git.saurik.com Git - apple/javascriptcore.git/blame - ChangeLog
JavaScriptCore-7600.1.4.11.8.tar.gz
[apple/javascriptcore.git] / ChangeLog
2014-09-15  Babak Shafiei  <bshafiei@apple.com>

        <rdar://problem/18327341> Disable Web Timing on this branch.

        Reviewed originally by Sam Weinig.

        Disable:
        - WEB_TIMING

        * Configurations/FeatureDefines.xcconfig:

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge patch for <rdar://problem/17887398>.

    2014-07-30  Filip Pizlo  <fpizlo@apple.com>

            NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
            https://bugs.webkit.org/show_bug.cgi?id=135430

            Reviewed by Mark Hahnenberg.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * tests/stress/new-function-expression-has-structures.js: Added.
            (foo.f):
            (foo.f.prototype.f):
            (foo):

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge r171949.

    2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

            URTBF after r171946 to fix non-Apple builds.

            * bytecode/InlineCallFrameSet.cpp:

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge r171946.

    2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

            CodeBlock fails to visit the Executables of its InlineCallFrames
            https://bugs.webkit.org/show_bug.cgi?id=135471

            Reviewed by Geoffrey Garen.

            CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
            can be prematurely collected and cause crashes.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitStrongReferences):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::visitAggregate):
            * bytecode/InlineCallFrameSet.cpp:
            (JSC::InlineCallFrameSet::visitAggregate):
            * bytecode/InlineCallFrameSet.h:

2014-07-29  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171689. <rdar://problem/17844890>

    2014-07-28  Filip Pizlo  <fpizlo@apple.com>

            Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
            https://bugs.webkit.org/show_bug.cgi?id=135350
            <rdar://problem/17509889>

            Reviewed by Mark Hahnenberg and Oliver Hunt.

            If we have an exiting node that uses a conversion node, then that exiting node
            needs to have a Phantom after it for the original node. But we can't do that
            for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
            * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
            (foo):
            (test):
            * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
            (foo):
            (test):

2014-07-29  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171688. <rdar://problem/17364180>

    2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

            JSContext Inspector: crash when using step-into
            https://bugs.webkit.org/show_bug.cgi?id=135345

            Reviewed by Timothy Hatcher.

            * inspector/agents/InspectorDebuggerAgent.cpp:
            (Inspector::InspectorDebuggerAgent::stepInto):
            Null check m_listener since it may not be set.

2014-07-25  Lucas Forschler  <lforschler@apple.com>

        Merge r171578

    2014-07-24  Brent Fulgham  <bfulgham@apple.com>

            [Win] Correct build order in JavaScriptCore.submit.sln
            https://bugs.webkit.org/show_bug.cgi?id=135282
            <rdar://problem/17805592>

            Unreviewed build fix.

            * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
            such that LLIntDesiredOffset is built prior to the rest of JSC.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171564

    2014-07-24  Mark Lam  <mark.lam@apple.com>

            JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
            <https://webkit.org/b/135258>

            Reviewed by Mark Hahnenberg.

            Where needed, we cache the prototype object pointer in a stack local var.
            This allows it to be scanned by the GC, and hence be kept alive until
            we use it. The constructor object will in turn be kept alive by the
            prototype object.

            Also added some comments to warn against future code additions that could
            regress this issue.

            * API/JSWrapperMap.mm:
            (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
            (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
            (-[JSObjCClassInfo wrapperForObject:]):
            (-[JSObjCClassInfo constructor]):

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171558

    2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>

            JSLock release should only modify the AtomicStringTable if it modified in acquire
            https://bugs.webkit.org/show_bug.cgi?id=135143

            Reviewed by Darin Adler.

            * runtime/JSLock.cpp:
            (JSC::JSLock::JSLock):
            Initialize the member variable to nullptr.

            (JSC::JSLock::willDestroyVM):
            Update style to use nullptr instead of 0.

            (JSC::JSLock::willReleaseLock):
            We should only reset the thread data's atomic string table if
            didAcquireLock changed it. m_entryAtomicStringTable will have
            been set by didAcquireLock if it changed, or nullptr if it didn't.
            This way we are sure we are balanced, regardless of m_vm changes.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171543

    2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>

            Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
            https://bugs.webkit.org/show_bug.cgi?id=135250

            Reviewed by Geoffrey Garen.

            JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
            JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
            chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
            the JSProxy's prototype fixes the issue.

            * API/JSValueRef.cpp:
            (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
            would claim it wasn't of the specified class, even if the target was of the specified class.
            * API/tests/CustomGlobalObjectClassTest.c: Added.
            (jsDoSomething):
            (customGlobalObjectClassTest):
            * API/tests/CustomGlobalObjectClassTest.h: Added.
            * API/tests/testapi.c:
            (assertTrue):
            (main):
            * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
            * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::resetPrototype):

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171395

    2014-07-22  Brent Fulgham  <bfulgham@apple.com>

            Build fix for non-clang compile.

            * jsc.cpp:
            (WTF::RuntimeArray::put): Remove incorrect return statement
            I added.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171393

    2014-07-22  Brent Fulgham  <bfulgham@apple.com>

            Build fix for non-clang compile.

            * jsc.cpp:
            (WTF::RuntimeArray::deleteProperty): Need (fake) return
            value when NO_RETURN_DUE_TO_CRASH is not defined.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171390

    2014-07-22  Mark Lam  <mark.lam@apple.com>

            Array.concat() should work on runtime arrays too.
            <https://webkit.org/b/135179>

            Reviewed by Geoffrey Garen.

            * jsc.cpp:
            (WTF::RuntimeArray::create):
            (WTF::RuntimeArray::~RuntimeArray):
            (WTF::RuntimeArray::destroy):
            (WTF::RuntimeArray::getOwnPropertySlot):
            (WTF::RuntimeArray::getOwnPropertySlotByIndex):
            (WTF::RuntimeArray::put):
            (WTF::RuntimeArray::deleteProperty):
            (WTF::RuntimeArray::getLength):
            (WTF::RuntimeArray::createPrototype):
            (WTF::RuntimeArray::createStructure):
            (WTF::RuntimeArray::finishCreation):
            (WTF::RuntimeArray::RuntimeArray):
            (WTF::RuntimeArray::lengthGetter):
            (GlobalObject::finishCreation):
            (functionCreateRuntimeArray):
            - Added support to create a runtime array for testing purposes.
            * runtime/ArrayPrototype.cpp:
            (JSC::getLength):
            - Added fast case for when the array object is a JSArray.
            (JSC::arrayProtoFuncJoin):
            - Added a needed but missing exception check.
            (JSC::arrayProtoFuncConcat):
            - Use getLength() to compute the array length instead of assuming that
              the array is a JSArray instance.
            * tests/stress/regexp-matches-array.js: Added.
            (testArrayConcat):
            * tests/stress/runtime-array.js: Added.
            (testArrayConcat):

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171328

    2014-07-21  Mark Lam  <mark.lam@apple.com>

            Refactor ArrayPrototype to use getLength() and putLength() utility functions.
            https://bugs.webkit.org/show_bug.cgi?id=135139.

            Reviewed by Oliver Hunt.

            - Specialize putProperty() to putLength() because it is only used for setting
              the length property.
            - Added a getLength() utility function to get the value of the length property.
            - Use these getLength() and putLength() functions instead of the existing code
              to get and put the length property. Less code to read, easier to understand.

            * runtime/ArrayPrototype.cpp:
            (JSC::getLength):
            (JSC::putLength):
            (JSC::arrayProtoFuncToString):
            (JSC::arrayProtoFuncToLocaleString):
            (JSC::arrayProtoFuncJoin):
            (JSC::arrayProtoFuncPop):
            (JSC::arrayProtoFuncPush):
            (JSC::arrayProtoFuncReverse):
            (JSC::arrayProtoFuncShift):
            (JSC::arrayProtoFuncSlice):
            (JSC::arrayProtoFuncSort):
            (JSC::arrayProtoFuncSplice):
            (JSC::arrayProtoFuncUnShift):
            (JSC::arrayProtoFuncReduce):
            (JSC::arrayProtoFuncReduceRight):
            (JSC::arrayProtoFuncIndexOf):
            (JSC::arrayProtoFuncLastIndexOf):
            (JSC::putProperty): Deleted.

2014-07-23  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171474 (rollout r171367 from trunk)

2014-07-23  Lucas Forschler  <lforschler@apple.com>

        Merge r171367

    2014-07-22  Joseph Pecoraro  <pecoraro@apple.com>

            JSLock release should only modify the AtomicStringTable if it modified in acquire
            https://bugs.webkit.org/show_bug.cgi?id=135143

            Reviewed by Pratik Solanki.

            * runtime/JSLock.cpp:
            (JSC::JSLock::willDestroyVM):
            (JSC::JSLock::willReleaseLock):
            Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.

2014-07-23  Lucas Forschler  <lforschler@apple.com>

        Merge r171355

    2014-07-21  Sam Weinig  <sam@webkit.org>

            [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
            https://bugs.webkit.org/show_bug.cgi?id=135148

            Reviewed by Geoffrey Garen.

            * runtime/CommonIdentifiers.h:
            Add a common identifier for the string "webkit".

2014-07-23  Lucas Forschler  <lforschler@apple.com>

        Merge r171354

    2014-07-22  Filip Pizlo  <fpizlo@apple.com>

            ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
            https://bugs.webkit.org/show_bug.cgi?id=135155
            <rdar://problem/17763909>

            Reviewed by Oliver Hunt.

            The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
            contradiction, and that this is OK. In this case, we were speculating cell on an int.

            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            * tests/stress/regress-135155.js: Added.
            (run.t.length):
            (run):

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171228.

    2014-07-18  Filip Pizlo  <fpizlo@apple.com>

            Fix cloop build.

            * jsc.cpp:
            (jscmain):

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171213.

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

            Need ability to fuzz exception throwing
            https://bugs.webkit.org/show_bug.cgi?id=134945
            <rdar://problem/17722027>

            Reviewed by Sam Weinig.

            Adds the ability to instrument exception checks, and to force some random
            exception check to artificially throw an exception. Also adds new tests that
            are suitable for testing this. Note that this is closely tied to the Tools
            directory changes that are also part of this changeset.

            This also fixes an activation tear-off bug that arises if we ever throw an
            exception from operationOptimize, or if due to some other bug it's only due
            to the operationOptimize exception check that we realize that there is an
            exception to be thrown.

            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::fastExceptionCheck):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            * interpreter/Interpreter.cpp:
            (JSC::unwindCallFrame):
            * jit/AssemblyHelpers.cpp:
            (JSC::AssemblyHelpers::callExceptionFuzz):
            (JSC::AssemblyHelpers::emitExceptionCheck):
            * jit/AssemblyHelpers.h:
            (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_enter):
            * jit/JITOperations.cpp:
            (JSC::numberOfExceptionFuzzChecks):
            * jit/JITOperations.h:
            * jsc.cpp:
            (jscmain):
            * runtime/Options.h:
            * runtime/TestRunnerUtils.h:
            * tests/exceptionFuzz.yaml: Added.
            * tests/exceptionFuzz: Added.
            * tests/exceptionFuzz/3d-cube.js: Added.
            * tests/exceptionFuzz/date-format-xparb.js: Added.
            * tests/exceptionFuzz/earley-boyer.js: Added.

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171204.

    2014-07-17  Joseph Pecoraro  <pecoraro@apple.com>

            Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html

            Rubber-stamped by Alexey Proskuryakov.

            Null / empty titles should be fine. Tests pass in release builds
            which allowed empty titles, and it looks like the LegacyProfiler
            stopProfiling handles empty titles as expected already.

            * profiler/LegacyProfiler.cpp:
            (JSC::LegacyProfiler::startProfiling):

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171190.

    2014-07-16  Filip Pizlo  <fpizlo@apple.com>

            DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
            https://bugs.webkit.org/show_bug.cgi?id=134988
            <rdar://problem/17706349>

            Reviewed by Oliver Hunt.

            Luckily, we also don't need this optimization to be super powerful: the only place
            where it really matters is for getting rid of the redundancy between op_enter and
            op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
            two things. This change updates the store eliminator to know about only that small,
            obviously safe, set of nodes over which we can store-eliminate.

            This shouldn't have any performance impact in the DFG because this optimization kicks
            in relatively rarely already. And once we tier up into the FTL, we get a much better
            store elimination over LLVM IR, so this really shouldn't matter at all.

            The tricky part of this patch is that there is a close relative of this optimization,
            for uncaptured variables that got flushed. This happens for arguments to inlined calls.
            I make this work by splitting it into two different store eliminators.

            Note that in the process of crafting the tests, I realized that we were incorrectly
            DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
            negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
            to a check node followed by the actual allocation.

            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
            (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
            (JSC::DFG::CSEPhase::setLocalStoreElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
            * dfg/DFGNodeType.h:
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):

2014-07-17  Dean Jackson  <dino@apple.com>

        <rdar://problem/17675068> Disable some features on this branch.

        Reviewed originally by Simon Fraser.

        Disable:
        - CSS_EXCLUSIONS
        - CSS_GRID_LAYOUT
        - INPUT_TYPE_COLOR
        - INPUT_TYPE_COLOR_POPUP
        - CANVAS_PATH
        - CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
        - INDIE_UI
        - SHARED_WORKERS
        - NAVIGATOR_HWCONCURRENCY
        - GAMEPAD
        - PICTURE_SIZES
        - CSS3_CONDITIONAL_RULES
        - WILL_REVEAL_EDGE_EVENTS

        * Configurations/FeatureDefines.xcconfig:

2014-07-15  Benjamin Poulain  <benjamin@webkit.org>

        Reduce the overhead of updating the AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=134659

        Reviewed by Gavin Barraclough.

        In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
        That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
        there.

        On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
        to get the real address of a label. That is done by reusing the memory of AssemblerData.

        To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
        a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
        to make clang give up a bunch of optimizations.

        This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
        In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.

        Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
        the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
        specific way that would make it unusable for the Assembler.

        -- Technical details --

        From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
        into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
        To make this easier to work with, I changed all the assembler-specific functions to be static. This way we know
        exactly what code accesses the Assembler instance. The code that does access the instance is then moved
        to the beginning, before we modify anything.

        The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
        to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
        to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).

        -- Perf impact --

        This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
        On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
        time by ~20%.

        I could not measure any difference on x86_64.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::jumpSizeDelta):
        (JSC::ARM64Assembler::canCompact):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ifThenElseConditionBit):
        (JSC::ARMv7Assembler::ifThenElse):
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::canCompact):
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkConditionalBX):
        (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerData::operator=):
        (JSC::AssemblerData::~AssemblerData):
        (JSC::AssemblerData::buffer):
        (JSC::AssemblerData::capacity):
        (JSC::AssemblerData::grow):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::isAvailable):
        (JSC::AssemblerBuffer::data):
        (JSC::AssemblerBuffer::releaseAssemblerData):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::append):
        (JSC::AssemblerBuffer::grow):
        (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
        (JSC::AssemblerBuffer::storage): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::canCompact):
        (JSC::MacroAssemblerARM64::computeJumpType):
        (JSC::MacroAssemblerARM64::jumpSizeDelta):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::canCompact):
        (JSC::MacroAssemblerARMv7::computeJumpType):
        (JSC::MacroAssemblerARMv7::jumpSizeDelta):
        (JSC::MacroAssemblerARMv7::link):
        (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.

2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Stores to PropertyTable use the Structure as the owner
        https://bugs.webkit.org/show_bug.cgi?id=134595

        Reviewed by Darin Adler.

        Since PropertyTable is the object that does the marking of these references, it should be the owner.

        Also removed some unused parameters to other methods that historically used the Structure as the owner.

        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):

2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=134928

        Reviewed by Andreas Kling.

        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.

2014-07-15  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Buildfix if LLINT_SLOW_PATH_TRACING is enabled
        https://bugs.webkit.org/show_bug.cgi?id=133790

        Reviewed by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-07-14  Filip Pizlo  <fpizlo@apple.com>

        Allow for Int52Rep to see things other than Int32, and make this testable
        https://bugs.webkit.org/show_bug.cgi?id=134873
        <rdar://problem/17641915>

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        A major premise of our type inference is that prediction propagation can say whatever it
        wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
        We required some kind of agreement between prediction propagation and fixup over which
        data flow paths were Int52 and which weren't.

        It turns out that we basically had such an agreement, with the exception of code that was
        unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
        might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
        be a bug! Normally, we allow sloppiness in prediction propagation.

        This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
        ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
        int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
        empowered Int52Rep is actually correct - in case we end up using it on paths other than
        ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
        us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
        this intrinsic. This means that we're now stressing Int52Rep more so than ever before!

        Note that it would still be a bug for prediction propagation to ever cause us to create an
        Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
        a crash bug.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isMachineIntConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isMachineIntConstant):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionIdentity):
        * runtime/Intrinsic.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::tryConvertToInt52):
        (JSC::isInt52):
        (JSC::JSValue::isMachineInt):
        * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/int52-force-osr-exit-path.js: Added.
        (foo):

2014-07-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Flattening dictionaries with oversize backing stores can cause crashes
        https://bugs.webkit.org/show_bug.cgi?id=134906

        Reviewed by Filip Pizlo.

        The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
        of the CopiedBlock header. This was always the case except for when flattening a dictionary
        caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
        Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
        would no longer be within the first 32 KB of the CopiedBlock and the next collection would
        choke on the Butterfly pointer.

        This patch fixes this issue by detecting this situation during flattening and memmove-ing
        the Butterfly down to where the old base was.

        * runtime/JSObject.cpp:
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * tests/stress/flatten-oversize-dictionary-object.js: Added.
        (foo):

2014-07-14  Benjamin Poulain  <benjamin@webkit.org>

        Remove some dead code from FTLJITFinalizer
        https://bugs.webkit.org/show_bug.cgi?id=134874

        Reviewed by Geoffrey Garen.

        Not sure what that code was for...but it does not do anything :)

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        The pointer of the label is computed but never used.

        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        The label is never set to anything.

2014-07-14  Bear Travis  <betravis@adobe.com>

        [Feature Queries] Enable Feature Queries on Mac
        https://bugs.webkit.org/show_bug.cgi?id=134404

        Reviewed by Antti Koivisto.

        Enable Feature Queries on Mac and resume running the
        feature tests.

        * Configurations/FeatureDefines.xcconfig: Turn on
        ENABLE_CSS3_CONDITIONAL_RULES.

8672014-07-11 Joseph Pecoraro <pecoraro@apple.com>
868
869 Web Inspector: Debugger Pause button does not work
870 https://bugs.webkit.org/show_bug.cgi?id=134785
871
872 Reviewed by Timothy Hatcher.
873
874 * CMakeLists.txt:
875 * DerivedSources.make:
876 Minification strips the sourceURL command. Add it back with minification.
877
8782014-07-11 peavo@outlook.com <peavo@outlook.com>
879
880 [Win] Enable DFG JIT.
881 https://bugs.webkit.org/show_bug.cgi?id=123615
882
883 Reviewed by Mark Lam.
884
885 When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
886 the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
887 Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
888 since the register allocation differs on 64-bit Windows.
889
890 * assembler/MacroAssemblerX86_64.h:
891 (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
892 * jit/CCallHelpers.h:
893 (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
894 (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
895 * jit/JIT.h:
896 (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
897 * jit/JITInlines.h:
898 (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
899 (JSC::JIT::callOperation): Call new method.
900
9012014-07-09 Benjamin Poulain <benjamin@webkit.org>
902
903 Use 16bits instructions for push/pop on ARMv7 when possible
904 https://bugs.webkit.org/show_bug.cgi?id=134753
905
906 Reviewed by Geoffrey Garen.
907
908 The patch r170839 mixed the code for push/pop pair and single push/pop.
909 That part was reverted in r170909.
910
911 This patch puts the code back but specialized for single push/pop.
912
913 * assembler/ARMv7Assembler.h:
914 (JSC::ARMv7Assembler::pop):
915 (JSC::ARMv7Assembler::push):
916 * assembler/MacroAssemblerARMv7.h:
917 (JSC::MacroAssemblerARMv7::pop):
918 (JSC::MacroAssemblerARMv7::push):
919
9202014-07-09 Brent Fulgham <bfulgham@apple.com>
921
922 [Win] Remove uses of 'bash' in build system
923 https://bugs.webkit.org/show_bug.cgi?id=134782
924 <rdar://problem/17615533>
925
926 Reviewed by Dean Jackson.
927
928 Remove uses of 'bash' by replacing Windows-specific bash scripts
929 with Perl equivalents.
930
931 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
932 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
933 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
934 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
935 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
936 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
937 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
938 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
939 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
940 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
941 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
942 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
943 * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
944 * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
945 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
946 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
947 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
948
9492014-07-09 Brent Fulgham <bfulgham@apple.com>
950
951 [Win] Remove use of 'grep' in build steps
952 https://bugs.webkit.org/show_bug.cgi?id=134770
953 <rdar://problem/17608783>
954
955 Reviewed by Tim Horton.
956
957 Replace uses of the grep command in Windows builds with the equivalent
958 Perl program.
959
960 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
961 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
962 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
963 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
964
9652014-07-08 Benjamin Poulain <benjamin@webkit.org>
966
967 Restore the assertion changed with 170839
968
969 * assembler/ARMv7Assembler.h:
970 (JSC::ARMv7Assembler::pop):
971 (JSC::ARMv7Assembler::push):
972 Revert the Assembler part of 170839. The assertions do not match both encoding.
973
974 I'll add specific version of push and pop instead.
975
9762014-07-08 Jon Honeycutt <jhoneycutt@apple.com>
977
978 RemoteInspector::shared() should not call WTF::initializeMainThread()
979 <https://bugs.webkit.org/show_bug.cgi?id=134747>
980 <rdar://problem/17161482>
981
982 Reviewed by Joseph Pecoraro.
983
984 * inspector/remote/RemoteInspector.mm:
985 (Inspector::RemoteInspector::shared):
986 Don't call WTF::initializeMainThread(). WTF threading is initialized by
987 JSC::initializeThreading().
988
9892014-07-08 Andreas Kling <akling@apple.com>
990
991 VM::lastCachedString should be a Strong, not a Weak.
992 <https://webkit.org/b/134746>
993
994 Using Weak<JSString> for this regressed some of our bindings perf tests
995 due to Weak having to allocate a new WeakImpl every time the last cached
996 string changed. Make it a Strong instead should make that problem go away.
997
998 Reviewed by Geoffrey Garen.
999
1000 * runtime/JSString.cpp:
1001 (JSC::jsStringWithCacheSlowCase):
1002 * runtime/VM.h:
1003
2014-07-07  Benjamin Poulain  <bpoulain@apple.com>

        Fix the build after r170876

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):

2014-07-07  Benjamin Poulain  <benjamin@webkit.org>

        LinkBuffer should not keep a reference to the MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=134668

        Reviewed by Geoffrey Garen.

        In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
        When that happens, the pointer m_assembler points to released memory. That was not causing
        issues because the attribute is not used after linking, but that was not particularly
        future proof.

        This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
        as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.

        While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
        everywhere. I refactored some #include to avoid that.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * bytecode/Watchpoint.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLJSCall.cpp:
        * ftl/FTLJSCall.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITOpcodes.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::registerRestorationThunkGenerator):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkForThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator):
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2014-07-07  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Reviewed by Darin Adler.

        Follow-up to r170818 addressing a review comment by Geoff Garen.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):

2014-07-07  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(FTL_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134680

        Reviewed by Darin Adler.

        * ftl/FTLDWARFDebugLineInfo.cpp:
        * ftl/FTLDWARFDebugLineInfo.h:
        * ftl/FTLGeneratedFunction.h:

2014-07-07  Zan Dobersek  <zdobersek@igalia.com>

        Enable ARMv7 disassembler for the GTK port
        https://bugs.webkit.org/show_bug.cgi?id=134676

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().

2014-07-06  Benjamin Poulain  <benjamin@webkit.org>

        [ARMv7] Use 16 bits instructions for push/pop when possible
        https://bugs.webkit.org/show_bug.cgi?id=134656

        Reviewed by Andreas Kling.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
        Add the 16 bits version of push and pop.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::pop):
        (JSC::MacroAssemblerARMv7::push):
        Use the new push/pop instead of a regular load/store.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
        Fix the disassembler for push/pop:
        -The register mask was on 7 bits for some reason.
        -The code printing the registers was comparing a register ID with a register
        mask.

2014-07-06  Yoav Weiss  <yoav@yoav.ws>

        Turn on img@sizes compile flag
        https://bugs.webkit.org/show_bug.cgi?id=134634

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.

2014-07-06  Daewoong Jang  <daewoong.jang@navercorp.com>

        Flags value of SourceCodeKey should be unique for each case.
        https://bugs.webkit.org/show_bug.cgi?id=134435

        Reviewed by Darin Adler.

        Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
        the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
        Shift the value of CodeType one bit farther to the left so those values don't overlap.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
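
        The bit overlap this entry describes, as an added illustration constructed for this editor's notes (not JSC's SourceCodeKey code): a three-valued strictness enum that needs two bits, a code type shifted by only one bit so its low bit lands on the strictness field, and the corrected shift. The enum names and values are assumed for the illustration; distinctKeys() counts how many of the nine (type, strictness) pairs survive as distinct cache keys, and a cache that returns parsed code for a colliding key can hand back code parsed under the wrong mode.

```cpp
#include <cstddef>
#include <initializer_list>
#include <set>

// Constructed illustration, not JSC's SourceCodeKey: two small enums packed
// into one flags word that then participates in a code-cache key.
enum CodeType : unsigned { GlobalCode = 0, EvalCode = 1, FunctionCode = 2 };
enum Strictness : unsigned { ParseNormal = 0, ParseBuiltin = 1, ParseStrict = 2 };

// Strictness needs two bits (values 0..2). Shifting CodeType by only one bit
// puts CodeType's bit 0 on top of Strictness's bit 1, so distinct
// (CodeType, Strictness) pairs can collapse to the same flags value.
constexpr unsigned packOverlapping(CodeType type, Strictness strictness)
{
    return (static_cast<unsigned>(type) << 1) | static_cast<unsigned>(strictness);
}

// Fixed layout: shift CodeType past every bit Strictness can occupy.
constexpr unsigned packDisjoint(CodeType type, Strictness strictness)
{
    return (static_cast<unsigned>(type) << 2) | static_cast<unsigned>(strictness);
}

// Counts how many distinct flag values a packing function yields over all
// enum combinations. A correct key produces one value per combination: 9.
template <typename Pack>
std::size_t distinctKeys(Pack pack)
{
    std::set<unsigned> seen;
    for (CodeType type : { GlobalCode, EvalCode, FunctionCode }) {
        for (Strictness strictness : { ParseNormal, ParseBuiltin, ParseStrict })
            seen.insert(pack(type, strictness));
    }
    return seen.size();
}
```

With the overlapping layout, (EvalCode, ParseNormal), (GlobalCode, ParseStrict) and (EvalCode, ParseStrict) all pack to 2, so only 7 of the 9 combinations are distinguishable.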

2014-07-04  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Also moved the whole thing from WebCore to JavaScriptCore since it
        makes more sense here, and inline the lightweight checks, leaving only
        the hashmap stuff out of line.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsStringWithCache):
        * runtime/VM.h:

2014-07-03  Daniel Bates  <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.

        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
        compact or reallocate its backing store, this can cause all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:
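
        The pointer-stability problem this entry describes, as an added example constructed for this editor's notes (not JSC's debugger code): a vector-backed store whose side map holds raw pointers into the vector's backing store, beside a list-backed store whose nodes never move. Breakpoint, the two store types and their members are hypothetical names standing in for BreakpointsInLine and m_breakpointIDToBreakpoint.

```cpp
#include <cstdint>
#include <list>
#include <unordered_map>
#include <vector>

// Constructed illustration, not JSC's debugger code.
using BreakpointID = unsigned;

struct Breakpoint {
    BreakpointID id;
    unsigned line;
};

// Fragile design: breakpoints live in a vector, and a side map holds raw
// pointers into that vector's backing store. Every pointer in the map
// dangles as soon as a push_back triggers a reallocation.
struct VectorBackedStore {
    std::vector<Breakpoint> breakpoints;
    std::unordered_map<BreakpointID, Breakpoint*> byID;

    void add(BreakpointID id, unsigned line)
    {
        breakpoints.push_back({ id, line });
        byID[id] = &breakpoints.back();
    }
};

// Returns true when adding `count` breakpoints relocated the backing store,
// i.e. the pointer recorded for breakpoint 0 no longer points at it. The
// comparison is done on integer copies of the addresses, so nothing
// dangling is ever dereferenced here.
bool vectorStoreMoves(unsigned count)
{
    VectorBackedStore store;
    store.add(0, 10);
    auto before = reinterpret_cast<std::uintptr_t>(store.breakpoints.data());
    for (unsigned i = 1; i < count; ++i)
        store.add(i, 10 + i);
    auto after = reinterpret_cast<std::uintptr_t>(store.breakpoints.data());
    return before != after;
}

// Robust design: a doubly linked list never relocates its nodes, so the map
// may keep pointing at a node for as long as that node is in the list.
struct ListBackedStore {
    std::list<Breakpoint> breakpoints;
    std::unordered_map<BreakpointID, Breakpoint*> byID;

    void add(BreakpointID id, unsigned line)
    {
        breakpoints.push_back({ id, line });
        byID[id] = &breakpoints.back();
    }

    // Removal must drop the map entry before the node it points at dies.
    void remove(BreakpointID id)
    {
        auto it = byID.find(id);
        if (it == byID.end())
            return;
        Breakpoint* node = it->second;
        byID.erase(it);
        breakpoints.remove_if([node](const Breakpoint& b) { return &b == node; });
    }
};

// Returns true when every pointer recorded in byID still names the
// breakpoint with the expected id and line after `count` insertions.
bool listStoreStaysValid(unsigned count)
{
    ListBackedStore store;
    for (unsigned i = 0; i < count; ++i)
        store.add(i, 10 + i);
    for (unsigned i = 0; i < count; ++i) {
        Breakpoint* bp = store.byID.at(i);
        if (bp->id != i || bp->line != 10 + i)
            return false;
    }
    return true;
}

// Returns true when the last breakpoint's node survives removal of all the
// others, with the map still pointing at live data.
bool listStoreSurvivesRemoval(unsigned count)
{
    ListBackedStore store;
    for (unsigned i = 0; i < count; ++i)
        store.add(i, 10 + i);
    Breakpoint* last = store.byID.at(count - 1);
    for (unsigned i = 0; i + 1 < count; ++i)
        store.remove(i);
    return store.breakpoints.size() == 1
        && store.byID.size() == 1
        && last->id == count - 1
        && last->line == 10 + count - 1;
}
```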

2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-tests to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take and return a
        non-constant rvalue reference so that we actually move the closed variables vector from the
        Parser object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.

        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Let's store the RunLoop on the debuggable instead of this core
        platform-agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Set up, tear down and use private run loop sources if the debuggable needs it.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

        Add feature flag for link long-press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=134262

        Reviewed by Enrica Casucci.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_LINK_LONG_PRESS.

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the Windows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
        functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there. Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
1761 * interpreter/JSStack.h:
1762 * interpreter/JSStackInlines.h:
1763 (JSC::JSStack::ensureCapacityFor):
1764 (JSC::JSStack::topOfFrameFor):
1765 (JSC::JSStack::setStackLimit):
1766 * jit/ExecutableAllocatorFixedVMPool.cpp:
1767 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1768 * jit/JIT.h:
1769 (JSC::JIT::compileCTINativeCall):
1770 * jit/JITExceptions.h:
1771 * jit/JITThunks.cpp:
1772 (JSC::JITThunks::ctiNativeCall):
1773 (JSC::JITThunks::ctiNativeConstruct):
1774 * llint/LLIntCLoop.cpp:
1775 * llint/LLIntCLoop.h:
1776 * llint/LLIntData.cpp:
1777 (JSC::LLInt::initialize):
1778 (JSC::LLInt::Data::performAssertions):
1779 * llint/LLIntData.h:
1780 (JSC::LLInt::Data::performAssertions): Deleted.
1781 * llint/LLIntEntrypoint.cpp:
1782 * llint/LLIntEntrypoint.h:
1783 * llint/LLIntExceptions.cpp:
1784 * llint/LLIntExceptions.h:
1785 * llint/LLIntOfflineAsmConfig.h:
1786 * llint/LLIntOffsetsExtractor.cpp:
1787 (JSC::LLIntOffsetsExtractor::dummy):
1788 * llint/LLIntOpcode.h:
1789 * llint/LLIntSlowPaths.cpp:
1790 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1791 * llint/LLIntSlowPaths.h:
1792 * llint/LLIntThunks.cpp:
1793 * llint/LLIntThunks.h:
1794 * llint/LowLevelInterpreter.cpp:
1795 * llint/LowLevelInterpreter.h:
1796 * runtime/CommonSlowPaths.cpp:
1797 * runtime/CommonSlowPaths.h:
1798 * runtime/ErrorHandlingScope.cpp:
1799 (JSC::ErrorHandlingScope::ErrorHandlingScope):
1800 (JSC::ErrorHandlingScope::~ErrorHandlingScope):
1801 * runtime/Executable.cpp:
1802 (JSC::setupLLInt):
1803 * runtime/InitializeThreading.cpp:
1804 (JSC::initializeThreading):
1805 * runtime/JSCJSValue.h:
1806 * runtime/JSCJSValueInlines.h:
1807 * runtime/Options.cpp:
1808 (JSC::recomputeDependentOptions):
1809 * runtime/VM.cpp:
1810 (JSC::VM::VM):
1811 (JSC::sanitizeStackForVM):
1812 * runtime/VM.h:
1813 (JSC::VM::canUseJIT): Deleted.
1814
18152014-06-18 Alex Christensen <achristensen@webkit.org>
1816
1817 Add FTL to Windows build.
1818 https://bugs.webkit.org/show_bug.cgi?id=134015
1819
1820 Reviewed by Filip Pizlo.
1821
1822 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1823 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1824 Added ftl source files.
1825 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1826 Added ftl and llvm directories to include path.
1827 * JavaScriptCore.vcxproj/libllvmForJSC: Added.
1828 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
1829 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
1830 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
1831 * ftl/FTLLowerDFGToLLVM.cpp:
1832 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1833 MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
1834 * llvm/InitializeLLVMWin.cpp: Added.
1835 (JSC::initializeLLVMImpl):
1836 Implemented dynamic loading and linking for Windows.
1837
18382014-06-18 Alex Christensen <achristensen@webkit.org>
1839
1840 Unreviewed build fix after r170107.
1841
1842 * dfg/DFGSpeculativeJIT.cpp:
1843 (JSC::DFG::SpeculativeJIT::compileArithMod):
1844 Use non-template sub for armv7s.
1845
18462014-06-18 David Kilzer <ddkilzer@apple.com>
1847
1848 -[JSContext setName:] leaks NSString
1849 <http://webkit.org/b/134038>
1850
1851 Reviewed by Joseph Pecoraro.
1852
1853 Fixes the following static analyzer warning:
1854
1855 JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
1856 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
1857 ^
1858
1859 * API/JSContext.mm:
1860 (-[JSContext setName:]): Autorelease the copy of |name|.
1861
18622014-06-18 Mark Lam <mark.lam@apple.com>
1863
1864 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
1865 <https://webkit.org/b/133994>
1866
1867 Reviewed by Geoffrey Garen.
1868
1869 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
1870 because it means two unfortunate things:
1871 - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
        -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
        -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
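
The signed-zero hazard described in this entry and in its 2014-06-18 re-landing above, shown as an added example that is not JavaScriptCore code: a constant pool keyed on the raw IEEE-754 bits of each double beside the value-keyed variant it replaces. DoubleConstantTable, NaiveDoubleConstantTable and keyFor are hypothetical names, and the constants fed in are constructed.

```cpp
// Added example (not JavaScriptCore code): a constant pool keyed on the
// raw bits of a double, as the fix above describes, next to the value-keyed
// pool that cannot tell +0 from -0. All names here are hypothetical.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>

// Reinterpret the IEEE-754 bit pattern of a double as a 64-bit key.
// +0.0 and -0.0 compare equal as doubles but differ in the sign bit, so
// they get distinct keys here, and no key value has to be reserved.
static inline uint64_t keyFor(double value)
{
    static_assert(sizeof(uint64_t) == sizeof(double), "double must be 64 bits");
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof(bits));
    return bits;
}

// Pool of double constants keyed on the raw bits. std::unordered_map needs
// no empty/deleted sentinel keys, so 0.0 is an ordinary key, and the two
// signed zeros occupy separate slots.
class DoubleConstantTable {
public:
    // Returns the slot index of `value`, appending it if not present.
    size_t indexFor(double value)
    {
        const uint64_t key = keyFor(value);
        auto it = m_indexByBits.find(key);
        if (it != m_indexByBits.end())
            return it->second;
        const size_t index = m_constants.size();
        m_constants.push_back(value);
        m_indexByBits.emplace(key, index);
        return index;
    }
    size_t size() const { return m_constants.size(); }
    double at(size_t index) const { return m_constants[index]; }

private:
    std::vector<double> m_constants;
    std::unordered_map<uint64_t, size_t> m_indexByBits;
};

// The broken variant for contrast, keyed on the double value. Because
// -0.0 == 0.0, std::hash<double> and operator== treat them as one key, so a
// lookup for -0.0 returns the slot holding +0.0 and 1/x changes sign.
class NaiveDoubleConstantTable {
public:
    size_t indexFor(double value)
    {
        auto it = m_indexByValue.find(value);
        if (it != m_indexByValue.end())
            return it->second;
        const size_t index = m_constants.size();
        m_constants.push_back(value);
        m_indexByValue.emplace(value, index);
        return index;
    }
    size_t size() const { return m_constants.size(); }
    double at(size_t index) const { return m_constants[index]; }

private:
    std::vector<double> m_constants;
    std::unordered_map<double, size_t> m_indexByValue;
};

// True when the table keeps +0 and -0 apart and hands back a -0 whose
// reciprocal is still -Infinity, which is what compiled code relies on.
template<typename Table>
bool distinguishesSignedZero()
{
    Table table;
    const size_t plusZero = table.indexFor(0.0);
    const size_t minusZero = table.indexFor(-0.0);
    if (plusZero == minusZero)
        return false;
    return std::signbit(table.at(minusZero)) && !std::signbit(table.at(plusZero))
        && 1.0 / table.at(minusZero) < 0;
}

// Constructed sample of constants a compiled function might reference.
// Deduplicating 1.5 but keeping both zeros gives 4 slots with the raw-bits
// table and only 3 with the naive one.
template<typename Table>
size_t poolSizeForSample()
{
    const double sample[] = { 1.5, 0.0, -0.0, 1.5, 2.5 };
    Table table;
    for (double d : sample)
        table.indexFor(d);
    return table.size();
}
```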

2014-06-17  Oliver Hunt  <oliver@apple.com>

        Fix error messages for incorrect hex literals
        https://bugs.webkit.org/show_bug.cgi?id=133998

        Reviewed by Mark Lam.

        Ensure that the error messages for bogus hex literals actually
        make sense.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/ParserTokens.h:

2014-06-17  Matthew Mirman  <mmirman@apple.com>

        Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
        https://bugs.webkit.org/show_bug.cgi?id=133814

        Reviewed by Filip Pizlo.

        Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
        script from using "*.o" as a file when no other files in the directory exist.

        * build-symbol-table-index.sh: Added license.
        * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.

2014-06-16  Sam Weinig  <sam@webkit.org>

        Move forward declaration of bindings static functions into their implementation files
        https://bugs.webkit.org/show_bug.cgi?id=133943

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a few identifiers that are needed by the DOM.

2014-06-16  Mark Lam  <mark.lam@apple.com>

        Parser statementDepth accounting needs to account for when a function body excludes its braces.
        <https://webkit.org/b/133832>

        Reviewed by Oliver Hunt.

        In some cases (e.g. when a Function object is instantiated from a string), the
        function body source may not include its braces. The parser needs to account
        for this when calculating its statementDepth.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        - Also fixed the error message for declaring nested functions in strict mode
        to be more accurate.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Change the order of the alias analysis passes to align with the opt pipeline of LLVM
        https://bugs.webkit.org/show_bug.cgi?id=133753

        Reviewed by Geoffrey Garen.

        The order in which the alias analysis passes are added also affects the
        order in which they are utilized. Change the order to align with the
        one used by LLVM itself. The last alias analysis pass added will be
        evaluated first. With this change we first perform a basic alias
        analysis and then use the type-based alias analysis (if required).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Fix the arguments passed to the LLVM dylib
        https://bugs.webkit.org/show_bug.cgi?id=133757

        Reviewed by Geoffrey Garen.

        The LLVM command line argument parser assumes that the first argument
        is the program name. We need to add a fake program name, otherwise the
        first argument will be parsed as program name and ignored.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-06-16  Michael Saboff  <msaboff@apple.com>

        Convert ASSERT in inlineFunctionForCapabilityLevel to early return
        https://bugs.webkit.org/show_bug.cgi?id=133903

        Reviewed by Mark Hahnenberg.

        Hardened code by converting ASSERT to return CannotCompile.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::inlineFunctionForCapabilityLevel):

2014-06-13  Sam Weinig  <sam@webkit.org>

        Store DOM constants directly in the JS object rather than jumping through a custom accessor
        https://bugs.webkit.org/show_bug.cgi?id=133898

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::HashTableValue::attributes):
        Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
        and it will make adding more flags possible.

        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        Change assertion to use BuiltinOrFunctionOrConstant.

        (JSC::HashTableValue::constantInteger):
        Added.

        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        Use PropertySlot::setValue() for constants during static lookup.

        (JSC::reifyStaticProperties):
        Put the constant directly on the object when eagerly reifying.

        * runtime/PropertySlot.h:
        Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.

2014-06-14  Michael Saboff  <msaboff@apple.com>

        operationCreateArguments could cause a GC during OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=133905

        Reviewed by Filip Pizlo.

        Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
        for use by OSR exit stubs.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
        https://bugs.webkit.org/show_bug.cgi?id=133880

        Reviewed by Filip Pizlo.

        We could have exited due to a value received from an inlined block that's no longer on
        the stack, so we should just barrier all InlineCallFrames.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2014-06-13  Alex Christensen  <achristensen@webkit.org>

        Make css jit compile for armv7.
        https://bugs.webkit.org/show_bug.cgi?id=133596

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssembler.h:
        Use branchPtr on ARM_THUMB2.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::addPtrNoFlags):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch):
        (JSC::MacroAssemblerARMv7::branchPtr):
        Added macros necessary for css jit.

2014-06-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):

2014-06-12  Filip Pizlo  <fpizlo@apple.com>

        Even better diagnostics from DFG traps
        https://bugs.webkit.org/show_bug.cgi?id=133836

        Reviewed by Oliver Hunt.

        We now stuff the DFG::NodeType into a register before bailing. Also made the
        DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
        different numbers than any previous abort reasons.

        * assembler/AbortReason.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:

2014-06-12  Simon Fraser  <simon.fraser@apple.com>

        Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
        https://bugs.webkit.org/show_bug.cgi?id=133840

        Reviewed by Filip Pizlo.

        Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
        when running DFG tests.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):

2014-06-12  Brent Fulgham  <bfulgham@apple.com>

        [Win] Avoid fork bomb during build
        https://bugs.webkit.org/show_bug.cgi?id=133837
        <rdar://problem/17296034>

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
        reasonable default value when the 'num-cpus' script is not available.

2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move structureHasRareData out of TypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=133800

        Reviewed by Andreas Kling.

        StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
        but we have a few spare bits in Structure so it would be nice to remove this hack.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
        (JSC::TypeInfo::structureHasRareData): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):

2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow enum guards to be generated from the replay json files
        https://bugs.webkit.org/show_bug.cgi?id=133399

        Reviewed by Csaba Osztrogonác.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.__init__):
        (InputsModel.parse_type_with_framework_name):
        (Generator.generate_header):
        (Generator.generate_implementation):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
        (Test::HandleWheelEvent::HandleWheelEvent):
        (Test::HandleWheelEvent::~HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        (JSC::InputTraits<Test::HandleWheelEvent>::encode):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
        (JSC::InputTraits<Test::HandleWheelEvent>::queue):
        (Test::HandleWheelEvent::platformEvent):
        * replay/scripts/tests/generate-enum-with-guard.json: Added.

2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ build after r169823.

        Include StructureInlines.h in a few more files to fix linking
        issues due to JSC::Structure::get undefined symbol.

        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] One more URTBF after r169823 to make ARM64 build happy too.

        * runtime/JSMap.cpp:

2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching should try to flatten uncacheable dictionaries
        https://bugs.webkit.org/show_bug.cgi?id=133683

        Reviewed by Geoffrey Garen.

        There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
        which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
        If properties are deleted out of the object during its initialization, we can enable caching for that object by
        attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
        performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
        state then we can just give up on caching that object.

        In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
        the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
        the other inline caching functions to return this enum rather than the opaque booleans that we were previously
        returning.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::buildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::buildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::hasBeenFlattenedBefore):

2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] URTBF after r169823.

        * bindings/ScriptValue.cpp: Missing include added.

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.

        Rubber-stamped by Andreas Kling.

        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Turning on DUMP_PROPERTYMAP_STATS causes a build failure
        https://bugs.webkit.org/show_bug.cgi?id=133673

        Reviewed by Andreas Kling.

        Rewrote the property map statistics code because the old code wasn't building,
        and it was also mixing numbers for lookups and insertions/removals.

        New logging code records the number of calls to PropertyTable::find (finds) and
        PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
        the amount of probing during updates and lookups.

        * jsc.cpp:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/Structure.cpp:
        (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):

2014-06-11  Andreas Kling  <akling@apple.com>

        Always inline JSValue::get() and Structure::get().
        <https://webkit.org/b/133755>

        Reviewed by Ryosuke Niwa.

        These functions get really hot, so ask the compiler to be more
        aggressive about inlining them.

        ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
        through GetByVal.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Rubber-stamped by Andreas Kling.

        Make materializePropertyMapIfNecessary always inline.

        This is ~12% improvement on the microbenchmark attached in the bug.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table in the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Andreas Kling  <akling@apple.com>

        Some JSValue::get() micro-optimizations.
2419 <https://webkit.org/b/133739>
2420
2421 Tighten some of the property lookup code to improve performance of the
2422 eagerly reified prototype attributes:
2423
2424 - Instead of converting the property name to an integer at every step
2425 in the prototype chain, move that to a separate pass at the end
2426 since it should be a rare case.
2427
2428 - Cache the StructureIDTable in a local instead of fetching it from
2429 the Heap on every step.
2430
2431 - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
2432 on the assumption that clients would mostly be cacheable GetByIds,
2433 and it gets pretty hot (~1%) in GetByVal.
2434
2435 - Pass the Structure directly to fillCustomGetterPropertySlot instead
2436 of refetching it from the StructureIDTable.
2437
2438 Reviewed by Geoff Garen.
2439
2440 * runtime/JSObject.cpp:
2441 (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
2442 * runtime/JSObject.h:
2443 (JSC::JSObject::inlineGetOwnPropertySlot):
2444 (JSC::JSObject::fillCustomGetterPropertySlot):
2445 (JSC::JSObject::getOwnPropertySlot):
2446 (JSC::JSObject::fastGetOwnPropertySlot):
2447 (JSC::JSObject::getPropertySlot):
2448 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
2449
24502014-06-10 Sam Weinig <sam@webkit.org>
2451
2452 Don't create a HashTable for JSObjects that use eager reification
2453 https://bugs.webkit.org/show_bug.cgi?id=133705
2454
2455 Reviewed by Geoffrey Garen.
2456
2457 * runtime/Lookup.h:
2458 (JSC::reifyStaticProperties):
2459 Add a version of reifyStaticProperties that takes an array of HashTableValues
2460 rather than a HashTable.
2461
24622014-06-10 Filip Pizlo <fpizlo@apple.com>
2463
2464 Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
2465 https://bugs.webkit.org/show_bug.cgi?id=133698
2466
2467 Reviewed by Geoffrey Garen and Mark Hahnenberg.
2468
2469 * dfg/DFGPredictionPropagationPhase.cpp:
2470 (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
2471 * dfg/DFGVariableAccessData.cpp:
2472 (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
2473 (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
2474 (JSC::DFG::VariableAccessData::flushFormat):
2475 * dfg/DFGVariableAccessData.h:
2476 * tests/stress/int52-inlined-call-argument.js: Added.
2477 (foo):
2478 (bar):
2479
24802014-06-10 Mark Lam <mark.lam@apple.com>
2481
2482 Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
2483 <https://webkit.org/b/133356>
2484
2485 Reviewed by Mark Hahnenberg.
2486
2487 The root cause of this issue is that a nonPropertyTransition can transition
2488 a pinned dictionary structure to an unpinned dictionary structure. The new
2489 structure will get a copy of the property table from the original structure.
2490 However, when a GC occurs, the property table in the new structure will be
2491 cleared because it is unpinned. This leads to complications in subsequent
2492 derivative structures when flattening occurs, which eventually leads to the
2493 assertion failure in this bug.
2494
2495 The fix is to ensure that the new dictionary structure generated by the
2496 nonPropertyTransition will have a copy of its predecessor's property table
2497 and is pinned.
2498
2499 * runtime/Structure.cpp:
2500 (JSC::Structure::nonPropertyTransition):
2501
25022014-06-10 Michael Saboff <msaboff@apple.com>
2503
2504 In a certain app state, Array.prototype.filter() returns incorrect results
2505 https://bugs.webkit.org/show_bug.cgi?id=133577
2506
2507 Reviewed by Oliver Hunt.
2508
2509 Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
2510
2511 * llint/LowLevelInterpreter32_64.asm:
2512 * llint/LowLevelInterpreter64.asm:
2513
25142014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
2515
2516 Global HashTables contain references to atomic StringImpls
2517 https://bugs.webkit.org/show_bug.cgi?id=133661
2518
2519 Reviewed by Geoffrey Garen.
2520
2521 This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
2522 cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
2523 incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
2524 change the "keys" field of the static HashTables to be char** instead of StringImpl**.
2525
2526 * runtime/JSObject.cpp:
2527 (JSC::getClassPropertyNames):
2528 * runtime/Lookup.cpp:
2529 (JSC::HashTable::createTable):
2530 (JSC::HashTable::deleteTable):
2531 * runtime/Lookup.h:
2532 (JSC::HashTable::ConstIterator::key):
2533 (JSC::HashTable::entry):
2534
25352014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
2536
2537 Build fix after r169703
2538
2539 * JavaScriptCore.xcodeproj/project.pbxproj:
2540
2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Eagerly reify DOM prototype attributes
        https://bugs.webkit.org/show_bug.cgi?id=133558

        Reviewed by Oliver Hunt.

        This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
        By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
        getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
        DOM wrappers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::get): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::get): Inlined due to hotness.
        (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):

2014-06-07  Mark Lam  <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect. However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure. This makes the
        code confusing to read and more error prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06  Andreas Kling  <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04  Timothy Horton  <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04  Oliver Hunt  <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04  Filip Pizlo  <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03  Filip Pizlo  <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31  Anders Carlsson  <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27  Filip Pizlo  <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27  Jon Lee  <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25  Filip Pizlo  <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.

        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs. That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.

        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since clang is the
        only compiler used in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24  Andreas Kling  <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23  Andreas Kling  <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger. After r154797, we don't. This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here. Interpreter::debug() should never be called
          with a pending exception. Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating such that the callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

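The two entries above about holes (the op_put_by_val_direct hole check behind the Array.prototype.filter() bug 133577, and the find/findIndex change for bug 132658) both turn on one question: does an iteration method test HasProperty for each index, or does it read every index and see undefined for a hole? The following is an added example written for this page, not JSC code and not part of this ChangeLog. It builds a constructed sparse array, records which indices the engine's native filter and findIndex actually visit, and shows the two user-land policies side by side. The helper names (visitedIndices, filterSkippingHoles, findIndexSkippingHoles, findIndexVisitingHoles, isHole) are hypothetical. One caveat a practitioner should know: the published ES2015 spec for find/findIndex reads every index without a HasProperty check, so on a current Node.js/V8 engine native findIndex visits holes, while native filter skips them; the native comparison below assumes such an engine.

```javascript
'use strict';

// Constructed sample input: array-literal elisions create holes at
// indices 1 and 3 (missing own properties), unlike the explicit
// `undefined` stored at index 2. length is 5.
const sample = [1, , undefined, , 5];

// A hole is an index inside length that is not an own property.
function isHole(arr, i) {
  return i < arr.length && !(i in arr);
}

// Records every index at which `method` invokes its callback, so the
// engine's own hole policy for that method can be observed directly.
function visitedIndices(arr, method) {
  const seen = [];
  arr[method]((value, index) => { seen.push(index); return false; });
  return seen;
}

// filter with the spec's HasProperty check: holes are never passed to
// the predicate. This is the policy the LLInt hole check exists to keep
// consistent between op_put_by_val and op_put_by_val_direct.
function filterSkippingHoles(arr, predicate) {
  const out = [];
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) continue;            // hole: skip, predicate not called
    if (predicate(arr[i], i, arr)) out.push(arr[i]);
  }
  return out;
}

// findIndex that skips holes, i.e. the behaviour the ChangeLog entry
// above describes for JSC's builtins at the time.
function findIndexSkippingHoles(arr, predicate) {
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) continue;            // hole: skip, predicate not called
    if (predicate(arr[i], i, arr)) return i;
  }
  return -1;
}

// findIndex as the ES2015 spec text reads it: every index is visited and
// a hole is observed by the predicate as undefined.
function findIndexVisitingHoles(arr, predicate) {
  for (let i = 0; i < arr.length; i++) {
    if (predicate(arr[i], i, arr)) return i;
  }
  return -1;
}

// Stand-alone demonstration on the constructed input.
const isUndefined = (v) => v === undefined;
console.log('native filter visits   :', visitedIndices(sample, 'filter'));
console.log('native findIndex visits:', visitedIndices(sample, 'findIndex'));
console.log('filterSkippingHoles    :', filterSkippingHoles(sample, isUndefined));
console.log('findIndexSkippingHoles :', findIndexSkippingHoles(sample, isUndefined));
console.log('findIndexVisitingHoles :', findIndexVisitingHoles(sample, isUndefined));
```

The difference matters for any code that treats "the predicate matched undefined" as meaning "an element was stored": with the hole-skipping policy the first match is index 2 (the stored undefined), with the spec policy it is index 1 (a hole). The `i in arr` test is the user-land equivalent of the HasProperty check the builtins perform.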
2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end. As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimize codeBlock that we're planning to OSR enter into when we
        return from this function. This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
3452 (JSC::JIT::privateCompileCTINativeCall):
3453 * jit/JITPropertyAccess.cpp:
3454 (JSC::JIT::emit_op_get_by_val):
3455 (JSC::JIT::compileGetDirectOffset):
3456 (JSC::JIT::addStructureTransitionCheck): Deleted.
3457 (JSC::JIT::testPrototype): Deleted.
3458 * jit/JITPropertyAccess32_64.cpp:
3459 (JSC::JIT::emit_op_get_by_val):
3460 (JSC::JIT::compileGetDirectOffset):
3461 * jit/RegisterPreservationWrapperGenerator.cpp:
3462 (JSC::generateRegisterRestoration):
3463 * jit/Repatch.cpp:
3464 (JSC::addStructureTransitionCheck):
3465 (JSC::linkClosureCall):
3466 * jit/ThunkGenerators.cpp:
3467 (JSC::emitPointerValidation):
3468 (JSC::nativeForGenerator):
3469 * yarr/YarrJIT.cpp:
3470 (JSC::Yarr::YarrGenerator::generate):
3471
34722014-05-13 peavo@outlook.com <peavo@outlook.com>
3473
3474 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
3475 https://bugs.webkit.org/show_bug.cgi?id=132772
3476
3477 Reviewed by Geoffrey Garen.
3478
3479 Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
3480 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
3481 This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
3482 The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
3483
3484 * assembler/MacroAssemblerARM.h:
3485 (JSC::MacroAssemblerARM::loadDouble):
3486 (JSC::MacroAssemblerARM::storeDouble):
3487 * assembler/MacroAssemblerARM64.h:
3488 (JSC::MacroAssemblerARM64::loadDouble):
3489 (JSC::MacroAssemblerARM64::storeDouble):
3490 * assembler/MacroAssemblerARMv7.h:
3491 (JSC::MacroAssemblerARMv7::loadDouble):
3492 (JSC::MacroAssemblerARMv7::storeDouble):
3493 * assembler/MacroAssemblerMIPS.h:
3494 (JSC::MacroAssemblerMIPS::loadDouble):
3495 (JSC::MacroAssemblerMIPS::storeDouble):
3496 * assembler/MacroAssemblerSH4.h:
3497 (JSC::MacroAssemblerSH4::loadDouble):
3498 (JSC::MacroAssemblerSH4::storeDouble):
3499 * assembler/MacroAssemblerX86.h:
3500 (JSC::MacroAssemblerX86::storeDouble):
3501 * assembler/MacroAssemblerX86Common.h:
3502 (JSC::MacroAssemblerX86Common::absDouble):
3503 (JSC::MacroAssemblerX86Common::negateDouble):
3504 (JSC::MacroAssemblerX86Common::loadDouble):
3505 * dfg/DFGSpeculativeJIT.cpp:
3506 (JSC::DFG::SpeculativeJIT::silentFill):
3507 (JSC::DFG::compileClampDoubleToByte):
3508 * dfg/DFGSpeculativeJIT32_64.cpp:
3509 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3510 (JSC::DFG::SpeculativeJIT::compile):
3511 * jit/AssemblyHelpers.cpp:
3512 (JSC::AssemblyHelpers::purifyNaN):
3513 * jit/JITInlines.h:
3514 (JSC::JIT::emitLoadDouble):
3515 * jit/JITPropertyAccess.cpp:
3516 (JSC::JIT::emitFloatTypedArrayGetByVal):
3517 * jit/ThunkGenerators.cpp:
3518 (JSC::floorThunkGenerator):
3519 (JSC::roundThunkGenerator):
3520 (JSC::powThunkGenerator):
3521
35222014-05-12 Commit Queue <commit-queue@webkit.org>
3523
3524 Unreviewed, rolling out r168642.
3525 https://bugs.webkit.org/show_bug.cgi?id=132839
3526
3527 Broke ARM build (Requested by jpfau on #webkit).
3528
3529 Reverted changeset:
3530
3531 "[Win] Enum type with value zero is compatible with void*,
3532 potential cause of crashes."
3533 https://bugs.webkit.org/show_bug.cgi?id=132772
3534 http://trac.webkit.org/changeset/168642
3535
35362014-05-12 peavo@outlook.com <peavo@outlook.com>
3537
3538 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
3539 https://bugs.webkit.org/show_bug.cgi?id=132772
3540
3541 Reviewed by Geoffrey Garen.
3542
3543 Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
3544 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
3545 This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
3546 The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
3547
3548 * assembler/MacroAssemblerARM.h:
3549 (JSC::MacroAssemblerARM::loadDouble):
3550 (JSC::MacroAssemblerARM::storeDouble):
3551 * assembler/MacroAssemblerARM64.h:
3552 (JSC::MacroAssemblerARM64::loadDouble):
3553 (JSC::MacroAssemblerARM64::storeDouble):
3554 * assembler/MacroAssemblerARMv7.h:
3555 (JSC::MacroAssemblerARMv7::loadDouble):
3556 (JSC::MacroAssemblerARMv7::storeDouble):
3557 * assembler/MacroAssemblerMIPS.h:
3558 (JSC::MacroAssemblerMIPS::loadDouble):
3559 (JSC::MacroAssemblerMIPS::storeDouble):
3560 * assembler/MacroAssemblerSH4.h:
3561 (JSC::MacroAssemblerSH4::loadDouble):
3562 (JSC::MacroAssemblerSH4::storeDouble):
3563 * assembler/MacroAssemblerX86.h:
3564 (JSC::MacroAssemblerX86::storeDouble):
3565 * assembler/MacroAssemblerX86Common.h:
3566 (JSC::MacroAssemblerX86Common::absDouble):
3567 (JSC::MacroAssemblerX86Common::negateDouble):
3568 (JSC::MacroAssemblerX86Common::loadDouble):
3569 * dfg/DFGSpeculativeJIT.cpp:
3570 (JSC::DFG::SpeculativeJIT::silentFill):
3571 (JSC::DFG::compileClampDoubleToByte):
3572 * dfg/DFGSpeculativeJIT32_64.cpp:
3573 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
3574 (JSC::DFG::SpeculativeJIT::compile):
3575 * jit/AssemblyHelpers.cpp:
3576 (JSC::AssemblyHelpers::purifyNaN):
3577 * jit/JITInlines.h:
3578 (JSC::JIT::emitLoadDouble):
3579 * jit/JITPropertyAccess.cpp:
3580 (JSC::JIT::emitFloatTypedArrayGetByVal):
3581 * jit/ThunkGenerators.cpp:
3582 (JSC::floorThunkGenerator):
3583 (JSC::roundThunkGenerator):
3584 (JSC::powThunkGenerator):
3585
35862014-05-12 Andreas Kling <akling@apple.com>
3587
3588 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
3589 <https://webkit.org/b/132828>
3590 <rdar://problem/16886285>
3591
3592 Reviewed by Michael Saboff.
3593
3594 * runtime/JSObject.cpp:
3595 (JSC::JSObject::visitButterfly):
3596 (JSC::JSObject::visitChildren):
3597
3598 Use JSCell::structure(VM&) to reduce the number of hoops we jump
3599 through to find Structures during marking.
3600
36012014-05-12 László Langó <llango.u-szeged@partner.samsung.com>
3602
3603 [cmake] Add missing FTL source files to the build system.
3604
3605 Reviewed by Csaba Osztrogonác.
3606
3607 * CMakeLists.txt:
3608
36092014-05-09 Joseph Pecoraro <pecoraro@apple.com>
3610
3611 Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
3612 https://bugs.webkit.org/show_bug.cgi?id=132409
3613
3614 Reviewed by Timothy Hatcher.
3615
3616 Proxy applications are applications which hold WebViews for other
3617 applications. The WebProcess (Web Content Service) is a proxy application.
3618 For legacy reasons we were supporting a scenario where proxy applications
3619 could potentially host WebViews for more then one other application. That
3620 was never the case for WebProcess and it is now a scenario we don't need
3621 to worry about supporting.
3622
3623 With this change, a proxy application more naturally only holds WebViews
3624 for a single parent / host application. The proxy process can set the
3625 parent pid / audit_token data on the RemoteInspector singleton, and
3626 that data will be sent on to webinspectord later on to be validated.
3627 In the WebProcess<->UIProcess relationship that information is known
3628 and set immediately. In the Legacy iOS case that information is set
3629 soon after, but not immediately known at the point the WebView is created.
3630
3631 This allows us to simplify the RemoteInspectorDebuggable interface.
3632 We no longer need a pid per-Debuggable.
3633
3634 * inspector/remote/RemoteInspector.h:
3635 * inspector/remote/RemoteInspector.mm:
3636 (Inspector::RemoteInspector::RemoteInspector):
3637 (Inspector::RemoteInspector::setParentProcessInformation):
3638 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
3639 (Inspector::RemoteInspector::listingForDebuggable):
3640 (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3641 Handle new proxy application setup message, and provide an API
3642 for a proxy application to set the parent process information.
3643
3644 * inspector/remote/RemoteInspectorConstants.h:
3645 New setup and response message for proxy applications to pass
3646 their parent / host application information to webinspectord.
3647
3648 * inspector/remote/RemoteInspectorDebuggable.cpp:
3649 (Inspector::RemoteInspectorDebuggable::info):
3650 * inspector/remote/RemoteInspectorDebuggable.h:
3651 (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
3652 (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
3653 pid per debuggable is no longer needed.
3654
36552014-05-09 Mark Hahnenberg <mhahnenberg@apple.com>
3656
3657 JSDOMWindow should disable property caching after a certain point
3658 https://bugs.webkit.org/show_bug.cgi?id=132751
3659
3660 Reviewed by Filip Pizlo.
3661
3662 This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
3663 hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
3664 that it has provided a cacheable value.
3665
3666 * runtime/PropertySlot.h:
3667 (JSC::PropertySlot::PropertySlot):
3668 (JSC::PropertySlot::isCacheable):
3669 (JSC::PropertySlot::disableCaching):
3670
36712014-05-09 Andreas Kling <akling@apple.com>
3672
3673 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
3674 <https://webkit.org/b/132749>
3675
3676 Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
3677 in Object.prototype.* by using JSString::toIdentifier() in the cases where
3678 we are converting JSString -> String -> Identifier.
3679
3680 This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
3681 "The Great HTML5 Gaming Performance Test: 2014 edition"
3682 <http://www.scirra.com/demos/c2/sbperftest/>
3683
3684 Reviewed by Oliver Hunt.
3685
3686 * runtime/ObjectPrototype.cpp:
3687 (JSC::objectProtoFuncHasOwnProperty):
3688 (JSC::objectProtoFuncDefineGetter):
3689 (JSC::objectProtoFuncDefineSetter):
3690 (JSC::objectProtoFuncLookupGetter):
3691 (JSC::objectProtoFuncLookupSetter):
3692
36932014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
3694
3695 JSDOMWindow should have a WatchpointSet to fire on window close
3696 https://bugs.webkit.org/show_bug.cgi?id=132721
3697
3698 Reviewed by Filip Pizlo.
3699
3700 This patch allows us to reset the inline caches that assumed they could skip
3701 the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
3702 been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
3703
3704 PropertySlot now accepts a WatchpointSet which the inline cache code can look for
3705 to see if it should create a new Watchpoint for that particular inline cache site.
3706
3707 * bytecode/Watchpoint.h:
3708 * jit/Repatch.cpp:
3709 (JSC::generateByIdStub):
3710 (JSC::tryBuildGetByIDList):
3711 (JSC::tryCachePutByID):
3712 (JSC::tryBuildPutByIdList):
3713 * runtime/PropertySlot.h:
3714 (JSC::PropertySlot::PropertySlot):
3715 (JSC::PropertySlot::watchpointSet):
3716 (JSC::PropertySlot::setWatchpointSet):
3717
37182014-05-09 Tanay C <tanay.c@samsung.com>
3719
3720 Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
3721 https://bugs.webkit.org/show_bug.cgi?id=132331
3722
3723 Reviewed by Darin Adler.
3724
3725 * dfg/DFGFixupPhase.cpp:
3726 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
3727
37282014-05-09 peavo@outlook.com <peavo@outlook.com>
3729
3730 [Win] Crash when enabling DFG JIT.
3731 https://bugs.webkit.org/show_bug.cgi?id=132683
3732
3733 Reviewed by Geoffrey Garen.
3734
3735 On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
3736 results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
3737 where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
3738 This causes the register to be written to address 0, hence the crash.
3739
3740 * dfg/DFGOSRExitCompiler32_64.cpp:
3741 (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
3742 * dfg/DFGOSRExitCompiler64.cpp:
3743 (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
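The overload-resolution trap behind this crash and the two "[Win] Enum type with value zero is compatible with void*" entries above, as an added C++ example that is not JSC's own code: RegisterID, FPRegisterID, ImplicitAddress, TrustedImmPtr and the two assembler structs are constructed stand-ins for the real types. A conforming compiler does not treat an enumerator as a null pointer constant, so the literal 0 (and std::nullptr_t in the compile-time probe) plays the role MSVC gave eax.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <type_traits>
#include <utility>

// Constructed stand-ins for JSC's register enums; not the project's own code.
// eax == 0 is the enumerator value that MSVC treated as a null pointer constant.
enum RegisterID { eax = 0, ecx = 1, edx = 2 };
enum FPRegisterID { xmm0 = 0, xmm1 = 1 };

// Register-relative address, implicitly constructible from a base register
// (modelled on ImplicitAddress).
struct ImplicitAddress {
    ImplicitAddress(RegisterID b) : base(b), offset(0) {}
    RegisterID base;
    int offset;
};

// The "emitted instruction" as text, so a test can see which overload ran.
static std::string storeToReg(FPRegisterID src, ImplicitAddress dst) {
    return "store xmm" + std::to_string(static_cast<int>(src)) +
           " -> [reg " + std::to_string(static_cast<int>(dst.base)) + "]";
}
static std::string storeToAddr(FPRegisterID src, const void* dst) {
    return "store xmm" + std::to_string(static_cast<int>(src)) +
           " -> [addr " + std::to_string(reinterpret_cast<std::uintptr_t>(dst)) + "]";
}

// Before: the absolute-address overload takes a raw const void*. A null pointer
// constant reaches it by a standard conversion, which overload resolution ranks
// above the user-defined RegisterID -> ImplicitAddress conversion.
struct BeforeAssembler {
    std::string storeDouble(FPRegisterID src, ImplicitAddress dst) { return storeToReg(src, dst); }
    std::string storeDouble(FPRegisterID src, const void* dst) { return storeToAddr(src, dst); }
};

// After: the pointer is wrapped in a type with an explicit constructor
// (modelled on TrustedImmPtr), so nothing converts to it silently.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};
struct AfterAssembler {
    std::string storeDouble(FPRegisterID src, ImplicitAddress dst) { return storeToReg(src, dst); }
    std::string storeDouble(FPRegisterID src, TrustedImmPtr dst) { return storeToAddr(src, dst.value); }
};

// The literal 0 stands in for what MSVC did with eax: the address overload wins
// and the store is emitted against address 0, which is the crash in the entry.
std::string beforeWithLiteralZero() {
    BeforeAssembler a;
    return a.storeDouble(xmm0, 0);   // "store xmm0 -> [addr 0]"
}

// With the wrapper, a register can only mean a register-relative address.
std::string afterWithRegister() {
    AfterAssembler a;
    return a.storeDouble(xmm0, eax); // "store xmm0 -> [reg 0]"
}

// Compile-time probe: can Asm::storeDouble take a second argument of type Arg?
template <typename Asm, typename Arg, typename = void>
struct AcceptsSecondArg : std::false_type {};
template <typename Asm, typename Arg>
struct AcceptsSecondArg<Asm, Arg,
    decltype(void(std::declval<Asm&>().storeDouble(std::declval<FPRegisterID>(), std::declval<Arg>())))>
    : std::true_type {};

// nullptr is a null pointer constant on every compiler, so it stands in for the
// silent enum-to-pointer conversion: accepted before the change, rejected after.
constexpr bool beforeAcceptsNull = AcceptsSecondArg<BeforeAssembler, std::nullptr_t>::value;
constexpr bool afterAcceptsNull = AcceptsSecondArg<AfterAssembler, std::nullptr_t>::value;
constexpr bool afterAcceptsRegister = AcceptsSecondArg<AfterAssembler, RegisterID>::value;
static_assert(beforeAcceptsNull && !afterAcceptsNull && afterAcceptsRegister,
              "explicit wrapper closes the pointer overload to null-like arguments");
```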
3744
37452014-05-09 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
3746
3747 REGRESSION(r167094): JSC crashes on ARM Traditional
3748 https://bugs.webkit.org/show_bug.cgi?id=132738
3749
3750 Reviewed by Zoltan Herczeg.
3751
3752 PC is two instructions ahead of the current instruction
3753 on ARM Traditional, so the distance is 8 bytes not 2.
3754
3755 * llint/LowLevelInterpreter.asm:
3756
37572014-05-09 Alberto Garcia <berto@igalia.com>
3758
3759 jsmin.py license header confusing, mentions non-free license
3760 https://bugs.webkit.org/show_bug.cgi?id=123665
3761
3762 Reviewed by Darin Adler.
3763
3764 Pull the most recent version from upstream, which has a clear
3765 license.
3766
3767 * inspector/scripts/jsmin.py:
3768
37692014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
3770
3771 Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
3772 https://bugs.webkit.org/show_bug.cgi?id=132695
3773
3774 Reviewed by Filip Pizlo.
3775
3776 We check in the case where we're accessing something other than the base object (e.g. the prototype),
3777 but we fail to do so for the base object.
3778
3779 * jit/Repatch.cpp:
3780 (JSC::tryCacheGetByID):
3781 (JSC::tryBuildGetByIDList):
3782 * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
3783 because all of the values that are returned that could be impure are set to uncacheable anyways.
3784 (WTF::ImpureGetter::ImpureGetter):
3785 (WTF::ImpureGetter::createStructure):
3786 (WTF::ImpureGetter::create):
3787 (WTF::ImpureGetter::finishCreation):
3788 (WTF::ImpureGetter::getOwnPropertySlot):
3789 (WTF::ImpureGetter::visitChildren):
3790 (WTF::ImpureGetter::setDelegate):
3791 (GlobalObject::finishCreation):
3792 (functionCreateImpureGetter):
3793 (functionSetImpureGetterDelegate):
3794 * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
3795 (foo):
3796
37972014-05-08 Filip Pizlo <fpizlo@apple.com>
3798
3799 deleteAllCompiledCode() shouldn't use the suspension worklist
3800 https://bugs.webkit.org/show_bug.cgi?id=132708
3801
3802 Reviewed by Mark Hahnenberg.
3803
3804 * bytecode/CodeBlock.cpp:
3805 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3806 * dfg/DFGPlan.cpp:
3807 (JSC::DFG::Plan::isStillValid):
3808 * heap/Heap.cpp:
3809 (JSC::Heap::deleteAllCompiledCode):
3810
38112014-05-08 Filip Pizlo <fpizlo@apple.com>
3812
3813 SSA conversion should delete PhantomLocals for captured variables
3814 https://bugs.webkit.org/show_bug.cgi?id=132693
3815
3816 Reviewed by Mark Hahnenberg.
3817
3818 * dfg/DFGCommon.cpp:
3819 (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
3820 * dfg/DFGCommon.h:
3821 * dfg/DFGFixupPhase.cpp:
3822 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
3823 * dfg/DFGLivenessAnalysisPhase.cpp:
3824 (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
3825 * dfg/DFGSSAConversionPhase.cpp:
3826 (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
3827 * dfg/DFGValidate.cpp: Use the workaround.
3828 * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
3829 (foo):
3830 (bar):
3831
38322014-05-07 Commit Queue <commit-queue@webkit.org>
3833
3834 Unreviewed, rolling out r168451.
3835 https://bugs.webkit.org/show_bug.cgi?id=132670
3836
3837 Not a speed-up, just do what other compilers do. (Requested by
3838 kling on #webkit).
3839
3840 Reverted changeset:
3841
3842 "[X86] Emit BT instruction for single-bit tests."
3843 https://bugs.webkit.org/show_bug.cgi?id=132650
3844 http://trac.webkit.org/changeset/168451
3845
38462014-05-07 Filip Pizlo <fpizlo@apple.com>
3847
3848 Make Executable::clearCode() actually clear all of the entrypoints, and
3849 clean up some other FTL-related calling convention stuff.
3850 <rdar://problem/16720172>
3851
3852 Rubber stamped by Mark Hahnenberg.
3853
3854 * dfg/DFGOperations.cpp:
3855 * dfg/DFGOperations.h:
3856 * dfg/DFGWorklist.cpp:
3857 (JSC::DFG::Worklist::Worklist):
3858 (JSC::DFG::Worklist::finishCreation):
3859 (JSC::DFG::Worklist::create):
3860 (JSC::DFG::ensureGlobalDFGWorklist):
3861 (JSC::DFG::ensureGlobalFTLWorklist):
3862 * dfg/DFGWorklist.h:
3863 * heap/CodeBlockSet.cpp:
3864 (JSC::CodeBlockSet::dump):
3865 * heap/CodeBlockSet.h:
3866 * runtime/Executable.cpp:
3867 (JSC::ExecutableBase::clearCode):
3868
38692014-05-07 Andreas Kling <akling@apple.com>
3870
3871 [X86] Emit BT instruction for single-bit tests.
3872 <https://webkit.org/b/132650>
3873
3874 Implement test-bit-and-branch slightly more efficiently by using
3875 BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
3876 a single bit.
3877
3878 Reviewed by Michael Saboff.
3879
3880 * assembler/MacroAssemblerX86Common.h:
3881 (JSC::MacroAssemblerX86Common::singleBitIndex):
3882 (JSC::MacroAssemblerX86Common::branchTest32):
3883 * assembler/X86Assembler.h:
3884 (JSC::X86Assembler::bt_i8r):
3885 (JSC::X86Assembler::bt_i8m):
3886
38872014-05-07 Mark Lam <mark.lam@apple.com>
3888
3889 REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
3890 <https://webkit.org/b/131356>
3891
3892 Reviewed by Geoffrey Garen.
3893
3894 The issue is that GC needs to be made aware of writes to m_inferredValue
3895 in the VariableWatchpointSet, but was not. As a result, if a JSCell*
3896 is written to a VariableWatchpointSet m_inferredValue, and that JSCell
3897 does not survive an eden GC shortly after, we will end up with a stale
3898 JSCell pointer left in the m_inferredValue.
3899
3900 This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
3901 using DumpRenderTree with the VM heap in zombie mode.
3902
3903 The fix is to change VariableWatchpointSet m_inferredValue to type
3904 WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
3905 is executed by all the execution engines so that the WriteBarrier semantics
3906 are honored.
3907
3908 We still check if the value to be written is the same as the one in the
3909 inferredValue. We'll by-pass calling the slow path notifyWrite() if the
3910 values are the same.
3911
3912 * JavaScriptCore.xcodeproj/project.pbxproj:
3913 * bytecode/CodeBlock.cpp:
3914 (JSC::CodeBlock::CodeBlock):
3915 - need to pass the symbolTable to prepareToWatch() because it will be needed
3916 for instantiating the VariableWatchpointSet in prepareToWatch().
3917
3918 * bytecode/VariableWatchpointSet.h:
3919 (JSC::VariableWatchpointSet::VariableWatchpointSet):
3920 - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
3921 write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
3922 (JSC::VariableWatchpointSet::inferredValue):
3923 (JSC::VariableWatchpointSet::invalidate):
3924 (JSC::VariableWatchpointSet::finalizeUnconditionally):
3925 (JSC::VariableWatchpointSet::addressOfInferredValue):
3926 (JSC::VariableWatchpointSet::notifyWrite): Deleted.
3927 * bytecode/VariableWatchpointSetInlines.h: Added.
3928 (JSC::VariableWatchpointSet::notifyWrite):
3929
3930 * dfg/DFGByteCodeParser.cpp:
3931 (JSC::DFG::ByteCodeParser::cellConstant):
3932 - Added an assert in case we try to make constants of zombified JSCells again.
3933
3934 * dfg/DFGOperations.cpp:
3935 * dfg/DFGOperations.h:
3936 * dfg/DFGSpeculativeJIT.h:
3937 (JSC::DFG::SpeculativeJIT::callOperation):
3938 * dfg/DFGSpeculativeJIT32_64.cpp:
3939 (JSC::DFG::SpeculativeJIT::compile):
3940 * dfg/DFGSpeculativeJIT64.cpp:
3941 (JSC::DFG::SpeculativeJIT::compile):
3942 - We now let the slow path handle the cases when the VariableWatchpointSet is
3943 in state ClearWatchpoint and IsWatched, and the slow path will ensure that
3944 we handle the needed write barrier semantics correctly.
3945 We will by-pass the slow path if the value being written is the same as the
3946 inferred value.
3947
3948 * ftl/FTLIntrinsicRepository.h:
3949 * ftl/FTLLowerDFGToLLVM.cpp:
3950 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
3951 - Let the slow path handle the cases when the VariableWatchpointSet is
3952 in state ClearWatchpoint and IsWatched.
3953 We will by-pass the slow path if the value being written is the same as the
3954 inferred value.
3955
3956 * heap/Heap.cpp:
3957 (JSC::Zombify::operator()):
3958 - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
3959 which is used everywhere else).
3960 * heap/Heap.h:
3961 (JSC::Heap::isZombified):
3962 - Provide a convenience test function to check if JSCells are zombified. This is
3963 currently only used in an assertion in the DFG bytecode parser, but the intent
3964 it that we'll apply this test in other strategic places later to help with early
3965 detection of usage of GC'ed objects when we run in zombie mode.
3966
3967 * jit/JITOpcodes.cpp:
3968 (JSC::JIT::emitSlow_op_captured_mov):
3969 * jit/JITOperations.h:
3970 * jit/JITPropertyAccess.cpp:
3971 (JSC::JIT::emitNotifyWrite):
3972 * jit/JITPropertyAccess32_64.cpp:
3973 (JSC::JIT::emitNotifyWrite):
3974 (JSC::JIT::emitSlow_op_put_to_scope):
3975 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
3976 is in state ClearWatchpoint and IsWatched.
3977 We will by-pass the slow path if the value being written is the same as the
3978 inferred value.
3979
3980 * llint/LowLevelInterpreter32_64.asm:
3981 * llint/LowLevelInterpreter64.asm:
3982 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
3983 is in state ClearWatchpoint and IsWatched.
3984 We will by-pass the slow path if the value being written is the same as the
3985 inferred value.
3986
3987 * runtime/CommonSlowPaths.cpp:
3988
3989 * runtime/JSCJSValue.h: Fixed some typos in the comments.
3990 * runtime/JSGlobalObject.cpp:
3991 (JSC::JSGlobalObject::addGlobalVar):
3992 (JSC::JSGlobalObject::addFunction):
3993 * runtime/JSSymbolTableObject.h:
3994 (JSC::symbolTablePut):
3995 (JSC::symbolTablePutWithAttributes):
3996 * runtime/SymbolTable.cpp:
3997 (JSC::SymbolTableEntry::prepareToWatch):
3998 (JSC::SymbolTableEntry::notifyWriteSlow):
3999 * runtime/SymbolTable.h:
4000 (JSC::SymbolTableEntry::notifyWrite):
4001
40022014-05-06 Michael Saboff <msaboff@apple.com>
4003
4004 Unreviewd build fix for C-LOOP after r168396.
4005
4006 * runtime/TestRunnerUtils.cpp:
4007 (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
4008
40092014-05-06 Michael Saboff <msaboff@apple.com>
4010
4011 Add test for deleteAllCompiledCode
4012 https://bugs.webkit.org/show_bug.cgi?id=132632
4013
4014 Reviewed by Phil Pizlo.
4015
4016 Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
4017 the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
4018 to write a test that will queue up loads of DFG compiles and then call
4019 Heap::deleteAllCompiledCode() to make sure that it can handle compiled
4020 code as well as code being compiled.
4021
4022 * jsc.cpp:
4023 (GlobalObject::finishCreation):
4024 (functionDeleteAllCompiledCode):
4025 (functionOptimizeNextInvocation):
4026 * runtime/TestRunnerUtils.cpp:
4027 (JSC::optimizeNextInvocation):
4028 * runtime/TestRunnerUtils.h:
4029 * tests/stress/deleteAllCompiledCode.js: Added.
4030 (functionList):
4031 (runTest):
4032
40332014-05-06 Andreas Kling <akling@apple.com>
4034
4035 JSString::toAtomicString() should return AtomicString.
4036 <https://webkit.org/b/132627>
4037
4038 Remove premature optimization where I was trying to avoid refcount
4039 churn when returning an already atomicized String.
4040
4041 Instead of using reinterpret_cast to mangle the String member into
4042 a const AtomicString& return value, just return AtomicString.
4043
4044 Reviewed by Geoff Garen.
4045
4046 * runtime/JSString.h:
4047 (JSC::JSString::toAtomicString):
4048
40492014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>
4050
4051 Roll out r167889
4052
4053 Rubber stamped by Geoff Garen.
4054
4055 It broke some websites.
4056
4057 * runtime/JSPropertyNameIterator.cpp:
4058 (JSC::JSPropertyNameIterator::create):
4059 * runtime/PropertyMapHashTable.h:
4060 (JSC::PropertyTable::hasDeletedOffset):
4061 (JSC::PropertyTable::hadDeletedOffset): Deleted.
4062 * runtime/Structure.cpp:
4063 (JSC::Structure::Structure):
4064 (JSC::Structure::materializePropertyMap):
4065 (JSC::Structure::removePropertyTransition):
4066 (JSC::Structure::changePrototypeTransition):
4067 (JSC::Structure::despecifyFunctionTransition):
4068 (JSC::Structure::attributeChangeTransition):
4069 (JSC::Structure::toDictionaryTransition):
4070 (JSC::Structure::preventExtensionsTransition):
4071 (JSC::Structure::addPropertyWithoutTransition):
4072 (JSC::Structure::removePropertyWithoutTransition):
4073 (JSC::Structure::pin):
4074 (JSC::Structure::pinAndPreventTransitions): Deleted.
4075 * runtime/Structure.h:
4076 * runtime/StructureInlines.h:
4077 (JSC::Structure::setEnumerationCache):
4078 (JSC::Structure::propertyTable):
4079 (JSC::Structure::checkOffsetConsistency):
4080 (JSC::Structure::hadDeletedOffsets): Deleted.
4081 * tests/stress/for-in-after-delete.js:
4082 (foo): Deleted.
4083
40842014-05-05 Andreas Kling <akling@apple.com>
4085
4086 Fix debug build.
4087
4088 * runtime/JSCellInlines.h:
4089 (JSC::JSCell::fastGetOwnProperty):
4090
40912014-05-05 Andreas Kling <akling@apple.com>
4092
4093 Optimize GetByVal when subscript is a rope string.
4094 <https://webkit.org/b/132590>
4095
4096 Use JSString::toIdentifier() in the various GetByVal implementations
4097 to try and avoid allocating extra strings.
4098
4099 Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
4100 in that, to avoid calling JSString::value() which always resolves ropes
4101 into new strings and de-optimizes subsequent toIdentifier() calls.
4102
4103 My iMac says ~9% progression on Dromaeo/dom-attr.html
4104
4105 Reviewed by Phil Pizlo.
4106
4107 * dfg/DFGOperations.cpp:
4108 * jit/JITOperations.cpp:
4109 (JSC::getByVal):
4110 * llint/LLIntSlowPaths.cpp:
4111 (JSC::LLInt::getByVal):
4112 * runtime/JSCell.h:
4113 * runtime/JSCellInlines.h:
4114 (JSC::JSCell::fastGetOwnProperty):
4115 (JSC::JSCell::canUseFastGetOwnProperty):
4116
41172014-05-05 Andreas Kling <akling@apple.com>
4118
4119 REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
4120 <https://webkit.org/b/168256>
4121 <rdar://problem/16816316>
4122
4123 Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
4124 clear the fibers. The caller takes care of this.
4125
4126 Test: fast/dom/getElementById-with-rope-string-arg.html
4127
4128 Reviewed by Geoffrey Garen.
4129
4130 * runtime/JSString.cpp:
4131 (JSC::JSRopeString::resolveRopeSlowCase8):
4132
41332014-05-05 Michael Saboff <msaboff@apple.com>
4134
4135 REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
4136 https://bugs.webkit.org/show_bug.cgi?id=132581
4137
4138 Reviewed by Filip Pizlo.
4139
4140 * dfg/DFGPlan.cpp:
4141 (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
4142 started compiling for is still the same at the end of compilation.
4143 Also did some minor restructuring.
4144
41452014-05-05 Andreas Kling <akling@apple.com>
4146
4147 Optimize PutByVal when subscript is a rope string.
4148 <https://webkit.org/b/132572>
4149
4150 Add a JSString::toIdentifier() that is smarter when the JSString is
4151 really a rope string. Use this in baseline & DFG's PutByVal to avoid
4152 allocating new StringImpls that we immediately deduplicate anyway.
4153
Reviewed by Antti Koivisto.

* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* jit/JITOperations.cpp:
* runtime/JSString.h:
(JSC::JSString::toIdentifier):

2014-05-05 Andreas Kling <akling@apple.com>

Remove two now-incorrect assertions after r168256.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04 Andreas Kling <akling@apple.com>

Optimize JSRopeString for resolving directly to AtomicString.
<https://webkit.org/b/132548>

If we know that the JSRopeString we are resolving is going to be used
as an AtomicString, we can try to avoid creating a new string.

We do this by first resolving the rope into a stack buffer, and using
that buffer as a key into the AtomicString table. If there is already
an AtomicString with the same characters, we reuse that instead of
constructing a new StringImpl.

JSString gains these two public functions:

- AtomicString toAtomicString()

Returns an AtomicString, tries to avoid allocating a new string
if possible.

- AtomicStringImpl* toExistingAtomicString()

Returns a non-null AtomicStringImpl* if one already exists in the
AtomicString table. If none is found, the rope is left unresolved.

Reviewed by Filip Pizlo.

* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::clearFibers):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::outOfMemory):
* runtime/JSString.h:
(JSC::JSString::toAtomicString):
(JSC::JSString::toExistingAtomicString):

2014-05-04 Andreas Kling <akling@apple.com>

Unreviewed, rolling out r168254.

Very crashy on debug JSC tests.

Reverted changeset:

"jsSubstring() should be lazy"
https://bugs.webkit.org/show_bug.cgi?id=132556
http://trac.webkit.org/changeset/168254

2014-05-04 Filip Pizlo <fpizlo@apple.com>

jsSubstring() should be lazy
https://bugs.webkit.org/show_bug.cgi?id=132556

Reviewed by Andreas Kling.

jsSubstring() is now lazy by using a special rope that is a substring instead of a
concatenation. To make this patch super simple, we require that a substring's base is
never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
path, or we go down a concatenation path which may see exactly one level of substrings in
its fibers.

This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::specializedSweep):
* runtime/JSString.cpp:
(JSC::JSRopeString::visitFibers):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
(JSC::JSRopeString::outOfMemory):
* runtime/JSString.h:
(JSC::JSRopeString::finishCreation):
(JSC::JSRopeString::append):
(JSC::JSRopeString::create):
(JSC::JSRopeString::offsetOfFibers):
(JSC::JSRopeString::fiber):
(JSC::JSRopeString::substringBase):
(JSC::JSRopeString::substringOffset):
(JSC::JSRopeString::substringSentinel):
(JSC::JSRopeString::isSubstring):
(JSC::jsSubstring):
* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::reifyAllProperties):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSubstring):

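The substring-rope invariant from this entry (a substring's base is never a rope, so resolution is non-recursive) together with the resolve-into-a-scratch-buffer lookup of toExistingAtomicString() from the 2014-05-04 "Optimize JSRopeString" entry above, as an added example. This is not JavaScriptCore's code: the Rope struct, the function names and the std::string/unordered_set stand-ins for StringImpl and the AtomicString table are assumptions.

```cpp
// Added example, not JavaScriptCore code: a toy JSRopeString with both rope kinds.
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

struct Rope;
using RopePtr = std::shared_ptr<Rope>;

// A rope is a concatenation of fibers or a substring of a flat base. Once
// resolved, the characters live in `flat` and the fibers/base are dropped.
struct Rope {
    bool resolved = false;
    bool isSubstring = false;
    std::string flat;                         // valid when resolved
    std::vector<RopePtr> fibers;              // concatenation rope
    RopePtr base;                             // substring rope: always flat, never a rope
    std::size_t offset = 0, length = 0;       // substring rope: view into base->flat
};

RopePtr makeFlat(std::string s) {
    auto r = std::make_shared<Rope>();
    r->resolved = true;
    r->flat = std::move(s);
    return r;
}

RopePtr makeConcat(std::vector<RopePtr> fibers) {
    auto r = std::make_shared<Rope>();
    r->fibers = std::move(fibers);
    return r;
}

// Copy the rope's characters into `out` without mutating it: substrings are a
// single append; concatenations are walked with an explicit stack.
void resolveInto(const Rope& rope, std::string& out) {
    std::vector<const Rope*> stack{&rope};
    while (!stack.empty()) {
        const Rope* r = stack.back();
        stack.pop_back();
        if (r->resolved)
            out += r->flat;
        else if (r->isSubstring)
            out.append(r->base->flat, r->offset, r->length);
        else
            for (auto it = r->fibers.rbegin(); it != r->fibers.rend(); ++it)
                stack.push_back(it->get());
    }
}

// Materialise the characters and clear the fibers (what clearFibers() does in JSC).
const std::string& resolveRope(Rope& rope) {
    if (!rope.resolved) {
        std::string out;
        resolveInto(rope, out);
        rope.flat = std::move(out);
        rope.fibers.clear();
        rope.base.reset();
        rope.resolved = true;
    }
    return rope.flat;
}

// Lazy jsSubstring(): a substring's base must be flat, so a rope base is
// resolved eagerly, which is what keeps resolution non-recursive.
RopePtr makeSubstring(RopePtr base, std::size_t offset, std::size_t length) {
    resolveRope(*base);
    auto r = std::make_shared<Rope>();
    r->isSubstring = true;
    r->base = std::move(base);
    r->offset = offset;
    r->length = length;
    return r;
}

// Stand-in for the AtomicString table: one canonical string per content.
using AtomicTable = std::unordered_set<std::string>;

// Resolve into a scratch buffer and probe the table. On a hit the rope adopts
// the existing string; on a miss it stays unresolved and nullptr is returned.
const std::string* toExistingAtomicString(Rope& rope, const AtomicTable& table) {
    std::string scratch;                      // stands in for the stack buffer
    resolveInto(rope, scratch);
    auto it = table.find(scratch);
    if (it == table.end())
        return nullptr;
    rope.flat = *it;
    rope.fibers.clear();
    rope.base.reset();
    rope.resolved = true;
    return &*it;
}

// Like the above, but a miss inserts the freshly resolved string.
const std::string& toAtomicString(Rope& rope, AtomicTable& table) {
    if (const std::string* hit = toExistingAtomicString(rope, table))
        return *hit;
    return *table.insert(resolveRope(rope)).first;
}
```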
2014-05-02 Michael Saboff <msaboff@apple.com>

"arm64 function not 4-byte aligned" warnings when building JSC
https://bugs.webkit.org/show_bug.cgi?id=132495

Reviewed by Geoffrey Garen.

Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

* llint/LowLevelInterpreter.cpp:

2014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>

Fix cloop build after r168178

* bytecode/CodeBlock.cpp:

2014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>

Add a DFG function whitelist
https://bugs.webkit.org/show_bug.cgi?id=132437

Reviewed by Geoffrey Garen.

Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
particular DFG block that's causing issues. This patch adds the ability to whitelist
specific functions specified in a file to enable further filtering without having to recompile.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupported):
(JSC::DFG::mightInlineFunctionForCall):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::mightInlineFunctionForConstruct):
* dfg/DFGFunctionWhitelist.cpp: Added.
(JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
(JSC::DFG::FunctionWhitelist::FunctionWhitelist):
(JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
(JSC::DFG::FunctionWhitelist::contains):
* dfg/DFGFunctionWhitelist.h: Added.
* runtime/Options.cpp:
(JSC::parse):
(JSC::Options::dumpOption):
* runtime/Options.h:

2014-05-02 Filip Pizlo <fpizlo@apple.com>

DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
https://bugs.webkit.org/show_bug.cgi?id=132446

Reviewed by Mark Hahnenberg.

Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
to indicate a bound on the value. This is useful for knowing, for example, that
Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
But this means that all arithmetic operations must be careful to note that they may
turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
* tests/stress/int52-ai-add-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
(foo):
* tests/stress/int52-ai-mul-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-neg-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-sub-then-filter-int32.js: Added.
(foo):

2014-05-01 Geoffrey Garen <ggaren@apple.com>

JavaScriptCore fails to build with some versions of clang
https://bugs.webkit.org/show_bug.cgi?id=132436

Reviewed by Anders Carlsson.

* runtime/ArgumentsIteratorConstructor.cpp: Since we call
putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
and both are marked inline, it's valid for the compiler to decide
to inline both and emit neither in the binary. Therefore, we need
both inline definitions to be available in the translation unit at
compile time, or we'll try to link against a function that doesn't exist.

2014-05-01 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r167964.
https://bugs.webkit.org/show_bug.cgi?id=132431

Memory improvements should not regress memory usage (Requested
by olliej on #webkit).

Reverted changeset:

"Don't hold on to parameter BindingNodes forever"
https://bugs.webkit.org/show_bug.cgi?id=132360
http://trac.webkit.org/changeset/167964

2014-05-01 Filip Pizlo <fpizlo@apple.com>

Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
https://bugs.webkit.org/show_bug.cgi?id=132427

Reviewed by Mark Hahnenberg.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):

2014-04-30 Simon Fraser <simon.fraser@apple.com>

Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
https://bugs.webkit.org/show_bug.cgi?id=132396

Reviewed by Eric Carlson.

Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

* Configurations/FeatureDefines.xcconfig:

2014-04-30 Filip Pizlo <fpizlo@apple.com>

Argument flush formats should not be presumed to be JSValue since 'this' is weird
https://bugs.webkit.org/show_bug.cgi?id=132404

Reviewed by Michael Saboff.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Ditto.
* dfg/DFGValueSource.cpp:
(JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
* dfg/DFGValueSource.h:
(JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
* tests/stress/strict-to-this-int.js: Added.
(foo):
(Number.prototype.valueOf):
(test):

2014-04-29 Oliver Hunt <oliver@apple.com>

Don't hold on to parameterBindingNodes forever
https://bugs.webkit.org/show_bug.cgi?id=132360

Reviewed by Geoffrey Garen.

Don't keep the parameter nodes anymore. Instead we store the
original parameter string and reparse whenever we actually
need them. Because we only actually need them for compilation
this only results in a single extra parse.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::visitChildren):
(JSC::UnlinkedFunctionExecutable::finishCreation):
(JSC::UnlinkedFunctionExecutable::paramString):
(JSC::UnlinkedFunctionExecutable::parameters):
(JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::create):
(JSC::UnlinkedFunctionExecutable::parameterCount):
(JSC::UnlinkedFunctionExecutable::parameters): Deleted.
(JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::ASTBuilder):
(JSC::ASTBuilder::setFunctionBodyParameters):
* parser/Nodes.h:
(JSC::FunctionBodyNode::parametersStartOffset):
(JSC::FunctionBodyNode::parametersEndOffset):
(JSC::FunctionBodyNode::setParameterLocation):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseFunctionInfo):
(JSC::parseParameters):
* parser/Parser.h:
(JSC::parse):
* parser/SourceCode.h:
(JSC::SourceCode::subExpression):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>

JSProxies should be cacheable
https://bugs.webkit.org/show_bug.cgi?id=132351

Reviewed by Geoffrey Garen.

Whenever we encounter a proxy in an inline cache we should try to cache on the
proxy's target instead of giving up.

This patch adds support for a simple "recursive" inline cache if the base object
we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
are the only ones to benefit from this right now.

This is performance neutral on the benchmarks we track. Currently we won't
cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionCreateProxy):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::isNormalized):
* runtime/JSCellInlines.h:
(JSC::JSCell::isProxy):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::finishCreation):
* runtime/JSProxy.h:
(JSC::JSProxy::createStructure):
(JSC::JSProxy::targetOffset):
* runtime/JSType.h:
* runtime/Operations.h:
(JSC::isPrototypeChainNormalized):
* runtime/Structure.h:
(JSC::Structure::isProxy):
* tests/stress/proxy-inline-cache.js: Added.
(cacheOnTarget.getX):
(cacheOnTarget):
(cacheOnPrototypeOfTarget.getX):
(cacheOnPrototypeOfTarget):
(dontCacheOnProxyInPrototypeChain.getX):
(dontCacheOnProxyInPrototypeChain):
(dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
(dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29 Filip Pizlo <fpizlo@apple.com>

Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
https://bugs.webkit.org/show_bug.cgi?id=112840

Rubber stamped by Geoffrey Garen.

* Configurations/FeatureDefines.xcconfig:

2014-04-29 Geoffrey Garen <ggaren@apple.com>

String.prototype.trim removes U+200B from strings.
https://bugs.webkit.org/show_bug.cgi?id=130184

Reviewed by Michael Saboff.

* runtime/StringPrototype.cpp:
(JSC::trimString):
(JSC::isTrimWhitespace): Deleted.

2014-04-29 Mark Lam <mark.lam@apple.com>

Zombifying sweep should ignore retired blocks.
<https://webkit.org/b/132344>

Reviewed by Mark Hahnenberg.

By definition, retired blocks do not have "dead" objects, or at least
none that we know of yet until the next marking phase has been run
over it. So, we should not be sweeping them (even for zombie mode).

* heap/Heap.cpp:
(JSC::Heap::zombifyDeadObjects):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::zombifySweep):
* heap/MarkedSpace.h:
(JSC::ZombifySweep::operator()):

2014-04-29 Mark Lam <mark.lam@apple.com>

Fix bit rot in zombie mode heap code.
<https://webkit.org/b/132342>

Reviewed by Mark Hahnenberg.

Need to enter a DelayedReleaseScope before doing a sweep.

* heap/Heap.cpp:
(JSC::Heap::zombifyDeadObjects):

2014-04-29 Tomas Popela <tpopela@redhat.com>

LLINT loadisFromInstruction doesn't need special case for big endians
https://bugs.webkit.org/show_bug.cgi?id=132330

Reviewed by Mark Lam.

The change introduced in r167076 was wrong. We should not apply the offset
adjustment on loadisFromInstruction usage as the instruction
(UnlinkedInstruction) is declared as a union (i.e. with the int32_t
operand variable). The offset of the other union members will be the
same as the offset of the first one, that is 0. The behavior here is the
same on little and big endian architectures. Thus we don't need a
special case for big endians.

* llint/LowLevelInterpreter.asm:

2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>

Simplify tryCacheGetById
https://bugs.webkit.org/show_bug.cgi?id=132314

Reviewed by Oliver Hunt and Filip Pizlo.

This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

* jit/Repatch.cpp:
(JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28 Michael Saboff <msaboff@apple.com>

REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
https://bugs.webkit.org/show_bug.cgi?id=132315

Reviewed by Mark Hahnenberg.

Used the StringImpl version of utf8() instead of creating a String first.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):

2014-04-28 Filip Pizlo <fpizlo@apple.com>

The LLInt is awesome and it should get more of the action.

Rubber stamped by Geoffrey Garen.

5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.

* runtime/Options.h:

2014-04-27 Filip Pizlo <fpizlo@apple.com>

GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
https://bugs.webkit.org/show_bug.cgi?id=132166

Reviewed by Oliver Hunt and Mark Hahnenberg.

The GC can aid type inference by removing structures that are dead and jettisoning
code that relies on those structures. This can dramatically accelerate type inference
for some tricky programs.

Unfortunately, we previously pinned any structures that enqueued compilations depended
on. This means that if you're on a machine that only runs a single compilation thread
and where compilations are relatively slow, you have a high chance of large numbers of
structures being pinned during any GC since the compilation queue is likely to be full
of random stuff.

This comprehensively fixes this issue by allowing the GC to remove compilation plans
if the things they depend on are dead, and to even cancel safepointed compilations.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
(JSC::CodeBlock::isKnownToBeLiveDuringGC):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
* dfg/DFGDesiredIdentifiers.cpp:
(JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
* dfg/DFGDesiredIdentifiers.h:
* dfg/DFGDesiredWatchpoints.h:
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
* dfg/DFGDesiredWeakReferences.h:
* dfg/DFGGraphSafepoint.cpp:
(JSC::DFG::GraphSafepoint::GraphSafepoint):
* dfg/DFGGraphSafepoint.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::notifyCompiling):
(JSC::DFG::Plan::notifyCompiled):
(JSC::DFG::Plan::notifyReady):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::visitChildren): Deleted.
* dfg/DFGPlan.h:
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::Result::~Result):
(JSC::DFG::Safepoint::Result::didGetCancelled):
(JSC::DFG::Safepoint::Safepoint):
(JSC::DFG::Safepoint::~Safepoint):
(JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
(JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
(JSC::DFG::Safepoint::cancel):
(JSC::DFG::Safepoint::visitChildren): Deleted.
* dfg/DFGSafepoint.h:
(JSC::DFG::Safepoint::Result::Result):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::runThread):
(JSC::DFG::Worklist::visitChildren): Deleted.
* dfg/DFGWorklist.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLCompile.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::visitCompilerWorklistWeakReferences):
(JSC::Heap::removeDeadCompilerWorklistEntries):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::collect):
(JSC::Heap::visitCompilerWorklists): Deleted.
* heap/Heap.h:

2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>

Deleting properties poisons objects
https://bugs.webkit.org/show_bug.cgi?id=131551

Reviewed by Oliver Hunt.

This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::hasDeletedOffset):
(JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
iterating properties because we're required to iterate properties in insertion order.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
(JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
delete transitions, but we allow transitioning from them.
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
(JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::hadDeletedOffsets):
(JSC::Structure::propertyTable):
(JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
* tests/stress/for-in-after-delete.js: Added.
(foo):

2014-04-25 Andreas Kling <akling@apple.com>

Inline (C++) GetByVal with numeric indices more aggressively.
<https://webkit.org/b/132218>

We were already inlining the string indexed GetByVal path pretty well,
while the path for numeric indices got neglected. No more!

~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

Before: 199.50 runs/s
After: 218.58 runs/s

Reviewed by Phil Pizlo.

* dfg/DFGOperations.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::get):

ALWAYS_INLINE all the things.

* runtime/JSObject.h:
(JSC::JSObject::getPropertySlot):

Avoid fetching the Structure more than once. We have the same
optimization in the string-indexed code path.

2014-04-25 Oliver Hunt <oliver@apple.com>

Need earlier cell test
https://bugs.webkit.org/show_bug.cgi?id=132211

Reviewed by Mark Lam.

Move cell test to before the function call repatch
location, as the repatch logic for 32-bit assumes that the
caller will already have performed a cell check.

* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):

2014-04-25 Andreas Kling <akling@apple.com>

Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
(JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25 Andreas Kling <akling@apple.com>

Windows build fix attempt.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25 Mark Lam <mark.lam@apple.com>

Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
<https://webkit.org/b/132201>

Reviewed by Joseph Pecoraro.

BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
BreakpointActions everywhere.

* inspector/ScriptBreakpoint.h:
(Inspector::ScriptBreakpoint::ScriptBreakpoint):
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::setBreakpoint):
(Inspector::ScriptDebugServer::getActionsForBreakpoint):
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::removeBreakpoint):
* inspector/agents/InspectorDebuggerAgent.h:

2014-04-24 Filip Pizlo <fpizlo@apple.com>

DFG worklist scanning should not treat the key as a separate entity
https://bugs.webkit.org/show_bug.cgi?id=132167

Reviewed by Mark Hahnenberg.

This simplifies the interface to the GC and will enable more optimizations.

* dfg/DFGCompilationKey.cpp:
(JSC::DFG::CompilationKey::visitChildren): Deleted.
* dfg/DFGCompilationKey.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::visitChildren):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::visitChildren):

2014-04-25 Oliver Hunt <oliver@apple.com>

Remove unused parameter from codeblock linking function
https://bugs.webkit.org/show_bug.cgi?id=132199

Reviewed by Anders Carlsson.

No change in behaviour. This is just a small change to make it
slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
actually mean.

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedCodeBlock.h:
* runtime/Executable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25 Andreas Kling <akling@apple.com>

Mark some things with WTF_MAKE_FAST_ALLOCATED.
<https://webkit.org/b/132198>

Use FastMalloc for more things.

Reviewed by Anders Carlsson.

* builtins/BuiltinExecutables.h:
* heap/GCThreadSharedData.h:
* inspector/JSConsoleClient.h:
* inspector/agents/InspectorAgent.h:
* runtime/CodeCache.h:
* runtime/JSGlobalObject.h:
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
(JSC::HashTable::deleteTable):
* runtime/WeakGCMap.h:

2014-04-25 Antoine Quint <graouts@webkit.org>

Implement Array.prototype.find()
https://bugs.webkit.org/show_bug.cgi?id=130966

Reviewed by Oliver Hunt.

Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

* builtins/Array.prototype.js:
(find):
(findIndex):
* runtime/ArrayPrototype.cpp:

2014-04-24 Brady Eidson <beidson@apple.com>

Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
https://bugs.webkit.org/show_bug.cgi?id=132155

Reviewed by Tim Horton.

* Configurations/FeatureDefines.xcconfig:

2014-04-24 Michael Saboff <msaboff@apple.com>

REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
https://bugs.webkit.org/show_bug.cgi?id=132147

Reviewed by Mark Lam.

Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::or64):
(JSC::MacroAssemblerARM64::xor32):
(JSC::MacroAssemblerARM64::xor64):
* tests/stress/regress-132147.js: Added test.

2014-04-24 Mark Lam <mark.lam@apple.com>

Make slowPathAllocsBetweenGCs a runtime option.
<https://webkit.org/b/132137>

Reviewed by Mark Hahnenberg.

This will make it easier to more casually run tests with this configuration
as well as to reproduce issues (instead of requiring a code mod and rebuild).
We will now take --slowPathAllocsBetweenGCs=N where N is the number of
slow path allocations before we trigger a collection.

The option defaults to 0, which is reserved to mean that we will not trigger
any collections there.

* heap/Heap.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::doTestCollectionsIfNeeded):
(JSC::MarkedAllocator::allocateSlowCase):
* heap/MarkedAllocator.h:
* runtime/Options.h:

2014-04-23 Mark Lam <mark.lam@apple.com>

The GC should only resume compiler threads that it suspended in the same GC pass.
<https://webkit.org/b/132088>

Reviewed by Mark Hahnenberg.

Previously, this scenario could occur:
1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
no worklists were created yet at that time.
2. Thread 2 starts to compile some functions and creates a DFG worklist, and
acquires the worklist thread's lock.
3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
This time, it sees the worklist created by Thread 2 and ends up unlocking
the worklist thread's lock that is supposedly held by Thread 2.
Thereafter, chaos ensues.

The fix is to cache the worklists that were actually suspended by each GC pass,
and only resume those when the GC is done.

This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
the fast/workers layout tests.

* heap/Heap.cpp:
(JSC::Heap::visitCompilerWorklists):
(JSC::Heap::deleteAllCompiledCode):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::resumeCompilerThreads):
* heap/Heap.h:

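The three-step interleaving above, replayed single-threaded with both the pre-fix resume (walk whatever worklists exist now) and the fixed resume (release only what this pass suspended), as an added example. This is not JavaScriptCore's code: Worklist, GCPass and the holder-tracking lock are assumptions standing in for the DFG worklist and its rightToRun lock.

```cpp
// Added example, not JavaScriptCore code: a deterministic replay of the race.
#include <memory>
#include <vector>

// Stand-in for a DFG worklist's lock. The holder is tracked so that a release
// by a non-owner (undefined behaviour on a real mutex) becomes observable.
struct Worklist {
    int holder = 0;  // 0 = unlocked, otherwise the id of the locking thread

    bool tryLock(int thread) {
        if (holder)
            return false;
        holder = thread;
        return true;
    }
    // Returns false when `thread` releases a lock it does not hold.
    bool unlock(int thread) {
        bool owned = holder == thread;
        holder = 0;  // a real unlock would clobber the state just the same
        return owned;
    }
};

using WorklistPtr = std::shared_ptr<Worklist>;

struct VM {
    std::vector<WorklistPtr> worklists;  // created lazily by compiler threads
};

class GCPass {
public:
    GCPass(VM& vm, int gcThread) : m_vm(vm), m_gcThread(gcThread) {}

    // Suspend every worklist that exists right now and remember which ones.
    void suspendCompilerThreads() {
        for (auto& w : m_vm.worklists)
            if (w->tryLock(m_gcThread))
                m_suspended.push_back(w);
    }

    // Fixed resume: release only what this pass suspended.
    // Returns the number of foreign unlocks (0 when the pass behaved).
    int resumeCompilerThreads() {
        int foreign = 0;
        for (auto& w : m_suspended)
            foreign += w->unlock(m_gcThread) ? 0 : 1;
        m_suspended.clear();
        return foreign;
    }

    // Pre-fix resume: walk whatever worklists the VM has at resume time.
    int resumeAllWorklistsPreFix() {
        int foreign = 0;
        for (auto& w : m_vm.worklists)
            foreign += w->unlock(m_gcThread) ? 0 : 1;
        return foreign;
    }

private:
    VM& m_vm;
    int m_gcThread;
    std::vector<WorklistPtr> m_suspended;
};

struct ReplayResult {
    int foreignUnlocks;      // locks released that the GC never took
    int holderAfterResume;   // who holds the late-created worklist afterwards
};

// Steps 1-3 from the entry: the GC (thread 1) suspends before any worklist
// exists, thread 2 then creates and locks one, and the GC resumes.
ReplayResult replayRace(bool useFix) {
    VM vm;
    GCPass gc(vm, 1);
    gc.suspendCompilerThreads();                // 1: nothing to suspend yet
    auto w = std::make_shared<Worklist>();      // 2: thread 2 creates a worklist
    vm.worklists.push_back(w);
    w->tryLock(2);                              //    and takes its lock
    int foreign = useFix ? gc.resumeCompilerThreads()
                         : gc.resumeAllWorklistsPreFix();  // 3
    return {foreign, w->holder};
}

// Control: a worklist that existed before the GC started is suspended and
// resumed cleanly by either strategy.
ReplayResult replayNoRace(bool useFix) {
    VM vm;
    vm.worklists.push_back(std::make_shared<Worklist>());
    GCPass gc(vm, 1);
    gc.suspendCompilerThreads();
    int foreign = useFix ? gc.resumeCompilerThreads()
                         : gc.resumeAllWorklistsPreFix();
    return {foreign, vm.worklists[0]->holder};
}
```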
2014-04-23 Mark Hahnenberg <mhahnenberg@apple.com>

Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
https://bugs.webkit.org/show_bug.cgi?id=132079

Reviewed by Michael Saboff.

Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

Also added a test that previously triggered this bug.

* runtime/Arguments.cpp:
(JSC::Arguments::copyBackingStore): D'oh!
* tests/stress/arguments-copy-register-array-backing-store.js: Added.
(foo):
(bar):

2014-04-23 Mark Rowe <mrowe@apple.com>

[Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
<https://webkit.org/b/132053>

Reviewed by Dan Bernstein.

* JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
from /bin/sh since that generates unnecessary output.

2014-04-22 Mark Lam <mark.lam@apple.com>

DFG::Worklist should acquire the m_lock before iterating DFG plans.
<https://webkit.org/b/132032>

Reviewed by Filip Pizlo.

Currently, there's a rightToRun mechanism that ensures that no compilation
threads are running when the GC is iterating through the DFG worklists.
However, this does not prevent a Worker thread from doing a DFG compilation
and modifying the plans in the worklists thereby invalidating the plan
iterator that the GC is using. This patch fixes the issue by acquiring
the worklist m_lock before iterating the worklist plans.

This issue was uncovered by running the fast/workers layout tests with
COLLECT_ON_EVERY_ALLOCATION enabled.

* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::isActiveForVM):
(JSC::DFG::Worklist::visitChildren):

2014-04-22 Brent Fulgham <bfulgham@apple.com>

[Win] Support Python 2.7 in Cygwin
https://bugs.webkit.org/show_bug.cgi?id=132023

Reviewed by Michael Saboff.

* DerivedSources.make: Use a conditional variable to define
the path to Python/Perl.

2014-04-22 Filip Pizlo <fpizlo@apple.com>

Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
https://bugs.webkit.org/show_bug.cgi?id=130867
<rdar://problem/16432456>

Reviewed by Mark Hahnenberg.

* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:

2014-04-22 Alex Christensen <achristensen@webkit.org>

[Win] Unreviewed build fix after my r167666.

* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
Added ../../../ again to include headers in Source/JavaScriptCore.

2014-04-22 Alex Christensen <achristensen@webkit.org>

Removed old stdbool and inttypes headers.
https://bugs.webkit.org/show_bug.cgi?id=131966

Reviewed by Brent Fulgham.

* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
Removed references to os-win32 directory.
* os-win32: Removed.
* os-win32/inttypes.h: Removed.
* os-win32/stdbool.h: Removed.

2014-04-21 Filip Pizlo <fpizlo@apple.com>

DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
https://bugs.webkit.org/show_bug.cgi?id=131971
<rdar://problem/16676511>

Reviewed by Mark Lam.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

2014-04-21 Filip Pizlo <fpizlo@apple.com>

Switch statements that skip the baseline JIT should work
https://bugs.webkit.org/show_bug.cgi?id=131965

Reviewed by Mark Hahnenberg.

* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::ensureCTITable):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* tests/stress/inline-llint-with-switch.js: Added.
(foo):
(bar):
(test):

2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>

Arguments objects shouldn't need a destructor
https://bugs.webkit.org/show_bug.cgi?id=131899

Reviewed by Oliver Hunt.

This patch rids Arguments objects of their destructors. It does this by
switching their backing stores to use CopiedSpace rather than malloc memory.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
Arguments allocation so that it only emits an extra write for strict mode code rather
than unconditionally.
* heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
* runtime/Arguments.cpp:
(JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
(JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
(JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):
(JSC::Arguments::allocateRegisterArray):
5096 (JSC::Arguments::tearOff):
5097 (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
5098 * runtime/Arguments.h:
5099 (JSC::Arguments::registerArraySizeInBytes):
5100 (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
5101 in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
5102 allocation.
5103 (JSC::Arguments::SlowArgumentData::slowArguments):
5104 (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
5105 (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
5106 (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
5107 (JSC::Arguments::Arguments):
5108 (JSC::Arguments::allocateSlowArguments):
5109 (JSC::Arguments::tryDeleteArgument):
5110 (JSC::Arguments::isDeletedArgument):
5111 (JSC::Arguments::isArgument):
5112 (JSC::Arguments::argument):
5113 (JSC::Arguments::finishCreation):
5114 * runtime/SymbolTable.h:
5115
51162014-04-21 Eric Carlson <eric.carlson@apple.com>
5117
5118 [Mac] implement WebKitDataCue
5119 https://bugs.webkit.org/show_bug.cgi?id=131799
5120
5121 Reviewed by Dean Jackson.
5122
5123 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5124
51252014-04-21 Filip Pizlo <fpizlo@apple.com>
5126
5127 Unreviewed test gardening, run the repeat-out-of-bounds tests again.
5128
5129 * tests/stress/float32-repeat-out-of-bounds.js:
5130 * tests/stress/int8-repeat-out-of-bounds.js:
5131
51322014-04-21 Filip Pizlo <fpizlo@apple.com>
5133
5134 OSR exit should know about Int52 and Double constants
5135 https://bugs.webkit.org/show_bug.cgi?id=131945
5136
5137 Reviewed by Oliver Hunt.
5138
5139 The DFG OSR exit machinery's ignorance would lead to some constants becoming
5140 jsUndefined() after OSR exit.
5141
5142 The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
5143 stackmap constant rather than baking the constant into the OSRExit data structure.
5144 So, not a big deal, but worth fixing.
5145
5146 Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
5147
5148 * dfg/DFGByteCodeParser.cpp:
5149 (JSC::DFG::ByteCodeParser::handleIntrinsic):
5150 * dfg/DFGMinifiedNode.h:
5151 (JSC::DFG::belongsInMinifiedGraph):
5152 (JSC::DFG::MinifiedNode::hasConstantNumber):
5153 * ftl/FTLLowerDFGToLLVM.cpp:
5154 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
5155 * jsc.cpp:
5156 (GlobalObject::finishCreation):
5157 (functionOtherFalse):
5158 (functionUndefined):
5159 * runtime/Intrinsic.h:
5160 * tests/stress/fold-to-double-constant-then-exit.js: Added.
5161 (foo):
5162 * tests/stress/fold-to-int52-constant-then-exit.js: Added.
5163 (foo):
5164
51652014-04-21 Filip Pizlo <fpizlo@apple.com>
5166
5167 Provide feedback when we encounter an unrecognied node in the FTL backend.
5168
5169 Rubber stamped by Alexey Proskuryakov.
5170
5171 * ftl/FTLLowerDFGToLLVM.cpp:
5172 (JSC::FTL::LowerDFGToLLVM::compileNode):
5173
51742014-04-21 Andreas Kling <akling@apple.com>
5175
5176 Move the JSString cache from DOMWrapperWorld to VM.
5177 <https://webkit.org/b/131940>
5178
5179 Reviewed by Geoff Garen.
5180
5181 * runtime/VM.h:
5182
51832014-04-19 Filip Pizlo <fpizlo@apple.com>
5184
5185 Take block execution count estimates into account when voting double
5186 https://bugs.webkit.org/show_bug.cgi?id=131906
5187
5188 Reviewed by Geoffrey Garen.
5189
5190 This was a drama in three acts.
5191
5192 Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
5193 number of uses of a variable that want double or non-double. Easy as pie. This
5194 gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
5195 else.
5196
5197 Act II: Realize that there were some programs where our previous double voting was
5198 just on the edge of disaster and making it more precise tipped it over. In
5199 particular, if you had an integer variable that would infrequently be used in a
5200 computation that resulted in a variable that was frequently used as an array index,
5201 the outer infrequentness would be the thing we'd use in the vote. So, an array
5202 index would become double. We fix this by reviving global backwards propagation
5203 and introducing the concept of ReallyWantsInt, which is used just for array
5204 indices. Any variable transitively flagged as ReallyWantsInt will never be forced
5205 double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
5206 be set in bitops for RageConversion but using it for double forcing is too much.
5207 Basically, it's cheaper to have to convert a double to an int for a bitop than it
5208 is to convert a double to an int for an array index; also a variable being used as
5209 an array index is a much stronger hint that it ought to be an int. This recovered
5210 performance on everything except programs that used FTL OSR entry.
5211
5212 Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
5213 count, which then completely pollutes the weighting - essentially all votes go
5214 NaN. Fix this with some surgical defenses. Basically, any client of execution
5215 counts should allow for them to be NaN and shouldn't completely fall off a cliff
5216 when it happens.
5217
5218 This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
5219 7% speed-up on AsmBench and 2% speed-up on Kraken.
5220
5221 * CMakeLists.txt:
5222 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5223 * JavaScriptCore.xcodeproj/project.pbxproj:
5224 * dfg/DFGBackwardsPropagationPhase.cpp:
5225 (JSC::DFG::BackwardsPropagationPhase::run):
5226 (JSC::DFG::BackwardsPropagationPhase::propagate):
5227 * dfg/DFGGraph.cpp:
5228 (JSC::DFG::Graph::dumpBlockHeader):
5229 * dfg/DFGGraph.h:
5230 (JSC::DFG::Graph::voteNode):
5231 (JSC::DFG::Graph::voteChildren):
5232 * dfg/DFGNodeFlags.cpp:
5233 (JSC::DFG::dumpNodeFlags):
5234 * dfg/DFGNodeFlags.h:
5235 * dfg/DFGOSREntrypointCreationPhase.cpp:
5236 (JSC::DFG::OSREntrypointCreationPhase::run):
5237 * dfg/DFGPlan.cpp:
5238 (JSC::DFG::Plan::compileInThreadImpl):
5239 * dfg/DFGPredictionPropagationPhase.cpp:
5240 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5241 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
5242 * dfg/DFGVariableAccessData.cpp: Added.
5243 (JSC::DFG::VariableAccessData::VariableAccessData):
5244 (JSC::DFG::VariableAccessData::mergeIsCaptured):
5245 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
5246 (JSC::DFG::VariableAccessData::predict):
5247 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
5248 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5249 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
5250 (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
5251 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5252 (JSC::DFG::VariableAccessData::flushFormat):
5253 * dfg/DFGVariableAccessData.h:
5254 (JSC::DFG::VariableAccessData::vote):
5255 (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
5256 (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
5257 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
5258 (JSC::DFG::VariableAccessData::predict): Deleted.
5259 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
5260 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
5261 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
5262 (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
5263 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
5264 (JSC::DFG::VariableAccessData::flushFormat): Deleted.
5265
52662014-04-21 Michael Saboff <msaboff@apple.com>
5267
5268 REGRESSION(r167591): ARM64 and ARM traditional builds broken
5269 https://bugs.webkit.org/show_bug.cgi?id=131935
5270
5271 Reviewed by Mark Hahnenberg.
5272
5273 Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
5274 macro assemblers. Added a new test for the original patch.
5275
5276 * assembler/MacroAssemblerARM.h:
5277 (JSC::MacroAssemblerARM::store8):
5278 * assembler/MacroAssemblerARM64.h:
5279 (JSC::MacroAssemblerARM64::store8):
5280 * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
5281
52822014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
5283
5284 Inline allocate Arguments objects in the DFG
5285 https://bugs.webkit.org/show_bug.cgi?id=131897
5286
5287 Reviewed by Geoffrey Garen.
5288
5289 Many libraries/frameworks depend on the arguments object for overloaded API entry points.
5290 This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
5291 for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
5292
5293 * dfg/DFGSpeculativeJIT.cpp:
5294 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
5295 * dfg/DFGSpeculativeJIT.h:
5296 (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
5297 * dfg/DFGSpeculativeJIT32_64.cpp:
5298 (JSC::DFG::SpeculativeJIT::compile):
5299 * dfg/DFGSpeculativeJIT64.cpp:
5300 (JSC::DFG::SpeculativeJIT::compile):
5301 * runtime/Arguments.h:
5302 (JSC::Arguments::offsetOfActivation):
5303 (JSC::Arguments::offsetOfOverrodeLength):
5304 (JSC::Arguments::offsetOfIsStrictMode):
5305 (JSC::Arguments::offsetOfRegisterArray):
5306 (JSC::Arguments::offsetOfCallee):
5307 (JSC::Arguments::allocationSize):
5308
53092014-04-20 Andreas Kling <akling@apple.com>
5310
5311 Speed up jsStringWithCache() through WeakGCMap inlining.
5312 <https://webkit.org/b/131923>
5313
5314 Always inline WeakGCMap::add() but move the slow garbage collecting
5315 path out-of-line.
5316
5317 Reviewed by Darin Adler.
5318
5319 * runtime/WeakGCMap.h:
5320 (JSC::WeakGCMap::add):
5321 (JSC::WeakGCMap::gcMap):
5322
53232014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
5324
5325 JavaScriptCore: ARM build fix after r167094.
5326 https://bugs.webkit.org/show_bug.cgi?id=131612
5327
5328 Reviewed by Michael Saboff.
5329
5330 After r167094 there are many build errors on ARM like these:
5331
5332 /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
5333 /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
5334 /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
5335 /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
5336
5337 Problem is caused by the wrong generated assembly like:
5338 "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
5339
5340 `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts
5341 the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
5342 Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
5343 use case: move rn, (label1-label2) which is translated to movw and movt.
5344
5345 * llint/LowLevelInterpreter.asm:
5346 * offlineasm/arm.rb:
5347 * offlineasm/instructions.rb:
5348
53492014-04-20 Csaba Osztrogonác <ossy@webkit.org>
5350
5351 [ARM] Unreviewed build fix after r167336.
5352
5353 * assembler/MacroAssemblerARM.h:
5354 (JSC::MacroAssemblerARM::branchAdd32):
5355
53562014-04-20 Commit Queue <commit-queue@webkit.org>
5357
5358 Unreviewed, rolling out r167501.
5359 https://bugs.webkit.org/show_bug.cgi?id=131913
5360
5361 It broke DYEBench (Requested by mhahnenberg on #webkit).
5362
5363 Reverted changeset:
5364
5365 "Deleting properties poisons objects"
5366 https://bugs.webkit.org/show_bug.cgi?id=131551
5367 http://trac.webkit.org/changeset/167501
5368
53692014-04-19 Filip Pizlo <fpizlo@apple.com>
5370
5371 It should be OK to store new fields into objects that have no prototypes
5372 https://bugs.webkit.org/show_bug.cgi?id=131905
5373
5374 Reviewed by Mark Hahnenberg.
5375
5376 * dfg/DFGByteCodeParser.cpp:
5377 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
5378 * tests/stress/put-by-id-transition-null-prototype.js: Added.
5379 (foo):
5380
53812014-04-19 Benjamin Poulain <bpoulain@apple.com>
5382
5383 Make the CSS JIT compile for ARM64
5384 https://bugs.webkit.org/show_bug.cgi?id=131834
5385
5386 Reviewed by Gavin Barraclough.
5387
5388 Extend the ARM64 MacroAssembler to support the code generation required by
5389 the CSS JIT.
5390
5391 * assembler/MacroAssembler.h:
5392 * assembler/MacroAssemblerARM64.h:
5393 (JSC::MacroAssemblerARM64::addPtrNoFlags):
5394 (JSC::MacroAssemblerARM64::or32):
5395 (JSC::MacroAssemblerARM64::branchPtr):
5396 (JSC::MacroAssemblerARM64::test32):
5397 (JSC::MacroAssemblerARM64::branch):
5398 * assembler/MacroAssemblerX86Common.h:
5399 (JSC::MacroAssemblerX86Common::test32):
5400
54012014-04-19 Andreas Kling <akling@apple.com>
5402
5403 Two little shortcuts to the JSType.
5404 <https://webkit.org/b/131896>
5405
5406 Tweak two sites that take the long road through JSCell::structure()->typeInfo()
5407 to look at data that's already in JSCell::type().
5408
5409 Reviewed by Darin Adler.
5410
5411 * runtime/NameInstance.h:
5412 (JSC::isName):
5413 * runtime/NumberPrototype.cpp:
5414 (JSC::toThisNumber):
5415
54162014-04-19 Filip Pizlo <fpizlo@apple.com>
5417
5418 Make it easier to check if an integer sum would overflow
5419 https://bugs.webkit.org/show_bug.cgi?id=131900
5420
5421 Reviewed by Darin Adler.
5422
5423 * dfg/DFGOperations.cpp:
5424 * runtime/Operations.h:
5425 (JSC::jsString):
5426
54272014-04-19 Filip Pizlo <fpizlo@apple.com>
5428
5429 Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
5430
5431 * dfg/DFGOperations.cpp:
5432 * runtime/JSString.h:
5433 (JSC::JSRopeString::RopeBuilder::append):
5434
54352014-04-18 Mark Lam <mark.lam@apple.com>
5436
5437 REGRESSION(r164205): WebKit crash @StructureIDTable::get.
5438 <https://webkit.org/b/130539>
5439
5440 Reviewed by Geoffrey Garen.
5441
5442 prepareOSREntry() prepares for OSR entry by first copying the local var
5443 values from the baseline frame to a scartch buffer, which is then used
5444 to fill in the locals in their new position in the DFG frame. Unfortunately,
5445 prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
5446 size of the baseline frame. As a result, some values of locals in the
5447 baseline frame were not saved off, and the DFG frame may get initialized
5448 with random content that happened to be in the uninitialized (and possibly
5449 unallocated) portions of the scratch buffer.
5450
5451 The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
5452 number of locals in the baseline frame that we want to copy to the scratch
5453 buffer.
5454
5455 Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
5456 at offset 0 in the scratch buffer. So, we continue to write that value
5457 there, not the baseline frame size.
5458
5459 * dfg/DFGOSREntry.cpp:
5460 (JSC::DFG::prepareOSREntry):
5461
54622014-04-18 Timothy Hatcher <timothy@apple.com>
5463
5464 Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
5465 https://bugs.webkit.org/show_bug.cgi?id=131673
5466
5467 Passes existing profiler and inspector tests.
5468
5469 Reviewed by Joseph Pecoraro.
5470
5471 * CMakeLists.txt:
5472 * DerivedSources.make:
5473 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5474 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5475 * JavaScriptCore.xcodeproj/project.pbxproj:
5476 * inspector/JSConsoleClient.cpp:
5477 (Inspector::JSConsoleClient::JSConsoleClient):
5478 (Inspector::JSConsoleClient::profile):
5479 (Inspector::JSConsoleClient::profileEnd):
5480 (Inspector::JSConsoleClient::count): Deleted.
5481 * inspector/JSConsoleClient.h:
5482 * inspector/JSGlobalObjectInspectorController.cpp:
5483 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
5484 * inspector/agents/InspectorProfilerAgent.cpp: Added.
5485 (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
5486 (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
5487 (Inspector::InspectorProfilerAgent::addProfile):
5488 (Inspector::InspectorProfilerAgent::createProfileHeader):
5489 (Inspector::InspectorProfilerAgent::enable):
5490 (Inspector::InspectorProfilerAgent::disable):
5491 (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
5492 (Inspector::InspectorProfilerAgent::getProfileHeaders):
5493 (Inspector::buildInspectorObject):
5494 (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
5495 (Inspector::InspectorProfilerAgent::getCPUProfile):
5496 (Inspector::InspectorProfilerAgent::removeProfile):
5497 (Inspector::InspectorProfilerAgent::reset):
5498 (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
5499 (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
5500 (Inspector::InspectorProfilerAgent::start):
5501 (Inspector::InspectorProfilerAgent::stop):
5502 (Inspector::InspectorProfilerAgent::setRecordingProfile):
5503 (Inspector::InspectorProfilerAgent::startProfiling):
5504 (Inspector::InspectorProfilerAgent::stopProfiling):
5505 * inspector/agents/InspectorProfilerAgent.h: Added.
5506 * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
5507 (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
5508 (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
5509 * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
5510 * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
5511 * profiler/Profile.h:
5512 * runtime/ConsoleClient.h:
5513
55142014-04-18 Commit Queue <commit-queue@webkit.org>
5515
5516 Unreviewed, rolling out r167527.
5517 https://bugs.webkit.org/show_bug.cgi?id=131883
5518
5519 Broke 32-bit build (Requested by ap on #webkit).
5520
5521 Reverted changeset:
5522
5523 "[Mac] implement WebKitDataCue"
5524 https://bugs.webkit.org/show_bug.cgi?id=131799
5525 http://trac.webkit.org/changeset/167527
5526
55272014-04-18 Eric Carlson <eric.carlson@apple.com>
5528
5529 [Mac] implement WebKitDataCue
5530 https://bugs.webkit.org/show_bug.cgi?id=131799
5531
5532 Reviewed by Dean Jackson.
5533
5534 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5535
55362014-04-18 Filip Pizlo <fpizlo@apple.com>
5537
5538 Actually address Mark's review feedback.
5539
5540 * dfg/DFGOSRExitCompilerCommon.cpp:
5541 (JSC::DFG::handleExitCounts):
5542
55432014-04-18 Filip Pizlo <fpizlo@apple.com>
5544
5545 Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
5546 https://bugs.webkit.org/show_bug.cgi?id=131850
5547
5548 Reviewed by Mark Hahnenberg.
5549
5550 Templatize ExecutionCounter to allow for two different styles of calculating the
5551 checkpoint threshold.
5552
5553 Appears to be a slight speed-up on DYEBench.
5554
5555 * bytecode/CodeBlock.h:
5556 (JSC::CodeBlock::llintExecuteCounter):
5557 (JSC::CodeBlock::offsetOfJITExecuteCounter):
5558 (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
5559 (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
5560 (JSC::CodeBlock::jitExecuteCounter):
5561 * bytecode/ExecutionCounter.cpp:
5562 (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
5563 (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
5564 (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
5565 (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
5566 (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
5567 (JSC::applyMemoryUsageHeuristics):
5568 (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
5569 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
5570 (JSC::ExecutionCounter<countingVariant>::setThreshold):
5571 (JSC::ExecutionCounter<countingVariant>::reset):
5572 (JSC::ExecutionCounter<countingVariant>::dump):
5573 (JSC::ExecutionCounter::ExecutionCounter): Deleted.
5574 (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
5575 (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
5576 (JSC::ExecutionCounter::setNewThreshold): Deleted.
5577 (JSC::ExecutionCounter::deferIndefinitely): Deleted.
5578 (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
5579 (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
5580 (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
5581 (JSC::ExecutionCounter::setThreshold): Deleted.
5582 (JSC::ExecutionCounter::reset): Deleted.
5583 (JSC::ExecutionCounter::dump): Deleted.
5584 * bytecode/ExecutionCounter.h:
5585 (JSC::formattedTotalExecutionCount):
5586 (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
5587 (JSC::ExecutionCounter::clippedThreshold):
5588 (JSC::ExecutionCounter::formattedTotalCount): Deleted.
5589 * dfg/DFGJITCode.h:
5590 * dfg/DFGOSRExitCompilerCommon.cpp:
5591 (JSC::DFG::handleExitCounts):
5592 * llint/LowLevelInterpreter.asm:
5593 * runtime/Options.h:
5594
55952014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
5596
5597 Deleting properties poisons objects
5598 https://bugs.webkit.org/show_bug.cgi?id=131551
5599
5600 Reviewed by Geoffrey Garen.
5601
5602 This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
5603
5604 * runtime/Structure.cpp:
5605 (JSC::Structure::Structure):
5606 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
5607 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
5608 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
5609 delete transitions, but we allow transitioning from them.
5610 (JSC::Structure::changePrototypeTransition):
5611 (JSC::Structure::despecifyFunctionTransition):
5612 (JSC::Structure::attributeChangeTransition):
5613 (JSC::Structure::toDictionaryTransition):
5614 (JSC::Structure::preventExtensionsTransition):
5615 (JSC::Structure::addPropertyWithoutTransition):
5616 (JSC::Structure::removePropertyWithoutTransition):
5617 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
5618 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
5619 * runtime/Structure.h:
5620 * runtime/StructureInlines.h:
5621 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
5622
56232014-04-17 Filip Pizlo <fpizlo@apple.com>
5624
5625 InlineCallFrameSet should be refcounted
5626 https://bugs.webkit.org/show_bug.cgi?id=131829
5627
5628 Reviewed by Geoffrey Garen.
5629
5630 And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
5631 became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
5632 Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
5633 the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
5634
5635 So, just make the darn thing refcounted.
5636
5637 * bytecode/InlineCallFrameSet.h:
5638 * dfg/DFGArgumentsSimplificationPhase.cpp:
5639 (JSC::DFG::ArgumentsSimplificationPhase::run):
5640 * dfg/DFGByteCodeParser.cpp:
5641 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
5642 * dfg/DFGCommonData.h:
5643 * dfg/DFGGraph.cpp:
5644 (JSC::DFG::Graph::Graph):
5645 (JSC::DFG::Graph::requiredRegisterCountForExit):
5646 * dfg/DFGGraph.h:
5647 * dfg/DFGJITCompiler.cpp:
5648 (JSC::DFG::JITCompiler::link):
5649 * dfg/DFGPlan.cpp:
5650 (JSC::DFG::Plan::Plan):
5651 * dfg/DFGPlan.h:
5652 * dfg/DFGStackLayoutPhase.cpp:
5653 (JSC::DFG::StackLayoutPhase::run):
5654 * ftl/FTLFail.cpp:
5655 (JSC::FTL::fail):
5656 * ftl/FTLLink.cpp:
5657 (JSC::FTL::link):
5658
56592014-04-17 Filip Pizlo <fpizlo@apple.com>
5660
5661 FTL::fail() should manage memory "correctly"
5662 https://bugs.webkit.org/show_bug.cgi?id=131823
5663 <rdar://problem/16384297>
5664
5665 Reviewed by Oliver Hunt.
5666
5667 * ftl/FTLFail.cpp:
5668 (JSC::FTL::fail):
5669
56702014-04-17 Filip Pizlo <fpizlo@apple.com>
5671
5672 Prediction propagator should correctly model Int52s flowing through arguments
5673 https://bugs.webkit.org/show_bug.cgi?id=131822
5674 <rdar://problem/16641408>
5675
5676 Reviewed by Oliver Hunt.
5677
5678 * dfg/DFGPredictionPropagationPhase.cpp:
5679 (JSC::DFG::PredictionPropagationPhase::propagate):
5680 * tests/stress/int52-argument.js: Added.
5681 (foo):
5682 * tests/stress/int52-variable.js: Added.
5683 (foo):
5684
56852014-04-17 Filip Pizlo <fpizlo@apple.com>
5686
5687 REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
5688 https://bugs.webkit.org/show_bug.cgi?id=131798
5689
5690 Reviewed by Alexey Proskuryakov.
5691
5692 Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
5693 of this assertion can return. For now, it's not clear that the assertion is guarding
5694 any truly undesirable behavior - so it should just go away and be replaced with a
5695 FIXME.
5696
5697 * bytecode/GetByIdStatus.cpp:
5698 (JSC::GetByIdStatus::computeForStubInfo):
5699 * runtime/Structure.h:
5700 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
5701
57022014-04-17 David Kilzer <ddkilzer@apple.com>
5703
5704 Blind attempt to fix Windows build after r166837
5705 <http://webkit.org/b/131246>
5706
5707 Hoping to fix this build error:
5708
5709 warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
5710
5711 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
5712 boo-boo by changing the GCLogging.cpp ClCompile entry to a
5713 GCLogging.h ClInclude entry.
5714
57152014-04-16 Filip Pizlo <fpizlo@apple.com>
5716
5717 AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
5718 https://bugs.webkit.org/show_bug.cgi?id=131764
5719
5720 Reviewed by Geoffrey Garen.
5721
5722 The attached test case can be made to not crash by deleting old code. It used to be
5723 the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
5724 long ago. At this point, these guards just make life difficult. So get rid of them.
5725
5726 * dfg/DFGAbstractInterpreterInlines.h:
5727 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5728 * dfg/DFGSpeculativeJIT32_64.cpp:
5729 (JSC::DFG::SpeculativeJIT::compile):
5730 * dfg/DFGSpeculativeJIT64.cpp:
5731 (JSC::DFG::SpeculativeJIT::compile):
5732 * tests/stress/bug-131764.js: Added.
5733 (test1):
5734 (test2):
5735
57362014-04-17 Darin Adler <darin@apple.com>
5737
5738 Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
5739 https://bugs.webkit.org/show_bug.cgi?id=131785
5740 rdar://problem/16003108
5741
5742 Reviewed by Brady Eidson.
5743
5744 * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
5745
57462014-04-16 Alexey Proskuryakov <ap@apple.com>
5747
5748 Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
5749
5750 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
5751
57522014-04-16 Filip Pizlo <fpizlo@apple.com>
5753
5754 Extra error reporting for invalid value conversions
5755 https://bugs.webkit.org/show_bug.cgi?id=131786
5756
5757 Rubber stamped by Ryosuke Niwa.
5758
5759 * dfg/DFGFixupPhase.cpp:
5760 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
5761
57622014-04-16 Filip Pizlo <fpizlo@apple.com>
5763
5764 Sink NaN sanitization to uses and remove it when it's unnecessary
5765 https://bugs.webkit.org/show_bug.cgi?id=131419
5766
5767 Reviewed by Oliver Hunt.
5768
5769 This moves NaN purification to stores that could see an impure NaN.
5770
5771 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
5772 though, because of the other bug that causes that benchmark to box doubles in a loop.
5773
5774 * bytecode/SpeculatedType.h:
5775 (JSC::isInt32SpeculationForArithmetic):
5776 (JSC::isMachineIntSpeculationForArithmetic):
5777 (JSC::isDoubleSpeculation):
5778 (JSC::isDoubleSpeculationForArithmetic):
5779 * dfg/DFGAbstractInterpreterInlines.h:
5780 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5781 * dfg/DFGAbstractValue.cpp:
5782 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
5783 * dfg/DFGFixupPhase.cpp:
5784 (JSC::DFG::FixupPhase::fixupNode):
5785 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
5786 * dfg/DFGInPlaceAbstractState.cpp:
5787 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5788 * dfg/DFGPredictionPropagationPhase.cpp:
5789 (JSC::DFG::PredictionPropagationPhase::propagate):
5790 * dfg/DFGSpeculativeJIT.cpp:
5791 (JSC::DFG::SpeculativeJIT::compileValueRep):
5792 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
5793 * dfg/DFGUseKind.h:
5794 (JSC::DFG::typeFilterFor):
5795 * ftl/FTLLowerDFGToLLVM.cpp:
5796 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
5797 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
5798 * runtime/PureNaN.h:
5799 * tests/stress/float32-array-nan-inlined.js: Added.
5800 (foo):
5801 (test):
5802 * tests/stress/float32-array-nan.js: Added.
5803 (foo):
5804 (test):
5805 * tests/stress/float64-array-nan-inlined.js: Added.
5806 (foo):
5807 (isBigEndian):
5808 (test):
5809 * tests/stress/float64-array-nan.js: Added.
5810 (foo):
5811 (isBigEndian):
5812 (test):
5813
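As an added illustration (not JavaScriptCore's code) of why the NaN purification described in the entry above is needed: a simplified C model of 64-bit NaN-boxing in which a double is boxed by adding 2^48 to its bit pattern and an int32 carries an all-ones 16-bit tag. The constants, `read_float64_element` (a stand-in for a Float64Array read) and the sample backing bytes are my own assumptions modelled on that scheme.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants: assumptions modelled on a 64-bit JSValue-style encoding.
 * A double is boxed by adding 2^48 to its bits, an int32 is 0xFFFF in the
 * top 16 bits plus the payload, and a pointer has the top 16 bits clear.
 * Exactly one NaN bit pattern is treated as the "pure" NaN. */
#define DOUBLE_ENCODE_OFFSET 0x0001000000000000ULL
#define TAG_TYPE_NUMBER      0xFFFF000000000000ULL
#define PURE_NAN_BITS        0x7FF8000000000000ULL

typedef uint64_t EncodedValue;
typedef enum { KIND_POINTER, KIND_INT32, KIND_DOUBLE } ValueKind;

uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
double bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* A NaN is "impure" when it is not bit-for-bit the canonical pure NaN. */
bool is_impure_nan(double value) {
    return value != value && double_to_bits(value) != PURE_NAN_BITS;
}

/* Collapse every NaN onto the pure NaN; non-NaN values pass through unchanged. */
double purify_nan(double value) {
    return value != value ? bits_to_double(PURE_NAN_BITS) : value;
}

/* Boxing without purification: only sound if the value is proven not to be an impure NaN. */
EncodedValue encode_double_unchecked(double d) {
    return double_to_bits(d) + DOUBLE_ENCODE_OFFSET;
}

/* Boxing with the sanitization the entry above moves to the store site. */
EncodedValue encode_double(double d) {
    return encode_double_unchecked(purify_nan(d));
}

EncodedValue encode_int32(int32_t i) {
    return TAG_TYPE_NUMBER | (uint32_t)i;
}

double decode_double(EncodedValue v) {
    return bits_to_double(v - DOUBLE_ENCODE_OFFSET);
}

/* Classify a boxed value the way the runtime's tag checks would. */
ValueKind classify(EncodedValue v) {
    if ((v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER) return KIND_INT32;
    if ((v & TAG_TYPE_NUMBER) == 0)               return KIND_POINTER;
    return KIND_DOUBLE;
}

/* Stand-in for a Float64Array element read: the backing store holds raw
 * little-endian bytes, so any bit pattern, including an impure NaN, can be
 * placed there by script and must be sanitized on its way to a boxed value. */
EncodedValue read_float64_element(const uint8_t *backing, size_t index, bool purify) {
    uint64_t bits = 0;
    for (int i = 7; i >= 0; i--)
        bits = (bits << 8) | backing[index * 8 + i];
    double d = bits_to_double(bits);
    return purify ? encode_double(d) : encode_double_unchecked(d);
}

/* Constructed sample backing store (not real data): element 0 is 1.5,
 * element 1 is the quiet but impure NaN 0xFFFE000000000001. */
const uint8_t *sample_backing(void) {
    static const uint8_t backing[16] = {
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x3F,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF,
    };
    return backing;
}

int main(void) {
    EncodedValue raw = read_float64_element(sample_backing(), 1, false);
    EncodedValue clean = read_float64_element(sample_backing(), 1, true);
    /* Without purification the impure NaN boxes to the same bits as int32 1:
     * a type confusion between a double and an int. With purification it
     * stays a double. */
    printf("unchecked box: 0x%016llx kind=%d (int32 1 boxes as 0x%016llx)\n",
           (unsigned long long)raw, (int)classify(raw),
           (unsigned long long)encode_int32(1));
    printf("purified box:  0x%016llx kind=%d\n",
           (unsigned long long)clean, (int)classify(clean));
    return 0;
}
```
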
2014-04-16  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
        to 32-bit builds, and revise the comment to explain what we are
        doing.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Provide motivation for the new
        'isinf' check for our 32-bit code path.

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Allocate the data section on the heap again for FTL on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130156

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:

2014-04-16  Mark Lam  <mark.lam@apple.com>

        Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
        <https://webkit.org/b/131747>

        Reviewed by Filip Pizlo.

        When the debugger is about to activate (e.g. enter stepping mode), it first
        waits for all DFG compilations to complete. However, when the DFG completes,
        if compilation is successful, it will install a new DFG codeBlock. The
        CodeBlock installation process is required to register codeBlocks with the
        debugger. Debugger::registerCodeBlock() will eventually call
        CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
        trying to install. Thereafter, chaos ensues.

        This jettisoning only happens because the debugger currently sets its
        m_steppingMode flag before waiting for compilation to complete. The fix is
        simply to set that flag only after compilation is complete.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::registerCodeBlock):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
        https://bugs.webkit.org/show_bug.cgi?id=131420

        Reviewed by Oliver Hunt.
5867
5868 Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
5869 replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
5870 goes through the purifyNaN() API.
5871
5872 SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
5873
5874 Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
5875 have to be too cautious since most prediction-based logic only cares about whether or not
5876 a value could be an integer.
5877
5878 AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
5879 anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
5880 soundly and precisely.
5881
5882 No performance change because this just unblocks
5883 https://bugs.webkit.org/show_bug.cgi?id=131419.
5884
5885 * API/JSValueRef.cpp:
5886 (JSValueMakeNumber):
5887 (JSValueToNumber):
5888 * JavaScriptCore.xcodeproj/project.pbxproj:
5889 * bytecode/SpeculatedType.cpp:
5890 (JSC::dumpSpeculation):
5891 (JSC::speculationFromValue):
5892 (JSC::typeOfDoubleSum):
5893 (JSC::typeOfDoubleDifference):
5894 (JSC::typeOfDoubleProduct):
5895 (JSC::polluteDouble):
5896 (JSC::typeOfDoubleQuotient):
5897 (JSC::typeOfDoubleMinMax):
5898 (JSC::typeOfDoubleNegation):
5899 (JSC::typeOfDoubleAbs):
5900 (JSC::typeOfDoubleFRound):
5901 (JSC::typeOfDoubleBinaryOp):
5902 (JSC::typeOfDoubleUnaryOp):
5903 * bytecode/SpeculatedType.h:
5904 * dfg/DFGAbstractInterpreterInlines.h:
5905 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5906 * dfg/DFGByteCodeParser.cpp:
5907 (JSC::DFG::ByteCodeParser::handleInlining):
5908 (JSC::DFG::ByteCodeParser::parseCodeBlock):
5909 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
5910 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
5911 * dfg/DFGInPlaceAbstractState.cpp:
5912 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5913 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
5914 (JSC::DFG::createPreHeader):
5915 * dfg/DFGNode.h:
5916 (JSC::DFG::BranchTarget::BranchTarget):
5917 * dfg/DFGOSREntrypointCreationPhase.cpp:
5918 (JSC::DFG::OSREntrypointCreationPhase::run):
5919 * dfg/DFGOSRExitCompiler32_64.cpp:
5920 (JSC::DFG::OSRExitCompiler::compileExit):
5921 * dfg/DFGOSRExitCompiler64.cpp:
5922 (JSC::DFG::OSRExitCompiler::compileExit):
5923 * dfg/DFGPredictionPropagationPhase.cpp:
5924 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5925 (JSC::DFG::PredictionPropagationPhase::propagate):
5926 * dfg/DFGSpeculativeJIT.cpp:
5927 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
5928 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5929 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
5930 * dfg/DFGSpeculativeJIT32_64.cpp:
5931 (JSC::DFG::SpeculativeJIT::compile):
5932 * dfg/DFGSpeculativeJIT64.cpp:
5933 (JSC::DFG::SpeculativeJIT::compile):
5934 * dfg/DFGVariableAccessData.h:
5935 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5936 * ftl/FTLLowerDFGToLLVM.cpp:
5937 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
5938 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5939 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
5940 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
5941 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
5942 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
5943 (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
5944 * ftl/FTLValueFormat.cpp:
5945 (JSC::FTL::reboxAccordingToFormat):
5946 * jit/AssemblyHelpers.cpp:
5947 (JSC::AssemblyHelpers::purifyNaN):
5948 (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
5949 * jit/AssemblyHelpers.h:
5950 * jit/JITPropertyAccess.cpp:
5951 (JSC::JIT::emitFloatTypedArrayGetByVal):
5952 * runtime/DateConstructor.cpp:
5953 (JSC::constructDate):
5954 * runtime/DateInstanceCache.h:
5955 (JSC::DateInstanceData::DateInstanceData):
5956 (JSC::DateInstanceCache::reset):
5957 * runtime/ExceptionHelpers.cpp:
5958 (JSC::TerminatedExecutionError::defaultValue):
5959 * runtime/JSArray.cpp:
5960 (JSC::JSArray::setLength):
5961 (JSC::JSArray::pop):
5962 (JSC::JSArray::shiftCountWithAnyIndexingType):
5963 (JSC::JSArray::sortVector):
5964 (JSC::JSArray::compactForSorting):
5965 * runtime/JSArray.h:
5966 (JSC::JSArray::create):
5967 (JSC::JSArray::tryCreateUninitialized):
5968 * runtime/JSCJSValue.cpp:
5969 (JSC::JSValue::toNumberSlowCase):
5970 * runtime/JSCJSValue.h:
5971 * runtime/JSCJSValueInlines.h:
5972 (JSC::jsNaN):
5973 (JSC::JSValue::JSValue):
5974 (JSC::JSValue::getPrimitiveNumber):
5975 * runtime/JSGlobalObjectFunctions.cpp:
5976 (JSC::parseInt):
5977 (JSC::jsStrDecimalLiteral):
5978 (JSC::toDouble):
5979 (JSC::jsToNumber):
5980 (JSC::parseFloat):
5981 * runtime/JSObject.cpp:
5982 (JSC::JSObject::createInitialDouble):
5983 (JSC::JSObject::convertUndecidedToDouble):
5984 (JSC::JSObject::convertInt32ToDouble):
5985 (JSC::JSObject::deletePropertyByIndex):
5986 (JSC::JSObject::ensureLengthSlow):
5987 * runtime/MathObject.cpp:
5988 (JSC::mathProtoFuncMax):
5989 (JSC::mathProtoFuncMin):
5990 * runtime/PureNaN.h: Added.
5991 (JSC::pureNaN):
5992 (JSC::isImpureNaN):
5993 (JSC::purifyNaN):
5994 * runtime/TypedArrayAdaptors.h:
5995 (JSC::FloatTypedArrayAdaptor::toJSValue):
5996
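The two NaN entries above (the pureNaN()/purifyNaN() rationalization in this entry, and the sinking of NaN sanitization to stores in bug 131419) turn on one security-relevant point: once JS values are NaN-boxed, a NaN whose payload lands in the tag space is indistinguishable from an int32 or a heap pointer, and a script can manufacture such a NaN by writing raw bytes into a Float64Array (which is what the float64-array-nan tests and their isBigEndian() helper exercise). The C program below is an added illustration written for this page, not JavaScriptCore's JSValue or PureNaN.h code: the 16-bit tag layout, the 2^48 double offset, the 0xFFFE... impurity threshold, the constructed element bit patterns and the 52-bit integer bound are assumptions chosen so the model is self-consistent. It also carries an is_machine_int() that proves a double finite and in range before casting it, the fix that the Windows entry for bug 131182 below describes, since it guards the same double-to-tagged boundary.

```c
/* Added illustration for this page: a simplified NaN-boxing model, not
 * JavaScriptCore's actual JSValue encoding. The tag layout, the 2^48 offset,
 * the 0xFFFE... threshold and the 52-bit integer bound are assumptions. */
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t Value;                  /* one boxed 64-bit value in this model */
typedef enum { KIND_CELL, KIND_INT32, KIND_DOUBLE } Kind;

#define TAG_MASK       0xFFFF000000000000ull
#define INT32_TAG      0xFFFF000000000000ull  /* top 16 bits set: int32 in the low 32 bits */
#define DOUBLE_OFFSET  0x0001000000000000ull  /* doubles are stored as raw bits + 2^48 */
#define IMPURE_NAN_MIN 0xFFFE000000000000ull  /* raw bits >= this land in tag space once offset */
#define PURE_NAN_BITS  0x7FF8000000000000ull  /* canonical quiet NaN, nowhere near tag space */

static uint64_t bits_of(double d)     { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double   double_of(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* PureNaN-style helpers, modelled on what the entry describes. */
double pure_nan(void)          { return double_of(PURE_NAN_BITS); }
bool   is_impure_nan(double d) { return bits_of(d) >= IMPURE_NAN_MIN; }
double purify_nan(double d)    { return d != d ? pure_nan() : d; }

Value  box_int32(int32_t i)           { return INT32_TAG | (uint32_t)i; }
Value  box_double_unchecked(double d) { return bits_of(d) + DOUBLE_OFFSET; }  /* unsigned: wraps */
Value  box_double(double d)           { return box_double_unchecked(purify_nan(d)); }
double unbox_double(Value v)          { return double_of(v - DOUBLE_OFFSET); }

/* How the rest of the engine would classify a boxed value. */
Kind kind_of(Value v)
{
    if ((v & TAG_MASK) == INT32_TAG) return KIND_INT32;
    if ((v & TAG_MASK) == 0)         return KIND_CELL;    /* treated as a heap pointer */
    return KIND_DOUBLE;
}

/* Constructed attacker-chosen Float64Array element bits (a script can write
 * them through a Uint32Array view). The first is a NaN whose bits + 2^48 wrap
 * to 0x401000 and so read as a cell pointer; the second reads as int32 7. */
#define NAN_THAT_LOOKS_LIKE_A_CELL 0xFFFF000000401000ull
#define NAN_THAT_LOOKS_LIKE_INT32  0xFFFE000000000007ull

/* Classification of a raw element loaded from a Float64Array, without the
 * purification the entries add at the store and with it. */
Kind kind_without_purification(uint64_t raw_bits) { return kind_of(box_double_unchecked(double_of(raw_bits))); }
Kind kind_with_purification(uint64_t raw_bits)    { return kind_of(box_double(double_of(raw_bits))); }

/* The other check at this boundary (bug 131182 below): prove the double is
 * finite and in range before casting it to int64_t. Casting inf, NaN or an
 * out-of-range value is undefined behaviour in C, and on x87 leaves behind
 * the floating-point error state that entry describes. The 2^52 bound is an
 * assumption of this model. */
bool is_machine_int(double d)
{
    if (!isfinite(d)) return false;
    if (d < -4503599627370496.0 || d >= 4503599627370496.0) return false;
    int64_t i = (int64_t)d;
    if ((double)i != d) return false;        /* has a fractional part */
    if (i == 0 && signbit(d)) return false;  /* -0 must stay a double */
    return true;
}
```

Compile with any C99 compiler. kind_without_purification() shows the two constructed elements being read back as a cell pointer and as an int32, which is the type confusion the purification prevents; kind_with_purification() shows purify_nan() collapsing both to the canonical NaN, which the engine then handles as an ordinary double. Note that hardware-generated NaNs (0.0/0.0 and friends) sit far below the threshold and are already pure, which is why the cost of purification can be sunk to the few stores that can see script-controlled bits.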
2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Enable system library calls in FTL for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130154

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):

2014-04-16  peavo@outlook.com  <peavo@outlook.com>

        Fix JSC Debug Regressions on Windows
        https://bugs.webkit.org/show_bug.cgi?id=131182

        Reviewed by Brent Fulgham.

        The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
        and set the st floating point register tags, if the value of the number parameter is infinite.
        If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
        This can be avoided by checking for infinity first.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions): Re-enable jit for Windows.

2014-04-16  Oliver Hunt  <oliver@apple.com>

        Simple ES6 feature: Array.prototype.fill
        https://bugs.webkit.org/show_bug.cgi?id=131703

        Reviewed by David Hyatt.

        Add support for Array.prototype.fill

        * builtins/Array.prototype.js:
        (fill):
        * runtime/ArrayPrototype.cpp:

2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=131728

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
        path we expect to never take. Also shut up confused compilers about uninitialized things.

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix after r167336.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchAdd32):

2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, ARM64 buildfix after r167336.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        compileMakeRope does not emit necessary bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=130684
        <rdar://problem/16398388>

        Reviewed by Oliver Hunt.

        Add string length bounds checks in a bunch of places. We should never allow a string
        to have a length greater than 2^31-1 because it's not clear that the language has
        semantics for it and because there is code that assumes that this cannot happen.

        Also add a bunch of tests to that effect to cover the various ways in which this was
        previously allowed to happen.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSRopeString::RopeBuilder::append):
        (JSC::JSRopeString::RopeBuilder::release):
        (JSC::JSRopeString::append):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        * tests/stress/make-large-string-jit-strcat.js: Added.
        (foo):
        * tests/stress/make-large-string-jit.js: Added.
        (foo):
        * tests/stress/make-large-string-strcat.js: Added.
        * tests/stress/make-large-string.js: Added.

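Worked illustration of the bound the compileMakeRope entry above adds, written for this page and not taken from JSString.h: a rope string caches the sum of its fibers' lengths without materializing any characters, so the cached length is the one thing that has to be bounds-checked at append time, and an unchecked 32-bit sum can pass 2^31-1 and then wrap without any allocation ever failing. The JSString and RopeBuilder structs, MAX_FIBERS, and the unchecked_/checked_ helper names are assumptions of this model.

```c
/* Added illustration for this page: a rope length model, not JSC's RopeBuilder.
 * Only lengths are tracked, which is exactly why the bound matters: nothing
 * else about a rope is examined until it is resolved. */
#include <stdbool.h>
#include <stdint.h>

#define MAX_STRING_LENGTH 0x7FFFFFFFu   /* 2^31 - 1, the limit the entry names */
#define MAX_FIBERS 3                    /* assumption of this model */

typedef struct { uint32_t length; } JSString;   /* a fiber: only its length matters here */

typedef struct {
    const JSString *fibers[MAX_FIBERS];
    unsigned count;
    uint32_t length;                    /* cached sum of fiber lengths */
} RopeBuilder;

void rope_init(RopeBuilder *r) { r->count = 0; r->length = 0; }

/* Append without a length check: the 32-bit sum passes 2^31 - 1 unnoticed and
 * then wraps silently past 2^32, so code that keeps the length in an int sees
 * a negative value and code that allocates from it under-allocates. */
bool rope_append_unchecked(RopeBuilder *r, const JSString *s)
{
    if (r->count == MAX_FIBERS) return false;
    r->fibers[r->count++] = s;
    r->length += s->length;
    return true;
}

/* Append with the bound the entry adds. The test is a subtraction from the
 * maximum so the comparison itself cannot overflow. */
bool rope_append_checked(RopeBuilder *r, const JSString *s)
{
    if (r->count == MAX_FIBERS) return false;
    if (s->length > MAX_STRING_LENGTH - r->length) return false;   /* would exceed 2^31 - 1 */
    r->fibers[r->count++] = s;
    r->length += s->length;
    return true;
}

/* Length the unchecked builder reports after three appends of the given sizes. */
uint32_t unchecked_length_after(uint32_t a, uint32_t b, uint32_t c)
{
    JSString sa = { a }, sb = { b }, sc = { c };
    RopeBuilder r;
    rope_init(&r);
    rope_append_unchecked(&r, &sa);
    rope_append_unchecked(&r, &sb);
    rope_append_unchecked(&r, &sc);
    return r.length;
}

/* Whether the checked builder accepts two appends of the given sizes. */
bool checked_accepts(uint32_t a, uint32_t b)
{
    JSString sa = { a }, sb = { b };
    RopeBuilder r;
    rope_init(&r);
    return rope_append_checked(&r, &sa) && rope_append_checked(&r, &sb);
}
```

Two fibers of 2^31-1 characters plus one of 2 give an unchecked rope whose cached length is 0, while the checked builder refuses the first append that would carry the total past 2^31-1. The same subtraction-form check belongs wherever a length is combined, which is why the entry touches jsString(), the slice/substring/indexOf paths and the JIT lowerings as well as RopeBuilder itself.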
61152014-04-15 Julien Brianceau <jbriance@cisco.com>
6116
6117 Remove invalid sh4 specific code in JITInlines header.
6118 https://bugs.webkit.org/show_bug.cgi?id=131692
6119
6120 Reviewed by Geoffrey Garen.
6121
6122 * jit/JITInlines.h:
6123 (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
6124 anymore since r160244, so the sh4 specific code is invalid now
6125 and has to be removed.
6126
61272014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6128
6129 Fix precedence issue in JSCell:setRemembered
6130
6131 Rubber stamped by Filip Pizlo.
6132
6133 * runtime/JSCell.h:
6134 (JSC::JSCell::setRemembered):
6135
61362014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6137
6138 Objective-C API external object graphs don't handle generational collection properly
6139 https://bugs.webkit.org/show_bug.cgi?id=131634
6140
6141 Reviewed by Geoffrey Garen.
6142
6143 If the set of Objective-C objects transitively reachable through an object changes, we
6144 need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
6145 won't rescan the external object graph, which would lead us to consider a newly allocated
6146 JSManagedValue to be dead.
6147
6148 * API/JSBase.cpp:
6149 (JSSynchronousEdenCollectForDebugging):
6150 * API/JSVirtualMachine.mm:
6151 (-[JSVirtualMachine initWithContextGroupRef:]):
6152 (-[JSVirtualMachine dealloc]):
6153 (-[JSVirtualMachine isOldExternalObject:]):
6154 (-[JSVirtualMachine addExternalRememberedObject:]):
6155 (-[JSVirtualMachine addManagedReference:withOwner:]):
6156 (-[JSVirtualMachine removeManagedReference:withOwner:]):
6157 (-[JSVirtualMachine externalRememberedSet]):
6158 (scanExternalObjectGraph):
6159 (scanExternalRememberedSet):
6160 * API/JSVirtualMachineInternal.h:
6161 * API/tests/testapi.mm:
6162 * heap/Heap.cpp:
6163 (JSC::Heap::markRoots):
6164 * heap/Heap.h:
6165 (JSC::Heap::slotVisitor):
6166 * heap/SlotVisitor.h:
6167 * heap/SlotVisitorInlines.h:
6168 (JSC::SlotVisitor::containsOpaqueRoot):
6169 (JSC::SlotVisitor::containsOpaqueRootTriState):
6170
61712014-04-15 Filip Pizlo <fpizlo@apple.com>
6172
6173 DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
6174 https://bugs.webkit.org/show_bug.cgi?id=131423
6175
6176 Reviewed by Geoffrey Garen.
6177
6178 This introduces more static typing into DFG IR. Previously we just had the notion of
6179 JSValues and Storage. This was weird because doubles weren't always convertible to
6180 JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
6181 sort of insert explicit conversion nodes just for the places where we knew that an
6182 implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
6183 we'd get bugs from forgetting to do the right conversion.
6184
6185 This patch introduces a hard and fast rule: doubles can never be implicitly converted to
6186 anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
6187 nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
6188 conversions. They are like Identity but return the same value using a different
6189 representation. Likewise, constants may now be represented using either JSConstant,
6190 Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
6191 Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
6192 Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
6193 we speculate DoubleReal and expect Double representation.
6194
6195 In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
6196 this also makes it easier to introduce optimizations in the future. It's now possible for
6197 AI to model when/how conversion take place. For example if doing a conversion results in
6198 NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
6199 what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
6200
6201 This was a big change, so I had to do some interesting things, like finally get rid of
6202 the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
6203 the ByteCodeParser no longer emits Identity nodes since that was always pointless.
6204
6205 No performance change because this mostly just rationalizes preexisting behavior.
6206
6207 * JavaScriptCore.xcodeproj/project.pbxproj:
6208 * assembler/MacroAssemblerX86.h:
6209 * bytecode/CodeBlock.cpp:
6210 * bytecode/CodeBlock.h:
6211 * dfg/DFGAbstractInterpreter.h:
6212 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
6213 (JSC::DFG::AbstractInterpreter::setConstant):
6214 * dfg/DFGAbstractInterpreterInlines.h:
6215 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6216 * dfg/DFGAbstractValue.cpp:
6217 (JSC::DFG::AbstractValue::set):
6218 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
6219 (JSC::DFG::AbstractValue::checkConsistency):
6220 * dfg/DFGAbstractValue.h:
6221 * dfg/DFGBackwardsPropagationPhase.cpp:
6222 (JSC::DFG::BackwardsPropagationPhase::propagate):
6223 * dfg/DFGBasicBlock.h:
6224 * dfg/DFGBasicBlockInlines.h:
6225 (JSC::DFG::BasicBlock::appendNode):
6226 (JSC::DFG::BasicBlock::appendNonTerminal):
6227 * dfg/DFGByteCodeParser.cpp:
6228 (JSC::DFG::ByteCodeParser::parseBlock):
6229 * dfg/DFGCSEPhase.cpp:
6230 (JSC::DFG::CSEPhase::constantCSE):
6231 (JSC::DFG::CSEPhase::performNodeCSE):
6232 (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
6233 * dfg/DFGCapabilities.h:
6234 * dfg/DFGClobberize.h:
6235 (JSC::DFG::clobberize):
6236 * dfg/DFGConstantFoldingPhase.cpp:
6237 (JSC::DFG::ConstantFoldingPhase::foldConstants):
6238 * dfg/DFGDCEPhase.cpp:
6239 (JSC::DFG::DCEPhase::fixupBlock):
6240 * dfg/DFGEdge.h:
6241 (JSC::DFG::Edge::willNotHaveCheck):
6242 * dfg/DFGFixupPhase.cpp:
6243 (JSC::DFG::FixupPhase::run):
6244 (JSC::DFG::FixupPhase::fixupNode):
6245 (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
6246 (JSC::DFG::FixupPhase::observeUseKindOnNode):
6247 (JSC::DFG::FixupPhase::fixIntEdge):
6248 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
6249 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
6250 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
6251 (JSC::DFG::FixupPhase::fixEdgeRepresentation):
6252 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6253 (JSC::DFG::FixupPhase::addRequiredPhantom):
6254 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
6255 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
6256 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
6257 * dfg/DFGFlushFormat.h:
6258 (JSC::DFG::resultFor):
6259 (JSC::DFG::useKindFor):
6260 * dfg/DFGGraph.cpp:
6261 (JSC::DFG::Graph::dump):
6262 * dfg/DFGGraph.h:
6263 (JSC::DFG::Graph::addNode):
6264 * dfg/DFGInPlaceAbstractState.cpp:
6265 (JSC::DFG::InPlaceAbstractState::initialize):
6266 * dfg/DFGInsertionSet.h:
6267 (JSC::DFG::InsertionSet::insertNode):
6268 (JSC::DFG::InsertionSet::insertConstant):
6269 (JSC::DFG::InsertionSet::insertConstantForUse):
6270 * dfg/DFGIntegerCheckCombiningPhase.cpp:
6271 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
6272 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
6273 * dfg/DFGNode.cpp:
6274 (JSC::DFG::Node::convertToIdentity):
6275 (WTF::printInternal):
6276 * dfg/DFGNode.h:
6277 (JSC::DFG::Node::Node):
6278 (JSC::DFG::Node::setResult):
6279 (JSC::DFG::Node::result):
6280 (JSC::DFG::Node::isConstant):
6281 (JSC::DFG::Node::hasConstant):
6282 (JSC::DFG::Node::convertToConstant):
6283 (JSC::DFG::Node::valueOfJSConstant):
6284 (JSC::DFG::Node::hasResult):
6285 (JSC::DFG::Node::hasInt32Result):
6286 (JSC::DFG::Node::hasInt52Result):
6287 (JSC::DFG::Node::hasNumberResult):
6288 (JSC::DFG::Node::hasDoubleResult):
6289 (JSC::DFG::Node::hasJSResult):
6290 (JSC::DFG::Node::hasBooleanResult):
6291 (JSC::DFG::Node::hasStorageResult):
6292 (JSC::DFG::Node::defaultUseKind):
6293 (JSC::DFG::Node::defaultEdge):
6294 (JSC::DFG::Node::convertToIdentity): Deleted.
6295 * dfg/DFGNodeFlags.cpp:
6296 (JSC::DFG::dumpNodeFlags):
6297 * dfg/DFGNodeFlags.h:
6298 (JSC::DFG::canonicalResultRepresentation):
6299 * dfg/DFGNodeType.h:
6300 * dfg/DFGOSRExitCompiler32_64.cpp:
6301 (JSC::DFG::OSRExitCompiler::compileExit):
6302 * dfg/DFGOSRExitCompiler64.cpp:
6303 (JSC::DFG::OSRExitCompiler::compileExit):
6304 * dfg/DFGPredictionPropagationPhase.cpp:
6305 (JSC::DFG::PredictionPropagationPhase::propagate):
6306 * dfg/DFGResurrectionForValidationPhase.cpp:
6307 (JSC::DFG::ResurrectionForValidationPhase::run):
6308 * dfg/DFGSSAConversionPhase.cpp:
6309 (JSC::DFG::SSAConversionPhase::run):
6310 * dfg/DFGSafeToExecute.h:
6311 (JSC::DFG::SafeToExecuteEdge::operator()):
6312 (JSC::DFG::safeToExecute):
6313 * dfg/DFGSpeculativeJIT.cpp:
6314 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
6315 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
6316 (JSC::DFG::SpeculativeJIT::silentFill):
6317 (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
6318 (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
6319 (JSC::DFG::JSValueRegsTemporary::regs):
6320 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
6321 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
6322 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6323 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
6324 (JSC::DFG::SpeculativeJIT::compileValueRep):
6325 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
6326 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
6327 (JSC::DFG::SpeculativeJIT::compileAdd):
6328 (JSC::DFG::SpeculativeJIT::compileArithSub):
6329 (JSC::DFG::SpeculativeJIT::compileArithNegate):
6330 (JSC::DFG::SpeculativeJIT::compileArithMul):
6331 (JSC::DFG::SpeculativeJIT::compileArithDiv):
6332 (JSC::DFG::SpeculativeJIT::compileArithMod):
6333 (JSC::DFG::SpeculativeJIT::compare):
6334 (JSC::DFG::SpeculativeJIT::compileStrictEq):
6335 (JSC::DFG::SpeculativeJIT::speculateNumber):
6336 (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
6337 (JSC::DFG::SpeculativeJIT::speculate):
6338 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
6339 (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
6340 (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
6341 * dfg/DFGSpeculativeJIT.h:
6342 (JSC::DFG::SpeculativeJIT::allocate):
6343 (JSC::DFG::SpeculativeJIT::use):
6344 (JSC::DFG::SpeculativeJIT::boxDouble):
6345 (JSC::DFG::SpeculativeJIT::spill):
6346 (JSC::DFG::SpeculativeJIT::jsValueResult):
6347 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
6348 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
6349 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
6350 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
6351 * dfg/DFGSpeculativeJIT32_64.cpp:
6352 (JSC::DFG::SpeculativeJIT::fillJSValue):
6353 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
6354 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6355 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
6356 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
6357 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
6358 (JSC::DFG::SpeculativeJIT::emitBranch):
6359 (JSC::DFG::SpeculativeJIT::compile):
6360 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
6361 * dfg/DFGSpeculativeJIT64.cpp:
6362 (JSC::DFG::SpeculativeJIT::fillJSValue):
6363 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
6364 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
6365 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6366 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
6367 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
6368 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
6369 (JSC::DFG::SpeculativeJIT::emitBranch):
6370 (JSC::DFG::SpeculativeJIT::compile):
6371 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
6372 * dfg/DFGStrengthReductionPhase.cpp:
6373 (JSC::DFG::StrengthReductionPhase::handleNode):
6374 * dfg/DFGUseKind.cpp:
6375 (WTF::printInternal):
6376 * dfg/DFGUseKind.h:
6377 (JSC::DFG::typeFilterFor):
6378 (JSC::DFG::shouldNotHaveTypeCheck):
6379 (JSC::DFG::mayHaveTypeCheck):
6380 (JSC::DFG::isNumerical):
6381 (JSC::DFG::isDouble):
6382 (JSC::DFG::isCell):
6383 (JSC::DFG::usesStructure):
6384 (JSC::DFG::useKindForResult):
6385 * dfg/DFGValidate.cpp:
6386 (JSC::DFG::Validate::validate):
6387 * dfg/DFGVariadicFunction.h: Removed.
6388 * ftl/FTLCapabilities.cpp:
6389 (JSC::FTL::canCompile):
6390 * ftl/FTLLowerDFGToLLVM.cpp:
6391 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
6392 (JSC::FTL::LowerDFGToLLVM::compileNode):
6393 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
6394 (JSC::FTL::LowerDFGToLLVM::compilePhi):
6395 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
6396 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
6397 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
6398 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
6399 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
6400 (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
6401 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
6402 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
6403 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
6404 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
6405 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
6406 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
6407 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
6408 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
6409 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
6410 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
6411 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
6412 (JSC::FTL::LowerDFGToLLVM::compare):
6413 (JSC::FTL::LowerDFGToLLVM::boolify):
6414 (JSC::FTL::LowerDFGToLLVM::lowInt52):
6415 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
6416 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
6417 (JSC::FTL::LowerDFGToLLVM::lowDouble):
6418 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
6419 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
6420 (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
6421 (JSC::FTL::LowerDFGToLLVM::speculate):
6422 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
6423 (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
6424 (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
6425 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
6426 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
6427 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
6428 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
6429 * ftl/FTLValueFormat.cpp:
6430 (JSC::FTL::reboxAccordingToFormat):
6431 * jit/AssemblyHelpers.cpp:
6432 (JSC::AssemblyHelpers::sanitizeDouble):
6433 * jit/AssemblyHelpers.h:
6434 (JSC::AssemblyHelpers::boxDouble):
6435
64362014-04-15 Commit Queue <commit-queue@webkit.org>
6437
6438 Unreviewed, rolling out r167199 and r167251.
6439 https://bugs.webkit.org/show_bug.cgi?id=131678
6440
6441 Caused a DYEBench regression and does not seem to improve perf
6442 on relevant websites (Requested by rniwa on #webkit).
6443
6444 Reverted changesets:
6445
6446 "Rewrite Function.bind as a builtin"
6447 https://bugs.webkit.org/show_bug.cgi?id=131083
6448 http://trac.webkit.org/changeset/167199
6449
6450 "Update test result"
6451 http://trac.webkit.org/changeset/167251
6452
64532014-04-14 Commit Queue <commit-queue@webkit.org>
6454
6455 Unreviewed, rolling out r167272.
6456 https://bugs.webkit.org/show_bug.cgi?id=131666
6457
6458 Broke multiple tests (Requested by ap on #webkit).
6459
6460 Reverted changeset:
6461
6462 "Function.bind itself is too slow"
6463 https://bugs.webkit.org/show_bug.cgi?id=131636
6464 http://trac.webkit.org/changeset/167272
6465
64662014-04-14 Geoffrey Garen <ggaren@apple.com>
6467
6468 ASSERT when firing low memory warning
6469 https://bugs.webkit.org/show_bug.cgi?id=131659
6470
6471 Reviewed by Mark Hahnenberg.
6472
6473 * heap/Heap.cpp:
6474 (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
6475 called when no GC is happening because that is what we do when a low
6476 memory warning fires, and it is harmless.
6477
64782014-04-14 Mark Hahnenberg <mhahnenberg@apple.com>
6479
6480 emit_op_put_by_id should not emit a write barrier that filters on value
6481 https://bugs.webkit.org/show_bug.cgi?id=131654
6482
6483 Reviewed by Filip Pizlo.
6484
6485 The 32-bit implementation does this, and it can cause crashes if we later repatch the
6486 code to allocate and store new Butterflies.
6487
6488 * jit/JITPropertyAccess.cpp:
6489 (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
6490 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
6491 load down into the if statement so that we don't do it if we're not filtering on the value.
6492 * jit/JITPropertyAccess32_64.cpp:
6493 (JSC::JIT::emit_op_put_by_id):
6494
64952014-04-14 Oliver Hunt <oliver@apple.com>
6496
6497 Function.bind itself is too slow
6498 https://bugs.webkit.org/show_bug.cgi?id=131636
6499
6500 Reviewed by Geoffrey Garen.
6501
6502 Rather than forcing creation of an activation, we now store
6503 bound function properties directly on the returned closure.
6504 This is necessary to deal with code that creates many function
6505 bindings, but does not call them very often.
6506
6507 This is a 60% speed up in the included js/regress test.
6508
6509 * builtins/BuiltinExecutables.cpp:
6510 (JSC::BuiltinExecutables::createBuiltinExecutable):
6511 * builtins/Function.prototype.js:
6512 (bind.bindingFunction):
6513 (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
6514 (bind.else.switch.case.1.bindingFunction):
6515 (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
6516 (bind.else.switch.case.2.bindingFunction):
6517 (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
6518 (bind.else.switch.case.3.bindingFunction):
6519 (bind.else.switch.bindingFunction):
6520 (bind):
6521 (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
6522 (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
6523 (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
6524 * runtime/CommonIdentifiers.h:
6525
65262014-04-14 Julien Brianceau <jbriance@cisco.com>
6527
6528 [sh4] Allow use of SubImmediates in LLINT.
6529 https://bugs.webkit.org/show_bug.cgi?id=131608
6530
6531 Reviewed by Mark Lam.
6532
        Allow use of SubImmediates with const pool so the sh4 architecture can
        share the arm path for setEntryAddress macro. It reduces architecture
        specific code and leads to more optimal generated code for sh4.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/sh4.rb:

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Oliver & Darin.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167249.
        https://bugs.webkit.org/show_bug.cgi?id=131621

        broke 3 tests on cloop (Requested by kling on #webkit).

        Reverted changeset:

        "Array.prototype.concat should allocate output storage only
        once."
        https://bugs.webkit.org/show_bug.cgi?id=131609
        http://trac.webkit.org/changeset/167249

2014-04-14  Alex Christensen  <achristensen@webkit.org>

        Fixed potential integer truncation.
        https://bugs.webkit.org/show_bug.cgi?id=131615

        Reviewed by Darin Adler.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Truncate the size_t to an unsigned after it is limited to 15 instead of before.

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Darin Adler.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the call site of string comparison in some hot path
        https://bugs.webkit.org/show_bug.cgi?id=131605

        Reviewed by Darin Adler.

        When resolved, the String of a JSString is never null. It can be empty but not null.
        The null value is reserved for ropes but those would be resolved when getting the value.

        Consequently, we should use the equal() operation that does not handle null values.
        Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.

        * jit/JITOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::pureStrictEqual):

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery. While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        Math.fround() should be an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=131583

        Reviewed by Geoffrey Garen.

        Makes programs that use Math.fround() run up to 6x faster.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        FTL should use stackmap register liveness
        https://bugs.webkit.org/show_bug.cgi?id=130791

        Reviewed by Geoffrey Garen.

        Enable the stackmap register liveness support by fixing the last two bugs:

        - If everything is dead after the patchpoint - a good possibility for a put_by_id -
          then we shouldn't crash due to a null scratch buffer.

        - Always consider callee-saves as if they were live. More precisely, we should
          consider those callee-saves that are not saved by the enclosing function to be live.
          For now we do the much simpler thing and consider callee-saves to be always live
          since it has minimal impact on the scratch register allocator. It will know not to
          preserve those for calls, anyway.

        I tried writing a test for the null scratch buffer thing, but failed. I will land the
        test anyway since it seems useful.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/Options.h:
        * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
        (foo):

2014-04-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
        https://bugs.webkit.org/show_bug.cgi?id=131424

        Reviewed by Geoffrey Garen.

        This defers type conversion injection until we've decided on types. This makes the
        process of deciding types a bit more flexible - for example we can naturally fixpoint
        and change our minds. Only when things are settled do we actually insert conversions.

        This is a necessary prerequisite for keeping double, int52, and JSValue data flow
        separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
        that there are typed uses. If we were eagerly inserting type conversions then we would
        first insert a to/from-JSValue conversion in some cases only to then replace it by
        the other conversions. It's probably trivial to remove those redundant conversions later
        but I think it's better if we don't insert them to begin with.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.

2014-04-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: code generator should consider enclosing class when computing duplicate type names
        https://bugs.webkit.org/show_bug.cgi?id=131554

        Reviewed by Timothy Hatcher.

        We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
        can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
        by the enclosing class and enum name.

        Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.type_name): Prepend the enclosing class name.
        (Type.type_name.is):
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.

2014-04-11  Gavin Barraclough  <baraclough@apple.com>

        Rollout - Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Unreviewed.

        Rolling out r167020 while investigating a performance regression.

        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (apply):
        (bind.bindingFunction): Deleted.
        (bind.else.bindingFunction): Deleted.
        (bind): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::destroy):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectPrototypeProperty): Deleted.
        (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorConstructor.cpp:
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/SetIteratorConstructor.cpp:
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::finishCreation):

2014-04-11  David Kilzer  <ddkilzer@apple.com>

        [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
        <http://webkit.org/b/131556>
        <rdar://problem/16591856>

        Reviewed by Brent Fulgham.

        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
        OTHER_LDFLAGS so the ASan build does not try to link to
        libclang_rt.asan_osx_dynamic.dylib.

2014-04-11  Mark Lam  <mark.lam@apple.com>

        JSMainThreadExecState::call() should clear exceptions before returning.
        <https://webkit.org/b/131530>

        Reviewed by Geoffrey Garen.

        Added a version of JSC::call() that returns any uncaught exception instead
        of leaving it pending in the VM.

        As part of this change, I updated various parts of the code base to use the
        new API as needed.

        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
          The injected scripts will include Inspector scripts that should catch
          and handle any exceptions that were thrown. We should not be seeing any
          exceptions returned from this call. However, we do have checks for
          exceptions in case there are bugs in the Inspector scripts which allowed
          the exception to leak through. Hence, it is proper to clear the exception
          here, and only record the fact that an exception was seen (if present).

        * bindings/ScriptFunctionCall.h:
        * inspector/InspectorEnvironment.h:
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CallData.h:

2014-04-11  Oliver Hunt  <oliver@apple.com>

        Add BuiltinLog function to make debugging builtins easier
        https://bugs.webkit.org/show_bug.cgi?id=131550

        Reviewed by Andreas Kling.

        Add a logging function that builtins can use for debugging.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinLog):
        * runtime/JSGlobalObjectFunctions.h:

2014-04-11  Julien Brianceau  <jbriance@cisco.com>

        Fix LLInt for sh4 architecture (broken since C stack merge).
        https://bugs.webkit.org/show_bug.cgi?id=131532

        Reviewed by Mark Lam.

        This patch fixes the build and also implements sh4 parts for initPCRelative and
        setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb:

2014-04-10  Michael Saboff  <msaboff@apple.com>

        Crash beneath DFG JIT code @ video.disney.com
        https://bugs.webkit.org/show_bug.cgi?id=131447

        Reviewed by Geoffrey Garen.

        The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
        'tag not less than Undefined' check. The first check was incorrectly elided if we
        knew that the value *was* an int32, when it should have been elided if we already
        knew that the value *was not* an int32.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * tests/stress/test-spec-misc.js: Added test.
        (getX):
        (foo):
        (bar):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Make room for additional types in SpeculatedType.h
        https://bugs.webkit.org/show_bug.cgi?id=131422

        Reviewed by Sam Weinig.

        This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.

        * bytecode/SpeculatedType.h:

2014-04-10  Alex Christensen  <achristensen@webkit.org>

        Compile fix for Win64.
        https://bugs.webkit.org/show_bug.cgi?id=131508

        Reviewed by Geoffrey Garen.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Added unsigned template parameter to distinguish between size_t and unsigned long.

2014-04-10  Michael Saboff  <msaboff@apple.com>

        LLInt interpreter code should be generated as part of one function
        https://bugs.webkit.org/show_bug.cgi?id=131205

        Reviewed by Mark Lam.

        Changed the generation of llint opcodes so that they are all part of the same
        global function, llint_entry. That function is used to fill in an entry point
        table that includes each of the opcodes and helpers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added appropriate use of new -I option to offline assembler and offset
        generator scripts.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/cloop.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/self_hash.rb:
        * offlineasm/settings.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        Added a new "global" keyword to the offline assembler that denotes a label that
        should be exported. Added opcode and operand support to get the absolute
        address of a local label using position independent calculations. Updated the
        offline assembler to handle included files, both when generating the checksum
        as well as including files from other than the local directory via a newly
        added -I option. The offline assembler now automatically determines external
        functions by keeping track of referenced functions that are defined within the
        assembly source. This is used both for choosing the correct macro for external
        references as well as generating the needed EXTERN directives for masm.
        Updated the generation of the masm only .sym file to be written once at the end
        of the offline assembler.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITStubs.h:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodeFunctionPtr):
        (JSC::LLInt::getOpcode): Deleted.
        (JSC::LLInt::getCodePtr): Deleted.
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h:
        Changed references to llint helpers to go through the entry point table populated
        by llint_entry. Added helpers to OpcodeID enum for all builds.

        * bytecode/BytecodeList.json:
        * generate-bytecode-files:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        Reordered sections to match the order that the functions are added to the entry point
        table. Added new "asmPrefix" property for symbols that have one name but are generated
        with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
        as we are using enums for all bytecode references. Changed the C Loop only
        llint_c_loop_init to llint_entry.

2014-04-10  Matthew Mirman  <mmirman@apple.com>

        WIP for inlining C++. Added a build target to produce LLVM IR.
        https://bugs.webkit.org/show_bug.cgi?id=130523

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * build-symbol-table-index.py: Added.
        * build-symbol-table-index.sh: Added.
        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
        * copy-llvm-ir-to-derived-sources.sh: Added.

2014-04-10  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
        https://bugs.webkit.org/show_bug.cgi?id=131341

        Reviewed by Timothy Hatcher.

        Add support for encoding/decoding unsigned long with EncodedValue.
        It is a distinct type from uint32_t and uint64_t.

        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<unsigned long>):
        * replay/EncodedValue.h:

2014-04-10  Mark Lam  <mark.lam@apple.com>

        LLINT loadisFromInstruction should handle the big endian case.
        <https://webkit.org/b/131495>

        Reviewed by Mark Hahnenberg.

        The LLINT loadisFromInstruction macro aims to load the least significant
        32-bit word from the 64-bit bytecode instruction stream and sign extend
        it. For big endian machines, the current implementation would load the
        wrong 32-bit word.

        Without this fix, the JSC tests will crash on big endian machines.
        Thanks to Tomas Popela for diagnosing this issue.

        * llint/LowLevelInterpreter.asm:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Temporarily disable the JIT for the Windows port.
        <https://webkit.org/b/131470>

        Reviewed by Brent Fulgham.

        This is a temporary stopgap measure to green the Windows bots until
        we have a fix for https://webkit.org/b/131182.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-04-09  Juergen Ributzka  <juergen@apple.com>

        [FTL] Emit multibyte NOPs on X86-64
        https://bugs.webkit.org/show_bug.cgi?id=131394

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):

2014-04-09  Julien Brianceau  <jbriance@cisco.com>

        Get rid of JITOperationWrappers.h header file.
        https://bugs.webkit.org/show_bug.cgi?id=131450

        Reviewed by Michael Saboff.

        JITOperationWrappers header file contains architecture specific code that is
        not needed anymore, so get rid of it.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * jit/JITOperationWrappers.h: Removed.
        * jit/JITOperations.cpp:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
        <https://webkit.org/b/131449>

        Reviewed by Mark Hahnenberg.

        Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
        that it pads is of type int anyway. It doesn't need to be 64 bit. This
        also makes it work with the LLINT which is loading it with a loadi
        instruction.

        We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
        when loading the argCount.

        The paddedArgCount issue was causing failures when running the JSC tests on a
        64-bit big endian machine. In this case, the paddedArgCount in the
        ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
        as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
        that field, the LLINT got a value of 0 instead of the expected 2. With this
        patch, we now have a matching store and load of a 32-bit value, and endianness
        no longer comes into play.

        As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
        the payload field of the Register. In the definition of EncodedValueDescriptor,
        we already ensure that the payload is in the least significant 32-bits for
        little endian machines, and in the most significant 32-bits for big endian
        machines. This means that there is no endianness bug when loading this value
        using loadi. However, adding the PayLoadOffset clarifies the intent of the
        code to load the payload part of the Register value.

        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::setPaddedArgCount):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
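
        The following C program is an added illustration, not JavaScriptCore code: it simulates both byte orders in memory and reproduces the paddedArgCount store/load width mismatch described in the entry above, the PayLoadOffset selection of the Register payload, and the least-significant-word load that the loadisFromInstruction entry (2014-04-10) fixes. All field layouts and function names are hypothetical stand-ins for the real structures.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not JavaScriptCore code. Both byte orders are simulated
 * explicitly so the store/load width mismatch can be reproduced on any host.
 * Field layouts below are hypothetical stand-ins for the real structures. */

enum { SIM_LITTLE = 0, SIM_BIG = 1 };

/* Serialize v into 8 bytes in the requested byte order. */
static void store64(uint8_t *p, uint64_t v, int big_endian)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (big_endian ? 56 - 8 * i : 8 * i));
}

/* Serialize v into 4 bytes in the requested byte order. */
static void store32(uint8_t *p, uint32_t v, int big_endian)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (big_endian ? 24 - 8 * i : 8 * i));
}

/* What the LLInt "loadi" does: read the 4 bytes at p as a native-order word. */
static uint32_t load32(const uint8_t *p, int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (big_endian ? 24 - 8 * i : 8 * i);
    return v;
}

/* Before the fix: C++ stored paddedArgCount as a 64-bit size_t while the LLInt
 * read 32 bits starting at the field's lowest address. */
static uint32_t paddedArgCountBeforeFix(uint32_t argCount, int big_endian)
{
    uint8_t field[8];
    store64(field, (uint64_t)argCount, big_endian);
    return load32(field, big_endian); /* 0 on big endian: the high half was read */
}

/* After the fix: both sides agree on a 32-bit field, so byte order is irrelevant. */
static uint32_t paddedArgCountAfterFix(uint32_t argCount, int big_endian)
{
    uint8_t field[4];
    store32(field, argCount, big_endian);
    return load32(field, big_endian);
}

/* Byte offset of the least significant 32-bit half of a 64-bit word. This is the
 * role PayLoadOffset plays for argCountAndCodeOriginValue, and the word that
 * loadisFromInstruction must pick out of a 64-bit instruction slot. */
static size_t payloadOffset(int big_endian) { return big_endian ? 4 : 0; }

/* Register with the tag in the most significant half and argCount in the payload. */
static uint32_t argCountFromRegister(uint32_t argCount, uint32_t tag, int big_endian)
{
    uint8_t reg[8];
    store64(reg, ((uint64_t)tag << 32) | argCount, big_endian);
    return load32(reg + payloadOffset(big_endian), big_endian);
}

/* Hypothetical pre-fix loadis: always read the word at the slot's lowest address. */
static int64_t loadisNaive(int32_t operand, int big_endian)
{
    uint8_t slot[8];
    store64(slot, (uint64_t)(int64_t)operand, big_endian); /* sign-extended operand */
    return (int64_t)(int32_t)load32(slot, big_endian);
}

/* Fixed loadis: read the least significant word, then sign extend it. */
static int64_t loadisFromSlot(int32_t operand, int big_endian)
{
    uint8_t slot[8];
    store64(slot, (uint64_t)(int64_t)operand, big_endian);
    return (int64_t)(int32_t)load32(slot + payloadOffset(big_endian), big_endian);
}

int main(void)
{
    for (int be = SIM_LITTLE; be <= SIM_BIG; be++) {
        printf("%s endian: before fix %u, after fix %u, payload %u, naive loadis %lld, fixed loadis %lld\n",
               be ? "big" : "little",
               paddedArgCountBeforeFix(2, be), paddedArgCountAfterFix(2, be),
               argCountFromRegister(2, 0xfffffffeu, be),
               (long long)loadisNaive(7, be), (long long)loadisFromSlot(7, be));
    }
    return 0;
}
```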

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery. While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-08  Jon Lee  <jonlee@apple.com>

        Turn MSE on by default
        https://bugs.webkit.org/show_bug.cgi?id=131313
        <rdar://problem/16525223>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
        https://bugs.webkit.org/show_bug.cgi?id=131406

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        Provide a way to stop externally and a path to stop when in
        the middle of handling a message already with the locked mutex.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
        Provide a way to close externally and a path to close when in
        the middle of handling a message already with a mutex.

2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
        https://bugs.webkit.org/show_bug.cgi?id=131398

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        The console object can be deleted from a page or JSContext,
        so keep code that expects that it could have been deleted
        to be resilient in those cases.

        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        Change the FIXMEs to NOTEs that explain why these functions
        have empty implementations for JSContext inspection.

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix a goofy assertion to fix debug.

        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::isSetter):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        (JSC::PutByIdAccess::customSetter):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Fail silently if the LLVM dylib isn't found
        https://bugs.webkit.org/show_bug.cgi?id=131385

        Reviewed by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Repatch should support setters and plant calls to them directly
7441 https://bugs.webkit.org/show_bug.cgi?id=130750
7442
7443 Reviewed by Geoffrey Garen.
7444
7445 All of the infrastructure was in place so this just enables setter optimization.
7446
7447 This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
7448
7449 * bytecode/PolymorphicPutByIdList.cpp:
7450 (JSC::PutByIdAccess::visitWeak):
7451 * bytecode/PolymorphicPutByIdList.h:
7452 (JSC::PutByIdAccess::setter):
7453 (JSC::PutByIdAccess::customSetter): Deleted.
7454 * bytecode/PutByIdStatus.cpp:
7455 (JSC::PutByIdStatus::computeForStubInfo):
7456 * jit/Repatch.cpp:
7457 (JSC::toString):
7458 (JSC::kindFor):
7459 (JSC::customFor):
7460 (JSC::generateByIdStub):
7461 (JSC::tryCachePutByID):
7462 (JSC::tryBuildPutByIdList):
7463 * runtime/JSObject.cpp:
7464 (JSC::JSObject::put):
7465 * runtime/Lookup.h:
7466 (JSC::putEntry):
7467 * runtime/PutPropertySlot.h:
7468 (JSC::PutPropertySlot::setCacheableSetter):
7469 (JSC::PutPropertySlot::isCacheableSetter):
7470 (JSC::PutPropertySlot::isCacheableCustom):
7471 (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
7472 (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
7473 * tests/stress/setter.js: Added.
7474 (foo):
7475
74762014-04-07 Filip Pizlo <fpizlo@apple.com>
7477
7478 Setters are just getters that take an extra argument and don't return a value
7479 https://bugs.webkit.org/show_bug.cgi?id=131336
7480
7481 Reviewed by Geoffrey Garen.
7482
7483 Other than that, they're totally the same thing.
7484
7485 This isn't as dumb as it sounds.
7486
7487 Most of the work in calling an accessor has to do with emitting the necessary checks for
7488 figuring out whether we're calling the accessor we expected, followed by the boilerplate
7489 needed for setting up a call inside of a stub. It makes sense for the code to be totally
7490 common.
7491
7492 * jit/AssemblyHelpers.h:
7493 (JSC::AssemblyHelpers::storeValue):
7494 (JSC::AssemblyHelpers::moveTrustedValue):
7495 * jit/CCallHelpers.h:
7496 (JSC::CCallHelpers::setupResults):
7497 * jit/Repatch.cpp:
7498 (JSC::kindFor):
7499 (JSC::customFor):
7500 (JSC::generateByIdStub):
7501 (JSC::tryCacheGetByID):
7502 (JSC::tryBuildGetByIDList):
7503 (JSC::tryCachePutByID):
7504 (JSC::tryBuildPutByIdList):
7505 (JSC::generateGetByIdStub): Deleted.
7506 (JSC::emitCustomSetterStub): Deleted.
7507 * runtime/JSCJSValue.h:
7508 (JSC::JSValue::asValue):
7509 * runtime/PutPropertySlot.h:
7510 (JSC::PutPropertySlot::cachedOffset):
7511
75122014-04-07 Joseph Pecoraro <pecoraro@apple.com>
7513
7514 Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
7515 https://bugs.webkit.org/show_bug.cgi?id=131321
7516
7517 Reviewed by Mark Rowe.
7518
7519 * inspector/remote/RemoteInspector.mm:
7520 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
7521 Avoid attempting to take the same lock twice. Move the received message
7522 lock grab after the WIRPermissionDenied branch, which takes the lock
7523 inside RemoteInspector::stop.
7524
75252014-04-07 Filip Pizlo <fpizlo@apple.com>
7526
7527 Make it possible to disable some of the FTL's more interesting features
7528 https://bugs.webkit.org/show_bug.cgi?id=131312
7529
7530 Reviewed by Mark Hahnenberg.
7531
7532 * dfg/DFGByteCodeParser.cpp:
7533 (JSC::DFG::ByteCodeParser::handleGetById):
7534 (JSC::DFG::ByteCodeParser::handlePutById):
7535 (JSC::DFG::ByteCodeParser::parse):
7536 * runtime/Options.h:
7537
75382014-04-04 Mark Lam <mark.lam@apple.com>
7539
7540 Date object needs to check for ES5 15.9.1.14 TimeClip limit.
7541 <https://webkit.org/b/131248>
7542
7543 Reviewed by Mark Hahnenberg.
7544
7545 The current Date object code does not adequately check for the ES5
7546 15.9.1.14 TimeClip limit. As a result, some calculations can underflow
7547 / overflow and produce unexpected results.
7548
7549 For example, we were getting an assertion failure in
7550 WTF::equivalentYearForDST() due to int underflows in this function, which
7551 in turn were due to an int overflow in WTF::msToYear().
7552
7553 This patch adds the needed checks, and adds some assertions to ensure
7554 that the used values are sane.
7555
7556 The changes have no noticeable impact on benchmark results.
7557
7558 * runtime/DateConstructor.cpp:
7559 (JSC::callDate):
7560 * runtime/JSDateMath.cpp:
7561 (JSC::localTimeOffset):
7562 (JSC::gregorianDateTimeToMS):
7563 (JSC::msToGregorianDateTime):
7564 (JSC::parseDateFromNullTerminatedCharacters):
7565 (JSC::parseDate):
7566 * runtime/JSDateMath.h:
7567 - parseDateFromNullTerminatedCharacters() does not need to be public.
7568 Made it a static function.
7569 * runtime/VM.cpp:
7570 (JSC::VM::resetDateCache):
7571 - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
7572 to be consistent with other Date code.
7573
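The TimeClip limit the entry above refers to, written out as an added example (this is not JavaScriptCore code and not part of the original ChangeLog). It implements ES5 15.9.1.14 TimeClip and ES5 9.4 ToInteger directly, then uses the host engine's own Date constructor, which applies TimeClip internally, as a reference to compare against. The sample inputs are constructed for the example; `MAX_TIME_MS`, `timeClip` and `checkAgainstHostDate` are names chosen here, not JSC identifiers.

```javascript
// Added example, not JavaScriptCore code: ES5 15.9.1.14 TimeClip written out,
// so the limit the entry above refers to can be checked against the host
// engine's own Date implementation.
const MAX_TIME_MS = 8.64e15; // +-100,000,000 days around the epoch, in ms

// ES5 9.4 ToInteger: NaN -> +0, infinities pass through, otherwise truncate
// toward zero (so -0.5 becomes -0).
function toInteger(x) {
  if (Number.isNaN(x)) return 0;
  if (!Number.isFinite(x)) return x;
  return Math.sign(x) * Math.floor(Math.abs(x));
}

// ES5 15.9.1.14 TimeClip(time): the step Date code must apply before any
// year/month arithmetic, so a msToYear()-style int computation never sees a
// value outside the representable range.
function timeClip(time) {
  if (!Number.isFinite(time)) return NaN;        // step 1
  if (Math.abs(time) > MAX_TIME_MS) return NaN;  // step 2
  return toInteger(time) + 0;                    // step 3: "+ (+0)" turns -0 into +0
}

// Constructed inputs: values at and just past the limit, fractional values,
// and the non-finite cases. 8.64e15 is below 2^53, so +-1 is exactly representable.
const SAMPLE_TIMES = [
  0, -0.5, 123.9, -123.9,
  MAX_TIME_MS, -MAX_TIME_MS,
  MAX_TIME_MS + 1, -MAX_TIME_MS - 1,
  1e300, -1e300, Infinity, -Infinity, NaN,
];

// new Date(value) applies TimeClip internally, so the host engine serves as a
// reference implementation. Returns the inputs where the two disagree; an
// empty array means the engine matches the spec on every sample.
function checkAgainstHostDate(times = SAMPLE_TIMES) {
  const mismatches = [];
  for (const t of times) {
    const expected = timeClip(t);
    const actual = new Date(t).getTime();
    const same = Number.isNaN(expected) ? Number.isNaN(actual) : expected === actual;
    if (!same) mismatches.push({ input: t, expected, actual });
  }
  return mismatches;
}
```

Running `checkAgainstHostDate()` on a conformant engine returns an empty array; any entry it does return names an input the engine clips differently from the spec, which is exactly the class of discrepancy the assertion failure in WTF::equivalentYearForDST() came from.
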
75742014-04-06 Csaba Osztrogonác <ossy@webkit.org>
7575
7576 Unreviewed speculative 32-bit buildfix after r166837.
7577
7578 * heap/Heap.cpp:
7579 (JSC::Heap::updateObjectCounts):
7580
75812014-04-06 Dan Bernstein <mitz@apple.com>
7582
7583 32-bit build fix.
7584
7585 * runtime/JSGlobalObject.cpp:
7586 (JSC::JSGlobalObject::setInputCursor):
7587
75882014-04-04 Brian J. Burg <burg@cs.washington.edu>
7589
7590 Enable WEB_REPLAY for PLATFORM(MAC)
7591 https://bugs.webkit.org/show_bug.cgi?id=130700
7592
7593 Reviewed by Timothy Hatcher.
7594
7595 * Configurations/FeatureDefines.xcconfig:
7596
75972014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
7598
7599 Add missing files from r166837
7600
7601 * heap/GCLogging.cpp: Added.
7602 (JSC::GCLogging::levelAsString):
7603 (JSC::LoggingFunctor::LoggingFunctor):
7604 (JSC::LoggingFunctor::~LoggingFunctor):
7605 (JSC::LoggingFunctor::operator()):
7606 (JSC::LoggingFunctor::log):
7607 (JSC::LoggingFunctor::reviveCells):
7608 (JSC::LoggingFunctor::returnValue):
7609 (JSC::GCLogging::dumpObjectGraph):
7610 * heap/GCLogging.h: Added.
7611
76122014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
7613
7614 Enhanced GC logging
7615 https://bugs.webkit.org/show_bug.cgi?id=131246
7616
7617 Reviewed by Geoff Garen.
7618
7619 Getting data on the state of the JSC Heap at runtime is currently in a sad state.
7620 The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
7621 recompile to turn it on. It would be nice if we could runtime enable our GC logging
7622 infrastructure while incurring minimal cost when it is disabled.
7623
7624 It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
7625 provides us with the discovered roots along with parent-child relationships as objects
7626 are scanned. However, once an object is scanned it will never be declared as the child
7627 of another object during that collection. This gives us a tree-like view of the
7628 Heap (i.e. each scanned node only reports having a single parent), where the actual
7629 Heap can be an arbitrary graph.
7630
7631 This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances
7632 our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
7633 logging levels. None means no logging is done, Basic is what logGC() = true would have done
7634 prior to this patch, and Verbose logs all object relationships.
7635
7636 JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
7637 subclasses to override the default string representation that will be dumped. These
7638 methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
7639 the logging infrastructure in our compilers.
7640
7641 This patch also adds a GCLogging class that handles dumping the relationships between objects.
7642 It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
7643 children of each live cell at the end of garbage collection.
7644
7645 This change meets our goal of being neutral on the benchmarks we track.
7646
7647 * JavaScriptCore.xcodeproj/project.pbxproj:
7648 * heap/GCLogging.cpp: Added.
7649 (JSC::GCLogging::levelAsString):
7650 (JSC::LoggingFunctor::LoggingFunctor):
7651 (JSC::LoggingFunctor::operator()):
7652 (JSC::LoggingFunctor::log):
7653 (JSC::LoggingFunctor::reviveCells):
7654 (JSC::LoggingFunctor::returnValue):
7655 (JSC::GCLogging::dumpObjectGraph):
7656 * heap/GCLogging.h: Added.
7657 * heap/GCSegmentedArray.h:
7658 (JSC::GCSegmentedArray::begin):
7659 (JSC::GCSegmentedArray::end):
7660 * heap/Heap.cpp:
7661 (JSC::Heap::markRoots):
7662 (JSC::Heap::visitSmallStrings):
7663 (JSC::Heap::visitConservativeRoots):
7664 (JSC::Heap::visitCompilerWorklists):
7665 (JSC::Heap::visitProtectedObjects):
7666 (JSC::Heap::visitTempSortVectors):
7667 (JSC::Heap::visitArgumentBuffers):
7668 (JSC::Heap::visitException):
7669 (JSC::Heap::visitStrongHandles):
7670 (JSC::Heap::visitHandleStack):
7671 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
7672 (JSC::Heap::visitWeakHandles):
7673 (JSC::Heap::updateObjectCounts):
7674 (JSC::Heap::collect):
7675 (JSC::Heap::didFinishCollection):
7676 * heap/Heap.h:
7677 * heap/MarkStack.h:
7678 * heap/SlotVisitor.cpp:
7679 (JSC::SlotVisitor::dump):
7680 * heap/SlotVisitor.h:
7681 (JSC::SlotVisitor::markStack):
7682 * heap/SlotVisitorInlines.h:
7683 (JSC::SlotVisitor::internalAppend):
7684 * runtime/ClassInfo.h:
7685 * runtime/JSCell.cpp:
7686 (JSC::JSCell::dump):
7687 (JSC::JSCell::dumpToStream):
7688 (JSC::JSCell::className):
7689 * runtime/JSCell.h:
7690 * runtime/JSCellInlines.h:
7691 (JSC::JSCell::visitChildren):
7692 * runtime/JSString.cpp:
7693 (JSC::JSString::dumpToStream):
7694 (JSC::JSString::visitChildren):
7695 * runtime/JSString.h:
7696 (JSC::JSString::length):
7697 (JSC::JSRopeString::RopeBuilder::length):
7698 * runtime/Options.cpp:
7699 (JSC::parse):
7700 (JSC::Options::setOption):
7701 (JSC::Options::dumpOption):
7702 * runtime/Options.h:
7703
77042014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
7705
7706 Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
7707 https://bugs.webkit.org/show_bug.cgi?id=131251
7708
7709 Reviewed by Geoffrey Garen.
7710
7711 * API/JSVirtualMachine.mm:
7712 (scanExternalObjectGraph):
7713 * API/tests/testapi.mm:
7714
77152014-04-03 Brian J. Burg <burg@cs.washington.edu>
7716
7717 Web Inspector: hook up probe samples to TimelineAgent's records
7718 https://bugs.webkit.org/show_bug.cgi?id=131127
7719
7720 Reviewed by Timothy Hatcher.
7721
7722 * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.
7723
77242014-04-04 Commit Queue <commit-queue@webkit.org>
7725
7726 Unreviewed, rolling out r166820.
7727 https://bugs.webkit.org/show_bug.cgi?id=131256
7728
7729 Broke builds. (Requested by bdash on #webkit).
7730
7731 Reverted changeset:
7732
7733 "WIP for inlining C++. Added a build target to produce llvm
7734 ir."
7735 https://bugs.webkit.org/show_bug.cgi?id=130523
7736 http://trac.webkit.org/changeset/166820
7737
77382014-04-04 Matthew Mirman <mmirman@apple.com>
7739
7740 WIP for inlining C++. Added a build target to produce llvm ir.
7741 https://bugs.webkit.org/show_bug.cgi?id=130523
7742
7743 Reviewed by Filip Pizlo.
7744
7745 The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o
7746
7747 * JavaScriptCore.xcodeproj/project.pbxproj:
7748 * build_index.py: Added.
7749 * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.
7750
77512014-04-04 Joseph Pecoraro <pecoraro@apple.com>
7752
7753 Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
7754 https://bugs.webkit.org/show_bug.cgi?id=131241
7755
7756 Reviewed by Timothy Hatcher.
7757
7758 * inspector/JSGlobalObjectInspectorController.cpp:
7759 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
7760 Log the exception to the system console if system console output is enabled.
7761
77622014-04-04 Joseph Pecoraro <pecoraro@apple.com>
7763
7764 Web Inspector: Provide a way for JSContext console to log to system console
7765 https://bugs.webkit.org/show_bug.cgi?id=131050
7766
7767 Reviewed by Timothy Hatcher.
7768
7769 Applications often re-expose some log -> NSLog functionality.
7770 We already have the capability ourselves, which includes extra
7771 information such as sourceURL:line:column, all arguments instead
7772 of just one argument, and backtrace information on console.trace.
7773 Therefore it would be convenient if developers could just use
7774 the built-in console.log and get rich output in both the inspector
7775 and the console, without writing their own logger.
7776
7777 The logging will be enabled in debug builds by default, and can be enabled
7778 otherwise by setting a user default before creating the first context.
7779
7780 For example, in the application itself:
7781
7782 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];
7783
7784 Or from outside the application:
7785
7786 shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES
7787
7788 * inspector/JSConsoleClient.h:
7789 * inspector/JSConsoleClient.cpp:
7790 (Inspector::JSConsoleClient::logToSystemConsole):
7791 (Inspector::JSConsoleClient::setLogToSystemConsole):
7792 (Inspector::JSConsoleClient::initializeLogToSystemConsole):
7793 (Inspector::JSConsoleClient::JSConsoleClient):
7794 Global setting for logging to system console. Enabled on
7795 debug builds, and by a user default on supported platforms.
7796
7797 (Inspector::JSConsoleClient::messageWithTypeAndLevel):
7798 Log to system console when the static setting is enabled.
7799
7800 * runtime/ConsoleClient.h:
7801 * runtime/ConsoleClient.cpp:
7802 (JSC::appendURLAndPosition):
7803 (JSC::appendMessagePrefix):
7804 (JSC::ConsoleClient::printConsoleMessage):
7805 (JSC::ConsoleClient::printConsoleMessageWithArguments):
7806 Clean up printing. Build strings and use WTFLogAlways instead of printf
7807 for consistent logging.
7808
7809 * runtime/ConsoleClient.cpp:
7810 (JSC::ConsoleClient::printConsoleMessageWithArguments):
7811 Clean up printing. If there is no source URL, don't print a leading colon.
7812
78132014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
7814
7815 Use JSCell::indexingType instead of Structure::indexingType wherever possible
7816 https://bugs.webkit.org/show_bug.cgi?id=131230
7817
7818 Reviewed by Mark Lam.
7819
7820 Avoid the indirection through the Structure.
7821
7822 * bytecode/ArrayAllocationProfile.cpp:
7823 (JSC::ArrayAllocationProfile::updateIndexingType):
7824 * bytecode/ArrayAllocationProfile.h:
7825 (JSC::ArrayAllocationProfile::selectIndexingType):
7826 * heap/HeapStatistics.cpp:
7827 (JSC::StorageStatistics::operator()):
7828 * runtime/ArrayPrototype.cpp:
7829 (JSC::attemptFastSort):
7830 * runtime/JSGlobalObject.cpp:
7831 (JSC::JSGlobalObject::objectPrototypeIsSane):
7832 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
7833 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
7834 * runtime/JSPropertyNameIterator.cpp:
7835 (JSC::JSPropertyNameIterator::create):
7836
78372014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
7838
7839 Use JSCell::type instead of TypeInfo::type wherever possible
7840 https://bugs.webkit.org/show_bug.cgi?id=131229
7841
7842 Reviewed by Michael Saboff.
7843
7844 Avoid going through the Structure and reifying the TypeInfo.
7845
7846 * runtime/Executable.h:
7847 (JSC::ExecutableBase::isEvalExecutable):
7848 (JSC::ExecutableBase::isProgramExecutable):
7849
78502014-04-03 Andreas Kling <akling@apple.com>
7851
7852 Fast-path for casting JS wrappers to JSNode.
7853 <https://webkit.org/b/131196>
7854
7855 Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
7856 a little bit. We do this by exposing a LastJSCObjectType constant so
7857 WebCore can encode its own wrapper types after that.
7858
7859 Reviewed by Mark Hahnenberg and Geoff Garen.
7860
7861 * runtime/JSType.h:
7862
7863 Added LastJSCObjectType for use by WebCore.
7864
7865 * runtime/JSObject.h:
7866 (JSC::JSObject::isVariableObject):
7867
7868 Updated since this can no longer assume that types >= VariableObjectType
7869 are all variable objects.
7870
78712014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>
7872
7873 All Heap::writeBarriers should be inline
7874 https://bugs.webkit.org/show_bug.cgi?id=131197
7875
7876 Reviewed by Mark Lam.
7877
7878 One is in JSCellInlines.h, another is in Heap.cpp. These are all critical
7879 enough and small enough to belong in HeapInlines.h. Also added the proper
7880 ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.
7881
7882 * heap/Heap.cpp:
7883 (JSC::Heap::writeBarrier): Deleted.
7884 * heap/Heap.h:
7885 * heap/HeapInlines.h:
7886 (JSC::Heap::writeBarrier):
7887 * runtime/JSCellInlines.h:
7888 (JSC::Heap::writeBarrier): Deleted.
7889
78902014-04-03 Joseph Pecoraro <pecoraro@apple.com>
7891
7892 Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
7893 https://bugs.webkit.org/show_bug.cgi?id=131186
7894
7895 Reviewed by Geoffrey Garen.
7896
7897 * API/JSContextPrivate.h:
7898 * API/JSContext.mm:
7899 (-[JSContext _includesNativeCallStackWhenReportingExceptions]):
7900 (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
7901 JSContext ObjC SPI to opt-out of including native call stacks in exceptions.
7902
7903 * API/JSContextRefPrivate.h:
7904 * API/JSContextRef.cpp:
7905 (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
7906 (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
7907 JSContext C SPI to opt-out of including native call stacks in exceptions.
7908
7909 * inspector/JSGlobalObjectInspectorController.h:
7910 * inspector/JSGlobalObjectInspectorController.cpp:
7911 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
7912 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
7913 Only include the native call stack if the setting is enabled. It is enabled by default.
7914
79152014-04-03 Mark Lam <mark.lam@apple.com>
7916
7917 Fix bit rot in ARMv7 JIT probe mechanism.
7918 <https://webkit.org/b/131167>
7919
7920 Reviewed by Geoffrey Garen.
7921
7922 1. The macro assembler does not support pushing the SP register. Worked
7923 around this by pushing the LR register as a placeholder, and then
7924 writing the original SP value to that slot.
7925 2. The CPUState field in the ProbeContext needs to be aligned on a 4
7926 byte boundary, not an 8 byte boundary.
7927
7928 * assembler/MacroAssemblerARMv7.cpp:
7929 (JSC::MacroAssemblerARMv7::probe):
7930 * jit/JITStubsARMv7.h:
7931
79322014-04-02 Mark Lam <mark.lam@apple.com>
7933
7934 ARMv7 compare32() should not use TST to do CMP's job.
7935 <https://webkit.org/b/131146>
7936
7937 Reviewed by Geoffrey Garen.
7938
7939 The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
7940 was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
7941 instruction doesn't set the Overflow (V) flag and this results in random
7942 results depending on whether there was a preceding instruction that did set
7943 the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
7944 with a lot of OSR exits where not expected as well as producing wrong results.
7945
7946 The fix is to use "cmp reg, #0" to do the job properly.
7947
7948 * assembler/MacroAssemblerARMv7.h:
7949 (JSC::MacroAssemblerARMv7::compare32):
7950
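A model of the flag behaviour behind the entry above, as an added example (not JavaScriptCore code, and not taken from the ChangeLog). It emulates the ARM NZCV updates of ADDS, TST and CMP on 32-bit values and evaluates the condition codes the JIT branches on, so the difference between "tst reg, reg" and "cmp reg, #0" becomes visible: TST leaves V alone, and whether the signed conditions come out right then depends on whatever the previous flag-setting instruction left in V. The helper names (`tstFlags`, `cmpFlags`, `wrongConditions`) and the sample histories are chosen for the example.

```javascript
// Added example, not JavaScriptCore code: a model of the ARM NZCV flag updates
// behind the entry above. TST sets only N and Z (C comes from the shifter and
// is unchanged for a plain register operand) and never touches V; CMP computes
// Rn - Op2 and writes all four flags. The signed conditions GE/LT/GT/LE read V,
// so a compare-against-zero done with TST inherits a stale V.
function addsFlags(a, b) {              // ADDS Rd, Ra, Rb (32-bit)
  const res = (a + b) >>> 0;
  const sa = a >>> 31, sb = b >>> 31, sr = res >>> 31;
  return { N: sr === 1, Z: res === 0, C: a + b > 0xFFFFFFFF, V: sa === sb && sr !== sa };
}

function cmpFlags(rn, imm, prev) {      // CMP Rn, #imm (prev unused: every flag is written)
  const res = (rn - imm) >>> 0;
  const sn = rn >>> 31, si = imm >>> 31, sr = res >>> 31;
  return { N: sr === 1, Z: res === 0, C: rn >= imm, V: sn !== si && sr !== sn };
}

function tstFlags(rn, rm, prev) {       // TST Rn, Rm (C and V keep their old values)
  const res = (rn & rm) >>> 0;
  return { N: (res >>> 31) === 1, Z: res === 0, C: prev.C, V: prev.V };
}

// Condition codes as a branch after the compare would evaluate them.
function conditionHolds(cc, f) {
  switch (cc) {
    case 'eq': return f.Z;
    case 'ne': return !f.Z;
    case 'ge': return f.N === f.V;
    case 'lt': return f.N !== f.V;
    case 'gt': return !f.Z && f.N === f.V;
    case 'le': return f.Z || f.N !== f.V;
    default: throw new Error(`unknown condition ${cc}`);
  }
}

const CONDITIONS = ['lt', 'ge', 'gt', 'le', 'eq', 'ne'];

// What a signed 32-bit comparison of `reg` against zero should answer.
function expectedAgainstZero(reg) {
  const s = reg | 0;
  return { lt: s < 0, ge: s >= 0, gt: s > 0, le: s <= 0, eq: s === 0, ne: s !== 0 };
}

// Emulate compare32(reg, 0) with either the old TST sequence or the CMP fix,
// starting from the flags the preceding instruction left behind. Returns the
// names of the conditions that would be evaluated wrongly.
function wrongConditions(reg, prevFlags, impl) {
  const flags = impl === 'tst' ? tstFlags(reg, reg, prevFlags) : cmpFlags(reg, 0, prevFlags);
  const want = expectedAgainstZero(reg);
  return CONDITIONS.filter((cc) => conditionHolds(cc, flags) !== want[cc]);
}

// Two constructed histories: an ADDS that overflowed (V=1) and one that did not (V=0).
const FLAGS_AFTER_OVERFLOW = addsFlags(0x7FFFFFFF, 1); // 0x7FFFFFFF + 1 sets V
const FLAGS_AFTER_CLEAN_ADD = addsFlags(1, 1);
```

With `FLAGS_AFTER_CLEAN_ADD` the TST version happens to give the right answers, which is why the bug looked like random behaviour rather than a consistent failure; with `FLAGS_AFTER_OVERFLOW` it reports `0 < 0` as true, and the CMP version is correct in both histories.
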
79512014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>
7952
7953 CodeBlockSet should be generational
7954 https://bugs.webkit.org/show_bug.cgi?id=127152
7955
7956 Reviewed by Geoffrey Garen.
7957
7958 During EdenCollections we now only visit those CodeBlocks that:
7959 a) Are new since the last collection if they were somehow otherwise reachable.
7960 b) Are reachable from an Executable that is part of the remembered set.
7961
7962 * bytecode/CodeBlock.cpp:
7963 (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
7964 (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
7965 shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
7966 * bytecode/CodeBlock.h:
7967 (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
7968 We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
7969 (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
7970 (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
7971 * heap/CodeBlockSet.cpp:
7972 (JSC::CodeBlockSet::~CodeBlockSet):
7973 (JSC::CodeBlockSet::add):
7974 (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
7975 the set of old CodeBlocks.
7976 (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
7977 (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
7978 remembered set. When an Executable is added to the remembered set it's typically because we need to do something
7979 with its CodeBlock.
7980 (JSC::CodeBlockSet::clearMarks):
7981 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
7982 to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
7983 (JSC::CodeBlockSet::remove):
7984 (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
7985 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
7986 CodeBlocks because we no longer always do this at the beginning of EdenCollections.
7987 * heap/CodeBlockSet.h:
7988 (JSC::CodeBlockSet::iterate):
7989 * heap/Heap.cpp:
7990 (JSC::Heap::markRoots):
7991 (JSC::Heap::deleteAllCompiledCode):
7992 (JSC::Heap::deleteUnmarkedCompiledCode):
7993 * runtime/Executable.cpp:
7994 (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
7995 a) A CodeBlock is created and is compiled on a DFG worker thread.
7996 b) No GC happens.
7997 c) The CodeBlock has finished being compiled and is installed in the Executable.
7998 d) The function never executes before the next GC.
7999 e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
8000 it's added to the remembered set.
8001
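The situation in steps a) through e) of the entry above, played out on a toy generational heap as an added example (this is not JavaScriptCore code and not part of the ChangeLog). The model keeps the property that matters: during an Eden collection, old objects are assumed live and their fields are not rescanned unless the object is in the remembered set. Storing a young CodeBlock into an old Executable therefore needs a write barrier, or the CodeBlock is swept while the Executable still points at it. The names Executable and CodeBlock follow the entry; the heap class, its method names and the `executed` flag are simplifications chosen for the example.

```javascript
// Added example, not JavaScriptCore code: a toy generational heap that plays
// out steps (a)-(e) of the entry above. During an Eden collection, old objects
// count as live and their fields are not rescanned unless the object is in the
// remembered set, so a store of a young object into an old one needs a write
// barrier. This is a simplified model, not JSC's collector.
class ToyGenerationalHeap {
  constructor() {
    this.young = new Set();       // allocated since the last collection
    this.old = new Set();         // survived at least one collection
    this.remembered = new Set();  // old objects that may point at young ones
    this.roots = new Set();       // the root set (stack, handles, ...)
  }

  allocate(name) {
    const obj = { name, refs: new Set() };
    this.young.add(obj);
    return obj;
  }

  isLive(obj) {
    return this.young.has(obj) || this.old.has(obj);
  }

  // Store `to` into a field of `from`. With the barrier, an old object that
  // now points at a young one is added to the remembered set.
  store(from, to, { barrier }) {
    from.refs.add(to);
    if (barrier && this.old.has(from)) this.remembered.add(from);
  }

  // Mark transitively from `starts`, following an object's fields only when
  // `shouldScan(obj)` allows it.
  mark(starts, shouldScan) {
    const marked = new Set();
    const stack = [...starts];
    while (stack.length) {
      const obj = stack.pop();
      if (marked.has(obj)) continue;
      marked.add(obj);
      if (!shouldScan(obj)) continue;
      for (const child of obj.refs) stack.push(child);
    }
    return marked;
  }

  fullCollect() {
    const marked = this.mark(this.roots, () => true);
    for (const obj of [...this.old]) if (!marked.has(obj)) this.old.delete(obj);
    this.finishYoungGeneration(marked);
  }

  edenCollect() {
    // Old objects are live without being rescanned; only remembered old objects
    // (and young objects) have their fields followed.
    const starts = [...this.roots, ...this.remembered];
    const marked = this.mark(starts, (obj) => this.young.has(obj) || this.remembered.has(obj));
    this.finishYoungGeneration(marked);
  }

  // Free unmarked young objects, promote the survivors, reset the remembered set.
  finishYoungGeneration(marked) {
    for (const obj of [...this.young]) {
      this.young.delete(obj);
      if (marked.has(obj)) this.old.add(obj);
    }
    this.remembered.clear();
  }
}

// The sequence from the entry. `executed` models the function having run
// before the GC, which would make the CodeBlock reachable as a root anyway.
function installCodeScenario({ barrier, executed = false }) {
  const heap = new ToyGenerationalHeap();
  const executable = heap.allocate('Executable');
  heap.roots.add(executable);
  heap.fullCollect();                                // Executable is now old
  const codeBlock = heap.allocate('CodeBlock');      // (a) compiled on a worker thread
  // (b) no GC happens in between
  heap.store(executable, codeBlock, { barrier });    // (c) installCode
  if (executed) heap.roots.add(codeBlock);           // (d) normally it never runs
  heap.edenCollect();                                // (e) next GC is an Eden collection
  return {
    codeBlockSurvived: heap.isLive(codeBlock),
    danglingReference: executable.refs.has(codeBlock) && !heap.isLive(codeBlock),
  };
}
```

`installCodeScenario({ barrier: false })` leaves the Executable holding a reference to a swept CodeBlock; `installCodeScenario({ barrier: true })` keeps it alive because the Executable is rescanned from the remembered set. The `executed: true` variant shows why the missing barrier only bites when the function never runs before the next GC: a running CodeBlock is reached through the roots regardless.
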
80022014-04-02 Mark Lam <mark.lam@apple.com>
8003
8004 Added some more dataLog info for OSR exits.
8005 <https://webkit.org/b/131120>
8006
8007 Reviewed by Michael Saboff.
8008
8009 Adding info about the OSR exit index, the bytecode index of the bytecode
8010 that is OSR exiting, and the reason for the OSR exit. This change is
8011 for debugging code which only comes into play when we use the
8012 --printEachOSRExit option.
8013
8014 * dfg/DFGOSRExit.h:
8015 * dfg/DFGOSRExitCompiler32_64.cpp:
8016 (JSC::DFG::OSRExitCompiler::compileExit):
8017 * dfg/DFGOSRExitCompiler64.cpp:
8018 (JSC::DFG::OSRExitCompiler::compileExit):
8019 * dfg/DFGOperations.cpp:
8020
80212014-04-02 Martin Robinson <mrobinson@igalia.com>
8022
8023 REGRESSION(r165704): [GTK] Inspector resources not correctly generated
8024 https://bugs.webkit.org/show_bug.cgi?id=130343
8025
8026 Reviewed by Gustavo Noronha Silva.
8027
8028 * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
8029 in which it should be distributed. This allows us to more easily package it for GTK+.
8030
80312014-04-01 Timothy Hatcher <timothy@apple.com>
8032
8033 Remove HeapProfiler from the Web Inspector protocol.
8034
8035 https://bugs.webkit.org/show_bug.cgi?id=131070
8036
8037 Reviewed by Joseph Pecoraro.
8038
8039 * inspector/agents/InspectorConsoleAgent.h:
8040 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
8041 (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
8042 * inspector/agents/JSGlobalObjectConsoleAgent.h:
8043 * inspector/protocol/Console.json:
8044
80452014-03-31 Simon Fraser <simon.fraser@apple.com>
8046
8047 Enable WEB_TIMING on Mac and iOS
8048 https://bugs.webkit.org/show_bug.cgi?id=128064
8049
8050 Reviewed by Sam Weinig, Brent Fulgham.
8051
8052 Enable WEB_TIMING.
8053
8054 * Configurations/FeatureDefines.xcconfig:
8055
80562014-03-31 Michael Saboff <msaboff@apple.com>
8057
8058 REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
8059 https://bugs.webkit.org/show_bug.cgi?id=130992
8060
8061 Reviewed by Mark Hahnenberg.
8062
8063 Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.
8064
8065 * API/JSObjectRef.cpp:
8066 (JSObjectGetPrivate):
8067 (JSObjectSetPrivate):
8068 * API/tests/testapi.c:
8069 (main): Added new test case to validate we are properly forwarding.
8070
80712014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>
8072
8073 Improve GC_LOGGING
8074 https://bugs.webkit.org/show_bug.cgi?id=130988
8075
8076 Reviewed by Geoffrey Garen.
8077
8078 GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
8079 but it doesn't distinguish between Eden and Full collections in the data it gathers. This
8080 patch updates it so that it can. It also adds the process ID to the beginning of each line
8081 of input to be able to distinguish between the output of multiple processes exiting at the
8082 same time.
8083
8084 * heap/Heap.cpp:
8085 (JSC::Heap::collect):
8086
80872014-03-31 Dean Jackson <dino@apple.com>
8088
8089 Remove WEB_ANIMATIONS
8090 https://bugs.webkit.org/show_bug.cgi?id=130989
8091
8092 Reviewed by Simon Fraser.
8093
8094 Remove this feature flag until we plan to implement.
8095
8096 * Configurations/FeatureDefines.xcconfig:
8097
80982014-03-31 Filip Pizlo <fpizlo@apple.com>
8099
8100 More validation for FTL inline caches
8101 https://bugs.webkit.org/show_bug.cgi?id=130948
8102
8103 Reviewed by Geoffrey Garen.
8104
8105 * dfg/DFGByteCodeParser.cpp:
8106 (JSC::DFG::ByteCodeParser::handleGetById):
8107 (JSC::DFG::ByteCodeParser::handlePutById):
8108 * runtime/Options.h:
8109
81102014-03-31 Filip Pizlo <fpizlo@apple.com>
8111
8112 LLVM IR for store barriers should be nicely arranged and they don't need exception checks
8113 https://bugs.webkit.org/show_bug.cgi?id=130950
8114
8115 Reviewed by Mark Hahnenberg.
8116
8117 * ftl/FTLLowerDFGToLLVM.cpp:
8118 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
8119
81202014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
8121
8122 [CMake] Stop checking for WTF_USE_ICU_UNICODE.
8123 https://bugs.webkit.org/show_bug.cgi?id=130965
8124
8125 Reviewed by Martin Robinson.
8126
8127 This is somewhat of a follow-up to r162782, which got rid of
8128 WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
8129 CMakeLists.txt. This meant the includes and libraries were not
8130 being properly included since then.
8131
8132 * CMakeLists.txt:
8133
81342014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8135
8136 Remove hostThisRegister() and hostThisValue()
8137 https://bugs.webkit.org/show_bug.cgi?id=130895
8138
8139 Reviewed by Geoffrey Garen.
8140
8141 Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.
8142
8143 * API/APICallbackFunction.h:
8144 (JSC::APICallbackFunction::call):
8145 * API/JSCallbackObjectFunctions.h:
8146 (JSC::JSCallbackObject<Parent>::call):
8147 * dfg/DFGOSREntry.cpp:
8148 (JSC::DFG::prepareOSREntry):
8149 * inspector/JSInjectedScriptHostPrototype.cpp:
8150 (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
8151 (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionType):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hostThisRegister): Deleted.
        (JSC::ExecState::hostThisValue): Deleted.
        * runtime/Arguments.cpp:
        (JSC::argumentsFuncIterator):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::arrayProtoFuncValues):
        (JSC::arrayProtoFuncEntries):
        (JSC::arrayProtoFuncKeys):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/ConsolePrototype.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/NamePrototype.cpp:
        (JSC::privateNameProtoFuncToString):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncClz):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimLeft):
        (JSC::stringProtoFuncTrimRight):

2014-03-28 Filip Pizlo <fpizlo@apple.com>

        Land the stackmap register liveness glue with the uses of the liveness disabled
        https://bugs.webkit.org/show_bug.cgi?id=130924

        Reviewed by Oliver Hunt.

        Add the liveness and fix other bugs I found.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::argumentRegisters):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::locationSet):
        (JSC::FTL::StackMaps::Record::liveOutsSet):
        (JSC::FTL::StackMaps::Record::usedRegisterSet):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::registerClobberCheck):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::setAny):
        (JSC::RegisterSet::setMany):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-28 Mark Lam <mark.lam@apple.com>

        mandreel throws a checksum error on 32-bit x86.
        <https://webkit.org/b/125706>

        Reviewed by Filip Pizlo.

        The 32-bit DFG can emit code that loads double constants from its
        CodeBlock's m_constantRegisters vector. The emitted instruction will
        embed the address of the constant from the vector's backing store.
        Subsequently, while inserting new constants, the DFG may resize the
        vector, thereby reallocating the backing store. This renders the
        previously embedded constant addresses stale.

        The fix is to use a dedicated doubles constant pool stored in the DFG
        CommonData instead. This constant pool won't be reallocated, and
        hence will not manifest this issue.

        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
8379
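        Added illustration of the hazard the entry above describes; it is not JavaScriptCore code. It shows an address taken into a std::vector backing store going stale once the vector grows, beside a pool that never moves its entries (std::deque stands in for the dedicated DFG constant pool; StableDoubleConstantPool and the function names are this example's own).

```cpp
// Added example, not JavaScriptCore code. Models the bug class from the
// ChangeLog entry: a JIT bakes the address of a constant into generated
// code, the backing vector is later resized, and the baked address dangles.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <vector>

// Returns true if the first element's address survives growing the vector
// past its capacity. It never does: the new block is allocated while the
// old one is still alive, so the two addresses are necessarily different.
// Addresses are held as integers so no invalid pointer value is ever used.
bool vectorKeepsElementAddress(std::size_t initialCount)
{
    std::vector<double> constants(initialCount, 1.0);
    const std::uintptr_t embedded = reinterpret_cast<std::uintptr_t>(constants.data());
    const std::size_t capacityBefore = constants.capacity();
    // Keep appending until the vector is forced to reallocate (what the DFG
    // did by inserting constants after addresses had already been emitted).
    while (constants.capacity() == capacityBefore)
        constants.push_back(0.5);
    return reinterpret_cast<std::uintptr_t>(constants.data()) == embedded;
}

// Same check for std::deque: push_back never invalidates references to
// existing elements (guaranteed by the standard), so the address is stable.
bool dequeKeepsElementAddress(std::size_t initialCount, std::size_t extra)
{
    std::deque<double> pool(initialCount, 1.0);
    const double* embedded = &pool.front();
    for (std::size_t i = 0; i < extra; ++i)
        pool.push_back(static_cast<double>(i));
    return &pool.front() == embedded;
}

// Minimal stand-in (hypothetical, not JSC's) for a constant pool whose
// entries are appended and never moved, so an address handed out once stays
// valid for the lifetime of the pool.
class StableDoubleConstantPool {
public:
    const double* addressOf(double value)
    {
        for (const double& existing : m_doubles) {
            if (existing == value)
                return &existing;       // reuse an identical constant
        }
        m_doubles.push_back(value);
        return &m_doubles.back();
    }
    std::size_t size() const { return m_doubles.size(); }

private:
    std::deque<double> m_doubles;
};

// Simulates the JIT: embed one constant's address, insert many more
// constants afterwards (as happens during compilation), then load through
// the embedded address exactly as the generated code would.
double loadEmbeddedConstantAfterGrowth(std::size_t extraConstants)
{
    StableDoubleConstantPool pool;
    const double* baked = pool.addressOf(3.25);
    for (std::size_t i = 0; i < extraConstants; ++i)
        pool.addressOf(1000.0 + static_cast<double>(i));
    return *baked;                      // still 3.25 however much the pool grew
}
```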
2014-03-28 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: console.warn is showing as error instead of warning
        https://bugs.webkit.org/show_bug.cgi?id=130921

        Reviewed by Timothy Hatcher.

        * runtime/ConsolePrototype.cpp:
        (JSC::consoleProtoFuncWarn):
        console.warn should be MessageLevel Warning, not Error.

2014-03-28 Oliver Hunt <oliver@apple.com>

        Fix cloop build.

        * bytecode/BytecodeList.json:

2014-03-28 Michael Saboff <msaboff@apple.com>

        Unreviewed, rolling r166248 back in.

        Turns out r166070 didn't cause a 2% performance loss in page load times.

        Reverted changeset:

        Unreviewed, rolling out r166126.
        Rollout r166126 in preparation to roll out prerequisite r166070

2014-03-27 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r166376.
        https://bugs.webkit.org/show_bug.cgi?id=130887

        This was a misguided optimization. (Requested by kling on
        #webkit).

        Reverted changeset:

        "Avoid fetching JSObject::structure() repeatedly in
        putDirectInternal."
        https://bugs.webkit.org/show_bug.cgi?id=130857
        http://trac.webkit.org/changeset/166376

2014-03-27 Oliver Hunt <oliver@apple.com>

        Support spread operand in |new| expressions
        https://bugs.webkit.org/show_bug.cgi?id=130877

        Reviewed by Michael Saboff.

        Add support for the spread operator being applied in
        |new| expressions. This required adding support for
        a new opcode, op_construct_varargs. This is a relatively
        simple refactoring of the call_varargs implementation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27 Filip Pizlo <fpizlo@apple.com>

        Revert http://trac.webkit.org/changeset/166386 because it broke builds.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, skip this test for now.

        * tests/stress/recurse-infinitely-on-getter.js:

2014-03-27 Filip Pizlo <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27 Andreas Kling <akling@apple.com>

        Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
        <https://webkit.org/b/130857>

        Use the cached Structure* instead of re-fetching it over and over since
        that's a non-trivial operation these days.

        Reviewed by Mark Hahnenberg.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>

        Check the remembered set bit faster
        https://bugs.webkit.org/show_bug.cgi?id=130860

        Reviewed by Oliver Hunt.

        Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
        that bit is also stored in the object. We should look it up there whenever possible.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * heap/Heap.h:
        * heap/HeapInlines.h: Removed.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Provide SPI to disallow remote inspection of a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=130853

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h: Added.
        * API/JSContext.mm:
        (-[JSContext _remoteInspectionEnabled]):
        (-[JSContext _setRemoteInspectionEnabled:]):
        ObjC SPI to enable/disable remote inspection.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetRemoteInspectionEnabled):
        (JSGlobalContextSetRemoteInspectionEnabled):
        C SPI to enable/disable remote inspection.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new private header, and export as a private header.

2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>

        Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
        https://bugs.webkit.org/show_bug.cgi?id=130845

        Reviewed by Filip Pizlo.

        There was a hack added to make sure C Loop LLInt worked which included overriding the
        global Options::useLLInt setting, which makes no sense to do here. We should put the
        update of the global setting in Options::recomputeDependentOptions along with the other
        execution engine flags.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-26 Filip Pizlo <fpizlo@apple.com>

        Enable LLVM stackmap liveOuts computation
        https://bugs.webkit.org/show_bug.cgi?id=130821

        Reviewed by Andy Estes and Sam Weinig.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::dump):
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-26 Filip Pizlo <fpizlo@apple.com>

        Parse stackmaps liveOuts
        https://bugs.webkit.org/show_bug.cgi?id=130801

        Reviewed by Geoffrey Garen.

        This just adds the code to parse them but doesn't do anything with them, yet.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::LiveOut::parse):
        (JSC::FTL::StackMaps::LiveOut::dump):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        * ftl/FTLStackMaps.h:

2014-03-26 Mark Lam <mark.lam@apple.com>

        Build fix after r166307.

        Not reviewed.

        * runtime/JSCell.h:
        - The inline function isAPIValueWrapper() should not be exported. This
          was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26 Filip Pizlo <fpizlo@apple.com>

        Reasoning about DWARF register numbers should be moved out of FTL::Location
        https://bugs.webkit.org/show_bug.cgi?id=130792

        Reviewed by Oliver Hunt.

        Moving this code makes it possible for things other than FTL::Location to reason about
        DWARF register encoding. This refactoring also appears to reduce some code duplication
        and makes FTLLocation.cpp cleaner.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLDWARFRegister.cpp: Added.
        (JSC::FTL::DWARFRegister::reg):
        (JSC::FTL::DWARFRegister::dump):
        * ftl/FTLDWARFRegister.h: Added.
        (JSC::FTL::DWARFRegister::DWARFRegister):
        (JSC::FTL::DWARFRegister::dwarfRegNum):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::hasDwarfReg):
        (JSC::FTL::Location::dwarfReg):

2014-03-26 Brent Fulgham <bfulgham@apple.com>

        Unreviewed build fix.

        * runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26 Zoltan Horvath <zoltan@webkit.org>

        [CSS Shapes] Remove shape-inside support
        https://bugs.webkit.org/show_bug.cgi?id=130698

        Reviewed by David Hyatt.

        * Configurations/FeatureDefines.xcconfig:

2014-03-26 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

        Rename hasFastArrayStorage to be more appropriate
        https://bugs.webkit.org/show_bug.cgi?id=130773

        Reviewed by Filip Pizlo.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlines.h:
        (JSC::IndexingHeader::preCapacity):
        * runtime/IndexingType.h:
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasFastArrayStorage): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2014-03-26 Zan Dobersek <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25 Filip Pizlo <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.

        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.

        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variables would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25 Mark Hahnenberg <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25 Filip Pizlo <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25 Filip Pizlo <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25 Filip Pizlo <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.

        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.

        8x speed-up for getter microbenchmarks.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25 Michael Saboff <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in preparation to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25 Oliver Hunt <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24 Oliver Hunt <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25 Martin Robinson <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24 Filip Pizlo <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24 Geoffrey Garen <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.

2014-03-24 Oliver Hunt <oliver@apple.com>

        Strict mode destructuring assignment crashes the parser.
        https://bugs.webkit.org/show_bug.cgi?id=130538

        Reviewed by Michael Saboff.

        The SyntaxChecker mode always returns 1 for success, except
        for a small subset of functions where we needed exact information.
        This ends up just being a poor design decision as it means
        the parser can get confused between a function returning 1, and
        the Resolve constant which was also 1. So we now use a unique
        type for every creation method.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSourceElements):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createSpreadExpression):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-24 Brent Fulgham <bfulgham@apple.com>

        Activate WebVTT Tests Once Merging is Complete
        https://bugs.webkit.org/show_bug.cgi?id=130420

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24 Andreas Kling <akling@apple.com>

        Stop pulling in all the macro assemblers from VM.h
        <https://webkit.org/b/130691>

        Remove #include of "GPRInfo.h". This breaks WebCore's dependency
        on macro assemblers headers and removes 8 includes from every
        .cpp file in the JS bindings.

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-03-24 Gavin Barraclough <barraclough@apple.com>

        Add support for thread QoS
        https://bugs.webkit.org/show_bug.cgi?id=130688

        Reviewed by Andreas Kling.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):
        - block freeing is a utility activity.

2014-03-24 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24 Gabor Rapcsanyi <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453

        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23 Hyowon Kim <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim.

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23 Filip Pizlo <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.

        Previously, it was only in the case of inlining that we would do SetLocal's beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.

        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
9124 (JSC::FTL::compileStub): Make this do alignment correctly.
9125 * runtime/Options.h:
9126 * tests/stress/call-varargs-from-inlined-code.js: Added.
9127 * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
9128
91292014-03-22 Filip Pizlo <fpizlo@apple.com>
9130
9131 Unreviewed, adjust sizes for ARM64.
9132
9133 * ftl/FTLInlineCacheSize.cpp:
9134 (JSC::FTL::sizeOfCall):
9135
91362014-03-22 Filip Pizlo <fpizlo@apple.com>
9137
9138 Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant
9139 https://bugs.webkit.org/show_bug.cgi?id=130649
9140 <rdar://problem/16399949>
9141
9142 Reviewed by Andreas Kling.
9143
9144 * dfg/DFGSpeculativeJIT32_64.cpp:
9145 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
9146 * dfg/DFGSpeculativeJIT64.cpp:
9147 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
9148 * tests/stress/fuzz-bug-16399949.js: Added.
9149 (tryItOut.f):
9150 (tryItOut):
9151
91522014-03-22 Filip Pizlo <fpizlo@apple.com>
9153
9154 Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
9155 https://bugs.webkit.org/show_bug.cgi?id=130644
9156
9157 Reviewed by Andreas Kling.
9158
9159 This is conceptually a really simple change but it involves the following:
9160
9161 - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
9162
9163 - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
9164
9165 - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
9166 longer has a vector of slow path counts that shadows the CallLinkInfo vector.
9167
9168 - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
9169 and not all relinking.
9170
9171 This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
9172 the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
9173 with a op_call/op_construct instruction and a machine code return PC within such an
9174 instruction.
9175
9176 * bytecode/CallLinkInfo.h:
9177 (JSC::getCallLinkInfoCodeOrigin):
9178 * bytecode/CallLinkStatus.cpp:
9179 (JSC::CallLinkStatus::computeFor):
9180 (JSC::CallLinkStatus::computeDFGStatuses):
9181 * bytecode/CallLinkStatus.h:
9182 * bytecode/CodeBlock.cpp:
9183 (JSC::CodeBlock::printCallOp):
9184 (JSC::CodeBlock::dumpBytecode):
9185 (JSC::CodeBlock::finalizeUnconditionally):
9186 (JSC::CodeBlock::getCallLinkInfoMap):
9187 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
9188 (JSC::CodeBlock::addCallLinkInfo):
9189 (JSC::CodeBlock::unlinkCalls):
9190 * bytecode/CodeBlock.h:
9191 (JSC::CodeBlock::stubInfoBegin):
9192 (JSC::CodeBlock::stubInfoEnd):
9193 (JSC::CodeBlock::callLinkInfosBegin):
9194 (JSC::CodeBlock::callLinkInfosEnd):
9195 (JSC::CodeBlock::byValInfo):
9196 * dfg/DFGByteCodeParser.cpp:
9197 (JSC::DFG::ByteCodeParser::handleCall):
9198 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
9199 * dfg/DFGJITCode.h:
9200 * dfg/DFGJITCompiler.cpp:
9201 (JSC::DFG::JITCompiler::link):
9202 * dfg/DFGJITCompiler.h:
9203 (JSC::DFG::JITCompiler::addJSCall):
9204 (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
9205 * dfg/DFGOSRExitCompilerCommon.cpp:
9206 (JSC::DFG::reifyInlinedCallFrames):
9207 * dfg/DFGSpeculativeJIT.cpp:
9208 (JSC::DFG::SpeculativeJIT::compile):
9209 * dfg/DFGSpeculativeJIT.h:
9210 * dfg/DFGSpeculativeJIT32_64.cpp:
9211 (JSC::DFG::SpeculativeJIT::emitCall):
9212 * dfg/DFGSpeculativeJIT64.cpp:
9213 (JSC::DFG::SpeculativeJIT::emitCall):
9214 * ftl/FTLCompile.cpp:
9215 (JSC::FTL::fixFunctionBasedOnStackMaps):
9216 * ftl/FTLInlineCacheSize.cpp:
9217 (JSC::FTL::sizeOfCall):
9218 * ftl/FTLJSCall.cpp:
9219 (JSC::FTL::JSCall::JSCall):
9220 (JSC::FTL::JSCall::emit):
9221 (JSC::FTL::JSCall::link):
9222 * ftl/FTLJSCall.h:
9223 * jit/JIT.cpp:
9224 (JSC::JIT::privateCompileMainPass):
9225 (JSC::JIT::privateCompileSlowCases):
9226 (JSC::JIT::privateCompile):
9227 * jit/JIT.h:
9228 * jit/JITCall.cpp:
9229 (JSC::JIT::compileOpCall):
9230 (JSC::JIT::compileOpCallSlowCase):
9231 * jit/JITCall32_64.cpp:
9232 (JSC::JIT::compileOpCall):
9233 (JSC::JIT::compileOpCallSlowCase):
9234 * jit/JITOperations.cpp:
9235 * jit/JITOperations.h:
9236 (JSC::operationLinkFor):
9237 (JSC::operationVirtualFor):
9238 (JSC::operationLinkClosureCallFor):
9239 * jit/Repatch.cpp:
9240 (JSC::linkClosureCall):
9241 * jit/ThunkGenerators.cpp:
9242 (JSC::slowPathFor):
9243 (JSC::virtualForThunkGenerator):
9244 * tests/stress/eval-that-is-not-eval.js: Added.
9245
92462014-03-22 Filip Pizlo <fpizlo@apple.com>
9247
9248 Unreviewed, fix mispelled test name.
9249
9250 * tests/stress/constand-folding-osr-exit.js: Removed.
9251 * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
9252
92532014-03-22 Andreas Kling <akling@apple.com>
9254
9255 CREATE_DOM_WRAPPER doesn't need the ExecState.
9256 <https://webkit.org/b/130648>
9257
9258 Add a fast path from JSGlobalObject to the VM so we don't have
9259 to dance via the Heap.
9260
9261 Reviewed by Darin Adler.
9262
9263 * runtime/JSGlobalObject.cpp:
9264 (JSC::JSGlobalObject::JSGlobalObject):
9265 * runtime/JSGlobalObject.h:
9266 (JSC::JSGlobalObject::vm):
9267
92682014-03-22 Filip Pizlo <fpizlo@apple.com>
9269
9270 Unreviewed, fix FTL build.
9271
9272 * ftl/FTLJITFinalizer.cpp:
9273
92742014-03-22 Michael Saboff <msaboff@apple.com>
9275
9276 toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
9277 https://bugs.webkit.org/show_bug.cgi?id=130554
9278
9279 Reviewed by Geoffrey Garen.
9280
9281 Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
9282 Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
9283 happen in finishCreation() so that it will also happen for other derived classes including
9284 JSWorkerGlobalScopeBase.
9285
9286 * API/JSContextRef.cpp:
9287 (JSGlobalContextCreateInGroup):
9288 * jsc.cpp:
9289 (GlobalObject::create):
9290 * API/tests/testapi.c:
9291 (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
9292 the result from JSContextGetGlobalObject() as that will return the proxy.
9293 * runtime/JSGlobalObject.cpp:
9294 (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
9295 we now call setGlobalThis in finishCreation().
9296 * runtime/JSGlobalObject.h:
9297 (JSC::JSGlobalObject::finishCreation):
9298 (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
9299
93002014-03-22 Andreas Kling <akling@apple.com>
9301
9302 Fix debug build.
9303
9304 * bytecode/CodeBlock.cpp:
9305 * runtime/Executable.cpp:
9306
93072014-03-22 Andreas Kling <akling@apple.com>
9308
9309 Cut down on JSC profiler includes in WebCore & co.
9310 <https://webkit.org/b/130637>
9311
9312 Most of WebKit was pulling in JSC's profiler headers via VM.h.
9313
9314 Reviewed by Darin Adler.
9315
9316 * dfg/DFGDisassembler.cpp:
9317 * dfg/DFGDisassembler.h:
9318 * dfg/DFGJITFinalizer.cpp:
9319 * jsc.cpp:
9320 * runtime/VM.cpp:
9321 * runtime/VM.h:
9322
93232014-03-22 Landry Breuil <landry@openbsd.org>
9324
9325 Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
9326 https://bugs.webkit.org/show_bug.cgi?id=129965
9327
9328 Reviewed By Anders Carlsson.
9329
93302014-03-21 Mark Lam <mark.lam@apple.com>
9331
9332 Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
9333 <https://webkit.org/b/124508>
9334
9335 Reviewed by Oliver Hunt.
9336
9337 The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
9338 pointer from the BytecodeGenerator's m_localScopes vector, and then it
9339 calls emitPopScopes(). emitPopScopes() may do finally clause handling
9340 which will require the m_localScopes to be cloned so that it can change
9341 the local scopes for the finally block, and then restore it after
9342 handling the finally clause. These modifications of the m_localScopes
9343 vector will result in the LabelScope pointer in BreakNode::emitBytecode()
9344 becoming stale, thereby causing the crash.
9345
9346 The same issue applies to the ContinueNode as well.
9347
9348 The fix is to use the existing LabelScopePtr abstraction instead of raw
9349 LabelScope pointers. The LabelScopePtr is resilient to the underlying
9350 vector re-allocating its backing store.
9351
9352 I also changed the LabelScopePtr constructor that takes a LabelScopeStore
9353 to expect a reference to the owner store instead of a pointer because the
9354 owner store should never be a null pointer.
9355
9356 * bytecompiler/BytecodeGenerator.cpp:
9357 (JSC::BytecodeGenerator::newLabelScope):
9358 (JSC::BytecodeGenerator::breakTarget):
9359 (JSC::BytecodeGenerator::continueTarget):
9360 * bytecompiler/BytecodeGenerator.h:
9361 * bytecompiler/LabelScope.h:
9362 (JSC::LabelScopePtr::LabelScopePtr):
9363 (JSC::LabelScopePtr::operator bool):
9364 (JSC::LabelScopePtr::null):
9365 * bytecompiler/NodesCodegen.cpp:
9366 (JSC::ContinueNode::trivialTarget):
9367 (JSC::ContinueNode::emitBytecode):
9368 (JSC::BreakNode::trivialTarget):
9369 (JSC::BreakNode::emitBytecode):
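
The stale-pointer mechanism in the entry above, shown as an added example that is not JavaScriptCore code: `LabelScope`, `LabelScopeStore` and `LabelScopePtr` are constructed stand-ins with the same shape as the names on the page (a std::vector as the store, a store reference plus index as the handle), and `emitPopScopesWithFinally` is a hypothetical stand-in for the scope pop that grows the vector.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a label scope record kept in the generator's
// m_localScopes vector (not JSC's real LabelScope).
struct LabelScope {
    std::string name;
    int refCount = 0;
};

using LabelScopeStore = std::vector<LabelScope>;

// Hypothetical stand-in for JSC's LabelScopePtr: it holds a reference to the
// owning store (never null, hence a reference rather than a pointer) plus an
// index, and resolves the element on every access instead of caching &store[i].
class LabelScopePtr {
public:
    LabelScopePtr(LabelScopeStore& store, size_t index)
        : m_store(store), m_index(index) { }

    LabelScope& operator*() const { return m_store[m_index]; }
    LabelScope* operator->() const { return &m_store[m_index]; }

private:
    LabelScopeStore& m_store;
    size_t m_index;
};

// Stand-in for the step that bites BreakNode::emitBytecode: popping scopes
// may have to lay out a finally block, which grows the scope vector and can
// reallocate its backing store while the caller still refers to a scope.
static void emitPopScopesWithFinally(LabelScopeStore& store, size_t finallyDepth)
{
    for (size_t i = 0; i < finallyDepth; ++i)
        store.push_back({ "finally-" + std::to_string(i), 0 });
}

// True when the store's backing array moved during the pop: exactly the
// situation in which a LabelScope* cached before the pop now dangles.
bool rawPointerGoesStale()
{
    LabelScopeStore store;
    store.reserve(1);
    store.push_back({ "loop", 1 });
    const LabelScope* cached = &store[0];   // what the pre-fix code held on to
    emitPopScopesWithFinally(store, 64);    // exceeds capacity, forcing reallocation
    // Only the address is compared; the old block is never dereferenced.
    return cached != &store[0];
}

// True when an index-based handle still resolves to the same logical scope
// after the same growth: the post-fix representation.
bool handleSurvivesGrowth()
{
    LabelScopeStore store;
    store.reserve(1);
    store.push_back({ "loop", 1 });
    LabelScopePtr scope(store, 0);
    emitPopScopesWithFinally(store, 64);
    return scope->name == "loop" && &*scope == &store[0];
}

int main()
{
    std::printf("raw pointer stale after pop: %s\n", rawPointerGoesStale() ? "yes" : "no");
    std::printf("LabelScopePtr still valid:   %s\n", handleSurvivesGrowth() ? "yes" : "no");
    return 0;
}
```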

2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
        before. Some of the benchmarks are never running a single EdenCollection, which causes
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.

        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.

        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.

        Make AI do a better job of folding this.

        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531

        Reviewed by Geoffrey Garen.

        We removed a useful set of assertions for verifying that MarkedBlocks were
        in the state that we expected them to be in after clearing marks in the Heap.
        We should add these back to catch bugs earlier.

        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::VerifyMarkedOrRetired::operator()):
        (JSC::MarkedSpace::clearMarks):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Implement stackmap header version check and support new stackmap formats
        https://bugs.webkit.org/show_bug.cgi?id=130535
        <rdar://problem/16164284>

        Reviewed by Geoffrey Garen.

        Add the notion of versioning so that LLVMers can happily implement new stackmap formats
        without worrying about WebKit getting version-locked to LLVM. In the future, we will have
        to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
        to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
        happy to move backward in time to older versions of LLVM.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        * ftl/FTLStackMaps.h:

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Crash beneath operationTearOffActivation running this JS compression demo
        https://bugs.webkit.org/show_bug.cgi?id=130295
        <rdar://problem/16332337>

        Reviewed by Oliver Hunt.

        Make sure that we flush things as if we were at a terminal, if we are at a block with
        no forward edges. This fixes infinitely loopy code with captured variables.

        Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.

        Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
        it by itself. Now it's an artifact of CPS rethreading.

        Add a bunch of tests. All of them previously either crashed or returned bad output due
        to memory corruption.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::flushForReturn):
        (JSC::DFG::ByteCodeParser::flushIfTerminal):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * tests/stress/activation-test-loop.js: Added.
        (Inner.this.doStuff):
        (Inner):
        (foo.inner.isDone):
        (foo):
        * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (fuzz):
        (foo.f):
        (foo):
        * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):

2014-03-20  Oliver Hunt  <oliver@apple.com>

        Incorrect behavior when mutating a typed array during set.
        https://bugs.webkit.org/show_bug.cgi?id=130428

        Reviewed by Geoffrey Garen.

        This fixes a null dereference that occurs if a typed array
        is mutated during the set() operation. The patch gets rid
        of the "Quickly" version of setIndex that is assigning
        JSValues of unknown type, as the numeric conversion can trigger
        side effects that lead to neutering, and so we deref null.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
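
The ordering problem in the entry above, as an added example that is not JavaScriptCore code: `TypedArrayView` and `Value` are constructed stand-ins (not JSGenericTypedArrayView or JSValue), and `setIndexQuicklyPreFix` / `setIndexPostFix` are hypothetical names for the two orderings, with the pre-fix store replaced by a detector so the example never dereferences null.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// Constructed stand-in for a typed-array view: a length and a raw pointer
// into a buffer that script can neuter (detach) at any moment, after which
// the pointer is null.
struct TypedArrayView {
    std::vector<uint8_t> storage;   // the buffer's memory
    uint8_t* vector;                // null once neutered
    size_t length;

    explicit TypedArrayView(size_t n)
        : storage(n, 0), vector(storage.data()), length(n) { }

    void neuter() { vector = nullptr; length = 0; }
};

// Constructed stand-in for a JSValue of unknown type: converting it to a
// number may run arbitrary user code (a valueOf hook), and that code is
// allowed to neuter the very view being written to.
struct Value {
    std::function<int32_t(TypedArrayView&)> toInt32;
};

enum class Outcome { Stored, Rejected, WouldDerefNull };

// Pre-fix ordering of the "Quickly" setIndex: bounds and vector are read
// before the conversion and trusted afterwards. The final store is guarded
// by a detector so the example stays memory-safe; in the engine this is the
// null dereference the entry describes.
Outcome setIndexQuicklyPreFix(TypedArrayView& view, size_t index, const Value& value)
{
    if (index >= view.length)
        return Outcome::Rejected;
    uint8_t* slot = view.vector + index;   // cached before the conversion
    int32_t n = value.toInt32(view);       // may neuter the view
    if (!view.vector)
        return Outcome::WouldDerefNull;    // slot now points into a detached buffer
    *slot = static_cast<uint8_t>(n);
    return Outcome::Stored;
}

// Post-fix ordering: convert first, then re-validate everything the
// conversion could have changed before touching memory.
Outcome setIndexPostFix(TypedArrayView& view, size_t index, const Value& value)
{
    int32_t n = value.toInt32(view);       // all side effects happen here
    if (!view.vector || index >= view.length)
        return Outcome::Rejected;          // neutered or out of bounds: no store
    view.vector[index] = static_cast<uint8_t>(n);
    return Outcome::Stored;
}

// The two kinds of input the bug is about: a plain number, and a value whose
// numeric conversion neuters the target view as a side effect.
Value plainNumber(int32_t n)
{
    return Value { [n](TypedArrayView&) { return n; } };
}

Value neuteringNumber(int32_t n)
{
    return Value { [n](TypedArrayView& view) { view.neuter(); return n; } };
}

int main()
{
    TypedArrayView a(4), b(4);
    std::printf("pre-fix with neutering value:  %d (2 = would deref null)\n",
        static_cast<int>(setIndexQuicklyPreFix(a, 1, neuteringNumber(7))));
    std::printf("post-fix with neutering value: %d (1 = rejected)\n",
        static_cast<int>(setIndexPostFix(b, 1, neuteringNumber(7))));
    return 0;
}
```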

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Remove IdentifierTable typedef, isIdentifier()
        https://bugs.webkit.org/show_bug.cgi?id=130533

        Rubber stamped by Geoff Garen.

        Code should use AtomicStringTable, isAtomic() directly.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::className):
        * API/JSClassRef.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Merge AtomicString, Identifier
        https://bugs.webkit.org/show_bug.cgi?id=128624

        Reviewed by Geoff Garen.

        WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
        Identifier - that is one too many.

        Remove Identifier in favour of AtomicString. Identifier had two interesting
        mechanisms that we preserve.

        (1) JSC API VMs each get their own string table, switch the string table on
        API entry/exit.
        (2) JSC caches a pointer to the string table on the VM to avoid a thread
        specific access. Adds a new AtomicString::add method to support this.

        * API/JSAPIWrapperObject.mm:
        - updated includes.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - added IdentifierInlines.h.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        - updated includes.
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        - added, used via AtomicString::add to avoid thread-specific access.
        * runtime/ConsolePrototype.cpp:
        - updated includes.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        - added ASSERTS.
        (JSC::Identifier::add):
        - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/IdentifierInlines.h: Added.
        (JSC::Identifier::add):
        - moved from Identifier.h, use AtomicString::add.
        * runtime/JSCInlines.h:
        - added IdentifierInlines.h.
        * runtime/JSLock.h:
        - removed IdentifierTable.
        * runtime/PropertyNameArray.cpp:
        - updated includes.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        - ensure all single character strings are Atomic.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):
        - added, used via AtomicString::add to avoid thread-specific access.

2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] Fix assembler build issues and add cacheFlush support for Linux
        https://bugs.webkit.org/show_bug.cgi?id=130502

        Reviewed by Michael Saboff.

        Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
        because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
        Add cacheFlush support for Linux.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linuxPageFlush):
        (JSC::ARM64Assembler::cacheFlush):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=130494
        EmptyUnique strings are Identifiers/Atomic

        Reviewed by Geoff Garen.

        EmptyUnique strings should set the Identifier/Atomic flag.

        This fixes an unreproducible bug we believe exists in Identifier handling.
        Expected behaviour is that while Identifiers may reference EmptyUniques
        (StringImpls allocated as UIDs for PrivateNames), these are not created
        through the main Identifier constructor, the Identifier flag is not set
        on PrivateNames, and we should never lookup EmptyUnique strings in the
        IdentifierTable.

        Unfortunately that was happening. Some tables used to implement property
        access in the JIT hold StringImpl*s, and turn these back into Identifiers
        using the identifier constructor. Since the code generator will now plant
        by-id (cachable) accesses to PrivateNames we can end up passing an
        EmptyUnique to Identifier::add, potentially leading to PrivateNames being
        uniqued together (though hard to prove, since the hash codes are random).

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

        * dfg/DFGCommon.h:

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last
        FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
        be detected by an EdenCollection).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/EdenGCActivityCallback.cpp: Added.
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::lastGCLength):
        (JSC::EdenGCActivityCallback::deathRate):
        (JSC::EdenGCActivityCallback::gcTimeSlice):
        * heap/EdenGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/FullGCActivityCallback.cpp: Added.
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        (JSC::FullGCActivityCallback::deathRate):
        (JSC::FullGCActivityCallback::gcTimeSlice):
        * heap/FullGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createFullTimer):
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph):
        (JSC::Heap::didAbandon):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        * heap/HeapOperation.h:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * jsc.cpp:
        (functionFullGC):
        (functionEdenGC):
        * runtime/Options.h:

2014-03-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165926.
        https://bugs.webkit.org/show_bug.cgi?id=130488

        broke the iOS build (Requested by estes on #webkit).

        Reverted changeset:

        "GC timer should intelligently choose between EdenCollections
        and FullCollections"
        https://bugs.webkit.org/show_bug.cgi?id=128261
        http://trac.webkit.org/changeset/165926

2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last
        FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
        detected by an EdenCollection).

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::createFullTimer):
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=130134
9941
9942 Reviewed by Mark Hahnenberg.
9943
9944 * dfg/DFGFixupPhase.cpp:
9945 (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
9946 * dfg/DFGSpeculativeJIT32_64.cpp:
9947 (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
9948 (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
9949 * jit/JITInlineCacheGenerator.cpp:
9950 (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
9951 * jit/JITInlineCacheGenerator.h:
9952 * jit/Repatch.cpp:
9953 (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
9954
99552014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
9956
9957 Normalize some of the older JSC options
9958 https://bugs.webkit.org/show_bug.cgi?id=128753
9959
9960 Reviewed by Michael Saboff.
9961
9962 * runtime/Options.cpp:
9963 (JSC::Options::initialize):
9964
99652014-03-12 Mark Lam <mark.lam@apple.com>
9966
9967 Update type of local vars to match the type of String length.
9968 <https://webkit.org/b/130077>
9969
9970 Reviewed by Geoffrey Garen.
9971
9972 * runtime/JSStringJoiner.cpp:
9973 (JSC::JSStringJoiner::join):
9974
99752014-03-18 Filip Pizlo <fpizlo@apple.com>
9976
9977 Get rid of Flush in SSA
9978 https://bugs.webkit.org/show_bug.cgi?id=130440
9979
9980 Reviewed by Sam Weinig.
9981
9982 This is basically a red patch. We used to use backwards flow for determining what was
9983 flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
9984 accomplish anything. Keeping them around in SSA can only make things hard.
9985
9986 * CMakeLists.txt:
9987 * GNUmakefile.list.am:
9988 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9989 * JavaScriptCore.xcodeproj/project.pbxproj:
9990 * dfg/DFGBasicBlock.cpp:
9991 (JSC::DFG::BasicBlock::SSAData::SSAData):
9992 * dfg/DFGBasicBlock.h:
9993 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
9994 * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
9995 * dfg/DFGGraph.cpp:
9996 (JSC::DFG::Graph::dump):
9997 * dfg/DFGPlan.cpp:
9998 (JSC::DFG::Plan::compileInThreadImpl):
9999 * dfg/DFGSSAConversionPhase.cpp:
10000 (JSC::DFG::SSAConversionPhase::run):
10001 * ftl/FTLLowerDFGToLLVM.cpp:
10002 (JSC::FTL::LowerDFGToLLVM::compileNode):
10003
100042014-03-18 Filip Pizlo <fpizlo@apple.com>
10005
10006 Unreviewed, fix iOS production build.
10007
10008 * JavaScriptCore.xcodeproj/project.pbxproj:
10009
100102014-03-18 Michael Saboff <msaboff@apple.com>
10011
10012 Update RegExp Tracing code
10013 https://bugs.webkit.org/show_bug.cgi?id=130381
10014
10015 Reviewed by Andreas Kling.
10016
10017 Updated the regular expression tracing code for 8/16 bit JIT as
10018 well as match only entry points. Also added average string length
10019 metric.
10020
10021 * runtime/RegExp.cpp:
10022 (JSC::RegExp::RegExp):
10023 (JSC::RegExp::match):
10024 (JSC::RegExp::printTraceData):
10025 * runtime/RegExp.h:
10026 * runtime/VM.cpp:
10027 (JSC::VM::addRegExpToTrace):
10028 (JSC::VM::dumpRegExpTrace):
10029 * runtime/VM.h:
10030 * yarr/YarrJIT.h:
10031 (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
10032 (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
10033 (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
10034 (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
10035
100362014-03-17 Filip Pizlo <fpizlo@apple.com>
10037
10038 Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
10039 https://bugs.webkit.org/show_bug.cgi?id=130300
10040
10041 Reviewed by Mark Hahnenberg.
10042
10043 We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
10044 This makes the DFG aware of this.
10045
10046 Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
10047 the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
10048
10049 This also gives the DFG some abstractions for checking something is a cell or is other.
10050 This made this patch easier to write and also simplified a bunch of other stuff.
10051
10052 1% speed-up on Octane.
10053
10054 * assembler/AbstractMacroAssembler.h:
10055 (JSC::AbstractMacroAssembler::JumpList::JumpList):
10056 * bytecode/SpeculatedType.h:
10057 (JSC::isNotStringVarSpeculation):
10058 * dfg/DFGFixupPhase.cpp:
10059 (JSC::DFG::FixupPhase::fixupNode):
10060 * dfg/DFGNode.h:
10061 (JSC::DFG::Node::childFor):
10062 (JSC::DFG::Node::shouldSpeculateNotStringVar):
10063 * dfg/DFGSafeToExecute.h:
10064 (JSC::DFG::SafeToExecuteEdge::operator()):
10065 * dfg/DFGSpeculativeJIT.cpp:
10066 (JSC::DFG::SpeculativeJIT::compileIn):
10067 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
10068 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
10069 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
10070 (JSC::DFG::SpeculativeJIT::compileStrictEq):
10071 (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
10072 (JSC::DFG::SpeculativeJIT::compileStringEquality):
10073 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
10074 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
10075 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
10076 (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
10077 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
10078 (JSC::DFG::SpeculativeJIT::speculateString):
10079 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
10080 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
10081 (JSC::DFG::SpeculativeJIT::speculateNotCell):
10082 (JSC::DFG::SpeculativeJIT::speculateOther):
10083 (JSC::DFG::SpeculativeJIT::speculate):
10084 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
10085 (JSC::DFG::SpeculativeJIT::emitSwitchString):
10086 * dfg/DFGSpeculativeJIT.h:
10087 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
10088 (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
10089 (JSC::DFG::SpeculativeJIT::booleanResult):
10090 * dfg/DFGSpeculativeJIT32_64.cpp:
10091 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10092 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10093 (JSC::DFG::SpeculativeJIT::emitCall):
10094 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10095 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10096 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10097 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10098 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10099 (JSC::DFG::SpeculativeJIT::compile):
10100 (JSC::DFG::branchIsCell):
10101 (JSC::DFG::branchNotCell):
10102 (JSC::DFG::SpeculativeJIT::branchIsOther):
10103 (JSC::DFG::SpeculativeJIT::branchNotOther):
10104 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10105 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10106 (JSC::DFG::SpeculativeJIT::blessBoolean):
10107 * dfg/DFGSpeculativeJIT64.cpp:
10108 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10109 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10110 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10111 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10112 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10113 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10114 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10115 (JSC::DFG::SpeculativeJIT::compile):
10116 (JSC::DFG::SpeculativeJIT::writeBarrier):
10117 (JSC::DFG::SpeculativeJIT::branchIsCell):
10118 (JSC::DFG::SpeculativeJIT::branchNotCell):
10119 (JSC::DFG::SpeculativeJIT::branchIsOther):
10120 (JSC::DFG::SpeculativeJIT::branchNotOther):
10121 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10122 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10123 (JSC::DFG::SpeculativeJIT::blessBoolean):
10124 * dfg/DFGUseKind.cpp:
10125 (WTF::printInternal):
10126 * dfg/DFGUseKind.h:
10127 (JSC::DFG::typeFilterFor):
10128 * ftl/FTLCapabilities.cpp:
10129 (JSC::FTL::canCompile):
10130 * ftl/FTLLowerDFGToLLVM.cpp:
10131 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
10132 (JSC::FTL::LowerDFGToLLVM::lowString):
10133 (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
10134 (JSC::FTL::LowerDFGToLLVM::speculate):
10135 (JSC::FTL::LowerDFGToLLVM::speculateString):
10136 (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
10137 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
10138 * runtime/JSCJSValue.h:
10139 * tests/stress/string-ident-to-not-string-var-equality.js: Added.
10140 (foo):
10141 (bar):
10142 (test):
10143
101442014-03-18 Joseph Pecoraro <pecoraro@apple.com>
10145
10146 Add Copyright to framework.sb
10147 https://bugs.webkit.org/show_bug.cgi?id=130413
10148
10149 Reviewed by Timothy Hatcher.
10150
10151 Other sb files got the copyright. Follow suit.
10152
10153 * framework.sb:
10154
101552014-03-18 Matthew Mirman <mmirman@apple.com>
10156
10157 Removed extra parens from if statement in a preprocessor define.
10158 https://bugs.webkit.org/show_bug.cgi?id=130408
10159
10160 Reviewed by Filip Pizlo.
10161
10162 * parser/Parser.cpp:
10163
101642014-03-18 Filip Pizlo <fpizlo@apple.com>
10165
10166 More FTL enabling.
10167
10168 Rubber stamped by Dan Bernstein and Mark Hahnenberg.
10169
10170 * Configurations/FeatureDefines.xcconfig:
10171 * ftl/FTLCompile.cpp:
10172 (JSC::FTL::compile):
10173
101742014-03-17 Michael Saboff <msaboff@apple.com>
10175
10176 V8 regexp spends most of its time in operationGetById
10177 https://bugs.webkit.org/show_bug.cgi?id=130380
10178
10179 Reviewed by Filip Pizlo.
10180
10181 Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
10182 When V8 regexp is run from the command line, this nets a 2% performance improvement.
10183 When the test is run for a longer amount of time, there is much less benefit as the
10184 DFG will emit the appropriate code for String.length. This does remove
10185 operationGetById as the hottest function when run from the command line.
10186
10187 * jit/Repatch.cpp:
10188 (JSC::tryCacheGetByID):
10189
101902014-03-17 Andreas Kling <akling@apple.com>
10191
10192 Add one-deep cache to opaque roots hashset.
10193 <https://webkit.org/b/130357>
10194
10195 The vast majority of WebCore JS wrappers will have their Document*
10196 as the root(). This change adds a simple optimization where we cache
10197 the last lookup and avoid going to the hashset for repeated queries.
10198
10199 Looks like 0.4% progression on DYEB on my MBP.
10200
10201 Reviewed by Mark Hahnenberg.
10202
10203 * JavaScriptCore.xcodeproj/project.pbxproj:
10204 * heap/OpaqueRootSet.h: Added.
10205 (JSC::OpaqueRootSet::OpaqueRootSet):
10206 (JSC::OpaqueRootSet::contains):
10207 (JSC::OpaqueRootSet::isEmpty):
10208 (JSC::OpaqueRootSet::clear):
10209 (JSC::OpaqueRootSet::add):
10210 (JSC::OpaqueRootSet::size):
10211 (JSC::OpaqueRootSet::begin):
10212 (JSC::OpaqueRootSet::end):
10213 * heap/SlotVisitor.h:
10214
102152014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
10216
10217 Implement Math.hypot
10218 https://bugs.webkit.org/show_bug.cgi?id=129486
10219
10220 Reviewed by Darin Adler.
10221
10222 * runtime/MathObject.cpp:
10223 (JSC::MathObject::finishCreation):
10224 (JSC::mathProtoFuncHypot):
10225
102262014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>
10227
10228 Fix the !ENABLE(PROMISES) build
10229 https://bugs.webkit.org/show_bug.cgi?id=130328
10230
10231 Reviewed by Darin Adler.
10232
10233 Add missing ENABLE(PROMISES) guards.
10234
10235 * runtime/JSGlobalObject.cpp:
10236 (JSC::JSGlobalObject::reset):
10237 (JSC::JSGlobalObject::visitChildren):
10238 * runtime/JSGlobalObject.h:
10239 * runtime/JSPromiseDeferred.cpp:
10240 * runtime/JSPromiseDeferred.h:
10241 * runtime/JSPromiseReaction.cpp:
10242 * runtime/JSPromiseReaction.h:
10243 * runtime/VM.cpp:
10244 (JSC::VM::VM):
10245 * runtime/VM.h:
10246
102472014-03-16 Andreas Kling <akling@apple.com>
10248
10249 REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
10250 <https://webkit.org/b/130304>
10251
10252 Reviewed by Anders Carlsson.
10253
10254 Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
10255 that doesn't put a potentially unwanted string into the Identifier table.
10256
10257 * API/OpaqueJSString.cpp:
10258 (OpaqueJSString::identifier):
10259
102602014-03-16 Brian Burg <bburg@apple.com>
10261
10262 Web Inspector: generated backend commands should reflect build system ENABLE settings
10263 https://bugs.webkit.org/show_bug.cgi?id=130111
10264
10265 Reviewed by Timothy Hatcher.
10266
10267 * CMakeLists.txt:
10268
10269 Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
10270 instead of globbing any .json file.
10271
10272 * DerivedSources.make:
10273
10274 Force the combined inspector protocol file to be regenerated if
10275 the content or list of domains itself changes.
10276
102772014-03-16 Brian Burg <bburg@apple.com>
10278
10279 Web Inspector: vended backend commands file should be generated as part of the build
10280 https://bugs.webkit.org/show_bug.cgi?id=130110
10281
10282 Reviewed by Timothy Hatcher.
10283
10284 * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
10285 private headers directory.
10286
102872014-03-16 Darin Adler <darin@apple.com>
10288
10289 Remove all uses of deprecatedCharacters from JavaScriptCore
10290 https://bugs.webkit.org/show_bug.cgi?id=130304
10291
10292 Reviewed by Anders Carlsson.
10293
10294 * API/JSValueRef.cpp:
10295 (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
10296 * API/OpaqueJSString.cpp:
10297 (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
10298 (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
10299 just use the standard one that takes a String.
10300 (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
10301 hand-written alternative.
10302
10303 * bindings/ScriptValue.cpp:
10304 (Deprecated::jsToInspectorValue): Create InspectorString from String directly
10305 instead of involving a character pointer. Use the String from Identifier
10306 directly instead of making a new String.
10307
10308 * inspector/ContentSearchUtilities.cpp:
10309 (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
10310 instead of building a String a character at a time. This is still a very slow
10311 way to do this. Also use strchr to search for a character instead of building
10312 a String every time just to use find on it.
10313
10314 * inspector/InspectorValues.cpp:
10315 (Inspector::doubleQuoteString): Remove unnecessary trip through a
10316 character pointer. This is still a really slow way to do this.
10317 (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
10318 instead of String::deprecatedCharacters. Still slow to always upconvert.
10319
10320 * runtime/DateConstructor.cpp: Removed unneeded include.
10321 * runtime/DatePrototype.cpp: Ditto.
10322
10323 * runtime/Identifier.h: Removed deprecatedCharacters function.
10324
10325 * runtime/JSGlobalObjectFunctions.cpp:
10326 (JSC::encode): Added a type cast to avoid ambiguity with the two character-
10327 appending functions from JSStringBuilder. Removed unneeded code duplicating
10328 what JSStringBuilder already does in its character append function.
10329 (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
10330 (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
10331 is used outside this file have external linkage. Added a new overload that takes
10332 a StringView.
10333 (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
10334 (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
10335 single character.
10336
10337 * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
10338
10339 * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
10340 (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
10341 Made one overload private. Fixed a performance bug where we would reserve capacity
10342 in the 8-bit buffer but then append to the 16-bit buffer.
10343
10344 * runtime/ObjectPrototype.cpp: Removed unneeded include.
10345
10346 * runtime/StringPrototype.cpp:
10347 (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
10348 (JSC::stringProtoFuncLink): Ditto.
10349
103502014-03-15 Filip Pizlo <fpizlo@apple.com>
10351
10352 FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
10353 https://bugs.webkit.org/show_bug.cgi?id=130296
10354
10355 Reviewed by Andreas Kling.
10356
10357 During the 32-bit structure ID work, the second load of the structure was removed.
10358 That's wrong. The whole point of loading the structure ID again is that the structure
10359 ID would have been changed by the arrayification call, and we're verifying that the
10360 arrayification succeeded in changing the structure. If we check the old structure - as
10361 the code was doing after the 32-bit structure ID work - then this check is guaranteed
10362 to fail, causing a significant performance regression.
10363
10364 It's actually amazing that the regression wasn't bigger. The reason is that if FTL
10365 code pathologically exits but the equivalent DFG code doesn't, then the exponential
10366 backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
10367 the time at least, the DFG wasn't much slower so this didn't cause too much pain.
10368
10369 * ftl/FTLLowerDFGToLLVM.cpp:
10370 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
10371
103722014-03-15 Filip Pizlo <fpizlo@apple.com>
10373
10374 FTL should support CheckHasInstance/InstanceOf
10375 https://bugs.webkit.org/show_bug.cgi?id=130285
10376
10377 Reviewed by Sam Weinig.
10378
10379 Fairly straightforward; I also discovered an inaccurate FIXME in the process.
10380
10381 * dfg/DFGFixupPhase.cpp:
10382 (JSC::DFG::FixupPhase::fixupNode):
10383 * ftl/FTLAbstractHeapRepository.h:
10384 * ftl/FTLCapabilities.cpp:
10385 (JSC::FTL::canCompile):
10386 * ftl/FTLLowerDFGToLLVM.cpp:
10387 (JSC::FTL::LowerDFGToLLVM::compileNode):
10388 (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
10389 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
10390 * ftl/FTLOutput.h:
10391 (JSC::FTL::Output::phi):
10392 * tests/stress/instanceof.js: Added.
10393 * tests/stress/instanceof-not-cell.js: Added.
10394
103952014-03-15 Michael Saboff <msaboff@apple.com>
10396
10397 It should be possible to adjust DFG and FTL compiler thread priorities
10398 https://bugs.webkit.org/show_bug.cgi?id=130288
10399
10400 Reviewed by Filip Pizlo.
10401
10402 Added ability to change thread priorities relative to its current priority.
10403 Created options to adjust the priority of the DFG and FTL compilation work thread
10404 pools. For two core systems, there might be three runnable threads, the main thread,
10405 the DFG compilation thread and the FTL compilation thread. With the same priority,
10406 the scheduler is free to schedule whatever thread it wants. By lowering the
10407 compilation threads, the main thread can run. Further tests may suggest better values
10408 for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
10409
10410 For a two-core device, this change has a net positive improvement of 1-3% across
10411 SunSpider, Octane, Kraken and AsmBench.
10412
10413 * dfg/DFGWorklist.cpp:
10414 (JSC::DFG::Worklist::finishCreation):
10415 (JSC::DFG::Worklist::create):
10416 (JSC::DFG::ensureGlobalDFGWorklist):
10417 (JSC::DFG::ensureGlobalFTLWorklist):
10418 * dfg/DFGWorklist.h:
10419 * runtime/Options.cpp:
10420 (JSC::computePriorityDeltaOfWorkerThreads):
10421 * runtime/Options.h:
10422
104232014-03-15 David Kilzer <ddkilzer@apple.com>
10424
10425 [iOS] Define SYSTEM_VERSION_PREFIX consistently
10426 <http://webkit.org/b/130293>
10427 <rdar://problem/15926359>
10428
10429 Reviewed by Dan Bernstein.
10430
10431 * Configurations/Version.xcconfig:
10432 (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
10433 Source/WebKit/mac/Version.xcconfig.
10434
104352014-03-15 David Kilzer <ddkilzer@apple.com>
10436
10437 Fix build: using integer absolute value function 'abs' when argument is of floating point type
10438 <http://webkit.org/b/130286>
10439
10440 Reviewed by Filip Pizlo.
10441
10442 Fixes the following build failure using trunk clang:
10443
10444 JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
10445 value = abs(value);
10446 ^
10447 JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
10448 value = abs(value);
10449 ^~~
10450 fabs
10451
10452 * assembler/MacroAssembler.h:
10453 (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
10454 fabs().
10455
104562014-03-14 Oliver Hunt <oliver@apple.com>
10457
10458 Reinstate initialiser syntax in for-in loops
10459 https://bugs.webkit.org/show_bug.cgi?id=130269
10460
10461 Reviewed by Michael Saboff.
10462
10463 Disallowing the initialiser broke some sites so this patch re-allows
10464 the syntax. We still disallow the syntax in 'of' and pattern based
10465 enumeration.
10466
10467 * parser/ASTBuilder.h:
10468 (JSC::ASTBuilder::isBindingNode):
10469 * parser/Parser.cpp:
10470 (JSC::Parser<LexerType>::parseVarDeclarationList):
10471 (JSC::Parser<LexerType>::parseForStatement):
10472 * parser/SyntaxChecker.h:
10473 (JSC::SyntaxChecker::operatorStackPop):
10474
104752014-03-14 Mark Lam <mark.lam@apple.com>
10476
10477 Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
10478 <https://webkit.org/b/130279>
10479
10480 Reviewed by Filip Pizlo.
10481
10482 If neither the getter nor setter are defined, accessing __lookupGetter__
10483 and __lookupSetter__ will return undefined as expected. However, if the
10484 getter is defined but the setter is not, accessing __lookupSetter__ will
10485 crash the VM. Similarly, accessing __lookupGetter__ when only the setter
10486 is defined will crash the VM.
10487
10488 The reason is because objectProtoFuncLookupGetter() and
10489 objectProtoFuncLookupSetter() did not check if the getter and setter
10490 value is non-null before returning it as an EncodedJSValue. The fix is
10491 to add the appropriate null checks.
10492
10493 * runtime/ObjectPrototype.cpp:
10494 (JSC::objectProtoFuncLookupGetter):
10495 (JSC::objectProtoFuncLookupSetter):
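
 The four accessor combinations described above, exercised as an added example (not JavaScriptCore's own code or test): an object with only a getter, only a setter, both, or neither, plus an accessor inherited through the prototype chain, which __lookupGetter__ and __lookupSetter__ also walk. Object names and property names are constructed for the example.

```javascript
"use strict";

// Constructed sample objects, one per case from the entry above.
function objectWithGetterOnly() {
  const o = {};
  Object.defineProperty(o, "x", { get() { return 1; }, configurable: true });
  return o;
}

function objectWithSetterOnly() {
  const o = {};
  Object.defineProperty(o, "x", { set(v) { this._x = v; }, configurable: true });
  return o;
}

function objectWithBoth() {
  const o = {};
  Object.defineProperty(o, "x", {
    get() { return 2; },
    set(v) { this._x = v; },
    configurable: true,
  });
  return o;
}

function objectWithNeither() {
  // Plain data property, not an accessor: both lookups must yield undefined.
  return { x: 3 };
}

// Accessor defined on the prototype, looked up through a child object.
function objectInheritingGetter() {
  return Object.create(objectWithGetterOnly());
}

// Report typeof for each lookup so a harness can assert on the result
// without caring about function identity. The defined accessor is
// reported as "function", a missing one as "undefined"; the lookups
// must never throw or crash for any combination.
function lookupAccessors(o, name) {
  return {
    getter: typeof o.__lookupGetter__(name),
    setter: typeof o.__lookupSetter__(name),
  };
}

// Walk every case and return the table of results.
function allCases() {
  return {
    getterOnly: lookupAccessors(objectWithGetterOnly(), "x"),
    setterOnly: lookupAccessors(objectWithSetterOnly(), "x"),
    both: lookupAccessors(objectWithBoth(), "x"),
    neither: lookupAccessors(objectWithNeither(), "x"),
    inherited: lookupAccessors(objectInheritingGetter(), "x"),
    absent: lookupAccessors({}, "doesNotExist"),
  };
}
```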
10496
104972014-03-14 Mark Rowe <mrowe@apple.com>
10498
10499 Fix the production build.
10500
10501 Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
10502 be at the expected relative path when working from installed source.
10503
10504 * Configurations/Base.xcconfig:
10505
105062014-03-14 Maciej Stachowiak <mjs@apple.com>
10507
10508 Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
10509 https://bugs.webkit.org/show_bug.cgi?id=130276
10510 <rdar://problem/16266927>
10511
10512 Reviewed by Simon Fraser.
10513
10514 * API/APICast.h:
10515 * API/JSBase.cpp:
10516 * API/JSBase.h:
10517 * API/JSBasePrivate.h:
10518 * API/JSCallbackConstructor.cpp:
10519 * API/JSCallbackConstructor.h:
10520 * API/JSCallbackFunction.cpp:
10521 * API/JSCallbackFunction.h:
10522 * API/JSCallbackObject.cpp:
10523 * API/JSCallbackObject.h:
10524 * API/JSCallbackObjectFunctions.h:
10525 * API/JSClassRef.cpp:
10526 * API/JSClassRef.h:
10527 * API/JSContextRef.cpp:
10528 * API/JSContextRef.h:
10529 * API/JSContextRefPrivate.h:
10530 * API/JSObjectRef.cpp:
10531 * API/JSObjectRef.h:
10532 * API/JSProfilerPrivate.cpp:
10533 * API/JSProfilerPrivate.h:
10534 * API/JSRetainPtr.h:
10535 * API/JSStringRef.cpp:
10536 * API/JSStringRef.h:
10537 * API/JSStringRefBSTR.cpp:
10538 * API/JSStringRefBSTR.h:
10539 * API/JSStringRefCF.cpp:
10540 * API/JSStringRefCF.h:
10541 * API/JSValueRef.cpp:
10542 * API/JSValueRef.h:
10543 * API/JavaScript.h:
10544 * API/JavaScriptCore.h:
10545 * API/OpaqueJSString.cpp:
10546 * API/OpaqueJSString.h:
10547 * API/tests/JSNode.c:
10548 * API/tests/JSNode.h:
10549 * API/tests/JSNodeList.c:
10550 * API/tests/JSNodeList.h:
10551 * API/tests/Node.c:
10552 * API/tests/Node.h:
10553 * API/tests/NodeList.c:
10554 * API/tests/NodeList.h:
10555 * API/tests/minidom.c:
10556 * API/tests/minidom.js:
10557 * API/tests/testapi.c:
10558 * API/tests/testapi.js:
10559 * DerivedSources.make:
10560 * bindings/ScriptValue.cpp:
10561 * bytecode/CodeBlock.cpp:
10562 * bytecode/CodeBlock.h:
10563 * bytecode/EvalCodeCache.h:
10564 * bytecode/Instruction.h:
10565 * bytecode/JumpTable.cpp:
10566 * bytecode/JumpTable.h:
10567 * bytecode/Opcode.cpp:
10568 * bytecode/Opcode.h:
10569 * bytecode/SamplingTool.cpp:
10570 * bytecode/SamplingTool.h:
10571 * bytecode/SpeculatedType.cpp:
10572 * bytecode/SpeculatedType.h:
10573 * bytecode/ValueProfile.h:
10574 * bytecompiler/BytecodeGenerator.cpp:
10575 * bytecompiler/BytecodeGenerator.h:
10576 * bytecompiler/Label.h:
10577 * bytecompiler/LabelScope.h:
10578 * bytecompiler/RegisterID.h:
10579 * debugger/DebuggerCallFrame.cpp:
10580 * debugger/DebuggerCallFrame.h:
10581 * dfg/DFGDesiredStructureChains.cpp:
10582 * dfg/DFGDesiredStructureChains.h:
10583 * heap/GCActivityCallback.cpp:
10584 * heap/GCActivityCallback.h:
10585 * inspector/ConsoleMessage.cpp:
10586 * inspector/ConsoleMessage.h:
10587 * inspector/IdentifiersFactory.cpp:
10588 * inspector/IdentifiersFactory.h:
10589 * inspector/InjectedScriptManager.cpp:
10590 * inspector/InjectedScriptManager.h:
10591 * inspector/InjectedScriptSource.js:
10592 * inspector/ScriptBreakpoint.h:
10593 * inspector/ScriptDebugListener.h:
10594 * inspector/ScriptDebugServer.cpp:
10595 * inspector/ScriptDebugServer.h:
10596 * inspector/agents/InspectorAgent.cpp:
10597 * inspector/agents/InspectorAgent.h:
10598 * inspector/agents/InspectorDebuggerAgent.cpp:
10599 * inspector/agents/InspectorDebuggerAgent.h:
10600 * interpreter/Interpreter.cpp:
10601 * interpreter/Interpreter.h:
10602 * interpreter/JSStack.cpp:
10603 * interpreter/JSStack.h:
10604 * interpreter/Register.h:
10605 * jit/CompactJITCodeMap.h:
10606 * jit/JITStubs.cpp:
10607 * jit/JITStubs.h:
10608 * jit/JITStubsARM.h:
10609 * jit/JITStubsARMv7.h:
10610 * jit/JITStubsX86.h:
10611 * jit/JITStubsX86_64.h:
10612 * os-win32/stdbool.h:
10613 * parser/SourceCode.h:
10614 * parser/SourceProvider.h:
10615 * profiler/LegacyProfiler.cpp:
10616 * profiler/LegacyProfiler.h:
10617 * profiler/ProfileNode.cpp:
10618 * profiler/ProfileNode.h:
10619 * runtime/ArrayBufferView.cpp:
10620 * runtime/ArrayBufferView.h:
10621 * runtime/BatchedTransitionOptimizer.h:
10622 * runtime/CallData.h:
10623 * runtime/ConstructData.h:
10624 * runtime/DumpContext.cpp:
10625 * runtime/DumpContext.h:
10626 * runtime/ExceptionHelpers.cpp:
10627 * runtime/ExceptionHelpers.h:
10628 * runtime/InitializeThreading.cpp:
10629 * runtime/InitializeThreading.h:
10630 * runtime/IntegralTypedArrayBase.h:
10631 * runtime/IntendedStructureChain.cpp:
10632 * runtime/IntendedStructureChain.h:
10633 * runtime/JSActivation.cpp:
10634 * runtime/JSActivation.h:
10635 * runtime/JSExportMacros.h:
10636 * runtime/JSGlobalObject.cpp:
10637 * runtime/JSNotAnObject.cpp:
10638 * runtime/JSNotAnObject.h:
10639 * runtime/JSPropertyNameIterator.cpp:
10640 * runtime/JSPropertyNameIterator.h:
10641 * runtime/JSSegmentedVariableObject.cpp:
10642 * runtime/JSSegmentedVariableObject.h:
10643 * runtime/JSSymbolTableObject.cpp:
10644 * runtime/JSSymbolTableObject.h:
10645 * runtime/JSTypeInfo.h:
10646 * runtime/JSVariableObject.cpp:
10647 * runtime/JSVariableObject.h:
10648 * runtime/PropertyTable.cpp:
10649 * runtime/PutPropertySlot.h:
10650 * runtime/SamplingCounter.cpp:
10651 * runtime/SamplingCounter.h:
10652 * runtime/Structure.cpp:
10653 * runtime/Structure.h:
10654 * runtime/StructureChain.cpp:
10655 * runtime/StructureChain.h:
10656 * runtime/StructureInlines.h:
10657 * runtime/StructureTransitionTable.h:
10658 * runtime/SymbolTable.cpp:
10659 * runtime/SymbolTable.h:
10660 * runtime/TypedArrayBase.h:
10661 * runtime/TypedArrayType.cpp:
10662 * runtime/TypedArrayType.h:
10663 * runtime/VM.cpp:
10664 * runtime/VM.h:
10665 * yarr/RegularExpression.cpp:
10666 * yarr/RegularExpression.h:
10667
106682014-03-14 Filip Pizlo <fpizlo@apple.com>
10669
10670 Final FTL iOS build magic
10671 https://bugs.webkit.org/show_bug.cgi?id=130281
10672
10673 Reviewed by Michael Saboff.
10674
10675 * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
10676 * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
10677
2014-03-14 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Gracefully handle nil name -[JSContext setName:]
        https://bugs.webkit.org/show_bug.cgi?id=130262

        Reviewed by Mark Hahnenberg.

        * API/JSContext.mm:
        (-[JSContext setName:]):
        Gracefully handle nil input.

        * API/tests/testapi.c:
        (globalContextNameTest):
        * API/tests/testapi.mm:
        Test for nil / NULL names in the ObjC and C APIs.

2014-03-11 Oliver Hunt <oliver@apple.com>

        Improve dom error messages
        https://bugs.webkit.org/show_bug.cgi?id=130103

        Reviewed by Andreas Kling.

        Add new helper function.

        * runtime/Error.h:
        (JSC::throwVMTypeError):

2014-03-14 László Langó <llango.u-szeged@partner.samsung.com>

        Remove unused method declaration.
        https://bugs.webkit.org/show_bug.cgi?id=130238

        Reviewed by Filip Pizlo.

        The implementation of CallFrame::dumpCaller was removed in
        http://trac.webkit.org/changeset/153183, but the declaration of it was not.

        * interpreter/CallFrame.h:
        Remove CallFrame::dumpCaller() method declaration.

2014-03-12 Sergio Villar Senin <svillar@igalia.com>

        Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
        https://bugs.webkit.org/show_bug.cgi?id=129612

        Reviewed by Darin Adler.

        For new code use static NeverDestroyed<T> instead.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2014-03-12 Gavin Barraclough <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-13 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix Mac no-FTL build.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-13 Juergen Ributzka <juergen@apple.com>

        Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
        https://bugs.webkit.org/show_bug.cgi?id=130224

        Reviewed by Filip Pizlo.

        This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
        the LLVM dylib. This allows the dylib to be safely used with other LLVM
        dylibs on the same system. It also reduces the dynamic linking overhead
        and also reduces the size by 6MB, because the linker can now dead strip
        many unused functions.

        * Configurations/LLVMForJSC.xcconfig:

2014-03-13 Andreas Kling <akling@apple.com>

        VM::discardAllCode() should clear the RegExp cache.
        <https://webkit.org/b/130144>

        Reviewed by Michael Saboff.

        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-13 Andreas Kling <akling@apple.com>

        Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
        <https://webkit.org/b/129995>

        This code path is not taken anymore on DYEB, and I can't explain why
        it was showing up in my profiles. Backing it out per JoePeck's suggestion.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-13 Filip Pizlo <fpizlo@apple.com>

        FTL should support IsBlah
        https://bugs.webkit.org/show_bug.cgi?id=130202

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
        (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
        (JSC::FTL::LowerDFGToLLVM::compileIsString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::isNumber):
        (JSC::FTL::LowerDFGToLLVM::isNotNumber):
        (JSC::FTL::LowerDFGToLLVM::isBoolean):
        * ftl/FTLOSRExitCompiler.cpp:
        * tests/stress/is-undefined-exit-on-masquerader.js: Added.
        (bar):
        (foo):
        (test):
        * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
        (foo):
        (test):
        * tests/stress/is-undefined-masquerader.js: Added.
        (foo):
        (test):

2014-03-13 Mark Lam <mark.lam@apple.com>

        JS benchmarks crash with a bus error on 32-bit x86.
        <https://webkit.org/b/130203>

        Reviewed by Geoffrey Garen.

        The issue is that generateGetByIdStub() can potentially use the same register
        for the JSValue base register and the target tag register. After loading the
        tag value into the target tag register, the JSValue base address is lost.
        The code then proceeds to load the payload value using the base register, and
        this results in a crash.

        The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy of the base register first before loading the tag
        value, and use the copy to load the payload value instead.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-12 Filip Pizlo <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.

        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13 Radu Stavila <stavila@adobe.com>

        WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10 Darin Adler <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.

2014-03-13 Brian Burg <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11 Filip Pizlo <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.

        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the property of CPS that this assertion is checking for.

        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.

        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.

        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12 Brian Burg <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the Windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized.

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case which was causing ASSERTs to fire. We should rearrange things
        so that allocators are notified with lastChanceToFinalize. This will give them
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12 Gavin Barraclough <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.
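
The two "Reduce memory use for static property maps" entries above describe the scheme only at the level of file changes; the Python sketch below is an added illustration of the same idea, not JavaScriptCore's create_hash_table or Lookup.h code: a build-time index from string hashes into a densely packed value array, collisions chained into overflow slots so the table never rehashes, and a runtime view that allocates only the keys. The hash function, field names and sample property list are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Sequence, Tuple


def string_hash(name: str) -> int:
    """32-bit FNV-1a, chosen for this example (JSC uses its own StringHasher)."""
    h = 0x811C9DC5
    for byte in name.encode("utf-8"):
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


@dataclass(frozen=True)
class HashTableValue:
    """Read-only property description, densely packed (no per-process copy)."""
    key: str
    value: object
    attributes: int = 0


@dataclass(frozen=True)
class IndexEntry:
    """Index slot: two small ints, not a 48-byte entry; -1 = empty / chain end."""
    value_index: int
    next_index: int


def build_index(values: Sequence[HashTableValue],
                compact_size: Optional[int] = None) -> Tuple[int, Tuple[IndexEntry, ...]]:
    """Build-time ('derived sources') step. Slots [0, compact_size) are the hashed
    buckets; a collision appends an overflow slot after them, linked by next_index,
    so the table never rehashes and can be emitted as const data."""
    if compact_size is None:  # smallest power of two holding every entry
        compact_size = 1
        while compact_size < len(values):
            compact_size *= 2
    mask = compact_size - 1
    table: List[IndexEntry] = [IndexEntry(-1, -1)] * compact_size
    for value_index, entry in enumerate(values):
        slot = string_hash(entry.key) & mask
        if table[slot].value_index == -1:
            table[slot] = IndexEntry(value_index, -1)
            continue
        while table[slot].next_index != -1:  # walk to the end of the chain
            slot = table[slot].next_index
        table.append(IndexEntry(value_index, -1))
        table[slot] = IndexEntry(table[slot].value_index, len(table) - 1)
    return mask, tuple(table)


def max_chain_depth(index: Sequence[IndexEntry], mask: int) -> int:
    """The generator-side check that chaining does not get too deep."""
    deepest = 0
    for slot in range(mask + 1):
        depth = 0
        while slot != -1 and index[slot].value_index != -1:
            depth += 1
            slot = index[slot].next_index
        deepest = max(deepest, depth)
    return deepest


class StaticPropertyTable:
    """Runtime view: values and index are shared read-only data; the only
    per-process allocation is the key objects (Identifiers in JSC)."""

    def __init__(self, values, mask: int, index) -> None:
        self.values: Tuple[HashTableValue, ...] = tuple(values)
        self.mask = mask
        self.index: Tuple[IndexEntry, ...] = tuple(index)
        self.keys: Optional[Tuple[str, ...]] = None  # allocated lazily

    def initialize_if_needed(self) -> None:
        if self.keys is None:  # stand-in for creating the Identifiers
            self.keys = tuple(v.key for v in self.values)

    def get(self, name: str) -> Optional[HashTableValue]:
        self.initialize_if_needed()
        slot = string_hash(name) & self.mask
        while slot != -1:
            entry = self.index[slot]
            if entry.value_index != -1 and self.keys[entry.value_index] == name:
                return self.values[entry.value_index]
            slot = entry.next_index
        return None

    def __iter__(self) -> Iterator[HashTableValue]:
        # The dense array needs no skipInvalidKeys(): every element is a real
        # entry, and end() is the dense size rather than the sparse one.
        return iter(self.values)


# Constructed sample data standing in for one class's static property list.
SAMPLE_PROPERTIES = (
    HashTableValue("abs", "fn_abs", attributes=1),
    HashTableValue("ceil", "fn_ceil", attributes=1),
    HashTableValue("max", "fn_max", attributes=1),
    HashTableValue("PI", 3.141592653589793, attributes=2),
)
```

Passing compact_size=1 forces every key into one bucket, which is the easiest way to see the overflow chain that the generator's depth check guards against.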

2014-03-11 Filip Pizlo <fpizlo@apple.com>

        It should be possible to build WebKit with FTL on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130116

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2014-03-10 Filip Pizlo <fpizlo@apple.com>

        GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
        https://bugs.webkit.org/show_bug.cgi?id=129778

        Reviewed by Geoffrey Garen.

        Also deduplicate the GetById getter call caching. Also add some small tests for
        get stubs.

        This change reduces the amount of code involved in GetById access caching and it
        creates data structures that can serve as an elegant scaffold for introducing other
        kinds of caches or improving current caching styles. It will definitely make getter
        performance improvements easier to implement.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PolymorphicGetByIdList.cpp: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::fromStructureStubInfo):
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::from):
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
        (JSC::PolymorphicGetByIdList::addAccess):
        (JSC::PolymorphicGetByIdList::isFull):
        (JSC::PolymorphicGetByIdList::isAlmostFull):
        (JSC::PolymorphicGetByIdList::didSelfPatching):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::isSet):
        (JSC::GetByIdAccess::operator!):
        (JSC::GetByIdAccess::type):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::chain):
        (JSC::GetByIdAccess::chainCount):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::doesCalls):
        (JSC::PolymorphicGetByIdList::isEmpty):
        (JSC::PolymorphicGetByIdList::size):
        (JSC::PolymorphicGetByIdList::at):
        (JSC::PolymorphicGetByIdList::operator[]):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::StructureStubInfo::initGetByIdList):
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryBuildPutByIdList):
        * tests/stress/getter.js: Added.
        (foo):
        (.o):
        * tests/stress/polymorphic-prototype-accesses.js: Added.
        (Foo):
        (Bar):
        (foo):
        * tests/stress/prototype-getter.js: Added.
        (Foo):
        (foo):
        * tests/stress/simple-prototype-accesses.js: Added.
        (Foo):
        (foo):

2014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list,
        we have to scan through each cell in a block. After a collection, all objects that
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportionate amount of
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:

2014-03-11 Andreas Kling <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator). It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10 Mark Lam <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
            - Added the needed #include <wtf/InlineASM.h>.

2014-03-10 Joseph Pecoraro <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10 Mark Lam <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10 Mark Lam <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
        stack memory every time it was called. This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10 Joseph Pecoraro <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10 Filip Pizlo <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier
        on the base object in the case where we are allocating and storing a new Butterfly into it.
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
11528 (JSC::DFG::SpeculativeJIT::compile):
11529 * dfg/DFGSpeculativeJIT64.cpp:
11530 (JSC::DFG::SpeculativeJIT::compile):
11531 * ftl/FTLCapabilities.cpp:
11532 (JSC::FTL::canCompile):
11533 * ftl/FTLLowerDFGToLLVM.cpp:
11534 (JSC::FTL::LowerDFGToLLVM::compileNode):
11535 * jit/Repatch.cpp:
11536 (JSC::emitPutTransitionStub):
11537
115382014-03-10 Filip Pizlo <fpizlo@apple.com>
11539
11540 DFG and FTL should know that comparing anything to Misc is cheap and easy
11541 https://bugs.webkit.org/show_bug.cgi?id=130001
11542
11543 Reviewed by Geoffrey Garen.
11544
11545 - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
11546 comparison is just Untyped:.
11547
11548 - This obviates the need for CompareStrictEqConstant, so remove it.
11549
11550 - FTL had a thing called "Nully" which is really "Other". Rename it and add
11551 OtherUse.
11552
11553 9% speed-up on box2d.
11554
11555 * dfg/DFGAbstractInterpreterInlines.h:
11556 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11557 * dfg/DFGByteCodeParser.cpp:
11558 (JSC::DFG::ByteCodeParser::parseBlock):
11559 * dfg/DFGClobberize.h:
11560 (JSC::DFG::clobberize):
11561 * dfg/DFGFixupPhase.cpp:
11562 (JSC::DFG::FixupPhase::fixupNode):
11563 * dfg/DFGNode.h:
11564 (JSC::DFG::Node::isBinaryUseKind):
11565 (JSC::DFG::Node::shouldSpeculateOther):
11566 * dfg/DFGNodeType.h:
11567 * dfg/DFGPredictionPropagationPhase.cpp:
11568 (JSC::DFG::PredictionPropagationPhase::propagate):
11569 * dfg/DFGSafeToExecute.h:
11570 (JSC::DFG::safeToExecute):
11571 * dfg/DFGSpeculativeJIT.cpp:
11572 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
11573 (JSC::DFG::SpeculativeJIT::compare):
11574 (JSC::DFG::SpeculativeJIT::compileStrictEq):
11575 * dfg/DFGSpeculativeJIT.h:
11576 * dfg/DFGSpeculativeJIT32_64.cpp:
11577 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
11578 (JSC::DFG::SpeculativeJIT::compile):
11579 * dfg/DFGSpeculativeJIT64.cpp:
11580 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
11581 (JSC::DFG::SpeculativeJIT::compile):
11582 * ftl/FTLCapabilities.cpp:
11583 (JSC::FTL::canCompile):
11584 * ftl/FTLLowerDFGToLLVM.cpp:
11585 (JSC::FTL::LowerDFGToLLVM::compileNode):
11586 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
11587 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
11588 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
11589 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
11590 (JSC::FTL::LowerDFGToLLVM::isNotOther):
11591 (JSC::FTL::LowerDFGToLLVM::isOther):
11592 (JSC::FTL::LowerDFGToLLVM::speculate):
11593 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
11594 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
11595 (JSC::FTL::LowerDFGToLLVM::speculateOther):
11596 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
11597 * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
11598
115992014-03-10 Filip Pizlo <fpizlo@apple.com>
11600
11601 Unreviewed, remove unintended change.
11602
11603 * dfg/DFGDriver.cpp:
11604 (JSC::DFG::compileImpl):
11605
116062014-03-10 Filip Pizlo <fpizlo@apple.com>
11607
11608 jsc commandline shouldn't have a "console" because that confuses some tests into thinking
11609 that they're running in the browser.
11610
11611 Rubber stamped by Mark Hahnenberg.
11612
11613 * jsc.cpp:
11614 (GlobalObject::finishCreation):
11615
116162014-03-10 Filip Pizlo <fpizlo@apple.com>
11617
11618 Out-line ScratchRegisterAllocator
11619
11620 Rubber stamped by Mark Hahnenberg.
11621
11622 * CMakeLists.txt:
11623 * GNUmakefile.list.am:
11624 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11625 * JavaScriptCore.xcodeproj/project.pbxproj:
11626 * dfg/DFGDriver.cpp:
11627 (JSC::DFG::compileImpl):
11628 * jit/ScratchRegisterAllocator.cpp: Added.
11629 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
11630 (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
11631 (JSC::ScratchRegisterAllocator::lock):
11632 (JSC::ScratchRegisterAllocator::allocateScratch):
11633 (JSC::ScratchRegisterAllocator::allocateScratchGPR):
11634 (JSC::ScratchRegisterAllocator::allocateScratchFPR):
11635 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
11636 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
11637 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
11638 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
11639 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
11640 * jit/ScratchRegisterAllocator.h:
11641
116422014-03-10 Brent Fulgham <bfulgham@apple.com>
11643
11644 [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
11645 https://bugs.webkit.org/show_bug.cgi?id=130023
11646
11647 Reviewed by Dean Jackson.
11648
11649 * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
11650 path names to avoid accidental escaping of later string substitutions.
11651
116522014-03-10 Andreas Kling <akling@apple.com>
11653
11654 [X86_64] Smaller code for testb_i8r when register is accumulator.
11655 <https://webkit.org/b/130026>
11656
11657 Generate the shorthand version of "test al, imm" when possible.
11658
11659 Reviewed by Michael Saboff.
11660
11661 * assembler/X86Assembler.h:
11662 (JSC::X86Assembler::testb_i8r):
11663
116642014-03-10 Andreas Kling <akling@apple.com>
11665
11666 [X86_64] Smaller code for sub_ir when register is accumulator.
11667 <https://webkit.org/b/130025>
11668
11669 Generate the shorthand version of "sub eax, imm" when possible.
11670
11671 Reviewed by Michael Saboff.
11672
11673 * assembler/X86Assembler.h:
11674 (JSC::X86Assembler::subl_ir):
11675 (JSC::X86Assembler::subq_ir):
11676
116772014-03-10 Andreas Kling <akling@apple.com>
11678
11679 [X86_64] Smaller code for add_ir when register is accumulator.
11680 <https://webkit.org/b/130024>
11681
11682 Generate the shorthand version of "add eax, imm" when possible.
11683
11684 Reviewed by Michael Saboff.
11685
11686 * assembler/X86Assembler.h:
11687 (JSC::X86Assembler::addl_ir):
11688 (JSC::X86Assembler::addq_ir):
11689
116902014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11691
11692 writeBarrier in emitPutReplaceStub is unnecessary
11693 https://bugs.webkit.org/show_bug.cgi?id=130030
11694
11695 Reviewed by Filip Pizlo.
11696
11697 We already emit write barriers for each put-by-id when they're first compiled, so it's
11698 redundant to emit a write barrier as part of the repatched code.
11699
11700 * jit/Repatch.cpp:
11701 (JSC::emitPutReplaceStub):
11702
117032014-03-10 Andreas Kling <akling@apple.com>
11704
11705 [X86_64] Smaller code for xor_ir when register is accumulator.
11706 <https://webkit.org/b/130008>
11707
11708 Generate the shorthand version of "xor eax, imm" when possible.
11709
11710 Reviewed by Benjamin Poulain.
11711
11712 * assembler/X86Assembler.h:
11713 (JSC::X86Assembler::xorl_ir):
11714 (JSC::X86Assembler::xorq_ir):
11715
117162014-03-10 Andreas Kling <akling@apple.com>
11717
11718 [X86_64] Smaller code for or_ir when register is accumulator.
11719 <https://webkit.org/b/130007>
11720
11721 Generate the shorthand version of "or eax, imm" when possible.
11722
11723 Reviewed by Benjamin Poulain.
11724
11725 * assembler/X86Assembler.h:
11726 (JSC::X86Assembler::orl_ir):
11727 (JSC::X86Assembler::orq_ir):
11728
117292014-03-10 Andreas Kling <akling@apple.com>
11730
11731 [X86_64] Smaller code for test_ir when register is accumulator.
11732 <https://webkit.org/b/130006>
11733
11734 Generate the shorthand version of "test eax, imm" when possible.
11735
11736 Reviewed by Benjamin Poulain.
11737
11738 * assembler/X86Assembler.h:
11739 (JSC::X86Assembler::testl_i32r):
11740 (JSC::X86Assembler::testq_i32r):
11741
117422014-03-10 Andreas Kling <akling@apple.com>
11743
11744 [X86_64] Smaller code for cmp_ir when register is accumulator.
11745 <https://webkit.org/b/130005>
11746
11747 Generate the shorthand version of "cmp eax, imm" when possible.
11748
11749 Reviewed by Benjamin Poulain.
11750
11751 * assembler/X86Assembler.h:
11752 (JSC::X86Assembler::cmpl_ir):
11753 (JSC::X86Assembler::cmpq_ir):
11754
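The testb_i8r, sub_ir, add_ir, xor_ir, or_ir, test_ir and cmp_ir entries above all rely on the same x86 encoding rule: an ALU instruction with an immediate has a dedicated short opcode when its destination is the accumulator (eax/rax), and most of them also have a sign-extended imm8 form (opcode 83) that is shorter still, while TEST has no imm8 form at all. The following C is an added example, not code from X86Assembler.h; the AluOp enum, the kAlu table and the x86_alu_ri name are our own, and it picks among the three encodings so the emitted bytes can be compared (handy when checking JIT output in a disassembler).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not JSC's X86Assembler: opcode table and names are ours. */
enum AluOp { ALU_ADD, ALU_OR, ALU_SUB, ALU_XOR, ALU_CMP, ALU_TEST, ALU_COUNT };

/* For each op: the /digit used by the 81 (imm32) and 83 (imm8) opcode groups,
 * and the one-byte "op eax, imm32" form that exists only for the accumulator. */
static const struct { uint8_t group_ext; uint8_t short_opcode; } kAlu[ALU_COUNT] = {
    [ALU_ADD]  = { 0, 0x05 },
    [ALU_OR]   = { 1, 0x0D },
    [ALU_SUB]  = { 5, 0x2D },
    [ALU_XOR]  = { 6, 0x35 },
    [ALU_CMP]  = { 7, 0x3D },
    [ALU_TEST] = { 0, 0xA9 }, /* TEST's long form is F7 /0 and it has no 83 form */
};

/* Encode "op reg, imm" (32-bit operand, or 64-bit with REX.W when is64) into out
 * and return the byte count. reg is the hardware number: 0 = eax/rax ... 15 = r15. */
size_t x86_alu_ri(uint8_t *out, enum AluOp op, unsigned reg, int32_t imm, bool is64)
{
    size_t n = 0;
    bool is_test = (op == ALU_TEST);
    bool fits_imm8 = (imm >= -128 && imm <= 127);
    uint8_t modrm = (uint8_t)(0xC0 | (kAlu[op].group_ext << 3) | (reg & 7));
    uint8_t rex = (uint8_t)(0x40 | (is64 ? 0x08 : 0) | ((reg >> 3) & 1)); /* W and B */

    if (rex != 0x40)              /* REX only needed for 64-bit operands or r8..r15 */
        out[n++] = rex;

    if (fits_imm8 && !is_test) {  /* shortest: 83 /digit ib (TEST lacks this form) */
        out[n++] = 0x83;
        out[n++] = modrm;
        out[n++] = (uint8_t)imm;
        return n;
    }
    if (reg == 0) {               /* accumulator: dedicated opcode, no ModRM byte */
        out[n++] = kAlu[op].short_opcode;
    } else {                      /* general form: 81 /digit id, or F7 /0 id for TEST */
        out[n++] = is_test ? 0xF7 : 0x81;
        out[n++] = modrm;
    }
    for (int i = 0; i < 4; i++)   /* imm32, little-endian regardless of host order */
        out[n++] = (uint8_t)((uint32_t)imm >> (8 * i));
    return n;
}

/* Encode and compare against an expected uppercase hex string such as "0578563412". */
bool x86_alu_ri_encodes_to(enum AluOp op, unsigned reg, int32_t imm, bool is64,
                           const char *hex)
{
    uint8_t buf[16];
    char got[2 * sizeof buf + 1];
    size_t n = x86_alu_ri(buf, op, reg, imm, is64);
    got[0] = '\0';
    for (size_t i = 0; i < n; i++)
        snprintf(got + 2 * i, 3, "%02X", buf[i]);
    return strcmp(got, hex) == 0;
}

int main(void)
{
    uint8_t buf[16];
    /* Same operation in three sizes: the saving is what the entries above describe. */
    printf("add eax, 0x12345678 -> %zu bytes\n", x86_alu_ri(buf, ALU_ADD, 0, 0x12345678, false));
    printf("add ecx, 0x12345678 -> %zu bytes\n", x86_alu_ri(buf, ALU_ADD, 1, 0x12345678, false));
    printf("add ecx, 5          -> %zu bytes\n", x86_alu_ri(buf, ALU_ADD, 1, 5, false));
    printf("test eax, 5         -> %zu bytes\n", x86_alu_ri(buf, ALU_TEST, 0, 5, false));
    return 0;
}
```
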
117552014-03-10 Andreas Kling <akling@apple.com>
11756
11757 [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
11758 <https://webkit.org/b/130002>
11759
11760 Generate this:
11761
11762 mov [address], imm32
11763
11764 Instead of this:
11765
11766 mov scratchRegister, imm32
11767 mov [address], scratchRegister
11768
11769 For store64(imm, address) where the 64-bit immediate can be passed as
11770 a sign-extended 32-bit value.
11771
11772 Reviewed by Benjamin Poulain.
11773
11774 * assembler/MacroAssemblerX86_64.h:
11775 (CAN_SIGN_EXTEND_32_64):
11776 (JSC::MacroAssemblerX86_64::store64):
11777
117782014-03-10 Andreas Kling <akling@apple.com>
11779
11780 [X86_64] Smaller code for xchg_rr when one register is accumulator.
11781 <https://webkit.org/b/130004>
11782
11783 Generate the 1-byte version of "xchg eax, reg" when possible.
11784
11785 Reviewed by Benjamin Poulain.
11786
11787 * assembler/X86Assembler.h:
11788 (JSC::X86Assembler::xchgl_rr):
11789 (JSC::X86Assembler::xchgq_rr):
11790
117912014-03-09 Filip Pizlo <fpizlo@apple.com>
11792
11793 GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
11794 https://bugs.webkit.org/show_bug.cgi?id=129998
11795
11796 Reviewed by Geoffrey Garen.
11797
11798 Not only is that the established contract, but this is used to signal to
11799 ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
11800 that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
11801 some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
11802 fine but previously it would have led to either an assertion failure, or data corruption, in
11803 the ScratchRegisterAllocator.
11804
11805 * jit/GPRInfo.h:
11806 (JSC::GPRInfo::toIndex):
11807
118082014-03-09 Filip Pizlo <fpizlo@apple.com>
11809
11810 FTL fails the new equals-masquerader strictEqualConstant test
11811 https://bugs.webkit.org/show_bug.cgi?id=129996
11812
11813 Reviewed by Mark Lam.
11814
11815 It turns out that the FTL was trying to do the masquerading stuff for ===null. But
11816 that's wrong since none of the other engines do it. The DFG even had an ancient
11817 FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
11818 don't do it and JSValue::strictEqual() doesn't do it.
11819
11820 Remove the FIXME and remove the extra checks in the FTL.
11821
11822 This is a glorious patch: nothing but red and it fixes a test failure.
11823
11824 * dfg/DFGSpeculativeJIT.cpp:
11825 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
11826 * ftl/FTLLowerDFGToLLVM.cpp:
11827 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
11828
118292014-03-09 Andreas Kling <akling@apple.com>
11830
11831 Short-circuit JSGlobalObjectInspectorController when not inspecting.
11832 <https://webkit.org/b/129995>
11833
11834 Add an early return in reportAPIException() when the console agent
11835 is disabled. This avoids expensive symbolication during exceptions
11836 if there's nobody expecting the fancy backtrace anyway.
11837
11838 ~2% progression on DYEB on my MBP.
11839
11840 Reviewed by Geoff Garen.
11841
11842 * inspector/JSGlobalObjectInspectorController.cpp:
11843 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
11844
118452014-03-09 Andreas Kling <akling@apple.com>
11846
11847 Inline the trivial parts of GC deferral.
11848 <https://webkit.org/b/129984>
11849
11850 Made most of the functions called by the DeferGC RAII object inline
11851 to avoid function call overhead.
11852
11853 Looks like ~1% progression on DYEB.
11854
11855 Reviewed by Geoffrey Garen.
11856
11857 * heap/Heap.cpp:
11858 * heap/Heap.h:
11859 (JSC::Heap::incrementDeferralDepth):
11860 (JSC::Heap::decrementDeferralDepth):
11861 (JSC::Heap::collectIfNecessaryOrDefer):
11862 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
11863
118642014-03-08 Mark Lam <mark.lam@apple.com>
11865
11866 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
11867 <https://webkit.org/b/129969>
11868
11869 Reviewed by Geoffrey Garen.
11870
11871 The 32-bit version of handleUncaughtException was missing the handling of an
11872 edge case for stack overflows where the current frame may already be the
11873 sentinel frame. This edge case was handled in the 64-bit version. The fix
11874 is to bring the 32-bit version up to parity.
11875
11876 * jit/JIT.cpp:
11877 (JSC::JIT::privateCompile):
11878 * llint/LowLevelInterpreter32_64.asm:
11879
118802014-03-07 Mark Lam <mark.lam@apple.com>
11881
11882 Fix bugs in 32-bit Structure implementation.
11883 <https://webkit.org/b/129947>
11884
11885 Reviewed by Mark Hahnenberg.
11886
11887 Added the loading of the Structure (from the JSCell) before use that was
11888 missing in a few places. Also added more test cases to equals-masquerader.js.
11889
11890 * dfg/DFGSpeculativeJIT32_64.cpp:
11891 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
11892 (JSC::DFG::SpeculativeJIT::compile):
11893 * dfg/DFGSpeculativeJIT64.cpp:
11894 (JSC::DFG::SpeculativeJIT::compile):
11895 * llint/LowLevelInterpreter32_64.asm:
11896 * tests/stress/equals-masquerader.js:
11897 (equalsNull):
11898 (notEqualsNull):
11899 (strictEqualsNull):
11900 (strictNotEqualsNull):
11901 (equalsUndefined):
11902 (notEqualsUndefined):
11903 (strictEqualsUndefined):
11904 (strictNotEqualsUndefined):
11905 (isFalsey):
11906 (test):
11907
119082014-03-07 Andrew Trick <atrick@apple.com>
11909
11910 Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
11911 https://bugs.webkit.org/show_bug.cgi?id=129954
11912
11913 Reviewed by Filip Pizlo.
11914
11915 * tests/stress/float32-repeat-out-of-bounds.js:
11916 * tests/stress/int8-repeat-out-of-bounds.js:
11917
119182014-03-07 Michael Saboff <msaboff@apple.com>
11919
11920 .cfi directives in LowLevelInterpreter.cpp are providing no benefit
11921 https://bugs.webkit.org/show_bug.cgi?id=129945
11922
11923 Reviewed by Mark Lam.
11924
11925 Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
11926 or in lldb.
11927
11928 * llint/LowLevelInterpreter.cpp:
11929
119302014-03-07 Oliver Hunt <oliver@apple.com>
11931
11932 Continue hangs when performing for-of over arguments
11933 https://bugs.webkit.org/show_bug.cgi?id=129915
11934
11935 Reviewed by Geoffrey Garen.
11936
11937 Put the continue label in the right place
11938
11939 * bytecompiler/BytecodeGenerator.cpp:
11940 (JSC::BytecodeGenerator::emitEnumeration):
11941
119422014-03-07 peavo@outlook.com <peavo@outlook.com>
11943
11944 [Win64] Compile error after r165128.
11945 https://bugs.webkit.org/show_bug.cgi?id=129807
11946
11947 Reviewed by Mark Lam.
11948
11949 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
11950 Check platform environment variable to determine if an assembler file should be generated.
11951
119522014-03-07 Michael Saboff <msaboff@apple.com>
11953
11954 Clarify how we deal with "special" registers
11955 https://bugs.webkit.org/show_bug.cgi?id=129806
11956
11957 Already reviewed change being relanded.
11958
11959 Relanding change set r165196 as it wasn't responsible for the breakage reported in
11960 https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
11961
11962 Reviewed by Michael Saboff.
11963 configuration issue.
11964
11965 * assembler/ARM64Assembler.h:
11966 (JSC::ARM64Assembler::lastRegister):
11967 * assembler/MacroAssembler.h:
11968 (JSC::MacroAssembler::nextRegister):
11969 * ftl/FTLLocation.cpp:
11970 (JSC::FTL::Location::restoreInto):
11971 * ftl/FTLSaveRestore.cpp:
11972 (JSC::FTL::saveAllRegisters):
11973 (JSC::FTL::restoreAllRegisters):
11974 * ftl/FTLSlowPathCall.cpp:
11975 * jit/RegisterSet.cpp:
11976 (JSC::RegisterSet::reservedHardwareRegisters):
11977 (JSC::RegisterSet::runtimeRegisters):
11978 (JSC::RegisterSet::specialRegisters):
11979 (JSC::RegisterSet::calleeSaveRegisters):
11980 * jit/RegisterSet.h:
11981
119822014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
11983
11984 Move GCActivityCallback to heap
11985 https://bugs.webkit.org/show_bug.cgi?id=129457
11986
11987 Reviewed by Geoffrey Garen.
11988
11989 All the other GC timer related stuff is there already.
11990
11991 * CMakeLists.txt:
11992 * GNUmakefile.list.am:
11993 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11994 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11995 * JavaScriptCore.xcodeproj/project.pbxproj:
11996 * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
11997 * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
11998 * runtime/GCActivityCallback.cpp: Removed.
11999 * runtime/GCActivityCallback.h: Removed.
12000
120012014-03-07 Andrew Trick <atrick@apple.com>
12002
12003 Correct a comment typo from:
12004 FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
12005 https://bugs.webkit.org/show_bug.cgi?id=129865
12006
12007 Reviewed by Mark Lam.
12008
12009 * ftl/FTLOutput.h:
12010 (JSC::FTL::Output::doubleRem):
12011
120122014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
12013
12014 Use OwnPtr in StructureIDTable
12015 https://bugs.webkit.org/show_bug.cgi?id=129828
12016
12017 Reviewed by Geoffrey Garen.
12018
12019 This reduces the amount of boilerplate and fixes a memory leak.
12020
12021 * runtime/StructureIDTable.cpp:
12022 (JSC::StructureIDTable::StructureIDTable):
12023 (JSC::StructureIDTable::resize):
12024 (JSC::StructureIDTable::flushOldTables):
12025 (JSC::StructureIDTable::allocateID):
12026 (JSC::StructureIDTable::deallocateID):
12027 * runtime/StructureIDTable.h:
12028 (JSC::StructureIDTable::table):
12029 (JSC::StructureIDTable::get):
12030
120312014-03-07 Andrew Trick <atrick@apple.com>
12032
12033 FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
12034 https://bugs.webkit.org/show_bug.cgi?id=129865
12035
12036 Reviewed by Filip Pizlo.
12037
12038 * ftl/FTLIntrinsicRepository.h:
12039 * ftl/FTLOutput.h:
12040 (JSC::FTL::Output::doubleRem):
12041
120422014-03-06 Filip Pizlo <fpizlo@apple.com>
12043
12044 If the FTL is build-time enabled then it should be run-time enabled.
12045
12046 Rubber stamped by Geoffrey Garen.
12047
12048 * runtime/Options.cpp:
12049 (JSC::recomputeDependentOptions):
12050 * runtime/Options.h:
12051
120522014-03-06 Joseph Pecoraro <pecoraro@apple.com>
12053
12054 [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
12055 https://bugs.webkit.org/show_bug.cgi?id=129852
12056
12057 Reviewed by Geoffrey Garen.
12058
12059 * framework.sb: Added.
12060 Sandbox extension to allow access to "com.apple.webinspector".
12061
12062 * JavaScriptCore.xcodeproj/project.pbxproj:
12063 Add a Copy Resources build phase and include framework.sb.
12064
12065 * Configurations/JavaScriptCore.xcconfig:
12066 Do not copy framework.sb on iOS.
12067
120682014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
12069
12070 JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
12071 https://bugs.webkit.org/show_bug.cgi?id=129858
12072
12073 Reviewed by Mark Lam.
12074
12075 It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
12076 but now it ends up overwriting the IdentifierTable that JSLock just restored.
12077
12078 * API/JSContextRef.cpp:
12079 (JSGlobalContextRelease):
12080
120812014-03-06 Oliver Hunt <oliver@apple.com>
12082
12083 Fix FTL build.
12084
12085 * dfg/DFGConstantFoldingPhase.cpp:
12086 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12087
120882014-03-06 Brent Fulgham <bfulgham@apple.com>
12089
12090 Unreviewed build fix after r165128.
12091
12092 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
12093 performing 'Production' and 'DebugSuffix' type builds.
12094
120952014-03-06 Julien Brianceau <jbriance@cisco.com>
12096
12097 Unreviewed, fix style in my previous commit.
12098 https://bugs.webkit.org/show_bug.cgi?id=129833
12099
12100 * runtime/JSConsole.cpp:
12101
121022014-03-06 Julien Brianceau <jbriance@cisco.com>
12103
12104 Build fix: add missing include in JSConole.cpp.
12105 https://bugs.webkit.org/show_bug.cgi?id=129833
12106
12107 Reviewed by Oliver Hunt.
12108
12109 * runtime/JSConsole.cpp:
12110
121112014-03-06 Oliver Hunt <oliver@apple.com>
12112
12113 Fix ARMv7
12114
12115 * jit/CCallHelpers.h:
12116 (JSC::CCallHelpers::setupArgumentsWithExecState):
12117
121182014-03-06 Commit Queue <commit-queue@webkit.org>
12119
12120 Unreviewed, rolling out r165196.
12121 http://trac.webkit.org/changeset/165196
12122 https://bugs.webkit.org/show_bug.cgi?id=129822
12123
12124 broke arm64 on hardware (Requested by bfulgham on #webkit).
12125
12126 * assembler/ARM64Assembler.h:
12127 (JSC::ARM64Assembler::lastRegister):
12128 * assembler/MacroAssembler.h:
12129 (JSC::MacroAssembler::isStackRelated):
12130 (JSC::MacroAssembler::firstRealRegister):
12131 (JSC::MacroAssembler::nextRegister):
12132 (JSC::MacroAssembler::secondRealRegister):
12133 * ftl/FTLLocation.cpp:
12134 (JSC::FTL::Location::restoreInto):
12135 * ftl/FTLSaveRestore.cpp:
12136 (JSC::FTL::saveAllRegisters):
12137 (JSC::FTL::restoreAllRegisters):
12138 * ftl/FTLSlowPathCall.cpp:
12139 * jit/RegisterSet.cpp:
12140 (JSC::RegisterSet::specialRegisters):
12141 (JSC::RegisterSet::calleeSaveRegisters):
12142 * jit/RegisterSet.h:
12143
121442014-03-06 Mark Lam <mark.lam@apple.com>
12145
12146 REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
12147 <https://webkit.org/b/129813>
12148
12149 Reviewed by Michael Saboff.
12150
12151 Fixed broken C loop LLINT build.
12152
12153 * llint/LowLevelInterpreter.cpp:
12154 (JSC::CLoop::execute):
12155 * offlineasm/cloop.rb:
12156
121572014-03-03 Oliver Hunt <oliver@apple.com>
12158
12159 Support caching of custom setters
12160 https://bugs.webkit.org/show_bug.cgi?id=129519
12161
12162 Reviewed by Filip Pizlo.
12163
12164 This patch adds caching of assignment to properties that
12165 are backed by C functions. This provides most of the leg
12166 work required to start supporting setters, and resolves
12167 the remaining regressions from moving DOM properties up
12168 the prototype chain.
12169
12170 * JavaScriptCore.xcodeproj/project.pbxproj:
12171 * bytecode/PolymorphicPutByIdList.cpp:
12172 (JSC::PutByIdAccess::visitWeak):
12173 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12174 (JSC::PolymorphicPutByIdList::from):
12175 * bytecode/PolymorphicPutByIdList.h:
12176 (JSC::PutByIdAccess::transition):
12177 (JSC::PutByIdAccess::replace):
12178 (JSC::PutByIdAccess::customSetter):
12179 (JSC::PutByIdAccess::isCustom):
12180 (JSC::PutByIdAccess::oldStructure):
12181 (JSC::PutByIdAccess::chain):
12182 (JSC::PutByIdAccess::stubRoutine):
12183 * bytecode/PutByIdStatus.cpp:
12184 (JSC::PutByIdStatus::computeForStubInfo):
12185 (JSC::PutByIdStatus::computeFor):
12186 (JSC::PutByIdStatus::dump):
12187 * bytecode/PutByIdStatus.h:
12188 (JSC::PutByIdStatus::PutByIdStatus):
12189 (JSC::PutByIdStatus::takesSlowPath):
12190 (JSC::PutByIdStatus::makesCalls):
12191 * bytecode/StructureStubInfo.h:
12192 * dfg/DFGAbstractInterpreterInlines.h:
12193 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12194 * dfg/DFGByteCodeParser.cpp:
12195 (JSC::DFG::ByteCodeParser::emitPutById):
12196 (JSC::DFG::ByteCodeParser::handlePutById):
12197 * dfg/DFGClobberize.h:
12198 (JSC::DFG::clobberize):
12199 * dfg/DFGCommon.h:
12200 * dfg/DFGConstantFoldingPhase.cpp:
12201 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12202 * dfg/DFGFixupPhase.cpp:
12203 (JSC::DFG::FixupPhase::fixupNode):
12204 * dfg/DFGNode.h:
12205 (JSC::DFG::Node::hasIdentifier):
12206 * dfg/DFGNodeType.h:
12207 * dfg/DFGPredictionPropagationPhase.cpp:
12208 (JSC::DFG::PredictionPropagationPhase::propagate):
12209 * dfg/DFGSafeToExecute.h:
12210 (JSC::DFG::safeToExecute):
12211 * dfg/DFGSpeculativeJIT.cpp:
12212 (JSC::DFG::SpeculativeJIT::compileIn):
12213 * dfg/DFGSpeculativeJIT.h:
12214 * dfg/DFGSpeculativeJIT32_64.cpp:
12215 (JSC::DFG::SpeculativeJIT::cachedGetById):
12216 (JSC::DFG::SpeculativeJIT::cachedPutById):
12217 (JSC::DFG::SpeculativeJIT::compile):
12218 * dfg/DFGSpeculativeJIT64.cpp:
12219 (JSC::DFG::SpeculativeJIT::cachedGetById):
12220 (JSC::DFG::SpeculativeJIT::cachedPutById):
12221 (JSC::DFG::SpeculativeJIT::compile):
12222 * jit/CCallHelpers.h:
12223 (JSC::CCallHelpers::setupArgumentsWithExecState):
12224 * jit/JITInlineCacheGenerator.cpp:
12225 (JSC::JITByIdGenerator::JITByIdGenerator):
12226 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12227 * jit/JITInlineCacheGenerator.h:
12228 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12229 * jit/JITOperations.cpp:
12230 * jit/JITOperations.h:
12231 * jit/JITPropertyAccess.cpp:
12232 (JSC::JIT::emit_op_get_by_id):
12233 (JSC::JIT::emit_op_put_by_id):
12234 * jit/JITPropertyAccess32_64.cpp:
12235 (JSC::JIT::emit_op_get_by_id):
12236 (JSC::JIT::emit_op_put_by_id):
12237 * jit/Repatch.cpp:
12238 (JSC::tryCacheGetByID):
12239 (JSC::tryBuildGetByIDList):
12240 (JSC::emitCustomSetterStub):
12241 (JSC::tryCachePutByID):
12242 (JSC::tryBuildPutByIdList):
12243 * jit/SpillRegistersMode.h: Added.
12244 * llint/LLIntSlowPaths.cpp:
12245 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12246 * runtime/Lookup.h:
12247 (JSC::putEntry):
12248 * runtime/PutPropertySlot.h:
12249 (JSC::PutPropertySlot::setCacheableCustomProperty):
12250 (JSC::PutPropertySlot::customSetter):
12251 (JSC::PutPropertySlot::isCacheablePut):
12252 (JSC::PutPropertySlot::isCacheableCustomProperty):
12253 (JSC::PutPropertySlot::cachedOffset):
12254
122552014-03-06 Filip Pizlo <fpizlo@apple.com>
12256
12257 FTL arity fixup should work on ARM64
12258 https://bugs.webkit.org/show_bug.cgi?id=129810
12259
12260 Reviewed by Michael Saboff.
12261
12262 - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
12263 callee-save.
12264
12265 - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
12266
12267 This makes some more tests pass.
12268
12269 * dfg/DFGJITCompiler.cpp:
12270 (JSC::DFG::JITCompiler::compileFunction):
12271 * ftl/FTLLink.cpp:
12272 (JSC::FTL::link):
12273 * jit/AssemblyHelpers.h:
12274 (JSC::AssemblyHelpers::prologueStackPointerDelta):
12275 * jit/JIT.cpp:
12276 (JSC::JIT::privateCompile):
12277 * jit/ThunkGenerators.cpp:
12278 (JSC::arityFixup):
12279 * llint/LowLevelInterpreter64.asm:
12280 * offlineasm/arm64.rb:
12281 * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
12282
122832014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
12284
12285 Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
12286 https://bugs.webkit.org/show_bug.cgi?id=129760
12287
12288 Reviewed by Geoffrey Garen.
12289
12290 r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
12291 The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
12292
12293 * dfg/DFGSpeculativeJIT.cpp:
12294 (JSC::DFG::SpeculativeJIT::writeBarrier):
12295 * dfg/DFGSpeculativeJIT.h:
12296 * dfg/DFGSpeculativeJIT32_64.cpp:
12297 (JSC::DFG::SpeculativeJIT::writeBarrier):
12298 * dfg/DFGSpeculativeJIT64.cpp:
12299 (JSC::DFG::SpeculativeJIT::writeBarrier):
12300 * jit/AssemblyHelpers.h:
12301 (JSC::AssemblyHelpers::checkMarkByte):
12302 * jit/JIT.h:
12303 * jit/JITPropertyAccess.cpp:
12304 * jit/Repatch.cpp:
12305 (JSC::writeBarrier):
12306
123072014-03-06 Joseph Pecoraro <pecoraro@apple.com>
12308
12309 Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
12310 https://bugs.webkit.org/show_bug.cgi?id=127944
12311
12312 Reviewed by Geoffrey Garen.
12313
12314 Always expose the Console object in JSContexts, just like we
12315 do for web pages. The default behavior will route to an
12316 attached JSContext inspector. This can be overriden by
12317 setting the ConsoleClient on the JSGlobalObject, which WebCore
12318 does to get slightly different behavior.
12319
12320 * CMakeLists.txt:
12321 * GNUmakefile.list.am:
12322 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12323 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12324 * JavaScriptCore.xcodeproj/project.pbxproj:
12325 Update build systems.
12326
12327 * API/tests/testapi.js:
12328 * API/tests/testapi.mm:
12329 Test that "console" exists in C and ObjC contexts.
12330
12331 * runtime/ConsoleClient.cpp: Added.
12332 (JSC::ConsoleClient::printURLAndPosition):
12333 (JSC::ConsoleClient::printMessagePrefix):
12334 (JSC::ConsoleClient::printConsoleMessage):
12335 (JSC::ConsoleClient::printConsoleMessageWithArguments):
12336 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
12337 (JSC::ConsoleClient::logWithLevel):
12338 (JSC::ConsoleClient::clear):
12339 (JSC::ConsoleClient::dir):
12340 (JSC::ConsoleClient::dirXML):
12341 (JSC::ConsoleClient::table):
12342 (JSC::ConsoleClient::trace):
12343 (JSC::ConsoleClient::assertCondition):
12344 (JSC::ConsoleClient::group):
12345 (JSC::ConsoleClient::groupCollapsed):
12346 (JSC::ConsoleClient::groupEnd):
12347 * runtime/ConsoleClient.h: Added.
12348 (JSC::ConsoleClient::~ConsoleClient):
12349 New private interface for handling the console object's methods.
12350 A lot of the methods funnel through messageWithTypeAndLevel.
12351
12352 * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
12353 Moved to JSC namespace.
12354
12355 * runtime/JSGlobalObject.cpp:
12356 (JSC::JSGlobalObject::JSGlobalObject):
12357 (JSC::JSGlobalObject::init):
12358 (JSC::JSGlobalObject::reset):
12359 (JSC::JSGlobalObject::visitChildren):
12360 Create the "console" object when initializing the environment.
12361 Also set the default console client to be the JS context inspector.
12362
12363 * runtime/JSGlobalObject.h:
12364 (JSC::JSGlobalObject::setConsoleClient):
12365 (JSC::JSGlobalObject::consoleClient):
12366 Ability to change the console client, so WebCore can set a custom client.
12367
12368 * runtime/ConsolePrototype.cpp: Added.
12369 (JSC::ConsolePrototype::finishCreation):
12370 (JSC::valueToStringWithUndefinedOrNullCheck):
12371 (JSC::consoleLogWithLevel):
12372 (JSC::consoleProtoFuncDebug):
12373 (JSC::consoleProtoFuncError):
12374 (JSC::consoleProtoFuncLog):
12375 (JSC::consoleProtoFuncWarn):
12376 (JSC::consoleProtoFuncClear):
12377 (JSC::consoleProtoFuncDir):
12378 (JSC::consoleProtoFuncDirXML):
12379 (JSC::consoleProtoFuncTable):
12380 (JSC::consoleProtoFuncTrace):
12381 (JSC::consoleProtoFuncAssert):
12382 (JSC::consoleProtoFuncCount):
12383 (JSC::consoleProtoFuncProfile):
12384 (JSC::consoleProtoFuncProfileEnd):
12385 (JSC::consoleProtoFuncTime):
12386 (JSC::consoleProtoFuncTimeEnd):
12387 (JSC::consoleProtoFuncTimeStamp):
12388 (JSC::consoleProtoFuncGroup):
12389 (JSC::consoleProtoFuncGroupCollapsed):
12390 (JSC::consoleProtoFuncGroupEnd):
12391 * runtime/ConsolePrototype.h: Added.
12392 (JSC::ConsolePrototype::create):
12393 (JSC::ConsolePrototype::createStructure):
12394 (JSC::ConsolePrototype::ConsolePrototype):
12395 Define the console object interface. Parse out required / expected
12396 arguments and throw exceptions when methods are misused.
12397
12398 * runtime/JSConsole.cpp: Added.
12399 * runtime/JSConsole.h: Added.
12400 (JSC::JSConsole::createStructure):
12401 (JSC::JSConsole::create):
12402 (JSC::JSConsole::JSConsole):
12403 Empty "console" object. Everything is in the prototype.
12404
12405 * inspector/JSConsoleClient.cpp: Added.
12406 (Inspector::JSConsoleClient::JSGlobalObjectConsole):
12407 (Inspector::JSConsoleClient::count):
12408 (Inspector::JSConsoleClient::profile):
12409 (Inspector::JSConsoleClient::profileEnd):
12410 (Inspector::JSConsoleClient::time):
12411 (Inspector::JSConsoleClient::timeEnd):
12412 (Inspector::JSConsoleClient::timeStamp):
12413 (Inspector::JSConsoleClient::warnUnimplemented):
12414 (Inspector::JSConsoleClient::internalAddMessage):
12415 * inspector/JSConsoleClient.h: Added.
12416 * inspector/JSGlobalObjectInspectorController.cpp:
12417 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
12418 (Inspector::JSGlobalObjectInspectorController::consoleClient):
12419 * inspector/JSGlobalObjectInspectorController.h:
12420 Default JSContext ConsoleClient implementation. Handle nearly
12421 everything except profile/profileEnd and timeStamp.
12422
124232014-03-06 Andreas Kling <akling@apple.com>
12424
12425 Drop unlinked function code on memory pressure.
12426 <https://webkit.org/b/129789>
12427
12428 Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
12429 are not currently being compiled.
12430
12431 4.5 MB progression on Membuster.
12432
12433 Reviewed by Geoffrey Garen.
12434
12435 * heap/Heap.cpp:
12436 (JSC::Heap::deleteAllUnlinkedFunctionCode):
12437 * heap/Heap.h:
12438 * runtime/VM.cpp:
12439 (JSC::VM::discardAllCode):
12440
124412014-03-06 Filip Pizlo <fpizlo@apple.com>
12442
12443 Clarify how we deal with "special" registers
12444 https://bugs.webkit.org/show_bug.cgi?id=129806
12445
12446 Reviewed by Michael Saboff.
12447
12448 Previously we had two different places that defined what "stack" registers are, a thing
12449 called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
12450 "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
12451 one place and had a baked-in notion of what it meant for a register to be "real" or not.
12452
12453 It's not cool to use words like "real" and "special" to describe registers, especially if you
12454 fail to qualify what that means. This originally made sense on X86 - "real" registers were
12455 the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
12456 you also have to worry about the LR register, which we'd want to say is "not real" but it's
12457 also not a "stack" register. This got super confusing.
12458
12459 So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
12460 a "stack" register, and uses the word special only in places where it's clearly defined and
12461 where no better word comes to mind.
12462
12463 This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
12464 Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
12465 magically didn't break anything because you never need to save/restore either FP or Q0, but
12466 it was still super weird.
12467
12468 * assembler/ARM64Assembler.h:
12469 (JSC::ARM64Assembler::lastRegister):
12470 * assembler/MacroAssembler.h:
12471 (JSC::MacroAssembler::nextRegister):
12472 * ftl/FTLLocation.cpp:
12473 (JSC::FTL::Location::restoreInto):
12474 * ftl/FTLSaveRestore.cpp:
12475 (JSC::FTL::saveAllRegisters):
12476 (JSC::FTL::restoreAllRegisters):
12477 * ftl/FTLSlowPathCall.cpp:
12478 * jit/RegisterSet.cpp:
12479 (JSC::RegisterSet::reservedHardwareRegisters):
12480 (JSC::RegisterSet::runtimeRegisters):
12481 (JSC::RegisterSet::specialRegisters):
12482 (JSC::RegisterSet::calleeSaveRegisters):
12483 * jit/RegisterSet.h:
12484
124852014-03-06 Filip Pizlo <fpizlo@apple.com>
12486
12487 Unreviewed, fix build.
12488
12489 * disassembler/ARM64Disassembler.cpp:
12490
124912014-03-06 Filip Pizlo <fpizlo@apple.com>
12492
12493 Use the LLVM disassembler on ARM64 if we are enabling the FTL
12494 https://bugs.webkit.org/show_bug.cgi?id=129785
12495
12496 Reviewed by Geoffrey Garen.
12497
12498 Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
12499 is strictly more capable at this point. Use it if it's available.
12500
12501 * disassembler/ARM64Disassembler.cpp:
12502 (JSC::tryToDisassemble):
12503
125042014-03-05 Joseph Pecoraro <pecoraro@apple.com>
12505
12506 Web Inspector: Reduce RWI message frequency
12507 https://bugs.webkit.org/show_bug.cgi?id=129767
12508
12509 Reviewed by Timothy Hatcher.
12510
12511 This used to be 0.2s and changed by accident to 0.02s.
12512
12513 * inspector/remote/RemoteInspector.mm:
12514 (Inspector::RemoteInspector::pushListingSoon):
12515
125162014-03-05 Commit Queue <commit-queue@webkit.org>
12517
12518 Unreviewed, rolling out r165141, r165157, and r165158.
12519 http://trac.webkit.org/changeset/165141
12520 http://trac.webkit.org/changeset/165157
12521 http://trac.webkit.org/changeset/165158
12522 https://bugs.webkit.org/show_bug.cgi?id=129772
12523
12524 "broke ftl" (Requested by olliej_ on #webkit).
12525
12526 * JavaScriptCore.xcodeproj/project.pbxproj:
12527 * bytecode/PolymorphicPutByIdList.cpp:
12528 (JSC::PutByIdAccess::visitWeak):
12529 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12530 (JSC::PolymorphicPutByIdList::from):
12531 * bytecode/PolymorphicPutByIdList.h:
12532 (JSC::PutByIdAccess::transition):
12533 (JSC::PutByIdAccess::replace):
12534 (JSC::PutByIdAccess::oldStructure):
12535 (JSC::PutByIdAccess::chain):
12536 (JSC::PutByIdAccess::stubRoutine):
12537 * bytecode/PutByIdStatus.cpp:
12538 (JSC::PutByIdStatus::computeForStubInfo):
12539 (JSC::PutByIdStatus::computeFor):
12540 (JSC::PutByIdStatus::dump):
12541 * bytecode/PutByIdStatus.h:
12542 (JSC::PutByIdStatus::PutByIdStatus):
12543 (JSC::PutByIdStatus::takesSlowPath):
12544 * bytecode/StructureStubInfo.h:
12545 * dfg/DFGAbstractInterpreterInlines.h:
12546 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12547 * dfg/DFGByteCodeParser.cpp:
12548 (JSC::DFG::ByteCodeParser::emitPutById):
12549 (JSC::DFG::ByteCodeParser::handlePutById):
12550 * dfg/DFGClobberize.h:
12551 (JSC::DFG::clobberize):
12552 * dfg/DFGCommon.h:
12553 * dfg/DFGConstantFoldingPhase.cpp:
12554 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12555 * dfg/DFGFixupPhase.cpp:
12556 (JSC::DFG::FixupPhase::fixupNode):
12557 * dfg/DFGNode.h:
12558 (JSC::DFG::Node::hasIdentifier):
12559 * dfg/DFGNodeType.h:
12560 * dfg/DFGPredictionPropagationPhase.cpp:
12561 (JSC::DFG::PredictionPropagationPhase::propagate):
12562 * dfg/DFGSafeToExecute.h:
12563 (JSC::DFG::safeToExecute):
12564 * dfg/DFGSpeculativeJIT.cpp:
12565 (JSC::DFG::SpeculativeJIT::compileIn):
12566 * dfg/DFGSpeculativeJIT.h:
12567 * dfg/DFGSpeculativeJIT32_64.cpp:
12568 (JSC::DFG::SpeculativeJIT::cachedGetById):
12569 (JSC::DFG::SpeculativeJIT::cachedPutById):
12570 (JSC::DFG::SpeculativeJIT::compile):
12571 * dfg/DFGSpeculativeJIT64.cpp:
12572 (JSC::DFG::SpeculativeJIT::cachedGetById):
12573 (JSC::DFG::SpeculativeJIT::cachedPutById):
12574 (JSC::DFG::SpeculativeJIT::compile):
12575 * ftl/FTLCompile.cpp:
12576 (JSC::FTL::fixFunctionBasedOnStackMaps):
12577 * jit/CCallHelpers.h:
12578 (JSC::CCallHelpers::setupArgumentsWithExecState):
12579 * jit/JITInlineCacheGenerator.cpp:
12580 (JSC::JITByIdGenerator::JITByIdGenerator):
12581 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12582 * jit/JITInlineCacheGenerator.h:
12583 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12584 * jit/JITOperations.cpp:
12585 * jit/JITOperations.h:
12586 * jit/JITPropertyAccess.cpp:
12587 (JSC::JIT::emit_op_get_by_id):
12588 (JSC::JIT::emit_op_put_by_id):
12589 * jit/JITPropertyAccess32_64.cpp:
12590 (JSC::JIT::emit_op_get_by_id):
12591 (JSC::JIT::emit_op_put_by_id):
12592 * jit/Repatch.cpp:
12593 (JSC::tryCacheGetByID):
12594 (JSC::tryBuildGetByIDList):
12595 (JSC::tryCachePutByID):
12596 (JSC::tryBuildPutByIdList):
12597 * jit/SpillRegistersMode.h: Removed.
12598 * llint/LLIntSlowPaths.cpp:
12599 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12600 * runtime/Lookup.h:
12601 (JSC::putEntry):
12602 * runtime/PutPropertySlot.h:
12603 (JSC::PutPropertySlot::isCacheable):
12604 (JSC::PutPropertySlot::cachedOffset):
12605
126062014-03-05 Joseph Pecoraro <pecoraro@apple.com>
12607
12608 Web Inspector: Prevent possible deadlock in view indication
12609 https://bugs.webkit.org/show_bug.cgi?id=129766
12610
12611 Reviewed by Geoffrey Garen.
12612
12613 * inspector/remote/RemoteInspector.mm:
12614 (Inspector::RemoteInspector::receivedIndicateMessage):
12615
126162014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
12617
12618 JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
12619 https://bugs.webkit.org/show_bug.cgi?id=129754
12620
12621 Reviewed by Geoffrey Garen.
12622
12623 InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
12624
12625 * runtime/JSCell.h:
12626 (JSC::JSCell::inlineTypeFlags):
12627 * runtime/JSObject.h:
12628 (JSC::JSObject::fastGetOwnPropertySlot):
12629 * runtime/JSTypeInfo.h:
12630 (JSC::TypeInfo::TypeInfo):
12631 (JSC::TypeInfo::overridesGetOwnPropertySlot):
12632
126332014-03-05 Joseph Pecoraro <pecoraro@apple.com>
12634
12635 Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
12636 https://bugs.webkit.org/show_bug.cgi?id=129763
12637
12638 Reviewed by Geoffrey Garen.
12639
12640 Clear the list of all breakpoints, including unresolved breakpoints.
12641
12642 * inspector/agents/InspectorDebuggerAgent.cpp:
12643 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
12644
126452014-03-05 Mark Lam <mark.lam@apple.com>
12646
12647 llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
12648 <https://webkit.org/b/129768>
12649
12650 Reviewed by Mark Hahnenberg.
12651
12652 When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
12653 and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
12654 path llint_slow_path_check_has_instance(), and execute a code path that does the
12655 following:
12656 1. Adjusts the byte code PC to the jump target PC.
12657 2. For the purpose of storing the result, get the result registerIndex from the
12658 1st operand using the PC as if the PC is still pointing to op_check_has_instance
12659 bytecode.
12660
12661 The result is that whatever value resides after where the jump target PC is will
12662 be used as a result register value. Depending on what that value is, the result
12663 can be:
12664 1. the code coincidentally works correctly
12665 2. memory corruption
12666 3. crashes
12667
12668 The fix is to only adjust the byte code PC after we have stored the result.
12669
12670 * llint/LLIntSlowPaths.cpp:
12671 (llint_slow_path_check_has_instance):
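
The ordering bug described in this entry, as an added example that is not JavaScriptCore's own code: a toy C++ interpreter slow path with the buggy and the fixed operand/PC ordering side by side. The opcode layout, the register file and every name in it are assumptions made for the illustration; the program it runs is constructed.

```cpp
// Added example, not JavaScriptCore's own code: a toy bytecode slow path showing
// why operands must be decoded before the PC is moved to the jump target.
// The opcode layout, register file and names are illustrative assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Toy layout of check_has_instance: [opcode, dst, value, baseVal, targetOffset]
enum : int32_t { op_check_has_instance = 1, op_jmp = 2, op_end = 3 };

// Constructed program: check_has_instance r2, r0, r1, +5 ; jmp 9999 ; end
// The +5 lands on op_jmp, whose operand (9999) is not a valid register index.
static const int32_t kProgram[] = { op_check_has_instance, 2, 0, 1, 5, op_jmp, 9999, op_end };

struct Frame {
    std::vector<int64_t> registers;
    const int32_t* pc;
};

// In this toy a bad index throws; in a real interpreter the store would land
// outside the frame, which is the corruption the entry above describes.
static int64_t& registerAt(Frame& frame, int32_t index) {
    if (index < 0 || static_cast<size_t>(index) >= frame.registers.size())
        throw std::out_of_range("register index outside the frame");
    return frame.registers[static_cast<size_t>(index)];
}

// Buggy ordering: jump first, then decode "dst" from whatever the new PC points at.
static void slowPathBuggy(Frame& frame, int64_t result) {
    const int32_t target = frame.pc[4];
    frame.pc += target;
    registerAt(frame, frame.pc[1]) = result;  // pc[1] is now the jmp operand, 9999
}

// Fixed ordering: decode from the current instruction, store, then jump.
static void slowPathFixed(Frame& frame, int64_t result) {
    const int32_t dst = frame.pc[1];
    const int32_t target = frame.pc[4];
    registerAt(frame, dst) = result;
    frame.pc += target;
}

static Frame makeFrame() {
    return Frame{ std::vector<int64_t>(4, 0), kProgram };
}

// True when the fixed path stores into r2 and ends up on the jump target.
static bool fixedPathStoresToDestination() {
    Frame frame = makeFrame();
    slowPathFixed(frame, 1);
    return frame.registers[2] == 1 && frame.pc == kProgram + 5;
}

// The register index the buggy path tried to write, or -1 if it did not fault.
static int32_t buggyPathRegisterIndex() {
    Frame frame = makeFrame();
    try {
        slowPathBuggy(frame, 1);
    } catch (const std::out_of_range&) {
        return frame.pc[1];  // the PC had already moved; this is the jmp operand
    }
    return -1;
}

int main() {
    std::printf("fixed stores to r2: %s\n", fixedPathStoresToDestination() ? "yes" : "no");
    std::printf("buggy tried register %d\n", buggyPathRegisterIndex());
    return 0;
}
```

The two slow paths differ only in the order of two statements, but the buggy one turns the word that happens to follow the jump target into a register index, so the outcome depends entirely on what the surrounding bytecode looks like; the toy bounds check stands in for the silent out-of-frame store a real interpreter would perform.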
12672
126732014-03-05 Ryosuke Niwa <rniwa@webkit.org>
12674
12675 Another build fix attempt after r165141.
12676
12677 * ftl/FTLCompile.cpp:
12678 (JSC::FTL::fixFunctionBasedOnStackMaps):
12679
126802014-03-05 Ryosuke Niwa <rniwa@webkit.org>
12681
12682 FTL build fix attempt after r165141.
12683
12684 * ftl/FTLCompile.cpp:
12685 (JSC::FTL::fixFunctionBasedOnStackMaps):
12686
126872014-03-05 Gavin Barraclough <barraclough@apple.com>
12688
12689 https://bugs.webkit.org/show_bug.cgi?id=128625
12690 Add fast mapping from StringImpl to JSString
12691
12692 Unreviewed roll-out.
12693
12694 Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
12695
12696 * runtime/JSString.cpp:
12697 * runtime/JSString.h:
12698 * runtime/VM.cpp:
12699 (JSC::VM::createLeaked):
12700 * runtime/VM.h:
12701
127022014-03-03 Oliver Hunt <oliver@apple.com>
12703
12704 Support caching of custom setters
12705 https://bugs.webkit.org/show_bug.cgi?id=129519
12706
12707 Reviewed by Filip Pizlo.
12708
12709 This patch adds caching of assignment to properties that
12710 are backed by C functions. This provides most of the leg
12711 work required to start supporting setters, and resolves
12712 the remaining regressions from moving DOM properties up
12713 the prototype chain.
12714
12715 * JavaScriptCore.xcodeproj/project.pbxproj:
12716 * bytecode/PolymorphicPutByIdList.cpp:
12717 (JSC::PutByIdAccess::visitWeak):
12718 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12719 (JSC::PolymorphicPutByIdList::from):
12720 * bytecode/PolymorphicPutByIdList.h:
12721 (JSC::PutByIdAccess::transition):
12722 (JSC::PutByIdAccess::replace):
12723 (JSC::PutByIdAccess::customSetter):
12724 (JSC::PutByIdAccess::isCustom):
12725 (JSC::PutByIdAccess::oldStructure):
12726 (JSC::PutByIdAccess::chain):
12727 (JSC::PutByIdAccess::stubRoutine):
12728 * bytecode/PutByIdStatus.cpp:
12729 (JSC::PutByIdStatus::computeForStubInfo):
12730 (JSC::PutByIdStatus::computeFor):
12731 (JSC::PutByIdStatus::dump):
12732 * bytecode/PutByIdStatus.h:
12733 (JSC::PutByIdStatus::PutByIdStatus):
12734 (JSC::PutByIdStatus::takesSlowPath):
12735 (JSC::PutByIdStatus::makesCalls):
12736 * bytecode/StructureStubInfo.h:
12737 * dfg/DFGAbstractInterpreterInlines.h:
12738 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12739 * dfg/DFGByteCodeParser.cpp:
12740 (JSC::DFG::ByteCodeParser::emitPutById):
12741 (JSC::DFG::ByteCodeParser::handlePutById):
12742 * dfg/DFGClobberize.h:
12743 (JSC::DFG::clobberize):
12744 * dfg/DFGCommon.h:
12745 * dfg/DFGConstantFoldingPhase.cpp:
12746 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12747 * dfg/DFGFixupPhase.cpp:
12748 (JSC::DFG::FixupPhase::fixupNode):
12749 * dfg/DFGNode.h:
12750 (JSC::DFG::Node::hasIdentifier):
12751 * dfg/DFGNodeType.h:
12752 * dfg/DFGPredictionPropagationPhase.cpp:
12753 (JSC::DFG::PredictionPropagationPhase::propagate):
12754 * dfg/DFGSafeToExecute.h:
12755 (JSC::DFG::safeToExecute):
12756 * dfg/DFGSpeculativeJIT.cpp:
12757 (JSC::DFG::SpeculativeJIT::compileIn):
12758 * dfg/DFGSpeculativeJIT.h:
12759 * dfg/DFGSpeculativeJIT32_64.cpp:
12760 (JSC::DFG::SpeculativeJIT::cachedGetById):
12761 (JSC::DFG::SpeculativeJIT::cachedPutById):
12762 (JSC::DFG::SpeculativeJIT::compile):
12763 * dfg/DFGSpeculativeJIT64.cpp:
12764 (JSC::DFG::SpeculativeJIT::cachedGetById):
12765 (JSC::DFG::SpeculativeJIT::cachedPutById):
12766 (JSC::DFG::SpeculativeJIT::compile):
12767 * jit/CCallHelpers.h:
12768 (JSC::CCallHelpers::setupArgumentsWithExecState):
12769 * jit/JITInlineCacheGenerator.cpp:
12770 (JSC::JITByIdGenerator::JITByIdGenerator):
12771 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12772 * jit/JITInlineCacheGenerator.h:
12773 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12774 * jit/JITOperations.cpp:
12775 * jit/JITOperations.h:
12776 * jit/JITPropertyAccess.cpp:
12777 (JSC::JIT::emit_op_get_by_id):
12778 (JSC::JIT::emit_op_put_by_id):
12779 * jit/JITPropertyAccess32_64.cpp:
12780 (JSC::JIT::emit_op_get_by_id):
12781 (JSC::JIT::emit_op_put_by_id):
12782 * jit/Repatch.cpp:
12783 (JSC::tryCacheGetByID):
12784 (JSC::tryBuildGetByIDList):
12785 (JSC::emitCustomSetterStub):
12786 (JSC::tryCachePutByID):
12787 (JSC::tryBuildPutByIdList):
12788 * jit/SpillRegistersMode.h: Added.
12789 * llint/LLIntSlowPaths.cpp:
12790 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12791 * runtime/Lookup.h:
12792 (JSC::putEntry):
12793 * runtime/PutPropertySlot.h:
12794 (JSC::PutPropertySlot::setCacheableCustomProperty):
12795 (JSC::PutPropertySlot::customSetter):
12796 (JSC::PutPropertySlot::isCacheablePut):
12797 (JSC::PutPropertySlot::isCacheableCustomProperty):
12798 (JSC::PutPropertySlot::cachedOffset):
12799
128002014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
12801
12802 JSCell::m_gcData should encode its information differently
12803 https://bugs.webkit.org/show_bug.cgi?id=129741
12804
12805 Reviewed by Geoffrey Garen.
12806
12807 We want to keep track of three GC states for an object:
12808
12809 1. Not marked (which implies not in the remembered set)
12810 2. Marked but not in the remembered set
12811 3. Marked and in the remembered set
12812
12813 Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
12814 barrier, we only want to take the slow path if the object being stored to is in state #2.
12815 We'd like to make the test for state #2 as fast as possible, which means making it a
12816 compare against 0.
12817
12818 * dfg/DFGOSRExitCompilerCommon.cpp:
12819 (JSC::DFG::osrWriteBarrier):
12820 * dfg/DFGSpeculativeJIT.cpp:
12821 (JSC::DFG::SpeculativeJIT::checkMarkByte):
12822 (JSC::DFG::SpeculativeJIT::writeBarrier):
12823 * dfg/DFGSpeculativeJIT.h:
12824 * dfg/DFGSpeculativeJIT32_64.cpp:
12825 (JSC::DFG::SpeculativeJIT::writeBarrier):
12826 * dfg/DFGSpeculativeJIT64.cpp:
12827 (JSC::DFG::SpeculativeJIT::writeBarrier):
12828 * ftl/FTLLowerDFGToLLVM.cpp:
12829 (JSC::FTL::LowerDFGToLLVM::allocateCell):
12830 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
12831 * heap/Heap.cpp:
12832 (JSC::Heap::clearRememberedSet):
12833 (JSC::Heap::addToRememberedSet):
12834 * jit/AssemblyHelpers.h:
12835 (JSC::AssemblyHelpers::checkMarkByte):
12836 * jit/JIT.h:
12837 * jit/JITPropertyAccess.cpp:
12838 (JSC::JIT::checkMarkByte):
12839 (JSC::JIT::emitWriteBarrier):
12840 * jit/Repatch.cpp:
12841 (JSC::writeBarrier):
12842 * llint/LowLevelInterpreter.asm:
12843 * llint/LowLevelInterpreter32_64.asm:
12844 * llint/LowLevelInterpreter64.asm:
12845 * runtime/JSCell.h:
12846 (JSC::JSCell::mark):
12847 (JSC::JSCell::remember):
12848 (JSC::JSCell::forget):
12849 (JSC::JSCell::isMarked):
12850 (JSC::JSCell::isRemembered):
12851 * runtime/JSCellInlines.h:
12852 (JSC::JSCell::JSCell):
12853 * runtime/StructureIDBlob.h:
12854 (JSC::StructureIDBlob::StructureIDBlob):
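
The three-state encoding and the barrier test it enables, as an added example that is not JavaScriptCore's own code: a small C++ model of cells, a remembered set and a write barrier whose fast path is a single compare against zero. The concrete byte values, the class names and the shape of the remembered set are assumptions made for the illustration.

```cpp
// Added example, not JavaScriptCore's own code: models the three GC states above
// and a write barrier whose fast-path test is a compare against zero. The byte
// values, class names and remembered-set shape are illustrative assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum GCData : uint8_t {
    Marked = 0,               // state 2: marked, not remembered; the only state needing the slow path
    NotMarked = 1,            // state 1: not marked, which implies not remembered
    MarkedAndRemembered = 2,  // state 3
};

struct Cell {
    GCData gcData = NotMarked;
    std::vector<Cell*> fields;
    bool isMarked() const { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    size_t slowPathCalls = 0;

    // A full collection marks a survivor; it starts out not remembered.
    void mark(Cell* cell) { cell->gcData = Marked; }

    // Slow path: record the owner so the next young collection rescans it.
    void addToRememberedSet(Cell* owner) {
        ++slowPathCalls;
        owner->gcData = MarkedAndRemembered;
        rememberedSet.push_back(owner);
    }

    // Fast path: one byte load and a compare against zero. NotMarked (1) and
    // MarkedAndRemembered (2) both skip the slow path.
    void writeBarrier(Cell* owner) {
        if (owner->gcData == 0)
            addToRememberedSet(owner);
    }

    void store(Cell* owner, Cell* value) {
        writeBarrier(owner);
        owner->fields.push_back(value);
    }

    // Once the remembered cells have been rescanned they go back to plain Marked.
    void clearRememberedSet() {
        for (Cell* cell : rememberedSet)
            cell->gcData = Marked;
        rememberedSet.clear();
    }
};

// Drives the barrier through all three states; returns the number of slow-path calls.
static size_t barrierSlowPathCount() {
    Heap heap;
    Cell oldA, oldB, young;
    heap.mark(&oldA);
    heap.mark(&oldB);
    heap.store(&oldA, &young);    // Marked (0): slow path, oldA becomes remembered
    heap.store(&oldA, &young);    // already remembered: fast path
    heap.store(&young, &oldB);    // not marked: fast path
    heap.clearRememberedSet();    // oldA back to Marked (0)
    heap.store(&oldA, &young);    // slow path again
    return heap.slowPathCalls;    // 2
}

int main() {
    std::printf("slow path taken %zu times\n", barrierSlowPathCount());
    return 0;
}
```

Because NotMarked and MarkedAndRemembered are both non-zero, the barrier never needs to distinguish them; the only question a store has to answer is "is this owner in state #2", and that is the zero test.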
12855
128562014-03-05 Filip Pizlo <fpizlo@apple.com>
12857
12858 More FTL ARM fixes
12859 https://bugs.webkit.org/show_bug.cgi?id=129755
12860
12861 Reviewed by Geoffrey Garen.
12862
12863 - Be more defensive about inline caches that have degenerate chains.
12864
12865 - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
12866 platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
12867
12868 - Don't even emit intrinsic declarations on non-x86 platforms.
12869
12870 - More debug printing support.
12871
12872 - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
12873 but somehow it gets lucky on x86.
12874
12875 * bytecode/GetByIdStatus.cpp:
12876 (JSC::GetByIdStatus::appendVariant):
12877 (JSC::GetByIdStatus::computeForChain):
12878 (JSC::GetByIdStatus::computeForStubInfo):
12879 * bytecode/GetByIdStatus.h:
12880 * bytecode/PutByIdStatus.cpp:
12881 (JSC::PutByIdStatus::appendVariant):
12882 (JSC::PutByIdStatus::computeForStubInfo):
12883 * bytecode/PutByIdStatus.h:
12884 * bytecode/StructureSet.h:
12885 (JSC::StructureSet::overlaps):
12886 * ftl/FTLCompile.cpp:
12887 (JSC::FTL::mmAllocateDataSection):
12888 * ftl/FTLDataSection.cpp:
12889 (JSC::FTL::DataSection::DataSection):
12890 (JSC::FTL::DataSection::~DataSection):
12891 * ftl/FTLDataSection.h:
12892 * ftl/FTLLowerDFGToLLVM.cpp:
12893 (JSC::FTL::LowerDFGToLLVM::lower):
12894 * ftl/FTLOutput.h:
12895 (JSC::FTL::Output::doubleSin):
12896 (JSC::FTL::Output::doubleCos):
12897 * runtime/JSCJSValue.cpp:
12898 (JSC::JSValue::dumpInContext):
12899 * runtime/JSCell.h:
12900 (JSC::JSCell::structureID):
12901
129022014-03-05 peavo@outlook.com <peavo@outlook.com>
12903
12904 [Win32][LLINT] Crash when running JSC stress tests.
12905 https://bugs.webkit.org/show_bug.cgi?id=129429
12906
12907 On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
12908 where the guard page is a barrier between committed and uncommitted memory.
12909 When data from the guard page is read or written, the guard page is moved, and memory is committed.
12910 This is how the system grows the stack.
12911 When using the C stack on Windows we need to precommit the needed stack space.
12912 Otherwise we might crash later if we access uncommitted stack memory.
12913 This can happen if we allocate stack space larger than the page guard size (4K).
12914 The system does not get the chance to move the guard page, and commit more memory,
12915 and we crash if uncommitted memory is accessed.
12916 The MSVC compiler fixes this by inserting a call to the _chkstk() function,
12917 when needed, see http://support.microsoft.com/kb/100775.
12918
12919 Reviewed by Geoffrey Garen.
12920
12921 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
12922 * jit/Repatch.cpp:
12923 (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
12924 * offlineasm/x86.rb: Compile fix, and small simplification.
12925 * runtime/VM.cpp:
12926 (JSC::preCommitStackMemory): Added function to precommit stack memory.
12927 (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
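
The precommit idea from this entry, as an added example that is not JavaScriptCore's own code: a C++ routine that probes a stack region one page at a time, from the current position down to the limit, so that a guard-page stack is grown page by page and never skipped over. The page size, the function names and the heap buffer that stands in for the stack (so the example runs on any platform) are assumptions made for the illustration.

```cpp
// Added example, not JavaScriptCore's own code: probes a stack region one page
// at a time so a guard-page stack is grown page by page instead of being skipped.
// The page size, names and the heap buffer standing in for the stack are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr size_t kPageSize = 4096;  // assumed guard-page size, as in the entry above

// Touch one byte every kPageSize bytes from just below `top` down to `limit`, then
// `limit` itself. Consecutive probes are exactly one page apart, so no page between
// them can be skipped, which is what moving a guard page requires. Volatile stores
// keep the compiler from dropping the otherwise dead writes. Returns the probe count.
static size_t preCommitStackMemory(char* limit, char* top) {
    if (top <= limit)
        return 0;
    size_t probes = 0;
    char* p = top - 1;
    for (;;) {
        *reinterpret_cast<volatile char*>(p) = 0;
        ++probes;
        if (static_cast<size_t>(p - limit) < kPageSize)
            break;  // the next stride would step below the limit
        p -= kPageSize;
    }
    *reinterpret_cast<volatile char*>(limit) = 0;  // make sure the lowest page is touched too
    return probes + 1;
}

// Runs the probe over a constructed buffer and returns the largest distance, in
// bytes, between neighbouring touched bytes (counting the top edge and the limit).
// A result <= kPageSize means no page could have been jumped over.
static size_t largestProbeGap(size_t regionSize) {
    std::vector<char> region(regionSize, 0x55);
    char* limit = region.data();
    char* top = limit + regionSize;
    preCommitStackMemory(limit, top);

    size_t gap = 0;
    size_t lastTouched = regionSize;  // start from the top edge
    for (size_t i = regionSize; i-- > 0;) {
        if (region[i] == 0) {
            if (lastTouched - i > gap)
                gap = lastTouched - i;
            lastTouched = i;
        }
    }
    if (lastTouched > gap)
        gap = lastTouched;  // distance from the lowest probe down to the limit
    return gap;
}

int main() {
    std::printf("largest gap over 3 pages + 100 bytes: %zu\n", largestProbeGap(3 * kPageSize + 100));
    return 0;
}
```

On a system without guard-page stack growth the writes are harmless; the property the test checks, that no two probes are more than one page apart, is the same one the compiler-inserted _chkstk call mentioned above relies on when a single frame is larger than a page.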
12928
129292014-03-05 Michael Saboff <msaboff@apple.com>
12930
12931 JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
12932 https://bugs.webkit.org/show_bug.cgi?id=129746
12933
12934 Reviewed by Filip Pizlo.
12935
12936 Changed to use a union to manually assemble or disassemble the various types
12937 from / to the corresponding bytes. All memory access is now done using
12938 byte accesses.
12939
12940 * runtime/JSDataViewPrototype.cpp:
12941 (JSC::getData):
12942 (JSC::setData):
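
The byte-wise approach from this entry, as an added example that is not JavaScriptCore's own code: C++ getData/setData templates that assemble and disassemble a value through a union and only ever touch the backing buffer one byte at a time, so no access needs alignment. The function names, the std::vector backing store and the sample buffers are assumptions made for the illustration.

```cpp
// Added example, not JavaScriptCore's own code: byte-wise get/set of multi-byte
// values at arbitrary offsets, so no load or store ever requires alignment.
// Names and the std::vector backing store are illustrative assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <type_traits>
#include <vector>

// True if the host keeps the least significant byte at the lowest address.
static bool hostIsLittleEndian() {
    const uint16_t probe = 0x0102;
    uint8_t lowestAddressByte;
    std::memcpy(&lowestAddressByte, &probe, 1);
    return lowestAddressByte == 0x02;
}

// Reject any access that would run past the end of the buffer; the comparison is
// arranged so that offset + width cannot overflow.
static void checkRange(size_t bufferSize, size_t byteOffset, size_t width) {
    if (byteOffset > bufferSize || width > bufferSize - byteOffset)
        throw std::out_of_range("DataView access outside the buffer");
}

// Assemble a T from single bytes via a union; the buffer is read one byte at a time.
template <typename T>
static T getData(const std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian) {
    static_assert(std::is_trivially_copyable<T>::value, "T must be a plain value type");
    checkRange(buffer.size(), byteOffset, sizeof(T));
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    const bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[reverse ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    return u.value;
}

// Disassemble a T into bytes and store them one at a time.
template <typename T>
static void setData(std::vector<uint8_t>& buffer, size_t byteOffset, T value, bool littleEndian) {
    static_assert(std::is_trivially_copyable<T>::value, "T must be a plain value type");
    checkRange(buffer.size(), byteOffset, sizeof(T));
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    u.value = value;
    const bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = u.bytes[reverse ? sizeof(T) - 1 - i : i];
}

// Round-trips a double through an odd (unaligned) offset and returns what came back.
static double roundTripDoubleAtOddOffset(double value, bool littleEndian) {
    std::vector<uint8_t> buffer(16, 0);  // constructed sample buffer
    setData<double>(buffer, 3, value, littleEndian);
    return getData<double>(buffer, 3, littleEndian);
}

// True if an 8-byte read that would overrun a 7-byte buffer is rejected.
static bool overrunIsRejected() {
    std::vector<uint8_t> buffer(7, 0);  // constructed sample buffer
    try {
        getData<uint64_t>(buffer, 0, true);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main() {
    std::printf("round trip at offset 3: %g\n", roundTripDoubleAtOddOffset(1.5, true));
    std::printf("overrun rejected: %s\n", overrunIsRejected() ? "yes" : "no");
    return 0;
}
```

The endianness flag is honoured by reversing the byte order only when the requested order differs from the host's, and the range check is kept separate so that the alignment fix cannot quietly reintroduce an out-of-bounds read at the end of the buffer.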
12943
129442014-03-05 Filip Pizlo <fpizlo@apple.com>
12945
12946 FTL loadStructure always generates invalid IR
12947 https://bugs.webkit.org/show_bug.cgi?id=129747
12948
12949 Reviewed by Mark Hahnenberg.
12950
12951 As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
12952 of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
12953 to have a pointer to a type, and you can only load things of that type from that
12954 pointer. Pointer arithmetic is basically not possible except through the bizarre
12955 getelementptr operator. This doesn't fit with how the JS object model works since
12956 the JS object model doesn't consist of nice and tidy C types placed in C arrays.
12957 Also, it would be impossible to use getelementptr and LLVM pointers for accessing
12958 any of JSC's C or C++ objects unless we went through the exercise of redeclaring
12959 all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
12960 this for us, but that would require that to use the FTL, JSC itself would have to
12961 be compiled with clang. Worse, it would have to be compiled with a clang that uses
12962 a version of LLVM that is compatible with the one against which the FTL is linked.
12963 Yuck!
12964
12965 The solution is to NEVER use LLVM pointers. This has always been the case in the
12966 FTL. But it causes some confusion.
12967
12968 Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
12969 pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
12970 "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
12971 pointer that has the type that we want. The load and store operations over pointers
12972 are called Output::load* and Output::store*, where * is one of "8", "16", "32",
12973 "64", "Ptr", "Float", or "Double".
12974
12975 There is unavoidable confusion here. It would be bizarre for the FTL to call its
12976 "pointer-wide integers" anything other than "pointers", since they are, in all
12977 respects that we care about, simply pointers. But they are *not* LLVM pointers and
12978 they never will be that.
12979
12980 There is one exception to this "no pointers" rule. The FTL does use actual LLVM
12981 pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
12982 confusion, we call these "references". So an "FTL reference" is actually an "LLVM
12983 pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
12984 methods for access called Output::get and Output::set. These lower to LLVM load
12985 and store, since FTL references are just LLVM pointers.
12986
12987 This confusion appears to have led to incorrect code in loadStructure().
12988 loadStructure() was using get() and set() to access FTL pointers. But those methods
12989 don't work on FTL pointers and never will, since they are for FTL references.
12990
12991 The worst part of this is that it was previously impossible to have test coverage
12992 for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
12993 patch fixes this by introducing a Masquerader object to jsc.cpp.
12994
12995 * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
12996 * ftl/FTLLowerDFGToLLVM.cpp:
12997 (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
12998 * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
12999 * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
13000 (WTF::Masquerader::Masquerader):
13001 (WTF::Masquerader::create):
13002 (WTF::Masquerader::createStructure):
13003 (GlobalObject::finishCreation):
13004 (functionMakeMasquerader):
13005 * tests/stress/equals-masquerader.js: Added.
13006 (foo):
13007 (test):
13008
130092014-03-05 Anders Carlsson <andersca@apple.com>
13010
13011 Tweak after r165109 to avoid extra copies
13012 https://bugs.webkit.org/show_bug.cgi?id=129745
13013
13014 Reviewed by Geoffrey Garen.
13015
13016 * heap/Heap.cpp:
13017 (JSC::Heap::visitProtectedObjects):
13018 (JSC::Heap::visitTempSortVectors):
13019 (JSC::Heap::clearRememberedSet):
13020 * heap/Heap.h:
13021 (JSC::Heap::forEachProtectedCell):
13022
130232014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13024
13025 DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
13026 https://bugs.webkit.org/show_bug.cgi?id=129717
13027
13028 Reviewed by Filip Pizlo.
13029
13030 * dfg/DFGStoreBarrierElisionPhase.cpp:
13031 (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
13032 (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
13033
130342014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13035
13036 Use range-based loops where possible in Heap methods
13037 https://bugs.webkit.org/show_bug.cgi?id=129513
13038
13039 Reviewed by Mark Lam.
13040
13041 Replace old school iterator based loops with the new range-based loop hotness
13042 for a better tomorrow.
13043
13044 * heap/CodeBlockSet.cpp:
13045 (JSC::CodeBlockSet::~CodeBlockSet):
13046 (JSC::CodeBlockSet::clearMarks):
13047 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
13048 (JSC::CodeBlockSet::traceMarked):
13049 * heap/Heap.cpp:
13050 (JSC::Heap::visitProtectedObjects):
13051 (JSC::Heap::visitTempSortVectors):
13052 (JSC::Heap::clearRememberedSet):
13053 * heap/Heap.h:
13054 (JSC::Heap::forEachProtectedCell):
13055
130562014-03-04 Filip Pizlo <fpizlo@apple.com>
13057
13058 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13059 https://bugs.webkit.org/show_bug.cgi?id=129563
13060
13061 Reviewed by Geoffrey Garen.
13062
13063 Rolling this back in after fixing an assertion failure. speculateMisc() should have
13064 said DFG_TYPE_CHECK instead of typeCheck.
13065
13066 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13067 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13068 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13069 comparing undefined, null, and booleans to each other.
13070
13071 This also adds support for miscellaneous things that I needed to make my various test
13072 cases work. This includes comparison over booleans and the various Throw-related node
13073 types.
13074
13075 This also improves constant folding of CompareStrictEq and CompareEq.
13076
13077 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13078 based on profiling, which caused some downstream badness. We don't actually support
13079 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13080 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13081 shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165085.
        http://trac.webkit.org/changeset/165085
        https://bugs.webkit.org/show_bug.cgi?id=129729

        Broke imported/w3c/html-templates/template-element/template-
        content.html (Requested by ap on #webkit).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        * tests/stress/float32-array-out-of-bounds.js: Removed.
        * tests/stress/weird-equality-folding-cases.js: Removed.

2014-03-04  Brian Burg  <bburg@apple.com>

        Inspector does not restore breakpoints after a page reload
        https://bugs.webkit.org/show_bug.cgi?id=129655

        Reviewed by Joseph Pecoraro.

        Fix a regression introduced by r162096 that erroneously removed
        the inspector backend's mapping of files to breakpoints whenever the
        global object was cleared.

        The inspector's breakpoint mappings should only be cleared when the
        debugger agent is disabled or destroyed. We should only clear the
        debugger's breakpoint state when the global object is cleared.

        To make it clearer what state is being cleared, the two cases have
        been split into separate methods.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-03-04  Andreas Kling  <akling@apple.com>

        Streamline JSValue::get().
        <https://webkit.org/b/129720>

        Fetch each Structure and VM only once when walking the prototype chain
        in JSObject::getPropertySlot(), then pass it along to the functions
        we call from there, so they don't have to re-fetch it.

        Reviewed by Geoff Garen.

        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

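The following is an added C++ example, not JavaScriptCore code, modelling the OutOfBounds mis-tagging that the entry above describes (the same text also appears in the duplicate of this entry at the top of this section, so this one example serves both). It shows why a speculation flag that contradicts the backend's assumptions loses the bounds check, and the kind of cross-stage invariant test that catches it. Speculation, Profile, refineBuggy, refineFixed, lowerAccess, backendEmit, pipelineAlwaysChecks and execute are names chosen for this model; JSC's real refinement is ArrayMode::refine in dfg/DFGArrayMode.cpp, which this code does not reproduce.

```cpp
#include <cstddef>
#include <initializer_list>
#include <vector>

// Access mode a GetByVal on a typed array can be tagged with.
enum class Speculation { InBounds, OutOfBounds };

// Constructed profiling input: whether the baseline profiler ever saw an
// out-of-bounds index at this access site.
struct Profile { bool sawOutOfBounds; };

// Buggy refinement (the behaviour the entry describes): trusts profiling and
// tags the typed-array access OutOfBounds, although nothing downstream knows
// how to compile an unchecked OutOfBounds typed-array load.
Speculation refineBuggy(const Profile& p) {
    return p.sawOutOfBounds ? Speculation::OutOfBounds : Speculation::InBounds;
}

// Fixed refinement: a typed-array access is always bounds-checked, so it is
// never tagged OutOfBounds regardless of what profiling saw.
Speculation refineFixed(const Profile&) { return Speculation::InBounds; }

// What the two stages hand each other: a load plus whether a check guards it.
struct LoweredAccess { bool boundsCheckEmitted; };

// Stage 1 (stands in for the SSA lowering): hoists the bounds check only for
// InBounds accesses and leaves OutOfBounds ones for the backend.
LoweredAccess lowerAccess(Speculation mode) {
    return { mode == Speculation::InBounds };
}

// Stage 2 (stands in for the backend): ignores the mode and assumes the check
// already exists, so it adds nothing.
LoweredAccess backendEmit(LoweredAccess in, Speculation /* mode, ignored */) {
    return in;
}

// Compile one access end to end and report whether a bounds check survived.
bool compiledWithBoundsCheck(Speculation (*refine)(const Profile&), const Profile& p) {
    Speculation mode = refine(p);
    return backendEmit(lowerAccess(mode), mode).boundsCheckEmitted;
}

// Invariant a compiler test would enforce: for every profiling outcome the
// pipeline must still emit a bounds check for a typed-array access.
bool pipelineAlwaysChecks(Speculation (*refine)(const Profile&)) {
    for (bool saw : { false, true })
        if (!compiledWithBoundsCheck(refine, Profile{ saw })) return false;
    return true;
}

// Result of running the compiled load on a constructed float32 array: with a
// check, an out-of-range index yields undefined (defined == false); without
// one, the model reports an unchecked read instead of touching memory past
// the buffer, which is what real JIT output would do.
struct ExecResult { bool unchecked; bool defined; float value; };
ExecResult execute(const std::vector<float>& arr, std::size_t index, bool hasBoundsCheck) {
    if (index < arr.size()) return { false, true, arr[index] };
    if (hasBoundsCheck) return { false, false, 0.0f };
    return { true, false, 0.0f }; // real code would read arr.data()[index] here
}
```

With the buggy refinement and a profile that saw an out-of-bounds index, neither stage emits the check; the fixed refinement keeps the flag honest so stage 1 always emits it. The pipelineAlwaysChecks() test is the check worth keeping in a compiler's test suite: it enumerates profile inputs rather than trusting any one of them.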
2014-03-04  Andreas Kling  <akling@apple.com>

        Spam static branch prediction hints on JS bindings.
        <https://webkit.org/b/129703>

        Add LIKELY hint to jsDynamicCast since it's always used in a context
        where we expect it to succeed and takes an error path when it doesn't.

        Reviewed by Geoff Garen.

        * runtime/JSCell.h:
        (JSC::jsDynamicCast):

2014-03-04  Andreas Kling  <akling@apple.com>

        Get to Structures more efficiently in JSCell::methodTable().
        <https://webkit.org/b/129702>

        In JSCell::methodTable(), get the VM once and pass that along to
        structure(VM&) instead of using the heavier structure().

        In JSCell::methodTable(VM&), replace calls to structure() with
        calls to structure(VM&).

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):

2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
        https://bugs.webkit.org/show_bug.cgi?id=129697

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge API shims and JSLock
        https://bugs.webkit.org/show_bug.cgi?id=129650

        Reviewed by Mark Lam.

        JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
        to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APIShims.h: Removed.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGlobalObject):
        (JSContextGetGlobalContext):
        (JSGlobalContextCopyName):
        (JSGlobalContextSetName):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameArrayRelease):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSValue.mm:
        (isDate):
        (isArray):
        (containerValueToObject):
        (valueToArray):
        (valueToDictionary):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsUndefined):
        (JSValueIsNull):
        (JSValueIsBoolean):
        (JSValueIsNumber):
        (JSValueIsString):
        (JSValueIsObject):
        (JSValueIsObjectOfClass):
        (JSValueIsEqual):
        (JSValueIsStrictEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueMakeUndefined):
        (JSValueMakeNull):
        (JSValueMakeBoolean):
        (JSValueMakeNumber):
        (JSValueMakeString):
        (JSValueMakeFromJSONString):
        (JSValueCreateJSONString):
        (JSValueToBoolean):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        (JSValueProtect):
        (JSValueUnprotect):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (objCCallbackFunctionForInvocation):
        * CMakeLists.txt:
        * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        (JSC::HeapTimer::timerEvent):
        * heap/IncrementalSweeper.cpp:
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * jsc.cpp:
        (jscmain):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * testRegExp.cpp:
        (realMain):

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164812.
        http://trac.webkit.org/changeset/164812
        https://bugs.webkit.org/show_bug.cgi?id=129699

        it made things run slower (Requested by pizlo on #webkit).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        GetMyArgumentByVal in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Oliver Hunt.

        This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
        They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
        caused it to think that the arity check had failed if the caller had passed more
        arguments than needed. This would cause the call frame copying to sort of go into
        reverse (because the amount-by-which-we-failed-arity would have opposite sign,
        throwing off a bunch of math) and the stack would end up being corrupted.

        The bug was revealed by two existing tests although as far as I could tell, neither
        test was intending to cover this case directly. So, I added a new test.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLState.h:
        * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val.js: Added.

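Added C++ example, not JSC's own code, of the arity-check sign error described in the entry above (the real check is in compileStub in ftl/FTLOSRExitCompiler.cpp, which this does not reproduce). It contrasts the buggy equality predicate with the corrected less-than predicate and shows how the extra-arguments case produces a negative fix-up count, the quantity the entry says sent the frame copy into reverse. CallerFrame, ArityPolicy, arityFixupSlots, buildCalleeArguments, exitSucceeds and the kUndefined sentinel are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed sentinel standing in for the JS value undefined.
constexpr int64_t kUndefined = INT64_MIN;

// Constructed model of the caller's frame: just the arguments it passed.
struct CallerFrame { std::vector<int64_t> arguments; };

enum class ArityPolicy { Buggy, Fixed };

// Buggy predicate from the entry: "argumentCount == numParameters" is the only
// passing case, so extra arguments look like an arity failure.
// Fixed predicate: only too few arguments require fix-up.
bool arityCheckFailed(ArityPolicy policy, std::size_t argumentCount, std::size_t numParameters) {
    if (policy == ArityPolicy::Buggy)
        return argumentCount != numParameters;
    return argumentCount < numParameters;
}

// How many slots the fix-up must add. Negative means the caller passed more
// than needed; frame-copying arithmetic driven by that number runs backwards.
long arityFixupSlots(std::size_t argumentCount, std::size_t numParameters) {
    return static_cast<long>(numParameters) - static_cast<long>(argumentCount);
}

// Rebuild the callee's argument area on OSR exit. Extra arguments are kept
// (function.arguments must still see them); missing ones become undefined.
// A negative slot count is the corruption path the entry describes, so this
// model refuses instead of copying in reverse.
std::vector<int64_t> buildCalleeArguments(ArityPolicy policy, const CallerFrame& caller, std::size_t numParameters) {
    const std::size_t argc = caller.arguments.size();
    if (!arityCheckFailed(policy, argc, numParameters))
        return caller.arguments;
    const long slots = arityFixupSlots(argc, numParameters);
    if (slots < 0)
        throw std::logic_error("negative arity fix-up: frame copy would corrupt the stack");
    std::vector<int64_t> out = caller.arguments;
    out.resize(numParameters, kUndefined);
    return out;
}

// True if the policy rebuilds a frame with argc arguments for a callee of
// numParameters parameters without reaching the negative-slot path.
bool exitSucceeds(ArityPolicy policy, std::size_t argc, std::size_t numParameters) {
    CallerFrame frame;
    for (std::size_t i = 0; i < argc; ++i)
        frame.arguments.push_back(static_cast<int64_t>(i + 1));
    try {
        buildCalleeArguments(policy, frame, numParameters);
        return true;
    } catch (const std::logic_error&) {
        return false;
    }
}
```

Under the buggy policy a caller passing three arguments to a two-parameter function trips the negative fix-up; under the fixed policy the same call needs no fix-up at all and the three arguments survive, which is exactly what the new extra-args stress test exercises. The too-few-arguments case behaves the same under both policies, which is why existing tests did not catch the bug directly.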
2014-03-04  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Build the Udis86 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=129679

        Reviewed by Michael Saboff.

        * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
        * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.

2014-03-04  Andreas Kling  <akling@apple.com>

        Fix too-narrow assertion I added in r165054.

        It's okay for a 1-character string to come in here. This will happen
        if the VM small string optimization doesn't apply (ch > 0xFF).

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Andreas Kling  <akling@apple.com>

        Micro-optimize Strings in JS bindings.
        <https://webkit.org/b/129673>

        Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
        This avoids branches in length() and operator[].

        Also call JSString::create() directly instead of jsString() and just
        assert that the string length is >1. This way we don't duplicate the
        optimizations for empty and single-character strings.

        Reviewed by Ryosuke Niwa.

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Implement Number.prototype.clz()
        https://bugs.webkit.org/show_bug.cgi?id=129479

        Reviewed by Oliver Hunt.

        Implemented Number.prototype.clz() as specified in the ES6 standard.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncClz):

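Added stand-alone C++ implementation, not JSC's numberProtoFuncClz, of the semantics the entry above names: the ES6 draft Number.prototype.clz() applies ToUint32 to the receiver and counts the leading zero bits of the 32-bit result, returning 32 for zero (the final ES2015 specification ships the same operation as Math.clz32). It goes further than the entry by carrying through the ToUint32 edge cases: negative values, NaN and infinities, fractions, and values at or above 2^32. toUint32, countLeadingZeros32 and numberClz are names chosen here.

```cpp
#include <cmath>
#include <cstdint>

// ECMAScript ToUint32: NaN and infinities map to 0; otherwise truncate toward
// zero and reduce modulo 2^32 into [0, 2^32). Done in double arithmetic so
// that values outside the int64 range are handled exactly as the spec says.
uint32_t toUint32(double x) {
    if (std::isnan(x) || std::isinf(x))
        return 0;
    double t = std::trunc(x);
    double m = std::fmod(t, 4294967296.0); // keeps the sign of t, |m| < 2^32
    if (m < 0)
        m += 4294967296.0;
    return static_cast<uint32_t>(m);
}

// Portable leading-zero count with the zero input handled explicitly,
// since compiler builtins leave clz(0) undefined.
int countLeadingZeros32(uint32_t v) {
    if (v == 0)
        return 32;
    int n = 0;
    while ((v & 0x80000000u) == 0) {
        v <<= 1;
        ++n;
    }
    return n;
}

// Number.prototype.clz(): ToUint32 first, then count leading zeros.
int numberClz(double x) {
    return countLeadingZeros32(toUint32(x));
}
```

The conversion step is where implementations usually go wrong: -1 becomes 0xFFFFFFFF (clz 0), 2^32 + 1 wraps to 1 (clz 31), and anything non-finite or fractional below 1 collapses to 0 (clz 32).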
2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
        https://bugs.webkit.org/show_bug.cgi?id=129631

        Reviewed by Timothy Hatcher.

        Avoid deref() too early if a client calls close(). The xpc_connection_close
        will cause another XPC_ERROR event to come in from the queue, deref then.
        Likewise, protect multithreaded access to m_client. If a client calls
        close() we want to immediately clear the pointer to prevent calls to it.

        Overall the multi-threading aspects of RemoteInspectorXPCConnection are
        growing too complicated for probably little benefit. We may want to
        clean this up later.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionFailed):
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):

2014-03-03  Michael Saboff  <msaboff@apple.com>

        AbstractMacroAssembler::CachedTempRegister should start out invalid
        https://bugs.webkit.org/show_bug.cgi?id=129657

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        - Invalidate all cached registers in constructor as we don't know the
          contents of any register at the entry to the code we are going to
          generate.

2014-03-03  Andreas Kling  <akling@apple.com>

        StructureOrOffset should be fastmalloced.
        <https://webkit.org/b/129640>

        Reviewed by Geoffrey Garen.

        * runtime/StructureIDTable.h:

2014-03-03  Michael Saboff  <msaboff@apple.com>

        Crash in JIT code while watching a video @ storyboard.tumblr.com
        https://bugs.webkit.org/show_bug.cgi?id=129635

        Reviewed by Filip Pizlo.

        Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
        constructor.

        * jit/TempRegisterSet.cpp:
        (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
        (JSC::TempRegisterSet::clearAll): New private helper.

2014-03-03  Benjamin Poulain  <benjamin@webkit.org>

        [x86] Improve code generation of byte test
        https://bugs.webkit.org/show_bug.cgi?id=129597

        Reviewed by Geoffrey Garen.

        When possible, test the 8 bit register to itself instead of comparing it
        to a literal.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        Web Inspector: debugger statements do not break.
        <https://webkit.org/b/129524>

        Reviewed by Geoff Garen.

        Since we no longer call op_debug hooks unless there is a debugger request
        made on the CodeBlock, the op_debug for the debugger statement never gets
        serviced.

        With this fix, we check in the CodeBlock constructor if any debugger
        statements are present. If so, we set a m_hasDebuggerStatement flag that
        causes the CodeBlock to show as having debugger requests. Hence,
        breaking at debugger statements is now restored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::clearDebuggerRequests):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
        <https://webkit.org/b/129393>

        Reviewed by Geoffrey Garen.

        The issue manifests because the debugger will iterate all CodeBlocks in
        the heap when setting / clearing breakpoints, but it is possible for a
        CodeBlock to have been instantiated but is not yet registered with the
        debugger. This can happen because of the following:

        1. DFG worklist compilation is still in progress, and the target
           codeBlock is not ready for installation in its executable yet.

        2. DFG compilation failed and we have a codeBlock that will never be
           installed in its executable, and the codeBlock has not been cleaned
           up by the GC yet.

        The code for installing the codeBlock in its executable is the same code
        that registers it with the debugger. Hence, these codeBlocks are not
        registered with the debugger, and any pending breakpoints that would map
        to that CodeBlock are as yet unset or will never be set. As such, an
        attempt to remove a breakpoint in that CodeBlock will fail that assertion.

        To fix this, we do the following:

        1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
           compilation. This is achieved by providing a
           DeferredCompilationCallback::compilationDidComplete() that does this
           clean up, and have all sub classes call it at the end of their
           compilationDidComplete() methods.

        2. Before the debugger or profiler iterates CodeBlocks in the heap, they
           will wait for all compilations to complete before proceeding. This
           ensures that:
           1. any zombie CodeBlocks would have been cleaned up, and won't be
              seen by the debugger or profiler.
           2. all CodeBlocks that the debugger and profiler needs to operate on
              will be "ready" for whatever needs to be done to them e.g.
              jettison'ing of DFG codeBlocks.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h:
        - Provide default implementation method to clean up zombie CodeBlocks.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        - Utility function to iterate CodeBlocks. It ensures that all compilations
          are complete before proceeding.
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        - Use the utility iterator function.

        * debugger/Debugger.h:
        * dfg/DFGOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        - Remove unneeded code (that was not the best solution anyway) for ensuring
          that we don't generate new DFG codeBlocks after enabling the debugger or
          profiler. Now that we wait for compilations to complete before proceeding
          with debugger and profiler work, this scenario will never happen.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::remove):
        * heap/CodeBlockSet.h:
        * heap/Heap.h:
        (JSC::Heap::removeCodeBlock):
        - New method to remove a codeBlock from the codeBlock set.

        * jit/JITOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * runtime/VM.cpp:
        (JSC::VM::waitForCompilationsToComplete):
        - Renamed from prepareToDiscardCode() to be clearer about what it does.

        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        - Wait for compilation to complete before enabling the profiler.

        * runtime/VM.h:

2014-03-03  Brian Burg  <bburg@apple.com>

        Another unreviewed build fix attempt for Windows after r164986.

        We never told Visual Studio to copy over the web replay code generator scripts
        and the generated headers for JavaScriptCore replay inputs as if they were
        private headers.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2014-03-03  Brian Burg  <bburg@apple.com>

        Web Replay: upstream input storage, capture/replay machinery, and inspector domain
        https://bugs.webkit.org/show_bug.cgi?id=128782

        Reviewed by Timothy Hatcher.

        Alter the replay inputs code generator so that it knows when it is necessary
        to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Framework.fromString):
        (Frameworks): Add WTF as an allowed framework for code generation.
        (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
        (Generator.generate_includes.declaration):
        (Generator.generate_includes.or):
        (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
        https://bugs.webkit.org/show_bug.cgi?id=129591

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::stubRoutine):
        * jit/Repatch.cpp:
        (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        Debugging improvements from my gbemu investigation session
        https://bugs.webkit.org/show_bug.cgi?id=129599

        Reviewed by Mark Lam.

        Various improvements from when I was investigating bug 129411.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDescribe): Make describe() return a string rather than printing the string.
        (functionDescribeArray): Like describe(), but prints details about arrays.

2014-02-25  Andreas Kling  <akling@apple.com>

        JSDOMWindow::commonVM() should return a reference.
        <https://webkit.org/b/129293>

        Added a DropAllLocks constructor that takes VM& without null checks.

        Reviewed by Geoff Garen.

2014-03-02  Mark Lam  <mark.lam@apple.com>

        CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
        <https://webkit.org/b/129584>

        Reviewed by Darin Adler.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):

2014-03-02  Mark Lam  <mark.lam@apple.com>

        Clean up use of Options::enableConcurrentJIT().
        <https://webkit.org/b/129582>

        Reviewed by Filip Pizlo.

        DFG Driver was conditionally checking Options::enableConcurrentJIT()
        only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
        enableConcurrentJIT set to false.

        Instead we should configure Options::enableConcurrentJIT() to be false
        in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
        check Options::enableConcurrentJIT(). This makes the code read a little
        cleaner.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
        stress tests.

        * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.

2014-03-01  Andreas Kling  <akling@apple.com>

        JSCell::fastGetOwnProperty() should get the Structure more efficiently.
        <https://webkit.org/b/129560>

        Now that structure() is nontrivial and we have a faster structure(VM&),
        make use of that in fastGetOwnProperty() since we already have VM.

        Reviewed by Sam Weinig.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places.)
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.

        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.

        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
13962 * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
13963 * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
13964
139652014-02-28 Filip Pizlo <fpizlo@apple.com>
13966
13967 Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
13968
13969 * dfg/DFGCSEPhase.cpp:
13970 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
13971
139722014-02-28 Andreas Kling <akling@apple.com>
13973
13974 JSObject::findPropertyHashEntry() should take VM instead of ExecState.
13975 <https://webkit.org/b/129529>
13976
13977 Callers already have VM in a local, and findPropertyHashEntry() only
13978 uses the VM, so there is no need to go all the way through ExecState.
13979
13980 Reviewed by Geoffrey Garen.
13981
13982 * runtime/JSObject.cpp:
13983 (JSC::JSObject::put):
13984 (JSC::JSObject::deleteProperty):
13985 (JSC::JSObject::findPropertyHashEntry):
13986 * runtime/JSObject.h:
13987
139882014-02-28 Joseph Pecoraro <pecoraro@apple.com>
13989
13990 Deadlock remotely inspecting iOS Simulator
13991 https://bugs.webkit.org/show_bug.cgi?id=129511
13992
13993 Reviewed by Timothy Hatcher.
13994
13995 Avoid synchronous setup. Do it asynchronously, and let
13996 the RemoteInspector singleton know later if it failed.
13997
13998 * inspector/remote/RemoteInspector.h:
13999 * inspector/remote/RemoteInspector.mm:
14000 (Inspector::RemoteInspector::setupFailed):
14001 * inspector/remote/RemoteInspectorDebuggableConnection.h:
14002 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14003 (Inspector::RemoteInspectorDebuggableConnection::setup):
14004
140052014-02-28 Oliver Hunt <oliver@apple.com>
14006
14007 REGRESSION(r164835): It broke 10 JSC stress tests on 32-bit platforms
14008 https://bugs.webkit.org/show_bug.cgi?id=129488
14009
14010 Reviewed by Mark Lam.
14011
14012 Whoops, modify the right register.
14013
14014 * jit/JITCall32_64.cpp:
14015 (JSC::JIT::compileLoadVarargs):
14016
140172014-02-28 Filip Pizlo <fpizlo@apple.com>
14018
14019 FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
14020 https://bugs.webkit.org/show_bug.cgi?id=129503
14021
14022 Reviewed by Mark Lam.
14023
14024 * ftl/FTLIntrinsicRepository.h:
14025 * ftl/FTLOutput.h:
14026 (JSC::FTL::Output::doubleSin):
14027 (JSC::FTL::Output::doubleCos):
14028 (JSC::FTL::Output::intrinsicOrOperation):
14029
140302014-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
14031
14032 Fix !ENABLE(GGC) builds
14033
14034 * heap/Heap.cpp:
14035 (JSC::Heap::markRoots):
14036 (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
14037
140382014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
14039
14040 Clean up Heap::collect and Heap::markRoots
14041 https://bugs.webkit.org/show_bug.cgi?id=129464
14042
14043 Reviewed by Geoffrey Garen.
14044
14045 These functions have built up a lot of cruft recently.
14046 We should do a bit of cleanup to make them easier to grok.
14047
14048 * heap/Heap.cpp:
14049 (JSC::Heap::finalizeUnconditionalFinalizers):
14050 (JSC::Heap::gatherStackRoots):
14051 (JSC::Heap::gatherJSStackRoots):
14052 (JSC::Heap::gatherScratchBufferRoots):
14053 (JSC::Heap::clearLivenessData):
14054 (JSC::Heap::visitSmallStrings):
14055 (JSC::Heap::visitConservativeRoots):
14056 (JSC::Heap::visitCompilerWorklists):
14057 (JSC::Heap::markProtectedObjects):
14058 (JSC::Heap::markTempSortVectors):
14059 (JSC::Heap::markArgumentBuffers):
14060 (JSC::Heap::visitException):
14061 (JSC::Heap::visitStrongHandles):
14062 (JSC::Heap::visitHandleStack):
14063 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
14064 (JSC::Heap::converge):
14065 (JSC::Heap::visitWeakHandles):
14066 (JSC::Heap::clearRememberedSet):
14067 (JSC::Heap::updateObjectCounts):
14068 (JSC::Heap::resetVisitors):
14069 (JSC::Heap::markRoots):
14070 (JSC::Heap::copyBackingStores):
14071 (JSC::Heap::deleteUnmarkedCompiledCode):
14072 (JSC::Heap::collect):
14073 (JSC::Heap::collectIfNecessaryOrDefer):
14074 (JSC::Heap::suspendCompilerThreads):
14075 (JSC::Heap::willStartCollection):
14076 (JSC::Heap::deleteOldCode):
14077 (JSC::Heap::flushOldStructureIDTables):
14078 (JSC::Heap::flushWriteBarrierBuffer):
14079 (JSC::Heap::stopAllocation):
14080 (JSC::Heap::reapWeakHandles):
14081 (JSC::Heap::sweepArrayBuffers):
14082 (JSC::Heap::snapshotMarkedSpace):
14083 (JSC::Heap::deleteSourceProviderCaches):
14084 (JSC::Heap::notifyIncrementalSweeper):
14085 (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
14086 (JSC::Heap::resetAllocators):
14087 (JSC::Heap::updateAllocationLimits):
14088 (JSC::Heap::didFinishCollection):
14089 (JSC::Heap::resumeCompilerThreads):
14090 * heap/Heap.h:
14091
140922014-02-27 Ryosuke Niwa <rniwa@webkit.org>
14093
14094 indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
14095 https://bugs.webkit.org/show_bug.cgi?id=129466
14096
14097 Reviewed by Michael Saboff.
14098
14099 Refactored the code to avoid calling JSString::value when needle is longer than haystack.
14100
14101 * runtime/StringPrototype.cpp:
14102 (JSC::stringProtoFuncIndexOf):
14103 (JSC::stringProtoFuncLastIndexOf):
14104
141052014-02-27 Timothy Hatcher <timothy@apple.com>
14106
14107 Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
14109 https://bugs.webkit.org/show_bug.cgi?id=129458
14110
14111 Reviewed by Joseph Pecoraro.
14112
14113 * inspector/ContentSearchUtilities.cpp:
14114 (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
14115 (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
14116 line ending type and don't try to strip the line ending. Use size_t.
14117 (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
14118 This will include the line ending in the lines, but that is okay.
14119 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
14120 (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
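
The line-table idea the entry describes, as an added example in JavaScript that is not the Web Inspector's own code: `lineStarts`, `linesWithEndings`, `textPositionFromOffset` and `matchingLines` are assumed names modelled on the functions listed above, and the sample text is constructed here. Lines keep their terminators, and an offset is mapped to a position by searching the table rather than assuming a fixed line-ending length.

```javascript
// Added example, not the Web Inspector's own code: a line table that treats
// "\r\n", "\n" and a lone "\r" as terminators, so offsets map to positions
// without assuming a single line-ending length or type.

// Start offset of every line; the first line starts at 0. A terminator ends
// the current line and the next line begins immediately after it.
function lineStarts(text) {
  const starts = [0];
  for (let i = 0; i < text.length; i++) {
    if (text[i] === "\n") {
      starts.push(i + 1);
    } else if (text[i] === "\r") {
      if (text[i + 1] === "\n") i++; // "\r\n" counts as one terminator
      starts.push(i + 1);
    }
  }
  return starts;
}

// Split into lines that keep their terminators (as the entry says is fine).
function linesWithEndings(text) {
  const starts = lineStarts(text);
  return starts.map((start, i) =>
    text.slice(start, i + 1 < starts.length ? starts[i + 1] : text.length));
}

// Zero-based {line, column} for an absolute offset: binary search for the
// last line start that is <= offset, rather than dividing by a fixed length.
function textPositionFromOffset(offset, starts) {
  let lo = 0;
  let hi = starts.length - 1;
  while (lo < hi) {
    const mid = (lo + hi + 1) >> 1;
    if (starts[mid] <= offset) lo = mid;
    else hi = mid - 1;
  }
  return { line: lo, column: offset - starts[lo] };
}

// Lines matching `pattern` (a RegExp), tested with the terminator still
// attached; returns the zero-based line index and the line text.
function matchingLines(text, pattern) {
  const re = new RegExp(pattern.source, pattern.flags.replace("g", ""));
  const hits = [];
  linesWithEndings(text).forEach((line, index) => {
    if (re.test(line)) hits.push({ line: index, text: line });
  });
  return hits;
}

// Constructed sample mixing all three line endings: CRLF, lone CR, LF.
const SAMPLE = "a\r\nb\rc\nd";
```

With `SAMPLE`, `lineStarts` yields `[0, 3, 5, 7]`, the lines are `"a\r\n"`, `"b\r"`, `"c\n"` and `"d"`, and offset 4 (the lone `\r`) maps to line 1, column 1. A lone `\r` followed by `\n` is consumed as a single terminator, which is the case a `\n`-only or fixed-length assumption gets wrong.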
14121
141222014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14123
14124 [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
14125 https://bugs.webkit.org/show_bug.cgi?id=129446
14126
14127 Reviewed by Timothy Hatcher.
14128
14129 Remove duplicate header entries in Copy Header build phase.
14130
14131 * JavaScriptCore.xcodeproj/project.pbxproj:
14132
141332014-02-27 Oliver Hunt <oliver@apple.com>
14134
14135 Whoops, include all of last patch.
14136
14137 * jit/JITCall32_64.cpp:
14138 (JSC::JIT::compileLoadVarargs):
14139
141402014-02-27 Oliver Hunt <oliver@apple.com>
14141
14142 Slow cases for function.apply and function.call should not require vm re-entry
14143 https://bugs.webkit.org/show_bug.cgi?id=129454
14144
14145 Reviewed by Geoffrey Garen.
14146
14147 Implement call and apply using builtins. Happily, the use
14148 of @call and @apply doesn't perform function equality checks
14149 and just plant direct var_args calls. This did expose a few
14150 codegen issues, but they're all covered by existing tests
14151 once call and apply are implemented in JS.
14152
14153 * JavaScriptCore.xcodeproj/project.pbxproj:
14154 * builtins/Function.prototype.js: Added.
14155 (call):
14156 (apply):
14157 * bytecompiler/NodesCodegen.cpp:
14158 (JSC::CallFunctionCallDotNode::emitBytecode):
14159 (JSC::ApplyFunctionCallDotNode::emitBytecode):
14160 * dfg/DFGCapabilities.cpp:
14161 (JSC::DFG::capabilityLevel):
14162 * interpreter/Interpreter.cpp:
14163 (JSC::sizeFrameForVarargs):
14164 (JSC::loadVarargs):
14165 * interpreter/Interpreter.h:
14166 * jit/JITCall.cpp:
14167 (JSC::JIT::compileLoadVarargs):
14168 * parser/ASTBuilder.h:
14169 (JSC::ASTBuilder::makeFunctionCallNode):
14170 * parser/Lexer.cpp:
14171 (JSC::isSafeBuiltinIdentifier):
14172 * runtime/CommonIdentifiers.h:
14173 * runtime/FunctionPrototype.cpp:
14174 (JSC::FunctionPrototype::addFunctionProperties):
14175 * runtime/JSObject.cpp:
14176 (JSC::JSObject::putDirectBuiltinFunction):
14177 (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
14178 * runtime/JSObject.h:
14179
141802014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14181
14182 Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
14183 https://bugs.webkit.org/show_bug.cgi?id=129443
14184
14185 Reviewed by Timothy Hatcher.
14186
14187 This queue is specific to the JSContext debuggable connections,
14188 there is no XPC involved. Give it a better name.
14189
14190 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14191 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
14192
141932014-02-27 David Kilzer <ddkilzer@apple.com>
14194
14195 Remove jsc symlink if it already exists
14196
14197 This is a follow-up fix for:
14198
14199 Create symlink to /usr/local/bin/jsc during installation
14200 <http://webkit.org/b/129399>
14201 <rdar://problem/16168734>
14202
14203 * JavaScriptCore.xcodeproj/project.pbxproj:
14204 (Create /usr/local/bin/jsc symlink): If a jsc symlink already
14205 exists where we're about to create the symlink, remove the old
14206 one first.
14207
142082014-02-27 Michael Saboff <msaboff@apple.com>
14209
14210 Unreviewed build fix for Mac tools after r164814
14211
14212 * Configurations/ToolExecutable.xcconfig:
14213 - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
14214 * JavaScriptCore.xcodeproj/project.pbxproj:
14215 - Changed productName to testRegExp for testRegExp target.
14216
142172014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14218
14219 Web Inspector: JSContext inspection should report exceptions in the console
14220 https://bugs.webkit.org/show_bug.cgi?id=128776
14221
14222 Reviewed by Timothy Hatcher.
14223
14224 When JavaScript API functions have an exception, let the inspector
14225 know so it can log the JavaScript and Native backtrace that caused
14226 the exception.
14227
14228 Include some clean up of ConsoleMessage and ScriptCallStack construction.
14229
14230 * API/JSBase.cpp:
14231 (JSEvaluateScript):
14232 (JSCheckScriptSyntax):
14233 * API/JSObjectRef.cpp:
14234 (JSObjectMakeFunction):
14235 (JSObjectMakeArray):
14236 (JSObjectMakeDate):
14237 (JSObjectMakeError):
14238 (JSObjectMakeRegExp):
14239 (JSObjectGetProperty):
14240 (JSObjectSetProperty):
14241 (JSObjectGetPropertyAtIndex):
14242 (JSObjectSetPropertyAtIndex):
14243 (JSObjectDeleteProperty):
14244 (JSObjectCallAsFunction):
14245 (JSObjectCallAsConstructor):
14246 * API/JSValue.mm:
14247 (reportExceptionToInspector):
14248 (valueToArray):
14249 (valueToDictionary):
14250 * API/JSValueRef.cpp:
14251 (JSValueIsEqual):
14252 (JSValueIsInstanceOfConstructor):
14253 (JSValueCreateJSONString):
14254 (JSValueToNumber):
14255 (JSValueToStringCopy):
14256 (JSValueToObject):
14257 When seeing an exception, let the inspector know there was an exception.
14258
14259 * inspector/JSGlobalObjectInspectorController.h:
14260 * inspector/JSGlobalObjectInspectorController.cpp:
14261 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
14262 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
14263 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
14264 Log API exceptions by also grabbing the native backtrace.
14265
14266 * inspector/ScriptCallStack.h:
14267 * inspector/ScriptCallStack.cpp:
14268 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
14269 (Inspector::ScriptCallStack::append):
14270 Minor extensions to ScriptCallStack to make it easier to work with.
14271
14272 * inspector/ConsoleMessage.cpp:
14273 (Inspector::ConsoleMessage::ConsoleMessage):
14274 (Inspector::ConsoleMessage::autogenerateMetadata):
14275 Provide better default information if the first call frame was native.
14276
14277 * inspector/ScriptCallStackFactory.cpp:
14278 (Inspector::createScriptCallStack):
14279 (Inspector::extractSourceInformationFromException):
14280 (Inspector::createScriptCallStackFromException):
14281 Perform the handling here of inserting a fake call frame for exceptions
14282 if there was no call stack (e.g. a SyntaxError) or if the first call
14283 frame had no information.
14284
14285 * inspector/ConsoleMessage.cpp:
14286 (Inspector::ConsoleMessage::ConsoleMessage):
14287 (Inspector::ConsoleMessage::autogenerateMetadata):
14288 * inspector/ConsoleMessage.h:
14289 * inspector/ScriptCallStackFactory.cpp:
14290 (Inspector::createScriptCallStack):
14291 (Inspector::createScriptCallStackForConsole):
14292 * inspector/ScriptCallStackFactory.h:
14293 * inspector/agents/InspectorConsoleAgent.cpp:
14294 (Inspector::InspectorConsoleAgent::enable):
14295 (Inspector::InspectorConsoleAgent::addMessageToConsole):
14296 (Inspector::InspectorConsoleAgent::count):
14297 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
14298 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
14299 ConsoleMessage cleanup.
14300
143012014-02-27 David Kilzer <ddkilzer@apple.com>
14302
14303 Create symlink to /usr/local/bin/jsc during installation
14304 <http://webkit.org/b/129399>
14305 <rdar://problem/16168734>
14306
14307 Reviewed by Dan Bernstein.
14308
14309 * JavaScriptCore.xcodeproj/project.pbxproj:
14310 - Add "Create /usr/local/bin/jsc symlink" build phase script to
14311 create the symlink during installation.
14312
143132014-02-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
14314
14315 Math.{max, min}() must not return after first NaN value
14316 https://bugs.webkit.org/show_bug.cgi?id=104147
14317
14318 Reviewed by Oliver Hunt.
14319
14320 According to the spec, ToNumber is going to be called on each argument
14321 even if a `NaN` value was already found.
14322
14323 * runtime/MathObject.cpp:
14324 (JSC::mathProtoFuncMax):
14325 (JSC::mathProtoFuncMin):
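
The observable difference the entry is about, as an added JavaScript example that is not JavaScriptCore code: `traced`, `conversionOrder`, `earlyReturnMax`, `specMax` and `specMin` are names assumed here. Because ToNumber can run user code (`valueOf`), returning as soon as a NaN is seen silently skips the conversion of every later argument; the spec-shaped versions convert all arguments first and only then decide.

```javascript
// Added example, not JavaScriptCore code: shows why Math.max/Math.min must
// run ToNumber on every argument before deciding the result.
// `traced` builds a constructed argument whose valueOf records each conversion.
function traced(label, value, log) {
  return { valueOf() { log.push(label); return value; } };
}

// Call `fn` with a traced 1, a literal NaN, then a traced 2, and report both
// the result and the order in which the traced arguments were converted.
function conversionOrder(fn) {
  const log = [];
  const result = fn(traced("first", 1, log), NaN, traced("third", 2, log));
  return { result, log };
}

// The behaviour the entry fixes: returning as soon as a NaN is seen, which
// skips the (observable) ToNumber conversion of every later argument.
function earlyReturnMax(...args) {
  let highest = -Infinity;
  for (const arg of args) {
    const n = Number(arg);
    if (Number.isNaN(n)) return NaN; // bug: "third" is never converted
    if (n > highest || (n === 0 && Object.is(highest, -0))) highest = n;
  }
  return highest;
}

// Spec-shaped version: convert every argument first, then pick the largest,
// so user code in valueOf runs for all arguments regardless of NaN.
function specMax(...args) {
  const coerced = args.map(Number); // ToNumber on each argument, in order
  let highest = -Infinity;
  for (const n of coerced) {
    if (Number.isNaN(n)) return NaN;
    if (n > highest || (n === 0 && Object.is(highest, -0))) highest = n; // +0 beats -0
  }
  return highest;
}

// Same shape for Math.min; -0 is treated as smaller than +0.
function specMin(...args) {
  const coerced = args.map(Number);
  let lowest = Infinity;
  for (const n of coerced) {
    if (Number.isNaN(n)) return NaN;
    if (n < lowest || (n === 0 && Object.is(lowest, 0) && Object.is(n, -0))) lowest = n;
  }
  return lowest;
}
```

`conversionOrder(earlyReturnMax).log` is `["first"]`, while `conversionOrder(specMax).log` (and, in a conforming engine, `conversionOrder(Math.max).log`) is `["first", "third"]`; the result is NaN in every case, so the bug is visible only through the side effects of `valueOf`, which is why the entry's fix matters even though the returned value does not change.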
14326
143272014-02-27 Gergo Balogh <gbalogh.u-szeged@partner.samsung.com>
14328
14329 JSType upper limit (0xff) assertion can be removed.
14330 https://bugs.webkit.org/show_bug.cgi?id=129424
14331
14332 Reviewed by Geoffrey Garen.
14333
14334 * runtime/JSTypeInfo.h:
14335 (JSC::TypeInfo::TypeInfo):
14336
143372014-02-26 Michael Saboff <msaboff@apple.com>
14338
14339 Auto generate bytecode information for bytecode parser and LLInt
14340 https://bugs.webkit.org/show_bug.cgi?id=129181
14341
14342 Reviewed by Mark Lam.
14343
14344 Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
14345 helpers. It also includes bytecode length and other information used to generate files.
14346 Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
14347 in DerivedSources/JavaScriptCore/.
14348
14349 Added the generation of these files to the "DerivedSource" build step.
14350 Slightly changed the build order, since the Bytecodes.h file is needed by
14351 JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
14352 to be run after JSCLLIntOffsetsExtractor.
14353
14354 Made related changes to OPCODE macros and their use.
14355
14356 Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
14357 jsc to resolve Mac build issue.
14358
14359 * CMakeLists.txt:
14360 * Configurations/JSC.xcconfig:
14361 * DerivedSources.make:
14362 * GNUmakefile.am:
14363 * GNUmakefile.list.am:
14364 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14365 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14366 * JavaScriptCore.vcxproj/copy-files.cmd:
14367 * JavaScriptCore.xcodeproj/project.pbxproj:
14368 * bytecode/Opcode.h:
14369 (JSC::padOpcodeName):
14370 * llint/LLIntCLoop.cpp:
14371 (JSC::LLInt::CLoop::initialize):
14372 * llint/LLIntCLoop.h:
14373 * llint/LLIntData.cpp:
14374 (JSC::LLInt::initialize):
14375 * llint/LLIntOpcode.h:
14376 * llint/LowLevelInterpreter.asm:
14377
143782014-02-27 Julien Brianceau <jbriance@cisco.com>
14379
14380 Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
14381 https://bugs.webkit.org/show_bug.cgi?id=129420
14382
14383 Reviewed by Geoffrey Garen.
14384
14385 * dfg/DFGSpeculativeJIT.h:
14386 (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
14387 Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
14388
143892014-02-27 Filip Pizlo <fpizlo@apple.com>
14390
14391 Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
14392 https://bugs.webkit.org/show_bug.cgi?id=129435
14393
14394 Reviewed by Oliver Hunt.
14395
14396 This is a 5-10% speed-up on Octane/closure.
14397
14398 * interpreter/Interpreter.cpp:
14399 (JSC::Interpreter::execute):
14400 * jsc.cpp:
14401 (GlobalObject::finishCreation):
14402 (functionClearCodeCache):
14403 * runtime/BatchedTransitionOptimizer.h:
14404 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
14405 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
14406
144072014-02-27 Alexey Proskuryakov <ap@apple.com>
14408
14409 Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
14410
14411 * inspector/scripts: Added property svn:ignore.
14412 * replay/scripts: Added property svn:ignore.
14413
144142014-02-27 Gabor Rapcsanyi <rgabor@webkit.org>
14415
14416 r164764 broke the ARM build
14417 https://bugs.webkit.org/show_bug.cgi?id=129415
14418
14419 Reviewed by Zoltan Herczeg.
14420
14421 * assembler/MacroAssemblerARM.h:
14422 (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
14423 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
14424 (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
14425 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
14426
144272014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
14428
14429 r164764 broke the ARM build
14430 https://bugs.webkit.org/show_bug.cgi?id=129415
14431
14432 Reviewed by Geoffrey Garen.
14433
14434 * assembler/MacroAssemblerARM.h:
14435 (JSC::MacroAssemblerARM::moveWithPatch):
14436
144372014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
14438
14439 r164764 broke the ARM build
14440 https://bugs.webkit.org/show_bug.cgi?id=129415
14441
14442 Reviewed by Geoffrey Garen.
14443
14444 * assembler/MacroAssemblerARM.h:
14445 (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
14446
144472014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
14448
14449 EFL build fix
14450
14451 * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
14452 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
14453 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
14454
144552014-02-25 Mark Hahnenberg <mhahnenberg@apple.com>
14456
14457 Make JSCells have 32-bit Structure pointers
14458 https://bugs.webkit.org/show_bug.cgi?id=123195
14459
14460 Reviewed by Filip Pizlo.
14461
14462 This patch changes JSCells such that they no longer have a full 64-bit Structure
14463 pointer in their header. Instead they now have a 32-bit index into
14464 a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
14465 pointers.
14466
14467 This change frees up an additional 32 bits of information in our object headers.
14468 We then use this extra space to store the indexing type of the object, the JSType
14469 of the object, some various type flags, and garbage collection data (e.g. mark bit).
14470 Because this inline type information is now faster to read, it pays for the slowdown
14471 incurred by having to perform an extra indirection through the StructureIDTable.
14472
14473 This patch also threads a reference to the current VM through more of the C++ runtime
14474 to offset the cost of having to look up the VM to get the actual Structure pointer.
14475
14476 * API/JSContext.mm:
14477 (-[JSContext setException:]):
14478 (-[JSContext wrapperForObjCObject:]):
14479 (-[JSContext wrapperForJSObject:]):
14480 * API/JSContextRef.cpp:
14481 (JSContextGroupRelease):
14482 (JSGlobalContextRelease):
14483 * API/JSObjectRef.cpp:
14484 (JSObjectIsFunction):
14485 (JSObjectCopyPropertyNames):
14486 * API/JSValue.mm:
14487 (containerValueToObject):
14488 * API/JSWrapperMap.mm:
14489 (tryUnwrapObjcObject):
14490 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14491 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14492 * JavaScriptCore.xcodeproj/project.pbxproj:
14493 * assembler/AbstractMacroAssembler.h:
14494 * assembler/MacroAssembler.h:
14495 (JSC::MacroAssembler::patchableBranch32WithPatch):
14496 (JSC::MacroAssembler::patchableBranch32):
14497 * assembler/MacroAssemblerARM64.h:
14498 (JSC::MacroAssemblerARM64::branchPtrWithPatch):
14499 (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
14500 (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
14501 (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
14502 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
14503 * assembler/MacroAssemblerARMv7.h:
14504 (JSC::MacroAssemblerARMv7::store8):
14505 (JSC::MacroAssemblerARMv7::branch32WithPatch):
14506 (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
14507 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
14508 (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
14509 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
14510 * assembler/MacroAssemblerX86.h:
14511 (JSC::MacroAssemblerX86::branch32WithPatch):
14512 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
14513 (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
14514 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
14515 * assembler/MacroAssemblerX86_64.h:
14516 (JSC::MacroAssemblerX86_64::store32):
14517 (JSC::MacroAssemblerX86_64::moveWithPatch):
14518 (JSC::MacroAssemblerX86_64::branch32WithPatch):
14519 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
14520 (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
14521 (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
14522 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
14523 * assembler/RepatchBuffer.h:
14524 (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
14525 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
14526 * assembler/X86Assembler.h:
14527 (JSC::X86Assembler::revertJumpTo_movq_i64r):
14528 (JSC::X86Assembler::revertJumpTo_movl_i32r):
14529 * bytecode/ArrayProfile.cpp:
14530 (JSC::ArrayProfile::computeUpdatedPrediction):
14531 * bytecode/ArrayProfile.h:
14532 (JSC::ArrayProfile::ArrayProfile):
14533 (JSC::ArrayProfile::addressOfLastSeenStructureID):
14534 (JSC::ArrayProfile::observeStructure):
14535 * bytecode/CodeBlock.h:
14536 (JSC::CodeBlock::heap):
14537 * bytecode/UnlinkedCodeBlock.h:
14538 * debugger/Debugger.h:
14539 * dfg/DFGAbstractHeap.h:
14540 * dfg/DFGArrayifySlowPathGenerator.h:
14541 * dfg/DFGClobberize.h:
14542 (JSC::DFG::clobberize):
14543 * dfg/DFGJITCompiler.h:
14544 (JSC::DFG::JITCompiler::branchWeakStructure):
14545 (JSC::DFG::JITCompiler::branchStructurePtr):
14546 * dfg/DFGOSRExitCompiler32_64.cpp:
14547 (JSC::DFG::OSRExitCompiler::compileExit):
14548 * dfg/DFGOSRExitCompiler64.cpp:
14549 (JSC::DFG::OSRExitCompiler::compileExit):
14550 * dfg/DFGOSRExitCompilerCommon.cpp:
14551 (JSC::DFG::osrWriteBarrier):
14552 (JSC::DFG::adjustAndJumpToTarget):
14553 * dfg/DFGOperations.cpp:
14554 (JSC::DFG::putByVal):
14555 * dfg/DFGSpeculativeJIT.cpp:
14556 (JSC::DFG::SpeculativeJIT::checkArray):
14557 (JSC::DFG::SpeculativeJIT::arrayify):
14558 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
14559 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
14560 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
14561 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
14562 (JSC::DFG::SpeculativeJIT::speculateObject):
14563 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
14564 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
14565 (JSC::DFG::SpeculativeJIT::speculateString):
14566 (JSC::DFG::SpeculativeJIT::speculateStringObject):
14567 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
14568 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
14569 (JSC::DFG::SpeculativeJIT::emitSwitchString):
14570 (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
14571 (JSC::DFG::SpeculativeJIT::writeBarrier):
14572 * dfg/DFGSpeculativeJIT.h:
14573 (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
14574 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
14575 * dfg/DFGSpeculativeJIT32_64.cpp:
14576 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
14577 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
14578 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
14579 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
14580 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
14581 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
14582 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
14583 (JSC::DFG::SpeculativeJIT::compile):
14584 (JSC::DFG::SpeculativeJIT::writeBarrier):
14585 * dfg/DFGSpeculativeJIT64.cpp:
14586 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
14587 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
14588 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
14589 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
14590 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
14591 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
14592 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
14593 (JSC::DFG::SpeculativeJIT::compile):
14594 (JSC::DFG::SpeculativeJIT::writeBarrier):
14595 * dfg/DFGWorklist.cpp:
14596 * ftl/FTLAbstractHeapRepository.cpp:
14597 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
14598 * ftl/FTLAbstractHeapRepository.h:
14599 * ftl/FTLLowerDFGToLLVM.cpp:
14600 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
14601 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
14602 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
14603 (JSC::FTL::LowerDFGToLLVM::compileToString):
14604 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
14605 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
14606 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
14607 (JSC::FTL::LowerDFGToLLVM::allocateCell):
14608 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
14609 (JSC::FTL::LowerDFGToLLVM::isObject):
14610 (JSC::FTL::LowerDFGToLLVM::isString):
14611 (JSC::FTL::LowerDFGToLLVM::isArrayType):
14612 (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
14613 (JSC::FTL::LowerDFGToLLVM::isType):
14614 (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
14615 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
14616 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
14617 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
14618 (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
14619 (JSC::FTL::LowerDFGToLLVM::loadStructure):
14620 (JSC::FTL::LowerDFGToLLVM::weakStructure):
14621 * ftl/FTLOSRExitCompiler.cpp:
14622 (JSC::FTL::compileStub):
14623 * ftl/FTLOutput.h:
14624 (JSC::FTL::Output::store8):
14625 * heap/GCAssertions.h:
14626 * heap/Heap.cpp:
14627 (JSC::Heap::getConservativeRegisterRoots):
14628 (JSC::Heap::collect):
14629 (JSC::Heap::writeBarrier):
14630 * heap/Heap.h:
14631 (JSC::Heap::structureIDTable):
14632 * heap/MarkedSpace.h:
14633 (JSC::MarkedSpace::forEachBlock):
14634 * heap/SlotVisitorInlines.h:
14635 (JSC::SlotVisitor::internalAppend):
14636 * jit/AssemblyHelpers.h:
14637 (JSC::AssemblyHelpers::branchIfCellNotObject):
14638 (JSC::AssemblyHelpers::genericWriteBarrier):
14639 (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure):
        (JSC::JIT::emitJumpIfCellNotObject):
        (JSC::JIT::emitAllocateJSObject):
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
        (JSC::JIT::branchStructure):
        (JSC::branchStructure):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitLoadWithStructureCheck):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitLoadWithStructureCheck):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
        (JSC::replaceWithJump):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/UnusedPointer.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::performSlowSort):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isFunctionExecutable):
        (JSC::ExecutableBase::clearCodeVirtual):
        (JSC::ScriptExecutable::unlinkCalls):
        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/InitializeThreading.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toThis):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        (JSC::JSCell::clearStructure):
        (JSC::JSCell::mark):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::structureIDOffset):
        (JSC::JSCell::typeInfoFlagsOffset):
        (JSC::JSCell::typeInfoTypeOffset):
        (JSC::JSCell::indexingTypeOffset):
        (JSC::JSCell::gcDataOffset):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::type):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::structure):
        (JSC::JSCell::visitChildren):
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::isGetterSetter):
        (JSC::JSCell::isProxy):
        (JSC::JSCell::isAPIValueWrapper):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable):
        (JSC::Heap::writeBarrier):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::createStructure):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSC::getJSFunction):
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::getDirectIndex):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        (JSC::JSObject::arrayStorageOrNull):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::currentRelevantLength):
        (JSC::JSObject::isGlobalObject):
        (JSC::JSObject::isVariableObject):
        (JSC::JSObject::isStaticScopeObject):
        (JSC::JSObject::isNameScopeObject):
        (JSC::JSObject::isActivationObject):
        (JSC::JSObject::isErrorInstance):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getOwnPropertySlot):
        (JSC::JSProxy::getOwnPropertySlotByIndex):
        (JSC::JSProxy::put):
        (JSC::JSProxy::putByIndex):
        (JSC::JSProxy::defineOwnProperty):
        (JSC::JSProxy::deleteProperty):
        (JSC::JSProxy::deletePropertyByIndex):
        (JSC::JSProxy::getPropertyNames):
        (JSC::JSProxy::getOwnPropertyNames):
        * runtime/JSScope.cpp:
        (JSC::JSScope::objectAtScope):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::zeroedGCDataOffset):
        (JSC::TypeInfo::inlineTypeFlags):
        * runtime/MapData.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (JSC::Structure::id):
        (JSC::Structure::idBlob):
        (JSC::Structure::objectInitializationFields):
        (JSC::Structure::structureIDOffset):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureIDTable.cpp: Added.
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::~StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h: Added.
        (JSC::StructureIDTable::base):
        (JSC::StructureIDTable::get):
        * runtime/SymbolTable.h:
        * runtime/TypedArrayType.cpp:
        (JSC::typeForTypedArrayType):
        * runtime/TypedArrayType.h:
        * runtime/WeakMapData.h:

2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>

        Unconditional logging in compileFTLOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=129407

        Reviewed by Michael Saboff.

        This was causing tests to fail with the FTL enabled.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2014-02-26 Oliver Hunt <oliver@apple.com>

        Remove unused access types
        https://bugs.webkit.org/show_bug.cgi?id=129385

        Reviewed by Filip Pizlo.

        Remove unused cruft.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::isPutByIdAccess):

2014-02-26 Oliver Hunt <oliver@apple.com>

        Function.prototype.apply has a bad time with the spread operator
        https://bugs.webkit.org/show_bug.cgi?id=129381

        Reviewed by Mark Hahnenberg.

        Make sure our apply logic handles the spread operator correctly.
        To do this we simply emit the enumeration logic that we'd normally
        use for other enumerations, but only store the first two results
        to registers. Then perform a varargs call.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):

2014-02-26 Mark Lam <mark.lam@apple.com>

        Compilation policy management belongs in operationOptimize(), not the DFG Driver.
        <https://webkit.org/b/129355>

        Reviewed by Filip Pizlo.

        By compilation policy, I mean the rules for determining whether to
        compile, when to compile, when to attempt compilation again, etc. The
        few of these policy decisions that were previously being made in the
        DFG driver are now moved to operationOptimize() where we keep the rest
        of the policy logic. Decisions that are based on the capabilities
        supported by the DFG are moved to DFG capabilityLevel().

        I've run the following benchmarks:
        1. the collection of jsc benchmarks on the jsc executable vs. its
           baseline.
        2. Octane 2.0 in browser without the WebInspector.
        3. Octane 2.0 in browser with the WebInspector open and a breakpoint
           set somewhere where it won't break.

        In all of these, the results came out to be a wash as expected.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITOperations.cpp:

2014-02-26 Mark Lam <mark.lam@apple.com>

        ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
        <https://webkit.org/b/129364>

        Reviewed by Alexey Proskuryakov.

        InjectedScriptModule::ensureInjected() needs an APIEntryShim.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        - Added the needed but missing APIEntryShim.

2014-02-25 Mark Lam <mark.lam@apple.com>

        Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
        <https://webkit.org/b/128766>

        Reviewed by Geoffrey Garen.

        Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
        The reasoning is that we don't know of any clients that need unordered
        re-entry into the VM from different threads. So, we're enforcing ordered
        re-entry, i.e. we must re-grab locks in the reverse order of dropping locks.

        The crash in this bug happened because we were allowing unordered re-entry,
        and the following type of scenario occurred:

        1. Thread T1 locks the VM, and enters the VM to execute some JS code.
        2. On entry, T1 detects that VM::m_entryScope is null, i.e. this is the
           first time it entered the VM.
           T1 sets VM::m_entryScope to T1's entryScope.
        3. T1 drops all locks.

        4. Thread T2 locks the VM, and enters the VM to execute some JS code.
           On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
           does not set the entryScope.
        5. T2 drops all locks.

        6. T1 re-grabs locks.
        7. T1 returns all the way out of JS code. On exit from the outermost
           JS function, T1 clears VM::m_entryScope (because T1 was the one who
           set it).
        8. T1 unlocks the VM.

        9. T2 re-grabs locks.
        10. T2 proceeds to execute some code and expects VM::m_entryScope to be
            NOT null, but it turns out to be null. Assertion failures and
            crashes ensue.

        With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
        the VM. Hence, the issue will no longer manifest.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::DropAllLocks::dropDepth):
15151
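The ordered re-entry rule from the entry above, replayed as an added C++ example (a hypothetical single-threaded model, not JSC's own JSLock code): each drop of all locks records a drop depth, and grabAllLocks only lets the most recent dropper back in, so any other thread must yield and retry. The ten steps of the scenario are forced by hand, once with the old unordered behaviour and once with ordered re-entry, and the value T2 observes at step 10 is returned.

```cpp
#include <cstdio>
#include <cstdlib>

// Hypothetical model of a VM lock with "drop all locks" support (not JSC's JSLock).
// entryScope stands in for VM::m_entryScope; droppedDepth for DropAllLocks::dropDepth().
struct Vm {
    int owner = 0;               // id of the thread holding the lock, 0 when unlocked
    unsigned lockDropDepth = 0;  // number of outstanding "drop all locks" scopes
    int entryScope = 0;          // id of the thread that set the entry scope, 0 = null
    bool orderedReentry = true;  // true: the fix; false: the old unordered behaviour
};

struct Thread {
    int id;
    int lockCount = 0;           // recursive lock depth while holding the lock
    unsigned droppedDepth = 0;   // lockDropDepth recorded when this thread dropped locks
    bool ownsEntryScope = false; // did this thread set vm.entryScope?
};

static void require(bool ok, const char* what) {
    if (!ok) { std::fprintf(stderr, "invariant violated: %s\n", what); std::abort(); }
}

static void vmLock(Vm& vm, Thread& t) {
    require(vm.owner == 0 || vm.owner == t.id, "lock held by another thread");
    vm.owner = t.id;
    t.lockCount++;
}

static void vmUnlock(Vm& vm, Thread& t) {
    require(vm.owner == t.id && t.lockCount > 0, "unlock by non-owner");
    if (--t.lockCount == 0)
        vm.owner = 0;
}

// Entering the VM: the first thread in sets the entry scope (steps 2 and 4).
static void vmEnter(Vm& vm, Thread& t) {
    require(vm.owner == t.id, "enter without holding the lock");
    if (vm.entryScope == 0) { vm.entryScope = t.id; t.ownsEntryScope = true; }
}

// Leaving the outermost JS function: only the thread that set the scope clears it (step 7).
static void vmExit(Vm& vm, Thread& t) {
    if (t.ownsEntryScope) { vm.entryScope = 0; t.ownsEntryScope = false; }
}

// Drop all locks: release the lock fully and remember how deep the drop stack was.
static void dropAllLocks(Vm& vm, Thread& t) {
    require(vm.owner == t.id, "drop without holding the lock");
    t.droppedDepth = ++vm.lockDropDepth;
    t.lockCount = 0;             // simplified: the real lock also saves the lock count
    vm.owner = 0;
}

// grabAllLocks: true when the thread got its locks back, false when it must yield and
// retry. Ordered re-entry admits only the most recent dropper, so re-grabs happen in
// the reverse order of the drops.
static bool grabAllLocks(Vm& vm, Thread& t) {
    if (vm.owner != 0)
        return false;            // held by someone else: yield
    if (vm.orderedReentry && vm.lockDropDepth != t.droppedDepth)
        return false;            // a later dropper has not re-entered yet: yield
    vm.lockDropDepth--;
    vm.owner = t.id;
    t.lockCount = 1;
    return true;
}

// Replays steps 1-10 of the bug report with the interleaving forced by hand.
// Returns the entry scope T2 observes at step 10; 0 is the "null" crash condition.
int replayScenario(bool orderedReentry) {
    Vm vm;
    vm.orderedReentry = orderedReentry;
    Thread t1{1}, t2{2};

    vmLock(vm, t1); vmEnter(vm, t1);   // steps 1-2: T1 sets entryScope
    dropAllLocks(vm, t1);              // step 3
    vmLock(vm, t2); vmEnter(vm, t2);   // step 4: scope already set, T2 leaves it alone
    dropAllLocks(vm, t2);              // step 5

    bool t1Finished = false;
    if (grabAllLocks(vm, t1)) {        // step 6: with ordered re-entry this yields
        vmExit(vm, t1); vmUnlock(vm, t1);   // steps 7-8: T1 clears entryScope, unlocks
        t1Finished = true;
    }
    require(grabAllLocks(vm, t2), "T2 re-grab");   // step 9
    int observed = vm.entryScope;      // step 10
    vmExit(vm, t2); vmUnlock(vm, t2);
    if (!t1Finished) {                 // T1 stops yielding once T2 has left the VM
        require(grabAllLocks(vm, t1), "T1 re-grab after yielding");
        vmExit(vm, t1); vmUnlock(vm, t1);
    }
    require(vm.owner == 0 && vm.entryScope == 0 && vm.lockDropDepth == 0, "clean exit");
    return observed;
}

int main() {
    std::printf("unordered re-entry: T2 sees entryScope=%d (null, the crash)\n", replayScenario(false));
    std::printf("ordered re-entry:   T2 sees entryScope=%d (T1's scope, as expected)\n", replayScenario(true));
    return 0;
}
```
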
2014-02-25 Mark Lam <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Not reviewed.

        Relanding r164627 now that <https://webkit.org/b/129341> is fixed.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25 Filip Pizlo <fpizlo@apple.com>

        Inline caching in the FTL on ARM64 should "work"
        https://bugs.webkit.org/show_bug.cgi?id=129334

        Reviewed by Mark Hahnenberg.

        Gets us to the point where simple tests that use inline caching are passing.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::shrink):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        (JSC::FTL::sizeOfCall):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * jit/GPRInfo.h:
        * offlineasm/arm64.rb:

2014-02-25 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r164627.
        http://trac.webkit.org/changeset/164627
        https://bugs.webkit.org/show_bug.cgi?id=129325

        Broke SubtleCrypto tests (Requested by ap on #webkit).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25 Filip Pizlo <fpizlo@apple.com>

        ARM64 rshift64 should be an arithmetic shift
        https://bugs.webkit.org/show_bug.cgi?id=129323

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::rshift64):

2014-02-25 Sergio Villar Senin <svillar@igalia.com>

        [CSS Grid Layout] Add ENABLE flag
        https://bugs.webkit.org/show_bug.cgi?id=129153

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25 Michael Saboff <msaboff@apple.com>

        JIT Engines use the wrong stack limit for stack checks
        https://bugs.webkit.org/show_bug.cgi?id=129314

        Reviewed by Filip Pizlo.

        Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * runtime/VM.h:
        (JSC::VM::addressOfStackLimit):

2014-02-25 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164493.

        It causes crashes, apparently because it's removing too many barriers. I will investigate
        later.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24 Oliver Hunt <oliver@apple.com>

        Fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24 Oliver Hunt <oliver@apple.com>

        Spread operator has a bad time when applied to call function
        https://bugs.webkit.org/show_bug.cgi?id=128853

        Reviewed by Geoffrey Garen.

        Follow on from the previous patch that added an extra slot to
        op_call_varargs (and _call, _call_eval, _construct). We now
        use the slot as an offset to in effect act as a 'slice' on
        the spread subject. This allows us to automatically retain
        all our existing argument and array optimisations. Most of
        this patch is simply threading the offset around.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::getArgumentByVal):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2014-02-24 Mark Lam <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Reviewed by Geoffrey Garen.

        We check VM::exclusiveThread as an optimization to forego the need to do
        JSLock locking. However, we recently started piggybacking on JSLock's
        lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
        and lastStackTop) to appropriate values for the current thread. This is
        needed because we may be acquiring the lock to enter the VM on a different
        thread.

        As a result, we ended up not initializing the VM stack data when
        VM::exclusiveThread causes us to bypass the locking activity. Even though
        the VM::exclusiveThread will not have to deal with the VM being entered
        on a different thread, it still needs to initialize the VM stack data.
        The VM relies on that data being initialized properly once it has been
        entered.

        With this fix, we push the check for exclusiveThread down into the JSLock,
        and handle the bypassing of unneeded locking activity there while still
        executing the necessary VM stack data initialization.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSLock::unlock):
        (JSLock::currentThreadIsHoldingLock):
        (JSLock::dropAllLocks):
        (JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24 Filip Pizlo <fpizlo@apple.com>

        FTL should do polymorphic PutById inlining
        https://bugs.webkit.org/show_bug.cgi?id=129210

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        This makes PutByIdStatus inform us about polymorphic cases by returning an array of
        PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
        selection of multiple inlined PutByIdVariants.

        MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
        http://trac.webkit.org/changeset/164207.

        This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
        that generate similar code.

        1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
        sometimes swaps field insertion order, creating fake polymorphism.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::isSimple):
        (JSC::PutByIdStatus::numVariants):
        (JSC::PutByIdStatus::variants):
        (JSC::PutByIdStatus::at):
        (JSC::PutByIdStatus::operator[]):
        * bytecode/PutByIdVariant.cpp: Added.
        (JSC::PutByIdVariant::dump):
        (JSC::PutByIdVariant::dumpInContext):
        * bytecode/PutByIdVariant.h: Added.
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::isSet):
        (JSC::PutByIdVariant::operator!):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::structureChain):
        (JSC::PutByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasMultiPutByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::loadProperty):
        (JSC::FTL::LowerDFGToLLVM::storeProperty):
        (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
        (JSC::FTL::LowerDFGToLLVM::storageForTransition):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

2014-02-24 peavo@outlook.com <peavo@outlook.com>

        JSC regressions after r164494
        https://bugs.webkit.org/show_bug.cgi?id=129272

        Reviewed by Mark Lam.

        * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.

2014-02-24 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
        https://bugs.webkit.org/show_bug.cgi?id=129255

        Reviewed by Csaba Osztrogonác.

        ENABLE_WORKERS macro was removed in r159679.
        Support is now also removed from xcconfig files.

        * Configurations/FeatureDefines.xcconfig:

2014-02-24 David Kilzer <ddkilzer@apple.com>

        Remove redundant setting in FeatureDefines.xcconfig

        * Configurations/FeatureDefines.xcconfig:

2014-02-23 Sam Weinig <sam@webkit.org>

        Update FeatureDefines.xcconfig

        Rubber-stamped by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2014-02-23 Dean Jackson <dino@apple.com>

        Sort the project file with sort-Xcode-project-file.

        Rubber-stamped by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-23 Sam Weinig <sam@webkit.org>

        Move telephone number detection behind its own ENABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=129236

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_TELEPHONE_NUMBER_DETECTION.
15575
155762014-02-22 Filip Pizlo <fpizlo@apple.com>
15577
15578 Refine DFG+FTL inlining and compilation limits
15579 https://bugs.webkit.org/show_bug.cgi?id=129212
15580
15581 Reviewed by Mark Hahnenberg.
15582
15583 Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
15584 and set that limit quite high. Institute a limit on inlining-into. The idea here is
15585 that large functions tend to be autogenerated, and code generators like emscripten
15586 appear to leave few inlining opportunities anyway. Also, we don't want the code
15587 size explosion that we would risk if we allowed compilation of a large function and
15588 then inlined a ton of stuff into it.
15589
15590 This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
15591 regression. This is a 9% speed-up on AsmBench.
15592
15593 * bytecode/CodeBlock.cpp:
15594 (JSC::CodeBlock::noticeIncomingCall):
15595 * dfg/DFGByteCodeParser.cpp:
15596 (JSC::DFG::ByteCodeParser::handleInlining):
15597 * dfg/DFGCapabilities.h:
15598 (JSC::DFG::isSmallEnoughToInlineCodeInto):
15599 * ftl/FTLCapabilities.cpp:
15600 (JSC::FTL::canCompile):
15601 * ftl/FTLState.h:
15602 (JSC::FTL::shouldShowDisassembly):
15603 * runtime/Options.h:
15604
156052014-02-22 Dan Bernstein <mitz@apple.com>
15606
15607 REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
15608 https://bugs.webkit.org/show_bug.cgi?id=129227
15609
15610 Reviewed by Eric Carlson.
15611
15612 Reverted r164507.
15613
15614 * API/JSBase.cpp:
15615 (JSEvaluateScript):
15616 (JSCheckScriptSyntax):
15617 * API/JSObjectRef.cpp:
15618 (JSObjectMakeFunction):
15619 (JSObjectMakeArray):
15620 (JSObjectMakeDate):
15621 (JSObjectMakeError):
15622 (JSObjectMakeRegExp):
15623 (JSObjectGetProperty):
15624 (JSObjectSetProperty):
15625 (JSObjectGetPropertyAtIndex):
15626 (JSObjectSetPropertyAtIndex):
15627 (JSObjectDeleteProperty):
15628 (JSObjectCallAsFunction):
15629 (JSObjectCallAsConstructor):
15630 * API/JSValue.mm:
15631 (valueToArray):
15632 (valueToDictionary):
15633 * API/JSValueRef.cpp:
15634 (JSValueIsEqual):
15635 (JSValueIsInstanceOfConstructor):
15636 (JSValueCreateJSONString):
15637 (JSValueToNumber):
15638 (JSValueToStringCopy):
15639 (JSValueToObject):
15640 * inspector/ConsoleMessage.cpp:
15641 (Inspector::ConsoleMessage::ConsoleMessage):
15642 (Inspector::ConsoleMessage::autogenerateMetadata):
15643 * inspector/ConsoleMessage.h:
15644 * inspector/JSGlobalObjectInspectorController.cpp:
15645 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
15646 * inspector/JSGlobalObjectInspectorController.h:
15647 * inspector/ScriptCallStack.cpp:
15648 * inspector/ScriptCallStack.h:
15649 * inspector/ScriptCallStackFactory.cpp:
15650 (Inspector::createScriptCallStack):
15651 (Inspector::createScriptCallStackForConsole):
15652 (Inspector::createScriptCallStackFromException):
15653 * inspector/ScriptCallStackFactory.h:
15654 * inspector/agents/InspectorConsoleAgent.cpp:
15655 (Inspector::InspectorConsoleAgent::enable):
15656 (Inspector::InspectorConsoleAgent::addMessageToConsole):
15657 (Inspector::InspectorConsoleAgent::count):
15658 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
15659 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
15660
156612014-02-22 Joseph Pecoraro <pecoraro@apple.com>
15662
15663 Remove some unreachable code (-Wunreachable-code)
15664 https://bugs.webkit.org/show_bug.cgi?id=129220
15665
15666 Reviewed by Eric Carlson.
15667
15668 * API/tests/testapi.c:
15669 (EvilExceptionObject_convertToType):
15670 * disassembler/udis86/udis86_decode.c:
15671 (decode_operand):
15672
156732014-02-22 Filip Pizlo <fpizlo@apple.com>
15674
15675 Unreviewed, ARMv7 build fix.
15676
15677 * assembler/ARMv7Assembler.h:
15678
156792014-02-21 Filip Pizlo <fpizlo@apple.com>
15680
15681 It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
15682 https://bugs.webkit.org/show_bug.cgi?id=124733
15683
15684 Reviewed by Oliver Hunt.
15685
15686 This also takes the opportunity to de-duplicate some branch compaction code.
15687
15688 * assembler/ARM64Assembler.h:
15689 * assembler/ARMv7Assembler.h:
15690 (JSC::ARMv7Assembler::buffer):
15691 * assembler/AssemblerBuffer.h:
15692 (JSC::AssemblerData::AssemblerData):
15693 (JSC::AssemblerBuffer::AssemblerBuffer):
15694 (JSC::AssemblerBuffer::storage):
15695 (JSC::AssemblerBuffer::grow):
15696 * assembler/LinkBuffer.h:
15697 (JSC::LinkBuffer::LinkBuffer):
15698 (JSC::LinkBuffer::executableOffsetFor):
15699 (JSC::LinkBuffer::applyOffset):
15700 * assembler/MacroAssemblerARM64.h:
15701 (JSC::MacroAssemblerARM64::link):
15702 * assembler/MacroAssemblerARMv7.h:
15703
157042014-02-21 Brent Fulgham <bfulgham@apple.com>
15705
15706 Extend media support for WebVTT sources
15707 https://bugs.webkit.org/show_bug.cgi?id=129156
15708
15709 Reviewed by Eric Carlson.
15710
15711 * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
15712
157132014-02-21 Joseph Pecoraro <pecoraro@apple.com>
15714
15715 Web Inspector: JSContext inspection should report exceptions in the console
15716 https://bugs.webkit.org/show_bug.cgi?id=128776
15717
15718 Reviewed by Timothy Hatcher.
15719
15720 When JavaScript API functions have an exception, let the inspector
15721 know so it can log the JavaScript and Native backtrace that caused
15722 the exception.
15723
15724 Include some clean up of ConsoleMessage and ScriptCallStack construction.
15725
15726 * API/JSBase.cpp:
15727 (JSEvaluateScript):
15728 (JSCheckScriptSyntax):
15729 * API/JSObjectRef.cpp:
15730 (JSObjectMakeFunction):
15731 (JSObjectMakeArray):
15732 (JSObjectMakeDate):
15733 (JSObjectMakeError):
15734 (JSObjectMakeRegExp):
15735 (JSObjectGetProperty):
15736 (JSObjectSetProperty):
15737 (JSObjectGetPropertyAtIndex):
15738 (JSObjectSetPropertyAtIndex):
15739 (JSObjectDeleteProperty):
15740 (JSObjectCallAsFunction):
15741 (JSObjectCallAsConstructor):
15742 * API/JSValue.mm:
15743 (reportExceptionToInspector):
15744 (valueToArray):
15745 (valueToDictionary):
15746 * API/JSValueRef.cpp:
15747 (JSValueIsEqual):
15748 (JSValueIsInstanceOfConstructor):
15749 (JSValueCreateJSONString):
15750 (JSValueToNumber):
15751 (JSValueToStringCopy):
15752 (JSValueToObject):
15753 When seeing an exception, let the inspector know there was an exception.
15754
15755 * inspector/JSGlobalObjectInspectorController.h:
15756 * inspector/JSGlobalObjectInspectorController.cpp:
15757 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
15758 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
15759 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
15760 Log API exceptions by also grabbing the native backtrace.
15761
15762 * inspector/ScriptCallStack.h:
15763 * inspector/ScriptCallStack.cpp:
15764 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
15765 (Inspector::ScriptCallStack::append):
15766 Minor extensions to ScriptCallStack to make it easier to work with.
15767
15768 * inspector/ConsoleMessage.cpp:
15769 (Inspector::ConsoleMessage::ConsoleMessage):
15770 (Inspector::ConsoleMessage::autogenerateMetadata):
15771 Provide better default information if the first call frame was native.
15772
15773 * inspector/ScriptCallStackFactory.cpp:
15774 (Inspector::createScriptCallStack):
15775 (Inspector::extractSourceInformationFromException):
15776 (Inspector::createScriptCallStackFromException):
15777 Perform the handling here of inserting a fake call frame for exceptions
15778 if there was no call stack (e.g. a SyntaxError) or if the first call
15779 frame had no information.
15780
15781 * inspector/ConsoleMessage.cpp:
15782 (Inspector::ConsoleMessage::ConsoleMessage):
15783 (Inspector::ConsoleMessage::autogenerateMetadata):
15784 * inspector/ConsoleMessage.h:
15785 * inspector/ScriptCallStackFactory.cpp:
15786 (Inspector::createScriptCallStack):
15787 (Inspector::createScriptCallStackForConsole):
15788 * inspector/ScriptCallStackFactory.h:
15789 * inspector/agents/InspectorConsoleAgent.cpp:
15790 (Inspector::InspectorConsoleAgent::enable):
15791 (Inspector::InspectorConsoleAgent::addMessageToConsole):
15792 (Inspector::InspectorConsoleAgent::count):
15793 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
15794 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
15795 ConsoleMessage cleanup.
15796
157972014-02-21 Oliver Hunt <oliver@apple.com>
15798
15799 Add extra space to op_call and related opcodes
15800 https://bugs.webkit.org/show_bug.cgi?id=129170
15801
15802 Reviewed by Mark Lam.
15803
15804 No change in behaviour, just some refactoring to add an extra
15805 slot to the op_call instructions, and refactoring to make similar
15806 changes easier in future.
15807
15808 * bytecode/CodeBlock.cpp:
15809 (JSC::CodeBlock::printCallOp):
15810 * bytecode/Opcode.h:
15811 (JSC::padOpcodeName):
15812 * bytecompiler/BytecodeGenerator.cpp:
15813 (JSC::BytecodeGenerator::emitCall):
15814 (JSC::BytecodeGenerator::emitCallVarargs):
15815 (JSC::BytecodeGenerator::emitConstruct):
15816 * dfg/DFGByteCodeParser.cpp:
15817 (JSC::DFG::ByteCodeParser::handleIntrinsic):
15818 * jit/JITCall.cpp:
15819 (JSC::JIT::compileOpCall):
15820 * jit/JITCall32_64.cpp:
15821 (JSC::JIT::compileOpCall):
15822 * llint/LowLevelInterpreter.asm:
15823 * llint/LowLevelInterpreter32_64.asm:
15824 * llint/LowLevelInterpreter64.asm:
15825
158262014-02-21 Mark Lam <mark.lam@apple.com>
15827
15828 gatherFromOtherThread() needs to align the sp before gathering roots.
15829 <https://webkit.org/b/129169>
15830
15831 Reviewed by Geoffrey Garen.
15832
15833 The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
15834 gatherFromOtherThread() defines the range of the other thread's stack as
15835 being bounded by the other thread's stack pointer and stack base. While
15836 the stack base will always be aligned to sizeof(void*), the stack pointer
15837 may not be. This is because the other thread may have just pushed a 32-bit
15838 value on its stack before we suspended it for scanning.
15839
15840 The fix is to round the stack pointer up to the next aligned address of
15841 sizeof(void*) and start scanning from there. On 64-bit systems, we will
15842 effectively ignore the 32-bit word at the bottom of the stack (top of the
15843 stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
15844 64-bit pointers should always be stored on 64-bit aligned boundaries (our
15845 conservative scan algorithm already depends on this assumption).
15846
15847 On 32-bit systems, the rounding is effectively a no-op.
15848
15849 * heap/ConservativeRoots.cpp:
15850 (JSC::ConservativeRoots::genericAddSpan):
15851 - Hardened somne assertions so that we can catch misalignment issues on
15852 release builds as well.
15853 * heap/MachineStackMarker.cpp:
15854 (JSC::MachineThreads::gatherFromOtherThread):
15855
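The alignment fix described in the entry above, as an added C++ sketch that is not JavaScriptCore's code. `roundUpToPointerAlignment`, `addSpan`, `gatherFromOtherThread`, `ScanResult` and the `CellSet` heap stand-in are hypothetical names; the stack buffer and the cell address `0x1000` are constructed for the demo. It shows why the span handed to a conservative scanner has to be pointer-aligned: the scanner refuses a span that starts at the raw, misaligned stack pointer (the condition the hardened assertion catches), while the wrapper rounds the pointer up and still finds the root stored just above the 32-bit push.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <set>

// Constructed stand-in for the collector's knowledge of live cell addresses.
using CellSet = std::set<uintptr_t>;

// Round an address up to the next sizeof(void*) boundary.
static uintptr_t roundUpToPointerAlignment(uintptr_t address)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (address + mask) & ~mask;
}

static bool isPointerAligned(uintptr_t address)
{
    return (address & (sizeof(void*) - 1)) == 0;
}

// Conservative scan of [begin, end): every pointer-sized word whose value is a
// live cell address is recorded as a root. A misaligned bound is refused
// outright rather than scanned; that is the condition the hardened assertion
// in genericAddSpan exists to catch.
static bool addSpan(uintptr_t begin, uintptr_t end, const CellSet& heap, CellSet& roots)
{
    if (!isPointerAligned(begin) || !isPointerAligned(end) || begin > end)
        return false;
    for (uintptr_t p = begin; p < end; p += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof(word));
        if (heap.count(word))
            roots.insert(word);
    }
    return true;
}

// The fix: the suspended thread may have pushed a 32-bit value last, so its
// stack pointer is rounded up to the next pointer-aligned address before the
// span [sp, base) is scanned (stacks grow down here). On 64-bit targets that
// skips the half-word at the bottom, which cannot hold a 64-bit pointer anyway.
static bool gatherFromOtherThread(uintptr_t stackPointer, uintptr_t stackBase, const CellSet& heap, CellSet& roots)
{
    return addSpan(roundUpToPointerAlignment(stackPointer), stackBase, heap, roots);
}

struct ScanResult {
    bool rawScanRefused;       // addSpan rejected the raw, misaligned stack pointer
    bool alignedScanFoundCell; // gatherFromOtherThread still found the pointer above the push
};

// Constructed "other thread" stack: a pointer-sized slot holding a live cell
// address, then a 32-bit value pushed on top of it.
static ScanResult simulateMisalignedStackScan()
{
    alignas(16) unsigned char stack[64];
    std::memset(stack, 0, sizeof(stack));
    const uintptr_t base = reinterpret_cast<uintptr_t>(stack) + sizeof(stack);

    const uintptr_t cell = 0x1000; // constructed, pointer-aligned cell address
    CellSet heap { cell };

    uintptr_t sp = base - sizeof(void*);
    std::memcpy(reinterpret_cast<void*>(sp), &cell, sizeof(cell)); // push a pointer
    sp -= sizeof(uint32_t);
    const uint32_t halfWord = 0xdeadbeef;                          // push a 32-bit value
    std::memcpy(reinterpret_cast<void*>(sp), &halfWord, sizeof(halfWord));

    CellSet roots;
    ScanResult result;
    result.rawScanRefused = !addSpan(sp, base, heap, roots);
    result.alignedScanFoundCell = gatherFromOtherThread(sp, base, heap, roots) && roots.count(cell) == 1;
    return result;
}

int main()
{
    ScanResult r = simulateMisalignedStackScan();
    std::printf("raw scan refused: %d, aligned scan found cell: %d\n", r.rawScanRefused, r.alignedScanFoundCell);
    return 0;
}
```

On a 32-bit target the 4-byte push leaves the stack pointer aligned, so the raw scan is accepted and the rounding is the no-op the entry describes. A scanner that silently skipped or misread a misaligned span would miss roots, and a live cell collected early is a use-after-free in the making, which is why alignment is asserted rather than assumed.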
158562014-02-21 Matthew Mirman <mmirman@apple.com>
15857
15858 Added a GetMyArgumentsLengthSafe and added a speculation check.
15859 https://bugs.webkit.org/show_bug.cgi?id=129051
15860
15861 Reviewed by Filip Pizlo.
15862
15863 * ftl/FTLLowerDFGToLLVM.cpp:
15864 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
15865
158662014-02-21 peavo@outlook.com <peavo@outlook.com>
15867
15868 [Win][LLINT] Many JSC stress test failures.
15869 https://bugs.webkit.org/show_bug.cgi?id=129155
15870
15871 Reviewed by Michael Saboff.
15872
15873 Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
15874 Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
15875 E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
15876
15877 * offlineasm/x86.rb: Swap operand order on Windows.
15878
158792014-02-21 Filip Pizlo <fpizlo@apple.com>
15880
15881 DFG write barriers should do more speculations
15882 https://bugs.webkit.org/show_bug.cgi?id=129160
15883
15884 Reviewed by Mark Hahnenberg.
15885
15886 Replace ConditionalStoreBarrier with the cheapest speculation that you could do
15887 instead.
15888
15889 Miniscule speed-up on some things. It's a decent difference in code size, though.
15890
15891 * bytecode/SpeculatedType.cpp:
15892 (JSC::speculationToAbbreviatedString):
15893 * bytecode/SpeculatedType.h:
15894 (JSC::isNotCellSpeculation):
15895 * dfg/DFGFixupPhase.cpp:
15896 (JSC::DFG::FixupPhase::fixupNode):
15897 (JSC::DFG::FixupPhase::insertStoreBarrier):
15898 (JSC::DFG::FixupPhase::insertPhantomCheck):
15899 * dfg/DFGNode.h:
15900 (JSC::DFG::Node::shouldSpeculateOther):
15901 (JSC::DFG::Node::shouldSpeculateNotCell):
15902 * ftl/FTLCapabilities.cpp:
15903 (JSC::FTL::canCompile):
15904 * ftl/FTLLowerDFGToLLVM.cpp:
15905 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
15906 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
15907 (JSC::FTL::LowerDFGToLLVM::isNotOther):
15908 (JSC::FTL::LowerDFGToLLVM::isOther):
15909 (JSC::FTL::LowerDFGToLLVM::speculate):
15910 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
15911 (JSC::FTL::LowerDFGToLLVM::speculateOther):
15912 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
15913
159142014-02-21 Joseph Pecoraro <pecoraro@apple.com>
15915
15916 Revert r164486, causing a number of test failures.
15917
15918 Unreviewed rollout.
15919
159202014-02-21 Filip Pizlo <fpizlo@apple.com>
15921
15922 Revive SABI (aka shouldAlwaysBeInlined)
15923 https://bugs.webkit.org/show_bug.cgi?id=129159
15924
15925 Reviewed by Mark Hahnenberg.
15926
15927 This is a small Octane speed-up.
15928
15929 * jit/Repatch.cpp:
15930 (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
15931
159322014-02-21 Joseph Pecoraro <pecoraro@apple.com>
15933
15934 Web Inspector: JSContext inspection should report exceptions in the console
15935 https://bugs.webkit.org/show_bug.cgi?id=128776
15936
15937 Reviewed by Timothy Hatcher.
15938
15939 When JavaScript API functions have an exception, let the inspector
15940 know so it can log the JavaScript and Native backtrace that caused
15941 the exception.
15942
15943 Include some clean up of ConsoleMessage and ScriptCallStack construction.
15944
15945 * API/JSBase.cpp:
15946 (JSEvaluateScript):
15947 (JSCheckScriptSyntax):
15948 * API/JSObjectRef.cpp:
15949 (JSObjectMakeFunction):
15950 (JSObjectMakeArray):
15951 (JSObjectMakeDate):
15952 (JSObjectMakeError):
15953 (JSObjectMakeRegExp):
15954 (JSObjectGetProperty):
15955 (JSObjectSetProperty):
15956 (JSObjectGetPropertyAtIndex):
15957 (JSObjectSetPropertyAtIndex):
15958 (JSObjectDeleteProperty):
15959 (JSObjectCallAsFunction):
15960 (JSObjectCallAsConstructor):
15961 * API/JSValue.mm:
15962 (reportExceptionToInspector):
15963 (valueToArray):
15964 (valueToDictionary):
15965 * API/JSValueRef.cpp:
15966 (JSValueIsEqual):
15967 (JSValueIsInstanceOfConstructor):
15968 (JSValueCreateJSONString):
15969 (JSValueToNumber):
15970 (JSValueToStringCopy):
15971 (JSValueToObject):
15972 When seeing an exception, let the inspector know there was an exception.
15973
15974 * inspector/JSGlobalObjectInspectorController.h:
15975 * inspector/JSGlobalObjectInspectorController.cpp:
15976 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
15977 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
15978 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
15979 Log API exceptions by also grabbing the native backtrace.
15980
15981 * inspector/ScriptCallStack.h:
15982 * inspector/ScriptCallStack.cpp:
15983 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
15984 (Inspector::ScriptCallStack::append):
15985 Minor extensions to ScriptCallStack to make it easier to work with.
15986
15987 * inspector/ConsoleMessage.cpp:
15988 (Inspector::ConsoleMessage::ConsoleMessage):
15989 (Inspector::ConsoleMessage::autogenerateMetadata):
15990 Provide better default information if the first call frame was native.
15991
15992 * inspector/ScriptCallStackFactory.cpp:
15993 (Inspector::createScriptCallStack):
15994 (Inspector::extractSourceInformationFromException):
15995 (Inspector::createScriptCallStackFromException):
15996 Perform the handling here of inserting a fake call frame for exceptions
15997 if there was no call stack (e.g. a SyntaxError) or if the first call
15998 frame had no information.
15999
16000 * inspector/ConsoleMessage.cpp:
16001 (Inspector::ConsoleMessage::ConsoleMessage):
16002 (Inspector::ConsoleMessage::autogenerateMetadata):
16003 * inspector/ConsoleMessage.h:
16004 * inspector/ScriptCallStackFactory.cpp:
16005 (Inspector::createScriptCallStack):
16006 (Inspector::createScriptCallStackForConsole):
16007 * inspector/ScriptCallStackFactory.h:
16008 * inspector/agents/InspectorConsoleAgent.cpp:
16009 (Inspector::InspectorConsoleAgent::enable):
16010 (Inspector::InspectorConsoleAgent::addMessageToConsole):
16011 (Inspector::InspectorConsoleAgent::count):
16012 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
16013 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
16014 ConsoleMessage cleanup.
16015
160162014-02-20 Anders Carlsson <andersca@apple.com>
16017
16018 Modernize JSGlobalLock and JSLockHolder
16019 https://bugs.webkit.org/show_bug.cgi?id=129105
16020
16021 Reviewed by Michael Saboff.
16022
16023 Use std::mutex and std::thread::id where possible.
16024
16025 * runtime/JSLock.cpp:
16026 (JSC::GlobalJSLock::GlobalJSLock):
16027 (JSC::GlobalJSLock::~GlobalJSLock):
16028 (JSC::GlobalJSLock::initialize):
16029 (JSC::JSLock::JSLock):
16030 (JSC::JSLock::lock):
16031 (JSC::JSLock::unlock):
16032 (JSC::JSLock::currentThreadIsHoldingLock):
16033 * runtime/JSLock.h:
16034
160352014-02-20 Mark Lam <mark.lam@apple.com>
16036
16037 virtualForWithFunction() should not throw an exception with a partially initialized frame.
16038 <https://webkit.org/b/129134>
16039
16040 Reviewed by Michael Saboff.
16041
16042 Currently, when JITOperations.cpp's virtualForWithFunction() fails to
16043 prepare the callee function for execution, it proceeds to throw the
16044 exception using the callee frame which is only partially initialized
16045 thus far. Instead, it should be throwing the exception using the caller
16046 frame because:
16047 1. the error happened "in" the caller while preparing the callee for
16048 execution i.e. the caller frame is the top fully initialized frame
16049 on the stack.
16050 2. the callee frame is not fully initialized yet, and the unwind
16051 mechanism cannot depend on the data in it.
16052
16053 * jit/JITOperations.cpp:
16054
160552014-02-20 Mark Lam <mark.lam@apple.com>
16056
16057 DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
16058 <https://webkit.org/b/129131>
16059
16060 Reviewed by Mark Hahnenberg.
16061
16062 Currently, DefaultGCActivityCallback::doWork() does not check if the GC
16063 needs to be deferred before commencing. As a result, the GC may crash
16064 and/or corrupt data because the VM is not in the consistent state needed
16065 for the GC to run. With this fix, doWork() now checks if the GC is
16066 supposed to be deferred and re-schedules if needed. It only commences
16067 with GC'ing when it's safe to do so.
16068
16069 * runtime/GCActivityCallback.cpp:
16070 (JSC::DefaultGCActivityCallback::doWork):
16071
160722014-02-20 Geoffrey Garen <ggaren@apple.com>
16073
16074 Math.imul gives wrong results
16075 https://bugs.webkit.org/show_bug.cgi?id=126345
16076
16077 Reviewed by Mark Hahnenberg.
16078
16079 Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
16080 Instead, take a slow path that will do the right thing.
16081
16082 * jit/ThunkGenerators.cpp:
16083 (JSC::imulThunkGenerator):
16084
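The ToInt32 behaviour the Math.imul entry above relies on, as an added C++ example that is not the thunk's code. `toInt32` and `imul` follow the ECMAScript definitions; `imulTruncatingNonIntsToZero` is a hypothetical reconstruction of the defect the entry describes (a double that is not already an exact int32 folded to 0) and is kept only to show where it diverges. All three names are assumed for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// ECMAScript ToInt32: NaN and +/-Infinity become 0; otherwise truncate toward
// zero, reduce modulo 2^32 into [0, 2^32), and reinterpret as signed 32-bit.
static int32_t toInt32(double value)
{
    if (!std::isfinite(value))
        return 0;
    const double twoTo32 = 4294967296.0;
    double modulo = std::fmod(std::trunc(value), twoTo32);
    if (modulo < 0) // fmod keeps the dividend's sign
        modulo += twoTo32;
    return static_cast<int32_t>(static_cast<uint32_t>(modulo));
}

// Math.imul: ToInt32 both operands, multiply modulo 2^32, return signed.
static int32_t imul(double a, double b)
{
    uint64_t product = static_cast<uint64_t>(static_cast<uint32_t>(toInt32(a)))
                     * static_cast<uint64_t>(static_cast<uint32_t>(toInt32(b)));
    return static_cast<int32_t>(static_cast<uint32_t>(product));
}

// Hypothetical reconstruction of the shortcut the entry above removed: a
// double that is not already an exact int32 is folded to 0 instead of going
// through ToInt32. Kept only to show where it diverges from the spec.
static int32_t imulTruncatingNonIntsToZero(double a, double b)
{
    auto shortcut = [](double v) -> int32_t {
        if (std::isfinite(v) && v >= -2147483648.0 && v <= 2147483647.0 && std::trunc(v) == v)
            return static_cast<int32_t>(v);
        return 0;
    };
    uint64_t product = static_cast<uint64_t>(static_cast<uint32_t>(shortcut(a)))
                     * static_cast<uint64_t>(static_cast<uint32_t>(shortcut(b)));
    return static_cast<int32_t>(static_cast<uint32_t>(product));
}

int main()
{
    std::printf("Math.imul(2.5, 3): spec %d, shortcut %d\n", imul(2.5, 3), imulTruncatingNonIntsToZero(2.5, 3));
    std::printf("Math.imul(4294967295, 5): spec %d\n", imul(4294967295.0, 5));
    return 0;
}
```

The cases worth keeping in a regression test are the ones a fast path is tempted to skip: fractional operands (2.5 must become 2, not 0), values at or beyond the int32 range (2147483648 wraps to INT32_MIN, 4294967301 reduces to 5) and non-finite inputs, which all go through the same modulo reduction instead of a special case.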
2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.

        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.

        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.

        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==