git.saurik.com Git - apple/javascriptcore.git/blame - ChangeLog
JavaScriptCore-7600.1.4.13.1.tar.gz

2014-12-10  Babak Shafiei  <bshafiei@apple.com>

        Merge r176803.

    2014-12-04  Oliver Hunt  <oliver@apple.com>

            Serialization of MapData object provides unsafe access to internal types
            https://bugs.webkit.org/show_bug.cgi?id=138653

            Reviewed by Geoffrey Garen.

            Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
            that despite trying hard to be safe in all cases it's simply too easy
            to use an iterator in an unsafe state.

            * runtime/MapData.h:
            (JSC::MapData::const_iterator::key):
            (JSC::MapData::const_iterator::value):

2014-09-15  Babak Shafiei  <bshafiei@apple.com>

        <rdar://problem/18327341> Disable Web Timing on this branch.

        Reviewed originally by Sam Weinig.

        Disable:
        - WEB_TIMING

        * Configurations/FeatureDefines.xcconfig:

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge patch for <rdar://problem/17887398>.

    2014-07-30  Filip Pizlo  <fpizlo@apple.com>

            NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
            https://bugs.webkit.org/show_bug.cgi?id=135430

            Reviewed by Mark Hahnenberg.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * tests/stress/new-function-expression-has-structures.js: Added.
            (foo.f):
            (foo.f.prototype.f):
            (foo):

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge r171949.

    2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

            URTBF after r171946 to fix non-Apple builds.

            * bytecode/InlineCallFrameSet.cpp:

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge r171946.

    2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

            CodeBlock fails to visit the Executables of its InlineCallFrames
            https://bugs.webkit.org/show_bug.cgi?id=135471

            Reviewed by Geoffrey Garen.

            CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
            can be prematurely collected and cause crashes.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitStrongReferences):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::visitAggregate):
            * bytecode/InlineCallFrameSet.cpp:
            (JSC::InlineCallFrameSet::visitAggregate):
            * bytecode/InlineCallFrameSet.h:

2014-07-29  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171689. <rdar://problem/17844890>

    2014-07-28  Filip Pizlo  <fpizlo@apple.com>

            Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
            https://bugs.webkit.org/show_bug.cgi?id=135350
            <rdar://problem/17509889>

            Reviewed by Mark Hahnenberg and Oliver Hunt.

            If we have an exiting node that uses a conversion node, then that exiting node
            needs to have a Phantom after it for the original node. But we can't do that
            for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
            * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
            (foo):
            (test):
            * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
            (foo):
            (test):

2014-07-29  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171688. <rdar://problem/17364180>

    2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

            JSContext Inspector: crash when using step-into
            https://bugs.webkit.org/show_bug.cgi?id=135345

            Reviewed by Timothy Hatcher.

            * inspector/agents/InspectorDebuggerAgent.cpp:
            (Inspector::InspectorDebuggerAgent::stepInto):
            Null check m_listener since it may not be set.

2014-07-25  Lucas Forschler  <lforschler@apple.com>

        Merge r171578

    2014-07-24  Brent Fulgham  <bfulgham@apple.com>

            [Win] Correct build order in JavaScriptCore.submit.sln
            https://bugs.webkit.org/show_bug.cgi?id=135282
            <rdar://problem/17805592>

            Unreviewed build fix.

            * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
            such that LLIntDesiredOffset is built prior to the rest of JSC.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171564

    2014-07-24  Mark Lam  <mark.lam@apple.com>

            JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
            <https://webkit.org/b/135258>

            Reviewed by Mark Hahnenberg.

            Where needed, we cache the prototype object pointer in a stack local var.
            This allows it to be scanned by the GC, and hence be kept alive until
            we use it. The constructor object will in turn be kept alive by the
            prototype object.

            Also added some comments to warn against future code additions that could
            regress this issue.

            * API/JSWrapperMap.mm:
            (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
            (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
            (-[JSObjCClassInfo wrapperForObject:]):
            (-[JSObjCClassInfo constructor]):

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171558

    2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>

            JSLock release should only modify the AtomicStringTable if it modified in acquire
            https://bugs.webkit.org/show_bug.cgi?id=135143

            Reviewed by Darin Adler.

            * runtime/JSLock.cpp:
            (JSC::JSLock::JSLock):
            Initialize the member variable to nullptr.

            (JSC::JSLock::willDestroyVM):
            Update style to use nullptr instead of 0.

            (JSC::JSLock::willReleaseLock):
            We should only reset the thread data's atomic string table if
            didAcquireLock changed it. m_entryAtomicStringTable will have
            been set by didAcquireLock if it changed, or nullptr if it didn't.
            This way we are sure we are balanced, regardless of m_vm changes.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171543

    2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>

            Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
            https://bugs.webkit.org/show_bug.cgi?id=135250

            Reviewed by Geoffrey Garen.

            JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
            JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
            chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
            the JSProxy's prototype fixes the issue.

            * API/JSValueRef.cpp:
            (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
            would claim it wasn't of the specified class, even if the target was of the specified class.
            * API/tests/CustomGlobalObjectClassTest.c: Added.
            (jsDoSomething):
            (customGlobalObjectClassTest):
            * API/tests/CustomGlobalObjectClassTest.h: Added.
            * API/tests/testapi.c:
            (assertTrue):
            (main):
            * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
            * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::resetPrototype):

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171395

    2014-07-22  Brent Fulgham  <bfulgham@apple.com>

            Build fix for non-clang compile.

            * jsc.cpp:
            (WTF::RuntimeArray::put): Remove incorrect return statement
            I added.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171393

    2014-07-22  Brent Fulgham  <bfulgham@apple.com>

            Build fix for non-clang compile.

            * jsc.cpp:
            (WTF::RuntimeArray::deleteProperty): Need (fake) return
            value when NO_RETURN_DUE_TO_CRASH is not defined.

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171390

    2014-07-22  Mark Lam  <mark.lam@apple.com>

            Array.concat() should work on runtime arrays too.
            <https://webkit.org/b/135179>

            Reviewed by Geoffrey Garen.

            * jsc.cpp:
            (WTF::RuntimeArray::create):
            (WTF::RuntimeArray::~RuntimeArray):
            (WTF::RuntimeArray::destroy):
            (WTF::RuntimeArray::getOwnPropertySlot):
            (WTF::RuntimeArray::getOwnPropertySlotByIndex):
            (WTF::RuntimeArray::put):
            (WTF::RuntimeArray::deleteProperty):
            (WTF::RuntimeArray::getLength):
            (WTF::RuntimeArray::createPrototype):
            (WTF::RuntimeArray::createStructure):
            (WTF::RuntimeArray::finishCreation):
            (WTF::RuntimeArray::RuntimeArray):
            (WTF::RuntimeArray::lengthGetter):
            (GlobalObject::finishCreation):
            (functionCreateRuntimeArray):
            - Added support to create a runtime array for testing purpose.
            * runtime/ArrayPrototype.cpp:
            (JSC::getLength):
            - Added fast case for when the array object is a JSArray.
            (JSC::arrayProtoFuncJoin):
            - Added a needed but missing exception check.
            (JSC::arrayProtoFuncConcat):
            - Use getLength() to compute the array length instead of assuming that
            the array is a JSArray instance.
            * tests/stress/regexp-matches-array.js: Added.
            (testArrayConcat):
            * tests/stress/runtime-array.js: Added.
            (testArrayConcat):

2014-07-24  Lucas Forschler  <lforschler@apple.com>

        Merge r171328

    2014-07-21  Mark Lam  <mark.lam@apple.com>

            Refactor ArrayPrototype to use getLength() and putLength() utility functions.
            https://bugs.webkit.org/show_bug.cgi?id=135139.

            Reviewed by Oliver Hunt.

            - Specialize putProperty() to putLength() because it is only used for setting
            the length property.
            - Added a getLength() utility function to get the value of the length property.
            - Use these getLength() and putLength() functions instead of the existing code
            to get and put the length property. Less code to read, easier to understand.

            * runtime/ArrayPrototype.cpp:
            (JSC::getLength):
            (JSC::putLength):
            (JSC::arrayProtoFuncToString):
            (JSC::arrayProtoFuncToLocaleString):
            (JSC::arrayProtoFuncJoin):
            (JSC::arrayProtoFuncPop):
            (JSC::arrayProtoFuncPush):
            (JSC::arrayProtoFuncReverse):
            (JSC::arrayProtoFuncShift):
            (JSC::arrayProtoFuncSlice):
            (JSC::arrayProtoFuncSort):
            (JSC::arrayProtoFuncSplice):
            (JSC::arrayProtoFuncUnShift):
            (JSC::arrayProtoFuncReduce):
            (JSC::arrayProtoFuncReduceRight):
            (JSC::arrayProtoFuncIndexOf):
            (JSC::arrayProtoFuncLastIndexOf):
            (JSC::putProperty): Deleted.

2014-07-23  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171474 (rollout r171367 from trunk)

2014-07-23  Lucas Forschler  <lforschler@apple.com>

        Merge r171367

    2014-07-22  Joseph Pecoraro  <pecoraro@apple.com>

            JSLock release should only modify the AtomicStringTable if it modified in acquire
            https://bugs.webkit.org/show_bug.cgi?id=135143

            Reviewed by Pratik Solanki.

            * runtime/JSLock.cpp:
            (JSC::JSLock::willDestroyVM):
            (JSC::JSLock::willReleaseLock):
            Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.

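The two JSLock entries above (r171367, later rolled out, and its replacement r171558) are both about keeping didAcquireLock and willReleaseLock balanced. The following is an added illustration and not JavaScriptCore's code: a toy lock with hypothetical names (Table, ThreadData, VM, Lock) that swaps a thread's current table on acquire and undoes the swap on release only when acquire recorded that it made one, next to the unbalanced shape that decides at release time by looking at m_vm. A boolean flag stands in for the entry's "nullptr if it didn't change" convention, because in this toy the table that was current before acquire may itself be null.

```cpp
// Added example, not JSC's JSLock: a lock that records at acquire time
// whether it swapped the thread's current table, and restores it at release
// time based on that record alone, so the pair stays balanced even if the VM
// goes away while the lock is held. All names here are hypothetical.
#include <cstddef>

namespace locksim {

struct Table { int id; };                               // stand-in for an AtomicStringTable
struct ThreadData { Table* currentTable = nullptr; };   // stand-in for per-thread data
struct VM { Table table{1}; };                          // stand-in for a VM owning a table

class Lock {
public:
    explicit Lock(VM* vm) : m_vm(vm) {}

    // Mirrors the idea of willDestroyVM: the lock may outlive its VM pointer.
    void willDestroyVM() { m_vm = nullptr; }

    void didAcquireLock(ThreadData& thread) {
        // Only swap when there is a VM; remember exactly what we changed.
        if (!m_vm)
            return;
        m_entryTable = thread.currentTable;
        thread.currentTable = &m_vm->table;
        m_swapped = true;
    }

    // Balanced release: undo the swap iff acquire did it. m_vm is not consulted.
    void willReleaseLock(ThreadData& thread) {
        if (!m_swapped)
            return;
        thread.currentTable = m_entryTable;
        m_entryTable = nullptr;
        m_swapped = false;
    }

    // Unbalanced release: decides by m_vm. If the VM was destroyed while the
    // lock was held, the thread keeps pointing at a table it should not.
    void willReleaseLockConsultingVM(ThreadData& thread) {
        if (!m_vm)
            return;
        thread.currentTable = m_entryTable;
        m_entryTable = nullptr;
        m_swapped = false;
    }

private:
    VM* m_vm;
    Table* m_entryTable = nullptr;
    bool m_swapped = false;
};

// Scenario 1: ordinary acquire/release round trip restores the outer table.
bool restoredAfterNormalRelease() {
    VM vm;
    Table outer{7};
    ThreadData thread;
    thread.currentTable = &outer;
    Lock lock(&vm);
    lock.didAcquireLock(thread);
    bool swappedIn = thread.currentTable == &vm.table;
    lock.willReleaseLock(thread);
    return swappedIn && thread.currentTable == &outer;
}

// Scenario 2: the VM is destroyed while the lock is held; the balanced release
// still restores the outer table because acquire recorded the swap.
bool restoredWhenVMDestroyedWhileHeld() {
    VM vm;
    Table outer{7};
    ThreadData thread;
    thread.currentTable = &outer;
    Lock lock(&vm);
    lock.didAcquireLock(thread);
    lock.willDestroyVM();
    lock.willReleaseLock(thread);
    return thread.currentTable == &outer;
}

// Scenario 3: no VM at acquire time; release must leave the thread's table alone.
bool untouchedWithoutVM() {
    Table outer{7};
    ThreadData thread;
    thread.currentTable = &outer;
    Lock lock(nullptr);
    lock.didAcquireLock(thread);
    lock.willReleaseLock(thread);
    return thread.currentTable == &outer;
}

// Scenario 4: same as scenario 2 but with the release that consults m_vm;
// returns true when the thread is left pointing at the (dead) VM's table.
bool vmConsultingReleaseLeavesTableSwapped() {
    VM vm;
    Table outer{7};
    ThreadData thread;
    thread.currentTable = &outer;
    Lock lock(&vm);
    lock.didAcquireLock(thread);
    lock.willDestroyVM();
    lock.willReleaseLockConsultingVM(thread);
    return thread.currentTable == &vm.table;
}

}  // namespace locksim
```

The point of scenario 4 is the one the r171558 entry spells out: the release side must be driven by what acquire recorded, not by the current state of m_vm, or the pair stops being balanced as soon as the VM changes underneath the held lock.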
2014-07-23  Lucas Forschler  <lforschler@apple.com>

        Merge r171355

    2014-07-21  Sam Weinig  <sam@webkit.org>

            [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
            https://bugs.webkit.org/show_bug.cgi?id=135148

            Reviewed by Geoffrey Garen.

            * runtime/CommonIdentifiers.h:
            Add a common identifier for the string "webkit".

2014-07-23  Lucas Forschler  <lforschler@apple.com>

        Merge r171354

    2014-07-22  Filip Pizlo  <fpizlo@apple.com>

            ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
            https://bugs.webkit.org/show_bug.cgi?id=135155
            <rdar://problem/17763909>

            Reviewed by Oliver Hunt.

            The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
            contradiction, and that this is OK. In this case, we were speculating cell on an int.

            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            * tests/stress/regress-135155.js: Added.
            (run.t.length):
            (run):

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171228.

    2014-07-18  Filip Pizlo  <fpizlo@apple.com>

            Fix cloop build.

            * jsc.cpp:
            (jscmain):

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171213.

    2014-07-15  Filip Pizlo  <fpizlo@apple.com>

            Need ability to fuzz exception throwing
            https://bugs.webkit.org/show_bug.cgi?id=134945
            <rdar://problem/17722027>

            Reviewed by Sam Weinig.

            Adds the ability to instrument exception checks, and to force some random
            exception check to artificially throw an exception. Also adds new tests that
            are suitable for testing this. Note that this is closely tied to the Tools
            directory changes that are also part of this changeset.

            This also fixes an activation tear-off bug that arises if we ever throw an
            exception from operationOptimize, or if due to some other bug it's only due
            to the operationOptimize exception check that we realize that there is an
            exception to be thrown.

            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::fastExceptionCheck):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            * interpreter/Interpreter.cpp:
            (JSC::unwindCallFrame):
            * jit/AssemblyHelpers.cpp:
            (JSC::AssemblyHelpers::callExceptionFuzz):
            (JSC::AssemblyHelpers::emitExceptionCheck):
            * jit/AssemblyHelpers.h:
            (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_enter):
            * jit/JITOperations.cpp:
            (JSC::numberOfExceptionFuzzChecks):
            * jit/JITOperations.h:
            * jsc.cpp:
            (jscmain):
            * runtime/Options.h:
            * runtime/TestRunnerUtils.h:
            * tests/exceptionFuzz.yaml: Added.
            * tests/exceptionFuzz: Added.
            * tests/exceptionFuzz/3d-cube.js: Added.
            * tests/exceptionFuzz/date-format-xparb.js: Added.
            * tests/exceptionFuzz/earley-boyer.js: Added.

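As an added example, and not the patch's implementation, here is a deterministic miniature of the exception-fuzzing idea described in the entry above, in C++. Every check site calls a hypothetical exceptionCheck(); a harness can force the N-th check of a run to throw, and a driver sweeps N over every check so that each unwinding path is exercised exactly once (the real change picks a random check; a sweep is used here so the result is repeatable). The workload models the tear-off bug the entry mentions: a frame-owned resource that must be released on every exit path, including the one taken when a check throws.

```cpp
// Added example (not JavaScriptCore's code): a minimal exception-fuzzing
// harness. Names (Harness, exceptionCheck, Activation, workload) are made up
// for this illustration.
#include <cstddef>
#include <stdexcept>
#include <vector>

namespace fuzz {

// Harness state for one single-threaded run (assumption of this toy).
struct Harness {
    std::size_t checksSeen = 0;    // exception checks executed so far in this run
    std::size_t throwAtCheck = 0;  // 0 = never force; N = throw at the N-th check
};

static Harness g_harness;

struct ForcedException : std::runtime_error {
    ForcedException() : std::runtime_error("forced by exception fuzzer") {}
};

// Call wherever the real code would test for a pending exception. Under the
// fuzzer, the selected check throws instead of returning normally.
inline void exceptionCheck() {
    ++g_harness.checksSeen;
    if (g_harness.throwAtCheck != 0 && g_harness.checksSeen == g_harness.throwAtCheck)
        throw ForcedException();
}

// A frame-owned resource whose tear-off must happen on every exit path. The
// "live" vector plays the role of the set of activations still registered.
struct Activation {
    std::vector<int>* liveList;
    int id;
    Activation(std::vector<int>* list, int i) : liveList(list), id(i) { liveList->push_back(id); }
    ~Activation() {
        for (auto it = liveList->begin(); it != liveList->end(); ++it) {
            if (*it == id) { liveList->erase(it); break; }
        }
    }
};

using Workload = int (*)(std::vector<int>&);

// Correct shape: tear-off is tied to scope exit, so unwinding releases it.
int workload(std::vector<int>& live) {
    Activation a(&live, 1);
    int acc = 0;
    for (int step = 1; step <= 3; ++step) {
        acc += step * 10;
        exceptionCheck();  // a real engine would test for a pending exception here
    }
    return acc;
}

// Deliberately fragile shape: tear-off is done by hand after the loop, so a
// throw from any check skips it. This is the kind of bug the fuzzer surfaces.
int fragileWorkload(std::vector<int>& live) {
    live.push_back(2);
    int acc = 0;
    for (int step = 1; step <= 3; ++step) {
        acc += step * 10;
        exceptionCheck();
    }
    live.pop_back();  // never reached when a check throws
    return acc;
}

// Run once with no forced throw and report how many checks the workload hits.
std::size_t countChecks(Workload fn) {
    g_harness = Harness{};
    std::vector<int> live;
    fn(live);
    return g_harness.checksSeen;
}

// Force each check in turn to throw; return how many of those runs left no
// activation registered afterwards (i.e. tear-off happened during unwinding).
std::size_t runsWithCleanTearOff(Workload fn) {
    std::size_t total = countChecks(fn);
    std::size_t clean = 0;
    for (std::size_t n = 1; n <= total; ++n) {
        g_harness = Harness{};
        g_harness.throwAtCheck = n;
        std::vector<int> live;
        try {
            fn(live);
        } catch (const ForcedException&) {
            if (live.empty())
                ++clean;
        }
    }
    return clean;
}

}  // namespace fuzz
```

Both workloads execute three checks; the sweep reports three clean runs for the scope-tied version and none for the hand-rolled one, which is exactly the signal a test run under exception fuzzing is meant to produce.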
2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171204.

    2014-07-17  Joseph Pecoraro  <pecoraro@apple.com>

            Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html

            Rubber-stamped by Alexey Proskuryakov.

            Null / empty titles should be fine. Tests pass in release builds
            which allowed empty titles, and it looks like the LegacyProfiler
            stopProfiling handles empty titles as expected already.

            * profiler/LegacyProfiler.cpp:
            (JSC::LegacyProfiler::startProfiling):

2014-07-22  Dana Burkart  <dburkart@apple.com>

        Merge r171190.

    2014-07-16  Filip Pizlo  <fpizlo@apple.com>

            DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
            https://bugs.webkit.org/show_bug.cgi?id=134988
            <rdar://problem/17706349>

            Reviewed by Oliver Hunt.

            Luckily, we also don't need this optimization to be super powerful: the only place
            where it really matters is for getting rid of the redundancy between op_enter and
            op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
            two things. This change updates the store eliminator to know about only that small,
            obviously safe, set of nodes over which we can store-eliminate.

            This shouldn't have any performance impact in the DFG because this optimization kicks
            in relatively rarely already. And once we tier up into the FTL, we get a much better
            store elimination over LLVM IR, so this really shouldn't matter at all.

            The tricky part of this patch is that there is a close relative of this optimization,
            for uncaptured variables that got flushed. This happens for arguments to inlined calls.
            I make this work by splitting it into two different store eliminators.

            Note that in the process of crafting the tests, I realized that we were incorrectly
            DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
            negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
            to a check node followed by the actual allocation.

            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
            (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
            (JSC::DFG::CSEPhase::setLocalStoreElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
            * dfg/DFGNodeType.h:
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):

2014-07-17  Dean Jackson  <dino@apple.com>

        <rdar://problem/17675068> Disable some features on this branch.

        Reviewed originally by Simon Fraser.

        Disable:
        - CSS_EXCLUSIONS
        - CSS_GRID_LAYOUT
        - INPUT_TYPE_COLOR
        - INPUT_TYPE_COLOR_POPUP
        - CANVAS_PATH
        - CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
        - INDIE_UI
        - SHARED_WORKERS
        - NAVIGATOR_HWCONCURRENCY
        - GAMEPAD
        - PICTURE_SIZES
        - CSS3_CONDITIONAL_RULES
        - WILL_REVEAL_EDGE_EVENTS

        * Configurations/FeatureDefines.xcconfig:

2014-07-15  Benjamin Poulain  <benjamin@webkit.org>

        Reduce the overhead of updating the AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=134659

        Reviewed by Gavin Barraclough.

        In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
        That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
        there.

        On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
        to get the real address of a label. That is done by reusing the memory of AssemblerData.

        To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
        a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
        to make clang give up a bunch of optimizations.

        This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
        In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.

        Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
        the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
        specific way that would make it unusable for the Assembler.

        -- Technical details --

        From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
        into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
        To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
        exactly what code accesses the Assembler instance. The code that does access the instance is then moved
        at the beginning, before we modify anything.

        The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
        to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
        to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).

        -- Perf impact --

        This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
        On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
        time by ~20%.

        I could not measure any difference on x86_64.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::jumpSizeDelta):
        (JSC::ARM64Assembler::canCompact):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ifThenElseConditionBit):
        (JSC::ARMv7Assembler::ifThenElse):
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::canCompact):
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkConditionalBX):
        (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerData::operator=):
        (JSC::AssemblerData::~AssemblerData):
        (JSC::AssemblerData::buffer):
        (JSC::AssemblerData::capacity):
        (JSC::AssemblerData::grow):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::isAvailable):
        (JSC::AssemblerBuffer::data):
        (JSC::AssemblerBuffer::releaseAssemblerData):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::append):
        (JSC::AssemblerBuffer::grow):
        (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
        (JSC::AssemblerBuffer::storage): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::canCompact):
        (JSC::MacroAssemblerARM64::computeJumpType):
        (JSC::MacroAssemblerARM64::jumpSizeDelta):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::canCompact):
        (JSC::MacroAssemblerARMv7::computeJumpType):
        (JSC::MacroAssemblerARMv7::jumpSizeDelta):
        (JSC::MacroAssemblerARMv7::link):
        (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.

2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Stores to PropertyTable use the Structure as the owner
        https://bugs.webkit.org/show_bug.cgi?id=134595

        Reviewed by Darin Adler.

        Since PropertyTable is the object that does the marking of these references, it should be the owner.

        Also removed some unused parameters to other methods that historically used the Structure as the owner.

        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):

2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=134928

        Reviewed by Andreas Kling.

        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.

2014-07-15  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Buildfix if LLINT_SLOW_PATH_TRACING is enabled
        https://bugs.webkit.org/show_bug.cgi?id=133790

        Reviewed by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-07-14  Filip Pizlo  <fpizlo@apple.com>

        Allow for Int52Rep to see things other than Int32, and make this testable
        https://bugs.webkit.org/show_bug.cgi?id=134873
        <rdar://problem/17641915>

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        A major premise of our type inference is that prediction propagation can say whatever it
        wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
        We required some kind of agreement between prediction propagation and fixup over which
        data flow paths were Int52 and which weren't.

        It turns out that we basically had such an agreement, with the exception of code that was
        unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
        might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
        be a bug! Normally, we allow sloppiness in prediction propagation.

        This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
        ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
        int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
        empowered Int52Rep is actually correct - in case we end up using it on paths other than
        ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
        us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
        this intrinsic. This means that we're now stressing Int52Rep more so than ever before!

        Note that it would still be a bug for prediction propagation to ever cause us to create an
        Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
        a crash bug.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isMachineIntConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isMachineIntConstant):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionIdentity):
        * runtime/Intrinsic.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::tryConvertToInt52):
        (JSC::isInt52):
        (JSC::JSValue::isMachineInt):
        * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/int52-force-osr-exit-path.js: Added.
        (foo):

8282014-07-14 Mark Hahnenberg <mhahnenberg@apple.com>
829
830 Flattening dictionaries with oversize backing stores can cause crashes
831 https://bugs.webkit.org/show_bug.cgi?id=134906
832
833 Reviewed by Filip Pizlo.
834
835 The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
836 of the CopiedBlock header. This was always the case except for when flattening a dictionary
837 caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
838 Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
839 would no longer be within the first 32 KB of the CopiedBlock and the next collection would
840 choke on the Butterfly pointer.
841
842 This patch fixes this issue by detect this situation during flattening and memmove-ing
843 the Butterfly down to where the old base was.
844
845 * runtime/JSObject.cpp:
846 (JSC::JSObject::shiftButterflyAfterFlattening):
847 * runtime/JSObject.h:
848 (JSC::JSObject::butterflyPreCapacity):
849 (JSC::JSObject::butterflyTotalSize):
850 * runtime/Structure.cpp:
851 (JSC::Structure::flattenDictionaryStructure):
852 * tests/stress/flatten-oversize-dictionary-object.js: Added.
853 (foo):
854
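As an added illustration (not JavaScriptCore code; ToyObject, kHeaderWindow and the other names are assumed for the demo), the following C++ models the invariant this entry describes: a butterfly whose computed base drifts past the 32 KB window when flattening shrinks it, and the memmove-down that keeps the base where it was.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

namespace {

const size_t kBlockSize = 64 * 1024;
const size_t kHeaderWindow = 32 * 1024;  // the collector's 32 KB expectation
const size_t kSlotSize = sizeof(uint64_t);

// Toy layout inside a block, lowest address first (assumed model, not JSC's):
//   base() -> [preCapacity bytes][out-of-line property slots][indexed payload]
//                                                            ^ butterfly
// The collector is handed base(), so base() must stay within kHeaderWindow of
// the block start.
struct ToyObject {
    char* butterfly;           // points just past the property slots
    size_t preCapacity;        // slack bytes before the property slots
    size_t outOfLineCapacity;  // property slots stored before `butterfly`
    size_t indexedBytes;       // payload stored at and after `butterfly`

    char* base() const { return butterfly - preCapacity - outOfLineCapacity * kSlotSize; }
    size_t totalSize() const { return preCapacity + outOfLineCapacity * kSlotSize + indexedBytes; }
};

bool baseWithinHeaderWindow(const char* block, const ToyObject& o)
{
    return o.base() >= block && static_cast<size_t>(o.base() - block) < kHeaderWindow;
}

// Flattening compacts the live property slots directly before the butterfly
// pointer; modelled as the capacity shrinking while the pointer stays put, so
// base() moves up by the removed bytes. This is the pre-fix behaviour.
void flattenWithoutShift(ToyObject& o, size_t newOutOfLineCapacity)
{
    assert(newOutOfLineCapacity <= o.outOfLineCapacity);
    o.outOfLineCapacity = newOutOfLineCapacity;
}

// The fix the entry describes: memmove the now-smaller butterfly down so its
// base lands where the old base was, then recompute the butterfly pointer.
void flattenWithShift(ToyObject& o, size_t newOutOfLineCapacity)
{
    assert(newOutOfLineCapacity <= o.outOfLineCapacity);
    char* oldBase = o.base();
    o.outOfLineCapacity = newOutOfLineCapacity;
    char* newBase = o.base();  // higher address than oldBase
    std::memmove(oldBase, newBase, o.totalSize());  // regions may overlap: memmove, not memcpy
    o.butterfly = oldBase + o.preCapacity + o.outOfLineCapacity * kSlotSize;
}

// Constructed scenario: an oversize butterfly whose base() is the block start.
ToyObject makeOversizeObject(std::vector<char>& block, size_t outOfLineCapacity, size_t indexedBytes)
{
    ToyObject o;
    o.preCapacity = 0;
    o.outOfLineCapacity = outOfLineCapacity;
    o.indexedBytes = indexedBytes;
    o.butterfly = block.data() + outOfLineCapacity * kSlotSize;
    assert(o.totalSize() <= kBlockSize);
    return o;
}

}  // namespace

// Offset of base() from the block start after flattening 5000 slots (40 000
// bytes, an oversize backing store) down to 2, with and without the shift.
size_t baseOffsetAfterFlatten(bool withShift)
{
    std::vector<char> block(kBlockSize, 0);
    ToyObject o = makeOversizeObject(block, 5000, 1024);
    if (withShift)
        flattenWithShift(o, 2);
    else
        flattenWithoutShift(o, 2);
    return static_cast<size_t>(o.base() - block.data());
}

// True when the shifted flatten keeps base() inside the window and the indexed
// payload survives the memmove byte for byte.
bool shiftedFlattenIsSound()
{
    std::vector<char> block(kBlockSize, 0);
    ToyObject o = makeOversizeObject(block, 5000, 1024);
    std::memset(o.butterfly, 0x5a, 1024);  // mark the indexed payload
    flattenWithShift(o, 2);
    bool inWindow = baseWithinHeaderWindow(block.data(), o);
    bool payloadIntact = o.butterfly[0] == 0x5a && o.butterfly[1023] == 0x5a;
    bool pointerMoved = o.butterfly == block.data() + 2 * kSlotSize;
    return inWindow && payloadIntact && pointerMoved;
}

int main()
{
    std::printf("base offset without shift: %zu, with shift: %zu, sound: %d\n",
        baseOffsetAfterFlatten(false), baseOffsetAfterFlatten(true), shiftedFlattenIsSound());
    return 0;
}
```

Without the shift the base ends up 39 984 bytes past the block start, beyond the 32 KB window; with it the base stays at offset 0 and the payload is unchanged.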
2014-07-14 Benjamin Poulain <benjamin@webkit.org>

        Remove some dead code from FTLJITFinalizer
        https://bugs.webkit.org/show_bug.cgi?id=134874

        Reviewed by Geoffrey Garen.

        Not sure what that code was for...but it does not do anything :)

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        The pointer of the label is computed but never used.

        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        The label is never set to anything.

2014-07-14 Bear Travis <betravis@adobe.com>

        [Feature Queries] Enable Feature Queries on Mac
        https://bugs.webkit.org/show_bug.cgi?id=134404

        Reviewed by Antti Koivisto.

        Enable Feature Queries on Mac and resume running the
        feature tests.

        * Configurations/FeatureDefines.xcconfig: Turn on
        ENABLE_CSS3_CONDITIONAL_RULES.

2014-07-11 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Debugger Pause button does not work
        https://bugs.webkit.org/show_bug.cgi?id=134785

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        Minification strips the sourceURL command. Add it back with minification.

2014-07-11 peavo@outlook.com <peavo@outlook.com>

        [Win] Enable DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=123615

        Reviewed by Mark Lam.

        When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
        the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
        Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
        since the register allocation differs on 64-bit Windows.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
        (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
        * jit/JIT.h:
        (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
        (JSC::JIT::callOperation): Call new method.

2014-07-09 Benjamin Poulain <benjamin@webkit.org>

        Use 16-bit instructions for push/pop on ARMv7 when possible
        https://bugs.webkit.org/show_bug.cgi?id=134753

        Reviewed by Geoffrey Garen.

        The patch r170839 mixed the code for push/pop pair and single push/pop.
        That part was reverted in r170909.

        This patch puts the code back but specialized for single push/pop.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::pop):
        (JSC::MacroAssemblerARMv7::push):

2014-07-09 Brent Fulgham <bfulgham@apple.com>

        [Win] Remove uses of 'bash' in build system
        https://bugs.webkit.org/show_bug.cgi?id=134782
        <rdar://problem/17615533>

        Reviewed by Dean Jackson.

        Remove uses of 'bash' by replacing Windows-specific bash scripts
        with Perl equivalents.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
        * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
        * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
        * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2014-07-09 Brent Fulgham <bfulgham@apple.com>

        [Win] Remove use of 'grep' in build steps
        https://bugs.webkit.org/show_bug.cgi?id=134770
        <rdar://problem/17608783>

        Reviewed by Tim Horton.

        Replace uses of the grep command in Windows builds with the equivalent
        Perl program.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2014-07-08 Benjamin Poulain <benjamin@webkit.org>

        Restore the assertion changed with 170839

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        Revert the Assembler part of 170839. The assertions do not match both encodings.

        I'll add specific versions of push and pop instead.

2014-07-08 Jon Honeycutt <jhoneycutt@apple.com>

        RemoteInspector::shared() should not call WTF::initializeMainThread()
        <https://bugs.webkit.org/show_bug.cgi?id=134747>
        <rdar://problem/17161482>

        Reviewed by Joseph Pecoraro.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::shared):
        Don't call WTF::initializeMainThread(). WTF threading is initialized by
        JSC::initializeThreading().

2014-07-08 Andreas Kling <akling@apple.com>

        VM::lastCachedString should be a Strong, not a Weak.
        <https://webkit.org/b/134746>

        Using Weak<JSString> for this regressed some of our bindings perf tests
        due to Weak having to allocate a new WeakImpl every time the last cached
        string changed. Making it a Strong instead should make that problem go away.

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/VM.h:

2014-07-07 Benjamin Poulain <bpoulain@apple.com>

        Fix the build after r170876

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):

2014-07-07 Benjamin Poulain <benjamin@webkit.org>

        LinkBuffer should not keep a reference to the MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=134668

        Reviewed by Geoffrey Garen.

        In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
        When that happens, the pointer m_assembler points to released memory. That was not causing
        issues because the attribute is not used after linking, but that was not particularly
        future proof.

        This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
        as a reference; it is used for linking but no reference is ever stored with the LinkBuffer.

        While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
        everywhere. I refactored some #include to avoid that.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * bytecode/Watchpoint.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLJSCall.cpp:
        * ftl/FTLJSCall.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITOpcodes.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::registerRestorationThunkGenerator):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkForThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator):
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2014-07-07 Andreas Kling <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Reviewed by Darin Adler.

        Follow-up to r170818 addressing a review comment by Geoff Garen.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):

2014-07-07 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(FTL_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134680

        Reviewed by Darin Adler.

        * ftl/FTLDWARFDebugLineInfo.cpp:
        * ftl/FTLDWARFDebugLineInfo.h:
        * ftl/FTLGeneratedFunction.h:

2014-07-07 Zan Dobersek <zdobersek@igalia.com>

        Enable ARMv7 disassembler for the GTK port
        https://bugs.webkit.org/show_bug.cgi?id=134676

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().

2014-07-06 Benjamin Poulain <benjamin@webkit.org>

        [ARMv7] Use 16-bit instructions for push/pop when possible
        https://bugs.webkit.org/show_bug.cgi?id=134656

        Reviewed by Andreas Kling.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
        Add the 16-bit version of push and pop.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::pop):
        (JSC::MacroAssemblerARMv7::push):
        Use the new push/pop instead of a regular load/store.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
        Fix the disassembler for push/pop:
        - The register mask was on 7 bits for some reason.
        - The code printing the registers was comparing a register ID with a register
          mask.

2014-07-06 Yoav Weiss <yoav@yoav.ws>

        Turn on img@sizes compile flag
        https://bugs.webkit.org/show_bug.cgi?id=134634

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.

2014-07-06 Daewoong Jang <daewoong.jang@navercorp.com>

        Flags value of SourceCodeKey should be unique for each case.
        https://bugs.webkit.org/show_bug.cgi?id=134435

        Reviewed by Darin Adler.

        Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
        the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
        Shift the value of CodeType one bit farther to the left so those values don't overlap.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):

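Added example, not the project's SourceCodeKey (the enumerator sets, the shift amounts and the cache shape are assumptions): two enums packed into one flags word with overlapping bit ranges, the collision that results, the disjoint layout that fixes it, and a generic overlap check worth keeping next to any hand-packed flags word. The cache part shows the consequence the entry implies: code compiled for one (CodeType, strictness) pair being served for another.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Assumed enumerator sets for the demo: each needs two bits.
enum CodeType { GlobalCode = 0, EvalCode = 1, FunctionCode = 2 };
enum JSParserStrictness { JSParseNormal = 0, JSParseStrict = 1, JSParseBuiltin = 2 };

typedef unsigned (*PackFn)(CodeType, JSParserStrictness);

// Overlapping layout (the bug shape): CodeType starts at bit 1, but strictness
// occupies bits 0-1, so bit 1 is shared between the two fields.
unsigned packFlagsOverlapping(CodeType t, JSParserStrictness s)
{
    return (static_cast<unsigned>(t) << 1) | static_cast<unsigned>(s);
}

// Disjoint layout (the fix shape): CodeType starts one bit farther to the left.
unsigned packFlagsDisjoint(CodeType t, JSParserStrictness s)
{
    return (static_cast<unsigned>(t) << 2) | static_cast<unsigned>(s);
}

// Generic check: do two (shift, width) fields share any bit?
bool fieldsOverlap(unsigned shiftA, unsigned bitsA, unsigned shiftB, unsigned bitsB)
{
    unsigned maskA = ((1u << bitsA) - 1u) << shiftA;
    unsigned maskB = ((1u << bitsB) - 1u) << shiftB;
    return (maskA & maskB) != 0;
}

// Number of distinct keys a packer yields over all nine combinations; 9 is correct.
size_t distinctKeys(PackFn pack)
{
    std::set<unsigned> seen;
    for (int t = GlobalCode; t <= FunctionCode; ++t)
        for (int s = JSParseNormal; s <= JSParseBuiltin; ++s)
            seen.insert(pack(static_cast<CodeType>(t), static_cast<JSParserStrictness>(s)));
    return seen.size();
}

// Consequence for a code cache keyed on the flags word. Returns true when a
// lookup for (GlobalCode, JSParseBuiltin) hits the entry stored for
// (EvalCode, JSParseNormal), i.e. the cache hands back the wrong compiled code.
bool cacheConfusion(PackFn pack)
{
    std::map<unsigned, std::string> cache;
    cache[pack(EvalCode, JSParseNormal)] = "eval, sloppy";
    std::map<unsigned, std::string>::const_iterator hit = cache.find(pack(GlobalCode, JSParseBuiltin));
    return hit != cache.end();  // a hit here is wrong: nothing was compiled for this pair
}

int main()
{
    std::printf("overlapping: %zu distinct keys, wrong cache hit: %d\n",
        distinctKeys(packFlagsOverlapping), static_cast<int>(cacheConfusion(packFlagsOverlapping)));
    std::printf("disjoint:    %zu distinct keys, wrong cache hit: %d\n",
        distinctKeys(packFlagsDisjoint), static_cast<int>(cacheConfusion(packFlagsDisjoint)));
    return 0;
}
```

With the overlapping layout only seven of the nine combinations get distinct keys; the disjoint layout gives all nine, and the cache lookup no longer crosses pairs.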
2014-07-04 Andreas Kling <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Also moved the whole thing from WebCore to JavaScriptCore since it
        makes more sense here, and inlined the lightweight checks, leaving only
        the hashmap stuff out of line.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsStringWithCache):
        * runtime/VM.h:

2014-07-03 Daniel Bates <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03 Filip Pizlo <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03 Filip Pizlo <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.

        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01 Mark Lam <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
        compact or reallocate its backing store, this can cause all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

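Added example, not the project's Debugger code (Breakpoint, VectorBackedLine and ListBackedLine are assumed names): a side table of raw pointers into a std::vector goes stale as soon as push_back reallocates, while the same side table over a std::list stays valid because list nodes never move. The stale-entry counter compares addresses only and never dereferences the recorded pointer, which is the discipline a checker for this class of bug needs.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <list>
#include <map>
#include <utility>
#include <vector>

struct Breakpoint {
    unsigned id;
    unsigned line;
    unsigned column;
};

// The shape the entry describes: breakpoints in a vector plus an
// id -> Breakpoint* map that assumes the entries never move.
struct VectorBackedLine {
    std::vector<Breakpoint> breakpoints;
    std::map<unsigned, Breakpoint*> idToBreakpoint;

    void add(unsigned id, unsigned line, unsigned column)
    {
        Breakpoint bp = {id, line, column};
        breakpoints.push_back(bp);  // may reallocate and relocate every earlier element
        idToBreakpoint[id] = &breakpoints.back();
    }
};

// The fix shape: a doubly linked list. push_back never relocates existing nodes,
// so a pointer handed out earlier stays valid until that node is erased.
struct ListBackedLine {
    std::list<Breakpoint> breakpoints;
    std::map<unsigned, Breakpoint*> idToBreakpoint;

    void add(unsigned id, unsigned line, unsigned column)
    {
        Breakpoint bp = {id, line, column};
        breakpoints.push_back(bp);
        idToBreakpoint[id] = &breakpoints.back();
    }
};

// Counts map entries whose recorded address differs from the current address of
// the element with that id. Addresses are compared as integers only; the recorded
// pointer is never dereferenced, because for the vector it may already dangle.
template <typename Line>
size_t staleEntries(const Line& line)
{
    size_t stale = 0;
    for (const auto& entry : line.idToBreakpoint) {
        std::uintptr_t recorded = reinterpret_cast<std::uintptr_t>(entry.second);
        std::uintptr_t current = 0;
        for (const Breakpoint& bp : line.breakpoints) {
            if (bp.id == entry.first)
                current = reinterpret_cast<std::uintptr_t>(&bp);
        }
        if (recorded != current)
            ++stale;
    }
    return stale;
}

// Constructed scenario: one breakpoint, then `extra` more to provoke vector
// growth. Returns (stale entries with the vector, stale entries with the list).
std::pair<size_t, size_t> demonstrate(unsigned extra)
{
    VectorBackedLine vec;
    ListBackedLine lst;
    vec.add(1, 10, 0);
    lst.add(1, 10, 0);
    for (unsigned i = 0; i < extra; ++i) {
        vec.add(100 + i, 20 + i, 0);
        lst.add(100 + i, 20 + i, 0);
    }
    return std::make_pair(staleEntries(vec), staleEntries(lst));
}

int main()
{
    std::pair<size_t, size_t> r = demonstrate(64);
    std::printf("stale id->pointer entries: vector %zu, list %zu\n", r.first, r.second);
    return 0;
}
```

Built with AddressSanitizer, the vector variant would report a heap-use-after-free the first time the debugger followed one of the stale map entries; the list variant keeps the map consistent across any number of insertions.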
2014-06-30 Michael Saboff <msaboff@apple.com>

        Add option to run-jsc-stress-tests to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30 Daniel Bates <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take and return a non-
        constant rvalue reference so that we actually move the closed variables vector from the Parser
        object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

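Added example, not the parser code (Tracked, ParserBefore/ParserAfter and NodeBefore/NodeAfter are assumed names): why a const rvalue reference defeats move semantics. A `const T&&` cannot bind to T's move constructor or move assignment operator, so the "before" shape copies the vector even when std::move is applied; dropping the const turns the transfer into a move, and the caller needs no std::move of its own because the getter already returns an xvalue.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Instrumented stand-in for the closed-variables vector: counts copies and moves.
struct Tracked {
    std::vector<std::string> names;
    static int copies;
    static int moves;
    Tracked() {}
    Tracked(const Tracked& other) : names(other.names) { ++copies; }
    Tracked(Tracked&& other) noexcept : names(std::move(other.names)) { ++moves; }
    Tracked& operator=(const Tracked& other) { names = other.names; ++copies; return *this; }
    Tracked& operator=(Tracked&& other) noexcept { names = std::move(other.names); ++moves; return *this; }
};
int Tracked::copies = 0;
int Tracked::moves = 0;

// "Before" shape: const rvalue references on both ends.
struct ParserBefore {
    Tracked closed;
    const Tracked&& closedVariables() { return std::move(closed); }
};
struct NodeBefore {
    Tracked closed;
    // `v` is const, so even std::move(v) yields const Tracked&&, which cannot bind
    // to Tracked&&; overload resolution picks the copy assignment.
    void setClosedVariables(const Tracked&& v) { closed = std::move(v); }
};

// "After" shape: non-const rvalue references, so the vector actually moves.
struct ParserAfter {
    Tracked closed;
    Tracked&& closedVariables() { return std::move(closed); }
};
struct NodeAfter {
    Tracked closed;
    void setClosedVariables(Tracked&& v) { closed = std::move(v); }
};

struct Counts {
    int copies;
    int moves;
    size_t transferred;  // how many names arrived in the node
};

Counts transferBefore()
{
    Tracked::copies = Tracked::moves = 0;
    ParserBefore parser;
    parser.closed.names = {"a", "b", "c"};  // constructed sample input
    NodeBefore node;
    node.setClosedVariables(parser.closedVariables());
    Counts c = {Tracked::copies, Tracked::moves, node.closed.names.size()};
    return c;
}

Counts transferAfter()
{
    Tracked::copies = Tracked::moves = 0;
    ParserAfter parser;
    parser.closed.names = {"a", "b", "c"};
    NodeAfter node;
    node.setClosedVariables(parser.closedVariables());  // no std::move needed: already an xvalue
    Counts c = {Tracked::copies, Tracked::moves, node.closed.names.size()};
    return c;
}

int main()
{
    Counts b = transferBefore();
    Counts a = transferAfter();
    std::printf("const T&&: %d copies, %d moves; T&&: %d copies, %d moves\n",
        b.copies, b.moves, a.copies, a.moves);
    return 0;
}
```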
2014-06-30 Joseph Pecoraro <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.

        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Let's store the RunLoop on the debuggable instead of this core
        platform-agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Set up, tear down, and use private run loop sources if the debuggable needs it.

2014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29 Yoav Weiss <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27 Filip Pizlo <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27 Peyton Randolph <prandolph@apple.com>

        Add feature flag for link long-press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=134262

        Reviewed by Enrica Casucci.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_LINK_LONG_PRESS.

2014-06-27 László Langó <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26 Benjamin Poulain <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25 Brent Fulgham <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the Windows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26 David Kilzer <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25 Dana Burkart <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25 Geoffrey Garen <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25 Geoffrey Garen <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25 Brent Fulgham <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25 peavo@outlook.com <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
        Also, LLINT and JIT are enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25 Laszlo Gombos <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24 Michael Saboff <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24 Brady Eidson <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
        functions at runtime.

2014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24 Brent Fulgham <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

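Added example, not the StructureStubInfo or Nodes code (AccessType and its enumerators are assumed): MSVC gives an enum bit-field signed storage, so a two-bit field holding the enumerator 2 or 3 reads back sign-extended. A signed `int` bit-field reproduces that behaviour on every mainstream compiler, which is what the demo uses as the "before"; the "after" matches the entry, unsigned storage with a cast back to the enum on read.

```cpp
#include <cassert>
#include <cstdio>

enum AccessType { GetById = 0, PutById = 1, InById = 2, ByValue = 3 };  // assumed enumerators

// What MSVC effectively does with `AccessType accessType : 2;`: the field is
// signed, so only -2..1 are representable and 2 and 3 wrap to -2 and -1.
struct SignedFieldInfo {
    int accessType : 2;
    int otherBits : 30;
};

// The fix shape from the entry: unsigned storage, cast back to the enum on read.
struct UnsignedFieldInfo {
    unsigned accessType : 2;
    unsigned otherBits : 30;
    AccessType type() const { return static_cast<AccessType>(accessType); }
};

// Value read back after storing `t` in the two-bit signed field.
int roundTripSigned(AccessType t)
{
    SignedFieldInfo info = {};
    info.accessType = static_cast<int>(t);  // 2 and 3 do not fit in a signed two-bit field
    return info.accessType;
}

// Value read back through the unsigned field; always equals the enumerator.
int roundTripUnsigned(AccessType t)
{
    UnsignedFieldInfo info = {};
    info.accessType = static_cast<unsigned>(t);
    return static_cast<int>(info.type());
}

// A switch over the field, as code reading such a struct would do. Returns the
// case that ran, or -1 when the stored value matched no enumerator at all,
// which is the "interpreting the value of the field improperly" failure.
int dispatch(int storedValue)
{
    switch (storedValue) {
    case GetById:
        return GetById;
    case PutById:
        return PutById;
    case InById:
        return InById;
    case ByValue:
        return ByValue;
    default:
        return -1;
    }
}

int main()
{
    for (int v = GetById; v <= ByValue; ++v) {
        AccessType t = static_cast<AccessType>(v);
        std::printf("enumerator %d: signed field reads %d (dispatch %d), unsigned field reads %d (dispatch %d)\n",
            v, roundTripSigned(t), dispatch(roundTripSigned(t)), roundTripUnsigned(t), dispatch(roundTripUnsigned(t)));
    }
    return 0;
}
```

The two low enumerators survive either way; InById and ByValue come back as -2 and -1 from the signed field and fall through to the default case, whereas the unsigned field returns them intact.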
2014-06-23 Andreas Kling <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20 Sam Weinig <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21 Brady Eidson <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        - Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        - Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there. Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21 Brady Eidson <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        - Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        - Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20 Andreas Kling <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19 Alex Christensen <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncom Call):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
1761 * bytecode/GetByIdStatus.cpp:
1762 (JSC::GetByIdStatus::computeFromLLInt):
1763 * bytecode/Opcode.h:
1764 (JSC::padOpcodeName):
1765 * bytecode/PutByIdStatus.cpp:
1766 (JSC::PutByIdStatus::computeFromLLInt):
1767 * bytecompiler/BytecodeGenerator.cpp:
1768 (JSC::BytecodeGenerator::emitCall):
1769 (JSC::BytecodeGenerator::emitConstruct):
1770 * heap/Heap.cpp:
1771 (JSC::Heap::gatherJSStackRoots):
1772 * interpreter/Interpreter.cpp:
1773 (JSC::Interpreter::initialize):
1774 (JSC::Interpreter::isOpcode):
1775 * interpreter/Interpreter.h:
1776 (JSC::Interpreter::getOpcodeID):
1777 * interpreter/JSStack.cpp:
1778 (JSC::JSStack::JSStack):
1779 (JSC::JSStack::committedByteCount):
1780 * interpreter/JSStack.h:
1781 * interpreter/JSStackInlines.h:
1782 (JSC::JSStack::ensureCapacityFor):
1783 (JSC::JSStack::topOfFrameFor):
1784 (JSC::JSStack::setStackLimit):
1785 * jit/ExecutableAllocatorFixedVMPool.cpp:
1786 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1787 * jit/JIT.h:
1788 (JSC::JIT::compileCTINativeCall):
1789 * jit/JITExceptions.h:
1790 * jit/JITThunks.cpp:
1791 (JSC::JITThunks::ctiNativeCall):
1792 (JSC::JITThunks::ctiNativeConstruct):
1793 * llint/LLIntCLoop.cpp:
1794 * llint/LLIntCLoop.h:
1795 * llint/LLIntData.cpp:
1796 (JSC::LLInt::initialize):
1797 (JSC::LLInt::Data::performAssertions):
1798 * llint/LLIntData.h:
1799 (JSC::LLInt::Data::performAssertions): Deleted.
1800 * llint/LLIntEntrypoint.cpp:
1801 * llint/LLIntEntrypoint.h:
1802 * llint/LLIntExceptions.cpp:
1803 * llint/LLIntExceptions.h:
1804 * llint/LLIntOfflineAsmConfig.h:
1805 * llint/LLIntOffsetsExtractor.cpp:
1806 (JSC::LLIntOffsetsExtractor::dummy):
1807 * llint/LLIntOpcode.h:
1808 * llint/LLIntSlowPaths.cpp:
1809 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1810 * llint/LLIntSlowPaths.h:
1811 * llint/LLIntThunks.cpp:
1812 * llint/LLIntThunks.h:
1813 * llint/LowLevelInterpreter.cpp:
1814 * llint/LowLevelInterpreter.h:
1815 * runtime/CommonSlowPaths.cpp:
1816 * runtime/CommonSlowPaths.h:
1817 * runtime/ErrorHandlingScope.cpp:
1818 (JSC::ErrorHandlingScope::ErrorHandlingScope):
1819 (JSC::ErrorHandlingScope::~ErrorHandlingScope):
1820 * runtime/Executable.cpp:
1821 (JSC::setupLLInt):
1822 * runtime/InitializeThreading.cpp:
1823 (JSC::initializeThreading):
1824 * runtime/JSCJSValue.h:
1825 * runtime/JSCJSValueInlines.h:
1826 * runtime/Options.cpp:
1827 (JSC::recomputeDependentOptions):
1828 * runtime/VM.cpp:
1829 (JSC::VM::VM):
1830 (JSC::sanitizeStackForVM):
1831 * runtime/VM.h:
1832 (JSC::VM::canUseJIT): Deleted.
1833
18342014-06-18 Alex Christensen <achristensen@webkit.org>
1835
1836 Add FTL to Windows build.
1837 https://bugs.webkit.org/show_bug.cgi?id=134015
1838
1839 Reviewed by Filip Pizlo.
1840
1841 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1842 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1843 Added ftl source files.
1844 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1845 Added ftl and llvm directories to include path.
1846 * JavaScriptCore.vcxproj/libllvmForJSC: Added.
1847 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
1848 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
1849 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
1850 * ftl/FTLLowerDFGToLLVM.cpp:
1851 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1852 MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
1853 * llvm/InitializeLLVMWin.cpp: Added.
1854 (JSC::initializeLLVMImpl):
1855 Implemented dynamic loading and linking for Windows.
1856
18572014-06-18 Alex Christensen <achristensen@webkit.org>
1858
1859 Unreviewed build fix after r170107.
1860
1861 * dfg/DFGSpeculativeJIT.cpp:
1862 (JSC::DFG::SpeculativeJIT::compileArithMod):
1863 Use non-template sub for armv7s.
1864
18652014-06-18 David Kilzer <ddkilzer@apple.com>
1866
1867 -[JSContext setName:] leaks NSString
1868 <http://webkit.org/b/134038>
1869
1870 Reviewed by Joseph Pecoraro.
1871
1872 Fixes the following static analyzer warning:
1873
1874 JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
1875 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
1876 ^
1877
1878 * API/JSContext.mm:
1879 (-[JSContext setName:]): Autorelease the copy of |name|.
1880
18812014-06-18 Mark Lam <mark.lam@apple.com>
1882
1883 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
1884 <https://webkit.org/b/133994>
1885
1886 Reviewed by Geoffrey Garen.
1887
1888 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
1889 because it means two unfortunate things:
1890 - It will probably break for zero.
1891 - It will think that -0 is the same as +0 under some circumstances, since
1892 -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
1893
1894 The fix is to use std::unordered_map which does not require special empty
1895 and deleted values, and to use the raw bits instead of the double value as
1896 the key.
1897
1898 * dfg/DFGGraph.h:
1899 * dfg/DFGJITCompiler.cpp:
1900 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1901
19022014-06-18 Alex Christensen <achristensen@webkit.org>
1903
1904 Remove duplicate code using sdiv.
1905 https://bugs.webkit.org/show_bug.cgi?id=133764
1906
1907 Reviewed by Daniel Bates.
1908
1909 * assembler/ARMv7Assembler.h:
1910 (JSC::ARMv7Assembler::sdiv):
1911 Make sdiv a template to match arm64.
1912 * dfg/DFGSpeculativeJIT.cpp:
1913 (JSC::DFG::SpeculativeJIT::compileArithDiv):
1914 (JSC::DFG::SpeculativeJIT::compileArithMod):
1915 Remove duplicate code that was identical except for sdiv not being a template.
1916
19172014-06-17 Commit Queue <commit-queue@webkit.org>
1918
1919 Unreviewed, rolling out r170082.
1920 https://bugs.webkit.org/show_bug.cgi?id=134006
1921
1922 Breaks build. (Requested by mlam on #webkit).
1923
1924 Reverted changeset:
1925
1926 "DFGGraph::m_doubleConstantMap will not map 0 values
1927 correctly."
1928 https://bugs.webkit.org/show_bug.cgi?id=133994
1929 http://trac.webkit.org/changeset/170082
1930
19312014-06-17 Mark Lam <mark.lam@apple.com>
1932
1933 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
1934 <https://webkit.org/b/133994>
1935
1936 Reviewed by Geoffrey Garen.
1937
1938 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
1939 because it means two unfortunate things:
1940 - It will probably break for zero.
1941 - It will think that -0 is the same as +0 under some circumstances, since
1942 -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
1943
1944 The fix is to use std::unordered_map which does not require special empty
1945 and deleted values, and to use the raw bits instead of the double value as
1946 the key.
1947
1948 * dfg/DFGGraph.h:
1949 * dfg/DFGJITCompiler.cpp:
1950 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
1951
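The 2014-06-18 entry above and this 2014-06-17 original describe the same fix: stop keying the DFG's double-constant map on the double value. As an added illustration that is not JavaScriptCore code, the C++ below shows the two failure modes the entry names and the raw-bits alternative. The sentinel value 0.0 used by the open-addressed set, the pool types and all helper names are assumptions made for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>
#include <unordered_map>
#include <vector>

// (1) The in-band sentinel problem. An open-addressed table has to mark empty
// buckets with some key value, and that value can then never be stored. Using
// 0.0 as the marker is an assumption made for this illustration; the point is
// that any double chosen as a sentinel becomes unstorable, and 0.0 takes -0.0
// with it because -0.0 == 0.0.
struct SentinelDoubleSet {
    static constexpr double emptyKey = 0.0;
    static constexpr size_t capacity = 16;
    double slots[capacity];

    SentinelDoubleSet() { for (double& s : slots) s = emptyKey; }

    static size_t bucket(double d) {
        uint64_t b;
        std::memcpy(&b, &d, sizeof b);
        return static_cast<size_t>(b ^ (b >> 32)) % capacity;
    }

    // Returns false if the key collides with the sentinel or the table is full.
    bool insert(double d) {
        if (d == emptyKey) return false;            // rejects 0.0 and -0.0 alike
        for (size_t i = 0; i < capacity; ++i) {
            double& s = slots[(bucket(d) + i) % capacity];
            if (s == emptyKey || s == d) { s = d; return true; }
        }
        return false;
    }
};

// (2) The value-equality problem. std::unordered_map<double, ...> needs no
// sentinel, but it still keys on ==: -0.0 and +0.0 share one slot even though
// they are distinct values (1/-0.0 is -Infinity, 1/+0.0 is +Infinity), and a
// NaN constant can never be found again because NaN != NaN.
struct ValueKeyedPool {
    std::unordered_map<double, size_t> index;
    std::vector<double> constants;

    // Returns the slot holding d, adding it if absent.
    size_t intern(double d) {
        auto it = index.find(d);
        if (it != index.end()) return it->second;
        constants.push_back(d);
        index.emplace(d, constants.size() - 1);
        return constants.size() - 1;
    }
};

// (3) Keying on the IEEE-754 bit pattern fixes both: every 64-bit pattern is a
// legitimate key (no sentinel needed), -0.0 (sign bit set) and +0.0 get
// separate slots, and a NaN finds itself again. Caveat: NaNs with different
// payloads get different slots, which is harmless for a constant pool.
inline uint64_t bitsOf(double d) {
    uint64_t b;
    std::memcpy(&b, &d, sizeof b);
    return b;
}

struct BitKeyedPool {
    std::unordered_map<uint64_t, size_t> index;
    std::vector<double> constants;

    size_t intern(double d) {
        uint64_t key = bitsOf(d);
        auto it = index.find(key);
        if (it != index.end()) return it->second;
        constants.push_back(d);
        index.emplace(key, constants.size() - 1);
        return constants.size() - 1;
    }
};

// True only for -0.0: the sign is the one thing == cannot see.
inline bool isNegativeZero(double d) { return d == 0.0 && std::signbit(d); }

// A quiet NaN with a fixed payload, so repeated interning is comparable.
inline double quietNaN() { return std::numeric_limits<double>::quiet_NaN(); }
```

Interning 0.0 and then -0.0 through ValueKeyedPool hands back the same slot, so code later reading that constant sees +0 where the source had -0; BitKeyedPool keeps them apart and also deduplicates NaN, which ValueKeyedPool re-adds on every call.
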
19522014-06-17 Oliver Hunt <oliver@apple.com>
1953
1954 Fix error messages for incorrect hex literals
1955 https://bugs.webkit.org/show_bug.cgi?id=133998
1956
1957 Reviewed by Mark Lam.
1958
1959 Ensure that the error messages for bogus hex literals actually
1960 make sense.
1961
1962 * parser/Lexer.cpp:
1963 (JSC::Lexer<T>::lex):
1964 * parser/ParserTokens.h:
1965
19662014-06-17 Matthew Mirman <mmirman@apple.com>
1967
1968 Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
1969 https://bugs.webkit.org/show_bug.cgi?id=133814
1970
1971 Reviewed by Filip Pizlo.
1972
1973 Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
1974 script from using "*.o" as a file when no other files in the directory exist.
1975
1976 * build-symbol-table-index.sh: Added license.
1977 * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
1978
19792014-06-16 Sam Weinig <sam@webkit.org>
1980
1981 Move forward declaration of bindings static functions into their implementation files
1982 https://bugs.webkit.org/show_bug.cgi?id=133943
1983
1984 Reviewed by Geoffrey Garen.
1985
1986 * runtime/CommonIdentifiers.h:
1987 Add a few identifiers that are needed by the DOM.
1988
19892014-06-16 Mark Lam <mark.lam@apple.com>
1990
1991 Parser statementDepth accounting needs to account for when a function body excludes its braces.
1992 <https://webkit.org/b/133832>
1993
1994 Reviewed by Oliver Hunt.
1995
1996 In some cases (e.g. when a Function object is instantiated from a string), the
1997 function body source may not include its braces. The parser needs to account
1998 for this when calculating its statementDepth.
1999
2000 * bytecode/UnlinkedCodeBlock.cpp:
2001 (JSC::generateFunctionCodeBlock):
2002 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2003 * bytecode/UnlinkedCodeBlock.h:
2004 * parser/Parser.cpp:
2005 (JSC::Parser<LexerType>::parseStatement):
2006 - Also fixed the error message for declaring nested functions in strict mode
2007 to be more accurate.
2008 * parser/Parser.h:
2009 (JSC::Parser<LexerType>::parse):
2010 (JSC::parse):
2011 * runtime/Executable.cpp:
2012 (JSC::ScriptExecutable::newCodeBlockFor):
2013
20142014-06-16 Juergen Ributzka <juergen@apple.com>
2015
2016 Change the order of the alias analysis passes to align with the opt pipeline of LLVM
2017 https://bugs.webkit.org/show_bug.cgi?id=133753
2018
2019 Reviewed by Geoffrey Garen.
2020
2021 The order in which the alias analysis passes are added also affects the
2022 order in which they are utilized. Change the order to align with the
2023 one used by LLVM itself. The last alias analysis pass added will be
2024 evaluated first. With this change we first perform a basic alias
2025 analysis and then use the type-based alias analysis (if required).
2026
2027 * ftl/FTLCompile.cpp:
2028 (JSC::FTL::compile):
2029
20302014-06-16 Juergen Ributzka <juergen@apple.com>
2031
2032 Fix the arguments passed to the LLVM dylib
2033 https://bugs.webkit.org/show_bug.cgi?id=133757
2034
2035 Reviewed by Geoffrey Garen.
2036
2037 The LLVM command line argument parser assumes that the first argument
2038 is the program name. We need to add a fake program name, otherwise the
2039 first argument will be parsed as program name and ignored.
2040
2041 * llvm/library/LLVMExports.cpp:
2042 (initializeAndGetJSCLLVMAPI):
2043
20442014-06-16 Michael Saboff <msaboff@apple.com>
2045
2046 Convert ASSERT in inlineFunctionForCapabilityLevel to early return
2047 https://bugs.webkit.org/show_bug.cgi?id=133903
2048
2049 Reviewed by Mark Hahnenberg.
2050
2051 Hardened code by converting ASSERT to return CannotCompile.
2052
2053 * dfg/DFGCapabilities.h:
2054 (JSC::DFG::inlineFunctionForCapabilityLevel):
2055
20562014-06-13 Sam Weinig <sam@webkit.org>
2057
2058 Store DOM constants directly in the JS object rather than jumping through a custom accessor
2059 https://bugs.webkit.org/show_bug.cgi?id=133898
2060
2061 Reviewed by Oliver Hunt.
2062
2063 * runtime/Lookup.h:
2064 (JSC::HashTableValue::attributes):
2065 Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
2066 and will make adding more flags possible.
2067
2068 (JSC::HashTableValue::propertyGetter):
2069 (JSC::HashTableValue::propertyPutter):
2070 Change assertion to use BuiltinOrFunctionOrConstant.
2071
2072 (JSC::HashTableValue::constantInteger):
2073 Added.
2074
2075 (JSC::getStaticPropertySlot):
2076 (JSC::getStaticValueSlot):
2077 Use PropertySlot::setValue() for constants during static lookup.
2078
2079 (JSC::reifyStaticProperties):
2080 Put the constant directly on the object when eagerly reifying.
2081
2082 * runtime/PropertySlot.h:
2083 Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2084
20852014-06-14 Michael Saboff <msaboff@apple.com>
2086
2087 operationCreateArguments could cause a GC during OSR exit
2088 https://bugs.webkit.org/show_bug.cgi?id=133905
2089
2090 Reviewed by Filip Pizlo.
2091
2092 Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
2093 for use by OSR exit stubs.
2094
2095 * dfg/DFGOSRExitCompilerCommon.cpp:
2096 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2097 * dfg/DFGOperations.cpp:
2098 * dfg/DFGOperations.h:
2099 * jit/JITOperations.cpp:
2100 * jit/JITOperations.h:
2101
21022014-06-13 Mark Hahnenberg <mhahnenberg@apple.com>
2103
2104 OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
2105 https://bugs.webkit.org/show_bug.cgi?id=133880
2106
2107 Reviewed by Filip Pizlo.
2108
2109 We could have exited due to a value received from an inlined block that's no longer on
2110 the stack, so we should just barrier all InlineCallFrames.
2111
2112 * dfg/DFGOSRExitCompilerCommon.cpp:
2113 (JSC::DFG::adjustAndJumpToTarget):
2114
21152014-06-13 Alex Christensen <achristensen@webkit.org>
2116
2117 Make css jit compile for armv7.
2118 https://bugs.webkit.org/show_bug.cgi?id=133596
2119
2120 Reviewed by Benjamin Poulain.
2121
2122 * assembler/MacroAssembler.h:
2123 Use branchPtr on ARM_THUMB2.
2124 * assembler/MacroAssemblerARMv7.h:
2125 (JSC::MacroAssemblerARMv7::addPtrNoFlags):
2126 (JSC::MacroAssemblerARMv7::or32):
2127 (JSC::MacroAssemblerARMv7::test32):
2128 (JSC::MacroAssemblerARMv7::branch):
2129 (JSC::MacroAssemblerARMv7::branchPtr):
2130 Added macros necessary for css jit.
2131
21322014-06-13 Filip Pizlo <fpizlo@apple.com>
2133
2134 Unreviewed, fix ARMv7.
2135
2136 * assembler/MacroAssemblerARMv7.h:
2137 (JSC::MacroAssemblerARMv7::abortWithReason):
2138
21392014-06-12 Filip Pizlo <fpizlo@apple.com>
2140
2141 Even better diagnostics from DFG traps
2142 https://bugs.webkit.org/show_bug.cgi?id=133836
2143
2144 Reviewed by Oliver Hunt.
2145
2146 We now stuff the DFG::NodeType into a register before bailing. Also made the
2147 DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
2148 different numbers than any previous abort reasons.
2149
2150 * assembler/AbortReason.h:
2151 * assembler/MacroAssemblerARM64.h:
2152 (JSC::MacroAssemblerARM64::abortWithReason):
2153 * assembler/MacroAssemblerARMv7.h:
2154 (JSC::MacroAssemblerARMv7::abortWithReason):
2155 * assembler/MacroAssemblerX86.h:
2156 (JSC::MacroAssemblerX86::abortWithReason):
2157 * assembler/MacroAssemblerX86_64.h:
2158 (JSC::MacroAssemblerX86_64::abortWithReason):
2159 * dfg/DFGSpeculativeJIT.cpp:
2160 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2161 (JSC::DFG::SpeculativeJIT::bail):
2162 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2163 * dfg/DFGSpeculativeJIT.h:
2164
21652014-06-12 Simon Fraser <simon.fraser@apple.com>
2166
2167 Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
2168 https://bugs.webkit.org/show_bug.cgi?id=133840
2169
2170 Reviewed by Filip Pizlo.
2171
2172 Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
2173 when running DFG tests.
2174
2175 * API/JSCTestRunnerUtils.cpp:
2176 (JSC::numberOfDFGCompiles):
2177 (JSC::setNeverInline):
2178
21792014-06-12 Brent Fulgham <bfulgham@apple.com>
2180
2181 [Win] Avoid fork bomb during build
2182 https://bugs.webkit.org/show_bug.cgi?id=133837
2183 <rdar://problem/17296034>
2184
2185 Reviewed by Tim Horton.
2186
2187 * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
2188 reasonable default value when the 'num-cpus' script is not available.
2189
21902014-06-12 Mark Lam <mark.lam@apple.com>
2191
2192 Remove some dead / unused code.
2193 <https://webkit.org/b/133828>
2194
2195 Reviewed by Filip Pizlo.
2196
2197 * builtins/BuiltinExecutables.cpp:
2198 (JSC::BuiltinExecutables::createBuiltinExecutable):
2199 * bytecode/UnlinkedCodeBlock.cpp:
2200 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2201 * bytecode/UnlinkedCodeBlock.h:
2202 (JSC::UnlinkedFunctionExecutable::create):
2203 * bytecompiler/BytecodeGenerator.h:
2204 (JSC::BytecodeGenerator::makeFunction):
2205 * parser/Parser.h:
2206 (JSC::DepthManager::DepthManager): Deleted.
2207 (JSC::DepthManager::~DepthManager): Deleted.
2208 * runtime/CodeCache.cpp:
2209 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2210
22112014-06-12 Mark Hahnenberg <mhahnenberg@apple.com>
2212
2213 Move structureHasRareData out of TypeInfo
2214 https://bugs.webkit.org/show_bug.cgi?id=133800
2215
2216 Reviewed by Andreas Kling.
2217
2218 StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
2219 but we have a few spare bits in Structure so it would be nice to remove this hack.
2220
2221 * runtime/JSTypeInfo.h:
2222 (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
2223 (JSC::TypeInfo::structureHasRareData): Deleted.
2224 * runtime/Structure.cpp:
2225 (JSC::Structure::Structure):
2226 (JSC::Structure::allocateRareData):
2227 (JSC::Structure::cloneRareDataFrom):
2228 * runtime/Structure.h:
2229 (JSC::Structure::previousID):
2230 (JSC::Structure::objectToStringValue):
2231 (JSC::Structure::setObjectToStringValue):
2232 (JSC::Structure::setPreviousID):
2233 (JSC::Structure::clearPreviousID):
2234 (JSC::Structure::previous):
2235 (JSC::Structure::rareData):
2236 * runtime/StructureInlines.h:
2237 (JSC::Structure::setEnumerationCache):
2238 (JSC::Structure::enumerationCache):
2239
22402014-06-12 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
2241
2242 Allow enum guards to be generated from the replay json files
2243 https://bugs.webkit.org/show_bug.cgi?id=133399
2244
2245 Reviewed by Csaba Osztrogonác.
2246
2247 * replay/scripts/CodeGeneratorReplayInputs.py:
2248 (Type.__init__):
2249 (InputsModel.parse_type_with_framework_name):
2250 (Generator.generate_header):
2251 (Generator.generate_implementation):
2252 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
2253 (Test::HandleWheelEvent::HandleWheelEvent):
2254 (Test::HandleWheelEvent::~HandleWheelEvent):
2255 (JSC::InputTraits<Test::HandleWheelEvent>::type):
2256 (JSC::InputTraits<Test::HandleWheelEvent>::encode):
2257 (JSC::InputTraits<Test::HandleWheelEvent>::decode):
2258 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
2259 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
2260 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
2261 (JSC::InputTraits<Test::HandleWheelEvent>::queue):
2262 (Test::HandleWheelEvent::platformEvent):
2263 * replay/scripts/tests/generate-enum-with-guard.json: Added.
2264
22652014-06-12 Carlos Garcia Campos <cgarcia@igalia.com>
2266
2267 Unreviewed. Fix GTK+ build after r169823.
2268
2269 Include StructureInlines.h in a few more files to fix linking
2270 issues due to JSC::Structure::get undefined symbol.
2271
2272 * runtime/ArrayIteratorConstructor.cpp:
2273 * runtime/ArrayIteratorPrototype.cpp:
2274 * runtime/JSConsole.cpp:
2275 * runtime/JSMapIterator.cpp:
2276 * runtime/JSSet.cpp:
2277 * runtime/JSSetIterator.cpp:
2278 * runtime/JSWeakMap.cpp:
2279 * runtime/MapIteratorPrototype.cpp:
2280 * runtime/MapPrototype.cpp:
2281 * runtime/SetIteratorPrototype.cpp:
2282 * runtime/SetPrototype.cpp:
2283 * runtime/WeakMapPrototype.cpp:
2284
22852014-06-12 Csaba Osztrogonác <ossy@webkit.org>
2286
2287 [EFL] One more URTBF after r169823 to make ARM64 build happy too.
2288
2289 * runtime/JSMap.cpp:
2290
22912014-06-11 Mark Hahnenberg <mhahnenberg@apple.com>
2292
2293 Inline caching should try to flatten uncacheable dictionaries
2294 https://bugs.webkit.org/show_bug.cgi?id=133683
2295
2296 Reviewed by Geoffrey Garen.
2297
2298 There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
2299 which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
2300 If properties are deleted out of the object during its initialization, we can enable caching for that object by
2301 attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
2302 performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
2303 state then we can just give up on caching that object.
2304
2305 In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
2306 the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
2307 the other inline caching functions to return this enum rather than the opaque booleans that we were previously
2308 returning.
2309
2310 * jit/Repatch.cpp:
2311 (JSC::actionForCell):
2312 (JSC::tryCacheGetByID):
2313 (JSC::repatchGetByID):
2314 (JSC::tryBuildGetByIDList):
2315 (JSC::buildGetByIDList):
2316 (JSC::tryCachePutByID):
2317 (JSC::repatchPutByID):
2318 (JSC::tryBuildPutByIdList):
2319 (JSC::buildPutByIdList):
2320 (JSC::tryRepatchIn):
2321 (JSC::repatchIn):
2322 * runtime/Structure.cpp:
2323 (JSC::Structure::Structure):
2324 (JSC::Structure::flattenDictionaryStructure):
2325 * runtime/Structure.h:
2326 (JSC::Structure::hasBeenFlattenedBefore):
2327
23282014-06-11 Csaba Osztrogonác <ossy@webkit.org>
2329
2330 [EFL] URTBF after r169823.
2331
2332 * bindings/ScriptValue.cpp: Missing include added.
2333
23342014-06-11 Ryosuke Niwa <rniwa@webkit.org>
2335
2336 Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
2337
2338 Rubber-stamped by Andreas Kling.
2339
2340 * runtime/JSObject.h:
2341 (JSC::JSObject::fastGetOwnPropertySlot):
2342
23432014-06-11 Ryosuke Niwa <rniwa@webkit.org>
2344
2345 Turning on DUMP_PROPERTYMAP_STATS causes a build failure
2346 https://bugs.webkit.org/show_bug.cgi?id=133673
2347
2348 Reviewed by Andreas Kling.
2349
2350 Rewrote the property map statistics code because the old code wasn't building,
2351 and it was also mixing numbers for lookups and insertions/removals.
2352
2353 New logging code records the number of calls to PropertyTable::find (finds) and
2354 PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
2355 the amount of probing during updates and lookups.
2356
2357 * jsc.cpp:
2358 * runtime/PropertyMapHashTable.h:
2359 (JSC::PropertyTable::find):
2360 (JSC::PropertyTable::get):
2361 (JSC::PropertyTable::findWithString):
2362 (JSC::PropertyTable::add):
2363 (JSC::PropertyTable::remove):
2364 (JSC::PropertyTable::reinsert):
2365 (JSC::PropertyTable::rehash):
2366 * runtime/Structure.cpp:
2367 (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
2368 (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
2369
23702014-06-11 Andreas Kling <akling@apple.com>
2371
2372 Always inline JSValue::get() and Structure::get().
2373 <https://webkit.org/b/133755>
2374
2375 Reviewed by Ryosuke Niwa.
2376
2377 These functions get really hot, so ask the compiler to be more
2378 aggressive about inlining them.
2379
2380 ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
2381 through GetByVal.
2382
2383 * runtime/JSArrayIterator.cpp:
2384 * runtime/JSCJSValue.cpp:
2385 * runtime/JSCJSValueInlines.h:
2386 (JSC::JSValue::get):
2387 * runtime/JSPromiseDeferred.cpp:
2388 * runtime/StructureInlines.h:
2389 (JSC::Structure::get):
2390
23912014-06-11 Ryosuke Niwa <rniwa@webkit.org>
2392
2393 Structure::get should instantiate DeferGC only when materializing property map
2394 https://bugs.webkit.org/show_bug.cgi?id=133727
2395
2396 Rubber-stamped by Andreas Kling.
2397
2398 Make materializePropertyMapIfNecessary always inline.
2399
2400 This is ~12% improvement on the microbenchmark attached in the bug.
2401
2402 * runtime/Structure.h:
2403 (JSC::Structure::materializePropertyMapIfNecessary):
2404 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2405
24062014-06-11 Ryosuke Niwa <rniwa@webkit.org>
2407
2408 Structure::get should instantiate DeferGC only when materializing property map
2409 https://bugs.webkit.org/show_bug.cgi?id=133727
2410
2411 Reviewed by Geoffrey Garen.
2412
2413 DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
2414 collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
2415 when GCSafeConcurrentJITLocker goes out of scope.
2416
2417 However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
2418 in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
2419 and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
2420
2421 Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
2422 and immediately storing a pointer to the newly created property table in the stack before DeferGC
2423 goes out of scope so that the property table will be marked.
2424
2425 This shows 13-16% improvement on the microbenchmark attached in the bug.
2426
2427 * runtime/JSCJSValue.cpp:
2428 * runtime/JSObject.h:
2429 (JSC::JSObject::fastGetOwnPropertySlot):
2430 * runtime/Structure.h:
2431 (JSC::Structure::materializePropertyMapIfNecessary):
2432 * runtime/StructureInlines.h:
2433 (JSC::Structure::get):
2434
24352014-06-11 Andreas Kling <akling@apple.com>
2436
2437 Some JSValue::get() micro-optimizations.
2438 <https://webkit.org/b/133739>
2439
2440 Tighten some of the property lookup code to improve performance of the
2441 eagerly reified prototype attributes:
2442
2443 - Instead of converting the property name to an integer at every step
2444 in the prototype chain, move that to a separate pass at the end
2445 since it should be a rare case.
2446
2447 - Cache the StructureIDTable in a local instead of fetching it from
2448 the Heap on every step.
2449
2450 - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
2451 on the assumption that clients would mostly be cacheable GetByIds,
2452 and it gets pretty hot (~1%) in GetByVal.
2453
2454 - Pass the Structure directly to fillCustomGetterPropertySlot instead
2455 of refetching it from the StructureIDTable.
2456
2457 Reviewed by Geoff Garen.
2458
2459 * runtime/JSObject.cpp:
2460 (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
2461 * runtime/JSObject.h:
2462 (JSC::JSObject::inlineGetOwnPropertySlot):
2463 (JSC::JSObject::fillCustomGetterPropertySlot):
2464 (JSC::JSObject::getOwnPropertySlot):
2465 (JSC::JSObject::fastGetOwnPropertySlot):
2466 (JSC::JSObject::getPropertySlot):
2467 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
2468
24692014-06-10 Sam Weinig <sam@webkit.org>
2470
2471 Don't create a HashTable for JSObjects that use eager reification
2472 https://bugs.webkit.org/show_bug.cgi?id=133705
2473
2474 Reviewed by Geoffrey Garen.
2475
2476 * runtime/Lookup.h:
2477 (JSC::reifyStaticProperties):
2478 Add a version of reifyStaticProperties that takes an array of HashTableValues
2479 rather than a HashTable.
2480
24812014-06-10 Filip Pizlo <fpizlo@apple.com>
2482
2483 Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
2484 https://bugs.webkit.org/show_bug.cgi?id=133698
2485
2486 Reviewed by Geoffrey Garen and Mark Hahnenberg.
2487
2488 * dfg/DFGPredictionPropagationPhase.cpp:
2489 (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
2490 * dfg/DFGVariableAccessData.cpp:
2491 (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
2492 (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
2493 (JSC::DFG::VariableAccessData::flushFormat):
2494 * dfg/DFGVariableAccessData.h:
2495 * tests/stress/int52-inlined-call-argument.js: Added.
2496 (foo):
2497 (bar):
2498
24992014-06-10 Mark Lam <mark.lam@apple.com>
2500
2501 Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
2502 <https://webkit.org/b/133356>
2503
2504 Reviewed by Mark Hahnenberg.
2505
2506 The root cause of this issue is that a nonPropertyTransition can transition
2507 a pinned dictionary structure to an unpinned dictionary structure. The new
2508 structure will get a copy of the property table from the original structure.
2509 However, when a GC occurs, the property table in the new structure will be
2510 cleared because it is unpinned. This leads to complications in subsequent
2511 derivative structures when flattening occurs, which eventually leads to the
2512 assertion failure in this bug.
2513
2514 The fix is to ensure that the new dictionary structure generated by the
2515 nonPropertyTransition will have a copy of its predecessor's property table
2516 and is pinned.
2517
2518 * runtime/Structure.cpp:
2519 (JSC::Structure::nonPropertyTransition):
2520
25212014-06-10 Michael Saboff <msaboff@apple.com>
2522
2523 In a certain app state, Array.prototype.filter() returns incorrect results
2524 https://bugs.webkit.org/show_bug.cgi?id=133577
2525
2526 Reviewed by Oliver Hunt.
2527
2528 Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
2529
2530 * llint/LowLevelInterpreter32_64.asm:
2531 * llint/LowLevelInterpreter64.asm:
2532
25332014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
2534
2535 Global HashTables contain references to atomic StringImpls
2536 https://bugs.webkit.org/show_bug.cgi?id=133661
2537
2538 Reviewed by Geoffrey Garen.
2539
2540 This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
2541 cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
2542 incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
2543 change the "keys" field of the static HashTables to be char** instead of StringImpl**.
2544
2545 * runtime/JSObject.cpp:
2546 (JSC::getClassPropertyNames):
2547 * runtime/Lookup.cpp:
2548 (JSC::HashTable::createTable):
2549 (JSC::HashTable::deleteTable):
2550 * runtime/Lookup.h:
2551 (JSC::HashTable::ConstIterator::key):
2552 (JSC::HashTable::entry):
2553
25542014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
2555
2556 Build fix after r169703
2557
2558 * JavaScriptCore.xcodeproj/project.pbxproj:
2559
25602014-06-05 Mark Hahnenberg <mhahnenberg@apple.com>
2561
2562 Eagerly reify DOM prototype attributes
2563 https://bugs.webkit.org/show_bug.cgi?id=133558
2564
2565 Reviewed by Oliver Hunt.
2566
2567 This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
2568 By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
2569 getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
2570 DOM wrappers.
2571
2572 * CMakeLists.txt:
2573 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2574 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2575 * JavaScriptCore.xcodeproj/project.pbxproj:
2576 * llint/LLIntData.cpp:
2577 (JSC::LLInt::Data::performAssertions):
2578 * llint/LowLevelInterpreter.asm:
2579 * runtime/BatchedTransitionOptimizer.h:
2580 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
2581 * runtime/CustomGetterSetter.cpp: Added.
2582 (JSC::callCustomSetter):
2583 * runtime/CustomGetterSetter.h: Added.
2584 (JSC::CustomGetterSetter::create):
2585 (JSC::CustomGetterSetter::getter):
2586 (JSC::CustomGetterSetter::setter):
2587 (JSC::CustomGetterSetter::createStructure):
2588 (JSC::CustomGetterSetter::CustomGetterSetter):
2589 * runtime/JSCJSValue.cpp:
2590 (JSC::JSValue::putToPrimitive):
2591 * runtime/JSCJSValue.h:
2592 * runtime/JSCJSValueInlines.h:
2593 (JSC::JSValue::isCustomGetterSetter):
2594 * runtime/JSCell.h:
2595 * runtime/JSCellInlines.h:
2596 (JSC::JSCell::isCustomGetterSetter):
2597 (JSC::JSCell::canUseFastGetOwnProperty):
2598 * runtime/JSFunction.cpp:
2599 (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
2600 (JSC::JSFunction::isBuiltinFunction): Deleted.
2601 * runtime/JSFunction.h:
2602 * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
2603 (JSC::JSFunction::isBuiltinFunction):
2604 (JSC::JSFunction::isHostOrBuiltinFunction):
2605 * runtime/JSObject.cpp:
2606 (JSC::JSObject::put):
2607 (JSC::JSObject::putDirectCustomAccessor):
2608 (JSC::JSObject::fillGetterPropertySlot):
2609 (JSC::JSObject::fillCustomGetterPropertySlot):
2610 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
2611 * runtime/JSObject.h:
2612 (JSC::JSObject::hasCustomGetterSetterProperties):
2613 (JSC::JSObject::convertToDictionary):
2614 (JSC::JSObject::inlineGetOwnPropertySlot):
2615 (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
2616 (JSC::JSObject::putOwnDataProperty):
2617 (JSC::JSObject::putDirect):
2618 (JSC::JSObject::putDirectWithoutTransition):
2619 * runtime/JSType.h:
2620 * runtime/Lookup.h:
2621 (JSC::reifyStaticProperties):
2622 * runtime/PropertyDescriptor.h:
2623 (JSC::PropertyDescriptor::PropertyDescriptor):
2624 * runtime/Structure.cpp:
2625 (JSC::Structure::Structure):
2626 (JSC::nextOutOfLineStorageCapacity): Deleted.
2627 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
2628 (JSC::Structure::get): Deleted.
2629 * runtime/Structure.h:
2630 (JSC::Structure::hasCustomGetterSetterProperties):
2631 (JSC::Structure::setHasCustomGetterSetterProperties):
2632 * runtime/StructureInlines.h:
2633 (JSC::Structure::get): Inlined due to hotness.
2634 (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
2635 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
2636 * runtime/VM.cpp:
2637 (JSC::VM::VM):
2638 * runtime/VM.h:
2639 * runtime/WriteBarrier.h:
2640 (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
2641
26422014-06-07 Mark Lam <mark.lam@apple.com>
2643
2644 Structure should initialize its previousID in its constructor.
2645 <https://webkit.org/b/133606>
2646
2647 Reviewed by Mark Hahnenberg.
2648
2649 Currently, the Structure constructor that takes a previous structure will
2650 initialize its previousID to point to the previous structure's previousID.
2651 This is incorrect. However, the caller of the Structure::create() factory
2652 method (which instantiated the Structure) will later call setPreviousID()
2653 to set the previousID to the correct previous structure. This makes the
2654 code confusing to read and more error prone in that the structure relies
2655 on client code to fix its invalid previousID.
2656
2657 This patch fixes this by making the Structure constructor initialize
2658 previousID correctly.
2659
2660 * runtime/Structure.cpp:
2661 (JSC::Structure::Structure):
2662 (JSC::Structure::addPropertyTransition):
2663 (JSC::Structure::nonPropertyTransition):
2664 * runtime/Structure.h:
2665 * runtime/StructureInlines.h:
2666 (JSC::Structure::create):
2667
26682014-06-06 Andreas Kling <akling@apple.com>
2669
2670 Indexed getters should return values directly on the PropertySlot.
2671 <https://webkit.org/b/133586>
2672
2673 Remove PropertySlot's custom index mode.
2674
2675 Reviewed by Darin Adler.
2676
2677 * runtime/JSObject.h:
2678 (JSC::PropertySlot::getValue):
2679 * runtime/PropertySlot.h:
2680 (JSC::PropertySlot::setCustomIndex): Deleted.
2681
26822014-06-04 Timothy Horton <timothy_horton@apple.com>
2683
2684 iOS Debug build fix
2685
2686 Rubber-stamped by Filip Pizlo.
2687
2688 * Configurations/LLVMForJSC.xcconfig:
2689 Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
2690
26912014-06-04 Oliver Hunt <oliver@apple.com>
2692
2693 ArrayIterator should not be exposed in Safari 8
2694 https://bugs.webkit.org/show_bug.cgi?id=133494
2695
2696 Reviewed by Michael Saboff.
2697
2698 Separate out types that require constructor objects, and don't
2699 include the iterator types in that list.
2700
2701 * runtime/JSGlobalObject.cpp:
2702 (JSC::JSGlobalObject::reset):
2703 * runtime/JSGlobalObject.h:
2704
27052014-06-04 Filip Pizlo <fpizlo@apple.com>
2706
2707 DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
2708 https://bugs.webkit.org/show_bug.cgi?id=133525
2709 <rdar://problem/16790296>
2710
2711 Reviewed by Oliver Hunt.
2712
2713 * dfg/DFGSafepoint.cpp:
2714 (JSC::DFG::Safepoint::begin):
2715
27162014-06-03 Filip Pizlo <fpizlo@apple.com>
2717
2718 LLVM soft-linking should be truly fail-silent
2719 https://bugs.webkit.org/show_bug.cgi?id=133482
2720
2721 Reviewed by Mark Lam.
2722
2723 * llvm/InitializeLLVMPOSIX.cpp:
2724 (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
2725
27262014-06-03 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2727
2728 REGRESSION(r169092 and r169102): Skip failing JSC tests poperly on non-x86 Darwin platforms
2729 https://bugs.webkit.org/show_bug.cgi?id=133149
2730
2731 Reviewed by Csaba Osztrogonác.
2732
2733 * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
2734
27352014-05-31 Anders Carlsson <andersca@apple.com>
2736
2737 Add a LazyNeverDestroyed class template and use it
2738 https://bugs.webkit.org/show_bug.cgi?id=133425
2739
2740 Reviewed by Darin Adler.
2741
2742 * dfg/DFGFunctionWhitelist.cpp:
2743 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
2744 * dfg/DFGFunctionWhitelist.h:
2745
27462014-05-28 Filip Pizlo <fpizlo@apple.com>
2747
2748 DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
2749 https://bugs.webkit.org/show_bug.cgi?id=133368
2750
2751 Reviewed by Mark Lam.
2752
2753 * dfg/DFGDCEPhase.cpp:
2754 (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
2755 * tests/stress/new-array-dead.js: Added.
2756 (foo):
2757
27582014-05-28 Filip Pizlo <fpizlo@apple.com>
2759
2760 Unreviewed, fix not-x86 32-bit.
2761
2762 * llint/LowLevelInterpreter32_64.asm:
2763
27642014-05-27 Filip Pizlo <fpizlo@apple.com>
2765
2766 Arrayify neglects to inform the clobberizer that it might fire watchpoints
2767 https://bugs.webkit.org/show_bug.cgi?id=133340
2768
2769 Reviewed by Mark Lam.
2770
2771 * dfg/DFGClobberize.h:
2772 (JSC::DFG::clobberize): Be honest.
2773 * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
2774 * tests/stress/arrayify-fires-watchpoint.js: Added.
2775 (foo):
2776 (test):
2777 (makeObjectArray):
2778 * tests/stress/arrayify-structure-bad-test.js: Added.
2779 (foo):
2780 (test):
2781
27822014-05-27 Jon Lee <jonlee@apple.com>
2783
2784 Update ENABLE(MEDIA_SOURCE) on Mac
2785 https://bugs.webkit.org/show_bug.cgi?id=133141
2786
2787 Reviewed by Darin Adler.
2788
2789 * Configurations/FeatureDefines.xcconfig:
2790
27912014-05-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
2792
2793 Remove BLOB guards
2794 https://bugs.webkit.org/show_bug.cgi?id=132863
2795
2796 Reviewed by Csaba Osztrogonác.
2797
2798 * Configurations/FeatureDefines.xcconfig:
2799
28002014-05-27 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
2801
2802 Allow building CMake based ports with WEB_REPLAY
2803 https://bugs.webkit.org/show_bug.cgi?id=133154
2804
2805 Reviewed by Csaba Osztrogonác.
2806
2807 * CMakeLists.txt:
2808
28092014-05-25 Filip Pizlo <fpizlo@apple.com>
2810
2811 Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
2812 https://bugs.webkit.org/show_bug.cgi?id=133136
2813
2814 Reviewed by Oliver Hunt.
2815
2816 Some key concepts:
2817
2818 - Except for the prediction propagation and type fixup phases, which are super early in
2819 the pipeline, nobody has to know about the fact that booleans may flow into numerical
2820 operations because there will just be a BooleanToNumber node that will take a value
2821 and, if that value is a boolean, will convert it to the equivalent numerical value. It
2822 will have a BooleanUse mode where it will also speculate that the input is a boolean
2823 but it can also do UntypedUse in which case it will pass through any non-booleans.
2824 This operation is very easy to model in all of the compiler tiers.
2825
2826 - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
2827 inputs require taking the slow path and it will still report that it took slow path
2828 for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
2829 path profiling on operations that were known to have had boolean inputs. That's a
2830 little quirky, but it's probably easier than modifying the baseline JIT to track
2831 booleans correctly.
2832
2833 4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
2834
2835 * bytecode/SpeculatedType.h:
2836 (JSC::isInt32OrBooleanSpeculation):
2837 (JSC::isInt32SpeculationForArithmetic):
2838 (JSC::isInt32OrBooleanSpeculationForArithmetic):
2839 (JSC::isInt32OrBooleanSpeculationExpectingDefined):
2840 (JSC::isInt52Speculation):
2841 (JSC::isMachineIntSpeculation):
2842 (JSC::isFullNumberOrBooleanSpeculation):
2843 (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
2844 (JSC::isInt32SpeculationExpectingDefined): Deleted.
2845 (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
2846 (JSC::isMachineIntSpeculationForArithmetic): Deleted.
2847 (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
2848 (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
2849 * dfg/DFGAbstractInterpreterInlines.h:
2850 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2851 * dfg/DFGAllocator.h:
2852 (JSC::DFG::Allocator<T>::indexOf):
2853 * dfg/DFGByteCodeParser.cpp:
2854 (JSC::DFG::ByteCodeParser::makeSafe):
2855 (JSC::DFG::ByteCodeParser::makeDivSafe):
2856 (JSC::DFG::ByteCodeParser::handleIntrinsic):
2857 * dfg/DFGCSEPhase.cpp:
2858 (JSC::DFG::CSEPhase::performNodeCSE):
2859 * dfg/DFGClobberize.h:
2860 (JSC::DFG::clobberize):
2861 * dfg/DFGCommon.h:
2862 * dfg/DFGConstantFoldingPhase.cpp:
2863 (JSC::DFG::ConstantFoldingPhase::foldConstants):
2864 * dfg/DFGFixupPhase.cpp:
2865 (JSC::DFG::FixupPhase::fixupNode):
2866 (JSC::DFG::FixupPhase::fixIntConvertingEdge):
2867 (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
2868 (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
2869 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
2870 (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
2871 * dfg/DFGGraph.h:
2872 (JSC::DFG::Graph::addSpeculationMode):
2873 (JSC::DFG::Graph::valueAddSpeculationMode):
2874 (JSC::DFG::Graph::arithAddSpeculationMode):
2875 (JSC::DFG::Graph::addShouldSpeculateInt32):
2876 (JSC::DFG::Graph::mulShouldSpeculateInt32):
2877 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
2878 (JSC::DFG::Graph::negateShouldSpeculateInt32):
2879 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
2880 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2881 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
2882 * dfg/DFGNode.h:
2883 (JSC::DFG::Node::sawBooleans):
2884 (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
2885 (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
2886 (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
2887 (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
2888 (JSC::DFG::Node::shouldSpeculateMachineInt):
2889 (JSC::DFG::Node::shouldSpeculateDouble):
2890 (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
2891 (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
2892 (JSC::DFG::Node::shouldSpeculateNumber):
2893 (JSC::DFG::Node::canSpeculateInt32):
2894 (JSC::DFG::Node::canSpeculateInt52):
2895 (JSC::DFG::Node::sourceFor):
2896 (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
2897 (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
2898 (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
2899 (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
2900 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
2901 * dfg/DFGNodeFlags.cpp:
2902 (JSC::DFG::dumpNodeFlags):
2903 * dfg/DFGNodeFlags.h:
2904 (JSC::DFG::nodeMayOverflow):
2905 (JSC::DFG::nodeMayNegZero):
2906 (JSC::DFG::nodeCanSpeculateInt32):
2907 (JSC::DFG::nodeCanSpeculateInt52):
2908 * dfg/DFGNodeType.h:
2909 * dfg/DFGPredictionPropagationPhase.cpp:
2910 (JSC::DFG::PredictionPropagationPhase::run):
2911 (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
2912 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
2913 (JSC::DFG::PredictionPropagationPhase::propagate):
2914 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
2915 * dfg/DFGSafeToExecute.h:
2916 (JSC::DFG::safeToExecute):
2917 * dfg/DFGSpeculativeJIT.cpp:
2918 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2919 * dfg/DFGSpeculativeJIT32_64.cpp:
2920 (JSC::DFG::SpeculativeJIT::compile):
2921 * dfg/DFGSpeculativeJIT64.cpp:
2922 (JSC::DFG::SpeculativeJIT::compile):
2923 * ftl/FTLCapabilities.cpp:
2924 (JSC::FTL::canCompile):
2925 * ftl/FTLLowerDFGToLLVM.cpp:
2926 (JSC::FTL::LowerDFGToLLVM::compileNode):
2927 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
2928 (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
2929 * runtime/JSCJSValue.h:
2930 * runtime/JSCJSValueInlines.h:
2931 (JSC::JSValue::asInt32ForArithmetic):
2932 * tests/stress/max-boolean-exit.js: Added.
2933 (foo):
2934 (test):
2935 * tests/stress/mul-boolean-exit.js: Added.
2936 (foo):
2937 (test):
2938 * tests/stress/plus-boolean-exit.js: Added.
2939 (foo):
2940 (test):
2941 * tests/stress/plus-boolean-or-double.js: Added.
2942 (foo):
2943 (test):
2944 * tests/stress/plus-boolean-or-int.js: Added.
2945 (foo):
2946 (test):
2947
29482014-05-26 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
2949
2950 Remove dead code from VM.cpp
2951 https://bugs.webkit.org/show_bug.cgi?id=133284
2952
2953 Reviewed by Darin Adler.
2954
2955 This workaround was added in r127505. Since the clang is the
2956 only used compiler in this case, this workaround is obsolete.
2957
2958 * runtime/VM.cpp:
2959 (JSC::enableAssembler):
2960
29612014-05-26 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2962
2963 JSC CLoop warning fix
2964 https://bugs.webkit.org/show_bug.cgi?id=133259
2965
2966 Reviewed by Darin Adler.
2967
2968 * llint/LLIntSlowPaths.cpp:
2969 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2970
29712014-05-24 Andreas Kling <akling@apple.com>
2972
2973 Object.prototype.toString() should use cached strings for null/undefined.
2974 <https://webkit.org/b/133261>
2975
2976 Normally, when calling Object.prototype.toString() on a regular object,
2977 we'd cache the result of the stringification on the object's structure,
2978 making repeated calls fast.
2979
2980 For null and undefined, we were not as smart. We'd instead construct a
2981 new string with either "[object Null]" or "[object Undefined]" each time.
2982
2983 This was exposed by Dromaeo's JS library tests, where some prototype.js
2984 subtests generate millions of strings this way.
2985
2986 This patch adds two VM-permanent cached strings to the SmallStrings.
2987 Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
2988
2989 Reviewed by Darin Adler.
2990
2991 * runtime/ObjectPrototype.cpp:
2992 (JSC::objectProtoFuncToString):
2993 * runtime/SmallStrings.cpp:
2994 (JSC::SmallStrings::SmallStrings):
2995 (JSC::SmallStrings::initializeCommonStrings):
2996 (JSC::SmallStrings::visitStrongReferences):
2997 * runtime/SmallStrings.h:
2998 (JSC::SmallStrings::nullObjectString):
2999 (JSC::SmallStrings::undefinedObjectString):
3000
30012014-05-23 Mark Hahnenberg <mhahnenberg@apple.com>
3002
3003 Remove operationCallGetter
3004
3005 Rubber stamped by Filip Pizlo.
3006
3007 Nobody calls this function.
3008
3009 * JavaScriptCore.order:
3010 * jit/JITOperations.cpp:
3011 * jit/JITOperations.h:
3012
30132014-05-23 Andreas Kling <akling@apple.com>
3014
3015 Templatize GC's destructor invocation for dtor type.
3016 <https://webkit.org/b/133231>
3017
3018 Get rid of a branch in callDestructor() by templatizing it for
3019 the DestructorType. Removed JSCell::methodTableForDestruction()
3020 since this was the only call site and it was jumping through
3021 a bunch of unnecessary hoops.
3022
3023 Reviewed by Geoffrey Garen.
3024
3025 * heap/MarkedBlock.cpp:
3026 (JSC::MarkedBlock::callDestructor):
3027 (JSC::MarkedBlock::specializedSweep):
3028 * heap/MarkedBlock.h:
3029 * runtime/JSCell.h:
3030 * runtime/JSCellInlines.h:
3031 (JSC::JSCell::methodTableForDestruction): Deleted.
3032
30332014-05-23 Andreas Kling <akling@apple.com>
3034
3035 Support inline caching of RegExpMatchesArray.length
3036 <https://webkit.org/b/133234>
3037
3038 Give RegExpMatchesArray.length the same treatment as JSArray in
3039 repatch so we don't have to go out of line on every access.
3040
3041 ~13% speed-up on Octane/regexp.
3042
3043 Reviewed by Geoffrey Garen.
3044
3045 * jit/Repatch.cpp:
3046 (JSC::tryCacheGetByID):
3047 * runtime/RegExpMatchesArray.h:
3048 (JSC::isRegExpMatchesArray):
3049
30502014-05-22 Mark Lam <mark.lam@apple.com>
3051
3052 REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
3053 <https://webkit.org/b/133182>
3054
3055 Reviewed by Oliver Hunt.
3056
3057 Before r154797, we used to clear the VM exception before calling into the
3058 debugger. After r154797, we don't. This patch will restore this clearing
3059 of the exception before calling into the debugger.
3060
3061 Also added assertions after returning from calls into the debugger to
3062 ensure that the debugger did not introduce any exceptions.
3063
3064 * interpreter/Interpreter.cpp:
3065 (JSC::unwindCallFrame):
3066 (JSC::Interpreter::unwind):
3067 (JSC::Interpreter::debug):
3068 - Fixed the assertion here. Interpreter::debug() should never be called
3069 with a pending exception. Debugger callbacks for exceptions should be
3070 handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
3071
30722014-05-21 Filip Pizlo <fpizlo@apple.com>
3073
3074 Store barrier elision should run after DCE in both the DFG path and the FTL path
3075 https://bugs.webkit.org/show_bug.cgi?id=129718
3076
3077 Rubber stamped by Mark Hahnenberg.
3078
3079 * dfg/DFGPlan.cpp:
3080 (JSC::DFG::Plan::compileInThreadImpl):
3081
30822014-05-21 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
3083
3084 [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
3085 https://bugs.webkit.org/show_bug.cgi?id=132907
3086
3087 Reviewed by Gyuyoung Kim.
3088
3089 * CMakeLists.txt:
3090
30912014-05-16 Martin Robinson <mrobinson@igalia.com>
3092
3093 [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
3094 https://bugs.webkit.org/show_bug.cgi?id=132819
3095
3096 Reviewed by Carlos Garcia Campos.
3097
3098 * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
3099 use the common CMake ones directly.
3100
31012014-05-21 Filip Pizlo <fpizlo@apple.com>
3102
3103 Unreviewed, roll out http://trac.webkit.org/changeset/169159.
3104
3105 This was a unilateral change and wasn't properly reviewed.
3106
3107 * tests/mozilla/mozilla-tests.yaml:
3108
31092014-05-21 Antoine Quint <graouts@webkit.org>
3110
3111 Array.prototype.find and findIndex should skip holes
3112 https://bugs.webkit.org/show_bug.cgi?id=132658
3113
3114 Reviewed by Geoffrey Garen.
3115
3116 Skip holes in the array when iterating such that callback isn't called.
3117
3118 * builtins/Array.prototype.js:
3119 (find):
3120 (findIndex):
3121
31222014-05-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
3123
3124 REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
3125 https://bugs.webkit.org/show_bug.cgi?id=133149
3126
3127 Reviewed by Csaba Osztrogonác.
3128
3129 * tests/mozilla/mozilla-tests.yaml:
3130
31312014-05-20 Geoffrey Garen <ggaren@apple.com>
3132
3133 Rolled out <http://trac.webkit.org/changeset/166184>
3134 https://bugs.webkit.org/show_bug.cgi?id=133144
3135
3136 Reviewed by Gavin Barraclough.
3137
3138 It caused a performance regression.
3139
3140 * heap/BlockAllocator.cpp:
3141 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
3142
31432014-05-20 Filip Pizlo <fpizlo@apple.com>
3144
3145 DFG prediction propagation should agree with fixup phase over the return type of GetByVal
3146 https://bugs.webkit.org/show_bug.cgi?id=133134
3147
3148 Reviewed by Mark Hahnenberg.
3149
3150 Make prediction propagator use ArrayMode refinement to decide the return type.
3151
3152 Also introduce a heap prediction intrinsic that allows us to test weird corner cases
3153 like this. The only way we'll see a mismatch like this in the real world is probably
3154 through a gnarly race condition.
3155
3156 * dfg/DFGByteCodeParser.cpp:
3157 (JSC::DFG::ByteCodeParser::handleIntrinsic):
3158 * dfg/DFGNode.h:
3159 (JSC::DFG::Node::setHeapPrediction):
3160 * dfg/DFGPredictionPropagationPhase.cpp:
3161 (JSC::DFG::PredictionPropagationPhase::propagate):
3162 * jsc.cpp:
3163 (GlobalObject::finishCreation):
3164 (functionFalse1):
3165 (functionFalse2):
3166 (functionUndefined1):
3167 (functionUndefined2):
3168 (functionFalse): Deleted.
3169 (functionOtherFalse): Deleted.
3170 (functionUndefined): Deleted.
3171 * runtime/Intrinsic.h:
3172 * tests/stress/get-by-val-double-predicted-int.js: Added.
3173 (foo):
3174
31752014-05-20 Mark Hahnenberg <mhahnenberg@apple.com>
3176
3177 Watchdog timer should be lazily allocated
3178 https://bugs.webkit.org/show_bug.cgi?id=133135
3179
3180 Reviewed by Geoffrey Garen.
3181
3182 We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
3183 There is no reason to do this checking if we never activated the Watchdog, which can only be done through
3184 JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
3185
3186 By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
3187 these two API functions (which is true of most clients).
3188
3189 * API/JSContextRef.cpp:
3190 (JSContextGroupSetExecutionTimeLimit):
3191 (JSContextGroupClearExecutionTimeLimit):
3192 * dfg/DFGByteCodeParser.cpp:
3193 (JSC::DFG::ByteCodeParser::parseBlock):
3194 * dfg/DFGSpeculativeJIT32_64.cpp:
3195 (JSC::DFG::SpeculativeJIT::compile):
3196 * dfg/DFGSpeculativeJIT64.cpp:
3197 (JSC::DFG::SpeculativeJIT::compile):
3198 * interpreter/Interpreter.cpp:
3199 (JSC::Interpreter::execute):
3200 (JSC::Interpreter::executeCall):
3201 (JSC::Interpreter::executeConstruct):
3202 * jit/JITOpcodes.cpp:
3203 (JSC::JIT::emit_op_loop_hint):
3204 (JSC::JIT::emitSlow_op_loop_hint):
3205 * jit/JITOperations.cpp:
3206 * llint/LLIntSlowPaths.cpp:
3207 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3208 * runtime/VM.h:
3209 * runtime/Watchdog.cpp:
3210 (JSC::Watchdog::Scope::Scope): Deleted.
3211 (JSC::Watchdog::Scope::~Scope): Deleted.
3212 * runtime/Watchdog.h:
3213 (JSC::Watchdog::Scope::Scope):
3214 (JSC::Watchdog::Scope::~Scope):
3215
32162014-05-19 Mark Hahnenberg <mhahnenberg@apple.com>
3217
3218 JSArray::shiftCountWith* could be more efficient
3219 https://bugs.webkit.org/show_bug.cgi?id=133011
3220
3221 Reviewed by Geoffrey Garen.
3222
3223 Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
3224 are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
3225 them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
3226
3227 * runtime/ArrayStorage.h:
3228 (JSC::ArrayStorage::indexingHeader):
3229 (JSC::ArrayStorage::length):
3230 (JSC::ArrayStorage::hasHoles):
3231 * runtime/IndexingHeader.h:
3232 (JSC::IndexingHeader::publicLength):
3233 (JSC::IndexingHeader::from):
3234 * runtime/JSArray.cpp:
3235 (JSC::JSArray::shiftCountWithArrayStorage):
3236 (JSC::JSArray::shiftCountWithAnyIndexingType):
3237 (JSC::JSArray::unshiftCountWithArrayStorage):
3238 * runtime/JSArray.h:
3239 (JSC::JSArray::shiftCountForShift):
3240 (JSC::JSArray::shiftCountForSplice):
3241 (JSC::JSArray::shiftCount):
3242 * runtime/Structure.cpp:
3243 (JSC::Structure::holesRequireSpecialBehavior):
3244 * runtime/Structure.h:
3245
32462014-05-19 Filip Pizlo <fpizlo@apple.com>
3247
3248 Test gardening: skip some failing tests on not-X86.
3249
3250 * tests/mozilla/mozilla-tests.yaml:
3251
32522014-05-19 Mark Lam <mark.lam@apple.com>
3253
3254 operationOptimize() should defer the GC for a while.
3255 <https://webkit.org/b/133103>
3256
3257 Reviewed by Filip Pizlo.
3258
3259 Currently, operationOptimize() only defers the GC until its end. As a result,
3260 a GC may be triggered just before we return from operationOptimize(), and it may
3261 jettison the optimize codeBlock that we're planning to OSR enter into when we
3262 return from this function. This is because the OSR entry on-ramp code hasn't
3263 been executed yet, and hence, there is not yet a reference to this new codeBlock
3264 from the stack, and there won't be until we've had a chance to return out of
3265 operationOptimize() to run the OSR entry on-ramp code.
3266
3267 This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
3268 ensures that the GC will be deferred until after the OSR entry on-ramp can be
3269 executed.
3270
3271 * jit/JITOperations.cpp:
3272
32732014-05-19 Filip Pizlo <fpizlo@apple.com>
3274
3275 Take care of some ARM64 test failures
3276 https://bugs.webkit.org/show_bug.cgi?id=133090
3277
3278 Reviewed by Geoffrey Garen.
3279
3280 Constant blinding on ARM64 cannot use the scratch register.
3281
3282 * assembler/MacroAssembler.h:
3283 (JSC::MacroAssembler::convertInt32ToDouble):
3284 (JSC::MacroAssembler::branchPtr):
3285 (JSC::MacroAssembler::storePtr):
3286 (JSC::MacroAssembler::store64):
3287 * assembler/MacroAssemblerARM64.h:
3288 (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
3289
32902014-05-19 Tanay C <tanay.c@samsung.com>
3291
3292 Removing some check-webkit-style warnings from ./dfg
3293 https://bugs.webkit.org/show_bug.cgi?id=132854
3294
3295 Reviewed by Darin Adler.
3296
3297 * dfg/DFGAbstractInterpreter.h:
3298 * dfg/DFGAbstractValue.h:
3299 * dfg/DFGBlockInsertionSet.h:
3300 * dfg/DFGCommonData.h:
3301 * dfg/DFGDominators.h:
3302 * dfg/DFGGraph.h:
3303 * dfg/DFGInPlaceAbstractState.h:
3304 * dfg/DFGPredictionPropagationPhase.h:
3305
33062014-05-18 Filip Pizlo <fpizlo@apple.com>
3307
3308 Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
3309 That was a long time ago.
3310
3311 * ftl/FTLLowerDFGToLLVM.cpp:
3312 (JSC::FTL::LowerDFGToLLVM::compileReturn):
3313
33142014-05-18 Rik Cabanier <cabanier@adobe.com>
3315
3316 support for navigator.hardwareConcurrency
3317 https://bugs.webkit.org/show_bug.cgi?id=132588
3318
3319 Reviewed by Filip Pizlo.
3320
3321 * Configurations/FeatureDefines.xcconfig:
3322
33232014-05-16 Michael Saboff <msaboff@apple.com>
3324
3325 Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
3326 https://bugs.webkit.org/show_bug.cgi?id=133009
3327
3328 Reviewed by Oliver Hunt.
3329
3330 If we determine that any alternative requires a minumum match size greater than
3331 INT_MAX, we handle the match in the interpreter.
3332
3333 Check to see if the pattern has unsigned lengths before invoking YARR JIT.
3334 * runtime/RegExp.cpp:
3335 (JSC::RegExp::compile):
3336 (JSC::RegExp::compileMatchOnly):
3337
3338 * tests/stress/large-regexp.js: New test added.
3339
3340 Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
3341 doesn't fit in an int.
3342 * yarr/YarrPattern.cpp:
3343 (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
3344
3345 Clear new m_containsUnsignedLengthPattern flag.
3346 * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
        The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

        Use JSCell::structure(VM&) to reduce the number of hoops we jump
        through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more than one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

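The crash described in this entry (bug 132683) and the TrustedImmPtr fix for bug 132772 above are illustrated by the following added example. It is not JavaScriptCore code: MiniAssembler, its two storeDouble overloads and the op strings are a toy written for this ChangeLog, and the wrapper is named TrustedImmPtr only to mirror the fix. The statement that MSVC accepts an enum constant equal to zero as a null pointer constant is taken from the entries themselves; GCC and Clang reject that conversion, so the pre-fix overload appears only in a comment, and the compile-time checks at the bottom state what the explicit-constructor wrapper guarantees on any compiler.

```cpp
// Added example, not JavaScriptCore code: a toy macro assembler with the two
// storeDouble overloads these entries talk about, and the explicit-constructor
// wrapper (named TrustedImmPtr after JSC's) that replaced the const void*
// parameter. MiniAssembler, regT0 and the op strings are invented here.
#include <cstdint>
#include <cstdio>
#include <string>
#include <type_traits>

enum RegisterID { eax = 0, ecx, edx };   // regT0 is eax, whose value is 0
enum FPRegisterID { xmm0 = 0, xmm1 };
static const RegisterID regT0 = eax;

// "This immediate is an absolute address." The constructor is explicit and
// takes a pointer, so neither a literal 0 nor an enum constant can reach it
// by accident.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

struct MiniAssembler {
    std::string lastOp;   // what the last call encoded, for checking

    // Register-indirect store: write src to the address held in `base`.
    void storeDouble(FPRegisterID src, RegisterID base) {
        lastOp = "store xmm" + std::to_string(static_cast<int>(src)) +
                 " -> [reg" + std::to_string(static_cast<int>(base)) + "]";
    }
    // Absolute-address store. Before the fix this parameter was
    // `const void* address`; per bug 132683, MSVC accepted regT0 (an enum
    // constant equal to 0) here as a null pointer constant, so the JIT stored
    // the register to address 0. With TrustedImmPtr that call does not compile.
    void storeDouble(FPRegisterID src, TrustedImmPtr address) {
        lastOp = "store xmm" + std::to_string(static_cast<int>(src)) + " -> [" +
                 std::to_string(reinterpret_cast<std::uintptr_t>(address.value)) + "]";
    }
};

// The fixed call site: only the register overload is viable.
std::string emitRegisterStore() {
    MiniAssembler jit;
    jit.storeDouble(xmm0, regT0);
    return jit.lastOp;
}

// An absolute address now has to be spelled out as a TrustedImmPtr.
std::string emitAbsoluteStore(const void* where) {
    MiniAssembler jit;
    jit.storeDouble(xmm1, TrustedImmPtr(where));
    return jit.lastOp;
}

// The invariant the fix relies on, checked at compile time on any compiler:
// nothing integer-like converts implicitly to the address wrapper.
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value,
              "a register id must never silently become an address");
static_assert(!std::is_convertible<int, TrustedImmPtr>::value,
              "a bare 0 must never silently become an address");

int main() {
    static double slot = 0;
    std::printf("%s\n", emitRegisterStore().c_str());        // store xmm0 -> [reg0]
    std::printf("%s\n", emitAbsoluteStore(&slot).c_str());   // store xmm1 -> [<address of slot>]
    return 0;
}
```

The point of the wrapper is that overload resolution can no longer be decided by a compiler-specific null pointer rule: the register overload is the only candidate for a RegisterID argument, and an address has to be written as TrustedImmPtr at the call site, where a reviewer can see it.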
2014-05-09  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype),
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

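The inline-cache entries above (the HasImpureGetOwnPropertySlot check missing for the base object in this entry, the WatchpointSet handed out through PropertySlot for window close, and the watchpoint check missing from tryRepatchIn) share one failure mode: a fast path keyed on the Structure alone keeps answering after state that is not part of the Structure has changed. The added example below is not JavaScriptCore code; Window, PropertySlot, InlineCache and CachePolicy are toys invented for it. It shows an impure base object being (correctly) never cached once the base-object check is in place, and a cache that is only valid while the window is open returning a stale value after close unless it registered with the window's WatchpointSet.

```cpp
// Added example, not JavaScriptCore code: Window, PropertySlot, InlineCache and
// CachePolicy are toys invented for this ChangeLog. A get-by-id inline cache
// keyed on the Structure alone is shown (a) refusing to cache an impure base
// object and (b) being invalidated through a WatchpointSet when the window
// closes, which is state the Structure does not reflect.
#include <map>
#include <string>
#include <vector>

// Validity flags of every inline cache that assumed the watched condition;
// firing the set invalidates all of them at once.
struct WatchpointSet {
    std::vector<bool*> watchers;
    void add(bool* cacheValidFlag) { watchers.push_back(cacheValidFlag); }
    void fireAll() {
        for (bool* flag : watchers)
            *flag = false;
        watchers.clear();
    }
};

// A toy JSDOMWindow: own properties belong to the "structure", the closed
// state does not.
struct Window {
    int structureID = 1;
    bool hasImpureGetOwnPropertySlot = false;
    std::map<std::string, int> ownProperties;
    bool closed = false;
    WatchpointSet closeWatchpoints;
    void close() { closed = true; closeWatchpoints.fireAll(); }
};

struct PropertySlot {
    int value = 0;
    bool cacheable = false;
    WatchpointSet* watchpointSet = nullptr;   // a cache must watch this to stay valid
};

// Slow path. A closed window answers -1 for every name without any structure
// change: that is the impurity a structure-keyed cache cannot see.
bool getOwnPropertySlot(Window& w, const std::string& name, PropertySlot& slot) {
    if (w.closed) { slot.value = -1; return true; }   // deliberately not cacheable
    auto it = w.ownProperties.find(name);
    if (it == w.ownProperties.end())
        return false;
    slot.value = it->second;
    slot.cacheable = true;
    slot.watchpointSet = &w.closeWatchpoints;         // valid only while open
    return true;
}

struct InlineCache {
    bool valid = false;
    int structureID = -1;
    int value = 0;          // this toy caches the value; real caches cache an offset
    int slowPathHits = 0;
};

struct CachePolicy {
    bool checkImpureBase;    // bug 132695: the check that was missing for the base object
    bool honorWatchpoints;   // bug 132721: register with the slot's WatchpointSet
};

int getById(Window& w, const std::string& name, InlineCache& ic, CachePolicy policy) {
    if (ic.valid && ic.structureID == w.structureID)
        return ic.value;                              // fast path: structure check only
    ++ic.slowPathHits;
    PropertySlot slot;
    if (!getOwnPropertySlot(w, name, slot))
        return 0;
    bool mayCache = slot.cacheable && !(policy.checkImpureBase && w.hasImpureGetOwnPropertySlot);
    if (mayCache && slot.watchpointSet && policy.honorWatchpoints)
        slot.watchpointSet->add(&ic.valid);           // otherwise nothing can invalidate us
    if (mayCache) {
        ic.valid = true;
        ic.structureID = w.structureID;
        ic.value = slot.value;
    }
    return slot.value;
}

// Read "x" once (fills the cache), close the window, read again.
// Without watchpoints the second read returns the stale 42; with them, -1.
int readAfterClose(CachePolicy policy) {
    Window w;
    w.ownProperties["x"] = 42;
    InlineCache ic;
    getById(w, "x", ic, policy);
    w.close();
    return getById(w, "x", ic, policy);
}

// Two reads of a base object flagged HasImpureGetOwnPropertySlot: with the
// base-object check the cache is never filled, so both reads take the slow path.
int slowPathHitsForImpureBase(CachePolicy policy) {
    Window w;
    w.ownProperties["x"] = 7;
    w.hasImpureGetOwnPropertySlot = true;
    InlineCache ic;
    getById(w, "x", ic, policy);
    getById(w, "x", ic, policy);
    return ic.slowPathHits;
}
```

CachePolicy{false, false} is the pre-fix combination (impure flag ignored for the base, no watchpoint registration); CachePolicy{true, false} adds the base-object impure check, and CachePolicy{false, true} is the direction these entries move in, where the impure flag is replaced by a WatchpointSet that the cache must register with.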
2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
        (JSC::MacroAssemblerX86Common::branchTest32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_i8r):
        (JSC::X86Assembler::bt_i8m):

2014-05-07  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
        <https://webkit.org/b/131356>

        Reviewed by Geoffrey Garen.

        The issue is that GC needs to be made aware of writes to m_inferredValue
        in the VariableWatchpointSet, but was not. As a result, if a JSCell*
        is written to a VariableWatchpointSet m_inferredValue, and that JSCell
        does not survive an eden GC shortly after, we will end up with a stale
        JSCell pointer left in the m_inferredValue.

        This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
        using DumpRenderTree with the VM heap in zombie mode.

        The fix is to change VariableWatchpointSet m_inferredValue to type
        WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
        is executed by all the execution engines so that the WriteBarrier semantics
        are honored.

        We still check if the value to be written is the same as the one in the
        inferredValue. We'll by-pass calling the slow path notifyWrite() if the
        values are the same.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        - need to pass the symbolTable to prepareToWatch() because it will be needed
          for instantiating the VariableWatchpointSet in prepareToWatch().

        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
          write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        (JSC::VariableWatchpointSet::notifyWrite): Deleted.
        * bytecode/VariableWatchpointSetInlines.h: Added.
        (JSC::VariableWatchpointSet::notifyWrite):

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        - Added an assert in case we try to make constants of zombified JSCells again.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - We now let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched, and the slow path will ensure that
          we handle the needed write barrier semantics correctly.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        - Let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * heap/Heap.cpp:
        (JSC::Zombify::operator()):
        - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
          which is used everywhere else).
        * heap/Heap.h:
        (JSC::Heap::isZombified):
        - Provide a convenience test function to check if JSCells are zombified. This is
          currently only used in an assertion in the DFG bytecode parser, but the intent
          is that we'll apply this test in other strategic places later to help with early
          detection of usage of GC'ed objects when we run in zombie mode.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitSlow_op_put_to_scope):
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * runtime/CommonSlowPaths.cpp:

        * runtime/JSCJSValue.h: Fixed some typos in the comments.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::notifyWrite):

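As an added illustration of the failure mode this entry fixes (it is not JavaScriptCore code; Heap, Cell, the barrier functions and the zombie flag are invented for this example), the toy generational collector below gives every cell one reference slot and runs an eden collection that scans only the roots and the remembered set. Storing a young cell into an already-old owner without a barrier leaves the slot pointing at a zombified cell after the next eden collection; the barriered store records the owner in the remembered set, and skips the slow path when the stored value is unchanged, mirroring the inferredValue comparison described above.

```cpp
// Added example, not JavaScriptCore code: a toy generational heap (Heap, Cell
// and the barrier names are invented here) showing why a pointer slot the
// collector is not told about dangles after an eden collection, and how a
// write barrier plus remembered set keeps the referent alive.
#include <cstdio>
#include <memory>
#include <unordered_set>
#include <vector>

struct Cell {
    bool isOld = false;       // survived at least one collection
    bool marked = false;
    bool zombified = false;   // freed and poisoned, as in JSC's zombie mode
    Cell* child = nullptr;    // the cell's single reference slot
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;
    std::unordered_set<Cell*> rememberedSet;   // old cells that may point at young ones

    Cell* allocate() {
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }

    // The pre-fix pattern: a raw store the collector never hears about.
    static void storeUnbarriered(Cell* owner, Cell* value) { owner->child = value; }

    // WriteBarrier semantics: skip the slow path if the value is unchanged
    // (the inferredValue comparison), otherwise record an old-to-young edge.
    void storeBarriered(Cell* owner, Cell* value) {
        if (owner->child == value)
            return;
        owner->child = value;
        if (owner->isOld && value && !value->isOld)
            rememberedSet.insert(owner);
    }

    // Eden collection: young cells are traced; old cells are assumed live and
    // their slots are scanned only if they are in the remembered set.
    void collectEden() {
        std::vector<Cell*> work(roots.begin(), roots.end());
        work.insert(work.end(), rememberedSet.begin(), rememberedSet.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!c || c->marked)
                continue;
            c->marked = true;
            bool scan = !c->isOld || rememberedSet.count(c) != 0;
            if (scan && c->child)
                work.push_back(c->child);
        }
        for (auto& c : cells) {
            if (c->isOld) { c->marked = false; continue; }
            if (c->marked) { c->isOld = true; c->marked = false; }
            else c->zombified = true;   // kept in `cells` so the bug stays observable
        }
        rememberedSet.clear();
    }
};

// Pre-fix: the owner (think VariableWatchpointSet) is already old, a young
// cell is stored into it without a barrier, and the next eden collection
// frees that cell while the owner's slot still points at it.
bool danglesWithoutBarrier() {
    Heap heap;
    Cell* owner = heap.allocate();
    heap.roots.push_back(owner);
    heap.collectEden();                  // owner survives and is promoted to old
    Cell* value = heap.allocate();       // young
    Heap::storeUnbarriered(owner, value);
    heap.collectEden();
    return owner->child == value && value->zombified;
}

// Post-fix: the barriered store puts the owner in the remembered set, so the
// young cell is traced, survives and is promoted.
bool survivesWithBarrier() {
    Heap heap;
    Cell* owner = heap.allocate();
    heap.roots.push_back(owner);
    heap.collectEden();
    Cell* value = heap.allocate();
    heap.storeBarriered(owner, value);
    heap.collectEden();
    return owner->child == value && !value->zombified && value->isOld;
}

int main() {
    std::printf("unbarriered store dangles: %s\n", danglesWithoutBarrier() ? "yes" : "no");
    std::printf("barriered store survives:  %s\n", survivesWithBarrier() ? "yes" : "no");
    return 0;
}
```

The dangling slot in the first scenario is what zombie mode makes visible: the collector poisons the freed cell, so a later read through the stale pointer fails loudly instead of silently reading reused memory.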
2014-05-06  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for C-LOOP after r168396.

        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Add test for deleteAllCompiledCode
        https://bugs.webkit.org/show_bug.cgi?id=132632

        Reviewed by Phil Pizlo.

        Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
        the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
        to write a test that will queue up loads of DFG compiles and then call
        Heap::deleteAllCompiledCode() to make sure that it can handle compiled
        code as well as code being compiled.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDeleteAllCompiledCode):
        (functionOptimizeNextInvocation):
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/TestRunnerUtils.h:
        * tests/stress/deleteAllCompiledCode.js: Added.
        (functionList):
        (runTest):

2014-05-06  Andreas Kling  <akling@apple.com>

        JSString::toAtomicString() should return AtomicString.
        <https://webkit.org/b/132627>

        Remove premature optimization where I was trying to avoid refcount
        churn when returning an already atomicized String.

        Instead of using reinterpret_cast to mangle the String member into
        a const AtomicString& return value, just return AtomicString.

        Reviewed by Geoff Garen.

        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):

2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r167889

        Rubber stamped by Geoff Garen.

        It broke some websites.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinAndPreventTransitions): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::hadDeletedOffsets): Deleted.
        * tests/stress/for-in-after-delete.js:
        (foo): Deleted.

2014-05-05  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize GetByVal when subscript is a rope string.
        <https://webkit.org/b/132590>

        Use JSString::toIdentifier() in the various GetByVal implementations
        to try and avoid allocating extra strings.

        Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
        in that, to avoid calling JSString::value() which always resolves ropes
        into new strings and de-optimizes subsequent toIdentifier() calls.

        My iMac says ~9% progression on Dromaeo/dom-attr.html

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::canUseFastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
        <https://webkit.org/b/168256>
        <rdar://problem/16816316>

        Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
        clear the fibers. The caller takes care of this.

        Test: fast/dom/getElementById-with-rope-string-arg.html

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=132581

        Reviewed by Filip Pizlo.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
        started compiling for is still the same at the end of compilation.
        Also did some minor restructuring.

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize PutByVal when subscript is a rope string.
        <https://webkit.org/b/132572>

        Add a JSString::toIdentifier() that is smarter when the JSString is
        really a rope string. Use this in baseline & DFG's PutByVal to avoid
        allocating new StringImpls that we immediately deduplicate anyway.

        Reviewed by Antti Koivisto.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):

2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.

        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.

        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
4267 (JSC::JSRopeString::offsetOfFibers):
4268 (JSC::JSRopeString::fiber):
4269 (JSC::JSRopeString::substringBase):
4270 (JSC::JSRopeString::substringOffset):
4271 (JSC::JSRopeString::substringSentinel):
4272 (JSC::JSRopeString::isSubstring):
4273 (JSC::jsSubstring):
4274 * runtime/RegExpMatchesArray.cpp:
4275 (JSC::RegExpMatchesArray::reifyAllProperties):
4276 * runtime/StringPrototype.cpp:
4277 (JSC::stringProtoFuncSubstring):
4278
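The two rope shapes described in the entries above (the lazy substring of r168254, whose base is never a rope, and the resolve-to-existing-AtomicString path of r168256, which probes the table with a temporary buffer and leaves the rope unresolved) as an added toy model in C++. This is example code written for this page, not JavaScriptCore's JSRopeString or WTF's AtomicString table: AtomicTable, Rope, charsOf, becomeFlat, toExistingAtomic and toAtomic are assumed names, and the table is a plain std::unordered_set standing in for the real interning table.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

// Stand-in for the AtomicString table (assumption): a set of interned strings.
// Pointers to std::unordered_set elements survive rehashing, so they can be
// handed out for the lifetime of the table.
class AtomicTable {
public:
    const std::string* findExisting(const std::string& chars) const {
        auto it = table_.find(chars);
        return it == table_.end() ? nullptr : &*it;
    }
    const std::string* intern(const std::string& chars) { return &*table_.insert(chars).first; }
    std::size_t size() const { return table_.size(); }
private:
    std::unordered_set<std::string> table_;
};

// Toy rope with the three shapes the entries describe.
struct Rope {
    enum class Kind { Flat, Concat, Substring };
    Kind kind = Kind::Flat;
    std::string flat;                           // Flat: the characters
    std::vector<std::shared_ptr<Rope>> fibers;  // Concat: children, left to right
    std::shared_ptr<Rope> base;                 // Substring: invariant base->kind == Flat
    std::size_t offset = 0, length = 0;         // Substring: range within base
    bool isRope() const { return kind != Kind::Flat; }
};

std::shared_ptr<Rope> makeFlat(std::string s) {
    auto r = std::make_shared<Rope>();
    r->flat = std::move(s);
    return r;
}

// Lazy concatenation: nothing is copied until the rope is resolved.
std::shared_ptr<Rope> concat(std::shared_ptr<Rope> a, std::shared_ptr<Rope> b) {
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Concat;
    r->fibers = {std::move(a), std::move(b)};
    return r;
}

// Collect the characters without mutating the rope. An explicit stack replaces
// recursion; a Substring fiber is always a leaf because its base is flat, so
// the concatenation path sees at most one level of substrings.
std::string charsOf(const Rope& rope) {
    std::string out;
    std::vector<const Rope*> work{&rope};
    while (!work.empty()) {
        const Rope* r = work.back();
        work.pop_back();
        if (r->kind == Rope::Kind::Flat) {
            out += r->flat;
        } else if (r->kind == Rope::Kind::Substring) {
            out.append(r->base->flat, r->offset, r->length);
        } else {
            // Push right to left so the leftmost fiber is popped first.
            for (auto it = r->fibers.rbegin(); it != r->fibers.rend(); ++it)
                work.push_back(it->get());
        }
    }
    return out;
}

// Make the rope a Flat string and drop fibers and base (the clearFibers step).
void becomeFlat(Rope& rope, std::string chars) {
    rope.flat = std::move(chars);
    rope.kind = Rope::Kind::Flat;
    rope.fibers.clear();
    rope.base.reset();
}

// Lazy substring: a rope base is resolved first, so a base is never a rope.
std::shared_ptr<Rope> substring(std::shared_ptr<Rope> s, std::size_t offset, std::size_t length) {
    if (s->isRope())
        becomeFlat(*s, charsOf(*s));
    auto r = std::make_shared<Rope>();
    r->kind = Rope::Kind::Substring;
    r->base = std::move(s);
    r->offset = offset;
    r->length = length;
    return r;
}

// toExistingAtomicString: resolve into a temporary buffer and probe the table;
// the rope stays unresolved whether or not there is a hit.
const std::string* toExistingAtomic(const Rope& rope, const AtomicTable& table) {
    return table.findExisting(charsOf(rope));
}

// toAtomicString: reuse an existing entry or intern the buffer, then resolve
// the rope to the interned characters.
const std::string* toAtomic(Rope& rope, AtomicTable& table) {
    std::string buffer = charsOf(rope);
    const std::string* existing = table.findExisting(buffer);
    const std::string* result = existing ? existing : table.intern(buffer);
    becomeFlat(rope, *result);
    return result;
}
```

The point of the substring invariant is visible in charsOf: because substring() resolves a rope base before wrapping it, a Substring node never has to recurse, and the concatenation loop only ever meets substrings as leaves. toExistingAtomic deliberately takes a const rope, which is the model's way of guaranteeing that a miss leaves the rope untouched.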
2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Often times when debugging, using bytecode ranges isn't enough to narrow down to the
        particular DFG block that's causing issues. This patch adds the ability to whitelist
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.

        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
        cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateProxy):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::isNormalized):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isProxy):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::targetOffset):
        * runtime/JSType.h:
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        * runtime/Structure.h:
        (JSC::Structure::isProxy):
        * tests/stress/proxy-inline-cache.js: Added.
        (cacheOnTarget.getX):
        (cacheOnTarget):
        (cacheOnPrototypeOfTarget.getX):
        (cacheOnPrototypeOfTarget):
        (dontCacheOnProxyInPrototypeChain.getX):
        (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29  Geoffrey Garen  <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it. So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28  Filip Pizlo  <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.

        5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27  Filip Pizlo  <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.

        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow, you have a high chance of large numbers of
        structures being pinned during any GC since the compilation queue is likely to be full
        of random stuff.

        This comprehensively fixes this issue by allowing the GC to remove compilation plans
        if the things they depend on are dead, and to even cancel safepointed compilations.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraphSafepoint.cpp:
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        * dfg/DFGGraphSafepoint.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyCompiled):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::visitChildren): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Result::~Result):
        (JSC::DFG::Safepoint::Result::didGetCancelled):
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
        (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::visitChildren): Deleted.
        * dfg/DFGSafepoint.h:
        (JSC::DFG::Safepoint::Result::Result):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::visitChildren): Deleted.
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::collect):
        (JSC::Heap::visitCompilerWorklists): Deleted.
        * heap/Heap.h:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Oliver Hunt.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
        iterating properties because we're required to iterate properties in insertion order.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::hadDeletedOffsets):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
        * tests/stress/for-in-after-delete.js: Added.
        (foo):

2014-04-25  Andreas Kling  <akling@apple.com>

        Inline (C++) GetByVal with numeric indices more aggressively.
        <https://webkit.org/b/132218>

        We were already inlining the string indexed GetByVal path pretty well,
        while the path for numeric indices got neglected. No more!

        ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

            Before: 199.50 runs/s
            After: 218.58 runs/s

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):

            ALWAYS_INLINE all the things.

        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

            Avoid fetching the Structure more than once. We have the same
            optimization in the string-indexed code path.

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Need earlier cell test
        https://bugs.webkit.org/show_bug.cgi?id=132211

        Reviewed by Mark Lam.

        Move cell test to before the function call repatch
        location, as the repatch logic for 32bit assumes that the
        caller will already have performed a cell check.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2014-04-25  Andreas Kling  <akling@apple.com>

        Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25  Andreas Kling  <akling@apple.com>

        Windows build fix attempt.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25  Mark Lam  <mark.lam@apple.com>

        Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
        <https://webkit.org/b/132201>

        Reviewed by Joseph Pecoraro.

        BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
        BreakpointActions everywhere.

        * inspector/ScriptBreakpoint.h:
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::setBreakpoint):
        (Inspector::ScriptDebugServer::getActionsForBreakpoint):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG worklist scanning should not treat the key as a separate entity
        https://bugs.webkit.org/show_bug.cgi?id=132167

        Reviewed by Mark Hahnenberg.

        This simplifies the interface to the GC and will enable more optimizations.

        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren): Deleted.
        * dfg/DFGCompilationKey.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitChildren):

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Remove unused parameter from codeblock linking function
        https://bugs.webkit.org/show_bug.cgi?id=132199

        Reviewed by Anders Carlsson.

        No change in behaviour. This is just a small change to make it
        slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
        actually mean.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedCodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25  Andreas Kling  <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * builtins/BuiltinExecutables.h:
        * heap/GCThreadSharedData.h:
        * inspector/JSConsoleClient.h:
        * inspector/agents/InspectorAgent.h:
        * runtime/CodeCache.h:
        * runtime/JSGlobalObject.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/WeakGCMap.h:

2014-04-25  Antoine Quint  <graouts@webkit.org>

        Implement Array.prototype.find()
        https://bugs.webkit.org/show_bug.cgi?id=130966

        Reviewed by Oliver Hunt.

        Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):
        * runtime/ArrayPrototype.cpp:

2014-04-24  Brady Eidson  <beidson@apple.com>

        Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
        https://bugs.webkit.org/show_bug.cgi?id=132155

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2014-04-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
        https://bugs.webkit.org/show_bug.cgi?id=132147

        Reviewed by Mark Lam.

        Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        * tests/stress/regress-132147.js: Added test.

2014-04-24  Mark Lam  <mark.lam@apple.com>

        Make slowPathAllocsBetweenGCs a runtime option.
        <https://webkit.org/b/132137>

        Reviewed by Mark Hahnenberg.

        This will make it easier to more casually run tests with this configuration
        as well as to reproduce issues (instead of requiring a code mod and rebuild).
        We will now take --slowPathAllocsBetweenGCs=N where N is the number of
        slow path allocations before we trigger a collection.

        The option defaults to 0, which is reserved to mean that we will not trigger
        any collections there.

        * heap/Heap.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedAllocator.h:
        * runtime/Options.h:

2014-04-23  Mark Lam  <mark.lam@apple.com>

        The GC should only resume compiler threads that it suspended in the same GC pass.
        <https://webkit.org/b/132088>

        Reviewed by Mark Hahnenberg.

        Previously, this scenario can occur:
        1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
           no worklists were created yet at that time.
        2. Thread 2 starts to compile some functions and creates a DFG worklist, and
           acquires the worklist thread's lock.
        3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
           This time, it sees the worklist created by Thread 2 and ends up unlocking
           the worklist thread's lock that is supposedly held by Thread 2.
           Thereafter, chaos ensues.

        The fix is to cache the worklists that were actually suspended by each GC pass,
        and only resume those when the GC is done.

        This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
        the fast/workers layout tests.

        * heap/Heap.cpp:
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

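The three-step interleaving in the entry above, replayed in an added C++ model that is not JavaScriptCore's Heap or DFG::Worklist code. OwnedLock, Worklist, Registry, BuggyGC and FixedGC are assumed names; the toy lock refuses and counts a release attempted by a non-owner (where a real mutex would silently hand the compiler thread's lock to whoever asks next), so the outcome before and after the fix can be compared directly.

```cpp
#include <memory>
#include <vector>

// Ownership-tracking lock (assumption): a release by a thread that does not
// hold it is refused and counted instead of being undefined behaviour.
struct OwnedLock {
    int owner = 0;        // 0 = free, otherwise the holding thread's id
    int badReleases = 0;  // releases attempted by a non-owner

    bool tryAcquire(int tid) {
        if (owner != 0) return false;
        owner = tid;
        return true;
    }
    void release(int tid) {
        if (owner != tid) { ++badReleases; return; }
        owner = 0;
    }
};

// A DFG-style worklist guarded by its thread's lock, created lazily by the
// first thread that needs one.
struct Worklist {
    OwnedLock threadLock;
};

struct Registry {
    std::vector<std::shared_ptr<Worklist>> worklists;
    std::shared_ptr<Worklist> ensureWorklist() {
        if (worklists.empty()) worklists.push_back(std::make_shared<Worklist>());
        return worklists.front();
    }
};

constexpr int kGCThread = 1;        // "Thread 1" in the entry
constexpr int kCompilerThread = 2;  // "Thread 2" in the entry

// Before the fix: resume walks whatever worklists exist *now*, so a worklist
// created (and locked) after suspension is released by the GC as well.
struct BuggyGC {
    void suspendCompilerThreads(Registry& reg) {
        for (auto& w : reg.worklists) w->threadLock.tryAcquire(kGCThread);
    }
    void resumeCompilerThreads(Registry& reg) {
        for (auto& w : reg.worklists) w->threadLock.release(kGCThread);
    }
};

// After the fix: remember exactly which worklists this pass suspended and
// resume only those.
struct FixedGC {
    std::vector<std::shared_ptr<Worklist>> suspended;
    void suspendCompilerThreads(Registry& reg) {
        for (auto& w : reg.worklists)
            if (w->threadLock.tryAcquire(kGCThread)) suspended.push_back(w);
    }
    void resumeCompilerThreads() {
        for (auto& w : suspended) w->threadLock.release(kGCThread);
        suspended.clear();
    }
};

// Replay steps 1-3 of the entry. Returns true when the compiler thread still
// holds its lock afterwards and the GC never released a lock it did not own.
bool replayBuggy() {
    Registry reg;
    BuggyGC gc;
    gc.suspendCompilerThreads(reg);              // 1: no worklists exist yet
    auto w = reg.ensureWorklist();               // 2: compiler thread creates one...
    w->threadLock.tryAcquire(kCompilerThread);   //    ...and takes its lock
    gc.resumeCompilerThreads(reg);               // 3: GC "resumes" the new worklist
    return w->threadLock.owner == kCompilerThread && w->threadLock.badReleases == 0;
}

bool replayFixed() {
    Registry reg;
    FixedGC gc;
    gc.suspendCompilerThreads(reg);
    auto w = reg.ensureWorklist();
    w->threadLock.tryAcquire(kCompilerThread);
    gc.resumeCompilerThreads();                  // nothing was suspended, nothing is resumed
    return w->threadLock.owner == kCompilerThread && w->threadLock.badReleases == 0;
}

// The fixed GC must still resume what it did suspend.
bool fixedResumesOwnSuspensions() {
    Registry reg;
    auto w = reg.ensureWorklist();               // worklist exists before the GC pass
    FixedGC gc;
    gc.suspendCompilerThreads(reg);
    bool heldByGC = w->threadLock.owner == kGCThread;
    gc.resumeCompilerThreads();
    return heldByGC && w->threadLock.owner == 0 && w->threadLock.badReleases == 0;
}
```

The general rule the fix applies is that a suspend/resume pair must be keyed on the set actually suspended, not on a global lookup re-evaluated at resume time; any registry that can grow between the two halves of the pair reproduces the same bug.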
2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
        https://bugs.webkit.org/show_bug.cgi?id=132079

        Reviewed by Michael Saboff.

        Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

        Also added a test that previously triggered this bug.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): D'oh!
        * tests/stress/arguments-copy-register-array-backing-store.js: Added.
        (foo):
        (bar):

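The dangling-pointer shape described in the entry above, as an added C++ illustration rather than JavaScriptCore's Arguments code. Arena, Arguments, copyBackingStoreBuggy, copyBackingStoreFixed and copyThenCollect are assumed names; the arena stands in for CopiedSpace and, instead of freeing a recycled block, overwrites it with a poison value so that a stale interior pointer can be read safely and its effect observed.

```cpp
#include <algorithm>
#include <cstddef>
#include <deque>
#include <vector>

using Value = long;
constexpr Value kPoison = -1;

// Stand-in for CopiedSpace (assumption). Blocks live in a deque so pointers
// into earlier blocks stay valid when new ones are added; "recycling" a block
// fills it with kPoison rather than freeing it.
struct Arena {
    std::deque<std::vector<Value>> blocks;

    Value* allocate(std::size_t count) {
        blocks.emplace_back(count, Value(0));
        return blocks.back().data();
    }
    // Collector step: every block other than `live` is treated as garbage.
    void recycleAllExcept(const Value* live) {
        for (auto& block : blocks)
            if (block.data() != live)
                std::fill(block.begin(), block.end(), kPoison);
    }
};

// m_registerArray owns the backing store; m_registers is the interior pointer
// through which every element access goes.
struct Arguments {
    Value* m_registerArray = nullptr;
    Value* m_registers = nullptr;
    std::size_t count = 0;
};

Arguments createArguments(Arena& arena, const std::vector<Value>& values) {
    Arguments a;
    a.count = values.size();
    a.m_registerArray = arena.allocate(a.count);
    for (std::size_t i = 0; i < a.count; ++i)
        a.m_registerArray[i] = values[i];
    a.m_registers = a.m_registerArray;
    return a;
}

// Before the fix: the backing store moves to a fresh block, but m_registers
// keeps pointing into the old block that the collector will recycle.
void copyBackingStoreBuggy(Arena& arena, Arguments& a) {
    Value* fresh = arena.allocate(a.count);
    for (std::size_t i = 0; i < a.count; ++i)
        fresh[i] = a.m_registerArray[i];
    a.m_registerArray = fresh;
}

// After the fix: m_registers is rebased onto the new block in the same step.
void copyBackingStoreFixed(Arena& arena, Arguments& a) {
    Value* fresh = arena.allocate(a.count);
    for (std::size_t i = 0; i < a.count; ++i)
        fresh[i] = a.m_registerArray[i];
    a.m_registerArray = fresh;
    a.m_registers = fresh;
}

// The invariant a copied object must satisfy before the old block is recycled.
bool registersPointIntoOwnStore(const Arguments& a) {
    return a.m_registers == a.m_registerArray;
}

// Reads go through m_registers, so this is where a stale pointer shows up.
Value sumThroughRegisters(const Arguments& a) {
    Value total = 0;
    for (std::size_t i = 0; i < a.count; ++i)
        total += a.m_registers[i];
    return total;
}

// Copy the store with either routine, then let the collector recycle the old
// block; returns the sum read afterwards (constructed input {1, 2, 3}).
Value copyThenCollect(bool fixed) {
    Arena arena;
    Arguments a = createArguments(arena, {1, 2, 3});
    if (fixed)
        copyBackingStoreFixed(arena, a);
    else
        copyBackingStoreBuggy(arena, a);
    arena.recycleAllExcept(a.m_registerArray);
    return sumThroughRegisters(a);
}
```

With the buggy copy the sum comes back as three poison values, which is the benign version of reading a CopiedBlock that has since been handed to some other object; the invariant check is the kind of assertion worth running in debug builds whenever an object keeps both an owning pointer and an interior pointer to the same relocatable store.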
2014-04-23  Mark Rowe  <mrowe@apple.com>

        [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
        <https://webkit.org/b/132053>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
        the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
        from /bin/sh since that generates unnecessary output.

2014-04-22  Mark Lam  <mark.lam@apple.com>

        DFG::Worklist should acquire the m_lock before iterating DFG plans.
        <https://webkit.org/b/132032>

        Reviewed by Filip Pizlo.

        Currently, there's a rightToRun mechanism that ensures that no compilation
        threads are running when the GC is iterating through the DFG worklists.
        However, this does not prevent a Worker thread from doing a DFG compilation
        and modifying the plans in the worklists thereby invalidating the plan
        iterator that the GC is using. This patch fixes the issue by acquiring
        the worklist m_lock before iterating the worklist plans.

        This issue was uncovered by running the fast/workers layout tests with
        COLLECT_ON_EVERY_ALLOCATION enabled.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::visitChildren):

2014-04-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Support Python 2.7 in Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=132023

        Reviewed by Michael Saboff.

        * DerivedSources.make: Use a conditional variable to define
        the path to Python/Perl.

2014-04-22  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        [Win] Unreviewed build fix after my r167666.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Added ../../../ again to include headers in Source/JavaScriptCore.

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        Removed old stdbool and inttypes headers.
        https://bugs.webkit.org/show_bug.cgi?id=131966

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Removed references to os-win32 directory.
        * os-win32: Removed.
        * os-win32/inttypes.h: Removed.
        * os-win32/stdbool.h: Removed.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
        https://bugs.webkit.org/show_bug.cgi?id=131971
        <rdar://problem/16676511>

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Switch statements that skip the baseline JIT should work
        https://bugs.webkit.org/show_bug.cgi?id=131965

        Reviewed by Mark Hahnenberg.

        * bytecode/JumpTable.h:
        (JSC::SimpleJumpTable::ensureCTITable):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * tests/stress/inline-llint-with-switch.js: Added.
        (foo):
        (bar):
        (test):

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments objects shouldn't need a destructor
        https://bugs.webkit.org/show_bug.cgi?id=131899

        Reviewed by Oliver Hunt.

        This patch rids Arguments objects of their destructors. It does this by
        switching their backing stores to use CopiedSpace rather than malloc memory.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
5105 Arguments allocation so that it only emits an extra write for strict mode code rather
5106 than unconditionally.
5107 * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
5108 * runtime/Arguments.cpp:
5109 (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
5110 (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
5111 (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
5112 (JSC::Arguments::deleteProperty):
5113 (JSC::Arguments::defineOwnProperty):
5114 (JSC::Arguments::allocateRegisterArray):
5115 (JSC::Arguments::tearOff):
5116 (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
5117 * runtime/Arguments.h:
5118 (JSC::Arguments::registerArraySizeInBytes):
5119 (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
5120 in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
5121 allocation.
5122 (JSC::Arguments::SlowArgumentData::slowArguments):
5123 (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
5124 (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
5125 (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
5126 (JSC::Arguments::Arguments):
5127 (JSC::Arguments::allocateSlowArguments):
5128 (JSC::Arguments::tryDeleteArgument):
5129 (JSC::Arguments::isDeletedArgument):
5130 (JSC::Arguments::isArgument):
5131 (JSC::Arguments::argument):
5132 (JSC::Arguments::finishCreation):
5133 * runtime/SymbolTable.h:
5134
51352014-04-21 Eric Carlson <eric.carlson@apple.com>
5136
5137 [Mac] implement WebKitDataCue
5138 https://bugs.webkit.org/show_bug.cgi?id=131799
5139
5140 Reviewed by Dean Jackson.
5141
5142 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5143
51442014-04-21 Filip Pizlo <fpizlo@apple.com>
5145
5146 Unreviewed test gardening, run the repeat-out-of-bounds tests again.
5147
5148 * tests/stress/float32-repeat-out-of-bounds.js:
5149 * tests/stress/int8-repeat-out-of-bounds.js:
5150
51512014-04-21 Filip Pizlo <fpizlo@apple.com>
5152
5153 OSR exit should know about Int52 and Double constants
5154 https://bugs.webkit.org/show_bug.cgi?id=131945
5155
5156 Reviewed by Oliver Hunt.
5157
5158 The DFG OSR exit machinery's ignorance would lead to some constants becoming
5159 jsUndefined() after OSR exit.
5160
5161 The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
5162 stackmap constant rather than baking the constant into the OSRExit data structure.
5163 So, not a big deal, but worth fixing.
5164
5165 Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
5166
5167 * dfg/DFGByteCodeParser.cpp:
5168 (JSC::DFG::ByteCodeParser::handleIntrinsic):
5169 * dfg/DFGMinifiedNode.h:
5170 (JSC::DFG::belongsInMinifiedGraph):
5171 (JSC::DFG::MinifiedNode::hasConstantNumber):
5172 * ftl/FTLLowerDFGToLLVM.cpp:
5173 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
5174 * jsc.cpp:
5175 (GlobalObject::finishCreation):
5176 (functionOtherFalse):
5177 (functionUndefined):
5178 * runtime/Intrinsic.h:
5179 * tests/stress/fold-to-double-constant-then-exit.js: Added.
5180 (foo):
5181 * tests/stress/fold-to-int52-constant-then-exit.js: Added.
5182 (foo):
5183
51842014-04-21 Filip Pizlo <fpizlo@apple.com>
5185
5186 Provide feedback when we encounter an unrecognied node in the FTL backend.
5187
5188 Rubber stamped by Alexey Proskuryakov.
5189
5190 * ftl/FTLLowerDFGToLLVM.cpp:
5191 (JSC::FTL::LowerDFGToLLVM::compileNode):
5192
51932014-04-21 Andreas Kling <akling@apple.com>
5194
5195 Move the JSString cache from DOMWrapperWorld to VM.
5196 <https://webkit.org/b/131940>
5197
5198 Reviewed by Geoff Garen.
5199
5200 * runtime/VM.h:
5201
52022014-04-19 Filip Pizlo <fpizlo@apple.com>
5203
5204 Take block execution count estimates into account when voting double
5205 https://bugs.webkit.org/show_bug.cgi?id=131906
5206
5207 Reviewed by Geoffrey Garen.
5208
5209 This was a drama in three acts.
5210
5211 Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
5212 number of uses of a variable that want double or non-double. Easy as pie. This
5213 gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
5214 else.
5215
5216 Act II: Realize that there were some programs where our previous double voting was
5217 just on the edge of disaster and making it more precise tipped it over. In
5218 particular, if you had an integer variable that would infrequently be used in a
5219 computation that resulted in a variable that was frequently used as an array index,
5220 the outer infrequentness would be the thing we'd use in the vote. So, an array
5221 index would become double. We fix this by reviving global backwards propagation
5222 and introducing the concept of ReallyWantsInt, which is used just for array
5223 indices. Any variable transitively flagged as ReallyWantsInt will never be forced
5224 double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
5225 be set in bitops for RageConversion but using it for double forcing is too much.
5226 Basically, it's cheaper to have to convert a double to an int for a bitop than it
5227 is to convert a double to an int for an array index; also a variable being used as
5228 an array index is a much stronger hint that it ought to be an int. This recovered
5229 performance on everything except programs that used FTL OSR entry.
5230
5231 Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
5232 count, which then completely pollutes the weighting - essentially all votes go
5233 NaN. Fix this with some surgical defenses. Basically, any client of execution
5234 counts should allow for them to be NaN and shouldn't completely fall off a cliff
5235 when it happens.
5236
5237 This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
5238 7% speed-up on AsmBench and 2% speed-up on Kraken.
5239
5240 * CMakeLists.txt:
5241 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5242 * JavaScriptCore.xcodeproj/project.pbxproj:
5243 * dfg/DFGBackwardsPropagationPhase.cpp:
5244 (JSC::DFG::BackwardsPropagationPhase::run):
5245 (JSC::DFG::BackwardsPropagationPhase::propagate):
5246 * dfg/DFGGraph.cpp:
5247 (JSC::DFG::Graph::dumpBlockHeader):
5248 * dfg/DFGGraph.h:
5249 (JSC::DFG::Graph::voteNode):
5250 (JSC::DFG::Graph::voteChildren):
5251 * dfg/DFGNodeFlags.cpp:
5252 (JSC::DFG::dumpNodeFlags):
5253 * dfg/DFGNodeFlags.h:
5254 * dfg/DFGOSREntrypointCreationPhase.cpp:
5255 (JSC::DFG::OSREntrypointCreationPhase::run):
5256 * dfg/DFGPlan.cpp:
5257 (JSC::DFG::Plan::compileInThreadImpl):
5258 * dfg/DFGPredictionPropagationPhase.cpp:
5259 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5260 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
5261 * dfg/DFGVariableAccessData.cpp: Added.
5262 (JSC::DFG::VariableAccessData::VariableAccessData):
5263 (JSC::DFG::VariableAccessData::mergeIsCaptured):
5264 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
5265 (JSC::DFG::VariableAccessData::predict):
5266 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
5267 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5268 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
5269 (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
5270 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5271 (JSC::DFG::VariableAccessData::flushFormat):
5272 * dfg/DFGVariableAccessData.h:
5273 (JSC::DFG::VariableAccessData::vote):
5274 (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
5275 (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
5276 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
5277 (JSC::DFG::VariableAccessData::predict): Deleted.
5278 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
5279 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
5280 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
5281 (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
5282 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
5283 (JSC::DFG::VariableAccessData::flushFormat): Deleted.
5284
52852014-04-21 Michael Saboff <msaboff@apple.com>
5286
5287 REGRESSION(r167591): ARM64 and ARM traditional builds broken
5288 https://bugs.webkit.org/show_bug.cgi?id=131935
5289
5290 Reviewed by Mark Hahnenberg.
5291
5292 Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
5293 macro assemblers. Added a new test for the original patch.
5294
5295 * assembler/MacroAssemblerARM.h:
5296 (JSC::MacroAssemblerARM::store8):
5297 * assembler/MacroAssemblerARM64.h:
5298 (JSC::MacroAssemblerARM64::store8):
5299 * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
5300
53012014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
5302
5303 Inline allocate Arguments objects in the DFG
5304 https://bugs.webkit.org/show_bug.cgi?id=131897
5305
5306 Reviewed by Geoffrey Garen.
5307
5308 Many libraries/frameworks depend on the arguments object for overloaded API entry points.
5309 This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
5310 for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
5311
5312 * dfg/DFGSpeculativeJIT.cpp:
5313 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
5314 * dfg/DFGSpeculativeJIT.h:
5315 (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
5316 * dfg/DFGSpeculativeJIT32_64.cpp:
5317 (JSC::DFG::SpeculativeJIT::compile):
5318 * dfg/DFGSpeculativeJIT64.cpp:
5319 (JSC::DFG::SpeculativeJIT::compile):
5320 * runtime/Arguments.h:
5321 (JSC::Arguments::offsetOfActivation):
5322 (JSC::Arguments::offsetOfOverrodeLength):
5323 (JSC::Arguments::offsetOfIsStrictMode):
5324 (JSC::Arguments::offsetOfRegisterArray):
5325 (JSC::Arguments::offsetOfCallee):
5326 (JSC::Arguments::allocationSize):
5327
53282014-04-20 Andreas Kling <akling@apple.com>
5329
5330 Speed up jsStringWithCache() through WeakGCMap inlining.
5331 <https://webkit.org/b/131923>
5332
5333 Always inline WeakGCMap::add() but move the slow garbage collecting
5334 path out-of-line.
5335
5336 Reviewed by Darin Adler.
5337
5338 * runtime/WeakGCMap.h:
5339 (JSC::WeakGCMap::add):
5340 (JSC::WeakGCMap::gcMap):
5341
53422014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
5343
5344 JavaScriptCore: ARM build fix after r167094.
5345 https://bugs.webkit.org/show_bug.cgi?id=131612
5346
5347 Reviewed by Michael Saboff.
5348
5349 After r167094 there are many build errors on ARM like these:
5350
5351 /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
5352 /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
5353 /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
5354 /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
5355
5356 Problem is caused by the wrong generated assembly like:
5357 "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
5358
5359 `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts
5360 the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
5361 Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
5362 use case: move rn, (label1-label2) which is translated to movw and movt.
5363
5364 * llint/LowLevelInterpreter.asm:
5365 * offlineasm/arm.rb:
5366 * offlineasm/instructions.rb:
5367
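The encodability rule behind those binutils errors, as an added example (constructed C, not WebKit or offlineasm code): a classic ARM data-processing `mov` immediate is an 8-bit value rotated right by an even amount, so a constant such as 0x425a, whose set bits span more than eight positions, cannot be encoded in one `mov` (nor, via `mvn`, as a complement), while a `movw`/`movt` pair materialises any 32-bit value from two 16-bit halves. The function names are assumptions; the four constants come from the log lines above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit value right by n bits (n in 0..31). */
static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* Can `value` be encoded as a classic ARM data-processing immediate,
 * i.e. an 8-bit constant rotated right by an even amount in 0..30?
 * When this is false for a `mov`, binutils reports
 * "invalid constant (...) after fixup", as in the log above. */
bool arm_mov_imm_encodable(uint32_t value)
{
    for (unsigned rot = 0; rot < 32; rot += 2) {
        /* Undo the rotation: if imm8 ROR rot == value, then rotating value
         * left by rot (= right by 32 - rot) yields an imm8 that fits 8 bits. */
        if (ror32(value, (32 - rot) & 31) <= 0xFF)
            return true;
    }
    return false;
}

/* Assemblers may also flip a `mov` into `mvn` when the bitwise complement
 * is encodable; this reports whether either single-instruction form works. */
bool arm_mov_or_mvn_encodable(uint32_t value)
{
    return arm_mov_imm_encodable(value) || arm_mov_imm_encodable(~value);
}

/* The fix above uses `movw`/`movt` instead: each carries a plain 16-bit
 * immediate, so any 32-bit constant is materialised in two instructions. */
uint16_t arm_movw_imm(uint32_t value) { return (uint16_t)(value & 0xFFFFu); }
uint16_t arm_movt_imm(uint32_t value) { return (uint16_t)(value >> 16); }

/* Instructions needed to load `value`: 1 for mov/mvn, otherwise 2 (movw+movt). */
unsigned arm_load_constant_cost(uint32_t value)
{
    return arm_mov_or_mvn_encodable(value) ? 1 : 2;
}

int main(void)
{
    /* The four label differences that binutils rejected in the log above. */
    const uint32_t rejected[] = { 0x425a, 0x426e, 0x4282, 0x4296 };
    for (size_t i = 0; i < sizeof rejected / sizeof rejected[0]; i++) {
        printf("0x%04x: single mov/mvn encodable=%d -> movw #0x%04x, movt #0x%04x\n",
               rejected[i], arm_mov_or_mvn_encodable(rejected[i]),
               arm_movw_imm(rejected[i]), arm_movt_imm(rejected[i]));
    }
    return 0;
}
```

The rotation is cyclic, so a value like 0xF000000F (set bits wrapping around the word) is encodable even though its bits are far apart, whereas 0x1001 is not; the check has to try every even rotation rather than measure the span of set bits.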
2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed build fix after r167336.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchAdd32):

2014-04-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167501.
        https://bugs.webkit.org/show_bug.cgi?id=131913

        It broke DYEBench (Requested by mhahnenberg on #webkit).

        Reverted changeset:

        "Deleting properties poisons objects"
        https://bugs.webkit.org/show_bug.cgi?id=131551
        http://trac.webkit.org/changeset/167501

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be OK to store new fields into objects that have no prototypes
        https://bugs.webkit.org/show_bug.cgi?id=131905

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        * tests/stress/put-by-id-transition-null-prototype.js: Added.
        (foo):

2014-04-19  Benjamin Poulain  <bpoulain@apple.com>

        Make the CSS JIT compile for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=131834

        Reviewed by Gavin Barraclough.

        Extend the ARM64 MacroAssembler to support the code generation required by
        the CSS JIT.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::addPtrNoFlags):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::branchPtr):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::branch):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-04-19  Andreas Kling  <akling@apple.com>

        Two little shortcuts to the JSType.
        <https://webkit.org/b/131896>

        Tweak two sites that take the long road through JSCell::structure()->typeInfo()
        to look at data that's already in JSCell::type().

        Reviewed by Darin Adler.

        * runtime/NameInstance.h:
        (JSC::isName):
        * runtime/NumberPrototype.cpp:
        (JSC::toThisNumber):

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Make it easier to check if an integer sum would overflow
        https://bugs.webkit.org/show_bug.cgi?id=131900

        Reviewed by Darin Adler.

        * dfg/DFGOperations.cpp:
        * runtime/Operations.h:
        (JSC::jsString):

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.

        * dfg/DFGOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSRopeString::RopeBuilder::append):

2014-04-18  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r164205): WebKit crash @StructureIDTable::get.
        <https://webkit.org/b/130539>

        Reviewed by Geoffrey Garen.

        prepareOSREntry() prepares for OSR entry by first copying the local var
        values from the baseline frame to a scratch buffer, which is then used
        to fill in the locals in their new position in the DFG frame. Unfortunately,
        prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
        size of the baseline frame. As a result, some values of locals in the
        baseline frame were not saved off, and the DFG frame may get initialized
        with random content that happened to be in the uninitialized (and possibly
        unallocated) portions of the scratch buffer.

        The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
        number of locals in the baseline frame that we want to copy to the scratch
        buffer.

        Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
        at offset 0 in the scratch buffer. So, we continue to write that value
        there, not the baseline frame size.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

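A constructed model of the sizing bug described above (example C, not JavaScriptCore code): the scratch buffer keeps the DFG frameRegisterCount in slot 0, as the note says the entry thunk expects, and the baseline locals after it. The buggy variant bounds the copy by frameRegisterCount, the fixed one by the baseline frame's number of locals; a sentinel stands in for whatever stale content the buffer held, so the return value counts DFG-frame locals that would have been populated from never-written scratch space. All function names, the slot layout and the sample values are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SCRATCH_SLOTS 64
/* Sentinel standing in for whatever stale content the scratch buffer held. */
#define STALE 0xDEADBEEFu

/* Copy baseline locals into scratch[1..], keeping frameRegisterCount in
 * scratch[0] for the OSR entry thunk. Returns the number of locals copied.
 * `fixed` selects the corrected bound (the baseline frame's locals) over the
 * buggy one (the DFG frame's register count). */
size_t osr_copy_locals(const uint32_t *baseline_locals, size_t baseline_num_locals,
                       uint32_t frame_register_count, uint32_t *scratch, bool fixed)
{
    scratch[0] = frame_register_count;          /* unchanged by the fix */
    size_t count = fixed ? baseline_num_locals : frame_register_count;
    if (count > SCRATCH_SLOTS - 1)
        count = SCRATCH_SLOTS - 1;               /* never run off the buffer */
    for (size_t i = 0; i < count; i++)
        scratch[1 + i] = baseline_locals[i];
    return count;
}

/* Fill the DFG frame's locals from the scratch buffer and count how many
 * came from slots the copy never wrote. */
size_t osr_fill_dfg_frame(const uint32_t *scratch, size_t baseline_num_locals,
                          uint32_t *dfg_locals)
{
    size_t stale = 0;
    for (size_t i = 0; i < baseline_num_locals; i++) {
        dfg_locals[i] = scratch[1 + i];
        if (dfg_locals[i] == STALE)
            stale++;
    }
    return stale;
}

/* Whole scenario on constructed data: a baseline frame with `num_locals`
 * locals entering a DFG frame sized `frame_register_count`. Returns the
 * number of DFG locals populated from stale scratch memory (0 is correct). */
size_t osr_stale_locals(size_t num_locals, uint32_t frame_register_count, bool fixed)
{
    uint32_t baseline[SCRATCH_SLOTS];
    uint32_t scratch[SCRATCH_SLOTS];
    uint32_t dfg[SCRATCH_SLOTS];
    for (size_t i = 0; i < SCRATCH_SLOTS; i++) {
        baseline[i] = 1000u + (uint32_t)i;  /* constructed local values */
        scratch[i] = STALE;                 /* buffer starts out "uninitialised" */
    }
    if (num_locals > SCRATCH_SLOTS - 1)
        num_locals = SCRATCH_SLOTS - 1;
    osr_copy_locals(baseline, num_locals, frame_register_count, scratch, fixed);
    return osr_fill_dfg_frame(scratch, num_locals, dfg);
}
```

With six baseline locals entering a DFG frame whose frameRegisterCount is four, the buggy bound leaves the last two locals unsaved and the DFG frame picks up two stale slots; bounding by the baseline local count leaves none, while slot 0 still carries the DFG count either way.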
54812014-04-18 Timothy Hatcher <timothy@apple.com>
5482
5483 Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
5484 https://bugs.webkit.org/show_bug.cgi?id=131673
5485
5486 Passes existing profiler and inspector tests.
5487
5488 Reviewed by Joseph Pecoraro.
5489
5490 * CMakeLists.txt:
5491 * DerivedSources.make:
5492 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5493 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5494 * JavaScriptCore.xcodeproj/project.pbxproj:
5495 * inspector/JSConsoleClient.cpp:
5496 (Inspector::JSConsoleClient::JSConsoleClient):
5497 (Inspector::JSConsoleClient::profile):
5498 (Inspector::JSConsoleClient::profileEnd):
5499 (Inspector::JSConsoleClient::count): Deleted.
5500 * inspector/JSConsoleClient.h:
5501 * inspector/JSGlobalObjectInspectorController.cpp:
5502 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
5503 * inspector/agents/InspectorProfilerAgent.cpp: Added.
5504 (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
5505 (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
5506 (Inspector::InspectorProfilerAgent::addProfile):
5507 (Inspector::InspectorProfilerAgent::createProfileHeader):
5508 (Inspector::InspectorProfilerAgent::enable):
5509 (Inspector::InspectorProfilerAgent::disable):
5510 (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
5511 (Inspector::InspectorProfilerAgent::getProfileHeaders):
5512 (Inspector::buildInspectorObject):
5513 (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
5514 (Inspector::InspectorProfilerAgent::getCPUProfile):
5515 (Inspector::InspectorProfilerAgent::removeProfile):
5516 (Inspector::InspectorProfilerAgent::reset):
5517 (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
5518 (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
5519 (Inspector::InspectorProfilerAgent::start):
5520 (Inspector::InspectorProfilerAgent::stop):
5521 (Inspector::InspectorProfilerAgent::setRecordingProfile):
5522 (Inspector::InspectorProfilerAgent::startProfiling):
5523 (Inspector::InspectorProfilerAgent::stopProfiling):
5524 * inspector/agents/InspectorProfilerAgent.h: Added.
5525 * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
5526 (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
5527 (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
5528 * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
5529 * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
5530 * profiler/Profile.h:
5531 * runtime/ConsoleClient.h:
5532
55332014-04-18 Commit Queue <commit-queue@webkit.org>
5534
5535 Unreviewed, rolling out r167527.
5536 https://bugs.webkit.org/show_bug.cgi?id=131883
5537
5538 Broke 32-bit build (Requested by ap on #webkit).
5539
5540 Reverted changeset:
5541
5542 "[Mac] implement WebKitDataCue"
5543 https://bugs.webkit.org/show_bug.cgi?id=131799
5544 http://trac.webkit.org/changeset/167527
5545
55462014-04-18 Eric Carlson <eric.carlson@apple.com>
5547
5548 [Mac] implement WebKitDataCue
5549 https://bugs.webkit.org/show_bug.cgi?id=131799
5550
5551 Reviewed by Dean Jackson.
5552
5553 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5554
55552014-04-18 Filip Pizlo <fpizlo@apple.com>
5556
5557 Actually address Mark's review feedback.
5558
5559 * dfg/DFGOSRExitCompilerCommon.cpp:
5560 (JSC::DFG::handleExitCounts):
5561
55622014-04-18 Filip Pizlo <fpizlo@apple.com>
5563
5564 Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
5565 https://bugs.webkit.org/show_bug.cgi?id=131850
5566
5567 Reviewed by Mark Hahnenberg.
5568
5569 Templatize ExecutionCounter to allow for two different styles of calculating the
5570 checkpoint threshold.
5571
5572 Appears to be a slight speed-up on DYEBench.
5573
5574 * bytecode/CodeBlock.h:
5575 (JSC::CodeBlock::llintExecuteCounter):
5576 (JSC::CodeBlock::offsetOfJITExecuteCounter):
5577 (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
5578 (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
5579 (JSC::CodeBlock::jitExecuteCounter):
5580 * bytecode/ExecutionCounter.cpp:
5581 (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
5582 (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
5583 (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
5584 (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
5585 (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
5586 (JSC::applyMemoryUsageHeuristics):
5587 (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
5588 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
5589 (JSC::ExecutionCounter<countingVariant>::setThreshold):
5590 (JSC::ExecutionCounter<countingVariant>::reset):
5591 (JSC::ExecutionCounter<countingVariant>::dump):
5592 (JSC::ExecutionCounter::ExecutionCounter): Deleted.
5593 (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
5594 (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
5595 (JSC::ExecutionCounter::setNewThreshold): Deleted.
5596 (JSC::ExecutionCounter::deferIndefinitely): Deleted.
5597 (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
5598 (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
5599 (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
5600 (JSC::ExecutionCounter::setThreshold): Deleted.
5601 (JSC::ExecutionCounter::reset): Deleted.
5602 (JSC::ExecutionCounter::dump): Deleted.
5603 * bytecode/ExecutionCounter.h:
5604 (JSC::formattedTotalExecutionCount):
5605 (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
5606 (JSC::ExecutionCounter::clippedThreshold):
5607 (JSC::ExecutionCounter::formattedTotalCount): Deleted.
5608 * dfg/DFGJITCode.h:
5609 * dfg/DFGOSRExitCompilerCommon.cpp:
5610 (JSC::DFG::handleExitCounts):
5611 * llint/LowLevelInterpreter.asm:
5612 * runtime/Options.h:
5613
56142014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
5615
5616 Deleting properties poisons objects
5617 https://bugs.webkit.org/show_bug.cgi?id=131551
5618
5619 Reviewed by Geoffrey Garen.
5620
5621 This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
5622
5623 * runtime/Structure.cpp:
5624 (JSC::Structure::Structure):
5625 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
5626 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
5627 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
5628 delete transitions, but we allow transitioning from them.
5629 (JSC::Structure::changePrototypeTransition):
5630 (JSC::Structure::despecifyFunctionTransition):
5631 (JSC::Structure::attributeChangeTransition):
5632 (JSC::Structure::toDictionaryTransition):
5633 (JSC::Structure::preventExtensionsTransition):
5634 (JSC::Structure::addPropertyWithoutTransition):
5635 (JSC::Structure::removePropertyWithoutTransition):
5636 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
5637 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
5638 * runtime/Structure.h:
5639 * runtime/StructureInlines.h:
5640 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
5641
56422014-04-17 Filip Pizlo <fpizlo@apple.com>
5643
5644 InlineCallFrameSet should be refcounted
5645 https://bugs.webkit.org/show_bug.cgi?id=131829
5646
5647 Reviewed by Geoffrey Garen.
5648
5649 And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
5650 became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
5651 Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
5652 the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
5653
5654 So, just make the darn thing refcounted.
5655
5656 * bytecode/InlineCallFrameSet.h:
5657 * dfg/DFGArgumentsSimplificationPhase.cpp:
5658 (JSC::DFG::ArgumentsSimplificationPhase::run):
5659 * dfg/DFGByteCodeParser.cpp:
5660 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
5661 * dfg/DFGCommonData.h:
5662 * dfg/DFGGraph.cpp:
5663 (JSC::DFG::Graph::Graph):
5664 (JSC::DFG::Graph::requiredRegisterCountForExit):
5665 * dfg/DFGGraph.h:
5666 * dfg/DFGJITCompiler.cpp:
5667 (JSC::DFG::JITCompiler::link):
5668 * dfg/DFGPlan.cpp:
5669 (JSC::DFG::Plan::Plan):
5670 * dfg/DFGPlan.h:
5671 * dfg/DFGStackLayoutPhase.cpp:
5672 (JSC::DFG::StackLayoutPhase::run):
5673 * ftl/FTLFail.cpp:
5674 (JSC::FTL::fail):
5675 * ftl/FTLLink.cpp:
5676 (JSC::FTL::link):
5677
56782014-04-17 Filip Pizlo <fpizlo@apple.com>
5679
5680 FTL::fail() should manage memory "correctly"
5681 https://bugs.webkit.org/show_bug.cgi?id=131823
5682 <rdar://problem/16384297>
5683
5684 Reviewed by Oliver Hunt.
5685
5686 * ftl/FTLFail.cpp:
5687 (JSC::FTL::fail):
5688
56892014-04-17 Filip Pizlo <fpizlo@apple.com>
5690
5691 Prediction propagator should correctly model Int52s flowing through arguments
5692 https://bugs.webkit.org/show_bug.cgi?id=131822
5693 <rdar://problem/16641408>
5694
5695 Reviewed by Oliver Hunt.
5696
5697 * dfg/DFGPredictionPropagationPhase.cpp:
5698 (JSC::DFG::PredictionPropagationPhase::propagate):
5699 * tests/stress/int52-argument.js: Added.
5700 (foo):
5701 * tests/stress/int52-variable.js: Added.
5702 (foo):
5703
57042014-04-17 Filip Pizlo <fpizlo@apple.com>
5705
5706 REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
5707 https://bugs.webkit.org/show_bug.cgi?id=131798
5708
5709 Reviewed by Alexey Proskuryakov.
5710
5711 Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
5712 of this assertion can return. For now, it's not clear that the assertion is guarding
5713 any truly undesirable behavior - so it should just go away and be replaced with a
5714 FIXME.
5715
5716 * bytecode/GetByIdStatus.cpp:
5717 (JSC::GetByIdStatus::computeForStubInfo):
5718 * runtime/Structure.h:
5719 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
5720
57212014-04-17 David Kilzer <ddkilzer@apple.com>
5722
5723 Blind attempt to fix Windows build after r166837
5724 <http://webkit.org/b/131246>
5725
5726 Hoping to fix this build error:
5727
5728 warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
5729
5730 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
5731 boo-boo by changing the GCLogging.cpp ClCompile entry to a
5732 GCLogging.h ClInclude entry.
5733
57342014-04-16 Filip Pizlo <fpizlo@apple.com>
5735
5736 AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
5737 https://bugs.webkit.org/show_bug.cgi?id=131764
5738
5739 Reviewed by Geoffrey Garen.
5740
5741 The attached test case can be made to not crash by deleting old code. It used to be
5742 the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
5743 long ago. At this point, these guards just make life difficult. So get rid of them.
5744
5745 * dfg/DFGAbstractInterpreterInlines.h:
5746 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5747 * dfg/DFGSpeculativeJIT32_64.cpp:
5748 (JSC::DFG::SpeculativeJIT::compile):
5749 * dfg/DFGSpeculativeJIT64.cpp:
5750 (JSC::DFG::SpeculativeJIT::compile):
5751 * tests/stress/bug-131764.js: Added.
5752 (test1):
5753 (test2):
5754
57552014-04-17 Darin Adler <darin@apple.com>
5756
5757 Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
5758 https://bugs.webkit.org/show_bug.cgi?id=131785
5759 rdar://problem/16003108
5760
5761 Reviewed by Brady Eidson.
5762
5763 * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
5764
57652014-04-16 Alexey Proskuryakov <ap@apple.com>
5766
5767 Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
5768
5769 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
5770
57712014-04-16 Filip Pizlo <fpizlo@apple.com>
5772
5773 Extra error reporting for invalid value conversions
5774 https://bugs.webkit.org/show_bug.cgi?id=131786
5775
5776 Rubber stamped by Ryosuke Niwa.
5777
5778 * dfg/DFGFixupPhase.cpp:
5779 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
5780
2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Sink NaN sanitization to uses and remove it when it's unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=131419

        Reviewed by Oliver Hunt.

        This moves NaN purification to stores that could see an impure NaN.

        5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
        though, because of the other bug that causes that benchmark to box doubles in a loop.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isDoubleSpeculation):
        (JSC::isDoubleSpeculationForArithmetic):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * runtime/PureNaN.h:
        * tests/stress/float32-array-nan-inlined.js: Added.
        (foo):
        (test):
        * tests/stress/float32-array-nan.js: Added.
        (foo):
        (test):
        * tests/stress/float64-array-nan-inlined.js: Added.
        (foo):
        (isBigEndian):
        (test):
        * tests/stress/float64-array-nan.js: Added.
        (foo):
        (isBigEndian):
        (test):

2014-04-16  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
        to 32-bit builds, and revise the comment to explain what we are
        doing.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Provide motivation for the new
        'isinf' check for our 32-bit code path.

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Allocate the data section on the heap again for FTL on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130156

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:

2014-04-16  Mark Lam  <mark.lam@apple.com>

        Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
        <https://webkit.org/b/131747>

        Reviewed by Filip Pizlo.

        When the debugger is about to activate (e.g. enter stepping mode), it first
        waits for all DFG compilations to complete. However, when the DFG completes,
        if compilation is successful, it will install a new DFG codeBlock. The
        CodeBlock installation process is required to register codeBlocks with the
        debugger. Debugger::registerCodeBlock() will eventually call
        CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
        trying to install. Thereafter, chaos ensues.

        This jettisoning only happens because the debugger currently sets its
        m_steppingMode flag before waiting for compilation to complete. The fix is
        simply to set that flag only after compilation is complete.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::registerCodeBlock):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
        https://bugs.webkit.org/show_bug.cgi?id=131420

        Reviewed by Oliver Hunt.

        Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
        replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
        goes through the purifyNaN() API.

        SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.

        Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
        have to be too cautious since most prediction-based logic only cares about whether or not
        a value could be an integer.

        AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
        anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
        soundly and precisely.

        No performance change because this just unblocks
        https://bugs.webkit.org/show_bug.cgi?id=131419.

        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromValue):
        (JSC::typeOfDoubleSum):
        (JSC::typeOfDoubleDifference):
        (JSC::typeOfDoubleProduct):
        (JSC::polluteDouble):
        (JSC::typeOfDoubleQuotient):
        (JSC::typeOfDoubleMinMax):
        (JSC::typeOfDoubleNegation):
        (JSC::typeOfDoubleAbs):
        (JSC::typeOfDoubleFRound):
        (JSC::typeOfDoubleBinaryOp):
        (JSC::typeOfDoubleUnaryOp):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNode.h:
        (JSC::DFG::BranchTarget::BranchTarget):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::jsNaN):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::getPrimitiveNumber):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::toDouble):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        * runtime/PureNaN.h: Added.
        (JSC::pureNaN):
        (JSC::isImpureNaN):
        (JSC::purifyNaN):
        * runtime/TypedArrayAdaptors.h:
        (JSC::FloatTypedArrayAdaptor::toJSValue):
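
        Added example, not WebKit code: a small C model of why an "impure" NaN is
        dangerous under 64-bit NaN-boxing and what purifyNaN() buys. The tag layout
        (top 16 bits 0xffff for Int32, doubles stored as their IEEE bits plus 2^48,
        cells with zero top bits) and the 0xfffe000000000000 threshold are my reading
        of JSCJSValue.h and PureNaN.h from this era; treat those constants as
        assumptions. The Float64Array bytes are constructed for the example, and the
        function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 64-bit JSValue layout (a model of JSC's encoding, not JSC's code):
 *   top 16 bits 0xffff -> Int32 in the low 32 bits
 *   top 16 bits 0x0000 -> cell pointer (or a special value in the low bits)
 *   anything else      -> a double, stored as (its IEEE bits + 2^48)        */
#define DOUBLE_ENCODE_OFFSET 0x0001000000000000ULL
#define NUMBER_TAG           0xffff000000000000ULL
#define PURE_NAN_BITS        0x7ff8000000000000ULL   /* the one NaN we ever box */

typedef uint64_t JSValueBits;
typedef enum { KIND_CELL, KIND_INT32, KIND_DOUBLE } ValueKind;

static uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* A NaN whose bits are >= 0xfffe... would, after the +2^48 shift, land in the
 * Int32 tag space (0xffff...) or wrap around into the cell space (0x0000...). */
bool is_impure_nan(double d) { return double_to_bits(d) >= 0xfffe000000000000ULL; }

/* Canonicalize every NaN to PURE_NAN_BITS; leave all other doubles untouched. */
double purify_nan(double d) { return d != d ? bits_to_double(PURE_NAN_BITS) : d; }

/* What a store looks like if the NaN check is skipped: raw bits plus the offset. */
JSValueBits box_double_unchecked(double d) { return double_to_bits(d) + DOUBLE_ENCODE_OFFSET; }

/* The safe path: purify first, then tag. */
JSValueBits box_double(double d) { return box_double_unchecked(purify_nan(d)); }

ValueKind classify(JSValueBits v)
{
    if ((v & NUMBER_TAG) == NUMBER_TAG) return KIND_INT32;
    if (v & NUMBER_TAG)                 return KIND_DOUBLE;
    return KIND_CELL;
}

int32_t int32_payload(JSValueBits v) { return (int32_t)(uint32_t)v; }

/* Element `index` of a little-endian Float64Array-style backing store. */
double read_f64_le(const uint8_t *buf, size_t index)
{
    uint64_t b = 0;
    for (int i = 7; i >= 0; i--)
        b = (b << 8) | buf[index * 8 + i];
    return bits_to_double(b);
}

/* Constructed attacker-chosen bytes, as a script could write them through a
 * Uint8Array view aliasing a Float64Array:
 *   [0] = 0xffff000041414141 : NaN with payload; +2^48 wraps to 0x41414141 (a "pointer")
 *   [1] = 0xfffe00000000002a : NaN with payload; +2^48 gives 0xffff00000000002a (Int32 42) */
const uint8_t kEvilBytes[16] = {
    0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0xff, 0xff,
    0x2a, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xff,
};

int main(void)
{
    for (size_t i = 0; i < 2; i++) {
        double d = read_f64_le(kEvilBytes, i);
        JSValueBits naive = box_double_unchecked(d);
        JSValueBits safe = box_double(d);
        printf("element %zu: impure=%d naive=0x%016llx kind=%d purified=0x%016llx kind=%d\n",
               i, (int)is_impure_nan(d), (unsigned long long)naive, (int)classify(naive),
               (unsigned long long)safe, (int)classify(safe));
    }
    return 0;
}
```

        The point of the model: a NaN produced by arithmetic (0x7ff8... or, on x86,
        0xfff8...) is below the threshold and boxes safely, so only payload-carrying
        NaNs that came from memory need the purify step, which is why the entry
        touches the typed-array read paths and the JSValue constructor.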

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Enable system library calls in FTL for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130154

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):

2014-04-16  peavo@outlook.com  <peavo@outlook.com>

        Fix JSC Debug Regressions on Windows
        https://bugs.webkit.org/show_bug.cgi?id=131182

        Reviewed by Brent Fulgham.

        The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
        and set the st floating point register tags, if the value of the number parameter is infinite.
        If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
        This can be avoided by checking for infinity first.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions): Re-enable jit for Windows.
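
        Added example, not WebKit code: a C version of the check the entry describes.
        Converting a double that int64_t cannot represent (infinity included) is
        undefined behaviour in C and C++; on x87 the conversion also raises the
        invalid flag and produces the 0x8000000000000000 "integer indefinite"
        pattern, which matches the stale-status-flag symptom reported above. The
        function below rejects NaN, infinity and anything outside the Int52 range
        (assumed here to be [-2^51, 2^51), which is how I read JSC's isMachineInt())
        using only double comparisons, so the cast runs only on a representable
        value. The infinity test is written against DBL_MAX rather than isinf() so
        the example needs no libm; the names are mine.

```c
#include <float.h>
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 2^51 as a double: assumed exclusive upper bound of JSC's Int52 "machine int" range. */
#define INT52_LIMIT 2251799813685248.0

static bool is_negative_zero(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits == 0x8000000000000000ULL;
}

/* Returns true and stores the integer if d is an integral double inside
 * [-2^51, 2^51) and is not -0.0. Every rejection is decided by double
 * comparisons, which are well defined for NaN and infinity, so the cast
 * below only ever runs on a value int64_t can represent. */
bool is_machine_int(double d, int64_t *out)
{
    if (d != d)
        return false;                    /* NaN */
    if (d > DBL_MAX || d < -DBL_MAX)
        return false;                    /* +/-infinity: the case behind the x87 flag bug */
    if (d < -INT52_LIMIT || d >= INT52_LIMIT)
        return false;                    /* outside Int52; also keeps the cast defined */
    int64_t i = (int64_t)d;              /* representable by construction */
    if ((double)i != d)
        return false;                    /* fractional */
    if (i == 0 && is_negative_zero(d))
        return false;                    /* -0.0 must stay a double */
    *out = i;
    return true;
}

/* Convenience wrapper: the integer, or `fallback` when d is not a machine int. */
int64_t machine_int_or(double d, int64_t fallback)
{
    int64_t v;
    return is_machine_int(d, &v) ? v : fallback;
}

int main(void)
{
    const double samples[] = { 42.0, -0.0, 1.5, INFINITY, -INFINITY, NAN, 1e300,
                               INT52_LIMIT - 1.0, INT52_LIMIT, -INT52_LIMIT };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t v = 0;
        if (is_machine_int(samples[i], &v))
            printf("%.17g -> machine int %lld\n", samples[i], (long long)v);
        else
            printf("%.17g -> rejected\n", samples[i]);
    }
    return 0;
}
```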

2014-04-16  Oliver Hunt  <oliver@apple.com>

        Simple ES6 feature: Array.prototype.fill
        https://bugs.webkit.org/show_bug.cgi?id=131703

        Reviewed by David Hyatt.

        Add support for Array.prototype.fill

        * builtins/Array.prototype.js:
        (fill):
        * runtime/ArrayPrototype.cpp:

2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=131728

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
        path we expect to never take. Also shut up confused compilers about uninitialized things.

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix after r167336.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchAdd32):

2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, ARM64 build fix after r167336.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        compileMakeRope does not emit necessary bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=130684
        <rdar://problem/16398388>

        Reviewed by Oliver Hunt.

        Add string length bounds checks in a bunch of places. We should never allow a string
        to have a length greater than 2^31-1 because it's not clear that the language has
        semantics for it and because there is code that assumes that this cannot happen.

        Also add a bunch of tests to that effect to cover the various ways in which this was
        previously allowed to happen.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSRopeString::RopeBuilder::append):
        (JSC::JSRopeString::RopeBuilder::release):
        (JSC::JSRopeString::append):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        * tests/stress/make-large-string-jit-strcat.js: Added.
        (foo):
        * tests/stress/make-large-string-jit.js: Added.
        (foo):
        * tests/stress/make-large-string-strcat.js: Added.
        * tests/stress/make-large-string.js: Added.
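
        Added example, not WebKit code: a C sketch of the length check this entry
        adds. The RopeBuilder here is a three-fiber model of my own (JSC's has its
        own layout and collapses fibers instead of refusing); what the example shows
        is the bound being checked as a subtraction before any length is added, so
        the check itself can never overflow, and a rejected append leaving the
        builder in a failed state rather than producing an oversized string. Lengths
        and names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_STRING_LENGTH 0x7fffffffU   /* 2^31 - 1, the limit named in the entry */
#define MAX_FIBERS 3

typedef struct { uint32_t length; } JSStringModel;   /* only the length matters here */

typedef struct {
    const JSStringModel *fibers[MAX_FIBERS];
    size_t fiber_count;
    uint32_t length;   /* invariant: never exceeds MAX_STRING_LENGTH */
    bool failed;       /* set once an append was rejected; release() then reports failure */
} RopeBuilder;

void rope_builder_init(RopeBuilder *b) { b->fiber_count = 0; b->length = 0; b->failed = false; }

/* Appends one fiber. The bound is checked as a subtraction, which cannot wrap
 * because both operands are already <= MAX_STRING_LENGTH; the addition at the
 * end only runs once the result is known to fit. Writing the check as
 * `length + s->length > MAX` with signed 32-bit lengths would overflow before
 * the comparison, which is the bug class this check exists to prevent. */
bool rope_builder_append(RopeBuilder *b, const JSStringModel *s)
{
    if (b->failed)
        return false;
    if (s->length > MAX_STRING_LENGTH || s->length > MAX_STRING_LENGTH - b->length) {
        b->failed = true;                     /* JSC throws an out-of-memory error here */
        return false;
    }
    if (b->fiber_count == MAX_FIBERS) {
        /* A real builder collapses the fibers and continues; the length
         * accounting would be identical, so the model just refuses. */
        b->failed = true;
        return false;
    }
    b->fibers[b->fiber_count++] = s;
    b->length += s->length;
    return true;
}

/* Final length, or -1 if any append was rejected. */
int64_t rope_builder_release(const RopeBuilder *b) { return b->failed ? -1 : (int64_t)b->length; }

/* Length of a + b, the shape of the two-string jsString() overload in Operations.h;
 * -1 when the concatenation would exceed MAX_STRING_LENGTH. */
int64_t concat2_length(uint32_t a, uint32_t b)
{
    JSStringModel sa = { a }, sb = { b };
    RopeBuilder rb;
    rope_builder_init(&rb);
    rope_builder_append(&rb, &sa);
    rope_builder_append(&rb, &sb);
    return rope_builder_release(&rb);
}

/* Same for a + b + c, the three-string overload. */
int64_t concat3_length(uint32_t a, uint32_t b, uint32_t c)
{
    JSStringModel sa = { a }, sb = { b }, sc = { c };
    RopeBuilder rb;
    rope_builder_init(&rb);
    rope_builder_append(&rb, &sa);
    rope_builder_append(&rb, &sb);
    rope_builder_append(&rb, &sc);
    return rope_builder_release(&rb);
}

int main(void)
{
    printf("100 + 100        -> %lld\n", (long long)concat2_length(100, 100));
    printf("(2^31-1) + 1     -> %lld\n", (long long)concat2_length(MAX_STRING_LENGTH, 1));
    printf("3 x 715827882    -> %lld\n", (long long)concat3_length(715827882, 715827882, 715827882));
    printf("3 x 715827883    -> %lld\n", (long long)concat3_length(715827883, 715827883, 715827883));
    return 0;
}
```

        The last two calls sit one unit either side of the limit (3 x 715827882 is
        2^31 - 2, 3 x 715827883 is 2^31 + 1), which is the boundary the new
        make-large-string tests probe.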

2014-04-15  Julien Brianceau  <jbriance@cisco.com>

        Remove invalid sh4 specific code in JITInlines header.
        https://bugs.webkit.org/show_bug.cgi?id=131692

        Reviewed by Geoffrey Garen.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
        anymore since r160244, so the sh4 specific code is invalid now
        and has to be removed.

2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix precedence issue in JSCell::setRemembered

        Rubber stamped by Filip Pizlo.

        * runtime/JSCell.h:
        (JSC::JSCell::setRemembered):

2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API external object graphs don't handle generational collection properly
        https://bugs.webkit.org/show_bug.cgi?id=131634

        Reviewed by Geoffrey Garen.

        If the set of Objective-C objects transitively reachable through an object changes, we
        need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
        won't rescan the external object graph, which would lead us to consider a newly allocated
        JSManagedValue to be dead.

        * API/JSBase.cpp:
        (JSSynchronousEdenCollectForDebugging):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (-[JSVirtualMachine isOldExternalObject:]):
        (-[JSVirtualMachine addExternalRememberedObject:]):
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        (-[JSVirtualMachine externalRememberedSet]):
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::slotVisitor):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRootTriState):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
        https://bugs.webkit.org/show_bug.cgi?id=131423

        Reviewed by Geoffrey Garen.

        This introduces more static typing into DFG IR. Previously we just had the notion of
        JSValues and Storage. This was weird because doubles weren't always convertible to
        JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
        sort of insert explicit conversion nodes just for the places where we knew that an
        implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
        we'd get bugs from forgetting to do the right conversion.

        This patch introduces a hard and fast rule: doubles can never be implicitly converted to
        anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
        nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
        conversions. They are like Identity but return the same value using a different
        representation. Likewise, constants may now be represented using either JSConstant,
        Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
        Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
        Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
        we speculate DoubleReal and expect Double representation.

        In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
        this also makes it easier to introduce optimizations in the future. It's now possible for
        AI to model when/how conversions take place. For example if doing a conversion results in
        NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
        what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.

        This was a big change, so I had to do some interesting things, like finally get rid of
        the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
        the ByteCodeParser no longer emits Identity nodes since that was always pointless.

        No performance change because this mostly just rationalizes preexisting behavior.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
        (JSC::DFG::AbstractInterpreter::setConstant):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        (JSC::DFG::BasicBlock::appendNode):
        (JSC::DFG::BasicBlock::appendNonTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::willNotHaveCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
        (JSC::DFG::FixupPhase::fixEdgeRepresentation):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertNode):
        (JSC::DFG::InsertionSet::insertConstant):
        (JSC::DFG::InsertionSet::insertConstantForUse):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentity):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::setResult):
        (JSC::DFG::Node::result):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasInt52Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasDoubleResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::hasStorageResult):
        (JSC::DFG::Node::defaultUseKind):
        (JSC::DFG::Node::defaultEdge):
        (JSC::DFG::Node::convertToIdentity): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::canonicalResultRepresentation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGResurrectionForValidationPhase.cpp:
        (JSC::DFG::ResurrectionForValidationPhase::run):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::S
afeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
        (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
        (JSC::DFG::JSValueRegsTemporary::regs):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::boxDouble):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::mayHaveTypeCheck):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        (JSC::DFG::isCell):
        (JSC::DFG::usesStructure):
        (JSC::DFG::useKindForResult):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGVariadicFunction.h: Removed.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
        (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::lowInt52):
        (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
        (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::sanitizeDouble):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxDouble):

2014-04-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167199 and r167251.
        https://bugs.webkit.org/show_bug.cgi?id=131678

        Caused a DYEBench regression and does not seem to improve perf
        on relevant websites (Requested by rniwa on #webkit).

        Reverted changesets:

        "Rewrite Function.bind as a builtin"
        https://bugs.webkit.org/show_bug.cgi?id=131083
        http://trac.webkit.org/changeset/167199

        "Update test result"
        http://trac.webkit.org/changeset/167251

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167272.
        https://bugs.webkit.org/show_bug.cgi?id=131666

        Broke multiple tests (Requested by ap on #webkit).

        Reverted changeset:

        "Function.bind itself is too slow"
        https://bugs.webkit.org/show_bug.cgi?id=131636
        http://trac.webkit.org/changeset/167272

2014-04-14  Geoffrey Garen  <ggaren@apple.com>

        ASSERT when firing low memory warning
        https://bugs.webkit.org/show_bug.cgi?id=131659

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
        called when no GC is happening because that is what we do when a low
        memory warning fires, and it is harmless.

2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        emit_op_put_by_id should not emit a write barrier that filters on value
        https://bugs.webkit.org/show_bug.cgi?id=131654

        Reviewed by Filip Pizlo.

        The 32-bit implementation does this, and it can cause crashes if we later repatch the
        code to allocate and store new Butterflies.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
        32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
        load down into the if statement so that we don't do it if we're not filtering on the value.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id):

2014-04-14  Oliver Hunt  <oliver@apple.com>

        Function.bind itself is too slow
        https://bugs.webkit.org/show_bug.cgi?id=131636

        Reviewed by Geoffrey Garen.

        Rather than forcing creation of an activation, we now store
        bound function properties directly on the returned closure.
        This is necessary to deal with code that creates many function
        bindings, but does not call them very often.

        This is a 60% speed up in the included js/regress test.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.1.bindingFunction):
        (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.2.bindingFunction):
        (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.3.bindingFunction):
        (bind.else.switch.bindingFunction):
        (bind):
        (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
        (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
        (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
        * runtime/CommonIdentifiers.h:

2014-04-14  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Allow use of SubImmediates in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=131608

        Reviewed by Mark Lam.

        Allow use of SubImmediates with const pool so the sh4 architecture can
        share the arm path for setEntryAddress macro. It reduces architecture
        specific code and leads to more optimal generated code for sh4.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/sh4.rb:

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Oliver & Darin.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167249.
        https://bugs.webkit.org/show_bug.cgi?id=131621

        broke 3 tests on cloop (Requested by kling on #webkit).

        Reverted changeset:

        "Array.prototype.concat should allocate output storage only
        once."
        https://bugs.webkit.org/show_bug.cgi?id=131609
        http://trac.webkit.org/changeset/167249

2014-04-14  Alex Christensen  <achristensen@webkit.org>

        Fixed potential integer truncation.
        https://bugs.webkit.org/show_bug.cgi?id=131615

        Reviewed by Darin Adler.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Truncate the size_t to an unsigned after it is limited to 15 instead of before.

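The ordering point in the entry above, as an added illustration that is not JSC's fillNops: the function names and the emitter loop are stand-ins, and only the 15-byte limit on a single multi-byte NOP is taken from the entry. The two chunk functions differ solely in whether the size_t request is narrowed to unsigned before or after that limit is applied.

```cpp
#include <cstddef>
#include <cstdint>

// Added illustration, not JSC code. `kMaxNopLength` stands in for the
// 15-byte limit on a single multi-byte NOP; the two functions differ only in
// whether the size_t request is narrowed to unsigned before or after that
// limit is applied.
constexpr unsigned kMaxNopLength = 15;

// Buggy order: narrow first, then clamp. On an LP64 target the high 32 bits
// of `size` are silently discarded, so a request of 0x100000003 bytes looks
// like 3 bytes, and 0x100000000 looks like 0.
unsigned truncateThenClamp(size_t size)
{
    unsigned narrowed = static_cast<unsigned>(size);
    return narrowed < kMaxNopLength ? narrowed : kMaxNopLength;
}

// Fixed order: clamp while the value is still a size_t, then narrow. The
// narrowing is now lossless because the value is at most 15.
unsigned clampThenTruncate(size_t size)
{
    size_t clamped = size < kMaxNopLength ? size : kMaxNopLength;
    return static_cast<unsigned>(clamped);
}

// Models the emitter loop: keep choosing a chunk length until the request is
// satisfied, counting the NOP instructions produced. A zero-length chunk means
// the loop would never make progress, which is reported as SIZE_MAX instead of
// spinning forever.
size_t countNopChunks(size_t size, unsigned (*chunkLength)(size_t))
{
    size_t count = 0;
    while (size) {
        unsigned n = chunkLength(size);
        if (!n)
            return SIZE_MAX;
        size -= n;
        ++count;
    }
    return count;
}
```

For small requests both orders agree (34 bytes becomes 15 + 15 + 4, three chunks either way). On a 64-bit build a request of `(size_t)UINT32_MAX + 4` shows the difference: `truncateThenClamp` emits a 3-byte chunk, is then asked for 0x100000000 bytes, narrows that to 0, and the loop stops making progress, while `clampThenTruncate` keeps emitting 15-byte chunks.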
2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Darin Adler.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the call site of string comparison in some hot path
        https://bugs.webkit.org/show_bug.cgi?id=131605

        Reviewed by Darin Adler.

        When resolved, the String of a JSString is never null. It can be empty but not null.
        The null value is reserved for ropes but those would be resolved when getting the value.

        Consequently, we should use the equal() operation that does not handle null values.
        Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.

        * jit/JITOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::pureStrictEqual):

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery. While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        Math.fround() should be an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=131583

        Reviewed by Geoffrey Garen.

        Makes programs that use Math.fround() run up to 6x faster.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        FTL should use stackmap register liveness
        https://bugs.webkit.org/show_bug.cgi?id=130791

        Reviewed by Geoffrey Garen.

        Enable the stackmap register liveness support by fixing the two last bugs:

        - If everything is dead after the patchpoint - a good possibility for a put_by_id -
          then we shouldn't crash due to a null scratch buffer.

        - Always consider callee-saves as if they were live. More precisely, we should
          consider those callee-saves that are not saved by the enclosing function to be live.
          For now we do the much simpler thing and consider callee-saves to be always live
          since it has minimal impact on the scratch register allocator. It will know not to
          preserve those for calls, anyway.

        I tried writing a test for the null scratch buffer thing, but failed. I will land the
        test anyway since it seems useful.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/Options.h:
        * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
        (foo):

2014-04-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
        https://bugs.webkit.org/show_bug.cgi?id=131424

        Reviewed by Geoffrey Garen.

        This defers type conversion injection until we've decided on types. This makes the
        process of deciding types a bit more flexible - for example we can naturally fixpoint
        and change our minds. Only when things are settled do we actually insert conversions.

        This is a necessary prerequisite for keeping double, int52, and JSValue data flow
        separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
        that there are typed uses. If we were eagerly inserting type conversions then we would
        first insert a to/from-JSValue conversion in some cases only to then replace it by
        the other conversions. It's probably trivial to remove those redundant conversions later
        but I think it's better if we don't insert them to begin with.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.

2014-04-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: code generator should consider enclosing class when computing duplicate type names
        https://bugs.webkit.org/show_bug.cgi?id=131554

        Reviewed by Timothy Hatcher.

        We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
        can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
        by the enclosing class and enum name.

        Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.type_name): Prepend the enclosing class name.
        (Type.type_name.is):
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.

2014-04-11  Gavin Barraclough  <baraclough@apple.com>

        Rollout - Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Unreviewed.

        Rolling out r167020 while investigating a performance regression.

        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (apply):
        (bind.bindingFunction): Deleted.
        (bind.else.bindingFunction): Deleted.
        (bind): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::destroy):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectPrototypeProperty): Deleted.
        (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorConstructor.cpp:
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/SetIteratorConstructor.cpp:
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::finishCreation):

2014-04-11  David Kilzer  <ddkilzer@apple.com>

        [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
        <http://webkit.org/b/131556>
        <rdar://problem/16591856>

        Reviewed by Brent Fulgham.

        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
        OTHER_LDFLAGS so the ASan build does not try to link to
        libclang_rt.asan_osx_dynamic.dylib.

2014-04-11  Mark Lam  <mark.lam@apple.com>

        JSMainThreadExecState::call() should clear exceptions before returning.
        <https://webkit.org/b/131530>

        Reviewed by Geoffrey Garen.

        Added a version of JSC::call() that returns any uncaught exception instead
        of leaving it pending in the VM.

        As part of this change, I updated various parts of the code base to use the
        new API as needed.

        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
          The injected scripts will include Inspector scripts that should catch
          and handle any exceptions that were thrown. We should not be seeing any
          exceptions returned from this call. However, we do have checks for
          exceptions in case there are bugs in the Inspector scripts which allowed
          the exception to leak through. Hence, it is proper to clear the exception
          here, and only record the fact that an exception was seen (if present).

        * bindings/ScriptFunctionCall.h:
        * inspector/InspectorEnvironment.h:
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CallData.h:

2014-04-11  Oliver Hunt  <oliver@apple.com>

        Add BuiltinLog function to make debugging builtins easier
        https://bugs.webkit.org/show_bug.cgi?id=131550

        Reviewed by Andreas Kling.

        Add a logging function that builtins can use for debugging.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinLog):
        * runtime/JSGlobalObjectFunctions.h:

2014-04-11  Julien Brianceau  <jbriance@cisco.com>

        Fix LLInt for sh4 architecture (broken since C stack merge).
        https://bugs.webkit.org/show_bug.cgi?id=131532

        Reviewed by Mark Lam.

        This patch fixes the build and also implements sh4 parts for initPCRelative and
        setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb:

2014-04-10  Michael Saboff  <msaboff@apple.com>

        Crash beneath DFG JIT code @ video.disney.com
        https://bugs.webkit.org/show_bug.cgi?id=131447

        Reviewed by Geoffrey Garen.

        The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
        'tag not less than Undefined' check. The first check was incorrectly elided if we
        knew that the value *was* an int32, when it should have been elided if we already
        knew that the value *was not* an int32.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * tests/stress/test-spec-misc.js: Added test.
        (getX):
        (foo):
        (bar):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Make room for additional types in SpeculatedType.h
        https://bugs.webkit.org/show_bug.cgi?id=131422

        Reviewed by Sam Weinig.

        This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.

        * bytecode/SpeculatedType.h:

2014-04-10  Alex Christensen  <achristensen@webkit.org>

        Compile fix for Win64.
        https://bugs.webkit.org/show_bug.cgi?id=131508

        Reviewed by Geoffrey Garen.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Added unsigned template parameter to distinguish between size_t and unsigned long.

2014-04-10  Michael Saboff  <msaboff@apple.com>

        LLInt interpreter code should be generated as part of one function
        https://bugs.webkit.org/show_bug.cgi?id=131205

        Reviewed by Mark Lam.

        Changed the generation of llint opcodes so that they are all part of the same
        global function, llint_entry. That function is used to fill in an entry point
        table that includes each of the opcodes and helpers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added appropriate use of new -I option to offline assembler and offset
        generator scripts.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/cloop.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/self_hash.rb:
        * offlineasm/settings.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        Added a new "global" keyword to the offline assembler that denotes a label that
        should be exported. Added opcode and operand support to get the absolute
        address of a local label using position independent calculations. Updated the
        offline assembler to handle included files, both when generating the checksum
        as well as including files from other than the local directory via a newly
        added -I option. The offline assembler now automatically determines external
        functions by keeping track of referenced functions that are defined within the
        assembly source. This is used both for choosing the correct macro for external
        references as well as generating the needed EXTERN directives for masm.
        Updated the generation of the masm only .sym file to be written once at the end
        of the offline assembler.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITStubs.h:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodeFunctionPtr):
        (JSC::LLInt::getOpcode): Deleted.
        (JSC::LLInt::getCodePtr): Deleted.
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h:
        Changed references to llint helpers to go through the entry point table populated
        by llint_entry. Added helpers to OpcodeID enum for all builds.

        * bytecode/BytecodeList.json:
        * generate-bytecode-files:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        Reordered sections to match the order that the functions are added to the entry point
        table. Added new "asmPrefix" property for symbols that have one name but are generated
        with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
        as we are using enums for all bytecode references. Changed the C Loop only
        llint_c_loop_init to llint_entry.

2014-04-10  Matthew Mirman  <mmirman@apple.com>

        WIP for inlining C++. Added a build target to produce LLVM IR.
        https://bugs.webkit.org/show_bug.cgi?id=130523

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * build-symbol-table-index.py: Added.
        * build-symbol-table-index.sh: Added.
        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
        * copy-llvm-ir-to-derived-sources.sh: Added.

2014-04-10  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
        https://bugs.webkit.org/show_bug.cgi?id=131341

        Reviewed by Timothy Hatcher.

        Add support for encoding/decoding unsigned long with EncodedValue.
        It is a distinct type from uint32_t and uint64_t.

        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<unsigned long>):
        * replay/EncodedValue.h:

2014-04-10  Mark Lam  <mark.lam@apple.com>

        LLINT loadisFromInstruction should handle the big endian case.
        <https://webkit.org/b/131495>

        Reviewed by Mark Hahnenberg.

        The LLINT loadisFromInstruction macro aims to load the least significant
        32-bit word from the 64-bit bytecode instruction stream and sign extend
        it. For big endian machines, the current implementation would load the
        wrong 32-bit word.

        Without this fix, the JSC tests will crash on big endian machines.
        Thanks to Tomas Popela for diagnosing this issue.

        * llint/LowLevelInterpreter.asm:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Temporarily disable the JIT for the Windows port.
        <https://webkit.org/b/131470>

        Reviewed by Brent Fulgham.

        This is a temporary stop gap measure to green the Windows bots until
        we have a fix for https://webkit.org/b/131182.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-04-09  Juergen Ributzka  <juergen@apple.com>

        [FTL] Emit multibyte NOPs on X86-64
        https://bugs.webkit.org/show_bug.cgi?id=131394

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):

2014-04-09  Julien Brianceau  <jbriance@cisco.com>

        Get rid of JITOperationWrappers.h header file.
        https://bugs.webkit.org/show_bug.cgi?id=131450

        Reviewed by Michael Saboff.

        JITOperationWrappers header file contains architecture specific code that is
        not needed anymore, so get rid of it.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * jit/JITOperationWrappers.h: Removed.
        * jit/JITOperations.cpp:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
        <https://webkit.org/b/131449>

        Reviewed by Mark Hahnenberg.

        Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
        that it pads is of type int anyway. It doesn't need to be 64 bit. This
        also makes it work with the LLINT which is loading it with a loadi
        instruction.

        We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
        when loading the argCount.

        The paddedArgCount issue was causing failures when running the JSC tests on a
        64-bit big endian machine. In this case, the paddedArgCount in the
        ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
        as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
        that field, the LLINT got a value of 0 instead of the expected 2. With this
        patch, we now have a matching store and load of a 32-bit value, and endianness
        no longer comes into play.

        As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
        the payload field of the Register. In the definition of EncodedValueDescriptor,
        we already ensure that the payload is in the least significant 32-bits for
        little endian machines, and in the most significant 32-bits for big endian
        machines. This means that there is no endianness bug when loading this value
        using loadi. However, adding the PayLoadOffset clarifies the intent of the
        code to load the payload part of the Register value.

        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::setPaddedArgCount):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

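The two big endian entries above (b/131495, the loadisFromInstruction word selection, and b/131449, the 64-bit paddedArgCount read with a 32-bit load) describe the same mechanism. The following is an added, self-contained model of it and is not LLInt or JSC code: an 8-byte field is written in a chosen byte order and then read with a 32-bit load at the field's address, the way a `loadi` would read it. The `Slot` type, the function names and the explicit byte-order flag are assumptions of this illustration; the sample value 2 is the one the entry reports.

```cpp
#include <array>
#include <cstdint>

// Added illustration, not JSC code. A Slot is an 8-byte field in memory;
// index 0 is the lowest address. `bigEndian` selects the byte order the
// hypothetical machine uses for both its stores and its loads.
using Slot = std::array<uint8_t, 8>;

// Store a 64-bit value into the whole slot (the old size_t paddedArgCount).
Slot storeU64(uint64_t value, bool bigEndian)
{
    Slot slot{};
    for (int i = 0; i < 8; ++i) {
        int shift = bigEndian ? (7 - i) * 8 : i * 8;
        slot[i] = static_cast<uint8_t>(value >> shift);
    }
    return slot;
}

// Store a 32-bit value into the first four bytes (the uint32_t paddedArgCount
// after the fix). The remaining bytes stay zero.
Slot storeU32(uint32_t value, bool bigEndian)
{
    Slot slot{};
    for (int i = 0; i < 4; ++i) {
        int shift = bigEndian ? (3 - i) * 8 : i * 8;
        slot[i] = static_cast<uint8_t>(value >> shift);
    }
    return slot;
}

// Read four bytes starting at `offset` as a 32-bit integer in machine order.
uint32_t loadU32At(const Slot& slot, int offset, bool bigEndian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) {
        int shift = bigEndian ? (3 - i) * 8 : i * 8;
        v |= static_cast<uint32_t>(slot[offset + i]) << shift;
    }
    return v;
}

// What a plain `loadi` on the field's address sees: the four lowest-address
// bytes. For a 64-bit store on big endian that is the HIGH word, so the
// value 2 reads back as 0.
uint32_t loadLowAddressU32(const Slot& slot, bool bigEndian)
{
    return loadU32At(slot, 0, bigEndian);
}

// Where the least significant 32-bit word of an 8-byte field lives: offset 0
// on little endian, offset 4 on big endian. This is the adjustment the
// loadisFromInstruction fix has to make before sign extending.
constexpr int lowWordOffset(bool bigEndian) { return bigEndian ? 4 : 0; }

// Load the least significant word and sign extend it to 64 bits (loadis).
int64_t loadIs(const Slot& slot, bool bigEndian)
{
    uint32_t word = loadU32At(slot, lowWordOffset(bigEndian), bigEndian);
    return static_cast<int64_t>(static_cast<int32_t>(word));
}
```

With `storeU64(2, …)`, `loadLowAddressU32` returns 2 on little endian and 0 on big endian, which is the mismatch the entry reports. Either fix removes the dependence on byte order: `storeU32(2, …)` followed by `loadLowAddressU32` gives 2 on both (matching 32-bit store and load), and `loadIs` over the original 64-bit store gives 2 on both (selecting the right word before sign extending).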
73032014-04-08 Oliver Hunt <oliver@apple.com>
7304
7305 Rewrite Function.bind as a builtin
7306 https://bugs.webkit.org/show_bug.cgi?id=131083
7307
7308 Reviewed by Geoffrey Garen.
7309
7310 This change removes the existing function.bind implementation
7311 entirely so JSBoundFunction is no more.
7312
7313 Instead we just return a regular JS closure with a few
7314 private properties hanging off it that allow us to perform
7315 the necessary bound function fakery. While most of this is
7316 simple, a couple of key changes:
7317
7318 - The parser and lexer now directly track whether they're
7319 parsing code for call or construct and convert the private
7320 name @IsConstructor into TRUETOK or FALSETOK as appropriate.
7321 This automatically gives us the ability to vary behaviour
7322 from within the builtin. It also leaves a lot of headroom
7323 for trivial future improvements.
7324 - The instanceof operator now uses the prototypeForHasInstance
7325 private name, and we have a helper function to ensure that
7326 all objects that need to can update their magical 'prototype'
7327 property pair correctly.
7328
7329 * API/JSScriptRef.cpp:
7330 (parseScript):
7331 * JavaScriptCore.xcodeproj/project.pbxproj:
7332 * builtins/BuiltinExecutables.cpp:
7333 (JSC::BuiltinExecutables::createBuiltinExecutable):
7334 * builtins/Function.prototype.js:
7335 (bind.bindingFunction):
7336 (bind.else.bindingFunction):
7337 (bind):
7338 * bytecode/UnlinkedCodeBlock.cpp:
7339 (JSC::generateFunctionCodeBlock):
7340 * bytecompiler/NodesCodegen.cpp:
7341 (JSC::InstanceOfNode::emitBytecode):
7342 * interpreter/Interpreter.cpp:
7343 * parser/Lexer.cpp:
7344 (JSC::Lexer<T>::Lexer):
7345 (JSC::Lexer<LChar>::parseIdentifier):
7346 (JSC::Lexer<UChar>::parseIdentifier):
7347 * parser/Lexer.h:
7348 * parser/Parser.cpp:
7349 (JSC::Parser<LexerType>::Parser):
7350 (JSC::Parser<LexerType>::parseInner):
7351 * parser/Parser.h:
7352 (JSC::parse):
7353 * parser/ParserModes.h:
7354 * runtime/CodeCache.cpp:
7355 (JSC::CodeCache::getGlobalCodeBlock):
7356 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
7357 * runtime/CommonIdentifiers.h:
7358 * runtime/Completion.cpp:
7359 (JSC::checkSyntax):
7360 * runtime/Executable.cpp:
7361 (JSC::ProgramExecutable::checkSyntax):
7362 * runtime/FunctionPrototype.cpp:
7363 (JSC::FunctionPrototype::addFunctionProperties):
7364 (JSC::functionProtoFuncBind): Deleted.
7365 * runtime/JSBoundFunction.cpp: Removed.
7366 * runtime/JSBoundFunction.h: Removed.
7367 * runtime/JSFunction.cpp:
7368 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
7369 (JSC::RetrieveCallerFunctionFunctor::operator()):
7370 (JSC::retrieveCallerFunction):
7371 (JSC::JSFunction::getOwnPropertySlot):
7372 (JSC::JSFunction::defineOwnProperty):
7373 * runtime/JSGlobalObject.cpp:
7374 (JSC::JSGlobalObject::reset):
7375 * runtime/JSGlobalObjectFunctions.cpp:
7376 (JSC::globalFuncSetTypeErrorAccessor):
7377 * runtime/JSGlobalObjectFunctions.h:
7378 * runtime/JSObject.h:
7379 (JSC::JSObject::inlineGetOwnPropertySlot):
7380
73812014-04-08 Jon Lee <jonlee@apple.com>
7382
7383 Turn MSE on by default
7384 https://bugs.webkit.org/show_bug.cgi?id=131313
7385 <rdar://problem/16525223>
7386
7387 Reviewed by Jer Noble.
7388
7389 * Configurations/FeatureDefines.xcconfig:
7390
7391 2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
7392
7393 Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
7394 https://bugs.webkit.org/show_bug.cgi?id=131406
7395
7396 Reviewed by Timothy Hatcher.
7397
7398 * inspector/remote/RemoteInspector.h:
7399 * inspector/remote/RemoteInspector.mm:
7400 (Inspector::RemoteInspector::stop):
7401 (Inspector::RemoteInspector::stopInternal):
7402 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
7403 Provide a way to stop externally and a path to stop when in
7404 the middle of handling a message already with the locked mutex.
7405
7406 * inspector/remote/RemoteInspectorXPCConnection.h:
7407 * inspector/remote/RemoteInspectorXPCConnection.mm:
7408 (Inspector::RemoteInspectorXPCConnection::close):
7409 (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
7410 Provide a way to close externally and a path to close when in
7411 the middle of handling a message already with a mutex.
7412
7413 2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
7414
7415 Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
7416 https://bugs.webkit.org/show_bug.cgi?id=131398
7417
7418 Reviewed by Timothy Hatcher.
7419
7420 * inspector/InjectedScriptSource.js:
7421 The console object can be deleted from a page or JSContext,
7422 so keep code that expects that it could have been deleted
7423 to be resilient in those cases.
7424
7425 * inspector/JSGlobalObjectScriptDebugServer.h:
7426 * inspector/agents/JSGlobalObjectDebuggerAgent.h:
7427 * inspector/agents/JSGlobalObjectRuntimeAgent.h:
7428 Change the FIXMEs to NOTEs that explain why these functions
7429 have empty implementations for JSContext inspection.
7430
7431 2014-04-08 Filip Pizlo <fpizlo@apple.com>
7432
7433 Unreviewed, fix a goofy assertion to fix debug.
7434
7435 * bytecode/PolymorphicPutByIdList.h:
7436 (JSC::PutByIdAccess::isSetter):
7437 (JSC::PutByIdAccess::oldStructure):
7438 (JSC::PutByIdAccess::chain):
7439 (JSC::PutByIdAccess::stubRoutine):
7440 (JSC::PutByIdAccess::customSetter):
7441
7442 2014-04-08 Filip Pizlo <fpizlo@apple.com>
7443
7444 Fail silently if the LLVM dylib isn't found
7445 https://bugs.webkit.org/show_bug.cgi?id=131385
7446
7447 Reviewed by Mark Hahnenberg.
7448
7449 * dfg/DFGPlan.cpp:
7450 (JSC::DFG::Plan::compileInThreadImpl):
7451 * llvm/InitializeLLVM.cpp:
7452 (JSC::initializeLLVM):
7453 * llvm/InitializeLLVM.h:
7454 * llvm/InitializeLLVMPOSIX.cpp:
7455 (JSC::initializeLLVMPOSIX):
7456
7457 2014-04-07 Filip Pizlo <fpizlo@apple.com>
7458
7459 Repatch should support setters and plant calls to them directly
7460 https://bugs.webkit.org/show_bug.cgi?id=130750
7461
7462 Reviewed by Geoffrey Garen.
7463
7464 All of the infrastructure was in place so this just enables setter optimization.
7465
7466 This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
7467
7468 * bytecode/PolymorphicPutByIdList.cpp:
7469 (JSC::PutByIdAccess::visitWeak):
7470 * bytecode/PolymorphicPutByIdList.h:
7471 (JSC::PutByIdAccess::setter):
7472 (JSC::PutByIdAccess::customSetter): Deleted.
7473 * bytecode/PutByIdStatus.cpp:
7474 (JSC::PutByIdStatus::computeForStubInfo):
7475 * jit/Repatch.cpp:
7476 (JSC::toString):
7477 (JSC::kindFor):
7478 (JSC::customFor):
7479 (JSC::generateByIdStub):
7480 (JSC::tryCachePutByID):
7481 (JSC::tryBuildPutByIdList):
7482 * runtime/JSObject.cpp:
7483 (JSC::JSObject::put):
7484 * runtime/Lookup.h:
7485 (JSC::putEntry):
7486 * runtime/PutPropertySlot.h:
7487 (JSC::PutPropertySlot::setCacheableSetter):
7488 (JSC::PutPropertySlot::isCacheableSetter):
7489 (JSC::PutPropertySlot::isCacheableCustom):
7490 (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
7491 (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
7492 * tests/stress/setter.js: Added.
7493 (foo):
7494
7495 2014-04-07 Filip Pizlo <fpizlo@apple.com>
7496
7497 Setters are just getters that take an extra argument and don't return a value
7498 https://bugs.webkit.org/show_bug.cgi?id=131336
7499
7500 Reviewed by Geoffrey Garen.
7501
7502 Other than that, they're totally the same thing.
7503
7504 This isn't as dumb as it sounds.
7505
7506 Most of the work in calling an accessor has to do with emitting the necessary checks for
7507 figuring out whether we're calling the accessor we expected, followed by the boilerplate
7508 needed for setting up a call inside of a stub. It makes sense for the code to be totally
7509 common.
7510
7511 * jit/AssemblyHelpers.h:
7512 (JSC::AssemblyHelpers::storeValue):
7513 (JSC::AssemblyHelpers::moveTrustedValue):
7514 * jit/CCallHelpers.h:
7515 (JSC::CCallHelpers::setupResults):
7516 * jit/Repatch.cpp:
7517 (JSC::kindFor):
7518 (JSC::customFor):
7519 (JSC::generateByIdStub):
7520 (JSC::tryCacheGetByID):
7521 (JSC::tryBuildGetByIDList):
7522 (JSC::tryCachePutByID):
7523 (JSC::tryBuildPutByIdList):
7524 (JSC::generateGetByIdStub): Deleted.
7525 (JSC::emitCustomSetterStub): Deleted.
7526 * runtime/JSCJSValue.h:
7527 (JSC::JSValue::asValue):
7528 * runtime/PutPropertySlot.h:
7529 (JSC::PutPropertySlot::cachedOffset):
7530
7531 2014-04-07 Joseph Pecoraro <pecoraro@apple.com>
7532
7533 Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
7534 https://bugs.webkit.org/show_bug.cgi?id=131321
7535
7536 Reviewed by Mark Rowe.
7537
7538 * inspector/remote/RemoteInspector.mm:
7539 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
7540 Avoid attempting to take the same lock twice. Move the received message
7541 lock grab after the WIRPermissionDenied branch, which takes the lock
7542 inside RemoteInspector::stop.
7543
7544 2014-04-07 Filip Pizlo <fpizlo@apple.com>
7545
7546 Make it possible to disable some of the FTL's more interesting features
7547 https://bugs.webkit.org/show_bug.cgi?id=131312
7548
7549 Reviewed by Mark Hahnenberg.
7550
7551 * dfg/DFGByteCodeParser.cpp:
7552 (JSC::DFG::ByteCodeParser::handleGetById):
7553 (JSC::DFG::ByteCodeParser::handlePutById):
7554 (JSC::DFG::ByteCodeParser::parse):
7555 * runtime/Options.h:
7556
7557 2014-04-04 Mark Lam <mark.lam@apple.com>
7558
7559 Date object needs to check for ES5 15.9.1.14 TimeClip limit.
7560 <https://webkit.org/b/131248>
7561
7562 Reviewed by Mark Hahnenberg.
7563
7564 The current Date object code does not adequately check for the ES5
7565 15.9.1.14 TimeClip limit. As a result, some calculations can underflow
7566 / overflow and produce unexpected results.
7567
7568 For example, we were getting an assertion failure in
7569 WTF::equivalentYearForDST() due to int underflows in this function, which
7570 in turn were due to an int overflow in WTF::msToYear().
7571
7572 This patch adds the needed checks, and adds some assertions to ensure
7573 that the used values are sane.
7574
7575 The changes have no noticeable impact on benchmark results.
7576
7577 * runtime/DateConstructor.cpp:
7578 (JSC::callDate):
7579 * runtime/JSDateMath.cpp:
7580 (JSC::localTimeOffset):
7581 (JSC::gregorianDateTimeToMS):
7582 (JSC::msToGregorianDateTime):
7583 (JSC::parseDateFromNullTerminatedCharacters):
7584 (JSC::parseDate):
7585 * runtime/JSDateMath.h:
7586 - parseDateFromNullTerminatedCharacters() does not need to be public.
7587 Made it a static function.
7588 * runtime/VM.cpp:
7589 (JSC::VM::resetDateCache):
7590 - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
7591 to be consistent with other Date code.
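
The ES5 15.9.1.14 TimeClip check that this entry refers to, as an added example that is not JavaScriptCore's own code: timeClip() follows the spec text, and approximateYearFromMs() is a hypothetical stand-in for a year computation done in int arithmetic, showing why an unclipped time value must be rejected before it reaches such code.

```cpp
#include <cmath>
#include <limits>

// ES5 15.9.1.14 TimeClip: non-finite values and anything outside
// +/- 8.64e15 ms (roughly +/- 285,616 years around the epoch) become NaN;
// everything else is truncated toward zero. Adding +0.0 turns -0.0 into +0.0,
// which the spec requires.
inline double timeClip(double time)
{
    if (!std::isfinite(time))
        return std::numeric_limits<double>::quiet_NaN();
    if (std::fabs(time) > 8.64e15)
        return std::numeric_limits<double>::quiet_NaN();
    return std::trunc(time) + 0.0;
}

// Mean Gregorian year in milliseconds (constructed constant for this example).
constexpr double msPerYear = 365.2425 * 24.0 * 60.0 * 60.0 * 1000.0;

// Hypothetical stand-in for a year calculation that ends in int arithmetic.
// Inside the TimeClip range the year count fits an int; for a value such as
// 1e300 the double-to-int conversion would be undefined behaviour, which is the
// kind of overflow the entry above describes. Returns false instead of converting.
bool approximateYearFromMs(double ms, int& yearOut)
{
    double years = std::floor(ms / msPerYear);
    if (!(years >= std::numeric_limits<int>::min() && years <= std::numeric_limits<int>::max()))
        return false;
    yearOut = 1970 + static_cast<int>(years);
    return true;
}

// The safe path: clip first, treat NaN as "no valid date", only then compute.
bool yearForTime(double time, int& yearOut)
{
    double clipped = timeClip(time);
    if (std::isnan(clipped))
        return false;
    return approximateYearFromMs(clipped, yearOut);
}
```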
7592
7593 2014-04-06 Csaba Osztrogonác <ossy@webkit.org>
7594
7595 Unreviewed speculative 32-bit buildfix after r166837.
7596
7597 * heap/Heap.cpp:
7598 (JSC::Heap::updateObjectCounts):
7599
7600 2014-04-06 Dan Bernstein <mitz@apple.com>
7601
7602 32-bit build fix.
7603
7604 * runtime/JSGlobalObject.cpp:
7605 (JSC::JSGlobalObject::setInputCursor):
7606
7607 2014-04-04 Brian J. Burg <burg@cs.washington.edu>
7608
7609 Enable WEB_REPLAY for PLATFORM(MAC)
7610 https://bugs.webkit.org/show_bug.cgi?id=130700
7611
7612 Reviewed by Timothy Hatcher.
7613
7614 * Configurations/FeatureDefines.xcconfig:
7615
7616 2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
7617
7618 Add missing files from r166837
7619
7620 * heap/GCLogging.cpp: Added.
7621 (JSC::GCLogging::levelAsString):
7622 (JSC::LoggingFunctor::LoggingFunctor):
7623 (JSC::LoggingFunctor::~LoggingFunctor):
7624 (JSC::LoggingFunctor::operator()):
7625 (JSC::LoggingFunctor::log):
7626 (JSC::LoggingFunctor::reviveCells):
7627 (JSC::LoggingFunctor::returnValue):
7628 (JSC::GCLogging::dumpObjectGraph):
7629 * heap/GCLogging.h: Added.
7630
7631 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
7632
7633 Enhanced GC logging
7634 https://bugs.webkit.org/show_bug.cgi?id=131246
7635
7636 Reviewed by Geoff Garen.
7637
7638 Getting data on the state of the JSC Heap at runtime is currently in a sad state.
7639 The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
7640 recompile to turn it on. It would be nice if we could runtime enable our GC logging
7641 infrastructure while incurring minimal cost when it is disabled.
7642
7643 It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
7644 provides us with the discovered roots along with parent-child relationships as objects
7645 are scanned. However, once an object is scanned it will never be declared as the child
7646 of another object during that collection. This gives us a tree-like view of the
7647 Heap (i.e. each scanned node only reports having a single parent), where the actual
7648 Heap can be an arbitrary graph.
7649
7650 This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances
7651 our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
7652 logging levels. None means no logging is done, Basic is what logGC() = true would have done
7653 prior to this patch, and Verbose logs all object relationships.
7654
7655 JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
7656 subclasses to override the default string representation that will be dumped. These
7657 methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
7658 the logging infrastructure in our compilers.
7659
7660 This patch also adds a GCLogging class that handles dumping the relationships between objects.
7661 It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
7662 children of each live cell at the end of garbage collection.
7663
7664 This change meets our goal of being neutral on the benchmarks we track.
7665
7666 * JavaScriptCore.xcodeproj/project.pbxproj:
7667 * heap/GCLogging.cpp: Added.
7668 (JSC::GCLogging::levelAsString):
7669 (JSC::LoggingFunctor::LoggingFunctor):
7670 (JSC::LoggingFunctor::operator()):
7671 (JSC::LoggingFunctor::log):
7672 (JSC::LoggingFunctor::reviveCells):
7673 (JSC::LoggingFunctor::returnValue):
7674 (JSC::GCLogging::dumpObjectGraph):
7675 * heap/GCLogging.h: Added.
7676 * heap/GCSegmentedArray.h:
7677 (JSC::GCSegmentedArray::begin):
7678 (JSC::GCSegmentedArray::end):
7679 * heap/Heap.cpp:
7680 (JSC::Heap::markRoots):
7681 (JSC::Heap::visitSmallStrings):
7682 (JSC::Heap::visitConservativeRoots):
7683 (JSC::Heap::visitCompilerWorklists):
7684 (JSC::Heap::visitProtectedObjects):
7685 (JSC::Heap::visitTempSortVectors):
7686 (JSC::Heap::visitArgumentBuffers):
7687 (JSC::Heap::visitException):
7688 (JSC::Heap::visitStrongHandles):
7689 (JSC::Heap::visitHandleStack):
7690 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
7691 (JSC::Heap::visitWeakHandles):
7692 (JSC::Heap::updateObjectCounts):
7693 (JSC::Heap::collect):
7694 (JSC::Heap::didFinishCollection):
7695 * heap/Heap.h:
7696 * heap/MarkStack.h:
7697 * heap/SlotVisitor.cpp:
7698 (JSC::SlotVisitor::dump):
7699 * heap/SlotVisitor.h:
7700 (JSC::SlotVisitor::markStack):
7701 * heap/SlotVisitorInlines.h:
7702 (JSC::SlotVisitor::internalAppend):
7703 * runtime/ClassInfo.h:
7704 * runtime/JSCell.cpp:
7705 (JSC::JSCell::dump):
7706 (JSC::JSCell::dumpToStream):
7707 (JSC::JSCell::className):
7708 * runtime/JSCell.h:
7709 * runtime/JSCellInlines.h:
7710 (JSC::JSCell::visitChildren):
7711 * runtime/JSString.cpp:
7712 (JSC::JSString::dumpToStream):
7713 (JSC::JSString::visitChildren):
7714 * runtime/JSString.h:
7715 (JSC::JSString::length):
7716 (JSC::JSRopeString::RopeBuilder::length):
7717 * runtime/Options.cpp:
7718 (JSC::parse):
7719 (JSC::Options::setOption):
7720 (JSC::Options::dumpOption):
7721 * runtime/Options.h:
7722
7723 2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
7724
7725 Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
7726 https://bugs.webkit.org/show_bug.cgi?id=131251
7727
7728 Reviewed by Geoffrey Garen.
7729
7730 * API/JSVirtualMachine.mm:
7731 (scanExternalObjectGraph):
7732 * API/tests/testapi.mm:
7733
7734 2014-04-03 Brian J. Burg <burg@cs.washington.edu>
7735
7736 Web Inspector: hook up probe samples to TimelineAgent's records
7737 https://bugs.webkit.org/show_bug.cgi?id=131127
7738
7739 Reviewed by Timothy Hatcher.
7740
7741 * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.
7742
7743 2014-04-04 Commit Queue <commit-queue@webkit.org>
7744
7745 Unreviewed, rolling out r166820.
7746 https://bugs.webkit.org/show_bug.cgi?id=131256
7747
7748 Broke builds. (Requested by bdash on #webkit).
7749
7750 Reverted changeset:
7751
7752 "WIP for inlining C++. Added a build target to produce llvm
7753 ir."
7754 https://bugs.webkit.org/show_bug.cgi?id=130523
7755 http://trac.webkit.org/changeset/166820
7756
7757 2014-04-04 Matthew Mirman <mmirman@apple.com>
7758
7759 WIP for inlining C++. Added a build target to produce llvm ir.
7760 https://bugs.webkit.org/show_bug.cgi?id=130523
7761
7762 Reviewed by Filip Pizlo.
7763
7764 The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o
7765
7766 * JavaScriptCore.xcodeproj/project.pbxproj:
7767 * build_index.py: Added.
7768 * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.
7769
7770 2014-04-04 Joseph Pecoraro <pecoraro@apple.com>
7771
7772 Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
7773 https://bugs.webkit.org/show_bug.cgi?id=131241
7774
7775 Reviewed by Timothy Hatcher.
7776
7777 * inspector/JSGlobalObjectInspectorController.cpp:
7778 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
7779 Log the exception to the system console if system console output is enabled.
7780
7781 2014-04-04 Joseph Pecoraro <pecoraro@apple.com>
7782
7783 Web Inspector: Provide a way for JSContext console to log to system console
7784 https://bugs.webkit.org/show_bug.cgi?id=131050
7785
7786 Reviewed by Timothy Hatcher.
7787
7788 Applications often re-expose some log -> NSLog functionality.
7789 We already have the capability ourselves, which includes extra
7790 information such as sourceURL:line:column, all arguments instead
7791 of just one argument, and backtrace information on console.trace.
7792 Therefore it would be convenient if developers could just use
7793 the built-in console.log and get rich output in both the inspector
7794 and the console, without writing their own logger.
7795
7796 The logging will be enabled in debug builds by default, and can be enabled
7797 otherwise by setting a user default before creating the first context.
7798
7799 For example, in the application itself:
7800
7801 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];
7802
7803 Or from outside the application:
7804
7805 shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES
7806
7807 * inspector/JSConsoleClient.h:
7808 * inspector/JSConsoleClient.cpp:
7809 (Inspector::JSConsoleClient::logToSystemConsole):
7810 (Inspector::JSConsoleClient::setLogToSystemConsole):
7811 (Inspector::JSConsoleClient::initializeLogToSystemConsole):
7812 (Inspector::JSConsoleClient::JSConsoleClient):
7813 Global setting for logging to system console. Enabled on
7814 debug builds, and by a user default on supported platforms.
7815
7816 (Inspector::JSConsoleClient::messageWithTypeAndLevel):
7817 Log to system console when the static setting is enabled.
7818
7819 * runtime/ConsoleClient.h:
7820 * runtime/ConsoleClient.cpp:
7821 (JSC::appendURLAndPosition):
7822 (JSC::appendMessagePrefix):
7823 (JSC::ConsoleClient::printConsoleMessage):
7824 (JSC::ConsoleClient::printConsoleMessageWithArguments):
7825 Clean up printing. Build strings and use WTFLogAlways instead of printf
7826 for consistent logging.
7827
7828 * runtime/ConsoleClient.cpp:
7829 (JSC::ConsoleClient::printConsoleMessageWithArguments):
7830 Clean up printing. If there is no source URL, don't print a leading colon.
7831
7832 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
7833
7834 Use JSCell::indexingType instead of Structure::indexingType wherever possible
7835 https://bugs.webkit.org/show_bug.cgi?id=131230
7836
7837 Reviewed by Mark Lam.
7838
7839 Avoid the indirection through the Structure.
7840
7841 * bytecode/ArrayAllocationProfile.cpp:
7842 (JSC::ArrayAllocationProfile::updateIndexingType):
7843 * bytecode/ArrayAllocationProfile.h:
7844 (JSC::ArrayAllocationProfile::selectIndexingType):
7845 * heap/HeapStatistics.cpp:
7846 (JSC::StorageStatistics::operator()):
7847 * runtime/ArrayPrototype.cpp:
7848 (JSC::attemptFastSort):
7849 * runtime/JSGlobalObject.cpp:
7850 (JSC::JSGlobalObject::objectPrototypeIsSane):
7851 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
7852 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
7853 * runtime/JSPropertyNameIterator.cpp:
7854 (JSC::JSPropertyNameIterator::create):
7855
7856 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
7857
7858 Use JSCell::type instead of TypeInfo::type wherever possible
7859 https://bugs.webkit.org/show_bug.cgi?id=131229
7860
7861 Reviewed by Michael Saboff.
7862
7863 Avoid going through the Structure and reifying the TypeInfo.
7864
7865 * runtime/Executable.h:
7866 (JSC::ExecutableBase::isEvalExecutable):
7867 (JSC::ExecutableBase::isProgramExecutable):
7868
7869 2014-04-03 Andreas Kling <akling@apple.com>
7870
7871 Fast-path for casting JS wrappers to JSNode.
7872 <https://webkit.org/b/131196>
7873
7874 Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
7875 a little bit. We do this by exposing a LastJSCObjectType constant so
7876 WebCore can encode its own wrapper types after that.
7877
7878 Reviewed by Mark Hahnenberg and Geoff Garen.
7879
7880 * runtime/JSType.h:
7881
7882 Added LastJSCObjectType for use by WebCore.
7883
7884 * runtime/JSObject.h:
7885 (JSC::JSObject::isVariableObject):
7886
7887 Updated since this can no longer assume that types >= VariableObjectType
7888 are all variable objects.
7889
7890 2014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>
7891
7892 All Heap::writeBarriers should be inline
7893 https://bugs.webkit.org/show_bug.cgi?id=131197
7894
7895 Reviewed by Mark Lam.
7896
7897 One is in JSCellInlines.h, another is in Heap.cpp. These are all critical
7898 enough and small enough to belong in HeapInlines.h. Also added the proper
7899 ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.
7900
7901 * heap/Heap.cpp:
7902 (JSC::Heap::writeBarrier): Deleted.
7903 * heap/Heap.h:
7904 * heap/HeapInlines.h:
7905 (JSC::Heap::writeBarrier):
7906 * runtime/JSCellInlines.h:
7907 (JSC::Heap::writeBarrier): Deleted.
7908
7909 2014-04-03 Joseph Pecoraro <pecoraro@apple.com>
7910
7911 Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
7912 https://bugs.webkit.org/show_bug.cgi?id=131186
7913
7914 Reviewed by Geoffrey Garen.
7915
7916 * API/JSContextPrivate.h:
7917 * API/JSContext.mm:
7918 (-[JSContext _includesNativeCallStackWhenReportingExceptions]):
7919 (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
7920 JSContext ObjC SPI to opt-out of including native call stacks in exceptions.
7921
7922 * API/JSContextRefPrivate.h:
7923 * API/JSContextRef.cpp:
7924 (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
7925 (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
7926 JSContext C SPI to opt-out of including native call stacks in exceptions.
7927
7928 * inspector/JSGlobalObjectInspectorController.h:
7929 * inspector/JSGlobalObjectInspectorController.cpp:
7930 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
7931 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
7932 Only include the native call stack if the setting is enabled. It is enabled by default.
7933
7934 2014-04-03 Mark Lam <mark.lam@apple.com>
7935
7936 Fix bit rot in ARMv7 JIT probe mechanism.
7937 <https://webkit.org/b/131167>
7938
7939 Reviewed by Geoffrey Garen.
7940
7941 1. The macro assembler does not support pushing the SP register. Worked
7942 around this by pushing the LR register as a placeholder, and then
7943 writing the original SP value to that slot.
7944 2. The CPUState field in the ProbeContext needs to be aligned on a 4
7945 byte boundary, not an 8 byte boundary.
7946
7947 * assembler/MacroAssemblerARMv7.cpp:
7948 (JSC::MacroAssemblerARMv7::probe):
7949 * jit/JITStubsARMv7.h:
7950
7951 2014-04-02 Mark Lam <mark.lam@apple.com>
7952
7953 ARMv7 compare32() should not use TST to do CMP's job.
7954 <https://webkit.org/b/131146>
7955
7956 Reviewed by Geoffrey Garen.
7957
7958 The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
7959 was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
7960 instruction doesn't set the Overflow (V) flag and this results in random
7961 results depending on whether there was a preceding instruction that did set
7962 the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
7963 with a lot of OSR exits where not expected as well as producing wrong results.
7964
7965 The fix is to use "cmp reg, #0" to do the job properly.
7966
7967 * assembler/MacroAssemblerARMv7.h:
7968 (JSC::MacroAssemblerARMv7::compare32):
7969
7970 2014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>
7971
7972 CodeBlockSet should be generational
7973 https://bugs.webkit.org/show_bug.cgi?id=127152
7974
7975 Reviewed by Geoffrey Garen.
7976
7977 During EdenCollections we now only visit those CodeBlocks that:
7978 a) Are new since the last collection if they were somehow otherwise reachable.
7979 b) Are reachable from an Executable that is part of the remembered set.
7980
7981 * bytecode/CodeBlock.cpp:
7982 (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
7983 (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
7984 shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
7985 * bytecode/CodeBlock.h:
7986 (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
7987 We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
7988 (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
7989 (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
7990 * heap/CodeBlockSet.cpp:
7991 (JSC::CodeBlockSet::~CodeBlockSet):
7992 (JSC::CodeBlockSet::add):
7993 (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
7994 the set of old CodeBlocks.
7995 (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
7996 (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
7997 remembered set. When an Executable is added to the remembered set it's typically because we need to do something
7998 with its CodeBlock.
7999 (JSC::CodeBlockSet::clearMarks):
8000 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
8001 to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
8002 (JSC::CodeBlockSet::remove):
8003 (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
8004 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
8005 CodeBlocks because we no longer always do this at the beginning of EdenCollections.
8006 * heap/CodeBlockSet.h:
8007 (JSC::CodeBlockSet::iterate):
8008 * heap/Heap.cpp:
8009 (JSC::Heap::markRoots):
8010 (JSC::Heap::deleteAllCompiledCode):
8011 (JSC::Heap::deleteUnmarkedCompiledCode):
8012 * runtime/Executable.cpp:
8013 (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
8014 a) A CodeBlock is created and is compiled on a DFG worker thread.
8015 b) No GC happens.
8016 c) The CodeBlock has finished being compiled and is installed in the Executable.
8017 d) The function never executes before the next GC.
8018 e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
8019 it's added to the remembered set.
8020
8021 2014-04-02 Mark Lam <mark.lam@apple.com>
8022
8023 Added some more dataLog info for OSR exits.
8024 <https://webkit.org/b/131120>
8025
8026 Reviewed by Michael Saboff.
8027
8028 Adding info about the OSR exit index, the bytecode index of the bytecode
8029 that is OSR exiting, and the reason for the OSR exit. This change is
8030 for debugging code which only comes into play when we use the
8031 --printEachOSRExit option.
8032
8033 * dfg/DFGOSRExit.h:
8034 * dfg/DFGOSRExitCompiler32_64.cpp:
8035 (JSC::DFG::OSRExitCompiler::compileExit):
8036 * dfg/DFGOSRExitCompiler64.cpp:
8037 (JSC::DFG::OSRExitCompiler::compileExit):
8038 * dfg/DFGOperations.cpp:
8039
8040 2014-04-02 Martin Robinson <mrobinson@igalia.com>
8041
8042 REGRESSION(r165704): [GTK] Inspector resources not correctly generated
8043 https://bugs.webkit.org/show_bug.cgi?id=130343
8044
8045 Reviewed by Gustavo Noronha Silva.
8046
8047 * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
8048 in which it should be distributed. This allows us to more easily package it for GTK+.
8049
8050 2014-04-01 Timothy Hatcher <timothy@apple.com>
8051
8052 Remove HeapProfiler from the Web Inspector protocol.
8053
8054 https://bugs.webkit.org/show_bug.cgi?id=131070
8055
8056 Reviewed by Joseph Pecoraro.
8057
8058 * inspector/agents/InspectorConsoleAgent.h:
8059 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
8060 (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
8061 * inspector/agents/JSGlobalObjectConsoleAgent.h:
8062 * inspector/protocol/Console.json:
8063
8064 2014-03-31 Simon Fraser <simon.fraser@apple.com>
8065
8066 Enable WEB_TIMING on Mac and iOS
8067 https://bugs.webkit.org/show_bug.cgi?id=128064
8068
8069 Reviewed by Sam Weinig, Brent Fulgham.
8070
8071 Enable WEB_TIMING.
8072
8073 * Configurations/FeatureDefines.xcconfig:
8074
8075 2014-03-31 Michael Saboff <msaboff@apple.com>
8076
8077 REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
8078 https://bugs.webkit.org/show_bug.cgi?id=130992
8079
8080 Reviewed by Mark Hahnenberg.
8081
8082 Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.
8083
8084 * API/JSObjectRef.cpp:
8085 (JSObjectGetPrivate):
8086 (JSObjectSetPrivate):
8087 * API/tests/testapi.c:
8088 (main): Added new test case to validate we are properly forwarding.
8089
8090 2014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>
8091
8092 Improve GC_LOGGING
8093 https://bugs.webkit.org/show_bug.cgi?id=130988
8094
8095 Reviewed by Geoffrey Garen.
8096
8097 GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
8098 but it doesn't distinguish between Eden and Full collections in the data it gathers. This
8099 patch updates it so that it can. It also adds the process ID to the beginning of each line
8100 of input to be able to distinguish between the output of multiple processes exiting at the
8101 same time.
8102
8103 * heap/Heap.cpp:
8104 (JSC::Heap::collect):
8105
8106 2014-03-31 Dean Jackson <dino@apple.com>
8107
8108 Remove WEB_ANIMATIONS
8109 https://bugs.webkit.org/show_bug.cgi?id=130989
8110
8111 Reviewed by Simon Fraser.
8112
8113 Remove this feature flag until we plan to implement.
8114
8115 * Configurations/FeatureDefines.xcconfig:
8116
8117 2014-03-31 Filip Pizlo <fpizlo@apple.com>
8118
8119 More validation for FTL inline caches
8120 https://bugs.webkit.org/show_bug.cgi?id=130948
8121
8122 Reviewed by Geoffrey Garen.
8123
8124 * dfg/DFGByteCodeParser.cpp:
8125 (JSC::DFG::ByteCodeParser::handleGetById):
8126 (JSC::DFG::ByteCodeParser::handlePutById):
8127 * runtime/Options.h:
8128
8129 2014-03-31 Filip Pizlo <fpizlo@apple.com>
8130
8131 LLVM IR for store barriers should be nicely arranged and they don't need exception checks
8132 https://bugs.webkit.org/show_bug.cgi?id=130950
8133
8134 Reviewed by Mark Hahnenberg.
8135
8136 * ftl/FTLLowerDFGToLLVM.cpp:
8137 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
8138
8139 2014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
8140
8141 [CMake] Stop checking for WTF_USE_ICU_UNICODE.
8142 https://bugs.webkit.org/show_bug.cgi?id=130965
8143
8144 Reviewed by Martin Robinson.
8145
8146 This is somewhat of a follow-up to r162782, which got rid of
8147 WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
8148 CMakeLists.txt. This meant the includes and libraries were not
8149 being properly included since then.
8150
8151 * CMakeLists.txt:
8152
8153 2014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8154
8155 Remove hostThisRegister() and hostThisValue()
8156 https://bugs.webkit.org/show_bug.cgi?id=130895
8157
8158 Reviewed by Geoffrey Garen.
8159
8160 Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.
8161
8162 * API/APICallbackFunction.h:
8163 (JSC::APICallbackFunction::call):
8164 * API/JSCallbackObjectFunctions.h:
8165 (JSC::JSCallbackObject<Parent>::call):
8166 * dfg/DFGOSREntry.cpp:
8167 (JSC::DFG::prepareOSREntry):
8168 * inspector/JSInjectedScriptHostPrototype.cpp:
8169 (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
8170 (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
8171 (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
8172 (Inspector::jsInjectedScriptHostPrototypeFunctionType):
8173 (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
8174 (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
8175 * inspector/JSJavaScriptCallFramePrototype.cpp:
8176 (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
8177 (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
8178 (Inspector::jsJavaScriptCallFrameAttributeCaller):
8179 (Inspector::jsJavaScriptCallFrameAttributeSourceID):
8180 (Inspector::jsJavaScriptCallFrameAttributeLine):
8181 (Inspector::jsJavaScriptCallFrameAttributeColumn):
8182 (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
8183 (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
8184 (Inspector::jsJavaScriptCallFrameAttributeThisObject):
8185 (Inspector::jsJavaScriptCallFrameAttributeType):
8186 * interpreter/CallFrame.h:
8187 (JSC::ExecState::hostThisRegister): Deleted.
8188 (JSC::ExecState::hostThisValue): Deleted.
8189 * runtime/Arguments.cpp:
8190 (JSC::argumentsFuncIterator):
8191 * runtime/ArrayPrototype.cpp:
8192 (JSC::arrayProtoFuncToString):
8193 (JSC::arrayProtoFuncToLocaleString):
8194 (JSC::arrayProtoFuncJoin):
8195 (JSC::arrayProtoFuncConcat):
8196 (JSC::arrayProtoFuncPop):
8197 (JSC::arrayProtoFuncPush):
8198 (JSC::arrayProtoFuncReverse):
8199 (JSC::arrayProtoFuncShift):
8200 (JSC::arrayProtoFuncSlice):
8201 (JSC::arrayProtoFuncSort):
8202 (JSC::arrayProtoFuncSplice):
8203 (JSC::arrayProtoFuncUnShift):
8204 (JSC::arrayProtoFuncReduce):
8205 (JSC::arrayProtoFuncReduceRight):
8206 (JSC::arrayProtoFuncIndexOf):
8207 (JSC::arrayProtoFuncLastIndexOf):
8208 (JSC::arrayProtoFuncValues):
8209 (JSC::arrayProtoFuncEntries):
8210 (JSC::arrayProtoFuncKeys):
8211 * runtime/BooleanPrototype.cpp:
8212 (JSC::booleanProtoFuncToString):
8213 (JSC::booleanProtoFuncValueOf):
8214 * runtime/ConsolePrototype.cpp:
8215 (JSC::consoleLogWithLevel):
8216 (JSC::consoleProtoFuncClear):
8217 (JSC::consoleProtoFuncDir):
8218 (JSC::consoleProtoFuncDirXML):
8219 (JSC::consoleProtoFuncTable):
8220 (JSC::consoleProtoFuncTrace):
8221 (JSC::consoleProtoFuncAssert):
8222 (JSC::consoleProtoFuncCount):
8223 (JSC::consoleProtoFuncProfile):
8224 (JSC::consoleProtoFuncProfileEnd):
8225 (JSC::consoleProtoFuncTime):
8226 (JSC::consoleProtoFuncTimeEnd):
8227 (JSC::consoleProtoFuncTimeStamp):
8228 (JSC::consoleProtoFuncGroup):
8229 (JSC::consoleProtoFuncGroupCollapsed):
8230 (JSC::consoleProtoFuncGroupEnd):
8231 * runtime/DatePrototype.cpp:
8232 (JSC::formateDateInstance):
8233 (JSC::dateProtoFuncToISOString):
8234 (JSC::dateProtoFuncToLocaleString):
8235 (JSC::dateProtoFuncToLocaleDateString):
8236 (JSC::dateProtoFuncToLocaleTimeString):
8237 (JSC::dateProtoFuncGetTime):
8238 (JSC::dateProtoFuncGetFullYear):
8239 (JSC::dateProtoFuncGetUTCFullYear):
8240 (JSC::dateProtoFuncGetMonth):
8241 (JSC::dateProtoFuncGetUTCMonth):
8242 (JSC::dateProtoFuncGetDate):
8243 (JSC::dateProtoFuncGetUTCDate):
8244 (JSC::dateProtoFuncGetDay):
8245 (JSC::dateProtoFuncGetUTCDay):
8246 (JSC::dateProtoFuncGetHours):
8247 (JSC::dateProtoFuncGetUTCHours):
8248 (JSC::dateProtoFuncGetMinutes):
8249 (JSC::dateProtoFuncGetUTCMinutes):
8250 (JSC::dateProtoFuncGetSeconds):
8251 (JSC::dateProtoFuncGetUTCSeconds):
8252 (JSC::dateProtoFuncGetMilliSeconds):
8253 (JSC::dateProtoFuncGetUTCMilliseconds):
8254 (JSC::dateProtoFuncGetTimezoneOffset):
8255 (JSC::dateProtoFuncSetTime):
8256 (JSC::setNewValueFromTimeArgs):
8257 (JSC::setNewValueFromDateArgs):
8258 (JSC::dateProtoFuncSetYear):
8259 (JSC::dateProtoFuncGetYear):
8260 (JSC::dateProtoFuncToJSON):
8261 * runtime/ErrorPrototype.cpp:
8262 (JSC::errorProtoFuncToString):
8263 * runtime/FunctionPrototype.cpp:
8264 (JSC::functionProtoFuncToString):
8265 (JSC::functionProtoFuncBind):
8266 * runtime/NamePrototype.cpp:
8267 (JSC::privateNameProtoFuncToString):
8268 * runtime/NumberPrototype.cpp:
8269 (JSC::numberProtoFuncToExponential):
8270 (JSC::numberProtoFuncToFixed):
8271 (JSC::numberProtoFuncToPrecision):
8272 (JSC::numberProtoFuncClz):
8273 (JSC::numberProtoFuncToString):
8274 (JSC::numberProtoFuncToLocaleString):
8275 (JSC::numberProtoFuncValueOf):
8276 * runtime/ObjectPrototype.cpp:
8277 (JSC::objectProtoFuncValueOf):
8278 (JSC::objectProtoFuncHasOwnProperty):
8279 (JSC::objectProtoFuncIsPrototypeOf):
8280 (JSC::objectProtoFuncDefineGetter):
8281 (JSC::objectProtoFuncDefineSetter):
8282 (JSC::objectProtoFuncLookupGetter):
8283 (JSC::objectProtoFuncLookupSetter):
8284 (JSC::objectProtoFuncPropertyIsEnumerable):
8285 (JSC::objectProtoFuncToLocaleString):
8286 (JSC::objectProtoFuncToString):
8287 * runtime/RegExpPrototype.cpp:
8288 (JSC::regExpProtoFuncTest):
8289 (JSC::regExpProtoFuncExec):
8290 (JSC::regExpProtoFuncCompile):
8291 (JSC::regExpProtoFuncToString):
8292 * runtime/StringPrototype.cpp:
8293 (JSC::stringProtoFuncReplace):
8294 (JSC::stringProtoFuncToString):
8295 (JSC::stringProtoFuncCharAt):
8296 (JSC::stringProtoFuncCharCodeAt):
8297 (JSC::stringProtoFuncConcat):
8298 (JSC::stringProtoFuncIndexOf):
8299 (JSC::stringProtoFuncLastIndexOf):
8300 (JSC::stringProtoFuncMatch):
8301 (JSC::stringProtoFuncSearch):
8302 (JSC::stringProtoFuncSlice):
8303 (JSC::stringProtoFuncSplit):
8304 (JSC::stringProtoFuncSubstr):
8305 (JSC::stringProtoFuncSubstring):
8306 (JSC::stringProtoFuncToLowerCase):
8307 (JSC::stringProtoFuncToUpperCase):
8308 (JSC::stringProtoFuncLocaleCompare):
8309 (JSC::stringProtoFuncBig):
8310 (JSC::stringProtoFuncSmall):
8311 (JSC::stringProtoFuncBlink):
8312 (JSC::stringProtoFuncBold):
8313 (JSC::stringProtoFuncFixed):
8314 (JSC::stringProtoFuncItalics):
8315 (JSC::stringProtoFuncStrike):
8316 (JSC::stringProtoFuncSub):
8317 (JSC::stringProtoFuncSup):
8318 (JSC::stringProtoFuncFontcolor):
8319 (JSC::stringProtoFuncFontsize):
8320 (JSC::stringProtoFuncAnchor):
8321 (JSC::stringProtoFuncLink):
8322 (JSC::stringProtoFuncTrim):
8323 (JSC::stringProtoFuncTrimLeft):
8324 (JSC::stringProtoFuncTrimRight):
8325
2014-03-28  Filip Pizlo  <fpizlo@apple.com>

        Land the stackmap register liveness glue with the uses of the liveness disabled
        https://bugs.webkit.org/show_bug.cgi?id=130924

        Reviewed by Oliver Hunt.

        Add the liveness and fix other bugs I found.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::argumentRegisters):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::locationSet):
        (JSC::FTL::StackMaps::Record::liveOutsSet):
        (JSC::FTL::StackMaps::Record::usedRegisterSet):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::registerClobberCheck):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::setAny):
        (JSC::RegisterSet::setMany):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-28  Mark Lam  <mark.lam@apple.com>

        mandreel throws a checksum error on 32-bit x86.
        <https://webkit.org/b/125706>

        Reviewed by Filip Pizlo.

        The 32-bit DFG can emit code that loads double constants from its
        CodeBlock's m_constantRegisters vector. The emitted instruction will
        embed the address of the constant from the vector's backing store.
        Subsequently, while inserting new constants, the DFG may resize the
        vector, thereby reallocating the backing store. This renders the
        previously embedded constant addresses stale.

        The fix is to use a dedicated doubles constant pool stored in the DFG
        CommonData instead. This constant pool won't be reallocated, and
        hence will not manifest this issue.

        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
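
        The stale-address hazard this entry describes, as an added example that is not
        JavaScriptCore's code: an element address taken into a std::vector goes stale as soon
        as the vector reallocates, while a chunked pool (StableDoublePool, a hypothetical
        stand-in for the dedicated CommonData constant pool) never moves an element once
        placed, so every address it hands out stays valid for its lifetime.

```cpp
// Added example, not JavaScriptCore code. Reproduces the stale-pointer pattern from the
// ChangeLog entry with std::vector and contrasts it with a pool of stable addresses.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// A constant pool whose elements never move: values live in fixed-size chunks that are
// allocated once and never reallocated. Only the outer index vector may grow, and it
// holds pointers to chunks, not the doubles themselves. This is the property a JIT
// needs before baking an element address into emitted code. (Hypothetical layout.)
class StableDoublePool {
public:
    static constexpr std::size_t kChunkSize = 16;

    // Appends a constant and returns its permanent address.
    const double* add(double value)
    {
        if (m_chunks.empty() || m_used == kChunkSize) {
            m_chunks.push_back(std::make_unique<double[]>(kChunkSize));
            m_used = 0;
        }
        double* slot = &m_chunks.back()[m_used++];
        *slot = value;
        return slot;
    }

    std::size_t size() const
    {
        return m_chunks.empty() ? 0 : (m_chunks.size() - 1) * kChunkSize + m_used;
    }

private:
    std::vector<std::unique_ptr<double[]>> m_chunks; // may move; the chunks it owns do not
    std::size_t m_used = 0;                          // slots used in the last chunk
};

// The buggy pattern: record the address of element 0 (what the JIT would embed), then
// keep appending. Returns true if the backing store moved, i.e. the recorded address is
// stale. Addresses are compared as integers so no invalid pointer value is ever used.
bool vectorAddressWentStale(std::size_t appendsAfterTaking)
{
    std::vector<double> constants;
    constants.push_back(1.5);
    const std::uintptr_t embedded = reinterpret_cast<std::uintptr_t>(constants.data());
    for (std::size_t i = 0; i < appendsAfterTaking; ++i)
        constants.push_back(static_cast<double>(i));
    return reinterpret_cast<std::uintptr_t>(constants.data()) != embedded;
}

// The fixed pattern: take addresses from the pool as constants are added, keep adding,
// then read every value back through the address recorded at insert time.
bool poolAddressesStable(std::size_t total)
{
    StableDoublePool pool;
    std::vector<const double*> recorded;
    for (std::size_t i = 0; i < total; ++i)
        recorded.push_back(pool.add(static_cast<double>(i) * 0.5));
    for (std::size_t i = 0; i < total; ++i) {
        if (*recorded[i] != static_cast<double>(i) * 0.5)
            return false;
    }
    return pool.size() == total;
}

int main()
{
    std::printf("vector address stale after 1000 appends: %s\n",
                vectorAddressWentStale(1000) ? "yes" : "no");
    std::printf("pool addresses stable across 100 adds:   %s\n",
                poolAddressesStable(100) ? "yes" : "no");
    return 0;
}
```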

2014-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.warn is showing as error instead of warning
        https://bugs.webkit.org/show_bug.cgi?id=130921

        Reviewed by Timothy Hatcher.

        * runtime/ConsolePrototype.cpp:
        (JSC::consoleProtoFuncWarn):
        console.warn should be MessageLevel Warning, not Error.

2014-03-28  Oliver Hunt  <oliver@apple.com>

        Fix cloop build.

        * bytecode/BytecodeList.json:

2014-03-28  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling r166248 back in.

        Turns out r166070 didn't cause a 2% performance loss in page load times.

        Reverted changeset:

        Unreviewed, rolling out r166126.
        Rollout r166126 in preparation to roll out prerequisite r166070

2014-03-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166376.
        https://bugs.webkit.org/show_bug.cgi?id=130887

        This was a misguided optimization. (Requested by kling on
        #webkit).

        Reverted changeset:

        "Avoid fetching JSObject::structure() repeatedly in
        putDirectInternal."
        https://bugs.webkit.org/show_bug.cgi?id=130857
        http://trac.webkit.org/changeset/166376

2014-03-27  Oliver Hunt  <oliver@apple.com>

        Support spread operand in |new| expressions
        https://bugs.webkit.org/show_bug.cgi?id=130877

        Reviewed by Michael Saboff.

        Add support for the spread operator being applied in
        |new| expressions. This required adding support for
        a new opcode, op_construct_varargs. This is a relatively
        simple refactoring of the call_varargs implementation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Revert http://trac.webkit.org/changeset/166386 because it broke builds.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip this test for now.

        * tests/stress/recurse-infinitely-on-getter.js:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Andreas Kling  <akling@apple.com>

        Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
        <https://webkit.org/b/130857>

        Use the cached Structure* instead of re-fetching it over and over since
        that's a non-trivial operation these days.

        Reviewed by Mark Hahnenberg.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Check the remembered set bit faster
        https://bugs.webkit.org/show_bug.cgi?id=130860

        Reviewed by Oliver Hunt.

        Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
        that bit is also stored in the object. We should look it up there whenever possible.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * heap/Heap.h:
        * heap/HeapInlines.h: Removed.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide SPI to disallow remote inspection of a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=130853

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h: Added.
        * API/JSContext.mm:
        (-[JSContext _remoteInspectionEnabled]):
        (-[JSContext _setRemoteInspectionEnabled:]):
        ObjC SPI to enable/disable remote inspection.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetRemoteInspectionEnabled):
        (JSGlobalContextSetRemoteInspectionEnabled):
        C SPI to enable/disable remote inspection.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new private header, and export as a private header.

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
        https://bugs.webkit.org/show_bug.cgi?id=130845

        Reviewed by Filip Pizlo.

        There was a hack added to make sure C Loop LLInt worked which included overriding the
        global Options::useLLInt setting, which makes no sense to do here. We should put the
        update of the global setting in Options::recomputeDependentOptions along with the other
        execution engine flags.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Enable LLVM stackmap liveOuts computation
        https://bugs.webkit.org/show_bug.cgi?id=130821

        Reviewed by Andy Estes and Sam Weinig.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::dump):
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Parse stackmaps liveOuts
        https://bugs.webkit.org/show_bug.cgi?id=130801

        Reviewed by Geoffrey Garen.

        This just adds the code to parse them but doesn't do anything with them, yet.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::LiveOut::parse):
        (JSC::FTL::StackMaps::LiveOut::dump):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        * ftl/FTLStackMaps.h:

2014-03-26  Mark Lam  <mark.lam@apple.com>

        Build fix after r166307.

        Not reviewed.

        * runtime/JSCell.h:
        - The inline function isAPIValueWrapper() should not be exported. This
          was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Reasoning about DWARF register numbers should be moved out of FTL::Location
        https://bugs.webkit.org/show_bug.cgi?id=130792

        Reviewed by Oliver Hunt.

        Moving this code makes it possible for things other than FTL::Location to reason about
        DWARF register encoding. This refactoring also appears to reduce some code duplication
        and makes FTLLocation.cpp cleaner.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLDWARFRegister.cpp: Added.
        (JSC::FTL::DWARFRegister::reg):
        (JSC::FTL::DWARFRegister::dump):
        * ftl/FTLDWARFRegister.h: Added.
        (JSC::FTL::DWARFRegister::DWARFRegister):
        (JSC::FTL::DWARFRegister::dwarfRegNum):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::hasDwarfReg):
        (JSC::FTL::Location::dwarfReg):

2014-03-26  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix.

        * runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] Remove shape-inside support
        https://bugs.webkit.org/show_bug.cgi?id=130698

        Reviewed by David Hyatt.

        * Configurations/FeatureDefines.xcconfig:

2014-03-26  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Rename hasFastArrayStorage to be more appropriate
        https://bugs.webkit.org/show_bug.cgi?id=130773

        Reviewed by Filip Pizlo.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlines.h:
        (JSC::IndexingHeader::preCapacity):
        * runtime/IndexingType.h:
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasFastArrayStorage): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2014-03-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.

        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.

        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variables would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.

        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.

        8x speed-up for getter microbenchmarks.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in preparation to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25  Oliver Hunt  <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24  Oliver Hunt  <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24  Geoffrey Garen  <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.

90052014-03-24 Oliver Hunt <oliver@apple.com>
9006
9007 Strict mode destructuring assignment crashes the parser.
9008 https://bugs.webkit.org/show_bug.cgi?id=130538
9009
9010 Reviewed by Michael Saboff.
9011
9012 The SyntaxChecker mode always return 1 for success, except
9013 for a small subset of functions where we needed exact information.
9014 This ends up just being a poor design decision as it means
9015 the parser can get confused between a function return 1, and
9016 the Resolve constant which was also 1. So we now use a unique
9017 type for every creation method.
9018
9019 * parser/SyntaxChecker.h:
9020 (JSC::SyntaxChecker::createSourceElements):
9021 (JSC::SyntaxChecker::createFunctionBody):
9022 (JSC::SyntaxChecker::createArguments):
9023 (JSC::SyntaxChecker::createSpreadExpression):
9024 (JSC::SyntaxChecker::createArgumentsList):
9025 (JSC::SyntaxChecker::createPropertyList):
9026 (JSC::SyntaxChecker::createElementList):
9027 (JSC::SyntaxChecker::createFormalParameterList):
9028 (JSC::SyntaxChecker::createClause):
9029 (JSC::SyntaxChecker::createClauseList):
9030 (JSC::SyntaxChecker::createFuncDeclStatement):
9031 (JSC::SyntaxChecker::createBlockStatement):
9032 (JSC::SyntaxChecker::createExprStatement):
9033 (JSC::SyntaxChecker::createIfStatement):
9034 (JSC::SyntaxChecker::createForLoop):
9035 (JSC::SyntaxChecker::createForInLoop):
9036 (JSC::SyntaxChecker::createForOfLoop):
9037 (JSC::SyntaxChecker::createEmptyStatement):
9038 (JSC::SyntaxChecker::createVarStatement):
9039 (JSC::SyntaxChecker::createReturnStatement):
9040 (JSC::SyntaxChecker::createBreakStatement):
9041 (JSC::SyntaxChecker::createContinueStatement):
9042 (JSC::SyntaxChecker::createTryStatement):
9043 (JSC::SyntaxChecker::createSwitchStatement):
9044 (JSC::SyntaxChecker::createWhileStatement):
9045 (JSC::SyntaxChecker::createWithStatement):
9046 (JSC::SyntaxChecker::createDoWhileStatement):
9047 (JSC::SyntaxChecker::createLabelStatement):
9048 (JSC::SyntaxChecker::createThrowStatement):
9049 (JSC::SyntaxChecker::createDebugger):
9050 (JSC::SyntaxChecker::createConstStatement):
9051 (JSC::SyntaxChecker::appendConstDecl):
9052 (JSC::SyntaxChecker::combineCommaNodes):
9053 (JSC::SyntaxChecker::operatorStackPop):
9054
90552014-03-24 Brent Fulgham <bfulgham@apple.com>
9056
9057 Activate WebVTT Tests Once Merging is Complete
9058 https://bugs.webkit.org/show_bug.cgi?id=130420
9059
9060 Reviewed by Eric Carlson.
9061
9062 * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
9063
9064 2014-03-24 Andreas Kling <akling@apple.com>
9065
9066 Stop pulling in all the macro assemblers from VM.h
9067 <https://webkit.org/b/130691>
9068
9069 Remove #include of "GPRInfo.h". This breaks WebCore's dependency
9070 on macro assemblers headers and removes 8 includes from every
9071 .cpp file in the JS bindings.
9072
9073 Reviewed by Geoff Garen.
9074
9075 * runtime/VM.h:
9076
9077 2014-03-24 Gavin Barraclough <barraclough@apple.com>
9078
9079 Add support for thread QoS
9080 https://bugs.webkit.org/show_bug.cgi?id=130688
9081
9082 Reviewed by Andreas Kling.
9083
9084 * heap/BlockAllocator.cpp:
9085 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
9086 - block freeing is a utility activity.
9087
9088 2014-03-24 Filip Pizlo <fpizlo@apple.com>
9089
9090 Unreviewed, fix CLOOP build.
9091
9092 * bytecode/CallLinkStatus.cpp:
9093 (JSC::CallLinkStatus::computeFor):
9094 * bytecode/CodeBlock.cpp:
9095 (JSC::CodeBlock::printCallOp):
9096 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
9097 (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
9098 * bytecode/CodeBlock.h:
9099 (JSC::CodeBlock::callLinkInfosEnd): Deleted.
9100
9101 2014-03-24 Gabor Rapcsanyi <rgabor@webkit.org>
9102
9103 [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
9104 https://bugs.webkit.org/show_bug.cgi?id=130453
9105
9106 Reviewed by Filip Pizlo.
9107
9108 Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
9109 at sxtw and uxtw instructions.
9110
9111 * offlineasm/arm64.rb:
9112
9113 2014-03-23 Hyowon Kim <hw1008.kim@samsung.com>
9114
9115 Move all EFL typedefs into EflTypedefs.h.
9116 https://bugs.webkit.org/show_bug.cgi?id=130511
9117
9118 Reviewed by Gyuyoung Kim.
9119
9120 * heap/HeapTimer.h: Remove EFL typedefs.
9121
9122 2014-03-23 Filip Pizlo <fpizlo@apple.com>
9123
9124 Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
9125 https://bugs.webkit.org/show_bug.cgi?id=130650
9126 <rdar://problem/16122966>
9127
9128 Reviewed by Michael Saboff.
9129
9130 Previously, it was only in the case of inlining that we would do SetLocal's beyond the
9131 previously established numLocals limit. But then we added generalized op_call_varargs
9132 handling, which results in us emitting SetLocals that didn't previously exist in the
9133 bytecode.
9134
9135 This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.
9136
9137 * dfg/DFGByteCodeParser.cpp:
9138 (JSC::DFG::ByteCodeParser::ensureLocals):
9139 (JSC::DFG::ByteCodeParser::handleInlining):
9140 (JSC::DFG::ByteCodeParser::parseBlock):
9141 (JSC::DFG::ByteCodeParser::parse):
9142 * ftl/FTLOSRExitCompiler.cpp:
9143 (JSC::FTL::compileStub): Make this do alignment correctly.
9144 * runtime/Options.h:
9145 * tests/stress/call-varargs-from-inlined-code.js: Added.
9146 * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
9147
9148 2014-03-22 Filip Pizlo <fpizlo@apple.com>
9149
9150 Unreviewed, adjust sizes for ARM64.
9151
9152 * ftl/FTLInlineCacheSize.cpp:
9153 (JSC::FTL::sizeOfCall):
9154
9155 2014-03-22 Filip Pizlo <fpizlo@apple.com>
9156
9157 Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
9158 https://bugs.webkit.org/show_bug.cgi?id=130649
9159 <rdar://problem/16399949>
9160
9161 Reviewed by Andreas Kling.
9162
9163 * dfg/DFGSpeculativeJIT32_64.cpp:
9164 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
9165 * dfg/DFGSpeculativeJIT64.cpp:
9166 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
9167 * tests/stress/fuzz-bug-16399949.js: Added.
9168 (tryItOut.f):
9169 (tryItOut):
9170
9171 2014-03-22 Filip Pizlo <fpizlo@apple.com>
9172
9173 Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
9174 https://bugs.webkit.org/show_bug.cgi?id=130644
9175
9176 Reviewed by Andreas Kling.
9177
9178 This is conceptually a really simple change but it involves the following:
9179
9180 - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
9181
9182 - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
9183
9184 - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
9185 longer has a vector of slow path counts that shadows the CallLinkInfo vector.
9186
9187 - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
9188 and not all relinking.
9189
9190 This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
9191 the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
9192 with an op_call/op_construct instruction and a machine code return PC within such an
9193 instruction.
9194
9195 * bytecode/CallLinkInfo.h:
9196 (JSC::getCallLinkInfoCodeOrigin):
9197 * bytecode/CallLinkStatus.cpp:
9198 (JSC::CallLinkStatus::computeFor):
9199 (JSC::CallLinkStatus::computeDFGStatuses):
9200 * bytecode/CallLinkStatus.h:
9201 * bytecode/CodeBlock.cpp:
9202 (JSC::CodeBlock::printCallOp):
9203 (JSC::CodeBlock::dumpBytecode):
9204 (JSC::CodeBlock::finalizeUnconditionally):
9205 (JSC::CodeBlock::getCallLinkInfoMap):
9206 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
9207 (JSC::CodeBlock::addCallLinkInfo):
9208 (JSC::CodeBlock::unlinkCalls):
9209 * bytecode/CodeBlock.h:
9210 (JSC::CodeBlock::stubInfoBegin):
9211 (JSC::CodeBlock::stubInfoEnd):
9212 (JSC::CodeBlock::callLinkInfosBegin):
9213 (JSC::CodeBlock::callLinkInfosEnd):
9214 (JSC::CodeBlock::byValInfo):
9215 * dfg/DFGByteCodeParser.cpp:
9216 (JSC::DFG::ByteCodeParser::handleCall):
9217 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
9218 * dfg/DFGJITCode.h:
9219 * dfg/DFGJITCompiler.cpp:
9220 (JSC::DFG::JITCompiler::link):
9221 * dfg/DFGJITCompiler.h:
9222 (JSC::DFG::JITCompiler::addJSCall):
9223 (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
9224 * dfg/DFGOSRExitCompilerCommon.cpp:
9225 (JSC::DFG::reifyInlinedCallFrames):
9226 * dfg/DFGSpeculativeJIT.cpp:
9227 (JSC::DFG::SpeculativeJIT::compile):
9228 * dfg/DFGSpeculativeJIT.h:
9229 * dfg/DFGSpeculativeJIT32_64.cpp:
9230 (JSC::DFG::SpeculativeJIT::emitCall):
9231 * dfg/DFGSpeculativeJIT64.cpp:
9232 (JSC::DFG::SpeculativeJIT::emitCall):
9233 * ftl/FTLCompile.cpp:
9234 (JSC::FTL::fixFunctionBasedOnStackMaps):
9235 * ftl/FTLInlineCacheSize.cpp:
9236 (JSC::FTL::sizeOfCall):
9237 * ftl/FTLJSCall.cpp:
9238 (JSC::FTL::JSCall::JSCall):
9239 (JSC::FTL::JSCall::emit):
9240 (JSC::FTL::JSCall::link):
9241 * ftl/FTLJSCall.h:
9242 * jit/JIT.cpp:
9243 (JSC::JIT::privateCompileMainPass):
9244 (JSC::JIT::privateCompileSlowCases):
9245 (JSC::JIT::privateCompile):
9246 * jit/JIT.h:
9247 * jit/JITCall.cpp:
9248 (JSC::JIT::compileOpCall):
9249 (JSC::JIT::compileOpCallSlowCase):
9250 * jit/JITCall32_64.cpp:
9251 (JSC::JIT::compileOpCall):
9252 (JSC::JIT::compileOpCallSlowCase):
9253 * jit/JITOperations.cpp:
9254 * jit/JITOperations.h:
9255 (JSC::operationLinkFor):
9256 (JSC::operationVirtualFor):
9257 (JSC::operationLinkClosureCallFor):
9258 * jit/Repatch.cpp:
9259 (JSC::linkClosureCall):
9260 * jit/ThunkGenerators.cpp:
9261 (JSC::slowPathFor):
9262 (JSC::virtualForThunkGenerator):
9263 * tests/stress/eval-that-is-not-eval.js: Added.
9264
9265 2014-03-22 Filip Pizlo <fpizlo@apple.com>
9266
9267 Unreviewed, fix misspelled test name.
9268
9269 * tests/stress/constand-folding-osr-exit.js: Removed.
9270 * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
9271
9272 2014-03-22 Andreas Kling <akling@apple.com>
9273
9274 CREATE_DOM_WRAPPER doesn't need the ExecState.
9275 <https://webkit.org/b/130648>
9276
9277 Add a fast path from JSGlobalObject to the VM so we don't have
9278 to dance via the Heap.
9279
9280 Reviewed by Darin Adler.
9281
9282 * runtime/JSGlobalObject.cpp:
9283 (JSC::JSGlobalObject::JSGlobalObject):
9284 * runtime/JSGlobalObject.h:
9285 (JSC::JSGlobalObject::vm):
9286
9287 2014-03-22 Filip Pizlo <fpizlo@apple.com>
9288
9289 Unreviewed, fix FTL build.
9290
9291 * ftl/FTLJITFinalizer.cpp:
9292
9293 2014-03-22 Michael Saboff <msaboff@apple.com>
9294
9295 toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
9296 https://bugs.webkit.org/show_bug.cgi?id=130554
9297
9298 Reviewed by Geoffrey Garen.
9299
9300 Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
9301 Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
9302 happen in finishCreation() so that it will also happen for other derived classes including
9303 JSWorkerGlobalScopeBase.
9304
9305 * API/JSContextRef.cpp:
9306 (JSGlobalContextCreateInGroup):
9307 * jsc.cpp:
9308 (GlobalObject::create):
9309 * API/tests/testapi.c:
9310 (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
9311 the result from JSContextGetGlobalObject() as that will return the proxy.
9312 * runtime/JSGlobalObject.cpp:
9313 (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
9314 we now call setGlobalThis in finishCreation().
9315 * runtime/JSGlobalObject.h:
9316 (JSC::JSGlobalObject::finishCreation):
9317 (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
9318
9319 2014-03-22 Andreas Kling <akling@apple.com>
9320
9321 Fix debug build.
9322
9323 * bytecode/CodeBlock.cpp:
9324 * runtime/Executable.cpp:
9325
9326 2014-03-22 Andreas Kling <akling@apple.com>
9327
9328 Cut down on JSC profiler includes in WebCore & co.
9329 <https://webkit.org/b/130637>
9330
9331 Most of WebKit was pulling in JSC's profiler headers via VM.h.
9332
9333 Reviewed by Darin Adler.
9334
9335 * dfg/DFGDisassembler.cpp:
9336 * dfg/DFGDisassembler.h:
9337 * dfg/DFGJITFinalizer.cpp:
9338 * jsc.cpp:
9339 * runtime/VM.cpp:
9340 * runtime/VM.h:
9341
9342 2014-03-22 Landry Breuil <landry@openbsd.org>
9343
9344 Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
9345 https://bugs.webkit.org/show_bug.cgi?id=129965
9346
9347 Reviewed by Anders Carlsson.
9348
9349 2014-03-21 Mark Lam <mark.lam@apple.com>
9350
9351 Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
9352 <https://webkit.org/b/124508>
9353
9354 Reviewed by Oliver Hunt.
9355
9356 The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
9357 pointer from the BytecodeGenerator's m_localScopes vector, and then it
9358 calls emitPopScopes(). emitPopScopes() may do finally clause handling
9359 which will require the m_localScopes to be cloned so that it can change
9360 the local scopes for the finally block, and then restore it after
9361 handling the finally clause. These modifications of the m_localScopes
9362 vector will result in the LabelScope pointer in BreakNode::emitBytecode()
9363 becoming stale, thereby causing the crash.
9364
9365 The same issue applies to the ContinueNode as well.
9366
9367 The fix is to use the existing LabelScopePtr abstraction instead of raw
9368 LabelScope pointers. The LabelScopePtr is resilient to the underlying
9369 vector re-allocating its backing store.
9370
9371 I also changed the LabelScopePtr constructor that takes a LabelScopeStore
9372 to expect a reference to the owner store instead of a pointer because the
9373 owner store should never be a null pointer.
9374
9375 * bytecompiler/BytecodeGenerator.cpp:
9376 (JSC::BytecodeGenerator::newLabelScope):
9377 (JSC::BytecodeGenerator::breakTarget):
9378 (JSC::BytecodeGenerator::continueTarget):
9379 * bytecompiler/BytecodeGenerator.h:
9380 * bytecompiler/LabelScope.h:
9381 (JSC::LabelScopePtr::LabelScopePtr):
9382 (JSC::LabelScopePtr::operator bool):
9383 (JSC::LabelScopePtr::null):
9384 * bytecompiler/NodesCodegen.cpp:
9385 (JSC::ContinueNode::trivialTarget):
9386 (JSC::ContinueNode::emitBytecode):
9387 (JSC::BreakNode::trivialTarget):
9388 (JSC::BreakNode::emitBytecode):
9389
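Added example (not JavaScriptCore code) modelling the stale-pointer bug the entry above describes: a raw pointer into a std::vector dangles once the vector reallocates, while an owner-plus-index handle in the spirit of LabelScopePtr re-resolves on every access. LabelScope, LabelScopeStore and growPastCapacity are hypothetical stand-ins, not JSC's own definitions.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for a JSC LabelScope: a labelled scope and its nesting depth.
struct LabelScope {
    std::string name;
    int depth;
};

// The owning vector, in the role of BytecodeGenerator's m_localScopes / LabelScopeStore.
using LabelScopeStore = std::vector<LabelScope>;

// Handle in the spirit of LabelScopePtr: it remembers the owner store and an index and
// re-resolves on every access, so a reallocation of the store's backing buffer (which
// is what the finally-clause handling in emitPopScopes() can trigger) cannot leave it
// dangling.
class LabelScopePtr {
public:
    // Takes the owner by reference: a null owner is not representable.
    LabelScopePtr(LabelScopeStore& owner, std::size_t index)
        : m_owner(&owner), m_index(index) {}

    LabelScope& operator*() const { return (*m_owner)[m_index]; }
    LabelScope* operator->() const { return &(*m_owner)[m_index]; }

private:
    LabelScopeStore* m_owner;
    std::size_t m_index;
};

// Models the scope-vector growth described above: pushing past the current capacity
// forces std::vector to move every element to a freshly allocated buffer.
static void growPastCapacity(LabelScopeStore& store) {
    const std::size_t target = store.capacity() + 1;
    while (store.size() < target)
        store.push_back(LabelScope{"finally", 0});
}

struct HandleOutcome {
    bool handleStillValid;   // the LabelScopePtr still resolves to the original scope
    bool rawPointerMoved;    // the element the raw pointer addressed is no longer live there
};

// Compares the two ways of holding on to a scope across a reallocation. Only the
// integer value of the old raw pointer is kept, so nothing stale is dereferenced.
HandleOutcome compareHandles() {
    LabelScopeStore store;
    store.push_back(LabelScope{"outer", 1});

    // What BreakNode::emitBytecode() did: keep a raw pointer into the vector.
    const std::uintptr_t rawBefore = reinterpret_cast<std::uintptr_t>(&store[0]);
    // The fix: keep an owner-plus-index handle instead.
    LabelScopePtr handle(store, 0);

    growPastCapacity(store);   // the backing store reallocates here

    const std::uintptr_t liveNow = reinterpret_cast<std::uintptr_t>(&store[0]);
    return HandleOutcome{
        handle->name == "outer" && handle->depth == 1,
        rawBefore != liveNow
    };
}
```
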
9390 2014-03-21 Mark Hahnenberg <mhahnenberg@apple.com>
9391
9392 6% SunSpider commandline regression due to r165940
9393 https://bugs.webkit.org/show_bug.cgi?id=130617
9394
9395 Reviewed by Michael Saboff.
9396
9397 In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
9398 before. Some of the benchmarks are never running a single EdenCollection, which causes
9399 them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
9400 slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
9401 magnitude more than we normally would.
9402
9403 The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.
9404
9405 * heap/Heap.cpp:
9406 (JSC::Heap::Heap):
9407
9408 2014-03-21 Filip Pizlo <fpizlo@apple.com>
9409
9410 Constants folded by DFG::ByteCodeParser should not be dead.
9411 https://bugs.webkit.org/show_bug.cgi?id=130576
9412
9413 Reviewed by Mark Hahnenberg.
9414
9415 This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
9416 reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
9417 or more folders in LLVM). Doing so has no performance impact since the other constant folders
9418 already subsume this one.
9419
9420 Also added a test case for the specific bug that instigated this.
9421
9422 * dfg/DFGByteCodeParser.cpp:
9423 (JSC::DFG::ByteCodeParser::getJSConstantForValue):
9424 (JSC::DFG::ByteCodeParser::getJSConstant):
9425 (JSC::DFG::ByteCodeParser::inferredConstant):
9426 (JSC::DFG::ByteCodeParser::handleIntrinsic):
9427 (JSC::DFG::ByteCodeParser::parseBlock):
9428 * dfg/DFGNode.h:
9429 * dfg/DFGNodeFlags.h:
9430 * tests/stress/constand-folding-osr-exit.js: Added.
9431 (foo):
9432 (test):
9433 (.var):
9434
9435 2014-03-21 Mark Lam <mark.lam@apple.com>
9436
9437 StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
9438 <https://webkit.org/b/130566>
9439
9440 Reviewed by Filip Pizlo.
9441
9442 * dfg/DFGStackLayoutPhase.cpp:
9443 (JSC::DFG::StackLayoutPhase::run):
9444
9445 2014-03-20 Filip Pizlo <fpizlo@apple.com>
9446
9447 FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
9448 https://bugs.webkit.org/show_bug.cgi?id=130562
9449 <rdar://problem/16382842>
9450
9451 Reviewed by Geoffrey Garen.
9452
9453 * ftl/FTLLowerDFGToLLVM.cpp:
9454 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
9455 * tests/stress/uint32array-unsigned-load.js: Added.
9456 (foo):
9457
9458 2014-03-20 Brian Burg <bburg@apple.com>
9459
9460 Web Inspector: add frontend controller and models for replay sessions
9461 https://bugs.webkit.org/show_bug.cgi?id=130145
9462
9463 Reviewed by Joseph Pecoraro.
9464
9465 * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.
9466
9467 2014-03-20 Filip Pizlo <fpizlo@apple.com>
9468
9469 FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
9470 https://bugs.webkit.org/show_bug.cgi?id=130546
9471 <rdar://problem/16383308>
9472
9473 Reviewed by Mark Hahnenberg.
9474
9475 Make AI do a better job of folding this.
9476
9477 Also made the FTL backend be more tolerant of data representations. In this case it
9478 didn't know that "constant" was a valid representation. There is a finite set of
9479 possible representations, but broadly, we don't write code that presumes anything
9480 about the representation of an input; that's what methods like lowJSValue() are for.
9481 ValueToInt32 was previously not relying on those methods at all because it had some
9482 hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
9483 to lowJSValue().
9484
9485 * dfg/DFGAbstractInterpreterInlines.h:
9486 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
9487 * ftl/FTLLowerDFGToLLVM.cpp:
9488 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
9489 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
9490 * tests/stress/value-to-int32-undefined-constant.js: Added.
9491 (foo):
9492 * tests/stress/value-to-int32-undefined.js: Added.
9493 (foo):
9494
9495 2014-03-20 Mark Hahnenberg <mhahnenberg@apple.com>
9496
9497 Add some assertions back
9498 https://bugs.webkit.org/show_bug.cgi?id=130531
9499
9500 Reviewed by Geoffrey Garen.
9501
9502 We removed a useful set of assertions for verifying that MarkedBlocks were
9503 in the state that we expected them to be in after clearing marks in the Heap.
9504 We should add these back to catch bugs earlier.
9505
9506 * heap/MarkedBlock.h:
9507 * heap/MarkedSpace.cpp:
9508 (JSC::VerifyMarkedOrRetired::operator()):
9509 (JSC::MarkedSpace::clearMarks):
9510
9511 2014-03-20 Filip Pizlo <fpizlo@apple.com>
9512
9513 Implement stackmap header version check and support new stackmap formats
9514 https://bugs.webkit.org/show_bug.cgi?id=130535
9515 <rdar://problem/16164284>
9516
9517 Reviewed by Geoffrey Garen.
9518
9519 Add the notion of versioning so that LLVMers can happily implement new stackmap formats
9520 without worrying about WebKit getting version-locked to LLVM. In the future, we will have
9521 to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
9522 to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
9523 happy to move backward in time to older versions of LLVM.
9524
9525 * ftl/FTLStackMaps.cpp:
9526 (JSC::FTL::readObject):
9527 (JSC::FTL::StackMaps::Constant::parse):
9528 (JSC::FTL::StackMaps::StackSize::parse):
9529 (JSC::FTL::StackMaps::Location::parse):
9530 (JSC::FTL::StackMaps::Record::parse):
9531 (JSC::FTL::StackMaps::parse):
9532 (JSC::FTL::StackMaps::dump):
9533 (JSC::FTL::StackMaps::dumpMultiline):
9534 * ftl/FTLStackMaps.h:
9535
9536 2014-03-20 Filip Pizlo <fpizlo@apple.com>
9537
9538 Crash beneath operationTearOffActivation running this JS compression demo
9539 https://bugs.webkit.org/show_bug.cgi?id=130295
9540 <rdar://problem/16332337>
9541
9542 Reviewed by Oliver Hunt.
9543
9544 Make sure that we flush things as if we were at a terminal, if we are at a block with
9545 no forward edges. This fixes infinitely loopy code with captured variables.
9546
9547 Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
9548
9549 Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
9550 it by itself. Now it's an artifact of CPS rethreading.
9551
9552 Add a bunch of tests. All of them previously either crashed or returned bad output due
9553 to memory corruption.
9554
9555 * bytecode/CodeBlock.cpp:
9556 (JSC::CodeBlock::isCaptured):
9557 * dfg/DFGByteCodeParser.cpp:
9558 (JSC::DFG::ByteCodeParser::flushForTerminal):
9559 (JSC::DFG::ByteCodeParser::flushForReturn):
9560 (JSC::DFG::ByteCodeParser::flushIfTerminal):
9561 (JSC::DFG::ByteCodeParser::branchData):
9562 (JSC::DFG::ByteCodeParser::parseBlock):
9563 * dfg/DFGCFGSimplificationPhase.cpp:
9564 (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
9565 * dfg/DFGCPSRethreadingPhase.cpp:
9566 (JSC::DFG::CPSRethreadingPhase::run):
9567 (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
9568 (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
9569 (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
9570 * dfg/DFGCSEPhase.cpp:
9571 (JSC::DFG::CSEPhase::performNodeCSE):
9572 * dfg/DFGGraph.cpp:
9573 (JSC::DFG::Graph::clearFlagsOnAllNodes):
9574 * dfg/DFGGraph.h:
9575 * dfg/DFGNode.h:
9576 * dfg/DFGNodeFlags.cpp:
9577 (JSC::DFG::dumpNodeFlags):
9578 * dfg/DFGNodeFlags.h:
9579 * dfg/DFGSSAConversionPhase.cpp:
9580 (JSC::DFG::SSAConversionPhase::run):
9581 * tests/stress/activation-test-loop.js: Added.
9582 (Inner.this.doStuff):
9583 (Inner):
9584 (foo.inner.isDone):
9585 (foo):
9586 * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
9587 (bar):
9588 (foo):
9589 (noInline):
9590 * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
9591 (bar):
9592 (foo):
9593 (noInline):
9594 * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
9595 (bar):
9596 (foo):
9597 (noInline):
9598 * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
9599 (bar):
9600 (foo):
9601 (noInline):
9602 * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
9603 (bar):
9604 (foo):
9605 (noInline):
9606 * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
9607 (bar):
9608 (fuzz):
9609 (foo.f):
9610 (foo):
9611 * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
9612 (bar):
9613 (foo.f):
9614 (foo):
9615 * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
9616 (bar):
9617 (foo.f):
9618 (foo):
9619 * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
9620 (bar):
9621 (foo):
9622 (noInline):
9623
9624 2014-03-20 Oliver Hunt <oliver@apple.com>
9625
9626 Incorrect behavior when mutating a typed array during set.
9627 https://bugs.webkit.org/show_bug.cgi?id=130428
9628
9629 Reviewed by Geoffrey Garen.
9630
9631 This fixes a null dereference that occurs if a typed array
9632 is mutated during the set() operation. The patch gets rid
9633 of the "Quickly" version of setIndex that is assigning
9634 JSValues of unknown type, as the numeric conversion can trigger
9635 side effects that lead to neutering, and so we deref null.
9636
9637 * runtime/JSGenericTypedArrayView.h:
9638 (JSC::JSGenericTypedArrayView::setIndex):
9639 * runtime/JSGenericTypedArrayViewInlines.h:
9640 (JSC::JSGenericTypedArrayView<Adaptor>::set):
9641 (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
9642
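Added example (not JavaScriptCore code) modelling the ordering bug the entry above describes: Value, TypedArrayView, setCachingStorage and setRevalidating are hypothetical stand-ins. The point it demonstrates is that a storage pointer or length taken before a conversion that can run script must be re-read after it, because the conversion may neuter the view.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for a JSValue being stored: a plain number, or an object whose
// valueOf() hook runs script (here, an arbitrary callback) during numeric conversion.
struct Value {
    double number = 0;
    std::function<double()> valueOf;   // empty for plain numbers
};

// Hypothetical stand-in for a typed array view over a buffer that script can neuter.
struct TypedArrayView {
    std::unique_ptr<std::vector<std::uint8_t>> storage;   // null once neutered
    void neuter() { storage.reset(); }
};

static double toNumber(const Value& v) {
    return v.valueOf ? v.valueOf() : v.number;   // this is where side effects happen
}

static std::uint8_t toUint8(double d) {
    return static_cast<std::uint8_t>(static_cast<std::int64_t>(d));
}

enum class SetResult { Completed, NeuteredDuringSet, StalePointerHazard };

// The pattern the entry above removes: grab the storage pointer once, then convert and
// write in a single loop. If a conversion neuters the view, the cached pointer is stale
// (null in the real engine). This model reports the hazard instead of dereferencing it.
SetResult setCachingStorage(TypedArrayView& view, const std::vector<Value>& values) {
    std::vector<std::uint8_t>* cached = view.storage.get();
    const std::size_t length = cached ? cached->size() : 0;
    for (std::size_t i = 0; i < values.size() && i < length; ++i) {
        const std::uint8_t byte = toUint8(toNumber(values[i]));   // may run script
        if (view.storage.get() != cached)
            return SetResult::StalePointerHazard;   // real code would have written through it
        (*cached)[i] = byte;
    }
    return SetResult::Completed;
}

// The safe order: convert first, then re-read the storage pointer and bounds, then write.
// Nothing obtained before the conversion is used after it.
SetResult setRevalidating(TypedArrayView& view, const std::vector<Value>& values) {
    for (std::size_t i = 0; i < values.size(); ++i) {
        const std::uint8_t byte = toUint8(toNumber(values[i]));   // may run script
        std::vector<std::uint8_t>* storage = view.storage.get();   // re-fetched afterwards
        if (!storage)
            return SetResult::NeuteredDuringSet;
        if (i >= storage->size())
            break;   // source longer than the view: stop, nothing out of range is touched
        (*storage)[i] = byte;
    }
    return SetResult::Completed;
}

static TypedArrayView makeView(std::size_t length) {
    TypedArrayView view;
    view.storage.reset(new std::vector<std::uint8_t>(length, 0));
    return view;
}

// Constructed source: the second element's valueOf() neuters the target mid-set.
static std::vector<Value> hostileSource(TypedArrayView& target) {
    std::vector<Value> values(3);
    values[0].number = 7;
    values[1].valueOf = [&target]() { target.neuter(); return 9.0; };
    values[2].number = 3;
    return values;
}

struct SetOutcome {
    SetResult cachingResult;
    SetResult revalidatingResult;
    std::vector<std::uint8_t> benignBytes;   // result of a set() with a side-effect-free hook
};

SetOutcome runScenarios() {
    SetOutcome out{};
    TypedArrayView a = makeView(4);
    out.cachingResult = setCachingStorage(a, hostileSource(a));
    TypedArrayView b = makeView(4);
    out.revalidatingResult = setRevalidating(b, hostileSource(b));
    TypedArrayView c = makeView(4);
    std::vector<Value> benign(3);
    benign[0].number = 7;
    benign[1].valueOf = []() { return 9.0; };   // conversion with no side effects
    benign[2].number = 3;
    setRevalidating(c, benign);
    out.benignBytes = *c.storage;
    return out;
}
```
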
9643 2014-03-20 Gavin Barraclough <barraclough@apple.com>
9644
9645 Remove IdentifierTable typedef, isIdentifier()
9646 https://bugs.webkit.org/show_bug.cgi?id=130533
9647
9648 Rubber stamped by Geoff Garen.
9649
9650 Code should use AtomicStringTable, isAtomic() directly.
9651
9652 * API/JSClassRef.cpp:
9653 (OpaqueJSClass::~OpaqueJSClass):
9654 (OpaqueJSClassContextData::OpaqueJSClassContextData):
9655 (OpaqueJSClass::className):
9656 * API/JSClassRef.h:
9657 * bytecode/SpeculatedType.cpp:
9658 (JSC::speculationFromCell):
9659 * bytecompiler/BytecodeGenerator.cpp:
9660 (JSC::BytecodeGenerator::BytecodeGenerator):
9661 * dfg/DFGSpeculativeJIT.cpp:
9662 (JSC::DFG::SpeculativeJIT::compileIn):
9663 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
9664 * ftl/FTLLowerDFGToLLVM.cpp:
9665 (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
9666 * heap/Heap.cpp:
9667 (JSC::Heap::collect):
9668 * interpreter/CallFrame.h:
9669 (JSC::ExecState::atomicStringTable):
9670 * parser/ASTBuilder.h:
9671 (JSC::ASTBuilder::addVar):
9672 * parser/Parser.cpp:
9673 (JSC::Parser<LexerType>::createBindingPattern):
9674 * runtime/Completion.cpp:
9675 (JSC::checkSyntax):
9676 (JSC::evaluate):
9677 * runtime/Identifier.cpp:
9678 (JSC::Identifier::checkCurrentAtomicStringTable):
9679 * runtime/Identifier.h:
9680 (JSC::Identifier::Identifier):
9681 * runtime/IdentifierInlines.h:
9682 (JSC::Identifier::add):
9683 * runtime/JSCJSValue.cpp:
9684 (JSC::JSValue::dumpInContext):
9685 * runtime/JSLock.cpp:
9686 (JSC::JSLock::didAcquireLock):
9687 (JSC::JSLock::willReleaseLock):
9688 (JSC::JSLock::DropAllLocks::DropAllLocks):
9689 (JSC::JSLock::DropAllLocks::~DropAllLocks):
9690 * runtime/JSLock.h:
9691 * runtime/PropertyMapHashTable.h:
9692 (JSC::PropertyTable::find):
9693 (JSC::PropertyTable::get):
9694 (JSC::PropertyTable::findWithString):
9695 * runtime/PropertyName.h:
9696 (JSC::PropertyName::PropertyName):
9697 * runtime/PropertyNameArray.cpp:
9698 (JSC::PropertyNameArray::add):
9699 * runtime/VM.cpp:
9700 (JSC::VM::VM):
9701 (JSC::VM::~VM):
9702 * runtime/VM.h:
9703 (JSC::VM::atomicStringTable):
9704
9705 2014-03-20 Gavin Barraclough <barraclough@apple.com>
9706
9707 Merge AtomicString, Identifier
9708 https://bugs.webkit.org/show_bug.cgi?id=128624
9709
9710 Reviewed by Geoff Garen.
9711
9712 WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
9713 Identifier - that is one too many.
9714
9715 Remove Identifier in favour of AtomicString. Identifier had two interesting
9716 mechanisms that we preserve.
9717
9718 (1) JSC API VMs each get their own string table, switch the string table on
9719 API entry/exit.
9720 (2) JSC caches a pointer to the string table on the VM to avoid a thread
9721 specific access. Adds a new AtomicString::add method to support this.
9722
9723 * API/JSAPIWrapperObject.mm:
9724 - updated includes.
9725 * JavaScriptCore.xcodeproj/project.pbxproj:
9726 - added IdentifierInlines.h.
9727 * inspector/JSInjectedScriptHostPrototype.cpp:
9728 * inspector/JSJavaScriptCallFramePrototype.cpp:
9729 - updated includes.
9730 * interpreter/CallFrame.h:
9731 (JSC::ExecState::atomicStringTable):
9732 - added, used via AtomicString::add to avoid thread-specific access.
9733 * runtime/ConsolePrototype.cpp:
9734 - updated includes.
9735 * runtime/Identifier.cpp:
9736 (JSC::Identifier::add):
9737 (JSC::Identifier::add8):
9738 - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
9739 * runtime/Identifier.h:
9740 (JSC::Identifier::Identifier):
9741 - added ASSERTS.
9742 (JSC::Identifier::add):
9743 - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
9744 * runtime/IdentifierInlines.h: Added.
9745 (JSC::Identifier::add):
9746 - moved from Identifier.h, use AtomicString::add.
9747 * runtime/JSCInlines.h:
9748 - added IdentifierInlines.h.
9749 * runtime/JSLock.h:
9750 - removed IdentifierTable.
9751 * runtime/PropertyNameArray.cpp:
9752 - updated includes.
9753 * runtime/SmallStrings.cpp:
9754 (JSC::SmallStringsStorage::SmallStringsStorage):
9755 - ensure all single character strings are Atomic.
9756 * runtime/VM.cpp:
9757 (JSC::VM::VM):
9758 - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
9759 * runtime/VM.h:
9760 (JSC::VM::atomicStringTable):
9761 - added, used via AtomicString::add to avoid thread-specific access.
9762
9763 2014-03-20 Gabor Rapcsanyi <rgabor@webkit.org>
9764
9765 [ARM64] Fix assembler build issues and add cacheFlush support for Linux
9766 https://bugs.webkit.org/show_bug.cgi?id=130502
9767
9768 Reviewed by Michael Saboff.
9769
9770 Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
9771 because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
9772 Add cacheFlush support for Linux.
9773
9774 * assembler/ARM64Assembler.h:
9775 (JSC::ARM64Assembler::linuxPageFlush):
9776 (JSC::ARM64Assembler::cacheFlush):
9777 * assembler/MacroAssemblerARM64.h:
9778 (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):
9779
9780 2014-03-19 Gavin Barraclough <barraclough@apple.com>
9781
9782 https://bugs.webkit.org/show_bug.cgi?id=130494
9783 EmptyUnique strings are Identifiers/Atomic
9784
9785 Reviewed by Geoff Garen.
9786
9787 EmptyUnique strings should set the Identifier/Atomic flag.
9788
9789 This fixes an unreproducible bug we believe exists in Identifier handling.
9790 Expected behaviour is that while Identifiers may reference EmptyUniques
9791 (StringImpls allocated as UIDs for PrivateNames), these are not created
9792 through the main Identifier constructor, the Identifier flag is not set
9793 on PrivateNames, and we should never lookup EmptyUnique strings in the
9794 IdentifierTable.
9795
9796 Unfortunately that was happening. Some tables used to implement property
9797 access in the JIT hold StringImpl*s, and turn these back into Identifiers
9798 using the identifier constructor. Since the code generator will now plant
9799 by-id (cachable) accesses to PrivateNames we can end up passing an
9800 EmptyUnique to Identifier::add, potentially leading to PrivateNames being
9801 uniqued together (though hard to prove, since the hash codes are random).
9802
9803 * runtime/PropertyName.h:
9804 (JSC::PropertyName::PropertyName):
9805 (JSC::PropertyName::uid):
9806 (JSC::PropertyName::publicName):
9807 (JSC::PropertyName::asIndex):
9808 - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
9809 * runtime/Structure.cpp:
9810 (JSC::Structure::getPropertyNamesFromStructure):
9811 - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
9812
9813 2014-03-19 Filip Pizlo <fpizlo@apple.com>
9814
9815 Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.
9816
9817 * dfg/DFGCommon.h:
9818
9819 2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
9820
9821 GC timer should intelligently choose between EdenCollections and FullCollections
9822 https://bugs.webkit.org/show_bug.cgi?id=128261
9823
9824 Reviewed by Geoffrey Garen.
9825
9826 Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
9827 always does FullCollections. To reduce the impact of the GC timer on the system this patch
9828 changes Heap so that it has two timers, one for each type of collection. The FullCollection
9829 timer is notified at the end of EdenCollections how much the Heap has grown since the last
9830 FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
9831 be detected by an EdenCollection).
9832
9833 * CMakeLists.txt:
9834 * GNUmakefile.list.am:
9835 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9836 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
9837 * JavaScriptCore.xcodeproj/project.pbxproj:
9838 * heap/EdenGCActivityCallback.cpp: Added.
9839 (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
9840 (JSC::EdenGCActivityCallback::doCollection):
9841 (JSC::EdenGCActivityCallback::lastGCLength):
9842 (JSC::EdenGCActivityCallback::deathRate):
9843 (JSC::EdenGCActivityCallback::gcTimeSlice):
9844 * heap/EdenGCActivityCallback.h: Added.
9845 (JSC::GCActivityCallback::createEdenTimer):
9846 * heap/FullGCActivityCallback.cpp: Added.
9847 (JSC::FullGCActivityCallback::FullGCActivityCallback):
9848 (JSC::FullGCActivityCallback::doCollection):
9849 (JSC::FullGCActivityCallback::lastGCLength):
9850 (JSC::FullGCActivityCallback::deathRate):
9851 (JSC::FullGCActivityCallback::gcTimeSlice):
9852 * heap/FullGCActivityCallback.h: Added.
9853 (JSC::GCActivityCallback::createFullTimer):
9854 * heap/GCActivityCallback.cpp:
9855 (JSC::GCActivityCallback::GCActivityCallback):
9856 (JSC::GCActivityCallback::doWork):
9857 (JSC::GCActivityCallback::scheduleTimer):
9858 (JSC::GCActivityCallback::cancelTimer):
9859 (JSC::GCActivityCallback::didAllocate):
9860 (JSC::GCActivityCallback::willCollect):
9861 (JSC::GCActivityCallback::cancel):
9862 * heap/GCActivityCallback.h:
9863 * heap/Heap.cpp:
9864 (JSC::Heap::Heap):
9865 (JSC::Heap::reportAbandonedObjectGraph):
9866 (JSC::Heap::didAbandon):
9867 (JSC::Heap::collectAllGarbage):
9868 (JSC::Heap::collect):
9869 (JSC::Heap::willStartCollection):
9870 (JSC::Heap::updateAllocationLimits):
9871 (JSC::Heap::didFinishCollection):
9872 (JSC::Heap::setFullActivityCallback):
9873 (JSC::Heap::setEdenActivityCallback):
9874 (JSC::Heap::fullActivityCallback):
9875 (JSC::Heap::edenActivityCallback):
9876 (JSC::Heap::setGarbageCollectionTimerEnabled):
9877 (JSC::Heap::didAllocate):
9878 (JSC::Heap::shouldDoFullCollection):
9879 * heap/Heap.h:
9880 (JSC::Heap::lastFullGCLength):
9881 (JSC::Heap::lastEdenGCLength):
9882 (JSC::Heap::increaseLastFullGCLength):
9883 (JSC::Heap::sizeBeforeLastEdenCollection):
9884 (JSC::Heap::sizeAfterLastEdenCollection):
9885 (JSC::Heap::sizeBeforeLastFullCollection):
9886 (JSC::Heap::sizeAfterLastFullCollection):
9887 * heap/HeapOperation.h:
9888 * heap/HeapStatistics.cpp:
9889 (JSC::HeapStatistics::showObjectStatistics):
9890 * heap/HeapTimer.cpp:
9891 (JSC::HeapTimer::timerDidFire):
9892 * jsc.cpp:
9893 (functionFullGC):
9894 (functionEdenGC):
9895 * runtime/Options.h:
9896
98972014-03-19 Commit Queue <commit-queue@webkit.org>
9898
9899 Unreviewed, rolling out r165926.
9900 https://bugs.webkit.org/show_bug.cgi?id=130488
9901
9902 broke the iOS build (Requested by estes on #webkit).
9903
9904 Reverted changeset:
9905
9906 "GC timer should intelligently choose between EdenCollections
9907 and FullCollections"
9908 https://bugs.webkit.org/show_bug.cgi?id=128261
9909 http://trac.webkit.org/changeset/165926
9910
99112014-03-13 Mark Hahnenberg <mhahnenberg@apple.com>
9912
9913 GC timer should intelligently choose between EdenCollections and FullCollections
9914 https://bugs.webkit.org/show_bug.cgi?id=128261
9915
9916 Reviewed by Geoffrey Garen.
9917
9918 Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
9919 always does FullCollections. To reduce the impact of the GC timer on the system this patch
9920 changes Heap so that it has two timers, one for each type of collection. The FullCollection
9921 timer is notified at the end of EdenCollections how much the Heap has grown since the last
9922 FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
9923 detected by an EdenCollection).
9924
9925 * heap/GCActivityCallback.cpp:
9926 (JSC::GCActivityCallback::GCActivityCallback):
9927 (JSC::GCActivityCallback::doWork):
9928 (JSC::FullGCActivityCallback::FullGCActivityCallback):
9929 (JSC::FullGCActivityCallback::doCollection):
9930 (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
9931 (JSC::EdenGCActivityCallback::doCollection):
9932 (JSC::GCActivityCallback::scheduleTimer):
9933 (JSC::GCActivityCallback::cancelTimer):
9934 (JSC::GCActivityCallback::didAllocate):
9935 (JSC::GCActivityCallback::willCollect):
9936 (JSC::GCActivityCallback::cancel):
9937 * heap/GCActivityCallback.h:
9938 (JSC::GCActivityCallback::GCActivityCallback):
9939 (JSC::GCActivityCallback::createFullTimer):
9940 (JSC::GCActivityCallback::createEdenTimer):
9941 * heap/Heap.cpp:
9942 (JSC::Heap::Heap):
9943 (JSC::Heap::didAbandon):
9944 (JSC::Heap::willStartCollection):
9945 (JSC::Heap::updateAllocationLimits):
9946 (JSC::Heap::setFullActivityCallback):
9947 (JSC::Heap::setEdenActivityCallback):
9948 (JSC::Heap::fullActivityCallback):
9949 (JSC::Heap::edenActivityCallback):
9950 (JSC::Heap::setGarbageCollectionTimerEnabled):
9951 (JSC::Heap::didAllocate):
9952 * heap/Heap.h:
9953 * heap/HeapTimer.cpp:
9954 (JSC::HeapTimer::timerDidFire):
9955
99562014-03-19 Filip Pizlo <fpizlo@apple.com>
9957
9958 REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
9959 https://bugs.webkit.org/show_bug.cgi?id=130134
9960
9961 Reviewed by Mark Hahnenberg.
9962
9963 * dfg/DFGFixupPhase.cpp:
9964 (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
9965 * dfg/DFGSpeculativeJIT32_64.cpp:
9966 (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
9967 (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
9968 * jit/JITInlineCacheGenerator.cpp:
9969 (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
9970 * jit/JITInlineCacheGenerator.h:
9971 * jit/Repatch.cpp:
9972 (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
9973
99742014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
9975
9976 Normalize some of the older JSC options
9977 https://bugs.webkit.org/show_bug.cgi?id=128753
9978
9979 Reviewed by Michael Saboff.
9980
9981 * runtime/Options.cpp:
9982 (JSC::Options::initialize):
9983
99842014-03-12 Mark Lam <mark.lam@apple.com>
9985
9986 Update type of local vars to match the type of String length.
9987 <https://webkit.org/b/130077>
9988
9989 Reviewed by Geoffrey Garen.
9990
9991 * runtime/JSStringJoiner.cpp:
9992 (JSC::JSStringJoiner::join):
9993
99942014-03-18 Filip Pizlo <fpizlo@apple.com>
9995
9996 Get rid of Flush in SSA
9997 https://bugs.webkit.org/show_bug.cgi?id=130440
9998
9999 Reviewed by Sam Weinig.
10000
10001 This is basically a red patch. We used to use backwards flow for determining what was
10002 flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
10003 accomplish anything. Keeping them around in SSA can only make things hard.
10004
10005 * CMakeLists.txt:
10006 * GNUmakefile.list.am:
10007 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10008 * JavaScriptCore.xcodeproj/project.pbxproj:
10009 * dfg/DFGBasicBlock.cpp:
10010 (JSC::DFG::BasicBlock::SSAData::SSAData):
10011 * dfg/DFGBasicBlock.h:
10012 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
10013 * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
10014 * dfg/DFGGraph.cpp:
10015 (JSC::DFG::Graph::dump):
10016 * dfg/DFGPlan.cpp:
10017 (JSC::DFG::Plan::compileInThreadImpl):
10018 * dfg/DFGSSAConversionPhase.cpp:
10019 (JSC::DFG::SSAConversionPhase::run):
10020 * ftl/FTLLowerDFGToLLVM.cpp:
10021 (JSC::FTL::LowerDFGToLLVM::compileNode):
10022
100232014-03-18 Filip Pizlo <fpizlo@apple.com>
10024
10025 Unreviewed, fix iOS production build.
10026
10027 * JavaScriptCore.xcodeproj/project.pbxproj:
10028
100292014-03-18 Michael Saboff <msaboff@apple.com>
10030
10031 Update RegExp Tracing code
10032 https://bugs.webkit.org/show_bug.cgi?id=130381
10033
10034 Reviewed by Andreas Kling.
10035
10036 Updated the regular expression tracing code for 8/16 bit JIT as
10037 well as match only entry points. Also added average string length
10038 metric.
10039
10040 * runtime/RegExp.cpp:
10041 (JSC::RegExp::RegExp):
10042 (JSC::RegExp::match):
10043 (JSC::RegExp::printTraceData):
10044 * runtime/RegExp.h:
10045 * runtime/VM.cpp:
10046 (JSC::VM::addRegExpToTrace):
10047 (JSC::VM::dumpRegExpTrace):
10048 * runtime/VM.h:
10049 * yarr/YarrJIT.h:
10050 (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
10051 (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
10052 (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
10053 (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
10054
100552014-03-17 Filip Pizlo <fpizlo@apple.com>
10056
10057 Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
10058 https://bugs.webkit.org/show_bug.cgi?id=130300
10059
10060 Reviewed by Mark Hahnenberg.
10061
10062 We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
10063 This makes the DFG aware of this.
10064
10065 Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
10066 the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
10067
10068 This also gives the DFG some abstractions for checking something is a cell or is other.
10069 This made this patch easier to write and also simplified a bunch of other stuff.
10070
10071 1% speed-up on Octane.
10072
10073 * assembler/AbstractMacroAssembler.h:
10074 (JSC::AbstractMacroAssembler::JumpList::JumpList):
10075 * bytecode/SpeculatedType.h:
10076 (JSC::isNotStringVarSpeculation):
10077 * dfg/DFGFixupPhase.cpp:
10078 (JSC::DFG::FixupPhase::fixupNode):
10079 * dfg/DFGNode.h:
10080 (JSC::DFG::Node::childFor):
10081 (JSC::DFG::Node::shouldSpeculateNotStringVar):
10082 * dfg/DFGSafeToExecute.h:
10083 (JSC::DFG::SafeToExecuteEdge::operator()):
10084 * dfg/DFGSpeculativeJIT.cpp:
10085 (JSC::DFG::SpeculativeJIT::compileIn):
10086 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
10087 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
10088 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
10089 (JSC::DFG::SpeculativeJIT::compileStrictEq):
10090 (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
10091 (JSC::DFG::SpeculativeJIT::compileStringEquality):
10092 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
10093 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
10094 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
10095 (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
10096 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
10097 (JSC::DFG::SpeculativeJIT::speculateString):
10098 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
10099 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
10100 (JSC::DFG::SpeculativeJIT::speculateNotCell):
10101 (JSC::DFG::SpeculativeJIT::speculateOther):
10102 (JSC::DFG::SpeculativeJIT::speculate):
10103 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
10104 (JSC::DFG::SpeculativeJIT::emitSwitchString):
10105 * dfg/DFGSpeculativeJIT.h:
10106 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
10107 (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
10108 (JSC::DFG::SpeculativeJIT::booleanResult):
10109 * dfg/DFGSpeculativeJIT32_64.cpp:
10110 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10111 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10112 (JSC::DFG::SpeculativeJIT::emitCall):
10113 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10114 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10115 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10116 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10117 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10118 (JSC::DFG::SpeculativeJIT::compile):
10119 (JSC::DFG::branchIsCell):
10120 (JSC::DFG::branchNotCell):
10121 (JSC::DFG::SpeculativeJIT::branchIsOther):
10122 (JSC::DFG::SpeculativeJIT::branchNotOther):
10123 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10124 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10125 (JSC::DFG::SpeculativeJIT::blessBoolean):
10126 * dfg/DFGSpeculativeJIT64.cpp:
10127 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10128 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10129 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10130 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10131 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10132 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10133 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10134 (JSC::DFG::SpeculativeJIT::compile):
10135 (JSC::DFG::SpeculativeJIT::writeBarrier):
10136 (JSC::DFG::SpeculativeJIT::branchIsCell):
10137 (JSC::DFG::SpeculativeJIT::branchNotCell):
10138 (JSC::DFG::SpeculativeJIT::branchIsOther):
10139 (JSC::DFG::SpeculativeJIT::branchNotOther):
10140 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10141 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10142 (JSC::DFG::SpeculativeJIT::blessBoolean):
10143 * dfg/DFGUseKind.cpp:
10144 (WTF::printInternal):
10145 * dfg/DFGUseKind.h:
10146 (JSC::DFG::typeFilterFor):
10147 * ftl/FTLCapabilities.cpp:
10148 (JSC::FTL::canCompile):
10149 * ftl/FTLLowerDFGToLLVM.cpp:
10150 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
10151 (JSC::FTL::LowerDFGToLLVM::lowString):
10152 (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
10153 (JSC::FTL::LowerDFGToLLVM::speculate):
10154 (JSC::FTL::LowerDFGToLLVM::speculateString):
10155 (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
10156 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
10157 * runtime/JSCJSValue.h:
10158 * tests/stress/string-ident-to-not-string-var-equality.js: Added.
10159 (foo):
10160 (bar):
10161 (test):
10162
101632014-03-18 Joseph Pecoraro <pecoraro@apple.com>
10164
10165 Add Copyright to framework.sb
10166 https://bugs.webkit.org/show_bug.cgi?id=130413
10167
10168 Reviewed by Timothy Hatcher.
10169
10170 Other sb files got the copyright. Follow suit.
10171
10172 * framework.sb:
10173
101742014-03-18 Matthew Mirman <mmirman@apple.com>
10175
10176 Removed extra parens from if statement in a preprocessor define.
10177 https://bugs.webkit.org/show_bug.cgi?id=130408
10178
10179 Reviewed by Filip Pizlo.
10180
10181 * parser/Parser.cpp:
10182
101832014-03-18 Filip Pizlo <fpizlo@apple.com>
10184
10185 More FTL enabling.
10186
10187 Rubber stamped by Dan Bernstein and Mark Hahnenberg.
10188
10189 * Configurations/FeatureDefines.xcconfig:
10190 * ftl/FTLCompile.cpp:
10191 (JSC::FTL::compile):
10192
101932014-03-17 Michael Saboff <msaboff@apple.com>
10194
10195 V8 regexp spends most of its time in operationGetById
10196 https://bugs.webkit.org/show_bug.cgi?id=130380
10197
10198 Reviewed by Filip Pizlo.
10199
10200 Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
10201 When V8 regexp is run from the command line, this nets a 2% performance improvement.
10202 When the test is run for a longer amount of time, there is much less benefit as the
10203 DFG will emit the appropriate code for String.length. This does remove
10204 operationGetById as the hottest function when run from the command line.
10205
10206 * jit/Repatch.cpp:
10207 (JSC::tryCacheGetByID):
10208
102092014-03-17 Andreas Kling <akling@apple.com>
10210
10211 Add one-deep cache to opaque roots hashset.
10212 <https://webkit.org/b/130357>
10213
10214 The vast majority of WebCore JS wrappers will have their Document*
10215 as the root(). This change adds a simple optimization where we cache
10216 the last lookup and avoid going to the hashset for repeated queries.
10217
10218 Looks like 0.4% progression on DYEB on my MBP.
10219
10220 Reviewed by Mark Hahnenberg.
10221
10222 * JavaScriptCore.xcodeproj/project.pbxproj:
10223 * heap/OpaqueRootSet.h: Added.
10224 (JSC::OpaqueRootSet::OpaqueRootSet):
10225 (JSC::OpaqueRootSet::contains):
10226 (JSC::OpaqueRootSet::isEmpty):
10227 (JSC::OpaqueRootSet::clear):
10228 (JSC::OpaqueRootSet::add):
10229 (JSC::OpaqueRootSet::size):
10230 (JSC::OpaqueRootSet::begin):
10231 (JSC::OpaqueRootSet::end):
10232 * heap/SlotVisitor.h:
10233
102342014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
10235
10236 Implement Math.hypot
10237 https://bugs.webkit.org/show_bug.cgi?id=129486
10238
10239 Reviewed by Darin Adler.
10240
10241 * runtime/MathObject.cpp:
10242 (JSC::MathObject::finishCreation):
10243 (JSC::mathProtoFuncHypot):
10244
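The entry above only names the files touched. As an added illustration (not JavaScriptCore code and not the patch itself), the following reference `hypot` spells out what the ECMAScript algorithm requires an implementation to get right: arguments are coerced first, any infinity wins over NaN, NaN wins over finite values, and the sum of squares is scaled so that large inputs do not overflow. It is checked against the engine's own `Math.hypot` on constructed inputs; the helper names are this example's own.

```javascript
// Added example (not JavaScriptCore code): a reference hypot that follows
// the ECMAScript algorithm order (Infinity beats NaN, then NaN, then the
// scaled sum of squares so large inputs do not overflow), checked against
// the engine's own Math.hypot.

function refHypot(...args) {
  const xs = args.map(Number);            // ToNumber on each argument first
  if (xs.some(x => x === Infinity || x === -Infinity)) return Infinity;
  if (xs.some(x => Number.isNaN(x))) return NaN;
  const max = xs.reduce((m, x) => Math.max(m, Math.abs(x)), 0);
  if (max === 0) return 0;                // covers hypot() and hypot(-0) => +0
  let sum = 0;
  for (const x of xs) {
    const r = x / max;                    // |r| <= 1, so r * r cannot overflow
    sum += r * r;
  }
  return max * Math.sqrt(sum);
}

// Relative comparison: the scaled form may differ from the engine by an ulp.
function agrees(a, b) {
  if (Number.isNaN(a) || Number.isNaN(b)) return Number.isNaN(a) && Number.isNaN(b);
  if (!Number.isFinite(a) || !Number.isFinite(b)) return a === b;
  return Math.abs(a - b) <= Math.abs(b) * 1e-15;
}

// Constructed inputs covering the edge cases the spec singles out.
const hypotCases = [
  [], [-0], [3, 4], [5, 12], ['3', '4'],
  [1e200, 1e200],                         // overflows if squared naively
  [NaN, Infinity], [-Infinity, NaN], [NaN, 1], [Infinity],
];

// Returns one boolean per case: does refHypot agree with Math.hypot?
function compareAll() {
  return hypotCases.map(c => agrees(refHypot(...c), Math.hypot(...c)));
}
```

`compareAll()` returns an array of `true` values on a conforming engine; a `false` at the `[1e200, 1e200]` position would indicate a naive `sqrt(x*x + y*y)` implementation, and a `false` at `[NaN, Infinity]` an implementation that checks NaN before infinity.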
102452014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>
10246
10247 Fix the !ENABLE(PROMISES) build
10248 https://bugs.webkit.org/show_bug.cgi?id=130328
10249
10250 Reviewed by Darin Adler.
10251
10252 Add missing ENABLE(PROMISES) guards.
10253
10254 * runtime/JSGlobalObject.cpp:
10255 (JSC::JSGlobalObject::reset):
10256 (JSC::JSGlobalObject::visitChildren):
10257 * runtime/JSGlobalObject.h:
10258 * runtime/JSPromiseDeferred.cpp:
10259 * runtime/JSPromiseDeferred.h:
10260 * runtime/JSPromiseReaction.cpp:
10261 * runtime/JSPromiseReaction.h:
10262 * runtime/VM.cpp:
10263 (JSC::VM::VM):
10264 * runtime/VM.h:
10265
102662014-03-16 Andreas Kling <akling@apple.com>
10267
10268 REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
10269 <https://webkit.org/b/130304>
10270
10271 Reviewed by Anders Carlsson.
10272
10273 Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
10274 that doesn't put a potentially unwanted string into the Identifier table.
10275
10276 * API/OpaqueJSString.cpp:
10277 (OpaqueJSString::identifier):
10278
102792014-03-16 Brian Burg <bburg@apple.com>
10280
10281 Web Inspector: generated backend commands should reflect build system ENABLE settings
10282 https://bugs.webkit.org/show_bug.cgi?id=130111
10283
10284 Reviewed by Timothy Hatcher.
10285
10286 * CMakeLists.txt:
10287
10288 Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
10289 instead of globbing any .json file.
10290
10291 * DerivedSources.make:
10292
10293 Force the combined inspector protocol file to be regenerated if
10294 the content or list of domains itself changes.
10295
102962014-03-16 Brian Burg <bburg@apple.com>
10297
10298 Web Inspector: vended backend commands file should be generated as part of the build
10299 https://bugs.webkit.org/show_bug.cgi?id=130110
10300
10301 Reviewed by Timothy Hatcher.
10302
10303 * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
10304 private headers directory.
10305
103062014-03-16 Darin Adler <darin@apple.com>
10307
10308 Remove all uses of deprecatedCharacters from JavaScriptCore
10309 https://bugs.webkit.org/show_bug.cgi?id=130304
10310
10311 Reviewed by Anders Carlsson.
10312
10313 * API/JSValueRef.cpp:
10314 (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
10315 * API/OpaqueJSString.cpp:
10316 (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
10317 (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
10318 just use the standard one that takes a String.
10319 (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
10320 hand-written alternative.
10321
10322 * bindings/ScriptValue.cpp:
10323 (Deprecated::jsToInspectorValue): Create InspectorString from String directly
10324 instead of involving a character pointer. Use the String from Identifier
10325 directly instead of making a new String.
10326
10327 * inspector/ContentSearchUtilities.cpp:
10328 (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
10329 instead of building a String a character at a time. This is still a very slow
10330 way to do this. Also use strchr to search for a character instead of building
10331 a String every time just to use find on it.
10332
10333 * inspector/InspectorValues.cpp:
10334 (Inspector::doubleQuoteString): Remove unnecessary trip through a
10335 character pointer. This is still a really slow way to do this.
10336 (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
10337 instead of String::deprecatedCharacters. Still slow to always upconvert.
10338
10339 * runtime/DateConstructor.cpp: Removed unneeded include.
10340 * runtime/DatePrototype.cpp: Ditto.
10341
10342 * runtime/Identifier.h: Removed deprecatedCharacters function.
10343
10344 * runtime/JSGlobalObjectFunctions.cpp:
10345 (JSC::encode): Added a type cast to avoid ambiguity with the two character-
10346 appending functions from JSStringBuilder. Removed unneeded code duplicating
10347 what JSStringBuilder already does in its character append function.
10348 (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
10349 (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
10350 is used outside this file have external linkage. Added a new overload that takes
10351 a StringView.
10352 (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
10353 (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
10354 single character.
10355
10356 * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
10357
10358 * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
10359 (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
10360 Made one overload private. Fixed a performance bug where we would reserve capacity
10361 in the 8-bit buffer but then append to the 16-bit buffer.
10362
10363 * runtime/ObjectPrototype.cpp: Removed unneeded include.
10364
10365 * runtime/StringPrototype.cpp:
10366 (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
10367 (JSC::stringProtoFuncLink): Ditto.
10368
103692014-03-15 Filip Pizlo <fpizlo@apple.com>
10370
10371 FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
10372 https://bugs.webkit.org/show_bug.cgi?id=130296
10373
10374 Reviewed by Andreas Kling.
10375
10376 During the 32-bit structure ID work, the second load of the structure was removed.
10377 That's wrong. The whole point of loading the structure ID again is that the structure
10378 ID would have been changed by the arrayification call, and we're verifying that the
10379 arrayification succeeded in changing the structure. If we check the old structure - as
10380 the code was doing after the 32-bit structure ID work - then this check is guaranteed
10381 to fail, causing a significant performance regression.
10382
10383 It's actually amazing that the regression wasn't bigger. The reason is that if FTL
10384 code pathologically exits but the equivalent DFG code doesn't, then the exponential
10385 backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
10386 the time at least, the DFG wasn't much slower so this didn't cause too much pain.
10387
10388 * ftl/FTLLowerDFGToLLVM.cpp:
10389 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
10390
103912014-03-15 Filip Pizlo <fpizlo@apple.com>
10392
10393 FTL should support CheckHasInstance/InstanceOf
10394 https://bugs.webkit.org/show_bug.cgi?id=130285
10395
10396 Reviewed by Sam Weinig.
10397
10398 Fairly straightforward; I also discovered an inaccurate FIXME in the process.
10399
10400 * dfg/DFGFixupPhase.cpp:
10401 (JSC::DFG::FixupPhase::fixupNode):
10402 * ftl/FTLAbstractHeapRepository.h:
10403 * ftl/FTLCapabilities.cpp:
10404 (JSC::FTL::canCompile):
10405 * ftl/FTLLowerDFGToLLVM.cpp:
10406 (JSC::FTL::LowerDFGToLLVM::compileNode):
10407 (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
10408 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
10409 * ftl/FTLOutput.h:
10410 (JSC::FTL::Output::phi):
10411 * tests/stress/instanceof.js: Added.
10412 * tests/stress/instanceof-not-cell.js: Added.
10413
104142014-03-15 Michael Saboff <msaboff@apple.com>
10415
10416 It should be possible to adjust DFG and FTL compiler thread priorities
10417 https://bugs.webkit.org/show_bug.cgi?id=130288
10418
10419 Reviewed by Filip Pizlo.
10420
10421 Added ability to change thread priorities relative to their current priority.
10422 Created options to adjust the priority of the DFG and FTL compilation work thread
10423 pools. For two core systems, there might be three runnable threads, the main thread,
10424 the DFG compilation thread and the FTL compilation thread. With the same priority,
10425 the scheduler is free to schedule whatever thread it wants. By lowering the
10426 compilation threads, the main thread can run. Further tests may suggest better values
10427 for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
10428
10429 For a two-core device, this change has a net positive improvement of 1-3% across
10430 SunSpider, Octane, Kraken and AsmBench.
10431
10432 * dfg/DFGWorklist.cpp:
10433 (JSC::DFG::Worklist::finishCreation):
10434 (JSC::DFG::Worklist::create):
10435 (JSC::DFG::ensureGlobalDFGWorklist):
10436 (JSC::DFG::ensureGlobalFTLWorklist):
10437 * dfg/DFGWorklist.h:
10438 * runtime/Options.cpp:
10439 (JSC::computePriorityDeltaOfWorkerThreads):
10440 * runtime/Options.h:
10441
104422014-03-15 David Kilzer <ddkilzer@apple.com>
10443
10444 [iOS] Define SYSTEM_VERSION_PREFIX consistently
10445 <http://webkit.org/b/130293>
10446 <rdar://problem/15926359>
10447
10448 Reviewed by Dan Bernstein.
10449
10450 * Configurations/Version.xcconfig:
10451 (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
10452 Source/WebKit/mac/Version.xcconfig.
10453
104542014-03-15 David Kilzer <ddkilzer@apple.com>
10455
10456 Fix build: using integer absolute value function 'abs' when argument is of floating point type
10457 <http://webkit.org/b/130286>
10458
10459 Reviewed by Filip Pizlo.
10460
10461 Fixes the following build failure using trunk clang:
10462
10463 JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
10464 value = abs(value);
10465 ^
10466 JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
10467 value = abs(value);
10468 ^~~
10469 fabs
10470
10471 * assembler/MacroAssembler.h:
10472 (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
10473 fabs().
10474
104752014-03-14 Oliver Hunt <oliver@apple.com>
10476
10477 Reinstate initialiser syntax in for-in loops
10478 https://bugs.webkit.org/show_bug.cgi?id=130269
10479
10480 Reviewed by Michael Saboff.
10481
10482 Disallowing the initialiser broke some sites so this patch re-allows
10483 the syntax. We still disallow the syntax in 'of' and pattern based
10484 enumeration.
10485
10486 * parser/ASTBuilder.h:
10487 (JSC::ASTBuilder::isBindingNode):
10488 * parser/Parser.cpp:
10489 (JSC::Parser<LexerType>::parseVarDeclarationList):
10490 (JSC::Parser<LexerType>::parseForStatement):
10491 * parser/SyntaxChecker.h:
10492 (JSC::SyntaxChecker::operatorStackPop):
10493
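A quick way to check which of the loop heads named in the entry above an engine accepts is to hand each snippet to the `Function` constructor, which parses without executing. The probe below is an added example, not JavaScriptCore code or its test suite; the snippets are constructed here, and the expected outcomes assume an engine that implements the Annex B rule (the `var identifier = init in` form is accepted only in sloppy mode, while `for-of`, lexical declarations and destructuring patterns reject an initialiser).

```javascript
// Added example (not JavaScriptCore code): probe which for-in / for-of
// heads with an initializer an engine accepts, by asking it to parse
// each snippet. Function bodies are sloppy-mode unless they opt in, so
// the "use strict" variant shows the strict-mode rule as well.

function parses(src) {
  try {
    new Function(src);                    // compiles the body, never runs it
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;                              // anything else is a bug in the probe
  }
}

// Constructed snippets, keyed by what each one exercises.
const loopHeads = {
  varIdentifierIn:       'for (var i = 0 in {}) {}',                 // Annex B legacy form
  varIdentifierInStrict: '"use strict"; for (var i = 0 in {}) {}',  // rejected in strict code
  letIn:                 'for (let i = 0 in {}) {}',                 // lexical declaration
  patternIn:             'for (var [a] = [] in {}) {}',              // destructuring pattern
  varIdentifierOf:       'for (var i = 0 of []) {}',                 // for-of never allows it
  plainIn:               'for (var i in {}) {}',                     // control: always valid
};

// Returns { snippetName: acceptedByThisEngine } for every snippet.
function survey() {
  const result = {};
  for (const [name, src] of Object.entries(loopHeads)) result[name] = parses(src);
  return result;
}
```

On a conforming engine only `varIdentifierIn` and `plainIn` come back `true`. Running `survey()` in an engine that rejected the sloppy-mode `var i = 0 in` form would show the breakage the entry describes as a `false` in that position.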
104942014-03-14 Mark Lam <mark.lam@apple.com>
10495
10496 Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
10497 <https://webkit.org/b/130279>
10498
10499 Reviewed by Filip Pizlo.
10500
10501 If neither the getter nor setter are defined, accessing __lookupGetter__
10502 and __lookupSetter__ will return undefined as expected. However, if the
10503 getter is defined but the setter is not, accessing __lookupSetter__ will
10504 crash the VM. Similarly, accessing __lookupGetter__ when only the setter
10505 is defined will crash the VM.
10506
10507 The reason is because objectProtoFuncLookupGetter() and
10508 objectProtoFuncLookupSetter() did not check if the getter and setter
10509 value is non-null before returning it as an EncodedJSValue. The fix is
10510 to add the appropriate null checks.
10511
10512 * runtime/ObjectPrototype.cpp:
10513 (JSC::objectProtoFuncLookupGetter):
10514 (JSC::objectProtoFuncLookupSetter):
10515
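The situation the entry above describes (a getter without a setter, or a setter without a getter) is easy to reproduce from script. The probe below is an added example, not JavaScriptCore code or the fix; the fixture objects are constructed here. On a fixed engine each lookup returns either a function or `undefined`, never aborts, and the prototype-chain case shows that the lookup walks inherited accessors too.

```javascript
// Added example (not JavaScriptCore code): exercise __lookupGetter__ and
// __lookupSetter__ on objects where only one half of the accessor pair
// exists, the configuration the ChangeLog entry says used to crash. Both
// legacy methods are still shipped by current engines (Annex B).

function probeAccessors(obj, name) {
  const getter = obj.__lookupGetter__(name);
  const setter = obj.__lookupSetter__(name);
  return { getter: typeof getter, setter: typeof setter };
}

// Constructed fixtures covering each combination of getter/setter presence.
const getterOnly = Object.defineProperty({}, 'x', {
  get() { return 1; }, configurable: true,
});
const setterOnly = Object.defineProperty({}, 'x', {
  set(v) { this._x = v; }, configurable: true,
});
const both = { get x() { return 1; }, set x(v) { /* ignore */ } };
const dataProp = { x: 42 };
// Accessor defined on a prototype: the lookup must walk the chain.
const inherited = Object.create(getterOnly);

// Returns the typeof each lookup result for every fixture.
function runAccessorChecks() {
  return {
    getterOnly: probeAccessors(getterOnly, 'x'),
    setterOnly: probeAccessors(setterOnly, 'x'),
    both: probeAccessors(both, 'x'),
    dataProp: probeAccessors(dataProp, 'x'),
    inherited: probeAccessors(inherited, 'x'),
    missing: probeAccessors({}, 'nope'),
  };
}
```

The expected result is `'function'` for the half that exists and `'undefined'` for the half that does not; a data property and a missing property give `'undefined'` for both. Before the fix the `getterOnly` and `setterOnly` rows are where the VM crashed.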
105162014-03-14 Mark Rowe <mrowe@apple.com>
10517
10518 Fix the production build.
10519
10520 Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
10521 be at the expected relative path when working from installed source.
10522
10523 * Configurations/Base.xcconfig:
10524
105252014-03-14 Maciej Stachowiak <mjs@apple.com>
10526
10527 Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
10528 https://bugs.webkit.org/show_bug.cgi?id=130276
10529 <rdar://problem/16266927>
10530
10531 Reviewed by Simon Fraser.
10532
10533 * API/APICast.h:
10534 * API/JSBase.cpp:
10535 * API/JSBase.h:
10536 * API/JSBasePrivate.h:
10537 * API/JSCallbackConstructor.cpp:
10538 * API/JSCallbackConstructor.h:
10539 * API/JSCallbackFunction.cpp:
10540 * API/JSCallbackFunction.h:
10541 * API/JSCallbackObject.cpp:
10542 * API/JSCallbackObject.h:
10543 * API/JSCallbackObjectFunctions.h:
10544 * API/JSClassRef.cpp:
10545 * API/JSClassRef.h:
10546 * API/JSContextRef.cpp:
10547 * API/JSContextRef.h:
10548 * API/JSContextRefPrivate.h:
10549 * API/JSObjectRef.cpp:
10550 * API/JSObjectRef.h:
10551 * API/JSProfilerPrivate.cpp:
10552 * API/JSProfilerPrivate.h:
10553 * API/JSRetainPtr.h:
10554 * API/JSStringRef.cpp:
10555 * API/JSStringRef.h:
10556 * API/JSStringRefBSTR.cpp:
10557 * API/JSStringRefBSTR.h:
10558 * API/JSStringRefCF.cpp:
10559 * API/JSStringRefCF.h:
10560 * API/JSValueRef.cpp:
10561 * API/JSValueRef.h:
10562 * API/JavaScript.h:
10563 * API/JavaScriptCore.h:
10564 * API/OpaqueJSString.cpp:
10565 * API/OpaqueJSString.h:
10566 * API/tests/JSNode.c:
10567 * API/tests/JSNode.h:
10568 * API/tests/JSNodeList.c:
10569 * API/tests/JSNodeList.h:
10570 * API/tests/Node.c:
10571 * API/tests/Node.h:
10572 * API/tests/NodeList.c:
10573 * API/tests/NodeList.h:
10574 * API/tests/minidom.c:
10575 * API/tests/minidom.js:
10576 * API/tests/testapi.c:
10577 * API/tests/testapi.js:
10578 * DerivedSources.make:
10579 * bindings/ScriptValue.cpp:
10580 * bytecode/CodeBlock.cpp:
10581 * bytecode/CodeBlock.h:
10582 * bytecode/EvalCodeCache.h:
10583 * bytecode/Instruction.h:
10584 * bytecode/JumpTable.cpp:
10585 * bytecode/JumpTable.h:
10586 * bytecode/Opcode.cpp:
10587 * bytecode/Opcode.h:
10588 * bytecode/SamplingTool.cpp:
10589 * bytecode/SamplingTool.h:
10590 * bytecode/SpeculatedType.cpp:
10591 * bytecode/SpeculatedType.h:
10592 * bytecode/ValueProfile.h:
10593 * bytecompiler/BytecodeGenerator.cpp:
10594 * bytecompiler/BytecodeGenerator.h:
10595 * bytecompiler/Label.h:
10596 * bytecompiler/LabelScope.h:
10597 * bytecompiler/RegisterID.h:
10598 * debugger/DebuggerCallFrame.cpp:
10599 * debugger/DebuggerCallFrame.h:
10600 * dfg/DFGDesiredStructureChains.cpp:
10601 * dfg/DFGDesiredStructureChains.h:
10602 * heap/GCActivityCallback.cpp:
10603 * heap/GCActivityCallback.h:
10604 * inspector/ConsoleMessage.cpp:
10605 * inspector/ConsoleMessage.h:
10606 * inspector/IdentifiersFactory.cpp:
10607 * inspector/IdentifiersFactory.h:
10608 * inspector/InjectedScriptManager.cpp:
10609 * inspector/InjectedScriptManager.h:
10610 * inspector/InjectedScriptSource.js:
10611 * inspector/ScriptBreakpoint.h:
10612 * inspector/ScriptDebugListener.h:
10613 * inspector/ScriptDebugServer.cpp:
10614 * inspector/ScriptDebugServer.h:
10615 * inspector/agents/InspectorAgent.cpp:
10616 * inspector/agents/InspectorAgent.h:
10617 * inspector/agents/InspectorDebuggerAgent.cpp:
10618 * inspector/agents/InspectorDebuggerAgent.h:
10619 * interpreter/Interpreter.cpp:
10620 * interpreter/Interpreter.h:
10621 * interpreter/JSStack.cpp:
10622 * interpreter/JSStack.h:
10623 * interpreter/Register.h:
10624 * jit/CompactJITCodeMap.h:
10625 * jit/JITStubs.cpp:
10626 * jit/JITStubs.h:
10627 * jit/JITStubsARM.h:
10628 * jit/JITStubsARMv7.h:
10629 * jit/JITStubsX86.h:
10630 * jit/JITStubsX86_64.h:
10631 * os-win32/stdbool.h:
10632 * parser/SourceCode.h:
10633 * parser/SourceProvider.h:
10634 * profiler/LegacyProfiler.cpp:
10635 * profiler/LegacyProfiler.h:
10636 * profiler/ProfileNode.cpp:
10637 * profiler/ProfileNode.h:
10638 * runtime/ArrayBufferView.cpp:
10639 * runtime/ArrayBufferView.h:
10640 * runtime/BatchedTransitionOptimizer.h:
10641 * runtime/CallData.h:
10642 * runtime/ConstructData.h:
10643 * runtime/DumpContext.cpp:
10644 * runtime/DumpContext.h:
10645 * runtime/ExceptionHelpers.cpp:
10646 * runtime/ExceptionHelpers.h:
10647 * runtime/InitializeThreading.cpp:
10648 * runtime/InitializeThreading.h:
10649 * runtime/IntegralTypedArrayBase.h:
10650 * runtime/IntendedStructureChain.cpp:
10651 * runtime/IntendedStructureChain.h:
10652 * runtime/JSActivation.cpp:
10653 * runtime/JSActivation.h:
10654 * runtime/JSExportMacros.h:
10655 * runtime/JSGlobalObject.cpp:
10656 * runtime/JSNotAnObject.cpp:
10657 * runtime/JSNotAnObject.h:
10658 * runtime/JSPropertyNameIterator.cpp:
10659 * runtime/JSPropertyNameIterator.h:
10660 * runtime/JSSegmentedVariableObject.cpp:
10661 * runtime/JSSegmentedVariableObject.h:
10662 * runtime/JSSymbolTableObject.cpp:
10663 * runtime/JSSymbolTableObject.h:
10664 * runtime/JSTypeInfo.h:
10665 * runtime/JSVariableObject.cpp:
10666 * runtime/JSVariableObject.h:
10667 * runtime/PropertyTable.cpp:
10668 * runtime/PutPropertySlot.h:
10669 * runtime/SamplingCounter.cpp:
10670 * runtime/SamplingCounter.h:
10671 * runtime/Structure.cpp:
10672 * runtime/Structure.h:
10673 * runtime/StructureChain.cpp:
10674 * runtime/StructureChain.h:
10675 * runtime/StructureInlines.h:
10676 * runtime/StructureTransitionTable.h:
10677 * runtime/SymbolTable.cpp:
10678 * runtime/SymbolTable.h:
10679 * runtime/TypedArrayBase.h:
10680 * runtime/TypedArrayType.cpp:
10681 * runtime/TypedArrayType.h:
10682 * runtime/VM.cpp:
10683 * runtime/VM.h:
10684 * yarr/RegularExpression.cpp:
10685 * yarr/RegularExpression.h:
10686
106872014-03-14 Filip Pizlo <fpizlo@apple.com>
10688
10689 Final FTL iOS build magic
10690 https://bugs.webkit.org/show_bug.cgi?id=130281
10691
10692 Reviewed by Michael Saboff.
10693
10694 * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
10695 * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
10696
106972014-03-14 Joseph Pecoraro <pecoraro@apple.com>
10698
10699 Web Inspector: Gracefully handle nil name -[JSContext setName:]
10700 https://bugs.webkit.org/show_bug.cgi?id=130262
10701
10702 Reviewed by Mark Hahnenberg.
10703
10704 * API/JSContext.mm:
10705 (-[JSContext setName:]):
10706 Gracefully handle nil input.
10707
10708 * API/tests/testapi.c:
10709 (globalContextNameTest):
10710 * API/tests/testapi.mm:
10711 Test for nil / NULL names in the ObjC and C APIs.
10712
107132014-03-11 Oliver Hunt <oliver@apple.com>
10714
10715 Improve dom error messages
10716 https://bugs.webkit.org/show_bug.cgi?id=130103
10717
10718 Reviewed by Andreas Kling.
10719
10720 Add new helper function.
10721
10722 * runtime/Error.h:
10723 (JSC::throwVMTypeError):
10724
107252014-03-14 László Langó <llango.u-szeged@partner.samsung.com>
10726
10727 Remove unused method declaration.
10728 https://bugs.webkit.org/show_bug.cgi?id=130238
10729
10730 Reviewed by Filip Pizlo.
10731
10732 The implementation of CallFrame::dumpCaller was removed in
10733 http://trac.webkit.org/changeset/153183, but the declaration of it was not.
10734
10735 * interpreter/CallFrame.h:
10736 Remove CallFrame::dumpCaller() method declaration.
10737
107382014-03-12 Sergio Villar Senin <svillar@igalia.com>
10739
10740 Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
10741 https://bugs.webkit.org/show_bug.cgi?id=129612
10742
10743 Reviewed by Darin Adler.
10744
10745 For new code use static NeverDestroyed<T> instead.
10746
10747 * API/JSAPIWrapperObject.mm:
10748 (jsAPIWrapperObjectHandleOwner):
10749 * API/JSManagedValue.mm:
10750 (managedValueHandleOwner):
10751 * inspector/agents/InspectorDebuggerAgent.cpp:
10752 (Inspector::objectGroupForBreakpointAction):
10753 * inspector/scripts/CodeGeneratorInspectorStrings.py:
10754 * interpreter/JSStack.cpp:
10755 (JSC::stackStatisticsMutex):
10756 * jit/ExecutableAllocator.cpp:
10757 (JSC::DemandExecutableAllocator::allocators):
10758
107592014-03-12 Gavin Barraclough <barraclough@apple.com>
10760
10761 Reduce memory use for static property maps
10762 https://bugs.webkit.org/show_bug.cgi?id=129986
10763
10764 Reviewed by Andreas Kling.
10765
10766 Static property tables are currently duplicated on first use from read-only memory into dirty memory
10767 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
10768 (we use a custom hash table without a rehash) a lot of memory may be wasted.
10769
10770 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
10771 from string hashes to indices into a densely packed array of values. Compute the index table at
10772 compile time as a part of the derived sources step, such that this may be read-only data.
10773
10774 Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
10775 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
10776 keys, which are Identifiers.
10777
10778 * create_hash_table:
10779 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
10780 * parser/Lexer.cpp:
10781 (JSC::Lexer<LChar>::parseIdentifier):
10782 (JSC::Lexer<UChar>::parseIdentifier):
10783 (JSC::Lexer<T>::parseIdentifierSlowCase):
10784 - HashEntry -> HashTableValue.
10785 * parser/Lexer.h:
10786 (JSC::Keywords::getKeyword):
10787 - HashEntry -> HashTableValue.
10788 * runtime/ClassInfo.h:
10789 - removed HashEntry.
10790 * runtime/JSObject.cpp:
10791 (JSC::getClassPropertyNames):
10792 - use HashTable::ConstIterator.
10793 (JSC::JSObject::put):
10794 (JSC::JSObject::deleteProperty):
10795 (JSC::JSObject::findPropertyHashEntry):
10796 - HashEntry -> HashTableValue.
10797 (JSC::JSObject::reifyStaticFunctionsForDelete):
10798 - changed HashTable::ConstIterator interface.
10799 * runtime/JSObject.h:
10800 - HashEntry -> HashTableValue.
10801 * runtime/Lookup.cpp:
10802 (JSC::HashTable::createTable):
10803 - table -> keys, keys array is now densely packed.
10804 (JSC::HashTable::deleteTable):
10805 - table -> keys.
10806 (JSC::setUpStaticFunctionSlot):
10807 - HashEntry -> HashTableValue.
10808 * runtime/Lookup.h:
10809 (JSC::HashTableValue::builtinGenerator):
10810 (JSC::HashTableValue::function):
10811 (JSC::HashTableValue::functionLength):
10812 (JSC::HashTableValue::propertyGetter):
10813 (JSC::HashTableValue::propertyPutter):
10814 (JSC::HashTableValue::lexerValue):
10815 - added accessor methods from HashEntry.
10816 (JSC::HashTable::copy):
10817 - fields changed.
10818 (JSC::HashTable::initializeIfNeeded):
10819 - table -> keys.
10820 (JSC::HashTable::entry):
10821 - HashEntry -> HashTableValue.
10822 (JSC::HashTable::ConstIterator::ConstIterator):
10823 - iterate packed value array, so no need to skipInvalidKeys().
10824 (JSC::HashTable::ConstIterator::value):
10825 (JSC::HashTable::ConstIterator::key):
10826 (JSC::HashTable::ConstIterator::operator->):
10827 - accessors now get HashTableValue/StringImpl* separately.
10828 (JSC::HashTable::ConstIterator::operator++):
10829 - iterate packed value array, so no need to skipInvalidKeys().
10830 (JSC::HashTable::end):
10831 - end is now size of dense not sparse array.
10832 (JSC::getStaticPropertySlot):
10833 (JSC::getStaticFunctionSlot):
10834 (JSC::getStaticValueSlot):
10835 (JSC::putEntry):
10836 (JSC::lookupPut):
10837 - HashEntry -> HashTableValue.
10838
108392014-03-13 Filip Pizlo <fpizlo@apple.com>
10840
10841 Unreviewed, fix Mac no-FTL build.
10842
10843 * llvm/library/LLVMExports.cpp:
10844 (initializeAndGetJSCLLVMAPI):
10845
108462014-03-13 Juergen Ributzka <juergen@apple.com>
10847
10848 Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
10849 https://bugs.webkit.org/show_bug.cgi?id=130224
10850
10851 Reviewed by Filip Pizlo.
10852
10853 This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
10854 the LLVM dylib. This allows the dylib to be safely used with other LLVM
10855 dylibs on the same system. It also reduces the dynamic linking overhead
10856 and also reduces the size by 6MB, because the linker can now dead strip
10857 many unused functions.
10858
10859 * Configurations/LLVMForJSC.xcconfig:
10860
108612014-03-13 Andreas Kling <akling@apple.com>
10862
10863 VM::discardAllCode() should clear the RegExp cache.
10864 <https://webkit.org/b/130144>
10865
10866 Reviewed by Michael Saboff.
10867
10868 * runtime/VM.cpp:
10869 (JSC::VM::discardAllCode):
10870
108712014-03-13 Andreas Kling <akling@apple.com>
10872
10873 Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
10874 <https://webkit.org/b/129995>
10875
10876 This code path is not taken anymore on DYEB, and I can't explain why
10877 it was showing up in my profiles. Backing it out per JoePeck's suggestion.
10878
10879 * inspector/JSGlobalObjectInspectorController.cpp:
10880 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
10881
108822014-03-13 Filip Pizlo <fpizlo@apple.com>
10883
10884 FTL should support IsBlah
10885 https://bugs.webkit.org/show_bug.cgi?id=130202
10886
10887 Reviewed by Geoffrey Garen.
10888
10889 * ftl/FTLCapabilities.cpp:
10890 (JSC::FTL::canCompile):
10891 * ftl/FTLIntrinsicRepository.h:
10892 * ftl/FTLLowerDFGToLLVM.cpp:
10893 (JSC::FTL::LowerDFGToLLVM::compileNode):
10894 (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
10895 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
10896 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
10897 (JSC::FTL::LowerDFGToLLVM::compileIsString):
10898 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
10899 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
10900 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
10901 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
10902 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
10903 (JSC::FTL::LowerDFGToLLVM::isNumber):
10904 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
10905 (JSC::FTL::LowerDFGToLLVM::isBoolean):
10906 * ftl/FTLOSRExitCompiler.cpp:
10907 * tests/stress/is-undefined-exit-on-masquerader.js: Added.
10908 (bar):
10909 (foo):
10910 (test):
10911 * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
10912 (foo):
10913 (test):
10914 * tests/stress/is-undefined-masquerader.js: Added.
10915 (foo):
10916 (test):
10917
109182014-03-13 Mark Lam <mark.lam@apple.com>
10919
10920 JS benchmarks crash with a bus error on 32-bit x86.
10921 <https://webkit.org/b/130203>
10922
10923 Reviewed by Geoffrey Garen.
10924
10925 The issue is that generateGetByIdStub() can potentially use the same register
10926 for the JSValue base register and the target tag register. After loading the
10927 tag value into the target tag register, the JSValue base address is lost.
10928 The code then proceeds to load the payload value using the base register, and
10929 this results in a crash.
10930
10931 The fix is to check if the base register is the same as the target tag register.
10932 If so, we should make a copy of the base register first before loading the tag
10933 value, and use the copy to load the payload value instead.
10934
10935 * jit/Repatch.cpp:
10936 (JSC::generateGetByIdStub):
10937
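The register-aliasing failure described in the entry above, as an added illustration that is not JSC's code: a toy machine with a byte arena, a few registers, and a 32-bit JSValue modelled as a tag word followed by a payload word (the tag constant and layout here are constructed, not JSC's encoding). `loadValueBuggy` loads the tag and then the payload through the same base register, so when the allocator hands out the same register for base and tag the second load goes through garbage; an out-of-arena load is recorded as a fault instead of crashing. `loadValueFixed` applies the fix the entry describes, copying the base into a scratch register when it aliases the tag register. All names (`Machine`, `runStub`, register numbers) are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed 32-bit JSValue layout for this model: a tag word and a payload word.
struct EncodedValue {
    uint32_t tag;
    uint32_t payload;
};

enum { kNumRegs = 8 };

// Toy machine: a small byte arena is the only addressable memory, registers hold
// 32-bit words or arena addresses, and an out-of-arena load records a fault
// instead of crashing (standing in for the bus error the entry describes).
struct Machine {
    std::vector<uint8_t> memory;
    uintptr_t regs[kNumRegs] = {};
    bool faulted = false;

    explicit Machine(size_t bytes) : memory(bytes, 0) {}

    void storeValue(uintptr_t addr, const EncodedValue& v) { std::memcpy(&memory[addr], &v, sizeof v); }
    void move(int dst, int src) { regs[dst] = regs[src]; }

    // regs[dst] = *(uint32_t*)(regs[base] + offset), or a fault if outside the arena.
    void load32(int dst, int base, size_t offset) {
        uintptr_t addr = regs[base] + offset;
        if (addr > memory.size() - sizeof(uint32_t)) { faulted = true; return; }
        uint32_t word;
        std::memcpy(&word, &memory[addr], sizeof word);
        regs[dst] = word;
    }
};

// Before the fix: tag loaded first, then payload through the same base register.
// When baseReg == tagReg the base address is gone before the payload load.
void loadValueBuggy(Machine& m, int baseReg, int tagReg, int payloadReg) {
    m.load32(tagReg, baseReg, offsetof(EncodedValue, tag));
    m.load32(payloadReg, baseReg, offsetof(EncodedValue, payload));
}

// After the fix: if the base aliases the tag register, keep a copy of the base in
// a scratch register and load the payload through the copy.
void loadValueFixed(Machine& m, int baseReg, int tagReg, int payloadReg, int scratchReg) {
    int payloadBase = baseReg;
    if (baseReg == tagReg) {
        m.move(scratchReg, baseReg);
        payloadBase = scratchReg;
    }
    m.load32(tagReg, baseReg, offsetof(EncodedValue, tag));
    m.load32(payloadReg, payloadBase, offsetof(EncodedValue, payload));
}

struct Outcome { bool faulted; uint32_t tag; uint32_t payload; };

// Run one stub variant against a constructed value at a constructed arena address.
Outcome runStub(bool aliased, bool fixed) {
    Machine m(256);
    const uintptr_t valueAddr = 64;
    const EncodedValue v = { 0xFFFFFFF5u, 42u };   // constructed tag and payload
    m.storeValue(valueAddr, v);
    const int baseReg = 1, payloadReg = 2, scratchReg = 3;
    const int tagReg = aliased ? baseReg : 4;      // aliased: same register for base and tag
    m.regs[baseReg] = valueAddr;
    if (fixed)
        loadValueFixed(m, baseReg, tagReg, payloadReg, scratchReg);
    else
        loadValueBuggy(m, baseReg, tagReg, payloadReg);
    return { m.faulted, (uint32_t)m.regs[tagReg], (uint32_t)m.regs[payloadReg] };
}

int main() {
    for (int fixed = 0; fixed < 2; ++fixed) {
        Outcome o = runStub(true, fixed != 0);
        std::printf("%s, aliased: %s tag=0x%08x payload=%u\n", fixed ? "fixed" : "buggy",
                    o.faulted ? "FAULT" : "ok", o.tag, o.payload);
    }
    return 0;
}
```

The non-aliased case works with either sequence, which is why the bug only showed up on a register-starved target like 32-bit x86: the defect is in the allocation assumption, not in either load on its own.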
109382014-03-12 Filip Pizlo <fpizlo@apple.com>
10939
10940 WebKit shouldn't crash on uniprocessor machines
10941 https://bugs.webkit.org/show_bug.cgi?id=130176
10942
10943 Reviewed by Michael Saboff.
10944
10945 Previously the math for computing the number of JIT compiler threads would come up with
10946 zero threads on uniprocessor machines, and then the Worklist code would assert.
10947
10948 * runtime/Options.cpp:
10949 (JSC::computeNumberOfWorkerThreads):
10950 * runtime/Options.h:
10951
109522014-03-13 Radu Stavila <stavila@adobe.com>
10953
10954 Webkit not building on XCode 5.1 due to garbage collection no longer being supported
10955 https://bugs.webkit.org/show_bug.cgi?id=130087
10956
10957 Reviewed by Mark Rowe.
10958
10959 Disable garbage collection on macosx when not using internal SDK.
10960
10961 * Configurations/Base.xcconfig:
10962
109632014-03-10 Darin Adler <darin@apple.com>
10964
10965 Avoid copy-prone idiom "for (auto item : collection)"
10966 https://bugs.webkit.org/show_bug.cgi?id=129990
10967
10968 Reviewed by Geoffrey Garen.
10969
10970 * heap/CodeBlockSet.h:
10971 (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
10972 * inspector/ScriptDebugServer.cpp:
10973 (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
10974 make explicit that we are iterating through pointers.
10975 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
10976 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
10977 * inspector/agents/InspectorDebuggerAgent.cpp:
10978 (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
10979 get rid of an unneeded local variable.
10980
109812014-03-13 Brian Burg <bburg@apple.com>
10982
10983 Web Inspector: Remove unused callId parameter from evaluateInWebInspector
10984 https://bugs.webkit.org/show_bug.cgi?id=129744
10985
10986 Reviewed by Timothy Hatcher.
10987
10988 * inspector/agents/InspectorAgent.cpp:
10989 (Inspector::InspectorAgent::enable):
10990 (Inspector::InspectorAgent::evaluateForTestInFrontend):
10991 * inspector/agents/InspectorAgent.h:
10992 * inspector/protocol/InspectorDomain.json:
10993
109942014-03-11 Filip Pizlo <fpizlo@apple.com>
10995
10996 ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
10997 https://bugs.webkit.org/show_bug.cgi?id=130069
10998
10999 Reviewed by Geoffrey Garen.
11000
11001 This was a great assertion, and it represents our strictest interpretation of the rules of
11002 our intermediate representation. However, fixing DCE to actually preserve the relevant
11003 property would be hard, and it wouldn't have an observable effect right now because nobody
11004 actually uses the property of CPS that this assertion is checking for.
11005
11006 In particular, we do always require, and rely on, the fact that non-captured variables
11007 have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
11008 block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
11009 PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
11010 broken in this regard. But, in the strictest sense, CPS also means that for captured
11011 variables, variablesAtTail also continues to point to the last relevant use of the
11012 variable. In particular, if there are multiple GetLocals, then it should point to the last
11013 one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
11014 variables, except to check the VariableAccessData; but in that case, we don't really need
11015 the *last* relevant use of the variable - any node that mentions the same variable will do
11016 just fine.
11017
11018 So, this change loosens the assertion and adds a detailed FIXME describing what we would
11019 have to do if we wanted to preserve the more strict property.
11020
11021 This also makes changes to various debug printing paths so that validation doesn't crash
11022 during graph dump. This also adds tests for the interesting cases of DCE failing to
11023 preserve CPS in the strictest sense. This also attempts to win the record for longest test
11024 name.
11025
11026 * bytecode/CodeBlock.cpp:
11027 (JSC::CodeBlock::hashAsStringIfPossible):
11028 (JSC::CodeBlock::dumpAssumingJITType):
11029 * bytecode/CodeBlock.h:
11030 * bytecode/CodeOrigin.cpp:
11031 (JSC::InlineCallFrame::hashAsStringIfPossible):
11032 (JSC::InlineCallFrame::dumpBriefFunctionInformation):
11033 * bytecode/CodeOrigin.h:
11034 * dfg/DFGCPSRethreadingPhase.cpp:
11035 (JSC::DFG::CPSRethreadingPhase::run):
11036 * dfg/DFGDCEPhase.cpp:
11037 (JSC::DFG::DCEPhase::cleanVariables):
11038 * dfg/DFGInPlaceAbstractState.cpp:
11039 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
11040 * runtime/FunctionExecutableDump.cpp:
11041 (JSC::FunctionExecutableDump::dump):
11042 * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
11043 (foo):
11044 * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
11045 (foo):
11046
110472014-03-12 Brian Burg <bburg@apple.com>
11048
11049 Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
11050 https://bugs.webkit.org/show_bug.cgi?id=129445
11051
11052 Reviewed by Timothy Hatcher.
11053
11054 There was a bug in the replay inputs code generator that would include
11055 headers for definitions of enum classes, even though they can be safely
11056 forward-declared.
11057
11058 * replay/scripts/CodeGeneratorReplayInputs.py:
11059 (Generator.generate_includes): Only include for copy constructor if the
11060 type is a heavy scalar (i.e., String, URL), not a normal scalar
11061 (i.e., int, double, enum classes).
11062
11063 (Generator.generate_type_forward_declarations): Forward-declare scalars
11064 that are enums or enum classes.
11065
110662014-03-12 Joseph Pecoraro <pecoraro@apple.com>
11067
11068 Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
11069 https://bugs.webkit.org/show_bug.cgi?id=130118
11070
11071 Reviewed by Timothy Hatcher.
11072
11073 * Configurations/FeatureDefines.xcconfig:
11074
110752014-03-12 Joseph Pecoraro <pecoraro@apple.com>
11076
11077 Web Inspector: Hang in Remote Inspection triggering breakpoint from console
11078 https://bugs.webkit.org/show_bug.cgi?id=130032
11079
11080 Reviewed by Timothy Hatcher.
11081
11082 * inspector/EventLoop.h:
11083 * inspector/EventLoop.cpp:
11084 (Inspector::EventLoop::remoteInspectorRunLoopMode):
11085 (Inspector::EventLoop::cycle):
11086 Expose the run loop mode name so it can be used if needed by others.
11087
11088 * inspector/remote/RemoteInspectorDebuggableConnection.h:
11089 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
11090 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
11091 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
11092 (Inspector::RemoteInspectorBlock::operator=):
11093 (Inspector::RemoteInspectorBlock::operator()):
11094 (Inspector::RemoteInspectorQueueTask):
11095 Instead of a dispatch_queue, have our own static Vector of debugger tasks.
11096
11097 (Inspector::RemoteInspectorHandleRunSource):
11098 (Inspector::RemoteInspectorInitializeQueue):
11099 Initialize the static queue and run loop source. When the run loop source
11100 fires, it will exhaust the queue of debugger messages.
11101
11102 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
11103 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
11104 When we get a debuggable connection add a run loop source for inspector commands.
11105
11106 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
11107 (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
11108 Enqueue blocks on our Vector instead of our dispatch_queue.
11109
111102014-03-12 Commit Queue <commit-queue@webkit.org>
11111
11112 Unreviewed, rolling out r165482.
11113 https://bugs.webkit.org/show_bug.cgi?id=130157
11114
11115 Broke the windows build; "error C2466: cannot allocate an
11116 array of constant size 0" (Requested by jernoble on #webkit).
11117
11118 Reverted changeset:
11119
11120 "Reduce memory use for static property maps"
11121 https://bugs.webkit.org/show_bug.cgi?id=129986
11122 http://trac.webkit.org/changeset/165482
11123
111242014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
11125
11126 Remove HandleSet::m_nextToFinalize
11127 https://bugs.webkit.org/show_bug.cgi?id=130109
11128
11129 Reviewed by Mark Lam.
11130
11131 This is a remnant of when HandleSet contained things that needed to be finalized.
11132
11133 * heap/HandleSet.cpp:
11134 (JSC::HandleSet::HandleSet):
11135 (JSC::HandleSet::writeBarrier):
11136 * heap/HandleSet.h:
11137 (JSC::HandleSet::allocate):
11138 (JSC::HandleSet::deallocate):
11139
111402014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
11141
11142 Layout Test fast/workers/worker-gc.html is failing
11143 https://bugs.webkit.org/show_bug.cgi?id=130135
11144
11145 Reviewed by Geoffrey Garen.
11146
11147 When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
11148 main list of blocks, i.e. not in the retired list. When shutting down the VM this
11149 wasn't always the case, which was causing ASSERTs to fire. We should rearrange things
11150 so that allocators are notified with lastChanceToFinalize. This will give them
11151 the chance to move their retired blocks back into the main list before removing them all.
11152
11153 * heap/MarkedAllocator.cpp:
11154 (JSC::LastChanceToFinalize::operator()):
11155 (JSC::MarkedAllocator::lastChanceToFinalize):
11156 * heap/MarkedAllocator.h:
11157 * heap/MarkedSpace.cpp:
11158 (JSC::LastChanceToFinalize::operator()):
11159 (JSC::MarkedSpace::lastChanceToFinalize):
11160
111612014-03-12 Gavin Barraclough <barraclough@apple.com>
11162
11163 Reduce memory use for static property maps
11164 https://bugs.webkit.org/show_bug.cgi?id=129986
11165
11166 Reviewed by Andreas Kling.
11167
11168 Static property tables are currently duplicated on first use from read-only memory into dirty memory
11169 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
11170 (we use a custom hash table without a rehash) a lot of memory may be wasted.
11171
11172 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
11173 from string hashes to indices into a densely packed array of values. Compute the index table at
11174 compile time as a part of the derived sources step, such that this may be read-only data.
11175
11176 Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
11177 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
11178 keys, which are Identifiers.
11179
11180 * create_hash_table:
11181 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
11182 * parser/Lexer.cpp:
11183 (JSC::Lexer<LChar>::parseIdentifier):
11184 (JSC::Lexer<UChar>::parseIdentifier):
11185 (JSC::Lexer<T>::parseIdentifierSlowCase):
11186 - HashEntry -> HashTableValue.
11187 * parser/Lexer.h:
11188 (JSC::Keywords::getKeyword):
11189 - HashEntry -> HashTableValue.
11190 * runtime/ClassInfo.h:
11191 - removed HashEntry.
11192 * runtime/JSObject.cpp:
11193 (JSC::getClassPropertyNames):
11194 - use HashTable::ConstIterator.
11195 (JSC::JSObject::put):
11196 (JSC::JSObject::deleteProperty):
11197 (JSC::JSObject::findPropertyHashEntry):
11198 - HashEntry -> HashTableValue.
11199 (JSC::JSObject::reifyStaticFunctionsForDelete):
11200 - changed HashTable::ConstIterator interface.
11201 * runtime/JSObject.h:
11202 - HashEntry -> HashTableValue.
11203 * runtime/Lookup.cpp:
11204 (JSC::HashTable::createTable):
11205 - table -> keys, keys array is now densely packed.
11206 (JSC::HashTable::deleteTable):
11207 - table -> keys.
11208 (JSC::setUpStaticFunctionSlot):
11209 - HashEntry -> HashTableValue.
11210 * runtime/Lookup.h:
11211 (JSC::HashTableValue::builtinGenerator):
11212 (JSC::HashTableValue::function):
11213 (JSC::HashTableValue::functionLength):
11214 (JSC::HashTableValue::propertyGetter):
11215 (JSC::HashTableValue::propertyPutter):
11216 (JSC::HashTableValue::lexerValue):
11217 - added accessor methods from HashEntry.
11218 (JSC::HashTable::copy):
11219 - fields changed.
11220 (JSC::HashTable::initializeIfNeeded):
11221 - table -> keys.
11222 (JSC::HashTable::entry):
11223 - HashEntry -> HashTableValue.
11224 (JSC::HashTable::ConstIterator::ConstIterator):
11225 - iterate packed value array, so no need to skipInvalidKeys().
11226 (JSC::HashTable::ConstIterator::value):
11227 (JSC::HashTable::ConstIterator::key):
11228 (JSC::HashTable::ConstIterator::operator->):
11229 - accessors now get HashTableValue/StringImpl* separately.
11230 (JSC::HashTable::ConstIterator::operator++):
11231 - iterate packed value array, so no need to skipInvalidKeys().
11232 (JSC::HashTable::end):
11233 - end is now size of dense not sparse array.
11234 (JSC::getStaticPropertySlot):
11235 (JSC::getStaticFunctionSlot):
11236 (JSC::getStaticValueSlot):
11237 (JSC::putEntry):
11238 (JSC::lookupPut):
11239 - HashEntry -> HashTableValue.
11240
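The two "Reduce memory use for static property maps" entries (the original landing above and the re-landing earlier on this page) describe the same design: a sparse index computed by the generator that maps string hashes to positions in a densely packed, read-only value array, with collision chains kept short. The following is an added model of that design, not the output of `create_hash_table` or any JSC code: `buildStaticTable` plays the derived-sources step, `emitIndexAsSource` shows what such a generator could write out as constant data, `lookup` walks hash, primary bucket, chain, and `allKeys` iterates the dense array directly so there are no invalid keys to skip. The FNV-1a hash, the struct names and the overflow-slot chaining layout are assumptions of this example.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Dense, read-only value entry: the stand-in for a HashTableValue (key plus an
// integer attribute for illustration).
struct HashTableValue {
    const char* key;
    int value;
};

// One slot of the sparse index: the dense entry that hashes here and the slot
// where the collision chain continues. -1 marks an empty slot or chain end.
struct IndexEntry {
    int valueIndex;
    int next;
};

struct StaticTable {
    std::vector<IndexEntry> index;       // sparse: primary buckets, then overflow slots
    std::vector<HashTableValue> values;  // dense: iterated directly, no holes
    uint32_t mask = 0;                   // primary bucket count - 1 (power of two)
};

// FNV-1a: a constructed stand-in for the string hash shared by lexer and runtime.
uint32_t hashString(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

// The generator step: compute the index once from the dense value list. Colliding
// entries chain into overflow slots appended after the primary buckets, so a
// chain never occupies another key's primary bucket.
StaticTable buildStaticTable(std::vector<HashTableValue> values, uint32_t primaryBuckets) {
    StaticTable t;
    t.values = std::move(values);
    t.mask = primaryBuckets - 1;
    t.index.assign(primaryBuckets, IndexEntry{ -1, -1 });
    for (int d = 0; d < (int)t.values.size(); ++d) {
        int slot = (int)(hashString(t.values[d].key) & t.mask);
        if (t.index[slot].valueIndex == -1) { t.index[slot].valueIndex = d; continue; }
        while (t.index[slot].next != -1)
            slot = t.index[slot].next;           // walk to the end of the chain
        t.index.push_back(IndexEntry{ d, -1 });
        t.index[slot].next = (int)t.index.size() - 1;
    }
    return t;
}

// Longest chain a lookup can walk; a generator checks this stays small.
int maxChainDepth(const StaticTable& t) {
    int worst = 0;
    for (uint32_t b = 0; b <= t.mask; ++b) {
        if (t.index[b].valueIndex == -1) continue;
        int depth = 0;
        for (int i = (int)b; i != -1; i = t.index[i].next) ++depth;
        if (depth > worst) worst = depth;
    }
    return worst;
}

// Lookup: hash -> primary bucket -> chain of dense indices. Empty tables return early.
const HashTableValue* lookup(const StaticTable& t, const char* key) {
    if (t.values.empty()) return nullptr;
    int i = (int)(hashString(key) & t.mask);
    if (t.index[i].valueIndex == -1) return nullptr;
    for (; i != -1; i = t.index[i].next) {
        const HashTableValue& v = t.values[t.index[i].valueIndex];
        if (std::strcmp(v.key, key) == 0) return &v;
    }
    return nullptr;
}

// Iteration walks the dense array directly: nothing to skip.
std::vector<std::string> allKeys(const StaticTable& t) {
    std::vector<std::string> keys;
    for (const HashTableValue& v : t.values) keys.push_back(v.key);
    return keys;
}

// What the generator would write into the derived source so the index is read-only data.
std::string emitIndexAsSource(const StaticTable& t, const char* name) {
    std::string out = "static const IndexEntry " + std::string(name) + "[] = {";
    for (size_t i = 0; i < t.index.size(); ++i)
        out += std::string(i ? ", {" : " {") + std::to_string(t.index[i].valueIndex)
             + ", " + std::to_string(t.index[i].next) + "}";
    return out + " };";
}

// Constructed sample: seven keys squeezed into four primary buckets to force chaining.
StaticTable buildSampleTable() {
    return buildStaticTable({ { "length", 0 }, { "push", 1 }, { "pop", 2 }, { "slice", 3 },
                              { "splice", 4 }, { "indexOf", 5 }, { "join", 6 } }, 4);
}
```

Because the index and the values are both computed ahead of time, nothing in this layout has to be copied into writable memory per process except whatever the runtime must allocate for keys; in the entry that is the Identifier array, which this model leaves out.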
112412014-03-11 Filip Pizlo <fpizlo@apple.com>
11242
11243 It should be possible to build WebKit with FTL on iOS
11244 https://bugs.webkit.org/show_bug.cgi?id=130116
11245
11246 Reviewed by Dan Bernstein.
11247
11248 * Configurations/Base.xcconfig:
11249
112502014-03-10 Filip Pizlo <fpizlo@apple.com>
11251
11252 GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
11253 https://bugs.webkit.org/show_bug.cgi?id=129778
11254
11255 Reviewed by Geoffrey Garen.
11256
11257 Also deduplicate the GetById getter call caching. Also add some small tests for
11258 get stubs.
11259
11260 This change reduces the amount of code involved in GetById access caching and it
11261 creates data structures that can serve as an elegant scaffold for introducing other
11262 kinds of caches or improving current caching styles. It will definitely make getter
11263 performance improvements easier to implement.
11264
11265 * CMakeLists.txt:
11266 * GNUmakefile.list.am:
11267 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11268 * JavaScriptCore.xcodeproj/project.pbxproj:
11269 * bytecode/CodeBlock.cpp:
11270 (JSC::CodeBlock::printGetByIdCacheStatus):
11271 * bytecode/GetByIdStatus.cpp:
11272 (JSC::GetByIdStatus::computeForStubInfo):
11273 * bytecode/PolymorphicGetByIdList.cpp: Added.
11274 (JSC::GetByIdAccess::GetByIdAccess):
11275 (JSC::GetByIdAccess::~GetByIdAccess):
11276 (JSC::GetByIdAccess::fromStructureStubInfo):
11277 (JSC::GetByIdAccess::visitWeak):
11278 (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
11279 (JSC::PolymorphicGetByIdList::from):
11280 (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
11281 (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
11282 (JSC::PolymorphicGetByIdList::addAccess):
11283 (JSC::PolymorphicGetByIdList::isFull):
11284 (JSC::PolymorphicGetByIdList::isAlmostFull):
11285 (JSC::PolymorphicGetByIdList::didSelfPatching):
11286 (JSC::PolymorphicGetByIdList::visitWeak):
11287 * bytecode/PolymorphicGetByIdList.h: Added.
11288 (JSC::GetByIdAccess::GetByIdAccess):
11289 (JSC::GetByIdAccess::isSet):
11290 (JSC::GetByIdAccess::operator!):
11291 (JSC::GetByIdAccess::type):
11292 (JSC::GetByIdAccess::structure):
11293 (JSC::GetByIdAccess::chain):
11294 (JSC::GetByIdAccess::chainCount):
11295 (JSC::GetByIdAccess::stubRoutine):
11296 (JSC::GetByIdAccess::doesCalls):
11297 (JSC::PolymorphicGetByIdList::isEmpty):
11298 (JSC::PolymorphicGetByIdList::size):
11299 (JSC::PolymorphicGetByIdList::at):
11300 (JSC::PolymorphicGetByIdList::operator[]):
11301 * bytecode/StructureStubInfo.cpp:
11302 (JSC::StructureStubInfo::deref):
11303 (JSC::StructureStubInfo::visitWeakReferences):
11304 * bytecode/StructureStubInfo.h:
11305 (JSC::isGetByIdAccess):
11306 (JSC::StructureStubInfo::initGetByIdList):
11307 * jit/Repatch.cpp:
11308 (JSC::generateGetByIdStub):
11309 (JSC::tryCacheGetByID):
11310 (JSC::patchJumpToGetByIdStub):
11311 (JSC::tryBuildGetByIDList):
11312 (JSC::tryBuildPutByIdList):
11313 * tests/stress/getter.js: Added.
11314 (foo):
11315 (.o):
11316 * tests/stress/polymorphic-prototype-accesses.js: Added.
11317 (Foo):
11318 (Bar):
11319 (foo):
11320 * tests/stress/prototype-getter.js: Added.
11321 (Foo):
11322 (foo):
11323 * tests/stress/simple-prototype-accesses.js: Added.
11324 (Foo):
11325 (foo):
11326
113272014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>
11328
11329 MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
11330 https://bugs.webkit.org/show_bug.cgi?id=129920
11331
11332 Reviewed by Geoffrey Garen.
11333
11334 This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
11335 when the amount of free space in a MarkedBlock drops below a certain threshold.
11336 Retired blocks are not considered for sweeping.
11337
11338 This is profitable because it reduces churn during sweeping. To build a free list,
11339 we have to scan through each cell in a block. After a collection, all objects that
11340 are live in the block will remain live until the next FullCollection, at which time
11341 we un-retire all previously retired blocks. Thus, a small number of objects in a block
11342 that die during each EdenCollection could cause us to do a disproportionate amount of
11343 sweeping for how much free memory we get back.
11344
11345 This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
11346
11347 * heap/Heap.h:
11348 (JSC::Heap::didRetireBlockWithFreeListSize):
11349 * heap/MarkedAllocator.cpp:
11350 (JSC::MarkedAllocator::tryAllocateHelper):
11351 (JSC::MarkedAllocator::removeBlock):
11352 (JSC::MarkedAllocator::reset):
11353 * heap/MarkedAllocator.h:
11354 (JSC::MarkedAllocator::MarkedAllocator):
11355 (JSC::MarkedAllocator::forEachBlock):
11356 * heap/MarkedBlock.cpp:
11357 (JSC::MarkedBlock::sweepHelper):
11358 (JSC::MarkedBlock::clearMarksWithCollectionType):
11359 (JSC::MarkedBlock::didRetireBlock):
11360 * heap/MarkedBlock.h:
11361 (JSC::MarkedBlock::willRemoveBlock):
11362 (JSC::MarkedBlock::isLive):
11363 * heap/MarkedSpace.cpp:
11364 (JSC::MarkedSpace::clearNewlyAllocated):
11365 (JSC::MarkedSpace::clearMarks):
11366 * runtime/Options.h:
11367
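The retirement policy from the entry above (and the un-retire-before-removal concern in the worker-gc.html entry earlier on this page), as an added model that is not JSC's heap code: blocks whose free space drops below a threshold are retired and skipped by eden sweeps, allocation only considers non-retired blocks, and a full collection un-retires everything before sweeping. The scanned-cell counts make the saving the entry is after visible. Block sizes, live counts, the threshold and all names (`Block`, `Allocator`, `runScenario`) are constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model of a MarkedBlock: a fixed number of cells, some of them live.
struct Block {
    size_t cellCount;
    size_t liveCount;
    bool retired;   // retired blocks are skipped by eden sweeps
    size_t freeCells() const { return cellCount - liveCount; }
};

// Constructed model of a MarkedAllocator with the retirement policy from the entry.
struct Allocator {
    std::vector<Block> blocks;
    size_t retireThreshold;       // retire a block when its free cells drop below this
    size_t retiredFreeCells = 0;  // free space parked in retired blocks (what the heap is told about)

    Allocator(std::vector<Block> b, size_t threshold)
        : blocks(std::move(b)), retireThreshold(threshold) {}

    // Sweeping a block means scanning every cell to rebuild its free list; that scan
    // is the cost retirement avoids repeating. Returns the number of cells scanned.
    size_t sweepBlock(Block& b) {
        if (b.freeCells() < retireThreshold) {
            b.retired = true;
            retiredFreeCells += b.freeCells();
        }
        return b.cellCount;
    }

    // After an eden collection only non-retired blocks are swept.
    size_t sweepAfterEdenCollection() {
        size_t scanned = 0;
        for (Block& b : blocks)
            if (!b.retired) scanned += sweepBlock(b);
        return scanned;
    }

    // A full collection may have freed anything, so un-retire every block and sweep them all.
    size_t sweepAfterFullCollection() {
        retiredFreeCells = 0;
        size_t scanned = 0;
        for (Block& b : blocks) {
            b.retired = false;
            scanned += sweepBlock(b);
        }
        return scanned;
    }

    // Allocation only considers blocks that are still on the main (non-retired) list.
    bool allocateCell() {
        for (Block& b : blocks)
            if (!b.retired && b.freeCells() > 0) { ++b.liveCount; return true; }
        return false;
    }

    size_t retiredCount() const {
        size_t n = 0;
        for (const Block& b : blocks) n += b.retired ? 1 : 0;
        return n;
    }
};

struct ScenarioResult {
    size_t firstEdenScan, retiredAfterFirst, retiredFreeAfterFirst, secondEdenScan;
    size_t liveInBlock2AfterAlloc, fullScan, retiredAfterFull;
};

// Constructed scenario: four 64-cell blocks with 62, 63, 10 and 0 live cells and a
// retirement threshold of 4 free cells.
ScenarioResult runScenario() {
    Allocator a({ { 64, 62, false }, { 64, 63, false }, { 64, 10, false }, { 64, 0, false } }, 4);
    ScenarioResult r;
    r.firstEdenScan = a.sweepAfterEdenCollection();   // all 4 blocks scanned: 256 cells
    r.retiredAfterFirst = a.retiredCount();           // blocks 0 and 1 retire
    r.retiredFreeAfterFirst = a.retiredFreeCells;     // 2 + 1 free cells parked
    r.secondEdenScan = a.sweepAfterEdenCollection();  // only blocks 2 and 3: 128 cells
    a.allocateCell();                                 // lands in block 2, never in a retired block
    r.liveInBlock2AfterAlloc = a.blocks[2].liveCount;
    a.blocks[0].liveCount = 30;                       // objects in block 0 die before the full GC
    r.fullScan = a.sweepAfterFullCollection();        // everything un-retired and scanned
    r.retiredAfterFull = a.retiredCount();            // only block 1 is still "full enough"
    return r;
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("eden sweep #1 scanned %zu cells, retired %zu blocks (%zu free cells parked)\n",
                r.firstEdenScan, r.retiredAfterFirst, r.retiredFreeAfterFirst);
    std::printf("eden sweep #2 scanned %zu cells\n", r.secondEdenScan);
    std::printf("full sweep scanned %zu cells, %zu block(s) retired again\n", r.fullScan, r.retiredAfterFull);
    return 0;
}
```

The trade-off the model exposes is the parked free space: a retired block's few free cells are unusable until the next full collection, which is why the entry has the allocator report that size to the heap rather than silently losing it.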
113682014-03-11 Andreas Kling <akling@apple.com>
11369
11370 Streamline PropertyTable for lookup-only access.
11371 <https://webkit.org/b/130060>
11372
11373 The PropertyTable lookup algorithm was written to support both read
11374 and write access. This wasn't actually needed in most places.
11375
11376 This change adds a PropertyTable::get() that just returns the value
11377 type (instead of an insertion iterator.) It also adds an early return
11378 for empty tables.
11379
11380 Finally, up the minimum table capacity from 8 to 16. It was lowered
11381 to 8 in order to save memory, but that was before PropertyTables were
11382 GC allocated. Nowadays we don't have nearly as many tables, since all
11383 the unpinned transitions die off.
11384
11385 Reviewed by Darin Adler.
11386
11387 * runtime/PropertyMapHashTable.h:
11388 (JSC::PropertyTable::get):
11389 * runtime/Structure.cpp:
11390 (JSC::Structure::despecifyDictionaryFunction):
11391 (JSC::Structure::attributeChangeTransition):
11392 (JSC::Structure::get):
11393 (JSC::Structure::despecifyFunction):
11394 * runtime/StructureInlines.h:
11395 (JSC::Structure::get):
11396
113972014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11398
11399 REGRESSION(r165407): DoYouEvenBench crashes in DRT
11400 https://bugs.webkit.org/show_bug.cgi?id=130066
11401
11402 Reviewed by Geoffrey Garen.
11403
11404 The baseline JIT does a conditional store barrier for the put_by_id, but we need
11405 an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
11406
11407 * jit/JIT.h:
11408 * jit/JITPropertyAccess.cpp:
11409 (JSC::JIT::emit_op_put_by_id):
11410 (JSC::JIT::emitWriteBarrier):
11411
114122014-03-10 Mark Lam <mark.lam@apple.com>
11413
11414 Resurrect bit-rotted JIT::probe() mechanism.
11415 <https://webkit.org/b/130067>
11416
11417 Reviewed by Geoffrey Garen.
11418
11419 * jit/JITStubs.cpp:
11420 - Added the needed #include <wtf/InlineASM.h>.
11421
114222014-03-10 Joseph Pecoraro <pecoraro@apple.com>
11423
11424 Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
11425
11426 Rubber-stamped by Dan Bernstein.
11427
11428 * Configurations/JavaScriptCore.xcconfig:
11429
114302014-03-10 Mark Lam <mark.lam@apple.com>
11431
11432 r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
11433 <https://webkit.org/b/130065>
11434
11435 Reviewed by Michael Saboff.
11436
11437 There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
11438 being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
11439 FPRInfo::toIndex().
11440
11441 The fix is to remove the "result != InvalidIndex" assertions.
11442
11443 * jit/FPRInfo.h:
11444 (JSC::FPRInfo::toIndex):
11445 * jit/GPRInfo.h:
11446 (JSC::GPRInfo::toIndex):
11447
114482014-03-10 Mark Lam <mark.lam@apple.com>
11449
11450 Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
11451 <https://webkit.org/b/129955>
11452
11453 Reviewed by Geoffrey Garen.
11454
11455 The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
10456 of stack memory every time it was called. This is now fixed.
11457
11458 * jit/JITOperations.cpp:
11459
114602014-03-10 Joseph Pecoraro <pecoraro@apple.com>
11461
11462 Better JSContext API for named evaluations (other than //# sourceURL)
11463 https://bugs.webkit.org/show_bug.cgi?id=129911
11464
11465 Reviewed by Geoffrey Garen.
11466
11467 * API/JSBase.h:
11468 * API/JSContext.h:
11469 * API/JSContext.mm:
11470 (-[JSContext evaluateScript:]):
11471 (-[JSContext evaluateScript:withSourceURL:]):
11472 Add new evaluateScript:withSourceURL:.
11473
11474 * API/tests/testapi.c:
11475 (main):
11476 * API/tests/testapi.mm:
11477 (testObjectiveCAPI):
11478 Add tests for sourceURL in evaluate APIs. It should
11479 affect the exception objects.
11480
114812014-03-10 Filip Pizlo <fpizlo@apple.com>
11482
11483 Repatch should save and restore all used registers - not just temp ones - when making a call
11484 https://bugs.webkit.org/show_bug.cgi?id=130041
11485
11486 Reviewed by Geoffrey Garen and Mark Hahnenberg.
11487
11488 The save/restore code was written back when the only client was the DFG, which only uses a
11489 subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
11490 other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
11491 lead to data corruption on ARM64.
11492
11493 * jit/RegisterSet.cpp:
11494 (JSC::RegisterSet::calleeSaveRegisters):
11495 (JSC::RegisterSet::numberOfSetGPRs):
11496 (JSC::RegisterSet::numberOfSetFPRs):
11497 * jit/RegisterSet.h:
11498 * jit/Repatch.cpp:
11499 (JSC::storeToWriteBarrierBuffer):
11500 (JSC::emitPutTransitionStub):
11501 * jit/ScratchRegisterAllocator.cpp:
11502 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
11503 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
11504 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
11505 (JSC::ScratchRegisterAllocator::usedRegistersForCall):
11506 (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
11507 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
11508 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
11509 * jit/ScratchRegisterAllocator.h:
11510
115112014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11512
11513 Remove ConditionalStore barrier
11514 https://bugs.webkit.org/show_bug.cgi?id=130040
11515
11516 Reviewed by Geoffrey Garen.
11517
11518 ConditionalStoreBarrier was created when barriers were much more expensive. Now that
11519 they're cheap(er), we can get rid of them. This also allows us to get rid of the write
11520 barrier logic in emitPutTransitionStub because we always will have executed a write barrier
11521 on the base object in the case where we are allocating and storing a new Butterfly into it.
11522 Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
11523 so we'd have to emit a write barrier in the transition case.
11524
11525 This is performance neutral on the benchmarks we track.
11526
11527 * dfg/DFGAbstractInterpreterInlines.h:
11528 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11529 * dfg/DFGClobberize.h:
11530 (JSC::DFG::clobberize):
11531 * dfg/DFGConstantFoldingPhase.cpp:
11532 (JSC::DFG::ConstantFoldingPhase::foldConstants):
11533 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
11534 * dfg/DFGFixupPhase.cpp:
11535 (JSC::DFG::FixupPhase::fixupNode):
11536 (JSC::DFG::FixupPhase::insertStoreBarrier):
11537 * dfg/DFGNode.h:
11538 (JSC::DFG::Node::isStoreBarrier):
11539 * dfg/DFGNodeType.h:
11540 * dfg/DFGPredictionPropagationPhase.cpp:
11541 (JSC::DFG::PredictionPropagationPhase::propagate):
11542 * dfg/DFGSafeToExecute.h:
11543 (JSC::DFG::safeToExecute):
11544 * dfg/DFGSpeculativeJIT.cpp:
11545 (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
11546 * dfg/DFGSpeculativeJIT32_64.cpp:
11547 (JSC::DFG::SpeculativeJIT::compile):
11548 * dfg/DFGSpeculativeJIT64.cpp:
11549 (JSC::DFG::SpeculativeJIT::compile):
11550 * ftl/FTLCapabilities.cpp:
11551 (JSC::FTL::canCompile):
11552 * ftl/FTLLowerDFGToLLVM.cpp:
11553 (JSC::FTL::LowerDFGToLLVM::compileNode):
11554 * jit/Repatch.cpp:
11555 (JSC::emitPutTransitionStub):
11556
115572014-03-10 Filip Pizlo <fpizlo@apple.com>
11558
11559 DFG and FTL should know that comparing anything to Misc is cheap and easy
11560 https://bugs.webkit.org/show_bug.cgi?id=130001
11561
11562 Reviewed by Geoffrey Garen.
11563
11564 - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
11565 comparison is just Untyped:.
11566
11567 - This obviates the need for CompareStrictEqConstant, so remove it.
11568
11569 - FTL had a thing called "Nully" which is really "Other". Rename it and add
11570 OtherUse.
11571
11572 9% speed-up on box2d.
11573
11574 * dfg/DFGAbstractInterpreterInlines.h:
11575 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11576 * dfg/DFGByteCodeParser.cpp:
11577 (JSC::DFG::ByteCodeParser::parseBlock):
11578 * dfg/DFGClobberize.h:
11579 (JSC::DFG::clobberize):
11580 * dfg/DFGFixupPhase.cpp:
11581 (JSC::DFG::FixupPhase::fixupNode):
11582 * dfg/DFGNode.h:
11583 (JSC::DFG::Node::isBinaryUseKind):
11584 (JSC::DFG::Node::shouldSpeculateOther):
11585 * dfg/DFGNodeType.h:
11586 * dfg/DFGPredictionPropagationPhase.cpp:
11587 (JSC::DFG::PredictionPropagationPhase::propagate):
11588 * dfg/DFGSafeToExecute.h:
11589 (JSC::DFG::safeToExecute):
11590 * dfg/DFGSpeculativeJIT.cpp:
11591 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
11592 (JSC::DFG::SpeculativeJIT::compare):
11593 (JSC::DFG::SpeculativeJIT::compileStrictEq):
11594 * dfg/DFGSpeculativeJIT.h:
11595 * dfg/DFGSpeculativeJIT32_64.cpp:
11596 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
11597 (JSC::DFG::SpeculativeJIT::compile):
11598 * dfg/DFGSpeculativeJIT64.cpp:
11599 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
11600 (JSC::DFG::SpeculativeJIT::compile):
11601 * ftl/FTLCapabilities.cpp:
11602 (JSC::FTL::canCompile):
11603 * ftl/FTLLowerDFGToLLVM.cpp:
11604 (JSC::FTL::LowerDFGToLLVM::compileNode):
11605 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
11606 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
11607 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
11608 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
11609 (JSC::FTL::LowerDFGToLLVM::isNotOther):
11610 (JSC::FTL::LowerDFGToLLVM::isOther):
11611 (JSC::FTL::LowerDFGToLLVM::speculate):
11612 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
11613 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
11614 (JSC::FTL::LowerDFGToLLVM::speculateOther):
11615 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
11616 * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
11617
116182014-03-10 Filip Pizlo <fpizlo@apple.com>
11619
11620 Unreviewed, remove unintended change.
11621
11622 * dfg/DFGDriver.cpp:
11623 (JSC::DFG::compileImpl):
11624
116252014-03-10 Filip Pizlo <fpizlo@apple.com>
11626
11627 jsc commandline shouldn't have a "console" because that confuses some tests into thinking
11628 that they're running in the browser.
11629
11630 Rubber stamped by Mark Hahnenberg.
11631
11632 * jsc.cpp:
11633 (GlobalObject::finishCreation):
11634
116352014-03-10 Filip Pizlo <fpizlo@apple.com>
11636
11637 Out-line ScratchRegisterAllocator
11638
11639 Rubber stamped by Mark Hahnenberg.
11640
11641 * CMakeLists.txt:
11642 * GNUmakefile.list.am:
11643 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11644 * JavaScriptCore.xcodeproj/project.pbxproj:
11645 * dfg/DFGDriver.cpp:
11646 (JSC::DFG::compileImpl):
11647 * jit/ScratchRegisterAllocator.cpp: Added.
11648 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
11649 (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
11650 (JSC::ScratchRegisterAllocator::lock):
11651 (JSC::ScratchRegisterAllocator::allocateScratch):
11652 (JSC::ScratchRegisterAllocator::allocateScratchGPR):
11653 (JSC::ScratchRegisterAllocator::allocateScratchFPR):
11654 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
11655 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
11656 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
11657 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
11658 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
11659 * jit/ScratchRegisterAllocator.h:
11660
116612014-03-10 Brent Fulgham <bfulgham@apple.com>
11662
11663 [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
11664 https://bugs.webkit.org/show_bug.cgi?id=130023
11665
11666 Reviewed by Dean Jackson.
11667
11668 * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
11669 path names to avoid accidental escaping of later string substitutions.
11670
116712014-03-10 Andreas Kling <akling@apple.com>
11672
11673 [X86_64] Smaller code for testb_i8r when register is accumulator.
11674 <https://webkit.org/b/130026>
11675
11676 Generate the shorthand version of "test al, imm" when possible.
11677
11678 Reviewed by Michael Saboff.
11679
11680 * assembler/X86Assembler.h:
11681 (JSC::X86Assembler::testb_i8r):
11682
116832014-03-10 Andreas Kling <akling@apple.com>
11684
11685 [X86_64] Smaller code for sub_ir when register is accumulator.
11686 <https://webkit.org/b/130025>
11687
11688 Generate the shorthand version of "sub eax, imm" when possible.
11689
11690 Reviewed by Michael Saboff.
11691
11692 * assembler/X86Assembler.h:
11693 (JSC::X86Assembler::subl_ir):
11694 (JSC::X86Assembler::subq_ir):
11695
116962014-03-10 Andreas Kling <akling@apple.com>
11697
11698 [X86_64] Smaller code for add_ir when register is accumulator.
11699 <https://webkit.org/b/130024>
11700
11701 Generate the shorthand version of "add eax, imm" when possible.
11702
11703 Reviewed by Michael Saboff.
11704
11705 * assembler/X86Assembler.h:
11706 (JSC::X86Assembler::addl_ir):
11707 (JSC::X86Assembler::addq_ir):
11708
117092014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
11710
11711 writeBarrier in emitPutReplaceStub is unnecessary
11712 https://bugs.webkit.org/show_bug.cgi?id=130030
11713
11714 Reviewed by Filip Pizlo.
11715
11716 We already emit write barriers for each put-by-id when they're first compiled, so it's
11717 redundant to emit a write barrier as part of the repatched code.
11718
11719 * jit/Repatch.cpp:
11720 (JSC::emitPutReplaceStub):
11721
117222014-03-10 Andreas Kling <akling@apple.com>
11723
11724 [X86_64] Smaller code for xor_ir when register is accumulator.
11725 <https://webkit.org/b/130008>
11726
11727 Generate the shorthand version of "xor eax, imm" when possible.
11728
11729 Reviewed by Benjamin Poulain.
11730
11731 * assembler/X86Assembler.h:
11732 (JSC::X86Assembler::xorl_ir):
11733 (JSC::X86Assembler::xorq_ir):
11734
117352014-03-10 Andreas Kling <akling@apple.com>
11736
11737 [X86_64] Smaller code for or_ir when register is accumulator.
11738 <https://webkit.org/b/130007>
11739
11740 Generate the shorthand version of "or eax, imm" when possible.
11741
11742 Reviewed by Benjamin Poulain.
11743
11744 * assembler/X86Assembler.h:
11745 (JSC::X86Assembler::orl_ir):
11746 (JSC::X86Assembler::orq_ir):
11747
117482014-03-10 Andreas Kling <akling@apple.com>
11749
11750 [X86_64] Smaller code for test_ir when register is accumulator.
11751 <https://webkit.org/b/130006>
11752
11753 Generate the shorthand version of "test eax, imm" when possible.
11754
11755 Reviewed by Benjamin Poulain.
11756
11757 * assembler/X86Assembler.h:
11758 (JSC::X86Assembler::testl_i32r):
11759 (JSC::X86Assembler::testq_i32r):
11760
117612014-03-10 Andreas Kling <akling@apple.com>
11762
11763 [X86_64] Smaller code for cmp_ir when register is accumulator.
11764 <https://webkit.org/b/130005>
11765
11766 Generate the shorthand version of "cmp eax, imm" when possible.
11767
11768 Reviewed by Benjamin Poulain.
11769
11770 * assembler/X86Assembler.h:
11771 (JSC::X86Assembler::cmpl_ir):
11772 (JSC::X86Assembler::cmpq_ir):
11773
117742014-03-10 Andreas Kling <akling@apple.com>
11775
11776 [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
11777 <https://webkit.org/b/130002>
11778
11779 Generate this:
11780
11781 mov [address], imm32
11782
11783 Instead of this:
11784
11785 mov scratchRegister, imm32
11786 mov [address], scratchRegister
11787
11788 For store64(imm, address) where the 64-bit immediate can be passed as
11789 a sign-extended 32-bit value.
11790
11791 Reviewed by Benjamin Poulain.
11792
11793 * assembler/MacroAssemblerX86_64.h:
11794 (CAN_SIGN_EXTEND_32_64):
11795 (JSC::MacroAssemblerX86_64::store64):
11796
117972014-03-10 Andreas Kling <akling@apple.com>
11798
11799 [X86_64] Smaller code for xchg_rr when one register is accumulator.
11800 <https://webkit.org/b/130004>
11801
11802 Generate the 1-byte version of "xchg eax, reg" when possible.
11803
11804 Reviewed by Benjamin Poulain.
11805
11806 * assembler/X86Assembler.h:
11807 (JSC::X86Assembler::xchgl_rr):
11808 (JSC::X86Assembler::xchgq_rr):
11809
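The X86_64 entries above (accumulator short forms for add/or/sub/xor/cmp/test/xchg and the sign-extended imm32 path in store64) name encodings without showing them. The following is an added example, not JavaScriptCore's X86Assembler: it emits each instruction in the generic form and in the short form, so the byte savings and the CAN_SIGN_EXTEND_32_64 predicate can be checked. The Reg enum, AluOp table, helper names and g_code buffer are this example's own; the opcode bytes are the Intel encodings.

```c
/* Added example (not JavaScriptCore code): the "register is accumulator" short
 * forms and the sign-extended imm32 check from the X86_64 ChangeLog entries. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum Reg { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* One ALU operation: its 1-byte "op eax, imm32" opcode (no ModRM byte needed) and
 * the /digit that selects it in the generic "81 /digit id" encoding. */
struct AluOp { const char *name; uint8_t eax_opcode; uint8_t digit; };

static const struct AluOp ADD = { "add", 0x05, 0 };
static const struct AluOp OR  = { "or",  0x0D, 1 };
static const struct AluOp SUB = { "sub", 0x2D, 5 };
static const struct AluOp XOR = { "xor", 0x35, 6 };
static const struct AluOp CMP = { "cmp", 0x3D, 7 };

uint8_t g_code[16]; /* scratch output buffer for the demo and the checks */

static size_t put_imm32(uint8_t *out, int32_t imm)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)((uint32_t)imm >> (8 * i)); /* little-endian */
    return 4;
}

/* "op r32, imm32" (addl_ir, orl_ir, subl_ir, xorl_ir, cmpl_ir): 5 bytes for eax, 6 otherwise. */
size_t encode_alu_ir(uint8_t *out, const struct AluOp *op, enum Reg dst, int32_t imm)
{
    size_t n = 0;
    if (dst == EAX)
        out[n++] = op->eax_opcode;                            /* e.g. 05 id */
    else {
        out[n++] = 0x81;                                      /* 81 /digit id */
        out[n++] = (uint8_t)(0xC0 | (op->digit << 3) | dst);  /* ModRM: mod=11 reg=/digit rm=dst */
    }
    return n + put_imm32(out + n, imm);
}

/* "test r32, imm32" (testl_i32r): A9 id for eax, F7 /0 id otherwise. */
size_t encode_test_i32r(uint8_t *out, enum Reg dst, int32_t imm)
{
    size_t n = 0;
    if (dst == EAX)
        out[n++] = 0xA9;
    else {
        out[n++] = 0xF7;
        out[n++] = (uint8_t)(0xC0 | dst);
    }
    return n + put_imm32(out + n, imm);
}

/* "test r8, imm8" (testb_i8r): A8 ib for al, F6 /0 ib otherwise. Only al..bl are
 * handled here; selecting spl..dil needs a REX prefix, which this example omits. */
size_t encode_test_i8r(uint8_t *out, enum Reg dst, uint8_t imm)
{
    size_t n = 0;
    if (dst == EAX)
        out[n++] = 0xA8;
    else {
        out[n++] = 0xF6;
        out[n++] = (uint8_t)(0xC0 | dst);
    }
    out[n++] = imm;
    return n;
}

/* "xchg r32, r32" (xchgl_rr): 1-byte 90+rd when either side is eax, 87 /r otherwise. */
size_t encode_xchg_rr(uint8_t *out, enum Reg a, enum Reg b)
{
    if (a == EAX || b == EAX) {
        out[0] = (uint8_t)(0x90 | (a == EAX ? b : a));
        return 1;
    }
    out[0] = 0x87;
    out[1] = (uint8_t)(0xC0 | (a << 3) | b);
    return 2;
}

/* CAN_SIGN_EXTEND_32_64: a 64-bit immediate may be stored as imm32 (REX.W mov [addr], imm32
 * sign-extends it) only if its low 32 bits sign-extend back to the original value. */
int can_sign_extend_32_64(int64_t value)
{
    return value == (int64_t)(int32_t)value;
}

int main(void)
{
    enum Reg regs[2] = { EAX, ECX };
    for (int i = 0; i < 2; i++) {
        size_t n = encode_alu_ir(g_code, &ADD, regs[i], 0x1234);
        printf("add r%d, 0x1234 -> %zu bytes:", (int)regs[i], n);
        for (size_t j = 0; j < n; j++) printf(" %02x", g_code[j]);
        printf("\n");
    }
    printf("0x7fffffff fits imm32: %d, 0x80000000 fits: %d\n",
        can_sign_extend_32_64(0x7fffffffLL), can_sign_extend_32_64(0x80000000LL));
    return 0;
}
```
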
2014-03-09 Filip Pizlo <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.

        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09 Filip Pizlo <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.

        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.

        Remove the FIXME and remove the extra checks in the FTL.

        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09 Andreas Kling <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09 Andreas Kling <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08 Mark Lam <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame. This edge case was handled in the 64-bit version. The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07 Mark Lam <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places. Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07 Andrew Trick <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07 Michael Saboff <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07 Oliver Hunt <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07 peavo@outlook.com <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07 Michael Saboff <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
        configuration issue.

        Reviewed by Michael Saboff.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07 Andrew Trick <atrick@apple.com>

        Correct a comment typo from:
        FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

2014-03-07 Andrew Trick <atrick@apple.com>

        FTL should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06 Filip Pizlo <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06 Joseph Pecoraro <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add a Copy Resources build phase and include framework.sb.

        * Configurations/JavaScriptCore.xcconfig:
        Do not copy framework.sb on iOS.

2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>

        JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=129858

        Reviewed by Mark Lam.

        It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
        but now it ends up overwriting the IdentifierTable that JSLock just restored.

        * API/JSContextRef.cpp:
        (JSGlobalContextRelease):

2014-03-06 Oliver Hunt <oliver@apple.com>

        Fix FTL build.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06 Brent Fulgham <bfulgham@apple.com>

        Unreviewed build fix after r165128.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
        performing 'Production' and 'DebugSuffix' type builds.

2014-03-06 Julien Brianceau <jbriance@cisco.com>

        Unreviewed, fix style in my previous commit.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        * runtime/JSConsole.cpp:

2014-03-06 Julien Brianceau <jbriance@cisco.com>

        Build fix: add missing include in JSConsole.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        Reviewed by Oliver Hunt.

        * runtime/JSConsole.cpp:

2014-03-06 Oliver Hunt <oliver@apple.com>

        Fix ARMv7

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r165196.
        http://trac.webkit.org/changeset/165196
        https://bugs.webkit.org/show_bug.cgi?id=129822

        broke arm64 on hardware (Requested by bfulgham on #webkit).

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06 Mark Lam <mark.lam@apple.com>

        REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
        <https://webkit.org/b/129813>

        Reviewed by Michael Saboff.

        Fixed broken C loop LLINT build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2014-03-03 Oliver Hunt <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-06 Filip Pizlo <fpizlo@apple.com>

        FTL arity fixup should work on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129810

        Reviewed by Michael Saboff.

        - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
        callee-save.

        - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.

        This makes some more tests pass.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::prologueStackPointerDelta):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.

2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>

        Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
        https://bugs.webkit.org/show_bug.cgi?id=129760

        Reviewed by Geoffrey Garen.

        r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
        The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        * jit/Repatch.cpp:
        (JSC::writeBarrier):

2014-03-06 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127944

        Reviewed by Geoffrey Garen.

        Always expose the Console object in JSContexts, just like we
        do for web pages. The default behavior will route to an
        attached JSContext inspector. This can be overridden by
        setting the ConsoleClient on the JSGlobalObject, which WebCore
        does to get slightly different behavior.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Update build systems.

        * API/tests/testapi.js:
        * API/tests/testapi.mm:
        Test that "console" exists in C and ObjC contexts.

        * runtime/ConsoleClient.cpp: Added.
        (JSC::ConsoleClient::printURLAndPosition):
        (JSC::ConsoleClient::printMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h: Added.
        (JSC::ConsoleClient::~ConsoleClient):
        New private interface for handling the console object's methods.
        A lot of the methods funnel through messageWithTypeAndLevel.

        * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
        Moved to JSC namespace.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Create the "console" object when initializing the environment.
        Also set the default console client to be the JS context inspector.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient):
        (JSC::JSGlobalObject::consoleClient):
        Ability to change the console client, so WebCore can set a custom client.

        * runtime/ConsolePrototype.cpp: Added.
        (JSC::ConsolePrototype::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/ConsolePrototype.h: Added.
        (JSC::ConsolePrototype::create):
        (JSC::ConsolePrototype::createStructure):
12413 (JSC::ConsolePrototype::ConsolePrototype):
12414 Define the console object interface. Parse out required / expected
12415 arguments and throw expcetions when methods are misused.
12416
12417 * runtime/JSConsole.cpp: Added.
12418 * runtime/JSConsole.h: Added.
12419 (JSC::JSConsole::createStructure):
12420 (JSC::JSConsole::create):
12421 (JSC::JSConsole::JSConsole):
12422 Empty "console" object. Everything is in the prototype.
12423
12424 * inspector/JSConsoleClient.cpp: Added.
12425 (Inspector::JSConsoleClient::JSGlobalObjectConsole):
12426 (Inspector::JSConsoleClient::count):
12427 (Inspector::JSConsoleClient::profile):
12428 (Inspector::JSConsoleClient::profileEnd):
12429 (Inspector::JSConsoleClient::time):
12430 (Inspector::JSConsoleClient::timeEnd):
12431 (Inspector::JSConsoleClient::timeStamp):
12432 (Inspector::JSConsoleClient::warnUnimplemented):
12433 (Inspector::JSConsoleClient::internalAddMessage):
12434 * inspector/JSConsoleClient.h: Added.
12435 * inspector/JSGlobalObjectInspectorController.cpp:
12436 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
12437 (Inspector::JSGlobalObjectInspectorController::consoleClient):
12438 * inspector/JSGlobalObjectInspectorController.h:
12439 Default JSContext ConsoleClient implementation. Handle nearly
12440 everything exception profile/profileEnd and timeStamp.
12441
2014-03-06 Andreas Kling <akling@apple.com>

        Drop unlinked function code on memory pressure.
        <https://webkit.org/b/129789>

        Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
        are not currently being compiled.

        4.5 MB progression on Membuster.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-06 Filip Pizlo <fpizlo@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Reviewed by Michael Saboff.

        Previously we had two different places that defined what "stack" registers are, a thing
        called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
        "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
        one place and had a baked-in notion of what it meant for a register to be "real" or not.

        It's not cool to use words like "real" and "special" to describe registers, especially if you
        fail to qualify what that means. This originally made sense on X86 - "real" registers were
        the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
        you also have to worry about the LR register, which we'd want to say is "not real" but it's
        also not a "stack" register. This got super confusing.

        So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
        a "stack" register, and uses the word special only in places where it's clearly defined and
        where no better word comes to mind.

        This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
        Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
        magically didn't break anything because you never need to save/restore either FP or Q0, but
        it was still super weird.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix build.

        * disassembler/ARM64Disassembler.cpp:

2014-03-06 Filip Pizlo <fpizlo@apple.com>

        Use the LLVM disassembler on ARM64 if we are enabling the FTL
        https://bugs.webkit.org/show_bug.cgi?id=129785

        Reviewed by Geoffrey Garen.

        Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
        is strictly more capable at this point. Use it if it's available.

        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):

2014-03-05 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Reduce RWI message frequency
        https://bugs.webkit.org/show_bug.cgi?id=129767

        Reviewed by Timothy Hatcher.

        This used to be 0.2s and changed by accident to 0.02s.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::pushListingSoon):

2014-03-05 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r165141, r165157, and r165158.
        http://trac.webkit.org/changeset/165141
        http://trac.webkit.org/changeset/165157
        http://trac.webkit.org/changeset/165158
        https://bugs.webkit.org/show_bug.cgi?id=129772

        "broke ftl" (Requested by olliej_ on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheable):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Prevent possible deadlock in view indication
        https://bugs.webkit.org/show_bug.cgi?id=129766

        Reviewed by Geoffrey Garen.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage):

2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>

        JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=129754

        Reviewed by Geoffrey Garen.

        InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.

        * runtime/JSCell.h:
        (JSC::JSCell::inlineTypeFlags):
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):

2014-03-05 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
        https://bugs.webkit.org/show_bug.cgi?id=129763

        Reviewed by Geoffrey Garen.

        Clear the list of all breakpoints, including unresolved breakpoints.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):

2014-03-05 Mark Lam <mark.lam@apple.com>

        llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
        <https://webkit.org/b/129768>

        Reviewed by Mark Hahnenberg.

        When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
        and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
        path llint_slow_path_check_has_instance(), and execute a code path that does the
        following:
        1. Adjusts the byte code PC to the jump target PC.
        2. For the purpose of storing the result, get the result registerIndex from the
           1st operand using the PC as if the PC is still pointing to op_check_has_instance
           bytecode.

        The result is that whatever value resides after where the jump target PC is will
        be used as a result register value. Depending on what that value is, the result
        can be:
        1. the code coincidentally works correctly
        2. memory corruption
        3. crashes

        The fix is to only adjust the byte code PC after we have stored the result.

        * llint/LLIntSlowPaths.cpp:
        (llint_slow_path_check_has_instance):

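The ordering bug described in the entry above, reduced to a toy interpreter so the consequence is visible. This is an added illustration, not code from JavaScriptCore: the five-word instruction layout, the opcode names, and the `Frame` struct are all constructed here and do not match the real `op_check_has_instance` encoding. The buggy slow path moves `pc` to the jump target and then reads the destination operand through the moved `pc`, so the store is directed by whatever word follows the target instruction; the fixed path reads the operand first and jumps afterwards.

```cpp
#include <cstddef>
#include <vector>

// Constructed, simplified bytecode layout (not JSC's real encoding):
// [opcode, dstRegister, valueRegister, baseRegister, jumpOffset]
enum Opcode : int { OP_CHECK_HAS_INSTANCE = 1, OP_OTHER = 2 };

struct Frame {
    std::vector<int> registers;   // virtual register file
    const int* pc;                // current bytecode position
};

// Buggy slow path: adjusts pc to the jump target first, then reads the "dst"
// operand through the moved pc. The operand it reads belongs to whatever
// instruction sits at the jump target, so the store lands in an unrelated
// register, or outside the register file if that word is not a valid index.
// Returns the register index written, or -1 when the index is out of range
// (this demo refuses to write out of bounds; the real code had no such check).
int checkHasInstanceBuggy(Frame& frame, int result) {
    const int* pc = frame.pc;
    pc += pc[4];                              // 1. move pc to the jump target
    int dst = pc[1];                          // 2. operand read from the wrong instruction
    frame.pc = pc;
    if (dst < 0 || static_cast<size_t>(dst) >= frame.registers.size())
        return -1;
    frame.registers[dst] = result;
    return dst;
}

// Fixed slow path: store the result through the unadjusted pc, then jump.
int checkHasInstanceFixed(Frame& frame, int result) {
    const int* pc = frame.pc;
    int dst = pc[1];                          // pc still points at op_check_has_instance
    frame.registers[dst] = result;
    frame.pc = pc + pc[4];                    // only now adjust pc to the jump target
    return dst;
}

// Runs one constructed program: op_check_has_instance at word 0 with dst=2 and a
// jump of 5 words, landing on an OP_OTHER whose first operand word is 7.
// Returns the register index the slow path actually wrote.
int runDemo(bool fixed) {
    static const int bytecode[] = {
        OP_CHECK_HAS_INSTANCE, 2, 0, 1, 5,   // dst=r2, value=r0, base=r1, jump +5
        OP_OTHER, 7, 0, 0, 0,                // the instruction at the jump target
    };
    Frame frame{ std::vector<int>(8, 0), bytecode };
    return fixed ? checkHasInstanceFixed(frame, 1) : checkHasInstanceBuggy(frame, 1);
}
```

With this program the fixed path writes r2 as the bytecode intends, while the buggy path writes r7 because 7 is the word after the target opcode; had that word been, say, 4096, the buggy path would have written past the register file, which is the memory-corruption case the entry lists.
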
2014-03-05 Ryosuke Niwa <rniwa@webkit.org>

        Another build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05 Ryosuke Niwa <rniwa@webkit.org>

        FTL build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05 Gavin Barraclough <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03 Oliver Hunt <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set

        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
        barrier, we only want to take the slow path if the object being stored to is in state #2.
        We'd like to make the test for state #2 as fast as possible, which means making it a
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

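A worked illustration of the three-state encoding the entry above describes, written for this page rather than taken from JSC: the enumerator values, the `Cell`/`Heap` structs and the `demoSlowPathCount` driver are all assumptions made here. The point is the choice of zero for "marked but not remembered", the one state in which a store must take the slow path, so the barrier's fast path is a single compare of the mark byte against 0; the remembered-set bookkeeping around it is a simplified simulation of what `addToRememberedSet` and `clearRememberedSet` do.

```cpp
#include <cstdint>
#include <vector>

// Assumed encoding (constructed for this example, not copied from JSC):
// the state the barrier must act on is the zero value.
enum GCState : uint8_t {
    MarkedNotRemembered = 0,   // state #2 in the entry: reachable, not yet queued for rescan
    NotMarked = 1,             // state #1: the collector will scan it anyway
    MarkedAndRemembered = 2,   // state #3: already queued for rescan
};

struct Cell {
    uint8_t gcData = NotMarked;   // freshly allocated cells start unmarked
    bool isMarked() const { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    unsigned slowPathCalls = 0;

    // Slow path: record the cell so the next collection rescans its fields.
    void addToRememberedSet(Cell* cell) {
        ++slowPathCalls;
        cell->gcData = MarkedAndRemembered;
        rememberedSet.push_back(cell);
    }

    // Write barrier run on every store into `owner`. Only a marked-but-not-
    // remembered owner needs the slow path, and with the encoding above that
    // test is one compare against 0.
    void writeBarrier(Cell* owner) {
        if (owner->gcData != MarkedNotRemembered)
            return;                          // fast path
        addToRememberedSet(owner);
    }

    // Marking moves a reachable cell to "marked, not remembered".
    static void mark(Cell* cell) { cell->gcData = MarkedNotRemembered; }

    // Draining the remembered set returns its cells to plain "marked".
    void clearRememberedSet() {
        for (Cell* cell : rememberedSet)
            cell->gcData = MarkedNotRemembered;
        rememberedSet.clear();
    }
};

// Walks one cell through the states and reports how often the slow path ran.
unsigned demoSlowPathCount() {
    Heap heap;
    Cell cell;
    heap.writeBarrier(&cell);       // NotMarked: fast path
    Heap::mark(&cell);
    heap.writeBarrier(&cell);       // MarkedNotRemembered: slow path, now remembered
    heap.writeBarrier(&cell);       // MarkedAndRemembered: fast path
    heap.clearRememberedSet();      // back to MarkedNotRemembered
    heap.writeBarrier(&cell);       // slow path again
    return heap.slowPathCalls;
}

// State of a cell after marking and one barrier, for inspection.
bool demoRememberedAfterBarrier() {
    Heap heap;
    Cell cell;
    Heap::mark(&cell);
    heap.writeBarrier(&cell);
    return cell.isMarked() && cell.isRemembered() && heap.rememberedSet.size() == 1;
}
```

Four stores reach the barrier in `demoSlowPathCount` but only two take the slow path, the two made while the cell was marked and not yet remembered; every other state is rejected by the single compare.
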
2014-03-05 Filip Pizlo <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.

        - Be more defensive about inline caches that have degenerate chains.

        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756

        - Don't even emit intrinsic declarations on non-x86 platforms.

        - More debug printing support.

        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05 peavo@outlook.com <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

2014-03-05 Michael Saboff <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes. All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

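An added example of the byte-assembly approach the entry above describes, written for this page and not taken from JSDataViewPrototype.cpp. Where the entry mentions a union, this version copies the assembled bytes with `std::memcpy`, which is the portable C++ equivalent; the function names `getData`/`setData` follow the entry, but their signatures, the bounds check (DataView reports an out-of-range access as a RangeError; here it is a `std::out_of_range`) and the `kSample` buffer are assumptions made for the example. Every access to the backing buffer is a single byte, so an offset that is misaligned for the requested type is safe on architectures that fault on unaligned loads.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>

// Host byte order, determined at run time so the code stays portable.
inline bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t first;
    std::memcpy(&first, &probe, 1);
    return first == 1;
}

// Read a T at byteOffset, assembling it byte by byte. Only byte loads touch
// the buffer, so the offset may be unaligned for T on any architecture.
template <typename T>
T getData(const uint8_t* buffer, size_t length, size_t byteOffset, bool littleEndian) {
    if (byteOffset > length || sizeof(T) > length - byteOffset)
        throw std::out_of_range("DataView access out of bounds");
    uint8_t bytes[sizeof(T)];
    for (size_t i = 0; i < sizeof(T); ++i) {
        // Reverse the byte order when the requested endianness differs from the host's.
        size_t src = (littleEndian == hostIsLittleEndian()) ? i : sizeof(T) - 1 - i;
        bytes[i] = buffer[byteOffset + src];
    }
    T value;
    std::memcpy(&value, bytes, sizeof(T));
    return value;
}

// Write a T at byteOffset by disassembling it into bytes, same rules as getData.
template <typename T>
void setData(uint8_t* buffer, size_t length, size_t byteOffset, T value, bool littleEndian) {
    if (byteOffset > length || sizeof(T) > length - byteOffset)
        throw std::out_of_range("DataView access out of bounds");
    uint8_t bytes[sizeof(T)];
    std::memcpy(bytes, &value, sizeof(T));
    for (size_t i = 0; i < sizeof(T); ++i) {
        size_t dst = (littleEndian == hostIsLittleEndian()) ? i : sizeof(T) - 1 - i;
        buffer[byteOffset + dst] = bytes[i];
    }
}

// Constructed sample buffer: a float (00 00 80 3F = 1.0f little-endian) at the
// unaligned offset 1, followed by the two bytes 12 34.
static const uint8_t kSample[7] = { 0xAA, 0x00, 0x00, 0x80, 0x3F, 0x12, 0x34 };

float demoReadFloatAtOffset1() { return getData<float>(kSample, sizeof kSample, 1, true); }
uint16_t demoReadU16(bool littleEndian) { return getData<uint16_t>(kSample, sizeof kSample, 5, littleEndian); }

// A 4-byte read at offset 4 of a 7-byte buffer must be rejected, not read past the end.
bool demoOutOfRangeRejected() {
    try {
        (void)getData<uint32_t>(kSample, sizeof kSample, 4, true);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Write big-endian at an unaligned offset, check the byte layout, read it back.
uint32_t demoRoundTripBigEndian() {
    uint8_t buf[8] = { 0 };
    setData<uint32_t>(buf, sizeof buf, 3, 0xDEADBEEFu, false);
    if (buf[3] != 0xDE || buf[4] != 0xAD || buf[5] != 0xBE || buf[6] != 0xEF)
        return 0;
    return getData<uint32_t>(buf, sizeof buf, 3, false);
}
```

The bounds check is written as `sizeof(T) > length - byteOffset` after confirming `byteOffset <= length`, so the subtraction cannot wrap; the more natural `byteOffset + sizeof(T) > length` can overflow for a hostile offset and let a read past the buffer through.
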
2014-03-05 Filip Pizlo <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.

        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".

        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.

        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.

        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.

        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.

        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05 Anders Carlsson <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should should GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>

        Use range-based loops where possible in Heap methods
        https://bugs.webkit.org/show_bug.cgi?id=129513

        Reviewed by Mark Lam.

        Replace old school iterator based loops with the new range-based loop hotness
        for a better tomorrow.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-04 Filip Pizlo <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.

        Rolling this back in after fixing an assertion failure. speculateMisc() should have
        said DFG_TYPE_CHECK instead of typeCheck.

        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.

        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.

        This also improves constant folding of CompareStrictEq and CompareEq.

        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.

        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r165085.
        http://trac.webkit.org/changeset/165085
        https://bugs.webkit.org/show_bug.cgi?id=129729

        Broke imported/w3c/html-templates/template-element/template-content.html
        (Requested by ap on #webkit).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
13176 (JSC::DFG::Node::shouldSpeculateBoolean):
13177 * dfg/DFGSafeToExecute.h:
13178 (JSC::DFG::SafeToExecuteEdge::operator()):
13179 * dfg/DFGSpeculativeJIT.cpp:
13180 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13181 (JSC::DFG::SpeculativeJIT::speculate):
13182 * dfg/DFGSpeculativeJIT.h:
13183 * dfg/DFGSpeculativeJIT32_64.cpp:
13184 * dfg/DFGSpeculativeJIT64.cpp:
13185 * dfg/DFGUseKind.cpp:
13186 (WTF::printInternal):
13187 * dfg/DFGUseKind.h:
13188 (JSC::DFG::typeFilterFor):
13189 * ftl/FTLCapabilities.cpp:
13190 (JSC::FTL::canCompile):
13191 * ftl/FTLLowerDFGToLLVM.cpp:
13192 (JSC::FTL::LowerDFGToLLVM::compileNode):
13193 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13194 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13195 (JSC::FTL::LowerDFGToLLVM::speculate):
13196 * tests/stress/float32-array-out-of-bounds.js: Removed.
13197 * tests/stress/weird-equality-folding-cases.js: Removed.
13198
131992014-03-04 Brian Burg <bburg@apple.com>
13200
13201 Inspector does not restore breakpoints after a page reload
13202 https://bugs.webkit.org/show_bug.cgi?id=129655
13203
13204 Reviewed by Joseph Pecoraro.
13205
13206 Fix a regression introduced by r162096 that erroneously removed
13207 the inspector backend's mapping of files to breakpoints whenever the
13208 global object was cleared.
13209
13210 The inspector's breakpoint mappings should only be cleared when the
13211 debugger agent is disabled or destroyed. We should only clear the
13212 debugger's breakpoint state when the global object is cleared.
13213
13214 To make it clearer what state is being cleared, the two cases have
13215 been split into separate methods.
13216
13217 * inspector/agents/InspectorDebuggerAgent.cpp:
13218 (Inspector::InspectorDebuggerAgent::disable):
13219 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
13220 (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
13221 (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
13222 * inspector/agents/InspectorDebuggerAgent.h:
13223
132242014-03-04 Andreas Kling <akling@apple.com>
13225
13226 Streamline JSValue::get().
13227 <https://webkit.org/b/129720>
13228
13229 Fetch each Structure and VM only once when walking the prototype chain
13230 in JSObject::getPropertySlot(), then pass it along to the functions
13231 we call from there, so they don't have to re-fetch it.
13232
13233 Reviewed by Geoff Garen.
13234
13235 * runtime/JSObject.h:
13236 (JSC::JSObject::inlineGetOwnPropertySlot):
13237 (JSC::JSObject::fastGetOwnPropertySlot):
13238 (JSC::JSObject::getPropertySlot):
13239
132402014-03-01 Filip Pizlo <fpizlo@apple.com>
13241
13242 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13243 https://bugs.webkit.org/show_bug.cgi?id=129563
13244
13245 Reviewed by Geoffrey Garen.
13246
13247 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13248 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13249 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13250 comparing undefined, null, and booleans to each other.
13251
13252 This also adds support for miscellaneous things that I needed to make my various test
13253 cases work. This includes comparison over booleans and the various Throw-related node
13254 types.
13255
13256 This also improves constant folding of CompareStrictEq and CompareEq.
13257
13258 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13259 based on profiling, which caused some downstream badness. We don't actually support
13260 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13261 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13262 shouldn't factor out the bounds check since the access is not InBounds but then the
13263 backend would ignore the flag and assume that the bounds check was already emitted.
13264 This showed up on an existing test but I added a test for this explicitly to have more
13265 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13266 that we'll have a bounds check anyway.
13267
13268 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13269 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13270 still a lot more coverage work to be done there.
13271
13272 * bytecode/SpeculatedType.cpp:
13273 (JSC::speculationToAbbreviatedString):
13274 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
13275 (JSC::valuesCouldBeEqual):
13276 * bytecode/SpeculatedType.h:
13277 (JSC::isMiscSpeculation):
13278 * dfg/DFGAbstractInterpreterInlines.h:
13279 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13280 * dfg/DFGFixupPhase.cpp:
13281 (JSC::DFG::FixupPhase::fixupNode):
13282 * dfg/DFGNode.h:
13283 (JSC::DFG::Node::shouldSpeculateMisc):
13284 * dfg/DFGSafeToExecute.h:
13285 (JSC::DFG::SafeToExecuteEdge::operator()):
13286 * dfg/DFGSpeculativeJIT.cpp:
13287 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13288 (JSC::DFG::SpeculativeJIT::speculateMisc):
13289 (JSC::DFG::SpeculativeJIT::speculate):
13290 * dfg/DFGSpeculativeJIT.h:
13291 * dfg/DFGSpeculativeJIT32_64.cpp:
13292 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13293 * dfg/DFGSpeculativeJIT64.cpp:
13294 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13295 * dfg/DFGUseKind.cpp:
13296 (WTF::printInternal):
13297 * dfg/DFGUseKind.h:
13298 (JSC::DFG::typeFilterFor):
13299 * ftl/FTLCapabilities.cpp:
13300 (JSC::FTL::canCompile):
13301 * ftl/FTLLowerDFGToLLVM.cpp:
13302 (JSC::FTL::LowerDFGToLLVM::compileNode):
13303 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13304 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13305 (JSC::FTL::LowerDFGToLLVM::compileThrow):
13306 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
13307 (JSC::FTL::LowerDFGToLLVM::isMisc):
13308 (JSC::FTL::LowerDFGToLLVM::speculate):
13309 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
13310 * tests/stress/float32-array-out-of-bounds.js: Added.
13311 * tests/stress/weird-equality-folding-cases.js: Added.
13312
133132014-03-04 Andreas Kling <akling@apple.com>
13314
13315 Spam static branch prediction hints on JS bindings.
13316 <https://webkit.org/b/129703>
13317
13318 Add LIKELY hint to jsDynamicCast since it's always used in a context
13319 where we expect it to succeed and takes an error path when it doesn't.
13320
13321 Reviewed by Geoff Garen.
13322
13323 * runtime/JSCell.h:
13324 (JSC::jsDynamicCast):
13325
133262014-03-04 Andreas Kling <akling@apple.com>
13327
13328 Get to Structures more efficiently in JSCell::methodTable().
13329 <https://webkit.org/b/129702>
13330
13331 In JSCell::methodTable(), get the VM once and pass that along to
13332 structure(VM&) instead of using the heavier structure().
13333
13334 In JSCell::methodTable(VM&), replace calls to structure() with
13335 calls to structure(VM&).
13336
13337 Reviewed by Mark Hahnenberg.
13338
13339 * runtime/JSCellInlines.h:
13340 (JSC::JSCell::methodTable):
13341
133422014-03-04 Joseph Pecoraro <pecoraro@apple.com>
13343
13344 Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
13345 https://bugs.webkit.org/show_bug.cgi?id=129697
13346
13347 Reviewed by Timothy Hatcher.
13348
13349 * inspector/remote/RemoteInspectorXPCConnection.mm:
13350 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
13351 (Inspector::RemoteInspectorXPCConnection::handleEvent):
13352
133532014-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
13354
13355 Merge API shims and JSLock
13356 https://bugs.webkit.org/show_bug.cgi?id=129650
13357
13358 Reviewed by Mark Lam.
13359
13360 JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
13361 to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
13362
13363 * API/APICallbackFunction.h:
13364 (JSC::APICallbackFunction::call):
13365 (JSC::APICallbackFunction::construct):
13366 * API/APIShims.h: Removed.
13367 * API/JSBase.cpp:
13368 (JSEvaluateScript):
13369 (JSCheckScriptSyntax):
13370 (JSGarbageCollect):
13371 (JSReportExtraMemoryCost):
13372 (JSSynchronousGarbageCollectForDebugging):
13373 * API/JSCallbackConstructor.cpp:
13374 * API/JSCallbackFunction.cpp:
13375 * API/JSCallbackObjectFunctions.h:
13376 (JSC::JSCallbackObject<Parent>::init):
13377 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
13378 (JSC::JSCallbackObject<Parent>::put):
13379 (JSC::JSCallbackObject<Parent>::putByIndex):
13380 (JSC::JSCallbackObject<Parent>::deleteProperty):
13381 (JSC::JSCallbackObject<Parent>::construct):
13382 (JSC::JSCallbackObject<Parent>::customHasInstance):
13383 (JSC::JSCallbackObject<Parent>::call):
13384 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
13385 (JSC::JSCallbackObject<Parent>::getStaticValue):
13386 (JSC::JSCallbackObject<Parent>::callbackGetter):
13387 * API/JSContext.mm:
13388 (-[JSContext setException:]):
13389 (-[JSContext wrapperForObjCObject:]):
13390 (-[JSContext wrapperForJSObject:]):
13391 * API/JSContextRef.cpp:
13392 (JSContextGroupRelease):
13393 (JSContextGroupSetExecutionTimeLimit):
13394 (JSContextGroupClearExecutionTimeLimit):
13395 (JSGlobalContextCreateInGroup):
13396 (JSGlobalContextRetain):
13397 (JSGlobalContextRelease):
13398 (JSContextGetGlobalObject):
13399 (JSContextGetGlobalContext):
13400 (JSGlobalContextCopyName):
13401 (JSGlobalContextSetName):
13402 * API/JSManagedValue.mm:
13403 (-[JSManagedValue value]):
13404 * API/JSObjectRef.cpp:
13405 (JSObjectMake):
13406 (JSObjectMakeFunctionWithCallback):
13407 (JSObjectMakeConstructor):
13408 (JSObjectMakeFunction):
13409 (JSObjectMakeArray):
13410 (JSObjectMakeDate):
13411 (JSObjectMakeError):
13412 (JSObjectMakeRegExp):
13413 (JSObjectGetPrototype):
13414 (JSObjectSetPrototype):
13415 (JSObjectHasProperty):
13416 (JSObjectGetProperty):
13417 (JSObjectSetProperty):
13418 (JSObjectGetPropertyAtIndex):
13419 (JSObjectSetPropertyAtIndex):
13420 (JSObjectDeleteProperty):
13421 (JSObjectGetPrivateProperty):
13422 (JSObjectSetPrivateProperty):
13423 (JSObjectDeletePrivateProperty):
13424 (JSObjectIsFunction):
13425 (JSObjectCallAsFunction):
13426 (JSObjectCallAsConstructor):
13427 (JSObjectCopyPropertyNames):
13428 (JSPropertyNameArrayRelease):
13429 (JSPropertyNameAccumulatorAddName):
13430 * API/JSScriptRef.cpp:
13431 * API/JSValue.mm:
13432 (isDate):
13433 (isArray):
13434 (containerValueToObject):
13435 (valueToArray):
13436 (valueToDictionary):
13437 (objectToValue):
13438 * API/JSValueRef.cpp:
13439 (JSValueGetType):
13440 (JSValueIsUndefined):
13441 (JSValueIsNull):
13442 (JSValueIsBoolean):
13443 (JSValueIsNumber):
13444 (JSValueIsString):
13445 (JSValueIsObject):
13446 (JSValueIsObjectOfClass):
13447 (JSValueIsEqual):
13448 (JSValueIsStrictEqual):
13449 (JSValueIsInstanceOfConstructor):
13450 (JSValueMakeUndefined):
13451 (JSValueMakeNull):
13452 (JSValueMakeBoolean):
13453 (JSValueMakeNumber):
13454 (JSValueMakeString):
13455 (JSValueMakeFromJSONString):
13456 (JSValueCreateJSONString):
13457 (JSValueToBoolean):
13458 (JSValueToNumber):
13459 (JSValueToStringCopy):
13460 (JSValueToObject):
13461 (JSValueProtect):
13462 (JSValueUnprotect):
13463 * API/JSVirtualMachine.mm:
13464 (-[JSVirtualMachine addManagedReference:withOwner:]):
13465 (-[JSVirtualMachine removeManagedReference:withOwner:]):
13466 * API/JSWeakObjectMapRefPrivate.cpp:
13467 * API/JSWrapperMap.mm:
13468 (constructorHasInstance):
13469 (makeWrapper):
13470 (tryUnwrapObjcObject):
13471 * API/ObjCCallbackFunction.mm:
13472 (JSC::objCCallbackFunctionCallAsFunction):
13473 (JSC::objCCallbackFunctionCallAsConstructor):
13474 (objCCallbackFunctionForInvocation):
13475 * CMakeLists.txt:
13476 * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
13477 * GNUmakefile.list.am:
13478 * JavaScriptCore.xcodeproj/project.pbxproj:
13479 * dfg/DFGWorklist.cpp:
13480 * heap/DelayedReleaseScope.h:
13481 (JSC::DelayedReleaseScope::~DelayedReleaseScope):
13482 * heap/HeapTimer.cpp:
13483 (JSC::HeapTimer::timerDidFire):
13484 (JSC::HeapTimer::timerEvent):
13485 * heap/IncrementalSweeper.cpp:
13486 * inspector/InjectedScriptModule.cpp:
13487 (Inspector::InjectedScriptModule::ensureInjected):
13488 * jsc.cpp:
13489 (jscmain):
13490 * runtime/GCActivityCallback.cpp:
13491 (JSC::DefaultGCActivityCallback::doWork):
13492 * runtime/JSGlobalObjectDebuggable.cpp:
13493 (JSC::JSGlobalObjectDebuggable::connect):
13494 (JSC::JSGlobalObjectDebuggable::disconnect):
13495 (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
13496 * runtime/JSLock.cpp:
13497 (JSC::JSLock::lock):
13498 (JSC::JSLock::didAcquireLock):
13499 (JSC::JSLock::unlock):
13500 (JSC::JSLock::willReleaseLock):
13501 (JSC::JSLock::DropAllLocks::DropAllLocks):
13502 (JSC::JSLock::DropAllLocks::~DropAllLocks):
13503 * runtime/JSLock.h:
13504 * testRegExp.cpp:
13505 (realMain):
13506
135072014-03-04 Commit Queue <commit-queue@webkit.org>
13508
13509 Unreviewed, rolling out r164812.
13510 http://trac.webkit.org/changeset/164812
13511 https://bugs.webkit.org/show_bug.cgi?id=129699
13512
13513 it made things run slower (Requested by pizlo on #webkit).
13514
13515 * interpreter/Interpreter.cpp:
13516 (JSC::Interpreter::execute):
13517 * jsc.cpp:
13518 (GlobalObject::finishCreation):
13519 * runtime/BatchedTransitionOptimizer.h:
13520 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
13521 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
13522
135232014-03-02 Filip Pizlo <fpizlo@apple.com>
13524
13525 GetMyArgumentByVal in FTL
13526 https://bugs.webkit.org/show_bug.cgi?id=128850
13527
13528 Reviewed by Oliver Hunt.
13529
13530 This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
13531 They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
13532 caused it to think that the arity check had failed if the caller had passed more
13533 arguments than needed. This would cause the call frame copying to sort of go into
13534 reverse (because the amount-by-which-we-failed-arity would have opposite sign,
13535 throwing off a bunch of math) and the stack would end up being corrupted.
13536
13537 The bug was revealed by two existing tests although as far as I could tell, neither
13538 test was intending to cover this case directly. So, I added a new test.
13539
13540 * ftl/FTLCapabilities.cpp:
13541 (JSC::FTL::canCompile):
13542 * ftl/FTLLowerDFGToLLVM.cpp:
13543 (JSC::FTL::LowerDFGToLLVM::compileNode):
13544 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
13545 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
13546 (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
13547 (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
13548 * ftl/FTLOSRExitCompiler.cpp:
13549 (JSC::FTL::compileStub):
13550 * ftl/FTLState.h:
13551 * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
13552 * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
13553 * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
13554 * tests/stress/ftl-get-my-argument-by-val.js: Added.
13555
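The arity-check sign bug described in the entry above, modelled as an added C++ example (hypothetical code written for this page, not JavaScriptCore's FTL OSR exit compiler): the names arityCheckFailedBuggy, arityCheckFailedFixed, missingArgumentSlots and copyArguments are assumed, and the frame copy is a simplified stand-in for the real exit path.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added model (not JavaScriptCore code) of the OSR exit arity check described
// above. The caller pushed argumentCount arguments; the callee's CodeBlock
// declares numParameters. When the check fails, the exit path copies the frame
// and pads it with undefined slots so the callee sees numParameters arguments.

static const int64_t kUndefined = -1; // constructed sentinel for a missing argument

// Buggy check quoted in the ChangeLog: only an exact match passes, so a caller
// that passed *extra* arguments is treated as an arity failure.
bool arityCheckFailedBuggy(uint32_t argumentCount, uint32_t numParameters)
{
    return !(argumentCount == numParameters);
}

// Correct check: arity fails only when too few arguments were passed.
bool arityCheckFailedFixed(uint32_t argumentCount, uint32_t numParameters)
{
    return argumentCount < numParameters;
}

// Undefined slots the copy must add after a failed check. With the buggy check
// and extra arguments this is negative: the "opposite sign" that threw off the
// frame-copying math.
int64_t missingArgumentSlots(uint32_t argumentCount, uint32_t numParameters)
{
    return static_cast<int64_t>(numParameters) - static_cast<int64_t>(argumentCount);
}

// Rebuilds the argument area the way an exit path would. Instead of copying
// backwards, it reports a negative padding count as a failure.
bool copyArguments(const std::vector<int64_t>& callerArgs, uint32_t numParameters,
                   bool (*arityCheckFailed)(uint32_t, uint32_t),
                   std::vector<int64_t>& outFrame)
{
    const uint32_t argumentCount = static_cast<uint32_t>(callerArgs.size());
    outFrame = callerArgs;
    if (!arityCheckFailed(argumentCount, numParameters))
        return true; // frame usable as-is; extra arguments simply stay in place

    const int64_t missing = missingArgumentSlots(argumentCount, numParameters);
    if (missing < 0)
        return false; // the sign bug: padding count went negative
    for (int64_t i = 0; i < missing; ++i)
        outFrame.push_back(kUndefined);
    return true;
}

// Scenario from the ChangeLog: the caller passed more arguments (5) than the
// callee declares (3). Returns the resulting frame size, or 0 if the copy was refused.
size_t frameSizeForExtraArguments(bool (*arityCheckFailed)(uint32_t, uint32_t))
{
    const std::vector<int64_t> callerArgs = { 10, 20, 30, 40, 50 }; // constructed
    std::vector<int64_t> frame;
    return copyArguments(callerArgs, 3, arityCheckFailed, frame) ? frame.size() : 0;
}

// Genuine arity failure: 2 arguments for a 3-parameter callee; the fixed path pads one slot.
size_t frameSizeForMissingArguments()
{
    const std::vector<int64_t> callerArgs = { 10, 20 }; // constructed
    std::vector<int64_t> frame;
    if (!copyArguments(callerArgs, 3, arityCheckFailedFixed, frame) || frame[2] != kUndefined)
        return 0;
    return frame.size();
}
```
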
2014-03-04  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Build the Udis86 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=129679

        Reviewed by Michael Saboff.

        * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
        * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.

2014-03-04  Andreas Kling  <akling@apple.com>

        Fix too-narrow assertion I added in r165054.

        It's okay for a 1-character string to come in here. This will happen
        if the VM small string optimization doesn't apply (ch > 0xFF).

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Andreas Kling  <akling@apple.com>

        Micro-optimize Strings in JS bindings.
        <https://webkit.org/b/129673>

        Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
        This avoids branches in length() and operator[].

        Also call JSString::create() directly instead of jsString() and just
        assert that the string length is >1. This way we don't duplicate the
        optimizations for empty and single-character strings.

        Reviewed by Ryosuke Niwa.

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Implement Number.prototype.clz()
        https://bugs.webkit.org/show_bug.cgi?id=129479

        Reviewed by Oliver Hunt.

        Implemented Number.prototype.clz() as specified in the ES6 standard.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncClz):

2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
        https://bugs.webkit.org/show_bug.cgi?id=129631

        Reviewed by Timothy Hatcher.

        Avoid deref() too early if a client calls close(). The xpc_connection_close
        will cause another XPC_ERROR event to come in from the queue, deref then.
        Likewise, protect multithreaded access to m_client. If a client calls
        close() we want to immediately clear the pointer to prevent calls to it.

        Overall the multi-threading aspects of RemoteInspectorXPCConnection are
        growing too complicated for probably little benefit. We may want to
        clean this up later.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionFailed):
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):

2014-03-03  Michael Saboff  <msaboff@apple.com>

        AbstractMacroAssembler::CachedTempRegister should start out invalid
        https://bugs.webkit.org/show_bug.cgi?id=129657

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        - Invalidate all cached registers in constructor as we don't know the
          contents of any register at the entry to the code we are going to
          generate.

2014-03-03  Andreas Kling  <akling@apple.com>

        StructureOrOffset should be fastmalloced.
        <https://webkit.org/b/129640>

        Reviewed by Geoffrey Garen.

        * runtime/StructureIDTable.h:

2014-03-03  Michael Saboff  <msaboff@apple.com>

        Crash in JIT code while watching a video @ storyboard.tumblr.com
        https://bugs.webkit.org/show_bug.cgi?id=129635

        Reviewed by Filip Pizlo.

        Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
        constructor.

        * jit/TempRegisterSet.cpp:
        (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
        (JSC::TempRegisterSet::clearAll): New private helper.

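An added C++ example (not JavaScriptCore's TempRegisterSet) of the constructor bug fixed above: a bitmap-backed register set whose converting path only ORs bits into m_set. The TempRegisterSet model, its initializeWithoutClearing/initializeFrom paths and the stale-memory simulation are assumed here for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Added model (not JavaScriptCore code) of the bug fixed above: a register set
// whose converting constructor only ORed bits into m_set without clearing it.
static const size_t kNumRegisters = 32;
static const size_t kSetBytes = kNumRegisters / 8;

struct RegisterList {
    const uint8_t* indices; // register numbers that should be in the set
    size_t count;
};

struct TempRegisterSet {
    uint8_t m_set[kSetBytes];

    // Shape of the buggy TempRegisterSet(const RegisterSet&) constructor body:
    // sets bits for the wanted registers but never clears m_set first.
    void initializeWithoutClearing(const RegisterList& other)
    {
        for (size_t i = 0; i < other.count; ++i)
            setBit(other.indices[i]);
    }

    // Shape of the fixed constructor: clear, then set.
    void initializeFrom(const RegisterList& other)
    {
        clearAll();
        initializeWithoutClearing(other);
    }

    bool contains(uint8_t reg) const { return (m_set[reg / 8] >> (reg % 8)) & 1u; }

    unsigned numberOfSetRegisters() const
    {
        unsigned n = 0;
        for (size_t r = 0; r < kNumRegisters; ++r)
            n += contains(static_cast<uint8_t>(r)) ? 1u : 0u;
        return n;
    }

    void clearAll() { memset(m_set, 0, sizeof(m_set)); }

private:
    void setBit(uint8_t reg) { m_set[reg / 8] |= static_cast<uint8_t>(1u << (reg % 8)); }
};

static const uint8_t kWantedRegisters[] = { 0, 3, 17 }; // constructed sample

// Simulates constructing the set in reused stack memory: the bytes are filled
// with 0xFF to stand in for whatever a previous frame left there, then either
// the buggy or the fixed initialization path runs on top of them.
TempRegisterSet constructInStaleMemory(bool clearFirst)
{
    TempRegisterSet set;
    memset(set.m_set, 0xFF, sizeof(set.m_set)); // stale contents (constructed)
    RegisterList wanted = { kWantedRegisters, sizeof(kWantedRegisters) };
    if (clearFirst)
        set.initializeFrom(wanted);
    else
        set.initializeWithoutClearing(wanted);
    return set;
}

// The buggy path reports every register as in use; the fixed path reports only
// the three that were actually requested.
unsigned buggyRegisterCount() { return constructInStaleMemory(false).numberOfSetRegisters(); }
unsigned fixedRegisterCount() { return constructInStaleMemory(true).numberOfSetRegisters(); }
bool buggyClaimsRegister(uint8_t reg) { return constructInStaleMemory(false).contains(reg); }
bool fixedClaimsRegister(uint8_t reg) { return constructInStaleMemory(true).contains(reg); }
```

A JIT that trusts the buggy set would treat phantom registers as allocated, which is the kind of state that ends in a crash like the one reported above.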
136702014-03-03 Benjamin Poulain <benjamin@webkit.org>
13671
13672 [x86] Improve code generation of byte test
13673 https://bugs.webkit.org/show_bug.cgi?id=129597
13674
13675 Reviewed by Geoffrey Garen.
13676
13677 When possible, test the 8 bit register to itself instead of comparing it
13678 to a literal.
13679
13680 * assembler/MacroAssemblerX86Common.h:
13681 (JSC::MacroAssemblerX86Common::test32):
13682
136832014-03-03 Mark Lam <mark.lam@apple.com>
13684
13685 Web Inspector: debugger statements do not break.
13686 <https://webkit.org/b/129524>
13687
13688 Reviewed by Geoff Garen.
13689
13690 Since we no longer call op_debug hooks unless there is a debugger request
13691 made on the CodeBlock, the op_debug for the debugger statement never gets
13692 serviced.
13693
13694 With this fix, we check in the CodeBlock constructor if any debugger
13695 statements are present. If so, we set a m_hasDebuggerStatement flag that
13696 causes the CodeBlock to show as having debugger requests. Hence,
13697 breaking at debugger statements is now restored.
13698
13699 * bytecode/CodeBlock.cpp:
13700 (JSC::CodeBlock::CodeBlock):
13701 * bytecode/CodeBlock.h:
13702 (JSC::CodeBlock::hasDebuggerRequests):
13703 (JSC::CodeBlock::clearDebuggerRequests):
13704
137052014-03-03 Mark Lam <mark.lam@apple.com>
13706
13707 ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
13708 <https://webkit.org/b/129393>
13709
13710 Reviewed by Geoffrey Garen.
13711
13712 The issue manifests because the debugger will iterate all CodeBlocks in
13713 the heap when setting / clearing breakpoints, but it is possible for a
13714 CodeBlock to have been instantiate but is not yet registered with the
13715 debugger. This can happen because of the following:
13716
13717 1. DFG worklist compilation is still in progress, and the target
13718 codeBlock is not ready for installation in its executable yet.
13719
13720 2. DFG compilation failed and we have a codeBlock that will never be
13721 installed in its executable, and the codeBlock has not been cleaned
13722 up by the GC yet.
13723
13724 The code for installing the codeBlock in its executable is the same code
13725 that registers it with the debugger. Hence, these codeBlocks are not
13726 registered with the debugger, and any pending breakpoints that would map
13727 to that CodeBlock is as yet unset or will never be set. As such, an
13728 attempt to remove a breakpoint in that CodeBlock will fail that assertion.
13729
13730 To fix this, we do the following:
13731
13732 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
13733 compilation. This is achieved by providing a
13734 DeferredCompilationCallback::compilationDidComplete() that does this
13735 clean up, and have all sub classes call it at the end of their
13736 compilationDidComplete() methods.
13737
13738 2. Before the debugger or profiler iterates CodeBlocks in the heap, they
13739 will wait for all compilations to complete before proceeding. This
13740 ensures that:
13741 1. any zombie CodeBlocks would have been cleaned up, and won't be
13742 seen by the debugger or profiler.
13743 2. all CodeBlocks that the debugger and profiler needs to operate on
13744 will be "ready" for whatever needs to be done to them e.g.
13745 jettison'ing of DFG codeBlocks.
13746
13747 * bytecode/DeferredCompilationCallback.cpp:
13748 (JSC::DeferredCompilationCallback::compilationDidComplete):
13749 * bytecode/DeferredCompilationCallback.h:
13750 - Provide default implementation method to clean up zombie CodeBlocks.
13751
13752 * debugger/Debugger.cpp:
13753 (JSC::Debugger::forEachCodeBlock):
13754 - Utility function to iterate CodeBlocks. It ensures that all compilations
13755 are complete before proceeding.
13756 (JSC::Debugger::setSteppingMode):
13757 (JSC::Debugger::toggleBreakpoint):
13758 (JSC::Debugger::recompileAllJSFunctions):
13759 (JSC::Debugger::clearBreakpoints):
13760 (JSC::Debugger::clearDebuggerRequests):
13761 - Use the utility iterator function.
13762
13763 * debugger/Debugger.h:
13764 * dfg/DFGOperations.cpp:
13765 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
13766
13767 * dfg/DFGPlan.cpp:
13768 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
13769 - Remove unneeded code (that was not the best solution anyway) for ensuring
13770 that we don't generate new DFG codeBlocks after enabling the debugger or
13771 profiler. Now that we wait for compilations to complete before proceeding
13772 with debugger and profiler work, this scenario will never happen.
13773
13774 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
13775 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
13776 - Call the super class method to clean up zombie codeBlocks.
13777
13778 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
13779 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
13780 - Call the super class method to clean up zombie codeBlocks.
13781
13782 * heap/CodeBlockSet.cpp:
13783 (JSC::CodeBlockSet::remove):
13784 * heap/CodeBlockSet.h:
13785 * heap/Heap.h:
13786 (JSC::Heap::removeCodeBlock):
13787 - New method to remove a codeBlock from the codeBlock set.
13788
13789 * jit/JITOperations.cpp:
13790 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
13791
13792 * jit/JITToDFGDeferredCompilationCallback.cpp:
13793 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
13794 - Call the super class method to clean up zombie codeBlocks.
13795
13796 * runtime/VM.cpp:
13797 (JSC::VM::waitForCompilationsToComplete):
13798 - Renamed from prepareToDiscardCode() to be clearer about what it does.
13799
13800 (JSC::VM::discardAllCode):
13801 (JSC::VM::releaseExecutableMemory):
13802 (JSC::VM::setEnabledProfiler):
13803 - Wait for compilation to complete before enabling the profiler.
13804
13805 * runtime/VM.h:
13806
138072014-03-03 Brian Burg <bburg@apple.com>
13808
13809 Another unreviewed build fix attempt for Windows after r164986.
13810
13811 We never told Visual Studio to copy over the web replay code generator scripts
13812 and the generated headers for JavaScriptCore replay inputs as if they were
13813 private headers.
13814
13815 * JavaScriptCore.vcxproj/copy-files.cmd:
13816
138172014-03-03 Brian Burg <bburg@apple.com>
13818
13819 Web Replay: upstream input storage, capture/replay machinery, and inspector domain
13820 https://bugs.webkit.org/show_bug.cgi?id=128782
13821
13822 Reviewed by Timothy Hatcher.
13823
13824 Alter the replay inputs code generator so that it knows when it is necessary to
13825 to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
13826
13827 * JavaScriptCore.xcodeproj/project.pbxproj:
13828 * replay/scripts/CodeGeneratorReplayInputs.py:
13829 (Framework.fromString):
13830 (Frameworks): Add WTF as an allowed framework for code generation.
13831 (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
13832 (Generator.generate_includes.declaration):
13833 (Generator.generate_includes.or):
13834 (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
13835
138362014-03-02 Filip Pizlo <fpizlo@apple.com>
13837
13838 PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
13839 https://bugs.webkit.org/show_bug.cgi?id=129591
13840
13841 Reviewed by Michael Saboff.
13842
13843 * bytecode/PolymorphicPutByIdList.cpp:
13844 (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
13845 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constuctor should be private, only from() should call it.
13846 (JSC::PolymorphicPutByIdList::from):
13847 * bytecode/PolymorphicPutByIdList.h:
13848 (JSC::PutByIdAccess::stubRoutine):
13849 * jit/Repatch.cpp:
13850 (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
13851
138522014-03-02 Filip Pizlo <fpizlo@apple.com>
13853
13854 Debugging improvements from my gbemu investigation session
13855 https://bugs.webkit.org/show_bug.cgi?id=129599
13856
13857 Reviewed by Mark Lam.
13858
13859 Various improvements from when I was investigating bug 129411.
13860
13861 * bytecode/CodeBlock.cpp:
13862 (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
13863 * jsc.cpp:
13864 (GlobalObject::finishCreation):
13865 (functionDescribe): Make describe() return a string rather than printing the string.
13866 (functionDescribeArray): Like describe(), but prints details about arrays.
13867
138682014-02-25 Andreas Kling <akling@apple.com>
13869
13870 JSDOMWindow::commonVM() should return a reference.
13871 <https://webkit.org/b/129293>
13872
13873 Added a DropAllLocks constructor that takes VM& without null checks.
13874
13875 Reviewed by Geoff Garen.
13876
138772014-03-02 Mark Lam <mark.lam@apple.com>
13878
13879 CodeBlock::hasDebuggerRequests() should returning a bool instead of an int.
13880 <https://webkit.org/b/129584>
13881
13882 Reviewed by Darin Adler.
13883
13884 * bytecode/CodeBlock.h:
13885 (JSC::CodeBlock::hasDebuggerRequests):
13886
138872014-03-02 Mark Lam <mark.lam@apple.com>
13888
13889 Clean up use of Options::enableConcurrentJIT().
13890 <https://webkit.org/b/129582>
13891
13892 Reviewed by Filip Pizlo.
13893
13894 DFG Driver was conditionally checking Options::enableConcurrentJIT()
13895 only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
13896 enableConcurrentJIT set to false.
13897
13898 Instead we should configure Options::enableConcurrentJIT() to be false
13899 in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
13900 check Options::enableConcurrentJIT(). This makes the code read a little
13901 cleaner.
13902
13903 * dfg/DFGDriver.cpp:
13904 (JSC::DFG::compileImpl):
13905 * runtime/Options.cpp:
13906 (JSC::recomputeDependentOptions):
13907
2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
        stress tests.

        * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.

2014-03-01  Andreas Kling  <akling@apple.com>

        JSCell::fastGetOwnProperty() should get the Structure more efficiently.
        <https://webkit.org/b/129560>

        Now that structure() is nontrivial and we have a faster structure(VM&),
        make use of that in fastGetOwnProperty() since we already have VM.

        Reviewed by Sam Weinig.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places).
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.

        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.

        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
        * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
        * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):

2014-02-28  Andreas Kling  <akling@apple.com>

        JSObject::findPropertyHashEntry() should take VM instead of ExecState.
        <https://webkit.org/b/129529>

        Callers already have VM in a local, and findPropertyHashEntry() only
        uses the VM; no need to go all the way through ExecState.

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        * runtime/JSObject.h:

2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>

        Deadlock remotely inspecting iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=129511

        Reviewed by Timothy Hatcher.

        Avoid synchronous setup. Do it asynchronously, and let
        the RemoteInspector singleton know later if it failed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):

2014-02-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=129488

        Reviewed by Mark Lam.

        Whoops, modify the right register.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
        https://bugs.webkit.org/show_bug.cgi?id=129503

        Reviewed by Mark Lam.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::intrinsicOrOperation):

2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(GGC) builds

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up Heap::collect and Heap::markRoots
        https://bugs.webkit.org/show_bug.cgi?id=129464

        Reviewed by Geoffrey Garen.

        These functions have built up a lot of cruft recently.
        We should do a bit of cleanup to make them easier to grok.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>

        indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
        https://bugs.webkit.org/show_bug.cgi?id=129466

        Reviewed by Michael Saboff.

        Refactored the code to avoid calling JSString::value when needle is longer than haystack.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):

2014-02-27  Timothy Hatcher  <timothy@apple.com>

        Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.

        https://bugs.webkit.org/show_bug.cgi?id=129458

        Reviewed by Joseph Pecoraro.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
        line ending type and don't try to strip the line ending. Use size_t.
        (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
        This will include the line ending in the lines, but that is okay.
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
        (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.

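The line-ending handling that entry describes, as an added JavaScript example rather than WebKit's own code: a findNextLineStart that recognizes "\r\n", "\n" and "\r", a lineEndings splitter that keeps each line's terminator, an offset-to-position mapping that assumes no fixed terminator length, and a per-line regex search over them. The function names mirror the entry's, but the bodies are an independent re-implementation and the sample text is constructed.

```javascript
// Added example, not from WebKit. Names mirror the ChangeLog entry
// (findNextLineStart, lineEndings, textPositionFromOffset); the bodies are an
// independent re-implementation of the line-ending-agnostic approach it describes.

// Index just past the next line terminator at or after `start`, or text.length
// if there is none. A lone "\r" and "\n" are terminators; "\r\n" counts once.
function findNextLineStart(text, start) {
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (c === '\n') return i + 1;
    if (c === '\r') return text[i + 1] === '\n' ? i + 2 : i + 1;
  }
  return text.length;
}

// Split `text` into lines, keeping each line's terminator attached (as the
// entry notes, that is fine for searching). Returns [] for an empty string.
function lineEndings(text) {
  const lines = [];
  let start = 0;
  while (start < text.length) {
    const next = findNextLineStart(text, start);
    lines.push(text.slice(start, next));
    start = next;
  }
  return lines;
}

// Map a character offset to a zero-based { line, column } without assuming a
// terminator length: the column is measured from the start of the line that
// contains the offset. Offsets past the end clamp to the end of the last line.
function textPositionFromOffset(text, offset) {
  offset = Math.max(0, Math.min(offset, text.length));
  let line = 0;
  let lineStart = 0;
  for (;;) {
    const next = findNextLineStart(text, lineStart);
    if (offset < next || next === text.length) break;
    line++;
    lineStart = next;
  }
  return { line, column: offset - lineStart };
}

// Run `regex` over every line and report zero-based line numbers and the
// in-line index of each match. The terminator stays on the line, so a
// pattern anchored with `$` needs the "m" flag to match before it.
function regexMatchesByLines(text, regex) {
  const flags = regex.flags.includes('g') ? regex.flags : regex.flags + 'g';
  const re = new RegExp(regex.source, flags);
  const matches = [];
  lineEndings(text).forEach((line, lineNumber) => {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(line)) !== null) {
      matches.push({ lineNumber, lineContent: line, index: m.index });
      if (m[0].length === 0) re.lastIndex++; // avoid looping on empty matches
    }
  });
  return matches;
}

// Constructed sample mixing all three terminators (not from the page).
const SAMPLE = 'alpha\r\nbeta\ngamma\rdelta';
```
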
2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
        https://bugs.webkit.org/show_bug.cgi?id=129446

        Reviewed by Timothy Hatcher.

        Remove duplicate header entries in Copy Header build phase.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Whoops, include all of last patch.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Slow cases for function.apply and function.call should not require vm re-entry
        https://bugs.webkit.org/show_bug.cgi?id=129454

        Reviewed by Geoffrey Garen.

        Implement call and apply using builtins. Happily the use
        of @call and @apply doesn't perform function equality checks
        and just plants direct var_args calls. This did expose a few
        codegen issues, but they're all covered by existing tests
        once call and apply are implemented in JS.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Function.prototype.js: Added.
        (call):
        (apply):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::isSafeBuiltinIdentifier):
        * runtime/CommonIdentifiers.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSObject.h:

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
        https://bugs.webkit.org/show_bug.cgi?id=129443

        Reviewed by Timothy Hatcher.

        This queue is specific to the JSContext debuggable connections;
        there is no XPC involved. Give it a better name.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Remove jsc symlink if it already exists

        This is a follow-up fix for:

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Create /usr/local/bin/jsc symlink): If a jsc symlink already
        exists where we're about to create the symlink, remove the old
        one first.

2014-02-27  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for Mac tools after r164814

        * Configurations/ToolExecutable.xcconfig:
        - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Changed productName to testRegExp for testRegExp target.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add "Create /usr/local/bin/jsc symlink" build phase script to
        create the symlink during installation.

2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Math.{max, min}() must not return after first NaN value
        https://bugs.webkit.org/show_bug.cgi?id=104147

        Reviewed by Oliver Hunt.

        According to the spec, ToNumber is going to be called on each argument
        even if a `NaN` value was already found.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):

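Why that spec rule is observable from script, as an added JavaScript example rather than JSC's own mathProtoFuncMax/Min: ToNumber on an object runs its valueOf(), so an implementation that returns at the first NaN silently skips user code that a conforming one runs. Both folds below are hypothetical re-implementations; coercionOrder is a constructed probe that records which arguments were coerced.

```javascript
// Added example, not JSC code. The two folds are hypothetical
// re-implementations that make the ToNumber side effects visible.

// True when `a` should replace `b` as the running maximum (wantMax) or
// minimum. +0 is treated as greater than -0, as the spec requires.
function replaces(a, b, wantMax) {
  if (a === 0 && b === 0) return wantMax ? Object.is(b, -0) : Object.is(a, -0);
  return wantMax ? a > b : a < b;
}

// Early-exit fold resembling the behaviour the entry fixes: once a NaN is
// seen, the remaining arguments are never passed through ToNumber.
function extremumEarlyExit(wantMax, ...args) {
  let result = wantMax ? -Infinity : Infinity;
  for (const a of args) {
    const n = Number(a);               // ToNumber: runs a.valueOf() for objects
    if (Number.isNaN(n)) return NaN;   // whatever follows is never coerced
    if (replaces(n, result, wantMax)) result = n;
  }
  return result;
}

// Spec-shaped fold: coerce every argument, in order, before picking a result.
function extremumCoerceAll(wantMax, ...args) {
  const nums = args.map(Number);       // every valueOf() runs here, left to right
  if (nums.some(Number.isNaN)) return NaN;
  let result = wantMax ? -Infinity : Infinity;
  for (const n of nums) if (replaces(n, result, wantMax)) result = n;
  return result;
}

const maxEarlyExit = (...args) => extremumEarlyExit(true, ...args);
const minEarlyExit = (...args) => extremumEarlyExit(false, ...args);
const maxCoerceAll = (...args) => extremumCoerceAll(true, ...args);
const minCoerceAll = (...args) => extremumCoerceAll(false, ...args);

// Wrap each value in an object whose valueOf() records that it ran, call
// `impl` with those wrappers and return the result plus the coercion log.
// Passing the engine's own Math.max/Math.min checks its conformance too.
function coercionOrder(impl, values) {
  const log = [];
  const args = values.map((v, i) => ({ valueOf() { log.push(`arg${i}`); return v; } }));
  return { result: impl(...args), log };
}
```
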
2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>

        JSType upper limit (0xff) assertion can be removed.
        https://bugs.webkit.org/show_bug.cgi?id=129424

        Reviewed by Geoffrey Garen.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2014-02-26  Michael Saboff  <msaboff@apple.com>

        Auto generate bytecode information for bytecode parser and LLInt
        https://bugs.webkit.org/show_bug.cgi?id=129181

        Reviewed by Mark Lam.

        Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
        helpers. It also includes bytecode length and other information used to generate files.
        Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
        in DerivedSources/JavaScriptCore/.

        Added the generation of these files to the "DerivedSource" build step.
        Slightly changed the build order, since the Bytecodes.h file is needed by
        JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
        to be run after JSCLLIntOffsetsExtractor.

        Made related changes to OPCODE macros and their use.

        Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
        jsc to resolve Mac build issue.

        * CMakeLists.txt:
        * Configurations/JSC.xcconfig:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntOpcode.h:
        * llint/LowLevelInterpreter.asm:

2014-02-27  Julien Brianceau  <jbriance@cisco.com>

        Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
        https://bugs.webkit.org/show_bug.cgi?id=129420

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
        Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.

2014-02-27  Filip Pizlo  <fpizlo@apple.com>

        Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
        https://bugs.webkit.org/show_bug.cgi?id=129435

        Reviewed by Oliver Hunt.

        This is a 5-10% speed-up on Octane/closure.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionClearCodeCache):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-02-27  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.

        * inspector/scripts: Added property svn:ignore.
        * replay/scripts: Added property svn:ignore.

2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch):

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        EFL build fix

        * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCells have 32-bit Structure pointers
        https://bugs.webkit.org/show_bug.cgi?id=123195

        Reviewed by Filip Pizlo.

        This patch changes JSCells such that they no longer have a full 64-bit Structure
        pointer in their header. Instead they now have a 32-bit index into
        a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
        pointers.

        This change frees up an additional 32 bits of information in our object headers.
        We then use this extra space to store the indexing type of the object, the JSType
        of the object, some various type flags, and garbage collection data (e.g. mark bit).
        Because this inline type information is now faster to read, it pays for the slowdown
        incurred by having to perform an extra indirection through the StructureIDTable.

        This patch also threads a reference to the current VM through more of the C++ runtime
        to offset the cost of having to look up the VM to get the actual Structure pointer.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch32WithPatch):
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::branch32WithPatch):
        (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch32WithPatch):
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        (JSC::MacroAssemblerX86_64::branch32WithPatch):
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_movl_i32r):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfLastSeenStructureID):
        (JSC::ArrayProfile::observeStructure):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::heap):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchWeakStructure):
        (JSC::DFG::JITCompiler::branchStructurePtr):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isString):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store8):
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::collect):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfCellNotObject):
        (JSC::AssemblyHelpers::genericWriteBarrier):
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure):
        (JSC::JIT::emitJumpIfCellNotObject):
        (JSC::JIT::emitAllocateJSObject):
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
        (JSC::JIT::branchStructure):
        (JSC::branchStructure):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitLoadWithStructureCheck):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitLoadWithStructureCheck):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
14742 (JSC::replaceWithJump):
14743 (JSC::generateProtoChainAccessStub):
14744 (JSC::tryCacheGetByID):
14745 (JSC::tryBuildGetByIDList):
14746 (JSC::writeBarrier):
14747 (JSC::emitPutReplaceStub):
14748 (JSC::emitPutTransitionStub):
14749 (JSC::tryBuildPutByIdList):
14750 (JSC::tryRepatchIn):
14751 (JSC::linkClosureCall):
14752 (JSC::resetGetByID):
14753 (JSC::resetPutByID):
14754 * jit/SpecializedThunkJIT.h:
14755 (JSC::SpecializedThunkJIT::loadJSStringArgument):
14756 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
14757 * jit/ThunkGenerators.cpp:
14758 (JSC::virtualForThunkGenerator):
14759 (JSC::arrayIteratorNextThunkGenerator):
14760 * jit/UnusedPointer.h:
14761 * llint/LowLevelInterpreter.asm:
14762 * llint/LowLevelInterpreter32_64.asm:
14763 * llint/LowLevelInterpreter64.asm:
14764 * runtime/Arguments.cpp:
14765 (JSC::Arguments::createStrictModeCallerIfNecessary):
14766 (JSC::Arguments::createStrictModeCalleeIfNecessary):
14767 * runtime/Arguments.h:
14768 (JSC::Arguments::createStructure):
14769 * runtime/ArrayPrototype.cpp:
14770 (JSC::shift):
14771 (JSC::unshift):
14772 (JSC::arrayProtoFuncToString):
14773 (JSC::arrayProtoFuncPop):
14774 (JSC::arrayProtoFuncReverse):
14775 (JSC::performSlowSort):
14776 (JSC::arrayProtoFuncSort):
14777 (JSC::arrayProtoFuncSplice):
14778 (JSC::arrayProtoFuncUnShift):
14779 * runtime/CommonSlowPaths.cpp:
14780 (JSC::SLOW_PATH_DECL):
14781 * runtime/Executable.h:
14782 (JSC::ExecutableBase::isFunctionExecutable):
14783 (JSC::ExecutableBase::clearCodeVirtual):
14784 (JSC::ScriptExecutable::unlinkCalls):
14785 * runtime/GetterSetter.cpp:
14786 (JSC::callGetter):
14787 (JSC::callSetter):
14788 * runtime/InitializeThreading.cpp:
14789 * runtime/JSArray.cpp:
14790 (JSC::JSArray::unshiftCountSlowCase):
14791 (JSC::JSArray::setLength):
14792 (JSC::JSArray::pop):
14793 (JSC::JSArray::push):
14794 (JSC::JSArray::shiftCountWithArrayStorage):
14795 (JSC::JSArray::shiftCountWithAnyIndexingType):
14796 (JSC::JSArray::unshiftCountWithArrayStorage):
14797 (JSC::JSArray::unshiftCountWithAnyIndexingType):
14798 (JSC::JSArray::sortNumericVector):
14799 (JSC::JSArray::sortNumeric):
14800 (JSC::JSArray::sortCompactedVector):
14801 (JSC::JSArray::sort):
14802 (JSC::JSArray::sortVector):
14803 (JSC::JSArray::fillArgList):
14804 (JSC::JSArray::copyToArguments):
14805 (JSC::JSArray::compactForSorting):
14806 * runtime/JSCJSValueInlines.h:
14807 (JSC::JSValue::toThis):
14808 (JSC::JSValue::put):
14809 (JSC::JSValue::putByIndex):
14810 (JSC::JSValue::equalSlowCaseInline):
14811 * runtime/JSCell.cpp:
14812 (JSC::JSCell::put):
14813 (JSC::JSCell::putByIndex):
14814 (JSC::JSCell::deleteProperty):
14815 (JSC::JSCell::deletePropertyByIndex):
14816 * runtime/JSCell.h:
14817 (JSC::JSCell::clearStructure):
14818 (JSC::JSCell::mark):
14819 (JSC::JSCell::isMarked):
14820 (JSC::JSCell::structureIDOffset):
14821 (JSC::JSCell::typeInfoFlagsOffset):
14822 (JSC::JSCell::typeInfoTypeOffset):
14823 (JSC::JSCell::indexingTypeOffset):
14824 (JSC::JSCell::gcDataOffset):
14825 * runtime/JSCellInlines.h:
14826 (JSC::JSCell::JSCell):
14827 (JSC::JSCell::finishCreation):
14828 (JSC::JSCell::type):
14829 (JSC::JSCell::indexingType):
14830 (JSC::JSCell::structure):
14831 (JSC::JSCell::visitChildren):
14832 (JSC::JSCell::isObject):
14833 (JSC::JSCell::isString):
14834 (JSC::JSCell::isGetterSetter):
14835 (JSC::JSCell::isProxy):
14836 (JSC::JSCell::isAPIValueWrapper):
14837 (JSC::JSCell::setStructure):
14838 (JSC::JSCell::methodTable):
14839 (JSC::Heap::writeBarrier):
14840 * runtime/JSDataView.cpp:
14841 (JSC::JSDataView::createStructure):
14842 * runtime/JSDestructibleObject.h:
14843 (JSC::JSCell::classInfo):
14844 * runtime/JSFunction.cpp:
14845 (JSC::JSFunction::getOwnNonIndexPropertyNames):
14846 (JSC::JSFunction::put):
14847 (JSC::JSFunction::defineOwnProperty):
14848 * runtime/JSGenericTypedArrayView.h:
14849 (JSC::JSGenericTypedArrayView::createStructure):
14850 * runtime/JSObject.cpp:
14851 (JSC::getCallableObjectSlow):
14852 (JSC::JSObject::copyButterfly):
14853 (JSC::JSObject::visitButterfly):
14854 (JSC::JSFinalObject::visitChildren):
14855 (JSC::JSObject::getOwnPropertySlotByIndex):
14856 (JSC::JSObject::put):
14857 (JSC::JSObject::putByIndex):
14858 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
14859 (JSC::JSObject::enterDictionaryIndexingMode):
14860 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
14861 (JSC::JSObject::createInitialIndexedStorage):
14862 (JSC::JSObject::createInitialUndecided):
14863 (JSC::JSObject::createInitialInt32):
14864 (JSC::JSObject::createInitialDouble):
14865 (JSC::JSObject::createInitialContiguous):
14866 (JSC::JSObject::createArrayStorage):
14867 (JSC::JSObject::convertUndecidedToInt32):
14868 (JSC::JSObject::convertUndecidedToDouble):
14869 (JSC::JSObject::convertUndecidedToContiguous):
14870 (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
14871 (JSC::JSObject::convertUndecidedToArrayStorage):
14872 (JSC::JSObject::convertInt32ToDouble):
14873 (JSC::JSObject::convertInt32ToContiguous):
14874 (JSC::JSObject::convertInt32ToArrayStorage):
14875 (JSC::JSObject::genericConvertDoubleToContiguous):
14876 (JSC::JSObject::convertDoubleToArrayStorage):
14877 (JSC::JSObject::convertContiguousToArrayStorage):
14878 (JSC::JSObject::ensureInt32Slow):
14879 (JSC::JSObject::ensureDoubleSlow):
14880 (JSC::JSObject::ensureContiguousSlow):
14881 (JSC::JSObject::ensureArrayStorageSlow):
14882 (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
14883 (JSC::JSObject::switchToSlowPutArrayStorage):
14884 (JSC::JSObject::setPrototype):
14885 (JSC::JSObject::setPrototypeWithCycleCheck):
14886 (JSC::JSObject::putDirectNonIndexAccessor):
14887 (JSC::JSObject::deleteProperty):
14888 (JSC::JSObject::hasOwnProperty):
14889 (JSC::JSObject::deletePropertyByIndex):
14890 (JSC::JSObject::getPrimitiveNumber):
14891 (JSC::JSObject::hasInstance):
14892 (JSC::JSObject::getPropertySpecificValue):
14893 (JSC::JSObject::getPropertyNames):
14894 (JSC::JSObject::getOwnPropertyNames):
14895 (JSC::JSObject::getOwnNonIndexPropertyNames):
14896 (JSC::JSObject::seal):
14897 (JSC::JSObject::freeze):
14898 (JSC::JSObject::preventExtensions):
14899 (JSC::JSObject::reifyStaticFunctionsForDelete):
14900 (JSC::JSObject::removeDirect):
14901 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
14902 (JSC::JSObject::putByIndexBeyondVectorLength):
14903 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
14904 (JSC::JSObject::putDirectIndexBeyondVectorLength):
14905 (JSC::JSObject::getNewVectorLength):
14906 (JSC::JSObject::countElements):
14907 (JSC::JSObject::increaseVectorLength):
14908 (JSC::JSObject::ensureLengthSlow):
14909 (JSC::JSObject::growOutOfLineStorage):
14910 (JSC::JSObject::getOwnPropertyDescriptor):
14911 (JSC::putDescriptor):
14912 (JSC::JSObject::defineOwnNonIndexProperty):
14913 * runtime/JSObject.h:
14914 (JSC::getJSFunction):
14915 (JSC::JSObject::getArrayLength):
14916 (JSC::JSObject::getVectorLength):
14917 (JSC::JSObject::putByIndexInline):
14918 (JSC::JSObject::canGetIndexQuickly):
14919 (JSC::JSObject::getIndexQuickly):
14920 (JSC::JSObject::tryGetIndexQuickly):
14921 (JSC::JSObject::getDirectIndex):
14922 (JSC::JSObject::canSetIndexQuickly):
14923 (JSC::JSObject::canSetIndexQuicklyForPutDirect):
14924 (JSC::JSObject::setIndexQuickly):
14925 (JSC::JSObject::initializeIndex):
14926 (JSC::JSObject::hasSparseMap):
14927 (JSC::JSObject::inSparseIndexingMode):
14928 (JSC::JSObject::getDirect):
14929 (JSC::JSObject::getDirectOffset):
14930 (JSC::JSObject::isSealed):
14931 (JSC::JSObject::isFrozen):
14932 (JSC::JSObject::flattenDictionaryObject):
14933 (JSC::JSObject::ensureInt32):
14934 (JSC::JSObject::ensureDouble):
14935 (JSC::JSObject::ensureContiguous):
14936 (JSC::JSObject::rageEnsureContiguous):
14937 (JSC::JSObject::ensureArrayStorage):
14938 (JSC::JSObject::arrayStorage):
14939 (JSC::JSObject::arrayStorageOrNull):
14940 (JSC::JSObject::ensureLength):
14941 (JSC::JSObject::currentIndexingData):
14942 (JSC::JSObject::getHolyIndexQuickly):
14943 (JSC::JSObject::currentRelevantLength):
14944 (JSC::JSObject::isGlobalObject):
14945 (JSC::JSObject::isVariableObject):
14946 (JSC::JSObject::isStaticScopeObject):
14947 (JSC::JSObject::isNameScopeObject):
14948 (JSC::JSObject::isActivationObject):
14949 (JSC::JSObject::isErrorInstance):
14950 (JSC::JSObject::inlineGetOwnPropertySlot):
14951 (JSC::JSObject::fastGetOwnPropertySlot):
14952 (JSC::JSObject::getPropertySlot):
14953 (JSC::JSObject::putDirectInternal):
14954 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
14955 * runtime/JSPropertyNameIterator.h:
14956 (JSC::JSPropertyNameIterator::createStructure):
14957 * runtime/JSProxy.cpp:
14958 (JSC::JSProxy::getOwnPropertySlot):
14959 (JSC::JSProxy::getOwnPropertySlotByIndex):
14960 (JSC::JSProxy::put):
14961 (JSC::JSProxy::putByIndex):
14962 (JSC::JSProxy::defineOwnProperty):
14963 (JSC::JSProxy::deleteProperty):
14964 (JSC::JSProxy::deletePropertyByIndex):
14965 (JSC::JSProxy::getPropertyNames):
14966 (JSC::JSProxy::getOwnPropertyNames):
14967 * runtime/JSScope.cpp:
14968 (JSC::JSScope::objectAtScope):
14969 * runtime/JSString.h:
14970 (JSC::JSString::createStructure):
14971 (JSC::isJSString):
14972 * runtime/JSType.h:
14973 * runtime/JSTypeInfo.h:
14974 (JSC::TypeInfo::TypeInfo):
14975 (JSC::TypeInfo::isObject):
14976 (JSC::TypeInfo::structureIsImmortal):
14977 (JSC::TypeInfo::zeroedGCDataOffset):
14978 (JSC::TypeInfo::inlineTypeFlags):
14979 * runtime/MapData.h:
14980 * runtime/ObjectConstructor.cpp:
14981 (JSC::objectConstructorGetOwnPropertyNames):
14982 (JSC::objectConstructorKeys):
14983 (JSC::objectConstructorDefineProperty):
14984 (JSC::defineProperties):
14985 (JSC::objectConstructorSeal):
14986 (JSC::objectConstructorFreeze):
14987 (JSC::objectConstructorIsSealed):
14988 (JSC::objectConstructorIsFrozen):
14989 * runtime/ObjectPrototype.cpp:
14990 (JSC::objectProtoFuncDefineGetter):
14991 (JSC::objectProtoFuncDefineSetter):
14992 (JSC::objectProtoFuncToString):
14993 * runtime/Operations.cpp:
14994 (JSC::jsTypeStringForValue):
14995 (JSC::jsIsObjectType):
14996 * runtime/Operations.h:
14997 (JSC::normalizePrototypeChainForChainAccess):
14998 (JSC::normalizePrototypeChain):
14999 * runtime/PropertyMapHashTable.h:
15000 (JSC::PropertyTable::createStructure):
15001 * runtime/RegExp.h:
15002 (JSC::RegExp::createStructure):
15003 * runtime/SparseArrayValueMap.h:
15004 * runtime/Structure.cpp:
15005 (JSC::Structure::Structure):
15006 (JSC::Structure::~Structure):
15007 (JSC::Structure::prototypeChainMayInterceptStoreTo):
15008 * runtime/Structure.h:
15009 (JSC::Structure::id):
15010 (JSC::Structure::idBlob):
15011 (JSC::Structure::objectInitializationFields):
15012 (JSC::Structure::structureIDOffset):
15013 * runtime/StructureChain.h:
15014 (JSC::StructureChain::createStructure):
15015 * runtime/StructureIDTable.cpp: Added.
15016 (JSC::StructureIDTable::StructureIDTable):
15017 (JSC::StructureIDTable::~StructureIDTable):
15018 (JSC::StructureIDTable::resize):
15019 (JSC::StructureIDTable::flushOldTables):
15020 (JSC::StructureIDTable::allocateID):
15021 (JSC::StructureIDTable::deallocateID):
15022 * runtime/StructureIDTable.h: Added.
15023 (JSC::StructureIDTable::base):
15024 (JSC::StructureIDTable::get):
15025 * runtime/SymbolTable.h:
15026 * runtime/TypedArrayType.cpp:
15027 (JSC::typeForTypedArrayType):
15028 * runtime/TypedArrayType.h:
15029 * runtime/WeakMapData.h:
15030
2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unconditional logging in compileFTLOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=129407

        Reviewed by Michael Saboff.

        This was causing tests to fail with the FTL enabled.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Remove unused access types
        https://bugs.webkit.org/show_bug.cgi?id=129385

        Reviewed by Filip Pizlo.

        Remove unused cruft.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::isPutByIdAccess):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Function.prototype.apply has a bad time with the spread operator
        https://bugs.webkit.org/show_bug.cgi?id=129381

        Reviewed by Mark Hahnenberg.

        Make sure our apply logic handles the spread operator correctly.
        To do this we simply emit the enumeration logic that we'd normally
        use for other enumerations, but only store the first two results
        to registers. Then perform a varargs call.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):

2014-02-26  Mark Lam  <mark.lam@apple.com>

        Compilation policy management belongs in operationOptimize(), not the DFG Driver.
        <https://webkit.org/b/129355>

        Reviewed by Filip Pizlo.

        By compilation policy, I mean the rules for determining whether to
        compile, when to compile, when to attempt compilation again, etc. The
        few of these policy decisions that were previously being made in the
        DFG driver are now moved to operationOptimize() where we keep the rest
        of the policy logic. Decisions that are based on the capabilities
        supported by the DFG are moved to DFG capabilityLevel().

        I've run the following benchmarks:
        1. the collection of jsc benchmarks on the jsc executable vs. its
           baseline.
        2. Octane 2.0 in browser without the WebInspector.
        3. Octane 2.0 in browser with the WebInspector open and a breakpoint
           set somewhere where it won't break.

        In all of these, the results came out to be a wash as expected.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITOperations.cpp:

2014-02-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
        <https://webkit.org/b/129364>

        Reviewed by Alexey Proskuryakov.

        InjectedScriptModule::ensureInjected() needs an APIEntryShim.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        - Added the needed but missing APIEntryShim.

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
        <https://webkit.org/b/128766>

        Reviewed by Geoffrey Garen.

        Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
        The reasoning is that we don't know of any clients that need unordered
        re-entry into the VM from different threads. So, we're enforcing ordered
        re-entry i.e. we must re-grab locks in the reverse order of dropping locks.

        The crash in this bug happened because we were allowing unordered re-entry,
        and the following type of scenario occurred:

        1. Thread T1 locks the VM, and enters the VM to execute some JS code.
        2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
           first time it entered the VM.
           T1 sets VM::m_entryScope to T1's entryScope.
        3. T1 drops all locks.

        4. Thread T2 locks the VM, and enters the VM to execute some JS code.
           On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
           does not set the entryScope.
        5. T2 drops all locks.

        6. T1 re-grabs locks.
        7. T1 returns all the way out of JS code. On exit from the outermost
           JS function, T1 clears VM::m_entryScope (because T1 was the one who
           set it).
        8. T1 unlocks the VM.

        9. T2 re-grabs locks.
        10. T2 proceeds to execute some code and expects VM::m_entryScope to be
            NOT null, but it turns out to be null. Assertion failures and
            crashes ensue.

        With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
        the VM. Hence, the issue will no longer manifest.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::DropAllLocks::dropDepth):

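The ten-step interleaving in the entry above, replayed as an added illustration that is not JSC's own code: a deterministic two-thread model of dropAllLocks/grabAllLocks in which the names (VM, Thread, Policy, runStep, observedByT2) are hypothetical, showing that unordered re-grabbing lets T2 observe a null entry scope while ordered (reverse-order) re-grabbing makes T1 yield until T2 has exited.

```cpp
#include <deque>
#include <iostream>
#include <string>
#include <vector>

// Added model of the JSLock re-entry scenario, not JSC's implementation; all names hypothetical.
enum class Policy { Unordered, Ordered };
enum class Step { Enter, DropAll, GrabAll, Exit };

struct VM {
    std::string entryScope;               // "" models a null VM::m_entryScope
    std::string owner;                    // thread currently holding the JSLock ("" = unlocked)
    std::vector<std::string> dropOrder;   // threads that called dropAllLocks, oldest first
};

struct Thread {
    std::string name;
    std::deque<Step> steps;               // remaining work for this thread
    bool setEntryScope = false;           // true if this thread set VM::m_entryScope on entry
    std::string observed;                 // entryScope seen right after re-grabbing the locks
};

// Runs the thread's next step. Returns false if the step cannot proceed yet, in which
// case the thread yields and retries later (the step is not consumed).
static bool runStep(VM& vm, Thread& t, Policy policy) {
    switch (t.steps.front()) {
    case Step::Enter:                     // lock the VM and enter JS (steps 1-2 and 4)
        if (!vm.owner.empty()) return false;
        vm.owner = t.name;
        if (vm.entryScope.empty()) {      // first entry: this thread owns the entry scope
            vm.entryScope = t.name;
            t.setEntryScope = true;
        }
        break;
    case Step::DropAll:                   // dropAllLocks (steps 3 and 5)
        vm.owner.clear();
        vm.dropOrder.push_back(t.name);
        break;
    case Step::GrabAll:                   // grabAllLocks (steps 6 and 9)
        // Ordered re-entry: only the most recent dropper may re-grab; any other
        // thread loops and yields until it is its turn (the fix described above).
        if (policy == Policy::Ordered
            && (vm.dropOrder.empty() || vm.dropOrder.back() != t.name))
            return false;
        if (!vm.owner.empty()) return false;   // lock is held by another thread
        for (auto it = vm.dropOrder.begin(); it != vm.dropOrder.end(); ++it) {
            if (*it == t.name) { vm.dropOrder.erase(it); break; }
        }
        vm.owner = t.name;
        t.observed = vm.entryScope.empty() ? "null" : vm.entryScope;
        break;
    case Step::Exit:                      // leave the outermost JS frame and unlock (steps 7-8)
        if (t.setEntryScope) vm.entryScope.clear();
        vm.owner.clear();
        break;
    }
    t.steps.pop_front();
    return true;
}

// Replays the interleaving from the entry (T1, T1, T2, T2, T1, T1, T2, T2) under the given
// policy and reports what T2 found in VM::m_entryScope after re-grabbing (step 10).
std::string observedByT2(Policy policy) {
    VM vm;
    Thread t1, t2;
    t1.name = "T1"; t1.steps = {Step::Enter, Step::DropAll, Step::GrabAll, Step::Exit};
    t2.name = "T2"; t2.steps = t1.steps;
    Thread* threads[2] = {&t1, &t2};
    int current = 0;
    int budget = 2;                       // two steps per thread before the scheduler switches
    int idleSwitches = 0;                 // guards against a deadlocked model spinning forever
    while (!t1.steps.empty() || !t2.steps.empty()) {
        Thread& t = *threads[current];
        if (!t.steps.empty() && budget > 0 && runStep(vm, t, policy)) {
            --budget;
            idleSwitches = 0;
            continue;
        }
        if (++idleSwitches > 4) return "deadlock";
        current = 1 - current;            // done, blocked, or out of budget: yield to the other
        budget = 2;
    }
    return t2.observed;
}

int main() {
    std::cout << "unordered re-entry: T2 sees entryScope = " << observedByT2(Policy::Unordered) << '\n';
    std::cout << "ordered re-entry:   T2 sees entryScope = " << observedByT2(Policy::Ordered) << '\n';
    return 0;
}
```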
2014-02-25  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Not reviewed.

        Relanding r164627 now that <https://webkit.org/b/129341> is fixed.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Inline caching in the FTL on ARM64 should "work"
        https://bugs.webkit.org/show_bug.cgi?id=129334

        Reviewed by Mark Hahnenberg.

        Gets us to the point where simple tests that use inline caching are passing.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::shrink):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        (JSC::FTL::sizeOfCall):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * jit/GPRInfo.h:
        * offlineasm/arm64.rb:

2014-02-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164627.
        http://trac.webkit.org/changeset/164627
        https://bugs.webkit.org/show_bug.cgi?id=129325

        Broke SubtleCrypto tests (Requested by ap on #webkit).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        ARM64 rshift64 should be an arithmetic shift
        https://bugs.webkit.org/show_bug.cgi?id=129323

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::rshift64):

2014-02-25  Sergio Villar Senin  <svillar@igalia.com>

        [CSS Grid Layout] Add ENABLE flag
        https://bugs.webkit.org/show_bug.cgi?id=129153

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25  Michael Saboff  <msaboff@apple.com>

        JIT Engines use the wrong stack limit for stack checks
        https://bugs.webkit.org/show_bug.cgi?id=129314

        Reviewed by Filip Pizlo.

        Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * runtime/VM.h:
        (JSC::VM::addressOfStackLimit):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164493.

        It causes crashes, apparently because it's removing too many barriers. I will investigate
        later.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Spread operator has a bad time when applied to call function
        https://bugs.webkit.org/show_bug.cgi?id=128853

        Reviewed by Geoffrey Garen.

        Follow on from the previous patch that added an extra slot to
        op_call_varargs (and _call, _call_eval, _construct). We now
        use the slot as an offset to in effect act as a 'slice' on
        the spread subject. This allows us to automatically retain
        all our existing argument and array optimisations. Most of
        this patch is simply threading the offset around.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::getArgumentByVal):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2014-02-24  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Reviewed by Geoffrey Garen.

        We check VM::exclusiveThread as an optimization to forego the need to do
        JSLock locking. However, we recently started piggybacking on JSLock's
        lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
        and lastStackTop) to appropriate values for the current thread. This is
        needed because we may be acquiring the lock to enter the VM on a different
        thread.

        As a result, we ended up not initializing the VM stack data when
        VM::exclusiveThread causes us to bypass the locking activity. Even though
        the VM::exclusiveThread will not have to deal with the VM being entered
        on a different thread, it still needs to initialize the VM stack data.
        The VM relies on that data being initialized properly once it has been
        entered.

        With this fix, we push the check for exclusiveThread down into the JSLock,
        and handle the bypassing of unneeded locking activity there while still
        executing the necessary VM stack data initialization.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSLock::unlock):
        (JSLock::currentThreadIsHoldingLock):
        (JSLock::dropAllLocks):
        (JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should do polymorphic PutById inlining
        https://bugs.webkit.org/show_bug.cgi?id=129210

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        This makes PutByIdStatus inform us about polymorphic cases by returning an array of
        PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
        selection of multiple inlined PutByIdVariants.

        MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
        http://trac.webkit.org/changeset/164207.

        This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
        that generate similar code.

        1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
        sometimes swaps field insertion order, creating fake polymorphism.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::isSimple):
        (JSC::PutByIdStatus::numVariants):
        (JSC::PutByIdStatus::variants):
        (JSC::PutByIdStatus::at):
        (JSC::PutByIdStatus::operator[]):
        * bytecode/PutByIdVariant.cpp: Added.
        (JSC::PutByIdVariant::dump):
        (JSC::PutByIdVariant::dumpInContext):
        * bytecode/PutByIdVariant.h: Added.
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::isSet):
        (JSC::PutByIdVariant::operator!):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::structureChain):
        (JSC::PutByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasMultiPutByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::loadProperty):
        (JSC::FTL::LowerDFGToLLVM::storeProperty):
        (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
        (JSC::FTL::LowerDFGToLLVM::storageForTransition):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

2014-02-24  peavo@outlook.com  <peavo@outlook.com>

        JSC regressions after r164494
        https://bugs.webkit.org/show_bug.cgi?id=129272

        Reviewed by Mark Lam.

        * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.

2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
        https://bugs.webkit.org/show_bug.cgi?id=129255

        Reviewed by Csaba Osztrogonác.

        ENABLE_WORKERS macro was removed in r159679.
        Support is now also removed from xcconfig files.

        * Configurations/FeatureDefines.xcconfig:

2014-02-24  David Kilzer  <ddkilzer@apple.com>

        Remove redundant setting in FeatureDefines.xcconfig

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Update FeatureDefines.xcconfig

        Rubber-stamped by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Dean Jackson  <dino@apple.com>

        Sort the project file with sort-Xcode-project-file.

        Rubber-stamped by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Move telephone number detection behind its own ENABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=129236

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_TELEPHONE_NUMBER_DETECTION.

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Refine DFG+FTL inlining and compilation limits
        https://bugs.webkit.org/show_bug.cgi?id=129212

        Reviewed by Mark Hahnenberg.

        Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
        and set that limit quite high. Institute a limit on inlining-into. The idea here is
        that large functions tend to be autogenerated, and code generators like emscripten
        appear to leave few inlining opportunities anyway. Also, we don't want the code
        size explosion that we would risk if we allowed compilation of a large function and
        then inlined a ton of stuff into it.

        This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
        regression. This is a 9% speed-up on AsmBench.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::noticeIncomingCall):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::isSmallEnoughToInlineCodeInto):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLState.h:
        (JSC::FTL::shouldShowDisassembly):
        * runtime/Options.h:

2014-02-22  Dan Bernstein  <mitz@apple.com>

        REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
        https://bugs.webkit.org/show_bug.cgi?id=129227

        Reviewed by Eric Carlson.

        Reverted r164507.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallStack.cpp:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        (Inspector::createScriptCallStackFromException):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):

2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>

        Remove some unreachable code (-Wunreachable-code)
        https://bugs.webkit.org/show_bug.cgi?id=129220

        Reviewed by Eric Carlson.

        * API/tests/testapi.c:
        (EvilExceptionObject_convertToType):
        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix.

        * assembler/ARMv7Assembler.h:

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
        https://bugs.webkit.org/show_bug.cgi?id=124733

        Reviewed by Oliver Hunt.

        This also takes the opportunity to de-duplicate some branch compaction code.

        * assembler/ARM64Assembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::storage):
        (JSC::AssemblerBuffer::grow):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        (JSC::LinkBuffer::applyOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::link):
        * assembler/MacroAssemblerARMv7.h:

2014-02-21  Brent Fulgham  <bfulgham@apple.com>

        Extend media support for WebVTT sources
        https://bugs.webkit.org/show_bug.cgi?id=129156

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-21  Oliver Hunt  <oliver@apple.com>

        Add extra space to op_call and related opcodes
        https://bugs.webkit.org/show_bug.cgi?id=129170

        Reviewed by Mark Lam.

        No change in behaviour, just some refactoring to add an extra
        slot to the op_call instructions, and refactoring to make similar
        changes easier in future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-02-21  Mark Lam  <mark.lam@apple.com>

        gatherFromOtherThread() needs to align the sp before gathering roots.
        <https://webkit.org/b/129169>

        Reviewed by Geoffrey Garen.

        The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
        gatherFromOtherThread() defines the range of the other thread's stack as
        being bounded by the other thread's stack pointer and stack base. While
        the stack base will always be aligned to sizeof(void*), the stack pointer
        may not be. This is because the other thread may have just pushed a 32-bit
        value on its stack before we suspended it for scanning.

        The fix is to round the stack pointer up to the next aligned address of
        sizeof(void*) and start scanning from there. On 64-bit systems, we will
        effectively ignore the 32-bit word at the bottom of the stack (top of the
        stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
        64-bit pointers should always be stored on 64-bit aligned boundaries (our
        conservative scan algorithm already depends on this assumption).

        On 32-bit systems, the rounding is effectively a no-op.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddSpan):
        - Hardened some assertions so that we can catch misalignment issues on
          release builds as well.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromOtherThread):
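
        The alignment rule described in this entry, as an added C++ example that is not
        code from JavaScriptCore: a conservative scan over a constructed stack image in
        which the suspended thread's stack pointer sits 4 bytes into a pointer-aligned
        buffer, as it would after a 32-bit push. ToyHeap, gatherConservativeRoots and
        scanSampleStack are hypothetical names; the "heap" is a set of fake cell
        addresses that are never dereferenced, standing in for the real block lookup.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>
#include <vector>

// Round an address up to the next multiple of sizeof(void*).
uintptr_t roundUpToPointerAlignment(uintptr_t address)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (address + mask) & ~mask;
}

// Hypothetical stand-in for the collector's view of the heap: the set of cell
// addresses it owns. The real heap does a block lookup, not a set lookup.
struct ToyHeap {
    std::set<uintptr_t> cells;
    bool contains(uintptr_t candidate) const { return cells.count(candidate) != 0; }
};

// Conservatively scan the byte range [stackPointer, stackBase) of a
// downward-growing stack. The stack pointer is rounded up first, so a
// half-written 32-bit slot at the bottom is skipped instead of being read as
// part of a misaligned "pointer".
std::vector<uintptr_t> gatherConservativeRoots(const ToyHeap& heap, uintptr_t stackPointer, uintptr_t stackBase)
{
    const uintptr_t alignmentMask = sizeof(void*) - 1;
    uintptr_t scanBegin = roundUpToPointerAlignment(stackPointer);
    // Both ends of the span must now be pointer aligned (the hardened checks).
    assert(!(scanBegin & alignmentMask));
    assert(!(stackBase & alignmentMask));

    std::vector<uintptr_t> roots;
    for (uintptr_t p = scanBegin; p + sizeof(void*) <= stackBase; p += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof word); // aligned read
        if (heap.contains(word))
            roots.push_back(word);
    }
    return roots;
}

// Constructed stack image: five pointer-sized slots with two planted cell
// addresses. Returns how many roots the scan finds.
size_t scanSampleStack()
{
    const uintptr_t cellA = 0x10000, cellB = 0x20000; // fake cell addresses, never dereferenced
    ToyHeap heap;
    heap.cells = { cellA, cellB };

    uintptr_t slots[5] = { 0xBADC0DE, cellA, 0x1234, cellB, 0 };
    uintptr_t stackBase = reinterpret_cast<uintptr_t>(slots + 5);
    // The suspended thread's sp is 4 bytes into the buffer, as after a 32-bit
    // push: misaligned on 64-bit, already aligned on 32-bit.
    uintptr_t stackPointer = reinterpret_cast<uintptr_t>(slots) + 4;

    return gatherConservativeRoots(heap, stackPointer, stackBase).size();
}
```

        On a 64-bit build the rounding skips the half-written slot, so the two planted
        cell addresses are found and the garbage word at the bottom is never combined
        with its neighbour into a bogus pointer; on a 32-bit build the rounded address
        equals the original stack pointer and the scan is unchanged, which is the no-op
        case the entry mentions.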

2014-02-21  Matthew Mirman  <mmirman@apple.com>

        Added a GetMyArgumentsLengthSafe and added a speculation check.
        https://bugs.webkit.org/show_bug.cgi?id=129051

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-21  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Many JSC stress test failures.
        https://bugs.webkit.org/show_bug.cgi?id=129155

        Reviewed by Michael Saboff.

        Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
        Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
        E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).

        * offlineasm/x86.rb: Swap operand order on Windows.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        DFG write barriers should do more speculations
        https://bugs.webkit.org/show_bug.cgi?id=129160

        Reviewed by Mark Hahnenberg.

        Replace ConditionalStoreBarrier with the cheapest speculation that you could do
        instead.

        Minuscule speed-up on some things. It's a decent difference in code size, though.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertPhantomCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateOther):
        (JSC::DFG::Node::shouldSpeculateNotCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Revert r164486, causing a number of test failures.

        Unreviewed rollout.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        Revive SABI (aka shouldAlwaysBeInlined)
        https://bugs.webkit.org/show_bug.cgi?id=129159

        Reviewed by Mark Hahnenberg.

        This is a small Octane speed-up.

        * jit/Repatch.cpp:
        (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-20  Anders Carlsson  <andersca@apple.com>

        Modernize JSGlobalLock and JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=129105

        Reviewed by Michael Saboff.

        Use std::mutex and std::thread::id where possible.

        * runtime/JSLock.cpp:
        (JSC::GlobalJSLock::GlobalJSLock):
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::GlobalJSLock::initialize):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        virtualForWithFunction() should not throw an exception with a partially initialized frame.
        <https://webkit.org/b/129134>

        Reviewed by Michael Saboff.

        Currently, when JITOperations.cpp's virtualForWithFunction() fails to
        prepare the callee function for execution, it proceeds to throw the
        exception using the callee frame which is only partially initialized
        thus far. Instead, it should be throwing the exception using the caller
        frame because:
        1. the error happened "in" the caller while preparing the callee for
           execution i.e. the caller frame is the top fully initialized frame
           on the stack.
        2. the callee frame is not fully initialized yet, and the unwind
           mechanism cannot depend on the data in it.

        * jit/JITOperations.cpp:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
        <https://webkit.org/b/129131>

        Reviewed by Mark Hahnenberg.

        Currently, DefaultGCActivityCallback::doWork() does not check if the GC
        needs to be deferred before commencing. As a result, the GC may crash
        and/or corrupt data because the VM is not in the consistent state needed
        for the GC to run. With this fix, doWork() now checks if the GC is
        supposed to be deferred and re-schedules if needed. It only commences
        with GC'ing when it's safe to do so.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-20  Geoffrey Garen  <ggaren@apple.com>

        Math.imul gives wrong results
        https://bugs.webkit.org/show_bug.cgi?id=126345

        Reviewed by Mark Hahnenberg.

        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
        Instead, take a slow path that will do the right thing.

        * jit/ThunkGenerators.cpp:
        (JSC::imulThunkGenerator):
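
        ToInt32 as this entry describes it, as an added C++ example that is not
        JavaScriptCore's thunk code: toInt32 follows the ECMAScript conversion
        (truncate toward zero, reduce modulo 2^32, reinterpret the low 32 bits as
        signed), imul applies it to both operands, and imulFastPathWrong is a
        hypothetical model of the removed behaviour that mapped any non-integer double
        to 0. All three names are assumptions, not identifiers from the project.

```cpp
#include <cmath>
#include <cstdint>

// ECMAScript ToInt32: NaN, +/-0 and +/-Infinity map to 0; otherwise truncate
// toward zero, reduce modulo 2^32 and reinterpret the low 32 bits as signed.
int32_t toInt32(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return 0;
    const double twoTo32 = 4294967296.0;
    double truncated = std::trunc(number);          // sign(n) * floor(abs(n))
    double modulo = std::fmod(truncated, twoTo32);  // keeps the sign of truncated
    if (modulo < 0)
        modulo += twoTo32;                          // now in [0, 2^32)
    uint32_t bits = static_cast<uint32_t>(modulo);
    return static_cast<int32_t>(bits);              // two's-complement wrap into [-2^31, 2^31)
}

// Math.imul: ToInt32 both operands, multiply, keep the low 32 bits.
int32_t imul(double a, double b)
{
    uint32_t product = static_cast<uint32_t>(toInt32(a)) * static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(product);
}

// Hypothetical model of the bug: a double that is not already an int32 is
// treated as 0 instead of being converted, so 2.5 * 4 yields 0 rather than 8.
int32_t imulFastPathWrong(double a, double b)
{
    auto int32OrZero = [](double n) -> int32_t {
        bool isInt32 = n == std::trunc(n) && n >= -2147483648.0 && n <= 2147483647.0;
        return isInt32 ? static_cast<int32_t>(n) : 0;
    };
    uint32_t product = static_cast<uint32_t>(int32OrZero(a)) * static_cast<uint32_t>(int32OrZero(b));
    return static_cast<int32_t>(product);
}
```

        The cases worth checking are the ones a fast path is tempted to shortcut:
        fractional operands (2.5 converts to 2, not 0), negatives (-2.5 converts to
        -2), and values outside the int32 range, where 4294967295 wraps to -1 and
        2147483648 wraps to the minimum int32 before the multiply.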

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.

        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.

        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.

        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==