecode/TypeLocation.h:
8543 (JSC::TypeLocation::TypeLocation):
8544 * bytecode/UnlinkedCodeBlock.cpp:
8545 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
8546 * bytecode/UnlinkedCodeBlock.h:
8547 (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
8548 (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
8549 * bytecompiler/BytecodeGenerator.cpp:
8550 (JSC::BytecodeGenerator::BytecodeGenerator):
8551 (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
8552 * bytecompiler/BytecodeGenerator.h:
8553 (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
8554 * heap/Heap.cpp:
8555 (JSC::Heap::collect):
8556 * inspector/agents/InspectorRuntimeAgent.cpp:
8557 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
8558 (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
8559 * inspector/agents/InspectorRuntimeAgent.h:
8560 * inspector/protocol/Runtime.json:
8561 * runtime/Executable.cpp:
8562 (JSC::ScriptExecutable::ScriptExecutable):
8563 (JSC::ProgramExecutable::ProgramExecutable):
8564 (JSC::FunctionExecutable::FunctionExecutable):
8565 (JSC::ProgramExecutable::initializeGlobalProperties):
8566 * runtime/Executable.h:
8567 (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
8568 (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
8569 * runtime/FunctionHasExecutedCache.cpp: Added.
8570 (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
8571 (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
8572 (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
8573 * runtime/FunctionHasExecutedCache.h: Added.
8574 (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
8575 (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
8576 (JSC::FunctionHasExecutedCache::FunctionRange::hash):
8577 * runtime/HighFidelityLog.cpp:
8578 (JSC::HighFidelityLog::processHighFidelityLog):
8579 (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
8580 * runtime/HighFidelityLog.h:
8581 (JSC::HighFidelityLog::recordTypeInformationForLocation):
8582 * runtime/HighFidelityTypeProfiler.cpp:
8583 (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
8584 (JSC::HighFidelityTypeProfiler::insertNewLocation):
8585 (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
8586 (JSC::descriptorMatchesTypeLocation):
8587 (JSC::HighFidelityTypeProfiler::findLocation):
8588 (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
8589 (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
8590 (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
8591 * runtime/HighFidelityTypeProfiler.h:
8592 (JSC::QueryKey::QueryKey):
8593 (JSC::QueryKey::isHashTableDeletedValue):
8594 (JSC::QueryKey::operator==):
8595 (JSC::QueryKey::hash):
8596 (JSC::QueryKeyHash::hash):
8597 (JSC::QueryKeyHash::equal):
8598 (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
8599 (JSC::HighFidelityTypeProfiler::typeLocationCache):
8600 * runtime/Structure.cpp:
8601 (JSC::Structure::toStructureShape):
8602 * runtime/Structure.h:
8603 * runtime/TypeLocationCache.cpp: Added.
8604 (JSC::TypeLocationCache::getTypeLocation):
8605 * runtime/TypeLocationCache.h: Added.
8606 (JSC::TypeLocationCache::LocationKey::LocationKey):
8607 (JSC::TypeLocationCache::LocationKey::operator==):
8608 (JSC::TypeLocationCache::LocationKey::hash):
8609 * runtime/TypeSet.cpp:
8610 (JSC::TypeSet::getRuntimeTypeForValue):
8611 (JSC::TypeSet::addTypeForValue):
8612 (JSC::TypeSet::seenTypes):
8613 (JSC::TypeSet::doesTypeConformTo):
8614 (JSC::TypeSet::displayName):
8615 (JSC::TypeSet::allPrimitiveTypeNames):
8616 (JSC::TypeSet::allStructureRepresentations):
8617 (JSC::TypeSet::leastCommonAncestor):
8618 (JSC::StructureShape::StructureShape):
8619 (JSC::StructureShape::addProperty):
8620 (JSC::StructureShape::propertyHash):
8621 (JSC::StructureShape::leastCommonAncestor):
8622 (JSC::StructureShape::stringRepresentation):
8623 (JSC::StructureShape::inspectorRepresentation):
8624 (JSC::StructureShape::leastUpperBound): Deleted.
8625 * runtime/TypeSet.h:
8626 (JSC::StructureShape::setConstructorName):
8627 (JSC::StructureShape::constructorName):
8628 (JSC::StructureShape::setProto):
8629 * runtime/VM.cpp:
8630 (JSC::VM::dumpHighFidelityProfilingTypes):
8631 (JSC::VM::getTypesForVariableAtOffset): Deleted.
8632 (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
8633 * runtime/VM.h:
8634 (JSC::VM::isProfilingTypesWithHighFidelity):
8635 (JSC::VM::highFidelityTypeProfiler):
8636
8637 2014-07-23 Filip Pizlo <fpizlo@apple.com>
8638
8639 Fix debug build.
8640
8641 * bytecode/CallLinkStatus.h:
8642 (JSC::CallLinkStatus::CallLinkStatus):
8643
8644 2014-07-20 Filip Pizlo <fpizlo@apple.com>
8645
8646 [ftlopt] Phantoms in SSA form should be aggressively hoisted
8647 https://bugs.webkit.org/show_bug.cgi?id=135111
8648
8649 Reviewed by Oliver Hunt.
8650
8651 In CPS form, Phantom means three things: (1) that the children should be kept alive so long
8652 as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
8653 at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
8654 second meaning is not used but the other two stay.
8655
8656 The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
8657 even in a totally different basic block, complicates some SSA transformations. It's not
8658 possible to just jettison some successor, since that successor could have a Phantom that we
8659 care about.
8660
8661 This change rationalizes how Phantoms work so that:
8662
8663 1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
8664 in both CPS and SSA. This was true before and it's true now.
8665
8666 2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
8667 now, except that now we also don't bother preserving the live-in-bytecode information
8668 that Phantoms convey, when we are in SSA.
8669
8670 3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
8671 use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
8672 Phantom.
8673
8674 The biggest part of this change is that in SSA, we canonicalize Phantoms:
8675
8676 - All Phantoms are replaced with Check nodes that include only those edges that have
8677 checks.
8678
8679 - Nodes that were the children of any Phantoms have a Phantom right after them.
8680
8681 For example, the following code:
8682
8683 5: ArithAdd(@1, @2)
8684 6: ArithSub(@5, @3)
8685 7: Phantom(Int32:@5)
8686
8687 would be turned into the following:
8688
8689 5: ArithAdd(@1, @2)
8690 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
8691 // @5. This is the only Phantom we will have for @5.
8692 6: ArithSub(@5, @3)
8693 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
8694 // a checking edge, we leave it.
8695
8696 This is a slight speed-up across the board, presumably because we now do a better job of
8697 reducing the size of the graph during compilation. It could also be a fluke, though. The
8698 main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
8699 become a requirement to run phantom canonicalization prior to some SSA phases. None of the
8700 current phases need it, but future phases probably will.
8701
8702 * CMakeLists.txt:
8703 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8704 * JavaScriptCore.xcodeproj/project.pbxproj:
8705 * dfg/DFGAbstractInterpreterInlines.h:
8706 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
8707 * dfg/DFGConstantFoldingPhase.cpp:
8708 (JSC::DFG::ConstantFoldingPhase::foldConstants):
8709 * dfg/DFGDCEPhase.cpp:
8710 (JSC::DFG::DCEPhase::run):
8711 (JSC::DFG::DCEPhase::findTypeCheckRoot):
8712 (JSC::DFG::DCEPhase::countEdge):
8713 (JSC::DFG::DCEPhase::fixupBlock):
8714 (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
8715 * dfg/DFGEdge.cpp:
8716 (JSC::DFG::Edge::dump):
8717 * dfg/DFGEdge.h:
8718 (JSC::DFG::Edge::isProved):
8719 (JSC::DFG::Edge::needsCheck): Deleted.
8720 * dfg/DFGNodeFlags.h:
8721 * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
8722 (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
8723 (JSC::DFG::PhantomCanonicalizationPhase::run):
8724 (JSC::DFG::performPhantomCanonicalization):
8725 * dfg/DFGPhantomCanonicalizationPhase.h: Added.
8726 * dfg/DFGPhantomRemovalPhase.cpp:
8727 (JSC::DFG::PhantomRemovalPhase::run):
8728 * dfg/DFGPhantomRemovalPhase.h:
8729 * dfg/DFGPlan.cpp:
8730 (JSC::DFG::Plan::compileInThreadImpl):
8731 * ftl/FTLLowerDFGToLLVM.cpp:
8732 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
8733 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
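
The two canonicalization rules above, carried out on a toy SSA block as an added example; this is not the DFG's own code. It runs the entry's @5/@6/@7 example and a second block with two check-free Phantoms on one node. The node and edge representation, the choice that only Int32 edges count as checking, the id 8 for the new Phantom, and the decision to drop a Check left with no checking edges are all assumptions of this example.

```javascript
// Added example, not JavaScriptCore's DFG code: phantom canonicalization on a
// toy SSA basic block. A node is {id, op, edges}; an edge is {node, useKind}.
// Assumption: 'Int32' is the only use kind that performs a check; 'Untyped'
// edges check nothing.
const CHECKING_USE_KINDS = new Set(['Int32']);

function edge(node, useKind = 'Untyped') {
  return { node, useKind };
}

function isCheckingEdge(e) {
  return CHECKING_USE_KINDS.has(e.useKind);
}

// Rewrites `block` (nodes in program order) so that:
//   - every Phantom becomes a Check carrying only its checking edges
//     (a Check left with no edges is dropped, a simplification chosen here);
//   - every node that was the child of at least one Phantom gets exactly one
//     Untyped Phantom placed immediately after it, so OSR liveness is stated
//     at the definition instead of somewhere else in the graph.
// New nodes take ids starting at `nextId`.
function canonicalizePhantoms(block, nextId) {
  const phantomChildren = new Set();
  for (const node of block) {
    if (node.op !== 'Phantom') continue;
    for (const e of node.edges) phantomChildren.add(e.node);
  }
  const out = [];
  for (const node of block) {
    if (node.op === 'Phantom') {
      const checked = node.edges.filter(isCheckingEdge);
      if (checked.length > 0) out.push({ id: node.id, op: 'Check', edges: checked });
      continue;
    }
    out.push(node);
    if (phantomChildren.has(node)) {
      out.push({ id: nextId++, op: 'Phantom', edges: [edge(node)] });
    }
  }
  return out;
}

// Renders a block in the "id: Op(UseKind:@child, ...)" notation of the entry.
function dump(block) {
  return block.map((n) => {
    const args = n.edges
      .map((e) => (e.useKind === 'Untyped' ? '' : e.useKind + ':') + '@' + e.node.id)
      .join(', ');
    return `${n.id}: ${n.op}(${args})`;
  });
}

// The entry's own example; @1..@3 are stood in by constants (constructed input).
function exampleBlock() {
  const n1 = { id: 1, op: 'JSConstant', edges: [] };
  const n2 = { id: 2, op: 'JSConstant', edges: [] };
  const n3 = { id: 3, op: 'JSConstant', edges: [] };
  const n5 = { id: 5, op: 'ArithAdd', edges: [edge(n1), edge(n2)] };
  const n6 = { id: 6, op: 'ArithSub', edges: [edge(n5), edge(n3)] };
  const n7 = { id: 7, op: 'Phantom', edges: [edge(n5, 'Int32')] };
  return [n1, n2, n3, n5, n6, n7];
}

// Two check-free Phantoms on the same node: both vanish and the child gets a
// single Phantom right after its definition.
function twoPhantomBlock() {
  const n1 = { id: 1, op: 'JSConstant', edges: [] };
  const n2 = { id: 2, op: 'Phantom', edges: [edge(n1)] };
  const n3 = { id: 3, op: 'Phantom', edges: [edge(n1)] };
  return [n1, n2, n3];
}

console.log(dump(canonicalizePhantoms(exampleBlock(), 8)).join('\n'));
```

On the entry's example the output is the block shown above: @8 Phantom(@5) lands directly after @5, and @7 becomes Check(Int32:@5) because its edge carries a check.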
8734
8735 2014-07-22 Filip Pizlo <fpizlo@apple.com>
8736
8737 [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
8738 https://bugs.webkit.org/show_bug.cgi?id=135146
8739
8740 Reviewed by Oliver Hunt.
8741
8742 This greatly simplifies our closure call optimizations by taking advantage of the type
8743 bits available in the cell header.
8744
8745 * bytecode/CallLinkInfo.cpp:
8746 (JSC::CallLinkInfo::visitWeak):
8747 * bytecode/CallLinkStatus.cpp:
8748 (JSC::CallLinkStatus::CallLinkStatus):
8749 (JSC::CallLinkStatus::computeFor):
8750 (JSC::CallLinkStatus::dump):
8751 * bytecode/CallLinkStatus.h:
8752 (JSC::CallLinkStatus::CallLinkStatus):
8753 (JSC::CallLinkStatus::executable):
8754 (JSC::CallLinkStatus::structure): Deleted.
8755 * dfg/DFGByteCodeParser.cpp:
8756 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
8757 * dfg/DFGFixupPhase.cpp:
8758 (JSC::DFG::FixupPhase::fixupNode):
8759 (JSC::DFG::FixupPhase::observeUseKindOnNode):
8760 * dfg/DFGSafeToExecute.h:
8761 (JSC::DFG::SafeToExecuteEdge::operator()):
8762 * dfg/DFGSpeculativeJIT.cpp:
8763 (JSC::DFG::SpeculativeJIT::checkArray):
8764 (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
8765 (JSC::DFG::SpeculativeJIT::speculateCellType):
8766 (JSC::DFG::SpeculativeJIT::speculateFunction):
8767 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
8768 (JSC::DFG::SpeculativeJIT::speculate):
8769 * dfg/DFGSpeculativeJIT.h:
8770 * dfg/DFGSpeculativeJIT32_64.cpp:
8771 (JSC::DFG::SpeculativeJIT::compile):
8772 * dfg/DFGSpeculativeJIT64.cpp:
8773 (JSC::DFG::SpeculativeJIT::compile):
8774 * dfg/DFGUseKind.cpp:
8775 (WTF::printInternal):
8776 * dfg/DFGUseKind.h:
8777 (JSC::DFG::typeFilterFor):
8778 (JSC::DFG::isCell):
8779 * ftl/FTLCapabilities.cpp:
8780 (JSC::FTL::canCompile):
8781 * ftl/FTLLowerDFGToLLVM.cpp:
8782 (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
8783 (JSC::FTL::LowerDFGToLLVM::speculate):
8784 (JSC::FTL::LowerDFGToLLVM::isFunction):
8785 (JSC::FTL::LowerDFGToLLVM::isNotFunction):
8786 (JSC::FTL::LowerDFGToLLVM::speculateFunction):
8787 * jit/ClosureCallStubRoutine.cpp:
8788 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
8789 (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
8790 * jit/ClosureCallStubRoutine.h:
8791 (JSC::ClosureCallStubRoutine::structure): Deleted.
8792 * jit/JIT.h:
8793 (JSC::JIT::compileClosureCall): Deleted.
8794 * jit/JITCall.cpp:
8795 (JSC::JIT::privateCompileClosureCall): Deleted.
8796 * jit/JITCall32_64.cpp:
8797 (JSC::JIT::privateCompileClosureCall): Deleted.
8798 * jit/JITOperations.cpp:
8799 * jit/Repatch.cpp:
8800 (JSC::linkClosureCall):
8801 * jit/Repatch.h:
8802
8803 2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8804
8805 [ARM] Incorrect handling of Unicode characters
8806 https://bugs.webkit.org/show_bug.cgi?id=135380
8807
8808 Reviewed by Darin Adler.
8809
8810 Removed erroneous fast case from stringFromUTF(), since it assumed that
8811 char is always implemented as signed.
8812
8813 * jsc.cpp:
8814 (stringFromUTF):
8815
8816 2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8817
8818 [JSC] Build fix for FTL on EFL after ftlopt merge
8819 https://bugs.webkit.org/show_bug.cgi?id=135565
8820
8821 Reviewed by Mark Lam.
8822
8823 Adding an enable guard for native inlining, since it now requires the bitcode
8824 emitted from Clang, and we don't have a good way of creating it from other compilers.
8825
8826 * dfg/DFGByteCodeParser.cpp:
8827 (JSC::DFG::ByteCodeParser::handleCall):
8828 * ftl/FTLLowerDFGToLLVM.cpp:
8829 (JSC::FTL::LowerDFGToLLVM::compileNode):
8830 * ftl/FTLState.cpp:
8831 (JSC::FTL::State::State):
8832 * ftl/FTLState.h:
8833
8834 2014-08-05 Csaba Osztrogonác <ossy@webkit.org>
8835
8836 URTBF after r172129. (ftlopt branch merge)
8837
8838 Remove the duplicated friend declaration to fix this build failure:
8839 "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
8840
8841 * runtime/StructureRareData.h:
8842
8843 2014-08-05 Filip Pizlo <fpizlo@apple.com>
8844
8845 Attempt to fix CMake-based builds, part 3.
8846
8847 * CMakeLists.txt:
8848
8849 2014-08-05 Filip Pizlo <fpizlo@apple.com>
8850
8851 Attempt to fix CMake-based builds, part 2.
8852
8853 * CMakeLists.txt:
8854
8855 2014-08-05 Filip Pizlo <fpizlo@apple.com>
8856
8857 Attempt to fix Windows build, part 2.
8858
8859 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8860
8861 2014-08-05 Filip Pizlo <fpizlo@apple.com>
8862
8863 Attempt to fix CMake-based builds.
8864
8865 * CMakeLists.txt:
8866
8867 2014-08-05 Filip Pizlo <fpizlo@apple.com>
8868
8869 Attempt to fix Windows build.
8870
8871 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8872
8873 2014-08-05 Filip Pizlo <fpizlo@apple.com>
8874
8875 Fix cloop build.
8876
8877 * bytecode/CodeBlock.cpp:
8878 (JSC::CodeBlock::jettison):
8879
8880 2014-07-29 Filip Pizlo <fpizlo@apple.com>
8881
8882 Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
8883
8884 This part of the merge delivers roughly a 2% across-the-board performance
8885 improvement, mostly due to immutable property inference and DFG-side GCSE. It also
8886 almost completely resolves accessor performance issues; in the common case the DFG
8887 will compile a getter/setter access into code that is just as efficient as a normal
8888 property access.
8889
8890 Another major highlight of this part of the merge is the work to add a type profiler
8891 to the inspector. This work is still on-going but this greatly increases coverage.
8892
8893 Note that this merge fixes a minor bug in the GetterSetter refactoring from
8894 http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
8895 It also adds a new test to tests/stress to cover that bug. That bug was previously only
8896 covered by layout tests.
8897
8898 2014-07-17 Filip Pizlo <fpizlo@apple.com>
8899
8900 [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
8901 https://bugs.webkit.org/show_bug.cgi?id=135019
8902
8903 Reviewed by Oliver Hunt.
8904
8905 Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
8906 has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
8907 different code.
8908
8909 * dfg/DFGNodeType.h:
8910 * dfg/DFGStrengthReductionPhase.cpp:
8911 (JSC::DFG::StrengthReductionPhase::handleNode):
8912 * tests/stress/capture-escape-and-throw.js: Added.
8913 (foo.f):
8914 (foo):
8915 * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
8916 (foo):
8917 (bar):

2014-07-15 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
https://bugs.webkit.org/show_bug.cgi?id=134962

Reviewed by Oliver Hunt.

This removes yet another steady-state-throughput implication of using getters and setters:
if your accessor call is monomorphic then you'll just get a structure check, nothing more.
No more loads to get to the GetterSetter object or the accessor function object.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* runtime/GetterSetter.h:
(JSC::GetterSetter::getterConcurrently):
(JSC::GetterSetter::setGetter):
(JSC::GetterSetter::setterConcurrently):
(JSC::GetterSetter::setSetter):

2014-07-15 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
https://bugs.webkit.org/show_bug.cgi?id=134893

Reviewed by Oliver Hunt.

Replace Identity with Check instead of Phantom. Phantom means that the child of the
Identity should be unconditionally live. The liveness semantics of Identity are such that
if the parents of Identity are live then the child is live. Removing the Identity entirely
preserves such liveness semantics. So, the only thing that should be left behind is the
type check on the child, which is what Check means: do the check but don't keep the child
alive if the check isn't needed.

* dfg/DFGCSEPhase.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheck):

2014-07-13 Filip Pizlo <fpizlo@apple.com>

[ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
https://bugs.webkit.org/show_bug.cgi?id=134677

Reviewed by Sam Weinig.

This removes the old local CSE phase, which was based on manually written backward-search
rules for all of the different kinds of things we cared about, and adds a new local/global
CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
structures used for storing sets of available values. This results in a large reduction in
code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
that this is a significant (~0.7%) throughput improvement.

This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
means that the node being analyzed makes available some value in some DFG node, and that
future attempts to compute that value can simply use that node. In other words, it
establishes an available value mapping of the form value=>node. There are two kinds of
values that can be passed to def():

PureValue. This captures everything needed to determine whether two pure nodes - nodes that
neither read nor write, and produce a value that is a CSE candidate - are identical. It
carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
usually used for things like the arithmetic mode or constant pointer. Passing a
PureValue to def() means that the node produces a value that is valid anywhere that the
node dominates.

HeapLocation. This describes a location in the heap that could be written to or read from.
Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
heap that both serves as part of the "name" of the heap location (together with the
other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
then it means that the values for that location are no longer available.

This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
interpreting the semantics of different DFG node types - that is now almost entirely in
clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
and the LocalCSE rule for turning PutByVal into PutByValAlias.

This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
not a bigger win because LLVM was already giving us most of what we needed in its GVN.
Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
it improves both the quality of the code we generate and the speed with which we generate
it. Also, any future optimizations that depend on GCSE will now be easier to implement.

During the development of this patch I also rationalized some other stuff, like Graph's
ordered traversals - we now have preorder and postorder rather than just "depth first".

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::hash):
(JSC::DFG::AdjacencyList::operator==):
* dfg/DFGBasicBlock.h:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::performLocalCSE):
(JSC::DFG::performGlobalCSE):
(JSC::DFG::CSEPhase::CSEPhase): Deleted.
(JSC::DFG::CSEPhase::run): Deleted.
(JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
(JSC::DFG::CSEPhase::pureCSE): Deleted.
(JSC::DFG::CSEPhase::constantCSE): Deleted.
(JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
(JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
(JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
(JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
(JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
(JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
(JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
(JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
(JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
(JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
(JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
(JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
(JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
(JSC::DFG::CSEPhase::setReplacement): Deleted.
(JSC::DFG::CSEPhase::eliminate): Deleted.
(JSC::DFG::CSEPhase::performNodeCSE): Deleted.
(JSC::DFG::CSEPhase::performBlockCSE): Deleted.
(JSC::DFG::performCSE): Deleted.
* dfg/DFGCSEPhase.h:
* dfg/DFGClobberSet.cpp:
(JSC::DFG::addReads):
(JSC::DFG::addWrites):
(JSC::DFG::addReadsAndWrites):
(JSC::DFG::readsOverlap):
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.cpp:
(JSC::DFG::doesWrites):
(JSC::DFG::accessesOverlap):
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::NoOpClobberize::operator()):
(JSC::DFG::CheckClobberize::operator()):
(JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
(JSC::DFG::ReadMethodClobberize::operator()):
(JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
(JSC::DFG::WriteMethodClobberize::operator()):
(JSC::DFG::DefMethodClobberize::DefMethodClobberize):
(JSC::DFG::DefMethodClobberize::operator()):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::getBlocksInPreOrder):
(JSC::DFG::Graph::getBlocksInPostOrder):
(JSC::DFG::Graph::addForDepthFirstSort): Deleted.
(JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGHeapLocation.cpp: Added.
(JSC::DFG::HeapLocation::dump):
(WTF::printInternal):
* dfg/DFGHeapLocation.h: Added.
(JSC::DFG::HeapLocation::HeapLocation):
(JSC::DFG::HeapLocation::operator!):
(JSC::DFG::HeapLocation::kind):
(JSC::DFG::HeapLocation::heap):
(JSC::DFG::HeapLocation::base):
(JSC::DFG::HeapLocation::index):
(JSC::DFG::HeapLocation::hash):
(JSC::DFG::HeapLocation::operator==):
(JSC::DFG::HeapLocation::isHashTableDeletedValue):
(JSC::DFG::HeapLocationHash::hash):
(JSC::DFG::HeapLocationHash::equal):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* dfg/DFGNode.h:
(JSC::DFG::Node::replaceWith):
(JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPureValue.cpp: Added.
(JSC::DFG::PureValue::dump):
* dfg/DFGPureValue.h: Added.
(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::operator!):
(JSC::DFG::PureValue::op):
(JSC::DFG::PureValue::children):
(JSC::DFG::PureValue::info):
(JSC::DFG::PureValue::hash):
(JSC::DFG::PureValue::operator==):
(JSC::DFG::PureValue::isHashTableDeletedValue):
(JSC::DFG::PureValueHash::hash):
(JSC::DFG::PureValueHash::equal):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
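
The def()/read()/write() scheme in the entry above, shown as a toy local CSE. This is an added example, not code from JavaScriptCore: the abstract heaps, the node kinds, the `clobberize` template and the sample block are all constructed for the demo, and the real phase handles many more node types, hashing, and the SSA/global case. What it shows is the division of labour the entry describes: `clobberize` is the only place that knows what a node reads, writes and defs, while the CSE loop only maintains the PureValue=>node and HeapLocation=>node maps and drops heap entries whose abstract heap overlaps a write.

```cpp
// Added example (not JSC code): a toy local CSE whose only knowledge of node semantics comes from
// a clobberize()-style read()/write()/def() callback. Heaps, ops and the block are constructed.
#include <cstdint>
#include <map>
#include <tuple>
#include <vector>

// Hypothetical abstract heaps; World overlaps every other heap.
enum class Heap { World, NamedProperties };
static bool heapsOverlap(Heap a, Heap b) { return a == Heap::World || b == Heap::World || a == b; }

enum class Op { Constant, Arg, Add, GetByOffset, PutByOffset, Call };

struct Node {
    int id;
    Op op;
    std::vector<int> children; // ids of child nodes
    int64_t info;              // constant value, argument index, or property offset
};

// Keys of the two value=>node maps, mirroring PureValue and HeapLocation.
using PureValue    = std::tuple<Op, std::vector<int>, int64_t>; // (op, children, meta-data)
using HeapLocation = std::tuple<Heap, int, int64_t>;            // (heap, base node, offset)

// The only place node semantics live: what each op reads, writes and defs.
template<typename Read, typename Write, typename DefPure, typename DefHeap>
static void clobberize(const Node& n, Read read, Write write, DefPure defPure, DefHeap defHeap) {
    switch (n.op) {
    case Op::Constant:
    case Op::Arg:
    case Op::Add:
        defPure(PureValue{n.op, n.children, n.info});
        break;
    case Op::GetByOffset:
        read(Heap::NamedProperties);
        defHeap(HeapLocation{Heap::NamedProperties, n.children[0], n.info}, n.id);
        break;
    case Op::PutByOffset:
        write(Heap::NamedProperties); // clobber first, then publish the stored value
        defHeap(HeapLocation{Heap::NamedProperties, n.children[0], n.info}, n.children[1]);
        break;
    case Op::Call:
        read(Heap::World);
        write(Heap::World);
        break;
    }
}

// Returns eliminated node id => node that replaces it.
static std::map<int, int> performLocalCSE(const std::vector<Node>& block) {
    std::map<PureValue, int> pureMap;
    std::map<HeapLocation, int> heapMap;
    std::map<int, int> replacements;
    for (const Node& original : block) {
        // Substitute already-eliminated children so equal values get equal keys.
        Node n = original;
        for (int& child : n.children) if (replacements.count(child)) child = replacements.at(child);
        auto read = [](Heap) { /* a read never changes what is available */ };
        auto write = [&](Heap written) {
            for (auto it = heapMap.begin(); it != heapMap.end();) {
                if (heapsOverlap(written, std::get<0>(it->first))) it = heapMap.erase(it);
                else ++it;
            }
        };
        auto defPure = [&](const PureValue& value) {
            auto it = pureMap.find(value);
            if (it != pureMap.end()) replacements[n.id] = it->second; // same pure value seen before
            else pureMap[value] = n.id;
        };
        auto defHeap = [&](const HeapLocation& loc, int valueNode) {
            auto it = heapMap.find(loc);
            if (n.op == Op::GetByOffset && it != heapMap.end()) replacements[n.id] = it->second;
            else heapMap[loc] = valueNode; // a store, or the first load of this location
        };
        clobberize(n, read, write, defPure, defHeap);
    }
    return replacements;
}

// Constructed sample block; ids double as node names.
static std::map<int, int> runExample() {
    std::vector<Node> block = {
        {1,  Op::Constant,    {},     1},
        {2,  Op::Constant,    {},     2},
        {3,  Op::Add,         {1, 2}, 0},
        {4,  Op::Add,         {1, 2}, 0}, // pure CSE: replaced by 3
        {5,  Op::Arg,         {},     0}, // the object o
        {6,  Op::GetByOffset, {5},    0}, // o.f
        {7,  Op::GetByOffset, {5},    0}, // load CSE: replaced by 6
        {8,  Op::Add,         {7, 2}, 0},
        {9,  Op::Add,         {6, 2}, 0}, // equal to 8 once 7 is substituted by 6
        {10, Op::PutByOffset, {5, 3}, 0}, // o.f = 3: clobbers NamedProperties, defs the location
        {11, Op::GetByOffset, {5},    0}, // store-to-load forwarding: replaced by 3
        {12, Op::Call,        {5},    0}, // writes World: no heap location survives
        {13, Op::GetByOffset, {5},    0}, // must stay
        {14, Op::Add,         {1, 2}, 0}, // pure values survive the call: replaced by 3
    };
    return performLocalCSE(block);
}
```

Running `runExample()` yields the replacement map {4=>3, 7=>6, 9=>8, 11=>3, 14=>3}; node 13 survives because the Call wrote World, and node 14 is still eliminated because a PureValue is valid anywhere its defining node dominates, regardless of intervening writes. In the real phase a forwarded store value would additionally carry the type checks the load implied; the toy skips that.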

2014-07-13 Filip Pizlo <fpizlo@apple.com>

Unreviewed, revert unintended change in r171051.

* dfg/DFGCSEPhase.cpp:

2014-07-08 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
https://bugs.webkit.org/show_bug.cgi?id=134739

Reviewed by Mark Hahnenberg.

I'm going to streamline CSE around clobberize() as part of
https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
means that it belongs in StrengthReductionPhase, since that's intended to be our
dumping ground.

To do this I had to add some missing smarts to clobberize(). Previously clobberize()
could play a bit loose with reads of Variables because it wasn't used for store
elimination. The main client of read() was LICM, but it would only use it to
determine hoistability and anything that did a write() was not hoistable - so, we had
benign (but still wrong) missing read() calls in places that did write()s. This fixes
a bunch of those cases.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
* dfg/DFGClobberize.cpp:
(JSC::DFG::accessesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().

2014-07-08 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Phantom simplification should be in its own phase
https://bugs.webkit.org/show_bug.cgi?id=134742

Reviewed by Geoffrey Garen.

This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
SSA.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAdjacencyList.h:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::run):
(JSC::DFG::CSEPhase::setReplacement):
(JSC::DFG::CSEPhase::eliminate):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
* dfg/DFGPhantomRemovalPhase.cpp: Added.
(JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
(JSC::DFG::PhantomRemovalPhase::run):
(JSC::DFG::performCleanUp):
* dfg/DFGPhantomRemovalPhase.h: Added.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):

2014-07-08 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
https://bugs.webkit.org/show_bug.cgi?id=134730

Reviewed by Mark Lam.

This will allow for a better GCSE implementation.

* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setReplacement):
* dfg/DFGEdgeDominates.h:
(JSC::DFG::EdgeDominates::operator()):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::clearReplacements):
(JSC::DFG::Graph::initializeNodeOwners):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::performSubstitutionForEdge):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):

2014-07-04 Filip Pizlo <fpizlo@apple.com>

[ftlopt] Infer immutable object properties
https://bugs.webkit.org/show_bug.cgi?id=134567

Reviewed by Mark Hahnenberg.

This introduces a new way of inferring immutable object properties. A property is said to
be immutable if after its creation (i.e. the transition that creates it), we never
overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
directly and not on a prototype. More specifically, the immutability inference will prove
that a property on some structure is immutable. This means that, for example, we may have a
structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
mutable. This is mainly for convenience; it allows us to decouple immutability logic from
transition logic. Immutability can be used to constant-fold accesses to objects at
DFG-time. The DFG needs to prove the following to constant-fold the access:

- The base of the access must be a constant object pointer. We prove that a property at a
structure is immutable, but that says nothing of its value; each actual instance of that
property may have a different value. So, a constant object pointer is needed to get an
actual constant instance of the immutable value.

- A check (or watchpoint) must have been emitted proving that the object has a structure
that allows loading the property in question.

- The replacement watchpoint set of the property in the structure that we've proven the
object to have is still valid and we add a watchpoint to it lazily. The replacement
watchpoint set is the key new mechanism that this change adds. It's possible that we have
proven that the object has one of many structures, in which case each of those structures
needs a valid replacement watchpoint set.

The replacement watchpoint set is created the first time that any access to the property is
cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
get cache will create the watchpoint set and make it start watching. Any non-cached put
access will invalidate the watchpoint set if one had been created; the underlying algorithm
ensures that checking for the existence of a replacement watchpoint set is very fast in the
common case. This algorithm ensures that no cached access needs to ever do any work to
invalidate, or check the validity of, any replacement watchpoint sets. It also has some
other nice properties:

- It's very robust in its definition of immutability. The strictest that it will ever be is
that for any instance of the object, the property must be written to only once,
specifically at the time that the property is created. But it's looser than this in
practice. For example, the property may be written to any number of times before we add
the final property that the object will have before anyone reads the property; this works
since for optimization purposes we only care if we detect immutability on the structure
that the object will have when it is most frequently read from, not any previous
structure that the object had. Also, we may write to the property any number of times
before anyone caches accesses to it.

- It is mostly orthogonal to structure transitions. No new structures need to be created to
track the immutability of a property. Hence, there is no risk from this feature causing
more polymorphism. This is different from the previous "specificValue" constant
inference, which did cause additional structures to be created and sometimes those
structures led to fake polymorphism. This feature does leverage existing transitions to
do some of the watchpointing: property deletions don't fire the replacement watchpoint
set because that would cause a new structure and so the mandatory structure check would
fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
this feature to be enabled.

- No memory overhead is incurred except when accesses to the property are cached.
Dictionary properties will typically have no meta-data for immutability. The number of
replacement watchpoint sets we allocate is proportional to the number of inline caches in
the program, which is typically much smaller than the number of structures or even the
number of objects.

This inference is far more powerful than the previous "specificValue" inference, so this
change also removes all of that code. It's interesting that the amount of code that is
changed to remove that feature is almost as big as the amount of code added to support the
new inference - and that's if you include the new tests in the tally. Without new tests,
it appears that the new feature actually touches less code!

There is one corner case where the previous "specificValue" inference was more powerful.
You can imagine someone creating objects with functions as self properties on those
objects, such that each object instance had the same function pointers - essentially,
someone might be trying to create a vtable but failing at the whole "one vtable for many
instances" concept. The "specificValue" inference would do very well for such programs,
because a structure check would be sufficient to prove a constant value for all of the
function properties. This new inference will fail because it doesn't track the constant
values of constant properties; instead it detects the immutability of otherwise variable
properties (in the sense that each instance of the property may have a different value).
So, the new inference requires having a particular object instance to actually get the
constant value. I think it's OK to lose this antifeature. It took a lot of code to support
and was a constant source of grief in our transition logic, and there doesn't appear to be
any real evidence that programs benefited from that particular kind of inference since
usually it's the singleton prototype instance that has all of the functions.

This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
one case.

* bytecode/ComplexGetStatus.cpp:
(JSC::ComplexGetStatus::computeFor):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::attemptToMerge):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::alternateBase):
(JSC::GetByIdVariant::specificValue): Deleted.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::operator=):
(JSC::PutByIdVariant::setter):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::specificValue): Deleted.
* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::fireAllSlow):
(JSC::WatchpointSet::fireAll): Deleted.
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::fireAll):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGGraph.h:
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::mayInterceptStoreTo):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::defaultValue):
(JSC::getCallableObjectSlow): Deleted.
(JSC::JSObject::getPropertySpecificValue): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectOffset):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putDirect):
(JSC::JSObject::putDirectWithoutTransition):
(JSC::getCallableObject): Deleted.
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyMapEntry::PropertyMapEntry):
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
(JSC::PropertyTable::visitChildren): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransitionToExistingStructureImpl):
(JSC::Structure::addPropertyTransitionToExistingStructure):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::allocateRareData):
(JSC::Structure::ensurePropertyReplacementWatchpointSet):
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::didCachePropertyReplacement):
(JSC::Structure::startWatchingInternalProperties):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::getConcurrently):
(JSC::Structure::get):
(JSC::Structure::add):
(JSC::Structure::visitChildren):
(JSC::Structure::prototypeChainMayInterceptStoreTo):
(JSC::Structure::dump):
(JSC::Structure::despecifyDictionaryFunction): Deleted.
(JSC::Structure::despecifyFunctionTransition): Deleted.
(JSC::Structure::despecifyFunction): Deleted.
(JSC::Structure::despecifyAllFunctions): Deleted.
(JSC::Structure::putSpecificValue): Deleted.
* runtime/Structure.h:
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::startWatchingInternalPropertiesIfNecessary):
(JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
(JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
(JSC::Structure::disableSpecificFunctionTracking): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::getConcurrently):
(JSC::Structure::didReplaceProperty):
(JSC::Structure::propertyReplacementWatchpointSet):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::destroy):
* runtime/StructureRareData.h:
* tests/stress/infer-constant-global-property.js: Added.
(foo.Math.sin):
(foo):
* tests/stress/infer-constant-property.js: Added.
(foo):
* tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
(foo):
(bar):
* tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
(foo):
(bar):
* tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
(foo):
(bar):
* tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
(foo):
(bar):
* tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
(foo):
(bar):
* tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
(foo):
(bar):
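
The replacement watchpoint set protocol from the entry above, as an added example that is not JavaScriptCore's code. The method names `startWatchingPropertyForReplacements`, `didCachePropertyReplacement`, `didReplaceProperty` and `tryGetConstantProperty` are borrowed from the file list so the model reads like the entry, but their bodies, the `Structure`, `Object` and `Folded` types, the three-state `WatchState`, and every scenario are constructed here; structure transitions, deletion, dictionaries and the lazy addition of the DFG's own watchpoint are deliberately left out. The scenarios cover the cases the entry enumerates: writes before any cache are free, a cached get makes the property foldable, an uncached overwrite after that fires the set, a put-replace cache leaves the set invalidated, and no cache means no metadata.

```cpp
// Added example (not JSC code): toy model of the replacement watchpoint sets described above,
// showing when a property access may be constant-folded. All names here are constructed.
#include <map>
#include <string>

// Three states of a watchpoint set: not yet watched, watched, or fired.
enum class WatchState { Clear, Watched, Invalidated };

struct Structure {
    // Replacement watchpoint sets are created lazily, the first time an access to the
    // property is cached; a structure nobody caches against carries no entries at all.
    std::map<std::string, WatchState> replacementSets;

    WatchState& ensureReplacementSet(const std::string& name) {
        auto it = replacementSets.find(name);
        if (it == replacementSets.end()) it = replacementSets.emplace(name, WatchState::Clear).first;
        return it->second;
    }
    // A get cache starts watching, unless the set was already invalidated.
    void startWatchingPropertyForReplacements(const std::string& name) {
        WatchState& s = ensureReplacementSet(name);
        if (s == WatchState::Clear) s = WatchState::Watched;
    }
    // A put-replace cache creates the set and invalidates it at once, so the cached
    // put itself never has to touch the set again.
    void didCachePropertyReplacement(const std::string& name) {
        ensureReplacementSet(name) = WatchState::Invalidated;
    }
    // Any uncached put that overwrites an existing property: one lookup, fire if present.
    void didReplaceProperty(const std::string& name) {
        auto it = replacementSets.find(name);
        if (it != replacementSets.end()) it->second = WatchState::Invalidated;
    }
    bool replacementIsWatched(const std::string& name) const {
        auto it = replacementSets.find(name);
        return it != replacementSets.end() && it->second == WatchState::Watched;
    }
};

struct Object {
    Structure* structure;
    std::map<std::string, int> slots; // property name => value
    // Uncached put: creating the property never fires; overwriting it does.
    void put(const std::string& name, int value) {
        if (slots.count(name)) structure->didReplaceProperty(name);
        slots[name] = value;
    }
};

struct Folded { bool ok; int value; };

// The DFG-side check: constant base, proven structure, and a still-watched replacement set.
static Folded tryGetConstantProperty(const Object* constantBase, const Structure* provenStructure,
                                     const std::string& name) {
    if (!constantBase || constantBase->structure != provenStructure) return {false, 0};
    if (!provenStructure->replacementIsWatched(name)) return {false, 0};
    auto it = constantBase->slots.find(name);
    if (it == constantBase->slots.end()) return {false, 0};
    return {true, it->second};
}

// Writes before any cache exists cost nothing; a cached get then makes o.f foldable.
static Folded foldWithWatchedSet() {
    Structure s;
    Object o{&s, {}};
    o.put("f", 1);
    o.put("f", 2);                               // overwrite, but no set exists yet
    s.startWatchingPropertyForReplacements("f"); // a get_by_id cache is built
    return tryGetConstantProperty(&o, &s, "f");  // folds to 2
}

// An uncached overwrite after the cache fires the set; folding must stop.
static Folded foldAfterUncachedOverwrite() {
    Structure s;
    Object o{&s, {}};
    o.put("f", 1);
    s.startWatchingPropertyForReplacements("f");
    o.put("f", 3);
    return tryGetConstantProperty(&o, &s, "f");
}

// A put-replace cache leaves the set invalidated, so a later get cache cannot revive it.
static Folded foldAfterPutReplaceCache() {
    Structure s;
    Object o{&s, {}};
    o.put("f", 1);
    s.didCachePropertyReplacement("f");
    s.startWatchingPropertyForReplacements("f");
    return tryGetConstantProperty(&o, &s, "f");
}

// With no cached access there is no metadata and nothing to fold.
static bool noCacheMeansNoMetadata() {
    Structure s;
    Object o{&s, {}};
    o.put("f", 1);
    return s.replacementSets.empty() && !tryGetConstantProperty(&o, &s, "f").ok;
}
```

The point to notice is where the work lands: cached gets and puts touch the set exactly once when they are built, uncached overwrites pay one map lookup, and the fold itself only reads the state. Deletion is not modelled because, as the entry says, it changes the structure and so already fails the structure check that precedes this test.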

2014-07-03 Saam Barati <sbarati@apple.com>

Add more coverage for the profile_types_with_high_fidelity op code.
https://bugs.webkit.org/show_bug.cgi?id=134616

Reviewed by Filip Pizlo.

More operations are now being recorded by the profile_types_with_high_fidelity
opcode. Specifically: function parameters, function return values,
function 'this' value, get_by_id, get_by_value, resolve nodes, function return
values at the call site. Added more flags to the profile_types_with_high_fidelity
opcode so more focused tasks can take place when the instruction is
being linked in CodeBlock. Re-worked the type profiler to search
through character offset ranges when asked for the type of an expression
at a given offset. Removed redundant calls to Structure::toStructureShape
in HighFidelityLog and TypeSet by caching calls based on StructureID.

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::returnStatementTypeSet):
* bytecode/TypeLocation.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
(JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
* bytecode/UnlinkedCodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutToScopeWithProfile):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getFromScopeCommon):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
(JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::recordTypeInformationForLocation):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::findLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
* runtime/HighFidelityTypeProfiler.h:
(JSC::LocationKey::LocationKey): Deleted.
(JSC::LocationKey::hash): Deleted.
(JSC::LocationKey::operator==): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
* runtime/TypeSet.h:
(JSC::StructureShape::setConstructorName):
* runtime/VM.cpp:
(JSC::VM::getTypesForVariableAtOffset):
(JSC::VM::dumpHighFidelityProfilingTypes):
(JSC::VM::getTypesForVariableInRange): Deleted.
* runtime/VM.h:
9581
9582 2014-07-04 Filip Pizlo <fpizlo@apple.com>
9583
9584 [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
9585 https://bugs.webkit.org/show_bug.cgi?id=134642
9586
9587 Rubber stamped by Andreas Kling.
9588
9589 * ftl/FTLLowerDFGToLLVM.cpp:
9590 (JSC::FTL::LowerDFGToLLVM::compileNode):
9591
9592 2014-07-01 Filip Pizlo <fpizlo@apple.com>
9593
9594 [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
9595 https://bugs.webkit.org/show_bug.cgi?id=134518
9596
9597 Reviewed by Mark Hahnenberg.
9598
9599 This has no real effect right now, particularly since almost all uses of
9600 setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
9601 doing more aggressive constant property inference, this change will allow us to remove
9602 all runtime checks from getter/setter calls.
9603
9604 * runtime/GetterSetter.cpp:
9605 (JSC::GetterSetter::withGetter):
9606 (JSC::GetterSetter::withSetter):
9607 * runtime/GetterSetter.h:
9608 (JSC::GetterSetter::setGetter):
9609 (JSC::GetterSetter::setSetter):
9610 * runtime/JSObject.cpp:
9611 (JSC::JSObject::defineOwnNonIndexProperty):
9612
9613 2014-07-02 Filip Pizlo <fpizlo@apple.com>
9614
9615 [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
9616
9617 Rubber stamped by Mark Hahnenberg.
9618
9619 * runtime/Structure.cpp:
9620 (JSC::Structure::Structure):
9621 (JSC::Structure::nonPropertyTransition):
9622 (JSC::Structure::didTransitionFromThisStructure):
9623 (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
9624 * runtime/Structure.h:
9625
9626 2014-07-02 Filip Pizlo <fpizlo@apple.com>
9627
9628 [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
9629
9630 Rubber stamped by Mark Hahnenberg.
9631
9632 * runtime/Structure.cpp:
9633 (JSC::Structure::Structure):
9634 (JSC::Structure::cloneRareDataFrom): Deleted.
9635 * runtime/Structure.h:
9636 * runtime/StructureRareData.cpp:
9637 (JSC::StructureRareData::clone): Deleted.
9638 (JSC::StructureRareData::StructureRareData): Deleted.
9639 * runtime/StructureRareData.h:
9640 (JSC::StructureRareData::needsCloning): Deleted.
9641
9642 2014-07-01 Mark Lam <mark.lam@apple.com>
9643
9644 [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
9645 <https://webkit.org/b/134420>
9646
9647 Reviewed by Geoffrey Garen.
9648
9649 Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
9650 peers) which the WebInspector will use to introspect CallFrame variables.
9651 Instead, we should be returning a DebuggerScope as an abstraction layer that
9652 provides the introspection functionality that the WebInspector needs. This
9653 is the first step towards not forcing every frame to have a JSActivation
9654 object just because the debugger is enabled.
9655
9656 1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
9657 instead of the VM. This allows JSObject::globalObject() to be able to
9658 return the global object for the DebuggerScope.
9659
9660 2. On the DebuggerScope's life-cycle management:
9661
9662 The DebuggerCallFrame is designed to be "valid" only during a debugging session
9663 (while the debugger is broken) through the use of a DebuggerCallFrameScope in
9664 Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the
9665 DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
9666 We can't guarantee (from this code alone) that the Inspector code isn't still
9667 holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
9668 the frame will be invalidated, and any attempt to query it will return null values.
9669 This is pre-existing behavior.
9670
9671 Now, we're adding the DebuggerScope into the picture. While a single debugger
9672 pause session is in progress, the Inspector may request the scope from the
9673 DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want
9674 DebuggerCallFrame::scope() to always return the same DebuggerScope object.
9675 This is why we hold on to the DebuggerScope with a strong ref.
9676
9677 If we use a weak ref instead, the following kooky behavior can manifest:
9678 1. The Inspector calls Debugger::scope() to get the top scope.
9679 2. The Inspector iterates down the scope chain and is now only holding a
9680 reference to a parent scope. It is no longer referencing the top scope.
9681 3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
9682 gets cleared.
9683 4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
9684 a different DebuggerScope instance.
9685 5. The Inspector iterates down the scope chain but never sees the parent scope
9686 instance that it retained a ref to in step 2 above. This is because when iterating
9687 this new DebuggerScope instance (which has no knowledge of the previous parent
9688 DebuggerScope instance), a new DebuggerScope instance will get created for the
9689 same parent scope.
9690
9691 Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
9692 However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
9693 When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
9694 instantiated) will also get invalidated. This is why we need the
9695 DebuggerScope::invalidateChain() method. The Inspector should not be using the
9696 DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does,
9697 those methods will do nothing or return a failed status.
9698
9699 * debugger/Debugger.h:
9700 * debugger/DebuggerCallFrame.cpp:
9701 (JSC::DebuggerCallFrame::scope):
9702 (JSC::DebuggerCallFrame::evaluate):
9703 (JSC::DebuggerCallFrame::invalidate):
9704 (JSC::DebuggerCallFrame::vm):
9705 (JSC::DebuggerCallFrame::lexicalGlobalObject):
9706 * debugger/DebuggerCallFrame.h:
9707 * debugger/DebuggerScope.cpp:
9708 (JSC::DebuggerScope::DebuggerScope):
9709 (JSC::DebuggerScope::finishCreation):
9710 (JSC::DebuggerScope::visitChildren):
9711 (JSC::DebuggerScope::className):
9712 (JSC::DebuggerScope::getOwnPropertySlot):
9713 (JSC::DebuggerScope::put):
9714 (JSC::DebuggerScope::deleteProperty):
9715 (JSC::DebuggerScope::getOwnPropertyNames):
9716 (JSC::DebuggerScope::defineOwnProperty):
9717 (JSC::DebuggerScope::next):
9718 (JSC::DebuggerScope::invalidateChain):
9719 (JSC::DebuggerScope::isWithScope):
9720 (JSC::DebuggerScope::isGlobalScope):
9721 (JSC::DebuggerScope::isFunctionScope):
9722 * debugger/DebuggerScope.h:
9723 (JSC::DebuggerScope::create):
9724 (JSC::DebuggerScope::Iterator::Iterator):
9725 (JSC::DebuggerScope::Iterator::get):
9726 (JSC::DebuggerScope::Iterator::operator++):
9727 (JSC::DebuggerScope::Iterator::operator==):
9728 (JSC::DebuggerScope::Iterator::operator!=):
9729 (JSC::DebuggerScope::isValid):
9730 (JSC::DebuggerScope::jsScope):
9731 (JSC::DebuggerScope::begin):
9732 (JSC::DebuggerScope::end):
9733 * inspector/JSJavaScriptCallFrame.cpp:
9734 (Inspector::JSJavaScriptCallFrame::scopeType):
9735 (Inspector::JSJavaScriptCallFrame::scopeChain):
9736 * inspector/JavaScriptCallFrame.h:
9737 (Inspector::JavaScriptCallFrame::scopeChain):
9738 * inspector/ScriptDebugServer.cpp:
9739 * runtime/JSGlobalObject.cpp:
9740 (JSC::JSGlobalObject::reset):
9741 (JSC::JSGlobalObject::visitChildren):
9742 * runtime/JSGlobalObject.h:
9743 (JSC::JSGlobalObject::debuggerScopeStructure):
9744 * runtime/JSObject.h:
9745 (JSC::JSObject::isWithScope):
9746 * runtime/JSScope.h:
9747 * runtime/VM.cpp:
9748 (JSC::VM::VM):
9749 * runtime/VM.h:
9750
9751 2014-07-01 Filip Pizlo <fpizlo@apple.com>
9752
9753 [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
9754 https://bugs.webkit.org/show_bug.cgi?id=130756
9755
9756 Reviewed by Oliver Hunt.
9757
9758 This enables exposing the call to setters in the DFG, and then inlining it. Previously we
9759 already supported inlined-cached calls to setters from within put_by_id inline caches,
9760 and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG
9761 will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
9762 better and inline the call.
9763
9764 A lot of the core functionality was already available from the previous work to inline
9765 getters. So, there are some refactorings in this patch that move preexisting
9766 functionality around. For example, the work to figure out how the DFG should go about
9767 getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
9768 the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
9769 PutByIdStatus use it. This means that we can keep the safety checks common. This patch
9770 also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
9771 handleCall() for all of the various kinds of calls we can now emit.
9772
9773 83% speed-up on getter-richards, 2% speed-up on box2d.
9774
9775 * CMakeLists.txt:
9776 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9777 * JavaScriptCore.xcodeproj/project.pbxproj:
9778 * bytecode/ComplexGetStatus.cpp: Added.
9779 (JSC::ComplexGetStatus::computeFor):
9780 * bytecode/ComplexGetStatus.h: Added.
9781 (JSC::ComplexGetStatus::ComplexGetStatus):
9782 (JSC::ComplexGetStatus::skip):
9783 (JSC::ComplexGetStatus::takesSlowPath):
9784 (JSC::ComplexGetStatus::kind):
9785 (JSC::ComplexGetStatus::attributes):
9786 (JSC::ComplexGetStatus::specificValue):
9787 (JSC::ComplexGetStatus::offset):
9788 (JSC::ComplexGetStatus::chain):
9789 * bytecode/GetByIdStatus.cpp:
9790 (JSC::GetByIdStatus::computeForStubInfo):
9791 * bytecode/GetByIdVariant.cpp:
9792 (JSC::GetByIdVariant::GetByIdVariant):
9793 * bytecode/PolymorphicPutByIdList.h:
9794 (JSC::PutByIdAccess::PutByIdAccess):
9795 (JSC::PutByIdAccess::setter):
9796 (JSC::PutByIdAccess::structure):
9797 (JSC::PutByIdAccess::chainCount):
9798 * bytecode/PutByIdStatus.cpp:
9799 (JSC::PutByIdStatus::computeFromLLInt):
9800 (JSC::PutByIdStatus::computeFor):
9801 (JSC::PutByIdStatus::computeForStubInfo):
9802 (JSC::PutByIdStatus::makesCalls):
9803 * bytecode/PutByIdStatus.h:
9804 (JSC::PutByIdStatus::makesCalls): Deleted.
9805 * bytecode/PutByIdVariant.cpp:
9806 (JSC::PutByIdVariant::PutByIdVariant):
9807 (JSC::PutByIdVariant::operator=):
9808 (JSC::PutByIdVariant::replace):
9809 (JSC::PutByIdVariant::transition):
9810 (JSC::PutByIdVariant::setter):
9811 (JSC::PutByIdVariant::writesStructures):
9812 (JSC::PutByIdVariant::reallocatesStorage):
9813 (JSC::PutByIdVariant::makesCalls):
9814 (JSC::PutByIdVariant::dumpInContext):
9815 * bytecode/PutByIdVariant.h:
9816 (JSC::PutByIdVariant::PutByIdVariant):
9817 (JSC::PutByIdVariant::structure):
9818 (JSC::PutByIdVariant::oldStructure):
9819 (JSC::PutByIdVariant::alternateBase):
9820 (JSC::PutByIdVariant::specificValue):
9821 (JSC::PutByIdVariant::callLinkStatus):
9822 (JSC::PutByIdVariant::replace): Deleted.
9823 (JSC::PutByIdVariant::transition): Deleted.
9824 * dfg/DFGByteCodeParser.cpp:
9825 (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
9826 (JSC::DFG::ByteCodeParser::addCall):
9827 (JSC::DFG::ByteCodeParser::handleCall):
9828 (JSC::DFG::ByteCodeParser::handleInlining):
9829 (JSC::DFG::ByteCodeParser::handleGetById):
9830 (JSC::DFG::ByteCodeParser::handlePutById):
9831 (JSC::DFG::ByteCodeParser::parseBlock):
9832 * jit/Repatch.cpp:
9833 (JSC::tryCachePutByID):
9834 (JSC::tryBuildPutByIdList):
9835 * runtime/IntendedStructureChain.cpp:
9836 (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
9837 * runtime/IntendedStructureChain.h:
9838 * tests/stress/exit-from-setter.js: Added.
9839 * tests/stress/poly-chain-setter.js: Added.
9840 (Cons):
9841 (foo):
9842 (test):
9843 * tests/stress/poly-chain-then-setter.js: Added.
9844 (Cons1):
9845 (Cons2):
9846 (foo):
9847 (test):
9848 * tests/stress/poly-setter-combo.js: Added.
9849 (Cons1):
9850 (Cons2):
9851 (foo):
9852 (test):
9853 (.test):
9854 * tests/stress/poly-setter-then-self.js: Added.
9855 (foo):
9856 (test):
9857 (.test):
9858 * tests/stress/weird-setter-counter.js: Added.
9859 (foo):
9860 (test):
9861 * tests/stress/weird-setter-counter-syntactic.js: Added.
9862 (foo):
9863 (test):
9864
9865 2014-07-01 Matthew Mirman <mmirman@apple.com>
9866
9867 Added an implementation of the "in" check to FTL.
9868 https://bugs.webkit.org/show_bug.cgi?id=134508
9869
9870 Reviewed by Filip Pizlo.
9871
9872 * ftl/FTLCapabilities.cpp: enabled compilation for "in"
9873 (JSC::FTL::canCompile): ditto
9874 * ftl/FTLCompile.cpp:
9875 (JSC::FTL::generateCheckInICFastPath): added.
9876 (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
9877 * ftl/FTLInlineCacheDescriptor.h:
9878 (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
9879 (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
9880 * ftl/FTLInlineCacheSize.cpp:
9881 (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
9882 * ftl/FTLInlineCacheSize.h: ditto
9883 * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
9884 * ftl/FTLLowerDFGToLLVM.cpp:
9885 (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
9886 (JSC::FTL::LowerDFGToLLVM::compileIn): added.
9887 * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
9888 (JSC::FTL::callOperation): ditto
9889 * ftl/FTLSlowPathCall.h: ditto
9890 * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
9891 * jit/JITOperations.h: made operationIns internal.
9892 * tests/stress/ftl-checkin.js: Added.
9893 * tests/stress/ftl-checkin-variable.js: Added.
9894
9895 2014-06-30 Mark Hahnenberg <mhahnenberg@apple.com>
9896
9897 CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
9898 https://bugs.webkit.org/show_bug.cgi?id=134455
9899
9900 Reviewed by Geoffrey Garen.
9901
9902 Otherwise we get hanging pointers which can cause us to die later.
9903
9904 * bytecode/CodeBlock.cpp:
9905 (JSC::CodeBlock::stronglyVisitWeakReferences):
9906
9907 2014-06-27 Filip Pizlo <fpizlo@apple.com>
9908
9909 [ftlopt] Reduce the GC's influence on optimization decisions
9910 https://bugs.webkit.org/show_bug.cgi?id=134427
9911
9912 Reviewed by Oliver Hunt.
9913
9914 This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
9915 while trying to make the GC keep more structures alive
9916 (https://bugs.webkit.org/show_bug.cgi?id=128072).
9917
9918 The fixes are, roughly:
9919
9920 - If the GC clears an inline cache, then this no longer causes the IC to be forever
9921 polymorphic.
9922
9923 - If we exit in inlined code into a function that tries to OSR enter, then we jettison
9924 sooner.
9925
9926 - Some variables being uninitialized led to rage-recompilations.
9927
9928 This is a pretty strong step in the direction of keeping more Structures alive and not
9929 blowing away code just because a Structure died. But, it seems like there is still a slight
9930 speed-up to be had from blowing away code that references dead Structures.
9931
9932 * bytecode/CodeBlock.cpp:
9933 (JSC::CodeBlock::dumpAssumingJITType):
9934 (JSC::shouldMarkTransition):
9935 (JSC::CodeBlock::propagateTransitions):
9936 (JSC::CodeBlock::determineLiveness):
9937 * bytecode/GetByIdStatus.cpp:
9938 (JSC::GetByIdStatus::computeForStubInfo):
9939 * bytecode/PutByIdStatus.cpp:
9940 (JSC::PutByIdStatus::computeForStubInfo):
9941 * dfg/DFGCapabilities.cpp:
9942 (JSC::DFG::isSupportedForInlining):
9943 (JSC::DFG::mightInlineFunctionForCall):
9944 (JSC::DFG::mightInlineFunctionForClosureCall):
9945 (JSC::DFG::mightInlineFunctionForConstruct):
9946 * dfg/DFGCapabilities.h:
9947 * dfg/DFGCommonData.h:
9948 * dfg/DFGDesiredWeakReferences.cpp:
9949 (JSC::DFG::DesiredWeakReferences::reallyAdd):
9950 * dfg/DFGOSREntry.cpp:
9951 (JSC::DFG::prepareOSREntry):
9952 * dfg/DFGOSRExitCompilerCommon.cpp:
9953 (JSC::DFG::handleExitCounts):
9954 * dfg/DFGOperations.cpp:
9955 * dfg/DFGOperations.h:
9956 * ftl/FTLForOSREntryJITCode.cpp:
9957 (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
9958 * ftl/FTLOSREntry.cpp:
9959 (JSC::FTL::prepareOSREntry):
9960 * runtime/Executable.cpp:
9961 (JSC::ExecutableBase::destroy):
9962 (JSC::NativeExecutable::destroy):
9963 (JSC::ScriptExecutable::ScriptExecutable):
9964 (JSC::ScriptExecutable::destroy):
9965 (JSC::ScriptExecutable::installCode):
9966 (JSC::EvalExecutable::EvalExecutable):
9967 (JSC::ProgramExecutable::ProgramExecutable):
9968 * runtime/Executable.h:
9969 (JSC::ScriptExecutable::setDidTryToEnterInLoop):
9970 (JSC::ScriptExecutable::didTryToEnterInLoop):
9971 (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
9972 (JSC::ScriptExecutable::ScriptExecutable): Deleted.
9973 * runtime/StructureInlines.h:
9974 (JSC::Structure::storedPrototypeObject):
9975 (JSC::Structure::storedPrototypeStructure):
9976
9977 2014-06-25 Filip Pizlo <fpizlo@apple.com>
9978
9979 [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
9980 https://bugs.webkit.org/show_bug.cgi?id=134333
9981
9982 Reviewed by Geoffrey Garen.
9983
9984 This is engineered to provide loads of information to the profiler without incurring any
9985 costs when the profiler is disabled. It's the oldest trick in the book: the thing that
9986 fires the watchpoint doesn't actually create anything to describe the reason why it was
9987 fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
9988 FireDetail::dump() virtual method is called does anything happen.
9989
9990 Currently we use this to produce very fine-grained data for Structure watchpoints and
9991 some cases of variable watchpoints. For all other situations, the given reason is just a
9992 string constant, by using StringFireDetail. If we find a situation where that string
9993 constant is insufficient to diagnose an issue then we can change it to provide more
9994 fine-grained information.
9995
9996 * JavaScriptCore.xcodeproj/project.pbxproj:
9997 * bytecode/CodeBlock.cpp:
9998 (JSC::CodeBlock::CodeBlock):
9999 (JSC::CodeBlock::jettison):
10000 * bytecode/CodeBlock.h:
10001 * bytecode/CodeBlockJettisoningWatchpoint.cpp:
10002 (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
10003 * bytecode/CodeBlockJettisoningWatchpoint.h:
10004 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
10005 * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
10006 * bytecode/StructureStubClearingWatchpoint.cpp:
10007 (JSC::StructureStubClearingWatchpoint::fireInternal):
10008 * bytecode/StructureStubClearingWatchpoint.h:
10009 * bytecode/VariableWatchpointSet.h:
10010 (JSC::VariableWatchpointSet::invalidate):
10011 (JSC::VariableWatchpointSet::finalizeUnconditionally):
10012 * bytecode/VariableWatchpointSetInlines.h:
10013 (JSC::VariableWatchpointSet::notifyWrite):
10014 * bytecode/Watchpoint.cpp:
10015 (JSC::StringFireDetail::dump):
10016 (JSC::WatchpointSet::fireAll):
10017 (JSC::WatchpointSet::fireAllSlow):
10018 (JSC::WatchpointSet::fireAllWatchpoints):
10019 (JSC::InlineWatchpointSet::fireAll):
10020 * bytecode/Watchpoint.h:
10021 (JSC::FireDetail::FireDetail):
10022 (JSC::FireDetail::~FireDetail):
10023 (JSC::StringFireDetail::StringFireDetail):
10024 (JSC::Watchpoint::fire):
10025 (JSC::WatchpointSet::fireAll):
10026 (JSC::WatchpointSet::touch):
10027 (JSC::WatchpointSet::invalidate):
10028 (JSC::InlineWatchpointSet::fireAll):
10029 (JSC::InlineWatchpointSet::touch):
10030 * dfg/DFGCommonData.h:
10031 * dfg/DFGOperations.cpp:
10032 * interpreter/Interpreter.cpp:
10033 (JSC::Interpreter::execute):
10034 * jsc.cpp:
10035 (WTF::Masquerader::create):
10036 * profiler/ProfilerCompilation.cpp:
10037 (JSC::Profiler::Compilation::setJettisonReason):
10038 (JSC::Profiler::Compilation::toJS):
10039 * profiler/ProfilerCompilation.h:
10040 (JSC::Profiler::Compilation::setJettisonReason): Deleted.
10041 * runtime/ArrayBuffer.cpp:
10042 (JSC::ArrayBuffer::transfer):
10043 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
10044 (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
10045 * runtime/ArrayBufferNeuteringWatchpoint.h:
10046 * runtime/CommonIdentifiers.h:
10047 * runtime/CommonSlowPaths.cpp:
10048 (JSC::SLOW_PATH_DECL):
10049 * runtime/Identifier.cpp:
10050 (JSC::Identifier::dump):
10051 * runtime/Identifier.h:
10052 * runtime/JSFunction.cpp:
10053 (JSC::JSFunction::put):
10054 (JSC::JSFunction::defineOwnProperty):
10055 * runtime/JSGlobalObject.cpp:
10056 (JSC::JSGlobalObject::addFunction):
10057 (JSC::JSGlobalObject::haveABadTime):
10058 * runtime/JSSymbolTableObject.cpp:
10059 (JSC::VariableWriteFireDetail::dump):
10060 * runtime/JSSymbolTableObject.h:
10061 (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
10062 (JSC::symbolTablePut):
10063 (JSC::symbolTablePutWithAttributes):
10064 * runtime/PropertyName.h:
10065 (JSC::PropertyName::dump):
10066 * runtime/Structure.cpp:
10067 (JSC::Structure::notifyTransitionFromThisStructure):
10068 * runtime/Structure.h:
10069 (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
10070 * runtime/SymbolTable.cpp:
10071 (JSC::SymbolTableEntry::notifyWriteSlow):
10072 (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
10073 * runtime/SymbolTable.h:
10074 (JSC::SymbolTableEntry::notifyWrite):
10075 * runtime/VM.cpp:
10076 (JSC::VM::addImpureProperty):
10077
10078 2014-08-05 Commit Queue <commit-queue@webkit.org>
10079
10080 Unreviewed, rolling out r172099.
10081 https://bugs.webkit.org/show_bug.cgi?id=135635
10082
10083 Needs a do-over. (Requested by kling on #webkit).
10084
10085 Reverted changeset:
10086
10087 "The JIT should cache property lookup misses."
10088 https://bugs.webkit.org/show_bug.cgi?id=135578
10089 http://trac.webkit.org/changeset/172099
10090
10091 2014-08-05 Przemyslaw Kuczynski <p.kuczynski@samsung.com>
10092
10093 Fix resource leak of unclosed file descriptor.
10094 https://bugs.webkit.org/show_bug.cgi?id=135417
10095
10096 Reviewed by Darin Adler.
10097
10098 When open returns zero, the fd handle leaks. Checking (fd > 0) needs to be replaced
10099 with (fd != -1).
10100
10101 * assembler/MacroAssemblerARM.cpp:
10102 (JSC::isVFPPresent):
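
The descriptor check described in this entry, as an added example that is not JavaScriptCore's code: the buggy (fd > 0) pattern beside the corrected (fd != -1) one, run with descriptor 0 free so that open() legitimately returns 0. The function names and the use of /dev/null as the probed path are assumptions made for the example.

```cpp
#include <cstdio>
#include <fcntl.h>
#include <unistd.h>

// Buggy pattern from the entry above: descriptor 0 is treated as a failure,
// so when open() legitimately returns 0 the descriptor is never closed.
// Returns true if the descriptor was closed.
bool probeWithWrongCheck(const char* path)
{
    int fd = open(path, O_RDONLY);
    if (fd > 0) { // bug: fd == 0 is a valid descriptor
        close(fd);
        return true;
    }
    return false;
}

// Corrected pattern: only -1 signals failure from open().
bool probeWithCorrectCheck(const char* path)
{
    int fd = open(path, O_RDONLY);
    if (fd != -1) {
        close(fd);
        return true;
    }
    return false;
}

// Runs `probe` while descriptor 0 is free, so open() hands out fd 0
// (POSIX returns the lowest free descriptor). Returns 1 if the probe
// left fd 0 open (leaked), 0 if it closed it. stdin is restored before
// returning. (Hypothetical helper written for this example.)
int leaksFdZero(bool (*probe)(const char*), const char* path)
{
    int savedStdin = dup(0); // -1 if stdin is already closed; that is fine
    if (savedStdin != -1)
        close(0);

    probe(path);

    // F_GETFD succeeds only if descriptor 0 is currently open.
    int leaked = fcntl(0, F_GETFD) != -1 ? 1 : 0;
    if (leaked)
        close(0); // release the leaked descriptor ourselves

    if (savedStdin != -1) {
        dup2(savedStdin, 0);
        close(savedStdin);
    }
    return leaked;
}

int main()
{
    std::printf("fd > 0 check leaks fd 0:   %d\n", leaksFdZero(probeWithWrongCheck, "/dev/null"));
    std::printf("fd != -1 check leaks fd 0: %d\n", leaksFdZero(probeWithCorrectCheck, "/dev/null"));
    return 0;
}
```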
10103
10104 2014-08-05 Andreas Kling <akling@apple.com>
10105
10106 The JIT should cache property lookup misses.
10107 <https://webkit.org/b/135578>
10108
10109 Add support for inline caching of object properties that don't exist.
10110 Previously we'd fall back to the C++ slow-path whenever a property was missing.
10111
10112 It's implemented as a simple GetById-style stub that returns jsUndefined() as
10113 long as the Structure chain check passes.
10114
10115 10x speedup on the included microbenchmark.
10116
10117 Reviewed by Geoffrey Garen.
10118
10119 * jit/Repatch.cpp:
10120 (JSC::toString):
10121 (JSC::kindFor):
10122 (JSC::generateByIdStub):
10123 (JSC::tryCacheGetByID):
10124 (JSC::patchJumpToGetByIdStub):
10125 * runtime/PropertySlot.h:
10126 (JSC::PropertySlot::isUnset):
10127
10128 2014-08-05 Commit Queue <commit-queue@webkit.org>
10129
10130 Unreviewed, rolling out r172009.
10131 https://bugs.webkit.org/show_bug.cgi?id=135627
10132
10133 "Commit landed on trunk instead of ftlopt branch." (Requested
10134 by saamyjoon on #webkit).
10135
10136 Reverted changeset:
10137
10138 "Create a more generic way for VMEntryScope to notify those
10139 interested that it will be destroyed"
10140 https://bugs.webkit.org/show_bug.cgi?id=135358
10141 http://trac.webkit.org/changeset/172009
10142
10143 2014-08-05 Alex Christensen <achristensen@webkit.org>
10144
10145 More work on CMake.
10146 https://bugs.webkit.org/show_bug.cgi?id=135620
10147
10148 Reviewed by Laszlo Gombos.
10149
10150 * CMakeLists.txt:
10151 Added missing source files.
10152 * PlatformEfl.cmake:
10153 * PlatformGTK.cmake:
10154 Include glib directories and libraries to find glib.h in EventLoop.cpp.
10155 * PlatformMac.cmake:
10156 Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
10157 because it should not be defined on Windows.
10158 Added remote inspector source files.
10159
10160 2014-08-05 Peyton Randolph <prandolph@apple.com>
10161
10162 Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
10163 https://bugs.webkit.org/show_bug.cgi?id=135276
10164
10165 Reviewed by Beth Dakin.
10166
10167 * Configurations/FeatureDefines.xcconfig:
10168
10169 2014-08-04 Benjamin Poulain <benjamin@webkit.org>
10170
10171 Add a flag for the CSS Selectors level 4 implementation
10172 https://bugs.webkit.org/show_bug.cgi?id=135535
10173
10174 Reviewed by Andreas Kling.
10175
10176 * Configurations/FeatureDefines.xcconfig:
10177
10178 2014-08-04 Alex Christensen <achristensen@webkit.org>
10179
10180 Progress towards CMake on Mac.
10181 https://bugs.webkit.org/show_bug.cgi?id=135528
10182
10183 Reviewed by Gyuyoung Kim.
10184
10185 * CMakeLists.txt:
10186 Include necessary directories and copy all necessary forwarding headers.
10187 Only compile UDis86Disassembler.cpp if we're using UDIS86.
10188 * PlatformMac.cmake: Added.
10189 * tools/CodeProfiling.cpp:
10190 Compile fix. Include sys/time.h on darwin, too.
10191
10192 2014-08-04 Saam Barati <sbarati@apple.com>
10193
10194 Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
10195 https://bugs.webkit.org/show_bug.cgi?id=135358
10196
10197 Reviewed by Geoffrey Garen.
10198
10199 When VMEntryScope is destroyed, and it has a flag set indicating that the
10200 Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
10201 This flag is only used by Debugger to have VMEntryScope notify it when the
10202 Debugger is safe to recompile all functions. This patch will substitute this
10203 Debugger-specific recompilation flag with a list of callbacks that are notified
10204 when the outermost VMEntryScope dies. This creates a general purpose interface
10205 for being notified when the VM stops executing code via the event of the outermost
10206 VMEntryScope dying.
10207
10208 * debugger/Debugger.cpp:
10209 (JSC::Debugger::recompileAllJSFunctions):
10210 * runtime/VMEntryScope.cpp:
10211 (JSC::VMEntryScope::VMEntryScope):
10212 (JSC::VMEntryScope::addEntryScopeDidPopListener):
10213 (JSC::VMEntryScope::~VMEntryScope):
10214 * runtime/VMEntryScope.h:
10215 (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
10216
10217 2014-08-01 Carlos Alberto Lopez Perez <clopez@igalia.com>
10218
10219 REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
10220 https://bugs.webkit.org/show_bug.cgi?id=135522
10221
10222 Reviewed by Martin Robinson.
10223
10224 * CMakeLists.txt: Output the inspector headers inside inspector
10225 subdirectory.
10226
10227 2014-08-01 Mark Lam <mark.lam@apple.com>
10228
10229 Add some structure related assertions.
10230 <https://webkit.org/b/135523>
10231
10232 Reviewed by Geoffrey Garen.
10233
10234 Adding 2 assertions:
10235 1. assert that we don't index past the end of the StructureIDTable.
10236 This should never happen, but this assertion will help catch bugs
10237 where a bad structureID gets passed in.
10238 2. assert that cells in MarkedBlock::callDestructor() that are not
10239 zapped should have a non-null StructureID. This will help us catch
10240 bugs where the other cell header flag bits get set after the cell is
10241 zapped, thereby making the cell look like an unzapped cell but with a
10242 null structureID.
10243
10244 * heap/MarkedBlock.cpp:
10245 (JSC::MarkedBlock::callDestructor):
10246 * runtime/StructureIDTable.h:
10247 (JSC::StructureIDTable::get):
10248
10249 2014-08-01 Csaba Osztrogonác <ossy@webkit.org>
10250
10251 URTBF after r171946 to fix non-Apple builds.
10252
10253 * bytecode/InlineCallFrameSet.cpp:
10254
10255 2014-08-01 Mark Hahnenberg <mhahnenberg@apple.com>
10256
10257 CodeBlock fails to visit the Executables of its InlineCallFrames
10258 https://bugs.webkit.org/show_bug.cgi?id=135471
10259
10260 Reviewed by Geoffrey Garen.
10261
10262 CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
10263 can be prematurely collected and cause crashes.
10264
10265 * bytecode/CodeBlock.cpp:
10266 (JSC::CodeBlock::stronglyVisitStrongReferences):
10267 * bytecode/CodeOrigin.h:
10268 (JSC::InlineCallFrame::visitAggregate):
10269 * bytecode/InlineCallFrameSet.cpp:
10270 (JSC::InlineCallFrameSet::visitAggregate):
10271 * bytecode/InlineCallFrameSet.h:
10272
10273 2014-08-01 Alex Christensen <achristensen@webkit.org>
10274
10275 Progress towards cmake on Windows.
10276 https://bugs.webkit.org/show_bug.cgi?id=135484
10277
10278 Reviewed by Martin Robinson.
10279
10280 * CMakeLists.txt:
10281 Generate code directly to inspector directory to avoid using the cp command
10282 which is not available on Windows.
10283 * PlatformWin.cmake: Added.
10284
10285 2014-07-31 Andreas Kling <akling@apple.com>
10286
10287 Remove the JSC::OverridesVisitChildren flag.
10288 <https://webkit.org/b/135489>
10289
10290 Except for 3 special classes, the visitChildren() call is always
10291 dispatched through the method table (see SlotVisitor.cpp.)
10292
10293 The OverridesVisitChildren flag doesn't actually do anything.
10294 It could be used to implement a non-virtual direct call to
10295 JSCell::visitChildren, bypassing the method table for some objects,
10296 but such a micro-optimization seems like a weak trade for all this
10297 code complexity. Instead, just remove the flag.
10298
10299 This change frees up an inline flag bit in JSCell.
10300
10301 Reviewed by Geoffrey Garen.
10302
10303 * API/JSAPIWrapperObject.h:
10304 * API/JSAPIWrapperObject.mm:
10305 (JSC::JSAPIWrapperObject::visitChildren):
10306 * API/JSCallbackObject.h:
10307 (JSC::JSCallbackObject::visitChildren):
10308 * bytecode/UnlinkedCodeBlock.cpp:
10309 (JSC::UnlinkedFunctionExecutable::visitChildren):
10310 (JSC::UnlinkedCodeBlock::visitChildren):
10311 (JSC::UnlinkedProgramCodeBlock::visitChildren):
10312 * bytecode/UnlinkedCodeBlock.h:
10313 * debugger/DebuggerScope.cpp:
10314 (JSC::DebuggerScope::visitChildren):
10315 * debugger/DebuggerScope.h:
10316 * jsc.cpp:
10317 * runtime/Arguments.cpp:
10318 (JSC::Arguments::visitChildren):
10319 * runtime/Arguments.h:
10320 * runtime/Executable.cpp:
10321 (JSC::EvalExecutable::visitChildren):
10322 (JSC::ProgramExecutable::visitChildren):
10323 (JSC::FunctionExecutable::visitChildren):
10324 * runtime/Executable.h:
10325 * runtime/GetterSetter.cpp:
10326 (JSC::GetterSetter::visitChildren):
10327 * runtime/GetterSetter.h:
10328 (JSC::GetterSetter::createStructure):
10329 * runtime/JSAPIValueWrapper.h:
10330 (JSC::JSAPIValueWrapper::createStructure):
10331 * runtime/JSActivation.cpp:
10332 (JSC::JSActivation::visitChildren):
10333 * runtime/JSActivation.h:
10334 * runtime/JSArrayIterator.cpp:
10335 (JSC::JSArrayIterator::visitChildren):
10336 * runtime/JSArrayIterator.h:
10337 * runtime/JSBoundFunction.cpp:
10338 (JSC::JSBoundFunction::visitChildren):
10339 * runtime/JSBoundFunction.h:
10340 * runtime/JSCellInlines.h:
10341 (JSC::JSCell::setStructure):
10342 * runtime/JSFunction.cpp:
10343 (JSC::JSFunction::visitChildren):
10344 * runtime/JSFunction.h:
10345 * runtime/JSGlobalObject.cpp:
10346 (JSC::JSGlobalObject::visitChildren):
10347 * runtime/JSGlobalObject.h:
10348 * runtime/JSMap.h:
10349 * runtime/JSMapIterator.cpp:
10350 (JSC::JSMapIterator::visitChildren):
10351 * runtime/JSMapIterator.h:
10352 * runtime/JSNameScope.cpp:
10353 (JSC::JSNameScope::visitChildren):
10354 * runtime/JSNameScope.h:
10355 * runtime/JSPromise.cpp:
10356 (JSC::JSPromise::visitChildren):
10357 * runtime/JSPromise.h:
10358 * runtime/JSPromiseDeferred.cpp:
10359 (JSC::JSPromiseDeferred::visitChildren):
10360 * runtime/JSPromiseDeferred.h:
10361 * runtime/JSPromiseReaction.cpp:
10362 (JSC::JSPromiseReaction::visitChildren):
10363 * runtime/JSPromiseReaction.h:
10364 * runtime/JSPropertyNameIterator.cpp:
10365 (JSC::JSPropertyNameIterator::visitChildren):
10366 * runtime/JSPropertyNameIterator.h:
10367 * runtime/JSProxy.cpp:
10368 (JSC::JSProxy::visitChildren):
10369 * runtime/JSProxy.h:
10370 * runtime/JSScope.cpp:
10371 (JSC::JSScope::visitChildren):
10372 * runtime/JSScope.h:
10373 * runtime/JSSegmentedVariableObject.cpp:
10374 (JSC::JSSegmentedVariableObject::visitChildren):
10375 * runtime/JSSegmentedVariableObject.h:
10376 * runtime/JSSet.h:
10377 * runtime/JSSetIterator.cpp:
10378 (JSC::JSSetIterator::visitChildren):
10379 * runtime/JSSetIterator.h:
10380 * runtime/JSSymbolTableObject.cpp:
10381 (JSC::JSSymbolTableObject::visitChildren):
10382 * runtime/JSSymbolTableObject.h:
10383 * runtime/JSTypeInfo.h:
10384 (JSC::TypeInfo::overridesVisitChildren): Deleted.
10385 * runtime/JSWeakMap.h:
10386 * runtime/JSWithScope.cpp:
10387 (JSC::JSWithScope::visitChildren):
10388 * runtime/JSWithScope.h:
10389 * runtime/JSWrapperObject.cpp:
10390 (JSC::JSWrapperObject::visitChildren):
10391 * runtime/JSWrapperObject.h:
10392 * runtime/MapData.h:
10393 * runtime/NativeErrorConstructor.cpp:
10394 (JSC::NativeErrorConstructor::visitChildren):
10395 * runtime/NativeErrorConstructor.h:
10396 * runtime/PropertyMapHashTable.h:
10397 * runtime/PropertyTable.cpp:
10398 (JSC::PropertyTable::visitChildren):
10399 * runtime/RegExpConstructor.cpp:
10400 (JSC::RegExpConstructor::visitChildren):
10401 * runtime/RegExpConstructor.h:
10402 * runtime/RegExpMatchesArray.cpp:
10403 (JSC::RegExpMatchesArray::visitChildren):
10404 * runtime/RegExpMatchesArray.h:
10405 * runtime/RegExpObject.cpp:
10406 (JSC::RegExpObject::visitChildren):
10407 * runtime/RegExpObject.h:
10408 * runtime/SparseArrayValueMap.h:
10409 * runtime/Structure.cpp:
10410 (JSC::Structure::Structure):
10411 (JSC::Structure::visitChildren):
10412 * runtime/StructureChain.cpp:
10413 (JSC::StructureChain::visitChildren):
10414 * runtime/StructureChain.h:
10415 * runtime/StructureRareData.cpp:
10416 (JSC::StructureRareData::visitChildren):
10417 * runtime/StructureRareData.h:
10418 * runtime/WeakMapData.h:
10419
2014-07-31 Mark Lam <mark.lam@apple.com>

        JSCell::classInfo() belongs in JSCellInlines.h.
        <https://webkit.org/b/135475>

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo): Deleted.

2014-07-31 Tanay C <tanay.c@samsung.com>

        Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
        https://bugs.webkit.org/show_bug.cgi?id=135414

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::putToScopeCommon): Removed unused parameter from function definition.

2014-07-30 Filip Pizlo <fpizlo@apple.com>

        NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
        https://bugs.webkit.org/show_bug.cgi?id=135430

        Reviewed by Mark Hahnenberg.

        We already handled this correctly after the ftlopt merge, but it's useful to have the test.

        * tests/stress/new-function-expression-has-structures.js: Added.
        (foo.f):
        (foo.f.prototype.f):
        (foo):

2014-07-30 Andreas Kling <akling@apple.com>

        Speculative Windows build fix.

        Try to dllimport the dllexported global object HashTable.

        * jsc.cpp:
        * testRegExp.cpp:

2014-07-30 Andreas Kling <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30 Andy Estes <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30 Andreas Kling <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one
        less null pointer.

        Also simplified Lookup.h to stop requiring ExecState/VM to access the
        static hash tables.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        * jsc.cpp:
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * testRegExp.cpp:

2014-07-29 Brent Fulgham <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29 Daniel Bates <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

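The constructor-initialization issue in the StructureSet entry above, as an added C++ example that is not JavaScriptCore's StructureSet code: a minimal tagged-pointer holder whose set() keeps the reserved low bit of the previous value and replaces only the pointer bits, which is exactly the read that goes wrong when the member starts out uninitialized. The names reservedFlag, m_pointer and set() follow the ChangeLog entry; the class name TaggedPointer and the helper functions are assumptions made for this example.

```cpp
#include <cassert>
#include <cstdint>

// Added example, not JavaScriptCore code. Models the StructureSet pattern: a single
// uintptr_t holds a pointer in its high bits and a reserved flag in bit 0.
class TaggedPointer {
public:
    static constexpr uintptr_t reservedFlag = 1;

    // Fixed form: m_pointer is zeroed explicitly, so the first set() reads a defined
    // flag bit. The pre-fix constructor left m_pointer indeterminate, so set() carried
    // whatever bit happened to be in memory into the new value (and the compiler
    // warned about reading the uninitialized member).
    TaggedPointer()
        : m_pointer(0)
    {
    }

    // Replaces the pointer bits while preserving the reserved flag of the old value.
    void set(void* pointer)
    {
        uintptr_t bits = reinterpret_cast<uintptr_t>(pointer);
        assert(!(bits & reservedFlag)); // pointers stored here must be at least 2-byte aligned
        m_pointer = bits | (m_pointer & reservedFlag);
    }

    void setReservedFlag(bool value)
    {
        m_pointer = value ? (m_pointer | reservedFlag) : (m_pointer & ~reservedFlag);
    }

    bool reservedFlagIsSet() const { return m_pointer & reservedFlag; }
    void* pointer() const { return reinterpret_cast<void*>(m_pointer & ~reservedFlag); }

private:
    uintptr_t m_pointer;
};

// Exercises the invariant: a fresh holder has a clear flag, set() never invents a flag,
// and set() never drops a flag that was deliberately raised. The first check is only
// meaningful because the constructor initializes m_pointer.
bool flagRoundTripsThroughSet()
{
    static int target; // constructed targets; int alignment keeps bit 0 clear
    static int other;
    TaggedPointer p;
    if (p.reservedFlagIsSet())
        return false;
    p.set(&target);
    if (p.reservedFlagIsSet() || p.pointer() != &target)
        return false;
    p.setReservedFlag(true);
    p.set(&other);
    return p.reservedFlagIsSet() && p.pointer() == &other;
}
```

The defensive point is the one the entry makes: any set() that merges old and new bits turns an uninitialized member into a data-dependent flag, so the member must be given a defined value in every constructor.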
2014-07-28 Benjamin Poulain <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There is no variation that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
        gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that supports SP, and the one that does
        not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost
        register is SP?

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.

2014-07-28 Brian J. Burg <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject.

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
        account for JSProxies. I also audited the rest of the C API to check that we correctly
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
        passed a JSProxy.

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:
        (main):

2014-07-28 Filip Pizlo <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):

2014-07-28 Joseph Pecoraro <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28 Brian J. Burg <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28 Brian J. Burg <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):

        Tests:

        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28 Brian J. Burg <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

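The blob treatment the Vector<char> entry above describes, as an added C++ example that is not JavaScriptCore's EncodedValue code: a byte vector is carried as one base64 string rather than a JSON array of single characters, and the matching decoder rejects malformed input instead of producing a partially filled buffer. The function names base64Encode, base64Decode, blobRoundTrips and decoderRejects are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Added example, not JavaScriptCore code: a std::vector<char> stands in for WTF::Vector<char>.
static const char kBase64Alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Blob path: the whole vector becomes one base64 string, e.g. "aGVsbG8=" for "hello".
std::string base64Encode(const std::vector<char>& bytes)
{
    std::string out;
    size_t i = 0;
    for (; i + 3 <= bytes.size(); i += 3) {
        uint32_t triple = (static_cast<unsigned char>(bytes[i]) << 16)
            | (static_cast<unsigned char>(bytes[i + 1]) << 8)
            | static_cast<unsigned char>(bytes[i + 2]);
        out += kBase64Alphabet[(triple >> 18) & 63];
        out += kBase64Alphabet[(triple >> 12) & 63];
        out += kBase64Alphabet[(triple >> 6) & 63];
        out += kBase64Alphabet[triple & 63];
    }
    size_t rest = bytes.size() - i; // 0, 1 or 2 trailing bytes
    if (rest) {
        uint32_t triple = static_cast<unsigned char>(bytes[i]) << 16;
        if (rest == 2)
            triple |= static_cast<unsigned char>(bytes[i + 1]) << 8;
        out += kBase64Alphabet[(triple >> 18) & 63];
        out += kBase64Alphabet[(triple >> 12) & 63];
        out += rest == 2 ? kBase64Alphabet[(triple >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

// Decoder for the blob path. Returns false on a bad length, a character outside the
// alphabet or misplaced padding; a replay decoder reading untrusted input must reject
// these rather than trust whatever bytes were produced before the error.
bool base64Decode(const std::string& text, std::vector<char>& out)
{
    out.clear();
    if (text.size() % 4)
        return false;
    auto value = [](char c) -> int {
        if (c >= 'A' && c <= 'Z') return c - 'A';
        if (c >= 'a' && c <= 'z') return c - 'a' + 26;
        if (c >= '0' && c <= '9') return c - '0' + 52;
        if (c == '+') return 62;
        if (c == '/') return 63;
        return -1;
    };
    for (size_t i = 0; i < text.size(); i += 4) {
        int v[4];
        size_t pad = 0;
        for (size_t j = 0; j < 4; ++j) {
            char c = text[i + j];
            if (c == '=') {
                // Padding may only occupy the last two slots of the final group.
                if (i + 4 != text.size() || j < 2)
                    return false;
                v[j] = 0;
                ++pad;
            } else if (pad || (v[j] = value(c)) < 0) {
                return false; // data after '=' or a character outside the alphabet
            }
        }
        uint32_t triple = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        out.push_back(static_cast<char>((triple >> 16) & 0xff));
        if (pad < 2)
            out.push_back(static_cast<char>((triple >> 8) & 0xff));
        if (pad < 1)
            out.push_back(static_cast<char>(triple & 0xff));
    }
    return true;
}

// Round-trips a constructed buffer containing a NUL and a 0xff byte, content that a
// JSON array of "characters" would not carry faithfully.
bool blobRoundTrips()
{
    std::vector<char> bytes = {'h', 'e', 'l', 'l', 'o', '\0', static_cast<char>(0xff)};
    std::vector<char> back;
    return base64Decode(base64Encode(bytes), back) && back == bytes;
}

// True when the decoder rejects the input.
bool decoderRejects(const std::string& text)
{
    std::vector<char> scratch;
    return !base64Decode(text, scratch);
}
```

Usage: base64Encode(bytes) gives the string to place in the JSON document, and base64Decode(text, bytes) is the only way bytes come back out, so the length and alphabet checks sit on every path that consumes replay data.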
2014-07-28 Brent Fulgham <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27 Ryuan Choi <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:
        (JSC::DFG::merge):

2014-07-27 Filip Pizlo <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.

        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.

        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps
        reappearing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27 Filip Pizlo <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

        This fixes the previous mismerge and adds test coverage for the thing that went wrong.

        Additional changes listed here:

        * jsc.cpp:
        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

    2014-06-27 Michael Saboff <msaboff@apple.com>

            Unreviewed build fix after r169795.

            Fixed ASSERT for 32 bit build.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

    2014-06-24 Saam Barati <sbarati@apple.com>

            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395

            Reviewed by Filip Pizlo.

            Increase the amount of type information the VM gathers when directed
            to do so. This initial commit is working towards the goal of
            capturing, and then showing (via the Web Inspector) type information for all
            assignment and load operations. This patch doesn't have the feature fully
            implemented, but it ensures the VM has no performance regressions
            unless the feature is specifically turned on.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/CodeBlock.h:
            * bytecode/Instruction.h:
            * bytecode/TypeLocation.h: Added.
            (JSC::TypeLocation::TypeLocation):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ConstDeclNode::emitCodeSingle):
            (JSC::ForInNode::emitBytecode):
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * jsc.cpp:
            (GlobalObject::finishCreation):
            (functionDumpTypesForAllVariables):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp: Added.
            (JSC::HighFidelityLog::initializeHighFidelityLog):
            (JSC::HighFidelityLog::~HighFidelityLog):
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            * runtime/HighFidelityLog.h: Added.
            (JSC::HighFidelityLog::HighFidelityLog):
            * runtime/HighFidelityTypeProfiler.cpp: Added.
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
            * runtime/HighFidelityTypeProfiler.h: Added.
            * runtime/Options.h:
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::SymbolTable):
            (JSC::SymbolTable::cloneCapturedNames):
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            (JSC::SymbolTable::globalTypeSetForRegister):
            (JSC::SymbolTable::globalTypeSetForVariable):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::add):
            (JSC::SymbolTable::set):
            * runtime/TypeSet.cpp: Added.
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::removeDuplicatesInStructureHistory):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::dumpSeenTypes):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::markAsFinal):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastUpperBound):
            (JSC::StructureShape::stringRepresentation):
            * runtime/TypeSet.h: Added.
            (JSC::StructureShape::create):
            (JSC::TypeSet::create):
            * runtime/VM.cpp:
            (JSC::VM::VM):
            (JSC::VM::getTypesForVariableInRange):
            (JSC::VM::updateHighFidelityTypeProfileState):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityLog):
            (JSC::VM::highFidelityTypeProfiler):
            (JSC::VM::nextLocation):
            (JSC::VM::getNextUniqueVariableID):

    2014-06-26 Mark Lam <mark.lam@apple.com>

            Remove unused instantiation of the WithScope structure.
            <https://webkit.org/b/134331>

            Reviewed by Oliver Hunt.

            The WithScope structure instance in the VM is unused, and is now removed.

            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-25 Mark Hahnenberg <mhahnenberg@apple.com>

            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307

            Reviewed by Filip Pizlo.

            Currently we use C-style bit fields for a number of member variables in Structure to save space.
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
            format to make it easy to load and test these variables in JIT code.

            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
11151 (JSC::Structure::setPreviousID):
11152 (JSC::Structure::clearPreviousID):
11153 (JSC::Structure::previous):
11154 (JSC::Structure::rareData):
11155 (JSC::Structure::didTransition): Deleted.
11156 (JSC::Structure::hasGetterSetterProperties): Deleted.
11157 (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
11158 (JSC::Structure::setHasGetterSetterProperties): Deleted.
11159 (JSC::Structure::hasNonEnumerableProperties): Deleted.
11160 (JSC::Structure::staticFunctionsReified): Deleted.
11161 (JSC::Structure::setStaticFunctionsReified): Deleted.
11162 * runtime/StructureInlines.h:
11163 (JSC::Structure::setEnumerationCache):
11164 (JSC::Structure::enumerationCache):
11165 (JSC::Structure::checkOffsetConsistency):
11166
11167 2014-06-24 Mark Lam <mark.lam@apple.com>
11168
11169 [ftlopt] Renamed DebuggerActivation to DebuggerScope.
11170 <https://webkit.org/b/134273>
11171
11172 Reviewed by Michael Saboff.
11173
11174 * CMakeLists.txt:
11175 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11176 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11177 * JavaScriptCore.xcodeproj/project.pbxproj:
11178 * debugger/DebuggerActivation.cpp: Removed.
11179 * debugger/DebuggerActivation.h: Removed.
11180 * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
11181 (JSC::DebuggerScope::DebuggerScope):
11182 (JSC::DebuggerScope::finishCreation):
11183 (JSC::DebuggerScope::visitChildren):
11184 (JSC::DebuggerScope::className):
11185 (JSC::DebuggerScope::getOwnPropertySlot):
11186 (JSC::DebuggerScope::put):
11187 (JSC::DebuggerScope::deleteProperty):
11188 (JSC::DebuggerScope::getOwnPropertyNames):
11189 (JSC::DebuggerScope::defineOwnProperty):
11190 (JSC::DebuggerActivation::DebuggerActivation): Deleted.
11191 (JSC::DebuggerActivation::finishCreation): Deleted.
11192 (JSC::DebuggerActivation::visitChildren): Deleted.
11193 (JSC::DebuggerActivation::className): Deleted.
11194 (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
11195 (JSC::DebuggerActivation::put): Deleted.
11196 (JSC::DebuggerActivation::deleteProperty): Deleted.
11197 (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
11198 (JSC::DebuggerActivation::defineOwnProperty): Deleted.
11199 * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
11200 (JSC::DebuggerScope::create):
11201 (JSC::DebuggerActivation::create): Deleted.
11202 * runtime/VM.cpp:
11203 (JSC::VM::VM):
11204 * runtime/VM.h:
11205
11206 2014-06-24 Filip Pizlo <fpizlo@apple.com>
11207
11208 [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
11209 https://bugs.webkit.org/show_bug.cgi?id=134265
11210
11211 Reviewed by Geoffrey Garen.
11212
11213 More assertion fallout from the PutById folding work.
11214
11215 * dfg/DFGNode.h:
11216 (JSC::DFG::Node::convertToPutByOffset):
11217
11218 2014-06-24 Filip Pizlo <fpizlo@apple.com>
11219
11220 [ftlopt] GC should notify us if it resets to_this
11221 https://bugs.webkit.org/show_bug.cgi?id=128231
11222
11223 Reviewed by Geoffrey Garen.
11224
11225 * CMakeLists.txt:
11226 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11227 * JavaScriptCore.xcodeproj/project.pbxproj:
11228 * bytecode/BytecodeList.json:
11229 * bytecode/CodeBlock.cpp:
11230 (JSC::CodeBlock::dumpBytecode):
11231 (JSC::CodeBlock::finalizeUnconditionally):
11232 * bytecode/Instruction.h:
11233 * bytecode/ToThisStatus.cpp: Added.
11234 (JSC::merge):
11235 (WTF::printInternal):
11236 * bytecode/ToThisStatus.h: Added.
11237 * bytecompiler/BytecodeGenerator.cpp:
11238 (JSC::BytecodeGenerator::BytecodeGenerator):
11239 * dfg/DFGByteCodeParser.cpp:
11240 (JSC::DFG::ByteCodeParser::parseBlock):
11241 * llint/LowLevelInterpreter32_64.asm:
11242 * llint/LowLevelInterpreter64.asm:
11243 * runtime/CommonSlowPaths.cpp:
11244 (JSC::SLOW_PATH_DECL):
11245
11246 2014-06-24 Filip Pizlo <fpizlo@apple.com>
11247
11248 [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
11249 https://bugs.webkit.org/show_bug.cgi?id=134256
11250
11251 Reviewed by Michael Saboff.
11252
11253 This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
11254 point is to be able to precisely model what goes on in the snippets of code between a
11255 side-effect and an InvalidationPoint.
11256
11257 This patch also cleans up onlyStructure() by delegating more work to
11258 StructureSet::onlyStructure().
11259
11260 * dfg/DFGStructureAbstractValue.h:
11261 (JSC::DFG::StructureAbstractValue::onlyStructure):
11262
11263 2014-06-24 Filip Pizlo <fpizlo@apple.com>
11264
11265 [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
11266 https://bugs.webkit.org/show_bug.cgi?id=134260
11267
11268 Reviewed by Geoffrey Garen.
11269
11270 This was causing loads of assertion failures in debug builds.
11271
11272 * dfg/DFGAbstractInterpreterInlines.h:
11273 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11274
11275 2014-06-21 Filip Pizlo <fpizlo@apple.com>
11276
11277 [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
11278 https://bugs.webkit.org/show_bug.cgi?id=134090
11279
11280 Reviewed by Oliver Hunt.
11281
11282 This pretty much finishes off the work to eliminate the special-casing of singleton
11283 structure sets by making it possible to fold GetById and PutById to various polymorphic
11284 forms of the ByOffset nodes.
11285
11286 * bytecode/GetByIdStatus.cpp:
11287 (JSC::GetByIdStatus::computeForStubInfo):
11288 (JSC::GetByIdStatus::computeFor):
11289 * bytecode/GetByIdStatus.h:
11290 * bytecode/PutByIdStatus.cpp:
11291 (JSC::PutByIdStatus::computeFor):
11292 * bytecode/PutByIdStatus.h:
11293 * bytecode/PutByIdVariant.h:
11294 (JSC::PutByIdVariant::constantChecks):
11295 * dfg/DFGAbstractInterpreterInlines.h:
11296 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11297 * dfg/DFGByteCodeParser.cpp:
11298 (JSC::DFG::ByteCodeParser::parseBlock):
11299 * dfg/DFGConstantFoldingPhase.cpp:
11300 (JSC::DFG::ConstantFoldingPhase::foldConstants):
11301 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
11302 (JSC::DFG::ConstantFoldingPhase::addChecks):
11303 * dfg/DFGNode.h:
11304 (JSC::DFG::Node::convertToMultiGetByOffset):
11305 (JSC::DFG::Node::convertToMultiPutByOffset):
11306 * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
11307 (JSC::DFG::SpeculativeJIT::fillJSValue):
11308 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
11309 (JSC::DFG::SpeculativeJIT::emitCall):
11310 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
11311 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
11312 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
11313 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
11314 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
11315 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
11316 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
11317 (JSC::DFG::SpeculativeJIT::emitBranch):
11318 (JSC::DFG::SpeculativeJIT::compile):
11319 * dfg/DFGStructureAbstractValue.h:
11320 (JSC::DFG::StructureAbstractValue::set):
11321
11322 2014-06-19 Filip Pizlo <fpizlo@apple.com>
11323
11324 [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
11325 https://bugs.webkit.org/show_bug.cgi?id=134077
11326
11327 Reviewed by Sam Weinig.
11328
11329 This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
11330 in the abstract interpreter.
11331
11332 * bytecode/StructureSet.h:
11333 (JSC::StructureSet::onlyStructure):
11334
11335 2014-06-18 Filip Pizlo <fpizlo@apple.com>
11336
11337 DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
11338 https://bugs.webkit.org/show_bug.cgi?id=133918
11339
11340 Reviewed by Mark Hahnenberg.
11341
11342 This also adds pruning of PutStructure, since I basically had no choice but
11343 to implement such logic within MultiPutByOffset.
11344
11345 Also adds a bunch of PutById cache status dumping to bytecode dumping.
11346
11347 * bytecode/GetByIdVariant.cpp:
11348 (JSC::GetByIdVariant::dumpInContext):
11349 * bytecode/GetByIdVariant.h:
11350 (JSC::GetByIdVariant::structureSet):
11351 * bytecode/PutByIdVariant.h:
11352 (JSC::PutByIdVariant::oldStructure):
11353 * bytecode/StructureSet.cpp:
11354 (JSC::StructureSet::filter):
11355 (JSC::StructureSet::filterArrayModes):
11356 * bytecode/StructureSet.h:
11357 * dfg/DFGAbstractInterpreterInlines.h:
11358 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11359 * dfg/DFGAbstractValue.cpp:
11360 (JSC::DFG::AbstractValue::changeStructure):
11361 (JSC::DFG::AbstractValue::contains):
11362 * dfg/DFGAbstractValue.h:
11363 (JSC::DFG::AbstractValue::couldBeType):
11364 (JSC::DFG::AbstractValue::isType):
11365 * dfg/DFGConstantFoldingPhase.cpp:
11366 (JSC::DFG::ConstantFoldingPhase::foldConstants):
11367 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
11368 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
11369 (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
11370 * dfg/DFGGraph.cpp:
11371 (JSC::DFG::Graph::freezeStrong):
11372 * dfg/DFGGraph.h:
11373 * dfg/DFGStructureAbstractValue.h:
11374 (JSC::DFG::StructureAbstractValue::operator=):
11375 * ftl/FTLLowerDFGToLLVM.cpp:
11376 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
11377 * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
11378 (foo):
11379 (fu):
11380 (bar):
11381 (baz):
11382 (.bar):
11383 (.baz):
11384 * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
11385 (foo):
11386 (fu):
11387 (bar):
11388 (baz):
11389 (.bar):
11390 (.baz):
11391 * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
11392 (foo):
11393 (fu):
11394 (bar):
11395 (baz):
11396 (.bar):
11397 (.baz):
11398
11399 2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
11400
11401 Remove CompoundType and LeafType
11402 https://bugs.webkit.org/show_bug.cgi?id=134037
11403
11404 Reviewed by Filip Pizlo.
11405
11406 We don't use them for anything. We'll replace them with a generic CellType type for all
11407 the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
11408 their JSType at runtime.
11409
11410 * llint/LLIntData.cpp:
11411 (JSC::LLInt::Data::performAssertions):
11412 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
11413 (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
11414 * runtime/Executable.h:
11415 (JSC::ExecutableBase::createStructure):
11416 (JSC::NativeExecutable::createStructure):
11417 * runtime/JSPromiseDeferred.h:
11418 (JSC::JSPromiseDeferred::createStructure):
11419 * runtime/JSPromiseReaction.h:
11420 (JSC::JSPromiseReaction::createStructure):
11421 * runtime/JSPropertyNameIterator.h:
11422 (JSC::JSPropertyNameIterator::createStructure):
11423 * runtime/JSType.h:
11424 * runtime/JSTypeInfo.h:
11425 (JSC::TypeInfo::TypeInfo):
11426 * runtime/MapData.h:
11427 (JSC::MapData::createStructure):
11428 * runtime/PropertyMapHashTable.h:
11429 (JSC::PropertyTable::createStructure):
11430 * runtime/RegExp.h:
11431 (JSC::RegExp::createStructure):
11432 * runtime/SparseArrayValueMap.cpp:
11433 (JSC::SparseArrayValueMap::createStructure):
11434 * runtime/Structure.cpp:
11435 (JSC::Structure::Structure):
11436 * runtime/StructureChain.h:
11437 (JSC::StructureChain::createStructure):
11438 * runtime/StructureRareData.cpp:
11439 (JSC::StructureRareData::createStructure):
11440 * runtime/SymbolTable.h:
11441 (JSC::SymbolTable::createStructure):
11442 * runtime/WeakMapData.h:
11443 (JSC::WeakMapData::createStructure):
11444
11445 2014-06-17 Filip Pizlo <fpizlo@apple.com>
11446
11447 [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
11448 https://bugs.webkit.org/show_bug.cgi?id=134002
11449
11450 Reviewed by Mark Hahnenberg.
11451
11452 The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
11453 JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
11454 of the structure if that structure was watchable.
11455
11456 Also kill PhantomPutStructure.
11457
11458 * dfg/DFGAbstractInterpreterInlines.h:
11459 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11460 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
11461 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
11462 * dfg/DFGClobberize.h:
11463 (JSC::DFG::clobberize):
11464 * dfg/DFGDoesGC.cpp:
11465 (JSC::DFG::doesGC):
11466 * dfg/DFGFixupPhase.cpp:
11467 (JSC::DFG::FixupPhase::fixupNode):
11468 * dfg/DFGGraph.cpp:
11469 (JSC::DFG::Graph::visitChildren):
11470 * dfg/DFGNode.h:
11471 (JSC::DFG::Node::hasTransition):
11472 * dfg/DFGNodeType.h:
11473 * dfg/DFGPredictionPropagationPhase.cpp:
11474 (JSC::DFG::PredictionPropagationPhase::propagate):
11475 * dfg/DFGSafeToExecute.h:
11476 (JSC::DFG::safeToExecute):
11477 * dfg/DFGSpeculativeJIT32_64.cpp:
11478 (JSC::DFG::SpeculativeJIT::compile):
11479 * dfg/DFGSpeculativeJIT64.cpp:
11480 (JSC::DFG::SpeculativeJIT::compile):
11481 * dfg/DFGStructureAbstractValue.cpp:
11482 (JSC::DFG::StructureAbstractValue::observeTransition):
11483 (JSC::DFG::StructureAbstractValue::observeTransitions):
11484 * dfg/DFGValidate.cpp:
11485 (JSC::DFG::Validate::validate):
11486 * dfg/DFGWatchableStructureWatchingPhase.cpp:
11487 (JSC::DFG::WatchableStructureWatchingPhase::run):
11488 * ftl/FTLCapabilities.cpp:
11489 (JSC::FTL::canCompile):
11490 * ftl/FTLLowerDFGToLLVM.cpp:
11491 (JSC::FTL::LowerDFGToLLVM::compileNode):
11492 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
11493
11494 2014-06-17 Filip Pizlo <fpizlo@apple.com>
11495
11496 [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
11497 https://bugs.webkit.org/show_bug.cgi?id=133964
11498
11499 Reviewed by Mark Hahnenberg.
11500
11501 * bytecode/PutByIdStatus.cpp:
11502 (JSC::PutByIdStatus::appendVariant):
11503 (JSC::PutByIdStatus::computeForStubInfo):
11504 * bytecode/PutByIdVariant.cpp:
11505 (JSC::PutByIdVariant::oldStructureForTransition):
11506 (JSC::PutByIdVariant::writesStructures):
11507 (JSC::PutByIdVariant::reallocatesStorage):
11508 (JSC::PutByIdVariant::attemptToMerge):
11509 (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
11510 (JSC::PutByIdVariant::dumpInContext):
11511 * bytecode/PutByIdVariant.h:
11512 (JSC::PutByIdVariant::PutByIdVariant):
11513 (JSC::PutByIdVariant::replace):
11514 (JSC::PutByIdVariant::transition):
11515 (JSC::PutByIdVariant::structure):
11516 (JSC::PutByIdVariant::oldStructure):
11517 * dfg/DFGAbstractInterpreterInlines.h:
11518 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11519 * dfg/DFGByteCodeParser.cpp:
11520 (JSC::DFG::ByteCodeParser::handlePutById):
11521 (JSC::DFG::ByteCodeParser::parseBlock):
11522 * dfg/DFGConstantFoldingPhase.cpp:
11523 (JSC::DFG::ConstantFoldingPhase::foldConstants):
11524 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
11525 * dfg/DFGGraph.cpp:
11526 (JSC::DFG::Graph::visitChildren):
11527 * dfg/DFGNode.cpp:
11528 (JSC::DFG::MultiPutByOffsetData::writesStructures):
11529 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
11530 * ftl/FTLAbbreviations.h:
11531 (JSC::FTL::getLinkage):
11532 * ftl/FTLLowerDFGToLLVM.cpp:
11533 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
11534 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
11535
115362014-07-26 Filip Pizlo <fpizlo@apple.com>
11537
11538 Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
11539 reland later.
11540
11541 * CMakeLists.txt:
11542 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11543 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11544 * JavaScriptCore.xcodeproj/project.pbxproj:
11545 * bytecode/BytecodeList.json:
11546 * bytecode/BytecodeUseDef.h:
11547 (JSC::computeUsesForBytecodeOffset):
11548 (JSC::computeDefsForBytecodeOffset):
11549 * bytecode/CodeBlock.cpp:
11550 (JSC::CodeBlock::dumpBytecode):
11551 (JSC::CodeBlock::CodeBlock):
11552 (JSC::CodeBlock::finalizeUnconditionally):
11553 (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
11554 * bytecode/CodeBlock.h:
11555 * bytecode/GetByIdStatus.cpp:
11556 (JSC::GetByIdStatus::computeForStubInfo):
11557 (JSC::GetByIdStatus::computeFor):
11558 * bytecode/GetByIdStatus.h:
11559 * bytecode/GetByIdVariant.cpp:
11560 (JSC::GetByIdVariant::dumpInContext):
11561 * bytecode/GetByIdVariant.h:
11562 (JSC::GetByIdVariant::structureSet):
11563 * bytecode/Instruction.h:
11564 * bytecode/PutByIdStatus.cpp:
11565 (JSC::PutByIdStatus::appendVariant):
11566 (JSC::PutByIdStatus::computeForStubInfo):
11567 (JSC::PutByIdStatus::computeFor):
11568 * bytecode/PutByIdStatus.h:
11569 * bytecode/PutByIdVariant.cpp:
11570 (JSC::PutByIdVariant::dumpInContext):
11571 (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
11572 (JSC::PutByIdVariant::writesStructures): Deleted.
11573 (JSC::PutByIdVariant::reallocatesStorage): Deleted.
11574 (JSC::PutByIdVariant::attemptToMerge): Deleted.
11575 (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
11576 * bytecode/PutByIdVariant.h:
11577 (JSC::PutByIdVariant::PutByIdVariant):
11578 (JSC::PutByIdVariant::replace):
11579 (JSC::PutByIdVariant::transition):
11580 (JSC::PutByIdVariant::structure):
11581 (JSC::PutByIdVariant::oldStructure):
11582 (JSC::PutByIdVariant::newStructure):
11583 (JSC::PutByIdVariant::constantChecks):
11584 * bytecode/StructureSet.cpp:
11585 (JSC::StructureSet::filter): Deleted.
11586 (JSC::StructureSet::filterArrayModes): Deleted.
11587 * bytecode/StructureSet.h:
11588 (JSC::StructureSet::onlyStructure):
11589 * bytecode/ToThisStatus.cpp: Removed.
11590 * bytecode/ToThisStatus.h: Removed.
11591 * bytecode/TypeLocation.h: Removed.
11592 * bytecompiler/BytecodeGenerator.cpp:
11593 (JSC::BytecodeGenerator::BytecodeGenerator):
11594 (JSC::BytecodeGenerator::emitMove):
11595 (JSC::BytecodeGenerator::emitPutToScope):
11596 (JSC::BytecodeGenerator::emitPutById):
11597 (JSC::BytecodeGenerator::emitPutByVal):
11598 (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
11599 * bytecompiler/BytecodeGenerator.h:
11600 (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
11601 * bytecompiler/NodesCodegen.cpp:
11602 (JSC::PostfixNode::emitResolve):
11603 (JSC::PrefixNode::emitResolve):
11604 (JSC::ReadModifyResolveNode::emitBytecode):
11605 (JSC::AssignResolveNode::emitBytecode):
11606 (JSC::ConstDeclNode::emitCodeSingle):
11607 (JSC::ForInNode::emitBytecode):
11608 * debugger/DebuggerActivation.cpp: Added.
11609 (JSC::DebuggerActivation::DebuggerActivation):
11610 (JSC::DebuggerActivation::finishCreation):
11611 (JSC::DebuggerActivation::visitChildren):
11612 (JSC::DebuggerActivation::className):
11613 (JSC::DebuggerActivation::getOwnPropertySlot):
11614 (JSC::DebuggerActivation::put):
11615 (JSC::DebuggerActivation::deleteProperty):
11616 (JSC::DebuggerActivation::getOwnPropertyNames):
11617 (JSC::DebuggerActivation::defineOwnProperty):
11618 * debugger/DebuggerActivation.h: Added.
11619 (JSC::DebuggerActivation::create):
11620 (JSC::DebuggerActivation::createStructure):
11621 * debugger/DebuggerScope.cpp: Removed.
11622 * debugger/DebuggerScope.h: Removed.
11623 * dfg/DFGAbstractInterpreterInlines.h:
11624 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11625 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
11626 (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
11627 * dfg/DFGAbstractValue.cpp:
11628 (JSC::DFG::AbstractValue::changeStructure): Deleted.
11629 (JSC::DFG::AbstractValue::contains): Deleted.
11630 * dfg/DFGAbstractValue.h:
11631 (JSC::DFG::AbstractValue::couldBeType):
11632 (JSC::DFG::AbstractValue::isType):
11633 * dfg/DFGByteCodeParser.cpp:
11634 (JSC::DFG::ByteCodeParser::handlePutById):
11635 (JSC::DFG::ByteCodeParser::parseBlock):
11636 * dfg/DFGClobberize.h:
11637 (JSC::DFG::clobberize):
11638 * dfg/DFGConstantFoldingPhase.cpp:
11639 (JSC::DFG::ConstantFoldingPhase::foldConstants):
11640 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
11641 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
11642 (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
11643 (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
11644 * dfg/DFGDoesGC.cpp:
11645 (JSC::DFG::doesGC):
11646 * dfg/DFGFixupPhase.cpp:
11647 (JSC::DFG::FixupPhase::fixupNode):
11648 * dfg/DFGGraph.cpp:
11649 (JSC::DFG::Graph::visitChildren):
11650 (JSC::DFG::Graph::freezeStrong):
11651 * dfg/DFGGraph.h:
11652 * dfg/DFGNode.cpp:
11653 (JSC::DFG::MultiPutByOffsetData::writesStructures):
11654 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
11655 * dfg/DFGNode.h:
11656 (JSC::DFG::Node::convertToPutByOffset):
11657 (JSC::DFG::Node::hasTransition):
11658 (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
11659 (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
11660 * dfg/DFGNodeType.h:
11661 * dfg/DFGPredictionPropagationPhase.cpp:
11662 (JSC::DFG::PredictionPropagationPhase::propagate):
11663 * dfg/DFGSafeToExecute.h:
11664 (JSC::DFG::safeToExecute):
11665 * dfg/DFGSpeculativeJIT.cpp:
11666 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
11667 * dfg/DFGSpeculativeJIT32_64.cpp:
11668 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
11669 (JSC::DFG::SpeculativeJIT::compile):
11670 * dfg/DFGSpeculativeJIT64.cpp:
11671 (JSC::DFG::SpeculativeJIT::fillJSValue):
11672 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
11673 (JSC::DFG::SpeculativeJIT::emitCall):
11674 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
11675 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
11676 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
11677 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
11678 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
11679 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
11680 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
11681 (JSC::DFG::SpeculativeJIT::emitBranch):
11682 (JSC::DFG::SpeculativeJIT::compile):
11683 * dfg/DFGStructureAbstractValue.cpp:
11684 (JSC::DFG::StructureAbstractValue::observeTransition):
11685 (JSC::DFG::StructureAbstractValue::observeTransitions):
11686 * dfg/DFGStructureAbstractValue.h:
11687 (JSC::DFG::StructureAbstractValue::onlyStructure):
11688 (JSC::DFG::StructureAbstractValue::operator=): Deleted.
11689 (JSC::DFG::StructureAbstractValue::set): Deleted.
11690 * dfg/DFGValidate.cpp:
11691 (JSC::DFG::Validate::validate):
11692 * dfg/DFGWatchableStructureWatchingPhase.cpp:
11693 (JSC::DFG::WatchableStructureWatchingPhase::run):
11694 * ftl/FTLAbbreviations.h:
11695 (JSC::FTL::getLinkage): Deleted.
11696 * ftl/FTLCapabilities.cpp:
11697 (JSC::FTL::canCompile):
11698 * ftl/FTLLowerDFGToLLVM.cpp:
11699 (JSC::FTL::LowerDFGToLLVM::compileNode):
11700 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
11701 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
11702 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
11703 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
11704 * heap/Heap.cpp:
11705 (JSC::Heap::collect):
11706 * inspector/agents/InspectorRuntimeAgent.cpp:
11707 (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
11708 * inspector/agents/InspectorRuntimeAgent.h:
11709 * inspector/protocol/Runtime.json:
11710 * jsc.cpp:
11711 (GlobalObject::finishCreation):
11712 (functionDumpTypesForAllVariables): Deleted.
11713 * llint/LLIntData.cpp:
11714 (JSC::LLInt::Data::performAssertions):
11715 * llint/LLIntSlowPaths.cpp:
11716 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
11717 (JSC::LLInt::putToScopeCommon): Deleted.
11718 * llint/LLIntSlowPaths.h:
11719 * llint/LowLevelInterpreter.asm:
11720 * llint/LowLevelInterpreter32_64.asm:
11721 * llint/LowLevelInterpreter64.asm:
11722 * runtime/ArrayBufferNeuteringWatchpoint.cpp:
11723 (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
11724 * runtime/CommonSlowPaths.cpp:
11725 (JSC::SLOW_PATH_DECL):
11726 * runtime/Executable.h:
11727 (JSC::ExecutableBase::createStructure):
11728 (JSC::NativeExecutable::createStructure):
11729 * runtime/HighFidelityLog.cpp: Removed.
11730 * runtime/HighFidelityLog.h: Removed.
11731 * runtime/HighFidelityTypeProfiler.cpp: Removed.
11732 * runtime/HighFidelityTypeProfiler.h: Removed.
11733 * runtime/JSObject.cpp:
11734 (JSC::JSObject::putDirectCustomAccessor):
11735 (JSC::JSObject::putDirectNonIndexAccessor):
11736 (JSC::JSObject::reifyStaticFunctionsForDelete):
11737 * runtime/JSPromiseDeferred.h:
11738 (JSC::JSPromiseDeferred::createStructure):
11739 * runtime/JSPromiseReaction.h:
11740 (JSC::JSPromiseReaction::createStructure):
11741 * runtime/JSPropertyNameIterator.h:
11742 (JSC::JSPropertyNameIterator::createStructure):
11743 * runtime/JSType.h:
11744 * runtime/JSTypeInfo.h:
11745 (JSC::TypeInfo::TypeInfo):
11746 * runtime/MapData.h:
11747 (JSC::MapData::createStructure):
11748 * runtime/Options.h:
11749 * runtime/PropertyMapHashTable.h:
11750 (JSC::PropertyTable::createStructure):
11751 * runtime/RegExp.h:
11752 (JSC::RegExp::createStructure):
11753 * runtime/SparseArrayValueMap.cpp:
11754 (JSC::SparseArrayValueMap::createStructure):
11755 * runtime/Structure.cpp:
11756 (JSC::StructureTransitionTable::contains):
11757 (JSC::StructureTransitionTable::get):
11758 (JSC::StructureTransitionTable::add):
11759 (JSC::Structure::Structure):
11760 (JSC::Structure::materializePropertyMap):
11761 (JSC::Structure::addPropertyTransition):
11762 (JSC::Structure::despecifyFunctionTransition):
11763 (JSC::Structure::toDictionaryTransition):
11764 (JSC::Structure::freezeTransition):
11765 (JSC::Structure::preventExtensionsTransition):
11766 (JSC::Structure::takePropertyTableOrCloneIfPinned):
11767 (JSC::Structure::nonPropertyTransition):
11768 (JSC::Structure::flattenDictionaryStructure):
11769 (JSC::Structure::addPropertyWithoutTransition):
11770 (JSC::Structure::pin):
11771 (JSC::Structure::allocateRareData):
11772 (JSC::Structure::cloneRareDataFrom):
11773 (JSC::Structure::getConcurrently):
11774 (JSC::Structure::putSpecificValue):
11775 (JSC::Structure::getPropertyNamesFromStructure):
11776 (JSC::Structure::visitChildren):
11777 (JSC::Structure::checkConsistency):
11778 (JSC::Structure::toStructureShape): Deleted.
11779 * runtime/Structure.h:
11780 (JSC::Structure::isExtensible):
11781 (JSC::Structure::didTransition):
11782 (JSC::Structure::isDictionary):
11783 (JSC::Structure::isUncacheableDictionary):
11784 (JSC::Structure::hasBeenFlattenedBefore):
11785 (JSC::Structure::propertyAccessesAreCacheable):
11786 (JSC::Structure::previousID):
11787 (JSC::Structure::hasGetterSetterProperties):
11788 (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
11789 (JSC::Structure::setHasGetterSetterProperties):
11790 (JSC::Structure::hasCustomGetterSetterProperties):
11791 (JSC::Structure::setHasCustomGetterSetterProperties):
11792 (JSC::Structure::setContainsReadOnlyProperties):
11793 (JSC::Structure::hasNonEnumerableProperties):
11794 (JSC::Structure::disableSpecificFunctionTracking):
11795 (JSC::Structure::objectToStringValue):
11796 (JSC::Structure::setObjectToStringValue):
11797 (JSC::Structure::staticFunctionsReified):
11798 (JSC::Structure::setStaticFunctionsReified):
11799 (JSC::Structure::transitionWatchpointSet):
11800 (JSC::Structure::setPreviousID):
11801 (JSC::Structure::clearPreviousID):
11802 (JSC::Structure::previous):
11803 (JSC::Structure::rareData):
11804 (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
11805 (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
11806 * runtime/StructureChain.h:
11807 (JSC::StructureChain::createStructure):
11808 * runtime/StructureInlines.h:
11809 (JSC::Structure::setEnumerationCache):
11810 (JSC::Structure::enumerationCache):
11811 (JSC::Structure::checkOffsetConsistency):
11812 * runtime/StructureRareData.cpp:
11813 (JSC::StructureRareData::createStructure):
11814 * runtime/SymbolTable.cpp:
11815 (JSC::SymbolTable::SymbolTable):
11816 (JSC::SymbolTable::cloneCapturedNames):
11817 (JSC::SymbolTable::uniqueIDForVariable): Deleted.
11818 (JSC::SymbolTable::uniqueIDForRegister): Deleted.
11819 (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
11820 (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
11821 * runtime/SymbolTable.h:
11822 (JSC::SymbolTable::createStructure):
11823 (JSC::SymbolTable::add):
11824 (JSC::SymbolTable::set):
11825 * runtime/TypeSet.cpp: Removed.
11826 * runtime/TypeSet.h: Removed.
11827 * runtime/VM.cpp:
11828 (JSC::VM::VM):
11829 (JSC::VM::getTypesForVariableInRange): Deleted.
11830 (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
11831 (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
11832 * runtime/VM.h:
11833 (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
11834 (JSC::VM::highFidelityLog): Deleted.
11835 (JSC::VM::highFidelityTypeProfiler): Deleted.
11836 (JSC::VM::nextLocation): Deleted.
11837 (JSC::VM::getNextUniqueVariableID): Deleted.
11838 * runtime/WeakMapData.h:
11839 (JSC::WeakMapData::createStructure):
11840 * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
11841 * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
11842 * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
11843
2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix non-Xcode platforms.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop.

        * bytecode/CodeBlock.cpp:
        (JSC::dumpChain):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/StructureSet.cpp:
        * bytecode/StructureSet.h:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

    2014-06-27  Michael Saboff  <msaboff@apple.com>

            Unreviewed build fix after r169795.

            Fixed ASSERT for 32-bit build.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

    2014-06-24  Saam Barati  <sbarati@apple.com>

            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395

            Reviewed by Filip Pizlo.

            Increase the amount of type information the VM gathers when directed
            to do so. This initial commit is working towards the goal of
            capturing, and then showing (via the Web Inspector) type information for all
            assignment and load operations. This patch doesn't have the feature fully
            implemented, but it ensures the VM has no performance regressions
            unless the feature is specifically turned on.

            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/CodeBlock.h:
            * bytecode/Instruction.h:
            * bytecode/TypeLocation.h: Added.
            (JSC::TypeLocation::TypeLocation):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ConstDeclNode::emitCodeSingle):
            (JSC::ForInNode::emitBytecode):
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * jsc.cpp:
            (GlobalObject::finishCreation):
            (functionDumpTypesForAllVariables):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp: Added.
            (JSC::HighFidelityLog::initializeHighFidelityLog):
            (JSC::HighFidelityLog::~HighFidelityLog):
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            * runtime/HighFidelityLog.h: Added.
            (JSC::HighFidelityLog::HighFidelityLog):
            * runtime/HighFidelityTypeProfiler.cpp: Added.
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
            * runtime/HighFidelityTypeProfiler.h: Added.
            * runtime/Options.h:
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::SymbolTable):
            (JSC::SymbolTable::cloneCapturedNames):
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            (JSC::SymbolTable::globalTypeSetForRegister):
            (JSC::SymbolTable::globalTypeSetForVariable):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::add):
            (JSC::SymbolTable::set):
            * runtime/TypeSet.cpp: Added.
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::removeDuplicatesInStructureHistory):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::dumpSeenTypes):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::markAsFinal):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastUpperBound):
            (JSC::StructureShape::stringRepresentation):
            * runtime/TypeSet.h: Added.
            (JSC::StructureShape::create):
            (JSC::TypeSet::create):
            * runtime/VM.cpp:
            (JSC::VM::VM):
            (JSC::VM::getTypesForVariableInRange):
            (JSC::VM::updateHighFidelityTypeProfileState):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityLog):
            (JSC::VM::highFidelityTypeProfiler):
            (JSC::VM::nextLocation):
            (JSC::VM::getNextUniqueVariableID):

    2014-06-26  Mark Lam  <mark.lam@apple.com>

            Remove unused instantiation of the WithScope structure.
            <https://webkit.org/b/134331>

            Reviewed by Oliver Hunt.

            The WithScope structure instance in the VM is unused, and is now removed.

            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307

            Reviewed by Filip Pizlo.

            Currently we use C-style bit fields for a number of member variables in Structure to save space.
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
            format to make it easy to load and test these variables in JIT code.

            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
            (JSC::Structure::setPreviousID):
            (JSC::Structure::clearPreviousID):
            (JSC::Structure::previous):
            (JSC::Structure::rareData):
            (JSC::Structure::didTransition): Deleted.
            (JSC::Structure::hasGetterSetterProperties): Deleted.
            (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
            (JSC::Structure::setHasGetterSetterProperties): Deleted.
            (JSC::Structure::hasNonEnumerableProperties): Deleted.
            (JSC::Structure::staticFunctionsReified): Deleted.
            (JSC::Structure::setStaticFunctionsReified): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::enumerationCache):
            (JSC::Structure::checkOffsetConsistency):

    2014-06-24  Mark Lam  <mark.lam@apple.com>

            [ftlopt] Renamed DebuggerActivation to DebuggerScope.
            <https://webkit.org/b/134273>

            Reviewed by Michael Saboff.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * debugger/DebuggerActivation.cpp: Removed.
            * debugger/DebuggerActivation.h: Removed.
            * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerActivation::DebuggerActivation): Deleted.
            (JSC::DebuggerActivation::finishCreation): Deleted.
            (JSC::DebuggerActivation::visitChildren): Deleted.
            (JSC::DebuggerActivation::className): Deleted.
            (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
            (JSC::DebuggerActivation::put): Deleted.
            (JSC::DebuggerActivation::deleteProperty): Deleted.
            (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
            (JSC::DebuggerActivation::defineOwnProperty): Deleted.
            * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
            (JSC::DebuggerScope::create):
            (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265

            Reviewed by Geoffrey Garen.

            More assertion fallout from the PutById folding work.

            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231

            Reviewed by Geoffrey Garen.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256

            Reviewed by Michael Saboff.

            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.

            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().

            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):

    2014-06-24  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260

            Reviewed by Geoffrey Garen.

            This was causing loads of assertion failures in debug builds.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    2014-06-21  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090

            Reviewed by Oliver Hunt.

            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.

            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):

    2014-06-19  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077

            Reviewed by Sam Weinig.

            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.

            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):

    2014-06-18  Filip Pizlo  <fpizlo@apple.com>

            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918

            Reviewed by Mark Hahnenberg.

            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.

            Also adds a bunch of PutById cache status dumping to bytecode dumping.

            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):

    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>

            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037

            Reviewed by Filip Pizlo.

            We don't use them for anything. We'll replace them with a generic CellType type for all
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
            their JSType at runtime.

            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002

            Reviewed by Mark Hahnenberg.

            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.

            Also kill PhantomPutStructure.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964

            Reviewed by Mark Hahnenberg.

            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Add an option to disable native call inlining. Disable it for now to see how it
        affects the bots.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * runtime/Options.h:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop.

        * dfg/DFGMayExit.cpp:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Fold constant Phis
            https://bugs.webkit.org/show_bug.cgi?id=133967

            Reviewed by Mark Hahnenberg.

            It's surprising but we didn't really do this before. Or, rather, we only did it
            incidentally when we would likely crash if it ever happened.

            Making this work required cleaning up the validator a bit, so I did that too. I also added
            mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
            the Phi header of basic blocks). But this required beefing up mayExit() a bit.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::isEmpty):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::run):
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
            * dfg/DFGInPlaceAbstractState.h:
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::run):
            (JSC::DFG::LICMPhase::attemptHoist):
            * dfg/DFGMayExit.cpp:
            (JSC::DFG::mayExit):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            (JSC::DFG::Validate::validateSSA):

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
            https://bugs.webkit.org/show_bug.cgi?id=133985

            Reviewed by Michael Saboff and Mark Hahnenberg.

            Store elimination phase has never been very profitable, and now that LLVM can do dead
            store elimination for us, this phase is just completely pointless.

            This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
            computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
            maintain.

            This patch does introduce a new mayExit() calculator that is independent of the CFA and
            should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
            for assertions in the DFG backend, but we could use it if we ever brought back any of the
            other optimizations that previously relied upon NodeDoesNotExit.

            This is performance-neutral, except for SunSpider, where it's a speed-up.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
            (JSC::DFG::AbstractInterpreter::filterByType):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::CSEPhase):
            (JSC::DFG::CSEPhase::invalidationPointElimination):
            (JSC::DFG::CSEPhase::setLocalStoreElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::performBlockCSE):
            (JSC::DFG::performCSE):
            (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
            (JSC::DFG::performStoreElimination): Deleted.
            * dfg/DFGCSEPhase.h:
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::resetExitStates): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGMayExit.cpp: Added.
            (JSC::DFG::mayExit):
            * dfg/DFGMayExit.h: Added.
            * dfg/DFGNode.h:
            (JSC::DFG::Node::mergeFlags):
            (JSC::DFG::Node::filterFlags):
            (JSC::DFG::Node::setCanExit): Deleted.
            (JSC::DFG::Node::canExit): Deleted.
            * dfg/DFGNodeFlags.cpp:
            (JSC::DFG::dumpNodeFlags):
            * dfg/DFGNodeFlags.h:
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
            (JSC::DFG::SpeculativeJIT::bail):
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):

    2014-06-15  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
            https://bugs.webkit.org/show_bug.cgi?id=133931

            Reviewed by Oliver Hunt.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.

    2014-06-15  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
            https://bugs.webkit.org/show_bug.cgi?id=133935

            Reviewed by Oliver Hunt.

            * bytecode/Operands.h:
            (JSC::Operands::Operands):
            (JSC::Operands::ensureLocals):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::makeFullTop): Completeness.
            (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
            (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            (JSC::DFG::BasicBlock::ensureLocals):
            * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::run): Compute the intersection.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
            (JSC::DFG::Graph::dump): Better dumping.
            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.

    2014-06-12  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
            https://bugs.webkit.org/show_bug.cgi?id=133821

            Reviewed by Mark Hahnenberg.

            This allows us to efficiently cache accesses that differ only in the prototypes on the path
            from the base to the prototype that has the field.

            It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
            data structure.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ConstantStructureCheck.cpp: Added.
            (JSC::ConstantStructureCheck::dumpInContext):
            (JSC::ConstantStructureCheck::dump):
            (JSC::structureFor):
            (JSC::areCompatible):
            (JSC::mergeInto):
            * bytecode/ConstantStructureCheck.h: Added.
            (JSC::ConstantStructureCheck::ConstantStructureCheck):
            (JSC::ConstantStructureCheck::operator!):
            (JSC::ConstantStructureCheck::constant):
            (JSC::ConstantStructureCheck::structure):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::attemptToMerge):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::constantChecks):
            (JSC::GetByIdVariant::alternateBase):
            (JSC::GetByIdVariant::GetByIdVariant): Deleted.
            (JSC::GetByIdVariant::chain): Deleted.
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::constantChecks):
            (JSC::PutByIdVariant::structureChain): Deleted.
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
12654 (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
12655 (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
12656 * dfg/DFGConstantFoldingPhase.cpp:
12657 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12658 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
12659 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
12660 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
12661 * dfg/DFGDesiredStructureChains.cpp: Removed.
12662 * dfg/DFGDesiredStructureChains.h: Removed.
12663 * dfg/DFGGraph.h:
12664 (JSC::DFG::Graph::watchpoints):
12665 (JSC::DFG::Graph::chains): Deleted.
12666 * dfg/DFGPlan.cpp:
12667 (JSC::DFG::Plan::isStillValid):
12668 (JSC::DFG::Plan::checkLivenessAndVisitChildren):
12669 (JSC::DFG::Plan::cancel):
12670 * dfg/DFGPlan.h:
12671 * ftl/FTLLowerDFGToLLVM.cpp:
12672 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
12673 * runtime/IntendedStructureChain.cpp:
12674 (JSC::IntendedStructureChain::gatherChecks):
12675 * runtime/IntendedStructureChain.h:
12676 (JSC::IntendedStructureChain::at):
12677 (JSC::IntendedStructureChain::operator[]):
12678
12679 2014-06-12 Filip Pizlo <fpizlo@apple.com>
12680
12681 [ftlopt] Constant folding and strength reduction should work in SSA
12682 https://bugs.webkit.org/show_bug.cgi?id=133839
12683
12684 Reviewed by Oliver Hunt.
12685
12686 * dfg/DFGAtTailAbstractState.cpp:
12687 (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
12688 (JSC::DFG::AtTailAbstractState::forNode):
12689 * dfg/DFGAtTailAbstractState.h:
12690 * dfg/DFGConstantFoldingPhase.cpp:
12691 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12692 * dfg/DFGGraph.cpp:
12693 (JSC::DFG::Graph::convertToConstant):
12694 * dfg/DFGIntegerCheckCombiningPhase.cpp:
12695 (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
12696 * dfg/DFGLICMPhase.cpp:
12697 (JSC::DFG::LICMPhase::LICMPhase):
12698 * dfg/DFGPlan.cpp:
12699 (JSC::DFG::Plan::compileInThreadImpl):
12700
12701 2014-06-11 Filip Pizlo <fpizlo@apple.com>
12702
12703 [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
12704 https://bugs.webkit.org/show_bug.cgi?id=133751
12705
12706 Reviewed by Mark Hahnenberg.
12707
12708 * bytecode/GetByIdStatus.cpp:
12709 (JSC::GetByIdStatus::appendVariant):
12710 (JSC::GetByIdStatus::computeForStubInfo):
12711 * bytecode/GetByIdVariant.cpp:
12712 (JSC::GetByIdVariant::attemptToMerge):
12713 * bytecode/GetByIdVariant.h:
12714 * bytecode/PutByIdStatus.cpp:
12715 (JSC::PutByIdStatus::computeFor):
12716 * dfg/DFGByteCodeParser.cpp:
12717 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
12718 (JSC::DFG::ByteCodeParser::handleGetById):
12719 (JSC::DFG::ByteCodeParser::handlePutById):
12720 * runtime/IntendedStructureChain.cpp:
12721 (JSC::IntendedStructureChain::IntendedStructureChain):
12722 (JSC::IntendedStructureChain::isStillValid):
12723 (JSC::IntendedStructureChain::isNormalized):
12724 (JSC::IntendedStructureChain::terminalPrototype):
12725 (JSC::IntendedStructureChain::operator==):
12726 (JSC::IntendedStructureChain::visitChildren):
12727 (JSC::IntendedStructureChain::dumpInContext):
12728 (JSC::IntendedStructureChain::chain): Deleted.
12729 * runtime/IntendedStructureChain.h:
12730 (JSC::IntendedStructureChain::prototype):
12731 (JSC::IntendedStructureChain::operator!=):
12732 (JSC::IntendedStructureChain::head): Deleted.
12733
12734 2014-06-11 Matthew Mirman <mmirman@apple.com>
12735
12736 Readded native calling to the FTL and Split the DFG nodes
12737 Call and Construct into NativeCall and NativeConstruct
12738 to better represent their semantics.
12739 https://bugs.webkit.org/show_bug.cgi?id=133660
12740
12741 Reviewed by Filip Pizlo.
12742
12743 * dfg/DFGAbstractInterpreterInlines.h:
12744 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12745 Added NativeCall and NativeConstruct case
12746 * dfg/DFGByteCodeParser.cpp:
12747 (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
12748 (JSC::DFG::ByteCodeParser::handleCall):
12749 set to return NativeCall or NativeConstruct instead of Call or Construct
12750 in the presence of a native function.
12751 * dfg/DFGClobberize.h:
12752 (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
12753 * dfg/DFGDoesGC.cpp:
12754 (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
12755 * dfg/DFGFixupPhase.cpp:
12756 (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
12757 * dfg/DFGNode.h:
12758 (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
12759 (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
12760 (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
12761 * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
12762 * dfg/DFGPredictionPropagationPhase.cpp:
12763 (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
12764 * dfg/DFGSafeToExecute.h:
12765 (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
12766 * dfg/DFGSpeculativeJIT32_64.cpp:
12767 (JSC::DFG::SpeculativeJIT::emitCall): ditto
12768 (JSC::DFG::SpeculativeJIT::compile): ditto
12769 * dfg/DFGSpeculativeJIT64.cpp:
12770 (JSC::DFG::SpeculativeJIT::emitCall): ditto
12771 (JSC::DFG::SpeculativeJIT::compile): ditto
12772 * ftl/FTLCapabilities.cpp:
12773 (JSC::FTL::canCompile): ditto
12774 * ftl/FTLLowerDFGToLLVM.cpp:
12775 (JSC::FTL::LowerDFGToLLVM::lower): ditto
12776 (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
12777 (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
12778 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
12779 (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
12780 * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
12781
12782 2014-06-11 Matthew Mirman <mmirman@apple.com>
12783
12784 Ensured Native Calls and Construct and associated checks
12785 are only emitted during ftl mode.
12786 https://bugs.webkit.org/show_bug.cgi?id=133718
12787
12788 Reviewed by Filip Pizlo.
12789
12790 * dfg/DFGByteCodeParser.cpp:
12791 (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
12792 before attaching the native function to Call or Construct.
12793
12794 2014-06-10 Filip Pizlo <fpizlo@apple.com>
12795
12796 [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
12797 https://bugs.webkit.org/show_bug.cgi?id=133426
12798
12799 Reviewed by Geoffrey Garen.
12800
12801 The impetus for this was to provide some sense and reason to race conditions arising from
12802 cell constants having their structure changed on the main thread - this is harmless because
12803 we defend against it, but when it goes wrong, it can be difficult to reproduce because it
12804 requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
12805
12806 But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
12807 about constants. It no longer relies on the CodeBlock constant pool at all, which allows
12808 for a more object-oriented approach: for example a Node that has a constant can tell you
12809 what constant it has without needing a CodeBlock.
12810
12811 * CMakeLists.txt:
12812 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12813 * JavaScriptCore.xcodeproj/project.pbxproj:
12814 * bytecode/CallLinkStatus.cpp:
12815 (JSC::CallLinkStatus::computeExitSiteData):
12816 * bytecode/ExitKind.cpp:
12817 (JSC::exitKindToString):
12818 (JSC::exitKindIsCountable):
12819 * bytecode/ExitKind.h:
12820 (JSC::isWatchpoint): Deleted.
12821 * bytecode/GetByIdStatus.cpp:
12822 (JSC::GetByIdStatus::hasExitSite):
12823 * bytecode/PutByIdStatus.cpp:
12824 (JSC::PutByIdStatus::hasExitSite):
12825 * dfg/DFGAbstractInterpreter.h:
12826 (JSC::DFG::AbstractInterpreter::filterByValue):
12827 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
12828 (JSC::DFG::AbstractInterpreter::setConstant):
12829 * dfg/DFGAbstractInterpreterInlines.h:
12830 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12831 (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
12832 * dfg/DFGAbstractValue.cpp:
12833 (JSC::DFG::AbstractValue::setOSREntryValue):
12834 (JSC::DFG::AbstractValue::set):
12835 (JSC::DFG::AbstractValue::filterByValue):
12836 (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
12837 * dfg/DFGAbstractValue.h:
12838 * dfg/DFGArgumentsSimplificationPhase.cpp:
12839 (JSC::DFG::ArgumentsSimplificationPhase::run):
12840 * dfg/DFGBackwardsPropagationPhase.cpp:
12841 (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
12842 (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
12843 (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
12844 (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
12845 * dfg/DFGByteCodeParser.cpp:
12846 (JSC::DFG::ByteCodeParser::ByteCodeParser):
12847 (JSC::DFG::ByteCodeParser::getDirect):
12848 (JSC::DFG::ByteCodeParser::get):
12849 (JSC::DFG::ByteCodeParser::getLocal):
12850 (JSC::DFG::ByteCodeParser::setLocal):
12851 (JSC::DFG::ByteCodeParser::setArgument):
12852 (JSC::DFG::ByteCodeParser::jsConstant):
12853 (JSC::DFG::ByteCodeParser::weakJSConstant):
12854 (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
12855 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
12856 (JSC::DFG::ByteCodeParser::handleCall):
12857 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
12858 (JSC::DFG::ByteCodeParser::handleInlining):
12859 (JSC::DFG::ByteCodeParser::handleMinMax):
12860 (JSC::DFG::ByteCodeParser::handleIntrinsic):
12861 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
12862 (JSC::DFG::ByteCodeParser::handleGetById):
12863 (JSC::DFG::ByteCodeParser::prepareToParseBlock):
12864 (JSC::DFG::ByteCodeParser::parseBlock):
12865 (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
12866 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
12867 (JSC::DFG::ByteCodeParser::parseCodeBlock):
12868 (JSC::DFG::ByteCodeParser::addConstant): Deleted.
12869 (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
12870 (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
12871 (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
12872 (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
12873 (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
12874 (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
12875 (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
12876 (JSC::DFG::ByteCodeParser::constantNull): Deleted.
12877 (JSC::DFG::ByteCodeParser::one): Deleted.
12878 (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
12879 (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
12880 (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
12881 (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
12882 * dfg/DFGCFGSimplificationPhase.cpp:
12883 (JSC::DFG::CFGSimplificationPhase::run):
12884 * dfg/DFGCSEPhase.cpp:
12885 (JSC::DFG::CSEPhase::constantCSE):
12886 (JSC::DFG::CSEPhase::checkFunctionElimination):
12887 (JSC::DFG::CSEPhase::performNodeCSE):
12888 (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
12889 * dfg/DFGClobberize.h:
12890 (JSC::DFG::clobberize):
12891 * dfg/DFGCommon.h:
12892 * dfg/DFGConstantFoldingPhase.cpp:
12893 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12894 (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
12895 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
12896 * dfg/DFGDoesGC.cpp:
12897 (JSC::DFG::doesGC):
12898 * dfg/DFGFixupPhase.cpp:
12899 (JSC::DFG::FixupPhase::fixupNode):
12900 (JSC::DFG::FixupPhase::fixupMakeRope):
12901 (JSC::DFG::FixupPhase::truncateConstantToInt32):
12902 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
12903 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
12904 * dfg/DFGFrozenValue.cpp: Added.
12905 (JSC::DFG::FrozenValue::emptySingleton):
12906 (JSC::DFG::FrozenValue::dumpInContext):
12907 (JSC::DFG::FrozenValue::dump):
12908 * dfg/DFGFrozenValue.h: Added.
12909 (JSC::DFG::FrozenValue::FrozenValue):
12910 (JSC::DFG::FrozenValue::operator!):
12911 (JSC::DFG::FrozenValue::value):
12912 (JSC::DFG::FrozenValue::structure):
12913 (JSC::DFG::FrozenValue::strengthenTo):
12914 (JSC::DFG::FrozenValue::strength):
12915 (JSC::DFG::FrozenValue::freeze):
12916 * dfg/DFGGraph.cpp:
12917 (JSC::DFG::Graph::Graph):
12918 (JSC::DFG::Graph::dump):
12919 (JSC::DFG::Graph::tryGetActivation):
12920 (JSC::DFG::Graph::tryGetFoldableView):
12921 (JSC::DFG::Graph::registerFrozenValues):
12922 (JSC::DFG::Graph::visitChildren):
12923 (JSC::DFG::Graph::freezeFragile):
12924 (JSC::DFG::Graph::freeze):
12925 (JSC::DFG::Graph::freezeStrong):
12926 (JSC::DFG::Graph::convertToConstant):
12927 (JSC::DFG::Graph::convertToStrongConstant):
12928 (JSC::DFG::Graph::assertIsWatched):
12929 * dfg/DFGGraph.h:
12930 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
12931 (JSC::DFG::Graph::convertToConstant): Deleted.
12932 (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
12933 (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
12934 (JSC::DFG::Graph::isConstant): Deleted.
12935 (JSC::DFG::Graph::isJSConstant): Deleted.
12936 (JSC::DFG::Graph::isInt32Constant): Deleted.
12937 (JSC::DFG::Graph::isDoubleConstant): Deleted.
12938 (JSC::DFG::Graph::isNumberConstant): Deleted.
12939 (JSC::DFG::Graph::isBooleanConstant): Deleted.
12940 (JSC::DFG::Graph::isCellConstant): Deleted.
12941 (JSC::DFG::Graph::isFunctionConstant): Deleted.
12942 (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
12943 (JSC::DFG::Graph::valueOfJSConstant): Deleted.
12944 (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
12945 (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
12946 (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
12947 (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
12948 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
12949 * dfg/DFGInPlaceAbstractState.cpp:
12950 (JSC::DFG::InPlaceAbstractState::initialize):
12951 * dfg/DFGInsertionSet.h:
12952 (JSC::DFG::InsertionSet::insertConstant):
12953 (JSC::DFG::InsertionSet::insertConstantForUse):
12954 * dfg/DFGIntegerCheckCombiningPhase.cpp:
12955 (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
12956 * dfg/DFGJITCompiler.cpp:
12957 (JSC::DFG::JITCompiler::link):
12958 * dfg/DFGLazyJSValue.cpp:
12959 (JSC::DFG::LazyJSValue::getValue):
12960 (JSC::DFG::LazyJSValue::strictEqual):
12961 (JSC::DFG::LazyJSValue::dumpInContext):
12962 * dfg/DFGLazyJSValue.h:
12963 (JSC::DFG::LazyJSValue::LazyJSValue):
12964 (JSC::DFG::LazyJSValue::tryGetValue):
12965 (JSC::DFG::LazyJSValue::value):
12966 (JSC::DFG::LazyJSValue::switchLookupValue):
12967 * dfg/DFGMinifiedNode.cpp:
12968 (JSC::DFG::MinifiedNode::fromNode):
12969 * dfg/DFGMinifiedNode.h:
12970 (JSC::DFG::belongsInMinifiedGraph):
12971 (JSC::DFG::MinifiedNode::hasConstant):
12972 (JSC::DFG::MinifiedNode::constant):
12973 (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
12974 (JSC::DFG::MinifiedNode::constantNumber): Deleted.
12975 (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
12976 (JSC::DFG::MinifiedNode::weakConstant): Deleted.
12977 * dfg/DFGNode.h:
12978 (JSC::DFG::Node::hasConstant):
12979 (JSC::DFG::Node::constant):
12980 (JSC::DFG::Node::convertToConstant):
12981 (JSC::DFG::Node::asJSValue):
12982 (JSC::DFG::Node::isInt32Constant):
12983 (JSC::DFG::Node::asInt32):
12984 (JSC::DFG::Node::asUInt32):
12985 (JSC::DFG::Node::isDoubleConstant):
12986 (JSC::DFG::Node::isNumberConstant):
12987 (JSC::DFG::Node::asNumber):
12988 (JSC::DFG::Node::isMachineIntConstant):
12989 (JSC::DFG::Node::asMachineInt):
12990 (JSC::DFG::Node::isBooleanConstant):
12991 (JSC::DFG::Node::asBoolean):
12992 (JSC::DFG::Node::isCellConstant):
12993 (JSC::DFG::Node::asCell):
12994 (JSC::DFG::Node::dynamicCastConstant):
12995 (JSC::DFG::Node::function):
12996 (JSC::DFG::Node::isWeakConstant): Deleted.
12997 (JSC::DFG::Node::constantNumber): Deleted.
12998 (JSC::DFG::Node::convertToWeakConstant): Deleted.
12999 (JSC::DFG::Node::weakConstant): Deleted.
13000 (JSC::DFG::Node::valueOfJSConstant): Deleted.
13001 * dfg/DFGNodeType.h:
13002 * dfg/DFGOSRExitCompiler.cpp:
13003 * dfg/DFGPredictionPropagationPhase.cpp:
13004 (JSC::DFG::PredictionPropagationPhase::propagate):
13005 * dfg/DFGSafeToExecute.h:
13006 (JSC::DFG::safeToExecute):
13007 * dfg/DFGSpeculativeJIT.cpp:
13008 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
13009 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
13010 (JSC::DFG::SpeculativeJIT::silentFill):
13011 (JSC::DFG::SpeculativeJIT::compileIn):
13012 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
13013 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
13014 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
13015 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
13016 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
13017 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
13018 (JSC::DFG::SpeculativeJIT::compileAdd):
13019 (JSC::DFG::SpeculativeJIT::compileArithSub):
13020 (JSC::DFG::SpeculativeJIT::compileArithMod):
13021 * dfg/DFGSpeculativeJIT.h:
13022 (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
13023 (JSC::DFG::SpeculativeJIT::initConstantInfo):
13024 (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
13025 (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
13026 (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
13027 (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
13028 (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
13029 (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
13030 (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
13031 (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
13032 (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
13033 (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
13034 (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
13035 (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
13036 (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
13037 (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
13038 (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
13039 * dfg/DFGSpeculativeJIT32_64.cpp:
13040 (JSC::DFG::SpeculativeJIT::fillJSValue):
13041 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
13042 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
13043 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
13044 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
13045 (JSC::DFG::SpeculativeJIT::compile):
13046 * dfg/DFGSpeculativeJIT64.cpp:
13047 (JSC::DFG::SpeculativeJIT::fillJSValue):
13048 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
13049 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
13050 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
13051 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
13052 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
13053 (JSC::DFG::SpeculativeJIT::compile):
13054 * dfg/DFGStrengthReductionPhase.cpp:
13055 (JSC::DFG::StrengthReductionPhase::handleNode):
13056 * dfg/DFGValidate.cpp:
13057 (JSC::DFG::Validate::validate):
13058 * dfg/DFGValueStrength.cpp: Added.
13059 (WTF::printInternal):
13060 * dfg/DFGValueStrength.h: Added.
13061 (JSC::DFG::merge):
13062 * dfg/DFGVariableEventStream.cpp:
13063 (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
13064 (JSC::DFG::VariableEventStream::reconstruct):
13065 * dfg/DFGVariableEventStream.h:
13066 * dfg/DFGWatchableStructureWatchingPhase.cpp:
13067 (JSC::DFG::WatchableStructureWatchingPhase::run):
13068 (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
13069 * dfg/DFGWatchpointCollectionPhase.cpp:
13070 (JSC::DFG::WatchpointCollectionPhase::handle):
13071 * ftl/FTLCapabilities.cpp:
13072 (JSC::FTL::canCompile):
13073 * ftl/FTLLink.cpp:
13074 (JSC::FTL::link):
13075 * ftl/FTLLowerDFGToLLVM.cpp:
13076 (JSC::FTL::LowerDFGToLLVM::compileNode):
13077 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
13078 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
13079 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
13080 (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
13081 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
13082 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
13083 (JSC::FTL::LowerDFGToLLVM::lowInt32):
13084 (JSC::FTL::LowerDFGToLLVM::lowCell):
13085 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
13086 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
13087 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
13088 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
13089 * ftl/FTLOSRExitCompiler.cpp:
13090 (JSC::FTL::compileStub):
13091 * runtime/JSCJSValue.cpp:
13092 (JSC::JSValue::dumpInContext):
13093 (JSC::JSValue::dumpInContextAssumingStructure):
13094 * runtime/JSCJSValue.h:
13095
13096 2014-07-24 Brent Fulgham <bfulgham@apple.com>
13097
13098 [Win] Correct build order in JavaScriptCore.submit.sln
13099 https://bugs.webkit.org/show_bug.cgi?id=135282
13100 <rdar://problem/17805592>
13101
13102 Unreviewed build fix.
13103
13104 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
13105 such that LLIntDesiredOffset is built prior to the rest of JSC.
13106
13107 2014-07-24 Mark Lam <mark.lam@apple.com>
13108
13109 JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
13110 <https://webkit.org/b/135258>
13111
13112 Reviewed by Mark Hahnenberg.
13113
13114 Where needed, we cache the prototype object pointer in a stack local var.
13115 This allows it to be scanned by the GC, and hence be kept alive until
13116 we use it. The constructor object will in turn be kept alive by the
13117 prototype object.
13118
13119 Also added some comments to warn against future code additions that could
13120 regress this issue.
13121
13122 * API/JSWrapperMap.mm:
13123 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
13124 (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
13125 (-[JSObjCClassInfo wrapperForObject:]):
13126 (-[JSObjCClassInfo constructor]):
13127
13128 2014-07-24 Joseph Pecoraro <pecoraro@apple.com>
13129
13130 JSLock release should only modify the AtomicStringTable if it modified in acquire
13131 https://bugs.webkit.org/show_bug.cgi?id=135143
13132
13133 Reviewed by Darin Adler.
13134
13135 * runtime/JSLock.cpp:
13136 (JSC::JSLock::JSLock):
13137 Initialize the member variable to nullptr.
13138
13139 (JSC::JSLock::willDestroyVM):
13140 Update style to use nullptr instead of 0.
13141
13142 (JSC::JSLock::willReleaseLock):
13143 We should only reset the thread data's atomic string table if
13144 didAcquireLock changed it. m_entryAtomicStringTable will have
13145 been set by didAcquireLock if it changed, or nullptr if it didn't.
13146 This way we are sure we are balanced, regardless of m_vm changes.
13147
13148 2014-07-24 Peyton Randolph <prandolph@apple.com>
13149
13150 Rename feature flag for long-press gesture on Mac.
13151 https://bugs.webkit.org/show_bug.cgi?id=135259
13152
13153 Reviewed by Beth Dakin.
13154
13155 * Configurations/FeatureDefines.xcconfig:
13156 Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
13157
13158 2014-07-24 Commit Queue <commit-queue@webkit.org>
13159
13160 Unreviewed, rolling out r171527.
13161 https://bugs.webkit.org/show_bug.cgi?id=135265
13162
13163 Breaks JSC API tests (Requested by mlam on #webkit).
13164
13165 Reverted changeset:
13166
13167 "JSWrapperMap's jsWrapperForObject() needs to defer GC."
13168 https://bugs.webkit.org/show_bug.cgi?id=135258
13169 http://trac.webkit.org/changeset/171527
13170
13171 2014-07-24 Mark Hahnenberg <mhahnenberg@apple.com>
13172
13173 Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
13174 https://bugs.webkit.org/show_bug.cgi?id=135250
13175
13176 Reviewed by Geoffrey Garen.
13177
13178 JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
13179 JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
13180 chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
13181 the JSProxy's prototype fixes the issue.
13182
13183 * API/JSValueRef.cpp:
13184 (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
13185 would claim it wasn't of the specified class, even if the target was of the specified class.
13186 * API/tests/CustomGlobalObjectClassTest.c: Added.
13187 (jsDoSomething):
13188 (customGlobalObjectClassTest):
13189 * API/tests/CustomGlobalObjectClassTest.h: Added.
13190 * API/tests/testapi.c:
13191 (assertTrue):
13192 (main):
13193 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
13194 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
13195 * JavaScriptCore.xcodeproj/project.pbxproj:
13196 * runtime/JSGlobalObject.cpp:
13197 (JSC::JSGlobalObject::resetPrototype):
13198
13199 2014-07-24 Brian J. Burg <burg@cs.washington.edu>
13200
13201 Web Replay: don't encode/decode primitive types that lack explicit sizes
13202 https://bugs.webkit.org/show_bug.cgi?id=133430
13203
13204 Reviewed by Anders Carlsson.
13205
13206 Don't support encode/decode of unsigned long, since its size is compiler-dependent.
13207
13208 * replay/EncodedValue.cpp:
13209 (JSC::EncodedValue::convertTo<unsigned long>):
13210 (JSC::unsigned long>::encodeValue): Deleted.
13211 * replay/EncodedValue.h:
13212
13213 2014-07-24 Mark Lam <mark.lam@apple.com>
13214
13215 JSWrapperMap's jsWrapperForObject() needs to defer GC.
13216 <https://webkit.org/b/135258>
13217
13218 Reviewed by Oliver Hunt.
13219
13220 In the process of creating a JS wrapper, jsWrapperForObject() will create
13221 the prototype and constructor of the corresponding ObjC class, as well as
13222 for classes in its inheritance chain. These prototypes and constructors
13223 are stored in Weak references in the JSObjCClassInfo objects. During all
13224 the allocation that is being done to create all the prototypes and
13225 constructors as well as the wrapper objects, a GC may occur thereby
13226 collecting one or more of these newly created prototype and constructor
13227 objects.
13228
13229 One example of where this problem can manifest is in wrapperForObject()
13230 which is called from jsWrapperForObject(). In wrapperForObject(), we do
13231 the following steps:
13232
13233 1. reallocateConstructorAndOrPrototype() which creates the prototype
13234 object and store it in JSObjCClassInfo's m_prototype which is a Weak
13235 ref.
13236 2. makeWrapper() to create the wrapper object, which may trigger a GC.
13237 GC will collect the prototype object and nullify the corresponding
13238 JSObjCClassInfo's m_prototype Weak ref.
13239 3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
13240 in the newly created wrapper. This results in the wrapper getting a
13241 jsNull as a prototype instead of the expected prototype object.
13242
13243 To ensure that the prototype and constructor objects are retained until
13244 they can be referenced properly from the wrapper object,
13245 jsWrapperForObject() should defer GC until it's done with its work.
13246
13247 * API/JSWrapperMap.mm:
13248 (-[JSWrapperMap jsWrapperForObject:]):
13249
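The weak-prototype race laid out in steps 1-3 above, together with the stack-local fix from the 2014-07-24 "keep weak prototype and constructors from being GCed" entry, modelled as an added C++ example (not JSC code): a toy mark/sweep heap in which every allocation collects first, Weak references that are nulled when their target dies, and Local stack roots registered explicitly (JSC finds such locals by conservative stack scanning instead). Heap, Cell, Weak, Local and ClassInfo are constructed names for this example.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>

struct Cell;
struct Weak;

// Toy mark/sweep heap (constructed for this example). Every allocation runs a
// collection first: the worst case of "makeWrapper() ... may trigger a GC".
struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::multiset<Cell*> roots;   // stack locals registered as strong roots
    std::set<Weak*> weaks;        // weak references to clear when their target dies
    Cell* allocate();
    void collect();
};

struct Cell {
    Cell* prototype = nullptr;    // strong, traced edge (a wrapper's prototype slot)
    bool marked = false;
};

// Models JSC's Weak<>: does not keep its target alive, nulled when the target dies.
struct Weak {
    Heap& heap;
    Cell* ptr = nullptr;
    explicit Weak(Heap& h) : heap(h) { heap.weaks.insert(this); }
    ~Weak() { heap.weaks.erase(this); }
    Cell* get() const { return ptr; }
};

// Models a strong stack-local reference. JSC finds such locals by conservative
// stack scanning; this toy registers them explicitly as roots.
struct Local {
    Heap& heap;
    Cell* ptr;
    Local(Heap& h, Cell* c) : heap(h), ptr(c) { heap.roots.insert(c); }
    ~Local() { heap.roots.erase(heap.roots.find(ptr)); }
};

Cell* Heap::allocate() {
    collect();
    cells.push_back(std::make_unique<Cell>());
    return cells.back().get();
}

void Heap::collect() {
    for (auto& c : cells)
        c->marked = false;
    // Mark: everything reachable from a root through prototype edges survives.
    std::vector<Cell*> work(roots.begin(), roots.end());
    while (!work.empty()) {
        Cell* c = work.back();
        work.pop_back();
        if (!c || c->marked)
            continue;
        c->marked = true;
        work.push_back(c->prototype);
    }
    // Sweep: clear weak references to dead cells, then free the cells.
    for (Weak* w : weaks)
        if (w->ptr && !w->ptr->marked)
            w->ptr = nullptr;
    cells.erase(std::remove_if(cells.begin(), cells.end(),
                               [](const std::unique_ptr<Cell>& c) { return !c->marked; }),
                cells.end());
}

// Stand-in for JSObjCClassInfo: the prototype is held only through a Weak.
struct ClassInfo {
    Weak m_prototype;
    explicit ClassInfo(Heap& h) : m_prototype(h) {}
    Cell* reallocatePrototype(Heap& heap) {   // step 1 of the entry
        Cell* p = heap.allocate();
        m_prototype.ptr = p;
        return p;
    }
};

// Steps 1-3 as described: nothing strong refers to the prototype while the
// wrapper is allocated, so the wrapper ends up with a null prototype.
Cell* wrapperForObjectBuggy(Heap& heap, ClassInfo& info) {
    info.reallocatePrototype(heap);
    Cell* wrapper = heap.allocate();               // step 2: GC runs, Weak is nulled
    wrapper->prototype = info.m_prototype.get();   // step 3: stores null
    return wrapper;
}

// The fix that landed: keep the prototype in a stack local across the allocation.
Cell* wrapperForObjectFixed(Heap& heap, ClassInfo& info) {
    Local prototype(heap, info.reallocatePrototype(heap));
    Cell* wrapper = heap.allocate();               // prototype is a root: it survives
    wrapper->prototype = info.m_prototype.get();
    return wrapper;
}
```

The same pattern applies to the constructor object: it is reachable from the prototype, so rooting the prototype keeps both alive across the allocation.
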
13250 2014-07-23 Brent Fulgham <bfulgham@apple.com>
13251
13252 Build fix after r171482.
13253
13254 Rubberstamped by Joe Pecoraro.
13255
13256 * runtime/Identifier.h: Make header declarations match
13257 implementation file.
13258
13259 2014-07-23 Brent Fulgham <bfulgham@apple.com>
13260
13261 [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
13262 https://bugs.webkit.org/show_bug.cgi?id=135199
13263
13264 Reviewed by Mark Lam.
13265
13266 * jsc.cpp:
13267 (WTF::RuntimeArray::deleteProperty): Stop using ugly
13268 compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
13269 codepath instead.
13270 * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
13271 to header so function declaration matches implementation.
13272
13273 2014-07-23 Bem Jones-Bey <bjonesbe@adobe.com>
13274
13275 Remove CSS_EXCLUSIONS compile flag and leftover code
13276 https://bugs.webkit.org/show_bug.cgi?id=135175
13277
13278 Reviewed by Zoltan Horvath.
13279
13280 At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
13281 stubs. This removes the flag and the useless code.
13282
13283 * Configurations/FeatureDefines.xcconfig:
13284
13285 2014-07-23 Commit Queue <commit-queue@webkit.org>
13286
13287 Unreviewed, rolling out r171367.
13288 https://bugs.webkit.org/show_bug.cgi?id=135192
13289
13290 broke three API tests (Requested by thorton on #webkit).
13291
13292 Reverted changeset:
13293
13294 "JSLock release should only modify the AtomicStringTable if it
13295 modified in acquire"
13296 https://bugs.webkit.org/show_bug.cgi?id=135143
13297 http://trac.webkit.org/changeset/171367
13298
13299 2014-07-22 László Langó <llango.u-szeged@partner.samsung.com>
13300
13301 [EFL] Build fix after the [ftlopt] branch merge.
13302
13303 Reviewed by Csaba Osztrogonác.
13304
13305 * dfg/DFGBranchDirection.h:
13306 (JSC::DFG::branchDirectionToString):
13307 * dfg/DFGStructureClobberState.h:
13308 (JSC::DFG::merge):
13309
13310 2014-07-22 Brent Fulgham <bfulgham@apple.com>
13311
13312 Build fix for non-clang compile.
13313
13314 * jsc.cpp:
13315 (WTF::RuntimeArray::put): Remove incorrect return statement
13316 I added.
13317
13318 2014-07-22 Brent Fulgham <bfulgham@apple.com>
13319
13320 Build fix for non-clang compile.
13321
13322 * jsc.cpp:
13323 (WTF::RuntimeArray::deleteProperty): Need (fake) return
13324 value when NO_RETURN_DUE_TO_CRASH is not defined.
13325
13326 2014-07-22 Filip Pizlo <fpizlo@apple.com>
13327
13328 Merge r169628 from ftlopt.
13329
13330 2014-06-04 Matthew Mirman <mmirman@apple.com>
13331
13332 Added system for inlining native functions via the FTL.
13333 https://bugs.webkit.org/show_bug.cgi?id=131515
13334
13335 Reviewed by Filip Pizlo.
13336
13337 Also fixed the build to not compress the bitcode and to
13338 include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
13339 the produced bitcode files are a 100th the size they were before.
13340 Now we can include all of the relevant runtime files with only a 3mb overhead.
13341 This is the same overhead as for two compressed files before,
13342 but done more efficiently (on both ends) and with less code.
13343
13344 Deciding whether to inline native functions is left up to LLVM.
13345 The entire module containing the function is linked into the current
13346 compiled JS so that inlining the native functions shouldn't make them smaller.
13347
13348 Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file
13349 InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
13350
13351 * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
13352 * build-symbol-table-index.py: Changed bitcode suffix.
13353 Added inclusion of only tested symbols.
13354 Added output to InlineRuntimeSymbolTable.h.
13355 * build-symbol-table-index.sh: Changed bitcode suffix.
13356 * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
13357 * tested-symbols.symlst: Added.
13358 * dfg/DFGByteCodeParser.cpp:
13359 (JSC::DFG::ByteCodeParser::handleCall):
13360 Now sets the knownFunction of the call node if such a function exists
13361 and emits a check that during runtime the callee is in fact known.
13362 * dfg/DFGNode.h:
13363 Added functions to set the known function of a call node.
13364 (JSC::DFG::Node::canBeKnownFunction): Added.
13365 (JSC::DFG::Node::hasKnownFunction): Added.
13366 (JSC::DFG::Node::knownFunction): Added.
13367 (JSC::DFG::Node::giveKnownFunction): Added.
13368 * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
13369 * ftl/FTLAbbreviations.h: Added some abbreviations.
13370 * ftl/FTLLowerDFGToLLVM.cpp:
13371 (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
13372 (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
13373 (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
13374 (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
13375 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
13376 Added call to possiblyCompileInlineableNativeCall
13377 * ftl/FTLOutput.h:
13378 (JSC::FTL::Output::allocaName): Added. Useful for debugging.
13379 * ftl/FTLState.cpp:
13380 (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
13381 * ftl/FTLState.h: Added symbol table hash table.
13382 * ftl/FTLCompile.cpp:
13383 (JSC::FTL::compile): Added inlining and dead function elimination passes.
13384 * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
13385 * llvm/InitializeLLVMMac.mm: Deleted.
13386 * llvm/InitializeLLVMMac.cpp: Added.
13387 * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
13388 * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
13389 * runtime/BundlePath.h: Added.
13390 * runtime/BundlePath.mm: Added.
13391 * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
13392 * runtime/DateInstance.h: ditto.
13393 * runtime/DateConversion.h: ditto.
13394 * runtime/ExceptionHelpers.h: ditto.
13395 * runtime/JSCJSValue.h: ditto.
13396 * runtime/JSArray.h: ditto.
13397 * runtime/JSDateMath.h: ditto.
13398 * runtime/JSObject.h: ditto.
13399 * runtime/JSObject.h: ditto.
13400 * runtime/RegExp.h: ditto.
13401 * runtime/Structure.h: ditto.
13402 * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.
13403
2014-07-22  Mark Lam  <mark.lam@apple.com>

        Array.concat() should work on runtime arrays too.
        <https://webkit.org/b/135179>

        Reviewed by Geoffrey Garen.

        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (GlobalObject::finishCreation):
        (functionCreateRuntimeArray):
        - Added support to create a runtime array for testing purposes.
        * runtime/ArrayPrototype.cpp:
        (JSC::getLength):
        - Added fast case for when the array object is a JSArray.
        (JSC::arrayProtoFuncJoin):
        - Added a needed but missing exception check.
        (JSC::arrayProtoFuncConcat):
        - Use getLength() to compute the array length instead of assuming that
        the array is a JSArray instance.
        * tests/stress/regexp-matches-array.js: Added.
        (testArrayConcat):
        * tests/stress/runtime-array.js: Added.
        (testArrayConcat):

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (return a value!)

        * jsc.cpp:
        (functionQuit): Satisfy compiler's need for
        a return value.

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (sleep -> Sleep)

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix Windows.

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.

        Note that r169753 is merged out of order because it fixes a bug in r169588.

        2014-06-10  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
            https://bugs.webkit.org/show_bug.cgi?id=133624

            Reviewed by Mark Hahnenberg.

            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.

        2014-06-04  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] AI should be able to track structure sets larger than 1
            https://bugs.webkit.org/show_bug.cgi?id=128073

            Reviewed by Oliver Hunt.

            This makes two major changes to how AI (abstract interpreter) proves that a value has
            some structure:

            - StructureAbstractValue can now track an arbitrary number of structures. A set whose
            size is greater than one means that the value may have any of the structures, and we
            don't know which - but we do know that it cannot be any structure not in the set. The
            structure abstract value can still be TOP, which means the set of all structures. We
            artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
            against memory explosion on pathological programs. This limit is big enough that it wouldn't
            kick in for normal code, since we have other heuristics that limit the number of
            structures that we would allow an inline cache to know about.

            - We eagerly set watchpoints on all watchable structures and then we assume that
            watchable structures are being watched, and that the watchpoint will jettison the code.
            This allows tracking of watchable structures to be far simpler than before. Previously,
            a structure being tracked as "future possible" was predicated on it being watchable but
            we might not actually watch it. This makes algebra over sets of future possible
            structures quite weird. But watching all watchable structures means that we simply say
            that a structure set can be in the following states: unclobbered, which means it's just
            a set of structures and it doesn't matter what is watchable or what isn't because we've
            proven that the value must have one of these structures right now; and clobbered, which
            means that we have a set of structures, plus all possible structures temporarily, with
            invalidation removing the "plus all possible structures". Clobbering a set means that
            if any of its structures are unwatchable, the set just becomes TOP; but if all
            structures in the set are watchable then we just set the clobbered bit to add the "plus
            all possible structures temporarily" thing. This precisely tracks the exact meaning of
            watchability and invalidation points.

            Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
            we will ultimately undo the SunSpider slow-down by making further improvements to the set
            representation. I believe that Octane performance will ultimately improve once we remove
            remaining singleton special-cases. The ultimate goal of this is to remove the need to
            try quite so desperately hard to make everything monomorphic as we do currently.

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::clear):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::copyFromOutOfLine):
            (JSC::StructureSet::StructureSet): Deleted.
            (JSC::StructureSet::operator=): Deleted.
            (JSC::StructureSet::copyFrom): Deleted.
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::genericFilter):
            (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
            (JSC::StructureSet::ContainsOutOfLine::operator()):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::setEmpty):
            (JSC::StructureSet::getReservedFlag):
            (JSC::StructureSet::setReservedFlag):
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::observeTransitions):
            (JSC::DFG::AbstractValue::setMostSpecific):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::filter):
            (JSC::DFG::AbstractValue::shouldBeClear):
            (JSC::DFG::AbstractValue::normalizeClarity):
            (JSC::DFG::AbstractValue::checkConsistency):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::dumpInContext):
            (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::clear):
            (JSC::DFG::AbstractValue::clobberStructures):
            (JSC::DFG::AbstractValue::clobberStructuresFor):
            (JSC::DFG::AbstractValue::observeInvalidationPoint):
            (JSC::DFG::AbstractValue::observeInvalidationPointFor):
            (JSC::DFG::AbstractValue::observeTransition):
            (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
            (JSC::DFG::AbstractValue::TransitionObserver::operator()):
            (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
            (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
            (JSC::DFG::AbstractValue::isHeapTop):
            (JSC::DFG::AbstractValue::setType):
            (JSC::DFG::AbstractValue::operator==):
            (JSC::DFG::AbstractValue::merge):
            (JSC::DFG::AbstractValue::validate):
            (JSC::DFG::AbstractValue::hasClobberableState):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
            (JSC::DFG::AbstractValue::makeTop):
            (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
            * dfg/DFGAllocator.h:
            * dfg/DFGArgumentsSimplificationPhase.cpp:
            (JSC::DFG::ArgumentsSimplificationPhase::run):
            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::alreadyChecked):
            * dfg/DFGAtTailAbstractState.h:
            (JSC::DFG::AtTailAbstractState::structureClobberState):
            (JSC::DFG::AtTailAbstractState::setStructureClobberState):
            (JSC::DFG::AtTailAbstractState::setFoundConstants):
            (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
            (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGBranchDirection.h:
            (JSC::DFG::branchDirectionToString):
            (WTF::printInternal):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::performBlockCFA):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::checkStructureElimination):
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGCommon.cpp:
            (JSC::DFG::startCrashing):
            (JSC::DFG::isCrashing):
            * dfg/DFGCommon.h:
            * dfg/DFGCommonData.cpp:
            (JSC::DFG::CommonData::notifyCompilingStructureTransition):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredWatchpoints.cpp:
            (JSC::DFG::DesiredWatchpoints::consider):
            (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
            * dfg/DFGDesiredWatchpoints.h:
            (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
            (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
            (JSC::DFG::GenericDesiredWatchpoints::isWatched):
            (JSC::DFG::DesiredWatchpoints::isWatched):
            (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
            (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::~Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::dumpBlockHeader):
            (JSC::DFG::Graph::tryGetFoldableView):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::assertIsWatched):
            (JSC::DFG::Graph::handleAssertionFailure):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::convertToConstant):
            (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
            (JSC::DFG::Graph::addStructureTransitionData): Deleted.
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
            (JSC::DFG::InPlaceAbstractState::initialize):
            (JSC::DFG::InPlaceAbstractState::endBasicBlock):
            (JSC::DFG::InPlaceAbstractState::reset):
            (JSC::DFG::InPlaceAbstractState::merge):
            * dfg/DFGInPlaceAbstractState.h:
            (JSC::DFG::InPlaceAbstractState::structureClobberState):
            (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
            (JSC::DFG::InPlaceAbstractState::setFoundConstants):
            (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
            (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
            * dfg/DFGLivenessAnalysisPhase.cpp:
            (JSC::DFG::LivenessAnalysisPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            (JSC::DFG::Node::transition):
            (JSC::DFG::Node::hasStructure):
            (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
            (JSC::DFG::Node::hasStructureTransitionData): Deleted.
            (JSC::DFG::Node::structureTransitionData): Deleted.
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
            (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp: Added.
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::clobber):
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            (JSC::DFG::StructureAbstractValue::add):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::mergeSlow):
            (JSC::DFG::StructureAbstractValue::mergeNotTop):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::filterSlow):
            (JSC::DFG::StructureAbstractValue::contains):
            (JSC::DFG::StructureAbstractValue::isSubsetOf):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::overlaps):
            (JSC::DFG::StructureAbstractValue::equalsSlow):
            (JSC::DFG::StructureAbstractValue::dumpInContext):
            (JSC::DFG::StructureAbstractValue::dump):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
            (JSC::DFG::StructureAbstractValue::operator=):
            (JSC::DFG::StructureAbstractValue::clear):
            (JSC::DFG::StructureAbstractValue::makeTop):
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
            (JSC::DFG::StructureAbstractValue::top):
            (JSC::DFG::StructureAbstractValue::isClear):
            (JSC::DFG::StructureAbstractValue::isTop):
            (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
            (JSC::DFG::StructureAbstractValue::isClobbered):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::operator==):
            (JSC::DFG::StructureAbstractValue::size):
            (JSC::DFG::StructureAbstractValue::at):
            (JSC::DFG::StructureAbstractValue::operator[]):
            (JSC::DFG::StructureAbstractValue::onlyStructure):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
            (JSC::DFG::StructureAbstractValue::setClobbered):
            (JSC::DFG::StructureAbstractValue::add): Deleted.
            (JSC::DFG::StructureAbstractValue::addAll): Deleted.
            (JSC::DFG::StructureAbstractValue::contains): Deleted.
            (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
            (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
            (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
            (JSC::DFG::StructureAbstractValue::last): Deleted.
            (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
            (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
            (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
            (JSC::DFG::StructureAbstractValue::singleton): Deleted.
            (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
            (JSC::DFG::StructureAbstractValue::dump): Deleted.
            (JSC::DFG::StructureAbstractValue::topValue): Deleted.
            * dfg/DFGStructureClobberState.h: Added.
            (JSC::DFG::merge):
            (WTF::printInternal):
            * dfg/DFGTransition.cpp: Added.
            (JSC::DFG::Transition::dumpInContext):
            (JSC::DFG::Transition::dump):
            * dfg/DFGTransition.h: Added.
            (JSC::DFG::Transition::Transition):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
            * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
            (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
            (JSC::DFG::performWatchableStructureWatching):
            * dfg/DFGWatchableStructureWatchingPhase.h: Added.
            * dfg/DFGWatchpointCollectionPhase.cpp:
            (JSC::DFG::WatchpointCollectionPhase::handle):
            (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::ftlUnreachable):
            (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
            (JSC::FTL::LowerDFGToLLVM::compileBlock):
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
            (JSC::FTL::LowerDFGToLLVM::compilePhi):
            (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
            (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
            (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
            (JSC::FTL::LowerDFGToLLVM::compileArithMul):
            (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
            (JSC::FTL::LowerDFGToLLVM::compileArithMod):
            (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
            (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
            (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
            (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
            (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
            (JSC::FTL::LowerDFGToLLVM::compileGetById):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
            (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
            (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            (JSC::FTL::LowerDFGToLLVM::compileNewArray):
            (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
            (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileToString):
            (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
            (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
            (JSC::FTL::LowerDFGToLLVM::compileSwitch):
            (JSC::FTL::LowerDFGToLLVM::compare):
            (JSC::FTL::LowerDFGToLLVM::boolify):
            (JSC::FTL::LowerDFGToLLVM::terminate):
            (JSC::FTL::LowerDFGToLLVM::lowInt32):
            (JSC::FTL::LowerDFGToLLVM::lowInt52):
            (JSC::FTL::LowerDFGToLLVM::opposite):
            (JSC::FTL::LowerDFGToLLVM::lowCell):
            (JSC::FTL::LowerDFGToLLVM::lowBoolean):
            (JSC::FTL::LowerDFGToLLVM::lowDouble):
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isArrayType):
            (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
            (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
            (JSC::FTL::LowerDFGToLLVM::setInt52):
            (JSC::FTL::LowerDFGToLLVM::crash):
            (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
            * ftl/FTLOutput.cpp:
            (JSC::FTL::Output::crashNonTerminal): Deleted.
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::crash): Deleted.
            * jit/JITOperations.h:
            * jsc.cpp:
            (WTF::jscExit):
            (functionQuit):
            (main):
            (printUsageStatement):
            (CommandLine::parseArguments):
            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible):
            (JSC::Structure::dfgShouldWatch):
            * tests/stress/arrayify-to-structure-contradiction.js: Added.
            (foo):
            * tests/stress/ftl-getmyargumentslength-inline.js: Added.
            (foo):
            * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
            (foo):
            (Foo):
            * tests/stress/throw-from-ftl-in-loop.js: Added.
            * tests/stress/throw-from-ftl.js: Added.
            (foo):

        2014-06-03  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.

            * InlineRuntimeSymbolTable.h: Removed.
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * build-symbol-table-index.py:
            * build-symbol-table-index.sh:
            * copy-llvm-ir-to-derived-sources.sh:
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::canBeKnownFunction): Deleted.
            (JSC::DFG::Node::hasKnownFunction): Deleted.
            (JSC::DFG::Node::knownFunction): Deleted.
            (JSC::DFG::Node::giveKnownFunction): Deleted.
            * ftl/FTLAbbreviatedTypes.h:
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
            (JSC::FTL::LowerDFGToLLVM::lower):
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State):
            * ftl/FTLState.h:
            * heap/HandleStack.h:
            * llvm/InitializeLLVM.h:
            * llvm/InitializeLLVMMac.cpp: Removed.
            * llvm/InitializeLLVMMac.mm: Added.
            (JSC::initializeLLVMImpl):
            * llvm/LLVMAPIFunctions.h:
            * llvm/LLVMHeaders.h:
            * runtime/BundlePath.h: Removed.
            * runtime/BundlePath.mm: Removed.
            * runtime/DateConversion.h:
            * runtime/DateInstance.h:
            * runtime/ExceptionHelpers.h:
            * runtime/JSArray.h:
            * runtime/JSCJSValue.h:
            (JSC::JSValue::toFloat):
            * runtime/JSDateMath.h:
            * runtime/JSObject.h:
            * runtime/JSWrapperObject.h:
            * runtime/Options.h:
            * runtime/RegExp.h:
            * runtime/StringObject.h:
            * runtime/Structure.h:
            * tested-symbols.symlst: Removed.

        2014-06-03  Filip Pizlo  <fpizlo@apple.com>

            [ftlopt] FTL native inlining tests take far too long
            https://bugs.webkit.org/show_bug.cgi?id=133498

            Unreviewed test gardening.

            Added a new exceptions test since the other one appears to not work.

            * tests/stress/ftl-library-exception.js:
            * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js.
            * tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js.
            * tests/stress/ftl-library-inlining-random.js:
            * tests/stress/ftl-library-substring.js:

        2014-06-03  Matthew Mirman  <mmirman@apple.com>

            [ftlopt] Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515

            Reviewed by Filip Pizlo.

            Also fixed the build to not compress the bitcode and to
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
            the produced bitcode files are a 100th of the size they were before.
            Now we can include all of the relevant runtime files with only a 3mb overhead.
            This is the same overhead as for two compressed files before,
            but done more efficiently (on both ends) and with less code.

            Deciding whether to inline native functions is left up to LLVM.
            The entire module containing the function is linked into the current
            compiled JS so that inlining the native functions shouldn't make them smaller.

            Rather than loading Runtime.symtbl at runtime, FTLState.cpp now includes a file
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
            Currently build-symbol-table-index.py updates this file from the
            contents of tested-symbols.symlst when done building as a matter of convenience.
            However, in order to include the new contents of the file in the build
            you'd need to build twice. This will be fixed in future versions.

            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix.
            Added inclusion of only tested symbols.
            Added output to InlineRuntimeSymbolTable.h.
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            Now sets the knownFunction of the call node if such a function exists
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef.
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            Added call to possiblyCompileInlineableNativeCall.
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName): Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h.
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * InlineRuntimeSymbolTable.h: Added.
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.
            * tests/stress/ftl-library-inlining-random.js: Added.
            * tests/stress/ftl-library-substring.js: Added.

14020 2014-05-21 Filip Pizlo <fpizlo@apple.com>
14021
14022 [ftlopt] DFG::clobberize should be blind to the effects of GC
14023 https://bugs.webkit.org/show_bug.cgi?id=133166
14024
14025 Reviewed by Geoffrey Garen.
14026
14027 Move the computation of where GCs happen to DFG::doesGC().
14028
14029 Large (>5x) speed-up on programs that do loop-invariant string concatenations.
14030
14031 * CMakeLists.txt:
14032 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14033 * JavaScriptCore.xcodeproj/project.pbxproj:
14034 * dfg/DFGAbstractHeap.h:
14035 * dfg/DFGClobberize.h:
14036 (JSC::DFG::clobberize):
14037 (JSC::DFG::clobberizeForAllocation): Deleted.
14038 * dfg/DFGDoesGC.cpp: Added.
14039 (JSC::DFG::doesGC):
14040 * dfg/DFGDoesGC.h: Added.
14041 * dfg/DFGStoreBarrierElisionPhase.cpp:
14042 (JSC::DFG::StoreBarrierElisionPhase::handleNode):
14043 (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted.
14044
14045 2014-05-16 Filip Pizlo <fpizlo@apple.com>
14046
14047 [ftlopt] A StructureSet with one element should only require one word and no allocation
14048 https://bugs.webkit.org/show_bug.cgi?id=133014
14049
14050 Reviewed by Oliver Hunt.
14051
14052 This makes it more efficient to use StructureSet in situations where the common case is
14053 just one structure.
14054
14055 I also took the opportunity to use the same set terminology we use in BitVector: merge,
14056 filter, exclude, contains, etc.
14057
14058 Eventually, this will be used to implement StructureAbstractValue as well.
14059
14060 * CMakeLists.txt:
14061 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14062 * JavaScriptCore.xcodeproj/project.pbxproj:
14063 * bytecode/StructureSet.cpp: Added.
14064 (JSC::StructureSet::StructureSet):
14065 (JSC::StructureSet::operator=):
14066 (JSC::StructureSet::clear):
14067 (JSC::StructureSet::add):
14068 (JSC::StructureSet::remove):
14069 (JSC::StructureSet::contains):
14070 (JSC::StructureSet::merge):
14071 (JSC::StructureSet::filter):
14072 (JSC::StructureSet::exclude):
14073 (JSC::StructureSet::isSubsetOf):
14074 (JSC::StructureSet::overlaps):
14075 (JSC::StructureSet::operator==):
14076 (JSC::StructureSet::speculationFromStructures):
14077 (JSC::StructureSet::arrayModesFromStructures):
14078 (JSC::StructureSet::dumpInContext):
14079 (JSC::StructureSet::dump):
14080 (JSC::StructureSet::addOutOfLine):
14081 (JSC::StructureSet::containsOutOfLine):
14082 (JSC::StructureSet::copyFrom):
14083 (JSC::StructureSet::OutOfLineList::create):
14084 (JSC::StructureSet::OutOfLineList::destroy):
14085 * bytecode/StructureSet.h:
14086 (JSC::StructureSet::StructureSet):
14087 (JSC::StructureSet::~StructureSet):
14088 (JSC::StructureSet::onlyStructure):
14089 (JSC::StructureSet::isEmpty):
14090 (JSC::StructureSet::size):
14091 (JSC::StructureSet::at):
14092 (JSC::StructureSet::operator[]):
14093 (JSC::StructureSet::last):
14094 (JSC::StructureSet::OutOfLineList::list):
14095 (JSC::StructureSet::OutOfLineList::OutOfLineList):
14096 (JSC::StructureSet::deleteStructureListIfNecessary):
14097 (JSC::StructureSet::isThin):
14098 (JSC::StructureSet::pointer):
14099 (JSC::StructureSet::singleStructure):
14100 (JSC::StructureSet::structureList):
14101 (JSC::StructureSet::set):
14102 (JSC::StructureSet::clear): Deleted.
14103 (JSC::StructureSet::add): Deleted.
14104 (JSC::StructureSet::addAll): Deleted.
14105 (JSC::StructureSet::remove): Deleted.
14106 (JSC::StructureSet::contains): Deleted.
14107 (JSC::StructureSet::containsOnly): Deleted.
14108 (JSC::StructureSet::isSubsetOf): Deleted.
14109 (JSC::StructureSet::overlaps): Deleted.
14110 (JSC::StructureSet::singletonStructure): Deleted.
14111 (JSC::StructureSet::speculationFromStructures): Deleted.
14112 (JSC::StructureSet::arrayModesFromStructures): Deleted.
14113 (JSC::StructureSet::operator==): Deleted.
14114 (JSC::StructureSet::dumpInContext): Deleted.
14115 (JSC::StructureSet::dump): Deleted.
14116 * dfg/DFGAbstractInterpreterInlines.h:
14117 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
14118 * dfg/DFGByteCodeParser.cpp:
14119 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
14120 (JSC::DFG::ByteCodeParser::handleGetById):
14121 (JSC::DFG::ByteCodeParser::parseBlock):
14122 * dfg/DFGCSEPhase.cpp:
14123 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
14124 * dfg/DFGNode.h:
14125 (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
14126 * dfg/DFGTypeCheckHoistingPhase.cpp:
14127 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
14128
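An added example, not JSC's StructureSet, of the one-word representation the entry above describes: a single element is stored as the bare pointer, and only the second distinct element allocates an out-of-line list, tagged in the low pointer bit. SmallStructureSet, Structure and the helper names are this example's own; it assumes structures are at least 2-byte aligned so that low bit is free.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for JSC::Structure (example only). The tagging below needs one
// free low bit, so the element type must have at least 2-byte alignment.
struct Structure { int id; };
static_assert(alignof(Structure) >= 2, "low bit must be free for tagging");

// One machine word: either a Structure* (thin) or (List* | 1) (out of line).
// Naming follows the BitVector-style terminology: merge, contains, ...
class SmallStructureSet {
public:
    SmallStructureSet() : m_word(0) {}
    explicit SmallStructureSet(Structure* s) : m_word(toWord(s)) {}
    SmallStructureSet(const SmallStructureSet& other) : m_word(0) { copyFrom(other); }
    SmallStructureSet& operator=(const SmallStructureSet& other) {
        if (this != &other) { clear(); copyFrom(other); }
        return *this;
    }
    ~SmallStructureSet() { clear(); }

    bool isThin() const { return !(m_word & 1); }
    bool isEmpty() const { return m_word == 0; }
    size_t size() const { return isThin() ? (m_word ? 1 : 0) : list()->size(); }

    // The single structure when exactly one is present, otherwise nullptr.
    Structure* onlyStructure() const { return isThin() ? single() : nullptr; }

    bool contains(Structure* s) const {
        if (isThin()) return m_word != 0 && m_word == toWord(s);
        const List& l = *list();
        return std::find(l.begin(), l.end(), s) != l.end();
    }

    // Returns true if s was newly added. Only the second distinct element
    // forces the allocation of the out-of-line list.
    bool add(Structure* s) {
        if (contains(s)) return false;
        if (isEmpty()) { m_word = toWord(s); return true; }
        if (isThin()) {
            List* l = new List{ single(), s };
            m_word = reinterpret_cast<uintptr_t>(l) | 1;
            return true;
        }
        list()->push_back(s);
        return true;
    }

    bool remove(Structure* s) {
        if (!contains(s)) return false;
        if (isThin()) { m_word = 0; return true; }
        List* l = list();
        l->erase(std::find(l->begin(), l->end(), s));
        if (l->size() == 1) { m_word = toWord(l->front()); delete l; } // back to thin
        return true;
    }

    void merge(const SmallStructureSet& other) {
        for (size_t i = 0; i < other.size(); ++i) add(other.at(i));
    }
    bool isSubsetOf(const SmallStructureSet& other) const {
        for (size_t i = 0; i < size(); ++i)
            if (!other.contains(at(i))) return false;
        return true;
    }
    bool overlaps(const SmallStructureSet& other) const {
        for (size_t i = 0; i < size(); ++i)
            if (other.contains(at(i))) return true;
        return false;
    }
    Structure* at(size_t i) const { return isThin() ? single() : (*list())[i]; }

private:
    using List = std::vector<Structure*>;
    static uintptr_t toWord(Structure* s) { return reinterpret_cast<uintptr_t>(s); }
    Structure* single() const { return reinterpret_cast<Structure*>(m_word); }
    List* list() const { return reinterpret_cast<List*>(m_word & ~uintptr_t(1)); }
    void clear() { if (!isThin()) delete list(); m_word = 0; }
    void copyFrom(const SmallStructureSet& other) {
        m_word = other.isThin() ? other.m_word
                                : (reinterpret_cast<uintptr_t>(new List(*other.list())) | 1);
    }
    uintptr_t m_word;   // the entire set lives in this one word
};
```
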
14129 2014-07-22 Ryuan Choi <ryuan.choi@samsung.com>
14130
14131 Unreviewed build fix attempt on the EFL port after r171362.
14132
14133 Build break because of -Werror=return-type
14134
14135 * bytecode/GetByIdStatus.cpp:
14136 (JSC::GetByIdStatus::makesCalls):
14137
14138 2014-07-22 Joseph Pecoraro <pecoraro@apple.com>
14139
14140 JSLock release should only modify the AtomicStringTable if it modified in acquire
14141 https://bugs.webkit.org/show_bug.cgi?id=135143
14142
14143 Reviewed by Pratik Solanki.
14144
14145 * runtime/JSLock.cpp:
14146 (JSC::JSLock::willDestroyVM):
14147 (JSC::JSLock::willReleaseLock):
14148 Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.
14149
14150 2014-07-22 Filip Pizlo <fpizlo@apple.com>
14151
14152 Fix cloop build.
14153
14154 * bytecode/CallLinkStatus.cpp:
14155 (JSC::CallLinkStatus::computeExitSiteData):
14156
14157 2014-07-22 Filip Pizlo <fpizlo@apple.com>
14158
14159 Merge r168635, r168780, r169005, r169014, and r169143 from ftlopt.
14160
14161 2014-05-20 Filip Pizlo <fpizlo@apple.com>
14162
14163 [ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
14164 https://bugs.webkit.org/show_bug.cgi?id=133105
14165
14166 Reviewed by Michael Saboff.
14167
14168 - GetByIdStatus now knows about getters and can report intelligent things about them.
14169 As is usually the case with how we do these things, GetByIdStatus knows more about
14170 getters than the DFG can actually handle: it'll report details about polymorphic
14171 getter calls even though the DFG won't be able to handle those. This is fine; the DFG
14172 will see those statuses and bail to a generic slow path.
14173
14174 - The DFG::ByteCodeParser now knows how to set up and do handleCall() for a getter call.
14175 This can, and usually does, result in inlining of getters!
14176
14177 - CodeOrigin and OSR exit know about inlined getter calls. When you OSR out of an
14178 inlined getter, we set the return PC to a getter return thunk that fixes up the stack.
14179 We use the usual offset-true-return-PC trick, where OSR exit places the true return PC
14180 of the getter's caller as a phony argument that only the thunk knows how to find.
14181
14182 - Removed a bunch of dead monomorphic chain support from StructureStubInfo.
14183
14184 - A large chunk of this change is dragging GetGetterSetterByOffset, GetGetter, and
14185 GetSetter through the DFG and FTL. GetGetterSetterByOffset is like GetByOffset except
14186 that we know that we're returning a GetterSetter cell. GetGetter and GetSetter extract
14187 the getter, or setter, from the GetterSetter.
14188
14189 This is a ~2.5x speed-up on the getter microbenchmarks that we already had. So far none
14190 of the "real" benchmarks exercise getters enough for this to matter. But I noticed that
14191 some of the variants of the Richards benchmark in other languages - for example
14192 Wolczko's Java translation of a C++ translation of Deutsch's Smalltalk version - use
14193 getters and setters extensively. So, I created a getter/setter JavaScript version of
14194 Richards and put it in regress/script-tests/getter-richards.js. That sees about a 2.4x
14195 speed-up from this patch, which is very reassuring.
14196
14197 * bytecode/CodeBlock.cpp:
14198 (JSC::CodeBlock::printGetByIdCacheStatus):
14199 (JSC::CodeBlock::findStubInfo):
14200 * bytecode/CodeBlock.h:
14201 * bytecode/CodeOrigin.cpp:
14202 (WTF::printInternal):
14203 * bytecode/CodeOrigin.h:
14204 (JSC::InlineCallFrame::specializationKindFor):
14205 * bytecode/GetByIdStatus.cpp:
14206 (JSC::GetByIdStatus::computeFor):
14207 (JSC::GetByIdStatus::computeForStubInfo):
14208 (JSC::GetByIdStatus::makesCalls):
14209 (JSC::GetByIdStatus::computeForChain): Deleted.
14210 * bytecode/GetByIdStatus.h:
14211 (JSC::GetByIdStatus::makesCalls): Deleted.
14212 * bytecode/GetByIdVariant.cpp:
14213 (JSC::GetByIdVariant::~GetByIdVariant):
14214 (JSC::GetByIdVariant::GetByIdVariant):
14215 (JSC::GetByIdVariant::operator=):
14216 (JSC::GetByIdVariant::dumpInContext):
14217 * bytecode/GetByIdVariant.h:
14218 (JSC::GetByIdVariant::GetByIdVariant):
14219 (JSC::GetByIdVariant::callLinkStatus):
14220 * bytecode/PolymorphicGetByIdList.cpp:
14221 (JSC::GetByIdAccess::fromStructureStubInfo):
14222 (JSC::PolymorphicGetByIdList::from):
14223 * bytecode/SpeculatedType.h:
14224 * bytecode/StructureStubInfo.cpp:
14225 (JSC::StructureStubInfo::deref):
14226 (JSC::StructureStubInfo::visitWeakReferences):
14227 * bytecode/StructureStubInfo.h:
14228 (JSC::isGetByIdAccess):
14229 (JSC::StructureStubInfo::initGetByIdChain): Deleted.
14230 * dfg/DFGAbstractHeap.h:
14231 * dfg/DFGAbstractInterpreterInlines.h:
14232 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
14233 * dfg/DFGByteCodeParser.cpp:
14234 (JSC::DFG::ByteCodeParser::addCall):
14235 (JSC::DFG::ByteCodeParser::handleCall):
14236 (JSC::DFG::ByteCodeParser::handleInlining):
14237 (JSC::DFG::ByteCodeParser::handleGetByOffset):
14238 (JSC::DFG::ByteCodeParser::handleGetById):
14239 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
14240 (JSC::DFG::ByteCodeParser::parse):
14241 * dfg/DFGCSEPhase.cpp:
14242 (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination):
14243 (JSC::DFG::CSEPhase::getInternalFieldLoadElimination):
14244 (JSC::DFG::CSEPhase::performNodeCSE):
14245 (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): Deleted.
14246 * dfg/DFGClobberize.h:
14247 (JSC::DFG::clobberize):
14248 * dfg/DFGFixupPhase.cpp:
14249 (JSC::DFG::FixupPhase::fixupNode):
14250 * dfg/DFGJITCompiler.cpp:
14251 (JSC::DFG::JITCompiler::linkFunction):
14252 * dfg/DFGNode.h:
14253 (JSC::DFG::Node::hasStorageAccessData):
14254 * dfg/DFGNodeType.h:
14255 * dfg/DFGOSRExitCompilerCommon.cpp:
14256 (JSC::DFG::reifyInlinedCallFrames):
14257 * dfg/DFGPredictionPropagationPhase.cpp:
14258 (JSC::DFG::PredictionPropagationPhase::propagate):
14259 * dfg/DFGSafeToExecute.h:
14260 (JSC::DFG::safeToExecute):
14261 * dfg/DFGSpeculativeJIT32_64.cpp:
14262 (JSC::DFG::SpeculativeJIT::compile):
14263 * dfg/DFGSpeculativeJIT64.cpp:
14264 (JSC::DFG::SpeculativeJIT::compile):
14265 * ftl/FTLAbstractHeapRepository.cpp:
14266 * ftl/FTLAbstractHeapRepository.h:
14267 * ftl/FTLCapabilities.cpp:
14268 (JSC::FTL::canCompile):
14269 * ftl/FTLLink.cpp:
14270 (JSC::FTL::link):
14271 * ftl/FTLLowerDFGToLLVM.cpp:
14272 (JSC::FTL::LowerDFGToLLVM::compileNode):
14273 (JSC::FTL::LowerDFGToLLVM::compileGetGetter):
14274 (JSC::FTL::LowerDFGToLLVM::compileGetSetter):
14275 * jit/AccessorCallJITStubRoutine.h:
14276 * jit/JIT.cpp:
14277 (JSC::JIT::assertStackPointerOffset):
14278 (JSC::JIT::privateCompile):
14279 * jit/JIT.h:
14280 * jit/JITPropertyAccess.cpp:
14281 (JSC::JIT::emit_op_get_by_id):
14282 * jit/ThunkGenerators.cpp:
14283 (JSC::arityFixupGenerator):
14284 (JSC::baselineGetterReturnThunkGenerator):
14285 (JSC::baselineSetterReturnThunkGenerator):
14286 (JSC::arityFixup): Deleted.
14287 * jit/ThunkGenerators.h:
14288 * runtime/CommonSlowPaths.cpp:
14289 (JSC::setupArityCheckData):
14290 * tests/stress/exit-from-getter.js: Added.
14291 * tests/stress/poly-chain-getter.js: Added.
14292 (Cons):
14293 (foo):
14294 (test):
14295 * tests/stress/poly-chain-then-getter.js: Added.
14296 (Cons1):
14297 (Cons2):
14298 (foo):
14299 (test):
14300 * tests/stress/poly-getter-combo.js: Added.
14301 (Cons1):
14302 (Cons2):
14303 (foo):
14304 (test):
14305 (.test):
14306 * tests/stress/poly-getter-then-chain.js: Added.
14307 (Cons1):
14308 (Cons2):
14309 (foo):
14310 (test):
14311 * tests/stress/poly-getter-then-self.js: Added.
14312 (foo):
14313 (test):
14314 (.test):
14315 * tests/stress/poly-self-getter.js: Added.
14316 (foo):
14317 (test):
14318 (getter):
14319 * tests/stress/poly-self-then-getter.js: Added.
14320 (foo):
14321 (test):
14322 * tests/stress/weird-getter-counter.js: Added.
14323 (foo):
14324 (test):
14325
14326 2014-05-17 Filip Pizlo <fpizlo@apple.com>
14327
14328 [ftlopt] Factor out how CallLinkStatus uses exit site data
14329 https://bugs.webkit.org/show_bug.cgi?id=133042
14330
14331 Reviewed by Anders Carlsson.
14332
14333 This makes it easier to use CallLinkStatus from clients that are calling into it after
14334 already holding some of the relevant locks. This is necessary because we use a "one lock
14335 at a time" policy for CodeBlock locks: if you hold one then you're not allowed to acquire
14336 any of the others. So, any code that needs to lock multiple CodeBlock locks needs to sort
14337 of lock one, do some stuff, release it, then lock another, and then do more stuff. The
14338 exit site data corresponds to the stuff you do while holding the baseline lock, while the
14339 CallLinkInfo method corresponds to the stuff you do while holding the CallLinkInfo owner's
14340 lock.
14341
14342 * bytecode/CallLinkStatus.cpp:
14343 (JSC::CallLinkStatus::computeFor):
14344 (JSC::CallLinkStatus::computeExitSiteData):
14345 (JSC::CallLinkStatus::computeDFGStatuses):
14346 * bytecode/CallLinkStatus.h:
14347 (JSC::CallLinkStatus::ExitSiteData::ExitSiteData):
14348
14349 2014-05-17 Filip Pizlo <fpizlo@apple.com>
14350
14351 [ftlopt] InlineCallFrame::isCall should be an enumeration
14352 https://bugs.webkit.org/show_bug.cgi?id=133034
14353
14354 Reviewed by Sam Weinig.
14355
14356 Once we start inlining getters and setters, we'll want InlineCallFrame to be able to tell
14357 us that the inlined call was a getter call or a setter call. Initially I thought I would
14358 have a new field called "kind" that would have components NormalCall, GetterCall, and
14359 SetterCall. But that doesn't make sense, because for GetterCall and SetterCall, isCall
14360 would have to be true. Hence, it makes more sense to have one enumeration that is Call,
14361 Construct, GetterCall, or SetterCall. This patch is a first step towards this.
14362
14363 It's interesting that isClosureCall should probably still be separate, since getter and
14364 setter inlining could inline closure calls.
14365
14366 * bytecode/CodeBlock.h:
14367 (JSC::baselineCodeBlockForInlineCallFrame):
14368 * bytecode/CodeOrigin.cpp:
14369 (JSC::InlineCallFrame::dumpInContext):
14370 (WTF::printInternal):
14371 * bytecode/CodeOrigin.h:
14372 (JSC::InlineCallFrame::kindFor):
14373 (JSC::InlineCallFrame::specializationKindFor):
14374 (JSC::InlineCallFrame::InlineCallFrame):
14375 (JSC::InlineCallFrame::specializationKind):
14376 * dfg/DFGByteCodeParser.cpp:
14377 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
14378 * dfg/DFGOSRExitPreparation.cpp:
14379 (JSC::DFG::prepareCodeOriginForOSRExit):
14380 * runtime/Arguments.h:
14381 (JSC::Arguments::finishCreation):
14382
14383 2014-05-13 Filip Pizlo <fpizlo@apple.com>
14384
14385 [ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage due to variable constant inference and the better prediction modeling of typed array GetByVals
14386 https://bugs.webkit.org/show_bug.cgi?id=132896
14387
14388 Reviewed by Geoffrey Garen.
14389
14390 This is a slight win on SunSpider, but it's meant to ultimately help us on
14391 embenchen/lua. We already do well on that benchmark but our convergence is slower than
14392 I'd like.
14393
14394 * dfg/DFGArrayMode.cpp:
14395 (JSC::DFG::ArrayMode::refine):
14396 * dfg/DFGByteCodeParser.cpp:
14397 (JSC::DFG::ByteCodeParser::parseBlock):
14398 * dfg/DFGFixupPhase.cpp:
14399 (JSC::DFG::FixupPhase::fixupNode):
14400 * dfg/DFGPredictionPropagationPhase.cpp:
14401 (JSC::DFG::PredictionPropagationPhase::propagate):
14402
14403 2014-05-08 Filip Pizlo <fpizlo@apple.com>
14404
14405 jsSubstring() should be lazy
14406 https://bugs.webkit.org/show_bug.cgi?id=132556
14407
14408 Reviewed by Andreas Kling.
14409
14410 jsSubstring() is now lazy by using a special rope that is a substring instead of a
14411 concatenation. To make this patch super simple, we require that a substring's base is
14412 never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
14413 path, or we go down a concatenation path which may see exactly one level of substrings in
14414 its fibers.
14415
14416 This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
14417
14418 Relanding this with assertion fixes.
14419
14420 * heap/MarkedBlock.cpp:
14421 (JSC::MarkedBlock::specializedSweep):
14422 * runtime/JSString.cpp:
14423 (JSC::JSRopeString::visitFibers):
14424 (JSC::JSRopeString::resolveRopeInternal8):
14425 (JSC::JSRopeString::resolveRopeInternal16):
14426 (JSC::JSRopeString::clearFibers):
14427 (JSC::JSRopeString::resolveRope):
14428 (JSC::JSRopeString::resolveRopeSlowCase8):
14429 (JSC::JSRopeString::resolveRopeSlowCase):
14430 * runtime/JSString.h:
14431 (JSC::JSRopeString::finishCreation):
14432 (JSC::JSRopeString::append):
14433 (JSC::JSRopeString::create):
14434 (JSC::JSRopeString::offsetOfFibers):
14435 (JSC::JSRopeString::fiber):
14436 (JSC::JSRopeString::substringBase):
14437 (JSC::JSRopeString::substringOffset):
14438 (JSC::JSRopeString::notSubstringSentinel):
14439 (JSC::JSRopeString::substringSentinel):
14440 (JSC::JSRopeString::isSubstring):
14441 (JSC::JSRopeString::setIsSubstring):
14442 (JSC::jsSubstring):
14443 * runtime/RegExpMatchesArray.cpp:
14444 (JSC::RegExpMatchesArray::reifyAllProperties):
14445 * runtime/StringPrototype.cpp:
14446 (JSC::stringProtoFuncSubstring):
14447
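A toy C++ model of the lazy-substring rope described in the jsSubstring() entry above, added here as an example; it is not JavaScriptCore's JSRopeString. RopeStr, makeFlat, resolve, jsSubstring, concat and the g_bytesCopied counter are this example's own names. It enforces the entry's invariant that a substring's base is never a rope, so the substring path never recurses while the concatenation path sees at most one level of substrings in its fibers.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Toy rope with lazy substrings (example code, not JSC's JSRopeString).
// Invariant: a Substring node's base is always Flat.
struct RopeStr;
using Str = std::shared_ptr<RopeStr>;

struct RopeStr {
    enum Kind { Flat, Substring, Concat } kind = Flat;
    std::string chars;        // characters; valid only when kind == Flat
    Str base;                 // Substring: its Flat base
    size_t offset = 0;        // Substring: start within base
    size_t length = 0;        // logical length for every kind
    std::vector<Str> fibers;  // Concat: Flat, Substring or Concat children
};

// Instrumentation: lets a caller verify that jsSubstring() copies nothing.
static size_t g_bytesCopied = 0;

Str makeFlat(std::string s) {
    auto r = std::make_shared<RopeStr>();
    r->length = s.size();
    r->chars = std::move(s);
    return r;
}

// Flatten in place. Afterwards the node is an ordinary Flat string and its
// base / fibers are released (the analogue of JSRopeString::clearFibers()).
const std::string& resolve(const Str& s) {
    if (s->kind == RopeStr::Flat)
        return s->chars;
    std::string out;
    out.reserve(s->length);
    if (s->kind == RopeStr::Substring) {
        // Non-recursive path: the base is Flat by construction.
        out.append(s->base->chars, s->offset, s->length);
        g_bytesCopied += s->length;
        s->base.reset();
    } else {
        // Concatenation path: nested concats recurse, but a Substring fiber
        // is copied straight out of its Flat base (one level of substring).
        for (const Str& f : s->fibers) {
            if (f->kind == RopeStr::Substring) {
                out.append(f->base->chars, f->offset, f->length);
                g_bytesCopied += f->length;
            } else {
                out += resolve(f);
                g_bytesCopied += f->length;
            }
        }
        s->fibers.clear();
    }
    s->chars = std::move(out);
    s->kind = RopeStr::Flat;
    return s->chars;
}

// Lazy substring: O(1), copies no characters. A rope base is resolved first
// so the new node always points at a Flat base. Bounds are checked up front.
Str jsSubstring(const Str& base, size_t offset, size_t length) {
    if (offset > base->length || length > base->length - offset)
        throw std::out_of_range("substring range exceeds base length");
    if (base->kind != RopeStr::Flat)
        resolve(base);
    auto r = std::make_shared<RopeStr>();
    r->kind = RopeStr::Substring;
    r->base = base;
    r->offset = offset;
    r->length = length;
    return r;
}

Str concat(const Str& a, const Str& b) {
    auto r = std::make_shared<RopeStr>();
    r->kind = RopeStr::Concat;
    r->fibers = { a, b };
    r->length = a->length + b->length;
    return r;
}
```
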
14448 2014-07-21 Sam Weinig <sam@webkit.org>
14449
14450 [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
14451 https://bugs.webkit.org/show_bug.cgi?id=135148
14452
14453 Reviewed by Geoffrey Garen.
14454
14455 * runtime/CommonIdentifiers.h:
14456 Add a common identifier for the string "webkit".
14457
14458 2014-07-22 Filip Pizlo <fpizlo@apple.com>
14459
14460 ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
14461 https://bugs.webkit.org/show_bug.cgi?id=135155
14462 <rdar://problem/17763909>
14463
14464 Reviewed by Oliver Hunt.
14465
14466 The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
14467 contradiction, and that this is OK. In this case, we were speculating cell on an int.
14468
14469 * dfg/DFGSpeculativeJIT64.cpp:
14470 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14471 * tests/stress/regress-135155.js: Added.
14472 (run.t.length):
14473 (run):
14474
14475 2014-07-18 Filip Pizlo <fpizlo@apple.com>
14476
14477 Extend exception fuzzing to the LLInt
14478 https://bugs.webkit.org/show_bug.cgi?id=135076
14479
14480 Reviewed by Oliver Hunt.
14481
14482 * CMakeLists.txt:
14483 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14484 * JavaScriptCore.xcodeproj/project.pbxproj:
14485 * jit/JITOperations.cpp:
14486 (JSC::numberOfExceptionFuzzChecks): Deleted.
14487 * llint/LLIntSlowPaths.cpp:
14488 (JSC::LLInt::setUpCall):
14489 * runtime/CommonSlowPaths.cpp:
14490 * runtime/ExceptionFuzz.cpp: Added.
14491 (JSC::numberOfExceptionFuzzChecks):
14492 (JSC::doExceptionFuzzing):
14493 * runtime/ExceptionFuzz.h: Added.
14494 (JSC::doExceptionFuzzingIfEnabled):
14495
14496 2014-07-21 Mark Lam <mark.lam@apple.com>
14497
14498 Refactor ArrayPrototype to use getLength() and putLength() utility functions.
14499 https://bugs.webkit.org/show_bug.cgi?id=135139.
14500
14501 Reviewed by Oliver Hunt.
14502
14503 - Specialize putProperty() to putLength() because it is only used for setting
14504 the length property.
14505 - Added a getLength() utility function to get the value of the length property.
14506 - Use these getLength() and putLength() functions instead of the existing code
14507 to get and put the length property. Less code to read, easier to understand.
14508
14509 * runtime/ArrayPrototype.cpp:
14510 (JSC::getLength):
14511 (JSC::putLength):
14512 (JSC::arrayProtoFuncToString):
14513 (JSC::arrayProtoFuncToLocaleString):
14514 (JSC::arrayProtoFuncJoin):
14515 (JSC::arrayProtoFuncPop):
14516 (JSC::arrayProtoFuncPush):
14517 (JSC::arrayProtoFuncReverse):
14518 (JSC::arrayProtoFuncShift):
14519 (JSC::arrayProtoFuncSlice):
14520 (JSC::arrayProtoFuncSort):
14521 (JSC::arrayProtoFuncSplice):
14522 (JSC::arrayProtoFuncUnShift):
14523 (JSC::arrayProtoFuncReduce):
14524 (JSC::arrayProtoFuncReduceRight):
14525 (JSC::arrayProtoFuncIndexOf):
14526 (JSC::arrayProtoFuncLastIndexOf):
14527 (JSC::putProperty): Deleted.
14528
14529 2014-07-21 Diego Pino Garcia <dpino@igalia.com>
14530
14531 new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer"
14532 https://bugs.webkit.org/show_bug.cgi?id=125391
14533
14534 Reviewed by Darin Adler.
14535
14536 Create own method for verifying byte offset alignment.
14537
14538 * runtime/ArrayBufferView.h:
14539 (JSC::ArrayBufferView::verifyByteOffsetAlignment):
14540 (JSC::ArrayBufferView::verifySubRangeLength):
14541 (JSC::ArrayBufferView::verifySubRange): Deleted.
14542 * runtime/GenericTypedArrayViewInlines.h:
14543 (JSC::GenericTypedArrayView<Adaptor>::create):
14544 * runtime/JSDataView.cpp:
14545 (JSC::JSDataView::create):
14546 * runtime/JSGenericTypedArrayViewInlines.h:
14547 (JSC::JSGenericTypedArrayView<Adaptor>::create):
14548
14549 2014-07-20 Diego Pino Garcia <dpino@igalia.com>
14550
14551 ES6: Implement Math.sign()
14552 https://bugs.webkit.org/show_bug.cgi?id=134980
14553
14554 Reviewed by Darin Adler.
14555
14556 * runtime/MathObject.cpp:
14557 (JSC::MathObject::finishCreation):
14558 (JSC::mathProtoFuncSign):
14559
14560 2014-07-18 Filip Pizlo <fpizlo@apple.com>
14561
14562 Exception fuzzing should work on iOS
14563 https://bugs.webkit.org/show_bug.cgi?id=135070
14564
14565 Reviewed by Mark Hahnenberg.
14566
14567 * tests/exceptionFuzz.yaml:
14568
14569 2014-07-18 Filip Pizlo <fpizlo@apple.com>
14570
14571 Fix cloop build.
14572
14573 * jsc.cpp:
14574 (jscmain):
14575
14576 2014-07-15 Filip Pizlo <fpizlo@apple.com>
14577
14578 Need ability to fuzz exception throwing
14579 https://bugs.webkit.org/show_bug.cgi?id=134945
14580 <rdar://problem/17722027>
14581
14582 Reviewed by Sam Weinig.
14583
14584 Adds the ability to instrument exception checks, and to force some random
14585 exception check to artificially throw an exception. Also adds new tests that
14586 are suitable for testing this. Note that this is closely tied to the Tools
14587 directory changes that are also part of this changeset.
14588
14589 This also fixes an activation tear-off bug that arises if we ever throw an
14590 exception from operationOptimize, or if due to some other bug it's only due
14591 to the operationOptimize exception check that we realize that there is an
14592 exception to be thrown.
14593
14594 * dfg/DFGJITCompiler.h:
14595 (JSC::DFG::JITCompiler::fastExceptionCheck):
14596 * ftl/FTLIntrinsicRepository.h:
14597 * ftl/FTLLowerDFGToLLVM.cpp:
14598 (JSC::FTL::LowerDFGToLLVM::callCheck):
14599 * interpreter/Interpreter.cpp:
14600 (JSC::unwindCallFrame):
14601 * jit/AssemblyHelpers.cpp:
14602 (JSC::AssemblyHelpers::callExceptionFuzz):
14603 (JSC::AssemblyHelpers::emitExceptionCheck):
14604 * jit/AssemblyHelpers.h:
14605 (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
14606 * jit/JIT.cpp:
14607 (JSC::JIT::privateCompileMainPass):
14608 * jit/JITOpcodes.cpp:
14609 (JSC::JIT::emit_op_enter):
14610 * jit/JITOperations.cpp:
14611 (JSC::numberOfExceptionFuzzChecks):
14612 * jit/JITOperations.h:
14613 * jsc.cpp:
14614 (jscmain):
14615 * runtime/Options.h:
14616 * runtime/TestRunnerUtils.h:
14617 * tests/exceptionFuzz.yaml: Added.
14618 * tests/exceptionFuzz: Added.
14619 * tests/exceptionFuzz/3d-cube.js: Added.
14620 * tests/exceptionFuzz/date-format-xparb.js: Added.
14621 * tests/exceptionFuzz/earley-boyer.js: Added.
14622
14623 2014-07-17 David Kilzer <ddkilzer@apple.com>
14624
14625 SECTORDER_FLAGS should be defined in target's xcconfig file, not Base.xcconfig
14626 <http://webkit.org/b/135006>
14627
14628 Reviewed by Darin Adler.
14629
14630 * Configurations/Base.xcconfig: Move SECTORDER_FLAGS to
14631 JavaScriptCore.xcconfig.
14632 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Remove empty
14633 SECTORDER_FLAGS definition.
14634 * Configurations/DebugRelease.xcconfig: Ditto.
14635 * Configurations/JavaScriptCore.xcconfig: Use $(CONFIGURATION)
14636 so SECTORDER_FLAGS is only set on Production builds.
14637
14638 2014-07-17 Juergen Ributzka <juergen@apple.com>
14639
14640 Disable live-out calculation for stackmap intrinsics.
14641 https://bugs.webkit.org/show_bug.cgi?id=134366
14642
14643 The live-out variables are not required for the stackmaps, because we
14644 don't care about preserving the state when we perform destructive
14645 patching.
14646
14647 Reviewed by Filip Pizlo.
14648
14649 * llvm/library/LLVMExports.cpp:
14650 (initializeAndGetJSCLLVMAPI):
14651
14652 2014-07-17 Joseph Pecoraro <pecoraro@apple.com>
14653
14654 Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html
14655
14656 Rubber-stamped by Alexey Proskuryakov.
14657
14658 Null / empty titles should be fine. Tests pass in release builds
14659 which allowed empty titles, and it looks like the LegacyProfiler
14660 stopProfiling handles empty titles as expected already.
14661
14662 * profiler/LegacyProfiler.cpp:
14663 (JSC::LegacyProfiler::startProfiling):
14664
14665 2014-07-16 Filip Pizlo <fpizlo@apple.com>
14666
14667 DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
14668 https://bugs.webkit.org/show_bug.cgi?id=134988
14669 <rdar://problem/17706349>
14670
14671 Reviewed by Oliver Hunt.
14672
14673 Luckily, we also don't need this optimization to be super powerful: the only place
14674 where it really matters is for getting rid of the redundancy between op_enter and
14675 op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
14676 two things. This change updates the store eliminator to know about only that small,
14677 obviously safe, set of nodes over which we can store-eliminate.
14678
14679 This shouldn't have any performance impact in the DFG because this optimization kicks
14680 in relatively rarely already. And once we tier up into the FTL, we get a much better
14681 store elimination over LLVM IR, so this really shouldn't matter at all.
14682
14683 The tricky part of this patch is that there is a close relative of this optimization,
14684 for uncaptured variables that got flushed. This happens for arguments to inlined calls.
14685 I make this work by splitting it into two different store eliminators.
14686
14687 Note that in the process of crafting the tests, I realized that we were incorrectly
14688 DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
14689 negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
14690 to a check node followed by the actual allocation.
14691
14692 * dfg/DFGCSEPhase.cpp:
14693 (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
14694 (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
14695 (JSC::DFG::CSEPhase::setLocalStoreElimination):
14696 (JSC::DFG::CSEPhase::performNodeCSE):
14697 (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
14698 * dfg/DFGNodeType.h:
14699 * tests/stress/capture-escape-and-throw.js: Added.
14700 (foo.f):
14701 (foo):
14702 * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
14703 (foo):
14704 (bar):
14705
14706 2014-07-15 Benjamin Poulain <benjamin@webkit.org>
14707
14708 Reduce the overhead of updating the AssemblerBuffer
14709 https://bugs.webkit.org/show_bug.cgi?id=134659
14710
14711 Reviewed by Gavin Barraclough.
14712
14713 In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
14714 That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
14715 there.
14716
14717 On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
14718 to get the real address of a label. That is done by reusing the memory of AssemblerData.
14719
14720 To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
14721 a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
14722 to make clang give up a bunch of optimizations.
14723
14724 This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
14725 In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.
14726
14727 Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
14728 the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
14729 specific way that would make it unusable for the Assembler.
14730
14731 -- Technical details --
14732
14733 From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
14734 into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
14735 To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
14736 exactly what code accesses the Assembler instance. The code that does access the instance is then moved
14737 at the beginning, before we modify anything.
14738
14739 The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
14740 to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
14741 to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).
14742
14743 -- Perf impact --
14744
14745 This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
14746 On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
14747 time by ~20%.
14748
14749 I could not measure any difference on x86_64.
14750
14751 * assembler/ARM64Assembler.h:
14752 (JSC::ARM64Assembler::jumpSizeDelta):
14753 (JSC::ARM64Assembler::canCompact):
14754 (JSC::ARM64Assembler::computeJumpType):
14755 (JSC::ARM64Assembler::link):
14756 (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
14757 * assembler/ARMv7Assembler.h:
14758 (JSC::ARMv7Assembler::ifThenElseConditionBit):
14759 (JSC::ARMv7Assembler::ifThenElse):
14760 (JSC::ARMv7Assembler::jumpSizeDelta):
14761 (JSC::ARMv7Assembler::canCompact):
14762 (JSC::ARMv7Assembler::computeJumpType):
14763 (JSC::ARMv7Assembler::link):
14764 (JSC::ARMv7Assembler::linkJumpT1):
14765 (JSC::ARMv7Assembler::linkJumpT3):
14766 (JSC::ARMv7Assembler::linkConditionalJumpT4):
14767 (JSC::ARMv7Assembler::linkConditionalBX):
14768 (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
14769 * assembler/AssemblerBuffer.h:
14770 (JSC::AssemblerData::AssemblerData):
14771 (JSC::AssemblerData::operator=):
14772 (JSC::AssemblerData::~AssemblerData):
14773 (JSC::AssemblerData::buffer):
14774 (JSC::AssemblerData::capacity):
14775 (JSC::AssemblerData::grow):
14776 (JSC::AssemblerBuffer::AssemblerBuffer):
14777 (JSC::AssemblerBuffer::isAvailable):
14778 (JSC::AssemblerBuffer::data):
14779 (JSC::AssemblerBuffer::releaseAssemblerData):
14780 (JSC::AssemblerBuffer::putIntegral):
14781 (JSC::AssemblerBuffer::putIntegralUnchecked):
14782 (JSC::AssemblerBuffer::append):
14783 (JSC::AssemblerBuffer::grow):
14784 (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
14785 (JSC::AssemblerBuffer::storage): Deleted.
14786 * assembler/LinkBuffer.cpp:
14787 (JSC::recordLinkOffsets):
14788 (JSC::LinkBuffer::copyCompactAndLinkCode):
14789 * assembler/LinkBuffer.h:
14790 (JSC::LinkBuffer::LinkBuffer):
14791 (JSC::LinkBuffer::executableOffsetFor):
14792 * assembler/MacroAssemblerARM64.h:
14793 (JSC::MacroAssemblerARM64::canCompact):
14794 (JSC::MacroAssemblerARM64::computeJumpType):
14795 (JSC::MacroAssemblerARM64::jumpSizeDelta):
14796 (JSC::MacroAssemblerARM64::link):
14797 (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
14798 * assembler/MacroAssemblerARMv7.h:
14799 (JSC::MacroAssemblerARMv7::canCompact):
14800 (JSC::MacroAssemblerARMv7::computeJumpType):
14801 (JSC::MacroAssemblerARMv7::jumpSizeDelta):
14802 (JSC::MacroAssemblerARMv7::link):
14803 (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.
14804
2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>

Stores to PropertyTable use the Structure as the owner
https://bugs.webkit.org/show_bug.cgi?id=134595

Reviewed by Darin Adler.

Since PropertyTable is the object that does the marking of these references, it should be the owner.

Also removed some unused parameters to other methods that historically used the Structure as the owner.

* runtime/JSPropertyNameIterator.h:
(JSC::StructureRareData::setEnumerationCache):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::putSpecificValue):
* runtime/Structure.h:
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
* runtime/StructureRareData.h:
* runtime/StructureRareDataInlines.h:
(JSC::StructureRareData::setPreviousID):
(JSC::StructureRareData::setObjectToStringValue):

2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>

ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
https://bugs.webkit.org/show_bug.cgi?id=134928

Reviewed by Andreas Kling.

* bytecode/CodeBlock.h:
(JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.

2014-07-15 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

Buildfix if LLINT_SLOW_PATH_TRACING is enabled
https://bugs.webkit.org/show_bug.cgi?id=133790

Reviewed by Mark Lam.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-07-14 Filip Pizlo <fpizlo@apple.com>

Allow for Int52Rep to see things other than Int32, and make this testable
https://bugs.webkit.org/show_bug.cgi?id=134873
<rdar://problem/17641915>

Reviewed by Geoffrey Garen and Mark Hahnenberg.

A major premise of our type inference is that prediction propagation can say whatever it
wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
We required some kind of agreement between prediction propagation and fixup over which
data flow paths were Int52 and which weren't.

It turns out that we basically had such an agreement, with the exception of code that was
unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
be a bug! Normally, we allow sloppiness in prediction propagation.

This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
empowered Int52Rep is actually correct - in case we end up using it on paths other than
ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
this intrinsic. This means that we're now stressing Int52Rep more so than ever before!

Note that it would still be a bug for prediction propagation to ever cause us to create an
Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
a crash bug.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::isMachineIntConstant):
* dfg/DFGNode.h:
(JSC::DFG::Node::isMachineIntConstant):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertMachineInt):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
(JSC::DFG::isDouble):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
(JSC::FTL::LowerDFGToLLVM::doubleToInt32):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
(JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
(JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
* jit/JITOperations.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionIdentity):
* runtime/Intrinsic.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::tryConvertToInt52):
(JSC::isInt52):
(JSC::JSValue::isMachineInt):
* tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/dead-fiat-double-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52.js: Added.
(foo):
* tests/stress/fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/int52-force-osr-exit-path.js: Added.
(foo):

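A stand-alone C++ model of the conversion rule that the Int52Rep entry above requires, added here as an illustration and not JavaScriptCore's own code: the tryConvertToInt52 and isInt52 names come from the entry, while the Value struct, the notInt52 sentinel, the range constants and the int52Rep outcome type are this example's assumptions about how a 52-bit integer representation must treat each input kind.

```cpp
#include <cmath>
#include <cstdint>

namespace int52_model {

// Assumed layout: Int52 values are 52-bit signed integers. Anything outside
// that range, or not an integer, has no Int52 representation. The sentinel
// for "no representation" is a value that can never be a valid Int52.
constexpr int numberOfInt52Bits = 52;
constexpr int64_t notInt52 = static_cast<int64_t>(1) << numberOfInt52Bits;
constexpr int64_t int52Min = -(static_cast<int64_t>(1) << (numberOfInt52Bits - 1));
constexpr int64_t int52Max = (static_cast<int64_t>(1) << (numberOfInt52Bits - 1)) - 1;

inline bool isInt52(int64_t value)
{
    return value >= int52Min && value <= int52Max;
}

// Strict conversion of a double: finite, integral, not -0, and within range.
// Anything else is rejected, which is what lets a speculation on Int52
// decide between "keep going" and "exit to less optimized code".
inline int64_t tryConvertToInt52(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return notInt52;
    // Range check on the double first so the cast below is always defined.
    if (number < static_cast<double>(int52Min) || number > static_cast<double>(int52Max))
        return notInt52;
    int64_t asInt64 = static_cast<int64_t>(number);
    if (static_cast<double>(asInt64) != number)
        return notInt52; // fractional part: 1.5 is a double, not an Int52
    if (!asInt64 && std::signbit(number))
        return notInt52; // -0 is observable in JS and has no integer form
    return asInt64;
}

// Minimal stand-in for a JSValue as seen by an Int52Rep node: either an
// Int32, a double, or something that is not a number at all.
struct Value {
    enum Kind { Int32, Double, NotNumber } kind;
    int32_t int32;
    double number;

    static Value fromInt32(int32_t i) { return { Int32, i, 0.0 }; }
    static Value fromDouble(double d) { return { Double, 0, d }; }
    static Value notANumber() { return { NotNumber, 0, 0.0 }; }
};

// Outcome of executing Int52Rep on one input: either a valid Int52, or a
// speculation failure (an OSR exit in the real engine).
struct Int52RepResult {
    bool exited;
    int64_t value;
};

// What the entry asks of Int52Rep: accept any input kind and either produce
// a correct Int52 or fail the speculation, never silently a wrong value.
inline Int52RepResult int52Rep(const Value& input)
{
    switch (input.kind) {
    case Value::Int32:
        return { false, static_cast<int64_t>(input.int32) }; // every Int32 is an Int52
    case Value::Double: {
        int64_t converted = tryConvertToInt52(input.number);
        if (converted == notInt52)
            return { true, 0 };
        return { false, converted };
    }
    case Value::NotNumber:
    default:
        return { true, 0 };
    }
}

} // namespace int52_model
```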
2014-07-14 Mark Hahnenberg <mhahnenberg@apple.com>

Flattening dictionaries with oversize backing stores can cause crashes
https://bugs.webkit.org/show_bug.cgi?id=134906

Reviewed by Filip Pizlo.

The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
of the CopiedBlock header. This was always the case except for when flattening a dictionary
caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
would no longer be within the first 32 KB of the CopiedBlock and the next collection would
choke on the Butterfly pointer.

This patch fixes this issue by detecting this situation during flattening and memmove-ing
the Butterfly down to where the old base was.

* runtime/JSObject.cpp:
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
(JSC::JSObject::butterflyPreCapacity):
(JSC::JSObject::butterflyTotalSize):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* tests/stress/flatten-oversize-dictionary-object.js: Added.
(foo):

2014-07-14 Benjamin Poulain <benjamin@webkit.org>

Remove some dead code from FTLJITFinalizer
https://bugs.webkit.org/show_bug.cgi?id=134874

Reviewed by Geoffrey Garen.

Not sure what that code was for...but it does not do anything :)

* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
The pointer of the label is computed but never used.

* ftl/FTLJITFinalizer.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
The label is never set to anything.

2014-07-14 Bear Travis <betravis@adobe.com>

[Feature Queries] Enable Feature Queries on Mac
https://bugs.webkit.org/show_bug.cgi?id=134404

Reviewed by Antti Koivisto.

Enable Feature Queries on Mac and resume running the
feature tests.

* Configurations/FeatureDefines.xcconfig: Turn on
ENABLE_CSS3_CONDITIONAL_RULES.

2014-07-11 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Debugger Pause button does not work
https://bugs.webkit.org/show_bug.cgi?id=134785

Reviewed by Timothy Hatcher.

* CMakeLists.txt:
* DerivedSources.make:
Minification strips the sourceURL command. Add it back with minification.

2014-07-11 peavo@outlook.com <peavo@outlook.com>

[Win] Enable DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=123615

Reviewed by Mark Lam.

When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
since the register allocation differs on 64-bit Windows.

* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
(JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
* jit/JIT.h:
(JSC::JIT::appendCallWithSlowPathReturnType): Added method.
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
(JSC::JIT::callOperation): Call new method.

2014-07-09 Benjamin Poulain <benjamin@webkit.org>

Use 16bits instructions for push/pop on ARMv7 when possible
https://bugs.webkit.org/show_bug.cgi?id=134753

Reviewed by Geoffrey Garen.

The patch r170839 mixed the code for push/pop pair and single push/pop.
That part was reverted in r170909.

This patch puts the code back but specialized for single push/pop.

* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::pop):
(JSC::MacroAssemblerARMv7::push):

2014-07-09 Brent Fulgham <bfulgham@apple.com>

[Win] Remove uses of 'bash' in build system
https://bugs.webkit.org/show_bug.cgi?id=134782
<rdar://problem/17615533>

Reviewed by Dean Jackson.

Remove uses of 'bash' by replacing Windows-specific bash scripts
with Perl equivalents.

* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
* JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
* JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
* JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2014-07-09 Brent Fulgham <bfulgham@apple.com>

[Win] Remove use of 'grep' in build steps
https://bugs.webkit.org/show_bug.cgi?id=134770
<rdar://problem/17608783>

Reviewed by Tim Horton.

Replace uses of the grep command in Windows builds with the equivalent
Perl program.

* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
* JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2014-07-08 Benjamin Poulain <benjamin@webkit.org>

Restore the assertion changed with 170839

* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
Revert the Assembler part of 170839. The assertions do not match both encodings.

I'll add specific versions of push and pop instead.

2014-07-08 Jon Honeycutt <jhoneycutt@apple.com>

RemoteInspector::shared() should not call WTF::initializeMainThread()
<https://bugs.webkit.org/show_bug.cgi?id=134747>
<rdar://problem/17161482>

Reviewed by Joseph Pecoraro.

* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::shared):
Don't call WTF::initializeMainThread(). WTF threading is initialized by
JSC::initializeThreading().

2014-07-08 Andreas Kling <akling@apple.com>

VM::lastCachedString should be a Strong, not a Weak.
<https://webkit.org/b/134746>

Using Weak<JSString> for this regressed some of our bindings perf tests
due to Weak having to allocate a new WeakImpl every time the last cached
string changed. Making it a Strong instead should make that problem go away.

Reviewed by Geoffrey Garen.

* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
* runtime/VM.h:

2014-07-07 Benjamin Poulain <bpoulain@apple.com>

Fix the build after r170876

* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):

2014-07-07 Benjamin Poulain <benjamin@webkit.org>

LinkBuffer should not keep a reference to the MacroAssembler
https://bugs.webkit.org/show_bug.cgi?id=134668

Reviewed by Geoffrey Garen.

In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
When that happens, the pointer m_assembler points to released memory. That was not causing
issues because the attribute is not used after linking, but that was not particularly
future proof.

This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.

While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
everywhere. I refactored some #include to avoid that.

* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
* bytecode/Watchpoint.cpp:
* dfg/DFGDisassembler.cpp:
* dfg/DFGDisassembler.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGPlan.cpp:
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::generateICFastPath):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLJSCall.cpp:
* ftl/FTLJSCall.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ArityCheckFailReturnThunks.cpp:
(JSC::ArityCheckFailReturnThunks::returnPCsFor):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCall.cpp:
(JSC::JIT::privateCompileClosureCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::privateCompileClosureCall):
* jit/JITDisassembler.cpp:
* jit/JITDisassembler.h:
* jit/JITOpcodes.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/RegisterPreservationWrapperGenerator.cpp:
(JSC::generateRegisterPreservationWrapper):
(JSC::registerRestorationThunkGenerator):
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkForThunkGenerator):
(JSC::linkClosureCallForThunkGenerator):
(JSC::virtualForThunkGenerator):
(JSC::nativeForGenerator):
(JSC::arityFixup):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):

2014-07-07 Andreas Kling <akling@apple.com>

Fast path for jsStringWithCache() when asked for the same string repeatedly.
<https://webkit.org/b/134635>

Reviewed by Darin Adler.

Follow-up to r170818 addressing a review comment by Geoff Garen.

* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):

2014-07-07 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

Add missing ENABLE(FTL_JIT) guards
https://bugs.webkit.org/show_bug.cgi?id=134680

Reviewed by Darin Adler.

* ftl/FTLDWARFDebugLineInfo.cpp:
* ftl/FTLDWARFDebugLineInfo.h:
* ftl/FTLGeneratedFunction.h:

2014-07-07 Zan Dobersek <zdobersek@igalia.com>

Enable ARMv7 disassembler for the GTK port
https://bugs.webkit.org/show_bug.cgi?id=134676

Reviewed by Benjamin Poulain.

* CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
* disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().

2014-07-06 Benjamin Poulain <benjamin@webkit.org>

[ARMv7] Use 16 bits instructions for push/pop when possible
https://bugs.webkit.org/show_bug.cgi?id=134656

Reviewed by Andreas Kling.

* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
(JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
Add the 16 bits version of push and pop.

* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::pop):
(JSC::MacroAssemblerARMv7::push):
Use the new push/pop instead of a regular load/store.

* disassembler/ARMv7/ARMv7DOpcode.cpp:
(JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
* disassembler/ARMv7/ARMv7DOpcode.h:
(JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
Fix the disassembler for push/pop:
-The register mask was on 7 bits for some reason.
-The code printing the registers was comparing a register ID with a register
mask.

2014-07-06 Yoav Weiss <yoav@yoav.ws>

Turn on img@sizes compile flag
https://bugs.webkit.org/show_bug.cgi?id=134634

Reviewed by Benjamin Poulain.

* Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.

2014-07-06 Daewoong Jang <daewoong.jang@navercorp.com>

Flags value of SourceCodeKey should be unique for each case.
https://bugs.webkit.org/show_bug.cgi?id=134435

Reviewed by Darin Adler.

Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
Shift the value of CodeType one bit farther to the left so those values don't overlap.

* runtime/CodeCache.h:
(JSC::SourceCodeKey::SourceCodeKey):

2014-07-04 Andreas Kling <akling@apple.com>

Fast path for jsStringWithCache() when asked for the same string repeatedly.
<https://webkit.org/b/134635>

Also moved the whole thing from WebCore to JavaScriptCore since it
makes more sense here, and inline the lightweight checks, leaving only
the hashmap stuff out of line.

Reviewed by Darin Adler.

* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
* runtime/JSString.h:
(JSC::jsStringWithCache):
* runtime/VM.h:

2014-07-03 Daniel Bates <dabates@apple.com>

Add WTF::move()
https://bugs.webkit.org/show_bug.cgi?id=134500

Rubber-stamped by Anders Carlsson.

Substitute WTF::move() for std::move().

* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
* dfg/DFGGraph.cpp:
* dfg/DFGJITCompiler.cpp:
* dfg/DFGStackLayoutPhase.cpp:
* dfg/DFGWorklist.cpp:
* heap/DelayedReleaseScope.h:
* heap/HeapInlines.h:
[...]

2014-07-03 Filip Pizlo <fpizlo@apple.com>

SSA DCE should process blocks in forward order
https://bugs.webkit.org/show_bug.cgi?id=134611

Reviewed by Andreas Kling.

* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
(foo):

2014-07-03 Filip Pizlo <fpizlo@apple.com>

JSActivation::symbolTablePut() should invalidate variable watchpoints
https://bugs.webkit.org/show_bug.cgi?id=134602

Reviewed by Oliver Hunt.

Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
during linking - we essentially assume that if it's at all possible for an inner function to store to a
variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

* runtime/JSActivation.cpp:
(JSC::JSActivation::symbolTablePut):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
(.):

154572014-07-01 Mark Lam <mark.lam@apple.com>
15458
15459 Debugger's breakpoint list should not be a Vector.
15460 <https://webkit.org/b/134514>
15461
15462 Reviewed by Geoffrey Garen.
15463
15464 The debugger currently stores breakpoint data as entries in a Vector (see
15465 BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
15466 the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
15467 compact or reallocate its backing store, this can causes all sorts of havoc.
15468 The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
15469 move in memory.
15470
15471 The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
15472 doubly linked list.
15473
15474 * debugger/Breakpoint.h:
15475 (JSC::Breakpoint::Breakpoint):
15476 (JSC::BreakpointsList::~BreakpointsList):
15477 * debugger/Debugger.cpp:
15478 (JSC::Debugger::setBreakpoint):
15479 (JSC::Debugger::removeBreakpoint):
15480 (JSC::Debugger::hasBreakpoint):
15481 * debugger/Debugger.h:
15482
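A reduced C++ model of the pointer-stability problem described in the breakpoint entry above, added as an example rather than taken from the Debugger sources: the Breakpoint, BreakpointID and BreakpointsInLine names come from the entry, while std::vector and std::list (standing in for WTF::Vector and the doubly linked BreakpointsList), the map of cached addresses and the two function names are this example's assumptions.

```cpp
#include <cstdint>
#include <list>
#include <map>
#include <vector>

namespace breakpoint_model {

typedef unsigned BreakpointID;

struct Breakpoint {
    BreakpointID id;
    unsigned line;
    unsigned column;
};

// Before the fix: breakpoints for a line live in a Vector, and the
// id -> breakpoint map caches raw pointers into that Vector's backing store.
// Returns true when the cached pointer for breakpoint 1 no longer matches the
// address where breakpoint 1 actually lives once the Vector has grown.
inline bool vectorBackedMapDangles(unsigned breakpointCount)
{
    std::vector<Breakpoint> breakpointsInLine;
    // The stale value is kept as an integer so it is never used as a pointer
    // after the backing store it pointed into has been freed.
    std::map<BreakpointID, std::uintptr_t> breakpointIDToAddress;

    breakpointsInLine.push_back({ 1, 10, 0 });
    breakpointIDToAddress[1] = reinterpret_cast<std::uintptr_t>(&breakpointsInLine.back());

    for (BreakpointID id = 2; id <= breakpointCount; ++id) {
        breakpointsInLine.push_back({ id, 10, 0 }); // may reallocate and move every element
        breakpointIDToAddress[id] = reinterpret_cast<std::uintptr_t>(&breakpointsInLine.back());
    }

    std::uintptr_t currentAddress = reinterpret_cast<std::uintptr_t>(&breakpointsInLine.front());
    return breakpointIDToAddress[1] != currentAddress;
}

// After the fix: a doubly linked list never moves a node once inserted, so a
// cached pointer stays valid for as long as its breakpoint exists, even when
// other breakpoints on the same line are added or removed.
inline bool listBackedMapIsStable(unsigned breakpointCount)
{
    std::list<Breakpoint> breakpointsInLine;
    std::map<BreakpointID, Breakpoint*> breakpointIDToBreakpoint;

    breakpointsInLine.push_back({ 1, 10, 0 });
    breakpointIDToBreakpoint[1] = &breakpointsInLine.back();

    for (BreakpointID id = 2; id <= breakpointCount; ++id) {
        breakpointsInLine.push_back({ id, 10, 0 });
        breakpointIDToBreakpoint[id] = &breakpointsInLine.back();
    }

    // Remove every breakpoint except the first: unlinking neighbours must not
    // disturb the node the map still points at.
    for (BreakpointID id = 2; id <= breakpointCount; ++id) {
        Breakpoint* doomed = breakpointIDToBreakpoint[id];
        breakpointIDToBreakpoint.erase(id);
        for (auto it = breakpointsInLine.begin(); it != breakpointsInLine.end(); ++it) {
            if (&*it == doomed) {
                breakpointsInLine.erase(it);
                break;
            }
        }
    }

    Breakpoint* cached = breakpointIDToBreakpoint[1];
    return breakpointsInLine.size() == 1
        && cached == &breakpointsInLine.front()
        && cached->id == 1;
}

} // namespace breakpoint_model
```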
154832014-06-30 Michael Saboff <msaboff@apple.com>
15484
15485 Add option to run-jsc-stress-testes to filter out tests that use large heaps
15486 https://bugs.webkit.org/show_bug.cgi?id=134458
15487
15488 Reviewed by Filip Pizlo.
15489
15490 Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
15491
15492 * tests/mozilla/mozilla-tests.yaml:
15493
154942014-06-30 Daniel Bates <dabates@apple.com>
15495
15496 Avoid copying closed variables vector; actually use move semantics
15497
15498 Rubber-stamped by Oliver Hunt.
15499
15500 Currently we always copy the closed variables vector passed by Parser::closedVariables()
15501 to ProgramNode::setClosedVariables() because these member functions return and take a const
15502 rvalue reference, respectively. Instead, these member functions should take an return a non-
15503 constant rvalue reference so that we actually move the closed variables vector from the Parser
15504 object to the Node object.
15505
15506 * parser/Nodes.cpp:
15507 (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
15508 * parser/Nodes.h:
15509 (JSC::ScopeNode::setClosedVariables): Ditto.
15510 * parser/Parser.h:
15511 (JSC::Parser::closedVariables): Remove const qualifier on return type.
15512 (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
15513 because Parser::closedVariables() returns an rvalue reference.
15514
155152014-06-30 Joseph Pecoraro <pecoraro@apple.com>
15516
15517 JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
15518 https://bugs.webkit.org/show_bug.cgi?id=134371
15519
15520 Reviewed by Timothy Hatcher.
15521
15522 * API/JSContextPrivate.h:
15523 * API/JSContext.mm:
15524 (-[JSContext _debuggerRunLoop]):
15525 (-[JSContext _setDebuggerRunLoop:]):
15526 Private API for setting the CFRunLoop for a debugger to evaluate in.
15527
15528 * API/JSContextRefInternal.h: Added.
15529 * API/JSContextRef.cpp:
15530 (JSGlobalContextGetDebuggerRunLoop):
15531 (JSGlobalContextSetDebuggerRunLoop):
15532 Internal API for setting a CFRunLoop on a JSContextRef.
15533 Set this on the debuggable.
15534
15535 * inspector/remote/RemoteInspectorDebuggable.h:
15536 * inspector/remote/RemoteInspectorDebuggableConnection.h:
15537 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
15538 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
15539 (Inspector::RemoteInspectorBlock::operator=):
15540 (Inspector::RemoteInspectorBlock::operator()):
15541 Moved into the header.
15542
15543 * runtime/JSGlobalObject.h:
15544 (JSC::JSGlobalObject::inspectorDebuggable):
15545 Let's store the RunLoop on the debuggable instead of this core
15546 platform agnostic class, so expose the debuggable.
15547
15548 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
15549 (Inspector::RemoteInspectorHandleRunSourceGlobal):
15550 (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
15551 (Inspector::RemoteInspectorInitializeGlobalQueue):
15552 Rename the global functions for clarity.
15553
15554 (Inspector::RemoteInspectorHandleRunSourceWithInfo):
15555 Handler for private run loops.
15556
15557 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
15558 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
15559 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
15560 (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
15561 (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
15562 (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
15563 Set up, tear down and use private run loop sources if the debuggable needs it.
15564
155652014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
15566
15567 Add missing ENABLE(DFG_JIT) guards
15568 https://bugs.webkit.org/show_bug.cgi?id=134444
15569
15570 Reviewed by Darin Adler.
15571
15572 * dfg/DFGFunctionWhitelist.cpp:
15573 * dfg/DFGFunctionWhitelist.h:
15574
155752014-06-29 Yoav Weiss <yoav@yoav.ws>
15576
15577 Add support for HTMLImageElement's sizes attribute
15578 https://bugs.webkit.org/show_bug.cgi?id=133620
15579
15580 Reviewed by Dean Jackson.
15581
15582 Added an ENABLE_PICTURE_SIZES compile flag.
15583
15584 * Configurations/FeatureDefines.xcconfig:
15585
155862014-06-27 Filip Pizlo <fpizlo@apple.com>
15587
15588 Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
15589 https://bugs.webkit.org/show_bug.cgi?id=134412
15590
15591 Reviewed by Mark Hahnenberg.
15592
15593 * dfg/DFGCSEPhase.cpp:
15594 (JSC::DFG::CSEPhase::setReplacement):
15595 * dfg/DFGStrengthReductionPhase.cpp:
15596 (JSC::DFG::StrengthReductionPhase::handleNode):
15597 * dfg/DFGValidate.cpp:
15598 (JSC::DFG::Validate::validate):
15599 * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
15600 (foo):
15601 (bar):
15602 (baz):
15603
156042014-06-27 Peyton Randolph <prandolph@apple.com>
15605
15606 Add feature flag for link long-press gesture.
15607 https://bugs.webkit.org/show_bug.cgi?id=134262
15608
15609 Reviewed by Enrica Casucci.
15610
15611 * Configurations/FeatureDefines.xcconfig:
15612 Add ENABLE_LINK_LONG_PRESS.
15613
156142014-06-27 László Langó <llango.u-szeged@partner.samsung.com>
15615
15616 [JavaScriptCore] FTL buildfix for EFL platform.
15617 https://bugs.webkit.org/show_bug.cgi?id=133546
15618
15619 Reviewed by Darin Adler.
15620
15621 * ftl/FTLAbstractHeap.cpp:
15622 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
15623 * ftl/FTLLocation.cpp:
15624 (JSC::FTL::Location::forStackmaps):
15625 * ftl/FTLLowerDFGToLLVM.cpp:
15626 (JSC::FTL::LowerDFGToLLVM::opposite):
15627 * ftl/FTLOSRExitCompiler.cpp:
15628 (JSC::FTL::compileStub):
15629 * ftl/FTLStackMaps.cpp:
15630 (JSC::FTL::StackMaps::Constant::dump):
15631 * llvm/InitializeLLVMPOSIX.cpp:
15632 (JSC::initializeLLVMPOSIX):
15633
156342014-06-26 Benjamin Poulain <benjamin@webkit.org>
15635
15636 iOS 8 beta 2 ES6 'Set' clear() broken
15637 https://bugs.webkit.org/show_bug.cgi?id=134346
15638
15639 Reviewed by Oliver Hunt.
15640
15641 The object map was not cleared :(.
15642
15643 Kudos to Ashley Gullen for tracking this and making a regression test.
15644 Credit to Oliver for finding the missing code.
15645
15646 * runtime/MapData.h:
15647 (JSC::MapData::clear):
15648
156492014-06-25 Brent Fulgham <bfulgham@apple.com>
15650
15651 [Win] Expose Cache Information to WinLauncher
15652 https://bugs.webkit.org/show_bug.cgi?id=134318
15653
15654 Reviewed by Dean Jackson.
15655
15656 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
15657 MemoryStatistics files to the Windows build.
15658 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
15659
156602014-06-26 David Kilzer <ddkilzer@apple.com>
15661
15662 DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
15663 <http://webkit.org/b/134343>
15664 <rdar://problem/17459487>
15665
15666 Reviewed by Michael Saboff.
15667
15668 * dfg/DFGFunctionWhitelist.cpp:
15669 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
15670 Close the file handle, and log an error on failure.
15671
156722014-06-25 Dana Burkart <dburkart@apple.com>
15673
15674 Add support for 5-tuple versioning.
15675
15676 Reviewed by David Farler.
15677
15678 * Configurations/Version.xcconfig:
15679
156802014-06-25 Geoffrey Garen <ggaren@apple.com>
15681
15682 Build fix.
15683
15684 Unreviewed.
15685
15686 * runtime/JSDateMath.cpp:
15687 (JSC::parseDateFromNullTerminatedCharacters):
15688 * runtime/VM.cpp:
15689 (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
15690 constant since that constant doesn't exist anymore.
15691
156922014-06-25 Geoffrey Garen <ggaren@apple.com>
15693
15694 Unreviewed, rolling out r166876.
15695
15696 Caused some ECMA test262 failures
15697
15698 Reverted changeset:
15699
15700 "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
15701 https://bugs.webkit.org/show_bug.cgi?id=131248
15702 http://trac.webkit.org/changeset/166876
15703
157042014-06-25 Brent Fulgham <bfulgham@apple.com>
15705
15706 [Win] Unreviewed gardening.
15707
15708 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
15709 put various files in proper IDE categories.
15710
157112014-06-25 peavo@outlook.com <peavo@outlook.com>
15712
15713 [Win64] ASM LLINT is not enabled.
15714 https://bugs.webkit.org/show_bug.cgi?id=130638
15715
15716 This patch adds a new LLINT assembler backend for Win64, and implements it.
15717 It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
15718 Also, LLINT and JIT are enabled for Win64.
15719
15720 Reviewed by Mark Lam.
15721
15722 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
15723 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
15724 * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
15725 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
15726 * assembler/MacroAssemblerX86_64.h:
15727 (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
15728 * jit/JITStubsMSVC64.asm: Added.
15729 * jit/Repatch.cpp:
15730 (JSC::emitPutTransitionStub): Compile fix.
15731 * jit/ThunkGenerators.cpp:
15732 (JSC::nativeForGenerator): Follow Win64 ABI spec.
15733 * llint/LLIntData.cpp:
15734 (JSC::LLInt::Data::performAssertions): Ditto.
15735 * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
15736 * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
15737 * llint/LowLevelInterpreter64.asm: Ditto.
15738 * offlineasm/asm.rb: Compile fix.
15739 * offlineasm/backends.rb: Add new llint backend for Win64.
15740 * offlineasm/settings.rb: Compile fix.
15741 * offlineasm/x86.rb: Implement new llint Win64 backend.
15742
157432014-06-25 Laszlo Gombos <l.gombos@samsung.com>
15744
15745 Remove build guard for progress element
15746 https://bugs.webkit.org/show_bug.cgi?id=134292
15747
15748 Reviewed by Benjamin Poulain.
15749
15750 * Configurations/FeatureDefines.xcconfig:
15751
157522014-06-24 Michael Saboff <msaboff@apple.com>
15753
15754 Add support routines to provide descriptive JavaScript backtraces
15755 https://bugs.webkit.org/show_bug.cgi?id=134278
15756
15757 Reviewed by Mark Lam.
15758
15759 * interpreter/CallFrame.cpp:
15760 (JSC::CallFrame::dump):
15761 (JSC::CallFrame::describeFrame):
15762 * interpreter/CallFrame.h:
15763 * runtime/JSCJSValue.cpp:
15764 (JSC::JSValue::dumpForBacktrace):
15765 * runtime/JSCJSValue.h:
15766
157672014-06-24 Brady Eidson <beidson@apple.com>
15768
15769 Enable GAMEPAD in the Mac build, but disabled at runtime.
15770 https://bugs.webkit.org/show_bug.cgi?id=134255
15771
15772 Reviewed by Dean Jackson.
15773
15774 * Configurations/FeatureDefines.xcconfig:
15775
15776 * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
15777 functions at runtime.
15778
157792014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>
15780
15781 REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
15782 https://bugs.webkit.org/show_bug.cgi?id=134046
15783
15784 Reviewed by Filip Pizlo.
15785
15786 * runtime/GetterSetter.h:
15787 (JSC::asGetterSetter):
15788 * runtime/JSObject.cpp:
15789 (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
15790 a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
15791 and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
15792
157932014-06-24 Brent Fulgham <bfulgham@apple.com>
15794
15795 [Win] MSVC mishandles enums in bitfields
15796 https://bugs.webkit.org/show_bug.cgi?id=134237
15797
15798 Reviewed by Michael Saboff.
15799
15800 Replace uses of enum types in bit fields with unsigned to
15801 avoid losing a bit to hold the sign value. This can result
15802 in Windows interpreting the value of the field improperly.
15803
15804 * bytecode/StructureStubInfo.h:
15805 * parser/Nodes.h:
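
An added example of the failure this entry describes (constructed here, not the patched JSC code). MSVC gives an enum with no explicit base a signed int underlying type; spelling `: int` on the enum below reproduces that choice on any compiler, which is the one assumption the demonstration rests on. The enum-typed 2-bit field spends a bit on the sign and can only hold -2..1, so the enumerator with value 3 reads back as -1; the unsigned field holds 0..3 and round-trips.

```cpp
// Constructed enum; ": int" stands in for MSVC's default signed base type.
enum AccessType : int { NoAccess = 0, ReadAccess = 1, WriteAccess = 2, FullAccess = 3 };

// Before: an enum-typed bit-field. With a signed underlying type the top
// of the 2-bit field is a sign bit, so FullAccess (3) wraps to -1.
struct EnumBitfield {
    AccessType access : 2;
};

// After: the field is declared unsigned and converted at the boundary.
struct UnsignedBitfield {
    unsigned access : 2;
    AccessType accessType() const { return static_cast<AccessType>(access); }
};

// True when the value read back from the field equals the value stored.
bool enumFieldRoundTrips(AccessType value) {
    EnumBitfield s;
    s.access = value;
    return s.access == value;
}

bool unsignedFieldRoundTrips(AccessType value) {
    UnsignedBitfield s;
    s.access = static_cast<unsigned>(value);
    return s.accessType() == value;
}

// The integer the enum-typed field actually reports for a stored value.
int storedEnumFieldAsInt(AccessType value) {
    EnumBitfield s;
    s.access = value;
    return static_cast<int>(s.access);
}
```

A compiler may warn that the enum-typed field is too narrow for all enumerators; that warning is exactly the signal the entry is fixing by hand, and a comparison such as `s.access == FullAccess` on the narrow field is the kind of check that silently goes wrong.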
15806
158072014-06-23 Andreas Kling <akling@apple.com>
15808
15809 Inline the UnlinkedInstructionStream::Reader logic.
15810 <https://webkit.org/b/134203>
15811
15812 This class is only used by CodeBlock to unpack the unlinked instructions,
15813 and we were spending 0.5% of total time on PLT calling Reader::next().
15814 Move the logic to the header file and mark it ALWAYS_INLINE.
15815
15816 Reviewed by Geoffrey Garen.
15817
15818 * bytecode/UnlinkedInstructionStream.cpp:
15819 * bytecode/UnlinkedInstructionStream.h:
15820 (JSC::UnlinkedInstructionStream::Reader::Reader):
15821 (JSC::UnlinkedInstructionStream::Reader::read8):
15822 (JSC::UnlinkedInstructionStream::Reader::read32):
15823 (JSC::UnlinkedInstructionStream::Reader::next):
15824
158252014-06-20 Sam Weinig <sam@webkit.org>
15826
15827 Remove static tables for bindings that use eager reification
15828 https://bugs.webkit.org/show_bug.cgi?id=134126
15829
15830 Reviewed by Oliver Hunt.
15831
15832 * runtime/JSObject.cpp:
15833 (JSC::JSObject::putDirectCustomAccessor):
15834 * runtime/Structure.h:
15835 (JSC::Structure::setHasCustomGetterSetterProperties):
15836 Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
15837 the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
15838 Without this, JSObject::put() won't think there are any setters on the prototype chain of an
15839 object that has no static lookup table and uses eagerly reified custom getter/setter properties.
15840
158412014-06-21 Brady Eidson <beidson@apple.com>
15842
15843 Gamepad API - Deprecate the existing implementation
15844 https://bugs.webkit.org/show_bug.cgi?id=134108
15845
15846 Reviewed by Timothy Hatcher.
15847
15848 -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
15849 -Move some implementation files into a "deprecated" subdirectory.
15850
15851 * Configurations/FeatureDefines.xcconfig:
15852
158532014-06-21 Commit Queue <commit-queue@webkit.org>
15854
15855 Unreviewed, rolling out r170244.
15856 https://bugs.webkit.org/show_bug.cgi?id=134157
15857
15858 GTK/EFL bindings generator works differently, making this
15859 patch not work there. Will fix entire patch after a rollout.
15860 (Requested by bradee-oh on #webkit).
15861
15862 Reverted changeset:
15863
15864 "Gamepad API - Deprecate the existing implementation"
15865 https://bugs.webkit.org/show_bug.cgi?id=134108
15866 http://trac.webkit.org/changeset/170244
15867
158682014-06-21 Brady Eidson <beidson@apple.com>
15869
15870 Gamepad API - Deprecate the existing implementation
15871 https://bugs.webkit.org/show_bug.cgi?id=134108
15872
15873 Reviewed by Timothy Hatcher.
15874
15875 -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
15876 -Add the "Deprecated" suffix to some implementation files
15877
15878 * Configurations/FeatureDefines.xcconfig:
15879
158802014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
15881
15882 Removing PAGE_VISIBILITY_API compile guard.
15883 https://bugs.webkit.org/show_bug.cgi?id=133844
15884
15885 Reviewed by Gavin Barraclough.
15886
15887 * Configurations/FeatureDefines.xcconfig:
15888
158892014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
15890
15891 ARM traditional buildfix after r169942.
15892 https://bugs.webkit.org/show_bug.cgi?id=134100
15893
15894 Reviewed by Zoltan Herczeg.
15895
15896 * assembler/MacroAssemblerARM.h:
15897 (JSC::MacroAssemblerARM::abortWithReason): Added.
15898
158992014-06-20 Andreas Kling <akling@apple.com>
15900
15901 [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
15902 <https://webkit.org/b/134112>
15903
15904 Reviewed by Mark Hahnenberg.
15905
15906 * heap/BlockAllocator.h:
15907
159082014-06-19 Alex Christensen <achristensen@webkit.org>
15909
15910 Unreviewed fix after r170130.
15911
15912 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
15913 Corrected directory so it can find common.props when opening Visual Studio.
15914
159152014-06-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
15916
15917 Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
15918 https://bugs.webkit.org/show_bug.cgi?id=130389
15919
15920 Reviewed by Mark Lam.
15921
15922 Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
15923 into !ENABLE(JIT) since they are mutually exclusive.
15924
15925 * CMakeLists.txt:
15926 * assembler/MacroAssemblerCodeRef.h:
15927 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
15928 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
15929 * assembler/MaxFrameExtentForSlowPathCall.h:
15930 * bytecode/CallLinkStatus.cpp:
15931 (JSC::CallLinkStatus::computeFromLLInt):
15932 * bytecode/CodeBlock.cpp:
15933 (JSC::dumpStructure):
15934 (JSC::CodeBlock::printGetByIdCacheStatus):
15935 (JSC::CodeBlock::printCallOp):
15936 (JSC::CodeBlock::CodeBlock):
15937 (JSC::CodeBlock::~CodeBlock):
15938 (JSC::CodeBlock::propagateTransitions):
15939 (JSC::CodeBlock::finalizeUnconditionally):
15940 (JSC::CodeBlock::unlinkCalls):
15941 (JSC::CodeBlock::unlinkIncomingCalls):
15942 (JSC::CodeBlock::linkIncomingCall):
15943 (JSC::CodeBlock::frameRegisterCount):
15944 * bytecode/CodeBlock.h:
15945 * bytecode/GetByIdStatus.cpp:
15946 (JSC::GetByIdStatus::computeFromLLInt):
15947 * bytecode/Opcode.h:
15948 (JSC::padOpcodeName):
15949 * bytecode/PutByIdStatus.cpp:
15950 (JSC::PutByIdStatus::computeFromLLInt):
15951 * bytecompiler/BytecodeGenerator.cpp:
15952 (JSC::BytecodeGenerator::emitCall):
15953 (JSC::BytecodeGenerator::emitConstruct):
15954 * heap/Heap.cpp:
15955 (JSC::Heap::gatherJSStackRoots):
15956 * interpreter/Interpreter.cpp:
15957 (JSC::Interpreter::initialize):
15958 (JSC::Interpreter::isOpcode):
15959 * interpreter/Interpreter.h:
15960 (JSC::Interpreter::getOpcodeID):
15961 * interpreter/JSStack.cpp:
15962 (JSC::JSStack::JSStack):
15963 (JSC::JSStack::committedByteCount):
15964 * interpreter/JSStack.h:
15965 * interpreter/JSStackInlines.h:
15966 (JSC::JSStack::ensureCapacityFor):
15967 (JSC::JSStack::topOfFrameFor):
15968 (JSC::JSStack::setStackLimit):
15969 * jit/ExecutableAllocatorFixedVMPool.cpp:
15970 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
15971 * jit/JIT.h:
15972 (JSC::JIT::compileCTINativeCall):
15973 * jit/JITExceptions.h:
15974 * jit/JITThunks.cpp:
15975 (JSC::JITThunks::ctiNativeCall):
15976 (JSC::JITThunks::ctiNativeConstruct):
15977 * llint/LLIntCLoop.cpp:
15978 * llint/LLIntCLoop.h:
15979 * llint/LLIntData.cpp:
15980 (JSC::LLInt::initialize):
15981 (JSC::LLInt::Data::performAssertions):
15982 * llint/LLIntData.h:
15983 (JSC::LLInt::Data::performAssertions): Deleted.
15984 * llint/LLIntEntrypoint.cpp:
15985 * llint/LLIntEntrypoint.h:
15986 * llint/LLIntExceptions.cpp:
15987 * llint/LLIntExceptions.h:
15988 * llint/LLIntOfflineAsmConfig.h:
15989 * llint/LLIntOffsetsExtractor.cpp:
15990 (JSC::LLIntOffsetsExtractor::dummy):
15991 * llint/LLIntOpcode.h:
15992 * llint/LLIntSlowPaths.cpp:
15993 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
15994 * llint/LLIntSlowPaths.h:
15995 * llint/LLIntThunks.cpp:
15996 * llint/LLIntThunks.h:
15997 * llint/LowLevelInterpreter.cpp:
15998 * llint/LowLevelInterpreter.h:
15999 * runtime/CommonSlowPaths.cpp:
16000 * runtime/CommonSlowPaths.h:
16001 * runtime/ErrorHandlingScope.cpp:
16002 (JSC::ErrorHandlingScope::ErrorHandlingScope):
16003 (JSC::ErrorHandlingScope::~ErrorHandlingScope):
16004 * runtime/Executable.cpp:
16005 (JSC::setupLLInt):
16006 * runtime/InitializeThreading.cpp:
16007 (JSC::initializeThreading):
16008 * runtime/JSCJSValue.h:
16009 * runtime/JSCJSValueInlines.h:
16010 * runtime/Options.cpp:
16011 (JSC::recomputeDependentOptions):
16012 * runtime/VM.cpp:
16013 (JSC::VM::VM):
16014 (JSC::sanitizeStackForVM):
16015 * runtime/VM.h:
16016 (JSC::VM::canUseJIT): Deleted.
16017
160182014-06-18 Alex Christensen <achristensen@webkit.org>
16019
16020 Add FTL to Windows build.
16021 https://bugs.webkit.org/show_bug.cgi?id=134015
16022
16023 Reviewed by Filip Pizlo.
16024
16025 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
16026 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
16027 Added ftl source files.
16028 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
16029 Added ftl and llvm directories to include path.
16030 * JavaScriptCore.vcxproj/libllvmForJSC: Added.
16031 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
16032 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
16033 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
16034 * ftl/FTLLowerDFGToLLVM.cpp:
16035 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
16036 MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
16037 * llvm/InitializeLLVMWin.cpp: Added.
16038 (JSC::initializeLLVMImpl):
16039 Implemented dynamic loading and linking for Windows.
16040
160412014-06-18 Alex Christensen <achristensen@webkit.org>
16042
16043 Unreviewed build fix after r170107.
16044
16045 * dfg/DFGSpeculativeJIT.cpp:
16046 (JSC::DFG::SpeculativeJIT::compileArithMod):
16047 Use non-template sub for armv7s.
16048
160492014-06-18 David Kilzer <ddkilzer@apple.com>
16050
16051 -[JSContext setName:] leaks NSString
16052 <http://webkit.org/b/134038>
16053
16054 Reviewed by Joseph Pecoraro.
16055
16056 Fixes the following static analyzer warning:
16057
16058 JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
16059 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
16060 ^
16061
16062 * API/JSContext.mm:
16063 (-[JSContext setName:]): Autorelease the copy of |name|.
16064
160652014-06-18 Mark Lam <mark.lam@apple.com>
16066
16067 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
16068 <https://webkit.org/b/133994>
16069
16070 Reviewed by Geoffrey Garen.
16071
16072 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
16073 because it means two unfortunate things:
16074 - It will probably break for zero.
16075 - It will think that -0 is the same as +0 under some circumstances, since
16076 -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
16077
16078 The fix is to use std::unordered_map which does not require special empty
16079 and deleted values, and to use the raw bits instead of the double value as
16080 the key.
16081
16082 * dfg/DFGGraph.h:
16083 * dfg/DFGJITCompiler.cpp:
16084 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
16085
160862014-06-18 Alex Christensen <achristensen@webkit.org>
16087
16088 Remove duplicate code using sdiv.
16089 https://bugs.webkit.org/show_bug.cgi?id=133764
16090
16091 Reviewed by Daniel Bates.
16092
16093 * assembler/ARMv7Assembler.h:
16094 (JSC::ARMv7Assembler::sdiv):
16095 Make sdiv a template to match arm64.
16096 * dfg/DFGSpeculativeJIT.cpp:
16097 (JSC::DFG::SpeculativeJIT::compileArithDiv):
16098 (JSC::DFG::SpeculativeJIT::compileArithMod):
16099 Remove duplicate code that was identical except for sdiv not being a template.
16100
161012014-06-17 Commit Queue <commit-queue@webkit.org>
16102
16103 Unreviewed, rolling out r170082.
16104 https://bugs.webkit.org/show_bug.cgi?id=134006
16105
16106 Breaks build. (Requested by mlam on #webkit).
16107
16108 Reverted changeset:
16109
16110 "DFGGraph::m_doubleConstantMap will not map 0 values
16111 correctly."
16112 https://bugs.webkit.org/show_bug.cgi?id=133994
16113 http://trac.webkit.org/changeset/170082
16114
161152014-06-17 Mark Lam <mark.lam@apple.com>
16116
16117 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
16118 <https://webkit.org/b/133994>
16119
16120 Reviewed by Geoffrey Garen.
16121
16122 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
16123 because it means two unfortunate things:
16124 - It will probably break for zero.
16125 - It will think that -0 is the same as +0 under some circumstances, since
16126 -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
16127
16128 The fix is to use std::unordered_map which does not require special empty
16129 and deleted values, and to use the raw bits instead of the double value as
16130 the key.
16131
16132 * dfg/DFGGraph.h:
16133 * dfg/DFGJITCompiler.cpp:
16134 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
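
The constructed example below (not JSC's DFGGraph code) shows why keying on the raw bits matters, for this entry and for the identical change re-landed on 2014-06-18 above. Two small constant tables intern doubles into slot indices, one keyed on the 64-bit pattern and one on the double itself. Since +0 == -0, a double-keyed std::unordered_map folds the two into a single slot although 1/+0 and 1/-0 differ in sign; and since NaN != NaN, an interned NaN can never be found again. The entry's other point, that a double key collides with WTF::HashMap's reserved empty value for zero, needs WTF and is not reproduced here.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_map>

// Constructed stand-ins for the constant table: value is the slot index.
using BitsKeyedMap = std::unordered_map<uint64_t, int>;
using DoubleKeyedMap = std::unordered_map<double, int>;

// The IEEE-754 bit pattern of a double, copied out to avoid aliasing issues.
uint64_t bitsOf(double value) {
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

// Interns a constant and returns its slot; a constant already present
// returns the slot it was given the first time.
int internByBits(BitsKeyedMap& map, double value) {
    auto result = map.emplace(bitsOf(value), static_cast<int>(map.size()));
    return result.first->second;
}

int internByValue(DoubleKeyedMap& map, double value) {
    auto result = map.emplace(value, static_cast<int>(map.size()));
    return result.first->second;
}

// Distinct slots handed out for +0, -0, +0 under each keying.
std::size_t slotsByBits() {
    BitsKeyedMap map;
    internByBits(map, 0.0);
    internByBits(map, -0.0);
    internByBits(map, 0.0);
    return map.size();  // 2: +0 and -0 keep separate slots
}

std::size_t slotsByValue() {
    DoubleKeyedMap map;
    internByValue(map, 0.0);
    internByValue(map, -0.0);
    internByValue(map, 0.0);
    return map.size();  // 1: -0 was folded into +0
}

// Whether a NaN interned earlier can be looked up again.
bool nanFoundByBits() {
    BitsKeyedMap map;
    double nan = std::nan("");
    internByBits(map, nan);
    return map.find(bitsOf(nan)) != map.end();
}

bool nanFoundByValue() {
    DoubleKeyedMap map;
    double nan = std::nan("");
    internByValue(map, nan);
    return map.find(nan) != map.end();  // false: NaN never equals itself
}
```

Keying on bits also means that distinct NaN payloads get distinct slots, which is the behaviour a constant table wants: the compiled code must reproduce the exact bit pattern the source had, not merely a value that compares equal to it.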
16135
161362014-06-17 Oliver Hunt <oliver@apple.com>
16137
16138 Fix error messages for incorrect hex literals
16139 https://bugs.webkit.org/show_bug.cgi?id=133998
16140
16141 Reviewed by Mark Lam.
16142
16143 Ensure that the error messages for bogus hex literals actually
16144 make sense.
16145
16146 * parser/Lexer.cpp:
16147 (JSC::Lexer<T>::lex):
16148 * parser/ParserTokens.h:
16149
161502014-06-17 Matthew Mirman <mmirman@apple.com>
16151
16152 Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
16153 https://bugs.webkit.org/show_bug.cgi?id=133814
16154
16155 Reviewed by Filip Pizlo.
16156
16157 Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
16158 script from using "*.o" as a file when no other files in the directory exist.
16159
16160 * build-symbol-table-index.sh: Added license.
16161 * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
16162
161632014-06-16 Sam Weinig <sam@webkit.org>
16164
16165 Move forward declaration of bindings static functions into their implementation files
16166 https://bugs.webkit.org/show_bug.cgi?id=133943
16167
16168 Reviewed by Geoffrey Garen.
16169
16170 * runtime/CommonIdentifiers.h:
16171 Add a few identifiers that are needed by the DOM.
16172
161732014-06-16 Mark Lam <mark.lam@apple.com>
16174
16175 Parser statementDepth accounting needs to account for when a function body excludes its braces.
16176 <https://webkit.org/b/133832>
16177
16178 Reviewed by Oliver Hunt.
16179
16180 In some cases (e.g. when a Function object is instantiated from a string), the
16181 function body source may not include its braces. The parser needs to account
16182 for this when calculating its statementDepth.
16183
16184 * bytecode/UnlinkedCodeBlock.cpp:
16185 (JSC::generateFunctionCodeBlock):
16186 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
16187 * bytecode/UnlinkedCodeBlock.h:
16188 * parser/Parser.cpp:
16189 (JSC::Parser<LexerType>::parseStatement):
16190 - Also fixed the error message for declaring nested functions in strict mode
16191 to be more accurate.
16192 * parser/Parser.h:
16193 (JSC::Parser<LexerType>::parse):
16194 (JSC::parse):
16195 * runtime/Executable.cpp:
16196 (JSC::ScriptExecutable::newCodeBlockFor):
16197
161982014-06-16 Juergen Ributzka <juergen@apple.com>
16199
16200 Change the order of the alias analysis passes to align with the opt pipeline of LLVM
16201 https://bugs.webkit.org/show_bug.cgi?id=133753
16202
16203 Reviewed by Geoffrey Garen.
16204
16205 The order in which the alias analysis passes are added affects also the
16206 order in which they are utilized. Change the order to align with the
16207 one used by LLVM itself. The last alias analysis pass added will be
16208 evaluated first. With this change we first perform a basic alias
16209 analysis and then use the type-based alias analysis (if required).
16210
16211 * ftl/FTLCompile.cpp:
16212 (JSC::FTL::compile):
16213
162142014-06-16 Juergen Ributzka <juergen@apple.com>
16215
16216 Fix the arguments passed to the LLVM dylib
16217 https://bugs.webkit.org/show_bug.cgi?id=133757
16218
16219 Reviewed by Geoffrey Garen.
16220
16221 The LLVM command line argument parser assumes that the first argument
16222 is the program name. We need to add a fake program name, otherwise the
16223 first argument will be parsed as program name and ignored.
16224
16225 * llvm/library/LLVMExports.cpp:
16226 (initializeAndGetJSCLLVMAPI):
16227
162282014-06-16 Michael Saboff <msaboff@apple.com>
16229
16230 Convert ASSERT in inlineFunctionForCapabilityLevel to early return
16231 https://bugs.webkit.org/show_bug.cgi?id=133903
16232
16233 Reviewed by Mark Hahnenberg.
16234
16235 Hardened code by converting ASSERT to return CannotCompile.
16236
16237 * dfg/DFGCapabilities.h:
16238 (JSC::DFG::inlineFunctionForCapabilityLevel):
16239
162402014-06-13 Sam Weinig <sam@webkit.org>
16241
16242 Store DOM constants directly in the JS object rather than jumping through a custom accessor
16243 https://bugs.webkit.org/show_bug.cgi?id=133898
16244
16245 Reviewed by Oliver Hunt.
16246
16247 * runtime/Lookup.h:
16248 (JSC::HashTableValue::attributes):
16249 Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
16250 and will make adding more flags possible.
16251
16252 (JSC::HashTableValue::propertyGetter):
16253 (JSC::HashTableValue::propertyPutter):
16254 Change assertion to use BuiltinOrFunctionOrConstant.
16255
16256 (JSC::HashTableValue::constantInteger):
16257 Added.
16258
16259 (JSC::getStaticPropertySlot):
16260 (JSC::getStaticValueSlot):
16261 Use PropertySlot::setValue() for constants during static lookup.
16262
16263 (JSC::reifyStaticProperties):
16264 Put the constant directly on the object when eagerly reifying.
16265
16266 * runtime/PropertySlot.h:
16267 Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
16268
162692014-06-14 Michael Saboff <msaboff@apple.com>
16270
16271 operationCreateArguments could cause a GC during OSR exit
16272 https://bugs.webkit.org/show_bug.cgi?id=133905
16273
16274 Reviewed by Filip Pizlo.
16275
16276 Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
16277 for use by OSR exit stubs.
16278
16279 * dfg/DFGOSRExitCompilerCommon.cpp:
16280 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
16281 * dfg/DFGOperations.cpp:
16282 * dfg/DFGOperations.h:
16283 * jit/JITOperations.cpp:
16284 * jit/JITOperations.h:
16285
162862014-06-13 Mark Hahnenberg <mhahnenberg@apple.com>
16287
16288 OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
16289 https://bugs.webkit.org/show_bug.cgi?id=133880
16290
16291 Reviewed by Filip Pizlo.
16292
16293 We could have exited due to a value received from an inlined block that's no longer on
16294 the stack, so we should just barrier all InlineCallFrames.
16295
16296 * dfg/DFGOSRExitCompilerCommon.cpp:
16297 (JSC::DFG::adjustAndJumpToTarget):
16298
162992014-06-13 Alex Christensen <achristensen@webkit.org>
16300
16301 Make css jit compile for armv7.
16302 https://bugs.webkit.org/show_bug.cgi?id=133596
16303
16304 Reviewed by Benjamin Poulain.
16305
16306 * assembler/MacroAssembler.h:
16307 Use branchPtr on ARM_THUMB2.
16308 * assembler/MacroAssemblerARMv7.h:
16309 (JSC::MacroAssemblerARMv7::addPtrNoFlags):
16310 (JSC::MacroAssemblerARMv7::or32):
16311 (JSC::MacroAssemblerARMv7::test32):
16312 (JSC::MacroAssemblerARMv7::branch):
16313 (JSC::MacroAssemblerARMv7::branchPtr):
16314 Added macros necessary for css jit.
16315
163162014-06-13 Filip Pizlo <fpizlo@apple.com>
16317
16318 Unreviewed, fix ARMv7.
16319
16320 * assembler/MacroAssemblerARMv7.h:
16321 (JSC::MacroAssemblerARMv7::abortWithReason):
16322
163232014-06-12 Filip Pizlo <fpizlo@apple.com>
16324
16325 Even better diagnostics from DFG traps
16326 https://bugs.webkit.org/show_bug.cgi?id=133836
16327
16328 Reviewed by Oliver Hunt.
16329
16330 We now stuff the DFG::NodeType into a register before bailing. Also made the
16331 DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
16332 different numbers than any previous abort reasons.
16333
16334 * assembler/AbortReason.h:
16335 * assembler/MacroAssemblerARM64.h:
16336 (JSC::MacroAssemblerARM64::abortWithReason):
16337 * assembler/MacroAssemblerARMv7.h:
16338 (JSC::MacroAssemblerARMv7::abortWithReason):
16339 * assembler/MacroAssemblerX86.h:
16340 (JSC::MacroAssemblerX86::abortWithReason):
16341 * assembler/MacroAssemblerX86_64.h:
16342 (JSC::MacroAssemblerX86_64::abortWithReason):
16343 * dfg/DFGSpeculativeJIT.cpp:
16344 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
16345 (JSC::DFG::SpeculativeJIT::bail):
16346 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
16347 * dfg/DFGSpeculativeJIT.h:
16348
163492014-06-12 Simon Fraser <simon.fraser@apple.com>
16350
16351 Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
16352 https://bugs.webkit.org/show_bug.cgi?id=133840
16353
16354 Reviewed by Filip Pizlo.
16355
16356 Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
16357 when running DFG tests.
16358
16359 * API/JSCTestRunnerUtils.cpp:
16360 (JSC::numberOfDFGCompiles):
16361 (JSC::setNeverInline):
16362
163632014-06-12 Brent Fulgham <bfulgham@apple.com>
16364
16365 [Win] Avoid fork bomb during build
16366 https://bugs.webkit.org/show_bug.cgi?id=133837
16367 <rdar://problem/17296034>
16368
16369 Reviewed by Tim Horton.
16370
16371 * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
16372 reasonable default value when the 'num-cpus' script is not available.
16373
2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move structureHasRareData out of TypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=133800

        Reviewed by Andreas Kling.

        StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
        but we have a few spare bits in Structure so it would be nice to remove this hack.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
        (JSC::TypeInfo::structureHasRareData): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):

2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow enum guards to be generated from the replay json files
        https://bugs.webkit.org/show_bug.cgi?id=133399

        Reviewed by Csaba Osztrogonác.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.__init__):
        (InputsModel.parse_type_with_framework_name):
        (Generator.generate_header):
        (Generator.generate_implementation):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
        (Test::HandleWheelEvent::HandleWheelEvent):
        (Test::HandleWheelEvent::~HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        (JSC::InputTraits<Test::HandleWheelEvent>::encode):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
        (JSC::InputTraits<Test::HandleWheelEvent>::queue):
        (Test::HandleWheelEvent::platformEvent):
        * replay/scripts/tests/generate-enum-with-guard.json: Added.

2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ build after r169823.

        Include StructureInlines.h in a few more files to fix linking
        issues due to JSC::Structure::get undefined symbol.

        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] One more URTBF after r169823 to make ARM64 build happy too.

        * runtime/JSMap.cpp:

2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching should try to flatten uncacheable dictionaries
        https://bugs.webkit.org/show_bug.cgi?id=133683

        Reviewed by Geoffrey Garen.

        There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
        which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
        If properties are deleted out of the object during its initialization, we can enable caching for that object by
        attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
        performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
        state then we can just give up on caching that object.

        In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
        the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
        the other inline caching functions to return this enum rather than the opaque booleans that we were previously
        returning.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::buildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::buildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::hasBeenFlattenedBefore):

2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] URTBF after r169823.

        * bindings/ScriptValue.cpp: Missing include added.

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.

        Rubber-stamped by Andreas Kling.

        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Turning on DUMP_PROPERTYMAP_STATS causes a build failure
        https://bugs.webkit.org/show_bug.cgi?id=133673

        Reviewed by Andreas Kling.

        Rewrote the property map statistics code because the old code wasn't building,
        and it was also mixing numbers for lookups and insertions/removals.

        New logging code records the number of calls to PropertyTable::find (finds) and
        PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
        the number of probes during updates and lookups.

        * jsc.cpp:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/Structure.cpp:
        (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):

2014-06-11  Andreas Kling  <akling@apple.com>

        Always inline JSValue::get() and Structure::get().
        <https://webkit.org/b/133755>

        Reviewed by Ryosuke Niwa.

        These functions get really hot, so ask the compiler to be more
        aggressive about inlining them.

        ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
        through GetByVal.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Rubber-stamped by Andreas Kling.

        Make materializePropertyMapIfNecessary always inline.

        This is ~12% improvement on the microbenchmark attached in the bug.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table in the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Andreas Kling  <akling@apple.com>

        Some JSValue::get() micro-optimizations.
        <https://webkit.org/b/133739>

        Tighten some of the property lookup code to improve performance of the
        eagerly reified prototype attributes:

        - Instead of converting the property name to an integer at every step
          in the prototype chain, move that to a separate pass at the end
          since it should be a rare case.

        - Cache the StructureIDTable in a local instead of fetching it from
          the Heap on every step.

        - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
          on the assumption that clients would mostly be cacheable GetByIds,
          and it gets pretty hot (~1%) in GetByVal.

        - Pass the Structure directly to fillCustomGetterPropertySlot instead
          of refetching it from the StructureIDTable.

        Reviewed by Geoff Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.

2014-06-10  Sam Weinig  <sam@webkit.org>

        Don't create a HashTable for JSObjects that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=133705

        Reviewed by Geoffrey Garen.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        Add a version of reifyStaticProperties that takes an array of HashTableValues
        rather than a HashTable.

2014-06-10  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
        https://bugs.webkit.org/show_bug.cgi?id=133698

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        * tests/stress/int52-inlined-call-argument.js: Added.
        (foo):
        (bar):

2014-06-10  Mark Lam  <mark.lam@apple.com>

        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
        <https://webkit.org/b/133356>

        Reviewed by Mark Hahnenberg.

        The root cause of this issue is that a nonPropertyTransition can transition
        a pinned dictionary structure to an unpinned dictionary structure. The new
        structure will get a copy of the property table from the original structure.
        However, when a GC occurs, the property table in the new structure will be
        cleared because it is unpinned. This leads to complications in subsequent
        derivative structures when flattening occurs, which eventually leads to the
        assertion failure in this bug.

        The fix is to ensure that the new dictionary structure generated by the
        nonPropertyTransition will have a copy of its predecessor's property table
        and is pinned.

        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2014-06-10  Michael Saboff  <msaboff@apple.com>

        In a certain app state, Array.prototype.filter() returns incorrect results
        https://bugs.webkit.org/show_bug.cgi?id=133577

        Reviewed by Oliver Hunt.

        Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Global HashTables contain references to atomic StringImpls
        https://bugs.webkit.org/show_bug.cgi?id=133661

        Reviewed by Geoffrey Garen.

        This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
        cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
        incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
        change the "keys" field of the static HashTables to be char** instead of StringImpl**.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::entry):

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix after r169703

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Eagerly reify DOM prototype attributes
        https://bugs.webkit.org/show_bug.cgi?id=133558

        Reviewed by Oliver Hunt.

        This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
        By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
        getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
        DOM wrappers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::get): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::get): Inlined due to hotness.
        (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):

2014-06-07  Mark Lam  <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect. However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure. This makes the
        code confusing to read and more error prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06  Andreas Kling  <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04  Timothy Horton  <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04  Oliver Hunt  <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04  Filip Pizlo  <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03  Filip Pizlo  <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31  Anders Carlsson  <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27  Filip Pizlo  <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27  Jon Lee  <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25  Filip Pizlo  <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.

        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs. That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.

        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since clang is the
        only compiler used in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24  Andreas Kling  <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23  Andreas Kling  <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>
17238
17239 Reviewed by Oliver Hunt.
17240
17241 Before r154797, we used to clear the VM exception before calling into the
17242 debugger. After r154797, we don't. This patch will restore this clearing
17243 of the exception before calling into the debugger.
17244
17245 Also added assertions after returning from calls into the debugger to
17246 ensure that the debugger did not introduce any exceptions.
17247
17248 * interpreter/Interpreter.cpp:
17249 (JSC::unwindCallFrame):
17250 (JSC::Interpreter::unwind):
17251 (JSC::Interpreter::debug):
17252 - Fixed the assertion here. Interpreter::debug() should never be called
17253 with a pending exception. Debugger callbacks for exceptions should be
17254 handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
17255
172562014-05-21 Filip Pizlo <fpizlo@apple.com>
17257
17258 Store barrier elision should run after DCE in both the DFG path and the FTL path
17259 https://bugs.webkit.org/show_bug.cgi?id=129718
17260
17261 Rubber stamped by Mark Hahnenberg.
17262
17263 * dfg/DFGPlan.cpp:
17264 (JSC::DFG::Plan::compileInThreadImpl):
17265
172662014-05-21 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
17267
17268 [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
17269 https://bugs.webkit.org/show_bug.cgi?id=132907
17270
17271 Reviewed by Gyuyoung Kim.
17272
17273 * CMakeLists.txt:
17274
172752014-05-16 Martin Robinson <mrobinson@igalia.com>
17276
17277 [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
17278 https://bugs.webkit.org/show_bug.cgi?id=132819
17279
17280 Reviewed by Carlos Garcia Campos.
17281
17282 * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
17283 use the common CMake ones directly.
17284
172852014-05-21 Filip Pizlo <fpizlo@apple.com>
17286
17287 Unreviewed, roll out http://trac.webkit.org/changeset/169159.
17288
17289 This was a unilateral change and wasn't properly reviewed.
17290
17291 * tests/mozilla/mozilla-tests.yaml:
17292
172932014-05-21 Antoine Quint <graouts@webkit.org>
17294
17295 Array.prototype.find and findIndex should skip holes
17296 https://bugs.webkit.org/show_bug.cgi?id=132658
17297
17298 Reviewed by Geoffrey Garen.
17299
17300 Skip holes in the array when iterating such that callback isn't called.
17301
17302 * builtins/Array.prototype.js:
17303 (find):
17304 (findIndex):
17305
173062014-05-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
17307
17308 REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
17309 https://bugs.webkit.org/show_bug.cgi?id=133149
17310
17311 Reviewed by Csaba Osztrogonác.
17312
17313 * tests/mozilla/mozilla-tests.yaml:
17314
173152014-05-20 Geoffrey Garen <ggaren@apple.com>
17316
17317 Rolled out <http://trac.webkit.org/changeset/166184>
17318 https://bugs.webkit.org/show_bug.cgi?id=133144
17319
17320 Reviewed by Gavin Barraclough.
17321
17322 It caused a performance regression.
17323
17324 * heap/BlockAllocator.cpp:
17325 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
17326
173272014-05-20 Filip Pizlo <fpizlo@apple.com>
17328
17329 DFG prediction propagation should agree with fixup phase over the return type of GetByVal
17330 https://bugs.webkit.org/show_bug.cgi?id=133134
17331
17332 Reviewed by Mark Hahnenberg.
17333
17334 Make prediction propagator use ArrayMode refinement to decide the return type.
17335
17336 Also introduce a heap prediction intrinsic that allows us to test weird corner cases
17337 like this. The only way we'll see a mismatch like this in the real world is probably
17338 through a gnarly race condition.
17339
17340 * dfg/DFGByteCodeParser.cpp:
17341 (JSC::DFG::ByteCodeParser::handleIntrinsic):
17342 * dfg/DFGNode.h:
17343 (JSC::DFG::Node::setHeapPrediction):
17344 * dfg/DFGPredictionPropagationPhase.cpp:
17345 (JSC::DFG::PredictionPropagationPhase::propagate):
17346 * jsc.cpp:
17347 (GlobalObject::finishCreation):
17348 (functionFalse1):
17349 (functionFalse2):
17350 (functionUndefined1):
17351 (functionUndefined2):
17352 (functionFalse): Deleted.
17353 (functionOtherFalse): Deleted.
17354 (functionUndefined): Deleted.
17355 * runtime/Intrinsic.h:
17356 * tests/stress/get-by-val-double-predicted-int.js: Added.
17357 (foo):
17358
173592014-05-20 Mark Hahnenberg <mhahnenberg@apple.com>
17360
17361 Watchdog timer should be lazily allocated
17362 https://bugs.webkit.org/show_bug.cgi?id=133135
17363
17364 Reviewed by Geoffrey Garen.
17365
17366 We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
17367 There is no reason to do this checking if we never activated the Watchdog, which can only be done through
17368 JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
17369
17370 By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
17371 these two API functions (which is true of most clients).
17372
17373 * API/JSContextRef.cpp:
17374 (JSContextGroupSetExecutionTimeLimit):
17375 (JSContextGroupClearExecutionTimeLimit):
17376 * dfg/DFGByteCodeParser.cpp:
17377 (JSC::DFG::ByteCodeParser::parseBlock):
17378 * dfg/DFGSpeculativeJIT32_64.cpp:
17379 (JSC::DFG::SpeculativeJIT::compile):
17380 * dfg/DFGSpeculativeJIT64.cpp:
17381 (JSC::DFG::SpeculativeJIT::compile):
17382 * interpreter/Interpreter.cpp:
17383 (JSC::Interpreter::execute):
17384 (JSC::Interpreter::executeCall):
17385 (JSC::Interpreter::executeConstruct):
17386 * jit/JITOpcodes.cpp:
17387 (JSC::JIT::emit_op_loop_hint):
17388 (JSC::JIT::emitSlow_op_loop_hint):
17389 * jit/JITOperations.cpp:
17390 * llint/LLIntSlowPaths.cpp:
17391 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
17392 * runtime/VM.h:
17393 * runtime/Watchdog.cpp:
17394 (JSC::Watchdog::Scope::Scope): Deleted.
17395 (JSC::Watchdog::Scope::~Scope): Deleted.
17396 * runtime/Watchdog.h:
17397 (JSC::Watchdog::Scope::Scope):
17398 (JSC::Watchdog::Scope::~Scope):
17399
174002014-05-19 Mark Hahnenberg <mhahnenberg@apple.com>
17401
17402 JSArray::shiftCountWith* could be more efficient
17403 https://bugs.webkit.org/show_bug.cgi?id=133011
17404
17405 Reviewed by Geoffrey Garen.
17406
17407 Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
17408 are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
17409 them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
17410
17411 * runtime/ArrayStorage.h:
17412 (JSC::ArrayStorage::indexingHeader):
17413 (JSC::ArrayStorage::length):
17414 (JSC::ArrayStorage::hasHoles):
17415 * runtime/IndexingHeader.h:
17416 (JSC::IndexingHeader::publicLength):
17417 (JSC::IndexingHeader::from):
17418 * runtime/JSArray.cpp:
17419 (JSC::JSArray::shiftCountWithArrayStorage):
17420 (JSC::JSArray::shiftCountWithAnyIndexingType):
17421 (JSC::JSArray::unshiftCountWithArrayStorage):
17422 * runtime/JSArray.h:
17423 (JSC::JSArray::shiftCountForShift):
17424 (JSC::JSArray::shiftCountForSplice):
17425 (JSC::JSArray::shiftCount):
17426 * runtime/Structure.cpp:
17427 (JSC::Structure::holesRequireSpecialBehavior):
17428 * runtime/Structure.h:
17429
174302014-05-19 Filip Pizlo <fpizlo@apple.com>
17431
17432 Test gardening: skip some failing tests on not-X86.
17433
17434 * tests/mozilla/mozilla-tests.yaml:
17435
174362014-05-19 Mark Lam <mark.lam@apple.com>
17437
17438 operationOptimize() should defer the GC for a while.
17439 <https://webkit.org/b/133103>
17440
17441 Reviewed by Filip Pizlo.
17442
17443 Currently, operationOptimize() only defers the GC until its end. As a result,
17444 a GC may be triggered just before we return from operationOptimize(), and it may
17445 jettison the optimize codeBlock that we're planning to OSR enter into when we
17446 return from this function. This is because the OSR entry on-ramp code hasn't
17447 been executed yet, and hence, there is not yet a reference to this new codeBlock
17448 from the stack, and there won't be until we've had a chance to return out of
17449 operationOptimize() to run the OSR entry on-ramp code.
17450
17451 This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
17452 ensures that the GC will be deferred until after the OSR entry on-ramp can be
17453 executed.
17454
17455 * jit/JITOperations.cpp:
17456
174572014-05-19 Filip Pizlo <fpizlo@apple.com>
17458
17459 Take care of some ARM64 test failures
17460 https://bugs.webkit.org/show_bug.cgi?id=133090
17461
17462 Reviewed by Geoffrey Garen.
17463
17464 Constant blinding on ARM64 cannot use the scratch register.
17465
17466 * assembler/MacroAssembler.h:
17467 (JSC::MacroAssembler::convertInt32ToDouble):
17468 (JSC::MacroAssembler::branchPtr):
17469 (JSC::MacroAssembler::storePtr):
17470 (JSC::MacroAssembler::store64):
17471 * assembler/MacroAssemblerARM64.h:
17472 (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
17473
174742014-05-19 Tanay C <tanay.c@samsung.com>
17475
17476 Removing some check-webkit-style warnings from ./dfg
17477 https://bugs.webkit.org/show_bug.cgi?id=132854
17478
17479 Reviewed by Darin Adler.
17480
17481 * dfg/DFGAbstractInterpreter.h:
17482 * dfg/DFGAbstractValue.h:
17483 * dfg/DFGBlockInsertionSet.h:
17484 * dfg/DFGCommonData.h:
17485 * dfg/DFGDominators.h:
17486 * dfg/DFGGraph.h:
17487 * dfg/DFGInPlaceAbstractState.h:
17488 * dfg/DFGPredictionPropagationPhase.h:
17489
174902014-05-18 Filip Pizlo <fpizlo@apple.com>
17491
17492 Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
17493 That was a long time ago.
17494
17495 * ftl/FTLLowerDFGToLLVM.cpp:
17496 (JSC::FTL::LowerDFGToLLVM::compileReturn):
17497
174982014-05-18 Rik Cabanier <cabanier@adobe.com>
17499
17500 support for navigator.hardwareConcurrency
17501 https://bugs.webkit.org/show_bug.cgi?id=132588
17502
17503 Reviewed by Filip Pizlo.
17504
17505 * Configurations/FeatureDefines.xcconfig:
17506
175072014-05-16 Michael Saboff <msaboff@apple.com>
17508
17509 Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
17510 https://bugs.webkit.org/show_bug.cgi?id=133009
17511
17512 Reviewed by Oliver Hunt.
17513
17514 If we determine that any alternative requires a minumum match size greater than
17515 INT_MAX, we handle the match in the interpreter.
17516
17517 Check to see if the pattern has unsigned lengths before invoking YARR JIT.
17518 * runtime/RegExp.cpp:
17519 (JSC::RegExp::compile):
17520 (JSC::RegExp::compileMatchOnly):
17521
17522 * tests/stress/large-regexp.js: New test added.
17523
17524 Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
17525 doesn't fit in an int.
17526 * yarr/YarrPattern.cpp:
17527 (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
17528
17529 Clear new m_containsUnsignedLengthPattern flag.
17530 * yarr/YarrPattern.cpp:
17531 (JSC::Yarr::YarrPattern::YarrPattern):
17532 * yarr/YarrPattern.h:
17533 (JSC::Yarr::YarrPattern::reset):
17534 (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
17535
175362014-05-15 Mark Hahnenberg <mhahnenberg@apple.com>
17537
17538 JSDOMWindow should not claim HasImpureGetOwnPropertySlot
17539 https://bugs.webkit.org/show_bug.cgi?id=132918
17540
17541 Reviewed by Geoffrey Garen.
17542
17543 * jit/Repatch.cpp:
17544 (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
17545
175462014-05-15 Alex Christensen <achristensen@webkit.org>
17547
17548 Add pointer lock to features without enabling it.
17549 https://bugs.webkit.org/show_bug.cgi?id=132961
17550
17551 Reviewed by Sam Weinig.
17552
17553 * Configurations/FeatureDefines.xcconfig:
17554 Added ENABLE_POINTER_LOCK to list of features.
17555
175562014-05-14 Mark Hahnenberg <mhahnenberg@apple.com>
17557
17558 Inline caching for proxies clobbers baseGPR too early
17559 https://bugs.webkit.org/show_bug.cgi?id=132916
17560
17561 Reviewed by Filip Pizlo.
17562
17563 We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
17564 gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
17565 until we know the inline cache is going to succeed.
17566
17567 * jit/Repatch.cpp:
17568 (JSC::generateByIdStub):
17569
175702014-05-14 Brent Fulgham <bfulgham@apple.com>
17571
17572 [Win] Unreviewed build fix.
17573
17574 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
17575 was missing commands to build LLInt portions of JSC.
17576 * llint/LLIntData.cpp: 64-bit build fix.
17577
175782014-05-14 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
17579
17580 ARM Traditional buildfix after r168776.
17581 https://bugs.webkit.org/show_bug.cgi?id=132903
17582
17583 Reviewed by Darin Adler.
17584
17585 * assembler/MacroAssemblerARM.h:
17586 (JSC::MacroAssemblerARM::abortWithReason): Added.
17587
175882014-05-14 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
17589
17590 Remove CSS_STICKY_POSITION guards
17591 https://bugs.webkit.org/show_bug.cgi?id=132676
17592
17593 Reviewed by Simon Fraser.
17594
17595 * Configurations/FeatureDefines.xcconfig:
17596
175972014-05-13 Filip Pizlo <fpizlo@apple.com>
17598
17599 JIT breakpoints should be more informative
17600 https://bugs.webkit.org/show_bug.cgi?id=132882
17601
17602 Reviewed by Oliver Hunt.
17603
17604 Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
17605 failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
17606 at that platform's abort reason register (r11 on X86-64 for example).
17607
17608 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
17609 * JavaScriptCore.xcodeproj/project.pbxproj:
17610 * assembler/AbortReason.h: Added.
17611 * assembler/AbstractMacroAssembler.h:
17612 * assembler/MacroAssemblerARM64.h:
17613 (JSC::MacroAssemblerARM64::abortWithReason):
17614 * assembler/MacroAssemblerARMv7.h:
17615 (JSC::MacroAssemblerARMv7::abortWithReason):
17616 * assembler/MacroAssemblerX86.h:
17617 (JSC::MacroAssemblerX86::abortWithReason):
17618 * assembler/MacroAssemblerX86_64.h:
17619 (JSC::MacroAssemblerX86_64::abortWithReason):
17620 * dfg/DFGSlowPathGenerator.h:
17621 (JSC::DFG::SlowPathGenerator::generate):
17622 * dfg/DFGSpeculativeJIT.cpp:
17623 (JSC::DFG::SpeculativeJIT::bail):
17624 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
17625 (JSC::DFG::SpeculativeJIT::compileMakeRope):
17626 * dfg/DFGSpeculativeJIT.h:
17627 (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
17628 * dfg/DFGSpeculativeJIT32_64.cpp:
17629 (JSC::DFG::SpeculativeJIT::compile):
17630 * dfg/DFGSpeculativeJIT64.cpp:
17631 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
17632 (JSC::DFG::SpeculativeJIT::compile):
17633 * dfg/DFGThunks.cpp:
17634 (JSC::DFG::osrEntryThunkGenerator):
17635 * jit/AssemblyHelpers.cpp:
17636 (JSC::AssemblyHelpers::jitAssertIsInt32):
17637 (JSC::AssemblyHelpers::jitAssertIsJSInt32):
17638 (JSC::AssemblyHelpers::jitAssertIsJSNumber):
17639 (JSC::AssemblyHelpers::jitAssertIsJSDouble):
17640 (JSC::AssemblyHelpers::jitAssertIsCell):
17641 (JSC::AssemblyHelpers::jitAssertTagsInPlace):
17642 (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
17643 (JSC::AssemblyHelpers::jitAssertIsNull):
17644 (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
17645 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
17646 * jit/AssemblyHelpers.h:
17647 (JSC::AssemblyHelpers::checkStackPointerAlignment):
17648 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
17649 * jit/JIT.h:
17650 * jit/JITArithmetic.cpp:
17651 (JSC::JIT::emitSlow_op_div):
17652 * jit/JITOpcodes.cpp:
17653 (JSC::JIT::emitSlow_op_loop_hint):
17654 * jit/JITOpcodes32_64.cpp:
17655 (JSC::JIT::privateCompileCTINativeCall):
17656 * jit/JITPropertyAccess.cpp:
17657 (JSC::JIT::emit_op_get_by_val):
17658 (JSC::JIT::compileGetDirectOffset):
17659 (JSC::JIT::addStructureTransitionCheck): Deleted.
17660 (JSC::JIT::testPrototype): Deleted.
17661 * jit/JITPropertyAccess32_64.cpp:
17662 (JSC::JIT::emit_op_get_by_val):
17663 (JSC::JIT::compileGetDirectOffset):
17664 * jit/RegisterPreservationWrapperGenerator.cpp:
17665 (JSC::generateRegisterRestoration):
17666 * jit/Repatch.cpp:
17667 (JSC::addStructureTransitionCheck):
17668 (JSC::linkClosureCall):
17669 * jit/ThunkGenerators.cpp:
17670 (JSC::emitPointerValidation):
17671 (JSC::nativeForGenerator):
17672 * yarr/YarrJIT.cpp:
17673 (JSC::Yarr::YarrGenerator::generate):
17674
176752014-05-13 peavo@outlook.com <peavo@outlook.com>
17676
17677 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
17678 https://bugs.webkit.org/show_bug.cgi?id=132772
17679
17680 Reviewed by Geoffrey Garen.
17681
17682 Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
17683 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
17684 This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
17685 The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
17686
17687 * assembler/MacroAssemblerARM.h:
17688 (JSC::MacroAssemblerARM::loadDouble):
17689 (JSC::MacroAssemblerARM::storeDouble):
17690 * assembler/MacroAssemblerARM64.h:
17691 (JSC::MacroAssemblerARM64::loadDouble):
17692 (JSC::MacroAssemblerARM64::storeDouble):
17693 * assembler/MacroAssemblerARMv7.h:
17694 (JSC::MacroAssemblerARMv7::loadDouble):
17695 (JSC::MacroAssemblerARMv7::storeDouble):
17696 * assembler/MacroAssemblerMIPS.h:
17697 (JSC::MacroAssemblerMIPS::loadDouble):
17698 (JSC::MacroAssemblerMIPS::storeDouble):
17699 * assembler/MacroAssemblerSH4.h:
17700 (JSC::MacroAssemblerSH4::loadDouble):
17701 (JSC::MacroAssemblerSH4::storeDouble):
17702 * assembler/MacroAssemblerX86.h:
17703 (JSC::MacroAssemblerX86::storeDouble):
17704 * assembler/MacroAssemblerX86Common.h:
17705 (JSC::MacroAssemblerX86Common::absDouble):
17706 (JSC::MacroAssemblerX86Common::negateDouble):
17707 (JSC::MacroAssemblerX86Common::loadDouble):
17708 * dfg/DFGSpeculativeJIT.cpp:
17709 (JSC::DFG::SpeculativeJIT::silentFill):
17710 (JSC::DFG::compileClampDoubleToByte):
17711 * dfg/DFGSpeculativeJIT32_64.cpp:
17712 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
17713 (JSC::DFG::SpeculativeJIT::compile):
17714 * jit/AssemblyHelpers.cpp:
17715 (JSC::AssemblyHelpers::purifyNaN):
17716 * jit/JITInlines.h:
17717 (JSC::JIT::emitLoadDouble):
17718 * jit/JITPropertyAccess.cpp:
17719 (JSC::JIT::emitFloatTypedArrayGetByVal):
17720 * jit/ThunkGenerators.cpp:
17721 (JSC::floorThunkGenerator):
17722 (JSC::roundThunkGenerator):
17723 (JSC::powThunkGenerator):
17724
177252014-05-12 Commit Queue <commit-queue@webkit.org>
17726
17727 Unreviewed, rolling out r168642.
17728 https://bugs.webkit.org/show_bug.cgi?id=132839
17729
17730 Broke ARM build (Requested by jpfau on #webkit).
17731
17732 Reverted changeset:
17733
17734 "[Win] Enum type with value zero is compatible with void*,
17735 potential cause of crashes."
17736 https://bugs.webkit.org/show_bug.cgi?id=132772
17737 http://trac.webkit.org/changeset/168642
17738
177392014-05-12 peavo@outlook.com <peavo@outlook.com>
17740
17741 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
17742 https://bugs.webkit.org/show_bug.cgi?id=132772
17743
17744 Reviewed by Geoffrey Garen.
17745
17746 Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
17747 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
17748 This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
17749 The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
17750
17751 * assembler/MacroAssemblerARM.h:
17752 (JSC::MacroAssemblerARM::loadDouble):
17753 (JSC::MacroAssemblerARM::storeDouble):
17754 * assembler/MacroAssemblerARM64.h:
17755 (JSC::MacroAssemblerARM64::loadDouble):
17756 (JSC::MacroAssemblerARM64::storeDouble):
17757 * assembler/MacroAssemblerARMv7.h:
17758 (JSC::MacroAssemblerARMv7::loadDouble):
17759 (JSC::MacroAssemblerARMv7::storeDouble):
17760 * assembler/MacroAssemblerMIPS.h:
17761 (JSC::MacroAssemblerMIPS::loadDouble):
17762 (JSC::MacroAssemblerMIPS::storeDouble):
17763 * assembler/MacroAssemblerSH4.h:
17764 (JSC::MacroAssemblerSH4::loadDouble):
17765 (JSC::MacroAssemblerSH4::storeDouble):
17766 * assembler/MacroAssemblerX86.h:
17767 (JSC::MacroAssemblerX86::storeDouble):
17768 * assembler/MacroAssemblerX86Common.h:
17769 (JSC::MacroAssemblerX86Common::absDouble):
17770 (JSC::MacroAssemblerX86Common::negateDouble):
17771 (JSC::MacroAssemblerX86Common::loadDouble):
17772 * dfg/DFGSpeculativeJIT.cpp:
17773 (JSC::DFG::SpeculativeJIT::silentFill):
17774 (JSC::DFG::compileClampDoubleToByte):
17775 * dfg/DFGSpeculativeJIT32_64.cpp:
17776 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
17777 (JSC::DFG::SpeculativeJIT::compile):
17778 * jit/AssemblyHelpers.cpp:
17779 (JSC::AssemblyHelpers::purifyNaN):
17780 * jit/JITInlines.h:
17781 (JSC::JIT::emitLoadDouble):
17782 * jit/JITPropertyAccess.cpp:
17783 (JSC::JIT::emitFloatTypedArrayGetByVal):
17784 * jit/ThunkGenerators.cpp:
17785 (JSC::floorThunkGenerator):
17786 (JSC::roundThunkGenerator):
17787 (JSC::powThunkGenerator):
17788
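The hardening pattern that both "[Win] Enum type with value zero is compatible with void*" entries above describe (the rolled-out r168642 and its re-landing), reduced to a stand-alone illustration of why an explicit-constructor wrapper closes the hole: with a `const void*` overload in play, MSVC would bind a zero-valued enumerator such as regT0 (eax on Windows) to that overload as a null pointer, so the store landed on address 0; with the pointer overload taking a wrapper that can only be constructed explicitly, no implicit conversion from an enum exists on any compiler and the register overload is the only candidate. This is an added example, not code from JavaScriptCore: `RegisterID`, `FPRegisterID`, `TrustedImmPtr`, `storeDouble` and `Chosen` are simplified stand-ins that only mirror the shape of the assembler API, and the overloads return which candidate was selected instead of emitting machine code.

```cpp
#include <cstdio>
#include <type_traits>

// Stand-ins for the assembler's register enums (assumed shapes, not JSC's definitions).
// regT0 maps to eax, whose enumerator value is 0: the value MSVC treated as a null pointer.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// A pointer immediate whose only constructor is explicit. Nothing converts to it
// implicitly, so a zero-valued enumerator can never be mistaken for a null pointer.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* value) : m_value(value) {}
    const void* m_value;
};

// Reports which overload was selected, standing in for the emitted instruction.
enum class Chosen { RegisterAddress, ImmediatePointer };

// "After" signatures: the absolute-address overload takes TrustedImmPtr, not const void*.
// Before the fix it was storeDouble(FPRegisterID, const void* address), and on MSVC
// storeDouble(xmm0, eax) could bind eax (== 0) to it, writing the register to address 0.
Chosen storeDouble(FPRegisterID, RegisterID) { return Chosen::RegisterAddress; }
Chosen storeDouble(FPRegisterID, TrustedImmPtr) { return Chosen::ImmediatePointer; }

// Store through the address held in a register. eax's numeric value of 0 no longer
// matters to overload resolution because no pointer overload accepts an enum.
Chosen storeViaRegister() { return storeDouble(xmm0, eax); }

// Store to an absolute address: the caller has to spell out the wrapper.
Chosen storeViaPointerSample() {
    static double slot = 0.0;   // constructed sample destination
    return storeDouble(xmm0, TrustedImmPtr(&slot));
}

// Compile-time statement of the guarantee: there is no implicit enum -> TrustedImmPtr
// conversion, so the call shape that crashed cannot be written on any compiler.
constexpr bool enumConvertsToImmPtr = std::is_convertible<RegisterID, TrustedImmPtr>::value;
static_assert(!enumConvertsToImmPtr, "an enum must not silently become a pointer immediate");

bool enumCanBecomePointerImmediate() { return enumConvertsToImmPtr; }

int main() {
    std::printf("storeDouble(xmm0, eax) -> register overload: %s\n",
                storeViaRegister() == Chosen::RegisterAddress ? "yes" : "no");
    std::printf("storeDouble(xmm0, TrustedImmPtr(&slot)) -> pointer overload: %s\n",
                storeViaPointerSample() == Chosen::ImmediatePointer ? "yes" : "no");
    std::printf("enum implicitly convertible to TrustedImmPtr: %s\n",
                enumCanBecomePointerImmediate() ? "yes" : "no");
    return 0;
}
```

The same wrapper idea generalises to any API that accepts a raw `void*` next to an integral or enum parameter: replacing the raw pointer with a type that has only explicit constructors turns a silent wrong-overload pick into a compile error, which is cheaper to find than a write to address 0 in a JIT.
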
2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

        Use JSCell::structure(VM&) to reduce the number of hoops we jump
        through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more than one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

2014-05-09  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
18041 kling on #webkit).
18042
18043 Reverted changeset:
18044
18045 "[X86] Emit BT instruction for single-bit tests."
18046 https://bugs.webkit.org/show_bug.cgi?id=132650
18047 http://trac.webkit.org/changeset/168451
18048
180492014-05-07 Filip Pizlo <fpizlo@apple.com>
18050
18051 Make Executable::clearCode() actually clear all of the entrypoints, and
18052 clean up some other FTL-related calling convention stuff.
18053 <rdar://problem/16720172>
18054
18055 Rubber stamped by Mark Hahnenberg.
18056
18057 * dfg/DFGOperations.cpp:
18058 * dfg/DFGOperations.h:
18059 * dfg/DFGWorklist.cpp:
18060 (JSC::DFG::Worklist::Worklist):
18061 (JSC::DFG::Worklist::finishCreation):
18062 (JSC::DFG::Worklist::create):
18063 (JSC::DFG::ensureGlobalDFGWorklist):
18064 (JSC::DFG::ensureGlobalFTLWorklist):
18065 * dfg/DFGWorklist.h:
18066 * heap/CodeBlockSet.cpp:
18067 (JSC::CodeBlockSet::dump):
18068 * heap/CodeBlockSet.h:
18069 * runtime/Executable.cpp:
18070 (JSC::ExecutableBase::clearCode):
18071
180722014-05-07 Andreas Kling <akling@apple.com>
18073
18074 [X86] Emit BT instruction for single-bit tests.
18075 <https://webkit.org/b/132650>
18076
18077 Implement test-bit-and-branch slightly more efficiently by using
18078 BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
18079 a single bit.
18080
18081 Reviewed by Michael Saboff.
18082
18083 * assembler/MacroAssemblerX86Common.h:
18084 (JSC::MacroAssemblerX86Common::singleBitIndex):
18085 (JSC::MacroAssemblerX86Common::branchTest32):
18086 * assembler/X86Assembler.h:
18087 (JSC::X86Assembler::bt_i8r):
18088 (JSC::X86Assembler::bt_i8m):
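
The entry above replaces a TEST-with-mask by a BT-on-bit-index whenever the mask has exactly one bit set. The following is an added illustration written for this page, not WebKit's assembler code: it shows the single-bit check the entry names, the two branch forms side by side, and an exhaustive agreement check over all 32 single-bit masks plus a few constructed multi-bit masks. The function names (singleBitIndex, branchTest32Mask, branchTest32Bit, singleBitFormsAgree) are hypothetical.

```cpp
// Added example, not WebKit code: the single-bit fast path described in the
// ChangeLog entry above, written as plain C++ so it can be checked anywhere.
// Names are hypothetical stand-ins for the MacroAssembler helpers.
#include <cstdint>

// Returns the index of the only set bit in `mask`, or -1 when `mask` has zero
// or more than one bit set (those cases still need the generic TEST form).
int singleBitIndex(uint32_t mask)
{
    if (mask == 0 || (mask & (mask - 1)) != 0)  // x & (x-1) clears the lowest set bit
        return -1;
    int index = 0;
    while ((mask & 1u) == 0) {
        mask >>= 1;
        ++index;
    }
    return index;
}

// Generic form: TEST value, mask ; JNZ.
bool branchTest32Mask(uint32_t value, uint32_t mask)
{
    return (value & mask) != 0;
}

// Single-bit form: BT value, index ; JC. Falls back to the mask form when the
// mask is not a single bit, as the assembler would have to.
bool branchTest32Bit(uint32_t value, uint32_t mask)
{
    int bit = singleBitIndex(mask);
    if (bit < 0)
        return branchTest32Mask(value, mask);
    return ((value >> bit) & 1u) != 0;
}

// Checks that both forms agree for every single-bit mask and for constructed
// multi-bit masks; returns true when they agree everywhere.
bool singleBitFormsAgree()
{
    const uint32_t values[] = { 0u, 1u, 0x80000000u, 0xdeadbeefu, 0xffffffffu, 0x00010000u };
    for (int bit = 0; bit < 32; ++bit) {
        uint32_t mask = 1u << bit;
        if (singleBitIndex(mask) != bit)
            return false;
        for (uint32_t v : values)
            if (branchTest32Mask(v, mask) != branchTest32Bit(v, mask))
                return false;
    }
    const uint32_t multi[] = { 0u, 3u, 0xf0u, 0xffffffffu };
    for (uint32_t mask : multi) {
        if (singleBitIndex(mask) != -1)
            return false;
        for (uint32_t v : values)
            if (branchTest32Mask(v, mask) != branchTest32Bit(v, mask))
                return false;
    }
    return true;
}
```

The rollout entry just above this one records that the change was reverted as not being a speed-up; the point of the check is only that the two encodings are semantically interchangeable for single-bit masks.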

2014-05-07 Mark Lam <mark.lam@apple.com>

REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
<https://webkit.org/b/131356>

Reviewed by Geoffrey Garen.

The issue is that GC needs to be made aware of writes to m_inferredValue
in the VariableWatchpointSet, but was not. As a result, if a JSCell*
is written to a VariableWatchpointSet m_inferredValue, and that JSCell
does not survive an eden GC shortly after, we will end up with a stale
JSCell pointer left in the m_inferredValue.

This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
using DumpRenderTree with the VM heap in zombie mode.

The fix is to change VariableWatchpointSet m_inferredValue to type
WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
is executed by all the execution engines so that the WriteBarrier semantics
are honored.

We still check if the value to be written is the same as the one in the
inferredValue. We'll by-pass calling the slow path notifyWrite() if the
values are the same.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
- need to pass the symbolTable to prepareToWatch() because it will be needed
for instantiating the VariableWatchpointSet in prepareToWatch().

* bytecode/VariableWatchpointSet.h:
(JSC::VariableWatchpointSet::VariableWatchpointSet):
- VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
(JSC::VariableWatchpointSet::inferredValue):
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
(JSC::VariableWatchpointSet::addressOfInferredValue):
(JSC::VariableWatchpointSet::notifyWrite): Deleted.
* bytecode/VariableWatchpointSetInlines.h: Added.
(JSC::VariableWatchpointSet::notifyWrite):

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::cellConstant):
- Added an assert in case we try to make constants of zombified JSCells again.

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
- We now let the slow path handle the cases when the VariableWatchpointSet is
in state ClearWatchpoint and IsWatched, and the slow path will ensure that
we handle the needed write barrier semantics correctly.
We will by-pass the slow path if the value being written is the same as the
inferred value.

* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
- Let the slow path handle the cases when the VariableWatchpointSet is
in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.

* heap/Heap.cpp:
(JSC::Zombify::operator()):
- Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
which is used everywhere else).
* heap/Heap.h:
(JSC::Heap::isZombified):
- Provide a convenience test function to check if JSCells are zombified. This is
currently only used in an assertion in the DFG bytecode parser, but the intent
is that we'll apply this test in other strategic places later to help with early
detection of usage of GC'ed objects when we run in zombie mode.

* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_captured_mov):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitNotifyWrite):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitNotifyWrite):
(JSC::JIT::emitSlow_op_put_to_scope):
- Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
is in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
- Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
is in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.

* runtime/CommonSlowPaths.cpp:

* runtime/JSCJSValue.h: Fixed some typos in the comments.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::prepareToWatch):
(JSC::SymbolTableEntry::notifyWriteSlow):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::notifyWrite):
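
The bug class the entry above fixes is a cached raw cell pointer that the collector never traces, which becomes a use-after-GC once the cell dies. The following is an added toy model written for this page, not JavaScriptCore code: a tiny heap with a zombie-mode collector that poisons dead cells instead of reusing them (the way the entry's zombie mode makes the bug detectable), a watchpoint set whose unbarriered store reproduces the stale pointer, and the barriered store with the same-value fast path the entry describes. Heap, Cell, VariableWatchpointSet, the helper names and the poison value 0xdead0bad are all hypothetical stand-ins; JSC's real types, WriteBarrier<Unknown> and its zombie pattern differ.

```cpp
// Added example, not JavaScriptCore code: a toy heap reproducing the stale
// m_inferredValue bug and the write-barrier fix described in the entry above.
// All names and the poison value are constructed for this illustration.
#include <cstdint>
#include <memory>
#include <vector>

// Constructed poison pattern written into dead cells in "zombie mode", so a
// later use of a collected cell is detectable instead of silently reading garbage.
static constexpr uint32_t kZombiePattern = 0xdead0bad;

struct Cell {
    uint32_t payload = 0;
    bool marked = false;
};

class Heap {
public:
    Cell* allocate(uint32_t payload)
    {
        cells_.push_back(std::make_unique<Cell>());
        cells_.back()->payload = payload;
        return cells_.back().get();
    }

    // Slots the collector traces. A write barrier's whole job is to make sure a
    // slot that now holds a cell pointer is known here before the next collection.
    void addTracedSlot(Cell** slot) { slots_.push_back(slot); }

    // Zombie-mode collection: unreachable cells are poisoned and kept rather than
    // freed, so a dangling reference can be asserted on instead of being UB.
    void collect()
    {
        for (auto& cell : cells_)
            cell->marked = false;
        for (Cell** slot : slots_)
            if (*slot)
                (*slot)->marked = true;
        for (auto& cell : cells_)
            if (!cell->marked)
                cell->payload = kZombiePattern;
    }

    static bool isZombified(const Cell* cell) { return cell->payload == kZombiePattern; }

private:
    std::vector<std::unique_ptr<Cell>> cells_;
    std::vector<Cell**> slots_;
};

// Caches an inferred value for a variable, as the entry's VariableWatchpointSet does.
struct VariableWatchpointSet {
    Cell* inferredValue = nullptr;
    Heap* owner = nullptr;   // the heap whose traced slots the barrier registers with
    bool registered = false;

    // Before the fix: a plain store. The collector never learns about this slot,
    // so the cell can die while inferredValue still points at it.
    void notifyWriteWithoutBarrier(Cell* value) { inferredValue = value; }

    // After the fix: a same-value write skips the slow path; anything else goes
    // through the barrier so the slot is traced.
    void notifyWrite(Cell* value)
    {
        if (value == inferredValue)
            return;                 // fast path, no barrier work needed
        notifyWriteSlow(value);
    }

    void notifyWriteSlow(Cell* value)
    {
        inferredValue = value;
        if (!registered) {
            owner->addTracedSlot(&inferredValue);
            registered = true;
        }
    }
};

// Stores a fresh cell into the watchpoint set, drops every other reference to
// it, collects, and reports whether the cached pointer now points at a zombie.
// true reproduces the bug; false shows the barrier keeping the cell alive.
bool cachedPointerIsStaleAfterGC(bool useBarrier)
{
    Heap heap;
    VariableWatchpointSet set;
    set.owner = &heap;
    Cell* cell = heap.allocate(42);
    if (useBarrier)
        set.notifyWrite(cell);
    else
        set.notifyWriteWithoutBarrier(cell);
    // In this toy, locals are not roots: the cache is the only reference left.
    heap.collect();
    return Heap::isZombified(set.inferredValue);
}
```

The detection side mirrors the entry's Heap::isZombified(): an assertion on the poison pattern at the point of use (here, right after collection) turns a silent dangling read into a deterministic failure, which is what made the Dromaeo crash reproducible in zombie mode.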

2014-05-06 Michael Saboff <msaboff@apple.com>

Unreviewed build fix for C-LOOP after r168396.

* runtime/TestRunnerUtils.cpp:
(JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)

2014-05-06 Michael Saboff <msaboff@apple.com>

Add test for deleteAllCompiledCode
https://bugs.webkit.org/show_bug.cgi?id=132632

Reviewed by Phil Pizlo.

Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
to write a test that will queue up loads of DFG compiles and then call
Heap::deleteAllCompiledCode() to make sure that it can handle compiled
code as well as code being compiled.

* jsc.cpp:
(GlobalObject::finishCreation):
(functionDeleteAllCompiledCode):
(functionOptimizeNextInvocation):
* runtime/TestRunnerUtils.cpp:
(JSC::optimizeNextInvocation):
* runtime/TestRunnerUtils.h:
* tests/stress/deleteAllCompiledCode.js: Added.
(functionList):
(runTest):

2014-05-06 Andreas Kling <akling@apple.com>

JSString::toAtomicString() should return AtomicString.
<https://webkit.org/b/132627>

Remove premature optimization where I was trying to avoid refcount
churn when returning an already atomicized String.

Instead of using reinterpret_cast to mangle the String member into
a const AtomicString& return value, just return AtomicString.

Reviewed by Geoff Garen.

* runtime/JSString.h:
(JSC::JSString::toAtomicString):

2014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>

Roll out r167889

Rubber stamped by Geoff Garen.

It broke some websites.

* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::hasDeletedOffset):
(JSC::PropertyTable::hadDeletedOffset): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::removePropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::pinAndPreventTransitions): Deleted.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::propertyTable):
(JSC::Structure::checkOffsetConsistency):
(JSC::Structure::hadDeletedOffsets): Deleted.
* tests/stress/for-in-after-delete.js:
(foo): Deleted.

2014-05-05 Andreas Kling <akling@apple.com>

Fix debug build.

* runtime/JSCellInlines.h:
(JSC::JSCell::fastGetOwnProperty):

2014-05-05 Andreas Kling <akling@apple.com>

Optimize GetByVal when subscript is a rope string.
<https://webkit.org/b/132590>

Use JSString::toIdentifier() in the various GetByVal implementations
to try and avoid allocating extra strings.

Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
in that, to avoid calling JSString::value() which always resolves ropes
into new strings and de-optimizes subsequent toIdentifier() calls.

My iMac says ~9% progression on Dromaeo/dom-attr.html

Reviewed by Phil Pizlo.

* dfg/DFGOperations.cpp:
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::fastGetOwnProperty):
(JSC::JSCell::canUseFastGetOwnProperty):

2014-05-05 Andreas Kling <akling@apple.com>

REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
<https://webkit.org/b/168256>
<rdar://problem/16816316>

Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
clear the fibers. The caller takes care of this.

Test: fast/dom/getElementById-with-rope-string-arg.html

Reviewed by Geoffrey Garen.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05 Michael Saboff <msaboff@apple.com>

REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
https://bugs.webkit.org/show_bug.cgi?id=132581

Reviewed by Filip Pizlo.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
started compiling for is still the same at the end of compilation.
Also did some minor restructuring.

2014-05-05 Andreas Kling <akling@apple.com>

Optimize PutByVal when subscript is a rope string.
<https://webkit.org/b/132572>

Add a JSString::toIdentifier() that is smarter when the JSString is
really a rope string. Use this in baseline & DFG's PutByVal to avoid
allocating new StringImpls that we immediately deduplicate anyway.

Reviewed by Antti Koivisto.

* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* jit/JITOperations.cpp:
* runtime/JSString.h:
(JSC::JSString::toIdentifier):

2014-05-05 Andreas Kling <akling@apple.com>

Remove two now-incorrect assertions after r168256.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04 Andreas Kling <akling@apple.com>

Optimize JSRopeString for resolving directly to AtomicString.
<https://webkit.org/b/132548>

If we know that the JSRopeString we are resolving is going to be used
as an AtomicString, we can try to avoid creating a new string.

We do this by first resolving the rope into a stack buffer, and using
that buffer as a key into the AtomicString table. If there is already
an AtomicString with the same characters, we reuse that instead of
constructing a new StringImpl.

JSString gains these two public functions:

- AtomicString toAtomicString()

Returns an AtomicString, tries to avoid allocating a new string
if possible.

- AtomicStringImpl* toExistingAtomicString()

Returns a non-null AtomicStringImpl* if one already exists in the
AtomicString table. If none is found, the rope is left unresolved.

Reviewed by Filip Pizlo.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::clearFibers):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::outOfMemory):
* runtime/JSString.h:
(JSC::JSString::toAtomicString):
(JSC::JSString::toExistingAtomicString):

2014-05-04 Andreas Kling <akling@apple.com>

Unreviewed, rolling out r168254.

Very crashy on debug JSC tests.

Reverted changeset:

"jsSubstring() should be lazy"
https://bugs.webkit.org/show_bug.cgi?id=132556
http://trac.webkit.org/changeset/168254

2014-05-04 Filip Pizlo <fpizlo@apple.com>

jsSubstring() should be lazy
https://bugs.webkit.org/show_bug.cgi?id=132556

Reviewed by Andreas Kling.

jsSubstring() is now lazy by using a special rope that is a substring instead of a
concatenation. To make this patch super simple, we require that a substring's base is
never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
path, or we go down a concatenation path which may see exactly one level of substrings in
its fibers.

This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::specializedSweep):
* runtime/JSString.cpp:
(JSC::JSRopeString::visitFibers):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
(JSC::JSRopeString::outOfMemory):
* runtime/JSString.h:
(JSC::JSRopeString::finishCreation):
(JSC::JSRopeString::append):
(JSC::JSRopeString::create):
(JSC::JSRopeString::offsetOfFibers):
(JSC::JSRopeString::fiber):
(JSC::JSRopeString::substringBase):
(JSC::JSRopeString::substringOffset):
(JSC::JSRopeString::substringSentinel):
(JSC::JSRopeString::isSubstring):
(JSC::jsSubstring):
* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::reifyAllProperties):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSubstring):
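
Two entries above describe related rope-string mechanics: Kling's "resolve directly to AtomicString" (resolve into a scratch buffer, look the buffer up in the atom table, and leave the rope unresolved when nothing is found) and Pizlo's lazy jsSubstring() (a substring rope whose base is never itself a rope, so resolution has a non-recursive substring path and a concatenation path that sees at most one level of substrings). The following is an added toy model written for this page, not JavaScriptCore code, that serves both entries. Rope, AtomTable and every function name are hypothetical stand-ins for JSRopeString, JSString and the AtomicString table; std::string stands in for the stack buffer and StringImpl.

```cpp
// Added example, not JavaScriptCore code: a toy rope modelling the lazy-substring
// invariant and the resolve-to-existing-atom lookup from the entries above.
// Names are hypothetical; std::string stands in for the stack buffer / StringImpl.
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

struct Rope;
using RopePtr = std::shared_ptr<Rope>;

struct Rope {
    enum class Kind { Leaf, Concat, Substring };
    Kind kind = Kind::Leaf;
    std::string chars;            // Leaf: the resolved characters
    std::vector<RopePtr> fibers;  // Concat: pieces, possibly one level of Substring
    RopePtr base;                 // Substring: always a Leaf, never a rope
    size_t offset = 0;
    size_t length = 0;
    bool isResolved() const { return kind == Kind::Leaf; }
};

RopePtr makeLeaf(std::string s)
{
    auto r = std::make_shared<Rope>();
    r->chars = std::move(s);
    return r;
}

RopePtr makeConcat(RopePtr a, RopePtr b)
{
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Concat;
    r->fibers = { std::move(a), std::move(b) };
    return r;
}

// Appends the rope's characters to `out` without resolving it. The substring
// path never recurses: its base is a Leaf by construction, so it is one copy.
void appendTo(const Rope& r, std::string& out)
{
    switch (r.kind) {
    case Rope::Kind::Leaf:
        out += r.chars;
        break;
    case Rope::Kind::Substring:
        out.append(r.base->chars, r.offset, r.length);
        break;
    case Rope::Kind::Concat:
        for (const RopePtr& f : r.fibers)
            appendTo(*f, out);  // nested concats recurse; substring fibers do not
        break;
    }
}

// Collapses the rope into a Leaf (dropping fibers/base) and returns its characters.
const std::string& resolve(Rope& r)
{
    if (!r.isResolved()) {
        std::string out;
        appendTo(r, out);
        r.chars = std::move(out);
        r.kind = Rope::Kind::Leaf;
        r.fibers.clear();
        r.base.reset();
    }
    return r.chars;
}

// Lazy substring: no characters are copied now. To keep the substring path
// non-recursive the base must not be a rope, so an unresolved base is resolved
// first (the invariant the jsSubstring() entry describes).
RopePtr makeSubstring(RopePtr base, size_t offset, size_t length)
{
    if (!base->isResolved())
        resolve(*base);
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Substring;
    r->base = std::move(base);
    r->offset = offset;
    r->length = length;
    return r;
}

using AtomTable = std::unordered_set<std::string>;

// toExistingAtomicString() analogue: resolve into a scratch buffer, look it up,
// return the existing atom or nullptr. The rope itself stays unresolved.
const std::string* resolveToExistingAtom(const Rope& r, const AtomTable& atoms)
{
    std::string buffer;
    appendTo(r, buffer);
    auto it = atoms.find(buffer);
    return it == atoms.end() ? nullptr : &*it;
}

// toAtomicString() analogue: same lookup, but interns the buffer when absent.
const std::string* toAtom(const Rope& r, AtomTable& atoms)
{
    std::string buffer;
    appendTo(r, buffer);
    return &*atoms.insert(std::move(buffer)).first;
}
```

Because appendTo() only reads, a lookup that misses costs one scratch buffer and leaves the rope's fibers intact for a later resolve, which is the behaviour the toExistingAtomicString() entry specifies. Pointers returned from the atom table stay valid across rehashes because std::unordered_set keeps element references stable.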
18462
184632014-05-02 Michael Saboff <msaboff@apple.com>
18464
18465 "arm64 function not 4-byte aligned" warnings when building JSC
18466 https://bugs.webkit.org/show_bug.cgi?id=132495
18467
18468 Reviewed by Geoffrey Garen.
18469
18470 Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
18471
18472 * llint/LowLevelInterpreter.cpp:
18473
184742014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>
18475
18476 Fix cloop build after r168178
18477
18478 * bytecode/CodeBlock.cpp:
18479
184802014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>
18481
18482 Add a DFG function whitelist
18483 https://bugs.webkit.org/show_bug.cgi?id=132437
18484
18485 Reviewed by Geoffrey Garen.
18486
18487 Often times when debugging, using bytecode ranges isn't enough to narrow down to the
18488 particular DFG block that's causing issues. This patch adds the ability to whitelist
18489 specific functions specified in a file to enable further filtering without having to recompile.
18490
18491 * CMakeLists.txt:
18492 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
18493 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
18494 * JavaScriptCore.xcodeproj/project.pbxproj:
18495 * dfg/DFGCapabilities.cpp:
18496 (JSC::DFG::isSupported):
18497 (JSC::DFG::mightInlineFunctionForCall):
18498 (JSC::DFG::mightInlineFunctionForClosureCall):
18499 (JSC::DFG::mightInlineFunctionForConstruct):
18500 * dfg/DFGFunctionWhitelist.cpp: Added.
18501 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
18502 (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
18503 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
18504 (JSC::DFG::FunctionWhitelist::contains):
18505 * dfg/DFGFunctionWhitelist.h: Added.
18506 * runtime/Options.cpp:
18507 (JSC::parse):
18508 (JSC::Options::dumpOption):
18509 * runtime/Options.h:
18510
185112014-05-02 Filip Pizlo <fpizlo@apple.com>
18512
18513 DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
18514 https://bugs.webkit.org/show_bug.cgi?id=132446
18515
18516 Reviewed by Mark Hahnenberg.
18517
18518 Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
18519 our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
18520 to indicate a bound on the value. This is useful for knowing, for example, that
18521 Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
18522 ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
18523 But this means that all arithmetic operations must be careful to note that they may
18524 turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
18525
18526 * dfg/DFGAbstractInterpreterInlines.h:
18527 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
18528 * dfg/DFGByteCodeParser.cpp:
18529 (JSC::DFG::ByteCodeParser::makeSafe):
18530 * tests/stress/int52-ai-add-then-filter-int32.js: Added.
18531 (foo):
18532 * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
18533 (foo):
18534 * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
18535 (foo):
18536 * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
18537 (foo):
18538 * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
18539 (foo):
18540 * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
18541 (foo):
18542
185432014-05-01 Geoffrey Garen <ggaren@apple.com>
18544
18545 JavaScriptCore fails to build with some versions of clang
18546 https://bugs.webkit.org/show_bug.cgi?id=132436
18547
18548 Reviewed by Anders Carlsson.
18549
18550 * runtime/ArgumentsIteratorConstructor.cpp: Since we call
18551 putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
18552 and both are marked inline, it's valid for the compiler to decide
18553 to inline both and emit neither in the binary. Therefore, we need
18554 both inline definitions to be available in the translation unit at
18555 compile time, or we'll try to link against a function that doesn't exist.
18556
185572014-05-01 Commit Queue <commit-queue@webkit.org>
18558
18559 Unreviewed, rolling out r167964.
18560 https://bugs.webkit.org/show_bug.cgi?id=132431
18561
18562 Memory improvements should not regress memory usage (Requested
18563 by olliej on #webkit).
18564
18565 Reverted changeset:
18566
18567 "Don't hold on to parameter BindingNodes forever"
18568 https://bugs.webkit.org/show_bug.cgi?id=132360
18569 http://trac.webkit.org/changeset/167964
18570
185712014-05-01 Filip Pizlo <fpizlo@apple.com>
18572
18573 Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
18574 https://bugs.webkit.org/show_bug.cgi?id=132427
18575
18576 Reviewed by Mark Hahnenberg.
18577
18578 * bytecode/CallLinkStatus.cpp:
18579 (JSC::CallLinkStatus::computeFor):
18580
185812014-04-30 Simon Fraser <simon.fraser@apple.com>
18582
18583 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
18584 https://bugs.webkit.org/show_bug.cgi?id=132396
18585
18586 Reviewed by Eric Carlson.
18587
18588 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
18589
18590 * Configurations/FeatureDefines.xcconfig:
18591
185922014-04-30 Filip Pizlo <fpizlo@apple.com>
18593
18594 Argument flush formats should not be presumed to be JSValue since 'this' is weird
18595 https://bugs.webkit.org/show_bug.cgi?id=132404
18596
18597 Reviewed by Michael Saboff.
18598
18599 * dfg/DFGSpeculativeJIT.cpp:
18600 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
18601 * dfg/DFGSpeculativeJIT32_64.cpp:
18602 (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
18603 * dfg/DFGSpeculativeJIT64.cpp:
18604 (JSC::DFG::SpeculativeJIT::compile): Ditto.
18605 * dfg/DFGValueSource.cpp:
18606 (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
18607 * dfg/DFGValueSource.h:
18608 (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
18609 * ftl/FTLOSREntry.cpp:
18610 (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
18611 * tests/stress/strict-to-this-int.js: Added.
18612 (foo):
18613 (Number.prototype.valueOf):
18614 (test):
18615
186162014-04-29 Oliver Hunt <oliver@apple.com>
18617
18618 Don't hold on to parameterBindingNodes forever
18619 https://bugs.webkit.org/show_bug.cgi?id=132360
18620
18621 Reviewed by Geoffrey Garen.
18622
18623 Don't keep the parameter nodes anymore. Instead we store the
18624 original parameter string and reparse whenever we actually
18625 need them. Because we only actually need them for compilation
18626 this only results in a single extra parse.
18627
18628 * bytecode/UnlinkedCodeBlock.cpp:
18629 (JSC::generateFunctionCodeBlock):
18630 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
18631 (JSC::UnlinkedFunctionExecutable::visitChildren):
18632 (JSC::UnlinkedFunctionExecutable::finishCreation):
18633 (JSC::UnlinkedFunctionExecutable::paramString):
18634 (JSC::UnlinkedFunctionExecutable::parameters):
18635 (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
18636 * bytecode/UnlinkedCodeBlock.h:
18637 (JSC::UnlinkedFunctionExecutable::create):
18638 (JSC::UnlinkedFunctionExecutable::parameterCount):
18639 (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
18640 (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
18641 * parser/ASTBuilder.h:
18642 (JSC::ASTBuilder::ASTBuilder):
18643 (JSC::ASTBuilder::setFunctionBodyParameters):
18644 * parser/Nodes.h:
18645 (JSC::FunctionBodyNode::parametersStartOffset):
18646 (JSC::FunctionBodyNode::parametersEndOffset):
18647 (JSC::FunctionBodyNode::setParameterLocation):
18648 * parser/Parser.cpp:
18649 (JSC::Parser<LexerType>::parseFunctionInfo):
18650 (JSC::parseParameters):
18651 * parser/Parser.h:
18652 (JSC::parse):
18653 * parser/SourceCode.h:
18654 (JSC::SourceCode::subExpression):
18655 * parser/SyntaxChecker.h:
18656 (JSC::SyntaxChecker::setFunctionBodyParameters):
18657
186582014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
18659
18660 JSProxies should be cacheable
18661 https://bugs.webkit.org/show_bug.cgi?id=132351
18662
18663 Reviewed by Geoffrey Garen.
18664
18665 Whenever we encounter a proxy in an inline cache we should try to cache on the
18666 proxy's target instead of giving up.
18667
18668 This patch adds support for a simple "recursive" inline cache if the base object
18669 we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
18670 are the only ones to benefit from this right now.
18671
18672 This is performance neutral on the benchmarks we track. Currently we won't
18673 cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
18674
18675 * jit/Repatch.cpp:
18676 (JSC::generateByIdStub):
18677 (JSC::tryBuildGetByIDList):
18678 (JSC::tryCachePutByID):
18679 (JSC::tryBuildPutByIdList):
18680 * jsc.cpp:
18681 (GlobalObject::finishCreation):
18682 (functionCreateProxy):
18683 * runtime/IntendedStructureChain.cpp:
18684 (JSC::IntendedStructureChain::isNormalized):
18685 * runtime/JSCellInlines.h:
18686 (JSC::JSCell::isProxy):
18687 * runtime/JSGlobalObject.h:
18688 (JSC::JSGlobalObject::finishCreation):
18689 * runtime/JSProxy.h:
18690 (JSC::JSProxy::createStructure):
18691 (JSC::JSProxy::targetOffset):
18692 * runtime/JSType.h:
18693 * runtime/Operations.h:
18694 (JSC::isPrototypeChainNormalized):
18695 * runtime/Structure.h:
18696 (JSC::Structure::isProxy):
18697 * tests/stress/proxy-inline-cache.js: Added.
18698 (cacheOnTarget.getX):
18699 (cacheOnTarget):
18700 (cacheOnPrototypeOfTarget.getX):
18701 (cacheOnPrototypeOfTarget):
18702 (dontCacheOnProxyInPrototypeChain.getX):
18703 (dontCacheOnProxyInPrototypeChain):
18704 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
18705 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
18706
187072014-04-29 Filip Pizlo <fpizlo@apple.com>
18708
18709 Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
18710 https://bugs.webkit.org/show_bug.cgi?id=112840
18711
18712 Rubber stamped by Geoffrey Garen.
18713
18714 * Configurations/FeatureDefines.xcconfig:
18715
187162014-04-29 Geoffrey Garen <ggaren@apple.com>
18717
18718 String.prototype.trim removes U+200B from strings.
18719 https://bugs.webkit.org/show_bug.cgi?id=130184
18720
18721 Reviewed by Michael Saboff.
18722
18723 * runtime/StringPrototype.cpp:
18724 (JSC::trimString):
18725 (JSC::isTrimWhitespace): Deleted.
18726
187272014-04-29 Mark Lam <mark.lam@apple.com>
18728
18729 Zombifying sweep should ignore retired blocks.
18730 <https://webkit.org/b/132344>
18731
18732 Reviewed by Mark Hahnenberg.
18733
18734 By definition, retired blocks do not have "dead" objects, or at least
18735 none that we know of yet until the next marking phase has been run
18736 over it. So, we should not be sweeping them (even for zombie mode).
18737
18738 * heap/Heap.cpp:
18739 (JSC::Heap::zombifyDeadObjects):
18740 * heap/MarkedSpace.cpp:
18741 (JSC::MarkedSpace::zombifySweep):
18742 * heap/MarkedSpace.h:
18743 (JSC::ZombifySweep::operator()):
18744
187452014-04-29 Mark Lam <mark.lam@apple.com>
18746
18747 Fix bit rot in zombie mode heap code.
18748 <https://webkit.org/b/132342>
18749
18750 Reviewed by Mark Hahnenberg.
18751
18752 Need to enter a DelayedReleaseScope before doing a sweep.
18753
18754 * heap/Heap.cpp:
18755 (JSC::Heap::zombifyDeadObjects):
18756
187572014-04-29 Tomas Popela <tpopela@redhat.com>
18758
18759 LLINT loadisFromInstruction doesn't need special case for big endians
18760 https://bugs.webkit.org/show_bug.cgi?id=132330
18761
18762 Reviewed by Mark Lam.
18763
18764 The change introduced in r167076 was wrong. We should not apply the offset
18765 adjustment on loadisFromInstruction usage as the instruction
18766 (UnlinkedInstruction) is declared as an union (i.e. with the int32_t
18767 operand variable). The offset of the other union members will be the
18768 same as the offset of the first one, that is 0. The behavior here is the
18769 same on little and big endian architectures. Thus we don't need
18770 special case for big endians.
18771
18772 * llint/LowLevelInterpreter.asm:
18773
2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>

Simplify tryCacheGetById
https://bugs.webkit.org/show_bug.cgi?id=132314

Reviewed by Oliver Hunt and Filip Pizlo.

This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

* jit/Repatch.cpp:
(JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28 Michael Saboff <msaboff@apple.com>

REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
https://bugs.webkit.org/show_bug.cgi?id=132315

Reviewed by Mark Hahnenberg.

Used the StringImpl version of utf8() instead of creating a String first.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):

2014-04-28 Filip Pizlo <fpizlo@apple.com>

The LLInt is awesome and it should get more of the action.

Rubber stamped by Geoffrey Garen.

5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.

* runtime/Options.h:

2014-04-27 Filip Pizlo <fpizlo@apple.com>

GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
https://bugs.webkit.org/show_bug.cgi?id=132166

Reviewed by Oliver Hunt and Mark Hahnenberg.

The GC can aid type inference by removing structures that are dead and jettisoning
code that relies on those structures. This can dramatically accelerate type inference
for some tricky programs.

Unfortunately, we previously pinned any structures that enqueued compilations depended
on. This means that if you're on a machine that only runs a single compilation thread
and where compilations are relatively slow, you have a high chance of large numbers of
structures being pinned during any GC since the compilation queue is likely to be full
of random stuff.

This comprehensively fixes this issue by allowing the GC to remove compilation plans
if the things they depend on are dead, and to even cancel safepointed compilations.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
(JSC::CodeBlock::isKnownToBeLiveDuringGC):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
* dfg/DFGDesiredIdentifiers.cpp:
(JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
* dfg/DFGDesiredIdentifiers.h:
* dfg/DFGDesiredWatchpoints.h:
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
* dfg/DFGDesiredWeakReferences.h:
* dfg/DFGGraphSafepoint.cpp:
(JSC::DFG::GraphSafepoint::GraphSafepoint):
* dfg/DFGGraphSafepoint.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::notifyCompiling):
(JSC::DFG::Plan::notifyCompiled):
(JSC::DFG::Plan::notifyReady):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::visitChildren): Deleted.
* dfg/DFGPlan.h:
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::Result::~Result):
(JSC::DFG::Safepoint::Result::didGetCancelled):
(JSC::DFG::Safepoint::Safepoint):
(JSC::DFG::Safepoint::~Safepoint):
(JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
(JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
(JSC::DFG::Safepoint::cancel):
(JSC::DFG::Safepoint::visitChildren): Deleted.
* dfg/DFGSafepoint.h:
(JSC::DFG::Safepoint::Result::Result):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::runThread):
(JSC::DFG::Worklist::visitChildren): Deleted.
* dfg/DFGWorklist.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLCompile.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::visitCompilerWorklistWeakReferences):
(JSC::Heap::removeDeadCompilerWorklistEntries):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::collect):
(JSC::Heap::visitCompilerWorklists): Deleted.
* heap/Heap.h:

2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>

Deleting properties poisons objects
https://bugs.webkit.org/show_bug.cgi?id=131551

Reviewed by Oliver Hunt.

This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::hasDeletedOffset):
(JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
iterating properties because we're required to iterate properties in insertion order.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
(JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
delete transitions, but we allow transitioning from them.
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
(JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::hadDeletedOffsets):
(JSC::Structure::propertyTable):
(JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
* tests/stress/for-in-after-delete.js: Added.
(foo):

2014-04-25 Andreas Kling <akling@apple.com>

Inline (C++) GetByVal with numeric indices more aggressively.
<https://webkit.org/b/132218>

We were already inlining the string indexed GetByVal path pretty well,
while the path for numeric indices got neglected. No more!

~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

Before: 199.50 runs/s
After: 218.58 runs/s

Reviewed by Phil Pizlo.

* dfg/DFGOperations.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::get):

ALWAYS_INLINE all the things.

* runtime/JSObject.h:
(JSC::JSObject::getPropertySlot):

Avoid fetching the Structure more than once. We have the same
optimization in the string-indexed code path.

2014-04-25 Oliver Hunt <oliver@apple.com>

Need earlier cell test
https://bugs.webkit.org/show_bug.cgi?id=132211

Reviewed by Mark Lam.

Move cell test to before the function call repatch
location, as the repatch logic for 32bit assumes that the
caller will already have performed a cell check.

* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):

2014-04-25 Andreas Kling <akling@apple.com>

Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
(JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25 Andreas Kling <akling@apple.com>

Windows build fix attempt.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25 Mark Lam <mark.lam@apple.com>

Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
<https://webkit.org/b/132201>

Reviewed by Joseph Pecoraro.

BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
BreakpointActions everywhere.

* inspector/ScriptBreakpoint.h:
(Inspector::ScriptBreakpoint::ScriptBreakpoint):
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::setBreakpoint):
(Inspector::ScriptDebugServer::getActionsForBreakpoint):
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::removeBreakpoint):
* inspector/agents/InspectorDebuggerAgent.h:

2014-04-24 Filip Pizlo <fpizlo@apple.com>

DFG worklist scanning should not treat the key as a separate entity
https://bugs.webkit.org/show_bug.cgi?id=132167

Reviewed by Mark Hahnenberg.

This simplifies the interface to the GC and will enable more optimizations.

* dfg/DFGCompilationKey.cpp:
(JSC::DFG::CompilationKey::visitChildren): Deleted.
* dfg/DFGCompilationKey.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::visitChildren):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::visitChildren):

2014-04-25 Oliver Hunt <oliver@apple.com>

Remove unused parameter from codeblock linking function
https://bugs.webkit.org/show_bug.cgi?id=132199

Reviewed by Anders Carlsson.

No change in behaviour. This is just a small change to make it
slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
actually mean.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedCodeBlock.h:
* runtime/Executable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25 Andreas Kling <akling@apple.com>

Mark some things with WTF_MAKE_FAST_ALLOCATED.
<https://webkit.org/b/132198>

Use FastMalloc for more things.

Reviewed by Anders Carlsson.

* builtins/BuiltinExecutables.h:
* heap/GCThreadSharedData.h:
* inspector/JSConsoleClient.h:
* inspector/agents/InspectorAgent.h:
* runtime/CodeCache.h:
* runtime/JSGlobalObject.h:
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
(JSC::HashTable::deleteTable):
* runtime/WeakGCMap.h:

2014-04-25 Antoine Quint <graouts@webkit.org>

Implement Array.prototype.find()
https://bugs.webkit.org/show_bug.cgi?id=130966

Reviewed by Oliver Hunt.

Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

* builtins/Array.prototype.js:
(find):
(findIndex):
* runtime/ArrayPrototype.cpp:

2014-04-24 Brady Eidson <beidson@apple.com>

Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
https://bugs.webkit.org/show_bug.cgi?id=132155

Reviewed by Tim Horton.

* Configurations/FeatureDefines.xcconfig:

2014-04-24 Michael Saboff <msaboff@apple.com>

REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
https://bugs.webkit.org/show_bug.cgi?id=132147

Reviewed by Mark Lam.

Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::or64):
(JSC::MacroAssemblerARM64::xor32):
(JSC::MacroAssemblerARM64::xor64):
* tests/stress/regress-132147.js: Added test.

2014-04-24 Mark Lam <mark.lam@apple.com>

Make slowPathAllocsBetweenGCs a runtime option.
<https://webkit.org/b/132137>

Reviewed by Mark Hahnenberg.

This will make it easier to more casually run tests with this configuration
as well as to reproduce issues (instead of requiring a code mod and rebuild).
We will now take --slowPathAllocsBetweenGCs=N where N is the number of
slow path allocations before we trigger a collection.

The option defaults to 0, which is reserved to mean that we will not trigger
any collections there.

* heap/Heap.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::doTestCollectionsIfNeeded):
(JSC::MarkedAllocator::allocateSlowCase):
* heap/MarkedAllocator.h:
* runtime/Options.h:

2014-04-23 Mark Lam <mark.lam@apple.com>

The GC should only resume compiler threads that it suspended in the same GC pass.
<https://webkit.org/b/132088>

Reviewed by Mark Hahnenberg.

Previously, this scenario could occur:
1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
no worklists were created yet at that time.
2. Thread 2 starts to compile some functions and creates a DFG worklist, and
acquires the worklist thread's lock.
3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
This time, it sees the worklist created by Thread 2 and ends up unlocking
the worklist thread's lock that is supposedly held by Thread 2.
Thereafter, chaos ensues.

The fix is to cache the worklists that were actually suspended by each GC pass,
and only resume those when the GC is done.

This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
the fast/workers layout tests.

* heap/Heap.cpp:
(JSC::Heap::visitCompilerWorklists):
(JSC::Heap::deleteAllCompiledCode):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::resumeCompilerThreads):
* heap/Heap.h:

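The three-step scenario in the entry above, replayed as an added model that is not JSC's Heap or DFG::Worklist code. Lock ownership is an explicit field standing in for the worklist mutex (an assumption made so that releasing a lock the GC never took can be counted rather than being undefined behaviour), and the pre-fix and fixed resume paths sit side by side so the difference is visible on the same replay.

```cpp
#include <memory>
#include <vector>

// Who currently holds a worklist's lock. A real lock is a mutex; this
// field lets the model detect a wrongful unlock instead of crashing.
enum class LockOwner { Nobody, CompilerThread, GC };

struct Worklist {
    LockOwner owner = LockOwner::Nobody;
};

// Registry of worklists. Other threads may append to it at any time,
// including while a collection is in progress.
struct VMModel {
    std::vector<std::shared_ptr<Worklist>> worklists;
};

class GCPass {
public:
    explicit GCPass(VMModel& vm) : m_vm(vm) {}

    // Takes every worklist lock that exists right now and, as the fix does,
    // remembers exactly which ones this pass took.
    void suspendCompilerThreads()
    {
        for (auto& w : m_vm.worklists) {
            w->owner = LockOwner::GC;      // stands in for w->lock.lock()
            m_suspended.push_back(w);
        }
    }

    // Pre-fix behaviour: walk the registry as it looks at resume time.
    // Returns how many locks were released that this pass never took.
    unsigned resumeByRescanningRegistry()
    {
        unsigned wrongfulReleases = 0;
        for (auto& w : m_vm.worklists) {
            if (w->owner != LockOwner::GC)
                ++wrongfulReleases;        // unlocking a lock another thread holds
            w->owner = LockOwner::Nobody;
        }
        return wrongfulReleases;
    }

    // Fixed behaviour: release only what suspendCompilerThreads() recorded.
    unsigned resumeSuspendedOnly()
    {
        unsigned wrongfulReleases = 0;
        for (auto& w : m_suspended) {
            if (w->owner != LockOwner::GC)
                ++wrongfulReleases;
            w->owner = LockOwner::Nobody;
        }
        m_suspended.clear();
        return wrongfulReleases;
    }

private:
    VMModel& m_vm;
    std::vector<std::shared_ptr<Worklist>> m_suspended;
};

struct ReplayResult {
    unsigned wrongfulReleases;          // locks released without owning them
    bool existingWorklistResumed;       // the pre-GC worklist is unlocked again
    bool compilerThreadStillHoldsLock;  // the mid-GC worklist is untouched
};

// Replays the entry's scenario, with one worklist that already existed
// before the GC so both paths have something legitimate to resume.
inline ReplayResult replayScenario(bool useFix)
{
    VMModel vm;
    auto existing = std::make_shared<Worklist>();
    vm.worklists.push_back(existing);

    // Step 1: GC starts and suspends whatever worklists exist at that time.
    GCPass gc(vm);
    gc.suspendCompilerThreads();

    // Step 2: another thread creates a worklist and its compiler thread takes the lock.
    auto created = std::make_shared<Worklist>();
    created->owner = LockOwner::CompilerThread;
    vm.worklists.push_back(created);

    // Step 3: GC completes and resumes compiler threads.
    unsigned wrongful = useFix ? gc.resumeSuspendedOnly() : gc.resumeByRescanningRegistry();
    return { wrongful,
             existing->owner == LockOwner::Nobody,
             created->owner == LockOwner::CompilerThread };
}
```

With the registry rescan the mid-GC worklist is "unlocked" out from under the thread that owns it; with the cached set it is left alone and the pre-GC worklist is still resumed as before.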
2014-04-23 Mark Hahnenberg <mhahnenberg@apple.com>

Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
https://bugs.webkit.org/show_bug.cgi?id=132079

Reviewed by Michael Saboff.

Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

Also added a test that previously triggered this bug.

* runtime/Arguments.cpp:
(JSC::Arguments::copyBackingStore): D'oh!
* tests/stress/arguments-copy-register-array-backing-store.js: Added.
(foo):
(bar):

2014-04-23 Mark Rowe <mrowe@apple.com>

[Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
<https://webkit.org/b/132053>

Reviewed by Dan Bernstein.

* JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
from /bin/sh since that generates unnecessary output.

2014-04-22 Mark Lam <mark.lam@apple.com>

DFG::Worklist should acquire the m_lock before iterating DFG plans.
<https://webkit.org/b/132032>

Reviewed by Filip Pizlo.

Currently, there's a rightToRun mechanism that ensures that no compilation
threads are running when the GC is iterating through the DFG worklists.
However, this does not prevent a Worker thread from doing a DFG compilation
and modifying the plans in the worklists thereby invalidating the plan
iterator that the GC is using. This patch fixes the issue by acquiring
the worklist m_lock before iterating the worklist plans.

This issue was uncovered by running the fast/workers layout tests with
COLLECT_ON_EVERY_ALLOCATION enabled.

* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::isActiveForVM):
(JSC::DFG::Worklist::visitChildren):

2014-04-22 Brent Fulgham <bfulgham@apple.com>

[Win] Support Python 2.7 in Cygwin
https://bugs.webkit.org/show_bug.cgi?id=132023

Reviewed by Michael Saboff.

* DerivedSources.make: Use a conditional variable to define
the path to Python/Perl.

2014-04-22 Filip Pizlo <fpizlo@apple.com>

Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
https://bugs.webkit.org/show_bug.cgi?id=130867
<rdar://problem/16432456>

Reviewed by Mark Hahnenberg.

* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:

2014-04-22 Alex Christensen <achristensen@webkit.org>

[Win] Unreviewed build fix after my r167666.

* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
Added ../../../ again to include headers in Source/JavaScriptCore.

2014-04-22 Alex Christensen <achristensen@webkit.org>

Removed old stdbool and inttypes headers.
https://bugs.webkit.org/show_bug.cgi?id=131966

Reviewed by Brent Fulgham.

* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
Removed references to os-win32 directory.
* os-win32: Removed.
* os-win32/inttypes.h: Removed.
* os-win32/stdbool.h: Removed.

2014-04-21 Filip Pizlo <fpizlo@apple.com>

DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
https://bugs.webkit.org/show_bug.cgi?id=131971
<rdar://problem/16676511>

Reviewed by Mark Lam.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

2014-04-21 Filip Pizlo <fpizlo@apple.com>

Switch statements that skip the baseline JIT should work
https://bugs.webkit.org/show_bug.cgi?id=131965

Reviewed by Mark Hahnenberg.

* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::ensureCTITable):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* tests/stress/inline-llint-with-switch.js: Added.
(foo):
(bar):
(test):

2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>

Arguments objects shouldn't need a destructor
https://bugs.webkit.org/show_bug.cgi?id=131899

Reviewed by Oliver Hunt.

This patch rids Arguments objects of their destructors. It does this by
switching their backing stores to use CopiedSpace rather than malloc memory.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
Arguments allocation so that it only emits an extra write for strict mode code rather
than unconditionally.
* heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
* runtime/Arguments.cpp:
(JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
(JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
(JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):
(JSC::Arguments::allocateRegisterArray):
(JSC::Arguments::tearOff):
(JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
* runtime/Arguments.h:
(JSC::Arguments::registerArraySizeInBytes):
(JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
allocation.
(JSC::Arguments::SlowArgumentData::slowArguments):
(JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
(JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
(JSC::Arguments::SlowArgumentData::sizeForNumArguments):
(JSC::Arguments::Arguments):
(JSC::Arguments::allocateSlowArguments):
(JSC::Arguments::tryDeleteArgument):
(JSC::Arguments::isDeletedArgument):
(JSC::Arguments::isArgument):
(JSC::Arguments::argument):
(JSC::Arguments::finishCreation):
* runtime/SymbolTable.h:

2014-04-21 Eric Carlson <eric.carlson@apple.com>

[Mac] implement WebKitDataCue
https://bugs.webkit.org/show_bug.cgi?id=131799

Reviewed by Dean Jackson.

* Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.

2014-04-21 Filip Pizlo <fpizlo@apple.com>

Unreviewed test gardening, run the repeat-out-of-bounds tests again.

* tests/stress/float32-repeat-out-of-bounds.js:
* tests/stress/int8-repeat-out-of-bounds.js:

2014-04-21 Filip Pizlo <fpizlo@apple.com>

OSR exit should know about Int52 and Double constants
https://bugs.webkit.org/show_bug.cgi?id=131945

Reviewed by Oliver Hunt.

The DFG OSR exit machinery's ignorance would lead to some constants becoming
jsUndefined() after OSR exit.

The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
stackmap constant rather than baking the constant into the OSRExit data structure.
So, not a big deal, but worth fixing.

Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasConstantNumber):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionOtherFalse):
(functionUndefined):
* runtime/Intrinsic.h:
* tests/stress/fold-to-double-constant-then-exit.js: Added.
(foo):
* tests/stress/fold-to-int52-constant-then-exit.js: Added.
(foo):

2014-04-21 Filip Pizlo <fpizlo@apple.com>

Provide feedback when we encounter an unrecognized node in the FTL backend.

Rubber stamped by Alexey Proskuryakov.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):

2014-04-21 Andreas Kling <akling@apple.com>

Move the JSString cache from DOMWrapperWorld to VM.
<https://webkit.org/b/131940>

Reviewed by Geoff Garen.

* runtime/VM.h:

2014-04-19 Filip Pizlo <fpizlo@apple.com>

Take block execution count estimates into account when voting double
https://bugs.webkit.org/show_bug.cgi?id=131906

Reviewed by Geoffrey Garen.

This was a drama in three acts.

Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
number of uses of a variable that want double or non-double. Easy as pie. This
gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
else.

Act II: Realize that there were some programs where our previous double voting was
just on the edge of disaster and making it more precise tipped it over. In
particular, if you had an integer variable that would infrequently be used in a
computation that resulted in a variable that was frequently used as an array index,
the outer infrequentness would be the thing we'd use in the vote. So, an array
index would become double. We fix this by reviving global backwards propagation
and introducing the concept of ReallyWantsInt, which is used just for array
indices. Any variable transitively flagged as ReallyWantsInt will never be forced
double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
be set in bitops for RageConversion but using it for double forcing is too much.
Basically, it's cheaper to have to convert a double to an int for a bitop than it
is to convert a double to an int for an array index; also a variable being used as
an array index is a much stronger hint that it ought to be an int. This recovered
performance on everything except programs that used FTL OSR entry.

Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
count, which then completely pollutes the weighting - essentially all votes go
NaN. Fix this with some surgical defenses. Basically, any client of execution
counts should allow for them to be NaN and shouldn't completely fall off a cliff
when it happens.

This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
7% speed-up on AsmBench and 2% speed-up on Kraken.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::run):
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::voteNode):
(JSC::DFG::Graph::voteChildren):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
* dfg/DFGVariableAccessData.cpp: Added.
(JSC::DFG::VariableAccessData::VariableAccessData):
(JSC::DFG::VariableAccessData::mergeIsCaptured):
(JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
(JSC::DFG::VariableAccessData::predict):
(JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
(JSC::DFG::VariableAccessData::mergeDoubleFormatState):
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
(JSC::DFG::VariableAccessData::flushFormat):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::vote):
(JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
(JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
(JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
(JSC::DFG::VariableAccessData::predict): Deleted.
(JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
(JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
(JSC::DFG::VariableAccessData::flushFormat): Deleted.

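The three acts above, as an added example that is not JSC's DFG code: the Act I weighted tally, how a single NaN block count poisons it (Act III), and a guarded tally that also carries the ReallyWantsInt veto from Act II. The vote records are constructed for the example; treating an unknown (NaN) count as weight 1 and deciding by simple majority are this example's assumptions, not JSC's actual thresholds.

```cpp
#include <cmath>
#include <vector>

// Constructed input: one record per use of a variable, saying whether the
// use wants a double and how often its block is estimated to execute.
struct UseVote {
    bool wantsDouble;
    double blockExecutionCount;
};

enum class Format { Double, Value };

// Act I tally: weight each use by its block's execution count and take the
// heavier side. One NaN count makes the affected sum NaN, and every
// comparison involving NaN is false, so the answer no longer reflects the votes.
inline Format tallyNaive(const std::vector<UseVote>& votes)
{
    double doubleWeight = 0, valueWeight = 0;
    for (const UseVote& v : votes) {
        if (v.wantsDouble)
            doubleWeight += v.blockExecutionCount;
        else
            valueWeight += v.blockExecutionCount;
    }
    return doubleWeight > valueWeight ? Format::Double : Format::Value;
}

// Reports whether the raw execution counts would poison a sum, i.e. the
// condition Act III had to defend against.
inline bool countsArePoisoned(const std::vector<UseVote>& votes)
{
    double total = 0;
    for (const UseVote& v : votes)
        total += v.blockExecutionCount;
    return std::isnan(total);
}

// Act III defence: an unknown (NaN) execution count is treated as a single
// plain use rather than being allowed into the arithmetic. Weight 1 is an
// assumption of this example.
inline double weightOf(double count)
{
    return std::isnan(count) ? 1.0 : count;
}

// Act II + III tally: a variable transitively flagged ReallyWantsInt (an
// array index) is never forced to double, and NaN counts are neutralised.
inline Format tallyGuarded(const std::vector<UseVote>& votes, bool reallyWantsInt)
{
    if (reallyWantsInt)
        return Format::Value;
    double doubleWeight = 0, valueWeight = 0;
    for (const UseVote& v : votes) {
        if (v.wantsDouble)
            doubleWeight += weightOf(v.blockExecutionCount);
        else
            valueWeight += weightOf(v.blockExecutionCount);
    }
    return doubleWeight > valueWeight ? Format::Double : Format::Value;
}

// Constructed sample: a hot loop full of double uses, one cold non-double
// use, and one use inside an OSR entrypoint block whose count is NaN.
inline std::vector<UseVote> sampleVotes()
{
    return {
        { true, 10000.0 },           // hot floating-point arithmetic
        { true, 10000.0 },
        { false, 3.0 },              // cold setup code
        { false, std::nan("") },     // OSR entrypoint block
    };
}
```

On the sample the naive tally answers Value for a variable that is overwhelmingly used as a double, purely because the Value side summed to NaN; the guarded tally answers Double, unless the variable is an array index, in which case the veto wins regardless of the weights.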
194692014-04-21 Michael Saboff <msaboff@apple.com>
19470
19471 REGRESSION(r167591): ARM64 and ARM traditional builds broken
19472 https://bugs.webkit.org/show_bug.cgi?id=131935
19473
19474 Reviewed by Mark Hahnenberg.
19475
19476 Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
19477 macro assemblers. Added a new test for the original patch.
19478
19479 * assembler/MacroAssemblerARM.h:
19480 (JSC::MacroAssemblerARM::store8):
19481 * assembler/MacroAssemblerARM64.h:
19482 (JSC::MacroAssemblerARM64::store8):
19483 * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
19484
194852014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
19486
19487 Inline allocate Arguments objects in the DFG
19488 https://bugs.webkit.org/show_bug.cgi?id=131897
19489
19490 Reviewed by Geoffrey Garen.
19491
19492 Many libraries/frameworks depend on the arguments object for overloaded API entry points.
19493 This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
19494 for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
19495
19496 * dfg/DFGSpeculativeJIT.cpp:
19497 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
19498 * dfg/DFGSpeculativeJIT.h:
19499 (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
19500 * dfg/DFGSpeculativeJIT32_64.cpp:
19501 (JSC::DFG::SpeculativeJIT::compile):
19502 * dfg/DFGSpeculativeJIT64.cpp:
19503 (JSC::DFG::SpeculativeJIT::compile):
19504 * runtime/Arguments.h:
19505 (JSC::Arguments::offsetOfActivation):
19506 (JSC::Arguments::offsetOfOverrodeLength):
19507 (JSC::Arguments::offsetOfIsStrictMode):
19508 (JSC::Arguments::offsetOfRegisterArray):
19509 (JSC::Arguments::offsetOfCallee):
19510 (JSC::Arguments::allocationSize):
19511
195122014-04-20 Andreas Kling <akling@apple.com>
19513
19514 Speed up jsStringWithCache() through WeakGCMap inlining.
19515 <https://webkit.org/b/131923>
19516
19517 Always inline WeakGCMap::add() but move the slow garbage collecting
19518 path out-of-line.
19519
19520 Reviewed by Darin Adler.
19521
19522 * runtime/WeakGCMap.h:
19523 (JSC::WeakGCMap::add):
19524 (JSC::WeakGCMap::gcMap):
19525
195262014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
19527
19528 JavaScriptCore: ARM build fix after r167094.
19529 https://bugs.webkit.org/show_bug.cgi?id=131612
19530
19531 Reviewed by Michael Saboff.
19532
19533 After r167094 there are many build errors on ARM like these:
19534
19535 /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
19536 /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
19537 /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
19538 /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
19539
19540 Problem is caused by the wrong generated assembly like:
19541 "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
19542
19543 `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts
19544 the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
19545 Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
19546 use case: move rn, (label1-label2) which is translated to movw and movt.
19547
19548 * llint/LowLevelInterpreter.asm:
19549 * offlineasm/arm.rb:
19550 * offlineasm/instructions.rb:
19551
195522014-04-20 Csaba Osztrogonác <ossy@webkit.org>
19553
19554 [ARM] Unreviewed build fix after r167336.
19555
19556 * assembler/MacroAssemblerARM.h:
19557 (JSC::MacroAssemblerARM::branchAdd32):
19558
195592014-04-20 Commit Queue <commit-queue@webkit.org>
19560
19561 Unreviewed, rolling out r167501.
19562 https://bugs.webkit.org/show_bug.cgi?id=131913
19563
19564 It broke DYEBench (Requested by mhahnenberg on #webkit).
19565
19566 Reverted changeset:
19567
19568 "Deleting properties poisons objects"
19569 https://bugs.webkit.org/show_bug.cgi?id=131551
19570 http://trac.webkit.org/changeset/167501
19571
195722014-04-19 Filip Pizlo <fpizlo@apple.com>
19573
19574 It should be OK to store new fields into objects that have no prototypes
19575 https://bugs.webkit.org/show_bug.cgi?id=131905
19576
19577 Reviewed by Mark Hahnenberg.
19578
19579 * dfg/DFGByteCodeParser.cpp:
19580 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
19581 * tests/stress/put-by-id-transition-null-prototype.js: Added.
19582 (foo):
19583
195842014-04-19 Benjamin Poulain <bpoulain@apple.com>
19585
19586 Make the CSS JIT compile for ARM64
19587 https://bugs.webkit.org/show_bug.cgi?id=131834
19588
19589 Reviewed by Gavin Barraclough.
19590
19591 Extend the ARM64 MacroAssembler to support the code generation required by
19592 the CSS JIT.
19593
19594 * assembler/MacroAssembler.h:
19595 * assembler/MacroAssemblerARM64.h:
19596 (JSC::MacroAssemblerARM64::addPtrNoFlags):
19597 (JSC::MacroAssemblerARM64::or32):
19598 (JSC::MacroAssemblerARM64::branchPtr):
19599 (JSC::MacroAssemblerARM64::test32):
19600 (JSC::MacroAssemblerARM64::branch):
19601 * assembler/MacroAssemblerX86Common.h:
19602 (JSC::MacroAssemblerX86Common::test32):
19603
19604 2014-04-19 Andreas Kling <akling@apple.com>
19605
19606 Two little shortcuts to the JSType.
19607 <https://webkit.org/b/131896>
19608
19609 Tweak two sites that take the long road through JSCell::structure()->typeInfo()
19610 to look at data that's already in JSCell::type().
19611
19612 Reviewed by Darin Adler.
19613
19614 * runtime/NameInstance.h:
19615 (JSC::isName):
19616 * runtime/NumberPrototype.cpp:
19617 (JSC::toThisNumber):
19618
19619 2014-04-19 Filip Pizlo <fpizlo@apple.com>
19620
19621 Make it easier to check if an integer sum would overflow
19622 https://bugs.webkit.org/show_bug.cgi?id=131900
19623
19624 Reviewed by Darin Adler.
19625
19626 * dfg/DFGOperations.cpp:
19627 * runtime/Operations.h:
19628 (JSC::jsString):
19629
19630 2014-04-19 Filip Pizlo <fpizlo@apple.com>
19631
19632 Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
19633
19634 * dfg/DFGOperations.cpp:
19635 * runtime/JSString.h:
19636 (JSC::JSRopeString::RopeBuilder::append):
19637
19638 2014-04-18 Mark Lam <mark.lam@apple.com>
19639
19640 REGRESSION(r164205): WebKit crash @StructureIDTable::get.
19641 <https://webkit.org/b/130539>
19642
19643 Reviewed by Geoffrey Garen.
19644
19645 prepareOSREntry() prepares for OSR entry by first copying the local var
19646 values from the baseline frame to a scratch buffer, which is then used
19647 to fill in the locals in their new position in the DFG frame. Unfortunately,
19648 prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
19649 size of the baseline frame. As a result, some values of locals in the
19650 baseline frame were not saved off, and the DFG frame may get initialized
19651 with random content that happened to be in the uninitialized (and possibly
19652 unallocated) portions of the scratch buffer.
19653
19654 The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
19655 number of locals in the baseline frame that we want to copy to the scratch
19656 buffer.
19657
19658 Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
19659 at offset 0 in the scratch buffer. So, we continue to write that value
19660 there, not the baseline frame size.
19661
19662 * dfg/DFGOSREntry.cpp:
19663 (JSC::DFG::prepareOSREntry):
19664
19665 2014-04-18 Timothy Hatcher <timothy@apple.com>
19666
19667 Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
19668 https://bugs.webkit.org/show_bug.cgi?id=131673
19669
19670 Passes existing profiler and inspector tests.
19671
19672 Reviewed by Joseph Pecoraro.
19673
19674 * CMakeLists.txt:
19675 * DerivedSources.make:
19676 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19677 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
19678 * JavaScriptCore.xcodeproj/project.pbxproj:
19679 * inspector/JSConsoleClient.cpp:
19680 (Inspector::JSConsoleClient::JSConsoleClient):
19681 (Inspector::JSConsoleClient::profile):
19682 (Inspector::JSConsoleClient::profileEnd):
19683 (Inspector::JSConsoleClient::count): Deleted.
19684 * inspector/JSConsoleClient.h:
19685 * inspector/JSGlobalObjectInspectorController.cpp:
19686 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
19687 * inspector/agents/InspectorProfilerAgent.cpp: Added.
19688 (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
19689 (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
19690 (Inspector::InspectorProfilerAgent::addProfile):
19691 (Inspector::InspectorProfilerAgent::createProfileHeader):
19692 (Inspector::InspectorProfilerAgent::enable):
19693 (Inspector::InspectorProfilerAgent::disable):
19694 (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
19695 (Inspector::InspectorProfilerAgent::getProfileHeaders):
19696 (Inspector::buildInspectorObject):
19697 (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
19698 (Inspector::InspectorProfilerAgent::getCPUProfile):
19699 (Inspector::InspectorProfilerAgent::removeProfile):
19700 (Inspector::InspectorProfilerAgent::reset):
19701 (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
19702 (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
19703 (Inspector::InspectorProfilerAgent::start):
19704 (Inspector::InspectorProfilerAgent::stop):
19705 (Inspector::InspectorProfilerAgent::setRecordingProfile):
19706 (Inspector::InspectorProfilerAgent::startProfiling):
19707 (Inspector::InspectorProfilerAgent::stopProfiling):
19708 * inspector/agents/InspectorProfilerAgent.h: Added.
19709 * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
19710 (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
19711 (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
19712 * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
19713 * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
19714 * profiler/Profile.h:
19715 * runtime/ConsoleClient.h:
19716
19717 2014-04-18 Commit Queue <commit-queue@webkit.org>
19718
19719 Unreviewed, rolling out r167527.
19720 https://bugs.webkit.org/show_bug.cgi?id=131883
19721
19722 Broke 32-bit build (Requested by ap on #webkit).
19723
19724 Reverted changeset:
19725
19726 "[Mac] implement WebKitDataCue"
19727 https://bugs.webkit.org/show_bug.cgi?id=131799
19728 http://trac.webkit.org/changeset/167527
19729
19730 2014-04-18 Eric Carlson <eric.carlson@apple.com>
19731
19732 [Mac] implement WebKitDataCue
19733 https://bugs.webkit.org/show_bug.cgi?id=131799
19734
19735 Reviewed by Dean Jackson.
19736
19737 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
19738
19739 2014-04-18 Filip Pizlo <fpizlo@apple.com>
19740
19741 Actually address Mark's review feedback.
19742
19743 * dfg/DFGOSRExitCompilerCommon.cpp:
19744 (JSC::DFG::handleExitCounts):
19745
19746 2014-04-18 Filip Pizlo <fpizlo@apple.com>
19747
19748 Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
19749 https://bugs.webkit.org/show_bug.cgi?id=131850
19750
19751 Reviewed by Mark Hahnenberg.
19752
19753 Templatize ExecutionCounter to allow for two different styles of calculating the
19754 checkpoint threshold.
19755
19756 Appears to be a slight speed-up on DYEBench.
19757
19758 * bytecode/CodeBlock.h:
19759 (JSC::CodeBlock::llintExecuteCounter):
19760 (JSC::CodeBlock::offsetOfJITExecuteCounter):
19761 (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
19762 (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
19763 (JSC::CodeBlock::jitExecuteCounter):
19764 * bytecode/ExecutionCounter.cpp:
19765 (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
19766 (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
19767 (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
19768 (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
19769 (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
19770 (JSC::applyMemoryUsageHeuristics):
19771 (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
19772 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
19773 (JSC::ExecutionCounter<countingVariant>::setThreshold):
19774 (JSC::ExecutionCounter<countingVariant>::reset):
19775 (JSC::ExecutionCounter<countingVariant>::dump):
19776 (JSC::ExecutionCounter::ExecutionCounter): Deleted.
19777 (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
19778 (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
19779 (JSC::ExecutionCounter::setNewThreshold): Deleted.
19780 (JSC::ExecutionCounter::deferIndefinitely): Deleted.
19781 (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
19782 (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
19783 (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
19784 (JSC::ExecutionCounter::setThreshold): Deleted.
19785 (JSC::ExecutionCounter::reset): Deleted.
19786 (JSC::ExecutionCounter::dump): Deleted.
19787 * bytecode/ExecutionCounter.h:
19788 (JSC::formattedTotalExecutionCount):
19789 (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
19790 (JSC::ExecutionCounter::clippedThreshold):
19791 (JSC::ExecutionCounter::formattedTotalCount): Deleted.
19792 * dfg/DFGJITCode.h:
19793 * dfg/DFGOSRExitCompilerCommon.cpp:
19794 (JSC::DFG::handleExitCounts):
19795 * llint/LowLevelInterpreter.asm:
19796 * runtime/Options.h:
19797
19798 2014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
19799
19800 Deleting properties poisons objects
19801 https://bugs.webkit.org/show_bug.cgi?id=131551
19802
19803 Reviewed by Geoffrey Garen.
19804
19805 This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
19806
19807 * runtime/Structure.cpp:
19808 (JSC::Structure::Structure):
19809 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
19810 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
19811 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
19812 delete transitions, but we allow transitioning from them.
19813 (JSC::Structure::changePrototypeTransition):
19814 (JSC::Structure::despecifyFunctionTransition):
19815 (JSC::Structure::attributeChangeTransition):
19816 (JSC::Structure::toDictionaryTransition):
19817 (JSC::Structure::preventExtensionsTransition):
19818 (JSC::Structure::addPropertyWithoutTransition):
19819 (JSC::Structure::removePropertyWithoutTransition):
19820 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
19821 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
19822 * runtime/Structure.h:
19823 * runtime/StructureInlines.h:
19824 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
19825
19826 2014-04-17 Filip Pizlo <fpizlo@apple.com>
19827
19828 InlineCallFrameSet should be refcounted
19829 https://bugs.webkit.org/show_bug.cgi?id=131829
19830
19831 Reviewed by Geoffrey Garen.
19832
19833 And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
19834 became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
19835 Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
19836 the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
19837
19838 So, just make the darn thing refcounted.
19839
19840 * bytecode/InlineCallFrameSet.h:
19841 * dfg/DFGArgumentsSimplificationPhase.cpp:
19842 (JSC::DFG::ArgumentsSimplificationPhase::run):
19843 * dfg/DFGByteCodeParser.cpp:
19844 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
19845 * dfg/DFGCommonData.h:
19846 * dfg/DFGGraph.cpp:
19847 (JSC::DFG::Graph::Graph):
19848 (JSC::DFG::Graph::requiredRegisterCountForExit):
19849 * dfg/DFGGraph.h:
19850 * dfg/DFGJITCompiler.cpp:
19851 (JSC::DFG::JITCompiler::link):
19852 * dfg/DFGPlan.cpp:
19853 (JSC::DFG::Plan::Plan):
19854 * dfg/DFGPlan.h:
19855 * dfg/DFGStackLayoutPhase.cpp:
19856 (JSC::DFG::StackLayoutPhase::run):
19857 * ftl/FTLFail.cpp:
19858 (JSC::FTL::fail):
19859 * ftl/FTLLink.cpp:
19860 (JSC::FTL::link):
19861
19862 2014-04-17 Filip Pizlo <fpizlo@apple.com>
19863
19864 FTL::fail() should manage memory "correctly"
19865 https://bugs.webkit.org/show_bug.cgi?id=131823
19866 <rdar://problem/16384297>
19867
19868 Reviewed by Oliver Hunt.
19869
19870 * ftl/FTLFail.cpp:
19871 (JSC::FTL::fail):
19872
19873 2014-04-17 Filip Pizlo <fpizlo@apple.com>
19874
19875 Prediction propagator should correctly model Int52s flowing through arguments
19876 https://bugs.webkit.org/show_bug.cgi?id=131822
19877 <rdar://problem/16641408>
19878
19879 Reviewed by Oliver Hunt.
19880
19881 * dfg/DFGPredictionPropagationPhase.cpp:
19882 (JSC::DFG::PredictionPropagationPhase::propagate):
19883 * tests/stress/int52-argument.js: Added.
19884 (foo):
19885 * tests/stress/int52-variable.js: Added.
19886 (foo):
19887
19888 2014-04-17 Filip Pizlo <fpizlo@apple.com>
19889
19890 REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
19891 https://bugs.webkit.org/show_bug.cgi?id=131798
19892
19893 Reviewed by Alexey Proskuryakov.
19894
19895 Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
19896 of this assertion can return. For now, it's not clear that the assertion is guarding
19897 any truly undesirable behavior - so it should just go away and be replaced with a
19898 FIXME.
19899
19900 * bytecode/GetByIdStatus.cpp:
19901 (JSC::GetByIdStatus::computeForStubInfo):
19902 * runtime/Structure.h:
19903 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
19904
19905 2014-04-17 David Kilzer <ddkilzer@apple.com>
19906
19907 Blind attempt to fix Windows build after r166837
19908 <http://webkit.org/b/131246>
19909
19910 Hoping to fix this build error:
19911
19912 warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
19913
19914 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
19915 boo-boo by changing the GCLogging.cpp ClCompile entry to a
19916 GCLogging.h ClInclude entry.
19917
19918 2014-04-16 Filip Pizlo <fpizlo@apple.com>
19919
19920 AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
19921 https://bugs.webkit.org/show_bug.cgi?id=131764
19922
19923 Reviewed by Geoffrey Garen.
19924
19925 The attached test case can be made to not crash by deleting old code. It used to be
19926 the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
19927 long ago. At this point, these guards just make life difficult. So get rid of them.
19928
19929 * dfg/DFGAbstractInterpreterInlines.h:
19930 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
19931 * dfg/DFGSpeculativeJIT32_64.cpp:
19932 (JSC::DFG::SpeculativeJIT::compile):
19933 * dfg/DFGSpeculativeJIT64.cpp:
19934 (JSC::DFG::SpeculativeJIT::compile):
19935 * tests/stress/bug-131764.js: Added.
19936 (test1):
19937 (test2):
19938
19939 2014-04-17 Darin Adler <darin@apple.com>
19940
19941 Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
19942 https://bugs.webkit.org/show_bug.cgi?id=131785
19943 rdar://problem/16003108
19944
19945 Reviewed by Brady Eidson.
19946
19947 * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
19948
19949 2014-04-16 Alexey Proskuryakov <ap@apple.com>
19950
19951 Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
19952
19953 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
19954
19955 2014-04-16 Filip Pizlo <fpizlo@apple.com>
19956
19957 Extra error reporting for invalid value conversions
19958 https://bugs.webkit.org/show_bug.cgi?id=131786
19959
19960 Rubber stamped by Ryosuke Niwa.
19961
19962 * dfg/DFGFixupPhase.cpp:
19963 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
19964
19965 2014-04-16 Filip Pizlo <fpizlo@apple.com>
19966
19967 Sink NaN sanitization to uses and remove it when it's unnecessary
19968 https://bugs.webkit.org/show_bug.cgi?id=131419
19969
19970 Reviewed by Oliver Hunt.
19971
19972 This moves NaN purification to stores that could see an impure NaN.
19973
19974 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
19975 though, because of the other bug that causes that benchmark to box doubles in a loop.
19976
19977 * bytecode/SpeculatedType.h:
19978 (JSC::isInt32SpeculationForArithmetic):
19979 (JSC::isMachineIntSpeculationForArithmetic):
19980 (JSC::isDoubleSpeculation):
19981 (JSC::isDoubleSpeculationForArithmetic):
19982 * dfg/DFGAbstractInterpreterInlines.h:
19983 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
19984 * dfg/DFGAbstractValue.cpp:
19985 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
19986 * dfg/DFGFixupPhase.cpp:
19987 (JSC::DFG::FixupPhase::fixupNode):
19988 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
19989 * dfg/DFGInPlaceAbstractState.cpp:
19990 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
19991 * dfg/DFGPredictionPropagationPhase.cpp:
19992 (JSC::DFG::PredictionPropagationPhase::propagate):
19993 * dfg/DFGSpeculativeJIT.cpp:
19994 (JSC::DFG::SpeculativeJIT::compileValueRep):
19995 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
19996 * dfg/DFGUseKind.h:
19997 (JSC::DFG::typeFilterFor):
19998 * ftl/FTLLowerDFGToLLVM.cpp:
19999 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
20000 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
20001 * runtime/PureNaN.h:
20002 * tests/stress/float32-array-nan-inlined.js: Added.
20003 (foo):
20004 (test):
20005 * tests/stress/float32-array-nan.js: Added.
20006 (foo):
20007 (test):
20008 * tests/stress/float64-array-nan-inlined.js: Added.
20009 (foo):
20010 (isBigEndian):
20011 (test):
20012 * tests/stress/float64-array-nan.js: Added.
20013 (foo):
20014 (isBigEndian):
20015 (test):
20016
20017 2014-04-16 Brent Fulgham <bfulgham@apple.com>
20018
20019 [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
20020 to 32-bit builds, and revise the comment to explain what we are
20021 doing.
20022
20023 * runtime/JSCJSValueInlines.h:
20024 (JSC::JSValue::isMachineInt): Provide motivation for the new
20025 'isinf' check for our 32-bit code path.
20026
20027 2014-04-16 Juergen Ributzka <juergen@apple.com>
20028
20029 Allocate the data section on the heap again for FTL on ARM64
20030 https://bugs.webkit.org/show_bug.cgi?id=130156
20031
20032 Reviewed by Geoffrey Garen and Filip Pizlo.
20033
20034 * ftl/FTLCompile.cpp:
20035 (JSC::FTL::mmAllocateDataSection):
20036 * ftl/FTLDataSection.cpp:
20037 (JSC::FTL::DataSection::DataSection):
20038 (JSC::FTL::DataSection::~DataSection):
20039 * ftl/FTLDataSection.h:
20040
20041 2014-04-16 Mark Lam <mark.lam@apple.com>
20042
20043 Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
20044 <https://webkit.org/b/131747>
20045
20046 Reviewed by Filip Pizlo.
20047
20048 When the debugger is about to activate (e.g. enter stepping mode), it first
20049 waits for all DFG compilations to complete. However, when the DFG completes,
20050 if compilation is successful, it will install a new DFG codeBlock. The
20051 CodeBlock installation process is required to register codeBlocks with the
20052 debugger. Debugger::registerCodeBlock() will eventually call
20053 CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
20054 trying to install. Thereafter, chaos ensues.
20055
20056 This jettisoning only happens because the debugger currently sets its
20057 m_steppingMode flag before waiting for compilation to complete. The fix is
20058 simply to set that flag only after compilation is complete.
20059
20060 * debugger/Debugger.cpp:
20061 (JSC::Debugger::setSteppingMode):
20062 (JSC::Debugger::registerCodeBlock):
20063
20064 2014-04-16 Filip Pizlo <fpizlo@apple.com>
20065
20066 Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
20067 https://bugs.webkit.org/show_bug.cgi?id=131420
20068
20069 Reviewed by Oliver Hunt.
20070
20071 Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
20072 replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
20073 goes through the purifyNaN() API.
20074
20075 SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
20076
20077 Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
20078 have to be too cautious since most prediction-based logic only cares about whether or not
20079 a value could be an integer.
20080
20081 AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
20082 anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
20083 soundly and precisely.
20084
20085 No performance change because this just unblocks
20086 https://bugs.webkit.org/show_bug.cgi?id=131419.
20087
20088 * API/JSValueRef.cpp:
20089 (JSValueMakeNumber):
20090 (JSValueToNumber):
20091 * JavaScriptCore.xcodeproj/project.pbxproj:
20092 * bytecode/SpeculatedType.cpp:
20093 (JSC::dumpSpeculation):
20094 (JSC::speculationFromValue):
20095 (JSC::typeOfDoubleSum):
20096 (JSC::typeOfDoubleDifference):
20097 (JSC::typeOfDoubleProduct):
20098 (JSC::polluteDouble):
20099 (JSC::typeOfDoubleQuotient):
20100 (JSC::typeOfDoubleMinMax):
20101 (JSC::typeOfDoubleNegation):
20102 (JSC::typeOfDoubleAbs):
20103 (JSC::typeOfDoubleFRound):
20104 (JSC::typeOfDoubleBinaryOp):
20105 (JSC::typeOfDoubleUnaryOp):
20106 * bytecode/SpeculatedType.h:
20107 * dfg/DFGAbstractInterpreterInlines.h:
20108 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
20109 * dfg/DFGByteCodeParser.cpp:
20110 (JSC::DFG::ByteCodeParser::handleInlining):
20111 (JSC::DFG::ByteCodeParser::parseCodeBlock):
20112 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
20113 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
20114 * dfg/DFGInPlaceAbstractState.cpp:
20115 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
20116 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
20117 (JSC::DFG::createPreHeader):
20118 * dfg/DFGNode.h:
20119 (JSC::DFG::BranchTarget::BranchTarget):
20120 * dfg/DFGOSREntrypointCreationPhase.cpp:
20121 (JSC::DFG::OSREntrypointCreationPhase::run):
20122 * dfg/DFGOSRExitCompiler32_64.cpp:
20123 (JSC::DFG::OSRExitCompiler::compileExit):
20124 * dfg/DFGOSRExitCompiler64.cpp:
20125 (JSC::DFG::OSRExitCompiler::compileExit):
20126 * dfg/DFGPredictionPropagationPhase.cpp:
20127 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
20128 (JSC::DFG::PredictionPropagationPhase::propagate):
20129 * dfg/DFGSpeculativeJIT.cpp:
20130 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
20131 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
20132 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
20133 * dfg/DFGSpeculativeJIT32_64.cpp:
20134 (JSC::DFG::SpeculativeJIT::compile):
20135 * dfg/DFGSpeculativeJIT64.cpp:
20136 (JSC::DFG::SpeculativeJIT::compile):
20137 * dfg/DFGVariableAccessData.h:
20138 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
20139 * ftl/FTLLowerDFGToLLVM.cpp:
20140 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
20141 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
20142 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
20143 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
20144 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
20145 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
20146 (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
20147 * ftl/FTLValueFormat.cpp:
20148 (JSC::FTL::reboxAccordingToFormat):
20149 * jit/AssemblyHelpers.cpp:
20150 (JSC::AssemblyHelpers::purifyNaN):
20151 (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
20152 * jit/AssemblyHelpers.h:
20153 * jit/JITPropertyAccess.cpp:
20154 (JSC::JIT::emitFloatTypedArrayGetByVal):
20155 * runtime/DateConstructor.cpp:
20156 (JSC::constructDate):
20157 * runtime/DateInstanceCache.h:
20158 (JSC::DateInstanceData::DateInstanceData):
20159 (JSC::DateInstanceCache::reset):
20160 * runtime/ExceptionHelpers.cpp:
20161 (JSC::TerminatedExecutionError::defaultValue):
20162 * runtime/JSArray.cpp:
20163 (JSC::JSArray::setLength):
20164 (JSC::JSArray::pop):
20165 (JSC::JSArray::shiftCountWithAnyIndexingType):
20166 (JSC::JSArray::sortVector):
20167 (JSC::JSArray::compactForSorting):
20168 * runtime/JSArray.h:
20169 (JSC::JSArray::create):
20170 (JSC::JSArray::tryCreateUninitialized):
20171 * runtime/JSCJSValue.cpp:
20172 (JSC::JSValue::toNumberSlowCase):
20173 * runtime/JSCJSValue.h:
20174 * runtime/JSCJSValueInlines.h:
20175 (JSC::jsNaN):
20176 (JSC::JSValue::JSValue):
20177 (JSC::JSValue::getPrimitiveNumber):
20178 * runtime/JSGlobalObjectFunctions.cpp:
20179 (JSC::parseInt):
20180 (JSC::jsStrDecimalLiteral):
20181 (JSC::toDouble):
20182 (JSC::jsToNumber):
20183 (JSC::parseFloat):
20184 * runtime/JSObject.cpp:
20185 (JSC::JSObject::createInitialDouble):
20186 (JSC::JSObject::convertUndecidedToDouble):
20187 (JSC::JSObject::convertInt32ToDouble):
20188 (JSC::JSObject::deletePropertyByIndex):
20189 (JSC::JSObject::ensureLengthSlow):
20190 * runtime/MathObject.cpp:
20191 (JSC::mathProtoFuncMax):
20192 (JSC::mathProtoFuncMin):
20193 * runtime/PureNaN.h: Added.
20194 (JSC::pureNaN):
20195 (JSC::isImpureNaN):
20196 (JSC::purifyNaN):
20197 * runtime/TypedArrayAdaptors.h:
20198 (JSC::FloatTypedArrayAdaptor::toJSValue):
20199
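Added illustration for the two NaN entries above ("Sink NaN sanitization to uses" and "Discern between NaNs that would be safe to tag"); it is not WebKit code and not part of the ChangeLog. It shows why a NaN-boxed value representation has to canonicalize NaNs before tagging: a NaN with arbitrary payload bits can collide with the bit patterns reserved for tagged non-doubles, and a Float32Array read is one place such payloads enter. The tag convention (top 16 bits all ones), the canonical NaN pattern and the function bodies are this example's own choices, not JavaScriptCore's.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Bit-level view of a double; memcpy avoids strict-aliasing problems.
static inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static inline double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// The one NaN this example treats as pure: exponent all ones, quiet bit set, payload zero.
constexpr uint64_t kPureNaNBits = 0x7FF8000000000000ull;
double pureNaN() { return doubleOf(kPureNaNBits); }

// Constructed tagging convention for this example only: a boxed word whose top
// 16 bits are all ones is a tagged non-double (e.g. an int in the low 32 bits).
constexpr uint64_t kTagPrefix = 0xFFFF000000000000ull;
bool collidesWithTagSpace(double d) { return (bitsOf(d) & kTagPrefix) == kTagPrefix; }

// Any NaN other than the canonical one is impure: its payload bits come from
// hardware or from data and may fall inside tag space.
bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Canonicalize impure NaNs; every non-NaN double (including -0.0 and the
// infinities) passes through with its bits unchanged.
double purifyNaN(double d) { return isImpureNaN(d) ? pureNaN() : d; }

// Boxing a double: purify first, so the stored word can never read back as a tag.
uint64_t boxDouble(double d) { return bitsOf(purifyNaN(d)); }

// One real source of impure NaNs: widening a float32 NaN keeps its sign (and, on
// common hardware, its payload) bits, so a Float32Array element can yield a NaN
// whose bits are nothing like the canonical pattern.
double widenFloat32(uint32_t floatBits)
{
    float f;
    std::memcpy(&f, &floatBits, sizeof f);
    return static_cast<double>(f);
}

int main()
{
    // Constructed NaN that, stored raw, would read back as "tagged int 42" here.
    double hostile = doubleOf(0xFFFF00000000002Aull);
    bool rawCollides = collidesWithTagSpace(hostile);
    bool boxedSafe = !collidesWithTagSpace(doubleOf(boxDouble(hostile)));
    return (rawCollides && boxedSafe) ? 0 : 1;
}
```

The purification is a store-side check in this example, which is the shape the first entry describes: values that are provably non-NaN (or already pure) need no work, and only a store that could see an impure NaN pays for the canonicalization.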
20200 2014-04-16 Juergen Ributzka <juergen@apple.com>
20201
20202 Enable system library calls in FTL for ARM64
20203 https://bugs.webkit.org/show_bug.cgi?id=130154
20204
20205 Reviewed by Geoffrey Garen and Filip Pizlo.
20206
20207 * ftl/FTLIntrinsicRepository.h:
20208 * ftl/FTLOutput.h:
20209 (JSC::FTL::Output::doubleRem):
20210 (JSC::FTL::Output::doubleSin):
20211 (JSC::FTL::Output::doubleCos):
20212
20213 2014-04-16 peavo@outlook.com <peavo@outlook.com>
20214
20215 Fix JSC Debug Regressions on Windows
20216 https://bugs.webkit.org/show_bug.cgi?id=131182
20217
20218 Reviewed by Brent Fulgham.
20219
20220 The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
20221 and set the st floating point register tags, if the value of the number parameter is infinite.
20222 If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
20223 This can be avoided by checking for infinity first.
20224
20225 * runtime/JSCJSValueInlines.h:
20226 (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
20227 * runtime/Options.cpp:
20228 (JSC::recomputeDependentOptions): Re-enable jit for Windows.
20229
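Added illustration for the isMachineInt() entry above (not WebKit code, not part of the ChangeLog): converting a double that is NaN, infinite, or outside the target range to an integer type is undefined behaviour in C++, and on x87 it also raises the invalid-operation flag, which is the stale register-tag symptom the entry describes. The safe order is to range-check first and cast second. The name isMachineInt is borrowed from the entry; the body, the 52-bit range and the -0.0 handling are this example's own.

```cpp
#include <cmath>
#include <cstdint>

// 2^63 is exactly representable as a double; any |x| strictly below it
// converts to int64_t without overflow.
constexpr double kInt64Bound = 9223372036854775808.0;

// Constructed range for this example's notion of a "machine int": signed 52-bit.
constexpr int64_t kMachineIntMax = (int64_t(1) << 51) - 1;
constexpr int64_t kMachineIntMin = -(int64_t(1) << 51);

bool isMachineInt(double number)
{
    // Reject NaN and +/-infinity before any cast. Comparisons with NaN are
    // false, so the negated form catches NaN; the bound excludes infinities
    // and any magnitude the cast could not represent.
    if (!(std::fabs(number) < kInt64Bound))
        return false;

    int64_t asInt = static_cast<int64_t>(number); // well-defined from here on

    if (static_cast<double>(asInt) != number)     // fractional part present
        return false;
    if (asInt == 0 && std::signbit(number))       // -0.0 is not an integer value
        return false;
    return asInt >= kMachineIntMin && asInt <= kMachineIntMax;
}
```

Note that testing `std::isinf` alone, as the entry's fix does, closes the infinity case; the single bound check above additionally covers NaN and finite values beyond int64_t, which the later cast would otherwise hit.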
20230 2014-04-16 Oliver Hunt <oliver@apple.com>
20231
20232 Simple ES6 feature: Array.prototype.fill
20233 https://bugs.webkit.org/show_bug.cgi?id=131703
20234
20235 Reviewed by David Hyatt.
20236
20237 Add support for Array.prototype.fill
20238
20239 * builtins/Array.prototype.js:
20240 (fill):
20241 * runtime/ArrayPrototype.cpp:
20242
20243 2014-04-16 Mark Hahnenberg <mhahnenberg@apple.com>
20244
20245 [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
20246 https://bugs.webkit.org/show_bug.cgi?id=131728
20247
20248 Reviewed by Darin Adler.
20249
20250 * runtime/JSObject.cpp:
20251 (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
20252 path we expect to never take. Also shut up confused compilers about uninitialized things.
20253
20254 2014-04-16 Filip Pizlo <fpizlo@apple.com>
20255
20256 Unreviewed, ARMv7 build fix after r167336.
20257
20258 * assembler/MacroAssemblerARMv7.h:
20259 (JSC::MacroAssemblerARMv7::branchAdd32):
20260
20261 2014-04-16 Gabor Rapcsanyi <rgabor@webkit.org>
20262
20263 Unreviewed, ARM64 build fix after r167336.
20264
20265 * assembler/MacroAssemblerARM64.h:
20266 (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
20267
20268 2014-04-15 Filip Pizlo <fpizlo@apple.com>
20269
20270 Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
20271
20272 * dfg/DFGAbstractInterpreterInlines.h:
20273 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
20274
20275 2014-04-15 Filip Pizlo <fpizlo@apple.com>
20276
20277 compileMakeRope does not emit necessary bounds checks
20278 https://bugs.webkit.org/show_bug.cgi?id=130684
20279 <rdar://problem/16398388>
20280
20281 Reviewed by Oliver Hunt.
20282
20283 Add string length bounds checks in a bunch of places. We should never allow a string
20284 to have a length greater than 2^31-1 because it's not clear that the language has
20285 semantics for it and because there is code that assumes that this cannot happen.
20286
20287 Also add a bunch of tests to that effect to cover the various ways in which this was
20288 previously allowed to happen.
20289
20290 * dfg/DFGOperations.cpp:
20291 * dfg/DFGSpeculativeJIT.cpp:
20292 (JSC::DFG::SpeculativeJIT::compileMakeRope):
20293 * ftl/FTLLowerDFGToLLVM.cpp:
20294 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
20295 * runtime/JSString.cpp:
20296 (JSC::JSRopeString::RopeBuilder::expand):
20297 * runtime/JSString.h:
20298 (JSC::JSString::create):
20299 (JSC::JSRopeString::RopeBuilder::append):
20300 (JSC::JSRopeString::RopeBuilder::release):
20301 (JSC::JSRopeString::append):
20302 * runtime/Operations.h:
20303 (JSC::jsString):
20304 (JSC::jsStringFromRegisterArray):
20305 (JSC::jsStringFromArguments):
20306 * runtime/StringPrototype.cpp:
20307 (JSC::stringProtoFuncIndexOf):
20308 (JSC::stringProtoFuncSlice):
20309 (JSC::stringProtoFuncSubstring):
20310 (JSC::stringProtoFuncToLowerCase):
20311 * tests/stress/make-large-string-jit-strcat.js: Added.
20312 (foo):
20313 * tests/stress/make-large-string-jit.js: Added.
20314 (foo):
20315 * tests/stress/make-large-string-strcat.js: Added.
20316 * tests/stress/make-large-string.js: Added.
20317
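Added illustration serving two entries above, "Make it easier to check if an integer sum would overflow" and "compileMakeRope does not emit necessary bounds checks" (it is not WebKit code and not part of the ChangeLog). It shows the two checks a string-length accumulator needs: an overflow-safe sum, and the 2^31-1 ceiling the second entry states. The overflow check is not redundant with the ceiling: a wrapped 32-bit sum such as 0xFFFFFFFF + 1 reads as 0 and would sail past a ceiling test on its own. The builder, constants and function names are this example's own.

```cpp
#include <cstdint>

// Ceiling the entry above describes: no string may be longer than 2^31-1.
constexpr uint32_t kMaxStringLength = 0x7FFFFFFFu;

// Overflow check for an unsigned 32-bit sum, computed in 64 bits so the answer
// does not depend on the wrapped result.
bool sumOverflows(uint32_t a, uint32_t b)
{
    return static_cast<uint64_t>(a) + static_cast<uint64_t>(b) > UINT32_MAX;
}

// Length of the concatenation of two strings. Returns false, leaving `out`
// untouched, if the sum wraps or exceeds the ceiling.
bool concatLength(uint32_t a, uint32_t b, uint32_t& out)
{
    if (sumOverflows(a, b))
        return false;
    uint32_t sum = a + b;
    if (sum > kMaxStringLength)
        return false;
    out = sum;
    return true;
}

// Convenience for callers that only need the yes/no answer.
bool concatAllowed(uint32_t a, uint32_t b)
{
    uint32_t unused;
    return concatLength(a, b, unused);
}

// Toy rope builder: accumulates fiber lengths and refuses any append that would
// push the rope past the ceiling, leaving its state unchanged on failure.
class BoundedRopeBuilder {
public:
    bool append(uint32_t fiberLength)
    {
        uint32_t newLength;
        if (!concatLength(m_length, fiberLength, newLength))
            return false;
        m_length = newLength;
        ++m_fiberCount;
        return true;
    }
    uint32_t length() const { return m_length; }
    uint32_t fiberCount() const { return m_fiberCount; }

private:
    uint32_t m_length = 0;
    uint32_t m_fiberCount = 0;
};

// Drives the builder exactly to the ceiling; true iff the first two appends
// are kept and the third, which would reach 2^31, is refused.
bool ropeStopsAtCeiling()
{
    BoundedRopeBuilder builder;
    bool first = builder.append(0x40000000u);  // 2^30
    bool second = builder.append(0x3FFFFFFFu); // 2^30 - 1, total 2^31 - 1
    bool third = builder.append(1u);           // would reach 2^31
    return first && second && !third
        && builder.length() == kMaxStringLength
        && builder.fiberCount() == 2;
}
```

The same two-step check applies wherever the entry lists a length being combined (slice, substring, strcat-style concatenation): compute the candidate length in a wider type or with an explicit overflow test, then compare against the ceiling, and fail the operation rather than produce a string with an unrepresentable length.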
20318 2014-04-15 Julien Brianceau <jbriance@cisco.com>
20319
20320 Remove invalid sh4 specific code in JITInlines header.
20321 https://bugs.webkit.org/show_bug.cgi?id=131692
20322
20323 Reviewed by Geoffrey Garen.
20324
20325 * jit/JITInlines.h:
20326 (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
20327 anymore since r160244, so the sh4 specific code is invalid now
20328 and has to be removed.
20329
20330 2014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
20331
20332 Fix precedence issue in JSCell::setRemembered
20333
20334 Rubber stamped by Filip Pizlo.
20335
20336 * runtime/JSCell.h:
20337 (JSC::JSCell::setRemembered):
20338
20339 2014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
20340
20341 Objective-C API external object graphs don't handle generational collection properly
20342 https://bugs.webkit.org/show_bug.cgi?id=131634
20343
20344 Reviewed by Geoffrey Garen.
20345
20346 If the set of Objective-C objects transitively reachable through an object changes, we
20347 need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
20348 won't rescan the external object graph, which would lead us to consider a newly allocated
20349 JSManagedValue to be dead.
20350
20351 * API/JSBase.cpp:
20352 (JSSynchronousEdenCollectForDebugging):
20353 * API/JSVirtualMachine.mm:
20354 (-[JSVirtualMachine initWithContextGroupRef:]):
20355 (-[JSVirtualMachine dealloc]):
20356 (-[JSVirtualMachine isOldExternalObject:]):
20357 (-[JSVirtualMachine addExternalRememberedObject:]):
20358 (-[JSVirtualMachine addManagedReference:withOwner:]):
20359 (-[JSVirtualMachine removeManagedReference:withOwner:]):
20360 (-[JSVirtualMachine externalRememberedSet]):
20361 (scanExternalObjectGraph):
20362 (scanExternalRememberedSet):
20363 * API/JSVirtualMachineInternal.h:
20364 * API/tests/testapi.mm:
20365 * heap/Heap.cpp:
20366 (JSC::Heap::markRoots):
20367 * heap/Heap.h:
20368 (JSC::Heap::slotVisitor):
20369 * heap/SlotVisitor.h:
20370 * heap/SlotVisitorInlines.h:
20371 (JSC::SlotVisitor::containsOpaqueRoot):
20372 (JSC::SlotVisitor::containsOpaqueRootTriState):
20373
203742014-04-15 Filip Pizlo <fpizlo@apple.com>
20375
20376 DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
20377 https://bugs.webkit.org/show_bug.cgi?id=131423
20378
20379 Reviewed by Geoffrey Garen.
20380
20381 This introduces more static typing into DFG IR. Previously we just had the notion of
20382 JSValues and Storage. This was weird because doubles weren't always convertible to
20383 JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
20384 sort of insert explicit conversion nodes just for the places where we knew that an
20385 implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
20386 we'd get bugs from forgetting to do the right conversion.
20387
20388 This patch introduces a hard and fast rule: doubles can never be implicitly converted to
20389 anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
20390 nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
20391 conversions. They are like Identity but return the same value using a different
20392 representation. Likewise, constants may now be represented using either JSConstant,
20393 Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
20394 Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
20395 Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
20396 we speculate DoubleReal and expect Double representation.
20397
20398 In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
20399 this also makes it easier to introduce optimizations in the future. It's now possible for
20400 AI to model when/how conversion take place. For example if doing a conversion results in
20401 NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
20402 what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
20403
20404 This was a big change, so I had to do some interesting things, like finally get rid of
20405 the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
20406 the ByteCodeParser no longer emits Identity nodes since that was always pointless.
20407
20408 No performance change because this mostly just rationalizes preexisting behavior.
20409
20410 * JavaScriptCore.xcodeproj/project.pbxproj:
20411 * assembler/MacroAssemblerX86.h:
20412 * bytecode/CodeBlock.cpp:
20413 * bytecode/CodeBlock.h:
20414 * dfg/DFGAbstractInterpreter.h:
20415 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
20416 (JSC::DFG::AbstractInterpreter::setConstant):
20417 * dfg/DFGAbstractInterpreterInlines.h:
20418 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
20419 * dfg/DFGAbstractValue.cpp:
20420 (JSC::DFG::AbstractValue::set):
20421 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
20422 (JSC::DFG::AbstractValue::checkConsistency):
20423 * dfg/DFGAbstractValue.h:
20424 * dfg/DFGBackwardsPropagationPhase.cpp:
20425 (JSC::DFG::BackwardsPropagationPhase::propagate):
20426 * dfg/DFGBasicBlock.h:
20427 * dfg/DFGBasicBlockInlines.h:
20428 (JSC::DFG::BasicBlock::appendNode):
20429 (JSC::DFG::BasicBlock::appendNonTerminal):
20430 * dfg/DFGByteCodeParser.cpp:
20431 (JSC::DFG::ByteCodeParser::parseBlock):
20432 * dfg/DFGCSEPhase.cpp:
20433 (JSC::DFG::CSEPhase::constantCSE):
20434 (JSC::DFG::CSEPhase::performNodeCSE):
20435 (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
20436 * dfg/DFGCapabilities.h:
20437 * dfg/DFGClobberize.h:
20438 (JSC::DFG::clobberize):
20439 * dfg/DFGConstantFoldingPhase.cpp:
20440 (JSC::DFG::ConstantFoldingPhase::foldConstants):
20441 * dfg/DFGDCEPhase.cpp:
20442 (JSC::DFG::DCEPhase::fixupBlock):
20443 * dfg/DFGEdge.h:
20444 (JSC::DFG::Edge::willNotHaveCheck):
20445 * dfg/DFGFixupPhase.cpp:
20446 (JSC::DFG::FixupPhase::run):
20447 (JSC::DFG::FixupPhase::fixupNode):
20448 (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
20449 (JSC::DFG::FixupPhase::observeUseKindOnNode):
20450 (JSC::DFG::FixupPhase::fixIntEdge):
20451 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
20452 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
20453 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
20454 (JSC::DFG::FixupPhase::fixEdgeRepresentation):
20455 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
20456 (JSC::DFG::FixupPhase::addRequiredPhantom):
20457 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
20458 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
20459 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
20460 * dfg/DFGFlushFormat.h:
20461 (JSC::DFG::resultFor):
20462 (JSC::DFG::useKindFor):
20463 * dfg/DFGGraph.cpp:
20464 (JSC::DFG::Graph::dump):
20465 * dfg/DFGGraph.h:
20466 (JSC::DFG::Graph::addNode):
20467 * dfg/DFGInPlaceAbstractState.cpp:
20468 (JSC::DFG::InPlaceAbstractState::initialize):
20469 * dfg/DFGInsertionSet.h:
20470 (JSC::DFG::InsertionSet::insertNode):
20471 (JSC::DFG::InsertionSet::insertConstant):
20472 (JSC::DFG::InsertionSet::insertConstantForUse):
20473 * dfg/DFGIntegerCheckCombiningPhase.cpp:
20474 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
20475 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
20476 * dfg/DFGNode.cpp:
20477 (JSC::DFG::Node::convertToIdentity):
20478 (WTF::printInternal):
20479 * dfg/DFGNode.h:
20480 (JSC::DFG::Node::Node):
20481 (JSC::DFG::Node::setResult):
20482 (JSC::DFG::Node::result):
20483 (JSC::DFG::Node::isConstant):
20484 (JSC::DFG::Node::hasConstant):
20485 (JSC::DFG::Node::convertToConstant):
20486 (JSC::DFG::Node::valueOfJSConstant):
20487 (JSC::DFG::Node::hasResult):
20488 (JSC::DFG::Node::hasInt32Result):
20489 (JSC::DFG::Node::hasInt52Result):
20490 (JSC::DFG::Node::hasNumberResult):
20491 (JSC::DFG::Node::hasDoubleResult):
20492 (JSC::DFG::Node::hasJSResult):
20493 (JSC::DFG::Node::hasBooleanResult):
20494 (JSC::DFG::Node::hasStorageResult):
20495 (JSC::DFG::Node::defaultUseKind):
20496 (JSC::DFG::Node::defaultEdge):
20497 (JSC::DFG::Node::convertToIdentity): Deleted.
20498 * dfg/DFGNodeFlags.cpp:
20499 (JSC::DFG::dumpNodeFlags):
20500 * dfg/DFGNodeFlags.h:
20501 (JSC::DFG::canonicalResultRepresentation):
20502 * dfg/DFGNodeType.h:
20503 * dfg/DFGOSRExitCompiler32_64.cpp:
20504 (JSC::DFG::OSRExitCompiler::compileExit):
20505 * dfg/DFGOSRExitCompiler64.cpp:
20506 (JSC::DFG::OSRExitCompiler::compileExit):
20507 * dfg/DFGPredictionPropagationPhase.cpp:
20508 (JSC::DFG::PredictionPropagationPhase::propagate):
20509 * dfg/DFGResurrectionForValidationPhase.cpp:
20510 (JSC::DFG::ResurrectionForValidationPhase::run):
20511 * dfg/DFGSSAConversionPhase.cpp:
20512 (JSC::DFG::SSAConversionPhase::run):
20513 * dfg/DFGSafeToExecute.h:
20514 (JSC::DFG::SafeToExecuteEdge::operator()):
20515 (JSC::DFG::safeToExecute):
20516 * dfg/DFGSpeculativeJIT.cpp:
20517 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
20518 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
20519 (JSC::DFG::SpeculativeJIT::silentFill):
20520 (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
20521 (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
20522 (JSC::DFG::JSValueRegsTemporary::regs):
20523 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
20524 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
20525 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
20526 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
20527 (JSC::DFG::SpeculativeJIT::compileValueRep):
20528 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
20529 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
20530 (JSC::DFG::SpeculativeJIT::compileAdd):
20531 (JSC::DFG::SpeculativeJIT::compileArithSub):
20532 (JSC::DFG::SpeculativeJIT::compileArithNegate):
20533 (JSC::DFG::SpeculativeJIT::compileArithMul):
20534 (JSC::DFG::SpeculativeJIT::compileArithDiv):
20535 (JSC::DFG::SpeculativeJIT::compileArithMod):
20536 (JSC::DFG::SpeculativeJIT::compare):
20537 (JSC::DFG::SpeculativeJIT::compileStrictEq):
20538 (JSC::DFG::SpeculativeJIT::speculateNumber):
20539 (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
20540 (JSC::DFG::SpeculativeJIT::speculate):
20541 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
20542 (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
20543 (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
20544 * dfg/DFGSpeculativeJIT.h:
20545 (JSC::DFG::SpeculativeJIT::allocate):
20546 (JSC::DFG::SpeculativeJIT::use):
20547 (JSC::DFG::SpeculativeJIT::boxDouble):
20548 (JSC::DFG::SpeculativeJIT::spill):
20549 (JSC::DFG::SpeculativeJIT::jsValueResult):
20550 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
20551 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
20552 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
20553 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
20554 * dfg/DFGSpeculativeJIT32_64.cpp:
20555 (JSC::DFG::SpeculativeJIT::fillJSValue):
20556 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
20557 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
20558 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
20559 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
20560 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
20561 (JSC::DFG::SpeculativeJIT::emitBranch):
20562 (JSC::DFG::SpeculativeJIT::compile):
20563 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
20564 * dfg/DFGSpeculativeJIT64.cpp:
20565 (JSC::DFG::SpeculativeJIT::fillJSValue):
20566 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
20567 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
20568 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
20569 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
20570 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
20571 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
20572 (JSC::DFG::SpeculativeJIT::emitBranch):
20573 (JSC::DFG::SpeculativeJIT::compile):
20574 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
20575 * dfg/DFGStrengthReductionPhase.cpp:
20576 (JSC::DFG::StrengthReductionPhase::handleNode):
20577 * dfg/DFGUseKind.cpp:
20578 (WTF::printInternal):
20579 * dfg/DFGUseKind.h:
20580 (JSC::DFG::typeFilterFor):
20581 (JSC::DFG::shouldNotHaveTypeCheck):
20582 (JSC::DFG::mayHaveTypeCheck):
20583 (JSC::DFG::isNumerical):
20584 (JSC::DFG::isDouble):
20585 (JSC::DFG::isCell):
20586 (JSC::DFG::usesStructure):
20587 (JSC::DFG::useKindForResult):
20588 * dfg/DFGValidate.cpp:
20589 (JSC::DFG::Validate::validate):
20590 * dfg/DFGVariadicFunction.h: Removed.
20591 * ftl/FTLCapabilities.cpp:
20592 (JSC::FTL::canCompile):
20593 * ftl/FTLLowerDFGToLLVM.cpp:
20594 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
20595 (JSC::FTL::LowerDFGToLLVM::compileNode):
20596 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
20597 (JSC::FTL::LowerDFGToLLVM::compilePhi):
20598 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
20599 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
20600 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
20601 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
20602 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
20603 (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
20604 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
20605 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
20606 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
20607 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
20608 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
20609 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
20610 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
20611 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
20612 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
20613 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
20614 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
20615 (JSC::FTL::LowerDFGToLLVM::compare):
20616 (JSC::FTL::LowerDFGToLLVM::boolify):
20617 (JSC::FTL::LowerDFGToLLVM::lowInt52):
20618 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
20619 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
20620 (JSC::FTL::LowerDFGToLLVM::lowDouble):
20621 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
20622 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
20623 (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
20624 (JSC::FTL::LowerDFGToLLVM::speculate):
20625 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
20626 (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
20627 (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
20628 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
20629 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
20630 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
20631 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
20632 * ftl/FTLValueFormat.cpp:
20633 (JSC::FTL::reboxAccordingToFormat):
20634 * jit/AssemblyHelpers.cpp:
20635 (JSC::AssemblyHelpers::sanitizeDouble):
20636 * jit/AssemblyHelpers.h:
20637 (JSC::AssemblyHelpers::boxDouble):
20638
206392014-04-15 Commit Queue <commit-queue@webkit.org>
20640
20641 Unreviewed, rolling out r167199 and r167251.
20642 https://bugs.webkit.org/show_bug.cgi?id=131678
20643
20644 Caused a DYEBench regression and does not seem to improve perf
20645 on relevant websites (Requested by rniwa on #webkit).
20646
20647 Reverted changesets:
20648
20649 "Rewrite Function.bind as a builtin"
20650 https://bugs.webkit.org/show_bug.cgi?id=131083
20651 http://trac.webkit.org/changeset/167199
20652
20653 "Update test result"
20654 http://trac.webkit.org/changeset/167251
20655
206562014-04-14 Commit Queue <commit-queue@webkit.org>
20657
20658 Unreviewed, rolling out r167272.
20659 https://bugs.webkit.org/show_bug.cgi?id=131666
20660
20661 Broke multiple tests (Requested by ap on #webkit).
20662
20663 Reverted changeset:
20664
20665 "Function.bind itself is too slow"
20666 https://bugs.webkit.org/show_bug.cgi?id=131636
20667 http://trac.webkit.org/changeset/167272
20668
206692014-04-14 Geoffrey Garen <ggaren@apple.com>
20670
20671 ASSERT when firing low memory warning
20672 https://bugs.webkit.org/show_bug.cgi?id=131659
20673
20674 Reviewed by Mark Hahnenberg.
20675
20676 * heap/Heap.cpp:
20677 (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
20678 called when no GC is happening because that is what we do when a low
20679 memory warning fires, and it is harmless.
20680
206812014-04-14 Mark Hahnenberg <mhahnenberg@apple.com>
20682
20683 emit_op_put_by_id should not emit a write barrier that filters on value
20684 https://bugs.webkit.org/show_bug.cgi?id=131654
20685
20686 Reviewed by Filip Pizlo.
20687
20688 The 32-bit implementation does this, and it can cause crashes if we later repatch the
20689 code to allocate and store new Butterflies.
20690
20691 * jit/JITPropertyAccess.cpp:
20692 (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
20693 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
20694 load down into the if statement so that we don't do it if we're not filtering on the value.
20695 * jit/JITPropertyAccess32_64.cpp:
20696 (JSC::JIT::emit_op_put_by_id):
20697
206982014-04-14 Oliver Hunt <oliver@apple.com>
20699
20700 Function.bind itself is too slow
20701 https://bugs.webkit.org/show_bug.cgi?id=131636
20702
20703 Reviewed by Geoffrey Garen.
20704
20705 Rather than forcing creation of an activation, we now store
20706 bound function properties directly on the returned closure.
20707 This is necessary to deal with code that creates many function
20708 bindings, but does not call them very often.
20709
20710 This is a 60% speed up in the included js/regress test.
20711
20712 * builtins/BuiltinExecutables.cpp:
20713 (JSC::BuiltinExecutables::createBuiltinExecutable):
20714 * builtins/Function.prototype.js:
20715 (bind.bindingFunction):
20716 (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
20717 (bind.else.switch.case.1.bindingFunction):
20718 (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
20719 (bind.else.switch.case.2.bindingFunction):
20720 (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
20721 (bind.else.switch.case.3.bindingFunction):
20722 (bind.else.switch.bindingFunction):
20723 (bind):
20724 (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
20725 (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
20726 (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
20727 * runtime/CommonIdentifiers.h:
20728
207292014-04-14 Julien Brianceau <jbriance@cisco.com>
20730
20731 [sh4] Allow use of SubImmediates in LLINT.
20732 https://bugs.webkit.org/show_bug.cgi?id=131608
20733
20734 Reviewed by Mark Lam.
20735
20736 Allow use of SubImmediates with const pool so the sh4 architecture can
20737 share the arm path for setEntryAddress macro. It reduces architecture
20738 specific code and lead to a more optimal generated code for sh4.
20739
20740 * llint/LowLevelInterpreter.asm:
20741 * offlineasm/sh4.rb:
20742
207432014-04-14 Andreas Kling <akling@apple.com>
20744
20745 Array.prototype.concat should allocate output storage only once.
20746 <https://webkit.org/b/131609>
20747
20748 Do a first pass across 'this' and any arguments to compute the
20749 final size of the resulting array from Array.prototype.concat.
20750 This avoids having to grow the output incrementally as we go.
20751
20752 This also includes two other micro-optimizations:
20753
20754 - Mark getProperty() with ALWAYS_INLINE.
20755
20756 - Use JSArray::length() instead of taking the generic property
20757 lookup path when we know an argument is an Array.
20758
20759 My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
20760
20761 Reviewed by Oliver & Darin.
20762
20763 * runtime/ArrayPrototype.cpp:
20764 (JSC::getProperty):
20765 (JSC::arrayProtoFuncConcat):
20766
207672014-04-14 Commit Queue <commit-queue@webkit.org>
20768
20769 Unreviewed, rolling out r167249.
20770 https://bugs.webkit.org/show_bug.cgi?id=131621
20771
20772 broke 3 tests on cloop (Requested by kling on #webkit).
20773
20774 Reverted changeset:
20775
20776 "Array.prototype.concat should allocate output storage only
20777 once."
20778 https://bugs.webkit.org/show_bug.cgi?id=131609
20779 http://trac.webkit.org/changeset/167249
20780
207812014-04-14 Alex Christensen <achristensen@webkit.org>
20782
20783 Fixed potential integer truncation.
20784 https://bugs.webkit.org/show_bug.cgi?id=131615
20785
20786 Reviewed by Darin Adler.
20787
20788 * assembler/X86Assembler.h:
20789 (JSC::X86Assembler::fillNops):
20790 Truncate the size_t to an unsigned after it is limited to 15 instead of before.
20791
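The narrowing-order bug in the entry above, shown as an added illustration (a constructed example, not JSC's own X86Assembler::fillNops): a nop filler that narrows size_t to unsigned before clamping to 15 can pick a zero-byte chunk on a 64-bit host and never make progress, while clamping first cannot lose bits. The names chunkTruncateThenClamp, chunkClampThenTruncate, fillNops and FillOutcome are mine, not the project's.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>

// Constructed illustration of the narrowing-order bug; this is not JSC's own
// X86Assembler::fillNops. A nop filler covers `size` bytes in chunks of at
// most 15 bytes (the longest single x86 nop encoding).
constexpr unsigned kMaxNopBytes = 15;

// 2^32 on an LP64 host; wraps to 0 where size_t is 32 bits (unsigned, no UB).
constexpr size_t kFourGiB = static_cast<size_t>(4294967295u) + 1;

struct FillOutcome {
    size_t bytesEmitted = 0;  // nop bytes the caller would have written
    size_t iterations = 0;    // loop trips taken
    bool stalled = false;     // an iteration chose a 0-byte chunk, so size never shrinks
};

// Buggy order: narrow size_t -> unsigned first, then clamp. On an LP64 host
// any `remaining` whose low 32 bits are zero narrows to 0, so the clamp never
// sees the real value and the fill loop cannot make progress.
unsigned chunkTruncateThenClamp(size_t remaining) {
    unsigned narrowed = static_cast<unsigned>(remaining);
    return std::min(narrowed, kMaxNopBytes);
}

// Corrected order: clamp in size_t, then narrow. The clamped value is at most
// 15, so converting it to unsigned cannot lose bits.
unsigned chunkClampThenTruncate(size_t remaining) {
    return static_cast<unsigned>(std::min<size_t>(remaining, kMaxNopBytes));
}

// Drive the fill loop with either chunk policy. `maxIterations` bounds the run
// so the stalled (buggy) case is reported instead of looping forever.
FillOutcome fillNops(size_t size, unsigned (*chunk)(size_t), size_t maxIterations) {
    FillOutcome out;
    while (size != 0 && out.iterations < maxIterations) {
        unsigned nopSize = chunk(size);
        ++out.iterations;
        if (nopSize == 0) {  // no progress possible: this is the hang
            out.stalled = true;
            break;
        }
        out.bytesEmitted += nopSize;
        size -= nopSize;
    }
    return out;
}

int main() {
    const size_t big = kFourGiB + 3;  // 0x100000003 on a 64-bit host
    FillOutcome bad = fillNops(big, chunkTruncateThenClamp, 1000);
    FillOutcome good = fillNops(big, chunkClampThenTruncate, 5);
    std::printf("truncate-then-clamp: %zu bytes in %zu iterations, stalled=%d\n",
                bad.bytesEmitted, bad.iterations, bad.stalled);
    std::printf("clamp-then-truncate: %zu bytes in %zu iterations, stalled=%d\n",
                good.bytesEmitted, good.iterations, good.stalled);
    return 0;
}
```

With a 64-bit size_t the buggy order emits 3 bytes, then selects a 0-byte chunk and stalls; the corrected order keeps emitting 15-byte chunks.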
2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Darin Adler.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the call site of string comparison in some hot path
        https://bugs.webkit.org/show_bug.cgi?id=131605

        Reviewed by Darin Adler.

        When resolved, the String of a JSString is never null. It can be empty but not null.
        The null value is reserved for ropes but those would be resolved when getting the value.

        Consequently, we should use the equal() operation that does not handle null values.
        Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.

        * jit/JITOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::pureStrictEqual):

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery. While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        Math.fround() should be an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=131583

        Reviewed by Geoffrey Garen.

        Makes programs that use Math.fround() run up to 6x faster.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        FTL should use stackmap register liveness
        https://bugs.webkit.org/show_bug.cgi?id=130791

        Reviewed by Geoffrey Garen.

        Enable the stackmap register liveness support by fixing the two last bugs:

        - If everything is dead after the patchpoint - a good possibility for a put_by_id -
          then we shouldn't crash due to a null scratch buffer.

        - Always consider callee-saves as if they were live. More precisely, we should
          consider those callee-saves that are not saved by the enclosing function to be live.
          For now we do the much simpler thing and consider callee-saves to be always live
          since it has minimal impact on the scratch register allocator. It will know not to
          preserve those for calls, anyway.

        I tried writing a test for the null scratch buffer thing, but failed. I will land the
        test anyway since it seems useful.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/Options.h:
        * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
        (foo):

2014-04-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
        https://bugs.webkit.org/show_bug.cgi?id=131424

        Reviewed by Geoffrey Garen.

        This defers type conversion injection until we've decided on types. This makes the
        process of deciding types a bit more flexible - for example we can naturally fixpoint
        and change our minds. Only when things are settled do we actually insert conversions.

        This is a necessary prerequisite for keeping double, int52, and JSValue data flow
        separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
        that there are typed uses. If we were eagerly inserting type conversions then we would
        first insert a to/from-JSValue conversion in some cases only to then replace it by
        the other conversions. It's probably trivial to remove those redundant conversions later
        but I think it's better if we don't insert them to begin with.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.

2014-04-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: code generator should consider enclosing class when computing duplicate type names
        https://bugs.webkit.org/show_bug.cgi?id=131554

        Reviewed by Timothy Hatcher.

        We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
        can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
        by the enclosing class and enum name.

        Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.type_name): Prepend the enclosing class name.
        (Type.type_name.is):
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.

2014-04-11  Gavin Barraclough  <baraclough@apple.com>

        Rollout - Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Unreviewed.

        Rolling out r167020 while investigating a performance regression.

        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (apply):
        (bind.bindingFunction): Deleted.
        (bind.else.bindingFunction): Deleted.
        (bind): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::destroy):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectPrototypeProperty): Deleted.
        (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorConstructor.cpp:
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
21148 (JSC::NumberConstructor::finishCreation):
21149 * runtime/ObjectConstructor.cpp:
21150 (JSC::ObjectConstructor::finishCreation):
21151 * runtime/RegExpConstructor.cpp:
21152 (JSC::RegExpConstructor::finishCreation):
21153 * runtime/SetConstructor.cpp:
21154 (JSC::SetConstructor::finishCreation):
21155 * runtime/SetIteratorConstructor.cpp:
21156 (JSC::SetIteratorConstructor::finishCreation):
21157 * runtime/StringConstructor.cpp:
21158 (JSC::StringConstructor::finishCreation):
21159 * runtime/WeakMapConstructor.cpp:
21160 (JSC::WeakMapConstructor::finishCreation):
21161
21162 2014-04-11 David Kilzer <ddkilzer@apple.com>
21163
21164 [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
21165 <http://webkit.org/b/131556>
21166 <rdar://problem/16591856>
21167
21168 Reviewed by Brent Fulgham.
21169
21170 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
21171 OTHER_LDFLAGS so the ASan build does not try to link to
21172 libclang_rt.asan_osx_dynamic.dylib.
21173
21174 2014-04-11 Mark Lam <mark.lam@apple.com>
21175
21176 JSMainThreadExecState::call() should clear exceptions before returning.
21177 <https://webkit.org/b/131530>
21178
21179 Reviewed by Geoffrey Garen.
21180
21181 Added a version of JSC::call() that returns any uncaught exception instead
21182 of leaving it pending in the VM.
21183
21184 As part of this change, I updated various parts of the code base to use the
21185 new API as needed.
21186
21187 * bindings/ScriptFunctionCall.cpp:
21188 (Deprecated::ScriptFunctionCall::call):
21189 - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
21190 The injected scripts will include Inspector scripts that should catch
21191 and handle any exceptions that were thrown. We should not be seeing any
21192 exceptions returned from this call. However, we do have checks for
21193 exceptions in case there are bugs in the Inspector scripts which allowed
21194 the exception to leak through. Hence, it is proper to clear the exception
21195 here, and only record the fact that an exception was seen (if present).
21196
21197 * bindings/ScriptFunctionCall.h:
21198 * inspector/InspectorEnvironment.h:
21199 * runtime/CallData.cpp:
21200 (JSC::call):
21201 * runtime/CallData.h:
21202
21203 2014-04-11 Oliver Hunt <oliver@apple.com>
21204
21205 Add BuiltinLog function to make debugging builtins easier
21206 https://bugs.webkit.org/show_bug.cgi?id=131550
21207
21208 Reviewed by Andreas Kling.
21209
21210 Add a logging function that builtins can use for debugging.
21211
21212 * runtime/CommonIdentifiers.h:
21213 * runtime/JSGlobalObject.cpp:
21214 (JSC::JSGlobalObject::reset):
21215 * runtime/JSGlobalObjectFunctions.cpp:
21216 (JSC::globalFuncBuiltinLog):
21217 * runtime/JSGlobalObjectFunctions.h:
21218
21219 2014-04-11 Julien Brianceau <jbriance@cisco.com>
21220
21221 Fix LLInt for sh4 architecture (broken since C stack merge).
21222 https://bugs.webkit.org/show_bug.cgi?id=131532
21223
21224 Reviewed by Mark Lam.
21225
21226 This patch fixes the build and also implements sh4 parts for initPCRelative and
21227 setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
21228
21229 * llint/LowLevelInterpreter.asm:
21230 * llint/LowLevelInterpreter32_64.asm:
21231 * offlineasm/instructions.rb:
21232 * offlineasm/sh4.rb:
21233
21234 2014-04-10 Michael Saboff <msaboff@apple.com>
21235
21236 Crash beneath DFG JIT code @ video.disney.com
21237 https://bugs.webkit.org/show_bug.cgi?id=131447
21238
21239 Reviewed by Geoffrey Garen.
21240
21241 The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
21242 'tag not less than Undefined' check. The first check was incorrectly elided if we
21243 knew that the value *was* an int32, when it should have been elided if we already
21244 knew that the value *was not* an int32.
21245
21246 * dfg/DFGSpeculativeJIT.cpp:
21247 (JSC::DFG::SpeculativeJIT::speculateMisc):
21248 * tests/stress/test-spec-misc.js: Added test.
21249 (getX):
21250 (foo):
21251 (bar):
21252
21253 2014-04-08 Filip Pizlo <fpizlo@apple.com>
21254
21255 Make room for additional types in SpeculatedType.h
21256 https://bugs.webkit.org/show_bug.cgi?id=131422
21257
21258 Reviewed by Sam Weinig.
21259
21260 This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
21261
21262 * bytecode/SpeculatedType.h:
21263
21264 2014-04-10 Alex Christensen <achristensen@webkit.org>
21265
21266 Compile fix for Win64.
21267 https://bugs.webkit.org/show_bug.cgi?id=131508
21268
21269 Reviewed by Geoffrey Garen.
21270
21271 * assembler/X86Assembler.h:
21272 (JSC::X86Assembler::fillNops):
21273 Added unsigned template parameter to distinguish between size_t and unsigned long.
21274
21275 2014-04-10 Michael Saboff <msaboff@apple.com>
21276
21277 LLInt interpreter code should be generated as part of one function
21278 https://bugs.webkit.org/show_bug.cgi?id=131205
21279
21280 Reviewed by Mark Lam.
21281
21282 Changed the generation of llint opcodes so that they are all part of the same
21283 global function, llint_entry. That function is used to fill in an entry point
21284 table that includes each of the opcodes and helpers.
21285
21286 * CMakeLists.txt:
21287 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
21288 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
21289 * JavaScriptCore.xcodeproj/project.pbxproj:
21290 Added appropriate use of new -I option to offline assembler and offset
21291 generator scripts.
21292
21293 * llint/LowLevelInterpreter.asm:
21294 * llint/LowLevelInterpreter.cpp:
21295 * llint/LowLevelInterpreter.h:
21296 * offlineasm/arm.rb:
21297 * offlineasm/arm64.rb:
21298 * offlineasm/asm.rb:
21299 * offlineasm/ast.rb:
21300 * offlineasm/backends.rb:
21301 * offlineasm/cloop.rb:
21302 * offlineasm/generate_offset_extractor.rb:
21303 * offlineasm/instructions.rb:
21304 * offlineasm/parser.rb:
21305 * offlineasm/registers.rb:
21306 * offlineasm/self_hash.rb:
21307 * offlineasm/settings.rb:
21308 * offlineasm/transform.rb:
21309 * offlineasm/x86.rb:
21310 Added a new "global" keyword to the offline assembler that denotes a label that
21311 should be exported. Added opcode and operand support to get the absolute
21312 address of a local label using position independent calculations. Updated the
21313 offline assembler to handle included files, both when generating the checksum
21314 as well as including files from other than the local directory via a newly
21315 added -I option. The offline assembler now automatically determines external
21316 functions by keeping track of referenced functions that are defined within the
21317 assembly source. This is used both for choosing the correct macro for external
21318 references as well as generating the needed EXTERN directives for masm.
21319 Updated the generation of the masm only .sym file to be written once at the end
21320 of the offline assembler.
21321
21322 * assembler/MacroAssemblerCodeRef.h:
21323 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
21324 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
21325 * bytecode/CodeBlock.cpp:
21326 (JSC::CodeBlock::dumpBytecode):
21327 (JSC::CodeBlock::CodeBlock):
21328 * bytecode/GetByIdStatus.cpp:
21329 (JSC::GetByIdStatus::computeFromLLInt):
21330 * bytecode/Opcode.h:
21331 (JSC::padOpcodeName):
21332 * bytecode/PutByIdStatus.cpp:
21333 (JSC::PutByIdStatus::computeFromLLInt):
21334 * jit/JIT.cpp:
21335 (JSC::JIT::privateCompileMainPass):
21336 * jit/JITStubs.h:
21337 * llint/LLIntCLoop.cpp:
21338 (JSC::LLInt::initialize):
21339 * llint/LLIntData.h:
21340 (JSC::LLInt::getCodeFunctionPtr):
21341 (JSC::LLInt::getOpcode): Deleted.
21342 (JSC::LLInt::getCodePtr): Deleted.
21343 * llint/LLIntOpcode.h:
21344 * llint/LLIntSlowPaths.cpp:
21345 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
21346 * llint/LLIntThunks.cpp:
21347 (JSC::LLInt::functionForCallEntryThunkGenerator):
21348 (JSC::LLInt::functionForConstructEntryThunkGenerator):
21349 (JSC::LLInt::functionForCallArityCheckThunkGenerator):
21350 (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
21351 (JSC::LLInt::evalEntryThunkGenerator):
21352 (JSC::LLInt::programEntryThunkGenerator):
21353 * llint/LLIntThunks.h:
21354 Changed references to llint helpers to go through the entry point table populated
21355 by llint_entry. Added helpers to OpcodeID enum for all builds.
21356
21357 * bytecode/BytecodeList.json:
21358 * generate-bytecode-files:
21359 * llint/LLIntCLoop.cpp:
21360 (JSC::LLInt::CLoop::initialize):
21361 Reordered sections to match the order that the functions are added to the entry point
21362 table. Added new "asmPrefix" property for symbols that have one name but are generated
21363 with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
21364 as we are using enums for all bytecode references. Changed the C Loop only
21365 llint_c_loop_init to llint_entry.
21366
21367 2014-04-10 Matthew Mirman <mmirman@apple.com>
21368
21369 WIP for inlining C++. Added a build target to produce LLVM IR.
21370 https://bugs.webkit.org/show_bug.cgi?id=130523
21371
21372 Reviewed by Mark Rowe.
21373
21374 * JavaScriptCore.xcodeproj/project.pbxproj:
21375 * build-symbol-table-index.py: Added.
21376 * build-symbol-table-index.sh: Added.
21377 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
21378 * copy-llvm-ir-to-derived-sources.sh: Added.
21379
21380 2014-04-10 Brian J. Burg <burg@cs.washington.edu>
21381
21382 Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
21383 https://bugs.webkit.org/show_bug.cgi?id=131341
21384
21385 Reviewed by Timothy Hatcher.
21386
21387 Add support for encoding/decoding unsigned long with EncodedValue.
21388 It is a distinct type from uint32_t and uint64_t.
21389
21390 * replay/EncodedValue.cpp:
21391 (JSC::EncodedValue::convertTo<unsigned long>):
21392 * replay/EncodedValue.h:
21393
21394 2014-04-10 Mark Lam <mark.lam@apple.com>
21395
21396 LLINT loadisFromInstruction should handle the big endian case.
21397 <https://webkit.org/b/131495>
21398
21399 Reviewed by Mark Hahnenberg.
21400
21401 The LLINT loadisFromInstruction macro aims to load the least significant
21402 32-bit word from the 64-bit bytecode instruction stream and sign extend
21403 it. For big endian machines, the current implementation would load the
21404 wrong 32-bit word.
21405
21406 Without this fix, the JSC tests will crash on big endian machines.
21407 Thanks to Tomas Popela for diagnosing this issue.
21408
21409 * llint/LowLevelInterpreter.asm:
21410
21411 2014-04-09 Mark Lam <mark.lam@apple.com>
21412
21413 Temporarily disable the JIT for the Windows port.
21414 <https://webkit.org/b/131470>
21415
21416 Reviewed by Brent Fulgham.
21417
21418 This is a temporary stop gap measure to green the Windows bots until
21419 we have a fix for https://webkit.org/b/131182.
21420
21421 * runtime/Options.cpp:
21422 (JSC::recomputeDependentOptions):
21423
21424 2014-04-09 Juergen Ributzka <juergen@apple.com>
21425
21426 [FTL] Emit multibyte NOPs on X86-64
21427 https://bugs.webkit.org/show_bug.cgi?id=131394
21428
21429 Reviewed by Michael Saboff.
21430
21431 * assembler/X86Assembler.h:
21432 (JSC::X86Assembler::fillNops):
21433
21434 2014-04-09 Julien Brianceau <jbriance@cisco.com>
21435
21436 Get rid of JITOperationWrappers.h header file.
21437 https://bugs.webkit.org/show_bug.cgi?id=131450
21438
21439 Reviewed by Michael Saboff.
21440
21441 JITOperationWrappers header file contains architecture specific code that is
21442 not needed anymore, so get rid of it.
21443
21444 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21445 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
21446 * JavaScriptCore.xcodeproj/project.pbxproj:
21447 * dfg/DFGOperations.cpp:
21448 * jit/JITOperationWrappers.h: Removed.
21449 * jit/JITOperations.cpp:
21450
21451 2014-04-09 Mark Lam <mark.lam@apple.com>
21452
21453 Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
21454 <https://webkit.org/b/131449>
21455
21456 Reviewed by Mark Hahnenberg.
21457
21458 Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
21459 that it pads is of type int anyway. It doesn't need to be 64 bit. This
21460 also makes it work with the LLINT which is loading it with a loadi
21461 instruction.
21462
21463 We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
21464 when loading the argCount.
21465
21466 The paddedArgCount issue was causing failures when running the JSC tests on a
21467 64-bit big endian machine. In this case, the paddedArgCount in the
21468 ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
21469 as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
21470 that field, the LLINT got a value of 0 instead of the expected 2. With this
21471 patch, we now have a matching store and load of a 32-bit value, and endianness
21472 no longer comes into play.
21473
21474 As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
21475 the payload field of the Register. In the definition of EncodedValueDescriptor,
21476 we already ensure that the payload is in the least significant 32-bits for
21477 little endian machines, and in the most significant 32-bits for big endian
21478 machines. This means that there is no endianness bug when loading this value
21479 using loadi. However, adding the PayLoadOffset clarifies the intent of the
21480 code to load the payload part of the Register value.
21481
21482 * interpreter/ProtoCallFrame.h:
21483 (JSC::ProtoCallFrame::setPaddedArgCount):
21484 * llint/LowLevelInterpreter32_64.asm:
21485 * llint/LowLevelInterpreter64.asm:
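
The two endianness entries above (the 2014-04-10 loadisFromInstruction fix and this paddedArgCount fix) describe the same failure mode: a 64-bit store paired with a 32-bit load at the field's lowest address reads the wrong half of the word on a big endian machine. The following is an added example, not JavaScriptCore code. It builds constructed byte images in both byte orders so the mismatch can be reproduced on any host, and the helper names (storeWord, loadWord32, buggyPaddedArgCountLoad, fixedPaddedArgCountLoad, payloadOffset, loadPayload) are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <iostream>
#include <vector>

// Constructed byte image of a word as it would sit in memory, in the chosen
// byte order. Width is 8 for a size_t or Register slot, 4 for a uint32_t slot.
// (Hypothetical helpers written for this example; not JavaScriptCore code.)
using Bytes = std::vector<uint8_t>;

Bytes storeWord(uint64_t value, size_t width, bool bigEndian)
{
    Bytes bytes(width, 0);
    for (size_t i = 0; i < width; ++i) {
        size_t shift = (bigEndian ? width - 1 - i : i) * 8;
        bytes[i] = static_cast<uint8_t>(value >> shift);
    }
    return bytes;
}

// What a 32-bit load (the LLINT "loadi") reads at a given byte offset.
uint32_t loadWord32(const Bytes& bytes, size_t offset, bool bigEndian)
{
    uint32_t value = 0;
    for (size_t i = 0; i < 4; ++i) {
        size_t shift = (bigEndian ? 3 - i : i) * 8;
        value |= static_cast<uint32_t>(bytes[offset + i]) << shift;
    }
    return value;
}

// Before the fix: paddedArgCount is a 64-bit size_t, but the interpreter
// loads only the 32 bits at the field's lowest address.
uint32_t buggyPaddedArgCountLoad(uint64_t paddedArgCount, bool bigEndian)
{
    Bytes field = storeWord(paddedArgCount, 8, bigEndian);
    return loadWord32(field, 0, bigEndian);
}

// After the fix: the field is a uint32_t, so a 32-bit store meets a 32-bit load
// and the byte order no longer matters.
uint32_t fixedPaddedArgCountLoad(uint32_t paddedArgCount, bool bigEndian)
{
    Bytes field = storeWord(paddedArgCount, 4, bigEndian);
    return loadWord32(field, 0, bigEndian);
}

// A Register holding a tag in the high 32 bits and a payload in the low 32 bits:
// the payload's byte offset inside the 8-byte word depends on endianness, which
// is what a PayloadOffset constant captures.
size_t payloadOffset(bool bigEndian) { return bigEndian ? 4 : 0; }

uint32_t loadPayload(uint64_t encodedRegister, bool bigEndian)
{
    Bytes reg = storeWord(encodedRegister, 8, bigEndian);
    return loadWord32(reg, payloadOffset(bigEndian), bigEndian);
}

// Runtime probe of the host's own byte order.
bool hostIsBigEndian()
{
    const uint32_t probe = 1;
    uint8_t firstByte = 0;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 0;
}

int main()
{
    for (bool big : { false, true }) {
        std::cout << (big ? "big" : "little") << " endian: buggy load of 2 -> "
                  << buggyPaddedArgCountLoad(2, big) << ", fixed load -> "
                  << fixedPaddedArgCountLoad(2, big) << ", payload of tag:7 -> "
                  << loadPayload(0xFFFFFFFE00000007ull, big) << '\n';
    }
    std::cout << "this host is " << (hostIsBigEndian() ? "big" : "little") << " endian\n";
    return 0;
}
```

For a stored value of 2 the buggy load returns 0 under big endian and 2 under little endian, which is exactly the discrepancy the entry reports; the fixed load and the payload load return the same value in both byte orders.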
21486
21487 2014-04-08 Oliver Hunt <oliver@apple.com>
21488
21489 Rewrite Function.bind as a builtin
21490 https://bugs.webkit.org/show_bug.cgi?id=131083
21491
21492 Reviewed by Geoffrey Garen.
21493
21494 This change removes the existing function.bind implementation
21495 entirely so JSBoundFunction is no more.
21496
21497 Instead we just return a regular JS closure with a few
21498 private properties hanging off it that allow us to perform
21499 the necessary bound function fakery. While most of this is
21500 simple, a couple of key changes:
21501
21502 - The parser and lexer now directly track whether they're
21503 parsing code for call or construct and convert the private
21504 name @IsConstructor into TRUETOK or FALSETOK as appropriate.
21505 This automatically gives us the ability to vary behaviour
21506 from within the builtin. It also leaves a lot of headroom
21507 for trivial future improvements.
21508 - The instanceof operator now uses the prototypeForHasInstance
21509 private name, and we have a helper function to ensure that
21510 all objects that need to can update their magical 'prototype'
21511 property pair correctly.
21512
21513 * API/JSScriptRef.cpp:
21514 (parseScript):
21515 * JavaScriptCore.xcodeproj/project.pbxproj:
21516 * builtins/BuiltinExecutables.cpp:
21517 (JSC::BuiltinExecutables::createBuiltinExecutable):
21518 * builtins/Function.prototype.js:
21519 (bind.bindingFunction):
21520 (bind.else.bindingFunction):
21521 (bind):
21522 * bytecode/UnlinkedCodeBlock.cpp:
21523 (JSC::generateFunctionCodeBlock):
21524 * bytecompiler/NodesCodegen.cpp:
21525 (JSC::InstanceOfNode::emitBytecode):
21526 * interpreter/Interpreter.cpp:
21527 * parser/Lexer.cpp:
21528 (JSC::Lexer<T>::Lexer):
21529 (JSC::Lexer<LChar>::parseIdentifier):
21530 (JSC::Lexer<UChar>::parseIdentifier):
21531 * parser/Lexer.h:
21532 * parser/Parser.cpp:
21533 (JSC::Parser<LexerType>::Parser):
21534 (JSC::Parser<LexerType>::parseInner):
21535 * parser/Parser.h:
21536 (JSC::parse):
21537 * parser/ParserModes.h:
21538 * runtime/CodeCache.cpp:
21539 (JSC::CodeCache::getGlobalCodeBlock):
21540 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
21541 * runtime/CommonIdentifiers.h:
21542 * runtime/Completion.cpp:
21543 (JSC::checkSyntax):
21544 * runtime/Executable.cpp:
21545 (JSC::ProgramExecutable::checkSyntax):
21546 * runtime/FunctionPrototype.cpp:
21547 (JSC::FunctionPrototype::addFunctionProperties):
21548 (JSC::functionProtoFuncBind): Deleted.
21549 * runtime/JSBoundFunction.cpp: Removed.
21550 * runtime/JSBoundFunction.h: Removed.
21551 * runtime/JSFunction.cpp:
21552 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
21553 (JSC::RetrieveCallerFunctionFunctor::operator()):
21554 (JSC::retrieveCallerFunction):
21555 (JSC::JSFunction::getOwnPropertySlot):
21556 (JSC::JSFunction::defineOwnProperty):
21557 * runtime/JSGlobalObject.cpp:
21558 (JSC::JSGlobalObject::reset):
21559 * runtime/JSGlobalObjectFunctions.cpp:
21560 (JSC::globalFuncSetTypeErrorAccessor):
21561 * runtime/JSGlobalObjectFunctions.h:
21562 * runtime/JSObject.h:
21563 (JSC::JSObject::inlineGetOwnPropertySlot):
21564
21565 2014-04-08 Jon Lee <jonlee@apple.com>
21566
21567 Turn MSE on by default
21568 https://bugs.webkit.org/show_bug.cgi?id=131313
21569 <rdar://problem/16525223>
21570
21571 Reviewed by Jer Noble.
21572
21573 * Configurations/FeatureDefines.xcconfig:
21574
21575 2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
21576
21577 Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
21578 https://bugs.webkit.org/show_bug.cgi?id=131406
21579
21580 Reviewed by Timothy Hatcher.
21581
21582 * inspector/remote/RemoteInspector.h:
21583 * inspector/remote/RemoteInspector.mm:
21584 (Inspector::RemoteInspector::stop):
21585 (Inspector::RemoteInspector::stopInternal):
21586 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
21587 Provide a way to stop externally and a path to stop when in
21588 the middle of handling a message already with the locked mutex.
21589
21590 * inspector/remote/RemoteInspectorXPCConnection.h:
21591 * inspector/remote/RemoteInspectorXPCConnection.mm:
21592 (Inspector::RemoteInspectorXPCConnection::close):
21593 (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
21594 Provide a way to close externally and a path to close when in
21595 the middle of handling a message already with a mutex.
21596
21597 2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
21598
21599 Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
21600 https://bugs.webkit.org/show_bug.cgi?id=131398
21601
21602 Reviewed by Timothy Hatcher.
21603
21604 * inspector/InjectedScriptSource.js:
21605 The console object can be deleted from a page or JSContext,
21606 so keep code that expects that it could have been deleted
21607 to be resilient in those cases.
21608
21609 * inspector/JSGlobalObjectScriptDebugServer.h:
21610 * inspector/agents/JSGlobalObjectDebuggerAgent.h:
21611 * inspector/agents/JSGlobalObjectRuntimeAgent.h:
21612 Change the FIXMEs to NOTEs that explain why these functions
21613 have empty implementations for JSContext inspection.
21614
21615 2014-04-08 Filip Pizlo <fpizlo@apple.com>
21616
21617 Unreviewed, fix a goofy assertion to fix debug.
21618
21619 * bytecode/PolymorphicPutByIdList.h:
21620 (JSC::PutByIdAccess::isSetter):
21621 (JSC::PutByIdAccess::oldStructure):
21622 (JSC::PutByIdAccess::chain):
21623 (JSC::PutByIdAccess::stubRoutine):
21624 (JSC::PutByIdAccess::customSetter):
21625
21626 2014-04-08 Filip Pizlo <fpizlo@apple.com>
21627
21628 Fail silently if the LLVM dylib isn't found
21629 https://bugs.webkit.org/show_bug.cgi?id=131385
21630
21631 Reviewed by Mark Hahnenberg.
21632
21633 * dfg/DFGPlan.cpp:
21634 (JSC::DFG::Plan::compileInThreadImpl):
21635 * llvm/InitializeLLVM.cpp:
21636 (JSC::initializeLLVM):
21637 * llvm/InitializeLLVM.h:
21638 * llvm/InitializeLLVMPOSIX.cpp:
21639 (JSC::initializeLLVMPOSIX):
21640
21641 2014-04-07 Filip Pizlo <fpizlo@apple.com>
21642
21643 Repatch should support setters and plant calls to them directly
21644 https://bugs.webkit.org/show_bug.cgi?id=130750
21645
21646 Reviewed by Geoffrey Garen.
21647
21648 All of the infrastructure was in place so this just enables setter optimization.
21649
21650 This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
21651
21652 * bytecode/PolymorphicPutByIdList.cpp:
21653 (JSC::PutByIdAccess::visitWeak):
21654 * bytecode/PolymorphicPutByIdList.h:
21655 (JSC::PutByIdAccess::setter):
21656 (JSC::PutByIdAccess::customSetter): Deleted.
21657 * bytecode/PutByIdStatus.cpp:
21658 (JSC::PutByIdStatus::computeForStubInfo):
21659 * jit/Repatch.cpp:
21660 (JSC::toString):
21661 (JSC::kindFor):
21662 (JSC::customFor):
21663 (JSC::generateByIdStub):
21664 (JSC::tryCachePutByID):
21665 (JSC::tryBuildPutByIdList):
21666 * runtime/JSObject.cpp:
21667 (JSC::JSObject::put):
21668 * runtime/Lookup.h:
21669 (JSC::putEntry):
21670 * runtime/PutPropertySlot.h:
21671 (JSC::PutPropertySlot::setCacheableSetter):
21672 (JSC::PutPropertySlot::isCacheableSetter):
21673 (JSC::PutPropertySlot::isCacheableCustom):
21674 (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
21675 (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
21676 * tests/stress/setter.js: Added.
21677 (foo):
21678
21679 2014-04-07 Filip Pizlo <fpizlo@apple.com>
21680
21681 Setters are just getters that take an extra argument and don't return a value
21682 https://bugs.webkit.org/show_bug.cgi?id=131336
21683
21684 Reviewed by Geoffrey Garen.
21685
21686 Other than that, they're totally the same thing.
21687
21688 This isn't as dumb as it sounds.
21689
21690 Most of the work in calling an accessor has to do with emitting the necessary checks for
21691 figuring out whether we're calling the accessor we expected, followed by the boilerplate
21692 needed for setting up a call inside of a stub. It makes sense for the code to be totally
21693 common.
21694
21695 * jit/AssemblyHelpers.h:
21696 (JSC::AssemblyHelpers::storeValue):
21697 (JSC::AssemblyHelpers::moveTrustedValue):
21698 * jit/CCallHelpers.h:
21699 (JSC::CCallHelpers::setupResults):
21700 * jit/Repatch.cpp:
21701 (JSC::kindFor):
21702 (JSC::customFor):
21703 (JSC::generateByIdStub):
21704 (JSC::tryCacheGetByID):
21705 (JSC::tryBuildGetByIDList):
21706 (JSC::tryCachePutByID):
21707 (JSC::tryBuildPutByIdList):
21708 (JSC::generateGetByIdStub): Deleted.
21709 (JSC::emitCustomSetterStub): Deleted.
21710 * runtime/JSCJSValue.h:
21711 (JSC::JSValue::asValue):
21712 * runtime/PutPropertySlot.h:
21713 (JSC::PutPropertySlot::cachedOffset):
21714
21715 2014-04-07 Joseph Pecoraro <pecoraro@apple.com>
21716
21717 Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
21718 https://bugs.webkit.org/show_bug.cgi?id=131321
21719
21720 Reviewed by Mark Rowe.
21721
21722 * inspector/remote/RemoteInspector.mm:
21723 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
21724 Avoid attempting to take the same lock twice. Move the received message
21725 lock grab after the WIRPermissionDenied branch, which takes the lock
21726 inside RemoteInspector::stop.
21727
21728 2014-04-07 Filip Pizlo <fpizlo@apple.com>
21729
21730 Make it possible to disable some of the FTL's more interesting features
21731 https://bugs.webkit.org/show_bug.cgi?id=131312
21732
21733 Reviewed by Mark Hahnenberg.
21734
21735 * dfg/DFGByteCodeParser.cpp:
21736 (JSC::DFG::ByteCodeParser::handleGetById):
21737 (JSC::DFG::ByteCodeParser::handlePutById):
21738 (JSC::DFG::ByteCodeParser::parse):
21739 * runtime/Options.h:
21740
21741 2014-04-04 Mark Lam <mark.lam@apple.com>
21742
21743 Date object needs to check for ES5 15.9.1.14 TimeClip limit.
21744 <https://webkit.org/b/131248>
21745
21746 Reviewed by Mark Hahnenberg.
21747
21748 The current Date object code does not adequately check for the ES5
21749 15.9.1.14 TimeClip limit. As a result, some calculations can underflow
21750 / overflow and produce unexpected results.
21751
21752 For example, we were getting an assertion failure in
21753 WTF::equivalentYearForDST() due to int underflows in this function, which
21754 in turn were due to an int overflow in WTF::msToYear().
21755
21756 This patch adds the needed checks, and adds some assertions to ensure
21757 that the used values are sane.
21758
21759 The changes have no noticeable impact on benchmark results.
21760
21761 * runtime/DateConstructor.cpp:
21762 (JSC::callDate):
21763 * runtime/JSDateMath.cpp:
21764 (JSC::localTimeOffset):
21765 (JSC::gregorianDateTimeToMS):
21766 (JSC::msToGregorianDateTime):
21767 (JSC::parseDateFromNullTerminatedCharacters):
21768 (JSC::parseDate):
21769 * runtime/JSDateMath.h:
21770 - parseDateFromNullTerminatedCharacters() does not need to be public.
21771 Made it a static function.
21772 * runtime/VM.cpp:
21773 (JSC::VM::resetDateCache):
21774 - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
21775 to be consistent with other Date code.
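
The TimeClip check described above, as an added example rather than the page's or JSDateMath.cpp's code: a TimeClip implementation following ES5 15.9.1.14, plus a day-number helper that only converts to an integer after clipping, so the int overflow the entry attributes to WTF::msToYear() cannot occur on the clipped value. The names timeClip, daysFromTime, DayResult, maxECMAScriptTime and msPerDay are assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <limits>

// ES5 15.9.1.14: a time value is valid only within +/- 8.64e15 ms of the epoch,
// which is exactly +/- 100,000,000 days. (Example constants, not JSDateMath.cpp.)
constexpr double maxECMAScriptTime = 8.64e15;
constexpr double msPerDay = 86400000.0;

// TimeClip: NaN for non-finite or out-of-range input, otherwise ToInteger(time).
double timeClip(double time)
{
    if (!std::isfinite(time) || std::fabs(time) > maxECMAScriptTime)
        return std::numeric_limits<double>::quiet_NaN();
    return std::trunc(time) + 0.0; // "+ 0.0" normalizes -0 to +0, as the spec requires
}

struct DayResult {
    bool valid;   // false when the time value was clipped to NaN
    int32_t days; // days relative to the epoch; only meaningful when valid
};

// Day number of a time value. Casting an unchecked double to an int is undefined
// behaviour once the value is outside the int range; clipping first bounds the
// quotient to [-1e8, 1e8], which always fits an int32_t.
DayResult daysFromTime(double time)
{
    double clipped = timeClip(time);
    if (std::isnan(clipped))
        return { false, 0 };
    return { true, static_cast<int32_t>(std::floor(clipped / msPerDay)) };
}

int main()
{
    const double samples[] = { 0.0, -1.0, 1.7, 8.64e15, -8.64e15, 8.64e15 + 1000.0, 1e16,
                               std::numeric_limits<double>::infinity() };
    for (double t : samples) {
        DayResult r = daysFromTime(t);
        std::cout << "time " << t << " -> TimeClip " << timeClip(t) << " -> day ";
        if (r.valid)
            std::cout << r.days << '\n';
        else
            std::cout << "(clipped: invalid Date)\n";
    }
    return 0;
}
```

The boundary values are the interesting ones: exactly +/- 8.64e15 is still a valid time value (and maps to day +/- 100,000,000), while anything beyond it, including infinities and NaN, must become an invalid Date before any integer arithmetic is attempted.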
21776
21777 2014-04-06 Csaba Osztrogonác <ossy@webkit.org>
21778
21779 Unreviewed speculative 32-bit buildfix after r166837.
21780
21781 * heap/Heap.cpp:
21782 (JSC::Heap::updateObjectCounts):
21783
21784 2014-04-06 Dan Bernstein <mitz@apple.com>
21785
21786 32-bit build fix.
21787
21788 * runtime/JSGlobalObject.cpp:
21789 (JSC::JSGlobalObject::setInputCursor):
21790
21791 2014-04-04 Brian J. Burg <burg@cs.washington.edu>
21792
21793 Enable WEB_REPLAY for PLATFORM(MAC)
21794 https://bugs.webkit.org/show_bug.cgi?id=130700
21795
21796 Reviewed by Timothy Hatcher.
21797
21798 * Configurations/FeatureDefines.xcconfig:
21799
21800 2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
21801
21802 Add missing files from r166837
21803
21804 * heap/GCLogging.cpp: Added.
21805 (JSC::GCLogging::levelAsString):
21806 (JSC::LoggingFunctor::LoggingFunctor):
21807 (JSC::LoggingFunctor::~LoggingFunctor):
21808 (JSC::LoggingFunctor::operator()):
21809 (JSC::LoggingFunctor::log):
21810 (JSC::LoggingFunctor::reviveCells):
21811 (JSC::LoggingFunctor::returnValue):
21812 (JSC::GCLogging::dumpObjectGraph):
21813 * heap/GCLogging.h: Added.
21814
21815 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
21816
21817 Enhanced GC logging
21818 https://bugs.webkit.org/show_bug.cgi?id=131246
21819
21820 Reviewed by Geoff Garen.
21821
21822 Getting data on the state of the JSC Heap at runtime is currently in a sad state.
21823 The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
21824 recompile to turn it on. It would be nice if we could runtime enable our GC logging
21825 infrastructure while incurring minimal cost when it is disabled.
21826
21827 It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
21828 provides us with the discovered roots along with parent-child relationships as objects
21829 are scanned. However, once an object is scanned it will never be declared as the child
21830 of another object during that collection. This gives us a tree-like view of the
21831 Heap (i.e. each scanned node only reports having a single parent), where the actual
21832 Heap can be an arbitrary graph.
21833
21834 This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances
21835 our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
21836 logging levels. None means no logging is done, Basic is what logGC() = true would have done
21837 prior to this patch, and Verbose logs all object relationships.
21838
21839 JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
21840 subclasses to override the default string representation that will be dumped. These
21841 methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
21842 the logging infrastructure in our compilers.
21843
21844 This patch also adds a GCLogging class that handles dumping the relationships between objects.
21845 It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
21846 children of each live cell at the end of garbage collection.
21847
21848 This change meets our goal of being neutral on the benchmarks we track.
21849
21850 * JavaScriptCore.xcodeproj/project.pbxproj:
21851 * heap/GCLogging.cpp: Added.
21852 (JSC::GCLogging::levelAsString):
21853 (JSC::LoggingFunctor::LoggingFunctor):
21854 (JSC::LoggingFunctor::operator()):
21855 (JSC::LoggingFunctor::log):
21856 (JSC::LoggingFunctor::reviveCells):
21857 (JSC::LoggingFunctor::returnValue):
21858 (JSC::GCLogging::dumpObjectGraph):
21859 * heap/GCLogging.h: Added.
21860 * heap/GCSegmentedArray.h:
21861 (JSC::GCSegmentedArray::begin):
21862 (JSC::GCSegmentedArray::end):
21863 * heap/Heap.cpp:
21864 (JSC::Heap::markRoots):
21865 (JSC::Heap::visitSmallStrings):
21866 (JSC::Heap::visitConservativeRoots):
21867 (JSC::Heap::visitCompilerWorklists):
21868 (JSC::Heap::visitProtectedObjects):
21869 (JSC::Heap::visitTempSortVectors):
21870 (JSC::Heap::visitArgumentBuffers):
21871 (JSC::Heap::visitException):
21872 (JSC::Heap::visitStrongHandles):
21873 (JSC::Heap::visitHandleStack):
21874 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
21875 (JSC::Heap::visitWeakHandles):
21876 (JSC::Heap::updateObjectCounts):
21877 (JSC::Heap::collect):
21878 (JSC::Heap::didFinishCollection):
21879 * heap/Heap.h:
21880 * heap/MarkStack.h:
21881 * heap/SlotVisitor.cpp:
21882 (JSC::SlotVisitor::dump):
21883 * heap/SlotVisitor.h:
21884 (JSC::SlotVisitor::markStack):
21885 * heap/SlotVisitorInlines.h:
21886 (JSC::SlotVisitor::internalAppend):
21887 * runtime/ClassInfo.h:
21888 * runtime/JSCell.cpp:
21889 (JSC::JSCell::dump):
21890 (JSC::JSCell::dumpToStream):
21891 (JSC::JSCell::className):
21892 * runtime/JSCell.h:
21893 * runtime/JSCellInlines.h:
21894 (JSC::JSCell::visitChildren):
21895 * runtime/JSString.cpp:
21896 (JSC::JSString::dumpToStream):
21897 (JSC::JSString::visitChildren):
21898 * runtime/JSString.h:
21899 (JSC::JSString::length):
21900 (JSC::JSRopeString::RopeBuilder::length):
21901 * runtime/Options.cpp:
21902 (JSC::parse):
21903 (JSC::Options::setOption):
21904 (JSC::Options::dumpOption):
21905 * runtime/Options.h:
21906
21907 2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
21908
21909 Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
21910 https://bugs.webkit.org/show_bug.cgi?id=131251
21911
21912 Reviewed by Geoffrey Garen.
21913
21914 * API/JSVirtualMachine.mm:
21915 (scanExternalObjectGraph):
21916 * API/tests/testapi.mm:
21917
219182014-04-03 Brian J. Burg <burg@cs.washington.edu>
21919
21920 Web Inspector: hook up probe samples to TimelineAgent's records
21921 https://bugs.webkit.org/show_bug.cgi?id=131127
21922
21923 Reviewed by Timothy Hatcher.
21924
21925 * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.
21926
219272014-04-04 Commit Queue <commit-queue@webkit.org>
21928
21929 Unreviewed, rolling out r166820.
21930 https://bugs.webkit.org/show_bug.cgi?id=131256
21931
21932 Broke builds. (Requested by bdash on #webkit).
21933
21934 Reverted changeset:
21935
21936 "WIP for inlining C++. Added a build target to produce llvm
21937 ir."
21938 https://bugs.webkit.org/show_bug.cgi?id=130523
21939 http://trac.webkit.org/changeset/166820
21940
219412014-04-04 Matthew Mirman <mmirman@apple.com>
21942
21943 WIP for inlining C++. Added a build target to produce llvm ir.
21944 https://bugs.webkit.org/show_bug.cgi?id=130523
21945
21946 Reviewed by Filip Pizlo.
21947
21948 The llvm ir gets placed JavaScriptCoreRuntimeToLLVMir.build with the extension .o
21949
21950 * JavaScriptCore.xcodeproj/project.pbxproj:
21951 * build_index.py: Added.
21952 * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.
21953
219542014-04-04 Joseph Pecoraro <pecoraro@apple.com>
21955
21956 Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
21957 https://bugs.webkit.org/show_bug.cgi?id=131241
21958
21959 Reviewed by Timothy Hatcher.
21960
21961 * inspector/JSGlobalObjectInspectorController.cpp:
21962 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
21963 Log the exception to the system console if system console output is enabled.
21964
219652014-04-04 Joseph Pecoraro <pecoraro@apple.com>
21966
21967 Web Inspector: Provide a way for JSContext console to log to system console
21968 https://bugs.webkit.org/show_bug.cgi?id=131050
21969
21970 Reviewed by Timothy Hatcher.
21971
21972 Applications often re-expose some log -> NSLog functionality.
21973 We already have the capability ourselves, which includes extra
21974 information such as sourceURL:line:column, all arguments instead
21975 of just one argument, and backtrace information on console.trace.
21976 Therefore it would be convenient if developers could just use
21977 the built-in console.log and get rich output in both the inspector
21978 and the console, without writing their own logger.
21979
21980 The logging will be enabled in debug builds by default, and can be enabled
21981 otherwise by setting a user default before creating the first context.
21982
21983 For example, in the application itself:
21984
21985 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];
21986
21987 Or from outside the application:
21988
21989 shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES
21990
21991 * inspector/JSConsoleClient.h:
21992 * inspector/JSConsoleClient.cpp:
21993 (Inspector::JSConsoleClient::logToSystemConsole):
21994 (Inspector::JSConsoleClient::setLogToSystemConsole):
21995 (Inspector::JSConsoleClient::initializeLogToSystemConsole):
21996 (Inspector::JSConsoleClient::JSConsoleClient):
21997 Global setting for logging to system console. Enabled on
21998 debug builds, and by a user default on supported platforms.
21999
22000 (Inspector::JSConsoleClient::messageWithTypeAndLevel):
22001 Log to system console when the static setting is enabled.
22002
22003 * runtime/ConsoleClient.h:
22004 * runtime/ConsoleClient.cpp:
22005 (JSC::appendURLAndPosition):
22006 (JSC::appendMessagePrefix):
22007 (JSC::ConsoleClient::printConsoleMessage):
22008 (JSC::ConsoleClient::printConsoleMessageWithArguments):
22009 Clean up printing. Build strings and use WTFLogAlways instead of printf
22010 for consistant logging.
22011
22012 * runtime/ConsoleClient.cpp:
22013 (JSC::ConsoleClient::printConsoleMessageWithArguments):
22014 Clean up printing. If there is no source URL, don't print a leading colon.
22015
2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>

Use JSCell::indexingType instead of Structure::indexingType wherever possible
https://bugs.webkit.org/show_bug.cgi?id=131230

Reviewed by Mark Lam.

Avoid the indirection through the Structure.

* bytecode/ArrayAllocationProfile.cpp:
(JSC::ArrayAllocationProfile::updateIndexingType):
* bytecode/ArrayAllocationProfile.h:
(JSC::ArrayAllocationProfile::selectIndexingType):
* heap/HeapStatistics.cpp:
(JSC::StorageStatistics::operator()):
* runtime/ArrayPrototype.cpp:
(JSC::attemptFastSort):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):

2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>

Use JSCell::type instead of TypeInfo::type wherever possible
https://bugs.webkit.org/show_bug.cgi?id=131229

Reviewed by Michael Saboff.

Avoid going through the Structure and reifying the TypeInfo.

* runtime/Executable.h:
(JSC::ExecutableBase::isEvalExecutable):
(JSC::ExecutableBase::isProgramExecutable):

2014-04-03 Andreas Kling <akling@apple.com>

Fast-path for casting JS wrappers to JSNode.
<https://webkit.org/b/131196>

Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
a little bit. We do this by exposing a LastJSCObjectType constant so
WebCore can encode its own wrapper types after that.

Reviewed by Mark Hahnenberg and Geoff Garen.

* runtime/JSType.h:

Added LastJSCObjectType for use by WebCore.

* runtime/JSObject.h:
(JSC::JSObject::isVariableObject):

Updated since this can no longer assume that types >= VariableObjectType
are all variable objects.

2014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>

All Heap::writeBarriers should be inline
https://bugs.webkit.org/show_bug.cgi?id=131197

Reviewed by Mark Lam.

One is in a JSCellInlines.h, another is in Heap.cpp. These are all critical
enough and small enough to belong in HeapInlines.h. Also added the proper
ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.

* heap/Heap.cpp:
(JSC::Heap::writeBarrier): Deleted.
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::writeBarrier):
* runtime/JSCellInlines.h:
(JSC::Heap::writeBarrier): Deleted.

2014-04-03 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
https://bugs.webkit.org/show_bug.cgi?id=131186

Reviewed by Geoffrey Garen.

* API/JSContextPrivate.h:
* API/JSContext.mm:
(-[JSContext _includesNativeCallStackWhenReportingExceptions]):
(-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
JSContext ObjC SPI to opt out of including native call stacks in exceptions.

* API/JSContextRefPrivate.h:
* API/JSContextRef.cpp:
(JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
(JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
JSContext C SPI to opt out of including native call stacks in exceptions.

* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Only include the native call stack if the setting is enabled. It is enabled by default.

2014-04-03 Mark Lam <mark.lam@apple.com>

Fix bit rot in ARMv7 JIT probe mechanism.
<https://webkit.org/b/131167>

Reviewed by Geoffrey Garen.

1. The macro assembler does not support pushing the SP register. Worked
around this by pushing the LR register as a placeholder, and then
writing the original SP value to that slot.
2. The CPUState field in the ProbeContext needs to be aligned on a 4
byte boundary, not an 8 byte boundary.

* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssemblerARMv7::probe):
* jit/JITStubsARMv7.h:

2014-04-02 Mark Lam <mark.lam@apple.com>

ARMv7 compare32() should not use TST to do CMP's job.
<https://webkit.org/b/131146>

Reviewed by Geoffrey Garen.

The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
instruction doesn't set the Overflow (V) flag and this results in random
results depending on whether there was a preceding instruction that did set
the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
with a lot of OSR exits where not expected as well as producing wrong results.

The fix is to use "cmp reg, #0" to do the job properly.

* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::compare32):

2014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>

CodeBlockSet should be generational
https://bugs.webkit.org/show_bug.cgi?id=127152

Reviewed by Geoffrey Garen.

During EdenCollections we now only visit those CodeBlocks that:
a) Are new since the last collection if they were somehow otherwise reachable.
b) Are reachable from an Executable that is part of the remembered set.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
(JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
(JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
(JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::~CodeBlockSet):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
the set of old CodeBlocks.
(JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
(JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
remembered set. When an Executable is added to the remembered set it's typically because we need to do something
with its CodeBlock.
(JSC::CodeBlockSet::clearMarks):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
CodeBlocks because we no longer always do this at the beginning of EdenCollections.
* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::deleteAllCompiledCode):
(JSC::Heap::deleteUnmarkedCompiledCode):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
a) A CodeBlock is created and is compiled on a DFG worker thread.
b) No GC happens.
c) The CodeBlock has finished being compiled and is installed in the Executable.
d) The function never executes before the next GC.
e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
it's added to the remembered set.

2014-04-02 Mark Lam <mark.lam@apple.com>

Added some more dataLog info for OSR exits.
<https://webkit.org/b/131120>

Reviewed by Michael Saboff.

Adding info about the OSR exit index, the bytecode index of the bytecode
that is OSR exiting, and the reason for the OSR exit. This change is
for debugging code which only comes into play when we use the
--printEachOSRExit option.

* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOperations.cpp:

2014-04-02 Martin Robinson <mrobinson@igalia.com>

REGRESSION(r165704): [GTK] Inspector resources not correctly generated
https://bugs.webkit.org/show_bug.cgi?id=130343

Reviewed by Gustavo Noronha Silva.

* CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
in which it should be distributed. This allows us to more easily package it for GTK+.

2014-04-01 Timothy Hatcher <timothy@apple.com>

Remove HeapProfiler from the Web Inspector protocol.

https://bugs.webkit.org/show_bug.cgi?id=131070

Reviewed by Joseph Pecoraro.

* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/JSGlobalObjectConsoleAgent.cpp:
(Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
* inspector/agents/JSGlobalObjectConsoleAgent.h:
* inspector/protocol/Console.json:

2014-03-31 Simon Fraser <simon.fraser@apple.com>

Enable WEB_TIMING on Mac and iOS
https://bugs.webkit.org/show_bug.cgi?id=128064

Reviewed by Sam Weinig, Brent Fulgham.

Enable WEB_TIMING.

* Configurations/FeatureDefines.xcconfig:

2014-03-31 Michael Saboff <msaboff@apple.com>

REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
https://bugs.webkit.org/show_bug.cgi?id=130992

Reviewed by Mark Hahnenberg.

Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.

* API/JSObjectRef.cpp:
(JSObjectGetPrivate):
(JSObjectSetPrivate):
* API/tests/testapi.c:
(main): Added new test case to validate we are properly forwarding.

2014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>

Improve GC_LOGGING
https://bugs.webkit.org/show_bug.cgi?id=130988

Reviewed by Geoffrey Garen.

GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
but it doesn't distinguish between Eden and Full collections in the data it gathers. This
patch updates it so that it can. It also adds the process ID to the beginning of each line
of input to be able to distinguish between the output of multiple processes exiting at the
same time.

* heap/Heap.cpp:
(JSC::Heap::collect):

2014-03-31 Dean Jackson <dino@apple.com>

Remove WEB_ANIMATIONS
https://bugs.webkit.org/show_bug.cgi?id=130989

Reviewed by Simon Fraser.

Remove this feature flag until we plan to implement.

* Configurations/FeatureDefines.xcconfig:

2014-03-31 Filip Pizlo <fpizlo@apple.com>

More validation for FTL inline caches
https://bugs.webkit.org/show_bug.cgi?id=130948

Reviewed by Geoffrey Garen.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
* runtime/Options.h:

2014-03-31 Filip Pizlo <fpizlo@apple.com>

LLVM IR for store barriers should be nicely arranged and they don't need exception checks
https://bugs.webkit.org/show_bug.cgi?id=130950

Reviewed by Mark Hahnenberg.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):

2014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>

[CMake] Stop checking for WTF_USE_ICU_UNICODE.
https://bugs.webkit.org/show_bug.cgi?id=130965

Reviewed by Martin Robinson.

This is somewhat of a follow-up to r162782, which got rid of
WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
CMakeLists.txt. This meant the includes and libraries were not
being properly included since then.

* CMakeLists.txt:

2014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

Remove hostThisRegister() and hostThisValue()
https://bugs.webkit.org/show_bug.cgi?id=130895

Reviewed by Geoffrey Garen.

Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.

* API/APICallbackFunction.h:
(JSC::APICallbackFunction::call):
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::call):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* inspector/JSInjectedScriptHostPrototype.cpp:
(Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
(Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
(Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
(Inspector::jsInjectedScriptHostPrototypeFunctionType):
(Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
(Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
* inspector/JSJavaScriptCallFramePrototype.cpp:
(Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
(Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
(Inspector::jsJavaScriptCallFrameAttributeCaller):
(Inspector::jsJavaScriptCallFrameAttributeSourceID):
(Inspector::jsJavaScriptCallFrameAttributeLine):
(Inspector::jsJavaScriptCallFrameAttributeColumn):
(Inspector::jsJavaScriptCallFrameAttributeFunctionName):
(Inspector::jsJavaScriptCallFrameAttributeScopeChain):
(Inspector::jsJavaScriptCallFrameAttributeThisObject):
(Inspector::jsJavaScriptCallFrameAttributeType):
* interpreter/CallFrame.h:
(JSC::ExecState::hostThisRegister): Deleted.
(JSC::ExecState::hostThisValue): Deleted.
* runtime/Arguments.cpp:
(JSC::argumentsFuncIterator):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::arrayProtoFuncValues):
(JSC::arrayProtoFuncEntries):
(JSC::arrayProtoFuncKeys):
* runtime/BooleanPrototype.cpp:
(JSC::booleanProtoFuncToString):
(JSC::booleanProtoFuncValueOf):
* runtime/ConsolePrototype.cpp:
(JSC::consoleLogWithLevel):
(JSC::consoleProtoFuncClear):
(JSC::consoleProtoFuncDir):
(JSC::consoleProtoFuncDirXML):
(JSC::consoleProtoFuncTable):
(JSC::consoleProtoFuncTrace):
(JSC::consoleProtoFuncAssert):
(JSC::consoleProtoFuncCount):
(JSC::consoleProtoFuncProfile):
(JSC::consoleProtoFuncProfileEnd):
(JSC::consoleProtoFuncTime):
(JSC::consoleProtoFuncTimeEnd):
(JSC::consoleProtoFuncTimeStamp):
(JSC::consoleProtoFuncGroup):
(JSC::consoleProtoFuncGroupCollapsed):
(JSC::consoleProtoFuncGroupEnd):
* runtime/DatePrototype.cpp:
(JSC::formateDateInstance):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncToLocaleString):
(JSC::dateProtoFuncToLocaleDateString):
(JSC::dateProtoFuncToLocaleTimeString):
(JSC::dateProtoFuncGetTime):
(JSC::dateProtoFuncGetFullYear):
(JSC::dateProtoFuncGetUTCFullYear):
(JSC::dateProtoFuncGetMonth):
(JSC::dateProtoFuncGetUTCMonth):
(JSC::dateProtoFuncGetDate):
(JSC::dateProtoFuncGetUTCDate):
(JSC::dateProtoFuncGetDay):
(JSC::dateProtoFuncGetUTCDay):
(JSC::dateProtoFuncGetHours):
(JSC::dateProtoFuncGetUTCHours):
(JSC::dateProtoFuncGetMinutes):
(JSC::dateProtoFuncGetUTCMinutes):
(JSC::dateProtoFuncGetSeconds):
(JSC::dateProtoFuncGetUTCSeconds):
(JSC::dateProtoFuncGetMilliSeconds):
(JSC::dateProtoFuncGetUTCMilliseconds):
(JSC::dateProtoFuncGetTimezoneOffset):
(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):
(JSC::setNewValueFromDateArgs):
(JSC::dateProtoFuncSetYear):
(JSC::dateProtoFuncGetYear):
(JSC::dateProtoFuncToJSON):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
(JSC::functionProtoFuncBind):
* runtime/NamePrototype.cpp:
(JSC::privateNameProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncClz):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTest):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoFuncToString):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncReplace):
(JSC::stringProtoFuncToString):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncConcat):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplit):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::stringProtoFuncTrim):
(JSC::stringProtoFuncTrimLeft):
(JSC::stringProtoFuncTrimRight):

2014-03-28 Filip Pizlo <fpizlo@apple.com>

Land the stackmap register liveness glue with the uses of the liveness disabled
https://bugs.webkit.org/show_bug.cgi?id=130924

Reviewed by Oliver Hunt.

Add the liveness and fix other bugs I found.

* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* ftl/FTLCompile.cpp:
(JSC::FTL::usedRegistersFor):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLSlowPathCall.cpp:
* ftl/FTLSlowPathCallKey.cpp:
(JSC::FTL::SlowPathCallKey::dump):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::argumentRegisters):
(JSC::FTL::SlowPathCallKey::withCallTarget):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Record::locationSet):
(JSC::FTL::StackMaps::Record::liveOutsSet):
(JSC::FTL::StackMaps::Record::usedRegisterSet):
* ftl/FTLStackMaps.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::registerClobberCheck):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::stackRegisters):
(JSC::RegisterSet::reservedHardwareRegisters):
(JSC::RegisterSet::runtimeRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::dump):
* jit/RegisterSet.h:
(JSC::RegisterSet::RegisterSet):
(JSC::RegisterSet::setAny):
(JSC::RegisterSet::setMany):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
(JSC::tryRepatchIn):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:

2014-03-28 Mark Lam <mark.lam@apple.com>

mandreel throws a checksum error on 32-bit x86.
<https://webkit.org/b/125706>

Reviewed by Filip Pizlo.

The 32-bit DFG can emit code that loads double constants from its
CodeBlock's m_constantRegisters vector. The emitted instruction will
embed the address of the constant from the vector's backing store.
Subsequently, while inserting new constants, the DFG may resize the
vector, thereby reallocating the backing store. This renders the
previously embedded constant addresses stale.

The fix is to use a dedicated doubles constant pool stored in the DFG
CommonData instead. This constant pool won't be reallocated, and
hence will not manifest this issue.

* dfg/DFGCommonData.h:
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.

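The stale-address failure described in the entry above, reproduced as an added C++ example that is not JavaScriptCore code: a std::vector stands in for the CodeBlock's m_constantRegisters, whose backing store moves on reallocation, and a std::deque stands in for the dedicated pool in DFG CommonData, whose entries never move. The type and function names (GrowableConstants, StableConstantPool, embeddedAddressStillValid) are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <vector>

// Constructed stand-in for a CodeBlock's m_constantRegisters: a contiguous
// vector whose backing store is reallocated, moving every element, once an
// insertion exceeds its capacity.
struct GrowableConstants {
    std::vector<double> storage;
    std::size_t add(double v) { storage.push_back(v); return storage.size() - 1; }
    const double* addressOf(std::size_t i) const { return &storage[i]; }
};

// Constructed stand-in for the dedicated doubles pool: std::deque::push_back
// never relocates existing elements, so an address handed out for an entry
// stays valid for the lifetime of the pool.
struct StableConstantPool {
    std::deque<double> storage;
    std::size_t add(double v) { storage.push_back(v); return storage.size() - 1; }
    const double* addressOf(std::size_t i) const { return &storage[i]; }
};

// Mirrors what the 32-bit DFG did: record the address of a constant (as the
// emitted load instruction would embed it), keep inserting constants, then
// check whether the embedded address still names the same constant.
// The recorded address is kept as an integer so the comparison never reads
// through a pointer that reallocation may have invalidated.
template <typename Pool>
bool embeddedAddressStillValid(Pool& pool, std::size_t laterInsertions)
{
    std::size_t index = pool.add(3.14159);
    std::uintptr_t embedded = reinterpret_cast<std::uintptr_t>(pool.addressOf(index));
    for (std::size_t i = 0; i < laterInsertions; ++i)
        pool.add(static_cast<double>(i));
    return embedded == reinterpret_cast<std::uintptr_t>(pool.addressOf(index));
}

// The buggy arrangement: addresses into a growable vector go stale.
bool vectorAddressSurvives(std::size_t laterInsertions)
{
    GrowableConstants constants;
    return embeddedAddressStillValid(constants, laterInsertions);
}

// The fixed arrangement: addresses into a non-relocating pool stay valid.
bool poolAddressSurvives(std::size_t laterInsertions)
{
    StableConstantPool pool;
    return embeddedAddressStillValid(pool, laterInsertions);
}
```

With no later insertions both containers keep their addresses; after a few thousand insertions only the pool does, which is the property the DFG fix relies on.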
225832014-03-28 Joseph Pecoraro <pecoraro@apple.com>
22584
22585 Web Inspector: console.warn is showing as error instead of warning
22586 https://bugs.webkit.org/show_bug.cgi?id=130921
22587
22588 Reviewed by Timothy Hatcher.
22589
22590 * runtime/ConsolePrototype.cpp:
22591 (JSC::consoleProtoFuncWarn):
22592 console.warn should be MessageLevel Warning, not Error.
22593
225942014-03-28 Oliver Hunt <oliver@apple.com>
22595
22596 Fix cloop build.
22597
22598 * bytecode/BytecodeList.json:
22599
226002014-03-28 Michael Saboff <msaboff@apple.com>
22601
22602 Unreviewed, rolling r166248 back in.
22603
22604 Turns out r166070 didn't cause a 2% performance loss in page load times
22605
22606 Reverted changeset:
22607
22608 Unreviewed, rolling out r166126.
22609 Rollout r166126 in prepartion to roll out prerequisite r166070
22610
226112014-03-27 Commit Queue <commit-queue@webkit.org>
22612
22613 Unreviewed, rolling out r166376.
22614 https://bugs.webkit.org/show_bug.cgi?id=130887
22615
22616 This was a misguided optimization. (Requested by kling on
22617 #webkit).
22618
22619 Reverted changeset:
22620
22621 "Avoid fetching JSObject::structure() repeatedly in
22622 putDirectInternal."
22623 https://bugs.webkit.org/show_bug.cgi?id=130857
22624 http://trac.webkit.org/changeset/166376
22625
226262014-03-27 Oliver Hunt <oliver@apple.com>
22627
22628 Support spread operand in |new| expressions
22629 https://bugs.webkit.org/show_bug.cgi?id=130877
22630
22631 Reviewed by Michael Saboff.
22632
22633 Add support for the spread operator being applied in
22634 |new| expressions. This required adding support for
22635 a new opcode, op_construct_varargs. This is a relatively
22636 simple refactoring of the call_varargs implementation.
22637
22638 * bytecode/BytecodeList.json:
22639 * bytecode/BytecodeUseDef.h:
22640 (JSC::computeUsesForBytecodeOffset):
22641 (JSC::computeDefsForBytecodeOffset):
22642 * bytecode/CallLinkInfo.cpp:
22643 (JSC::CallLinkInfo::unlink):
22644 * bytecode/CallLinkInfo.h:
22645 (JSC::CallLinkInfo::callTypeFor):
22646 (JSC::CallLinkInfo::specializationKind):
22647 * bytecode/CodeBlock.cpp:
22648 (JSC::CodeBlock::dumpBytecode):
22649 (JSC::CodeBlock::CodeBlock):
22650 * bytecompiler/BytecodeGenerator.cpp:
22651 (JSC::BytecodeGenerator::emitCallVarargs):
22652 (JSC::BytecodeGenerator::emitConstructVarargs):
22653 (JSC::BytecodeGenerator::emitConstruct):
22654 * bytecompiler/BytecodeGenerator.h:
22655 * jit/JIT.cpp:
22656 (JSC::JIT::privateCompileMainPass):
22657 (JSC::JIT::privateCompileSlowCases):
22658 * jit/JIT.h:
22659 * jit/JITCall.cpp:
22660 (JSC::JIT::compileOpCall):
22661 (JSC::JIT::compileOpCallSlowCase):
22662 (JSC::JIT::emit_op_construct_varargs):
22663 (JSC::JIT::emitSlow_op_construct_varargs):
22664 * jit/JITCall32_64.cpp:
22665 (JSC::JIT::emitSlow_op_construct_varargs):
22666 (JSC::JIT::emit_op_construct_varargs):
22667 (JSC::JIT::compileOpCall):
22668 (JSC::JIT::compileOpCallSlowCase):
22669 * jit/JITOperations.cpp:
22670 * llint/LLIntSlowPaths.cpp:
22671 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
22672 * llint/LLIntSlowPaths.h:
22673 * llint/LowLevelInterpreter.asm:
22674 * parser/Parser.cpp:
22675 (JSC::Parser<LexerType>::parseMemberExpression):
22676
226772014-03-27 Filip Pizlo <fpizlo@apple.com>
22678
22679 Revert http://trac.webkit.org/changeset/166386 because it broke builds.
22680
22681 * Configurations/Base.xcconfig:
22682 * Configurations/LLVMForJSC.xcconfig:
22683
226842014-03-27 Filip Pizlo <fpizlo@apple.com>
22685
22686 Unreviewed, skip this test for now.
22687
22688 * tests/stress/recurse-infinitely-on-getter.js:
22689
226902014-03-27 Filip Pizlo <fpizlo@apple.com>
22691
22692 Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
22693 https://bugs.webkit.org/show_bug.cgi?id=130867
22694 <rdar://problem/16432456>
22695
22696 Reviewed by Mark Hahnenberg.
22697
22698 * Configurations/Base.xcconfig:
22699 * Configurations/LLVMForJSC.xcconfig:
22700
227012014-03-27 Andreas Kling <akling@apple.com>
22702
22703 Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
22704 <https://webkit.org/b/130857>
22705
22706 Use the cached Structure* instead of re-fetching it over and over since
22707 that's a non-trivial operation these days.
22708
22709 Reviewed by Mark Hahnenberg.
22710
22711 * runtime/JSObject.h:
22712 (JSC::JSObject::putDirectInternal):
22713
227142014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
22715
22716 Check the remembered set bit faster
22717 https://bugs.webkit.org/show_bug.cgi?id=130860
22718
22719 Reviewed by Oliver Hunt.
22720
22721 Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
22722 that bit is also stored in the object. We should look it up there whenever possible.
22723
22724 * heap/CopiedBlockInlines.h:
22725 (JSC::CopiedBlock::shouldReportLiveBytes):
22726 * heap/Heap.cpp:
22727 (JSC::Heap::addToRememberedSet):
22728 * heap/Heap.h:
22729 * heap/HeapInlines.h: Removed.
22730 * heap/SlotVisitorInlines.h:
22731 (JSC::SlotVisitor::reportExtraMemoryUsage):
22732
22733 2014-03-27 Joseph Pecoraro <pecoraro@apple.com>
22734
22735 Web Inspector: Provide SPI to disallow remote inspection of a JSContext
22736 https://bugs.webkit.org/show_bug.cgi?id=130853
22737
22738 Reviewed by Timothy Hatcher.
22739
22740 * API/JSContextPrivate.h: Added.
22741 * API/JSContext.mm:
22742 (-[JSContext _remoteInspectionEnabled]):
22743 (-[JSContext _setRemoteInspectionEnabled:]):
22744 ObjC SPI to enable/disable remote inspection.
22745
22746 * API/JSContextRefPrivate.h:
22747 * API/JSContextRef.cpp:
22748 (JSGlobalContextGetRemoteInspectionEnabled):
22749 (JSGlobalContextSetRemoteInspectionEnabled):
22750 C SPI to enable/disable remote inspection.
22751
22752 * JavaScriptCore.xcodeproj/project.pbxproj:
22753 Add new private header, and export as a private header.
22754
22755 2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
22756
22757 Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
22758 https://bugs.webkit.org/show_bug.cgi?id=130845
22759
22760 Reviewed by Filip Pizlo.
22761
22762 There was a hack added to make sure C Loop LLInt worked which included overriding the
22763 global Options::useLLInt setting, which makes no sense to do here. We should put the
22764 update of the global setting in Options::recomputeDependentOptions along with the other
22765 execution engine flags.
22766
22767 * runtime/Executable.cpp:
22768 (JSC::ScriptExecutable::prepareForExecutionImpl):
22769 * runtime/Options.cpp:
22770 (JSC::recomputeDependentOptions):
22771
22772 2014-03-26 Filip Pizlo <fpizlo@apple.com>
22773
22774 Enable LLVM stackmap liveOuts computation
22775 https://bugs.webkit.org/show_bug.cgi?id=130821
22776
22777 Reviewed by Andy Estes and Sam Weinig.
22778
22779 * ftl/FTLStackMaps.cpp:
22780 (JSC::FTL::StackMaps::Record::dump):
22781 * llvm/library/LLVMExports.cpp:
22782 (initializeAndGetJSCLLVMAPI):
22783
22784 2014-03-26 Filip Pizlo <fpizlo@apple.com>
22785
22786 Parse stackmaps liveOuts
22787 https://bugs.webkit.org/show_bug.cgi?id=130801
22788
22789 Reviewed by Geoffrey Garen.
22790
22791 This just adds the code to parse them but doesn't do anything with them, yet.
22792
22793 * ftl/FTLLocation.cpp:
22794 (JSC::FTL::Location::forStackmaps):
22795 * ftl/FTLLocation.h:
22796 (JSC::FTL::Location::forRegister):
22797 (JSC::FTL::Location::forIndirect):
22798 * ftl/FTLStackMaps.cpp:
22799 (JSC::FTL::StackMaps::Location::parse):
22800 (JSC::FTL::StackMaps::Location::dump):
22801 (JSC::FTL::StackMaps::LiveOut::parse):
22802 (JSC::FTL::StackMaps::LiveOut::dump):
22803 (JSC::FTL::StackMaps::Record::parse):
22804 (JSC::FTL::StackMaps::Record::dump):
22805 * ftl/FTLStackMaps.h:
22806
22807 2014-03-26 Mark Lam <mark.lam@apple.com>
22808
22809 Build fix after r166307.
22810
22811 Not reviewed.
22812
22813 * runtime/JSCell.h:
22814 - The inline function isAPIValueWrapper() should not be exported. This
22815 was causing a linkage error when building for 32-bit x86 on Mac.
22816
22817 2014-03-26 Filip Pizlo <fpizlo@apple.com>
22818
22819 Reasoning about DWARF register numbers should be moved out of FTL::Location
22820 https://bugs.webkit.org/show_bug.cgi?id=130792
22821
22822 Reviewed by Oliver Hunt.
22823
22824 Moving this code makes it possible for things other than FTL::Location to reason about
22825 DWARF register encoding. This refactoring also appears to reduce some code duplication
22826 and makes FTLLocation.cpp cleaner.
22827
22828 * JavaScriptCore.xcodeproj/project.pbxproj:
22829 * ftl/FTLCompile.cpp:
22830 (JSC::FTL::fixFunctionBasedOnStackMaps):
22831 * ftl/FTLDWARFRegister.cpp: Added.
22832 (JSC::FTL::DWARFRegister::reg):
22833 (JSC::FTL::DWARFRegister::dump):
22834 * ftl/FTLDWARFRegister.h: Added.
22835 (JSC::FTL::DWARFRegister::DWARFRegister):
22836 (JSC::FTL::DWARFRegister::dwarfRegNum):
22837 * ftl/FTLLocation.cpp:
22838 (JSC::FTL::Location::dump):
22839 (JSC::FTL::Location::isGPR):
22840 (JSC::FTL::Location::gpr):
22841 (JSC::FTL::Location::isFPR):
22842 (JSC::FTL::Location::fpr):
22843 * ftl/FTLLocation.h:
22844 (JSC::FTL::Location::hasDwarfReg):
22845 (JSC::FTL::Location::dwarfReg):
22846
22847 2014-03-26 Brent Fulgham <bfulgham@apple.com>
22848
22849 Unreviewed build fix.
22850
22851 * runtime/JSCell.h: VS2013 confused about argument type.
22852
22853 2014-03-26 Zoltan Horvath <zoltan@webkit.org>
22854
22855 [CSS Shapes] Remove shape-inside support
22856 https://bugs.webkit.org/show_bug.cgi?id=130698
22857
22858 Reviewed by David Hyatt.
22859
22860 * Configurations/FeatureDefines.xcconfig:
22861
22862 2014-03-26 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
22863
22864 Rename hasFastArrayStorage to be more appropriate
22865 https://bugs.webkit.org/show_bug.cgi?id=130773
22866
22867 Reviewed by Filip Pizlo.
22868
22869 * dfg/DFGArrayMode.cpp:
22870 (JSC::DFG::ArrayMode::alreadyChecked):
22871 * dfg/DFGSpeculativeJIT32_64.cpp:
22872 (JSC::DFG::SpeculativeJIT::compile):
22873 * dfg/DFGSpeculativeJIT64.cpp:
22874 (JSC::DFG::SpeculativeJIT::compile):
22875 * dfg/DFGWatchpointCollectionPhase.cpp:
22876 (JSC::DFG::WatchpointCollectionPhase::handle):
22877 * ftl/FTLLowerDFGToLLVM.cpp:
22878 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
22879 (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
22880 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
22881 * runtime/ButterflyInlines.h:
22882 (JSC::Butterfly::unshift):
22883 (JSC::Butterfly::shift):
22884 * runtime/IndexingHeaderInlines.h:
22885 (JSC::IndexingHeader::preCapacity):
22886 * runtime/IndexingType.h:
22887 (JSC::hasArrayStorage):
22888 (JSC::hasAnyArrayStorage):
22889 (JSC::hasFastArrayStorage): Deleted.
22890 * runtime/JSArray.cpp:
22891 (JSC::JSArray::sortVector):
22892 (JSC::JSArray::compactForSorting):
22893 * runtime/JSArray.h:
22894 (JSC::JSArray::create):
22895 (JSC::JSArray::tryCreateUninitialized):
22896 * runtime/JSGlobalObject.cpp:
22897 * runtime/JSObject.cpp:
22898 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
22899 * runtime/JSObject.h:
22900 (JSC::JSObject::ensureArrayStorage):
22901 (JSC::JSObject::arrayStorage):
22902 * runtime/StructureTransitionTable.h:
22903 (JSC::newIndexingType):
22904
22905 2014-03-26 Zan Dobersek <zdobersek@igalia.com>
22906
22907 Unreviewed. Removing the remaining Automake cruft.
22908
22909 * GNUmakefile.list.am: Removed.
22910
22911 2014-03-25 Filip Pizlo <fpizlo@apple.com>
22912
22913 Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
22914 https://bugs.webkit.org/show_bug.cgi?id=130764
22915 <rdar://problem/16304788>
22916
22917 Reviewed by Sam Weinig.
22918
22919 Being an arguments alias just means that your OSR exit recovery should attempt arguments
22920 creation. This is true of arguments locals. We had special cases that tried to make it not
22921 true of arguments locals. The only consequence of those special cases was to cause crashes
22922 in case of arguments that are also captured variables (i.e. we have SlowArguments). This
22923 change just removes those special cases.
22924
22925 This change means that the FTL will now see SetLocals with a FlushedArguments format.
22926 Previously you wouldn't see them because previously only non-captured variables would be
22927 arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
22928 left. Adding handling for FlushedArguments is a benign and simple change since its
22929 behavior is identical to FlushedJSValue for that code's purposes.
22930
22931 * dfg/DFGArgumentsSimplificationPhase.cpp:
22932 (JSC::DFG::ArgumentsSimplificationPhase::run):
22933 * ftl/FTLLowerDFGToLLVM.cpp:
22934 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
22935 * tests/stress/captured-arguments-variable.js: Added.
22936 (foo):
22937 (noInline):
22938
22939 2014-03-25 Mark Hahnenberg <mhahnenberg@apple.com>
22940
22941 Add HeapInlines
22942 https://bugs.webkit.org/show_bug.cgi?id=130759
22943
22944 Reviewed by Filip Pizlo.
22945
22946 * GNUmakefile.list.am:
22947 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
22948 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
22949 * JavaScriptCore.xcodeproj/project.pbxproj:
22950 * heap/Heap.cpp:
22951 (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
22952 (JSC::MarkedBlockSnapshotFunctor::operator()):
22953 * heap/Heap.h: Also reindented while we're here.
22954 (JSC::Heap::writeBarrierBuffer):
22955 (JSC::Heap::vm):
22956 (JSC::Heap::objectSpace):
22957 (JSC::Heap::machineThreads):
22958 (JSC::Heap::operationInProgress):
22959 (JSC::Heap::allocatorForObjectWithoutDestructor):
22960 (JSC::Heap::allocatorForObjectWithNormalDestructor):
22961 (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
22962 (JSC::Heap::storageAllocator):
22963 (JSC::Heap::notifyIsSafeToCollect):
22964 (JSC::Heap::isSafeToCollect):
22965 (JSC::Heap::handleSet):
22966 (JSC::Heap::handleStack):
22967 (JSC::Heap::lastFullGCLength):
22968 (JSC::Heap::lastEdenGCLength):
22969 (JSC::Heap::increaseLastFullGCLength):
22970 (JSC::Heap::sizeBeforeLastEdenCollection):
22971 (JSC::Heap::sizeAfterLastEdenCollection):
22972 (JSC::Heap::sizeBeforeLastFullCollection):
22973 (JSC::Heap::sizeAfterLastFullCollection):
22974 (JSC::Heap::jitStubRoutines):
22975 (JSC::Heap::isDeferred):
22976 (JSC::Heap::structureIDTable):
22977 (JSC::Heap::removeCodeBlock):
22978 * heap/HeapInlines.h: Added.
22979 (JSC::Heap::shouldCollect):
22980 (JSC::Heap::isBusy):
22981 (JSC::Heap::isCollecting):
22982 (JSC::Heap::heap):
22983 (JSC::Heap::isLive):
22984 (JSC::Heap::isInRememberedSet):
22985 (JSC::Heap::isMarked):
22986 (JSC::Heap::testAndSetMarked):
22987 (JSC::Heap::setMarked):
22988 (JSC::Heap::isWriteBarrierEnabled):
22989 (JSC::Heap::writeBarrier):
22990 (JSC::Heap::reportExtraMemoryCost):
22991 (JSC::Heap::forEachProtectedCell):
22992 (JSC::Heap::forEachCodeBlock):
22993 (JSC::Heap::allocateWithNormalDestructor):
22994 (JSC::Heap::allocateWithImmortalStructureDestructor):
22995 (JSC::Heap::allocateWithoutDestructor):
22996 (JSC::Heap::tryAllocateStorage):
22997 (JSC::Heap::tryReallocateStorage):
22998 (JSC::Heap::ascribeOwner):
22999 (JSC::Heap::blockAllocator):
23000 (JSC::Heap::releaseSoon):
23001 (JSC::Heap::incrementDeferralDepth):
23002 (JSC::Heap::decrementDeferralDepth):
23003 (JSC::Heap::collectIfNecessaryOrDefer):
23004 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
23005 (JSC::Heap::markListSet):
23006 * runtime/JSCInlines.h:
23007
23008 2014-03-25 Filip Pizlo <fpizlo@apple.com>
23009
23010 DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
23011 https://bugs.webkit.org/show_bug.cgi?id=130760
23012
23013 Reviewed by Mark Hahnenberg.
23014
23015 * dfg/DFGByteCodeParser.cpp:
23016 (JSC::DFG::ByteCodeParser::setLocal):
23017 (JSC::DFG::ByteCodeParser::setArgument):
23018 (JSC::DFG::ByteCodeParser::handleInlining):
23019 (JSC::DFG::ByteCodeParser::parseBlock):
23020 * tests/stress/assign-argument-in-inlined-call.js: Added.
23021 (f1):
23022 (getF2Arguments):
23023 (f2):
23024 (f3):
23025 * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
23026 (f1):
23027 (f2):
23028 (f3):
23029
23030 2014-03-25 Filip Pizlo <fpizlo@apple.com>
23031
23032 Fix 32-bit getter call alignment.
23033
23034 Reviewed by Mark Hahnenberg.
23035
23036 * jit/Repatch.cpp:
23037 (JSC::generateGetByIdStub):
23038
23039 2014-03-25 Filip Pizlo <fpizlo@apple.com>
23040
23041 Repatch should plant calls to getters directly rather than through a C helper
23042 https://bugs.webkit.org/show_bug.cgi?id=129589
23043
23044 Reviewed by Mark Hahnenberg.
23045
23046 As the title says. All of the superstructure for this was already in place, so now it
23047 was just a matter of actually emitting the call.
23048
23049 8x speed-up for getter microbenchmarks.
23050
23051 * CMakeLists.txt:
23052 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
23053 * JavaScriptCore.xcodeproj/project.pbxproj:
23054 * bytecode/PolymorphicGetByIdList.h:
23055 (JSC::GetByIdAccess::doesCalls):
23056 * jit/AccessorCallJITStubRoutine.cpp: Added.
23057 (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
23058 (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
23059 (JSC::AccessorCallJITStubRoutine::visitWeak):
23060 * jit/AccessorCallJITStubRoutine.h: Added.
23061 * jit/AssemblyHelpers.h:
23062 (JSC::AssemblyHelpers::storeCell):
23063 * jit/GCAwareJITStubRoutine.h:
23064 * jit/Repatch.cpp:
23065 (JSC::generateGetByIdStub):
23066 * runtime/GetterSetter.h:
23067 (JSC::GetterSetter::offsetOfGetter):
23068 (JSC::GetterSetter::offsetOfSetter):
23069
23070 2014-03-25 Michael Saboff <msaboff@apple.com>
23071
23072 Unreviewed, rolling out r166126.
23073
23074 Rollout r166126 in preparation to roll out prerequisite r166070
23075
23076 Reverted changeset:
23077
23078 "toThis() on a JSWorkerGlobalScope should return a JSProxy and
23079 not undefined"
23080 https://bugs.webkit.org/show_bug.cgi?id=130554
23081 http://trac.webkit.org/changeset/166126
23082
23083 2014-03-25 Oliver Hunt <oliver@apple.com>
23084
23085 AST incorrectly conflates readable and writable locations
23086 https://bugs.webkit.org/show_bug.cgi?id=130734
23087
23088 Reviewed by Filip Pizlo.
23089
23090 We need to distinguish between "locations" that are valid for reading
23091 and writing, vs those that may only be written.
23092
23093 * bytecompiler/NodesCodegen.cpp:
23094 (JSC::ForInNode::emitBytecode):
23095 (JSC::ForOfNode::emitBytecode):
23096 * parser/Nodes.h:
23097 (JSC::ExpressionNode::isAssignmentLocation):
23098
23099 2014-03-24 Oliver Hunt <oliver@apple.com>
23100
23101 ASSERTION FAILED in Parser: dst != localReg
23102 https://bugs.webkit.org/show_bug.cgi?id=130710
23103
23104 Reviewed by Filip Pizlo.
23105
23106 Just make sure we don't try to write to a captured constant,
23107 following the change to track captured variables separately.
23108
23109 * bytecompiler/NodesCodegen.cpp:
23110 (JSC::PostfixNode::emitResolve):
23111 (JSC::PrefixNode::emitResolve):
23112
23113 2014-03-25 Martin Robinson <mrobinson@igalia.com>
23114
23115 [GTK] Remove the autotools build
23116 https://bugs.webkit.org/show_bug.cgi?id=130717
23117
23118 Reviewed by Anders Carlsson.
23119
23120 * GNUmakefile.am: Removed.
23121 * config.h: Remove references to the autotools configure file.
23122
23123 2014-03-24 Filip Pizlo <fpizlo@apple.com>
23124
23125 More scaffolding for a stub routine to have a stub recursively embedded inside it
23126 https://bugs.webkit.org/show_bug.cgi?id=130770
23127
23128 Reviewed by Oliver Hunt.
23129
23130 * bytecode/CallLinkInfo.cpp:
23131 (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
23132 (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
23133 * bytecode/CallLinkInfo.h:
23134 * bytecode/CodeBlock.cpp:
23135 (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
23136 (JSC::CodeBlock::unlinkCalls):
23137 (JSC::CodeBlock::unlinkIncomingCalls):
23138 * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
23139 (JSC::GetByIdAccess::visitWeak):
23140 (JSC::PolymorphicGetByIdList::visitWeak):
23141 * bytecode/PolymorphicGetByIdList.h:
23142 * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
23143 (JSC::PutByIdAccess::visitWeak):
23144 (JSC::PolymorphicPutByIdList::visitWeak):
23145 * bytecode/PolymorphicPutByIdList.h:
23146 * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
23147 (JSC::StructureStubInfo::visitWeakReferences):
23148 * bytecode/StructureStubInfo.h:
23149 * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
23150 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
23151 * jit/GCAwareJITStubRoutine.cpp:
23152 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
23153 (JSC::createJITStubRoutine):
23154 * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
23155 (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
23156 * jit/JITStubRoutine.cpp:
23157 (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
23158 * jit/JITStubRoutine.h:
23159 * jit/Repatch.cpp:
23160 (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
23161 (JSC::emitCustomSetterStub): Clean up some code.
23162
23163 2014-03-24 Geoffrey Garen <ggaren@apple.com>
23164
23165 Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
23166 when WebKit is compiled with fcatch-undefined-behavior
23167 https://bugs.webkit.org/show_bug.cgi?id=130652
23168
23169 Reviewed by Mark Hahnenberg.
23170
23171 Use a static member function because the butterfly we pass in might be
23172 NULL, and passing NULL to a member function is undefined behavior.
23173
23174 Stylistically, I think this new way reads a little more clearly, since it
23175 matches createOrGrowArrayRight, and it helps to convey that m_butterfly
23176 might not exist yet.
23177
23178 * runtime/Butterfly.h:
23179 * runtime/ButterflyInlines.h:
23180 (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
23181 because we might create. Split out the create path to avoid using NULL
23182 in a member function expression.
23183
23184 Removed some unused versions of this function.
23185
23186 * runtime/JSObject.cpp:
23187 (JSC::JSObject::growOutOfLineStorage): Updated for interface change.
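
The static create-or-grow form this entry describes, as an added example (not JavaScriptCore's Butterfly code; PropertyStorage, createOrGrow and createThenGrow are this example's own names):

```cpp
#include <algorithm>
#include <cstddef>

// Stand-in for the out-of-line property storage the entry discusses.
// This is the example's own type, not JSC's Butterfly.
struct PropertyStorage {
    std::size_t capacity;
    long* slots;

    static PropertyStorage* create(std::size_t capacity) {
        PropertyStorage* s = new PropertyStorage;
        s->capacity = capacity;
        s->slots = new long[capacity]();      // value-initialised to zero
        return s;
    }

    static void destroy(PropertyStorage* s) {
        delete[] s->slots;
        delete s;
    }

    // Pattern to avoid (shown only as a comment): a non-static member such as
    //     PropertyStorage* grow(std::size_t newCapacity);
    // invoked as old->grow(n) with old == nullptr is undefined behaviour even
    // if the body never touches `this`; the undefined-behaviour sanitizer
    // reports it as a member call on a null pointer.

    // Safe form: a static member function. A null `old` is an ordinary
    // argument meaning "nothing allocated yet", so the create path and the
    // grow path are explicit branches instead of a call through null.
    static PropertyStorage* createOrGrow(PropertyStorage* old, std::size_t newCapacity) {
        PropertyStorage* result = create(newCapacity);
        if (!old)
            return result;                    // create path: nothing to copy
        std::size_t keep = std::min(old->capacity, newCapacity);
        std::copy(old->slots, old->slots + keep, result->slots);
        destroy(old);                         // grow path: release old storage
        return result;
    }
};

struct GrowResult {
    std::size_t capacity;   // capacity after the final growth
    long sum;               // sum of all slots after growth
};

// Exercises both paths: starts with no storage (null), creates 4 slots,
// fills them with 0..3, grows to 8 slots and checks the values survived.
GrowResult createThenGrow() {
    PropertyStorage* storage = nullptr;                    // not allocated yet
    storage = PropertyStorage::createOrGrow(storage, 4);   // create path
    for (std::size_t i = 0; i < storage->capacity; ++i)
        storage->slots[i] = static_cast<long>(i);
    storage = PropertyStorage::createOrGrow(storage, 8);   // grow path
    GrowResult r{storage->capacity, 0};
    for (std::size_t i = 0; i < storage->capacity; ++i)
        r.sum += storage->slots[i];                        // new slots are 0
    PropertyStorage::destroy(storage);
    return r;
}
```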
23188
23189 2014-03-24 Oliver Hunt <oliver@apple.com>
23190
23191 Strict mode destructuring assignment crashes the parser.
23192 https://bugs.webkit.org/show_bug.cgi?id=130538
23193
23194 Reviewed by Michael Saboff.
23195
23196 The SyntaxChecker mode always returns 1 for success, except
23197 for a small subset of functions where we needed exact information.
23198 This ends up just being a poor design decision as it means
23199 the parser can get confused between a function returning 1, and
23200 the Resolve constant, which was also 1. So we now use a unique
23201 type for every creation method.
23202
23203 * parser/SyntaxChecker.h:
23204 (JSC::SyntaxChecker::createSourceElements):
23205 (JSC::SyntaxChecker::createFunctionBody):
23206 (JSC::SyntaxChecker::createArguments):
23207 (JSC::SyntaxChecker::createSpreadExpression):
23208 (JSC::SyntaxChecker::createArgumentsList):
23209 (JSC::SyntaxChecker::createPropertyList):
23210 (JSC::SyntaxChecker::createElementList):
23211 (JSC::SyntaxChecker::createFormalParameterList):
23212 (JSC::SyntaxChecker::createClause):
23213 (JSC::SyntaxChecker::createClauseList):
23214 (JSC::SyntaxChecker::createFuncDeclStatement):
23215 (JSC::SyntaxChecker::createBlockStatement):
23216 (JSC::SyntaxChecker::createExprStatement):
23217 (JSC::SyntaxChecker::createIfStatement):
23218 (JSC::SyntaxChecker::createForLoop):
23219 (JSC::SyntaxChecker::createForInLoop):
23220 (JSC::SyntaxChecker::createForOfLoop):
23221 (JSC::SyntaxChecker::createEmptyStatement):
23222 (JSC::SyntaxChecker::createVarStatement):
23223 (JSC::SyntaxChecker::createReturnStatement):
23224 (JSC::SyntaxChecker::createBreakStatement):
23225 (JSC::SyntaxChecker::createContinueStatement):
23226 (JSC::SyntaxChecker::createTryStatement):
23227 (JSC::SyntaxChecker::createSwitchStatement):
23228 (JSC::SyntaxChecker::createWhileStatement):
23229 (JSC::SyntaxChecker::createWithStatement):
23230 (JSC::SyntaxChecker::createDoWhileStatement):
23231 (JSC::SyntaxChecker::createLabelStatement):
23232 (JSC::SyntaxChecker::createThrowStatement):
23233 (JSC::SyntaxChecker::createDebugger):
23234 (JSC::SyntaxChecker::createConstStatement):
23235 (JSC::SyntaxChecker::appendConstDecl):
23236 (JSC::SyntaxChecker::combineCommaNodes):
23237 (JSC::SyntaxChecker::operatorStackPop):
23238
23239 2014-03-24 Brent Fulgham <bfulgham@apple.com>
23240
23241 Activate WebVTT Tests Once Merging is Complete
23242 https://bugs.webkit.org/show_bug.cgi?id=130420
23243
23244 Reviewed by Eric Carlson.
23245
23246 * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
23247
23248 2014-03-24 Andreas Kling <akling@apple.com>
23249
23250 Stop pulling in all the macro assemblers from VM.h
23251 <https://webkit.org/b/130691>
23252
23253 Remove #include of "GPRInfo.h". This breaks WebCore's dependency
23254 on macro assembler headers and removes 8 includes from every
23255 .cpp file in the JS bindings.
23256
23257 Reviewed by Geoff Garen.
23258
23259 * runtime/VM.h:
23260
23261 2014-03-24 Gavin Barraclough <barraclough@apple.com>
23262
23263 Add support for thread QoS
23264 https://bugs.webkit.org/show_bug.cgi?id=130688
23265
23266 Reviewed by Andreas Kling.
23267
23268 * heap/BlockAllocator.cpp:
23269 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
23270 - block freeing is a utility activity.
23271
23272 2014-03-24 Filip Pizlo <fpizlo@apple.com>
23273
23274 Unreviewed, fix CLOOP build.
23275
23276 * bytecode/CallLinkStatus.cpp:
23277 (JSC::CallLinkStatus::computeFor):
23278 * bytecode/CodeBlock.cpp:
23279 (JSC::CodeBlock::printCallOp):
23280 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
23281 (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
23282 * bytecode/CodeBlock.h:
23283 (JSC::CodeBlock::callLinkInfosEnd): Deleted.
23284
23285 2014-03-24 Gabor Rapcsanyi <rgabor@webkit.org>
23286
23287 [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
23288 https://bugs.webkit.org/show_bug.cgi?id=130453
23289
23290 Reviewed by Filip Pizlo.
23291
23292 Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
23293 at sxtw and uxtw instructions.
23294
23295 * offlineasm/arm64.rb:
23296
23297 2014-03-23 Hyowon Kim <hw1008.kim@samsung.com>
23298
23299 Move all EFL typedefs into EflTypedefs.h.
23300 https://bugs.webkit.org/show_bug.cgi?id=130511
23301
23302 Reviewed by Gyuyoung Kim.
23303
23304 * heap/HeapTimer.h: Remove EFL typedefs.
23305
23306 2014-03-23 Filip Pizlo <fpizlo@apple.com>
23307
23308 Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
23309 https://bugs.webkit.org/show_bug.cgi?id=130650
23310 <rdar://problem/16122966>
23311
23312 Reviewed by Michael Saboff.
23313
23314 Previously, it was only in the case of inlining that we would do SetLocals beyond the
23315 previously established numLocals limit. But then we added generalized op_call_varargs
23316 handling, which results in us emitting SetLocals that didn't previously exist in the
23317 bytecode.
23318
23319 This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.
23320
23321 * dfg/DFGByteCodeParser.cpp:
23322 (JSC::DFG::ByteCodeParser::ensureLocals):
23323 (JSC::DFG::ByteCodeParser::handleInlining):
23324 (JSC::DFG::ByteCodeParser::parseBlock):
23325 (JSC::DFG::ByteCodeParser::parse):
23326 * ftl/FTLOSRExitCompiler.cpp:
23327 (JSC::FTL::compileStub): Make this do alignment correctly.
23328 * runtime/Options.h:
23329 * tests/stress/call-varargs-from-inlined-code.js: Added.
23330 * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
23331
23332 2014-03-22 Filip Pizlo <fpizlo@apple.com>
23333
23334 Unreviewed, adjust sizes for ARM64.
23335
23336 * ftl/FTLInlineCacheSize.cpp:
23337 (JSC::FTL::sizeOfCall):
23338
23339 2014-03-22 Filip Pizlo <fpizlo@apple.com>
23340
23341 Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
23342 https://bugs.webkit.org/show_bug.cgi?id=130649
23343 <rdar://problem/16399949>
23344
23345 Reviewed by Andreas Kling.
23346
23347 * dfg/DFGSpeculativeJIT32_64.cpp:
23348 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
23349 * dfg/DFGSpeculativeJIT64.cpp:
23350 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
23351 * tests/stress/fuzz-bug-16399949.js: Added.
23352 (tryItOut.f):
23353 (tryItOut):
23354
23355 2014-03-22 Filip Pizlo <fpizlo@apple.com>
23356
23357 Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
23358 https://bugs.webkit.org/show_bug.cgi?id=130644
23359
23360 Reviewed by Andreas Kling.
23361
23362 This is conceptually a really simple change but it involves the following:
23363
23364 - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
23365
23366 - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
23367
23368 - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
23369 longer has a vector of slow path counts that shadows the CallLinkInfo vector.
23370
23371 - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
23372 and not all relinking.
23373
23374 This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
23375 the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
23376 with an op_call/op_construct instruction and a machine code return PC within such an
23377 instruction.
23378
23379 * bytecode/CallLinkInfo.h:
23380 (JSC::getCallLinkInfoCodeOrigin):
23381 * bytecode/CallLinkStatus.cpp:
23382 (JSC::CallLinkStatus::computeFor):
23383 (JSC::CallLinkStatus::computeDFGStatuses):
23384 * bytecode/CallLinkStatus.h:
23385 * bytecode/CodeBlock.cpp:
23386 (JSC::CodeBlock::printCallOp):
23387 (JSC::CodeBlock::dumpBytecode):
23388 (JSC::CodeBlock::finalizeUnconditionally):
23389 (JSC::CodeBlock::getCallLinkInfoMap):
23390 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
23391 (JSC::CodeBlock::addCallLinkInfo):
23392 (JSC::CodeBlock::unlinkCalls):
23393 * bytecode/CodeBlock.h:
23394 (JSC::CodeBlock::stubInfoBegin):
23395 (JSC::CodeBlock::stubInfoEnd):
23396 (JSC::CodeBlock::callLinkInfosBegin):
23397 (JSC::CodeBlock::callLinkInfosEnd):
23398 (JSC::CodeBlock::byValInfo):
23399 * dfg/DFGByteCodeParser.cpp:
23400 (JSC::DFG::ByteCodeParser::handleCall):
23401 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
23402 * dfg/DFGJITCode.h:
23403 * dfg/DFGJITCompiler.cpp:
23404 (JSC::DFG::JITCompiler::link):
23405 * dfg/DFGJITCompiler.h:
23406 (JSC::DFG::JITCompiler::addJSCall):
23407 (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
23408 * dfg/DFGOSRExitCompilerCommon.cpp:
23409 (JSC::DFG::reifyInlinedCallFrames):
23410 * dfg/DFGSpeculativeJIT.cpp:
23411 (JSC::DFG::SpeculativeJIT::compile):
23412 * dfg/DFGSpeculativeJIT.h:
23413 * dfg/DFGSpeculativeJIT32_64.cpp:
23414 (JSC::DFG::SpeculativeJIT::emitCall):
23415 * dfg/DFGSpeculativeJIT64.cpp:
23416 (JSC::DFG::SpeculativeJIT::emitCall):
23417 * ftl/FTLCompile.cpp:
23418 (JSC::FTL::fixFunctionBasedOnStackMaps):
23419 * ftl/FTLInlineCacheSize.cpp:
23420 (JSC::FTL::sizeOfCall):
23421 * ftl/FTLJSCall.cpp:
23422 (JSC::FTL::JSCall::JSCall):
23423 (JSC::FTL::JSCall::emit):
23424 (JSC::FTL::JSCall::link):
23425 * ftl/FTLJSCall.h:
23426 * jit/JIT.cpp:
23427 (JSC::JIT::privateCompileMainPass):
23428 (JSC::JIT::privateCompileSlowCases):
23429 (JSC::JIT::privateCompile):
23430 * jit/JIT.h:
23431 * jit/JITCall.cpp:
23432 (JSC::JIT::compileOpCall):
23433 (JSC::JIT::compileOpCallSlowCase):
23434 * jit/JITCall32_64.cpp:
23435 (JSC::JIT::compileOpCall):
23436 (JSC::JIT::compileOpCallSlowCase):
23437 * jit/JITOperations.cpp:
23438 * jit/JITOperations.h:
23439 (JSC::operationLinkFor):
23440 (JSC::operationVirtualFor):
23441 (JSC::operationLinkClosureCallFor):
23442 * jit/Repatch.cpp:
23443 (JSC::linkClosureCall):
23444 * jit/ThunkGenerators.cpp:
23445 (JSC::slowPathFor):
23446 (JSC::virtualForThunkGenerator):
23447 * tests/stress/eval-that-is-not-eval.js: Added.
23448
23449 2014-03-22 Filip Pizlo <fpizlo@apple.com>
23450
23451 Unreviewed, fix misspelled test name.
23452
23453 * tests/stress/constand-folding-osr-exit.js: Removed.
23454 * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
23455
23456 2014-03-22 Andreas Kling <akling@apple.com>
23457
23458 CREATE_DOM_WRAPPER doesn't need the ExecState.
23459 <https://webkit.org/b/130648>
23460
23461 Add a fast path from JSGlobalObject to the VM so we don't have
23462 to dance via the Heap.
23463
23464 Reviewed by Darin Adler.
23465
23466 * runtime/JSGlobalObject.cpp:
23467 (JSC::JSGlobalObject::JSGlobalObject):
23468 * runtime/JSGlobalObject.h:
23469 (JSC::JSGlobalObject::vm):
23470
23471 2014-03-22 Filip Pizlo <fpizlo@apple.com>
23472
23473 Unreviewed, fix FTL build.
23474
23475 * ftl/FTLJITFinalizer.cpp:
23476
23477 2014-03-22 Michael Saboff <msaboff@apple.com>
23478
23479 toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
23480 https://bugs.webkit.org/show_bug.cgi?id=130554
23481
23482 Reviewed by Geoffrey Garen.
23483
23484 Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
23485 Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
23486 happen in finishCreation() so that it will also happen for other derived classes including
23487 JSWorkerGlobalScopeBase.
23488
23489 * API/JSContextRef.cpp:
23490 (JSGlobalContextCreateInGroup):
23491 * jsc.cpp:
23492 (GlobalObject::create):
23493 * API/tests/testapi.c:
23494 (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
23495 the result from JSContextGetGlobalObject() as that will return the proxy.
23496 * runtime/JSGlobalObject.cpp:
23497 (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
23498 we now call setGlobalThis in finishCreation().
23499 * runtime/JSGlobalObject.h:
23500 (JSC::JSGlobalObject::finishCreation):
23501 (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
23502
23503 2014-03-22 Andreas Kling <akling@apple.com>
23504
23505 Fix debug build.
23506
23507 * bytecode/CodeBlock.cpp:
23508 * runtime/Executable.cpp:
23509
23510 2014-03-22 Andreas Kling <akling@apple.com>
23511
23512 Cut down on JSC profiler includes in WebCore & co.
23513 <https://webkit.org/b/130637>
23514
23515 Most of WebKit was pulling in JSC's profiler headers via VM.h.
23516
23517 Reviewed by Darin Adler.
23518
23519 * dfg/DFGDisassembler.cpp:
23520 * dfg/DFGDisassembler.h:
23521 * dfg/DFGJITFinalizer.cpp:
23522 * jsc.cpp:
23523 * runtime/VM.cpp:
23524 * runtime/VM.h:
23525
23526 2014-03-22 Landry Breuil <landry@openbsd.org>
23527
23528 Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
23529 https://bugs.webkit.org/show_bug.cgi?id=129965
23530
23531 Reviewed by Anders Carlsson.
23532
23533 2014-03-21 Mark Lam <mark.lam@apple.com>
23534
23535 Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
23536 <https://webkit.org/b/124508>
23537
23538 Reviewed by Oliver Hunt.
23539
23540 The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
23541 pointer from the BytecodeGenerator's m_localScopes vector, and then it
23542 calls emitPopScopes(). emitPopScopes() may do finally clause handling
23543 which will require the m_localScopes to be cloned so that it can change
23544 the local scopes for the finally block, and then restore it after
23545 handling the finally clause. These modifications of the m_localScopes
23546 vector will result in the LabelScope pointer in BreakNode::emitBytecode()
23547 becoming stale, thereby causing the crash.
23548
23549 The same issue applies to the ContinueNode as well.
23550
23551 The fix is to use the existing LabelScopePtr abstraction instead of raw
23552 LabelScope pointers. The LabelScopePtr is resilient to the underlying
23553 vector re-allocating its backing store.
23554
23555 I also changed the LabelScopePtr constructor that takes a LabelScopeStore
23556 to expect a reference to the owner store instead of a pointer because the
23557 owner store should never be a null pointer.
23558
23559 * bytecompiler/BytecodeGenerator.cpp:
23560 (JSC::BytecodeGenerator::newLabelScope):
23561 (JSC::BytecodeGenerator::breakTarget):
23562 (JSC::BytecodeGenerator::continueTarget):
23563 * bytecompiler/BytecodeGenerator.h:
23564 * bytecompiler/LabelScope.h:
23565 (JSC::LabelScopePtr::LabelScopePtr):
23566 (JSC::LabelScopePtr::operator bool):
23567 (JSC::LabelScopePtr::null):
23568 * bytecompiler/NodesCodegen.cpp:
23569 (JSC::ContinueNode::trivialTarget):
23570 (JSC::ContinueNode::emitBytecode):
23571 (JSC::BreakNode::trivialTarget):
23572 (JSC::BreakNode::emitBytecode):
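The stale-pointer bug this entry fixes, as an added C++ illustration that is not WebKit code: a raw pointer into a vector that may reallocate its backing store, beside an index-based handle in the spirit of LabelScopePtr. The LabelScope, LabelScopeStore and LabelScopePtr types below are hypothetical models, not the JSC definitions.

```cpp
// Added illustration, not WebKit code: why a raw pointer into a growable
// vector of scopes goes stale, and how an index-based handle avoids it.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for JSC's LabelScope: the data a break/continue
// target needs.
struct LabelScope {
    std::string name;
    int breakTarget;
};

// Hypothetical stand-in for m_localScopes: a vector whose backing store may
// be reallocated whenever a scope is pushed (for example while cloning the
// scopes for a finally block).
using LabelScopeStore = std::vector<LabelScope>;

// Handle that survives reallocation: it remembers the owning store (taken by
// reference, which can never be null) and the element's index, and resolves
// the element on every access instead of caching its address.
class LabelScopePtr {
public:
    LabelScopePtr(LabelScopeStore& store, std::size_t index)
        : m_store(&store), m_index(index) {}

    LabelScope& operator*() const { return (*m_store)[m_index]; }
    LabelScope* operator->() const { return &(*m_store)[m_index]; }
    explicit operator bool() const { return m_index < m_store->size(); }

private:
    LabelScopeStore* m_store;   // never null; a pointer only so the handle is copyable
    std::size_t m_index;
};

// Simulates emitPopScopes(): the store is grown until its capacity changes,
// which guarantees the backing store was reallocated and every element
// address cached before the call is dangling.
void growStoreUntilRelocated(LabelScopeStore& store) {
    const std::size_t capacityBefore = store.capacity();
    while (store.capacity() == capacityBefore)
        store.push_back({"finally-clone", -1});
}

// Returns true when the raw pointer taken before the growth no longer refers
// to the live element while the handle still resolves to it.
bool rawPointerGoesStaleButHandleDoesNot() {
    LabelScopeStore store;
    store.reserve(1);
    store.push_back({"loop", 42});

    LabelScope* raw = &store[0];       // what BreakNode used to hold
    LabelScopePtr handle(store, 0);    // what the fix holds instead

    growStoreUntilRelocated(store);    // reallocation: raw now dangles

    // Never dereference raw here; comparing addresses is enough to show it
    // no longer points at the live element (the new block is allocated while
    // the old one is still alive, so the addresses differ).
    bool rawIsStale = raw != &store[0];
    bool handleOk = handle && handle->name == "loop" && handle->breakTarget == 42;
    return rawIsStale && handleOk;
}
```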

2014-03-21 Mark Hahnenberg <mhahnenberg@apple.com>

6% SunSpider commandline regression due to r165940
https://bugs.webkit.org/show_bug.cgi?id=130617

Reviewed by Michael Saboff.

In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
before. Some of the benchmarks are never running a single EdenCollection, which causes
them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
magnitude more than we normally would.

The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

* heap/Heap.cpp:
(JSC::Heap::Heap):

2014-03-21 Filip Pizlo <fpizlo@apple.com>

Constants folded by DFG::ByteCodeParser should not be dead.
https://bugs.webkit.org/show_bug.cgi?id=130576

Reviewed by Mark Hahnenberg.

This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
or more folders in LLVM). Doing so has no performance impact since the other constant folders
already subsume this one.

Also added a test case for the specific bug that instigated this.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getJSConstantForValue):
(JSC::DFG::ByteCodeParser::getJSConstant):
(JSC::DFG::ByteCodeParser::inferredConstant):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.h:
* tests/stress/constand-folding-osr-exit.js: Added.
(foo):
(test):
(.var):

2014-03-21 Mark Lam <mark.lam@apple.com>

StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
<https://webkit.org/b/130566>

Reviewed by Filip Pizlo.

* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):

2014-03-20 Filip Pizlo <fpizlo@apple.com>

FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
https://bugs.webkit.org/show_bug.cgi?id=130562
<rdar://problem/16382842>

Reviewed by Geoffrey Garen.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
* tests/stress/uint32array-unsigned-load.js: Added.
(foo):

2014-03-20 Brian Burg <bburg@apple.com>

Web Inspector: add frontend controller and models for replay sessions
https://bugs.webkit.org/show_bug.cgi?id=130145

Reviewed by Joseph Pecoraro.

* inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20 Filip Pizlo <fpizlo@apple.com>

FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
https://bugs.webkit.org/show_bug.cgi?id=130546
<rdar://problem/16383308>

Reviewed by Mark Hahnenberg.

Make AI do a better job of folding this.

Also made the FTL backend be more tolerant of data representations. In this case it
didn't know that "constant" was a valid representation. There is a finite set of
possible representations, but broadly, we don't write code that presumes anything
about the representation of an input; that's what methods like lowJSValue() are for.
ValueToInt32 was previously not relying on those methods at all because it had some
hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
to lowJSValue().

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
* tests/stress/value-to-int32-undefined-constant.js: Added.
(foo):
* tests/stress/value-to-int32-undefined.js: Added.
(foo):

2014-03-20 Mark Hahnenberg <mhahnenberg@apple.com>

Add some assertions back
https://bugs.webkit.org/show_bug.cgi?id=130531

Reviewed by Geoffrey Garen.

We removed a useful set of assertions for verifying that MarkedBlocks were
in the state that we expected them to be in after clearing marks in the Heap.
We should add these back to catch bugs earlier.

* heap/MarkedBlock.h:
* heap/MarkedSpace.cpp:
(JSC::VerifyMarkedOrRetired::operator()):
(JSC::MarkedSpace::clearMarks):

2014-03-20 Filip Pizlo <fpizlo@apple.com>

Implement stackmap header version check and support new stackmap formats
https://bugs.webkit.org/show_bug.cgi?id=130535
<rdar://problem/16164284>

Reviewed by Geoffrey Garen.

Add the notion of versioning so that LLVMers can happily implement new stackmap formats
without worrying about WebKit getting version-locked to LLVM. In the future, we will have
to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
happy to move backward in time to older versions of LLVM.

* ftl/FTLStackMaps.cpp:
(JSC::FTL::readObject):
(JSC::FTL::StackMaps::Constant::parse):
(JSC::FTL::StackMaps::StackSize::parse):
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::parse):
(JSC::FTL::StackMaps::dump):
(JSC::FTL::StackMaps::dumpMultiline):
* ftl/FTLStackMaps.h:

2014-03-20 Filip Pizlo <fpizlo@apple.com>

Crash beneath operationTearOffActivation running this JS compression demo
https://bugs.webkit.org/show_bug.cgi?id=130295
<rdar://problem/16332337>

Reviewed by Oliver Hunt.

Make sure that we flush things as if we were at a terminal, if we are at a block with
no forward edges. This fixes infinitely loopy code with captured variables.

Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.

Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
it by itself. Now it's an artifact of CPS rethreading.

Add a bunch of tests. All of them previously either crashed or returned bad output due
to memory corruption.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::isCaptured):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::flushForReturn):
(JSC::DFG::ByteCodeParser::flushIfTerminal):
(JSC::DFG::ByteCodeParser::branchData):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
(JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::clearFlagsOnAllNodes):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* tests/stress/activation-test-loop.js: Added.
(Inner.this.doStuff):
(Inner):
(foo.inner.isDone):
(foo):
* tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(fuzz):
(foo.f):
(foo):
* tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):

2014-03-20 Oliver Hunt <oliver@apple.com>

Incorrect behavior when mutating a typed array during set.
https://bugs.webkit.org/show_bug.cgi?id=130428

Reviewed by Geoffrey Garen.

This fixes a null dereference that occurs if a typed array
is mutated during the set() operation. The patch gets rid
of the "Quickly" version of setIndex that is assigning
JSValues of unknown type, as the numeric conversion can trigger
side effects that lead to neutering, and so we deref null.

* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndex):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
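The failure mode this entry describes, as an added C++ illustration that is not WebKit code: converting a value of unknown type to a number can call back into user code that neuters the destination buffer mid-copy, so the hardened setIndex converts first and re-validates the storage before writing. TypedArrayView, Value and setFrom are hypothetical models, not the JSGenericTypedArrayView API.

```cpp
// Added illustration, not WebKit code: a numeric conversion may run arbitrary
// user code that neuters (frees) the destination buffer, so the buffer must be
// re-validated after every conversion rather than assumed to still exist.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

struct Value;

// Hypothetical stand-in for a Uint8-style typed array view over a buffer that
// can be detached ("neutered") while the view is still in use.
class TypedArrayView {
public:
    explicit TypedArrayView(std::size_t length)
        : m_storage(new uint8_t[length]()), m_length(length) {}

    void neuter() { m_storage.reset(); m_length = 0; }   // what a buffer transfer does
    bool isNeutered() const { return !m_storage; }
    std::size_t length() const { return m_length; }
    uint8_t at(std::size_t i) const { return m_storage[i]; }

    // Hardened setIndex: convert, then re-check, then write. Returns false
    // when the write had to be dropped because the storage is gone.
    bool setIndex(std::size_t index, const Value& value);

private:
    std::unique_ptr<uint8_t[]> m_storage;
    std::size_t m_length;
};

// Hypothetical JS value: toNumber() may invoke user code (think valueOf()).
struct Value {
    double number = 0;
    std::function<void()> sideEffect;
    double toNumber() const {
        if (sideEffect)
            sideEffect();
        return number;
    }
};

bool TypedArrayView::setIndex(std::size_t index, const Value& value) {
    // 1. Convert first. This is the step that can run user code and neuter
    //    *this; the removed "Quickly" path wrote before accounting for that.
    double n = value.toNumber();
    // 2. Only now decide whether the write is still valid.
    if (isNeutered() || index >= m_length)
        return false;
    // Truncating conversion, as a Uint8Array store would do.
    m_storage[index] = static_cast<uint8_t>(static_cast<int64_t>(n));
    return true;
}

// Copies src into view element by element; returns how many elements were
// actually written (all of them unless the view was neutered mid-copy).
std::size_t setFrom(TypedArrayView& view, const std::vector<Value>& src) {
    std::size_t written = 0;
    for (std::size_t i = 0; i < src.size(); ++i) {
        if (view.setIndex(i, src[i]))
            ++written;
    }
    return written;
}

// Scenario from the entry: converting the second element neuters the array.
// Element 0 is written, the remaining writes are rejected, and nothing
// touches freed or null storage.
std::size_t neuteringDuringSetIsSurvived() {
    TypedArrayView view(4);
    std::vector<Value> src(4);
    for (std::size_t i = 0; i < 4; ++i)
        src[i].number = 10.0 * static_cast<double>(i + 1);
    src[1].sideEffect = [&view] { view.neuter(); };
    return setFrom(view, src);   // 1
}
```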

2014-03-20 Gavin Barraclough <barraclough@apple.com>

Remove IdentifierTable typedef, isIdentifier()
https://bugs.webkit.org/show_bug.cgi?id=130533

Rubber stamped by Geoff Garen.

Code should use AtomicStringTable, isAtomic() directly.

* API/JSClassRef.cpp:
(OpaqueJSClass::~OpaqueJSClass):
(OpaqueJSClassContextData::OpaqueJSClassContextData):
(OpaqueJSClass::className):
* API/JSClassRef.h:
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromCell):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
* heap/Heap.cpp:
(JSC::Heap::collect):
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::addVar):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::createBindingPattern):
* runtime/Completion.cpp:
(JSC::checkSyntax):
(JSC::evaluate):
* runtime/Identifier.cpp:
(JSC::Identifier::checkCurrentAtomicStringTable):
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
* runtime/IdentifierInlines.h:
(JSC::Identifier::add):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/JSLock.h:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::find):
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString):
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
(JSC::VM::atomicStringTable):

2014-03-20 Gavin Barraclough <barraclough@apple.com>

Merge AtomicString, Identifier
https://bugs.webkit.org/show_bug.cgi?id=128624

Reviewed by Geoff Garen.

WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
Identifier - that is one too many.

Remove Identifier in favour of AtomicString. Identifier had two interesting
mechanisms that we preserve.

(1) JSC API VMs each get their own string table, switch the string table on
API entry/exit.
(2) JSC caches a pointer to the string table on the VM to avoid a thread
specific access. Adds a new AtomicString::add method to support this.

* API/JSAPIWrapperObject.mm:
- updated includes.
* JavaScriptCore.xcodeproj/project.pbxproj:
- added IdentifierInlines.h.
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
- updated includes.
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.
* runtime/ConsolePrototype.cpp:
- updated includes.
* runtime/Identifier.cpp:
(JSC::Identifier::add):
(JSC::Identifier::add8):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
- added ASSERTS.
(JSC::Identifier::add):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/IdentifierInlines.h: Added.
(JSC::Identifier::add):
- moved from Identifier.h, use AtomicString::add.
* runtime/JSCInlines.h:
- added IdentifierInlines.h.
* runtime/JSLock.h:
- removed IdentifierTable.
* runtime/PropertyNameArray.cpp:
- updated includes.
* runtime/SmallStrings.cpp:
(JSC::SmallStringsStorage::SmallStringsStorage):
- ensure all single character strings are Atomic.
* runtime/VM.cpp:
(JSC::VM::VM):
- instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
* runtime/VM.h:
(JSC::VM::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.

2014-03-20 Gabor Rapcsanyi <rgabor@webkit.org>

[ARM64] Fix assembler build issues and add cacheFlush support for Linux
https://bugs.webkit.org/show_bug.cgi?id=130502

Reviewed by Michael Saboff.

Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
Add cacheFlush support for Linux.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linuxPageFlush):
(JSC::ARM64Assembler::cacheFlush):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19 Gavin Barraclough <barraclough@apple.com>

https://bugs.webkit.org/show_bug.cgi?id=130494
EmptyUnique strings are Identifiers/Atomic

Reviewed by Geoff Garen.

EmptyUnique strings should set the Identifier/Atomic flag.

This fixes an unreproducible bug we believe exists in Identifier handling.
Expected behaviour is that while Identifiers may reference EmptyUniques
(StringImpls allocated as UIDs for PrivateNames), these are not created
through the main Identifier constructor, the Identifier flag is not set
on PrivateNames, and we should never look up EmptyUnique strings in the
IdentifierTable.

Unfortunately that was happening. Some tables used to implement property
access in the JIT hold StringImpl*s, and turn these back into Identifiers
using the identifier constructor. Since the code generator will now plant
by-id (cacheable) accesses to PrivateNames we can end up passing an
EmptyUnique to Identifier::add, potentially leading to PrivateNames being
uniqued together (though hard to prove, since the hash codes are random).

* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
(JSC::PropertyName::uid):
(JSC::PropertyName::publicName):
(JSC::PropertyName::asIndex):
- PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
* runtime/Structure.cpp:
(JSC::Structure::getPropertyNamesFromStructure):
- Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19 Filip Pizlo <fpizlo@apple.com>

Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

* dfg/DFGCommon.h:

2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>

GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261

Reviewed by Geoffrey Garen.

Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
be detected by an EdenCollection).

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/EdenGCActivityCallback.cpp: Added.
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):
(JSC::EdenGCActivityCallback::gcTimeSlice):
* heap/EdenGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createEdenTimer):
* heap/FullGCActivityCallback.cpp: Added.
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):
(JSC::FullGCActivityCallback::gcTimeSlice):
* heap/FullGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createFullTimer):
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::didAbandon):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
(JSC::Heap::sizeBeforeLastEdenCollection):
(JSC::Heap::sizeAfterLastEdenCollection):
(JSC::Heap::sizeBeforeLastFullCollection):
(JSC::Heap::sizeAfterLastFullCollection):
* heap/HeapOperation.h:
* heap/HeapStatistics.cpp:
(JSC::HeapStatistics::showObjectStatistics):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* jsc.cpp:
(functionFullGC):
(functionEdenGC):
* runtime/Options.h:

2014-03-19 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r165926.
https://bugs.webkit.org/show_bug.cgi?id=130488

broke the iOS build (Requested by estes on #webkit).

Reverted changeset:

"GC timer should intelligently choose between EdenCollections
and FullCollections"
https://bugs.webkit.org/show_bug.cgi?id=128261
http://trac.webkit.org/changeset/165926

2014-03-13 Mark Hahnenberg <mhahnenberg@apple.com>

GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261

Reviewed by Geoffrey Garen.

Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
detected by an EdenCollection).

* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::createFullTimer):
(JSC::GCActivityCallback::createEdenTimer):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::didAbandon):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
* heap/Heap.h:
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):

2014-03-19 Filip Pizlo <fpizlo@apple.com>

REGRESSION(r165459): It broke 109 jsc stress tests on ARM Thumb2 and Mac 32 bit
https://bugs.webkit.org/show_bug.cgi?id=130134

Reviewed by Mark Hahnenberg.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
(JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
* jit/JITInlineCacheGenerator.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.

2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>

Normalize some of the older JSC options
https://bugs.webkit.org/show_bug.cgi?id=128753

Reviewed by Michael Saboff.

* runtime/Options.cpp:
(JSC::Options::initialize):

2014-03-12 Mark Lam <mark.lam@apple.com>

Update type of local vars to match the type of String length.
<https://webkit.org/b/130077>

Reviewed by Geoffrey Garen.

* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::join):

2014-03-18 Filip Pizlo <fpizlo@apple.com>

Get rid of Flush in SSA
https://bugs.webkit.org/show_bug.cgi?id=130440

Reviewed by Sam Weinig.

This is basically a red patch. We used to use backwards flow for determining what was
flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
accomplish anything. Keeping them around in SSA can only make things hard.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::SSAData::SSAData):
* dfg/DFGBasicBlock.h:
* dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
* dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):

2014-03-18 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix iOS production build.

* JavaScriptCore.xcodeproj/project.pbxproj:

2014-03-18 Michael Saboff <msaboff@apple.com>

Update RegExp Tracing code
https://bugs.webkit.org/show_bug.cgi?id=130381

Reviewed by Andreas Kling.

Updated the regular expression tracing code for 8/16 bit JIT as
well as match only entry points. Also added average string length
metric.

* runtime/RegExp.cpp:
(JSC::RegExp::RegExp):
(JSC::RegExp::match):
(JSC::RegExp::printTraceData):
* runtime/RegExp.h:
* runtime/VM.cpp:
(JSC::VM::addRegExpToTrace):
(JSC::VM::dumpRegExpTrace):
* runtime/VM.h:
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
(JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
(JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
(JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):

2014-03-17 Filip Pizlo <fpizlo@apple.com>

Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
https://bugs.webkit.org/show_bug.cgi?id=130300

Reviewed by Mark Hahnenberg.

We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
This makes the DFG aware of this.

Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.

This also gives the DFG some abstractions for checking something is a cell or is other.
This made this patch easier to write and also simplified a bunch of other stuff.

1% speed-up on Octane.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::JumpList::JumpList):
* bytecode/SpeculatedType.h:
(JSC::isNotStringVarSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::childFor):
(JSC::DFG::Node::shouldSpeculateNotStringVar):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileBooleanCompare):
(JSC::DFG::SpeculativeJIT::compileStringEquality):
(JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
(JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
(JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
(JSC::DFG::SpeculativeJIT::compileStringZeroLength):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
(JSC::DFG::SpeculativeJIT::speculateNotStringVar):
(JSC::DFG::SpeculativeJIT::speculateNotCell):
(JSC::DFG::SpeculativeJIT::speculateOther):
(JSC::DFG::SpeculativeJIT::speculate):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::emitSwitchString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::blessedBooleanResult):
(JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
(JSC::DFG::SpeculativeJIT::booleanResult):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::branchIsCell):
(JSC::DFG::branchNotCell):
(JSC::DFG::SpeculativeJIT::branchIsOther):
(JSC::DFG::SpeculativeJIT::branchNotOther):
(JSC::DFG::SpeculativeJIT::moveTrueTo):
(JSC::DFG::SpeculativeJIT::moveFalseTo):
(JSC::DFG::SpeculativeJIT::blessBoolean):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
(JSC::DFG::SpeculativeJIT::branchIsCell):
(JSC::DFG::SpeculativeJIT::branchNotCell):
(JSC::DFG::SpeculativeJIT::branchIsOther):
(JSC::DFG::SpeculativeJIT::branchNotOther):
(JSC::DFG::SpeculativeJIT::moveTrueTo):
(JSC::DFG::SpeculativeJIT::moveFalseTo):
(JSC::DFG::SpeculativeJIT::blessBoolean):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::lowString):
(JSC::FTL::LowerDFGToLLVM::lowStringIdent):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateString):
(JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
(JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
* runtime/JSCJSValue.h:
* tests/stress/string-ident-to-not-string-var-equality.js: Added.
(foo):
(bar):
(test):

2014-03-18 Joseph Pecoraro <pecoraro@apple.com>

Add Copyright to framework.sb
https://bugs.webkit.org/show_bug.cgi?id=130413

Reviewed by Timothy Hatcher.

Other sb files got the copyright. Follow suit.

* framework.sb:

2014-03-18 Matthew Mirman <mmirman@apple.com>

Removed extra parens from if statement in a preprocessor define.
https://bugs.webkit.org/show_bug.cgi?id=130408

Reviewed by Filip Pizlo.

* parser/Parser.cpp:

2014-03-18 Filip Pizlo <fpizlo@apple.com>

More FTL enabling.

Rubber stamped by Dan Bernstein and Mark Hahnenberg.

* Configurations/FeatureDefines.xcconfig:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
24376
243772014-03-17 Michael Saboff <msaboff@apple.com>
24378
24379 V8 regexp spends most of its time in operationGetById
24380 https://bugs.webkit.org/show_bug.cgi?id=130380
24381
24382 Reviewed by Filip Pizlo.
24383
24384 Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
24385 When V8 regexp is run from the command line, this nets a 2% performance improvement.
24386 When the test is run for a longer amount of time, there is much less benefit as the
24387 DFG will emit the appropriate code for String.length. This does remove
24388 operationGetById as the hottest function whne run from the command line.
24389
24390 * jit/Repatch.cpp:
24391 (JSC::tryCacheGetByID):
24392
243932014-03-17 Andreas Kling <akling@apple.com>
24394
24395 Add one-deep cache to opaque roots hashset.
24396 <https://webkit.org/b/130357>
24397
24398 The vast majority of WebCore JS wrappers will have their Document*
24399 as the root(). This change adds a simple optimization where we cache
24400 the last lookup and avoid going to the hashset for repeated queries.
24401
24402 Looks like 0.4% progression on DYEB on my MBP.
24403
24404 Reviewed by Mark Hahnenberg.
24405
24406 * JavaScriptCore.xcodeproj/project.pbxproj:
24407 * heap/OpaqueRootSet.h: Added.
24408 (JSC::OpaqueRootSet::OpaqueRootSet):
24409 (JSC::OpaqueRootSet::contains):
24410 (JSC::OpaqueRootSet::isEmpty):
24411 (JSC::OpaqueRootSet::clear):
24412 (JSC::OpaqueRootSet::add):
24413 (JSC::OpaqueRootSet::size):
24414 (JSC::OpaqueRootSet::begin):
24415 (JSC::OpaqueRootSet::end):
24416 * heap/SlotVisitor.h:
24417
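        As an added example, not the project's own heap/OpaqueRootSet.h, the following C++ sketch shows the one-deep lookup cache the entry above describes, including the two cases where the cached answer must be refreshed or dropped (add() after a cached miss, clear() after a cached hit). The cache-hit counter and the two demonstration functions are assumptions added for this example only.

```cpp
#include <cstddef>
#include <cstdio>
#include <unordered_set>

// Added illustration, not JSC's own heap/OpaqueRootSet.h: a set of opaque
// root pointers with a one-deep lookup cache. Most WebCore wrappers share one
// Document* as their root, so repeated contains() calls for the same pointer
// are answered from the cache instead of the hash set.
class OpaqueRootSet {
public:
    bool contains(const void* root)
    {
        if (m_cacheValid && root == m_lastQueriedRoot) {
            ++m_cacheHits; // instrumentation added for this example only
            return m_lastQueriedResult;
        }
        m_lastQueriedRoot = root;
        m_lastQueriedResult = m_roots.find(root) != m_roots.end();
        m_cacheValid = true;
        return m_lastQueriedResult;
    }

    void add(const void* root)
    {
        m_roots.insert(root);
        // A cached negative answer for this very pointer would now be stale.
        if (m_cacheValid && root == m_lastQueriedRoot)
            m_lastQueriedResult = true;
    }

    void clear()
    {
        m_roots.clear();
        m_cacheValid = false; // every cached answer is stale after a clear
    }

    bool isEmpty() const { return m_roots.empty(); }
    size_t size() const { return m_roots.size(); }
    std::unordered_set<const void*>::const_iterator begin() const { return m_roots.begin(); }
    std::unordered_set<const void*>::const_iterator end() const { return m_roots.end(); }
    size_t cacheHits() const { return m_cacheHits; }

private:
    std::unordered_set<const void*> m_roots;
    const void* m_lastQueriedRoot = nullptr;
    bool m_lastQueriedResult = false;
    bool m_cacheValid = false;
    size_t m_cacheHits = 0;
};

// Simulates visiting wrapperCount wrappers that all report the same root:
// the first query pays for a hash lookup, every later one is a cache hit.
// Returns the number of cache hits observed (wrapperCount - 1 when wrapperCount > 0).
size_t markWrappersSharingRoot(size_t wrapperCount)
{
    int document = 0; // stands in for a WebCore Document*; only its address matters
    OpaqueRootSet roots;
    roots.add(&document);
    size_t reachable = 0;
    for (size_t i = 0; i < wrapperCount; ++i) {
        if (roots.contains(&document))
            ++reachable;
    }
    return reachable == wrapperCount ? roots.cacheHits() : static_cast<size_t>(-1);
}

// Exercises the two ways the cache can go stale: add() after a cached
// negative answer, and clear() after a cached positive one.
bool cacheStaysConsistent()
{
    int a = 0, b = 0;
    OpaqueRootSet roots;
    if (roots.contains(&a))
        return false; // miss; (a, false) is now cached
    roots.add(&a);
    if (!roots.contains(&a))
        return false; // add() must refresh the cached answer
    roots.add(&b);
    if (!roots.contains(&b))
        return false; // miss; (b, true) is now cached
    roots.clear();
    if (roots.contains(&b) || !roots.isEmpty())
        return false; // clear() must drop the cached answer
    return roots.size() == 0;
}

int main()
{
    std::printf("cache hits for 1000 wrappers: %zu\n", markWrappersSharingRoot(1000));
    std::printf("cache consistent: %s\n", cacheStaysConsistent() ? "yes" : "no");
    return 0;
}
```
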
244182014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
24419
24420 Implement Math.hypot
24421 https://bugs.webkit.org/show_bug.cgi?id=129486
24422
24423 Reviewed by Darin Adler.
24424
24425 * runtime/MathObject.cpp:
24426 (JSC::MathObject::finishCreation):
24427 (JSC::mathProtoFuncHypot):
24428
244292014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>
24430
24431 Fix the !ENABLE(PROMISES) build
24432 https://bugs.webkit.org/show_bug.cgi?id=130328
24433
24434 Reviewed by Darin Adler.
24435
24436 Add missing ENABLE(PROMISES) guards.
24437
24438 * runtime/JSGlobalObject.cpp:
24439 (JSC::JSGlobalObject::reset):
24440 (JSC::JSGlobalObject::visitChildren):
24441 * runtime/JSGlobalObject.h:
24442 * runtime/JSPromiseDeferred.cpp:
24443 * runtime/JSPromiseDeferred.h:
24444 * runtime/JSPromiseReaction.cpp:
24445 * runtime/JSPromiseReaction.h:
24446 * runtime/VM.cpp:
24447 (JSC::VM::VM):
24448 * runtime/VM.h:
24449
244502014-03-16 Andreas Kling <akling@apple.com>
24451
24452 REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
24453 <https://webkit.org/b/130304>
24454
24455 Reviewed by Anders Carlsson.
24456
24457 Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
24458 that doesn't put a potentially unwanted string into the Identifier table.
24459
24460 * API/OpaqueJSString.cpp:
24461 (OpaqueJSString::identifier):
24462
244632014-03-16 Brian Burg <bburg@apple.com>
24464
24465 Web Inspector: generated backend commands should reflect build system ENABLE settings
24466 https://bugs.webkit.org/show_bug.cgi?id=130111
24467
24468 Reviewed by Timothy Hatcher.
24469
24470 * CMakeLists.txt:
24471
24472 Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
24473 instead of globbing any .json file.
24474
24475 * DerivedSources.make:
24476
24477 Force the combined inspector protocol file to be regenerated if
24478 the content or list of domains itself changes.
24479
244802014-03-16 Brian Burg <bburg@apple.com>
24481
24482 Web Inspector: vended backend commands file should be generated as part of the build
24483 https://bugs.webkit.org/show_bug.cgi?id=130110
24484
24485 Reviewed by Timothy Hatcher.
24486
24487 * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
24488 private headers directory.
24489
244902014-03-16 Darin Adler <darin@apple.com>
24491
24492 Remove all uses of deprecatedCharacters from JavaScriptCore
24493 https://bugs.webkit.org/show_bug.cgi?id=130304
24494
24495 Reviewed by Anders Carlsson.
24496
24497 * API/JSValueRef.cpp:
24498 (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
24499 * API/OpaqueJSString.cpp:
24500 (OpaqueJSString::~OpaqueJSString): Use characters 16 in the 16-bit code path.
24501 (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
24502 juse use the standard one that takes a String.
24503 (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
24504 hand-written alternative.
24505
24506 * bindings/ScriptValue.cpp:
24507 (Deprecated::jsToInspectorValue): Create InspectorString from String directly
24508 instead of involving a character pointer. Use the String from Identifier
24509 directly instead of making a new String.
24510
24511 * inspector/ContentSearchUtilities.cpp:
24512 (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
24513 instead of building a String a character at a time. This is still a very slow
24514 way to do this. Also use strchr to search for a character instead of building
24515 a String every time just to use find on it.
24516
24517 * inspector/InspectorValues.cpp:
24518 (Inspector::doubleQuoteString): Remove unnecessary trip through a
24519 character pointer. This is still a really slow way to do this.
24520 (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
24521 instead of String::deprecatedCharacters. Still slow to always upconvert.
24522
24523 * runtime/DateConstructor.cpp: Removed unneeded include.
24524 * runtime/DatePrototype.cpp: Ditto.
24525
24526 * runtime/Identifier.h: Removed deprecatedCharacters function.
24527
24528 * runtime/JSGlobalObjectFunctions.cpp:
24529 (JSC::encode): Added a type cast to avoid ambiguity with the two character-
24530 appending functions from JSStringBuilder. Removed unneeded code duplicating
24531 what JSStringBuilder already does in its character append function.
24532 (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
24533 (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
24534 is used outside this file have external linkage. Added a new overload that takes
24535 a StringView.
24536 (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
24537 (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
24538 single character.
24539
24540 * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
24541
24542 * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
24543 (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
24544 Made one overload private. Fixed a performance bug where we would reserve capacity
24545 in the 8-bit buffer but then append to the 16-bit buffer.
24546
24547 * runtime/ObjectPrototype.cpp: Removed unneeded include.
24548
24549 * runtime/StringPrototype.cpp:
24550 (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
24551 (JSC::stringProtoFuncLink): Ditto.
24552
245532014-03-15 Filip Pizlo <fpizlo@apple.com>
24554
24555 FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
24556 https://bugs.webkit.org/show_bug.cgi?id=130296
24557
24558 Reviewed by Andreas Kling.
24559
24560 During the 32-bit structure ID work, the second load of the structure was removed.
24561 That's wrong. The whole point of loading the structure ID again is that the structure
24562 ID would have been changed by the arrayification call, and we're verifying that the
24563 arrayification succeeded in changing the structure. If we check the old structure - as
24564 the code was doing after the 32-bit structure ID work - then this check is guaranteed
24565 to fail, causing a significant performance regression.
24566
24567 It's actually amazing that the regression wasn't bigger. The reason is that if FTL
24568 code pathologically exits but the equivalent DFG code doesn't, then the exponential
24569 backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
24570 the time at least, the DFG wasn't much slower so this didn't cause too much pain.
24571
24572 * ftl/FTLLowerDFGToLLVM.cpp:
24573 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
24574
245752014-03-15 Filip Pizlo <fpizlo@apple.com>
24576
24577 FTL should support CheckHasInstance/InstanceOf
24578 https://bugs.webkit.org/show_bug.cgi?id=130285
24579
24580 Reviewed by Sam Weinig.
24581
24582 Fairly straightforward; I also discovered an inaccurate FIXME in the process.
24583
24584 * dfg/DFGFixupPhase.cpp:
24585 (JSC::DFG::FixupPhase::fixupNode):
24586 * ftl/FTLAbstractHeapRepository.h:
24587 * ftl/FTLCapabilities.cpp:
24588 (JSC::FTL::canCompile):
24589 * ftl/FTLLowerDFGToLLVM.cpp:
24590 (JSC::FTL::LowerDFGToLLVM::compileNode):
24591 (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
24592 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
24593 * ftl/FTLOutput.h:
24594 (JSC::FTL::Output::phi):
24595 * tests/stress/instanceof.js: Added.
24596 * tests/stress/instanceof-not-cell.js: Added.
24597
245982014-03-15 Michael Saboff <msaboff@apple.com>
24599
24600 It should be possible to adjust DFG and FTL compiler thread priorities
24601 https://bugs.webkit.org/show_bug.cgi?id=130288
24602
24603 Reviewed by Filip Pizlo.
24604
24605 Added ability to change thread priorities relative to its current priority.
24606 Created options to adjust the priority of the DFG and FTL compilation work thread
24607 pools. For two core systems, there might be three runnable threads, the main thread,
24608 the DFG compilation thread and the FTL compilation thread. With the same priority,
24609 the scheduler is free to schedule whatever thread it wants. By lowering the
24610 compilation threads, the main thread can run. Further tests may suggest better values
24611 for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
24612
24613 For a two-core device, this change has a net positive improvement of 1-3% across
24614 SunSpider, Octane, Kraken and AsmBench.
24615
24616 * dfg/DFGWorklist.cpp:
24617 (JSC::DFG::Worklist::finishCreation):
24618 (JSC::DFG::Worklist::create):
24619 (JSC::DFG::ensureGlobalDFGWorklist):
24620 (JSC::DFG::ensureGlobalFTLWorklist):
24621 * dfg/DFGWorklist.h:
24622 * runtime/Options.cpp:
24623 (JSC::computePriorityDeltaOfWorkerThreads):
24624 * runtime/Options.h:
24625
246262014-03-15 David Kilzer <ddkilzer@apple.com>
24627
24628 [iOS] Define SYSTEM_VERSION_PREFIX consistently
24629 <http://webkit.org/b/130293>
24630 <rdar://problem/15926359>
24631
24632 Reviewed by Dan Bernstein.
24633
24634 * Configurations/Version.xcconfig:
24635 (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
24636 Source/WebKit/mac/Version.xcconfig.
24637
246382014-03-15 David Kilzer <ddkilzer@apple.com>
24639
24640 Fix build: using integer absolute value function 'abs' when argument is of floating point type
24641 <http://webkit.org/b/130286>
24642
24643 Reviewed by Filip Pizlo.
24644
24645 Fixes the following build failure using trunk clang:
24646
24647 JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
24648 value = abs(value);
24649 ^
24650 JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
24651 value = abs(value);
24652 ^~~
24653 fabs
24654
24655 * assembler/MacroAssembler.h:
24656 (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
24657 fabs().
24658
246592014-03-14 Oliver Hunt <oliver@apple.com>
24660
24661 Reinstate intialiser syntax in for-in loops
24662 https://bugs.webkit.org/show_bug.cgi?id=130269
24663
24664 Reviewed by Michael Saboff.
24665
24666 Disallowing the initialiser broke some sites so this patch re-allows
24667 the syntax. We still disallow the syntax in 'of' and pattern based
24668 enumeration.
24669
24670 * parser/ASTBuilder.h:
24671 (JSC::ASTBuilder::isBindingNode):
24672 * parser/Parser.cpp:
24673 (JSC::Parser<LexerType>::parseVarDeclarationList):
24674 (JSC::Parser<LexerType>::parseForStatement):
24675 * parser/SyntaxChecker.h:
24676 (JSC::SyntaxChecker::operatorStackPop):
24677
246782014-03-14 Mark Lam <mark.lam@apple.com>
24679
24680 Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
24681 <https://webkit.org/b/130279>
24682
24683 Reviewed by Filip Pizlo.
24684
24685 If neither the getter nor setter are defined, accessing __lookupGetter__
24686 and __lookupSetter__ will return undefined as expected. However, if the
24687 getter is defined but the setter is not, accessing __lookupSetter__ will
24688 crash the VM. Similarly, accessing __lookupGetter__ when only the setter
24689 is defined will crash the VM.
24690
24691 The reason is because objectProtoFuncLookupGetter() and
24692 objectProtoFuncLookupSetter() did not check if the getter and setter
24693 value is non-null before returning it as an EncodedJSValue. The fix is
24694 to add the appropriate null checks.
24695
24696 * runtime/ObjectPrototype.cpp:
24697 (JSC::objectProtoFuncLookupGetter):
24698 (JSC::objectProtoFuncLookupSetter):
24699
247002014-03-14 Mark Rowe <mrowe@apple.com>
24701
24702 Fix the production build.
24703
24704 Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
24705 be at the expected relative path when working from installed source.
24706
24707 * Configurations/Base.xcconfig:
24708
247092014-03-14 Maciej Stachowiak <mjs@apple.com>
24710
24711 Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
24712 https://bugs.webkit.org/show_bug.cgi?id=130276
24713 <rdar://problem/16266927>
24714
24715 Reviewed by Simon Fraser.
24716
24717 * API/APICast.h:
24718 * API/JSBase.cpp:
24719 * API/JSBase.h:
24720 * API/JSBasePrivate.h:
24721 * API/JSCallbackConstructor.cpp:
24722 * API/JSCallbackConstructor.h:
24723 * API/JSCallbackFunction.cpp:
24724 * API/JSCallbackFunction.h:
24725 * API/JSCallbackObject.cpp:
24726 * API/JSCallbackObject.h:
24727 * API/JSCallbackObjectFunctions.h:
24728 * API/JSClassRef.cpp:
24729 * API/JSClassRef.h:
24730 * API/JSContextRef.cpp:
24731 * API/JSContextRef.h:
24732 * API/JSContextRefPrivate.h:
24733 * API/JSObjectRef.cpp:
24734 * API/JSObjectRef.h:
24735 * API/JSProfilerPrivate.cpp:
24736 * API/JSProfilerPrivate.h:
24737 * API/JSRetainPtr.h:
24738 * API/JSStringRef.cpp:
24739 * API/JSStringRef.h:
24740 * API/JSStringRefBSTR.cpp:
24741 * API/JSStringRefBSTR.h:
24742 * API/JSStringRefCF.cpp:
24743 * API/JSStringRefCF.h:
24744 * API/JSValueRef.cpp:
24745 * API/JSValueRef.h:
24746 * API/JavaScript.h:
24747 * API/JavaScriptCore.h:
24748 * API/OpaqueJSString.cpp:
24749 * API/OpaqueJSString.h:
24750 * API/tests/JSNode.c:
24751 * API/tests/JSNode.h:
24752 * API/tests/JSNodeList.c:
24753 * API/tests/JSNodeList.h:
24754 * API/tests/Node.c:
24755 * API/tests/Node.h:
24756 * API/tests/NodeList.c:
24757 * API/tests/NodeList.h:
24758 * API/tests/minidom.c:
24759 * API/tests/minidom.js:
24760 * API/tests/testapi.c:
24761 * API/tests/testapi.js:
24762 * DerivedSources.make:
24763 * bindings/ScriptValue.cpp:
24764 * bytecode/CodeBlock.cpp:
24765 * bytecode/CodeBlock.h:
24766 * bytecode/EvalCodeCache.h:
24767 * bytecode/Instruction.h:
24768 * bytecode/JumpTable.cpp:
24769 * bytecode/JumpTable.h:
24770 * bytecode/Opcode.cpp:
24771 * bytecode/Opcode.h:
24772 * bytecode/SamplingTool.cpp:
24773 * bytecode/SamplingTool.h:
24774 * bytecode/SpeculatedType.cpp:
24775 * bytecode/SpeculatedType.h:
24776 * bytecode/ValueProfile.h:
24777 * bytecompiler/BytecodeGenerator.cpp:
24778 * bytecompiler/BytecodeGenerator.h:
24779 * bytecompiler/Label.h:
24780 * bytecompiler/LabelScope.h:
24781 * bytecompiler/RegisterID.h:
24782 * debugger/DebuggerCallFrame.cpp:
24783 * debugger/DebuggerCallFrame.h:
24784 * dfg/DFGDesiredStructureChains.cpp:
24785 * dfg/DFGDesiredStructureChains.h:
24786 * heap/GCActivityCallback.cpp:
24787 * heap/GCActivityCallback.h:
24788 * inspector/ConsoleMessage.cpp:
24789 * inspector/ConsoleMessage.h:
24790 * inspector/IdentifiersFactory.cpp:
24791 * inspector/IdentifiersFactory.h:
24792 * inspector/InjectedScriptManager.cpp:
24793 * inspector/InjectedScriptManager.h:
24794 * inspector/InjectedScriptSource.js:
24795 * inspector/ScriptBreakpoint.h:
24796 * inspector/ScriptDebugListener.h:
24797 * inspector/ScriptDebugServer.cpp:
24798 * inspector/ScriptDebugServer.h:
24799 * inspector/agents/InspectorAgent.cpp:
24800 * inspector/agents/InspectorAgent.h:
24801 * inspector/agents/InspectorDebuggerAgent.cpp:
24802 * inspector/agents/InspectorDebuggerAgent.h:
24803 * interpreter/Interpreter.cpp:
24804 * interpreter/Interpreter.h:
24805 * interpreter/JSStack.cpp:
24806 * interpreter/JSStack.h:
24807 * interpreter/Register.h:
24808 * jit/CompactJITCodeMap.h:
24809 * jit/JITStubs.cpp:
24810 * jit/JITStubs.h:
24811 * jit/JITStubsARM.h:
24812 * jit/JITStubsARMv7.h:
24813 * jit/JITStubsX86.h:
24814 * jit/JITStubsX86_64.h:
24815 * os-win32/stdbool.h:
24816 * parser/SourceCode.h:
24817 * parser/SourceProvider.h:
24818 * profiler/LegacyProfiler.cpp:
24819 * profiler/LegacyProfiler.h:
24820 * profiler/ProfileNode.cpp:
24821 * profiler/ProfileNode.h:
24822 * runtime/ArrayBufferView.cpp:
24823 * runtime/ArrayBufferView.h:
24824 * runtime/BatchedTransitionOptimizer.h:
24825 * runtime/CallData.h:
24826 * runtime/ConstructData.h:
24827 * runtime/DumpContext.cpp:
24828 * runtime/DumpContext.h:
24829 * runtime/ExceptionHelpers.cpp:
24830 * runtime/ExceptionHelpers.h:
24831 * runtime/InitializeThreading.cpp:
24832 * runtime/InitializeThreading.h:
24833 * runtime/IntegralTypedArrayBase.h:
24834 * runtime/IntendedStructureChain.cpp:
24835 * runtime/IntendedStructureChain.h:
24836 * runtime/JSActivation.cpp:
24837 * runtime/JSActivation.h:
24838 * runtime/JSExportMacros.h:
24839 * runtime/JSGlobalObject.cpp:
24840 * runtime/JSNotAnObject.cpp:
24841 * runtime/JSNotAnObject.h:
24842 * runtime/JSPropertyNameIterator.cpp:
24843 * runtime/JSPropertyNameIterator.h:
24844 * runtime/JSSegmentedVariableObject.cpp:
24845 * runtime/JSSegmentedVariableObject.h:
24846 * runtime/JSSymbolTableObject.cpp:
24847 * runtime/JSSymbolTableObject.h:
24848 * runtime/JSTypeInfo.h:
24849 * runtime/JSVariableObject.cpp:
24850 * runtime/JSVariableObject.h:
24851 * runtime/PropertyTable.cpp:
24852 * runtime/PutPropertySlot.h:
24853 * runtime/SamplingCounter.cpp:
24854 * runtime/SamplingCounter.h:
24855 * runtime/Structure.cpp:
24856 * runtime/Structure.h:
24857 * runtime/StructureChain.cpp:
24858 * runtime/StructureChain.h:
24859 * runtime/StructureInlines.h:
24860 * runtime/StructureTransitionTable.h:
24861 * runtime/SymbolTable.cpp:
24862 * runtime/SymbolTable.h:
24863 * runtime/TypedArrayBase.h:
24864 * runtime/TypedArrayType.cpp:
24865 * runtime/TypedArrayType.h:
24866 * runtime/VM.cpp:
24867 * runtime/VM.h:
24868 * yarr/RegularExpression.cpp:
24869 * yarr/RegularExpression.h:
24870
248712014-03-14 Filip Pizlo <fpizlo@apple.com>
24872
24873 Final FTL iOS build magic
24874 https://bugs.webkit.org/show_bug.cgi?id=130281
24875
24876 Reviewed by Michael Saboff.
24877
24878 * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
24879 * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritzation right. Also we need protobuf because things. :-/
24880
248812014-03-14 Joseph Pecoraro <pecoraro@apple.com>
24882
24883 Web Inspector: Gracefully handle nil name -[JSContext setName:]
24884 https://bugs.webkit.org/show_bug.cgi?id=130262
24885
24886 Reviewed by Mark Hahnenberg.
24887
24888 * API/JSContext.mm:
24889 (-[JSContext setName:]):
24890 Gracefully handle nil input.
24891
24892 * API/tests/testapi.c:
24893 (globalContextNameTest):
24894 * API/tests/testapi.mm:
24895 Test for nil / NULL names in the ObjC and C APIs.
24896
248972014-03-11 Oliver Hunt <oliver@apple.com>
24898
24899 Improve dom error messages
24900 https://bugs.webkit.org/show_bug.cgi?id=130103
24901
24902 Reviewed by Andreas Kling.
24903
24904 Add new helper function.
24905
24906 * runtime/Error.h:
24907 (JSC::throwVMTypeError):
24908
249092014-03-14 László Langó <llango.u-szeged@partner.samsung.com>
24910
24911 Remove unused method declaration.
24912 https://bugs.webkit.org/show_bug.cgi?id=130238
24913
24914 Reviewed by Filip Pizlo.
24915
24916 The implementation of CallFrame::dumpCaller was removed in
24917 http://trac.webkit.org/changeset/153183, but the declaration of it was not.
24918
24919 * interpreter/CallFrame.h:
24920 Remove CallFrame::dumpCaller() method declaration.
24921
249222014-03-12 Sergio Villar Senin <svillar@igalia.com>
24923
24924 Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
24925 https://bugs.webkit.org/show_bug.cgi?id=129612
24926
24927 Reviewed by Darin Adler.
24928
24929 For new code use static NeverDestroyed<T> instead.
24930
24931 * API/JSAPIWrapperObject.mm:
24932 (jsAPIWrapperObjectHandleOwner):
24933 * API/JSManagedValue.mm:
24934 (managedValueHandleOwner):
24935 * inspector/agents/InspectorDebuggerAgent.cpp:
24936 (Inspector::objectGroupForBreakpointAction):
24937 * inspector/scripts/CodeGeneratorInspectorStrings.py:
24938 * interpreter/JSStack.cpp:
24939 (JSC::stackStatisticsMutex):
24940 * jit/ExecutableAllocator.cpp:
24941 (JSC::DemandExecutableAllocator::allocators):
24942
249432014-03-12 Gavin Barraclough <barraclough@apple.com>
24944
24945 Reduce memory use for static property maps
24946 https://bugs.webkit.org/show_bug.cgi?id=129986
24947
24948 Reviewed by Andreas Kling.
24949
24950 Static property tables are currently duplicated on first use from read-only memory into dirty memory
24951 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
24952 (we use a custom hash table without a rehash) a lot of memory may be wasted.
24953
24954 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
24955 from string hashes to indicies into a densely packed array of values. Compute the index table at
24956 compile time as a part of the derived sources step, such that this may be read-only data.
24957
24958 Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
24959 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
24960 keys, which are Identifiers.
24961
24962 * create_hash_table:
24963 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
24964 * parser/Lexer.cpp:
24965 (JSC::Lexer<LChar>::parseIdentifier):
24966 (JSC::Lexer<UChar>::parseIdentifier):
24967 (JSC::Lexer<T>::parseIdentifierSlowCase):
24968 - HashEntry -> HashTableValue.
24969 * parser/Lexer.h:
24970 (JSC::Keywords::getKeyword):
24971 - HashEntry -> HashTableValue.
24972 * runtime/ClassInfo.h:
24973 - removed HashEntry.
24974 * runtime/JSObject.cpp:
24975 (JSC::getClassPropertyNames):
24976 - use HashTable::ConstIterator.
24977 (JSC::JSObject::put):
24978 (JSC::JSObject::deleteProperty):
24979 (JSC::JSObject::findPropertyHashEntry):
24980 - HashEntry -> HashTableValue.
24981 (JSC::JSObject::reifyStaticFunctionsForDelete):
24982 - changed HashTable::ConstIterator interface.
24983 * runtime/JSObject.h:
24984 - HashEntry -> HashTableValue.
24985 * runtime/Lookup.cpp:
24986 (JSC::HashTable::createTable):
24987 - table -> keys, keys array is now densely packed.
24988 (JSC::HashTable::deleteTable):
24989 - table -> keys.
24990 (JSC::setUpStaticFunctionSlot):
24991 - HashEntry -> HashTableValue.
24992 * runtime/Lookup.h:
24993 (JSC::HashTableValue::builtinGenerator):
24994 (JSC::HashTableValue::function):
24995 (JSC::HashTableValue::functionLength):
24996 (JSC::HashTableValue::propertyGetter):
24997 (JSC::HashTableValue::propertyPutter):
24998 (JSC::HashTableValue::lexerValue):
24999 - added accessor methods from HashEntry.
25000 (JSC::HashTable::copy):
25001 - fields changed.
25002 (JSC::HashTable::initializeIfNeeded):
25003 - table -> keys.
25004 (JSC::HashTable::entry):
25005 - HashEntry -> HashTableValue.
25006 (JSC::HashTable::ConstIterator::ConstIterator):
25007 - iterate packed value array, so no need to skipInvalidKeys().
25008 (JSC::HashTable::ConstIterator::value):
25009 (JSC::HashTable::ConstIterator::key):
25010 (JSC::HashTable::ConstIterator::operator->):
25011 - accessors now get HashTableValue/StringImpl* separately.
25012 (JSC::HashTable::ConstIterator::operator++):
25013 - iterate packed value array, so no need to skipInvalidKeys().
25014 (JSC::HashTable::end):
25015 - end is now size of dense not sparse array.
25016 (JSC::getStaticPropertySlot):
25017 (JSC::getStaticFunctionSlot):
25018 (JSC::getStaticValueSlot):
25019 (JSC::putEntry):
25020 (JSC::lookupPut):
25021 - HashEntry -> HashTableValue.
25022
250232014-03-13 Filip Pizlo <fpizlo@apple.com>
25024
25025 Unreviewed, fix Mac no-FTL build.
25026
25027 * llvm/library/LLVMExports.cpp:
25028 (initializeAndGetJSCLLVMAPI):
25029
250302014-03-13 Juergen Ributzka <juergen@apple.com>
25031
25032 Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
25033 https://bugs.webkit.org/show_bug.cgi?id=130224
25034
25035 Reviewed by Filip Pizlo.
25036
25037 This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
25038 the LLVM dylib. This allows the dylib to be safely used with other LLVM
25039 dylibs on the same system. It also reduces the dynamic linking overhead
25040 and also reduces the size by 6MB, because the linker can now dead strip
25041 many unused functions.
25042
25043 * Configurations/LLVMForJSC.xcconfig:
25044
250452014-03-13 Andreas Kling <akling@apple.com>
25046
25047 VM::discardAllCode() should clear the RegExp cache.
25048 <https://webkit.org/b/130144>
25049
25050 Reviewed by Michael Saboff.
25051
25052 * runtime/VM.cpp:
25053 (JSC::VM::discardAllCode):
25054
250552014-03-13 Andreas Kling <akling@apple.com>
25056
25057 Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
25058 <https://webkit.org/b/129995>
25059
25060 This code path is not taken anymore on DYEB, and I can't explain why
25061 it was showing up in my profiles. Backing it out per JoePeck's suggestion.
25062
25063 * inspector/JSGlobalObjectInspectorController.cpp:
25064 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
25065
250662014-03-13 Filip Pizlo <fpizlo@apple.com>
25067
25068 FTL should support IsBlah
25069 https://bugs.webkit.org/show_bug.cgi?id=130202
25070
25071 Reviewed by Geoffrey Garen.
25072
25073 * ftl/FTLCapabilities.cpp:
25074 (JSC::FTL::canCompile):
25075 * ftl/FTLIntrinsicRepository.h:
25076 * ftl/FTLLowerDFGToLLVM.cpp:
25077 (JSC::FTL::LowerDFGToLLVM::compileNode):
25078 (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
25079 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
25080 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
25081 (JSC::FTL::LowerDFGToLLVM::compileIsString):
25082 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
25083 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
25084 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
25085 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
25086 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
25087 (JSC::FTL::LowerDFGToLLVM::isNumber):
25088 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
25089 (JSC::FTL::LowerDFGToLLVM::isBoolean):
25090 * ftl/FTLOSRExitCompiler.cpp:
25091 * tests/stress/is-undefined-exit-on-masquerader.js: Added.
25092 (bar):
25093 (foo):
25094 (test):
25095 * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
25096 (foo):
25097 (test):
25098 * tests/stress/is-undefined-masquerader.js: Added.
25099 (foo):
25100 (test):
25101
251022014-03-13 Mark Lam <mark.lam@apple.com>
25103
25104 JS benchmarks crash with a bus error on 32-bit x86.
25105 <https://webkit.org/b/130203>
25106
25107 Reviewed by Geoffrey Garen.
25108
25109 The issue is that generateGetByIdStub() can potentially use the same register
25110 for the JSValue base register and the target tag register. After loading the
25111 tag value into the target tag register, the JSValue base address is lost.
25112 The code then proceeds to load the payload value using the base register, and
25113 this results in a crash.
25114
25115 The fix is to check if the base register is the same as the target tag register.
25116 If so, we should make a copy the base register first before loading the tag
25117 value, and use the copy to load the payload value instead.
25118
25119 * jit/Repatch.cpp:
25120 (JSC::generateGetByIdStub):
25121
2014-03-12 Filip Pizlo <fpizlo@apple.com>

WebKit shouldn't crash on uniprocessor machines
https://bugs.webkit.org/show_bug.cgi?id=130176

Reviewed by Michael Saboff.

Previously the math for computing the number of JIT compiler threads would come up with
zero threads on uniprocessor machines, and then the Worklist code would assert.

* runtime/Options.cpp:
(JSC::computeNumberOfWorkerThreads):
* runtime/Options.h:

2014-03-13 Radu Stavila <stavila@adobe.com>

Webkit not building on XCode 5.1 due to garbage collection no longer being supported
https://bugs.webkit.org/show_bug.cgi?id=130087

Reviewed by Mark Rowe.

Disable garbage collection on macosx when not using internal SDK.

* Configurations/Base.xcconfig:

2014-03-10 Darin Adler <darin@apple.com>

Avoid copy-prone idiom "for (auto item : collection)"
https://bugs.webkit.org/show_bug.cgi?id=129990

Reviewed by Geoffrey Garen.

* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
make explicit that we are iterating through pointers.
(Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
(Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
get rid of an unneeded local variable.

2014-03-13 Brian Burg <bburg@apple.com>

Web Inspector: Remove unused callId parameter from evaluateInWebInspector
https://bugs.webkit.org/show_bug.cgi?id=129744

Reviewed by Timothy Hatcher.

* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::enable):
(Inspector::InspectorAgent::evaluateForTestInFrontend):
* inspector/agents/InspectorAgent.h:
* inspector/protocol/InspectorDomain.json:

2014-03-11 Filip Pizlo <fpizlo@apple.com>

ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
https://bugs.webkit.org/show_bug.cgi?id=130069

Reviewed by Geoffrey Garen.

This was a great assertion, and it represents our strictest interpretation of the rules of
our intermediate representation. However, fixing DCE to actually preserve the relevant
property would be hard, and it wouldn't have an observable effect right now because nobody
actually uses the property of CPS that this assertion is checking for.

In particular, we do always require, and rely on, the fact that non-captured variables
have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
broken in this regard. But, in the strictest sense, CPS also means that for captured
variables, variablesAtTail also continues to point to the last relevant use of the
variable. In particular, if there are multiple GetLocals, then it should point to the last
one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
variables, except to check the VariableAccessData; but in that case, we don't really need
the *last* relevant use of the variable - any node that mentions the same variable will do
just fine.

So, this change loosens the assertion and adds a detailed FIXME describing what we would
have to do if we wanted to preserve the more strict property.

This also makes changes to various debug printing paths so that validation doesn't crash
during graph dump. This also adds tests for the interesting cases of DCE failing to
preserve CPS in the strictest sense. This also attempts to win the record for longest test
name.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::hashAsStringIfPossible):
(JSC::CodeBlock::dumpAssumingJITType):
* bytecode/CodeBlock.h:
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::hashAsStringIfPossible):
(JSC::InlineCallFrame::dumpBriefFunctionInformation):
* bytecode/CodeOrigin.h:
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::cleanVariables):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* runtime/FunctionExecutableDump.cpp:
(JSC::FunctionExecutableDump::dump):
* tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
(foo):
* tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
(foo):

2014-03-12 Brian Burg <bburg@apple.com>

Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
https://bugs.webkit.org/show_bug.cgi?id=129445

Reviewed by Timothy Hatcher.

There was a bug in the replay inputs code generator that would include
headers for definitions of enum classes, even though they can be safely
forward-declared.

* replay/scripts/CodeGeneratorReplayInputs.py:
(Generator.generate_includes): Only include for copy constructor if the
type is a heavy scalar (i.e., String, URL), not a normal scalar
(i.e., int, double, enum classes).

(Generator.generate_type_forward_declarations): Forward-declare scalars
that are enums or enum classes.

2014-03-12 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
https://bugs.webkit.org/show_bug.cgi?id=130118

Reviewed by Timothy Hatcher.

* Configurations/FeatureDefines.xcconfig:

2014-03-12 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Hang in Remote Inspection triggering breakpoint from console
https://bugs.webkit.org/show_bug.cgi?id=130032

Reviewed by Timothy Hatcher.

* inspector/EventLoop.h:
* inspector/EventLoop.cpp:
(Inspector::EventLoop::remoteInspectorRunLoopMode):
(Inspector::EventLoop::cycle):
Expose the run loop mode name so it can be used if needed by others.

* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::operator=):
(Inspector::RemoteInspectorBlock::operator()):
(Inspector::RemoteInspectorQueueTask):
Instead of a dispatch_queue, have our own static Vector of debugger tasks.

(Inspector::RemoteInspectorHandleRunSource):
(Inspector::RemoteInspectorInitializeQueue):
Initialize the static queue and run loop source. When the run loop source
fires, it will exhaust the queue of debugger messages.

(Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
When we get a debuggable connection, add a run loop source for inspector commands.

(Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
(Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r165482.
https://bugs.webkit.org/show_bug.cgi?id=130157

Broke the windows build; "error C2466: cannot allocate an
array of constant size 0" (Requested by jernoble on #webkit).

Reverted changeset:

"Reduce memory use for static property maps"
https://bugs.webkit.org/show_bug.cgi?id=129986
http://trac.webkit.org/changeset/165482

2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>

Remove HandleSet::m_nextToFinalize
https://bugs.webkit.org/show_bug.cgi?id=130109

Reviewed by Mark Lam.

This is a remnant of when HandleSet contained things that needed to be finalized.

* heap/HandleSet.cpp:
(JSC::HandleSet::HandleSet):
(JSC::HandleSet::writeBarrier):
* heap/HandleSet.h:
(JSC::HandleSet::allocate):
(JSC::HandleSet::deallocate):

2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>

Layout Test fast/workers/worker-gc.html is failing
https://bugs.webkit.org/show_bug.cgi?id=130135

Reviewed by Geoffrey Garen.

When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
main list of blocks, i.e. not in the retired list. When shutting down the VM this
wasn't always the case, which was causing ASSERTs to fire. We should rearrange things
so that allocators are notified with lastChanceToFinalize. This will give them
the chance to move their retired blocks back into the main list before removing them all.

* heap/MarkedAllocator.cpp:
(JSC::LastChanceToFinalize::operator()):
(JSC::MarkedAllocator::lastChanceToFinalize):
* heap/MarkedAllocator.h:
* heap/MarkedSpace.cpp:
(JSC::LastChanceToFinalize::operator()):
(JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12 Gavin Barraclough <barraclough@apple.com>

Reduce memory use for static property maps
https://bugs.webkit.org/show_bug.cgi?id=129986

Reviewed by Andreas Kling.

Static property tables are currently duplicated on first use from read-only memory into dirty memory
in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
(we use a custom hash table without a rehash) a lot of memory may be wasted.

First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
from string hashes to indices into a densely packed array of values. Compute the index table at
compile time as a part of the derived sources step, such that this may be read-only data.

Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
keys, which are Identifiers.

* create_hash_table:
- emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
* parser/Lexer.cpp:
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
(JSC::Lexer<T>::parseIdentifierSlowCase):
- HashEntry -> HashTableValue.
* parser/Lexer.h:
(JSC::Keywords::getKeyword):
- HashEntry -> HashTableValue.
* runtime/ClassInfo.h:
- removed HashEntry.
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
- use HashTable::ConstIterator.
(JSC::JSObject::put):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::findPropertyHashEntry):
- HashEntry -> HashTableValue.
(JSC::JSObject::reifyStaticFunctionsForDelete):
- changed HashTable::ConstIterator interface.
* runtime/JSObject.h:
- HashEntry -> HashTableValue.
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
- table -> keys, keys array is now densely packed.
(JSC::HashTable::deleteTable):
- table -> keys.
(JSC::setUpStaticFunctionSlot):
- HashEntry -> HashTableValue.
* runtime/Lookup.h:
(JSC::HashTableValue::builtinGenerator):
(JSC::HashTableValue::function):
(JSC::HashTableValue::functionLength):
(JSC::HashTableValue::propertyGetter):
(JSC::HashTableValue::propertyPutter):
(JSC::HashTableValue::lexerValue):
- added accessor methods from HashEntry.
(JSC::HashTable::copy):
- fields changed.
(JSC::HashTable::initializeIfNeeded):
- table -> keys.
(JSC::HashTable::entry):
- HashEntry -> HashTableValue.
(JSC::HashTable::ConstIterator::ConstIterator):
- iterate packed value array, so no need to skipInvalidKeys().
(JSC::HashTable::ConstIterator::value):
(JSC::HashTable::ConstIterator::key):
(JSC::HashTable::ConstIterator::operator->):
- accessors now get HashTableValue/StringImpl* separately.
(JSC::HashTable::ConstIterator::operator++):
- iterate packed value array, so no need to skipInvalidKeys().
(JSC::HashTable::end):
- end is now size of dense not sparse array.
(JSC::getStaticPropertySlot):
(JSC::getStaticFunctionSlot):
(JSC::getStaticValueSlot):
(JSC::putEntry):
(JSC::lookupPut):
- HashEntry -> HashTableValue.

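Added model of the layout the entry above describes (it is not JSC's Lookup.h or create_hash_table output): the values stay in a densely packed, read-only array, and a small sparse index of (value index, chain link) pairs maps string hashes into it, so iteration walks the dense array and nothing large is copied per process. The hash function, the six constructed keys and the 8-bucket/16-slot sizes are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The dense table: one entry per property, in declaration order. This is the
   part that can live in read-only memory (the HashTableValue array analogue). */
typedef struct { const char *key; int value; } StaticValue;

/* One index slot: position in the dense array (-1 = empty bucket) and the next
   slot of the collision chain (-1 = end). 4 bytes instead of a copied entry. */
typedef struct { int16_t valueIndex; int16_t next; } IndexSlot;

enum { COMPACT_SIZE = 8, INDEX_SIZE = 16 };  /* power-of-two buckets + overflow */

/* Constructed sample table (not a real JSC class's property list). */
static const StaticValue kArrayMethods[] = {
    { "length", 0 }, { "push", 1 }, { "pop", 2 },
    { "slice", 3 },  { "splice", 4 }, { "indexOf", 5 },
};
enum { kArrayMethodCount = 6 };

/* Constructed string hash: deterministic and cheap, not WTF's StringHasher. */
static uint32_t hashString(const char *s)
{
    uint32_t h = 5381;
    for (; *s; s++)
        h = h * 33 + (uint8_t)*s;
    return h;
}

/* Build the index from the dense table. In JSC this runs at build time and the
   result is emitted as const data; here it runs once at start-up. Returns the
   number of index slots used, or -1 if the overflow area is exhausted. */
int buildIndex(const StaticValue *values, int count, IndexSlot *index)
{
    for (int i = 0; i < INDEX_SIZE; i++) {
        index[i].valueIndex = -1;
        index[i].next = -1;
    }
    int overflow = COMPACT_SIZE;               /* first free chaining slot */
    for (int i = 0; i < count; i++) {
        int slot = (int)(hashString(values[i].key) & (COMPACT_SIZE - 1));
        if (index[slot].valueIndex < 0) {      /* bucket free: store directly */
            index[slot].valueIndex = (int16_t)i;
            continue;
        }
        while (index[slot].next >= 0)          /* collision: walk to chain end */
            slot = index[slot].next;
        if (overflow >= INDEX_SIZE)
            return -1;
        index[slot].next = (int16_t)overflow;
        index[overflow].valueIndex = (int16_t)i;
        overflow++;
    }
    return overflow;
}

/* Lookup hashes the key, then follows the chain comparing against the dense
   array; the returned pointer is into that array, so nothing is copied. */
const StaticValue *lookupStatic(const StaticValue *values, const IndexSlot *index,
                                const char *key)
{
    int slot = (int)(hashString(key) & (COMPACT_SIZE - 1));
    while (slot >= 0 && index[slot].valueIndex >= 0) {
        const StaticValue *v = &values[index[slot].valueIndex];
        if (strcmp(v->key, key) == 0)
            return v;
        slot = index[slot].next;
    }
    return NULL;
}

int main(void)
{
    IndexSlot index[INDEX_SIZE];
    int used = buildIndex(kArrayMethods, kArrayMethodCount, index);
    printf("index slots used: %d of %d (%zu bytes each)\n", used, INDEX_SIZE, sizeof(IndexSlot));
    const StaticValue *v = lookupStatic(kArrayMethods, index, "slice");
    printf("slice -> %d\n", v ? v->value : -1);
    printf("missing -> %s\n", lookupStatic(kArrayMethods, index, "missing") ? "found" : "NULL");
    return 0;
}
```
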
2014-03-11 Filip Pizlo <fpizlo@apple.com>

It should be possible to build WebKit with FTL on iOS
https://bugs.webkit.org/show_bug.cgi?id=130116

Reviewed by Dan Bernstein.

* Configurations/Base.xcconfig:

2014-03-10 Filip Pizlo <fpizlo@apple.com>

GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
https://bugs.webkit.org/show_bug.cgi?id=129778

Reviewed by Geoffrey Garen.

Also deduplicate the GetById getter call caching. Also add some small tests for
get stubs.

This change reduces the amount of code involved in GetById access caching and it
creates data structures that can serve as an elegant scaffold for introducing other
kinds of caches or improving current caching styles. It will definitely make getter
performance improvements easier to implement.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PolymorphicGetByIdList.cpp: Added.
(JSC::GetByIdAccess::GetByIdAccess):
(JSC::GetByIdAccess::~GetByIdAccess):
(JSC::GetByIdAccess::fromStructureStubInfo):
(JSC::GetByIdAccess::visitWeak):
(JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
(JSC::PolymorphicGetByIdList::from):
(JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
(JSC::PolymorphicGetByIdList::currentSlowPathTarget):
(JSC::PolymorphicGetByIdList::addAccess):
(JSC::PolymorphicGetByIdList::isFull):
(JSC::PolymorphicGetByIdList::isAlmostFull):
(JSC::PolymorphicGetByIdList::didSelfPatching):
(JSC::PolymorphicGetByIdList::visitWeak):
* bytecode/PolymorphicGetByIdList.h: Added.
(JSC::GetByIdAccess::GetByIdAccess):
(JSC::GetByIdAccess::isSet):
(JSC::GetByIdAccess::operator!):
(JSC::GetByIdAccess::type):
(JSC::GetByIdAccess::structure):
(JSC::GetByIdAccess::chain):
(JSC::GetByIdAccess::chainCount):
(JSC::GetByIdAccess::stubRoutine):
(JSC::GetByIdAccess::doesCalls):
(JSC::PolymorphicGetByIdList::isEmpty):
(JSC::PolymorphicGetByIdList::size):
(JSC::PolymorphicGetByIdList::at):
(JSC::PolymorphicGetByIdList::operator[]):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::isGetByIdAccess):
(JSC::StructureStubInfo::initGetByIdList):
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):
(JSC::tryCacheGetByID):
(JSC::patchJumpToGetByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::tryBuildPutByIdList):
* tests/stress/getter.js: Added.
(foo):
(.o):
* tests/stress/polymorphic-prototype-accesses.js: Added.
(Foo):
(Bar):
(foo):
* tests/stress/prototype-getter.js: Added.
(Foo):
(foo):
* tests/stress/simple-prototype-accesses.js: Added.
(Foo):
(foo):

2014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>

MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
https://bugs.webkit.org/show_bug.cgi?id=129920

Reviewed by Geoffrey Garen.

This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
when the amount of free space in a MarkedBlock drops below a certain threshold.
Retired blocks are not considered for sweeping.

This is profitable because it reduces churn during sweeping. To build a free list,
we have to scan through each cell in a block. After a collection, all objects that
are live in the block will remain live until the next FullCollection, at which time
we un-retire all previously retired blocks. Thus, a small number of objects in a block
that die during each EdenCollection could cause us to do a disproportionate amount of
sweeping for how much free memory we get back.

This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

* heap/Heap.h:
(JSC::Heap::didRetireBlockWithFreeListSize):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::reset):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::forEachBlock):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::sweepHelper):
(JSC::MarkedBlock::clearMarksWithCollectionType):
(JSC::MarkedBlock::didRetireBlock):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::willRemoveBlock):
(JSC::MarkedBlock::isLive):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::clearNewlyAllocated):
(JSC::MarkedSpace::clearMarks):
* runtime/Options.h:

2014-03-11 Andreas Kling <akling@apple.com>

Streamline PropertyTable for lookup-only access.
<https://webkit.org/b/130060>

The PropertyTable lookup algorithm was written to support both read
and write access. This wasn't actually needed in most places.

This change adds a PropertyTable::get() that just returns the value
type (instead of an insertion iterator.) It also adds an early return
for empty tables.

Finally, up the minimum table capacity from 8 to 16. It was lowered
to 8 in order to save memory, but that was before PropertyTables were
GC allocated. Nowadays we don't have nearly as many tables, since all
the unpinned transitions die off.

Reviewed by Darin Adler.

* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::get):
* runtime/Structure.cpp:
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
* runtime/StructureInlines.h:
(JSC::Structure::get):

2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>

REGRESSION(r165407): DoYouEvenBench crashes in DRT
https://bugs.webkit.org/show_bug.cgi?id=130066

Reviewed by Geoffrey Garen.

The baseline JIT does a conditional store barrier for the put_by_id, but we need
an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitWriteBarrier):

2014-03-10 Mark Lam <mark.lam@apple.com>

Resurrect bit-rotted JIT::probe() mechanism.
<https://webkit.org/b/130067>

Reviewed by Geoffrey Garen.

* jit/JITStubs.cpp:
- Added the needed #include <wtf/InlineASM.h>.

2014-03-10 Joseph Pecoraro <pecoraro@apple.com>

Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

Rubber-stamped by Dan Bernstein.

* Configurations/JavaScriptCore.xcconfig:

2014-03-10 Mark Lam <mark.lam@apple.com>

r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
<https://webkit.org/b/130065>

Reviewed by Michael Saboff.

There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
FPRInfo::toIndex().

The fix is to remove the "result != InvalidIndex" assertions.

* jit/FPRInfo.h:
(JSC::FPRInfo::toIndex):
* jit/GPRInfo.h:
(JSC::GPRInfo::toIndex):

2014-03-10 Mark Lam <mark.lam@apple.com>

Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
<https://webkit.org/b/129955>

Reviewed by Geoffrey Garen.

The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
stack memory every time it was called. This is now fixed.

* jit/JITOperations.cpp:

2014-03-10 Joseph Pecoraro <pecoraro@apple.com>

Better JSContext API for named evaluations (other than //# sourceURL)
https://bugs.webkit.org/show_bug.cgi?id=129911

Reviewed by Geoffrey Garen.

* API/JSBase.h:
* API/JSContext.h:
* API/JSContext.mm:
(-[JSContext evaluateScript:]):
(-[JSContext evaluateScript:withSourceURL:]):
Add new evaluateScript:withSourceURL:.

* API/tests/testapi.c:
(main):
* API/tests/testapi.mm:
(testObjectiveCAPI):
Add tests for sourceURL in evaluate APIs. It should
affect the exception objects.

2014-03-10 Filip Pizlo <fpizlo@apple.com>

Repatch should save and restore all used registers - not just temp ones - when making a call
https://bugs.webkit.org/show_bug.cgi?id=130041

Reviewed by Geoffrey Garen and Mark Hahnenberg.

The save/restore code was written back when the only client was the DFG, which only uses a
subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
lead to data corruption on ARM64.

* jit/RegisterSet.cpp:
(JSC::RegisterSet::calleeSaveRegisters):
(JSC::RegisterSet::numberOfSetGPRs):
(JSC::RegisterSet::numberOfSetFPRs):
* jit/RegisterSet.h:
* jit/Repatch.cpp:
(JSC::storeToWriteBarrierBuffer):
(JSC::emitPutTransitionStub):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
(JSC::ScratchRegisterAllocator::usedRegistersForCall):
(JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* jit/ScratchRegisterAllocator.h:

2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>

Remove ConditionalStore barrier
https://bugs.webkit.org/show_bug.cgi?id=130040

Reviewed by Geoffrey Garen.

ConditionalStoreBarrier was created when barriers were much more expensive. Now that
they're cheap(er), we can get rid of them. This also allows us to get rid of the write
barrier logic in emitPutTransitionStub because we always will have executed a write barrier
on the base object in the case where we are allocating and storing a new Butterfly into it.
Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
so we'd have to emit a write barrier in the transition case.

This is performance neutral on the benchmarks we track.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
* dfg/DFGNode.h:
(JSC::DFG::Node::isStoreBarrier):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* jit/Repatch.cpp:
(JSC::emitPutTransitionStub):

2014-03-10 Filip Pizlo <fpizlo@apple.com>

DFG and FTL should know that comparing anything to Misc is cheap and easy
https://bugs.webkit.org/show_bug.cgi?id=130001

Reviewed by Geoffrey Garen.

- Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
comparison is just Untyped:.

- This obviates the need for CompareStrictEqConstant, so remove it.

- FTL had a thing called "Nully" which is really "Other". Rename it and add
OtherUse.

9% speed-up on box2d.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::isBinaryUseKind):
(JSC::DFG::Node::shouldSpeculateOther):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isNotOther):
(JSC::FTL::LowerDFGToLLVM::isOther):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::speculateNotCell):
(JSC::FTL::LowerDFGToLLVM::speculateOther):
(JSC::FTL::LowerDFGToLLVM::speculateMisc):
* tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10 Filip Pizlo <fpizlo@apple.com>

Unreviewed, remove unintended change.

* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):

2014-03-10 Filip Pizlo <fpizlo@apple.com>

jsc commandline shouldn't have a "console" because that confuses some tests into thinking
that they're running in the browser.

Rubber stamped by Mark Hahnenberg.

* jsc.cpp:
(GlobalObject::finishCreation):

2014-03-10 Filip Pizlo <fpizlo@apple.com>

Out-line ScratchRegisterAllocator

Rubber stamped by Mark Hahnenberg.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* jit/ScratchRegisterAllocator.cpp: Added.
(JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::lock):
(JSC::ScratchRegisterAllocator::allocateScratch):
(JSC::ScratchRegisterAllocator::allocateScratchGPR):
(JSC::ScratchRegisterAllocator::allocateScratchFPR):
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
(JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
* jit/ScratchRegisterAllocator.h:

2014-03-10 Brent Fulgham <bfulgham@apple.com>

[Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
https://bugs.webkit.org/show_bug.cgi?id=130023

Reviewed by Dean Jackson.

* JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
path names to avoid accidental escaping of later string substitutions.

258552014-03-10 Andreas Kling <akling@apple.com>
25856
25857 [X86_64] Smaller code for testb_i8r when register is accumulator.
25858 <https://webkit.org/b/130026>
25859
25860 Generate the shorthand version of "test al, imm" when possible.
25861
25862 Reviewed by Michael Saboff.
25863
25864 * assembler/X86Assembler.h:
25865 (JSC::X86Assembler::testb_i8r):
25866
258672014-03-10 Andreas Kling <akling@apple.com>
25868
25869 [X86_64] Smaller code for sub_ir when register is accumulator.
25870 <https://webkit.org/b/130025>
25871
25872 Generate the shorthand version of "sub eax, imm" when possible.
25873
25874 Reviewed by Michael Saboff.
25875
* assembler/X86Assembler.h:
(JSC::X86Assembler::subl_ir):
(JSC::X86Assembler::subq_ir):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for add_ir when register is accumulator.
<https://webkit.org/b/130024>

Generate the shorthand version of "add eax, imm" when possible.

Reviewed by Michael Saboff.

* assembler/X86Assembler.h:
(JSC::X86Assembler::addl_ir):
(JSC::X86Assembler::addq_ir):

2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>

writeBarrier in emitPutReplaceStub is unnecessary
https://bugs.webkit.org/show_bug.cgi?id=130030

Reviewed by Filip Pizlo.

We already emit write barriers for each put-by-id when they're first compiled, so it's
redundant to emit a write barrier as part of the repatched code.

* jit/Repatch.cpp:
(JSC::emitPutReplaceStub):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for xor_ir when register is accumulator.
<https://webkit.org/b/130008>

Generate the shorthand version of "xor eax, imm" when possible.

Reviewed by Benjamin Poulain.

* assembler/X86Assembler.h:
(JSC::X86Assembler::xorl_ir):
(JSC::X86Assembler::xorq_ir):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for or_ir when register is accumulator.
<https://webkit.org/b/130007>

Generate the shorthand version of "or eax, imm" when possible.

Reviewed by Benjamin Poulain.

* assembler/X86Assembler.h:
(JSC::X86Assembler::orl_ir):
(JSC::X86Assembler::orq_ir):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for test_ir when register is accumulator.
<https://webkit.org/b/130006>

Generate the shorthand version of "test eax, imm" when possible.

Reviewed by Benjamin Poulain.

* assembler/X86Assembler.h:
(JSC::X86Assembler::testl_i32r):
(JSC::X86Assembler::testq_i32r):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for cmp_ir when register is accumulator.
<https://webkit.org/b/130005>

Generate the shorthand version of "cmp eax, imm" when possible.

Reviewed by Benjamin Poulain.

* assembler/X86Assembler.h:
(JSC::X86Assembler::cmpl_ir):
(JSC::X86Assembler::cmpq_ir):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
<https://webkit.org/b/130002>

Generate this:

mov [address], imm32

Instead of this:

mov scratchRegister, imm32
mov [address], scratchRegister

For store64(imm, address) where the 64-bit immediate can be passed as
a sign-extended 32-bit value.

Reviewed by Benjamin Poulain.

* assembler/MacroAssemblerX86_64.h:
(CAN_SIGN_EXTEND_32_64):
(JSC::MacroAssemblerX86_64::store64):

2014-03-10 Andreas Kling <akling@apple.com>

[X86_64] Smaller code for xchg_rr when one register is accumulator.
<https://webkit.org/b/130004>

Generate the 1-byte version of "xchg eax, reg" when possible.

Reviewed by Benjamin Poulain.

* assembler/X86Assembler.h:
(JSC::X86Assembler::xchgl_rr):
(JSC::X86Assembler::xchgq_rr):
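
The encoding choices described in the add_ir, or_ir, xor_ir, cmp_ir, store64 and xchg_rr entries above, as an added C example that is not JavaScriptCore's X86Assembler code: the sign-extended imm8 form first, the one-byte accumulator opcode when the register is eax, a one-byte xchg when either operand is eax, and a direct imm32 store when the 64-bit immediate sign-extends from 32 bits. The register numbering, function names and test helpers are this example's own; r11 as the scratch register follows JSC's MacroAssemblerX86_64.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Example encoder (not JSC's X86Assembler) for the shorter forms the entries
   above describe. Register numbers are the 3-bit ModRM/opcode register fields
   of the legacy registers; the 64-bit "q" variants would add a REX.W prefix. */
enum { REG_EAX = 0, REG_ECX = 1, REG_EDX = 2, REG_EBX = 3,
       REG_ESP = 4, REG_EBP = 5, REG_ESI = 6, REG_EDI = 7 };

/* Group-1 ALU ops: the /digit of "81 /digit id" and the one-byte
   "op eax, imm32" opcode (Intel SDM vol. 2). */
typedef struct { uint8_t ext; uint8_t eax_opcode; } AluOp;
static const AluOp ALU_ADD = { 0, 0x05 };
static const AluOp ALU_OR  = { 1, 0x0D };
static const AluOp ALU_SUB = { 5, 0x2D };
static const AluOp ALU_XOR = { 6, 0x35 };
static const AluOp ALU_CMP = { 7, 0x3D };

/* The same tests as JSC's CAN_SIGN_EXTEND_8_32 / CAN_SIGN_EXTEND_32_64. */
static int can_sign_extend_8_32(int32_t v)  { return v == (int32_t)(int8_t)v; }
static int can_sign_extend_32_64(int64_t v) { return v == (int64_t)(int32_t)v; }

static size_t put_le(uint8_t *out, uint64_t v, size_t nbytes) {
    for (size_t i = 0; i < nbytes; i++) out[i] = (uint8_t)(v >> (8 * i));
    return nbytes;
}

/* "op r32, imm": 83 /ext ib when the immediate fits in a sign-extended byte,
   else the accumulator shorthand for eax, else the general 81 /ext id form. */
size_t emit_alu_ri(uint8_t *out, const AluOp *op, int reg, int32_t imm) {
    if (can_sign_extend_8_32(imm)) {
        out[0] = 0x83;
        out[1] = (uint8_t)(0xC0 | (op->ext << 3) | reg);
        out[2] = (uint8_t)imm;
        return 3;
    }
    if (reg == REG_EAX) {
        out[0] = op->eax_opcode;
        return 1 + put_le(out + 1, (uint32_t)imm, 4);
    }
    out[0] = 0x81;
    out[1] = (uint8_t)(0xC0 | (op->ext << 3) | reg);
    return 2 + put_le(out + 2, (uint32_t)imm, 4);
}

/* "xchg r32, r32": one byte (90+rd) when either operand is eax, else 87 /r. */
size_t emit_xchg_rr(uint8_t *out, int a, int b) {
    if (a == REG_EAX || b == REG_EAX) {
        out[0] = (uint8_t)(0x90 | (a == REG_EAX ? b : a));
        return 1;
    }
    out[0] = 0x87;
    out[1] = (uint8_t)(0xC0 | (a << 3) | b);
    return 2;
}

/* store64(imm, [base + disp8]); base must not be rsp (that needs a SIB byte,
   so 0 is returned). Emits "REX.W C7 /0 [mem] id" when imm sign-extends from
   32 bits, otherwise the two-instruction sequence the entry replaces:
   "movabs r11, imm64" then "mov [mem], r11" (r11 is JSC's scratch register). */
size_t emit_store64_imm(uint8_t *out, int base, int8_t disp, int64_t imm) {
    if (base == REG_ESP) return 0;
    if (can_sign_extend_32_64(imm)) {
        out[0] = 0x48;                                /* REX.W */
        out[1] = 0xC7;
        out[2] = (uint8_t)(0x40 | base);              /* mod=01 /0 rm=base */
        out[3] = (uint8_t)disp;
        return 4 + put_le(out + 4, (uint32_t)(int32_t)imm, 4);
    }
    out[0] = 0x49;                                    /* REX.W + REX.B */
    out[1] = 0xBB;                                    /* B8+rd, rd = r11 & 7 */
    size_t n = 2 + put_le(out + 2, (uint64_t)imm, 8);
    out[n++] = 0x4C;                                  /* REX.W + REX.R */
    out[n++] = 0x89;
    out[n++] = (uint8_t)(0x40 | (3 << 3) | base);     /* mod=01 reg=r11 rm=base */
    out[n++] = (uint8_t)disp;
    return n;
}

/* Test helpers: 1 if the emitted bytes equal the expected encoding. */
static int same(const uint8_t *got, size_t n, const uint8_t *want, size_t m) {
    return n == m && n > 0 && memcmp(got, want, n) == 0;
}
int alu_encodes_to(const AluOp *op, int reg, int32_t imm, const uint8_t *want, size_t m) {
    uint8_t buf[16]; return same(buf, emit_alu_ri(buf, op, reg, imm), want, m);
}
int xchg_encodes_to(int a, int b, const uint8_t *want, size_t m) {
    uint8_t buf[16]; return same(buf, emit_xchg_rr(buf, a, b), want, m);
}
int store64_encodes_to(int base, int8_t disp, int64_t imm, const uint8_t *want, size_t m) {
    uint8_t buf[16]; return same(buf, emit_store64_imm(buf, base, disp, imm), want, m);
}
```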

2014-03-09 Filip Pizlo <fpizlo@apple.com>

GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
https://bugs.webkit.org/show_bug.cgi?id=129998

Reviewed by Geoffrey Garen.

Not only is that the established contract, but this is used to signal to
ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
fine but previously it would have led to either an assertion failure, or data corruption, in
the ScratchRegisterAllocator.

* jit/GPRInfo.h:
(JSC::GPRInfo::toIndex):

2014-03-09 Filip Pizlo <fpizlo@apple.com>

FTL fails the new equals-masquerader strictEqualConstant test
https://bugs.webkit.org/show_bug.cgi?id=129996

Reviewed by Mark Lam.

It turns out that the FTL was trying to do the masquerading stuff for ===null. But
that's wrong since none of the other engines do it. The DFG even had an ancient
FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
don't do it and JSValue::strictEqual() doesn't do it.

Remove the FIXME and remove the extra checks in the FTL.

This is a glorious patch: nothing but red and it fixes a test failure.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09 Andreas Kling <akling@apple.com>

Short-circuit JSGlobalObjectInspectorController when not inspecting.
<https://webkit.org/b/129995>

Add an early return in reportAPIException() when the console agent
is disabled. This avoids expensive symbolication during exceptions
if there's nobody expecting the fancy backtrace anyway.

~2% progression on DYEB on my MBP.

Reviewed by Geoff Garen.

* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09 Andreas Kling <akling@apple.com>

Inline the trivial parts of GC deferral.
<https://webkit.org/b/129984>

Made most of the functions called by the DeferGC RAII object inline
to avoid function call overhead.

Looks like ~1% progression on DYEB.

Reviewed by Geoffrey Garen.

* heap/Heap.cpp:
* heap/Heap.h:
(JSC::Heap::incrementDeferralDepth):
(JSC::Heap::decrementDeferralDepth):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08 Mark Lam <mark.lam@apple.com>

32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
<https://webkit.org/b/129969>

Reviewed by Geoffrey Garen.

The 32-bit version of handleUncaughtException was missing the handling of an
edge case for stack overflows where the current frame may already be the
sentinel frame. This edge case was handled in the 64-bit version. The fix
is to bring the 32-bit version up to parity.

* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* llint/LowLevelInterpreter32_64.asm:

2014-03-07 Mark Lam <mark.lam@apple.com>

Fix bugs in 32-bit Structure implementation.
<https://webkit.org/b/129947>

Reviewed by Mark Hahnenberg.

Added the loading of the Structure (from the JSCell) before use that was
missing in a few places. Also added more test cases to equals-masquerader.js.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* llint/LowLevelInterpreter32_64.asm:
* tests/stress/equals-masquerader.js:
(equalsNull):
(notEqualsNull):
(strictEqualsNull):
(strictNotEqualsNull):
(equalsUndefined):
(notEqualsUndefined):
(strictEqualsUndefined):
(strictNotEqualsUndefined):
(isFalsey):
(test):

2014-03-07 Andrew Trick <atrick@apple.com>

Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
https://bugs.webkit.org/show_bug.cgi?id=129954

Reviewed by Filip Pizlo.

* tests/stress/float32-repeat-out-of-bounds.js:
* tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07 Michael Saboff <msaboff@apple.com>

.cfi directives in LowLevelInterpreter.cpp are providing no benefit
https://bugs.webkit.org/show_bug.cgi?id=129945

Reviewed by Mark Lam.

Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
or in lldb.

* llint/LowLevelInterpreter.cpp:

2014-03-07 Oliver Hunt <oliver@apple.com>

Continue hangs when performing for-of over arguments
https://bugs.webkit.org/show_bug.cgi?id=129915

Reviewed by Geoffrey Garen.

Put the continue label in the right place.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitEnumeration):

2014-03-07 peavo@outlook.com <peavo@outlook.com>

[Win64] Compile error after r165128.
https://bugs.webkit.org/show_bug.cgi?id=129807

Reviewed by Mark Lam.

* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
Check platform environment variable to determine if an assembler file should be generated.

2014-03-07 Michael Saboff <msaboff@apple.com>

Clarify how we deal with "special" registers
https://bugs.webkit.org/show_bug.cgi?id=129806

Already reviewed change being relanded.

Reviewed by Michael Saboff.

Relanding change set r165196 as it wasn't responsible for the breakage reported in
https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
configuration issue.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::lastRegister):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::nextRegister):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
* ftl/FTLSlowPathCall.cpp:
* jit/RegisterSet.cpp:
(JSC::RegisterSet::reservedHardwareRegisters):
(JSC::RegisterSet::runtimeRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
* jit/RegisterSet.h:

2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>

Move GCActivityCallback to heap
https://bugs.webkit.org/show_bug.cgi?id=129457

Reviewed by Geoffrey Garen.

All the other GC timer related stuff is there already.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
* heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
* runtime/GCActivityCallback.cpp: Removed.
* runtime/GCActivityCallback.h: Removed.

2014-03-07 Andrew Trick <atrick@apple.com>

Correct a comment typo from:
FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
https://bugs.webkit.org/show_bug.cgi?id=129865

Reviewed by Mark Lam.

* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleRem):

2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>

Use OwnPtr in StructureIDTable
https://bugs.webkit.org/show_bug.cgi?id=129828

Reviewed by Geoffrey Garen.

This reduces the amount of boilerplate and fixes a memory leak.

* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::resize):
(JSC::StructureIDTable::flushOldTables):
(JSC::StructureIDTable::allocateID):
(JSC::StructureIDTable::deallocateID):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::table):
(JSC::StructureIDTable::get):

2014-03-07 Andrew Trick <atrick@apple.com>

FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
https://bugs.webkit.org/show_bug.cgi?id=129865

Reviewed by Filip Pizlo.

* ftl/FTLIntrinsicRepository.h:
* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleRem):

2014-03-06 Filip Pizlo <fpizlo@apple.com>

If the FTL is build-time enabled then it should be run-time enabled.

Rubber stamped by Geoffrey Garen.

* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:

2014-03-06 Joseph Pecoraro <pecoraro@apple.com>

[OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
https://bugs.webkit.org/show_bug.cgi?id=129852

Reviewed by Geoffrey Garen.

* framework.sb: Added.
Sandbox extension to allow access to "com.apple.webinspector".

* JavaScriptCore.xcodeproj/project.pbxproj:
Add a Copy Resources build phase and include framework.sb.

* Configurations/JavaScriptCore.xcconfig:
Do not copy framework.sb on iOS.

2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>

JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
https://bugs.webkit.org/show_bug.cgi?id=129858

Reviewed by Mark Lam.

It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
but now it ends up overwriting the IdentifierTable that JSLock just restored.

* API/JSContextRef.cpp:
(JSGlobalContextRelease):

2014-03-06 Oliver Hunt <oliver@apple.com>

Fix FTL build.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06 Brent Fulgham <bfulgham@apple.com>

Unreviewed build fix after r165128.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
performing 'Production' and 'DebugSuffix' type builds.

2014-03-06 Julien Brianceau <jbriance@cisco.com>

Unreviewed, fix style in my previous commit.
https://bugs.webkit.org/show_bug.cgi?id=129833

* runtime/JSConsole.cpp:

2014-03-06 Julien Brianceau <jbriance@cisco.com>

Build fix: add missing include in JSConsole.cpp.
https://bugs.webkit.org/show_bug.cgi?id=129833

Reviewed by Oliver Hunt.

* runtime/JSConsole.cpp:

2014-03-06 Oliver Hunt <oliver@apple.com>

Fix ARMv7

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r165196.
http://trac.webkit.org/changeset/165196
https://bugs.webkit.org/show_bug.cgi?id=129822

broke arm64 on hardware (Requested by bfulgham on #webkit).

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::lastRegister):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isStackRelated):
(JSC::MacroAssembler::firstRealRegister):
(JSC::MacroAssembler::nextRegister):
(JSC::MacroAssembler::secondRealRegister):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
* ftl/FTLSlowPathCall.cpp:
* jit/RegisterSet.cpp:
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
* jit/RegisterSet.h:

2014-03-06 Mark Lam <mark.lam@apple.com>

REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
<https://webkit.org/b/129813>

Reviewed by Michael Saboff.

Fixed broken C loop LLINT build.

* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* offlineasm/cloop.rb:

2014-03-03 Oliver Hunt <oliver@apple.com>

Support caching of custom setters
https://bugs.webkit.org/show_bug.cgi?id=129519

Reviewed by Filip Pizlo.

This patch adds caching of assignment to properties that
are backed by C functions. This provides most of the leg
work required to start supporting setters, and resolves
the remaining regressions from moving DOM properties up
the prototype chain.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
(JSC::PolymorphicPutByIdList::from):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::transition):
(JSC::PutByIdAccess::replace):
(JSC::PutByIdAccess::customSetter):
(JSC::PutByIdAccess::isCustom):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::dump):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::takesSlowPath):
(JSC::PutByIdStatus::makesCalls):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasIdentifier):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::emitCustomSetterStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* jit/SpillRegistersMode.h: Added.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setCacheableCustomProperty):
(JSC::PutPropertySlot::customSetter):
(JSC::PutPropertySlot::isCacheablePut):
(JSC::PutPropertySlot::isCacheableCustomProperty):
(JSC::PutPropertySlot::cachedOffset):

2014-03-06 Filip Pizlo <fpizlo@apple.com>

FTL arity fixup should work on ARM64
https://bugs.webkit.org/show_bug.cgi?id=129810

Reviewed by Michael Saboff.

- Using regT5 to pass the thunk return address to arityFixup is shady since that's a
callee-save.

- The FTL path was assuming X86 conventions for where SP points at the top of the prologue.

This makes some more tests pass.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::prologueStackPointerDelta):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/ThunkGenerators.cpp:
(JSC::arityFixup):
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.

2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>

Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
https://bugs.webkit.org/show_bug.cgi?id=129760

Reviewed by Geoffrey Garen.

r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::checkMarkByte):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
* jit/Repatch.cpp:
(JSC::writeBarrier):

2014-03-06 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
https://bugs.webkit.org/show_bug.cgi?id=127944

Reviewed by Geoffrey Garen.

Always expose the Console object in JSContexts, just like we
do for web pages. The default behavior will route to an
attached JSContext inspector. This can be overridden by
setting the ConsoleClient on the JSGlobalObject, which WebCore
does to get slightly different behavior.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
Update build systems.

* API/tests/testapi.js:
* API/tests/testapi.mm:
Test that "console" exists in C and ObjC contexts.

* runtime/ConsoleClient.cpp: Added.
(JSC::ConsoleClient::printURLAndPosition):
(JSC::ConsoleClient::printMessagePrefix):
(JSC::ConsoleClient::printConsoleMessage):
(JSC::ConsoleClient::printConsoleMessageWithArguments):
(JSC::ConsoleClient::internalMessageWithTypeAndLevel):
(JSC::ConsoleClient::logWithLevel):
(JSC::ConsoleClient::clear):
(JSC::ConsoleClient::dir):
(JSC::ConsoleClient::dirXML):
(JSC::ConsoleClient::table):
(JSC::ConsoleClient::trace):
(JSC::ConsoleClient::assertCondition):
(JSC::ConsoleClient::group):
(JSC::ConsoleClient::groupCollapsed):
(JSC::ConsoleClient::groupEnd):
* runtime/ConsoleClient.h: Added.
(JSC::ConsoleClient::~ConsoleClient):
New private interface for handling the console object's methods.
A lot of the methods funnel through messageWithTypeAndLevel.

* runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
Moved to JSC namespace.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
Create the "console" object when initializing the environment.
Also set the default console client to be the JS context inspector.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::setConsoleClient):
(JSC::JSGlobalObject::consoleClient):
Ability to change the console client, so WebCore can set a custom client.

* runtime/ConsolePrototype.cpp: Added.
(JSC::ConsolePrototype::finishCreation):
(JSC::valueToStringWithUndefinedOrNullCheck):
(JSC::consoleLogWithLevel):
(JSC::consoleProtoFuncDebug):
(JSC::consoleProtoFuncError):
(JSC::consoleProtoFuncLog):
(JSC::consoleProtoFuncWarn):
(JSC::consoleProtoFuncClear):
(JSC::consoleProtoFuncDir):
(JSC::consoleProtoFuncDirXML):
(JSC::consoleProtoFuncTable):
(JSC::consoleProtoFuncTrace):
(JSC::consoleProtoFuncAssert):
(JSC::consoleProtoFuncCount):
(JSC::consoleProtoFuncProfile):
(JSC::consoleProtoFuncProfileEnd):
(JSC::consoleProtoFuncTime):
(JSC::consoleProtoFuncTimeEnd):
(JSC::consoleProtoFuncTimeStamp):
(JSC::consoleProtoFuncGroup):
(JSC::consoleProtoFuncGroupCollapsed):
(JSC::consoleProtoFuncGroupEnd):
* runtime/ConsolePrototype.h: Added.
(JSC::ConsolePrototype::create):
(JSC::ConsolePrototype::createStructure):
(JSC::ConsolePrototype::ConsolePrototype):
Define the console object interface. Parse out required / expected
arguments and throw exceptions when methods are misused.

* runtime/JSConsole.cpp: Added.
* runtime/JSConsole.h: Added.
(JSC::JSConsole::createStructure):
(JSC::JSConsole::create):
(JSC::JSConsole::JSConsole):
Empty "console" object. Everything is in the prototype.

* inspector/JSConsoleClient.cpp: Added.
(Inspector::JSConsoleClient::JSGlobalObjectConsole):
(Inspector::JSConsoleClient::count):
(Inspector::JSConsoleClient::profile):
(Inspector::JSConsoleClient::profileEnd):
(Inspector::JSConsoleClient::time):
(Inspector::JSConsoleClient::timeEnd):
(Inspector::JSConsoleClient::timeStamp):
(Inspector::JSConsoleClient::warnUnimplemented):
(Inspector::JSConsoleClient::internalAddMessage):
* inspector/JSConsoleClient.h: Added.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::consoleClient):
* inspector/JSGlobalObjectInspectorController.h:
Default JSContext ConsoleClient implementation. Handle nearly
everything except profile/profileEnd and timeStamp.
26625
266262014-03-06 Andreas Kling <akling@apple.com>
26627
26628 Drop unlinked function code on memory pressure.
26629 <https://webkit.org/b/129789>
26630
26631 Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
26632 are not currently being compiled.
26633
26634 4.5 MB progression on Membuster.
26635
26636 Reviewed by Geoffrey Garen.
26637
26638 * heap/Heap.cpp:
26639 (JSC::Heap::deleteAllUnlinkedFunctionCode):
26640 * heap/Heap.h:
26641 * runtime/VM.cpp:
26642 (JSC::VM::discardAllCode):
26643
266442014-03-06 Filip Pizlo <fpizlo@apple.com>
26645
26646 Clarify how we deal with "special" registers
26647 https://bugs.webkit.org/show_bug.cgi?id=129806
26648
26649 Reviewed by Michael Saboff.
26650
26651 Previously we had two different places that defined what "stack" registers are, a thing
26652 called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
26653 "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
26654 one place and had a baked-in notion of what it meant for a register to be "real" or not.
26655
26656 It's not cool to use words like "real" and "special" to describe registers, especially if you
26657 fail to qualify what that means. This originally made sense on X86 - "real" registers were
26658 the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
26659 you also have to worry about the LR register, which we'd want to say is "not real" but it's
26660 also not a "stack" register. This got super confusing.
26661
26662 So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
26663 a "stack" register, and uses the word special only in places where it's clearly defined and
26664 where no better word comes to mind.
26665
26666 This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
26667 Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
26668 magically didn't break anything because you never need to save/restore either FP or Q0, but
26669 it was still super weird.
26670
26671 * assembler/ARM64Assembler.h:
26672 (JSC::ARM64Assembler::lastRegister):
26673 * assembler/MacroAssembler.h:
26674 (JSC::MacroAssembler::nextRegister):
26675 * ftl/FTLLocation.cpp:
26676 (JSC::FTL::Location::restoreInto):
26677 * ftl/FTLSaveRestore.cpp:
26678 (JSC::FTL::saveAllRegisters):
26679 (JSC::FTL::restoreAllRegisters):
26680 * ftl/FTLSlowPathCall.cpp:
26681 * jit/RegisterSet.cpp:
26682 (JSC::RegisterSet::reservedHardwareRegisters):
26683 (JSC::RegisterSet::runtimeRegisters):
26684 (JSC::RegisterSet::specialRegisters):
26685 (JSC::RegisterSet::calleeSaveRegisters):
26686 * jit/RegisterSet.h:
26687
266882014-03-06 Filip Pizlo <fpizlo@apple.com>
26689
26690 Unreviewed, fix build.
26691
26692 * disassembler/ARM64Disassembler.cpp:
26693
266942014-03-06 Filip Pizlo <fpizlo@apple.com>
26695
26696 Use the LLVM disassembler on ARM64 if we are enabling the FTL
26697 https://bugs.webkit.org/show_bug.cgi?id=129785
26698
26699 Reviewed by Geoffrey Garen.
26700
26701 Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
26702 is strictly more capable at this point. Use it if it's available.
26703
26704 * disassembler/ARM64Disassembler.cpp:
26705 (JSC::tryToDisassemble):
26706
267072014-03-05 Joseph Pecoraro <pecoraro@apple.com>
26708
26709 Web Inspector: Reduce RWI message frequency
26710 https://bugs.webkit.org/show_bug.cgi?id=129767
26711
26712 Reviewed by Timothy Hatcher.
26713
26714 This used to be 0.2s and changed by accident to 0.02s.
26715
26716 * inspector/remote/RemoteInspector.mm:
26717 (Inspector::RemoteInspector::pushListingSoon):
26718
267192014-03-05 Commit Queue <commit-queue@webkit.org>
26720
26721 Unreviewed, rolling out r165141, r165157, and r165158.
26722 http://trac.webkit.org/changeset/165141
26723 http://trac.webkit.org/changeset/165157
26724 http://trac.webkit.org/changeset/165158
26725 https://bugs.webkit.org/show_bug.cgi?id=129772
26726
26727 "broke ftl" (Requested by olliej_ on #webkit).
26728
26729 * JavaScriptCore.xcodeproj/project.pbxproj:
26730 * bytecode/PolymorphicPutByIdList.cpp:
26731 (JSC::PutByIdAccess::visitWeak):
26732 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
26733 (JSC::PolymorphicPutByIdList::from):
26734 * bytecode/PolymorphicPutByIdList.h:
26735 (JSC::PutByIdAccess::transition):
26736 (JSC::PutByIdAccess::replace):
26737 (JSC::PutByIdAccess::oldStructure):
26738 (JSC::PutByIdAccess::chain):
26739 (JSC::PutByIdAccess::stubRoutine):
26740 * bytecode/PutByIdStatus.cpp:
26741 (JSC::PutByIdStatus::computeForStubInfo):
26742 (JSC::PutByIdStatus::computeFor):
26743 (JSC::PutByIdStatus::dump):
26744 * bytecode/PutByIdStatus.h:
26745 (JSC::PutByIdStatus::PutByIdStatus):
26746 (JSC::PutByIdStatus::takesSlowPath):
26747 * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheable):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent possible deadlock in view indication
        https://bugs.webkit.org/show_bug.cgi?id=129766

        Reviewed by Geoffrey Garen.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=129754

        Reviewed by Geoffrey Garen.

        InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.

        * runtime/JSCell.h:
        (JSC::JSCell::inlineTypeFlags):
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
        https://bugs.webkit.org/show_bug.cgi?id=129763

        Reviewed by Geoffrey Garen.

        Clear the list of all breakpoints, including unresolved breakpoints.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):

2014-03-05  Mark Lam  <mark.lam@apple.com>

        llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
        <https://webkit.org/b/129768>

        Reviewed by Mark Hahnenberg.

        When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
        and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
        path llint_slow_path_check_has_instance(), and execute a code path that does the
        following:
        1. Adjusts the byte code PC to the jump target PC.
        2. For the purpose of storing the result, get the result registerIndex from the
           1st operand using the PC as if the PC is still pointing to op_check_has_instance
           bytecode.

        The result is that whatever value resides after where the jump target PC is will
        be used as a result register value. Depending on what that value is, the result
        can be:
        1. the code coincidentally works correctly
        2. memory corruption
        3. crashes

        The fix is to only adjust the byte code PC after we have stored the result.

        * llint/LLIntSlowPaths.cpp:
        (llint_slow_path_check_has_instance):

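The ordering bug the entry above describes, as an added example that is not JavaScriptCore code: a miniature interpreter with a constructed bytecode stream, a slow path that moves the PC before reading its result operand, and the fixed version that reads operands first. The operand layout, the opcode values and the names `Frame`, `slowPathBuggy`, `slowPathFixed` and `run` are assumptions made for this example.

```cpp
// Added example, not JavaScriptCore code: a miniature interpreter that models the
// op_check_has_instance slow-path ordering bug described in the ChangeLog entry.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed instruction layout (an assumption, not JSC's real encoding):
//   op_check_has_instance  dst, value, hasInstanceValue, jumpOffset   (5 slots)
//   op_instanceof          dst, value, prototype                      (4 slots)
//   op_ret                                                            (1 slot)
enum Opcode : int32_t { op_check_has_instance = 1, op_instanceof = 2, op_ret = 3 };

// The register file a slow path writes its result into.
struct Frame {
    std::vector<int32_t> registers;
};

// In the real engine an out-of-range index silently writes over whatever memory
// lies there (outcomes 2 and 3 in the entry); this model refuses it instead.
static void storeResult(Frame& frame, int32_t registerIndex, int32_t value)
{
    if (registerIndex < 0 || static_cast<size_t>(registerIndex) >= frame.registers.size())
        throw std::out_of_range("result register index lies outside the frame");
    frame.registers[static_cast<size_t>(registerIndex)] = value;
}

// Buggy ordering: the PC is moved to the jump target first, and the destination
// operand is then read as if the PC still pointed at op_check_has_instance.
static const int32_t* slowPathBuggy(const int32_t* pc, Frame& frame, int32_t result)
{
    pc += pc[4];                        // 1. adjust PC to the jump target
    storeResult(frame, pc[1], result);  // 2. "operand 1" is now some unrelated word
    return pc;
}

// Fixed ordering: read every operand and store the result, then adjust the PC.
static const int32_t* slowPathFixed(const int32_t* pc, Frame& frame, int32_t result)
{
    const int32_t dst = pc[1];
    const int32_t jumpOffset = pc[4];
    storeResult(frame, dst, result);
    return pc + jumpOffset;
}

struct RunResult {
    bool corrupted;      // true when the slow path tried to write outside the frame
    int32_t dstRegister; // value left in register 2, the real destination
    size_t pcIndex;      // where the PC ended up, as an index into the stream
};

// Constructed bytecode: check_has_instance writes register 2 and jumps over
// op_instanceof straight to op_ret; the word after op_ret stands in for
// "whatever value resides after the jump target PC". Had that word happened to
// be a valid register index, the buggy path would "coincidentally" work.
static RunResult run(bool useFixedSlowPath)
{
    static const int32_t stream[] = {
        op_check_has_instance, 2, 0, 1, 9,   // index 0..4, jump +9 -> index 9
        op_instanceof,         2, 0, 3,      // index 5..8 (skipped)
        op_ret,                              // index 9
        0x7fff                               // index 10: unrelated trailing word
    };
    Frame frame{ std::vector<int32_t>(4, 0) };
    const int32_t* pc = stream;
    RunResult r{ false, -1, 0 };
    try {
        pc = useFixedSlowPath ? slowPathFixed(pc, frame, 1) : slowPathBuggy(pc, frame, 1);
    } catch (const std::out_of_range&) {
        r.corrupted = true;
        return r;
    }
    r.dstRegister = frame.registers[2];
    r.pcIndex = static_cast<size_t>(pc - stream);
    return r;
}

int main()
{
    RunResult buggy = run(false);
    RunResult fixed = run(true);
    std::printf("buggy: corrupted=%d\nfixed: corrupted=%d dst=%d pc=%zu\n",
                buggy.corrupted, fixed.corrupted, fixed.dstRegister, fixed.pcIndex);
    return 0;
}
```
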
2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        FTL build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set

        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
        barrier, we only want to take the slow path if the object being stored to is in state #2.
        We'd like to make the test for state #2 as fast as possible, which means making it a
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.

        - Be more defensive about inline caches that have degenerate chains.

        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756

        - Don't even emit intrinsic declarations on non-x86 platforms.

        - More debug printing support.

        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05  peavo@outlook.com  <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

2014-03-05  Michael Saboff  <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes. All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

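The byte-wise technique the entry above describes, as an added example that is not JavaScriptCore code: DataView-style `getData`/`setData` that assemble each value from single bytes through a union, honour the requested byte order, and bounds-check the access before touching the buffer. The function names, the `ByteAssembler` union and the sample buffer are constructed for this example.

```cpp
// Added example, not JavaScriptCore code: DataView-style getData/setData that
// assemble every value from individual bytes through a union, so no load or
// store is ever issued at a misaligned address.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Detect host byte order at run time (safe on every target).
static bool hostIsLittleEndian()
{
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// The union builds a T out of its bytes without ever forming a T* into the
// buffer. (GCC and Clang define reading the inactive member; std::memcpy into
// a T is the strictly conforming alternative.)
template <typename T>
union ByteAssembler {
    T value;
    uint8_t bytes[sizeof(T)];
};

// Reject any access that would read or write past the end of the buffer; the
// subtraction form cannot overflow, unlike byteOffset + sizeof(T) > size().
template <typename T>
static void checkBounds(const std::vector<uint8_t>& buffer, size_t byteOffset)
{
    if (byteOffset > buffer.size() || sizeof(T) > buffer.size() - byteOffset)
        throw std::out_of_range("DataView access past the end of the buffer");
}

// Read a T at an arbitrary byte offset, one byte at a time.
template <typename T>
T getData(const std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian)
{
    checkBounds<T>(buffer, byteOffset);
    const bool reverse = littleEndian != hostIsLittleEndian();
    ByteAssembler<T> u;
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[reverse ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    return u.value;
}

// Write a T at an arbitrary byte offset, one byte at a time.
template <typename T>
void setData(std::vector<uint8_t>& buffer, size_t byteOffset, T value, bool littleEndian)
{
    checkBounds<T>(buffer, byteOffset);
    const bool reverse = littleEndian != hostIsLittleEndian();
    ByteAssembler<T> u;
    u.value = value;
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = u.bytes[reverse ? sizeof(T) - 1 - i : i];
}

// True when a read of T at byteOffset is refused by the bounds check.
template <typename T>
bool readIsRejected(const std::vector<uint8_t>& buffer, size_t byteOffset)
{
    try {
        (void)getData<T>(buffer, byteOffset, true);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main()
{
    // Constructed sample: a uint32 stored little-endian at the odd offset 1.
    std::vector<uint8_t> buffer{ 0xAA, 0x78, 0x56, 0x34, 0x12 };
    std::printf("u32 LE @1: 0x%08x\n", getData<uint32_t>(buffer, 1, true));  // 0x12345678
    std::printf("u32 BE @1: 0x%08x\n", getData<uint32_t>(buffer, 1, false)); // 0x78563412
    setData<float>(buffer, 1, 2.5f, false);  // bytes 1..4 become 40 20 00 00
    std::printf("float BE @1: %g\n", getData<float>(buffer, 1, false));      // 2.5
    std::printf("u32 @2 rejected: %d\n", readIsRejected<uint32_t>(buffer, 2));
    return 0;
}
```
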
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.

        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".

        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.

        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.

        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.

        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.

        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05  Anders Carlsson  <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use range-based loops where possible in Heap methods
        https://bugs.webkit.org/show_bug.cgi?id=129513

        Reviewed by Mark Lam.

        Replace old school iterator based loops with the new range-based loop hotness
        for a better tomorrow.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        Rolling this back in after fixing an assertion failure. speculateMisc() should have
        said DFG_TYPE_CHECK instead of typeCheck.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165085.
        http://trac.webkit.org/changeset/165085
        https://bugs.webkit.org/show_bug.cgi?id=129729

        Broke imported/w3c/html-templates/template-element/template-content.html (Requested by ap on #webkit).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        * tests/stress/float32-array-out-of-bounds.js: Removed.
        * tests/stress/weird-equality-folding-cases.js: Removed.

2014-03-04  Brian Burg  <bburg@apple.com>

        Inspector does not restore breakpoints after a page reload
        https://bugs.webkit.org/show_bug.cgi?id=129655

        Reviewed by Joseph Pecoraro.

        Fix a regression introduced by r162096 that erroneously removed
        the inspector backend's mapping of files to breakpoints whenever the
        global object was cleared.

        The inspector's breakpoint mappings should only be cleared when the
        debugger agent is disabled or destroyed. We should only clear the
        debugger's breakpoint state when the global object is cleared.

        To make it clearer what state is being cleared, the two cases have
        been split into separate methods.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-03-04  Andreas Kling  <akling@apple.com>

        Streamline JSValue::get().
        <https://webkit.org/b/129720>

        Fetch each Structure and VM only once when walking the prototype chain
        in JSObject::getPropertySlot(), then pass it along to the functions
        we call from there, so they don't have to re-fetch it.

        Reviewed by Geoff Garen.

        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Andreas Kling  <akling@apple.com>

        Spam static branch prediction hints on JS bindings.
        <https://webkit.org/b/129703>

        Add LIKELY hint to jsDynamicCast since it's always used in a context
        where we expect it to succeed and takes an error path when it doesn't.

        Reviewed by Geoff Garen.

        * runtime/JSCell.h:
        (JSC::jsDynamicCast):

2014-03-04  Andreas Kling  <akling@apple.com>

        Get to Structures more efficiently in JSCell::methodTable().
        <https://webkit.org/b/129702>

        In JSCell::methodTable(), get the VM once and pass that along to
        structure(VM&) instead of using the heavier structure().

        In JSCell::methodTable(VM&), replace calls to structure() with
        calls to structure(VM&).

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):

2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
        https://bugs.webkit.org/show_bug.cgi?id=129697

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge API shims and JSLock
        https://bugs.webkit.org/show_bug.cgi?id=129650

        Reviewed by Mark Lam.

        JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
        to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APIShims.h: Removed.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGlobalObject):
        (JSContextGetGlobalContext):
        (JSGlobalContextCopyName):
        (JSGlobalContextSetName):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
27611 (JSObjectCopyPropertyNames):
27612 (JSPropertyNameArrayRelease):
27613 (JSPropertyNameAccumulatorAddName):
27614 * API/JSScriptRef.cpp:
27615 * API/JSValue.mm:
27616 (isDate):
27617 (isArray):
27618 (containerValueToObject):
27619 (valueToArray):
27620 (valueToDictionary):
27621 (objectToValue):
27622 * API/JSValueRef.cpp:
27623 (JSValueGetType):
27624 (JSValueIsUndefined):
27625 (JSValueIsNull):
27626 (JSValueIsBoolean):
27627 (JSValueIsNumber):
27628 (JSValueIsString):
27629 (JSValueIsObject):
27630 (JSValueIsObjectOfClass):
27631 (JSValueIsEqual):
27632 (JSValueIsStrictEqual):
27633 (JSValueIsInstanceOfConstructor):
27634 (JSValueMakeUndefined):
27635 (JSValueMakeNull):
27636 (JSValueMakeBoolean):
27637 (JSValueMakeNumber):
27638 (JSValueMakeString):
27639 (JSValueMakeFromJSONString):
27640 (JSValueCreateJSONString):
27641 (JSValueToBoolean):
27642 (JSValueToNumber):
27643 (JSValueToStringCopy):
27644 (JSValueToObject):
27645 (JSValueProtect):
27646 (JSValueUnprotect):
27647 * API/JSVirtualMachine.mm:
27648 (-[JSVirtualMachine addManagedReference:withOwner:]):
27649 (-[JSVirtualMachine removeManagedReference:withOwner:]):
27650 * API/JSWeakObjectMapRefPrivate.cpp:
27651 * API/JSWrapperMap.mm:
27652 (constructorHasInstance):
27653 (makeWrapper):
27654 (tryUnwrapObjcObject):
27655 * API/ObjCCallbackFunction.mm:
27656 (JSC::objCCallbackFunctionCallAsFunction):
27657 (JSC::objCCallbackFunctionCallAsConstructor):
27658 (objCCallbackFunctionForInvocation):
27659 * CMakeLists.txt:
27660 * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
27661 * GNUmakefile.list.am:
27662 * JavaScriptCore.xcodeproj/project.pbxproj:
27663 * dfg/DFGWorklist.cpp:
27664 * heap/DelayedReleaseScope.h:
27665 (JSC::DelayedReleaseScope::~DelayedReleaseScope):
27666 * heap/HeapTimer.cpp:
27667 (JSC::HeapTimer::timerDidFire):
27668 (JSC::HeapTimer::timerEvent):
27669 * heap/IncrementalSweeper.cpp:
27670 * inspector/InjectedScriptModule.cpp:
27671 (Inspector::InjectedScriptModule::ensureInjected):
27672 * jsc.cpp:
27673 (jscmain):
27674 * runtime/GCActivityCallback.cpp:
27675 (JSC::DefaultGCActivityCallback::doWork):
27676 * runtime/JSGlobalObjectDebuggable.cpp:
27677 (JSC::JSGlobalObjectDebuggable::connect):
27678 (JSC::JSGlobalObjectDebuggable::disconnect):
27679 (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
27680 * runtime/JSLock.cpp:
27681 (JSC::JSLock::lock):
27682 (JSC::JSLock::didAcquireLock):
27683 (JSC::JSLock::unlock):
27684 (JSC::JSLock::willReleaseLock):
27685 (JSC::JSLock::DropAllLocks::DropAllLocks):
27686 (JSC::JSLock::DropAllLocks::~DropAllLocks):
27687 * runtime/JSLock.h:
27688 * testRegExp.cpp:
27689 (realMain):
27690
276912014-03-04 Commit Queue <commit-queue@webkit.org>
27692
27693 Unreviewed, rolling out r164812.
27694 http://trac.webkit.org/changeset/164812
27695 https://bugs.webkit.org/show_bug.cgi?id=129699
27696
27697 it made things run slower (Requested by pizlo on #webkit).
27698
27699 * interpreter/Interpreter.cpp:
27700 (JSC::Interpreter::execute):
27701 * jsc.cpp:
27702 (GlobalObject::finishCreation):
27703 * runtime/BatchedTransitionOptimizer.h:
27704 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
27705 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
27706
2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        GetMyArgumentByVal in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Oliver Hunt.

        This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
        They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
        caused it to think that the arity check had failed if the caller had passed more
        arguments than needed. This would cause the call frame copying to sort of go into
        reverse (because the amount-by-which-we-failed-arity would have opposite sign,
        throwing off a bunch of math) and the stack would end up being corrupted.

        The bug was revealed by two existing tests although as far as I could tell, neither
        test was intending to cover this case directly. So, I added a new test.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLState.h:
        * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val.js: Added.

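        Added illustration of the arity bug this entry describes (example code written for
        this page, not JavaScriptCore's OSR exit compiler; Frame, CodeBlockInfo and the
        helper names are hypothetical, and ints stand in for JSValues). It shows why an
        equality check misfires for a caller that passes extra arguments and how the
        "amount by which we failed arity" changes sign:

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Added example, not JavaScriptCore code: a model of the OSR-exit arity check.
// The caller pushed `argumentCount` arguments and the callee declares
// `numParameters`. All names here are hypothetical.

struct Frame {
    std::size_t argumentCount;   // arguments the caller actually passed
    std::vector<int> arguments;  // their values (ints stand in for JSValues)
};

struct CodeBlockInfo {
    std::size_t numParameters;   // parameters the callee declares
};

using ArityPredicate = bool (*)(const Frame&, const CodeBlockInfo&);

// The buggy check quoted in the entry: any mismatch counts as a failure, so a
// caller that passed *extra* arguments is treated as if it had passed too few.
bool arityCheckFailedBuggy(const Frame& exec, const CodeBlockInfo& codeBlock)
{
    return exec.argumentCount != codeBlock.numParameters;
}

// The correct check: arity fails only when too *few* arguments arrived.
// Surplus arguments are legal in JavaScript and simply stay in the frame.
bool arityCheckFailedFixed(const Frame& exec, const CodeBlockInfo& codeBlock)
{
    return exec.argumentCount < codeBlock.numParameters;
}

// Slots the frame must grow by to pad missing parameters with `undefined`,
// computed only when `arityCheckFailed` reports a failure. With the buggy
// predicate an extra-args caller reaches this computation and the result is
// negative: the sign flip that, per the entry, ran the frame copy in reverse
// and corrupted the stack.
long missingSlots(const Frame& exec, const CodeBlockInfo& codeBlock, ArityPredicate arityCheckFailed)
{
    if (!arityCheckFailed(exec, codeBlock))
        return 0;
    return static_cast<long>(codeBlock.numParameters) - static_cast<long>(exec.argumentCount);
}

// Arity fixup using the corrected check: pads with `undefinedMarker` when too
// few arguments arrived and passes a surplus through untouched.
std::vector<int> fixUpArguments(const Frame& exec, const CodeBlockInfo& codeBlock, int undefinedMarker)
{
    std::vector<int> fixedUp = exec.arguments;
    long padding = missingSlots(exec, codeBlock, arityCheckFailedFixed);
    for (long i = 0; i < padding; ++i)
        fixedUp.push_back(undefinedMarker);
    return fixedUp;
}

int main()
{
    CodeBlockInfo callee{3};
    Frame extraArgs{5, {1, 2, 3, 4, 5}};  // constructed: two more arguments than declared
    std::cout << "buggy check, extra args: missing slots = "
              << missingSlots(extraArgs, callee, arityCheckFailedBuggy) << " (negative)\n";
    std::cout << "fixed check, extra args: missing slots = "
              << missingSlots(extraArgs, callee, arityCheckFailedFixed) << '\n';
    return 0;
}
```

        The negative slot count is the whole story: once the padding loop (or, in a real
        exit compiler, the frame copy) is driven by a negative delta, it walks memory it
        was never meant to touch, which is why the regression test in this entry exercises
        exactly the extra-arguments caller.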
2014-03-04  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Build the Udis86 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=129679

        Reviewed by Michael Saboff.

        * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
        * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.

2014-03-04  Andreas Kling  <akling@apple.com>

        Fix too-narrow assertion I added in r165054.

        It's okay for a 1-character string to come in here. This will happen
        if the VM small string optimization doesn't apply (ch > 0xFF).

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Andreas Kling  <akling@apple.com>

        Micro-optimize Strings in JS bindings.
        <https://webkit.org/b/129673>

        Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
        This avoids branches in length() and operator[].

        Also call JSString::create() directly instead of jsString() and just
        assert that the string length is >1. This way we don't duplicate the
        optimizations for empty and single-character strings.

        Reviewed by Ryosuke Niwa.

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Implement Number.prototype.clz()
        https://bugs.webkit.org/show_bug.cgi?id=129479

        Reviewed by Oliver Hunt.

        Implemented Number.prototype.clz() as specified in the ES6 standard.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncClz):

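        Added reference implementation of the semantics behind this entry (example code
        written for this page, not the numberProtoFuncClz() in NumberPrototype.cpp): the
        receiver goes through ES6 ToUint32, then the leading zeros of the resulting 32-bit
        value are counted, with 0 mapping to 32. The published ES6 standard exposes the same
        operation as Math.clz32.

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>

// Added example, not JavaScriptCore's implementation: clz as the ES6 drafts
// specified it, in plain C++.

// ES6 ToUint32: NaN and +/-Infinity become 0; everything else is truncated
// toward zero and reduced modulo 2^32 into the non-negative range.
uint32_t toUint32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    const double twoTo32 = 4294967296.0;
    double wrapped = std::fmod(std::trunc(value), twoTo32);
    if (wrapped < 0)
        wrapped += twoTo32;
    return static_cast<uint32_t>(wrapped);
}

// Leading-zero count of a 32-bit value by binary search on the high bits.
// Zero is handled explicitly: the result is 32, whereas __builtin_clz(0) is
// undefined behaviour.
int clz32(uint32_t x)
{
    if (x == 0)
        return 32;
    int n = 0;
    if ((x & 0xFFFF0000u) == 0) { n += 16; x <<= 16; }
    if ((x & 0xFF000000u) == 0) { n += 8;  x <<= 8; }
    if ((x & 0xF0000000u) == 0) { n += 4;  x <<= 4; }
    if ((x & 0xC0000000u) == 0) { n += 2;  x <<= 2; }
    if ((x & 0x80000000u) == 0) { n += 1; }
    return n;
}

// What Number.prototype.clz() computes for a receiver `value`.
int numberClz(double value)
{
    return clz32(toUint32(value));
}

int main()
{
    std::cout << "clz(1) = " << numberClz(1) << '\n';                  // 31
    std::cout << "clz(0) = " << numberClz(0) << '\n';                  // 32
    std::cout << "clz(-1) = " << numberClz(-1) << '\n';                // 0: ToUint32(-1) is 0xFFFFFFFF
    std::cout << "clz(2^32) = " << numberClz(4294967296.0) << '\n';    // 32: wraps to 0
    return 0;
}
```

        The ToUint32 step is where the surprising cases live: negative receivers wrap to
        large unsigned values, and anything at or above 2^32 wraps back around, so clz of
        2^32 is 32 while clz of 2^32 + 1 is 31.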
2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
        https://bugs.webkit.org/show_bug.cgi?id=129631

        Reviewed by Timothy Hatcher.

        Avoid deref() too early if a client calls close(). The xpc_connection_close
        will cause another XPC_ERROR event to come in from the queue, deref then.
        Likewise, protect multithreaded access to m_client. If a client calls
        close() we want to immediately clear the pointer to prevent calls to it.

        Overall the multi-threading aspects of RemoteInspectorXPCConnection are
        growing too complicated for probably little benefit. We may want to
        clean this up later.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionFailed):
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):

2014-03-03  Michael Saboff  <msaboff@apple.com>

        AbstractMacroAssembler::CachedTempRegister should start out invalid
        https://bugs.webkit.org/show_bug.cgi?id=129657

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        - Invalidate all cached registers in constructor as we don't know the
          contents of any register at the entry to the code we are going to
          generate.

2014-03-03  Andreas Kling  <akling@apple.com>

        StructureOrOffset should be fastmalloced.
        <https://webkit.org/b/129640>

        Reviewed by Geoffrey Garen.

        * runtime/StructureIDTable.h:

2014-03-03  Michael Saboff  <msaboff@apple.com>

        Crash in JIT code while watching a video @ storyboard.tumblr.com
        https://bugs.webkit.org/show_bug.cgi?id=129635

        Reviewed by Filip Pizlo.

        Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
        constructor.

        * jit/TempRegisterSet.cpp:
        (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
        (JSC::TempRegisterSet::clearAll): New private helper.

2014-03-03  Benjamin Poulain  <benjamin@webkit.org>

        [x86] Improve code generation of byte test
        https://bugs.webkit.org/show_bug.cgi?id=129597

        Reviewed by Geoffrey Garen.

        When possible, test the 8 bit register to itself instead of comparing it
        to a literal.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        Web Inspector: debugger statements do not break.
        <https://webkit.org/b/129524>

        Reviewed by Geoff Garen.

        Since we no longer call op_debug hooks unless there is a debugger request
        made on the CodeBlock, the op_debug for the debugger statement never gets
        serviced.

        With this fix, we check in the CodeBlock constructor if any debugger
        statements are present. If so, we set a m_hasDebuggerStatement flag that
        causes the CodeBlock to show as having debugger requests. Hence,
        breaking at debugger statements is now restored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::clearDebuggerRequests):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
        <https://webkit.org/b/129393>

        Reviewed by Geoffrey Garen.

        The issue manifests because the debugger will iterate all CodeBlocks in
        the heap when setting / clearing breakpoints, but it is possible for a
        CodeBlock to have been instantiated but is not yet registered with the
        debugger. This can happen because of the following:

        1. DFG worklist compilation is still in progress, and the target
           codeBlock is not ready for installation in its executable yet.

        2. DFG compilation failed and we have a codeBlock that will never be
           installed in its executable, and the codeBlock has not been cleaned
           up by the GC yet.

        The code for installing the codeBlock in its executable is the same code
        that registers it with the debugger. Hence, these codeBlocks are not
        registered with the debugger, and any pending breakpoints that would map
        to that CodeBlock are as yet unset or will never be set. As such, an
        attempt to remove a breakpoint in that CodeBlock will fail that assertion.

        To fix this, we do the following:

        1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
           compilation. This is achieved by providing a
           DeferredCompilationCallback::compilationDidComplete() that does this
           clean up, and have all subclasses call it at the end of their
           compilationDidComplete() methods.

        2. Before the debugger or profiler iterates CodeBlocks in the heap, they
           will wait for all compilations to complete before proceeding. This
           ensures that:
           1. any zombie CodeBlocks would have been cleaned up, and won't be
              seen by the debugger or profiler.
           2. all CodeBlocks that the debugger and profiler needs to operate on
              will be "ready" for whatever needs to be done to them e.g.
              jettisoning of DFG codeBlocks.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h:
        - Provide default implementation method to clean up zombie CodeBlocks.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        - Utility function to iterate CodeBlocks. It ensures that all compilations
          are complete before proceeding.
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        - Use the utility iterator function.

        * debugger/Debugger.h:
        * dfg/DFGOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        - Remove unneeded code (that was not the best solution anyway) for ensuring
          that we don't generate new DFG codeBlocks after enabling the debugger or
          profiler. Now that we wait for compilations to complete before proceeding
          with debugger and profiler work, this scenario will never happen.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::remove):
        * heap/CodeBlockSet.h:
        * heap/Heap.h:
        (JSC::Heap::removeCodeBlock):
        - New method to remove a codeBlock from the codeBlock set.

        * jit/JITOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * runtime/VM.cpp:
        (JSC::VM::waitForCompilationsToComplete):
        - Renamed from prepareToDiscardCode() to be clearer about what it does.

        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        - Wait for compilation to complete before enabling the profiler.

        * runtime/VM.h:

2014-03-03  Brian Burg  <bburg@apple.com>

        Another unreviewed build fix attempt for Windows after r164986.

        We never told Visual Studio to copy over the web replay code generator scripts
        and the generated headers for JavaScriptCore replay inputs as if they were
        private headers.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2014-03-03  Brian Burg  <bburg@apple.com>

        Web Replay: upstream input storage, capture/replay machinery, and inspector domain
        https://bugs.webkit.org/show_bug.cgi?id=128782

        Reviewed by Timothy Hatcher.

        Alter the replay inputs code generator so that it knows when it is necessary to
        include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Framework.fromString):
        (Frameworks): Add WTF as an allowed framework for code generation.
        (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
        (Generator.generate_includes.declaration):
        (Generator.generate_includes.or):
        (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
        https://bugs.webkit.org/show_bug.cgi?id=129591

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::stubRoutine):
        * jit/Repatch.cpp:
        (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        Debugging improvements from my gbemu investigation session
        https://bugs.webkit.org/show_bug.cgi?id=129599

        Reviewed by Mark Lam.

        Various improvements from when I was investigating bug 129411.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDescribe): Make describe() return a string rather than printing the string.
        (functionDescribeArray): Like describe(), but prints details about arrays.

2014-02-25  Andreas Kling  <akling@apple.com>

        JSDOMWindow::commonVM() should return a reference.
        <https://webkit.org/b/129293>

        Added a DropAllLocks constructor that takes VM& without null checks.

        Reviewed by Geoff Garen.

2014-03-02  Mark Lam  <mark.lam@apple.com>

        CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
        <https://webkit.org/b/129584>

        Reviewed by Darin Adler.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):

2014-03-02  Mark Lam  <mark.lam@apple.com>

        Clean up use of Options::enableConcurrentJIT().
        <https://webkit.org/b/129582>

        Reviewed by Filip Pizlo.

        DFG Driver was conditionally checking Options::enableConcurrentJIT()
        only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
        enableConcurrentJIT set to false.

        Instead we should configure Options::enableConcurrentJIT() to be false
        in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
        check Options::enableConcurrentJIT(). This makes the code read a little
        cleaner.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
        stress tests.

        * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.

2014-03-01  Andreas Kling  <akling@apple.com>

        JSCell::fastGetOwnProperty() should get the Structure more efficiently.
        <https://webkit.org/b/129560>

        Now that structure() is nontrivial and we have a faster structure(VM&),
        make use of that in fastGetOwnProperty() since we already have VM.

        Reviewed by Sam Weinig.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places.)
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.

        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.

        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
        * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
        * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):

2014-02-28  Andreas Kling  <akling@apple.com>

        JSObject::findPropertyHashEntry() should take VM instead of ExecState.
        <https://webkit.org/b/129529>

        Callers already have VM in a local, and findPropertyHashEntry() only
        uses the VM, no need to go all the way through ExecState.

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        * runtime/JSObject.h:

2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>

        Deadlock remotely inspecting iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=129511

        Reviewed by Timothy Hatcher.

        Avoid synchronous setup. Do it asynchronously, and let
        the RemoteInspector singleton know later if it failed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):

2014-02-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=129488

        Reviewed by Mark Lam.

        Whoops, modify the right register.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
        https://bugs.webkit.org/show_bug.cgi?id=129503

        Reviewed by Mark Lam.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::intrinsicOrOperation):

2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(GGC) builds

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up Heap::collect and Heap::markRoots
        https://bugs.webkit.org/show_bug.cgi?id=129464

        Reviewed by Geoffrey Garen.

        These functions have built up a lot of cruft recently.
        We should do a bit of cleanup to make them easier to grok.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>

        indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
        https://bugs.webkit.org/show_bug.cgi?id=129466

        Reviewed by Michael Saboff.

        Refactored the code to avoid calling JSString::value when needle is longer than haystack.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):

2014-02-27  Timothy Hatcher  <timothy@apple.com>

        Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.

        https://bugs.webkit.org/show_bug.cgi?id=129458

        Reviewed by Joseph Pecoraro.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
        line ending type and don't try to strip the line ending. Use size_t.
        (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
        This will include the line ending in the lines, but that is okay.
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
        (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.

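        Added illustration of the line-splitting approach this entry describes (example code
        written for this page, not ContentSearchUtilities.cpp; findNextLineStart, splitLines
        and textPositionFromOffset are hypothetical names, and the sample text is
        constructed). It accepts LF, CRLF and lone CR, keeps each terminator with its line,
        and derives (line, column) from an offset without assuming a terminator length:

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Added example, not the inspector's code: a hypothetical findNextLineStart /
// splitLines / textPositionFromOffset trio accepting all three common line
// terminators (LF, CRLF and lone CR).

// Offset just past the first line terminator at or after `start`, or
// std::string::npos if none follows. CRLF is consumed as one unit so the LF
// is never mistaken for a second, empty line.
std::size_t findNextLineStart(const std::string& text, std::size_t start)
{
    for (std::size_t i = start; i < text.size(); ++i) {
        if (text[i] == '\n')
            return i + 1;
        if (text[i] == '\r')
            return (i + 1 < text.size() && text[i + 1] == '\n') ? i + 2 : i + 1;
    }
    return std::string::npos;
}

// Splits `text` into lines, each keeping its own terminator (acceptable for
// the search use case, as the entry notes). An unterminated tail is kept.
std::vector<std::string> splitLines(const std::string& text)
{
    std::vector<std::string> lines;
    std::size_t start = 0;
    while (start < text.size()) {
        std::size_t next = findNextLineStart(text, start);
        if (next == std::string::npos) {
            lines.push_back(text.substr(start));
            break;
        }
        lines.push_back(text.substr(start, next - start));
        start = next;
    }
    return lines;
}

// Zero-based (line, column) of `offset`, without assuming a terminator length:
// the line is the number of line starts at or before the offset.
std::pair<std::size_t, std::size_t> textPositionFromOffset(const std::string& text, std::size_t offset)
{
    std::size_t line = 0;
    std::size_t lineStart = 0;
    for (;;) {
        std::size_t next = findNextLineStart(text, lineStart);
        if (next == std::string::npos || next > offset)
            break;
        ++line;
        lineStart = next;
    }
    return {line, offset - lineStart};
}

// Constructed sample mixing all three terminators: "a" CRLF, "bb" LF, "cc" CR, "d".
const std::string kConstructedSample = "a\r\nbb\ncc\rd";

int main()
{
    for (const std::string& line : splitLines(kConstructedSample))
        std::cout << line.size() << " bytes\n";
    std::pair<std::size_t, std::size_t> pos = textPositionFromOffset(kConstructedSample, 9);
    std::cout << "offset 9 is line " << pos.first << ", column " << pos.second << '\n'; // line 3, column 0
    return 0;
}
```

        Treating CRLF as a single terminator is the one place a byte-at-a-time scanner goes
        wrong: splitting on '\r' and '\n' independently would report an empty line between
        them and shift every later line number by one.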
283252014-02-27 Joseph Pecoraro <pecoraro@apple.com>
28326
28327 [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
28328 https://bugs.webkit.org/show_bug.cgi?id=129446
28329
28330 Reviewed by Timothy Hatcher.
28331
28332 Remove duplicate header entries in Copy Header build phase.
28333
28334 * JavaScriptCore.xcodeproj/project.pbxproj:
28335
283362014-02-27 Oliver Hunt <oliver@apple.com>
28337
28338 Whoops, include all of last patch.
28339
28340 * jit/JITCall32_64.cpp:
28341 (JSC::JIT::compileLoadVarargs):
28342
283432014-02-27 Oliver Hunt <oliver@apple.com>
28344
28345 Slow cases for function.apply and function.call should not require vm re-entry
28346 https://bugs.webkit.org/show_bug.cgi?id=129454
28347
28348 Reviewed by Geoffrey Garen.
28349
28350 Implement call and apply using builtins. Happily the use
28351 of @call and @apply don't perform function equality checks
28352 and just plant direct var_args calls. This did expose a few
28353 codegen issues, but they're all covered by existing tests
28354 once call and apply are implemented in JS.
28355
28356 * JavaScriptCore.xcodeproj/project.pbxproj:
28357 * builtins/Function.prototype.js: Added.
28358 (call):
28359 (apply):
28360 * bytecompiler/NodesCodegen.cpp:
28361 (JSC::CallFunctionCallDotNode::emitBytecode):
28362 (JSC::ApplyFunctionCallDotNode::emitBytecode):
28363 * dfg/DFGCapabilities.cpp:
28364 (JSC::DFG::capabilityLevel):
28365 * interpreter/Interpreter.cpp:
28366 (JSC::sizeFrameForVarargs):
28367 (JSC::loadVarargs):
28368 * interpreter/Interpreter.h:
28369 * jit/JITCall.cpp:
28370 (JSC::JIT::compileLoadVarargs):
28371 * parser/ASTBuilder.h:
28372 (JSC::ASTBuilder::makeFunctionCallNode):
28373 * parser/Lexer.cpp:
28374 (JSC::isSafeBuiltinIdentifier):
28375 * runtime/CommonIdentifiers.h:
28376 * runtime/FunctionPrototype.cpp:
28377 (JSC::FunctionPrototype::addFunctionProperties):
28378 * runtime/JSObject.cpp:
28379 (JSC::JSObject::putDirectBuiltinFunction):
28380 (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
28381 * runtime/JSObject.h:
28382
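The entry above moves call and apply into JS builtins and reworks the var_args loading (sizeFrameForVarargs / loadVarargs). The following is an added example, not JavaScriptCore's own builtins or code: a user-land model of the spec step Function.prototype.apply performs when it turns an array-like argument object into an argument list, written so its observable behaviour (null/undefined, non-objects, holes, length coercion) can be compared against the engine's native apply. The MAX_ARGS cap and the helper names are this example's own assumptions.

```javascript
'use strict';

// Assumed cap on the argument list this model will build (the engine's own
// limit is not part of the ChangeLog); an unbounded length would otherwise
// let `{ length: Infinity }` size an arbitrarily large frame.
const MAX_ARGS = 65535;

// ToLength: NaN and negatives become 0, everything else is truncated and
// clamped to the largest safe integer.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Model of CreateListFromArrayLike as used by Function.prototype.apply.
function createListFromArrayLike(argArray) {
  if (argArray === undefined || argArray === null) return [];
  if (typeof argArray !== 'object' && typeof argArray !== 'function') {
    throw new TypeError('argument list must be an object');
  }
  const len = toLength(argArray.length);
  if (len > MAX_ARGS) throw new RangeError('too many arguments');
  const list = [];
  for (let i = 0; i < len; i++) list.push(argArray[i]); // holes read as undefined
  return list;
}

// apply(thisArg, argArray) expressed in terms of the model above.
function modelApply(target, thisArg, argArray) {
  if (typeof target !== 'function') throw new TypeError('target is not callable');
  return Reflect.apply(target, thisArg, createListFromArrayLike(argArray));
}

// Probe callee: records the receiver and the arguments it was called with.
function collect() {
  return { self: this, args: Array.from(arguments) };
}

// Compare the model with the native apply for one (thisArg, argArray) pair.
// Returns true when both produce the same receiver and argument list.
function agreesWithNative(thisArg, argArray) {
  const modelled = modelApply(collect, thisArg, argArray);
  const native = collect.apply(thisArg, argArray);
  return modelled.self === native.self &&
    modelled.args.length === native.args.length &&
    modelled.args.every((v, i) => v === native.args[i]);
}

// Returns the name of the error class thrown for a rejected argument list,
// or 'none' if the call succeeded.
function rejectionOf(argArray) {
  try {
    modelApply(collect, null, argArray);
    return 'none';
  } catch (e) {
    return e.constructor.name;
  }
}
```

Running `agreesWithNative('x', { length: '2.9', 0: 'a' })` shows the model and the native apply agree on the coerced length (2) and on the hole in slot 1 being passed as undefined; `rejectionOf(42)` is a TypeError in both, while `rejectionOf({ length: Infinity })` is rejected by this model's RangeError cap before any frame is sized.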
283832014-02-27 Joseph Pecoraro <pecoraro@apple.com>
28384
28385 Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
28386 https://bugs.webkit.org/show_bug.cgi?id=129443
28387
28388 Reviewed by Timothy Hatcher.
28389
28390 This queue is specific to the JSContext debuggable connections,
28391 there is no XPC involved. Give it a better name.
28392
28393 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
28394 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
28395
283962014-02-27 David Kilzer <ddkilzer@apple.com>
28397
28398 Remove jsc symlink if it already exists
28399
28400 This is a follow-up fix for:
28401
28402 Create symlink to /usr/local/bin/jsc during installation
28403 <http://webkit.org/b/129399>
28404 <rdar://problem/16168734>
28405
28406 * JavaScriptCore.xcodeproj/project.pbxproj:
28407 (Create /usr/local/bin/jsc symlink): If a jsc symlink already
28408 exists where we're about to create the symlink, remove the old
28409 one first.
28410
284112014-02-27 Michael Saboff <msaboff@apple.com>
28412
28413 Unreviewed build fix for Mac tools after r164814
28414
28415 * Configurations/ToolExecutable.xcconfig:
28416 - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
28417 * JavaScriptCore.xcodeproj/project.pbxproj:
28418 - Changed productName to testRegExp for testRegExp target.
28419
284202014-02-27 Joseph Pecoraro <pecoraro@apple.com>
28421
28422 Web Inspector: JSContext inspection should report exceptions in the console
28423 https://bugs.webkit.org/show_bug.cgi?id=128776
28424
28425 Reviewed by Timothy Hatcher.
28426
28427 When JavaScript API functions have an exception, let the inspector
28428 know so it can log the JavaScript and Native backtrace that caused
28429 the exception.
28430
28431 Include some clean up of ConsoleMessage and ScriptCallStack construction.
28432
28433 * API/JSBase.cpp:
28434 (JSEvaluateScript):
28435 (JSCheckScriptSyntax):
28436 * API/JSObjectRef.cpp:
28437 (JSObjectMakeFunction):
28438 (JSObjectMakeArray):
28439 (JSObjectMakeDate):
28440 (JSObjectMakeError):
28441 (JSObjectMakeRegExp):
28442 (JSObjectGetProperty):
28443 (JSObjectSetProperty):
28444 (JSObjectGetPropertyAtIndex):
28445 (JSObjectSetPropertyAtIndex):
28446 (JSObjectDeleteProperty):
28447 (JSObjectCallAsFunction):
28448 (JSObjectCallAsConstructor):
28449 * API/JSValue.mm:
28450 (reportExceptionToInspector):
28451 (valueToArray):
28452 (valueToDictionary):
28453 * API/JSValueRef.cpp:
28454 (JSValueIsEqual):
28455 (JSValueIsInstanceOfConstructor):
28456 (JSValueCreateJSONString):
28457 (JSValueToNumber):
28458 (JSValueToStringCopy):
28459 (JSValueToObject):
28460 When seeing an exception, let the inspector know there was an exception.
28461
28462 * inspector/JSGlobalObjectInspectorController.h:
28463 * inspector/JSGlobalObjectInspectorController.cpp:
28464 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
28465 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
28466 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
28467 Log API exceptions by also grabbing the native backtrace.
28468
28469 * inspector/ScriptCallStack.h:
28470 * inspector/ScriptCallStack.cpp:
28471 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
28472 (Inspector::ScriptCallStack::append):
28473 Minor extensions to ScriptCallStack to make it easier to work with.
28474
28475 * inspector/ConsoleMessage.cpp:
28476 (Inspector::ConsoleMessage::ConsoleMessage):
28477 (Inspector::ConsoleMessage::autogenerateMetadata):
28478 Provide better default information if the first call frame was native.
28479
28480 * inspector/ScriptCallStackFactory.cpp:
28481 (Inspector::createScriptCallStack):
28482 (Inspector::extractSourceInformationFromException):
28483 (Inspector::createScriptCallStackFromException):
28484 Perform the handling here of inserting a fake call frame for exceptions
28485 if there was no call stack (e.g. a SyntaxError) or if the first call
28486 frame had no information.
28487
28488 * inspector/ConsoleMessage.cpp:
28489 (Inspector::ConsoleMessage::ConsoleMessage):
28490 (Inspector::ConsoleMessage::autogenerateMetadata):
28491 * inspector/ConsoleMessage.h:
28492 * inspector/ScriptCallStackFactory.cpp:
28493 (Inspector::createScriptCallStack):
28494 (Inspector::createScriptCallStackForConsole):
28495 * inspector/ScriptCallStackFactory.h:
28496 * inspector/agents/InspectorConsoleAgent.cpp:
28497 (Inspector::InspectorConsoleAgent::enable):
28498 (Inspector::InspectorConsoleAgent::addMessageToConsole):
28499 (Inspector::InspectorConsoleAgent::count):
28500 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
28501 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
28502 ConsoleMessage cleanup.
28503
285042014-02-27 David Kilzer <ddkilzer@apple.com>
28505
28506 Create symlink to /usr/local/bin/jsc during installation
28507 <http://webkit.org/b/129399>
28508 <rdar://problem/16168734>
28509
28510 Reviewed by Dan Bernstein.
28511
28512 * JavaScriptCore.xcodeproj/project.pbxproj:
28513 - Add "Create /usr/local/bin/jsc symlink" build phase script to
28514 create the symlink during installation.
28515
285162014-02-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
28517
28518 Math.{max, min}() must not return after first NaN value
28519 https://bugs.webkit.org/show_bug.cgi?id=104147
28520
28521 Reviewed by Oliver Hunt.
28522
28523 According to the spec, ToNumber is going to be called on each argument
28524 even if a `NaN` value was already found.
28525
28526 * runtime/MathObject.cpp:
28527 (JSC::mathProtoFuncMax):
28528 (JSC::mathProtoFuncMin):
28529
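The spec point in the entry above (every argument of Math.max / Math.min is passed through ToNumber, even after a NaN has been seen) can be observed from script, because ToNumber on an object calls its valueOf. The following is an added example, not code from the patch or from JavaScriptCore: it traces which arguments get converted and checks that an exception raised by a later valueOf still propagates instead of being short-circuited. The helper names are this example's own.

```javascript
'use strict';

// Build an object whose ToNumber conversion is observable: valueOf records
// its label in `log` before returning the numeric value.
function probe(value, log, label) {
  return { valueOf() { log.push(label); return value; } };
}

// Call fn with one probe per value and report how many were converted,
// in what order, and what fn returned.
function conversionTrace(fn, values) {
  const log = [];
  const args = values.map((v, i) => probe(v, log, i));
  const result = fn(...args);
  return { converted: log.length, order: log.join(','), result };
}

// Returns true if an exception thrown by valueOf() on an argument that comes
// after a NaN still propagates out of fn, i.e. conversion was not skipped.
function throwsAfterNaN(fn) {
  const marker = 'later argument still converted';
  const args = [NaN, { valueOf() { throw new Error(marker); } }];
  try {
    fn(...args);
    return false;
  } catch (e) {
    return e instanceof Error && e.message === marker;
  }
}
```

With a conforming engine, `conversionTrace(Math.max, [1, NaN, 3])` reports all three arguments converted in order 0,1,2 with a NaN result, and `throwsAfterNaN(Math.min)` is true; an engine that returned at the first NaN would report fewer conversions and swallow the later exception.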
285302014-02-27 Gergo Balogh <gbalogh.u-szeged@partner.samsung.com>
28531
28532 JSType upper limit (0xff) assertion can be removed.
28533 https://bugs.webkit.org/show_bug.cgi?id=129424
28534
28535 Reviewed by Geoffrey Garen.
28536
28537 * runtime/JSTypeInfo.h:
28538 (JSC::TypeInfo::TypeInfo):
28539
285402014-02-26 Michael Saboff <msaboff@apple.com>
28541
28542 Auto generate bytecode information for bytecode parser and LLInt
28543 https://bugs.webkit.org/show_bug.cgi?id=129181
28544
28545 Reviewed by Mark Lam.
28546
28547 Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
28548 helpers. It also includes bytecode length and other information used to generate files.
28549 Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
28550 in DerivedSources/JavaScriptCore/.
28551
28552 Added the generation of these files to the "DerivedSource" build step.
28553 Slightly changed the build order, since the Bytecodes.h file is needed by
28554 JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
28555 to be run after JSCLLIntOffsetsExtractor.
28556
28557 Made related changes to OPCODE macros and their use.
28558
28559 Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
28560 jsc to resolve Mac build issue.
28561
28562 * CMakeLists.txt:
28563 * Configurations/JSC.xcconfig:
28564 * DerivedSources.make:
28565 * GNUmakefile.am:
28566 * GNUmakefile.list.am:
28567 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
28568 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
28569 * JavaScriptCore.vcxproj/copy-files.cmd:
28570 * JavaScriptCore.xcodeproj/project.pbxproj:
28571 * bytecode/Opcode.h:
28572 (JSC::padOpcodeName):
28573 * llint/LLIntCLoop.cpp:
28574 (JSC::LLInt::CLoop::initialize):
28575 * llint/LLIntCLoop.h:
28576 * llint/LLIntData.cpp:
28577 (JSC::LLInt::initialize):
28578 * llint/LLIntOpcode.h:
28579 * llint/LowLevelInterpreter.asm:
28580
285812014-02-27 Julien Brianceau <jbriance@cisco.com>
28582
28583 Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
28584 https://bugs.webkit.org/show_bug.cgi?id=129420
28585
28586 Reviewed by Geoffrey Garen.
28587
28588 * dfg/DFGSpeculativeJIT.h:
28589 (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
28590 Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
28591
285922014-02-27 Filip Pizlo <fpizlo@apple.com>
28593
28594 Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
28595 https://bugs.webkit.org/show_bug.cgi?id=129435
28596
28597 Reviewed by Oliver Hunt.
28598
28599 This is a 5-10% speed-up on Octane/closure.
28600
28601 * interpreter/Interpreter.cpp:
28602 (JSC::Interpreter::execute):
28603 * jsc.cpp:
28604 (GlobalObject::finishCreation):
28605 (functionClearCodeCache):
28606 * runtime/BatchedTransitionOptimizer.h:
28607 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
28608 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
28609
286102014-02-27 Alexey Proskuryakov <ap@apple.com>
28611
28612 Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
28613
28614 * inspector/scripts: Added property svn:ignore.
28615 * replay/scripts: Added property svn:ignore.
28616
286172014-02-27 Gabor Rapcsanyi <rgabor@webkit.org>
28618
28619 r164764 broke the ARM build
28620 https://bugs.webkit.org/show_bug.cgi?id=129415
28621
28622 Reviewed by Zoltan Herczeg.
28623
28624 * assembler/MacroAssemblerARM.h:
28625 (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
28626 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
28627 (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
28628 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
28629
286302014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
28631
28632 r164764 broke the ARM build
28633 https://bugs.webkit.org/show_bug.cgi?id=129415
28634
28635 Reviewed by Geoffrey Garen.
28636
28637 * assembler/MacroAssemblerARM.h:
28638 (JSC::MacroAssemblerARM::moveWithPatch):
28639
286402014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
28641
28642 r164764 broke the ARM build
28643 https://bugs.webkit.org/show_bug.cgi?id=129415
28644
28645 Reviewed by Geoffrey Garen.
28646
28647 * assembler/MacroAssemblerARM.h:
28648 (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
28649
286502014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
28651
28652 EFL build fix
28653
28654 * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
28655 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
28656 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
28657
286582014-02-25 Mark Hahnenberg <mhahnenberg@apple.com>
28659
28660 Make JSCells have 32-bit Structure pointers
28661 https://bugs.webkit.org/show_bug.cgi?id=123195
28662
28663 Reviewed by Filip Pizlo.
28664
28665 This patch changes JSCells such that they no longer have a full 64-bit Structure
28666 pointer in their header. Instead they now have a 32-bit index into
28667 a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
28668 pointers.
28669
28670 This change frees up an additional 32 bits of information in our object headers.
28671 We then use this extra space to store the indexing type of the object, the JSType
28672 of the object, some various type flags, and garbage collection data (e.g. mark bit).
28673 Because this inline type information is now faster to read, it pays for the slowdown
28674 incurred by having to perform an extra indirection through the StructureIDTable.
28675
28676 This patch also threads a reference to the current VM through more of the C++ runtime
28677 to offset the cost of having to look up the VM to get the actual Structure pointer.
28678
28679 * API/JSContext.mm:
28680 (-[JSContext setException:]):
28681 (-[JSContext wrapperForObjCObject:]):
28682 (-[JSContext wrapperForJSObject:]):
28683 * API/JSContextRef.cpp:
28684 (JSContextGroupRelease):
28685 (JSGlobalContextRelease):
28686 * API/JSObjectRef.cpp:
28687 (JSObjectIsFunction):
28688 (JSObjectCopyPropertyNames):
28689 * API/JSValue.mm:
28690 (containerValueToObject):
28691 * API/JSWrapperMap.mm:
28692 (tryUnwrapObjcObject):
28693 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
28694 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
28695 * JavaScriptCore.xcodeproj/project.pbxproj:
28696 * assembler/AbstractMacroAssembler.h:
28697 * assembler/MacroAssembler.h:
28698 (JSC::MacroAssembler::patchableBranch32WithPatch):
28699 (JSC::MacroAssembler::patchableBranch32):
28700 * assembler/MacroAssemblerARM64.h:
28701 (JSC::MacroAssemblerARM64::branchPtrWithPatch):
28702 (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
28703 (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
28704 (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
28705 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
28706 * assembler/MacroAssemblerARMv7.h:
28707 (JSC::MacroAssemblerARMv7::store8):
28708 (JSC::MacroAssemblerARMv7::branch32WithPatch):
28709 (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
28710 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
28711 (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
28712 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
28713 * assembler/MacroAssemblerX86.h:
28714 (JSC::MacroAssemblerX86::branch32WithPatch):
28715 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
28716 (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
28717 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
28718 * assembler/MacroAssemblerX86_64.h:
28719 (JSC::MacroAssemblerX86_64::store32):
28720 (JSC::MacroAssemblerX86_64::moveWithPatch):
28721 (JSC::MacroAssemblerX86_64::branch32WithPatch):
28722 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
28723 (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
28724 (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
28725 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
28726 * assembler/RepatchBuffer.h:
28727 (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
28728 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
28729 * assembler/X86Assembler.h:
28730 (JSC::X86Assembler::revertJumpTo_movq_i64r):
28731 (JSC::X86Assembler::revertJumpTo_movl_i32r):
28732 * bytecode/ArrayProfile.cpp:
28733 (JSC::ArrayProfile::computeUpdatedPrediction):
28734 * bytecode/ArrayProfile.h:
28735 (JSC::ArrayProfile::ArrayProfile):
28736 (JSC::ArrayProfile::addressOfLastSeenStructureID):
28737 (JSC::ArrayProfile::observeStructure):
28738 * bytecode/CodeBlock.h:
28739 (JSC::CodeBlock::heap):
28740 * bytecode/UnlinkedCodeBlock.h:
28741 * debugger/Debugger.h:
28742 * dfg/DFGAbstractHeap.h:
28743 * dfg/DFGArrayifySlowPathGenerator.h:
28744 * dfg/DFGClobberize.h:
28745 (JSC::DFG::clobberize):
28746 * dfg/DFGJITCompiler.h:
28747 (JSC::DFG::JITCompiler::branchWeakStructure):
28748 (JSC::DFG::JITCompiler::branchStructurePtr):
28749 * dfg/DFGOSRExitCompiler32_64.cpp:
28750 (JSC::DFG::OSRExitCompiler::compileExit):
28751 * dfg/DFGOSRExitCompiler64.cpp:
28752 (JSC::DFG::OSRExitCompiler::compileExit):
28753 * dfg/DFGOSRExitCompilerCommon.cpp:
28754 (JSC::DFG::osrWriteBarrier):
28755 (JSC::DFG::adjustAndJumpToTarget):
28756 * dfg/DFGOperations.cpp:
28757 (JSC::DFG::putByVal):
28758 * dfg/DFGSpeculativeJIT.cpp:
28759 (JSC::DFG::SpeculativeJIT::checkArray):
28760 (JSC::DFG::SpeculativeJIT::arrayify):
28761 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
28762 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
28763 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
28764 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
28765 (JSC::DFG::SpeculativeJIT::speculateObject):
28766 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
28767 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
28768 (JSC::DFG::SpeculativeJIT::speculateString):
28769 (JSC::DFG::SpeculativeJIT::speculateStringObject):
28770 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
28771 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
28772 (JSC::DFG::SpeculativeJIT::emitSwitchString):
28773 (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
28774 (JSC::DFG::SpeculativeJIT::writeBarrier):
28775 * dfg/DFGSpeculativeJIT.h:
28776 (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
28777 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
28778 * dfg/DFGSpeculativeJIT32_64.cpp:
28779 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
28780 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
28781 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
28782 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
28783 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
28784 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
28785 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
28786 (JSC::DFG::SpeculativeJIT::compile):
28787 (JSC::DFG::SpeculativeJIT::writeBarrier):
28788 * dfg/DFGSpeculativeJIT64.cpp:
28789 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
28790 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
28791 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
28792 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
28793 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
28794 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
28795 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
28796 (JSC::DFG::SpeculativeJIT::compile):
28797 (JSC::DFG::SpeculativeJIT::writeBarrier):
28798 * dfg/DFGWorklist.cpp:
28799 * ftl/FTLAbstractHeapRepository.cpp:
28800 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
28801 * ftl/FTLAbstractHeapRepository.h:
28802 * ftl/FTLLowerDFGToLLVM.cpp:
28803 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
28804 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
28805 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
28806 (JSC::FTL::LowerDFGToLLVM::compileToString):
28807 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
28808 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
28809 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
28810 (JSC::FTL::LowerDFGToLLVM::allocateCell):
28811 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
28812 (JSC::FTL::LowerDFGToLLVM::isObject):
28813 (JSC::FTL::LowerDFGToLLVM::isString):
28814 (JSC::FTL::LowerDFGToLLVM::isArrayType):
28815 (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
28816 (JSC::FTL::LowerDFGToLLVM::isType):
28817 (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
28818 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
28819 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
28820 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
28821 (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
28822 (JSC::FTL::LowerDFGToLLVM::loadStructure):
28823 (JSC::FTL::LowerDFGToLLVM::weakStructure):
28824 * ftl/FTLOSRExitCompiler.cpp:
28825 (JSC::FTL::compileStub):
28826 * ftl/FTLOutput.h:
28827 (JSC::FTL::Output::store8):
28828 * heap/GCAssertions.h:
28829 * heap/Heap.cpp:
28830 (JSC::Heap::getConservativeRegisterRoots):
28831 (JSC::Heap::collect):
28832 (JSC::Heap::writeBarrier):
28833 * heap/Heap.h:
28834 (JSC::Heap::structureIDTable):
28835 * heap/MarkedSpace.h:
28836 (JSC::MarkedSpace::forEachBlock):
28837 * heap/SlotVisitorInlines.h:
28838 (JSC::SlotVisitor::internalAppend):
28839 * jit/AssemblyHelpers.h:
28840 (JSC::AssemblyHelpers::branchIfCellNotObject):
28841 (JSC::AssemblyHelpers::genericWriteBarrier):
28842 (JSC::AssemblyHelpers::emitLoadStructure):
28843 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
28844 * jit/JIT.h:
28845 * jit/JITCall.cpp:
28846 (JSC::JIT::compileOpCall):
28847 (JSC::JIT::privateCompileClosureCall):
28848 * jit/JITCall32_64.cpp:
28849 (JSC::JIT::emit_op_ret_object_or_this):
28850 (JSC::JIT::compileOpCall):
28851 (JSC::JIT::privateCompileClosureCall):
28852 * jit/JITInlineCacheGenerator.cpp:
28853 (JSC::JITByIdGenerator::generateFastPathChecks):
28854 * jit/JITInlineCacheGenerator.h:
28855 * jit/JITInlines.h:
28856 (JSC::JIT::emitLoadCharacterString):
28857 (JSC::JIT::checkStructure):
28858 (JSC::JIT::emitJumpIfCellNotObject):
28859 (JSC::JIT::emitAllocateJSObject):
28860 (JSC::JIT::emitArrayProfilingSiteWithCell):
28861 (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
28862 (JSC::JIT::branchStructure):
28863 (JSC::branchStructure):
28864 * jit/JITOpcodes.cpp:
28865 (JSC::JIT::emit_op_check_has_instance):
28866 (JSC::JIT::emit_op_instanceof):
28867 (JSC::JIT::emit_op_is_undefined):
28868 (JSC::JIT::emit_op_is_string):
28869 (JSC::JIT::emit_op_ret_object_or_this):
28870 (JSC::JIT::emit_op_to_primitive):
28871 (JSC::JIT::emit_op_jeq_null):
28872 (JSC::JIT::emit_op_jneq_null):
28873 (JSC::JIT::emit_op_get_pnames):
28874 (JSC::JIT::emit_op_next_pname):
28875 (JSC::JIT::emit_op_eq_null):
28876 (JSC::JIT::emit_op_neq_null):
28877 (JSC::JIT::emit_op_to_this):
28878 (JSC::JIT::emitSlow_op_to_this):
28879 * jit/JITOpcodes32_64.cpp:
28880 (JSC::JIT::emit_op_check_has_instance):
28881 (JSC::JIT::emit_op_instanceof):
28882 (JSC::JIT::emit_op_is_undefined):
28883 (JSC::JIT::emit_op_is_string):
28884 (JSC::JIT::emit_op_to_primitive):
28885 (JSC::JIT::emit_op_jeq_null):
28886 (JSC::JIT::emit_op_jneq_null):
28887 (JSC::JIT::emitSlow_op_eq):
28888 (JSC::JIT::emitSlow_op_neq):
28889 (JSC::JIT::compileOpStrictEq):
28890 (JSC::JIT::emit_op_eq_null):
28891 (JSC::JIT::emit_op_neq_null):
28892 (JSC::JIT::emit_op_get_pnames):
28893 (JSC::JIT::emit_op_next_pname):
28894 (JSC::JIT::emit_op_to_this):
28895 * jit/JITOperations.cpp:
28896 * jit/JITPropertyAccess.cpp:
28897 (JSC::JIT::stringGetByValStubGenerator):
28898 (JSC::JIT::emit_op_get_by_val):
28899 (JSC::JIT::emitSlow_op_get_by_val):
28900 (JSC::JIT::emit_op_get_by_pname):
28901 (JSC::JIT::emit_op_put_by_val):
28902 (JSC::JIT::emit_op_get_by_id):
28903 (JSC::JIT::emitLoadWithStructureCheck):
28904 (JSC::JIT::emitSlow_op_get_from_scope):
28905 (JSC::JIT::emitSlow_op_put_to_scope):
28906 (JSC::JIT::checkMarkWord):
28907 (JSC::JIT::emitWriteBarrier):
28908 (JSC::JIT::addStructureTransitionCheck):
28909 (JSC::JIT::emitIntTypedArrayGetByVal):
28910 (JSC::JIT::emitFloatTypedArrayGetByVal):
28911 (JSC::JIT::emitIntTypedArrayPutByVal):
28912 (JSC::JIT::emitFloatTypedArrayPutByVal):
28913 * jit/JITPropertyAccess32_64.cpp:
28914 (JSC::JIT::stringGetByValStubGenerator):
28915 (JSC::JIT::emit_op_get_by_val):
28916 (JSC::JIT::emitSlow_op_get_by_val):
28917 (JSC::JIT::emit_op_put_by_val):
28918 (JSC::JIT::emit_op_get_by_id):
28919 (JSC::JIT::emit_op_get_by_pname):
28920 (JSC::JIT::emitLoadWithStructureCheck):
28921 * jit/JSInterfaceJIT.h:
28922 (JSC::JSInterfaceJIT::emitJumpIfNotType):
28923 * jit/Repatch.cpp:
28924 (JSC::repatchByIdSelfAccess):
28925 (JSC::addStructureTransitionCheck):
28926 (JSC::replaceWithJump):
28927 (JSC::generateProtoChainAccessStub):
28928 (JSC::tryCacheGetByID):
28929 (JSC::tryBuildGetByIDList):
28930 (JSC::writeBarrier):
28931 (JSC::emitPutReplaceStub):
28932 (JSC::emitPutTransitionStub):
28933 (JSC::tryBuildPutByIdList):
28934 (JSC::tryRepatchIn):
28935 (JSC::linkClosureCall):
28936 (JSC::resetGetByID):
28937 (JSC::resetPutByID):
28938 * jit/SpecializedThunkJIT.h:
28939 (JSC::SpecializedThunkJIT::loadJSStringArgument):
28940 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
28941 * jit/ThunkGenerators.cpp:
28942 (JSC::virtualForThunkGenerator):
28943 (JSC::arrayIteratorNextThunkGenerator):
28944 * jit/UnusedPointer.h:
28945 * llint/LowLevelInterpreter.asm:
28946 * llint/LowLevelInterpreter32_64.asm:
28947 * llint/LowLevelInterpreter64.asm:
28948 * runtime/Arguments.cpp:
28949 (JSC::Arguments::createStrictModeCallerIfNecessary):
28950 (JSC::Arguments::createStrictModeCalleeIfNecessary):
28951 * runtime/Arguments.h:
28952 (JSC::Arguments::createStructure):
28953 * runtime/ArrayPrototype.cpp:
28954 (JSC::shift):
28955 (JSC::unshift):
28956 (JSC::arrayProtoFuncToString):
28957 (JSC::arrayProtoFuncPop):
28958 (JSC::arrayProtoFuncReverse):
28959 (JSC::performSlowSort):
28960 (JSC::arrayProtoFuncSort):
28961 (JSC::arrayProtoFuncSplice):
28962 (JSC::arrayProtoFuncUnShift):
28963 * runtime/CommonSlowPaths.cpp:
28964 (JSC::SLOW_PATH_DECL):
28965 * runtime/Executable.h:
28966 (JSC::ExecutableBase::isFunctionExecutable):
28967 (JSC::ExecutableBase::clearCodeVirtual):
28968 (JSC::ScriptExecutable::unlinkCalls):
28969 * runtime/GetterSetter.cpp:
28970 (JSC::callGetter):
28971 (JSC::callSetter):
28972 * runtime/InitializeThreading.cpp:
28973 * runtime/JSArray.cpp:
28974 (JSC::JSArray::unshiftCountSlowCase):
28975 (JSC::JSArray::setLength):
28976 (JSC::JSArray::pop):
28977 (JSC::JSArray::push):
28978 (JSC::JSArray::shiftCountWithArrayStorage):
28979 (JSC::JSArray::shiftCountWithAnyIndexingType):
28980 (JSC::JSArray::unshiftCountWithArrayStorage):
28981 (JSC::JSArray::unshiftCountWithAnyIndexingType):
28982 (JSC::JSArray::sortNumericVector):
28983 (JSC::JSArray::sortNumeric):
28984 (JSC::JSArray::sortCompactedVector):
28985 (JSC::JSArray::sort):
28986 (JSC::JSArray::sortVector):
28987 (JSC::JSArray::fillArgList):
28988 (JSC::JSArray::copyToArguments):
28989 (JSC::JSArray::compactForSorting):
28990 * runtime/JSCJSValueInlines.h:
28991 (JSC::JSValue::toThis):
28992 (JSC::JSValue::put):
28993 (JSC::JSValue::putByIndex):
28994 (JSC::JSValue::equalSlowCaseInline):
28995 * runtime/JSCell.cpp:
28996 (JSC::JSCell::put):
28997 (JSC::JSCell::putByIndex):
28998 (JSC::JSCell::deleteProperty):
28999 (JSC::JSCell::deletePropertyByIndex):
29000 * runtime/JSCell.h:
29001 (JSC::JSCell::clearStructure):
29002 (JSC::JSCell::mark):
29003 (JSC::JSCell::isMarked):
29004 (JSC::JSCell::structureIDOffset):
29005 (JSC::JSCell::typeInfoFlagsOffset):
29006 (JSC::JSCell::typeInfoTypeOffset):
29007 (JSC::JSCell::indexingTypeOffset):
29008 (JSC::JSCell::gcDataOffset):
29009 * runtime/JSCellInlines.h:
29010 (JSC::JSCell::JSCell):
29011 (JSC::JSCell::finishCreation):
29012 (JSC::JSCell::type):
29013 (JSC::JSCell::indexingType):
29014 (JSC::JSCell::structure):
29015 (JSC::JSCell::visitChildren):
29016 (JSC::JSCell::isObject):
29017 (JSC::JSCell::isString):
29018 (JSC::JSCell::isGetterSetter):
29019 (JSC::JSCell::isProxy):
29020 (JSC::JSCell::isAPIValueWrapper):
29021 (JSC::JSCell::setStructure):
29022 (JSC::JSCell::methodTable):
29023 (JSC::Heap::writeBarrier):
29024 * runtime/JSDataView.cpp:
29025 (JSC::JSDataView::createStructure):
29026 * runtime/JSDestructibleObject.h:
29027 (JSC::JSCell::classInfo):
29028 * runtime/JSFunction.cpp:
29029 (JSC::JSFunction::getOwnNonIndexPropertyNames):
29030 (JSC::JSFunction::put):
29031 (JSC::JSFunction::defineOwnProperty):
29032 * runtime/JSGenericTypedArrayView.h:
29033 (JSC::JSGenericTypedArrayView::createStructure):
29034 * runtime/JSObject.cpp:
29035 (JSC::getCallableObjectSlow):
29036 (JSC::JSObject::copyButterfly):
29037 (JSC::JSObject::visitButterfly):
29038 (JSC::JSFinalObject::visitChildren):
29039 (JSC::JSObject::getOwnPropertySlotByIndex):
29040 (JSC::JSObject::put):
29041 (JSC::JSObject::putByIndex):
29042 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
29043 (JSC::JSObject::enterDictionaryIndexingMode):
29044 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
29045 (JSC::JSObject::createInitialIndexedStorage):
29046 (JSC::JSObject::createInitialUndecided):
29047 (JSC::JSObject::createInitialInt32):
29048 (JSC::JSObject::createInitialDouble):
29049 (JSC::JSObject::createInitialContiguous):
29050 (JSC::JSObject::createArrayStorage):
29051 (JSC::JSObject::convertUndecidedToInt32):
29052 (JSC::JSObject::convertUndecidedToDouble):
29053 (JSC::JSObject::convertUndecidedToContiguous):
29054 (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
29055 (JSC::JSObject::convertUndecidedToArrayStorage):
29056 (JSC::JSObject::convertInt32ToDouble):
29057 (JSC::JSObject::convertInt32ToContiguous):
29058 (JSC::JSObject::convertInt32ToArrayStorage):
29059 (JSC::JSObject::genericConvertDoubleToContiguous):
29060 (JSC::JSObject::convertDoubleToArrayStorage):
29061 (JSC::JSObject::convertContiguousToArrayStorage):
29062 (JSC::JSObject::ensureInt32Slow):
29063 (JSC::JSObject::ensureDoubleSlow):
29064 (JSC::JSObject::ensureContiguousSlow):
29065 (JSC::JSObject::ensureArrayStorageSlow):
29066 (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
29067 (JSC::JSObject::switchToSlowPutArrayStorage):
29068 (JSC::JSObject::setPrototype):
29069 (JSC::JSObject::setPrototypeWithCycleCheck):
29070 (JSC::JSObject::putDirectNonIndexAccessor):
29071 (JSC::JSObject::deleteProperty):
29072 (JSC::JSObject::hasOwnProperty):
29073 (JSC::JSObject::deletePropertyByIndex):
29074 (JSC::JSObject::getPrimitiveNumber):
29075 (JSC::JSObject::hasInstance):
29076 (JSC::JSObject::getPropertySpecificValue):
29077 (JSC::JSObject::getPropertyNames):
29078 (JSC::JSObject::getOwnPropertyNames):
29079 (JSC::JSObject::getOwnNonIndexPropertyNames):
29080 (JSC::JSObject::seal):
29081 (JSC::JSObject::freeze):
29082 (JSC::JSObject::preventExtensions):
29083 (JSC::JSObject::reifyStaticFunctionsForDelete):
29084 (JSC::JSObject::removeDirect):
29085 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
29086 (JSC::JSObject::putByIndexBeyondVectorLength):
29087 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
29088 (JSC::JSObject::putDirectIndexBeyondVectorLength):
29089 (JSC::JSObject::getNewVectorLength):
29090 (JSC::JSObject::countElements):
29091 (JSC::JSObject::increaseVectorLength):
29092 (JSC::JSObject::ensureLengthSlow):
29093 (JSC::JSObject::growOutOfLineStorage):
29094 (JSC::JSObject::getOwnPropertyDescriptor):
29095 (JSC::putDescriptor):
29096 (JSC::JSObject::defineOwnNonIndexProperty):
29097 * runtime/JSObject.h:
29098 (JSC::getJSFunction):
29099 (JSC::JSObject::getArrayLength):
29100 (JSC::JSObject::getVectorLength):
29101 (JSC::JSObject::putByIndexInline):
29102 (JSC::JSObject::canGetIndexQuickly):
29103 (JSC::JSObject::getIndexQuickly):
29104 (JSC::JSObject::tryGetIndexQuickly):
29105 (JSC::JSObject::getDirectIndex):
29106 (JSC::JSObject::canSetIndexQuickly):
29107 (JSC::JSObject::canSetIndexQuicklyForPutDirect):
29108 (JSC::JSObject::setIndexQuickly):
29109 (JSC::JSObject::initializeIndex):
29110 (JSC::JSObject::hasSparseMap):
29111 (JSC::JSObject::inSparseIndexingMode):
29112 (JSC::JSObject::getDirect):
29113 (JSC::JSObject::getDirectOffset):
29114 (JSC::JSObject::isSealed):
29115 (JSC::JSObject::isFrozen):
29116 (JSC::JSObject::flattenDictionaryObject):
29117 (JSC::JSObject::ensureInt32):
29118 (JSC::JSObject::ensureDouble):
29119 (JSC::JSObject::ensureContiguous):
29120 (JSC::JSObject::rageEnsureContiguous):
29121 (JSC::JSObject::ensureArrayStorage):
29122 (JSC::JSObject::arrayStorage):
29123 (JSC::JSObject::arrayStorageOrNull):
29124 (JSC::JSObject::ensureLength):
29125 (JSC::JSObject::currentIndexingData):
29126 (JSC::JSObject::getHolyIndexQuickly):
29127 (JSC::JSObject::currentRelevantLength):
29128 (JSC::JSObject::isGlobalObject):
29129 (JSC::JSObject::isVariableObject):
29130 (JSC::JSObject::isStaticScopeObject):
29131 (JSC::JSObject::isNameScopeObject):
29132 (JSC::JSObject::isActivationObject):
29133 (JSC::JSObject::isErrorInstance):
29134 (JSC::JSObject::inlineGetOwnPropertySlot):
29135 (JSC::JSObject::fastGetOwnPropertySlot):
29136 (JSC::JSObject::getPropertySlot):
29137 (JSC::JSObject::putDirectInternal):
29138 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
29139 * runtime/JSPropertyNameIterator.h:
29140 (JSC::JSPropertyNameIterator::createStructure):
29141 * runtime/JSProxy.cpp:
29142 (JSC::JSProxy::getOwnPropertySlot):
29143 (JSC::JSProxy::getOwnPropertySlotByIndex):
29144 (JSC::JSProxy::put):
29145 (JSC::JSProxy::putByIndex):
29146 (JSC::JSProxy::defineOwnProperty):
29147 (JSC::JSProxy::deleteProperty):
29148 (JSC::JSProxy::deletePropertyByIndex):
29149 (JSC::JSProxy::getPropertyNames):
29150 (JSC::JSProxy::getOwnPropertyNames):
29151 * runtime/JSScope.cpp:
29152 (JSC::JSScope::objectAtScope):
29153 * runtime/JSString.h:
29154 (JSC::JSString::createStructure):
29155 (JSC::isJSString):
29156 * runtime/JSType.h:
29157 * runtime/JSTypeInfo.h:
29158 (JSC::TypeInfo::TypeInfo):
29159 (JSC::TypeInfo::isObject):
29160 (JSC::TypeInfo::structureIsImmortal):
29161 (JSC::TypeInfo::zeroedGCDataOffset):
29162 (JSC::TypeInfo::inlineTypeFlags):
29163 * runtime/MapData.h:
29164 * runtime/ObjectConstructor.cpp:
29165 (JSC::objectConstructorGetOwnPropertyNames):
29166 (JSC::objectConstructorKeys):
29167 (JSC::objectConstructorDefineProperty):
29168 (JSC::defineProperties):
29169 (JSC::objectConstructorSeal):
29170 (JSC::objectConstructorFreeze):
29171 (JSC::objectConstructorIsSealed):
29172 (JSC::objectConstructorIsFrozen):
29173 * runtime/ObjectPrototype.cpp:
29174 (JSC::objectProtoFuncDefineGetter):
29175 (JSC::objectProtoFuncDefineSetter):
29176 (JSC::objectProtoFuncToString):
29177 * runtime/Operations.cpp:
29178 (JSC::jsTypeStringForValue):
29179 (JSC::jsIsObjectType):
29180 * runtime/Operations.h:
29181 (JSC::normalizePrototypeChainForChainAccess):
29182 (JSC::normalizePrototypeChain):
29183 * runtime/PropertyMapHashTable.h:
29184 (JSC::PropertyTable::createStructure):
29185 * runtime/RegExp.h:
29186 (JSC::RegExp::createStructure):
29187 * runtime/SparseArrayValueMap.h:
29188 * runtime/Structure.cpp:
29189 (JSC::Structure::Structure):
29190 (JSC::Structure::~Structure):
29191 (JSC::Structure::prototypeChainMayInterceptStoreTo):
29192 * runtime/Structure.h:
29193 (JSC::Structure::id):
29194 (JSC::Structure::idBlob):
29195 (JSC::Structure::objectInitializationFields):
29196 (JSC::Structure::structureIDOffset):
29197 * runtime/StructureChain.h:
29198 (JSC::StructureChain::createStructure):
29199 * runtime/StructureIDTable.cpp: Added.
29200 (JSC::StructureIDTable::StructureIDTable):
29201 (JSC::StructureIDTable::~StructureIDTable):
29202 (JSC::StructureIDTable::resize):
29203 (JSC::StructureIDTable::flushOldTables):
29204 (JSC::StructureIDTable::allocateID):
29205 (JSC::StructureIDTable::deallocateID):
29206 * runtime/StructureIDTable.h: Added.
29207 (JSC::StructureIDTable::base):
29208 (JSC::StructureIDTable::get):
29209 * runtime/SymbolTable.h:
29210 * runtime/TypedArrayType.cpp:
29211 (JSC::typeForTypedArrayType):
29212 * runtime/TypedArrayType.h:
29213 * runtime/WeakMapData.h:
29214
29215 2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
29216
29217 Unconditional logging in compileFTLOSRExit
29218 https://bugs.webkit.org/show_bug.cgi?id=129407
29219
29220 Reviewed by Michael Saboff.
29221
29222 This was causing tests to fail with the FTL enabled.
29223
29224 * ftl/FTLOSRExitCompiler.cpp:
29225 (JSC::FTL::compileFTLOSRExit):
29226
29227 2014-02-26 Oliver Hunt <oliver@apple.com>
29228
29229 Remove unused access types
29230 https://bugs.webkit.org/show_bug.cgi?id=129385
29231
29232 Reviewed by Filip Pizlo.
29233
29234 Remove unused cruft.
29235
29236 * bytecode/CodeBlock.cpp:
29237 (JSC::CodeBlock::printGetByIdCacheStatus):
29238 * bytecode/StructureStubInfo.cpp:
29239 (JSC::StructureStubInfo::deref):
29240 * bytecode/StructureStubInfo.h:
29241 (JSC::isGetByIdAccess):
29242 (JSC::isPutByIdAccess):
29243
29244 2014-02-26 Oliver Hunt <oliver@apple.com>
29245
29246 Function.prototype.apply has a bad time with the spread operator
29247 https://bugs.webkit.org/show_bug.cgi?id=129381
29248
29249 Reviewed by Mark Hahnenberg.
29250
29251 Make sure our apply logic handles the spread operator correctly.
29252 To do this we simply emit the enumeration logic that we'd normally
29253 use for other enumerations, but only store the first two results
29254 to registers. Then perform a varargs call.
29255
29256 * bytecompiler/NodesCodegen.cpp:
29257 (JSC::ApplyFunctionCallDotNode::emitBytecode):
29258
29259 2014-02-26 Mark Lam <mark.lam@apple.com>
29260
29261 Compilation policy management belongs in operationOptimize(), not the DFG Driver.
29262 <https://webkit.org/b/129355>
29263
29264 Reviewed by Filip Pizlo.
29265
29266 By compilation policy, I mean the rules for determining whether to
29267 compile, when to compile, when to attempt compilation again, etc. The
29268 few of these policy decisions that were previously being made in the
29269 DFG driver are now moved to operationOptimize() where we keep the rest
29270 of the policy logic. Decisions that are based on the capabilities
29271 supported by the DFG are moved to DFG capabilityLevel().
29272
29273 I've run the following benchmarks:
29274 1. the collection of jsc benchmarks on the jsc executable vs. its
29275 baseline.
29276 2. Octane 2.0 in browser without the WebInspector.
29277 3. Octane 2.0 in browser with the WebInspector open and a breakpoint
29278 set somewhere where it won't break.
29279
29280 In all of these, the results came out to be a wash as expected.
29281
29282 * dfg/DFGCapabilities.cpp:
29283 (JSC::DFG::isSupported):
29284 (JSC::DFG::mightCompileEval):
29285 (JSC::DFG::mightCompileProgram):
29286 (JSC::DFG::mightCompileFunctionForCall):
29287 (JSC::DFG::mightCompileFunctionForConstruct):
29288 (JSC::DFG::mightInlineFunctionForCall):
29289 (JSC::DFG::mightInlineFunctionForClosureCall):
29290 (JSC::DFG::mightInlineFunctionForConstruct):
29291 * dfg/DFGCapabilities.h:
29292 * dfg/DFGDriver.cpp:
29293 (JSC::DFG::compileImpl):
29294 * jit/JITOperations.cpp:
29295
29296 2014-02-26 Mark Lam <mark.lam@apple.com>
29297
29298 ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
29299 <https://webkit.org/b/129364>
29300
29301 Reviewed by Alexey Proskuryakov.
29302
29303 InjectedScriptModule::ensureInjected() needs an APIEntryShim.
29304
29305 * inspector/InjectedScriptModule.cpp:
29306 (Inspector::InjectedScriptModule::ensureInjected):
29307 - Added the needed but missing APIEntryShim.
29308
29309 2014-02-25 Mark Lam <mark.lam@apple.com>
29310
29311 Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
29312 <https://webkit.org/b/128766>
29313
29314 Reviewed by Geoffrey Garen.
29315
29316 Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
29317 The reasoning is that we don't know of any clients that need unordered
29318 re-entry into the VM from different threads. So, we're enforcing ordered
29319 re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
29320
29321 The crash in this bug happened because we were allowing unordered re-entry,
29322 and the following type of scenario occurred:
29323
29324 1. Thread T1 locks the VM, and enters the VM to execute some JS code.
29325 2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
29326 first time it entered the VM.
29327 T1 sets VM::m_entryScope to T1's entryScope.
29328 3. T1 drops all locks.
29329
29330 4. Thread T2 locks the VM, and enters the VM to execute some JS code.
29331 On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
29332 does not set the entryScope.
29333 5. T2 drops all locks.
29334
29335 6. T1 re-grabs locks.
29336 7. T1 returns all the way out of JS code. On exit from the outermost
29337 JS function, T1 clears VM::m_entryScope (because T1 was the one who
29338 set it).
29339 8. T1 unlocks the VM.
29340
29341 9. T2 re-grabs locks.
29342 10. T2 proceeds to execute some code and expects VM::m_entryScope to be
29343 NOT null, but it turns out to be null. Assertion failures and
29344 crashes ensue.
29345
29346 With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
29347 the VM. Hence, the issue will no longer manifest.
29348
29349 * runtime/JSLock.cpp:
29350 (JSC::JSLock::dropAllLocks):
29351 (JSC::JSLock::grabAllLocks):
29352 * runtime/JSLock.h:
29353 (JSC::JSLock::DropAllLocks::dropDepth):
29354
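The ten-step scenario above, as an added model that is not JavaScriptCore's own code: a deterministic two-thread simulation in which each thread locks the VM, enters it, drops the lock, re-grabs it and leaves. `ToyVM`, the step scripts and the scheduler are illustrative names, and the drop-depth bookkeeping is an assumption about one way to enforce "re-grab in the reverse order of dropping"; the entry itself only names `DropAllLocks::dropDepth`. With unordered re-entry the interleaving from the entry leaves T2 looking at a null `m_entryScope`; with ordered re-entry T1's re-grab yields until T2 has re-grabbed and left.

```python
"""Toy model of the JSLock drop/re-grab race (webkit.org/b/128766).
Added illustration, not JavaScriptCore code: the drop-depth rule below is
an assumed way of enforcing ordered re-entry."""
from collections import deque


class ToyVM:
    """Models the VM lock, VM::m_entryScope and the DropAllLocks depth."""

    def __init__(self, ordered):
        self.ordered = ordered        # False reproduces the bug (unordered re-entry)
        self.owner = None             # thread currently holding the VM lock
        self.entry_scope = None       # VM::m_entryScope: set by the first entrant
        self.drop_depth = 0           # outstanding DropAllLocks (assumed bookkeeping)
        self.trace = []

    def lock(self, t):
        if self.owner is not None:
            return False              # would block on the current holder
        self.owner = t
        return True

    def unlock(self, t):
        assert self.owner == t
        self.owner = None

    def drop_all_locks(self, t):
        depth = self.drop_depth       # DropAllLocks::dropDepth for this dropper
        self.drop_depth += 1
        self.unlock(t)
        return depth

    def grab_all_locks(self, t, depth):
        if self.owner is not None:
            return False
        # Ordered re-entry: only the most recent dropper may re-grab; any
        # earlier dropper loops and yields (modelled as "not yet").
        if self.ordered and depth != self.drop_depth - 1:
            return False
        self.drop_depth -= 1
        self.owner = t
        return True


def thread_steps(use_vm):
    """Script for one thread; use_vm adds the step that relies on m_entryScope."""
    def lock(vm, t, st):
        return vm.lock(t)

    def enter(vm, t, st):
        st["owns_scope"] = vm.entry_scope is None   # first entrant owns the scope
        if st["owns_scope"]:
            vm.entry_scope = t
        return True

    def drop(vm, t, st):
        st["depth"] = vm.drop_all_locks(t)
        return True

    def grab(vm, t, st):
        return vm.grab_all_locks(t, st["depth"])

    def use(vm, t, st):
        # Code after re-grab expects m_entryScope to be non-null (the ASSERT).
        st["saw_null_scope"] = vm.entry_scope is None
        return True

    def leave(vm, t, st):
        if st["owns_scope"]:
            vm.entry_scope = None     # the outermost exit clears the scope
        vm.unlock(t)
        return True

    return deque([lock, enter, drop, grab] + ([use] if use_vm else []) + [leave])


# Steps 1-10 of the entry: T1 enters and drops, T2 enters and drops,
# T1 re-grabs and leaves, then T2 re-grabs and uses the VM.
BUGGY_INTERLEAVING = ["T1", "T1", "T1", "T2", "T2", "T2", "T1", "T1", "T2", "T2", "T2"]


def simulate(ordered, interleaving=BUGGY_INTERLEAVING):
    """Return (T2 observed a null m_entryScope?, executed step trace)."""
    vm = ToyVM(ordered)
    pending = {"T1": thread_steps(use_vm=False), "T2": thread_steps(use_vm=True)}
    state = {"T1": {}, "T2": {}}
    order = deque(interleaving)
    while any(pending.values()):
        wanted = order.popleft() if order else "T1"
        for t in [wanted] + [x for x in pending if x != wanted]:
            if pending[t] and pending[t][0](vm, t, state[t]):
                vm.trace.append(f"{t}:{pending[t][0].__name__}")
                pending[t].popleft()
                break                 # a blocked thread lets the other run
        else:
            raise RuntimeError("deadlock: no thread can make progress")
    return state["T2"].get("saw_null_scope", False), vm.trace


if __name__ == "__main__":
    for ordered in (False, True):
        crashed, trace = simulate(ordered)
        print("ordered" if ordered else "unordered", "->",
              "ASSERT(m_entryScope) would fail" if crashed else "ok")
        print("  " + " ".join(trace))
```

The unordered run reproduces steps 6 to 10 exactly: T1 re-grabs first, clears the scope it set, and T2 then runs with a null `m_entryScope`. In the ordered run T1's re-grab is refused at step 6 and the scheduler runs T2 instead, so T2 re-grabs, uses the VM and leaves before T1 gets the lock back.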
29355 2014-02-25 Mark Lam <mark.lam@apple.com>
29356
29357 Need to initialize VM stack data even when the VM is on an exclusive thread.
29358 <https://webkit.org/b/129265>
29359
29360 Not reviewed.
29361
29362 Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
29363
29364 * API/APIShims.h:
29365 (JSC::APIEntryShim::APIEntryShim):
29366 (JSC::APICallbackShim::shouldDropAllLocks):
29367 * heap/MachineStackMarker.cpp:
29368 (JSC::MachineThreads::addCurrentThread):
29369 * runtime/JSLock.cpp:
29370 (JSC::JSLockHolder::JSLockHolder):
29371 (JSC::JSLockHolder::init):
29372 (JSC::JSLockHolder::~JSLockHolder):
29373 (JSC::JSLock::JSLock):
29374 (JSC::JSLock::setExclusiveThread):
29375 (JSC::JSLock::lock):
29376 (JSC::JSLock::unlock):
29377 (JSC::JSLock::currentThreadIsHoldingLock):
29378 (JSC::JSLock::dropAllLocks):
29379 (JSC::JSLock::grabAllLocks):
29380 * runtime/JSLock.h:
29381 (JSC::JSLock::hasExclusiveThread):
29382 (JSC::JSLock::exclusiveThread):
29383 * runtime/VM.cpp:
29384 (JSC::VM::VM):
29385 * runtime/VM.h:
29386 (JSC::VM::hasExclusiveThread):
29387 (JSC::VM::exclusiveThread):
29388 (JSC::VM::setExclusiveThread):
29389 (JSC::VM::currentThreadIsHoldingAPILock):
29390
29391 2014-02-25 Filip Pizlo <fpizlo@apple.com>
29392
29393 Inline caching in the FTL on ARM64 should "work"
29394 https://bugs.webkit.org/show_bug.cgi?id=129334
29395
29396 Reviewed by Mark Hahnenberg.
29397
29398 Gets us to the point where simple tests that use inline caching are passing.
29399
29400 * assembler/LinkBuffer.cpp:
29401 (JSC::LinkBuffer::copyCompactAndLinkCode):
29402 (JSC::LinkBuffer::shrink):
29403 * ftl/FTLInlineCacheSize.cpp:
29404 (JSC::FTL::sizeOfGetById):
29405 (JSC::FTL::sizeOfPutById):
29406 (JSC::FTL::sizeOfCall):
29407 * ftl/FTLOSRExitCompiler.cpp:
29408 (JSC::FTL::compileFTLOSRExit):
29409 * ftl/FTLThunks.cpp:
29410 (JSC::FTL::osrExitGenerationThunkGenerator):
29411 * jit/GPRInfo.h:
29412 * offlineasm/arm64.rb:
29413
29414 2014-02-25 Commit Queue <commit-queue@webkit.org>
29415
29416 Unreviewed, rolling out r164627.
29417 http://trac.webkit.org/changeset/164627
29418 https://bugs.webkit.org/show_bug.cgi?id=129325
29419
29420 Broke SubtleCrypto tests (Requested by ap on #webkit).
29421
29422 * API/APIShims.h:
29423 (JSC::APIEntryShim::APIEntryShim):
29424 (JSC::APICallbackShim::shouldDropAllLocks):
29425 * heap/MachineStackMarker.cpp:
29426 (JSC::MachineThreads::addCurrentThread):
29427 * runtime/JSLock.cpp:
29428 (JSC::JSLockHolder::JSLockHolder):
29429 (JSC::JSLockHolder::init):
29430 (JSC::JSLockHolder::~JSLockHolder):
29431 (JSC::JSLock::JSLock):
29432 (JSC::JSLock::lock):
29433 (JSC::JSLock::unlock):
29434 (JSC::JSLock::currentThreadIsHoldingLock):
29435 (JSC::JSLock::dropAllLocks):
29436 (JSC::JSLock::grabAllLocks):
29437 * runtime/JSLock.h:
29438 * runtime/VM.cpp:
29439 (JSC::VM::VM):
29440 * runtime/VM.h:
29441 (JSC::VM::currentThreadIsHoldingAPILock):
29442
29443 2014-02-25 Filip Pizlo <fpizlo@apple.com>
29444
29445 ARM64 rshift64 should be an arithmetic shift
29446 https://bugs.webkit.org/show_bug.cgi?id=129323
29447
29448 Reviewed by Mark Hahnenberg.
29449
29450 * assembler/MacroAssemblerARM64.h:
29451 (JSC::MacroAssemblerARM64::rshift64):
29452
29453 2014-02-25 Sergio Villar Senin <svillar@igalia.com>
29454
29455 [CSS Grid Layout] Add ENABLE flag
29456 https://bugs.webkit.org/show_bug.cgi?id=129153
29457
29458 Reviewed by Simon Fraser.
29459
29460 * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
29461
29462 2014-02-25 Michael Saboff <msaboff@apple.com>
29463
29464 JIT Engines use the wrong stack limit for stack checks
29465 https://bugs.webkit.org/show_bug.cgi?id=129314
29466
29467 Reviewed by Filip Pizlo.
29468
29469 Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
29470
29471 * dfg/DFGJITCompiler.cpp:
29472 (JSC::DFG::JITCompiler::compileFunction):
29473 * jit/JIT.cpp:
29474 (JSC::JIT::privateCompile):
29475 * jit/JITCall.cpp:
29476 (JSC::JIT::compileLoadVarargs):
29477 * jit/JITCall32_64.cpp:
29478 (JSC::JIT::compileLoadVarargs):
29479 * runtime/VM.h:
29480 (JSC::VM::addressOfStackLimit):
29481
29482 2014-02-25 Filip Pizlo <fpizlo@apple.com>
29483
29484 Unreviewed, roll out http://trac.webkit.org/changeset/164493.
29485
29486 It causes crashes, apparently because it's removing too many barriers. I will investigate
29487 later.
29488
29489 * bytecode/SpeculatedType.cpp:
29490 (JSC::speculationToAbbreviatedString):
29491 * bytecode/SpeculatedType.h:
29492 * dfg/DFGFixupPhase.cpp:
29493 (JSC::DFG::FixupPhase::fixupNode):
29494 (JSC::DFG::FixupPhase::insertStoreBarrier):
29495 * dfg/DFGNode.h:
29496 * ftl/FTLCapabilities.cpp:
29497 (JSC::FTL::canCompile):
29498 * ftl/FTLLowerDFGToLLVM.cpp:
29499 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
29500 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
29501 (JSC::FTL::LowerDFGToLLVM::isNotNully):
29502 (JSC::FTL::LowerDFGToLLVM::isNully):
29503 (JSC::FTL::LowerDFGToLLVM::speculate):
29504 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
29505 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
29506
29507 2014-02-24 Oliver Hunt <oliver@apple.com>
29508
29509 Fix build.
29510
29511 * jit/CCallHelpers.h:
29512 (JSC::CCallHelpers::setupArgumentsWithExecState):
29513
29514 2014-02-24 Oliver Hunt <oliver@apple.com>
29515
29516 Spread operator has a bad time when applied to call function
29517 https://bugs.webkit.org/show_bug.cgi?id=128853
29518
29519 Reviewed by Geoffrey Garen.
29520
29521 Follow on from the previous patch that added an extra slot to
29522 op_call_varargs (and _call, _call_eval, _construct). We now
29523 use the slot as an offset to in effect act as a 'slice' on
29524 the spread subject. This allows us to automatically retain
29525 all our existing argument and array optimisations. Most of
29526 this patch is simply threading the offset around.
29527
29528 * bytecode/CodeBlock.cpp:
29529 (JSC::CodeBlock::dumpBytecode):
29530 * bytecompiler/BytecodeGenerator.cpp:
29531 (JSC::BytecodeGenerator::emitCall):
29532 (JSC::BytecodeGenerator::emitCallVarargs):
29533 * bytecompiler/BytecodeGenerator.h:
29534 * bytecompiler/NodesCodegen.cpp:
29535 (JSC::getArgumentByVal):
29536 (JSC::CallFunctionCallDotNode::emitBytecode):
29537 (JSC::ApplyFunctionCallDotNode::emitBytecode):
29538 * interpreter/Interpreter.cpp:
29539 (JSC::sizeFrameForVarargs):
29540 (JSC::loadVarargs):
29541 * interpreter/Interpreter.h:
29542 * jit/CCallHelpers.h:
29543 (JSC::CCallHelpers::setupArgumentsWithExecState):
29544 * jit/JIT.h:
29545 * jit/JITCall.cpp:
29546 (JSC::JIT::compileLoadVarargs):
29547 * jit/JITInlines.h:
29548 (JSC::JIT::callOperation):
29549 * jit/JITOperations.cpp:
29550 * jit/JITOperations.h:
29551 * llint/LLIntSlowPaths.cpp:
29552 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
29553 * runtime/Arguments.cpp:
29554 (JSC::Arguments::copyToArguments):
29555 * runtime/Arguments.h:
29556 * runtime/JSArray.cpp:
29557 (JSC::JSArray::copyToArguments):
29558 * runtime/JSArray.h:
29559
29560 2014-02-24 Mark Lam <mark.lam@apple.com>
29561
29562 Need to initialize VM stack data even when the VM is on an exclusive thread.
29563 <https://webkit.org/b/129265>
29564
29565 Reviewed by Geoffrey Garen.
29566
29567 We check VM::exclusiveThread as an optimization to forego the need to do
29568 JSLock locking. However, we recently started piggybacking on JSLock's
29569 lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
29570 and lastStackTop) to appropriate values for the current thread. This is
29571 needed because we may be acquiring the lock to enter the VM on a different
29572 thread.
29573
29574 As a result, we ended up not initializing the VM stack data when
29575 VM::exclusiveThread causes us to bypass the locking activity. Even though
29576 the VM::exclusiveThread will not have to deal with the VM being entered
29577 on a different thread, it still needs to initialize the VM stack data.
29578 The VM relies on that data being initialized properly once it has been
29579 entered.
29580
29581 With this fix, we push the check for exclusiveThread down into the JSLock,
29582 and handle the bypassing of unneeded locking activity there while still
29583 executing the necessary VM stack data initialization.
29584
29585 * API/APIShims.h:
29586 (JSC::APIEntryShim::APIEntryShim):
29587 (JSC::APICallbackShim::shouldDropAllLocks):
29588 * heap/MachineStackMarker.cpp:
29589 (JSC::MachineThreads::addCurrentThread):
29590 * runtime/JSLock.cpp:
29591 (JSC::JSLockHolder::JSLockHolder):
29592 (JSC::JSLockHolder::init):
29593 (JSC::JSLockHolder::~JSLockHolder):
29594 (JSC::JSLock::JSLock):
29595 (JSC::JSLock::setExclusiveThread):
29596 (JSC::JSLock::lock):
29597 (JSLock::unlock):
29598 (JSLock::currentThreadIsHoldingLock):
29599 (JSLock::dropAllLocks):
29600 (JSLock::grabAllLocks):
29601 * runtime/JSLock.h:
29602 (JSC::JSLock::exclusiveThread):
29603 * runtime/VM.cpp:
29604 (JSC::VM::VM):
29605 * runtime/VM.h:
29606 (JSC::VM::exclusiveThread):
29607 (JSC::VM::setExclusiveThread):
29608 (JSC::VM::currentThreadIsHoldingAPILock):
29609
29610 2014-02-24 Filip Pizlo <fpizlo@apple.com>
29611
29612 FTL should do polymorphic PutById inlining
29613 https://bugs.webkit.org/show_bug.cgi?id=129210
29614
29615 Reviewed by Mark Hahnenberg and Oliver Hunt.
29616
29617 This makes PutByIdStatus inform us about polymorphic cases by returning an array of
29618 PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
29619 selection of multiple inlined PutByIdVariants.
29620
29621 MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
29622 http://trac.webkit.org/changeset/164207.
29623
29624 This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
29625 that generate similar code.
29626
29627 1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
29628 sometimes swaps field insertion order, creating fake polymorphism.
29629
29630 * CMakeLists.txt:
29631 * GNUmakefile.list.am:
29632 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
29633 * JavaScriptCore.xcodeproj/project.pbxproj:
29634 * bytecode/PutByIdStatus.cpp:
29635 (JSC::PutByIdStatus::computeFromLLInt):
29636 (JSC::PutByIdStatus::computeFor):
29637 (JSC::PutByIdStatus::computeForStubInfo):
29638 (JSC::PutByIdStatus::dump):
29639 * bytecode/PutByIdStatus.h:
29640 (JSC::PutByIdStatus::PutByIdStatus):
29641 (JSC::PutByIdStatus::isSimple):
29642 (JSC::PutByIdStatus::numVariants):
29643 (JSC::PutByIdStatus::variants):
29644 (JSC::PutByIdStatus::at):
29645 (JSC::PutByIdStatus::operator[]):
29646 * bytecode/PutByIdVariant.cpp: Added.
29647 (JSC::PutByIdVariant::dump):
29648 (JSC::PutByIdVariant::dumpInContext):
29649 * bytecode/PutByIdVariant.h: Added.
29650 (JSC::PutByIdVariant::PutByIdVariant):
29651 (JSC::PutByIdVariant::replace):
29652 (JSC::PutByIdVariant::transition):
29653 (JSC::PutByIdVariant::kind):
29654 (JSC::PutByIdVariant::isSet):
29655 (JSC::PutByIdVariant::operator!):
29656 (JSC::PutByIdVariant::structure):
29657 (JSC::PutByIdVariant::oldStructure):
29658 (JSC::PutByIdVariant::newStructure):
29659 (JSC::PutByIdVariant::structureChain):
29660 (JSC::PutByIdVariant::offset):
29661 * dfg/DFGAbstractInterpreterInlines.h:
29662 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
29663 * dfg/DFGByteCodeParser.cpp:
29664 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
29665 (JSC::DFG::ByteCodeParser::handleGetById):
29666 (JSC::DFG::ByteCodeParser::emitPutById):
29667 (JSC::DFG::ByteCodeParser::handlePutById):
29668 (JSC::DFG::ByteCodeParser::parseBlock):
29669 * dfg/DFGCSEPhase.cpp:
29670 (JSC::DFG::CSEPhase::checkStructureElimination):
29671 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
29672 (JSC::DFG::CSEPhase::putStructureStoreElimination):
29673 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
29674 (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
29675 * dfg/DFGClobberize.h:
29676 (JSC::DFG::clobberize):
29677 * dfg/DFGConstantFoldingPhase.cpp:
29678 (JSC::DFG::ConstantFoldingPhase::foldConstants):
29679 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
29680 * dfg/DFGFixupPhase.cpp:
29681 (JSC::DFG::FixupPhase::fixupNode):
29682 * dfg/DFGGraph.cpp:
29683 (JSC::DFG::Graph::dump):
29684 * dfg/DFGGraph.h:
29685 * dfg/DFGNode.cpp:
29686 (JSC::DFG::MultiPutByOffsetData::writesStructures):
29687 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
29688 * dfg/DFGNode.h:
29689 (JSC::DFG::Node::convertToPutByOffset):
29690 (JSC::DFG::Node::hasMultiPutByOffsetData):
29691 (JSC::DFG::Node::multiPutByOffsetData):
29692 * dfg/DFGNodeType.h:
29693 * dfg/DFGPredictionPropagationPhase.cpp:
29694 (JSC::DFG::PredictionPropagationPhase::propagate):
29695 * dfg/DFGSafeToExecute.h:
29696 (JSC::DFG::safeToExecute):
29697 * dfg/DFGSpeculativeJIT32_64.cpp:
29698 (JSC::DFG::SpeculativeJIT::compile):
29699 * dfg/DFGSpeculativeJIT64.cpp:
29700 (JSC::DFG::SpeculativeJIT::compile):
29701 * dfg/DFGTypeCheckHoistingPhase.cpp:
29702 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
29703 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
29704 * ftl/FTLCapabilities.cpp:
29705 (JSC::FTL::canCompile):
29706 * ftl/FTLLowerDFGToLLVM.cpp:
29707 (JSC::FTL::LowerDFGToLLVM::compileNode):
29708 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
29709 (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
29710 (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
29711 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
29712 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
29713 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
29714 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
29715 (JSC::FTL::LowerDFGToLLVM::loadProperty):
29716 (JSC::FTL::LowerDFGToLLVM::storeProperty):
29717 (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
29718 (JSC::FTL::LowerDFGToLLVM::storageForTransition):
29719 (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
29720 (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
29721 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
29722 * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
29723 * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
29724 * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
29725
29726 2014-02-24 peavo@outlook.com <peavo@outlook.com>
29727
29728 JSC regressions after r164494
29729 https://bugs.webkit.org/show_bug.cgi?id=129272
29730
29731 Reviewed by Mark Lam.
29732
29733 * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
29734
29735 2014-02-24 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
29736
29737 Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
29738 https://bugs.webkit.org/show_bug.cgi?id=129255
29739
29740 Reviewed by Csaba Osztrogonác.
29741
29742 ENABLE_WORKERS macro was removed in r159679.
29743 Support is now also removed from xcconfig files.
29744
29745 * Configurations/FeatureDefines.xcconfig:
29746
29747 2014-02-24 David Kilzer <ddkilzer@apple.com>
29748
29749 Remove redundant setting in FeatureDefines.xcconfig
29750
29751 * Configurations/FeatureDefines.xcconfig:
29752
29753 2014-02-23 Sam Weinig <sam@webkit.org>
29754
29755 Update FeatureDefines.xcconfig
29756
29757 Rubber-stamped by Anders Carlsson.
29758
29759 * Configurations/FeatureDefines.xcconfig:
29760
29761 2014-02-23 Dean Jackson <dino@apple.com>
29762
29763 Sort the project file with sort-Xcode-project-file.
29764
29765 Rubber-stamped by Sam Weinig.
29766
29767 * JavaScriptCore.xcodeproj/project.pbxproj:
29768
29769 2014-02-23 Sam Weinig <sam@webkit.org>
29770
29771 Move telephone number detection behind its own ENABLE macro
29772 https://bugs.webkit.org/show_bug.cgi?id=129236
29773
29774 Reviewed by Dean Jackson.
29775
29776 * Configurations/FeatureDefines.xcconfig:
29777 Add ENABLE_TELEPHONE_NUMBER_DETECTION.
29778
29779 2014-02-22 Filip Pizlo <fpizlo@apple.com>
29780
29781 Refine DFG+FTL inlining and compilation limits
29782 https://bugs.webkit.org/show_bug.cgi?id=129212
29783
29784 Reviewed by Mark Hahnenberg.
29785
29786 Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
29787 and set that limit quite high. Institute a limit on inlining-into. The idea here is
29788 that large functions tend to be autogenerated, and code generators like emscripten
29789 appear to leave few inlining opportunities anyway. Also, we don't want the code
29790 size explosion that we would risk if we allowed compilation of a large function and
29791 then inlined a ton of stuff into it.
29792
29793 This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
29794 regression. This is a 9% speed-up on AsmBench.
29795
29796 * bytecode/CodeBlock.cpp:
29797 (JSC::CodeBlock::noticeIncomingCall):
29798 * dfg/DFGByteCodeParser.cpp:
29799 (JSC::DFG::ByteCodeParser::handleInlining):
29800 * dfg/DFGCapabilities.h:
29801 (JSC::DFG::isSmallEnoughToInlineCodeInto):
29802 * ftl/FTLCapabilities.cpp:
29803 (JSC::FTL::canCompile):
29804 * ftl/FTLState.h:
29805 (JSC::FTL::shouldShowDisassembly):
29806 * runtime/Options.h:
29807
29808 2014-02-22 Dan Bernstein <mitz@apple.com>
29809
29810 REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
29811 https://bugs.webkit.org/show_bug.cgi?id=129227
29812
29813 Reviewed by Eric Carlson.
29814
29815 Reverted r164507.
29816
29817 * API/JSBase.cpp:
29818 (JSEvaluateScript):
29819 (JSCheckScriptSyntax):
29820 * API/JSObjectRef.cpp:
29821 (JSObjectMakeFunction):
29822 (JSObjectMakeArray):
29823 (JSObjectMakeDate):
29824 (JSObjectMakeError):
29825 (JSObjectMakeRegExp):
29826 (JSObjectGetProperty):
29827 (JSObjectSetProperty):
29828 (JSObjectGetPropertyAtIndex):
29829 (JSObjectSetPropertyAtIndex):
29830 (JSObjectDeleteProperty):
29831 (JSObjectCallAsFunction):
29832 (JSObjectCallAsConstructor):
29833 * API/JSValue.mm:
29834 (valueToArray):
29835 (valueToDictionary):
29836 * API/JSValueRef.cpp:
29837 (JSValueIsEqual):
29838 (JSValueIsInstanceOfConstructor):
29839 (JSValueCreateJSONString):
29840 (JSValueToNumber):
29841 (JSValueToStringCopy):
29842 (JSValueToObject):
29843 * inspector/ConsoleMessage.cpp:
29844 (Inspector::ConsoleMessage::ConsoleMessage):
29845 (Inspector::ConsoleMessage::autogenerateMetadata):
29846 * inspector/ConsoleMessage.h:
29847 * inspector/JSGlobalObjectInspectorController.cpp:
29848 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
29849 * inspector/JSGlobalObjectInspectorController.h:
29850 * inspector/ScriptCallStack.cpp:
29851 * inspector/ScriptCallStack.h:
29852 * inspector/ScriptCallStackFactory.cpp:
29853 (Inspector::createScriptCallStack):
29854 (Inspector::createScriptCallStackForConsole):
29855 (Inspector::createScriptCallStackFromException):
29856 * inspector/ScriptCallStackFactory.h:
29857 * inspector/agents/InspectorConsoleAgent.cpp:
29858 (Inspector::InspectorConsoleAgent::enable):
29859 (Inspector::InspectorConsoleAgent::addMessageToConsole):
29860 (Inspector::InspectorConsoleAgent::count):
29861 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
29862 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
29863
29864 2014-02-22 Joseph Pecoraro <pecoraro@apple.com>
29865
29866 Remove some unreachable code (-Wunreachable-code)
29867 https://bugs.webkit.org/show_bug.cgi?id=129220
29868
29869 Reviewed by Eric Carlson.
29870
29871 * API/tests/testapi.c:
29872 (EvilExceptionObject_convertToType):
29873 * disassembler/udis86/udis86_decode.c:
29874 (decode_operand):
29875
29876 2014-02-22 Filip Pizlo <fpizlo@apple.com>
29877
29878 Unreviewed, ARMv7 build fix.
29879
29880 * assembler/ARMv7Assembler.h:
29881
29882 2014-02-21 Filip Pizlo <fpizlo@apple.com>
29883
29884 It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
29885 https://bugs.webkit.org/show_bug.cgi?id=124733
29886
29887 Reviewed by Oliver Hunt.
29888
29889 This also takes the opportunity to de-duplicate some branch compaction code.
29890
29891 * assembler/ARM64Assembler.h:
29892 * assembler/ARMv7Assembler.h:
29893 (JSC::ARMv7Assembler::buffer):
29894 * assembler/AssemblerBuffer.h:
29895 (JSC::AssemblerData::AssemblerData):
29896 (JSC::AssemblerBuffer::AssemblerBuffer):
29897 (JSC::AssemblerBuffer::storage):
29898 (JSC::AssemblerBuffer::grow):
29899 * assembler/LinkBuffer.h:
29900 (JSC::LinkBuffer::LinkBuffer):
29901 (JSC::LinkBuffer::executableOffsetFor):
29902 (JSC::LinkBuffer::applyOffset):
29903 * assembler/MacroAssemblerARM64.h:
29904 (JSC::MacroAssemblerARM64::link):
29905 * assembler/MacroAssemblerARMv7.h:
29906
29907 2014-02-21 Brent Fulgham <bfulgham@apple.com>
29908
29909 Extend media support for WebVTT sources
29910 https://bugs.webkit.org/show_bug.cgi?id=129156
29911
29912 Reviewed by Eric Carlson.
29913
29914 * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
29915
29916 2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
29917
29918 Web Inspector: JSContext inspection should report exceptions in the console
29919 https://bugs.webkit.org/show_bug.cgi?id=128776
29920
29921 Reviewed by Timothy Hatcher.
29922
29923 When JavaScript API functions have an exception, let the inspector
29924 know so it can log the JavaScript and Native backtrace that caused
29925 the exception.
29926
        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-21 Oliver Hunt <oliver@apple.com>

        Add extra space to op_call and related opcodes
        https://bugs.webkit.org/show_bug.cgi?id=129170

        Reviewed by Mark Lam.

        No change in behaviour, just some refactoring to add an extra
        slot to the op_call instructions, and refactoring to make similar
        changes easier in future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-02-21 Mark Lam <mark.lam@apple.com>

        gatherFromOtherThread() needs to align the sp before gathering roots.
        <https://webkit.org/b/129169>

        Reviewed by Geoffrey Garen.

        The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
        gatherFromOtherThread() defines the range of the other thread's stack as
        being bounded by the other thread's stack pointer and stack base. While
        the stack base will always be aligned to sizeof(void*), the stack pointer
        may not be. This is because the other thread may have just pushed a 32-bit
        value on its stack before we suspended it for scanning.

        The fix is to round the stack pointer up to the next aligned address of
        sizeof(void*) and start scanning from there. On 64-bit systems, we will
        effectively ignore the 32-bit word at the bottom of the stack (top of the
        stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
        64-bit pointers should always be stored on 64-bit aligned boundaries (our
        conservative scan algorithm already depends on this assumption).

        On 32-bit systems, the rounding is effectively a no-op.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddSpan):
        - Hardened some assertions so that we can catch misalignment issues on
        release builds as well.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromOtherThread):

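As an added illustration of the fix described in the entry above (this is not JavaScriptCore's own code): roundUpToPointerAlignment moves a suspended thread's stack pointer up to the next sizeof(void*) boundary, conservativelyScanSpan refuses a misaligned or inverted span (the release-build counterpart of the hardened assertions in genericAddSpan) and records every pointer-sized word that falls inside a heap range, and gatherFromStack combines the two the way gatherFromOtherThread() is described as doing. HeapRange, the range predicate and the four-word demo stack are constructed stand-ins for the real heap and thread stack; every name here is an assumption.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round an address up to the next sizeof(void*) boundary. A stack pointer
 * that is only 4-byte aligned (a 32-bit push on a 64-bit thread) moves past
 * that half-word; an already-aligned address is unchanged. On a 32-bit
 * target sizeof(void*) is 4, so the rounding is a no-op there. */
static uintptr_t roundUpToPointerAlignment(uintptr_t address)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (address + mask) & ~mask;
}

/* Hypothetical stand-in for the real heap: a word is a candidate root if it
 * falls inside one contiguous address range. */
typedef struct {
    uintptr_t begin;
    uintptr_t end;
} HeapRange;

static bool looksLikeHeapPointer(const HeapRange* heap, uintptr_t word)
{
    return word >= heap->begin && word < heap->end;
}

/* Conservative scan of [begin, end): every pointer-sized word that lies in
 * the heap range is recorded in `found` (up to `capacity` entries). The
 * alignment checks are kept in release builds too, mirroring the hardened
 * assertions: a misaligned span is refused instead of being read through
 * misaligned loads. Returns the candidate count, or (size_t)-1 on a bad span. */
static size_t conservativelyScanSpan(uintptr_t begin, uintptr_t end,
                                     const HeapRange* heap,
                                     uintptr_t* found, size_t capacity)
{
    const uintptr_t mask = sizeof(void*) - 1;
    if ((begin & mask) != 0 || (end & mask) != 0 || begin > end)
        return (size_t)-1;

    size_t count = 0;
    for (uintptr_t p = begin; p < end; p += sizeof(void*)) {
        uintptr_t word = *(const uintptr_t*)p;
        if (looksLikeHeapPointer(heap, word)) {
            if (count < capacity)
                found[count] = word;
            count++;
        }
    }
    return count;
}

/* Model of gatherFromOtherThread(): the suspended thread's sp may be
 * misaligned, so round it up before handing the span to the scanner. */
static size_t gatherFromStack(uintptr_t sp, uintptr_t stackBase,
                              const HeapRange* heap,
                              uintptr_t* found, size_t capacity)
{
    return conservativelyScanSpan(roundUpToPointerAlignment(sp), stackBase,
                                  heap, found, capacity);
}

/* Constructed demo: a four-word fake stack (stacks grow down, so the base is
 * the high end) and a pretend heap range. Word 0 holds a heap-looking value,
 * but the thread "pushed" a 32-bit value, so sp sits 4 bytes into the array;
 * rounding skips that partial word and two genuine candidates remain. */
static size_t demoGather(void)
{
    HeapRange heap = { 0x10000000u, 0x20000000u };
    uintptr_t fakeStack[4];
    fakeStack[0] = 0x10000040u; /* below the rounded sp: never inspected */
    fakeStack[1] = 0x10001000u; /* candidate */
    fakeStack[2] = 0xdeadbeefu; /* outside the heap range */
    fakeStack[3] = 0x1fff0000u; /* candidate */

    uintptr_t base = (uintptr_t)fakeStack;
    uintptr_t sp = base + 4; /* only 4-byte aligned, like a fresh 32-bit push */
    uintptr_t found[4];
    return gatherFromStack(sp, base + sizeof fakeStack, &heap, found, 4);
}

int main(void)
{
    printf("candidates found: %zu\n", demoGather());
    return 0;
}
```

The point the demo makes is the one the entry relies on: a pointer-sized value can never start at the misaligned address, so the word skipped by rounding cannot have been a root, while the refused-span return shows what the hardened check protects against.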
2014-02-21 Matthew Mirman <mmirman@apple.com>

        Added a GetMyArgumentsLengthSafe and added a speculation check.
        https://bugs.webkit.org/show_bug.cgi?id=129051

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-21 peavo@outlook.com <peavo@outlook.com>

        [Win][LLINT] Many JSC stress test failures.
        https://bugs.webkit.org/show_bug.cgi?id=129155

        Reviewed by Michael Saboff.

        Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
        Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
        E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).

        * offlineasm/x86.rb: Swap operand order on Windows.

2014-02-21 Filip Pizlo <fpizlo@apple.com>

        DFG write barriers should do more speculations
        https://bugs.webkit.org/show_bug.cgi?id=129160

        Reviewed by Mark Hahnenberg.

        Replace ConditionalStoreBarrier with the cheapest speculation that you could do
        instead.

        Minuscule speed-up on some things. It's a decent difference in code size, though.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertPhantomCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateOther):
        (JSC::DFG::Node::shouldSpeculateNotCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-21 Joseph Pecoraro <pecoraro@apple.com>

        Revert r164486, causing a number of test failures.

        Unreviewed rollout.

2014-02-21 Filip Pizlo <fpizlo@apple.com>

        Revive SABI (aka shouldAlwaysBeInlined)
        https://bugs.webkit.org/show_bug.cgi?id=129159

        Reviewed by Mark Hahnenberg.

        This is a small Octane speed-up.

        * jit/Repatch.cpp:
        (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.

2014-02-21 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-20 Anders Carlsson <andersca@apple.com>

        Modernize JSGlobalLock and JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=129105

        Reviewed by Michael Saboff.

        Use std::mutex and std::thread::id where possible.

        * runtime/JSLock.cpp:
        (JSC::GlobalJSLock::GlobalJSLock):
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::GlobalJSLock::initialize):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:

2014-02-20 Mark Lam <mark.lam@apple.com>

        virtualForWithFunction() should not throw an exception with a partially initialized frame.
        <https://webkit.org/b/129134>

        Reviewed by Michael Saboff.

        Currently, when JITOperations.cpp's virtualForWithFunction() fails to
        prepare the callee function for execution, it proceeds to throw the
        exception using the callee frame which is only partially initialized
        thus far. Instead, it should be throwing the exception using the caller
        frame because:
        1. the error happened "in" the caller while preparing the callee for
           execution i.e. the caller frame is the top fully initialized frame
           on the stack.
        2. the callee frame is not fully initialized yet, and the unwind
           mechanism cannot depend on the data in it.

        * jit/JITOperations.cpp:

2014-02-20 Mark Lam <mark.lam@apple.com>

        DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
        <https://webkit.org/b/129131>

        Reviewed by Mark Hahnenberg.

        Currently, DefaultGCActivityCallback::doWork() does not check if the GC
        needs to be deferred before commencing. As a result, the GC may crash
        and/or corrupt data because the VM is not in the consistent state needed
        for the GC to run. With this fix, doWork() now checks if the GC is
        supposed to be deferred and re-schedules if needed. It only commences
        with GC'ing when it's safe to do so.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-20 Geoffrey Garen <ggaren@apple.com>

        Math.imul gives wrong results
        https://bugs.webkit.org/show_bug.cgi?id=126345

        Reviewed by Mark Hahnenberg.

        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
        Instead, take a slow path that will do the right thing.

        * jit/ThunkGenerators.cpp:
        (JSC::imulThunkGenerator):

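The ToInt32 behaviour the entry above appeals to, as an added example that is not JavaScriptCore's thunk code: toInt32 performs the ECMAScript conversion on the raw IEEE-754 bit pattern (NaN and infinities to 0, truncation toward zero, reduction modulo 2^32, reinterpretation as a signed 32-bit value), jsImul applies it to both operands and multiplies modulo 2^32, and buggyImul models the defect described, turning any non-integer double into 0 instead of converting it. decode, DoubleFields and isIntegral are hypothetical helpers written for this illustration; the bit-level approach is chosen so the large-magnitude cases (values at or above 2^32, which ToInt32 maps to their low 32 bits) are visible rather than hidden inside a library call.

```c
#include <math.h> /* only for the NAN macro used in main */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw IEEE-754 fields of a double (hypothetical helper, not JSC code). */
typedef struct {
    int negative;
    int exponent;      /* biased exponent, 0..0x7ff */
    uint64_t fraction; /* 52 fraction bits, without the implicit leading 1 */
} DoubleFields;

static DoubleFields decode(double value)
{
    uint64_t bits;
    memcpy(&bits, &value, sizeof bits);
    DoubleFields f;
    f.negative = (int)(bits >> 63);
    f.exponent = (int)((bits >> 52) & 0x7ff);
    f.fraction = bits & 0xfffffffffffffULL;
    return f;
}

/* ECMAScript ToInt32: NaN and +/-Infinity become 0; otherwise truncate toward
 * zero, reduce modulo 2^32 and reinterpret as int32. With value ==
 * mantissa * 2^shift, a shift of 32 or more means the value is a multiple of
 * 2^32 (result 0); a smaller non-negative shift keeps the low 32 bits of the
 * shifted mantissa; a negative shift drops the fraction bits. */
static int32_t toInt32(double value)
{
    DoubleFields f = decode(value);
    if (f.exponent == 0x7ff || f.exponent == 0)
        return 0; /* NaN, infinities, +/-0 and subnormals (|v| < 1) */

    uint64_t mantissa = f.fraction | (1ULL << 52);
    int shift = f.exponent - 1075; /* 1023 bias plus 52 fraction bits */
    uint32_t low32;
    if (shift >= 32)
        low32 = 0;
    else if (shift >= 0)
        low32 = (uint32_t)((mantissa & 0xffffffffULL) << shift);
    else if (shift > -53)
        low32 = (uint32_t)(mantissa >> -shift);
    else
        low32 = 0; /* |v| < 1 truncates to 0 */

    if (f.negative)
        low32 = 0u - low32; /* (-k) mod 2^32 */
    return (int32_t)low32;
}

/* True when the double holds an integer value; used only to model the bug. */
static int isIntegral(double value)
{
    DoubleFields f = decode(value);
    if (f.exponent == 0x7ff)
        return 0;
    if (f.exponent == 0)
        return f.fraction == 0; /* +/-0 is integral, subnormals are not */
    int fractionBits = 1075 - f.exponent; /* mantissa bits below the binary point */
    if (fractionBits <= 0)
        return 1;
    if (fractionBits > 52)
        return 0;
    return (f.fraction & ((1ULL << fractionBits) - 1)) == 0;
}

/* Math.imul: ToInt32 both operands, multiply modulo 2^32, return as int32. */
static int32_t jsImul(double a, double b)
{
    uint64_t product = (uint64_t)(uint32_t)toInt32(a) * (uint64_t)(uint32_t)toInt32(b);
    return (int32_t)(uint32_t)product;
}

/* Model of the defect the entry describes: a fast path that turns any
 * non-integer double into 0 instead of applying ToInt32 to it. */
static int32_t buggyImul(double a, double b)
{
    int32_t ia = isIntegral(a) ? toInt32(a) : 0;
    int32_t ib = isIntegral(b) ? toInt32(b) : 0;
    return (int32_t)(uint32_t)((uint64_t)(uint32_t)ia * (uint64_t)(uint32_t)ib);
}

int main(void)
{
    printf("Math.imul(2.5, 3): correct %d, buggy %d\n", jsImul(2.5, 3.0), buggyImul(2.5, 3.0));
    printf("ToInt32(1e20) = %d, ToInt32(NaN) = %d\n", toInt32(1e20), toInt32(NAN));
    return 0;
}
```

The two models agree on integer-valued operands, including ones outside the int32 range such as 4294967295 (which ToInt32 maps to -1), and diverge exactly where the entry says the old thunk was wrong: 2.5 must convert to 2, not 0.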
2014-02-20 Filip Pizlo <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.

        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.

        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20 Filip Pizlo <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.

        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==