[apple/javascriptcore.git] / ChangeLog-2013-10-13
2013-10-13  Anders Carlsson  <andersca@apple.com>

        Try to fix the Lion build.

        * Configurations/JavaScriptCore.xcconfig:

2013-10-12  Alexey Proskuryakov  <ap@apple.com>

        Add a feature define for SubtleCrypto
        https://bugs.webkit.org/show_bug.cgi?id=122683

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-10-12  Julien Brianceau  <jbriance@cisco.com>

        Fix potential register trampling in JIT since r157313.
        https://bugs.webkit.org/show_bug.cgi?id=122691

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing spaces in JITStubsSH4.h
        https://bugs.webkit.org/show_bug.cgi?id=122690

        Reviewed by Andreas Kling.

        * jit/JITStubsSH4.h: Space between string concatenation is mandatory with C++11

2013-10-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing test32 implementation in macro assembler.
        https://bugs.webkit.org/show_bug.cgi?id=122689

        Reviewed by Andreas Kling.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::test32):

2013-10-11  Darin Adler  <darin@apple.com>

        Change most call sites to call ICU directly instead of through WTF::Unicode
        https://bugs.webkit.org/show_bug.cgi?id=122635

        Reviewed by Alexey Proskuryakov.

        * parser/Lexer.cpp:
        (JSC::isNonLatin1IdentStart): Take a UChar since that's what the only caller wants to pass.
        Use U_GET_GC_MASK instead of WTF::Unicode::category.
        (JSC::isNonLatin1IdentPart): Ditto.

        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace.

        * runtime/JSFunction.cpp: Removed "using namespace" for WTF::Unicode, this will no longer
        compile since this doesn't include anything that defines that namespace.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::isStrWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomPatternCharacter): Use u_tolower and u_toupper instead of
        Unicode::toLower and Unicode::toUpper. Also added some assertions since this code assumes
        it can convert any UChar to lowercase or uppercase in another UChar, with no risk of needing
        a UChar32 for the result. I guess that's probably true, but it would be good to know in a
        debug build if not.

2013-10-11  Nadav Rotem  <nrotem@apple.com>

        DFG: Add JIT support for LogicalNot(String/StringIdent)
        https://bugs.webkit.org/show_bug.cgi?id=122627

        Reviewed by Filip Pizlo.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):

2013-10-11  Filip Pizlo  <fpizlo@apple.com>

        sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e. int $3)
        https://bugs.webkit.org/show_bug.cgi?id=122462

        Reviewed by Mark Hahnenberg.

        This fixes two bugs, both of which led to GetByVal on Int32 trapping because the
        array no longer had Int32 shape but the check wasn't executed:

        1) We weren't snapshotting the structures of mustHandleValues. This led to an awesome
        race where if a mustHandleValue JSValue's structure changed on the main thread
        between runs of the AI, the AI would contradict each other and things would just
        get corrupted in funny ways.

        2) The constant folder has a long-standing bug! It will fold a node to a constant if
        the AI proved it to be a constant. But it's possible that the original node also
        proved things about the constant's structure. In that case "folding" to a
        JSConstant actually loses information since JSConstant doesn't guarantee anything
        about a constant's structure. There are various things we could do here to ensure
        that a folded constant's structure doesn't change, and that if it does, we
        deoptimize the code. But for now we can just make this sound by disabling folding
        in this pathological case.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2013-10-11  Filip Pizlo  <fpizlo@apple.com>

        Fix handling of indirect stackmap locations in FTL OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=122666

        Reviewed by Mark Hahnenberg.

        With this change, the llvm.webkit.stackmap-based OSR exit only fails one test, down from
        five tests previously.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::gpr): It's OK to call this method when kind() == Indirect, so asserting that isGPR() is wrong; change to assert that involvesGPR().
        (JSC::FTL::Location::restoreInto): Stack-related registers aren't saved to the scratch buffer, so use them directly.
        * ftl/FTLLocation.h: Add comment about requirements for stack layout.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap): Make enough room on the stack so that saveAllRegisters() has a scratchpad to save things to. Without this, saveAllRegisters() may clobber a spilled value.

2013-10-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157307.
        http://trac.webkit.org/changeset/157307
        https://bugs.webkit.org/show_bug.cgi?id=122671

        Many assertion failures (Requested by ap on #webkit).

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorPrototypeNext):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Mark Lam  <mark.lam@apple.com>

        Transition op_new_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122460.

        Reviewed by Michael Saboff.

        Also:
        - Removed the redundant operationNewFunctionExpression(). It is identical to
          operationNewFunctionNoCheck().
        - Sorted JIT operation signature keys in the comment in JITOperations.h.
        - Removed the unused returnValue2Register definition for X86_64.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-11  Oliver Hunt  <oliver@apple.com>

        Separate out array iteration intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=122656

        Reviewed by Michael Saboff.

        Separate out the intrinsics for key and values iteration
        of arrays.

        This requires moving array iteration into the iterator
        instance, rather than the prototype, but this is essentially
        unobservable so we'll live with it for now.

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        (JSC::arrayIteratorNextKeyThunkGenerator):
        (JSC::arrayIteratorNextValueThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorNext):
        (JSC::arrayIteratorNextKey):
        (JSC::arrayIteratorNextValue):
        (JSC::arrayIteratorNextGeneric):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSGenericTypedArrayViewPrototype.
        <https://webkit.org/b/122632>

        Reviewed by Sam Weinig.

        This code was only using the ExecState to find the VM.

2013-10-11  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build after r157209.
        https://bugs.webkit.org/show_bug.cgi?id=122643

        Reviewed by Ryosuke Niwa.

        * assembler/MacroAssemblerSH4.h: Add framePointerRegister declaration.
        * assembler/SH4Assembler.h: Add firstRegister() declaration.
        (JSC::SH4Assembler::firstRegister):

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        FTL shouldn't pass i1's into llvm.webkit.stackmap's
        https://bugs.webkit.org/show_bug.cgi?id=122629
        <rdar://problem/15203037>

        Reviewed by Sam Weinig and Nadav Rotem.

        LLVM's stackmap support requires that we only pass operands with legal types (i.e. types
        that are hardware-representable). i1, which the FTL previously used for Booleans, is not
        legal.

        We have two options: either add support in LLVM to legalize stackmap operands, or add
        support to the FTL to legalize stackmap operands. It's easier to fix this in FTL, and
        that's what this patch does.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-10-09  Oliver Hunt  <oliver@apple.com>

        Further improve ArrayIterator performance
        https://bugs.webkit.org/show_bug.cgi?id=122575

        Reviewed by Mark Hahnenberg.

        Add an assembly thunk for ArrayIterator.@@next so that we
        can avoid marshalling costs when iterating arrays.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::loadSpecificClassArgument):
        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.h:
        (JSC::JSArrayIterator::offsetOfIterationKind):
        (JSC::JSArrayIterator::offsetOfIteratedObject):
        (JSC::JSArrayIterator::offsetOfNextIndex):
        * runtime/JSCJSValue.h:
        (JSC::JSValue::offsetOfPayload):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::iteratorResultStructureOffset):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-10  Michael Saboff  <msaboff@apple.com>

        Transition cti_op_* methods returning int to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122563

        Reviewed by Oliver Hunt.

        Moved several operationCompare* functions from DFGOperations to JITOperations as well as changing
        dfgConvertJSValueToBoolean to operationConvertJSValueToBoolean so that they can be shared with the baseline JIT.
        Added JITOperation operationHasProperty(). Added needed callOperation helpers and transitioned baseline JIT code
        to use the new operations.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        (JSC::JIT::emitSlow_op_jnless):
        (JSC::JIT::emitSlow_op_jnlesseq):
        (JSC::JIT::emitSlow_op_jngreater):
        (JSC::JIT::emitSlow_op_jngreatereq):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_next_pname):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        OSR exit using llvm.webkit.stackmap should pass more tests
        https://bugs.webkit.org/show_bug.cgi?id=122518

        Reviewed by Mark Hahnenberg.

        - Make the X86Assembler capable of dealing with all XMM registers.

        - Make the StackMaps code on WebKit's side capable of dealing with XMM registers.

        - Factor out most of the smarts of StackMaps::Location into a self-contained object.
          Previously you needed both StackMaps::Location and a StackMaps reference to do most
          things since the Location might have referred to a constant. Now you can just get a
          self-contained Location object.

        - Fix a bug where OSR exit generation thunk generator was assuming that the call frame
          register is already in argumentGPR0. In the future, the call frame will just be the
          machine FP and we won't have to do anything special. But for now the "call frame" is
          just a normal value in LLVM IR and may end up in any register. Make the OSR exit
          generation thunk generator polymorphic over the call frame argument's Location.

        - Move the stuff that depends on the polymorphic OSR exit generation thunk generator
          into the finalizer, since generating and linking one of those thunks requires a cache
          flush and we need to do that on the main thread.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::firstRegister):
        (JSC::ARMv7Assembler::lastRegister):
        (JSC::ARMv7Assembler::firstFPRegister):
        (JSC::ARMv7Assembler::lastFPRegister):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::firstFPRegister):
        (JSC::AbstractMacroAssembler::lastFPRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextFPRegister):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::firstFPRegister):
        (JSC::X86Assembler::lastFPRegister):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        (JSC::FTL::ExitThunkGenerator::emitThunks):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLocation.cpp: Added.
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::involvesGPR):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::restoreInto):
        (WTF::printInternal):
        * ftl/FTLLocation.h: Added.
        (JSC::FTL::Location::Location):
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        (JSC::FTL::Location::forConstant):
        (JSC::FTL::Location::kind):
        (JSC::FTL::Location::hasDwarfRegNum):
        (JSC::FTL::Location::dwarfRegNum):
        (JSC::FTL::Location::hasOffset):
        (JSC::FTL::Location::offset):
        (JSC::FTL::Location::hasConstant):
        (JSC::FTL::Location::constant):
        (JSC::FTL::Location::operator!):
        (JSC::FTL::Location::isHashTableDeletedValue):
        (JSC::FTL::Location::operator==):
        (JSC::FTL::Location::hash):
        (JSC::FTL::LocationHash::hash):
        (JSC::FTL::LocationHash::equal):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::requiredScratchMemorySizeInBytes):
        (JSC::FTL::offsetOfFPR):
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSaveRestore.h:
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::restoreInto):
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithoutStackMapThunkGenerator):
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-10-09  Filip Pizlo  <fpizlo@apple.com>

        FTL: Soft-link LLVM as a workaround for LLVM's static initializers and exit-time destructors
        https://bugs.webkit.org/show_bug.cgi?id=122566

        Reviewed by Mark Rowe.

        The JSC project now builds a libllvmForJSC.dylib. If FTL is enabled, this
        gets copied into JavaScriptCore.framework/Versions/A/Libraries. JSC will
        load the dylib by finding it using NSBundle APIs and then doing dlopen().
        That will only happen lazily, when something happens that requires LLVM.

        This mostly takes care of LLVM static initialization overhead by deferring
        it until it's really needed.

        This takes care of LLVM's exit-time destructors because inside
        libllvmForJSC.dylib, we override __cxa_atexit.

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/LLVMForJSC.xcconfig: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * disassembler/LLVMDisassembler.cpp:
        (JSC::tryToDisassembleWithLLVM):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::voidType):
        (JSC::FTL::int1Type):
        (JSC::FTL::int8Type):
        (JSC::FTL::int16Type):
        (JSC::FTL::int32Type):
        (JSC::FTL::int64Type):
        (JSC::FTL::intPtrType):
        (JSC::FTL::floatType):
        (JSC::FTL::doubleType):
        (JSC::FTL::pointerType):
        (JSC::FTL::structType):
        (JSC::FTL::functionType):
        (JSC::FTL::typeOf):
        (JSC::FTL::mdKindID):
        (JSC::FTL::mdString):
        (JSC::FTL::mdNode):
        (JSC::FTL::setMetadata):
        (JSC::FTL::addFunction):
        (JSC::FTL::setLinkage):
        (JSC::FTL::setFunctionCallingConv):
        (JSC::FTL::getParam):
        (JSC::FTL::constInt):
        (JSC::FTL::constReal):
        (JSC::FTL::constIntToPtr):
        (JSC::FTL::constBitCast):
        (JSC::FTL::appendBasicBlock):
        (JSC::FTL::insertBasicBlock):
        (JSC::FTL::buildPhi):
        (JSC::FTL::addIncoming):
        (JSC::FTL::buildAlloca):
        (JSC::FTL::buildAdd):
        (JSC::FTL::buildSub):
        (JSC::FTL::buildMul):
        (JSC::FTL::buildDiv):
        (JSC::FTL::buildRem):
        (JSC::FTL::buildNeg):
        (JSC::FTL::buildFAdd):
        (JSC::FTL::buildFSub):
        (JSC::FTL::buildFMul):
        (JSC::FTL::buildFDiv):
        (JSC::FTL::buildFRem):
        (JSC::FTL::buildFNeg):
        (JSC::FTL::buildAnd):
        (JSC::FTL::buildOr):
        (JSC::FTL::buildXor):
        (JSC::FTL::buildShl):
        (JSC::FTL::buildAShr):
        (JSC::FTL::buildLShr):
        (JSC::FTL::buildNot):
        (JSC::FTL::buildLoad):
        (JSC::FTL::buildStore):
        (JSC::FTL::buildSExt):
        (JSC::FTL::buildZExt):
        (JSC::FTL::buildFPToSI):
        (JSC::FTL::buildFPToUI):
        (JSC::FTL::buildSIToFP):
        (JSC::FTL::buildUIToFP):
        (JSC::FTL::buildIntCast):
        (JSC::FTL::buildFPCast):
        (JSC::FTL::buildIntToPtr):
        (JSC::FTL::buildPtrToInt):
        (JSC::FTL::buildBitCast):
        (JSC::FTL::buildICmp):
        (JSC::FTL::buildFCmp):
        (JSC::FTL::buildCall):
        (JSC::FTL::setTailCall):
        (JSC::FTL::buildExtractValue):
        (JSC::FTL::buildSelect):
        (JSC::FTL::buildBr):
        (JSC::FTL::buildCondBr):
        (JSC::FTL::buildSwitch):
        (JSC::FTL::addCase):
        (JSC::FTL::buildRet):
        (JSC::FTL::buildUnreachable):
        (JSC::FTL::dumpModule):
        (JSC::FTL::verifyModule):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::~Output):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::appendTo):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        (JSC::FTL::State::~State):
        * ftl/WebKitLLVMLibraryAnchor.cpp: Removed.
        * jsc.cpp:
        (jscmain):
        * llvm: Added.
        * llvm/InitializeLLVM.cpp: Added.
        (JSC::initializeLLVM):
        * llvm/InitializeLLVM.h: Added.
        * llvm/InitializeLLVMMac.mm: Added.
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVMPOSIX.cpp: Added.
        (JSC::initializeLLVMPOSIX):
        * llvm/InitializeLLVMPOSIX.h: Added.
        * llvm/LLVMAPI.cpp: Added.
        * llvm/LLVMAPI.h: Added.
        * llvm/LLVMAPIFunctions.h: Added.
        * llvm/LLVMHeaders.h: Added.
        * llvm/library: Added.
        * llvm/library/LLVMAnchor.cpp: Added.
        * llvm/library/LLVMExports.cpp: Added.
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp: Added.
        (__cxa_atexit):
        * llvm/library/config_llvm.h: Added.
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Options.h:

2013-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        currentThis and currentArguments crash if called from outside a callback
        https://bugs.webkit.org/show_bug.cgi?id=122620

        Reviewed by Filip Pizlo.

        The documentation for these methods claims that they will return nil if called
        from somewhere other than an API callback, but currently they both crash.

        * API/JSContext.mm:
        (+[JSContext currentThis]):
        (+[JSContext currentArguments]):
        * API/tests/testapi.mm:

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        Minor clean-ups in the JSC Xcode project.

        Rubber stamped by Mark Rowe.

        - When we copy the jsc binary into the framework,
          $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not
          the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc.

        - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in
          the project.

        Roll back in after confirming that Mark's fixes make this work right.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        CallbackData unnecessarily caches the JSValue for currentThis
        https://bugs.webkit.org/show_bug.cgi?id=122616

        Reviewed by Oliver Hunt.

        CallbackData implements its own version of caching the JSValue* for the JSValueRef it stores.
        +[JSValue valueWithJSValueRef:inContext:] already does caching, thus obviating the need for
        CallbackData to do its own caching.

        * API/JSContext.mm:
        (+[JSContext currentThis]):
        (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * API/JSContextInternal.h:

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r157193. It broke some builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-10  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/13341666> WebKit should always build against an SDK.

        Have all projects default to building against the OS X Internal SDK for the Production
        configuration. For the Debug and Release configurations, look for UseInternalSDK.xcconfig
        to determine whether the OS X Internal SDK should be used. If not, use the normal OS X SDK.

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:

2013-10-10  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/13871507> JavaScriptCore fails to build with C++ 98 conformance changes

        Reviewed by Andreas Kling.

        * heap/VTableSpectrum.cpp:
        (JSC::VTableSpectrum::dump): strrchr returns a const char* when passed one.
        Update the type of the local variable to accommodate that.

2013-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: blocks aren't callable via 'new'
        https://bugs.webkit.org/show_bug.cgi?id=122561

        Reviewed by Oliver Hunt.

        Currently the only way for clients to vend new native objects to JavaScript code
        is via factory methods in the form of exported class methods or blocks. Blocks can
        be called like normal functions from JavaScript code, but they cannot be invoked
        with 'new'. This would give a simple way for clients to expose constructor-like
        behavior to their JavaScript code.

        This patch adds the ability for blocks to be invoked as if they were a constructor.
        Blocks invoked as constructors are required to return an object. If the block doesn't
        return an object then an error is thrown. The 'this' object is not provided to the
        block and must be created within the block itself.

        This patch also unifies the native 'construct' callback used in both the C and Obj-C
        APIs under the APICallbackFunction struct, similar to how we unified the 'call' callback
        between ObjCCallbackFunction and JSCallbackFunction before.

        This patch also adds tests to make sure that different blocks generate objects that
        correctly behave when queried with instanceof. It also makes sure that the correct
        JS exception is thrown when a block fails to return an object.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::constructCallback):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::functionCallback):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::functionCallback):
        (JSC::ObjCCallbackFunction::constructCallback):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        (JSC::ObjCCallbackFunction::getConstructData):
        * API/tests/testapi.mm:

2013-10-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do simple OSR exits using llvm.webkit.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=122538

        Reviewed by Oliver Hunt.

        This gives the FTL the ability to OSR exit using the llvm.webkit.stackmap intrinsic.

        - The FTL compiles all OSR exit calls as calls to llvm.webkit.stackmap with a unique
          ID, passing a requested size that is big enough for own jump replacement.

        - After LLVM compilation, we parse the new LLVM stackmap section.

        - For all llvm.webkit.stackmaps that we used for OSR exits, we do a jumpReplacement,
          which targets exit thunks that we generate.

        - If an exit thunk fires, it causes JSC to compile an exit off-ramp that uses a
          combination of the JSC-internal OSR exit accounting (FTL::ExitValue and friends) and
          LLVM stackmap's accounting of where data actually ended up (register, indirect,
          constant) to reconstruct bytecode state.

        This still has shortcomings; for example it cannot handle XMM or YMM registers. Handling
        YMM registers will require adding some basic YMM support to our assemblers - really we
        just need the ability to move a YMM's value into a GPR.

        This patch preserves all of the old, intrinsic-less, FTL OSR exit support. Hence it
        manages to pass all existing FTL tests even despite its incompleteness. I think that's
        the right way to go since this is already a big patch, and anyway it would be great to
        keep the intrinsic-less FTL OSR exit support so long as the LLVM side of this hasn't
        landed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::firstRegister):
        (JSC::AbstractMacroAssembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::firstRegister):
        (JSC::X86Assembler::lastRegister):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCArgumentGetter.cpp:
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h:
        (JSC::FTL::CArgumentGetter::loadNextDoubleIntoGPR):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::dumpDataSection):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        (JSC::FTL::ExitThunkGenerator::emitThunks):
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isInJSStackSomehow):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITCode.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::generateExitThunks):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        (JSC::FTL::compileStubWithoutOSRExitStackmap):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLSaveRestore.cpp: Added.
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::requiredScratchMemorySizeInBytes):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSaveRestore.h: Added.
        * ftl/FTLStackMaps.cpp: Added.
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::Constant::dump):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::Location::involvesGPR):
        (JSC::FTL::StackMaps::Location::isGPR):
        (JSC::FTL::StackMaps::Location::gpr):
        (JSC::FTL::StackMaps::Location::restoreInto):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        (JSC::FTL::StackMaps::getRecordMap):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h: Added.
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * ftl/FTLValueFormat.h:
        * runtime/DataView.cpp:
        (JSC::DataView::create):
        * runtime/DataView.h:
        (JSC::DataView::read):
        * runtime/Options.h:

2013-10-09  Filip Pizlo  <fpizlo@apple.com>

        Minor clean-ups in the JSC Xcode project.

        Rubber stamped by Mark Rowe.

        - When we copy the jsc binary into the framework,
          $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not
          the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc.

        - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in
          the project.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-09  Julien Brianceau  <jbriance@cisco.com>

        [arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp.
        https://bugs.webkit.org/show_bug.cgi?id=122555

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):

2013-10-08  Michael Saboff  <msaboff@apple.com>

        Transition call and construct JITStubs to CCallHelper functions
        https://bugs.webkit.org/show_bug.cgi?id=122453

        Reviewed by Geoffrey Garen.

        Transitioned cti_op_call_eval to operationCallEval. Migrated baseline JIT to use the same
        call thunks as the DFG. Eliminated all of the "oldStyle" thunks and related functions.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlines.h:
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
905 * jit/JITStubs.h:
906 * jit/ThunkGenerators.cpp:
907 * jit/ThunkGenerators.h:
908
9092013-10-09 Julien Brianceau <jbriance@cisco.com>
910
911 [sh4] Fix lots of unused parameter warnings.
912 https://bugs.webkit.org/show_bug.cgi?id=122545
913
914 Reviewed by Csaba Osztrogonác.
915
916 * assembler/MacroAssemblerSH4.h:
917 (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
918 * assembler/SH4Assembler.h:
919 (JSC::SH4Assembler::andlImm8r):
920 (JSC::SH4Assembler::orlImm8r):
921 (JSC::SH4Assembler::xorlImm8r):
922 (JSC::SH4Assembler::cmpEqImmR0):
923 (JSC::SH4Assembler::testlImm8r):
924 (JSC::SH4Assembler::movwPCReg):
925 (JSC::SH4Assembler::movwMemReg):
926 (JSC::SH4Assembler::movbMemReg):
927 (JSC::SH4Assembler::printInstr):
928 (JSC::SH4Assembler::printBlockInstr):
929
9302013-10-09 Julien Brianceau <jbriance@cisco.com>
931
932 [sh4] Add sh4 support when building with CMake.
933 https://bugs.webkit.org/show_bug.cgi?id=122542
934
935 Reviewed by Csaba Osztrogonác.
936
937 * CMakeLists.txt:
938
9392013-10-08 Oliver Hunt <oliver@apple.com>
940
941 Convert for-of iteration to in-band signalling so we can trivially avoid unnecessary object allocation
942 https://bugs.webkit.org/show_bug.cgi?id=122532
943
944 Reviewed by Michael Saboff.
945
946 Switch for-of enumeration to use in-band signalling to determine the end
947 of iteration. This allows us to trivially remove an otherwise unnecessary
948 object allocation, and paves the way for optimised thunks in future.
949
950 We can re-add explicit .next() functions in future that would marshall
951 the true iteration functions, but for now we'll ignore them.
952
953 This results in a huge improvement in the performance of for-of (in the order
954 of 2x) but there's still a long way to go in order to get the performance to
955 a satisfactory level.
956
957 * bytecompiler/NodesCodegen.cpp:
958 (JSC::ForOfNode::emitBytecode):
959 * runtime/ArrayIteratorPrototype.cpp:
960 (JSC::ArrayIteratorPrototype::finishCreation):
961 (JSC::createIteratorResult):
962 * runtime/CommonIdentifiers.cpp:
963 (JSC::CommonIdentifiers::CommonIdentifiers):
964 * runtime/CommonIdentifiers.h:
965 * runtime/Identifier.cpp:
966 (JSC::Identifier::addSlowCase):
967 * runtime/JSObject.h:
968 (JSC::JSFinalObject::create):
969 * runtime/VM.cpp:
970 (JSC::VM::VM):
971 * runtime/VM.h:
972
9732013-10-08 Alex Christensen <achristensen@webkit.org>
974
975 Fixed compile errors while compiling without the JIT enabled.
976 https://bugs.webkit.org/show_bug.cgi?id=122530
977
978 Reviewed by Brent Fulgham.
979
980 * jit/JITOperations.cpp:
981 Protected with #if ENABLE(JIT) like the rest of the JIT source.
982
9832013-10-07 Mark Hahnenberg <mhahnenberg@apple.com>
984
985 JSManagedValue should be able to store non-object JSValues
986 https://bugs.webkit.org/show_bug.cgi?id=122351
987
988 Reviewed by Oliver Hunt.
989
990 We decided not to support this because we thought it didn't make sense to have a
991 "weak" JSValue that wasn't an object.
992
993 Our general thought process was if you have a JSObject-ObjC object pair (i.e. an
994 Obj-C object that you exported to JavaScript-land), it makes more sense to store
995 a non-object JSValue on the JavaScript-land version of the object rather than as
996 an ivar in the Objective-C object.
997
998 In retrospect, this may not have been a good decision at least w.r.t. consistency
999 in client code. If you're storing a bag of JSValues off an Obj-C object, you'd
1000 like to store all of them either in ObjC-land or JavaScript-land, but doing some
1001 in one and some in the other doesn't sound too good. Also, what if the object you
1002 want to hang these values off of doesn't have a corresponding object in JavaScript-
1003 land in which to store them?
1004
1005 The solution is to fix JSManagedValue to be able to reference non-object JSValues.
1006 Right now, all JSManagedValues contain a Weak<JSObject>. We'll change this so that
1007 they can contain either a non-cell JSValue or a JSObject*, along with a weak
1008 reference to the JSGlobalObject for reconstructing a JSValue later on.
1009
1010 * API/JSManagedValue.mm:
1011 (PrimitiveOrObject::PrimitiveOrObject):
1012 (PrimitiveOrObject::~PrimitiveOrObject):
1013 (PrimitiveOrObject::clear):
1014 (PrimitiveOrObject::isClear):
1015 (PrimitiveOrObject::isSet):
1016 (PrimitiveOrObject::isPrimitive):
1017 (PrimitiveOrObject::isObject):
1018 (PrimitiveOrObject::setPrimitive):
1019 (PrimitiveOrObject::setObject):
1020 (PrimitiveOrObject::object):
1021 (PrimitiveOrObject::primitive):
1022 (-[JSManagedValue initWithValue:]):
1023 (-[JSManagedValue value]):
1024 (-[JSManagedValue disconnectValue]):
1025
10262013-10-08 Robert Plociennik <r.plociennik@samsung.com>
1027
1028 JavaScriptCore fails to build
1029 https://bugs.webkit.org/show_bug.cgi?id=122440
1030
1031 Reviewed by Darin Adler.
1032
1033 Compilation fails in debug due to 'comparison of unsigned expression >= 0 is
1034 always true'.
1035
1036 * debugger/DebuggerCallFrame.cpp:
1037 (JSC::DebuggerCallFrame::positionForCallFrame): Removed the offending ASSERTS.
1038
10392013-10-07 Andreas Kling <akling@apple.com>
1040
1041 Pass VM instead of ExecState to JSNotAnObject constructor.
1042 <https://webkit.org/b/122474>
1043
1044 Reviewed by Sam Weinig.
1045
1046 JSNotAnObject was only using the ExecState to find the VM.
1047
10482013-10-07 Filip Pizlo <fpizlo@apple.com>
1049
1050 FTL memory allocator should be able to allocate data sections in non-executable memory
1051 https://bugs.webkit.org/show_bug.cgi?id=116189
1052
1053 Reviewed by Sam Weinig.
1054
1055 Use a RefCountedArray<int64_t> for data sections. This works out great because
1056 RefCountedArray<> knows its own size and because the reference counting makes passing
1057 it around very easy (you don't have to stress out about ownership).
1058
1059 * ftl/FTLCompile.cpp:
1060 (JSC::FTL::mmAllocateDataSection):
1061 (JSC::FTL::compile):
1062 * ftl/FTLJITCode.cpp:
1063 (JSC::FTL::JITCode::addDataSection):
1064 * ftl/FTLJITCode.h:
1065 (JSC::FTL::JITCode::dataSections):
1066
10672013-10-07 Roger Fong <roger_fong@apple.com>
1068
1069 Modify JavaScriptCore makefile for x64 build.
1070 https://bugs.webkit.org/show_bug.cgi?id=122467.
1071 <rdar://problem/15169174>.
1072
1073 Reviewed by Brent Fulgham.
1074
1075 * JavaScriptCore.vcxproj/JavaScriptCore.make:
1076
10772013-10-07 Nadav Rotem <nrotem@apple.com>
1078
1079 FTL: Optimize IsString(@2<String>) -> JSConst(true) + Phantom()
1080 https://bugs.webkit.org/show_bug.cgi?id=122363
1081
1082 Reviewed by Filip Pizlo.
1083
1084 * dfg/DFGFixupPhase.cpp:
1085 (JSC::DFG::FixupPhase::fixupNode):
1086
10872013-10-04 Michael Saboff <msaboff@apple.com>
1088
1089 Transition stack check JITStubs to CCallHelper functions
1090 https://bugs.webkit.org/show_bug.cgi?id=122289
1091
1092 Reviewed by Filip Pizlo.
1093
1094 Replaced jit stubs cti_stack_check, cti_op_call_arityCheck and cti_op_construct_arityCheck with
1095 jit operations operationStackCheck, operationCallArityCheck & operationConstructArityCheck.
1096 Added new callOperationWithCallFrameRollbackOnException() in baseline and DFG JITs to call
1097 these new functions. Added code to unwind one frame in JIT::privateCompileExceptionHandlers()
1098 and JITCompiler::compileExceptionHandlers() for these cases that need to throw exceptions in
1099 their caller frame when the stack is exhausted.
1100
1101 * assembler/MacroAssembler.h:
1102 (JSC::MacroAssembler::andPtr): Added to handle masking a pointer with a literal.
1103 * assembler/MacroAssemblerX86_64.h:
1104 (JSC::MacroAssemblerX86_64::and64): Added to handle masking a pointer with a literal.
1105 * dfg/DFGJITCompiler.cpp:
1106 (JSC::DFG::JITCompiler::compileExceptionHandlers):
1107 (JSC::DFG::JITCompiler::compileFunction):
1108 (JSC::DFG::JITCompiler::linkFunction):
1109 * dfg/DFGJITCompiler.h:
1110 (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
1111 * dfg/DFGSpeculativeJIT.h:
1112 (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1113 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1114 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1115 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
1116 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1117 * ftl/FTLLink.cpp:
1118 (JSC::FTL::link):
1119 * interpreter/CallFrame.h:
1120 (JSC::ExecState::hostCallFrameFlag):
1121 * jit/AssemblyHelpers.cpp:
1122 (JSC::AssemblyHelpers::jitAssertIsNull):
1123 * jit/AssemblyHelpers.h:
1124 (JSC::AssemblyHelpers::jitAssertIsNull):
1125 * jit/JIT.cpp:
1126 (JSC::JIT::privateCompile):
1127 (JSC::JIT::privateCompileExceptionHandlers):
1128 * jit/JIT.h:
1129 (JSC::JIT::exceptionCheckWithCallFrameRollback):
1130 * jit/JITInlines.h:
1131 (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1132 (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1133 * jit/JITOperations.cpp:
1134 * jit/JITOperations.h:
1135 * jit/JITStubs.cpp:
1136 * jit/JITStubs.h:
1137
11382013-10-07 Filip Pizlo <fpizlo@apple.com>
1139
1140 ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit
1141 https://bugs.webkit.org/show_bug.cgi?id=122419
1142
1143 Reviewed by Oliver Hunt.
1144
1145 AI was using JSValue::asUInt32() incorrectly. That method presumes that the input is
1146 both an int32 and a uint32 (it's in the range [0, 2^31)). The UInt32ToNumber node is
1147 instead dealing with an input that is always represented as an int32 but that has the
1148 meaning of a uint32 - so AI should use JSValue::asInt32() and then do the cast.
1149
1150 * dfg/DFGAbstractInterpreterInlines.h:
1151 (JSC::DFG::::executeEffects):
1152
11532013-10-07 Julien Brianceau <jbriance@cisco.com>
1154
1155 [sh4] Jump over maxJumpReplacementSize in revertJumpToMove.
1156 https://bugs.webkit.org/show_bug.cgi?id=120007
1157
1158 Reviewed by Oliver Hunt.
1159
1160 Jump over maxJumpReplacementSize in revertJumpToMove, even if there is no constant
1161 value within the area. This patch fixes debug ASSERT failures for the sh4 architecture.
1162
1163 * assembler/SH4Assembler.h:
1164 (JSC::SH4Assembler::revertJumpToMove):
1165
11662013-10-06 Anders Carlsson <andersca@apple.com>
1167
1168 Add OVERRIDE and virtual where appropriate
1169 https://bugs.webkit.org/show_bug.cgi?id=122439
1170
1171 Reviewed by Antti Koivisto.
1172
1173 * API/JSAPIWrapperObject.mm:
1174 * API/JSCallbackObject.h:
1175 (JSC::JSCallbackObjectData::~JSCallbackObjectData):
1176 * API/JSManagedValue.mm:
1177 * API/JSScriptRef.cpp:
1178 (OpaqueJSScript::~OpaqueJSScript):
1179 * bytecode/CodeBlock.h:
1180 * bytecode/StructureStubClearingWatchpoint.h:
1181 * dfg/DFGArrayifySlowPathGenerator.h:
1182 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1183 * dfg/DFGFailedFinalizer.h:
1184 * dfg/DFGJITCode.h:
1185 * dfg/DFGJITFinalizer.h:
1186 * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1187 * dfg/DFGSlowPathGenerator.h:
1188 * dfg/DFGSpeculativeJIT64.cpp:
1189 * heap/Heap.h:
1190 * heap/IncrementalSweeper.h:
1191 * heap/SuperRegion.h:
1192 * jit/ClosureCallStubRoutine.h:
1193 * jit/ExecutableAllocatorFixedVMPool.cpp:
1194 * jit/GCAwareJITStubRoutine.h:
1195 * jit/JITCode.h:
1196 * jit/JITStubs.cpp:
1197 * jit/JITToDFGDeferredCompilationCallback.h:
1198 * jit/JumpReplacementWatchpoint.h:
1199 * parser/Nodes.h:
1200 * runtime/DataView.h:
1201 * runtime/GCActivityCallback.h:
1202 * runtime/GenericTypedArrayView.h:
1203 * runtime/RegExpCache.h:
1204 * runtime/SimpleTypedArrayController.h:
1205 * runtime/WeakMapData.h:
1206
12072013-10-07 Filip Pizlo <fpizlo@apple.com>
1208
1209 Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit
1210 https://bugs.webkit.org/show_bug.cgi?id=122420
1211
1212 Reviewed by Michael Saboff.
1213
1214 For the (-2^31/-1)|0 case, we were returning the left operand (i.e. -2^31) but we were
1215 failing to account for the possibility that this operand has high-bit garbage and
1216 int32Result() requires that the high bits are zero.
1217
1218 * dfg/DFGSpeculativeJIT.cpp:
1219 (JSC::DFG::SpeculativeJIT::compileArithDiv):
1220
12212013-10-06 Filip Pizlo <fpizlo@apple.com>
1222
1223 ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit
1224 https://bugs.webkit.org/show_bug.cgi?id=122418
1225
1226 Reviewed by Oliver Hunt.
1227
1228 This is pretty awesome. With stack compression, Arguments created in the DFG will point
1229 their m_registers pointers into a different slab of stack than they would have in byte
1230 code.
1231
1232 Hence OSR exit must repoint any Arguments objects' m_registers pointers. It previously
1233 neglected to do so. This patch fixes that.
1234
1235 Fixing this unveiled another bug: the stack reversal broke the reification of inlined
1236 phantom arguments.
1237
1238 * dfg/DFGOSRExitCompiler32_64.cpp:
1239 (JSC::DFG::OSRExitCompiler::compileExit):
1240 * dfg/DFGOSRExitCompiler64.cpp:
1241 (JSC::DFG::OSRExitCompiler::compileExit):
1242 * dfg/DFGOSRExitCompilerCommon.cpp:
1243 (JSC::DFG::reifyInlinedCallFrames):
1244 * dfg/DFGSpeculativeJIT.cpp:
1245 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1246 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
1247 * dfg/DFGSpeculativeJIT64.cpp:
1248 (JSC::DFG::SpeculativeJIT::compile):
1249 * runtime/Arguments.h:
1250 (JSC::Arguments::offsetOfNumArguments):
1251 (JSC::Arguments::offsetOfRegisters):
1252 (JSC::Arguments::offsetOfSlowArgumentData):
1253 (JSC::Arguments::offsetOfOverrodeLength):
1254
12552013-10-06 Filip Pizlo <fpizlo@apple.com>
1256
1257 Unified test infrastructure via the jsc shell
1258 https://bugs.webkit.org/show_bug.cgi?id=120696
1259
1260 Reviewed by Oliver Hunt.
1261
1262 Add a mozilla-tests.yaml list. This is autogenerated by create-mozilla-js-test-list.
1263 I think it's better to leave this checked in; we may even just edit it directly in
1264 the future. Also generating it is not cheap.
1265
1266 Fix some low-hanging fruit bugs that I caught by introducing more test coverage.
1267
1268 - We were not emitting labels for CFA-unreachable blocks, which caused link errors.
1269 It's possible for a CFA-unreachable block to be jumped to, if the thing that causes
1270 it to be unreachable is a speculation in a Branch or peephole compare.
1271
1272 - The register allocation assertions didn't handle peephole branches correctly. Since
1273 the peephole branch handling returns early from compile(), the clearBlahbittyBlah()
1274 method wasn't being called.
1275
1276 * dfg/DFGSpeculativeJIT.cpp:
1277 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1278 * dfg/DFGSpeculativeJIT32_64.cpp:
1279 (JSC::DFG::SpeculativeJIT::compile):
1280 * dfg/DFGSpeculativeJIT64.cpp:
1281 (JSC::DFG::SpeculativeJIT::compile):
1282 * tests/mozilla/mozilla-tests.yaml: Added.
1283
12842013-10-05 Andreas Kling <akling@apple.com>
1285
1286 Pass VM instead of ExecState to StringObject constructor.
1287 <https://webkit.org/b/122395>
1288
1289 Reviewed by Sam Weinig.
1290
1291 StringObject() only uses the ExecState to find the VM.
1292
12932013-10-05 Filip Pizlo <fpizlo@apple.com>
1294
1295 Compress DFG stack layout
1296 https://bugs.webkit.org/show_bug.cgi?id=122024
1297
1298 Reviewed by Oliver Hunt.
1299
1300 The DFG needs to be able to store things at a known offset from frame pointer so that
1301 the runtime can read those things. Prior to this patch, the DFG would use the exact
1302 offsets that the bytecode asked for, even in the case of inlining, where it would use
1303 the callsite stack offset to shift all of the inlined function's variables over just as
1304 they would have been if a bytecode interpreter had really made the call.
1305
1306 But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of
1307 storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do
1308 that, but it would seriously complicate LLVM's stack layout. But what we might be able
1309 to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some
1310 alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed
1311 variables in a contiguous range that can be expressed to LLVM as a struct that we
1312 alloca, then all of this can still work just fine.
1313
1314 Previously the flushed variables didn't fit in a contiguous range, but this patch makes
1315 them contiguous by allowing the stack layout to be compressed.
1316
1317 What this really means is that there is now a distinction between where the DFG saw a
1318 variable stored in bytecode and where it will actually store it in the resulting machine
1319 code. Henceforth when the DFG says "local" or "virtual register" it means the variable
1320 according to bytecode (with the stack offsetting for inlined code as before), but when
1321 it says "machine local" or "machine virtual register" it means the actual place where it
1322 will store things in the resulting machine code. All of the OSR exit, inlined arguments,
1323 captured variables, and various stack unwinding machinery now knows about all of this.
1324
1325 Note that the DFG's abstract interpretation still uses bytecode variables rather than
1326 machine variables. Same for CSE and abstract heaps. This makes sense since it means that
1327 we don't have to decide on machine variable allocation just to do those optimizations.
1328
1329 The decision of what a local's machine location becomes is deferred to very late in
1330 compilation. We only need to assign machine locations to variables that must be stored
1331 to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the
1332 decision and updates all data structures.
1333
1334 So far the way that this is being used is just to compress the DFG stack layout, which
1335 is something that we should have done anyway, a long time ago. And the compression isn't
1336 even that good - the current StackLayoutPhase just identifies local indices that are
1337 unused in machine code and slides all other variables towards zero. This doesn't achieve
1338 particularly good compression but it is better than nothing. Note that this phase makes
1339 it seem like the bytecode-machine mapping is based on bytecode local indices; for
1340 example if bytecode local 4 is mapped to machine local 3 then it always will be. That's
1341 true for the current StackLayoutPhase but it _will not_ be true for all possible stack
1342 layout phases and it would be incorrect to assume that it should be true. This is why
1343 the current data structures have each VariableAccessData hold its own copy of the
1344 machine virtual register, and also have each InlineCallFrame report their own machine
1345 virtual registers for the various things. The DFG backend is likely to always use the
1346 dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to
1347 eventually get a better one, where we do some kind of constraint-based coloring: we
1348 institute constraints where some VariableAccessData's must have the same indices as some
1349 other ones, and also must be right next to some other ones; then we process all
1350 VariableAccessData's and attempt to assign them machine locals while preserving those
1351 constraints. This could lead to two VariableAccessDatas for the same bytecode local
1352 ending up with different machine locals.
1353
1354 * CMakeLists.txt:
1355 * GNUmakefile.list.am:
1356 * JavaScriptCore.xcodeproj/project.pbxproj:
1357 * bytecode/CodeBlock.cpp:
1358 (JSC::CodeBlock::CodeBlock):
1359 (JSC::CodeBlock::isCaptured):
1360 (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters):
1361 (JSC::CodeBlock::machineSlowArguments):
1362 * bytecode/CodeBlock.h:
1363 (JSC::CodeBlock::hasSlowArguments):
1364 * bytecode/CodeOrigin.cpp:
1365 (JSC::CodeOrigin::dump):
1366 (JSC::InlineCallFrame::calleeForCallFrame):
1367 (JSC::InlineCallFrame::dumpInContext):
1368 * bytecode/CodeOrigin.h:
1369 (JSC::InlineCallFrame::InlineCallFrame):
1370 (JSC::InlineCallFrame::calleeConstant):
1371 * bytecode/Operands.h:
1372 (JSC::Operands::indexForOperand):
1373 * dfg/DFGBasicBlock.cpp:
1374 (JSC::DFG::BasicBlock::SSAData::SSAData):
1375 * dfg/DFGBasicBlock.h:
1376 * dfg/DFGByteCodeParser.cpp:
1377 (JSC::DFG::ByteCodeParser::ByteCodeParser):
1378 (JSC::DFG::ByteCodeParser::get):
1379 (JSC::DFG::ByteCodeParser::getLocal):
1380 (JSC::DFG::ByteCodeParser::flushDirect):
1381 (JSC::DFG::ByteCodeParser::flush):
1382 (JSC::DFG::ByteCodeParser::handleInlining):
1383 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1384 (JSC::DFG::ByteCodeParser::parse):
1385 * dfg/DFGCommon.h:
1386 * dfg/DFGCommonData.h:
1387 (JSC::DFG::CommonData::CommonData):
1388 * dfg/DFGDesiredWriteBarriers.cpp:
1389 (JSC::DFG::DesiredWriteBarrier::trigger):
1390 * dfg/DFGDesiredWriteBarriers.h:
1391 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1392 (JSC::DFG::FlushLivenessAnalysisPhase::run):
1393 (JSC::DFG::FlushLivenessAnalysisPhase::process):
1394 (JSC::DFG::FlushLivenessAnalysisPhase::reportError):
1395 * dfg/DFGFlushedAt.cpp: Added.
1396 (JSC::DFG::FlushedAt::dump):
1397 (JSC::DFG::FlushedAt::dumpInContext):
1398 * dfg/DFGFlushedAt.h: Added.
1399 (JSC::DFG::FlushedAt::FlushedAt):
1400 (JSC::DFG::FlushedAt::operator!):
1401 (JSC::DFG::FlushedAt::format):
1402 (JSC::DFG::FlushedAt::virtualRegister):
1403 (JSC::DFG::FlushedAt::operator==):
1404 (JSC::DFG::FlushedAt::operator!=):
1405 * dfg/DFGGraph.cpp:
1406 (JSC::DFG::Graph::Graph):
1407 (JSC::DFG::Graph::dump):
1408 * dfg/DFGGraph.h:
1409 (JSC::DFG::Graph::bytecodeRegisterForArgument):
1410 (JSC::DFG::Graph::argumentsRegisterFor):
1411 (JSC::DFG::Graph::machineArgumentsRegisterFor):
1412 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
1413 (JSC::DFG::Graph::activationRegister):
1414 (JSC::DFG::Graph::uncheckedActivationRegister):
1415 (JSC::DFG::Graph::machineActivationRegister):
1416 (JSC::DFG::Graph::uncheckedMachineActivationRegister):
1417 * dfg/DFGJITCompiler.cpp:
1418 (JSC::DFG::JITCompiler::link):
1419 * dfg/DFGJITCompiler.h:
1420 (JSC::DFG::JITCompiler::noticeOSREntry):
1421 * dfg/DFGNode.h:
1422 (JSC::DFG::Node::convertToGetLocalUnlinked):
1423 (JSC::DFG::Node::convertToGetLocal):
1424 (JSC::DFG::Node::machineLocal):
1425 (JSC::DFG::Node::hasUnlinkedMachineLocal):
1426 (JSC::DFG::Node::setUnlinkedMachineLocal):
1427 (JSC::DFG::Node::unlinkedMachineLocal):
1428 (JSC::DFG::Node::hasInlineStartData):
1429 (JSC::DFG::Node::inlineStartData):
1430 * dfg/DFGNodeFlags.cpp:
1431 (JSC::DFG::dumpNodeFlags):
1432 * dfg/DFGOSREntry.cpp:
1433 (JSC::DFG::prepareOSREntry):
1434 * dfg/DFGOSREntry.h:
1435 (JSC::DFG::OSREntryReshuffling::OSREntryReshuffling):
1436 * dfg/DFGOSRExitCompiler64.cpp:
1437 (JSC::DFG::OSRExitCompiler::compileExit):
1438 * dfg/DFGOSRExitCompilerCommon.cpp:
1439 (JSC::DFG::reifyInlinedCallFrames):
1440 * dfg/DFGOperations.cpp:
1441 * dfg/DFGOperations.h:
1442 * dfg/DFGPlan.cpp:
1443 (JSC::DFG::Plan::compileInThreadImpl):
1444 * dfg/DFGScoreBoard.h:
1445 (JSC::DFG::ScoreBoard::ScoreBoard):
1446 * dfg/DFGSpeculativeJIT.cpp:
1447 (JSC::DFG::SpeculativeJIT::compileInlineStart):
1448 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1449 (JSC::DFG::SpeculativeJIT::createOSREntries):
1450 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1451 * dfg/DFGSpeculativeJIT.h:
1452 (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
1453 (JSC::DFG::SpeculativeJIT::callFrameSlot):
1454 (JSC::DFG::SpeculativeJIT::argumentSlot):
1455 (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
1456 (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
1457 (JSC::DFG::SpeculativeJIT::argumentTagSlot):
1458 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
1459 (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters):
1460 (JSC::DFG::SpeculativeJIT::callOperation):
1461 (JSC::DFG::SpeculativeJIT::recordSetLocal):
1462 * dfg/DFGSpeculativeJIT32_64.cpp:
1463 (JSC::DFG::SpeculativeJIT::emitCall):
1464 (JSC::DFG::SpeculativeJIT::compile):
1465 * dfg/DFGSpeculativeJIT64.cpp:
1466 (JSC::DFG::SpeculativeJIT::emitCall):
1467 (JSC::DFG::SpeculativeJIT::compile):
1468 * dfg/DFGStackLayoutPhase.cpp: Added.
1469 (JSC::DFG::StackLayoutPhase::StackLayoutPhase):
1470 (JSC::DFG::StackLayoutPhase::run):
1471 (JSC::DFG::performStackLayout):
1472 * dfg/DFGStackLayoutPhase.h: Added.
1473 * dfg/DFGValidate.cpp:
1474 (JSC::DFG::Validate::validate):
1475 * dfg/DFGVariableAccessData.h:
1476 (JSC::DFG::VariableAccessData::machineLocal):
1477 (JSC::DFG::VariableAccessData::flushedAt):
1478 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1479 (JSC::DFG::VirtualRegisterAllocationPhase::run):
1480 * ftl/FTLExitValue.h:
1481 (JSC::FTL::ExitValue::inJSStack):
1482 (JSC::FTL::ExitValue::inJSStackAsInt32):
1483 (JSC::FTL::ExitValue::inJSStackAsInt52):
1484 (JSC::FTL::ExitValue::inJSStackAsDouble):
1485 (JSC::FTL::ExitValue::virtualRegister):
1486 * ftl/FTLLowerDFGToLLVM.cpp:
1487 (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
1488 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
1489 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1490 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
1491 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1492 * ftl/FTLOSRExitCompiler.cpp:
1493 (JSC::FTL::compileStub):
1494 * ftl/FTLValueSource.cpp:
1495 (JSC::FTL::ValueSource::dump):
1496 * ftl/FTLValueSource.h:
1497 (JSC::FTL::ValueSource::ValueSource):
1498 (JSC::FTL::ValueSource::kind):
1499 (JSC::FTL::ValueSource::operator!):
1500 (JSC::FTL::ValueSource::node):
1501 (JSC::FTL::ValueSource::virtualRegister):
1502 * interpreter/Interpreter.cpp:
1503 (JSC::unwindCallFrame):
1504 * interpreter/StackVisitor.cpp:
1505 (JSC::StackVisitor::readInlinedFrame):
1506 (JSC::StackVisitor::Frame::createArguments):
1507 (JSC::StackVisitor::Frame::existingArguments):
1508 * interpreter/StackVisitor.h:
1509 * jit/AssemblyHelpers.h:
1510 (JSC::AssemblyHelpers::addressFor):
1511 (JSC::AssemblyHelpers::tagFor):
1512 (JSC::AssemblyHelpers::payloadFor):
1513 (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis):
1514 * runtime/Arguments.cpp:
1515 (JSC::Arguments::tearOff):
1516 * runtime/Arguments.h:
1517 (JSC::Arguments::allocateSlowArguments):
1518 (JSC::Arguments::tryDeleteArgument):
1519 (JSC::Arguments::isDeletedArgument):
1520 (JSC::Arguments::isArgument):
1521 (JSC::Arguments::argument):
1522 (JSC::Arguments::finishCreation):
1523 * runtime/JSActivation.h:
1524 (JSC::JSActivation::create):
1525 (JSC::JSActivation::JSActivation):
1526 * runtime/JSFunction.cpp:
1527 (JSC::RetrieveArgumentsFunctor::operator()):
1528
15292013-10-05 Anders Carlsson <andersca@apple.com>
1530
1531 Remove createOwned
1532 https://bugs.webkit.org/show_bug.cgi?id=122388
1533
1534 Reviewed by Darin Adler.
1535
1536 * profiler/ProfilerDatabase.cpp:
1537 (JSC::Profiler::Database::save):
1538
15392013-10-05 Darin Adler <darin@apple.com>
1540
1541 Cut down on use of String::number
1542 https://bugs.webkit.org/show_bug.cgi?id=122382
1543
1544 Reviewed by Anders Carlsson.
1545
1546 * API/JSCallbackObjectFunctions.h:
1547 (JSC::JSCallbackObject::putByIndex): Use Identifier::from instead of calling
1548 String::number and creating an identifier from that. Can save creating and then
1549 destroying a string if an identifier already exists.
1550 * runtime/Arguments.cpp:
1551 (JSC::Arguments::getOwnPropertySlotByIndex): Ditto.
1552 (JSC::Arguments::getOwnPropertyNames): Ditto.
1553 (JSC::Arguments::putByIndex): Ditto.
1554 * runtime/JSGenericTypedArrayViewInlines.h:
1555 (JSC::::getOwnPropertyNames): Ditto.
1556 * runtime/StringObject.cpp:
1557 (JSC::StringObject::getOwnPropertyNames): Ditto.
1558
15592013-10-04 Mark Lam <mark.lam@apple.com>
1560
1561 Change ScriptDebugServer to use DebuggerCallFrame instead of JavaScriptCallFrame.
1562 https://bugs.webkit.org/show_bug.cgi?id=121969.
1563
1564 Reviewed by Geoffrey Garen.
1565
1566 1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame.
1567 DebuggerCallFrame now tracks whether it is valid instead of needing
1568 JavaScriptCallFrame do it.
1569 2. ScriptDebugServer now only instantiates a DebuggerCallFrame when needed
1570 just before it pauses and calls back to its client, and then invalidates
1571 it immediately when the callback returns. Every subsequent callback to
1572 the client will use a new instance of the DebuggerCallFrame.
1573 3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when
1574 it "pauses".
1575 4. DebuggerCallFrame only creates its caller DebuggerCallFrame when
1576 it is needed i.e. when the client calls callerFrame(). Similarly,
1577 JavaScriptCallFrame only creates its caller when it's requested.
1578 5. DebuggerCallFrame's line() and column() now return a base-zero int.
1579 6. WebScriptDebugDelegate now only caches the functionName of the frame
1580 instead of the entire DebuggerCallFrame because that is all that is
1581 needed.
1582 7. Also removed evaluateInGlobalCallFrame() which is not used anywhere.
1583
1584 * debugger/Debugger.cpp:
1585 * debugger/Debugger.h:
1586 * debugger/DebuggerCallFrame.cpp:
1587 (JSC::DebuggerCallFrame::DebuggerCallFrame):
1588 (JSC::DebuggerCallFrame::callerFrame):
1589 (JSC::DebuggerCallFrame::dynamicGlobalObject):
1590 (JSC::DebuggerCallFrame::sourceId):
1591 (JSC::DebuggerCallFrame::functionName):
1592 (JSC::DebuggerCallFrame::scope):
1593 (JSC::DebuggerCallFrame::type):
1594 (JSC::DebuggerCallFrame::thisValue):
1595 (JSC::DebuggerCallFrame::evaluate):
1596 (JSC::DebuggerCallFrame::evaluateWithCallFrame):
1597 (JSC::DebuggerCallFrame::invalidate):
1598 (JSC::DebuggerCallFrame::positionForCallFrame):
1599 (JSC::DebuggerCallFrame::sourceIdForCallFrame):
1600 (JSC::DebuggerCallFrame::thisValueForCallFrame):
1601 * debugger/DebuggerCallFrame.h:
1602 (JSC::DebuggerCallFrame::create):
1603 (JSC::DebuggerCallFrame::exec):
1604 (JSC::DebuggerCallFrame::line):
1605 (JSC::DebuggerCallFrame::column):
1606 (JSC::DebuggerCallFrame::position):
1607 (JSC::DebuggerCallFrame::isValid):
1608 * interpreter/StackVisitor.cpp:
1609
2013-10-04  Brent Fulgham  <bfulgham@apple.com>

        Silence compiler warning when building 64-bit (on Windows)

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h: Add a static cast for assignment.

2013-10-04  Nadav Rotem  <nrotem@apple.com>

        FTL: Add support for ValueToInt32(bool(x))
        https://bugs.webkit.org/show_bug.cgi?id=122346

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):

2013-10-04  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * runtime/JSArrayIterator.cpp:

2013-10-04  Oliver Hunt  <oliver@apple.com>

        Support for-of syntax
        https://bugs.webkit.org/show_bug.cgi?id=122339

        Reviewed by Geoffrey Garen.

        Add support for for-of syntax to JSC. As part of doing this I had to make
        us support unique empty strings as identifiers. In a follow-on patch I'm
        going to remove the distinction entirely as it's purely a complicating
        separation.

        Otherwise the logic here is fairly self-explanatory.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::emitCall):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::ForOfNode::emitBytecode):
        * jit/JITOperations.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForOfLoop):
        * parser/NodeConstructors.h:
        (JSC::EnumerationNode::EnumerationNode):
        (JSC::ForInNode::ForInNode):
        (JSC::ForOfNode::ForOfNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        * parser/Parser.h:
        (JSC::Parser::isofToken):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForOfLoop):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::arrayIteratorPrototypeIterate):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::create):
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Identifier.h:
        (JSC::Identifier::from):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        FTL::OSRExit::convertToForward() shouldn't misuse Operands<>::operator[]
        https://bugs.webkit.org/show_bug.cgi?id=122336

        Reviewed by Geoffrey Garen.

        Changed code in change set r156900 to use the operand() accessor instead of operator[].

        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::convertToForward):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index
        https://bugs.webkit.org/show_bug.cgi?id=122332

        Reviewed by Oliver Hunt.

        Changed the uses of .offset(), which returns a negative number for locals, to be
        toLocal() which returns a local's ordinal number.

        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::convertToForward):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        Add callOperation to Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=122306

        Reviewed by Geoffrey Garen.

        Created baseline JIT compatible versions for a few flavors of callOperation().
        Migrated cti_op_new_regexp() and its caller to callOperation(operationNewRegexp()).

        * dfg/DFGOperations.cpp: Moved operationNewRegexp() to JITOperations
        * dfg/DFGOperations.h:
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-03  Mark Rowe  <mrowe@apple.com>

        REGRESSION (r156811): WebCore rebuilds from scratch when doing an incremental build

        The change in r156811 resulted in several public headers in the JavaScriptCore framework having their modification
        date touched on every build, even if their contents had not changed. This resulted in a large portion of WebCore
        needing to be rebuilt after an incremental build of JavaScriptCore.

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj: Have unifdef generate its output to a temporary file. If its exit status
        indicates that the content did not change, remove the temporary file. If the content changed, move the temporary file
        over the destination.

2013-10-03  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Clean up the
        paths for various files added outside of Visual Studio. They are all
        displayed in the root of the project, rather than the proper sub-folder.

2013-10-03  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update solutions and projects to support 64-bit builds.
        https://bugs.webkit.org/show_bug.cgi?id=122225

        Reviewed by Anders Carlsson.

        Revise ordering of CPU(X86) and CPU(X86_64) tests, because MSVC always defines
        both when targeting a 64-bit build.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add an x64 target
        for 64-bit builds.

2013-10-03  Michael Saboff  <msaboff@apple.com>

        Eliminate unused JITStub function declarations
        https://bugs.webkit.org/show_bug.cgi?id=122288

        Reviewed by Geoffrey Garen.

        Removed unused JITStub declarations.

        * jit/JITStubs.h:

2013-10-03  Sergio Correia  <sergio.correia@openbossa.org>

        [EFL] [DEBUG] JavaScriptCore fails to build
        https://bugs.webkit.org/show_bug.cgi?id=122267

        Reviewed by Michael Saboff.

        Build fails due to an expression containing comparison between signed
        and unsigned integer.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Add cast to avoid signed vs.
        unsigned comparison warning.

2013-10-03  Nadav Rotem  <nrotem@apple.com>

        DFG: ConstProp the pattern ValueToInt32(Bool(x)) -> Int32(x)
        https://bugs.webkit.org/show_bug.cgi?id=122263

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-10-02  Dan Bernstein  <mitz@apple.com>

        REGRESSION (r156811): Objective-C JavaScriptCore API test failing on Mountain Lion bots
        https://bugs.webkit.org/show_bug.cgi?id=122260

        Reviewed by Mark Rowe.

        For the API to work, the tests need to be compiled with a newer version of the LLVM
        compiler. Until the bots are updated to that version, disable the tests on 10.8.

        * API/tests/testapi.mm:

2013-10-02  Mark Lam  <mark.lam@apple.com>

        Make LLINT exception stack unwinding consistent with the JIT.
        https://bugs.webkit.org/show_bug.cgi?id=122255.

        Reviewed by Filip Pizlo.

        Previously, the CommonSlowPaths code was expected to behave in an
        inconsistent way in terms of whether to unwind the stack when handling
        exceptions or not. For the LLINT, the slow path should unwind the stack
        before returning. For the JIT, the slow path should not unwind the stack.
        This can result in the stack being unwound twice when the exception
        being handled is a TerminationException.

        This patch fixes the LLINT's expectation so that it expects the same
        slow path behavior as the JIT does.

        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):

2013-10-02  Filip Pizlo  <fpizlo@apple.com>

        The DFG should always use DFG::Graph methods for determining where special registers are
        https://bugs.webkit.org/show_bug.cgi?id=122248

        Reviewed by Michael Saboff.

        This makes it possible to have the DFG use different registers than the other engines
        for things like activation and arguments.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::activationRegister):
        (JSC::DFG::Graph::uncheckedActivationRegister):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor):

2013-10-02  Dan Bernstein  <mitz@apple.com>

        The Objective-C API should be available in 10.8 builds
        https://bugs.webkit.org/show_bug.cgi?id=122245

        Reviewed by Mark Rowe.

        Enabled the Objective-C API when building on OS X 10.8 with the modern Objective-C runtime,
        but kept the availability attributes in API headers for 10.9 and later as they were.

        * API/JSBase.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, made
        JSC_OBJC_API_ENABLED true on 10.8 and above.
        * API/JSContext.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, marked the class
        as available on all OS X versions.
        * API/JSManagedValue.h: Ditto.
        * API/JSValue.h: Ditto.
        * API/JSVirtualMachine.h: Ditto.
        * Configurations/Base.xcconfig: Added JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 to
        GCC_PREPROCESSOR_DEFINITIONS.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase to unifdef the
        above header files with JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 either defined or not based on
        the OS X version we are targeting.

2013-10-02  Michael Saboff  <msaboff@apple.com>

        Make Baseline JIT exception handling work like the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=122244

        Reviewed by Filip Pizlo.

        Added a jump list (m_exceptionChecks) to JIT as a common place for exception processing within
        generated code. Added exceptionCheck() helpers that check for an exception and add a branch
        to the list.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::JIT::exceptionCheck):

2013-10-02  Oliver Hunt  <oliver@apple.com>

        Fix MSVC build

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-02  Geoffrey Garen  <ggaren@apple.com>

        Optimized VM access from C++ code
        https://bugs.webkit.org/show_bug.cgi?id=122241

        Reviewed by Filip Pizlo.

        * runtime/JSScope.h:
        (JSC::JSScope::vm): Use MarkedBlock instead of Heap, since both have a
        pointer to the VM, and Heap is one extra load.

2013-10-02  Michael Saboff  <msaboff@apple.com>

        The LLInt should not use JITStackFrame
        https://bugs.webkit.org/show_bug.cgi?id=122231

        Reviewed by Filip Pizlo.

        Replaced uses of JITStackFrame::vm with code to either access the vm via the CodeBlock from
        known JavaScript call frames or via the JSScope* for host call frames. This eliminates
        all uses of JITStackFrame from the LLInt.

        * heap/MarkedBlock.h: Made LLIntOffsetsExtractor a friend to access member offsets.
        * heap/WeakSet.h: Made LLIntOffsetsExtractor a friend to access member offsets.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Added an ASSERT for the newly added MarkedBlockMask
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-01  Oliver Hunt  <oliver@apple.com>

        Implement Array key, value and entries iterators
        https://bugs.webkit.org/show_bug.cgi?id=122195

        Reviewed by Filip Pizlo.

        Add implementation of ES6 Array iterators for keys(), values() and entries()

        Fairly self-explanatory as we just need a simple implementation so that we can
        implement and test other features.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayIteratorConstructor.cpp: Added.
        (JSC::ArrayIteratorConstructor::finishCreation):
        * runtime/ArrayIteratorConstructor.h: Added.
        (JSC::ArrayIteratorConstructor::create):
        (JSC::ArrayIteratorConstructor::createStructure):
        (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor):
        * runtime/ArrayIteratorPrototype.cpp: Added.
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorPrototypeNext):
        * runtime/ArrayIteratorPrototype.h: Added.
        (JSC::ArrayIteratorPrototype::create):
        (JSC::ArrayIteratorPrototype::createStructure):
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncValues):
        (JSC::arrayProtoFuncEntries):
        (JSC::arrayProtoFuncKeys):
        * runtime/CommonIdentifiers.h:
        * runtime/Identifier.h:
        (JSC::Identifier::createEmptyUnique):
        * runtime/JSArrayIterator.cpp: Added.
        (JSC::JSArrayIterator::finishCreation):
        * runtime/JSArrayIterator.h: Added.
        (JSC::JSArrayIterator::createStructure):
        (JSC::JSArrayIterator::create):
        (JSC::JSArrayIterator::iterationKind):
        (JSC::JSArrayIterator::iteratedObject):
        (JSC::JSArrayIterator::nextIndex):
        (JSC::JSArrayIterator::setNextIndex):
        (JSC::JSArrayIterator::finish):
        (JSC::JSArrayIterator::JSArrayIterator):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::iteratorResultStructure):

2013-10-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        get_callee and to_this aren't properly cleared during finalizeUnconditionally
        https://bugs.webkit.org/show_bug.cgi?id=122224

        Reviewed by Geoffrey Garen.

        Even though there is code to clear unmarked inline cache objects in finalizeUnconditionally,
        it will never run because get_callee and to_this weren't added to the proper Vector in the
        UnlinkedCodeBlock that is iterated during finalizeUnconditionally.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCreateThis):

2013-09-25  Oliver Hunt  <oliver@apple.com>

        Implement prefixed-destructuring assignment
        https://bugs.webkit.org/show_bug.cgi?id=121930

        Reviewed by Mark Hahnenberg.

        Relanding with fix after rollout - it helps to not completely destroy
        optimisations for no reason.

2013-10-02  Nadav Rotem  <nrotem@apple.com>

        FTL: Refactor compileArithDiv and compileArithMod into one function.
        https://bugs.webkit.org/show_bug.cgi?id=122205

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithDivMod):

2013-10-02  Anders Carlsson  <andersca@apple.com>

        Get rid of Qt code from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=122223

        Reviewed by Oliver Hunt.

        * API/JSStringRefQt.cpp: Removed.
        * API/JSStringRefQt.h: Removed.
        * API/OpaqueJSString.h:
        * DerivedSources.pri: Removed.
        * JavaScriptCore.pri: Removed.
        * JavaScriptCore.pro: Removed.
        * LLIntOffsetsExtractor.pro: Removed.
        * Target.pri: Removed.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshift32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch):
        * assembler/MacroAssemblerX86Common.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerEvent):
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::scheduleTimer):
        * heap/IncrementalSweeper.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSub32Constant):
        * jsc.cpp:
        (main):
        * jsc.pro: Removed.
        * runtime/DateConstructor.cpp:
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        * runtime/GCActivityCallback.h:
        * testRegExp.cpp:
        (main):
        * yarr/yarr.pri: Removed.

2013-10-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use the new version of LLVM MCJIT memory manager APIs that take a SectionName
        https://bugs.webkit.org/show_bug.cgi?id=122193

        Reviewed by Geoffrey Garen.

        Update our usage of the LLVM C API since the API is about to change.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):

2013-10-01  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(156464): 50% regression on SunSpider/string-fasta
        https://bugs.webkit.org/show_bug.cgi?id=122202

        Unreviewed, roll out r156464.

        This is a progression on string-fasta, since it fixes the regression.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::FuncExprNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::addVar):
        * parser/NodeConstructors.h:
        (JSC::CommaNode::CommaNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FunctionParameters::~FunctionParameters):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isDotAccessorNode):
        (JSC::CommaNode::append):
        (JSC::ParameterNode::ident):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::identifiers):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseVarDeclaration):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        (JSC::Parser::declareParameter):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:

2013-10-01  Filip Pizlo  <fpizlo@apple.com>

        Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value
        https://bugs.webkit.org/show_bug.cgi?id=122178

        Reviewed by Geoffrey Garen.

        Now if the DFG stores the value of a variable into the stack explicitly via a SetLocal,
        it will record where on the stack it stored the value in addition to recording where on
        the stack the bytecode would have done the SetLocal. Previously it just recorded the
        format and the bytecode variable. Recording just the bytecode variable is currently fine
        since the DFG always executes SetLocal's to the same stack location that the bytecode
        would have used. But that prevents stack compression (webkit.org/b/122024) so this patch
        allows the SetLocal to say both the bytecode variable that we're speaking of and the
        actual stack location to which the SetLocal stored the value.

        This had to touch a lot of code, so I took the opportunity to also resolve
        webkit.org/b/108019.

        * bytecode/Operands.h:
        (JSC::Operands::hasOperand):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::dataFormatFor):
        * dfg/DFGMinifiedID.h:
        (JSC::DFG::MinifiedID::bits):
        (JSC::DFG::MinifiedID::invalidID):
        (JSC::DFG::MinifiedID::otherInvalidID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::recordSetLocal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::forDataFormat):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::valueRecovery):
        (JSC::DFG::ValueSource::id):
        (JSC::DFG::ValueSource::virtualRegister):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::fillGPR):
        (JSC::DFG::VariableEvent::fillPair):
        (JSC::DFG::VariableEvent::fillFPR):
        (JSC::DFG::VariableEvent::spill):
        (JSC::DFG::VariableEvent::death):
        (JSC::DFG::VariableEvent::setLocal):
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (JSC::DFG::VariableEvent::gpr):
        (JSC::DFG::VariableEvent::tagGPR):
        (JSC::DFG::VariableEvent::payloadGPR):
        (JSC::DFG::VariableEvent::fpr):
        (JSC::DFG::VariableEvent::spillRegister):
        (JSC::DFG::VariableEvent::bytecodeRegister):
        (JSC::DFG::VariableEvent::machineRegister):
        (JSC::DFG::VariableEvent::variableRepresentation):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):

2013-10-01  Nadav Rotem  <nrotem@apple.com>

        FTL: split overflow checks into non-overflow arithmetic and an additional call to the overflow intrinsic check.
        https://bugs.webkit.org/show_bug.cgi?id=122170

        Reviewed by Filip Pizlo.

        Overflow intrinsics are preventing SCEV and other LLVM analysis passes from analyzing loops. This patch changes the FTL-IR gen by splitting arithmetic calculations into two parts:
        1. Generate the arithmetic calculation (that may overflow)
        2. Generate the overflow check (that is only used by the OSR-exit logic).

        We trust LLVM (SelectionDAG) to merge these calculations into a single opcode.

        This JS function:

            function foo() {
                for (i=0; i < 10000000; i++) { }
            }

        Is now compiled into this LLVM-IR:

            "OSR exit continuation for @24<Int32>": ; preds = %"Block #0", %"OSR exit continuation for @24<Int32>2"
              %4 = phi i64 [ %10, %"OSR exit continuation for @24<Int32>2" ], [ -281474976710656, %"Block #0" ]
              %5 = trunc i64 %4 to i32
              %6 = add i32 %5, 1
              %7 = tail call { i32, i1 } @llvm.sadd.with.overflow.i32(i32 %5, i32 1)
              %8 = extractvalue { i32, i1 } %7, 1
              br i1 %8, label %"OSR exit failCase for @24<Int32>1", label %"OSR exit continuation for @24<Int32>2"

        And into this assembly:

            LBB0_1:                                 ## %OSR exit continuation for @24<Int32>
                                                    ## =>This Inner Loop Header: Depth=1
                movl    %ecx, %esi
                incl    %esi
                jo      LBB0_4

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):

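The two-part lowering described in the entry above (the wrapping add as one operation, the overflow predicate as a separate one that only the exit path consumes) can be shown outside LLVM. The following C program is an added example written for this page, not JavaScriptCore or WebKit code. It computes the 32-bit sum in unsigned arithmetic so the wrap is well defined, derives the overflow flag from operand and result signs independently of the sum (the role the `extractvalue` of `@llvm.sadd.with.overflow.i32` plays in the IR), and cross-checks that split form against the compiler's fused `__builtin_add_overflow` on boundary inputs. The names `split_add`, `count_with_exit` and `mismatches_on_boundary_cases` are this example's own; the loop limit of 10000000 is taken from the entry's `foo()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of the "split" lowering: the wrapped sum plus an overflow flag that
 * is computed independently of the sum, mirroring the `add i32` /
 * `@llvm.sadd.with.overflow.i32` pair in the ChangeLog entry above. */
typedef struct {
    int32_t value;
    bool overflowed;
} SplitAdd;

/* Part 1: the arithmetic that may overflow. Done in unsigned arithmetic so the
 * two's-complement wrap is defined behaviour rather than signed-overflow UB. */
static int32_t wrapping_add32(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Part 2: the overflow predicate, derived from signs only. A signed add
 * overflows exactly when both operands share a sign and the result's sign
 * differs from it; (a ^ r) & (b ^ r) is negative precisely in that case. */
static bool add_overflows32(int32_t a, int32_t b)
{
    int32_t r = wrapping_add32(a, b);
    return ((a ^ r) & (b ^ r)) < 0;
}

SplitAdd split_add(int32_t a, int32_t b)
{
    SplitAdd s;
    s.value = wrapping_add32(a, b);       /* consumed by the loop body */
    s.overflowed = add_overflows32(a, b); /* consumed only by the exit branch */
    return s;
}

/* Reference: the fused form a backend emits (incl; jo) via the compiler builtin.
 * On overflow the builtin stores the wrapped result, like the IR's `add i32`. */
bool fused_add_overflows(int32_t a, int32_t b, int32_t *out)
{
    return __builtin_add_overflow(a, b, out);
}

/* Models the loop in the entry: i++ until `limit`, taking the exit path
 * (returning -1) instead of continuing on a wrapped value when the add
 * overflows. Returns the number of completed iterations otherwise. */
int64_t count_with_exit(int32_t start, int64_t limit)
{
    int32_t i = start;
    int64_t iterations = 0;
    while (i < limit) {
        SplitAdd s = split_add(i, 1);
        if (s.overflowed)
            return -1; /* "OSR exit failCase": bail out, never trust the wrapped value */
        i = s.value;
        iterations++;
    }
    return iterations;
}

/* Cross-checks the split predicate against the fused builtin on boundary
 * inputs. Returns the number of disagreements; 0 means the two lowerings agree
 * on both the flag and the wrapped value for every probed pair. */
int mismatches_on_boundary_cases(void)
{
    static const int32_t probes[] = { 0, 1, -1, INT32_MAX, INT32_MIN,
                                      INT32_MAX - 1, INT32_MIN + 1 };
    const int n = (int)(sizeof probes / sizeof probes[0]);
    int bad = 0;
    for (int x = 0; x < n; x++) {
        for (int y = 0; y < n; y++) {
            int32_t fused;
            bool fo = fused_add_overflows(probes[x], probes[y], &fused);
            SplitAdd s = split_add(probes[x], probes[y]);
            if (fo != s.overflowed || fused != s.value)
                bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("mismatches vs fused builtin: %d\n", mismatches_on_boundary_cases());
    printf("iterations to 10000000: %lld\n", (long long)count_with_exit(0, 10000000));
    printf("overflow exit taken: %lld\n",
           (long long)count_with_exit(INT32_MAX - 2, (int64_t)INT32_MAX + 5));
    return 0;
}
```

The point the cross-check makes is that the overflow predicate does not depend on any "magic" in the fused intrinsic: it is a pure function of the operands, so emitting it as a separate instruction leaves the plain `add` visible to loop analyses while the exit path still sees exactly the flag the fused form would have produced.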
2013-10-01  Nadav Rotem  <nrotem@apple.com>

        Consolidate multiple OSRExit calls into one.
        https://bugs.webkit.org/show_bug.cgi?id=122168

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):

2013-09-30  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone
        https://bugs.webkit.org/show_bug.cgi?id=122140

        Reviewed by Darin Adler.

        Just killing code.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::recordSetLocal):

2013-10-01  Daniel Bates  <dabates@apple.com>

        [iOS] JavaScriptCore fails to build with newer versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=122162

        Reviewed by Darin Adler.

        * runtime/GCActivityCallback.cpp: Add !PLATFORM(IOS)-guard around constant pagingTimeOut
        as we don't compile the code that uses it on iOS.

2013-09-30  Sam Weinig  <sam@webkit.org>

        Remove support for DOMFileSystem
        https://bugs.webkit.org/show_bug.cgi?id=122137

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-09-30  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/15114974> Assertion failure under -[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:] if no classes conform to JSExport
        https://bugs.webkit.org/show_bug.cgi?id=122124

        Reviewed by Darin Adler.

        * API/JSWrapperMap.mm: Defined an empty class that conforms to the JSExport protocol, to
        ensure that the protocol is always registered with the runtime by the time
        getJSExportProtocol() is called.

2013-09-30  Benjamin Poulain  <benjamin@webkit.org>

        Remove the code guarded by STYLE_SCOPED
        https://bugs.webkit.org/show_bug.cgi?id=122123

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-09-30  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to ObjectPrototype constructor.
        <https://webkit.org/b/122116>

        Reviewed by Geoffrey Garen.

        The ObjectPrototype constructor was only using the ExecState to get
        to the VM.

2013-09-30  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to MathObject constructor.
        <https://webkit.org/b/122119>

        Reviewed by Geoffrey Garen.

        The MathObject constructor was only using the global object to get
        to the VM. finishCreation() still uses it to set up functions.

2013-09-30  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries
        https://bugs.webkit.org/show_bug.cgi?id=122065

        Reviewed by Mark Hahnenberg.

        This mostly just kills a bunch of code.

        But incidentally while killing that code, I uncovered a bug in our FTL OSR entrypoint
        creation phase. The phase inserts a sequence of SetLocal(ExtractOSREntryLocal) nodes.
        If we hoist some type check into the local, then we might inject a conversion node
        between the ExtractOSREntryLocal and the SetLocal - for example we might put in an
        Int32ToDouble node. But currently the FixupPhase will make all conversion nodes placed
        on an edge of a SetLocal use forward exit. This then confuses the OSR exit machinery.
        When OSR exit sees a forward exit, it tries to "roll forward" execution from the exiting
        node to the first node that has a different CodeOrigin. This only works if the nodes
        after the forward exit are MovHints or other things that the OSR exit compiler can
        forward-execute. But here, it will see a bunch of SetLocal and ExtractOSREntryLocal
        nodes for the same bytecode index. Two possible solutions exist. We could teach the
        forward-execution logic how to deal with multiple SetLocals and ExtractOSREntryLocals.
        This would be a lot of complexity; right now it just needs to deal with exactly one
        SetLocal-like operation. The alternative is to make sure that the conversion node that
        we inject ends up exiting *backward* rather than forward.

        But making the conversion nodes exit backward is somewhat tricky. Before this patch,
        conversion nodes always exit forward for SetLocals and backwards otherwise. It turns out
        that the solution is to rationalize how we choose the speculation direction for a
        conversion node. The conversion node's speculation direction should be the same as the
        speculation direction of the node for which it is doing a conversion. Since SetLocal's
        already exit forward by default, this policy preserves our previous behavior. But it
        also allows the OSR entrypoint creation phase to make its SetLocals exit backward
        instead.

        Of course, if the SetLocal(ExtractOSREntryLocal) sequences exit backward, then we need
        to make sure that the OSR exit machine knows that the local variables are indeed live.
        Consider that if we have:

            a: ExtractOSREntryLocal(loc1)
            b: SetLocal(@a, loc1)
            c: ExtractOSREntryLocal(loc2)
            d: SetLocal(@c, loc2)

        Without additional magic, the exit at @b will think that loc2 is dead and the OSR exit
        compiler will clobber loc2 with Undefined. So we need to make sure that we actually
        emit code like:

            a: ExtractOSREntryLocal(loc1)
            b: ExtractOSREntryLocal(loc2)
            c: SetLocal(@a, loc1)
            d: SetLocal(@b, loc2)
            e: SetLocal(@a, loc1)
            f: SetLocal(@b, loc2)

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeOrigin.h:
        * bytecode/ValueRecovery.cpp: Added.
        (JSC::ValueRecovery::recover):
        (JSC::ValueRecovery::dumpInContext):
        (JSC::ValueRecovery::dump):
        * bytecode/ValueRecovery.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::speculationDirection):
        (JSC::DFG::Node::setSpeculationDirection):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
        * interpreter/Register.h:
        (JSC::Register::unboxedStrictInt52):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:

24552013-09-30 Alex Christensen <alex.christensen@flexsim.com>
2456
2457 Win64 compile fix after r1256490.
2458 https://bugs.webkit.org/show_bug.cgi?id=122117
2459
2460 Reviewed by Michael Saboff.
2461
2462 * jit/JITStubsMSVC64.asm:
2463 Implemented getHostCallReturnValue for Windows x86_64 processors.
2464
24652013-09-30 Andreas Kling <akling@apple.com>
2466
2467 Pass VM instead of JSGlobalObject to RegExp constructor.
2468 <https://webkit.org/b/122113>
2469
2470 Reviewed by Darin Adler.
2471
2472 RegExps don't need anything from the global object during their
2473 construction and only use it to get to the VM. Reduce loads by
2474 simply passing the VM around instead.
2475
2476 JSC release binary size -= 120 bytes(!)
2477
24782013-09-30 Patrick Gansterer <paroga@webkit.org>
2479
2480 Fix compilation for COMPILER(MSVC) && !CPU(X86) after r156490.
2481 https://bugs.webkit.org/show_bug.cgi?id=122102
2482
2483 Reviewed by Geoffrey Garen.
2484
2485 _AddressOfReturnAddress() is supported for all platforms of
2486 the Microsoft compiler, so we can use it for !CPU(X86) too.
2487
2488 * jit/JITOperationWrappers.h:
2489
24902013-09-30 Gabor Rapcsanyi <rgabor@webkit.org>
2491
2492 Unreviewed. Build fix for DEBUG_VERBOSE mode after r156511.
2493
2494 * dfg/DFGSpeculativeJIT.cpp:
2495 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2496
24972013-09-30 Gabor Rapcsanyi <rgabor@webkit.org>
2498
2499 Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490.
2500
2501 * dfg/DFGSpeculativeJIT.cpp:
2502 (JSC::DFG::fmodAsDFGOperation):
2503
25042013-09-29 Nadav Rotem <nrotem@apple.com>
2505
2506 FTL: refactor compileAdd and compileArithSub into one function.
2507 https://bugs.webkit.org/show_bug.cgi?id=122081
2508
2509 Reviewed by Geoffrey Garen.
2510
2511 * ftl/FTLLowerDFGToLLVM.cpp:
2512 (JSC::FTL::LowerDFGToLLVM::compileNode):
2513 (JSC::FTL::LowerDFGToLLVM::compileAddSub):
2514
25152013-09-29 Andreas Kling <akling@apple.com>
2516
2517 Pass VM instead of JSGlobalObject to function constructors.
2518 <https://webkit.org/b/122082>
2519
2520 Reviewed by Darin Adler.
2521
2522 Functions don't need anything from the global object during their
2523 construction and only use it to get to the VM. Reduce loads by
2524 simply passing the VM around instead.
2525
2526 This patch is mostly mechanical; I just changed the signature of
2527 InternalFunction and worked my way from there until it built.
2528
2529 JSC release binary size -= 4840 bytes.
2530
25312013-09-29 Andreas Kling <akling@apple.com>
2532
2533 Pass VM instead of JSGlobalObject to ArrayPrototype constructor.
2534 <https://webkit.org/b/122079>
2535
2536 Reviewed by Geoffrey Garen.
2537
2538 ArrayPrototype doesn't need the global object for anything during
2539 construction, so reduce the amount of loads by just passing the VM.
2540
25412013-09-29 Andreas Kling <akling@apple.com>
2542
2543 Pass VM instead of ExecState to simple builtin constructors.
2544 <https://webkit.org/b/122077>
2545
2546 Reviewed by Sam Weinig.
2547
2548 None of the simple builtins need the ExecState for anything during
2549 their construction, so reduce the amount of loads by just passing
2550 the VM around instead.
2551
25522013-09-29 Nadav Rotem <nrotem@apple.com>
2553
2554 Refactor code for finding x86 scratch register.
2555 https://bugs.webkit.org/show_bug.cgi?id=122072
2556
2557 Reviewed by Geoffrey Garen.
2558
2559 * assembler/MacroAssemblerX86Common.h:
2560 (JSC::MacroAssemblerX86Common::getUnusedRegister):
2561 (JSC::MacroAssemblerX86Common::store8):
2562 (JSC::MacroAssemblerX86Common::store16):
2563
25642013-09-28 Mark Rowe <mrowe@apple.com>
2565
2566 Take Xcode's advice and enable some extra warnings.
2567
2568 Reviewed by Sam Weinig.
2569
2570 * Configurations/Base.xcconfig:
2571 * JavaScriptCore.xcodeproj/project.pbxproj:
2572
25732013-09-28 Andreas Kling <akling@apple.com>
2574
2575 Pass VM instead of ExecState to JSFunction constructors.
2576 <https://webkit.org/b/122014>
2577
2578 Reviewed by Geoffrey Garen.
2579
2580 JSFunction doesn't need the ExecState for anything during its
2581 construction, so reduce the amount of loads by just passing the
2582 VM around instead.
2583
2584 Factored out putDirectNonIndexAccessor() from the existing
2585 putDirectAccessor() to avoid snowballing the patch (and because
2586 it's kinda neat to avoid the extra branch.)
2587
2588 JSC release binary size -= 9680 bytes.
2589
25902013-09-28 Mark Rowe <mrowe@apple.com>
2591
2592 JavaScriptCore fails to build with newer versions of clang.
2593
2594 Reviewed by Sam Weinig.
2595
2596 * interpreter/Interpreter.cpp: Remove an unused function.
2597 * parser/SourceProvider.cpp: Ditto.
2598 * runtime/GCActivityCallback.cpp: #if a constant that's only used on non-CF platforms.
2599 * runtime/JSCJSValue.cpp: Remove an unused constant.
2600 * runtime/JSString.cpp: Ditto.
2601
26022013-09-27 Filip Pizlo <fpizlo@apple.com>
2603
2604 Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures
2605 https://bugs.webkit.org/show_bug.cgi?id=122047
2606
2607 Reviewed by Oliver Hunt.
2608
2609 Currently we have the DFG reserve space for inline call frames at exactly the same stack
2610 offsets that you would have gotten if the baseline interpreter/JIT had made the calls.
2611 We need to get rid of that. One of the weirder parts of this is that we have special DFG
2612 operations for accessing these inlined call frame headers. It's really hard for any
2613 analysis of DFG IR to see what the liveness of any of those frame header "variables" is;
2614 the liveness behaves like flushed arguments (it's all live until end of the inlinee) but
2615 we don't have anything like a Flush node for those special variables.
2616
2617 This patch gets rid of the special operations for accessing inline call frame headers.
2618 GetMyScope and GetCallee still remain, and are only for accessing the machine call
2619 frame's scope/callee entries. The inline call frame's scope/callee now behave like
2620 normal variables, and have Flush behavior just like inline arguments.
2621
2622 * dfg/DFGAbstractInterpreterInlines.h:
2623 (JSC::DFG::::executeEffects):
2624 * dfg/DFGByteCodeParser.cpp:
2625 (JSC::DFG::ByteCodeParser::getDirect):
2626 (JSC::DFG::ByteCodeParser::get):
2627 (JSC::DFG::ByteCodeParser::setDirect):
2628 (JSC::DFG::ByteCodeParser::set):
2629 (JSC::DFG::ByteCodeParser::setLocal):
2630 (JSC::DFG::ByteCodeParser::setArgument):
2631 (JSC::DFG::ByteCodeParser::flush):
2632 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2633 (JSC::DFG::ByteCodeParser::handleInlining):
2634 (JSC::DFG::ByteCodeParser::getScope):
2635 * dfg/DFGCSEPhase.cpp:
2636 (JSC::DFG::CSEPhase::getCalleeLoadElimination):
2637 (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
2638 (JSC::DFG::CSEPhase::performNodeCSE):
2639 * dfg/DFGClobberize.h:
2640 (JSC::DFG::clobberize):
2641 * dfg/DFGFixupPhase.cpp:
2642 (JSC::DFG::FixupPhase::fixupNode):
2643 * dfg/DFGNodeType.h:
2644 * dfg/DFGPredictionPropagationPhase.cpp:
2645 (JSC::DFG::PredictionPropagationPhase::propagate):
2646 * dfg/DFGSafeToExecute.h:
2647 (JSC::DFG::safeToExecute):
2648 * dfg/DFGSpeculativeJIT32_64.cpp:
2649 (JSC::DFG::SpeculativeJIT::compile):
2650 * dfg/DFGSpeculativeJIT64.cpp:
2651 (JSC::DFG::SpeculativeJIT::compile):
2652
26532013-09-27 Filip Pizlo <fpizlo@apple.com>
2654
2655 Deoptimize 32-bit deoptimization
2656 https://bugs.webkit.org/show_bug.cgi?id=122025
2657
2658 Reviewed by Oliver Hunt.
2659
2660 Just simplifying a bunch of code. I don't want the old, super-complicated,
2661 deoptimization code to get in the way of changes I'll be making to DFG stack layout.
2662
2663 * bytecode/ValueRecovery.h:
2664 (JSC::ValueRecovery::inGPR):
2665 (JSC::ValueRecovery::isInRegisters):
2666 (JSC::ValueRecovery::gpr):
2667 (JSC::ValueRecovery::dumpInContext):
2668 * dfg/DFGOSRExitCompiler32_64.cpp:
2669 (JSC::DFG::OSRExitCompiler::compileExit):
2670 * dfg/DFGOSRExitCompiler64.cpp:
2671 (JSC::DFG::OSRExitCompiler::compileExit):
2672
26732013-09-27 Alex Christensen <alex.christensen@flexsim.com>
2674
2675 Fixed Win64 build after r156184.
2676 https://bugs.webkit.org/show_bug.cgi?id=121994
2677
2678 Reviewed by Oliver Hunt.
2679
2680 * jit/CCallHelpers.h:
2681 (JSC::CCallHelpers::setupTwoStubArgsGPR):
2682 (JSC::CCallHelpers::setupTwoStubArgsFPR):
2683 Renamed from setupTwoStubArgs.
2684 Visual Studio x64 compiler fails to see that this is an overloaded template function.
2685 (JSC::CCallHelpers::setupStubArguments):
2686 (JSC::CCallHelpers::setupArguments):
2687 (JSC::CCallHelpers::setupArgumentsWithExecState):
2688 Use setupTwoStubArgsGPR or setupTwoStubArgsFPR instead of setupTwoStubArgs.
2689
26902013-09-27 Gabor Rapcsanyi <rgabor@webkit.org>
2691
2692 LLInt alignment problem on ARM in debug mode
2693 https://bugs.webkit.org/show_bug.cgi?id=122012
2694
2695 Reviewed by Michael Saboff.
2696
2697 Force GCC to put the LLInt code to .text section.
2698
2699 * llint/LowLevelInterpreter.cpp:
2700
27012013-09-06 Jer Noble <jer.noble@apple.com>
2702
2703 [Mac] Implement the media controls in JavaScript.
2704 https://bugs.webkit.org/show_bug.cgi?id=120895
2705
2706 Reviewed by Dean Jackson.
2707
2708 Define and turn on ENABLE_MEDIA_CONTROLS_SCRIPT.
2709
2710 * Configurations/FeatureDefines.xcconfig:
2711
27122013-09-27 Andreas Kling <akling@apple.com>
2713
2714 Pass VM instead of ExecState to JSDateMath functions.
2715 <https://webkit.org/b/121997>
2716
2717 Reviewed by Geoffrey Garen.
2718
2719 The JSC date math functions only need the VM, so pass that from
2720 callers instead of the whole ExecState.
2721
27222013-09-26 Andreas Kling <akling@apple.com>
2723
2724 GetterSetter construction should take a VM instead of ExecState.
2725 <https://webkit.org/b/121993>
2726
2727 Reviewed by Sam Weinig.
2728
2729 Pass VM& instead of ExecState* to GetterSetter. Updated surrounding
2730 code at touched sites to cache VM in a local for fewer loads.
2731
2732 JSC release binary size -= 4120 bytes.
2733
27342013-09-26 Oliver Hunt <oliver@apple.com>
2735
2736 Make GCC happy
2737
2738 * parser/Parser.h:
2739
27402013-09-25 Oliver Hunt <oliver@apple.com>
2741
2742 Implement prefixed-destructuring assignment
2743 https://bugs.webkit.org/show_bug.cgi?id=121930
2744
2745 Reviewed by Mark Hahnenberg.
2746
2747 Relanding with fix after rollout
2748
27492013-09-26 Michael Saboff <msaboff@apple.com>
2750
2751 VirtualRegister should be a class
2752 https://bugs.webkit.org/show_bug.cgi?id=121732
2753
2754 Reviewed by Geoffrey Garen.
2755
2756 This is a refactoring change. Changed VirtualRegister from an enum to a class.
2757 Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
2758 and the similar functions for locals to VirtualRegister class.
2759
2760 This is in preparation for changing the offset for the first local register from
2761 0 to -1. This is needed since most native calling conventions have the architected
2762 frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
2763 pointer. Local values start below that address.
2764
2765 * bytecode/CodeBlock.cpp:
2766 * bytecode/CodeBlock.h:
2767 * bytecode/Instruction.h:
2768 * bytecode/LazyOperandValueProfile.h:
2769 * bytecode/MethodOfGettingAValueProfile.cpp:
2770 * bytecode/Operands.h:
2771 * bytecode/UnlinkedCodeBlock.cpp:
2772 * bytecode/UnlinkedCodeBlock.h:
2773 * bytecode/ValueRecovery.h:
2774 * bytecode/VirtualRegister.h:
2775 * bytecompiler/BytecodeGenerator.cpp:
2776 * bytecompiler/BytecodeGenerator.h:
2777 * bytecompiler/RegisterID.h:
2778 * debugger/DebuggerCallFrame.cpp:
2779 * dfg/DFGAbstractHeap.h:
2780 * dfg/DFGAbstractInterpreterInlines.h:
2781 * dfg/DFGArgumentPosition.h:
2782 * dfg/DFGArgumentsSimplificationPhase.cpp:
2783 * dfg/DFGByteCodeParser.cpp:
2784 * dfg/DFGCFGSimplificationPhase.cpp:
2785 * dfg/DFGCPSRethreadingPhase.cpp:
2786 * dfg/DFGCapabilities.cpp:
2787 * dfg/DFGConstantFoldingPhase.cpp:
2788 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2789 * dfg/DFGGraph.cpp:
2790 * dfg/DFGGraph.h:
2791 * dfg/DFGJITCode.cpp:
2792 * dfg/DFGNode.h:
2793 * dfg/DFGOSREntry.cpp:
2794 * dfg/DFGOSREntrypointCreationPhase.cpp:
2795 * dfg/DFGOSRExit.h:
2796 * dfg/DFGOSRExitCompiler32_64.cpp:
2797 * dfg/DFGOSRExitCompiler64.cpp:
2798 * dfg/DFGRegisterBank.h:
2799 * dfg/DFGScoreBoard.h:
2800 * dfg/DFGSpeculativeJIT.cpp:
2801 * dfg/DFGSpeculativeJIT.h:
2802 * dfg/DFGSpeculativeJIT32_64.cpp:
2803 * dfg/DFGSpeculativeJIT64.cpp:
2804 * dfg/DFGValidate.cpp:
2805 * dfg/DFGValueRecoveryOverride.h:
2806 * dfg/DFGVariableAccessData.h:
2807 * dfg/DFGVariableEvent.h:
2808 * dfg/DFGVariableEventStream.cpp:
2809 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2810 * ftl/FTLExitArgumentForOperand.h:
2811 * ftl/FTLLink.cpp:
2812 * ftl/FTLLowerDFGToLLVM.cpp:
2813 * ftl/FTLOSREntry.cpp:
2814 * ftl/FTLOSRExit.cpp:
2815 * ftl/FTLOSRExit.h:
2816 * ftl/FTLOSRExitCompiler.cpp:
2817 * interpreter/CallFrame.h:
2818 * interpreter/Interpreter.cpp:
2819 * jit/AssemblyHelpers.h:
2820 * jit/JIT.h:
2821 * jit/JITCall.cpp:
2822 * jit/JITCall32_64.cpp:
2823 * jit/JITInlines.h:
2824 * jit/JITOpcodes.cpp:
2825 * jit/JITOpcodes32_64.cpp:
2826 * jit/JITPropertyAccess32_64.cpp:
2827 * jit/JITStubs.cpp:
2828 * llint/LLIntSlowPaths.cpp:
2829 * profiler/ProfilerBytecodeSequence.cpp:
2830 * runtime/CommonSlowPaths.cpp:
2831 * runtime/JSActivation.cpp:
2832
28332013-09-26 Anders Carlsson <andersca@apple.com>
2834
2835 Work around another MSVC bug.
2836
2837 * runtime/PrototypeMap.cpp:
2838 (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2839
28402013-09-26 Anders Carlsson <andersca@apple.com>
2841
2842 Attempt to fix the FTL build.
2843
2844 * ftl/FTLAbstractHeap.cpp:
2845 (JSC::FTL::IndexedAbstractHeap::atSlow):
2846
28472013-09-26 Andreas Kling <akling@apple.com>
2848
2849 Pass VM instead of ExecState to many finishCreation() functions.
2850 <https://webkit.org/b/121975>
2851
2852 Reviewed by Sam Weinig.
2853
2854 Reduce unnecessary loads by passing the VM to object creation
2855 functions that don't need the ExecState.
2856
2857 There are tons of opportunities in this area; I'm just scratching
2858 the surface.
2859
28602013-09-26 Commit Queue <commit-queue@webkit.org>
2861
2862 Unreviewed, rolling out r156464 and r156480.
2863 http://trac.webkit.org/changeset/156464
2864 http://trac.webkit.org/changeset/156480
2865 https://bugs.webkit.org/show_bug.cgi?id=121981
2866
2867 Leaking too much and killing buildbot. (Requested by xenon on
2868 #webkit).
2869
2870 * bytecode/UnlinkedCodeBlock.cpp:
2871 (JSC::UnlinkedFunctionExecutable::paramString):
2872 * bytecompiler/BytecodeGenerator.cpp:
2873 (JSC::BytecodeGenerator::BytecodeGenerator):
2874 * bytecompiler/BytecodeGenerator.h:
2875 (JSC::BytecodeGenerator::emitExpressionInfo):
2876 * bytecompiler/NodesCodegen.cpp:
2877 (JSC::ForInNode::emitBytecode):
2878 (JSC::FuncExprNode::emitBytecode):
2879 * parser/ASTBuilder.h:
2880 (JSC::ASTBuilder::createFormalParameterList):
2881 (JSC::ASTBuilder::createForInLoop):
2882 (JSC::ASTBuilder::addVar):
2883 * parser/NodeConstructors.h:
2884 (JSC::CommaNode::CommaNode):
2885 (JSC::ParameterNode::ParameterNode):
2886 (JSC::ForInNode::ForInNode):
2887 * parser/Nodes.cpp:
2888 (JSC::FunctionParameters::create):
2889 (JSC::FunctionParameters::FunctionParameters):
2890 (JSC::FunctionParameters::~FunctionParameters):
2891 * parser/Nodes.h:
2892 (JSC::CommaNode::append):
2893 (JSC::ParameterNode::ident):
2894 (JSC::FunctionParameters::at):
2895 (JSC::FunctionParameters::identifiers):
2896 * parser/Parser.cpp:
2897 (JSC::::Parser):
2898 (JSC::::parseVarDeclaration):
2899 (JSC::::parseVarDeclarationList):
2900 (JSC::::parseForStatement):
2901 (JSC::::parseFormalParameters):
2902 (JSC::::parseAssignmentExpression):
2903 * parser/Parser.h:
2904 (JSC::Scope::declareParameter):
2905 * parser/SyntaxChecker.h:
2906 (JSC::SyntaxChecker::createFormalParameterList):
2907 (JSC::SyntaxChecker::createForInLoop):
2908 (JSC::SyntaxChecker::operatorStackPop):
2909 * runtime/JSONObject.cpp:
2910 * runtime/JSONObject.h:
2911
29122013-09-26 Anders Carlsson <andersca@apple.com>
2913
2914 Try to fix the Windows build.
2915
2916 * jit/JITThunks.cpp:
2917 (JSC::JITThunks::hostFunctionStub):
2918 * jit/JITThunks.h:
2919
29202013-09-26 Anders Carlsson <andersca@apple.com>
2921
2922 Change a couple of HashMap value types from OwnPtr to std::unique_ptr
2923 https://bugs.webkit.org/show_bug.cgi?id=121973
2924
2925 Reviewed by Andreas Kling.
2926
2927 * API/JSClassRef.cpp:
2928 (OpaqueJSClassContextData::OpaqueJSClassContextData):
2929 (OpaqueJSClass::contextData):
2930 * API/JSClassRef.h:
2931 * bytecode/SamplingTool.h:
2932 * ftl/FTLAbstractHeap.h:
2933 * parser/Parser.cpp:
2934 (JSC::::parseFunctionInfo):
2935 * parser/SourceProviderCache.cpp:
2936 (JSC::SourceProviderCache::add):
2937 * parser/SourceProviderCache.h:
2938 * parser/SourceProviderCacheItem.h:
2939 (JSC::SourceProviderCacheItem::create):
2940 * profiler/ProfilerCompilation.cpp:
2941 (JSC::Profiler::Compilation::executionCounterFor):
2942 (JSC::Profiler::Compilation::toJS):
2943 * profiler/ProfilerCompilation.h:
2944 * runtime/JSGlobalObject.h:
2945
29462013-09-26 Mark Lam <mark.lam@apple.com>
2947
2948 Move DFG inline caching logic into jit/.
2949 https://bugs.webkit.org/show_bug.cgi?id=121749.
2950
2951 Reviewed by Geoffrey Garen.
2952
2953 Relanding http://trac.webkit.org/changeset/156235 after rebasing to latest
2954 revision and fixing build breakages on Windows.
2955
2956 * CMakeLists.txt:
2957 * GNUmakefile.list.am:
2958 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2959 * JavaScriptCore.xcodeproj/project.pbxproj:
2960 * Target.pri:
2961 * bytecode/CallLinkInfo.cpp:
2962 (JSC::CallLinkInfo::unlink):
2963 * bytecode/CodeBlock.cpp:
2964 (JSC::CodeBlock::resetStubInternal):
2965 * bytecode/StructureStubInfo.h:
2966 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2967 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
2968 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
2969 * dfg/DFGJITCompiler.h:
2970 * dfg/DFGOSRExitCompiler.h:
2971 * dfg/DFGOperations.cpp:
2972 (JSC::DFG::operationPutByValInternal):
2973 * dfg/DFGOperations.h:
2974 (JSC::DFG::operationNewTypedArrayWithSizeForType):
2975 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
2976 * dfg/DFGRegisterSet.h: Removed.
2977 * dfg/DFGRepatch.cpp: Removed.
2978 * dfg/DFGRepatch.h: Removed.
2979 * dfg/DFGScratchRegisterAllocator.h: Removed.
2980 * dfg/DFGSpeculativeJIT.cpp:
2981 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
2982 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2983 (JSC::DFG::SpeculativeJIT::compare):
2984 * dfg/DFGSpeculativeJIT.h:
2985 (JSC::DFG::SpeculativeJIT::callOperation):
2986 * dfg/DFGSpeculativeJIT32_64.cpp:
2987 (JSC::DFG::SpeculativeJIT::cachedPutById):
2988 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2989 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
2990 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2991 (JSC::DFG::SpeculativeJIT::compile):
2992 * dfg/DFGSpeculativeJIT64.cpp:
2993 (JSC::DFG::SpeculativeJIT::cachedPutById):
2994 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2995 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
2996 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2997 (JSC::DFG::SpeculativeJIT::compile):
2998 * dfg/DFGThunks.cpp:
2999 * dfg/DFGThunks.h:
3000 * ftl/FTLIntrinsicRepository.h:
3001 * ftl/FTLLowerDFGToLLVM.cpp:
3002 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3003 * ftl/FTLOSRExitCompiler.h:
3004 * jit/AssemblyHelpers.h:
3005 (JSC::AssemblyHelpers::writeBarrier):
3006 * jit/JIT.cpp:
3007 (JSC::JIT::linkFor):
3008 (JSC::JIT::linkSlowCall):
3009 * jit/JITCall.cpp:
3010 (JSC::JIT::compileCallEvalSlowCase):
3011 (JSC::JIT::compileOpCallSlowCase):
3012 (JSC::JIT::privateCompileClosureCall):
3013 * jit/JITCall32_64.cpp:
3014 (JSC::JIT::compileCallEvalSlowCase):
3015 (JSC::JIT::compileOpCallSlowCase):
3016 (JSC::JIT::privateCompileClosureCall):
3017 * jit/JITOperationWrappers.h: Copied from Source/JavaScriptCore/jit/JITOperationWrappers.h.
3018 * jit/JITOperations.cpp: Copied from Source/JavaScriptCore/jit/JITOperations.cpp.
3019 (JSC::getHostCallReturnValueWithExecState):
3020 * jit/JITOperations.h: Copied from Source/JavaScriptCore/jit/JITOperations.h.
3021 * jit/RegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
3022 * jit/Repatch.cpp: Copied from Source/JavaScriptCore/jit/Repatch.cpp.
3023 (JSC::tryBuildGetByIDList):
3024 * jit/Repatch.h: Copied from Source/JavaScriptCore/jit/Repatch.h.
3025 * jit/ScratchRegisterAllocator.h: Copied from Source/JavaScriptCore/jit/ScratchRegisterAllocator.h.
3026 * jit/ThunkGenerators.cpp:
3027 (JSC::oldStyleGenerateSlowCaseFor):
3028 (JSC::oldStyleLinkForGenerator):
3029 (JSC::oldStyleLinkCallGenerator):
3030 (JSC::oldStyleLinkConstructGenerator):
3031 (JSC::oldStyleLinkClosureCallGenerator):
3032 (JSC::oldStyleVirtualForGenerator):
3033 (JSC::oldStyleVirtualCallGenerator):
3034 (JSC::oldStyleVirtualConstructGenerator):
3035 (JSC::emitPointerValidation):
3036 (JSC::throwExceptionFromCallSlowPathGenerator):
3037 (JSC::slowPathFor):
3038 (JSC::linkForThunkGenerator):
3039 (JSC::linkCallThunkGenerator):
3040 (JSC::linkConstructThunkGenerator):
3041 (JSC::linkClosureCallThunkGenerator):
3042 (JSC::virtualForThunkGenerator):
3043 (JSC::virtualCallThunkGenerator):
3044 (JSC::virtualConstructThunkGenerator):
3045 * jit/ThunkGenerators.h:
3046
30472013-09-26 Anders Carlsson <andersca@apple.com>
3048
3049 Remove PassWeak.h
3050 https://bugs.webkit.org/show_bug.cgi?id=121971
3051
3052 Reviewed by Geoffrey Garen.
3053
3054 * GNUmakefile.list.am:
3055 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3056 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3057 * JavaScriptCore.xcodeproj/project.pbxproj:
3058 * heap/PassWeak.h: Removed.
3059 * heap/WeakInlines.h:
3060
30612013-09-26 Anders Carlsson <andersca@apple.com>
3062
3063 Stop using PassWeak
3064 https://bugs.webkit.org/show_bug.cgi?id=121968
3065
3066 Reviewed by Sam Weinig.
3067
3068 * heap/Weak.h:
3069 Remove all knowledge of PassWeak.
3070
3071 (JSC::Weak::Weak):
3072 These constructors don't need to be explicit.
3073
3074 * heap/WeakInlines.h:
3075 (JSC::weakAdd):
3076 Change Value to be an rvalue reference and use std::forward.
3077
3078 * jit/JITThunks.cpp:
3079 (JSC::JITThunks::hostFunctionStub):
3080 Remove PassWeak.
3081
3082 * runtime/RegExpCache.cpp:
3083 (JSC::RegExpCache::lookupOrCreate):
3084 Use Weak instead of PassWeak.
3085
3086 * runtime/SimpleTypedArrayController.cpp:
3087 Change add and set to take Weak by value and std::move into place.
3088
3089 * runtime/WeakGCMap.h:
3090 (JSC::WeakGCMap::get):
3091 (JSC::WeakGCMap::set):
3092 (JSC::WeakGCMap::add):
3093
30942013-09-26 Commit Queue <commit-queue@webkit.org>
3095
3096 Unreviewed, rolling out r156474.
3097 http://trac.webkit.org/changeset/156474
3098 https://bugs.webkit.org/show_bug.cgi?id=121966
3099
3100 Broke the builds. (Requested by xenon on #webkit).
3101
3102 * bytecode/CodeBlock.cpp:
3103 (JSC::CodeBlock::registerName):
3104 (JSC::CodeBlock::dumpBytecode):
3105 (JSC::CodeBlock::CodeBlock):
3106 (JSC::CodeBlock::createActivation):
3107 (JSC::CodeBlock::nameForRegister):
3108 * bytecode/CodeBlock.h:
3109 (JSC::unmodifiedArgumentsRegister):
3110 (JSC::CodeBlock::isKnownNotImmediate):
3111 (JSC::CodeBlock::setThisRegister):
3112 (JSC::CodeBlock::thisRegister):
3113 (JSC::CodeBlock::setArgumentsRegister):
3114 (JSC::CodeBlock::argumentsRegister):
3115 (JSC::CodeBlock::uncheckedArgumentsRegister):
3116 (JSC::CodeBlock::setActivationRegister):
3117 (JSC::CodeBlock::activationRegister):
3118 (JSC::CodeBlock::uncheckedActivationRegister):
3119 (JSC::CodeBlock::usesArguments):
3120 (JSC::CodeBlock::isCaptured):
3121 * bytecode/Instruction.h:
3122 * bytecode/LazyOperandValueProfile.h:
3123 (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
3124 (JSC::LazyOperandValueProfileKey::operator!):
3125 (JSC::LazyOperandValueProfileKey::hash):
3126 (JSC::LazyOperandValueProfileKey::operand):
3127 (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
3128 (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
3129 * bytecode/MethodOfGettingAValueProfile.cpp:
3130 (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
3131 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
3132 * bytecode/Operands.h:
3133 (JSC::localToOperand):
3134 (JSC::operandIsLocal):
3135 (JSC::operandToLocal):
3136 (JSC::operandIsArgument):
3137 (JSC::operandToArgument):
3138 (JSC::argumentToOperand):
3139 (JSC::Operands::operand):
3140 (JSC::Operands::hasOperand):
3141 (JSC::Operands::setOperand):
3142 (JSC::Operands::operandForIndex):
3143 (JSC::Operands::setOperandFirstTime):
3144 * bytecode/UnlinkedCodeBlock.cpp:
3145 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3146 * bytecode/UnlinkedCodeBlock.h:
3147 (JSC::UnlinkedCodeBlock::setThisRegister):
3148 (JSC::UnlinkedCodeBlock::setActivationRegister):
3149 (JSC::UnlinkedCodeBlock::setArgumentsRegister):
3150 (JSC::UnlinkedCodeBlock::usesArguments):
3151 (JSC::UnlinkedCodeBlock::argumentsRegister):
3152 (JSC::UnlinkedCodeBlock::usesGlobalObject):
3153 (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
3154 (JSC::UnlinkedCodeBlock::globalObjectRegister):
3155 (JSC::UnlinkedCodeBlock::thisRegister):
3156 (JSC::UnlinkedCodeBlock::activationRegister):
3157 * bytecode/ValueRecovery.h:
3158 (JSC::ValueRecovery::displacedInJSStack):
3159 (JSC::ValueRecovery::virtualRegister):
3160 (JSC::ValueRecovery::dumpInContext):
3161 * bytecode/VirtualRegister.h:
3162 (WTF::printInternal):
3163 * bytecompiler/BytecodeGenerator.cpp:
3164 (JSC::BytecodeGenerator::generate):
3165 (JSC::BytecodeGenerator::addVar):
3166 (JSC::BytecodeGenerator::BytecodeGenerator):
3167 (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
3168 (JSC::BytecodeGenerator::newRegister):
3169 (JSC::BytecodeGenerator::emitLoadGlobalObject):
3170 (JSC::BytecodeGenerator::emitGetArgumentsLength):
3171 (JSC::BytecodeGenerator::emitGetArgumentByVal):
3172 (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3173 (JSC::BytecodeGenerator::emitReturn):
3174 * bytecompiler/BytecodeGenerator.h:
3175 (JSC::BytecodeGenerator::registerFor):
3176 * bytecompiler/RegisterID.h:
3177 (JSC::RegisterID::RegisterID):
3178 (JSC::RegisterID::setIndex):
3179 (JSC::RegisterID::index):
3180 * debugger/DebuggerCallFrame.cpp:
3181 (JSC::DebuggerCallFrame::thisObject):
3182 * dfg/DFGAbstractHeap.h:
3183 (JSC::DFG::AbstractHeap::Payload::Payload):
3184 * dfg/DFGAbstractInterpreterInlines.h:
3185 (JSC::DFG::::executeEffects):
3186 (JSC::DFG::::clobberCapturedVars):
3187 * dfg/DFGArgumentPosition.h:
3188 (JSC::DFG::ArgumentPosition::dump):
3189 * dfg/DFGArgumentsSimplificationPhase.cpp:
3190 (JSC::DFG::ArgumentsSimplificationPhase::run):
3191 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
3192 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
3193 * dfg/DFGByteCodeParser.cpp:
3194 (JSC::DFG::ByteCodeParser::newVariableAccessData):
3195 (JSC::DFG::ByteCodeParser::getDirect):
3196 (JSC::DFG::ByteCodeParser::get):
3197 (JSC::DFG::ByteCodeParser::setDirect):
3198 (JSC::DFG::ByteCodeParser::set):
3199 (JSC::DFG::ByteCodeParser::getLocal):
3200 (JSC::DFG::ByteCodeParser::setLocal):
3201 (JSC::DFG::ByteCodeParser::getArgument):
3202 (JSC::DFG::ByteCodeParser::setArgument):
3203 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
3204 (JSC::DFG::ByteCodeParser::findArgumentPosition):
3205 (JSC::DFG::ByteCodeParser::flush):
3206 (JSC::DFG::ByteCodeParser::flushDirect):
3207 (JSC::DFG::ByteCodeParser::getToInt32):
3208 (JSC::DFG::ByteCodeParser::getThis):
3209 (JSC::DFG::ByteCodeParser::addCall):
3210 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
3211 (JSC::DFG::ByteCodeParser::handleCall):
3212 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
3213 (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
3214 (JSC::DFG::ByteCodeParser::handleInlining):
3215 (JSC::DFG::ByteCodeParser::handleMinMax):
3216 (JSC::DFG::ByteCodeParser::handleIntrinsic):
3217 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
3218 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3219 (JSC::DFG::ByteCodeParser::handleGetByOffset):
3220 (JSC::DFG::ByteCodeParser::handleGetById):
3221 (JSC::DFG::ByteCodeParser::parseBlock):
3222 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3223 (JSC::DFG::ByteCodeParser::parse):
3224 * dfg/DFGCFGSimplificationPhase.cpp:
3225 * dfg/DFGCPSRethreadingPhase.cpp:
3226 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
3227 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
3228 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
3229 * dfg/DFGCapabilities.cpp:
3230 (JSC::DFG::capabilityLevel):
3231 * dfg/DFGConstantFoldingPhase.cpp:
3232 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3233 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3234 (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
3235 * dfg/DFGGraph.cpp:
3236 (JSC::DFG::Graph::dump):
3237 * dfg/DFGGraph.h:
3238 (JSC::DFG::Graph::argumentsRegisterFor):
3239 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
3240 (JSC::DFG::Graph::uncheckedActivationRegisterFor):
3241 (JSC::DFG::Graph::valueProfileFor):
3242 * dfg/DFGJITCode.cpp:
3243 (JSC::DFG::JITCode::reconstruct):
3244 * dfg/DFGNode.h:
3245 (JSC::DFG::Node::Node):
3246 (JSC::DFG::Node::convertToGetLocalUnlinked):
3247 (JSC::DFG::Node::hasVirtualRegister):
3248 (JSC::DFG::Node::virtualRegister):
3249 (JSC::DFG::Node::setVirtualRegister):
3250 * dfg/DFGOSREntry.cpp:
3251 (JSC::DFG::prepareOSREntry):
3252 * dfg/DFGOSREntrypointCreationPhase.cpp:
3253 (JSC::DFG::OSREntrypointCreationPhase::run):
3254 * dfg/DFGOSRExit.h:
3255 * dfg/DFGOSRExitCompiler32_64.cpp:
3256 (JSC::DFG::OSRExitCompiler::compileExit):
3257 * dfg/DFGOSRExitCompiler64.cpp:
3258 (JSC::DFG::OSRExitCompiler::compileExit):
3259 * dfg/DFGRegisterBank.h:
3260 (JSC::DFG::RegisterBank::tryAllocate):
3261 (JSC::DFG::RegisterBank::allocateSpecific):
3262 (JSC::DFG::RegisterBank::retain):
3263 (JSC::DFG::RegisterBank::isInUse):
3264 (JSC::DFG::RegisterBank::dump):
3265 (JSC::DFG::RegisterBank::releaseAtIndex):
3266 (JSC::DFG::RegisterBank::allocateInternal):
3267 (JSC::DFG::RegisterBank::MapEntry::MapEntry):
3268 * dfg/DFGScoreBoard.h:
3269 (JSC::DFG::ScoreBoard::allocate):
3270 (JSC::DFG::ScoreBoard::use):
3271 * dfg/DFGSpeculativeJIT.cpp:
3272 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3273 (JSC::DFG::SpeculativeJIT::checkConsistency):
3274 (JSC::DFG::SpeculativeJIT::compileMovHint):
3275 (JSC::DFG::SpeculativeJIT::compileInlineStart):
3276 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3277 * dfg/DFGSpeculativeJIT.h:
3278 (JSC::DFG::SpeculativeJIT::allocate):
3279 (JSC::DFG::SpeculativeJIT::fprAllocate):
3280 (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
3281 (JSC::DFG::SpeculativeJIT::flushRegisters):
3282 (JSC::DFG::SpeculativeJIT::isFlushed):
3283 (JSC::DFG::SpeculativeJIT::argumentSlot):
3284 (JSC::DFG::SpeculativeJIT::argumentTagSlot):
3285 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
3286 (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
3287 (JSC::DFG::SpeculativeJIT::setNodeForOperand):
3288 (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
3289 (JSC::DFG::SpeculativeJIT::recordSetLocal):
3290 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
3291 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3292 * dfg/DFGSpeculativeJIT64.cpp:
3293 (JSC::DFG::SpeculativeJIT::compile):
3294 * dfg/DFGValidate.cpp:
3295 (JSC::DFG::Validate::validate):
3296 (JSC::DFG::Validate::validateCPS):
3297 (JSC::DFG::Validate::checkOperand):
3298 (JSC::DFG::Validate::reportValidationContext):
3299 * dfg/DFGValueRecoveryOverride.h:
3300 (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
3301 * dfg/DFGVariableAccessData.h:
3302 (JSC::DFG::VariableAccessData::operand):
3303 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
3304 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
3305 (JSC::DFG::VariableAccessData::flushFormat):
3306 * dfg/DFGVariableEvent.h:
3307 (JSC::DFG::VariableEvent::spill):
3308 (JSC::DFG::VariableEvent::setLocal):
3309 * dfg/DFGVariableEventStream.cpp:
3310 (JSC::DFG::VariableEventStream::reconstruct):
3311 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3312 (JSC::DFG::VirtualRegisterAllocationPhase::run):
3313 * ftl/FTLExitArgumentForOperand.h:
3314 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
3315 (JSC::FTL::ExitArgumentForOperand::operand):
3316 * ftl/FTLLink.cpp:
3317 (JSC::FTL::link):
3318 * ftl/FTLLowerDFGToLLVM.cpp:
3319 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3320 (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3321 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
3322 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3323 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3324 (JSC::FTL::LowerDFGToLLVM::observeMovHint):
3325 (JSC::FTL::LowerDFGToLLVM::addressFor):
3326 (JSC::FTL::LowerDFGToLLVM::payloadFor):
3327 (JSC::FTL::LowerDFGToLLVM::tagFor):
3328 * ftl/FTLOSREntry.cpp:
3329 (JSC::FTL::prepareOSREntry):
3330 * ftl/FTLOSRExit.cpp:
3331 (JSC::FTL::OSRExit::convertToForward):
3332 * ftl/FTLOSRExit.h:
3333 * ftl/FTLOSRExitCompiler.cpp:
3334 (JSC::FTL::compileStub):
3335 * interpreter/CallFrame.h:
3336 * interpreter/Interpreter.cpp:
3337 (JSC::Interpreter::dumpRegisters):
3338 (JSC::unwindCallFrame):
3339 (JSC::Interpreter::unwind):
3340 * jit/AssemblyHelpers.h:
3341 (JSC::AssemblyHelpers::addressFor):
3342 (JSC::AssemblyHelpers::tagFor):
3343 (JSC::AssemblyHelpers::payloadFor):
3344 (JSC::AssemblyHelpers::argumentsRegisterFor):
3345 * jit/JIT.h:
3346 * jit/JITCall.cpp:
3347 (JSC::JIT::compileLoadVarargs):
3348 * jit/JITInlines.h:
3349 (JSC::JIT::emitGetVirtualRegister):
3350 * jit/JITOpcodes.cpp:
3351 (JSC::JIT::emit_op_tear_off_arguments):
3352 (JSC::JIT::emit_op_get_pnames):
3353 (JSC::JIT::emit_op_enter):
3354 (JSC::JIT::emit_op_create_arguments):
3355 (JSC::JIT::emitSlow_op_get_argument_by_val):
3356 * jit/JITOpcodes32_64.cpp:
3357 (JSC::JIT::emit_op_enter):
3358 * jit/JITStubs.cpp:
3359 (JSC::DEFINE_STUB_FUNCTION):
3360 * llint/LLIntSlowPaths.cpp:
3361 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3362 * profiler/ProfilerBytecodeSequence.cpp:
3363 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3364 * runtime/CommonSlowPaths.cpp:
3365 (JSC::SLOW_PATH_DECL):
3366 * runtime/JSActivation.cpp:
3367 (JSC::JSActivation::argumentsGetter):
3368
3369 2013-09-26 Oliver Hunt <oliver@apple.com>
3370
3371 Attempt to fix MSVC build
3372
3373 * parser/Parser.cpp:
3374 (JSC::::createBindingPattern):
3375 (JSC::::parseDeconstructionPattern):
3376 * parser/Parser.h:
3377
3378 2013-09-26 Julien Brianceau <jbriance@cisco.com>
3379
3380 [sh4] JSValue* exception is unused since r70703 in JITStackFrame.
3381 https://bugs.webkit.org/show_bug.cgi?id=121962
3382
3383 This is a cosmetic change, but it could save people reading the sh4 part from
3384 wasting time trying to understand why there is a JSValue* here.
3385
3386 Reviewed by Darin Adler.
3387
3388 * jit/JITStubs.h:
3389
3390 2013-09-26 Anders Carlsson <andersca@apple.com>
3391
3392 WeakGCMap should not inherit from HashMap
3393 https://bugs.webkit.org/show_bug.cgi?id=121964
3394
3395 Reviewed by Geoffrey Garen.
3396
3397 Add the HashMap as a member variable instead and implement the missing member functions.
3398
3399 * runtime/WeakGCMap.h:
3400
3401 2013-09-25 Michael Saboff <msaboff@apple.com>
3402
3403 VirtualRegister should be a class
3404 https://bugs.webkit.org/show_bug.cgi?id=121732
3405
3406 Reviewed by Geoffrey Garen.
3407
3408 This is a refactoring change. Changed VirtualRegister from an enum to a class.
3409 Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
3410 and the similar functions for locals to VirtualRegister class.
3411
3412 This is in preparation for changing the offset for the first local register from
3413 0 to -1. This is needed since most native calling conventions have the architected
3414 frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
3415 pointer. Local values start below that address.
3416
3417 * bytecode/CodeBlock.cpp:
3418 * bytecode/CodeBlock.h:
3419 * bytecode/Instruction.h:
3420 * bytecode/LazyOperandValueProfile.h:
3421 * bytecode/MethodOfGettingAValueProfile.cpp:
3422 * bytecode/Operands.h:
3423 * bytecode/UnlinkedCodeBlock.cpp:
3424 * bytecode/UnlinkedCodeBlock.h:
3425 * bytecode/ValueRecovery.h:
3426 * bytecode/VirtualRegister.h:
3427 * bytecompiler/BytecodeGenerator.cpp:
3428 * bytecompiler/BytecodeGenerator.h:
3429 * bytecompiler/RegisterID.h:
3430 * debugger/DebuggerCallFrame.cpp:
3431 * dfg/DFGAbstractHeap.h:
3432 * dfg/DFGAbstractInterpreterInlines.h:
3433 * dfg/DFGArgumentPosition.h:
3434 * dfg/DFGArgumentsSimplificationPhase.cpp:
3435 * dfg/DFGByteCodeParser.cpp:
3436 * dfg/DFGCFGSimplificationPhase.cpp:
3437 * dfg/DFGCPSRethreadingPhase.cpp:
3438 * dfg/DFGCapabilities.cpp:
3439 * dfg/DFGConstantFoldingPhase.cpp:
3440 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3441 * dfg/DFGGraph.cpp:
3442 * dfg/DFGGraph.h:
3443 * dfg/DFGJITCode.cpp:
3444 * dfg/DFGNode.h:
3445 * dfg/DFGOSREntry.cpp:
3446 * dfg/DFGOSREntrypointCreationPhase.cpp:
3447 * dfg/DFGOSRExit.h:
3448 * dfg/DFGOSRExitCompiler32_64.cpp:
3449 * dfg/DFGOSRExitCompiler64.cpp:
3450 * dfg/DFGRegisterBank.h:
3451 * dfg/DFGScoreBoard.h:
3452 * dfg/DFGSpeculativeJIT.cpp:
3453 * dfg/DFGSpeculativeJIT.h:
3454 * dfg/DFGSpeculativeJIT64.cpp:
3455 * dfg/DFGValidate.cpp:
3456 * dfg/DFGValueRecoveryOverride.h:
3457 * dfg/DFGVariableAccessData.h:
3458 * dfg/DFGVariableEvent.h:
3459 * dfg/DFGVariableEventStream.cpp:
3460 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3461 * ftl/FTLExitArgumentForOperand.h:
3462 * ftl/FTLLink.cpp:
3463 * ftl/FTLLowerDFGToLLVM.cpp:
3464 * ftl/FTLOSREntry.cpp:
3465 * ftl/FTLOSRExit.cpp:
3466 * ftl/FTLOSRExit.h:
3467 * ftl/FTLOSRExitCompiler.cpp:
3468 * interpreter/CallFrame.h:
3469 * interpreter/Interpreter.cpp:
3470 * jit/AssemblyHelpers.h:
3471 * jit/JIT.h:
3472 * jit/JITCall.cpp:
3473 * jit/JITInlines.h:
3474 * jit/JITOpcodes.cpp:
3475 * jit/JITOpcodes32_64.cpp:
3476 * jit/JITStubs.cpp:
3477 * llint/LLIntSlowPaths.cpp:
3478 * profiler/ProfilerBytecodeSequence.cpp:
3479 * runtime/CommonSlowPaths.cpp:
3480 * runtime/JSActivation.cpp:
3481
3482 2013-09-26 Anders Carlsson <andersca@apple.com>
3483
3484 Weak should have a move constructor and move assignment operator
3485 https://bugs.webkit.org/show_bug.cgi?id=121963
3486
3487 Reviewed by Oliver Hunt.
3488
3489 This is the first step towards getting rid of PassWeak.
3490
3491 * API/JSClassRef.cpp:
3492 (OpaqueJSClass::prototype):
3493 * heap/Weak.h:
3494 * heap/WeakInlines.h:
3495 (JSC::::Weak):
3496 (JSC::::leakImpl):
3497 * runtime/SimpleTypedArrayController.cpp:
3498 (JSC::SimpleTypedArrayController::toJS):
3499
3500 2013-09-26 Mark Hahnenberg <mhahnenberg@apple.com>
3501
3502 op_to_this shouldn't use value profiling
3503 https://bugs.webkit.org/show_bug.cgi?id=121920
3504
3505 Reviewed by Geoffrey Garen.
3506
3507 Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is
3508 to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables
3509 during nursery collections.
3510
3511 This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
3512 m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
3513 ValueProfile.
3514
3515 * bytecode/CodeBlock.cpp:
3516 (JSC::CodeBlock::CodeBlock):
3517 (JSC::CodeBlock::finalizeUnconditionally):
3518 (JSC::CodeBlock::stronglyVisitStrongReferences):
3519 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3520 (JSC::CodeBlock::updateAllValueProfilePredictions):
3521 (JSC::CodeBlock::updateAllPredictions):
3522 (JSC::CodeBlock::shouldOptimizeNow):
3523 * bytecode/CodeBlock.h:
3524 (JSC::CodeBlock::updateAllValueProfilePredictions):
3525 (JSC::CodeBlock::updateAllPredictions):
3526 * bytecode/LazyOperandValueProfile.cpp:
3527 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
3528 * bytecode/LazyOperandValueProfile.h:
3529 * bytecode/ValueProfile.h:
3530 (JSC::ValueProfileBase::ValueProfileBase):
3531 (JSC::ValueProfileBase::briefDescription):
3532 (JSC::ValueProfileBase::dump):
3533 (JSC::ValueProfileBase::computeUpdatedPrediction):
3534 * bytecompiler/BytecodeGenerator.cpp:
3535 (JSC::BytecodeGenerator::BytecodeGenerator):
3536 * dfg/DFGByteCodeParser.cpp:
3537 (JSC::DFG::ByteCodeParser::parseBlock):
3538 * jit/JITOpcodes.cpp:
3539 (JSC::JIT::emit_op_to_this):
3540 (JSC::JIT::emitSlow_op_to_this):
3541 * jit/JITOpcodes32_64.cpp:
3542 (JSC::JIT::emit_op_to_this):
3543 (JSC::JIT::emitSlow_op_to_this):
3544 * llint/LowLevelInterpreter32_64.asm:
3545 * llint/LowLevelInterpreter64.asm:
3546 * runtime/CommonSlowPaths.cpp:
3547 (JSC::SLOW_PATH_DECL):
3548
3549 2013-09-25 Oliver Hunt <oliver@apple.com>
3550
3551 Implement prefixed-destructuring assignment
3552 https://bugs.webkit.org/show_bug.cgi?id=121930
3553
3554 Reviewed by Mark Hahnenberg.
3555
3556 This is mostly simple - the semantics of deconstruction are already
3557 present in the language, so most of the complexity (if you call it
3558 that) is addition of new AST nodes, and parsing the syntax.
3559
3560 In order to get correct semantics for the parameter lists, FunctionParameters
3561 now needs to store refcounted references to the parameter patterns.
3562 There's also a little work to ensure that variable creation and assignment
3563 occurs in the correct order while the BytecodeGenerator is being constructed.
3564
3565 * bytecode/UnlinkedCodeBlock.cpp:
3566 (JSC::UnlinkedFunctionExecutable::paramString):
3567 * bytecompiler/BytecodeGenerator.cpp:
3568 (JSC::BytecodeGenerator::BytecodeGenerator):
3569 * bytecompiler/BytecodeGenerator.h:
3570 (JSC::BytecodeGenerator::emitExpressionInfo):
3571 * bytecompiler/NodesCodegen.cpp:
3572 (JSC::ForInNode::emitBytecode):
3573 (JSC::DeconstructingAssignmentNode::emitBytecode):
3574 (JSC::DeconstructionPatternNode::~DeconstructionPatternNode):
3575 (JSC::ArrayPatternNode::emitBytecode):
3576 (JSC::ArrayPatternNode::emitDirectBinding):
3577 (JSC::ArrayPatternNode::toString):
3578 (JSC::ArrayPatternNode::collectBoundIdentifiers):
3579 (JSC::ObjectPatternNode::toString):
3580 (JSC::ObjectPatternNode::emitBytecode):
3581 (JSC::ObjectPatternNode::collectBoundIdentifiers):
3582 (JSC::BindingNode::emitBytecode):
3583 (JSC::BindingNode::toString):
3584 (JSC::BindingNode::collectBoundIdentifiers):
3585 * parser/ASTBuilder.h:
3586 (JSC::ASTBuilder::createFormalParameterList):
3587 (JSC::ASTBuilder::createForInLoop):
3588 (JSC::ASTBuilder::addVar):
3589 (JSC::ASTBuilder::createDeconstructingAssignment):
3590 (JSC::ASTBuilder::createArrayPattern):
3591 (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3592 (JSC::ASTBuilder::appendArrayPatternEntry):
3593 (JSC::ASTBuilder::createObjectPattern):
3594 (JSC::ASTBuilder::appendObjectPatternEntry):
3595 (JSC::ASTBuilder::createBindingLocation):
3596 * parser/NodeConstructors.h:
3597 (JSC::CommaNode::CommaNode):
3598 (JSC::ParameterNode::ParameterNode):
3599 (JSC::ForInNode::ForInNode):
3600 (JSC::DeconstructionPatternNode::DeconstructionPatternNode):
3601 (JSC::ArrayPatternNode::ArrayPatternNode):
3602 (JSC::ArrayPatternNode::create):
3603 (JSC::ObjectPatternNode::ObjectPatternNode):
3604 (JSC::ObjectPatternNode::create):
3605 (JSC::BindingNode::create):
3606 (JSC::BindingNode::BindingNode):
3607 (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode):
3608 * parser/Nodes.cpp:
3609 (JSC::FunctionParameters::create):
3610 (JSC::FunctionParameters::FunctionParameters):
3611 (JSC::FunctionParameters::~FunctionParameters):
3612 * parser/Nodes.h:
3613 (JSC::ExpressionNode::isDeconstructionNode):
3614 (JSC::ArrayNode::elements):
3615 (JSC::CommaNode::append):
3616 (JSC::ParameterNode::pattern):
3617 (JSC::FunctionParameters::at):
3618 (JSC::FunctionParameters::patterns):
3619 (JSC::DeconstructionPatternNode::isBindingNode):
3620 (JSC::DeconstructionPatternNode::emitDirectBinding):
3621 (JSC::ArrayPatternNode::appendIndex):
3622 (JSC::ObjectPatternNode::appendEntry):
3623 (JSC::ObjectPatternNode::Entry::Entry):
3624 (JSC::BindingNode::boundProperty):
3625 (JSC::BindingNode::isBindingNode):
3626 (JSC::DeconstructingAssignmentNode::bindings):
3627 (JSC::DeconstructingAssignmentNode::isLocation):
3628 (JSC::DeconstructingAssignmentNode::isDeconstructionNode):
3629 * parser/Parser.cpp:
3630 (JSC::::Parser):
3631 (JSC::::parseVarDeclaration):
3632 (JSC::::parseVarDeclarationList):
3633 (JSC::::createBindingPattern):
3634 (JSC::::parseDeconstructionPattern):
3635 (JSC::::parseForStatement):
3636 (JSC::::parseFormalParameters):
3637 (JSC::::parseAssignmentExpression):
3638 * parser/Parser.h:
3639 (JSC::Scope::declareBoundParameter):
3640 (JSC::Parser::declareBoundParameter):
3641 * parser/SyntaxChecker.h:
3642 (JSC::SyntaxChecker::createFormalParameterList):
3643 (JSC::SyntaxChecker::addVar):
3644 (JSC::SyntaxChecker::operatorStackPop):
3645 * runtime/JSONObject.cpp:
3646 (JSC::escapeStringToBuilder):
3647 * runtime/JSONObject.h:
3648
3649 2013-09-25 Brady Eidson <beidson@apple.com>
3650
3651 Enable the IndexedDB build on Mac, but leave the feature non-functional
3652 https://bugs.webkit.org/show_bug.cgi?id=121918
3653
3654 Reviewed by Alexey Proskuryakov.
3655
3656 * Configurations/FeatureDefines.xcconfig:
3657
3658 2013-09-25 Commit Queue <commit-queue@webkit.org>
3659
3660 Unreviewed, rolling out r156432.
3661 http://trac.webkit.org/changeset/156432
3662 https://bugs.webkit.org/show_bug.cgi?id=121932
3663
3664 some integer conversion things that need brady to fix
3665 (Requested by thorton on #webkit).
3666
3667 * Configurations/FeatureDefines.xcconfig:
3668
3669 2013-09-25 Anders Carlsson <andersca@apple.com>
3670
3671 Move KeyValuePairTraits inside HashMap
3672 https://bugs.webkit.org/show_bug.cgi?id=121931
3673
3674 Reviewed by Sam Weinig.
3675
3676 * tools/ProfileTreeNode.h:
3677
3678 2013-09-25 Brady Eidson <beidson@apple.com>
3679
3680 Enable the IndexedDB build on Mac, but leave the feature non-functional
3681 https://bugs.webkit.org/show_bug.cgi?id=121918
3682
3683 Reviewed by Alexey Proskuryakov.
3684
3685 * Configurations/FeatureDefines.xcconfig:
3686
3687 2013-09-25 Brady Eidson <beidson@apple.com>
3688
3689 FeatureDefine.xcconfig cleanup (They should all be identical).
3690 https://bugs.webkit.org/show_bug.cgi?id=121921
3691
3692 Reviewed by Mark Rowe.
3693
3694 * Configurations/FeatureDefines.xcconfig:
3695
3696 2013-09-25 Patrick Gansterer <paroga@webkit.org>
3697
3698 Build fix for WinCE after r155098.
3699
3700 Windows CE does not support getenv().
3701
3702 * jsc.cpp:
3703 (main):
3704
3705 2013-09-24 Mark Hahnenberg <mhahnenberg@apple.com>
3706
3707 op_get_callee shouldn't use value profiling
3708 https://bugs.webkit.org/show_bug.cgi?id=121821
3709
3710 Reviewed by Filip Pizlo.
3711
3712 Currently it's one of the two opcodes that uses m_singletonValue, which is unnecessary.
3713 Our current plan is to remove m_singletonValue so that GenGC can have a simpler story
3714 for handling CodeBlocks/FunctionExecutables during nursery collections.
3715
3716 Instead of using a ValueProfile op_get_callee now has a simple inline cache of the most
3717 recent JSFunction that we saw.
3718
3719 * bytecode/CodeBlock.cpp:
3720 (JSC::CodeBlock::CodeBlock):
3721 (JSC::CodeBlock::finalizeUnconditionally):
3722 * bytecompiler/BytecodeGenerator.cpp:
3723 (JSC::BytecodeGenerator::emitCreateThis):
3724 * dfg/DFGByteCodeParser.cpp:
3725 (JSC::DFG::ByteCodeParser::parseBlock):
3726 * jit/JIT.cpp:
3727 (JSC::JIT::privateCompileSlowCases):
3728 * jit/JIT.h:
3729 * jit/JITOpcodes.cpp:
3730 (JSC::JIT::emit_op_get_callee):
3731 (JSC::JIT::emitSlow_op_get_callee):
3732 * jit/JITOpcodes32_64.cpp:
3733 (JSC::JIT::emit_op_get_callee):
3734 (JSC::JIT::emitSlow_op_get_callee):
3735 * llint/LowLevelInterpreter32_64.asm:
3736 * llint/LowLevelInterpreter64.asm:
3737 * runtime/CommonSlowPaths.cpp:
3738 (JSC::SLOW_PATH_DECL):
3739 * runtime/CommonSlowPaths.h:
3740
3741 2013-09-24 Mark Lam <mark.lam@apple.com>
3742
3743 Change JSC debug hooks to pass a CallFrame* instead of a DebuggerCallFrame.
3744 https://bugs.webkit.org/show_bug.cgi?id=121867
3745
3746 Reviewed by Geoffrey Garen.
3747
3748 1. Removed the need for passing the line and column info to the debug hook
3749 callbacks. We now get the line and column info from the CallFrame.
3750
3751 2. Simplify BytecodeGenerator::emitDebugHook() to only take 1 line number
3752 argument. The caller can determine whether to pass in the first or last
3753 line number of the block of source code as appropriate.
3754 Note: we still need to pass in the line and column info to emitDebugHook()
3755 because it uses this info to emit expression info which is later used by
3756 the StackVisitor to determine the line and column info for its "pc".
3757
3758 3. Pass the exceptionValue explicitly to the exception() debug hook
3759 callback. It should not be embedded in the CallFrame / DebuggerCallFrame.
3760
3761 4. Change the op_debug opcode size to 2 (from 5) since we're removing 3 arg
3762 values. Update the LLINT and JIT code to handle this.
3763
3764 * bytecode/CodeBlock.cpp:
3765 (JSC::CodeBlock::dumpBytecode):
3766 (JSC::CodeBlock::CodeBlock):
3767 * bytecode/Opcode.h:
3768 (JSC::padOpcodeName):
3769 * bytecompiler/BytecodeGenerator.cpp:
3770 (JSC::BytecodeGenerator::emitDebugHook):
3771 * bytecompiler/BytecodeGenerator.h:
3772 * bytecompiler/NodesCodegen.cpp:
3773 (JSC::ConstStatementNode::emitBytecode):
3774 (JSC::EmptyStatementNode::emitBytecode):
3775 (JSC::DebuggerStatementNode::emitBytecode):
3776 (JSC::ExprStatementNode::emitBytecode):
3777 (JSC::VarStatementNode::emitBytecode):
3778 (JSC::IfElseNode::emitBytecode):
3779 (JSC::DoWhileNode::emitBytecode):
3780 (JSC::WhileNode::emitBytecode):
3781 (JSC::ForNode::emitBytecode):
3782 (JSC::ForInNode::emitBytecode):
3783 (JSC::ContinueNode::emitBytecode):
3784 (JSC::BreakNode::emitBytecode):
3785 (JSC::ReturnNode::emitBytecode):
3786 (JSC::WithNode::emitBytecode):
3787 (JSC::SwitchNode::emitBytecode):
3788 (JSC::LabelNode::emitBytecode):
3789 (JSC::ThrowNode::emitBytecode):
3790 (JSC::TryNode::emitBytecode):
3791 (JSC::ProgramNode::emitBytecode):
3792 (JSC::EvalNode::emitBytecode):
3793 (JSC::FunctionBodyNode::emitBytecode):
3794 * debugger/Debugger.h:
3795 * debugger/DebuggerCallFrame.cpp:
3796 (JSC::LineAndColumnFunctor::operator()):
3797 (JSC::LineAndColumnFunctor::line):
3798 (JSC::LineAndColumnFunctor::column):
3799 (JSC::DebuggerCallFrame::DebuggerCallFrame):
3800 (JSC::DebuggerCallFrame::clear):
3801 * debugger/DebuggerCallFrame.h:
3802 (JSC::DebuggerCallFrame::line):
3803 (JSC::DebuggerCallFrame::column):
3804 * interpreter/Interpreter.cpp:
3805 (JSC::unwindCallFrame):
3806 (JSC::UnwindFunctor::UnwindFunctor):
3807 (JSC::UnwindFunctor::operator()):
3808 (JSC::Interpreter::unwind):
3809 (JSC::Interpreter::debug):
3810 * interpreter/Interpreter.h:
3811 * jit/JITOpcodes.cpp:
3812 (JSC::JIT::emit_op_debug):
3813 * jit/JITOpcodes32_64.cpp:
3814 (JSC::JIT::emit_op_debug):
3815 * jit/JITStubs.cpp:
3816 (JSC::DEFINE_STUB_FUNCTION):
3817 * llint/LLIntSlowPaths.cpp:
3818 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3819 * llint/LowLevelInterpreter.asm:
3820
3821 2013-09-24 Filip Pizlo <fpizlo@apple.com>
3822
3823 Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
3824 https://bugs.webkit.org/show_bug.cgi?id=121844
3825
3826 Reviewed by Mark Hahnenberg.
3827
3828 Fix some int52 bugs that caused this.
3829
3830 * bytecode/ValueRecovery.h:
3831 (JSC::ValueRecovery::dumpInContext): There's no such thing as int53.
3832 * dfg/DFGSpeculativeJIT.h:
3833 (JSC::DFG::SpeculativeJIT::spill): Actually spill int52's, instead of hitting an assert and crashing.
3834 * dfg/DFGSpeculativeJIT64.cpp:
3835 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): Use the right format (from before when we clobber it).
3836
3837 2013-09-24 Mark Rowe <mrowe@apple.com>
3838
3839 <rdar://problem/14971518> WebKit should build against the Xcode default toolchain when targeting OS X 10.8
3840
3841 Reviewed by Dan Bernstein.
3842
3843 * Configurations/Base.xcconfig:
3844
3845 2013-09-23 Patrick Gansterer <paroga@webkit.org>
3846
3847 use NOMINMAX instead of #define min min
3848 https://bugs.webkit.org/show_bug.cgi?id=73563
3849
3850 Reviewed by Brent Fulgham.
3851
3852 Use NOMINMAX instead of #define min/max as a cleaner
3853 way of ensuring that Windows system header files don't
3854 define min/max as macro in the first place.
3855
3856 * config.h:
3857
3858 2013-09-23 Filip Pizlo <fpizlo@apple.com>
3859
3860 Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index
3861 https://bugs.webkit.org/show_bug.cgi?id=121734
3862
3863 Reviewed by Mark Hahnenberg.
3864
3865 Exception handling can deduce where the exception was thrown from by looking at the
3866 code origin that was stored into the call frame header. There is no need to pass any
3867 additional meta-data into the exception throwing logic. But the DFG was still doing it
3868 anyway.
3869
3870 This removes all of the logic to pass extra meta-data into lookupExceptionHandler()
3871 and friends. It simplifies a lot of code.
3872
3873 * CMakeLists.txt:
3874 * GNUmakefile.list.am:
3875 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3876 * JavaScriptCore.xcodeproj/project.pbxproj:
3877 * Target.pri:
3878 * bytecode/CodeBlock.cpp:
3879 (JSC::CodeBlock::shrinkToFit):
3880 * bytecode/CodeBlock.h:
3881 (JSC::CodeBlock::codeOrigins):
3882 (JSC::CodeBlock::hasCodeOrigins):
3883 (JSC::CodeBlock::canGetCodeOrigin):
3884 (JSC::CodeBlock::codeOrigin):
3885 * bytecode/CodeOrigin.h:
3886 (JSC::InlineCallFrame::InlineCallFrame):
3887 * bytecode/InlineCallFrameSet.cpp: Added.
3888 (JSC::InlineCallFrameSet::InlineCallFrameSet):
3889 (JSC::InlineCallFrameSet::~InlineCallFrameSet):
3890 (JSC::InlineCallFrameSet::add):
3891 (JSC::InlineCallFrameSet::shrinkToFit):
3892 * bytecode/InlineCallFrameSet.h: Added.
3893 (JSC::InlineCallFrameSet::isEmpty):
3894 (JSC::InlineCallFrameSet::size):
3895 (JSC::InlineCallFrameSet::at):
3896 * dfg/DFGArgumentsSimplificationPhase.cpp:
3897 (JSC::DFG::ArgumentsSimplificationPhase::run):
3898 * dfg/DFGByteCodeParser.cpp:
3899 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3900 * dfg/DFGCommonData.cpp:
3901 (JSC::DFG::CommonData::addCodeOrigin):
3902 (JSC::DFG::CommonData::shrinkToFit):
3903 * dfg/DFGCommonData.h:
3904 * dfg/DFGDesiredWriteBarriers.cpp:
3905 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
3906 (JSC::DFG::DesiredWriteBarrier::trigger):
3907 * dfg/DFGDesiredWriteBarriers.h:
3908 (JSC::DFG::DesiredWriteBarriers::add):
3909 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
3910 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
3911 * dfg/DFGGraph.cpp:
3912 (JSC::DFG::Graph::Graph):
3913 * dfg/DFGGraph.h:
3914 * dfg/DFGJITCompiler.cpp:
3915 (JSC::DFG::JITCompiler::JITCompiler):
3916 (JSC::DFG::JITCompiler::compileExceptionHandlers):
3917 (JSC::DFG::JITCompiler::link):
3918 (JSC::DFG::JITCompiler::compileFunction):
3919 * dfg/DFGJITCompiler.h:
3920 (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
3921 (JSC::DFG::JITCompiler::exceptionCheck):
3922 (JSC::DFG::JITCompiler::fastExceptionCheck):
3923 * dfg/DFGOperations.cpp:
3924 * dfg/DFGOperations.h:
3925 * dfg/DFGRepatch.cpp:
3926 (JSC::DFG::tryBuildGetByIDList):
3927 * dfg/DFGSpeculativeJIT.h:
3928 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
3929 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3930 (JSC::DFG::SpeculativeJIT::appendCall):
3931 * dfg/DFGSpeculativeJIT32_64.cpp:
3932 (JSC::DFG::SpeculativeJIT::emitCall):
3933 * dfg/DFGSpeculativeJIT64.cpp:
3934 (JSC::DFG::SpeculativeJIT::emitCall):
3935 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3936 (JSC::DFG::VirtualRegisterAllocationPhase::run):
3937 * ftl/FTLLowerDFGToLLVM.cpp:
3938 (JSC::FTL::LowerDFGToLLVM::callPreflight):
3939 * jit/AssemblyHelpers.h:
3940 (JSC::AssemblyHelpers::emitExceptionCheck):
3941
3942 2013-09-23 Oliver Hunt <oliver@apple.com>
3943
3944 CodeLoad performance regression
3945
3946 Reviewed by Filip Pizlo.
3947
3948 Temporarily remove the ExpressionInfo compression until we can
3949 work out how to make it not clobber performance.
3950
3951 * bytecode/UnlinkedCodeBlock.cpp:
3952 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
3953 (JSC::UnlinkedCodeBlock::addExpressionInfo):
3954 * bytecode/UnlinkedCodeBlock.h:
3955
3956 2013-09-23 Patrick Gansterer <paroga@webkit.org>
3957
3958 Cleanup CMake files in JavaScriptCore
3959 https://bugs.webkit.org/show_bug.cgi?id=121762
3960
3961 Reviewed by Gyuyoung Kim.
3962
3963 Sort files and unify style.
3964
3965 * CMakeLists.txt:
3966 * shell/CMakeLists.txt:
3967 * shell/PlatformBlackBerry.cmake:
3968 * shell/PlatformEfl.cmake:
3969
3970 2013-09-22 Filip Pizlo <fpizlo@apple.com>
3971
3972 Get rid of CodeBlock::RareData::callReturnIndexVector and most of the evil that it introduced
3973 https://bugs.webkit.org/show_bug.cgi?id=121766
3974
3975 Reviewed by Andreas Kling.
3976
3977 * bytecode/CodeBlock.cpp:
3978 (JSC::CodeBlock::shrinkToFit):
3979 * bytecode/CodeBlock.h:
3980 * dfg/DFGJITCompiler.cpp:
3981 (JSC::DFG::JITCompiler::compileExceptionHandlers):
3982 (JSC::DFG::JITCompiler::link):
3983 * jit/JIT.cpp:
3984 (JSC::JIT::privateCompile):
3985
3986 2013-09-21 Filip Pizlo <fpizlo@apple.com>
3987
3988 Interpreter::unwind() has no need for the bytecodeOffset
3989 https://bugs.webkit.org/show_bug.cgi?id=121755
3990
3991 Reviewed by Oliver Hunt.
3992
3993 It was only using the bytecodeOffset for some debugger stuff, but the debugger could
3994 just get the bytecodeOffset the same way the rest of the machinery does: by using the
3995 CallFrame's location.
3996
3997 It turns out that a lot of really ugly code was in place just to supply this
3998 bytecodeOffset. This patch kills most of that code, and allows us to kill even more
3999 code in a future patch - though most likely that killage will involve further
4000 refactorings as well, see https://bugs.webkit.org/show_bug.cgi?id=121734.
4001
4002 * dfg/DFGOperations.cpp:
4003 * interpreter/CallFrame.cpp:
4004 (JSC::CallFrame::bytecodeOffset):
4005 (JSC::CallFrame::codeOrigin):
4006 * interpreter/CallFrame.h:
4007 * interpreter/Interpreter.cpp:
4008 (JSC::Interpreter::unwind):
4009 * interpreter/Interpreter.h:
4010 * jit/JITExceptions.cpp:
4011 (JSC::genericUnwind):
4012 * jit/JITExceptions.h:
4013 * jit/JITStubs.cpp:
4014 (JSC::DEFINE_STUB_FUNCTION):
4015 (JSC::cti_vm_handle_exception):
4016 * llint/LLIntExceptions.cpp:
4017 (JSC::LLInt::doThrow):
4018 (JSC::LLInt::returnToThrow):
4019 (JSC::LLInt::callToThrow):
4020 * llint/LLIntExceptions.h:
4021 * llint/LLIntSlowPaths.cpp:
4022 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
4023 * runtime/CommonSlowPaths.cpp:
4024 (JSC::SLOW_PATH_DECL):
4025 * runtime/CommonSlowPathsExceptions.cpp:
4026 (JSC::CommonSlowPaths::interpreterThrowInCaller):
4027 * runtime/CommonSlowPathsExceptions.h:
4028
4029 2013-09-21 Darin Adler <darin@apple.com>
4030
4031 Add ExecState::uncheckedArgument and use where possible to shrink a bit
4032 https://bugs.webkit.org/show_bug.cgi?id=121750
4033
4034 Reviewed by Andreas Kling.
4035
4036 * interpreter/CallFrame.h:
4037 (JSC::ExecState::uncheckedArgument): Added. Like argument, but with an
4038 assertion rather than a runtime check.
4039
4040 * API/APICallbackFunction.h:
4041 (JSC::APICallbackFunction::call): Use uncheckedArgument because we are
4042 already in a loop over arguments, so don't need a range check.
4043 * API/JSCallbackConstructor.cpp:
4044 (JSC::constructJSCallback): Ditto.
4045 * API/JSCallbackObjectFunctions.h:
4046 (JSC::JSCallbackObject::construct): Ditto.
4047 (JSC::JSCallbackObject::call): Ditto.
4048 * jsc.cpp:
4049 (functionPrint): Ditto.
4050 (functionRun): Ditto.
4051 (functionSetSamplingFlags): Ditto.
4052 (functionClearSamplingFlags): Ditto.
4053 * runtime/ArrayPrototype.cpp:
4054 (JSC::arrayProtoFuncConcat): Ditto.
4055 (JSC::arrayProtoFuncPush): Use uncheckedArgument because there is already
4056 code that explicitly checks argumentCount.
4057 (JSC::arrayProtoFuncSplice): Ditto.
4058 (JSC::arrayProtoFuncUnShift): Ditto.
4059 (JSC::arrayProtoFuncReduce): Ditto.
4060 (JSC::arrayProtoFuncReduceRight): Ditto.
4061 (JSC::arrayProtoFuncLastIndexOf): Ditto.
4062 * runtime/DatePrototype.cpp:
4063 (JSC::fillStructuresUsingTimeArgs): Ditto.
4064 (JSC::fillStructuresUsingDateArgs): Ditto.
4065 * runtime/JSArrayBufferConstructor.cpp:
4066 (JSC::constructArrayBuffer): Ditto.
4067 * runtime/JSArrayBufferPrototype.cpp:
4068 (JSC::arrayBufferProtoFuncSlice): Ditto.
4069 * runtime/JSBoundFunction.cpp:
4070 (JSC::boundFunctionCall): Ditto.
4071 (JSC::boundFunctionConstruct): Ditto.
4072 * runtime/JSDataViewPrototype.cpp:
4073 (JSC::getData): Ditto.
4074 (JSC::setData): Ditto.
4075 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
4076 (JSC::constructGenericTypedArrayView): Ditto.
4077 * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
4078 (JSC::genericTypedArrayViewProtoFuncSet): Ditto.
4079 (JSC::genericTypedArrayViewProtoFuncSubarray): Ditto.
4080 * runtime/JSONObject.cpp:
4081 (JSC::JSONProtoFuncParse): Ditto.
4082 (JSC::JSONProtoFuncStringify): Ditto.
4083 * runtime/JSPromiseConstructor.cpp:
4084 (JSC::constructPromise): Ditto.
4085 (JSC::JSPromiseConstructorFuncFulfill): Ditto.
4086 (JSC::JSPromiseConstructorFuncResolve): Ditto.
4087 (JSC::JSPromiseConstructorFuncReject): Ditto.
4088 * runtime/MathObject.cpp:
4089 (JSC::mathProtoFuncMax): Ditto.
4090 (JSC::mathProtoFuncMin): Ditto.
4091
4092 * runtime/NameConstructor.cpp:
4093 (JSC::constructPrivateName): Removed unneeded check of argumentCount
4094 that simply repeats what argument already does.
4095 * runtime/NativeErrorConstructor.cpp:
4096 (JSC::Interpreter::constructWithNativeErrorConstructor): Ditto.
4097 (JSC::Interpreter::callNativeErrorConstructor): Ditto.
4098
4099 * runtime/NumberConstructor.cpp:
4100 (JSC::constructWithNumberConstructor): Use uncheckedArgument since
4101 there is already code that explicitly checks argument count.
4102 (JSC::callNumberConstructor): Ditto.
4103
4104 * runtime/ObjectConstructor.cpp:
4105 (JSC::objectConstructorCreate): Small refactoring to not call argument(0)
4106 three times.
4107
4108 * runtime/SetConstructor.cpp:
4109 (JSC::constructSet): Use uncheckedArgument since we are already in a loop
4110 over arguments.
4111
4112 * runtime/StringConstructor.cpp:
4113 (JSC::stringFromCharCodeSlowCase): In a loop.
4114 (JSC::stringFromCharCode): Already checked count.
4115 (JSC::constructWithStringConstructor): Ditto.
4116 (JSC::callStringConstructor): Ditto.
4117 * runtime/StringPrototype.cpp:
4118 (JSC::stringProtoFuncConcat): Already checked count.
4119 * runtime/TestRunnerUtils.cpp:
4120 (JSC::numberOfDFGCompiles): Ditto.
4121 (JSC::setNeverInline): Ditto.
4122
4123 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4124
4125 Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore
4126 https://bugs.webkit.org/show_bug.cgi?id=121753
4127
4128 Reviewed by Darin Adler.
4129
4130 * interpreter/CallFrame.cpp:
4131 (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
4132 * interpreter/CallFrame.h:
4133 * interpreter/Register.h:
4134
4135 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4136
4137 Unreviewed, fix the revert.
4138
4139 * dfg/DFGRepatch.cpp:
4140
4141 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4142
4143 Unreviewed, revert http://trac.webkit.org/changeset/156235. It won't work on Windows.
4144
4145 * CMakeLists.txt:
4146 * GNUmakefile.list.am:
4147 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4148 * JavaScriptCore.xcodeproj/project.pbxproj:
4149 * Target.pri:
4150 * bytecode/CallLinkInfo.cpp:
4151 (JSC::CallLinkInfo::unlink):
4152 * bytecode/CodeBlock.cpp:
4153 (JSC::CodeBlock::resetStubInternal):
4154 * bytecode/StructureStubInfo.h:
4155 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
4156 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
4157 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
4158 * dfg/DFGJITCompiler.h:
4159 * dfg/DFGOSRExitCompiler.h:
4160 * dfg/DFGOperations.cpp:
4161 (JSC::DFG::operationPutByValInternal):
4162 * dfg/DFGOperations.h:
4163 (JSC::DFG::operationNewTypedArrayWithSizeForType):
4164 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
4165 * dfg/DFGRegisterSet.h: Added.
4166 (JSC::DFG::RegisterSet::RegisterSet):
4167 (JSC::DFG::RegisterSet::asPOD):
4168 (JSC::DFG::RegisterSet::copyInfo):
4169 (JSC::DFG::RegisterSet::set):
4170 (JSC::DFG::RegisterSet::setGPRByIndex):
4171 (JSC::DFG::RegisterSet::clear):
4172 (JSC::DFG::RegisterSet::get):
4173 (JSC::DFG::RegisterSet::getGPRByIndex):
4174 (JSC::DFG::RegisterSet::getFreeGPR):
4175 (JSC::DFG::RegisterSet::setFPRByIndex):
4176 (JSC::DFG::RegisterSet::getFPRByIndex):
4177 (JSC::DFG::RegisterSet::setByIndex):
4178 (JSC::DFG::RegisterSet::getByIndex):
4179 (JSC::DFG::RegisterSet::numberOfSetGPRs):
4180 (JSC::DFG::RegisterSet::numberOfSetFPRs):
4181 (JSC::DFG::RegisterSet::numberOfSetRegisters):
4182 (JSC::DFG::RegisterSet::setBit):
4183 (JSC::DFG::RegisterSet::clearBit):
4184 (JSC::DFG::RegisterSet::getBit):
4185 * dfg/DFGRepatch.cpp: Added.
4186 (JSC::DFG::repatchCall):
4187 (JSC::DFG::repatchByIdSelfAccess):
4188 (JSC::DFG::addStructureTransitionCheck):
4189 (JSC::DFG::replaceWithJump):
4190 (JSC::DFG::emitRestoreScratch):
4191 (JSC::DFG::linkRestoreScratch):
4192 (JSC::DFG::generateProtoChainAccessStub):
4193 (JSC::DFG::tryCacheGetByID):
4194 (JSC::DFG::repatchGetByID):
4195 (JSC::DFG::getPolymorphicStructureList):
4196 (JSC::DFG::patchJumpToGetByIdStub):
4197 (JSC::DFG::tryBuildGetByIDList):
4198 (JSC::DFG::buildGetByIDList):
4199 (JSC::DFG::appropriateGenericPutByIdFunction):
4200 (JSC::DFG::appropriateListBuildingPutByIdFunction):
4201 (JSC::DFG::emitPutReplaceStub):
4202 (JSC::DFG::emitPutTransitionStub):
4203 (JSC::DFG::tryCachePutByID):
4204 (JSC::DFG::repatchPutByID):
4205 (JSC::DFG::tryBuildPutByIdList):
4206 (JSC::DFG::buildPutByIdList):
4207 (JSC::DFG::tryRepatchIn):
4208 (JSC::DFG::repatchIn):
4209 (JSC::DFG::linkSlowFor):
4210 (JSC::DFG::linkFor):
4211 (JSC::DFG::linkClosureCall):
4212 (JSC::DFG::resetGetByID):
4213 (JSC::DFG::resetPutByID):
4214 (JSC::DFG::resetIn):
4215 * dfg/DFGRepatch.h: Added.
4216 (JSC::DFG::resetGetByID):
4217 (JSC::DFG::resetPutByID):
4218 (JSC::DFG::resetIn):
4219 * dfg/DFGScratchRegisterAllocator.h: Added.
4220 (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
4221 (JSC::DFG::ScratchRegisterAllocator::lock):
4222 (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
4223 (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
4224 (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
4225 (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
4226 (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
4227 (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
4228 (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
4229 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
4230 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
4231 * dfg/DFGSpeculativeJIT.cpp:
4232 (JSC::DFG::SpeculativeJIT::writeBarrier):
4233 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
4234 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
4235 (JSC::DFG::SpeculativeJIT::compare):
4236 * dfg/DFGSpeculativeJIT.h:
4237 (JSC::DFG::SpeculativeJIT::callOperation):
4238 * dfg/DFGSpeculativeJIT32_64.cpp:
4239 (JSC::DFG::SpeculativeJIT::cachedPutById):
4240 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4241 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4242 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4243 (JSC::DFG::SpeculativeJIT::compile):
4244 * dfg/DFGSpeculativeJIT64.cpp:
4245 (JSC::DFG::SpeculativeJIT::cachedPutById):
4246 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4247 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4248 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4249 (JSC::DFG::SpeculativeJIT::compile):
4250 * dfg/DFGThunks.cpp:
4251 (JSC::DFG::emitPointerValidation):
4252 (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
4253 (JSC::DFG::slowPathFor):
4254 (JSC::DFG::linkForThunkGenerator):
4255 (JSC::DFG::linkCallThunkGenerator):
4256 (JSC::DFG::linkConstructThunkGenerator):
4257 (JSC::DFG::linkClosureCallThunkGenerator):
4258 (JSC::DFG::virtualForThunkGenerator):
4259 (JSC::DFG::virtualCallThunkGenerator):
4260 (JSC::DFG::virtualConstructThunkGenerator):
4261 * dfg/DFGThunks.h:
4262 * ftl/FTLIntrinsicRepository.h:
4263 * ftl/FTLLowerDFGToLLVM.cpp:
4264 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
4265 * ftl/FTLOSRExitCompiler.h:
4266 * jit/AssemblyHelpers.h:
4267 * jit/JIT.cpp:
4268 (JSC::JIT::linkFor):
4269 (JSC::JIT::linkSlowCall):
4270 * jit/JITCall.cpp:
4271 (JSC::JIT::compileCallEvalSlowCase):
4272 (JSC::JIT::compileOpCallSlowCase):
4273 (JSC::JIT::privateCompileClosureCall):
4274 * jit/JITCall32_64.cpp:
4275 (JSC::JIT::compileCallEvalSlowCase):
4276 (JSC::JIT::compileOpCallSlowCase):
4277 (JSC::JIT::privateCompileClosureCall):
4278 * jit/JITOperationWrappers.h: Removed.
4279 * jit/JITOperations.cpp: Removed.
4280 * jit/JITOperations.h: Removed.
4281 * jit/RegisterSet.h: Removed.
4282 * jit/Repatch.cpp: Removed.
4283 * jit/Repatch.h: Removed.
4284 * jit/ScratchRegisterAllocator.h: Removed.
4285 * jit/ThunkGenerators.cpp:
4286 (JSC::generateSlowCaseFor):
4287 (JSC::linkForGenerator):
4288 (JSC::linkCallGenerator):
4289 (JSC::linkConstructGenerator):
4290 (JSC::linkClosureCallGenerator):
4291 (JSC::virtualForGenerator):
4292 (JSC::virtualCallGenerator):
4293 (JSC::virtualConstructGenerator):
4294 * jit/ThunkGenerators.h:
4295
4296 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4297
4298 Move DFG inline caching logic into jit/
4299 https://bugs.webkit.org/show_bug.cgi?id=121749
4300
4301 Rubber stamped by Sam Weinig.
4302
4303 We want to get rid of the baseline JIT's inline caching machinery and have it use the
4304 DFG's instead. But before we do that we need to move the DFG's inline caching machinery
4305 out from behind its ENABLE(DFG_JIT) guards and make it available to the whole system.
4306 This patch does that:
4307
4308 - dfg/DFGRepatch becomes jit/Repatch.
4309
4310 - The thunks used by the DFG IC go into jit/ThunkGenerators, instead of dfg/DFGThunks.
4311
4312 - The operations used by the DFG IC go into jit/JITOperations, instead of
4313 dfg/DFGOperations.
4314
4315 - The old JIT's thunk generators for calls are renamed to reduce confusion. Previously
4316 it was easy to know which generators belong to which JIT because the old JIT used
4317 JSC::virtualCallBlah and the DFG used JSC::DFG::virtualCallBlah, but that's not the
4318 case anymore. Note that the old JIT's thunk generators will die in a future patch.
4319
4320 No functional changes beyond those moves.
4321
4322 * CMakeLists.txt:
4323 * GNUmakefile.list.am:
4324 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4325 * JavaScriptCore.xcodeproj/project.pbxproj:
4326 * Target.pri:
4327 * bytecode/CallLinkInfo.cpp:
4328 (JSC::CallLinkInfo::unlink):
4329 * bytecode/CodeBlock.cpp:
4330 (JSC::CodeBlock::resetStubInternal):
4331 * bytecode/StructureStubInfo.h:
4332 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
4333 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
4334 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
4335 * dfg/DFGJITCompiler.h:
4336 * dfg/DFGOSRExitCompiler.h:
4337 * dfg/DFGOperations.cpp:
4338 (JSC::DFG::operationPutByValInternal):
4339 * dfg/DFGOperations.h:
4340 (JSC::DFG::operationNewTypedArrayWithSizeForType):
4341 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
4342 * dfg/DFGRegisterSet.h: Removed.
4343 * dfg/DFGRepatch.cpp: Removed.
4344 * dfg/DFGRepatch.h: Removed.
4345 * dfg/DFGScratchRegisterAllocator.h: Removed.
4346 * dfg/DFGSpeculativeJIT.cpp:
4347 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
4348 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
4349 (JSC::DFG::SpeculativeJIT::compare):
4350 * dfg/DFGSpeculativeJIT.h:
4351 (JSC::DFG::SpeculativeJIT::callOperation):
4352 * dfg/DFGSpeculativeJIT32_64.cpp:
4353 (JSC::DFG::SpeculativeJIT::cachedPutById):
4354 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4355 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4356 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4357 (JSC::DFG::SpeculativeJIT::compile):
4358 * dfg/DFGSpeculativeJIT64.cpp:
4359 (JSC::DFG::SpeculativeJIT::cachedPutById):
4360 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4361 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4362 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4363 (JSC::DFG::SpeculativeJIT::compile):
4364 * dfg/DFGThunks.cpp:
4365 * dfg/DFGThunks.h:
4366 * ftl/FTLIntrinsicRepository.h:
4367 * ftl/FTLLowerDFGToLLVM.cpp:
4368 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
4369 * jit/AssemblyHelpers.h:
4370 (JSC::AssemblyHelpers::writeBarrier):
4371 * jit/JIT.cpp:
4372 (JSC::JIT::linkFor):
4373 (JSC::JIT::linkSlowCall):
4374 * jit/JITCall.cpp:
4375 (JSC::JIT::compileCallEval):
4376 (JSC::JIT::compileCallEvalSlowCase):
4377 (JSC::JIT::compileOpCallSlowCase):
4378 (JSC::JIT::privateCompileClosureCall):
4379 * jit/JITCall32_64.cpp:
4380 (JSC::JIT::compileCallEvalSlowCase):
4381 (JSC::JIT::compileOpCallSlowCase):
4382 (JSC::JIT::privateCompileClosureCall):
4383 * jit/JITOperationWrappers.h: Added.
4384 * jit/JITOperations.cpp: Added.
4385 * jit/JITOperations.h: Added.
4386 * jit/RegisterSet.h: Added.
4387 (JSC::RegisterSet::RegisterSet):
4388 (JSC::RegisterSet::asPOD):
4389 (JSC::RegisterSet::copyInfo):
4390 (JSC::RegisterSet::set):
4391 (JSC::RegisterSet::setGPRByIndex):
4392 (JSC::RegisterSet::clear):
4393 (JSC::RegisterSet::get):
4394 (JSC::RegisterSet::getGPRByIndex):
4395 (JSC::RegisterSet::getFreeGPR):
4396 (JSC::RegisterSet::setFPRByIndex):
4397 (JSC::RegisterSet::getFPRByIndex):
4398 (JSC::RegisterSet::setByIndex):
4399 (JSC::RegisterSet::getByIndex):
4400 (JSC::RegisterSet::numberOfSetGPRs):
4401 (JSC::RegisterSet::numberOfSetFPRs):
4402 (JSC::RegisterSet::numberOfSetRegisters):
4403 (JSC::RegisterSet::setBit):
4404 (JSC::RegisterSet::clearBit):
4405 (JSC::RegisterSet::getBit):
4406 * jit/Repatch.cpp: Added.
4407 (JSC::repatchCall):
4408 (JSC::repatchByIdSelfAccess):
4409 (JSC::addStructureTransitionCheck):
4410 (JSC::replaceWithJump):
4411 (JSC::emitRestoreScratch):
4412 (JSC::linkRestoreScratch):
4413 (JSC::generateProtoChainAccessStub):
4414 (JSC::tryCacheGetByID):
4415 (JSC::repatchGetByID):
4416 (JSC::getPolymorphicStructureList):
4417 (JSC::patchJumpToGetByIdStub):
4418 (JSC::tryBuildGetByIDList):
4419 (JSC::buildGetByIDList):
4420 (JSC::appropriateGenericPutByIdFunction):
4421 (JSC::appropriateListBuildingPutByIdFunction):
4422 (JSC::emitPutReplaceStub):
4423 (JSC::emitPutTransitionStub):
4424 (JSC::tryCachePutByID):
4425 (JSC::repatchPutByID):
4426 (JSC::tryBuildPutByIdList):
4427 (JSC::buildPutByIdList):
4428 (JSC::tryRepatchIn):
4429 (JSC::repatchIn):
4430 (JSC::linkSlowFor):
4431 (JSC::linkFor):
4432 (JSC::linkClosureCall):
4433 (JSC::resetGetByID):
4434 (JSC::resetPutByID):
4435 (JSC::resetIn):
4436 * jit/Repatch.h: Added.
4437 (JSC::resetGetByID):
4438 (JSC::resetPutByID):
4439 (JSC::resetIn):
4440 * jit/ScratchRegisterAllocator.h: Added.
4441 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
4442 (JSC::ScratchRegisterAllocator::lock):
4443 (JSC::ScratchRegisterAllocator::allocateScratch):
4444 (JSC::ScratchRegisterAllocator::allocateScratchGPR):
4445 (JSC::ScratchRegisterAllocator::allocateScratchFPR):
4446 (JSC::ScratchRegisterAllocator::didReuseRegisters):
4447 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
4448 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
4449 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
4450 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
4451 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
4452 * jit/ThunkGenerators.cpp:
4453 (JSC::oldStyleGenerateSlowCaseFor):
4454 (JSC::oldStyleLinkForGenerator):
4455 (JSC::oldStyleLinkCallGenerator):
4456 (JSC::oldStyleLinkConstructGenerator):
4457 (JSC::oldStyleLinkClosureCallGenerator):
4458 (JSC::oldStyleVirtualForGenerator):
4459 (JSC::oldStyleVirtualCallGenerator):
4460 (JSC::oldStyleVirtualConstructGenerator):
4461 (JSC::emitPointerValidation):
4462 (JSC::throwExceptionFromCallSlowPathGenerator):
4463 (JSC::slowPathFor):
4464 (JSC::linkForThunkGenerator):
4465 (JSC::linkCallThunkGenerator):
4466 (JSC::linkConstructThunkGenerator):
4467 (JSC::linkClosureCallThunkGenerator):
4468 (JSC::virtualForThunkGenerator):
4469 (JSC::virtualCallThunkGenerator):
4470 (JSC::virtualConstructThunkGenerator):
4471 * jit/ThunkGenerators.h:
4472
4473 2013-09-21 Anders Carlsson <andersca@apple.com>
4474
4475 Fix the non-DFG build.
4476
4477 * interpreter/Interpreter.cpp:
4478 (JSC::unwindCallFrame):
4479 * interpreter/StackVisitor.cpp:
4480 (JSC::StackVisitor::Frame::r):
4481
4482 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4483
4484 Get rid of IsInlinedCodeTag and its associated methods since it's unused
4485 https://bugs.webkit.org/show_bug.cgi?id=121737
4486
4487 Reviewed by Sam Weinig.
4488
4489 This was meant to be easy, but I kept wondering if it was safe to remove the
4490 inline call frame check in Arguments::tearOff(). The check was clearly dead
4491 since the bit wasn't being set anywhere.
4492
4493 It turns out that the unwindCallFrame() function was relying on tearOff()
4494 doing the right thing for inlined code, but it wasn't even passing it an
4495 inline call frame. I fixed this by having unwindCallFrame() perform the inlining check,
4496 while also making sure that the code uses the right operand index for the
4497 arguments register.
4498
4499 * interpreter/CallFrame.h:
4500 * interpreter/CallFrameInlines.h:
4501 * interpreter/Interpreter.cpp:
4502 (JSC::unwindCallFrame):
4503 * interpreter/StackVisitor.cpp:
4504 (JSC::StackVisitor::Frame::r):
4505 * interpreter/StackVisitor.h:
4506 * runtime/Arguments.cpp:
4507 (JSC::Arguments::tearOff):
4508
4509 2013-09-20 Mark Hahnenberg <mhahnenberg@apple.com>
4510
4511 (un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole
4512 https://bugs.webkit.org/show_bug.cgi?id=121717
4513
4514 Reviewed by Oliver Hunt.
4515
4516 This bug caused the array to become corrupted. We now check for holes before we start moving things,
4517 and start moving things only once we've determined that there are none.
4518
4519 * runtime/JSArray.cpp:
4520 (JSC::JSArray::shiftCountWithAnyIndexingType):
4521 (JSC::JSArray::unshiftCountWithAnyIndexingType):
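
The failure mode described in this entry, as an added illustration (not JavaScriptCore code): a contiguous array is modelled as a vector of optional ints, with nullopt standing for a hole, and the names shiftCountBuggy / shiftCountFixed / unshiftCountFixed are hypothetical stand-ins for the JSArray fast paths. The buggy shape checks for holes while it is already moving elements, so bailing out to the generic path leaves a half-shifted array behind; the fixed shape makes the hole check a read-only pass that runs before anything is written.

```cpp
#include <cassert>
#include <cstddef>
#include <optional>
#include <vector>

// Added illustration of WebKit bug 121717, not JavaScriptCore code. A contiguous
// array butterfly is modelled as a vector of optional ints; nullopt is a hole
// (an index with no stored value). Real JSC stores JSValues in a Butterfly.
using Slot = std::optional<int>;
using Storage = std::vector<Slot>;

// Buggy shape: scan and move in one loop. Seeing a hole returns false to request
// the generic path, but every element already copied stays copied, so the generic
// path then operates on a half-shifted array (a value lost, another duplicated).
bool shiftCountBuggy(Storage& storage, std::size_t startIndex, std::size_t count)
{
    const std::size_t oldLength = storage.size();
    if (startIndex + count > oldLength)
        return false;
    for (std::size_t i = startIndex; i < oldLength - count; ++i) {
        if (!storage[i + count])
            return false;                 // bail out mid-copy: storage is now corrupted
        storage[i] = storage[i + count];
    }
    storage.resize(oldLength - count);
    return true;
}

// Fixed shape: one read-only pass establishes the precondition (no holes in the
// range that will be moved), and only then does the move begin. The fast path is
// all-or-nothing: either it completes or the storage is left exactly as found.
bool shiftCountFixed(Storage& storage, std::size_t startIndex, std::size_t count)
{
    const std::size_t oldLength = storage.size();
    if (startIndex + count > oldLength)
        return false;
    for (std::size_t i = startIndex; i < oldLength - count; ++i) {
        if (!storage[i + count])
            return false;                 // nothing has been written yet
    }
    for (std::size_t i = startIndex; i < oldLength - count; ++i)
        storage[i] = storage[i + count];
    storage.resize(oldLength - count);
    return true;
}

// Mirror case for unshift: open `count` empty slots at startIndex by moving the
// tail upward. Moving upward must iterate from the end, and the same
// check-before-write discipline applies.
bool unshiftCountFixed(Storage& storage, std::size_t startIndex, std::size_t count)
{
    const std::size_t oldLength = storage.size();
    if (startIndex > oldLength)
        return false;
    for (std::size_t i = startIndex; i < oldLength; ++i) {
        if (!storage[i])
            return false;
    }
    storage.resize(oldLength + count);
    for (std::size_t i = oldLength; i > startIndex; --i)
        storage[i - 1 + count] = storage[i - 1];
    for (std::size_t i = startIndex; i < startIndex + count; ++i)
        storage[i] = std::nullopt;        // the caller fills the new slots
    return true;
}

// Constructed sample: [0, 1, 2, <hole>, 4, 5].
Storage sampleWithHole()
{
    return { 0, 1, 2, std::nullopt, 4, 5 };
}

// Returns true when a fast path that gives up on the hole leaves the storage
// exactly as it found it. With the buggy shape this is false: after shifting one
// element at index 0, the array reads [1, 2, 2, <hole>, 4, 5].
bool failedShiftLeavesStorageIntact(bool (*shiftCount)(Storage&, std::size_t, std::size_t))
{
    Storage storage = sampleWithHole();
    const Storage before = storage;
    const bool ok = shiftCount(storage, 0, 1);
    return !ok && storage == before;
}

// Hole-free happy paths: shift 2 at index 1 of [0,1,2,3] gives [0,3];
// unshift 2 at index 1 of [0,1,2] gives [0,<hole>,<hole>,1,2].
bool shiftWithoutHolesWorks()
{
    Storage storage { 0, 1, 2, 3 };
    return shiftCountFixed(storage, 1, 2) && storage == Storage { 0, 3 };
}

bool unshiftWithoutHolesWorks()
{
    Storage storage { 0, 1, 2 };
    return unshiftCountFixed(storage, 1, 2)
        && storage == Storage { 0, std::nullopt, std::nullopt, 1, 2 };
}

int main()
{
    assert(!failedShiftLeavesStorageIntact(shiftCountBuggy));
    assert(failedShiftLeavesStorageIntact(shiftCountFixed));
    assert(shiftWithoutHolesWorks());
    assert(unshiftWithoutHolesWorks());
    return 0;
}
```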
4522
4523 2013-09-20 Filip Pizlo <fpizlo@apple.com>
4524
4525 REGRESSION(r156047): WebCore hangs inside JSC::toInt32(double)
4526 https://bugs.webkit.org/show_bug.cgi?id=121648
4527
4528 Reviewed by Mark Hahnenberg.
4529
4530 The Int52<->StrictInt52 conversion did the opposite fill() than what it was
4531 supposed to. For example when converting an Int52 to a StrictInt52 it would fill
4532 as Int52, and vice-versa.
4533
4534 * dfg/DFGSpeculativeJIT64.cpp:
4535 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
4536
4537 2013-09-20 Oliver Hunt <oliver@apple.com>
4538
4539 REGRESSION(r153215): New iCloud site crashes
4540 https://bugs.webkit.org/show_bug.cgi?id=121710
4541
4542 Reviewed by Filip Pizlo.
4543
4544 Don't claim to be able to rely on the arguments structure; use the Arguments
4545 speculation type.
4546
4547 * dfg/DFGAbstractInterpreterInlines.h:
4548 (JSC::DFG::::executeEffects):
4549
4550 2013-09-20 Mark Hahnenberg <mhahnenberg@apple.com>
4551
4552 Clobberize phase forgets to indicate that it writes GCState for several node types
4553 https://bugs.webkit.org/show_bug.cgi?id=121702
4554
4555 Reviewed by Oliver Hunt.
4556
4557 Added read and write for GCState to the nodes that could end up allocating (and thereby
4558 cause a garbage collection).
4559
4560 * dfg/DFGClobberize.h:
4561 (JSC::DFG::clobberize):
4562
4563 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4564
4565 Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them
4566 https://bugs.webkit.org/show_bug.cgi?id=121637
4567
4568 Rubber stamped by Michael Saboff.
4569
4570 Also moved GPRInfo/FPRInfo into jit/. Rolling back in after fixing JIT-only build
4571 and tests.
4572
4573 * CMakeLists.txt:
4574 * GNUmakefile.list.am:
4575 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4576 * JavaScriptCore.xcodeproj/project.pbxproj:
4577 * Target.pri:
4578 * bytecode/ValueRecovery.h:
4579 (JSC::ValueRecovery::dumpInContext):
4580 * dfg/DFGAssemblyHelpers.cpp: Removed.
4581 * dfg/DFGAssemblyHelpers.h: Removed.
4582 * dfg/DFGBinarySwitch.h:
4583 * dfg/DFGByteCodeParser.cpp:
4584 * dfg/DFGCCallHelpers.h: Removed.
4585 * dfg/DFGDisassembler.cpp:
4586 * dfg/DFGFPRInfo.h: Removed.
4587 * dfg/DFGGPRInfo.h: Removed.
4588 * dfg/DFGGraph.cpp:
4589 * dfg/DFGGraph.h:
4590 * dfg/DFGJITCompiler.h:
4591 * dfg/DFGOSRExit.cpp:
4592 * dfg/DFGOSRExit.h:
4593 * dfg/DFGOSRExitCompiler.h:
4594 * dfg/DFGOSRExitCompilerCommon.h:
4595 * dfg/DFGRegisterBank.h:
4596 * dfg/DFGRegisterSet.h:
4597 * dfg/DFGRepatch.cpp:
4598 * dfg/DFGSilentRegisterSavePlan.h:
4599 * dfg/DFGThunks.cpp:
4600 * dfg/DFGVariableEvent.cpp:
4601 * ftl/FTLCArgumentGetter.h:
4602 (JSC::FTL::CArgumentGetter::CArgumentGetter):
4603 (JSC::FTL::CArgumentGetter::loadNext8):
4604 (JSC::FTL::CArgumentGetter::loadNext32):
4605 (JSC::FTL::CArgumentGetter::loadNext64):
4606 (JSC::FTL::CArgumentGetter::loadNextPtr):
4607 (JSC::FTL::CArgumentGetter::loadNextDouble):
4608 * ftl/FTLCompile.cpp:
4609 * ftl/FTLExitThunkGenerator.h:
4610 * ftl/FTLLink.cpp:
4611 * ftl/FTLThunks.cpp:
4612 * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
4613 * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
4614 (JSC::AssemblyHelpers::AssemblyHelpers):
4615 (JSC::AssemblyHelpers::debugCall):
4616 * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
4617 * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
4618 (WTF::printInternal):
4619 * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
4620 (WTF::printInternal):
4621 * jit/JIT.cpp:
4622 (JSC::JIT::JIT):
4623 * jit/JIT.h:
4624 * jit/JITPropertyAccess.cpp:
4625 (JSC::JIT::stringGetByValStubGenerator):
4626 * jit/JITPropertyAccess32_64.cpp:
4627 (JSC::JIT::stringGetByValStubGenerator):
4628 * jit/JSInterfaceJIT.h:
4629 (JSC::JSInterfaceJIT::JSInterfaceJIT):
4630 * jit/SpecializedThunkJIT.h:
4631 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
4632 (JSC::SpecializedThunkJIT::finalize):
4633 * jit/ThunkGenerators.cpp:
4634 (JSC::linkForGenerator):
4635 (JSC::virtualForGenerator):
4636 (JSC::stringLengthTrampolineGenerator):
4637 (JSC::nativeForGenerator):
4638 (JSC::arityFixup):
4639 (JSC::charCodeAtThunkGenerator):
4640 (JSC::charAtThunkGenerator):
4641 (JSC::fromCharCodeThunkGenerator):
4642 (JSC::sqrtThunkGenerator):
4643 (JSC::floorThunkGenerator):
4644 (JSC::ceilThunkGenerator):
4645 (JSC::roundThunkGenerator):
4646 (JSC::expThunkGenerator):
4647 (JSC::logThunkGenerator):
4648 (JSC::absThunkGenerator):
4649 (JSC::powThunkGenerator):
4650 (JSC::imulThunkGenerator):
4651 * llint/LLIntThunks.cpp:
4652 (JSC::LLInt::generateThunkWithJumpTo):
4653 * runtime/JSCJSValue.h:
4654
4655 2013-09-20 Allan Sandfeld Jensen <allan.jensen@digia.com>
4656
4657 Inline method exported
4658 https://bugs.webkit.org/show_bug.cgi?id=121664
4659
4660 Reviewed by Darin Adler.
4661
4662 WatchDog::didFire() is marked as an exported symbol even though it is
4663 defined inline. This breaks the build on MinGW since it results in dllimport
4664 being declared on a definition.
4665
4666 * runtime/Watchdog.h:
4667 (JSC::Watchdog::didFire):
4668
4669 2013-09-20 Patrick Gansterer <paroga@webkit.org>
4670
4671 [CMake] Use COMPILE_DEFINITIONS target property for setting BUILDING_* defines
4672 https://bugs.webkit.org/show_bug.cgi?id=121672
4673
4674 Reviewed by Gyuyoung Kim.
4675
4676 Since the scope of add_definitions() is always a whole file, we need to use
4677 target properties instead to set definitions only for specific targets.
4678
4679 * CMakeLists.txt:
4680
4681 2013-09-19 Commit Queue <commit-queue@webkit.org>
4682
4683 Unreviewed, rolling out r156120.
4684 http://trac.webkit.org/changeset/156120
4685 https://bugs.webkit.org/show_bug.cgi?id=121651
4686
4687 Broke windows runtime and all tests (Requested by bfulgham on
4688 #webkit).
4689
4690 * CMakeLists.txt:
4691 * GNUmakefile.list.am:
4692 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4693 * JavaScriptCore.xcodeproj/project.pbxproj:
4694 * Target.pri:
4695 * bytecode/ValueRecovery.h:
4696 (JSC::ValueRecovery::dumpInContext):
4697 * dfg/DFGAssemblyHelpers.cpp: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.cpp.
4698 (JSC::DFG::AssemblyHelpers::executableFor):
4699 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
4700 (JSC::DFG::AssemblyHelpers::setSamplingFlag):
4701 (JSC::DFG::AssemblyHelpers::clearSamplingFlag):
4702 (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
4703 (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
4704 (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
4705 (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
4706 (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
4707 (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
4708 * dfg/DFGAssemblyHelpers.h: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.h.
4709 (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
4710 (JSC::DFG::AssemblyHelpers::codeBlock):
4711 (JSC::DFG::AssemblyHelpers::vm):
4712 (JSC::DFG::AssemblyHelpers::assembler):
4713 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
4714 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
4715 (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
4716 (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
4717 (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
4718 (JSC::DFG::AssemblyHelpers::branchIfNotCell):
4719 (JSC::DFG::AssemblyHelpers::addressFor):
4720 (JSC::DFG::AssemblyHelpers::tagFor):
4721 (JSC::DFG::AssemblyHelpers::payloadFor):
4722 (JSC::DFG::AssemblyHelpers::branchIfNotObject):
4723 (JSC::DFG::AssemblyHelpers::selectScratchGPR):
4724 (JSC::DFG::AssemblyHelpers::debugCall):
4725 (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
4726 (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
4727 (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
4728 (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
4729 (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
4730 (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
4731 (JSC::DFG::AssemblyHelpers::boxDouble):
4732 (JSC::DFG::AssemblyHelpers::unboxDouble):
4733 (JSC::DFG::AssemblyHelpers::boxInt52):
4734 (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
4735 (JSC::DFG::AssemblyHelpers::emitCount):
4736 (JSC::DFG::AssemblyHelpers::globalObjectFor):
4737 (JSC::DFG::AssemblyHelpers::strictModeFor):
4738 (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
4739 (JSC::DFG::AssemblyHelpers::baselineCodeBlock):
4740 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
4741 (JSC::DFG::AssemblyHelpers::symbolTableFor):
4742 (JSC::DFG::AssemblyHelpers::offsetOfLocals):
4743 (JSC::DFG::AssemblyHelpers::offsetOfArgumentsIncludingThis):
4744 * dfg/DFGBinarySwitch.h:
4745 * dfg/DFGByteCodeParser.cpp:
4746 * dfg/DFGCCallHelpers.h: Renamed from Source/JavaScriptCore/jit/CCallHelpers.h.
4747 (JSC::DFG::CCallHelpers::CCallHelpers):
4748 (JSC::DFG::CCallHelpers::resetCallArguments):
4749 (JSC::DFG::CCallHelpers::addCallArgument):
4750 (JSC::DFG::CCallHelpers::setupArguments):
4751 (JSC::DFG::CCallHelpers::setupArgumentsExecState):
4752 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
4753 (JSC::DFG::CCallHelpers::setupTwoStubArgs):
4754 (JSC::DFG::CCallHelpers::setupStubArguments):
4755 (JSC::DFG::CCallHelpers::setupResults):
4756 * dfg/DFGDisassembler.cpp:
4757 * dfg/DFGFPRInfo.h: Renamed from Source/JavaScriptCore/jit/FPRInfo.h.
4758 (JSC::DFG::FPRInfo::toRegister):
4759 (JSC::DFG::FPRInfo::toIndex):
4760 (JSC::DFG::FPRInfo::toArgumentRegister):
4761 (JSC::DFG::FPRInfo::debugName):
4762 * dfg/DFGGPRInfo.h: Renamed from Source/JavaScriptCore/jit/GPRInfo.h.
4763 (JSC::DFG::JSValueRegs::JSValueRegs):
4764 (JSC::DFG::JSValueRegs::payloadOnly):
4765 (JSC::DFG::JSValueRegs::operator!):
4766 (JSC::DFG::JSValueRegs::gpr):
4767 (JSC::DFG::JSValueRegs::payloadGPR):
4768 (JSC::DFG::JSValueSource::JSValueSource):
4769 (JSC::DFG::JSValueSource::unboxedCell):
4770 (JSC::DFG::JSValueSource::operator!):
4771 (JSC::DFG::JSValueSource::isAddress):
4772 (JSC::DFG::JSValueSource::offset):
4773 (JSC::DFG::JSValueSource::base):
4774 (JSC::DFG::JSValueSource::gpr):
4775 (JSC::DFG::JSValueSource::asAddress):
4776 (JSC::DFG::JSValueSource::notAddress):
4777 (JSC::DFG::JSValueRegs::tagGPR):
4778 (JSC::DFG::JSValueSource::tagGPR):
4779 (JSC::DFG::JSValueSource::payloadGPR):
4780 (JSC::DFG::JSValueSource::hasKnownTag):
4781 (JSC::DFG::JSValueSource::tag):
4782 (JSC::DFG::GPRInfo::toRegister):
4783 (JSC::DFG::GPRInfo::toIndex):
4784 (JSC::DFG::GPRInfo::debugName):
4785 (JSC::DFG::GPRInfo::toArgumentRegister):
4786 * dfg/DFGGraph.cpp:
4787 * dfg/DFGGraph.h:
4788 * dfg/DFGJITCompiler.h:
4789 * dfg/DFGOSRExit.cpp:
4790 * dfg/DFGOSRExit.h:
4791 * dfg/DFGOSRExitCompiler.h:
4792 * dfg/DFGOSRExitCompilerCommon.h:
4793 * dfg/DFGRegisterBank.h:
4794 * dfg/DFGRegisterSet.h:
4795 * dfg/DFGRepatch.cpp:
4796 * dfg/DFGSilentRegisterSavePlan.h:
4797 * dfg/DFGThunks.cpp:
4798 * dfg/DFGVariableEvent.cpp:
4799 * ftl/FTLCArgumentGetter.h:
4800 (JSC::FTL::CArgumentGetter::CArgumentGetter):
4801 (JSC::FTL::CArgumentGetter::loadNext8):
4802 (JSC::FTL::CArgumentGetter::loadNext32):
4803 (JSC::FTL::CArgumentGetter::loadNext64):
4804 (JSC::FTL::CArgumentGetter::loadNextPtr):
4805 (JSC::FTL::CArgumentGetter::loadNextDouble):
4806 * ftl/FTLCompile.cpp:
4807 * ftl/FTLExitThunkGenerator.h:
4808 * ftl/FTLLink.cpp:
4809 * ftl/FTLThunks.cpp:
4810 * jit/JIT.cpp:
4811 (JSC::JIT::JIT):
4812 * jit/JIT.h:
4813 * jit/JITPropertyAccess.cpp:
4814 (JSC::JIT::stringGetByValStubGenerator):
4815 * jit/JITPropertyAccess32_64.cpp:
4816 (JSC::JIT::stringGetByValStubGenerator):
4817 * jit/JSInterfaceJIT.h:
4818 (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall):
4819 (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn):
4820 * jit/SpecializedThunkJIT.h:
4821 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
4822 (JSC::SpecializedThunkJIT::finalize):
4823 * jit/ThunkGenerators.cpp:
4824 (JSC::linkForGenerator):
4825 (JSC::virtualForGenerator):
4826 (JSC::stringLengthTrampolineGenerator):
4827 (JSC::nativeForGenerator):
4828 (JSC::arityFixup):
4829 (JSC::charCodeAtThunkGenerator):
4830 (JSC::charAtThunkGenerator):
4831 (JSC::fromCharCodeThunkGenerator):
4832 (JSC::sqrtThunkGenerator):
4833 (JSC::floorThunkGenerator):
4834 (JSC::ceilThunkGenerator):
4835 (JSC::roundThunkGenerator):
4836 (JSC::expThunkGenerator):
4837 (JSC::logThunkGenerator):
4838 (JSC::absThunkGenerator):
4839 (JSC::powThunkGenerator):
4840 (JSC::imulThunkGenerator):
4841 * llint/LLIntThunks.cpp:
4842 (JSC::LLInt::generateThunkWithJumpTo):
4843 * runtime/JSCJSValue.h:
4844
4845 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4846
4847 Unreviewed, fix Windows build part 2. m_jitCodeMap should always be there.
4848
4849 * bytecode/CodeBlock.h:
4850 (JSC::CodeBlock::jitCodeMap):
4851
4852 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4853
4854 Remove some of the tautologies in DFGRepatch function naming.
4855
4856 Rubber stamped by Mark Hahnenberg.
4857
4858 For example change DFG::dfgLinkFor() to be DFG::linkFor().
4859
4860 * bytecode/CodeBlock.cpp:
4861 (JSC::CodeBlock::resetStubInternal):
4862 * dfg/DFGOperations.cpp:
4863 * dfg/DFGRepatch.cpp:
4864 (JSC::DFG::repatchCall):
4865 (JSC::DFG::repatchByIdSelfAccess):
4866 (JSC::DFG::tryCacheGetByID):
4867 (JSC::DFG::repatchGetByID):
4868 (JSC::DFG::buildGetByIDList):
4869 (JSC::DFG::tryCachePutByID):
4870 (JSC::DFG::repatchPutByID):
4871 (JSC::DFG::buildPutByIdList):
4872 (JSC::DFG::repatchIn):
4873 (JSC::DFG::linkFor):
4874 (JSC::DFG::linkSlowFor):
4875 (JSC::DFG::linkClosureCall):
4876 (JSC::DFG::resetGetByID):
4877 (JSC::DFG::resetPutByID):
4878 (JSC::DFG::resetIn):
4879 * dfg/DFGRepatch.h:
4880 (JSC::DFG::resetGetByID):
4881 (JSC::DFG::resetPutByID):
4882 (JSC::DFG::resetIn):
4883
4884 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4885
4886 Unreviewed, fix Windows build. ScratchBuffer should always be available regardless of
4887 ENABLE_DFG_JIT.
4888
4889 * runtime/VM.h:
4890
4891 2013-09-19 Daniel Bates <dabates@apple.com>
4892
4893 [iOS] Add more iOS logic to the JavaScriptCore build configuration files
4894 https://bugs.webkit.org/show_bug.cgi?id=121635
4895
4896 Reviewed by Geoffrey Garen.
4897
4898 Towards building JavaScriptCore for both OS X and iOS using the same
4899 set of configuration files, add more iOS logic.
4900
4901 * Configurations/Base.xcconfig:
4902 * Configurations/JSC.xcconfig:
4903 * Configurations/JavaScriptCore.xcconfig:
4904 * Configurations/ToolExecutable.xcconfig:
4905
4906 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4907
4908 Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them
4909 https://bugs.webkit.org/show_bug.cgi?id=121637
4910
4911 Rubber stamped by Michael Saboff.
4912
4913 Also moved GPRInfo/FPRInfo into jit/.
4914
4915 * CMakeLists.txt:
4916 * GNUmakefile.list.am:
4917 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4918 * JavaScriptCore.xcodeproj/project.pbxproj:
4919 * Target.pri:
4920 * bytecode/ValueRecovery.h:
4921 (JSC::ValueRecovery::dumpInContext):
4922 * dfg/DFGAssemblyHelpers.cpp: Removed.
4923 * dfg/DFGAssemblyHelpers.h: Removed.
4924 * dfg/DFGBinarySwitch.h:
4925 * dfg/DFGByteCodeParser.cpp:
4926 * dfg/DFGCCallHelpers.h: Removed.
4927 * dfg/DFGDisassembler.cpp:
4928 * dfg/DFGFPRInfo.h: Removed.
4929 * dfg/DFGGPRInfo.h: Removed.
4930 * dfg/DFGGraph.cpp:
4931 * dfg/DFGGraph.h:
4932 * dfg/DFGJITCompiler.h:
4933 * dfg/DFGOSRExit.cpp:
4934 * dfg/DFGOSRExit.h:
4935 * dfg/DFGOSRExitCompiler.h:
4936 * dfg/DFGOSRExitCompilerCommon.h:
4937 * dfg/DFGRegisterBank.h:
4938 * dfg/DFGRegisterSet.h:
4939 * dfg/DFGRepatch.cpp:
4940 * dfg/DFGSilentRegisterSavePlan.h:
4941 * dfg/DFGThunks.cpp:
4942 * dfg/DFGVariableEvent.cpp:
4943 * ftl/FTLCArgumentGetter.h:
4944 (JSC::FTL::CArgumentGetter::CArgumentGetter):
4945 (JSC::FTL::CArgumentGetter::loadNext8):
4946 (JSC::FTL::CArgumentGetter::loadNext32):
4947 (JSC::FTL::CArgumentGetter::loadNext64):
4948 (JSC::FTL::CArgumentGetter::loadNextPtr):
4949 (JSC::FTL::CArgumentGetter::loadNextDouble):
4950 * ftl/FTLCompile.cpp:
4951 * ftl/FTLExitThunkGenerator.h:
4952 * ftl/FTLLink.cpp:
4953 * ftl/FTLThunks.cpp:
4954 * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
4955 * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
4956 (JSC::AssemblyHelpers::AssemblyHelpers):
4957 (JSC::AssemblyHelpers::debugCall):
4958 * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
4959 * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
4960 (WTF::printInternal):
4961 * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
4962 (WTF::printInternal):
4963 * jit/JIT.cpp:
4964 (JSC::JIT::JIT):
4965 * jit/JIT.h:
4966 * jit/JITPropertyAccess.cpp:
4967 (JSC::JIT::stringGetByValStubGenerator):
4968 * jit/JITPropertyAccess32_64.cpp:
4969 (JSC::JIT::stringGetByValStubGenerator):
4970 * jit/JSInterfaceJIT.h:
4971 (JSC::JSInterfaceJIT::JSInterfaceJIT):
4972 * jit/SpecializedThunkJIT.h:
4973 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
4974 (JSC::SpecializedThunkJIT::finalize):
4975 * jit/ThunkGenerators.cpp:
4976 (JSC::linkForGenerator):
4977 (JSC::virtualForGenerator):
4978 (JSC::stringLengthTrampolineGenerator):
4979 (JSC::nativeForGenerator):
4980 (JSC::arityFixup):
4981 (JSC::charCodeAtThunkGenerator):
4982 (JSC::charAtThunkGenerator):
4983 (JSC::fromCharCodeThunkGenerator):
4984 (JSC::sqrtThunkGenerator):
4985 (JSC::floorThunkGenerator):
4986 (JSC::ceilThunkGenerator):
4987 (JSC::roundThunkGenerator):
4988 (JSC::expThunkGenerator):
4989 (JSC::logThunkGenerator):
4990 (JSC::absThunkGenerator):
4991 (JSC::powThunkGenerator):
4992 (JSC::imulThunkGenerator):
4993 * llint/LLIntThunks.cpp:
4994 (JSC::LLInt::generateThunkWithJumpTo):
4995 * runtime/JSCJSValue.h:
4996
49972013-09-19 Daniel Bates <dabates@apple.com>
4998
4999 [iOS] Substitute UNREACHABLE_FOR_PLATFORM() for RELEASE_ASSERT_NOT_REACHED()
5000
5001 Rubber-stamped by Joseph Pecoraro.
5002
5003 Use UNREACHABLE_FOR_PLATFORM() instead of RELEASE_ASSERT_NOT_REACHED() in
5004 the non-x86/x86-64 variant of JIT::emitSlow_op_mod() so as to avoid a missing
5005 noreturn warning in Clang while simultaneously asserting unreachable code.
5006
5007 * jit/JITArithmetic.cpp:
5008 (JSC::JIT::emitSlow_op_mod):
5009
50102013-09-19 Michael Saboff <msaboff@apple.com>
5011
5012 JSC: X86 disassembler shows 16, 32 and 64 bit displacements as unsigned
5013 https://bugs.webkit.org/show_bug.cgi?id=121625
5014
5015 Rubber-stamped by Filip Pizlo.
5016
5017 Chenged 16, 32 and 64 bit offsets to be signed. Kept the original tab indented
5018 spacing to match the rest of the file.
5019
5020 * disassembler/udis86/udis86_syn-att.c:
5021 (gen_operand):
5022
50232013-09-19 Daniel Bates <dabates@apple.com>
5024
5025 Remove names of unused arguments from the non-x86/x86-64 function prototype
5026 for JIT::emitSlow_op_mod()
5027
5028 Rubber-stamped by Ryosuke Niwa.
5029
5030 * jit/JITArithmetic.cpp:
5031 (JSC::JIT::emitSlow_op_mod):
5032
50332013-09-18 Sam Weinig <sam@webkit.org>
5034
5035 Replace use of OwnArrayPtr<Foo> with std::unique_ptr<Foo[]> in JavaScriptCore
5036 https://bugs.webkit.org/show_bug.cgi?id=121583
5037
5038 Reviewed by Anders Carlsson.
5039
5040 * API/JSStringRefCF.cpp:
5041 (JSStringCreateWithCFString):
5042 * API/JSStringRefQt.cpp:
5043 * bytecompiler/BytecodeGenerator.cpp:
5044 (JSC::BytecodeGenerator::BytecodeGenerator):
5045 * dfg/DFGByteCodeParser.cpp:
5046 (JSC::DFG::ByteCodeParser::parseBlock):
5047 * dfg/DFGDisassembler.cpp:
5048 (JSC::DFG::Disassembler::dumpDisassembly):
5049 * runtime/Arguments.cpp:
5050 (JSC::Arguments::tearOff):
5051 * runtime/Arguments.h:
5052 (JSC::Arguments::isTornOff):
5053 (JSC::Arguments::allocateSlowArguments):
5054 * runtime/JSPropertyNameIterator.cpp:
5055 (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
5056 * runtime/JSPropertyNameIterator.h:
5057 * runtime/JSSegmentedVariableObject.h:
5058 * runtime/JSVariableObject.h:
5059 * runtime/PropertyNameArray.h:
5060 * runtime/RegExp.cpp:
5061 * runtime/StructureChain.h:
5062 (JSC::StructureChain::finishCreation):
5063 * runtime/SymbolTable.h:
5064 (JSC::SharedSymbolTable::setSlowArguments):
5065
50662013-09-18 Brent Fulgham <bfulgham@apple.com>
5067
5068 [Windows] Unreviewed build fix after r156064.
5069
5070 * jsc.cpp:
5071 (jscmain): Need a temporary to perform '&' in VS2010.
5072
50732013-09-18 Filip Pizlo <fpizlo@apple.com>
5074
5075 Give 'jsc' commandline an option to disable deleting the VM.
5076
5077 Reviewed by Mark Hahnenberg.
5078
5079 * jsc.cpp:
5080 (jscmain):
5081 * runtime/Options.h:
5082
50832013-09-18 Anders Carlsson <andersca@apple.com>
5084
5085 RefPtrHashMap should work with move only types
5086 https://bugs.webkit.org/show_bug.cgi?id=121564
5087
5088 Reviewed by Andreas Kling.
5089
5090 * runtime/VM.cpp:
5091 (JSC::VM::addSourceProviderCache):
5092
50932013-09-17 Mark Hahnenberg <mhahnenberg@apple.com>
5094
5095 Rename OperationInProgress to HeapOperation and move it out of Heap.h into its own header
5096 https://bugs.webkit.org/show_bug.cgi?id=121534
5097
5098 Reviewed by Geoffrey Garen.
5099
5100 OperationInProgress is a silly name.
5101
5102 Many parts of the Heap would like to know what HeapOperation is currently underway, but
5103 since they are included in Heap.h they can't directly reference HeapOperation if it also
5104 lives in Heap.h. The simplest thing to do is to give HeapOperation its own header. While
5105 a bit overkill, it simplifies including it wherever its needed.
5106
5107 * JavaScriptCore.xcodeproj/project.pbxproj:
5108 * bytecode/CodeBlock.cpp:
5109 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
5110 (JSC::CodeBlock::updateAllValueProfilePredictions):
5111 (JSC::CodeBlock::updateAllPredictions):
5112 * bytecode/CodeBlock.h:
5113 (JSC::CodeBlock::updateAllValueProfilePredictions):
5114 (JSC::CodeBlock::updateAllPredictions):
5115 * bytecode/LazyOperandValueProfile.cpp:
5116 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
5117 * bytecode/LazyOperandValueProfile.h:
5118 * bytecode/ValueProfile.h:
5119 (JSC::ValueProfileBase::computeUpdatedPrediction):
5120 * heap/Heap.h:
5121 * heap/HeapOperation.h: Added.
5122
51232013-09-18 Filip Pizlo <fpizlo@apple.com>
5124
5125 DFG should support Int52 for local variables
5126 https://bugs.webkit.org/show_bug.cgi?id=121064
5127
5128 Reviewed by Oliver Hunt.
5129
5130 This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
5131 programs that have local int32 overflows but where a larger int representation can
5132 prevent us from having to convert all the way up to double.
5133
5134 It's a small speed-up for now. But we're just supporting Int52 for a handful of
5135 operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
5136 the groundwork for adding Int52 to JSValue, which will probably be a bigger
5137 speed-up.
5138
5139 The basic approach is:
5140
5141 - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
5142 or HeapTop - i.e. it doesn't arise from JSValues.
5143
5144 - DFG treats Int52 as being part of its FullTop and will treat it as being a
5145 subtype of double unless instructed otherwise.
5146
5147 - Prediction propagator creates Int52s whenever we have a node going doubly but due
5148 to large values rather than fractional values, and that node is known to be able
5149 to produce Int52 natively in the DFG backend.
5150
5151 - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
5152 to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
5153 input.
5154
5155 - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
5156 are left-shifted by 16 (great for overflow checks) and ones that are
5157 sign-extended. Both backends know how to convert between Int52s and the other
5158 representations.
5159
5160 * assembler/MacroAssemblerX86_64.h:
5161 (JSC::MacroAssemblerX86_64::rshift64):
5162 (JSC::MacroAssemblerX86_64::mul64):
5163 (JSC::MacroAssemblerX86_64::branchMul64):
5164 (JSC::MacroAssemblerX86_64::branchNeg64):
5165 (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
5166 * assembler/X86Assembler.h:
5167 (JSC::X86Assembler::imulq_rr):
5168 (JSC::X86Assembler::cvtsi2sdq_rr):
5169 * bytecode/DataFormat.h:
5170 (JSC::dataFormatToString):
5171 * bytecode/ExitKind.cpp:
5172 (JSC::exitKindToString):
5173 * bytecode/ExitKind.h:
5174 * bytecode/OperandsInlines.h:
5175 (JSC::::dumpInContext):
5176 * bytecode/SpeculatedType.cpp:
5177 (JSC::dumpSpeculation):
5178 (JSC::speculationToAbbreviatedString):
5179 (JSC::speculationFromValue):
5180 * bytecode/SpeculatedType.h:
5181 (JSC::isInt32SpeculationForArithmetic):
5182 (JSC::isInt52Speculation):
5183 (JSC::isMachineIntSpeculationForArithmetic):
5184 (JSC::isInt52AsDoubleSpeculation):
5185 (JSC::isBytecodeRealNumberSpeculation):
5186 (JSC::isFullRealNumberSpeculation):
5187 (JSC::isBytecodeNumberSpeculation):
5188 (JSC::isFullNumberSpeculation):
5189 (JSC::isBytecodeNumberSpeculationExpectingDefined):
5190 (JSC::isFullNumberSpeculationExpectingDefined):
5191 * bytecode/ValueRecovery.h:
5192 (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
5193 (JSC::ValueRecovery::inGPR):
5194 (JSC::ValueRecovery::displacedInJSStack):
5195 (JSC::ValueRecovery::isAlreadyInJSStack):
5196 (JSC::ValueRecovery::gpr):
5197 (JSC::ValueRecovery::virtualRegister):
5198 (JSC::ValueRecovery::dumpInContext):
5199 * dfg/DFGAbstractInterpreter.h:
5200 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
5201 (JSC::DFG::AbstractInterpreter::filterByType):
5202 * dfg/DFGAbstractInterpreterInlines.h:
5203 (JSC::DFG::::executeEffects):
5204 * dfg/DFGAbstractValue.cpp:
5205 (JSC::DFG::AbstractValue::set):
5206 (JSC::DFG::AbstractValue::checkConsistency):
5207 * dfg/DFGAbstractValue.h:
5208 (JSC::DFG::AbstractValue::couldBeType):
5209 (JSC::DFG::AbstractValue::isType):
5210 (JSC::DFG::AbstractValue::checkConsistency):
5211 (JSC::DFG::AbstractValue::validateType):
5212 * dfg/DFGArrayMode.cpp:
5213 (JSC::DFG::ArrayMode::refine):
5214 * dfg/DFGAssemblyHelpers.h:
5215 (JSC::DFG::AssemblyHelpers::boxInt52):
5216 * dfg/DFGByteCodeParser.cpp:
5217 (JSC::DFG::ByteCodeParser::makeSafe):
5218 * dfg/DFGCSEPhase.cpp:
5219 (JSC::DFG::CSEPhase::pureCSE):
5220 (JSC::DFG::CSEPhase::getByValLoadElimination):
5221 (JSC::DFG::CSEPhase::performNodeCSE):
5222 * dfg/DFGClobberize.h:
5223 (JSC::DFG::clobberize):
5224 * dfg/DFGCommon.h:
5225 (JSC::DFG::enableInt52):
5226 * dfg/DFGDCEPhase.cpp:
5227 (JSC::DFG::DCEPhase::fixupBlock):
5228 * dfg/DFGFixupPhase.cpp:
5229 (JSC::DFG::FixupPhase::run):
5230 (JSC::DFG::FixupPhase::fixupNode):
5231 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
5232 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
5233 (JSC::DFG::FixupPhase::observeUseKindOnNode):
5234 (JSC::DFG::FixupPhase::fixEdge):
5235 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
5236 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
5237 * dfg/DFGFlushFormat.cpp:
5238 (WTF::printInternal):
5239 * dfg/DFGFlushFormat.h:
5240 (JSC::DFG::resultFor):
5241 (JSC::DFG::useKindFor):
5242 * dfg/DFGGenerationInfo.h:
5243 (JSC::DFG::GenerationInfo::initInt52):
5244 (JSC::DFG::GenerationInfo::initStrictInt52):
5245 (JSC::DFG::GenerationInfo::isFormat):
5246 (JSC::DFG::GenerationInfo::isInt52):
5247 (JSC::DFG::GenerationInfo::isStrictInt52):
5248 (JSC::DFG::GenerationInfo::fillInt52):
5249 (JSC::DFG::GenerationInfo::fillStrictInt52):
5250 * dfg/DFGGraph.cpp:
5251 (JSC::DFG::Graph::dump):
5252 * dfg/DFGGraph.h:
5253 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
5254 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
5255 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
5256 * dfg/DFGInPlaceAbstractState.cpp:
5257 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5258 * dfg/DFGJITCode.cpp:
5259 (JSC::DFG::JITCode::reconstruct):
5260 * dfg/DFGJITCompiler.h:
5261 (JSC::DFG::JITCompiler::noticeOSREntry):
5262 * dfg/DFGMinifiedNode.h:
5263 (JSC::DFG::belongsInMinifiedGraph):
5264 (JSC::DFG::MinifiedNode::hasChild):
5265 * dfg/DFGNode.h:
5266 (JSC::DFG::Node::shouldSpeculateNumber):
5267 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
5268 (JSC::DFG::Node::canSpeculateInt52):
5269 * dfg/DFGNodeFlags.h:
5270 (JSC::DFG::nodeCanSpeculateInt52):
5271 * dfg/DFGNodeType.h:
5272 (JSC::DFG::permitsOSRBackwardRewiring):
5273 (JSC::DFG::forwardRewiringSelectionScore):
5274 * dfg/DFGOSREntry.cpp:
5275 (JSC::DFG::prepareOSREntry):
5276 * dfg/DFGOSREntry.h:
5277 * dfg/DFGOSRExitCompiler.cpp:
5278 * dfg/DFGOSRExitCompiler64.cpp:
5279 (JSC::DFG::OSRExitCompiler::compileExit):
5280 * dfg/DFGPredictionPropagationPhase.cpp:
5281 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5282 (JSC::DFG::PredictionPropagationPhase::propagate):
5283 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5284 * dfg/DFGSafeToExecute.h:
5285 (JSC::DFG::SafeToExecuteEdge::operator()):
5286 (JSC::DFG::safeToExecute):
5287 * dfg/DFGSilentRegisterSavePlan.h:
5288 * dfg/DFGSpeculativeJIT.cpp:
5289 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
5290 (JSC::DFG::SpeculativeJIT::silentFill):
5291 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
5292 (JSC::DFG::SpeculativeJIT::compileInlineStart):
5293 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
5294 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5295 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
5296 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
5297 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
5298 (JSC::DFG::SpeculativeJIT::compileAdd):
5299 (JSC::DFG::SpeculativeJIT::compileArithSub):
5300 (JSC::DFG::SpeculativeJIT::compileArithNegate):
5301 (JSC::DFG::SpeculativeJIT::compileArithMul):
5302 (JSC::DFG::SpeculativeJIT::compare):
5303 (JSC::DFG::SpeculativeJIT::compileStrictEq):
5304 (JSC::DFG::SpeculativeJIT::speculateMachineInt):
5305 (JSC::DFG::SpeculativeJIT::speculateNumber):
5306 (JSC::DFG::SpeculativeJIT::speculateRealNumber):
5307 (JSC::DFG::SpeculativeJIT::speculate):
5308 * dfg/DFGSpeculativeJIT.h:
5309 (JSC::DFG::SpeculativeJIT::canReuse):
5310 (JSC::DFG::SpeculativeJIT::isFilled):
5311 (JSC::DFG::SpeculativeJIT::isFilledDouble):
5312 (JSC::DFG::SpeculativeJIT::use):
5313 (JSC::DFG::SpeculativeJIT::isKnownInteger):
5314 (JSC::DFG::SpeculativeJIT::isKnownCell):
5315 (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
5316 (JSC::DFG::SpeculativeJIT::int52Result):
5317 (JSC::DFG::SpeculativeJIT::strictInt52Result):
5318 (JSC::DFG::SpeculativeJIT::initConstantInfo):
5319 (JSC::DFG::SpeculativeJIT::isInteger):
5320 (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
5321 (JSC::DFG::SpeculativeJIT::generationInfo):
5322 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
5323 (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
5324 (JSC::DFG::SpeculateInt52Operand::edge):
5325 (JSC::DFG::SpeculateInt52Operand::node):
5326 (JSC::DFG::SpeculateInt52Operand::gpr):
5327 (JSC::DFG::SpeculateInt52Operand::use):
5328 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
5329 (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
5330 (JSC::DFG::SpeculateStrictInt52Operand::edge):
5331 (JSC::DFG::SpeculateStrictInt52Operand::node):
5332 (JSC::DFG::SpeculateStrictInt52Operand::gpr):
5333 (JSC::DFG::SpeculateStrictInt52Operand::use):
5334 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
5335 (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
5336 (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
5337 (JSC::DFG::SpeculateWhicheverInt52Operand::node):
5338 (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
5339 (JSC::DFG::SpeculateWhicheverInt52Operand::use):
5340 (JSC::DFG::SpeculateWhicheverInt52Operand::format):
5341 * dfg/DFGSpeculativeJIT32_64.cpp:
5342 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5343 (JSC::DFG::SpeculativeJIT::compile):
5344 * dfg/DFGSpeculativeJIT64.cpp:
5345 (JSC::DFG::SpeculativeJIT::boxInt52):
5346 (JSC::DFG::SpeculativeJIT::fillJSValue):
5347 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
5348 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
5349 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5350 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
5351 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
5352 (JSC::DFG::SpeculativeJIT::compileInt52Compare):
5353 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
5354 (JSC::DFG::SpeculativeJIT::compile):
5355 * dfg/DFGUseKind.cpp:
5356 (WTF::printInternal):
5357 * dfg/DFGUseKind.h:
5358 (JSC::DFG::typeFilterFor):
5359 (JSC::DFG::isNumerical):
5360 * dfg/DFGValueSource.cpp:
5361 (JSC::DFG::ValueSource::dump):
5362 * dfg/DFGValueSource.h:
5363 (JSC::DFG::dataFormatToValueSourceKind):
5364 (JSC::DFG::valueSourceKindToDataFormat):
5365 (JSC::DFG::ValueSource::forFlushFormat):
5366 (JSC::DFG::ValueSource::valueRecovery):
5367 * dfg/DFGVariableAccessData.h:
5368 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5369 (JSC::DFG::VariableAccessData::flushFormat):
5370 * ftl/FTLCArgumentGetter.cpp:
5371 (JSC::FTL::CArgumentGetter::loadNextAndBox):
5372 * ftl/FTLCArgumentGetter.h:
5373 * ftl/FTLCapabilities.cpp:
5374 (JSC::FTL::canCompile):
5375 * ftl/FTLExitValue.cpp:
5376 (JSC::FTL::ExitValue::dumpInContext):
5377 * ftl/FTLExitValue.h:
5378 (JSC::FTL::ExitValue::inJSStackAsInt52):
5379 * ftl/FTLIntrinsicRepository.h:
5380 * ftl/FTLLowerDFGToLLVM.cpp:
5381 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
5382 (JSC::FTL::LowerDFGToLLVM::compileNode):
5383 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
5384 (JSC::FTL::LowerDFGToLLVM::compilePhi):
5385 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
5386 (JSC::FTL::LowerDFGToLLVM::compileAdd):
5387 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
5388 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
5389 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
5390 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5391 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
5392 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
5393 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
5394 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
5395 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
5396 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
5397 (JSC::FTL::LowerDFGToLLVM::lowInt32):
5398 (JSC::FTL::LowerDFGToLLVM::lowInt52):
5399 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
5400 (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
5401 (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
5402 (JSC::FTL::LowerDFGToLLVM::opposite):
5403 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
5404 (JSC::FTL::LowerDFGToLLVM::lowCell):
5405 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
5406 (JSC::FTL::LowerDFGToLLVM::lowDouble):
5407 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
5408 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
5409 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
5410 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
5411 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
5412 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
5413 (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
5414 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
5415 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
5416 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
5417 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
5418 (JSC::FTL::LowerDFGToLLVM::setInt52):
5419 (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
5420 * ftl/FTLOSRExitCompiler.cpp:
5421 (JSC::FTL::compileStub):
5422 * ftl/FTLOutput.h:
5423 (JSC::FTL::Output::addWithOverflow64):
5424 (JSC::FTL::Output::subWithOverflow64):
5425 (JSC::FTL::Output::mulWithOverflow64):
5426 * ftl/FTLValueFormat.cpp:
5427 (WTF::printInternal):
5428 * ftl/FTLValueFormat.h:
5429 * ftl/FTLValueSource.cpp:
5430 (JSC::FTL::ValueSource::dump):
5431 * ftl/FTLValueSource.h:
5432 * interpreter/Register.h:
5433 (JSC::Register::unboxedInt52):
5434 * runtime/Arguments.cpp:
5435 (JSC::Arguments::tearOffForInlineCallFrame):
5436 * runtime/IndexingType.cpp:
5437 (JSC::leastUpperBoundOfIndexingTypeAndType):
5438 * runtime/JSCJSValue.h:
5439 * runtime/JSCJSValueInlines.h:
5440 (JSC::JSValue::isMachineInt):
5441 (JSC::JSValue::asMachineInt):
5442
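The two Int52 representations described in the entry above (a value left-shifted so its payload sits at the top of a 64-bit register, and the same value sign-extended), as an added example in C that is not part of the JavaScriptCore sources. It assumes a 52-bit payload and derives a shift of 12 from that width, where the entry quotes a shift of 16 for the representation at the time; it uses the gcc/clang overflow builtins in place of the JIT's branch-on-overflow instructions, and every function name is the example's own. The point it demonstrates is the one the entry makes: on the shifted form, plain 64-bit overflow coincides with leaving the Int52 range, so no separate range comparison is needed, and a caught overflow is the signal to fall back to double.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Example assumption: 52 payload bits, hence a shift of 12. The ChangeLog entry
   states a shift of 16 for the representation it describes. */
enum { INT52_BITS = 52, INT52_SHIFT = 64 - INT52_BITS };

#define INT52_MIN (-((int64_t)1 << (INT52_BITS - 1)))
#define INT52_MAX (((int64_t)1 << (INT52_BITS - 1)) - 1)

/* A "strict" Int52 is an int64_t whose value lies in [INT52_MIN, INT52_MAX]. */
static bool isStrictInt52(int64_t v) { return v >= INT52_MIN && v <= INT52_MAX; }

/* Strict -> shifted: the payload moves to the high bits, the low bits are zero.
   The unsigned cast avoids left-shifting a negative signed value (undefined in C). */
static int64_t strictToShifted(int64_t strict) {
    return (int64_t)((uint64_t)strict << INT52_SHIFT);
}

/* Shifted -> strict: an arithmetic right shift sign-extends the payload
   (gcc and clang implement >> on signed operands arithmetically). */
static int64_t shiftedToStrict(int64_t shifted) { return shifted >> INT52_SHIFT; }

/* Arithmetic on the shifted form. Because the payload occupies the top of the
   register, 64-bit signed overflow happens exactly when the true result leaves
   the Int52 range, so the overflow flag is the only check required. Each
   function returns false on overflow and leaves *out unspecified in that case. */
static bool addShifted(int64_t a, int64_t b, int64_t *out) { return !__builtin_add_overflow(a, b, out); }
static bool subShifted(int64_t a, int64_t b, int64_t *out) { return !__builtin_sub_overflow(a, b, out); }
static bool negShifted(int64_t a, int64_t *out) { return !__builtin_sub_overflow((int64_t)0, a, out); }

/* Multiplication takes one shifted and one strict operand so the product is
   shifted exactly once: (a << s) * b == (a * b) << s. */
static bool mulShifted(int64_t aShifted, int64_t bStrict, int64_t *out) {
    return !__builtin_mul_overflow(aShifted, bStrict, out);
}

/* Wrappers over strict values that route the operation through the shifted form. */
static bool int52Add(int64_t a, int64_t b, int64_t *sum) {
    int64_t s;
    if (!addShifted(strictToShifted(a), strictToShifted(b), &s)) return false;
    *sum = shiftedToStrict(s);
    return true;
}
static bool int52Mul(int64_t a, int64_t b, int64_t *product) {
    int64_t p;
    if (!mulShifted(strictToShifted(a), b, &p)) return false;
    *product = shiftedToStrict(p);
    return true;
}
static bool int52Neg(int64_t a, int64_t *result) {
    int64_t n;
    if (!negShifted(strictToShifted(a), &n)) return false;
    *result = shiftedToStrict(n);
    return true;
}

/* Every strict Int52 fits a double's 53-bit mantissa, so the conversion used
   when a value outgrows Int52 is exact rather than rounded. */
static bool int52ToDoubleIsExact(int64_t strict) {
    double d = (double)strict;
    return isStrictInt52(strict) && (int64_t)d == strict;
}

int main(void) {
    int64_t r;
    /* An int32 overflow that Int52 absorbs instead of promoting to double. */
    if (int52Add(INT32_MAX, 1, &r))
        printf("INT32_MAX + 1 = %lld (still an Int52)\n", (long long)r);
    /* An Int52 overflow, caught by the 64-bit overflow flag on the shifted form. */
    if (!int52Add(INT52_MAX, 1, &r))
        printf("INT52_MAX + 1 leaves Int52; the value would fall back to double\n");
    return 0;
}
```

The shifted form is what makes the checks cheap: an add, sub or neg on two shifted Int52s is a single 64-bit instruction whose overflow flag already answers the range question, which is why the entry calls that form "great for overflow checks". The strict form is what comparisons, typed-array indexing and the double conversion want, and the two conversion helpers are the only bridge between them.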
2013-09-17 Michael Saboff <msaboff@apple.com>

        REGRESSION(r155771): js/stack-overflow-arrity-catch.html is crashing on non-Mac platforms
        https://bugs.webkit.org/show_bug.cgi?id=121376

        Reviewed by Oliver Hunt.

        Fix stack grow() call for stack growing down. This should catch running out of stack space before
        we try to move the frame down due to arity mismatch.

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2013-09-18 Andreas Kling <akling@apple.com>

        YARR: Put UCS2 canonicalization tables in read-only memory.
        <https://webkit.org/b/121547>

        Reviewed by Sam Weinig.

        These tables never mutate so mark them const.

2013-09-18 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r156019 and r156020.
        http://trac.webkit.org/changeset/156019
        http://trac.webkit.org/changeset/156020
        https://bugs.webkit.org/show_bug.cgi?id=121540

        Broke tests (Requested by ap on #webkit).

        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/OperandsInlines.h:
        (JSC::::dumpInContext):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt48Speculation):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isInt48AsDoubleSpeculation):
        (JSC::isRealNumberSpeculation):
        (JSC::isNumberSpeculation):
        (JSC::isNumberSpeculationExpectingDefined):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInt32):
        (JSC::DFG::GenerationInfo::fillInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        (JSC::DFG::Node::canSpeculateInt48):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeCanSpeculateInt48):
        * dfg/DFGNodeType.h:
        (JSC::DFG::forwardRewiringSelectionScore):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::shortOperandsDump):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::boxDouble):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::int32Result):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCArgumentGetter.cpp:
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::setInt32):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::mulWithOverflow32):
        * ftl/FTLValueFormat.cpp:
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dump):
        * ftl/FTLValueSource.h:
        * interpreter/Register.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:

2013-09-17 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * runtime/JSCJSValue.h:

2013-09-16 Filip Pizlo <fpizlo@apple.com>

        DFG should support Int52 for local variables
        https://bugs.webkit.org/show_bug.cgi?id=121064

        Reviewed by Oliver Hunt.

        This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
        programs that have local int32 overflows but where a larger int representation can
        prevent us from having to convert all the way up to double.

        It's a small speed-up for now. But we're just supporting Int52 for a handful of
        operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
        the groundwork for adding Int52 to JSValue, which will probably be a bigger
        speed-up.

        The basic approach is:

        - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
          or HeapTop - i.e. it doesn't arise from JSValues.

        - DFG treats Int52 as being part of its FullTop and will treat it as being a
          subtype of double unless instructed otherwise.

        - Prediction propagator creates Int52s whenever we have a node going doubly but due
          to large values rather than fractional values, and that node is known to be able
          to produce Int52 natively in the DFG backend.

        - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
          to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
          input.

        - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
          are left-shifted by 16 (great for overflow checks) and ones that are
          sign-extended. Both backends know how to convert between Int52s and the other
          representations.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::rshift64):
        (JSC::MacroAssemblerX86_64::mul64):
        (JSC::MacroAssemblerX86_64::branchMul64):
        (JSC::MacroAssemblerX86_64::branchNeg64):
        (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::imulq_rr):
        (JSC::X86Assembler::cvtsi2sdq_rr):
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/OperandsInlines.h:
        (JSC::::dumpInContext):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isBytecodeRealNumberSpeculation):
        (JSC::isFullRealNumberSpeculation):
        (JSC::isBytecodeNumberSpeculation):
        (JSC::isFullNumberSpeculation):
        (JSC::isBytecodeNumberSpeculationExpectingDefined):
        (JSC::isFullNumberSpeculationExpectingDefined):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreter.h:
5764 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
5765 (JSC::DFG::AbstractInterpreter::filterByType):
5766 * dfg/DFGAbstractInterpreterInlines.h:
5767 (JSC::DFG::::executeEffects):
5768 * dfg/DFGAbstractValue.cpp:
5769 (JSC::DFG::AbstractValue::set):
5770 (JSC::DFG::AbstractValue::checkConsistency):
5771 * dfg/DFGAbstractValue.h:
5772 (JSC::DFG::AbstractValue::couldBeType):
5773 (JSC::DFG::AbstractValue::isType):
5774 (JSC::DFG::AbstractValue::checkConsistency):
5775 (JSC::DFG::AbstractValue::validateType):
5776 * dfg/DFGArrayMode.cpp:
5777 (JSC::DFG::ArrayMode::refine):
5778 * dfg/DFGAssemblyHelpers.h:
5779 (JSC::DFG::AssemblyHelpers::boxInt52):
5780 * dfg/DFGCSEPhase.cpp:
5781 (JSC::DFG::CSEPhase::pureCSE):
5782 (JSC::DFG::CSEPhase::getByValLoadElimination):
5783 (JSC::DFG::CSEPhase::performNodeCSE):
5784 * dfg/DFGClobberize.h:
5785 (JSC::DFG::clobberize):
5786 * dfg/DFGCommon.h:
5787 (JSC::DFG::enableInt52):
5788 * dfg/DFGFixupPhase.cpp:
5789 (JSC::DFG::FixupPhase::run):
5790 (JSC::DFG::FixupPhase::fixupNode):
5791 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
5792 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
5793 (JSC::DFG::FixupPhase::observeUseKindOnNode):
5794 (JSC::DFG::FixupPhase::fixEdge):
5795 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
5796 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
5797 * dfg/DFGFlushFormat.cpp:
5798 (WTF::printInternal):
5799 * dfg/DFGFlushFormat.h:
5800 (JSC::DFG::resultFor):
5801 (JSC::DFG::useKindFor):
5802 * dfg/DFGGenerationInfo.h:
5803 (JSC::DFG::GenerationInfo::initInt52):
5804 (JSC::DFG::GenerationInfo::initStrictInt52):
5805 (JSC::DFG::GenerationInfo::isFormat):
5806 (JSC::DFG::GenerationInfo::isInt52):
5807 (JSC::DFG::GenerationInfo::isStrictInt52):
5808 (JSC::DFG::GenerationInfo::fillInt52):
5809 (JSC::DFG::GenerationInfo::fillStrictInt52):
5810 * dfg/DFGGraph.cpp:
5811 (JSC::DFG::Graph::dump):
5812 * dfg/DFGGraph.h:
5813 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
5814 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
5815 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
5816 * dfg/DFGInPlaceAbstractState.cpp:
5817 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5818 * dfg/DFGJITCode.cpp:
5819 (JSC::DFG::JITCode::reconstruct):
5820 * dfg/DFGMinifiedNode.h:
5821 (JSC::DFG::belongsInMinifiedGraph):
5822 (JSC::DFG::MinifiedNode::hasChild):
5823 * dfg/DFGNode.h:
5824 (JSC::DFG::Node::shouldSpeculateNumber):
5825 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
5826 * dfg/DFGNodeFlags.h:
5827 * dfg/DFGNodeType.h:
5828 (JSC::DFG::forwardRewiringSelectionScore):
5829 * dfg/DFGOSRExitCompiler.cpp:
5830 * dfg/DFGOSRExitCompiler64.cpp:
5831 (JSC::DFG::OSRExitCompiler::compileExit):
5832 * dfg/DFGPredictionPropagationPhase.cpp:
5833 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5834 (JSC::DFG::PredictionPropagationPhase::propagate):
5835 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5836 * dfg/DFGSafeToExecute.h:
5837 (JSC::DFG::SafeToExecuteEdge::operator()):
5838 (JSC::DFG::safeToExecute):
5839 * dfg/DFGSilentRegisterSavePlan.h:
5840 * dfg/DFGSpeculativeJIT.cpp:
5841 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
5842 (JSC::DFG::SpeculativeJIT::silentFill):
5843 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
5844 (JSC::DFG::SpeculativeJIT::compileInlineStart):
5845 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
5846 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5847 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
5848 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
5849 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
5850 (JSC::DFG::SpeculativeJIT::compileAdd):
5851 (JSC::DFG::SpeculativeJIT::compileArithSub):
5852 (JSC::DFG::SpeculativeJIT::compileArithNegate):
5853 (JSC::DFG::SpeculativeJIT::compileArithMul):
5854 (JSC::DFG::SpeculativeJIT::compare):
5855 (JSC::DFG::SpeculativeJIT::compileStrictEq):
5856 (JSC::DFG::SpeculativeJIT::speculateMachineInt):
5857 (JSC::DFG::SpeculativeJIT::speculateNumber):
5858 (JSC::DFG::SpeculativeJIT::speculateRealNumber):
5859 (JSC::DFG::SpeculativeJIT::speculate):
5860 * dfg/DFGSpeculativeJIT.h:
5861 (JSC::DFG::SpeculativeJIT::canReuse):
5862 (JSC::DFG::SpeculativeJIT::isFilled):
5863 (JSC::DFG::SpeculativeJIT::isFilledDouble):
5864 (JSC::DFG::SpeculativeJIT::use):
5865 (JSC::DFG::SpeculativeJIT::isKnownInteger):
5866 (JSC::DFG::SpeculativeJIT::isKnownCell):
5867 (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
5868 (JSC::DFG::SpeculativeJIT::int52Result):
5869 (JSC::DFG::SpeculativeJIT::strictInt52Result):
5870 (JSC::DFG::SpeculativeJIT::initConstantInfo):
5871 (JSC::DFG::SpeculativeJIT::isInteger):
5872 (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
5873 (JSC::DFG::SpeculativeJIT::generationInfo):
5874 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
5875 (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
5876 (JSC::DFG::SpeculateInt52Operand::edge):
5877 (JSC::DFG::SpeculateInt52Operand::node):
5878 (JSC::DFG::SpeculateInt52Operand::gpr):
5879 (JSC::DFG::SpeculateInt52Operand::use):
5880 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
5881 (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
5882 (JSC::DFG::SpeculateStrictInt52Operand::edge):
5883 (JSC::DFG::SpeculateStrictInt52Operand::node):
5884 (JSC::DFG::SpeculateStrictInt52Operand::gpr):
5885 (JSC::DFG::SpeculateStrictInt52Operand::use):
5886 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
5887 (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
5888 (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
5889 (JSC::DFG::SpeculateWhicheverInt52Operand::node):
5890 (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
5891 (JSC::DFG::SpeculateWhicheverInt52Operand::use):
5892 (JSC::DFG::SpeculateWhicheverInt52Operand::format):
5893 * dfg/DFGSpeculativeJIT32_64.cpp:
5894 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5895 (JSC::DFG::SpeculativeJIT::compile):
5896 * dfg/DFGSpeculativeJIT64.cpp:
5897 (JSC::DFG::SpeculativeJIT::boxInt52):
5898 (JSC::DFG::SpeculativeJIT::fillJSValue):
5899 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
5900 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
5901 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5902 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
5903 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
5904 (JSC::DFG::SpeculativeJIT::compileInt52Compare):
5905 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
5906 (JSC::DFG::SpeculativeJIT::compile):
5907 * dfg/DFGUseKind.cpp:
5908 (WTF::printInternal):
5909 * dfg/DFGUseKind.h:
5910 (JSC::DFG::typeFilterFor):
5911 (JSC::DFG::isNumerical):
5912 * dfg/DFGValueSource.cpp:
5913 (JSC::DFG::ValueSource::dump):
5914 * dfg/DFGValueSource.h:
5915 (JSC::DFG::dataFormatToValueSourceKind):
5916 (JSC::DFG::valueSourceKindToDataFormat):
5917 (JSC::DFG::ValueSource::forFlushFormat):
5918 (JSC::DFG::ValueSource::valueRecovery):
5919 * dfg/DFGVariableAccessData.h:
5920 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5921 (JSC::DFG::VariableAccessData::flushFormat):
5922 * ftl/FTLCArgumentGetter.cpp:
5923 (JSC::FTL::CArgumentGetter::loadNextAndBox):
5924 * ftl/FTLCArgumentGetter.h:
5925 * ftl/FTLCapabilities.cpp:
5926 (JSC::FTL::canCompile):
5927 * ftl/FTLExitValue.cpp:
5928 (JSC::FTL::ExitValue::dumpInContext):
5929 * ftl/FTLExitValue.h:
5930 (JSC::FTL::ExitValue::inJSStackAsInt52):
5931 * ftl/FTLIntrinsicRepository.h:
5932 * ftl/FTLLowerDFGToLLVM.cpp:
5933 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
5934 (JSC::FTL::LowerDFGToLLVM::compileNode):
5935 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
5936 (JSC::FTL::LowerDFGToLLVM::compilePhi):
5937 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
5938 (JSC::FTL::LowerDFGToLLVM::compileAdd):
5939 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
5940 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
5941 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
5942 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5943 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
5944 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
5945 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
5946 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
5947 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
5948 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
5949 (JSC::FTL::LowerDFGToLLVM::lowInt32):
5950 (JSC::FTL::LowerDFGToLLVM::lowInt52):
5951 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
5952 (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
5953 (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
5954 (JSC::FTL::LowerDFGToLLVM::opposite):
5955 (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
5956 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
5957 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
5958 (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
5959 (JSC::FTL::LowerDFGToLLVM::lowCell):
5960 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
5961 (JSC::FTL::LowerDFGToLLVM::lowDouble):
5962 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
5963 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
5964 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
5965 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
5966 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
5967 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
5968 (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
5969 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
5970 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
5971 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
5972 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
5973 (JSC::FTL::LowerDFGToLLVM::setInt52):
5974 (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
5975 * ftl/FTLOSRExitCompiler.cpp:
5976 (JSC::FTL::compileStub):
5977 * ftl/FTLOutput.h:
5978 (JSC::FTL::Output::addWithOverflow64):
5979 (JSC::FTL::Output::subWithOverflow64):
5980 (JSC::FTL::Output::mulWithOverflow64):
5981 * ftl/FTLValueFormat.cpp:
5982 (WTF::printInternal):
5983 * ftl/FTLValueFormat.h:
5984 * ftl/FTLValueSource.cpp:
5985 (JSC::FTL::ValueSource::dump):
5986 * ftl/FTLValueSource.h:
5987 * interpreter/Register.h:
5988 (JSC::Register::unboxedInt52):
5989 * runtime/Arguments.cpp:
5990 (JSC::Arguments::tearOffForInlineCallFrame):
5991 * runtime/IndexingType.cpp:
5992 (JSC::leastUpperBoundOfIndexingTypeAndType):
5993 * runtime/JSCJSValue.h:
5994 * runtime/JSCJSValueInlines.h:
5995 (JSC::JSValue::isMachineInt):
5996 (JSC::JSValue::asMachineInt):
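
Added example (not JSC code): a plain C++ model of the two Int52 representations this entry describes, strict (sign-extended) and shifted, with GCC/Clang overflow builtins standing in for the JIT's overflow-flag branches. The shift amount is derived here as 64 - 52 = 12 rather than copied from the entry, the type and function names are this example's own, and the sample inputs are constructed. It shows why the shifted form turns the CPU's 64-bit overflow flag into an exact Int52 overflow check for add, and why multiply pairs one shifted operand with one strict operand.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// A 52-bit signed integer held in a 64-bit register, in two forms:
// "strict" keeps the value sign-extended; "shifted" parks the 52-bit payload
// in the top bits so that 64-bit signed overflow coincides with Int52 overflow.
// The shift is this example's assumption (derived from the width), not a JSC constant.
constexpr int kInt52Bits = 52;
constexpr int kInt52Shift = 64 - kInt52Bits;
constexpr int64_t kInt52Min = -(int64_t{1} << (kInt52Bits - 1));
constexpr int64_t kInt52Max = (int64_t{1} << (kInt52Bits - 1)) - 1;

struct StrictInt52 { int64_t v; };   // value == v
struct ShiftedInt52 { int64_t v; };  // value == v >> kInt52Shift

constexpr bool fitsInt52(int64_t v) { return v >= kInt52Min && v <= kInt52Max; }

// Strict -> shifted. The shift goes through uint64_t so negative inputs are well defined.
inline ShiftedInt52 toShifted(StrictInt52 s) {
    return { static_cast<int64_t>(static_cast<uint64_t>(s.v) << kInt52Shift) };
}

// Shifted -> strict. Arithmetic right shift restores the sign extension.
inline StrictInt52 toStrict(ShiftedInt52 s) { return { s.v >> kInt52Shift }; }

// Add two shifted values. Both payloads occupy bits 12..63, so signed 64-bit
// overflow happens exactly when the 52-bit sum would leave the Int52 range:
// one hardware overflow check, no separate range compare.
inline std::optional<ShiftedInt52> addInt52(ShiftedInt52 a, ShiftedInt52 b) {
    int64_t r;
    if (__builtin_add_overflow(a.v, b.v, &r)) return std::nullopt;
    return ShiftedInt52{ r };
}

// Multiply one shifted operand by one strict operand (opposing forms):
// (a << 12) * b is already (a * b) << 12, and the 64-bit overflow flag again
// reports precisely an Int52 overflow of the product.
inline std::optional<ShiftedInt52> mulInt52(ShiftedInt52 a, StrictInt52 b) {
    int64_t r;
    if (__builtin_mul_overflow(a.v, b.v, &r)) return std::nullopt;
    return ShiftedInt52{ r };
}

// The motivating case from the entry: an int32 accumulation that overflows
// int32 but not Int52 stays an exact integer; only an Int52 overflow forces the
// fall-back to double, signalled here by std::nullopt.
inline std::optional<int64_t> sumAsInt52(const int32_t* xs, std::size_t n) {
    ShiftedInt52 acc = toShifted({ 0 });
    for (std::size_t i = 0; i < n; ++i) {
        auto next = addInt52(acc, toShifted({ xs[i] }));
        if (!next) return std::nullopt;
        acc = *next;
    }
    return toStrict(acc).v;
}

// Strict-in, strict-out multiply with the same overflow semantics.
inline std::optional<int64_t> mulStrict(int64_t a, int64_t b) {
    auto r = mulInt52(toShifted({ a }), StrictInt52{ b });
    if (!r) return std::nullopt;
    return toStrict(*r).v;
}

// Constructed sample input: INT32_MAX + 1 overflows int32 but is a small Int52.
constexpr int32_t kSampleInt32s[] = { INT32_MAX, 1 };
```

Every conversion between the two forms is a single shift, which is why the backends can pick whichever form is cheaper for the next consumer (add and sub want shifted operands, multiply wants one of each) and convert only at the boundary.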
5997
59982013-09-17 Filip Pizlo <fpizlo@apple.com>
5999
6000 Use CheckStructure for checking the types of typed arrays whenever possible
6001 https://bugs.webkit.org/show_bug.cgi?id=121514
6002
6003 Reviewed by Oliver Hunt.
6004
6005 * bytecode/ArrayProfile.cpp:
6006 (JSC::ArrayProfile::computeUpdatedPrediction):
6007 * dfg/DFGArrayMode.cpp:
6008 (JSC::DFG::ArrayMode::fromObserved):
6009 (JSC::DFG::ArrayMode::refine):
6010 (JSC::DFG::ArrayMode::originalArrayStructure):
6011 (JSC::DFG::arrayClassToString):
6012 * dfg/DFGArrayMode.h:
6013 (JSC::DFG::ArrayMode::ArrayMode):
6014 (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
6015 * runtime/JSGlobalObject.h:
6016 (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
6017
60182013-09-17 Filip Pizlo <fpizlo@apple.com>
6019
6020 DFG should use the (x & 0x7fffffff) trick for doing overflow and neg-zero checks on negation in one go
6021 https://bugs.webkit.org/show_bug.cgi?id=121520
6022
6023 Reviewed by Oliver Hunt.
6024
6025 * dfg/DFGSpeculativeJIT.cpp:
6026 (JSC::DFG::SpeculativeJIT::compileArithNegate):
6027 * ftl/FTLLowerDFGToLLVM.cpp:
6028 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
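
Added example (not JSC code): the masked check from this entry in plain C++, beside the explicit two-compare form it replaces, plus a function that verifies the two agree on INT32_MIN, 0 and a sweep of nearby values. Function names are this example's own.

```cpp
#include <climits>
#include <cstdint>
#include <optional>

// Explicit form: int32 negation has to leave the integer path in two cases.
// x == INT32_MIN, because -INT32_MIN does not fit in int32 (overflow), and
// x == 0, because the result would be the double -0.0, not an int32 (neg-zero).
inline std::optional<int32_t> negateInt32Explicit(int32_t x) {
    if (x == INT32_MIN || x == 0) return std::nullopt;
    return -x;
}

// Masked form: INT32_MIN (0x80000000) and 0 are the only int32 values whose
// low 31 bits are all clear, so a single "test x, 0x7fffffff; jz exit"
// catches both overflow and negative zero in one branch.
inline std::optional<int32_t> negateInt32Masked(int32_t x) {
    if ((static_cast<uint32_t>(x) & 0x7fffffffu) == 0) return std::nullopt;
    return -x;
}

// Cross-check the trick against the explicit form on the boundary values and
// a window of small magnitudes around zero.
inline bool maskedTrickMatchesExplicit() {
    const int32_t probes[] = { INT32_MIN, INT32_MIN + 1, -1, 0, 1, INT32_MAX - 1, INT32_MAX };
    for (int32_t x : probes)
        if (negateInt32Explicit(x) != negateInt32Masked(x)) return false;
    for (int64_t i = -65536; i <= 65536; ++i) {
        int32_t x = static_cast<int32_t>(i);
        if (negateInt32Explicit(x) != negateInt32Masked(x)) return false;
    }
    return true;
}
```

The mask test is only a shortcut when the node must check for negative zero as well as overflow; if the neg-zero result is known to be unobserved, the overflow check alone (x == INT32_MIN) is the cheaper exit condition.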
6029
60302013-09-17 Andreas Kling <akling@apple.com>
6031
6032 Pack create_hash_table tables better.
6033 <https://webkit.org/b/121517>
6034
6035 Reviewed by Sam Weinig.
6036
6037 Reduces JavaScriptCore binary size by 4648 bytes.
6038
6039 * create_hash_table:
6040 * runtime/Lookup.h:
6041
6042 Reorder HashTableValue members to avoid unnecessary padding.
6043
60442013-09-17 Mark Hahnenberg <mhahnenberg@apple.com>
6045
6046 DFG doesn't properly keep scope alive for op_put_to_scope
6047 https://bugs.webkit.org/show_bug.cgi?id=121519
6048
6049 Reviewed by Michael Saboff.
6050
6051 This was a latent bug that can't actually occur in ToT. It was uncovered by causing slow
6052 path calls in the baseline JIT for op_put_to_scope in places where we couldn't before (but
6053 which were necessary for gen GC).
6054
6055 * dfg/DFGByteCodeParser.cpp:
6056 (JSC::DFG::ByteCodeParser::parseBlock):
6057
60582013-09-17 Filip Pizlo <fpizlo@apple.com>
6059
6060 Don't GC while OSR compiling
6061 https://bugs.webkit.org/show_bug.cgi?id=121513
6062
6063 Reviewed by Mark Hahnenberg.
6064
6065 Fixes some rare crashes that I see in ConservativeRoots, while in a GC from OSR exit
6066 compilation.
6067
6068 * dfg/DFGOSRExitCompiler.cpp:
6069 * ftl/FTLOSRExitCompiler.cpp:
6070 (JSC::FTL::compileFTLOSRExit):
6071
60722013-09-17 Alberto Garcia <berto@igalia.com>
6073
6074 Unreviewed make distcheck fix.
6075
6076 * GNUmakefile.list.am:
6077
60782013-09-13 Mark Hahnenberg <mhahnenberg@apple.com>
6079
6080 MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList
6081 https://bugs.webkit.org/show_bug.cgi?id=121236
6082
6083 Reviewed by Geoffrey Garen.
6084
6085 Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping
6086 happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(),
6087 which moves the block into the Allocated block state. This happens to both the block that was
6088 just being allocated out of (i.e. m_currentBlock) as well as any blocks that are completely full.
6089 We should distinguish between these two cases: m_currentBlock should transition to
6090 Allocated (because we were just allocating out of it) and any subsequent block that returns an
6091 empty free list should transition back to the Marked state. This will make the block state more
6092 consistent with the actual state the block is in, and it will also allow us to speed up moving
6093 all blocks to the Marked state during generational collection.
6094
6095 Added new RAII-style HeapIterationScope class that notifies the Heap when it is about to be
6096 iterated and when iteration has finished. Any clients that need accurate liveness data when
6097 iterating over the Heap now need to use a HeapIterationScope so that the state of Heap can
6098 be properly restored after they are done iterating. No new GC-allocated objects can be created
6099 until this object goes out of scope.
6100
6101 * JavaScriptCore.xcodeproj/project.pbxproj:
6102 * debugger/Debugger.cpp:
6103 (JSC::Debugger::recompileAllJSFunctions): Added HeapIterationScope for the Recompiler iteration.
6104 * heap/Heap.cpp:
6105 (JSC::Heap::willStartIterating): Callback used by HeapIterationScope to indicate that iteration of
6106 the Heap is about to begin. This will cause cell liveness data to be canonicalized by calling stopAllocating.
6107 (JSC::Heap::didFinishIterating): Same, but indicates that iteration has finished.
6108 (JSC::Heap::globalObjectCount): Used HeapIterationScope.
6109 (JSC::Heap::objectTypeCounts): Ditto.
6110 (JSC::Heap::markDeadObjects): Ditto.
6111 (JSC::Heap::zombifyDeadObjects): Ditto.
6112 * heap/Heap.h:
6113 * heap/HeapIterationScope.h: Added. New RAII-style object for indicating to the Heap that it's about
6114 to be iterated or that iteration has finished.
6115 (JSC::HeapIterationScope::HeapIterationScope):
6116 (JSC::HeapIterationScope::~HeapIterationScope):
6117 * heap/HeapStatistics.cpp:
6118 (JSC::HeapStatistics::showObjectStatistics): Used new HeapIterationScope.
6119 * heap/MarkedAllocator.cpp:
6120 (JSC::MarkedAllocator::tryAllocateHelper): We now treat the case where we have just finished
6121 allocating out of the current block differently from the case where we sweep a block and it
6122 returns an empty free list. This was the primary point of this patch.
6123 (JSC::MarkedAllocator::allocateSlowCase): ASSERT that nobody is currently iterating the Heap
6124 when allocating.
6125 * heap/MarkedAllocator.h:
6126 (JSC::MarkedAllocator::reset): All allocators are reset after every collection. We need to make
6127 sure that the m_lastActiveBlock gets cleared, which it might not always because we don't call
6128 takeCanonicalizedBlock on blocks in the large allocators.
6129 (JSC::MarkedAllocator::stopAllocating): We shouldn't already have a last active block,
6130 so ASSERT as much.
6131 (JSC::MarkedAllocator::resumeAllocating): Do the opposite of what stopAllocating
6132 does. So, if we don't have a m_lastActiveBlock then we don't have to worry about undoing anything
6133 done by stopAllocating. If we do, then we call resumeAllocating on the block, which returns the FreeList
6134 as it was prior to stopping allocation. We then set the current block to the last active block and
6135 clear the last active block.
6136 * heap/MarkedBlock.cpp:
6137 (JSC::MarkedBlock::resumeAllocating): Any block resuming allocation should be in
6138 the Marked state, so ASSERT as much. We always allocate a m_newlyAllocated Bitmap if we're
6139 FreeListed, so if we didn't allocate one then we know we were Marked when allocation was stopped,
6140 so just return early with an empty FreeList. If we do have a non-null m_newlyAllocated Bitmap
6141 then we need to be swept in order to rebuild our FreeList.
6142 * heap/MarkedBlock.h:
6143 (JSC::MarkedBlock::didConsumeEmptyFreeList): This is called if we ever sweep a block and get back
6144 an empty free list. Instead of transitioning to the Allocated state, we now go straight back to the
6145 Marked state. This makes sense because we weren't actually allocated out of, so we shouldn't be in
6146 the allocated state. Also added some ASSERTs to make sure that we're in the state that we expect: all of
6147 our mark bits should be set and we should not have a m_newlyAllocated Bitmap.
6148 * heap/MarkedSpace.cpp:
6149 (JSC::MarkedSpace::MarkedSpace):
6150 (JSC::MarkedSpace::forEachAllocator): Added a new functor-style iteration method so that we can
6151 easily iterate over each allocator for, e.g., stopping and resuming allocators without
6152 duplicating code.
6153 (JSC::StopAllocatingFunctor::operator()): New functors for use with forEachAllocator.
6154 (JSC::MarkedSpace::stopAllocating): Ditto.
6155 (JSC::ResumeAllocatingFunctor::operator()): Ditto.
6156 (JSC::MarkedSpace::resumeAllocating): Ditto.
6157 (JSC::MarkedSpace::willStartIterating): Callback that notifies MarkedSpace that it is being iterated.
6158 Does some ASSERTs, sets a flag, canonicalizes cell liveness data by calling stopAllocating.
6159 (JSC::MarkedSpace::didFinishIterating): Ditto, but to signal that iteration has completed.
6160 * heap/MarkedSpace.h:
6161 (JSC::MarkedSpace::iterationInProgress): Returns true if a HeapIterationScope is currently active.
6162 (JSC::MarkedSpace::forEachLiveCell): Accepts a HeapIterationScope to enforce the rule that you have to
6163 create one prior to iterating over the Heap.
6164 (JSC::MarkedSpace::forEachDeadCell): Ditto.
6165 * runtime/JSGlobalObject.cpp:
6166 (JSC::JSGlobalObject::haveABadTime): Changed to use new HeapIterationScope.
6167 * runtime/VM.cpp:
6168 (JSC::VM::releaseExecutableMemory): Ditto.
6169
61702013-09-16 Filip Pizlo <fpizlo@apple.com>
6171
6172 Inlining should work in debug mode (i.e. Executable::newCodeBlock() should call recordParse())
6173 https://bugs.webkit.org/show_bug.cgi?id=121444
6174
6175 Reviewed by Mark Hahnenberg.
6176
6177 * dfg/DFGArgumentPosition.h: Fix a bug discovered by reenabling inlining. ArgumentPosition may point to the non-canonical VariableAccessData but users of someVariable() want the canonical one.
6178 (JSC::DFG::ArgumentPosition::someVariable):
6179 * runtime/Executable.cpp: Call recordParse() so that the Executable knows things about itself (like if it has captured variables). Otherwise those fields are uninitialized.
6180 (JSC::ScriptExecutable::newCodeBlockFor):
6181
61822013-09-16 Balazs Kilvady <kilvadyb@homejinni.com>
6183
6184 Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS.
6185 https://bugs.webkit.org/show_bug.cgi?id=121439
6186
6187 Reviewed by Geoffrey Garen.
6188
6189 Missing implementations of setupArgumentsWithExecState added.
6190
6191 * dfg/DFGCCallHelpers.h:
6192 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
6193
61942013-09-16 Julien Brianceau <jbriance@cisco.com>
6195
6196 [sh4] Fix typo in subp implementation in LLINT.
6197 https://bugs.webkit.org/show_bug.cgi?id=121438
6198
6199 Reviewed by Andreas Kling.
6200
6201 * offlineasm/sh4.rb:
6202
62032013-09-16 Julien Brianceau <jbriance@cisco.com>
6204
6205 [sh4] Handle subp opcode with 3 operands and bpbeq opcode in LLINT.
6206 https://bugs.webkit.org/show_bug.cgi?id=121412
6207
6208 Reviewed by Andreas Kling.
6209
6210 * offlineasm/sh4.rb:
6211
62122013-09-15 Gustavo Noronha Silva <gns@gnome.org>
6213
6214 Unreviewed make distcheck fix.
6215
6216 * GNUmakefile.list.am:
6217
62182013-09-15 Filip Pizlo <fpizlo@apple.com>
6219
6220 Deoptimize deoptimization: make DFGOSRExitCompiler64.cpp more hackable
6221 https://bugs.webkit.org/show_bug.cgi?id=121374
6222
6223 Reviewed by Geoffrey Garen.
6224
6225 This reduces the size of DFGOSRExitCompiler64.cpp by almost 50%, and makes it
6226 super easy to add new recovery kinds. For recoveries that involve reboxing, it
6227 allows you to keep most of the code common between the on-stack and in-reg
6228 cases: they all get funneled through the "load from scratch buffer, convert,
6229 and then store to stack" logic.
6230
6231 This opens up a bunch of possibilities. It'll make adding Int48 much easier,
6232 and it probably will come in handy as we do various DFG stack layout changes in
6233 support of the FTL.
6234
6235 * bytecode/ValueRecovery.h:
6236 (JSC::ValueRecovery::dumpInContext):
6237 (JSC::ValueRecovery::dump):
6238 * dfg/DFGOSRExitCompiler.cpp:
6239 (JSC::DFG::shortOperandsDump):
6240 * dfg/DFGOSRExitCompiler64.cpp:
6241 (JSC::DFG::OSRExitCompiler::compileExit):
6242
62432013-09-14 Filip Pizlo <fpizlo@apple.com>
6244
6245 It should be easy to add new nodes that do OSR forward rewiring in both DFG and FTL
6246 https://bugs.webkit.org/show_bug.cgi?id=121371
6247
6248 Reviewed by Sam Weinig.
6249
6250 Forward rewiring is a tricky part of OSR that handles the following:
6251
6252 a: Something(...)
6253 SetLocal(@a, locX)
6254 b: Int32ToDouble(@a)
6255 c: SomethingThatExits(@b)
6256 <no further uses of @a or @b>
6257
6258 Note that at @c, OSR will think that locX->@a, but @a will be dead. So it must be
6259 smart enough to find @b, which contains an equivalent value. It must do this for
6260 any identity functions we support. Currently we support four such functions.
6261
6262 Currently the code for doing this is basically duplicated between the DFG and the
6263 FTL. Also both versions of the code have some really weirdly written logic for
6264 picking the "best" identity function to use.
6265
6266 We should fix this by simply having a way to ask "is this node an identity
6267 function, and if so, then how good is it?" Then both the DFG and FTL could use
6268 this and have no hard-wired knowledge of those identity functions.
6269
6270 While we're at it, this also changes some terminology because I found the use of
6271 the word "needs" confusing. Note that this retains the somewhat confusing behavior
6272 that we don't search all possible forward/backward uses. We only search one step
6273 in each direction. This is because we only need to handle cases that FixupPhase
6274 and the parser insert. All other code that tries to insert intermediate conversion
6275 nodes should ensure to Phantom the original node. For example, the following
6276 transformation is illegal:
6277
6278 Before:
6279 x: SomethingThatExits(@a)
6280
6281 After:
6282 w: Conversion(@a)
6283 x: SomethingThatExits(@w)
6284
6285 The correct form of that transformation is one of these:
6286
6287 Correct #1:
6288
6289 v: DoAllChecks(@a) // exit here
6290 w: Conversion(@a)
6291 x: Something(@w) // no exit
6292
6293 Correct #2:
6294
6295 w: Conversion(@a)
6296 x: SomethingThatExits(@w)
6297 y: Phantom(@a)
6298
6299 Correct #3:
6300
6301 w: Conversion(@a)
6302 x: SomethingThatExits(@w, @a)
6303
6304 Note that we use #3 for some heap accesses, but of course it requires that the
6305 node you're using has an extra slot for a "dummy" use child.
6306
6307 Broadly speaking though, such transformations should be relegated to something
6308 below DFG IR, like LLVM IR.
6309
6310 * dfg/DFGNodeType.h:
6311 (JSC::DFG::forwardRewiringSelectionScore):
6312 (JSC::DFG::needsOSRForwardRewiring):
6313 * dfg/DFGVariableEventStream.cpp:
6314 (JSC::DFG::VariableEventStream::reconstruct):
6315 * ftl/FTLLowerDFGToLLVM.cpp:
6316 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
6317
63182013-09-14 Filip Pizlo <fpizlo@apple.com>
6319
6320 Rename IntegerBranch/IntegerCompare to Int32Branch/Int32Compare.
6321
6322 Rubber stamped by Mark Hahnenberg.
6323
6324 * dfg/DFGSpeculativeJIT.cpp:
6325 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
6326 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
6327 (JSC::DFG::SpeculativeJIT::compare):
6328 (JSC::DFG::SpeculativeJIT::compileStrictEq):
6329 * dfg/DFGSpeculativeJIT.h:
6330 * dfg/DFGSpeculativeJIT32_64.cpp:
6331 (JSC::DFG::SpeculativeJIT::compileInt32Compare):
6332 * dfg/DFGSpeculativeJIT64.cpp:
6333 (JSC::DFG::SpeculativeJIT::compileInt32Compare):
6334
63352013-09-13 Filip Pizlo <fpizlo@apple.com>
6336
6337 Rename SpeculativeJIT::integerResult() to int32Result().
6338
6339 Rubber stamped by Mark Hahnenberg.
6340
6341 * dfg/DFGSpeculativeJIT.cpp:
6342 (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
6343 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6344 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
6345 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
6346 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
6347 (JSC::DFG::SpeculativeJIT::compileAdd):
6348 (JSC::DFG::SpeculativeJIT::compileArithSub):
6349 (JSC::DFG::SpeculativeJIT::compileArithNegate):
6350 (JSC::DFG::SpeculativeJIT::compileArithIMul):
6351 (JSC::DFG::SpeculativeJIT::compileArithMul):
6352 (JSC::DFG::SpeculativeJIT::compileArithDiv):
6353 (JSC::DFG::SpeculativeJIT::compileArithMod):
6354 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
6355 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
6356 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
6357 * dfg/DFGSpeculativeJIT.h:
6358 (JSC::DFG::SpeculativeJIT::int32Result):
6359 * dfg/DFGSpeculativeJIT32_64.cpp:
6360 (JSC::DFG::SpeculativeJIT::compile):
6361 * dfg/DFGSpeculativeJIT64.cpp:
6362 (JSC::DFG::SpeculativeJIT::compile):
6363
63642013-09-13 Michael Saboff <msaboff@apple.com>
6365
6366 FTL JIT broke after r155711
6367 https://bugs.webkit.org/show_bug.cgi?id=121332
6368
6369 Reviewed by Geoffrey Garen.
6370
6371 Fixed OSR entry to use the local variable's index instead of its VirtualRegister.
6372 Initialized ExitArgumentForOperand::m_operand to InvalidVirtualRegister instead of -1.
6373 Fixed compileCallOrConstruct() to update locals on callframe going down.
6374 Fixed prepareOSREntry() to grow stack down if needed.
6375
6376 * ftl/FTLExitArgumentForOperand.h:
6377 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
6378 * ftl/FTLLink.cpp:
6379 (JSC::FTL::link):
6380 * ftl/FTLLowerDFGToLLVM.cpp:
6381 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
6382 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
6383 * ftl/FTLOSREntry.cpp:
6384 (JSC::FTL::prepareOSREntry):
6385
63862013-09-13 Anders Carlsson <andersca@apple.com>
6387
6388 Avoid a couple of zero-sized fastMalloc calls
6389 https://bugs.webkit.org/show_bug.cgi?id=121333
6390
6391 Reviewed by Geoffrey Garen.
6392
6393 * API/JSStringRefCF.cpp:
6394 (JSStringCopyCFString):
6395 Return an empty constant CFStringRef if the JSStringRef is empty.
6396
6397 * runtime/JSPropertyNameIterator.cpp:
6398 (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
6399 Don't allocate an empty m_jsStrings array if m_jsStringsSize is 0.
6400
64012013-09-13 Filip Pizlo <fpizlo@apple.com>
6402
6403 DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
6404 https://bugs.webkit.org/show_bug.cgi?id=121330
6405
6406 Reviewed by Mark Hahnenberg and Oliver Hunt.
6407
6408 Also print whether a function is strict mode in debug dumps.
6409
6410 * bytecode/CodeBlock.cpp:
6411 (JSC::CodeBlock::dumpAssumingJITType):
6412 * bytecode/CodeOrigin.cpp:
6413 (JSC::InlineCallFrame::dumpInContext):
6414 * dfg/DFGAbstractInterpreterInlines.h:
6415 (JSC::DFG::::executeEffects):
6416 * dfg/DFGOperations.cpp:
6417 * dfg/DFGOperations.h:
6418 * dfg/DFGSpeculativeJIT32_64.cpp:
6419 (JSC::DFG::SpeculativeJIT::compile):
6420 * dfg/DFGSpeculativeJIT64.cpp:
6421 (JSC::DFG::SpeculativeJIT::compile):
6422
64232013-09-13 Anders Carlsson <andersca@apple.com>
6424
6425 Use nullptr instead of 0 in calls to HashMap::add
6426 https://bugs.webkit.org/show_bug.cgi?id=121322
6427
6428 Reviewed by Sam Weinig.
6429
6430 * bytecompiler/BytecodeGenerator.cpp:
6431 (JSC::BytecodeGenerator::emitLoad):
6432 (JSC::BytecodeGenerator::addStringConstant):
6433 * dfg/DFGByteCodeParser.cpp:
6434 (JSC::DFG::ByteCodeParser::cellConstant):
6435
2013-09-13 Oliver Hunt <oliver@apple.com>

        Try to kill initialiser expression in for-in statements
        https://bugs.webkit.org/show_bug.cgi?id=121311

        Reviewed by Gavin Barraclough.

        We'd like to get rid of this pointless initialiser expression
        in for-in statements. Unfortunately we have to keep the no_in
        variant of expression parsing to avoid ambiguity in the grammar.
        There's a possibility that this will need to be rolled out, but
        we'll need to live on it to see.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForInLoop):
        * parser/NodeConstructors.h:
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForInLoop):

2013-09-12 Michael Saboff <msaboff@apple.com>

        fourthTier: Change JSStack to grow from high to low addresses
        https://bugs.webkit.org/show_bug.cgi?id=118758

        Reviewed by Oliver Hunt.

        Changed the JSC stack to grow down. Effectively the JSC stack frame is flipped from
        what it was. See JSStack.h for the new offsets. Changed JSStack begin() and end()
        to be getBaseOfStack() and getLimitOfStack(). Most of the changes are address or offset
        calculation changes. Decoupled a local register ordinal (loop variable or array index)
        from the offset into the callFrame using localToOperand() and the inverse operandToLocal().

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::trustedImm32ForShift):
        (JSC::MacroAssembler::lshiftPtr): Added to create scaled addresses with a negative index
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::lshift64): Added to create scaled addresses with a negative index
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::shlq_i8r): Added to create scaled addresses with a negative index
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister):
        (JSC::CodeBlock::isCaptured):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::stackOffset):
        * bytecode/Operands.h:
        (JSC::localToOperand):
        (JSC::operandIsLocal):
        (JSC::operandToLocal):
        (JSC::operandIsArgument):
        (JSC::operandToArgument):
        (JSC::argumentToOperand):
        * bytecode/VirtualRegister.h: Made InvalidVirtualRegister a positive value that fits in
        31 bits since it can be placed into the 31 bit field "stackOffset" in struct InlineCallFrame.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
        (JSC::BytecodeGenerator::newRegister):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::allocate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callFrameSlot):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddSpan):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (JSC::ExecState::argumentOffset):
        (JSC::ExecState::argumentOffsetIncludingThis):
        (JSC::ExecState::argIndexForRegister):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::~JSStack):
        (JSC::JSStack::growSlowCase):
        (JSC::JSStack::gatherConservativeRoots):
        (JSC::JSStack::releaseExcessCapacity):
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSC::JSStack::getBaseOfStack):
        (JSC::JSStack::getLimitOfStack):
        (JSC::JSStack::size):
        (JSC::JSStack::end):
        (JSC::JSStack::containsAddress):
        (JSC::JSStack::lowAddress):
        (JSC::JSStack::highAddress):
        (JSC::JSStack::reservationEnd):
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::getTopOfFrame):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        (JSC::JSStack::installTrapsAfterFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::inlinedFrameOffset):
        (JSC::StackVisitor::readInlinedFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::genericCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::slotFor):
        (JSC::MarkedArgumentBuffer::mallocBase):
        (JSC::ArgList::at):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSActivation.h:
        (JSC::JSActivation::registersOffset):
        (JSC::JSActivation::tearOff):
        (JSC::JSActivation::isValidIndex):
        * runtime/JSArray.h:
        (JSC::constructArrayNegativeIndexed): New method to create an array from registers that grow down.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::globalExec):
        * runtime/JSGlobalObject.h:
        (JSC::constructArrayNegativeIndexed):
        * runtime/JSString.h:
        * runtime/Operations.h:
        (JSC::jsStringFromRegisterArray):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::captureCount):

2013-09-13 Csaba Osztrogonác <ossy@webkit.org>

        ARM EABI hardfp buildfix after r155675
        https://bugs.webkit.org/show_bug.cgi?id=121287

        Reviewed by Geoffrey Garen.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2013-09-13 Youngho Yoo <youngho33.yoo@lge.com>

        Fixed crash in V8 benchmark suite in ARM, softfp, EABI environment.
        https://bugs.webkit.org/show_bug.cgi?id=117281

        Reviewed by Michael Saboff.

        Fix the missing EABI_32BIT_DUMMY_ARG in FPRReg using callOperation function.

        Test 1 : fast/js/array-with-double-assign.html
        Test 2 : fast/js/array-with-double-push.html

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-09-12 Filip Pizlo <fpizlo@apple.com>

        DFG::Int32Operand and fillInt32() should go away and all uses should be replaced with SpeculateInt32Operand
        https://bugs.webkit.org/show_bug.cgi?id=121268

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):

2013-09-12 Geoffrey Garen <ggaren@apple.com>

        Web Inspector shouldn't artificially allocate the arguments object in functions that don't use it
        https://bugs.webkit.org/show_bug.cgi?id=121206
        <rdar://problem/6911886>

        Reviewed by Joseph Pecoraro.

        This is a step toward better tools, and a 23% speedup in a simple
        JavaScript benchmark run with the Web Inspector open.

        We want the Web Inspector to be fast, and we want it to produce reliable
        CPU and memory profiles. We can't do that if just opening the Web Inspector
        incurs huge CPU/memory penalties like the arguments object.

        Also, since use of the 'arguments' identifier is an API for allocating
        an object, I think it's good for the UI to let developers know when
        they've invoked that API and when they haven't.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): No need to allocate the
        arguments object artificially for the debugger's sake. The activation
        object no longer assumes that the stack frame is laid out for one.

        (Long-term, this code will move out of the activation object, into a
        special object for interfacing with the debugger.)

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        (JSC::JSActivation::getOwnPropertySlot): Don't advertise or provide an
        arguments object if the user function didn't include one. The bytecode
        generator will not have laid out the stack frame to support one.

        (Eventually, we do want the Web Inspector to see an arguments
        object in scope in the console. That's a one-line change in JSActivation,
        but it's blocked by https://bugs.webkit.org/show_bug.cgi?id=121208.)

        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h: Removed this obsolete performance
        work-around. C++ property access to an activation object is no longer
        hot.

2013-09-12 Mark Hahnenberg <mhahnenberg@apple.com>

        Rolling out r155632

        Broke some tests.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        * heap/MarkedBlock.h:

2013-09-12 Ryosuke Niwa <rniwa@webkit.org>

        Qt build fix. Add a return to make the compiler happy.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::gpr):

2013-09-12 Filip Pizlo <fpizlo@apple.com>

        DFG::GenerationInfo init/fill methods shouldn't duplicate a bunch of logic
        https://bugs.webkit.org/show_bug.cgi?id=121253

        Reviewed by Oliver Hunt.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initGPR):
        (JSC::DFG::GenerationInfo::initInt32):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::fillGPR):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillInt32):
        (JSC::DFG::GenerationInfo::fillBoolean):
        (JSC::DFG::GenerationInfo::fillStorage):

2013-09-12 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix misspelling (Specualte -> Speculate) that I introduced in an
        earlier patch.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):

2013-09-12 Filip Pizlo <fpizlo@apple.com>

        GPRTemporary's reuse constructor should be templatized to reduce code duplication, and the bool to denote tag or payload should be replaced with an enum
        https://bugs.webkit.org/show_bug.cgi?id=121250

        Reviewed by Oliver Hunt.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::gpr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSCJSValue.h:

2013-09-12 Mark Hahnenberg <mhahnenberg@apple.com>

        MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList
        https://bugs.webkit.org/show_bug.cgi?id=121236

        Reviewed by Geoffrey Garen.

        Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping
        happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(),
        which moves the block into the Allocated block state. This happens to both the block that was
        just being allocated out of (i.e. m_currentBlock) as well as any blocks that are completely full.
        We should distinguish between these two cases: m_currentBlock should transition to
        Allocated (because we were just allocating out of it) and any subsequent block that returns an
        empty free list should transition back to the Marked state. This will make the block state more
        consistent with the actual state the block is in, and it will also allow us to speed up moving
        all blocks to the Marked state during generational collection.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::didConsumeEmptyFreeList):

2013-09-12 Mark Lam <mark.lam@apple.com>

        Change debug hooks to pass sourceID and position info via the DebuggerCallFrame.
        https://bugs.webkit.org/show_bug.cgi?id=121214.

        Reviewed by Geoffrey Garen.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceId):
        (JSC::DebuggerCallFrame::clear):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::line):
        (JSC::DebuggerCallFrame::column):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):

2013-09-12 Csaba Osztrogonác <ossy@webkit.org>

        Add back c++11 features removed by buildfixes after all ports did the switch
        https://bugs.webkit.org/show_bug.cgi?id=119266

        Reviewed by Anders Carlsson.

        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::codeType):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        (JSC::StackVisitor::Frame::print):

2013-09-12 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>

        Remove home-brewed nullptr
        https://bugs.webkit.org/show_bug.cgi?id=119624

        Reviewed by Anders Carlsson.

        The standard C++11 nullptr and std::nullptr_t type should be used now.

        * heap/PassWeak.h:
        * heap/Weak.h:

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        Rename initInteger() to initInt32()

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInt32):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::integerResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        Rename IntegerOperand to Int32Operand and fillInteger() to fillInt32().

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::fillInt32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::Int32Operand::Int32Operand):
        (JSC::DFG::Int32Operand::~Int32Operand):
        (JSC::DFG::Int32Operand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        FixupPhase should always call fixEdge() exactly once for every edge
        https://bugs.webkit.org/show_bug.cgi?id=121211

        Reviewed by Geoffrey Garen.

        Previously we only call fixEdge() on edges that we want to make typed. UntypedUse
        edges don't get fixEdge() called. This makes it difficult to add functionality in
        fixEdge() that runs for UntypedUses. It's difficult to remember to call fixEdge()
        for every edge that we don't want to turn into a typed edge; in an alternative
        universe where we did this, it would mean that every case in FixupPhase would
        have to make a fixEdge() call for *every* edge even ones that it doesn't want to
        modify.

        This patch takes a different path. fixEdge() must never be called explicitly with
        UntypedUse. fixEdge() should be used to set the UseKind of edges. Consequently,
        all that FixupPhase has to do is call fixEdge<UntypedUse>(edge) for every edge
        that was still UntypedUse after we are done processing a node.

        This is cheap and easy to implement and ought to be easy to maintain. We won't
        have a need to call fixEdge<UntypedUse>(edge) explicitly, so depending on that is
        only natural.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::observeUntypedEdge):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        FixupPhase's setUseKindAndUnboxBlahbittyblah and fixDoubleEdge methods should be merged and given intuitive names
        https://bugs.webkit.org/show_bug.cgi?id=121202

        Reviewed by Geoffrey Garen.

        Got rid of a method whose name was so descriptive that I couldn't ever remember
        it. And despite the descriptive name, I always had to look at its implementation
        to remind myself what it did, anyway.

        Now that method is called fixEdge(). This is a good name because we're in a phase
        called FixupPhase, and we call this fixEdge() method on pretty much every edge.
        For the Int48 work, it makes more sense for this method to be a kind of hook into
        which we can place various things: it's just a way of observing edges that need
        attention.

        As part of this refactoring, I also fold fixDoubleEdge into fixEdge. This makes
        sense because previously it was never correct to call fixDoubleEdge with non-
        double use kinds; and conversely it was never correct to call fixEdge with double
        use kinds.

        Also I found that isDouble() in DFGUseKind.h would return true for KnownInt32Use.
        That's almost certainly wrong, and removing that behavior doesn't fail any tests.
        I'm assuming that was just a bug.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGUseKind.h:
        (JSC::DFG::isDouble):

2013-09-11 Mark Lam <mark.lam@apple.com>

        Fixed indentation in JSC Debugger header files.
        https://bugs.webkit.org/show_bug.cgi?id=121203.

        Reviewed by Ryosuke Niwa.

        * debugger/Debugger.h:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::callFrame):
        (JSC::DebuggerCallFrame::dynamicGlobalObject):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::exception):

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        Remove needsDataFormatConversion because it is unused.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/DataFormat.h:

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        Rename fillSpeculateInt to fillSpeculateInt32.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict):

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        Rename DataFormatInteger to DataFormatInt32.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        (JSC::needDataFormatConversion):
        (JSC::isJSInt32):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::isJSInt32):
        (JSC::DFG::GenerationInfo::fillInteger):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::integerResult):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::IntegerOperand::format):
        (JSC::DFG::SpeculateInt32Operand::format):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):

2013-09-11 Filip Pizlo <fpizlo@apple.com>

        Int32ToDouble should be predicted SpecInt48 and predictions should have nothing to do with constant folding
        https://bugs.webkit.org/show_bug.cgi?id=121141

        Reviewed by Oliver Hunt.

        Just changing Int32ToDouble to be predicted SpecInt48 breaks constant folding on that
        node because of soooper old code that prevented constant folding on mismatched
        predictions. Kill that code.

        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::setConstant):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):

2013-09-10 Filip Pizlo <fpizlo@apple.com>

        VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted
        https://bugs.webkit.org/show_bug.cgi?id=121142

        Reviewed by Geoffrey Garen.

        Make everyone rely on VariableAccessData::flushFormat() instead of trying to
        compute that information from scratch. The FTL already used flushFormat(), now
        the DFG does, too.

        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::someVariable):
        (JSC::DFG::ArgumentPosition::flushFormat):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):

2013-09-11 Oliver Hunt <oliver@apple.com>

        Partial Information Leakage in Hash Table implementations (PrivateName)
        https://bugs.webkit.org/show_bug.cgi?id=120663

        Reviewed by Michael Saboff.

        Undo change to the PropertyTable in my last patch; instead, let's just
        use a random value as the initial hash for unique strings.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::rehash):

2013-09-11 Oliver Hunt <oliver@apple.com>

        Partial Information Leakage in Hash Table implementations (PrivateName)
        https://bugs.webkit.org/show_bug.cgi?id=120663

        Reviewed by Michael Saboff.

        These hashtables mix keys that are hashed on pointers or user-controlled
        data. To prevent any potential information leak we mask the keys with
        a per-table entropy value.

        * runtime/MapData.cpp:
        (JSC::MapData::MapData):
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        * runtime/MapData.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::rehash):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):

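The per-table entropy idea from the two "Partial Information Leakage in Hash Table implementations" entries above, as an added illustration that is not JavaScriptCore's code: a toy open-addressing table keyed by pointer values, where the enumeration order of the unmasked table follows the cell addresses and the masked table's order does not, while lookups keep working. The `hash ^ entropy` mixing step, the 16-byte alignment shift and the sample addresses are assumptions of this example, not JSC's actual implementation.

```cpp
// Added example (not JSC code): a minimal open-addressing table showing why
// mixing a per-table entropy value into pointer-derived hashes matters.
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of a key: in JSC the keys in question are pointers to unique strings
// (PrivateName) or other cells; here a key is just the pointer's integer value.
using Key = std::uintptr_t;

static constexpr std::size_t kCapacity = 16;        // power of two: index = hash & mask
static constexpr std::size_t kMask = kCapacity - 1;

struct ToyPropertyTable {
    std::uint32_t entropy;      // per-table random value; 0 models the unmasked table
    std::vector<Key> slots;     // 0 marks an empty slot

    explicit ToyPropertyTable(std::uint32_t e) : entropy(e), slots(kCapacity, 0) {}

    // Slot chosen for a key. A pointer hash keeps the address bits, so with
    // entropy == 0 the slot is a direct function of the address.
    std::size_t indexFor(Key k) const {
        std::uint32_t h = static_cast<std::uint32_t>(k >> 4); // drop 16-byte alignment bits (assumed)
        return (h ^ entropy) & kMask;                           // assumed mixing step, not JSC's
    }

    void add(Key k) {
        std::size_t i = indexFor(k);
        while (slots[i] != 0)
            i = (i + 1) & kMask;                                // linear probing
        slots[i] = k;
    }

    bool contains(Key k) const {
        std::size_t i = indexFor(k);
        for (std::size_t probes = 0; probes < kCapacity; ++probes) {
            if (slots[i] == 0)
                return false;
            if (slots[i] == k)
                return true;
            i = (i + 1) & kMask;
        }
        return false;
    }

    // The order a script-visible enumeration would observe if it walked the
    // backing store directly.
    std::vector<Key> enumerationOrder() const {
        std::vector<Key> out;
        for (Key k : slots)
            if (k != 0)
                out.push_back(k);
        return out;
    }
};

// Constructed sample "addresses": 16-byte aligned, inserted in a scrambled order.
static const Key kSampleKeys[] = {0x10008000u, 0x10008030u, 0x10008010u, 0x10008070u};

static ToyPropertyTable buildTable(std::uint32_t entropy) {
    ToyPropertyTable t(entropy);
    for (Key k : kSampleKeys)
        t.add(k);
    return t;
}

// Unmasked table: enumeration order comes out sorted by address, i.e. the
// order leaks the relative placement of the underlying cells.
std::vector<Key> orderWithoutEntropy() {
    return buildTable(0).enumerationOrder();
}

// Masked table: the same keys are laid out according to (hash ^ entropy), so
// the observable order no longer follows the addresses.
std::vector<Key> orderWithEntropy(std::uint32_t entropy) {
    return buildTable(entropy).enumerationOrder();
}

// Masking must not break lookups: every inserted key is still found and an
// absent key is still reported absent.
bool allLookupsSucceed(std::uint32_t entropy) {
    ToyPropertyTable t = buildTable(entropy);
    for (Key k : kSampleKeys)
        if (!t.contains(k))
            return false;
    return !t.contains(0x10008020u); // constructed key that was never inserted
}

// True when the order is ascending by address.
bool isSortedByAddress(const std::vector<Key>& order) {
    for (std::size_t i = 1; i < order.size(); ++i)
        if (order[i - 1] > order[i])
            return false;
    return true;
}
```

With entropy 0 the four keys enumerate in address order; with a non-zero entropy such as 0x5 the same keys enumerate in a different order and all lookups still succeed.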
2013-09-11 Sam Weinig <sam@webkit.org>

        MapData and WeakMapData don't need to be objects
        https://bugs.webkit.org/show_bug.cgi?id=121167

        Reviewed by Geoffrey Garen.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::mapStructure):
        Remove MapData and WeakMapData structures (they moved to VM with other non-object Structures).

        * runtime/JSMap.cpp:
        (JSC::JSMap::finishCreation):
        * runtime/JSMap.h:
        (JSC::JSMap::create):
        * runtime/JSSet.cpp:
        (JSC::JSSet::finishCreation):
        * runtime/JSSet.h:
        (JSC::JSSet::create):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::finishCreation):
        * runtime/JSWeakMap.h:
        (JSC::JSWeakMap::create):
        Update to not pass a global object to the MapData or WeakMapData Structure.

        * runtime/MapData.cpp:
        (JSC::MapData::MapData):
        * runtime/MapData.h:
        (JSC::MapData::create):
        (JSC::MapData::createStructure):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::WeakMapData):
        (JSC::WeakMapData::set): Change to take a VM rather than a CallFrame, as that is all it needs.
        * runtime/WeakMapData.h:
        (JSC::WeakMapData::create):
        (JSC::WeakMapData::createStructure):
        Instead of inheriting from JSDestructibleObject, inherit from JSCell and mark itself as needing destruction
        and having an immortal structure.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        Add MapData and WeakMapData Structures.

        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        Pass a VM rather than an ExecState.

2013-09-10 Filip Pizlo <fpizlo@apple.com>

        Propagate the Int48 stuff into the prediction propagator.
        https://bugs.webkit.org/show_bug.cgi?id=121132

        Reviewed by Mark Hahnenberg.

        This still has no effect on codegen since Int48 still looks like a Double right now.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isMachineIntSpeculation):
        (JSC::isMachineIntSpeculationExpectingDefined):
        (JSC::isMachineIntSpeculationForArithmetic):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::hasExitSite):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic):
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined):
        (JSC::DFG::Node::canSpeculateInt48):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeCanSpeculateInt48):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-09-10 Filip Pizlo <fpizlo@apple.com>

Be explicit about backwards propagation properties that care about escaping to bytecode, as opposed to just escaping within DFG code.

Rubber stamped by Mark Hahnenberg.

We need to care about escaping to bytecode if we're doing a lossy optimization,
i.e. the optimization means we produce less information and so we can't rescue
ourselves during OSR exit.

We only need to care about escaping within the DFG code (and can ignore what
might happen in bytecode) if we're doing an optimization that is lossless, i.e.
we can always still reconstruct the values that bytecode wants.

Example #1:

Large int32 + int32 which overflows. We want to optimize away the overflow
check and just do a 32-bit add.

This is lossy; the result should have one extra bit but we simply throw
that bit away by doing a check-less 32-bit add. Hence we need to know that
even the bytecode wouldn't have cared about that bit. This is true in cases
like (a + b) | 0.

Example #2:

Large int32 + int32 which overflows. We want to optimize away the overflow
check by doing a 64-bit add.

This is lossless. We can always convert the resulting 64-bit int back to a
double if that's what bytecode wants. Hence we only need to know that the
DFG code won't want to do something to this value that would make 64-bit
ints either unprofitable or unsound.

The backwards propagator's notions of flags (NodeUsedAsValue, etc) are for lossy
optimizations and so should be named in a way that reflects this. This patch
calls them NodeBytecodeUsesAsValue, etc.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
* dfg/DFGNode.h:
(JSC::DFG::Node::arithNodeFlags):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
(JSC::DFG::bytecodeUsesAsNumber):
(JSC::DFG::bytecodeCanTruncateInteger):
(JSC::DFG::bytecodeCanIgnoreNegativeZero):
(JSC::DFG::nodeMayNegZero):
(JSC::DFG::nodeCanSpeculateInt32):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileAdd):
(JSC::FTL::LowerDFGToLLVM::compileArithSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithDiv):
(JSC::FTL::LowerDFGToLLVM::compileArithMod):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):

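The two examples in the entry above, lossy versus lossless, worked through in C. This is an added illustration, not JavaScriptCore code: the JSNum struct and the helper names (add_with_overflow_check standing in for bytecode semantics, add32_checkless for the lossy 32-bit add, add48_checkless for the lossless 64-bit add) are constructed for it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A JS number as bytecode sees it: either an int32 or a double (constructed stand-in). */
typedef struct {
    bool    is_int32;
    int32_t i;
    double  d;   /* always valid: the exact mathematical sum */
} JSNum;

/* Reinterpret the low 32 bits of u as a two's-complement int32 without relying
 * on an implementation-defined narrowing conversion. */
static int32_t from_u32(uint32_t u)
{
    if (u & 0x80000000u)
        return (int32_t)(u - 0x80000000u) + INT32_MIN;
    return (int32_t)u;
}

/* ES ToInt32 for an integer-valued double that fits in int64: reduce modulo 2^32. */
static int32_t to_int32(double d)
{
    return from_u32((uint32_t)(uint64_t)(int64_t)d);
}

/* Baseline semantics, what bytecode requires: an overflowing add yields a double. */
static JSNum add_with_overflow_check(int32_t a, int32_t b)
{
    int64_t wide = (int64_t)a + (int64_t)b;   /* at most 33 bits, so exact */
    JSNum r;
    r.d = (double)wide;
    r.is_int32 = (wide >= INT32_MIN && wide <= INT32_MAX);
    r.i = r.is_int32 ? (int32_t)wide : 0;
    return r;
}

/* Example #1, lossy: a check-less 32-bit add. The 33rd bit is simply thrown away. */
static int32_t add32_checkless(int32_t a, int32_t b)
{
    return from_u32((uint32_t)a + (uint32_t)b);
}

/* Example #2, lossless: a check-less 64-bit add keeps every bit of the result. */
static int64_t add48_checkless(int32_t a, int32_t b)
{
    return (int64_t)a + (int64_t)b;
}

/* A consumer that only cares about the low 32 bits, like (a + b) | 0 in bytecode. */
static int32_t bitor_zero(JSNum v)
{
    return v.is_int32 ? v.i : to_int32(v.d);
}

/* The lossy add agrees with bytecode only because bytecode itself truncates via | 0. */
static bool lossy_is_sound_under_bitor(int32_t a, int32_t b)
{
    return bitor_zero(add_with_overflow_check(a, b)) == add32_checkless(a, b);
}

/* Without such a consumer the lossy add produces a different number than bytecode would. */
static bool lossy_changes_value(int32_t a, int32_t b)
{
    return (double)add32_checkless(a, b) != add_with_overflow_check(a, b).d;
}

/* The lossless add can always be converted back to the double bytecode wants. */
static bool lossless_reconstructs_double(int32_t a, int32_t b)
{
    return (double)add48_checkless(a, b) == add_with_overflow_check(a, b).d;
}

int main(void)
{
    const int32_t cases[][2] = { { INT32_MAX, 1 }, { INT32_MIN, -1 }, { 1, 2 } };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; ++k) {
        int32_t a = cases[k][0], b = cases[k][1];
        printf("%11d + %11d: lossy sound under |0=%d  lossy changes value=%d  64-bit reconstructs=%d\n",
               a, b, lossy_is_sound_under_bitor(a, b), lossy_changes_value(a, b),
               lossless_reconstructs_double(a, b));
    }
    return 0;
}
```
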
2013-09-10 Chris Curtis <chris_curtis@apple.com>

WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook
https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment

Reviewed by Geoffrey Garen.

The codeBlock was assumed to exist when appendSourceToMessage was set.
This was an invalid assumption. I added a check to ensure that there is a
valid codeBlock before accessing it.

* API/tests/testapi.c:
(valueToObjectExceptionCallAsFunction):
(valueToObjectExceptionTest):
(main):
* runtime/VM.cpp:
(JSC::VM::throwException):

2013-09-10 Mark Lam <mark.lam@apple.com>

Fix some indentation in Interpreter.cpp.
https://bugs.webkit.org/show_bug.cgi?id=121136.

Reviewed by Darin Adler.

* interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::operator()):

2013-09-10 Mark Hahnenberg <mhahnenberg@apple.com>

MapData has some issues
https://bugs.webkit.org/show_bug.cgi?id=121118

Reviewed by Geoffrey Garen.

* heap/CopiedBlock.h: Added some debug-only consistency checking logic. We now make sure that
m_liveBytes is consistent with another field, m_liveObjects. m_liveObjects is the number of
"objects" that currently reside in the CopiedBlock. If we have zero live bytes then we should have
zero live objects. The converse and the inverse should also be true.
(JSC::CopiedBlock::CopiedBlock):
(JSC::CopiedBlock::didSurviveGC):
(JSC::CopiedBlock::didEvacuateBytes):
(JSC::CopiedBlock::canBeRecycled):
(JSC::CopiedBlock::shouldEvacuate):
(JSC::CopiedBlock::liveBytes):
(JSC::CopiedBlock::checkConsistency):
* heap/CopiedBlockInlines.h:
(JSC::CopiedBlock::reportLiveBytes):
* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::didCopy):
* runtime/MapData.cpp:
(JSC::MapData::replaceAndPackBackingStore): Renamed parameter to be consistent with its meaning.
(JSC::MapData::replaceBackingStore): Ditto. Also removed an unnecessary local variable.
(JSC::MapData::visitChildren): Before we passed the size of the MapData to copyLater(), which
was wrong. Now we pass capacity * sizeof(Entry).
(JSC::MapData::copyBackingStore): Before when we reassigned the newly copied backing store, we
set the capacity (in elements) to the size (in bytes) of the backing store. This made us think
we're way bigger than we actually are. Now we just pass the old capacity in.
* runtime/MapData.h:
(JSC::MapData::capacityInBytes): Helper function to calculate the size of the backing store.

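The capacity/size confusion fixed in copyBackingStore above, reproduced in C. This is an added illustration built on a constructed, simplified MapData (Entry, mapInsert, replaceBackingStore and the other names are assumptions, not JavaScriptCore's own code): the buggy copy hands the store's byte size over as its element capacity, so the map afterwards believes it has sizeof(Entry) times more slots than were allocated, and an insert that trusts that capacity would write past the real allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a MapData entry (key/value pair); constructed for this example. */
typedef struct {
    uint64_t key;
    uint64_t value;
} Entry;

typedef struct {
    Entry *entries;
    size_t size;             /* entries in use */
    size_t capacity;         /* backing store capacity, in Entry elements */
    size_t allocatedBytes;   /* bytes really allocated; kept only to audit the bug */
} MapData;

/* The helper the fix introduced: capacity counts elements, the store is sized in bytes. */
static size_t capacityInBytes(size_t capacity)
{
    return capacity * sizeof(Entry);
}

static void mapInit(MapData *m, size_t capacity)
{
    m->entries = calloc(capacity, sizeof(Entry));
    m->size = 0;
    m->capacity = capacity;
    m->allocatedBytes = capacityInBytes(capacity);
}

static void mapFree(MapData *m)
{
    free(m->entries);
    m->entries = NULL;
}

/* Moves the live backing store to a fresh block (what the copying collector does)
 * and records `newCapacity` as the map's capacity from then on. */
static void replaceBackingStore(MapData *m, size_t newCapacity)
{
    size_t bytes = capacityInBytes(m->capacity);
    Entry *copy = malloc(bytes);
    memcpy(copy, m->entries, bytes);
    free(m->entries);
    m->entries = copy;
    m->allocatedBytes = bytes;
    m->capacity = newCapacity;
}

/* Before the fix: the byte size of the store was passed where an element count belongs. */
static void copyBackingStoreBuggy(MapData *m)
{
    replaceBackingStore(m, capacityInBytes(m->capacity));
}

/* After the fix: the old capacity (in elements) is passed through unchanged. */
static void copyBackingStoreFixed(MapData *m)
{
    replaceBackingStore(m, m->capacity);
}

/* Slots that actually exist in the allocation, independent of what m->capacity claims. */
static size_t realSlots(const MapData *m)
{
    return m->allocatedBytes / sizeof(Entry);
}

/* Insert trusting m->capacity, as the original code would. Returns 1 on success,
 * 0 when the map must grow first, and -1 when trusting the capacity would have
 * written past the real allocation (audited here instead of corrupting memory). */
static int mapInsert(MapData *m, uint64_t key, uint64_t value)
{
    if (m->size >= m->capacity)
        return 0;
    if (m->size >= realSlots(m))
        return -1;
    m->entries[m->size].key = key;
    m->entries[m->size].value = value;
    m->size++;
    return 1;
}

/* Fill a 4-entry map, copy its backing store, and report what the next insert does. */
static int insertAfterCopy(bool useFixedCopy)
{
    MapData m;
    mapInit(&m, 4);
    for (uint64_t k = 0; k < 4; ++k)
        mapInsert(&m, k, k * 10);
    if (useFixedCopy)
        copyBackingStoreFixed(&m);
    else
        copyBackingStoreBuggy(&m);
    int result = mapInsert(&m, 99, 990);
    mapFree(&m);
    return result;
}

/* Believed capacity divided by real slots after a copy: 1 when consistent, sizeof(Entry) under the bug. */
static size_t capacityInflationAfterCopy(bool useFixedCopy)
{
    MapData m;
    mapInit(&m, 4);
    if (useFixedCopy)
        copyBackingStoreFixed(&m);
    else
        copyBackingStoreBuggy(&m);
    size_t ratio = m.capacity / realSlots(&m);
    mapFree(&m);
    return ratio;
}

int main(void)
{
    printf("buggy copy: inflation x%zu, 5th insert -> %d\n",
           capacityInflationAfterCopy(false), insertAfterCopy(false));
    printf("fixed copy: inflation x%zu, 5th insert -> %d\n",
           capacityInflationAfterCopy(true), insertAfterCopy(true));
    return 0;
}
```
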
2013-09-10 Filip Pizlo <fpizlo@apple.com>

We should say Int32 when we mean Int32. Saying Integer is just weird.

Rubber stamped by Mark Hahnenberg.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToPrimitive):
(JSC::DFG::FixupPhase::fixIntEdge):
(JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addSpeculationMode):
(JSC::DFG::Graph::valueAddSpeculationMode):
(JSC::DFG::Graph::arithAddSpeculationMode):
(JSC::DFG::Graph::addShouldSpeculateInt32):
(JSC::DFG::Graph::mulShouldSpeculateInt32):
(JSC::DFG::Graph::negateShouldSpeculateInt32):
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
(JSC::DFG::Graph::mulImmediateShouldSpeculateInt32):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateInt32):
(JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
(JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined):
(JSC::DFG::Node::canSpeculateInt32):
* dfg/DFGNodeFlags.h:
(JSC::DFG::nodeCanSpeculateInt32):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::arrayify):
(JSC::DFG::GPRTemporary::GPRTemporary):
(JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithIMul):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
(JSC::DFG::SpeculativeJIT::compileNewTypedArray):
(JSC::DFG::SpeculativeJIT::speculateInt32):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculateInt32Operand::SpeculateInt32Operand):
(JSC::DFG::SpeculateInt32Operand::~SpeculateInt32Operand):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileIntegerCompare):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileIntegerCompare):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):

2013-09-10 Filip Pizlo <fpizlo@apple.com>

Introduce a SpecInt48 type and be more careful about what we mean by "Top"
https://bugs.webkit.org/show_bug.cgi?id=121116

Reviewed by Oliver Hunt.

SpecInt48 will mean that we have something that would be a double if it was a JSValue,
but it's profitable to represent it as something other than a double.

SpecInt48AsDouble means that it has a value that could have been represented like
SpecInt48, but we're making a heuristic decision not to do it.

* bytecode/SpeculatedType.h:
(JSC::isInt48Speculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
(JSC::DFG::::clobberCapturedVars):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::filter):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::makeHeapTop):
(JSC::DFG::AbstractValue::makeBytecodeTop):
(JSC::DFG::AbstractValue::isHeapTop):
(JSC::DFG::AbstractValue::heapTop):
(JSC::DFG::AbstractValue::validateType):
(JSC::DFG::AbstractValue::validate):
(JSC::DFG::AbstractValue::makeTop):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):

2013-09-09 Oliver Hunt <oliver@apple.com>

Support WeakMap
https://bugs.webkit.org/show_bug.cgi?id=120912

Reviewed by Geoffrey Garen.

Add support for ES6 WeakMap. Add the cluster of boilerplate
classes around the core WeakMapData class.

WeakMapData is a simple object->value hash table that uses a
combo of WeakReferenceHarvester to conditionally keep the weak
value reference live, and UnconditionalFinalizer to clean the
dead keys from the table post-GC.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Target.pri:
* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::weakMapDataStructure):
* runtime/JSWeakMap.cpp: Added.
(JSC::JSWeakMap::finishCreation):
(JSC::JSWeakMap::visitChildren):
* runtime/JSWeakMap.h: Added.
(JSC::JSWeakMap::createStructure):
(JSC::JSWeakMap::create):
(JSC::JSWeakMap::weakMapData):
(JSC::JSWeakMap::JSWeakMap):
* runtime/WeakMapConstructor.cpp: Added.
(JSC::WeakMapConstructor::finishCreation):
(JSC::constructWeakMap):
(JSC::WeakMapConstructor::getConstructData):
(JSC::WeakMapConstructor::getCallData):
* runtime/WeakMapConstructor.h: Added.
(JSC::WeakMapConstructor::create):
(JSC::WeakMapConstructor::createStructure):
(JSC::WeakMapConstructor::WeakMapConstructor):
* runtime/WeakMapData.cpp: Added.
(JSC::WeakMapData::WeakMapData):
(JSC::WeakMapData::finishCreation):
(JSC::WeakMapData::destroy):
(JSC::WeakMapData::visitChildren):
(JSC::WeakMapData::set):
(JSC::WeakMapData::get):
(JSC::WeakMapData::remove):
(JSC::WeakMapData::contains):
(JSC::WeakMapData::clear):
(JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
(JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
* runtime/WeakMapData.h: Added.
(JSC::WeakMapData::create):
(JSC::WeakMapData::createStructure):
(JSC::WeakMapData::DeadKeyCleaner::DeadKeyCleaner):
* runtime/WeakMapPrototype.cpp: Added.
(JSC::WeakMapPrototype::finishCreation):
(JSC::getWeakMapData):
(JSC::protoFuncWeakMapClear):
(JSC::protoFuncWeakMapDelete):
(JSC::protoFuncWeakMapGet):
(JSC::protoFuncWeakMapHas):
(JSC::protoFuncWeakMapSet):
* runtime/WeakMapPrototype.h: Added.
(JSC::WeakMapPrototype::create):
(JSC::WeakMapPrototype::createStructure):
(JSC::WeakMapPrototype::WeakMapPrototype):

2013-09-10 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: [JSC] Caught exception is treated as uncaught
https://bugs.webkit.org/show_bug.cgi?id=93607

Reviewed by Geoff Garen.

Check up the entire call stack to see if there is an exception handler.

* interpreter/Interpreter.cpp:
(JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor):
(JSC::GetExceptionHandlerFunctor::handler):
(JSC::GetExceptionHandlerFunctor::operator()):

2013-09-10 Filip Pizlo <fpizlo@apple.com>

SpecType should have SpecInt48AsDouble
https://bugs.webkit.org/show_bug.cgi?id=121065

Reviewed by Oliver Hunt.

* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):
* bytecode/SpeculatedType.h:
(JSC::isInt48AsDoubleSpeculation):
(JSC::isIntegerSpeculation):
(JSC::isDoubleRealSpeculation):

2013-09-10 Filip Pizlo <fpizlo@apple.com>

Don't GC while in the OSR-triggered jettison code
https://bugs.webkit.org/show_bug.cgi?id=121106

Reviewed by Mark Hahnenberg.

* dfg/DFGOperations.cpp:

2013-09-10 Filip Pizlo <fpizlo@apple.com>

jsc commandline's run() function should take extra arguments
https://bugs.webkit.org/show_bug.cgi?id=121098

Reviewed by Michael Saboff.

* jsc.cpp:
(functionRun):

2013-09-09 Michael Saboff <msaboff@apple.com>

There should be one "invalid" virtual register constant
https://bugs.webkit.org/show_bug.cgi?id=121057

Reviewed by Filip Pizlo.

Unify all references to an invalid virtual register to be the enum InvalidVirtualRegister.
Changed the value of InvalidVirtualRegister to be maximum integer value.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::setArgumentsRegister):
(JSC::CodeBlock::usesArguments):
* bytecode/LazyOperandValueProfile.h:
(JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
(JSC::LazyOperandValueProfileKey::operator!):
(JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
(JSC::LazyOperandValueProfile::LazyOperandValueProfile):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::usesArguments):
(JSC::UnlinkedCodeBlock::usesGlobalObject):
* bytecode/VirtualRegister.h:

2013-09-09 Michael Saboff <msaboff@apple.com>

Change virtual register function arguments from unsigned to int
https://bugs.webkit.org/show_bug.cgi?id=121055

Reviewed by Filip Pizlo.

This is a largely mechanical change. This changes function parameters and local variables used to
represent bytecode operands from being unsigned to be int.

* bytecode/CodeOrigin.h:
* dfg/DFGByteCodeParser.cpp:
* jit/JIT.h:
* jit/JITArithmetic.cpp:
* jit/JITArithmetic32_64.cpp:
* jit/JITInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* jit/JITPropertyAccess.cpp:
* jit/JITPropertyAccess32_64.cpp:
* jit/JITStubCall.h:

2013-09-09 Michael Saboff <msaboff@apple.com>

Add local to/from operand helpers similar to argument to/from operand2
https://bugs.webkit.org/show_bug.cgi?id=121056

Reviewed by Geoffrey Garen.

Added localToOperand(), operandToLocal() and operandIsLocal() to Operands.h, very similar to
argumentToOperand(), et al. Used the new helpers everywhere where an index into a data
structure is intended instead of the actual virtual register offset. When the stack is
changed to grow down, local register offsets can be negative. Also added the helper
DFG::SpeculativeJIT::generationInfoFromVirtualRegister() for the common case accessing
m_generationInfo[operandToLocal(val)].

* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
* bytecode/Operands.h:
(JSC::localToOperand):
(JSC::operandIsLocal):
(JSC::operandToLocal):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGAbstractInterpreterInlines.h:
* dfg/DFGByteCodeParser.cpp:
* dfg/DFGCFGSimplificationPhase.cpp:
* dfg/DFGCPSRethreadingPhase.cpp:
* dfg/DFGOSREntry.cpp:
* dfg/DFGOSRExitCompiler32_64.cpp:
* dfg/DFGOSRExitCompiler64.cpp:
* dfg/DFGScoreBoard.h:
* dfg/DFGSpeculativeJIT.cpp:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
* dfg/DFGSpeculativeJIT32_64.cpp:
* dfg/DFGSpeculativeJIT64.cpp:
* dfg/DFGValidate.cpp:
* dfg/DFGVariableEventStream.cpp:
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
* jit/JITInlines.h:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:

2013-09-09 Filip Pizlo <fpizlo@apple.com>

Unreviewed, disable GC logging.

* heap/Heap.cpp:

2013-09-09 Mark Hahnenberg <mhahnenberg@apple.com>

CopiedSpace::startedCopying should not call MarkedSpace::capacity
https://bugs.webkit.org/show_bug.cgi?id=121045

Reviewed by Geoffrey Garen.

MarkedSpace::capacity() iterates every block in MarkedSpace. Instead we should just
keep track of our total capacity in MarkedSpace as we add and remove MarkedBlocks.

* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::freeBlock):
* heap/MarkedSpace.h:
(JSC::MarkedSpace::didAddBlock):
(JSC::MarkedSpace::capacity):

2013-09-09 Michael Saboff <msaboff@apple.com>

Wrong for SlowPathCall to load callFrame reg from vm.topCallFrame after call
https://bugs.webkit.org/show_bug.cgi?id=120537

Reviewed by Geoffrey Garen.

Changed JITSlowPathCall::call() to update vm.topCallFrame from the callFrameRegister instead of the
other way around.

* jit/JIT.h:
* jit/JITInlines.h:
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):

2013-08-29 Mark Hahnenberg <mhahnenberg@apple.com>

JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector
https://bugs.webkit.org/show_bug.cgi?id=120389

Reviewed by Michael Saboff.

Went through and cleaned up shiftCountWithArrayStorage. Gave meaningful variable names
and commented the confusing parts. This led to realizing how to fix this bug, which has
been done. The issue was that we were modifying the vector length unconditionally, even
when we weren't logically changing the length of the vector. Instead, we should only modify
the vector length when we modify the index bias.

* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):

2013-09-08 Anders Carlsson <andersca@apple.com>

Begin moving off of TypeTraits.h
https://bugs.webkit.org/show_bug.cgi?id=121006

Reviewed by Darin Adler.

Convert uses of WTF type traits to STL type traits.

* heap/PassWeak.h:
* runtime/JSCell.h:
(JSC::jsCast):
(JSC::jsDynamicCast):
* runtime/WriteBarrier.h:
(JSC::validateCell):

2013-09-08 Mark Hahnenberg <mhahnenberg@apple.com>

Calculating the size of the Heap should not require walking over it
https://bugs.webkit.org/show_bug.cgi?id=120910

Reviewed by Geoffrey Garen.

Currently Heap::size() is O(sizeof(Heap)). This is too expensive to
call during a collection. We should keep a count of visited and copied
bytes as each collection progresses so as to avoid re-walking the Heap
at the end of collection.

* heap/GCThreadSharedData.cpp:
(JSC::GCThreadSharedData::childBytesVisited):
(JSC::GCThreadSharedData::childBytesCopied):
* heap/GCThreadSharedData.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::markRoots):
(JSC::Heap::sizeAfterCollect):
(JSC::Heap::collect):
* heap/Heap.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::SlotVisitor):
(JSC::SlotVisitor::reset):
* heap/SlotVisitor.h:
(JSC::SlotVisitor::bytesVisited):
(JSC::SlotVisitor::bytesCopied):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::internalAppend):
(JSC::SlotVisitor::copyLater):

2013-09-08 Mark Hahnenberg <mhahnenberg@apple.com>

Clearing MarkedBlock::m_newlyAllocated should be separate from MarkedBlock::clearMarks
https://bugs.webkit.org/show_bug.cgi?id=121007

Reviewed by Oliver Hunt.

We call clearMarks on every MarkedBlock in the Heap, whereas we only need to clear
m_newlyAllocated for the m_currentBlock at the time of the last canonicalizeCellLiveness()
for each MarkedAllocator. We also need to call it on every block in the largeAllocators
because each one of their blocks is canonicalized as it is used.

* heap/Heap.cpp:
(JSC::Heap::markRoots):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::getAndClearCanonicalizedBlock):
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::canonicalizeCellLivenessData):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::lastChanceToFinalize):
(JSC::MarkedBlock::clearMarks):
(JSC::MarkedBlock::clearNewlyAllocated):
* heap/MarkedSpace.cpp:
(JSC::clearNewlyAllocatedInBlock):
(JSC::ClearNewlyAllocated::operator()):
(JSC::MarkedSpace::clearNewlyAllocated):
* heap/MarkedSpace.h:

2013-09-07 Filip Pizlo <fpizlo@apple.com>

FTL should support typed array PutByVal
https://bugs.webkit.org/show_bug.cgi?id=120972

Reviewed by Oliver Hunt.

Due to increased FTL coverage, this revealed a bug in LICM where we were trying to
have AI execute the tail of a block that !cfaDidFinish. We don't need to execute AI
for such blocks since LICM will bail for them anyway, and AI asserts that cfaDidFinish
is true.

* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* ftl/FTLAbbreviations.h:
(JSC::FTL::buildFPToUI):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::doubleToInt32):
(JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
* ftl/FTLOutput.h:
(JSC::FTL::Output::fpToUInt):
(JSC::FTL::Output::fpToUInt32):
(JSC::FTL::Output::store8):
(JSC::FTL::Output::store16):
(JSC::FTL::Output::storeFloat):

2013-09-07 Filip Pizlo <fpizlo@apple.com>

FTL should support basic closure operations
https://bugs.webkit.org/show_bug.cgi?id=120987

Reviewed by Oliver Hunt.

* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
(JSC::FTL::LowerDFGToLLVM::compileSkipScope):
(JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
(JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
(JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):

2013-09-07 Filip Pizlo <fpizlo@apple.com>

Only run FTL tests if we have the FTL
https://bugs.webkit.org/show_bug.cgi?id=120974

Reviewed by Geoffrey Garen.

The test infrastructure is now smart enough to not pass --useExperimentalFTL=true
unless it knows that we have the FTL.

* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):

2013-09-07 Anders Carlsson <andersca@apple.com>

Get rid of PassOwnArrayPtr
https://bugs.webkit.org/show_bug.cgi?id=120964

Reviewed by Andreas Kling.

Use OwnArrayPtr instead of PassOwnArrayPtr.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* runtime/SymbolTable.h:
(JSC::SharedSymbolTable::setSlowArguments):

2013-09-07 Filip Pizlo <fpizlo@apple.com>

FTL should support typed array GetByVal and related ops
https://bugs.webkit.org/show_bug.cgi?id=120965

Reviewed by Oliver Hunt.

This adds support for typed array instantiations of the following DFG IR ops:

- GetByVal

- GetIndexedPropertyStorage

- CheckArray

- GetArrayLength

This also adds CheckArray for Int32/Double/Contiguous arrays.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::toIndexingShape):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::shapeMask):
* ftl/FTLAbbreviations.h:
(JSC::FTL::floatType):
(JSC::FTL::buildSExt):
(JSC::FTL::buildFPCast):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
* ftl/FTLCommonValues.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileCheckArray):
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::isArrayType):
(JSC::FTL::LowerDFGToLLVM::hasClassInfo):
* ftl/FTLOutput.h:
(JSC::FTL::Output::constIntPtr):
(JSC::FTL::Output::signExt):
(JSC::FTL::Output::fpCast):
(JSC::FTL::Output::loadFloat):

2013-09-07 Anders Carlsson <andersca@apple.com>

VectorMover should use std::move
https://bugs.webkit.org/show_bug.cgi?id=120959

Reviewed by Geoffrey Garen.

Work around a bug in GCC by changing the type of the callType bitfield
in CallLinkInfo to be unsigned instead of CallType.

* bytecode/CallLinkInfo.h:

2013-09-07 Anders Carlsson <andersca@apple.com>

Get rid of FastAllocBase.h
https://bugs.webkit.org/show_bug.cgi?id=120952

Reviewed by Antti Koivisto.

Include FastMalloc.h instead of FastAllocBase.h.

* assembler/LinkBuffer.h:
* bytecode/CodeBlock.h:
* bytecode/StructureStubClearingWatchpoint.h:
* dfg/DFGFinalizer.h:
* dfg/DFGLongLivedState.h:
* dfg/DFGSlowPathGenerator.h:
* ftl/FTLAbstractHeap.h:
* heap/JITStubRoutineSet.h:
* jit/CompactJITCodeMap.h:
* profiler/ProfilerDatabase.h:
* profiler/ProfilerExecutionCounter.h:

2013-09-06 Filip Pizlo <fpizlo@apple.com>

FTL should support Call/Construct in the worst way possible
https://bugs.webkit.org/show_bug.cgi?id=120916

Reviewed by Oliver Hunt.

This adds support for Call/Construct by just calling out to C code that uses
the JSC::call/JSC::construct runtime functions for making calls. This is slow
and terrible, but it dramatically extends FTL coverage.

Supporting calls in a meaningful way meant also supporting
GlobalVarWatchpoint.

The extension of coverage helped to find a bunch of bugs:

- ObjectOrOtherUse was claimed to be supported in the FTL but speculate()
didn't support it. That means that any node with an ObjectOrOtherUse edge
that got DCE'd would cause the FTL to ICE.

- There was a bad fall-through compileCompareStrictEq() that led to ICE.

- The OSR exit reconstruction code was assuming it could do fast checks on
node->child1() before even determining the type of node; that crashes if
the node is HasVarArgs. Fixed by checking HasVarArgs first.

- The OSR exit compiler was using the wrong peekOffset for CArgumentGetter.
The default is 1, which assumes that you didn't push anything onto the
stack after getting called. The OSR exit thunks push FP, so the offset
should be 2.

This passes stress tests and is probably a huge performance regression if you
--useExperimentalFTL=true. The regression will be fixed in
https://bugs.webkit.org/show_bug.cgi?id=113621.

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):

2013-09-06 Filip Pizlo <fpizlo@apple.com>

jsc shell should destroy VM as a workaround for LLVM's exit-time destructors
https://bugs.webkit.org/show_bug.cgi?id=120921

Reviewed by Oliver Hunt.

LLVM's exit-time destructors will fire when we exit. If there is an on-going
FTL compile at exit, which will happen if the VM that triggered the compile
isn't shut down, then we will crash.

We should get rid of LLVM's exit-time destructors. But before we do that, we
should just do a clean VM shutdown to suppress spurious crashes. This will
help in expanding LLVM coverage for now.

* jsc.cpp:
(jscmain):

80802013-09-06 Filip Pizlo <fpizlo@apple.com>
8081
8082 FTL ArithMod Int32Use doesn't check for negative zero correctly
8083 https://bugs.webkit.org/show_bug.cgi?id=120905
8084
8085 Reviewed by Mark Hahnenberg.
8086
8087 * ftl/FTLLowerDFGToLLVM.cpp:
8088 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
8089
80902013-09-06 Filip Pizlo <fpizlo@apple.com>
8091
8092 FTL ArithNeg Int32Use doesn't check negative zero
8093 https://bugs.webkit.org/show_bug.cgi?id=120900
8094
8095 Reviewed by Mark Hahnenberg.
8096
8097 * ftl/FTLLowerDFGToLLVM.cpp:
8098 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
8099
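The two entries above (ArithMod and ArithNeg with Int32Use) fix the same class of bug: an integer fast path that silently turns -0 into +0. The following is an added example, not JavaScriptCore code, showing the bail-out conditions an int32 fast path for JavaScript `%` and unary minus has to check, with the double fallback beside it; the function names and the `Int32Result` type are this example's own.

```cpp
#include <cmath>
#include <cstdint>

// Added example, not JavaScriptCore code: when an Int32 fast path for
// JavaScript's `%` and unary `-` must give up and fall back to doubles.
// JS numbers are doubles, so -0 is observable (1 / -0 === -Infinity); an
// int32 cannot represent it, so whenever the exact result is -0 the fast
// path has to bail out (in the DFG/FTL: a speculation failure that exits
// to slower code) instead of producing +0.

struct Int32Result {
    bool ok;        // false: not representable as int32, take the double path
    int32_t value;  // meaningful only when ok is true
};

// a % b with JS semantics: the sign of the result follows the dividend.
Int32Result arithModInt32(int32_t a, int32_t b)
{
    if (b == 0)
        return { false, 0 };   // result is NaN
    if (a == INT32_MIN && b == -1)
        return { false, 0 };   // overflows in C++ (undefined behaviour); in JS the result is -0 anyway
    int32_t r = a % b;         // truncating % already matches JS for nonzero remainders
    if (r == 0 && a < 0)
        return { false, 0 };   // zero remainder from a negative dividend is -0, e.g. -4 % 2
    return { true, r };
}

// -a with JS semantics.
Int32Result arithNegateInt32(int32_t a)
{
    if (a == 0)
        return { false, 0 };   // -0
    if (a == INT32_MIN)
        return { false, 0 };   // 2^31 does not fit in int32
    return { true, -a };
}

// The complete operations: fast path when allowed, otherwise double
// arithmetic, which preserves the sign of zero.
double jsModulo(int32_t a, int32_t b)
{
    Int32Result r = arithModInt32(a, b);
    if (r.ok)
        return r.value;
    return std::fmod(static_cast<double>(a), static_cast<double>(b));
}

double jsNegate(int32_t a)
{
    Int32Result r = arithNegateInt32(a);
    if (r.ok)
        return r.value;
    return -static_cast<double>(a);
}
```

The `INT32_MIN % -1` case is worth the extra branch: in C++ it is undefined behaviour (the quotient overflows), and in JS the result is -0, so it must take the double path either way.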
2013-09-06  Anders Carlsson  <andersca@apple.com>

        Stop using fastNew/fastDelete in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=120898

        Reviewed by Oliver Hunt.

        Change all the hash table members in ExecState to be OwnPtrs and use
        adoptPtr instead. Also, since none of the hash tables can be null, change their getters
        to return references and propagate the reference types wherever we know that a HashTable can't be null.

        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        (JSC::ExecState::promiseResolverPrototypeTable):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        Concurrent FTL causes !hasOptimizedReplacement() asserts in cti_optimize
        https://bugs.webkit.org/show_bug.cgi?id=120890

        Reviewed by Mark Hahnenberg.

        Don't install an FTL code block if the DFG code block has already been jettisoned.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=120781

        Reviewed by Mark Hahnenberg.

        Roll this back in with a build fix.

        - Use some method table hacks to detect if the CheckStructure optimization is
          valid for to_this.

        - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.

        This looks like it might be perf-neutral on the major benchmarks, but it
        introduces some horrible performance cliffs. For example if you add methods to
        the Array prototype, you'll get horrible performance cliffs. As in virtual calls
        to C++ every time you call a JS function even if it's inlined.
        LongSpider/3d-cube appears to hit this.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-09-05  Filip Pizlo  <fpizlo@apple.com>

        Introduce a way to run benchmarks and JSRegress as stress tests with different jsc command-line options
        https://bugs.webkit.org/show_bug.cgi?id=120808

        Reviewed by Mark Hahnenberg and rubber stamped by Geoffrey Garen.

        Allow --useExperimentalFTL=true even if FTL isn't built since this simplifies
        testing.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2013-09-06  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed build fix for the GTK port when building with FTL JIT enabled.

        * GNUmakefile.list.am: Add the missing files to the build.

2013-09-05  Oliver Hunt  <oliver@apple.com>

        Make it simpler to introduce new data types to the global object
        https://bugs.webkit.org/show_bug.cgi?id=120801

        Reviewed by Gavin Barraclough.

        Add an iterator macro that lists all the "simple" ES types (e.g. type
        consists of instance, constructor, and prototype classes), so that
        we don't need to have every new type litter JSGlobalObject.{cpp,h} with
        members, accessors, and manual GC visiting.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:

2013-09-05  Mark Rowe  <mrowe@apple.com>

        Roll out r155149 since it broke the build.

2013-09-05  Michael Saboff  <msaboff@apple.com>

        Cleanup formatting of byte code debug output
        Source/JavaScriptCore/ChangeLog

        Rubber stamped by Filip Pizlo.

        Put the formatting of the byte code offset and operation into one common function to
        simplify and unify formatting. Changed CodeBlock::registerName() to return
        "thist" for argument register 0, "argN" for other argument registers and "locN" for
        local registers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::registerName):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::printLocationAndOp):
        (JSC::CodeBlock::printLocationOpAndRegisterOperand):

2013-09-05  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=120781

        Reviewed by Mark Hahnenberg.

        - Use some method table hacks to detect if the CheckStructure optimization is
          valid for to_this.

        - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.

        This looks like it might be perf-neutral on the major benchmarks, but it
        introduces some horrible performance cliffs. For example if you add methods to
        the Array prototype, you'll get horrible performance cliffs. As in virtual calls
        to C++ every time you call a JS function even if it's inlined.
        LongSpider/3d-cube appears to hit this.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-09-05  Anders Carlsson  <andersca@apple.com>

        GCAssertions.h should use STL type traits and static_assert
        https://bugs.webkit.org/show_bug.cgi?id=120785

        Reviewed by Andreas Kling.

        There's no need to rely on compiler specific support to figure out if a class is trivially destructible;
        we can just use type traits from STL. Do this, fix the assert macro to use static_assert directly and
        rename it from ASSERT_HAS_TRIVIAL_DESTRUCTOR to STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE to clarify that
        it's a static assert and to match the STL nomenclature.

        * API/JSCallbackFunction.cpp:
        * debugger/DebuggerActivation.cpp:
        * heap/GCAssertions.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:

2013-09-05  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix for DebugSuffix target.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Don't build 64-bit assembly in 32-bit build.
        Also correct 'filters' file so that files appear in categories that match their on-disk locations.

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        jsc tests should have timeouts
        https://bugs.webkit.org/show_bug.cgi?id=120725

        Reviewed by Geoffrey Garen.

        Add the timeout logic directly to 'jsc' because that's easier to do than
        writing shell/perl code for it.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        fast/js/dfg-* tests should wait for the concurrent JIT
        https://bugs.webkit.org/show_bug.cgi?id=120723

        Reviewed by Geoffrey Garen.

        * runtime/TestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles): This should also handle constructors.

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        run-fast-jsc should work with new-school fast/js tests that loop until the DFG tiers up
        https://bugs.webkit.org/show_bug.cgi?id=120697

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNeverInlineFunction):
        (functionNumberOfDFGCompiles):
        * runtime/TestRunnerUtils.cpp: Added.
        (JSC::getExecutable):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * runtime/TestRunnerUtils.h: Added.

2013-09-04  Mark Lam  <mark.lam@apple.com>

        Renamed StackIterator to StackVisitor.
        https://bugs.webkit.org/show_bug.cgi?id=120706.

        Reviewed by Geoffrey Garen.

        Also did some minor refactoring:
        - Renamed StackIterator::iterate() to StackVisitor::visit().
        - Make StackVisitor::visit() a static method.
        - Move the instantiation of the StackVisitor instance into StackVisitor::visit()
          from CallFrame::iterate().
        - Removed StackIterator::resetIterator() and inlined its body into the
          StackVisitor constructor since this is the only remaining caller of it.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator()):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::unwindCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackIterator.cpp: Removed.
        * interpreter/StackIterator.h: Removed.
        * interpreter/StackVisitor.cpp: Copied from Source/JavaScriptCore/interpreter/StackIterator.cpp.
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::codeType):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        (JSC::StackVisitor::Frame::toString):
        (JSC::StackVisitor::Frame::arguments):
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        (JSC::StackVisitor::Frame::retrieveExpressionInfo):
        (JSC::StackVisitor::Frame::setToEnd):
        (JSC::StackVisitor::Frame::print):
        (DebugPrintFrameFunctor::operator()):
        * interpreter/StackVisitor.h: Copied from Source/JavaScriptCore/interpreter/StackIterator.h.
        (JSC::StackVisitor::visit):
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator()):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::operator()):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):

2013-09-04  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix for Windows DebugSuffix configuration.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-09-04  Mark Lam  <mark.lam@apple.com>

        Refining the StackIterator callback interface.
        https://bugs.webkit.org/show_bug.cgi?id=120695.

        Reviewed by Geoffrey Garen.

        Introduce CallFrame::iterate() which instantiates a StackIterator and
        invokes its iterate() method with the passed in functor. The only place
        where the client code gets access to the StackIterator now is as an
        argument to the client's functor.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::unwind):
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (DebugPrintFrameFunctor::DebugPrintFrameFunctor):
        (DebugPrintFrameFunctor::operator()):
        (debugPrintCallFrame):
        (debugPrintStack):
        * interpreter/StackIterator.h:
        (JSC::StackIterator::iterate):
        * jsc.cpp:
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/JSFunction.cpp:
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):

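The three Mark Lam entries on this page (converting StackIterator to a callback interface, refining that interface so clients only see the iterator as their functor's argument, and the rename to StackVisitor with a static visit()) describe one design. The following is an added example, not JavaScriptCore code, that models it on a toy frame chain: the visitor's constructor is private, the only public entry point is the static visit(), and the client functor's return value decides whether the walk continues. The `CallFrame`, `BacktraceFunctor` and `CallerFunctor` types here are this example's own simplifications.

```cpp
#include <string>
#include <utility>
#include <vector>

// Added example, not JavaScriptCore code: a callback-style stack walk in the
// shape described above. The visitor instance exists only inside visit(), so
// client code cannot hold on to it or advance it outside its functor.

struct CallFrame {
    std::string functionName;
    CallFrame* callerFrame;   // nullptr for the outermost frame
};

class StackVisitor {
public:
    enum Status { Continue, Done };

    // The frame currently being visited; valid only while the functor runs.
    const CallFrame& frame() const { return *m_frame; }
    bool atEnd() const { return !m_frame; }

    template<typename Functor>
    static void visit(CallFrame* startFrame, Functor& functor)
    {
        StackVisitor visitor(startFrame);   // the instance lives only here
        while (!visitor.atEnd()) {
            if (functor(visitor) == Done)
                return;
            visitor.gotoNextFrame();
        }
    }

private:
    explicit StackVisitor(CallFrame* frame) : m_frame(frame) { }
    void gotoNextFrame() { m_frame = m_frame->callerFrame; }
    CallFrame* m_frame;
};

// Stand-in for CallFrame::iterate(): the only way client code starts a walk.
template<typename Functor>
void iterate(CallFrame* frame, Functor& functor) { StackVisitor::visit(frame, functor); }

// Client functor 1: collect every function name (a backtrace).
struct BacktraceFunctor {
    std::vector<std::string> names;
    StackVisitor::Status operator()(StackVisitor& visitor)
    {
        names.push_back(visitor.frame().functionName);
        return StackVisitor::Continue;
    }
};

// Client functor 2: find the caller of a given function and stop early.
struct CallerFunctor {
    explicit CallerFunctor(std::string target) : target(std::move(target)) { }
    std::string target;
    std::string caller;        // empty if the target was not found
    bool foundTarget = false;
    StackVisitor::Status operator()(StackVisitor& visitor)
    {
        if (foundTarget) {
            caller = visitor.frame().functionName;
            return StackVisitor::Done;   // no need to walk further
        }
        if (visitor.frame().functionName == target)
            foundTarget = true;
        return StackVisitor::Continue;
    }
};

// Constructed sample stack: inner() called by middle() called by outer().
std::vector<std::string> backtraceOfSampleStack()
{
    CallFrame outer { "outer", nullptr };
    CallFrame middle { "middle", &outer };
    CallFrame inner { "inner", &middle };
    BacktraceFunctor functor;
    iterate(&inner, functor);
    return functor.names;
}

std::string callerOfMiddleInSampleStack()
{
    CallFrame outer { "outer", nullptr };
    CallFrame middle { "middle", &outer };
    CallFrame inner { "inner", &middle };
    CallerFunctor functor("middle");
    iterate(&inner, functor);
    return functor.caller;
}
```

Keeping the visitor's lifetime inside visit() is the point of the refinement: a client that needs a result (the arguments object, the caller function, a prototype) stores it in its functor, as the RetrieveArgumentsFunctor and GlobalFuncProtoGetterFunctor listed above do, rather than reading from an iterator after the walk.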
2013-09-04  Benjamin Poulain  <benjamin@webkit.org>

        JSGenericTypedArrayViewConstructor.h is referenced twice in the Xcode project build section, causing warnings
        https://bugs.webkit.org/show_bug.cgi?id=120698

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-09-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT in MarkedAllocator::allocateSlowCase is wrong
        https://bugs.webkit.org/show_bug.cgi?id=120639

        Reviewed by Oliver Hunt.

        ASSERT(!m_heap->shouldCollect()) is no longer true due to our use of the GC
        deferral mechanism. We could technically be beyond our byte allocation limit,
        but still not try to collect due to deferral. This patch amends shouldCollect()
        to return false if GC is currently deferred.

        * heap/Heap.h:
        (JSC::Heap::shouldCollect):

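The entry above changes shouldCollect() so that being over the allocation limit is not enough on its own: a deferred heap never reports that it should collect. As an added example, not JavaScriptCore code, here is a toy heap with an RAII deferral guard that shows why the allocator's assertion holds again after the change; the `Heap`/`DeferGC` shapes, the limit and the rule that the skipped collection runs when the outermost deferral ends are this example's assumptions.

```cpp
#include <cstddef>

// Added example, not JavaScriptCore code: a heap whose shouldCollect() stays
// false while any DeferGC scope is active, even past the allocation limit,
// so an allocator assertion of the form ASSERT(!heap.shouldCollect()) holds
// inside a deferred region.
class Heap {
public:
    explicit Heap(size_t bytesAllocatedLimit) : m_bytesAllocatedLimit(bytesAllocatedLimit) { }

    void didAllocate(size_t bytes) { m_bytesAllocated += bytes; }
    bool isDeferred() const { return m_deferralDepth > 0; }

    // Over the limit AND not deferred.
    bool shouldCollect() const
    {
        if (isDeferred())
            return false;
        return m_bytesAllocated > m_bytesAllocatedLimit;
    }

    size_t collections() const { return m_collections; }

    void incrementDeferralDepth() { ++m_deferralDepth; }
    void decrementDeferralDepth()
    {
        --m_deferralDepth;
        if (!m_deferralDepth && shouldCollect())
            collect();   // assumption of this toy: run the collection we skipped
    }

private:
    // Simulated collection: everything is reclaimed.
    void collect() { m_bytesAllocated = 0; ++m_collections; }

    size_t m_bytesAllocated = 0;
    size_t m_bytesAllocatedLimit;
    size_t m_collections = 0;
    unsigned m_deferralDepth = 0;
};

// RAII guard; nesting is fine because the heap keeps a depth count.
class DeferGC {
public:
    explicit DeferGC(Heap& heap) : m_heap(heap) { m_heap.incrementDeferralDepth(); }
    ~DeferGC() { m_heap.decrementDeferralDepth(); }
    DeferGC(const DeferGC&) = delete;
    DeferGC& operator=(const DeferGC&) = delete;
private:
    Heap& m_heap;
};

struct DeferralOutcome {
    bool shouldCollectWhileDeferred;
    size_t collectionsWhileDeferred;
    size_t collectionsAfter;
};

// Scenario: allocate well past the limit inside nested deferral scopes.
DeferralOutcome runDeferralScenario()
{
    Heap heap(1024);
    DeferralOutcome outcome { false, 0, 0 };
    {
        DeferGC defer(heap);
        {
            DeferGC nested(heap);      // the inner scope ending must not un-defer
            heap.didAllocate(4096);    // now beyond the limit
        }
        outcome.shouldCollectWhileDeferred = heap.shouldCollect();   // false: still deferred
        outcome.collectionsWhileDeferred = heap.collections();        // 0
    }
    outcome.collectionsAfter = heap.collections();                    // 1
    return outcome;
}
```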
2013-09-03  Filip Pizlo  <fpizlo@apple.com>

        The DFG should be able to tier-up and OSR enter into the FTL
        https://bugs.webkit.org/show_bug.cgi?id=112838

        Reviewed by Mark Hahnenberg.

        This adds the ability for the DFG to tier-up into the FTL. This works in both
        of the expected tier-up modes:

        Replacement: frequently called functions eventually have their entrypoint
        replaced with one that goes into FTL-compiled code. Note, this will be a
        slow-down for now since we don't yet have LLVM calling convention integration.

        OSR entry: code stuck in hot loops gets OSR'd into the FTL from the DFG.

        This means that if the DFG detects that a function is an FTL candidate, it
        inserts execution counting code similar to the kind that the baseline JIT
        would use. If you trip on a loop count in a loop header that is an OSR
        candidate (it's not an inlined loop), we do OSR; otherwise we do replacement.
        OSR almost always also implies future replacement.

        OSR entry into the FTL is really cool. It uses a specialized FTL compile of
        the code, where early in the DFG pipeline we replace the original root block
        with an OSR entrypoint block that jumps to the pre-header of the hot loop.
        The OSR entrypoint loads all live state at the loop pre-header using loads
        from a scratch buffer, which gets populated by the runtime's OSR entry
        preparation code (FTL::prepareOSREntry()). This approach appears to work well
        with all of our subsequent optimizations, including prediction propagation,
        CFA, and LICM. LLVM seems happy with it, too. Best of all, it works naturally
        with concurrent compilation: when we hit the tier-up trigger we spawn a
        compilation plan at the bytecode index from which we triggered; once the
        compilation finishes the next trigger will try to enter, at that bytecode
        index. If it can't - for example because the code has moved on to another
        loop - then we just try again. Loops that get hot enough for OSR entry (about
        25,000 iterations) will probably still be running when a concurrent compile
        finishes, so this doesn't appear to be a big problem.

        This immediately gives us a 70% speed-up on imaging-gaussian-blur. We could
        get a bigger speed-up by adding some more intelligence and tweaking LLVM to
        compile code faster. Those things will happen eventually but this is a good
        start. Probably this code will see more tuning as we get more coverage in the
        FTL JIT, but I'll worry about that in future patches.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::killBlockAndItsContents):
        (JSC::DFG::Graph::killUnreachableBlocks):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeAfterWarmUp):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGLoopPreHeaderCreationPhase.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::unlinkedLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntrypointCreationPhase.cpp: Added.
        (JSC::DFG::OSREntrypointCreationPhase::OSREntrypointCreationPhase):
        (JSC::DFG::OSREntrypointCreationPhase::run):
        (JSC::DFG::performOSREntrypointCreation):
        * dfg/DFGOSREntrypointCreationPhase.h: Added.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp: Added.
        (JSC::DFG::TierUpCheckInjectionPhase::TierUpCheckInjectionPhase):
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::performTierUpCheckInjection):
        * dfg/DFGTierUpCheckInjectionPhase.h: Added.
        * dfg/DFGToFTLDeferredCompilationCallback.cpp: Added.
        (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLDeferredCompilationCallback.h: Added.
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: Added.
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCapabilities.h:
        * ftl/FTLForOSREntryJITCode.cpp: Added.
        (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode):
        (JSC::FTL::ForOSREntryJITCode::~ForOSREntryJITCode):
        (JSC::FTL::ForOSREntryJITCode::ftlForOSREntry):
        (JSC::FTL::ForOSREntryJITCode::initializeEntryBuffer):
        * ftl/FTLForOSREntryJITCode.h: Added.
        (JSC::FTL::ForOSREntryJITCode::entryBuffer):
        (JSC::FTL::ForOSREntryJITCode::setBytecodeIndex):
        (JSC::FTL::ForOSREntryJITCode::bytecodeIndex):
        (JSC::FTL::ForOSREntryJITCode::countEntryFailure):
        (JSC::FTL::ForOSREntryJITCode::entryFailureCount):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::addWeakReference):
        * ftl/FTLOSREntry.cpp: Added.
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLOSREntry.h: Added.
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::crashNonTerminal):
        (JSC::FTL::Output::crash):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Register.h:
        (JSC::Register::unboxedDouble):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITCode.cpp:
        (JSC::JITCode::ftlForOSREntry):
        * jit/JITCode.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureWorklist):
        * runtime/VM.h:

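The tier-up entry above describes a protocol rather than a single function: a loop-header counter trips, a compilation plan is spawned at that bytecode index, the compile runs concurrently, and a later trip either enters the finished OSR-entry code through a scratch buffer of live locals or, if execution has moved to another loop, counts an entry failure and tries again. The following is an added example, not JavaScriptCore code, that models that protocol in plain C++ on a function with two loops. The threshold and compile latency are constructed numbers (the entry says real OSR candidates run about 25,000 iterations), compile progress is modelled as one step per loop-header hit, and discarding stale entry code on mismatch is this model's simplification.

```cpp
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore code: a toy model of DFG-to-FTL tier-up
// by OSR entry. The "DFG code" is a C++ loop that reports every loop-header
// hit; the "FTL code" is a record of the bytecode index it can enter at plus
// the entry buffer the runtime fills before jumping in.

enum class Outcome { KeptRunningDFG, EnteredFTL };

struct FTLForOSREntryCode {
    unsigned bytecodeIndex;             // the loop header this code can enter at
    std::vector<int64_t> entryBuffer;   // scratch buffer of live locals at the pre-header
};

class TierUpModel {
public:
    TierUpModel(unsigned threshold, unsigned compileLatency)
        : m_threshold(threshold), m_compileLatency(compileLatency) { }

    // Called by the DFG code at every loop-header hit, with the locals that are
    // live at the loop pre-header.
    Outcome loopHeaderHit(unsigned bytecodeIndex, const std::vector<int64_t>& liveLocals)
    {
        // The concurrent compile makes progress while the DFG code keeps running
        // (assumption: one unit of progress per hit).
        if (m_planActive && --m_planRemaining == 0) {
            m_planActive = false;
            m_readyCode = FTLForOSREntryCode { m_planBytecodeIndex, {} };
            m_hasReadyCode = true;
        }

        if (++m_counter < m_threshold)
            return Outcome::KeptRunningDFG;
        m_counter = 0;   // the trigger fired; counting starts over

        if (m_hasReadyCode) {
            if (m_readyCode.bytecodeIndex == bytecodeIndex) {
                // prepareOSREntry(): copy the live state into the scratch buffer, then enter.
                m_readyCode.entryBuffer = liveLocals;
                return Outcome::EnteredFTL;
            }
            // Finished code is for a loop we already left: count the failure, drop it.
            ++entryFailures;
            m_hasReadyCode = false;
        }

        if (!m_planActive) {
            // Spawn a plan at the bytecode index we triggered from.
            m_planActive = true;
            m_planBytecodeIndex = bytecodeIndex;
            m_planRemaining = m_compileLatency;
            ++compilesSpawned;
        }
        return Outcome::KeptRunningDFG;
    }

    const FTLForOSREntryCode& enteredCode() const { return m_readyCode; }

    unsigned compilesSpawned = 0;
    unsigned entryFailures = 0;

private:
    unsigned m_threshold;
    unsigned m_compileLatency;
    unsigned m_counter = 0;
    bool m_planActive = false;
    unsigned m_planBytecodeIndex = 0;
    unsigned m_planRemaining = 0;
    bool m_hasReadyCode = false;
    FTLForOSREntryCode m_readyCode { 0, {} };
};

struct ScenarioResult {
    unsigned compilesSpawned;
    unsigned entryFailures;
    bool entered;
    unsigned enteredAtBytecodeIndex;
    int64_t enteredLocal;
};

// Constructed scenario: a short loop (header at bytecode index 10) followed by
// a long one (header at index 20). The compile triggered by the first loop
// finishes after execution has moved on, so the first entry attempt fails and
// a second plan is spawned for the loop that is actually hot.
ScenarioResult runTierUpScenario()
{
    TierUpModel model(/* threshold */ 100, /* compileLatency */ 250);
    ScenarioResult result { 0, 0, false, 0, 0 };

    for (int64_t i = 0; i < 300; ++i)
        model.loopHeaderHit(10, std::vector<int64_t> { i });

    for (int64_t i = 0; i < 1000; ++i) {
        if (model.loopHeaderHit(20, std::vector<int64_t> { i }) == Outcome::EnteredFTL) {
            result.entered = true;
            result.enteredAtBytecodeIndex = model.enteredCode().bytecodeIndex;
            result.enteredLocal = model.enteredCode().entryBuffer[0];   // the loop counter at entry
            break;
        }
    }
    result.compilesSpawned = model.compilesSpawned;
    result.entryFailures = model.entryFailures;
    return result;
}
```

Walking the numbers: the first plan is spawned on the 100th hit of loop 10 and finishes 250 hits later, when the code is already 50 iterations into loop 20; the trigger on that loop's 100th iteration finds code for the wrong header, records one failure and spawns a plan for index 20, which is ready by the trigger on iteration 400, where entry happens with the live counter (399) in the entry buffer.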
2013-09-03  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock memory cost reporting should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120615

        Reviewed by Darin Adler.

        Report the size of the instruction stream, and then remind the GC that we're
        using memory when we trace.

        This is a slight slow-down on some JSBench tests because it makes us GC a
        bit more frequently. But I think it's well worth it; if we really want those
        tests to GC less frequently then we can achieve that through other kinds of
        tuning. It's better that the GC knows that CodeBlocks do in fact use memory;
        what it does with that information is a somewhat orthogonal question.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitAggregate):

2013-09-03  Mark Lam  <mark.lam@apple.com>

        Converting StackIterator to a callback interface.
        https://bugs.webkit.org/show_bug.cgi?id=120564.

        Reviewed by Filip Pizlo.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::BacktraceFunctor):
        (BacktraceFunctor::operator()):
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::Interpreter::dumpRegisters):
        (JSC::unwindCallFrame):
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::stackTraceAsString):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrameWithFilter):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (DebugPrintStackFunctor::operator()):
        (debugPrintStack): Added for debugging convenience.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::index):
        (JSC::StackIterator::iterate):
        * jsc.cpp:
        (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
        (FunctionJSCStackFunctor::operator()):
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
        (JSC::RetrieveArgumentsFunctor::result):
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::result):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
        (JSC::GlobalFuncProtoGetterFunctor::result):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
        (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):

2013-09-03  Oliver Hunt  <oliver@apple.com>

        Support structured clone of Map and Set
        https://bugs.webkit.org/show_bug.cgi?id=120654

        Reviewed by Simon Fraser.

        Make Xcode copy the required headers, and add appropriate export attributes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSMap.h:
        * runtime/JSSet.h:
        * runtime/MapData.h:

2013-09-02  Ryosuke Niwa  <rniwa@webkit.org>

        Support the "json" responseType and JSON response entity in XHR
        https://bugs.webkit.org/show_bug.cgi?id=73648

        Reviewed by Oliver Hunt.

        Based on the patch written by Jarred Nicholls.

        Add JSC::JSONParse. This function will be used in XMLHttpRequest.response of type 'json'.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSONObject.cpp:
        (JSC::JSONParse):
        * runtime/JSONObject.h:

2013-09-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() should be implicit
        https://bugs.webkit.org/show_bug.cgi?id=120567

        Reviewed by Oliver Hunt.

        This is a risky change from a performance standpoint, but I believe it's
        necessary. This makes all CodeBlocks get swept by GC. Nobody but the GC
        can delete CodeBlocks because the GC always holds a reference to them.
        Once a CodeBlock reaches just one reference (i.e. the one from the GC)
        then the GC will free it only if it's not on the stack.

        This allows me to get rid of the jettisoning logic. We need this for FTL
        tier-up. Well, we don't need it, but it will help prevent a lot of bugs.
        Previously, if you wanted to replace one code block with another, you
        had to remember to tell the GC that the previous code block is
        "jettisoned". We would need to do this when tiering up from DFG to FTL
        and when dealing with DFG-to-FTL OSR entry code blocks. There are a lot
        of permutations here - tiering up to the FTL, OSR entering into the FTL,
        deciding that an OSR entry code block is not relevant anymore - just to
        name a few. In each of these cases we'd have to jettison the previous
        code block. It smells like a huge source of future bugs.

        So I made jettisoning implicit by making the GC always watch out for a
        CodeBlock being owned solely by the GC.

        This change is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * heap/CodeBlockSet.cpp: Added.
        (JSC::CodeBlockSet::CodeBlockSet):
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
8918 * heap/CodeBlockSet.h: Added.
8919 * heap/ConservativeRoots.cpp:
8920 (JSC::ConservativeRoots::add):
8921 * heap/ConservativeRoots.h:
8922 * heap/DFGCodeBlocks.cpp: Removed.
8923 * heap/DFGCodeBlocks.h: Removed.
8924 * heap/Heap.cpp:
8925 (JSC::Heap::markRoots):
8926 (JSC::Heap::deleteAllCompiledCode):
8927 (JSC::Heap::deleteUnmarkedCompiledCode):
8928 * heap/Heap.h:
8929 * interpreter/JSStack.cpp:
8930 (JSC::JSStack::gatherConservativeRoots):
8931 * interpreter/JSStack.h:
8932 * runtime/Executable.cpp:
8933 (JSC::ScriptExecutable::installCode):
8934 * runtime/Executable.h:
8935 * runtime/VM.h:
8936
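Added illustration, not from the ChangeLog or from JavaScriptCore's sources: a toy C++ model of the GC-owned CodeBlockSet this entry describes. The names ToyCodeBlockSet and runCycle are invented for the example, and shared_ptr::use_count() stands in for the reference count the entry talks about. The point it shows is the sweep rule: a block is freed only when the GC holds the sole reference and the conservative stack scan did not mark it, so dropping the Executable's reference is all a replacement has to do and no explicit jettison call is needed.

```cpp
#include <memory>
#include <set>
#include <vector>

// Toy stand-in for JSC::CodeBlock: all we track is whether the most recent
// conservative stack scan saw a pointer to it. (Invented for this example.)
struct CodeBlock {
    explicit CodeBlock(int id) : id(id) { }
    int id;
    bool marked = false;
};

// Toy model of the GC-owned CodeBlockSet. Every CodeBlock lives here for its
// whole life; shared_ptr::use_count() plays the role of the reference count,
// so use_count() == 1 means "owned solely by the GC".
class ToyCodeBlockSet {
public:
    void add(std::shared_ptr<CodeBlock> block) { m_blocks.insert(std::move(block)); }

    void clearMarks()
    {
        for (const auto& block : m_blocks)
            block->marked = false;
    }

    // Called for each candidate pointer the conservative stack scan turned up.
    void mark(const CodeBlock* candidate)
    {
        for (const auto& block : m_blocks) {
            if (block.get() == candidate)
                block->marked = true;
        }
    }

    // Free a block only if nothing but the GC references it AND it is not on
    // the stack. Freeing a block that is still on the stack would leave running
    // code pointing at released memory. Returns how many blocks were freed.
    size_t deleteUnmarkedAndUnreferenced()
    {
        size_t freed = 0;
        for (auto it = m_blocks.begin(); it != m_blocks.end();) {
            if (!(*it)->marked && it->use_count() == 1) {
                it = m_blocks.erase(it);
                ++freed;
            } else
                ++it;
        }
        return freed;
    }

    // One collection: clear marks, mark from the stack roots, then sweep.
    size_t runCycle(const std::vector<const CodeBlock*>& stackRoots)
    {
        clearMarks();
        for (const CodeBlock* root : stackRoots)
            mark(root);
        return deleteUnmarkedAndUnreferenced();
    }

    size_t size() const { return m_blocks.size(); }

private:
    std::set<std::shared_ptr<CodeBlock>> m_blocks;
};
```

In the scenario the test below walks through, block 2 survives the first cycle purely because a stack root points at it; once nothing on the stack refers to it and nothing else owns it, the next cycle frees it, and block 1 goes away as soon as its "Executable" drops the reference, with no explicit jettison step.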
2013-09-02 Darin Adler <darin@apple.com>

        [Mac] No need for HardAutorelease, which is same as CFBridgingRelease
        https://bugs.webkit.org/show_bug.cgi?id=120569

        Reviewed by Andy Estes.

        * API/JSValue.mm:
        (valueToString): Use CFBridgingRelease.

2013-08-30 Filip Pizlo <fpizlo@apple.com>

        CodeBlock refactoring broke profile dumping
        https://bugs.webkit.org/show_bug.cgi?id=120551

        Reviewed by Michael Saboff.

        Fixed the bug, and did a big clean-up of how Executable returns CodeBlocks. A lot
        of the problems we have with code like CodeBlock::baselineVersion() is that we
        were trying *way too hard* to side-step the fact that Executable can't return a
        CodeBlock*. Previously it could only return CodeBlock&, so if it didn't have a
        CodeBlock yet, you were screwed. And if you didn't know, or weren't sure, if it
        did have a CodeBlock, you were really going to have a bad time. Also it really
        bugs me that the methods were called generatedBytecode(). In all other contexts
        if you ask for a CodeBlock, then the method to call is codeBlock(). So I made all
        of those changes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineVersion):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::CodeBlock::globalObjectFor):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hash):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITCode.h:
        (JSC::JITCode::isExecutableScript):
        (JSC::JITCode::isLowerTier):
        * jit/JITStubs.cpp:
        (JSC::lazyLinkFor):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/Executable.h:
        (JSC::EvalExecutable::codeBlock):
        (JSC::ProgramExecutable::codeBlock):
        (JSC::FunctionExecutable::eitherCodeBlock):
        (JSC::FunctionExecutable::codeBlockForCall):
        (JSC::FunctionExecutable::codeBlockForConstruct):
        (JSC::FunctionExecutable::codeBlockFor):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):

2013-08-30 Oliver Hunt <oliver@apple.com>

        Implement ES6 Set class
        https://bugs.webkit.org/show_bug.cgi?id=120549

        Reviewed by Filip Pizlo.

        We simply reuse the MapData type from JSMap, making it
        much simpler.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setStructure):
        * runtime/JSSet.cpp: Added.
        (JSC::JSSet::visitChildren):
        (JSC::JSSet::finishCreation):
        * runtime/JSSet.h: Added.
        (JSC::JSSet::createStructure):
        (JSC::JSSet::create):
        (JSC::JSSet::mapData):
        (JSC::JSSet::JSSet):
        * runtime/SetConstructor.cpp: Added.
        (JSC::SetConstructor::finishCreation):
        (JSC::callSet):
        (JSC::constructSet):
        (JSC::SetConstructor::getConstructData):
        (JSC::SetConstructor::getCallData):
        * runtime/SetConstructor.h: Added.
        (JSC::SetConstructor::create):
        (JSC::SetConstructor::createStructure):
        (JSC::SetConstructor::SetConstructor):
        * runtime/SetPrototype.cpp: Added.
        (JSC::SetPrototype::finishCreation):
        (JSC::getMapData):
        (JSC::setProtoFuncAdd):
        (JSC::setProtoFuncClear):
        (JSC::setProtoFuncDelete):
        (JSC::setProtoFuncForEach):
        (JSC::setProtoFuncHas):
        (JSC::setProtoFuncSize):
        * runtime/SetPrototype.h: Added.
        (JSC::SetPrototype::create):
        (JSC::SetPrototype::createStructure):
        (JSC::SetPrototype::SetPrototype):

2013-08-30 Oliver Hunt <oliver@apple.com>

        Make JSValue bool conversion less dangerous
        https://bugs.webkit.org/show_bug.cgi?id=120505

        Reviewed by Darin Adler.

        Replaces JSValue::operator bool() with an operator UnspecifiedBoolType* as
        we do elsewhere. Then fix the places where terrible type coercion was
        happening. All of the changes made had no fundamental behavioural impact
        as they were coercion results that were ignored (returning undefined
        after an exception).

        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::hadException):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::operator UnspecifiedBoolType*):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::equalTo):

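Added illustration, not part of the ChangeLog or of JavaScriptCore: the two conversion operators side by side, with std::is_convertible checks for what each one lets the compiler do silently. LooseValue, SafeValue and ExplicitValue are names invented for the example; SafeValue uses the pointer-to-member form of the UnspecifiedBoolType idiom the entry mentions, and ExplicitValue shows the C++11 explicit operator bool that modern code uses for the same purpose.

```cpp
#include <type_traits>

// Before: a plain conversion operator. bool promotes to int, so this value
// silently takes part in arithmetic and comparisons it was never meant for.
// (Invented type for this example, not JSC's JSValue.)
struct LooseValue {
    int bits;
    operator bool() const { return bits != 0; }
};

// After: the idiom the entry switches to. The value converts to a pointer-to-member
// type that nothing else in the program uses, so `if (v)`, `!v` and `v && w` still
// work, but there is no conversion path from it to int, double or another value type.
struct SafeValue {
    int bits;
    typedef void (SafeValue::*UnspecifiedBoolType)() const;
    void unspecifiedBoolTrue() const { }
    operator UnspecifiedBoolType() const { return bits ? &SafeValue::unspecifiedBoolTrue : nullptr; }
};

// C++11 and later get the same protection from an explicit conversion operator.
struct ExplicitValue {
    int bits;
    explicit operator bool() const { return bits != 0; }
};

// What each type lets the compiler do implicitly.
static_assert(std::is_convertible<LooseValue, bool>::value, "usable in conditions");
static_assert(std::is_convertible<LooseValue, int>::value, "bool promotes to int: the danger");
static_assert(std::is_convertible<SafeValue, bool>::value, "still usable in conditions");
static_assert(!std::is_convertible<SafeValue, int>::value, "no silent integer coercion");
static_assert(!std::is_convertible<SafeValue, double>::value, "no silent floating-point coercion");
static_assert(!std::is_convertible<ExplicitValue, int>::value, "explicit operator bool: same protection");

// The kind of bug the old operator allowed: the author meant to use the value,
// the compiler quietly used its truthiness instead. For bits == 42 this returns 2.
int looseArithmetic(LooseValue v) { return v + 1; }

// With SafeValue the equivalent `v + 1` is a compile error; only boolean tests work.
bool isTruthy(SafeValue v) { return v ? true : false; }
bool bothTruthy(SafeValue a, SafeValue b) { return a && b; }
```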
2013-08-30 Chris Curtis <chris_curtis@apple.com>

        Cleaning errorDescriptionForValue after r154839
        https://bugs.webkit.org/show_bug.cgi?id=120531

        Reviewed by Darin Adler.

        Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue
        can assert again that the parameterized JSValue is !isEmpty().

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-30 Antti Koivisto <antti@apple.com>

        Remove code behind ENABLE(DIALOG_ELEMENT)
        https://bugs.webkit.org/show_bug.cgi?id=120467

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2013-08-29 Andreas Kling <akling@apple.com>

        De-bork Qt build.

        * Target.pri:

2013-08-29 Ryuan Choi <ryuan.choi@samsung.com>

        Unreviewed build fix attempt for Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Renamed JSMapConstructor and JSMapPrototype.

2013-08-29 Ryuan Choi <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29 Andreas Kling <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29 Oliver Hunt <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29 Oliver Hunt <oliver@apple.com>

        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
        New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
        The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
        The most interesting data structure. This roughly corresponds
        to the ES6 notion of MapData. It provides the core JSValue->JSValue
        map implementation. We implement it using 2 hashtables and a flat
        table. Due to the different semantics of string comparisons vs.
        all others we need to have one map keyed by String and the other by
        generic JSValue. The actual table is represented more or less
        exactly as described in the ES6 draft - a single contiguous list of
        key/value pairs. The entire map could be achieved with just this
        table, however we need the HashMaps in order to maintain O(1) lookup.

        Deleted values are simply cleared as the draft says, however the
        implementation compacts the storage on copy as long as there are no
        active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
        Implement Map prototype functions

        * runtime/VM.cpp:
        Add new structures.

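Added illustration, not from the ChangeLog or from JavaScriptCore's MapData: a toy C++ version of the layout the entry describes, namely an insertion-ordered flat table of key/value pairs, one hash index for string keys (compared by content) and one for all other keys (compared by bit pattern), deletion by clearing the slot in place, and compaction that is deferred while an iterator is active. ToyMapData, Key and Value are invented names; the key type is a variant of double and std::string standing in for JSValue, and the bit-pattern comparison folds -0 into +0 and all NaNs together so that lookup behaves like SameValueZero.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <optional>
#include <string>
#include <unordered_map>
#include <variant>
#include <vector>

using Key = std::variant<double, std::string>; // stand-in for a JSValue key (invented for this example)
using Value = std::string;                      // stand-in for a JSValue value

class ToyMapData {
public:
    struct Entry { Key key; Value value; bool live; }; // live == false: deleted, slot cleared in place
    void set(const Key& key, const Value& value)
    {
        if (std::optional<size_t> slot = lookup(key)) { m_entries[*slot].value = value; return; }
        addToIndex(key, m_entries.size());
        m_entries.push_back(Entry { key, value, true });
        ++m_liveCount;
    }

    std::optional<Value> get(const Key& key) const
    {
        std::optional<size_t> slot = lookup(key);
        return slot ? std::optional<Value>(m_entries[*slot].value) : std::nullopt;
    }
    bool remove(const Key& key)
    {
        std::optional<size_t> slot = lookup(key);
        if (!slot) return false;
        if (const std::string* s = std::get_if<std::string>(&key)) m_stringIndex.erase(*s);
        else m_valueIndex.erase(bitsFor(std::get<double>(key)));
        m_entries[*slot].live = false; // cleared, not erased: slot positions stay stable for iterators
        m_entries[*slot].value.clear();
        --m_liveCount;
        return true;
    }
    size_t size() const { return m_liveCount; }
    size_t storageSize() const { return m_entries.size(); } // live entries plus cleared slots

    // Iteration order is flat-table order, skipping cleared slots.
    std::vector<Key> keysInOrder() const
    {
        std::vector<Key> keys;
        for (const Entry& entry : m_entries) if (entry.live) keys.push_back(entry.key);
        return keys;
    }

    // Iterators hold positions into the flat table, so compaction must wait until none are active.
    void beginIteration() { ++m_activeIterators; }
    void endIteration() { --m_activeIterators; }
    // Drop cleared slots and rebuild both indexes. Returns false, leaving the table
    // alone, while any iterator is active.
    bool compact()
    {
        if (m_activeIterators) return false;
        std::vector<Entry> survivors;
        for (Entry& entry : m_entries) if (entry.live) survivors.push_back(std::move(entry));
        m_entries = std::move(survivors);
        m_stringIndex.clear(); m_valueIndex.clear();
        for (size_t i = 0; i < m_entries.size(); ++i) addToIndex(m_entries[i].key, i);
        return true;
    }

private:
    // Non-string keys compare by bit pattern, with -0 folded into +0 and all NaNs
    // folded together so lookup behaves like SameValueZero.
    static uint64_t bitsFor(double d)
    {
        if (d == 0) d = 0.0;
        if (d != d) d = std::numeric_limits<double>::quiet_NaN();
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits);
        return bits;
    }

    std::optional<size_t> lookup(const Key& key) const
    {
        if (const std::string* s = std::get_if<std::string>(&key)) {
            auto it = m_stringIndex.find(*s);
            return it == m_stringIndex.end() ? std::nullopt : std::optional<size_t>(it->second);
        }
        auto it = m_valueIndex.find(bitsFor(std::get<double>(key)));
        return it == m_valueIndex.end() ? std::nullopt : std::optional<size_t>(it->second);
    }
    void addToIndex(const Key& key, size_t slot)
    {
        if (const std::string* s = std::get_if<std::string>(&key)) m_stringIndex[*s] = slot;
        else m_valueIndex[bitsFor(std::get<double>(key))] = slot;
    }

    std::vector<Entry> m_entries;                          // the flat key/value table
    std::unordered_map<std::string, size_t> m_stringIndex; // string keys, compared by content
    std::unordered_map<uint64_t, size_t> m_valueIndex;     // all other keys, by bit pattern
    size_t m_liveCount = 0;
    size_t m_activeIterators = 0;
};
```

Two points worth noticing in the model: a delete leaves storageSize() unchanged until compact() succeeds, which is exactly why the real implementation only compacts when no iterator holds a position into the table; and because the index for non-string keys is built on the normalised bit pattern, -0 and +0 (and every NaN) land on the same entry, as the Map specification requires.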
2013-08-29 Filip Pizlo <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.

        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).

        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.

        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).

        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.

        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().

        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

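Added illustration, not the ChangeLog's or JavaScriptCore's code: a toy worklist keyed by (profiledBlock, mode), mirroring the CompilationKey, CompilationKeyHash and compilationState() names this entry lists. ToyWorklist, CompilationState and complete() are invented for the example. It shows the property the entry is after: an FTL replacement compile and an FTL OSR-entry compile of the same block are two distinct plans, while a second request for an identical plan is recognised as already queued.

```cpp
#include <cstddef>
#include <functional>
#include <unordered_map>

struct CodeBlock { int id; }; // toy stand-in for the profiled CodeBlock (invented for this example)

enum class CompilationMode { DFGMode, FTLMode, FTLForOSREntryMode };
enum class CompilationState { NotCompiled, Compiling, Compiled };

// The worklist key: which block is being compiled *and* what kind of compile
// it is. Two FTL compiles of the same block (replacement vs. loop OSR entry)
// are therefore distinct plans rather than one confusing "in-process compile".
struct CompilationKey {
    CodeBlock* profiledBlock;
    CompilationMode mode;
    bool operator==(const CompilationKey& other) const
    {
        return profiledBlock == other.profiledBlock && mode == other.mode;
    }
};

struct CompilationKeyHash {
    size_t operator()(const CompilationKey& key) const
    {
        // Mix the mode into the pointer hash so the three modes of one block spread out.
        return std::hash<const void*>()(key.profiledBlock) ^ (static_cast<size_t>(key.mode) + 1) * 0x9e3779b9u;
    }
};

class ToyWorklist {
public:
    // Returns false if an identical plan (same block, same mode) is already queued.
    bool enqueue(const CompilationKey& key)
    {
        return m_plans.emplace(key, CompilationState::Compiling).second;
    }

    CompilationState compilationState(const CompilationKey& key) const
    {
        auto it = m_plans.find(key);
        return it == m_plans.end() ? CompilationState::NotCompiled : it->second;
    }

    // Simulates the compile thread finishing one plan; the other plans for the
    // same block are unaffected.
    void complete(const CompilationKey& key)
    {
        auto it = m_plans.find(key);
        if (it != m_plans.end())
            it->second = CompilationState::Compiled;
    }

    size_t size() const { return m_plans.size(); }

private:
    std::unordered_map<CompilationKey, CompilationState, CompilationKeyHash> m_plans;
};
```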
92772013-08-29 Brent Fulgham <bfulgham@apple.com>
9278
9279 [Windows] Unreviewed build fix after r154847.
9280 If you are going to exclude promises, actually exclude the build components.
9281
9282 * interpreter/CallFrame.h: Exclude promise declarations
9283 * runtime/JSGlobalObject.cpp:
9284 (JSC::JSGlobalObject::reset): Exclude promise code.
9285 (JSC::JSGlobalObject::visitChildren): Ditto.
9286 * runtime/VM.cpp: Ditto.
9287 (JSC::VM::VM):
9288 (JSC::VM::~VM):
9289 * runtime/VM.h:
9290
92912013-08-29 Sam Weinig <sam@webkit.org>
9292
9293 Add ENABLE guards for Promises
9294 https://bugs.webkit.org/show_bug.cgi?id=120488
9295
9296 Reviewed by Andreas Kling.
9297
9298 * Configurations/FeatureDefines.xcconfig:
9299 * runtime/JSGlobalObject.cpp:
9300 * runtime/JSGlobalObject.h:
9301 * runtime/JSPromise.cpp:
9302 * runtime/JSPromise.h:
9303 * runtime/JSPromiseCallback.cpp:
9304 * runtime/JSPromiseCallback.h:
9305 * runtime/JSPromiseConstructor.cpp:
9306 * runtime/JSPromiseConstructor.h:
9307 * runtime/JSPromisePrototype.cpp:
9308 * runtime/JSPromisePrototype.h:
9309 * runtime/JSPromiseResolver.cpp:
9310 * runtime/JSPromiseResolver.h:
9311 * runtime/JSPromiseResolverConstructor.cpp:
9312 * runtime/JSPromiseResolverConstructor.h:
9313 * runtime/JSPromiseResolverPrototype.cpp:
9314 * runtime/JSPromiseResolverPrototype.h:
9315
93162013-08-29 Filip Pizlo <fpizlo@apple.com>
9317
9318 Unreviewed, fix FTL build.
9319
9320 * ftl/FTLLowerDFGToLLVM.cpp:
9321 (JSC::FTL::LowerDFGToLLVM::callCheck):
9322
93232013-08-29 Julien Brianceau <jbriance@cisco.com>
9324
9325 REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
9326 https://bugs.webkit.org/show_bug.cgi?id=120080
9327
9328 Reviewed by Michael Saboff.
9329
9330 * jit/JITOpcodes32_64.cpp:
9331 (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.
9332
93332013-08-29 Filip Pizlo <fpizlo@apple.com>
9334
9335 Kill code that became dead after http://trac.webkit.org/changeset/154833
9336
9337 Rubber stamped by Oliver Hunt.
9338
9339 * dfg/DFGDriver.h:
9340
93412013-08-29 Filip Pizlo <fpizlo@apple.com>
9342
9343 CodeBlock's magic for scaling tier-up thresholds should be more reusable
9344 https://bugs.webkit.org/show_bug.cgi?id=120486
9345
9346 Reviewed by Oliver Hunt.
9347
9348 Removed the counterValueForBlah() methods and exposed the reusable scaling logic
9349 as a adjustedCounterValue() method.
9350
9351 * bytecode/CodeBlock.cpp:
9352 (JSC::CodeBlock::adjustedCounterValue):
9353 (JSC::CodeBlock::optimizeAfterWarmUp):
9354 (JSC::CodeBlock::optimizeAfterLongWarmUp):
9355 (JSC::CodeBlock::optimizeSoon):
9356 * bytecode/CodeBlock.h:
9357 * dfg/DFGOSRExitCompilerCommon.cpp:
9358 (JSC::DFG::handleExitCounts):
9359
93602013-08-29 Filip Pizlo <fpizlo@apple.com>
9361
9362 CodeBlock::prepareForExecution() is silly
9363 https://bugs.webkit.org/show_bug.cgi?id=120453
9364
9365 Reviewed by Oliver Hunt.
9366
9367 Instead of saying:
9368
9369 codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)
9370
9371 we should just say:
9372
9373 JIT::compile(stuff, codeBlock, more stuff);
9374
9375 And similarly for the LLInt and DFG.
9376
9377 This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
9378 wrapper that uses the JITType argument to call into the appropriate execution
9379 engine, which is what the user wanted to do in the first place.
9380
9381 * CMakeLists.txt:
9382 * GNUmakefile.list.am:
9383 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9384 * JavaScriptCore.xcodeproj/project.pbxproj:
9385 * Target.pri:
9386 * bytecode/CodeBlock.cpp:
9387 * bytecode/CodeBlock.h:
9388 * dfg/DFGDriver.cpp:
9389 (JSC::DFG::compileImpl):
9390 (JSC::DFG::compile):
9391 * dfg/DFGDriver.h:
9392 (JSC::DFG::tryCompile):
9393 * dfg/DFGOSRExitPreparation.cpp:
9394 (JSC::DFG::prepareCodeOriginForOSRExit):
9395 * dfg/DFGWorklist.cpp:
9396 (JSC::DFG::globalWorklist):
9397 * dfg/DFGWorklist.h:
9398 * jit/JIT.cpp:
9399 (JSC::JIT::privateCompile):
9400 * jit/JIT.h:
9401 (JSC::JIT::compile):
9402 * jit/JITStubs.cpp:
9403 (JSC::DEFINE_STUB_FUNCTION):
9404 * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
9405 (JSC::LLInt::setFunctionEntrypoint):
9406 (JSC::LLInt::setEvalEntrypoint):
9407 (JSC::LLInt::setProgramEntrypoint):
9408 (JSC::LLInt::setEntrypoint):
9409 * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
9410 * llint/LLIntEntrypoints.cpp: Removed.
9411 * llint/LLIntEntrypoints.h: Removed.
9412 * llint/LLIntSlowPaths.cpp:
9413 (JSC::LLInt::jitCompileAndSetHeuristics):
9414 * runtime/Executable.cpp:
9415 (JSC::ScriptExecutable::prepareForExecutionImpl):
9416
94172013-08-29 Mark Lam <mark.lam@apple.com>
9418
9419 Gardening: fixed broken non-DFG build.
9420 https://bugs.webkit.org/show_bug.cgi?id=120481.
9421
9422 Not reviewed.
9423
9424 * interpreter/StackIterator.h:
9425
94262013-08-29 Filip Pizlo <fpizlo@apple.com>
9427
9428 CodeBlock compilation and installation should be simplified and rationalized
9429 https://bugs.webkit.org/show_bug.cgi?id=120326
9430
9431 Reviewed by Oliver Hunt.
9432
9433 Rolling r154804 back in after fixing no-LLInt build.
9434
9435 Previously Executable owned the code for generating JIT code; you always had
9436 to go through Executable. But often you also had to go through CodeBlock,
9437 because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
9438 So you'd ask CodeBlock to do something, which would dispatch through a
9439 virtual method that would select the appropriate Executable subtype's method.
9440 This all meant that the same code would often be duplicated, because most of
9441 the work needed to compile something was identical regardless of code type.
9442 But then we tried to fix this, by having templatized helpers in
9443 ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
9444 out what happened when you asked for something to be compiled, you'd go on a
9445 wild ride that started with CodeBlock, touched upon Executable, and then
9446 ricocheted into either ExecutionHarness or JITDriver (likely both).
9447
9448 Another awkwardness was that for concurrent compiles, the DFG::Worklist had
9449 super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
9450 done once the compilation finished.
9451
9452 Also, most of the DFG JIT drivers assumed that they couldn't install the
9453 JITCode into the CodeBlock directly - instead they would return it via a
9454 reference, which happened to be a reference to the JITCode pointer in
9455 Executable. This was super weird.
9456
9457 Finally, there was no notion of compiling code into a special CodeBlock that
9458 wasn't used for handling calls into an Executable. I'd like this for FTL OSR
9459 entry.
9460
9461 This patch solves these problems by reducing all of that complexity into just
9462 three primitives:
9463
9464 - Executable::newCodeBlock(). This gives you a new code block, either for call
9465 or for construct, and either to serve as the baseline code or the optimized
9466 code. The new code block is then owned by the caller; Executable doesn't
9467 register it anywhere. The new code block has no JITCode and isn't callable,
9468 but it has all of the bytecode.
9469
9470 - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
9471 produces a JITCode, and then installs the JITCode into the CodeBlock. This
9472 method takes a JITType, and always compiles with that JIT. If you ask for
9473 JITCode::InterpreterThunk then you'll get JITCode that just points to the
9474 LLInt entrypoints. Once this returns, it is possible to call into the
9475 CodeBlock if you do so manually - but the Executable still won't know about
9476 it so JS calls to that Executable will still be routed to whatever CodeBlock
9477 is associated with the Executable.
9478
9479 - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
9480 entry for that Executable. This involves unlinking the Executable's last
9481 CodeBlock, if there was one. This also tells the GC about any effect on
9482 memory usage and does a bunch of weird data structure rewiring, since
9483 Executable caches some of CodeBlock's fields for the benefit of virtual call
9484 fast paths.
9485
9486 This functionality is then wrapped around three convenience methods:
9487
9488 - Executable::prepareForExecution(). If there is no code block for that
9489 Executable, then one is created (newCodeBlock()), compiled
9490 (CodeBlock::prepareForExecution()) and installed (installCode()).
9491
9492 - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
9493 can serve as an optimized replacement of the current one.
9494
9495 - CodeBlock::install(). Asks the Executable to install this code block.
9496
9497 This patch allows me to kill *a lot* of code and to remove a lot of
9498 specializations for functions vs. not-functions, and a lot of places where we
9499 pass around JITCode references and such. ExecutionHarness and JITDriver are
9500 both gone. Overall this patch has more red than green.
9501
9502 It also allows me to work on FTL OSR entry and tier-up:
9503
9504 - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
9505 to do some compilation, but it will require the DFG::Worklist to do
9506 something different than what JITStubs.cpp would want, once the compilation
9507 finishes. This patch introduces a callback mechanism for that purpose.
9508
9509 - FTL OSR entry: this will involve creating a special auto-jettisoned
9510 CodeBlock that is used only for FTL OSR entry. The new set of primitives
9511 allows for this: Executable can vend you a fresh new CodeBlock, and you can
9512 ask that CodeBlock to compile itself with any JIT of your choosing. Or you
9513 can take that CodeBlock and compile it yourself. Previously the act of
9514 producing a CodeBlock-for-optimization and the act of compiling code for it
9515 were tightly coupled; now you can separate them and you can create such
9516 auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
9517
9518 * CMakeLists.txt:
9519 * GNUmakefile.list.am:
9520 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9521 * JavaScriptCore.xcodeproj/project.pbxproj:
9522 * Target.pri:
9523 * bytecode/CodeBlock.cpp:
9524 (JSC::CodeBlock::unlinkIncomingCalls):
9525 (JSC::CodeBlock::prepareForExecutionImpl):
9526 (JSC::CodeBlock::prepareForExecution):
9527 (JSC::CodeBlock::prepareForExecutionAsynchronously):
9528 (JSC::CodeBlock::install):
9529 (JSC::CodeBlock::newReplacement):
9530 (JSC::FunctionCodeBlock::jettisonImpl):
9531 * bytecode/CodeBlock.h:
9532 (JSC::CodeBlock::hasBaselineJITProfiling):
9533 * bytecode/DeferredCompilationCallback.cpp: Added.
9534 (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
9535 (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
9536 * bytecode/DeferredCompilationCallback.h: Added.
9537 * dfg/DFGDriver.cpp:
9538 (JSC::DFG::tryCompile):
9539 * dfg/DFGDriver.h:
9540 (JSC::DFG::tryCompile):
9541 * dfg/DFGFailedFinalizer.cpp:
9542 (JSC::DFG::FailedFinalizer::finalize):
9543 (JSC::DFG::FailedFinalizer::finalizeFunction):
9544 * dfg/DFGFailedFinalizer.h:
9545 * dfg/DFGFinalizer.h:
9546 * dfg/DFGJITFinalizer.cpp:
9547 (JSC::DFG::JITFinalizer::finalize):
9548 (JSC::DFG::JITFinalizer::finalizeFunction):
9549 * dfg/DFGJITFinalizer.h:
9550 * dfg/DFGOSRExitPreparation.cpp:
9551 (JSC::DFG::prepareCodeOriginForOSRExit):
9552 * dfg/DFGOperations.cpp:
9553 * dfg/DFGPlan.cpp:
9554 (JSC::DFG::Plan::Plan):
9555 (JSC::DFG::Plan::compileInThreadImpl):
9556 (JSC::DFG::Plan::notifyReady):
9557 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
9558 (JSC::DFG::Plan::finalizeAndNotifyCallback):
9559 * dfg/DFGPlan.h:
9560 * dfg/DFGSpeculativeJIT32_64.cpp:
9561 (JSC::DFG::SpeculativeJIT::compile):
9562 * dfg/DFGWorklist.cpp:
9563 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9564 (JSC::DFG::Worklist::runThread):
9565 * ftl/FTLJITFinalizer.cpp:
9566 (JSC::FTL::JITFinalizer::finalize):
9567 (JSC::FTL::JITFinalizer::finalizeFunction):
9568 * ftl/FTLJITFinalizer.h:
9569 * heap/Heap.h:
9570 (JSC::Heap::isDeferred):
9571 * interpreter/Interpreter.cpp:
9572 (JSC::Interpreter::execute):
9573 (JSC::Interpreter::executeCall):
9574 (JSC::Interpreter::executeConstruct):
9575 (JSC::Interpreter::prepareForRepeatCall):
9576 * jit/JITDriver.h: Removed.
9577 * jit/JITStubs.cpp:
9578 (JSC::DEFINE_STUB_FUNCTION):
9579 (JSC::jitCompileFor):
9580 (JSC::lazyLinkFor):
9581 * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
9582 (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
9583 (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
9584 (JSC::JITToDFGDeferredCompilationCallback::create):
9585 (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
9586 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
9587 * jit/JITToDFGDeferredCompilationCallback.h: Added.
9588 * llint/LLIntEntrypoints.cpp:
9589 (JSC::LLInt::setFunctionEntrypoint):
9590 (JSC::LLInt::setEvalEntrypoint):
9591 (JSC::LLInt::setProgramEntrypoint):
9592 * llint/LLIntEntrypoints.h:
9593 * llint/LLIntSlowPaths.cpp:
9594 (JSC::LLInt::jitCompileAndSetHeuristics):
9595 (JSC::LLInt::setUpCall):
9596 * runtime/ArrayPrototype.cpp:
9597 (JSC::isNumericCompareFunction):
9598 * runtime/CommonSlowPaths.cpp:
9599 * runtime/CompilationResult.cpp:
9600 (WTF::printInternal):
9601 * runtime/CompilationResult.h:
9602 * runtime/Executable.cpp:
9603 (JSC::ScriptExecutable::installCode):
9604 (JSC::ScriptExecutable::newCodeBlockFor):
9605 (JSC::ScriptExecutable::newReplacementCodeBlockFor):
9606 (JSC::ScriptExecutable::prepareForExecutionImpl):
9607 * runtime/Executable.h:
9608 (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
9609 (JSC::ExecutableBase::offsetOfNumParametersFor):
9610 (JSC::ScriptExecutable::prepareForExecution):
9611 (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
9612 * runtime/ExecutionHarness.h: Removed.
9613
96142013-08-29 Mark Lam <mark.lam@apple.com>
9615
9616 Change StackIterator to not require writes to the JS stack.
9617 https://bugs.webkit.org/show_bug.cgi?id=119657.
9618
9619 Reviewed by Geoffrey Garen.
9620
9621 * GNUmakefile.list.am:
9622 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9623 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
9624 * JavaScriptCore.xcodeproj/project.pbxproj:
9625 * interpreter/CallFrame.h:
9626 - Removed references to StackIteratorPrivate.h.
9627 * interpreter/StackIterator.cpp:
9628 (JSC::StackIterator::numberOfFrames):
9629 (JSC::StackIterator::gotoFrameAtIndex):
9630 (JSC::StackIterator::gotoNextFrame):
9631 (JSC::StackIterator::resetIterator):
9632 (JSC::StackIterator::find):
9633 (JSC::StackIterator::readFrame):
9634 (JSC::StackIterator::readNonInlinedFrame):
9635 - Reads in the current CallFrame's data for non-inlined frames.
9636 (JSC::inlinedFrameOffset):
9637 - Convenience function to compute the inlined frame offset based on the
9638 CodeOrigin. If the offset is 0, then we're looking at the physical frame.
9639 Otherwise, it's an inlined frame.
9640 (JSC::StackIterator::readInlinedFrame):
9641 - Determines the inlined frame's caller frame. Will read in the caller
9642 frame if it is also an inlined frame i.e. we haven't reached the
9643 outer most frame yet. Otherwise, will call readNonInlinedFrame() to
9644 read on the outer most frame.
9645 This is based on the old StackIterator::Frame::logicalFrame().
9646 (JSC::StackIterator::updateFrame):
9647 - Reads the data of the caller frame of the current one. This function
9648 is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
9649 but is now simplified because it delegates to the readInlinedFrame()
9650 to get the caller for inlined frames.
9651 (JSC::StackIterator::Frame::arguments):
9652 - Fixed to use the inlined frame versions of Arguments::create() and
9653 Arguments::tearOff() when the frame is an inlined frame.
9654 (JSC::StackIterator::Frame::print):
9655 (debugPrintCallFrame):
9656 (debugPrintStack):
9657 - Because sometimes, we want to see the whole stack while debugging.
9658 * interpreter/StackIterator.h:
9659 (JSC::StackIterator::Frame::argumentCount):
9660 (JSC::StackIterator::Frame::callerFrame):
9661 (JSC::StackIterator::Frame::callee):
9662 (JSC::StackIterator::Frame::scope):
9663 (JSC::StackIterator::Frame::codeBlock):
9664 (JSC::StackIterator::Frame::bytecodeOffset):
9665 (JSC::StackIterator::Frame::inlinedFrameInfo):
9666 (JSC::StackIterator::Frame::isJSFrame):
9667 (JSC::StackIterator::Frame::isInlinedFrame):
9668 (JSC::StackIterator::Frame::callFrame):
9669 (JSC::StackIterator::Frame::Frame):
9670 (JSC::StackIterator::Frame::~Frame):
9671 - StackIterator::Frame now caches commonly used accessed values from
9672 the CallFrame. It still delegates argument queries to the CallFrame.
9673 (JSC::StackIterator::operator*):
9674 (JSC::StackIterator::operator->):
9675 (JSC::StackIterator::operator!=):
9676 (JSC::StackIterator::operator++):
9677 (JSC::StackIterator::end):
9678 (JSC::StackIterator::operator==):
9679 * interpreter/StackIteratorPrivate.h: Removed.
9680
9681 2013-08-29 Chris Curtis <chris_curtis@apple.com>
9682
9683 VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
9684 https://bugs.webkit.org/show_bug.cgi?id=120472
9685
9686 Reviewed by Filip Pizlo.
9687
9688 With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
9689 but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
9690 throwException can be called when topCallFrame is set.
9691 * llint/LLIntSlowPaths.cpp:
9692 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
9693 * runtime/CommonSlowPaths.cpp:
9694 (JSC::SLOW_PATH_DECL):
9695 * runtime/CommonSlowPathsExceptions.cpp:
9696 (JSC::CommonSlowPaths::interpreterThrowInCaller):
9697 * runtime/CommonSlowPathsExceptions.h:
9698
9699 Renamed genericThrow -> genericUnwind, because this function no longer has the ability
9700 to throw errors. It unwinds the stack in order to report them.
9701 * dfg/DFGOperations.cpp:
9702 * jit/JITExceptions.cpp:
9703 (JSC::genericUnwind):
9704 (JSC::jitThrowNew):
9705 (JSC::jitThrow):
9706 * jit/JITExceptions.h:
9707 * llint/LLIntExceptions.cpp:
9708 (JSC::LLInt::doThrow):
9709
9710 2013-08-29 Commit Queue <commit-queue@webkit.org>
9711
9712 Unreviewed, rolling out r154804.
9713 http://trac.webkit.org/changeset/154804
9714 https://bugs.webkit.org/show_bug.cgi?id=120477
9715
9716 Broke Windows build (assumes LLInt features not enabled on
9717 this build) (Requested by bfulgham on #webkit).
9718
9719 * CMakeLists.txt:
9720 * GNUmakefile.list.am:
9721 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9722 * JavaScriptCore.xcodeproj/project.pbxproj:
9723 * Target.pri:
9724 * bytecode/CodeBlock.cpp:
9725 (JSC::CodeBlock::linkIncomingCall):
9726 (JSC::CodeBlock::unlinkIncomingCalls):
9727 (JSC::CodeBlock::reoptimize):
9728 (JSC::ProgramCodeBlock::replacement):
9729 (JSC::EvalCodeBlock::replacement):
9730 (JSC::FunctionCodeBlock::replacement):
9731 (JSC::ProgramCodeBlock::compileOptimized):
9732 (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
9733 (JSC::EvalCodeBlock::compileOptimized):
9734 (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
9735 (JSC::FunctionCodeBlock::compileOptimized):
9736 (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
9737 (JSC::ProgramCodeBlock::jitCompileImpl):
9738 (JSC::EvalCodeBlock::jitCompileImpl):
9739 (JSC::FunctionCodeBlock::jitCompileImpl):
9740 * bytecode/CodeBlock.h:
9741 (JSC::CodeBlock::jitType):
9742 (JSC::CodeBlock::jitCompile):
9743 * bytecode/DeferredCompilationCallback.cpp: Removed.
9744 * bytecode/DeferredCompilationCallback.h: Removed.
9745 * dfg/DFGDriver.cpp:
9746 (JSC::DFG::compile):
9747 (JSC::DFG::tryCompile):
9748 (JSC::DFG::tryCompileFunction):
9749 (JSC::DFG::tryFinalizePlan):
9750 * dfg/DFGDriver.h:
9751 (JSC::DFG::tryCompile):
9752 (JSC::DFG::tryCompileFunction):
9753 (JSC::DFG::tryFinalizePlan):
9754 * dfg/DFGFailedFinalizer.cpp:
9755 (JSC::DFG::FailedFinalizer::finalize):
9756 (JSC::DFG::FailedFinalizer::finalizeFunction):
9757 * dfg/DFGFailedFinalizer.h:
9758 * dfg/DFGFinalizer.h:
9759 * dfg/DFGJITFinalizer.cpp:
9760 (JSC::DFG::JITFinalizer::finalize):
9761 (JSC::DFG::JITFinalizer::finalizeFunction):
9762 * dfg/DFGJITFinalizer.h:
9763 * dfg/DFGOSRExitPreparation.cpp:
9764 (JSC::DFG::prepareCodeOriginForOSRExit):
9765 * dfg/DFGOperations.cpp:
9766 * dfg/DFGPlan.cpp:
9767 (JSC::DFG::Plan::Plan):
9768 (JSC::DFG::Plan::compileInThreadImpl):
9769 (JSC::DFG::Plan::finalize):
9770 * dfg/DFGPlan.h:
9771 * dfg/DFGSpeculativeJIT32_64.cpp:
9772 (JSC::DFG::SpeculativeJIT::compile):
9773 * dfg/DFGWorklist.cpp:
9774 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9775 (JSC::DFG::Worklist::runThread):
9776 * ftl/FTLJITFinalizer.cpp:
9777 (JSC::FTL::JITFinalizer::finalize):
9778 (JSC::FTL::JITFinalizer::finalizeFunction):
9779 * ftl/FTLJITFinalizer.h:
9780 * heap/Heap.h:
9781 * interpreter/Interpreter.cpp:
9782 (JSC::Interpreter::execute):
9783 (JSC::Interpreter::executeCall):
9784 (JSC::Interpreter::executeConstruct):
9785 (JSC::Interpreter::prepareForRepeatCall):
9786 * jit/JITDriver.h: Added.
9787 (JSC::jitCompileIfAppropriateImpl):
9788 (JSC::jitCompileFunctionIfAppropriateImpl):
9789 (JSC::jitCompileIfAppropriate):
9790 (JSC::jitCompileFunctionIfAppropriate):
9791 * jit/JITStubs.cpp:
9792 (JSC::DEFINE_STUB_FUNCTION):
9793 (JSC::jitCompileFor):
9794 (JSC::lazyLinkFor):
9795 * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
9796 * jit/JITToDFGDeferredCompilationCallback.h: Removed.
9797 * llint/LLIntEntrypoints.cpp:
9798 (JSC::LLInt::getFunctionEntrypoint):
9799 (JSC::LLInt::getEvalEntrypoint):
9800 (JSC::LLInt::getProgramEntrypoint):
9801 * llint/LLIntEntrypoints.h:
9802 (JSC::LLInt::getEntrypoint):
9803 * llint/LLIntSlowPaths.cpp:
9804 (JSC::LLInt::jitCompileAndSetHeuristics):
9805 (JSC::LLInt::setUpCall):
9806 * runtime/ArrayPrototype.cpp:
9807 (JSC::isNumericCompareFunction):
9808 * runtime/CommonSlowPaths.cpp:
9809 * runtime/CompilationResult.cpp:
9810 (WTF::printInternal):
9811 * runtime/CompilationResult.h:
9812 * runtime/Executable.cpp:
9813 (JSC::EvalExecutable::compileOptimized):
9814 (JSC::EvalExecutable::jitCompile):
9815 (JSC::EvalExecutable::compileInternal):
9816 (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
9817 (JSC::ProgramExecutable::compileOptimized):
9818 (JSC::ProgramExecutable::jitCompile):
9819 (JSC::ProgramExecutable::compileInternal):
9820 (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
9821 (JSC::FunctionExecutable::compileOptimizedForCall):
9822 (JSC::FunctionExecutable::compileOptimizedForConstruct):
9823 (JSC::FunctionExecutable::jitCompileForCall):
9824 (JSC::FunctionExecutable::jitCompileForConstruct):
9825 (JSC::FunctionExecutable::produceCodeBlockFor):
9826 (JSC::FunctionExecutable::compileForCallInternal):
9827 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
9828 (JSC::FunctionExecutable::compileForConstructInternal):
9829 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
9830 * runtime/Executable.h:
9831 (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
9832 (JSC::ExecutableBase::offsetOfNumParametersFor):
9833 (JSC::ExecutableBase::catchRoutineFor):
9834 (JSC::EvalExecutable::compile):
9835 (JSC::ProgramExecutable::compile):
9836 (JSC::FunctionExecutable::compileForCall):
9837 (JSC::FunctionExecutable::compileForConstruct):
9838 (JSC::FunctionExecutable::compileFor):
9839 (JSC::FunctionExecutable::compileOptimizedFor):
9840 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
9841 (JSC::FunctionExecutable::jitCompileFor):
9842 * runtime/ExecutionHarness.h: Added.
9843 (JSC::prepareForExecutionImpl):
9844 (JSC::prepareFunctionForExecutionImpl):
9845 (JSC::installOptimizedCode):
9846 (JSC::prepareForExecution):
9847 (JSC::prepareFunctionForExecution):
9848 (JSC::replaceWithDeferredOptimizedCode):
9849
9850 2013-08-28 Filip Pizlo <fpizlo@apple.com>
9851
9852 CodeBlock compilation and installation should be simplified and rationalized
9853 https://bugs.webkit.org/show_bug.cgi?id=120326
9854
9855 Reviewed by Oliver Hunt.
9856
9857 Previously Executable owned the code for generating JIT code; you always had
9858 to go through Executable. But often you also had to go through CodeBlock,
9859 because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
9860 So you'd ask CodeBlock to do something, which would dispatch through a
9861 virtual method that would select the appropriate Executable subtype's method.
9862 This all meant that the same code would often be duplicated, because most of
9863 the work needed to compile something was identical regardless of code type.
9864 But then we tried to fix this, by having templatized helpers in
9865 ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
9866 out what happened when you asked for something to be compiled, you'd go on a
9867 wild ride that started with CodeBlock, touched upon Executable, and then
9868 ricocheted into either ExecutionHarness or JITDriver (likely both).
9869
9870 Another awkwardness was that for concurrent compiles, the DFG::Worklist had
9871 super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
9872 done once the compilation finished.
9873
9874 Also, most of the DFG JIT drivers assumed that they couldn't install the
9875 JITCode into the CodeBlock directly - instead they would return it via a
9876 reference, which happened to be a reference to the JITCode pointer in
9877 Executable. This was super weird.
9878
9879 Finally, there was no notion of compiling code into a special CodeBlock that
9880 wasn't used for handling calls into an Executable. I'd like this for FTL OSR
9881 entry.
9882
9883 This patch solves these problems by reducing all of that complexity into just
9884 three primitives:
9885
9886 - Executable::newCodeBlock(). This gives you a new code block, either for call
9887 or for construct, and either to serve as the baseline code or the optimized
9888 code. The new code block is then owned by the caller; Executable doesn't
9889 register it anywhere. The new code block has no JITCode and isn't callable,
9890 but it has all of the bytecode.
9891
9892 - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
9893 produces a JITCode, and then installs the JITCode into the CodeBlock. This
9894 method takes a JITType, and always compiles with that JIT. If you ask for
9895 JITCode::InterpreterThunk then you'll get JITCode that just points to the
9896 LLInt entrypoints. Once this returns, it is possible to call into the
9897 CodeBlock if you do so manually - but the Executable still won't know about
9898 it so JS calls to that Executable will still be routed to whatever CodeBlock
9899 is associated with the Executable.
9900
9901 - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
9902 entry for that Executable. This involves unlinking the Executable's last
9903 CodeBlock, if there was one. This also tells the GC about any effect on
9904 memory usage and does a bunch of weird data structure rewiring, since
9905 Executable caches some of CodeBlock's fields for the benefit of virtual call
9906 fast paths.
9907
9908 This functionality is then wrapped around three convenience methods:
9909
9910 - Executable::prepareForExecution(). If there is no code block for that
9911 Executable, then one is created (newCodeBlock()), compiled
9912 (CodeBlock::prepareForExecution()) and installed (installCode()).
9913
9914 - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
9915 can serve as an optimized replacement of the current one.
9916
9917 - CodeBlock::install(). Asks the Executable to install this code block.
9918
9919 This patch allows me to kill *a lot* of code and to remove a lot of
9920 specializations for functions vs. not-functions, and a lot of places where we
9921 pass around JITCode references and such. ExecutionHarness and JITDriver are
9922 both gone. Overall this patch has more red than green.
9923
9924 It also allows me to work on FTL OSR entry and tier-up:
9925
9926 - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
9927 to do some compilation, but it will require the DFG::Worklist to do
9928 something different than what JITStubs.cpp would want, once the compilation
9929 finishes. This patch introduces a callback mechanism for that purpose.
9930
9931 - FTL OSR entry: this will involve creating a special auto-jettisoned
9932 CodeBlock that is used only for FTL OSR entry. The new set of primitives
9933 allows for this: Executable can vend you a fresh new CodeBlock, and you can
9934 ask that CodeBlock to compile itself with any JIT of your choosing. Or you
9935 can take that CodeBlock and compile it yourself. Previously the act of
9936 producing a CodeBlock-for-optimization and the act of compiling code for it
9937 were tightly coupled; now you can separate them and you can create such
9938 auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
9939
9940 * CMakeLists.txt:
9941 * GNUmakefile.list.am:
9942 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9943 * JavaScriptCore.xcodeproj/project.pbxproj:
9944 * Target.pri:
9945 * bytecode/CodeBlock.cpp:
9946 (JSC::CodeBlock::prepareForExecution):
9947 (JSC::CodeBlock::install):
9948 (JSC::CodeBlock::newReplacement):
9949 (JSC::FunctionCodeBlock::jettisonImpl):
9950 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
9951 * bytecode/CodeBlock.h:
9952 (JSC::CodeBlock::hasBaselineJITProfiling):
9953 * bytecode/DeferredCompilationCallback.cpp: Added.
9954 (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
9955 (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
9956 * bytecode/DeferredCompilationCallback.h: Added.
9957 * dfg/DFGDriver.cpp:
9958 (JSC::DFG::tryCompile):
9959 * dfg/DFGDriver.h:
9960 (JSC::DFG::tryCompile):
9961 * dfg/DFGFailedFinalizer.cpp:
9962 (JSC::DFG::FailedFinalizer::finalize):
9963 (JSC::DFG::FailedFinalizer::finalizeFunction):
9964 * dfg/DFGFailedFinalizer.h:
9965 * dfg/DFGFinalizer.h:
9966 * dfg/DFGJITFinalizer.cpp:
9967 (JSC::DFG::JITFinalizer::finalize):
9968 (JSC::DFG::JITFinalizer::finalizeFunction):
9969 * dfg/DFGJITFinalizer.h:
9970 * dfg/DFGOSRExitPreparation.cpp:
9971 (JSC::DFG::prepareCodeOriginForOSRExit):
9972 * dfg/DFGOperations.cpp:
9973 * dfg/DFGPlan.cpp:
9974 (JSC::DFG::Plan::Plan):
9975 (JSC::DFG::Plan::compileInThreadImpl):
9976 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
9977 (JSC::DFG::Plan::finalizeAndNotifyCallback):
9978 * dfg/DFGPlan.h:
9979 * dfg/DFGWorklist.cpp:
9980 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9981 * ftl/FTLJITFinalizer.cpp:
9982 (JSC::FTL::JITFinalizer::finalize):
9983 (JSC::FTL::JITFinalizer::finalizeFunction):
9984 * ftl/FTLJITFinalizer.h:
9985 * heap/Heap.h:
9986 (JSC::Heap::isDeferred):
9987 * interpreter/Interpreter.cpp:
9988 (JSC::Interpreter::execute):
9989 (JSC::Interpreter::executeCall):
9990 (JSC::Interpreter::executeConstruct):
9991 (JSC::Interpreter::prepareForRepeatCall):
9992 * jit/JITDriver.h: Removed.
9993 * jit/JITStubs.cpp:
9994 (JSC::DEFINE_STUB_FUNCTION):
9995 (JSC::jitCompileFor):
9996 (JSC::lazyLinkFor):
9997 * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
9998 (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
9999 (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
10000 (JSC::JITToDFGDeferredCompilationCallback::create):
10001 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
10002 * jit/JITToDFGDeferredCompilationCallback.h: Added.
10003 * llint/LLIntEntrypoints.cpp:
10004 (JSC::LLInt::setFunctionEntrypoint):
10005 (JSC::LLInt::setEvalEntrypoint):
10006 (JSC::LLInt::setProgramEntrypoint):
10007 * llint/LLIntEntrypoints.h:
10008 * llint/LLIntSlowPaths.cpp:
10009 (JSC::LLInt::jitCompileAndSetHeuristics):
10010 (JSC::LLInt::setUpCall):
10011 * runtime/ArrayPrototype.cpp:
10012 (JSC::isNumericCompareFunction):
10013 * runtime/CommonSlowPaths.cpp:
10014 * runtime/CompilationResult.cpp:
10015 (WTF::printInternal):
10016 * runtime/CompilationResult.h:
10017 * runtime/Executable.cpp:
10018 (JSC::ScriptExecutable::installCode):
10019 (JSC::ScriptExecutable::newCodeBlockFor):
10020 (JSC::ScriptExecutable::newReplacementCodeBlockFor):
10021 (JSC::ScriptExecutable::prepareForExecutionImpl):
10022 * runtime/Executable.h:
10023 (JSC::ScriptExecutable::prepareForExecution):
10024 (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
10025 * runtime/ExecutionHarness.h: Removed.
10026
10027 2013-08-28 Chris Curtis <chris_curtis@apple.com>
10028
10029 https://bugs.webkit.org/show_bug.cgi?id=119548
10030 Refactoring Exception throws.
10031
10032 Reviewed by Geoffrey Garen.
10033
10034 Gardening of exception throws. The act of throwing an exception was being handled in
10035 different ways depending on whether the code was running in the LLInt, Baseline JIT,
10036 or the DFG JIT. This made development in the VM exception and error objects difficult.
10037
10038 * runtime/VM.cpp:
10039 (JSC::appendSourceToError):
10040 This function moved from the interpreter into the VM. It views the developer's code
10041 (if there is a codeBlock) to extract what was being evaluated when the error
10042 occurred.
10043
10044 (JSC::VM::throwException):
10045 This function takes in the error object and sets the following:
10046 1: The VM's exception stack
10047 2: The VM's exception
10048 3: Appends extra information on the error message (via appendSourceToError)
10049 4: The error object's line number
10050 5: The error object's column number
10051 6: The error object's sourceURL
10052 7: The error object's stack trace (unless it already exists because the developer
10053 created the error object).
10054
10055 (JSC::VM::getExceptionInfo):
10056 (JSC::VM::setExceptionInfo):
10057 (JSC::VM::clearException):
10058 (JSC::clearExceptionStack):
10059 * runtime/VM.h:
10060 (JSC::VM::exceptionOffset):
10061 (JSC::VM::exception):
10062 (JSC::VM::addressOfException):
10063 (JSC::VM::exceptionStack):
10064 VM exception and exceptionStack are now private data members.
10065
10066 * interpreter/Interpreter.h:
10067 (JSC::ClearExceptionScope::ClearExceptionScope):
10068 Created this structure to temporarily clear the exception within the VM. This is
10069 needed to see if additional errors occur when setting the debugger as we are
10070 unwinding the stack.
10071
10072 * interpreter/Interpreter.cpp:
10073 (JSC::Interpreter::unwind):
10074 Removed the code that would try to add error information if it did not exist.
10075 All of this functionality has moved into the VM and all error information is set
10076 at the time the error occurs.
10077
10078 The rest of these functions reference the new calling convention to throw an error.
10079
10080 * API/APICallbackFunction.h:
10081 (JSC::APICallbackFunction::call):
10082 * API/JSCallbackConstructor.cpp:
10083 (JSC::constructJSCallback):
10084 * API/JSCallbackObjectFunctions.h:
10085 (JSC::::getOwnPropertySlot):
10086 (JSC::::defaultValue):
10087 (JSC::::put):
10088 (JSC::::putByIndex):
10089 (JSC::::deleteProperty):
10090 (JSC::::construct):
10091 (JSC::::customHasInstance):
10092 (JSC::::call):
10093 (JSC::::getStaticValue):
10094 (JSC::::staticFunctionGetter):
10095 (JSC::::callbackGetter):
10096 * debugger/Debugger.cpp:
10097 (JSC::evaluateInGlobalCallFrame):
10098 * debugger/DebuggerCallFrame.cpp:
10099 (JSC::DebuggerCallFrame::evaluate):
10100 * dfg/DFGAssemblyHelpers.h:
10101 (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
10102 * dfg/DFGOperations.cpp:
10103 (JSC::DFG::operationPutByValInternal):
10104 * ftl/FTLLowerDFGToLLVM.cpp:
10105 (JSC::FTL::LowerDFGToLLVM::callCheck):
10106 * heap/Heap.cpp:
10107 (JSC::Heap::markRoots):
10108 * interpreter/CallFrame.h:
10109 (JSC::ExecState::clearException):
10110 (JSC::ExecState::exception):
10111 (JSC::ExecState::hadException):
10112 * interpreter/Interpreter.cpp:
10113 (JSC::eval):
10114 (JSC::loadVarargs):
10115 (JSC::stackTraceAsString):
10116 (JSC::Interpreter::execute):
10117 (JSC::Interpreter::executeCall):
10118 (JSC::Interpreter::executeConstruct):
10119 (JSC::Interpreter::prepareForRepeatCall):
10120 * interpreter/Interpreter.h:
10121 (JSC::ClearExceptionScope::ClearExceptionScope):
10122 * jit/JITCode.cpp:
10123 (JSC::JITCode::execute):
10124 * jit/JITExceptions.cpp:
10125 (JSC::genericThrow):
10126 * jit/JITOpcodes.cpp:
10127 (JSC::JIT::emit_op_catch):
10128 * jit/JITOpcodes32_64.cpp:
10129 (JSC::JIT::privateCompileCTINativeCall):
10130 (JSC::JIT::emit_op_catch):
10131 * jit/JITStubs.cpp:
10132 (JSC::returnToThrowTrampoline):
10133 (JSC::throwExceptionFromOpCall):
10134 (JSC::DEFINE_STUB_FUNCTION):
10135 (JSC::jitCompileFor):
10136 (JSC::lazyLinkFor):
10137 (JSC::putByVal):
10138 (JSC::cti_vm_handle_exception):
10139 * jit/SlowPathCall.h:
10140 (JSC::JITSlowPathCall::call):
10141 * jit/ThunkGenerators.cpp:
10142 (JSC::nativeForGenerator):
10143 * jsc.cpp:
10144 (functionRun):
10145 (functionLoad):
10146 (functionCheckSyntax):
10147 * llint/LLIntExceptions.cpp:
10148 (JSC::LLInt::doThrow):
10149 (JSC::LLInt::returnToThrow):
10150 (JSC::LLInt::callToThrow):
10151 * llint/LLIntSlowPaths.cpp:
10152 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
10153 * llint/LowLevelInterpreter.cpp:
10154 (JSC::CLoop::execute):
10155 * llint/LowLevelInterpreter32_64.asm:
10156 * llint/LowLevelInterpreter64.asm:
10157 * runtime/ArrayConstructor.cpp:
10158 (JSC::constructArrayWithSizeQuirk):
10159 * runtime/CommonSlowPaths.cpp:
10160 (JSC::SLOW_PATH_DECL):
10161 * runtime/CommonSlowPaths.h:
10162 (JSC::CommonSlowPaths::opIn):
10163 * runtime/CommonSlowPathsExceptions.cpp:
10164 (JSC::CommonSlowPaths::interpreterThrowInCaller):
10165 * runtime/Completion.cpp:
10166 (JSC::evaluate):
10167 * runtime/Error.cpp:
10168 (JSC::addErrorInfo):
10169 (JSC::throwTypeError):
10170 (JSC::throwSyntaxError):
10171 * runtime/Error.h:
10172 (JSC::throwVMError):
10173 * runtime/ExceptionHelpers.cpp:
10174 (JSC::throwOutOfMemoryError):
10175 (JSC::throwStackOverflowError):
10176 (JSC::throwTerminatedExecutionException):
10177 * runtime/Executable.cpp:
10178 (JSC::EvalExecutable::create):
10179 (JSC::FunctionExecutable::produceCodeBlockFor):
10180 * runtime/FunctionConstructor.cpp:
10181 (JSC::constructFunction):
10182 (JSC::constructFunctionSkippingEvalEnabledCheck):
10183 * runtime/JSArray.cpp:
10184 (JSC::JSArray::defineOwnProperty):
10185 (JSC::JSArray::put):
10186 (JSC::JSArray::push):
10187 * runtime/JSCJSValue.cpp:
10188 (JSC::JSValue::toObjectSlowCase):
10189 (JSC::JSValue::synthesizePrototype):
10190 (JSC::JSValue::putToPrimitive):
10191 * runtime/JSFunction.cpp:
10192 (JSC::JSFunction::defineOwnProperty):
10193 * runtime/JSGenericTypedArrayViewInlines.h:
10194 (JSC::::create):
10195 (JSC::::createUninitialized):
10196 (JSC::::validateRange):
10197 (JSC::::setWithSpecificType):
10198 * runtime/JSGlobalObjectFunctions.cpp:
10199 (JSC::encode):
10200 (JSC::decode):
10201 (JSC::globalFuncProtoSetter):
10202 * runtime/JSNameScope.cpp:
10203 (JSC::JSNameScope::put):
10204 * runtime/JSONObject.cpp:
10205 (JSC::Stringifier::appendStringifiedValue):
10206 (JSC::Walker::walk):
10207 * runtime/JSObject.cpp:
10208 (JSC::JSObject::put):
10209 (JSC::JSObject::defaultValue):
10210 (JSC::JSObject::hasInstance):
10211 (JSC::JSObject::defaultHasInstance):
10212 (JSC::JSObject::defineOwnNonIndexProperty):
10213 (JSC::throwTypeError):
10214 * runtime/ObjectConstructor.cpp:
10215 (JSC::toPropertyDescriptor):
10216 * runtime/RegExpConstructor.cpp:
10217 (JSC::constructRegExp):
10218 * runtime/StringObject.cpp:
10219 (JSC::StringObject::defineOwnProperty):
10220 * runtime/StringRecursionChecker.cpp:
10221 (JSC::StringRecursionChecker::throwStackOverflowError):
10222
10223 2013-08-28 Zan Dobersek <zdobersek@igalia.com>
10224
10225 [GTK] Add support for building JSC with FTL JIT enabled
10226 https://bugs.webkit.org/show_bug.cgi?id=120270
10227
10228 Reviewed by Filip Pizlo.
10229
10230 * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
10231 compiler flags for the JSC library.
10232 * GNUmakefile.list.am: Add the missing build targets.
10233 * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
10234 failures when using the Clang compiler with the libstdc++ standard library.
10235 (JSC::FTL::mdKindID):
10236 (JSC::FTL::mdString):
10237
10238 2013-08-23 Andy Estes <aestes@apple.com>
10239
10240 Fix issues found by the Clang Static Analyzer
10241 https://bugs.webkit.org/show_bug.cgi?id=120230
10242
10243 Reviewed by Darin Adler.
10244
10245 * API/JSValue.mm:
10246 (valueToString): Don't leak every CFStringRef when in Objective-C GC.
10247 * API/ObjCCallbackFunction.mm:
10248 (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
10249 release m_invocation's target since NSInvocation will do it for us on
10250 -dealloc.
10251 (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
10252 and -release our reference to the copied block.
10253 * API/tests/minidom.c:
10254 (createStringWithContentsOfFile): Free buffer before returning.
10255 * API/tests/testapi.c:
10256 (createStringWithContentsOfFile): Ditto.
10257
10258 2013-08-26 Brent Fulgham <bfulgham@apple.com>
10259
10260 [Windows] Unreviewed build fix after r154629.
10261
10262 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
10263 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
10264
10265 2013-08-26 Ryosuke Niwa <rniwa@webkit.org>
10266
10267 Windows build fix attempt after r154629.
10268
10269 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10270
10271 2013-08-25 Mark Hahnenberg <mhahnenberg@apple.com>
10272
10273 JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possibly reallocing it
10274 https://bugs.webkit.org/show_bug.cgi?id=120278
10275
10276 Reviewed by Geoffrey Garen.
10277
10278 * runtime/JSObject.cpp:
10279 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
10280
10281 2013-08-26 Filip Pizlo <fpizlo@apple.com>
10282
10283 Fix indentation of Executable.h.
10284
10285 Rubber stamped by Mark Hahnenberg.
10286
10287 * runtime/Executable.h:
10288
10289 2013-08-26 Mark Hahnenberg <mhahnenberg@apple.com>
10290
10291 Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
10292 https://bugs.webkit.org/show_bug.cgi?id=120314
10293
10294 Reviewed by Darin Adler.
10295
10296 Currently with the way that defineProperty works, we leave a stray low bit set in
10297 PropertyDescriptor::m_attributes in the following code:
10298
10299 var o = {};
10300 Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
10301
10302 This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1
10303 instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF,
10304 but only the top three bits mean anything. Even in the case above, the top three bits are set
10305 to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
10306
10307 Since some of these attributes and their corresponding values are exposed in the JavaScriptCore
10308 framework's public C API, it's safer to just change how we calculate the default value, which is
10309 where the weirdness was originating from in the first place.
10310
10311 * runtime/PropertyDescriptor.cpp:
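
An added example (not from this entry or from JavaScriptCore) that models the attribute layout described above and shows the stray low bit left by the old default; DontEnum's value of 1 << 2 and the replacement default (OR of the three meaningful bits) are assumptions:

```cpp
// Added example, not JavaScriptCore code. Models the attribute bits the entry
// describes: the lowest meaningful bit (ReadOnly) is bit 1, so the old default
// (DontDelete << 1) - 1 == 0xF also sets bit 0, which nothing ever clears.
#include <cstdint>

namespace attrs {
enum Attribute : unsigned {
    None       = 0,
    ReadOnly   = 1 << 1,   // lowest meaningful bit is bit 1, not bit 0
    DontEnum   = 1 << 2,   // assumed value
    DontDelete = 1 << 3,   // consistent with (DontDelete << 1) - 1 == 0xF
};

// The old default: every bit below DontDelete << 1, i.e. bits 0..3 (0xF).
constexpr unsigned oldDefaultAttributes() { return (DontDelete << 1) - 1; }

// Assumed replacement: only the bits that actually mean something (0xE).
constexpr unsigned newDefaultAttributes() { return ReadOnly | DontEnum | DontDelete; }

// Mirrors defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, ...}):
// start from the default, then clear the bit for each attribute the descriptor turns off.
unsigned attributesForFullyOpenDescriptor(unsigned defaultAttributes) {
    unsigned a = defaultAttributes;
    a &= ~static_cast<unsigned>(ReadOnly);    // writable: true
    a &= ~static_cast<unsigned>(DontEnum);    // enumerable: true
    a &= ~static_cast<unsigned>(DontDelete);  // configurable: true
    return a;  // 0x1 with the old default (bit 0 survives), 0 with the new one
}
} // namespace attrs
```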
10312
10313 2013-08-24 Sam Weinig <sam@webkit.org>
10314
10315 Add support for Promises
10316 https://bugs.webkit.org/show_bug.cgi?id=120260
10317
10318 Reviewed by Darin Adler.
10319
10320 Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
10321 - Despite Promises being defined in the DOM, the implementation is being put in JSC
10322 in preparation for the Promises eventually being defined in ECMAScript.
10323
10324 * CMakeLists.txt:
10325 * DerivedSources.make:
10326 * DerivedSources.pri:
10327 * GNUmakefile.list.am:
10328 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10329 * JavaScriptCore.xcodeproj/project.pbxproj:
10330 * Target.pri:
10331 Add new files.
10332
10333 * jsc.cpp:
10334 Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This means
10335 you can't quite use Promises with the command line tool yet.
10336
10337 * interpreter/CallFrame.h:
10338 (JSC::ExecState::promisePrototypeTable):
10339 (JSC::ExecState::promiseConstructorTable):
10340 (JSC::ExecState::promiseResolverPrototypeTable):
10341 * runtime/VM.cpp:
10342 (JSC::VM::VM):
10343 (JSC::VM::~VM):
10344 * runtime/VM.h:
10345 Add supporting code for the new static lookup tables.
10346
10347 * runtime/CommonIdentifiers.h:
10348 Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
10349
10350 * runtime/JSGlobalObject.cpp:
10351 (JSC::JSGlobalObject::reset):
10352 (JSC::JSGlobalObject::visitChildren):
10353 Add supporting code for Promise and PromiseResolver's constructors and structures.
10354
10355 * runtime/JSGlobalObject.h:
10356 (JSC::TaskContext::~TaskContext):
10357 Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
10358
10359 (JSC::JSGlobalObject::promisePrototype):
10360 (JSC::JSGlobalObject::promiseResolverPrototype):
10361 (JSC::JSGlobalObject::promiseStructure):
10362 (JSC::JSGlobalObject::promiseResolverStructure):
10363 (JSC::JSGlobalObject::promiseCallbackStructure):
10364 (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
10365 Add supporting code for Promise and PromiseResolver's constructors and structures.
10366
10367 * runtime/JSPromise.cpp: Added.
10368 * runtime/JSPromise.h: Added.
10369 * runtime/JSPromiseCallback.cpp: Added.
10370 * runtime/JSPromiseCallback.h: Added.
10371 * runtime/JSPromiseConstructor.cpp: Added.
10372 * runtime/JSPromiseConstructor.h: Added.
10373 * runtime/JSPromisePrototype.cpp: Added.
10374 * runtime/JSPromisePrototype.h: Added.
10375 * runtime/JSPromiseResolver.cpp: Added.
10376 * runtime/JSPromiseResolver.h: Added.
10377 * runtime/JSPromiseResolverConstructor.cpp: Added.
10378 * runtime/JSPromiseResolverConstructor.h: Added.
10379 * runtime/JSPromiseResolverPrototype.cpp: Added.
10380 * runtime/JSPromiseResolverPrototype.h: Added.
10381 Add Promise implementation.
10382
10383 2013-08-26 Zan Dobersek <zdobersek@igalia.com>
10384
10385 Plenty of -Wcast-align warnings in KeywordLookup.h
10386 https://bugs.webkit.org/show_bug.cgi?id=120316
10387
10388 Reviewed by Darin Adler.
10389
10390 * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
10391 the character pointers to types of larger size. This avoids spewing lots of warnings
10392 in the KeywordLookup.h header when compiling with the -Wcast-align option.
10393
10394 2013-08-26 Gavin Barraclough <barraclough@apple.com>
10395
10396 RegExpMatchesArray should not call [[put]]
10397 https://bugs.webkit.org/show_bug.cgi?id=120317
10398
10399 Reviewed by Oliver Hunt.
10400
10401 This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
10402 property called index or input to either of these prototypes will result in broken behavior.
10403
10404 * runtime/RegExpMatchesArray.cpp:
10405 (JSC::RegExpMatchesArray::reifyAllProperties):
10406 - put -> putDirect
10407
10408 2013-08-24 Filip Pizlo <fpizlo@apple.com>
10409
10410 FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
10411 https://bugs.webkit.org/show_bug.cgi?id=120228
10412
10413 Reviewed by Oliver Hunt.
10414
10415 It turns out that there were three problems:
10416
10417 - Using jsNumber() meant that we were converting doubles to integers and then
10418 possibly back again whenever doing a set() between floating point arrays.
10419
10420 - Slow-path accesses to double typed arrays were slower than necessary because
10421 of the to-int conversion attempt.
10422
10423 - The use of JSValue as an intermediate for converting between different types
10424 in typedArray.set() resulted in worse code than I had previously expected.
10425
10426 This patch solves the problem by using template double-dispatch to ensure that
10427 the C++ compiler sees the simplest possible combination of casts between any
10428 combination of typed array types, while still preserving JS and typed array
10429 conversion semantics. Conversions are done as follows:
10430
10431 SourceAdaptor::convertTo<TargetAdaptor>(value)
10432
10433 Internally, convertTo() calls one of three possible methods on TargetAdaptor,
10434 with one method for each of int32_t, uint32_t, and double. This means that the
10435 C++ compiler will at worst see a widening cast to one of those types followed
10436 by a narrowing conversion (not necessarily a cast - may have clamping or the
10437 JS toInt32() function).
10438
10439 This change doesn't just affect typedArray.set(); it also affects slow-path
10440 accesses to typed arrays as well. This patch also adds a bunch of new test
10441 coverage.
10442
10443 This change is a ~50% speed-up on typedArray.set() involving floating point
10444 types.
10445
10446 * GNUmakefile.list.am:
10447 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10448 * JavaScriptCore.xcodeproj/project.pbxproj:
10449 * runtime/GenericTypedArrayView.h:
10450 (JSC::GenericTypedArrayView::set):
10451 * runtime/JSDataViewPrototype.cpp:
10452 (JSC::setData):
10453 * runtime/JSGenericTypedArrayView.h:
10454 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
10455 (JSC::JSGenericTypedArrayView::setIndexQuickly):
10456 * runtime/JSGenericTypedArrayViewInlines.h:
10457 (JSC::::setWithSpecificType):
10458 (JSC::::set):
10459 * runtime/ToNativeFromValue.h: Added.
10460 (JSC::toNativeFromValue):
10461 * runtime/TypedArrayAdaptors.h:
10462 (JSC::IntegralTypedArrayAdaptor::toJSValue):
10463 (JSC::IntegralTypedArrayAdaptor::toDouble):
10464 (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
10465 (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
10466 (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
10467 (JSC::IntegralTypedArrayAdaptor::convertTo):
10468 (JSC::FloatTypedArrayAdaptor::toJSValue):
10469 (JSC::FloatTypedArrayAdaptor::toDouble):
10470 (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
10471 (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
10472 (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
10473 (JSC::FloatTypedArrayAdaptor::convertTo):
10474 (JSC::Uint8ClampedAdaptor::toJSValue):
10475 (JSC::Uint8ClampedAdaptor::toDouble):
10476 (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
10477 (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
10478 (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
10479 (JSC::Uint8ClampedAdaptor::convertTo):
10480
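The conversion semantics the entry above says must be preserved, as an added JavaScript example that is not part of JavaScriptCore or this ChangeLog. The three adaptor families correspond to observable behaviours of typedArray.set() between element types: integral targets wrap modulo 2^n after ToInt32/ToUint32 (NaN and Infinity become 0), float targets simply narrow, and Uint8ClampedArray clamps to [0, 255] with round-half-to-even. The sample values are constructed.

```javascript
// Copy a constructed Float64Array into a target of the given element type and
// return the converted elements as plain numbers.
function convertVia(TargetCtor, values) {
  const source = new Float64Array(values);   // constructed sample input
  const target = new TargetCtor(source.length);
  target.set(source);                         // element-wise conversion happens here
  return Array.from(target);
}

function demo() {
  const samples = [1.5, 2.5, -1.5, 300.7, -0.5, NaN, Infinity, 4294967297];
  return {
    // IntegralTypedArrayAdaptor behaviour: truncate, then wrap modulo 2^32 / 2^8.
    int32: convertVia(Int32Array, samples),          // [1, 2, -1, 300, 0, 0, 0, 1]
    uint8: convertVia(Uint8Array, samples),          // [1, 2, 255, 44, 0, 0, 0, 1]
    // Uint8ClampedAdaptor behaviour: clamp, ties round to even (1.5 -> 2, 2.5 -> 2).
    clamped: convertVia(Uint8ClampedArray, samples), // [2, 2, 0, 255, 0, 0, 255, 255]
    // FloatTypedArrayAdaptor behaviour: narrow to float32, NaN survives.
    float32: convertVia(Float32Array, [0.1, 16777217, NaN]),
  };
}
```

The uint8 row is the one worth remembering when reviewing code that sizes buffers from user-controlled numbers: 300.7 silently becomes 44 and 2^32+1 becomes 1, with no exception.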
104812013-08-24 Dan Bernstein <mitz@apple.com>
10482
10483 [mac] link against libz in a more civilized manner
10484 https://bugs.webkit.org/show_bug.cgi?id=120258
10485
10486 Reviewed by Darin Adler.
10487
10488 * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
10489 * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
10490 Link Binary With Libraries build phase.
10491
104922013-08-23 Laszlo Papp <lpapp@kde.org>
10493
10494 Failure building with python3
10495 https://bugs.webkit.org/show_bug.cgi?id=106645
10496
10497 Reviewed by Benjamin Poulain.
10498
10499 Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
10500 Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
10501
10502 * disassembler/udis86/itab.py:
10503 (UdItabGenerator.genInsnTable):
10504 * disassembler/udis86/ud_opcode.py:
10505 (UdOpcodeTables.print_table):
10506 * disassembler/udis86/ud_optable.py:
10507 (UdOptableXmlParser.parseDef):
10508 (UdOptableXmlParser.parse):
10509 (printFn):
10510
105112013-08-23 Filip Pizlo <fpizlo@apple.com>
10512
10513 Incorrect TypedArray#set behavior
10514 https://bugs.webkit.org/show_bug.cgi?id=83818
10515
10516 Reviewed by Oliver Hunt and Mark Hahnenberg.
10517
10518 This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
10519 not smart enough to figure out optimal versions for *all* of the cases. But I
10520 did come up with optimal implementations for most of the cases, and I wrote
10521 spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
10522 enough to write optimal code for.
10523
10524 * runtime/JSArrayBufferView.h:
10525 (JSC::JSArrayBufferView::hasArrayBuffer):
10526 * runtime/JSArrayBufferViewInlines.h:
10527 (JSC::JSArrayBufferView::buffer):
10528 (JSC::JSArrayBufferView::existingBufferInButterfly):
10529 (JSC::JSArrayBufferView::neuter):
10530 (JSC::JSArrayBufferView::byteOffset):
10531 * runtime/JSGenericTypedArrayView.h:
10532 * runtime/JSGenericTypedArrayViewInlines.h:
10533 (JSC::::setWithSpecificType):
10534 (JSC::::set):
10535 (JSC::::existingBuffer):
10536
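The "copy via a transfer buffer" case from the entry above, as an added JavaScript example that is not part of JavaScriptCore or this ChangeLog: when source and target views share one ArrayBuffer but differ in element size, a naive forward element copy reads bytes it has already overwritten, whereas the spec-literal path snapshots the source first. The function names specSet and naiveSet are illustrative; the byte pattern is constructed.

```javascript
// Reference implementation of the transfer-buffer rule: snapshot, then write.
function specSet(target, source) {
  const tmp = Array.from(source);
  for (let i = 0; i < tmp.length; i++) target[i] = tmp[i];
}

// Buggy element-by-element copy reading through the live, aliased view.
function naiveSet(target, source) {
  for (let i = 0; i < source.length; i++) target[i] = source[i];
}

// Widen the first four bytes of a buffer into four halfwords, in place.
function run(copy) {
  const buf = new ArrayBuffer(8);
  const u8 = new Uint8Array(buf);
  u8.set([1, 2, 3, 4, 5, 6, 7, 8]);      // constructed sample bytes
  const u16 = new Uint16Array(buf);       // overlapping view, different element size
  copy(u16, u8.subarray(0, 4));
  return Array.from(u16);                 // correct result: [1, 2, 3, 4]
}

const nativeSet = (target, source) => target.set(source);  // the engine's own set()
```

Calling run(specSet) and run(nativeSet) both yield [1, 2, 3, 4]; run(naiveSet) does not, because writing u16[0] clobbers the byte that u8[1] was about to supply (the exact wrong values depend on host endianness).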
105372013-08-23 Alex Christensen <achristensen@apple.com>
10538
10539 Re-separating Win32 and Win64 builds.
10540 https://bugs.webkit.org/show_bug.cgi?id=120178
10541
10542 Reviewed by Brent Fulgham.
10543
10544 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
10545 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
10546 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
10547 Pass PlatformArchitecture as a command line parameter to bash scripts.
10548 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
10549 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
10550 * JavaScriptCore.vcxproj/build-generated-files.sh:
10551 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
10552
105532013-08-22 Filip Pizlo <fpizlo@apple.com>
10554
10555 build-jsc --ftl-jit should work
10556 https://bugs.webkit.org/show_bug.cgi?id=120194
10557
10558 Reviewed by Oliver Hunt.
10559
10560 * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
10561 * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
10562 * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
10563 * ftl/FTLLowerDFGToLLVM.cpp: Build fix
10564 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
10565 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
10566
105672013-08-23 Oliver Hunt <oliver@apple.com>
10568
10569 Re-sort xcode project file
10570
10571 * JavaScriptCore.xcodeproj/project.pbxproj:
10572
105732013-08-23 Oliver Hunt <oliver@apple.com>
10574
10575 Support in memory compression of rarely used data
10576 https://bugs.webkit.org/show_bug.cgi?id=120143
10577
10578 Reviewed by Gavin Barraclough.
10579
10580 Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector. This saves ~200k on google maps.
10581
10582 * Configurations/JavaScriptCore.xcconfig:
10583 * bytecode/UnlinkedCodeBlock.cpp:
10584 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
10585 (JSC::UnlinkedCodeBlock::addExpressionInfo):
10586 * bytecode/UnlinkedCodeBlock.h:
10587
105882013-08-22 Mark Hahnenberg <mhahnenberg@apple.com>
10589
10590 JSObject and JSArray code shouldn't have to tiptoe around garbage collection
10591 https://bugs.webkit.org/show_bug.cgi?id=120179
10592
10593 Reviewed by Geoffrey Garen.
10594
10595 There are many places in the code for JSObject and JSArray where they are manipulating their
10596 Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within
10597 these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks
10598 like it will make this dance even more intricate. To make everybody's lives easier we should use
10599 the DeferGC mechanism in these functions to make these GC critical sections both obvious in the
10600 code and trivially safe. Deferring collections will usually only last marginally longer, thus we
10601 should not incur any additional overhead.
10602
10603 * heap/Heap.h:
10604 * runtime/JSArray.cpp:
10605 (JSC::JSArray::unshiftCountSlowCase):
10606 * runtime/JSObject.cpp:
10607 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
10608 (JSC::JSObject::createInitialUndecided):
10609 (JSC::JSObject::createInitialInt32):
10610 (JSC::JSObject::createInitialDouble):
10611 (JSC::JSObject::createInitialContiguous):
10612 (JSC::JSObject::createArrayStorage):
10613 (JSC::JSObject::convertUndecidedToArrayStorage):
10614 (JSC::JSObject::convertInt32ToArrayStorage):
10615 (JSC::JSObject::convertDoubleToArrayStorage):
10616 (JSC::JSObject::convertContiguousToArrayStorage):
10617 (JSC::JSObject::increaseVectorLength):
10618 (JSC::JSObject::ensureLengthSlow):
10619 * runtime/JSObject.h:
10620 (JSC::JSObject::putDirectInternal):
10621 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
10622 (JSC::JSObject::putDirectWithoutTransition):
10623
106242013-08-22 Filip Pizlo <fpizlo@apple.com>
10625
10626 Update LLVM binary drops and scripts to the latest version from SVN
10627 https://bugs.webkit.org/show_bug.cgi?id=120184
10628
10629 Reviewed by Mark Hahnenberg.
10630
10631 * dfg/DFGPlan.cpp:
10632 (JSC::DFG::Plan::compileInThreadImpl):
10633
106342013-08-22 Gavin Barraclough <barraclough@apple.com>
10635
10636 Don't leak registers for redeclared variables
10637 https://bugs.webkit.org/show_bug.cgi?id=120174
10638
10639 Reviewed by Geoff Garen.
10640
10641 We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
10642 Only allocate new registers when necessary.
10643
10644 No performance impact.
10645
10646 * interpreter/Interpreter.cpp:
10647 (JSC::Interpreter::execute):
10648 * runtime/Executable.cpp:
10649 (JSC::ProgramExecutable::initializeGlobalProperties):
10650 - Don't allocate the register here.
10651 * runtime/JSGlobalObject.cpp:
10652 (JSC::JSGlobalObject::addGlobalVar):
10653 - Allocate the register here instead.
10654
106552013-08-22 Gavin Barraclough <barraclough@apple.com>
10656
10657 https://bugs.webkit.org/show_bug.cgi?id=120128
10658 Remove putDirectVirtual
10659
10660 Unreviewed, checked in commented out code. :-(
10661
10662 * interpreter/Interpreter.cpp:
10663 (JSC::Interpreter::execute):
10664 - delete commented out code
10665
106662013-08-22 Gavin Barraclough <barraclough@apple.com>
10667
10668 Error.stack should not be enumerable
10669 https://bugs.webkit.org/show_bug.cgi?id=120171
10670
10671 Reviewed by Oliver Hunt.
10672
10673 Breaks ECMA tests.
10674
10675 * runtime/ErrorInstance.cpp:
10676 (JSC::ErrorInstance::finishCreation):
10677 - None -> DontEnum
10678
106792013-08-21 Gavin Barraclough <barraclough@apple.com>
10680
10681 https://bugs.webkit.org/show_bug.cgi?id=120128
10682 Remove putDirectVirtual
10683
10684 Reviewed by Sam Weinig.
10685
10686 This could most generously be described as 'vestigial'.
10687 No performance impact.
10688
10689 * API/JSObjectRef.cpp:
10690 (JSObjectSetProperty):
10691 - changed to use defineOwnProperty
10692 * debugger/DebuggerActivation.cpp:
10693 * debugger/DebuggerActivation.h:
10694 - remove putDirectVirtual
10695 * interpreter/Interpreter.cpp:
10696 (JSC::Interpreter::execute):
10697 - changed to use defineOwnProperty
10698 * runtime/ClassInfo.h:
10699 * runtime/JSActivation.cpp:
10700 * runtime/JSActivation.h:
10701 * runtime/JSCell.cpp:
10702 * runtime/JSCell.h:
10703 * runtime/JSGlobalObject.cpp:
10704 * runtime/JSGlobalObject.h:
10705 * runtime/JSObject.cpp:
10706 * runtime/JSObject.h:
10707 * runtime/JSProxy.cpp:
10708 * runtime/JSProxy.h:
10709 * runtime/JSSymbolTableObject.cpp:
10710 * runtime/JSSymbolTableObject.h:
10711 - remove putDirectVirtual
10712 * runtime/PropertyDescriptor.h:
10713 (JSC::PropertyDescriptor::PropertyDescriptor):
10714 - added constructor for convenience
10715
107162013-08-22 Chris Curtis <chris_curtis@apple.com>
10717
10718 errorDescriptionForValue() should not assume error value is an Object
10719 https://bugs.webkit.org/show_bug.cgi?id=119812
10720
10721 Reviewed by Geoffrey Garen.
10722
10723 Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
10724 has no type, the function now returns the empty string.
10725 * runtime/ExceptionHelpers.cpp:
10726 (JSC::errorDescriptionForValue):
10727
107282013-08-22 Julien Brianceau <jbrianceau@nds.com>
10729
10730 Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
10731 https://bugs.webkit.org/show_bug.cgi?id=120107
10732
10733 Reviewed by Yong Li.
10734
10735 EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
10736
10737 * dfg/DFGSpeculativeJIT.h:
10738 (JSC::DFG::SpeculativeJIT::callOperation):
10739
107402013-08-21 Commit Queue <commit-queue@webkit.org>
10741
10742 Unreviewed, rolling out r154416.
10743 http://trac.webkit.org/changeset/154416
10744 https://bugs.webkit.org/show_bug.cgi?id=120147
10745
10746 Broke Windows builds (Requested by rniwa on #webkit).
10747
10748 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
10749 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
10750 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
10751 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
10752 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
10753 * JavaScriptCore.vcxproj/build-generated-files.sh:
10754
107552013-08-21 Gavin Barraclough <barraclough@apple.com>
10756
10757 Clarify var/const/function declaration
10758 https://bugs.webkit.org/show_bug.cgi?id=120144
10759
10760 Reviewed by Sam Weinig.
10761
10762 Add methods to JSGlobalObject to declare vars, consts, and functions.
10763
10764 * runtime/Executable.cpp:
10765 (JSC::ProgramExecutable::initializeGlobalProperties):
10766 * runtime/Executable.h:
10767 - Moved declaration code to JSGlobalObject
10768 * runtime/JSGlobalObject.cpp:
10769 (JSC::JSGlobalObject::addGlobalVar):
10770 - internal implementation of addVar, addConst, addFunction
10771 * runtime/JSGlobalObject.h:
10772 (JSC::JSGlobalObject::addVar):
10773 (JSC::JSGlobalObject::addConst):
10774 (JSC::JSGlobalObject::addFunction):
10775 - Added methods to declare vars, consts, and functions
10776
107772013-08-21 Yi Shen <max.hong.shen@gmail.com>
10778
10779 https://bugs.webkit.org/show_bug.cgi?id=119900
10780 Exception in global setter doesn't unwind correctly
10781
10782 Reviewed by Geoffrey Garen.
10783
10784 Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
10785
10786 * jit/JITStubs.cpp:
10787 (JSC::DEFINE_STUB_FUNCTION):
10788
107892013-08-21 Mark Hahnenberg <mhahnenberg@apple.com>
10790
10791 Rename/refactor setButterfly/setStructure
10792 https://bugs.webkit.org/show_bug.cgi?id=120138
10793
10794 Reviewed by Geoffrey Garen.
10795
10796 setButterfly becomes setStructureAndButterfly.
10797
10798 Also removed the Butterfly* argument from setStructure and just implicitly
10799 used m_butterfly internally since that's what every single client of setStructure
10800 was doing already.
10801
10802 * jit/JITStubs.cpp:
10803 (JSC::DEFINE_STUB_FUNCTION):
10804 * runtime/JSObject.cpp:
10805 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
10806 (JSC::JSObject::createInitialUndecided):
10807 (JSC::JSObject::createInitialInt32):
10808 (JSC::JSObject::createInitialDouble):
10809 (JSC::JSObject::createInitialContiguous):
10810 (JSC::JSObject::createArrayStorage):
10811 (JSC::JSObject::convertUndecidedToInt32):
10812 (JSC::JSObject::convertUndecidedToDouble):
10813 (JSC::JSObject::convertUndecidedToContiguous):
10814 (JSC::JSObject::convertUndecidedToArrayStorage):
10815 (JSC::JSObject::convertInt32ToDouble):
10816 (JSC::JSObject::convertInt32ToContiguous):
10817 (JSC::JSObject::convertInt32ToArrayStorage):
10818 (JSC::JSObject::genericConvertDoubleToContiguous):
10819 (JSC::JSObject::convertDoubleToArrayStorage):
10820 (JSC::JSObject::convertContiguousToArrayStorage):
10821 (JSC::JSObject::switchToSlowPutArrayStorage):
10822 (JSC::JSObject::setPrototype):
10823 (JSC::JSObject::putDirectAccessor):
10824 (JSC::JSObject::seal):
10825 (JSC::JSObject::freeze):
10826 (JSC::JSObject::preventExtensions):
10827 (JSC::JSObject::reifyStaticFunctionsForDelete):
10828 (JSC::JSObject::removeDirect):
10829 * runtime/JSObject.h:
10830 (JSC::JSObject::setStructureAndButterfly):
10831 (JSC::JSObject::setStructure):
10832 (JSC::JSObject::putDirectInternal):
10833 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
10834 (JSC::JSObject::putDirectWithoutTransition):
10835 * runtime/Structure.cpp:
10836 (JSC::Structure::flattenDictionaryStructure):
10837
108382013-08-21 Gavin Barraclough <barraclough@apple.com>
10839
10840 https://bugs.webkit.org/show_bug.cgi?id=120127
10841 Remove JSObject::propertyIsEnumerable
10842
10843 Unreviewed typo fix
10844
10845 * runtime/JSObject.h:
10846 - fix typo
10847
108482013-08-21 Gavin Barraclough <barraclough@apple.com>
10849
10850 https://bugs.webkit.org/show_bug.cgi?id=120139
10851 PropertyDescriptor argument to define methods should be const
10852
10853 Rubber stamped by Sam Weinig.
10854
10855 This should never be modified, and this way we can use rvalues.
10856
10857 * debugger/DebuggerActivation.cpp:
10858 (JSC::DebuggerActivation::defineOwnProperty):
10859 * debugger/DebuggerActivation.h:
10860 * runtime/Arguments.cpp:
10861 (JSC::Arguments::defineOwnProperty):
10862 * runtime/Arguments.h:
10863 * runtime/ClassInfo.h:
10864 * runtime/JSArray.cpp:
10865 (JSC::JSArray::defineOwnProperty):
10866 * runtime/JSArray.h:
10867 * runtime/JSArrayBuffer.cpp:
10868 (JSC::JSArrayBuffer::defineOwnProperty):
10869 * runtime/JSArrayBuffer.h:
10870 * runtime/JSArrayBufferView.cpp:
10871 (JSC::JSArrayBufferView::defineOwnProperty):
10872 * runtime/JSArrayBufferView.h:
10873 * runtime/JSCell.cpp:
10874 (JSC::JSCell::defineOwnProperty):
10875 * runtime/JSCell.h:
10876 * runtime/JSFunction.cpp:
10877 (JSC::JSFunction::defineOwnProperty):
10878 * runtime/JSFunction.h:
10879 * runtime/JSGenericTypedArrayView.h:
10880 * runtime/JSGenericTypedArrayViewInlines.h:
10881 (JSC::::defineOwnProperty):
10882 * runtime/JSGlobalObject.cpp:
10883 (JSC::JSGlobalObject::defineOwnProperty):
10884 * runtime/JSGlobalObject.h:
10885 * runtime/JSObject.cpp:
10886 (JSC::JSObject::putIndexedDescriptor):
10887 (JSC::JSObject::defineOwnIndexedProperty):
10888 (JSC::putDescriptor):
10889 (JSC::JSObject::defineOwnNonIndexProperty):
10890 (JSC::JSObject::defineOwnProperty):
10891 * runtime/JSObject.h:
10892 * runtime/JSProxy.cpp:
10893 (JSC::JSProxy::defineOwnProperty):
10894 * runtime/JSProxy.h:
10895 * runtime/RegExpMatchesArray.h:
10896 (JSC::RegExpMatchesArray::defineOwnProperty):
10897 * runtime/RegExpObject.cpp:
10898 (JSC::RegExpObject::defineOwnProperty):
10899 * runtime/RegExpObject.h:
10900 * runtime/StringObject.cpp:
10901 (JSC::StringObject::defineOwnProperty):
10902 * runtime/StringObject.h:
10903 - make PropertyDescriptor const
10904
109052013-08-21 Filip Pizlo <fpizlo@apple.com>
10906
10907 REGRESSION: Crash under JITCompiler::link while loading Gmail
10908 https://bugs.webkit.org/show_bug.cgi?id=119872
10909
10910 Reviewed by Mark Hahnenberg.
10911
10912 Apparently, unsigned + signed = unsigned. Work around it with a cast.
10913
10914 * dfg/DFGByteCodeParser.cpp:
10915 (JSC::DFG::ByteCodeParser::parseBlock):
10916
109172013-08-21 Alex Christensen <achristensen@apple.com>
10918
10919 <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
10920
10921 Reviewed by Brent Fulgham.
10922
10923 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
10924 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
10925 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
10926 Pass PlatformArchitecture as a command line parameter to bash scripts.
10927 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
10928 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
10929 * JavaScriptCore.vcxproj/build-generated-files.sh:
10930 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
10931
109322013-08-21 Filip Pizlo <fpizlo@apple.com>
10933
10934 Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
10935 https://bugs.webkit.org/show_bug.cgi?id=120099
10936
10937 Reviewed by Mark Hahnenberg.
10938
10939 JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
10940 JSDataView may have ordinary JS indexed properties.
10941
10942 * runtime/ClassInfo.h:
10943 * runtime/JSArrayBufferView.cpp:
10944 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
10945 (JSC::JSArrayBufferView::finishCreation):
10946 * runtime/JSArrayBufferView.h:
10947 (JSC::hasArrayBuffer):
10948 * runtime/JSArrayBufferViewInlines.h:
10949 (JSC::JSArrayBufferView::buffer):
10950 (JSC::JSArrayBufferView::neuter):
10951 (JSC::JSArrayBufferView::byteOffset):
10952 * runtime/JSCell.cpp:
10953 (JSC::JSCell::slowDownAndWasteMemory):
10954 * runtime/JSCell.h:
10955 * runtime/JSDataView.cpp:
10956 (JSC::JSDataView::JSDataView):
10957 (JSC::JSDataView::create):
10958 (JSC::JSDataView::slowDownAndWasteMemory):
10959 * runtime/JSDataView.h:
10960 (JSC::JSDataView::buffer):
10961 * runtime/JSGenericTypedArrayView.h:
10962 * runtime/JSGenericTypedArrayViewInlines.h:
10963 (JSC::::visitChildren):
10964 (JSC::::slowDownAndWasteMemory):
10965
109662013-08-21 Mark Hahnenberg <mhahnenberg@apple.com>
10967
10968 Remove incorrect ASSERT from CopyVisitor::visitItem
10969
10970 Rubber stamped by Filip Pizlo.
10971
10972 * heap/CopyVisitorInlines.h:
10973 (JSC::CopyVisitor::visitItem):
10974
109752013-08-21 Gavin Barraclough <barraclough@apple.com>
10976
10977 https://bugs.webkit.org/show_bug.cgi?id=120127
10978 Remove JSObject::propertyIsEnumerable
10979
10980 Reviewed by Sam Weinig.
10981
10982 This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
10983
10984 * runtime/JSObject.cpp:
10985 * runtime/JSObject.h:
10986 - remove propertyIsEnumerable
10987 * runtime/ObjectPrototype.cpp:
10988 (JSC::objectProtoFuncPropertyIsEnumerable):
10989 - Move implementation here using getOwnPropertyDescriptor directly.
10990
109912013-08-20 Filip Pizlo <fpizlo@apple.com>
10992
10993 DFG should inline new typedArray()
10994 https://bugs.webkit.org/show_bug.cgi?id=120022
10995
10996 Reviewed by Oliver Hunt.
10997
10998 Adds inlining of typed array allocations in the DFG. Any operation of the
10999 form:
11000
11001 new foo(blah)
11002
11003 or:
11004
11005 foo(blah)
11006
11007 where 'foo' is a typed array constructor and 'blah' is exactly one argument,
11008 is turned into the NewTypedArray intrinsic. Later, if child1 (i.e. 'blah')
11009 is predicted integer, we generate inline code for an allocation. Otherwise
11010 it turns into a call to an operation that behaves like the constructor would
11011 if it was passed one argument (i.e. it may wrap a buffer or it may create a
11012 copy of another array, or it may allocate an array of that length).
11013
11014 * bytecode/SpeculatedType.cpp:
11015 (JSC::speculationFromTypedArrayType):
11016 (JSC::speculationFromClassInfo):
11017 * bytecode/SpeculatedType.h:
11018 * dfg/DFGAbstractInterpreterInlines.h:
11019 (JSC::DFG::::executeEffects):
11020 * dfg/DFGBackwardsPropagationPhase.cpp:
11021 (JSC::DFG::BackwardsPropagationPhase::propagate):
11022 * dfg/DFGByteCodeParser.cpp:
11023 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
11024 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
11025 * dfg/DFGCCallHelpers.h:
11026 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
11027 * dfg/DFGCSEPhase.cpp:
11028 (JSC::DFG::CSEPhase::putStructureStoreElimination):
11029 * dfg/DFGClobberize.h:
11030 (JSC::DFG::clobberize):
11031 * dfg/DFGFixupPhase.cpp:
11032 (JSC::DFG::FixupPhase::fixupNode):
11033 * dfg/DFGGraph.cpp:
11034 (JSC::DFG::Graph::dump):
11035 * dfg/DFGNode.h:
11036 (JSC::DFG::Node::hasTypedArrayType):
11037 (JSC::DFG::Node::typedArrayType):
11038 * dfg/DFGNodeType.h:
11039 * dfg/DFGOperations.cpp:
11040 (JSC::DFG::newTypedArrayWithSize):
11041 (JSC::DFG::newTypedArrayWithOneArgument):
11042 * dfg/DFGOperations.h:
11043 (JSC::DFG::operationNewTypedArrayWithSizeForType):
11044 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
11045 * dfg/DFGPredictionPropagationPhase.cpp:
11046 (JSC::DFG::PredictionPropagationPhase::propagate):
11047 * dfg/DFGSafeToExecute.h:
11048 (JSC::DFG::safeToExecute):
11049 * dfg/DFGSpeculativeJIT.cpp:
11050 (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
11051 * dfg/DFGSpeculativeJIT.h:
11052 (JSC::DFG::SpeculativeJIT::callOperation):
11053 * dfg/DFGSpeculativeJIT32_64.cpp:
11054 (JSC::DFG::SpeculativeJIT::compile):
11055 * dfg/DFGSpeculativeJIT64.cpp:
11056 (JSC::DFG::SpeculativeJIT::compile):
11057 * jit/JITOpcodes.cpp:
11058 (JSC::JIT::emit_op_new_object):
11059 * jit/JITOpcodes32_64.cpp:
11060 (JSC::JIT::emit_op_new_object):
11061 * runtime/JSArray.h:
11062 (JSC::JSArray::allocationSize):
11063 * runtime/JSArrayBufferView.h:
11064 (JSC::JSArrayBufferView::allocationSize):
11065 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
11066 (JSC::constructGenericTypedArrayView):
11067 * runtime/JSObject.h:
11068 (JSC::JSFinalObject::allocationSize):
11069 * runtime/TypedArrayType.cpp:
11070 (JSC::constructorClassInfoForType):
11071 * runtime/TypedArrayType.h:
11072 (JSC::indexToTypedArrayType):
11073
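The three one-argument behaviours the entry above says the slow-path operation must reproduce, as an added JavaScript example that is not part of JavaScriptCore or this ChangeLog: an integer allocates zero-filled storage, an ArrayBuffer is wrapped (the new view aliases the buffer's bytes), and an array-like is copied with element conversion into fresh storage. The ChangeLog treats foo(blah) and new foo(blah) alike; engines following ES2015 reject the call form, which the last check records. The sample values are constructed.

```javascript
function describeOneArgumentForms() {
  // 1. Integer argument: allocate n zero-filled elements.
  const byLength = new Int32Array(4);

  // 2. ArrayBuffer argument: wrap it; the view shares the buffer's memory.
  const buf = new ArrayBuffer(8);
  const wrapper = new Int32Array(buf);
  wrapper[0] = 0x41;
  const bytes = new Uint8Array(buf);
  const aliased = bytes[0] === 0x41 || bytes[3] === 0x41;  // holds on little- or big-endian hosts

  // 3. Array-like / typed-array argument: copy with conversion into new storage.
  const src = new Float64Array([1.9, -1.9, 257]);  // constructed sample input
  const copy = new Int8Array(src);                  // 1.9 -> 1, -1.9 -> -1, 257 wraps to 1
  src[0] = 99;                                      // later writes do not reach the copy

  // Call form without `new`: a TypeError in ES2015-and-later engines.
  let callWithoutNewThrows = false;
  try { Int32Array(4); } catch (e) { callWithoutNewThrows = e instanceof TypeError; }

  return {
    byLength: Array.from(byLength),                 // [0, 0, 0, 0]
    aliased,                                        // true
    copy: Array.from(copy),                         // [1, -1, 1]
    copyIndependent: copy[0] === 1 && src[0] === 99, // true
    callWithoutNewThrows,                           // true
  };
}
```

The aliasing case is the one a reviewer should watch for: handing an ArrayBuffer to a typed array constructor does not copy anything, so every view over it sees every other view's writes.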
110742013-08-21 Julien Brianceau <jbrianceau@nds.com>
11075
11076 <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
11077
11078 Reviewed by Geoffrey Garen.
11079
11080 * dfg/DFGOperations.h:
11081
110822013-08-20 Gavin Barraclough <barraclough@apple.com>
11083
11084 https://bugs.webkit.org/show_bug.cgi?id=120093
11085 Remove getOwnPropertyDescriptor trap
11086
11087 Reviewed by Geoff Garen.
11088
11089 All implementations of this method are now called via the method table, and equivalent in behaviour.
11090 Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
11091
11092 * API/JSCallbackObject.h:
11093 * API/JSCallbackObjectFunctions.h:
11094 * debugger/DebuggerActivation.cpp:
11095 * debugger/DebuggerActivation.h:
11096 * runtime/Arguments.cpp:
11097 * runtime/Arguments.h:
11098 * runtime/ArrayConstructor.cpp:
11099 * runtime/ArrayConstructor.h:
11100 * runtime/ArrayPrototype.cpp:
11101 * runtime/ArrayPrototype.h:
11102 * runtime/BooleanPrototype.cpp:
11103 * runtime/BooleanPrototype.h:
11104 - remove getOwnPropertyDescriptor
11105 * runtime/ClassInfo.h:
11106 - remove getOwnPropertyDescriptor from MethodTable
11107 * runtime/DateConstructor.cpp:
11108 * runtime/DateConstructor.h:
11109 * runtime/DatePrototype.cpp:
11110 * runtime/DatePrototype.h:
11111 * runtime/ErrorPrototype.cpp:
11112 * runtime/ErrorPrototype.h:
11113 * runtime/JSActivation.cpp:
11114 * runtime/JSActivation.h:
11115 * runtime/JSArray.cpp:
11116 * runtime/JSArray.h:
11117 * runtime/JSArrayBuffer.cpp:
11118 * runtime/JSArrayBuffer.h:
11119 * runtime/JSArrayBufferView.cpp:
11120 * runtime/JSArrayBufferView.h:
11121 * runtime/JSCell.cpp:
11122 * runtime/JSCell.h:
11123 * runtime/JSDataView.cpp:
11124 * runtime/JSDataView.h:
11125 * runtime/JSDataViewPrototype.cpp:
11126 * runtime/JSDataViewPrototype.h:
11127 * runtime/JSFunction.cpp:
11128 * runtime/JSFunction.h:
11129 * runtime/JSGenericTypedArrayView.h:
11130 * runtime/JSGenericTypedArrayViewInlines.h:
11131 * runtime/JSGlobalObject.cpp:
11132 * runtime/JSGlobalObject.h:
11133 * runtime/JSNotAnObject.cpp:
11134 * runtime/JSNotAnObject.h:
11135 * runtime/JSONObject.cpp:
11136 * runtime/JSONObject.h:
11137 - remove getOwnPropertyDescriptor
11138 * runtime/JSObject.cpp:
11139 (JSC::JSObject::propertyIsEnumerable):
11140 - switch to call new getOwnPropertyDescriptor member function
11141 (JSC::JSObject::getOwnPropertyDescriptor):
11142 - new, based on implementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
11143 (JSC::JSObject::defineOwnNonIndexProperty):
11144 - switch to call new getOwnPropertyDescriptor member function
11145 * runtime/JSObject.h:
11146 * runtime/JSProxy.cpp:
11147 * runtime/JSProxy.h:
11148 * runtime/NamePrototype.cpp:
11149 * runtime/NamePrototype.h:
11150 * runtime/NumberConstructor.cpp:
11151 * runtime/NumberConstructor.h:
11152 * runtime/NumberPrototype.cpp:
11153 * runtime/NumberPrototype.h:
11154 - remove getOwnPropertyDescriptor
11155 * runtime/ObjectConstructor.cpp:
11156 (JSC::objectConstructorGetOwnPropertyDescriptor):
11157 (JSC::objectConstructorSeal):
11158 (JSC::objectConstructorFreeze):
11159 (JSC::objectConstructorIsSealed):
11160 (JSC::objectConstructorIsFrozen):
11161 - switch to call new getOwnPropertyDescriptor member function
11162 * runtime/ObjectConstructor.h:
11163 - remove getOwnPropertyDescriptor
11164 * runtime/PropertyDescriptor.h:
11165 - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
11166 * runtime/RegExpConstructor.cpp:
11167 * runtime/RegExpConstructor.h:
11168 * runtime/RegExpMatchesArray.cpp:
11169 * runtime/RegExpMatchesArray.h:
11170 * runtime/RegExpObject.cpp:
11171 * runtime/RegExpObject.h:
11172 * runtime/RegExpPrototype.cpp:
11173 * runtime/RegExpPrototype.h:
11174 * runtime/StringConstructor.cpp:
11175 * runtime/StringConstructor.h:
11176 * runtime/StringObject.cpp:
11177 * runtime/StringObject.h:
11178 - remove getOwnPropertyDescriptor
11179
111802013-08-20 Mark Hahnenberg <mhahnenberg@apple.com>
11181
11182 <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
11183
11184 Reviewed by Oliver Hunt.
11185
11186 When we flatten an object in dictionary mode, we compact its properties. If the object
11187 had out-of-line storage in the form of a Butterfly prior to this compaction, and after
11188 compaction its properties fit inline, the object's Structure "forgets" that the object
11189 has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
11190 with bytes = 0, which causes all sorts of badness in CopiedSpace.
11191
11192 Instead, after we flatten a dictionary, if properties fit inline we should clear the
11193 Butterfly pointer so that the GC doesn't get confused later.
11194
11195 This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
11196 JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
11197 agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
11198 that the number of bytes reported to SlotVisitor::copyLater is non-zero.
11199
11200 * heap/SlotVisitorInlines.h:
11201 (JSC::SlotVisitor::copyLater):
11202 * runtime/JSObject.cpp:
11203 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
11204 (JSC::JSObject::convertUndecidedToInt32):
11205 (JSC::JSObject::convertUndecidedToDouble):
11206 (JSC::JSObject::convertUndecidedToContiguous):
11207 (JSC::JSObject::convertInt32ToDouble):
11208 (JSC::JSObject::convertInt32ToContiguous):
11209 (JSC::JSObject::genericConvertDoubleToContiguous):
11210 (JSC::JSObject::switchToSlowPutArrayStorage):
11211 (JSC::JSObject::setPrototype):
11212 (JSC::JSObject::putDirectAccessor):
11213 (JSC::JSObject::seal):
11214 (JSC::JSObject::freeze):
11215 (JSC::JSObject::preventExtensions):
11216 (JSC::JSObject::reifyStaticFunctionsForDelete):
11217 (JSC::JSObject::removeDirect):
11218 * runtime/JSObject.h:
11219 (JSC::JSObject::setButterfly):
11220 (JSC::JSObject::putDirectInternal):
11221 (JSC::JSObject::setStructure):
11222 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
11223 * runtime/Structure.cpp:
11224 (JSC::Structure::flattenDictionaryStructure):
11225
11226 2013-08-20 Alex Christensen <achristensen@apple.com>
11227
11228 Compile fix for Win64 after r154156.
11229
11230 Rubber stamped by Oliver Hunt.
11231
11232 * jit/JITStubsMSVC64.asm:
11233 Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
11234 cti_vm_throw_slowpath to cti_vm_handle_exception.
11235
11236 2013-08-20 Alex Christensen <achristensen@apple.com>
11237
11238 <https://webkit.org/b/120076> More work towards a Win64 build
11239
11240 Reviewed by Brent Fulgham.
11241
11242 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
11243 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
11244 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
11245 * JavaScriptCore.vcxproj/copy-files.cmd:
11246 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
11247 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
11248 Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
11249
11250 2013-08-20 Mark Hahnenberg <mhahnenberg@apple.com>
11251
11252 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
11253
11254 Reviewed by Geoffrey Garen.
11255
11256 More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
11257 initializeLazyWriteBarrierFor* wrapper functions more sane.
11258
11259 Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
11260 and index when triggering the WriteBarrier at the end of compilation.
11261
11262 The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
11263 in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
11264 little extra work that really shouldn't have been its responsibility.
11265
11266 * dfg/DFGByteCodeParser.cpp:
11267 (JSC::DFG::ByteCodeParser::addConstant):
11268 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
11269 * dfg/DFGDesiredWriteBarriers.cpp:
11270 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
11271 (JSC::DFG::DesiredWriteBarrier::trigger):
11272 * dfg/DFGDesiredWriteBarriers.h:
11273 (JSC::DFG::DesiredWriteBarriers::add):
11274 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
11275 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
11276 (JSC::DFG::initializeLazyWriteBarrierForConstant):
11277 * dfg/DFGFixupPhase.cpp:
11278 (JSC::DFG::FixupPhase::truncateConstantToInt32):
11279 * dfg/DFGGraph.h:
11280 (JSC::DFG::Graph::constantRegisterForConstant):
11281
11282 2013-08-20 Michael Saboff <msaboff@apple.com>
11283
11284 https://bugs.webkit.org/show_bug.cgi?id=120075
11285 REGRESSION (r128400): BBC4 website not displaying pictures
11286
11287 Reviewed by Oliver Hunt.
11288
11289 * runtime/RegExpMatchesArray.h:
11290 (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
11291 so that the match results will be reified before any other modification to the results array.
11292
11293 2013-08-19 Filip Pizlo <fpizlo@apple.com>
11294
11295 Incorrect behavior on emscripten-compiled cube2hash
11296 https://bugs.webkit.org/show_bug.cgi?id=120033
11297
11298 Reviewed by Mark Hahnenberg.
11299
11300 If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
11301 then we should bail attempts to CSE.
11302
11303 * dfg/DFGCSEPhase.cpp:
11304 (JSC::DFG::CSEPhase::scopedVarLoadElimination):
11305 (JSC::DFG::CSEPhase::scopedVarStoreElimination):
11306
11307 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11308
11309 https://bugs.webkit.org/show_bug.cgi?id=120073
11310 Remove use of GOPD from JSFunction::defineProperty
11311
11312 Reviewed by Oliver Hunt.
11313
11314 Call getOwnPropertySlot to check for existing properties instead.
11315
11316 * runtime/JSFunction.cpp:
11317 (JSC::JSFunction::defineOwnProperty):
11318 - getOwnPropertyDescriptor -> getOwnPropertySlot
11319
11320 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11321
11322 https://bugs.webkit.org/show_bug.cgi?id=120067
11323 Remove getPropertyDescriptor
11324
11325 Reviewed by Oliver Hunt.
11326
11327 This is used by lookupGetter/lookupSetter - this can easily be replaced by getPropertySlot.
11328 Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
11329
11330 * runtime/JSObject.cpp:
11331 * runtime/JSObject.h:
11332 - remove getPropertyDescriptor
11333 * runtime/ObjectPrototype.cpp:
11334 (JSC::objectProtoFuncLookupGetter):
11335 (JSC::objectProtoFuncLookupSetter):
11336 - replace call to getPropertyDescriptor with getPropertySlot
11337 * runtime/PropertyDescriptor.h:
11338 * runtime/PropertySlot.h:
11339 (JSC::PropertySlot::isAccessor):
11340 (JSC::PropertySlot::isCacheableGetter):
11341 (JSC::PropertySlot::getterSetter):
11342 - rename isGetter() to isAccessor()
11343
11344 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11345
11346 https://bugs.webkit.org/show_bug.cgi?id=120054
11347 Remove some dead code following getOwnPropertyDescriptor cleanup
11348
11349 Reviewed by Oliver Hunt.
11350
11351 * runtime/Lookup.h:
11352 (JSC::getStaticFunctionSlot):
11353 - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
11354
11355 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11356
11357 https://bugs.webkit.org/show_bug.cgi?id=120052
11358 Remove custom getOwnPropertyDescriptor for JSProxy
11359
11360 Reviewed by Geoff Garen.
11361
11362 GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul of JSProxy due to the workaround for JSDOMWindow's broken behavior.
11363 Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
11364 object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
11365 assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
11366 the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
11367
11368 * runtime/JSProxy.cpp:
11369 - Remove custom getOwnPropertyDescriptor implementation.
11370 * runtime/PropertyDescriptor.h:
11371 - Modify own property access check to perform toThis conversion.
11372
11373 2013-08-20 Alex Christensen <achristensen@apple.com>
11374
11375 Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
11376 https://bugs.webkit.org/show_bug.cgi?id=119512
11377
11378 Reviewed by Brent Fulgham.
11379
11380 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11381 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11382 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
11383 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
11384 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
11385 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
11386 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
11387 Replaced obj32, bin32, and lib32 with macros for 64-bit build.
11388
11389 2013-08-20 Julien Brianceau <jbrianceau@nds.com>
11390
11391 <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
11392
11393 Reviewed by Allan Sandfeld Jensen.
11394
11395 branchPtrWithPatch() of baseline JIT must ensure that space is available for its
11396 instructions and two constants now that DFG is enabled for sh4 architecture.
11397 These missing ensureSpace calls lead to random crashes.
11398
11399 * assembler/MacroAssemblerSH4.h:
11400 (JSC::MacroAssemblerSH4::branchPtrWithPatch):
11401
11402 2013-08-19 Gavin Barraclough <barraclough@apple.com>
11403
11404 https://bugs.webkit.org/show_bug.cgi?id=120034
11405 Remove custom getOwnPropertyDescriptor for global objects
11406
11407 Reviewed by Geoff Garen.
11408
11409 Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
11410
11411 * runtime/JSGlobalObject.cpp:
11412 - Remove custom getOwnPropertyDescriptor implementation.
11413 * runtime/JSSymbolTableObject.h:
11414 (JSC::symbolTableGet):
11415 - The symbol table does not store the DontDelete attribute, we should be adding it back in.
11416 * runtime/PropertyDescriptor.h:
11417 - JSDOMWindow walks the prototype chain on own access. This is bad, but for now we work around it for the getOwnPropertyDescriptor case.
11418 * runtime/PropertySlot.h:
11419 (JSC::PropertySlot::setUndefined):
11420 - This is used by WebCore when blocking access to properties on cross-frame access.
11421 Mark blocked properties as read-only, non-configurable to prevent defineProperty.
11422
11423 2013-08-17 Filip Pizlo <fpizlo@apple.com>
11424
11425 DFG should inline typedArray.byteOffset
11426 https://bugs.webkit.org/show_bug.cgi?id=119962
11427
11428 Reviewed by Oliver Hunt.
11429
11430 This adds a new node, GetTypedArrayByteOffset, which inlines
11431 typedArray.byteOffset.
11432
11433 Also, I improved a bunch of the clobbering logic related to typed arrays
11434 and clobbering in general. For example, PutByOffset/PutStructure are not
11435 clobber-world so they can be handled by most default cases in CSE. Also,
11436 it's better to use the 'Class_field' notation for typed arrays now that
11437 they no longer involve magical descriptor thingies.
11438
11439 * bytecode/SpeculatedType.h:
11440 * dfg/DFGAbstractHeap.h:
11441 * dfg/DFGAbstractInterpreterInlines.h:
11442 (JSC::DFG::::executeEffects):
11443 * dfg/DFGArrayMode.h:
11444 (JSC::DFG::neverNeedsStorage):
11445 * dfg/DFGCSEPhase.cpp:
11446 (JSC::DFG::CSEPhase::getByValLoadElimination):
11447 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
11448 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
11449 (JSC::DFG::CSEPhase::checkArrayElimination):
11450 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
11451 (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
11452 (JSC::DFG::CSEPhase::performNodeCSE):
11453 * dfg/DFGClobberize.h:
11454 (JSC::DFG::clobberize):
11455 * dfg/DFGFixupPhase.cpp:
11456 (JSC::DFG::FixupPhase::fixupNode):
11457 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
11458 (JSC::DFG::FixupPhase::convertToGetArrayLength):
11459 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
11460 * dfg/DFGNodeType.h:
11461 * dfg/DFGPredictionPropagationPhase.cpp:
11462 (JSC::DFG::PredictionPropagationPhase::propagate):
11463 * dfg/DFGSafeToExecute.h:
11464 (JSC::DFG::safeToExecute):
11465 * dfg/DFGSpeculativeJIT.cpp:
11466 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
11467 * dfg/DFGSpeculativeJIT.h:
11468 * dfg/DFGSpeculativeJIT32_64.cpp:
11469 (JSC::DFG::SpeculativeJIT::compile):
11470 * dfg/DFGSpeculativeJIT64.cpp:
11471 (JSC::DFG::SpeculativeJIT::compile):
11472 * dfg/DFGTypeCheckHoistingPhase.cpp:
11473 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
11474 * runtime/ArrayBuffer.h:
11475 (JSC::ArrayBuffer::offsetOfData):
11476 * runtime/Butterfly.h:
11477 (JSC::Butterfly::offsetOfArrayBuffer):
11478 * runtime/IndexingHeader.h:
11479 (JSC::IndexingHeader::offsetOfArrayBuffer):
11480
11481 2013-08-18 Filip Pizlo <fpizlo@apple.com>
11482
11483 <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
11484
11485 Reviewed by Geoffrey Garen.
11486
11487 * dfg/DFGByteCodeParser.cpp:
11488 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
11489
11490 2013-08-18 Gavin Barraclough <barraclough@apple.com>
11491
11492 https://bugs.webkit.org/show_bug.cgi?id=119995
11493 Start removing custom implementations of getOwnPropertyDescriptor
11494
11495 Reviewed by Oliver Hunt.
11496
11497 This can now typically be implemented in terms of getOwnPropertySlot.
11498 Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
11499 Switch over most classes in JSC & the WebCore bindings generator to use this.
11500
11501 * API/JSCallbackObjectFunctions.h:
11502 * debugger/DebuggerActivation.cpp:
11503 * runtime/Arguments.cpp:
11504 * runtime/ArrayConstructor.cpp:
11505 * runtime/ArrayPrototype.cpp:
11506 * runtime/BooleanPrototype.cpp:
11507 * runtime/DateConstructor.cpp:
11508 * runtime/DatePrototype.cpp:
11509 * runtime/ErrorPrototype.cpp:
11510 * runtime/JSActivation.cpp:
11511 * runtime/JSArray.cpp:
11512 * runtime/JSArrayBuffer.cpp:
11513 * runtime/JSArrayBufferView.cpp:
11514 * runtime/JSCell.cpp:
11515 * runtime/JSDataView.cpp:
11516 * runtime/JSDataViewPrototype.cpp:
11517 * runtime/JSFunction.cpp:
11518 * runtime/JSGenericTypedArrayViewInlines.h:
11519 * runtime/JSNotAnObject.cpp:
11520 * runtime/JSONObject.cpp:
11521 * runtime/JSObject.cpp:
11522 * runtime/NamePrototype.cpp:
11523 * runtime/NumberConstructor.cpp:
11524 * runtime/NumberPrototype.cpp:
11525 * runtime/ObjectConstructor.cpp:
11526 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
11527 * runtime/PropertyDescriptor.h:
11528 - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
11529 * runtime/PropertySlot.h:
11530 (JSC::PropertySlot::isValue):
11531 (JSC::PropertySlot::isGetter):
11532 (JSC::PropertySlot::isCustom):
11533 (JSC::PropertySlot::isCacheableValue):
11534 (JSC::PropertySlot::isCacheableGetter):
11535 (JSC::PropertySlot::isCacheableCustom):
11536 (JSC::PropertySlot::attributes):
11537 (JSC::PropertySlot::getterSetter):
11538 - Add accessors necessary to convert PropertySlot to descriptor.
11539 * runtime/RegExpConstructor.cpp:
11540 * runtime/RegExpMatchesArray.cpp:
11541 * runtime/RegExpMatchesArray.h:
11542 * runtime/RegExpObject.cpp:
11543 * runtime/RegExpPrototype.cpp:
11544 * runtime/StringConstructor.cpp:
11545 * runtime/StringObject.cpp:
11546 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
11547
11548 2013-08-19 Michael Saboff <msaboff@apple.com>
11549
11550 https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
11551
11552 Reviewed by Sam Weinig.
11553
11554 * dfg/DFGSpeculativeJIT32_64.cpp:
11555 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
11556 DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
11557 all versions of fillSpeculateBoolean().
11558
11559 2013-08-19 Michael Saboff <msaboff@apple.com>
11560
11561 https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
11562
11563 Reviewed by Benjamin Poulain.
11564
11565 Change branchTest32 to only use the byte form for 8 bit tests on the lower 4 registers.
11566 Registers 4 through 7 as byte registers are ah, ch, dh and bh instead of sp, bp, si and di.
11567
11568 * assembler/MacroAssemblerX86Common.h:
11569 (JSC::MacroAssemblerX86Common::branchTest32):
11570
11571 2013-08-16 Oliver Hunt <oliver@apple.com>
11572
11573 <https://webkit.org/b/119860> Crash during exception unwinding
11574
11575 Reviewed by Filip Pizlo.
11576
11577 Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
11578 to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
11579
11580 We need this so that Throw and ThrowReferenceError no longer need to be treated as
11581 terminals and the subsequent flush keeps the activation (and other registers) live.
11582
11583 * dfg/DFGAbstractInterpreterInlines.h:
11584 (JSC::DFG::::executeEffects):
11585 * dfg/DFGByteCodeParser.cpp:
11586 (JSC::DFG::ByteCodeParser::parseBlock):
11587 * dfg/DFGClobberize.h:
11588 (JSC::DFG::clobberize):
11589 * dfg/DFGFixupPhase.cpp:
11590 (JSC::DFG::FixupPhase::fixupNode):
11591 * dfg/DFGNode.h:
11592 (JSC::DFG::Node::isTerminal):
11593 * dfg/DFGNodeType.h:
11594 * dfg/DFGPredictionPropagationPhase.cpp:
11595 (JSC::DFG::PredictionPropagationPhase::propagate):
11596 * dfg/DFGSafeToExecute.h:
11597 (JSC::DFG::safeToExecute):
11598 * dfg/DFGSpeculativeJIT32_64.cpp:
11599 (JSC::DFG::SpeculativeJIT::compile):
11600 * dfg/DFGSpeculativeJIT64.cpp:
11601 (JSC::DFG::SpeculativeJIT::compile):
11602
11603 2013-08-19 Víctor Manuel Jáquez Leal <vjaquez@igalia.com>
11604
11605 <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
11606
11607 Reviewed by Oliver Hunt.
11608
11609 Guard the compilation of these files only if DFG_JIT is enabled.
11610
11611 * dfg/DFGDesiredTransitions.cpp:
11612 * dfg/DFGDesiredTransitions.h:
11613 * dfg/DFGDesiredWeakReferences.cpp:
11614 * dfg/DFGDesiredWeakReferences.h:
11615 * dfg/DFGDesiredWriteBarriers.cpp:
11616 * dfg/DFGDesiredWriteBarriers.h:
11617
11618 2013-08-17 Filip Pizlo <fpizlo@apple.com>
11619
11620 REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
11621 https://bugs.webkit.org/show_bug.cgi?id=119961
11622
11623 Reviewed by Mark Hahnenberg.
11624
11625 * dfg/DFGFixupPhase.cpp:
11626 (JSC::DFG::FixupPhase::fixupNode):
11627
11628 2013-08-18 Gavin Barraclough <barraclough@apple.com>
11629
11630 https://bugs.webkit.org/show_bug.cgi?id=119972
11631 Add attributes field to PropertySlot
11632
11633 Reviewed by Geoff Garen.
11634
11635 For all JSC types, this makes getOwnPropertyDescriptor redundant.
11636 There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
11637 (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
11638
11639 No performance impact.
11640
11641 * runtime/PropertySlot.h:
11642 (JSC::PropertySlot::setValue):
11643 (JSC::PropertySlot::setCustom):
11644 (JSC::PropertySlot::setCacheableCustom):
11645 (JSC::PropertySlot::setCustomIndex):
11646 (JSC::PropertySlot::setGetterSlot):
11647 (JSC::PropertySlot::setCacheableGetterSlot):
11648 - These methods now all require 'attributes'.
11649 * runtime/JSObject.h:
11650 (JSC::JSObject::getDirect):
11651 (JSC::JSObject::getDirectOffset):
11652 (JSC::JSObject::inlineGetOwnPropertySlot):
11653 - Added variants of getDirect, getDirectOffset that return the attributes.
11654 * API/JSCallbackObjectFunctions.h:
11655 (JSC::::getOwnPropertySlot):
11656 * runtime/Arguments.cpp:
11657 (JSC::Arguments::getOwnPropertySlotByIndex):
11658 (JSC::Arguments::getOwnPropertySlot):
11659 * runtime/JSActivation.cpp:
11660 (JSC::JSActivation::symbolTableGet):
11661 (JSC::JSActivation::getOwnPropertySlot):
11662 * runtime/JSArray.cpp:
11663 (JSC::JSArray::getOwnPropertySlot):
11664 * runtime/JSArrayBuffer.cpp:
11665 (JSC::JSArrayBuffer::getOwnPropertySlot):
11666 * runtime/JSArrayBufferView.cpp:
11667 (JSC::JSArrayBufferView::getOwnPropertySlot):
11668 * runtime/JSDataView.cpp:
11669 (JSC::JSDataView::getOwnPropertySlot):
11670 * runtime/JSFunction.cpp:
11671 (JSC::JSFunction::getOwnPropertySlot):
11672 * runtime/JSGenericTypedArrayViewInlines.h:
11673 (JSC::::getOwnPropertySlot):
11674 (JSC::::getOwnPropertySlotByIndex):
11675 * runtime/JSObject.cpp:
11676 (JSC::JSObject::getOwnPropertySlotByIndex):
11677 (JSC::JSObject::fillGetterPropertySlot):
11678 * runtime/JSString.h:
11679 (JSC::JSString::getStringPropertySlot):
11680 * runtime/JSSymbolTableObject.h:
11681 (JSC::symbolTableGet):
11682 * runtime/Lookup.cpp:
11683 (JSC::setUpStaticFunctionSlot):
11684 * runtime/Lookup.h:
11685 (JSC::getStaticPropertySlot):
11686 (JSC::getStaticPropertyDescriptor):
11687 (JSC::getStaticValueSlot):
11688 (JSC::getStaticValueDescriptor):
11689 * runtime/RegExpObject.cpp:
11690 (JSC::RegExpObject::getOwnPropertySlot):
11691 * runtime/SparseArrayValueMap.cpp:
11692 (JSC::SparseArrayEntry::get):
11693 - Pass attributes to PropertySlot::set* methods.
11694
11695 2013-08-17 Mark Hahnenberg <mhahnenberg@apple.com>
11696
11697 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
11698
11699 Reviewed by Filip Pizlo.
11700
11701 Added a new mode for DesiredWriteBarrier that allows it to track a position in a
11702 Vector of WriteBarriers rather than the specific address. The fact that we were
11703 arbitrarily storing into a Vector's backing store for constants at the end of
11704 compilation after the Vector could have resized was causing crashes.
11705
11706 * bytecode/CodeBlock.h:
11707 (JSC::CodeBlock::constants):
11708 (JSC::CodeBlock::addConstantLazily):
11709 * dfg/DFGByteCodeParser.cpp:
11710 (JSC::DFG::ByteCodeParser::addConstant):
11711 * dfg/DFGDesiredWriteBarriers.cpp:
11712 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
11713 (JSC::DFG::DesiredWriteBarrier::trigger):
11714 (JSC::DFG::initializeLazyWriteBarrierForConstant):
11715 * dfg/DFGDesiredWriteBarriers.h:
11716 (JSC::DFG::DesiredWriteBarriers::add):
11717 * dfg/DFGFixupPhase.cpp:
11718 (JSC::DFG::FixupPhase::truncateConstantToInt32):
11719 * dfg/DFGGraph.h:
11720 (JSC::DFG::Graph::constantRegisterForConstant):
11721
11722 2013-08-16 Filip Pizlo <fpizlo@apple.com>
11723
11724 DFG should optimize typedArray.byteLength
11725 https://bugs.webkit.org/show_bug.cgi?id=119909
11726
11727 Reviewed by Oliver Hunt.
11728
11729 This adds typedArray.byteLength inlining to the DFG, and does so without changing
11730 the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
11731 legal since the byteLength of a typed array cannot exceed
11732 numeric_limits<int32_t>::max().
11733
11734 * bytecode/SpeculatedType.cpp:
11735 (JSC::typedArrayTypeFromSpeculation):
11736 * bytecode/SpeculatedType.h:
11737 * dfg/DFGArrayMode.cpp:
11738 (JSC::DFG::toArrayType):
11739 * dfg/DFGArrayMode.h:
11740 * dfg/DFGFixupPhase.cpp:
11741 (JSC::DFG::FixupPhase::fixupNode):
11742 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
11743 (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
11744 (JSC::DFG::FixupPhase::convertToGetArrayLength):
11745 (JSC::DFG::FixupPhase::prependGetArrayLength):
11746 * dfg/DFGGraph.h:
11747 (JSC::DFG::Graph::constantRegisterForConstant):
11748 (JSC::DFG::Graph::convertToConstant):
11749 * runtime/TypedArrayType.h:
11750 (JSC::logElementSize):
11751 (JSC::elementSize):
11752
11753 2013-08-16 Filip Pizlo <fpizlo@apple.com>
11754
11755 DFG optimizes out strict mode arguments tear off
11756 https://bugs.webkit.org/show_bug.cgi?id=119504
11757
11758 Reviewed by Mark Hahnenberg and Oliver Hunt.
11759
11760 Don't do the optimization for strict mode.
11761
11762 * dfg/DFGArgumentsSimplificationPhase.cpp:
11763 (JSC::DFG::ArgumentsSimplificationPhase::run):
11764 (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
11765
11766 2013-08-16 Benjamin Poulain <benjamin@webkit.org>
11767
11768 [JSC] x86: improve code generation for xxxTest32
11769 https://bugs.webkit.org/show_bug.cgi?id=119876
11770
11771 Reviewed by Geoffrey Garen.
11772
11773 Try to use testb whenever possible when testing for an immediate value.
11774
11775 When the input is an address and an offset, we can tweak the mask
11776 and offset to be able to generate testb for any byte of the mask.
11777
11778 When the input is a register, we can use testb if we are only interested
11779 in testing the low bits.
11780
11781 * assembler/MacroAssemblerX86Common.h:
11782 (JSC::MacroAssemblerX86Common::branchTest32):
11783 (JSC::MacroAssemblerX86Common::test32):
11784 (JSC::MacroAssemblerX86Common::generateTest32):
11785
11786 2013-08-16 Mark Lam <mark.lam@apple.com>
11787
11788 <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
11789 error message that an object is not a constructor though it expects a function
11790
11791 Reviewed by Michael Saboff.
11792
11793 * jit/JITStubs.cpp:
11794 (JSC::DEFINE_STUB_FUNCTION):
11795
11796 2013-08-16 Filip Pizlo <fpizlo@apple.com>
11797
11798 Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
11799 https://bugs.webkit.org/show_bug.cgi?id=119897
11800
11801 Reviewed by Oliver Hunt.
11802
11803 6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
11804 on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
11805 to turn objects into dictionaries when you're storing using bracket syntax or using
11806 eval is still in place.
11807
11808 * bytecode/CodeBlock.h:
11809 (JSC::CodeBlock::putByIdContext):
11810 * dfg/DFGOperations.cpp:
11811 * jit/JITStubs.cpp:
11812 (JSC::DEFINE_STUB_FUNCTION):
11813 * llint/LLIntSlowPaths.cpp:
11814 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
11815 * runtime/JSObject.h:
11816 (JSC::JSObject::putDirectInternal):
11817 * runtime/PutPropertySlot.h:
11818 (JSC::PutPropertySlot::PutPropertySlot):
11819 (JSC::PutPropertySlot::context):
11820 * runtime/Structure.cpp:
11821 (JSC::Structure::addPropertyTransition):
11822 * runtime/Structure.h:
11823
11824 2013-08-16 Balazs Kilvady <kilvadyb@homejinni.com>
11825
11826 <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
11827
11828 Reviewed by Allan Sandfeld Jensen.
11829
11830 ctiVMHandleException must jump/return using register ra (r31).
11831
11832 * jit/JITStubsMIPS.h:
11833
11834 2013-08-16 Julien Brianceau <jbrianceau@nds.com>
11835
11836 <https://webkit.org/b/119879> Fix sh4 build after r154156.
11837
11838 Reviewed by Allan Sandfeld Jensen.
11839
11840 Fix typo in JITStubsSH4.h file.
11841
11842 * jit/JITStubsSH4.h:
11843
11844 2013-08-15 Mark Hahnenberg <mhahnenberg@apple.com>
11845
11846 <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
11847
11848 Reviewed by Oliver Hunt.
11849
11850 The concurrent compilation thread should interact minimally with the Heap, including not
11851 triggering WriteBarriers. This is a prerequisite for generational GC.
11852
11853 * JavaScriptCore.xcodeproj/project.pbxproj:
11854 * bytecode/CodeBlock.cpp:
11855 (JSC::CodeBlock::addOrFindConstant):
11856 (JSC::CodeBlock::findConstant):
11857 * bytecode/CodeBlock.h:
11858 (JSC::CodeBlock::addConstantLazily):
11859 * dfg/DFGByteCodeParser.cpp:
11860 (JSC::DFG::ByteCodeParser::getJSConstantForValue):
11861 (JSC::DFG::ByteCodeParser::constantUndefined):
11862 (JSC::DFG::ByteCodeParser::constantNull):
11863 (JSC::DFG::ByteCodeParser::one):
11864 (JSC::DFG::ByteCodeParser::constantNaN):
11865 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
11866 * dfg/DFGCommonData.cpp:
11867 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
11868 * dfg/DFGCommonData.h:
11869 * dfg/DFGDesiredTransitions.cpp: Added.
11870 (JSC::DFG::DesiredTransition::DesiredTransition):
11871 (JSC::DFG::DesiredTransition::reallyAdd):
11872 (JSC::DFG::DesiredTransitions::DesiredTransitions):
11873 (JSC::DFG::DesiredTransitions::~DesiredTransitions):
11874 (JSC::DFG::DesiredTransitions::addLazily):
11875 (JSC::DFG::DesiredTransitions::reallyAdd):
11876 * dfg/DFGDesiredTransitions.h: Added.
11877 * dfg/DFGDesiredWeakReferences.cpp: Added.
11878 (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
11879 (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
11880 (JSC::DFG::DesiredWeakReferences::addLazily):
11881 (JSC::DFG::DesiredWeakReferences::reallyAdd):
11882 * dfg/DFGDesiredWeakReferences.h: Added.
11883 * dfg/DFGDesiredWriteBarriers.cpp: Added.
11884 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
11885 (JSC::DFG::DesiredWriteBarrier::trigger):
11886 (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
11887 (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
11888 (JSC::DFG::DesiredWriteBarriers::addImpl):
11889 (JSC::DFG::DesiredWriteBarriers::trigger):
11890 * dfg/DFGDesiredWriteBarriers.h: Added.
11891 (JSC::DFG::DesiredWriteBarriers::add):
11892 (JSC::DFG::initializeLazyWriteBarrier):
11893 * dfg/DFGFixupPhase.cpp:
11894 (JSC::DFG::FixupPhase::truncateConstantToInt32):
11895 * dfg/DFGGraph.h:
11896 (JSC::DFG::Graph::convertToConstant):
11897 * dfg/DFGJITCompiler.h:
11898 (JSC::DFG::JITCompiler::addWeakReference):
11899 * dfg/DFGPlan.cpp:
11900 (JSC::DFG::Plan::Plan):
11901 (JSC::DFG::Plan::reallyAdd):
11902 * dfg/DFGPlan.h:
11903 * dfg/DFGSpeculativeJIT32_64.cpp:
11904 (JSC::DFG::SpeculativeJIT::compile):
11905 * dfg/DFGSpeculativeJIT64.cpp:
11906 (JSC::DFG::SpeculativeJIT::compile):
11907 * runtime/WriteBarrier.h:
11908 (JSC::WriteBarrierBase::set):
11909 (JSC::WriteBarrier::WriteBarrier):
11910
11911 2013-08-15 Benjamin Poulain <benjamin@webkit.org>
11912
11913 Fix x86 32bits build after r154158
11914
11915 * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
11916
11917 2013-08-15 Ryosuke Niwa <rniwa@webkit.org>
11918
11919 Build fix attempt after r154156.
11920
11921 * jit/JITStubs.cpp:
11922 (JSC::cti_vm_handle_exception): encode!
11923
11924 2013-08-15 Benjamin Poulain <benjamin@webkit.org>
11925
11926 [JSC] x86: Use inc and dec when possible
11927 https://bugs.webkit.org/show_bug.cgi?id=119831
11928
11929 Reviewed by Geoffrey Garen.
11930
11931 When incrementing or decrementing by an immediate of 1, use the instructions
11932 inc and dec instead of add and sub.
11933 The instructions have good timing and their encoding is smaller.
11934
11935 * assembler/MacroAssemblerX86Common.h:
11936 (JSC::MacroAssemblerX86_64::add32):
11937 (JSC::MacroAssemblerX86_64::sub32):
11938 * assembler/MacroAssemblerX86_64.h:
11939 (JSC::MacroAssemblerX86_64::add64):
11940 (JSC::MacroAssemblerX86_64::sub64):
11941 * assembler/X86Assembler.h:
11942 (JSC::X86Assembler::dec_r):
11943 (JSC::X86Assembler::decq_r):
11944 (JSC::X86Assembler::inc_r):
11945 (JSC::X86Assembler::incq_r):
11946
11947 2013-08-15 Filip Pizlo <fpizlo@apple.com>
11948
11949 Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
11950 https://bugs.webkit.org/show_bug.cgi?id=119874
11951
11952 Reviewed by Oliver Hunt and Mark Hahnenberg.
11953
11954 It was a confusion between heuristics in DFG::ArrayMode that are assuming that
11955 you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
11956 sometimes for typed array length accesses, and the FixupPhase assuming that a
11957 ForceExit ArrayMode means that it should continue using a generic GetById.
11958
11959 This fixes the confusion.
11960
11961 * dfg/DFGFixupPhase.cpp:
11962 (JSC::DFG::FixupPhase::fixupNode):
11963
11964 2013-08-15 Mark Lam <mark.lam@apple.com>
11965
11966 Fix crash when performing activation tearoff.
11967 https://bugs.webkit.org/show_bug.cgi?id=119848
11968
11969 Reviewed by Oliver Hunt.
11970
11971 The activation tearoff crash was due to a bug in the baseline JIT.
11972 If we have a scenario where a baseline JIT frame calls a LLINT
11973 frame, an exception may be thrown while in the LLINT.
11974
11975 Interpreter::throwException() which handles the exception will unwind
11976 all frames until it finds a catcher or sees a host frame. When we
11977 return from the LLINT to the baseline JIT code, the baseline JIT code
11978 erroneously sets topCallFrame to the value in its call frame register,
11979 and starts unwinding the stack frames that have already been unwound.
11980
11981 The fix is:
11982 1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
11983 This is a more accurate description of what this runtime function
11984 is supposed to do, i.e. it handles the exception, which includes doing
11985 nothing (if there are no more frames to unwind).
11986 2. Fix up topCallFrame values so that the HostCallFrameFlag is never
11987 set on it.
11988 3. Reload the call frame register from topCallFrame when we're
11989 returning from a callee and detect exception handling in progress.
11990
11991 * interpreter/Interpreter.cpp:
11992 (JSC::Interpreter::unwindCallFrame):
11993 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
11994 (JSC::Interpreter::getStackTrace):
11995 * interpreter/Interpreter.h:
11996 (JSC::TopCallFrameSetter::TopCallFrameSetter):
11997 (JSC::TopCallFrameSetter::~TopCallFrameSetter):
11998 (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
11999 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
12000 * jit/JIT.h:
12001 * jit/JITExceptions.cpp:
12002 (JSC::uncaughtExceptionHandler):
12003 - Convenience function to get the handler for uncaught exceptions.
12004 * jit/JITExceptions.h:
12005 * jit/JITInlines.h:
12006 (JSC::JIT::reloadCallFrameFromTopCallFrame):
12007 * jit/JITOpcodes32_64.cpp:
12008 (JSC::JIT::privateCompileCTINativeCall):
12009 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
12010 * jit/JITStubs.cpp:
12011 (JSC::throwExceptionFromOpCall):
12012 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
12013 (JSC::cti_vm_handle_exception):
12014 - Check for the case when there are no more frames to unwind.
12015 * jit/JITStubs.h:
12016 * jit/JITStubsARM.h:
12017 * jit/JITStubsARMv7.h:
12018 * jit/JITStubsMIPS.h:
12019 * jit/JITStubsSH4.h:
12020 * jit/JITStubsX86.h:
12021 * jit/JITStubsX86_64.h:
12022 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
12023 * jit/SlowPathCall.h:
12024 (JSC::JITSlowPathCall::call):
12025 - reload cfr from topCallFrame when handling an exception.
12026 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
12027 * jit/ThunkGenerators.cpp:
12028 (JSC::nativeForGenerator):
12029 * llint/LowLevelInterpreter32_64.asm:
12030 * llint/LowLevelInterpreter64.asm:
12031 - reload cfr from topCallFrame when handling an exception.
12032 * runtime/VM.cpp:
12033 (JSC::VM::VM):
12034 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
12035
12036 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12037
12038 Remove some code duplication.
12039
12040 Rubber stamped by Mark Hahnenberg.
12041
12042 * runtime/JSDataViewPrototype.cpp:
12043 (JSC::getData):
12044 (JSC::setData):
12045
12046 2013-08-15 Julien Brianceau <jbrianceau@nds.com>
12047
12048 [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
12049 https://bugs.webkit.org/show_bug.cgi?id=119794
12050
12051 Reviewed by Filip Pizlo.
12052
12053 This patch fixes ASSERT failures in debug builds for the sh4 and mips architectures.
12054
12055 * dfg/DFGUseKind.h:
12056 (JSC::DFG::isNumerical):
12057 (JSC::DFG::isDouble):
12058
12059 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12060
12061 http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
12062
12063 Rubber stamped by Oliver Hunt.
12064
12065 This was causing some test crashes for me.
12066
12067 * dfg/DFGCapabilities.cpp:
12068 (JSC::DFG::capabilityLevel):
12069
12070 2013-08-15 Brent Fulgham <bfulgham@apple.com>
12071
12072 [Windows] Clear up improper export declaration.
12073
12074 * runtime/ArrayBufferView.h:
12075
12076 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12077
12078 Unreviewed, remove some unnecessary periods from exceptions.
12079
12080 * runtime/JSDataViewPrototype.cpp:
12081 (JSC::getData):
12082 (JSC::setData):
12083
12084 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12085
12086 Unreviewed, fix 32-bit build.
12087
12088 * dfg/DFGSpeculativeJIT32_64.cpp:
12089 (JSC::DFG::SpeculativeJIT::compile):
12090
12091 2013-08-14 Filip Pizlo <fpizlo@apple.com>
12092
12093 Typed arrays should be rewritten
12094 https://bugs.webkit.org/show_bug.cgi?id=119064
12095
12096 Reviewed by Oliver Hunt.
12097
12098 Typed arrays were previously deficient in several major ways:
12099
12100 - They were defined separately in WebCore and in the jsc shell. The two
12101 implementations were different, and the jsc shell one was basically wrong.
12102 The WebCore one was quite awful, also.
12103
12104 - Typed arrays were not visible to the JIT except through some weird hooks.
12105 For example, the JIT could not ask "what is the Structure that this typed
12106 array would have if I just allocated it from this global object". Also,
12107 it was difficult to wire any of the typed array intrinsics, because most
12108 of the functionality wasn't visible anywhere in JSC.
12109
12110 - Typed array allocation was brain-dead. Allocating a typed array involved
12111 two JS objects, two GC weak handles, and three malloc allocations.
12112
12113 - Neutering. It involved keeping tabs on all native views but not the view
12114 wrappers, even though the native views can autoneuter just by asking the
12115 buffer if it was neutered anytime you touch them; while the JS view
12116 wrappers are the ones that you really want to reach out to.
12117
12118 - Common case-ing. Most typed arrays have one buffer and one view, and
12119 usually nobody touches the buffer. Yet we created all of that stuff
12120 anyway, using data structures optimized for the case where you had a lot
12121 of views.
12122
12123 - Semantic goofs. Typed arrays should, in the future, behave like ES
12124 features rather than DOM features, for example when it comes to exceptions.
12125 Firefox already does this and I agree with them.
12126
12127 This patch cleanses our codebase of these sins:
12128
12129 - Typed arrays are almost entirely defined in JSC. Only the lifecycle
12130 management of native references to buffers is left to WebCore.
12131
12132 - Allocating a typed array requires either two GC allocations (a cell and a
12133 copied storage vector) or one GC allocation, a malloc allocation, and a
12134 weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
12135 latter). The latter is only used for oversize arrays. Remember that before
12136 it was 7 allocations no matter what.
12137
12138 - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
12139 mode/length, void* vector. Before it was a lot more than that - remember,
12140 there were five additional objects that did absolutely nothing for anybody.
12141
12142 - Native views aren't tracked by the buffer, or by the wrappers. They are
12143 transient. In the future we'll probably switch to not even having them be
12144 malloc'd.
12145
12146 - Native array buffers have an efficient way of tracking all of their JS view
12147 wrappers, both for neutering, and for lifecycle management. The GC
12148 special-cases native array buffers. This saves a bunch of grief; for example
12149 it means that a JS view wrapper can refer to its buffer via the butterfly,
12150 which would be dead by the time we went to finalize.
12151
12152 - Typed array semantics now match Firefox, which also happens to be where the
12153 standards are going. The discussion on webkit-dev seemed to confirm that
12154 Chrome is also heading in this direction. This includes making
12155 Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
12156 ArrayBufferView as a JS-visible construct.
12157
12158 This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
12159 It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
12160 further typed array optimizations in the JSC JITs, including inlining typed
12161 array allocation, inlining more of the accessors, reducing the cost of type
12162 checks, etc.
12163
12164 An additional property of this patch is that typed arrays are mostly
12165 implemented using templates. This deduplicates a bunch of code, but does mean
12166 that we need some hacks for exporting s_info's of template classes. See
12167 JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
12168 low-impact compared to code duplication.
12169
12170 Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
12171
12172 * CMakeLists.txt:
12173 * DerivedSources.make:
12174 * GNUmakefile.list.am:
12175 * JSCTypedArrayStubs.h: Removed.
12176 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12177 * JavaScriptCore.xcodeproj/project.pbxproj:
12178 * Target.pri:
12179 * bytecode/ByValInfo.h:
12180 (JSC::hasOptimizableIndexingForClassInfo):
12181 (JSC::jitArrayModeForClassInfo):
12182 (JSC::typedArrayTypeForJITArrayMode):
12183 * bytecode/SpeculatedType.cpp:
12184 (JSC::speculationFromClassInfo):
12185 * dfg/DFGArrayMode.cpp:
12186 (JSC::DFG::toTypedArrayType):
12187 * dfg/DFGArrayMode.h:
12188 (JSC::DFG::ArrayMode::typedArrayType):
12189 * dfg/DFGSpeculativeJIT.cpp:
12190 (JSC::DFG::SpeculativeJIT::checkArray):
12191 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
12192 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
12193 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
12194 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
12195 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
12196 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
12197 * dfg/DFGSpeculativeJIT.h:
12198 * dfg/DFGSpeculativeJIT32_64.cpp:
12199 (JSC::DFG::SpeculativeJIT::compile):
12200 * dfg/DFGSpeculativeJIT64.cpp:
12201 (JSC::DFG::SpeculativeJIT::compile):
12202 * heap/CopyToken.h:
12203 * heap/DeferGC.h:
12204 (JSC::DeferGCForAWhile::DeferGCForAWhile):
12205 (JSC::DeferGCForAWhile::~DeferGCForAWhile):
12206 * heap/GCIncomingRefCounted.h: Added.
12207 (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
12208 (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
12209 (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
12210 (JSC::GCIncomingRefCounted::incomingReferenceAt):
12211 (JSC::GCIncomingRefCounted::singletonFlag):
12212 (JSC::GCIncomingRefCounted::hasVectorOfCells):
12213 (JSC::GCIncomingRefCounted::hasAnyIncoming):
12214 (JSC::GCIncomingRefCounted::hasSingleton):
12215 (JSC::GCIncomingRefCounted::singleton):
12216 (JSC::GCIncomingRefCounted::vectorOfCells):
12217 * heap/GCIncomingRefCountedInlines.h: Added.
12218 (JSC::::addIncomingReference):
12219 (JSC::::filterIncomingReferences):
12220 * heap/GCIncomingRefCountedSet.h: Added.
12221 (JSC::GCIncomingRefCountedSet::size):
12222 * heap/GCIncomingRefCountedSetInlines.h: Added.
12223 (JSC::::GCIncomingRefCountedSet):
12224 (JSC::::~GCIncomingRefCountedSet):
12225 (JSC::::addReference):
12226 (JSC::::sweep):
12227 (JSC::::removeAll):
12228 (JSC::::removeDead):
12229 * heap/Heap.cpp:
12230 (JSC::Heap::addReference):
12231 (JSC::Heap::extraSize):
12232 (JSC::Heap::size):
12233 (JSC::Heap::capacity):
12234 (JSC::Heap::collect):
12235 (JSC::Heap::decrementDeferralDepth):
12236 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
12237 * heap/Heap.h:
12238 * interpreter/CallFrame.h:
12239 (JSC::ExecState::dataViewTable):
12240 * jit/JIT.h:
12241 * jit/JITPropertyAccess.cpp:
12242 (JSC::JIT::privateCompileGetByVal):
12243 (JSC::JIT::privateCompilePutByVal):
12244 (JSC::JIT::emitIntTypedArrayGetByVal):
12245 (JSC::JIT::emitFloatTypedArrayGetByVal):
12246 (JSC::JIT::emitIntTypedArrayPutByVal):
12247 (JSC::JIT::emitFloatTypedArrayPutByVal):
12248 * jsc.cpp:
12249 (GlobalObject::finishCreation):
12250 * runtime/ArrayBuffer.cpp:
12251 (JSC::ArrayBuffer::transfer):
12252 * runtime/ArrayBuffer.h:
12253 (JSC::ArrayBuffer::createAdopted):
12254 (JSC::ArrayBuffer::ArrayBuffer):
12255 (JSC::ArrayBuffer::gcSizeEstimateInBytes):
12256 (JSC::ArrayBuffer::pin):
12257 (JSC::ArrayBuffer::unpin):
12258 (JSC::ArrayBufferContents::tryAllocate):
12259 * runtime/ArrayBufferView.cpp:
12260 (JSC::ArrayBufferView::ArrayBufferView):
12261 (JSC::ArrayBufferView::~ArrayBufferView):
12262 (JSC::ArrayBufferView::setNeuterable):
12263 * runtime/ArrayBufferView.h:
12264 (JSC::ArrayBufferView::isNeutered):
12265 (JSC::ArrayBufferView::buffer):
12266 (JSC::ArrayBufferView::baseAddress):
12267 (JSC::ArrayBufferView::byteOffset):
12268 (JSC::ArrayBufferView::verifySubRange):
12269 (JSC::ArrayBufferView::clampOffsetAndNumElements):
12270 (JSC::ArrayBufferView::calculateOffsetAndLength):
12271 * runtime/ClassInfo.h:
12272 * runtime/CommonIdentifiers.h:
12273 * runtime/DataView.cpp: Added.
12274 (JSC::DataView::DataView):
12275 (JSC::DataView::create):
12276 (JSC::DataView::wrap):
12277 * runtime/DataView.h: Added.
12278 (JSC::DataView::byteLength):
12279 (JSC::DataView::getType):
12280 (JSC::DataView::get):
12281 (JSC::DataView::set):
12282 * runtime/Float32Array.h:
12283 * runtime/Float64Array.h:
12284 * runtime/GenericTypedArrayView.h: Added.
12285 (JSC::GenericTypedArrayView::data):
12286 (JSC::GenericTypedArrayView::set):
12287 (JSC::GenericTypedArrayView::setRange):
12288 (JSC::GenericTypedArrayView::zeroRange):
12289 (JSC::GenericTypedArrayView::zeroFill):
12290 (JSC::GenericTypedArrayView::length):
12291 (JSC::GenericTypedArrayView::byteLength):
12292 (JSC::GenericTypedArrayView::item):
12293 (JSC::GenericTypedArrayView::checkInboundData):
12294 (JSC::GenericTypedArrayView::getType):
12295 * runtime/GenericTypedArrayViewInlines.h: Added.
12296 (JSC::::GenericTypedArrayView):
12297 (JSC::::create):
12298 (JSC::::createUninitialized):
12299 (JSC::::subarray):
12300 (JSC::::wrap):
12301 * runtime/IndexingHeader.h:
12302 (JSC::IndexingHeader::arrayBuffer):
12303 (JSC::IndexingHeader::setArrayBuffer):
12304 * runtime/Int16Array.h:
12305 * runtime/Int32Array.h:
12306 * runtime/Int8Array.h:
12307 * runtime/JSArrayBuffer.cpp: Added.
12308 (JSC::JSArrayBuffer::JSArrayBuffer):
12309 (JSC::JSArrayBuffer::finishCreation):
12310 (JSC::JSArrayBuffer::create):
12311 (JSC::JSArrayBuffer::createStructure):
12312 (JSC::JSArrayBuffer::getOwnPropertySlot):
12313 (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
12314 (JSC::JSArrayBuffer::put):
12315 (JSC::JSArrayBuffer::defineOwnProperty):
12316 (JSC::JSArrayBuffer::deleteProperty):
12317 (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
12318 * runtime/JSArrayBuffer.h: Added.
12319 (JSC::JSArrayBuffer::impl):
12320 (JSC::toArrayBuffer):
12321 * runtime/JSArrayBufferConstructor.cpp: Added.
12322 (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
12323 (JSC::JSArrayBufferConstructor::finishCreation):
12324 (JSC::JSArrayBufferConstructor::create):
12325 (JSC::JSArrayBufferConstructor::createStructure):
12326 (JSC::constructArrayBuffer):
12327 (JSC::JSArrayBufferConstructor::getConstructData):
12328 (JSC::JSArrayBufferConstructor::getCallData):
12329 * runtime/JSArrayBufferConstructor.h: Added.
12330 * runtime/JSArrayBufferPrototype.cpp: Added.
12331 (JSC::arrayBufferProtoFuncSlice):
12332 (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
12333 (JSC::JSArrayBufferPrototype::finishCreation):
12334 (JSC::JSArrayBufferPrototype::create):
12335 (JSC::JSArrayBufferPrototype::createStructure):
12336 * runtime/JSArrayBufferPrototype.h: Added.
12337 * runtime/JSArrayBufferView.cpp: Added.
12338 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
12339 (JSC::JSArrayBufferView::JSArrayBufferView):
12340 (JSC::JSArrayBufferView::finishCreation):
12341 (JSC::JSArrayBufferView::getOwnPropertySlot):
12342 (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
12343 (JSC::JSArrayBufferView::put):
12344 (JSC::JSArrayBufferView::defineOwnProperty):
12345 (JSC::JSArrayBufferView::deleteProperty):
12346 (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
12347 (JSC::JSArrayBufferView::finalize):
12348 * runtime/JSArrayBufferView.h: Added.
12349 (JSC::JSArrayBufferView::sizeOf):
12350 (JSC::JSArrayBufferView::ConstructionContext::operator!):
12351 (JSC::JSArrayBufferView::ConstructionContext::structure):
12352 (JSC::JSArrayBufferView::ConstructionContext::vector):
12353 (JSC::JSArrayBufferView::ConstructionContext::length):
12354 (JSC::JSArrayBufferView::ConstructionContext::mode):
12355 (JSC::JSArrayBufferView::ConstructionContext::butterfly):
12356 (JSC::JSArrayBufferView::mode):
12357 (JSC::JSArrayBufferView::vector):
12358 (JSC::JSArrayBufferView::length):
12359 (JSC::JSArrayBufferView::offsetOfVector):
12360 (JSC::JSArrayBufferView::offsetOfLength):
12361 (JSC::JSArrayBufferView::offsetOfMode):
12362 * runtime/JSArrayBufferViewInlines.h: Added.
12363 (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
12364 (JSC::JSArrayBufferView::buffer):
12365 (JSC::JSArrayBufferView::impl):
12366 (JSC::JSArrayBufferView::neuter):
12367 (JSC::JSArrayBufferView::byteOffset):
12368 * runtime/JSCell.cpp:
12369 (JSC::JSCell::slowDownAndWasteMemory):
12370 (JSC::JSCell::getTypedArrayImpl):
12371 * runtime/JSCell.h:
12372 * runtime/JSDataView.cpp: Added.
12373 (JSC::JSDataView::JSDataView):
12374 (JSC::JSDataView::create):
12375 (JSC::JSDataView::createUninitialized):
12376 (JSC::JSDataView::set):
12377 (JSC::JSDataView::typedImpl):
12378 (JSC::JSDataView::getOwnPropertySlot):
12379 (JSC::JSDataView::getOwnPropertyDescriptor):
12380 (JSC::JSDataView::slowDownAndWasteMemory):
12381 (JSC::JSDataView::getTypedArrayImpl):
12382 (JSC::JSDataView::createStructure):
12383 * runtime/JSDataView.h: Added.
12384 * runtime/JSDataViewPrototype.cpp: Added.
12385 (JSC::JSDataViewPrototype::JSDataViewPrototype):
12386 (JSC::JSDataViewPrototype::create):
12387 (JSC::JSDataViewPrototype::createStructure):
12388 (JSC::JSDataViewPrototype::getOwnPropertySlot):
12389 (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
12390 (JSC::getData):
12391 (JSC::setData):
12392 (JSC::dataViewProtoFuncGetInt8):
12393 (JSC::dataViewProtoFuncGetInt16):
12394 (JSC::dataViewProtoFuncGetInt32):
12395 (JSC::dataViewProtoFuncGetUint8):
12396 (JSC::dataViewProtoFuncGetUint16):
12397 (JSC::dataViewProtoFuncGetUint32):
12398 (JSC::dataViewProtoFuncGetFloat32):
12399 (JSC::dataViewProtoFuncGetFloat64):
12400 (JSC::dataViewProtoFuncSetInt8):
12401 (JSC::dataViewProtoFuncSetInt16):
12402 (JSC::dataViewProtoFuncSetInt32):
12403 (JSC::dataViewProtoFuncSetUint8):
12404 (JSC::dataViewProtoFuncSetUint16):
12405 (JSC::dataViewProtoFuncSetUint32):
12406 (JSC::dataViewProtoFuncSetFloat32):
12407 (JSC::dataViewProtoFuncSetFloat64):
12408 * runtime/JSDataViewPrototype.h: Added.
12409 * runtime/JSFloat32Array.h: Added.
12410 * runtime/JSFloat64Array.h: Added.
12411 * runtime/JSGenericTypedArrayView.h: Added.
12412 (JSC::JSGenericTypedArrayView::byteLength):
12413 (JSC::JSGenericTypedArrayView::byteSize):
12414 (JSC::JSGenericTypedArrayView::typedVector):
12415 (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
12416 (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
12417 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
12418 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
12419 (JSC::JSGenericTypedArrayView::getIndexQuickly):
12420 (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
12421 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
12422 (JSC::JSGenericTypedArrayView::setIndexQuickly):
12423 (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
12424 (JSC::JSGenericTypedArrayView::typedImpl):
12425 (JSC::JSGenericTypedArrayView::createStructure):
12426 (JSC::JSGenericTypedArrayView::info):
12427 (JSC::toNativeTypedView):
12428 * runtime/JSGenericTypedArrayViewConstructor.h: Added.
12429 * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
12430 (JSC::::JSGenericTypedArrayViewConstructor):
12431 (JSC::::finishCreation):
12432 (JSC::::create):
12433 (JSC::::createStructure):
12434 (JSC::constructGenericTypedArrayView):
12435 (JSC::::getConstructData):
12436 (JSC::::getCallData):
12437 * runtime/JSGenericTypedArrayViewInlines.h: Added.
12438 (JSC::::JSGenericTypedArrayView):
12439 (JSC::::create):
12440 (JSC::::createUninitialized):
12441 (JSC::::validateRange):
12442 (JSC::::setWithSpecificType):
12443 (JSC::::set):
12444 (JSC::::getOwnPropertySlot):
12445 (JSC::::getOwnPropertyDescriptor):
12446 (JSC::::put):
12447 (JSC::::defineOwnProperty):
12448 (JSC::::deleteProperty):
12449 (JSC::::getOwnPropertySlotByIndex):
12450 (JSC::::putByIndex):
12451 (JSC::::deletePropertyByIndex):
12452 (JSC::::getOwnNonIndexPropertyNames):
12453 (JSC::::getOwnPropertyNames):
12454 (JSC::::visitChildren):
12455 (JSC::::copyBackingStore):
12456 (JSC::::slowDownAndWasteMemory):
12457 (JSC::::getTypedArrayImpl):
12458 * runtime/JSGenericTypedArrayViewPrototype.h: Added.
12459 * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
12460 (JSC::genericTypedArrayViewProtoFuncSet):
12461 (JSC::genericTypedArrayViewProtoFuncSubarray):
12462 (JSC::::JSGenericTypedArrayViewPrototype):
12463 (JSC::::finishCreation):
12464 (JSC::::create):
12465 (JSC::::createStructure):
12466 * runtime/JSGlobalObject.cpp:
12467 (JSC::JSGlobalObject::reset):
12468 (JSC::JSGlobalObject::visitChildren):
12469 * runtime/JSGlobalObject.h:
12470 (JSC::JSGlobalObject::arrayBufferPrototype):
12471 (JSC::JSGlobalObject::arrayBufferStructure):
12472 (JSC::JSGlobalObject::typedArrayStructure):
12473 * runtime/JSInt16Array.h: Added.
12474 * runtime/JSInt32Array.h: Added.
12475 * runtime/JSInt8Array.h: Added.
12476 * runtime/JSTypedArrayConstructors.cpp: Added.
12477 * runtime/JSTypedArrayConstructors.h: Added.
12478 * runtime/JSTypedArrayPrototypes.cpp: Added.
12479 * runtime/JSTypedArrayPrototypes.h: Added.
12480 * runtime/JSTypedArrays.cpp: Added.
12481 * runtime/JSTypedArrays.h: Added.
12482 * runtime/JSUint16Array.h: Added.
12483 * runtime/JSUint32Array.h: Added.
12484 * runtime/JSUint8Array.h: Added.
12485 * runtime/JSUint8ClampedArray.h: Added.
12486 * runtime/Operations.h:
12487 * runtime/Options.h:
12488 * runtime/SimpleTypedArrayController.cpp: Added.
12489 (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
12490 (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
12491 (JSC::SimpleTypedArrayController::toJS):
12492 * runtime/SimpleTypedArrayController.h: Added.
12493 * runtime/Structure.h:
12494 (JSC::Structure::couldHaveIndexingHeader):
12495 * runtime/StructureInlines.h:
12496 (JSC::Structure::hasIndexingHeader):
12497 * runtime/TypedArrayAdaptors.h: Added.
12498 (JSC::IntegralTypedArrayAdaptor::toNative):
12499 (JSC::IntegralTypedArrayAdaptor::toJSValue):
12500 (JSC::IntegralTypedArrayAdaptor::toDouble):
12501 (JSC::FloatTypedArrayAdaptor::toNative):
12502 (JSC::FloatTypedArrayAdaptor::toJSValue):
12503 (JSC::FloatTypedArrayAdaptor::toDouble):
12504 (JSC::Uint8ClampedAdaptor::toNative):
12505 (JSC::Uint8ClampedAdaptor::toJSValue):
12506 (JSC::Uint8ClampedAdaptor::toDouble):
12507 (JSC::Uint8ClampedAdaptor::clamp):
12508 * runtime/TypedArrayController.cpp: Added.
12509 (JSC::TypedArrayController::TypedArrayController):
12510 (JSC::TypedArrayController::~TypedArrayController):
12511 * runtime/TypedArrayController.h: Added.
12512 * runtime/TypedArrayDescriptor.h: Removed.
12513 * runtime/TypedArrayInlines.h: Added.
12514 * runtime/TypedArrayType.cpp: Added.
12515 (JSC::classInfoForType):
12516 (WTF::printInternal):
12517 * runtime/TypedArrayType.h: Added.
12518 (JSC::toIndex):
12519 (JSC::isTypedView):
12520 (JSC::elementSize):
12521 (JSC::isInt):
12522 (JSC::isFloat):
12523 (JSC::isSigned):
12524 (JSC::isClamped):
12525 * runtime/TypedArrays.h: Added.
12526 * runtime/Uint16Array.h:
12527 * runtime/Uint32Array.h:
12528 * runtime/Uint8Array.h:
12529 * runtime/Uint8ClampedArray.h:
12530 * runtime/VM.cpp:
12531 (JSC::VM::VM):
12532 (JSC::VM::~VM):
12533 * runtime/VM.h:
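
The following is an added, stand-alone example; it is not part of this ChangeLog and not code from JavaScriptCore or WebKit. It exercises, from script, the JS-visible typed-array semantics the entry above says JSC moved to: Uint8ClampedArray as a sibling rather than a subtype of Uint8Array, no JS-visible ArrayBufferView, ES-style RangeErrors for bad constructor arguments, and what a view looks like after its buffer has been neutered (detached). For contrast it also shows the wrap-around of a plain Uint8Array store, which the entry does not discuss. It assumes Node.js 17 or later, because structuredClone() with a transfer list is used to detach the buffer; every input value is constructed for the demonstration.

```javascript
'use strict';
// Added example, not part of this ChangeLog or of the JavaScriptCore sources it
// describes. Assumes Node.js >= 17 (structuredClone with { transfer } detaches
// an ArrayBuffer). All input values are constructed for the demonstration.

// Uint8ClampedArray is a sibling of Uint8Array under %TypedArray%, not a
// subtype of it, and there is no JS-visible ArrayBufferView constructor.
function hierarchyFacts() {
  const clamped = new Uint8ClampedArray(1);
  const typedArrayBase = Object.getPrototypeOf(Uint8Array); // %TypedArray%
  return {
    clampedIsUint8: clamped instanceof Uint8Array,
    viewBaseVisible: typeof globalThis.ArrayBufferView !== 'undefined',
    sharesBase: Object.getPrototypeOf(Uint8ClampedArray) === typedArrayBase,
  };
}

// Stores through a clamped view saturate to [0, 255] and round half to even
// (ToUint8Clamp); the same stores through a plain Uint8Array truncate and wrap
// modulo 256 (ToUint8). Both results are returned so they can be compared.
function clampedStores(values) {
  const clamped = new Uint8ClampedArray(values.length);
  const wrapping = new Uint8Array(values.length);
  values.forEach((v, i) => {
    clamped[i] = v;
    wrapping[i] = v;
  });
  return { clamped: Array.from(clamped), wrapping: Array.from(wrapping) };
}

// Malformed constructor arguments raise RangeError; an indexed write past the
// end is dropped rather than raising, and reading it back yields undefined.
function constructorErrors() {
  const buf = new ArrayBuffer(8);
  const attempts = [
    () => new Uint16Array(buf, 1),   // byte offset not a multiple of 2
    () => new Int32Array(buf, 0, 3), // 12 bytes requested from an 8-byte buffer
    () => new Float64Array(-1),      // negative length
  ];
  const outcomes = attempts.map((make) => {
    try {
      make();
      return 'none';
    } catch (e) {
      return e.constructor.name;
    }
  });
  const a = new Int8Array(2);
  a[5] = 7; // out of bounds: silently ignored
  return { outcomes, oobRead: a[5], length: a.length };
}

// Detaching a buffer (here by transferring it out of this realm) leaves every
// view over it with length 0. A length or data pointer cached before the
// transfer is stale afterwards, which is why an engine's fast paths must
// re-check the buffer after any call that could detach it.
function detachDemo() {
  const buf = new ArrayBuffer(16);
  const view = new Uint32Array(buf);
  view[0] = 0xdeadbeef;
  const lengthBefore = view.length;
  structuredClone(buf, { transfer: [buf] }); // buf is detached from here on
  return {
    lengthBefore,
    lengthAfter: view.length,
    bufferBytesAfter: buf.byteLength,
    readAfter: view[0],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(hierarchyFacts());
  console.log(clampedStores([300, -5, 1.5, 2.5, 3.5]));
  console.log(constructorErrors());
  console.log(detachDemo());
}
```

Run it with node; detachDemo() is the part worth keeping in mind when reading the neutering discussion above: once the buffer is gone the view reports length 0 and reads return undefined, so any code path that captured the length or the vector pointer before a call that can detach must validate again afterwards rather than trust the cached values.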
12534
12535 2013-08-15 Oliver Hunt <oliver@apple.com>
12536
12537 <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
12538
12539 Reviewed by Filip Pizlo.
12540
12541 Make sure dfgCapabilities doesn't report a Dynamic put as
12542 being compilable when we don't actually support it.
12543
12544 * bytecode/CodeBlock.cpp:
12545 (JSC::CodeBlock::dumpBytecode):
12546 * dfg/DFGCapabilities.cpp:
12547 (JSC::DFG::capabilityLevel):
12548
12549 2013-08-15 Brent Fulgham <bfulgham@apple.com>
12550
12551 [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
12552 https://bugs.webkit.org/show_bug.cgi?id=119847
12553
12554 Reviewed by Oliver Hunt.
12555
12556 * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
12557 * runtime/ArrayBufferView.h: Ditto.
12558
12559 2013-08-15 Gavin Barraclough <barraclough@apple.com>
12560
12561 https://bugs.webkit.org/show_bug.cgi?id=119843
12562 PropertySlot::setValue is ambiguous
12563
12564 Reviewed by Geoff Garen.
12565
12566 There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
12567 The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
12568 Unify on always providing the object, and remove the version that just takes a value.
12569 This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
12570 Provide a version of setValue that takes a JSString as the owner of the property.
12571 We won't store this, but it makes it clear that this interface should only be used from JSString.
12572
12573 * API/JSCallbackObjectFunctions.h:
12574 (JSC::::getOwnPropertySlot):
12575 * JSCTypedArrayStubs.h:
12576 * runtime/Arguments.cpp:
12577 (JSC::Arguments::getOwnPropertySlotByIndex):
12578 (JSC::Arguments::getOwnPropertySlot):
12579 * runtime/JSActivation.cpp:
12580 (JSC::JSActivation::symbolTableGet):
12581 (JSC::JSActivation::getOwnPropertySlot):
12582 * runtime/JSArray.cpp:
12583 (JSC::JSArray::getOwnPropertySlot):
12584 * runtime/JSObject.cpp:
12585 (JSC::JSObject::getOwnPropertySlotByIndex):
12586 * runtime/JSString.h:
12587 (JSC::JSString::getStringPropertySlot):
12588 * runtime/JSSymbolTableObject.h:
12589 (JSC::symbolTableGet):
12590 * runtime/SparseArrayValueMap.cpp:
12591 (JSC::SparseArrayEntry::get):
12592 - Pass object containing property to PropertySlot::setValue
12593 * runtime/PropertySlot.h:
12594 (JSC::PropertySlot::setValue):
12595 - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
12596 (JSC::PropertySlot::setUndefined):
12597 - removed setValue(JSValue), added setValue(JSString*, JSValue)
12598
12599 2013-08-15 Oliver Hunt <oliver@apple.com>
12600
12601 Remove bogus assertion.
12602
12603 RS=Filip Pizlo
12604
12605 * dfg/DFGAbstractInterpreterInlines.h:
12606 (JSC::DFG::::executeEffects):
12607
12608 2013-08-15 Allan Sandfeld Jensen <allan.jensen@digia.com>
12609
12610 REGRESSION(r148790) Made 7 tests fail on x86 32bit
12611 https://bugs.webkit.org/show_bug.cgi?id=114913
12612
12613 Reviewed by Filip Pizlo.
12614
12615 The X87 register was not freed before some calls. Instead
12616 of inserting resetX87Registers to the last call sites,
12617 the two X87 registers are now freed in every call.
12618
12619 * llint/LowLevelInterpreter32_64.asm:
12620 * llint/LowLevelInterpreter64.asm:
12621 * offlineasm/instructions.rb:
12622 * offlineasm/x86.rb:
12623
12624 2013-08-14 Michael Saboff <msaboff@apple.com>
12625
12626 Fixed jit on Win64.
12627 https://bugs.webkit.org/show_bug.cgi?id=119601
12628
12629 Reviewed by Oliver Hunt.
12630
12631 * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
12632 * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
12633 * jit/SlowPathCall.h:
12634 (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
12635
12636 2013-08-14 Alex Christensen <achristensen@apple.com>
12637
12638 Compile fix for Win64 with jit disabled.
12639 https://bugs.webkit.org/show_bug.cgi?id=119804
12640
12641 Reviewed by Michael Saboff.
12642
12643 * offlineasm/cloop.rb: Added std:: before isnan.
12644
12645 2013-08-14 Julien Brianceau <jbrianceau@nds.com>
12646
12647 DFG_JIT implementation for sh4 architecture.
12648 https://bugs.webkit.org/show_bug.cgi?id=119737
12649
12650 Reviewed by Oliver Hunt.
12651
12652 * assembler/MacroAssemblerSH4.h:
12653 (JSC::MacroAssemblerSH4::invert):
12654 (JSC::MacroAssemblerSH4::add32):
12655 (JSC::MacroAssemblerSH4::and32):
12656 (JSC::MacroAssemblerSH4::lshift32):
12657 (JSC::MacroAssemblerSH4::mul32):
12658 (JSC::MacroAssemblerSH4::or32):
12659 (JSC::MacroAssemblerSH4::rshift32):
12660 (JSC::MacroAssemblerSH4::sub32):
12661 (JSC::MacroAssemblerSH4::xor32):
12662 (JSC::MacroAssemblerSH4::store32):
12663 (JSC::MacroAssemblerSH4::swapDouble):
12664 (JSC::MacroAssemblerSH4::storeDouble):
12665 (JSC::MacroAssemblerSH4::subDouble):
12666 (JSC::MacroAssemblerSH4::mulDouble):
12667 (JSC::MacroAssemblerSH4::divDouble):
12668 (JSC::MacroAssemblerSH4::negateDouble):
12669 (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
12670 (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
12671 (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
12672 (JSC::MacroAssemblerSH4::swap):
12673 (JSC::MacroAssemblerSH4::jump):
12674 (JSC::MacroAssemblerSH4::branchNeg32):
12675 (JSC::MacroAssemblerSH4::branchAdd32):
12676 (JSC::MacroAssemblerSH4::branchMul32):
12677 (JSC::MacroAssemblerSH4::urshift32):
12678 * assembler/SH4Assembler.h:
12679 (JSC::SH4Assembler::SH4Assembler):
12680 (JSC::SH4Assembler::labelForWatchpoint):
12681 (JSC::SH4Assembler::label):
12682 (JSC::SH4Assembler::debugOffset):
12683 * dfg/DFGAssemblyHelpers.h:
12684 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
12685 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
12686 (JSC::DFG::AssemblyHelpers::debugCall):
12687 * dfg/DFGCCallHelpers.h:
12688 (JSC::DFG::CCallHelpers::setupArguments):
12689 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
12690 * dfg/DFGFPRInfo.h:
12691 (JSC::DFG::FPRInfo::toRegister):
12692 (JSC::DFG::FPRInfo::toIndex):
12693 (JSC::DFG::FPRInfo::debugName):
12694 * dfg/DFGGPRInfo.h:
12695 (JSC::DFG::GPRInfo::toRegister):
12696 (JSC::DFG::GPRInfo::toIndex):
12697 (JSC::DFG::GPRInfo::debugName):
12698 * dfg/DFGOperations.cpp:
12699 * dfg/DFGSpeculativeJIT.h:
12700 (JSC::DFG::SpeculativeJIT::callOperation):
12701 * jit/JITStubs.h:
12702 * jit/JITStubsSH4.h:
12703
12704 2013-08-13 Filip Pizlo <fpizlo@apple.com>
12705
12706 Unreviewed, fix build.
12707
12708 * API/JSValue.mm:
12709 (isDate):
12710 (isArray):
12711 * API/JSWrapperMap.mm:
12712 (tryUnwrapObjcObject):
12713 * API/ObjCCallbackFunction.mm:
12714 (tryUnwrapBlock):
12715
12716 2013-08-13 Filip Pizlo <fpizlo@apple.com>
12717
12718 Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
12719 https://bugs.webkit.org/show_bug.cgi?id=119770
12720
12721 Reviewed by Mark Hahnenberg.
12722
12723 * API/JSCallbackConstructor.cpp:
12724 (JSC::JSCallbackConstructor::finishCreation):
12725 * API/JSCallbackConstructor.h:
12726 (JSC::JSCallbackConstructor::createStructure):
12727 * API/JSCallbackFunction.cpp:
12728 (JSC::JSCallbackFunction::finishCreation):
12729 * API/JSCallbackFunction.h:
12730 (JSC::JSCallbackFunction::createStructure):
12731 * API/JSCallbackObject.cpp:
12732 (JSC::::createStructure):
12733 * API/JSCallbackObject.h:
12734 (JSC::JSCallbackObject::visitChildren):
12735 * API/JSCallbackObjectFunctions.h:
12736 (JSC::::asCallbackObject):
12737 (JSC::::finishCreation):
12738 * API/JSObjectRef.cpp:
12739 (JSObjectGetPrivate):
12740 (JSObjectSetPrivate):
12741 (JSObjectGetPrivateProperty):
12742 (JSObjectSetPrivateProperty):
12743 (JSObjectDeletePrivateProperty):
12744 * API/JSValueRef.cpp:
12745 (JSValueIsObjectOfClass):
12746 * API/JSWeakObjectMapRefPrivate.cpp:
12747 * API/ObjCCallbackFunction.h:
12748 (JSC::ObjCCallbackFunction::createStructure):
12749 * JSCTypedArrayStubs.h:
12750 * bytecode/CallLinkStatus.cpp:
12751 (JSC::CallLinkStatus::CallLinkStatus):
12752 (JSC::CallLinkStatus::function):
12753 (JSC::CallLinkStatus::internalFunction):
12754 * bytecode/CodeBlock.h:
12755 (JSC::baselineCodeBlockForInlineCallFrame):
12756 * bytecode/SpeculatedType.cpp:
12757 (JSC::speculationFromClassInfo):
12758 * bytecode/UnlinkedCodeBlock.cpp:
12759 (JSC::UnlinkedFunctionExecutable::visitChildren):
12760 (JSC::UnlinkedCodeBlock::visitChildren):
12761 (JSC::UnlinkedProgramCodeBlock::visitChildren):
12762 * bytecode/UnlinkedCodeBlock.h:
12763 (JSC::UnlinkedFunctionExecutable::createStructure):
12764 (JSC::UnlinkedProgramCodeBlock::createStructure):
12765 (JSC::UnlinkedEvalCodeBlock::createStructure):
12766 (JSC::UnlinkedFunctionCodeBlock::createStructure):
12767 * debugger/Debugger.cpp:
12768 * debugger/DebuggerActivation.cpp:
12769 (JSC::DebuggerActivation::visitChildren):
12770 * debugger/DebuggerActivation.h:
12771 (JSC::DebuggerActivation::createStructure):
12772 * debugger/DebuggerCallFrame.cpp:
12773 (JSC::DebuggerCallFrame::functionName):
12774 * dfg/DFGAbstractInterpreterInlines.h:
12775 (JSC::DFG::::executeEffects):
12776 * dfg/DFGByteCodeParser.cpp:
12777 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
12778 (JSC::DFG::ByteCodeParser::parseBlock):
12779 * dfg/DFGFixupPhase.cpp:
12780 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
12781 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
12782 * dfg/DFGGraph.cpp:
12783 (JSC::DFG::Graph::dump):
12784 * dfg/DFGGraph.h:
12785 (JSC::DFG::Graph::isInternalFunctionConstant):
12786 * dfg/DFGOperations.cpp:
12787 * dfg/DFGSpeculativeJIT.cpp:
12788 (JSC::DFG::SpeculativeJIT::checkArray):
12789 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
12790 * dfg/DFGThunks.cpp:
12791 (JSC::DFG::virtualForThunkGenerator):
12792 * interpreter/Interpreter.cpp:
12793 (JSC::loadVarargs):
12794 * jsc.cpp:
12795 (GlobalObject::createStructure):
12796 * profiler/LegacyProfiler.cpp:
12797 (JSC::LegacyProfiler::createCallIdentifier):
12798 * runtime/Arguments.cpp:
12799 (JSC::Arguments::visitChildren):
12800 * runtime/Arguments.h:
12801 (JSC::Arguments::createStructure):
12802 (JSC::asArguments):
12803 (JSC::Arguments::finishCreation):
12804 * runtime/ArrayConstructor.cpp:
12805 (JSC::arrayConstructorIsArray):
12806 * runtime/ArrayConstructor.h:
12807 (JSC::ArrayConstructor::createStructure):
12808 * runtime/ArrayPrototype.cpp:
12809 (JSC::ArrayPrototype::finishCreation):
12810 (JSC::arrayProtoFuncConcat):
12811 (JSC::attemptFastSort):
12812 * runtime/ArrayPrototype.h:
12813 (JSC::ArrayPrototype::createStructure):
12814 * runtime/BooleanConstructor.h:
12815 (JSC::BooleanConstructor::createStructure):
12816 * runtime/BooleanObject.cpp:
12817 (JSC::BooleanObject::finishCreation):
12818 * runtime/BooleanObject.h:
12819 (JSC::BooleanObject::createStructure):
12820 (JSC::asBooleanObject):
12821 * runtime/BooleanPrototype.cpp:
12822 (JSC::BooleanPrototype::finishCreation):
12823 (JSC::booleanProtoFuncToString):
12824 (JSC::booleanProtoFuncValueOf):
12825 * runtime/BooleanPrototype.h:
12826 (JSC::BooleanPrototype::createStructure):
12827 * runtime/DateConstructor.cpp:
12828 (JSC::constructDate):
12829 * runtime/DateConstructor.h:
12830 (JSC::DateConstructor::createStructure):
12831 * runtime/DateInstance.cpp:
12832 (JSC::DateInstance::finishCreation):
12833 * runtime/DateInstance.h:
12834 (JSC::DateInstance::createStructure):
12835 (JSC::asDateInstance):
12836 * runtime/DatePrototype.cpp:
12837 (JSC::formateDateInstance):
12838 (JSC::DatePrototype::finishCreation):
12839 (JSC::dateProtoFuncToISOString):
12840 (JSC::dateProtoFuncToLocaleString):
12841 (JSC::dateProtoFuncToLocaleDateString):
12842 (JSC::dateProtoFuncToLocaleTimeString):
12843 (JSC::dateProtoFuncGetTime):
12844 (JSC::dateProtoFuncGetFullYear):
12845 (JSC::dateProtoFuncGetUTCFullYear):
12846 (JSC::dateProtoFuncGetMonth):
12847 (JSC::dateProtoFuncGetUTCMonth):
12848 (JSC::dateProtoFuncGetDate):
12849 (JSC::dateProtoFuncGetUTCDate):
12850 (JSC::dateProtoFuncGetDay):
12851 (JSC::dateProtoFuncGetUTCDay):
12852 (JSC::dateProtoFuncGetHours):
12853 (JSC::dateProtoFuncGetUTCHours):
12854 (JSC::dateProtoFuncGetMinutes):
12855 (JSC::dateProtoFuncGetUTCMinutes):
12856 (JSC::dateProtoFuncGetSeconds):
12857 (JSC::dateProtoFuncGetUTCSeconds):
12858 (JSC::dateProtoFuncGetMilliSeconds):
12859 (JSC::dateProtoFuncGetUTCMilliseconds):
12860 (JSC::dateProtoFuncGetTimezoneOffset):
12861 (JSC::dateProtoFuncSetTime):
12862 (JSC::setNewValueFromTimeArgs):
12863 (JSC::setNewValueFromDateArgs):
12864 (JSC::dateProtoFuncSetYear):
12865 (JSC::dateProtoFuncGetYear):
12866 * runtime/DatePrototype.h:
12867 (JSC::DatePrototype::createStructure):
12868 * runtime/Error.h:
12869 (JSC::StrictModeTypeErrorFunction::createStructure):
12870 * runtime/ErrorConstructor.h:
12871 (JSC::ErrorConstructor::createStructure):
12872 * runtime/ErrorInstance.cpp:
12873 (JSC::ErrorInstance::finishCreation):
12874 * runtime/ErrorInstance.h:
12875 (JSC::ErrorInstance::createStructure):
12876 * runtime/ErrorPrototype.cpp:
12877 (JSC::ErrorPrototype::finishCreation):
12878 * runtime/ErrorPrototype.h:
12879 (JSC::ErrorPrototype::createStructure):
12880 * runtime/ExceptionHelpers.cpp:
12881 (JSC::isTerminatedExecutionException):
12882 * runtime/ExceptionHelpers.h:
12883 (JSC::TerminatedExecutionError::createStructure):
12884 * runtime/Executable.cpp:
12885 (JSC::EvalExecutable::visitChildren):
12886 (JSC::ProgramExecutable::visitChildren):
12887 (JSC::FunctionExecutable::visitChildren):
12888 (JSC::ExecutableBase::hashFor):
12889 * runtime/Executable.h:
12890 (JSC::ExecutableBase::createStructure):
12891 (JSC::NativeExecutable::createStructure):
12892 (JSC::EvalExecutable::createStructure):
12893 (JSC::ProgramExecutable::createStructure):
12894 (JSC::FunctionExecutable::compileFor):
12895 (JSC::FunctionExecutable::compileOptimizedFor):
12896 (JSC::FunctionExecutable::createStructure):
12897 * runtime/FunctionConstructor.h:
12898 (JSC::FunctionConstructor::createStructure):
12899 * runtime/FunctionPrototype.cpp:
12900 (JSC::functionProtoFuncToString):
12901 (JSC::functionProtoFuncApply):
12902 (JSC::functionProtoFuncBind):
12903 * runtime/FunctionPrototype.h:
12904 (JSC::FunctionPrototype::createStructure):
12905 * runtime/GetterSetter.cpp:
12906 (JSC::GetterSetter::visitChildren):
12907 * runtime/GetterSetter.h:
12908 (JSC::GetterSetter::createStructure):
12909 * runtime/InternalFunction.cpp:
12910 (JSC::InternalFunction::finishCreation):
12911 * runtime/InternalFunction.h:
12912 (JSC::InternalFunction::createStructure):
12913 (JSC::asInternalFunction):
12914 * runtime/JSAPIValueWrapper.h:
12915 (JSC::JSAPIValueWrapper::createStructure):
12916 * runtime/JSActivation.cpp:
12917 (JSC::JSActivation::visitChildren):
12918 (JSC::JSActivation::argumentsGetter):
12919 * runtime/JSActivation.h:
12920 (JSC::JSActivation::createStructure):
12921 (JSC::asActivation):
12922 * runtime/JSArray.h:
12923 (JSC::JSArray::createStructure):
12924 (JSC::asArray):
12925 (JSC::isJSArray):
12926 * runtime/JSBoundFunction.cpp:
12927 (JSC::JSBoundFunction::finishCreation):
12928 (JSC::JSBoundFunction::visitChildren):
12929 * runtime/JSBoundFunction.h:
12930 (JSC::JSBoundFunction::createStructure):
12931 * runtime/JSCJSValue.cpp:
12932 (JSC::JSValue::dumpInContext):
12933 * runtime/JSCJSValueInlines.h:
12934 (JSC::JSValue::isFunction):
12935 * runtime/JSCell.h:
12936 (JSC::jsCast):
12937 (JSC::jsDynamicCast):
12938 * runtime/JSCellInlines.h:
12939 (JSC::allocateCell):
12940 * runtime/JSFunction.cpp:
12941 (JSC::JSFunction::finishCreation):
12942 (JSC::JSFunction::visitChildren):
12943 (JSC::skipOverBoundFunctions):
12944 (JSC::JSFunction::callerGetter):
12945 * runtime/JSFunction.h:
12946 (JSC::JSFunction::createStructure):
12947 * runtime/JSGlobalObject.cpp:
12948 (JSC::JSGlobalObject::visitChildren):
12949 (JSC::slowValidateCell):
12950 * runtime/JSGlobalObject.h:
12951 (JSC::JSGlobalObject::createStructure):
12952 * runtime/JSNameScope.cpp:
12953 (JSC::JSNameScope::visitChildren):
12954 * runtime/JSNameScope.h:
12955 (JSC::JSNameScope::createStructure):
12956 * runtime/JSNotAnObject.h:
12957 (JSC::JSNotAnObject::createStructure):
12958 * runtime/JSONObject.cpp:
12959 (JSC::JSONObject::finishCreation):
12960 (JSC::unwrapBoxedPrimitive):
12961 (JSC::Stringifier::Stringifier):
12962 (JSC::Stringifier::appendStringifiedValue):
12963 (JSC::Stringifier::Holder::Holder):
12964 (JSC::Walker::walk):
12965 (JSC::JSONProtoFuncStringify):
12966 * runtime/JSONObject.h:
12967 (JSC::JSONObject::createStructure):
12968 * runtime/JSObject.cpp:
12969 (JSC::getCallableObjectSlow):
12970 (JSC::JSObject::visitChildren):
12971 (JSC::JSObject::copyBackingStore):
12972 (JSC::JSFinalObject::visitChildren):
12973 (JSC::JSObject::ensureInt32Slow):
12974 (JSC::JSObject::ensureDoubleSlow):
12975 (JSC::JSObject::ensureContiguousSlow):
12976 (JSC::JSObject::ensureArrayStorageSlow):
12977 * runtime/JSObject.h:
12978 (JSC::JSObject::finishCreation):
12979 (JSC::JSObject::createStructure):
12980 (JSC::JSNonFinalObject::createStructure):
12981 (JSC::JSFinalObject::createStructure):
12982 (JSC::isJSFinalObject):
12983 * runtime/JSPropertyNameIterator.cpp:
12984 (JSC::JSPropertyNameIterator::visitChildren):
12985 * runtime/JSPropertyNameIterator.h:
12986 (JSC::JSPropertyNameIterator::createStructure):
12987 * runtime/JSProxy.cpp:
12988 (JSC::JSProxy::visitChildren):
12989 * runtime/JSProxy.h:
12990 (JSC::JSProxy::createStructure):
12991 * runtime/JSScope.cpp:
12992 (JSC::JSScope::visitChildren):
12993 * runtime/JSSegmentedVariableObject.cpp:
12994 (JSC::JSSegmentedVariableObject::visitChildren):
12995 * runtime/JSString.h:
12996 (JSC::JSString::createStructure):
12997 (JSC::isJSString):
12998 * runtime/JSSymbolTableObject.cpp:
12999 (JSC::JSSymbolTableObject::visitChildren):
13000 * runtime/JSVariableObject.h:
13001 * runtime/JSWithScope.cpp:
13002 (JSC::JSWithScope::visitChildren):
13003 * runtime/JSWithScope.h:
13004 (JSC::JSWithScope::createStructure):
13005 * runtime/JSWrapperObject.cpp:
13006 (JSC::JSWrapperObject::visitChildren):
13007 * runtime/JSWrapperObject.h:
13008 (JSC::JSWrapperObject::createStructure):
13009 * runtime/MathObject.cpp:
13010 (JSC::MathObject::finishCreation):
13011 * runtime/MathObject.h:
13012 (JSC::MathObject::createStructure):
13013 * runtime/NameConstructor.h:
13014 (JSC::NameConstructor::createStructure):
13015 * runtime/NameInstance.h:
13016 (JSC::NameInstance::createStructure):
13017 (JSC::NameInstance::finishCreation):
13018 * runtime/NamePrototype.cpp:
13019 (JSC::NamePrototype::finishCreation):
13020 (JSC::privateNameProtoFuncToString):
13021 * runtime/NamePrototype.h:
13022 (JSC::NamePrototype::createStructure):
13023 * runtime/NativeErrorConstructor.cpp:
13024 (JSC::NativeErrorConstructor::visitChildren):
13025 * runtime/NativeErrorConstructor.h:
13026 (JSC::NativeErrorConstructor::createStructure):
13027 (JSC::NativeErrorConstructor::finishCreation):
13028 * runtime/NumberConstructor.cpp:
13029 (JSC::NumberConstructor::finishCreation):
13030 * runtime/NumberConstructor.h:
13031 (JSC::NumberConstructor::createStructure):
13032 * runtime/NumberObject.cpp:
13033 (JSC::NumberObject::finishCreation):
13034 * runtime/NumberObject.h:
13035 (JSC::NumberObject::createStructure):
13036 * runtime/NumberPrototype.cpp:
13037 (JSC::NumberPrototype::finishCreation):
13038 * runtime/NumberPrototype.h:
13039 (JSC::NumberPrototype::createStructure):
13040 * runtime/ObjectConstructor.h:
13041 (JSC::ObjectConstructor::createStructure):
13042 * runtime/ObjectPrototype.cpp:
13043 (JSC::ObjectPrototype::finishCreation):
13044 * runtime/ObjectPrototype.h:
13045 (JSC::ObjectPrototype::createStructure):
13046 * runtime/PropertyMapHashTable.h:
13047 (JSC::PropertyTable::createStructure):
13048 * runtime/PropertyTable.cpp:
13049 (JSC::PropertyTable::visitChildren):
13050 * runtime/RegExp.h:
13051 (JSC::RegExp::createStructure):
13052 * runtime/RegExpConstructor.cpp:
13053 (JSC::RegExpConstructor::finishCreation):
13054 (JSC::RegExpConstructor::visitChildren):
13055 (JSC::constructRegExp):
13056 * runtime/RegExpConstructor.h:
13057 (JSC::RegExpConstructor::createStructure):
13058 (JSC::asRegExpConstructor):
13059 * runtime/RegExpMatchesArray.cpp:
13060 (JSC::RegExpMatchesArray::visitChildren):
13061 * runtime/RegExpMatchesArray.h:
13062 (JSC::RegExpMatchesArray::createStructure):
13063 * runtime/RegExpObject.cpp:
13064 (JSC::RegExpObject::finishCreation):
13065 (JSC::RegExpObject::visitChildren):
13066 * runtime/RegExpObject.h:
13067 (JSC::RegExpObject::createStructure):
13068 (JSC::asRegExpObject):
13069 * runtime/RegExpPrototype.cpp:
13070 (JSC::regExpProtoFuncTest):
13071 (JSC::regExpProtoFuncExec):
13072 (JSC::regExpProtoFuncCompile):
13073 (JSC::regExpProtoFuncToString):
13074 * runtime/RegExpPrototype.h:
13075 (JSC::RegExpPrototype::createStructure):
13076 * runtime/SparseArrayValueMap.cpp:
13077 (JSC::SparseArrayValueMap::createStructure):
13078 * runtime/SparseArrayValueMap.h:
13079 * runtime/StrictEvalActivation.h:
13080 (JSC::StrictEvalActivation::createStructure):
13081 * runtime/StringConstructor.h:
13082 (JSC::StringConstructor::createStructure):
13083 * runtime/StringObject.cpp:
13084 (JSC::StringObject::finishCreation):
13085 * runtime/StringObject.h:
13086 (JSC::StringObject::createStructure):
13087 (JSC::asStringObject):
13088 * runtime/StringPrototype.cpp:
13089 (JSC::StringPrototype::finishCreation):
13090 (JSC::stringProtoFuncReplace):
13091 (JSC::stringProtoFuncToString):
13092 (JSC::stringProtoFuncMatch):
13093 (JSC::stringProtoFuncSearch):
13094 (JSC::stringProtoFuncSplit):
13095 * runtime/StringPrototype.h:
13096 (JSC::StringPrototype::createStructure):
13097 * runtime/Structure.cpp:
13098 (JSC::Structure::Structure):
13099 (JSC::Structure::materializePropertyMap):
13100 (JSC::Structure::get):
13101 (JSC::Structure::visitChildren):
13102 * runtime/Structure.h:
13103 (JSC::Structure::typeInfo):
13104 (JSC::Structure::previousID):
13105 (JSC::Structure::outOfLineSize):
13106 (JSC::Structure::totalStorageCapacity):
13107 (JSC::Structure::materializePropertyMapIfNecessary):
13108 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
13109 * runtime/StructureChain.cpp:
13110 (JSC::StructureChain::visitChildren):
13111 * runtime/StructureChain.h:
13112 (JSC::StructureChain::createStructure):
13113 * runtime/StructureInlines.h:
13114 (JSC::Structure::get):
13115 * runtime/StructureRareData.cpp:
13116 (JSC::StructureRareData::createStructure):
13117 (JSC::StructureRareData::visitChildren):
13118 * runtime/StructureRareData.h:
13119 * runtime/SymbolTable.h:
13120 (JSC::SharedSymbolTable::createStructure):
13121 * runtime/VM.cpp:
13122 (JSC::VM::VM):
13123 (JSC::StackPreservingRecompiler::operator()):
13124 (JSC::VM::releaseExecutableMemory):
13125 * runtime/WriteBarrier.h:
13126 (JSC::validateCell):
13127 * testRegExp.cpp:
13128 (GlobalObject::createStructure):
13129
131302013-08-13 Arunprasad Rajkumar <arurajku@cisco.com>
13131
13132 [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
13133 https://bugs.webkit.org/show_bug.cgi?id=119762
13134
13135 Reviewed by Geoffrey Garen.
13136
13137 * heap/Heap.cpp:
13138 (JSC::Heap::Heap):
13139 (JSC::Heap::markRoots):
13140 (JSC::Heap::collect):
13141 * jsc.cpp:
13142 (StopWatch::start):
13143 (StopWatch::stop):
13144 * testRegExp.cpp:
13145 (StopWatch::start):
13146 (StopWatch::stop):
13147
131482013-08-13 Julien Brianceau <jbrianceau@nds.com>
13149
13150 [sh4] Prepare LLINT for DFG_JIT implementation.
13151 https://bugs.webkit.org/show_bug.cgi?id=119755
13152
13153 Reviewed by Oliver Hunt.
13154
13155 * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
13156 * offlineasm/sh4.rb:
13157 - Handle storeb opcode.
13158 - Make relative jumps when possible using braf opcode.
13159 - Update bmulio implementation to be consistent with baseline JIT.
13160 - Remove useless code from leap opcode.
13161 - Fix incorrect comment.
13162
131632013-08-13 Julien Brianceau <jbrianceau@nds.com>
13164
13165 [sh4] Prepare baseline JIT for DFG_JIT implementation.
13166 https://bugs.webkit.org/show_bug.cgi?id=119758
13167
13168 Reviewed by Oliver Hunt.
13169
13170 * assembler/MacroAssemblerSH4.h:
13171 - Introduce a loadEffectiveAddress function to avoid code duplication.
13172 - Add ASSERTs and clean code.
13173 * assembler/SH4Assembler.h:
13174 - Prepare DFG_JIT implementation.
13175 - Add ASSERTs.
13176 * jit/JITStubs.cpp:
13177 - Add SH4 specific call for assertions.
13178 * jit/JITStubs.h:
13179 - Cosmetic change.
13180 * jit/JITStubsSH4.h:
13181 - Use constants to be more flexible with sh4 JIT stack frame.
13182 * jit/JSInterfaceJIT.h:
13183 - Cosmetic change.
13184
131852013-08-13 Oliver Hunt <oliver@apple.com>
13186
13187 Harden executeConstruct against incorrect return types from host functions
13188 https://bugs.webkit.org/show_bug.cgi?id=119757
13189
13190 Reviewed by Mark Hahnenberg.
13191
13192 Add logic to guard against bogus return types. There doesn't seem to be any
13193 class in webkit that does this wrong, but the typed array stubs in debug JSC
13194 do exhibit this bad behaviour.
13195
13196 * interpreter/Interpreter.cpp:
13197 (JSC::Interpreter::executeConstruct):
13198
131992013-08-13 Allan Sandfeld Jensen <allan.jensen@digia.com>
13200
13201 [Qt] Fix C++11 build with gcc 4.4 and 4.5
13202 https://bugs.webkit.org/show_bug.cgi?id=119736
13203
13204 Reviewed by Anders Carlsson.
13205
13206 Don't force C++11 mode off anymore.
13207
13208 * Target.pri:
13209
132102013-08-12 Oliver Hunt <oliver@apple.com>
13211
13212 Remove CodeBlock's notion of adding identifiers entirely
13213 https://bugs.webkit.org/show_bug.cgi?id=119708
13214
13215 Reviewed by Geoffrey Garen.
13216
13217 Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd.

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:

2013-08-12 Oliver Hunt <oliver@apple.com>

        Build fix

        * runtime/JSCell.h:

2013-08-12 Oliver Hunt <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12 Oliver Hunt <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-08-08 Mark Lam <mark.lam@apple.com>

        Restoring use of StackIterator instead of Interpreter::getStackTrace().
        https://bugs.webkit.org/show_bug.cgi?id=119575.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.h:
        - Made getStackTrace() private.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::numberOfFrames):
        - Computes the number of frames by iterating through the whole stack
          from the starting frame. The iterator will save its current frame
          position before counting the frames, and then restoring it after
          the counting.
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        - Points the iterator to the starting frame.
        * interpreter/StackIteratorPrivate.h:

2013-08-08 Mark Lam <mark.lam@apple.com>

        Moved ErrorConstructor and NativeErrorConstructor helper functions into
        the Interpreter class.
        https://bugs.webkit.org/show_bug.cgi?id=119576.

        Reviewed by Oliver Hunt.

        This change is needed to prepare for making Interpreter::getStackTrace()
        private. It does not change the behavior of the code, only the lexical
        scoping.

        * interpreter/Interpreter.h:
        - Added helper functions for ErrorConstructor and NativeErrorConstructor.
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::ErrorConstructor::getConstructData):
        (JSC::Interpreter::callErrorConstructor):
        (JSC::ErrorConstructor::getCallData):
        - Don't want ErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::Interpreter::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getCallData):
        - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.

2013-08-07 Mark Hahnenberg <mhahnenberg@apple.com>

        32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
        https://bugs.webkit.org/show_bug.cgi?id=119555

        Reviewed by Geoffrey Garen.

        It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
        This was causing crashes on maps.google.com in 32-bit debug builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-06 Michael Saboff <msaboff@apple.com>

        REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=119405

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
        ourselves to save a register and then load from it.

2013-08-06 Filip Pizlo <fpizlo@apple.com>

        DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
        https://bugs.webkit.org/show_bug.cgi?id=119528

        Reviewed by Geoffrey Garen.

        Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
        uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
        the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
        format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
        from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

        This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * runtime/JSObject.h:
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):

2013-08-08 Stephanie Lewis <slewis@apple.com>

        <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file

        Unreviewed.

        Ensure llint symbols are in source order.

        * JavaScriptCore.order:

2013-08-06 Mark Lam <mark.lam@apple.com>

        Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
        https://bugs.webkit.org/show_bug.cgi?id=119532.

        Reviewed by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::::Parser):
        - Just need to initialize the Parser's JSTokenLocation's initial line and
          startOffset as well during Parser construction.

2013-08-06 Stephanie Lewis <slewis@apple.com>

        Update Order Files for Safari
        <rdar://problem/14517392>

        Unreviewed.

        * JavaScriptCore.order:

2013-08-04 Sam Weinig <sam@webkit.org>

        Remove support for HTML5 MicroData
        https://bugs.webkit.org/show_bug.cgi?id=119480

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-08-05 Oliver Hunt <oliver@apple.com>

        Delay Arguments creation in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=119505

        Reviewed by Geoffrey Garen.

        Make use of the write tracking performed by the parser to
        allow us to know if we're modifying the parameters to a function.
        Then use that information to make strict mode functions opt out
        of eager arguments creation.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
        * parser/Nodes.h:
        (JSC::ScopeNode::modifiesParameter):
        * parser/Parser.cpp:
        (JSC::::parseInner):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        (JSC::Scope::getCapturedVariables):
        (JSC::Parser::declareWrite):
        * parser/ParserModes.h:

2013-08-06 Patrick Gansterer <paroga@webkit.org>

        Remove useless code from COMPILER(RVCT) JITStubs
        https://bugs.webkit.org/show_bug.cgi?id=119521

        Reviewed by Geoffrey Garen.

        * jit/JITStubsARMv7.h:
        (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
        (JSC::ctiOpThrowNotCaught): Ditto.

2013-07-23 David Farler <dfarler@apple.com>

        Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
        https://bugs.webkit.org/show_bug.cgi?id=117762

        Reviewed by Mark Rowe.

        * Configurations/DebugRelease.xcconfig:
        Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
        * Configurations/JavaScriptCore.xcconfig:
        Add ASAN_OTHER_LDFLAGS.
        * Configurations/ToolExecutable.xcconfig:
        Don't use ASAN for build tools.

2013-08-06 Patrick Gansterer <paroga@webkit.org>

        Build fix for ARM MSVC after r153222 and r153648.

        * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.

2013-08-06 Patrick Gansterer <paroga@webkit.org>

        Build fix for ARM MSVC after r150109.

        Read the stub template from a header file instead of JITStubs.cpp.

        * CMakeLists.txt:
        * DerivedSources.pri:
        * create_jit_stubs:

2013-08-05 Oliver Hunt <oliver@apple.com>

        Move TypedArray implementation into JSC
        https://bugs.webkit.org/show_bug.cgi?id=119489

        Reviewed by Filip Pizlo.

        Move TypedArray implementation into JSC in advance of re-implementation.
13518
13519 * GNUmakefile.list.am:
13520 * JSCTypedArrayStubs.h:
13521 * JavaScriptCore.xcodeproj/project.pbxproj:
13522 * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
13523 (JSC::ArrayBuffer::transfer):
13524 (JSC::ArrayBuffer::addView):
13525 (JSC::ArrayBuffer::removeView):
13526 * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
13527 (JSC::ArrayBufferContents::ArrayBufferContents):
13528 (JSC::ArrayBufferContents::data):
13529 (JSC::ArrayBufferContents::sizeInBytes):
13530 (JSC::ArrayBufferContents::transfer):
13531 (JSC::ArrayBufferContents::copyTo):
13532 (JSC::ArrayBuffer::isNeutered):
13533 (JSC::ArrayBuffer::~ArrayBuffer):
13534 (JSC::ArrayBuffer::clampValue):
13535 (JSC::ArrayBuffer::create):
13536 (JSC::ArrayBuffer::createUninitialized):
13537 (JSC::ArrayBuffer::ArrayBuffer):
13538 (JSC::ArrayBuffer::data):
13539 (JSC::ArrayBuffer::byteLength):
13540 (JSC::ArrayBuffer::slice):
13541 (JSC::ArrayBuffer::sliceImpl):
13542 (JSC::ArrayBuffer::clampIndex):
13543 (JSC::ArrayBufferContents::tryAllocate):
13544 (JSC::ArrayBufferContents::~ArrayBufferContents):
13545 * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
13546 (JSC::ArrayBufferView::ArrayBufferView):
13547 (JSC::ArrayBufferView::~ArrayBufferView):
13548 (JSC::ArrayBufferView::neuter):
13549 * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
13550 (JSC::ArrayBufferView::buffer):
13551 (JSC::ArrayBufferView::baseAddress):
13552 (JSC::ArrayBufferView::byteOffset):
13553 (JSC::ArrayBufferView::setNeuterable):
13554 (JSC::ArrayBufferView::isNeuterable):
13555 (JSC::ArrayBufferView::verifySubRange):
13556 (JSC::ArrayBufferView::clampOffsetAndNumElements):
13557 (JSC::ArrayBufferView::setImpl):
13558 (JSC::ArrayBufferView::setRangeImpl):
13559 (JSC::ArrayBufferView::zeroRangeImpl):
13560 (JSC::ArrayBufferView::calculateOffsetAndLength):
13561 * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
13562 (JSC::Float32Array::set):
13563 (JSC::Float32Array::getType):
13564 (JSC::Float32Array::create):
13565 (JSC::Float32Array::createUninitialized):
13566 (JSC::Float32Array::Float32Array):
13567 (JSC::Float32Array::subarray):
13568 * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
13569 (JSC::Float64Array::set):
13570 (JSC::Float64Array::getType):
13571 (JSC::Float64Array::create):
13572 (JSC::Float64Array::createUninitialized):
13573 (JSC::Float64Array::Float64Array):
13574 (JSC::Float64Array::subarray):
13575 * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
13576 (JSC::Int16Array::getType):
13577 (JSC::Int16Array::create):
13578 (JSC::Int16Array::createUninitialized):
13579 (JSC::Int16Array::Int16Array):
13580 (JSC::Int16Array::subarray):
13581 * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
13582 (JSC::Int32Array::getType):
13583 (JSC::Int32Array::create):
13584 (JSC::Int32Array::createUninitialized):
13585 (JSC::Int32Array::Int32Array):
13586 (JSC::Int32Array::subarray):
13587 * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
13588 (JSC::Int8Array::getType):
13589 (JSC::Int8Array::create):
13590 (JSC::Int8Array::createUninitialized):
13591 (JSC::Int8Array::Int8Array):
13592 (JSC::Int8Array::subarray):
13593 * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
13594 (JSC::IntegralTypedArrayBase::set):
13595 (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
13596 * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
13597 (JSC::TypedArrayBase::data):
13598 (JSC::TypedArrayBase::set):
13599 (JSC::TypedArrayBase::setRange):
13600 (JSC::TypedArrayBase::zeroRange):
13601 (JSC::TypedArrayBase::length):
13602 (JSC::TypedArrayBase::byteLength):
13603 (JSC::TypedArrayBase::item):
13604 (JSC::TypedArrayBase::checkInboundData):
13605 (JSC::TypedArrayBase::TypedArrayBase):
13606 (JSC::TypedArrayBase::create):
13607 (JSC::TypedArrayBase::createUninitialized):
13608 (JSC::TypedArrayBase::subarrayImpl):
13609 (JSC::TypedArrayBase::neuter):
13610 * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
13611 (JSC::Uint16Array::getType):
13612 (JSC::Uint16Array::create):
13613 (JSC::Uint16Array::createUninitialized):
13614 (JSC::Uint16Array::Uint16Array):
13615 (JSC::Uint16Array::subarray):
13616 * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
13617 (JSC::Uint32Array::getType):
13618 (JSC::Uint32Array::create):
13619 (JSC::Uint32Array::createUninitialized):
13620 (JSC::Uint32Array::Uint32Array):
13621 (JSC::Uint32Array::subarray):
13622 * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
13623 (JSC::Uint8Array::getType):
13624 (JSC::Uint8Array::create):
13625 (JSC::Uint8Array::createUninitialized):
13626 (JSC::Uint8Array::Uint8Array):
13627 (JSC::Uint8Array::subarray):
13628 * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
13629 (JSC::Uint8ClampedArray::getType):
13630 (JSC::Uint8ClampedArray::create):
13631 (JSC::Uint8ClampedArray::createUninitialized):
13632 (JSC::Uint8ClampedArray::zeroFill):
13633 (JSC::Uint8ClampedArray::set):
13634 (JSC::Uint8ClampedArray::Uint8ClampedArray):
13635 (JSC::Uint8ClampedArray::subarray):
13636 * runtime/VM.h:
13637
13638 2013-08-03 Filip Pizlo <fpizlo@apple.com>
13639
13640 Copied space should be able to handle more than one copied backing store per JSCell
13641 https://bugs.webkit.org/show_bug.cgi?id=119471
13642
13643 Reviewed by Mark Hahnenberg.
13644
13645 This allows a cell to call copyLater() multiple times for multiple different
13646 backing stores, and then have copyBackingStore() called exactly once for each
13647 of those. A token tells it which backing store to copy. All backing stores
13648 must be named using the CopyToken, an enumeration which currently cannot
13649 exceed eight entries.
13650
13651 When copyBackingStore() is called, it's up to the callee to (a) use the token
13652 to decide what to copy and (b) call its base class's copyBackingStore() in
13653 case the base class had something that needed copying. The only exception is
13654 that JSCell never asks anything to be copied, and so if your base is JSCell
13655 then you don't have to do anything.
13656
13657 * GNUmakefile.list.am:
13658 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13659 * JavaScriptCore.xcodeproj/project.pbxproj:
13660 * heap/CopiedBlock.h:
13661 * heap/CopiedBlockInlines.h:
13662 (JSC::CopiedBlock::reportLiveBytes):
13663 * heap/CopyToken.h: Added.
13664 * heap/CopyVisitor.cpp:
13665 (JSC::CopyVisitor::copyFromShared):
13666 * heap/CopyVisitor.h:
13667 * heap/CopyVisitorInlines.h:
13668 (JSC::CopyVisitor::visitItem):
13669 * heap/CopyWorkList.h:
13670 (JSC::CopyWorklistItem::CopyWorklistItem):
13671 (JSC::CopyWorklistItem::cell):
13672 (JSC::CopyWorklistItem::token):
13673 (JSC::CopyWorkListSegment::get):
13674 (JSC::CopyWorkListSegment::append):
13675 (JSC::CopyWorkListSegment::data):
13676 (JSC::CopyWorkListIterator::get):
13677 (JSC::CopyWorkListIterator::operator*):
13678 (JSC::CopyWorkListIterator::operator->):
13679 (JSC::CopyWorkList::append):
13680 * heap/SlotVisitor.h:
13681 * heap/SlotVisitorInlines.h:
13682 (JSC::SlotVisitor::copyLater):
13683 * runtime/ClassInfo.h:
13684 * runtime/JSCell.cpp:
13685 (JSC::JSCell::copyBackingStore):
13686 * runtime/JSCell.h:
13687 * runtime/JSObject.cpp:
13688 (JSC::JSObject::visitButterfly):
13689 (JSC::JSObject::copyBackingStore):
13690 * runtime/JSObject.h:
13691
13692 2013-08-05 Zan Dobersek <zdobersek@igalia.com>
13693
13694 [Automake] Define ENABLE_JIT through the Autoconf header
13695 https://bugs.webkit.org/show_bug.cgi?id=119445
13696
13697 Reviewed by Martin Robinson.
13698
13699 * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
13700
13701 2013-08-03 Filip Pizlo <fpizlo@apple.com>
13702
13703 hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
13704 https://bugs.webkit.org/show_bug.cgi?id=119470
13705
13706 Reviewed by Oliver Hunt.
13707
13708 Structure can still tell you if the object "could" (in the conservative sense)
13709 have an indexing header; that's used by the compiler.
13710
13711 Most of the time if you want to know if there's an indexing header, you ask the
13712 JSObject.
13713
13714 In some cases, the JSObject wants to know if it would have an indexing header if
13715 it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
13716
13717 * dfg/DFGRepatch.cpp:
13718 (JSC::DFG::tryCachePutByID):
13719 (JSC::DFG::tryBuildPutByIdList):
13720 * dfg/DFGSpeculativeJIT.cpp:
13721 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
13722 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
13723 * runtime/ButterflyInlines.h:
13724 (JSC::Butterfly::create):
13725 (JSC::Butterfly::growPropertyStorage):
13726 (JSC::Butterfly::growArrayRight):
13727 (JSC::Butterfly::resizeArray):
13728 * runtime/JSObject.cpp:
13729 (JSC::JSObject::copyButterfly):
13730 (JSC::JSObject::visitButterfly):
13731 * runtime/JSObject.h:
13732 (JSC::JSObject::hasIndexingHeader):
13733 (JSC::JSObject::setButterfly):
13734 * runtime/Structure.h:
13735 (JSC::Structure::couldHaveIndexingHeader):
13736 (JSC::Structure::hasIndexingHeader):
13737
13738 2013-08-02 Chris Curtis <chris_curtis@apple.com>
13739
13740 Give the error object's stack property accessor attributes.
13741 https://bugs.webkit.org/show_bug.cgi?id=119404
13742
13743 Reviewed by Geoffrey Garen.
13744
13745 Changed the attributes of error object's stack property to allow developers to write
13746 and delete the stack property. This will match the functionality of Chrome. Firefox
13747 allows developers to write the error's stack, but not delete it.
13748
13749 * interpreter/Interpreter.cpp:
13750 (JSC::Interpreter::addStackTraceIfNecessary):
13751 * runtime/ErrorInstance.cpp:
13752 (JSC::ErrorInstance::finishCreation):
13753
13754 2013-08-02 Oliver Hunt <oliver@apple.com>
13755
13756 Incorrect type speculation reported by ToPrimitive
13757 https://bugs.webkit.org/show_bug.cgi?id=119458
13758
13759 Reviewed by Mark Hahnenberg.
13760
13761 Make sure that we report the correct type possibilities for the output
13762 from ToPrimitive.
13763
13764 * dfg/DFGAbstractInterpreterInlines.h:
13765 (JSC::DFG::::executeEffects):
13766
13767 2013-08-02 Gavin Barraclough <barraclough@apple.com>
13768
13769 Remove no-arguments constructor to PropertySlot
13770 https://bugs.webkit.org/show_bug.cgi?id=119460
13771
13772 Reviewed by Geoff Garen.
13773
13774 This constructor was unsafe if getValue is subsequently called,
13775 and the property is a getter. Simplest to just remove it.
13776
13777 * runtime/Arguments.cpp:
13778 (JSC::Arguments::defineOwnProperty):
13779 * runtime/JSActivation.cpp:
13780 (JSC::JSActivation::getOwnPropertyDescriptor):
13781 * runtime/JSFunction.cpp:
13782 (JSC::JSFunction::getOwnPropertyDescriptor):
13783 (JSC::JSFunction::getOwnNonIndexPropertyNames):
13784 (JSC::JSFunction::put):
13785 (JSC::JSFunction::defineOwnProperty):
13786 * runtime/JSGlobalObject.cpp:
13787 (JSC::JSGlobalObject::defineOwnProperty):
13788 * runtime/JSGlobalObject.h:
13789 (JSC::JSGlobalObject::hasOwnPropertyForWrite):
13790 * runtime/JSNameScope.cpp:
13791 (JSC::JSNameScope::put):
13792 * runtime/JSONObject.cpp:
13793 (JSC::Stringifier::Holder::appendNextProperty):
13794 (JSC::Walker::walk):
13795 * runtime/JSObject.cpp:
13796 (JSC::JSObject::hasProperty):
13797 (JSC::JSObject::hasOwnProperty):
13798 (JSC::JSObject::reifyStaticFunctionsForDelete):
13799 * runtime/Lookup.h:
13800 (JSC::getStaticPropertyDescriptor):
13801 (JSC::getStaticFunctionDescriptor):
13802 (JSC::getStaticValueDescriptor):
13803 * runtime/ObjectConstructor.cpp:
13804 (JSC::defineProperties):
13805 * runtime/PropertySlot.h:
13806
13807 2013-08-02 Mark Hahnenberg <mhahnenberg@apple.com>
13808
13809 DFG validation can cause assertion failures due to dumping
13810 https://bugs.webkit.org/show_bug.cgi?id=119456
13811
13812 Reviewed by Geoffrey Garen.
13813
13814 * bytecode/CodeBlock.cpp:
13815 (JSC::CodeBlock::hasHash):
13816 (JSC::CodeBlock::isSafeToComputeHash):
13817 (JSC::CodeBlock::hash):
13818 (JSC::CodeBlock::dumpAssumingJITType):
13819 * bytecode/CodeBlock.h:
13820
13821 2013-08-02 Chris Curtis <chris_curtis@apple.com>
13822
13823 Have vm's exceptionStack match Java's vm's exceptionStack.
13824 https://bugs.webkit.org/show_bug.cgi?id=119362
13825
13826 Reviewed by Geoffrey Garen.
13827
13828 The error object's stack is only updated if it does not exist yet. This matches
13829 the functionality of other browsers, and Java VMs.
13830
13831 * interpreter/Interpreter.cpp:
13832 (JSC::Interpreter::addStackTraceIfNecessary):
13833 (JSC::Interpreter::throwException):
13834 * runtime/VM.cpp:
13835 (JSC::VM::clearExceptionStack):
13836 * runtime/VM.h:
13837 (JSC::VM::lastExceptionStack):
13838
13839 2013-08-02 Julien Brianceau <jbrianceau@nds.com>
13840
13841 REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
13842 https://bugs.webkit.org/show_bug.cgi?id=119447
13843
13844 Reviewed by Geoffrey Garen.
13845
13846 Fix .cpload, update call frame and do not restore registers from JIT stack frame in
13847 mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
13848 r153583 (sh4) and r153648 (ARM).
13849
13850 * jit/JITStubsMIPS.h:
13851
13852 2013-08-01 Filip Pizlo <fpizlo@apple.com>
13853
13854 hasIndexingHeader should be a property of the Structure, not just the IndexingType
13855 https://bugs.webkit.org/show_bug.cgi?id=119422
13856
13857 Reviewed by Oliver Hunt.
13858
13859 This simplifies some code and also allows Structure to claim that an object
13860 has an indexing header even if it doesn't have indexed properties.
13861
13862 I also changed some calls to use hasIndexedProperties() since in some cases,
13863 that's what we actually meant. Currently the two are synonyms.
13864
13865 * dfg/DFGRepatch.cpp:
13866 (JSC::DFG::tryCachePutByID):
13867 (JSC::DFG::tryBuildPutByIdList):
13868 * dfg/DFGSpeculativeJIT.cpp:
13869 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
13870 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
13871 * runtime/ButterflyInlines.h:
13872 (JSC::Butterfly::create):
13873 (JSC::Butterfly::growPropertyStorage):
13874 (JSC::Butterfly::growArrayRight):
13875 (JSC::Butterfly::resizeArray):
13876 * runtime/IndexingType.h:
13877 * runtime/JSObject.cpp:
13878 (JSC::JSObject::copyButterfly):
13879 (JSC::JSObject::visitButterfly):
13880 (JSC::JSObject::setPrototype):
13881 * runtime/JSObject.h:
13882 (JSC::JSObject::setButterfly):
13883 * runtime/JSPropertyNameIterator.cpp:
13884 (JSC::JSPropertyNameIterator::create):
13885 * runtime/Structure.h:
13886 (JSC::Structure::hasIndexingHeader):
13887
13888 2013-08-02 Julien Brianceau <jbrianceau@nds.com>
13889
13890 REGRESSION: ARM still crashes after change set r153612.
13891 https://bugs.webkit.org/show_bug.cgi?id=119433
13892
13893 Reviewed by Michael Saboff.
13894
13895 Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
13896 implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
13897 for sh4 architecture.
13898
13899 * jit/JITStubsARM.h:
13900 * jit/JITStubsARMv7.h:
13901
13902 2013-08-02 Michael Saboff <msaboff@apple.com>
13903
13904 REGRESSION(r153612): It made jsc and layout tests crash
13905 https://bugs.webkit.org/show_bug.cgi?id=119440
13906
13907 Reviewed by Csaba Osztrogonác.
13908
13909 Made the changes of changeset r153612 only apply to 32 bit builds.
13910
13911 * jit/JITExceptions.cpp:
13912 * jit/JITExceptions.h:
13913 * jit/JITStubs.cpp:
13914 (JSC::cti_vm_throw_slowpath):
13915 * jit/JITStubs.h:
13916
13917 2013-08-02 Patrick Gansterer <paroga@webkit.org>
13918
13919 Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
13920
13921 * CMakeLists.txt:
13922
13923 2013-08-01 Ruth Fong <ruth_fong@apple.com>
13924
13925 [Forms: color] <input type='color'> popover color well implementation
13926 <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
13927
13928 Reviewed by Benjamin Poulain.
13929
13930 * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
13931
13932 2013-08-01 Oliver Hunt <oliver@apple.com>
13933
13934 DFG is not enforcing correct ordering of ToString conversion in MakeRope
13935 https://bugs.webkit.org/show_bug.cgi?id=119408
13936
13937 Reviewed by Filip Pizlo.
13938
13939 Construct ToString and Phantom nodes in advance of MakeRope
13940 nodes to ensure that ordering is ensured, and correct values
13941 will be reified on OSR exit.
13942
13943 * dfg/DFGByteCodeParser.cpp:
13944 (JSC::DFG::ByteCodeParser::parseBlock):
13945
13946 2013-08-01 Michael Saboff <msaboff@apple.com>
13947
13948 REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
13949 https://bugs.webkit.org/show_bug.cgi?id=119140
13950
13951 Reviewed by Filip Pizlo.
13952
13953 Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
13954
13955 * jit/JITExceptions.cpp:
13956 (JSC::encode):
13957 * jit/JITExceptions.h:
13958 * jit/JITStubs.cpp:
13959 (JSC::cti_vm_throw_slowpath):
13960 * jit/JITStubs.h:
13961
13962 2013-08-01 Julien Brianceau <jbrianceau@nds.com>
13963
13964 REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
13965 https://bugs.webkit.org/show_bug.cgi?id=119391
13966
13967 Reviewed by Csaba Osztrogonác.
13968
13969 * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
13970 - Call frame is in r14 register.
13971 - Do not restore registers from JIT stack frame here.
13972
13973 2013-07-31 Gavin Barraclough <barraclough@apple.com>
13974
13975 More cleanup in PropertySlot
13976 https://bugs.webkit.org/show_bug.cgi?id=119359
13977
13978 Reviewed by Geoff Garen.
13979
13980 m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property.
13981 This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
13982
13983 * dfg/DFGRepatch.cpp:
13984 (JSC::DFG::tryCacheGetByID):
13985 (JSC::DFG::tryBuildGetByIDList):
13986 - No need to ASSERT slotBase is an object.
13987 * jit/JITStubs.cpp:
13988 (JSC::tryCacheGetByID):
13989 (JSC::DEFINE_STUB_FUNCTION):
13990 - No need to ASSERT slotBase is an object.
13991 * runtime/JSObject.cpp:
13992 (JSC::JSObject::getOwnPropertySlotByIndex):
13993 (JSC::JSObject::fillGetterPropertySlot):
13994 - Pass an object through to setGetterSlot.
13995 * runtime/JSObject.h:
13996 (JSC::PropertySlot::getValue):
13997 - Moved from PropertySlot (need to know about JSObject).
13998 * runtime/PropertySlot.cpp:
13999 (JSC::PropertySlot::functionGetter):
14000 - Update per member name changes.
14001 * runtime/PropertySlot.h:
14002 (JSC::PropertySlot::PropertySlot):
14003 - Argument to constructor set to 'thisValue'.
14004 (JSC::PropertySlot::slotBase):
14005 - This returns a JSObject*.
14006 (JSC::PropertySlot::setValue):
14007 (JSC::PropertySlot::setCustom):
14008 (JSC::PropertySlot::setCacheableCustom):
14009 (JSC::PropertySlot::setCustomIndex):
14010 (JSC::PropertySlot::setGetterSlot):
14011 (JSC::PropertySlot::setCacheableGetterSlot):
14012 - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
14013 * runtime/SparseArrayValueMap.cpp:
14014 (JSC::SparseArrayEntry::get):
14015 - Pass an object through to setGetterSlot.
14016 * runtime/SparseArrayValueMap.h:
14017 - Pass an object through to setGetterSlot.
14018
14019 2013-07-31 Yi Shen <max.hong.shen@gmail.com>
14020
14021 Reduce JSC API static value setter/getter overhead.
14022 https://bugs.webkit.org/show_bug.cgi?id=119277
14023
14024 Reviewed by Geoffrey Garen.
14025
14026 Add property name to the static value entry, so that OpaqueJSString::create() doesn't
14027 need to get called every time we set or get the static value.
14028
14029 * API/JSCallbackObjectFunctions.h:
14030 (JSC::::put):
14031 (JSC::::putByIndex):
14032 (JSC::::getStaticValue):
14033 * API/JSClassRef.cpp:
14034 (OpaqueJSClassContextData::OpaqueJSClassContextData):
14035 * API/JSClassRef.h:
14036 (StaticValueEntry::StaticValueEntry):
14037
14038 2013-07-31 Kwang Yul Seo <skyul@company100.net>
14039
14040 Use emptyString instead of String("")
14041 https://bugs.webkit.org/show_bug.cgi?id=119335
14042
14043 Reviewed by Darin Adler.
14044
14045 Use emptyString() instead of String("") because it is better style and
14046 faster. This is a followup to r116908, removing all occurrences of
14047 String("") from WebKit.
14048
14049 * runtime/RegExpConstructor.cpp:
14050 (JSC::constructRegExp):
14051 * runtime/RegExpPrototype.cpp:
14052 (JSC::regExpProtoFuncCompile):
14053 * runtime/StringPrototype.cpp:
14054 (JSC::stringProtoFuncMatch):
14055 (JSC::stringProtoFuncSearch):
14056
14057 2013-07-31 Ruth Fong <ruth_fong@apple.com>
14058
14059 <input type=color> Mac UI behaviour
14060 <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
14061
14062 Reviewed by Brady Eidson.
14063
14064 * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
14065
14066 2013-07-31 Mark Hahnenberg <mhahnenberg@apple.com>
14067
14068 DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
14069 https://bugs.webkit.org/show_bug.cgi?id=119349
14070
14071 Reviewed by Geoffrey Garen.
14072
14073 Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for
14074 SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
14075 on code it compiled with any switch statements to have been run in the baseline JIT first.
14076 However, if the DFG chooses to inline a function that has never been compiled by the baseline
14077 JIT then this resizing never happens and we crash at link time in the DFG.
14078
14079 We can fix this by also doing the resize in the DFG to catch this case.
14080
14081 * dfg/DFGJITCompiler.cpp:
14082 (JSC::DFG::JITCompiler::link):
14083
14084 2013-07-31 Gavin Barraclough <barraclough@apple.com>
14085
14086 Speculative Windows build fix.
14087
14088 Reviewed by NOBODY
14089
14090 * runtime/JSString.cpp:
14091 (JSC::JSRopeString::getIndexSlowCase):
14092 * runtime/JSString.h:
14093
14094 2013-07-30 Gavin Barraclough <barraclough@apple.com>
14095
14096 Some cleanup in JSValue::get
14097 https://bugs.webkit.org/show_bug.cgi?id=119343
14098
14099 Reviewed by Geoff Garen.
14100
14101 JSValue::get is implemented to:
14102 1) Check if the value is a cell – if not, synthesize a prototype to search,
14103 2) call getOwnPropertySlot on the cell,
14104 3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
14105 By all rights this should crash when passed a string and accessing a property that does not exist, because
14106 the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
14107 To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
14108 prototype chain, and faking out a return value of undefined if no property is found.
14109
14110 This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
14111 from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
14112
14113 The fix here is to move getOwnPropertySlot onto JSObject and end this madness - cells don't have property
14114 slots anyway.
14115
14116 Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
14117
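A simplified model of the lookup described in this entry, added here as an example (it is not JavaScriptCore's code): getOwnPropertySlot exists on JSObject only, and a string cell is mapped to its prototype object instead of being cast to JSObject. The type names mirror the entry; Globals, LookupResult, objectToSearch and getProperty are assumed helper names, and property values are ints to keep the model small.

```cpp
#include <map>
#include <string>

// Added example modelling the JSValue::get entry above; not JavaScriptCore's
// code. Heap-allocated values are "cells"; strings are cells but NOT objects,
// so property slots (and getOwnPropertySlot) live on JSObject only.
struct JSCell {
    virtual ~JSCell() {}
    virtual bool isObject() const = 0;
};

struct JSObject : JSCell {
    std::map<std::string, int> ownProperties; // name -> value
    JSObject* prototype = nullptr;            // nullptr terminates the chain

    bool isObject() const override { return true; }

    // Own-property lookup only; never walks the prototype chain. This is the
    // method the entry moves from JSCell onto JSObject.
    bool getOwnPropertySlot(const std::string& name, int& out) const {
        std::map<std::string, int>::const_iterator it = ownProperties.find(name);
        if (it == ownProperties.end())
            return false;
        out = it->second;
        return true;
    }
};

struct JSString : JSCell {
    std::string value;
    explicit JSString(const std::string& v) : value(v) {}
    bool isObject() const override { return false; }
};

// A JSValue is a primitive (undefined or number here) or a pointer to a cell.
struct JSValue {
    enum Kind { Undefined, Number, Cell };
    Kind kind = Undefined;
    double number = 0;
    JSCell* cell = nullptr;

    static JSValue fromNumber(double d) { JSValue v; v.kind = Number; v.number = d; return v; }
    static JSValue fromCell(JSCell* c) { JSValue v; v.kind = Cell; v.cell = c; return v; }
};

// Prototypes synthesised for values that are not objects (hypothetical struct).
struct Globals {
    JSObject* stringPrototype;
    JSObject* numberPrototype;
};

// Result of a lookup; found == false stands for `undefined`.
struct LookupResult {
    bool found;
    int value;
};

// Step 1 of the entry, generalised: every non-object (primitive or string cell)
// is mapped to a prototype object. Nothing is cast to JSObject without first
// checking isObject(), which removes the hazard the entry describes.
static JSObject* objectToSearch(const JSValue& v, const Globals& g) {
    switch (v.kind) {
    case JSValue::Number:
        return g.numberPrototype;
    case JSValue::Cell:
        if (v.cell->isObject())
            return static_cast<JSObject*>(v.cell); // safe: checked above
        return g.stringPrototype;                  // string cell: start at its prototype
    case JSValue::Undefined:
        break;
    }
    return nullptr; // a real engine would throw a TypeError here
}

// Steps 2 and 3: ask each object on the chain for an own property slot.
LookupResult getProperty(const JSValue& v, const std::string& name, const Globals& g) {
    for (JSObject* o = objectToSearch(v, g); o; o = o->prototype) {
        int out = 0;
        if (o->getOwnPropertySlot(name, out)) {
            LookupResult r = { true, out };
            return r;
        }
    }
    LookupResult none = { false, 0 };
    return none;
}
```

A missing property on a string now simply yields `undefined` after the chain is exhausted, rather than relying on JSString::getOwnPropertySlot to fake that result.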
14118 2013-07-31 Michael Saboff <msaboff@apple.com>
14119
14120 [Win] JavaScript crash.
14121 https://bugs.webkit.org/show_bug.cgi?id=119339
14122
14123 Reviewed by Mark Hahnenberg.
14124
14125 * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
14126 ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
14127
14128 2013-07-30 Mark Hahnenberg <mhahnenberg@apple.com>
14129
14130 GetByVal on Arguments does the wrong size load when checking the Arguments object length
14131 https://bugs.webkit.org/show_bug.cgi?id=119281
14132
14133 Reviewed by Geoffrey Garen.
14134
14135 This leads to out of bounds accesses and subsequent crashes.
14136
14137 * dfg/DFGSpeculativeJIT.cpp:
14138 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
14139 * dfg/DFGSpeculativeJIT64.cpp:
14140 (JSC::DFG::SpeculativeJIT::compile):
14141
14142 2013-07-30 Oliver Hunt <oliver@apple.com>
14143
14144 Add an assertion to SpeculateCellOperand
14145 https://bugs.webkit.org/show_bug.cgi?id=119276
14146
14147 Reviewed by Michael Saboff.
14148
14149 More assertions are better.
14150
14151 * dfg/DFGSpeculativeJIT64.cpp:
14152 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14153 (JSC::DFG::SpeculativeJIT::compile):
14154
14155 2013-07-30 Mark Lam <mark.lam@apple.com>
14156
14157 Fix problems with divot and lineStart mismatches.
14158 https://bugs.webkit.org/show_bug.cgi?id=118662
14159
14160 Reviewed by Oliver Hunt.
14161
14162 r152494 added the recording of lineStart values for divot positions.
14163 This is needed for the computation of column numbers. Similarly, it also
14164 added the recording of line numbers for the divot positions. One problem
14165 with the approach taken was that the line and lineStart values were
14166 recorded independently, and hence were not always guaranteed to be
14167 sampled at the same place that the divot position is recorded. This
14168 resulted in potential mismatches that cause some assertions to fail.
14169
14170 The solution is to introduce a JSTextPosition abstraction that records
14171 the divot position, line, and lineStart as a single quantity. Wherever
14172 we record the divot position as an unsigned int previously, we now record
14173 its JSTextPosition which captures all 3 values in one go. This ensures
14174 that the captured line and lineStart will always match the captured divot
14175 position.
14176
14177 * bytecompiler/BytecodeGenerator.cpp:
14178 (JSC::BytecodeGenerator::emitCall):
14179 (JSC::BytecodeGenerator::emitCallEval):
14180 (JSC::BytecodeGenerator::emitCallVarargs):
14181 (JSC::BytecodeGenerator::emitConstruct):
14182 (JSC::BytecodeGenerator::emitDebugHook):
14183 - Use JSTextPosition instead of passing line and lineStart explicitly.
14184 * bytecompiler/BytecodeGenerator.h:
14185 (JSC::BytecodeGenerator::emitExpressionInfo):
14186 - Use JSTextPosition instead of passing line and lineStart explicitly.
14187 * bytecompiler/NodesCodegen.cpp:
14188 (JSC::ThrowableExpressionData::emitThrowReferenceError):
14189 (JSC::ResolveNode::emitBytecode):
14190 (JSC::BracketAccessorNode::emitBytecode):
14191 (JSC::DotAccessorNode::emitBytecode):
14192 (JSC::NewExprNode::emitBytecode):
14193 (JSC::EvalFunctionCallNode::emitBytecode):
14194 (JSC::FunctionCallValueNode::emitBytecode):
14195 (JSC::FunctionCallResolveNode::emitBytecode):
14196 (JSC::FunctionCallBracketNode::emitBytecode):
14197 (JSC::FunctionCallDotNode::emitBytecode):
14198 (JSC::CallFunctionCallDotNode::emitBytecode):
14199 (JSC::ApplyFunctionCallDotNode::emitBytecode):
14200 (JSC::PostfixNode::emitResolve):
14201 (JSC::PostfixNode::emitBracket):
14202 (JSC::PostfixNode::emitDot):
14203 (JSC::DeleteResolveNode::emitBytecode):
14204 (JSC::DeleteBracketNode::emitBytecode):
14205 (JSC::DeleteDotNode::emitBytecode):
14206 (JSC::PrefixNode::emitResolve):
14207 (JSC::PrefixNode::emitBracket):
14208 (JSC::PrefixNode::emitDot):
14209 (JSC::UnaryOpNode::emitBytecode):
14210 (JSC::BinaryOpNode::emitStrcat):
14211 (JSC::BinaryOpNode::emitBytecode):
14212 (JSC::ThrowableBinaryOpNode::emitBytecode):
14213 (JSC::InstanceOfNode::emitBytecode):
14214 (JSC::emitReadModifyAssignment):
14215 (JSC::ReadModifyResolveNode::emitBytecode):
14216 (JSC::AssignResolveNode::emitBytecode):
14217 (JSC::AssignDotNode::emitBytecode):
14218 (JSC::ReadModifyDotNode::emitBytecode):
14219 (JSC::AssignBracketNode::emitBytecode):
14220 (JSC::ReadModifyBracketNode::emitBytecode):
14221 (JSC::ForInNode::emitBytecode):
14222 (JSC::WithNode::emitBytecode):
14223 (JSC::ThrowNode::emitBytecode):
14224 - Use JSTextPosition instead of passing line and lineStart explicitly.
14225 * parser/ASTBuilder.h:
14226 - Replaced ASTBuilder::PositionInfo with JSTextPosition.
14227 (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
14228 (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
14229 (JSC::ASTBuilder::createResolve):
14230 (JSC::ASTBuilder::createBracketAccess):
14231 (JSC::ASTBuilder::createDotAccess):
14232 (JSC::ASTBuilder::createRegExp):
14233 (JSC::ASTBuilder::createNewExpr):
14234 (JSC::ASTBuilder::createAssignResolve):
14235 (JSC::ASTBuilder::createExprStatement):
14236 (JSC::ASTBuilder::createForInLoop):
14237 (JSC::ASTBuilder::createReturnStatement):
14238 (JSC::ASTBuilder::createBreakStatement):
14239 (JSC::ASTBuilder::createContinueStatement):
14240 (JSC::ASTBuilder::createLabelStatement):
14241 (JSC::ASTBuilder::createWithStatement):
14242 (JSC::ASTBuilder::createThrowStatement):
14243 (JSC::ASTBuilder::appendBinaryExpressionInfo):
14244 (JSC::ASTBuilder::appendUnaryToken):
14245 (JSC::ASTBuilder::unaryTokenStackLastStart):
14246 (JSC::ASTBuilder::assignmentStackAppend):
14247 (JSC::ASTBuilder::createAssignment):
14248 (JSC::ASTBuilder::setExceptionLocation):
14249 (JSC::ASTBuilder::makeDeleteNode):
14250 (JSC::ASTBuilder::makeFunctionCallNode):
14251 (JSC::ASTBuilder::makeBinaryNode):
14252 (JSC::ASTBuilder::makeAssignNode):
14253 (JSC::ASTBuilder::makePrefixNode):
14254 (JSC::ASTBuilder::makePostfixNode):
14255 - Use JSTextPosition instead of passing line and lineStart explicitly.
14256 * parser/Lexer.cpp:
14257 (JSC::::lex):
14258 - Added support for capturing the appropriate JSTextPositions instead
14259 of just the character offset.
14260 * parser/Lexer.h:
14261 (JSC::Lexer::currentPosition):
14262 (JSC::::lexExpectIdentifier):
14263 - Added support for capturing the appropriate JSTextPositions instead
14264 of just the character offset.
14265 * parser/NodeConstructors.h:
14266 (JSC::Node::Node):
14267 (JSC::ResolveNode::ResolveNode):
14268 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
14269 (JSC::FunctionCallValueNode::FunctionCallValueNode):
14270 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
14271 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
14272 (JSC::FunctionCallDotNode::FunctionCallDotNode):
14273 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
14274 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
14275 (JSC::PostfixNode::PostfixNode):
14276 (JSC::DeleteResolveNode::DeleteResolveNode):
14277 (JSC::DeleteBracketNode::DeleteBracketNode):
14278 (JSC::DeleteDotNode::DeleteDotNode):
14279 (JSC::PrefixNode::PrefixNode):
14280 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
14281 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
14282 (JSC::AssignBracketNode::AssignBracketNode):
14283 (JSC::AssignDotNode::AssignDotNode):
14284 (JSC::ReadModifyDotNode::ReadModifyDotNode):
14285 (JSC::AssignErrorNode::AssignErrorNode):
14286 (JSC::WithNode::WithNode):
14287 (JSC::ForInNode::ForInNode):
14288 - Use JSTextPosition instead of passing line and lineStart explicitly.
14289 * parser/Nodes.cpp:
14290 (JSC::StatementNode::setLoc):
14291 - Use JSTextPosition instead of passing line and lineStart explicitly.
14292 * parser/Nodes.h:
14293 (JSC::Node::lineNo):
14294 (JSC::Node::startOffset):
14295 (JSC::Node::lineStartOffset):
14296 (JSC::Node::position):
14297 (JSC::ThrowableExpressionData::ThrowableExpressionData):
14298 (JSC::ThrowableExpressionData::setExceptionSourceCode):
14299 (JSC::ThrowableExpressionData::divot):
14300 (JSC::ThrowableExpressionData::divotStart):
14301 (JSC::ThrowableExpressionData::divotEnd):
14302 (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
14303 (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
14304 (JSC::ThrowableSubExpressionData::subexpressionDivot):
14305 (JSC::ThrowableSubExpressionData::subexpressionStart):
14306 (JSC::ThrowableSubExpressionData::subexpressionEnd):
14307 (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
14308 (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
14309 (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
14310 (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
14311 (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
14312 - Use JSTextPosition instead of passing line and lineStart explicitly.
14313 * parser/Parser.cpp:
14314 (JSC::::Parser):
14315 (JSC::::parseInner):
14316 - Use JSTextPosition instead of passing line and lineStart explicitly.
14317 (JSC::::didFinishParsing):
14318 - Remove setting of m_lastLine value. We always pass in the value from
14319 m_lastLine anyway. So, this assignment is effectively a nop.
14320 (JSC::::parseVarDeclaration):
14321 (JSC::::parseVarDeclarationList):
14322 (JSC::::parseForStatement):
14323 (JSC::::parseBreakStatement):
14324 (JSC::::parseContinueStatement):
14325 (JSC::::parseReturnStatement):
14326 (JSC::::parseThrowStatement):
14327 (JSC::::parseWithStatement):
14328 (JSC::::parseTryStatement):
        (JSC::::parseBlockStatement):
        (JSC::::parseFunctionDeclaration):
        (JSC::LabelInfo::LabelInfo):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseExpressionStatement):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseBinaryExpression):
        (JSC::::parseProperty):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseMemberExpression):
        (JSC::::parseUnaryExpression):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Parser.h:
        (JSC::Parser::next):
        (JSC::Parser::nextExpectIdentifier):
        (JSC::Parser::getToken):
        (JSC::Parser::tokenStartPosition):
        (JSC::Parser::tokenEndPosition):
        (JSC::Parser::lastTokenEndPosition):
        (JSC::::parse):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTextPosition::operator+):
        (JSC::JSTextPosition::operator-):
        (JSC::JSTextPosition::operator int):
        - Added JSTextPosition.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::makeFunctionCallNode):
        (JSC::SyntaxChecker::makeAssignNode):
        (JSC::SyntaxChecker::makePrefixNode):
        (JSC::SyntaxChecker::makePostfixNode):
        (JSC::SyntaxChecker::makeDeleteNode):
        (JSC::SyntaxChecker::createResolve):
        (JSC::SyntaxChecker::createBracketAccess):
        (JSC::SyntaxChecker::createDotAccess):
        (JSC::SyntaxChecker::createRegExp):
        (JSC::SyntaxChecker::createNewExpr):
        (JSC::SyntaxChecker::createAssignResolve):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::appendBinaryExpressionInfo):
        (JSC::SyntaxChecker::operatorStackPop):
        - Use JSTextPosition instead of passing line and lineStart explicitly.

2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files to compilation.
        * bytecode/CodeBlock.cpp: Add an ENABLE(FTL_JIT) #if block to
        include FTL header files not included in the compilation.
        * dfg/DFGDriver.cpp: Ditto.
        * dfg/DFGPlan.cpp: Ditto.

2013-07-29  Chris Curtis  <chris_curtis@apple.com>

        Eager stack trace for error objects.
        https://bugs.webkit.org/show_bug.cgi?id=118918

        Reviewed by Geoffrey Garen.

        Chrome and Firefox give error objects the stack property and we wanted to match
        that functionality. This allows developers to see the stack without throwing an object.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        For error objects that are not thrown as an exception, we pass the stackTrace in
        as a parameter. This allows the error object to have the stack property.

        * interpreter/Interpreter.cpp:
        (JSC::stackTraceAsString):
        Helper function used to eliminate duplicate code.

        (JSC::Interpreter::addStackTraceIfNecessary):
        When an error object is created by the user the vm->exceptionStack is not set.
        If the user throws this error object later the stack that is in the error object
        may not be the correct stack for the throw, so when we set the vm->exception stack,
        the stack property on the error object is set as well.

        * runtime/ErrorConstructor.cpp:
        (JSC::constructWithErrorConstructor):
        (JSC::callErrorConstructor):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::constructWithNativeErrorConstructor):
        (JSC::callNativeErrorConstructor):
        These functions indicate that the user created an error object. For all error objects
        that the user explicitly creates, the topCallFrame is at a new frame created to
        handle the user's call. In this case though, the error object needs the caller's
        frame to create the stack trace correctly.

        * interpreter/Interpreter.h:
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):

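What the eager stack means from the JavaScript side, as an added example that is not code from the change above: an Error carries a .stack string describing its creation site as soon as it is constructed, whether or not it is ever thrown. That is convenient for logging, but it also means any Error object handed across a trust boundary (returned to a caller, posted to another frame, serialised into a response) discloses the file paths and function names of the code that built it. The helper names (internalLookup, sanitizeError, lookupForClient) are illustrative, and the stack text format is engine specific; the code assumes only that .stack is a string with one frame per line.

```javascript
// Added example, not JavaScriptCore code. Exercises the "stack without throw"
// behaviour described above and shows one way to keep that stack from leaking
// to an untrusted caller. Helper names are illustrative.

// Builds, but does not throw, an error for a missing key. With eager stack
// traces the returned object already describes where it was created.
function internalLookup(key) {
  return new Error(`no entry for ${key}`);
}

// Split the engine-specific stack text into one trimmed line per frame.
function stackFrames(err) {
  return String(err.stack || '').split('\n').map(l => l.trim()).filter(Boolean);
}

// True if any frame line mentions the given function name or path fragment.
function stackMentions(err, needle) {
  return stackFrames(err).some(line => line.includes(needle));
}

// Copy only the fields an untrusted caller needs; .stack is deliberately
// dropped so creation-site paths and function names stay internal.
function sanitizeError(err) {
  return { name: err.name, message: err.message };
}

// The boundary function: internal error objects never cross as-is.
function lookupForClient(key) {
  return sanitizeError(internalLookup(key));
}

if (typeof require !== 'undefined' && require.main === module) {
  const err = internalLookup('missing');
  console.log('stack frames without a throw:', stackFrames(err).length);
  console.log('creation site visible:', stackMentions(err, 'internalLookup'));
  console.log('what the client sees:', lookupForClient('missing'));
}
```

Run under Node this shows a multi-frame stack naming internalLookup on an error that was never thrown, and a sanitised object with no stack field at all; the same check is worth running on whatever the engine in use produces, since the frame text differs between engines.
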
2013-07-29  Gavin Barraclough  <barraclough@apple.com>

        Some cleanup in PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119189

        Reviewed by Geoff Garen.

        PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
        The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
        is set to a special value to indicate the type (other than custom), and the type is also tracked by
        an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
        (this is invalidOffset if not cacheable).

        * Internally, always track the type of the property using an enum value, PropertyType.
        * Use m_offset to indicate cacheable.
        * Keep the external interface (CachedPropertyType) unchanged.
        * Better pack data into the m_data union.

        Performance neutral.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        - cachedPropertyType() -> isCacheable*()
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        - cachedPropertyType() -> isCacheable*()
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        - cachedPropertyType() -> isCacheable*()
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        - cachedPropertyType() -> isCacheable*()
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        - cachedPropertyType() -> isCacheable*()
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        - refactoring described above.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::getValue):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::cachedOffset):
        (JSC::PropertySlot::customGetter):
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
        (JSC::PropertySlot::setUndefined):
        (JSC::PropertySlot::slotBase):
        (JSC::PropertySlot::setBase):
        - refactoring described above.

2013-07-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION: Crash when opening Facebook.com
        https://bugs.webkit.org/show_bug.cgi?id=119155

        Reviewed by Andreas Kling.

        Scope nodes are always objects, so we should be using SpecObjectOther
        rather than SpecCellOther. Marking Scopes as CellOther leads to a
        contradiction in the CFA, resulting in bogus codegen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-07-26  Oliver Hunt  <oliver@apple.com>

        REGRESSION(FTL?): Crashes in plugin tests
        https://bugs.webkit.org/show_bug.cgi?id=119141

        Reviewed by Michael Saboff.

        Re-export getStackTrace

        * interpreter/Interpreter.h:

2013-07-26  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash when opening a message on Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119105

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        - GetById patching in the DFG needs to be more disciplined about how it derives the
          slow path.

        - Fix some dumping code thread safety issues.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::getPolymorphicStructureList):
        (JSC::DFG::tryBuildGetByIDList):

2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>

        [mips] Fix LLINT build for mips backend
        https://bugs.webkit.org/show_bug.cgi?id=119152

        Reviewed by Oliver Hunt.

        * offlineasm/mips.rb:

2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Setting a large numeric property on an object causes it to allocate a huge backing store
        https://bugs.webkit.org/show_bug.cgi?id=118914

        Reviewed by Geoffrey Garen.

        There are two distinct actions that we're trying to optimize for:

            new Array(100000);

        and:

            a = [];
            a[100000] = 42;

        In the first case, the programmer has indicated that they expect this Array to be very big,
        so they should get a contiguous array up until some threshold, above which we perform density
        calculations to see if it is indeed dense enough to warrant being contiguous.

        In the second case, the programmer hasn't indicated anything about the size of the Array, so
        we should be more conservative and assume it should be sparse until we've proven otherwise.

        Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish
        between them for the purposes of not over-allocating large backing stores like we see on
        http://www.peekanalytics.com/burgerjoints/

        The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and
        introduce a new heuristic for the second case. If we are putting to an index above a certain
        threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse
        map instead. So for example, in the second case above the empty array has a blank indexing
        type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.

        This fix is a ~800x speedup on the accompanying regression test :-o

        * runtime/ArrayConventions.h:
        (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

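A toy model of the decision described above, added here as an example and not JavaScriptCore code. It keeps the explicit-size path (the first case) and the beyond-length heuristic (the second case) side by side so the outcome for concrete indices can be checked: the same index lands in the contiguous store when the programmer asked for that size, and in the sparse map when the array started empty. Both constants are assumptions (the entry says only "say, 1000", and 10000 is a stand-in for MIN_SPARSE_ARRAY_INDEX), and the density calculation the entry mentions for very large explicit sizes is not modelled.

```javascript
// Added example, not JavaScriptCore code: a toy model of the allocation decision
// described above. Constants are assumptions; the density calculation for very
// large explicit sizes is not modelled.

const MIN_SPARSE_ARRAY_INDEX = 10000;        // assumed stand-in for the engine's value
const SPARSE_BEYOND_LENGTH_THRESHOLD = 1000; // assumed, from "say, 1000" in the entry

// Second case (a = []; a[i] = v): an index far above the current length, with no
// size hint from the programmer, goes to the sparse map instead of growing the
// contiguous store out to i.
function indexIsSufficientlyBeyondLengthForSparseMap(index, length) {
  return index > SPARSE_BEYOND_LENGTH_THRESHOLD && index > length;
}

class ModelArray {
  // First case (new Array(n)): the programmer asked for n slots, so the model
  // reserves them contiguously up to the cap.
  constructor(initialLength = 0) {
    this.length = initialLength;
    this.vector = [];        // stands in for the contiguous backing store
    this.sparse = new Map(); // stands in for the sparse map
    this.vector.length = Math.min(initialLength, MIN_SPARSE_ARRAY_INDEX);
  }

  vectorLength() {
    return this.vector.length;
  }

  // Stores value at index and reports which store took it, so the allocation
  // decision is observable.
  put(index, value) {
    if (index < this.vector.length) {
      this.vector[index] = value;
      return 'vector';
    }
    if (index >= MIN_SPARSE_ARRAY_INDEX ||
        indexIsSufficientlyBeyondLengthForSparseMap(index, this.length)) {
      this.sparse.set(index, value);
      this.length = Math.max(this.length, index + 1);
      return 'sparse';
    }
    // Small gap beyond the vector: grow the contiguous store (cost proportional
    // to index) and pull any sparse entries that now fall inside it back in.
    this.vector.length = index + 1;
    for (const [i, v] of this.sparse) {
      if (i <= index) {
        this.vector[i] = v;
        this.sparse.delete(i);
      }
    }
    this.vector[index] = value;
    this.length = Math.max(this.length, index + 1);
    return 'vector';
  }

  get(index) {
    return index < this.vector.length ? this.vector[index] : this.sparse.get(index);
  }
}
```

The check worth keeping from this is vectorLength(): one write at index 100000 into an empty ModelArray leaves the contiguous store at length 0 rather than 100001, which is the over-allocation the change is about, while new ModelArray(5000) followed by a write at 4999 stays contiguous because the size was requested up front.
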
2013-07-26  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=119148

        Reviewed by Csaba Osztrogonác.

        * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
        * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
        in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
        code duplication.

2013-07-26  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Crash in sh4 baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=119138

        Reviewed by Csaba Osztrogonác.

        This crash is due to incomplete report of r150146 and r148474.

        * jit/JITStubsSH4.h:

2013-07-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed.

        * Target.pri: Adding missing DFG files to the Qt build.

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        GTK and Qt buildfix after the intrusive win buildfix r153360.

        * GNUmakefile.list.am:
        * Target.pri:

2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Unreviewed, fix build break after r153360.

        * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.

2013-07-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix, AppleWin port.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-07-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Followup to r153360.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-07-25  Michael Saboff  <msaboff@apple.com>

        [Windows] Speculative build fix.

        Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
        that is always compiled. Made LLInt::returnToThrow() conditional on LLINT being enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp: Added.
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h: Added.

2013-07-25  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
        parser/SourceCode.h,.cpp.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-07-25  Anders Carlsson  <andersca@apple.com>

        ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
        https://bugs.webkit.org/show_bug.cgi?id=119108

        Reviewed by Mark Hahnenberg.

        Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::collect):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        REGRESSION(FTL): Most layout tests crash
        https://bugs.webkit.org/show_bug.cgi?id=119089

        Reviewed by Oliver Hunt.

        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
        code from creating the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
        RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
        Currently it's created beforehand and therefore holds a null pointer before it's anchored as the JIT code in
        JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
        (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.

2013-07-25  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
        include path.

2013-07-25  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
        runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-07-25  Oliver Hunt  <oliver@apple.com>

        Make all jit & non-jit combos build cleanly
        https://bugs.webkit.org/show_bug.cgi?id=119102

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::counterValueForOptimizeSoon):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::numberOfDFGCompiles):

2013-07-25  Oliver Hunt  <oliver@apple.com>

        32 bit portion of load validation logic
        https://bugs.webkit.org/show_bug.cgi?id=118878

        Reviewed by NOBODY (Build fix).

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-25  Oliver Hunt  <oliver@apple.com>

        More 32bit build fixes

        - Apparently some compilers don't track the fastcall directive everywhere we expect

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * bytecode/CodeBlock.cpp:
        * runtime/Structure.cpp:

2013-07-25  Yi Shen  <max.hong.shen@gmail.com>

        Optimize the thread locks for API Shims
        https://bugs.webkit.org/show_bug.cgi?id=118573

        Reviewed by Geoffrey Garen.

        Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM
        only used by WebCore's main thread).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::APICallbackShim):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>

        Unreviewed build fix after r153218.

        Broke the EFL port build with gcc 4.7.

        * interpreter/StackIterator.cpp:
        (JSC::printif):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Build fix: add missing #include.
        https://bugs.webkit.org/show_bug.cgi?id=119087

        Reviewed by Allan Sandfeld Jensen.

        * bytecode/ArrayProfile.cpp:

2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed, build fix on the EFL port.

        * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=119083

        Reviewed by Allan Sandfeld Jensen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::store8):

2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix test build after FTL upstream

        Unreviewed build fix.

        * Target.pri:

2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Build fix after FTL.

        Unreviewed build fix.

        * Target.pri:
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::Frame::print):

2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed build fix after FTL upstream.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):

2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed, build fix on the EFL port.

        * CMakeLists.txt:
        Added SourceCode.cpp and removed BlackBerry file.
        * jit/JITCode.h:
        (JSC::JITCode::nextTierJIT):
        Fixed build break because of -Werror=return-type
        * parser/Lexer.cpp: Includes JSFunctionInlines.h
        * runtime/JSScope.h:
        (JSC::makeType):
        Fixed build break because of -Werror=return-type

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed build fixing after FTL upstream.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::produceCodeBlockFor):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Add missing implementation of bxxxnz in sh4 LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=119079

        Reviewed by Allan Sandfeld Jensen.

        * offlineasm/sh4.rb:

2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, build fix on the Qt port.

        * Target.pri: Add additional build files for the FTL.

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed buildfix after FTL upstream.

        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::Frame::codeType):
        (JSC::StackIterator::Frame::functionName):
        (JSC::StackIterator::Frame::sourceURL):
        (JSC::StackIterator::Frame::logicalFrame):

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed.

        * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
        method is not left undefined, causing build failures on (at least) the GTK port.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, further build fixing on the GTK port.

        * GNUmakefile.list.am: Add CompilationResult source files to the build.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fixing.

        * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
        * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        Buildfix after this error:
        error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        One more buildfix after FTL upstream.

        Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::LazyJSValue::strictEqual):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=119076

        Reviewed by Allan Sandfeld Jensen.

        * offlineasm/mips.rb:
        * offlineasm/sh4.rb:

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fix.

        * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
        for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.

        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.

        * GNUmakefile.am:
        * GNUmakefile.list.am:

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed buildfix after FTL upstream.

        * runtime/JSScope.h:
        (JSC::needsVarInjectionChecks):

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        One more fix after FTL upstream.

        * Target.pri:
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):

2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after FTL upstream.

        Add ftl directory as include path.

        * CMakeLists.txt:
        * JavaScriptCore.pri:

2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after FTL upstream for non C++11 builds.

        * interpreter/CallFrame.h:
        * interpreter/StackIteratorPrivate.h:
        (JSC::StackIterator::end):

2013-07-24  Oliver Hunt  <oliver@apple.com>

        Endeavour to fix CMakelist builds

        * CMakeLists.txt:

2013-07-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG IR dumps should be easier to read
        https://bugs.webkit.org/show_bug.cgi?id=119050

        Reviewed by Mark Hahnenberg.

        Added a DumpContext that includes support for printing an endnote
        that describes all structures in full, while the main flow of the
        dump just uses made-up names for the structures. This is helpful
        since Structure::dump() may print a lot. The stuff it prints is
        useful, but if it's all inline with the surrounding thing you're
        dumping (often, a node in the DFG), then you get a ridiculously
        long print-out. All classes that dump structures (including
        Structure itself) now have dumpInContext() methods that use
        inContext() for dumping anything that might transitively print a
        structure. If Structure::dumpInContext() is called with a NULL
        context, it just uses dump() like before. Hence you don't have to
        know anything about DumpContext unless you want to.

        inContext(*structure, context) dumps something like %B4:Array,
        and the endnote will have something like:

            %B4:Array = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]

        where B4 is the inferred name that StringHashDumpContext came up
        with.

        Also shortened a bunch of other dumps, removing information that
        isn't so important.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayProfile.cpp:
        (JSC::dumpArrayModes):
        * bytecode/CodeBlockHash.cpp:
        (JSC):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::dump):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dumpInContext):
        (JSC):
        (JSC::InlineCallFrame::dumpInContext):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        * bytecode/Operands.h:
        (JSC::OperandValueTraits::isEmptyForDump):
        (Operands):
        (JSC::Operands::dump):
        (JSC):
        * bytecode/OperandsInlines.h: Added.
        (JSC):
        (JSC::::dumpInContext):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::dumpInContext):
        (JSC::StructureSet::dump):
        (StructureSet):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::dump):
        (DFG):
        (JSC::DFG::AbstractValue::dumpInContext):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::operator!):
        (AbstractValue):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommon.h:
        (JSC::DFG::NodePointerTraits::isEmptyForDump):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDisassembler.h:
        (Disassembler):
        * dfg/DFGFlushFormat.h:
        (WTF::inContext):
        (WTF):
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::dumpInContext):
        (JSC::DFG::LazyJSValue::dump):
        (DFG):
        * dfg/DFGLazyJSValue.h:
        (LazyJSValue):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeMapDump):
        (WTF::inContext):
        (WTF):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dumpInContext):
        (JSC::DFG::StructureAbstractValue::dump):
        (StructureAbstractValue):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        (JSC::FTL::ExitValue::dump):
        (FTL):
        * ftl/FTLExitValue.h:
        (ExitValue):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dumpInContext):
        (FTL):
        * ftl/FTLValueSource.h:
        (ValueSource):
        * runtime/DumpContext.cpp: Added.
        (JSC):
        (JSC::DumpContext::DumpContext):
        (JSC::DumpContext::~DumpContext):
        (JSC::DumpContext::isEmpty):
        (JSC::DumpContext::dump):
        * runtime/DumpContext.h: Added.
        (JSC):
        (DumpContext):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        (JSC):
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValue.h:
        (JSC):
        (JSValue):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpInContext):
        (JSC):
        (JSC::Structure::dumpBrief):
        (JSC::Structure::dumpContextHeader):
        * runtime/Structure.h:
        (JSC):
        (Structure):

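The dump-with-endnote pattern the entry describes, as an added example in JavaScript rather than code from the change: anything that would print long (here a "structure" given as a plain object) is printed inline by a short name that the context hands out on first sight, and the context prints each full description once, in an endnote, in the order the names were assigned. Calling the dumper without a context falls back to the full form, matching the NULL-context behaviour above. The sample Array structure reuses the values shown in the entry; the second structure, the sequential naming scheme (%A0, %B1, ...) and the node format are assumptions, since the real names come from StringHashDumpContext.

```javascript
// Added example, not JavaScriptCore code: the dump-with-endnote pattern in
// JavaScript. Structures are plain objects here; the naming scheme and the
// node format are assumptions.

class DumpContext {
  constructor() {
    this.names = new Map(); // structure -> short name
    this.order = [];        // structures in the order they were first seen
  }

  // Short name for a structure, assigned on first sight and stable afterwards.
  nameFor(structure) {
    let name = this.names.get(structure);
    if (name === undefined) {
      const n = this.order.length;
      name = `%${String.fromCharCode(65 + (n % 26))}${n}`;
      this.names.set(structure, name);
      this.order.push(structure);
    }
    return name;
  }

  isEmpty() {
    return this.order.length === 0;
  }

  // One full description per structure, printed once, in first-seen order.
  endnote() {
    return this.order
      .map(s => `${this.nameFor(s)}:${s.className} = ${describeStructure(s)}`)
      .join('\n');
  }
}

// The long form: everything known about the structure on one line.
function describeStructure(s) {
  const props = Object.entries(s.properties).map(([k, v]) => `${k}:${v}`).join(', ');
  return `${s.id}:[${s.className}, {${props}}, ${s.indexingType}, Proto:${s.proto}]`;
}

// dumpInContext(): with a context print the short name, without one the full form.
function dumpStructure(s, context) {
  return context ? `${context.nameFor(s)}:${s.className}` : describeStructure(s);
}

function dumpNode(node, context) {
  return `${node.op}(${dumpStructure(node.structure, context)})`;
}

// Dump a whole node list, then the endnote if any structure was named.
function dumpGraph(nodes) {
  const context = new DumpContext();
  const body = nodes.map(n => dumpNode(n, context)).join('\n');
  return context.isEmpty() ? body : `${body}\n\n${context.endnote()}`;
}

// Constructed sample data; the Array values are the ones in the entry's example line.
const SAMPLE_ARRAY_STRUCTURE = {
  id: '0x10e91a180', className: 'Array',
  properties: { Edge: 100, Normal: 101, Line: 102, NumPx: 103, LastPx: 104 },
  indexingType: 'ArrayWithContiguous', proto: '0x10e99ffe0',
};
const SAMPLE_OBJECT_STRUCTURE = {
  id: '0x10e91a300', className: 'Object',
  properties: { x: 0, y: 1 },
  indexingType: 'NonArray', proto: '0x10e99ff00',
};
const SAMPLE_NODES = [
  { op: 'CheckStructure', structure: SAMPLE_ARRAY_STRUCTURE },
  { op: 'GetByOffset', structure: SAMPLE_ARRAY_STRUCTURE },
  { op: 'PutByOffset', structure: SAMPLE_OBJECT_STRUCTURE },
];
```

dumpGraph(SAMPLE_NODES) prints three one-line nodes that mention the structures only as %A0:Array and %B1:Object, then a blank line and two endnote lines carrying the full descriptions; the long 0x10e91a180 line appears exactly once however many nodes reference that structure.
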
151382013-07-22 Filip Pizlo <fpizlo@apple.com>
15139
15140 fourthTier: DFG should do a high-level LICM before going to FTL
15141 https://bugs.webkit.org/show_bug.cgi?id=118749
15142
15143 Reviewed by Oliver Hunt.
15144
15145 Implements LICM hoisting for nodes that never write anything and never read
15146 things that are clobbered by the loop. There are some other preconditions for
15147 hoisting, see DFGLICMPhase.cpp.
15148
15149 Also did a few fixes:
15150
15151 - ClobberSet::add was failing to switch Super entries to Direct entries in
15152 some cases.
15153
15154 - DFGClobberize.cpp needed to #include "Operations.h".
15155
15156 - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
15157
15158 - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
15159 Knowing the indexInBlock is an optional optimization that all other clients
15160 of AI still opt into, but LICM doesn't.
15161
15162 This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
15163
15164 * JavaScriptCore.xcodeproj/project.pbxproj:
15165 * dfg/DFGAbstractInterpreter.h:
15166 (AbstractInterpreter):
15167 * dfg/DFGAbstractInterpreterInlines.h:
15168 (JSC::DFG::::executeEffects):
15169 (JSC::DFG::::execute):
15170 (DFG):
15171 (JSC::DFG::::clobberWorld):
15172 (JSC::DFG::::clobberStructures):
15173 * dfg/DFGAtTailAbstractState.cpp: Added.
15174 (DFG):
15175 (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
15176 (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
15177 (JSC::DFG::AtTailAbstractState::createValueForNode):
15178 (JSC::DFG::AtTailAbstractState::forNode):
15179 * dfg/DFGAtTailAbstractState.h: Added.
15180 (DFG):
15181 (AtTailAbstractState):
15182 (JSC::DFG::AtTailAbstractState::initializeTo):
15183 (JSC::DFG::AtTailAbstractState::forNode):
15184 (JSC::DFG::AtTailAbstractState::variables):
15185 (JSC::DFG::AtTailAbstractState::block):
15186 (JSC::DFG::AtTailAbstractState::isValid):
15187 (JSC::DFG::AtTailAbstractState::setDidClobber):
15188 (JSC::DFG::AtTailAbstractState::setIsValid):
15189 (JSC::DFG::AtTailAbstractState::setBranchDirection):
15190 (JSC::DFG::AtTailAbstractState::setFoundConstants):
15191 (JSC::DFG::AtTailAbstractState::haveStructures):
15192 (JSC::DFG::AtTailAbstractState::setHaveStructures):
15193 * dfg/DFGBasicBlock.h:
15194 (JSC::DFG::BasicBlock::insertBeforeLast):
15195 * dfg/DFGBasicBlockInlines.h:
15196 (DFG):
15197 * dfg/DFGClobberSet.cpp:
15198 (JSC::DFG::ClobberSet::add):
15199 (JSC::DFG::ClobberSet::addAll):
15200 * dfg/DFGClobberize.cpp:
15201 (JSC::DFG::doesWrites):
15202 * dfg/DFGClobberize.h:
15203 (DFG):
15204 * dfg/DFGDCEPhase.cpp:
15205 (JSC::DFG::DCEPhase::DCEPhase):
15206 (JSC::DFG::DCEPhase::run):
15207 (JSC::DFG::DCEPhase::fixupBlock):
15208 (DCEPhase):
15209 * dfg/DFGEdgeDominates.h: Added.
15210 (DFG):
15211 (EdgeDominates):
15212 (JSC::DFG::EdgeDominates::EdgeDominates):
15213 (JSC::DFG::EdgeDominates::operator()):
15214 (JSC::DFG::EdgeDominates::result):
15215 (JSC::DFG::edgesDominate):
15216 * dfg/DFGFixupPhase.cpp:
15217 (JSC::DFG::FixupPhase::fixupNode):
15218 (JSC::DFG::FixupPhase::checkArray):
15219 * dfg/DFGLICMPhase.cpp: Added.
15220 (LICMPhase):
15221 (JSC::DFG::LICMPhase::LICMPhase):
15222 (JSC::DFG::LICMPhase::run):
15223 (JSC::DFG::LICMPhase::attemptHoist):
15224 (DFG):
15225 (JSC::DFG::performLICM):
15226 * dfg/DFGLICMPhase.h: Added.
15227 (DFG):
15228 * dfg/DFGPlan.cpp:
15229 (JSC::DFG::Plan::compileInThreadImpl):
15230
2013-07-21 Filip Pizlo <fpizlo@apple.com>

        fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
        https://bugs.webkit.org/show_bug.cgi?id=118910

        Reviewed by Sam Weinig.

        Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
        the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
        engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
        be inexpensive to use (they just give you a TBAA node) but expensive to create (you
        create them all up front). FTL AbstractHeaps also don't actually give you the
        ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
        The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
        They also give you aliasing machinery. The DFG AbstractHeaps are represented
        internally by an int64_t. Many comparisons between them are just integer comparisons.
        AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
        Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
        payload is the direct subtype of its corresponding TOP Kind).

        Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
        clobbered. It represents the set that results from unifying a bunch of
        AbstractHeaps, and is intended to quickly answer overlap questions: does the given
        AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
        AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
        its ancestors. An AbstractHeap is said to overlap a set if any direct or super
        member is equal to it, or if any of its ancestors are equal to a direct member.

        Example #1:

            - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
              is a subtype of Variables, which is a subtype of World.
            - You query Variables. I.e. Variables with a TOP payload, which is the
              supertype of Variables(X) for any X, and a subtype of World.

        The set will have Variables(5) as a direct member, and Variables and World as
        super members. The Variables query will immediately return true, because
        Variables is indeed a super member.

        Example #2:

            - I add Variables(5)
            - You query NamedProperties

        NamedProperties is not a member at all (neither direct nor super). We next
        query World. World is a member, but it's a super member, so we return false.

        Example #3:

            - I add Variables
            - You query Variables(5)

        The set will have Variables as a direct member, and World as a super member.
        The Variables(5) query will not find Variables(5) in the set, but then it
        will query Variables. Variables is a direct member, so we return true.

        Example #4:

            - I add Variables
            - You query NamedProperties(5)

        Neither NamedProperties nor NamedProperties(5) is a member. We next query
        World. World is a member, but it's a super member, so we return false.

        Overlap queries require that either the heap being queried is in the set (either
        direct or super), or that one of its ancestors is a direct member. Another way to
        think about how this works is that two heaps A and B are said to overlap if
        A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
        single-inheritance hierarchy. Consider that we wanted to implement a set that holds
        heaps and answers the question, "is any member in the set an ancestor (i.e.
        supertype) of some other heap". We would have the set contain the heaps themselves,
        and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
        chain of A, and repeatedly querying its membership in the set. This is what the
        "direct" members of our set do. Now consider the other part, where we want to ask if
        any member of the set is a descendant of a heap, or "A.isSupertypeOfAny(set)". We
        would implement this by implementing set.add(B) as adding not just B but also all of
        B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
        in the set. With two such sets - one that answers isSubtypeOfAny() and another that
        answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
        heap" question. ClobberSet does this, but combines the two sets into a single
        HashMap. The HashMap's value, "direct", means that the key is a member of both the
        supertype set and the subtype set; if it's false then it's only a member of one of
        them.

        Finally, this adds a functorized clobberize() method that adds the read and write
        clobbers of a DFG::Node to read and write functors. Common functors for adding to
        ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
        are also provided. This allows you to say things like:

            ClobberSet set;
            addWrites(graph, node1, set);
            if (readsOverlap(graph, node2, set))
                // We know that node1 may write to something that node2 may read from.

        Currently this facility is only used to improve graph dumping, but it will be
        instrumental in both LICM and GVN. In the future, I want to completely kill the
        NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
        of accomplishing almost exactly what AbstractHeap gives you.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.cpp: Added.
        (DFG):
        (JSC::DFG::AbstractHeap::Payload::dump):
        (JSC::DFG::AbstractHeap::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGAbstractHeap.h: Added.
        (DFG):
        (AbstractHeap):
        (Payload):
        (JSC::DFG::AbstractHeap::Payload::Payload):
        (JSC::DFG::AbstractHeap::Payload::top):
        (JSC::DFG::AbstractHeap::Payload::isTop):
        (JSC::DFG::AbstractHeap::Payload::value):
        (JSC::DFG::AbstractHeap::Payload::valueImpl):
        (JSC::DFG::AbstractHeap::Payload::operator==):
        (JSC::DFG::AbstractHeap::Payload::operator!=):
        (JSC::DFG::AbstractHeap::Payload::operator<):
        (JSC::DFG::AbstractHeap::Payload::isDisjoint):
        (JSC::DFG::AbstractHeap::Payload::overlaps):
        (JSC::DFG::AbstractHeap::AbstractHeap):
        (JSC::DFG::AbstractHeap::operator!):
        (JSC::DFG::AbstractHeap::kind):
        (JSC::DFG::AbstractHeap::payload):
        (JSC::DFG::AbstractHeap::isDisjoint):
        (JSC::DFG::AbstractHeap::overlaps):
        (JSC::DFG::AbstractHeap::supertype):
        (JSC::DFG::AbstractHeap::hash):
        (JSC::DFG::AbstractHeap::operator==):
        (JSC::DFG::AbstractHeap::operator!=):
        (JSC::DFG::AbstractHeap::operator<):
        (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
        (JSC::DFG::AbstractHeap::payloadImpl):
        (JSC::DFG::AbstractHeap::encode):
        (JSC::DFG::AbstractHeapHash::hash):
        (JSC::DFG::AbstractHeapHash::equal):
        (AbstractHeapHash):
        (WTF):
        * dfg/DFGClobberSet.cpp: Added.
        (DFG):
        (JSC::DFG::ClobberSet::ClobberSet):
        (JSC::DFG::ClobberSet::~ClobberSet):
        (JSC::DFG::ClobberSet::add):
        (JSC::DFG::ClobberSet::addAll):
        (JSC::DFG::ClobberSet::contains):
        (JSC::DFG::ClobberSet::overlaps):
        (JSC::DFG::ClobberSet::clear):
        (JSC::DFG::ClobberSet::direct):
        (JSC::DFG::ClobberSet::super):
        (JSC::DFG::ClobberSet::dump):
        (JSC::DFG::ClobberSet::setOf):
        (JSC::DFG::addReads):
        (JSC::DFG::addWrites):
        (JSC::DFG::addReadsAndWrites):
        (JSC::DFG::readsOverlap):
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberSet.h: Added.
        (DFG):
        (ClobberSet):
        (JSC::DFG::ClobberSet::isEmpty):
        (ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::operator()):
        (ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        (JSC::DFG::ClobberSetOverlaps::result):
        * dfg/DFGClobberize.cpp: Added.
        (DFG):
        (JSC::DFG::didWrites):
        * dfg/DFGClobberize.h: Added.
        (DFG):
        (JSC::DFG::clobberize):
        (NoOpClobberize):
        (JSC::DFG::NoOpClobberize::NoOpClobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (CheckClobberize):
        (JSC::DFG::CheckClobberize::CheckClobberize):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::CheckClobberize::result):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

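The ClobberSet scheme described in the entry above, worked through as an added example. This is not JavaScriptCore's code (the real implementation is the C++ in dfg/DFGAbstractHeap.h and dfg/DFGClobberSet.cpp); it is a small JavaScript model of the three-level hierarchy (World, a Kind with a TOP payload, a Kind with a concrete payload) and of a set that keeps direct and super members in one Map. The kinds Variables and NamedProperties are the ones the entry uses in its examples; the string keys, the node shape ({ reads, writes }) and the function names are assumptions made for the illustration, and the node-level helpers mirror the addWrites/readsOverlap snippet in the entry.

```javascript
// Added example: a JavaScript model of the AbstractHeap / ClobberSet scheme
// described in the ChangeLog entry above. Not JavaScriptCore's code; the
// string keys, the node shape and the helper names are assumptions.

const TOP = null; // a TOP payload stands for "every payload of this Kind"

class AbstractHeap {
  constructor(kind, payload = TOP) {
    this.kind = kind;       // "World", or a Kind such as "Variables"
    this.payload = payload; // TOP, or a concrete payload such as 5
  }
  static world() { return new AbstractHeap("World"); }
  isWorld() { return this.kind === "World"; }
  isTop() { return this.payload === TOP; }
  // Three-level hierarchy: Kind(payload) -> Kind (TOP payload) -> World -> none.
  supertype() {
    if (this.isWorld()) return null;
    if (!this.isTop()) return new AbstractHeap(this.kind);
    return AbstractHeap.world();
  }
  // Map key standing in for JSC's int64_t encoding.
  key() { return this.isTop() ? this.kind : `${this.kind}(${this.payload})`; }
  isSubtypeOf(other) {
    for (let h = this; h !== null; h = h.supertype()) {
      if (h.key() === other.key()) return true;
    }
    return false;
  }
  // Single inheritance: two heaps overlap iff one is a subtype of the other.
  overlaps(other) { return this.isSubtypeOf(other) || other.isSubtypeOf(this); }
}

class ClobberSet {
  constructor() { this.members = new Map(); } // key -> true (direct) or false (super only)
  add(heap) {
    this.members.set(heap.key(), true); // the heap itself is a direct member
    for (let h = heap.supertype(); h !== null; h = h.supertype()) {
      // Ancestors become super members; never downgrade an existing direct member.
      if (!this.members.has(h.key())) this.members.set(h.key(), false);
    }
  }
  contains(heap) { return this.members.has(heap.key()); }
  isDirect(heap) { return this.members.get(heap.key()) === true; }
  // Overlap: the query is itself a (direct or super) member, or one of its
  // ancestors is a direct member. Super-only ancestors do not count.
  overlaps(heap) {
    if (this.contains(heap)) return true;
    for (let h = heap.supertype(); h !== null; h = h.supertype()) {
      if (this.isDirect(h)) return true;
    }
    return false;
  }
}

// Assumed node shape for the example: { reads: [AbstractHeap], writes: [AbstractHeap] }.
function addWrites(node, set) { for (const h of node.writes) set.add(h); }
function readsOverlap(node, set) { return node.reads.some(h => set.overlaps(h)); }

// The question the entry's snippet asks: may node1 write something node2 reads?
function mayWriteWhatOtherReads(node1, node2) {
  const set = new ClobberSet();
  addWrites(node1, set);
  return readsOverlap(node2, set);
}

// Reproduces the entry's examples: add some heaps to a fresh set, query one heap.
function overlapsAfterAdding(added, queried) {
  const set = new ClobberSet();
  for (const h of added) set.add(h);
  return set.overlaps(queried);
}

const Variables = (payload = TOP) => new AbstractHeap("Variables", payload);
const NamedProperties = (payload = TOP) => new AbstractHeap("NamedProperties", payload);

// The entry's four examples, printed when the block is run directly.
for (const [label, added, queried] of [
  ["#1", [Variables(5)], Variables()],
  ["#2", [Variables(5)], NamedProperties()],
  ["#3", [Variables()], Variables(5)],
  ["#4", [Variables()], NamedProperties(5)],
]) {
  console.log(`Example ${label}: overlaps = ${overlapsAfterAdding(added, queried)}`);
}
```

Running the block prints the entry's four answers in order (true, false, true, false). A query never enumerates the set: it checks its own key and then walks its ancestor chain, which is at most two steps long in this hierarchy, so the direct/super split is what keeps overlap checks cheap as the set grows.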
2013-07-21 Filip Pizlo <fpizlo@apple.com>

        fourthTier: It should be easy to figure out which blocks nodes belong to
        https://bugs.webkit.org/show_bug.cgi?id=118957

        Reviewed by Sam Weinig.

        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::initializeNodeOwners):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:

2013-07-21 Filip Pizlo <fpizlo@apple.com>

        fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
        https://bugs.webkit.org/show_bug.cgi?id=118956

        Reviewed by Sam Weinig.

        We had two ways of expressing that something exits forward: the NodeExitsForward
        flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
        makes it just be a flag.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        (JSC::DFG::needsOSRForwardRewiring):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-07-21 Filip Pizlo <fpizlo@apple.com>

        fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
        https://bugs.webkit.org/show_bug.cgi?id=118946

        Reviewed by Geoffrey Garen.

        We want to decouple the exit target code origin of a node from the code origin
        for all other purposes. The purposes of code origins are:

        - Where the node will exit, if it exits. The exit target should be consistent with
          the surrounding nodes, in that if you just looked at the code origins of nodes in
          the graph, they would be consistent with the code origins in bytecode. This is
          necessary for live-at-bytecode analyses to work, and to preserve the original
          bytecode semantics when exiting.

        - What kind of code the node came from, for semantics thingies. For example, we
          might use the code origin to find the node's global object for doing an original
          array check. Or we might use it to determine if the code is in strict mode. Or
          other similar things. When we use the code origin in this way, we're basically
          using it as a way of describing the node's meta-data without putting it into the
          node directly, to save space. In the absurd extreme you could imagine nodes not
          even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
          what bytecode the node originated from. We won't do that, but you can think of
          this use of code origins as just a way of compressing meta-data.

        - What code origin we should supply profiling to, if we exit. This is closely
          related to the semantics thingies, in that the exit profiling is a persistent
          kind of semantic meta-data that survives between recompiles, and the only way to
          do that is to ascribe it to the original bytecode via the code origin.

        If we hoist a node, we need to change the exit target code origin, but we must not
        change the code origin for other purposes. The best way to do this is to decouple
        the two kinds of code origin.

        OSR exit data structures already do this, because they may edit the exit target
        code origin while keeping the code origin for profiling intact. This happens for
        forward exits. So, we just need to thread separation all the way back to DFG::Node.
        That's what this patch does.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (LowerDFGToLLVM):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:
        (OSRExit):

2013-07-20 Filip Pizlo <fpizlo@apple.com>

        fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
        https://bugs.webkit.org/show_bug.cgi?id=118866

        Reviewed by Sam Weinig.

        Adds a safeToExecute() method that takes a node and an abstract state and tells you
        if the node will run without crashing under that state.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGSafeToExecute.h: Added.
        (DFG):
        (SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::SafeToExecuteEdge::result):
        (JSC::DFG::safeToExecute):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::isValidOffset):
        (StructureAbstractValue):
        * runtime/Options.h:
        (JSC):

2013-07-20 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=118948

        Reviewed by Sam Weinig.

        - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
          This allows doing "what if" experiments with IR generation, even if the generated IR
          can't yet execute.

        - Add an OSR exit path that just calls an intrinsic that combines the branch and the
          off-ramp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLFail.cpp: Added.
        (FTL):
        (JSC::FTL::fail):
        * ftl/FTLFail.h: Added.
        (FTL):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * runtime/Options.h:
        (JSC):

2013-07-19 Filip Pizlo <fpizlo@apple.com>

        fourthTier: StringObjectUse uses structures, and CSE should know that
        https://bugs.webkit.org/show_bug.cgi?id=118940

        Reviewed by Geoffrey Garen.

        This is asymptomatic right now, but we should fix it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGEdgeUsesStructure.h: Added.
        (DFG):
        (EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::operator()):
        (JSC::DFG::EdgeUsesStructure::result):
        (JSC::DFG::edgesUseStructure):
        * dfg/DFGUseKind.h:
        (DFG):
        (JSC::DFG::usesStructure):

2013-07-19 Filip Pizlo <fpizlo@apple.com>

        fourthTier: String GetByVal out-of-bounds handling is so wrong
        https://bugs.webkit.org/show_bug.cgi?id=118935

        Reviewed by Geoffrey Garen.

        Bunch of String GetByVal out-of-bounds fixes:

        - Even if the string proto chain is sane, we need to watch out for negative
          indices. They may get values or call getters in the prototypes, since proto
          sanity doesn't check for negative indexed properties, as they are not
          technically indexed properties.

        - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
          given this information.

        - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
          given this information.

        Also fixed some other things:

        - If the DFG is disabled, the testRunner should pretend that we've done a
          bunch of DFG compiles. That's necessary to prevent the tests from timing
          out.

        - Disassembler shouldn't try to dump source code since it's not safe in the
          concurrent JIT.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
        (DFG):
        (SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):

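The first fix in the entry above, negative indices reaching getters on the prototype, as an added example that is not part of the entry and not JavaScriptCore code. Plain JavaScript is enough to show the semantic point: s[-1] converts -1 to the property key "-1", which is not an indexed property, so a prototype-chain sanity check that only looks at indexed properties will not notice an accessor installed under that name, and the read runs arbitrary code instead of being a pure out-of-bounds access. The property name "-1", the log array and the helper names are constructed for the illustration.

```javascript
// Added example, not from the ChangeLog entry or from JavaScriptCore: plain
// JavaScript showing why a string read at a negative index is not a pure
// out-of-bounds access. The property name "-1", the log array and the helper
// names are constructed for the illustration.

// Installs an accessor for the property named "-1" on String.prototype and
// returns a function that removes it again. A negative index is not an indexed
// property, so a sanity check of the prototype chain that only inspects
// indexed properties does not see this getter.
function installNegativeIndexGetter(log) {
  Object.defineProperty(String.prototype, "-1", {
    configurable: true,
    get() {
      log.push("getter ran on " + String(this)); // observable side effect
      return "getter-result";
    },
  });
  return () => { delete String.prototype["-1"]; };
}

// s[i] is what the DFG compiles as a String GetByVal.
function readChar(s, i) {
  return s[i];
}

// Reads the same string in bounds, past the end and at a negative index with
// the getter installed, and reports what each read returned.
function demonstrate() {
  const log = [];
  const uninstall = installNegativeIndexGetter(log);
  try {
    const inBounds = readChar("abc", 1);  // a real character: "b"
    const pastEnd = readChar("abc", 5);   // no property "5" anywhere on the chain: undefined
    const negative = readChar("abc", -1); // ToPropertyKey(-1) is "-1": the getter runs
    return { inBounds, pastEnd, negative, log };
  } finally {
    uninstall(); // leave String.prototype as we found it
  }
}

console.log(JSON.stringify(demonstrate()));
```

The read at index 5 stays undefined because nothing on the chain defines "5", which is exactly what the sane-proto-chain fast path is allowed to assume; the negative index is the case it must not. A getter that runs here can also mutate structures the compiled code has already checked, which is why the entry makes the out-of-bounds path clobberWorld() for both CSE and CFA.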
2013-07-19 Filip Pizlo <fpizlo@apple.com>

        fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
        https://bugs.webkit.org/show_bug.cgi?id=118911

        Reviewed by Geoffrey Garen.

        We could also have a separate method like "willNotCrash(offset)", but that's not
        what isValidOffset() is intended to mean.

        * runtime/Structure.h:
        (JSC::Structure::isValidOffset):

2013-07-19 Filip Pizlo <fpizlo@apple.com>

        fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
        https://bugs.webkit.org/show_bug.cgi?id=118878

        Reviewed by Oliver Hunt.

        - Change Structure::isValidOffset() to actually answer the question "If I attempted
          to load from an object of this structure, at this offset, would I commit suicide
          or would I get back some kind of value?"

        - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
          way from the start.

        - Fix PutStructure so that it sets haveStructures in all of the cases that it should.

        - Make GetByOffset also reference the base object in addition to the butterfly.

        The future use of this power will be to answer questions like "If I hoisted this
        GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
        fine?"

        I don't currently plan to use this power to perform validation, since the CSE has
        the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
        remove - both in the case of StructureSets where size >= 2 and in the case of
        CheckStructures that match across PutStructures. At first I tried to write a
        validator that was aware of this, but the validation code got way too complicated
        and I started having nightmares of spurious assertion bugs being filed against me.

        This also changes some of the code for how we hash FunctionExecutable's for debug
        dumps, since that code still had some thread-safety issues. Basically, the
        concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
        that could transitively try to compute the hash from the source code. The source
        code is a string that may be lazily computed, and that involves all manner of thread
        unsafe things.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hash):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (StorageAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::isValidOffset):

2013-07-18 Filip Pizlo <fpizlo@apple.com>

        fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
        https://bugs.webkit.org/show_bug.cgi?id=118880

        Reviewed by Sam Weinig.

        It should be possible to have an AbstractState that is backed by a HashMap. But to
        do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
        the map, since otherwise the idiom of getting a reference to the AbstractValue
        returned by forNode() would cause really subtle memory corruption bugs.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (InPlaceAbstractState):

2013-07-18 Filip Pizlo <fpizlo@apple.com>

        fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=118835

        Reviewed by Oliver Hunt.

        This separates AbstractState into two things:

        - InPlaceAbstractState, which can tell you the abstract state of anything you
          might care about, and uses the old AbstractState's algorithms and data
          structures for doing so.

        - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
          respect to an AbstractStateType. Currently we always use
          AbstractStateType = InPlaceAbstractState. But we could drop in another
          class that supports basic primitives like forNode() and variables().

        This is important because:

        - We want to hoist things out of loops.

        - We don't know what things rely on what type checks.

        - We only want to hoist type checks out of loops if they aren't clobbered.

        - We may want to still hoist things that depended on those type checks, if it's
          safe to do those things based on the CFA state at the tail of the loop
          pre-header.

        - We don't want things to rely on their type checks by way of a token, because
          that's just weird.

        So, we want to be able to have a special form of the CFA that can
        incrementally update a basic block's state-at-tail, and we want to be able to
        do this for multiple blocks simultaneously. This requires *not* storing the
        per-node state in the nodes themselves, but instead using the at-tail HashMap
        directly.

        Hence we need to have a way of making the abstract interpreter (i.e.
        AbstractState::execute) polymorphic with respect to state representation. Put
        another way, we need to separate the way that abstract state is represented
        from the way DFG IR is abstractly interpreted.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreter.h: Added.
        (DFG):
        (AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::variables):
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filter):
        (JSC::DFG::AbstractInterpreter::filterArrayModes):
        (JSC::DFG::AbstractInterpreter::filterByValue):
        (JSC::DFG::AbstractInterpreter::trySetConstant):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h: Added.
        (DFG):
        (JSC::DFG::::AbstractInterpreter):
        (JSC::DFG::::~AbstractInterpreter):
        (JSC::DFG::::booleanResult):
        (JSC::DFG::::startExecuting):
        (JSC::DFG::::executeEdges):
        (JSC::DFG::::verifyEdge):
        (JSC::DFG::::verifyEdges):
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::execute):
        (JSC::DFG::::clobberWorld):
        (JSC::DFG::::clobberCapturedVars):
        (JSC::DFG::::clobberStructures):
        (JSC::DFG::::dump):
        (JSC::DFG::::filter):
        (JSC::DFG::::filterArrayModes):
        (JSC::DFG::::filterByValue):
        * dfg/DFGAbstractState.cpp: Removed.
        * dfg/DFGAbstractState.h: Removed.
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (CFAPhase):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        * dfg/DFGInPlaceAbstractState.cpp: Added.
        (DFG):
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::reset):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        (JSC::DFG::InPlaceAbstractState::merge):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGInPlaceAbstractState.h: Added.
        (DFG):
        (InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::variables):
        (JSC::DFG::InPlaceAbstractState::block):
        (JSC::DFG::InPlaceAbstractState::didClobber):
        (JSC::DFG::InPlaceAbstractState::isValid):
        (JSC::DFG::InPlaceAbstractState::setDidClobber):
        (JSC::DFG::InPlaceAbstractState::setIsValid):
        (JSC::DFG::InPlaceAbstractState::setBranchDirection):
        (JSC::DFG::InPlaceAbstractState::setFoundConstants):
        (JSC::DFG::InPlaceAbstractState::haveStructures):
        (JSC::DFG::InPlaceAbstractState::setHaveStructures):
        * dfg/DFGMergeMode.h: Added.
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (FTL):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (LowerDFGToLLVM):

2013-07-18 Filip Pizlo <fpizlo@apple.com>

        fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
        https://bugs.webkit.org/show_bug.cgi?id=118867

        Reviewed by Mark Hahnenberg.

        This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
        ArrayProfile.

        It also makes it easier to ask any array-using node how to create its type check.

        Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
        an array profile, thinking that it was storing into a value profile. Reshuffling the
        fields in ArrayProfile revealed this.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * llint/LowLevelInterpreter64.asm:

2013-07-18 Filip Pizlo <fpizlo@apple.com>

        fourthTier: CFA should consider live-at-head for clobbering and dumping
        https://bugs.webkit.org/show_bug.cgi?id=118857

        Reviewed by Mark Hahnenberg.

        - clobberStructures() was not considering nodes live-at-head when in SSA
          form. This means it would fail to clobber some structures.

        - dump() was not considering nodes live-at-head when in SSA form. This
          means it wouldn't dump everything that you might be interested in.

        - AbstractState::m_currentNode is a useless variable and we should get
          rid of it.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-07-16 Filip Pizlo <fpizlo@apple.com>

	fourthTier: Add a phase to create loop pre-headers
	https://bugs.webkit.org/show_bug.cgi?id=118778

	Reviewed by Oliver Hunt.

	Add a loop pre-header creation phase. Any loop that doesn't already have
	just one predecessor that isn't part of the loop has a pre-header
	prepended. All non-loop predecessors then jump to that pre-header.

	Also fix a handful of bugs:

	- DFG::Analysis should set m_valid before running the analysis, since that
	makes it easier to use ASSERT(m_valid) in the analysis' methods, which
	may be called by the analysis before the analysis completes. NaturalLoops
	does this with loopsOf().

	- NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
	returning 0, since that'll happen if the block isn't in any loop.

	- Change BlockInsertionSet to dethread the graph, since anyone using it
	will want to do so.

	- Change dethreading to ignore SSA form graphs.

	This also adds NaturalLoops::belongsTo(), which I almost used in the
	pre-header creation phase. I didn't end up using it but I'll probably use
	it in the near future.

	* JavaScriptCore.xcodeproj/project.pbxproj:
	* dfg/DFGAnalysis.h:
	(JSC::DFG::Analysis::computeIfNecessary):
	* dfg/DFGBlockInsertionSet.cpp:
	(JSC::DFG::BlockInsertionSet::execute):
	* dfg/DFGCriticalEdgeBreakingPhase.cpp:
	(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
	* dfg/DFGGraph.cpp:
	(JSC::DFG::Graph::dethread):
	* dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
	(DFG):
	(LoopPreHeaderCreationPhase):
	(JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
	(JSC::DFG::LoopPreHeaderCreationPhase::run):
	(JSC::DFG::performLoopPreHeaderCreation):
	* dfg/DFGLoopPreHeaderCreationPhase.h: Added.
	(DFG):
	* dfg/DFGNaturalLoops.h:
	(NaturalLoop):
	(JSC::DFG::NaturalLoops::headerOf):
	(JSC::DFG::NaturalLoops::innerMostLoopOf):
	(JSC::DFG::NaturalLoops::innerMostOuterLoop):
	(JSC::DFG::NaturalLoops::belongsTo):
	(NaturalLoops):
	* dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::compileInThreadImpl):

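The pre-header rule and the headerOf() check described in this entry, as an added illustration that is not JavaScriptCore's DFGNaturalLoops or DFGLoopPreHeaderCreationPhase code: it runs natural-loop discovery over a constructed toy CFG of integer-indexed blocks, returns -1 from headerOf() for a block outside every loop, and prepends a pre-header wherever a header lacks exactly one non-loop predecessor. It assumes block 0 is the root and never a loop header, and at most 64 blocks (dominator sets are 64-bit masks).

```cpp
// Added illustration, not JavaScriptCore code: toy CFG, natural loops, headerOf() that reports -1
// for blocks in no loop, and pre-header creation. Assumes block 0 is the root and never a loop
// header, and at most 64 blocks (dominator sets are 64-bit masks).
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

using Succs = std::vector<std::vector<int>>; // succs[b] = successor block indices of block b

struct NaturalLoop {
    int header;
    std::vector<int> blocks; // includes the header
    bool contains(int b) const { return std::find(blocks.begin(), blocks.end(), b) != blocks.end(); }
};

static Succs predecessorsOf(const Succs& succs) {
    Succs preds(succs.size());
    for (size_t b = 0; b < succs.size(); ++b)
        for (int s : succs[b]) preds[s].push_back(static_cast<int>(b));
    return preds;
}

// dom[b] has bit a set when block a dominates block b (iterative dataflow to a fixpoint).
static std::vector<uint64_t> computeDominators(const Succs& succs) {
    size_t n = succs.size();
    uint64_t all = n == 64 ? ~0ULL : (1ULL << n) - 1;
    Succs preds = predecessorsOf(succs);
    std::vector<uint64_t> dom(n, all);
    dom[0] = 1ULL;
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t b = 1; b < n; ++b) {
            uint64_t d = all;
            for (int p : preds[b]) d &= dom[p];
            d |= 1ULL << b;
            if (d != dom[b]) { dom[b] = d; changed = true; }
        }
    }
    return dom;
}

// Each back edge u -> h (h dominates u) contributes every block that reaches u without passing
// through h; back edges sharing a header are merged into one loop.
static std::vector<NaturalLoop> computeNaturalLoops(const Succs& succs) {
    std::vector<uint64_t> dom = computeDominators(succs);
    Succs preds = predecessorsOf(succs);
    std::vector<NaturalLoop> loops;
    for (int u = 0; u < static_cast<int>(succs.size()); ++u) {
        for (int h : succs[u]) {
            if (!((dom[u] >> h) & 1)) continue; // not a back edge
            size_t i = 0;
            while (i < loops.size() && loops[i].header != h) ++i;
            if (i == loops.size()) loops.push_back({ h, { h } });
            for (std::vector<int> work { u }; !work.empty();) {
                int b = work.back();
                work.pop_back();
                if (loops[i].contains(b)) continue;
                loops[i].blocks.push_back(b);
                work.insert(work.end(), preds[b].begin(), preds[b].end());
            }
        }
    }
    return loops;
}

// Header of the innermost (smallest) loop owning b, or -1 when b lies in no loop at all.
static int headerOf(const std::vector<NaturalLoop>& loops, int b) {
    const NaturalLoop* best = nullptr;
    for (const NaturalLoop& loop : loops)
        if (loop.contains(b) && (!best || loop.blocks.size() < best->blocks.size())) best = &loop;
    return best ? best->header : -1;
}

// A loop whose header does not have exactly one predecessor outside the loop gets a new block
// that jumps to the header; every outside predecessor is redirected to it. Returns how many were added.
static int createLoopPreHeaders(Succs& succs) {
    std::vector<NaturalLoop> loops = computeNaturalLoops(succs);
    Succs preds = predecessorsOf(succs); // taken before any edge is redirected
    int inserted = 0;
    for (const NaturalLoop& loop : loops) {
        std::vector<int> outside;
        for (int p : preds[loop.header])
            if (!loop.contains(p)) outside.push_back(p);
        if (outside.size() == 1) continue;
        int pre = static_cast<int>(succs.size());
        succs.push_back({ loop.header });
        for (int p : outside)
            for (int& s : succs[p])
                if (s == loop.header) s = pre;
        ++inserted;
    }
    return inserted;
}

// Constructed sample: loop {3,4,5} entered from both 1 and 2, inner loop {4,5}, a self-loop at 7
// entered only from 6, and exit block 8.
static Succs sampleCFG() { return { { 1, 2 }, { 3 }, { 3 }, { 4 }, { 5, 6 }, { 4, 3 }, { 7 }, { 7, 8 }, {} }; }

int main() {
    Succs cfg = sampleCFG();
    std::vector<NaturalLoop> loops = computeNaturalLoops(cfg);
    int added = createLoopPreHeaders(cfg);
    std::printf("%zu loops; headerOf(0)=%d; %d pre-header(s); block 1 now jumps to %d\n",
        loops.size(), headerOf(loops, 0), added, cfg[1][0]);
}
```

Only the loop headed by block 3 gets a pre-header; the inner loop at 4 and the self-loop at 7 each already have exactly one outside predecessor.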
2013-07-16 Filip Pizlo <fpizlo@apple.com>

	fourthTier: Rationalize Node::replacement
	https://bugs.webkit.org/show_bug.cgi?id=118774

	Reviewed by Oliver Hunt.

	- Clearing of replacements is now done in Graph::clearReplacements().

	- New nodes now have replacement set to 0.

	- Node::replacement is now part of a 'misc' union. I'll be putting at least
	one other field into that union as part of LICM work (see
	https://bugs.webkit.org/show_bug.cgi?id=118749).

	* dfg/DFGCPSRethreadingPhase.cpp:
	(JSC::DFG::CPSRethreadingPhase::run):
	(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
	(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
	* dfg/DFGCSEPhase.cpp:
	(JSC::DFG::CSEPhase::run):
	(JSC::DFG::CSEPhase::setReplacement):
	(JSC::DFG::CSEPhase::performBlockCSE):
	* dfg/DFGGraph.cpp:
	(DFG):
	(JSC::DFG::Graph::clearReplacements):
	* dfg/DFGGraph.h:
	(JSC::DFG::Graph::performSubstitutionForEdge):
	(Graph):
	* dfg/DFGNode.h:
	(JSC::DFG::Node::Node):
	* dfg/DFGSSAConversionPhase.cpp:
	(JSC::DFG::SSAConversionPhase::run):

2013-07-16 Filip Pizlo <fpizlo@apple.com>

	fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
	https://bugs.webkit.org/show_bug.cgi?id=118750

	Reviewed by Mark Hahnenberg.

	* dfg/DFGBasicBlock.h:
	(BasicBlock):
	* dfg/DFGNaturalLoops.cpp:
	(JSC::DFG::NaturalLoops::compute):
	(JSC::DFG::NaturalLoops::loopsOf):
	* dfg/DFGNaturalLoops.h:
	(DFG):
	(JSC::DFG::NaturalLoop::NaturalLoop):
	(NaturalLoop):
	(JSC::DFG::NaturalLoop::index):
	(JSC::DFG::NaturalLoop::isOuterMostLoop):
	(JSC::DFG::NaturalLoop::addBlock):
	(JSC::DFG::NaturalLoops::headerOf):
	(JSC::DFG::NaturalLoops::innerMostLoopOf):
	(NaturalLoops):
	(JSC::DFG::NaturalLoops::innerMostOuterLoop):
	* dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::compileInThreadImpl):

2013-07-16 Filip Pizlo <fpizlo@apple.com>

	fourthTier: don't GC when shutting down the VM
	https://bugs.webkit.org/show_bug.cgi?id=118751

	Reviewed by Mark Hahnenberg.

	* heap/Heap.h:
	(Heap):
	* runtime/VM.cpp:
	(JSC::VM::~VM):

2013-07-12 Filip Pizlo <fpizlo@apple.com>

	fourthTier: DFG should have an SSA form for use by FTL
	https://bugs.webkit.org/show_bug.cgi?id=118338

	Reviewed by Mark Hahnenberg.

	Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
	after breaking critical edges. The conversion algorithm follows Aycock and
	Horspool, and the SSA form itself follows something I've done before, where
	instead of having Phi functions specify input nodes corresponding to block
	predecessors, we instead have Upsilon functions in the predecessors that
	specify which value in that block goes into which subsequent Phi. Upsilons
	don't have to dominate Phis (usually they don't) and they correspond to a
	non-SSA "mov" into the Phi's "variable". This gives all of the good
	properties of SSA, while ensuring that a bunch of CFG transformations don't
	have to be SSA-aware.

	So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
	simplification is probably SSA-aware by default, though I haven't tried it.
	Constant folding probably needs a few tweaks, but is likely ready. Ditto
	for CSE, though it's not clear that we'd want to use block-local CSE when
	we could be doing GVN.

	Currently only the FTL can generate code from the SSA form, and there is no
	way to convert from SSA to ThreadedCPS or LoadStore. There probably will
	never be such a capability.

	In order to handle OSR exit state in the SSA, we place MovHints at Phi
	points. Other than that, you can reconstruct state-at-exit by forward
	propagating MovHints. Note that MovHint is the new SetLocal in SSA.
	SetLocal and GetLocal only survive into SSA if they are on captured
	variables, or in the case of flushes. A "live SetLocal" will be
	NodeMustGenerate and will always correspond to a flush. Computing the
	state-at-exit requires running SSA liveness analysis, OSR availability
	analysis, and flush liveness analysis. The FTL runs all of these prior to
	generating code. While OSR exit continues to be tricky, much of the logic
	is now factored into separate phases and the backend has to do less work
	to reason about what happened outside of the basic block that is being
	lowered.

	Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
	code in depth-first order, thus guaranteeing that a node will always be
	lowered (and hence have an LValue) before any of the blocks dominated by
	that node's block have code generated. For Upsilon/Phi, we just use
	allocas. We could do something more clever there, but it's probably not
	worth it, at least not now.

	Finally, while the SSA form is currently only being converted to LLVM IR,
	there is nothing that prevents us from considering other backends in the
	future - with the caveat that this form is designed to be first lowered to
	a lower-level SSA before actual machine code generation commences. So we
	ought to either use LLVM (the intended path) or we will have to write our
	own SSA low-level backend.

	This runs all of the code that the FTL was known to run previously. No
	change in performance for now. But it does open some exciting
	possibilities!

	* JavaScriptCore.xcodeproj/project.pbxproj:
	* bytecode/Operands.h:
	(JSC::OperandValueTraits::dump):
	(JSC::Operands::fill):
	(Operands):
	(JSC::Operands::clear):
	(JSC::Operands::operator==):
	* dfg/DFGAbstractState.cpp:
	(JSC::DFG::AbstractState::beginBasicBlock):
	(JSC::DFG::setLiveValues):
	(DFG):
	(JSC::DFG::AbstractState::initialize):
	(JSC::DFG::AbstractState::endBasicBlock):
	(JSC::DFG::AbstractState::executeEffects):
	(JSC::DFG::AbstractState::mergeStateAtTail):
	(JSC::DFG::AbstractState::merge):
	* dfg/DFGAbstractState.h:
	(AbstractState):
	* dfg/DFGAdjacencyList.h:
	(JSC::DFG::AdjacencyList::justOneChild):
	(AdjacencyList):
	* dfg/DFGBasicBlock.cpp: Added.
	(DFG):
	(JSC::DFG::BasicBlock::BasicBlock):
	(JSC::DFG::BasicBlock::~BasicBlock):
	(JSC::DFG::BasicBlock::ensureLocals):
	(JSC::DFG::BasicBlock::isInPhis):
	(JSC::DFG::BasicBlock::isInBlock):
	(JSC::DFG::BasicBlock::removePredecessor):
	(JSC::DFG::BasicBlock::replacePredecessor):
	(JSC::DFG::BasicBlock::dump):
	(JSC::DFG::BasicBlock::SSAData::SSAData):
	(JSC::DFG::BasicBlock::SSAData::~SSAData):
	* dfg/DFGBasicBlock.h:
	(BasicBlock):
	(JSC::DFG::BasicBlock::operator[]):
	(JSC::DFG::BasicBlock::successor):
	(JSC::DFG::BasicBlock::successorForCondition):
	(SSAData):
	* dfg/DFGBasicBlockInlines.h:
	(DFG):
	* dfg/DFGBlockInsertionSet.cpp: Added.
	(DFG):
	(JSC::DFG::BlockInsertionSet::BlockInsertionSet):
	(JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
	(JSC::DFG::BlockInsertionSet::insert):
	(JSC::DFG::BlockInsertionSet::insertBefore):
	(JSC::DFG::BlockInsertionSet::execute):
	* dfg/DFGBlockInsertionSet.h: Added.
	(DFG):
	(BlockInsertionSet):
	* dfg/DFGCFAPhase.cpp:
	(JSC::DFG::CFAPhase::run):
	* dfg/DFGCFGSimplificationPhase.cpp:
	* dfg/DFGCPSRethreadingPhase.cpp:
	(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
	* dfg/DFGCommon.cpp:
	(WTF::printInternal):
	* dfg/DFGCommon.h:
	(JSC::DFG::doesKill):
	(DFG):
	(JSC::DFG::killStatusForDoesKill):
	* dfg/DFGConstantFoldingPhase.cpp:
	(JSC::DFG::ConstantFoldingPhase::foldConstants):
	(JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
	* dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
	(DFG):
	(CriticalEdgeBreakingPhase):
	(JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
	(JSC::DFG::CriticalEdgeBreakingPhase::run):
	(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
	(JSC::DFG::performCriticalEdgeBreaking):
	* dfg/DFGCriticalEdgeBreakingPhase.h: Added.
	(DFG):
	* dfg/DFGDCEPhase.cpp:
	(JSC::DFG::DCEPhase::run):
	(JSC::DFG::DCEPhase::findTypeCheckRoot):
	(JSC::DFG::DCEPhase::countNode):
	(DCEPhase):
	(JSC::DFG::DCEPhase::countEdge):
	(JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
	* dfg/DFGDriver.cpp:
	(JSC::DFG::compile):
	* dfg/DFGEdge.cpp:
	(JSC::DFG::Edge::dump):
	* dfg/DFGEdge.h:
	(JSC::DFG::Edge::Edge):
	(JSC::DFG::Edge::setNode):
	(JSC::DFG::Edge::useKindUnchecked):
	(JSC::DFG::Edge::setUseKind):
	(JSC::DFG::Edge::setProofStatus):
	(JSC::DFG::Edge::willNotHaveCheck):
	(JSC::DFG::Edge::willHaveCheck):
	(Edge):
	(JSC::DFG::Edge::killStatusUnchecked):
	(JSC::DFG::Edge::killStatus):
	(JSC::DFG::Edge::setKillStatus):
	(JSC::DFG::Edge::doesKill):
	(JSC::DFG::Edge::doesNotKill):
	(JSC::DFG::Edge::shift):
	(JSC::DFG::Edge::makeWord):
	* dfg/DFGFixupPhase.cpp:
	(JSC::DFG::FixupPhase::fixupNode):
	* dfg/DFGFlushFormat.cpp: Added.
	(WTF):
	(WTF::printInternal):
	* dfg/DFGFlushFormat.h: Added.
	(DFG):
	(JSC::DFG::resultFor):
	(JSC::DFG::useKindFor):
	(WTF):
	* dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
	(DFG):
	(FlushLivenessAnalysisPhase):
	(JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
	(JSC::DFG::FlushLivenessAnalysisPhase::run):
	(JSC::DFG::FlushLivenessAnalysisPhase::process):
	(JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
	(JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
	(JSC::DFG::performFlushLivenessAnalysis):
	* dfg/DFGFlushLivenessAnalysisPhase.h: Added.
	(DFG):
	* dfg/DFGGraph.cpp:
	(JSC::DFG::Graph::dump):
	(JSC::DFG::Graph::dumpBlockHeader):
	(DFG):
	(JSC::DFG::Graph::addForDepthFirstSort):
	(JSC::DFG::Graph::getBlocksInDepthFirstOrder):
	* dfg/DFGGraph.h:
	(JSC::DFG::Graph::convertToConstant):
	(JSC::DFG::Graph::valueProfileFor):
	(Graph):
	* dfg/DFGInsertionSet.h:
	(DFG):
	(JSC::DFG::InsertionSet::execute):
	* dfg/DFGLivenessAnalysisPhase.cpp: Added.
	(DFG):
	(LivenessAnalysisPhase):
	(JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
	(JSC::DFG::LivenessAnalysisPhase::run):
	(JSC::DFG::LivenessAnalysisPhase::process):
	(JSC::DFG::LivenessAnalysisPhase::addChildUse):
	(JSC::DFG::performLivenessAnalysis):
	* dfg/DFGLivenessAnalysisPhase.h: Added.
	(DFG):
	* dfg/DFGNode.cpp:
	(JSC::DFG::Node::hasVariableAccessData):
	(DFG):
	* dfg/DFGNode.h:
	(DFG):
	(Node):
	(JSC::DFG::Node::hasLocal):
	(JSC::DFG::Node::variableAccessData):
	(JSC::DFG::Node::hasPhi):
	(JSC::DFG::Node::phi):
	(JSC::DFG::Node::takenBlock):
	(JSC::DFG::Node::notTakenBlock):
	(JSC::DFG::Node::successor):
	(JSC::DFG::Node::successorForCondition):
	(JSC::DFG::nodeComparator):
	(JSC::DFG::nodeListDump):
	(JSC::DFG::nodeMapDump):
	* dfg/DFGNodeFlags.cpp:
	(JSC::DFG::dumpNodeFlags):
	* dfg/DFGNodeType.h:
	(DFG):
	* dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
	(DFG):
	(OSRAvailabilityAnalysisPhase):
	(JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
	(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
	(JSC::DFG::performOSRAvailabilityAnalysis):
	* dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
	(DFG):
	* dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::compileInThreadImpl):
	* dfg/DFGPredictionInjectionPhase.cpp:
	(JSC::DFG::PredictionInjectionPhase::run):
	* dfg/DFGPredictionPropagationPhase.cpp:
	(JSC::DFG::PredictionPropagationPhase::propagate):
	* dfg/DFGSSAConversionPhase.cpp: Added.
	(DFG):
	(SSAConversionPhase):
	(JSC::DFG::SSAConversionPhase::SSAConversionPhase):
	(JSC::DFG::SSAConversionPhase::run):
	(JSC::DFG::SSAConversionPhase::forwardPhiChildren):
	(JSC::DFG::SSAConversionPhase::forwardPhi):
	(JSC::DFG::SSAConversionPhase::forwardPhiEdge):
	(JSC::DFG::SSAConversionPhase::deduplicateChildren):
	(JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
	(JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
	(JSC::DFG::performSSAConversion):
	* dfg/DFGSSAConversionPhase.h: Added.
	(DFG):
	* dfg/DFGSpeculativeJIT32_64.cpp:
	(JSC::DFG::SpeculativeJIT::compile):
	* dfg/DFGSpeculativeJIT64.cpp:
	(JSC::DFG::SpeculativeJIT::compile):
	* dfg/DFGValidate.cpp:
	(JSC::DFG::Validate::validate):
	(Validate):
	(JSC::DFG::Validate::validateCPS):
	* dfg/DFGVariableAccessData.h:
	(JSC::DFG::VariableAccessData::flushFormat):
	(VariableAccessData):
	* ftl/FTLCapabilities.cpp:
	(JSC::FTL::canCompile):
	* ftl/FTLLowerDFGToLLVM.cpp:
	(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
	(JSC::FTL::LowerDFGToLLVM::lower):
	(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
	(JSC::FTL::LowerDFGToLLVM::compileBlock):
	(JSC::FTL::LowerDFGToLLVM::compileNode):
	(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
	(LowerDFGToLLVM):
	(JSC::FTL::LowerDFGToLLVM::compilePhi):
	(JSC::FTL::LowerDFGToLLVM::compileJSConstant):
	(JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
	(JSC::FTL::LowerDFGToLLVM::compileGetArgument):
	(JSC::FTL::LowerDFGToLLVM::compileGetLocal):
	(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
	(JSC::FTL::LowerDFGToLLVM::compileAdd):
	(JSC::FTL::LowerDFGToLLVM::compileArithSub):
	(JSC::FTL::LowerDFGToLLVM::compileArithMul):
	(JSC::FTL::LowerDFGToLLVM::compileArithDiv):
	(JSC::FTL::LowerDFGToLLVM::compileArithMod):
	(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
	(JSC::FTL::LowerDFGToLLVM::compileArithAbs):
	(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
	(JSC::FTL::LowerDFGToLLVM::compileBitAnd):
	(JSC::FTL::LowerDFGToLLVM::compileBitOr):
	(JSC::FTL::LowerDFGToLLVM::compileBitXor):
	(JSC::FTL::LowerDFGToLLVM::compileBitRShift):
	(JSC::FTL::LowerDFGToLLVM::compileBitLShift):
	(JSC::FTL::LowerDFGToLLVM::compileBitURShift):
	(JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
	(JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
	(JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
	(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
	(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
	(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
	(JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
	(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
	(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
	(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
	(JSC::FTL::LowerDFGToLLVM::compileCompareLess):
	(JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
	(JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
	(JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
	(JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
	(JSC::FTL::LowerDFGToLLVM::speculateBackward):
	(JSC::FTL::LowerDFGToLLVM::lowInt32):
	(JSC::FTL::LowerDFGToLLVM::lowCell):
	(JSC::FTL::LowerDFGToLLVM::lowBoolean):
	(JSC::FTL::LowerDFGToLLVM::lowDouble):
	(JSC::FTL::LowerDFGToLLVM::lowJSValue):
	(JSC::FTL::LowerDFGToLLVM::lowStorage):
	(JSC::FTL::LowerDFGToLLVM::speculate):
	(JSC::FTL::LowerDFGToLLVM::speculateBoolean):
	(JSC::FTL::LowerDFGToLLVM::isLive):
	(JSC::FTL::LowerDFGToLLVM::use):
	(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
	(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
	(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
	(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
	(JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
	(JSC::FTL::LowerDFGToLLVM::setInt32):
	(JSC::FTL::LowerDFGToLLVM::setJSValue):
	(JSC::FTL::LowerDFGToLLVM::setBoolean):
	(JSC::FTL::LowerDFGToLLVM::setStorage):
	(JSC::FTL::LowerDFGToLLVM::setDouble):
	(JSC::FTL::LowerDFGToLLVM::isValid):
	* ftl/FTLLoweredNodeValue.h: Added.
	(FTL):
	(LoweredNodeValue):
	(JSC::FTL::LoweredNodeValue::LoweredNodeValue):
	(JSC::FTL::LoweredNodeValue::isSet):
	(JSC::FTL::LoweredNodeValue::operator!):
	(JSC::FTL::LoweredNodeValue::value):
	(JSC::FTL::LoweredNodeValue::block):
	* ftl/FTLValueFromBlock.h:
	(JSC::FTL::ValueFromBlock::ValueFromBlock):
	(ValueFromBlock):
	* ftl/FTLValueSource.cpp:
	(JSC::FTL::ValueSource::dump):
	* ftl/FTLValueSource.h:

2013-07-11 Mark Lam <mark.lam@apple.com>

	Resurrect the CLoop LLINT on the FTL branch.
	https://bugs.webkit.org/show_bug.cgi?id=118144

	Reviewed by Mark Hahnenberg.

	* bytecode/CodeBlock.h:
	(JSC::CodeBlock::jitType):
	- Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
	* bytecode/JumpTable.h:
	(JSC::SimpleJumpTable::clear):
	* interpreter/StackIterator.cpp:
	(JSC::StackIterator::Frame::bytecodeOffset):
	(JSC::StackIterator::Frame::print):
	* jit/JITCode.cpp:
	(JSC):
	* jit/JITExceptions.cpp:
	(JSC::getExceptionLocation):
	* llint/LowLevelInterpreter.cpp:
	* offlineasm/cloop.rb:
	* runtime/Structure.cpp:

2013-07-08 Filip Pizlo <fpizlo@apple.com>

	NaturalLoops + Profiler = Crash
	https://bugs.webkit.org/show_bug.cgi?id=118486

	Reviewed by Geoffrey Garen.

	I borked dominators in:
	http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h

	This patch also adds some debug support, and fixes the loop that adds a block to
	an already-existing natural loop. Note that we currently don't take that path in
	most programs, but it will arise, for example if you use 'continue' - though you'd
	have to use it rather cleverly since the bytecode will not jump to the loop header
	in most uses of 'continue'.

	* dfg/DFGDominators.cpp:
	(JSC::DFG::Dominators::dump):
	(DFG):
	* dfg/DFGDominators.h:
	(JSC::DFG::Dominators::dominates):
	(Dominators):
	* dfg/DFGNaturalLoops.cpp:
	(JSC::DFG::NaturalLoops::compute):

2013-07-08 Filip Pizlo <fpizlo@apple.com>

	fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
	https://bugs.webkit.org/show_bug.cgi?id=118489

	Reviewed by Mark Hahnenberg.

	* bytecode/ArrayProfile.h:
	(JSC::arrayModesAreClearOrTop):
	(JSC):
	* dfg/DFGAbstractState.cpp:
	(JSC::DFG::AbstractState::beginBasicBlock):
	* dfg/DFGAbstractValue.h:
	(JSC::DFG::AbstractValue::hasClobberableState):
	(AbstractValue):

2013-07-08 Mark Hahnenberg <mhahnenberg@apple.com>

	CheckArray should call the right version of filterArrayModes
	https://bugs.webkit.org/show_bug.cgi?id=118488

	Reviewed by Filip Pizlo.

	Currently, in the CFA, CheckArray doesn't call the right filterArrayMode, which can cause
	the CFA to ignore a contradiction when it sees one.

	* dfg/DFGAbstractState.cpp:
	(JSC::DFG::AbstractState::executeEffects):

2013-07-07 Filip Pizlo <fpizlo@apple.com>

	fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
	https://bugs.webkit.org/show_bug.cgi?id=118452

	Reviewed by Sam Weinig.

	Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
	resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
	holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
	clearAndDerefChild() was necessary back when we did eager reference counting. We
	don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
	any reference counting, so it was badly named to begin with.

	* dfg/DFGAbstractState.cpp:
	(JSC::DFG::AbstractState::executeEffects):
	* dfg/DFGArgumentsSimplificationPhase.cpp:
	(JSC::DFG::ArgumentsSimplificationPhase::run):
	* dfg/DFGCPSRethreadingPhase.cpp:
	(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
	* dfg/DFGCSEPhase.cpp:
	(JSC::DFG::CSEPhase::performNodeCSE):
	* dfg/DFGFixupPhase.cpp:
	(JSC::DFG::FixupPhase::fixupNode):
	* dfg/DFGGraph.h:
	(Graph):
	* dfg/DFGNode.h:
	(JSC::DFG::Node::willHaveCodeGenOrOSR):
	* dfg/DFGNodeType.h:
	(DFG):
	* dfg/DFGPredictionPropagationPhase.cpp:
	(JSC::DFG::PredictionPropagationPhase::propagate):
	* dfg/DFGSpeculativeJIT32_64.cpp:
	(JSC::DFG::SpeculativeJIT::compile):
	* dfg/DFGSpeculativeJIT64.cpp:
	(JSC::DFG::SpeculativeJIT::compile):

2013-07-04 Filip Pizlo <fpizlo@apple.com>

	fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
	https://bugs.webkit.org/show_bug.cgi?id=118401

	Reviewed by Sam Weinig.

	Add two new OSR exit modes, which are useful only for playing with compile times:

	- All OSR exits are llvm.trap().

	- OSR exits don't take arguments and have no exit value marshaling.

	* dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::compileInThread):
	(JSC::DFG::Plan::compileInThreadImpl):
	* dfg/DFGPlan.h:
	(Plan):
	* ftl/FTLIntrinsicRepository.h:
	(FTL):
	* ftl/FTLLowerDFGToLLVM.cpp:
	(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
	(LowerDFGToLLVM):
	(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
	* ftl/FTLOutput.h:
	(JSC::FTL::Output::trap):
	* runtime/Options.h:
	(JSC):

2013-07-04 Filip Pizlo <fpizlo@apple.com>

	fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
	https://bugs.webkit.org/show_bug.cgi?id=118339

	Reviewed by Michael Saboff.

	This accomplishes two goals:

	1) Simplifies a bunch of code. You can now much more directly get to a successor
	or predecessor, since you just get the pointer directly. The backend(s) always
	hold onto a pointer to the block they're on, so you don't have to do work to
	get the block from the index.

	2) It allows for the possibility of inserting blocks into the program.
	Previously, if you did that, you'd have to edit all references to blocks since
	those references would have outdated indexing after an insertion. Now, if you
	change the indexing, you just have to invalidate some analyses and make sure
	that you change each block's BasicBlock::index accordingly.

	* dfg/DFGAbstractState.cpp:
	(JSC::DFG::AbstractState::initialize):
	(JSC::DFG::AbstractState::endBasicBlock):
	(JSC::DFG::AbstractState::mergeToSuccessors):
	* dfg/DFGAbstractState.h:
	(AbstractState):
	* dfg/DFGArgumentsSimplificationPhase.cpp:
	(JSC::DFG::ArgumentsSimplificationPhase::run):
	* dfg/DFGBackwardsPropagationPhase.cpp:
	(JSC::DFG::BackwardsPropagationPhase::run):
	* dfg/DFGBasicBlock.h:
	(DFG):
	(JSC::DFG::BasicBlock::BasicBlock):
	(JSC::DFG::BasicBlock::size):
	(JSC::DFG::BasicBlock::isEmpty):
	(JSC::DFG::BasicBlock::at):
	(JSC::DFG::BasicBlock::operator[]):
	(JSC::DFG::BasicBlock::last):
	(JSC::DFG::BasicBlock::resize):
	(JSC::DFG::BasicBlock::grow):
	(BasicBlock):
	(JSC::DFG::BasicBlock::append):
	(JSC::DFG::BasicBlock::numSuccessors):
	(JSC::DFG::BasicBlock::successor):
	(JSC::DFG::BasicBlock::successorForCondition):
	(JSC::DFG::BasicBlock::dump):
	(UnlinkedBlock):
	(JSC::DFG::UnlinkedBlock::UnlinkedBlock):
	(JSC::DFG::getBytecodeBeginForBlock):
	(JSC::DFG::blockForBytecodeOffset):
	* dfg/DFGByteCodeParser.cpp:
	(ByteCodeParser):
	(InlineStackEntry):
	(JSC::DFG::ByteCodeParser::handleInlining):
	(JSC::DFG::ByteCodeParser::parseBlock):
	(JSC::DFG::ByteCodeParser::linkBlock):
	(JSC::DFG::ByteCodeParser::linkBlocks):
	(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
	(JSC::DFG::ByteCodeParser::parseCodeBlock):
	(JSC::DFG::ByteCodeParser::parse):
	* dfg/DFGCFAPhase.cpp:
	(JSC::DFG::CFAPhase::performBlockCFA):
	(JSC::DFG::CFAPhase::performForwardCFA):
	* dfg/DFGCFGSimplificationPhase.cpp:
	(JSC::DFG::CFGSimplificationPhase::run):
	(JSC::DFG::CFGSimplificationPhase::convertToJump):
	* dfg/DFGCPSRethreadingPhase.cpp:
	(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
	(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
	(JSC::DFG::CPSRethreadingPhase::propagatePhis):
	(CPSRethreadingPhase):
	* dfg/DFGCSEPhase.cpp:
	(JSC::DFG::CSEPhase::run):
	* dfg/DFGConstantFoldingPhase.cpp:
	(JSC::DFG::ConstantFoldingPhase::run):
	(JSC::DFG::ConstantFoldingPhase::foldConstants):
	* dfg/DFGDCEPhase.cpp:
	(JSC::DFG::DCEPhase::run):
	* dfg/DFGDisassembler.cpp:
	(JSC::DFG::Disassembler::Disassembler):
	(JSC::DFG::Disassembler::createDumpList):
	* dfg/DFGDisassembler.h:
	(JSC::DFG::Disassembler::setForBlockIndex):
	* dfg/DFGDominators.cpp:
	(JSC::DFG::Dominators::compute):
	(JSC::DFG::Dominators::iterateForBlock):
	* dfg/DFGDominators.h:
	(JSC::DFG::Dominators::dominates):
	* dfg/DFGFixupPhase.cpp:
	(JSC::DFG::FixupPhase::run):
	(JSC::DFG::FixupPhase::fixupNode):
	* dfg/DFGGraph.cpp:
	(JSC::DFG::Graph::dump):
	(JSC::DFG::Graph::dumpBlockHeader):
	(JSC::DFG::Graph::handleSuccessor):
	(JSC::DFG::Graph::determineReachability):
	(JSC::DFG::Graph::resetReachability):
	* dfg/DFGGraph.h:
	(JSC::DFG::Graph::numBlocks):
	(JSC::DFG::Graph::block):
	(JSC::DFG::Graph::lastBlock):
	(Graph):
	(JSC::DFG::Graph::appendBlock):
	(JSC::DFG::Graph::killBlock):
	(DFG):
	* dfg/DFGJITCompiler.cpp:
	(JSC::DFG::JITCompiler::JITCompiler):
	(JSC::DFG::JITCompiler::link):
	* dfg/DFGJITCompiler.h:
	(JSC::DFG::JITCompiler::setForBlockIndex):
	* dfg/DFGNaturalLoops.cpp:
	(JSC::DFG::NaturalLoop::dump):
	(JSC::DFG::NaturalLoops::compute):
	(JSC::DFG::NaturalLoops::loopsOf):
	* dfg/DFGNaturalLoops.h:
	(JSC::DFG::NaturalLoop::NaturalLoop):
	(JSC::DFG::NaturalLoop::addBlock):
	(JSC::DFG::NaturalLoop::header):
	(JSC::DFG::NaturalLoop::at):
	(JSC::DFG::NaturalLoop::operator[]):
	(JSC::DFG::NaturalLoop::contains):
	(NaturalLoop):
	(JSC::DFG::NaturalLoops::headerOf):
	(NaturalLoops):
	* dfg/DFGNode.h:
	(DFG):
	(JSC::DFG::SwitchCase::SwitchCase):
	(JSC::DFG::SwitchCase::withBytecodeIndex):
	(SwitchCase):
	(JSC::DFG::SwitchCase::targetBytecodeIndex):
	(JSC::DFG::SwitchData::SwitchData):
	(JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
	(JSC::DFG::SwitchData::fallThroughBytecodeIndex):
	(SwitchData):
	(JSC::DFG::Node::setTakenBlock):
	(JSC::DFG::Node::setNotTakenBlock):
	(JSC::DFG::Node::takenBlock):
	(JSC::DFG::Node::notTakenBlock):
	(JSC::DFG::Node::successor):
	(JSC::DFG::Node::successorForCondition):
	* dfg/DFGPredictionInjectionPhase.cpp:
	(JSC::DFG::PredictionInjectionPhase::run):
	* dfg/DFGPredictionPropagationPhase.cpp:
	(JSC::DFG::PredictionPropagationPhase::propagateForward):
	(JSC::DFG::PredictionPropagationPhase::propagateBackward):
	(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
	* dfg/DFGSpeculativeJIT.cpp:
	(JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
	(JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
	(JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
	(JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
	(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
	(JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
	(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
	(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
	(JSC::DFG::SpeculativeJIT::compile):
	(JSC::DFG::SpeculativeJIT::createOSREntries):
	(JSC::DFG::SpeculativeJIT::linkOSREntries):
	(JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
	(JSC::DFG::SpeculativeJIT::compileStrictEq):
	(JSC::DFG::SpeculativeJIT::compileRegExpExec):
	(JSC::DFG::SpeculativeJIT::addBranch):
	(JSC::DFG::SpeculativeJIT::linkBranches):
	* dfg/DFGSpeculativeJIT.h:
	(JSC::DFG::SpeculativeJIT::nextBlock):
	(SpeculativeJIT):
	(JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
	(JSC::DFG::SpeculativeJIT::branchDouble):
	(JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
	(JSC::DFG::SpeculativeJIT::branch32):
	(JSC::DFG::SpeculativeJIT::branchTest32):
	(JSC::DFG::SpeculativeJIT::branch64):
	(JSC::DFG::SpeculativeJIT::branch8):
	(JSC::DFG::SpeculativeJIT::branchPtr):
	(JSC::DFG::SpeculativeJIT::branchTestPtr):
	(JSC::DFG::SpeculativeJIT::branchTest8):
	(JSC::DFG::SpeculativeJIT::jump):
	(JSC::DFG::SpeculativeJIT::addBranch):
	(JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
	(StringSwitchCase):
	(JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
	(BranchRecord):
	* dfg/DFGSpeculativeJIT32_64.cpp:
	(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
	(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
	(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
	(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
	(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
	(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
	(JSC::DFG::SpeculativeJIT::emitBranch):
	(JSC::DFG::SpeculativeJIT::compile):
	* dfg/DFGSpeculativeJIT64.cpp:
	(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
	(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
	(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
	(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
	(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
	(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
16806 (JSC::DFG::SpeculativeJIT::emitBranch):
16807 (JSC::DFG::SpeculativeJIT::compile):
16808 * dfg/DFGTypeCheckHoistingPhase.cpp:
16809 (JSC::DFG::TypeCheckHoistingPhase::run):
16810 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
16811 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
16812 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
16813 * dfg/DFGUnificationPhase.cpp:
16814 (JSC::DFG::UnificationPhase::run):
16815 * dfg/DFGValidate.cpp:
16816 (JSC::DFG::Validate::validate):
16817 (JSC::DFG::Validate::checkOperand):
16818 (JSC::DFG::Validate::reportValidationContext):
16819 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
16820 (JSC::DFG::VirtualRegisterAllocationPhase::run):
16821 * ftl/FTLCapabilities.cpp:
16822 (JSC::FTL::canCompile):
16823 * ftl/FTLLowerDFGToLLVM.cpp:
16824 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
16825 (JSC::FTL::LowerDFGToLLVM::lower):
16826 (JSC::FTL::LowerDFGToLLVM::compileBlock):
16827 (JSC::FTL::LowerDFGToLLVM::compileJump):
16828 (JSC::FTL::LowerDFGToLLVM::compileBranch):
16829 (JSC::FTL::LowerDFGToLLVM::lowBlock):
16830
16831 2013-07-04 Filip Pizlo <fpizlo@apple.com>
16832
16833 Unreviewed, add a helpful comment for why DCE is needed in the FTL.
16834
16835 I believe I've now twice done the experiment of disabling DCE in the FTL,
16836 only to realize that this can't work, and that DCE is needed. I'd kind of
16837 like to not make that mistake again.
16838
16839 * dfg/DFGPlan.cpp:
16840 (JSC::DFG::Plan::compileInThreadImpl):
16841
16842 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16843
16844 fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
16845 https://bugs.webkit.org/show_bug.cgi?id=118340
16846
16847 Reviewed by Sam Weinig.
16848
16849 * dfg/DFGNode.h:
16850 (JSC::DFG::Node::Node):
16851
16852 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16853
16854 Unreviewed, fix 32-bit build.
16855
16856 * assembler/MacroAssembler.h:
16857 (JSC::MacroAssembler::comparePtr):
16858 (MacroAssembler):
16859 * dfg/DFGBinarySwitch.cpp:
16860 (JSC::DFG::BinarySwitch::advance):
16861 * dfg/DFGBinarySwitch.h:
16862 (JSC::DFG::BinarySwitch::caseValue):
16863
16864 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16865
16866 fourthTier: Have fewer Arrayify's
16867 https://bugs.webkit.org/show_bug.cgi?id=118335
16868
16869 Reviewed by Mark Hahnenberg.
16870
16871 A lot of Arrayify's arise because some program saw Int32 arrays early on in
16872 execution, but then they all got converted to Double arrays and the program
16873 will never see Int32 arrays ever again. Prior to this change you would always
16874 have an Arrayify in this case. But with this change, the first time that an
16875 ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
16876 instead forcibly monomorphises itself to the latest-seen structure.
16877 Thereafter it will never again perform this monomorphisation. This is
16878 controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
16879 speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
16880 unblocks a bunch of stuff we want to do in the future because it makes a
16881 bunch of loops effect-free.
16882
16883 We will still want to implement Arrayify hoisting in the future, but this is
16884 great anyway because it's better to not have Arrayifications than it is to
16885 have hoisted Arrayifications.
16886
16887 * bytecode/ArrayProfile.cpp:
16888 (JSC::ArrayProfile::computeUpdatedPrediction):
16889 (JSC::ArrayProfile::briefDescription):
16890 (JSC):
16891 (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
16892 * bytecode/ArrayProfile.h:
16893 (JSC::ArrayProfile::ArrayProfile):
16894 (ArrayProfile):
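
Added example, not JavaScriptCore code: a toy ArrayProfile whose prediction update performs the one-time first-run pruning this entry describes. Structures are plain ints, the Int32/Double stand-in constants and all names are assumptions for the demo, and the real ArrayProfile's m_didPerformFirstRunPruning is only mirrored in role.

```cpp
// Added example, not JavaScriptCore code: a toy ArrayProfile whose prediction update does
// the one-time "first run pruning" this entry describes. Structures are ints; the names
// and the Int32/Double stand-ins are assumptions for the demo.
#include <algorithm>
#include <cstdio>
#include <vector>

const int kInt32ArrayStructure = 1;      // constructed stand-ins for the array indexing shapes
const int kDoubleArrayStructure = 2;

struct ToyArrayProfile {
    std::vector<int> observedStructures;    // every structure this access site has seen
    int lastSeenStructure = -1;
    bool didPerformFirstRunPruning = false; // plays the role of m_didPerformFirstRunPruning

    // What the profiling tiers record on each execution of the array access.
    void observe(int structure) {
        lastSeenStructure = structure;
        if (std::find(observedStructures.begin(), observedStructures.end(), structure) == observedStructures.end())
            observedStructures.push_back(structure);
    }
    bool isPolymorphic() const { return observedStructures.size() > 1; }

    // The first time the profile is about to report itself polymorphic, it instead forgets
    // its history and keeps only the latest structure. Any later polymorphism stands.
    void computeUpdatedPrediction() {
        if (isPolymorphic() && !didPerformFirstRunPruning) {
            observedStructures.assign(1, lastSeenStructure);
            didPerformFirstRunPruning = true;
        }
    }
};

// The situation from the entry: Int32 arrays early on, then Double arrays from then on.
// Without pruning the site would stay polymorphic and keep its Arrayify forever.
bool warmupThenDoubleIsMonomorphicDouble() {
    ToyArrayProfile profile;
    for (int i = 0; i < 100; ++i) profile.observe(kInt32ArrayStructure);
    profile.observe(kDoubleArrayStructure);
    profile.computeUpdatedPrediction();
    return !profile.isPolymorphic() && profile.observedStructures[0] == kDoubleArrayStructure;
}

// A site that really alternates: pruning happens once, after which polymorphism is reported.
bool genuinePolymorphismIsKept() {
    ToyArrayProfile profile;
    profile.observe(kInt32ArrayStructure);
    profile.observe(kDoubleArrayStructure);
    profile.computeUpdatedPrediction();      // pruned to Double; the one pruning is used up
    profile.observe(kInt32ArrayStructure);
    profile.computeUpdatedPrediction();      // no second pruning
    return profile.isPolymorphic() && profile.observedStructures.size() == 2;
}

int main() {
    std::printf("warm-up then Double -> monomorphic Double: %s\n", warmupThenDoubleIsMonomorphicDouble() ? "yes" : "no");
    std::printf("genuinely alternating site stays polymorphic: %s\n", genuinePolymorphismIsKept() ? "yes" : "no");
    return 0;
}
```

The second scenario is the important caveat: the pruning only hides the first transition a site ever makes, so a site that keeps alternating between array shapes still ends up polymorphic and still gets its Arrayify.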
16895
16896 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16897
16898 fourthTier: add option to disable OSR entry in loops
16899 https://bugs.webkit.org/show_bug.cgi?id=118329
16900
16901 Reviewed by Mark Hahnenberg.
16902
16903 This adds that option, and also makes the OSR exit reoptimization trigger rely less on
16904 OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
16905 high after a small number of OSR exits, we will recompile.
16906
16907 * dfg/DFGOSRExitCompilerCommon.cpp:
16908 (JSC::DFG::handleExitCounts):
16909 * dfg/DFGOperations.cpp:
16910 * jit/JITOpcodes.cpp:
16911 (JSC::JIT::emit_op_loop_hint):
16912 (JSC::JIT::emitSlow_op_loop_hint):
16913 * runtime/Options.h:
16914 (JSC):
16915
16916 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16917
16918 fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
16919 https://bugs.webkit.org/show_bug.cgi?id=118313
16920
16921 Reviewed by Mark Hahnenberg.
16922
16923 Give it a mode where we can still crash on unrecognized reference types, so that we might
16924 implement them in the future, but by default just print some stuff and keep going.
16925
16926 * disassembler/LLVMDisassembler.cpp:
16927 (JSC):
16928 (JSC::symbolLookupCallback):
16929
16930 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16931
16932 fourthTier: FTL should use the equivalent of llvm opt -O2 by default
16933 https://bugs.webkit.org/show_bug.cgi?id=118311
16934
16935 Reviewed by Mark Hahnenberg.
16936
16937 Use a PassManagerBuilder instead of rolling our own.
16938
16939 This boosts our speed-up by another 5% or so.
16940
16941 * ftl/FTLCompile.cpp:
16942 (JSC::FTL::compile):
16943 * runtime/Options.h:
16944 (JSC):
16945
16946 2013-07-01 Filip Pizlo <fpizlo@apple.com>
16947
16948 fourthTier: FTL should run LICM after AA setup
16949 https://bugs.webkit.org/show_bug.cgi?id=118277
16950
16951 Reviewed by Maciej Stachowiak.
16952
16953 LICM queries alias analysis. Hence, just like GVN, it should run after
16954 we have set up the alias analysis.
16955
16956 * ftl/FTLCompile.cpp:
16957 (JSC::FTL::compile):
16958
16959 2013-07-01 Filip Pizlo <fpizlo@apple.com>
16960
16961 fourthTier: FTL should run AA passes before GVN
16962 https://bugs.webkit.org/show_bug.cgi?id=118276
16963
16964 Rubber stamped by Geoffrey Garen.
16965
16966 These enable load elimination in GVN.
16967
16968 Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
16969 properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
16970 warning: the stock version of that benchmark won't see speed-ups -
16971 probably slow-downs instead - because the FTL can't do OSR entry yet.)
16972 Another example is the findGraphNode function, which now sees a 7%
16973 speed-up, and that's without even doing LICM or other good things.
16974
16975 * ftl/FTLCompile.cpp:
16976 (JSC::FTL::compile):
16977
16978 2013-06-27 Filip Pizlo <fpizlo@apple.com>
16979
16980 Make Graph::substituteGetLocal() out-of-line
16981
16982 Rubber stamped by Geoffrey Garen.
16983
16984 * dfg/DFGGraph.cpp:
16985 (JSC::DFG::Graph::substituteGetLocal):
16986 (DFG):
16987 * dfg/DFGGraph.h:
16988 (Graph):
16989
16990 2013-06-27 Filip Pizlo <fpizlo@apple.com>
16991
16992 fourthTier: DFG should know how to find natural loops
16993 https://bugs.webkit.org/show_bug.cgi?id=118152
16994
16995 Reviewed by Mark Hahnenberg.
16996
16997 There are a bunch of things we can do when we know where the loops are.
16998 Previously we didn't. With this patch, we do.
16999
17000 This patch adds the classic dominator based natural loop finder.
17001
17002 The only client of this right now is the DFG::Disassembler. It prints out
17003 a summary of the analysis for each block.
17004
17005 This will become more important when I do
17006 https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
17007 this kind of analysis, at least if we want to do the optimization over
17008 DFG IR (and I'm pretty sure we do).
17009
17010 * JavaScriptCore.xcodeproj/project.pbxproj:
17011 * dfg/DFGAnalysis.h: Added.
17012 (DFG):
17013 (Analysis):
17014 (JSC::DFG::Analysis::Analysis):
17015 (JSC::DFG::Analysis::invalidate):
17016 (JSC::DFG::Analysis::computeIfNecessary):
17017 (JSC::DFG::Analysis::isValid):
17018 * dfg/DFGCFGSimplificationPhase.cpp:
17019 (JSC::DFG::CFGSimplificationPhase::run):
17020 * dfg/DFGDisassembler.cpp:
17021 (JSC::DFG::Disassembler::createDumpList):
17022 * dfg/DFGDominators.cpp:
17023 (JSC::DFG::Dominators::Dominators):
17024 (JSC::DFG::Dominators::compute):
17025 * dfg/DFGDominators.h:
17026 (Dominators):
17027 * dfg/DFGGraph.cpp:
17028 (JSC::DFG::Graph::dumpBlockHeader):
17029 (JSC::DFG::Graph::invalidateCFG):
17030 (DFG):
17031 * dfg/DFGGraph.h:
17032 (Graph):
17033 * dfg/DFGNaturalLoops.cpp: Added.
17034 (DFG):
17035 (JSC::DFG::NaturalLoop::dump):
17036 (JSC::DFG::NaturalLoops::NaturalLoops):
17037 (JSC::DFG::NaturalLoops::~NaturalLoops):
17038 (JSC::DFG::NaturalLoops::compute):
17039 (JSC::DFG::NaturalLoops::loopsOf):
17040 (JSC::DFG::NaturalLoops::dump):
17041 * dfg/DFGNaturalLoops.h: Added.
17042 (DFG):
17043 (NaturalLoop):
17044 (JSC::DFG::NaturalLoop::NaturalLoop):
17045 (JSC::DFG::NaturalLoop::addBlock):
17046 (JSC::DFG::NaturalLoop::header):
17047 (JSC::DFG::NaturalLoop::size):
17048 (JSC::DFG::NaturalLoop::at):
17049 (JSC::DFG::NaturalLoop::operator[]):
17050 (JSC::DFG::NaturalLoop::contains):
17051 (NaturalLoops):
17052 (JSC::DFG::NaturalLoops::numLoops):
17053 (JSC::DFG::NaturalLoops::loop):
17054 (JSC::DFG::NaturalLoops::headerOf):
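
Added example, not JavaScriptCore code: a small C++ version of the classic dominator-based natural loop finder this entry describes, run on a constructed five-block CFG. The CFG type, block numbering and helper names are assumptions made here; the DFG's Dominators and NaturalLoops classes are mirrored only in what they compute (dominator sets, back edges, loop membership and the innermost loop of a block).

```cpp
// Added example, not JavaScriptCore code: dominator-based natural loop finding
// on a constructed CFG. Blocks are ints, block 0 is the entry.
#include <cstdio>
#include <set>
#include <vector>

struct CFG {
    std::vector<std::vector<int>> succ;
    std::vector<std::vector<int>> pred;
    explicit CFG(int n) : succ(n), pred(n) {}
    void addEdge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
    int size() const { return (int)succ.size(); }
};

// Iterative data-flow computation of dominator sets: dom[b] holds every block that
// dominates b, b itself included. Sets start as "all blocks" and shrink to a fixpoint.
std::vector<std::set<int>> computeDominators(const CFG& g) {
    int n = g.size();
    std::set<int> all;
    for (int b = 0; b < n; ++b) all.insert(b);
    std::vector<std::set<int>> dom(n, all);
    dom[0] = std::set<int>{0};
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 1; b < n; ++b) {
            std::set<int> next = all;
            for (int p : g.pred[b]) {                 // intersect the predecessors' sets
                std::set<int> tmp;
                for (int d : next) if (dom[p].count(d)) tmp.insert(d);
                next = tmp;
            }
            next.insert(b);
            if (next != dom[b]) { dom[b] = next; changed = true; }
        }
    }
    return dom;
}

struct NaturalLoop {
    int header;
    std::set<int> blocks;                          // header included
    bool contains(int b) const { return blocks.count(b) != 0; }
};

// An edge tail -> header is a back edge when header dominates tail. Its natural loop is the
// header plus every block that reaches tail without passing through the header; back edges
// that share a header are merged into a single loop.
std::vector<NaturalLoop> findNaturalLoops(const CFG& g) {
    std::vector<std::set<int>> dom = computeDominators(g);
    std::vector<NaturalLoop> loops;
    for (int tail = 0; tail < g.size(); ++tail) {
        for (int header : g.succ[tail]) {
            if (!dom[tail].count(header)) continue;          // not a back edge
            size_t idx = loops.size();
            for (size_t i = 0; i < loops.size(); ++i) if (loops[i].header == header) idx = i;
            if (idx == loops.size()) loops.push_back(NaturalLoop{header, std::set<int>{header}});
            std::vector<int> work(1, tail);
            while (!work.empty()) {                           // walk predecessors back to the header
                int b = work.back(); work.pop_back();
                if (!loops[idx].blocks.insert(b).second) continue;   // seen already, or the header
                for (int p : g.pred[b]) work.push_back(p);
            }
        }
    }
    return loops;
}

// Innermost loop header containing block b, or -1 when b is in no loop: the kind of
// per-block summary a disassembler dump would print.
int innermostHeaderOf(const std::vector<NaturalLoop>& loops, int b) {
    int best = -1;
    size_t bestSize = 0;
    for (const NaturalLoop& l : loops) {
        if (l.contains(b) && (best < 0 || l.blocks.size() < bestSize)) {
            best = l.header;
            bestSize = l.blocks.size();
        }
    }
    return best;
}

// Constructed CFG: 0 -> 1 -> 2 -> 3 -> 1 is a loop headed by block 1, 2 -> 2 is an inner
// self-loop, and 3 -> 4 exits.
CFG sampleCFG() {
    CFG g(5);
    g.addEdge(0, 1); g.addEdge(1, 2); g.addEdge(2, 2);
    g.addEdge(2, 3); g.addEdge(3, 1); g.addEdge(3, 4);
    return g;
}

int sampleLoopCount() { return (int)findNaturalLoops(sampleCFG()).size(); }
int sampleInnermostHeader(int b) { return innermostHeaderOf(findNaturalLoops(sampleCFG()), b); }
bool sampleDominates(int a, int b) { return computeDominators(sampleCFG())[b].count(a) != 0; }

int main() {
    std::vector<NaturalLoop> loops = findNaturalLoops(sampleCFG());
    for (int b = 0; b < 5; ++b)
        std::printf("block %d: innermost loop header %d\n", b, innermostHeaderOf(loops, b));
    return 0;
}
```

The walk back from the tail stops at the header because the header is inserted into the loop before the walk starts, which is also what makes a self-loop (2 -> 2 above) come out as a one-block loop rather than an empty one.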
17055
17056 2013-06-27 Filip Pizlo <fpizlo@apple.com>
17057
17058 fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
17059 https://bugs.webkit.org/show_bug.cgi?id=118148
17060
17061 Reviewed by Anders Carlsson.
17062
17063 Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
17064 that LLVM generates for floating point. So the right decision is to
17065 switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
17066 cannot disassemble the load-from-absolute-address-into-%rax instructions
17067 that our JIT generates quite a lot of.
17068
17069 So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
17070 and requires the caller of disassemble() to hint which one is likely to
17071 be less wrong for the given code.
17072
17073 Maybe in the future LLVM will catch up to UDis86, but it's definitely not
17074 there right now.
17075
17076 This now allows us to disassemble all of the code that LLVM generates.
17077
17078 * JavaScriptCore.xcodeproj/project.pbxproj:
17079 * disassembler/Disassembler.cpp:
17080 (JSC::disassemble):
17081 * disassembler/Disassembler.h:
17082 (JSC::tryToDisassemble):
17083 (JSC):
17084 * disassembler/LLVMDisassembler.cpp: Added.
17085 (JSC):
17086 (JSC::symbolLookupCallback):
17087 (JSC::tryToDisassembleWithLLVM):
17088 * disassembler/LLVMDisassembler.h: Added.
17089 (JSC):
17090 (JSC::tryToDisassembleWithLLVM):
17091 * disassembler/UDis86Disassembler.cpp:
17092 (JSC::tryToDisassembleWithUDis86):
17093 * disassembler/UDis86Disassembler.h: Added.
17094 (JSC):
17095 (JSC::tryToDisassembleWithUDis86):
17096 * disassembler/X86Disassembler.cpp: Added.
17097 (JSC):
17098 (JSC::tryToDisassemble):
17099 * ftl/FTLAbbreviatedTypes.h:
17100 * ftl/FTLCompile.cpp:
17101 (JSC::FTL::compile):
17102 * ftl/FTLJITCode.h:
17103 * ftl/FTLJITFinalizer.h:
17104 * ftl/FTLLLVMHeaders.h: Removed.
17105 * ftl/FTLLink.cpp:
17106 * runtime/InitializeThreading.cpp:
17107 (JSC::initializeThreadingOnce):
17108 * runtime/Options.h:
17109 (JSC):
17110
17111 2013-06-27 Filip Pizlo <fpizlo@apple.com>
17112
17113 fourthTier: FTL should be able to dump disassembly
17114 https://bugs.webkit.org/show_bug.cgi?id=118141
17115
17116 Reviewed by Geoffrey Garen.
17117
17118 * ftl/FTLCompile.cpp:
17119 (JSC::FTL::compile):
17120
17121 2013-06-27 Filip Pizlo <fpizlo@apple.com>
17122
17123 Unreviewed, fix build for LLVM ToT.
17124
17125 This doesn't affect those using the binary drops, but if you're building from
17126 LLVM ToT you'll get link errors. These arise because we expect there to be a
17127 libLLVMArchive, but that is no longer built by LLVM ToT. This causes the linker
17128 to fall back on the system's libLLVMArchive, which is incompatible with the
17129 other LLVM libs we pull in.
17130
17131 Also, we didn't need that library anyway and shouldn't have been linking
17132 against it.
17133
17134 * Configurations/JavaScriptCore.xcconfig:
17135
17136 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17137
17138 fourthTier: FTL should support hole/OOB PutByVal's
17139 https://bugs.webkit.org/show_bug.cgi?id=118112
17140
17141 Reviewed by Geoffrey Garen.
17142
17143 Added a common code generator for the out-of-bounds case that is reused by
17144 all contiguous-like arrays (Int32, Double, Contiguous).
17145
17146 This is relatively straight-forward, except that it's the first time that
17147 the FTL has to call DFG operations that take more than two arguments.
17148
17149 * ftl/FTLAbbreviations.h:
17150 (JSC::FTL::functionType):
17151 (JSC::FTL::buildCall):
17152 * ftl/FTLAbstractHeapRepository.h:
17153 (FTL):
17154 * ftl/FTLCapabilities.cpp:
17155 (JSC::FTL::canCompile):
17156 * ftl/FTLIntrinsicRepository.h:
17157 (FTL):
17158 * ftl/FTLLowerDFGToLLVM.cpp:
17159 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
17160 (LowerDFGToLLVM):
17161 (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
17162 (JSC::FTL::LowerDFGToLLVM::vmCall):
17163 * ftl/FTLOutput.h:
17164 (JSC::FTL::Output::call):
17165
17166 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17167
17168 fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
17169 https://bugs.webkit.org/show_bug.cgi?id=118097
17170
17171 Reviewed by Mark Hahnenberg.
17172
17173 This increases coverage to include programs that have unprofiled paths. Those paths will
17174 often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
17175 support those; except that it doesn't matter since the reason why they were untyped is
17176 that they were unprofiled and anyway we won't run them because we'll exit before them.
17177
17178 * ftl/FTLCapabilities.cpp:
17179 (JSC::FTL::canCompile):
17180
17181 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17182
17183 fourthTier: FTL should support ArrayifyToStructure
17184 https://bugs.webkit.org/show_bug.cgi?id=118095
17185
17186 Reviewed by Mark Hahnenberg.
17187
17188 * ftl/FTLCapabilities.cpp:
17189 (JSC::FTL::canCompile):
17190 * ftl/FTLIntrinsicRepository.h:
17191 (FTL):
17192 * ftl/FTLLowerDFGToLLVM.cpp:
17193 (JSC::FTL::LowerDFGToLLVM::compileNode):
17194 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
17195 (LowerDFGToLLVM):
17196
17197 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17198
17199 fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
17200 https://bugs.webkit.org/show_bug.cgi?id=118091
17201
17202 Reviewed by Mark Hahnenberg.
17203
17204 I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
17205 which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
17206 the FTL. I then fixed those bugs, also:
17207
17208 - The FTL should not attempt to compile a block that is not reachable according to the CFA.
17209 This is analogous to terminating basic block compilation if the CFA becomes !isValid().
17210 Attempting to compile such a block means that you're running on broken CFA state, and the
17211 CFA will become inconsistent with the code you're generating, leading to some
17212 strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
17213 a node and hence don't have LValue's for that node (by virtue of us giving up due to
17214 !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
17215 weren't visited by the CFA at all, and the CFA expects you to know this because it
17216 expects that you already checked BasicBlock::cfaHasVisited.
17217
17218 - SetLocal needs to change the ValueSource of the operand to indicate that its value has
17219 been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
17220 speak). This is because although OSR exit already knows that the value of the operand is
17221 stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
17222 will also assume that if the Node dies then the value-at-exit for that operand should be
17223 Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
17224 things; in particular the local always outlives the Node in the case of a SetLocal. So,
17225 we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
17226 to ensure that OSR exit knows that the darn thing is really live until the end of the
17227 basic block, as opposed to until whenever the Node dies (which could be at any time).
17228
17229 - PutByOffset was erroneously storing to an offset from the base object, rather than an
17230 offset from the storage. Note that the storage will be the base object (exactly - i.e.
17231 same node, same value) for inline stores, but will be a distinct thing for out-of-line
17232 stores.
17233
17234 - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
17235 when it should have been using DoubleInLocals.
17236
17237 * ftl/FTLCapabilities.cpp:
17238 (JSC::FTL::canCompile):
17239 * ftl/FTLLowerDFGToLLVM.cpp:
17240 (JSC::FTL::LowerDFGToLLVM::compileBlock):
17241 (JSC::FTL::LowerDFGToLLVM::compileNode):
17242 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
17243 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
17244 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
17245 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
17246
17247 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17248
17249 fourthTier: FTL should support PutByVal
17250 https://bugs.webkit.org/show_bug.cgi?id=118075
17251
17252 Reviewed by Mark Hahnenberg.
17253
17254 * ftl/FTLCapabilities.cpp:
17255 (JSC::FTL::canCompile):
17256 * ftl/FTLLowerDFGToLLVM.cpp:
17257 (JSC::FTL::LowerDFGToLLVM::lower):
17258 (JSC::FTL::LowerDFGToLLVM::compileNode):
17259 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
17260 (LowerDFGToLLVM):
17261 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
17262
17263 2013-06-25 Filip Pizlo <fpizlo@apple.com>
17264
17265 fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
17266 https://bugs.webkit.org/show_bug.cgi?id=118028
17267
17268 Reviewed by Sam Weinig.
17269
17270 The SaneChain optimization allows us to get rid of the NaN check on loading from
17271 a double array, if the result is used in an arithmetic op that wouldn't
17272 distinguish between NaN and undefined. Normally the NaN check would be needed
17273 because NaN is the hole marker.
17274
17275 The SaneChain optimization definitely requires that you're an Original array,
17276 since we need to watchpoint the array prototype chain. And so it also needs to
17277 be a JSArray, and not an object that has indexed double properties. We also
17278 require an in-bounds access, since the backend is only capable of the
17279 optimization in the in-bounds case (though we could extend it to OOB in the
17280 future). But whether the array is being converted or is as-is isn't relevant.
17281 Either way, if it's a double original array in-bounds access by the time that
17282 the array check (or conversion!) completes, we can do the optimization.
17283
17284 Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.
17285
17286 * dfg/DFGFixupPhase.cpp:
17287 (JSC::DFG::FixupPhase::fixupNode):
17288
17289 2013-06-25 Filip Pizlo <fpizlo@apple.com>
17290
17291 fourthTier: DFG should support switch_string
17292 https://bugs.webkit.org/show_bug.cgi?id=117967
17293
17294 Reviewed by Sam Weinig.
17295
17296 Add a reusable binary switch creator.
17297
17298 Implement switch on string using three modes:
17299
17300 - Binary switch on StringImpl* in the case of identifiers.
17301
17302 - Trie of binary switches on characters in the case of a not-too-big
17303 switch over not-too-big 8-bit strings.
17304
17305 - Hash lookup if all else fails.
17306
17307 Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
17308 string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
17309 pdfjs.
17310
17311 * JavaScriptCore.xcodeproj/project.pbxproj:
17312 * bytecode/JumpTable.h:
17313 (StringJumpTable):
17314 (JSC::StringJumpTable::clear):
17315 * dfg/DFGBackwardsPropagationPhase.cpp:
17316 (JSC::DFG::BackwardsPropagationPhase::propagate):
17317 * dfg/DFGBinarySwitch.cpp: Added.
17318 (DFG):
17319 (JSC::DFG::BinarySwitch::BinarySwitch):
17320 (JSC::DFG::BinarySwitch::advance):
17321 (JSC::DFG::BinarySwitch::build):
17322 * dfg/DFGBinarySwitch.h: Added.
17323 (DFG):
17324 (BinarySwitch):
17325 (JSC::DFG::BinarySwitch::caseIndex):
17326 (JSC::DFG::BinarySwitch::caseValue):
17327 (JSC::DFG::BinarySwitch::fallThrough):
17328 (JSC::DFG::BinarySwitch::Case::Case):
17329 (Case):
17330 (JSC::DFG::BinarySwitch::Case::operator<):
17331 (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
17332 (BranchCode):
17333 * dfg/DFGByteCodeParser.cpp:
17334 (JSC::DFG::ByteCodeParser::parseBlock):
17335 * dfg/DFGCapabilities.cpp:
17336 (JSC::DFG::capabilityLevel):
17337 * dfg/DFGFixupPhase.cpp:
17338 (JSC::DFG::FixupPhase::fixupNode):
17339 * dfg/DFGJITCompiler.cpp:
17340 (JSC::DFG::JITCompiler::link):
17341 * dfg/DFGLazyJSValue.cpp:
17342 (JSC::DFG::LazyJSValue::getValue):
17343 (JSC::DFG::equalToStringImpl):
17344 (DFG):
17345 (JSC::DFG::LazyJSValue::strictEqual):
17346 (JSC::DFG::LazyJSValue::dump):
17347 * dfg/DFGLazyJSValue.h:
17348 (JSC::DFG::LazyJSValue::knownStringImpl):
17349 (LazyJSValue):
17350 (JSC::DFG::LazyJSValue::stringImpl):
17351 (JSC::DFG::LazyJSValue::switchLookupValue):
17352 * dfg/DFGNode.cpp:
17353 (WTF::printInternal):
17354 * dfg/DFGNode.h:
17355 * dfg/DFGOperations.cpp:
17356 * dfg/DFGOperations.h:
17357 * dfg/DFGSpeculativeJIT.cpp:
17358 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
17359 (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
17360 (DFG):
17361 (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
17362 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
17363 (JSC::DFG::SpeculativeJIT::emitSwitchString):
17364 (JSC::DFG::SpeculativeJIT::emitSwitch):
17365 (JSC::DFG::SpeculativeJIT::addBranch):
17366 * dfg/DFGSpeculativeJIT.h:
17367 (JSC::DFG::SpeculativeJIT::callOperation):
17368 (JSC::DFG::SpeculativeJIT::branch8):
17369 (SpeculativeJIT):
17370 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
17371 (StringSwitchCase):
17372 * ftl/FTLLowerDFGToLLVM.cpp:
17373 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
17374 * runtime/Options.h:
17375 (JSC):
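
Added example, not JavaScriptCore code: the three switch-on-string strategies this entry lists, written out in C++ over constructed cases. The binary switch over a sorted key table stands in for the identifier case (keys play the role of StringImpl* pointers, so matching is pointer equality), the trie dispatches on each character with a binary switch over its sorted edges, and anything else falls back to a hash lookup. The case lists, the size thresholds that pick the trie mode and all helper names are assumptions for the demo, not JSC's values.

```cpp
// Added example, not JavaScriptCore code: the three switch-on-string strategies this entry
// lists, on constructed cases. The thresholds and helper names are assumptions for the demo.
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Mode 1: binary switch over a sorted key table. Keys are uintptr_t standing in for the
// StringImpl* of interned identifiers, so a case matches by pointer equality alone.
// Returns the case index or -1 for fall-through; *comparisons counts compare-and-branch steps.
struct KeyCase { uintptr_t key; int caseIndex; };

int binarySwitch(const std::vector<KeyCase>& sortedCases, uintptr_t value, int* comparisons) {
    int lo = 0, hi = (int)sortedCases.size() - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        ++*comparisons;
        if (sortedCases[mid].key == value) return sortedCases[mid].caseIndex;
        if (sortedCases[mid].key < value) lo = mid + 1; else hi = mid - 1;
    }
    return -1;
}

// Mode 2: a trie in which every node dispatches on the next character through a binary
// switch over its sorted edge list, so each level costs O(log fan-out) comparisons.
struct CharTrie {
    struct Node { std::vector<std::pair<unsigned char, int>> edges; int caseIndex; };
    std::vector<Node> nodes;
    CharTrie() : nodes(1, Node{ {}, -1 }) {}

    int childOf(int n, unsigned char c) const {
        const std::vector<std::pair<unsigned char, int>>& e = nodes[n].edges;
        int lo = 0, hi = (int)e.size() - 1;
        while (lo <= hi) {
            int mid = lo + (hi - lo) / 2;
            if (e[mid].first == c) return e[mid].second;
            if (e[mid].first < c) lo = mid + 1; else hi = mid - 1;
        }
        return -1;
    }
    void insert(const std::string& s, int caseIndex) {
        int n = 0;
        for (unsigned char c : s) {
            int next = childOf(n, c);
            if (next < 0) {
                next = (int)nodes.size();
                nodes.push_back(Node{ {}, -1 });                   // may reallocate: take refs after this
                std::vector<std::pair<unsigned char, int>>& e = nodes[n].edges;
                size_t pos = 0;
                while (pos < e.size() && e[pos].first < c) ++pos;  // keep the edge list sorted
                e.insert(e.begin() + pos, std::make_pair(c, next));
            }
            n = next;
        }
        nodes[n].caseIndex = caseIndex;
    }
    int lookup(const std::string& s) const {
        int n = 0;
        for (unsigned char c : s) { n = childOf(n, c); if (n < 0) return -1; }
        return nodes[n].caseIndex;                                 // -1 on a prefix that is no case
    }
};

// Mode 3 is a plain hash lookup; chooseMode() decides which of the three applies.
enum class Mode { IdentifierBinarySwitch = 0, CharTrie = 1, HashLookup = 2 };
const size_t kMaxTrieCases = 16;            // constructed thresholds, not JSC's actual values
const size_t kMaxTrieStringLength = 16;

Mode chooseMode(const std::vector<std::string>& cases, bool allIdentifiers) {
    if (allIdentifiers) return Mode::IdentifierBinarySwitch;
    bool trieFriendly = cases.size() <= kMaxTrieCases;
    for (const std::string& s : cases) {
        if (s.size() > kMaxTrieStringLength) trieFriendly = false;
        for (unsigned char c : s) if (c > 0x7f) trieFriendly = false;   // stand-in for the 8-bit check
    }
    return trieFriendly ? Mode::CharTrie : Mode::HashLookup;
}

// Constructed cases and small wrappers so each mode's behaviour can be checked directly.
int trieLookup(const std::string& s) {
    static const std::vector<std::string> cases = {"apple", "app", "banana", "band"};
    CharTrie trie;
    for (size_t i = 0; i < cases.size(); ++i) trie.insert(cases[i], (int)i);
    return trie.lookup(s);
}
static int identSwitchImpl(uintptr_t value, int* comparisons) {
    static const std::vector<KeyCase> cases = {{0x10, 0}, {0x20, 1}, {0x30, 2}, {0x40, 3}, {0x50, 4}};
    *comparisons = 0;
    return binarySwitch(cases, value, comparisons);
}
int identSwitch(uintptr_t value) { int c; return identSwitchImpl(value, &c); }
int identSwitchComparisons(uintptr_t value) { int c; identSwitchImpl(value, &c); return c; }
int modeForCaseCount(size_t n, bool allIdentifiers) {
    std::vector<std::string> cases;
    for (size_t i = 0; i < n; ++i) cases.push_back("k" + std::to_string(i));
    return (int)chooseMode(cases, allIdentifiers);
}
```

Note that trieLookup("ap") and trieLookup("bandana") both fall through: a lookup that ends on an interior node, or runs out of edges before the string ends, is not a match, which is the check a character trie must get right to avoid matching prefixes.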
17376
17377 2013-06-24 Filip Pizlo <fpizlo@apple.com>
17378
17379 fourthTier: Count external memory usage towards heap footprint
17380 https://bugs.webkit.org/show_bug.cgi?id=117948
17381
17382 Reviewed by Geoffrey Garen.
17383
17384 Currently just count strings. Strings get counted in such a way that we won't re-count strings
17385 that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
17386 the collector to appropriately amortize itself.
17387
17388 * heap/Heap.cpp:
17389 (JSC::Heap::Heap):
17390 (JSC::Heap::size):
17391 (JSC::Heap::collect):
17392 * heap/Heap.h:
17393 (Heap):
17394 * heap/SlotVisitor.h:
17395 * heap/SlotVisitorInlines.h:
17396 (JSC::SlotVisitor::reportExtraMemoryUsage):
17397 (JSC):
17398 * runtime/JSString.cpp:
17399 (JSC::JSString::visitChildren):
17400
17401 2013-06-23 Filip Pizlo <fpizlo@apple.com>
17402
17403 fourthTier: DFG should optimize identifier string equality
17404 https://bugs.webkit.org/show_bug.cgi?id=117920
17405
17406 Reviewed by Sam Weinig.
17407
17408 This is a 20% speed-up for string equality comparisons when both strings are
17409 identifiers.
17410
17411 This is important for two reasons:
17412
17413 1) Using strings as enumerations is an idiom. A great example is typeof. It
17414 would be great if this performed better.
17415
17416 2) When I implement switch_string in the DFG, it would be great to optimize
17417 the case where the switched-on value is an identifier. That would involve
17418 a simple binary switch rather than a more complicated trie-switch over
17419 characters.
17420
17421 * bytecode/SpeculatedType.cpp:
17422 (JSC::dumpSpeculation):
17423 (JSC::speculationToAbbreviatedString):
17424 (JSC::speculationFromCell):
17425 * bytecode/SpeculatedType.h:
17426 (JSC):
17427 (JSC::isStringIdentSpeculation):
17428 (JSC::isStringSpeculation):
17429 * dfg/DFGAbstractState.cpp:
17430 (JSC::DFG::AbstractState::executeEffects):
17431 * dfg/DFGFixupPhase.cpp:
17432 (JSC::DFG::FixupPhase::fixupNode):
17433 * dfg/DFGNode.h:
17434 (JSC::DFG::Node::shouldSpeculateStringIdent):
17435 (Node):
17436 * dfg/DFGSpeculativeJIT.cpp:
17437 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
17438 (JSC::DFG::SpeculativeJIT::compare):
17439 (JSC::DFG::SpeculativeJIT::compileStrictEq):
17440 (JSC::DFG::SpeculativeJIT::compileStringEquality):
17441 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
17442 (DFG):
17443 (JSC::DFG::SpeculativeJIT::speculateString):
17444 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
17445 (JSC::DFG::SpeculativeJIT::speculateStringIdent):
17446 (JSC::DFG::SpeculativeJIT::speculate):
17447 * dfg/DFGSpeculativeJIT.h:
17448 (SpeculativeJIT):
17449 * dfg/DFGUseKind.cpp:
17450 (WTF::printInternal):
17451 * dfg/DFGUseKind.h:
17452 (JSC::DFG::typeFilterFor):
17453 (JSC::DFG::isCell):
17454
17455 2013-06-22 Filip Pizlo <fpizlo@apple.com>
17456
17457 fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
17458 https://bugs.webkit.org/show_bug.cgi?id=117906
17459
17460 Reviewed by Mark Hahnenberg.
17461
17462 This does the obvious thing, but also makes sure that out-of-bounds accesses
17463 don't fall off into a C call, but try to do the fast thing if the prototype
17464 chain is sane. We ought to probably do this for other array accesses in the
17465 future, as well, since it's so darn easy.
17466
17467 * dfg/DFGAbstractState.cpp:
17468 (JSC::DFG::AbstractState::executeEffects):
17469 * dfg/DFGFixupPhase.cpp:
17470 (JSC::DFG::FixupPhase::fixupNode):
17471 * dfg/DFGOperations.cpp:
17472 * dfg/DFGOperations.h:
17473 * dfg/DFGSpeculativeJIT.cpp:
17474 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17475 * dfg/DFGSpeculativeJIT.h:
17476 (JSC::DFG::SpeculativeJIT::callOperation):
17477 * runtime/JSGlobalObject.cpp:
17478 (JSC::JSGlobalObject::objectPrototypeIsSane):
17479 (JSC):
17480 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
17481 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
17482 * runtime/JSGlobalObject.h:
17483 (JSGlobalObject):
17484
17485 2013-06-22 Filip Pizlo <fpizlo@apple.com>
17486
17487 fourthTier: GC's put_by_id transition fixpoint should converge more quickly
17488 https://bugs.webkit.org/show_bug.cgi?id=117912
17489
17490 Reviewed by Mark Hahnenberg.
17491
17492 This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
17493 iterate the program in program order, or at least something close to program order. Because I enjoy reverse
17494 loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
17495 pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.
17496
17497 Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.
17498
17499 * bytecode/CodeBlock.cpp:
17500 (JSC::CodeBlock::propagateTransitions):
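
Added example, not JavaScriptCore code: a forward data-flow fixpoint over a constructed chain of structure transitions, run once in program order and once in reverse, to make the pass-count difference this entry describes concrete. The Transition type, the chain shape and the helper names are assumptions for the demo; the real propagateTransitions() is not reproduced.

```cpp
// Added example, not JavaScriptCore code: a forward data-flow fixpoint over a constructed
// chain of structure transitions, iterated in program order and in reverse, to show why
// the loop direction decides how many passes the fixpoint takes.
#include <cstdio>
#include <initializer_list>
#include <vector>

// "If structure `from` is marked, structure `to` becomes marked": the shape of a
// put_by_id transition that marking has to propagate.
struct Transition { int from; int to; };

struct FixpointResult { int passes; int markedCount; };

// Repeats full passes over the transition list until a pass changes nothing. The pass
// count includes the final pass that only confirms convergence.
FixpointResult runFixpoint(const std::vector<Transition>& transitions, std::vector<bool> marked, bool reverse) {
    int passes = 0;
    for (bool changed = true; changed;) {
        changed = false;
        ++passes;
        size_t n = transitions.size();
        for (size_t k = 0; k < n; ++k) {
            // reverse == true visits the transitions the way a "while (n--)" loop would
            const Transition& t = transitions[reverse ? n - 1 - k : k];
            if (marked[t.from] && !marked[t.to]) { marked[t.to] = true; changed = true; }
        }
    }
    int count = 0;
    for (bool m : marked) if (m) ++count;
    return FixpointResult{passes, count};
}

// Constructed chain in program order: 0 -> 1 -> 2 -> ... -> length, with only structure 0
// marked at the start, so each transition's result is what the next one depends on.
FixpointResult chainFixpoint(int length, bool reverse) {
    std::vector<Transition> transitions;
    for (int i = 0; i < length; ++i) transitions.push_back(Transition{i, i + 1});
    std::vector<bool> marked(length + 1, false);
    marked[0] = true;
    return runFixpoint(transitions, marked, reverse);
}

int forwardPasses(int length) { return chainFixpoint(length, false).passes; }
int reversePasses(int length) { return chainFixpoint(length, true).passes; }
int markedCount(int length, bool reverse) { return chainFixpoint(length, reverse).markedCount; }

int main() {
    for (int length : {10, 100, 1000})
        std::printf("chain of %d: forward %d passes, reverse %d passes\n",
                    length, forwardPasses(length), reversePasses(length));
    return 0;
}
```

Both directions reach the same final marking; only the number of passes differs. In program order the chain converges in one pass plus one confirming pass, while the reverse order advances the mark by a single structure per pass, so the pass count grows with the length of the chain.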
17501
17502 2013-06-21 Filip Pizlo <fpizlo@apple.com>
17503
17504 fourthTier: DFG should CSE MakeRope
17505 https://bugs.webkit.org/show_bug.cgi?id=117905
17506
17507 Reviewed by Geoffrey Garen.
17508
17509 Adds MakeRope to the CSE phase and removes the comment that says that
17510 we could do it but aren't doing it.
17511
17512 Also fixed SpeculatedType dumping so that if you have a Cell type then
17513 it just prints "Cell" and if you just have Object then it just prints
17514 "Object", instead of printing the long list of types.
17515
17516 * bytecode/SpeculatedType.cpp:
17517 (JSC::dumpSpeculation):
17518 * dfg/DFGCSEPhase.cpp:
17519 (JSC::DFG::CSEPhase::performNodeCSE):
17520
17521 2013-06-21 Filip Pizlo <fpizlo@apple.com>
17522
17523 fourthTier: DFG shouldn't exit just because it GetByVal'd a big character
17524 https://bugs.webkit.org/show_bug.cgi?id=117899
17525
17526 Reviewed by Mark Hahnenberg.
17527
17528 Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
17529 Previously it would fail due to canExit() but now we can also fail because
17530 GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
17531 a very explicit way.
17532
17533 * dfg/DFGCSEPhase.cpp:
17534 (JSC::DFG::CSEPhase::putStructureStoreElimination):
17535 * dfg/DFGOperations.cpp:
17536 * dfg/DFGOperations.h:
17537 * dfg/DFGSpeculativeJIT.cpp:
17538 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17539 * dfg/DFGSpeculativeJIT.h:
17540 (JSC::DFG::SpeculativeJIT::callOperation):
17541 (SpeculativeJIT):
17542
17543 2013-06-21 Filip Pizlo <fpizlo@apple.com>
17544
17545 fourthTier: Small strings shouldn't get GC'd
17546 https://bugs.webkit.org/show_bug.cgi?id=117897
17547
17548 Reviewed by Mark Hahnenberg.
17549
17550 Kill off the code needed to allocate them lazily and finalize them.
17551
17552 * dfg/DFGSpeculativeJIT.cpp:
17553 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17554 * heap/Heap.cpp:
17555 (JSC::Heap::collect):
17556 * runtime/JSString.h:
17557 (JSC::jsSingleCharacterString):
17558 (JSC::jsSingleCharacterSubstring):
17559 (JSC::jsString):
17560 (JSC::jsSubstring8):
17561 (JSC::jsSubstring):
17562 (JSC::jsOwnedString):
17563 * runtime/NumberPrototype.cpp:
17564 (JSC::integerValueToString):
17565 * runtime/SmallStrings.cpp:
17566 (JSC):
17567 (JSC::SmallStrings::initializeCommonStrings):
17568 (JSC::SmallStrings::visitStrongReferences):
17569 * runtime/SmallStrings.h:
17570 (JSC::SmallStrings::singleCharacterString):
17571 (SmallStrings):
17572
2013-06-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: Structure should have a dump()
https://bugs.webkit.org/show_bug.cgi?id=117859

Reviewed by Geoffrey Garen.

This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
we now print a bunch of other info as well. For example, for an object literal
like "{f:42, g:64, h:24}", when we print the structure we'll now get:

0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]

This also changes a bunch of places to use the dump method.

* bytecode/StructureSet.h:
(JSC::StructureSet::dump):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::dump):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dump):
* runtime/Structure.cpp:
(JSC::Structure::dump):
(JSC):
* runtime/Structure.h:
(Structure):

2013-06-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: There should only be one table of SimpleJumpTables
https://bugs.webkit.org/show_bug.cgi?id=117856

Reviewed by Geoffrey Garen.

Having multiple tables of SimpleJumpTables just means we have to duplicate a
ton of code. This patch deduplicates all of it.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::shrinkToFit):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numberOfSwitchJumpTables):
(JSC::CodeBlock::addSwitchJumpTable):
(JSC::CodeBlock::switchJumpTable):
(JSC::CodeBlock::clearSwitchJumpTables):
(RareData):
* bytecode/PreciseJumpTargets.cpp:
(JSC):
(JSC::computePreciseJumpTargets):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::shrinkToFit):
(JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
(JSC::UnlinkedCodeBlock::addSwitchJumpTable):
(JSC::UnlinkedCodeBlock::switchJumpTable):
(RareData):
* bytecompiler/BytecodeGenerator.cpp:
(JSC):
(JSC::prepareJumpTableForSwitch):
(JSC::BytecodeGenerator::endSwitch):
* dfg/DFGByteCodeParser.cpp:
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JITCompiler):
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(DFG):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

2013-06-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL should clear character switch jump tables
https://bugs.webkit.org/show_bug.cgi?id=117852

Reviewed by Sam Weinig.

The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
jump tables as needed.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::clearCharacterSwitchJumpTables):
* ftl/FTLLink.cpp:
(JSC::FTL::link):

2013-06-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL should support SwitchChar
https://bugs.webkit.org/show_bug.cgi?id=117849

Reviewed by Geoffrey Garen.

This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
support for calling slow paths, and we avoided adding coverage that would require
that. Well, this patch adds the ability to call slow paths and just uses that for
resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
so I did that, too.

* bytecode/CodeBlock.h:
(CodeBlock):
(JSC::CodeBlock::addCodeOrigin):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGNode.cpp:
(WTF):
(WTF::printInternal):
* dfg/DFGNode.h:
(WTF):
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* ftl/FTLAbbreviations.h:
(JSC::FTL::int16Type):
(JSC::FTL::constInt):
* ftl/FTLAbstractHeapRepository.h:
(FTL):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
* ftl/FTLCommonValues.h:
(CommonValues):
* ftl/FTLIntrinsicRepository.cpp:
(JSC::FTL::IntrinsicRepository::IntrinsicRepository):
(FTL):
* ftl/FTLIntrinsicRepository.h:
(FTL):
(IntrinsicRepository):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
(JSC::FTL::LowerDFGToLLVM::compileJump):
(JSC::FTL::LowerDFGToLLVM::compileBranch):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::buildSwitch):
(LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lowString):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::isObject):
(JSC::FTL::LowerDFGToLLVM::isNotString):
(JSC::FTL::LowerDFGToLLVM::isString):
(JSC::FTL::LowerDFGToLLVM::isNotObject):
(JSC::FTL::LowerDFGToLLVM::speculateObject):
(JSC::FTL::LowerDFGToLLVM::speculateString):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
(JSC::FTL::LowerDFGToLLVM::vmCall):
(JSC::FTL::LowerDFGToLLVM::callPreflight):
(JSC::FTL::LowerDFGToLLVM::callCheck):
(JSC::FTL::LowerDFGToLLVM::lowBlock):
* ftl/FTLOutput.h:
(JSC::FTL::Output::constBool):
(JSC::FTL::Output::constInt8):
(JSC::FTL::Output::constInt32):
(JSC::FTL::Output::constIntPtr):
(JSC::FTL::Output::constInt64):
(JSC::FTL::Output::load16):
(JSC::FTL::Output::isNull):
(JSC::FTL::Output::notNull):
(JSC::FTL::Output::testIsZero32):
(JSC::FTL::Output::testNonZero32):
(Output):
(JSC::FTL::Output::operation):
(JSC::FTL::Output::crash):

2013-06-18 Filip Pizlo <fpizlo@apple.com>

fourthTier: DFG should have switch_char
https://bugs.webkit.org/show_bug.cgi?id=117710

Reviewed by Michael Saboff.

Add op_switch_char. Most of this is fairly simple, except for the whole
LazyJSValue thing.

It's long been the case that anytime you wanted the DFG to speak of a string
that didn't appear in the constant pool, you would have a hard time since
the DFG isn't allowed to allocate in the GC heap. For example, if you know
that you want to speak of a single character string, you might find that
the one you wanted to speak of had been GC'd. Another example is if you
wanted to add constant folding for string concatenation - something we don't
have yet but will want eventually.

I solve this by finally adding the notion of LazyJSValue. In the future I
anticipate using this for a variety of string-related things. The idea here
is that the DFG can either say that it already knows what the value is, or
it can describe the value. For example, in this patch I needed to be able to
describe single-character strings.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/JumpTable.h:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGPRInfo.h:
(JSC::DFG::JSValueRegs::payloadGPR):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::jumpTable):
(DFG):
(JSC::DFG::JITCompiler::numberOfJumpTables):
(JSC::DFG::JITCompiler::linkSwitches):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JITCompiler):
* dfg/DFGLazyJSValue.cpp: Added.
(DFG):
(JSC::DFG::LazyJSValue::getValue):
(JSC::DFG::equalToSingleCharacter):
(JSC::DFG::LazyJSValue::strictEqual):
(JSC::DFG::LazyJSValue::dump):
* dfg/DFGLazyJSValue.h: Added.
(DFG):
(LazyJSValue):
(JSC::DFG::LazyJSValue::LazyJSValue):
(JSC::DFG::LazyJSValue::singleCharacterString):
(JSC::DFG::LazyJSValue::tryGetValue):
(JSC::DFG::LazyJSValue::value):
(JSC::DFG::LazyJSValue::character):
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGNode.h:
(JSC::DFG::SwitchCase::SwitchCase):
(SwitchCase):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
(DFG):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::emitSwitch):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):

2013-06-19 Mark Hahnenberg <mhahnenberg@apple.com>

Refactor ObjCCallbackFunction to inherit directly from InternalFunction
https://bugs.webkit.org/show_bug.cgi?id=117595

Reviewed by Geoffrey Garen.

* API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and
ObjCCallbackFunction to share their host call() implementation through the magic of
templates.
(JSC::APICallbackFunction::call):
* API/JSCallbackFunction.cpp:
(JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of
the host function.
* API/JSCallbackFunction.h:
* API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction.
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunction::ObjCCallbackFunction):
(JSC::ObjCCallbackFunction::getCallData): Ditto.
* GNUmakefile.list.am: Build files!
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:

2013-06-19 Michael Saboff <msaboff@apple.com>

fourthTier: Arity fixup should be done while on same stack
https://bugs.webkit.org/show_bug.cgi?id=117102

Reviewed by Oliver Hunt.

Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to
a thunk for the JITs and as assembly for the llint. This patch provides the plumbing needed to
move to the C stack for JS execution. The fixup thunk and llint code would need to be changed to
work with a stack that grows down when we do move to the C stack.

Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm
and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm. The problem is that a const defined in
one file that is used in a macro doesn't resolve the const if the macro is used in another file. This
seemed like the quickest path.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGJITCompiler.h:
(JITCompiler):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* jit/JITStubs.h:
* jit/ThunkGenerators.cpp:
(JSC::arityFixup):
* jit/ThunkGenerators.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor):

2013-06-19 Michael Saboff <msaboff@apple.com>

FTL: arm build is broken in ToT
https://bugs.webkit.org/show_bug.cgi?id=117800

Unreviewed build fixes.

* assembler/ARMv7Assembler.h:
(ARMv7Assembler): Merge of r147941
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used.

2013-06-17 Michael Saboff <msaboff@apple.com>

FTL: Add another temp register regT4 to JSInterfaceJIT
https://bugs.webkit.org/show_bug.cgi?id=117719

Reviewed by Geoffrey Garen.

Made the dedicated bucketCounterRegister regT4 and then used regT4 wherever
bucketCounterRegister had been used. Since it is masked whenever it is used and
we are looking for some randomness in the register anyway, we can use it without
any issues.

* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JIT.h:
(JSC::JIT::emitValueProfilingSite):
* jit/JITCall.cpp:
(JSC::JIT::emitPutCallResult):
* jit/JITCall32_64.cpp:
(JSC::JIT::emitPutCallResult):
* jit/JITInlines.h:
(JSC::JIT::emitValueProfilingSite):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emit_op_get_callee):
(JSC::JIT::emit_op_get_argument_by_val):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_callee):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emit_op_get_argument_by_val):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITStubCall.h:
(JSC::JITStubCall::callWithValueProfiling):
* jit/JSInterfaceJIT.h:
(JSInterfaceJIT):

2013-06-17 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL should support Switch
https://bugs.webkit.org/show_bug.cgi?id=117704

Reviewed by Oliver Hunt.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::clearImmediateSwitchJumpTables):
* ftl/FTLAbbreviations.h:
(JSC::FTL::buildFPToSI):
(JSC::FTL::buildSwitch):
(JSC::FTL::addCase):
(FTL):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(LowerDFGToLLVM):
* ftl/FTLOutput.h:
(JSC::FTL::Output::fpToInt):
(JSC::FTL::Output::fpToInt32):
(Output):
(JSC::FTL::Output::switchInstruction):
* ftl/FTLSwitchCase.h: Added.
(FTL):
(SwitchCase):
(JSC::FTL::SwitchCase::SwitchCase):
(JSC::FTL::SwitchCase::value):
(JSC::FTL::SwitchCase::target):

2013-06-15 Filip Pizlo <fpizlo@apple.com>

fourthTier: Add CFG simplification for Switch
https://bugs.webkit.org/show_bug.cgi?id=117677

Reviewed by Mark Hahnenberg.

This is for completeness. It only speeds up a microbenchmark at this point.
Broadly, we want all control constructs to be known to the CFG simplifier.

* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
(JSC::DFG::CFGSimplificationPhase::convertToJump):
(CFGSimplificationPhase):
(JSC::DFG::CFGSimplificationPhase::noBlocks):
(JSC::DFG::CFGSimplificationPhase::oneBlock):
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* runtime/JSCJSValue.h:
(JSValue):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::pureStrictEqual):
(JSC):

2013-06-13 Filip Pizlo <fpizlo@apple.com>

fourthTier: DFG should support op_switch_imm
https://bugs.webkit.org/show_bug.cgi?id=117559

Reviewed by Oliver Hunt.

Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
threshold for using op_switch.

Also get rid of edge code support, since we haven't used it in the year since
I introduced it. It was supposed to allow us to break critical edges late in
the backend, thus enabling global register allocation from an SSA-form graph.
But we aren't doing that so I figure we should just kill the code for now. It
would have made implementing switch harder.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::timesPtr):
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::dumpWithName):
(MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::dump):
(MacroAssemblerCodeRef):
(JSC::MacroAssemblerCodeRef::dump):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::shrinkToFit):
* bytecode/JumpTable.h:
(SimpleJumpTable):
(JSC::SimpleJumpTable::clear):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
(JSC::DFG::AbstractState::mergeToSuccessors):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGCommon.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::determineReachability):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::JITCompiler):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JITCompiler):
(JSC::DFG::JITCompiler::blockHeads):
* dfg/DFGNode.h:
(DFG):
(JSC::DFG::SwitchCase::SwitchCase):
(SwitchCase):
(SwitchData):
(JSC::DFG::SwitchData::SwitchData):
(Node):
(JSC::DFG::Node::isSwitch):
(JSC::DFG::Node::isTerminal):
(JSC::DFG::Node::switchData):
(JSC::DFG::Node::numSuccessors):
(JSC::DFG::Node::successor):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::createOSREntries):
(JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
(DFG):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitch):
(JSC::DFG::SpeculativeJIT::linkBranches):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::branchDouble):
(JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
(JSC::DFG::SpeculativeJIT::branch32):
(JSC::DFG::SpeculativeJIT::branchTest32):
(JSC::DFG::SpeculativeJIT::branch64):
(JSC::DFG::SpeculativeJIT::branchPtr):
(JSC::DFG::SpeculativeJIT::branchTestPtr):
(JSC::DFG::SpeculativeJIT::branchTest8):
(JSC::DFG::SpeculativeJIT::jump):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* parser/Nodes.h:
(CaseBlockNode):

2013-06-15 Filip Pizlo <fpizlo@apple.com>

Concurrent JIT shouldn't try to recompute the CodeBlockHash as part of debug dumps, since doing so may fail if dealing with a CachedScript that doesn't have its script string handy
https://bugs.webkit.org/show_bug.cgi?id=117676

Reviewed by Sam Weinig.

CodeBlock now caches m_hash, and the DFG Driver will force its computation if we're doing debug dumps of any kind.

Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the
initialization of m_capabilityLevelState.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::hash):
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(CodeBlock):
* bytecode/CodeBlockHash.cpp:
(JSC::CodeBlockHash::CodeBlockHash):
* bytecode/CodeBlockHash.h:
(CodeBlockHash):
(JSC::CodeBlockHash::isSet):
(JSC::CodeBlockHash::operator!):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):

2013-06-11 Filip Pizlo <fpizlo@apple.com>

fourthTier: DFG should support op_in and it should use patching to make it fast
https://bugs.webkit.org/show_bug.cgi?id=117385

Reviewed by Geoffrey Garen.

Implement op_in in the DFG and give it patching. The code we generate is just
a jump on the hot path, and the slow paths generate stubs and link the jump to
them. I didn't want to bother with patching structures and load offsets and
the like, although I probably could have.

This is a ginormous speed-up on microbenchmarks for "in", obviously.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpAssumingJITType):
(JSC::CodeBlock::resetStubInternal):
(JSC::structureStubInfoLessThan):
(JSC):
(JSC::CodeBlock::sortStructureStubInfos):
* bytecode/CodeBlock.h:
(CodeBlock):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::isInAccess):
(JSC):
(StructureStubInfo):
(JSC::StructureStubInfo::initInList):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCCallHelpers.h:
(JSC::DFG::CCallHelpers::setupResults):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGPRInfo.h:
(JSC::DFG::JSValueRegs::payloadOnly):
(JSValueRegs):
(JSC::DFG::JSValueRegs::JSValueRegs):
(JSC::DFG::JSValueRegs::operator!):
(JSC::DFG::JSValueSource::operator!):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::InRecord::InRecord):
(InRecord):
(DFG):
(JITCompiler):
(JSC::DFG::JITCompiler::addIn):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGRepatch.cpp:
(JSC::DFG::tryRepatchIn):
(DFG):
(JSC::DFG::dfgRepatchIn):
(JSC::DFG::dfgResetIn):
* dfg/DFGRepatch.h:
(DFG):
(JSC::DFG::dfgResetIn):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
(JSC::DFG::CallSlowPathGenerator::tearDown):
(JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal):
(JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal):
(JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal):
(JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal):
(JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal):
(JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(DFG):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::extractResult):
(DFG):
(SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
(JSC::DFG::JSValueOperand::tagGPR):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dump):
* runtime/JSString.h:
(JSString):
(JSC::JSString::tryGetValueImpl):
(JSC):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):

2013-06-12 Geoffrey Garen <ggaren@apple.com>

The Math object should not be polymorphic
https://bugs.webkit.org/show_bug.cgi?id=117576

Reviewed by Oliver Hunt.

Fill in the Math object eagerly, to avoid its structure changing during
execution. There are lots of ways to skin this cat; this one seemed
easiest, and justified given the relative hotness of math operations.

20% speedup on DSP-filtrr tests, small speedups on a few Kraken tests.

* DerivedSources.make:
* JavaScriptCore.order:
* create_hash_table:
* interpreter/CallFrame.h:
(JSC::ExecState::jsonTable): Removed the Math object's static table.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectNativeFunctionWithoutTransition):
* runtime/JSObject.h:
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
* runtime/MathObject.h:
(JSC::MathObject::create): Set up the Math object at construction time.

* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h: Removed the Math object's static table.

2013-06-09 Geoffrey Garen <ggaren@apple.com>

Unreviewed, rolled back in http://trac.webkit.org/changeset/151342.

I filled in the missing return register loads, and tests
seem to pass now.

    2013-06-07 Michael Saboff <msaboff@apple.com>

    fourthTier: The baseline jit and LLint should use common slow paths
    https://bugs.webkit.org/show_bug.cgi?id=116889

2013-06-07 Filip Pizlo <fpizlo@apple.com>

Unreviewed, roll out http://trac.webkit.org/changeset/151342
It broke Kraken crypto tests in debug build. That results in a pretty bad
loss of test coverage.

* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/JIT.cpp:
(JSC):
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
(JIT):
* jit/JITArithmetic.cpp:
(JSC::JIT::emitSlow_op_negate):
(JSC::JIT::emitSlow_op_lshift):
(JSC::JIT::emitSlow_op_rshift):
(JSC::JIT::emitSlow_op_urshift):
(JSC::JIT::emitSlow_op_bitand):
(JSC::JIT::emitSlow_op_inc):
(JSC::JIT::emitSlow_op_dec):
(JSC::JIT::emitSlow_op_mod):
(JSC::JIT::emit_op_mod):
(JSC::JIT::compileBinaryArithOpSlowCase):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitSlow_op_add):
(JSC::JIT::emitSlow_op_mul):
(JSC::JIT::emitSlow_op_div):
(JSC::JIT::emitSlow_op_sub):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emitSlow_op_negate):
(JSC::JIT::emitSlow_op_lshift):
(JSC::JIT::emitRightShiftSlowCase):
(JSC::JIT::emitSlow_op_bitand):
(JSC::JIT::emitSlow_op_bitor):
(JSC::JIT::emitSlow_op_bitxor):
(JSC::JIT::emitSlow_op_inc):
(JSC::JIT::emitSlow_op_dec):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitSlow_op_add):
(JSC::JIT::emitSlow_op_sub):
(JSC::JIT::emitSlow_op_mul):
(JSC::JIT::emitSlow_op_div):
(JSC::JIT::emit_op_mod):
(JSC::JIT::emitSlow_op_mod):
* jit/JITExceptions.cpp:
(JSC):
(JSC::genericThrow):
* jit/JITExceptions.h:
(ExceptionHandler):
(JSC):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_strcat):
(JSC::JIT::emitSlow_op_create_this):
(JSC::JIT::emitSlow_op_to_this):
(JSC::JIT::emitSlow_op_to_primitive):
(JSC::JIT::emitSlow_op_not):
(JSC::JIT::emitSlow_op_bitxor):
(JSC::JIT::emitSlow_op_bitor):
(JSC::JIT::emitSlow_op_stricteq):
(JSC::JIT::emitSlow_op_nstricteq):
(JSC::JIT::emitSlow_op_to_number):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
(JSC::JIT::emitSlow_op_to_primitive):
(JSC::JIT::emit_op_strcat):
(JSC::JIT::emitSlow_op_not):
(JSC::JIT::emitSlow_op_stricteq):
(JSC::JIT::emitSlow_op_nstricteq):
(JSC::JIT::emitSlow_op_to_number):
(JSC::JIT::emit_op_create_arguments):
(JSC::JIT::emitSlow_op_create_this):
(JSC::JIT::emitSlow_op_to_this):
(JSC::JIT::emitSlow_op_get_argument_by_val):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
(JSC):
* jit/JITStubs.h:
(JSC):
* jit/JITStubsARM.h:
(JSC):
* jit/JITStubsARMv7.h:
(JSC):
* jit/JITStubsMIPS.h:
(JSC):
* jit/JITStubsSH4.h:
(JSC):
* jit/JITStubsX86.h:
(JSC):
* jit/JITStubsX86_64.h:
(JSC):
* jit/JSInterfaceJIT.h:
(JSInterfaceJIT):
* jit/SlowPathCall.h: Removed.
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(LLInt):
* llint/LLIntSlowPaths.h:
(LLInt):
(SlowPathReturnType):
(JSC::LLInt::encodeResult):
(JSC::LLInt::decodeResult):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp: Removed.
* runtime/CommonSlowPaths.h:
* runtime/JSCJSValue.h:
(JSValue):

2013-06-07  Michael Saboff  <msaboff@apple.com>

        fourthTier: The baseline jit and LLint should use common slow paths
        https://bugs.webkit.org/show_bug.cgi?id=116889

        Reviewed by Filip Pizlo.

        Moved the llint_slow_paths that return JSValue along with several others to CommonSlowPaths.cpp.
        Eliminated the related JIT stubs. Changes the baseline JIT to call these new common stubs.
        Added a simple slow path call class that uses argument registers or the stack instead of
        JITStackFrame. Changes the exception mechanism to check for an exception after making
        a slowpath call instead of returning to the handler directly from the slowpath function.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITExceptions.cpp:
        (JSC::getExceptionLocation):
        (JSC::genericThrow):
        (JSC::jitThrowNew):
        * jit/JITExceptions.h:
        (ExceptionHandler):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * jit/SlowPathCall.h: Added.
        (JITSlowPathCall):
        (JSC::JITSlowPathCall::JITSlowPathCall):
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp: Added.
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (SlowPathReturnType):
        (JSC::encodeResult):
        (JSC::decodeResult):
        * runtime/JSCJSValue.h:
        (JSValue):

2013-06-11  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in <http://trac.webkit.org/changeset/151363>.

        Rubber stamped by Phil Pizlo.

        The ASSERTs were due to the bytecode parser performing a
        StructureTransitionWatchpoint optimization in a case where the CFA
        wouldn't because the CFA could prove that the watchpoint would contradict
        a preceding CheckStructure.

        I fixed this by removing the bytecode parser optimization: now, we fully
        rely on CFA and constant folding to optimize structure checks when
        possible.

        I verified that there's no performance change vs doing the optimization
        in the bytecode parser. (The optimization is very simple, so this is not
        surprising.)

2013-06-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        isContravenedByStructure is backwards
        https://bugs.webkit.org/show_bug.cgi?id=117366

        We should be checking if arrayModeForStructure(structure) is a
        subset of arrayModesThatPassFiltering(), not the other way around.
        Also renamed isContravenedByStructure to better reflect what the
        function is trying to determine.

        Rubber stamped by Filip Pizlo.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode):
        (JSC::DFG::ArrayTypeCheck::isContravenedByValue):

2013-06-11  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Type check hoisting phase has a dead if statement
        https://bugs.webkit.org/show_bug.cgi?id=117510

        Reviewed by Geoffrey Garen.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):

2013-06-10  Mark Lam  <mark.lam@apple.com>

        Introducing the StackIterator class.
        https://bugs.webkit.org/show_bug.cgi?id=117390.

        Reviewed by Geoffrey Garen.

        The StackIterator class is meant to unify the way we iterate the JS
        stack. It also makes it so that we don't have to copy the frame data
        into the intermediate StackFrame struct before processing it.
        Unfortunately we still can't get rid of StackFrame because it is used
        to record frame information for the Exception stack that is expected
        to persist beyond when the frames have been popped off the JS stack.

        The StackIterator will iterate over all "logical" frames (i.e. including
        inlined frames). As it iterates the JS stack, if it encounters a DFG
        frame that has inlined frames, the iterator will canonicalize the
        inlined frames before returning. Once canonicalized, the frame can be
        read like any other frame.

        The StackIterator implements a Frame class that inherits from CallFrame.
        The StackIterator::Frame serves as reader of the CallFrame that makes
        it easier to access information about the frame. The StackIterator::Frame
        only adds functions, and no additional data fields.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::begin):
        (JSC::CallFrame::beginAt):
        * interpreter/CallFrame.h:
        (JSC::ExecState::setInlineCallFrame):
        (ExecState):
        (JSC::ExecState::end):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::debug):
        * interpreter/Interpreter.h:
        (Interpreter):
        * interpreter/StackIterator.cpp: Added.
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::beginAt):
        (JSC::StackIterator::gotoNextFrame):
        - Based on the deleted Interpreter::findFunctionCallFrameFromVMCode().
        (JSC::StackIterator::findFrameForFunction):
        - Based on the deleted Interpreter::retrieveCallerFromVMCode().
        (JSC::StackIterator::Frame::codeType):
        - Based on the deleted getStackFrameCodeType().
        (JSC::StackIterator::Frame::functionName):
        - Based on StackFrame::friendlyFunctionName().
        (JSC::StackIterator::Frame::sourceURL):
        - Based on StackFrame::friendlySourceURL().
        (JSC::StackIterator::Frame::toString):
        - Based on StackFrame::toString().
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::line):
        - Based on StackFrame::line().
        (JSC::StackIterator::Frame::column):
        - Based on StackFrame::column().
        (JSC::StackIterator::Frame::arguments):
        - Based on the deleted Interpreter::retrieveArgumentsFromVMCode().
        (JSC::StackIterator::Frame::retrieveExpressionInfo):
        - Based on StackFrame::expressionInfo().
        (JSC::StackIterator::Frame::logicalFrame):
        - Based on the now deleted CallFrame::trueCallFrame().
        (JSC::StackIterator::Frame::logicalCallerFrame):
        - Based on the now deleted CallFrame::trueCallerFrame().
        (JSC::jitTypeName):
        (JSC::printIndents):
        (JSC::printif):
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        - Prints the contents of the frame for debugging purposes.
          There are 2 versions that can be used as follows:

          1. When you have a valid StackIterator, you can print
             the current frame's content using the print instance
             method:
                 iter->print(indentLevel);

          2. When you have a CallFrame* that you want to dump from a debugger
             console, you can print its content as follows:
                 (gdb) call debugPrintCallFrame(callFrame)

          A sample of the output looks like this:

            frame 0x1510c70b0 {
               name 'shouldBe'
               sourceURL 'testapi.js'
               hostFlag 0
               isInlinedFrame 0
               callee 0x15154efb0
               returnPC 0x10ed0786d
               callerFrame 0x1510c7058
               logicalCallerFrame 0x1510c7058
               rawLocationBits 27 0x1b
               codeBlock 0x7fe79b037200
               bytecodeOffset 27 0x1b / 210
               line 46
               column 20
               jitType 3 <BaselineJIT> isOptimizingJIT 0
               hasCodeOrigins 0
            }

        * interpreter/StackIterator.h: Added.
        (StackIterator::Frame):
        (JSC::StackIterator::Frame::create):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::callFrame):
        * interpreter/StackIteratorPrivate.h: Added.
        (StackIterator):
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator==):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::empty):
        * jsc.cpp:
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * profiler/ProfileNode.h:
        (ProfileNode):
        * runtime/JSFunction.cpp:
        (JSC::retrieveArguments):
        (JSC::JSFunction::argumentsGetter):
        (JSC::skipOverBoundFunctions):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Operations.h:

2013-06-09  Filip Pizlo  <fpizlo@apple.com>

        Merge trunk r146653.

    2013-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG folding of PutById to SimpleReplace should consider the specialized function case
        https://bugs.webkit.org/show_bug.cgi?id=113093

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2013-06-09  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists
        https://bugs.webkit.org/show_bug.cgi?id=117377

        Reviewed by Geoffrey Garen.

        Previously if you did self accesses and then wanted to do a prototype access, you'd
        have a bad time: the prototype accesses would be forced to take slow path because
        the self list wouldn't allow prototype accesses. Likewise if you did prototype (or
        chain) accesses and then wanted to do a self access, similar stupidity would ensue.

        This fixes the stupidity.

        I believe that this was introduced way back in the days of the old interpreter,
        where distinguishing between self lists, proto lists, and chain lists was meaningful
        for interpreter performance: it meant fewer branches to evaluate those lists. Then
        it got mostly carried over to the old JIT since the old JIT was just initially an
        optimized version of the old interpreter, and then later it got carried over to the
        DFG because I didn't know any better at the time. Now I do know better and I'm
        fixing it.

        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelfList):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::getPolymorphicStructureList):
        (DFG):
        (JSC::DFG::patchJumpToGetByIdStub):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::dfgBuildGetByIDList):

2013-06-09  Mark Lam  <mark.lam@apple.com>

        Fix broken no-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=117381.

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGJITCode.cpp:
        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * heap/DFGCodeBlocks.cpp:
        (JSC::DFGCodeBlocks::jettison):
        * interpreter/CallFrame.h:
        (ExecState):
        (JSC::ExecState::trueCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        * runtime/ExecutionHarness.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2013-06-08  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Recursive deadlock in DFG::ByteCodeParser
        https://bugs.webkit.org/show_bug.cgi?id=117376

        Reviewed by Mark Hahnenberg.

        Leave the lock early to prevent a deadlock beneath get().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-06-08  Mark Lam  <mark.lam@apple.com>

        Removed bogus assertion in CallFrame::setLocationAsBytecodeOffset().
        https://bugs.webkit.org/show_bug.cgi?id=117373.

        Reviewed by Oliver Hunt.

        The assertion wrongly assumes that the incoming offset argument is in
        units of bytes. This is not true. It is in units of Instruction*. Hence,
        the assertion which checks for the low 2 bits to be clear can fail.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::setLocationAsBytecodeOffset):

2013-06-07  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: don't insert ForceOSRExits except for inadequate coverage
        https://bugs.webkit.org/show_bug.cgi?id=117363

        Reviewed by Mark Hahnenberg.

        Previously (in http://trac.webkit.org/changeset/151303) I made it so that we
        inserted ForceOSRExits more eagerly. I now think it's better to have
        contradictions execute normally and exit with full OSR exit profiling. It's
        better at catching the few cases where the DFG will end up with different
        types than the baseline engines.

        This simplifies a bunch of code. For example it gets rid of
        ConstantFoldingPhase::paintUnreachableCode().

        You can think of this as a partial roll-out of r151303, except that it uses
        the facilities introduced by that patch to give us run-time assertions that
        check the CFA's correctness: if the CFA thought that something was a
        contradiction but the code didn't exit, we'll now trap.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::filter):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        (DFG):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        (JSC::DFG::AbstractState::filter):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2013-06-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix release build.

        * ftl/FTLLink.cpp:

2013-06-06  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Reenable the DFG optimization fixpoint now that it's profitable to do so with concurrent compilation
        https://bugs.webkit.org/show_bug.cgi?id=117331

        Rubber stamped by Sam Weinig.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG CFA should know when it hits a contradiction
        https://bugs.webkit.org/show_bug.cgi?id=117272

        Reviewed by Oliver Hunt.

        This makes the DFG CFA immediately detect when it hit a contradiction. Previously
        we might not know this: for example if we did an int32 type check on a known string;
        the code would definitely always exit but the CFA would think that we wouldn't have
        even though it would have computed a BOTTOM (i.e. contradictory) value for that
        variable.

        This requires two other changes:

        - CFA must report contradictions as if they are frequent exit sites, since
          contradictory speculations will subsequently get replaced with ForceOSRExit.
          ForceOSRExit cannot itself report profiling data back to the DFG::ExitProfile. So,
          we do this on behalf of the speculation, eagerly, within the CFA. This also has
          the effect of speeding convergence somewhat. We may want to revisit this later;
          for example we might want to instead have the notion of a ForceOSRExit that knows
          the set of speculations that got folded into it.

        - This revealed a bug where the CFA was modeling CheckStructure on a node that had
          a known singleton m_futurePossibleStructure set somewhat differently than the
          constant folder. If the CheckStructure was checking a structure set with two or
          more structures in it, it would not filter the abstract value. But the constant
          folder would turn this into a watchpoint on the singleton structure, thereby
          filtering the value. This discrepancy meant that we wouldn't realize the
          contradiction until the backend, and the AbstractState::bail() method asserts that
          we always realize contradictions in the constant folder.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::hasExitSite):
        (CodeBlock):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::ExitProfile::hasExitSite):
        (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
        (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
        (DFG):
        (JSC::DFG::QueryableExitProfile::initialize):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (ExitProfile):
        (JSC::DFG::ExitProfile::hasExitSite):
        (QueryableExitProfile):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::filter):
        (DFG):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        (JSC::DFG::AbstractState::bail):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        (JSC::DFG::AbstractState::filter):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::filterArrayModes):
        (DFG):
        (JSC::DFG::AbstractValue::filterByValue):
        (JSC::DFG::AbstractValue::normalizeClarity):
        * dfg/DFGAbstractValue.h:
        (AbstractValue):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGFiltrationResult.h: Added.
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::bail):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):

2013-06-07  Mark Lam  <mark.lam@apple.com>

        32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset.
        https://bugs.webkit.org/show_bug.cgi?id=117327.

        Reviewed by Michael Saboff.

        - Renamed CallFrame::Location's Type to TypeTag.
        - Made the CallFrame::Location::TypeTag private, and provided type
          specific encoder functions. This reduces verbosity in client code.
        - Fixed the DFG's reifyInlinedCallFrames() on 32-bit ports to store a
          bytecode Instruction* in the CallFrame location instead of a bytecode
          offset.
        - Fixed places in JIT and FTL code which populate the CallFrame location
          (i.e. ArgumentCount tag) to use a Location encoder instead of storing
          the bytecodeOffset directly. This doesn't make any semantic difference,
          but it does assert that the stored value does not have bits where we
          would expect Location TypeTags to be.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        * interpreter/CallFrame.h:
        (Location):
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::Location::encodeAsBytecodeOffset):
        (JSC::CallFrame::Location::encodeAsBytecodeInstruction):
        (JSC::CallFrame::Location::encodeAsCodeOriginIndex):
        (JSC::CallFrame::Location::encodeAsInlinedCode):
        (JSC::CallFrame::Location::isBytecodeLocation):
        (JSC::CallFrame::setIsInlinedFrame):
        (JSC::CallFrame::hasLocationAsBytecodeOffset):
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::updateTopCallFrame):

2013-06-06  Mark Lam  <mark.lam@apple.com>

        Encode CallFrame::Location flags in the low bits when USE(JSVALUE32_64).
        https://bugs.webkit.org/show_bug.cgi?id=117312.

        Reviewed by Michael Saboff.

        For USE(JSVALUE32_64), we store the location flags in the low 2 bits of
        the word because we need the high bits for address bits.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        * interpreter/CallFrame.h:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::Location::encode):
        (JSC::CallFrame::Location::decode):
        (JSC::CallFrame::Location::isCodeOriginIndex):
        (JSC::CallFrame::Location::isInlinedCode):

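The three CallFrame::Location entries above (flags in the low 2 bits on 32-bit, storing an Instruction* rather than a bytecode offset there, and the removed low-2-bits assertion) describe one tagging scheme. The following C++ model is an added illustration, not JavaScriptCore's code: it keeps a 2-bit type tag in the low bits of the location word, which only works for a payload whose low bits are known free. A 4-byte-aligned Instruction* qualifies; a bytecode offset, which is an index in units of Instruction* (27 = 0x1b in the sample debugPrintCallFrame output above), does not, so it must be turned into a pointer first or shifted above the tag. The `Model` namespace, the `TypeTag` values, the `Instruction` stand-in and the helper names are assumptions for this example; the real `TypeTag` enum is private to JSC's `CallFrame::Location`.

```cpp
// Added illustration, not JavaScriptCore's code: a model of a CallFrame
// location word with a 2-bit type tag in its low bits (the 32-bit scheme).
// All names here (Model, TypeTag values, Instruction) are assumptions.
#include <cassert>
#include <cstdint>
#include <cstdio>

namespace Model {

// Stand-in for one bytecode Instruction slot: 4 bytes wide, 4-byte aligned,
// so every Instruction* has its low 2 bits clear and those bits can hold a tag.
struct Instruction { uint32_t opcodeAndOperand; };
static_assert(alignof(Instruction) >= 4, "low 2 bits of an Instruction* must be free");

constexpr uintptr_t kTagMask = 0x3;

// Hypothetical tag values (the real enum and its values are JSC-private).
enum class TypeTag : uintptr_t {
    BytecodeInstruction = 0,  // word holds an Instruction*
    CodeOriginIndex = 1,      // word holds an index into the CodeOrigin table
    InlinedCode = 2,          // frame was reified from an inlined frame
};

struct Location {
    uintptr_t bits;

    // A pointer payload: its low 2 bits are free, so the tag is OR'ed in.
    // The assertion is the check the 2013-06-07 entry says the encoders perform.
    static Location encodeAsBytecodeInstruction(const Instruction* pc) {
        uintptr_t raw = reinterpret_cast<uintptr_t>(pc);
        assert((raw & kTagMask) == 0 && "pointer carries bits where the tag lives");
        return Location{ raw | static_cast<uintptr_t>(TypeTag::BytecodeInstruction) };
    }

    // An index payload has no free low bits, so it is shifted above the tag.
    static Location encodeAsCodeOriginIndex(uint32_t index) {
        return Location{ (static_cast<uintptr_t>(index) << 2)
                         | static_cast<uintptr_t>(TypeTag::CodeOriginIndex) };
    }

    TypeTag tag() const { return static_cast<TypeTag>(bits & kTagMask); }
    bool isBytecodeLocation() const { return tag() == TypeTag::BytecodeInstruction; }
    bool isCodeOriginIndex() const { return tag() == TypeTag::CodeOriginIndex; }
    const Instruction* instruction() const {
        return reinterpret_cast<const Instruction*>(bits & ~kTagMask);
    }
    uint32_t codeOriginIndex() const { return static_cast<uint32_t>(bits >> 2); }
};

// A bytecode offset counts Instruction* slots, not bytes. The removed assertion
// required (offset & 3) == 0, which a legitimate offset such as 27 violates.
bool offsetLowBitsClear(uint32_t bytecodeOffset) { return (bytecodeOffset & kTagMask) == 0; }

// Converting the offset to an Instruction* first gives a payload whose low bits
// are free; decoding maps the tagged word back to the same offset.
uint32_t roundTripOffset(const Instruction* codeStart, uint32_t bytecodeOffset) {
    Location loc = Location::encodeAsBytecodeInstruction(codeStart + bytecodeOffset);
    assert(loc.isBytecodeLocation());
    return static_cast<uint32_t>(loc.instruction() - codeStart);
}

// Same round trip over a constructed 64-slot sample bytecode stream.
uint32_t roundTripSampleOffset(uint32_t bytecodeOffset) {
    static Instruction code[64] = {};
    assert(bytecodeOffset < 64);
    return roundTripOffset(code, bytecodeOffset);
}

} // namespace Model

int main() {
    using namespace Model;
    std::printf("offsetLowBitsClear(27)    = %d\n", offsetLowBitsClear(27));     // 0
    std::printf("roundTripSampleOffset(27) = %u\n", roundTripSampleOffset(27));  // 27
    Location coi = Location::encodeAsCodeOriginIndex(5);
    std::printf("codeOriginIndex 5: tagged=%d index=%u\n", coi.isCodeOriginIndex(), coi.codeOriginIndex());
    return 0;
}
```

The point the model makes is the one behind the 2013-06-08 fix: an alignment-style check on the low bits is only valid for the pointer form of the location, never for the raw offset.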
2013-06-06  Mark Lam  <mark.lam@apple.com>

        CallFrame::trueCallFrame() should populate the bytecodeOffset field
        when reifying inlined frames.
        https://bugs.webkit.org/show_bug.cgi?id=117209.

        Reviewed by Geoffrey Garen.

        When reifying an inlined frame, we fill in its CodeBlock, and
        bytecodeOffset. We also set the InlinedFrame bit in the location field.
        This is needed in order to iterate the stack correctly. Here's why:

        Let's say we have the following stack trace:
            X calls A inlines B inlines C calls D

        Based on the above scenario,
        1. D's callerFrame points to A (not C).
        2. A has a codeOriginIndex that points to C.

        When iterating the stack (from D back towards X), we will encounter A
        twice:

        t1. when trying to find C as D's caller.
            This is the time when we reify B and C using the
            codeOriginIndex in A, and return C as the caller frame of D.

        t2. when getting the reified B's caller.
            This time, we don't run the reification process, and
            just take A as the caller frame of B.

        To discern which treatment of the DFG frame (i.e. A) we need to apply,
        we check if the callee is an inlined frame:

        If callee is NOT an inlined frame (e.g. frame D), apply treatment t1.
        If callee is an inlined frame (e.g. frame B), apply treatment t2.

        Why not just reify A by replacing its codeOriginIndex with A's
        bytecodeOffset?

        We can't do this because D's callerFrame pointer still points to A, and
        needs to remain that way because we did not deopt A. It remains a DFG
        frame which inlined B and C.

        If we replace the codeOriginIndex in A with A's bytecodeOffset, we will
        only get to iterate the stack correctly once. If we try to iterate the
        stack a second time, we will not have the information from the
        codeOriginIndex to tell us that D's caller is actually the inlined C,
        and not A.

        To recap, when reifying frames for stack iteration purposes, the DFG
        frame needs to hold on to its codeOriginIndex. This in turn means the
        DFG frame will need to be treated in 2 possible ways, and we need to
        know if a callee frame is an inlined frame in order to choose the
        correct treatment for the DFG frame.

        Other changes:
        - Simplified Interpreter::getCallerInfo().
        - Removed CodeBlock::codeOriginForReturn() and supporting code
          which is now unneeded.
        - Moved CallFrame location bit encoding from the CodeOrigin to the
          new CallFrame::Location class.
        - Explicitly tagged inlined frames. This is necessary in order to
          iterate the stack correctly as explained above.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOrigins):
        (CodeBlock):
        (JSC::CodeBlock::codeOrigin):
        (RareData):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):
        (JSC::CallFrame::trueCallerFrame):
        (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
        * interpreter/CallFrame.h:
        (Location):
        (ExecState):
        (JSC::ExecState::trueCallerFrame):
        (JSC::ExecState::callerFrameNoFlags):
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::Location::encode):
        (JSC::CallFrame::Location::decode):
        (JSC::CallFrame::Location::isBytecodeOffset):
        (JSC::CallFrame::Location::isCodeOriginIndex):
        (JSC::CallFrame::Location::isInlinedFrame):
        (JSC::CallFrame::isInlinedFrame):
        (JSC::CallFrame::setIsInlinedFrame):
        (JSC::CallFrame::hasLocationAsBytecodeOffset):
        (JSC::CallFrame::hasLocationAsCodeOriginIndex):
        (JSC::CallFrame::locationAsBytecodeOffset):
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        (JSC::CallFrame::locationAsCodeOriginIndex):
        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::findFunctionCallFrameFromVMCode):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):

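The two-treatment walk described in the entry above, as an added C++ illustration that is not JavaScriptCore's code. It models the physical stack X, A, D where A is an optimized frame that inlined B, which inlined C, and walks it from D back to X: treatment t1 (reify C and B from A's codeOriginIndex) applies when the callee is a real frame whose physical caller carries a codeOriginIndex, treatment t2 (just follow the caller pointer) when the callee is itself a reified inlined frame. It also walks a second time to show why A must keep its codeOriginIndex, and what is lost if that index is overwritten after the first walk. The `Frame` and `CodeOrigin` fields, the `StackWalker` class and the sample function names are assumptions for the example, not JSC's types.

```cpp
// Added illustration, not JavaScriptCore's code: a toy model of iterating a JS
// stack whose optimized frame A inlined B, which inlined C. All types and field
// names here (Model, Frame, CodeOrigin, StackWalker) are assumptions.
#include <cassert>
#include <cstdio>
#include <deque>
#include <string>
#include <utility>
#include <vector>

namespace Model {

// One entry of an optimized frame's code-origin table: which inlined function
// is executing, and the index of the origin that inlined it (-1 = the frame itself).
struct CodeOrigin {
    std::string function;
    int inlineCaller;
};

struct Frame {
    explicit Frame(std::string frameName = std::string()) : name(std::move(frameName)) {}
    std::string name;
    Frame* callerFrame = nullptr;                          // physical caller: D points at A, never at C
    bool isInlinedFrame = false;                           // the explicit tag set when a frame is reified
    int codeOriginIndex = -1;                              // -1: location is a plain bytecode offset
    const std::vector<CodeOrigin>* codeOrigins = nullptr;  // only the optimized frame has a table
};

class StackWalker {
public:
    explicit StackWalker(Frame* top) : m_frame(top) {}
    bool atEnd() const { return m_frame == nullptr; }
    const Frame& current() const { return *m_frame; }

    void next() {
        Frame* callee = m_frame;
        Frame* caller = callee->callerFrame;
        // Treatment t1: a real (non-inlined) callee whose physical caller holds a
        // codeOriginIndex. Reify the inlined frames and return the innermost one.
        if (caller && !callee->isInlinedFrame && caller->codeOriginIndex >= 0) {
            m_frame = reifyInlinedFrames(caller);
            return;
        }
        // Treatment t2 (and ordinary frames): follow the caller pointer. A reified
        // frame's chain already ends at the optimized frame, whose codeOriginIndex
        // is left untouched so a later walk can reify again.
        m_frame = caller;
    }

private:
    // Walk the inline-caller chain starting at the optimized frame's current
    // origin, building C -> B -> A so that the first reified frame is returned.
    Frame* reifyInlinedFrames(Frame* optimized) {
        const std::vector<CodeOrigin>& origins = *optimized->codeOrigins;
        Frame* innermost = nullptr;
        Frame* previous = nullptr;
        for (int index = optimized->codeOriginIndex; index >= 0; index = origins[index].inlineCaller) {
            m_reified.emplace_back(origins[index].function);
            Frame& frame = m_reified.back();
            frame.isInlinedFrame = true;
            frame.callerFrame = optimized;   // outermost inlined frame returns to the optimized frame
            if (previous)
                previous->callerFrame = &frame;
            else
                innermost = &frame;
            previous = &frame;
        }
        return innermost;
    }

    Frame* m_frame;
    std::deque<Frame> m_reified;   // deque keeps addresses stable while frames are appended
};

// Constructed sample: X calls A; A inlines B, which inlines C; C calls D.
struct SampleStack {
    std::vector<CodeOrigin> origins;
    Frame X, A, D;
    SampleStack() : origins{ {"B", -1}, {"C", 0} }, X("X"), A("A"), D("D") {
        A.callerFrame = &X;
        A.codeOriginIndex = 1;      // A is currently inside inlined C
        A.codeOrigins = &origins;
        D.callerFrame = &A;         // D's physical caller is A, not C
    }
};

std::vector<std::string> logicalFrameNames(Frame* top) {
    std::vector<std::string> names;
    for (StackWalker walker(top); !walker.atEnd(); walker.next())
        names.push_back(walker.current().name);
    return names;
}

// Walk the sample stack `times` times; every walk reifies afresh from A.
std::vector<std::string> walkSampleStack(int times) {
    SampleStack stack;
    std::vector<std::string> names;
    for (int i = 0; i < times; ++i)
        names = logicalFrameNames(&stack.D);
    return names;
}

// The failure mode the entry warns about: overwrite A's codeOriginIndex after
// the first walk (as if replaced by A's own bytecode offset) and walk again.
std::vector<std::string> walkWithCodeOriginIndexDropped() {
    SampleStack stack;
    logicalFrameNames(&stack.D);
    stack.A.codeOriginIndex = -1;
    return logicalFrameNames(&stack.D);   // D, A, X: the inlined C and B are gone
}

} // namespace Model

int main() {
    for (const std::string& name : Model::walkSampleStack(2))
        std::printf("%s ", name.c_str());            // D C B A X
    std::printf("\n");
    for (const std::string& name : Model::walkWithCodeOriginIndexDropped())
        std::printf("%s ", name.c_str());            // D A X
    std::printf("\n");
    return 0;
}
```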
2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
        https://bugs.webkit.org/show_bug.cgi?id=117279

        Reviewed by Mark Hahnenberg.

        The normalization of abstract value clarity introduced in r151229 revealed a
        long-standing bug where we filtered ArrayModes incorrectly and sometimes ended
        up with BOTTOM incorrectly.

        This patch fixes that bug, and cleans up a bunch of debugging infrastructure
        that I needed to resurrect to track this down.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::noticeIncomingCall):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterArrayModesByType):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * runtime/Options.h:
        (JSC):

192412013-06-05 Filip Pizlo <fpizlo@apple.com>
19242
19243 Unreviewed, fix release build.
19244
19245 * interpreter/Interpreter.cpp:
19246 * jit/JITStubs.cpp:
19247
192482013-06-05 Mark Lam <mark.lam@apple.com>
19249
19250 Disambiguate between CallFrame bytecodeOffset and codeOriginIndex.
19251 https://bugs.webkit.org/show_bug.cgi?id=117262.
19252
19253 Reviewed by Geoffrey Garen.
19254
19255 When writing to the ArgumentCount tag in CallFrame, we will set the high
19256 bit if the written value is a codeOriginIndex.
19257
19258 * GNUmakefile.list.am:
19259 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
19260 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19261 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
19262 * JavaScriptCore.xcodeproj/project.pbxproj:
19263 * bytecode/CodeOrigin.h:
19264 (CodeOrigin):
19265 (JSC::CodeOrigin::isHandle):
19266 (JSC::CodeOrigin::encodeHandle):
19267 (JSC::CodeOrigin::decodeHandle):
19268 * dfg/DFGJITCompiler.h:
19269 (JSC::DFG::JITCompiler::beginCall):
19270 * dfg/DFGRepatch.cpp:
19271 (JSC::DFG::tryBuildGetByIDList):
19272 * interpreter/CallFrame.cpp:
19273 (JSC::CallFrame::locationAsBytecodeOffset):
19274 (JSC::CallFrame::setLocationAsBytecodeOffset):
19275 (JSC::CallFrame::currentVPC):
19276 (JSC::CallFrame::setCurrentVPC):
19277 (JSC::CallFrame::trueCallFrame):
19278 * interpreter/CallFrame.h:
19279 (ExecState):
19280 (JSC::ExecState::inlineCallFrame):
19281 * interpreter/CallFrameInlines.h: Added.
19282 (JSC::CallFrame::hasLocationAsBytecodeOffset):
19283 (JSC::CallFrame::hasLocationAsCodeOriginIndex):
19284 (JSC::CallFrame::locationAsRawBits):
19285 (JSC::CallFrame::setLocationAsRawBits):
19286 (JSC::CallFrame::locationAsBytecodeOffset):
19287 (JSC::CallFrame::setLocationAsBytecodeOffset):
19288 (JSC::CallFrame::locationAsCodeOriginIndex):
19289 * interpreter/Interpreter.cpp:
19290 (JSC::getBytecodeOffsetForCallFrame):
19291 (JSC::getCallerInfo):
19292 * jit/JITStubs.cpp:
19293 (JSC::DEFINE_STUB_FUNCTION):
19294
192952013-06-05 Filip Pizlo <fpizlo@apple.com>
19296
19297 Unreviewed, fix release build.
19298
19299 * interpreter/Interpreter.cpp:
19300 * jit/JITStubs.cpp:
19301
193022013-06-04 Filip Pizlo <fpizlo@apple.com>
19303
19304 fourthTier: Clean up AbstractValue
19305 https://bugs.webkit.org/show_bug.cgi?id=117217
19306
19307 Reviewed by Oliver Hunt.
19308
19309 This started as an attempt to make it so that when AbstractValue becomes empty,
19310 its m_type always becomes SpecNone. I wanted this to happen naturally. That turns
19311 out to be basically impossible, since AbstractValue is a set that is dynamically
19312 computed from the intersection of several internal sets: so the value becomes
19313 empty when any of the sets go empty. It's OK if we're imprecise here because it's
19314 always safe for the AbstractValue to seem to overapproximate the set of values
19315 that we see. So I mostly gave up on cleaning up that aspect of AbstractValue. But
19316 while trying to make this happen, I encountered two bugs:
19317
19318 - filterValueByType() ignores the case when m_type contravenes m_value. Namely,
19319 we might filter the AbstractValue against a SpeculatedType leading to m_value
19320 becoming inconsistent with the new m_type. This change fixes that case. This
19321 wasn't a symptomatic bug but it was a silly oversight.
19322
19323 - filterFuturePossibleStructure() was never right. The one call to this method,
19324 in filter(Graph&, const StructureSet&), assumed that the previous notions of
19325 what structures the value could have in the future were still relevant. This
19326 could lead to a bug where we:
19327
19328 1) CheckStructure(@foo, S1)
19329
19330 Where S1 has a valid watchpoint. Now @foo's abstract value will have current
19331 and future structure = S1.
19332
19333 2) Clobber the world.
19334
19335 Now @foo's abstract value will have current structure = TOP, and future
19336 possible structure = S1.
19337
19338 3) CheckStructure(@foo, S2)
19339
19340 Now @foo's abstract value will have current structure = S2 and future
19341 possible structure = S1 intersect S2 = BOTTOM.
19342
19343 Now we will think that any subsequent watchpoint on @foo is valid because the
19344 value is effectively BOTTOM. That would only be correct if we had actually set
19345 a watchpoint on S1. If we had done so, then (3) would only pass (i.e. @foo
19346 would only have structure S2) if S1's watchpoint fired, in which case (3)
19347 wouldn't have been reachable. But we didn't actually set a watchpoint on S1:
19348 we just observed that we *could* have set the watchpoint. Hence future possible
19349 structure should only be set to either the known structure at compile-time, or
19350 it should be the structure we just checked; in both cases it should only be set
19351 if the structure is watchable.
19352
19353 Then, in addition to all of this, I changed AbstractValue's filtering methods to
19354 call clear() if the AbstractValue is effectively clear. This is just meant to
19355 simplify the recognition of truly empty AbstractValues, but doesn't actually have
19356 any other implications.
19357
19358 * bytecode/StructureSet.h:
19359 (JSC::StructureSet::dump):
19360 * dfg/DFGAbstractValue.cpp:
19361 (JSC::DFG::AbstractValue::filter):
19362 (DFG):
19363 (JSC::DFG::AbstractValue::filterArrayModes):
19364 (JSC::DFG::AbstractValue::filterValueByType):
19365 (JSC::DFG::AbstractValue::filterArrayModesByType):
19366 (JSC::DFG::AbstractValue::shouldBeClear):
19367 (JSC::DFG::AbstractValue::normalizeClarity):
19368 (JSC::DFG::AbstractValue::checkConsistency):
19369 * dfg/DFGAbstractValue.h:
19370 (JSC::DFG::AbstractValue::isClear):
19371 (AbstractValue):
19372
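The three-step scenario in the entry above, as an added toy model rather than JavaScriptCore's AbstractValue: structures are plain integer ids, isWatchable() is a constructed stand-in for "this structure has a valid transition watchpoint", and the two CheckStructure filters contrast the old rule (intersect the stale future set, which collapses to BOTTOM) with the corrected rule (the future set is only the structure just checked, and only if it is watchable). This is example code written for this page, not code from the ChangeLog or the project.

```cpp
#include <set>

// Toy model of how the DFG's AbstractValue tracks "current" and "future
// possible" structures, written to illustrate the bug described in the
// ChangeLog entry. Not JavaScriptCore code: structures are plain ids, and
// isWatchable() is a constructed stand-in for a valid transition watchpoint.
using StructureId = int;
using StructureSet = std::set<StructureId>;

// Constructed sample data: S1 and S2 are watchable, S3 is not.
inline bool isWatchable(StructureId s) { return s == 1 || s == 2; }

struct StructureKnowledge {
    bool isTop = true;     // TOP: no constraint at all
    StructureSet set;      // meaningful only when !isTop; empty and !isTop is BOTTOM

    bool isBottom() const { return !isTop && set.empty(); }

    void intersectWith(const StructureSet& other) {
        if (isTop) { isTop = false; set = other; return; }
        StructureSet result;
        for (StructureId s : set)
            if (other.count(s)) result.insert(s);
        set = result;
    }
};

struct AbstractValue {
    StructureKnowledge current;   // what the value's structure is right now
    StructureKnowledge future;    // what it could be at any later point

    // A call, a store to an unknown object, etc.: current structure knowledge
    // is gone, but the (watchpoint-backed) future set is left alone.
    void clobberWorld() { current = StructureKnowledge{}; }
};

// Old rule: CheckStructure(@foo, S) intersects the previous future set with S,
// as if a watchpoint on the previous structures had actually been planted.
void checkStructureBuggy(AbstractValue& v, StructureId s) {
    v.current.intersectWith({ s });
    v.future.intersectWith({ s });
}

// Corrected rule: the future set is derived only from the structure just
// checked, and only if that structure is watchable; otherwise it is TOP.
void checkStructureFixed(AbstractValue& v, StructureId s) {
    v.current.intersectWith({ s });
    v.future = StructureKnowledge{};          // TOP
    if (isWatchable(s))
        v.future.intersectWith({ s });        // future = { s }
}

// Runs steps (1)-(3) from the entry and reports whether @foo's future set ends
// up BOTTOM, which would wrongly make any later watchpoint on @foo look valid.
bool scenarioEndsInBottom(bool useFixedFilter) {
    AbstractValue foo;
    auto check = useFixedFilter ? checkStructureFixed : checkStructureBuggy;
    check(foo, 1);        // (1) CheckStructure(@foo, S1): current = future = {S1}
    foo.clobberWorld();   // (2) current = TOP, future still {S1}
    check(foo, 2);        // (3) CheckStructure(@foo, S2)
    return foo.future.isBottom();
}

// With the fix, checking a non-watchable structure leaves the future set TOP.
bool futureIsTopAfterUnwatchableCheck() {
    AbstractValue foo;
    checkStructureFixed(foo, 3);
    return foo.future.isTop;
}
```

scenarioEndsInBottom(false) reproduces the unsound BOTTOM the entry describes; scenarioEndsInBottom(true) leaves the future set at {S2}, so no later pass can treat the code after (3) as unreachable.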
2013-06-04 Mark Lam <mark.lam@apple.com>

        The DFG JIT should populate frame bytecodeOffsets on OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=117103.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):

2013-06-03 Filip Pizlo <fpizlo@apple.com>

        fourthTier: all cached put_by_id transitions, even ones that weren't inlined by the DFG, should be propagated by the GC
        https://bugs.webkit.org/show_bug.cgi?id=117170

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::propagateTransitions):
        (JSC):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC):
        (PutByIdAccess):
        (PolymorphicPutByIdList):
        * bytecode/StructureStubInfo.h:
        (StructureStubInfo):
        * jit/JITCode.h:
        (JSC::JITCode::couldBeInterpreted):
        (JITCode):

2013-06-02 Filip Pizlo <fpizlo@apple.com>

        fourthTier: Get rid of StructureStubInfo::bytecodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=117127

        Reviewed by Mark Hahnenberg.

        StructureStubInfo already has a CodeOrigin field, which also has a bytecodeIndex.
        It makes sense to just always use the CodeOrigin.

        * bytecode/StructureStubInfo.h:
        (StructureStubInfo):
        (JSC::getStructureStubInfoBytecodeIndex):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::JIT::compileGetByIdProto):
        (JSC::JIT::compileGetByIdSelfList):
        (JSC::JIT::compileGetByIdProtoList):
        (JSC::JIT::compileGetByIdChainList):
        (JSC::JIT::compileGetByIdChain):
        (JSC::JIT::compilePutByIdTransition):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2013-06-01 Filip Pizlo <fpizlo@apple.com>

        Fix some minor issues in the DFG's profiling of heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=113010

        Reviewed by Geoffrey Garen.

        Carefully merge r146669 from trunk. This required some fiddling since it
        wasn't a clean apply.

        Original changelog:

            1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.

            2) If a CodeBlock clears a structure stub during GC, it should record this, and
            the DFG should prefer to not inline that access (i.e. treat it as if it had an
            exit site).

            3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
            but it chose not to, then assume that it will take slow path.

            4) If we frequently exited because of a structure check on a weak constant,
            don't try to inline that access in the future.

            5) Treat all exits that were counted as being frequent.

            81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC):
        (JSC::CodeBlock::resetStubDuringGCInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::jettison):
        (JSC::ProgramCodeBlock::jettisonImpl):
        (JSC::EvalCodeBlock::jettisonImpl):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        (StructureStubInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        (OSRExitBase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Options.h:
        (JSC):

2013-05-31 Filip Pizlo <fpizlo@apple.com>

        Remove CodeOrigin::valueProfileOffset since it was only needed for op_call_put_result.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isSet):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):

2013-05-31 Filip Pizlo <fpizlo@apple.com>

        Remove finalDestinationOrIgnored since it isn't called anymore.

        Rubber stamped by Mark Hahnenberg.

        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):

2013-05-31 Filip Pizlo <fpizlo@apple.com>

        fourthTier: get rid of op_call_put_result
        https://bugs.webkit.org/show_bug.cgi?id=117047

        Reviewed by Gavin Barraclough.

        op_call_put_result is an oddball. Its semantics are that it takes the return
        value of a call instruction, which is set aside in regT0/regT1, and places them
        into some stack slot. This is weird since there is an implicit contract with the
        preceding bytecode instruction, and it's even weirder since it means that it
        doesn't make sense to jump to it; for example OSR exit from the preceding call
        instruction must make sure to jump over the op_call_put_result.

        So this patch gets rid of op_call_put_result:

        - In bytecode, all calls return a value and we always allocate a temporary for
          that value even if it isn't used.

        - The LLInt does the return value saving as part of dispatchAfterCall().

        - The JIT and DFG do the return value saving as part of normal code generation.
          The DFG already did the right thing.

        - DFG->JIT OSR exit in the case of inlining will make the return PC's point at
          the CallLinkInfo::callReturnLocation, rather than the machine PC associated
          with the op_call_put_result instruction.

        - Tons of code gets removed. The DFG had to track whether or not a call had a
          return value in a bunch of places. It had to track the fact that we would
          exit to after the op_call_put_result. It was a mess. That mess is now gone.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewExprNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_call):
        (JSC):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_construct):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_construct):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOpcodes.cpp:
        (JSC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::genericCall):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-05-30 Filip Pizlo <fpizlo@apple.com>

        fourthTier: LLInt shouldn't store an offset call PC during op_call-like calls
        https://bugs.webkit.org/show_bug.cgi?id=117048

        Reviewed by Mark Hahnenberg.

        This just makes everything consistent in the LLInt: anytime any op calls out,
        it stores its PC and never the next op's PC.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::bytecodeOffset):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-05-28 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL should support ArithAbs
        https://bugs.webkit.org/show_bug.cgi?id=116890

        Reviewed by Oliver Hunt.

        Implements ArithAbs in the FTL, and cleans up the DFG implementation. The
        DFG implementation was previously doing zero extensions manually when it
        is probably better to just use StrictInt32Operand instead.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleAbs):

2013-05-28 Mark Lam <mark.lam@apple.com>

        Misc JIT probe enhancements.
        https://bugs.webkit.org/show_bug.cgi?id=116586.

        Reviewed by Michael Saboff.

        1. Added JIT probe support for ARMv7 and traditional ARM.
           Built and tested on ARMv7. ARM version not tested nor built.
        2. Fix the following bugs in the X86 and X86_64 probes:
           a. Cannot assume that the stack pointer is already aligned when
              we push args for the probe. Instead, we ensure the stack
              alignment at runtime when we set up the probe call.
              This is now done in the ctiMasmProbeTrampoline.
           b. On return, the user probe function may have altered the stack
              pointer value to be restored. Previously, if the sp restore value
              points to some of the other register restore values in the
              ProbeContext record, we will fail to return from the probe having
              those user-specified values as we're expected to do.
              This is now fixed.
        3. Rearranged the X86/X86_64 registers order to organize them like gdb
           expects on X86_64.
        4. We also now preserve the condition code registers.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        (ARMRegisters):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        (JSC::MacroAssemblerARM::ProbeContext::dumpCPURegisters):
        (JSC::MacroAssemblerARM::ProbeContext::dump):
        (JSC::MacroAssemblerARM::probe):
        * assembler/MacroAssemblerARM.h:
        (MacroAssemblerARM):
        (CPUState):
        (ProbeContext):
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (CPUState):
        (ProbeContext):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::probe):
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::probe):
        * assembler/X86Assembler.h:
        * config.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:

2013-05-28 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL should call masqueradesAsUndefinedWatchpointIfIsStillValid() in all of the places where it currently calls masqueradesAsUndefinedWatchpointIsStillValid()
        https://bugs.webkit.org/show_bug.cgi?id=116892

        Reviewed by Oliver Hunt.

        All of those places mean to plant the watchpoint if it's still valid.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):

2013-05-28 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL should support ArithMin/ArithMax
        https://bugs.webkit.org/show_bug.cgi?id=116885

        Reviewed by Oliver Hunt.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):

2013-05-28 Filip Pizlo <fpizlo@apple.com>

        testRunner should have a way of disabling inlining of functions
        https://bugs.webkit.org/show_bug.cgi?id=116875

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::getExecutable):
        (JSC):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * API/JSCTestRunnerUtils.h:
        (JSC):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (ScriptExecutable):
        (JSC::ScriptExecutable::setNeverInline):
        (JSC::ScriptExecutable::neverInline):
        (JSC::ScriptExecutable::isInliningCandidate):

2013-05-27 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL should support ArithMod
        https://bugs.webkit.org/show_bug.cgi?id=116792

        Reviewed by Oliver Hunt.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFRem):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2013-05-27 Filip Pizlo <fpizlo@apple.com>

        It should be possible to record heap operations (both FastMalloc and JSC GC)
        https://bugs.webkit.org/show_bug.cgi?id=116848

        Reviewed by Mark Hahnenberg.

        Record GC heap operations if ENABLE(ALLOCATION_LOGGING).

        * API/JSManagedValue.mm:
        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC):
        (JSC::Heap::ascribeOwner):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::internalAppend):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::appendUnbarrieredPointer):
        (JSC::SlotVisitor::appendUnbarrieredValue):
        (JSC::SlotVisitor::appendUnbarrieredWeak):
        (JSC::SlotVisitor::internalAppend):
        (JSC):
        (JSC::SlotVisitor::appendValues):
        * jit/JITWriteBarrier.h:
        (JSC::SlotVisitor::append):
        * llint/LLIntCommon.h:
        * runtime/Butterfly.h:
        (Butterfly):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::createArrayButterflyInDictionaryIndexingMode):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::createContiguousArrayButterfly):
        (JSC::createArrayButterfly):
        (JSC):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::JSObject):
        * runtime/Operations.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::create):
        * runtime/StructureInlines.h:
        (JSC):
        * runtime/WriteBarrier.h:
        (JSC):

2013-05-27 Filip Pizlo <fpizlo@apple.com>

        testRunner should be able to tell you if a function is DFG compiled
        https://bugs.webkit.org/show_bug.cgi?id=116847

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp: Added.
        (JSC):
        (JSC::numberOfDFGCompiles):
        * API/JSCTestRunnerUtils.h: Added.
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::numberOfDFGCompiles):
        (JSC):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::runThread):
        * runtime/Executable.h:
        (JSC):
        * runtime/JSFunctionInlines.h: Added.
        (JSC):
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::jsExecutable):
        (JSC::JSFunction::isHostFunction):
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        * runtime/Operations.h:

2013-05-27 Filip Pizlo <fpizlo@apple.com>

        fourthTier: DFG ArithMod should have the !nodeUsedAsNumber optimizations that ArithDiv has
        https://bugs.webkit.org/show_bug.cgi?id=116841

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2013-05-26 Filip Pizlo <fpizlo@apple.com>

        fourthTier: clean up ArithDiv/ArithMod in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=116793

        Reviewed by Mark Hahnenberg.

        This makes ArithDiv and ArithMod behave similarly, and moves both of their
        implementations entirely into DFGSpeculativeJIT.cpp into methods named like
        the ones for ArithSub/ArithMul.

        Specifically, ArithMod now uses the wrap-in-conversion-nodes idiom that
        ArithDiv used for platforms that don't support integer division. Previously
        ArithMod had its own int-to-double and double-to-int conversions for this
        purpose.

        As well, this gets rid of confusing methods like compileSoftModulo() (which
        did no such thing, there wasn't anything "soft" about it) and
        compileIntegerArithDivForX86() (which is accurately named but we don't use
        the platform-specific method convention anywhere else).

        Finally, this takes the optimized power-of-two modulo operation that was
        previously only for ARMv7s, and makes it available for all platforms. Well,
        sort of: I actually rewrote it to do what latest LLVM appears to do, which
        is a crazy straight-line power-of-2 modulo based on a combination of shifts,
        ands, additions, and subtractions. I can kind of understand it well enough
        to see that it complies with both C and JS power-of-2 modulo semantics. I've
        also confirmed that it does by testing (hence the corresponding improvements
        to one of the division tests). But, I don't claim to know exactly how this
        code works other than to observe that it is super leet.

        Overall, this patch has the effect of killing some code (no more hackish
        int-to-double conversions in ArithMod), making some optimization work on
        more platforms, and making the compiler less confusing by doing more things
        with the same idiom.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

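The straight-line power-of-two modulo the entry above describes, as an added C++ illustration rather than the DFG's own code generation: a shift, an and, an add and a subtract that reproduce truncating `%` semantics (result takes the sign of the dividend) for int32, checked exhaustively against the compiler's `%` over a constructed range and at the int32 limits. It assumes an arithmetic right shift for negative ints (guaranteed since C++20 and what every relevant target does) and covers only the int32 result; JavaScript's negative-zero case (`-4 % 4` is `-0`) is the separate concern that the nodeUsedAsNumber logic in the ArithMod entries handles. Example code written for this page, not from the ChangeLog or the project.

```cpp
#include <climits>
#include <cstdint>

// Branch-free x % 2^k with C/JS truncating semantics: the result has the sign
// of the dividend, exactly as `x % (1 << k)` does. Added illustration, not the
// DFG's emitted code. Assumes `>>` on a negative int32_t is an arithmetic
// shift (defined since C++20; universal in practice).
int32_t modPowerOfTwo(int32_t x, unsigned k) {
    const int32_t mask = static_cast<int32_t>((uint32_t(1) << k) - 1);
    // All ones if x is negative, zero otherwise.
    const int32_t sign = x >> 31;
    // For a negative dividend, bias by (2^k - 1) so that the mask rounds
    // toward zero instead of toward negative infinity, then undo the bias.
    // For a non-negative dividend the bias is zero and this is just x & mask.
    const int32_t bias = sign & mask;
    return ((x + bias) & mask) - bias;
}

// Compares the shift/mask sequence against the compiler's `%` for every
// k in 1..30 over a constructed window around zero plus the int32 extremes
// (INT32_MIN is the classic trap for "negate, mask, negate" variants).
// Returns true only if every pair agrees.
bool agreesWithTruncatingModulo() {
    for (unsigned k = 1; k <= 30; ++k) {
        const int32_t divisor = int32_t(1) << k;
        for (int32_t x = -70000; x <= 70000; ++x)
            if (modPowerOfTwo(x, k) != x % divisor)
                return false;
        const int32_t edges[] = { INT32_MIN, INT32_MIN + 1, INT32_MAX - 1, INT32_MAX };
        for (int32_t x : edges)
            if (modPowerOfTwo(x, k) != x % divisor)
                return false;
    }
    return true;
}
```

Why the bias works: for negative x, `(x + bias) & mask` computes the floor-style remainder of x + (2^k - 1), which is (x mod 2^k) + (2^k - 1) when x is not a multiple of 2^k and 2^k - 1 when it is; subtracting the bias again gives the truncating remainder or zero. No division instruction is involved, which is why the entry describes it as usable on every platform.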
199882013-05-25 Filip Pizlo <fpizlo@apple.com>
19989
19990 fourthTier: cti_optimize shouldn't allow GCs to get in the way of it seeing the state of its CodeBlock
19991 https://bugs.webkit.org/show_bug.cgi?id=116748
19992
19993 Reviewed by Geoffrey Garen.
19994
19995 This fixes the following race: an optimized version of our code block could be installed
19996 by the GC just as we return from completeAllReadyPlansForVM(), leading us to believe
19997 that the code block isn't ready yet even though it is. Currently this triggers a
19998 RELEASE_ASSERT. We could remove that assertion, but then this case would lead to the
19999 code in question entering into optimizeAfterWarmUp mode. That seems pretty wasteful.
20000
20001 Fix the bug, and hopefully close the door on these bugs for a while, by wrapping
20002 cti_optimize in a DeferGC. There is little downside to doing so since the only
20003 "allocations" in cti_optimize are the ones where we inform the GC about extra memory
20004 usage.
20005
20006 I had a more comprehensive solution (see the bug, "work in progress" patch) but that
20007 one involved adding *more* raciness to cti_optimize. I decided that was a less good
20008 approach once I came to appreciate the simplicity of just using DeferGC.
20009
20010 * jit/JITStubs.cpp:
20011 (JSC::DEFINE_STUB_FUNCTION):
20012
200132013-05-25 Filip Pizlo <fpizlo@apple.com>
20014
20015 fourthTier: FTL should support ArithDiv
20016 https://bugs.webkit.org/show_bug.cgi?id=116771
20017
20018 Reviewed by Oliver Hunt.
20019
20020 * ftl/FTLAbbreviations.h:
20021 (JSC::FTL::buildDiv):
20022 (JSC::FTL::buildRem):
20023 (JSC::FTL::buildFDiv):
20024 * ftl/FTLCapabilities.cpp:
20025 (JSC::FTL::canCompile):
20026 * ftl/FTLCommonValues.cpp:
20027 (JSC::FTL::CommonValues::CommonValues):
20028 * ftl/FTLCommonValues.h:
20029 (CommonValues):
20030 * ftl/FTLLowerDFGToLLVM.cpp:
20031 (JSC::FTL::LowerDFGToLLVM::compileNode):
20032 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
20033 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
20034 (LowerDFGToLLVM):
20035 * ftl/FTLOutput.h:
20036 (JSC::FTL::Output::div):
20037 (JSC::FTL::Output::rem):
20038 (JSC::FTL::Output::doubleDiv):
20039
2013-05-25 Mark Lam <mark.lam@apple.com>

Remove Interpreter::retrieveLastCaller().
https://bugs.webkit.org/show_bug.cgi?id=116753.

Reviewed by Geoffrey Garen.

This is part of the refactoring effort to get rid of functions walking
the JS stack in their own way.

* API/JSContextRef.cpp:
(JSContextCreateBacktrace):
* interpreter/CallFrame.cpp:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::Interpreter):
(JSC::Interpreter::getStackTrace):
(JSC::Interpreter::addStackTraceIfNecessary):
* interpreter/Interpreter.h:
(StackFrame):
(JSC::StackFrame::StackFrame):
(Interpreter):
* jsc.cpp:
(functionJSCStack):
* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::addParentForConsoleStart):

2013-05-24 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL boolify should support ObjectOrOtherUse
https://bugs.webkit.org/show_bug.cgi?id=116741

Reviewed by Geoffrey Garen.

Just reusing what was already there in equalNullOrUndefined(). Note that we will
sometimes generate some redundant IR - like having some spurious bitNot's in
places - but it's safe to assume that LLVM will simplify those, and that it won't
be the longest pole in the tent for compile times.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::boolify):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):

2013-05-24 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL should support LogicalNot and Branch on Int32 and Number
https://bugs.webkit.org/show_bug.cgi?id=116739

Reviewed by Gavin Barraclough.

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
(JSC::FTL::LowerDFGToLLVM::compileBranch):
(JSC::FTL::LowerDFGToLLVM::boolify):
(LowerDFGToLLVM):
* ftl/FTLOutput.h:
(JSC::FTL::Output::isZero32):
(JSC::FTL::Output::notZero32):

2013-05-23 Filip Pizlo <fpizlo@apple.com>

fourthTier: add heuristics to reduce the likelihood of a trivially inlineable function being independently compiled by the concurrent JIT
https://bugs.webkit.org/show_bug.cgi?id=116557

Reviewed by Geoffrey Garen.

This introduces a fairly comprehensive mechanism for preventing trivially inlineable
functions from being compiled independently of all of the things into which they end
up being inlined.

The trick is CodeBlock::m_shouldAlwaysBeInlined, or SABI for short (that's what the
debug logging calls it). A SABI function is one that we currently believe should
never be DFG optimized because it should always be inlined into the functions that
call it. SABI follows "innocent until proven guilty": all functions start out SABI
and have SABI set to false if we see proof that that function may be called in some
possibly non-inlineable way. So long as a function is SABI, it will not tier up to
the DFG: cti_optimize will perpetually postpone its optimization. Because SABI has
such a severe effect, we make the burden of proof of guilt quite low. SABI gets
cleared if any of the following happen:

- You get called from native code (either through CallData or CachedCall).

- You get called from an eval, since eval code takes a long time to get DFG
optimized.

- You get called from global code, since often global code doesn't tier-up since
it's run-once.

- You get called recursively, where recursion is detected by a stack walk of depth
Options::maximumInliningDepth().

- You get called through an unlinked virtual call.

- You get called from DFG code, since if the caller was already DFG optimized and
didn't inline you then, obviously, you might not get inlined.

- You've tiered up to the baseline JIT and you get called from the interpreter.
The idea here is that this kind of ensures that you stay SABI only if you're
called no more frequently than any of your callers.

- You get called from a code block that isn't a DFG candidate.

- You aren't an inlining candidate.

Most of the heuristics for SABI are in CodeBlock::noticeIncomingCall().

This is neutral on SunSpider and V8Spider, and appears to be a slight speed-up on
V8v7, which was previously adversely affected by concurrent compilation. I also
confirmed that for example on V8/richards, it dramatically reduces the number of
code blocks that get DFG compiled. It is a speed-up on those V8v7 benchmarks that
saw regressions from concurrent compilation.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpAssumingJITType):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::linkIncomingCall):
(JSC):
(JSC::CodeBlock::noticeIncomingCall):
* bytecode/CodeBlock.h:
(CodeBlock):
* dfg/DFGCapabilities.h:
(JSC::DFG::mightInlineFunction):
(DFG):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
* dfg/DFGRepatch.cpp:
(JSC::DFG::dfgLinkFor):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
(JSC::JIT::linkFor):
* jit/JIT.h:
(JIT):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
(JSC::lazyLinkFor):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):

2013-05-23 Filip Pizlo <fpizlo@apple.com>

fourthTier: rationalize DFG::CapabilityLevel and DFGCapabilities.[h|cpp]
https://bugs.webkit.org/show_bug.cgi?id=116696

Reviewed by Sam Weinig.

Make it so that all capability calculation is funneled through one function, which tells
you everything you wanted to know: can it be inlined, and can it be compiled.

This work will help with https://bugs.webkit.org/show_bug.cgi?id=116557, since now the
JIT has a fairly authoritative answer to the "can it be inlined" question.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::ProgramCodeBlock::capabilityLevelInternal):
(JSC::EvalCodeBlock::capabilityLevelInternal):
(JSC::FunctionCodeBlock::capabilityLevelInternal):
* bytecode/CodeBlock.h:
(CodeBlock):
(JSC::CodeBlock::capabilityLevel):
(JSC::CodeBlock::capabilityLevelState):
(ProgramCodeBlock):
(EvalCodeBlock):
(FunctionCodeBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::debugFail):
(DFG):
(JSC::DFG::canInlineResolveOperations):
(JSC::DFG::capabilityLevel):
* dfg/DFGCapabilities.h:
(DFG):
(JSC::DFG::capabilityLevel):
(JSC::DFG::evalCapabilityLevel):
(JSC::DFG::programCapabilityLevel):
(JSC::DFG::functionForCallCapabilityLevel):
(JSC::DFG::functionForConstructCapabilityLevel):
(JSC::DFG::canInlineFunctionForCall):
(JSC::DFG::canInlineFunctionForClosureCall):
(JSC::DFG::canInlineFunctionForConstruct):
* dfg/DFGCommon.h:
(JSC::DFG::canCompile):
(DFG):
(JSC::DFG::canInline):
(JSC::DFG::leastUpperBound):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::privateCompilePutByIdTransition):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::privateCompilePutByIdTransition):
* tools/CodeProfile.cpp:
(JSC::CodeProfile::sample):

2013-05-22 Filip Pizlo <fpizlo@apple.com>

Rename getJITCode and getJITType to jitCode and jitType.

Rubber stamped by Mark Hahnenberg.

* assembler/RepatchBuffer.h:
(JSC::RepatchBuffer::RepatchBuffer):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dump):
(JSC::CodeBlock::visitAggregate):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::resetStubInternal):
(JSC::CodeBlock::stronglyVisitWeakReferences):
(JSC::CodeBlock::baselineVersion):
(JSC::CodeBlock::hasOptimizedReplacement):
(JSC::CodeBlock::bytecodeOffset):
(JSC::CodeBlock::codeOriginForReturn):
(JSC::ProgramCodeBlock::compileOptimized):
(JSC::EvalCodeBlock::compileOptimized):
(JSC::FunctionCodeBlock::compileOptimized):
(JSC::ProgramCodeBlock::jettison):
(JSC::EvalCodeBlock::jettison):
(JSC::FunctionCodeBlock::jettison):
(JSC::ProgramCodeBlock::jitCompileImpl):
(JSC::EvalCodeBlock::jitCompileImpl):
(JSC::FunctionCodeBlock::jitCompileImpl):
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
(JSC::CodeBlock::adjustedExitCountThreshold):
(JSC::CodeBlock::tallyFrequentExitSites):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::getCallLinkInfo):
(JSC::CodeBlock::jitCode):
(JSC::CodeBlock::jitCodeWithArityCheck):
(JSC::CodeBlock::jitType):
(JSC::CodeBlock::hasBaselineJITProfiling):
(JSC::CodeBlock::jitCompile):
(JSC::CodeBlock::addFrequentExitSite):
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
(JSC::ExecState::isInlineCallFrame):
* dfg/DFGAssemblyHelpers.cpp:
(JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
* dfg/DFGAssemblyHelpers.h:
(JSC::DFG::AssemblyHelpers::AssemblyHelpers):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::codeLocationForRepatch):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* heap/DFGCodeBlocks.cpp:
(JSC::DFGCodeBlocks::~DFGCodeBlocks):
(JSC::DFGCodeBlocks::jettison):
(JSC::DFGCodeBlocks::clearMarks):
(JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
(JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
* interpreter/Interpreter.cpp:
(JSC::getLineNumberForCallFrame):
(JSC::getCallerInfo):
* jit/JITDriver.h:
(JSC::jitCompileIfAppropriateImpl):
(JSC::jitCompileFunctionIfAppropriateImpl):
* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::entryOSR):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Executable.cpp:
(JSC::jettisonCodeBlock):
(JSC::EvalExecutable::compileOptimized):
(JSC::EvalExecutable::jettisonOptimizedCode):
(JSC::ProgramExecutable::compileOptimized):
(JSC::ProgramExecutable::jettisonOptimizedCode):
(JSC::FunctionExecutable::baselineCodeBlockFor):
(JSC::FunctionExecutable::compileOptimizedForCall):
(JSC::FunctionExecutable::compileOptimizedForConstruct):
(JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
(JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
* tools/CodeProfile.cpp:
(JSC::CodeProfile::sample):

2013-05-22 Filip Pizlo <fpizlo@apple.com>

fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data
https://bugs.webkit.org/show_bug.cgi?id=116633

Reviewed by Mark Hahnenberg.

Previously we would check if we had Baseline JIT profiling data by seeing if the
appropriate vector was non-empty. This is horrible if we're doing LLInt->Baseline
tier-up at the same time. This will happen for code we are inlining, if we're
deciding to inline it before the LLInt->Baseline tier-up happened for that code.

This changes things to take advantage of the fact that the very last thing that
LLInt->Baseline tier-up will do (in JITDriver.h) is setJITCode(). We now precede
the actual work in setJITCode() with a store-store fence to ensure that all
stores to modify the CodeBlock happen before setting the JITCode, and we modify
CodeBlock::getJITType() to use load-load fences to ensure that if you see
JITCode::BaselineJIT then you will also see all of those vectors. Then this
changes all of the code that scrapes Baseline JIT profiles to check if
getJITType() returns JITCode::BaselineJIT instead of checking vector sizes.

The outcome is that for the non-racy cases we behave as we did before (we fall
back on LLInt profiling if the tier-up hasn't happened) and for racy cases we
use LLInt profiling conservatively.

Note that for some (but not all!) of the cases where we scrape Baseline JIT
profiling, we would have anyway been holding the CodeBlock::m_lock so we can also
fix those cases by just having setJITCode grab that lock. This patch does that
also, mainly because although we only call setJITCode() from the main thread, in
general it's dangerous to have a pointer to a ref-counted object being modified
in a racy way. So, this patch just does the most conservative thing possible that
we can afford to do.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setJITCode):
(JSC::CodeBlock::getJITType):
(JSC::CodeBlock::hasBaselineJITProfiling):
(JSC::CodeBlock::likelyToTakeSlowCase):
(JSC::CodeBlock::couldTakeSlowCase):
(JSC::CodeBlock::likelyToTakeSpecialFastCase):
(JSC::CodeBlock::couldTakeSpecialFastCase):
(JSC::CodeBlock::likelyToTakeDeepestSlowCase):
(JSC::CodeBlock::likelyToTakeAnySlowCase):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):

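The publication protocol this entry describes, as an added example that is not JavaScriptCore's own code: the producer (tier-up) fills in its profiling vectors and only then publishes the JIT type with a release store, which subsumes the store-store fence; the consumer (the profile scraper) reads the JIT type with an acquire load, which subsumes the load-load fence, and trusts the vectors only if it saw BaselineJIT. The example is single-threaded: it evaluates the old vector-size check and the fenced check at the two points in time a racing scraper could observe, mid-tier-up and after setJITCode(). CodeBlock, setJITCode, jitType, ValueProfile and the sample profile values are hypothetical stand-ins, not the project's API.

```cpp
// Added example, not JavaScriptCore's own code: publishing profiling data with
// release/acquire ordering as described in the entry above. Names are hypothetical.
#include <atomic>
#include <cstddef>
#include <vector>

enum class JITType { Interpreter, BaselineJIT };

struct ValueProfile { int observedType; };

class CodeBlock {
public:
    // Consumer side (the DFG scraping profiles, possibly on another thread). The
    // acquire load pairs with the release store in setJITCode(): a reader that sees
    // BaselineJIT is guaranteed to also see every store made before that publication.
    JITType jitType() const { return m_jitType.load(std::memory_order_acquire); }

    // The fixed check: trust only the published JIT type.
    bool hasBaselineJITProfiling() const { return jitType() == JITType::BaselineJIT; }

    // The old, racy check: "is the vector non-empty?" is already true while the
    // tier-up is still in the middle of filling it in.
    bool hasBaselineJITProfilingRacy() const { return !m_valueProfiles.empty(); }

    // Producer side (LLInt->Baseline tier-up): every write to the CodeBlock happens
    // before this call; the release store keeps them from being reordered after it.
    void setJITCode(JITType type) { m_jitType.store(type, std::memory_order_release); }

    void addValueProfile(int observedType) { m_valueProfiles.push_back({observedType}); }
    size_t valueProfileCount() const { return m_valueProfiles.size(); }

private:
    std::vector<ValueProfile> m_valueProfiles;
    std::atomic<JITType> m_jitType{JITType::Interpreter};
};

// Which profiling source a scraper would pick at one instant.
enum class ProfileSource { LLInt, Baseline };

struct Decision {
    ProfileSource racyChoice;   // what the old vector-size check would pick
    ProfileSource fencedChoice; // what the fenced JIT-type check picks
};

Decision decide(const CodeBlock& block)
{
    return {
        block.hasBaselineJITProfilingRacy() ? ProfileSource::Baseline : ProfileSource::LLInt,
        block.hasBaselineJITProfiling() ? ProfileSource::Baseline : ProfileSource::LLInt
    };
}

// Tier-up caught mid-way: the vectors are populated but setJITCode() has not run.
// The racy check would consume half-built data; the fenced check falls back to LLInt.
Decision decideDuringTierUp()
{
    CodeBlock block;
    block.addValueProfile(1); // constructed sample data
    block.addValueProfile(2);
    return decide(block);
}

// After setJITCode() has published the block, both checks agree on Baseline.
Decision decideAfterTierUp()
{
    CodeBlock block;
    block.addValueProfile(1);
    block.addValueProfile(2);
    block.setJITCode(JITType::BaselineJIT);
    return decide(block);
}
```

The conservative fallback is the point: in the racy window the fenced check costs at most a less precise (LLInt) profile, whereas the vector-size check could read a vector that another thread is still growing.
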
2013-05-22 Filip Pizlo <fpizlo@apple.com>

fourthTier: It should be possible to use more than one compiler thread
https://bugs.webkit.org/show_bug.cgi?id=116630

Reviewed by Mark Hahnenberg.

This gives us the ability to use more compiler threads, but doesn't actually
enable the functionality because it isn't a speed-up on any benchmark. It can
even be a slow-down. This also adds the ability to disable concurrent
compilation if we're on a uniprocessor machine, and adds more logging to the
worklist code to allow us to investigate how many threads are active. It
appears that even on the most compiler-heavy benchmarks, we never have enough
work for more than 4 threads, and even then the 4 threads are all active for
a short time.

Something that having more threads does accomplish is that it shakes out bugs.
This patch fixes a bug with Watchpoint not being thread-safe ref-counted,
which enabling 7 compilation threads did catch.

As it stands, this patch is performance-neutral and just fixes bugs and adds
some options.

* bytecode/Watchpoint.h:
* dfg/DFGCommon.h:
(JSC::DFG::enableConcurrentJIT):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::Worklist):
(JSC::DFG::Worklist::~Worklist):
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::create):
(JSC::DFG::Worklist::enqueue):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::dump):
(JSC::DFG::Worklist::runThread):
(JSC::DFG::initializeGlobalWorklistOnce):
* dfg/DFGWorklist.h:
* runtime/Options.cpp:
(JSC::computeNumberOfWorkerThreads):
(JSC):
(JSC::computeNumberOfGCMarkers):
* runtime/Options.h:
(JSC):

2013-05-22 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL shouldn't use the LLVM global context, and should instead create its own context for each compilation
https://bugs.webkit.org/show_bug.cgi?id=116631

Reviewed by Mark Hahnenberg.

In the future we might want to share contexts for multiple compilations, but for
now using one context per compilation is a progression over just constantly using
the global context.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
(DFG):
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPlan.h:
* ftl/FTLAbbreviatedTypes.h:
(FTL):
* ftl/FTLAbbreviations.h:
(JSC::FTL::voidType):
(JSC::FTL::int1Type):
(JSC::FTL::int8Type):
(JSC::FTL::int32Type):
(JSC::FTL::int64Type):
(JSC::FTL::intPtrType):
(JSC::FTL::doubleType):
(JSC::FTL::structType):
(JSC::FTL::mdKindID):
(JSC::FTL::mdString):
(JSC::FTL::mdNode):
(JSC::FTL::appendBasicBlock):
(JSC::FTL::insertBasicBlock):
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::AbstractHeap::tbaaMetadataSlow):
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
(JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
(JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
* ftl/FTLAbstractHeap.h:
(IndexedAbstractHeap):
(NumberedAbstractHeap):
(AbsoluteAbstractHeap):
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:
(AbstractHeapRepository):
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
* ftl/FTLCommonValues.h:
(CommonValues):
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateCodeSection):
* ftl/FTLIntrinsicRepository.cpp:
(JSC::FTL::IntrinsicRepository::IntrinsicRepository):
* ftl/FTLIntrinsicRepository.h:
(FTL):
(IntrinsicRepository):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lower):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::Output):
* ftl/FTLOutput.h:
(Output):
(JSC::FTL::Output::newBlock):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
(JSC::FTL::State::~State):
(FTL):
* ftl/FTLState.h:
(State):
* runtime/Options.h:
(JSC):

2013-05-18 Filip Pizlo <fpizlo@apple.com>

FTL should force LLVM to use our own JIT memory allocator, and we shouldn't have to keep around an LLVMExecutionEngineRef to keep code alive
https://bugs.webkit.org/show_bug.cgi?id=113619

Reviewed by Geoffrey Garen.

This uses new API that I've exposed, which allows for memory manager callbacks
from within LLVM. LLVM may allocate multiple independent chunks of memory for
a module, and we track all of those in a Vector in FTL::JITCode.

* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateCodeSection):
(FTL):
(JSC::FTL::mmAllocateDataSection):
(JSC::FTL::mmApplyPermissions):
(JSC::FTL::mmDestroy):
(JSC::FTL::compile):
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::JITCode):
(JSC::FTL::JITCode::~JITCode):
(JSC::FTL::JITCode::addHandle):
(FTL):
(JSC::FTL::JITCode::initializeCode):
* ftl/FTLJITCode.h:
(JITCode):
(JSC::FTL::JITCode::handles):
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::~JITFinalizer):
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
(JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
(JITFinalizer):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLState.h:
(State):

2013-05-12 Filip Pizlo <fpizlo@apple.com>

fourthTier: FTL shouldn't use FastISel and Small code model should be turned off for now
https://bugs.webkit.org/show_bug.cgi?id=115998

Reviewed by Oliver Hunt.

This switches off FastISel and makes it possible to turn off Small code model.

* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* runtime/Options.h:
(JSC):

2013-05-21 Filip Pizlo <fpizlo@apple.com>

fourthTier: should use ConcurrentJITLock[er] directly and not through typedef
https://bugs.webkit.org/show_bug.cgi?id=116561

Rubber stamped by Geoffrey Garen.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
(JSC::ArrayProfile::briefDescription):
* bytecode/ArrayProfile.h:
(ArrayProfile):
(JSC::ArrayProfile::expectedStructure):
(JSC::ArrayProfile::structureIsPolymorphic):
(JSC::ArrayProfile::hasDefiniteStructure):
(JSC::ArrayProfile::observedArrayModes):
(JSC::ArrayProfile::mayInterceptIndexedAccesses):
(JSC::ArrayProfile::mayStoreToHole):
(JSC::ArrayProfile::outOfBounds):
(JSC::ArrayProfile::usesOriginalArrayStructures):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpValueProfiling):
(JSC::CodeBlock::dumpArrayProfiling):
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllArrayPredictions):
(JSC::CodeBlock::nameForRegister):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
(CodeBlock):
* bytecode/CodeBlockLock.h: Removed.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
* bytecode/LazyOperandValueProfile.cpp:
(JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
(JSC::CompressedLazyOperandValueProfileHolder::add):
(JSC::LazyOperandValueProfileParser::initialize):
(JSC::LazyOperandValueProfileParser::prediction):
* bytecode/LazyOperandValueProfile.h:
(CompressedLazyOperandValueProfileHolder):
(LazyOperandValueProfileParser):
* bytecode/MethodOfGettingAValueProfile.cpp:
(JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecode/ResolveGlobalStatus.cpp:
(JSC::ResolveGlobalStatus::computeFor):
* bytecode/ValueProfile.h:
(JSC::ValueProfileBase::briefDescription):
(JSC::ValueProfileBase::computeUpdatedPrediction):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::addVar):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
* dfg/DFGArrayMode.h:
(ArrayMode):
(JSC::DFG::ArrayMode::withProfile):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getArrayMode):
(JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
(JSC::DFG::ByteCodeParser::parseResolveOperations):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGPredictionInjectionPhase.cpp:
(JSC::DFG::PredictionInjectionPhase::run):
* jit/JITInlines.h:
(JSC::JIT::chooseArrayMode):
* jit/JITStubs.cpp:
(JSC::tryCachePutByID):
(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
(JSC::lazyLinkFor):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setUpCall):
* profiler/ProfilerBytecodeSequence.cpp:
(JSC::Profiler::BytecodeSequence::BytecodeSequence):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::addGlobalVar):
* runtime/JSActivation.cpp:
(JSC::JSActivation::getOwnNonIndexPropertyNames):
(JSC::JSActivation::symbolTablePutWithAttributes):
* runtime/JSScope.cpp:
(JSC::JSScope::resolveContainingScopeInternal):
(JSC::JSScope::resolvePut):
* runtime/JSSegmentedVariableObject.cpp:
(JSC::JSSegmentedVariableObject::findRegisterIndex):
(JSC::JSSegmentedVariableObject::addRegisters):
* runtime/JSSegmentedVariableObject.h:
(JSSegmentedVariableObject):
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/Structure.cpp:
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::putSpecificValue):
(JSC::Structure::remove):
(JSC::Structure::createPropertyMap):
* runtime/Structure.h:
(Structure):
* runtime/SymbolTable.h:
(SymbolTable):
(JSC::SymbolTable::find):
(JSC::SymbolTable::get):
(JSC::SymbolTable::inlineGet):
(JSC::SymbolTable::begin):
(JSC::SymbolTable::end):
(JSC::SymbolTable::size):
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
(JSC::SymbolTable::contains):

2013-05-20 Filip Pizlo <fpizlo@apple.com>

fourthTier: DFG should be able to run on a separate thread
https://bugs.webkit.org/show_bug.cgi?id=112839

Reviewed by Geoffrey Garen.

This is the final bit of concurrent JITing. The idea is that there is a
single global worklist, and a single global thread, that does all
optimizing compilation. This is the DFG::Worklist. It contains a queue of
DFG::Plans, and a map from CodeBlock* (the baseline code block we're
trying to optimize) to DFG::Plan. If the DFGDriver tries to concurrently
compile something, it puts the Plan on the Worklist. The Worklist's
thread will compile that Plan eventually, and when it's done, it will
signal its completion by (1) notifying anyone waiting for the Worklist to
be done, and (2) forcing the CodeBlock::m_jitExecuteCounter to take slow
path. The next Baseline JIT cti_optimize call will then install all ready
(i.e. compiled) Plans for that VM. Note that (1) is only for the GC and
VM shutdown, which will want to ensure that there aren't any outstanding
async compilations before proceeding. They do so by simply waiting for
all of the plans for the current VM to complete. (2) is the actual way
that code typically gets installed.

This is all very racy by design. For example, just as we try to force the
execute counter to take slow path, the main thread may be setting the
execute counter to some other value. The main thread must set it to
another value because (a) JIT code is constantly incrementing the counter
in a racy way, (b) the cti_optimize slow path will set it to some
large-ish negative value to ensure that cti_optimize isn't called
repeatedly, and (c) OSR exits from previously jettisoned code blocks may
still want to reset the counter values. This "race" is made benign, by
ensuring that while there is an asynchronous compilation, we at worst set
the counter to optimizeAfterWarmUp and never to deferIndefinitely. Hence
if the race happens then the worst case is that we wait another ~1000
counts before installing the optimized code. Another defense is that if
any CodeBlock calls into cti_optimize, then it will check for all ready
plans for the VM - so even if a code block has to wait another ~1000
executions before it calls cti_optimize to do the installation, it may
actually end up being installed sooner because a different code block had
called cti_optimize, potentially for an unrelated reason.

Special care is taken to ensure that installing plans informs the GC
about the increased memory usage, but also ensures that we don't recurse
infinitely - since at start of GC we try to install outstanding plans.
This is done by introducing a new GC deferral mechanism (the DeferGC
block-scoped thingy), which will ensure that GCs don't happen in the
scope but are allowed to happen after. This still leaves the strange
corner case that cti_optimize may install outstanding plans, then GC, and
that GC may jettison the code block that was installed. This, and the
fact that the plan that we took slow path to install could have been a
failed or invalid compile, mean that we have to take special precautions
in cti_optimize.

This patch also fixes a number of small concurrency bugs that I found
when things started running. There are probably more of those bugs still
left to fix. This patch just fixes the ones I know about.

Concurrent compilation is right now only enabled on X86_64 Mac. We need
platforms that are sufficiently CAStastic so that we can do the various
memory fence and CAS tricks that make this safe. We also need a platform
that uses JSVALUE64. And we need pthread_once. So, that pretty much means
just X86_64 for now. Enabling Linux-x86_64 should be a breeze, but I'll
leave that up to the Qt and GTK+ ports to do at their discretion.

This is a solid speed-up on SunSpider (8-9%) and V8Spider (16%), our two
main compile-time benchmarks. Most peculiarly, this also appears to
reduce measurement noise, rather than increasing it as you would have
expected. I don't understand that result but I like it anyway. On the
other hand, this is a slight (1%) slow-down on V8v7. I will continue to
investigate this but I think that the results are already good enough
that we should land this as-is. So far, it appears that the slow-down is
due to this breaking the don't-compile-inlineables heuristics. See
investigation in https://bugs.webkit.org/show_bug.cgi?id=116556 and the
bug https://bugs.webkit.org/show_bug.cgi?id=116557.

* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::resetStubInternal):
(JSC::CodeBlock::baselineVersion):
(JSC::CodeBlock::hasOptimizedReplacement):
(JSC::CodeBlock::optimizationThresholdScalingFactor):
(JSC::CodeBlock::checkIfOptimizationThresholdReached):
(JSC::CodeBlock::optimizeNextInvocation):
(JSC::CodeBlock::dontOptimizeAnytimeSoon):
(JSC::CodeBlock::optimizeAfterWarmUp):
(JSC::CodeBlock::optimizeAfterLongWarmUp):
(JSC::CodeBlock::optimizeSoon):
(JSC::CodeBlock::forceOptimizationSlowPathConcurrently):
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllArrayPredictions):
(JSC::CodeBlock::shouldOptimizeNow):
* bytecode/CodeBlock.h:
(CodeBlock):
(JSC::CodeBlock::jitCompile):
* bytecode/CodeBlockLock.h:
(JSC):
* bytecode/ExecutionCounter.cpp:
(JSC::ExecutionCounter::forceSlowPathConcurrently):
(JSC):
(JSC::ExecutionCounter::setThreshold):
* bytecode/ExecutionCounter.h:
(ExecutionCounter):
* debugger/Debugger.cpp:
(JSC::Debugger::recompileAllJSFunctions):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
(JSC::DFG::ByteCodeParser::getArrayMode):
(JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
* dfg/DFGCommon.h:
(JSC::DFG::enableConcurrentJIT):
(DFG):
* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
* dfg/DFGGraph.h:
(Graph):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOperations.cpp:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::key):
(DFG):
* dfg/DFGPlan.h:
(DFG):
(Plan):
* dfg/DFGWorklist.cpp: Added.
(DFG):
(JSC::DFG::Worklist::Worklist):
(JSC::DFG::Worklist::~Worklist):
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::create):
(JSC::DFG::Worklist::enqueue):
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllPlansForVM):
(JSC::DFG::Worklist::queueLength):
(JSC::DFG::Worklist::dump):
(JSC::DFG::Worklist::runThread):
(JSC::DFG::Worklist::threadFunction):
(JSC::DFG::initializeGlobalWorklistOnce):
(JSC::DFG::globalWorklist):
* dfg/DFGWorklist.h: Added.
(DFG):
(Worklist):
* heap/CopiedSpaceInlines.h:
(JSC::CopiedSpace::allocateBlock):
* heap/DeferGC.h: Added.
(JSC):
(DeferGC):
(JSC::DeferGC::DeferGC):
(JSC::DeferGC::~DeferGC):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::reportExtraMemoryCostSlowCase):
(JSC::Heap::collectAllGarbage):
20844 (JSC::Heap::collect):
20845 (JSC::Heap::collectIfNecessaryOrDefer):
20846 (JSC):
20847 (JSC::Heap::incrementDeferralDepth):
20848 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
20849 * heap/Heap.h:
20850 (Heap):
20851 (JSC::Heap::isCollecting):
20852 (JSC):
20853 * heap/MarkedAllocator.cpp:
20854 (JSC::MarkedAllocator::allocateSlowCase):
20855 * jit/JIT.cpp:
20856 (JSC::JIT::privateCompile):
20857 * jit/JIT.h:
20858 * jit/JITStubs.cpp:
20859 (JSC::DEFINE_STUB_FUNCTION):
20860 * llint/LLIntSlowPaths.cpp:
20861 (JSC::LLInt::jitCompileAndSetHeuristics):
20862 (JSC::LLInt::entryOSR):
20863 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
20864 * profiler/ProfilerBytecodes.h:
20865 * runtime/ConcurrentJITLock.h: Added.
20866 (JSC):
20867 * runtime/ExecutionHarness.h:
20868 (JSC::replaceWithDeferredOptimizedCode):
20869 * runtime/JSSegmentedVariableObject.cpp:
20870 (JSC::JSSegmentedVariableObject::findRegisterIndex):
20871 (JSC::JSSegmentedVariableObject::addRegisters):
20872 * runtime/JSSegmentedVariableObject.h:
20873 (JSSegmentedVariableObject):
20874 * runtime/Options.h:
20875 (JSC):
20876 * runtime/Structure.h:
20877 (Structure):
20878 * runtime/StructureInlines.h:
20879 (JSC::Structure::propertyTable):
20880 * runtime/SymbolTable.h:
20881 (SymbolTable):
20882 * runtime/VM.cpp:
20883 (JSC::VM::VM):
20884 (JSC::VM::~VM):
20885 (JSC::VM::prepareToDiscardCode):
20886 (JSC):
20887 (JSC::VM::discardAllCode):
20888 (JSC::VM::releaseExecutableMemory):
20889 * runtime/VM.h:
20890 (DFG):
20891 (VM):
20892
20893 2013-05-17 Mark Hahnenberg <mhahnenberg@apple.com>
20894
20895 CheckArrays should be hoisted
20896 https://bugs.webkit.org/show_bug.cgi?id=116353
20897
20898 Performance neutral. This will be more important when we start depending on CheckArray for flat arrays.
20899
20900 Reviewed by Filip Pizlo.
20901
20902 * dfg/DFGAbstractState.cpp: Add ForwardCheckArray to wherever we had a CheckArray before.
20903 (JSC::DFG::AbstractState::executeEffects):
20904 * dfg/DFGArgumentsSimplificationPhase.cpp:
20905 (JSC::DFG::ArgumentsSimplificationPhase::run):
20906 * dfg/DFGArrayMode.h:
20907 (JSC::DFG::ArrayMode::isContravenedByStructure): Checks if the ArrayMode derived from a specific Structure
20908 would contradict the ArrayModes that would be filtered by the current ArrayMode. This is used to detect
20909 if any specific CheckStructures would contradict our CheckArray so that we can defer to the CheckStructure's
20910 judgment.
20911 * dfg/DFGByteCodeParser.cpp: Fill in checkArrayHoistingFailed where we previously exited due to a BadIndexingType.
20912 (JSC::DFG::ByteCodeParser::setLocal):
20913 (JSC::DFG::ByteCodeParser::setArgument):
20914 (JSC::DFG::ByteCodeParser::parseBlock):
20915 * dfg/DFGCSEPhase.cpp:
20916 (JSC::DFG::CSEPhase::checkArrayElimination):
20917 (JSC::DFG::CSEPhase::performNodeCSE):
20918 * dfg/DFGConstantFoldingPhase.cpp:
20919 (JSC::DFG::ConstantFoldingPhase::foldConstants):
20920 * dfg/DFGFixupPhase.cpp:
20921 (JSC::DFG::FixupPhase::fixupNode):
20922 * dfg/DFGNode.h:
20923 (JSC::DFG::Node::hasArrayMode):
20924 * dfg/DFGNodeType.h: New ForwardCheckArray node type.
20925 * dfg/DFGPredictionPropagationPhase.cpp:
20926 (JSC::DFG::PredictionPropagationPhase::propagate):
20927 * dfg/DFGSpeculativeJIT32_64.cpp:
20928 (JSC::DFG::SpeculativeJIT::compile):
20929 * dfg/DFGSpeculativeJIT64.cpp:
20930 (JSC::DFG::SpeculativeJIT::compile):
20931 * dfg/DFGTypeCheckHoistingPhase.cpp: Refactored most of TypeCheckHoistingPhase into separate functions, some
20932 of which are now generic to both CheckStructure and CheckArray hoisting while others are specific to one or the
20933 other. Both of the non-zero CheckBallot values must be 1 because we use them as an index into an array of
20934 length 2 inside the VariableAccessData.
20935 (CheckData): Moved structure outside of TypeCheckHoistingPhase so that ArrayTypeCheck and StructureTypeCheck
20936 can access it. Also added new fields for tracking ArrayModes. We need the m_arrayModeIsValid because there
20937 isn't a good sentinel value for "this ArrayMode is invalid and meaningless" like there is for m_structure.
20938 We need m_arrayModeHoistingOkay for when we want to permanently disable hoisting for that particular variable.
20939 (JSC::DFG::CheckData::CheckData):
20940 (JSC::DFG::CheckData::disableCheckArrayHoisting): Helper function for disabling CheckArray hoisting for a
20941 specific CheckData.
20942 (JSC::DFG::TypeCheckHoistingPhase::run): We now do both CheckStructure and CheckArray hoisting, although we prefer
20943 CheckStructure hoisting when given the possibility to do both.
20944 (TypeCheckHoistingPhase):
20945 (JSC::DFG::TypeCheckHoistingPhase::clearVariableVotes): Clears all of the VariableAccessData votes since they
20946 can only have two types of votes at any particular time.
20947 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
20948 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): Very similar to identifyRedundantStructureChecks,
20949 but with a few different nodes that are important, namely CheckArray (instead of CheckStructure) and the Arrayify-like
20950 nodes always disable hoisting since they always change the IndexingType.
20951 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingForVariablesWithInsufficientVotes):
20952 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
20953 (JSC::DFG::TypeCheckHoistingPhase::disableCheckArrayHoisting): Helper that looks up the CheckData for the
20954 specified variable and disables CheckArray hoisting on it.
20955 (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting):
20956 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
20957 (JSC::DFG::TypeCheckHoistingPhase::noticeCheckArray):
20958 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): We want to take CheckStructure nodes
20959 into account when hoisting CheckArrays, so we make sure that if we contradict what a CheckStructure says then we
20960 give up on hoisting the CheckArray.
20961 (JSC::DFG::ArrayTypeCheck::isValidToHoist):
20962 (ArrayTypeCheck): Structure that houses some of the specifics on how to hoist CheckArrays. This structure
20963 is used as a template argument to allow some of the very similar code to be statically parameterized and reused
20964 for both CheckStructure and CheckArray hoisting.
20965 (JSC::DFG::ArrayTypeCheck::disableHoisting):
20966 (JSC::DFG::ArrayTypeCheck::isContravenedByValue):
20967 (JSC::DFG::ArrayTypeCheck::hasEnoughVotesToHoist):
20968 (JSC::DFG::ArrayTypeCheck::hoistingPreviouslyFailed):
20969 (JSC::DFG::StructureTypeCheck::isValidToHoist):
20970 (StructureTypeCheck): Same as ArrayTypeCheck, but specific to CheckStructure hoisting.
20971 (JSC::DFG::StructureTypeCheck::disableHoisting):
20972 (JSC::DFG::StructureTypeCheck::isContravenedByValue):
20973 (JSC::DFG::StructureTypeCheck::hasEnoughVotesToHoist):
20974 (JSC::DFG::StructureTypeCheck::hoistingPreviouslyFailed):
20975 * dfg/DFGUnificationPhase.cpp: Added merging of whether or not CheckArray hoisting failed.
20976 (JSC::DFG::UnificationPhase::run):
20977 * dfg/DFGVariableAccessData.h:
20978 (JSC::DFG::VariableAccessData::VariableAccessData):
20979 (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
20980 (VariableAccessData):
20981 (JSC::DFG::VariableAccessData::checkArrayHoistingFailed):
20982 * runtime/Options.h:
20983
20984 2013-05-17 Filip Pizlo <fpizlo@apple.com>
20985
20986 fourthTier: getCTIStub should be thread-safe
20987 https://bugs.webkit.org/show_bug.cgi?id=116126
20988
20989 Reviewed by Dan Bernstein.
20990
20991 It's called from the compilation thread. Give it locks.
20992
20993 * jit/JITThunks.cpp:
20994 (JSC::JITThunks::ctiStub):
20995 (JSC::JITThunks::hostFunctionStub):
20996 * jit/JITThunks.h:
20997 (JITThunks):
20998
20999 2013-05-17 Filip Pizlo <fpizlo@apple.com>
21000
21001 fourthTier: Executable and CodeBlock should be aware of DFG::Plans that complete asynchronously
21002 https://bugs.webkit.org/show_bug.cgi?id=116350
21003
21004 Reviewed by Oliver Hunt.
21005
21006 This refactors compilation so that:
21007
21008 - JITStubs knows exactly what the result of compilation was. For example, if
21009 compilation was deferred, it will now know this.
21010
21011 - The set of things that have to happen to install compiled code is now factored
21012 out into JSC::installOptimizedCode().
21013
21014 - A bunch of the code in Executable.cpp is now made more common to reduce code
21015 duplication. For example, the heap heuristics stuff is now in one place.
21016
21017 * JavaScriptCore.xcodeproj/project.pbxproj:
21018 * bytecode/CodeBlock.cpp:
21019 (JSC::ProgramCodeBlock::compileOptimized):
21020 (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
21021 (JSC):
21022 (JSC::EvalCodeBlock::compileOptimized):
21023 (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
21024 (JSC::FunctionCodeBlock::compileOptimized):
21025 (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
21026 (JSC::ProgramCodeBlock::jitCompileImpl):
21027 (JSC::EvalCodeBlock::jitCompileImpl):
21028 (JSC::FunctionCodeBlock::jitCompileImpl):
21029 * bytecode/CodeBlock.h:
21030 (CodeBlock):
21031 (JSC::CodeBlock::jitCompile):
21032 (ProgramCodeBlock):
21033 (EvalCodeBlock):
21034 (FunctionCodeBlock):
21035 * dfg/DFGDesiredIdentifiers.cpp:
21036 (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
21037 (DFG):
21038 (JSC::DFG::DesiredIdentifiers::at):
21039 * dfg/DFGDesiredIdentifiers.h:
21040 (JSC):
21041 (DesiredIdentifiers):
21042 * dfg/DFGDriver.cpp:
21043 (JSC::DFG::compile):
21044 (JSC::DFG::tryCompile):
21045 (JSC::DFG::tryCompileFunction):
21046 (JSC::DFG::tryFinalizePlan):
21047 (DFG):
21048 * dfg/DFGDriver.h:
21049 (DFG):
21050 (JSC::DFG::tryCompile):
21051 (JSC::DFG::tryCompileFunction):
21052 (JSC::DFG::tryFinalizePlan):
21053 * dfg/DFGGraph.cpp:
21054 (JSC::DFG::Graph::Graph):
21055 * dfg/DFGJITFinalizer.cpp:
21056 (JSC::DFG::JITFinalizer::finalizeCommon):
21057 * dfg/DFGPlan.cpp:
21058 (JSC::DFG::Plan::Plan):
21059 (JSC::DFG::Plan::compileInThread):
21060 (JSC::DFG::Plan::reallyAdd):
21061 * dfg/DFGPlan.h:
21062 (JSC):
21063 (Plan):
21064 (DFG):
21065 * ftl/FTLJITFinalizer.cpp:
21066 (JSC::FTL::JITFinalizer::finalizeFunction):
21067 * jit/JITDriver.h:
21068 (JSC::jitCompileIfAppropriateImpl):
21069 (JSC::jitCompileFunctionIfAppropriateImpl):
21070 (JSC):
21071 (JSC::jitCompileIfAppropriate):
21072 (JSC::jitCompileFunctionIfAppropriate):
21073 * jit/JITStubs.cpp:
21074 (JSC::DEFINE_STUB_FUNCTION):
21075 * llint/LLIntSlowPaths.cpp:
21076 (JSC::LLInt::jitCompileAndSetHeuristics):
21077 * runtime/CompilationResult.cpp: Added.
21078 (WTF):
21079 (WTF::printInternal):
21080 * runtime/CompilationResult.h: Added.
21081 (JSC):
21082 (WTF):
21083 * runtime/Executable.cpp:
21084 (JSC::EvalExecutable::compileOptimized):
21085 (JSC::EvalExecutable::jitCompile):
21086 (JSC::EvalExecutable::compileInternal):
21087 (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
21088 (JSC):
21089 (JSC::ProgramExecutable::compileOptimized):
21090 (JSC::ProgramExecutable::jitCompile):
21091 (JSC::ProgramExecutable::compileInternal):
21092 (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
21093 (JSC::FunctionExecutable::compileOptimizedForCall):
21094 (JSC::FunctionExecutable::compileOptimizedForConstruct):
21095 (JSC::FunctionExecutable::jitCompileForCall):
21096 (JSC::FunctionExecutable::jitCompileForConstruct):
21097 (JSC::FunctionExecutable::compileForCallInternal):
21098 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
21099 (JSC::FunctionExecutable::compileForConstructInternal):
21100 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
21101 * runtime/Executable.h:
21102 (ScriptExecutable):
21103 (EvalExecutable):
21104 (ProgramExecutable):
21105 (FunctionExecutable):
21106 (JSC::FunctionExecutable::compileOptimizedFor):
21107 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
21108 (JSC::FunctionExecutable::jitCompileFor):
21109 * runtime/ExecutionHarness.h:
21110 (JSC::prepareForExecutionImpl):
21111 (JSC::prepareFunctionForExecutionImpl):
21112 (JSC):
21113 (JSC::installOptimizedCode):
21114 (JSC::prepareForExecution):
21115 (JSC::prepareFunctionForExecution):
21116 (JSC::replaceWithDeferredOptimizedCode):
21117
21118 2013-05-16 Mark Hahnenberg <mhahnenberg@apple.com>
21119
21120 observeUseKindOnNode doesn't contain a case for KnownCellUse
21121 https://bugs.webkit.org/show_bug.cgi?id=116130
21122
21123 This would just lead to us being overly conservative when deciding
21124 whether we should unbox GetLocals with KnownCellUse UseKinds.
21125
21126 Reviewed by Filip Pizlo.
21127
21128 * dfg/DFGFixupPhase.cpp:
21129 (JSC::DFG::FixupPhase::observeUseKindOnNode):
21130
21131 2013-05-16 Mark Hahnenberg <mhahnenberg@apple.com>
21132
21133 fourthTier: infrequent segfault in DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks()
21134 https://bugs.webkit.org/show_bug.cgi?id=116134
21135
21136 CodeBlock and JITCode should be ThreadSafeRefCounted. We're going to
21137 start using them on more threads very soon (with concurrent
21138 compilation). This patch also fixes the specific place where we were
21139 superfluously creating a RefPtr.
21140
21141 Reviewed by Oliver Hunt.
21142
21143 * bytecode/CodeBlock.h:
21144 (JSC::CodeBlock::getJITType):
21145 * jit/JITCode.h:
21146
21147 2013-05-16 Mark Lam <mark.lam@apple.com>
21148
21149 Implement a probe mechanism for JIT generated code.
21150 https://bugs.webkit.org/show_bug.cgi?id=115705.
21151
21152 Reviewed by Geoffrey Garen.
21153
21154 Edit: For C++ code, you can do debugging by adding printfs to your
21155 code. For JIT generated code, you can now do the equivalent by
21156 inserting a probe and have it emit a call to your probe function.
21157
21158 The probe is in the form of a MacroAssembler pseudo instruction.
21159 It takes 3 arguments: a ProbeFunction, and 2 void* args.
21160
21161 When inserted into the JIT at some code generation site, the probe
21162 pseudo "instruction" will emit a minimal amount of code to save the
21163 stack pointer, 1 (or more) scratch register(s), and the probe
21164 arguments into a ProbeContext record on the stack. The emitted code
21165 will then call a probe trampoline to do the rest of the work, which
21166 consists of:
21167 1. saving the remaining registers into the ProbeContext.
21168 2. calling the ProbeFunction, and passing it the ProbeContext pointer.
21169 3. restoring the registers from the ProbeContext after the ProbeFunction
21170 returns, and then returning to the JIT generated code.
21171
21172 The ProbeContext is stack allocated and is only valid for the duration
21173 that the ProbeFunction is executing.
21174
21175 If the user supplied ProbeFunction alters the register values in the
21176 ProbeContext, the new values will be installed into the registers upon
21177 returning from the probe. This can be useful for some debugging or
21178 testing purposes.
21179
21180 The probe mechanism is built conditional on USE(MASM_PROBE) which is
21181 defined in config.h. USE(MASM_PROBE) will be off by default.
21182
21183 This changeset only implements the probe mechanism for X86 and X86_64.
21184
21185 * CMakeLists.txt:
21186 * GNUmakefile.list.am:
21187 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
21188 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21189 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
21190 * JavaScriptCore.xcodeproj/project.pbxproj:
21191 * Target.pri:
21192 * assembler/MacroAssembler.h:
21193 (MacroAssembler):
21194 (JSC::MacroAssembler::shouldBlind):
21195 (JSC::MacroAssembler::store32):
21196 * assembler/MacroAssemblerX86.h:
21197 (MacroAssemblerX86):
21198 (JSC::MacroAssemblerX86::trustedImm32FromPtr):
21199 (JSC::MacroAssemblerX86::probe):
21200 * assembler/MacroAssemblerX86Common.cpp: Added.
21201 (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
21202 - CPU specific register dumper called by ProbeContext::dump().
21203 (JSC::MacroAssemblerX86Common::ProbeContext::dump):
21204 - Prints the ProbeContext to the DataLog.
21205 * assembler/MacroAssemblerX86Common.h:
21206 (MacroAssemblerX86Common):
21207 (CPUState): Added.
21208 (ProbeContext): Added.
21209 * assembler/MacroAssemblerX86_64.h:
21210 (MacroAssemblerX86_64):
21211 (JSC::MacroAssemblerX86_64::trustedImm64FromPtr):
21212 (JSC::MacroAssemblerX86_64::probe):
21213 * assembler/X86Assembler.h:
21214 * config.h: Added WTF_USE_MASM_PROBE flag.
21215 * jit/JITStubs.cpp:
21216 * jit/JITStubs.h:
21217 * jit/JITStubsX86.h:
21218 * jit/JITStubsX86Common.h: Added.
21219 * jit/JITStubsX86_64.h:
21220
21221 2013-05-15 Mark Lam <mark.lam@apple.com>
21222
21223 Fix for broken 32-bit build in SpeculativeJIT::checkArray().
21224 https://bugs.webkit.org/show_bug.cgi?id=116184.
21225
21226 Rubber stamped by Mark Hahnenberg.
21227
21228 * dfg/DFGSpeculativeJIT.cpp:
21229 (JSC::DFG::SpeculativeJIT::checkArray):
21230
21231 2013-05-15 Filip Pizlo <fpizlo@apple.com>
21232
21233 fourthTier: DFG should separate link phase into things that must be done concurrently and things that must be done synchronously, and have a way of passing data from one to the other
21234 https://bugs.webkit.org/show_bug.cgi?id=116060
21235
21236 Reviewed by Gavin Barraclough.
21237
21238 This introduces the concept of a DFG::Plan, which corresponds to:
21239
21240 - The data that the concurrent DFG or FTL need to start compiling a CodeBlock.
21241 This mostly includes basic things like CodeBlock*, but also a list of
21242 must-handle values for OSR entry.
21243
21244 - The data that the synchronous linker needs to link in code compiled by a
21245 concurrent compilation thread. This is further encapsulated by DFG::Finalizer,
21246 since the data, and the actions that need to be taken, are different in DFG
21247 versus FTL. This patch also institutes the policy that the concurrent
21248 compilation thread shall not use LinkBuffer::performFinalization(), since that
21249 code assumes that it's running on the same thread that will actually run the
21250 code.
21251
21252 - The actions that need to be taken to compile code. In other words, most of the
21253 code that previously lived in DFGDriver.cpp now lives in
21254 DFG::Plan::compileInThread().
21255
21256 - The actions that need to be taken when synchronously linking the code. This
21257 includes "really" adding watchpoints and identifiers, checking watchpoint and
21258 chain validity, and running the DFG::Finalizer.
21259
21260 Currently, DFGDriver just creates a Plan and runs it synchronously. But in the
21261 future, we will be able to malloc some Plans and enqueue them, and have the
21262 concurrent thread dequeue them and call Plan::compileInThread().
21263
21264 For now, this has no behavior or performance change.
21265
21266 * JavaScriptCore.xcodeproj/project.pbxproj:
21267 * assembler/LinkBuffer.cpp:
21268 (JSC::LinkBuffer::performFinalization):
21269 * assembler/LinkBuffer.h:
21270 (LinkBuffer):
21271 (JSC::LinkBuffer::LinkBuffer):
21272 (JSC::LinkBuffer::~LinkBuffer):
21273 * dfg/DFGAbstractState.cpp:
21274 (JSC::DFG::AbstractState::initialize):
21275 (JSC::DFG::AbstractState::executeEffects):
21276 * dfg/DFGAbstractValue.cpp:
21277 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
21278 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
21279 * dfg/DFGByteCodeParser.cpp:
21280 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
21281 (JSC::DFG::ByteCodeParser::handleGetById):
21282 (JSC::DFG::ByteCodeParser::parseResolveOperations):
21283 (JSC::DFG::ByteCodeParser::parseBlock):
21284 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
21285 (JSC::DFG::ByteCodeParser::parseCodeBlock):
21286 * dfg/DFGConstantFoldingPhase.cpp:
21287 (JSC::DFG::ConstantFoldingPhase::foldConstants):
21288 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
21289 * dfg/DFGDriver.cpp:
21290 (DFG):
21291 (JSC::DFG::compile):
21292 * dfg/DFGFailedFinalizer.cpp: Added.
21293 (DFG):
21294 (JSC::DFG::FailedFinalizer::FailedFinalizer):
21295 (JSC::DFG::FailedFinalizer::~FailedFinalizer):
21296 (JSC::DFG::FailedFinalizer::finalize):
21297 (JSC::DFG::FailedFinalizer::finalizeFunction):
21298 * dfg/DFGFailedFinalizer.h: Added.
21299 (DFG):
21300 (FailedFinalizer):
21301 * dfg/DFGFinalizer.cpp: Added.
21302 (DFG):
21303 (JSC::DFG::Finalizer::Finalizer):
21304 (JSC::DFG::Finalizer::~Finalizer):
21305 * dfg/DFGFinalizer.h: Added.
21306 (DFG):
21307 (Finalizer):
21308 * dfg/DFGFixupPhase.cpp:
21309 (JSC::DFG::FixupPhase::fixupNode):
21310 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
21311 * dfg/DFGGraph.cpp:
21312 (JSC::DFG::Graph::Graph):
21313 (JSC::DFG::Graph::dump):
21314 (DFG):
21315 * dfg/DFGGraph.h:
21316 (Graph):
21317 (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
21318 (JSC::DFG::Graph::compilation):
21319 (JSC::DFG::Graph::identifiers):
21320 (JSC::DFG::Graph::watchpoints):
21321 (JSC::DFG::Graph::chains):
21322 * dfg/DFGJITCompiler.cpp:
21323 (JSC::DFG::JITCompiler::linkOSRExits):
21324 (JSC::DFG::JITCompiler::link):
21325 (JSC::DFG::JITCompiler::compile):
21326 (JSC::DFG::JITCompiler::compileFunction):
21327 (JSC::DFG::JITCompiler::linkFunction):
21328 (DFG):
21329 (JSC::DFG::JITCompiler::disassemble):
21330 * dfg/DFGJITCompiler.h:
21331 (JITCompiler):
21332 (JSC::DFG::JITCompiler::addLazily):
21333 * dfg/DFGJITFinalizer.cpp: Added.
21334 (DFG):
21335 (JSC::DFG::JITFinalizer::JITFinalizer):
21336 (JSC::DFG::JITFinalizer::~JITFinalizer):
21337 (JSC::DFG::JITFinalizer::finalize):
21338 (JSC::DFG::JITFinalizer::finalizeFunction):
21339 (JSC::DFG::JITFinalizer::finalizeCommon):
21340 * dfg/DFGJITFinalizer.h: Added.
21341 (DFG):
21342 (JITFinalizer):
21343 * dfg/DFGPlan.cpp: Added.
21344 (DFG):
21345 (JSC::DFG::dumpAndVerifyGraph):
21346 (JSC::DFG::Plan::Plan):
21347 (JSC::DFG::Plan::~Plan):
21348 (JSC::DFG::Plan::compileInThread):
21349 (JSC::DFG::Plan::isStillValid):
21350 (JSC::DFG::Plan::reallyAdd):
21351 (JSC::DFG::Plan::finalize):
21352 * dfg/DFGPlan.h: Added.
21353 (DFG):
21354 (Plan):
21355 (JSC::DFG::Plan::vm):
21356 * dfg/DFGPredictionInjectionPhase.cpp:
21357 (JSC::DFG::PredictionInjectionPhase::run):
21358 * dfg/DFGSpeculativeJIT.h:
21359 (JSC::DFG::SpeculativeJIT::identifierUID):
21360 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
21361 * dfg/DFGTypeCheckHoistingPhase.cpp:
21362 (JSC::DFG::TypeCheckHoistingPhase::run):
21363 * ftl/FTLGeneratedFunction.h: Added.
21364 (FTL):
21365 * ftl/FTLJITFinalizer.cpp: Added.
21366 (FTL):
21367 (JSC::FTL::JITFinalizer::JITFinalizer):
21368 (JSC::FTL::JITFinalizer::~JITFinalizer):
21369 (JSC::FTL::JITFinalizer::finalize):
21370 (JSC::FTL::JITFinalizer::finalizeFunction):
21371 * ftl/FTLJITFinalizer.h: Added.
21372 (FTL):
21373 (JITFinalizer):
21374 (JSC::FTL::JITFinalizer::initializeExitThunksLinkBuffer):
21375 (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
21376 (JSC::FTL::JITFinalizer::initializeCode):
21377 (JSC::FTL::JITFinalizer::initializeFunction):
21378 (JSC::FTL::JITFinalizer::initializeArityCheck):
21379 (JSC::FTL::JITFinalizer::initializeJITCode):
21380 * ftl/FTLLink.cpp:
21381 (JSC::FTL::link):
21382 * ftl/FTLLink.h:
21383 (FTL):
21384 * ftl/FTLLowerDFGToLLVM.cpp:
21385 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
21386 * ftl/FTLState.cpp:
21387 (JSC::FTL::State::State):
21388 * ftl/FTLState.h:
21389 (FTL):
21390 (State):
21391
21392 2013-05-14 Mark Lam <mark.lam@apple.com>
21393
21394 Refactor JITStubs.cpp to move CPU specific parts out into their own files.
21395 https://bugs.webkit.org/show_bug.cgi?id=116135.
21396
21397 Reviewed by Michael Saboff.
21398
21399 This mod only moves the CPU specific parts out. There is no code change.
21400 Tested on debug builds of X86, X86_64, ARM and ARMv7. The SH4 and MIPS
21401 ports are untested. The Windows port is also untested.
21402
21403 * GNUmakefile.list.am:
21404 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
21405 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21406 * JavaScriptCore.xcodeproj/project.pbxproj:
21407 * jit/JITStubs.cpp:
21408 (JSC::performPlatformSpecificJITAssertions):
21409 * jit/JITStubsARM.h: Added.
21410 (JSC::ctiTrampoline):
21411 (JSC::ctiTrampolineEnd):
21412 (JSC::ctiVMThrowTrampoline):
21413 (JSC::ctiOpThrowNotCaught):
21414 (JSC::performARMJITAssertions):
21415 * jit/JITStubsARMv7.h: Added.
21416 (JSC::ctiTrampoline):
21417 (JSC::ctiVMThrowTrampoline):
21418 (JSC::ctiOpThrowNotCaught):
21419 (JSC::performARMv7JITAssertions):
21420 * jit/JITStubsMIPS.h: Added.
21421 (JSC::performMIPSJITAssertions):
21422 * jit/JITStubsSH4.h: Added.
21423 * jit/JITStubsX86.h: Added.
21424 * jit/JITStubsX86_64.h: Added.
21425
21426 2013-05-14 Mark Hahnenberg <mhahnenberg@apple.com>
21427
21428 fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled
21429 https://bugs.webkit.org/show_bug.cgi?id=116082
21430
21431 It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the
21432 baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable. The fix is to
21433 check if we're the baseline version in baselineVersion() and return this if so.
21434
21435 Reviewed by Filip Pizlo.
21436
21437 * bytecode/CodeBlock.h:
21438 (JSC::CodeBlock::baselineVersion):
21439
21440 2013-05-11 Mark Hahnenberg <mhahnenberg@apple.com>
21441
21442 Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase
21443 https://bugs.webkit.org/show_bug.cgi?id=115938
21444
21445 We're going to add some more types of check hoisting soon, so let's have
21446 the right name here.
21447
21448 Rubber stamped by Filip Pizlo.
21449
21450 * CMakeLists.txt:
21451 * GNUmakefile.list.am:
21452 * JavaScriptCore.xcodeproj/project.pbxproj:
21453 * Target.pri:
21454 * dfg/DFGDriver.cpp:
21455 (JSC::DFG::compile):
21456 * dfg/DFGStructureCheckHoistingPhase.cpp: Removed.
21457 * dfg/DFGStructureCheckHoistingPhase.h: Removed.
21458 * dfg/DFGTypeCheckHoistingPhase.cpp: Added.
21459 (DFG):
21460 (TypeCheckHoistingPhase):
21461 (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase):
21462 (JSC::DFG::TypeCheckHoistingPhase::run):
21463 (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting):
21464 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
21465 (CheckData):
21466 (JSC::DFG::TypeCheckHoistingPhase::CheckData::CheckData):
21467 (JSC::DFG::performTypeCheckHoisting):
21468 * dfg/DFGTypeCheckHoistingPhase.h: Added.
21469
21470 2013-05-10 Mark Hahnenberg <mhahnenberg@apple.com>
21471
21472 SpeculativeJIT::checkArray should use the correct ExitKind
21473 https://bugs.webkit.org/show_bug.cgi?id=115943
21474
21475 Currently it uses Uncountable, which gives us no information if we end up exiting due to a
21476 mismatched ClassInfo pointer. It should instead use BadType and should pass the correct
21477 JSValueSource and Node instead of passing empty values.
21478
21479 Reviewed by Filip Pizlo.
21480
21481 * dfg/DFGSpeculativeJIT.cpp:
21482 (JSC::DFG::SpeculativeJIT::checkArray):
21483
21484 2013-05-11 Filip Pizlo <fpizlo@apple.com>
21485
21486 fourthTier: FTL should support Jump and ForceOSRExit
21487 https://bugs.webkit.org/show_bug.cgi?id=115942
21488
21489 Reviewed by Oliver Hunt.
21490
21491 Added two obvious nodes: Jump and ForceOSRExit. We already had everything we needed
21492 to support them.
21493
21494 Adding these increases our coverage a fair bit, and revealed a bug: LLVM's full
21495 instruction selector currently appears to mishandle doubles in constant pools (or
21496 just constant pools in general) with the small code model in the MCJIT. But switching
21497 to FastISel "fixes" it. That's what this patch does, for now. This will probably
21498 actually be permanent; the FastISel does pretty much everything we would ever want,
21499 at least in the foreseeable future.
21500
21501 * ftl/FTLCapabilities.cpp:
21502 (JSC::FTL::canCompile):
21503 (FTL):
21504 * ftl/FTLCompile.cpp:
21505 (JSC::FTL::compile):
21506 * ftl/FTLLowerDFGToLLVM.cpp:
21507 (JSC::FTL::LowerDFGToLLVM::compileBlock):
21508 (JSC::FTL::LowerDFGToLLVM::compileNode):
21509 (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
21510 (LowerDFGToLLVM):
21511 (JSC::FTL::LowerDFGToLLVM::compileJump):
21512 (JSC::FTL::LowerDFGToLLVM::compileReturn):
21513 (JSC::FTL::LowerDFGToLLVM::compileForceOSRExit):
21514 * runtime/Options.h:
21515 (JSC):
21516
21517 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21518
21519 fourthTier: FTL should support CompareStrictEqConstant
21520 https://bugs.webkit.org/show_bug.cgi?id=115941
21521
21522 Reviewed by Mark Hahnenberg.
21523
21524 Pretty simple, but factors out the craziness of comparing against null or undefined
21525 in a way that is reusable for both == and ===.
21526
21527 * ftl/FTLCapabilities.cpp:
21528 (JSC::FTL::canCompile):
21529 * ftl/FTLLowerDFGToLLVM.cpp:
21530 (JSC::FTL::LowerDFGToLLVM::compileNode):
21531 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
21532 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
21533 (LowerDFGToLLVM):
21534 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
21535
21536 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21537
21538 fourthTier: FTL should support CompareEqConstant
21539 https://bugs.webkit.org/show_bug.cgi?id=115939
21540
21541 Reviewed by Oliver Hunt and Mark Hahnenberg.
21542
21543 The most interesting part of this patch is the way I make it easier to deal with
21544 the inputs to Phi functions. This adds the notion of ValueFromBlock, which you
21545 can get by doing m_out.anchor(value). You can build up a vector of these, and then
21546 pass them to m_out.phi(type, vector) in one go.
21547
21548 * JavaScriptCore.xcodeproj/project.pbxproj:
21549 * ftl/FTLAbbreviatedTypes.h: Added.
21550 (FTL):
21551 * ftl/FTLAbbreviations.h:
21552 (FTL):
21553 (JSC::FTL::addIncoming):
21554 (JSC::FTL::buildPhi):
21555 * ftl/FTLAbstractHeapRepository.h:
21556 (FTL):
21557 * ftl/FTLCapabilities.cpp:
21558 (JSC::FTL::canCompile):
21559 * ftl/FTLLowerDFGToLLVM.cpp:
21560 (JSC::FTL::LowerDFGToLLVM::compileNode):
21561 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
21562 (LowerDFGToLLVM):
21563 (JSC::FTL::LowerDFGToLLVM::lowDouble):
21564 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
21565 * ftl/FTLOutput.h:
21566 (JSC::FTL::Output::phi):
21567 (Output):
21568 (JSC::FTL::Output::anchor):
21569 * ftl/FTLValueFromBlock.h: Added.
21570 (FTL):
21571 (ValueFromBlock):
21572 (JSC::FTL::ValueFromBlock::ValueFromBlock):
21573 (JSC::FTL::ValueFromBlock::value):
21574 (JSC::FTL::ValueFromBlock::block):
21575
215762013-05-10 Filip Pizlo <fpizlo@apple.com>
21577
21578 fourthTier: FTL should support CompareStrictEq
21579 https://bugs.webkit.org/show_bug.cgi?id=115927
21580
21581 Reviewed by Mark Hahnenberg.
21582
21583 Do the sensible thing, and make it so that for common cases, CompareEq is
21584 implemented in terms of CompareStrictEq in the FTL backend. All of the cases
21585 we currently support can be done this way.
21586
21587 * ftl/FTLCapabilities.cpp:
21588 (JSC::FTL::canCompile):
21589 * ftl/FTLLowerDFGToLLVM.cpp:
21590 (JSC::FTL::LowerDFGToLLVM::compileNode):
21591 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
21592 (LowerDFGToLLVM):
21593 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
21594
215952013-05-10 Filip Pizlo <fpizlo@apple.com>
21596
21597 fourthTier: FTL should support Int32ToDouble
21598 https://bugs.webkit.org/show_bug.cgi?id=115926
21599
21600 Reviewed by Mark Hahnenberg.
21601
21602 This node exists mainly to help the DFG see that a node may have both an int
21603 and a double representation. But in the FTL, nodes already have multiple
21604 representations. So this is just a no-op for the FTL.
21605
21606 I considered making it so that the node isn't even inserted if we're doing
21607 FTL compilation, but that would have required a bunch of conditionalizing in
21608 the DFG's optimization phases, which sort of expect this node to be present
21609 and necessary.
21610
21611 * ftl/FTLCapabilities.cpp:
21612 (JSC::FTL::canCompile):
21613 * ftl/FTLLowerDFGToLLVM.cpp:
21614 (JSC::FTL::LowerDFGToLLVM::compileNode):
21615 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
21616 (LowerDFGToLLVM):
21617
216182013-05-10 Filip Pizlo <fpizlo@apple.com>
21619
21620 fourthTier: FTL should support LogicalNot
21621 https://bugs.webkit.org/show_bug.cgi?id=115924
21622
21623 Reviewed by Mark Hahnenberg.
21624
21625 * ftl/FTLAbbreviations.h:
21626 (JSC::FTL::buildNot):
21627 * ftl/FTLCapabilities.cpp:
21628 (JSC::FTL::canCompile):
21629 * ftl/FTLLowerDFGToLLVM.cpp:
21630 (JSC::FTL::LowerDFGToLLVM::compileNode):
21631 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
21632 (LowerDFGToLLVM):
21633 * ftl/FTLOutput.h:
21634 (JSC::FTL::Output::bitNot):
21635
216362013-05-10 Filip Pizlo <fpizlo@apple.com>
21637
21638 fourthTier: FTL should support CompareGreater, CompareLessEq, and CompareGreaterEq
21639 https://bugs.webkit.org/show_bug.cgi?id=115923
21640
21641 Reviewed by Mark Hahnenberg.
21642
21643 Also fixed a bug where double CompareLess would assert.
21644
21645 * ftl/FTLCapabilities.cpp:
21646 (JSC::FTL::canCompile):
21647 * ftl/FTLLowerDFGToLLVM.cpp:
21648 (JSC::FTL::LowerDFGToLLVM::compileNode):
21649 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
21650 (LowerDFGToLLVM):
21651 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
21652 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
21653 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
21654
216552013-05-10 Filip Pizlo <fpizlo@apple.com>
21656
21657 fourthTier: FTL CompareEq ObjectUse should handle masquerading
21658 https://bugs.webkit.org/show_bug.cgi?id=115920
21659
21660 Reviewed by Mark Hahnenberg.
21661
21662 We don't yet support watchpoints, but this does all the wiring right up to the
21663 part where we would have emitted watchpoints. I've also written this in a way that
21664 makes it easy to use the case where you would have anyway speculated non-masquerading
21665 even if the watchpoint was invalidated.
21666
21667 This is inherently racy, of course: but the only race here is that you might first
21668 set the watchpoint, and then the watchpoint is invalidated, and then you compile rest
21669 of the code in a way that doesn't need the watchpoint. That's fine, since the FTL
21670 will remember that it had set the watchpoint and then cancel the compilation.
21671
21672 * ftl/FTLAbbreviations.h:
21673 (JSC::FTL::int8Type):
21674 * ftl/FTLAbstractHeapRepository.h:
21675 (FTL):
21676 * ftl/FTLCommonValues.cpp:
21677 (JSC::FTL::CommonValues::CommonValues):
21678 * ftl/FTLCommonValues.h:
21679 (CommonValues):
21680 * ftl/FTLLowerDFGToLLVM.cpp:
21681 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
21682 (JSC::FTL::LowerDFGToLLVM::lowNonNullObject):
21683 (LowerDFGToLLVM):
21684 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
21685 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
21686 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
21687 * ftl/FTLOutput.h:
21688 (JSC::FTL::Output::constInt8):
21689 (JSC::FTL::Output::load8):
21690 (JSC::FTL::Output::isZero8):
21691 (JSC::FTL::Output::notZero8):
21692 (JSC::FTL::Output::testIsZero8):
21693 (JSC::FTL::Output::testNonZero8):
21694
216952013-05-09 Filip Pizlo <fpizlo@apple.com>
21696
21697 fourthTier: DFG shouldn't allocate in the GC heap
21698 https://bugs.webkit.org/show_bug.cgi?id=115598
21699
21700 Reviewed by Geoffrey Garen.
21701
21702 I believe that we've now fixed this, and this patch just adds the relevant assertion.
21703
21704 * runtime/JSCellInlines.h:
21705 (JSC::JSCell::JSCell):
21706
217072013-05-09 Filip Pizlo <fpizlo@apple.com>
21708
21709 fourthTier: CodeBlock should be RefCounted
21710 https://bugs.webkit.org/show_bug.cgi?id=115594
21711
21712 Reviewed by Geoffrey Garen.
21713
21714 This makes it possible to have the currently-being-compiled CodeBlock not be
21715 installed in Executable, while also allowing it to point to its intended
21716 alternative(). So long as we were using ownership and not reference counting, it
21717 would have been difficult to have both CodeBlock::m_alternative and
21718 Executable::m_codeBlockForBlah point to the previous CodeBlock.
21719
21720 I also took the opportunity to clean up a bunch of code that appears to have
21721 rotted.
21722
21723 * assembler/MacroAssemblerCodeRef.h:
21724 (MacroAssemblerCodePtr):
21725 (JSC::MacroAssemblerCodePtr::operator==):
21726 * bytecode/CodeBlock.cpp:
21727 (JSC::CodeBlock::CodeBlock):
21728 * bytecode/CodeBlock.h:
21729 (JSC::CodeBlock::releaseAlternative):
21730 (JSC::CodeBlock::setAlternative):
21731 (CodeBlock):
21732 (JSC::GlobalCodeBlock::GlobalCodeBlock):
21733 (JSC::ProgramCodeBlock::ProgramCodeBlock):
21734 (JSC::EvalCodeBlock::EvalCodeBlock):
21735 (JSC::FunctionCodeBlock::FunctionCodeBlock):
21736 * heap/DFGCodeBlocks.cpp:
21737 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
21738 (JSC::DFGCodeBlocks::jettison):
21739 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
21740 * heap/DFGCodeBlocks.h:
21741 (DFGCodeBlocks):
21742 * heap/Heap.cpp:
21743 (JSC::Heap::jettisonDFGCodeBlock):
21744 * heap/Heap.h:
21745 * jit/JITDriver.h:
21746 (JSC::jitCompileIfAppropriate):
21747 (JSC::jitCompileFunctionIfAppropriate):
21748 * runtime/Executable.cpp:
21749 (JSC::jettisonCodeBlock):
21750 (JSC::EvalExecutable::jitCompile):
21751 (JSC::EvalExecutable::compileInternal):
21752 (JSC::ProgramExecutable::jitCompile):
21753 (JSC::ProgramExecutable::compileInternal):
21754 (JSC::FunctionExecutable::jitCompileForCall):
21755 (JSC::FunctionExecutable::jitCompileForConstruct):
21756 (JSC::FunctionExecutable::produceCodeBlockFor):
21757 (JSC::FunctionExecutable::compileForCallInternal):
21758 (JSC::FunctionExecutable::compileForConstructInternal):
21759 * runtime/Executable.h:
21760 (EvalExecutable):
21761 (FunctionExecutable):
21762 (JSC::FunctionExecutable::codeBlockFor):
21763 * runtime/ExecutionHarness.h:
21764 (JSC::prepareForExecution):
21765 (JSC::prepareFunctionForExecution):
21766
217672013-05-09 Filip Pizlo <fpizlo@apple.com>
21768
21769 fourthTier: DFG should have its own notion of StructureChain, and it should be possible to validate it after compilation finishes
21770 https://bugs.webkit.org/show_bug.cgi?id=115841
21771
21772 Reviewed by Oliver Hunt.
21773
21774 This adds IntendedStructureChain, which is like StructureChain, except that it holds a bit
21775 more information and can be validated independantly of its owning Structure and lexical
21776 GlobalObject, since it remembers both of those things. It's also malloc'd and RefCounted
21777 rather than GC'd, so it can be allocated in a concurrent compilation thread.
21778
21779 Gave this class a bunch of methods to allow the following idiom:
21780
21781 - Snapshot a structure chain concurrently. This structure chain may end up being
21782 wrong in case of races, but in that case we will find out when we try to validate
21783 it.
21784
21785 - Perform validation on the structure chain itself, without recomputing the chain.
21786 Previously, many chain validation methods (prototypeChainMayInterceptStoreTo() for
21787 example) recomputed the chain, and hence, were inherently racy: you could build one
21788 chain and then validate against a different chain, and hence not realize that the
21789 chain you did build was actually broken for your purposes, because the chain you
21790 checked was a different one.
21791
21792 - Validate that the chain is still the right one at any time, allowing the cancellation
21793 of compilation if there was a race.
21794
21795 Also added DFG::DesiredStructureChains, which tracks those intended structure chains that
21796 the compiler had already chosen to use. If any of those are invalid at link time, throw
21797 out the compilation.
21798
21799 * JavaScriptCore.xcodeproj/project.pbxproj:
21800 * bytecode/GetByIdStatus.cpp:
21801 (JSC::GetByIdStatus::computeForChain):
21802 (JSC::GetByIdStatus::computeFor):
21803 * bytecode/GetByIdStatus.h:
21804 (JSC::GetByIdStatus::GetByIdStatus):
21805 (JSC::GetByIdStatus::chain):
21806 (GetByIdStatus):
21807 * bytecode/PutByIdStatus.cpp:
21808 (JSC::PutByIdStatus::computeFromLLInt):
21809 (JSC::PutByIdStatus::computeFor):
21810 * bytecode/PutByIdStatus.h:
21811 (JSC::PutByIdStatus::PutByIdStatus):
21812 (JSC::PutByIdStatus::structureChain):
21813 (PutByIdStatus):
21814 * dfg/DFGAbstractState.cpp:
21815 (JSC::DFG::AbstractState::executeEffects):
21816 * dfg/DFGByteCodeParser.cpp:
21817 (JSC::DFG::ByteCodeParser::handleGetById):
21818 (JSC::DFG::ByteCodeParser::parseBlock):
21819 * dfg/DFGConstantFoldingPhase.cpp:
21820 (JSC::DFG::ConstantFoldingPhase::foldConstants):
21821 * dfg/DFGDesiredStructureChains.cpp: Added.
21822 (DFG):
21823 (JSC::DFG::DesiredStructureChains::DesiredStructureChains):
21824 (JSC::DFG::DesiredStructureChains::~DesiredStructureChains):
21825 (JSC::DFG::DesiredStructureChains::areStillValid):
21826 * dfg/DFGDesiredStructureChains.h: Added.
21827 (DFG):
21828 (DesiredStructureChains):
21829 (JSC::DFG::DesiredStructureChains::addLazily):
21830 * dfg/DFGGraph.cpp:
21831 (JSC::DFG::Graph::isStillValid):
21832 (DFG):
21833 * dfg/DFGGraph.h:
21834 (Graph):
21835 * dfg/DFGJITCompiler.cpp:
21836 (JSC::DFG::JITCompiler::link):
21837 (JSC::DFG::JITCompiler::linkFunction):
21838 * ftl/FTLLink.cpp:
21839 (JSC::FTL::link):
21840 * runtime/IntendedStructureChain.cpp: Added.
21841 (JSC):
21842 (JSC::IntendedStructureChain::IntendedStructureChain):
21843 (JSC::IntendedStructureChain::~IntendedStructureChain):
21844 (JSC::IntendedStructureChain::isStillValid):
21845 (JSC::IntendedStructureChain::matches):
21846 (JSC::IntendedStructureChain::chain):
21847 (JSC::IntendedStructureChain::mayInterceptStoreTo):
21848 (JSC::IntendedStructureChain::isNormalized):
21849 (JSC::IntendedStructureChain::terminalPrototype):
21850 * runtime/IntendedStructureChain.h: Added.
21851 (JSC):
21852 (IntendedStructureChain):
21853 (JSC::IntendedStructureChain::head):
21854 (JSC::IntendedStructureChain::size):
21855 (JSC::IntendedStructureChain::at):
21856 (JSC::IntendedStructureChain::operator[]):
21857 (JSC::IntendedStructureChain::last):
21858 * runtime/Structure.cpp:
21859 (JSC::Structure::prototypeChainMayInterceptStoreTo):
21860 * runtime/Structure.h:
21861 (Structure):
21862 * runtime/StructureInlines.h:
21863 (JSC::Structure::storedPrototypeObject):
21864 (JSC):
21865 (JSC::Structure::storedPrototypeStructure):
21866
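The snapshot-then-validate idiom described in the IntendedStructureChain entry above, as an added example that is not JavaScriptCore's own code: Structure, IntendedChain, DesiredChains, compileAndLink and the demo functions are constructed stand-ins for the JSC classes named there, with a plain prototype pointer in place of the GC heap.

```cpp
// Added example, not JavaScriptCore code: a minimal model of the
// snapshot-then-validate idiom. All names here are constructed stand-ins.
#include <vector>

// Stand-in for JSC::Structure: a node with a prototype pointer. Reassigning
// m_prototype models a prototype change racing with a concurrent compile.
struct Structure {
    Structure* m_prototype = nullptr;
    bool m_mayInterceptStores = false;  // e.g. a setter or read-only slot

    // Walk the live prototype chain. This is the racy recomputation that the
    // old validation methods performed on every check.
    std::vector<Structure*> currentChain() {
        std::vector<Structure*> result;
        for (Structure* s = m_prototype; s; s = s->m_prototype)
            result.push_back(s);
        return result;
    }
};

// Snapshot of a chain taken at compile time. It remembers its head so it can
// be re-validated later without any outside context.
class IntendedChain {
public:
    explicit IntendedChain(Structure* head)
        : m_head(head), m_vector(head->currentChain()) { }

    // Validation against the snapshot itself: never recomputes the chain, so
    // the structures checked are exactly the ones the compiler relied on.
    bool mayInterceptStore() const {
        for (Structure* s : m_vector) {
            if (s->m_mayInterceptStores)
                return true;
        }
        return false;
    }

    // Is the live chain still the one that was snapshotted?
    bool isStillValid() const { return m_head->currentChain() == m_vector; }

private:
    Structure* m_head;
    std::vector<Structure*> m_vector;
};

// Every chain the compiler decided to depend on; consulted at link time.
class DesiredChains {
public:
    void addLazily(const IntendedChain* chain) { m_chains.push_back(chain); }

    bool areStillValid() const {
        for (const IntendedChain* chain : m_chains) {
            if (!chain->isStillValid())
                return false;
        }
        return true;
    }

private:
    std::vector<const IntendedChain*> m_chains;
};

// Simulated compile of a store through `object`'s prototype chain. Returns
// true if the compilation links; false if it is thrown out, either because the
// chain could intercept the store or because `raceDuringCompile` (the main
// thread repointing the prototype between snapshot and link) invalidated it.
bool compileAndLink(Structure& object, Structure& newPrototype, bool raceDuringCompile) {
    DesiredChains desired;
    IntendedChain chain(&object);        // snapshot, possibly mid-race
    if (chain.mayInterceptStore())
        return false;                    // compiler would not use this chain
    desired.addLazily(&chain);

    if (raceDuringCompile)
        object.m_prototype = &newPrototype;  // racing __proto__ change

    return desired.areStillValid();      // link-time check; cancel on race
}

// Demo: obj -> proto1 -> proto2, optionally repointed at `other` mid-compile.
bool demoLinkSucceeds(bool raceDuringCompile) {
    Structure proto2, proto1, obj, other;
    proto1.m_prototype = &proto2;
    obj.m_prototype = &proto1;
    return compileAndLink(obj, other, raceDuringCompile);
}

// Demo: a chain containing an intercepting prototype is rejected up front,
// using the snapshot rather than a fresh walk.
bool demoInterceptingChainRejected() {
    Structure proto, obj, other;
    proto.m_mayInterceptStores = true;
    obj.m_prototype = &proto;
    return !compileAndLink(obj, other, false);
}
```
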
2013-05-06  Mark Lam  <mark.lam@apple.com>

        Fix broken 32-bit build + some clean up in JITStubs.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=115684.

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        - removed unneeded stubs for CPU(X86_64) && USE(JSVALUE32_64).
        - added some line breaks to more clearly delineate between
          ports/configurations of stub code.

2013-05-05  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in r149527 with crash fixed.

        Reviewed by Oliver Hunt.

        Rationalized 'this' value conversion
        https://bugs.webkit.org/show_bug.cgi?id=115542

        This fixes a bunch of Sputnik tests, and some bad pointer access.

        The new model is that the callee always performs 'this' value conversion.

        My ultimate goal is to break up resolve_with_this into single-result
        opcodes. This step avoids having to add a special form of convert_this
        that distinguishes callers vs callees.

        Only the callee knows whether it uses 'this' and/or whether 'this'
        conversion should use StrictMode, so it's most natural to perform
        convert_this in the callee.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
        our callee, since it may observe 'this'.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::call): Ditto.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
        even when we're not in the browser. This eliminates some odd cases where
        API clients used to be able to get a direct reference to an environment
        record. Now, any reference to an environment record unambiguously means
        that the VM resolved that record in the scope chain.

        (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
        participates in the proxy 'this' object scheme, the behavior is not
        WebCore-only.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
        caller; the callee will do it if needed.

        * JavaScriptCore.order: Order!

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        What are the chances that this will work?

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
        other conversion opcodes.

        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
        executable, so compilation can discover where we're in strict mode.

        * bytecode/Opcode.h:
        (JSC::padOpcodeName): Updated for rename.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
        'this' is in use -- strict mode still needs to convert environment
        records to 'undefined'.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode): Updated for renames.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
        strict mode (a new requirement) and to consider the global object (which
        was always a requirement).

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        (JSC::DFG::Graph::executableFor):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.

        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
        to fix it up if needed.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h: Removed special-case code for various kinds of
        conversions. The baseline fast path is now final objects only. It hurt
        my brain to think through how to keep the other fast paths working, and
        our benchmarks do not object.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
        special case code, as in the JIT above.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/ClassInfo.h:
        (MethodTable):
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
        the caller.

        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/GetterSetter.h: Added helper functions for invoking getters
        and setters from C++ code, since this was duplicated in a bunch of
        places.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::toThis):
        * runtime/JSActivation.h:
        (JSActivation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toThisSlowCase):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        (JSValue):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toThis):
        * runtime/JSCell.cpp:
        (JSC::JSCell::toThis):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::toThis):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject): Filled out runtime support for converting 'this'
        values as needed, according to the appropriate strictness, using
        helper functions where getter/setter code was duplicated.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
        observe 'this'.

        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::toThis):
        * runtime/JSNameScope.h:
        (JSNameScope): Same as JSActivation.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't perform
        'this' value conversion in this helper function. The __proto__
        setter does this for us, since it's the function that logically observes
        'this' -- and we can ASSERT so. Also, the previous code used
        "globalExec()->thisValue()", which is a read past the beginning of a
        buffer! I don't think this ever worked on purpose.

        (JSC::JSObject::toThis):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveWithThis):
        * runtime/JSString.cpp:
        (JSC::JSString::toThis):
        * runtime/JSString.h:
        (JSString):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/PropertySlot.h:
        (JSC):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
        (JSC::SparseArrayEntry::put):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThis):
        * runtime/StrictEvalActivation.h:
        (StrictEvalActivation): Ditto.

2013-05-03  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG::ByteCodeParser doesn't need ExecState*
        https://bugs.webkit.org/show_bug.cgi?id=115582

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::parse):
        * dfg/DFGByteCodeParser.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-05-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Profiler should be thread-safe
        https://bugs.webkit.org/show_bug.cgi?id=115445

        Reviewed by Geoffrey Garen.

        Change the Profiler::Database API for Compilation creation so that we don't add
        it to the Database until it's completely constructed. This prevents the Database
        from seeing Compilations that are being concurrently constructed.

        Change the Profiler::Database itself to do locking for creation of Bytecodes and
        for modifying the map. This map may be consulted by both the main thread and the
        concurrent thread.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * profiler/ProfilerBytecodes.h:
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::notifyDestruction):
        (JSC::Profiler::Database::addCompilation):
        * profiler/ProfilerDatabase.h:
        (Database):

2013-05-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG tries to ref/deref StringImpls in a ton of places
        https://bugs.webkit.org/show_bug.cgi?id=115300

        Reviewed by Geoffrey Garen.

        Change any code transitively called from DFG compilation to use StringImpl*
        directly instead of String, Identifier, or PropertyName. I use the convention
        of passing "StringImpl* uid" instead of an Identifier or PropertyName.

        Switch over any code transitively called from DFG compilation to use CStrings
        whenever possible for all of its debug dumping.

        This makes it possible to compile things without hitting the ref/deref
        assertion in StringImpl.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::sourceCodeOnOneLine):
        (JSC::constantName):
        (JSC::idName):
        (JSC::CodeBlock::registerName):
        (JSC::regexpToSourceString):
        (JSC::regexpName):
        (JSC::pointerToSourceString):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::inferredName):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC):
        (GetByIdStatus):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (JSC):
        (PutByIdStatus):
        * bytecode/ReduceWhitespace.cpp:
        (JSC::reduceWhitespace):
        * bytecode/ReduceWhitespace.h:
        (JSC):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredIdentifiers.cpp: Added.
        (DFG):
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        (JSC::DFG::DesiredIdentifiers::~DesiredIdentifiers):
        (JSC::DFG::DesiredIdentifiers::addLazily):
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h: Added.
        (DFG):
        (DesiredIdentifiers):
        (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
        (JSC::DFG::DesiredIdentifiers::at):
        (JSC::DFG::DesiredIdentifiers::operator[]):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::identifierUID):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * parser/SourceCode.cpp: Added.
        (JSC):
        (JSC::SourceCode::toUTF8):
        * parser/SourceCode.h:
        (SourceCode):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (JSC::Profiler::Bytecodes::inferredName):
        (JSC::Profiler::Bytecodes::sourceCode):
        (Bytecodes):
        * runtime/Identifier.h:
        (JSC::Identifier::utf8):
        (JSC):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
        (JSC::Structure::getConcurrently):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        (JSC):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::getConcurrently):

2013-05-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure transition table keys don't have to ref their StringImpl's
        https://bugs.webkit.org/show_bug.cgi?id=115525

        Reviewed by Geoffrey Garen.

        The structure transition table basically maps string to structure. The string is
        always also stored, and ref'd, in the structure in Structure::m_nameInPrevious.
        m_nameInPrevious is never mutated, and never cleared. The string cannot die unless
        the structure dies. If the structure dies, then that entry in the transition map
        becomes a zombie anyway and we will detect this separately.

        So, we don't need to use RefPtr<StringImpl>. We can just use StringImpl*.

        This also fixes a goof where we were getting the StringImpl's hash rather than
        using a pointer hash. Not only is the latter faster, but it prevents my change
        from leading to crashes: with my change we can have zombie keys, not just zombie
        values. They will exist only until the next map mutation, which will clear them.
        Lookups will work fine because the lookup routine will reject zombies. But it
        does mean that the HashMap will have to deal with dangling StringImpl*'s; all it
        takes to make this work is to ensure that the HashMap itself never dereferences
        them. Using a pointer hash rather than StringImpl::existingHash() accomplishes
        this.

        This also ensures that we don't accidentally call ref() or deref() from the
        compilation thread, if the compilation thread inspects the transition table.

        And no, we wouldn't have been able to use the HashMap<RefPtr<...>, ...>
        specialization, because the transition table is actually
        HashMap<pair<RefPtr<StringImpl>, unsigned>, ...>: hence that specialization
        doesn't kick in. We could have written a new specialization or something, but
        that seemed like a lot of work given that we don't need the table to be ref'ing
        the strings anyways.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable):
        (Hash):
        (JSC::StructureTransitionTable::Hash::hash):

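A standalone model of the pointer-hashed transition table described in the entry above, added here as an example and not JavaScriptCore's own code: StringImpl, Structure, TransitionTable, PointerHash and the demo helper are constructed stand-ins, and a dead flag on Structure takes the place of real GC so the demo never holds a truly dangling pointer while still showing that the table never reads through a key.

```cpp
// Added example, not JavaScriptCore code: raw StringImpl* keys hashed by
// address, zombie entries rejected on lookup and swept on the next mutation.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
#include <unordered_map>
#include <utility>

// Stand-in for WTF::StringImpl. The table only ever uses its address;
// m_chars is never read through a table key.
struct StringImpl {
    std::string m_chars;
};

// Stand-in for JSC::Structure. A real Structure is GC-managed; the dead flag
// models collection so the demo stays free of real dangling pointers.
struct Structure {
    StringImpl* m_nameInPrevious;    // ref'd by the Structure, never cleared
    unsigned m_attributesInPrevious;
    bool m_isDead = false;
};

using TransitionKey = std::pair<const StringImpl*, unsigned>;

// Pointer hash: mixes only the address and the attributes. Unlike
// StringImpl::existingHash(), it never dereferences the key, so a zombie key
// (string gone with its Structure) can sit in the map without being read.
struct PointerHash {
    std::size_t operator()(const TransitionKey& key) const {
        uintptr_t p = reinterpret_cast<uintptr_t>(key.first);
        p ^= p >> 4;  // addresses are aligned; fold the low bits
        return std::hash<uintptr_t>()(p) ^ (static_cast<std::size_t>(key.second) * 0x9e3779b9u);
    }
};

class TransitionTable {
public:
    // Lookup rejects zombies: an entry whose Structure has died reads as
    // absent, even though key and value are still physically in the map.
    Structure* get(const StringImpl* name, unsigned attributes) const {
        auto it = m_map.find(TransitionKey(name, attributes));
        if (it == m_map.end() || it->second->m_isDead)
            return nullptr;
        return it->second;
    }

    // Mutation is where zombies get cleared. The key is m_nameInPrevious,
    // whose lifetime is tied to the Structure being inserted.
    void add(Structure* structure) {
        sweepZombies();
        m_map[TransitionKey(structure->m_nameInPrevious, structure->m_attributesInPrevious)] = structure;
    }

    std::size_t size() const { return m_map.size(); }

private:
    // Erase entries whose Structure has died; keys are compared by address
    // only, so no StringImpl is touched here either.
    void sweepZombies() {
        for (auto it = m_map.begin(); it != m_map.end();) {
            if (it->second->m_isDead)
                it = m_map.erase(it);
            else
                ++it;
        }
    }

    std::unordered_map<TransitionKey, Structure*, PointerHash> m_map;
};

// Outcome of the constructed life-cycle demo below.
struct DemoResult {
    bool liveFound, distinctPointersDistinctKeys, zombieRejected;
    std::size_t sizeAfterSweep;
};

// Add two transitions, let one Structure die, then mutate again.
DemoResult runTransitionDemo() {
    StringImpl nameX{"x"}, nameY{"y"}, nameXCopy{"x"};   // constructed sample names
    Structure toX{&nameX, 0}, toY{&nameY, 0}, toZ{&nameXCopy, 0};
    TransitionTable table;
    table.add(&toX);
    table.add(&toY);
    DemoResult r{};
    r.liveFound = table.get(&nameX, 0) == &toX;
    // Same characters but a different StringImpl* is a different key.
    r.distinctPointersDistinctKeys = table.get(&nameXCopy, 0) == nullptr;
    toX.m_isDead = true;                   // GC collected the target Structure
    r.zombieRejected = table.get(&nameX, 0) == nullptr;
    table.add(&toZ);                       // next mutation sweeps the zombie
    r.sizeAfterSweep = table.size();       // toY and toZ remain
    return r;
}
```
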
223252013-05-01 Filip Pizlo <fpizlo@apple.com>
22326
22327 fourthTier: Structure::addPropertyTransitionToExistingStructure should be thread-safe
22328 https://bugs.webkit.org/show_bug.cgi?id=115468
22329
22330 Reviewed by Geoffrey Garen.
22331
22332 This makes the main thread modify the transition table while holding a lock. Note
22333 that the GC might modify its weak pointers without locking, but the GC will lock out
22334 the compilation thread anyway. The map will then only reshape in response to add()
22335 and set(), which happen while holding a lock.
22336
22337 This allows the compilation thread to now query transition tables safely, provided it
22338 holds a lock when doing so.
22339
22340 Also changed LLVM asm printer initialization to just initialize the X86 one. It makes
22341 sense for us to just initialize the asm printer(s) that we actually use; you could
22342 imagine us being linked to a system LLVM that has cross-compilation support; there is
22343 no point in the WebKit or JSC process doing work to initialize all of those targets.
22344 That part was rubber stamped by Mark Hahnenberg.
22345
22346 * bytecode/PutByIdStatus.cpp:
22347 (JSC::PutByIdStatus::computeFor):
22348 * runtime/InitializeThreading.cpp:
22349 (JSC::initializeThreadingOnce):
22350 * runtime/Structure.cpp:
22351 (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
22352 (JSC::Structure::addPropertyTransitionToExistingStructure):
22353 (JSC):
22354 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
22355 (JSC::Structure::addPropertyTransition):
22356 (JSC::Structure::nonPropertyTransition):
22357 * runtime/Structure.h:
22358 (Structure):
22359
22360 2013-04-30 Filip Pizlo <fpizlo@apple.com>
22361
22362 fourthTier: Structure::getConcurrently() may be called for uncacheable dictionaries, and this is safe
22363 https://bugs.webkit.org/show_bug.cgi?id=115464
22364
22365 Reviewed by Oliver Hunt and Geoffrey Garen.
22366
22367 This can happen for example transitively from JSObject::put(). getConcurrently() does
22368 work for uncacheable dictionaries; it just has the obvious race that right after it
22369 returns, the result it returned may no longer be right. This isn't an issue if it was
22370 called on the main thread, and may not be an issue in some other situations.
22371
22372 So, we should just remove the assertion, since the only thing it buys us is crashes.
22373
22374 * runtime/Structure.cpp:
22375 (JSC::Structure::getConcurrently):
22376
22377 2013-04-30 Filip Pizlo <fpizlo@apple.com>
22378
22379 fourthTier: Don't link gtest into JavaScriptCore
22380
22381 Rubber stamped by Mark Rowe.
22382
22383 * Configurations/JavaScriptCore.xcconfig:
22384
22385 2013-04-29 Filip Pizlo <fpizlo@apple.com>
22386
22387 fourthTier: String::utf8() should also be available as StringImpl::utf8() so that you don't have to ref() a StringImpl just to get its utf8()
22388 https://bugs.webkit.org/show_bug.cgi?id=115393
22389
22390 Reviewed by Geoffrey Garen.
22391
22392 * runtime/JSGlobalObjectFunctions.cpp:
22393 (JSC::encode):
22394
22395 2013-07-16 Oliver Hunt <oliver@apple.com>
22396
22397 Merge dfgFourthTier r149301
22398
22399 2013-04-28 Filip Pizlo <fpizlo@apple.com>
22400
22401 fourthTier: ASSERT that commonly used not-thread-safe methods in the runtime are not being called during compilation
22402 https://bugs.webkit.org/show_bug.cgi?id=115297
22403
22404 Reviewed by Geoffrey Garen.
22405
22406 Put in assertions that we're not doing bad things in compilation threads. Also
22407 factored compilation into compile+link so that even though we don't yet have
22408 concurrent compilation, we can be explicit about which parts of DFG work are
22409 meant to be concurrent, and which aren't.
22410
22411 Also fix a handful of bugs found by these assertions.
22412
22413 * JavaScriptCore.xcodeproj/project.pbxproj:
22414 * bytecode/ResolveGlobalStatus.cpp:
22415 (JSC::computeForStructure):
22416 * bytecode/Watchpoint.cpp:
22417 (JSC::WatchpointSet::add):
22418 (JSC::InlineWatchpointSet::inflateSlow):
22419 * dfg/DFGDriver.cpp:
22420 (JSC::DFG::compile):
22421 * dfg/DFGJITCompiler.cpp:
22422 (JSC::DFG::JITCompiler::~JITCompiler):
22423 (DFG):
22424 (JSC::DFG::JITCompiler::compileBody):
22425 (JSC::DFG::JITCompiler::compile):
22426 (JSC::DFG::JITCompiler::link):
22427 (JSC::DFG::JITCompiler::compileFunction):
22428 (JSC::DFG::JITCompiler::linkFunction):
22429 * dfg/DFGJITCompiler.h:
22430 (JITCompiler):
22431 * ftl/FTLCompile.cpp:
22432 (JSC::FTL::compile):
22433 * ftl/FTLCompile.h:
22434 (FTL):
22435 * ftl/FTLLink.cpp: Added.
22436 (FTL):
22437 (JSC::FTL::compileEntry):
22438 (JSC::FTL::link):
22439 * ftl/FTLLink.h: Added.
22440 (FTL):
22441 * ftl/FTLState.cpp:
22442 (JSC::FTL::State::State):
22443 * ftl/FTLState.h:
22444 (FTL):
22445 (State):
22446 * runtime/Structure.cpp:
22447 (JSC::Structure::get):
22448 (JSC::Structure::prototypeChainMayInterceptStoreTo):
22449 * runtime/Structure.h:
22450 (JSC::Structure::materializePropertyMapIfNecessary):
22451 * runtime/StructureInlines.h:
22452 (JSC::Structure::get):
22453
22454 2013-04-27 Filip Pizlo <fpizlo@apple.com>
22455
22456 FTL should support double variables
22457 https://bugs.webkit.org/show_bug.cgi?id=113624
22458
22459 Reviewed by Geoffrey Garen.
22460
22461 Made all of the operations that the FTL already supports, also support doubles.
22462 OSR exit already basically had everything it needed, so no changes there. This
22463 mostly just glues together bits of DFG IR to LLVM IR, in a straightforward way.
22464
22465 * ftl/FTLAbbreviations.h:
22466 (FTL):
22467 (JSC::FTL::doubleType):
22468 (JSC::FTL::constReal):
22469 (JSC::FTL::buildPhi):
22470 (JSC::FTL::addIncoming):
22471 (JSC::FTL::buildFAdd):
22472 (JSC::FTL::buildFSub):
22473 (JSC::FTL::buildFMul):
22474 (JSC::FTL::buildFNeg):
22475 (JSC::FTL::buildSIToFP):
22476 (JSC::FTL::buildUIToFP):
22477 (JSC::FTL::buildBitCast):
22478 (JSC::FTL::buildFCmp):
22479 * ftl/FTLCapabilities.cpp:
22480 (JSC::FTL::canCompile):
22481 * ftl/FTLCommonValues.cpp:
22482 (JSC::FTL::CommonValues::CommonValues):
22483 * ftl/FTLCommonValues.h:
22484 (CommonValues):
22485 * ftl/FTLLowerDFGToLLVM.cpp:
22486 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
22487 (JSC::FTL::LowerDFGToLLVM::lower):
22488 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
22489 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
22490 (JSC::FTL::LowerDFGToLLVM::compileAdd):
22491 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
22492 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
22493 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
22494 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
22495 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
22496 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
22497 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
22498 (JSC::FTL::LowerDFGToLLVM::lowDouble):
22499 (LowerDFGToLLVM):
22500 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
22501 (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
22502 (JSC::FTL::LowerDFGToLLVM::unboxDouble):
22503 (JSC::FTL::LowerDFGToLLVM::boxDouble):
22504 (JSC::FTL::LowerDFGToLLVM::speculate):
22505 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
22506 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
22507 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
22508 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
22509 * ftl/FTLOutput.h:
22510 (JSC::FTL::Output::constDouble):
22511 (Output):
22512 (JSC::FTL::Output::phi):
22513 (JSC::FTL::Output::doubleAdd):
22514 (JSC::FTL::Output::doubleSub):
22515 (JSC::FTL::Output::doubleMul):
22516 (JSC::FTL::Output::doubleNeg):
22517 (JSC::FTL::Output::intToFP):
22518 (JSC::FTL::Output::intToDouble):
22519 (JSC::FTL::Output::unsignedToFP):
22520 (JSC::FTL::Output::unsignedToDouble):
22521 (JSC::FTL::Output::bitCast):
22522 (JSC::FTL::Output::loadDouble):
22523 (JSC::FTL::Output::storeDouble):
22524 (JSC::FTL::Output::doubleEqual):
22525 (JSC::FTL::Output::doubleNotEqualOrUnordered):
22526 (JSC::FTL::Output::doubleLessThan):
22527 (JSC::FTL::Output::doubleLessThanOrEqual):
22528 (JSC::FTL::Output::doubleGreaterThan):
22529 (JSC::FTL::Output::doubleGreaterThanOrEqual):
22530 (JSC::FTL::Output::doubleEqualOrUnordered):
22531 (JSC::FTL::Output::doubleNotEqual):
22532 (JSC::FTL::Output::doubleLessThanOrUnordered):
22533 (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
22534 (JSC::FTL::Output::doubleGreaterThanOrUnordered):
22535 (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
22536 (JSC::FTL::Output::testIsZero64):
22537
22538 2013-04-27 Filip Pizlo <fpizlo@apple.com>
22539
22540 fourthTier: SymbolTable should be thread-safe
22541 https://bugs.webkit.org/show_bug.cgi?id=115301
22542
22543 Reviewed by Geoffrey Garen.
22544
22545 Makes SymbolTable thread-safe. Relies on SymbolTableEntry already being immutable,
22546 other than the WatchpointSet; but the WatchpointSet already has a righteous
22547 concurrency protocol. So, this patch just protects the SymbolTable's HashMap.
22548
22549 * bytecode/CodeBlock.cpp:
22550 (JSC::CodeBlock::nameForRegister):
22551 * bytecompiler/BytecodeGenerator.cpp:
22552 (JSC::BytecodeGenerator::addVar):
22553 * runtime/Executable.cpp:
22554 (JSC::ProgramExecutable::addGlobalVar):
22555 * runtime/JSActivation.cpp:
22556 (JSC::JSActivation::getOwnNonIndexPropertyNames):
22557 (JSC::JSActivation::symbolTablePutWithAttributes):
22558 * runtime/JSSymbolTableObject.cpp:
22559 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
22560 * runtime/JSSymbolTableObject.h:
22561 (JSC::symbolTableGet):
22562 (JSC::symbolTablePut):
22563 (JSC::symbolTablePutWithAttributes):
22564 * runtime/SymbolTable.cpp:
22565 (JSC::SymbolTable::SymbolTable):
22566 (JSC::SymbolTable::~SymbolTable):
22567 * runtime/SymbolTable.h:
22568 (JSC::SymbolTable::find):
22569 (JSC::SymbolTable::get):
22570 (JSC::SymbolTable::inlineGet):
22571 (JSC::SymbolTable::begin):
22572 (JSC::SymbolTable::end):
22573 (JSC::SymbolTable::size):
22574 (JSC::SymbolTable::add):
22575 (JSC::SymbolTable::set):
22576 (JSC::SymbolTable::contains):
22577
22578 2013-04-26 Filip Pizlo <fpizlo@apple.com>
22579
22580 fourthTier: WatchpointSet should make racy uses easier to reason about
22581 https://bugs.webkit.org/show_bug.cgi?id=115299
22582
22583 Reviewed by Anders Carlsson.
22584
22585 The compiler often does things like:
22586
22587 1c) Observe something that would imply that a WatchpointSet ought to be invalid
22588
22589 2c) Check that it is invalid
22590
22591 The main thread often does things like:
22592
22593 1m) Fire the watchpoint set
22594
22595 2m) Do some other thing that would cause the compiler to assume that the WatchpointSet
22596 ought to be invalid
22597
22598 An example is structure transitions, where (1c) is the compiler noticing that a
22599 put_by_id inline cache is in a transition state, with the source structure being S;
22600 (2c) is the compiler asserting that S's watchpoint set is invalid; (1m) is the main
22601 thread firing S's watchpoint set before it does the first transition away from S; and
22602 (2m) is the main thread caching the put_by_id transition away from S.
22603
22604 This is totally fine, except that (1c) and (2c), and (1m) and (2m) could be reordered.
22605 Probably, in most cases, this ought to do enough things that the main thread probably
22606 already has some fencing. But the compiler thread definitely doesn't have fencing. In
22607 any case, we should play it safe and just have additional fencing in all of the
22608 relevant places.
22609
22610 We already have some idioms to put load-load and store-store fences in the right
22611 places. But this change just makes WatchpointSet take care of this for us, thus
22612 reducing the chances of us getting this wrong.
22613
22614 * bytecode/Watchpoint.cpp:
22615 (JSC::WatchpointSet::notifyWriteSlow):
22616 * bytecode/Watchpoint.h:
22617 (WatchpointSet):
22618 (JSC::WatchpointSet::isStillValid):
22619 (JSC::WatchpointSet::hasBeenInvalidated):
22620 (JSC::InlineWatchpointSet::hasBeenInvalidated):
22621 (JSC::InlineWatchpointSet::notifyWrite):
22622 * dfg/DFGByteCodeParser.cpp:
22623 (JSC::DFG::ByteCodeParser::parseBlock):
22624 * dfg/DFGDesiredWatchpoints.h:
22625 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
22626
22627 2013-07-16 Oliver Hunt <oliver@apple.com>
22628
22629 Merge dfgFourthTier r149233
22630
22631 2013-04-26 Filip Pizlo <fpizlo@apple.com>
22632
22633 fourthTier: CFA should defend against results seeming inconsistent due to a watchpoint firing during compilation
22634 https://bugs.webkit.org/show_bug.cgi?id=115083
22635
22636 Reviewed by Geoffrey Garen.
22637
22638 This ruggedizes our raciness with respect to watchpoints. We want to be able to assert,
22639 in some places, that a watchpoint-based optimization has only occurred if the
22640 watchpoint set was still valid. But currently we *can* soundly do watchpoint-based
22641 optimizations even for invalid watchpoints, so long as we recorded in the IR that we
22642 had done so; this will then lead to the code being insta-jettisoned after compilation
22643 completes. Obviously, we don't want this to happen often - but we do want to allow it
22644 precisely in the case of watchpoint races.
22645
22646 This adds the ability to assert that we hadn't over-watchpointed ourselves, with an
22647 exemption for races.
22648
22649 * dfg/DFGAbstractState.cpp:
22650 (JSC::DFG::AbstractState::executeEffects):
22651 * dfg/DFGAbstractValue.cpp:
22652 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
22653 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
22654 * dfg/DFGByteCodeParser.cpp:
22655 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
22656 (JSC::DFG::ByteCodeParser::parseResolveOperations):
22657 (JSC::DFG::ByteCodeParser::parseBlock):
22658 * dfg/DFGConstantFoldingPhase.cpp:
22659 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
22660 * dfg/DFGDesiredWatchpoints.h:
22661 (GenericDesiredWatchpoints):
22662 (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
22663 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
22664 (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed):
22665 (JSC::DFG::DesiredWatchpoints::isStillValid):
22666 (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
22667 (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
22668 (DesiredWatchpoints):
22669 * dfg/DFGFixupPhase.cpp:
22670 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
22671 * dfg/DFGGraph.h:
22672 (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
22673 (Graph):
22674 * dfg/DFGJITCompiler.cpp:
22675 (JSC::DFG::JITCompiler::link):
22676 (JSC::DFG::JITCompiler::compile):
22677 (JSC::DFG::JITCompiler::compileFunction):
22678 * dfg/DFGJITCompiler.h:
22679 (JSC::DFG::JITCompiler::addLazily):
22680 (JITCompiler):
22681 * dfg/DFGSpeculativeJIT.cpp:
22682 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
22683 * dfg/DFGSpeculativeJIT.h:
22684 (SpeculativeJIT):
22685 (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
22686 (JSC::DFG::SpeculativeJIT::speculationWatchpointForMasqueradesAsUndefined):
22687 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
22688 * dfg/DFGSpeculativeJIT32_64.cpp:
22689 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22690 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22691 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22692 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22693 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22694 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22695 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22696 (JSC::DFG::SpeculativeJIT::compile):
22697 * dfg/DFGSpeculativeJIT64.cpp:
22698 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22699 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22700 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22701 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22702 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22703 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22704 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22705 (JSC::DFG::SpeculativeJIT::compile):
22706 * ftl/FTLCompile.cpp:
22707 (JSC::FTL::compile):
22708 * ftl/FTLState.h:
22709 (State):
22710
22711 2013-04-23 Filip Pizlo <fpizlo@apple.com>
22712
22713 fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races
22714 https://bugs.webkit.org/show_bug.cgi?id=115084
22715
22716 Reviewed by Geoffrey Garen.
22717
22718 The idea is that as part of https://bugs.webkit.org/show_bug.cgi?id=115083, I'll have
22719 Graph record the initial state of a watchpoint at the time that we decide to take
22720 advantage of it; then I will use this to disable any watchpoint-related assertions
22721 in debug mode. Note that this "watchpoint cache" will only be maintained in debug
22722 mode, so there will be no release performance implications. But to do this, I need to
22723 ensure that all of the places that reason about watchpoints have access to Graph.
22724 For example, I'll want AbstractValue::setFuturePossibleStructure to record the state
22725 of the watchpoint in Graph so that subsequent assertions can check if the watchpoint's
22726 state had changed since that decision was made.
22727
22728 * JavaScriptCore.xcodeproj/project.pbxproj:
22729 * dfg/DFGAbstractState.cpp:
22730 (JSC::DFG::AbstractState::initialize):
22731 (JSC::DFG::AbstractState::executeEffects):
22732 (JSC::DFG::AbstractState::mergeStateAtTail):
22733 * dfg/DFGAbstractState.h:
22734 (JSC::DFG::AbstractState::trySetConstant):
22735 * dfg/DFGAbstractValue.cpp: Added.
22736 (DFG):
22737 (JSC::DFG::AbstractValue::setMostSpecific):
22738 (JSC::DFG::AbstractValue::set):
22739 (JSC::DFG::AbstractValue::filter):
22740 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
22741 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
22742 (JSC::DFG::AbstractValue::dump):
22743 * dfg/DFGAbstractValue.h:
22744 (DFG):
22745 (AbstractValue):
22746 (JSC::DFG::AbstractValue::setType):
22747 (JSC::DFG::AbstractValue::filterByValue):
22748
22749 2013-07-16 Oliver Hunt <oliver@apple.com>
22750
22751 Merge dfgFourthTier r148936
22752
22753 2013-04-22 Filip Pizlo <fpizlo@apple.com>
22754
22755 fourthTier: Create an equivalent of Structure::get() that can work from a compilation thread
22756 https://bugs.webkit.org/show_bug.cgi?id=114987
22757
22758 Reviewed by Geoffrey Garen.
22759
22760 This completes the work started by r148570. That patch made it possible to do
22761 Structure::get() without modifying Structure. This patch takes this further, and
22762 makes this thread-safe (for non-uncacheable-dictionaries) via
22763 Structure::getConcurrently(). This method not only doesn't modify Structure, but
22764 also ensures that any concurrent attempts to add to, remove from, or steal the
22765 table from that structure don't mess up the result of the call. The call may
22766 return invalidOffset even if a property is *just* about to be added, but it will
22767 never do the reverse: if it returns a property then you can be sure that the
22768 structure really does have that property and always will have it.
22769
22770 * bytecode/GetByIdStatus.cpp:
22771 (JSC::GetByIdStatus::computeFromLLInt):
22772 (JSC::GetByIdStatus::computeForChain):
22773 (JSC::GetByIdStatus::computeFor):
22774 * bytecode/PutByIdStatus.cpp:
22775 (JSC::PutByIdStatus::computeFromLLInt):
22776 (JSC::PutByIdStatus::computeFor):
22777 * dfg/DFGFixupPhase.cpp:
22778 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
22779 * runtime/PropertyMapHashTable.h:
22780 (PropertyTable):
22781 (JSC::PropertyTable::findConcurrently):
22782 (JSC):
22783 (JSC::PropertyTable::add):
22784 (JSC::PropertyTable::remove):
22785 (JSC::PropertyTable::reinsert):
22786 (JSC::PropertyTable::rehash):
22787 * runtime/PropertyTable.cpp:
22788 (JSC::PropertyTable::PropertyTable):
22789 * runtime/Structure.cpp:
22790 (JSC::Structure::findStructuresAndMapForMaterialization):
22791 (JSC::Structure::getConcurrently):
22792 * runtime/Structure.h:
22793 (Structure):
22794 * runtime/StructureInlines.h:
22795 (JSC::Structure::getConcurrently):
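
The guarantee described in the entry above (a lock-free reader may miss a property that is just being added, but never reports one the table does not hold), as an added illustrative implementation that is not JavaScriptCore's code: the publish-with-release / read-with-acquire scheme, the fixed capacity and the names PropertyTable, findConcurrently and invalidOffset as used here are assumptions, and remove/rehash/steal are left out.

```cpp
#include <atomic>
#include <cstddef>
#include <string>

// Added example, not JavaScriptCore code. A property table whose reader runs on a
// compilation thread without a lock. The writer fills a slot and only then
// publishes the new size; the reader trusts only slots below the size it saw.
// Result: findConcurrently() may return invalidOffset for a property whose add is
// in flight, but an offset it does return is one the table already holds.

const int invalidOffset = -1;
const size_t tableCapacity = 64; // assumption: fixed-size, append-only table

struct PropertyMapEntry {
    std::string key;
    int offset;
};

class PropertyTable {
public:
    // Main thread only. May run concurrently with findConcurrently().
    bool add(const std::string& key, int offset)
    {
        size_t n = m_size.load(std::memory_order_relaxed);
        if (n == tableCapacity)
            return false;
        m_entries[n] = PropertyMapEntry{key, offset};     // fill the slot first...
        m_size.store(n + 1, std::memory_order_release);   // ...then publish it
        return true;
    }

    // Compilation thread, no lock. The acquire load pairs with the release store
    // in add(), so every slot below the observed size is fully initialised and
    // is never written again.
    int findConcurrently(const std::string& key) const
    {
        size_t n = m_size.load(std::memory_order_acquire);
        for (size_t i = 0; i < n; ++i) {
            if (m_entries[i].key == key)
                return m_entries[i].offset;
        }
        return invalidOffset;
    }

private:
    PropertyMapEntry m_entries[tableCapacity];
    std::atomic<size_t> m_size{0};
};

struct RaceOutcome {
    int beforePublish; // what a reader saw while the add was still unpublished
    int afterPublish;  // what a reader sees once the size has been published
};

// Sequential stand-in for the race: a reader that runs before the add is
// published misses the property, a reader that runs after it finds it.
RaceOutcome demonstrateAddRace()
{
    PropertyTable table;
    table.add("x", 0);
    int before = table.findConcurrently("y");
    table.add("y", 1);
    int after = table.findConcurrently("y");
    return RaceOutcome{before, after};
}
```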
22796
22797 2013-07-16 Oliver Hunt <oliver@apple.com>
22798
22799 Merge dfgFourthTier r148850
22800
22801 2013-04-21 Filip Pizlo <fpizlo@apple.com>
22802
22803 fourthTier: WebKit's build system should relink JavaScriptCore if LLVM's libraries changed but its headers didn't
22804 https://bugs.webkit.org/show_bug.cgi?id=114926
22805
22806 Reviewed by Geoffrey Garen.
22807
22808 Use a phony file that includes a phony header to force JavaScriptCore to be relinked
22809 if necessary. The external LLVM-importing scripts will touch the header if the libraries
22810 are known to have changed.
22811
22812 * JavaScriptCore.xcodeproj/project.pbxproj:
22813 * ftl/WebKitLLVMLibraryAnchor.cpp: Added.
22814
22815 2013-07-16 Oliver Hunt <oliver@apple.com>
22816
22817 Merge dfgFourthTier r148836
22818
22819 2013-04-21 Filip Pizlo <fpizlo@apple.com>
22820
22821 fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread
22822 https://bugs.webkit.org/show_bug.cgi?id=114909
22823
22824 Reviewed by Oliver Hunt.
22825
22826 The idea here is that a concurrent compiler will use watchpoint sets as follows:
22827
22828 During concurrent compilation: It will create Watchpoints, and query WatchpointSets only
22829 for the purpose of profiling. That is, it will use them to decide whether it is profitable to
22830 compile the code "as if" the watchpoint sets are valid.
22831
22832 During synchronous linking: By "linking" I don't necessarily mean the LinkBuffer stuff,
22833 but just the very bitter end of compilation where we make the JIT code callable. This
22834 can happen after LinkBuffer stuff. Anyway, this will have to happen synchronously, and
22835 at that point we can (a) check that all WatchpointSets that we assumed were valid are
22836 still valid and (b) if they are then we add the watchpoints to those sets. If any of the
22837 sets are invalid, we give up on this compilation and try again later.
22838
22839 The querying of WatchpointSets is engineered to say that the set is still valid if it
22840 is so *right now*, but this is done in a racy way and so it may say so spuriously: we
22841 may, with hopefully low probability, have a set that says it is valid even though it was
22842 just invalidated. The goal is only to ensure that (i) a set never claims to be invalid
22843 if it is actually valid, (ii) a set doesn't claim to be valid if it was invalidated
22844 before compilation even began, and (iii) querying the validity of a set doesn't cause us
22845 to crash.
22846
22847 * JavaScriptCore.xcodeproj/project.pbxproj:
22848 * bytecode/Watchpoint.cpp:
22849 (JSC::InlineWatchpointSet::inflateSlow):
22850 * bytecode/Watchpoint.h:
22851 (WatchpointSet):
22852 (InlineWatchpointSet):
22853 (JSC::InlineWatchpointSet::hasBeenInvalidated):
22854 (JSC::InlineWatchpointSet::isThin):
22855 (JSC::InlineWatchpointSet::isFat):
22856 (JSC::InlineWatchpointSet::fat):
22857 * dfg/DFGDesiredWatchpoints.cpp: Added.
22858 (DFG):
22859 (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
22860 (JSC::DFG::DesiredWatchpoints::~DesiredWatchpoints):
22861 (JSC::DFG::DesiredWatchpoints::addLazily):
22862 (JSC::DFG::DesiredWatchpoints::reallyAdd):
22863 (JSC::DFG::DesiredWatchpoints::areStillValid):
22864 * dfg/DFGDesiredWatchpoints.h: Added.
22865 (DFG):
22866 (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
22867 (WatchpointForGenericWatchpointSet):
22868 (GenericDesiredWatchpoints):
22869 (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
22870 (JSC::DFG::GenericDesiredWatchpoints::addLazily):
22871 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
22872 (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
22873 (DesiredWatchpoints):
22874 * dfg/DFGDriver.cpp:
22875 (JSC::DFG::compile):
22876 * dfg/DFGJITCompiler.cpp:
22877 (JSC::DFG::JITCompiler::link):
22878 (JSC::DFG::JITCompiler::compile):
22879 (JSC::DFG::JITCompiler::compileFunction):
22880 * dfg/DFGJITCompiler.h:
22881 (JSC::DFG::JITCompiler::addLazily):
22882 (JITCompiler):
22883 * dfg/DFGSpeculativeJIT.cpp:
22884 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
22885 * dfg/DFGSpeculativeJIT32_64.cpp:
22886 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22887 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22888 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22889 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22890 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22891 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22892 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22893 (JSC::DFG::SpeculativeJIT::compile):
22894 * dfg/DFGSpeculativeJIT64.cpp:
22895 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22896 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22897 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22898 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22899 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22900 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22901 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22902 (JSC::DFG::SpeculativeJIT::compile):
22903 * ftl/FTLCompile.cpp:
22904 (JSC::FTL::compile):
22905 * ftl/FTLCompile.h:
22906 (FTL):
22907 * ftl/FTLState.h:
22908 (State):
22909 * runtime/JSFunction.h:
22910 (JSFunction):
22911 (JSC::JSFunction::allocationProfileWatchpointSet):
22912 * runtime/Structure.h:
22913 (Structure):
22914 (JSC::Structure::transitionWatchpointSet):
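
The protocol described in the entry above (compile "as if" a WatchpointSet is valid, then re-check and install watchpoints during synchronous linking, giving up if any set was invalidated), together with the acquire/release fencing that the 2013-04-26 "racy uses" entry puts into WatchpointSet, as an added example that is not JavaScriptCore's code. Class and method names (WatchpointSet, DesiredWatchpoints, addLazily, reallyAdd, areStillValid) follow the ChangeLog; their bodies, the Watchpoint struct and compileAndLink are assumptions.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

// Added example, not JavaScriptCore code: a model of the concurrent-compiler
// watchpoint protocol. The compiler thread only ever reads the validity flag;
// adding watchpoints and firing the set are main-thread operations.

struct Watchpoint {
    std::function<void()> fireAction; // e.g. jettison the compiled code
};

class WatchpointSet {
public:
    // Safe to call from a compilation thread. The acquire load pairs with the
    // release store in notifyWrite(), so a thread that sees "invalid" also sees
    // the main-thread state that caused the invalidation. The answer is stale in
    // one direction only: "valid" may be reported for a set invalidated a moment
    // ago, "invalid" is never reported for a set that is actually valid.
    bool isStillValid() const { return m_isValid.load(std::memory_order_acquire); }
    bool hasBeenInvalidated() const { return !isStillValid(); }

    // Main thread only, during synchronous linking.
    void add(Watchpoint watchpoint) { m_watchpoints.push_back(std::move(watchpoint)); }

    // Main thread only. The release store orders the writes that motivated the
    // invalidation before the flag flip (the 1m-then-2m order in the text).
    void notifyWrite()
    {
        if (!m_isValid.load(std::memory_order_relaxed))
            return;
        m_isValid.store(false, std::memory_order_release);
        for (Watchpoint& watchpoint : m_watchpoints)
            watchpoint.fireAction();
        m_watchpoints.clear();
    }

    size_t watchpointCount() const { return m_watchpoints.size(); }

private:
    std::atomic<bool> m_isValid{true};
    std::vector<Watchpoint> m_watchpoints;
};

// What a compilation records while running concurrently and replays at link time.
class DesiredWatchpoints {
public:
    // Compilation thread: remember that the code is compiled "as if" this set is
    // valid. Nothing is installed yet. The return value lets the caller skip the
    // optimization when the set is already known to be invalid; the remaining
    // window (invalidation right after this check) is what the link step catches.
    bool addLazily(WatchpointSet* set)
    {
        m_sets.push_back(set);
        return set->isStillValid();
    }

    // Main thread, synchronous: every set we relied on must still be valid.
    bool areStillValid() const
    {
        for (WatchpointSet* set : m_sets) {
            if (!set->isStillValid())
                return false;
        }
        return true;
    }

    // Main thread, synchronous: install the watchpoints. Because firing also
    // happens only on the main thread, nothing can invalidate a set between
    // areStillValid() and this call.
    void reallyAdd(const std::function<void()>& jettison)
    {
        for (WatchpointSet* set : m_sets)
            set->add(Watchpoint{jettison});
    }

private:
    std::vector<WatchpointSet*> m_sets;
};

enum class LinkResult { Linked, GaveUp };

// Drives one compilation. invalidateDuringCompile stands in for the main thread
// firing the set while the compiler thread is still running.
LinkResult compileAndLink(WatchpointSet& set, bool invalidateDuringCompile, int& jettisonCount)
{
    DesiredWatchpoints desired;
    desired.addLazily(&set);            // concurrent phase: assume the set is valid
    if (invalidateDuringCompile)
        set.notifyWrite();              // main thread races in
    if (!desired.areStillValid())       // synchronous link: re-check...
        return LinkResult::GaveUp;      // ...and try again later
    desired.reallyAdd([&jettisonCount] { ++jettisonCount; });
    return LinkResult::Linked;
}
```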
22915
22916 2013-07-16 Oliver Hunt <oliver@apple.com>
22917
22918 Merge dfgFourthTier r148804
22919
22920 2013-04-20 Filip Pizlo <fpizlo@apple.com>
22921
22922 fourthTier: value profiles and array profiles should be thread-safe enough to be accessible in a concurrent compilation thread
22923 https://bugs.webkit.org/show_bug.cgi?id=114906
22924
22925 Reviewed by Oliver Hunt.
22926
22927 This introduces thread safety to value profiles, array profiles, and
22928 array allocation profiles.
22929
22930 We already have three separate operations that happen on profiles:
22931 (1) writing, which the JIT, LLInt, and OSR exit do; (2) updating,
22932 which happens during GC, from OSR entry slow-paths, and in the DFG;
22933 and (3) reading, which happens in the DFG. For example, the JIT/LLInt
22934 and OSR exit write to ValueProfile::m_buckets, which gets synthesized
22935 into ValueProfile::m_prediction (and other fields) during update, and
22936 the latter gets read by the DFG. Note that (2) must also happen in
22937 the DFG since only the DFG knows which code blocks it will inline,
22938 and those blocks' profiles may not have otherwise been updated via
22939 any other mechanism.
22940
22941 I refer to these three operations as writing, updating, and reading.
22942
22943 Consequently, both profile updating and profile reading may happen
22944 asynchronously, if the JIT is asynchronous.
22945
22946 The locking protocol for profiles works as follows:
22947
22948 - Writing does not require locking, but is only allowed on the main
22949 thread. We require that these fields can be stored atomically by
22950 the profiling code, even without locks. For value profiles, this
22951 only works on 64-bit platforms, currently. For array profiles,
22952 which consist of multiple separate fields, this means that an
22953 asynchronous update of the profile may see slight inconsistencies
22954 (like a structure that doesn't quite match the array modes bits),
22955 but these should be harmless: at worst, the DFG will specialize
22956 too much and we'll have OSR exits.
22957
22958 - Updating a value profile requires holding a lock, but must assume
22959 that the fields written by the profiling code in JIT/LLInt may
22960 be written to without locking.
22961
22962 - Reading a value profile requires holding a lock.
22963
22964 The one major exception to these rules is the ArrayAllocationProfile,
22965 which requires no locking. We do this because it's used so often and
22966 in places where we don't necessarily have access to the owning
22967 CodeBlock, so if we did want it to be locked it would have to have
22968 its own lock. Also, I believe that it is sound to just make this
22969 profile racy and not worry about locking at all. All that was needed
22970 were some changes to ensure that we explicitly read some raced-over
22971 fields only once.
22972
22973 Two additional interesting things in this change:
22974
22975 - To make it easy to see which profile methods require locking, they
22976 take a const CodeBlockLocker& as an argument. I saw this idiom for
22977 identifying which methods require which locks to be held being used
22978 in LLVM, and I quite like it.
22979
22980 - Lazy operand value profiles, which are created lazily and at any
22981 time, require the CodeBlockLock to be held when they are being
22982 created. Writes to them are lockless and main-thread-only, but as
22983 with other profiles, updates and reads require locking.
22984
22985 * JavaScriptCore.xcodeproj/project.pbxproj:
22986 * bytecode/ArrayAllocationProfile.cpp:
22987 (JSC::ArrayAllocationProfile::updateIndexingType):
22988 * bytecode/ArrayAllocationProfile.h:
22989 (JSC::ArrayAllocationProfile::selectIndexingType):
22990 * bytecode/ArrayProfile.cpp:
22991 (JSC::ArrayProfile::computeUpdatedPrediction):
22992 (JSC::ArrayProfile::briefDescription):
22993 * bytecode/ArrayProfile.h:
22994 (ArrayProfile):
22995 (JSC::ArrayProfile::expectedStructure):
22996 (JSC::ArrayProfile::structureIsPolymorphic):
22997 (JSC::ArrayProfile::hasDefiniteStructure):
22998 (JSC::ArrayProfile::observedArrayModes):
22999 (JSC::ArrayProfile::mayInterceptIndexedAccesses):
23000 (JSC::ArrayProfile::mayStoreToHole):
23001 (JSC::ArrayProfile::outOfBounds):
23002 (JSC::ArrayProfile::usesOriginalArrayStructures):
23003 * bytecode/CallLinkStatus.cpp:
23004 (JSC::CallLinkStatus::computeFor):
23005 * bytecode/CodeBlock.cpp:
23006 (JSC::CodeBlock::dumpValueProfiling):
23007 (JSC::CodeBlock::dumpArrayProfiling):
23008 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
23009 (JSC::CodeBlock::updateAllArrayPredictions):
23010 * bytecode/CodeBlock.h:
23011 (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
23012 (JSC::CodeBlock::updateAllPredictionsAndCheckIfShouldOptimizeNow):
23013 (CodeBlock):
23014 * bytecode/CodeBlockLock.h: Added.
23015 (JSC):
23016 * bytecode/GetByIdStatus.cpp:
23017 (JSC::GetByIdStatus::computeFor):
23018 * bytecode/LazyOperandValueProfile.cpp:
23019 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
23020 (JSC::CompressedLazyOperandValueProfileHolder::add):
23021 (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
23022 (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
23023 (JSC):
23024 (JSC::LazyOperandValueProfileParser::initialize):
23025 (JSC::LazyOperandValueProfileParser::prediction):
23026 * bytecode/LazyOperandValueProfile.h:
23027 (CompressedLazyOperandValueProfileHolder):
23028 (LazyOperandValueProfileParser):
23029 * bytecode/MethodOfGettingAValueProfile.cpp:
23030 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
23031 * bytecode/PutByIdStatus.cpp:
23032 (JSC::PutByIdStatus::computeFor):
23033 * bytecode/ResolveGlobalStatus.cpp:
23034 (JSC::ResolveGlobalStatus::computeFor):
23035 * bytecode/ValueProfile.h:
23036 (JSC::ValueProfileBase::briefDescription):
23037 (ValueProfileBase):
23038 (JSC::ValueProfileBase::computeUpdatedPrediction):
23039 * dfg/DFGArrayMode.cpp:
23040 (JSC::DFG::ArrayMode::fromObserved):
23041 * dfg/DFGArrayMode.h:
23042 (ArrayMode):
23043 (JSC::DFG::ArrayMode::withProfile):
23044 * dfg/DFGByteCodeParser.cpp:
23045 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
23046 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
23047 (JSC::DFG::ByteCodeParser::getArrayMode):
23048 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
23049 (JSC::DFG::ByteCodeParser::parseResolveOperations):
23050 (JSC::DFG::ByteCodeParser::parseBlock):
23051 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
23052 * dfg/DFGFixupPhase.cpp:
23053 (JSC::DFG::FixupPhase::fixupNode):
23054 * dfg/DFGOSRExitPreparation.cpp:
23055 (JSC::DFG::prepareCodeOriginForOSRExit):
23056 * dfg/DFGPredictionInjectionPhase.cpp:
23057 (JSC::DFG::PredictionInjectionPhase::run):
23058 * jit/JITInlines.h:
23059 (JSC::JIT::chooseArrayMode):
23060 * jit/JITStubs.cpp:
23061 (JSC::tryCachePutByID):
23062 (JSC::tryCacheGetByID):
23063 (JSC::DEFINE_STUB_FUNCTION):
23064 (JSC::lazyLinkFor):
23065 * llint/LLIntSlowPaths.cpp:
23066 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
23067 (JSC::LLInt::setUpCall):
23068 * profiler/ProfilerBytecodeSequence.cpp:
23069 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
23070 * runtime/JSScope.cpp:
23071 (JSC::JSScope::resolveContainingScopeInternal):
23072 (JSC::JSScope::resolvePut):
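
The write / update / read protocol for value profiles described in the entry above, including the idiom of passing a const CodeBlockLocker& to prove the lock is held, as an added example that is not JavaScriptCore's code. CodeBlockLock, CodeBlockLocker, computeUpdatedPrediction and the bucket/prediction fields follow the ChangeLog's names; the single-bucket profile, the tiny SpeculatedType lattice and runScenario are assumptions.

```cpp
#include <atomic>
#include <cstdint>
#include <mutex>

// Added example, not JavaScriptCore code: a value profile with three operations
// (1) write: main thread, no lock; (2) update: under the CodeBlock lock, but the
// bucket is still treated as racy; (3) read: under the CodeBlock lock.

using CodeBlockLock = std::mutex;
using CodeBlockLocker = std::lock_guard<CodeBlockLock>;

// Stand-in for the speculated-type lattice: types OR together (assumption).
typedef uint32_t SpeculatedType;
const SpeculatedType SpecNone = 0, SpecInt32 = 1, SpecDouble = 2, SpecCell = 4;

class ValueProfile {
public:
    // (1) Writing: JIT/LLInt/OSR exit, main thread only, no lock. The sample is
    // one atomic word, which is what makes lockless writing sound.
    void writeSample(SpeculatedType sample) { m_bucket.store(sample, std::memory_order_relaxed); }

    // (2) Updating: GC, OSR entry or the DFG, possibly off the main thread.
    // The locker argument is the caller's proof that the CodeBlock lock is held.
    // The bucket may be overwritten at any moment, so it is consumed with one
    // atomic exchange rather than read twice.
    void computeUpdatedPrediction(const CodeBlockLocker&)
    {
        SpeculatedType sample = m_bucket.exchange(SpecNone, std::memory_order_relaxed);
        if (sample == SpecNone)
            return;                 // nothing new since the last update
        m_prediction |= sample;     // protected by the lock
        ++m_numberOfSamples;
    }

    // (3) Reading: the DFG, while holding the lock.
    SpeculatedType prediction(const CodeBlockLocker&) const { return m_prediction; }
    unsigned numberOfSamples(const CodeBlockLocker&) const { return m_numberOfSamples; }

private:
    std::atomic<SpeculatedType> m_bucket{SpecNone}; // written without locking
    SpeculatedType m_prediction = SpecNone;         // only touched under the lock
    unsigned m_numberOfSamples = 0;
};

// The lock is per CodeBlock: a compiler thread contends only with the main
// thread's writes to the block it is compiling (or inlining).
class CodeBlock {
public:
    CodeBlockLock m_lock;
    ValueProfile m_profile;

    // What the DFG does for an operand: update, then read, under one lock.
    SpeculatedType valueProfilePrediction()
    {
        CodeBlockLocker locker(m_lock);
        m_profile.computeUpdatedPrediction(locker);
        return m_profile.prediction(locker);
    }
};

struct ProfileSnapshot {
    SpeculatedType prediction;
    unsigned samples;
};

// Interleaves main-thread writes with compiler-side updates and reads. Two
// writes before an update share one bucket, so only one sample is counted.
ProfileSnapshot runScenario()
{
    CodeBlock block;
    block.m_profile.writeSample(SpecInt32);
    block.m_profile.writeSample(SpecInt32);   // overwrites the same bucket
    block.valueProfilePrediction();           // update sees a single Int32 sample
    block.m_profile.writeSample(SpecDouble);
    SpeculatedType prediction = block.valueProfilePrediction();
    CodeBlockLocker locker(block.m_lock);
    return ProfileSnapshot{prediction, block.m_profile.numberOfSamples(locker)};
}
```

Calling prediction() or numberOfSamples() without a CodeBlockLocker in scope does not compile, which is the whole point of the parameter.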
23073
23074 2013-04-17 Filip Pizlo <fpizlo@apple.com>
23075
23076 fourthTier: all inline caches should be thread-safe enough to allow a concurrent compilation thread to read them safely
23077 https://bugs.webkit.org/show_bug.cgi?id=114762
23078
23079 Reviewed by Mark Hahnenberg.
23080
23081 For most inline caches this is easy: the inline cache has a clean temporal
23082 separation between doing the requested action (which may take an unbounded
23083 amount of time, may recurse, and may do arbitrary things) and recording the
23084 relevant information in the cache. So, we just put locks around the
23085 recording bit. That part is always O(1) and does not recurse. The lock we
23086 use is per-CodeBlock to achieve a good balance between locking granularity
23087 and low space overhead. So a concurrent compilation thread will only block
23088 if an inline cache ping-pongs in the code block being compiled (or inlined)
23089 and never when other inline caches do things.
23090
23091 For resolve operations, it's a bit tricky. The global resolve bit works
23092 like any other IC in that it has the clean temporal separation. But the
23093 operations vector itself doesn't have this separation, since we will be
23094 filling it in tandem with actions that may take a long time. This patch
23095 gets around this by having a m_ready bit in the ResolveOperations and
23096 PutToBaseOperation. This is set while holding the CodeBlock's lock. If the
23097 DFG observes the m_ready bit not set (while holding the lock) then it
23098 conservatively assumes that the resolve hasn't happened yet and just
23099 plants a ForceOSRExit.
23100
23101 * bytecode/CallLinkStatus.cpp:
23102 (JSC::CallLinkStatus::computeFor):
23103 * bytecode/CodeBlock.h:
23104 (CodeBlock):
23105 * bytecode/GetByIdStatus.cpp:
23106 (JSC::GetByIdStatus::computeFor):
23107 * bytecode/PutByIdStatus.cpp:
23108 (JSC::PutByIdStatus::computeFor):
23109 * bytecode/ResolveGlobalStatus.cpp:
23110 (JSC::ResolveGlobalStatus::computeFor):
23111 * bytecode/ResolveOperation.h:
23112 (JSC::ResolveOperations::ResolveOperations):
23113 (ResolveOperations):
23114 (JSC::PutToBaseOperation::PutToBaseOperation):
23115 * dfg/DFGByteCodeParser.cpp:
23116 (JSC::DFG::ByteCodeParser::parseResolveOperations):
23117 (JSC::DFG::ByteCodeParser::parseBlock):
23118 * jit/JITStubs.cpp:
23119 (JSC::tryCachePutByID):
23120 (JSC::tryCacheGetByID):
23121 (JSC::DEFINE_STUB_FUNCTION):
23122 (JSC::lazyLinkFor):
23123 * llint/LLIntSlowPaths.cpp:
23124 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
23125 (JSC::LLInt::setUpCall):
23126 * runtime/JSScope.cpp:
23127 (JSC::JSScope::resolveContainingScopeInternal):
23128 (JSC::JSScope::resolveContainingScope):
23129 (JSC::JSScope::resolvePut):
23130
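The locking discipline described in the entry above (do the unbounded work outside the lock, record in O(1) under a per-CodeBlock lock, and publish the resolve-operations vector with a ready bit that the compiler thread checks under the same lock) reduced to a self-contained sketch. This is an added illustration, not JavaScriptCore code: the names CodeBlock, GetByIdCache, ResolveOperations and m_ready mirror the entry, but every body, the CompilerView type and the helper functions are assumptions made for the example.

```cpp
#include <mutex>
#include <string>
#include <vector>

// Added illustration, not JavaScriptCore code. Names mirror the ChangeLog
// entry; the bodies are assumptions made for the example.

struct Structure { unsigned id; };

// One inline cache. Filling it is a single O(1) store sequence done under
// the owning CodeBlock's lock; the expensive lookup that precedes it is not.
struct GetByIdCache {
    const Structure* structure = nullptr;
    int offset = -1;
};

// The resolve-operations vector is built in tandem with slow work, so it has
// no clean "record" step. The m_ready bit is the publication point instead.
struct ResolveOperations {
    std::vector<std::string> ops;
    bool m_ready = false;   // written only while holding CodeBlock::lock
};

struct CodeBlock {
    std::mutex lock;        // per-CodeBlock: cheap, and unrelated blocks never contend
    GetByIdCache getByIdCache;
    ResolveOperations resolveOps;
};

// Mutator thread: do the unbounded part first, then record under the lock.
void mutatorCacheGetById(CodeBlock& block, const Structure& observed, int offset) {
    // ... property lookup, prototype walk, maybe a JS getter: NOT under the lock ...
    std::lock_guard<std::mutex> guard(block.lock);
    block.getByIdCache.structure = &observed;
    block.getByIdCache.offset = offset;
}

// Mutator thread: fill the operations vector over time, then publish it.
// Invariant: nothing writes `ops` after m_ready is set, so a reader that sees
// m_ready under the lock also sees a complete, stable vector.
void mutatorResolve(CodeBlock& block, const std::vector<std::string>& steps) {
    for (const std::string& step : steps)
        block.resolveOps.ops.push_back(step);   // interleaved with slow work
    std::lock_guard<std::mutex> guard(block.lock);
    block.resolveOps.m_ready = true;
}

// What the concurrent compiler thread is allowed to learn from a CodeBlock.
struct CompilerView {
    bool haveGetById = false;
    GetByIdCache getById;
    bool haveResolve = false;           // false => plant ForceOSRExit
    std::vector<std::string> resolve;   // copied out, never a live pointer
};

// Compiler thread: snapshot everything it needs in one short critical section.
CompilerView compilerSnapshot(CodeBlock& block) {
    CompilerView view;
    std::lock_guard<std::mutex> guard(block.lock);
    if (block.getByIdCache.structure) {
        view.haveGetById = true;
        view.getById = block.getByIdCache;
    }
    if (block.resolveOps.m_ready) {
        view.haveResolve = true;
        view.resolve = block.resolveOps.ops;
    }
    return view;
}

// The conservative choice when the resolve has not been published yet.
bool mustPlantForceOSRExit(const CompilerView& view) { return !view.haveResolve; }
```

The point of the snapshot is that the compiler never holds a pointer into mutator-owned state after the lock is released; it copies what it needs while locked and, if the ready bit is clear, emits the unconditional exit rather than guessing at a half-built vector.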
231312013-04-16 Filip Pizlo <fpizlo@apple.com>
23132
23133 fourthTier: DFG should be able to query Structure without modifying it
23134 https://bugs.webkit.org/show_bug.cgi?id=114708
23135
23136 Reviewed by Oliver Hunt.
23137
23138 This is work towards allowing the DFG, and FTL, to run on a separate thread.
23139 The idea is that the most evil thing that the DFG does that has thread-safety
23140 issues is fiddling with Structures by calling Structure::get(). This can lead
23141 to rematerialization of property tables, which is definitely not thread-safe
23142 due to how StringImpl works. So, this patch completely side-steps the problem
23143 by creating a new version of Structure::get, called
23144 Structure::getWithoutMaterializing, which may choose to do an O(n) search if
23145 necessary to avoid materialization. I believe this should be fine - the DFG
23146 doesn't call into these code paths often enough for this to matter, and most of
23147 the time, the Structure that we call this on will already have a property
23148 table because some inline cache would have already called ::get() on that
23149 Structure.
23150
23151 Also cleaned up the materialization logic: we can stop the search as soon as
23152 we find any Structure with a property table rather than searching all the way
23153 for a pinned one.
23154
23155 * bytecode/GetByIdStatus.cpp:
23156 (JSC::GetByIdStatus::computeFor):
23157 * bytecode/PutByIdStatus.cpp:
23158 (JSC::PutByIdStatus::computeFromLLInt):
23159 (JSC::PutByIdStatus::computeFor):
23160 * runtime/Structure.cpp:
23161 (JSC::Structure::findStructuresAndMapForMaterialization):
23162 (JSC::Structure::materializePropertyMap):
23163 (JSC::Structure::getWithoutMaterializing):
23164 (JSC):
23165 * runtime/Structure.h:
23166 (Structure):
23167 * runtime/StructureInlines.h:
23168 (JSC::Structure::getWithoutMaterializing):
23169 (JSC):
23170
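The two lookups contrasted in the entry above, as an added illustration that is not JavaScriptCore code: a transition chain whose property table is built lazily, a mutating get() for the mutator thread, and a const getWithoutMaterializing() for the compiler thread that walks the chain instead. The Structure layout, the Chain helper and the materialization counter are assumptions made for the example; the early stop at the first ancestor that already has a table follows the cleanup the entry describes.

```cpp
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Added illustration, not JavaScriptCore code. The layout is an assumption
// chosen to show why one lookup is safe off-thread and the other is not.

struct Structure {
    using PropertyTable = std::unordered_map<std::string, int>;

    const Structure* previous = nullptr;   // parent in the transition chain
    std::string addedProperty;             // property this transition added ("" for root)
    int addedOffset = -1;
    std::unique_ptr<PropertyTable> propertyTable;  // absent until materialized
    int materializations = 0;              // instrumentation for the example

    // Mutator-thread lookup: may materialize, i.e. mutate this Structure.
    int get(const std::string& name) {
        if (!propertyTable)
            materializePropertyMap();
        auto it = propertyTable->find(name);
        return it == propertyTable->end() ? -1 : it->second;
    }

    // Walk up only until some ancestor already has a table (no need to reach
    // a pinned one), copy it, then replay the intervening transitions.
    void materializePropertyMap() {
        std::vector<const Structure*> pending;
        const Structure* s = this;
        while (s && !s->propertyTable) {
            pending.push_back(s);
            s = s->previous;
        }
        std::unique_ptr<PropertyTable> table(s ? new PropertyTable(*s->propertyTable)
                                               : new PropertyTable());
        for (auto it = pending.rbegin(); it != pending.rend(); ++it) {
            if (!(*it)->addedProperty.empty())
                (*table)[(*it)->addedProperty] = (*it)->addedOffset;
        }
        propertyTable = std::move(table);
        ++materializations;
    }

    // Compiler-thread lookup: const, so it cannot materialize anything. Uses
    // a table if one exists on the way up, otherwise an O(n) chain walk.
    int getWithoutMaterializing(const std::string& name) const {
        for (const Structure* s = this; s; s = s->previous) {
            if (s->propertyTable) {
                auto it = s->propertyTable->find(name);
                return it == s->propertyTable->end() ? -1 : it->second;
            }
            if (s->addedProperty == name)
                return s->addedOffset;
        }
        return -1;
    }
};

// A small chain {} -> {x} -> {x, y}, constructed for the example.
struct Chain {
    Structure root, withX, withXY;
    Chain() {
        withX.previous = &root;   withX.addedProperty = "x";  withX.addedOffset = 0;
        withXY.previous = &withX; withXY.addedProperty = "y"; withXY.addedOffset = 1;
    }
};
```

The const qualifier is the whole safety argument: the compiler-side lookup compiles only if it never touches the lazily-built table's owner, and the materialization counter lets a test confirm that a read from the compiler side leaves every Structure on the chain untouched.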
231712013-04-13 Filip Pizlo <fpizlo@apple.com>
23172
23173 fourthTier: Fix release build.
23174
23175 * dfg/DFGOSRExitCompilerCommon.cpp:
23176 * ftl/FTLExitValue.cpp:
23177 * ftl/FTLOSRExitCompiler.cpp:
23178
231792013-04-13 Filip Pizlo <fpizlo@apple.com>
23180
23181 fourthTier: FTL should have OSR exit
23182 https://bugs.webkit.org/show_bug.cgi?id=113623
23183
23184 Reviewed by Oliver Hunt.
23185
23186 This implements OSR exit, and hilariously, it actually works. The idea is to have
23187 LLVM call a no-return function on the off-ramp, passing it everything we know about
23188 bytecode state that isn't already flushed to the call frame. Our own JIT takes care
23189 of the rest.
23190
23191 We can now run all of SunSpider, V8, and Kraken with the FTL enabled.
23192
23193 The details are described in FTLOSRExit.h.
23194
23195 * CMakeLists.txt:
23196 * GNUmakefile.list.am:
23197 * JavaScriptCore.xcodeproj/project.pbxproj:
23198 * Target.pri:
23199 * assembler/AbstractMacroAssembler.h:
23200 (Address):
23201 (JSC::AbstractMacroAssembler::Address::withOffset):
23202 * assembler/LinkBuffer.h:
23203 (JSC::LinkBuffer::offsetOf):
23204 (LinkBuffer):
23205 * assembler/MacroAssemblerX86Common.h:
23206 * assembler/RepatchBuffer.h:
23207 (JSC::RepatchBuffer::RepatchBuffer):
23208 (JSC::RepatchBuffer::~RepatchBuffer):
23209 (RepatchBuffer):
23210 * bytecode/CodeBlock.cpp:
23211 (JSC::CodeBlock::tallyFrequentExitSites):
23212 * bytecode/Operands.h:
23213 (Operands):
23214 (JSC):
23215 (JSC::::dump):
23216 * dfg/DFGAbstractState.cpp:
23217 (JSC::DFG::AbstractState::initialize):
23218 * dfg/DFGGPRInfo.h:
23219 (DFG):
23220 (GPRInfo):
23221 * dfg/DFGMinifiedNode.h:
23222 (JSC::DFG::belongsInMinifiedGraph):
23223 * dfg/DFGNodeType.h:
23224 (JSC::DFG::needsOSRBackwardRewiring):
23225 (DFG):
23226 (JSC::DFG::needsOSRForwardRewiring):
23227 * dfg/DFGOSRExit.cpp:
23228 (JSC::DFG::OSRExit::OSRExit):
23229 (DFG):
23230 (JSC::DFG::OSRExit::convertToForward):
23231 * dfg/DFGOSRExit.h:
23232 (OSRExit):
23233 * dfg/DFGOSRExitBase.cpp: Added.
23234 (DFG):
23235 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
23236 (JSC::DFG::OSRExitBase::doSearchForForwardConversion):
23237 * dfg/DFGOSRExitBase.h: Added.
23238 (DFG):
23239 (JSC::DFG::OSRExitBase::OSRExitBase):
23240 (OSRExitBase):
23241 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
23242 * dfg/DFGOSRExitCompiler.cpp:
23243 * dfg/DFGOSRExitCompiler64.cpp:
23244 (JSC::DFG::OSRExitCompiler::compileExit):
23245 * dfg/DFGOSRExitCompilerCommon.cpp:
23246 (JSC::DFG::handleExitCounts):
23247 (JSC::DFG::reifyInlinedCallFrames):
23248 (JSC::DFG::adjustAndJumpToTarget):
23249 * dfg/DFGOSRExitCompilerCommon.h:
23250 (DFG):
23251 * dfg/DFGOSRExitPreparation.cpp: Added.
23252 (DFG):
23253 (JSC::DFG::prepareCodeOriginForOSRExit):
23254 * dfg/DFGOSRExitPreparation.h: Added.
23255 (DFG):
23256 * dfg/DFGOperations.cpp:
23257 * dfg/DFGSpeculativeJIT.cpp:
23258 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
23259 * dfg/DFGValueSource.h:
23260 (JSC::DFG::ValueSource::forSpeculation):
23261 * dfg/DFGVariableEventStream.cpp:
23262 (JSC::DFG::VariableEventStream::reconstruct):
23263 * ftl/FTLAbbreviations.h:
23264 (JSC::FTL::functionType):
23265 (FTL):
23266 (JSC::FTL::typeOf):
23267 (JSC::FTL::appendBasicBlock):
23268 (JSC::FTL::insertBasicBlock):
23269 (JSC::FTL::buildCall):
23270 (JSC::FTL::setTailCall):
23271 * ftl/FTLCArgumentGetter.cpp: Added.
23272 (FTL):
23273 (JSC::FTL::CArgumentGetter::loadNextAndBox):
23274 * ftl/FTLCArgumentGetter.h: Added.
23275 (FTL):
23276 (JSC::FTL::isArgumentRegister):
23277 (CArgumentGetter):
23278 (JSC::FTL::CArgumentGetter::CArgumentGetter):
23279 (JSC::FTL::CArgumentGetter::loadNext8):
23280 (JSC::FTL::CArgumentGetter::loadNext32):
23281 (JSC::FTL::CArgumentGetter::loadNext64):
23282 (JSC::FTL::CArgumentGetter::loadNextPtr):
23283 (JSC::FTL::CArgumentGetter::loadNextDouble):
23284 (JSC::FTL::CArgumentGetter::nextAddress):
23285 * ftl/FTLCompile.cpp:
23286 (JSC::FTL::compile):
23287 * ftl/FTLExitArgument.cpp: Added.
23288 (FTL):
23289 (JSC::FTL::ExitArgument::dump):
23290 * ftl/FTLExitArgument.h: Added.
23291 (FTL):
23292 (ExitArgumentRepresentation):
23293 (ExitArgument):
23294 (JSC::FTL::ExitArgument::ExitArgument):
23295 (JSC::FTL::ExitArgument::operator!):
23296 (JSC::FTL::ExitArgument::format):
23297 (JSC::FTL::ExitArgument::argument):
23298 (JSC::FTL::ExitArgument::withFormat):
23299 (JSC::FTL::ExitArgument::representation):
23300 * ftl/FTLExitArgumentForOperand.cpp: Added.
23301 (FTL):
23302 (JSC::FTL::ExitArgumentForOperand::dump):
23303 * ftl/FTLExitArgumentForOperand.h: Added.
23304 (FTL):
23305 (ExitArgumentForOperand):
23306 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
23307 (JSC::FTL::ExitArgumentForOperand::operator!):
23308 (JSC::FTL::ExitArgumentForOperand::exitArgument):
23309 (JSC::FTL::ExitArgumentForOperand::operand):
23310 (JSC::FTL::lesserArgumentIndex):
23311 * ftl/FTLExitArgumentList.h: Added.
23312 (FTL):
23313 * ftl/FTLExitThunkGenerator.cpp: Added.
23314 (FTL):
23315 (JSC::FTL::ExitThunkGenerator::ExitThunkGenerator):
23316 (JSC::FTL::ExitThunkGenerator::~ExitThunkGenerator):
23317 (JSC::FTL::ExitThunkGenerator::emitThunk):
23318 * ftl/FTLExitThunkGenerator.h: Added.
23319 (FTL):
23320 (ExitThunkGenerator):
23321 (JSC::FTL::ExitThunkGenerator::didThings):
23322 * ftl/FTLExitValue.cpp: Added.
23323 (FTL):
23324 (JSC::FTL::ExitValue::dump):
23325 * ftl/FTLExitValue.h: Added.
23326 (FTL):
23327 (ExitValue):
23328 (JSC::FTL::ExitValue::ExitValue):
23329 (JSC::FTL::ExitValue::operator!):
23330 (JSC::FTL::ExitValue::dead):
23331 (JSC::FTL::ExitValue::inJSStack):
23332 (JSC::FTL::ExitValue::inJSStackAsInt32):
23333 (JSC::FTL::ExitValue::inJSStackAsDouble):
23334 (JSC::FTL::ExitValue::constant):
23335 (JSC::FTL::ExitValue::exitArgument):
23336 (JSC::FTL::ExitValue::kind):
23337 (JSC::FTL::ExitValue::isDead):
23338 (JSC::FTL::ExitValue::isInJSStackSomehow):
23339 (JSC::FTL::ExitValue::isConstant):
23340 (JSC::FTL::ExitValue::isArgument):
23341 * ftl/FTLFormattedValue.h:
23342 (FTL):
23343 (JSC::FTL::noValue):
23344 (JSC::FTL::int32Value):
23345 (JSC::FTL::uInt32Value):
23346 (JSC::FTL::booleanValue):
23347 (JSC::FTL::jsValueValue):
23348 (JSC::FTL::doubleValue):
23349 * ftl/FTLJITCode.cpp:
23350 (JSC::FTL::JITCode::initializeExitThunks):
23351 (FTL):
23352 (JSC::FTL::JITCode::exitThunks):
23353 * ftl/FTLJITCode.h:
23354 (JITCode):
23355 * ftl/FTLLowerDFGToLLVM.cpp:
23356 (FTL):
23357 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
23358 (JSC::FTL::LowerDFGToLLVM::lower):
23359 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
23360 (JSC::FTL::LowerDFGToLLVM::compileBlock):
23361 (JSC::FTL::LowerDFGToLLVM::compileNode):
23362 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
23363 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
23364 (LowerDFGToLLVM):
23365 (JSC::FTL::LowerDFGToLLVM::compileMovHint):
23366 (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
23367 (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck):
23368 (JSC::FTL::LowerDFGToLLVM::compileAdd):
23369 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
23370 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
23371 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
23372 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
23373 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
23374 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
23375 (JSC::FTL::LowerDFGToLLVM::speculateBackward):
23376 (JSC::FTL::LowerDFGToLLVM::speculateForward):
23377 (JSC::FTL::LowerDFGToLLVM::speculate):
23378 (JSC::FTL::LowerDFGToLLVM::terminate):
23379 (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck):
23380 (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):
23381 (JSC::FTL::LowerDFGToLLVM::typeCheck):
23382 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
23383 (JSC::FTL::LowerDFGToLLVM::lowInt32):
23384 (JSC::FTL::LowerDFGToLLVM::lowCell):
23385 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
23386 (JSC::FTL::LowerDFGToLLVM::speculateObject):
23387 (JSC::FTL::LowerDFGToLLVM::isLive):
23388 (JSC::FTL::LowerDFGToLLVM::use):
23389 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
23390 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
23391 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
23392 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
23393 (JSC::FTL::LowerDFGToLLVM::addExitArgument):
23394 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
23395 (JSC::FTL::LowerDFGToLLVM::observeMovHint):
23396 * ftl/FTLOSRExit.cpp: Added.
23397 (FTL):
23398 (JSC::FTL::OSRExit::OSRExit):
23399 (JSC::FTL::OSRExit::codeLocationForRepatch):
23400 (JSC::FTL::OSRExit::convertToForward):
23401 * ftl/FTLOSRExit.h: Added.
23402 (FTL):
23403 (OSRExit):
23404 * ftl/FTLOSRExitCompilationInfo.h: Added.
23405 (FTL):
23406 (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
23407 (OSRExitCompilationInfo):
23408 * ftl/FTLOSRExitCompiler.cpp: Added.
23409 (FTL):
23410 (JSC::FTL::compileStub):
23411 (JSC::FTL::compileFTLOSRExit):
23412 * ftl/FTLOSRExitCompiler.h: Added.
23413 (FTL):
23414 * ftl/FTLOutput.h:
23415 (JSC::FTL::Output::newBlock):
23416 (JSC::FTL::Output::intToPtr):
23417 (JSC::FTL::Output::load):
23418 (JSC::FTL::Output::store):
23419 (Output):
23420 (JSC::FTL::Output::call):
23421 (JSC::FTL::Output::convertToTailCall):
23422 (FTL):
23423 * ftl/FTLState.h:
23424 (State):
23425 * ftl/FTLThunks.cpp: Added.
23426 (FTL):
23427 (JSC::FTL::osrExitGenerationThunkGenerator):
23428 * ftl/FTLThunks.h: Added.
23429 (JSC):
23430 (FTL):
23431 * ftl/FTLValueFormat.cpp: Added.
23432 (WTF):
23433 (WTF::printInternal):
23434 * ftl/FTLValueFormat.h: Added.
23435 (FTL):
23436 (WTF):
23437 * ftl/FTLValueSource.cpp: Added.
23438 (FTL):
23439 (JSC::FTL::ValueSource::dump):
23440 * ftl/FTLValueSource.h: Added.
23441 (FTL):
23442 (ValueSource):
23443 (JSC::FTL::ValueSource::ValueSource):
23444 (JSC::FTL::ValueSource::kind):
23445 (JSC::FTL::ValueSource::operator!):
23446 (JSC::FTL::ValueSource::node):
23447
234482013-04-12 Filip Pizlo <fpizlo@apple.com>
23449
23450 fourthTier: switch to using MCJIT and disable frame pointer elimination
23451 https://bugs.webkit.org/show_bug.cgi?id=114542
23452
23453 Reviewed by Oliver Hunt and Michael Saboff.
23454
23455 * ftl/FTLCompile.cpp:
23456 (JSC::FTL::compile):
23457 * runtime/InitializeThreading.cpp:
23458 (JSC::initializeThreadingOnce):
23459
234602013-04-09 Filip Pizlo <fpizlo@apple.com>
23461
23462 fourthTier: DFG should provide utilities for common OSR exit tasks
23463 https://bugs.webkit.org/show_bug.cgi?id=114306
23464
23465 Reviewed by Mark Hahnenberg.
23466
23467 Just abstract out some things that the FTL will want to use as well.
23468
23469 * CMakeLists.txt:
23470 * GNUmakefile.list.am:
23471 * JavaScriptCore.xcodeproj/project.pbxproj:
23472 * Target.pri:
23473 * dfg/DFGDriver.cpp:
23474 (JSC::DFG::compile):
23475 * dfg/DFGOSRExitCompiler.cpp:
23476 * dfg/DFGOSRExitCompiler.h:
23477 (OSRExitCompiler):
23478 * dfg/DFGOSRExitCompiler32_64.cpp:
23479 (JSC::DFG::OSRExitCompiler::compileExit):
23480 * dfg/DFGOSRExitCompiler64.cpp:
23481 (JSC::DFG::OSRExitCompiler::compileExit):
23482 * dfg/DFGOSRExitCompilerCommon.cpp: Added.
23483 (DFG):
23484 (JSC::DFG::handleExitCounts):
23485 (JSC::DFG::reifyInlinedCallFrames):
23486 (JSC::DFG::adjustAndJumpToTarget):
23487 * dfg/DFGOSRExitCompilerCommon.h: Added.
23488 (DFG):
23489
234902013-04-09 Filip Pizlo <fpizlo@apple.com>
23491
23492 fourthTier: DFG should better abstract floating point arguments
23493 https://bugs.webkit.org/show_bug.cgi?id=114300
23494
23495 Reviewed by Mark Hahnenberg.
23496
23497 * dfg/DFGFPRInfo.h:
23498 (FPRInfo):
23499 (JSC::DFG::FPRInfo::toArgumentRegister):
23500
235012013-04-05 Filip Pizlo <fpizlo@apple.com>
23502
23503 fourthTier: DFG should better abstract arguments
23504 https://bugs.webkit.org/show_bug.cgi?id=114073
23505
23506 Reviewed by Mark Hahnenberg.
23507
23508 * dfg/DFGGPRInfo.h:
23509 (GPRInfo):
23510 (JSC::DFG::GPRInfo::toArgumentRegister):
23511
235122013-04-03 Filip Pizlo <fpizlo@apple.com>
23513
23514 fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode
23515 https://bugs.webkit.org/show_bug.cgi?id=113905
23516
23517 Reviewed by Geoffrey Garen.
23518
23519 This removes one pointer from CodeBlock.
23520
23521 It also gives us a framework for having JITType-specific data in CodeBlock, by
23522 putting it into the appropriate JITCode class (either DFG::JITCode or
23523 FTL::JITCode). And it allows us to have DFG and FTL share some common data,
23524 via DFG::CommonData, which is stored in both DFG::JITCode and FTL::JITCode and
23525 always accessible via JITCode::dfgCommon().
23526
23527 * CMakeLists.txt:
23528 * GNUmakefile.list.am:
23529 * JavaScriptCore.xcodeproj/project.pbxproj:
23530 * Target.pri:
23531 * bytecode/CodeBlock.cpp:
23532 (JSC):
23533 (JSC::CodeBlock::dumpBytecode):
23534 (JSC::CodeBlock::visitAggregate):
23535 (JSC::CodeBlock::performTracingFixpointIteration):
23536 (JSC::CodeBlock::finalizeUnconditionally):
23537 (JSC::CodeBlock::stronglyVisitWeakReferences):
23538 (JSC::CodeBlock::shrinkToFit):
23539 (JSC::CodeBlock::tallyFrequentExitSites):
23540 * bytecode/CodeBlock.h:
23541 (CodeBlock):
23542 (JSC::CodeBlock::setJITCode):
23543 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
23544 (JSC::DFGCodeBlocks::mark):
23545 * dfg/DFGAssemblyHelpers.h:
23546 * dfg/DFGCommonData.cpp: Added.
23547 (DFG):
23548 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
23549 (JSC::DFG::CommonData::shrinkToFit):
23550 * dfg/DFGCommonData.h: Added.
23551 (JSC):
23552 (DFG):
23553 (JSC::DFG::WeakReferenceTransition::WeakReferenceTransition):
23554 (WeakReferenceTransition):
23555 (CommonData):
23556 (JSC::DFG::CommonData::CommonData):
23557 * dfg/DFGDriver.cpp:
23558 (JSC::DFG::compile):
23559 (JSC::DFG::tryCompile):
23560 (JSC::DFG::tryCompileFunction):
23561 * dfg/DFGDriver.h:
23562 (DFG):
23563 (JSC::DFG::tryCompile):
23564 (JSC::DFG::tryCompileFunction):
23565 * dfg/DFGGraph.h:
23566 (Graph):
23567 * dfg/DFGJITCode.cpp: Added.
23568 (DFG):
23569 (JSC::DFG::JITCode::JITCode):
23570 (JSC::DFG::JITCode::~JITCode):
23571 (JSC::DFG::JITCode::dfgCommon):
23572 (JSC::DFG::JITCode::dfg):
23573 (JSC::DFG::JITCode::shrinkToFit):
23574 * dfg/DFGJITCode.h: Added.
23575 (DFG):
23576 (JITCode):
23577 (JSC::DFG::JITCode::appendOSREntryData):
23578 (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex):
23579 (JSC::DFG::JITCode::appendOSRExit):
23580 (JSC::DFG::JITCode::lastOSRExit):
23581 (JSC::DFG::JITCode::appendSpeculationRecovery):
23582 (JSC::DFG::JITCode::appendWatchpoint):
23583 * dfg/DFGJITCompiler.cpp:
23584 (JSC::DFG::JITCompiler::JITCompiler):
23585 (JSC::DFG::JITCompiler::linkOSRExits):
23586 (JSC::DFG::JITCompiler::link):
23587 (JSC::DFG::JITCompiler::compile):
23588 (JSC::DFG::JITCompiler::compileFunction):
23589 * dfg/DFGJITCompiler.h:
23590 (JITCompiler):
23591 (JSC::DFG::JITCompiler::addWeakReference):
23592 (JSC::DFG::JITCompiler::noticeOSREntry):
23593 (JSC::DFG::JITCompiler::jitCode):
23594 * dfg/DFGOSREntry.cpp:
23595 (JSC::DFG::prepareOSREntry):
23596 * dfg/DFGOSRExit.h:
23597 (OSRExit):
23598 * dfg/DFGOSRExitCompiler.cpp:
23599 * dfg/DFGSpeculativeJIT.cpp:
23600 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
23601 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
23602 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
23603 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
23604 * dfg/DFGSpeculativeJIT32_64.cpp:
23605 (JSC::DFG::SpeculativeJIT::compile):
23606 * dfg/DFGSpeculativeJIT64.cpp:
23607 (JSC::DFG::SpeculativeJIT::compile):
23608 * dfg/DFGVariableEventStream.cpp:
23609 * ftl/FTLCompile.cpp:
23610 (JSC::FTL::compile):
23611 * ftl/FTLJITCode.cpp:
23612 (JSC::FTL::JITCode::JITCode):
23613 (JSC::FTL::JITCode::~JITCode):
23614 (FTL):
23615 (JSC::FTL::JITCode::initializeCode):
23616 (JSC::FTL::JITCode::addressForCall):
23617 (JSC::FTL::JITCode::executableAddressAtOffset):
23618 (JSC::FTL::JITCode::dataAddressAtOffset):
23619 (JSC::FTL::JITCode::offsetOf):
23620 (JSC::FTL::JITCode::size):
23621 (JSC::FTL::JITCode::contains):
23622 (JSC::FTL::JITCode::ftl):
23623 (JSC::FTL::JITCode::dfgCommon):
23624 * ftl/FTLJITCode.h:
23625 (JITCode):
23626 * ftl/FTLLowerDFGToLLVM.cpp:
23627 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
23628 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
23629 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
23630 (JSC::FTL::LowerDFGToLLVM::addWeakReference):
23631 (LowerDFGToLLVM):
23632 (JSC::FTL::LowerDFGToLLVM::weakPointer):
23633 * ftl/FTLState.cpp:
23634 (FTL):
23635 (JSC::FTL::State::State):
23636 (JSC::FTL::State::dumpState):
23637 * ftl/FTLState.h:
23638 (State):
23639 * heap/DFGCodeBlocks.cpp:
23640 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
23641 (JSC::DFGCodeBlocks::jettison):
23642 (JSC::DFGCodeBlocks::clearMarks):
23643 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
23644 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
23645 * jit/JITCode.cpp:
23646 (JSC::JITCode::dfgCommon):
23647 (JSC):
23648 (JSC::JITCode::dfg):
23649 (JSC::JITCode::ftl):
23650 (JSC::DirectJITCode::DirectJITCode):
23651 (JSC::DirectJITCode::initializeCodeRef):
23652 (JSC::DirectJITCode::addressForCall):
23653 (JSC::DirectJITCode::executableAddressAtOffset):
23654 (JSC::DirectJITCode::dataAddressAtOffset):
23655 (JSC::DirectJITCode::offsetOf):
23656 (JSC::DirectJITCode::size):
23657 (JSC::DirectJITCode::contains):
23658 * jit/JITCode.h:
23659 (DFG):
23660 (FTL):
23661 (JSC):
23662 (JITCode):
23663 (DirectJITCode):
23664
236652013-04-03 Filip Pizlo <fpizlo@apple.com>
23666
23667 fourthTier: Include LLVM headers with surrounding #pragmas instead of using my #define
23668 https://bugs.webkit.org/show_bug.cgi?id=113921
23669
23670 Reviewed by Oliver Hunt.
23671
23672 The LLVM community wants us to continue including all of LLVM's C++ headers. Change
23673 to using #pragmas to disable warnings that they cannot handle.
23674
23675 * ftl/FTLLLVMHeaders.h:
23676
236772013-04-03 Filip Pizlo <fpizlo@apple.com>
23678
23679 fourthTier: Everyone should know about the FTL
23680 https://bugs.webkit.org/show_bug.cgi?id=113897
23681
23682 Reviewed by Mark Hahnenberg.
23683
23684 In order to get OSR exit to work right, we need the distinction between DFG and
23685 FTL to be clear even after compilation finishes, since they will have subtly
23686 different OSR stories and likely use different data structures.
23687
23688 * bytecode/CodeBlock.cpp:
23689 (JSC::CodeBlock::resetStubInternal):
23690 (JSC::ProgramCodeBlock::compileOptimized):
23691 (JSC::EvalCodeBlock::compileOptimized):
23692 (JSC::FunctionCodeBlock::compileOptimized):
23693 (JSC::CodeBlock::adjustedExitCountThreshold):
23694 (JSC::CodeBlock::tallyFrequentExitSites):
23695 * bytecode/CodeBlock.h:
23696 (JSC::CodeBlock::setJITCode):
23697 (JSC::CodeBlock::hasOptimizedReplacement):
23698 (JSC::ExecState::isInlineCallFrame):
23699 * ftl/FTLCompile.cpp:
23700 (JSC::FTL::compile):
23701 * ftl/FTLJITCode.cpp:
23702 (JSC::FTL::JITCode::JITCode):
23703 * ftl/FTLState.cpp:
23704 (JSC::FTL::State::dumpState):
23705 * heap/DFGCodeBlocks.cpp:
23706 (JSC::DFGCodeBlocks::jettison):
23707 * interpreter/Interpreter.cpp:
23708 (JSC::getLineNumberForCallFrame):
23709 (JSC::getCallerInfo):
23710 * jit/JITCode.cpp:
23711 (WTF::printInternal):
23712 * jit/JITCode.h:
23713 (JSC::JITCode::topTierJIT):
23714 (JSC::JITCode::nextTierJIT):
23715 (JITCode):
23716 (JSC::JITCode::isJIT):
23717 (JSC::JITCode::isLowerTier):
23718 (JSC::JITCode::isHigherTier):
23719 (JSC::JITCode::isLowerOrSameTier):
23720 (JSC::JITCode::isHigherOrSameTier):
23721 (JSC::JITCode::isOptimizingJIT):
23722 * jit/JITDriver.h:
23723 (JSC::jitCompileIfAppropriate):
23724 (JSC::jitCompileFunctionIfAppropriate):
23725 * jit/JITStubs.cpp:
23726 (JSC::DEFINE_STUB_FUNCTION):
23727 * runtime/Executable.cpp:
23728 (JSC::EvalExecutable::compileOptimized):
23729 (JSC::samplingDescription):
23730 (JSC::ProgramExecutable::compileOptimized):
23731 (JSC::FunctionExecutable::compileOptimizedForCall):
23732 (JSC::FunctionExecutable::compileOptimizedForConstruct):
23733
237342013-04-03 Filip Pizlo <fpizlo@apple.com>
23735
23736 fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified
23737 https://bugs.webkit.org/show_bug.cgi?id=113894
23738
23739 Reviewed by Mark Hahnenberg.
23740
23741 1) We previously had two different ways of convertingToForward, one path for
23742 where we had a ValueRecovery for the current node and one where we didn't.
23743 But the paths were doing exactly the same thing except that if you have a
23744 ValueRecovery, you also find the last applicable mov hint and do some
23745 extra things. This patch combines the two paths and bases both of them on
23746 the previous no-ValueRecovery path, which was simpler to begin with.
23747
23748 2) This moves the logic into DFG::OSRExit, which further simplifies the code
23749 and makes the logic available to the FTL.
23750
23751 * dfg/DFGOSRExit.cpp:
23752 (JSC::DFG::OSRExit::convertToForward):
23753 (DFG):
23754 * dfg/DFGOSRExit.h:
23755 (DFG):
23756 (OSRExit):
23757 * dfg/DFGSpeculativeJIT.cpp:
23758 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
23759
237602013-04-02 Filip Pizlo <fpizlo@apple.com>
23761
23762 fourthTier: FTL should have the equivalent of a ValueRecovery
23763 https://bugs.webkit.org/show_bug.cgi?id=113819
23764
23765 Reviewed by Mark Hahnenberg.
23766
23767 This adds a way of saying that we have a value, we don't want to say what
23768 node the value came from, but we know specifics of how the value is
23769 formatted. This is the LLVM equivalent of DFG's ValueRecovery.
23770
23771 * JavaScriptCore.xcodeproj/project.pbxproj:
23772 * ftl/FTLFormattedValue.h: Added.
23773 (FTL):
23774 (FormattedValue):
23775 (JSC::FTL::FormattedValue::FormattedValue):
23776 (JSC::FTL::FormattedValue::operator!):
23777 (JSC::FTL::FormattedValue::format):
23778 (JSC::FTL::FormattedValue::value):
23779 * ftl/FTLLowerDFGToLLVM.cpp:
23780 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
23781 (JSC::FTL::LowerDFGToLLVM::speculateForward):
23782 (JSC::FTL::LowerDFGToLLVM::weakPointer):
23783
237842013-04-02 Filip Pizlo <fpizlo@apple.com>
23785
23786 fourthTier: FTL should use the right abstract heap for Int32 array accesses
23787 https://bugs.webkit.org/show_bug.cgi?id=113759
23788
23789 Reviewed by Mark Hahnenberg.
23790
23791 * ftl/FTLLowerDFGToLLVM.cpp:
23792 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
23793
237942013-04-02 Filip Pizlo <fpizlo@apple.com>
23795
23796 fourthTier: FTL should support fast property stores
23797 https://bugs.webkit.org/show_bug.cgi?id=113757
23798
23799 Reviewed by Oliver Hunt.
23800
23801 Simplified the task of handling property transitions and reduced the amount of code
23802 duplication between the JITs.
23803
23804 Added PutByOffset, PutStructure, PhantomPutStructure, WeakJSConstant, and a
23805 stub form of StructureTransitionWatchpoint to the FTL.
23806
23807 Also simplified the creation of pointer constants, and fixed a bug in
23808 speculateObject().
23809
23810 * dfg/DFGGraph.h:
23811 (JSC::DFG::Graph::notifyCompilingStructureTransition):
23812 (Graph):
23813 * dfg/DFGJITCompiler.h:
23814 (JITCompiler):
23815 * dfg/DFGSpeculativeJIT32_64.cpp:
23816 (JSC::DFG::SpeculativeJIT::compile):
23817 * dfg/DFGSpeculativeJIT64.cpp:
23818 (JSC::DFG::SpeculativeJIT::compile):
23819 * ftl/FTLCapabilities.cpp:
23820 (JSC::FTL::canCompile):
23821 * ftl/FTLLowerDFGToLLVM.cpp:
23822 (JSC::FTL::LowerDFGToLLVM::lower):
23823 (JSC::FTL::LowerDFGToLLVM::compileNode):
23824 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
23825 (LowerDFGToLLVM):
23826 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
23827 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
23828 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
23829 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
23830 (JSC::FTL::LowerDFGToLLVM::speculateObject):
23831 (JSC::FTL::LowerDFGToLLVM::weakPointer):
23832 * ftl/FTLOutput.h:
23833 (Output):
23834 (JSC::FTL::Output::constIntPtr):
23835 (JSC::FTL::Output::absolute):
23836
238372013-04-01 Filip Pizlo <fpizlo@apple.com>
23838
23839 fourthTier: FTL should support some more integer arithmetic ops (negate, xor, urshift)
23840 https://bugs.webkit.org/show_bug.cgi?id=113740
23841
23842 Reviewed by Geoffrey Garen.
23843
23844 * ftl/FTLAbbreviations.h:
23845 (JSC::FTL::buildNeg):
23846 (JSC::FTL::buildLShr):
23847 * ftl/FTLCapabilities.cpp:
23848 (JSC::FTL::canCompile):
23849 * ftl/FTLLowerDFGToLLVM.cpp:
23850 (JSC::FTL::LowerDFGToLLVM::compileNode):
23851 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
23852 (LowerDFGToLLVM):
23853 (JSC::FTL::LowerDFGToLLVM::compileBitXor):
23854 (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
23855 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
23856 * ftl/FTLOutput.h:
23857 (JSC::FTL::Output::neg):
23858 (JSC::FTL::Output::lShr):
23859
238602013-04-01 Filip Pizlo <fpizlo@apple.com>
23861
23862 fourthTier: FTL should support GetGlobalVar/PutGlobalVar
23863 https://bugs.webkit.org/show_bug.cgi?id=113728
23864
23865 Reviewed by Gavin Barraclough.
23866
23867 Removed the macro magic for the globals absolute abstract heap, since for anything
23868 with absolute addresses we can just share a common absolute abstract heap. It
23869 would only be a problem if we for example were emitting an access to a global but
23870 not using an absolute address, and then wanted to say that this access was
23871 constrained to global variables. I don't believe we do that, and I don't believe we
23872 ever will.
23873
23874 Then added Output::absolute(), a convenient way of building a typed pointer for an
23875 absolute address.
23876
23877 Then added GetGlobalVar/PutGlobalVar.
23878
23879 * ftl/FTLAbstractHeapRepository.cpp:
23880 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
23881 * ftl/FTLAbstractHeapRepository.h:
23882 (FTL):
23883 (AbstractHeapRepository):
23884 * ftl/FTLCapabilities.cpp:
23885 (JSC::FTL::canCompile):
23886 * ftl/FTLLowerDFGToLLVM.cpp:
23887 (JSC::FTL::LowerDFGToLLVM::compileNode):
23888 (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
23889 (LowerDFGToLLVM):
23890 (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
23891 * ftl/FTLOutput.h:
23892 (JSC::FTL::Output::absolute):
23893 (Output):
23894
238952013-03-31 Filip Pizlo <fpizlo@apple.com>
23896
23897 fourthTier: FTL should support ArithSub
23898 https://bugs.webkit.org/show_bug.cgi?id=113675
23899
23900 Reviewed by Oliver Hunt.
23901
23902 This does the obvious bit of implementing ArithSub, but it also takes this
23903 as an opportunity to clean up how intrinsics and common values (common types
23904 and constants) are handled. Previously they were all lumped together in
23905 FTL::Output. Now, in an effort to split up the files and make FTL::Output
23906 less big, I created a thing called FTL::CommonValues which just tracks the
23907 common values, and a thing called FTL::IntrinsicRepository which just tracks
23908 intrinsics. These and FTL::Output are all related to each other in a linear
23909 hierarchy. Moreover, IntrinsicRepository uses macro-fu to make it easy to
23910 declare new intrinsics in the future.
23911
23912 I also out-of-lined some things and made .cpp files for each of these classes.
23913 Initially, I wasn't going to do this but then I realized that FTL::Output is
23914 already included in multiple places. Probably it's better if some of its guts
23915 are not inline, and it's also good to now have .cpp "landing pads" if we ever
23916 want to add more things to that class.
23917
23918 Note that a lot of how these things are designed has to do with the fact
23919 that pretty soon here I'll have to switch us from using the LLVM global
23920 context to using a context that we create. When that happens, anyone who
23921 creates anything will have to know the context; that's why FTL::CommonValues
23922 already knows the module but doesn't use it - in the future it will have to
23923 do things with it.
23924
23925 * JavaScriptCore.xcodeproj/project.pbxproj:
23926 * ftl/FTLAbbreviations.h:
23927 (JSC::FTL::buildSub):
23928 * ftl/FTLAbstractHeapRepository.cpp:
23929 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
23930 * ftl/FTLCapabilities.cpp:
23931 (JSC::FTL::canCompile):
23932 * ftl/FTLCommonValues.cpp: Added.
23933 (FTL):
23934 (JSC::FTL::CommonValues::CommonValues):
23935 * ftl/FTLCommonValues.h: Added.
23936 (FTL):
23937 (CommonValues):
23938 (JSC::FTL::CommonValues::initialize):
23939 * ftl/FTLIntrinsicRepository.cpp: Added.
23940 (FTL):
23941 (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
23942 * ftl/FTLIntrinsicRepository.h: Added.
23943 (FTL):
23944 (IntrinsicRepository):
23945 * ftl/FTLLowerDFGToLLVM.cpp:
23946 (JSC::FTL::LowerDFGToLLVM::compileNode):
23947 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
23948 (LowerDFGToLLVM):
23949 * ftl/FTLOutput.cpp: Added.
23950 (FTL):
23951 (JSC::FTL::Output::Output):
23952 (JSC::FTL::Output::~Output):
23953 * ftl/FTLOutput.h:
23954 (Output):
23955 (JSC::FTL::Output::initialize):
23956 (JSC::FTL::Output::sub):
23957 (JSC::FTL::Output::addWithOverflow32):
23958 (JSC::FTL::Output::subWithOverflow32):
23959 (JSC::FTL::Output::mulWithOverflow32):
23960
239612013-03-31 Filip Pizlo <fpizlo@apple.com>
23962
23963 fourthTier: FTL doesn't need virtual register allocation
23964 https://bugs.webkit.org/show_bug.cgi?id=113679
23965
23966 Reviewed by Mark Hahnenberg.
23967
23968 * dfg/DFGDriver.cpp:
23969 (JSC::DFG::dumpAndVerifyGraph):
23970 (DFG):
23971 (JSC::DFG::compile):
23972
239732013-03-31 Filip Pizlo <fpizlo@apple.com>
23974
23975 https://bugs.webkit.org/show_bug.cgi?id=113656
23976 Fix Sam's nits.
23977
23978 Unreviewed.
23979
23980 * ftl/FTLAbstractHeap.cpp:
23981 (JSC::FTL::IndexedAbstractHeap::initialize):
23982 * ftl/FTLAbstractHeap.h:
23983 (IndexedAbstractHeap):
23984 (AbsoluteAbstractHeap):
23985 * ftl/FTLAbstractHeapRepository.h:
23986 (AbstractHeapRepository):
23987
239882013-03-31 Filip Pizlo <fpizlo@apple.com>
23989
23990 fourthTier: FTL JIT should support GetByVal on Int32 arrays
23991 https://bugs.webkit.org/show_bug.cgi?id=113668
23992
23993 Reviewed by Sam Weinig.
23994
23995 It actually already supported this, but needed to be told that it did.
23996
23997 Also adds an option to enable LICM (loop-invariant code motion, i.e.
23998 http://llvm.org/docs/Passes.html#licm-loop-invariant-code-motion). LICM
23999 isn't doing me any good right now, but I guess I'll have to play with
24000 it more. And this adds the ability to tweak the LLVM optimization level
24001 from the command-line.
24002
24003 * ftl/FTLCapabilities.cpp:
24004 (JSC::FTL::canCompile):
24005 * ftl/FTLCompile.cpp:
24006 (JSC::FTL::compile):
24007 * ftl/FTLLowerDFGToLLVM.cpp:
24008 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
24009 * runtime/Options.h:
24010 (JSC):
24011
240122013-03-31 Filip Pizlo <fpizlo@apple.com>
24013
24014 fourthTier: FTL JIT should supply TBAA meta-data to LLVM
24015 https://bugs.webkit.org/show_bug.cgi?id=113656
24016
24017 Reviewed by Oliver Hunt.
24018
24019 This adds support for performing strong typing on the LLVM IR that the FTL
24020 generates, by using TBAA meta-data. This will permit LLVM to do aggressive
24021 GVN, load elimination, and LICM optimization even if it sees pointer store
24022 side-effects. The goal is to precisely model all loads and stores we emit,
24023 except for the super crazy ones (GetById that can go all-out polymorphic,
24024 or for example a Call where we know nothing).
24025
24026 This is accomplished by introducing the notion of an AbstractHeap
24027 typesystem. An AbstractHeap is a subset of all possible memory locations
24028 that we might store to. For example, JSCell::m_structure and
24029 JSObject::m_butterfly are two disjoint AbstractHeaps because we know that
24030 a store to one cannot clobber the other. AbstractHeaps follow a
24031 single-inheritance hierarchy. There is the root heap, which corresponds to
24032 any possible memory location accessible to the JS engine, and then there
24033 are heaps for all internal object fields, a heap for each global object,
24034 and so on.
24035
24036 There are three other tidbits here that make this somewhat more interesting.
24037 We have a notion of an AbstractHeap-with-offset, called AbstractField.
24038 JSCell::m_structure is actually an AbstractField. This allows us to say
24039 things like m_out.loadPtr(base, m_heaps.JSCell_structure); this both
24040 gives you the offset of JSCell::m_structure and ascribes TBAA meta-data for
24041 the JSCell::m_structure heap to the generated load instrction.
24042
24043 Another fun tidbit is the notion of Indexed, Numbered, and Absolute abstract
24044 heaps. An indexed abstract heap corresponds to a set of locations that you
24045 might access by index from some base. Virtual registers are a great example.
24046 Though I call them just "variables" in the FTL. When we access a virtual
24047 register, we know that we aren't interfering with accesses to
24048 Structure-managed named properties, or with JSCell::m_structure, or with
24049 other such disjoint heaps. But we also know that if we access a variable at
24050 offset X and then another variable at offset Y and we know that X and Y are
24051 unequal, then these two accesses are on disjoint subheaps of the variables
24052 heap. This works out naturally for interference between, say, scoped variable
24053 access and local variable access: if you access scoped variable r5 and then
24054 access a local variable r5, these might interfere - and they will get the
24055 same abstract subheap of the variables heap. IndexedAbstractHeaps
24056 conveniently remember the size of the elements and will give you an
24057 AbstractField (i.e. heap-with-offset) if you give it an index. This is great
24058 for conveniently writing code that accesses contiguous arrays of well-typed
24059 things. This allows you to literally do things like
24060 m_out.load64(callFrameRegister, m_heaps.variables[operand]) and the right
24061 thing will happen. You can also get the heap variables.atAnyIndex(), if
24062 you're doing an access with an unknown index.
24063
24064 Numbered and Absolute abstract heaps are related except that they don't
24065 assume that the value used to get the abstract subheap corresponds to any
24066 meaningful offset from any base. Numbered heaps, like the properties heap
24067 (for named properties tracked by Structure), are "numbered" (not indexed)
24068 by the propertyNumber. So you can emit a GetByOffset by separately
24069 computing the offset and the propertyNumber (both values are stored in the
24070 StorageAccessData), and passing the offset directly to Output::address()
24071 and passing m_heaps.properties[propertyNumber] as the field. Absolute heaps
24072 are similar, but are keyed on absolute address. This is appropriate for
24073 global variables, and possibly other things.
24074
24075 Finally, FTL::Output understands the notion of a pointer-with-TBAA-data,
24076 and calls it a TypedPointer. TypedPointer is a tuple of a LLVMValueRef
24077 referencing an intptr value and a pointer to an AbstractHeap. All load()
24078 and store() operations now take a TypedPointer, and will perform the access
24079 by casting the intptr to a pointer of the right type and then ascribing the
24080 TBAA meta-data from the AbstractHeap.
24081
24082 * JavaScriptCore.xcodeproj/project.pbxproj:
24083 * ftl/FTLAbbreviations.h:
24084 (JSC::FTL::mdKindID):
24085 (JSC::FTL::mdString):
24086 (JSC::FTL::mdNode):
24087 (FTL):
24088 (JSC::FTL::setMetadata):
24089 * ftl/FTLAbstractHeap.cpp: Added.
24090 (FTL):
24091 (JSC::FTL::AbstractHeap::tbaaMetadataSlow):
24092 (JSC::FTL::AbstractHeap::decorateInstruction):
24093 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
24094 (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
24095 (JSC::FTL::IndexedAbstractHeap::baseIndex):
24096 (JSC::FTL::IndexedAbstractHeap::atSlow):
24097 (JSC::FTL::IndexedAbstractHeap::initialize):
24098 (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
24099 (JSC::FTL::NumberedAbstractHeap::~NumberedAbstractHeap):
24100 (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
24101 (JSC::FTL::AbsoluteAbstractHeap::~AbsoluteAbstractHeap):
24102 * ftl/FTLAbstractHeap.h: Added.
24103 (FTL):
24104 (AbstractHeap):
24105 (JSC::FTL::AbstractHeap::AbstractHeap):
24106 (JSC::FTL::AbstractHeap::isInitialized):
24107 (JSC::FTL::AbstractHeap::initialize):
24108 (JSC::FTL::AbstractHeap::parent):
24109 (JSC::FTL::AbstractHeap::heapName):
24110 (JSC::FTL::AbstractHeap::tbaaMetadata):
24111 (AbstractField):
24112 (JSC::FTL::AbstractField::AbstractField):
24113 (JSC::FTL::AbstractField::initialize):
24114 (JSC::FTL::AbstractField::offset):
24115 (IndexedAbstractHeap):
24116 (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
24117 (JSC::FTL::IndexedAbstractHeap::at):
24118 (JSC::FTL::IndexedAbstractHeap::operator[]):
24119 (JSC::FTL::IndexedAbstractHeap::returnInitialized):
24120 (JSC::FTL::IndexedAbstractHeap::MyHashTraits::constructDeletedValue):
24121 (JSC::FTL::IndexedAbstractHeap::MyHashTraits::isDeletedValue):
24122 (NumberedAbstractHeap):
24123 (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
24124 (JSC::FTL::NumberedAbstractHeap::at):
24125 (JSC::FTL::NumberedAbstractHeap::operator[]):
24126 (AbsoluteAbstractHeap):
24127 (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
24128 (JSC::FTL::AbsoluteAbstractHeap::at):
24129 (JSC::FTL::AbsoluteAbstractHeap::operator[]):
24130 * ftl/FTLAbstractHeapRepository.cpp: Added.
24131 (FTL):
24132 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
24133 (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
24134 * ftl/FTLAbstractHeapRepository.h: Added.
24135 (FTL):
24136 (AbstractHeapRepository):
24137 * ftl/FTLLowerDFGToLLVM.cpp:
24138 (JSC::FTL::LowerDFGToLLVM::lower):
24139 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
24140 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
24141 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
24142 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
24143 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
24144 (JSC::FTL::LowerDFGToLLVM::speculateObject):
24145 (JSC::FTL::LowerDFGToLLVM::addressFor):
24146 (JSC::FTL::LowerDFGToLLVM::payloadFor):
24147 (JSC::FTL::LowerDFGToLLVM::tagFor):
24148 (LowerDFGToLLVM):
24149 * ftl/FTLOutput.h:
24150 (FTL):
24151 (JSC::FTL::Output::Output):
24152 (JSC::FTL::Output::initialize):
24153 (JSC::FTL::Output::set):
24154 (JSC::FTL::Output::load):
24155 (JSC::FTL::Output::store):
24156 (Output):
24157 (JSC::FTL::Output::load32):
24158 (JSC::FTL::Output::load64):
24159 (JSC::FTL::Output::loadPtr):
24160 (JSC::FTL::Output::store32):
24161 (JSC::FTL::Output::store64):
24162 (JSC::FTL::Output::storePtr):
24163 (JSC::FTL::Output::addPtr):
24164 (JSC::FTL::Output::address):
24165 (JSC::FTL::Output::baseIndex):
24166 * ftl/FTLTypedPointer.h: Added.
24167 (FTL):
24168 (TypedPointer):
24169 (JSC::FTL::TypedPointer::TypedPointer):
24170 (JSC::FTL::TypedPointer::operator!):
24171 (JSC::FTL::TypedPointer::heap):
24172 (JSC::FTL::TypedPointer::value):
24173 * runtime/Options.h:
24174 (JSC):
24175
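The AbstractHeap type system described in the TBAA entry above (bug 113656), as an added C++ model that is not JavaScriptCore's code: the names AbstractHeap, AbstractField, IndexedAbstractHeap, AbstractHeapRepository, TypedPointer, atAnyIndex() and address() follow the entry, but the implementation, the field offsets, the 8-byte slot size and the helper functions (mayAlias, heaps, variableAddress and the three *MayAlias queries) are assumptions constructed for this example. It shows how the single-inheritance hierarchy answers whether two accesses may alias, how an IndexedAbstractHeap turns an operand into an AbstractField with a concrete offset, and how a TypedPointer pairs an address with the heap that gets ascribed to the load or store.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>

namespace ftlmodel {

// A node in the single-inheritance heap hierarchy; the root (no parent)
// stands for every memory location the JS engine can touch.
class AbstractHeap {
public:
    explicit AbstractHeap(const AbstractHeap* parent) : m_parent(parent) {}
    // True if this heap is `other` or lies below it in the hierarchy.
    bool isSubheapOf(const AbstractHeap& other) const {
        for (const AbstractHeap* h = this; h; h = h->m_parent)
            if (h == &other) return true;
        return false;
    }
private:
    const AbstractHeap* m_parent;
};

// Two accesses may alias unless their heaps are provably disjoint, i.e.
// neither is an ancestor-or-self of the other. Siblings never alias.
inline bool mayAlias(const AbstractHeap& a, const AbstractHeap& b) {
    return a.isSubheapOf(b) || b.isSubheapOf(a);
}

// A heap with a byte offset from some base, e.g. JSCell::m_structure.
class AbstractField : public AbstractHeap {
public:
    AbstractField(const AbstractHeap* parent, ptrdiff_t offset)
        : AbstractHeap(parent), m_offset(offset) {}
    ptrdiff_t offset() const { return m_offset; }
private:
    ptrdiff_t m_offset;
};

// A family of subheaps keyed by index; index i becomes an AbstractField at
// i * elementSize. Distinct indices are disjoint siblings, while atAnyIndex()
// is their common parent and therefore may alias with every one of them.
class IndexedAbstractHeap {
public:
    IndexedAbstractHeap(const AbstractHeap* parent, size_t elementSize)
        : m_heap(parent), m_elementSize(elementSize) {}
    const AbstractHeap& atAnyIndex() const { return m_heap; }
    const AbstractField& at(size_t index) {
        auto it = m_fields.find(index);
        if (it == m_fields.end()) {
            auto field = std::make_unique<AbstractField>(
                &m_heap, static_cast<ptrdiff_t>(index * m_elementSize));
            it = m_fields.emplace(index, std::move(field)).first;
        }
        return *it->second;  // std::map nodes are stable, so the reference stays valid
    }
    const AbstractField& operator[](size_t index) { return at(index); }
private:
    AbstractHeap m_heap;
    size_t m_elementSize;
    std::map<size_t, std::unique_ptr<AbstractField>> m_fields;
};

// Pointer-with-TBAA-data: the address plus the heap ascribed to the access.
struct TypedPointer {
    uintptr_t value;
    const AbstractHeap* heap;
};

// The hierarchy the entry describes. The offsets and the 8-byte slot size
// are constructed for this example, not JSC's real object layout.
struct AbstractHeapRepository {
    AbstractHeap root{nullptr};
    AbstractField JSCell_structure{&root, 0};
    AbstractField JSObject_butterfly{&root, 8};
    IndexedAbstractHeap variables{&root, 8};
};

// Counterpart of Output::address(base, field): offset applied, heap attached.
inline TypedPointer address(uintptr_t base, const AbstractField& field) {
    return TypedPointer{base + static_cast<uintptr_t>(field.offset()), &field};
}

// One shared repository (it is non-copyable: the heaps point at each other).
inline AbstractHeapRepository& heaps() { static AbstractHeapRepository repo; return repo; }

inline bool structureAndButterflyMayAlias() {
    return mayAlias(heaps().JSCell_structure, heaps().JSObject_butterfly);  // false
}
inline bool distinctVariablesMayAlias() {
    return mayAlias(heaps().variables[5], heaps().variables[6]);  // false
}
inline bool unknownIndexMayAlias() {
    return mayAlias(heaps().variables.atAnyIndex(), heaps().variables[5]);  // true
}
inline uintptr_t variableAddress(uintptr_t callFrame, size_t operand) {
    return address(callFrame, heaps().variables[operand]).value;  // callFrame + operand * 8
}

}  // namespace ftlmodel
```

The disjointness answer is what ends up in LLVM's TBAA metadata, and LLVM trusts it: a pair of heaps declared disjoint that can in fact overlap is a miscompilation (a load reordered past or eliminated across the store that should have fed it), not merely a missed optimization. That is why an access of unknown shape falls back to a parent heap such as atAnyIndex() or the root rather than a guess, and why the entry excludes the "super crazy" accesses from precise modelling.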
2013-03-30 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL JIT should be able to compile the Array.prototype.findGraphNode function in Kraken/ai-astar
        https://bugs.webkit.org/show_bug.cgi?id=113646

        Reviewed by Oliver Hunt.

        This adds enough FTL support to compile Array.prototype.findGraphNode. This isn't
        a speed-up, yet, because findGraphNode tends to be aggressively inlined by the DFG,
        and the FTL can't yet compile the things into which it was inlined. In future
        patches we will get to a point where we can compile the callers, and then we'll be
        able to see what the performance effects are.

        But the interesting thing is that it isn't a slow-down, either. This implies that
        even if we FTL compile a CodeBlock that we shouldn't have (the fact that we are
        compiling things that end up being inlined is dumb, and the fact that the current
        FTL tiering strategy launches LLVM for those things is even dumber), we still run
        at OK performance.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowObject):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::lowStorage):
        (JSC::FTL::LowerDFGToLLVM::isNotInt32):
        (JSC::FTL::LowerDFGToLLVM::isNotCell):
        (JSC::FTL::LowerDFGToLLVM::isNotBoolean):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateCell):
        (JSC::FTL::LowerDFGToLLVM::speculateObject):
        (JSC::FTL::LowerDFGToLLVM::accountedPointer):
        (JSC::FTL::LowerDFGToLLVM::weakPointer):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::insertNewBlocksBefore):
        (JSC::FTL::Output::appendTo):
        (Output):
        (JSC::FTL::Output::baseIndex):

2013-03-29 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL JIT should be able to compile the Marsaglia random number generator
        https://bugs.webkit.org/show_bug.cgi?id=113635

        Reviewed by Oliver Hunt.

        Just adding missing functionality.

        Also "fixed" OSR exit to use a call to abort() in addition to using Unreachable
        since the latter doesn't actually mean trap - quite the opposite, it tells LLVM
        that the code can never be reached.

        The Marsaglia function runs ~60% faster with FTL than DFG. Not a terrible start.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLAbbreviations.h:
        (FTL):
        (JSC::FTL::voidType):
        (JSC::FTL::structType):
        (JSC::FTL::functionType):
        (JSC::FTL::addFunction):
        (JSC::FTL::setLinkage):
        (JSC::FTL::setFunctionCallingConv):
        (JSC::FTL::addExternFunction):
        (JSC::FTL::constIntToPtr):
        (JSC::FTL::constBitCast):
        (JSC::FTL::buildMul):
        (JSC::FTL::buildOr):
        (JSC::FTL::buildShl):
        (JSC::FTL::buildAShr):
        (JSC::FTL::buildCall):
        (JSC::FTL::buildExtractValue):
        (JSC::FTL::dumpModule):
        (JSC::FTL::verifyModule):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::LowerDFGToLLVM::compileBitOr):
        (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
        (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::speculateBackward):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::appendTo):
        (Output):
        (JSC::FTL::Output::mul):
        (JSC::FTL::Output::bitOr):
        (JSC::FTL::Output::shl):
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::addWithOverflow32):
        (JSC::FTL::Output::mulWithOverflow32):
        (JSC::FTL::Output::extractValue):
        (JSC::FTL::Output::call):
        (JSC::FTL::Output::addWithOverflow32Function):
        (JSC::FTL::Output::mulWithOverflow32Function):
        * ftl/FTLState.cpp: Added.
        (FTL):
        (JSC::FTL::State::dumpState):
        * ftl/FTLState.h:
        (State):

2013-03-29 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, release mode build fix.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):

2013-03-29 Filip Pizlo <fpizlo@apple.com>

        fourthTier: Change DO_NOT_INCLUDE_LLVM_CPP_HEADERS to LLVM_DO_NOT_INCLUDE_CPP_HEADERS
        https://bugs.webkit.org/show_bug.cgi?id=113634

        Reviewed by Dan Bernstein.

        * ftl/FTLLLVMHeaders.h:

2013-03-29 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL JIT should be able run some simple function
        https://bugs.webkit.org/show_bug.cgi?id=113481

        Reviewed by Geoffrey Garen.

        I forgot to make a couple of the requested review changes, so I'm making
        them now!

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.h:

2013-03-29 Filip Pizlo <fpizlo@apple.com>

        fourthTier: FTL JIT should be able run some simple function
        https://bugs.webkit.org/show_bug.cgi?id=113481

        Reviewed by Geoffrey Garen.

        This is the initial version of the FTL JIT (Fourth Tier LLVM JIT).
        It includes a lowering from the DFG IR to LLVM IR (FTL::lowerDFGToLLVM)
        and a "backend" step that invokes the LLVM and wraps the resulting
        function in a thunk (FTL::compile).

        All LLVM IR building functions are wrapped up into a nicer FTL API.
        First they're wrapped in an abbreviated API (FTLAbbreviations.h) and
        then again into an object-oriented IR builder (FTLOutput.h).

        This runs things. I don't know how fast it runs things. And I don't
        make any claims of stability. The FTL is runtime-disabled by default;
        you will enable it by doing --useExperimentalFTL=true. Probably if you
        do this, you will run slower, because of the heavy thunking we do, the
        fact that we don't have anything resembling a sensible tiering story,
        and because we only compile ridiculously tiny functions.

        Finally, this still requires a custom set of LLVM headers to build.
        I am working on getting that up-streamed to LLVM, and separately I'll
        make sure that we have a build checked into this branch.

        * Configurations/JavaScriptCore.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h:
        (Operands):
        (JSC::Operands::Operands):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::needsTypeCheck):
        (AbstractState):
        (JSC::DFG::AbstractState::filterEdgeByUse):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (DFG):
        * dfg/DFGUseKind.h:
        (JSC::DFG::shouldNotHaveTypeCheck):
        (DFG):
        (JSC::DFG::mayHaveTypeCheck):
        (JSC::DFG::isDouble):
        (JSC::DFG::isCell):
        * ftl: Added.
        * ftl/FTLAbbreviations.h: Added.
        (FTL):
        (JSC::FTL::int1Type):
        (JSC::FTL::int32Type):
        (JSC::FTL::int64Type):
        (JSC::FTL::intPtrType):
        (JSC::FTL::pointerType):
        (JSC::FTL::getParam):
        (JSC::FTL::constInt):
        (JSC::FTL::appendBasicBlock):
        (JSC::FTL::insertBasicBlock):
        (JSC::FTL::buildAlloca):
        (JSC::FTL::buildAdd):
        (JSC::FTL::buildAnd):
        (JSC::FTL::buildXor):
        (JSC::FTL::buildLoad):
        (JSC::FTL::buildStore):
        (JSC::FTL::buildZExt):
        (JSC::FTL::buildIntCast):
        (JSC::FTL::buildIntToPtr):
        (JSC::FTL::buildPtrToInt):
        (JSC::FTL::buildICmp):
        (JSC::FTL::buildSelect):
        (JSC::FTL::buildBr):
        (JSC::FTL::buildCondBr):
        (JSC::FTL::buildRet):
        (JSC::FTL::buildUnreachable):
        * ftl/FTLCapabilities.cpp: Added.
        (FTL):
        (JSC::FTL::canCompile):
        * ftl/FTLCapabilities.h: Added.
        (FTL):
        * ftl/FTLCompile.cpp: Added.
        (FTL):
        (JSC::FTL::compileEntry):
        (JSC::FTL::compile):
        * ftl/FTLCompile.h: Added.
        (FTL):
        * ftl/FTLJITCode.cpp: Added.
        (FTL):
        (JSC::FTL::JITCode::JITCode):
        (JSC::FTL::JITCode::~JITCode):
        (JSC::FTL::JITCode::addressForCall):
        (JSC::FTL::JITCode::executableAddressAtOffset):
        (JSC::FTL::JITCode::dataAddressAtOffset):
        (JSC::FTL::JITCode::offsetOf):
        (JSC::FTL::JITCode::size):
        (JSC::FTL::JITCode::contains):
        * ftl/FTLJITCode.h: Added.
        (FTL):
        (JITCode):
        * ftl/FTLLLVMHeaders.h: Added.
        * ftl/FTLLowerDFGToLLVM.cpp: Added.
        (FTL):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::addFlushedLocalOpRoots):
        (JSC::FTL::LowerDFGToLLVM::closeOverFlushedLocalOps):
        (JSC::FTL::LowerDFGToLLVM::addFlushedLocalOp):
        (JSC::FTL::LowerDFGToLLVM::addFlushedLocalEdge):
        (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck):
        (JSC::FTL::LowerDFGToLLVM::compilePhantom):
        (JSC::FTL::LowerDFGToLLVM::compileReturn):
        (JSC::FTL::LowerDFGToLLVM::speculateBackward):
        (JSC::FTL::LowerDFGToLLVM::speculateForward):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::terminate):
        (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::checkNotInt32):
        (JSC::FTL::LowerDFGToLLVM::unboxInt32):
        (JSC::FTL::LowerDFGToLLVM::boxInt32):
        (JSC::FTL::LowerDFGToLLVM::checkNotCell):
        (JSC::FTL::LowerDFGToLLVM::checkNotBoolean):
        (JSC::FTL::LowerDFGToLLVM::unboxBoolean):
        (JSC::FTL::LowerDFGToLLVM::boxBoolean):
        (JSC::FTL::LowerDFGToLLVM::speculateInt32):
        (JSC::FTL::LowerDFGToLLVM::addressFor):
        (JSC::FTL::LowerDFGToLLVM::payloadFor):
        (JSC::FTL::LowerDFGToLLVM::tagFor):
        (JSC::FTL::LowerDFGToLLVM::globalData):
        (JSC::FTL::LowerDFGToLLVM::codeBlock):
        (JSC::FTL::lowerDFGToLLVM):
        * ftl/FTLLowerDFGToLLVM.h: Added.
        (FTL):
        * ftl/FTLOutput.h: Added.
        (FTL):
        (Output):
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::~Output):
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Output::param):
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::constInt32):
        (JSC::FTL::Output::constIntPtr):
        (JSC::FTL::Output::constInt64):
        (JSC::FTL::Output::add):
        (JSC::FTL::Output::bitAnd):
        (JSC::FTL::Output::bitXor):
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::intCast):
        (JSC::FTL::Output::castToInt32):
        (JSC::FTL::Output::get):
        (JSC::FTL::Output::set):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::load32):
        (JSC::FTL::Output::load64):
        (JSC::FTL::Output::loadPtr):
        (JSC::FTL::Output::store32):
        (JSC::FTL::Output::store64):
        (JSC::FTL::Output::storePtr):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::isZero64):
        (JSC::FTL::Output::notZero64):
        (JSC::FTL::Output::testNonZero64):
        (JSC::FTL::Output::select):
        (JSC::FTL::Output::jump):
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::ret):
        (JSC::FTL::Output::unreachable):
        * ftl/FTLState.h: Added.
        (FTL):
        (State):
        (JSC::FTL::State::State):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Options.h:
        (JSC):

2013-03-27 Filip Pizlo <fpizlo@apple.com>

        fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated
        https://bugs.webkit.org/show_bug.cgi?id=113437

        Reviewed by Mark Hahnenberg.

        JITCode is now a virtual base class, which will allow different JITs to have radically
        different memory allocation and management conventions in the future. It will also
        make it easier to store JIT-specific meta-data in CodeBlock just by putting it into
        an appropriate JITCode subclass.

        For now there is one subclass, DirectJITCode, which just behaves like JITCode used to
        behave.

        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::RepatchBuffer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::getJITCode):
        (JSC::CodeBlock::getJITType):
        (CodeBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (DFG):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::codeLocationForRepatch):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        (JIT):
        * jit/JITCode.cpp:
        (JSC):
        (JSC::JITCode::JITCode):
        (JSC::JITCode::~JITCode):
        (JSC::JITCode::execute):
        (JSC::JITCode::hostFunction):
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::DirectJITCode::~DirectJITCode):
        (JSC::DirectJITCode::addressForCall):
        (JSC::DirectJITCode::executableAddressAtOffset):
        (JSC::DirectJITCode::dataAddressAtOffset):
        (JSC::DirectJITCode::offsetOf):
        (JSC::DirectJITCode::size):
        (JSC::DirectJITCode::contains):
        * jit/JITCode.h:
        (JSC):
        (JITCode):
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        (JSC::JITCode::isOptimizingJIT):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::jitType):
        (JSC::JITCode::jitTypeFor):
        (JSC::JITCode::executableAddress):
        (JSC::JITCode::start):
        (JSC::JITCode::end):
        (DirectJITCode):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::lazyLinkFor):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForGenerator):
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC):
        (LLInt):
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeForCall):
        (JSC::ExecutableBase::generatedJITCodeForConstruct):
        (JSC::ExecutableBase::generatedJITCodeFor):
        (ExecutableBase):
        (JSC::ExecutableBase::hostCodeEntryFor):
        (JSC::ExecutableBase::jsCodeEntryFor):
        (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        (JSC::EvalExecutable::generatedJITCode):
        (JSC::ProgramExecutable::generatedJITCode):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2013-07-16 Oliver Hunt <oliver@apple.com>

        Merged dfgFourthTier r148570

        2013-04-16 Filip Pizlo <fpizlo@apple.com>

                fourthTier: DFG should be able to query Structure without modifying it
                https://bugs.webkit.org/show_bug.cgi?id=114708

                Reviewed by Oliver Hunt.

                This is work towards allowing the DFG, and FTL, to run on a separate thread.
                The idea is that the most evil thing that the DFG does that has thread-safety
                issues is fiddling with Structures by calling Structure::get(). This can lead
                to rematerialization of property tables, which is definitely not thread-safe
                due to how StringImpl works. So, this patch completely side-steps the problem
                by creating a new version of Structure::get, called
                Structure::getWithoutMaterializing, which may choose to do an O(n) search if
                necessary to avoid materialization. I believe this should be fine - the DFG
                doesn't call into these code path often enough for this to matter, and most of
                the time, the Structure that we call this on will already have a property
                table because some inline cache would have already called ::get() on that
                Structure.

                Also cleaned up the materialization logic: we can stop the search as soon as
                we find any Structure with a property table rather than searching all the way
                for a pinned one.

                * bytecode/GetByIdStatus.cpp:
                (JSC::GetByIdStatus::computeFor):
                * bytecode/PutByIdStatus.cpp:
                (JSC::PutByIdStatus::computeFromLLInt):
                (JSC::PutByIdStatus::computeFor):
                * runtime/Structure.cpp:
                (JSC::Structure::findStructuresAndMapForMaterialization):
                (JSC::Structure::materializePropertyMap):
                (JSC::Structure::getWithoutMaterializing):
                (JSC):
                * runtime/Structure.h:
                (Structure):
                * runtime/StructureInlines.h:
                (JSC::Structure::getWithoutMaterializing):
                (JSC):

24711 2013-07-15 Oliver Hunt <oliver@apple.com>
24712
24713 Merged dfgFourthTier r148047
24714
24715 2013-04-09 Filip Pizlo <fpizlo@apple.com>
24716
24717 fourthTier: DFG should provide utilities for common OSR exit tasks
24718 https://bugs.webkit.org/show_bug.cgi?id=114306
24719
24720 Reviewed by Mark Hahnenberg.
24721
24722 Just abstract out some things that the FTL will want to use as well.
24723
24724 * CMakeLists.txt:
24725 * GNUmakefile.list.am:
24726 * JavaScriptCore.xcodeproj/project.pbxproj:
24727 * Target.pri:
24728 * dfg/DFGDriver.cpp:
24729 (JSC::DFG::compile):
24730 * dfg/DFGOSRExitCompiler.cpp:
24731 * dfg/DFGOSRExitCompiler.h:
24732 (OSRExitCompiler):
24733 * dfg/DFGOSRExitCompiler32_64.cpp:
24734 (JSC::DFG::OSRExitCompiler::compileExit):
24735 * dfg/DFGOSRExitCompiler64.cpp:
24736 (JSC::DFG::OSRExitCompiler::compileExit):
24737 * dfg/DFGOSRExitCompilerCommon.cpp: Added.
24738 (DFG):
24739 (JSC::DFG::handleExitCounts):
24740 (JSC::DFG::reifyInlinedCallFrames):
24741 (JSC::DFG::adjustAndJumpToTarget):
24742 * dfg/DFGOSRExitCompilerCommon.h: Added.
24743 (DFG):
24744
24745 2013-07-15 Oliver Hunt <oliver@apple.com>
24746
24747 Merged dfgFourthTier r148037
24748
24749 2013-04-09 Filip Pizlo <fpizlo@apple.com>
24750
24751 fourthTier: DFG should better abstract floating point arguments
24752 https://bugs.webkit.org/show_bug.cgi?id=114300
24753
24754 Reviewed by Mark Hahnenberg.
24755
24756 * dfg/DFGFPRInfo.h:
24757 (FPRInfo):
24758 (JSC::DFG::FPRInfo::toArgumentRegister):
24759
24760 2013-07-15 Oliver Hunt <oliver@apple.com>
24761
24762 Merged dfgFourthTier r147821
24763
24764 2013-04-05 Filip Pizlo <fpizlo@apple.com>
24765
24766 fourthTier: DFG should better abstract arguments
24767 https://bugs.webkit.org/show_bug.cgi?id=114073
24768
24769 Reviewed by Mark Hahnenberg.
24770
24771 * dfg/DFGGPRInfo.h:
24772 (GPRInfo):
24773 (JSC::DFG::GPRInfo::toArgumentRegister):
24774
24775 2013-07-15 Oliver Hunt <oliver@apple.com>
24776
24777 Merged dfgFourthTier r147609
24778
24779 2013-04-03 Filip Pizlo <fpizlo@apple.com>
24780
24781 fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode
24782 https://bugs.webkit.org/show_bug.cgi?id=113905
24783
24784 Reviewed by Geoffrey Garen.
24785
24786 This removes one pointer from CodeBlock.
24787
24788 It also gives us a framework for having JITType-specific data in CodeBlock, by
24789 putting it into the appropriate JITCode class (either DFG::JITCode or
24790 FTL::JITCode). And it allows us to have DFG and FTL share some common data,
24791 via DFG::CommonData, which is stored in both DFG::JITCode and FTL::JITCode and
24792 always accessible via JITCode::dfgCommon().
24793
24794 * CMakeLists.txt:
24795 * GNUmakefile.list.am:
24796 * JavaScriptCore.xcodeproj/project.pbxproj:
24797 * Target.pri:
24798 * bytecode/CodeBlock.cpp:
24799 (JSC):
24800 (JSC::CodeBlock::dumpBytecode):
24801 (JSC::CodeBlock::visitAggregate):
24802 (JSC::CodeBlock::performTracingFixpointIteration):
24803 (JSC::CodeBlock::finalizeUnconditionally):
24804 (JSC::CodeBlock::stronglyVisitWeakReferences):
24805 (JSC::CodeBlock::shrinkToFit):
24806 (JSC::CodeBlock::tallyFrequentExitSites):
24807 * bytecode/CodeBlock.h:
24808 (CodeBlock):
24809 (JSC::CodeBlock::setJITCode):
24810 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
24811 (JSC::DFGCodeBlocks::mark):
24812 * dfg/DFGAssemblyHelpers.h:
24813 * dfg/DFGCommonData.cpp: Added.
24814 (DFG):
24815 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
24816 (JSC::DFG::CommonData::shrinkToFit):
24817 * dfg/DFGCommonData.h: Added.
24818 (JSC):
24819 (DFG):
24820 (JSC::DFG::WeakReferenceTransition::WeakReferenceTransition):
24821 (WeakReferenceTransition):
24822 (CommonData):
24823 (JSC::DFG::CommonData::CommonData):
24824 * dfg/DFGDriver.cpp:
24825 (JSC::DFG::compile):
24826 (JSC::DFG::tryCompile):
24827 (JSC::DFG::tryCompileFunction):
24828 * dfg/DFGDriver.h:
24829 (DFG):
24830 (JSC::DFG::tryCompile):
24831 (JSC::DFG::tryCompileFunction):
24832 * dfg/DFGGraph.h:
24833 (Graph):
24834 * dfg/DFGJITCode.cpp: Added.
24835 (DFG):
24836 (JSC::DFG::JITCode::JITCode):
24837 (JSC::DFG::JITCode::~JITCode):
24838 (JSC::DFG::JITCode::dfgCommon):
24839 (JSC::DFG::JITCode::dfg):
24840 (JSC::DFG::JITCode::shrinkToFit):
24841 * dfg/DFGJITCode.h: Added.
24842 (DFG):
24843 (JITCode):
24844 (JSC::DFG::JITCode::appendOSREntryData):
24845 (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex):
24846 (JSC::DFG::JITCode::appendOSRExit):
24847 (JSC::DFG::JITCode::lastOSRExit):
24848 (JSC::DFG::JITCode::appendSpeculationRecovery):
24849 (JSC::DFG::JITCode::appendWatchpoint):
24850 * dfg/DFGJITCompiler.cpp:
24851 (JSC::DFG::JITCompiler::JITCompiler):
24852 (JSC::DFG::JITCompiler::linkOSRExits):
24853 (JSC::DFG::JITCompiler::link):
24854 (JSC::DFG::JITCompiler::compile):
24855 (JSC::DFG::JITCompiler::compileFunction):
24856 * dfg/DFGJITCompiler.h:
24857 (JITCompiler):
24858 (JSC::DFG::JITCompiler::addWeakReference):
24859 (JSC::DFG::JITCompiler::noticeOSREntry):
24860 (JSC::DFG::JITCompiler::jitCode):
24861 * dfg/DFGOSREntry.cpp:
24862 (JSC::DFG::prepareOSREntry):
24863 * dfg/DFGOSRExit.h:
24864 (OSRExit):
24865 * dfg/DFGOSRExitCompiler.cpp:
24866 * dfg/DFGSpeculativeJIT.cpp:
24867 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
24868 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
24869 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
24870 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
24871 * dfg/DFGSpeculativeJIT32_64.cpp:
24872 (JSC::DFG::SpeculativeJIT::compile):
24873 * dfg/DFGSpeculativeJIT64.cpp:
24874 (JSC::DFG::SpeculativeJIT::compile):
24875 * dfg/DFGVariableEventStream.cpp:
24876 * heap/DFGCodeBlocks.cpp:
24877 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
24878 (JSC::DFGCodeBlocks::jettison):
24879 (JSC::DFGCodeBlocks::clearMarks):
24880 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
24881 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
24882 * jit/JITCode.cpp:
24883 (JSC::JITCode::dfgCommon):
24884 (JSC):
24885 (JSC::JITCode::dfg):
24886 (JSC::JITCode::ftl):
24887 (JSC::DirectJITCode::DirectJITCode):
24888 (JSC::DirectJITCode::initializeCodeRef):
24889 (JSC::DirectJITCode::addressForCall):
24890 (JSC::DirectJITCode::executableAddressAtOffset):
24891 (JSC::DirectJITCode::dataAddressAtOffset):
24892 (JSC::DirectJITCode::offsetOf):
24893 (JSC::DirectJITCode::size):
24894 (JSC::DirectJITCode::contains):
24895 * jit/JITCode.h:
24896 (DFG):
24897 (FTL):
24898 (JSC):
24899 (JITCode):
24900 (DirectJITCode):
24901
24902 2013-07-15 Oliver Hunt <oliver@apple.com>
24903
24904 Merge dfgFourthTier r147587
24905
24906 2013-04-03 Filip Pizlo <fpizlo@apple.com>
24907
24908 fourthTier: Everyone should know about the FTL
24909 https://bugs.webkit.org/show_bug.cgi?id=113897
24910
24911 Reviewed by Mark Hahnenberg.
24912
24913 In order to get OSR exit to work right, we need the distinction between DFG and
24914 FTL to be clear even after compilation finishes, since they will have subtly
24915 different OSR stories and likely use different data structures.
24916
24917 * bytecode/CodeBlock.cpp:
24918 (JSC::CodeBlock::resetStubInternal):
24919 (JSC::ProgramCodeBlock::compileOptimized):
24920 (JSC::EvalCodeBlock::compileOptimized):
24921 (JSC::FunctionCodeBlock::compileOptimized):
24922 (JSC::CodeBlock::adjustedExitCountThreshold):
24923 (JSC::CodeBlock::tallyFrequentExitSites):
24924 * bytecode/CodeBlock.h:
24925 (JSC::CodeBlock::setJITCode):
24926 (JSC::CodeBlock::hasOptimizedReplacement):
24927 (JSC::ExecState::isInlineCallFrame):
24928 * ftl/FTLCompile.cpp:
24929 (JSC::FTL::compile):
24930 * ftl/FTLJITCode.cpp:
24931 (JSC::FTL::JITCode::JITCode):
24932 * ftl/FTLState.cpp:
24933 (JSC::FTL::State::dumpState):
24934 * heap/DFGCodeBlocks.cpp:
24935 (JSC::DFGCodeBlocks::jettison):
24936 * interpreter/Interpreter.cpp:
24937 (JSC::getLineNumberForCallFrame):
24938 (JSC::getCallerInfo):
24939 * jit/JITCode.cpp:
24940 (WTF::printInternal):
24941 * jit/JITCode.h:
24942 (JSC::JITCode::topTierJIT):
24943 (JSC::JITCode::nextTierJIT):
24944 (JITCode):
24945 (JSC::JITCode::isJIT):
24946 (JSC::JITCode::isLowerTier):
24947 (JSC::JITCode::isHigherTier):
24948 (JSC::JITCode::isLowerOrSameTier):
24949 (JSC::JITCode::isHigherOrSameTier):
24950 (JSC::JITCode::isOptimizingJIT):
24951 * jit/JITDriver.h:
24952 (JSC::jitCompileIfAppropriate):
24953 (JSC::jitCompileFunctionIfAppropriate):
24954 * jit/JITStubs.cpp:
24955 (JSC::DEFINE_STUB_FUNCTION):
24956 * runtime/Executable.cpp:
24957 (JSC::EvalExecutable::compileOptimized):
24958 (JSC::samplingDescription):
24959 (JSC::ProgramExecutable::compileOptimized):
24960 (JSC::FunctionExecutable::compileOptimizedForCall):
24961 (JSC::FunctionExecutable::compileOptimizedForConstruct):
24962
24963 2013-04-03 Filip Pizlo <fpizlo@apple.com>
24964
24965 fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified
24966 https://bugs.webkit.org/show_bug.cgi?id=113894
24967
24968 Reviewed by Mark Hahnenberg.
24969
24970 1) We previously had two different ways of convertingToForward, one path for
24971 where we had a ValueRecovery for the current node and one where we didn't.
24972 But the paths were doing exactly the same thing except that if you have a
24973 ValueRecovery, you also find the last applicable mov hint and do some
24974 extra things. This patch combines the two paths and bases both of them on
24975 the previous no-ValueRecovery path, which was simpler to begin with.
24976
24977 2) This moves the logic into DFG::OSRExit, which further simplifies the code
24978 and makes the logic available to the FTL.
24979
24980 * dfg/DFGOSRExit.cpp:
24981 (JSC::DFG::OSRExit::convertToForward):
24982 (DFG):
24983 * dfg/DFGOSRExit.h:
24984 (DFG):
24985 (OSRExit):
24986 * dfg/DFGSpeculativeJIT.cpp:
24987 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
24988
24989 2013-07-15 Oliver Hunt <oliver@apple.com>
24990
24991 Merge dfgFourthTier r147582
24992
24993 2013-07-15 Oliver Hunt <oliver@apple.com>
24994
24995 Merge dfgFourthTier r147014
24996
24997 2013-03-27 Filip Pizlo <fpizlo@apple.com>
24998
24999 fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated
25000 https://bugs.webkit.org/show_bug.cgi?id=113437
25001
25002 Reviewed by Mark Hahnenberg.
25003
25004 JITCode is now a virtual base class, which will allow different JITs to have radically
25005 different memory allocation and management conventions in the future. It will also
25006 make it easier to store JIT-specific meta-data in CodeBlock just by putting it into
25007 an appropriate JITCode subclass.
25008
25009 For now there is one subclass, DirectJITCode, which just behaves like JITCode used to
25010 behave.
25011
25012 * assembler/RepatchBuffer.h:
25013 (JSC::RepatchBuffer::RepatchBuffer):
25014 * bytecode/CodeBlock.cpp:
25015 (JSC::CodeBlock::resetStubInternal):
25016 (JSC::CodeBlock::bytecodeOffset):
25017 (JSC::CodeBlock::codeOriginForReturn):
25018 * bytecode/CodeBlock.h:
25019 (JSC::CodeBlock::setJITCode):
25020 (JSC::CodeBlock::getJITCode):
25021 (JSC::CodeBlock::getJITType):
25022 (CodeBlock):
25023 * dfg/DFGDriver.cpp:
25024 (JSC::DFG::compile):
25025 (JSC::DFG::tryCompile):
25026 (JSC::DFG::tryCompileFunction):
25027 * dfg/DFGDriver.h:
25028 (DFG):
25029 (JSC::DFG::tryCompile):
25030 (JSC::DFG::tryCompileFunction):
25031 * dfg/DFGJITCompiler.cpp:
25032 (JSC::DFG::JITCompiler::compile):
25033 (JSC::DFG::JITCompiler::compileFunction):
25034 * dfg/DFGJITCompiler.h:
25035 (JITCompiler):
25036 * dfg/DFGOSREntry.cpp:
25037 (JSC::DFG::prepareOSREntry):
25038 * dfg/DFGOSRExit.cpp:
25039 (JSC::DFG::OSRExit::codeLocationForRepatch):
25040 * dfg/DFGOSRExitCompiler32_64.cpp:
25041 (JSC::DFG::OSRExitCompiler::compileExit):
25042 * dfg/DFGOSRExitCompiler64.cpp:
25043 (JSC::DFG::OSRExitCompiler::compileExit):
25044 * dfg/DFGOperations.cpp:
25045 * interpreter/Interpreter.cpp:
25046 (JSC::Interpreter::execute):
25047 (JSC::Interpreter::executeCall):
25048 (JSC::Interpreter::executeConstruct):
25049 * jit/JIT.cpp:
25050 (JSC::JIT::privateCompile):
25051 * jit/JIT.h:
25052 (JSC::JIT::compile):
25053 (JIT):
25054 * jit/JITCode.cpp:
25055 (JSC):
25056 (JSC::JITCode::JITCode):
25057 (JSC::JITCode::~JITCode):
25058 (JSC::JITCode::execute):
25059 (JSC::JITCode::hostFunction):
25060 (JSC::DirectJITCode::DirectJITCode):
25061 (JSC::DirectJITCode::~DirectJITCode):
25062 (JSC::DirectJITCode::addressForCall):
25063 (JSC::DirectJITCode::executableAddressAtOffset):
25064 (JSC::DirectJITCode::dataAddressAtOffset):
25065 (JSC::DirectJITCode::offsetOf):
25066 (JSC::DirectJITCode::size):
25067 (JSC::DirectJITCode::contains):
25068 * jit/JITCode.h:
25069 (JSC):
25070 (JITCode):
25071 (JSC::JITCode::bottomTierJIT):
25072 (JSC::JITCode::topTierJIT):
25073 (JSC::JITCode::nextTierJIT):
25074 (JSC::JITCode::isOptimizingJIT):
25075 (JSC::JITCode::isBaselineCode):
25076 (JSC::JITCode::jitType):
25077 (JSC::JITCode::jitTypeFor):
25078 (JSC::JITCode::executableAddress):
25079 (JSC::JITCode::start):
25080 (JSC::JITCode::end):
25081 (DirectJITCode):
25082 * jit/JITDriver.h:
25083 (JSC::jitCompileIfAppropriate):
25084 (JSC::jitCompileFunctionIfAppropriate):
25085 * jit/JITStubs.cpp:
25086 (JSC::lazyLinkFor):
25087 (JSC::DEFINE_STUB_FUNCTION):
25088 * jit/ThunkGenerators.cpp:
25089 (JSC::virtualForGenerator):
25090 * llint/LLIntEntrypoints.cpp:
25091 (JSC::LLInt::getFunctionEntrypoint):
25092 (JSC::LLInt::getEvalEntrypoint):
25093 (JSC::LLInt::getProgramEntrypoint):
25094 * llint/LLIntEntrypoints.h:
25095 (JSC):
25096 (LLInt):
25097 (JSC::LLInt::getEntrypoint):
25098 * llint/LLIntSlowPaths.cpp:
25099 (JSC::LLInt::jitCompileAndSetHeuristics):
25100 (JSC::LLInt::entryOSR):
25101 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25102 * runtime/Executable.cpp:
25103 (JSC::EvalExecutable::compileInternal):
25104 (JSC::ProgramExecutable::compileInternal):
25105 (JSC::FunctionExecutable::compileForCallInternal):
25106 (JSC::FunctionExecutable::compileForConstructInternal):
25107 * runtime/Executable.h:
25108 (JSC::ExecutableBase::generatedJITCodeForCall):
25109 (JSC::ExecutableBase::generatedJITCodeForConstruct):
25110 (JSC::ExecutableBase::generatedJITCodeFor):
25111 (ExecutableBase):
25112 (JSC::ExecutableBase::hostCodeEntryFor):
25113 (JSC::ExecutableBase::jsCodeEntryFor):
25114 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
25115 (JSC::NativeExecutable::create):
25116 (JSC::NativeExecutable::finishCreation):
25117 (JSC::EvalExecutable::generatedJITCode):
25118 (JSC::ProgramExecutable::generatedJITCode):
25119 * runtime/ExecutionHarness.h:
25120 (JSC::prepareForExecution):
25121 (JSC::prepareFunctionForExecution):
25122
25123 2013-07-24 Filip Pizlo <fpizlo@apple.com>
25124
25125 It should be possible to hijack IndexingHeader for things other than lengths
25126 https://bugs.webkit.org/show_bug.cgi?id=119065
25127
25128 Reviewed by Mark Hahnenberg.
25129
25130 Made the body of IndexingHeader be a union.
25131
25132 Modified the offlineasm so that you can say IndexingHeader::u.lengths.publicLength.
25133 Previously those dots would cause parse errors. Now an identifier in offlineasm can
25134 have a dot anywhere except the first character.
25135
25136 * llint/LowLevelInterpreter32_64.asm:
25137 * llint/LowLevelInterpreter64.asm:
25138 * offlineasm/parser.rb:
25139 * runtime/IndexingHeader.h:
25140 (JSC::IndexingHeader::offsetOfPublicLength):
25141 (JSC::IndexingHeader::offsetOfVectorLength):
25142 (JSC::IndexingHeader::IndexingHeader):
25143 (JSC::IndexingHeader::vectorLength):
25144 (JSC::IndexingHeader::setVectorLength):
25145 (JSC::IndexingHeader::publicLength):
25146 (JSC::IndexingHeader::setPublicLength):
25147
25148 2013-07-24 Mark Hahnenberg <mhahnenberg@apple.com>
25149
25150 JIT::updateTopCallFrame doesn't update the CallFrame's bytecodeOffset if bytecodeOffset == 0
25151 https://bugs.webkit.org/show_bug.cgi?id=118923
25152
25153 Reviewed by Filip Pizlo.
25154
25155 This bug causes the CallFrame's bytecodeOffset to not be properly set when we
25156 enter, e.g., cti_optimize from an op_enter.
25157
25158 * jit/JITInlines.h:
25159 (JSC::JIT::updateTopCallFrame):
25160
25161 2013-07-23 Filip Pizlo <fpizlo@apple.com>
25162
25163 DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs
25164 https://bugs.webkit.org/show_bug.cgi?id=119032
25165
25166 Reviewed by Oliver Hunt.
25167
25168 It just needs some Phantom action.
25169
25170 * dfg/DFGFixupPhase.cpp:
25171 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
25172
25173 2013-07-10 Mark Lam <mark.lam@apple.com>
25174
25175 Need ExpressionRangeInfo before ResolveForPuts in strict mode.
25176 https://bugs.webkit.org/show_bug.cgi?id=118997.
25177
25178 Reviewed by Oliver Hunt.
25179
25180 If we add an assertion in UnlinkedCodeBlock::expressionRangeForBytecodeOffset()
25181 to ensure that we are able to find an ExpressionRangeInfo for any given bytecode
25182 offset, the following tests will fail:
25183 fast/js/basic-strict-mode.html
25184 fast/js/mozilla/strict/8.7.2.html
25185 With this fix, those tests will no longer fail.
25186
25187 * bytecompiler/NodesCodegen.cpp:
25188 (JSC::AssignResolveNode::emitBytecode):
25189 (JSC::ForInNode::emitBytecode):
25190 - Emit expression info before calls to emitResolveBaseForPut() when in strict mode.
25191
25192 2013-07-23 Mark Lam <mark.lam@apple.com>
25193
25194 Added ExpressionRangeInfo for BinaryOpNodes that can throw exceptions
25195 due to type coercion.
25196 https://bugs.webkit.org/show_bug.cgi?id=116853.
25197
25198 Reviewed by Geoffrey Garen.
25199
25200 * bytecompiler/NodesCodegen.cpp:
25201 (JSC::BinaryOpNode::emitBytecode):
25202 - Added expression info for the strcat and the general binary op cases.
25203 I did not add expression info for the "compare with null" case because
25204 that comparison cannot trigger type coercion, and hence it won't throw
25205 any exceptions and doesn't need the expression info.
25206
25207 2013-07-23 Mark Lam <mark.lam@apple.com>
25208
25209 Removed unused sourceOffset from JSTokenLocation.
25210 https://bugs.webkit.org/show_bug.cgi?id=118996.
25211
25212 Reviewed by Geoffrey Garen.
25213
25214 This also removes the assertion reported in the bug because it is now
25215 moot, thereby resolving the assertion failure issue on Windows.
25216
25217 * bytecompiler/NodesCodegen.cpp:
25218 (JSC::ArrayNode::toArgumentList):
25219 (JSC::ApplyFunctionCallDotNode::emitBytecode):
25220 * parser/Lexer.cpp:
25221 (JSC::::lex):
25222 * parser/Lexer.h:
25223 (JSC::::lexExpectIdentifier):
25224 * parser/Nodes.h:
25225 * parser/Parser.cpp:
25226 (JSC::::Parser):
25227 (JSC::::parseFunctionInfo):
25228 (JSC::::parseExpressionOrLabelStatement):
25229 (JSC::::parseMemberExpression):
25230 * parser/Parser.h:
25231 (JSC::::parse):
25232 * parser/ParserTokens.h:
25233 (JSC::JSTokenLocation::JSTokenLocation):
25234
25235 2013-07-22 Alex Christensen <achristensen@apple.com>
25236
25237 Added assembly files to Windows 64-bit builds.
25238 https://bugs.webkit.org/show_bug.cgi?id=118931
25239
25240 Reviewed by Brent Fulgham.
25241
25242 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm for x64 and enabled MASM.
25243 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added JITStubsMSVC64.asm.
25244
25245 2013-07-20 Brent Fulgham <bfulgham@apple.com>
25246
25247 [Windows] Remove unneeded custom stdint.h now that we build on VS2010.
25248 https://bugs.webkit.org/show_bug.cgi?id=118868.
25249
25250 Reviewed by Anders Carlsson.
25251
25252 * os-win32/stdint.h: Removed.
25253 * GNUmakefile.list.am: Removed reference to os-win32/stdint.h
25254
25255 2013-07-19 Alex Christensen <achristensen@apple.com>
25256
25257 Added x64 configuration to Visual Studio build.
25258 https://bugs.webkit.org/show_bug.cgi?id=118888
25259
25260 Reviewed by Brent Fulgham.
25261
25262 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
25263 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
25264 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
25265 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
25266 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
25267 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
25268 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
25269 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
25270
25271 2013-07-18 Andreas Kling <akling@apple.com>
25272
25273 CodeBlock DFG entry list isn't getting shrunk-to-fit after linking.
25274 <http://webkit.org/b/118875>
25275 <rdar://problem/14488577>
25276
25277 Reviewed by Geoffrey Garen.
25278
25279 Move the CodeBlock::shrinkToFit() call out of JITCompiler::link() and to the call sites
25280 so SpeculativeJIT::linkOSREntries() can fill in CodeBlock::m_dfgData->osrEntry first.
25281
25282 886 kB progression on <http://twitter.com/awesomekling>
25283
25284 * dfg/DFGJITCompiler.cpp:
25285 (JSC::DFG::JITCompiler::link):
25286 (JSC::DFG::JITCompiler::compile):
25287 (JSC::DFG::JITCompiler::compileFunction):
25288
25289 2013-07-18 Chris Curtis <chris_curtis@apple.com>
25290
25291 Fixed ASSERTION FAILED: callFrame == globalData->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary
25292 https://bugs.webkit.org/show_bug.cgi?id=118498
25293
25294 Reviewed by Geoffrey Garen.
25295
25296 * jit/JITStubs.cpp:
25297 (throwExceptionFromOpCall):
25298 Created new throwExceptionFromOpCall that takes in a functor that contains
25299 a function pointer (to create the errorObject) instead of a JSValue. Inside
25300 of throwExceptionFromOpCall the topCallFrame is being rolled back in order
25301 to handle the error throw. By passing the function pointer in, we can defer
25302 the creation of the error object until after topCallFrame has been rolled
25303 back. This allows the error object to be created with the appropriate top
25304 frame.
25305
25306 DEFINE_STUB_FUNCTION(void*, stack_check):
25307 DEFINE_STUB_FUNCTION(void*, op_call_arityCheck):
25308 DEFINE_STUB_FUNCTION(void*, op_construct_arityCheck):
25309 DEFINE_STUB_FUNCTION(EncodedJSValue, op_call_NotJSFunction):
25310 DEFINE_STUB_FUNCTION(EncodedJSValue, op_construct_NotJSConstruct):
25311
25312 (JSC::ErrorFunctor::~ErrorFunctor):
25313 (JSC::ErrorWithExecFunctor::ErrorWithExecFunctor):
25314 (JSC::ErrorWithExecFunctor::operator()):
25315 (JSC::ErrorWithExecAndCalleeFunctor::ErrorWithExecAndCalleeFunctor):
25316 (JSC::ErrorWithExecAndCalleeFunctor::operator()):
25317 (JSC::ErrorWithExceptionFunctor::ErrorWithExceptionFunctor):
25318 (JSC::ErrorWithExceptionFunctor::operator()):
25319 (JSC::throwExceptionFromOpCall):
25320
25321 In order to eliminate the need to duplicate code, an error functor was
25322 created for the 3 different throwExceptionFromOpCall handles.
25323 1. The exception needs to be created, and the function pointer takes 1
25324 parameter (callFrame->callerFrame()).
25325 2. The exception needs to be created, and the function pointer takes 2
25326 parameters (callFrame->callerFrame(), callFrame.calleeAsValue()).
25327 3. The exception is already created. In this case, at the time when
25328 the error functor is called, globalData.exception is returned.
25329
25330 * llint/LLIntSlowPaths.cpp:
25331 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25332 * runtime/ExceptionHelpers.cpp:
25333 (JSC::errorDescriptionForValue):
25334 (JSC::createError):
25335 (JSC::createInvalidParameterError):
25336 (JSC::createNotAConstructorError):
25337 (JSC::createNotAFunctionError):
25338 (JSC::createNotAnObjectError):
25339 * runtime/ExceptionHelpers.h:
25340
25341 The function toString() was being used to stringify an object for an exception
25342 message. If the user wrote a toString() for that object, then the system would
25343 continue to evaluate that code. A new helper function was created to prevent
25344 the system from continuing execution and from creating the exception from that execution.
25345
25346 2013-07-18 Filip Pizlo <fpizlo@apple.com>
25347
25348 LLInt get_argument_by_val for JSVALUE64 stores into the array profile when it meant to store into the value profile
25349 https://bugs.webkit.org/show_bug.cgi?id=118865
25350
25351 Reviewed by Mark Hahnenberg.
25352
25353 * llint/LowLevelInterpreter64.asm:
25354
25355 2013-07-18 Andreas Kling <akling@apple.com>
25356
25357 CodeBlock::m_argumentValueProfiles wastes a lot of memory.
25358 <http://webkit.org/b/118852>
25359 <rdar://problem/14481659>
25360
25361 Reviewed by Anders Carlsson.
25362
25363 Use Vector::resizeToFit() for CodeBlock::m_argumentValueProfiles. We don't need any padding
25364 for growth, since we won't be appending to it anyway.
25365
25366 921 KB progression on <http://twitter.com/awesomekling>
25367
25368 * bytecode/CodeBlock.cpp:
25369 (JSC::CodeBlock::setNumParameters):
25370
25371 2013-07-17 Filip Pizlo <fpizlo@apple.com>
25372
25373 Unreviewed, fix 32-bit after http://trac.webkit.org/changeset/152813
25374
25375 * dfg/DFGSpeculativeJIT.cpp:
25376 (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
25377 * dfg/DFGSpeculativeJIT32_64.cpp:
25378 (JSC::DFG::SpeculativeJIT::compile):
25379
25380 2013-07-17 Geoffrey Garen <ggaren@apple.com>
25381
25382 API tests should test for JSStringCreateWithCFString with empty string
25383 https://bugs.webkit.org/show_bug.cgi?id=118819
25384
25385 Reviewed by Mark Hahnenberg.
25386
25387 * API/tests/testapi.c:
25388 (main): Test!
25389
25390 2013-07-17 Filip Pizlo <fpizlo@apple.com>
25391
25392 DFG assumes that NewFunction will never pass its input through
25393 https://bugs.webkit.org/show_bug.cgi?id=118798
25394
25395 Reviewed by Sam Weinig.
25396
25397 Previously the DFG was assuming that NewFunction always returns a function. That's not
25398 the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty.
25399
25400 This fact needed to be wired through the compiler.
25401
25402 * dfg/DFGAbstractState.cpp:
25403 (JSC::DFG::AbstractState::executeEffects):
25404 * dfg/DFGAbstractValue.h:
25405 (JSC::DFG::AbstractValue::makeTop):
25406 * dfg/DFGGraph.cpp:
25407 (JSC::DFG::Graph::dump):
25408 * dfg/DFGOperations.cpp:
25409 * dfg/DFGOperations.h:
25410 * dfg/DFGPredictionPropagationPhase.cpp:
25411 (JSC::DFG::PredictionPropagationPhase::propagate):
25412 * dfg/DFGSpeculativeJIT.h:
25413 (JSC::DFG::SpeculativeJIT::callOperation):
25414 * dfg/DFGSpeculativeJIT32_64.cpp:
25415 (JSC::DFG::SpeculativeJIT::compile):
25416 * dfg/DFGSpeculativeJIT64.cpp:
25417 (JSC::DFG::SpeculativeJIT::compile):
25418
25419 2013-07-17 Geoffrey Garen <ggaren@apple.com>
25420
25421 JSStringCreateWithCFString should not convert the empty string into the NULL string
25422 https://bugs.webkit.org/show_bug.cgi?id=118816
25423
25424 Reviewed by Sam Weinig.
25425
25426 * API/JSStringRef.cpp:
25427 (JSStringCreateWithUTF8CString): Removed an extraneous comment, which
25428 a previous version of the patch made incorrect.
25429
25430 * API/JSStringRefCF.cpp:
25431 (JSStringCreateWithCFString): Don't convert the empty string into the
25432 null string.
25433
25434 2013-07-17 Chris Curtis <chris_curtis@apple.com>
25435
25436 Naming convention on createInvalidParamError is incorrect.
25437 https://bugs.webkit.org/show_bug.cgi?id=118756
25438
25439 Reviewed by Geoffrey Garen.
25440
25441 Changed the naming of createInvalidParamError to createInvalidParameterError.
25442 This corrects the naming convention for the function listed in the WebKit code styling.
25443
25444 * interpreter/Interpreter.cpp:
25445 (JSC::loadVarargs):
25446 * jit/JITStubs.cpp:
25447 (JSC::DEFINE_STUB_FUNCTION):
25448 * llint/LLIntSlowPaths.cpp:
25449 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25450 * runtime/CommonSlowPaths.h:
25451 (JSC::CommonSlowPaths::opIn):
25452 * runtime/ExceptionHelpers.cpp:
25453 (JSC::createInvalidParameterError):
25454 * runtime/ExceptionHelpers.h:
25455 * runtime/JSObject.cpp:
25456 (JSC::JSObject::hasInstance):
25457
25458 2013-07-16 David Farler <dfarler@apple.com>
25459
25460 Typo in DFGInsertionSet.h header guard: "DFGInsectionSet_h" -> "DFGInsertionSet_h"
25461 https://bugs.webkit.org/show_bug.cgi?id=118753
25462
25463 Reviewed by Geoffrey Garen.
25464
25465 * dfg/DFGInsertionSet.h:
25466 "DFGInsectionSet_h" -> "DFGInsertionSet_h"
25467
25468 2013-07-16 Filip Pizlo <fpizlo@apple.com>
25469
25470 MakeRope fixup shouldn't lead to an Identity without kids
25471 https://bugs.webkit.org/show_bug.cgi?id=118745
25472
25473 Reviewed by Mark Hahnenberg.
25474
25475 Make the empty string pruning part of fixupMakeRope() stop if it's on the last child.
25476
25477 Make Node::convertToIdentity release-assert that it has exactly one kid.
25478
25479 * dfg/DFGFixupPhase.cpp:
25480 (JSC::DFG::FixupPhase::fixupMakeRope):
25481 * dfg/DFGNode.h:
25482 (JSC::DFG::Node::convertToIdentity):
25483
25484 2013-07-16 Mark Hahnenberg <mhahnenberg@apple.com>
25485
25486 Remove reference to JSValueStructSupport.h from JSExport.h
25487 https://bugs.webkit.org/show_bug.cgi?id=118746
25488
25489 Reviewed by Filip Pizlo.
25490
25491 * API/JSExport.h: No such header exists, so it doesn't make sense to reference it.
25492
25493 2013-07-13 Commit Queue <commit-queue@webkit.org>
25494
25495 Unreviewed, rolling out r151978.
25496 http://trac.webkit.org/changeset/151978
25497 https://bugs.webkit.org/show_bug.cgi?id=118651
25498
25499 Caused regressions on at least 3 websites (Requested by rniwa on
25500 #webkit).
25501
25502 * runtime/JSCJSValue.h:
25503 * runtime/JSString.h:
25504
25505 2013-07-12 Chris Curtis <chris_curtis@apple.com>
25506
25507 Optimize addStackTraceIfNecessary to be faster in the case when it's not necessary
25508 https://bugs.webkit.org/show_bug.cgi?id=118328
25509
25510 Reviewed by Geoffrey Garen.
25511
25512 Retrieving the stack is costly. We want to get it only once. By moving the check
25513 for the .stack property above the code to retrieve the stack, we ensure this.
25514
25515 * interpreter/Interpreter.cpp:
25516 (JSC::Interpreter::addStackTraceIfNecessary):
25517
25518 2013-07-12 Brent Fulgham <bfulgham@apple.com>
25519
25520 [Windows] Build correction after r152573/r152577.
25521 https://bugs.webkit.org/show_bug.cgi?id=118610
25522
25523 Reviewed by Oliver Hunt.
25524
25525 * jit/JITThunks.cpp:
25526 (JSC::JITThunks::hostFunctionStub): Hand-feed MSVC++ the fact that we want the second
25527 argument of the make_pair to be a function pointer.
25528
25529 2013-07-11 Oliver Hunt <oliver@apple.com>
25530
25531 Attempt to fix the windows build.
25532
25533 * jit/JITThunks.cpp:
25534 (JSC::JITThunks::hostFunctionStub):
25535 * jit/JITThunks.h:
25536
25537 2013-07-10 Oliver Hunt <oliver@apple.com>
25538
25539 NativeExecutable cache needs to use both call and construct functions for key
25540 https://bugs.webkit.org/show_bug.cgi?id=118545
25541
25542 Reviewed by Geoffrey Garen.
25543
25544 Make the native executable cache make use of a key pair so we don't decide to
25545 treat all subsequent functions as not being constructors.
25546
25547 * jit/JITThunks.cpp:
25548 (JSC::JITThunks::hostFunctionStub):
25549 * jit/JITThunks.h:
25550 * runtime/JSBoundFunction.cpp:
25551 (JSC::JSBoundFunction::create):
25552 * runtime/JSCell.cpp:
25553 (JSC::JSCell::getCallData):
25554 (JSC::JSCell::getConstructData):
25555
25556 2013-07-09 Mark Lam <mark.lam@apple.com>
25557
25558 Gardening to unbreak builds on the Windows bot.
25559
25560 Not reviewed.
25561
25562 * parser/ParserTokens.h:
25563
25564 2013-07-09 Mark Lam <mark.lam@apple.com>
25565
25566 Fix 30% JSBench regression (caused by adding column numbers to stack traces).
25567 https://bugs.webkit.org/show_bug.cgi?id=118481.
25568
25569 Reviewed by Mark Hahnenberg and Geoffrey Garen.
25570
25571 Previously, we already capture ExpressionRangeInfo that provides a divot for
25572 each bytecode that can potentially throw an exception (and therefore generate
25573 a stack trace). On first attempt to compute column numbers, we then do a walk
25574 of the source string to record all line start positions in a table associated
25575 with the SourceProvider. The column number can then be computed as
25576 divot - lineStartFor(bytecodeOffset).
25577
25578 The computation of this lineStarts table is the source of the 30% JSBench
25579 performance regression.
25580
25581 The new code now records lineStarts as the lexer and parser scans the source
25582 code. These lineStarts are then used to compute the column number for the
25583 given divot, and stored in the ExpressionRangeInfo. Similarly, we also capture
25584 the line number at the divot point and store that in the ExpressionRangeInfo.
25585 Hence, to look up line and column numbers, we now lookup the ExpressionRangeInfo
25586 for the bytecodeOffset, and then compute the line and column from the values
25587 stored in the expression info.
25588
25589 The strategy:
25590 1. We want to minimize perturbations to the lexer and parser. Specifically,
25591 the changes added should not change how it scans code, and generate bytecode.
25592 2. We regard the divot as the source character position we are interested
25593 in. As such, we'll capture line and lineStart (for column) at the point
25594 when we capture the divot information. This ensures that the 3 values are
25595 consistent.
25596
25597 How the change is done:
25598 1. Change the lexer to track lineStarts.
25599 2. Change the parser to capture line and lineStarts at the point of capturing
25600 divots.
25601 3. Change the parser and associated code to plumb these values all the way to
25602 the point that the corresponding ExpressionRangeInfo is emitted.
25603 4. Propagate and record SourceCode firstLine and firstLineColumnOffset to the
25604 necessary places so that we can add them as needed when reifying
25605 UnlinkedCodeBlocks into CodeBlocks.
25606 5. Compress the line and column number values in the ExpressionRangeInfo. In
25607 practice, we seldom have both large line and column numbers. Hence, we can
25608 encode both in an uint32_t most of the time. For the times when we encounter
25609 both large line and column numbers, we have a fallback to store the "fat"
25610 position info.
25611 6. Emit an ExpressionRangeInfo for UnaryOp nodes to get more line and column
25612 number coverage.
25613 7. Change the interpreter to use the new way of computing line and column.
25614 8. Delete old line and column computation code that is now unused.
25615
25616 Misc details:
25617 - the old lexer was tracking both a startOffset and charPosition where
25618 charPosition equals startOffset - SourceCode.startOffset. We now use
25619 startOffset exclusively throughout the system for consistency.
25620 All offset values (including lineStart) are relative to the start of the
25621 SourceProvider string. These values will only be converted to be relative
25622 to the SourceCode.startOffset at the very last minute i.e. when the divot
25623 is stored into the ExpressionRangeInfo.
25624
25625 This change to use the same offset system everywhere reduces confusion
25626 from having to convert back and forth between the 2 systems. It also
25627 enables a lot of assertions to be used.
25628
25629 - Also fixed some bugs in the choice of divot positions to use. For example,
25630 both Eval and Function expressions previously used column numbers from
25631 the start of the expression but used the line number at the end of the
25632 expression. This is now fixed to use either the start or end positions
25633 as appropriate, but not a mix of line and columns from both.
25634
25635 - Why use ints instead of unsigneds for offsets and lineStarts inside the
25636 lexer and parser?
25637 Some tests (e.g. fast/js/call-base-resolution.html and
25638 fast/js/eval-cross-window.html) have shown that lineStart offsets can be
25639 prior to the SourceCode.startOffset. Keeping the lexer offsets as ints
25640 simplifies computations and makes it easier to maintain the assertions
25641 that (startOffset >= lineStartOffset).
25642
25643 However, column and line numbers are always unsigned when we publish
25644 them to the ExpressionRangeInfo. The ints are only used inside the
25645 lexer and parser ... well, and bytecode generator.
25646
25647 - For all cases, lineStart is always captured where the divot is captured.
25648 However, some sputnik conformance tests have shown that we cannot honor
25649 line breaks for assignment statements like the following:
25650
25651 eval("x\u000A*=\u000A-1;");
25652
25653 In this case, the lineStart is expected to be captured at the start of
25654 the assignment expression instead of at the divot point in the middle.
25655 The assignment expression is the only special case for this.
25656
25657 This patch has been tested against the full layout tests both with release
25658 and debug builds with no regression.
25659
25660 * API/JSContextRef.cpp:
25661 (JSContextCreateBacktrace):
25662 - Updated to use the new StackFrame::computeLineAndColumn().
25663 * bytecode/CodeBlock.cpp:
25664 (JSC::CodeBlock::CodeBlock):
25665 - Added m_firstLineColumnOffset initialization.
25666 - Plumbed the firstLineColumnOffset into the SourceCode.
25667 - Initialized column for op_debug using the new way.
25668 (JSC::CodeBlock::lineNumberForBytecodeOffset):
25669 - Changed to compute line number using the ExpressionRangeInfo.
25670 (JSC::CodeBlock::columnNumberForBytecodeOffset): Added
25671 - Changed to compute column number using the ExpressionRangeInfo.
25672 (JSC::CodeBlock::expressionRangeForBytecodeOffset):
25673 * bytecode/CodeBlock.h:
25674 (JSC::CodeBlock::firstLineColumnOffset):
25675 (JSC::GlobalCodeBlock::GlobalCodeBlock):
25676 - Plumbed firstLineColumnOffset through to the super class.
25677 (JSC::ProgramCodeBlock::ProgramCodeBlock):
25678 - Plumbed firstLineColumnOffset through to the super class.
25679 (JSC::EvalCodeBlock::EvalCodeBlock):
25680 - Plumbed firstLineColumnOffset through to the super class.
25681 But for EvalCodeBlocks, the firstLineColumnOffset is always 1
25682 because we're starting with a new source string with no start
25683 offset.
25684 (JSC::FunctionCodeBlock::FunctionCodeBlock):
25685 - Plumbed firstLineColumnOffset through to the super class.
25686
25687 * bytecode/ExpressionRangeInfo.h:
25688 - Added modes for encoding line and column into a single 30-bit
25689 unsigned. The encoding is in 1 of 3 modes:
25690 1. FatLineMode: 22-bit line, 8-bit column
25691 2. FatColumnMode: 8-bit line, 22-bit column
25692 3. FatLineAndColumnMode: 32-bit line, 32-bit column
25693 (JSC::ExpressionRangeInfo::encodeFatLineMode): Added.
25694 - Encodes line and column into the 30-bit position using FatLine mode.
25695 (JSC::ExpressionRangeInfo::encodeFatColumnMode): Added.
25696 - Encodes line and column into the 30-bit position using FatColumn mode.
25697 (JSC::ExpressionRangeInfo::decodeFatLineMode): Added.
25698 - Decodes the FatLine mode 30-bit position into line and column.
25699 (JSC::ExpressionRangeInfo::decodeFatColumnMode): Added.
25700 - Decodes the FatColumn mode 30-bit position into line and column.
25701
25702 * bytecode/UnlinkedCodeBlock.cpp:
25703 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
25704 - Plumbed startColumn through.
25705 (JSC::UnlinkedFunctionExecutable::link):
25706 - Plumbed startColumn through.
25707 (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
25708 - Computes a line number using the new way.
25709 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
25710 - Added decoding of line and column.
25711 - Added handling of the case when we do not find a fitting expression
25712 range info for a specified bytecodeOffset. This only happens if the
25713 bytecodeOffset is below the first expression range info. In that
25714 case, we'll use the first expression range info entry.
25715 (JSC::UnlinkedCodeBlock::addExpressionInfo):
25716 - Added encoding of line and column.
25717
25718 * bytecode/UnlinkedCodeBlock.h:
25719 - Added m_expressionInfoFatPositions in RareData.
25720 (JSC::UnlinkedFunctionExecutable::functionStartColumn):
25721 (JSC::UnlinkedCodeBlock::shrinkToFit):
25722 - Removed obsoleted m_lineInfo.
25723 * bytecompiler/BytecodeGenerator.cpp:
25724 (JSC::BytecodeGenerator::emitCall): Plumbed line and lineStart through.
25725 (JSC::BytecodeGenerator::emitCallEval): Plumbed line and lineStart through.
25726 (JSC::BytecodeGenerator::emitCallVarargs): Plumbed line and lineStart through.
25727 (JSC::BytecodeGenerator::emitConstruct): Plumbed line and lineStart through.
25728 (JSC::BytecodeGenerator::emitDebugHook): Plumbed lineStart through.
25729 * bytecompiler/BytecodeGenerator.h:
25730 (JSC::BytecodeGenerator::emitNode):
25731 (JSC::BytecodeGenerator::emitNodeInConditionContext):
25732 - Removed obsoleted m_lineInfo.
25733 (JSC::BytecodeGenerator::emitExpressionInfo):
25734 - Plumbed line and lineStart through.
25735 - Compute the line and column to be added to the expression range info.
25736 * bytecompiler/NodesCodegen.cpp:
25737 (JSC::ThrowableExpressionData::emitThrowReferenceError):
25738 (JSC::ResolveNode::emitBytecode):
25739 (JSC::ArrayNode::toArgumentList):
25740 (JSC::BracketAccessorNode::emitBytecode):
25741 (JSC::DotAccessorNode::emitBytecode):
25742 (JSC::NewExprNode::emitBytecode):
25743 (JSC::EvalFunctionCallNode::emitBytecode):
25744 (JSC::FunctionCallValueNode::emitBytecode):
25745 (JSC::FunctionCallResolveNode::emitBytecode):
25746 (JSC::FunctionCallBracketNode::emitBytecode):
25747 (JSC::FunctionCallDotNode::emitBytecode):
25748 (JSC::CallFunctionCallDotNode::emitBytecode):
25749 (JSC::ApplyFunctionCallDotNode::emitBytecode):
25750 (JSC::PostfixNode::emitResolve):
25751 (JSC::PostfixNode::emitBracket):
25752 (JSC::PostfixNode::emitDot):
25753 (JSC::DeleteResolveNode::emitBytecode):
25754 (JSC::DeleteBracketNode::emitBytecode):
25755 (JSC::DeleteDotNode::emitBytecode):
25756 (JSC::PrefixNode::emitResolve):
25757 (JSC::PrefixNode::emitBracket):
25758 (JSC::PrefixNode::emitDot):
25759 - Plumbed line and lineStart through the above as needed.
25760
25761 (JSC::UnaryOpNode::emitBytecode):
25762 - Added emission of an ExpressionRangeInfo for the UnaryOp node.
25763
25764 (JSC::BinaryOpNode::emitStrcat):
25765 (JSC::ThrowableBinaryOpNode::emitBytecode):
25766 (JSC::InstanceOfNode::emitBytecode):
25767 (JSC::emitReadModifyAssignment):
25768 (JSC::ReadModifyResolveNode::emitBytecode):
25769 (JSC::AssignResolveNode::emitBytecode):
25770 (JSC::AssignDotNode::emitBytecode):
25771 (JSC::ReadModifyDotNode::emitBytecode):
25772 (JSC::AssignBracketNode::emitBytecode):
25773 (JSC::ReadModifyBracketNode::emitBytecode):
25774 - Plumbed line and lineStart through the above as needed.
25775
25776 (JSC::ConstStatementNode::emitBytecode):
25777 (JSC::EmptyStatementNode::emitBytecode):
25778 (JSC::DebuggerStatementNode::emitBytecode):
25779 (JSC::ExprStatementNode::emitBytecode):
25780 (JSC::VarStatementNode::emitBytecode):
25781 (JSC::IfElseNode::emitBytecode):
25782 (JSC::DoWhileNode::emitBytecode):
25783 (JSC::WhileNode::emitBytecode):
25784 (JSC::ForNode::emitBytecode):
25785 (JSC::ForInNode::emitBytecode):
25786 (JSC::ContinueNode::emitBytecode):
25787 (JSC::BreakNode::emitBytecode):
25788 (JSC::ReturnNode::emitBytecode):
25789 (JSC::WithNode::emitBytecode):
25790 (JSC::SwitchNode::emitBytecode):
25791 (JSC::LabelNode::emitBytecode):
25792 (JSC::ThrowNode::emitBytecode):
25793 (JSC::TryNode::emitBytecode):
25794 (JSC::ProgramNode::emitBytecode):
25795 (JSC::EvalNode::emitBytecode):
25796 (JSC::FunctionBodyNode::emitBytecode):
25797 - Plumbed line and lineStart through the above as needed.
25798
25799 * interpreter/Interpreter.cpp:
25800 (JSC::appendSourceToError):
25801 - Added line and column arguments for expressionRangeForBytecodeOffset().
25802 (JSC::StackFrame::computeLineAndColumn):
25803 - Replaces StackFrame::line() and StackFrame::column().
25804 (JSC::StackFrame::expressionInfo):
25805 - Added line and column arguments.
25806 (JSC::StackFrame::toString):
25807 - Changed to use the new StackFrame::computeLineAndColumn().
25808 (JSC::Interpreter::getStackTrace):
25809 - Added the needed firstLineColumnOffset arg for the StackFrame.
25810
25811 * interpreter/Interpreter.h:
25812 * parser/ASTBuilder.h:
25813 (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
25814 (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
25815 (JSC::ASTBuilder::createResolve):
25816 (JSC::ASTBuilder::createBracketAccess):
25817 (JSC::ASTBuilder::createDotAccess):
25818 (JSC::ASTBuilder::createRegExp):
25819 (JSC::ASTBuilder::createNewExpr):
25820 (JSC::ASTBuilder::createAssignResolve):
25821 (JSC::ASTBuilder::createFunctionExpr):
25822 (JSC::ASTBuilder::createFunctionBody):
25823 (JSC::ASTBuilder::createGetterOrSetterProperty):
25824 (JSC::ASTBuilder::createFuncDeclStatement):
25825 (JSC::ASTBuilder::createBlockStatement):
25826 (JSC::ASTBuilder::createExprStatement):
25827 (JSC::ASTBuilder::createIfStatement):
25828 (JSC::ASTBuilder::createForLoop):
25829 (JSC::ASTBuilder::createForInLoop):
25830 (JSC::ASTBuilder::createVarStatement):
25831 (JSC::ASTBuilder::createReturnStatement):
25832 (JSC::ASTBuilder::createBreakStatement):
25833 (JSC::ASTBuilder::createContinueStatement):
25834 (JSC::ASTBuilder::createTryStatement):
25835 (JSC::ASTBuilder::createSwitchStatement):
25836 (JSC::ASTBuilder::createWhileStatement):
25837 (JSC::ASTBuilder::createDoWhileStatement):
25838 (JSC::ASTBuilder::createLabelStatement):
25839 (JSC::ASTBuilder::createWithStatement):
25840 (JSC::ASTBuilder::createThrowStatement):
25841 (JSC::ASTBuilder::createDebugger):
25842 (JSC::ASTBuilder::createConstStatement):
25843 (JSC::ASTBuilder::appendBinaryExpressionInfo):
25844 (JSC::ASTBuilder::appendUnaryToken):
25845 (JSC::ASTBuilder::unaryTokenStackLastStart):
25846 (JSC::ASTBuilder::unaryTokenStackLastLineStartPosition): Added.
25847 (JSC::ASTBuilder::assignmentStackAppend):
25848 (JSC::ASTBuilder::createAssignment):
25849 (JSC::ASTBuilder::setExceptionLocation):
25850 (JSC::ASTBuilder::makeDeleteNode):
25851 (JSC::ASTBuilder::makeFunctionCallNode):
25852 (JSC::ASTBuilder::makeBinaryNode):
25853 (JSC::ASTBuilder::makeAssignNode):
25854 (JSC::ASTBuilder::makePrefixNode):
25855 (JSC::ASTBuilder::makePostfixNode):
25856 - Plumbed line, lineStart, and startColumn through the above as needed.
25857
25858 * parser/Lexer.cpp:
25859 (JSC::::currentSourcePtr):
25860 (JSC::::setCode):
25861 - Added tracking for sourceoffset and lineStart.
25862 (JSC::::internalShift):
25863 (JSC::::parseIdentifier):
25864 - Added tracking for lineStart.
25865 (JSC::::parseIdentifierSlowCase):
25866 (JSC::::parseString):
25867 - Added tracking for lineStart.
25868 (JSC::::parseStringSlowCase):
25869 (JSC::::lex):
25870 - Added tracking for sourceoffset.
25871 (JSC::::sourceCode):
25872 * parser/Lexer.h:
25873 (JSC::Lexer::currentOffset):
25874 (JSC::Lexer::currentLineStartOffset):
25875 (JSC::Lexer::setOffset):
25876 - Added tracking for lineStart.
25877 (JSC::Lexer::offsetFromSourcePtr): Added. Conversion function.
25878 (JSC::Lexer::sourcePtrFromOffset): Added. Conversion function.
25879 (JSC::Lexer::setOffsetFromSourcePtr):
25880 (JSC::::lexExpectIdentifier):
25881 - Added tracking for sourceoffset and lineStart.
25882
25883 * parser/NodeConstructors.h:
25884 (JSC::Node::Node):
25885 (JSC::ResolveNode::ResolveNode):
25886 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
25887 (JSC::FunctionCallValueNode::FunctionCallValueNode):
25888 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
25889 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
25890 (JSC::FunctionCallDotNode::FunctionCallDotNode):
25891 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
25892 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
25893 (JSC::PostfixNode::PostfixNode):
25894 (JSC::DeleteResolveNode::DeleteResolveNode):
25895 (JSC::DeleteBracketNode::DeleteBracketNode):
25896 (JSC::DeleteDotNode::DeleteDotNode):
25897 (JSC::PrefixNode::PrefixNode):
25898 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
25899 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
25900 (JSC::AssignBracketNode::AssignBracketNode):
25901 (JSC::AssignDotNode::AssignDotNode):
25902 (JSC::ReadModifyDotNode::ReadModifyDotNode):
25903 (JSC::AssignErrorNode::AssignErrorNode):
25904 (JSC::WithNode::WithNode):
25905 (JSC::ForInNode::ForInNode):
25906 - Plumbed line and lineStart through the above as needed.
25907 * parser/Nodes.cpp:
25908 (JSC::StatementNode::setLoc): Plumbed lineStart.
25909 (JSC::ScopeNode::ScopeNode): Plumbed lineStart.
25910 (JSC::ProgramNode::ProgramNode): Plumbed startColumn.
25911 (JSC::ProgramNode::create): Plumbed startColumn.
25912 (JSC::EvalNode::create):
25913 (JSC::FunctionBodyNode::FunctionBodyNode): Plumbed startColumn.
25914 (JSC::FunctionBodyNode::create): Plumbed startColumn.
25915 * parser/Nodes.h:
25916 (JSC::Node::startOffset):
25917 (JSC::Node::lineStartOffset): Added.
25918 (JSC::StatementNode::firstLine):
25919 (JSC::StatementNode::lastLine):
25920 (JSC::ThrowableExpressionData::ThrowableExpressionData):
25921 (JSC::ThrowableExpressionData::setExceptionSourceCode):
25922 (JSC::ThrowableExpressionData::divotStartOffset):
25923 (JSC::ThrowableExpressionData::divotEndOffset):
25924 (JSC::ThrowableExpressionData::divotLine):
25925 (JSC::ThrowableExpressionData::divotLineStart):
25926 (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
25927 (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
25928 (JSC::ThrowableSubExpressionData::subexpressionDivot):
25929 (JSC::ThrowableSubExpressionData::subexpressionStartOffset):
25930 (JSC::ThrowableSubExpressionData::subexpressionEndOffset):
25931 (JSC::ThrowableSubExpressionData::subexpressionLine):
25932 (JSC::ThrowableSubExpressionData::subexpressionLineStart):
25933 (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
25934 (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
25935 (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
25936 (JSC::ThrowablePrefixedSubExpressionData::subexpressionStartOffset):
25937 (JSC::ThrowablePrefixedSubExpressionData::subexpressionEndOffset):
25938 (JSC::ThrowablePrefixedSubExpressionData::subexpressionLine):
25939 (JSC::ThrowablePrefixedSubExpressionData::subexpressionLineStart):
25940 (JSC::ScopeNode::startStartOffset):
25941 (JSC::ScopeNode::startLineStartOffset):
25942 (JSC::ProgramNode::startColumn):
25943 (JSC::EvalNode::startColumn):
25944 (JSC::FunctionBodyNode::startColumn):
25945 - Plumbed line and lineStart through the above as needed.
25946 * parser/Parser.cpp:
25947 (JSC::::Parser):
25948 (JSC::::parseSourceElements):
25949 (JSC::::parseVarDeclarationList):
25950 (JSC::::parseConstDeclarationList):
25951 (JSC::::parseForStatement):
25952 (JSC::::parseBreakStatement):
25953 (JSC::::parseContinueStatement):
25954 (JSC::::parseReturnStatement):
25955 (JSC::::parseThrowStatement):
25956 (JSC::::parseWithStatement):
25957 - Plumbed line and lineStart through the above as needed.
25958 (JSC::::parseFunctionBody):
25959 - Plumbed startColumn.
25960 (JSC::::parseFunctionInfo):
25961 (JSC::::parseFunctionDeclaration):
25962 (JSC::LabelInfo::LabelInfo):
25963 (JSC::::parseExpressionOrLabelStatement):
25964 (JSC::::parseAssignmentExpression):
25965 (JSC::::parseBinaryExpression):
25966 (JSC::::parseProperty):
25967 (JSC::::parseObjectLiteral):
25968 (JSC::::parsePrimaryExpression):
25969 (JSC::::parseMemberExpression):
25970 (JSC::::parseUnaryExpression):
25971 - Plumbed line, lineStart, startColumn through the above as needed.
25972 * parser/Parser.h:
25973 (JSC::Parser::next):
25974 (JSC::Parser::nextExpectIdentifier):
25975 (JSC::Parser::tokenStart):
25976 (JSC::Parser::tokenColumn):
25977 (JSC::Parser::tokenEnd):
25978 (JSC::Parser::tokenLineStart):
25979 (JSC::Parser::lastTokenLine):
25980 (JSC::Parser::lastTokenLineStart):
25981 (JSC::::parse):
25982 * parser/ParserTokens.h:
25983 (JSC::JSTokenLocation::JSTokenLocation):
25984 - Plumbed lineStart.
25985 (JSC::JSTokenLocation::lineStartPosition):
25986 (JSC::JSTokenLocation::startPosition):
25987 (JSC::JSTokenLocation::endPosition):
25988 * parser/SourceCode.h:
25989 (JSC::SourceCode::SourceCode):
25990 (JSC::SourceCode::startColumn):
25991 (JSC::makeSource):
25992 (JSC::SourceCode::subExpression):
25993 * parser/SourceProvider.cpp: delete old code.
25994 * parser/SourceProvider.h: delete old code.
25995 * parser/SourceProviderCacheItem.h:
25996 (JSC::SourceProviderCacheItem::closeBraceToken):
25997 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
25998 - Plumbed lineStart.
25999 * parser/SyntaxChecker.h:
26000 (JSC::SyntaxChecker::makeFunctionCallNode):
26001 (JSC::SyntaxChecker::makeAssignNode):
26002 (JSC::SyntaxChecker::makePrefixNode):
26003 (JSC::SyntaxChecker::makePostfixNode):
26004 (JSC::SyntaxChecker::makeDeleteNode):
26005 (JSC::SyntaxChecker::createResolve):
26006 (JSC::SyntaxChecker::createBracketAccess):
26007 (JSC::SyntaxChecker::createDotAccess):
26008 (JSC::SyntaxChecker::createRegExp):
26009 (JSC::SyntaxChecker::createNewExpr):
26010 (JSC::SyntaxChecker::createAssignResolve):
26011 (JSC::SyntaxChecker::createFunctionExpr):
26012 (JSC::SyntaxChecker::createFunctionBody):
26013 (JSC::SyntaxChecker::createFuncDeclStatement):
26014 (JSC::SyntaxChecker::createForInLoop):
26015 (JSC::SyntaxChecker::createReturnStatement):
26016 (JSC::SyntaxChecker::createBreakStatement):
26017 (JSC::SyntaxChecker::createContinueStatement):
26018 (JSC::SyntaxChecker::createWithStatement):
26019 (JSC::SyntaxChecker::createLabelStatement):
26020 (JSC::SyntaxChecker::createThrowStatement):
26021 (JSC::SyntaxChecker::createGetterOrSetterProperty):
26022 (JSC::SyntaxChecker::appendBinaryExpressionInfo):
26023 (JSC::SyntaxChecker::operatorStackPop):
26024 - Made SyntaxChecker prototype changes to match ASTBuilder due to new
26025 args added for plumbing line, lineStart, and startColumn.
26026 * runtime/CodeCache.cpp:
26027 (JSC::CodeCache::generateBytecode):
26028 (JSC::CodeCache::getCodeBlock):
26029 - Plumbed startColumn.
26030 * runtime/Executable.cpp:
26031 (JSC::FunctionExecutable::FunctionExecutable):
26032 (JSC::ProgramExecutable::compileInternal):
26033 (JSC::FunctionExecutable::produceCodeBlockFor):
26034 (JSC::FunctionExecutable::fromGlobalCode):
26035 - Plumbed startColumn.
26036 * runtime/Executable.h:
26037 (JSC::ScriptExecutable::startColumn):
26038 (JSC::ScriptExecutable::recordParse):
26039 (JSC::FunctionExecutable::create):
26040 - Plumbed startColumn.
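
The three ExpressionRangeInfo encoding modes and the bytecodeOffset fallback described in the entry above, as an added example that is not JavaScriptCore's own code. The 2-bit tag over a 30-bit payload layout, the Table class, its side table for fat positions and the sample values are assumptions constructed for illustration.

```cpp
// Added example (not JavaScriptCore's own code): a model of the three-mode
// line/column encoding described in the ExpressionRangeInfo.h entry above.
// Layout is an assumption: a 32-bit word holds a 2-bit mode tag above a 30-bit
// position payload; positions too large for either fat mode spill into a side table.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

namespace LineColumnEncoding {
enum Mode : uint32_t {
    FatLineMode = 0,          // 22-bit line, 8-bit column
    FatColumnMode = 1,        // 8-bit line, 22-bit column
    FatLineAndColumnMode = 2  // 32-bit line and 32-bit column, stored out of line
};

const uint32_t modeShift = 30;
const uint32_t positionMask = (1u << 30) - 1;
const uint32_t max22Bits = (1u << 22) - 1;
const uint32_t max8Bits = (1u << 8) - 1;

struct LineColumn { uint32_t line; uint32_t column; };
// The column is the distance from the divot to the start of its line. Offsets stay
// signed inside the lexer/parser so this assertion holds even when lineStart lies
// before the SourceCode start; the published column is unsigned.
inline uint32_t columnFromDivot(int divot, int lineStart)
{
    assert(divot >= lineStart);
    return static_cast<uint32_t>(divot - lineStart);
}

inline uint32_t encodeFatLineMode(uint32_t line, uint32_t column) { return (FatLineMode << modeShift) | (line << 8) | column; }
inline uint32_t encodeFatColumnMode(uint32_t line, uint32_t column) { return (FatColumnMode << modeShift) | (line << 22) | column; }
inline LineColumn decodeFatLineMode(uint32_t position) { return { position >> 8, position & max8Bits }; }
inline LineColumn decodeFatColumnMode(uint32_t position) { return { position >> 22, position & max22Bits }; }

class Table {
public:
    // Entries are appended in increasing bytecode order, as the generator emits them.
    void add(uint32_t bytecodeOffset, uint32_t line, uint32_t column)
    {
        uint32_t encoded;
        if (line <= max22Bits && column <= max8Bits)
            encoded = encodeFatLineMode(line, column);
        else if (line <= max8Bits && column <= max22Bits)
            encoded = encodeFatColumnMode(line, column);
        else {
            // Both values are large: keep the full pair in the rare-data side table.
            uint32_t index = static_cast<uint32_t>(m_fatPositions.size());
            assert(index <= positionMask);
            m_fatPositions.push_back({ line, column });
            encoded = (FatLineAndColumnMode << modeShift) | index;
        }
        m_infos.push_back({ bytecodeOffset, encoded });
    }

    // Returns the last entry at or before bytecodeOffset. An offset below the first
    // entry falls back to that first entry, as the UnlinkedCodeBlock change describes.
    LineColumn lookup(uint32_t bytecodeOffset) const
    {
        if (m_infos.empty())
            return { 0, 0 };
        size_t low = 0, high = m_infos.size();
        while (low < high) {
            size_t mid = low + (high - low) / 2;
            if (m_infos[mid].bytecodeOffset <= bytecodeOffset)
                low = mid + 1;
            else
                high = mid;
        }
        const Info& info = m_infos[low ? low - 1 : 0];
        uint32_t position = info.encoded & positionMask;
        switch (info.encoded >> modeShift) {
        case FatLineMode:   return decodeFatLineMode(position);
        case FatColumnMode: return decodeFatColumnMode(position);
        default:            return m_fatPositions[position];
        }
    }

    Mode modeAt(size_t index) const { return static_cast<Mode>(m_infos[index].encoded >> modeShift); }
    size_t fatCount() const { return m_fatPositions.size(); }

private:
    struct Info { uint32_t bytecodeOffset; uint32_t encoded; };
    std::vector<Info> m_infos;
    std::vector<LineColumn> m_fatPositions;
};

// Constructed sample table with one entry per encoding mode.
inline Table sampleTable()
{
    Table table;
    table.add(4, 10, columnFromDivot(45, 40)); // short line: FatLineMode
    table.add(8, 3, 1000);                     // long minified line: FatColumnMode
    table.add(20, 5000000, 70000);             // both large: FatLineAndColumnMode
    return table;
}
} // namespace LineColumnEncoding
```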
26041
260422013-07-08 Carlos Garcia Campos <cgarcia@igalia.com>
26043
26044 Unreviewed. Fix make distcheck.
26045
26046 * GNUmakefile.list.am: Add missing header files.
26047
260482013-07-04 Patrick Gansterer <paroga@webkit.org>
26049
26050 [CMake] Add generation of JITStubs for x86_64 MSVC
26051 https://bugs.webkit.org/show_bug.cgi?id=116666
26052
26053 Reviewed by Laszlo Gombos.
26054
26055 Also move the generation for ARM CPU into the CMakeLists.txt,
26056 since it's compiler specific and not dedicated to Windows CE.
26057
26058 * CMakeLists.txt:
26059 * PlatformWinCE.cmake: Removed.
26060
260612013-07-04 Patrick Gansterer <paroga@webkit.org>
26062
26063 [CMake] Add STATICALLY_LINKED_WITH_WTF to JavaScriptCore project
26064 https://bugs.webkit.org/show_bug.cgi?id=118120
26065
26066 Reviewed by Gyuyoung Kim.
26067
26068 Since WTF is a static library linked to JavaScriptCore on all CMake ports
26069 we need to define STATICALLY_LINKED_WITH_WTF for all of them.
26070 This only makes a difference for Windows, since WTF_EXPORT and WTF_IMPORT
26071 are the same on all other platforms.
26072
26073 * CMakeLists.txt:
26074
260752013-07-02 Mark Hahnenberg <mhahnenberg@apple.com>
26076
26077 Replace RELEASE_ASSERT with ASSERT in CodeBlock::bytecodeOffsetForCallAtIndex
26078 https://bugs.webkit.org/show_bug.cgi?id=118316
26079
26080 Reviewed by Geoffrey Garen.
26081
26082 This is causing some crashiness in release builds. We should replace it with an ASSERT
26083 until we track down all the places that need fixing in bug 118315.
26084
26085 * bytecode/CodeBlock.h:
26086 (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
26087
260882013-07-02 Brent Fulgham <bfulgham@apple.com>
26089
26090 [Windows] Unreviewed build correction for 'DebugSuffix' target.
26091
26092 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Must pass the
26093 DEBUGSUFFIX definition to the nmake instance to be available during script processing.
26094
260952013-07-01 Sergio Correia <sergio.correia@openbossa.org>
26096
26097 [JSC]: Fix maybe-uninitialized gcc 4.8 warning in DFGSpeculativeJIT.cpp
26098 https://bugs.webkit.org/show_bug.cgi?id=118278
26099
26100 Reviewed by Filip Pizlo.
26101
26102 * dfg/DFGSpeculativeJIT.cpp:
26103 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
26104 Initialize valueGPR with InvalidGPRReg.
26105
261062013-07-01 Csaba Osztrogonác <ossy@webkit.org>
26107
26108 Fix cast-align warnings in JavaScriptCore/heap/HandleBlockInlines.h
26109 https://bugs.webkit.org/show_bug.cgi?id=118242
26110
26111 Reviewed by Mark Hahnenberg.
26112
26113 * heap/HandleBlockInlines.h:
26114 (JSC::HandleBlock::nodes):
26115
261162013-06-29 Andreas Kling <akling@apple.com>
26117
26118 Follow-up to r152206: also update HashFlags8BitBuffer in the LLInt.
26119
26120 * llint/LowLevelInterpreter.asm:
26121
261222013-06-28 Andreas Kling <akling@apple.com>
26123
26124 Un-crashify JSC tests on debug bots after Anders had his way with StringImpl.
26125
26126 * llint/LLIntData.cpp:
26127 (JSC::LLInt::Data::performAssertions):
26128
261292013-06-28 Anders Carlsson <andersca@apple.com>
26130
26131 Remove String::deprecatedCharactersWithNullTermination() and related code
26132 https://bugs.webkit.org/show_bug.cgi?id=118211
26133
26134 Reviewed by Benjamin Poulain.
26135
26136 * API/JSStringRef.cpp:
26137 (JSStringCreateWithCharactersNoCopy):
26138 Update call to StringImpl::createWithoutCopying.
26139
261402013-06-27 Timothy Hatcher <timothy@apple.com>
26141
26142 Notify the debugger about functions created from source code via new Function() or WebCore::JSLazyEventListener.
26143
26144 https://bugs.webkit.org/show_bug.cgi?id=118063
26145
26146 Reviewed by Geoffrey Garen.
26147
26148 * bytecode/UnlinkedCodeBlock.cpp:
26149 (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Call Debugger::sourceParsed.
26150
261512013-06-26 Anders Carlsson <andersca@apple.com>
26152
26153 Add JSStringCreateWithCharactersNoCopy SPI
26154 https://bugs.webkit.org/show_bug.cgi?id=118074
26155 <rdar://problem/14279905>
26156
26157 Reviewed by Geoffrey Garen.
26158
26159 * API/JSStringRef.cpp:
26160 (JSStringCreateWithCharactersNoCopy):
26161 Create a new OpaqueJSString, using the newly added StringImpl::createWithoutCopying function.
26162
26163 * API/JSStringRefPrivate.h: Added.
26164 Add a home for the JSStringCreateWithCharactersNoCopy function.
26165
26166 * API/OpaqueJSString.h:
26167 (OpaqueJSString::OpaqueJSString):
26168 Just call isolatedCopy on the passed in string.
26169
26170 * API/tests/testapi.c:
26171 Add an API test for JSStringCreateWithCharactersNoCopy.
26172
26173 * JavaScriptCore.xcodeproj/project.pbxproj:
26174 Add new files.
26175
261762013-06-25 Ryosuke Niwa <rniwa@webkit.org>
26177
26178 JSString should remember AtomicString
26179 https://bugs.webkit.org/show_bug.cgi?id=117386
26180
26181 Reviewed by Geoffrey Garen.
26182
26183 Added JSValue::toAtomicString and JSString::atomicString. These two functions allow WebCore to update
26184 JSString's m_value to set isAtomic flag and avoid the AtomicStringTable lookups in subsequent attempts
26185 to obtain the AtomicString of the same value.
26186
26187 * runtime/JSCJSValue.h:
26188 * runtime/JSString.h:
26189 (JSC::JSString::atomicString):
26190 (JSC::JSValue::toAtomicString):
26191
261922013-06-24 Roger Fong <roger_fong@apple.com>
26193
26194 Unreviewed. Makefile build fix for AppleWindows.
26195
26196 * JavaScriptCore.vcxproj/JavaScriptCore.make:
26197
261982013-06-17 Darin Adler <darin@apple.com>
26199
26200 Sort all the Xcode project files
26201 https://bugs.webkit.org/show_bug.cgi?id=117696
26202
26203 Reviewed by Anders Carlsson.
26204
26205 * JavaScriptCore.xcodeproj/project.pbxproj: Ran the sort-Xcode-project-file script.
26206
262072013-06-21 Mark Lam <mark.lam@apple.com>
26208
26209 Introducing the VMStackBounds class.
26210 https://bugs.webkit.org/show_bug.cgi?id=117862.
26211
26212 Reviewed by Geoffrey Garen.
26213
26214 - Removed Interpreter::StackPolicy.
26215 - The new VMStackBounds will take over choosing the appropriate stack
26216 size requirements, and invoking the underlying WTF::StackBounds to
26217 do the real bounds check.
26218 - VMStackBounds will now be used universally throughout JSC instead of
26219 WTF::StackBounds.
26220
26221 * JavaScriptCore.xcodeproj/project.pbxproj:
26222 * bytecompiler/BytecodeGenerator.cpp:
26223 (JSC::BytecodeGenerator::BytecodeGenerator):
26224 * bytecompiler/BytecodeGenerator.h:
26225 * interpreter/Interpreter.cpp:
26226 (JSC::Interpreter::execute):
26227 (JSC::Interpreter::executeCall):
26228 (JSC::Interpreter::executeConstruct):
26229 (JSC::Interpreter::prepareForRepeatCall):
26230 * interpreter/Interpreter.h:
26231 (JSC::Interpreter::isInErrorHandlingMode):
26232 * parser/Parser.cpp:
26233 (JSC::::Parser):
26234 * parser/Parser.h:
26235 * runtime/StringRecursionChecker.h:
26236 (JSC::StringRecursionChecker::performCheck):
26237 * runtime/VMStackBounds.h: Added.
26238 (JSC::VMStackBounds::VMStackBounds):
26239 (JSC::VMStackBounds::isSafeToRecurse):
26240 (JSC::VMStackBounds::requiredCapacity):
26241
262422013-06-20 Mark Lam <mark.lam@apple.com>
26243
26244 Change stack capacity requirement to be more reasonable.
26245 https://bugs.webkit.org/show_bug.cgi?id=117801.
26246
26247 Reviewed by Geoffrey Garen.
26248
26249 Previously, the requiredStack in StackPolicy::StackPolicy() was set to
26250 a high value like 256K to reduce the chances of encountering an
26251 undetected stack overflow in a scenario where we have a combination of
26252 deeply nested divs and a large amount of recursive re-entries into the JSGlobalData.
26253
26254 However, this high value of requiredStack still does not completely
26255 ensure that we will never encounter an undetected stack overflow. It
26256 only lessens the probability of encountering it.
26257
26258 Secondly, on some platforms, the total stack size can be less than 256K
26259 to start with. Hence, this high value requiredStack renders the JSGlobalData
26260 unusable on those platforms.
26261
26262 This patch will fix the requiredStack to be more reasonable based on
26263 real world stack usage by the JSGlobalData. We won't (and cannot) try to prevent
26264 undetected stack overflows outside of JSC as well. External code that
26265 does deep recursion (e.g. Document::updateLayout()) should do its own
26266 stack checks.
26267
26268 From a previous experiment, we measured the following:
26269
26270 On a debug build on OSX:
26271 1. Stack usage difference between recursive calls to interpreter entry:
26272 7744 bytes
26273 On a release build on OSX:
26274 2. Stack usage difference between recursive calls to interpreter entry:
26275 6352 bytes
26276
26277 Using these as a guide, we'll pick the following values for the
26278 StackPolicy:
26279 requiredStack: 32K
26280 errorModeRequiredStack: 16K
26281
26282 The requiredStack is chosen to be 4x the measured usage above. The
26283 additional 3x is a conservative estimate to account for stack space
26284 that may be needed by other native functions called while in the
26285 interpreter.
26286
26287 The errorModeRequiredStack has to be less than the requiredStack or we
26288 won't be able to reenter the interpreter to do error handling work when
26289 an imminent stack overflow is detected. It is assumed that the error
26290 handling code will only do minimal work to allocate an exception and its
26291 stack trace, and not run any arbitrary JS code. As such, it is safe to
26292 allow re-entry into the interpreter with only 2x the measured usage in
26293 this case.
26294
26295 * interpreter/Interpreter.cpp:
26296 (JSC::Interpreter::StackPolicy::StackPolicy):
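
The margin policy this entry describes, as an added illustration that is not the Interpreter.cpp code: the 32K/16K margins and the 6352-byte release-build frame come from the entry, while the class layout, the helper names, the 64K constructed stack and its 0x10000 lower limit are assumptions made for the example. It counts how many nested interpreter entries each policy admits before the margin check refuses one.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Margins stated in the ChangeLog entry above.
constexpr std::size_t kRequiredStack = 32 * 1024;
constexpr std::size_t kErrorModeRequiredStack = 16 * 1024;

// The entry's constraint: the error path must be able to re-enter the
// interpreter after the normal check has already refused.
static_assert(kErrorModeRequiredStack < kRequiredStack,
              "error-mode margin must be smaller than the normal margin");

// Illustrative stand-in for Interpreter::StackPolicy (assumed shape, not JSC's).
// The stack is modelled as growing toward lower addresses, so "room left" is
// the distance from the current stack pointer down to the stack's lowest address.
class StackPolicy {
public:
    StackPolicy(std::uintptr_t stackLimit, bool errorMode)
        : m_stackLimit(stackLimit), m_errorMode(errorMode) { }

    // Margin the policy currently demands.
    std::size_t requiredStack() const {
        return m_errorMode ? kErrorModeRequiredStack : kRequiredStack;
    }

    // True when entering at stack pointer `sp` still leaves the required margin.
    bool canEnter(std::uintptr_t sp) const {
        if (sp < m_stackLimit)
            return false;               // already past the end of the stack
        return sp - m_stackLimit >= requiredStack();
    }

private:
    std::uintptr_t m_stackLimit;        // lowest usable address of the thread stack
    bool m_errorMode;                   // true while handling an imminent overflow
};

// Number of nested entries of `frameBytes` each that fit before the policy
// refuses one, starting from stack pointer `sp` (a constructed scenario).
std::size_t countPermittedEntries(const StackPolicy& policy, std::uintptr_t sp, std::size_t frameBytes) {
    std::size_t entries = 0;
    while (policy.canEnter(sp)) {
        ++entries;
        sp -= frameBytes;               // each re-entry consumes one frame
    }
    return entries;
}

int main() {
    // Constructed example: a 64K stack whose lowest address is 0x10000.
    const std::uintptr_t limit = 0x10000;
    const std::uintptr_t top = limit + 64 * 1024;
    StackPolicy normal(limit, false);
    StackPolicy errorMode(limit, true);
    std::printf("entries admitted with a 6352-byte frame: normal=%zu, error mode=%zu\n",
                countPermittedEntries(normal, top, 6352),
                countPermittedEntries(errorMode, top, 6352));
    return 0;
}
```

With the constructed 64K stack the normal policy admits 6 nested entries and the error-mode policy 8, which is the point of the two margins: once the 32K check trips, the 16K check still leaves room for the error-handling re-entry. A real check reads the thread's actual stack bounds; the addresses here are constructed so the example runs anywhere.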

2013-06-20  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>

        HashSet: reverse the order of the template arguments at alternate 'find', 'contains' and 'add' methods
        https://bugs.webkit.org/show_bug.cgi?id=117830

        Reviewed by Anders Carlsson.

        The order of the template arguments at HashSet alternate 'find', 'contains' and
        'add' methods is reversed so that callers can just pass the translator
        and let the compiler deduce the input argument type.

        * runtime/Identifier.h:
        (JSC::IdentifierTable::add):

2013-06-20  Roger Fong  <roger_fong@apple.com>

        Make Windows makefile copy build output to a different folder.
        <rdar://problem/14219184>.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-06-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Improper deallocation of JSManagedValue causes crashes during autorelease pool draining
        https://bugs.webkit.org/show_bug.cgi?id=117840

        Reviewed by Geoffrey Garen.

        Improperly managing a JSManagedValue can cause a crash when the JSC::Weak inside the
        JSManagedValue is destroyed upon deallocation. We would rather have improperly maintained
        JSManagedValues cause memory leaks than take down the whole app.

        The fix is to use the callback to the JSC::Weak on the destruction of the JSGlobalData so that we
        can safely null it out. This will prevent ~Weak from crashing.

        * API/JSManagedValue.mm:
        (-[JSManagedValue JSC::JSC::]):
        (JSManagedValueHandleOwner::finalize):
        * API/tests/testapi.mm: Added a test that crashed prior to this fix due to a leaked
        managed reference. Also fixed a small style nit I noticed in another test.

2013-06-18  Oliver Hunt  <oliver@apple.com>

        Going to google.com/trends causes a crash
        https://bugs.webkit.org/show_bug.cgi?id=117602

        Reviewed by Geoffrey Garen.

        When handling op_throw, etc. we need to flush the variables and arguments
        for the entire inline stack, not just the top frame.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack):
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-06-18  Roger Fong  <roger_fong@apple.com>

        Replace tools32 folder with tools and update WebKit Windows solution accordingly.
        <rdar://problem/14118143>.

        Rubberstamped by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jscDebug.props:
        * JavaScriptCore.vcxproj/jsc/jscProduction.props:
        * JavaScriptCore.vcxproj/jsc/jscRelease.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiDebug.props:
        * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiProduction.props:
        * JavaScriptCore.vcxproj/testapi/testapiRelease.props:
        * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props:

2013-06-17  Roger Fong  <roger_fong@apple.com>

        Modify Windows makefiles to copy some bin output into Program Files.
        https://bugs.webkit.org/show_bug.cgi?id=117714.
        <rdar://problem/14179054>

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-06-14  Ryosuke Niwa  <rniwa@webkit.org>

        Function names on Object.prototype should be common identifiers
        https://bugs.webkit.org/show_bug.cgi?id=117614

        Reviewed by Darin Adler.

        Patch written by Sam Weinig. Make Object's prototype function names common identifiers since they're used frequently.

        * runtime/CommonIdentifiers.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2013-06-13  Ryosuke Niwa  <rniwa@webkit.org>

        Remove LiteralIdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=117613

        Reviewed by Geoffrey Garen.

        Removed LiteralIdentifierTable since it doesn't seem to have any perf. impact now.

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):

2013-06-12  Conrad Shultz  <conrad_shultz@apple.com>

        JSExport header documentation substitutes "semicolon" for "colon"
        https://bugs.webkit.org/show_bug.cgi?id=117552

        Reviewed by Mark Hahnenberg.

        * API/JSExport.h:
        Fix a couple of typos.

2013-06-10  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [JSC] Remove a vestige of wxWidgets support.
        https://bugs.webkit.org/show_bug.cgi?id=117419

        Reviewed by Benjamin Poulain.

        * runtime/JSExportMacros.h: Remove a check for BUILDING_WX__ that
        seems to have gone unnoticed when the wxWidgets port was removed.

2013-06-06  Roger Fong  <roger_fong@apple.com>

        Stop copying AAS binaries into build folder.
        https://bugs.webkit.org/show_bug.cgi?id=117319.

        Rubberstamped by Darin Adler.

        * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd:

2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
        https://bugs.webkit.org/show_bug.cgi?id=117279
        <rdar://problem/14078025>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filterArrayModesByType):

2013-06-05  Michael Saboff  <msaboff@apple.com>

        JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
        https://bugs.webkit.org/show_bug.cgi?id=117280

        Reviewed by Filip Pizlo.

        Updated the merging of VariableAccessData nodes in ArgumentPosition lists
        to find the unified VariableAccessData node that is the root of the
        current node instead of using the current node directly when merging
        attributes.
        Added new dump code to dump the ArgumentPosition list.

        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
        (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
        (JSC::DFG::ArgumentPosition::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2013-06-05  Bear Travis  <betravis@adobe.com>

        [CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags
        https://bugs.webkit.org/show_bug.cgi?id=117172

        Reviewed by Alexandru Chiculita.

        Adding the CSS_SHAPES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2013-06-05  Balazs Kilvady  <kilvadyb@homejinni.com>

        JSC Assertion tests failures on MIPS.
        https://bugs.webkit.org/show_bug.cgi?id=116552

        Reviewed by Geoffrey Garen.

        Fix condition handling in branchAdd32 implementations.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):

2013-06-04  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Add floating point absolute function support in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=117147

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPointAbs):
        (JSC::MacroAssemblerSH4::absDouble):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::dabs):
        (JSC::SH4Assembler::printInstr):

2013-06-04  Zan Dobersek  <zdobersek@igalia.com>

        [JSC] Test262 15.5.4.9_3 test is failing
        https://bugs.webkit.org/show_bug.cgi?id=116789

        Reviewed by Geoffrey Garen.

        Bring the String.prototype.localeCompare behavior in line with ES5 15.9.4.9.
        If the method is not given enough arguments, the minimal amount of arguments must be assumed, with their value being undefined.
        The first argument to localeCompare, in its string form, is used as the 'that' string that's used in the comparison.
        Therefore, when calling str.localeCompare() or str.localeCompare(undefined), the first argument is `undefined` and the
        string "undefined" is used as the string to which the value of str is compared.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLocaleCompare): Remove the early return in case of no given arguments to achieve the desired behavior.

2013-06-03  Hojong Han  <hojong.han@samsung.com>

        [EFL] Implement GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=95923

        Reviewed by Geoffrey Garen.

        Implements the activity triggered garbage collector.
        Additional GCs can be triggered by a platform timer.
        It has a sort of compaction effect that keeps the JSC heap from growing fast,
        so that memory usage becomes lower than usual.

        * PlatformEfl.cmake: Added.
        * heap/HeapTimer.cpp:
        (JSC):
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::add):
        (JSC::HeapTimer::stop):
        (JSC::HeapTimer::timerEvent):
        * heap/HeapTimer.h:
        (HeapTimer):
        * jsc.cpp:
        (main):
        * runtime/GCActivityCallback.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        (JSC::DefaultGCActivityCallback::didAllocate):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (JSC::GCActivityCallback::GCActivityCallback):
        (DefaultGCActivityCallback):

2013-06-03  Roger Fong  <roger_fong@apple.com>

        Nuke VS2005 files from the tree.
        <rdar://problem/14042021>.

        Rubberstamped by Brent Fulgham.

        * JavaScriptCore.vcproj: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore.make: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore.resources: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore.resources/Info.plist: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore.sln: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCF.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePGOOptimize.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreLink.cmd: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed.
        * JavaScriptCore.vcproj/LLIntAssembly: Removed.
        * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
        * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj: Removed.
        * JavaScriptCore.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
        * JavaScriptCore.vcproj/LLIntDesiredOffsets: Removed.
        * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
        * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj: Removed.
        * JavaScriptCore.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc: Removed.
        * JavaScriptCore.vcproj/jsc/jsc.vcproj: Removed.
        * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/jsc/jscPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/jsc/jscPreLink.cmd: Removed.
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi: Removed.
        * JavaScriptCore.vcproj/testapi/testapi.vcproj: Removed.
        * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapiPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/testapi/testapiPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/testapi/testapiPreLink.cmd: Removed.
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops: Removed.

2013-05-31  Filip Pizlo  <fpizlo@apple.com>

        Incorrect assertion in DFG::Graph::uncheckedActivationRegisterFor()
        <rdar://problem/13989324>

        Rubber stamped by Mark Hahnenberg.

        This has a bogus assertion that checks that the passed CodeOrigin doesn't have
        an inline call frame. This was well intentioned in the sense that it is true
        that inlined call frames wouldn't have an activation register. But that doesn't
        mean that people won't ask. Removing the assertion fixes a debug-only crash and
        has no impact on production code. This change adds a comment to that effect.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::uncheckedActivationRegisterFor):

2013-05-31  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Fix Overflow case of branchMul32 in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=117057

        Reviewed by Oliver Hunt.

        Current implementation of Overflow case in branchMul32 performs an
        unsigned multiplication whereas a signed multiplication is expected.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchMul32):

2013-05-31  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Fix floating point comparisons in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=117066.

        Reviewed by Oliver Hunt.

        Current implementation of branchDouble function in baseline JIT is wrong
        for some conditions and overkill for others. For instance:
        - With DoubleGreaterThanOrEqual condition, branch will be taken if either
          operand is NaN with current implementation whereas it should not.
        - With DoubleNotEqualOrUnordered condition, performed NaN checks are
          useless (because comparison result is false if either operand is NaN).

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchDouble):
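
The NaN contract this entry relies on, as an added reference model that is not the SH4 backend or the MacroAssembler code. The enumerator names follow JSC's DoubleCondition; the evaluation function, kNaN, nanHandlingIsConsistent and the two helper functions at the end are assumptions made for this illustration.

```cpp
#include <cmath>
#include <limits>

// Enumerator names follow JSC's MacroAssembler DoubleCondition. The order
// matters below: the first six are "ordered", the last six "OrUnordered".
enum class DoubleCondition {
    DoubleEqual, DoubleNotEqual,
    DoubleGreaterThan, DoubleGreaterThanOrEqual,
    DoubleLessThan, DoubleLessThanOrEqual,
    DoubleEqualOrUnordered, DoubleNotEqualOrUnordered,
    DoubleGreaterThanOrUnordered, DoubleGreaterThanOrEqualOrUnordered,
    DoubleLessThanOrUnordered, DoubleLessThanOrEqualOrUnordered
};

const double kNaN = std::numeric_limits<double>::quiet_NaN();

// Reference semantics a backend must reproduce: ordered conditions are false
// whenever either operand is NaN; "OrUnordered" conditions are true then.
bool evaluateDoubleCondition(DoubleCondition cond, double a, double b) {
    const bool unordered = std::isnan(a) || std::isnan(b);
    switch (cond) {
    case DoubleCondition::DoubleEqual:                         return !unordered && a == b;
    case DoubleCondition::DoubleNotEqual:                      return !unordered && a != b;
    case DoubleCondition::DoubleGreaterThan:                   return !unordered && a > b;
    case DoubleCondition::DoubleGreaterThanOrEqual:            return !unordered && a >= b;
    case DoubleCondition::DoubleLessThan:                      return !unordered && a < b;
    case DoubleCondition::DoubleLessThanOrEqual:               return !unordered && a <= b;
    case DoubleCondition::DoubleEqualOrUnordered:              return unordered || a == b;
    case DoubleCondition::DoubleNotEqualOrUnordered:           return unordered || a != b;
    case DoubleCondition::DoubleGreaterThanOrUnordered:        return unordered || a > b;
    case DoubleCondition::DoubleGreaterThanOrEqualOrUnordered: return unordered || a >= b;
    case DoubleCondition::DoubleLessThanOrUnordered:           return unordered || a < b;
    case DoubleCondition::DoubleLessThanOrEqualOrUnordered:    return unordered || a <= b;
    }
    return false;
}

// Checks every condition against a NaN on either side: the six ordered
// conditions must come out false, the six "OrUnordered" ones true.
bool nanHandlingIsConsistent() {
    for (int i = 0; i < 12; ++i) {
        const bool expected = i >= 6;
        const DoubleCondition cond = static_cast<DoubleCondition>(i);
        if (evaluateDoubleCondition(cond, kNaN, 0.0) != expected)
            return false;
        if (evaluateDoubleCondition(cond, 0.0, kNaN) != expected)
            return false;
    }
    return true;
}

// Why the entry calls the NaN checks for DoubleNotEqualOrUnordered useless:
// an IEEE equality compare (what an fcmp/eq-style instruction yields) is
// already false when either operand is NaN, so its negation is exactly
// "not equal or unordered" with no separate NaN test.
bool notEqualOrUnorderedViaEq(double a, double b) {
    return !(a == b);
}

// The opposite trap: deriving an ordered condition from a negated compare.
// !(a < b) is true when a is NaN, so a branch built this way is taken on NaN,
// which is the DoubleGreaterThanOrEqual symptom the entry describes.
bool greaterThanOrEqualViaNotLess(double a, double b) {
    return !(a < b);
}
```

evaluateDoubleCondition is the oracle a backend's branchDouble can be tested against; the two helpers show the two directions of the same rule. Negating an equality compare is safe because NaN already makes the compare false, while negating a less-than compare to get greater-than-or-equal is not, because the NaN case flips from false to true.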
26732
267332013-05-31 Julien Brianceau <jbrianceau@nds.com>
26734
26735 [sh4] Fix double floating point transfer in baseline JIT.
26736 https://bugs.webkit.org/show_bug.cgi?id=117054
26737
26738 Reviewed by Oliver Hunt.
26739
26740 In current implementation, dmovRegReg function transfers only one single
26741 FPRegister as PR=1 and SZ=0 in floating point status/control register.
26742 Double transfers must be performed with two fmov.s opcodes.
26743
26744 * assembler/MacroAssemblerSH4.h:
26745 (JSC::MacroAssemblerSH4::moveDouble):
26746 (JSC::MacroAssemblerSH4::addDouble): Handle (op2==dest) case properly.
26747 (JSC::MacroAssemblerSH4::sqrtDouble):
26748 * assembler/SH4Assembler.h:
26749 (JSC::SH4Assembler::fmovsRegReg):
26750
267512013-05-31 Julien Brianceau <jbrianceau@nds.com>
26752
26753 [sh4] Handle branchType properly in branchTruncateDoubleToInt32.
26754 https://bugs.webkit.org/show_bug.cgi?id=117062
26755
26756 Reviewed by Oliver Hunt.
26757
26758 Current implementation of branchTruncateDoubleToInt32 is incorrect
26759 when branchType == BranchIfTruncateSuccessful in sh4 baseline JIT.
26760
26761 * assembler/MacroAssemblerSH4.h:
26762 (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32):
26763
267642013-05-31 Brent Fulgham <bfulgham@apple.com>
26765
26766 [Windows] Unreviewed build fix for VS2005 builders.
26767
26768 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add
26769 missing export for WTF::SHA1::computeHexDigest
26770
267712013-05-30 David Farler <dfarler@apple.com>
26772
26773 Fix jscore-test when not using --sdk option with jsDriver.pl
26774 https://bugs.webkit.org/show_bug.cgi?id=116339
26775
26776 Reviewed by Joe Pecoraro.
26777
26778 * tests/mozilla/jsDriver.pl:
26779 (execute_tests):
26780 With each test, the shell_command needs to be started from scratch.
26781
26782 This fix will clear the shell_command and start over as before with
26783 the opt_arch option when not using --sdk with jsDriver.pl.
26784
267852013-05-30 Roger Fong <roger_fong@apple.com>
26786
26787 Get rid of JavaScript exports file on AppleWin port.
26788 https://bugs.webkit.org/show_bug.cgi?id=117050.
26789
26790 Reviewed by Darin Adler.
26791
26792 Delete the JavaScriptCoreExportGenerator folder and remove dependencies.
26793 Start linking in WTF.lib now that it's a shared library.
26794
26795 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln:
26796 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
26797 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
26798 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Removed.
26799 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Removed.
26800 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Removed.
26801 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Removed.
26802 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Removed.
26803 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Removed.
26804 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Removed.
26805 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Removed.
26806 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Removed.
26807 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Removed.
26808 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Removed.
26809 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Removed.
26810 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
26811 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
26812 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters:
26813 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
26814 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
26815
268162013-05-22 David Farler <dfarler@apple.com>
26817
26818 Add --sdk option to jsDriver.pl to run with iOS Simulator
26819 https://bugs.webkit.org/show_bug.cgi?id=116339
26820
26821 Reviewed by David Kilzer.
26822
26823 * tests/mozilla/jsDriver.pl:
26824 (execute_tests):
26825 Prefix shell command with the path to the "sim" tool.
26826 (parse_args):
26827 Add -d / --sdk option.
26828 (usage):
26829 Help message for -d / --sdk option.
26830
268312013-05-30 Julien Brianceau <jbrianceau@nds.com>
26832
26833 [sh4] Optimize NaN checks in LLINT for floating point comparisons.
26834 https://bugs.webkit.org/show_bug.cgi?id=117049
26835
26836 Reviewed by Oliver Hunt.
26837
26838 Use the fcmp/eq opcode in sh4 LLINT to test if a double is NaN.
26839 This is more efficient, doesn't require two tmp registers and requires
26840 less code than current implementation (which converts double to float,
26841 then checks 'E = Emax + 1' and 'f != 0').
26842
26843 * offlineasm/sh4.rb:
26844
268452013-05-30 Oliver Hunt <oliver@apple.com>
26846
26847 JSCallbackObject does not correctly initialise the PropertySlot for getOwnPropertyDescriptor
26848 https://bugs.webkit.org/show_bug.cgi?id=117053
26849
26850 Reviewed by Mark Hahnenberg.
26851
26852 Set appropriate thisValue on the PropertySlot
26853
26854 * API/JSCallbackObjectFunctions.h:
26855 (JSC::::getOwnPropertyDescriptor):
26856 * API/tests/testapi.mm:
26857
268582013-05-29 Jeffrey Pfau <jpfau@apple.com>
26859
26860 [Mac] Enable cache partitioning and the public suffix list on 10.8
26861 <rdar://problem/13679019>
26862
26863 Rubber-stamped by David Kilzer.
26864
26865 * Configurations/FeatureDefines.xcconfig:
26866
268672013-05-28 Brent Fulgham <bfulgham@apple.com>
26868
26869 [Windows] Put correct byteCompile symbol in file. Previous version
26870 had an extra 'i' appended to the end.
26871
26872 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
26873 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
26874
268752013-05-28 Brent Fulgham <bfulgham@apple.com>
26876
26877 [Windows] Unreviewed build fix. Remove ?byteCompile symbol that
26878 is no longer accessible during link.
26879
26880 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
26881 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
26882
268832013-05-28 Gavin Barraclough <barraclough@apple.com>
26884
26885 String(new Date(2010,10,1)) is wrong in KRAT, YAKT
26886 https://bugs.webkit.org/show_bug.cgi?id=106750
26887
26888 Reviewed by Darin Adler.
26889
26890 * runtime/JSDateMath.cpp:
26891 (JSC::msToGregorianDateTime):
26892 - Additional review comment fix.
26893
268942013-05-28 Brent Fulgham <bfulgham@apple.com>
26895
26896 [Windows] Unreviewed build fix after r150833
26897
26898 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
26899 A CR/LF combination was lost in the file, combining two symbols.
26900
269012013-05-27 Gavin Barraclough <barraclough@apple.com>
26902
26903 String(new Date(2010,10,1)) is wrong in KRAT, YAKT
26904 https://bugs.webkit.org/show_bug.cgi?id=106750
26905
26906 Reviewed by Darin Adler.
26907
26908 First part of a fix, simplfy date handling code, instead of operating separately
26909 on the UTC-standard and standard-DST offsets, just generate a combined UTC-local
26910 offset (this is what we actually need, and what the OS gives us).
26911
26912 * runtime/JSDateMath.cpp:
26913 (JSC::getLocalTimeOffset):
26914 - removed getUTCOffset, converted getDSTOffset -> getLocalTimeOffset
26915 (JSC::gregorianDateTimeToMS):
26916 (JSC::msToGregorianDateTime):
26917 (JSC::parseDateFromNullTerminatedCharacters):
26918 - call getLocalTimeOffset instead of getUTCOffset/getDSTOffset
26919 * runtime/JSGlobalData.cpp:
26920 (JSC::JSGlobalData::resetDateCache):
26921 - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache
26922 * runtime/JSGlobalData.h:
26923 (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache):
26924 (JSC::LocalTimeOffsetCache::reset):
26925 (LocalTimeOffsetCache):
26926 - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache
26927
269282013-05-28 Mark Hahnenberg <mhahnenberg@apple.com>
26929
26930 r150199 is very wrong
26931 https://bugs.webkit.org/show_bug.cgi?id=116876
26932
26933 JSValue needs to protect its internal JSValueRef.
26934
26935 Reviewed by Darin Adler.
26936
26937 * API/JSValue.mm:
26938 (-[JSValue initWithValue:inContext:]):
26939 (-[JSValue dealloc]):
26940 * API/tests/testapi.mm: Added a simple test to make sure that we protect the
26941 underlying JavaScript value across garbage collections.
26942
269432013-05-27 Patrick Gansterer <paroga@webkit.org>
26944
26945 Use ICU_INCLUDE_DIRS in BlackBerry CMake files
26946 https://bugs.webkit.org/show_bug.cgi?id=116210
26947
26948 Reviewed by Rob Buis.
26949
26950 Set and use the ICU_INCLUDE_DIRS variable to avoid
26951 duplicated adding of the ICU include directory.
26952
26953 * PlatformBlackBerry.cmake:
26954
269552013-05-27 Gabor Rapcsanyi <rgabor@webkit.org>
26956
26957 MacroAssemblerARM should use xor to swap registers instead of move
26958 https://bugs.webkit.org/show_bug.cgi?id=116306
26959
26960 Reviewed by Zoltan Herczeg.
26961
26962 Change register swapping to xor from move and this way we don't need
26963 temporary register anymore.
26964
26965 * assembler/MacroAssemblerARM.h:
26966 (JSC::MacroAssemblerARM::swap):
26967
269682013-05-25 Filip Pizlo <fpizlo@apple.com>
26969
26970 We broke (-2^31/-1)|0 in the DFG
26971 https://bugs.webkit.org/show_bug.cgi?id=116767
26972
26973 Reviewed by Andreas Kling.
26974
26975 The bug is that we were assuming that in the -2^31 case, we already had -2^31
26976 in the result register. This was a wrong assumption.
26977
26978 * dfg/DFGSpeculativeJIT.cpp:
26979 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
26980
269812013-05-24 Filip Pizlo <fpizlo@apple.com>
26982
26983 We broke !(0/0)
26984 https://bugs.webkit.org/show_bug.cgi?id=116736
26985
26986 Reviewed by Gavin Barraclough.
26987
26988 * parser/ASTBuilder.h:
26989 (JSC::ASTBuilder::createLogicalNot):
26990 * runtime/JSCJSValueInlines.h:
26991 (JSC::JSValue::pureToBoolean):
26992
2013-05-24 Julien Brianceau <jbrianceau@nds.com>

        [sh4] Optimize LLINT generated code and fix few bugs in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=116716

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::mul32): Cosmetic changes.
        (JSC::MacroAssemblerSH4::convertInt32ToDouble): Absolute address was not dereferenced.
        (JSC::MacroAssemblerSH4::branch32): Absolute address was not dereferenced.
        (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch): Use all 32 bits of pointer for revertJump call.
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::revertJump): Use changePCrelativeAddress to patch the whole pointer.
        (JSC::SH4Assembler::linkJump): Cosmetic change.
        * offlineasm/sh4.rb: Optimize LLINT generated code.

2013-05-23 Peter Wang <peter.wang@torchmobile.com.cn>

        CLoop llint backend should not use the d8 register as scratch register
        https://bugs.webkit.org/show_bug.cgi?id=116019

        Reviewed by Csaba Osztrogonác.

        * offlineasm/cloop.rb:

2013-05-22 Peter Wang <peter.wang@torchmobile.com.cn>

        Use uninitialized register in "JIT::emit_op_neq_null" and "emit_op_eq_null"
        https://bugs.webkit.org/show_bug.cgi?id=116593

        Reviewed by Filip Pizlo.

        Generated instructions used an uninitialized register. This was caused by a mistake in r126494.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):

2013-05-22 Filip Pizlo <fpizlo@apple.com>

        Fix indentation of CodeBlock.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CodeBlock.h:

2013-05-22 Julien Brianceau <jbrianceau@nds.com>

        [sh4] Remove MacroAssemblerSH4.cpp file.
        https://bugs.webkit.org/show_bug.cgi?id=116596.

        Reviewed by Geoffrey Garen.

        Move linkCall and repatchCall implementations from MacroAssemblerSH4.cpp
        to MacroAssemblerSH4.h and remove MacroAssemblerSH4.cpp, as is done
        for other architectures.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/MacroAssemblerSH4.cpp: Removed.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::linkCall):
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::repatchCall):

2013-05-21 Brent Fulgham <bfulgham@apple.com>

        [Windows] Unreviewed speculative fix for test-bots.

        Add export declaration for WTFInvokeCrashHook to avoid runtime
        load error on test bots.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-05-21 Mark Lam <mark.lam@apple.com>

        Added missing assert condition for PositiveOrZero in ARM branch32().
        https://bugs.webkit.org/show_bug.cgi?id=116538.

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchAdd32):

2013-05-20 Mark Hahnenberg <mhahnenberg@apple.com>

        Disable SuperRegion
        https://bugs.webkit.org/show_bug.cgi?id=116362

        Rubber stamped by Geoff Garen.

        * heap/Region.h:

2013-05-20 Oliver Hunt <oliver@apple.com>

        Make C API more robust against null contexts
        https://bugs.webkit.org/show_bug.cgi?id=116462

        Reviewed by Anders Carlsson.

        Handle null contexts in a non-crashy way. It's a bug to ever call the
        API with a null context, and the absence of a context means we can't
        produce a meaningful result, so we still assert in debug builds.

        Now where possible we detect and early return, returning null for any
        pointer type, NaN for doubles, and false for any boolean result.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSReportExtraMemoryCost):
        * API/JSContextRef.cpp:
        (JSContextGetGlobalObject):
        (JSContextGetGroup):
        (JSContextGetGlobalContext):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCopyPropertyNames):
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsUndefined):
        (JSValueIsNull):
        (JSValueIsBoolean):
        (JSValueIsNumber):
        (JSValueIsString):
        (JSValueIsObject):
        (JSValueIsObjectOfClass):
        (JSValueIsEqual):
        (JSValueIsStrictEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueMakeUndefined):
        (JSValueMakeNull):
        (JSValueMakeBoolean):
        (JSValueMakeNumber):
        (JSValueMakeString):
        (JSValueMakeFromJSONString):
        (JSValueCreateJSONString):
        (JSValueToBoolean):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        (JSValueProtect):
        * API/JSWeakObjectMapRefPrivate.cpp:

2013-05-20 David Kilzer <ddkilzer@apple.com>

        Synchronize FeatureDefines.xcconfig

        * Configurations/FeatureDefines.xcconfig: Remove
        ENABLE_LINK_PRERENDER. This was missed in r150356.

2013-05-19 Anders Carlsson <andersca@apple.com>

        Remove link prerendering code
        https://bugs.webkit.org/show_bug.cgi?id=116415

        Reviewed by Darin Adler.

        This code was only used by Chromium and is dead now.

        * Configurations/FeatureDefines.xcconfig:

2013-05-18 Patrick Gansterer <paroga@webkit.org>

        [CMake] Replace *_LIBRARY_NAME with *_OUTPUT_NAME
        https://bugs.webkit.org/show_bug.cgi?id=114554

        Reviewed by Gyuyoung Kim.

        Using variables as target names is very uncommon in CMake.
        The usual way to specify the name of the resulting binary
        is to set the OUTPUT_NAME target property.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2013-05-17 Patrick Gansterer <paroga@webkit.org>

        [CMake] Remove invalid include paths
        https://bugs.webkit.org/show_bug.cgi?id=116213

        Reviewed by Gyuyoung Kim.

        Since "${JAVASCRIPTCORE_DIR}/wtf" does not exist, it is safe
        to remove it from the list of include directories.

        * PlatformEfl.cmake: Removed.
        * PlatformGTK.cmake: Removed.

2013-05-16 Patrick Gansterer <paroga@webkit.org>

        Consolidate lists in JavaScriptCore CMake files
        https://bugs.webkit.org/show_bug.cgi?id=115992

        Reviewed by Gyuyoung Kim.

        Move common files into the CMakeLists.txt to avoid duplicating the list of files.
        Also rebase the recently added GTK files to match the other CMake ports, since
        the submitted patch was based on an older version of the source tree.

        * CMakeLists.txt:
        * PlatformEfl.cmake:
        * PlatformGTK.cmake:
        * shell/CMakeLists.txt:
        * shell/PlatformEfl.cmake:
        * shell/PlatformGTK.cmake:

2013-05-16 Geoffrey Garen <ggaren@apple.com>

        JSValue shouldn't protect/unprotect its context
        https://bugs.webkit.org/show_bug.cgi?id=116234

        Reviewed by Mark Hahnenberg.

        Our retain on _context is sufficient.

        * API/JSValue.mm:
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):

2013-05-15 Ryosuke Niwa <rniwa@webkit.org>

        Another Windows build fix attempt after r150160.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-05-15 Oliver Hunt <oliver@apple.com>

        RefCountedArray needs to use vector initialisers for its backing store
        https://bugs.webkit.org/show_bug.cgi?id=116194

        Reviewed by Gavin Barraclough.

        Use an out of line function to clear the exception stack to avoid
        needing to include otherwise unnecessary headers all over the place.

        Everything else is just being updated to use that.

        * bytecompiler/BytecodeGenerator.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::clearSupplementaryExceptionInfo):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::clearExceptionStack):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::exceptionStack):

2013-05-15 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r150051.
        http://trac.webkit.org/changeset/150051
        https://bugs.webkit.org/show_bug.cgi?id=116186

        Broke all JSC tests on Mac and the author is unresponsive
        (Requested by rniwa on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-05-15 Julien Brianceau <jbrianceau@nds.com>

        Remove savedTimeoutReg from JITStackFrame for sh4 base JIT.
        https://bugs.webkit.org/show_bug.cgi?id=116143

        Reviewed by Geoffrey Garen.

        Since r148119, timeoutCheckRegister is removed from baseline JIT.
        So we don't need to save the r8 register in JITStackFrame anymore for sh4.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        (JITStackFrame):

2013-05-15 Nico Weber <thakis@chromium.org>

        WebKit doesn't support MSVS2003 any more, remove preprocessor checks for older versions.
        https://bugs.webkit.org/show_bug.cgi?id=116157

        Reviewed by Anders Carlsson.

        Also remove a gcc3.2 workaround.

        Merges parts of these two commits by the talented Nico Weber:
        https://chromium.googlesource.com/chromium/blink/+/3677e2f47348daeff405a40b6f90fbdf0654c2f5
        https://chromium.googlesource.com/chromium/blink/+/0fcd96c448dc30be1416dcc15713c53710c1a312

        * os-win32/inttypes.h:

2013-05-13 Alvaro Lopez Ortega <alvaro@alobbs.com>

        Nightly build's jsc doesn't work without DYLD_FRAMEWORK...
        https://bugs.webkit.org/show_bug.cgi?id=79065

        Reviewed by Darin Adler.

        Fixes the build process so the dependencies of the jsc binary are
        modified before it is copied to its target directory. In this way
        jsc should always use relative references to the JavaScriptCore
        libraries.

        * JavaScriptCore.xcodeproj/project.pbxproj: Fixes the commands in
        the "Copy Into Framework" target.

2013-05-13 Mark Hahnenberg <mhahnenberg@apple.com>

        Objective-C API: scanExternalObjectGraph should not create new JSVirtualMachine wrappers
        https://bugs.webkit.org/show_bug.cgi?id=116074

        If scanExternalObjectGraph creates a new JSVirtualMachine wrapper during collection, when the
        scanExternalObjectGraph call finishes and the autorelease pool is drained we will dealloc the
        JSVirtualMachine, which will cause us to try to take the API lock for the corresponding JSGlobalData.
        If this happens on a GC thread other than the "main" thread, we will deadlock. The solution
        is to just check the JSGlobalData cache, and if there is no JSVirtualMachine wrapper, return early.

        Reviewed by Darin Adler.

        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):

2013-05-13 Benjamin Poulain <benjamin@webkit.org>

        Improve stringProtoFuncLastIndexOf for the prefix case
        https://bugs.webkit.org/show_bug.cgi?id=115952

        Reviewed by Geoffrey Garen.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLastIndexOf):
        Use the optimized string search when possible.

        On Joseph Pecoraro's tests, this gives a ~30% speed improvement.

2013-05-13 Zalan Bujtas <zalan@apple.com>

        WebProcess consuming very high CPU on linkedin.com
        https://bugs.webkit.org/show_bug.cgi?id=115601

        Reviewed by Andreas Kling.

        Disable WEB_TIMING_MINIMAL.
        Turn off window.performance and performance.now(). Some JS frameworks expect
        additional Web Timing APIs when performance.now() is available.

        * Configurations/FeatureDefines.xcconfig:

2013-05-12 Anders Carlsson <andersca@apple.com>

        Stop including UnusedParam.h
        https://bugs.webkit.org/show_bug.cgi?id=116003

        Reviewed by Sam Weinig.

        UnusedParam.h is empty now so there's no need to include it anymore.

        * API/APICast.h:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecode/CodeBlock.cpp:
        * heap/HandleStack.h:
        * interpreter/JSStackInlines.h:
        * jit/CompactJITCodeMap.h:
        * jit/ExecutableAllocator.h:
        * parser/SourceProvider.h:
        * runtime/DatePrototype.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSVariableObject.h:
        * runtime/Options.cpp:
        * runtime/PropertyOffset.h:

2013-05-11 Martin Robinson <mrobinson@igalia.com>

        [GTK] Add a basic cmake build for WTF and JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=115967

        Reviewed by Laszlo Gombos.

        * PlatformGTK.cmake: Added.
        * shell/PlatformGTK.cmake: Added.

2013-05-10 Laszlo Gombos <l.gombos@samsung.com>

        Remove USE(OS_RANDOMNESS)
        https://bugs.webkit.org/show_bug.cgi?id=108095

        Reviewed by Darin Adler.

        Remove the USE(OS_RANDOMNESS) guard as it is turned on for all
        ports.

        * jit/JIT.cpp:
        (JSC::JIT::JIT):

2013-05-10 Mark Hahnenberg <mhahnenberg@apple.com>

        Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase
        https://bugs.webkit.org/show_bug.cgi?id=115938

        We're going to add some more types of check hoisting soon, so let's have the right name here.

        Rubber stamped by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp: Removed.
        * dfg/DFGStructureCheckHoistingPhase.h: Removed.
        * dfg/DFGTypeCheckHoistingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp.
        (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase):
        (JSC::DFG::performTypeCheckHoisting):
        * dfg/DFGTypeCheckHoistingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.h.

2013-05-09 Christophe Dumez <ch.dumez@sisa.samsung.com>

        Unreviewed build fix after r149836.

        It broke at least EFL and GTK builds. Move the initialization of the new static
        members outside the class. Those need to have a definition outside the class because
        their address is used (e.g. CodeCacheMap::nonGlobalWorkingSetMaxEntries).

        * runtime/CodeCache.cpp:
        (JSC):
        * runtime/CodeCache.h:
        (CodeCacheMap):

2013-05-08 Oliver Hunt <oliver@apple.com>

        Code cache stores bogus var references for functions in eval code
        https://bugs.webkit.org/show_bug.cgi?id=115747

        Reviewed by Mark Hahnenberg.

        Non-global eval now uses a per-CodeBlock cache, and only uses it
        when we're at the top of a function's scope. This means that we
        will no longer cache the parsing of a single string across
        multiple functions, and we won't cache when we're nested inside
        constructs like |with| and |catch| where previously we would, which
        is good because caching in those cases is unsound.

        * bytecode/EvalCodeCache.h:
        (JSC):
        (JSC::EvalCodeCache::getSlow):
        (JSC::EvalCodeCache::get):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeCacheForEval):
        (UnlinkedCodeBlock):
        (RareData):
        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::CodeCache):
        (JSC::CodeCache::generateBytecode):
        (JSC):
        (JSC::CodeCache::getCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::CodeCacheMap):
        (CodeCacheMap):
        (JSC::CodeCacheMap::canPruneQuickly):
        (JSC::CodeCacheMap::prune):
        (JSC::CodeCache::create):
        (CodeCache):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::EvalExecutable::compileInternal):
        * runtime/Executable.h:
        (JSC::EvalExecutable::create):
        (EvalExecutable):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):

2013-05-08 Mark Hahnenberg <mhahnenberg@apple.com>

        DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes
        https://bugs.webkit.org/show_bug.cgi?id=115805

        Reviewed by Geoffrey Garen.

        It checks the observed ArrayModes to see if we have seen any ArrayWith* first. If so, it assumes it's
        an Array::Array, even if we've also observed any NonArrayWith* in the ArrayProfile. This leads to the
        code generated by jumpSlowForUnwantedArrayMode to check the indexing type against (shape | IsArray)
        instead of just shape, which can cause us to exit a lot in the case that we saw a NonArray.

        To fix this we need to add a case that checks for both ArrayWith* and NonArrayWith* cases first, which
        should then use Array::PossiblyArray, then do the checks we were already doing.

        * bytecode/ArrayProfile.h:
        (JSC::hasSeenArray):
        (JSC::hasSeenNonArray):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):

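The entry above describes a speculation decision: a bitmask of observed indexing types is turned into a guard, and a guard that is too narrow for what the profile actually saw exits repeatedly. The block below is an added example, not JavaScriptCore code: it models the liberal classification next to the fixed one, emits the corresponding guard, and counts how many objects in a constructed stream would fail it. The bit values, the IndexingType layout and the function names are assumptions made for this example; JSC's real ArrayModes is also a one-bit-per-indexing-type mask, but with different values.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not JavaScriptCore code: a model of the ArrayProfile ->
// ArrayMode decision described above, with the liberal and the fixed
// classification side by side. The bit values and the IndexingType layout
// below are assumptions made for this example.

enum ArrayModes : unsigned {
    NonArray               = 1u << 0,
    NonArrayWithInt32      = 1u << 1,
    NonArrayWithDouble     = 1u << 2,
    NonArrayWithContiguous = 1u << 3,
    ArrayClass             = 1u << 4,
    ArrayWithInt32         = 1u << 5,
    ArrayWithDouble        = 1u << 6,
    ArrayWithContiguous    = 1u << 7,
};
constexpr unsigned ALL_ARRAY_WITH = ArrayWithInt32 | ArrayWithDouble | ArrayWithContiguous;
constexpr unsigned ALL_NON_ARRAY  = NonArray | NonArrayWithInt32 | NonArrayWithDouble | NonArrayWithContiguous;

// Assumed IndexingType layout: bit 0 = "is a JSArray", bits 1-3 = storage shape.
constexpr uint8_t IsArray = 0x01, ShapeMask = 0x0E, Int32Shape = 0x04, DoubleShape = 0x06;

enum class ArrayClassKind { Array, NonArray, PossiblyArray, Unknown };

bool hasSeenArray(unsigned modes)    { return (modes & ALL_ARRAY_WITH) != 0; }
bool hasSeenNonArray(unsigned modes) { return (modes & ALL_NON_ARRAY) != 0; }

// Before the fix: any ArrayWith* observation wins, even when NonArrayWith*
// was observed too, so the emitted guard checks IsArray|shape and exits on
// every non-array object that reaches it.
ArrayClassKind classifyLiberal(unsigned modes) {
    if (hasSeenArray(modes))
        return ArrayClassKind::Array;
    if (hasSeenNonArray(modes))
        return ArrayClassKind::NonArray;
    return ArrayClassKind::Unknown;
}

// After the fix: the mixed case is tested first and becomes PossiblyArray,
// whose guard only compares the shape bits.
ArrayClassKind classifyFixed(unsigned modes) {
    bool array = hasSeenArray(modes);
    bool nonArray = hasSeenNonArray(modes);
    if (array && nonArray)
        return ArrayClassKind::PossiblyArray;
    if (array)
        return ArrayClassKind::Array;
    if (nonArray)
        return ArrayClassKind::NonArray;
    return ArrayClassKind::Unknown;
}

// The check a jumpSlowForUnwantedArrayMode-style guard performs for each class.
bool guardPasses(ArrayClassKind kind, uint8_t shape, uint8_t indexingType) {
    switch (kind) {
    case ArrayClassKind::Array:
        return (indexingType & (IsArray | ShapeMask)) == (IsArray | shape);
    case ArrayClassKind::NonArray:
        return (indexingType & (IsArray | ShapeMask)) == shape;
    case ArrayClassKind::PossiblyArray:
        return (indexingType & ShapeMask) == shape;
    case ArrayClassKind::Unknown:
        return false;
    }
    return false;
}

// Number of OSR exits a speculation would take over a stream of objects.
unsigned countExits(ArrayClassKind kind, uint8_t shape, const std::vector<uint8_t>& objects) {
    unsigned exits = 0;
    for (uint8_t type : objects)
        if (!guardPasses(kind, shape, type))
            ++exits;
    return exits;
}

int main() {
    // Constructed profile: the site saw both int32 arrays and int32 non-arrays.
    unsigned observed = ArrayWithInt32 | NonArrayWithInt32;
    std::vector<uint8_t> objects = { IsArray | Int32Shape, Int32Shape, IsArray | Int32Shape, Int32Shape };
    std::printf("liberal exits: %u\n", countExits(classifyLiberal(observed), Int32Shape, objects));
    std::printf("fixed exits:   %u\n", countExits(classifyFixed(observed), Int32Shape, objects));
    return 0;
}
```

The general rule the example illustrates: a speculation must be at least as wide as everything the profile recorded, otherwise the guard is wrong for inputs the compiler already knew about and the exit is not a rare event but the common path.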
2013-05-09 Joe Mason <jmason@blackberry.com>

        [BlackBerry] Set up logging buffer on start of jsc executable
        https://bugs.webkit.org/show_bug.cgi?id=114688

        Reviewed by Rob Buis.

        Internal PR: 322715
        Internally Reviewed By: Jeff Rogers

        * jsc.cpp:
        (main): call BB::Platform::setupApplicationLogging

2013-05-08 Michael Saboff <msaboff@apple.com>

        JSC: There should be a disassembler for ARM Thumb 2
        https://bugs.webkit.org/show_bug.cgi?id=115827

        Reviewed by Filip Pizlo.

        Added a new disassembler for ARMv7 Thumb2 instructions for use by the JSC debugging
        and profiling code. The opcode coverage is currently not complete. It covers all
        of the integer instructions JSC currently emits, but only a limited number of
        floating point opcodes. Currently that is just the 64 bit vmov and vmsr instructions.

        The disassembler is structured as a base opcode class ARMv7DOpcode with sub-classes
        for each instruction group. There is a public format method that does the bulk of
        the disassembly work. There are two broad sub-classes, ARMv7D16BitOpcode and
        ARMv7D32BitOpcode, for the 16 bit and 32 bit opcodes. There are sub-classes under
        those two classes for individual and related groups of opcodes. Instructions are
        "dispatched" to the right subclass via two arrays of linked lists in the inner classes
        OpcodeGroup. There is one such inner class for each of ARMv7D16BitOpcode and ARMv7D32BitOpcode.
        Each OpcodeGroup has a mask and a pattern that it applies to the instruction to determine
        that it matches a particular group. OpcodeGroup uses a static method to reinterpret_cast
        the Opcode object to the right base class for the instruction group for formatting.
        The cast eliminates the need to allocate an object for each decoded instruction.
        Unknown instructions are formatted as ".word 1234" or ".long 12345678" depending on whether
        the instruction is 16 or 32 bit.

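The mask/pattern dispatch described above is the core of any table-driven disassembler. The block below is an added example, not the JSC disassembler and not code from this entry: it implements the same idea (decide 16- versus 32-bit from the first halfword, walk a list of mask/pattern groups, fall back to `.word`/`.long` for anything unrecognised) for a handful of real Thumb/Thumb-2 encodings. The struct and function names are hypothetical; the bit patterns are the ARMv7 T1 encodings of BX, BLX, PUSH, POP, MOV (register), NOP and BL.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not the JSC disassembler: mask/pattern group dispatch
// for a few real Thumb/Thumb-2 encodings. Names are hypothetical; the bit
// layouts follow the ARMv7 Architecture Reference Manual.

static const char* regName(unsigned r) {
    static const char* const names[16] = { "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
                                           "r8", "r9", "r10", "r11", "r12", "sp", "lr", "pc" };
    return names[r & 15];
}

// Thumb rule: a halfword whose top five bits are 0b11101, 0b11110 or
// 0b11111 is the first half of a 32-bit instruction; everything else is 16-bit.
bool is32BitInstruction(uint16_t hw1) { return (hw1 >> 11) >= 0x1D; }

static std::string regList(unsigned mask, const char* extra) {
    std::string s = "{";
    for (unsigned i = 0; i < 8; ++i)
        if (mask & (1u << i)) { if (s.size() > 1) s += ", "; s += regName(i); }
    if (extra) { if (s.size() > 1) s += ", "; s += extra; }
    return s + "}";
}

static std::string dataDirective(const char* directive, uint32_t v, int digits) {
    char buf[32];
    std::snprintf(buf, sizeof buf, "%s 0x%0*x", directive, digits, static_cast<unsigned>(v));
    return buf;
}

struct OpcodeGroup {
    uint16_t mask, pattern;           // group matches when (op & mask) == pattern
    std::string (*format)(uint16_t);  // formatter for that group
    bool matches(uint16_t op) const { return (op & mask) == pattern; }
};

// 16-bit groups. Order matters only where masks overlap; here they do not.
static const OpcodeGroup groups16[] = {
    { 0xFF87, 0x4700, [](uint16_t op) { return "bx " + std::string(regName((op >> 3) & 15)); } },
    { 0xFF87, 0x4780, [](uint16_t op) { return "blx " + std::string(regName((op >> 3) & 15)); } },
    { 0xFE00, 0xB400, [](uint16_t op) { return "push " + regList(op & 0xFF, (op & 0x100) ? "lr" : nullptr); } },
    { 0xFE00, 0xBC00, [](uint16_t op) { return "pop " + regList(op & 0xFF, (op & 0x100) ? "pc" : nullptr); } },
    { 0xFF00, 0x4600, [](uint16_t op) {                      // MOV (register) T1: Rd = D:Rd[2:0]
          unsigned rd = ((op >> 4) & 8) | (op & 7);
          return "mov " + std::string(regName(rd)) + ", " + regName((op >> 3) & 15); } },
    { 0xFFFF, 0xBF00, [](uint16_t) { return std::string("nop"); } },
};

// Decode one instruction at hw[0]; `consumed` receives the number of
// halfwords used. Unknown encodings become .word/.long so the stream stays
// aligned, as the JSC disassembler does.
std::string disassembleOne(const uint16_t* hw, size_t count, size_t& consumed) {
    uint16_t hw1 = hw[0];
    consumed = 1;
    if (!is32BitInstruction(hw1) || count < 2) {
        if (!is32BitInstruction(hw1))
            for (const OpcodeGroup& g : groups16)
                if (g.matches(hw1))
                    return g.format(hw1);
        return dataDirective(".word", hw1, 4); // unknown 16-bit, or a 32-bit first half cut off by the buffer end
    }
    uint16_t hw2 = hw[1];
    consumed = 2;
    // BL T1: hw1 = 11110 S imm10, hw2 = 11 J1 1 J2 imm11,
    // imm32 = SignExtend(S:I1:I2:imm10:imm11:0) with I1 = !(J1 ^ S), I2 = !(J2 ^ S).
    if ((hw1 & 0xF800) == 0xF000 && (hw2 & 0xD000) == 0xD000) {
        uint32_t s = (hw1 >> 10) & 1, imm10 = hw1 & 0x3FF;
        uint32_t j1 = (hw2 >> 13) & 1, j2 = (hw2 >> 11) & 1, imm11 = hw2 & 0x7FF;
        uint32_t i1 = !(j1 ^ s), i2 = !(j2 ^ s);
        uint32_t raw = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1);
        int32_t offset = static_cast<int32_t>(raw << 7) >> 7; // sign-extend the 25-bit value
        char buf[32];
        std::snprintf(buf, sizeof buf, "bl #%d", offset);
        return buf;
    }
    return dataDirective(".long", (static_cast<uint32_t>(hw1) << 16) | hw2, 8);
}

std::vector<std::string> disassemble(const std::vector<uint16_t>& code) {
    std::vector<std::string> out;
    for (size_t i = 0; i < code.size();) {
        size_t used = 0;
        out.push_back(disassembleOne(&code[i], code.size() - i, used));
        i += used;
    }
    return out;
}

int main() {
    // Constructed sample stream: push {r4, lr}; mov r0, r1; bl #4; an undecoded halfword; pop {r4, pc}
    const std::vector<uint16_t> code = { 0xB510, 0x4608, 0xF000, 0xF802, 0xDEAD, 0xBD10 };
    for (const std::string& line : disassemble(code))
        std::printf("%s\n", line.c_str());
    return 0;
}
```

The length decision is made before any group is consulted, and a 32-bit first half at the end of the buffer is emitted as `.word` rather than read past the end; those two checks are what keep a disassembler from desynchronising or over-reading on JIT output that was truncated or patched.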
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/ARMv7: Added.
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Added.
        (ARMv7Disassembler):
        (OpcodeGroupInitializer):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::init):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::startITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::saveITConditionAt):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::fetchOpcode):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::disassemble):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::bufferPrintf):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendFPRegisterName):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::init):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::doDisassemble):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::defaultFormat):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::format):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::init):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::doDisassemble):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::defaultFormat):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::appendModifiedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::appendImmShift):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::appendFPRegister):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h: Added.
        (ARMv7Disassembler):
        (ARMv7DOpcode):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::ARMv7DOpcode):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::is32BitInstruction):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::isFPInstruction):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::conditionName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::shiftName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::inITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::startingITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::endITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionNameNoITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSeparator):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendCharacter):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendString):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftType):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSignedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendUnsignedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendPCRelativeOffset):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftAmount):
        (ARMv7D16BitOpcode):
        (OpcodeGroup):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::OpcodeGroup):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::setNext):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::next):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::matches):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::format):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rm):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rd):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::opcodeGroupNumber):
        (ARMv7DOpcodeAddRegisterT2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rdn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rm):
        (ARMv7DOpcodeAddSPPlusImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::rd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::immediate8):
        (ARMv7DOpcodeAddSubtract):
        (ARMv7DOpcodeAddSubtractT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rn):
        (ARMv7DOpcodeAddSubtractImmediate3):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::rn):
        (ARMv7DOpcodeAddSubtractImmediate8):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::rdn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::immediate8):
        (ARMv7DOpcodeBranchConditionalT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::offset):
        (ARMv7DOpcodeBranchExchangeT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::rm):
        (ARMv7DOpcodeBranchT2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::immediate11):
        (ARMv7DOpcodeCompareImmediateT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::immediate8):
        (ARMv7DOpcodeCompareRegisterT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::rn):
        (ARMv7DOpcodeCompareRegisterT2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rm):
        (ARMv7DOpcodeDataProcessingRegisterT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rdn):
        (ARMv7DOpcodeGeneratePCRelativeAddress):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::rd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::immediate8):
        (ARMv7DOpcodeLoadFromLiteralPool):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::immediate8):
        (ARMv7DOpcodeLoadStoreRegisterImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::immediate5):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale):
        (ARMv7DOpcodeLoadStoreRegisterImmediateWordAndByte):
        (ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord):
        (ARMv7DOpcodeLoadStoreRegisterOffsetT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opB):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rt):
        (ARMv7DOpcodeLoadStoreRegisterSPRelative):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::op):
        (JSC::AR
(JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::immediate8):
        (ARMv7DOpcodeLogicalImmediateT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::immediate5):
        (ARMv7DOpcodeMiscAddSubSP):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::immediate7):
        (ARMv7DOpcodeMiscByteHalfwordOps):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::op):
        (ARMv7DOpcodeMiscBreakpointT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::immediate8):
        (ARMv7DOpcodeMiscCompareAndBranch):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::immediate6):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::rn):
        (ARMv7DOpcodeMiscHint16):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opA):
        (ARMv7DOpcodeMiscIfThenT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::firstCondition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::mask):
        (ARMv7DOpcodeMiscPushPop):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
        (ARMv7DOpcodeMoveImmediateT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::rd):
27769 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::immediate8):
27770 (ARMv7DOpcodeMoveRegisterT1):
27771 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rd):
27772 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rm):
27773 (ARMv7D32BitOpcode):
27774 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::OpcodeGroup):
27775 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::setNext):
27776 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::next):
27777 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::matches):
27778 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::format):
27779 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rd):
27780 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rm):
27781 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rn):
27782 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rt):
27783 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::opcodeGroupNumber):
27784 (ARMv7DOpcodeBranchRelative):
27785 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::sBit):
27786 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j1):
27787 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j2):
27788 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::immediate11):
27789 (ARMv7DOpcodeConditionalBranchT3):
27790 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::offset):
27791 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::condition):
27792 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::immediate6):
27793 (ARMv7DOpcodeBranchOrBranchLink):
27794 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::offset):
27795 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::immediate10):
27796 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::isBL):
27797 (ARMv7DOpcodeDataProcessingLogicalAndRithmetic):
27798 (ARMv7DOpcodeDataProcessingModifiedImmediate):
27799 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::opName):
27800 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::op):
27801 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::sBit):
27802 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::immediate12):
27803 (ARMv7DOpcodeDataProcessingShiftedReg):
27804 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::opName):
27805 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::sBit):
27806 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::op):
27807 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::immediate5):
27808 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::type):
27809 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tbBit):
27810 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tBit):
27811 (ARMv7DOpcodeDataProcessingReg):
27812 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op1):
27813 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op2):
27814 (ARMv7DOpcodeDataProcessingRegShift):
27815 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::opName):
27816 (ARMv7DOpcodeDataProcessingRegExtend):
27817 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendName):
27818 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendAndAddName):
27819 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::rotate):
27820 (ARMv7DOpcodeDataProcessingRegParallel):
27821 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::opName):
27822 (ARMv7DOpcodeDataProcessingRegMisc):
27823 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::opName):
27824 (ARMv7DOpcodeHint32):
27825 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::opName):
27826 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::isDebugHint):
27827 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::debugOption):
27828 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::op):
27829 (ARMv7DOpcodeFPTransfer):
27830 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opH):
27831 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opL):
27832 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::rt):
27833 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opC):
27834 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opB):
27835 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vd):
27836 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vn):
27837 (ARMv7DOpcodeDataLoad):
27838 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::opName):
27839 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::op):
27840 (ARMv7DOpcodeLoadRegister):
27841 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::immediate2):
27842 (ARMv7DOpcodeLoadSignedImmediate):
27843 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::pBit):
27844 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::uBit):
27845 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::wBit):
27846 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::immediate8):
27847 (ARMv7DOpcodeLoadUnsignedImmediate):
27848 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::immediate12):
27849 (ARMv7DOpcodeLongMultipleDivide):
27850 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::opName):
27851 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlalOpName):
27852 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlaldOpName):
27853 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlsldOpName):
27854 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdLo):
27855 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdHi):
27856 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op1):
27857 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op2):
27858 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::nBit):
27859 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::mBit):
27860 (ARMv7DOpcodeDataPushPopSingle):
27861 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::opName):
27862 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::op):
27863 (ARMv7DOpcodeDataStoreSingle):
27864 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::opName):
27865 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::op):
27866 (ARMv7DOpcodeStoreSingleImmediate12):
27867 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::immediate12):
27868 (ARMv7DOpcodeStoreSingleImmediate8):
27869 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::pBit):
27870 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::uBit):
27871 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::wBit):
27872 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::immediate8):
27873 (ARMv7DOpcodeStoreSingleRegister):
27874 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::immediate2):
27875 (ARMv7DOpcodeUnmodifiedImmediate):
27876 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::opName):
27877 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::op):
27878 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::shBit):
27879 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::bitNumOrSatImmediate):
27880 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate5):
27881 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate12):
27882 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate16):
27883 (ARMv7DOpcodeVMOVDoublePrecision):
27884 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::op):
27885 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt2):
27886 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
27887 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::globalData):
27888 (ARMv7DOpcodeVMOVSinglePrecision):
27889 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::op):
27890 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt2):
27891 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
27892 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::globalData):
27893 (ARMv7DOpcodeVMSR):
27894 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::opL):
27895 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::rt):
27896 * disassembler/ARMv7Disassembler.cpp: Added.
27897 (JSC::tryToDisassemble):
27898
278992013-05-07 Julien Brianceau <jbrianceau@nds.com>
27900
27901 Take advantage of pre-decrement and post-increment opcodes for sh4 base JIT.
27902 https://bugs.webkit.org/show_bug.cgi?id=115722
27903
27904 Reviewed by Oliver Hunt.
27905
27906 * assembler/MacroAssemblerSH4.h:
27907 (JSC::MacroAssemblerSH4::load8PostInc):
27908 (MacroAssemblerSH4):
27909 (JSC::MacroAssemblerSH4::load16Unaligned):
27910 (JSC::MacroAssemblerSH4::load16PostInc):
27911 (JSC::MacroAssemblerSH4::storeDouble):
27912 (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords):
27913 * assembler/SH4Assembler.h:
27914 (JSC::SH4Assembler::movwMemRegIn):
27915 (SH4Assembler):
27916 (JSC::SH4Assembler::movbMemRegIn):
27917 (JSC::SH4Assembler::printInstr):
27918
279192013-05-07 Anders Carlsson <andersca@apple.com>
27920
27921 Remove AlwaysInline.h from WTF
27922 https://bugs.webkit.org/show_bug.cgi?id=115727
27923
27924 Reviewed by Brent Fulgham.
27925
27926 The macro that used to be in AlwaysInline.h is now in Compiler.h so there's no reason
27927 to keep AlwaysInline.h around anymore.
27928
27929 * jit/JSInterfaceJIT.h:
27930 * parser/Lexer.h:
27931 * runtime/JSCJSValue.h:
27932 * runtime/SymbolTable.h:
27933
279342013-05-07 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
27935
27936 HashTraits<RefPtr<P> >::PeekType should be raw pointer for better performance
27937 https://bugs.webkit.org/show_bug.cgi?id=115646
27938
27939 Reviewed by Darin Adler.
27940
27941 * bytecompiler/StaticPropertyAnalyzer.h:
27942 (JSC::StaticPropertyAnalyzer::putById):
27943 Updated accordingly to new HashMap<.., RefPtr>::get() semantics.
27944
279452013-05-06 Julien Brianceau <jbrianceau@nds.com>
27946
27947 Misc bugfix and cleaning in sh4 base JIT.
27948 https://bugs.webkit.org/show_bug.cgi?id=115627
27949
27950 Reviewed by Oliver Hunt.
27951
27952 Get rid of loadX(RegisterID r0, RegisterID src, RegisterID dest) functions.
27953 Remove misplaced extuw() implementation from MacroAssemblerSH4.
27954 Add movbRegMemr0 and movwRegMemr0 functions in SH4Assembler.
27955
27956 * assembler/MacroAssemblerSH4.h:
27957 (JSC::MacroAssemblerSH4::add32): Skip operation when first operand is a zero immediate.
27958 (JSC::MacroAssemblerSH4::sub32): Skip operation when first operand is a zero immediate.
27959 (JSC::MacroAssemblerSH4::load32): Fix wrong usage of r0 register.
27960 (JSC::MacroAssemblerSH4::load8Signed): Handle "base == r0" case.
27961 (MacroAssemblerSH4):
27962 (JSC::MacroAssemblerSH4::load16): Handle "base == r0" case.
27963 (JSC::MacroAssemblerSH4::load16Unaligned): Use extuw() implementation from SH4Assembler.
27964 (JSC::MacroAssemblerSH4::load16Signed): Cosmetic change.
27965 (JSC::MacroAssemblerSH4::store8): Fix unhandled BaseIndex offset and handle (base == r0) case.
27966 (JSC::MacroAssemblerSH4::store16): Fix unhandled BaseIndex offset and handle (base == r0) case.
27967 (JSC::MacroAssemblerSH4::store32):
27968 * assembler/SH4Assembler.h:
27969 (JSC::SH4Assembler::movwRegMemr0):
27970 (SH4Assembler):
27971 (JSC::SH4Assembler::movbRegMemr0):
27972 (JSC::SH4Assembler::placeConstantPoolBarrier): Cosmetic change.
27973 (JSC::SH4Assembler::maxJumpReplacementSize):
27974 (JSC::SH4Assembler::replaceWithJump): Correct branch range and save an opcode.
27975 (JSC::SH4Assembler::printInstr):
27976
279772013-05-06 Anders Carlsson <andersca@apple.com>
27978
27979 Stop using WTF::deleteAllValues in JavaScriptCore
27980 https://bugs.webkit.org/show_bug.cgi?id=115670
27981
27982 Reviewed by Oliver Hunt.
27983
27984 Change the Vectors used to Vectors of OwnPtrs instead.
27985
27986 * heap/DFGCodeBlocks.cpp:
27987 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
27988 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
27989
279902013-05-06 Andras Becsi <andras.becsi@digia.com>
27991
27992 Build with GCC 4.8 fails because of -Wmaybe-uninitialized
27993 https://bugs.webkit.org/show_bug.cgi?id=115648
27994
27995 Reviewed by Michael Saboff.
27996
27997 Initialize values in Options::setOption since from
27998 there we end up calling OptionRange::init with
27999 uninitialized members.
28000
28001 * runtime/Options.cpp:
28002
280032013-05-06 Gabor Rapcsanyi <rgabor@webkit.org>
28004
28005 JSC ARM traditional failing on Octane NavierStokes test
28006 https://bugs.webkit.org/show_bug.cgi?id=115626
28007
28008 Reviewed by Zoltan Herczeg.
28009
28010 Change the ARM traditional assembler to use double precision on value
28011 conversions.
28012
28013 * assembler/ARMAssembler.h:
28014
280152013-05-03 Michael Saboff <msaboff@apple.com>
28016
28017 There should be a runtime option to constrain what functions get DFG compiled
28018 https://bugs.webkit.org/show_bug.cgi?id=115576
28019
28020 Reviewed by Mark Hahnenberg.
28021
28022 Added OptionRange to Options to allow checking that something is within an option
28023 or not. The new OptionClass supports range strings in the form of [!]<low>[:<high>].
28024 If only one value is given, then it will be used for both low and high. A leading
28025 '!' inverts the check. If no range is given, then checking for a value within a range
28026 will always return true. Added the option "bytecodeRangeToDFGCompile" that takes an
28027 OptionRange string to select the bytecode range of code blocks to DFG compile.
28028
28029 * dfg/DFGDriver.cpp:
28030 (JSC::DFG::compile): Added new check for bytecode count within bytecodeRangeToDFGCompile
28031 range.
28032 * runtime/Options.cpp:
28033 (JSC::parse): Added overloaded parse() for OptionRange.
28034 (JSC::OptionRange::init): Parse range string and then initialize the range.
28035 (JSC::OptionRange::isInRange): Function used by consumer to check if a value is within
28036 the specified range.
28037 (JSC::Options::dumpOption): Added code to dump OptionRange options.
28038 * runtime/Options.h:
28039 (OptionRange): New class.
28040 (JSC::OptionRange::operator= ): This is really used as a default ctor for use within
28041 the Option static array initialization.
28042 (JSC::OptionRange::rangeString): This is used for debug. It assumes that the char*
28043 passed into OptionRange::init is valid when this function is called.
28044
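The `[!]<low>[:<high>]` range syntax described in the entry above, carried through as an added example. This is not JavaScriptCore's own `runtime/Options.cpp`; the class name `RangeOption`, the `State` enum and the helpers `rangeContains` / `rangeSpecIsValid` are assumptions made for this illustration. It follows the semantics the entry states (single value means low == high, leading `!` inverts, no range means everything is in range) and, beyond what the entry describes, it rejects malformed strings (non-digit characters, an empty bound, overflow, low > high) and reports that through `init()`'s return value, so an option string taken from the command line cannot silently turn the filter into "compile nothing" or "compile everything".

```cpp
#include <cerrno>
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>

// Added illustration of the "[!]<low>[:<high>]" option syntax. Not JSC code;
// names are assumptions for this example.
class RangeOption {
public:
    enum class State { Uninitialized, InitError, Normal, Inverted };

    // Parses the range string. Returns false and records InitError on
    // malformed input so the caller can reject the option instead of
    // continuing with an undefined range.
    bool init(const char* rangeString)
    {
        // No range given: every value counts as in range.
        if (!rangeString || !*rangeString) {
            m_state = State::Normal;
            m_low = 0;
            m_high = UINT_MAX;
            return true;
        }

        std::string text(rangeString);
        State state = State::Normal;
        if (text[0] == '!') {
            state = State::Inverted;   // leading '!' inverts the check
            text.erase(0, 1);
        }

        std::string::size_type colon = text.find(':');
        std::string lowText = text.substr(0, colon);
        // A single value is used for both low and high.
        std::string highText = (colon == std::string::npos) ? lowText : text.substr(colon + 1);

        unsigned low = 0, high = 0;
        if (!parseUnsigned(lowText, low) || !parseUnsigned(highText, high) || low > high) {
            m_state = State::InitError;
            return false;
        }
        m_state = state;
        m_low = low;
        m_high = high;
        return true;
    }

    bool isInRange(unsigned value) const
    {
        switch (m_state) {
        case State::Normal:
            return value >= m_low && value <= m_high;
        case State::Inverted:
            return value < m_low || value > m_high;
        case State::Uninitialized:
        case State::InitError:
            // No usable range: treat as unconstrained. A malformed string has
            // already been reported through init()'s return value.
            return true;
        }
        return true;
    }

    State state() const { return m_state; }
    unsigned low() const { return m_low; }
    unsigned high() const { return m_high; }

private:
    // Accepts only a non-empty run of decimal digits that fits in unsigned.
    static bool parseUnsigned(const std::string& text, unsigned& out)
    {
        if (text.empty())
            return false;
        for (char c : text) {
            if (c < '0' || c > '9')
                return false;
        }
        errno = 0;
        unsigned long v = std::strtoul(text.c_str(), nullptr, 10);
        if (errno == ERANGE || v > UINT_MAX)
            return false;
        out = static_cast<unsigned>(v);
        return true;
    }

    State m_state = State::Uninitialized;
    unsigned m_low = 0;
    unsigned m_high = 0;
};

// Convenience helpers (assumed names) used by the usage below.
bool rangeSpecIsValid(const char* spec)
{
    RangeOption option;
    return option.init(spec);
}

bool rangeContains(const char* spec, unsigned value)
{
    RangeOption option;
    option.init(spec);
    return option.isInRange(value);
}

int main()
{
    // Constructed option strings in the entry's syntax.
    const char* specs[] = { "100:200", "42", "!10:20", "", "20:10", "abc" };
    for (const char* spec : specs) {
        std::printf("%-8s valid=%d contains(15)=%d contains(150)=%d\n", spec,
            rangeSpecIsValid(spec), rangeContains(spec, 15), rangeContains(spec, 150));
    }
    return 0;
}
```

Used this way, a consumer like the DFG driver's bytecode-count check would call `init()` once when options are parsed, refuse to start on `false`, and then call `isInRange()` per code block.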
280452013-05-02 Oliver Hunt <oliver@apple.com>
28046
28047 Fix potential bug in lookup logic
28048 https://bugs.webkit.org/show_bug.cgi?id=115522
28049
28050 Reviewed by Mark Hahnenberg.
28051
28052 Though not a problem in practise, it is technically possible
28053 to inject an un-proxied global object into the scope chain
28054 via the C API. This change makes sure that the scope walk
28055 in BytecodeGenerator actually limits itself to scopes that
28056 are statically bindable.
28057
28058 * bytecompiler/BytecodeGenerator.cpp:
28059 (JSC::BytecodeGenerator::resolve):
28060 * runtime/JSObject.h:
28061 (JSObject):
28062 (JSC):
28063 (JSC::JSObject::isStaticScopeObject):
28064
280652013-05-01 Roger Fong <roger_fong@apple.com>
28066
28067 Set Path in makefile for AppleWin.
28068
28069 * JavaScriptCore.vcxproj/JavaScriptCore.make:
28070
280712013-05-01 Benjamin Poulain <benjamin@webkit.org>
28072
28073 Remove the remaining wscript
28074 https://bugs.webkit.org/show_bug.cgi?id=115459
28075
28076 Reviewed by Andreas Kling.
28077
28078 * wscript: Removed.
28079
280802013-04-30 Mark Lam <mark.lam@apple.com>
28081
28082 JSContextGroupSetExecutionTimeLimit() should not pass a callback to the
28083 JSGlobalData watchdog if its client did not pass one in.
28084 https://bugs.webkit.org/show_bug.cgi?id=115461.
28085
28086 Reviewed by Geoffrey Garen.
28087
28088 * API/JSContextRef.cpp:
28089 (internalScriptTimeoutCallback):
28090 (JSContextGroupSetExecutionTimeLimit):
28091 * API/tests/testapi.c:
28092 (main):
28093 - Added test case when the time limit callback is 0.
28094 - Also updated a check to verify that a TerminatedExecutionException is
28095 thrown when the time out is cancelled.
28096 - Also fixed some cosmetic typos.
28097
280982013-04-30 Geoffrey Garen <ggaren@apple.com>
28099
28100 Removed op_ensure_property_exists
28101 https://bugs.webkit.org/show_bug.cgi?id=115460
28102
28103 Reviewed by Mark Hahnenberg.
28104
28105 It was unused, and whatever it was once used for was not optimized.
28106
28107 * JavaScriptCore.order:
28108 * bytecode/CodeBlock.cpp:
28109 (JSC::CodeBlock::dumpBytecode):
28110 * bytecode/Opcode.h:
28111 (JSC::padOpcodeName):
28112 * jit/JIT.cpp:
28113 (JSC::JIT::privateCompileMainPass):
28114 * jit/JIT.h:
28115 * jit/JITOpcodes.cpp:
28116 * jit/JITOpcodes32_64.cpp:
28117 * jit/JITStubs.cpp:
28118 * jit/JITStubs.h:
28119 * llint/LLIntSlowPaths.cpp:
28120 * llint/LLIntSlowPaths.h:
28121 * llint/LowLevelInterpreter.asm:
28122
281232013-04-30 Oliver Hunt <oliver@apple.com>
28124
28125 JSC Stack walking logic craches in the face of inlined functions triggering JSGlobalData re-entry
28126 https://bugs.webkit.org/show_bug.cgi?id=115449
28127
28128 Reviewed by Geoffrey Garen.
28129
28130 Rename callframeishost to something that makes sense, and fix
28131 getCallerInfo to correctly handle inline functions calling into
28132 the JSGlobalData.
28133
28134 * bytecode/CodeBlock.cpp:
28135 (JSC::CodeBlock::codeOriginForReturn):
28136 Make this more robust in the face of incorrect stack walking
28137 * interpreter/CallFrame.cpp:
28138 (JSC::CallFrame::trueCallerFrame):
28139 Everyone has to perform a codeblock() check before calling this
28140 so we might as well just do it here.
28141 * interpreter/Interpreter.cpp:
28142 (JSC::getCallerInfo):
28143
281442013-04-30 Julien Brianceau <jbrianceau@nds.com>
28145
28146 Bug fixing in sh4 base JIT and LLINT.
28147 https://bugs.webkit.org/show_bug.cgi?id=115420
28148
28149 Reviewed by Oliver Hunt.
28150
28151 * assembler/MacroAssemblerSH4.h:
28152 (JSC::MacroAssemblerSH4::lshift32):
28153 (JSC::MacroAssemblerSH4::rshift32):
28154 (JSC::MacroAssemblerSH4::branchMul32):
28155 (JSC::MacroAssemblerSH4::urshift32):
28156 (JSC::MacroAssemblerSH4::replaceWithJump):
28157 (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
28158 * assembler/SH4Assembler.h:
28159 (JSC::SH4Assembler::shldRegReg):
28160 (JSC::SH4Assembler::shadRegReg):
28161 (JSC::SH4Assembler::shalImm8r):
28162 (SH4Assembler):
28163 (JSC::SH4Assembler::sharImm8r):
28164 (JSC::SH4Assembler::maxJumpReplacementSize):
28165 (JSC::SH4Assembler::replaceWithJump):
28166 * offlineasm/sh4.rb:
28167
281682013-04-30 Geoffrey Garen <ggaren@apple.com>
28169
28170 Objective-C JavaScriptCore API should publicly support bridging to C
28171 https://bugs.webkit.org/show_bug.cgi?id=115447
28172
28173 Reviewed by Mark Hahnenberg.
28174
28175 For consistency, I renamed
28176
28177 +[JSValue valueWithValue:] => +[JSValue valueWithJSValueRef]
28178 +[JSContext contextWithGlobalContextRef] => +[JSContext contextWithJSGlobalContextRef]
28179 -[JSContext globalContext] => -[JSContext JSGlobalContextRef]
28180
28181 I searched svn to verify that these functions don't have clients yet,
28182 so we won't break anything.
28183
28184 I also exported as public API
28185
28186 +[JSValue valueWithJSValueRef:]
28187 +[JSContext contextWithJSGlobalContextRef:]
28188
28189 It's hard to integrate with the C API without these.
28190
281912013-04-30 Commit Queue <rniwa@webkit.org>
28192
28193 Unreviewed, rolling out r149349 and r149354.
28194 http://trac.webkit.org/changeset/149349
28195 http://trac.webkit.org/changeset/149354
28196 https://bugs.webkit.org/show_bug.cgi?id=115444
28197
28198 The Thumb version of compileSoftModulo make invalid use of
28199 registers (Requested by benjaminp on #webkit).
28200
28201 * CMakeLists.txt:
28202 * GNUmakefile.list.am:
28203 * JavaScriptCore.xcodeproj/project.pbxproj:
28204 * assembler/ARMv7Assembler.h:
28205 (ARMv7Assembler):
28206 * assembler/AbstractMacroAssembler.h:
28207 (JSC::isARMv7s):
28208 (JSC):
28209 * assembler/MacroAssemblerARMv7.cpp: Removed.
28210 * assembler/MacroAssemblerARMv7.h:
28211 (MacroAssemblerARMv7):
28212 * dfg/DFGFixupPhase.cpp:
28213 (JSC::DFG::FixupPhase::fixupNode):
28214 * dfg/DFGOperations.cpp:
28215 * dfg/DFGOperations.h:
28216 * dfg/DFGSpeculativeJIT.cpp:
28217 (JSC::DFG::SpeculativeJIT::compileSoftModulo):
28218 (DFG):
28219 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
28220 * dfg/DFGSpeculativeJIT.h:
28221 (JSC::DFG::SpeculativeJIT::callOperation):
28222 (SpeculativeJIT):
28223 * dfg/DFGSpeculativeJIT32_64.cpp:
28224 (JSC::DFG::SpeculativeJIT::compile):
28225
282262013-04-30 Zalan Bujtas <zalan@apple.com>
28227
28228 Animations fail to start on http://www.google.com/insidesearch/howsearchworks/thestory/
28229 https://bugs.webkit.org/show_bug.cgi?id=111244
28230
28231 Reviewed by David Kilzer.
28232
28233 Enable performance.now() as a minimal subset of Web Timing API.
28234 It returns DOMHighResTimeStamp, a monotonically increasing value representing the
28235 number of milliseconds from the start of the navigation of the current document.
28236 JS libraries use this API to check against the requestAnimationFrame() timestamp.
28237
28238 * Configurations/FeatureDefines.xcconfig:
28239
282402013-04-30 Zoltan Arvai <zarvai@inf.u-szeged.hu>
28241
28242 Unreviewed. Speculative build fix on Qt Arm and Mips after r149349.
28243
28244 * dfg/DFGSpeculativeJIT.cpp:
28245 (JSC::DFG::SpeculativeJIT::compileSoftModulo):
28246
282472013-04-29 Cosmin Truta <ctruta@blackberry.com>
28248
28249 [ARM] Expand the use of integer division
28250 https://bugs.webkit.org/show_bug.cgi?id=115138
28251
28252 Reviewed by Benjamin Poulain.
28253
28254 If availability of hardware integer division isn't known at compile
28255 time, check the CPU flags and decide at runtime whether to fall back
28256 to software. Currently, this OS-specific check is implemented on QNX.
28257
28258 Moreover, use operator % instead of fmod() in the calculation of the
28259 software modulo. Even when it's software-emulated, operator % is faster
28260 than fmod(): on ARM v7 QNX, without hardware division, we noticed
28261 >3% speedup on SunSpider.
28262
28263 * CMakeLists.txt:
28264 * GNUmakefile.list.am:
28265 * JavaScriptCore.xcodeproj/project.pbxproj:
28266 * assembler/ARMv7Assembler.h:
28267 (JSC::ARMv7Assembler::sdiv): Did not compile conditionally.
28268 (JSC::ARMv7Assembler::udiv): Ditto.
28269 * assembler/AbstractMacroAssembler.h:
28270 (JSC::isARMv7s): Removed.
28271 * assembler/MacroAssemblerARMv7.cpp: Added.
28272 (JSC::isIntegerDivSupported): Added.
28273 * assembler/MacroAssemblerARMv7.h:
28274 (JSC::MacroAssemblerARMv7::supportsIntegerDiv): Added.
28275 * dfg/DFGFixupPhase.cpp:
28276 (JSC::DFG::FixupPhase::fixupNode): Checked MacroAssembler::supportsIntegerDiv() in ArithDiv case.
28277 * dfg/DFGOperations.cpp:
28278 (JSC::DFG::operationModOnInts): Added.
28279 * dfg/DFGOperations.h:
28280 (JSC::DFG::Z_DFGOperation_ZZ): Added.
28281 * dfg/DFGSpeculativeJIT.cpp:
28282 (JSC::DFG::SpeculativeJIT::compileSoftModulo): Separated the X86-specific and ARM-specific codegen
28283 from the common implementation; used operationModOnInts on ARM.
28284 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM): Renamed from compileIntegerArithDivForARMv7.
28285 (JSC::DFG::SpeculativeJIT::compileArithMod): Allowed run-time detection of integer div on ARM.
28286 * dfg/DFGSpeculativeJIT.h:
28287 (JSC::DFG::SpeculativeJIT::callOperation): Added overloads with Z_DFGOperation_ZZ arguments.
28288 * dfg/DFGSpeculativeJIT32_64.cpp:
28289 (JSC::DFG::SpeculativeJIT::compile): Used compileIntegerArithDivForARM.
28290
282912013-04-29 Benjamin Poulain <benjamin@webkit.org>
28292
28293 Unify the data access of StringImpl members from JavaScriptCore
28294 https://bugs.webkit.org/show_bug.cgi?id=115320
28295
28296 Reviewed by Andreas Kling.
28297
28298 DFG accesses the member infos by directly calling the methods on StringImpl,
28299 while the baseline JIT was using helper methods on ThunkHelpers.
28300
28301 Cut the middle man, and use StringImpl directly everywhere.
28302
28303 * jit/JITInlines.h:
28304 (JSC::JIT::emitLoadCharacterString):
28305 * jit/JITPropertyAccess.cpp:
28306 (JSC::JIT::stringGetByValStubGenerator):
28307 * jit/JITPropertyAccess32_64.cpp:
28308 (JSC::JIT::stringGetByValStubGenerator):
28309 * jit/JSInterfaceJIT.h:
28310 * jit/ThunkGenerators.cpp:
28311 (JSC::stringCharLoad):
28312
283132013-04-29 Benjamin Poulain <bpoulain@apple.com>
28314
28315 Use push and pop for iOS math function thunks
28316 https://bugs.webkit.org/show_bug.cgi?id=115215
28317
28318 Reviewed by Filip Pizlo.
28319
28320 The iOS ABI is a little different than regular ARM ABI regarding stack alignment.
28321 The requirement is 4 bytes:
28322 "The ARM environment uses a stack that—at the point of function calls—is 4-byte aligned,
28323 grows downward, and contains local variables and a function’s parameters."
28324
28325 Subsequently, we can just use push and pop to preserve the link register.
28326
28327 * jit/ThunkGenerators.cpp:
28328
283292013-04-29 Brent Fulgham <bfulgham@webkit.org>
28330
28331 [Windows, WinCairo] Get rid of last few pthread include/link references.
28332 https://bugs.webkit.org/show_bug.cgi?id=115375
28333
28334 Reviewed by Tim Horton.
28335
28336 * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd:
28337 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
28338 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
28339 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
28340 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
28341 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
28342
283432013-04-29 Roger Fong <roger_fong@apple.com>
28344
28345 Unreviewed. AppleWin VS2010 build fix.
28346
28347 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
28348
283492013-04-26 Mark Hahnenberg <mhahnenberg@apple.com>
28350
28351 ~BlockAllocator should ASSERT that it has no more Regions left
28352 https://bugs.webkit.org/show_bug.cgi?id=115287
28353
28354 Reviewed by Andreas Kling.
28355
28356 * heap/BlockAllocator.cpp:
28357 (JSC::BlockAllocator::~BlockAllocator):
28358 (JSC::BlockAllocator::allRegionSetsAreEmpty):
28359 * heap/BlockAllocator.h:
28360 (RegionSet):
28361 (JSC::BlockAllocator::RegionSet::isEmpty):
28362 (BlockAllocator):
28363
283642013-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
28365
28366 IndexingTypes should use hex
28367 https://bugs.webkit.org/show_bug.cgi?id=115286
28368
28369 Decimal is kind of confusing/hard to read because they're used as bit masks. Hex seems more appropriate.
28370
28371 Reviewed by Geoffrey Garen.
28372
28373 * runtime/IndexingType.h:
28374
283752013-04-29 Carlos Garcia Campos <cgarcia@igalia.com>
28376
28377 Unreviewed. Fix make distcheck.
28378
28379 * GNUmakefile.list.am: Add missing headers files to compilation
28380 and offlineasm/sh4.rb script.
28381
283822013-04-28 Dean Jackson <dino@apple.com>
28383
28384 [Mac] Disable canvas backing store scaling (HIGH_DPI_CANVAS)
28385 https://bugs.webkit.org/show_bug.cgi?id=115310
28386
28387 Reviewed by Simon Fraser.
28388
28389 Remove ENABLE_HIGH_DPI_CANVAS_macosx.
28390
28391 * Configurations/FeatureDefines.xcconfig:
28392
283932013-04-27 Darin Adler <darin@apple.com>
28394
28395 Move from constructor and member function adoptCF/NS to free function adoptCF/NS.
28396 https://bugs.webkit.org/show_bug.cgi?id=115307
28397
28398 Reviewed by Geoffrey Garen.
28399
28400 * heap/HeapTimer.cpp:
28401 (JSC::HeapTimer::HeapTimer):
28402 * runtime/JSGlobalData.cpp:
28403 (JSC::enableAssembler):
28404 Use adoptCF free function.
28405
284062013-04-27 Anders Carlsson <andersca@apple.com>
28407
28408 Try to fix the Windows build.
28409
28410 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
28411
284122013-04-25 Geoffrey Garen <ggaren@apple.com>
28413
28414 Cleaned up pre/post inc/dec in bytecode
28415 https://bugs.webkit.org/show_bug.cgi?id=115222
28416
Reviewed by Filip Pizlo.

A few related changes here:

(*) Removed post_inc and post_dec. The two-result form was awkward to
reason about. Being explicit about the intermediate mov and to_number
reduces DFG overhead, removes some fragile ASSERTs from the DFG, and
fixes a const bug. Plus, we get to blow away 262 lines of code.

(*) Renamed pre_inc and pre_dec to inc and dec, since there's only one
version now.

(*) Renamed to_jsnumber to to_number, to match the ECMA name.

(*) Tightened up the codegen and runtime support for to_number.


* JavaScriptCore.order: Order!

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitInc):
(JSC::BytecodeGenerator::emitDec):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToNumber):
(BytecodeGenerator): Removed post_inc and post_dec.

* bytecompiler/NodesCodegen.cpp:
(JSC::emitPreIncOrDec): Updated for rename.

(JSC::emitPostIncOrDec): Issue an explicit mov and to_number when needed.
These are rare, and they boil away in the DFG.

(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve): For const, use an explicit mov instead
of any special forms. This fixes a bug where we would do string
add/subtract instead of number.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.h:
(JSC::DFG::canCompileOpcode):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_inc):
(JSC::JIT::emitSlow_op_inc):
(JSC::JIT::emit_op_dec):
(JSC::JIT::emitSlow_op_dec):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_op_inc):
(JSC::JIT::emitSlow_op_inc):
(JSC::JIT::emit_op_dec):
(JSC::JIT::emitSlow_op_dec): Removed post_inc/dec, and updated for renames.

* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emitSlow_op_to_number): Removed a test for number cells. There's
no such thing!

* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_to_number): Use LowestTag to avoid making assumptions
about the lowest valued tag.

(JSC::JIT::emitSlow_op_to_number): Updated for renames.

* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):
* jit/JITStubs.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/NodeConstructors.h:
(JSC::UnaryPlusNode::UnaryPlusNode): Removed post_inc/dec, and updated for renames.

* runtime/Operations.cpp:
(JSC::jsIsObjectType): Removed a test for number cells. There's
no such thing!

2013-04-27 Julien Brianceau <jbrianceau@nds.com>

REGRESSION(r149114): cache flush for SH4 arch may flush an extra page.
https://bugs.webkit.org/show_bug.cgi?id=115305

Reviewed by Andreas Kling.

* assembler/SH4Assembler.h:
(JSC::SH4Assembler::cacheFlush):

2013-04-26 Geoffrey Garen <ggaren@apple.com>

Re-landing <http://trac.webkit.org/changeset/148999>

Filled out more cases of branch folding in bytecode when emitting
expressions into a branching context
https://bugs.webkit.org/show_bug.cgi?id=115057

Reviewed by Phil Pizlo.

We can't fold the number == 1 case to boolean because all non-zero numbers
down-cast to true, but only 1 is == to true.

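To make the unsoundness of that fold concrete, here is an added JavaScript check (example code, not part of the WebKit change; the function names and the sample list are made up for this illustration). It compares `v == 1`, which is also what `v == true` reduces to because ToNumber(true) is 1, against the truthiness test that a boolean branch would perform, and goes beyond the entry's number case by including strings, arrays and the primitives.

```javascript
// Added example, not JSC code. Sample values are constructed for the
// demonstration; the function names are hypothetical.
const SAMPLE_VALUES = [0, 1, 2, -1, 0.5, "1", "2", "", "a",
                       true, false, null, undefined, NaN, [], [1]];

// What a "fold to boolean" would compute: the branch taken by `if (v)`.
function branchOnTruthiness(v) {
  return v ? true : false;
}

// What the bytecode actually asks for: a loose comparison against 1.
function looseEqualsOne(v) {
  return v == 1;
}

// `v == true` goes through ToNumber(true) == 1, so it is the same test
// as `v == 1` for every value.
function looseEqualsTrue(v) {
  return v == true;
}

// Values for which folding `v == 1` into a truthiness branch would change
// the program's behaviour.
function foldCounterexamples(values = SAMPLE_VALUES) {
  return values.filter(v => looseEqualsOne(v) !== branchOnTruthiness(v));
}

// Values for which `v == 1` and `v == true` disagree (expected: none).
function eqTrueMismatches(values = SAMPLE_VALUES) {
  return values.filter(v => looseEqualsOne(v) !== looseEqualsTrue(v));
}
```

Every non-zero number other than 1, every non-numeric string and the empty array are counterexamples, while `v == 1` and `v == true` never disagree; that is exactly why the generator may treat `== true` like `== 1` but may not turn either into a plain truthiness branch.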
2013-04-26 Filip Pizlo <fpizlo@apple.com>

Correct indentation of SymbolTable.h

Rubber stamped by Mark Hahnenberg.

* runtime/SymbolTable.h:

2013-04-26 Roger Fong <roger_fong@apple.com>

Make Apple Windows VS2010 build results into and get dependencies from __32 suffixed folders.
Make the DebugSuffix configuration use _debug dependencies.

* JavaScriptCore.vcxproj/JavaScriptCore.make:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
* JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
* JavaScriptCore.vcxproj/JavaScriptCoreDebug.props:
* JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props:
* JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props:
* JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props:
* JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
* JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd:
* JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
* JavaScriptCore.vcxproj/JavaScriptCoreProduction.props:
* JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
* JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
* JavaScriptCore.vcxproj/build-generated-files.sh:
* JavaScriptCore.vcxproj/copy-files.cmd:
* JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
* JavaScriptCore.vcxproj/jsc/jscCommon.props:
* JavaScriptCore.vcxproj/jsc/jscDebug.props:
* JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
* JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
* JavaScriptCore.vcxproj/jsc/jscProduction.props:
* JavaScriptCore.vcxproj/jsc/jscRelease.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
* JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters:
* JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
* JavaScriptCore.vcxproj/testapi/testapiCommon.props:
* JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
* JavaScriptCore.vcxproj/testapi/testapiDebug.props:
* JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props:
* JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd:
* JavaScriptCore.vcxproj/testapi/testapiProduction.props:
* JavaScriptCore.vcxproj/testapi/testapiRelease.props:
* JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props:

2013-04-26 Roger Fong <roger_fong@apple.com>

Disable sub-pixel layout on mac.
https://bugs.webkit.org/show_bug.cgi?id=114999.

Reviewed by Simon Fraser.

* Configurations/FeatureDefines.xcconfig:

2013-04-26 Oliver Hunt <oliver@apple.com>

Make stack tracing more robust
https://bugs.webkit.org/show_bug.cgi?id=115272

Reviewed by Geoffrey Garen.

CallFrame already handles stack walking confusion robustly,
so we should make sure that the actual walk handles that as well.

* interpreter/Interpreter.cpp:
(JSC::getCallerInfo):

2013-04-26 Mark Hahnenberg <mhahnenberg@apple.com>

REGRESSION(r149165): It made many tests crash on 32 bit
https://bugs.webkit.org/show_bug.cgi?id=115227

Reviewed by Csaba Osztrogonác.

m_reservation is uninitialized when ENABLE(SUPER_REGION) is false.

* heap/SuperRegion.cpp:
(JSC::SuperRegion::~SuperRegion):

2013-04-26 Julien Brianceau <jbrianceau@nds.com>

Fix SH4 build broken since r149159.
https://bugs.webkit.org/show_bug.cgi?id=115229

Add BranchTruncateType enum in SH4 port and handle it in branchTruncateDoubleToInt32.

Reviewed by Allan Sandfeld Jensen.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32):

2013-04-25 Mark Hahnenberg <mhahnenberg@apple.com>

SuperRegion doesn't call deallocate() on its PageReservation
https://bugs.webkit.org/show_bug.cgi?id=115208

Reviewed by Geoffrey Garen.

It should. This doesn't cause us to leak physical memory, but it does cause us to leak virtual
address space (and probably mach ports), which is also bad :-( FixedVMPoolExecutableAllocator
also has this bug, but it doesn't matter much because there's only one instance of that class
throughout the entire lifetime of the process, whereas each JSGlobalData has its own SuperRegion.

* heap/SuperRegion.cpp:
(JSC::SuperRegion::~SuperRegion):
* heap/SuperRegion.h:
(SuperRegion):
* jit/ExecutableAllocatorFixedVMPool.cpp:
(FixedVMPoolExecutableAllocator):
(JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):

2013-04-25 Filip Pizlo <fpizlo@apple.com>

DFG doesn't support to_jsnumber
https://bugs.webkit.org/show_bug.cgi?id=115129

Reviewed by Geoffrey Garen.

Based on Oliver's patch. Implements to_jsnumber as Identity(Number:@thingy), and then does
an optimization in Fixup to turn Identity(Number:) into Identity(Int32:) if the predictions
tell us to. Identity is later turned into Phantom.

Also fixed BackPropMask, which appeared to have NodeDoesNotExit included in it. That's
wrong; NodeDoesNotExit is not a backward propagation property.

Also fixed Identity to be marked as CanExit (i.e. not NodeDoesNotExit).

This more than doubles the FPS on ammo.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.h:
(JSC::DFG::canCompileOpcode):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(FixupPhase):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::observeUseKindOnEdge):
* dfg/DFGNodeFlags.h:
(DFG):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):

2013-04-24 Oliver Hunt <oliver@apple.com>

Add support for Math.imul
https://bugs.webkit.org/show_bug.cgi?id=115143

Reviewed by Filip Pizlo.

Add support for Math.imul, a thunk generator for Math.imul,
and an intrinsic.

Fairly self-explanatory set of changes; the DFG intrinsics simply
leverage the existing ValueToInt32 nodes.

* create_hash_table:
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithIMul):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/ThunkGenerators.cpp:
(JSC::imulThunkGenerator):
(JSC):
* jit/ThunkGenerators.h:
(JSC):
* runtime/Intrinsic.h:
* runtime/MathObject.cpp:
(JSC):
(JSC::mathProtoFuncIMul):
* runtime/JSGlobalData.cpp:
(JSC::thunkGeneratorForIntrinsic):

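As an added illustration of what the intrinsic computes (example code, not the thunk or DFG node from the change; `toInt32`, `imul32`, `naiveMul32` and `imulMismatches` are made-up names): each operand is coerced with ToInt32, which is what the ValueToInt32 nodes do, and the product is then taken modulo 2^32. Multiplying 16-bit halves keeps every intermediate below 2^53, so the low 32 bits are exact, whereas the naive `(a * b) | 0` rounds the double product before truncating and can return the wrong low bits.

```javascript
// Added example, not JSC code. Names are hypothetical.

// ToInt32: the coercion a ValueToInt32 node performs on each operand.
function toInt32(v) {
  return v | 0;
}

// 32-bit wrapping multiply, computed on 16-bit halves so that no intermediate
// exceeds 2^53 and the low 32 bits of the product are exact.
function imul32(a, b) {
  a = toInt32(a);
  b = toInt32(b);
  const ah = (a >>> 16) & 0xffff;
  const al = a & 0xffff;
  const bh = (b >>> 16) & 0xffff;
  const bl = b & 0xffff;
  // a*b = al*bl + (ah*bl + al*bh) * 2^16 + ah*bh * 2^32; the last term
  // vanishes modulo 2^32, and `<< 16` already reduces the cross term.
  const cross = ((ah * bl + al * bh) << 16) >>> 0;
  return (al * bl + cross) | 0;
}

// The naive version: the double product is rounded to 53 bits before the
// truncation, so large products lose their low bits.
function naiveMul32(a, b) {
  return (toInt32(a) * toInt32(b)) | 0;
}

// Operand pairs where imul32 and the engine's own Math.imul disagree
// (expected: none).
function imulMismatches(pairs) {
  return pairs.filter(([a, b]) => imul32(a, b) !== Math.imul(a, b));
}

// Constructed sample pairs covering sign, wrap-around and fractional inputs.
const SAMPLE_PAIRS = [
  [3, 4], [-3, 4], [0xffffffff, 5], [0x7fffffff, 0x7fffffff],
  [0x80000000, 2], [123456789, 987654321], [-2147483648, -1], [1.9, 2.9],
];
```

The pair `[0x7fffffff, 0x7fffffff]` is the instructive one: the true product is 2^62 - 2^32 + 1, whose low 32 bits are 1, but as a double it rounds to 2^62 - 2^32, so `naiveMul32` truncates to 0 while `imul32` and `Math.imul` both return 1.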
2013-04-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, roll out http://trac.webkit.org/changeset/148999
It broke http://kripken.github.io/ammo.js/examples/new/ammo.html

* JavaScriptCore.order:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitThrowReferenceError):
(JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::shouldEmitProfileHooks):
(BytecodeGenerator):
* bytecompiler/NodesCodegen.cpp:
(JSC):
(JSC::NullNode::emitBytecode):
(JSC::BooleanNode::emitBytecode):
(JSC::NumberNode::emitBytecode):
(JSC::StringNode::emitBytecode):
(JSC::IfNode::emitBytecode):
(JSC::IfElseNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createIfStatement):
(ASTBuilder):
* parser/NodeConstructors.h:
(JSC):
(JSC::NullNode::NullNode):
(JSC::BooleanNode::BooleanNode):
(JSC::NumberNode::NumberNode):
(JSC::StringNode::StringNode):
(JSC::IfNode::IfNode):
(JSC::IfElseNode::IfElseNode):
* parser/Nodes.h:
(JSC::ExpressionNode::isPure):
(JSC::ExpressionNode::isSubtract):
(StatementNode):
(NullNode):
(JSC::NullNode::isNull):
(BooleanNode):
(JSC::BooleanNode::isPure):
(NumberNode):
(JSC::NumberNode::value):
(JSC::NumberNode::isPure):
(StringNode):
(JSC::StringNode::isPure):
(JSC::StringNode::isString):
(BinaryOpNode):
(IfNode):
(JSC):
(IfElseNode):
(ContinueNode):
(BreakNode):
* parser/Parser.cpp:
(JSC::::parseIfStatement):
* parser/ResultType.h:
(ResultType):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::pureToBoolean):
* runtime/JSCell.h:
(JSCell):
* runtime/JSCellInlines.h:
(JSC):

2013-04-25 Filip Pizlo <fpizlo@apple.com>

PreciseJumpTargets should treat loop_hint as a jump target
https://bugs.webkit.org/show_bug.cgi?id=115209

Reviewed by Mark Hahnenberg.

I didn't add a test but I turned this into a release assertion. Running Octane is enough
to trigger it.

* bytecode/PreciseJumpTargets.cpp:
(JSC::computePreciseJumpTargets):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):

2013-04-25 Roman Zhuykov <zhroma@ispras.ru>

Fix problems with processing negative zero on DFG.
https://bugs.webkit.org/show_bug.cgi?id=113862

Reviewed by Filip Pizlo.

Fix NodeNeedsNegZero flag propagation in BackwardPropagationPhase.
Function arithNodeFlags should not mask NodeNeedsNegZero flag for ArithNegate and DoubleAsInt32
nodes and this flag should be always used to decide where we need to generate negative-zero checks.
Remove unnecessary negative-zero checks from integer ArithDiv on ARM.
Also remove such checks from integer ArithMod on ARM and X86, and make them always
check not only "modulo_result == 0" but also "dividend < 0".
Generate faster code for the case when ArithMod operation divisor is a constant power of 2 on ARMv7
in the same way as on ARMv7s, and add negative-zero checks into this code when needed.
Change speculationCheck ExitKind from Overflow to NegativeZero where applicable.

This shows 30% speedup of math-spectral-norm, and 5% speedup
on SunSpider overall on ARMv7 Linux.

* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branchConvertDoubleToInt32):
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::branchConvertDoubleToInt32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
(JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGNode.h:
(JSC::DFG::Node::arithNodeFlags):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
(JSC::DFG::SpeculativeJIT::compileSoftModulo):
(JSC::DFG::SpeculativeJIT::compileArithNegate):

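Added illustration of the negative-zero rule the entry describes (example code, not JSC's; `arithMod`, `arithNegate`, `modMismatches` and the `{value, exit}` result shape are made-up names). An int32 register cannot hold -0, so when the exact JavaScript result of `%` or unary minus would be -0 and the node's consumers care (the NodeNeedsNegZero flag, modelled here as a boolean parameter), compiled code must take a speculation exit of kind NegativeZero rather than return +0. For modulo, a zero result is -0 precisely when the dividend is negative, regardless of the divisor's sign, which is why the check is "modulo_result == 0 && dividend < 0"; the power-of-two fast path needs the same check.

```javascript
// Added example, not JSC code. Names and the {value, exit} shape are hypothetical.

function isPowerOfTwo(n) {
  return n > 0 && (n & (n - 1)) === 0;
}

// Integer modulo as an ArithMod node might compute it. `needsNegZero`
// stands in for the NodeNeedsNegZero flag: when set and the exact result
// is -0, report a NegativeZero exit instead of silently returning +0.
function arithMod(dividend, divisor, needsNegZero) {
  dividend |= 0;
  divisor |= 0;
  if (divisor === 0) {
    return { value: NaN, exit: null }; // x % 0 is NaN in JavaScript
  }
  let result;
  if (isPowerOfTwo(divisor)) {
    // Fast path for a constant power-of-two divisor: mask the magnitude
    // and restore the dividend's sign (the result is then an int32 again).
    const mask = divisor - 1;
    result = (dividend < 0 ? -((-dividend) & mask) : dividend & mask) | 0;
  } else {
    result = (dividend % divisor) | 0;
  }
  // In JavaScript the sign of x % y follows x, so a zero result from a
  // negative dividend is -0; the divisor's sign is irrelevant.
  const isNegativeZero = result === 0 && dividend < 0;
  return {
    value: result,
    exit: needsNegZero && isNegativeZero ? "NegativeZero" : null,
  };
}

// Unary minus on an int32: -0 arises exactly when the operand is 0.
function arithNegate(operand, needsNegZero) {
  operand |= 0;
  return {
    value: (-operand) | 0,
    exit: needsNegZero && operand === 0 ? "NegativeZero" : null,
  };
}

// Cross-check against the engine's own `%`: with needsNegZero set, the
// emulation must exit exactly when the exact result is -0 and otherwise
// return the same value. Returns the disagreeing pairs (expected: none).
function modMismatches(dividends, divisors) {
  const bad = [];
  for (const d of dividends) {
    for (const v of divisors) {
      const exact = d % v;
      const r = arithMod(d, v, true);
      const ok = Object.is(exact, -0)
        ? r.exit === "NegativeZero"
        : r.exit === null && r.value === exact;
      if (!ok) bad.push([d, v]);
    }
  }
  return bad;
}

// Constructed input range for the cross-check.
const range = (lo, hi) => Array.from({ length: hi - lo + 1 }, (_, i) => lo + i);
```

With `needsNegZero` false the same inputs simply yield +0, which is the cheaper code the patch emits when backwards propagation proves no consumer can observe the sign of zero.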
2013-04-25 Oliver Hunt <oliver@apple.com>

Stack guards are too conservative
https://bugs.webkit.org/show_bug.cgi?id=115147

Reviewed by Mark Hahnenberg.

Increase stack guard to closer to old size.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::StackPolicy::StackPolicy):

2013-04-25 Oliver Hunt <oliver@apple.com>

Stack guards are too conservative
https://bugs.webkit.org/show_bug.cgi?id=115147

Reviewed by Geoffrey Garen.

Reduce the limits and simplify the decision making.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::StackPolicy::StackPolicy):

2013-04-25 Nick Diego Yamane <nick.yamane@openbossa.org>

JSC: Fix interpreter misbehavior in builds with JIT disabled
https://bugs.webkit.org/show_bug.cgi?id=115190

Reviewed by Oliver Hunt.

Commit http://trac.webkit.org/changeset/147858 modified
some details on how JS stack traces are built. The method
"getLineNumberForCallFrame", renamed in that changeset to
"getBytecodeOffsetForCallFrame", is always returning `0' when
JIT is disabled.

How to reproduce:
- Build webkit with JIT disabled
- Open MiniBrowser, for example, with http://google.com
- In a debug build, WebProcess will hit the following ASSERT:
Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:279 ASSERT(low);

* interpreter/Interpreter.cpp:
(JSC::getBytecodeOffsetForCallFrame):

2013-04-25 Oliver Hunt <oliver@apple.com>

Make checkSyntax take a JSGlobalData instead of an ExecState

RS=Tim

* jsc.cpp:
(runInteractive):
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/Completion.h:
(JSC):

2013-04-25 Michael Saboff <msaboff@apple.com>

32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean
https://bugs.webkit.org/show_bug.cgi?id=115188

Reviewed by Geoffrey Garen.

Changed the RegExpTest node to set the AbstractValue to boolean, since that's
what it is.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):

2013-04-25 Julien Brianceau <jbrianceau@nds.com>

REGRESSION(r137994): Random crashes occur with SH4 JSC.
https://bugs.webkit.org/show_bug.cgi?id=115167.

Reviewed by Oliver Hunt.

Since r137994, uncommitted pages could be inside the area of memory in
parameter of the cacheFlush function. That's why we have to flush each
page separately to avoid a failure of the whole flush, if an uncommitted page
is in the area.

This patch is very similar to changeset 145194 made for ARMv7 architecture,
see https://bugs.webkit.org/show_bug.cgi?id=111441 for further information.

* assembler/SH4Assembler.h:
(JSC::SH4Assembler::cacheFlush):

2013-04-24 Mark Lam <mark.lam@apple.com>

Add watchdog timer polling for the DFG.
https://bugs.webkit.org/show_bug.cgi?id=115134.

Reviewed by Geoffrey Garen.

The strategy is to add a speculation check to the DFG generated code to
test if the watchdog timer has fired or not. If the watchdog timer has
fired, the generated code will do an OSR exit to the baseline JIT, and
let it handle servicing the watchdog timer.

If the watchdog is not enabled, this speculation check will not be
emitted.

* API/tests/testapi.c:
(currentCPUTime_callAsFunction):
(extendTerminateCallback):
(main):
- removed try/catch statements so that we can test the watchdog on the DFG.
- added JS bindings to a native currentCPUTime() function so that the timeout
tests can be more accurate.
- also shortened the time values so that the tests can complete sooner.

* bytecode/ExitKind.h:
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/Watchdog.cpp:
(JSC::Watchdog::setTimeLimit):

2013-04-24 Filip Pizlo <fpizlo@apple.com>

Special thunks for math functions should work on ARMv7
https://bugs.webkit.org/show_bug.cgi?id=115144

Reviewed by Gavin Barraclough and Oliver Hunt.

The only hard bit here was ensuring that we implemented the very special
"cheap C call" convention on ARMv7.

* assembler/AbstractMacroAssembler.h:
(JSC::isARMv7s):
(JSC):
(JSC::isX86):
* dfg/DFGCommon.h:
* jit/SpecializedThunkJIT.h:
(SpecializedThunkJIT):
(JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
* jit/ThunkGenerators.cpp:
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::expThunkGenerator):
(JSC::logThunkGenerator):

2013-04-24 Julien Brianceau <jbrianceau@nds.com>

Misc bugfix and cleaning in sh4 base JIT.
https://bugs.webkit.org/show_bug.cgi?id=115022.

Reviewed by Oliver Hunt.

Remove unused add32() and sub32() with scratchreg parameter to avoid
confusion as this function prototype means another behaviour.
Remove unused "void push(Address)" function which seems quite buggy.

* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::and32): Cosmetic change.
(JSC::MacroAssemblerSH4::lshift32): Cosmetic change.
(JSC::MacroAssemblerSH4::or32): Cosmetic change.
(JSC::MacroAssemblerSH4::xor32): Cosmetic change.
(MacroAssemblerSH4):
(JSC::MacroAssemblerSH4::load32): Cosmetic change.
(JSC::MacroAssemblerSH4::load8Signed): Fix invalid offset upper limit
when using r0 register and cosmetic changes.
(JSC::MacroAssemblerSH4::load8): Reuse load8Signed to avoid duplication.
(JSC::MacroAssemblerSH4::load16): Fix invalid offset upper limit when
using r0 register, fix missing offset shift and cosmetic changes.
(JSC::MacroAssemblerSH4::store32): Cosmetic change.
(JSC::MacroAssemblerSH4::branchAdd32): Store result value before branch.

2013-04-24 Patrick Gansterer <paroga@webkit.org>

[WIN] Remove pthread from Visual Studio files in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=114864

Reviewed by Brent Fulgham.

* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
* JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops:
* JavaScriptCore.vcproj/jsc/jscCommon.vsprops:
* JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops:
* JavaScriptCore.vcproj/testapi/testapiCommon.vsprops:
* JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
* JavaScriptCore.vcxproj/jsc/jscCommon.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
* JavaScriptCore.vcxproj/testapi/testapiCommon.props:
* JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:

2013-04-24 Filip Pizlo <fpizlo@apple.com>

DFG should keep the operand to create_this alive if it's emitting code for create_this
https://bugs.webkit.org/show_bug.cgi?id=115133

Reviewed by Mark Hahnenberg.

The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):

2013-04-24 Roger Fong <roger_fong@apple.com>

Have VS2010 WebKit solution look in WebKit_Libraries/lib32 for dependencies.

* JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
* JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
* JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
* JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd:

2013-04-24 Geoffrey Garen <ggaren@apple.com>

32-bit build fix.

Unreviewed.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): Explicitly
truncate to 32-bit to avoid compiler warnings. It's safe to truncate
because the payload of a boolean is the low bits on both 64-bit and 32-bit.

2013-04-23 Geoffrey Garen <ggaren@apple.com>

Filled out more cases of branch folding in the DFG
https://bugs.webkit.org/show_bug.cgi?id=115088

Reviewed by Oliver Hunt.

No change on the benchmarks we track, but a 3X speedup on a
microbenchmark that uses these techniques.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock): (!/=)= and (!/=)== can constant
fold all types, not just numbers, because true constants have no
side effects when type-converted at runtime.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateBoolean): Added support for fixing up
boolean uses, like we do for other types like number.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileBooleanCompare): Peephole fuse
boolean compare and/or compare-branch, now that we have the types for
them.

* dfg/DFGSpeculativeJIT.h: Updated declarations.

== Rolled over to ChangeLog-2013-04-24 ==