ChangeLog for apple/javascriptcore.git (JavaScriptCore-7600.1.4.17.5)

2015-07-27  Babak Shafiei  <bshafiei@apple.com>

        Roll out r182829.

2015-07-08  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r183128. rdar://problem/21716620

        2015-04-22  Mark Lam  <mark.lam@apple.com>

                SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
                https://bugs.webkit.org/show_bug.cgi?id=144067

                Reviewed by Michael Saboff.

                Currently, there are a few places where the JSObject that owns the
                SparseArrayValueMap is designated as the owner of the SparseArrayEntry
                write barrier. This is a bug and can result in the GC collecting the
                SparseArrayEntry even though it is being referenced by the
                SparseArrayValueMap. This patch fixes the bug.

                * runtime/JSObject.cpp:
                (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
                (JSC::JSObject::putIndexedDescriptor):
                * tests/stress/sparse-array-entry-update-144067.js: Added.
                (useMemoryToTriggerGCs):
                (foo):

2015-07-08  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r182829. rdar://problem/21716511

        2015-04-14  Chris Dumez  <cdumez@apple.com>

                Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
                https://bugs.webkit.org/show_bug.cgi?id=143745
                <rdar://problem/20243916>

                Reviewed by Joseph Pecoraro.

                Add assertion in ContentSearchUtilities::findMagicComment() to make
                sure the content String is not null or we would crash in
                JSC::Yarr::interpret() later.

                * inspector/ContentSearchUtilities.cpp:
                (Inspector::ContentSearchUtilities::findMagicComment):

2015-03-06  Lucas Forschler  <lforschler@apple.com>

        Merge r180234

        2015-02-17  Filip Pizlo  <fpizlo@apple.com>

                Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
                https://bugs.webkit.org/show_bug.cgi?id=141717
                rdar://problem/19863382

                Reviewed by Geoffrey Garen.

                The best solution is to ensure that the engine catching an exception restores tag registers.

                Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.

                * jit/JITOpcodes.cpp:
                (JSC::JIT::emit_op_catch):
                * llint/LowLevelInterpreter.asm:
                * llint/LowLevelInterpreter64.asm:
                * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
                * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
                * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.

2015-03-06  Lucas Forschler  <lforschler@apple.com>

        Merge r181030

        2015-03-04  Filip Pizlo  <fpizlo@apple.com>

                [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
                https://bugs.webkit.org/show_bug.cgi?id=141180
                rdar://problem/19677552

                Reviewed by Benjamin Poulain.

                If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
                bounds check already terminates execution. This means we can skip the part where we
                previously did an out-of-bound array access on the inlined call frame arguments vector.

                * ftl/FTLLowerDFGToLLVM.cpp:
                (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
                (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
                (JSC::FTL::LowerDFGToLLVM::terminate):
                (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
                (JSC::FTL::LowerDFGToLLVM::crash):
                * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
                (foo):
                (bar):

2015-03-04  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r180101. rdar://problem/19913017

        2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>

                JSContext Inspector: Do not stash console messages for non-debuggable JSContext
                https://bugs.webkit.org/show_bug.cgi?id=141589

                Reviewed by Timothy Hatcher.

                Consider developer extras disabled for JSContext inspection if the
                RemoteInspector server is not enabled (typically a non-debuggable
                process rejected by webinspectord) or if remote debugging on the
                JSContext was explicitly disabled via SPI.

                When developer extras are disabled, console messages will not be stashed.

                * inspector/JSGlobalObjectInspectorController.cpp:
                (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
                * inspector/JSGlobalObjectInspectorController.h:

2015-02-26  Lucas Forschler  <lforschler@apple.com>

        Merge r180452

        2015-02-20  Mark Lam  <mark.lam@apple.com>

                [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
                <https://webkit.org/b/141809>

                Reviewed by Geoffrey Garen.

                An ObjC class that implements the JSExport protocol will have a JS prototype
                chain and constructor automatically synthesized for its JS wrapper object.
                However, if there are no more instances of that ObjC class reachable by a
                JS GC root scan, then its synthesized prototype chain and constructors may
                be released by the GC. If a new instance of that ObjC class is subsequently
                instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
                should re-construct the prototype chain and constructor (if they were
                previously released). However, the current implementation only
                re-constructs the immediate prototype, but not every other prototype
                object upstream in the prototype chain.

                To fix this, we do the following:
                1. We no longer allocate the JSObjCClassInfo's prototype and constructor
                   eagerly. Hence, -initWithContext:forClass: will no longer call
                   -allocateConstructorAndPrototypeWithSuperClassInfo:.
                2. Instead, we'll always access the prototype and constructor through
                   accessor methods. The accessor methods will call
                   -allocateConstructorAndPrototype: if needed.
                3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
                   from the JSWrapperMap itself. This makes it so that we no longer
                   need to pass the superClassInfo all over.
                4. -allocateConstructorAndPrototype: will get the super class prototype
                   by invoking -prototype: on the superClassInfo, thereby allowing the
                   super class to allocate its prototype and constructor if needed and
                   fixing the issue in this bug.

                5. Also removed the GC warning comments, and ensured that needed JS
                   objects are kept alive by having a local var pointing to it from the
                   stack (which makes a GC root).

                * API/JSWrapperMap.mm:
                (-[JSObjCClassInfo initWithContext:forClass:]):
                (-[JSObjCClassInfo allocateConstructorAndPrototype]):
                (-[JSObjCClassInfo wrapperForObject:]):
                (-[JSObjCClassInfo constructor]):
                (-[JSObjCClassInfo prototype]):
                (-[JSWrapperMap classInfoForClass:]):
                (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
                (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
                (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
                * API/tests/Regress141809.h: Added.
                * API/tests/Regress141809.mm: Added.
                (-[TestClassB name]):
                (-[TestClassC name]):
                (runRegress141809):
                * API/tests/testapi.mm:
                * JavaScriptCore.xcodeproj/project.pbxproj:

2015-02-25  Babak Shafiei  <bshafiei@apple.com>

        Merge patch for r180247 and r180249.

        2015-02-20  Michael Saboff  <msaboff@apple.com>

                CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
                https://bugs.webkit.org/show_bug.cgi?id=141730

                Reviewed by Geoffrey Garen.

                Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
                while processing DFG lowering. For debug builds, the failures are logged identical
                to the way the DFG_CRASH() reports them. For release builds, the failures are reported
                and that FTL compilation is terminated, but the process is allowed to continue.
                Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
                line number are reported at the point of the inconsistency.

                Converted instances of DFG_CRASH to LOWERING_FAILED.

                * dfg/DFGPlan.cpp:
                (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
                will fail the FTL compile.

                * ftl/FTLLowerDFGToLLVM.cpp:
                (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
                Added new member variable, m_loweringSucceeded, to stop compilation on the first
                reported failure.

                * ftl/FTLLowerDFGToLLVM.cpp:
                (JSC::FTL::LowerDFGToLLVM::lower):
                * ftl/FTLLowerDFGToLLVM.h:
                Added check for compilation failures and now report those failures via a boolean
                return value.

                * ftl/FTLLowerDFGToLLVM.cpp:
                (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
                (JSC::FTL::LowerDFGToLLVM::compileNode):
                (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
                (JSC::FTL::LowerDFGToLLVM::compilePhi):
                (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
                (JSC::FTL::LowerDFGToLLVM::compileValueRep):
                (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
                (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
                (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
                (JSC::FTL::LowerDFGToLLVM::compileArithMul):
                (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
                (JSC::FTL::LowerDFGToLLVM::compileArithMod):
                (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
                (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
                (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
                (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
                (JSC::FTL::LowerDFGToLLVM::compileGetById):
                (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
                (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
                (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
                (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
                (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
                (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
                (JSC::FTL::LowerDFGToLLVM::compileNewArray):
                (JSC::FTL::LowerDFGToLLVM::compileToString):
                (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
                (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
                (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
                (JSC::FTL::LowerDFGToLLVM::compileSwitch):
                (JSC::FTL::LowerDFGToLLVM::compare):
                (JSC::FTL::LowerDFGToLLVM::boolify):
                (JSC::FTL::LowerDFGToLLVM::opposite):
                (JSC::FTL::LowerDFGToLLVM::lowJSValue):
                (JSC::FTL::LowerDFGToLLVM::speculate):
                (JSC::FTL::LowerDFGToLLVM::isArrayType):
                (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
                (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
                (JSC::FTL::LowerDFGToLLVM::setInt52):
                Changed DFG_CRASH() to LOWERING_FAILED(). Updated related control flow as appropriate.

                (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.

2015-02-25  Babak Shafiei  <bshafiei@apple.com>

        Merge r180516.

        2015-02-23  Matthew Mirman  <mmirman@apple.com>

                r9 is volatile on ARMv7 for iOS 3 and up.
                https://bugs.webkit.org/show_bug.cgi?id=141489
                rdar://problem/19432916

                Reviewed by Michael Saboff.

                * jit/RegisterSet.cpp:
                (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
                * tests/stress/regress-141489.js: Added.
                (foo):

2015-02-20  Lucas Forschler  <lforschler@apple.com>

        Merge r180237

        2015-02-17  Filip Pizlo  <fpizlo@apple.com>

                StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
                https://bugs.webkit.org/show_bug.cgi?id=141721
                rdar://problem/17198633

                Reviewed by Michael Saboff.

                I've seen cases where the two are out of sync. We know we can trust the CodeBlock::usesArguments because
                we use it everywhere else.

                No test because I could never reproduce the crash.

                * dfg/DFGGraph.h:
                (JSC::DFG::Graph::usesArguments):
                * dfg/DFGStackLayoutPhase.cpp:
                (JSC::DFG::StackLayoutPhase::run):

2015-02-20  Babak Shafiei  <bshafiei@apple.com>

        Merge r178224.

        2015-01-09  Joseph Pecoraro  <pecoraro@apple.com>

                Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
                https://bugs.webkit.org/show_bug.cgi?id=140279
                rdar://problem/19422299

                Reviewed by Oliver Hunt.

                * runtime/MapData.cpp:
                (JSC::MapData::replaceAndPackBackingStore):
                The cell table also needs to have its values fixed.

2015-02-20  Babak Shafiei  <bshafiei@apple.com>

        Merge patch for rdar://problem/19828630.

        2015-02-13  Filip Pizlo  <fpizlo@apple.com>

                Effectful calls to length should only happen once on the varargs path.
                rdar://problem/19828518

                Reviewed by Michael Saboff.

                * interpreter/Interpreter.cpp:
                (JSC::sizeFrameForVarargs):
                (JSC::loadVarargs):
                * runtime/VM.cpp:
                (JSC::VM::VM):
                * runtime/VM.h:

2015-02-10  Babak Shafiei  <bshafiei@apple.com>

        Merge r179576, r179648.

        2015-02-04  Mark Lam  <mark.lam@apple.com>

                r179576 introduced a deadlock potential during GC thread suspension.
                <https://webkit.org/b/141268>

                Reviewed by Michael Saboff.

                http://trac.webkit.org/r179576 introduced a potential for deadlocking.
                In the GC thread suspension loop, we currently delete
                MachineThreads::Thread that we detect to be invalid. This is unsafe
                because we may have already suspended some threads, and one of those
                suspended threads may still be holding the C heap lock which we need
                for deleting the invalid thread.

                The fix is to put the invalid threads in a separate toBeDeleted list,
                and delete them only after GC has resumed all threads.

                * heap/MachineStackMarker.cpp:
                (JSC::MachineThreads::removeCurrentThread):
                - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
                  removeCurrentThread() since it is no longer needed.

                (JSC::MachineThreads::tryCopyOtherThreadStacks):
                - Put invalid Threads on a threadsToBeDeleted list, and delete those
                  Threads only after all threads have been resumed.

                (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
                * heap/MachineStackMarker.h:

        2015-02-03  Mark Lam  <mark.lam@apple.com>

                Work around a thread library bug where thread destructors may not get called.
                <https://webkit.org/b/141209>

                Reviewed by Michael Saboff.

                There's a bug where thread destructors may not get called. As far as
                we know, this only manifests on darwin ports. We will work around this
                by checking at GC time if the platform thread is still valid. If not,
                we'll purge it from the VM's registeredThreads list before proceeding
                with thread scanning activity.

                Note: it is important that we do this invalid thread detection during
                suspension, because the validity (and liveness) of the other thread is
                only guaranteed while it is suspended.

                * API/tests/testapi.mm:
                (threadMain):
                - Added a test to enter the VM from another thread before we GC on
                  the main thread.

                * heap/MachineStackMarker.cpp:
                (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
                (JSC::MachineThreads::removeCurrentThread):
                - refactored removeThreadWithLockAlreadyAcquired() out from
                  removeCurrentThread() so that we can also call it for purging invalid
                  threads.
                (JSC::suspendThread):
                - Added a return status to tell if the suspension succeeded or not.
                (JSC::MachineThreads::tryCopyOtherThreadStacks):
                - Check if the suspension failed, and purge the thread if we can't
                  suspend it. Failure to suspend implies that the thread has
                  terminated without calling its destructor.
                * heap/MachineStackMarker.h:

2015-02-10  Babak Shafiei  <bshafiei@apple.com>

        Merge r179187.

        2015-01-27  Csaba Osztrogonác  <ossy@webkit.org>

                [ARM] Typo fix after r176083
                https://bugs.webkit.org/show_bug.cgi?id=140937

                Reviewed by Anders Carlsson.

                * assembler/ARMv7Assembler.h:
                (JSC::ARMv7Assembler::ldrh):

2015-02-10  Babak Shafiei  <bshafiei@apple.com>

        Merge r176083.

        2014-11-13  Benjamin Poulain  <benjamin@webkit.org>

                ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset
                https://bugs.webkit.org/show_bug.cgi?id=136914

                Reviewed by Michael Saboff.

                TLDR: the immediate offset of half-word load was divided by 2.

                Story time: So I started getting those weird reports of :nth-child() behaving bizarrely
                on ARMv7 and ARMv7s. To make things worse, the behavior changes depending on style updates.

                I started looking at the disassembly of the test cases...

                The first thing I noticed was that the computation of An+B looked wrong. For example,
                in the case of n+6, the instruction should have been:
                    subs r1, r1, #6
                but was
                    subs r1, r1, #2

                After spending a lot of time trying to find the error in the assembler, I discovered
                the problem was not real, but just a bug in the disassembler.
                This is the first fix: ARMv7DOpcodeAddSubtractImmediate3's immediate3() was truncating
                the value to 2 bits instead of 3 bits.

                The disassembler being fixed, I still have no lead on the weird bug. Some disassembly later,
                I realize the LDRH instruction is not decoded at all. The reason is that both LDRH and STRH
                were under the umbrella ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord but the pattern
                only matched STRH.

                I fix that next, ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord is split into
                ARMv7DOpcodeStoreRegisterImmediateHalfWord and ARMv7DOpcodeLoadRegisterImmediateHalfWord,
                each with their own pattern and their instruction group.

                Now that I can see the LDRHs correctly, there is something fishy about them, their offset
                is way too small for the data I load.

                This time, looking at the binary, the generated code is indeed incorrect. It turns out that
                the ARMv7 assembler shifted the offset of half-word load as if they were byte load: divided by 4.
                As a result, all the loads of half-words with more than zero offset were loading
                values with a smaller offset than what they should have.

                That being fixed, I dump the assembly: still wrong. I am ready to throw my keyboard through
                my screen at that point.

                Looking at the disassembler, there is yet again a bug. The computation of the scale() adjustment
                of the offset was incorrect for anything but word loads.
                I replaced it by a switch-case to make it explicit.

                STRH is likely incorrect too. I'll fix that in a follow up, I want to survey all the 16-bit cases
                that are not directly used by the CSS JIT.

                * assembler/ARMv7Assembler.h:
                (JSC::ARMv7Assembler::ldrh):
                Fix the immediate scaling. Add an assertion to make sure the alignment of the input is correct.

                * disassembler/ARMv7/ARMv7DOpcode.cpp:
                (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale):
                Fix the scaling code. Just hardcode instruction-to-scale table.

                * disassembler/ARMv7/ARMv7DOpcode.h:
                (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3):
                The mask for a 3-bit immediate is not 3 :)

                (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): Deleted.

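The two encoding mistakes the r176083 entry above walks through (a half-word offset scaled like a word load, and a 3-bit immediate masked with 0x3 instead of 0x7), shown in a small stand-alone model of the 16-bit Thumb T1 load/store and ADD/SUB-immediate encodings. This is an added example, not code from JavaScriptCore; the function names and the flat opcode-to-scale table are my own, and the bit layouts follow the ARM architecture reference for the T1 encodings.

```c
#include <stdint.h>
#include <stdio.h>

/* Top five bits of the 16-bit Thumb load/store-immediate encodings (T1). */
enum ThumbOp5 {
    OP_STR_imm_T1  = 0x0C, /* 01100 : STR  Rt, [Rn, #imm5<<2] */
    OP_LDR_imm_T1  = 0x0D, /* 01101 : LDR  Rt, [Rn, #imm5<<2] */
    OP_STRB_imm_T1 = 0x0E, /* 01110 : STRB Rt, [Rn, #imm5]    */
    OP_LDRB_imm_T1 = 0x0F, /* 01111 : LDRB Rt, [Rn, #imm5]    */
    OP_STRH_imm_T1 = 0x10, /* 10000 : STRH Rt, [Rn, #imm5<<1] */
    OP_LDRH_imm_T1 = 0x11, /* 10001 : LDRH Rt, [Rn, #imm5<<1] */
};

/* Explicit instruction-to-scale table (log2 of the access size), which is
 * what the fixed disassembler's switch-case makes explicit. */
static unsigned scale_for_op5(unsigned op5)
{
    switch (op5) {
    case OP_STR_imm_T1:  case OP_LDR_imm_T1:  return 2; /* word: imm5 * 4 */
    case OP_STRH_imm_T1: case OP_LDRH_imm_T1: return 1; /* half: imm5 * 2 */
    case OP_STRB_imm_T1: case OP_LDRB_imm_T1: return 0; /* byte: imm5 * 1 */
    default: return 0;
    }
}

/* Encode "op Rt, [Rn, #offset]" in the 16-bit T1 form.  Returns 0 when the
 * offset is misaligned for the access size or does not fit in imm5; a real
 * assembler would fall back to the 32-bit form instead. */
static uint16_t encode_ls_imm(unsigned op5, unsigned rt, unsigned rn, unsigned offset)
{
    unsigned shift = scale_for_op5(op5);
    if (rt > 7 || rn > 7)
        return 0;
    if (offset & ((1u << shift) - 1))
        return 0;                      /* misaligned: the bits would be lost */
    unsigned imm5 = offset >> shift;
    if (imm5 > 31)
        return 0;                      /* does not fit in five bits */
    return (uint16_t)((op5 << 11) | (imm5 << 6) | (rn << 3) | rt);
}

/* The defect the entry describes: a half-word offset shifted by 2 as if it
 * were a word offset, so LDRH silently loads from a smaller offset. */
static uint16_t encode_ldrh_buggy(unsigned rt, unsigned rn, unsigned offset)
{
    return (uint16_t)((OP_LDRH_imm_T1 << 11) | ((offset >> 2) << 6) | (rn << 3) | rt);
}

/* Decode the byte offset of a 16-bit load/store-immediate instruction using
 * the per-instruction scale. */
static unsigned decode_ls_offset(uint16_t insn)
{
    unsigned op5 = insn >> 11;
    unsigned imm5 = (insn >> 6) & 0x1F;
    return imm5 << scale_for_op5(op5);
}

/* ADD/SUB (immediate) T1: 0001 11x imm3 Rn Rd, with imm3 at bits [8:6]. */
static uint16_t encode_subs_imm3(unsigned rd, unsigned rn, unsigned imm3)
{
    return (uint16_t)((0x0F << 9) | ((imm3 & 0x7) << 6) | (rn << 3) | rd);
}
static unsigned decode_imm3_fixed(uint16_t insn) { return (insn >> 6) & 0x7; }
static unsigned decode_imm3_buggy(uint16_t insn) { return (insn >> 6) & 0x3; } /* 2-bit mask */

int main(void)
{
    /* LDRH r0, [r1, #6]: imm5 must be 3, which encodes as 0x88C8. */
    uint16_t good = encode_ls_imm(OP_LDRH_imm_T1, 0, 1, 6);
    uint16_t bad = encode_ldrh_buggy(0, 1, 6);
    printf("LDRH r0,[r1,#6]: fixed=%04x (offset %u)  buggy=%04x (offset %u)\n",
           good, decode_ls_offset(good), bad, decode_ls_offset(bad));

    /* SUBS r1, r1, #6: the 2-bit mask shows the "#2" the entry saw. */
    uint16_t subs = encode_subs_imm3(1, 1, 6);
    printf("SUBS r1,r1,#6: imm3 with mask 0x7 -> %u, with mask 0x3 -> %u\n",
           decode_imm3_fixed(subs), decode_imm3_buggy(subs));
    return 0;
}
```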
2015-02-05  Lucas Forschler  <lforschler@apple.com>

        Merge r178953

        2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>

                Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
                https://bugs.webkit.org/show_bug.cgi?id=140746

                Reviewed by Timothy Hatcher.

                * inspector/InjectedScriptSource.js:
                Do not add impure properties to the descriptor object that will
                eventually be sent to the frontend.

2015-02-05  Lucas Forschler  <lforschler@apple.com>

        Merge r178768

        2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

                Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
                https://bugs.webkit.org/show_bug.cgi?id=137306

                Reviewed by Timothy Hatcher.

                Provide another optional parameter to getProperties, to gather a list
                of all own and getter properties.

                * inspector/InjectedScript.cpp:
                (Inspector::InjectedScript::getProperties):
                * inspector/InjectedScript.h:
                * inspector/InjectedScriptSource.js:
                * inspector/agents/InspectorRuntimeAgent.cpp:
                (Inspector::InspectorRuntimeAgent::getProperties):
                * inspector/agents/InspectorRuntimeAgent.h:
                * inspector/protocol/Runtime.json:

2015-02-04  Lucas Forschler  <lforschler@apple.com>

        Merge r179329

        2015-01-13  Geoffrey Garen  <ggaren@apple.com>

                Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
                https://bugs.webkit.org/show_bug.cgi?id=140397

                Reviewed by Geoffrey Garen.

                Patch by Alexey Proskuryakov.

                Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.

                No performance change.

                No test, since this is a small past-the-end read, which is very
                difficult to turn into a reproducible failing test -- and existing tests
                crash reliably using ASan.

                * bytecompiler/NodesCodegen.cpp:
                (JSC::BracketAccessorNode::emitBytecode):
                (JSC::DotAccessorNode::emitBytecode):
                (JSC::FunctionCallBracketNode::emitBytecode):
                (JSC::PostfixNode::emitResolve):
                (JSC::DeleteBracketNode::emitBytecode):
                (JSC::DeleteDotNode::emitBytecode):
                (JSC::PrefixNode::emitResolve):
                (JSC::UnaryOpNode::emitBytecode):
                (JSC::BitwiseNotNode::emitBytecode):
                (JSC::BinaryOpNode::emitBytecode):
                (JSC::EqualNode::emitBytecode):
                (JSC::StrictEqualNode::emitBytecode):
                (JSC::ThrowableBinaryOpNode::emitBytecode):
                (JSC::AssignDotNode::emitBytecode):
                (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
                register used across a call to a function that might allocate a new
                temporary register must be held in a RefPtr.

2015-02-04  Lucas Forschler  <lforschler@apple.com>

        Merge r178311

        2015-01-12  Geoffrey Garen  <ggaren@apple.com>

                Out of bounds read in IdentifierArena::makeIdentifier
                https://bugs.webkit.org/show_bug.cgi?id=140376

                Patch by Alexey Proskuryakov.

                Reviewed and ChangeLogged by Geoffrey Garen.

                No test, since this is a small past-the-end read, which is very
                difficult to turn into a reproducible failing test -- and existing tests
                crash reliably using ASan.

                * parser/ParserArena.h:
                (JSC::IdentifierArena::makeIdentifier):
                (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
                zero-length string input, like we do in the literal parser, since it is
                not valid to dereference characters in a zero-length string.

                A zero-length string is allowed in JavaScript -- for example, "".

2015-01-28  Lucas Forschler  <lforschler@apple.com>

        Merge r178364

        2015-01-12  Michael Saboff  <msaboff@apple.com>

                Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
                https://bugs.webkit.org/show_bug.cgi?id=140348

                Reviewed by Mark Lam.

                We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
                because those registers may have been spilled on the stack and replaced with other values by
                the time we call down to gatherFromCurrentThread().

                Now we get the register contents at the same place that we demarcate the current top of
                stack using the address of a local variable, in Heap::markRoots(). The register contents
                buffer is passed along with the demarcation pointer. These need to be done at this level
                in the call tree and no lower, as markRoots() calls various functions that visit object
                pointers that may be later proven dead. Any of those pointers that are left on the
                stack or in registers could be incorrectly marked as live if we scan the stack contents
                from a called function or one of its callees. The stack demarcation pointer and register
                saving need to be done in the same function so that we have a consistent stack, active
                and spilled registers.

                Because we don't want to make unnecessary calls to get the register contents, we use
                a macro to allocate, and possibly align, the register structure and get the actual
                register contents.

                * heap/Heap.cpp:
                (JSC::Heap::markRoots):
                (JSC::Heap::gatherStackRoots):
                * heap/Heap.h:
                * heap/MachineStackMarker.cpp:
                (JSC::MachineThreads::gatherFromCurrentThread):
                (JSC::MachineThreads::gatherConservativeRoots):
                * heap/MachineStackMarker.h:

2015-01-27  Lucas Forschler  <lforschler@apple.com>

        Merge r177455

        2014-12-17  Chris Dumez  <cdumez@apple.com>

                [iOS] Make it possible to toggle FeatureCounter support at runtime
                https://bugs.webkit.org/show_bug.cgi?id=139688
                <rdar://problem/19266254>

                Reviewed by Andreas Kling.

                Stop linking against AppSupport framework as the functionality is no
                longer in WTF (it was moved to WebCore).

                * Configurations/JavaScriptCore.xcconfig:

2015-01-26  Lucas Forschler  <lforschler@apple.com>

        Merge r177328

        2014-12-15  Chris Dumez  <cdumez@apple.com>

                [iOS] Add feature counting support
                https://bugs.webkit.org/show_bug.cgi?id=139652
                <rdar://problem/19255690>

                Reviewed by Gavin Barraclough.

                Link against AppSupport framework on iOS as we need it to implement
                the new FeatureCounter API in WTF.

                * Configurations/JavaScriptCore.xcconfig:

2015-01-21  Babak Shafiei  <bshafiei@apple.com>

        Merge r176972.

        2014-12-08  Mark Lam  <mark.lam@apple.com>

                CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
                <https://webkit.org/b/139327>

                Reviewed by Michael Saboff.

                The code generator and runtime slow paths expect otherwise. This patch fixes
                CFA to match the code generator's expectation.

                * dfg/DFGArrayMode.h:
                (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
                (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):

2015-01-20  Babak Shafiei  <bshafiei@apple.com>

        Merge r171691.

        2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

                REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
                https://bugs.webkit.org/show_bug.cgi?id=135322

                Reviewed by Oliver Hunt.

                The prototype chain of the JSProxy object should match that of the JSGlobalObject.

                This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
                account for JSProxies. I also audited the rest of the C API to check that we correctly
                handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
                and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
                passed a JSProxy.

                I also added some new tests for these cases.

                * API/JSObjectRef.cpp:
                (JSObjectSetPrototype):
                (JSObjectGetPrivateProperty):
                (JSObjectSetPrivateProperty):
                (JSObjectDeletePrivateProperty):
                * API/JSWeakObjectMapRefPrivate.cpp:
                * API/tests/CustomGlobalObjectClassTest.c:
                (globalObjectSetPrototypeTest):
                (globalObjectPrivatePropertyTest):
                * API/tests/CustomGlobalObjectClassTest.h:
                * API/tests/testapi.c:
                (main):

2015-01-11  Mark Lam  <mark.lam@apple.com>

        Update WebKit branch to build with newer LLVM.
        <https://webkit.org/b/140341>

        Reviewed by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        - Add the ability to pick up LLVM_LIBS_iphoneos from AspenLLVM.xcconfig.
        * llvm/LLVMAPIFunctions.h:
        - Removed some erroneous and unused APIs.
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):
        - Removed an unneeded option that is also not supported by the new LLVM.

2014-12-10  Babak Shafiei  <bshafiei@apple.com>

        Merge r176803.

        2014-12-04  Oliver Hunt  <oliver@apple.com>

                Serialization of MapData object provides unsafe access to internal types
                https://bugs.webkit.org/show_bug.cgi?id=138653

                Reviewed by Geoffrey Garen.

                Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
                that despite trying hard to be safe in all cases it's simply too easy
                to use an iterator in an unsafe state.

                * runtime/MapData.h:
                (JSC::MapData::const_iterator::key):
                (JSC::MapData::const_iterator::value):

2014-09-15  Babak Shafiei  <bshafiei@apple.com>

        <rdar://problem/18327341> Disable Web Timing on this branch.

        Reviewed originally by Sam Weinig.

        Disable:
        - WEB_TIMING

        * Configurations/FeatureDefines.xcconfig:

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge patch for <rdar://problem/17887398>.

        2014-07-30  Filip Pizlo  <fpizlo@apple.com>

                NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
                https://bugs.webkit.org/show_bug.cgi?id=135430

                Reviewed by Mark Hahnenberg.

                * dfg/DFGAbstractInterpreterInlines.h:
                (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
                * tests/stress/new-function-expression-has-structures.js: Added.
                (foo.f):
                (foo.f.prototype.f):
                (foo):

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge r171949.

        2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

                URTBF after r171946 to fix non-Apple builds.

                * bytecode/InlineCallFrameSet.cpp:

2014-08-03  Babak Shafiei  <bshafiei@apple.com>

        Merge r171946.

        2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

                CodeBlock fails to visit the Executables of its InlineCallFrames
                https://bugs.webkit.org/show_bug.cgi?id=135471

                Reviewed by Geoffrey Garen.

                CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
                can be prematurely collected and cause crashes.

                * bytecode/CodeBlock.cpp:
                (JSC::CodeBlock::stronglyVisitStrongReferences):
                * bytecode/CodeOrigin.h:
                (JSC::InlineCallFrame::visitAggregate):
                * bytecode/InlineCallFrameSet.cpp:
                (JSC::InlineCallFrameSet::visitAggregate):
                * bytecode/InlineCallFrameSet.h:

2014-07-29  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r171689. <rdar://problem/17844890>

        2014-07-28  Filip Pizlo  <fpizlo@apple.com>

                Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
                https://bugs.webkit.org/show_bug.cgi?id=135350
                <rdar://problem/17509889>

                Reviewed by Mark Hahnenberg and Oliver Hunt.

                If we have an exiting node that uses a conversion node, then that exiting node
                needs to have a Phantom after it for the original node. But we can't do that
                for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

                * dfg/DFGFixupPhase.cpp:
                (JSC::DFG::FixupPhase::fixupNode):
                (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
                * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
                (foo):
                (test):
                * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
                (foo):
                (test):

8322014-07-29 Matthew Hanson <matthew_hanson@apple.com>
833
834 Merge r171688. <rdar://problem/17364180>
835
836 2014-07-28 Joseph Pecoraro <pecoraro@apple.com>
837
838 JSContext Inspector: crash when using step-into
839 https://bugs.webkit.org/show_bug.cgi?id=135345
840
841 Reviewed by Timothy Hatcher.
842
843 * inspector/agents/InspectorDebuggerAgent.cpp:
844 (Inspector::InspectorDebuggerAgent::stepInto):
845 Null check m_listener since it may not be set.
846
8472014-07-25 Lucas Forschler <lforschler@apple.com>
848
849 Merge r171578
850
851 2014-07-24 Brent Fulgham <bfulgham@apple.com>
852
853 [Win] Correct build order in JavaScriptCore.submit.sln
854 https://bugs.webkit.org/show_bug.cgi?id=135282
855 <rdar://problem/17805592>
856
857 Unreviewed build fix.
858
859 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
860 such that LLIntDesiredOffset is built prior to the rest of JSC.
861
8622014-07-24 Lucas Forschler <lforschler@apple.com>
863
864 Merge r171564
865
866 2014-07-24 Mark Lam <mark.lam@apple.com>
867
868 JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
869 <https://webkit.org/b/135258>
870
871 Reviewed by Mark Hahnenberg.
872
873 Where needed, we cache the prototype object pointer in a stack local var.
874 This allows it to be scanned by the GC, and hence be kept alive until
875 we use it. The constructor object will in turn be kept alive by the
876 prototype object.
877
878 Also added some comments to warn against future code additions that could
879 regress this issue.
880
881 * API/JSWrapperMap.mm:
882 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
883 (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
884 (-[JSObjCClassInfo wrapperForObject:]):
885 (-[JSObjCClassInfo constructor]):
886
8872014-07-24 Lucas Forschler <lforschler@apple.com>
888
889 Merge r171558
890
891 2014-07-24 Joseph Pecoraro <pecoraro@apple.com>
892
893 JSLock release should only modify the AtomicStringTable if it modified it in acquire
894 https://bugs.webkit.org/show_bug.cgi?id=135143
895
896 Reviewed by Darin Adler.
897
898 * runtime/JSLock.cpp:
899 (JSC::JSLock::JSLock):
900 Initialize the member variable to nullptr.
901
902 (JSC::JSLock::willDestroyVM):
903 Update style to use nullptr instead of 0.
904
905 (JSC::JSLock::willReleaseLock):
906 We should only reset the thread data's atomic string table if
907 didAcquireLock changed it. m_entryAtomicStringTable will have
908 been set by didAcquireLock if it changed, or nullptr if it didn't.
909 This way we are sure we are balanced, regardless of m_vm changes.
910
9112014-07-24 Lucas Forschler <lforschler@apple.com>
912
913 Merge r171543
914
915 2014-07-24 Mark Hahnenberg <mhahnenberg@apple.com>
916
917 Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
918 https://bugs.webkit.org/show_bug.cgi?id=135250
919
920 Reviewed by Geoffrey Garen.
921
922 JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
923 JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
924 chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
925 the JSProxy's prototype fixes the issue.
926
927 * API/JSValueRef.cpp:
928 (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
929 would claim it wasn't of the specified class, even if the target was of the specified class.
930 * API/tests/CustomGlobalObjectClassTest.c: Added.
931 (jsDoSomething):
932 (customGlobalObjectClassTest):
933 * API/tests/CustomGlobalObjectClassTest.h: Added.
934 * API/tests/testapi.c:
935 (assertTrue):
936 (main):
937 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
938 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
939 * JavaScriptCore.xcodeproj/project.pbxproj:
940 * runtime/JSGlobalObject.cpp:
941 (JSC::JSGlobalObject::resetPrototype):
942
9432014-07-24 Lucas Forschler <lforschler@apple.com>
944
945 Merge r171395
946
947 2014-07-22 Brent Fulgham <bfulgham@apple.com>
948
949 Build fix for non-clang compile.
950
951 * jsc.cpp:
952 (WTF::RuntimeArray::put): Remove incorrect return statement
953 I added.
954
9552014-07-24 Lucas Forschler <lforschler@apple.com>
956
957 Merge r171393
958
959 2014-07-22 Brent Fulgham <bfulgham@apple.com>
960
961 Build fix for non-clang compile.
962
963 * jsc.cpp:
964 (WTF::RuntimeArray::deleteProperty): Need (fake) return
965 value when NO_RETURN_DUE_TO_CRASH is not defined.
966
9672014-07-24 Lucas Forschler <lforschler@apple.com>
968
969 Merge r171390
970
971 2014-07-22 Mark Lam <mark.lam@apple.com>
972
973 Array.concat() should work on runtime arrays too.
974 <https://webkit.org/b/135179>
975
976 Reviewed by Geoffrey Garen.
977
978 * jsc.cpp:
979 (WTF::RuntimeArray::create):
980 (WTF::RuntimeArray::~RuntimeArray):
981 (WTF::RuntimeArray::destroy):
982 (WTF::RuntimeArray::getOwnPropertySlot):
983 (WTF::RuntimeArray::getOwnPropertySlotByIndex):
984 (WTF::RuntimeArray::put):
985 (WTF::RuntimeArray::deleteProperty):
986 (WTF::RuntimeArray::getLength):
987 (WTF::RuntimeArray::createPrototype):
988 (WTF::RuntimeArray::createStructure):
989 (WTF::RuntimeArray::finishCreation):
990 (WTF::RuntimeArray::RuntimeArray):
991 (WTF::RuntimeArray::lengthGetter):
992 (GlobalObject::finishCreation):
993 (functionCreateRuntimeArray):
994 - Added support to create a runtime array for testing purpose.
995 * runtime/ArrayPrototype.cpp:
996 (JSC::getLength):
997 - Added fast case for when the array object is a JSArray.
998 (JSC::arrayProtoFuncJoin):
999 - Added a needed but missing exception check.
1000 (JSC::arrayProtoFuncConcat):
1001 - Use getLength() to compute the array length instead of assuming that
1002 the array is a JSArray instance.
1003 * tests/stress/regexp-matches-array.js: Added.
1004 (testArrayConcat):
1005 * tests/stress/runtime-array.js: Added.
1006 (testArrayConcat):
1007
10082014-07-24 Lucas Forschler <lforschler@apple.com>
1009
1010 Merge r171328
1011
1012 2014-07-21 Mark Lam <mark.lam@apple.com>
1013
1014 Refactor ArrayPrototype to use getLength() and putLength() utility functions.
1015 https://bugs.webkit.org/show_bug.cgi?id=135139.
1016
1017 Reviewed by Oliver Hunt.
1018
1019 - Specialize putProperty() to putLength() because it is only used for setting
1020 the length property.
1021 - Added a getLength() utility function to get the value of the length property.
1022 - Use these getLength() and putLength() functions instead of the existing code
1023 to get and put the length property. Less code to read, easier to understand.
1024
1025 * runtime/ArrayPrototype.cpp:
1026 (JSC::getLength):
1027 (JSC::putLength):
1028 (JSC::arrayProtoFuncToString):
1029 (JSC::arrayProtoFuncToLocaleString):
1030 (JSC::arrayProtoFuncJoin):
1031 (JSC::arrayProtoFuncPop):
1032 (JSC::arrayProtoFuncPush):
1033 (JSC::arrayProtoFuncReverse):
1034 (JSC::arrayProtoFuncShift):
1035 (JSC::arrayProtoFuncSlice):
1036 (JSC::arrayProtoFuncSort):
1037 (JSC::arrayProtoFuncSplice):
1038 (JSC::arrayProtoFuncUnShift):
1039 (JSC::arrayProtoFuncReduce):
1040 (JSC::arrayProtoFuncReduceRight):
1041 (JSC::arrayProtoFuncIndexOf):
1042 (JSC::arrayProtoFuncLastIndexOf):
1043 (JSC::putProperty): Deleted.
1044
10452014-07-23 Matthew Hanson <matthew_hanson@apple.com>
1046
1047 Merge r171474 (rollout r171367 from trunk)
1048
10492014-07-23 Lucas Forschler <lforschler@apple.com>
1050
1051 Merge r171367
1052
1053 2014-07-22 Joseph Pecoraro <pecoraro@apple.com>
1054
1055 JSLock release should only modify the AtomicStringTable if it modified it in acquire
1056 https://bugs.webkit.org/show_bug.cgi?id=135143
1057
1058 Reviewed by Pratik Solanki.
1059
1060 * runtime/JSLock.cpp:
1061 (JSC::JSLock::willDestroyVM):
1062 (JSC::JSLock::willReleaseLock):
1063 Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.
1064
10652014-07-23 Lucas Forschler <lforschler@apple.com>
1066
1067 Merge r171355
1068
1069 2014-07-21 Sam Weinig <sam@webkit.org>
1070
1071 [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
1072 https://bugs.webkit.org/show_bug.cgi?id=135148
1073
1074 Reviewed by Geoffrey Garen.
1075
1076 * runtime/CommonIdentifiers.h:
1077 Add a common identifier for the string "webkit".
1078
10792014-07-23 Lucas Forschler <lforschler@apple.com>
1080
1081 Merge r171354
1082
1083 2014-07-22 Filip Pizlo <fpizlo@apple.com>
1084
1085 ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
1086 https://bugs.webkit.org/show_bug.cgi?id=135155
1087 <rdar://problem/17763909>
1088
1089 Reviewed by Oliver Hunt.
1090
1091 The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
1092 contradiction, and that this is OK. In this case, we were speculating cell on an int.
1093
1094 * dfg/DFGSpeculativeJIT64.cpp:
1095 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1096 * tests/stress/regress-135155.js: Added.
1097 (run.t.length):
1098 (run):
1099
11002014-07-22 Dana Burkart <dburkart@apple.com>
1101
1102 Merge r171228.
1103
1104 2014-07-18 Filip Pizlo <fpizlo@apple.com>
1105
1106 Fix cloop build.
1107
1108 * jsc.cpp:
1109 (jscmain):
1110
11112014-07-22 Dana Burkart <dburkart@apple.com>
1112
1113 Merge r171213.
1114
1115 2014-07-15 Filip Pizlo <fpizlo@apple.com>
1116
1117 Need ability to fuzz exception throwing
1118 https://bugs.webkit.org/show_bug.cgi?id=134945
1119 <rdar://problem/17722027>
1120
1121 Reviewed by Sam Weinig.
1122
1123 Adds the ability to instrument exception checks, and to force some random
1124 exception check to artificially throw an exception. Also adds new tests that
1125 are suitable for testing this. Note that this is closely tied to the Tools
1126 directory changes that are also part of this changeset.
1127
1128 This also fixes an activation tear-off bug that arises if we ever throw an
1129 exception from operationOptimize, or if due to some other bug it's only due
1130 to the operationOptimize exception check that we realize that there is an
1131 exception to be thrown.
1132
1133 * dfg/DFGJITCompiler.h:
1134 (JSC::DFG::JITCompiler::fastExceptionCheck):
1135 * ftl/FTLIntrinsicRepository.h:
1136 * ftl/FTLLowerDFGToLLVM.cpp:
1137 (JSC::FTL::LowerDFGToLLVM::callCheck):
1138 * interpreter/Interpreter.cpp:
1139 (JSC::unwindCallFrame):
1140 * jit/AssemblyHelpers.cpp:
1141 (JSC::AssemblyHelpers::callExceptionFuzz):
1142 (JSC::AssemblyHelpers::emitExceptionCheck):
1143 * jit/AssemblyHelpers.h:
1144 (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
1145 * jit/JIT.cpp:
1146 (JSC::JIT::privateCompileMainPass):
1147 * jit/JITOpcodes.cpp:
1148 (JSC::JIT::emit_op_enter):
1149 * jit/JITOperations.cpp:
1150 (JSC::numberOfExceptionFuzzChecks):
1151 * jit/JITOperations.h:
1152 * jsc.cpp:
1153 (jscmain):
1154 * runtime/Options.h:
1155 * runtime/TestRunnerUtils.h:
1156 * tests/exceptionFuzz.yaml: Added.
1157 * tests/exceptionFuzz: Added.
1158 * tests/exceptionFuzz/3d-cube.js: Added.
1159 * tests/exceptionFuzz/date-format-xparb.js: Added.
1160 * tests/exceptionFuzz/earley-boyer.js: Added.
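
The instrumentation described in the entry above, as an added illustration that is not part of this ChangeLog or of JavaScriptCore's code: every exception check in the code under test goes through one counting function, a first run learns how many checks execute, and the run is then replayed once per check with that check forced to throw. The callees, the "activation" object and its tear-off flag are constructed stand-ins for the activation tear-off bug the entry mentions; the names exceptionCheck, fuzzExceptions and countChecks are invented for this example.

```javascript
// Added example: a minimal exception-fuzzing harness (constructed; not JSC code).
let checkCounter = 0; // exception checks executed so far in the current run
let checkToFail = 0;  // 1-based index of the check that must throw; 0 = none

// Every exception check in the code under test calls this. It throws exactly
// when the check is the one the current fuzz iteration selected.
function exceptionCheck(site) {
  checkCounter += 1;
  if (checkCounter === checkToFail) {
    throw new Error("fuzzed exception at " + site);
  }
}

// Stand-in for an activation that must be torn off before the frame unwinds.
function makeActivation() {
  return { tornOff: false };
}

// Buggy callee: tears off its activation only on the normal return path, so
// an exception from any check leaves the activation untouched.
function buggyCallee(activation, input) {
  exceptionCheck("enter");
  let value = input * 2;
  exceptionCheck("optimize"); // analogue of the operationOptimize check
  value += 1;
  exceptionCheck("return");
  activation.tornOff = true;
  return value;
}

// Fixed callee: the tear-off runs in finally, so every exit path performs it.
function fixedCallee(activation, input) {
  try {
    exceptionCheck("enter");
    let value = input * 2;
    exceptionCheck("optimize");
    value += 1;
    exceptionCheck("return");
    return value;
  } finally {
    activation.tornOff = true;
  }
}

// One run with no forced failure, to learn how many checks the callee performs.
function countChecks(callee, input) {
  checkCounter = 0;
  checkToFail = 0;
  callee(makeActivation(), input);
  return checkCounter;
}

// Replays the callee once per check, forcing that check to throw, and returns the
// 1-based indices of the checks whose forced throw left the activation not torn off.
function fuzzExceptions(callee, input) {
  const total = countChecks(callee, input);
  const failures = [];
  for (let target = 1; target <= total; target++) {
    const activation = makeActivation();
    checkCounter = 0;
    checkToFail = target;
    let threw = false;
    try {
      callee(activation, input);
    } catch (e) {
      threw = true;
    }
    if (!threw) throw new Error("check " + target + " did not throw when forced");
    if (!activation.tornOff) failures.push(target);
  }
  checkCounter = 0;
  checkToFail = 0;
  return failures;
}

console.log("buggy callee fails at checks:", fuzzExceptions(buggyCallee, 5));
console.log("fixed callee fails at checks:", fuzzExceptions(fixedCallee, 5));
```

The harness only ever forces one check per run, which is what makes a failure attributable to a specific check site; a real implementation would select the failing check from a seed so that a reported failure can be replayed.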
1161
11622014-07-22 Dana Burkart <dburkart@apple.com>
1163
1164 Merge r171204.
1165
1166 2014-07-17 Joseph Pecoraro <pecoraro@apple.com>
1167
1168 Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html
1169
1170 Rubber-stamped by Alexey Proskuryakov.
1171
1172 Null / empty titles should be fine. Tests pass in release builds
1173 which allowed empty titles, and it looks like the LegacyProfiler
1174 stopProfiling handles empty titles as expected already.
1175
1176 * profiler/LegacyProfiler.cpp:
1177 (JSC::LegacyProfiler::startProfiling):
1178
11792014-07-22 Dana Burkart <dburkart@apple.com>
1180
1181 Merge r171190.
1182
1183 2014-07-16 Filip Pizlo <fpizlo@apple.com>
1184
1185 DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
1186 https://bugs.webkit.org/show_bug.cgi?id=134988
1187 <rdar://problem/17706349>
1188
1189 Reviewed by Oliver Hunt.
1190
1191 Luckily, we also don't need this optimization to be super powerful: the only place
1192 where it really matters is for getting rid of the redundancy between op_enter and
1193 op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
1194 two things. This change updates the store eliminator to know about only that small,
1195 obviously safe, set of nodes over which we can store-eliminate.
1196
1197 This shouldn't have any performance impact in the DFG because this optimization kicks
1198 in relatively rarely already. And once we tier up into the FTL, we get a much better
1199 store elimination over LLVM IR, so this really shouldn't matter at all.
1200
1201 The tricky part of this patch is that there is a close relative of this optimization,
1202 for uncaptured variables that got flushed. This happens for arguments to inlined calls.
1203 I make this work by splitting it into two different store eliminators.
1204
1205 Note that in the process of crafting the tests, I realized that we were incorrectly
1206 DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
1207 negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
1208 to a check node followed by the actual allocation.
1209
1210 * dfg/DFGCSEPhase.cpp:
1211 (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
1212 (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
1213 (JSC::DFG::CSEPhase::setLocalStoreElimination):
1214 (JSC::DFG::CSEPhase::performNodeCSE):
1215 (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
1216 * dfg/DFGNodeType.h:
1217 * tests/stress/capture-escape-and-throw.js: Added.
1218 (foo.f):
1219 (foo):
1220 * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
1221 (foo):
1222 (bar):
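
The NewArrayWithSize point in the entry above, as an added illustration that is not part of this ChangeLog or of the DFG: a toy IR with a dead-code elimination pass that drops any node whose result is unused, beside a pass that keeps nodes that may throw, and a small interpreter that shows the two diverge on a negative array size. The node kinds, the passes and the interpreter are constructed for this example; only the JavaScript fact that `new Array(-1)` throws a RangeError comes from the language itself.

```javascript
// Added example: why a dead node that can throw must survive DCE (constructed;
// not JSC code). Nodes are referenced by index.
function buildProgram() {
  return [
    { op: "arg" },                          // 0: the argument n
    { op: "newArrayWithSize", input: 0 },   // 1: new Array(n), result unused
    { op: "const", value: 42 },             // 2
    { op: "return", input: 2 },             // 3
  ];
}

// Node kinds that can throw even when their result is dead: allocating an
// array from a size throws RangeError for a negative or non-integer size.
function mayThrow(node) {
  return node.op === "newArrayWithSize";
}

function collectUsedInputs(nodes) {
  const used = new Set();
  nodes.forEach((n) => { if ("input" in n) used.add(n.input); });
  return used;
}

// Naive DCE: a node is kept only if it is a return or something uses it.
function naiveDCE(nodes) {
  const used = collectUsedInputs(nodes);
  return nodes.map((n, i) => (n.op === "return" || used.has(i) ? n : null));
}

// Safe DCE: a node that may throw is also kept. A real compiler could instead
// lower it to a check node followed by the allocation and keep only the check;
// keeping the allocation itself preserves the same exception behaviour.
function safeDCE(nodes) {
  const used = collectUsedInputs(nodes);
  return nodes.map((n, i) => (n.op === "return" || used.has(i) || mayThrow(n) ? n : null));
}

// Interpreter: { value } on normal completion, { error } naming the thrown type.
function run(nodes, arg) {
  const values = [];
  try {
    for (let i = 0; i < nodes.length; i++) {
      const n = nodes[i];
      if (n === null) continue; // eliminated node
      switch (n.op) {
        case "arg": values[i] = arg; break;
        case "const": values[i] = n.value; break;
        case "newArrayWithSize": values[i] = new Array(values[n.input]); break;
        case "return": return { value: values[n.input] };
      }
    }
  } catch (e) {
    return { error: e.constructor.name };
  }
  return { error: "fell off end" };
}

console.log("original, n = -1:", run(buildProgram(), -1));
console.log("naive DCE, n = -1:", run(naiveDCE(buildProgram()), -1));
console.log("safe DCE,  n = -1:", run(safeDCE(buildProgram()), -1));
```

The original program and the safely optimized one both report a RangeError for n = -1; the naively optimized one returns 42, which is exactly the observable difference the entry warns about.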
1223
12242014-07-17 Dean Jackson <dino@apple.com>
1225
1226 <rdar://problem/17675068> Disable some features on this branch.
1227
1228 Reviewed originally by Simon Fraser.
1229
1230 Disable:
1231 - CSS_EXCLUSIONS
1232 - CSS_GRID_LAYOUT
1233 - INPUT_TYPE_COLOR
1234 - INPUT_TYPE_COLOR_POPUP
1235 - CANVAS_PATH
1236 - CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
1237 - INDIE_UI
1238 - SHARED_WORKERS
1239 - NAVIGATOR_HWCONCURRENCY
1240 - GAMEPAD
1241 - PICTURE_SIZES
1242 - CSS3_CONDITIONAL_RULES
1243 - WILL_REVEAL_EDGE_EVENTS
1244
1245 * Configurations/FeatureDefines.xcconfig:
1246
12472014-07-15 Benjamin Poulain <benjamin@webkit.org>
1248
1249 Reduce the overhead of updating the AssemblerBuffer
1250 https://bugs.webkit.org/show_bug.cgi?id=134659
1251
1252 Reviewed by Gavin Barraclough.
1253
1254 In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
1255 That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
1256 there.
1257
1258 On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
1259 to get the real address of a label. That is done by reusing the memory of AssemblerData.
1260
1261 To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
1262 a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
1263 to make clang give up a bunch of optimizations.
1264
1265 This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
1266 In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.
1267
1268 Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
1269 the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
1270 specific way that would make it unusable for the Assembler.
1271
1272 -- Technical details --
1273
1274 From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
1275 into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
1276 To make this easier to work with, I changed all the assembler-specific functions to be static. This way we know
1277 exactly what code accesses the Assembler instance. The code that does access the instance is then moved
1278 to the beginning, before we modify anything.
1279
1280 The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
1281 to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
1282 to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).
1283
1284 -- Perf impact --
1285
1286 This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
1287 On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
1288 time by ~20%.
1289
1290 I could not measure any difference on x86_64.
1291
1292 * assembler/ARM64Assembler.h:
1293 (JSC::ARM64Assembler::jumpSizeDelta):
1294 (JSC::ARM64Assembler::canCompact):
1295 (JSC::ARM64Assembler::computeJumpType):
1296 (JSC::ARM64Assembler::link):
1297 (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
1298 * assembler/ARMv7Assembler.h:
1299 (JSC::ARMv7Assembler::ifThenElseConditionBit):
1300 (JSC::ARMv7Assembler::ifThenElse):
1301 (JSC::ARMv7Assembler::jumpSizeDelta):
1302 (JSC::ARMv7Assembler::canCompact):
1303 (JSC::ARMv7Assembler::computeJumpType):
1304 (JSC::ARMv7Assembler::link):
1305 (JSC::ARMv7Assembler::linkJumpT1):
1306 (JSC::ARMv7Assembler::linkJumpT3):
1307 (JSC::ARMv7Assembler::linkConditionalJumpT4):
1308 (JSC::ARMv7Assembler::linkConditionalBX):
1309 (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
1310 * assembler/AssemblerBuffer.h:
1311 (JSC::AssemblerData::AssemblerData):
1312 (JSC::AssemblerData::operator=):
1313 (JSC::AssemblerData::~AssemblerData):
1314 (JSC::AssemblerData::buffer):
1315 (JSC::AssemblerData::capacity):
1316 (JSC::AssemblerData::grow):
1317 (JSC::AssemblerBuffer::AssemblerBuffer):
1318 (JSC::AssemblerBuffer::isAvailable):
1319 (JSC::AssemblerBuffer::data):
1320 (JSC::AssemblerBuffer::releaseAssemblerData):
1321 (JSC::AssemblerBuffer::putIntegral):
1322 (JSC::AssemblerBuffer::putIntegralUnchecked):
1323 (JSC::AssemblerBuffer::append):
1324 (JSC::AssemblerBuffer::grow):
1325 (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
1326 (JSC::AssemblerBuffer::storage): Deleted.
1327 * assembler/LinkBuffer.cpp:
1328 (JSC::recordLinkOffsets):
1329 (JSC::LinkBuffer::copyCompactAndLinkCode):
1330 * assembler/LinkBuffer.h:
1331 (JSC::LinkBuffer::LinkBuffer):
1332 (JSC::LinkBuffer::executableOffsetFor):
1333 * assembler/MacroAssemblerARM64.h:
1334 (JSC::MacroAssemblerARM64::canCompact):
1335 (JSC::MacroAssemblerARM64::computeJumpType):
1336 (JSC::MacroAssemblerARM64::jumpSizeDelta):
1337 (JSC::MacroAssemblerARM64::link):
1338 (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
1339 * assembler/MacroAssemblerARMv7.h:
1340 (JSC::MacroAssemblerARMv7::canCompact):
1341 (JSC::MacroAssemblerARMv7::computeJumpType):
1342 (JSC::MacroAssemblerARMv7::jumpSizeDelta):
1343 (JSC::MacroAssemblerARMv7::link):
1344 (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.
1345
13462014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>
1347
1348 Stores to PropertyTable use the Structure as the owner
1349 https://bugs.webkit.org/show_bug.cgi?id=134595
1350
1351 Reviewed by Darin Adler.
1352
1353 Since PropertyTable is the object that does the marking of these references, it should be the owner.
1354
1355 Also removed some unused parameters to other methods that historically used the Structure as the owner.
1356
1357 * runtime/JSPropertyNameIterator.h:
1358 (JSC::StructureRareData::setEnumerationCache):
1359 * runtime/ObjectPrototype.cpp:
1360 (JSC::objectProtoFuncToString):
1361 * runtime/PropertyMapHashTable.h:
1362 (JSC::PropertyTable::copy):
1363 * runtime/PropertyTable.cpp:
1364 (JSC::PropertyTable::clone):
1365 (JSC::PropertyTable::PropertyTable):
1366 * runtime/Structure.cpp:
1367 (JSC::Structure::Structure):
1368 (JSC::Structure::materializePropertyMap):
1369 (JSC::Structure::addPropertyTransition):
1370 (JSC::Structure::changePrototypeTransition):
1371 (JSC::Structure::despecifyFunctionTransition):
1372 (JSC::Structure::attributeChangeTransition):
1373 (JSC::Structure::toDictionaryTransition):
1374 (JSC::Structure::preventExtensionsTransition):
1375 (JSC::Structure::takePropertyTableOrCloneIfPinned):
1376 (JSC::Structure::nonPropertyTransition):
1377 (JSC::Structure::copyPropertyTable):
1378 (JSC::Structure::copyPropertyTableForPinning):
1379 (JSC::Structure::putSpecificValue):
1380 * runtime/Structure.h:
1381 (JSC::Structure::setObjectToStringValue):
1382 (JSC::Structure::setPreviousID):
1383 * runtime/StructureInlines.h:
1384 (JSC::Structure::setEnumerationCache):
1385 * runtime/StructureRareData.h:
1386 * runtime/StructureRareDataInlines.h:
1387 (JSC::StructureRareData::setPreviousID):
1388 (JSC::StructureRareData::setObjectToStringValue):
1389
13902014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>
1391
1392 ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
1393 https://bugs.webkit.org/show_bug.cgi?id=134928
1394
1395 Reviewed by Andreas Kling.
1396
1397 * bytecode/CodeBlock.h:
1398 (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.
1399
14002014-07-15 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
1401
1402 Buildfix if LLINT_SLOW_PATH_TRACING is enabled
1403 https://bugs.webkit.org/show_bug.cgi?id=133790
1404
1405 Reviewed by Mark Lam.
1406
1407 * llint/LLIntSlowPaths.cpp:
1408 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1409
14102014-07-14 Filip Pizlo <fpizlo@apple.com>
1411
1412 Allow for Int52Rep to see things other than Int32, and make this testable
1413 https://bugs.webkit.org/show_bug.cgi?id=134873
1414 <rdar://problem/17641915>
1415
1416 Reviewed by Geoffrey Garen and Mark Hahnenberg.
1417
1418 A major premise of our type inference is that prediction propagation can say whatever it
1419 wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
1420 We required some kind of agreement between prediction propagation and fixup over which
1421 data flow paths were Int52 and which weren't.
1422
1423 It turns out that we basically had such an agreement, with the exception of code that was
1424 unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
1425 might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
1426 be a bug! Normally, we allow sloppiness in prediction propagation.
1427
1428 This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
1429 ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
1430 int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
1431 empowered Int52Rep is actually correct - in case we end up using it on paths other than
1432 ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
1433 us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
1434 this intrinsic. This means that we're now stressing Int52Rep more so than ever before!
1435
1436 Note that it would still be a bug for prediction propagation to ever cause us to create an
1437 Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
1438 a crash bug.
1439
1440 * dfg/DFGAbstractInterpreterInlines.h:
1441 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1442 * dfg/DFGAbstractValue.cpp:
1443 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
1444 * dfg/DFGByteCodeParser.cpp:
1445 (JSC::DFG::ByteCodeParser::handleIntrinsic):
1446 * dfg/DFGClobberize.h:
1447 (JSC::DFG::clobberize):
1448 * dfg/DFGFixupPhase.cpp:
1449 (JSC::DFG::FixupPhase::fixupNode):
1450 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
1451 * dfg/DFGGraph.h:
1452 (JSC::DFG::Graph::isMachineIntConstant):
1453 * dfg/DFGNode.h:
1454 (JSC::DFG::Node::isMachineIntConstant):
1455 * dfg/DFGNodeType.h:
1456 * dfg/DFGOperations.cpp:
1457 * dfg/DFGOperations.h:
1458 * dfg/DFGPredictionPropagationPhase.cpp:
1459 (JSC::DFG::PredictionPropagationPhase::propagate):
1460 * dfg/DFGSafeToExecute.h:
1461 (JSC::DFG::SafeToExecuteEdge::operator()):
1462 (JSC::DFG::safeToExecute):
1463 * dfg/DFGSpeculativeJIT.cpp:
1464 (JSC::DFG::SpeculativeJIT::speculate):
1465 * dfg/DFGSpeculativeJIT.h:
1466 (JSC::DFG::SpeculativeJIT::callOperation):
1467 * dfg/DFGSpeculativeJIT32_64.cpp:
1468 (JSC::DFG::SpeculativeJIT::compile):
1469 * dfg/DFGSpeculativeJIT64.cpp:
1470 (JSC::DFG::SpeculativeJIT::compile):
1471 (JSC::DFG::SpeculativeJIT::convertMachineInt):
1472 (JSC::DFG::SpeculativeJIT::speculateMachineInt):
1473 (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
1474 * dfg/DFGStrengthReductionPhase.cpp:
1475 (JSC::DFG::StrengthReductionPhase::handleNode):
1476 * dfg/DFGUseKind.cpp:
1477 (WTF::printInternal):
1478 * dfg/DFGUseKind.h:
1479 (JSC::DFG::typeFilterFor):
1480 (JSC::DFG::isNumerical):
1481 (JSC::DFG::isDouble):
1482 * dfg/DFGValidate.cpp:
1483 (JSC::DFG::Validate::validate):
1484 * ftl/FTLCapabilities.cpp:
1485 (JSC::FTL::canCompile):
1486 * ftl/FTLIntrinsicRepository.h:
1487 * ftl/FTLLowerDFGToLLVM.cpp:
1488 (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
1489 (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
1490 (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
1491 (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
1492 (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
1493 (JSC::FTL::LowerDFGToLLVM::speculate):
1494 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
1495 (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
1496 * jit/JITOperations.h:
1497 * jsc.cpp:
1498 (GlobalObject::finishCreation):
1499 (functionIdentity):
1500 * runtime/Intrinsic.h:
1501 * runtime/JSCJSValue.h:
1502 * runtime/JSCJSValueInlines.h:
1503 (JSC::tryConvertToInt52):
1504 (JSC::isInt52):
1505 (JSC::JSValue::isMachineInt):
1506 * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
1507 (foo):
1508 * tests/stress/dead-fiat-double-to-int52.js: Added.
1509 (foo):
1510 * tests/stress/dead-fiat-int32-to-int52.js: Added.
1511 (foo):
1512 * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
1513 (foo):
1514 (bar):
1515 * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
1516 (foo):
1517 (bar):
1518 * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
1519 (foo):
1520 (bar):
1521 * tests/stress/dead-fiat-value-to-int52.js: Added.
1522 (foo):
1523 (bar):
1524 * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
1525 (foo):
1526 * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
1527 (foo):
1528 * tests/stress/fiat-double-to-int52-then-fold.js: Added.
1529 (foo):
1530 * tests/stress/fiat-double-to-int52.js: Added.
1531 (foo):
1532 * tests/stress/fiat-int32-to-int52.js: Added.
1533 (foo):
1534 * tests/stress/fiat-value-to-int52-double-path.js: Added.
1535 (foo):
1536 (bar):
1537 * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
1538 (foo):
1539 (bar):
1540 * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
1541 (foo):
1542 (bar):
1543 * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
1544 (foo):
1545 * tests/stress/fiat-value-to-int52-then-fold.js: Added.
1546 (foo):
1547 * tests/stress/fiat-value-to-int52.js: Added.
1548 (foo):
1549 (bar):
1550 * tests/stress/int52-force-osr-exit-path.js: Added.
1551 (foo):
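
The conversion rules behind the entry above, as an added illustration that is not part of this ChangeLog or of JavaScriptCore's code: a tryConvertToInt52 stand-in that enforces the range and exactness checks a 52-bit integer representation needs (integral, within [-2^51, 2^51), not NaN, not negative zero; these are the rules assumed here, modelled on the shape of the real helper), an Int52Rep stand-in that, as the entry describes, accepts Int32, double and untyped inputs and reports an exit instead of failing, and a fiatInt52 stand-in that forces the conversion. The UseKind names and exit reasons are invented for this example.

```javascript
// Added example: Int52 conversion edge cases and an Int52Rep model that tolerates
// any input (constructed; not JSC code). JS numbers are exact in the Int52 range,
// so the checks can run directly on the double.
const INT52_MIN = -(2 ** 51);
const INT52_MAX_EXCLUSIVE = 2 ** 51;

// Returns the Int52 value of a number, or null when it has none.
function tryConvertToInt52(number) {
  if (typeof number !== "number" || Number.isNaN(number)) return null;
  if (!Number.isInteger(number)) return null;       // rejects fractions and +/-Infinity
  if (number < INT52_MIN || number >= INT52_MAX_EXCLUSIVE) return null;
  if (Object.is(number, -0)) return null;           // -0 has no integer encoding
  return number;
}

// The input "use kind" fixup chose for the node: known Int32, known double,
// or an arbitrary JS value.
const UseKind = { Int32: "Int32", DoubleRep: "DoubleRep", Untyped: "Untyped" };

// Int52Rep model: { value } when the conversion succeeds, { exit } naming the
// failed speculation otherwise. An Int32 input can never exit; the other two
// can, which is what makes a wrong prediction a performance bug, not a crash.
function int52Rep(useKind, input) {
  switch (useKind) {
    case UseKind.Int32:
      return { value: input | 0 }; // already inside the Int52 range
    case UseKind.DoubleRep: {
      const v = tryConvertToInt52(input);
      return v === null ? { exit: "DoubleRepMachineInt" } : { value: v };
    }
    case UseKind.Untyped: {
      if (typeof input !== "number") return { exit: "MachineInt: not a number" };
      const v = tryConvertToInt52(input);
      return v === null ? { exit: "MachineInt: not an int52" } : { value: v };
    }
  }
  throw new Error("unknown use kind " + useKind);
}

// fiatInt52 stand-in: forces an Int52 conversion with untyped rules and behaves
// as the identity function either way. When conversion is impossible the node
// would exit to a lower tier; the program still observes the original value.
function fiatInt52(value) {
  const r = int52Rep(UseKind.Untyped, value);
  return "value" in r ? r.value : value;
}

// Boundary cases worth knowing when reading the fiat-*-int52 tests.
const samples = [2 ** 51 - 1, 2 ** 51, -(2 ** 51), -0, 1.5, NaN, Infinity, "7"];
for (const s of samples) {
  console.log(String(s).padStart(18), "->", int52Rep(UseKind.Untyped, s));
}
```

Note that 2^51 - 1 converts while 2^51 does not, and that -0 is rejected even though Number.isInteger(-0) is true; those are the two cases a hand-written range check most often gets wrong.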
1552
15532014-07-14 Mark Hahnenberg <mhahnenberg@apple.com>
1554
1555 Flattening dictionaries with oversize backing stores can cause crashes
1556 https://bugs.webkit.org/show_bug.cgi?id=134906
1557
1558 Reviewed by Filip Pizlo.
1559
1560 The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
1561 of the CopiedBlock header. This was always the case except for when flattening a dictionary
1562 caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
1563 Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
1564 would no longer be within the first 32 KB of the CopiedBlock and the next collection would
1565 choke on the Butterfly pointer.
1566
1567 This patch fixes this issue by detecting this situation during flattening and memmove-ing
1568 the Butterfly down to where the old base was.
1569
1570 * runtime/JSObject.cpp:
1571 (JSC::JSObject::shiftButterflyAfterFlattening):
1572 * runtime/JSObject.h:
1573 (JSC::JSObject::butterflyPreCapacity):
1574 (JSC::JSObject::butterflyTotalSize):
1575 * runtime/Structure.cpp:
1576 (JSC::Structure::flattenDictionaryStructure):
1577 * tests/stress/flatten-oversize-dictionary-object.js: Added.
1578 (foo):
1579
15802014-07-14 Benjamin Poulain <benjamin@webkit.org>
1581
1582 Remove some dead code from FTLJITFinalizer
1583 https://bugs.webkit.org/show_bug.cgi?id=134874
1584
1585 Reviewed by Geoffrey Garen.
1586
1587 Not sure what that code was for...but it does not do anything :)
1588
1589 * ftl/FTLJITFinalizer.cpp:
1590 (JSC::FTL::JITFinalizer::finalizeFunction):
1591 The pointer of the label is computed but never used.
1592
1593 * ftl/FTLJITFinalizer.h:
1594 * ftl/FTLLink.cpp:
1595 (JSC::FTL::link):
1596 The label is never set to anything.
1597
15982014-07-14 Bear Travis <betravis@adobe.com>
1599
1600 [Feature Queries] Enable Feature Queries on Mac
1601 https://bugs.webkit.org/show_bug.cgi?id=134404
1602
1603 Reviewed by Antti Koivisto.
1604
1605 Enable Feature Queries on Mac and resume running the
1606 feature tests.
1607
1608 * Configurations/FeatureDefines.xcconfig: Turn on
1609 ENABLE_CSS3_CONDITIONAL_RULES.
1610
16112014-07-11 Joseph Pecoraro <pecoraro@apple.com>
1612
1613 Web Inspector: Debugger Pause button does not work
1614 https://bugs.webkit.org/show_bug.cgi?id=134785
1615
1616 Reviewed by Timothy Hatcher.
1617
1618 * CMakeLists.txt:
1619 * DerivedSources.make:
1620 Minification strips the sourceURL command. Add it back with minification.
1621
16222014-07-11 peavo@outlook.com <peavo@outlook.com>
1623
1624 [Win] Enable DFG JIT.
1625 https://bugs.webkit.org/show_bug.cgi?id=123615
1626
1627 Reviewed by Mark Lam.
1628
1629 When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
1630 the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
1631 Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
1632 since the register allocation differs on 64-bit Windows.
1633
1634 * assembler/MacroAssemblerX86_64.h:
1635 (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
1636 * jit/CCallHelpers.h:
1637 (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
1638 (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
1639 * jit/JIT.h:
1640 (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
1641 * jit/JITInlines.h:
1642 (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
1643 (JSC::JIT::callOperation): Call new method.
1644
16452014-07-09 Benjamin Poulain <benjamin@webkit.org>
1646
1647 Use 16-bit instructions for push/pop on ARMv7 when possible
1648 https://bugs.webkit.org/show_bug.cgi?id=134753
1649
1650 Reviewed by Geoffrey Garen.
1651
1652 The patch r170839 mixed the code for push/pop pair and single push/pop.
1653 That part was reverted in r170909.
1654
1655 This patch puts the code back but specialized for single push/pop.
1656
1657 * assembler/ARMv7Assembler.h:
1658 (JSC::ARMv7Assembler::pop):
1659 (JSC::ARMv7Assembler::push):
1660 * assembler/MacroAssemblerARMv7.h:
1661 (JSC::MacroAssemblerARMv7::pop):
1662 (JSC::MacroAssemblerARMv7::push):
1663
16642014-07-09 Brent Fulgham <bfulgham@apple.com>
1665
1666 [Win] Remove uses of 'bash' in build system
1667 https://bugs.webkit.org/show_bug.cgi?id=134782
1668 <rdar://problem/17615533>
1669
1670 Reviewed by Dean Jackson.
1671
1672 Remove uses of 'bash' by replacing Windows-specific bash scripts
1673 with Perl equivalents.
1674
1675 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1676 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1677 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
1678 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1679 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1680 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1681 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
1682 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
1683 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1684 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1685 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
1686 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
1687 * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
1688 * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
1689 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1690 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1691 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1692
1693 2014-07-09 Brent Fulgham <bfulgham@apple.com>
1694
1695 [Win] Remove use of 'grep' in build steps
1696 https://bugs.webkit.org/show_bug.cgi?id=134770
1697 <rdar://problem/17608783>
1698
1699 Reviewed by Tim Horton.
1700
1701 Replace uses of the grep command in Windows builds with the equivalent
1702 Perl program.
1703
1704 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1705 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1706 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1707 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1708
1709 2014-07-08 Benjamin Poulain <benjamin@webkit.org>
1710
1711 Restore the assertion changed with 170839
1712
1713 * assembler/ARMv7Assembler.h:
1714 (JSC::ARMv7Assembler::pop):
1715 (JSC::ARMv7Assembler::push):
1716 Revert the Assembler part of 170839. The assertions do not match both encodings.
1717
1718 I'll add specific version of push and pop instead.
1719
1720 2014-07-08 Jon Honeycutt <jhoneycutt@apple.com>
1721
1722 RemoteInspector::shared() should not call WTF::initializeMainThread()
1723 <https://bugs.webkit.org/show_bug.cgi?id=134747>
1724 <rdar://problem/17161482>
1725
1726 Reviewed by Joseph Pecoraro.
1727
1728 * inspector/remote/RemoteInspector.mm:
1729 (Inspector::RemoteInspector::shared):
1730 Don't call WTF::initializeMainThread(). WTF threading is initialized by
1731 JSC::initializeThreading().
1732
1733 2014-07-08 Andreas Kling <akling@apple.com>
1734
1735 VM::lastCachedString should be a Strong, not a Weak.
1736 <https://webkit.org/b/134746>
1737
1738 Using Weak<JSString> for this regressed some of our bindings perf tests
1739 due to Weak having to allocate a new WeakImpl every time the last cached
1740 string changed. Making it a Strong instead should make that problem go away.
1741
1742 Reviewed by Geoffrey Garen.
1743
1744 * runtime/JSString.cpp:
1745 (JSC::jsStringWithCacheSlowCase):
1746 * runtime/VM.h:
1747
1748 2014-07-07 Benjamin Poulain <bpoulain@apple.com>
1749
1750 Fix the build after r170876
1751
1752 * assembler/LinkBuffer.cpp:
1753 (JSC::LinkBuffer::linkCode):
1754
1755 2014-07-07 Benjamin Poulain <benjamin@webkit.org>
1756
1757 LinkBuffer should not keep a reference to the MacroAssembler
1758 https://bugs.webkit.org/show_bug.cgi?id=134668
1759
1760 Reviewed by Geoffrey Garen.
1761
1762 In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
1763 When that happens, the pointer m_assembler points to released memory. That was not causing
1764 issues because the attribute is not used after linking, but that was not particularly
1765 future proof.
1766
1767 This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
1768 as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.
1769
1770 While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
1771 everywhere. I refactored some #include to avoid that.
1772
1773 * assembler/LinkBuffer.cpp:
1774 (JSC::LinkBuffer::copyCompactAndLinkCode):
1775 (JSC::LinkBuffer::linkCode):
1776 * assembler/LinkBuffer.h:
1777 (JSC::LinkBuffer::LinkBuffer):
1778 * bytecode/Watchpoint.cpp:
1779 * dfg/DFGDisassembler.cpp:
1780 * dfg/DFGDisassembler.h:
1781 * dfg/DFGJITCompiler.cpp:
1782 (JSC::DFG::JITCompiler::link):
1783 (JSC::DFG::JITCompiler::linkFunction):
1784 * dfg/DFGOSRExitCompiler.cpp:
1785 * dfg/DFGPlan.cpp:
1786 * dfg/DFGThunks.cpp:
1787 (JSC::DFG::osrExitGenerationThunkGenerator):
1788 (JSC::DFG::osrEntryThunkGenerator):
1789 * ftl/FTLCompile.cpp:
1790 (JSC::FTL::generateICFastPath):
1791 (JSC::FTL::fixFunctionBasedOnStackMaps):
1792 * ftl/FTLJSCall.cpp:
1793 * ftl/FTLJSCall.h:
1794 * ftl/FTLLink.cpp:
1795 (JSC::FTL::link):
1796 * ftl/FTLLowerDFGToLLVM.cpp:
1797 * ftl/FTLOSRExitCompiler.cpp:
1798 (JSC::FTL::compileStub):
1799 * ftl/FTLThunks.cpp:
1800 (JSC::FTL::osrExitGenerationThunkGenerator):
1801 (JSC::FTL::slowPathCallThunkGenerator):
1802 * jit/ArityCheckFailReturnThunks.cpp:
1803 (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1804 * jit/JIT.cpp:
1805 (JSC::JIT::privateCompile):
1806 * jit/JITCall.cpp:
1807 (JSC::JIT::privateCompileClosureCall):
1808 * jit/JITCall32_64.cpp:
1809 (JSC::JIT::privateCompileClosureCall):
1810 * jit/JITDisassembler.cpp:
1811 * jit/JITDisassembler.h:
1812 * jit/JITOpcodes.cpp:
1813 * jit/JITPropertyAccess.cpp:
1814 (JSC::JIT::stringGetByValStubGenerator):
1815 (JSC::JIT::privateCompileGetByVal):
1816 (JSC::JIT::privateCompilePutByVal):
1817 * jit/JITPropertyAccess32_64.cpp:
1818 (JSC::JIT::stringGetByValStubGenerator):
1819 * jit/RegisterPreservationWrapperGenerator.cpp:
1820 (JSC::generateRegisterPreservationWrapper):
1821 (JSC::registerRestorationThunkGenerator):
1822 * jit/Repatch.cpp:
1823 (JSC::generateByIdStub):
1824 (JSC::tryCacheGetByID):
1825 (JSC::emitPutReplaceStub):
1826 (JSC::emitPutTransitionStub):
1827 (JSC::tryRepatchIn):
1828 (JSC::linkClosureCall):
1829 * jit/SpecializedThunkJIT.h:
1830 (JSC::SpecializedThunkJIT::finalize):
1831 * jit/ThunkGenerators.cpp:
1832 (JSC::throwExceptionFromCallSlowPathGenerator):
1833 (JSC::linkForThunkGenerator):
1834 (JSC::linkClosureCallForThunkGenerator):
1835 (JSC::virtualForThunkGenerator):
1836 (JSC::nativeForGenerator):
1837 (JSC::arityFixup):
1838 * llint/LLIntThunks.cpp:
1839 (JSC::LLInt::generateThunkWithJumpTo):
1840 * yarr/YarrJIT.cpp:
1841 (JSC::Yarr::YarrGenerator::compile):
1842
1843 2014-07-07 Andreas Kling <akling@apple.com>
1844
1845 Fast path for jsStringWithCache() when asked for the same string repeatedly.
1846 <https://webkit.org/b/134635>
1847
1848 Reviewed by Darin Adler.
1849
1850 Follow-up to r170818 addressing a review comment by Geoff Garen.
1851
1852 * runtime/JSString.cpp:
1853 (JSC::jsStringWithCacheSlowCase):
1854
1855 2014-07-07 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
1856
1857 Add missing ENABLE(FTL_JIT) guards
1858 https://bugs.webkit.org/show_bug.cgi?id=134680
1859
1860 Reviewed by Darin Adler.
1861
1862 * ftl/FTLDWARFDebugLineInfo.cpp:
1863 * ftl/FTLDWARFDebugLineInfo.h:
1864 * ftl/FTLGeneratedFunction.h:
1865
1866 2014-07-07 Zan Dobersek <zdobersek@igalia.com>
1867
1868 Enable ARMv7 disassembler for the GTK port
1869 https://bugs.webkit.org/show_bug.cgi?id=134676
1870
1871 Reviewed by Benjamin Poulain.
1872
1873 * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
1874 * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
1875
1876 2014-07-06 Benjamin Poulain <benjamin@webkit.org>
1877
1878 [ARMv7] Use 16 bits instructions for push/pop when possible
1879 https://bugs.webkit.org/show_bug.cgi?id=134656
1880
1881 Reviewed by Andreas Kling.
1882
1883 * assembler/ARMv7Assembler.h:
1884 (JSC::ARMv7Assembler::pop):
1885 (JSC::ARMv7Assembler::push):
1886 (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
1887 Add the 16 bits version of push and pop.
1888
1889 * assembler/MacroAssemblerARMv7.h:
1890 (JSC::MacroAssemblerARMv7::pop):
1891 (JSC::MacroAssemblerARMv7::push):
1892 Use the new push/pop instead of a regular load/store.
1893
1894 * disassembler/ARMv7/ARMv7DOpcode.cpp:
1895 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
1896 * disassembler/ARMv7/ARMv7DOpcode.h:
1897 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
1898 Fix the disassembler for push/pop:
1899 -The register mask was on 7 bits for some reason.
1900 -The code printing the registers was comparing a register ID with a register
1901 mask.
1902
1903 2014-07-06 Yoav Weiss <yoav@yoav.ws>
1904
1905 Turn on img@sizes compile flag
1906 https://bugs.webkit.org/show_bug.cgi?id=134634
1907
1908 Reviewed by Benjamin Poulain.
1909
1910 * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
1911
1912 2014-07-06 Daewoong Jang <daewoong.jang@navercorp.com>
1913
1914 Flags value of SourceCodeKey should be unique for each case.
1915 https://bugs.webkit.org/show_bug.cgi?id=134435
1916
1917 Reviewed by Darin Adler.
1918
1919 Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
1920 the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
1921 Shift the value of CodeType one bit farther to the left so those values don't overlap.
1922
1923 * runtime/CodeCache.h:
1924 (JSC::SourceCodeKey::SourceCodeKey):
1925
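The key aliasing described in the entry above, as an added example that is not JavaScriptCore's own code: the enumerator values (three CodeType values, three JSParserStrictness values) and the packing (strictness in the low bits, CodeType shifted above it, with the shift widened by one bit in the fix) are assumptions taken from the entry's description. Two different (CodeType, strictness) requests that hash to the same m_flags would share one code-cache entry, so the check below enumerates every combination and counts how many distinct keys survive.

```cpp
#include <cstddef>
#include <set>

// Assumed enumerators (not quoted in the entry): three code types and three
// parser strictness modes, so each needs two bits.
enum CodeType { GlobalCode = 0, EvalCode = 1, FunctionCode = 2 };
enum JSParserStrictness { JSParseNormal = 0, JSParseStrict = 1, JSParseBuiltin = 2 };

// Pack the two values the way the entry describes: strictness in the low bits,
// CodeType shifted left by codeTypeShift. A shift of 1 leaves a single bit for
// strictness (too few for JSParseBuiltin = 2); a shift of 2 leaves two bits.
unsigned packFlags(CodeType codeType, JSParserStrictness strictness, unsigned codeTypeShift)
{
    return (static_cast<unsigned>(codeType) << codeTypeShift) | static_cast<unsigned>(strictness);
}

// Count the distinct flag values produced by all 3x3 combinations. Nine means
// every (CodeType, strictness) pair gets its own cache key; fewer means two
// different compilation requests alias the same key.
std::size_t distinctFlagValues(unsigned codeTypeShift)
{
    const CodeType codeTypes[] = { GlobalCode, EvalCode, FunctionCode };
    const JSParserStrictness modes[] = { JSParseNormal, JSParseStrict, JSParseBuiltin };
    std::set<unsigned> seen;
    for (CodeType codeType : codeTypes) {
        for (JSParserStrictness mode : modes)
            seen.insert(packFlags(codeType, mode, codeTypeShift));
    }
    return seen.size();
}

// One concrete collision: with the narrow shift, an eval in normal mode and a
// global program in builtin mode produce the identical key.
bool evalNormalAliasesGlobalBuiltin(unsigned codeTypeShift)
{
    return packFlags(EvalCode, JSParseNormal, codeTypeShift)
        == packFlags(GlobalCode, JSParseBuiltin, codeTypeShift);
}

// The invariant the fix restores: no CodeType bit may overlap a strictness bit,
// i.e. the largest strictness value must fit entirely below the shift.
bool shiftIsCollisionFree(unsigned codeTypeShift)
{
    const unsigned maxStrictness = static_cast<unsigned>(JSParseBuiltin);
    return (maxStrictness >> codeTypeShift) == 0;
}
```
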
1926 2014-07-04 Andreas Kling <akling@apple.com>
1927
1928 Fast path for jsStringWithCache() when asked for the same string repeatedly.
1929 <https://webkit.org/b/134635>
1930
1931 Also moved the whole thing from WebCore to JavaScriptCore since it
1932 makes more sense here, and inlined the lightweight checks, leaving only
1933 the hashmap stuff out of line.
1934
1935 Reviewed by Darin Adler.
1936
1937 * runtime/JSString.cpp:
1938 (JSC::jsStringWithCacheSlowCase):
1939 * runtime/JSString.h:
1940 (JSC::jsStringWithCache):
1941 * runtime/VM.h:
1942
1943 2014-07-03 Daniel Bates <dabates@apple.com>
1944
1945 Add WTF::move()
1946 https://bugs.webkit.org/show_bug.cgi?id=134500
1947
1948 Rubber-stamped by Anders Carlsson.
1949
1950 Substitute WTF::move() for std::move().
1951
1952 * bytecode/CodeBlock.h:
1953 * bytecode/UnlinkedCodeBlock.cpp:
1954 * bytecompiler/BytecodeGenerator.cpp:
1955 * dfg/DFGGraph.cpp:
1956 * dfg/DFGJITCompiler.cpp:
1957 * dfg/DFGStackLayoutPhase.cpp:
1958 * dfg/DFGWorklist.cpp:
1959 * heap/DelayedReleaseScope.h:
1960 * heap/HeapInlines.h:
1961 [...]
1962
1963 2014-07-03 Filip Pizlo <fpizlo@apple.com>
1964
1965 SSA DCE should process blocks in forward order
1966 https://bugs.webkit.org/show_bug.cgi?id=134611
1967
1968 Reviewed by Andreas Kling.
1969
1970 * dfg/DFGDCEPhase.cpp:
1971 (JSC::DFG::DCEPhase::run):
1972 * ftl/FTLLowerDFGToLLVM.cpp:
1973 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1974 * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
1975 (foo):
1976
1977 2014-07-03 Filip Pizlo <fpizlo@apple.com>
1978
1979 JSActivation::symbolTablePut() should invalidate variable watchpoints
1980 https://bugs.webkit.org/show_bug.cgi?id=134602
1981
1982 Reviewed by Oliver Hunt.
1983
1984 Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
1985 during linking - we essentially assume that if it's at all possible for an inner function to store to a
1986 variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
1987 JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
1988 JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
1989 duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
1990
1991 * runtime/JSActivation.cpp:
1992 (JSC::JSActivation::symbolTablePut):
1993 * runtime/JSSymbolTableObject.h:
1994 (JSC::symbolTablePut):
1995 * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
1996 (.):
1997
1998 2014-07-01 Mark Lam <mark.lam@apple.com>
1999
2000 Debugger's breakpoint list should not be a Vector.
2001 <https://webkit.org/b/134514>
2002
2003 Reviewed by Geoffrey Garen.
2004
2005 The debugger currently stores breakpoint data as entries in a Vector (see
2006 BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
2007 the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
2008 compact or reallocate its backing store, this can cause all sorts of havoc.
2009 The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
2010 move in memory.
2011
2012 The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
2013 doubly linked list.
2014
2015 * debugger/Breakpoint.h:
2016 (JSC::Breakpoint::Breakpoint):
2017 (JSC::BreakpointsList::~BreakpointsList):
2018 * debugger/Debugger.cpp:
2019 (JSC::Debugger::setBreakpoint):
2020 (JSC::Debugger::removeBreakpoint):
2021 (JSC::Debugger::hasBreakpoint):
2022 * debugger/Debugger.h:
2023
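The dangling-pointer hazard the entry above fixes, as an added example rather than the debugger's own code: the Breakpoint struct and the id-to-pointer side table are simplified stand-ins for BreakpointsInLine and m_breakpointIDToBreakpoint. The first function shows a vector reallocating underneath its side table (a use-after-free once any entry is dereferenced); the second shows the list-backed layout keeping every pointer valid through later insertions and removals.

```cpp
#include <cstddef>
#include <list>
#include <map>
#include <vector>

// Hypothetical stand-in for a breakpoint record; the real one carries more state.
struct Breakpoint {
    unsigned id;
    unsigned line;
};

// Vector-backed storage plus a side table of raw pointers into it, the layout
// the entry calls unsafe. Returns true as soon as a push_back grows the vector's
// capacity: reallocation invalidates every pointer into the old buffer, so each
// earlier side-table entry now refers to freed memory (it is never dereferenced
// here, only flagged).
bool vectorSideTableGoesStale(std::size_t count)
{
    std::vector<Breakpoint> breakpointsInLine;
    std::map<unsigned, const Breakpoint*> idToBreakpoint;
    for (unsigned id = 0; id < count; ++id) {
        const std::size_t capacityBefore = breakpointsInLine.capacity();
        breakpointsInLine.push_back({ id, 100 + id });
        idToBreakpoint[id] = &breakpointsInLine.back();
        // Capacity changed => buffer moved => every earlier map entry dangles.
        if (id > 0 && breakpointsInLine.capacity() != capacityBefore)
            return true;
    }
    return false;
}

// List-backed storage, the fix: std::list nodes never move, so side-table
// pointers stay valid across later insertions and across removal of other
// breakpoints. Returns true when every surviving pointer still names its node.
bool listSideTableStaysValid(std::size_t count)
{
    std::list<Breakpoint> breakpointsInLine;
    std::map<unsigned, const Breakpoint*> idToBreakpoint;
    for (unsigned id = 0; id < count; ++id) {
        breakpointsInLine.push_back({ id, 100 + id });
        idToBreakpoint[id] = &breakpointsInLine.back();
    }
    // Remove every even id, as removeBreakpoint would, and drop the matching
    // side-table entries; the odd nodes are untouched and must not have moved.
    for (auto it = breakpointsInLine.begin(); it != breakpointsInLine.end();) {
        if (it->id % 2 == 0) {
            idToBreakpoint.erase(it->id);
            it = breakpointsInLine.erase(it);
        } else {
            ++it;
        }
    }
    // Dereferencing is safe here only because list nodes are never relocated.
    for (const auto& entry : idToBreakpoint) {
        if (entry.second->id != entry.first || entry.second->line != 100 + entry.first)
            return false;
    }
    return idToBreakpoint.size() == count / 2;
}
```
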
2024 2014-06-30 Michael Saboff <msaboff@apple.com>
2025
2026 Add option to run-jsc-stress-tests to filter out tests that use large heaps
2027 https://bugs.webkit.org/show_bug.cgi?id=134458
2028
2029 Reviewed by Filip Pizlo.
2030
2031 Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
2032
2033 * tests/mozilla/mozilla-tests.yaml:
2034
2035 2014-06-30 Daniel Bates <dabates@apple.com>
2036
2037 Avoid copying closed variables vector; actually use move semantics
2038
2039 Rubber-stamped by Oliver Hunt.
2040
2041 Currently we always copy the closed variables vector passed by Parser::closedVariables()
2042 to ProgramNode::setClosedVariables() because these member functions return and take a const
2043 rvalue reference, respectively. Instead, these member functions should take and return a non-
2044 constant rvalue reference so that we actually move the closed variables vector from the Parser
2045 object to the Node object.
2046
2047 * parser/Nodes.cpp:
2048 (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
2049 * parser/Nodes.h:
2050 (JSC::ScopeNode::setClosedVariables): Ditto.
2051 * parser/Parser.h:
2052 (JSC::Parser::closedVariables): Remove const qualifier on return type.
2053 (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
2054 because Parser::closedVariables() returns an rvalue reference.
2055
2056 2014-06-30 Joseph Pecoraro <pecoraro@apple.com>
2057
2058 JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
2059 https://bugs.webkit.org/show_bug.cgi?id=134371
2060
2061 Reviewed by Timothy Hatcher.
2062
2063 * API/JSContextPrivate.h:
2064 * API/JSContext.mm:
2065 (-[JSContext _debuggerRunLoop]):
2066 (-[JSContext _setDebuggerRunLoop:]):
2067 Private API for setting the CFRunLoop for a debugger to evaluate in.
2068
2069 * API/JSContextRefInternal.h: Added.
2070 * API/JSContextRef.cpp:
2071 (JSGlobalContextGetDebuggerRunLoop):
2072 (JSGlobalContextSetDebuggerRunLoop):
2073 Internal API for setting a CFRunLoop on a JSContextRef.
2074 Set this on the debuggable.
2075
2076 * inspector/remote/RemoteInspectorDebuggable.h:
2077 * inspector/remote/RemoteInspectorDebuggableConnection.h:
2078 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2079 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2080 (Inspector::RemoteInspectorBlock::operator=):
2081 (Inspector::RemoteInspectorBlock::operator()):
2082 Moved into the header.
2083
2084 * runtime/JSGlobalObject.h:
2085 (JSC::JSGlobalObject::inspectorDebuggable):
2086 Let's store the RunLoop on the debuggable instead of this core
2087 platform agnostic class, so expose the debuggable.
2088
2089 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2090 (Inspector::RemoteInspectorHandleRunSourceGlobal):
2091 (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2092 (Inspector::RemoteInspectorInitializeGlobalQueue):
2093 Rename the global functions for clarity.
2094
2095 (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2096 Handler for private run loops.
2097
2098 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2099 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2100 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2101 (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2102 (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
2103 (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2104 Set up and tear down and use private run loop sources if the debuggable needs it.
2105
2106 2014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
2107
2108 Add missing ENABLE(DFG_JIT) guards
2109 https://bugs.webkit.org/show_bug.cgi?id=134444
2110
2111 Reviewed by Darin Adler.
2112
2113 * dfg/DFGFunctionWhitelist.cpp:
2114 * dfg/DFGFunctionWhitelist.h:
2115
2116 2014-06-29 Yoav Weiss <yoav@yoav.ws>
2117
2118 Add support for HTMLImageElement's sizes attribute
2119 https://bugs.webkit.org/show_bug.cgi?id=133620
2120
2121 Reviewed by Dean Jackson.
2122
2123 Added an ENABLE_PICTURE_SIZES compile flag.
2124
2125 * Configurations/FeatureDefines.xcconfig:
2126
2127 2014-06-27 Filip Pizlo <fpizlo@apple.com>
2128
2129 Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
2130 https://bugs.webkit.org/show_bug.cgi?id=134412
2131
2132 Reviewed by Mark Hahnenberg.
2133
2134 * dfg/DFGCSEPhase.cpp:
2135 (JSC::DFG::CSEPhase::setReplacement):
2136 * dfg/DFGStrengthReductionPhase.cpp:
2137 (JSC::DFG::StrengthReductionPhase::handleNode):
2138 * dfg/DFGValidate.cpp:
2139 (JSC::DFG::Validate::validate):
2140 * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
2141 (foo):
2142 (bar):
2143 (baz):
2144
2145 2014-06-27 Peyton Randolph <prandolph@apple.com>
2146
2147 Add feature flag for link long-press gesture.
2148 https://bugs.webkit.org/show_bug.cgi?id=134262
2149
2150 Reviewed by Enrica Casucci.
2151
2152 * Configurations/FeatureDefines.xcconfig:
2153 Add ENABLE_LINK_LONG_PRESS.
2154
2155 2014-06-27 László Langó <llango.u-szeged@partner.samsung.com>
2156
2157 [JavaScriptCore] FTL buildfix for EFL platform.
2158 https://bugs.webkit.org/show_bug.cgi?id=133546
2159
2160 Reviewed by Darin Adler.
2161
2162 * ftl/FTLAbstractHeap.cpp:
2163 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2164 * ftl/FTLLocation.cpp:
2165 (JSC::FTL::Location::forStackmaps):
2166 * ftl/FTLLowerDFGToLLVM.cpp:
2167 (JSC::FTL::LowerDFGToLLVM::opposite):
2168 * ftl/FTLOSRExitCompiler.cpp:
2169 (JSC::FTL::compileStub):
2170 * ftl/FTLStackMaps.cpp:
2171 (JSC::FTL::StackMaps::Constant::dump):
2172 * llvm/InitializeLLVMPOSIX.cpp:
2173 (JSC::initializeLLVMPOSIX):
2174
2175 2014-06-26 Benjamin Poulain <benjamin@webkit.org>
2176
2177 iOS 8 beta 2 ES6 'Set' clear() broken
2178 https://bugs.webkit.org/show_bug.cgi?id=134346
2179
2180 Reviewed by Oliver Hunt.
2181
2182 The object map was not cleared :(.
2183
2184 Kudos to Ashley Gullen for tracking this and making a regression test.
2185 Credit to Oliver for finding the missing code.
2186
2187 * runtime/MapData.h:
2188 (JSC::MapData::clear):
2189
2190 2014-06-25 Brent Fulgham <bfulgham@apple.com>
2191
2192 [Win] Expose Cache Information to WinLauncher
2193 https://bugs.webkit.org/show_bug.cgi?id=134318
2194
2195 Reviewed by Dean Jackson.
2196
2197 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
2198 MemoryStatistics files to the Windows build.
2199 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2200
2201 2014-06-26 David Kilzer <ddkilzer@apple.com>
2202
2203 DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
2204 <http://webkit.org/b/134343>
2205 <rdar://problem/17459487>
2206
2207 Reviewed by Michael Saboff.
2208
2209 * dfg/DFGFunctionWhitelist.cpp:
2210 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
2211 Close the file handle, and log an error on failure.
2212
2213 2014-06-25 Dana Burkart <dburkart@apple.com>
2214
2215 Add support for 5-tuple versioning.
2216
2217 Reviewed by David Farler.
2218
2219 * Configurations/Version.xcconfig:
2220
2221 2014-06-25 Geoffrey Garen <ggaren@apple.com>
2222
2223 Build fix.
2224
2225 Unreviewed.
2226
2227 * runtime/JSDateMath.cpp:
2228 (JSC::parseDateFromNullTerminatedCharacters):
2229 * runtime/VM.cpp:
2230 (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
2231 constant since that constant doesn't exist anymore.
2232
2233 2014-06-25 Geoffrey Garen <ggaren@apple.com>
2234
2235 Unreviewed, rolling out r166876.
2236
2237 Caused some ECMA test262 failures
2238
2239 Reverted changeset:
2240
2241 "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
2242 https://bugs.webkit.org/show_bug.cgi?id=131248
2243 http://trac.webkit.org/changeset/166876
2244
2245 2014-06-25 Brent Fulgham <bfulgham@apple.com>
2246
2247 [Win] Unreviewed gardening.
2248
2249 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
2250 put various files in proper IDE categories.
2251
2252 2014-06-25 peavo@outlook.com <peavo@outlook.com>
2253
2254 [Win64] ASM LLINT is not enabled.
2255 https://bugs.webkit.org/show_bug.cgi?id=130638
2256
2257 This patch adds a new LLINT assembler backend for Win64, and implements it.
2258 It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
2259 Also, LLINT and JIT are enabled for Win64.
2260
2261 Reviewed by Mark Lam.
2262
2263 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
2264 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2265 * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
2266 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
2267 * assembler/MacroAssemblerX86_64.h:
2268 (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
2269 * jit/JITStubsMSVC64.asm: Added.
2270 * jit/Repatch.cpp:
2271 (JSC::emitPutTransitionStub): Compile fix.
2272 * jit/ThunkGenerators.cpp:
2273 (JSC::nativeForGenerator): Follow Win64 ABI spec.
2274 * llint/LLIntData.cpp:
2275 (JSC::LLInt::Data::performAssertions): Ditto.
2276 * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
2277 * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
2278 * llint/LowLevelInterpreter64.asm: Ditto.
2279 * offlineasm/asm.rb: Compile fix.
2280 * offlineasm/backends.rb: Add new llint backend for Win64.
2281 * offlineasm/settings.rb: Compile fix.
2282 * offlineasm/x86.rb: Implement new llint Win64 backend.
2283
2284 2014-06-25 Laszlo Gombos <l.gombos@samsung.com>
2285
2286 Remove build guard for progress element
2287 https://bugs.webkit.org/show_bug.cgi?id=134292
2288
2289 Reviewed by Benjamin Poulain.
2290
2291 * Configurations/FeatureDefines.xcconfig:
2292
2293 2014-06-24 Michael Saboff <msaboff@apple.com>
2294
2295 Add support routines to provide descriptive JavaScript backtraces
2296 https://bugs.webkit.org/show_bug.cgi?id=134278
2297
2298 Reviewed by Mark Lam.
2299
2300 * interpreter/CallFrame.cpp:
2301 (JSC::CallFrame::dump):
2302 (JSC::CallFrame::describeFrame):
2303 * interpreter/CallFrame.h:
2304 * runtime/JSCJSValue.cpp:
2305 (JSC::JSValue::dumpForBacktrace):
2306 * runtime/JSCJSValue.h:
2307
2308 2014-06-24 Brady Eidson <beidson@apple.com>
2309
2310 Enable GAMEPAD in the Mac build, but disabled at runtime.
2311 https://bugs.webkit.org/show_bug.cgi?id=134255
2312
2313 Reviewed by Dean Jackson.
2314
2315 * Configurations/FeatureDefines.xcconfig:
2316
2317 * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
2318 functions at runtime.
2319
2320 2014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>
2321
2322 REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
2323 https://bugs.webkit.org/show_bug.cgi?id=134046
2324
2325 Reviewed by Filip Pizlo.
2326
2327 * runtime/GetterSetter.h:
2328 (JSC::asGetterSetter):
2329 * runtime/JSObject.cpp:
2330 (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
2331 a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
2332 and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2333
2334 2014-06-24 Brent Fulgham <bfulgham@apple.com>
2335
2336 [Win] MSVC mishandles enums in bitfields
2337 https://bugs.webkit.org/show_bug.cgi?id=134237
2338
2339 Reviewed by Michael Saboff.
2340
2341 Replace uses of enum types in bit fields with unsigned to
2342 avoid losing a bit to hold the sign value. This can result
2343 in Windows interpreting the value of the field improperly.
2344
2345 * bytecode/StructureStubInfo.h:
2346 * parser/Nodes.h:
2347
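The sign-bit loss described in the entry above, modelled portably as an added example (not the StructureStubInfo or Nodes code itself): the Kind enum and its four enumerators are hypothetical. An enum bitfield that the compiler treats as signed behaves like the `int kind : 2` field below, whose range is -2..1, so enumerators 2 and 3 do not survive a store; the unsigned field is the fix the entry applies.

```cpp
// Hypothetical four-valued enum standing in for the enums kept in bitfields.
enum Kind { KindA = 0, KindB = 1, KindC = 2, KindD = 3 };

// A two-bit field treated as signed: one bit goes to the sign, leaving a range
// of -2..1, which cannot represent KindC or KindD.
struct SignedLayout {
    int kind : 2;
    unsigned rest : 30;
};

// The fix from the entry: an unsigned two-bit field holds 0..3, and the
// enumerator is cast back on read.
struct UnsignedLayout {
    unsigned kind : 2;
    unsigned rest : 30;
};

// Store the enumerator through the signed layout and read it back.
int storeAndLoadSigned(Kind kind)
{
    SignedLayout layout = {};
    layout.kind = kind;   // values >= 2 do not fit; the field reads back negative
    return layout.kind;
}

// Store the enumerator through the unsigned layout and read it back.
int storeAndLoadUnsigned(Kind kind)
{
    UnsignedLayout layout = {};
    layout.kind = kind;
    return static_cast<int>(layout.kind);
}

// True when every enumerator survives a round trip through the given layout:
// the check worth running for any enum that is packed into a bitfield.
bool roundTripsAllKinds(int (*storeAndLoad)(Kind))
{
    const Kind kinds[] = { KindA, KindB, KindC, KindD };
    for (Kind kind : kinds) {
        if (storeAndLoad(kind) != static_cast<int>(kind))
            return false;
    }
    return true;
}
```
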
2348 2014-06-23 Andreas Kling <akling@apple.com>
2349
2350 Inline the UnlinkedInstructionStream::Reader logic.
2351 <https://webkit.org/b/134203>
2352
2353 This class is only used by CodeBlock to unpack the unlinked instructions,
2354 and we were spending 0.5% of total time on PLT calling Reader::next().
2355 Move the logic to the header file and mark it ALWAYS_INLINE.
2356
2357 Reviewed by Geoffrey Garen.
2358
2359 * bytecode/UnlinkedInstructionStream.cpp:
2360 * bytecode/UnlinkedInstructionStream.h:
2361 (JSC::UnlinkedInstructionStream::Reader::Reader):
2362 (JSC::UnlinkedInstructionStream::Reader::read8):
2363 (JSC::UnlinkedInstructionStream::Reader::read32):
2364 (JSC::UnlinkedInstructionStream::Reader::next):
2365
2366 2014-06-20 Sam Weinig <sam@webkit.org>
2367
2368 Remove static tables for bindings that use eager reification
2369 https://bugs.webkit.org/show_bug.cgi?id=134126
2370
2371 Reviewed by Oliver Hunt.
2372
2373 * runtime/JSObject.cpp:
2374 (JSC::JSObject::putDirectCustomAccessor):
2375 * runtime/Structure.h:
2376 (JSC::Structure::setHasCustomGetterSetterProperties):
2377 Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
2378 the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
2379 Without this, JSObject::put() won't think there are any setters on the prototype chain of an
2380 object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2381
2382 2014-06-21 Brady Eidson <beidson@apple.com>
2383
2384 Gamepad API - Deprecate the existing implementation
2385 https://bugs.webkit.org/show_bug.cgi?id=134108
2386
2387 Reviewed by Timothy Hatcher.
2388
2389 -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2390 -Move some implementation files into a "deprecated" subdirectory.
2391
2392 * Configurations/FeatureDefines.xcconfig:
2393
2394 2014-06-21 Commit Queue <commit-queue@webkit.org>
2395
2396 Unreviewed, rolling out r170244.
2397 https://bugs.webkit.org/show_bug.cgi?id=134157
2398
2399 GTK/EFL bindings generator works differently, making this
2400 patch not work there. Will fix entire patch after a rollout.
2401 (Requested by bradee-oh on #webkit).
2402
2403 Reverted changeset:
2404
2405 "Gamepad API - Deprecate the existing implementation"
2406 https://bugs.webkit.org/show_bug.cgi?id=134108
2407 http://trac.webkit.org/changeset/170244
2408
2409 2014-06-21 Brady Eidson <beidson@apple.com>
2410
2411 Gamepad API - Deprecate the existing implementation
2412 https://bugs.webkit.org/show_bug.cgi?id=134108
2413
2414 Reviewed by Timothy Hatcher.
2415
2416 -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2417 -Add the "Deprecated" suffix to some implementation files
2418
2419 * Configurations/FeatureDefines.xcconfig:
2420
2421 2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2422
2423 Removing PAGE_VISIBILITY_API compile guard.
2424 https://bugs.webkit.org/show_bug.cgi?id=133844
2425
2426 Reviewed by Gavin Barraclough.
2427
2428 * Configurations/FeatureDefines.xcconfig:
2429
2430 2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2431
2432 ARM traditional buildfix after r169942.
2433 https://bugs.webkit.org/show_bug.cgi?id=134100
2434
2435 Reviewed by Zoltan Herczeg.
2436
2437 * assembler/MacroAssemblerARM.h:
2438 (JSC::MacroAssemblerARM::abortWithReason): Added.
2439
2440 2014-06-20 Andreas Kling <akling@apple.com>
2441
2442 [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
2443 <https://webkit.org/b/134112>
2444
2445 Reviewed by Mark Hahnenberg.
2446
2447 * heap/BlockAllocator.h:
2448
2449 2014-06-19 Alex Christensen <achristensen@webkit.org>
2450
2451 Unreviewed fix after r170130.
2452
2453 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
2454 Corrected directory so it can find common.props when opening Visual Studio.
2455
2456 2014-06-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
2457
2458 Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
2459 https://bugs.webkit.org/show_bug.cgi?id=130389
2460
2461 Reviewed by Mark Lam.
2462
2463 Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
2464 into !ENABLE(JIT) since they are mutually exclusive.
2465
2466 * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, since
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

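The +0/-0 and zero-key problem described in the two m_doubleConstantMap entries above, as an added example that is not JSC's code: a constant pool keyed on the double's raw IEEE-754 bits (the approach the fix describes) beside a value-keyed std::unordered_map that collapses the two zeros and never finds a NaN it already holds. The class and function names are hypothetical.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <unordered_map>
#include <vector>

// Hypothetical constant pool (not DFGGraph's real one): maps each distinct
// double to a slot index, keyed on the value's 64-bit pattern rather than on
// the double itself. Keying on the bits keeps +0.0 and -0.0 apart (they differ
// in the sign bit although -0.0 == +0.0), lets two NaNs with the same payload
// share a slot, and needs no reserved "empty"/"deleted" key, so a zero
// constant is stored like any other value.
class DoubleConstantPool {
public:
    // Type-pun the double through memcpy; reinterpret_cast would be UB.
    static uint64_t bitsOf(double value)
    {
        static_assert(sizeof(uint64_t) == sizeof(double), "double must be 64-bit");
        uint64_t bits;
        std::memcpy(&bits, &value, sizeof(bits));
        return bits;
    }

    // Returns the slot index of `value`, appending a new slot on first sight.
    size_t indexOf(double value)
    {
        uint64_t key = bitsOf(value);
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second;
        size_t index = m_constants.size();
        m_constants.push_back(value);
        m_map.emplace(key, index);
        return index;
    }

    size_t size() const { return m_constants.size(); }
    double at(size_t index) const { return m_constants.at(index); }

private:
    std::unordered_map<uint64_t, size_t> m_map;
    std::vector<double> m_constants;
};

// The flawed variant: a map keyed on the double value. Lookup uses operator==,
// so -0.0 and +0.0 merge into one key, and NaN never matches itself, so every
// NaN inserted becomes a fresh entry.
size_t countDistinctByValue(const std::vector<double>& values)
{
    std::unordered_map<double, int> byValue;
    for (double v : values)
        byValue[v] = 1;
    return byValue.size();
}

// The bit-keyed variant: counts distinct bit patterns.
size_t countDistinctByBits(const std::vector<double>& values)
{
    DoubleConstantPool pool;
    for (double v : values)
        pool.indexOf(v);
    return pool.size();
}
```
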
26772014-06-17 Oliver Hunt <oliver@apple.com>
2678
2679 Fix error messages for incorrect hex literals
2680 https://bugs.webkit.org/show_bug.cgi?id=133998
2681
2682 Reviewed by Mark Lam.
2683
2684 Ensure that the error messages for bogus hex literals actually
2685 make sense.
2686
2687 * parser/Lexer.cpp:
2688 (JSC::Lexer<T>::lex):
2689 * parser/ParserTokens.h:
2690
26912014-06-17 Matthew Mirman <mmirman@apple.com>
2692
2693 Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
2694 https://bugs.webkit.org/show_bug.cgi?id=133814
2695
2696 Reviewed by Filip Pizlo.
2697
2698 Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
2699 script from using "*.o" as a file when no other files in the directory exist.
2700
2701 * build-symbol-table-index.sh: Added license.
2702 * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2703
27042014-06-16 Sam Weinig <sam@webkit.org>
2705
2706 Move forward declaration of bindings static functions into their implementation files
2707 https://bugs.webkit.org/show_bug.cgi?id=133943
2708
2709 Reviewed by Geoffrey Garen.
2710
2711 * runtime/CommonIdentifiers.h:
2712 Add a few identifiers that are needed by the DOM.
2713
27142014-06-16 Mark Lam <mark.lam@apple.com>
2715
2716 Parser statementDepth accounting needs to account for when a function body excludes its braces.
2717 <https://webkit.org/b/133832>
2718
2719 Reviewed by Oliver Hunt.
2720
2721 In some cases (e.g. when a Function object is instantiated from a string), the
2722 function body source may not include its braces. The parser needs to account
2723 for this when calculating its statementDepth.
2724
2725 * bytecode/UnlinkedCodeBlock.cpp:
2726 (JSC::generateFunctionCodeBlock):
2727 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2728 * bytecode/UnlinkedCodeBlock.h:
2729 * parser/Parser.cpp:
2730 (JSC::Parser<LexerType>::parseStatement):
2731 - Also fixed the error message for declaring nested functions in strict mode
2732 to be more accurate.
2733 * parser/Parser.h:
2734 (JSC::Parser<LexerType>::parse):
2735 (JSC::parse):
2736 * runtime/Executable.cpp:
2737 (JSC::ScriptExecutable::newCodeBlockFor):
2738
27392014-06-16 Juergen Ributzka <juergen@apple.com>
2740
2741 Change the order of the alias analysis passes to align with the opt pipeline of LLVM
2742 https://bugs.webkit.org/show_bug.cgi?id=133753
2743
2744 Reviewed by Geoffrey Garen.
2745
2746 The order in which the alias analysis passes are added affects also the
2747 order in which they are utilized. Change the order to align with the
2748 one use by LLVM itself. The last alias analysis pass added will be
2749 evaluated first. With this change we first perform a basic alias
2750 analysis and then use the type-based alias analysis (if required).
2751
2752 * ftl/FTLCompile.cpp:
2753 (JSC::FTL::compile):
2754
27552014-06-16 Juergen Ributzka <juergen@apple.com>
2756
2757 Fix the arguments passed to the LLVM dylib
2758 https://bugs.webkit.org/show_bug.cgi?id=133757
2759
2760 Reviewed by Geoffrey Garen.
2761
2762 The LLVM command line argument parser assumes that the first argument
2763 is the program name. We need to add a fake program name, otherwise the
2764 first argument will be parsed as program name and ignored.
2765
2766 * llvm/library/LLVMExports.cpp:
2767 (initializeAndGetJSCLLVMAPI):
2768
27692014-06-16 Michael Saboff <msaboff@apple.com>
2770
2771 Convert ASSERT in inlineFunctionForCapabilityLevel to early return
2772 https://bugs.webkit.org/show_bug.cgi?id=133903
2773
2774 Reviewed by Mark Hahnenberg.
2775
2776 Hardened code by Converting ASSERT to return CannotCompile.
2777
2778 * dfg/DFGCapabilities.h:
2779 (JSC::DFG::inlineFunctionForCapabilityLevel):
2780
27812014-06-13 Sam Weinig <sam@webkit.org>
2782
2783 Store DOM constants directly in the JS object rather than jumping through a custom accessor
2784 https://bugs.webkit.org/show_bug.cgi?id=133898
2785
2786 Reviewed by Oliver Hunt.
2787
2788 * runtime/Lookup.h:
2789 (JSC::HashTableValue::attributes):
2790 Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
2791 and will make adding more flags possibles.
2792
2793 (JSC::HashTableValue::propertyGetter):
2794 (JSC::HashTableValue::propertyPutter):
2795 Change assertion to use BuiltinOrFunctionOrConstant.
2796
2797 (JSC::HashTableValue::constantInteger):
2798 Added.
2799
2800 (JSC::getStaticPropertySlot):
2801 (JSC::getStaticValueSlot):
2802 Use PropertySlot::setValue() for constants during static lookup.
2803
2804 (JSC::reifyStaticProperties):
2805 Put the constant directly on the object when eagerly reifying.
2806
2807 * runtime/PropertySlot.h:
2808 Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2809
28102014-06-14 Michael Saboff <msaboff@apple.com>
2811
2812 operationCreateArguments could cause a GC during OSR exit
2813 https://bugs.webkit.org/show_bug.cgi?id=133905
2814
2815 Reviewed by Filip Pizlo.
2816
2817 Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
2818 for use by OSR exit stubs.
2819
2820 * dfg/DFGOSRExitCompilerCommon.cpp:
2821 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2822 * dfg/DFGOperations.cpp:
2823 * dfg/DFGOperations.h:
2824 * jit/JITOperations.cpp:
2825 * jit/JITOperations.h:
2826
28272014-06-13 Mark Hahnenberg <mhahnenberg@apple.com>
2828
2829 OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
2830 https://bugs.webkit.org/show_bug.cgi?id=133880
2831
2832 Reviewed by Filip Pizlo.
2833
2834 We could have exited due to a value received from an inlined block that's no longer on
2835 the stack, so we should just barrier all InlineCallFrames.
2836
2837 * dfg/DFGOSRExitCompilerCommon.cpp:
2838 (JSC::DFG::adjustAndJumpToTarget):
2839
28402014-06-13 Alex Christensen <achristensen@webkit.org>
2841
2842 Make css jit compile for armv7.
2843 https://bugs.webkit.org/show_bug.cgi?id=133596
2844
2845 Reviewed by Benjamin Poulain.
2846
2847 * assembler/MacroAssembler.h:
2848 Use branchPtr on ARM_THUMB2.
2849 * assembler/MacroAssemblerARMv7.h:
2850 (JSC::MacroAssemblerARMv7::addPtrNoFlags):
2851 (JSC::MacroAssemblerARMv7::or32):
2852 (JSC::MacroAssemblerARMv7::test32):
2853 (JSC::MacroAssemblerARMv7::branch):
2854 (JSC::MacroAssemblerARMv7::branchPtr):
2855 Added macros necessary for css jit.
2856
28572014-06-13 Filip Pizlo <fpizlo@apple.com>
2858
2859 Unreviewed, fix ARMv7.
2860
2861 * assembler/MacroAssemblerARMv7.h:
2862 (JSC::MacroAssemblerARMv7::abortWithReason):
2863
28642014-06-12 Filip Pizlo <fpizlo@apple.com>
2865
2866 Even better diagnostics from DFG traps
2867 https://bugs.webkit.org/show_bug.cgi?id=133836
2868
2869 Reviewed by Oliver Hunt.
2870
2871 We now stuff the DFG::NodeType into a register before bailing. Also made the
2872 DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
2873 different numbers than any previous abort reasons.
2874
2875 * assembler/AbortReason.h:
2876 * assembler/MacroAssemblerARM64.h:
2877 (JSC::MacroAssemblerARM64::abortWithReason):
2878 * assembler/MacroAssemblerARMv7.h:
2879 (JSC::MacroAssemblerARMv7::abortWithReason):
2880 * assembler/MacroAssemblerX86.h:
2881 (JSC::MacroAssemblerX86::abortWithReason):
2882 * assembler/MacroAssemblerX86_64.h:
2883 (JSC::MacroAssemblerX86_64::abortWithReason):
2884 * dfg/DFGSpeculativeJIT.cpp:
2885 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2886 (JSC::DFG::SpeculativeJIT::bail):
2887 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2888 * dfg/DFGSpeculativeJIT.h:
2889
28902014-06-12 Simon Fraser <simon.fraser@apple.com>
2891
2892 Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
2893 https://bugs.webkit.org/show_bug.cgi?id=133840
2894
2895 Reviewed by Filip Pizlo.
2896
2897 Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
2898 when running DFG tests.
2899
2900 * API/JSCTestRunnerUtils.cpp:
2901 (JSC::numberOfDFGCompiles):
2902 (JSC::setNeverInline):
2903
29042014-06-12 Brent Fulgham <bfulgham@apple.com>
2905
2906 [Win] Avoid fork bomb during build
2907 https://bugs.webkit.org/show_bug.cgi?id=133837
2908 <rdar://problem/17296034>
2909
2910 Reviewed by Tim Horton.
2911
2912 * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
2913 reasonable default value when the 'num-cpus' script is not available.
2914
29152014-06-12 Mark Lam <mark.lam@apple.com>
2916
2917 Remove some dead / unused code.
2918 <https://webkit.org/b/133828>
2919
2920 Reviewed by Filip Pizlo.
2921
2922 * builtins/BuiltinExecutables.cpp:
2923 (JSC::BuiltinExecutables::createBuiltinExecutable):
2924 * bytecode/UnlinkedCodeBlock.cpp:
2925 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2926 * bytecode/UnlinkedCodeBlock.h:
2927 (JSC::UnlinkedFunctionExecutable::create):
2928 * bytecompiler/BytecodeGenerator.h:
2929 (JSC::BytecodeGenerator::makeFunction):
2930 * parser/Parser.h:
2931 (JSC::DepthManager::DepthManager): Deleted.
2932 (JSC::DepthManager::~DepthManager): Deleted.
2933 * runtime/CodeCache.cpp:
2934 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2935
29362014-06-12 Mark Hahnenberg <mhahnenberg@apple.com>
2937
2938 Move structureHasRareData out of TypeInfo
2939 https://bugs.webkit.org/show_bug.cgi?id=133800
2940
2941 Reviewed by Andreas Kling.
2942
2943 StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
2944 but we have a few spare bits in Structure so it would be nice to remove this hack.
2945
2946 * runtime/JSTypeInfo.h:
2947 (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
2948 (JSC::TypeInfo::structureHasRareData): Deleted.
2949 * runtime/Structure.cpp:
2950 (JSC::Structure::Structure):
2951 (JSC::Structure::allocateRareData):
2952 (JSC::Structure::cloneRareDataFrom):
2953 * runtime/Structure.h:
2954 (JSC::Structure::previousID):
2955 (JSC::Structure::objectToStringValue):
2956 (JSC::Structure::setObjectToStringValue):
2957 (JSC::Structure::setPreviousID):
2958 (JSC::Structure::clearPreviousID):
2959 (JSC::Structure::previous):
2960 (JSC::Structure::rareData):
2961 * runtime/StructureInlines.h:
2962 (JSC::Structure::setEnumerationCache):
2963 (JSC::Structure::enumerationCache):
2964
29652014-06-12 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
2966
2967 Allow enum guards to be generated from the replay json files
2968 https://bugs.webkit.org/show_bug.cgi?id=133399
2969
2970 Reviewed by Csaba Osztrogonác.
2971
2972 * replay/scripts/CodeGeneratorReplayInputs.py:
2973 (Type.__init__):
2974 (InputsModel.parse_type_with_framework_name):
2975 (Generator.generate_header):
2976 (Generator.generate_implementation):
2977 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
2978 (Test::HandleWheelEvent::HandleWheelEvent):
2979 (Test::HandleWheelEvent::~HandleWheelEvent):
2980 (JSC::InputTraits<Test::HandleWheelEvent>::type):
2981 (JSC::InputTraits<Test::HandleWheelEvent>::encode):
2982 (JSC::InputTraits<Test::HandleWheelEvent>::decode):
2983 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
2984 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
2985 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
2986 (JSC::InputTraits<Test::HandleWheelEvent>::queue):
2987 (Test::HandleWheelEvent::platformEvent):
2988 * replay/scripts/tests/generate-enum-with-guard.json: Added.
2989
29902014-06-12 Carlos Garcia Campos <cgarcia@igalia.com>
2991
2992 Unreviewed. Fix GTK+ build after r169823.
2993
2994 Include StructureInlines.h in a few more files to fix linking
2995 issues due to JSC::Structure::get undefined symbol.
2996
2997 * runtime/ArrayIteratorConstructor.cpp:
2998 * runtime/ArrayIteratorPrototype.cpp:
2999 * runtime/JSConsole.cpp:
3000 * runtime/JSMapIterator.cpp:
3001 * runtime/JSSet.cpp:
3002 * runtime/JSSetIterator.cpp:
3003 * runtime/JSWeakMap.cpp:
3004 * runtime/MapIteratorPrototype.cpp:
3005 * runtime/MapPrototype.cpp:
3006 * runtime/SetIteratorPrototype.cpp:
3007 * runtime/SetPrototype.cpp:
3008 * runtime/WeakMapPrototype.cpp:
3009
30102014-06-12 Csaba Osztrogonác <ossy@webkit.org>
3011
3012 [EFL] One more URTBF after r169823 to make ARM64 build happy too.
3013
3014 * runtime/JSMap.cpp:
3015
30162014-06-11 Mark Hahnenberg <mhahnenberg@apple.com>
3017
3018 Inline caching should try to flatten uncacheable dictionaries
3019 https://bugs.webkit.org/show_bug.cgi?id=133683
3020
3021 Reviewed by Geoffrey Garen.
3022
3023 There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
3024 which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
3025 If properties are deleted out of the object during its initialization, we can enable caching for that object by
3026 attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
3027 performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
3028 state then we can just give up on caching that object.
3029
3030 In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
3031 the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
3032 the other inline caching functions to return this enum rather than the opaque booleans that we were previously
3033 returning.
3034
3035 * jit/Repatch.cpp:
3036 (JSC::actionForCell):
3037 (JSC::tryCacheGetByID):
3038 (JSC::repatchGetByID):
3039 (JSC::tryBuildGetByIDList):
3040 (JSC::buildGetByIDList):
3041 (JSC::tryCachePutByID):
3042 (JSC::repatchPutByID):
3043 (JSC::tryBuildPutByIdList):
3044 (JSC::buildPutByIdList):
3045 (JSC::tryRepatchIn):
3046 (JSC::repatchIn):
3047 * runtime/Structure.cpp:
3048 (JSC::Structure::Structure):
3049 (JSC::Structure::flattenDictionaryStructure):
3050 * runtime/Structure.h:
3051 (JSC::Structure::hasBeenFlattenedBefore):
3052
30532014-06-11 Csaba Osztrogonác <ossy@webkit.org>
3054
3055 [EFL] URTBF after r169823.
3056
3057 * bindings/ScriptValue.cpp: Missing include added.
3058
30592014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3060
3061 Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
3062
3063 Rubber-stamped by Andreas Kling.
3064
3065 * runtime/JSObject.h:
3066 (JSC::JSObject::fastGetOwnPropertySlot):
3067
30682014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3069
3070 Turning on DUMP_PROPERTYMAP_STATS causes a build failure
3071 https://bugs.webkit.org/show_bug.cgi?id=133673
3072
3073 Reviewed by Andreas Kling.
3074
3075 Rewrote the property map statistics code because the old code wasn't building,
3076 and it was also mixing numbers for lookups and insertions/removals.
3077
3078 New logging code records the number of calls to PropertyTable::find (finds) and
3079 PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
3080 the number of probing during updates and lookups.
3081
3082 * jsc.cpp:
3083 * runtime/PropertyMapHashTable.h:
3084 (JSC::PropertyTable::find):
3085 (JSC::PropertyTable::get):
3086 (JSC::PropertyTable::findWithString):
3087 (JSC::PropertyTable::add):
3088 (JSC::PropertyTable::remove):
3089 (JSC::PropertyTable::reinsert):
3090 (JSC::PropertyTable::rehash):
3091 * runtime/Structure.cpp:
3092 (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
3093 (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
3094
30952014-06-11 Andreas Kling <akling@apple.com>
3096
3097 Always inline JSValue::get() and Structure::get().
3098 <https://webkit.org/b/133755>
3099
3100 Reviewed by Ryosuke Niwa.
3101
3102 These functions get really hot, so ask the compiler to be more
3103 aggressive about inlining them.
3104
3105 ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
3106 through GetByVal.
3107
3108 * runtime/JSArrayIterator.cpp:
3109 * runtime/JSCJSValue.cpp:
3110 * runtime/JSCJSValueInlines.h:
3111 (JSC::JSValue::get):
3112 * runtime/JSPromiseDeferred.cpp:
3113 * runtime/StructureInlines.h:
3114 (JSC::Structure::get):
3115
31162014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3117
3118 Structure::get should instantiate DeferGC only when materializing property map
3119 https://bugs.webkit.org/show_bug.cgi?id=133727
3120
3121 Rubber-stamped by Andreas Kling.
3122
3123 Make materializePropertyMapIfNecessary always inline.
3124
3125 This is ~12% improvement on the microbenchmark attached in the bug.
3126
3127 * runtime/Structure.h:
3128 (JSC::Structure::materializePropertyMapIfNecessary):
3129 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3130
31312014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3132
3133 Structure::get should instantiate DeferGC only when materializing property map
3134 https://bugs.webkit.org/show_bug.cgi?id=133727
3135
3136 Reviewed by Geoffrey Garen.
3137
3138 DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid
3139 collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
3140 when GCSafeConcurrentJITLocker goes out of scope.
3141
3142 However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
3143 in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
3144 and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
3145
3146 Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
3147 and immediately storing a pointer to the newly created property table in the stack before DeferGC
3148 goes out of scope so that the property table will be marked.
3149
3150 This shows 13-16% improvement on the microbenchmark attached in the bug.
3151
3152 * runtime/JSCJSValue.cpp:
3153 * runtime/JSObject.h:
3154 (JSC::JSObject::fastGetOwnPropertySlot):
3155 * runtime/Structure.h:
3156 (JSC::Structure::materializePropertyMapIfNecessary):
3157 * runtime/StructureInlines.h:
3158 (JSC::Structure::get):
3159
31602014-06-11 Andreas Kling <akling@apple.com>
3161
3162 Some JSValue::get() micro-optimzations.
3163 <https://webkit.org/b/133739>
3164
3165 Tighten some of the property lookup code to improve performance of the
3166 eagerly reified prototype attributes:
3167
3168 - Instead of converting the property name to an integer at every step
3169 in the prototype chain, move that to a separate pass at the end
3170 since it should be a rare case.
3171
3172 - Cache the StructureIDTable in a local instead of fetching it from
3173 the Heap on every step.
3174
3175 - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
3176 on the assumption that clients would mostly be cacheable GetByIds,
3177 and it gets pretty hot (~1%) in GetByVal.
3178
3179 - Pass the Structure directly to fillCustomGetterPropertySlot instead
3180 of refetching it from the StructureIDTable.
3181
3182 Reviewed by Geoff Garen.
3183
3184 * runtime/JSObject.cpp:
3185 (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
3186 * runtime/JSObject.h:
3187 (JSC::JSObject::inlineGetOwnPropertySlot):
3188 (JSC::JSObject::fillCustomGetterPropertySlot):
3189 (JSC::JSObject::getOwnPropertySlot):
3190 (JSC::JSObject::fastGetOwnPropertySlot):
3191 (JSC::JSObject::getPropertySlot):
3192 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
3193
31942014-06-10 Sam Weinig <sam@webkit.org>
3195
3196 Don't create a HashTable for JSObjects that use eager reification
3197 https://bugs.webkit.org/show_bug.cgi?id=133705
3198
3199 Reviewed by Geoffrey Garen.
3200
3201 * runtime/Lookup.h:
3202 (JSC::reifyStaticProperties):
3203 Add a version of reifyStaticProperties that takes an array of HashTableValues
3204 rather than a HashTable.
3205
32062014-06-10 Filip Pizlo <fpizlo@apple.com>
3207
3208 Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
3209 https://bugs.webkit.org/show_bug.cgi?id=133698
3210
3211 Reviewed by Geoffrey Garen and Mark Hahnenberg.
3212
3213 * dfg/DFGPredictionPropagationPhase.cpp:
3214 (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
3215 * dfg/DFGVariableAccessData.cpp:
3216 (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
3217 (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
3218 (JSC::DFG::VariableAccessData::flushFormat):
3219 * dfg/DFGVariableAccessData.h:
3220 * tests/stress/int52-inlined-call-argument.js: Added.
3221 (foo):
3222 (bar):
3223
32242014-06-10 Mark Lam <mark.lam@apple.com>
3225
3226 Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
3227 <https://webkit.org/b/133356>
3228
3229 Reviewed by Mark Hahnenberg.
3230
3231 The root cause of this issue is that a nonPropertyTransition can transition
3232 a pinned dictionary structure to an unpinned dictionary structure. The new
3233 structure will get a copy of the property table from the original structure.
3234 However, when a GC occurs, the property table in the new structure will be
3235 cleared because it is unpinned. This leads to complications in subsequent
3236 derivative structures when flattening occurs, which eventually leads to the
3237 assertion failure in this bug.
3238
3239 The fix is to ensure that the new dictionary structure generated by the
3240 nonPropertyTransition will have a copy of its predecessor's property table
3241 and is pinned.
3242
3243 * runtime/Structure.cpp:
3244 (JSC::Structure::nonPropertyTransition):
3245
32462014-06-10 Michael Saboff <msaboff@apple.com>
3247
3248 In a certain app state, Array.prototype.filter() returns incorrect results
3249 https://bugs.webkit.org/show_bug.cgi?id=133577
3250
3251 Reviewed by Oliver Hunt.
3252
3253 Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
3254
3255 * llint/LowLevelInterpreter32_64.asm:
3256 * llint/LowLevelInterpreter64.asm:
3257
32582014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
3259
3260 Global HashTables contain references to atomic StringImpls
3261 https://bugs.webkit.org/show_bug.cgi?id=133661
3262
3263 Reviewed by Geoffrey Garen.
3264
3265 This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
3266 cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
3267 incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
3268 change the "keys" field of the static HashTables to be char** instead of StringImpl**.
3269
3270 * runtime/JSObject.cpp:
3271 (JSC::getClassPropertyNames):
3272 * runtime/Lookup.cpp:
3273 (JSC::HashTable::createTable):
3274 (JSC::HashTable::deleteTable):
3275 * runtime/Lookup.h:
3276 (JSC::HashTable::ConstIterator::key):
3277 (JSC::HashTable::entry):
3278
32792014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
3280
3281 Build fix after r169703
3282
3283 * JavaScriptCore.xcodeproj/project.pbxproj:
3284
32852014-06-05 Mark Hahnenberg <mhahnenberg@apple.com>
3286
3287 Eagerly reify DOM prototype attributes
3288 https://bugs.webkit.org/show_bug.cgi?id=133558
3289
3290 Reviewed by Oliver Hunt.
3291
3292 This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
3293 By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
3294 getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
3295 DOM wrappers.
3296
3297 * CMakeLists.txt:
3298 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3299 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3300 * JavaScriptCore.xcodeproj/project.pbxproj:
3301 * llint/LLIntData.cpp:
3302 (JSC::LLInt::Data::performAssertions):
3303 * llint/LowLevelInterpreter.asm:
3304 * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::get): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::get): Inlined due to hotness.
        (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):

2014-06-07  Mark Lam  <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect. However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure. This makes the
        code confusing to read and more error prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06  Andreas Kling  <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04  Timothy Horton  <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04  Oliver Hunt  <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04  Filip Pizlo  <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03  Filip Pizlo  <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31  Anders Carlsson  <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27  Filip Pizlo  <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27  Jon Lee  <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25  Filip Pizlo  <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.

        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs. That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.

        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since clang is the
        only compiler used in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24  Andreas Kling  <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html.

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23  Andreas Kling  <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger. After r154797, we don't. This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here. Interpreter::debug() should never be called
          with a pending exception. Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.

        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating so that the callback isn't called for them.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.

        Make prediction propagator use ArrayMode refinement to decide the return type.

        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end. As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimize codeBlock that we're planning to OSR enter into when we
        return from this function. This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.

        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minimum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan  <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional build fix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.

        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

42162014-05-13 peavo@outlook.com <peavo@outlook.com>
4217
4218 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
4219 https://bugs.webkit.org/show_bug.cgi?id=132772
4220
4221 Reviewed by Geoffrey Garen.
4222
4223 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
4224 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
4225 This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
4226 The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
4227
4228 * assembler/MacroAssemblerARM.h:
4229 (JSC::MacroAssemblerARM::loadDouble):
4230 (JSC::MacroAssemblerARM::storeDouble):
4231 * assembler/MacroAssemblerARM64.h:
4232 (JSC::MacroAssemblerARM64::loadDouble):
4233 (JSC::MacroAssemblerARM64::storeDouble):
4234 * assembler/MacroAssemblerARMv7.h:
4235 (JSC::MacroAssemblerARMv7::loadDouble):
4236 (JSC::MacroAssemblerARMv7::storeDouble):
4237 * assembler/MacroAssemblerMIPS.h:
4238 (JSC::MacroAssemblerMIPS::loadDouble):
4239 (JSC::MacroAssemblerMIPS::storeDouble):
4240 * assembler/MacroAssemblerSH4.h:
4241 (JSC::MacroAssemblerSH4::loadDouble):
4242 (JSC::MacroAssemblerSH4::storeDouble):
4243 * assembler/MacroAssemblerX86.h:
4244 (JSC::MacroAssemblerX86::storeDouble):
4245 * assembler/MacroAssemblerX86Common.h:
4246 (JSC::MacroAssemblerX86Common::absDouble):
4247 (JSC::MacroAssemblerX86Common::negateDouble):
4248 (JSC::MacroAssemblerX86Common::loadDouble):
4249 * dfg/DFGSpeculativeJIT.cpp:
4250 (JSC::DFG::SpeculativeJIT::silentFill):
4251 (JSC::DFG::compileClampDoubleToByte):
4252 * dfg/DFGSpeculativeJIT32_64.cpp:
4253 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
4254 (JSC::DFG::SpeculativeJIT::compile):
4255 * jit/AssemblyHelpers.cpp:
4256 (JSC::AssemblyHelpers::purifyNaN):
4257 * jit/JITInlines.h:
4258 (JSC::JIT::emitLoadDouble):
4259 * jit/JITPropertyAccess.cpp:
4260 (JSC::JIT::emitFloatTypedArrayGetByVal):
4261 * jit/ThunkGenerators.cpp:
4262 (JSC::floorThunkGenerator):
4263 (JSC::roundThunkGenerator):
4264 (JSC::powThunkGenerator):
4265
42662014-05-12 Commit Queue <commit-queue@webkit.org>
4267
4268 Unreviewed, rolling out r168642.
4269 https://bugs.webkit.org/show_bug.cgi?id=132839
4270
4271 Broke ARM build (Requested by jpfau on #webkit).
4272
4273 Reverted changeset:
4274
4275 "[Win] Enum type with value zero is compatible with void*,
4276 potential cause of crashes."
4277 https://bugs.webkit.org/show_bug.cgi?id=132772
4278 http://trac.webkit.org/changeset/168642
4279
42802014-05-12 peavo@outlook.com <peavo@outlook.com>
4281
4282 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
4283 https://bugs.webkit.org/show_bug.cgi?id=132772
4284
4285 Reviewed by Geoffrey Garen.
4286
4287 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
4288 This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
4289 This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
4290 The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
4291
4292 * assembler/MacroAssemblerARM.h:
4293 (JSC::MacroAssemblerARM::loadDouble):
4294 (JSC::MacroAssemblerARM::storeDouble):
4295 * assembler/MacroAssemblerARM64.h:
4296 (JSC::MacroAssemblerARM64::loadDouble):
4297 (JSC::MacroAssemblerARM64::storeDouble):
4298 * assembler/MacroAssemblerARMv7.h:
4299 (JSC::MacroAssemblerARMv7::loadDouble):
4300 (JSC::MacroAssemblerARMv7::storeDouble):
4301 * assembler/MacroAssemblerMIPS.h:
4302 (JSC::MacroAssemblerMIPS::loadDouble):
4303 (JSC::MacroAssemblerMIPS::storeDouble):
4304 * assembler/MacroAssemblerSH4.h:
4305 (JSC::MacroAssemblerSH4::loadDouble):
4306 (JSC::MacroAssemblerSH4::storeDouble):
4307 * assembler/MacroAssemblerX86.h:
4308 (JSC::MacroAssemblerX86::storeDouble):
4309 * assembler/MacroAssemblerX86Common.h:
4310 (JSC::MacroAssemblerX86Common::absDouble):
4311 (JSC::MacroAssemblerX86Common::negateDouble):
4312 (JSC::MacroAssemblerX86Common::loadDouble):
4313 * dfg/DFGSpeculativeJIT.cpp:
4314 (JSC::DFG::SpeculativeJIT::silentFill):
4315 (JSC::DFG::compileClampDoubleToByte):
4316 * dfg/DFGSpeculativeJIT32_64.cpp:
4317 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
4318 (JSC::DFG::SpeculativeJIT::compile):
4319 * jit/AssemblyHelpers.cpp:
4320 (JSC::AssemblyHelpers::purifyNaN):
4321 * jit/JITInlines.h:
4322 (JSC::JIT::emitLoadDouble):
4323 * jit/JITPropertyAccess.cpp:
4324 (JSC::JIT::emitFloatTypedArrayGetByVal):
4325 * jit/ThunkGenerators.cpp:
4326 (JSC::floorThunkGenerator):
4327 (JSC::roundThunkGenerator):
4328 (JSC::powThunkGenerator):
4329
43302014-05-12 Andreas Kling <akling@apple.com>
4331
4332 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
4333 <https://webkit.org/b/132828>
4334 <rdar://problem/16886285>
4335
4336 Reviewed by Michael Saboff.
4337
4338 * runtime/JSObject.cpp:
4339 (JSC::JSObject::visitButterfly):
4340 (JSC::JSObject::visitChildren):
4341
4342 Use JSCell::structure(VM&) to reduce the number of hoops we jump
4343 through to find Structures during marking.
4344
43452014-05-12 László Langó <llango.u-szeged@partner.samsung.com>
4346
4347 [cmake] Add missing FTL source files to the build system.
4348
4349 Reviewed by Csaba Osztrogonác.
4350
4351 * CMakeLists.txt:
4352
43532014-05-09 Joseph Pecoraro <pecoraro@apple.com>
4354
4355 Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
4356 https://bugs.webkit.org/show_bug.cgi?id=132409
4357
4358 Reviewed by Timothy Hatcher.
4359
4360 Proxy applications are applications which hold WebViews for other
4361 applications. The WebProcess (Web Content Service) is a proxy application.
4362 For legacy reasons we were supporting a scenario where proxy applications
4363 could potentially host WebViews for more than one other application. That
4364 was never the case for WebProcess and it is now a scenario we don't need
4365 to worry about supporting.
4366
4367 With this change, a proxy application more naturally only holds WebViews
4368 for a single parent / host application. The proxy process can set the
4369 parent pid / audit_token data on the RemoteInspector singleton, and
4370 that data will be sent on to webinspectord later on to be validated.
4371 In the WebProcess<->UIProcess relationship that information is known
4372 and set immediately. In the Legacy iOS case that information is set
4373 soon after, but not immediately known at the point the WebView is created.
4374
4375 This allows us to simplify the RemoteInspectorDebuggable interface.
4376 We no longer need a pid per-Debuggable.
4377
4378 * inspector/remote/RemoteInspector.h:
4379 * inspector/remote/RemoteInspector.mm:
4380 (Inspector::RemoteInspector::RemoteInspector):
4381 (Inspector::RemoteInspector::setParentProcessInformation):
4382 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
4383 (Inspector::RemoteInspector::listingForDebuggable):
4384 (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
4385 Handle new proxy application setup message, and provide an API
4386 for a proxy application to set the parent process information.
4387
4388 * inspector/remote/RemoteInspectorConstants.h:
4389 New setup and response message for proxy applications to pass
4390 their parent / host application information to webinspectord.
4391
4392 * inspector/remote/RemoteInspectorDebuggable.cpp:
4393 (Inspector::RemoteInspectorDebuggable::info):
4394 * inspector/remote/RemoteInspectorDebuggable.h:
4395 (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
4396 (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
4397 pid per debuggable is no longer needed.
4398
43992014-05-09 Mark Hahnenberg <mhahnenberg@apple.com>
4400
4401 JSDOMWindow should disable property caching after a certain point
4402 https://bugs.webkit.org/show_bug.cgi?id=132751
4403
4404 Reviewed by Filip Pizlo.
4405
4406 This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
4407 hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
4408 that it has provided a cacheable value.
4409
4410 * runtime/PropertySlot.h:
4411 (JSC::PropertySlot::PropertySlot):
4412 (JSC::PropertySlot::isCacheable):
4413 (JSC::PropertySlot::disableCaching):
4414
44152014-05-09 Andreas Kling <akling@apple.com>
4416
4417 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
4418 <https://webkit.org/b/132749>
4419
4420 Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
4421 in Object.prototype.* by using JSString::toIdentifier() in the cases where
4422 we are converting JSString -> String -> Identifier.
4423
4424 This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
4425 "The Great HTML5 Gaming Performance Test: 2014 edition"
4426 <http://www.scirra.com/demos/c2/sbperftest/>
4427
4428 Reviewed by Oliver Hunt.
4429
4430 * runtime/ObjectPrototype.cpp:
4431 (JSC::objectProtoFuncHasOwnProperty):
4432 (JSC::objectProtoFuncDefineGetter):
4433 (JSC::objectProtoFuncDefineSetter):
4434 (JSC::objectProtoFuncLookupGetter):
4435 (JSC::objectProtoFuncLookupSetter):
4436
44372014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
4438
4439 JSDOMWindow should have a WatchpointSet to fire on window close
4440 https://bugs.webkit.org/show_bug.cgi?id=132721
4441
4442 Reviewed by Filip Pizlo.
4443
4444 This patch allows us to reset the inline caches that assumed they could skip
4445 the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
4446 been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
4447
4448 PropertySlot now accepts a WatchpointSet which the inline cache code can look for
4449 to see if it should create a new Watchpoint for that particular inline cache site.
4450
4451 * bytecode/Watchpoint.h:
4452 * jit/Repatch.cpp:
4453 (JSC::generateByIdStub):
4454 (JSC::tryBuildGetByIDList):
4455 (JSC::tryCachePutByID):
4456 (JSC::tryBuildPutByIdList):
4457 * runtime/PropertySlot.h:
4458 (JSC::PropertySlot::PropertySlot):
4459 (JSC::PropertySlot::watchpointSet):
4460 (JSC::PropertySlot::setWatchpointSet):
4461
44622014-05-09 Tanay C <tanay.c@samsung.com>
4463
4464 Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
4465 https://bugs.webkit.org/show_bug.cgi?id=132331
4466
4467 Reviewed by Darin Adler.
4468
4469 * dfg/DFGFixupPhase.cpp:
4470 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
4471
44722014-05-09 peavo@outlook.com <peavo@outlook.com>
4473
4474 [Win] Crash when enabling DFG JIT.
4475 https://bugs.webkit.org/show_bug.cgi?id=132683
4476
4477 Reviewed by Geoffrey Garen.
4478
4479 On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
4480 results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
4481 where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
4482 This causes the register to be written to address 0, hence the crash.
4483
4484 * dfg/DFGOSRExitCompiler32_64.cpp:
4485 (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
4486 * dfg/DFGOSRExitCompiler64.cpp:
4487 (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
4488
44892014-05-09 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
4490
4491 REGRESSION(r167094): JSC crashes on ARM Traditional
4492 https://bugs.webkit.org/show_bug.cgi?id=132738
4493
4494 Reviewed by Zoltan Herczeg.
4495
4496 PC is two instructions ahead of the current instruction
4497 on ARM Traditional, so the distance is 8 bytes not 2.
4498
4499 * llint/LowLevelInterpreter.asm:
4500
45012014-05-09 Alberto Garcia <berto@igalia.com>
4502
4503 jsmin.py license header confusing, mentions non-free license
4504 https://bugs.webkit.org/show_bug.cgi?id=123665
4505
4506 Reviewed by Darin Adler.
4507
4508 Pull the most recent version from upstream, which has a clear
4509 license.
4510
4511 * inspector/scripts/jsmin.py:
4512
45132014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
4514
4515 Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
4516 https://bugs.webkit.org/show_bug.cgi?id=132695
4517
4518 Reviewed by Filip Pizlo.
4519
4520 We check in the case where we're accessing something other than the base object (e.g. the prototype),
4521 but we fail to do so for the base object.
4522
4523 * jit/Repatch.cpp:
4524 (JSC::tryCacheGetByID):
4525 (JSC::tryBuildGetByIDList):
4526 * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
4527 because all of the values that are returned that could be impure are set to uncacheable anyways.
4528 (WTF::ImpureGetter::ImpureGetter):
4529 (WTF::ImpureGetter::createStructure):
4530 (WTF::ImpureGetter::create):
4531 (WTF::ImpureGetter::finishCreation):
4532 (WTF::ImpureGetter::getOwnPropertySlot):
4533 (WTF::ImpureGetter::visitChildren):
4534 (WTF::ImpureGetter::setDelegate):
4535 (GlobalObject::finishCreation):
4536 (functionCreateImpureGetter):
4537 (functionSetImpureGetterDelegate):
4538 * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
4539 (foo):
4540
45412014-05-08 Filip Pizlo <fpizlo@apple.com>
4542
4543 deleteAllCompiledCode() shouldn't use the suspension worklist
4544 https://bugs.webkit.org/show_bug.cgi?id=132708
4545
4546 Reviewed by Mark Hahnenberg.
4547
4548 * bytecode/CodeBlock.cpp:
4549 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
4550 * dfg/DFGPlan.cpp:
4551 (JSC::DFG::Plan::isStillValid):
4552 * heap/Heap.cpp:
4553 (JSC::Heap::deleteAllCompiledCode):
4554
45552014-05-08 Filip Pizlo <fpizlo@apple.com>
4556
4557 SSA conversion should delete PhantomLocals for captured variables
4558 https://bugs.webkit.org/show_bug.cgi?id=132693
4559
4560 Reviewed by Mark Hahnenberg.
4561
4562 * dfg/DFGCommon.cpp:
4563 (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
4564 * dfg/DFGCommon.h:
4565 * dfg/DFGFixupPhase.cpp:
4566 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
4567 * dfg/DFGLivenessAnalysisPhase.cpp:
4568 (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
4569 * dfg/DFGSSAConversionPhase.cpp:
4570 (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
4571 * dfg/DFGValidate.cpp: Use the workaround.
4572 * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
4573 (foo):
4574 (bar):
4575
45762014-05-07 Commit Queue <commit-queue@webkit.org>
4577
4578 Unreviewed, rolling out r168451.
4579 https://bugs.webkit.org/show_bug.cgi?id=132670
4580
4581 Not a speed-up, just do what other compilers do. (Requested by
4582 kling on #webkit).
4583
4584 Reverted changeset:
4585
4586 "[X86] Emit BT instruction for single-bit tests."
4587 https://bugs.webkit.org/show_bug.cgi?id=132650
4588 http://trac.webkit.org/changeset/168451
4589
45902014-05-07 Filip Pizlo <fpizlo@apple.com>
4591
4592 Make Executable::clearCode() actually clear all of the entrypoints, and
4593 clean up some other FTL-related calling convention stuff.
4594 <rdar://problem/16720172>
4595
4596 Rubber stamped by Mark Hahnenberg.
4597
4598 * dfg/DFGOperations.cpp:
4599 * dfg/DFGOperations.h:
4600 * dfg/DFGWorklist.cpp:
4601 (JSC::DFG::Worklist::Worklist):
4602 (JSC::DFG::Worklist::finishCreation):
4603 (JSC::DFG::Worklist::create):
4604 (JSC::DFG::ensureGlobalDFGWorklist):
4605 (JSC::DFG::ensureGlobalFTLWorklist):
4606 * dfg/DFGWorklist.h:
4607 * heap/CodeBlockSet.cpp:
4608 (JSC::CodeBlockSet::dump):
4609 * heap/CodeBlockSet.h:
4610 * runtime/Executable.cpp:
4611 (JSC::ExecutableBase::clearCode):
4612
46132014-05-07 Andreas Kling <akling@apple.com>
4614
4615 [X86] Emit BT instruction for single-bit tests.
4616 <https://webkit.org/b/132650>
4617
4618 Implement test-bit-and-branch slightly more efficiently by using
4619 BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
4620 a single bit.
4621
4622 Reviewed by Michael Saboff.
4623
4624 * assembler/MacroAssemblerX86Common.h:
4625 (JSC::MacroAssemblerX86Common::singleBitIndex):
4626 (JSC::MacroAssemblerX86Common::branchTest32):
4627 * assembler/X86Assembler.h:
4628 (JSC::X86Assembler::bt_i8r):
4629 (JSC::X86Assembler::bt_i8m):
4630
46312014-05-07 Mark Lam <mark.lam@apple.com>
4632
4633 REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
4634 <https://webkit.org/b/131356>
4635
4636 Reviewed by Geoffrey Garen.
4637
4638 The issue is that GC needs to be made aware of writes to m_inferredValue
4639 in the VariableWatchpointSet, but was not. As a result, if a JSCell*
4640 is written to a VariableWatchpointSet m_inferredValue, and that JSCell
4641 does not survive an eden GC shortly after, we will end up with a stale
4642 JSCell pointer left in the m_inferredValue.
4643
4644 This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
4645 using DumpRenderTree with the VM heap in zombie mode.
4646
4647 The fix is to change VariableWatchpointSet m_inferredValue to type
4648 WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
4649 is executed by all the execution engines so that the WriteBarrier semantics
4650 are honored.
4651
4652 We still check if the value to be written is the same as the one in the
4653 inferredValue. We'll by-pass calling the slow path notifyWrite() if the
4654 values are the same.
4655
4656 * JavaScriptCore.xcodeproj/project.pbxproj:
4657 * bytecode/CodeBlock.cpp:
4658 (JSC::CodeBlock::CodeBlock):
4659 - need to pass the symbolTable to prepareToWatch() because it will be needed
4660 for instantiating the VariableWatchpointSet in prepareToWatch().
4661
4662 * bytecode/VariableWatchpointSet.h:
4663 (JSC::VariableWatchpointSet::VariableWatchpointSet):
4664 - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
4665 write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
4666 (JSC::VariableWatchpointSet::inferredValue):
4667 (JSC::VariableWatchpointSet::invalidate):
4668 (JSC::VariableWatchpointSet::finalizeUnconditionally):
4669 (JSC::VariableWatchpointSet::addressOfInferredValue):
4670 (JSC::VariableWatchpointSet::notifyWrite): Deleted.
4671 * bytecode/VariableWatchpointSetInlines.h: Added.
4672 (JSC::VariableWatchpointSet::notifyWrite):
4673
4674 * dfg/DFGByteCodeParser.cpp:
4675 (JSC::DFG::ByteCodeParser::cellConstant):
4676 - Added an assert in case we try to make constants of zombified JSCells again.
4677
4678 * dfg/DFGOperations.cpp:
4679 * dfg/DFGOperations.h:
4680 * dfg/DFGSpeculativeJIT.h:
4681 (JSC::DFG::SpeculativeJIT::callOperation):
4682 * dfg/DFGSpeculativeJIT32_64.cpp:
4683 (JSC::DFG::SpeculativeJIT::compile):
4684 * dfg/DFGSpeculativeJIT64.cpp:
4685 (JSC::DFG::SpeculativeJIT::compile):
4686 - We now let the slow path handle the cases when the VariableWatchpointSet is
4687 in state ClearWatchpoint and IsWatched, and the slow path will ensure that
4688 we handle the needed write barrier semantics correctly.
4689 We will by-pass the slow path if the value being written is the same as the
4690 inferred value.
4691
4692 * ftl/FTLIntrinsicRepository.h:
4693 * ftl/FTLLowerDFGToLLVM.cpp:
4694 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
4695 - Let the slow path handle the cases when the VariableWatchpointSet is
4696 in state ClearWatchpoint and IsWatched.
4697 We will by-pass the slow path if the value being written is the same as the
4698 inferred value.
4699
4700 * heap/Heap.cpp:
4701 (JSC::Zombify::operator()):
4702 - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
4703 which is used everywhere else).
4704 * heap/Heap.h:
4705 (JSC::Heap::isZombified):
4706 - Provide a convenience test function to check if JSCells are zombified. This is
4707 currently only used in an assertion in the DFG bytecode parser, but the intent
4708 is that we'll apply this test in other strategic places later to help with early
4709 detection of usage of GC'ed objects when we run in zombie mode.
4710
4711 * jit/JITOpcodes.cpp:
4712 (JSC::JIT::emitSlow_op_captured_mov):
4713 * jit/JITOperations.h:
4714 * jit/JITPropertyAccess.cpp:
4715 (JSC::JIT::emitNotifyWrite):
4716 * jit/JITPropertyAccess32_64.cpp:
4717 (JSC::JIT::emitNotifyWrite):
4718 (JSC::JIT::emitSlow_op_put_to_scope):
4719 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
4720 is in state ClearWatchpoint and IsWatched.
4721 We will by-pass the slow path if the value being written is the same as the
4722 inferred value.
4723
4724 * llint/LowLevelInterpreter32_64.asm:
4725 * llint/LowLevelInterpreter64.asm:
4726 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
4727 is in state ClearWatchpoint and IsWatched.
4728 We will by-pass the slow path if the value being written is the same as the
4729 inferred value.
4730
4731 * runtime/CommonSlowPaths.cpp:
4732
4733 * runtime/JSCJSValue.h: Fixed some typos in the comments.
4734 * runtime/JSGlobalObject.cpp:
4735 (JSC::JSGlobalObject::addGlobalVar):
4736 (JSC::JSGlobalObject::addFunction):
4737 * runtime/JSSymbolTableObject.h:
4738 (JSC::symbolTablePut):
4739 (JSC::symbolTablePutWithAttributes):
4740 * runtime/SymbolTable.cpp:
4741 (JSC::SymbolTableEntry::prepareToWatch):
4742 (JSC::SymbolTableEntry::notifyWriteSlow):
4743 * runtime/SymbolTable.h:
4744 (JSC::SymbolTableEntry::notifyWrite):
4745
47462014-05-06 Michael Saboff <msaboff@apple.com>
4747
4748 Unreviewed build fix for C-LOOP after r168396.
4749
4750 * runtime/TestRunnerUtils.cpp:
4751 (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
4752
47532014-05-06 Michael Saboff <msaboff@apple.com>
4754
4755 Add test for deleteAllCompiledCode
4756 https://bugs.webkit.org/show_bug.cgi?id=132632
4757
4758 Reviewed by Phil Pizlo.
4759
4760 Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
4761 the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
4762 to write a test that will queue up loads of DFG compiles and then call
4763 Heap::deleteAllCompiledCode() to make sure that it can handle compiled
4764 code as well as code being compiled.
4765
4766 * jsc.cpp:
4767 (GlobalObject::finishCreation):
4768 (functionDeleteAllCompiledCode):
4769 (functionOptimizeNextInvocation):
4770 * runtime/TestRunnerUtils.cpp:
4771 (JSC::optimizeNextInvocation):
4772 * runtime/TestRunnerUtils.h:
4773 * tests/stress/deleteAllCompiledCode.js: Added.
4774 (functionList):
4775 (runTest):
4776
47772014-05-06 Andreas Kling <akling@apple.com>
4778
4779 JSString::toAtomicString() should return AtomicString.
4780 <https://webkit.org/b/132627>
4781
4782 Remove premature optimization where I was trying to avoid refcount
4783 churn when returning an already atomicized String.
4784
4785 Instead of using reinterpret_cast to mangle the String member into
4786 a const AtomicString& return value, just return AtomicString.
4787
4788 Reviewed by Geoff Garen.
4789
4790 * runtime/JSString.h:
4791 (JSC::JSString::toAtomicString):
4792
47932014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>
4794
4795 Roll out r167889
4796
4797 Rubber stamped by Geoff Garen.
4798
4799 It broke some websites.
4800
4801 * runtime/JSPropertyNameIterator.cpp:
4802 (JSC::JSPropertyNameIterator::create):
4803 * runtime/PropertyMapHashTable.h:
4804 (JSC::PropertyTable::hasDeletedOffset):
4805 (JSC::PropertyTable::hadDeletedOffset): Deleted.
4806 * runtime/Structure.cpp:
4807 (JSC::Structure::Structure):
4808 (JSC::Structure::materializePropertyMap):
4809 (JSC::Structure::removePropertyTransition):
4810 (JSC::Structure::changePrototypeTransition):
4811 (JSC::Structure::despecifyFunctionTransition):
4812 (JSC::Structure::attributeChangeTransition):
4813 (JSC::Structure::toDictionaryTransition):
4814 (JSC::Structure::preventExtensionsTransition):
4815 (JSC::Structure::addPropertyWithoutTransition):
4816 (JSC::Structure::removePropertyWithoutTransition):
4817 (JSC::Structure::pin):
4818 (JSC::Structure::pinAndPreventTransitions): Deleted.
4819 * runtime/Structure.h:
4820 * runtime/StructureInlines.h:
4821 (JSC::Structure::setEnumerationCache):
4822 (JSC::Structure::propertyTable):
4823 (JSC::Structure::checkOffsetConsistency):
4824 (JSC::Structure::hadDeletedOffsets): Deleted.
4825 * tests/stress/for-in-after-delete.js:
4826 (foo): Deleted.
4827
48282014-05-05 Andreas Kling <akling@apple.com>
4829
4830 Fix debug build.
4831
4832 * runtime/JSCellInlines.h:
4833 (JSC::JSCell::fastGetOwnProperty):
4834
48352014-05-05 Andreas Kling <akling@apple.com>
4836
4837 Optimize GetByVal when subscript is a rope string.
4838 <https://webkit.org/b/132590>
4839
4840 Use JSString::toIdentifier() in the various GetByVal implementations
4841 to try and avoid allocating extra strings.
4842
4843 Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
4844 in that, to avoid calling JSString::value() which always resolves ropes
4845 into new strings and de-optimizes subsequent toIdentifier() calls.
4846
4847 My iMac says ~9% progression on Dromaeo/dom-attr.html
4848
4849 Reviewed by Phil Pizlo.
4850
4851 * dfg/DFGOperations.cpp:
4852 * jit/JITOperations.cpp:
4853 (JSC::getByVal):
4854 * llint/LLIntSlowPaths.cpp:
4855 (JSC::LLInt::getByVal):
4856 * runtime/JSCell.h:
4857 * runtime/JSCellInlines.h:
4858 (JSC::JSCell::fastGetOwnProperty):
4859 (JSC::JSCell::canUseFastGetOwnProperty):
4860
48612014-05-05 Andreas Kling <akling@apple.com>
4862
4863 REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
4864 <https://webkit.org/b/168256>
4865 <rdar://problem/16816316>
4866
4867 Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
4868 clear the fibers. The caller takes care of this.
4869
4870 Test: fast/dom/getElementById-with-rope-string-arg.html
4871
4872 Reviewed by Geoffrey Garen.
4873
4874 * runtime/JSString.cpp:
4875 (JSC::JSRopeString::resolveRopeSlowCase8):
4876
48772014-05-05 Michael Saboff <msaboff@apple.com>
4878
4879 REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
4880 https://bugs.webkit.org/show_bug.cgi?id=132581
4881
4882 Reviewed by Filip Pizlo.
4883
4884 * dfg/DFGPlan.cpp:
4885 (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
4886 started compiling for is still the same at the end of compilation.
4887 Also did some minor restructuring.
4888
48892014-05-05 Andreas Kling <akling@apple.com>
4890
4891 Optimize PutByVal when subscript is a rope string.
4892 <https://webkit.org/b/132572>
4893
4894 Add a JSString::toIdentifier() that is smarter when the JSString is
4895 really a rope string. Use this in baseline & DFG's PutByVal to avoid
4896 allocating new StringImpls that we immediately deduplicate anyway.
4897
4898 Reviewed by Antti Koivisto.
4899
4900 * dfg/DFGOperations.cpp:
4901 (JSC::DFG::operationPutByValInternal):
4902 * jit/JITOperations.cpp:
4903 * runtime/JSString.h:
4904 (JSC::JSString::toIdentifier):
4905
49062014-05-05 Andreas Kling <akling@apple.com>
4907
4908 Remove two now-incorrect assertions after r168256.
4909
4910 * runtime/JSString.cpp:
4911 (JSC::JSRopeString::resolveRopeSlowCase8):
4912 (JSC::JSRopeString::resolveRopeSlowCase):
4913
49142014-05-04 Andreas Kling <akling@apple.com>
4915
4916 Optimize JSRopeString for resolving directly to AtomicString.
4917 <https://webkit.org/b/132548>
4918
4919 If we know that the JSRopeString we are resolving is going to be used
4920 as an AtomicString, we can try to avoid creating a new string.
4921
4922 We do this by first resolving the rope into a stack buffer, and using
4923 that buffer as a key into the AtomicString table. If there is already
4924 an AtomicString with the same characters, we reuse that instead of
4925 constructing a new StringImpl.
4926
4927 JSString gains these two public functions:
4928
4929 - AtomicString toAtomicString()
4930
4931 Returns an AtomicString, tries to avoid allocating a new string
4932 if possible.
4933
4934 - AtomicStringImpl* toExistingAtomicString()
4935
4936 Returns a non-null AtomicStringImpl* if one already exists in the
4937 AtomicString table. If none is found, the rope is left unresolved.
4938
4939 Reviewed by Filip Pizlo.
4940
4941 * runtime/JSString.cpp:
4942 (JSC::JSRopeString::resolveRopeInternal8):
4943 (JSC::JSRopeString::resolveRopeInternal16):
4944 (JSC::JSRopeString::resolveRopeToAtomicString):
4945 (JSC::JSRopeString::clearFibers):
4946 (JSC::JSRopeString::resolveRopeToExistingAtomicString):
4947 (JSC::JSRopeString::resolveRope):
4948 (JSC::JSRopeString::outOfMemory):
4949 * runtime/JSString.h:
4950 (JSC::JSString::toAtomicString):
4951 (JSC::JSString::toExistingAtomicString):
4952
49532014-05-04 Andreas Kling <akling@apple.com>
4954
4955 Unreviewed, rolling out r168254.
4956
4957 Very crashy on debug JSC tests.
4958
4959 Reverted changeset:
4960
4961 "jsSubstring() should be lazy"
4962 https://bugs.webkit.org/show_bug.cgi?id=132556
4963 http://trac.webkit.org/changeset/168254
4964
49652014-05-04 Filip Pizlo <fpizlo@apple.com>
4966
4967 jsSubstring() should be lazy
4968 https://bugs.webkit.org/show_bug.cgi?id=132556
4969
4970 Reviewed by Andreas Kling.
4971
4972 jsSubstring() is now lazy by using a special rope that is a substring instead of a
4973 concatenation. To make this patch super simple, we require that a substring's base is
4974 never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
4975 path, or we go down a concatenation path which may see exactly one level of substrings in
4976 its fibers.
4977
4978 This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
4979
4980 * heap/MarkedBlock.cpp:
4981 (JSC::MarkedBlock::specializedSweep):
4982 * runtime/JSString.cpp:
4983 (JSC::JSRopeString::visitFibers):
4984 (JSC::JSRopeString::resolveRope):
4985 (JSC::JSRopeString::resolveRopeSlowCase8):
4986 (JSC::JSRopeString::resolveRopeSlowCase):
4987 (JSC::JSRopeString::outOfMemory):
4988 * runtime/JSString.h:
4989 (JSC::JSRopeString::finishCreation):
4990 (JSC::JSRopeString::append):
4991 (JSC::JSRopeString::create):
4992 (JSC::JSRopeString::offsetOfFibers):
4993 (JSC::JSRopeString::fiber):
4994 (JSC::JSRopeString::substringBase):
4995 (JSC::JSRopeString::substringOffset):
4996 (JSC::JSRopeString::substringSentinel):
4997 (JSC::JSRopeString::isSubstring):
4998 (JSC::jsSubstring):
4999 * runtime/RegExpMatchesArray.cpp:
5000 (JSC::RegExpMatchesArray::reifyAllProperties):
5001 * runtime/StringPrototype.cpp:
5002 (JSC::stringProtoFuncSubstring):
5003
50042014-05-02 Michael Saboff <msaboff@apple.com>
5005
5006 "arm64 function not 4-byte aligned" warnings when building JSC
5007 https://bugs.webkit.org/show_bug.cgi?id=132495
5008
5009 Reviewed by Geoffrey Garen.
5010
5011 Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
5012
5013 * llint/LowLevelInterpreter.cpp:
5014
50152014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>
5016
5017 Fix cloop build after r168178
5018
5019 * bytecode/CodeBlock.cpp:
5020
50212014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>
5022
5023 Add a DFG function whitelist
5024 https://bugs.webkit.org/show_bug.cgi?id=132437
5025
5026 Reviewed by Geoffrey Garen.
5027
5028 Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
5029 particular DFG block that's causing issues. This patch adds the ability to whitelist
5030 specific functions specified in a file to enable further filtering without having to recompile.
5031
5032 * CMakeLists.txt:
5033 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5034 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5035 * JavaScriptCore.xcodeproj/project.pbxproj:
5036 * dfg/DFGCapabilities.cpp:
5037 (JSC::DFG::isSupported):
5038 (JSC::DFG::mightInlineFunctionForCall):
5039 (JSC::DFG::mightInlineFunctionForClosureCall):
5040 (JSC::DFG::mightInlineFunctionForConstruct):
5041 * dfg/DFGFunctionWhitelist.cpp: Added.
5042 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
5043 (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
5044 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
5045 (JSC::DFG::FunctionWhitelist::contains):
5046 * dfg/DFGFunctionWhitelist.h: Added.
5047 * runtime/Options.cpp:
5048 (JSC::parse):
5049 (JSC::Options::dumpOption):
5050 * runtime/Options.h:
5051
50522014-05-02 Filip Pizlo <fpizlo@apple.com>
5053
5054 DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
5055 https://bugs.webkit.org/show_bug.cgi?id=132446
5056
5057 Reviewed by Mark Hahnenberg.
5058
5059 Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
5060 our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
5061 to indicate a bound on the value. This is useful for knowing, for example, that
5062 Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
5063 ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
5064 But this means that all arithmetic operations must be careful to note that they may
5065 turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
5066
5067 * dfg/DFGAbstractInterpreterInlines.h:
5068 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5069 * dfg/DFGByteCodeParser.cpp:
5070 (JSC::DFG::ByteCodeParser::makeSafe):
5071 * tests/stress/int52-ai-add-then-filter-int32.js: Added.
5072 (foo):
5073 * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
5074 (foo):
5075 * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
5076 (foo):
5077 * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
5078 (foo):
5079 * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
5080 (foo):
5081 * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
5082 (foo):
5083
50842014-05-01 Geoffrey Garen <ggaren@apple.com>
5085
5086 JavaScriptCore fails to build with some versions of clang
5087 https://bugs.webkit.org/show_bug.cgi?id=132436
5088
5089 Reviewed by Anders Carlsson.
5090
5091 * runtime/ArgumentsIteratorConstructor.cpp: Since we call
5092 putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
5093 and both are marked inline, it's valid for the compiler to decide
5094 to inline both and emit neither in the binary. Therefore, we need
5095 both inline definitions to be available in the translation unit at
5096 compile time, or we'll try to link against a function that doesn't exist.
5097
50982014-05-01 Commit Queue <commit-queue@webkit.org>
5099
5100 Unreviewed, rolling out r167964.
5101 https://bugs.webkit.org/show_bug.cgi?id=132431
5102
5103 Memory improvements should not regress memory usage (Requested
5104 by olliej on #webkit).
5105
5106 Reverted changeset:
5107
5108 "Don't hold on to parameter BindingNodes forever"
5109 https://bugs.webkit.org/show_bug.cgi?id=132360
5110 http://trac.webkit.org/changeset/167964
5111
51122014-05-01 Filip Pizlo <fpizlo@apple.com>
5113
5114 Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
5115 https://bugs.webkit.org/show_bug.cgi?id=132427
5116
5117 Reviewed by Mark Hahnenberg.
5118
5119 * bytecode/CallLinkStatus.cpp:
5120 (JSC::CallLinkStatus::computeFor):
5121
51222014-04-30 Simon Fraser <simon.fraser@apple.com>
5123
5124 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
5125 https://bugs.webkit.org/show_bug.cgi?id=132396
5126
5127 Reviewed by Eric Carlson.
5128
5129 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
5130
5131 * Configurations/FeatureDefines.xcconfig:
5132
51332014-04-30 Filip Pizlo <fpizlo@apple.com>
5134
5135 Argument flush formats should not be presumed to be JSValue since 'this' is weird
5136 https://bugs.webkit.org/show_bug.cgi?id=132404
5137
5138 Reviewed by Michael Saboff.
5139
5140 * dfg/DFGSpeculativeJIT.cpp:
5141 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
5142 * dfg/DFGSpeculativeJIT32_64.cpp:
5143 (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
5144 * dfg/DFGSpeculativeJIT64.cpp:
5145 (JSC::DFG::SpeculativeJIT::compile): Ditto.
5146 * dfg/DFGValueSource.cpp:
5147 (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
5148 * dfg/DFGValueSource.h:
5149 (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
5150 * ftl/FTLOSREntry.cpp:
5151 (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
5152 * tests/stress/strict-to-this-int.js: Added.
5153 (foo):
5154 (Number.prototype.valueOf):
5155 (test):
5156
51572014-04-29 Oliver Hunt <oliver@apple.com>
5158
5159 Don't hold on to parameterBindingNodes forever
5160 https://bugs.webkit.org/show_bug.cgi?id=132360
5161
5162 Reviewed by Geoffrey Garen.
5163
5164 Don't keep the parameter nodes anymore. Instead we store the
5165 original parameter string and reparse whenever we actually
5166 need them. Because we only actually need them for compilation
5167 this only results in a single extra parse.
5168
5169 * bytecode/UnlinkedCodeBlock.cpp:
5170 (JSC::generateFunctionCodeBlock):
5171 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
5172 (JSC::UnlinkedFunctionExecutable::visitChildren):
5173 (JSC::UnlinkedFunctionExecutable::finishCreation):
5174 (JSC::UnlinkedFunctionExecutable::paramString):
5175 (JSC::UnlinkedFunctionExecutable::parameters):
5176 (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
5177 * bytecode/UnlinkedCodeBlock.h:
5178 (JSC::UnlinkedFunctionExecutable::create):
5179 (JSC::UnlinkedFunctionExecutable::parameterCount):
5180 (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
5181 (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
5182 * parser/ASTBuilder.h:
5183 (JSC::ASTBuilder::ASTBuilder):
5184 (JSC::ASTBuilder::setFunctionBodyParameters):
5185 * parser/Nodes.h:
5186 (JSC::FunctionBodyNode::parametersStartOffset):
5187 (JSC::FunctionBodyNode::parametersEndOffset):
5188 (JSC::FunctionBodyNode::setParameterLocation):
5189 * parser/Parser.cpp:
5190 (JSC::Parser<LexerType>::parseFunctionInfo):
5191 (JSC::parseParameters):
5192 * parser/Parser.h:
5193 (JSC::parse):
5194 * parser/SourceCode.h:
5195 (JSC::SourceCode::subExpression):
5196 * parser/SyntaxChecker.h:
5197 (JSC::SyntaxChecker::setFunctionBodyParameters):
5198
51992014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
5200
5201 JSProxies should be cacheable
5202 https://bugs.webkit.org/show_bug.cgi?id=132351
5203
5204 Reviewed by Geoffrey Garen.
5205
5206 Whenever we encounter a proxy in an inline cache we should try to cache on the
5207 proxy's target instead of giving up.
5208
5209 This patch adds support for a simple "recursive" inline cache if the base object
5210 we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
5211 are the only ones to benefit from this right now.
5212
5213 This is performance neutral on the benchmarks we track. Currently we won't
5214 cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
5215
5216 * jit/Repatch.cpp:
5217 (JSC::generateByIdStub):
5218 (JSC::tryBuildGetByIDList):
5219 (JSC::tryCachePutByID):
5220 (JSC::tryBuildPutByIdList):
5221 * jsc.cpp:
5222 (GlobalObject::finishCreation):
5223 (functionCreateProxy):
5224 * runtime/IntendedStructureChain.cpp:
5225 (JSC::IntendedStructureChain::isNormalized):
5226 * runtime/JSCellInlines.h:
5227 (JSC::JSCell::isProxy):
5228 * runtime/JSGlobalObject.h:
5229 (JSC::JSGlobalObject::finishCreation):
5230 * runtime/JSProxy.h:
5231 (JSC::JSProxy::createStructure):
5232 (JSC::JSProxy::targetOffset):
5233 * runtime/JSType.h:
5234 * runtime/Operations.h:
5235 (JSC::isPrototypeChainNormalized):
5236 * runtime/Structure.h:
5237 (JSC::Structure::isProxy):
5238 * tests/stress/proxy-inline-cache.js: Added.
5239 (cacheOnTarget.getX):
5240 (cacheOnTarget):
5241 (cacheOnPrototypeOfTarget.getX):
5242 (cacheOnPrototypeOfTarget):
5243 (dontCacheOnProxyInPrototypeChain.getX):
5244 (dontCacheOnProxyInPrototypeChain):
5245 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
5246 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
5247
52482014-04-29 Filip Pizlo <fpizlo@apple.com>
5249
5250 Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
5251 https://bugs.webkit.org/show_bug.cgi?id=112840
5252
5253 Rubber stamped by Geoffrey Garen.
5254
5255 * Configurations/FeatureDefines.xcconfig:
5256
52572014-04-29 Geoffrey Garen <ggaren@apple.com>
5258
5259 String.prototype.trim removes U+200B from strings.
5260 https://bugs.webkit.org/show_bug.cgi?id=130184
5261
5262 Reviewed by Michael Saboff.
5263
5264 * runtime/StringPrototype.cpp:
5265 (JSC::trimString):
5266 (JSC::isTrimWhitespace): Deleted.
5267
52682014-04-29 Mark Lam <mark.lam@apple.com>
5269
5270 Zombifying sweep should ignore retired blocks.
5271 <https://webkit.org/b/132344>
5272
5273 Reviewed by Mark Hahnenberg.
5274
5275 By definition, retired blocks do not have "dead" objects, or at least
5276 none that we know of yet until the next marking phase has been run
5277 over it. So, we should not be sweeping them (even for zombie mode).
5278
5279 * heap/Heap.cpp:
5280 (JSC::Heap::zombifyDeadObjects):
5281 * heap/MarkedSpace.cpp:
5282 (JSC::MarkedSpace::zombifySweep):
5283 * heap/MarkedSpace.h:
5284 (JSC::ZombifySweep::operator()):
5285
52862014-04-29 Mark Lam <mark.lam@apple.com>
5287
5288 Fix bit rot in zombie mode heap code.
5289 <https://webkit.org/b/132342>
5290
5291 Reviewed by Mark Hahnenberg.
5292
5293 Need to enter a DelayedReleaseScope before doing a sweep.
5294
5295 * heap/Heap.cpp:
5296 (JSC::Heap::zombifyDeadObjects):
5297
2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need a
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28  Filip Pizlo  <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.

        5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27  Filip Pizlo  <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.

        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow, you have a high chance of large numbers of
        structures being pinned during any GC since the compilation queue is likely to be full
        of random stuff.

        This comprehensively fixes this issue by allowing the GC to remove compilation plans
        if the things they depend on are dead, and to even cancel safepointed compilations.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraphSafepoint.cpp:
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        * dfg/DFGGraphSafepoint.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyCompiled):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::visitChildren): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Result::~Result):
        (JSC::DFG::Safepoint::Result::didGetCancelled):
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
        (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::visitChildren): Deleted.
        * dfg/DFGSafepoint.h:
        (JSC::DFG::Safepoint::Result::Result):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::visitChildren): Deleted.
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::collect):
        (JSC::Heap::visitCompilerWorklists): Deleted.
        * heap/Heap.h:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Oliver Hunt.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
        iterating properties because we're required to iterate properties in insertion order.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::hadDeletedOffsets):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
        * tests/stress/for-in-after-delete.js: Added.
        (foo):

2014-04-25  Andreas Kling  <akling@apple.com>

        Inline (C++) GetByVal with numeric indices more aggressively.
        <https://webkit.org/b/132218>

        We were already inlining the string indexed GetByVal path pretty well,
        while the path for numeric indices got neglected. No more!

        ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

        Before: 199.50 runs/s
        After: 218.58 runs/s

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):

            ALWAYS_INLINE all the things.

        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

            Avoid fetching the Structure more than once. We have the same
            optimization in the string-indexed code path.

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Need earlier cell test
        https://bugs.webkit.org/show_bug.cgi?id=132211

        Reviewed by Mark Lam.

        Move cell test to before the function call repatch
        location, as the repatch logic for 32bit assumes that the
        caller will already have performed a cell check.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2014-04-25  Andreas Kling  <akling@apple.com>

        Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25  Andreas Kling  <akling@apple.com>

        Windows build fix attempt.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25  Mark Lam  <mark.lam@apple.com>

        Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
        <https://webkit.org/b/132201>

        Reviewed by Joseph Pecoraro.

        BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
        BreakpointActions everywhere.

        * inspector/ScriptBreakpoint.h:
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::setBreakpoint):
        (Inspector::ScriptDebugServer::getActionsForBreakpoint):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG worklist scanning should not treat the key as a separate entity
        https://bugs.webkit.org/show_bug.cgi?id=132167

        Reviewed by Mark Hahnenberg.

        This simplifies the interface to the GC and will enable more optimizations.

        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren): Deleted.
        * dfg/DFGCompilationKey.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitChildren):

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Remove unused parameter from codeblock linking function
        https://bugs.webkit.org/show_bug.cgi?id=132199

        Reviewed by Anders Carlsson.

        No change in behaviour. This is just a small change to make it
        slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
        actually mean.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedCodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25  Andreas Kling  <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * builtins/BuiltinExecutables.h:
        * heap/GCThreadSharedData.h:
        * inspector/JSConsoleClient.h:
        * inspector/agents/InspectorAgent.h:
        * runtime/CodeCache.h:
        * runtime/JSGlobalObject.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/WeakGCMap.h:

2014-04-25  Antoine Quint  <graouts@webkit.org>

        Implement Array.prototype.find()
        https://bugs.webkit.org/show_bug.cgi?id=130966

        Reviewed by Oliver Hunt.

        Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):
        * runtime/ArrayPrototype.cpp:

2014-04-24  Brady Eidson  <beidson@apple.com>

        Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
        https://bugs.webkit.org/show_bug.cgi?id=132155

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2014-04-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
        https://bugs.webkit.org/show_bug.cgi?id=132147

        Reviewed by Mark Lam.

        Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        * tests/stress/regress-132147.js: Added test.

2014-04-24  Mark Lam  <mark.lam@apple.com>

        Make slowPathAllocsBetweenGCs a runtime option.
        <https://webkit.org/b/132137>

        Reviewed by Mark Hahnenberg.

        This will make it easier to more casually run tests with this configuration
        as well as to reproduce issues (instead of requiring a code mod and rebuild).
        We will now take --slowPathAllocsBetweenGCs=N where N is the number of
        slow path allocations before we trigger a collection.

        The option defaults to 0, which is reserved to mean that we will not trigger
        any collections there.

        * heap/Heap.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedAllocator.h:
        * runtime/Options.h:

2014-04-23  Mark Lam  <mark.lam@apple.com>

        The GC should only resume compiler threads that it suspended in the same GC pass.
        <https://webkit.org/b/132088>

        Reviewed by Mark Hahnenberg.

        Previously, this scenario can occur:
        1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
           no worklists were created yet at that time.
        2. Thread 2 starts to compile some functions and creates a DFG worklist, and
           acquires the worklist thread's lock.
        3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
           This time, it sees the worklist created by Thread 2 and ends up unlocking
           the worklist thread's lock that is supposedly held by Thread 2.
           Thereafter, chaos ensues.

        The fix is to cache the worklists that were actually suspended by each GC pass,
        and only resume those when the GC is done.

        This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
        the fast/workers layout tests.

        * heap/Heap.cpp:
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
        https://bugs.webkit.org/show_bug.cgi?id=132079

        Reviewed by Michael Saboff.

        Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

        Also added a test that previously triggered this bug.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): D'oh!
        * tests/stress/arguments-copy-register-array-backing-store.js: Added.
        (foo):
        (bar):

2014-04-23  Mark Rowe  <mrowe@apple.com>

        [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
        <https://webkit.org/b/132053>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
        the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
        from /bin/sh since that generates unnecessary output.

2014-04-22  Mark Lam  <mark.lam@apple.com>

        DFG::Worklist should acquire the m_lock before iterating DFG plans.
        <https://webkit.org/b/132032>

        Reviewed by Filip Pizlo.

        Currently, there's a rightToRun mechanism that ensures that no compilation
        threads are running when the GC is iterating through the DFG worklists.
        However, this does not prevent a Worker thread from doing a DFG compilation
        and modifying the plans in the worklists thereby invalidating the plan
        iterator that the GC is using. This patch fixes the issue by acquiring
        the worklist m_lock before iterating the worklist plans.

        This issue was uncovered by running the fast/workers layout tests with
        COLLECT_ON_EVERY_ALLOCATION enabled.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::visitChildren):

2014-04-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Support Python 2.7 in Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=132023

        Reviewed by Michael Saboff.

        * DerivedSources.make: Use a conditional variable to define
        the path to Python/Perl.

2014-04-22  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        [Win] Unreviewed build fix after my r167666.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Added ../../../ again to include headers in Source/JavaScriptCore.

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        Removed old stdbool and inttypes headers.
        https://bugs.webkit.org/show_bug.cgi?id=131966

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Removed references to os-win32 directory.
        * os-win32: Removed.
        * os-win32/inttypes.h: Removed.
        * os-win32/stdbool.h: Removed.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
        https://bugs.webkit.org/show_bug.cgi?id=131971
        <rdar://problem/16676511>

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Switch statements that skip the baseline JIT should work
        https://bugs.webkit.org/show_bug.cgi?id=131965

        Reviewed by Mark Hahnenberg.

        * bytecode/JumpTable.h:
        (JSC::SimpleJumpTable::ensureCTITable):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * tests/stress/inline-llint-with-switch.js: Added.
        (foo):
        (bar):
        (test):

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments objects shouldn't need a destructor
        https://bugs.webkit.org/show_bug.cgi?id=131899

        Reviewed by Oliver Hunt.

        This patch rids Arguments objects of their destructors. It does this by
        switching their backing stores to use CopiedSpace rather than malloc memory.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
        Arguments allocation so that it only emits an extra write for strict mode code rather
        than unconditionally.
        * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
        (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
        (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        (JSC::Arguments::allocateRegisterArray):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
        * runtime/Arguments.h:
        (JSC::Arguments::registerArraySizeInBytes):
        (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
        in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
        allocation.
        (JSC::Arguments::SlowArgumentData::slowArguments):
        (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
        (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
        (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::allocateSlowArguments):
        (JSC::Arguments::tryDeleteArgument):
        (JSC::Arguments::isDeletedArgument):
        (JSC::Arguments::isArgument):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/SymbolTable.h:

5860 2014-04-21 Eric Carlson <eric.carlson@apple.com>
5861
5862 [Mac] implement WebKitDataCue
5863 https://bugs.webkit.org/show_bug.cgi?id=131799
5864
5865 Reviewed by Dean Jackson.
5866
5867 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5868
5869 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5870
5871 Unreviewed test gardening, run the repeat-out-of-bounds tests again.
5872
5873 * tests/stress/float32-repeat-out-of-bounds.js:
5874 * tests/stress/int8-repeat-out-of-bounds.js:
5875
5876 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5877
5878 OSR exit should know about Int52 and Double constants
5879 https://bugs.webkit.org/show_bug.cgi?id=131945
5880
5881 Reviewed by Oliver Hunt.
5882
5883 The DFG OSR exit machinery's ignorance would lead to some constants becoming
5884 jsUndefined() after OSR exit.
5885
5886 The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
5887 stackmap constant rather than baking the constant into the OSRExit data structure.
5888 So, not a big deal, but worth fixing.
5889
5890 Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
5891
5892 * dfg/DFGByteCodeParser.cpp:
5893 (JSC::DFG::ByteCodeParser::handleIntrinsic):
5894 * dfg/DFGMinifiedNode.h:
5895 (JSC::DFG::belongsInMinifiedGraph):
5896 (JSC::DFG::MinifiedNode::hasConstantNumber):
5897 * ftl/FTLLowerDFGToLLVM.cpp:
5898 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
5899 * jsc.cpp:
5900 (GlobalObject::finishCreation):
5901 (functionOtherFalse):
5902 (functionUndefined):
5903 * runtime/Intrinsic.h:
5904 * tests/stress/fold-to-double-constant-then-exit.js: Added.
5905 (foo):
5906 * tests/stress/fold-to-int52-constant-then-exit.js: Added.
5907 (foo):
5908
5909 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5910
5911 Provide feedback when we encounter an unrecognized node in the FTL backend.
5912
5913 Rubber stamped by Alexey Proskuryakov.
5914
5915 * ftl/FTLLowerDFGToLLVM.cpp:
5916 (JSC::FTL::LowerDFGToLLVM::compileNode):
5917
5918 2014-04-21 Andreas Kling <akling@apple.com>
5919
5920 Move the JSString cache from DOMWrapperWorld to VM.
5921 <https://webkit.org/b/131940>
5922
5923 Reviewed by Geoff Garen.
5924
5925 * runtime/VM.h:
5926
5927 2014-04-19 Filip Pizlo <fpizlo@apple.com>
5928
5929 Take block execution count estimates into account when voting double
5930 https://bugs.webkit.org/show_bug.cgi?id=131906
5931
5932 Reviewed by Geoffrey Garen.
5933
5934 This was a drama in three acts.
5935
5936 Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
5937 number of uses of a variable that want double or non-double. Easy as pie. This
5938 gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
5939 else.
5940
5941 Act II: Realize that there were some programs where our previous double voting was
5942 just on the edge of disaster and making it more precise tipped it over. In
5943 particular, if you had an integer variable that would infrequently be used in a
5944 computation that resulted in a variable that was frequently used as an array index,
5945 the outer infrequentness would be the thing we'd use in the vote. So, an array
5946 index would become double. We fix this by reviving global backwards propagation
5947 and introducing the concept of ReallyWantsInt, which is used just for array
5948 indices. Any variable transitively flagged as ReallyWantsInt will never be forced
5949 double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
5950 be set in bitops for RageConversion but using it for double forcing is too much.
5951 Basically, it's cheaper to have to convert a double to an int for a bitop than it
5952 is to convert a double to an int for an array index; also a variable being used as
5953 an array index is a much stronger hint that it ought to be an int. This recovered
5954 performance on everything except programs that used FTL OSR entry.
5955
5956 Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
5957 count, which then completely pollutes the weighting - essentially all votes go
5958 NaN. Fix this with some surgical defenses. Basically, any client of execution
5959 counts should allow for them to be NaN and shouldn't completely fall off a cliff
5960 when it happens.
5961
5962 This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
5963 7% speed-up on AsmBench and 2% speed-up on Kraken.
5964
5965 * CMakeLists.txt:
5966 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5967 * JavaScriptCore.xcodeproj/project.pbxproj:
5968 * dfg/DFGBackwardsPropagationPhase.cpp:
5969 (JSC::DFG::BackwardsPropagationPhase::run):
5970 (JSC::DFG::BackwardsPropagationPhase::propagate):
5971 * dfg/DFGGraph.cpp:
5972 (JSC::DFG::Graph::dumpBlockHeader):
5973 * dfg/DFGGraph.h:
5974 (JSC::DFG::Graph::voteNode):
5975 (JSC::DFG::Graph::voteChildren):
5976 * dfg/DFGNodeFlags.cpp:
5977 (JSC::DFG::dumpNodeFlags):
5978 * dfg/DFGNodeFlags.h:
5979 * dfg/DFGOSREntrypointCreationPhase.cpp:
5980 (JSC::DFG::OSREntrypointCreationPhase::run):
5981 * dfg/DFGPlan.cpp:
5982 (JSC::DFG::Plan::compileInThreadImpl):
5983 * dfg/DFGPredictionPropagationPhase.cpp:
5984 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5985 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
5986 * dfg/DFGVariableAccessData.cpp: Added.
5987 (JSC::DFG::VariableAccessData::VariableAccessData):
5988 (JSC::DFG::VariableAccessData::mergeIsCaptured):
5989 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
5990 (JSC::DFG::VariableAccessData::predict):
5991 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
5992 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5993 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
5994 (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
5995 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5996 (JSC::DFG::VariableAccessData::flushFormat):
5997 * dfg/DFGVariableAccessData.h:
5998 (JSC::DFG::VariableAccessData::vote):
5999 (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
6000 (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
6001 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
6002 (JSC::DFG::VariableAccessData::predict): Deleted.
6003 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
6004 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
6005 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
6006 (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
6007 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
6008 (JSC::DFG::VariableAccessData::flushFormat): Deleted.
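
A worked model of the weighted double voting described in this entry, added here as an illustration and not taken from the JavaScriptCore sources. The toy graph, the variable names i, d and j, the helper names, and the policy of counting a NaN execution count as a single vote are assumptions made for the example; the ReallyWantsInt backwards propagation (Act II) and the NaN defense (Act III) follow the three acts above.

```cpp
// Added example (not JavaScriptCore's own code): a toy model of the weighted
// double voting described in the entry above, with the ReallyWantsInt
// backwards propagation (Act II) and the NaN execution-count defense (Act III).
// The names and the NaN-weight policy are assumptions made for this example.
#include <cmath>
#include <map>
#include <string>
#include <utility>
#include <vector>

namespace dfgvote {

enum Ballot { VoteValue = 0, VoteDouble = 1 };

struct Variable {
    double votes[2] = {0.0, 0.0};
    bool reallyWantsInt = false; // flagged (transitively) as an array index
};

struct Use { std::string var; Ballot ballot; };

// A basic block with its execution-count estimate and the uses it contains.
struct Block { double executionCount; std::vector<Use> uses; };

struct Graph {
    std::map<std::string, Variable> vars;
    // (operand, result): `result` is computed from `operand`.
    std::vector<std::pair<std::string, std::string>> flows;
    std::vector<Block> blocks;
};

// Act III: an OSR entrypoint block may carry a NaN execution count. Adding a
// NaN weight to a tally turns every vote into NaN, so a NaN weight is treated
// as a single vote here (assumed policy for this example).
inline double sanitizeWeight(double w) { return std::isnan(w) ? 1.0 : w; }

// Act II: propagate ReallyWantsInt backwards from a result to the operands it
// was computed from, until nothing changes.
inline void propagateReallyWantsInt(Graph& g) {
    bool changed = true;
    while (changed) {
        changed = false;
        for (const auto& flow : g.flows) {
            Variable& operand = g.vars[flow.first];
            if (g.vars[flow.second].reallyWantsInt && !operand.reallyWantsInt) {
                operand.reallyWantsInt = true;
                changed = true;
            }
        }
    }
}

// Act I: each use votes with the execution count of its block as the weight.
inline void tallyVotes(Graph& g) {
    for (const Block& b : g.blocks) {
        double weight = sanitizeWeight(b.executionCount);
        for (const Use& u : b.uses)
            g.vars[u.var].votes[u.ballot] += weight;
    }
}

// A variable flagged ReallyWantsInt is never forced into double format.
inline bool shouldUseDoubleFormat(const Variable& v) {
    if (v.reallyWantsInt) return false;
    return v.votes[VoteDouble] > v.votes[VoteValue];
}

// The scenario from the entry: int `i` is used once in a cold double
// computation whose result `d` feeds `j`, the index of a hot array loop.
inline Graph buildScenario(double hotCount) {
    Graph g;
    g.vars["j"].reallyWantsInt = true; // j is used as an array index
    g.flows = {{"i", "d"}, {"d", "j"}};
    g.blocks = {
        {1.0,      {{"i", VoteDouble}, {"d", VoteDouble}}}, // cold block
        {hotCount, {{"j", VoteValue}}},                      // hot loop body
    };
    return g;
}

// Returns, per variable, whether it would be put in double format.
inline std::map<std::string, bool> decideFormats(double hotCount, bool backwardsPropagation) {
    Graph g = buildScenario(hotCount);
    if (backwardsPropagation) propagateReallyWantsInt(g);
    tallyVotes(g);
    std::map<std::string, bool> result;
    for (const auto& kv : g.vars) result[kv.first] = shouldUseDoubleFormat(kv.second);
    return result;
}

// Sum of every tallied vote; finite only because NaN weights are defended against.
inline double totalVotes(double hotCount) {
    Graph g = buildScenario(hotCount);
    tallyVotes(g);
    double total = 0.0;
    for (const auto& kv : g.vars)
        total += kv.second.votes[VoteValue] + kv.second.votes[VoteDouble];
    return total;
}

} // namespace dfgvote
```

Without the backwards propagation the cold double use is the only vote `i` receives, so it is forced double and the array index it feeds pays for the conversion; with it, `i` stays an int regardless of the weights.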
6009
6010 2014-04-21 Michael Saboff <msaboff@apple.com>
6011
6012 REGRESSION(r167591): ARM64 and ARM traditional builds broken
6013 https://bugs.webkit.org/show_bug.cgi?id=131935
6014
6015 Reviewed by Mark Hahnenberg.
6016
6017 Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
6018 macro assemblers. Added a new test for the original patch.
6019
6020 * assembler/MacroAssemblerARM.h:
6021 (JSC::MacroAssemblerARM::store8):
6022 * assembler/MacroAssemblerARM64.h:
6023 (JSC::MacroAssemblerARM64::store8):
6024 * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
6025
6026 2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
6027
6028 Inline allocate Arguments objects in the DFG
6029 https://bugs.webkit.org/show_bug.cgi?id=131897
6030
6031 Reviewed by Geoffrey Garen.
6032
6033 Many libraries/frameworks depend on the arguments object for overloaded API entry points.
6034 This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
6035 for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
6036
6037 * dfg/DFGSpeculativeJIT.cpp:
6038 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
6039 * dfg/DFGSpeculativeJIT.h:
6040 (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
6041 * dfg/DFGSpeculativeJIT32_64.cpp:
6042 (JSC::DFG::SpeculativeJIT::compile):
6043 * dfg/DFGSpeculativeJIT64.cpp:
6044 (JSC::DFG::SpeculativeJIT::compile):
6045 * runtime/Arguments.h:
6046 (JSC::Arguments::offsetOfActivation):
6047 (JSC::Arguments::offsetOfOverrodeLength):
6048 (JSC::Arguments::offsetOfIsStrictMode):
6049 (JSC::Arguments::offsetOfRegisterArray):
6050 (JSC::Arguments::offsetOfCallee):
6051 (JSC::Arguments::allocationSize):
6052
6053 2014-04-20 Andreas Kling <akling@apple.com>
6054
6055 Speed up jsStringWithCache() through WeakGCMap inlining.
6056 <https://webkit.org/b/131923>
6057
6058 Always inline WeakGCMap::add() but move the slow garbage collecting
6059 path out-of-line.
6060
6061 Reviewed by Darin Adler.
6062
6063 * runtime/WeakGCMap.h:
6064 (JSC::WeakGCMap::add):
6065 (JSC::WeakGCMap::gcMap):
6066
6067 2014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
6068
6069 JavaScriptCore: ARM build fix after r167094.
6070 https://bugs.webkit.org/show_bug.cgi?id=131612
6071
6072 Reviewed by Michael Saboff.
6073
6074 After r167094 there are many build errors on ARM like these:
6075
6076 /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
6077 /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
6078 /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
6079 /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
6080
6081 The problem is caused by wrongly generated assembly like:
6082 "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
6083
6084 `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
6085 the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
6086 Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
6087 use case: move rn, (label1-label2) which is translated to movw and movt.
6088
6089 * llint/LowLevelInterpreter.asm:
6090 * offlineasm/arm.rb:
6091 * offlineasm/instructions.rb:
6092
6093 2014-04-20 Csaba Osztrogonác <ossy@webkit.org>
6094
6095 [ARM] Unreviewed build fix after r167336.
6096
6097 * assembler/MacroAssemblerARM.h:
6098 (JSC::MacroAssemblerARM::branchAdd32):
6099
6100 2014-04-20 Commit Queue <commit-queue@webkit.org>
6101
6102 Unreviewed, rolling out r167501.
6103 https://bugs.webkit.org/show_bug.cgi?id=131913
6104
6105 It broke DYEBench (Requested by mhahnenberg on #webkit).
6106
6107 Reverted changeset:
6108
6109 "Deleting properties poisons objects"
6110 https://bugs.webkit.org/show_bug.cgi?id=131551
6111 http://trac.webkit.org/changeset/167501
6112
6113 2014-04-19 Filip Pizlo <fpizlo@apple.com>
6114
6115 It should be OK to store new fields into objects that have no prototypes
6116 https://bugs.webkit.org/show_bug.cgi?id=131905
6117
6118 Reviewed by Mark Hahnenberg.
6119
6120 * dfg/DFGByteCodeParser.cpp:
6121 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
6122 * tests/stress/put-by-id-transition-null-prototype.js: Added.
6123 (foo):
6124
6125 2014-04-19 Benjamin Poulain <bpoulain@apple.com>
6126
6127 Make the CSS JIT compile for ARM64
6128 https://bugs.webkit.org/show_bug.cgi?id=131834
6129
6130 Reviewed by Gavin Barraclough.
6131
6132 Extend the ARM64 MacroAssembler to support the code generation required by
6133 the CSS JIT.
6134
6135 * assembler/MacroAssembler.h:
6136 * assembler/MacroAssemblerARM64.h:
6137 (JSC::MacroAssemblerARM64::addPtrNoFlags):
6138 (JSC::MacroAssemblerARM64::or32):
6139 (JSC::MacroAssemblerARM64::branchPtr):
6140 (JSC::MacroAssemblerARM64::test32):
6141 (JSC::MacroAssemblerARM64::branch):
6142 * assembler/MacroAssemblerX86Common.h:
6143 (JSC::MacroAssemblerX86Common::test32):
6144
6145 2014-04-19 Andreas Kling <akling@apple.com>
6146
6147 Two little shortcuts to the JSType.
6148 <https://webkit.org/b/131896>
6149
6150 Tweak two sites that take the long road through JSCell::structure()->typeInfo()
6151 to look at data that's already in JSCell::type().
6152
6153 Reviewed by Darin Adler.
6154
6155 * runtime/NameInstance.h:
6156 (JSC::isName):
6157 * runtime/NumberPrototype.cpp:
6158 (JSC::toThisNumber):
6159
6160 2014-04-19 Filip Pizlo <fpizlo@apple.com>
6161
6162 Make it easier to check if an integer sum would overflow
6163 https://bugs.webkit.org/show_bug.cgi?id=131900
6164
6165 Reviewed by Darin Adler.
6166
6167 * dfg/DFGOperations.cpp:
6168 * runtime/Operations.h:
6169 (JSC::jsString):
6170
6171 2014-04-19 Filip Pizlo <fpizlo@apple.com>
6172
6173 Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
6174
6175 * dfg/DFGOperations.cpp:
6176 * runtime/JSString.h:
6177 (JSC::JSRopeString::RopeBuilder::append):
6178
6179 2014-04-18 Mark Lam <mark.lam@apple.com>
6180
6181 REGRESSION(r164205): WebKit crash @StructureIDTable::get.
6182 <https://webkit.org/b/130539>
6183
6184 Reviewed by Geoffrey Garen.
6185
6186 prepareOSREntry() prepares for OSR entry by first copying the local var
6187 values from the baseline frame to a scratch buffer, which is then used
6188 to fill in the locals in their new position in the DFG frame. Unfortunately,
6189 prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
6190 size of the baseline frame. As a result, some values of locals in the
6191 baseline frame were not saved off, and the DFG frame may get initialized
6192 with random content that happened to be in the uninitialized (and possibly
6193 unallocated) portions of the scratch buffer.
6194
6195 The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
6196 number of locals in the baseline frame that we want to copy to the scratch
6197 buffer.
6198
6199 Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
6200 at offset 0 in the scratch buffer. So, we continue to write that value
6201 there, not the baseline frame size.
6202
6203 * dfg/DFGOSREntry.cpp:
6204 (JSC::DFG::prepareOSREntry):
6205
6206 2014-04-18 Timothy Hatcher <timothy@apple.com>
6207
6208 Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
6209 https://bugs.webkit.org/show_bug.cgi?id=131673
6210
6211 Passes existing profiler and inspector tests.
6212
6213 Reviewed by Joseph Pecoraro.
6214
6215 * CMakeLists.txt:
6216 * DerivedSources.make:
6217 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
6218 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
6219 * JavaScriptCore.xcodeproj/project.pbxproj:
6220 * inspector/JSConsoleClient.cpp:
6221 (Inspector::JSConsoleClient::JSConsoleClient):
6222 (Inspector::JSConsoleClient::profile):
6223 (Inspector::JSConsoleClient::profileEnd):
6224 (Inspector::JSConsoleClient::count): Deleted.
6225 * inspector/JSConsoleClient.h:
6226 * inspector/JSGlobalObjectInspectorController.cpp:
6227 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
6228 * inspector/agents/InspectorProfilerAgent.cpp: Added.
6229 (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
6230 (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
6231 (Inspector::InspectorProfilerAgent::addProfile):
6232 (Inspector::InspectorProfilerAgent::createProfileHeader):
6233 (Inspector::InspectorProfilerAgent::enable):
6234 (Inspector::InspectorProfilerAgent::disable):
6235 (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
6236 (Inspector::InspectorProfilerAgent::getProfileHeaders):
6237 (Inspector::buildInspectorObject):
6238 (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
6239 (Inspector::InspectorProfilerAgent::getCPUProfile):
6240 (Inspector::InspectorProfilerAgent::removeProfile):
6241 (Inspector::InspectorProfilerAgent::reset):
6242 (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
6243 (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
6244 (Inspector::InspectorProfilerAgent::start):
6245 (Inspector::InspectorProfilerAgent::stop):
6246 (Inspector::InspectorProfilerAgent::setRecordingProfile):
6247 (Inspector::InspectorProfilerAgent::startProfiling):
6248 (Inspector::InspectorProfilerAgent::stopProfiling):
6249 * inspector/agents/InspectorProfilerAgent.h: Added.
6250 * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
6251 (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
6252 (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
6253 * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
6254 * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
6255 * profiler/Profile.h:
6256 * runtime/ConsoleClient.h:
6257
6258 2014-04-18 Commit Queue <commit-queue@webkit.org>
6259
6260 Unreviewed, rolling out r167527.
6261 https://bugs.webkit.org/show_bug.cgi?id=131883
6262
6263 Broke 32-bit build (Requested by ap on #webkit).
6264
6265 Reverted changeset:
6266
6267 "[Mac] implement WebKitDataCue"
6268 https://bugs.webkit.org/show_bug.cgi?id=131799
6269 http://trac.webkit.org/changeset/167527
6270
6271 2014-04-18 Eric Carlson <eric.carlson@apple.com>
6272
6273 [Mac] implement WebKitDataCue
6274 https://bugs.webkit.org/show_bug.cgi?id=131799
6275
6276 Reviewed by Dean Jackson.
6277
6278 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
6279
6280 2014-04-18 Filip Pizlo <fpizlo@apple.com>
6281
6282 Actually address Mark's review feedback.
6283
6284 * dfg/DFGOSRExitCompilerCommon.cpp:
6285 (JSC::DFG::handleExitCounts):
6286
6287 2014-04-18 Filip Pizlo <fpizlo@apple.com>
6288
6289 Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
6290 https://bugs.webkit.org/show_bug.cgi?id=131850
6291
6292 Reviewed by Mark Hahnenberg.
6293
6294 Templatize ExecutionCounter to allow for two different styles of calculating the
6295 checkpoint threshold.
6296
6297 Appears to be a slight speed-up on DYEBench.
6298
6299 * bytecode/CodeBlock.h:
6300 (JSC::CodeBlock::llintExecuteCounter):
6301 (JSC::CodeBlock::offsetOfJITExecuteCounter):
6302 (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
6303 (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
6304 (JSC::CodeBlock::jitExecuteCounter):
6305 * bytecode/ExecutionCounter.cpp:
6306 (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
6307 (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
6308 (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
6309 (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
6310 (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
6311 (JSC::applyMemoryUsageHeuristics):
6312 (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
6313 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
6314 (JSC::ExecutionCounter<countingVariant>::setThreshold):
6315 (JSC::ExecutionCounter<countingVariant>::reset):
6316 (JSC::ExecutionCounter<countingVariant>::dump):
6317 (JSC::ExecutionCounter::ExecutionCounter): Deleted.
6318 (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
6319 (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
6320 (JSC::ExecutionCounter::setNewThreshold): Deleted.
6321 (JSC::ExecutionCounter::deferIndefinitely): Deleted.
6322 (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
6323 (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
6324 (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
6325 (JSC::ExecutionCounter::setThreshold): Deleted.
6326 (JSC::ExecutionCounter::reset): Deleted.
6327 (JSC::ExecutionCounter::dump): Deleted.
6328 * bytecode/ExecutionCounter.h:
6329 (JSC::formattedTotalExecutionCount):
6330 (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
6331 (JSC::ExecutionCounter::clippedThreshold):
6332 (JSC::ExecutionCounter::formattedTotalCount): Deleted.
6333 * dfg/DFGJITCode.h:
6334 * dfg/DFGOSRExitCompilerCommon.cpp:
6335 (JSC::DFG::handleExitCounts):
6336 * llint/LowLevelInterpreter.asm:
6337 * runtime/Options.h:
6338
6339 2014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
6340
6341 Deleting properties poisons objects
6342 https://bugs.webkit.org/show_bug.cgi?id=131551
6343
6344 Reviewed by Geoffrey Garen.
6345
6346 This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
6347
6348 * runtime/Structure.cpp:
6349 (JSC::Structure::Structure):
6350 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
6351 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
6352 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
6353 delete transitions, but we allow transitioning from them.
6354 (JSC::Structure::changePrototypeTransition):
6355 (JSC::Structure::despecifyFunctionTransition):
6356 (JSC::Structure::attributeChangeTransition):
6357 (JSC::Structure::toDictionaryTransition):
6358 (JSC::Structure::preventExtensionsTransition):
6359 (JSC::Structure::addPropertyWithoutTransition):
6360 (JSC::Structure::removePropertyWithoutTransition):
6361 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
6362 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
6363 * runtime/Structure.h:
6364 * runtime/StructureInlines.h:
6365 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
6366
6367 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6368
6369 InlineCallFrameSet should be refcounted
6370 https://bugs.webkit.org/show_bug.cgi?id=131829
6371
6372 Reviewed by Geoffrey Garen.
6373
6374 And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
6375 became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
6376 Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
6377 the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
6378
6379 So, just make the darn thing refcounted.
6380
6381 * bytecode/InlineCallFrameSet.h:
6382 * dfg/DFGArgumentsSimplificationPhase.cpp:
6383 (JSC::DFG::ArgumentsSimplificationPhase::run):
6384 * dfg/DFGByteCodeParser.cpp:
6385 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6386 * dfg/DFGCommonData.h:
6387 * dfg/DFGGraph.cpp:
6388 (JSC::DFG::Graph::Graph):
6389 (JSC::DFG::Graph::requiredRegisterCountForExit):
6390 * dfg/DFGGraph.h:
6391 * dfg/DFGJITCompiler.cpp:
6392 (JSC::DFG::JITCompiler::link):
6393 * dfg/DFGPlan.cpp:
6394 (JSC::DFG::Plan::Plan):
6395 * dfg/DFGPlan.h:
6396 * dfg/DFGStackLayoutPhase.cpp:
6397 (JSC::DFG::StackLayoutPhase::run):
6398 * ftl/FTLFail.cpp:
6399 (JSC::FTL::fail):
6400 * ftl/FTLLink.cpp:
6401 (JSC::FTL::link):
6402
6403 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6404
6405 FTL::fail() should manage memory "correctly"
6406 https://bugs.webkit.org/show_bug.cgi?id=131823
6407 <rdar://problem/16384297>
6408
6409 Reviewed by Oliver Hunt.
6410
6411 * ftl/FTLFail.cpp:
6412 (JSC::FTL::fail):
6413
6414 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6415
6416 Prediction propagator should correctly model Int52s flowing through arguments
6417 https://bugs.webkit.org/show_bug.cgi?id=131822
6418 <rdar://problem/16641408>
6419
6420 Reviewed by Oliver Hunt.
6421
6422 * dfg/DFGPredictionPropagationPhase.cpp:
6423 (JSC::DFG::PredictionPropagationPhase::propagate):
6424 * tests/stress/int52-argument.js: Added.
6425 (foo):
6426 * tests/stress/int52-variable.js: Added.
6427 (foo):
6428
6429 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6430
6431 REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
6432 https://bugs.webkit.org/show_bug.cgi?id=131798
6433
6434 Reviewed by Alexey Proskuryakov.
6435
6436 Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
6437 of this assertion can return. For now, it's not clear that the assertion is guarding
6438 any truly undesirable behavior - so it should just go away and be replaced with a
6439 FIXME.
6440
6441 * bytecode/GetByIdStatus.cpp:
6442 (JSC::GetByIdStatus::computeForStubInfo):
6443 * runtime/Structure.h:
6444 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
6445
6446 2014-04-17 David Kilzer <ddkilzer@apple.com>
6447
6448 Blind attempt to fix Windows build after r166837
6449 <http://webkit.org/b/131246>
6450
6451 Hoping to fix this build error:
6452
6453 warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
6454
6455 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
6456 boo-boo by changing the GCLogging.cpp ClCompile entry to a
6457 GCLogging.h ClInclude entry.
6458
6459 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6460
6461 AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
6462 https://bugs.webkit.org/show_bug.cgi?id=131764
6463
6464 Reviewed by Geoffrey Garen.
6465
6466 The attached test case can be made to not crash by deleting old code. It used to be
6467 the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
6468 long ago. At this point, these guards just make life difficult. So get rid of them.
6469
6470 * dfg/DFGAbstractInterpreterInlines.h:
6471 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6472 * dfg/DFGSpeculativeJIT32_64.cpp:
6473 (JSC::DFG::SpeculativeJIT::compile):
6474 * dfg/DFGSpeculativeJIT64.cpp:
6475 (JSC::DFG::SpeculativeJIT::compile):
6476 * tests/stress/bug-131764.js: Added.
6477 (test1):
6478 (test2):
6479
6480 2014-04-17 Darin Adler <darin@apple.com>
6481
6482 Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
6483 https://bugs.webkit.org/show_bug.cgi?id=131785
6484 rdar://problem/16003108
6485
6486 Reviewed by Brady Eidson.
6487
6488 * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
6489
6490 2014-04-16 Alexey Proskuryakov <ap@apple.com>
6491
6492 Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
6493
6494 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
6495
6496 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6497
6498 Extra error reporting for invalid value conversions
6499 https://bugs.webkit.org/show_bug.cgi?id=131786
6500
6501 Rubber stamped by Ryosuke Niwa.
6502
6503 * dfg/DFGFixupPhase.cpp:
6504 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6505
6506 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6507
6508 Sink NaN sanitization to uses and remove it when it's unnecessary
6509 https://bugs.webkit.org/show_bug.cgi?id=131419
6510
6511 Reviewed by Oliver Hunt.
6512
6513 This moves NaN purification to stores that could see an impure NaN.
6514
6515 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
6516 though, because of the other bug that causes that benchmark to box doubles in a loop.
6517
6518 * bytecode/SpeculatedType.h:
6519 (JSC::isInt32SpeculationForArithmetic):
6520 (JSC::isMachineIntSpeculationForArithmetic):
6521 (JSC::isDoubleSpeculation):
6522 (JSC::isDoubleSpeculationForArithmetic):
6523 * dfg/DFGAbstractInterpreterInlines.h:
6524 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6525 * dfg/DFGAbstractValue.cpp:
6526 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
6527 * dfg/DFGFixupPhase.cpp:
6528 (JSC::DFG::FixupPhase::fixupNode):
6529 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6530 * dfg/DFGInPlaceAbstractState.cpp:
6531 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
6532 * dfg/DFGPredictionPropagationPhase.cpp:
6533 (JSC::DFG::PredictionPropagationPhase::propagate):
6534 * dfg/DFGSpeculativeJIT.cpp:
6535 (JSC::DFG::SpeculativeJIT::compileValueRep):
6536 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
6537 * dfg/DFGUseKind.h:
6538 (JSC::DFG::typeFilterFor):
6539 * ftl/FTLLowerDFGToLLVM.cpp:
6540 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
6541 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
6542 * runtime/PureNaN.h:
6543 * tests/stress/float32-array-nan-inlined.js: Added.
6544 (foo):
6545 (test):
6546 * tests/stress/float32-array-nan.js: Added.
6547 (foo):
6548 (test):
6549 * tests/stress/float64-array-nan-inlined.js: Added.
6550 (foo):
6551 (isBigEndian):
6552 (test):
6553 * tests/stress/float64-array-nan.js: Added.
6554 (foo):
6555 (isBigEndian):
6556 (test):
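
An added illustration, not JavaScriptCore code, of why the NaN purification this entry sinks to stores (and that the bug 131420 entry further down introduces as purifyNaN() and PNaN) matters: under a simplified 64-bit NaN-boxing layout assumed for the example, a NaN loaded from a Float64Array with the wrong sign and payload bits would, if tagged unpurified, read back as a pointer or an int32, while purifyNaN() collapses it to PNaN first. The tag constants, the helper names and the sample bit pattern are assumptions made for this example, not the engine's own.

```cpp
// Added example (not JavaScriptCore's own code): a simplified 64-bit NaN-boxing
// layout, assumed for this example, showing why a NaN loaded from raw memory
// (such as a Float64Array element) must be purified before it is tagged.
#include <cmath>
#include <cstdint>
#include <cstring>

namespace nanbox {

// Assumed layout: a double is stored as (raw bits + kDoubleEncodeOffset).
// Pointers keep their top 16 bits zero; int32 values carry the 0xFFFE tag.
// Every other top-16-bit value is read back as a double.
constexpr uint64_t kDoubleEncodeOffset = UINT64_C(1) << 48;
constexpr uint64_t kInt32Tag = UINT64_C(0xFFFE000000000000);
constexpr uint64_t kTopBitsMask = UINT64_C(0xFFFF000000000000);

// The canonical "pure" NaN (PNaN): exponent all ones, quiet bit set, no payload.
constexpr uint64_t kPureNaNBits = UINT64_C(0x7FF8000000000000);

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleFromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

inline double pureNaN() { return doubleFromBits(kPureNaNBits); }

// purifyNaN: any NaN, whatever its sign or payload bits, collapses to PNaN;
// every non-NaN value passes through unchanged.
inline double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

enum class Kind { Pointer, Int32, Double };

// How a consumer of the encoded word would interpret it.
inline Kind kindOf(uint64_t encoded) {
    uint64_t top = encoded & kTopBitsMask;
    if (top == 0) return Kind::Pointer;
    if (top == kInt32Tag) return Kind::Int32;
    return Kind::Double;
}

// Tag a double without purification (the hazard purification removes).
inline uint64_t encodeDoubleUnchecked(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// A double is safe to tag if its encoded form still reads back as a double.
// Non-NaN values and PNaN always are; a negative NaN with high payload bits
// set wraps around into the pointer or int32 tag space.
inline bool isSafeToTag(double d) { return kindOf(encodeDoubleUnchecked(d)) == Kind::Double; }

// The safe path: purify first, then tag.
inline uint64_t encodeNumber(double d) { return encodeDoubleUnchecked(purifyNaN(d)); }

inline double decodeDouble(uint64_t encoded) { return doubleFromBits(encoded - kDoubleEncodeOffset); }

// Reads a double exactly as a Float64Array element would: eight little-endian
// bytes whose every bit the script that wrote the array controls.
inline double loadFloat64LittleEndian(const unsigned char* bytes) {
    uint64_t b = 0;
    for (int i = 7; i >= 0; --i) b = (b << 8) | bytes[i];
    return doubleFromBits(b);
}

// Constructed sample: the bit pattern 0xFFFF000000001234 is a NaN (exponent
// all ones, non-zero mantissa) but, tagged unpurified, reads as pointer 0x1234.
inline double impureNaNSample() {
    const unsigned char bytes[8] = {0x34, 0x12, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF};
    return loadFloat64LittleEndian(bytes);
}

} // namespace nanbox
```

Not every impure NaN is unsafe under this layout (a positive NaN with a small payload still encodes into the double range), which is why the engine distinguishes the two cases but purifies at every store that could see an impure value.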
6557
6558 2014-04-16 Brent Fulgham <bfulgham@apple.com>
6559
6560 [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
6561 to 32-bit builds, and revise the comment to explain what we are
6562 doing.
6563
6564 * runtime/JSCJSValueInlines.h:
6565 (JSC::JSValue::isMachineInt): Provide motivation for the new
6566 'isinf' check for our 32-bit code path.
6567
6568 2014-04-16 Juergen Ributzka <juergen@apple.com>
6569
6570 Allocate the data section on the heap again for FTL on ARM64
6571 https://bugs.webkit.org/show_bug.cgi?id=130156
6572
6573 Reviewed by Geoffrey Garen and Filip Pizlo.
6574
6575 * ftl/FTLCompile.cpp:
6576 (JSC::FTL::mmAllocateDataSection):
6577 * ftl/FTLDataSection.cpp:
6578 (JSC::FTL::DataSection::DataSection):
6579 (JSC::FTL::DataSection::~DataSection):
6580 * ftl/FTLDataSection.h:
6581
6582 2014-04-16 Mark Lam <mark.lam@apple.com>
6583
6584 Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
6585 <https://webkit.org/b/131747>
6586
6587 Reviewed by Filip Pizlo.
6588
6589 When the debugger is about to activate (e.g. enter stepping mode), it first
6590 waits for all DFG compilations to complete. However, when the DFG completes,
6591 if compilation is successful, it will install a new DFG codeBlock. The
6592 CodeBlock installation process is required to register codeBlocks with the
6593 debugger. Debugger::registerCodeBlock() will eventually call
6594 CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
6595 trying to install. Thereafter, chaos ensues.
6596
6597 This jettison'ing only happens because the debugger currently sets its
6598 m_steppingMode flag before waiting for compilation to complete. The fix is
6599 simply to set that flag only after compilation is complete.
6600
6601 * debugger/Debugger.cpp:
6602 (JSC::Debugger::setSteppingMode):
6603 (JSC::Debugger::registerCodeBlock):
6604
6605 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6606
6607 Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
6608 https://bugs.webkit.org/show_bug.cgi?id=131420
6609
6610 Reviewed by Oliver Hunt.
6611
6612 Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
6613 replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
6614 goes through the purifyNaN() API.
6615
6616 SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
6617
6618 Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
6619 have to be too cautious since most prediction-based logic only cares about whether or not
6620 a value could be an integer.
6621
6622 AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
6623 anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
6624 soundly and precisely.
6625
6626 No performance change because this just unblocks
6627 https://bugs.webkit.org/show_bug.cgi?id=131419.
6628
6629 * API/JSValueRef.cpp:
6630 (JSValueMakeNumber):
6631 (JSValueToNumber):
6632 * JavaScriptCore.xcodeproj/project.pbxproj:
6633 * bytecode/SpeculatedType.cpp:
6634 (JSC::dumpSpeculation):
6635 (JSC::speculationFromValue):
6636 (JSC::typeOfDoubleSum):
6637 (JSC::typeOfDoubleDifference):
6638 (JSC::typeOfDoubleProduct):
6639 (JSC::polluteDouble):
6640 (JSC::typeOfDoubleQuotient):
6641 (JSC::typeOfDoubleMinMax):
6642 (JSC::typeOfDoubleNegation):
6643 (JSC::typeOfDoubleAbs):
6644 (JSC::typeOfDoubleFRound):
6645 (JSC::typeOfDoubleBinaryOp):
6646 (JSC::typeOfDoubleUnaryOp):
6647 * bytecode/SpeculatedType.h:
6648 * dfg/DFGAbstractInterpreterInlines.h:
6649 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6650 * dfg/DFGByteCodeParser.cpp:
6651 (JSC::DFG::ByteCodeParser::handleInlining):
6652 (JSC::DFG::ByteCodeParser::parseCodeBlock):
6653 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
6654 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
6655 * dfg/DFGInPlaceAbstractState.cpp:
6656 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
6657 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
6658 (JSC::DFG::createPreHeader):
6659 * dfg/DFGNode.h:
6660 (JSC::DFG::BranchTarget::BranchTarget):
6661 * dfg/DFGOSREntrypointCreationPhase.cpp:
6662 (JSC::DFG::OSREntrypointCreationPhase::run):
6663 * dfg/DFGOSRExitCompiler32_64.cpp:
6664 (JSC::DFG::OSRExitCompiler::compileExit):
6665 * dfg/DFGOSRExitCompiler64.cpp:
6666 (JSC::DFG::OSRExitCompiler::compileExit):
6667 * dfg/DFGPredictionPropagationPhase.cpp:
6668 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
6669 (JSC::DFG::PredictionPropagationPhase::propagate):
6670 * dfg/DFGSpeculativeJIT.cpp:
6671 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
6672 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6673 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
6674 * dfg/DFGSpeculativeJIT32_64.cpp:
6675 (JSC::DFG::SpeculativeJIT::compile):
6676 * dfg/DFGSpeculativeJIT64.cpp:
6677 (JSC::DFG::SpeculativeJIT::compile):
6678 * dfg/DFGVariableAccessData.h:
6679 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
6680 * ftl/FTLLowerDFGToLLVM.cpp:
6681 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
6682 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
6683 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
6684 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
6685 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
6686 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
6687 (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
6688 * ftl/FTLValueFormat.cpp:
6689 (JSC::FTL::reboxAccordingToFormat):
6690 * jit/AssemblyHelpers.cpp:
6691 (JSC::AssemblyHelpers::purifyNaN):
6692 (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
6693 * jit/AssemblyHelpers.h:
6694 * jit/JITPropertyAccess.cpp:
6695 (JSC::JIT::emitFloatTypedArrayGetByVal):
6696 * runtime/DateConstructor.cpp:
6697 (JSC::constructDate):
6698 * runtime/DateInstanceCache.h:
6699 (JSC::DateInstanceData::DateInstanceData):
6700 (JSC::DateInstanceCache::reset):
6701 * runtime/ExceptionHelpers.cpp:
6702 (JSC::TerminatedExecutionError::defaultValue):
6703 * runtime/JSArray.cpp:
6704 (JSC::JSArray::setLength):
6705 (JSC::JSArray::pop):
6706 (JSC::JSArray::shiftCountWithAnyIndexingType):
6707 (JSC::JSArray::sortVector):
6708 (JSC::JSArray::compactForSorting):
6709 * runtime/JSArray.h:
6710 (JSC::JSArray::create):
6711 (JSC::JSArray::tryCreateUninitialized):
6712 * runtime/JSCJSValue.cpp:
6713 (JSC::JSValue::toNumberSlowCase):
6714 * runtime/JSCJSValue.h:
6715 * runtime/JSCJSValueInlines.h:
6716 (JSC::jsNaN):
6717 (JSC::JSValue::JSValue):
6718 (JSC::JSValue::getPrimitiveNumber):
6719 * runtime/JSGlobalObjectFunctions.cpp:
6720 (JSC::parseInt):
6721 (JSC::jsStrDecimalLiteral):
6722 (JSC::toDouble):
6723 (JSC::jsToNumber):
6724 (JSC::parseFloat):
6725 * runtime/JSObject.cpp:
6726 (JSC::JSObject::createInitialDouble):
6727 (JSC::JSObject::convertUndecidedToDouble):
6728 (JSC::JSObject::convertInt32ToDouble):
6729 (JSC::JSObject::deletePropertyByIndex):
6730 (JSC::JSObject::ensureLengthSlow):
6731 * runtime/MathObject.cpp:
6732 (JSC::mathProtoFuncMax):
6733 (JSC::mathProtoFuncMin):
6734 * runtime/PureNaN.h: Added.
6735 (JSC::pureNaN):
6736 (JSC::isImpureNaN):
6737 (JSC::purifyNaN):
6738 * runtime/TypedArrayAdaptors.h:
6739 (JSC::FloatTypedArrayAdaptor::toJSValue):
6740
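The distinction this entry draws between a pure NaN and an impure NaN matters because a NaN-boxing scheme decides the type of a 64-bit value from its top bits: a NaN whose payload happens to land in the bit range reserved for cells or int32s would be misread as a pointer or an integer once tagged. The following C program is an added illustration, not code from JavaScriptCore or this ChangeLog. The tagging constants (raw cell pointers with a zero top 16 bits, 0xFFFF for int32s, doubles offset by 2^48, and 0x7FF8000000000000 as the canonical PNaN) are assumptions modelled on JSC's 64-bit JSValue layout; the two NaN payloads are constructed for the demonstration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tagging constants modelled on JSC's 64-bit JSValue encoding. They are an
 * assumption made for this illustration, not taken from the ChangeLog:
 *  - cells (pointers) are stored raw, so their top 16 bits are zero;
 *  - int32s carry 0xFFFF in the top 16 bits;
 *  - doubles are stored as their bit pattern plus 2^48, which keeps the top
 *    16 bits in 0x0001..0xFFFE for every well-behaved double. */
#define NUMBER_TAG           0xFFFF000000000000ULL
#define DOUBLE_ENCODE_OFFSET (1ULL << 48)
#define PURE_NAN_BITS        0x7FF8000000000000ULL   /* the canonical PNaN */

enum tag { TAG_CELL, TAG_INT32, TAG_DOUBLE };

uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
double   bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

double pure_nan(void) { return bits_to_double(PURE_NAN_BITS); }

/* A NaN whose payload is anything other than the canonical one. */
bool is_impure_nan(double d) { return isnan(d) && double_to_bits(d) != PURE_NAN_BITS; }

/* purifyNaN: collapse every NaN to PNaN; every other double passes through. */
double purify_nan(double d) { return isnan(d) ? pure_nan() : d; }

/* Box a double by adding the 2^48 offset to its raw bits. */
uint64_t encode_double(double d) { return double_to_bits(d) + DOUBLE_ENCODE_OFFSET; }

/* How a decoder classifies a boxed value purely from its top 16 bits. */
enum tag classify(uint64_t box) {
    if ((box & NUMBER_TAG) == NUMBER_TAG) return TAG_INT32;
    if ((box & NUMBER_TAG) == 0)          return TAG_CELL;
    return TAG_DOUBLE;
}

/* True when boxing d yields something the decoder still reads back as a double. */
bool encodes_as_double(double d) { return classify(encode_double(d)) == TAG_DOUBLE; }

int main(void) {
    /* Constructed payloads: valid quiet NaNs (exponent all ones, non-zero
     * mantissa) whose top 16 bits are 0xFFFF and 0xFFFE respectively. */
    double nan_cell_lookalike = bits_to_double(0xFFFF000000001000ULL);
    double nan_int_lookalike  = bits_to_double(0xFFFE000000000007ULL);

    printf("0xFFFF... NaN boxes as tag %d (0 = cell)\n",
           classify(encode_double(nan_cell_lookalike)));
    printf("0xFFFE... NaN boxes as tag %d (1 = int32)\n",
           classify(encode_double(nan_int_lookalike)));
    printf("after purifyNaN both box as tag %d (2 = double)\n",
           classify(encode_double(purify_nan(nan_cell_lookalike))));
    return 0;
}
```

The point of the purification step is visible in `classify`: adding 2^48 to a NaN with 0xFFFF in its top bits wraps the value into the cell range, and a NaN with 0xFFFE there lands in the int32 range, so any double that can carry an arbitrary payload (for example one read out of a Float64Array) must go through `purify_nan` before it is boxed.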
67412014-04-16 Juergen Ributzka <juergen@apple.com>
6742
6743 Enable system library calls in FTL for ARM64
6744 https://bugs.webkit.org/show_bug.cgi?id=130154
6745
6746 Reviewed by Geoffrey Garen and Filip Pizlo.
6747
6748 * ftl/FTLIntrinsicRepository.h:
6749 * ftl/FTLOutput.h:
6750 (JSC::FTL::Output::doubleRem):
6751 (JSC::FTL::Output::doubleSin):
6752 (JSC::FTL::Output::doubleCos):
6753
67542014-04-16 peavo@outlook.com <peavo@outlook.com>
6755
6756 Fix JSC Debug Regressions on Windows
6757 https://bugs.webkit.org/show_bug.cgi?id=131182
6758
6759 Reviewed by Brent Fulgham.
6760
6761 The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
6762 and set the st floating point register tags, if the value of the number parameter is infinite.
6763 If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
6764 This can be avoided by checking for infinity first.
6765
6766 * runtime/JSCJSValueInlines.h:
6767 (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
6768 * runtime/Options.cpp:
6769 (JSC::recomputeDependentOptions): Re-enable jit for Windows.
6770
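The fix described in this entry, checking for infinity before the cast, is the general rule for converting a double to an integer in C or C++: the conversion is only defined when the value is finite and fits the target type, and on x86 an out-of-range conversion also raises the invalid-operation flag that the entry describes lingering in the floating-point state. The function below is an added example, not the JavaScriptCore implementation. It assumes an Int52 "machine int" range of [-2^51, 2^51) and excludes negative zero; both are choices made for the illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Assumed Int52 bounds for this illustration: [-2^51, 2^51). */
#define INT52_MIN (-((int64_t)1 << 51))
#define INT52_MAX (((int64_t)1 << 51) - 1)

/* Can d be held exactly as a 52-bit integer?
 * Every test happens before the cast: converting an infinite, NaN or
 * out-of-range double to int64_t is undefined behaviour in C/C++, and on
 * x86 it additionally sets the invalid-operation flag. */
bool is_machine_int(double d) {
    if (!isfinite(d))
        return false;                    /* +inf, -inf, NaN: never cast these */
    if (d < (double)INT52_MIN || d > (double)INT52_MAX)
        return false;                    /* outside the range the cast is defined for */
    int64_t as_int = (int64_t)d;         /* now well defined */
    if ((double)as_int != d)
        return false;                    /* has a fractional part */
    if (as_int == 0 && signbit(d))
        return false;                    /* -0.0 has no integer representation */
    return true;
}
```

Ordering is the whole point: the finiteness and range tests must precede the cast, because the cast itself is what misbehaves on the values being screened out.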
67712014-04-16 Oliver Hunt <oliver@apple.com>
6772
6773 Simple ES6 feature: Array.prototype.fill
6774 https://bugs.webkit.org/show_bug.cgi?id=131703
6775
6776 Reviewed by David Hyatt.
6777
6778 Add support for Array.prototype.fill
6779
6780 * builtins/Array.prototype.js:
6781 (fill):
6782 * runtime/ArrayPrototype.cpp:
6783
67842014-04-16 Mark Hahnenberg <mhahnenberg@apple.com>
6785
6786 [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
6787 https://bugs.webkit.org/show_bug.cgi?id=131728
6788
6789 Reviewed by Darin Adler.
6790
6791 * runtime/JSObject.cpp:
6792 (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
6793 path we expect to never take. Also shut up confused compilers about uninitialized things.
6794
67952014-04-16 Filip Pizlo <fpizlo@apple.com>
6796
6797 Unreviewed, ARMv7 build fix after r167336.
6798
6799 * assembler/MacroAssemblerARMv7.h:
6800 (JSC::MacroAssemblerARMv7::branchAdd32):
6801
68022014-04-16 Gabor Rapcsanyi <rgabor@webkit.org>
6803
6804 Unreviewed, ARM64 buildfix after r167336.
6805
6806 * assembler/MacroAssemblerARM64.h:
6807 (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
6808
68092014-04-15 Filip Pizlo <fpizlo@apple.com>
6810
6811 Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
6812
6813 * dfg/DFGAbstractInterpreterInlines.h:
6814 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6815
68162014-04-15 Filip Pizlo <fpizlo@apple.com>
6817
6818 compileMakeRope does not emit necessary bounds checks
6819 https://bugs.webkit.org/show_bug.cgi?id=130684
6820 <rdar://problem/16398388>
6821
6822 Reviewed by Oliver Hunt.
6823
6824 Add string length bounds checks in a bunch of places. We should never allow a string
6825 to have a length greater than 2^31-1 because it's not clear that the language has
6826 semantics for it and because there is code that assumes that this cannot happen.
6827
6828 Also add a bunch of tests to that effect to cover the various ways in which this was
6829 previously allowed to happen.
6830
6831 * dfg/DFGOperations.cpp:
6832 * dfg/DFGSpeculativeJIT.cpp:
6833 (JSC::DFG::SpeculativeJIT::compileMakeRope):
6834 * ftl/FTLLowerDFGToLLVM.cpp:
6835 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
6836 * runtime/JSString.cpp:
6837 (JSC::JSRopeString::RopeBuilder::expand):
6838 * runtime/JSString.h:
6839 (JSC::JSString::create):
6840 (JSC::JSRopeString::RopeBuilder::append):
6841 (JSC::JSRopeString::RopeBuilder::release):
6842 (JSC::JSRopeString::append):
6843 * runtime/Operations.h:
6844 (JSC::jsString):
6845 (JSC::jsStringFromRegisterArray):
6846 (JSC::jsStringFromArguments):
6847 * runtime/StringPrototype.cpp:
6848 (JSC::stringProtoFuncIndexOf):
6849 (JSC::stringProtoFuncSlice):
6850 (JSC::stringProtoFuncSubstring):
6851 (JSC::stringProtoFuncToLowerCase):
6852 * tests/stress/make-large-string-jit-strcat.js: Added.
6853 (foo):
6854 * tests/stress/make-large-string-jit.js: Added.
6855 (foo):
6856 * tests/stress/make-large-string-strcat.js: Added.
6857 * tests/stress/make-large-string.js: Added.
6858
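The 2^31-1 bound this entry adds to rope construction is an integer-overflow check: string lengths are accumulated as each fiber is appended, and without a cap the 32-bit sum silently wraps or exceeds the range the rest of the engine assumes. The program below is an added illustration, not JavaScriptCore code. The `rope_builder` structure, which models only the length bookkeeping, and the helper names are assumptions made for the example; the inputs in the scenario are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* The bound the entry describes: a JS string may never be longer than 2^31-1. */
#define MAX_STRING_LENGTH 0x7FFFFFFFu

/* Toy rope builder (assumed for this illustration): only the fiber count and
 * the running length are modelled, not the fiber contents. */
typedef struct {
    size_t   fiber_count;
    uint32_t length;
} rope_builder;

void rope_init(rope_builder *r) { r->fiber_count = 0; r->length = 0; }

/* Add in 64 bits and compare against the cap, so the check itself cannot wrap. */
bool checked_string_length(uint32_t a, uint32_t b, uint32_t *out) {
    uint64_t sum = (uint64_t)a + (uint64_t)b;
    if (sum > MAX_STRING_LENGTH)
        return false;
    *out = (uint32_t)sum;
    return true;
}

/* The unchecked shape: a plain 32-bit add that wraps past 2^32 and happily
 * produces lengths above 2^31-1. Kept only for contrast. */
uint32_t unchecked_string_length(uint32_t a, uint32_t b) { return a + b; }

/* Convenience wrapper for callers that want a single value: -1 on overflow. */
int64_t concat_length_or_minus1(uint32_t a, uint32_t b) {
    uint32_t out;
    return checked_string_length(a, b, &out) ? (int64_t)out : -1;
}

/* Append a fiber; refuse (leaving the builder untouched) rather than let the
 * rope exceed the cap. A real engine would raise an out-of-memory or
 * RangeError condition at this point. */
bool rope_append(rope_builder *r, uint32_t fiber_length) {
    uint32_t new_length;
    if (!checked_string_length(r->length, fiber_length, &new_length))
        return false;
    r->fiber_count++;
    r->length = new_length;
    return true;
}

/* Worked scenario: the classic "s = s + s" loop that the added tests exercise.
 * Returns how many doublings succeed before the length check fires. */
int doublings_until_cap(uint32_t start) {
    rope_builder r;
    rope_init(&r);
    if (!rope_append(&r, start))
        return 0;
    int n = 0;
    while (rope_append(&r, r.length))   /* each round appends a copy of itself */
        n++;
    return n;
}
```

Starting from a one-character string, thirty doublings reach 2^30 and the thirty-first is refused, because 2^31 exceeds the cap; the unchecked addition would instead keep going and wrap at the thirty-second.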
68592014-04-15 Julien Brianceau <jbriance@cisco.com>
6860
6861 Remove invalid sh4 specific code in JITInlines header.
6862 https://bugs.webkit.org/show_bug.cgi?id=131692
6863
6864 Reviewed by Geoffrey Garen.
6865
6866 * jit/JITInlines.h:
6867 (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
6868 anymore since r160244, so the sh4 specific code is invalid now
6869 and has to be removed.
6870
68712014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6872
6873 Fix precedence issue in JSCell::setRemembered
6874
6875 Rubber stamped by Filip Pizlo.
6876
6877 * runtime/JSCell.h:
6878 (JSC::JSCell::setRemembered):
6879
68802014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6881
6882 Objective-C API external object graphs don't handle generational collection properly
6883 https://bugs.webkit.org/show_bug.cgi?id=131634
6884
6885 Reviewed by Geoffrey Garen.
6886
6887 If the set of Objective-C objects transitively reachable through an object changes, we
6888 need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
6889 won't rescan the external object graph, which would lead us to consider a newly allocated
6890 JSManagedValue to be dead.
6891
6892 * API/JSBase.cpp:
6893 (JSSynchronousEdenCollectForDebugging):
6894 * API/JSVirtualMachine.mm:
6895 (-[JSVirtualMachine initWithContextGroupRef:]):
6896 (-[JSVirtualMachine dealloc]):
6897 (-[JSVirtualMachine isOldExternalObject:]):
6898 (-[JSVirtualMachine addExternalRememberedObject:]):
6899 (-[JSVirtualMachine addManagedReference:withOwner:]):
6900 (-[JSVirtualMachine removeManagedReference:withOwner:]):
6901 (-[JSVirtualMachine externalRememberedSet]):
6902 (scanExternalObjectGraph):
6903 (scanExternalRememberedSet):
6904 * API/JSVirtualMachineInternal.h:
6905 * API/tests/testapi.mm:
6906 * heap/Heap.cpp:
6907 (JSC::Heap::markRoots):
6908 * heap/Heap.h:
6909 (JSC::Heap::slotVisitor):
6910 * heap/SlotVisitor.h:
6911 * heap/SlotVisitorInlines.h:
6912 (JSC::SlotVisitor::containsOpaqueRoot):
6913 (JSC::SlotVisitor::containsOpaqueRootTriState):
6914
69152014-04-15 Filip Pizlo <fpizlo@apple.com>
6916
6917 DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
6918 https://bugs.webkit.org/show_bug.cgi?id=131423
6919
6920 Reviewed by Geoffrey Garen.
6921
6922 This introduces more static typing into DFG IR. Previously we just had the notion of
6923 JSValues and Storage. This was weird because doubles weren't always convertible to
6924 JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
6925 sort of insert explicit conversion nodes just for the places where we knew that an
6926 implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
6927 we'd get bugs from forgetting to do the right conversion.
6928
6929 This patch introduces a hard and fast rule: doubles can never be implicitly converted to
6930 anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
6931 nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
6932 conversions. They are like Identity but return the same value using a different
6933 representation. Likewise, constants may now be represented using either JSConstant,
6934 Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
6935 Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
6936 Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
6937 we speculate DoubleReal and expect Double representation.
6938
6939 In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
6940 this also makes it easier to introduce optimizations in the future. It's now possible for
6941 AI to model when/how conversions take place. For example if doing a conversion results in
6942 NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
6943 what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
6944
6945 This was a big change, so I had to do some interesting things, like finally get rid of
6946 the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
6947 the ByteCodeParser no longer emits Identity nodes since that was always pointless.
6948
6949 No performance change because this mostly just rationalizes preexisting behavior.
6950
6951 * JavaScriptCore.xcodeproj/project.pbxproj:
6952 * assembler/MacroAssemblerX86.h:
6953 * bytecode/CodeBlock.cpp:
6954 * bytecode/CodeBlock.h:
6955 * dfg/DFGAbstractInterpreter.h:
6956 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
6957 (JSC::DFG::AbstractInterpreter::setConstant):
6958 * dfg/DFGAbstractInterpreterInlines.h:
6959 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6960 * dfg/DFGAbstractValue.cpp:
6961 (JSC::DFG::AbstractValue::set):
6962 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
6963 (JSC::DFG::AbstractValue::checkConsistency):
6964 * dfg/DFGAbstractValue.h:
6965 * dfg/DFGBackwardsPropagationPhase.cpp:
6966 (JSC::DFG::BackwardsPropagationPhase::propagate):
6967 * dfg/DFGBasicBlock.h:
6968 * dfg/DFGBasicBlockInlines.h:
6969 (JSC::DFG::BasicBlock::appendNode):
6970 (JSC::DFG::BasicBlock::appendNonTerminal):
6971 * dfg/DFGByteCodeParser.cpp:
6972 (JSC::DFG::ByteCodeParser::parseBlock):
6973 * dfg/DFGCSEPhase.cpp:
6974 (JSC::DFG::CSEPhase::constantCSE):
6975 (JSC::DFG::CSEPhase::performNodeCSE):
6976 (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
6977 * dfg/DFGCapabilities.h:
6978 * dfg/DFGClobberize.h:
6979 (JSC::DFG::clobberize):
6980 * dfg/DFGConstantFoldingPhase.cpp:
6981 (JSC::DFG::ConstantFoldingPhase::foldConstants):
6982 * dfg/DFGDCEPhase.cpp:
6983 (JSC::DFG::DCEPhase::fixupBlock):
6984 * dfg/DFGEdge.h:
6985 (JSC::DFG::Edge::willNotHaveCheck):
6986 * dfg/DFGFixupPhase.cpp:
6987 (JSC::DFG::FixupPhase::run):
6988 (JSC::DFG::FixupPhase::fixupNode):
6989 (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
6990 (JSC::DFG::FixupPhase::observeUseKindOnNode):
6991 (JSC::DFG::FixupPhase::fixIntEdge):
6992 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
6993 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
6994 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
6995 (JSC::DFG::FixupPhase::fixEdgeRepresentation):
6996 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6997 (JSC::DFG::FixupPhase::addRequiredPhantom):
6998 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
6999 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
7000 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
7001 * dfg/DFGFlushFormat.h:
7002 (JSC::DFG::resultFor):
7003 (JSC::DFG::useKindFor):
7004 * dfg/DFGGraph.cpp:
7005 (JSC::DFG::Graph::dump):
7006 * dfg/DFGGraph.h:
7007 (JSC::DFG::Graph::addNode):
7008 * dfg/DFGInPlaceAbstractState.cpp:
7009 (JSC::DFG::InPlaceAbstractState::initialize):
7010 * dfg/DFGInsertionSet.h:
7011 (JSC::DFG::InsertionSet::insertNode):
7012 (JSC::DFG::InsertionSet::insertConstant):
7013 (JSC::DFG::InsertionSet::insertConstantForUse):
7014 * dfg/DFGIntegerCheckCombiningPhase.cpp:
7015 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
7016 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
7017 * dfg/DFGNode.cpp:
7018 (JSC::DFG::Node::convertToIdentity):
7019 (WTF::printInternal):
7020 * dfg/DFGNode.h:
7021 (JSC::DFG::Node::Node):
7022 (JSC::DFG::Node::setResult):
7023 (JSC::DFG::Node::result):
7024 (JSC::DFG::Node::isConstant):
7025 (JSC::DFG::Node::hasConstant):
7026 (JSC::DFG::Node::convertToConstant):
7027 (JSC::DFG::Node::valueOfJSConstant):
7028 (JSC::DFG::Node::hasResult):
7029 (JSC::DFG::Node::hasInt32Result):
7030 (JSC::DFG::Node::hasInt52Result):
7031 (JSC::DFG::Node::hasNumberResult):
7032 (JSC::DFG::Node::hasDoubleResult):
7033 (JSC::DFG::Node::hasJSResult):
7034 (JSC::DFG::Node::hasBooleanResult):
7035 (JSC::DFG::Node::hasStorageResult):
7036 (JSC::DFG::Node::defaultUseKind):
7037 (JSC::DFG::Node::defaultEdge):
7038 (JSC::DFG::Node::convertToIdentity): Deleted.
7039 * dfg/DFGNodeFlags.cpp:
7040 (JSC::DFG::dumpNodeFlags):
7041 * dfg/DFGNodeFlags.h:
7042 (JSC::DFG::canonicalResultRepresentation):
7043 * dfg/DFGNodeType.h:
7044 * dfg/DFGOSRExitCompiler32_64.cpp:
7045 (JSC::DFG::OSRExitCompiler::compileExit):
7046 * dfg/DFGOSRExitCompiler64.cpp:
7047 (JSC::DFG::OSRExitCompiler::compileExit):
7048 * dfg/DFGPredictionPropagationPhase.cpp:
7049 (JSC::DFG::PredictionPropagationPhase::propagate):
7050 * dfg/DFGResurrectionForValidationPhase.cpp:
7051 (JSC::DFG::ResurrectionForValidationPhase::run):
7052 * dfg/DFGSSAConversionPhase.cpp:
7053 (JSC::DFG::SSAConversionPhase::run):
7054 * dfg/DFGSafeToExecute.h:
7055 (JSC::DFG::SafeToExecuteEdge::operator()):
7056 (JSC::DFG::safeToExecute):
7057 * dfg/DFGSpeculativeJIT.cpp:
7058 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
7059 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
7060 (JSC::DFG::SpeculativeJIT::silentFill):
7061 (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
7062 (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
7063 (JSC::DFG::JSValueRegsTemporary::regs):
7064 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
7065 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
7066 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
7067 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
7068 (JSC::DFG::SpeculativeJIT::compileValueRep):
7069 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
7070 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
7071 (JSC::DFG::SpeculativeJIT::compileAdd):
7072 (JSC::DFG::SpeculativeJIT::compileArithSub):
7073 (JSC::DFG::SpeculativeJIT::compileArithNegate):
7074 (JSC::DFG::SpeculativeJIT::compileArithMul):
7075 (JSC::DFG::SpeculativeJIT::compileArithDiv):
7076 (JSC::DFG::SpeculativeJIT::compileArithMod):
7077 (JSC::DFG::SpeculativeJIT::compare):
7078 (JSC::DFG::SpeculativeJIT::compileStrictEq):
7079 (JSC::DFG::SpeculativeJIT::speculateNumber):
7080 (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
7081 (JSC::DFG::SpeculativeJIT::speculate):
7082 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
7083 (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
7084 (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
7085 * dfg/DFGSpeculativeJIT.h:
7086 (JSC::DFG::SpeculativeJIT::allocate):
7087 (JSC::DFG::SpeculativeJIT::use):
7088 (JSC::DFG::SpeculativeJIT::boxDouble):
7089 (JSC::DFG::SpeculativeJIT::spill):
7090 (JSC::DFG::SpeculativeJIT::jsValueResult):
7091 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
7092 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
7093 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
7094 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
7095 * dfg/DFGSpeculativeJIT32_64.cpp:
7096 (JSC::DFG::SpeculativeJIT::fillJSValue):
7097 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
7098 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
7099 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
7100 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
7101 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
7102 (JSC::DFG::SpeculativeJIT::emitBranch):
7103 (JSC::DFG::SpeculativeJIT::compile):
7104 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
7105 * dfg/DFGSpeculativeJIT64.cpp:
7106 (JSC::DFG::SpeculativeJIT::fillJSValue):
7107 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
7108 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
7109 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
7110 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
7111 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
7112 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
7113 (JSC::DFG::SpeculativeJIT::emitBranch):
7114 (JSC::DFG::SpeculativeJIT::compile):
7115 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
7116 * dfg/DFGStrengthReductionPhase.cpp:
7117 (JSC::DFG::StrengthReductionPhase::handleNode):
7118 * dfg/DFGUseKind.cpp:
7119 (WTF::printInternal):
7120 * dfg/DFGUseKind.h:
7121 (JSC::DFG::typeFilterFor):
7122 (JSC::DFG::shouldNotHaveTypeCheck):
7123 (JSC::DFG::mayHaveTypeCheck):
7124 (JSC::DFG::isNumerical):
7125 (JSC::DFG::isDouble):
7126 (JSC::DFG::isCell):
7127 (JSC::DFG::usesStructure):
7128 (JSC::DFG::useKindForResult):
7129 * dfg/DFGValidate.cpp:
7130 (JSC::DFG::Validate::validate):
7131 * dfg/DFGVariadicFunction.h: Removed.
7132 * ftl/FTLCapabilities.cpp:
7133 (JSC::FTL::canCompile):
7134 * ftl/FTLLowerDFGToLLVM.cpp:
7135 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
7136 (JSC::FTL::LowerDFGToLLVM::compileNode):
7137 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
7138 (JSC::FTL::LowerDFGToLLVM::compilePhi):
7139 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
7140 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
7141 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
7142 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
7143 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
7144 (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
7145 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
7146 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
7147 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
7148 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
7149 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
7150 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
7151 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
7152 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
7153 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
7154 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
7155 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
7156 (JSC::FTL::LowerDFGToLLVM::compare):
7157 (JSC::FTL::LowerDFGToLLVM::boolify):
7158 (JSC::FTL::LowerDFGToLLVM::lowInt52):
7159 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
7160 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
7161 (JSC::FTL::LowerDFGToLLVM::lowDouble):
7162 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
7163 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
7164 (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
7165 (JSC::FTL::LowerDFGToLLVM::speculate):
7166 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
7167 (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
7168 (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
7169 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
7170 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
7171 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
7172 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
7173 * ftl/FTLValueFormat.cpp:
7174 (JSC::FTL::reboxAccordingToFormat):
7175 * jit/AssemblyHelpers.cpp:
7176 (JSC::AssemblyHelpers::sanitizeDouble):
7177 * jit/AssemblyHelpers.h:
7178 (JSC::AssemblyHelpers::boxDouble):
7179
71802014-04-15 Commit Queue <commit-queue@webkit.org>
7181
7182 Unreviewed, rolling out r167199 and r167251.
7183 https://bugs.webkit.org/show_bug.cgi?id=131678
7184
7185 Caused a DYEBench regression and does not seem to improve perf
7186 on relevant websites (Requested by rniwa on #webkit).
7187
7188 Reverted changesets:
7189
7190 "Rewrite Function.bind as a builtin"
7191 https://bugs.webkit.org/show_bug.cgi?id=131083
7192 http://trac.webkit.org/changeset/167199
7193
7194 "Update test result"
7195 http://trac.webkit.org/changeset/167251
7196
71972014-04-14 Commit Queue <commit-queue@webkit.org>
7198
7199 Unreviewed, rolling out r167272.
7200 https://bugs.webkit.org/show_bug.cgi?id=131666
7201
7202 Broke multiple tests (Requested by ap on #webkit).
7203
7204 Reverted changeset:
7205
7206 "Function.bind itself is too slow"
7207 https://bugs.webkit.org/show_bug.cgi?id=131636
7208 http://trac.webkit.org/changeset/167272
7209
72102014-04-14 Geoffrey Garen <ggaren@apple.com>
7211
7212 ASSERT when firing low memory warning
7213 https://bugs.webkit.org/show_bug.cgi?id=131659
7214
7215 Reviewed by Mark Hahnenberg.
7216
7217 * heap/Heap.cpp:
7218 (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
7219 called when no GC is happening because that is what we do when a low
7220 memory warning fires, and it is harmless.
7221
72222014-04-14 Mark Hahnenberg <mhahnenberg@apple.com>
7223
7224 emit_op_put_by_id should not emit a write barrier that filters on value
7225 https://bugs.webkit.org/show_bug.cgi?id=131654
7226
7227 Reviewed by Filip Pizlo.
7228
7229 The 32-bit implementation does this, and it can cause crashes if we later repatch the
7230 code to allocate and store new Butterflies.
7231
7232 * jit/JITPropertyAccess.cpp:
7233 (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
7234 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
7235 load down into the if statement so that we don't do it if we're not filtering on the value.
7236 * jit/JITPropertyAccess32_64.cpp:
7237 (JSC::JIT::emit_op_put_by_id):
7238
72392014-04-14 Oliver Hunt <oliver@apple.com>
7240
7241 Function.bind itself is too slow
7242 https://bugs.webkit.org/show_bug.cgi?id=131636
7243
7244 Reviewed by Geoffrey Garen.
7245
7246 Rather than forcing creation of an activation, we now store
7247 bound function properties directly on the returned closure.
7248 This is necessary to deal with code that creates many function
7249 bindings, but does not call them very often.
7250
7251 This is a 60% speed up in the included js/regress test.
7252
7253 * builtins/BuiltinExecutables.cpp:
7254 (JSC::BuiltinExecutables::createBuiltinExecutable):
7255 * builtins/Function.prototype.js:
7256 (bind.bindingFunction):
7257 (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
7258 (bind.else.switch.case.1.bindingFunction):
7259 (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
7260 (bind.else.switch.case.2.bindingFunction):
7261 (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
7262 (bind.else.switch.case.3.bindingFunction):
7263 (bind.else.switch.bindingFunction):
7264 (bind):
7265 (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
7266 (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
7267 (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
7268 * runtime/CommonIdentifiers.h:
7269
72702014-04-14 Julien Brianceau <jbriance@cisco.com>
7271
7272 [sh4] Allow use of SubImmediates in LLINT.
7273 https://bugs.webkit.org/show_bug.cgi?id=131608
7274
7275 Reviewed by Mark Lam.
7276
7277 Allow use of SubImmediates with const pool so the sh4 architecture can
7278 share the arm path for setEntryAddress macro. It reduces architecture
7279 specific code and leads to more optimal generated code for sh4.
7280
7281 * llint/LowLevelInterpreter.asm:
7282 * offlineasm/sh4.rb:
7283
72842014-04-14 Andreas Kling <akling@apple.com>
7285
7286 Array.prototype.concat should allocate output storage only once.
7287 <https://webkit.org/b/131609>
7288
7289 Do a first pass across 'this' and any arguments to compute the
7290 final size of the resulting array from Array.prototype.concat.
7291 This avoids having to grow the output incrementally as we go.
7292
7293 This also includes two other micro-optimizations:
7294
7295 - Mark getProperty() with ALWAYS_INLINE.
7296
7297 - Use JSArray::length() instead of taking the generic property
7298 lookup path when we know an argument is an Array.
7299
7300 My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
7301
7302 Reviewed by Oliver & Darin.
7303
7304 * runtime/ArrayPrototype.cpp:
7305 (JSC::getProperty):
7306 (JSC::arrayProtoFuncConcat):
7307
73082014-04-14 Commit Queue <commit-queue@webkit.org>
7309
7310 Unreviewed, rolling out r167249.
7311 https://bugs.webkit.org/show_bug.cgi?id=131621
7312
7313 broke 3 tests on cloop (Requested by kling on #webkit).
7314
7315 Reverted changeset:
7316
7317 "Array.prototype.concat should allocate output storage only
7318 once."
7319 https://bugs.webkit.org/show_bug.cgi?id=131609
7320 http://trac.webkit.org/changeset/167249
7321
73222014-04-14 Alex Christensen <achristensen@webkit.org>
7323
7324 Fixed potential integer truncation.
7325 https://bugs.webkit.org/show_bug.cgi?id=131615
7326
7327 Reviewed by Darin Adler.
7328
7329 * assembler/X86Assembler.h:
7330 (JSC::X86Assembler::fillNops):
7331 Truncate the size_t to an unsigned after it is limited to 15 instead of before.
7332
73332014-04-14 Andreas Kling <akling@apple.com>
7334
7335 Array.prototype.concat should allocate output storage only once.
7336 <https://webkit.org/b/131609>
7337
7338 Do a first pass across 'this' and any arguments to compute the
7339 final size of the resulting array from Array.prototype.concat.
7340 This avoids having to grow the output incrementally as we go.
7341
7342 This also includes two other micro-optimizations:
7343
7344 - Mark getProperty() with ALWAYS_INLINE.
7345
7346 - Use JSArray::length() instead of taking the generic property
7347 lookup path when we know an argument is an Array.
7348
7349 My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
7350
7351 Reviewed by Darin Adler.
7352
7353 * runtime/ArrayPrototype.cpp:
7354 (JSC::getProperty):
7355 (JSC::arrayProtoFuncConcat):
7356
73572014-04-14 Benjamin Poulain <benjamin@webkit.org>
7358
7359 [JSC] Improve the call site of string comparison in some hot path
7360 https://bugs.webkit.org/show_bug.cgi?id=131605
7361
7362 Reviewed by Darin Adler.
7363
7364 When resolved, the String of a JSString is never null. It can be empty but not null.
7365 The null value is reserved for ropes but those would be resolved when getting the value.
7366
7367 Consequently, we should use the equal() operation that does not handle null values.
7368 Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
7369
7370 * jit/JITOperations.cpp:
7371 * runtime/JSCJSValueInlines.h:
7372 (JSC::JSValue::equalSlowCaseInline):
7373 (JSC::JSValue::strictEqualSlowCaseInline):
7374 (JSC::JSValue::pureStrictEqual):
7375
73762014-04-08 Oliver Hunt <oliver@apple.com>
7377
7378 Rewrite Function.bind as a builtin
7379 https://bugs.webkit.org/show_bug.cgi?id=131083
7380
7381 Reviewed by Geoffrey Garen.
7382
7383 This change removes the existing function.bind implementation
7384 entirely so JSBoundFunction is no more.
7385
7386 Instead we just return a regular JS closure with a few
7387 private properties hanging off it that allow us to perform
7388 the necessary bound function fakery. While most of this is
7389 simple, a couple of key changes:
7390
7391 - The parser and lexer now directly track whether they're
7392 parsing code for call or construct and convert the private
7393 name @IsConstructor into TRUETOK or FALSETOK as appropriate.
7394 This automatically gives us the ability to vary behaviour
7395 from within the builtin. It also leaves a lot of headroom
7396 for trivial future improvements.
7397 - The instanceof operator now uses the prototypeForHasInstance
7398 private name, and we have a helper function to ensure that
7399 all objects that need to can update their magical 'prototype'
7400 property pair correctly.
7401
7402 * API/JSScriptRef.cpp:
7403 (parseScript):
7404 * JavaScriptCore.xcodeproj/project.pbxproj:
7405 * builtins/BuiltinExecutables.cpp:
7406 (JSC::BuiltinExecutables::createBuiltinExecutable):
7407 * builtins/Function.prototype.js:
7408 (bind.bindingFunction):
7409 (bind.else.bindingFunction):
7410 (bind):
7411 * bytecode/UnlinkedCodeBlock.cpp:
7412 (JSC::generateFunctionCodeBlock):
7413 * bytecompiler/NodesCodegen.cpp:
7414 (JSC::InstanceOfNode::emitBytecode):
7415 * interpreter/Interpreter.cpp:
7416 * parser/Lexer.cpp:
7417 (JSC::Lexer<T>::Lexer):
7418 (JSC::Lexer<LChar>::parseIdentifier):
7419 (JSC::Lexer<UChar>::parseIdentifier):
7420 * parser/Lexer.h:
7421 * parser/Parser.cpp:
7422 (JSC::Parser<LexerType>::Parser):
7423 (JSC::Parser<LexerType>::parseInner):
7424 * parser/Parser.h:
7425 (JSC::parse):
7426 * parser/ParserModes.h:
7427 * runtime/CodeCache.cpp:
7428 (JSC::CodeCache::getGlobalCodeBlock):
7429 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
7430 * runtime/CommonIdentifiers.h:
7431 * runtime/Completion.cpp:
7432 (JSC::checkSyntax):
7433 * runtime/Executable.cpp:
7434 (JSC::ProgramExecutable::checkSyntax):
7435 * runtime/FunctionPrototype.cpp:
7436 (JSC::FunctionPrototype::addFunctionProperties):
7437 (JSC::functionProtoFuncBind): Deleted.
7438 * runtime/JSBoundFunction.cpp: Removed.
7439 * runtime/JSBoundFunction.h: Removed.
7440 * runtime/JSFunction.cpp:
7441 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
7442 (JSC::RetrieveCallerFunctionFunctor::operator()):
7443 (JSC::retrieveCallerFunction):
7444 (JSC::JSFunction::getOwnPropertySlot):
7445 (JSC::JSFunction::defineOwnProperty):
7446 * runtime/JSGlobalObject.cpp:
7447 (JSC::JSGlobalObject::reset):
7448 * runtime/JSGlobalObjectFunctions.cpp:
7449 (JSC::globalFuncSetTypeErrorAccessor):
7450 * runtime/JSGlobalObjectFunctions.h:
7451 * runtime/JSObject.h:
7452 (JSC::JSObject::inlineGetOwnPropertySlot):
7453
74542014-04-12 Filip Pizlo <fpizlo@apple.com>
7455
7456 Math.fround() should be an intrinsic
7457 https://bugs.webkit.org/show_bug.cgi?id=131583
7458
7459 Reviewed by Geoffrey Garen.
7460
7461 Makes programs that use Math.fround() run up to 6x faster.
7462
7463 * dfg/DFGAbstractInterpreterInlines.h:
7464 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
7465 * dfg/DFGByteCodeParser.cpp:
7466 (JSC::DFG::ByteCodeParser::handleIntrinsic):
7467 * dfg/DFGCSEPhase.cpp:
7468 (JSC::DFG::CSEPhase::performNodeCSE):
7469 * dfg/DFGClobberize.h:
7470 (JSC::DFG::clobberize):
7471 * dfg/DFGFixupPhase.cpp:
7472 (JSC::DFG::FixupPhase::fixupNode):
7473 * dfg/DFGNodeType.h:
7474 * dfg/DFGPredictionPropagationPhase.cpp:
7475 (JSC::DFG::PredictionPropagationPhase::propagate):
7476 * dfg/DFGSafeToExecute.h:
7477 (JSC::DFG::safeToExecute):
7478 * dfg/DFGSpeculativeJIT32_64.cpp:
7479 (JSC::DFG::SpeculativeJIT::compile):
7480 * dfg/DFGSpeculativeJIT64.cpp:
7481 (JSC::DFG::SpeculativeJIT::compile):
7482 * ftl/FTLCapabilities.cpp:
7483 (JSC::FTL::canCompile):
7484 * ftl/FTLLowerDFGToLLVM.cpp:
7485 (JSC::FTL::LowerDFGToLLVM::compileNode):
7486 (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
7487 * runtime/Intrinsic.h:
7488 * runtime/MathObject.cpp:
7489 (JSC::MathObject::finishCreation):
7490
74912014-04-12 Filip Pizlo <fpizlo@apple.com>
7492
7493 FTL should use stackmap register liveness
7494 https://bugs.webkit.org/show_bug.cgi?id=130791
7495
7496 Reviewed by Geoffrey Garen.
7497
7498 Enable the stackmap register liveness support by fixing the last two bugs:
7499
7500 - If everything is dead after the patchpoint - a good possibility for a put_by_id -
7501 then we shouldn't crash due to a null scratch buffer.
7502
7503 - Always consider callee-saves as if they were live. More precisely, we should
7504 consider those callee-saves that are not saved by the enclosing function to be live.
7505 For now we do the much simpler thing and consider callee-saves to be always live
7506 since it has minimal impact on the scratch register allocator. It will know not to
7507 preserve those for calls, anyway.
7508
7509 I tried writing a test for the null scratch buffer thing, but failed. I will land the
7510 test anyway since it seems useful.
7511
7512 * ftl/FTLCompile.cpp:
7513 (JSC::FTL::usedRegistersFor):
7514 * jit/ScratchRegisterAllocator.cpp:
7515 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
7516 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
7517 * runtime/Options.h:
7518 * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
7519 (foo):
7520
75212014-04-11 Filip Pizlo <fpizlo@apple.com>
7522
7523 DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
7524 https://bugs.webkit.org/show_bug.cgi?id=131424
7525
7526 Reviewed by Geoffrey Garen.
7527
7528 This defers type conversion injection until we've decided on types. This makes the
7529 process of deciding types a bit more flexible - for example we can naturally fixpoint
7530 and change our minds. Only when things are settled do we actually insert conversions.
7531
7532 This is a necessary prerequisite for keeping double, int52, and JSValue data flow
7533 separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
7534 that there are typed uses. If we were eagerly inserting type conversions then we would
7535 first insert a to/from-JSValue conversion in some cases only to then replace it by
7536 the other conversions. It's probably trivial to remove those redundant conversions later
7537 but I think it's better if we don't insert them to begin with.
7538
7539 * bytecode/CodeOrigin.h:
7540 (JSC::CodeOrigin::operator!):
7541 * dfg/DFGFixupPhase.cpp:
7542 (JSC::DFG::FixupPhase::run):
7543 (JSC::DFG::FixupPhase::fixupBlock):
7544 (JSC::DFG::FixupPhase::fixupNode):
7545 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
7546 (JSC::DFG::FixupPhase::fixEdge):
7547 (JSC::DFG::FixupPhase::fixIntEdge):
7548 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
7549 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
7550 (JSC::DFG::FixupPhase::addRequiredPhantom):
7551 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
7552 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
7553 (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
7554 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
7555 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
7556
75572014-04-11 Brian J. Burg <burg@cs.washington.edu>
7558
7559 Web Replay: code generator should consider enclosing class when computing duplicate type names
7560 https://bugs.webkit.org/show_bug.cgi?id=131554
7561
7562 Reviewed by Timothy Hatcher.
7563
7564 We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
7565 can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
7566 by the enclosing class and enum name.
7567
7568 Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
7569
7570 * replay/scripts/CodeGeneratorReplayInputs.py:
7571 (Type.type_name): Prepend the enclosing class name.
7572 (Type.type_name.is):
7573 * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
7574 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
7575 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
7576 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
7577 * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
7578 * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
7579
75802014-04-11 Gavin Barraclough <baraclough@apple.com>
7581
7582 Rollout - Rewrite Function.bind as a builtin
7583 https://bugs.webkit.org/show_bug.cgi?id=131083
7584
7585 Unreviewed.
7586
7587 Rolling out r167020 while investigating a performance regression.
7588
7589 * API/JSObjectRef.cpp:
7590 (JSObjectMakeConstructor):
7591 * API/JSScriptRef.cpp:
7592 (parseScript):
7593 * CMakeLists.txt:
7594 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
7595 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
7596 * JavaScriptCore.xcodeproj/project.pbxproj:
7597 * builtins/BuiltinExecutables.cpp:
7598 (JSC::BuiltinExecutables::createBuiltinExecutable):
7599 * builtins/Function.prototype.js:
7600 (apply):
7601 (bind.bindingFunction): Deleted.
7602 (bind.else.bindingFunction): Deleted.
7603 (bind): Deleted.
7604 * bytecode/UnlinkedCodeBlock.cpp:
7605 (JSC::generateFunctionCodeBlock):
7606 * bytecompiler/NodesCodegen.cpp:
7607 (JSC::InstanceOfNode::emitBytecode):
7608 * interpreter/Interpreter.cpp:
7609 * parser/Lexer.cpp:
7610 (JSC::Lexer<T>::Lexer):
7611 (JSC::Lexer<LChar>::parseIdentifier):
7612 (JSC::Lexer<UChar>::parseIdentifier):
7613 * parser/Lexer.h:
7614 * parser/Parser.cpp:
7615 (JSC::Parser<LexerType>::Parser):
7616 (JSC::Parser<LexerType>::parseInner):
7617 * parser/Parser.h:
7618 (JSC::parse):
7619 * parser/ParserModes.h:
7620 * runtime/ArgumentsIteratorConstructor.cpp:
7621 (JSC::ArgumentsIteratorConstructor::finishCreation):
7622 * runtime/ArrayConstructor.cpp:
7623 (JSC::ArrayConstructor::finishCreation):
7624 * runtime/BooleanConstructor.cpp:
7625 (JSC::BooleanConstructor::finishCreation):
7626 * runtime/CodeCache.cpp:
7627 (JSC::CodeCache::getGlobalCodeBlock):
7628 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
7629 * runtime/CommonIdentifiers.h:
7630 * runtime/Completion.cpp:
7631 (JSC::checkSyntax):
7632 * runtime/DateConstructor.cpp:
7633 (JSC::DateConstructor::finishCreation):
7634 * runtime/ErrorConstructor.cpp:
7635 (JSC::ErrorConstructor::finishCreation):
7636 * runtime/Executable.cpp:
7637 (JSC::ProgramExecutable::checkSyntax):
7638 * runtime/FunctionConstructor.cpp:
7639 (JSC::FunctionConstructor::finishCreation):
7640 * runtime/FunctionPrototype.cpp:
7641 (JSC::FunctionPrototype::addFunctionProperties):
7642 (JSC::functionProtoFuncBind):
7643 * runtime/JSArrayBufferConstructor.cpp:
7644 (JSC::JSArrayBufferConstructor::finishCreation):
7645 * runtime/JSBoundFunction.cpp: Added.
7646 (JSC::boundFunctionCall):
7647 (JSC::boundFunctionConstruct):
7648 (JSC::JSBoundFunction::create):
7649 (JSC::JSBoundFunction::destroy):
7650 (JSC::JSBoundFunction::customHasInstance):
7651 (JSC::JSBoundFunction::JSBoundFunction):
7652 (JSC::JSBoundFunction::finishCreation):
7653 (JSC::JSBoundFunction::visitChildren):
7654 * runtime/JSBoundFunction.h: Added.
7655 (JSC::JSBoundFunction::targetFunction):
7656 (JSC::JSBoundFunction::boundThis):
7657 (JSC::JSBoundFunction::boundArgs):
7658 (JSC::JSBoundFunction::createStructure):
7659 * runtime/JSFunction.cpp:
7660 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
7661 (JSC::RetrieveCallerFunctionFunctor::operator()):
7662 (JSC::retrieveCallerFunction):
7663 (JSC::JSFunction::getOwnPropertySlot):
7664 (JSC::JSFunction::getOwnNonIndexPropertyNames):
7665 (JSC::JSFunction::put):
7666 (JSC::JSFunction::defineOwnProperty):
7667 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
7668 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
7669 * runtime/JSGlobalObject.cpp:
7670 (JSC::JSGlobalObject::reset):
7671 * runtime/JSGlobalObjectFunctions.cpp:
7672 (JSC::globalFuncSetTypeErrorAccessor): Deleted.
7673 * runtime/JSGlobalObjectFunctions.h:
7674 * runtime/JSObject.cpp:
7675 (JSC::JSObject::putDirectPrototypeProperty): Deleted.
7676 (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
7677 * runtime/JSObject.h:
7678 * runtime/JSPromiseConstructor.cpp:
7679 (JSC::JSPromiseConstructor::finishCreation):
7680 * runtime/MapConstructor.cpp:
7681 (JSC::MapConstructor::finishCreation):
7682 * runtime/MapIteratorConstructor.cpp:
7683 (JSC::MapIteratorConstructor::finishCreation):
7684 * runtime/NameConstructor.cpp:
7685 (JSC::NameConstructor::finishCreation):
7686 * runtime/NativeErrorConstructor.cpp:
7687 (JSC::NativeErrorConstructor::finishCreation):
7688 * runtime/NumberConstructor.cpp:
7689 (JSC::NumberConstructor::finishCreation):
7690 * runtime/ObjectConstructor.cpp:
7691 (JSC::ObjectConstructor::finishCreation):
7692 * runtime/RegExpConstructor.cpp:
7693 (JSC::RegExpConstructor::finishCreation):
7694 * runtime/SetConstructor.cpp:
7695 (JSC::SetConstructor::finishCreation):
7696 * runtime/SetIteratorConstructor.cpp:
7697 (JSC::SetIteratorConstructor::finishCreation):
7698 * runtime/StringConstructor.cpp:
7699 (JSC::StringConstructor::finishCreation):
7700 * runtime/WeakMapConstructor.cpp:
7701 (JSC::WeakMapConstructor::finishCreation):
7702
77032014-04-11 David Kilzer <ddkilzer@apple.com>
7704
7705 [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
7706 <http://webkit.org/b/131556>
7707 <rdar://problem/16591856>
7708
7709 Reviewed by Brent Fulgham.
7710
7711 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
7712 OTHER_LDFLAGS so the ASan build does not try to link to
7713 libclang_rt.asan_osx_dynamic.dylib.
7714
77152014-04-11 Mark Lam <mark.lam@apple.com>
7716
7717 JSMainThreadExecState::call() should clear exceptions before returning.
7718 <https://webkit.org/b/131530>
7719
7720 Reviewed by Geoffrey Garen.
7721
7722 Added a version of JSC::call() that returns any uncaught exception instead
7723 of leaving it pending in the VM.
7724
7725 As part of this change, I updated various parts of the code base to use the
7726 new API as needed.
7727
7728 * bindings/ScriptFunctionCall.cpp:
7729 (Deprecated::ScriptFunctionCall::call):
7730 - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
7731 The injected scripts will include Inspector scripts that should catch
7732 and handle any exceptions that were thrown. We should not be seeing any
7733 exceptions returned from this call. However, we do have checks for
7734 exceptions in case there are bugs in the Inspector scripts which allowed
7735 the exception to leak through. Hence, it is proper to clear the exception
7736 here, and only record the fact that an exception was seen (if present).
7737
7738 * bindings/ScriptFunctionCall.h:
7739 * inspector/InspectorEnvironment.h:
7740 * runtime/CallData.cpp:
7741 (JSC::call):
7742 * runtime/CallData.h:
7743
77442014-04-11 Oliver Hunt <oliver@apple.com>
7745
7746 Add BuiltinLog function to make debugging builtins easier
7747 https://bugs.webkit.org/show_bug.cgi?id=131550
7748
7749 Reviewed by Andreas Kling.
7750
7751 Add a logging function that builtins can use for debugging.
7752
7753 * runtime/CommonIdentifiers.h:
7754 * runtime/JSGlobalObject.cpp:
7755 (JSC::JSGlobalObject::reset):
7756 * runtime/JSGlobalObjectFunctions.cpp:
7757 (JSC::globalFuncBuiltinLog):
7758 * runtime/JSGlobalObjectFunctions.h:
7759
77602014-04-11 Julien Brianceau <jbriance@cisco.com>
7761
7762 Fix LLInt for sh4 architecture (broken since C stack merge).
7763 https://bugs.webkit.org/show_bug.cgi?id=131532
7764
7765 Reviewed by Mark Lam.
7766
7767 This patch fixes build and also implements sh4 parts for initPCRelative and
7768 setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
7769
7770 * llint/LowLevelInterpreter.asm:
7771 * llint/LowLevelInterpreter32_64.asm:
7772 * offlineasm/instructions.rb:
7773 * offlineasm/sh4.rb:
7774
77752014-04-10 Michael Saboff <msaboff@apple.com>
7776
7777 Crash beneath DFG JIT code @ video.disney.com
7778 https://bugs.webkit.org/show_bug.cgi?id=131447
7779
7780 Reviewed by Geoffrey Garen.
7781
7782 The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
7783 'tag not less than Undefined' check. The first check was incorrectly elided if we
7784 knew that the value *was* an int32, when it should have been elided if we already
7785 knew that the value *was not* an int32.
7786
7787 * dfg/DFGSpeculativeJIT.cpp:
7788 (JSC::DFG::SpeculativeJIT::speculateMisc):
7789 * tests/stress/test-spec-misc.js: Added test.
7790 (getX):
7791 (foo):
7792 (bar):
7793
77942014-04-08 Filip Pizlo <fpizlo@apple.com>
7795
7796 Make room for additional types in SpeculatedType.h
7797 https://bugs.webkit.org/show_bug.cgi?id=131422
7798
7799 Reviewed by Sam Weinig.
7800
7801 This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
7802
7803 * bytecode/SpeculatedType.h:
7804
78052014-04-10 Alex Christensen <achristensen@webkit.org>
7806
7807 Compile fix for Win64.
7808 https://bugs.webkit.org/show_bug.cgi?id=131508
7809
7810 Reviewed by Geoffrey Garen.
7811
7812 * assembler/X86Assembler.h:
7813 (JSC::X86Assembler::fillNops):
7814 Added unsigned template parameter to distinguish between size_t and unsigned long.
7815
78162014-04-10 Michael Saboff <msaboff@apple.com>
7817
7818 LLInt interpreter code should be generated as part of one function
7819 https://bugs.webkit.org/show_bug.cgi?id=131205
7820
7821 Reviewed by Mark Lam.
7822
7823 Changed the generation of llint opcodes so that they are all part of the same
7824 global function, llint_entry. That function is used to fill in an entry point
7825 table that includes each of the opcodes and helpers.
7826
7827 * CMakeLists.txt:
7828 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
7829 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
7830 * JavaScriptCore.xcodeproj/project.pbxproj:
7831 Added appropriate use of new -I option to offline assembler and offset
7832 generator scripts.
7833
7834 * llint/LowLevelInterpreter.asm:
7835 * llint/LowLevelInterpreter.cpp:
7836 * llint/LowLevelInterpreter.h:
7837 * offlineasm/arm.rb:
7838 * offlineasm/arm64.rb:
7839 * offlineasm/asm.rb:
7840 * offlineasm/ast.rb:
7841 * offlineasm/backends.rb:
7842 * offlineasm/cloop.rb:
7843 * offlineasm/generate_offset_extractor.rb:
7844 * offlineasm/instructions.rb:
7845 * offlineasm/parser.rb:
7846 * offlineasm/registers.rb:
7847 * offlineasm/self_hash.rb:
7848 * offlineasm/settings.rb:
7849 * offlineasm/transform.rb:
7850 * offlineasm/x86.rb:
7851 Added a new "global" keyword to the offline assembler that denotes a label that
7852 should be exported. Added opcode and operand support to get the absolute
7853 address of a local label using position independent calculations. Updated the
7854 offline assembler to handle included files, both when generating the checksum
7855 as well as including files from other than the local directory via a newly
7856 added -I option. The offline assembler now automatically determines external
7857 functions by keeping track of referenced functions that are defined within the
7858 assembly source. This is used both for choosing the correct macro for external
7859 references as well as generating the needed EXTERN directives for masm.
7860 Updated the generation of the masm only .sym file to be written once at the end
7861 of the offline assembler.
7862
7863 * assembler/MacroAssemblerCodeRef.h:
7864 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
7865 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
7866 * bytecode/CodeBlock.cpp:
7867 (JSC::CodeBlock::dumpBytecode):
7868 (JSC::CodeBlock::CodeBlock):
7869 * bytecode/GetByIdStatus.cpp:
7870 (JSC::GetByIdStatus::computeFromLLInt):
7871 * bytecode/Opcode.h:
7872 (JSC::padOpcodeName):
7873 * bytecode/PutByIdStatus.cpp:
7874 (JSC::PutByIdStatus::computeFromLLInt):
7875 * jit/JIT.cpp:
7876 (JSC::JIT::privateCompileMainPass):
7877 * jit/JITStubs.h:
7878 * llint/LLIntCLoop.cpp:
7879 (JSC::LLInt::initialize):
7880 * llint/LLIntData.h:
7881 (JSC::LLInt::getCodeFunctionPtr):
7882 (JSC::LLInt::getOpcode): Deleted.
7883 (JSC::LLInt::getCodePtr): Deleted.
7884 * llint/LLIntOpcode.h:
7885 * llint/LLIntSlowPaths.cpp:
7886 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
7887 * llint/LLIntThunks.cpp:
7888 (JSC::LLInt::functionForCallEntryThunkGenerator):
7889 (JSC::LLInt::functionForConstructEntryThunkGenerator):
7890 (JSC::LLInt::functionForCallArityCheckThunkGenerator):
7891 (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
7892 (JSC::LLInt::evalEntryThunkGenerator):
7893 (JSC::LLInt::programEntryThunkGenerator):
7894 * llint/LLIntThunks.h:
7895 Changed references to llint helpers to go through the entry point table populated
7896 by llint_entry. Added helpers to OpcodeID enum for all builds.
7897
7898 * bytecode/BytecodeList.json:
7899 * generate-bytecode-files:
7900 * llint/LLIntCLoop.cpp:
7901 (JSC::LLInt::CLoop::initialize):
7902 Reordered sections to match the order that the functions are added to the entry point
7903 table. Added new "asmPrefix" property for symbols that have one name but are generated
7904 with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
7905 as we are using enums for all bytecode references. Changed the C Loop only
7906 llint_c_loop_init to llint_entry.
7907
79082014-04-10 Matthew Mirman <mmirman@apple.com>
7909
7910 WIP for inlining C++. Added a build target to produce LLVM IR.
7911 https://bugs.webkit.org/show_bug.cgi?id=130523
7912
7913 Reviewed by Mark Rowe.
7914
7915 * JavaScriptCore.xcodeproj/project.pbxproj:
7916 * build-symbol-table-index.py: Added.
7917 * build-symbol-table-index.sh: Added.
7918 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
7919 * copy-llvm-ir-to-derived-sources.sh: Added.
7920
79212014-04-10 Brian J. Burg <burg@cs.washington.edu>
7922
7923 Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
7924 https://bugs.webkit.org/show_bug.cgi?id=131341
7925
7926 Reviewed by Timothy Hatcher.
7927
7928 Add support for encoding/decoding unsigned long with EncodedValue.
7929 It is a distinct type from uint32_t and uint64_t.
7930
7931 * replay/EncodedValue.cpp:
7932 (JSC::EncodedValue::convertTo<unsigned long>):
7933 * replay/EncodedValue.h:
7934
79352014-04-10 Mark Lam <mark.lam@apple.com>
7936
7937 LLINT loadisFromInstruction should handle the big endian case.
7938 <https://webkit.org/b/131495>
7939
7940 Reviewed by Mark Hahnenberg.
7941
7942 The LLINT loadisFromInstruction macro aims to load the least significant
7943 32-bit word from the 64-bit bytecode instruction stream and sign extend
7944 it. For big endian machines, the current implementation would load the
7945 wrong 32-bit word.
7946
7947 Without this fix, the JSC tests will crash on big endian machines.
7948 Thanks to Tomas Popela for diagnosing this issue.
7949
7950 * llint/LowLevelInterpreter.asm:
7951
79522014-04-09 Mark Lam <mark.lam@apple.com>
7953
7954 Temporarily disable the JIT for the Windows port.
7955 <https://webkit.org/b/131470>
7956
7957 Reviewed by Brent Fulgham.
7958
7959 This is a temporary stopgap measure to green the Windows bots until
7960 we have a fix for https://webkit.org/b/131182.
7961
7962 * runtime/Options.cpp:
7963 (JSC::recomputeDependentOptions):
7964
79652014-04-09 Juergen Ributzka <juergen@apple.com>
7966
7967 [FTL] Emit multibyte NOPs on X86-64
7968 https://bugs.webkit.org/show_bug.cgi?id=131394
7969
7970 Reviewed by Michael Saboff.
7971
7972 * assembler/X86Assembler.h:
7973 (JSC::X86Assembler::fillNops):
7974
79752014-04-09 Julien Brianceau <jbriance@cisco.com>
7976
7977 Get rid of JITOperationWrappers.h header file.
7978 https://bugs.webkit.org/show_bug.cgi?id=131450
7979
7980 Reviewed by Michael Saboff.
7981
7982 JITOperationWrappers header file contains architecture specific code that is
7983 not needed anymore, so get rid of it.
7984
7985 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
7986 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
7987 * JavaScriptCore.xcodeproj/project.pbxproj:
7988 * dfg/DFGOperations.cpp:
7989 * jit/JITOperationWrappers.h: Removed.
7990 * jit/JITOperations.cpp:
7991
79922014-04-09 Mark Lam <mark.lam@apple.com>
7993
7994 Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
7995 <https://webkit.org/b/131449>
7996
7997 Reviewed by Mark Hahnenberg.
7998
7999 Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
8000 that it pads is of type int anyway. It doesn't need to be 64 bit. This
8001 also makes it work with the LLINT which is loading it with a loadi
8002 instruction.
8003
8004 We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
8005 when loading the argCount.
8006
8007 The paddedArgCount issue was causing failures when running the JSC tests on a
8008 64-bit big endian machine. In this case, the paddedArgCount in the
8009 ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
8010 as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
8011 that field, the LLINT got a value of 0 instead of the expected 2. With this
8012 patch, we now have a matching store and load of a 32-bit value, and endianness
8013 no longer comes into play.
8014
8015 As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
8016 the payload field of the Register. In the definition of EncodedValueDescriptor,
8017 we already ensure that the payload is in the least significant 32-bits for
8018 little endian machines, and in the most significant 32-bits for big endian
8019 machines. This means that there is no endianness bug when loading this value
8020 using loadi. However, adding the PayLoadOffset clarifies the intent of the
8021 code to load the payload part of the Register value.
8022
8023 * interpreter/ProtoCallFrame.h:
8024 (JSC::ProtoCallFrame::setPaddedArgCount):
8025 * llint/LowLevelInterpreter32_64.asm:
8026 * llint/LowLevelInterpreter64.asm:
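
The two layout points in this entry, as an added example that is not JSC's code: a 64-bit paddedArgCount read with a 32-bit load versus the uint32_t replacement, and a Register payload read at its byte-order-dependent offset. The struct and function names (ProtoCallFrameBefore, ProtoCallFrameAfter, Register, loadi, payloadOffset) are constructed stand-ins for the real ProtoCallFrame, EncodedValueDescriptor and LLINT instruction, not their actual definitions.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-ins for the layouts the entry describes (not JSC's real structs).
// Before the fix: the padded count is a 64-bit integer (size_t on a 64-bit host).
struct ProtoCallFrameBefore {
    uint64_t paddedArgCount;
};

// After the fix: a 32-bit field that matches the 32-bit load the LLINT performs.
struct ProtoCallFrameAfter {
    uint32_t paddedArgCount;
};

// Model of the LLINT `loadi` instruction: read the 32-bit word that starts at
// the given address, whatever wider object it happens to be part of.
static uint32_t loadi(const void* address) {
    uint32_t word;
    std::memcpy(&word, address, sizeof word);
    return word;
}

// Runtime endianness probe: on a big-endian host the first byte of 1u is 0.
static bool hostIsBigEndian() {
    const uint32_t probe = 1;
    unsigned char firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 0;
}

// What a 32-bit load of the lowest-addressed word of a 64-bit field yields.
// Computed arithmetically so both byte orders can be checked on any host:
// big-endian stores the high half first, so a small count reads back as 0.
static uint32_t lowAddressWordOf64(uint64_t value, bool bigEndian) {
    return bigEndian ? static_cast<uint32_t>(value >> 32)
                     : static_cast<uint32_t>(value);
}

// Before: store the count as 64 bits, read it with a 32-bit load.
// On a big-endian host this returns 0 for a stored count of 2.
static uint32_t readPaddedArgCountBefore(uint64_t count) {
    ProtoCallFrameBefore frame{};
    frame.paddedArgCount = count;
    return loadi(&frame.paddedArgCount);
}

// After: the store and the load are both 32 bits, so byte order is irrelevant.
static uint32_t readPaddedArgCountAfter(uint32_t count) {
    ProtoCallFrameAfter frame{};
    frame.paddedArgCount = count;
    return loadi(&frame.paddedArgCount);
}

// Stand-in for a Register holding a tag/payload pair. As in the entry, the
// payload is defined to occupy the least significant 32 bits of the 64-bit
// encoding on both byte orders; the payload offset is where those bits live in memory.
struct Register {
    uint64_t encoded;
};

static Register encodeRegister(uint32_t tag, uint32_t payload) {
    return Register{(static_cast<uint64_t>(tag) << 32) | payload};
}

// Byte offset of the least significant 32-bit half within an 8-byte value.
static size_t payloadOffset(bool bigEndian) {
    return bigEndian ? 4 : 0;
}

// Loading the payload the way the entry recommends: base address plus the payload offset.
static uint32_t loadPayload(const Register& reg) {
    const unsigned char* base = reinterpret_cast<const unsigned char*>(&reg.encoded);
    return loadi(base + payloadOffset(hostIsBigEndian()));
}

int main() {
    // Demonstration run; every comparison below holds on either byte order.
    assert(readPaddedArgCountAfter(2) == 2);
    assert(readPaddedArgCountBefore(2) == lowAddressWordOf64(2, hostIsBigEndian()));
    assert(lowAddressWordOf64(2, true) == 0);   // the big-endian failure the entry describes
    assert(lowAddressWordOf64(2, false) == 2);
    assert(loadPayload(encodeRegister(0xFFFF0001u, 7)) == 7);
    return 0;
}
```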
8027
80282014-04-08 Oliver Hunt <oliver@apple.com>
8029
8030 Rewrite Function.bind as a builtin
8031 https://bugs.webkit.org/show_bug.cgi?id=131083
8032
8033 Reviewed by Geoffrey Garen.
8034
8035 This change removes the existing function.bind implementation
8036 entirely so JSBoundFunction is no more.
8037
8038 Instead we just return a regular JS closure with a few
8039 private properties hanging off it that allow us to perform
8040 the necessary bound function fakery. While most of this is
8041 simple, a couple of key changes:
8042
8043 - The parser and lexer now directly track whether they're
8044 parsing code for call or construct and convert the private
8045 name @IsConstructor into TRUETOK or FALSETOK as appropriate.
8046 This automatically gives us the ability to vary behaviour
8047 from within the builtin. It also leaves a lot of headroom
8048 for trivial future improvements.
8049 - The instanceof operator now uses the prototypeForHasInstance
8050 private name, and we have a helper function to ensure that
8051 all objects that need to can update their magical 'prototype'
8052 property pair correctly.
8053
8054 * API/JSScriptRef.cpp:
8055 (parseScript):
8056 * JavaScriptCore.xcodeproj/project.pbxproj:
8057 * builtins/BuiltinExecutables.cpp:
8058 (JSC::BuiltinExecutables::createBuiltinExecutable):
8059 * builtins/Function.prototype.js:
8060 (bind.bindingFunction):
8061 (bind.else.bindingFunction):
8062 (bind):
8063 * bytecode/UnlinkedCodeBlock.cpp:
8064 (JSC::generateFunctionCodeBlock):
8065 * bytecompiler/NodesCodegen.cpp:
8066 (JSC::InstanceOfNode::emitBytecode):
8067 * interpreter/Interpreter.cpp:
8068 * parser/Lexer.cpp:
8069 (JSC::Lexer<T>::Lexer):
8070 (JSC::Lexer<LChar>::parseIdentifier):
8071 (JSC::Lexer<UChar>::parseIdentifier):
8072 * parser/Lexer.h:
8073 * parser/Parser.cpp:
8074 (JSC::Parser<LexerType>::Parser):
8075 (JSC::Parser<LexerType>::parseInner):
8076 * parser/Parser.h:
8077 (JSC::parse):
8078 * parser/ParserModes.h:
8079 * runtime/CodeCache.cpp:
8080 (JSC::CodeCache::getGlobalCodeBlock):
8081 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
8082 * runtime/CommonIdentifiers.h:
8083 * runtime/Completion.cpp:
8084 (JSC::checkSyntax):
8085 * runtime/Executable.cpp:
8086 (JSC::ProgramExecutable::checkSyntax):
8087 * runtime/FunctionPrototype.cpp:
8088 (JSC::FunctionPrototype::addFunctionProperties):
8089 (JSC::functionProtoFuncBind): Deleted.
8090 * runtime/JSBoundFunction.cpp: Removed.
8091 * runtime/JSBoundFunction.h: Removed.
8092 * runtime/JSFunction.cpp:
8093 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
8094 (JSC::RetrieveCallerFunctionFunctor::operator()):
8095 (JSC::retrieveCallerFunction):
8096 (JSC::JSFunction::getOwnPropertySlot):
8097 (JSC::JSFunction::defineOwnProperty):
8098 * runtime/JSGlobalObject.cpp:
8099 (JSC::JSGlobalObject::reset):
8100 * runtime/JSGlobalObjectFunctions.cpp:
8101 (JSC::globalFuncSetTypeErrorAccessor):
8102 * runtime/JSGlobalObjectFunctions.h:
8103 * runtime/JSObject.h:
8104 (JSC::JSObject::inlineGetOwnPropertySlot):
8105
81062014-04-08 Jon Lee <jonlee@apple.com>
8107
8108 Turn MSE on by default
8109 https://bugs.webkit.org/show_bug.cgi?id=131313
8110 <rdar://problem/16525223>
8111
8112 Reviewed by Jer Noble.
8113
8114 * Configurations/FeatureDefines.xcconfig:
8115
81162014-04-08 Joseph Pecoraro <pecoraro@apple.com>
8117
8118 Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
8119 https://bugs.webkit.org/show_bug.cgi?id=131406
8120
8121 Reviewed by Timothy Hatcher.
8122
8123 * inspector/remote/RemoteInspector.h:
8124 * inspector/remote/RemoteInspector.mm:
8125 (Inspector::RemoteInspector::stop):
8126 (Inspector::RemoteInspector::stopInternal):
8127 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
8128 Provide a way to stop externally and a path to stop when in
8129 the middle of handling a message already with the locked mutex.
8130
8131 * inspector/remote/RemoteInspectorXPCConnection.h:
8132 * inspector/remote/RemoteInspectorXPCConnection.mm:
8133 (Inspector::RemoteInspectorXPCConnection::close):
8134 (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
8135 Provide a way to close externally and a path to close when in
8136 the middle of handling a message already with a mutex.
8137
81382014-04-08 Joseph Pecoraro <pecoraro@apple.com>
8139
8140 Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
8141 https://bugs.webkit.org/show_bug.cgi?id=131398
8142
8143 Reviewed by Timothy Hatcher.
8144
8145 * inspector/InjectedScriptSource.js:
8146 The console object can be deleted from a page or JSContext,
8147 so keep code that expects that it could have been deleted
8148 to be resilient in those cases.
8149
8150 * inspector/JSGlobalObjectScriptDebugServer.h:
8151 * inspector/agents/JSGlobalObjectDebuggerAgent.h:
8152 * inspector/agents/JSGlobalObjectRuntimeAgent.h:
8153 Change the FIXMEs to NOTEs that explain why these functions
8154 have empty implementations for JSContext inspection.
8155
81562014-04-08 Filip Pizlo <fpizlo@apple.com>
8157
8158 Unreviewed, fix a goofy assertion to fix debug.
8159
8160 * bytecode/PolymorphicPutByIdList.h:
8161 (JSC::PutByIdAccess::isSetter):
8162 (JSC::PutByIdAccess::oldStructure):
8163 (JSC::PutByIdAccess::chain):
8164 (JSC::PutByIdAccess::stubRoutine):
8165 (JSC::PutByIdAccess::customSetter):
8166
81672014-04-08 Filip Pizlo <fpizlo@apple.com>
8168
8169 Fail silently if the LLVM dylib isn't found
8170 https://bugs.webkit.org/show_bug.cgi?id=131385
8171
8172 Reviewed by Mark Hahnenberg.
8173
8174 * dfg/DFGPlan.cpp:
8175 (JSC::DFG::Plan::compileInThreadImpl):
8176 * llvm/InitializeLLVM.cpp:
8177 (JSC::initializeLLVM):
8178 * llvm/InitializeLLVM.h:
8179 * llvm/InitializeLLVMPOSIX.cpp:
8180 (JSC::initializeLLVMPOSIX):
8181
81822014-04-07 Filip Pizlo <fpizlo@apple.com>
8183
8184 Repatch should support setters and plant calls to them directly
8185 https://bugs.webkit.org/show_bug.cgi?id=130750
8186
8187 Reviewed by Geoffrey Garen.
8188
8189 All of the infrastructure was in place so this just enables setter optimization.
8190
8191 This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
8192
8193 * bytecode/PolymorphicPutByIdList.cpp:
8194 (JSC::PutByIdAccess::visitWeak):
8195 * bytecode/PolymorphicPutByIdList.h:
8196 (JSC::PutByIdAccess::setter):
8197 (JSC::PutByIdAccess::customSetter): Deleted.
8198 * bytecode/PutByIdStatus.cpp:
8199 (JSC::PutByIdStatus::computeForStubInfo):
8200 * jit/Repatch.cpp:
8201 (JSC::toString):
8202 (JSC::kindFor):
8203 (JSC::customFor):
8204 (JSC::generateByIdStub):
8205 (JSC::tryCachePutByID):
8206 (JSC::tryBuildPutByIdList):
8207 * runtime/JSObject.cpp:
8208 (JSC::JSObject::put):
8209 * runtime/Lookup.h:
8210 (JSC::putEntry):
8211 * runtime/PutPropertySlot.h:
8212 (JSC::PutPropertySlot::setCacheableSetter):
8213 (JSC::PutPropertySlot::isCacheableSetter):
8214 (JSC::PutPropertySlot::isCacheableCustom):
8215 (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
8216 (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
8217 * tests/stress/setter.js: Added.
8218 (foo):
8219
82202014-04-07 Filip Pizlo <fpizlo@apple.com>
8221
8222 Setters are just getters that take an extra argument and don't return a value
8223 https://bugs.webkit.org/show_bug.cgi?id=131336
8224
8225 Reviewed by Geoffrey Garen.
8226
8227 Other than that, they're totally the same thing.
8228
8229 This isn't as dumb as it sounds.
8230
8231 Most of the work in calling an accessor has to do with emitting the necessary checks for
8232 figuring out whether we're calling the accessor we expected, followed by the boilerplate
8233 needed for setting up a call inside of a stub. It makes sense for the code to be totally
8234 common.
8235
8236 * jit/AssemblyHelpers.h:
8237 (JSC::AssemblyHelpers::storeValue):
8238 (JSC::AssemblyHelpers::moveTrustedValue):
8239 * jit/CCallHelpers.h:
8240 (JSC::CCallHelpers::setupResults):
8241 * jit/Repatch.cpp:
8242 (JSC::kindFor):
8243 (JSC::customFor):
8244 (JSC::generateByIdStub):
8245 (JSC::tryCacheGetByID):
8246 (JSC::tryBuildGetByIDList):
8247 (JSC::tryCachePutByID):
8248 (JSC::tryBuildPutByIdList):
8249 (JSC::generateGetByIdStub): Deleted.
8250 (JSC::emitCustomSetterStub): Deleted.
8251 * runtime/JSCJSValue.h:
8252 (JSC::JSValue::asValue):
8253 * runtime/PutPropertySlot.h:
8254 (JSC::PutPropertySlot::cachedOffset):
8255
82562014-04-07 Joseph Pecoraro <pecoraro@apple.com>
8257
8258 Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
8259 https://bugs.webkit.org/show_bug.cgi?id=131321
8260
8261 Reviewed by Mark Rowe.
8262
8263 * inspector/remote/RemoteInspector.mm:
8264 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
8265 Avoid attempting to take the same lock twice. Move the received message
8266 lock grab after the WIRPermissionDenied branch, which takes the lock
8267 inside RemoteInspector::stop.
8268
82692014-04-07 Filip Pizlo <fpizlo@apple.com>
8270
8271 Make it possible to disable some of the FTL's more interesting features
8272 https://bugs.webkit.org/show_bug.cgi?id=131312
8273
8274 Reviewed by Mark Hahnenberg.
8275
8276 * dfg/DFGByteCodeParser.cpp:
8277 (JSC::DFG::ByteCodeParser::handleGetById):
8278 (JSC::DFG::ByteCodeParser::handlePutById):
8279 (JSC::DFG::ByteCodeParser::parse):
8280 * runtime/Options.h:
8281
82822014-04-04 Mark Lam <mark.lam@apple.com>
8283
8284 Date object needs to check for ES5 15.9.1.14 TimeClip limit.
8285 <https://webkit.org/b/131248>
8286
8287 Reviewed by Mark Hahnenberg.
8288
8289 The current Date object code does not adequately check for the ES5
8290 15.9.1.14 TimeClip limit. As a result, some calculations can underflow
8291 / overflow and produce unexpected results.
8292
8293 For example, we were getting an assertion failure in
8294 WTF::equivalentYearForDST() due to int underflows in this function, which
8295 in turn were due to an int overflow in WTF::msToYear().
8296
8297 This patch adds the needed checks, and adds some assertions to ensure
8298 that the used values are sane.
8299
8300 The changes have no noticeable impact on benchmark results.
8301
8302 * runtime/DateConstructor.cpp:
8303 (JSC::callDate):
8304 * runtime/JSDateMath.cpp:
8305 (JSC::localTimeOffset):
8306 (JSC::gregorianDateTimeToMS):
8307 (JSC::msToGregorianDateTime):
8308 (JSC::parseDateFromNullTerminatedCharacters):
8309 (JSC::parseDate):
8310 * runtime/JSDateMath.h:
8311 - parseDateFromNullTerminatedCharacters() does not need to be public.
8312 Made it a static function.
8313 * runtime/VM.cpp:
8314 (JSC::VM::resetDateCache):
8315 - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
8316 to be consistent with other Date code.
8317
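Added example (an editor's illustration, not WTF or JavaScriptCore code): a C implementation of the ES5 15.9.1.14 TimeClip rule, followed by a year computation that is only safe because its input has been clipped first. The function names are hypothetical; the day-to-year step is Howard Hinnant's civil_from_days algorithm, not the WTF::msToYear routine the entry refers to. The sample time values in main() are constructed to sit exactly on and just past the 8.64e15 ms limit.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ES5 15.9.1.14: a time value lies within 8.64e15 ms either side of the epoch. */
static const double kMaxTimeValueMs = 8.64e15;

/* TimeClip(time): NaN for non-finite or out-of-range input, else ToInteger. */
double time_clip(double t) {
    if (!isfinite(t) || t < -kMaxTimeValueMs || t > kMaxTimeValueMs)
        return NAN;
    /* |t| < 2^53, so the round trip through int64_t truncates toward zero
     * exactly; adding +0.0 turns a negative zero into +0 as the spec asks. */
    return (double)(int64_t)t + 0.0;
}

/* Proleptic Gregorian year of a day count relative to 1970-01-01
 * (Hinnant's civil_from_days, reduced to the year). Assumed helper. */
static int64_t civil_year_from_days(int64_t z) {
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;                                       /* [0, 146096] */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;   /* [0, 399] */
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);                 /* [0, 365] */
    int64_t mp = (5 * doy + 2) / 153;                                      /* [0, 11] */
    int64_t month = mp < 10 ? mp + 3 : mp - 9;                             /* [1, 12] */
    return yoe + era * 400 + (month <= 2);
}

/* Year of a time value; returns false for an invalid Date. The double to
 * int64_t conversion is trustworthy only because the value was clipped:
 * converting an out-of-range double to an integer is undefined behaviour in C,
 * which is the overflow class the entry above describes. */
bool year_from_time_value(double ms, int64_t *year_out) {
    double t = time_clip(ms);
    if (isnan(t))
        return false;
    int64_t ti = (int64_t)t;               /* |ti| <= 8.64e15 */
    int64_t days = ti / 86400000;
    if (ti % 86400000 < 0)
        days--;                            /* floor division for negative times */
    *year_out = civil_year_from_days(days);
    return true;
}

int main(void) {
    /* Constructed samples: epoch, both limits, and one millisecond past the limit. */
    const double samples[] = { 0.0, kMaxTimeValueMs, -kMaxTimeValueMs, kMaxTimeValueMs + 1.0 };
    for (int i = 0; i < 4; i++) {
        int64_t year;
        if (year_from_time_value(samples[i], &year))
            printf("%.0f ms -> year %lld\n", samples[i], (long long)year);
        else
            printf("%.0f ms -> Invalid Date\n", samples[i]);
    }
    return 0;
}
```

The two limits map to the years 275760 and -271821, matching the largest and smallest dates ECMAScript permits; one millisecond beyond either limit is rejected before any integer arithmetic runs.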
83182014-04-06 Csaba Osztrogonác <ossy@webkit.org>
8319
8320 Unreviewed speculative 32-bit buildfix after r166837.
8321
8322 * heap/Heap.cpp:
8323 (JSC::Heap::updateObjectCounts):
8324
83252014-04-06 Dan Bernstein <mitz@apple.com>
8326
8327 32-bit build fix.
8328
8329 * runtime/JSGlobalObject.cpp:
8330 (JSC::JSGlobalObject::setInputCursor):
8331
83322014-04-04 Brian J. Burg <burg@cs.washington.edu>
8333
8334 Enable WEB_REPLAY for PLATFORM(MAC)
8335 https://bugs.webkit.org/show_bug.cgi?id=130700
8336
8337 Reviewed by Timothy Hatcher.
8338
8339 * Configurations/FeatureDefines.xcconfig:
8340
83412014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
8342
8343 Add missing files from r166837
8344
8345 * heap/GCLogging.cpp: Added.
8346 (JSC::GCLogging::levelAsString):
8347 (JSC::LoggingFunctor::LoggingFunctor):
8348 (JSC::LoggingFunctor::~LoggingFunctor):
8349 (JSC::LoggingFunctor::operator()):
8350 (JSC::LoggingFunctor::log):
8351 (JSC::LoggingFunctor::reviveCells):
8352 (JSC::LoggingFunctor::returnValue):
8353 (JSC::GCLogging::dumpObjectGraph):
8354 * heap/GCLogging.h: Added.
8355
83562014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
8357
8358 Enhanced GC logging
8359 https://bugs.webkit.org/show_bug.cgi?id=131246
8360
8361 Reviewed by Geoff Garen.
8362
8363 Getting data on the state of the JSC Heap at runtime is currently in a sad state.
8364 The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
8365 recompile to turn it on. It would be nice if we could runtime enable our GC logging
8366 infrastructure while incurring minimal cost when it is disabled.
8367
8368 It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
8369 provides us with the discovered roots along with parent-child relationships as objects
8370 are scanned. However, once an object is scanned it will never be declared as the child
8371 of another object during that collection. This gives us a tree-like view of the
8372 Heap (i.e. each scanned node only reports having a single parent), where the actual
8373 Heap can be an arbitrary graph.
8374
8375 This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances
8376 our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
8377 logging levels. None means no logging is done, Basic is what logGC() = true would have done
8378 prior to this patch, and Verbose logs all object relationships.
8379
8380 JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
8381 subclasses to override the default string representation that will be dumped. These
8382 methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
8383 the logging infrastructure in our compilers.
8384
8385 This patch also adds a GCLogging class that handles dumping the relationships between objects.
8386 It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
8387 children of each live cell at the end of garbage collection.
8388
8389 This change meets our goal of being neutral on the benchmarks we track.
8390
8391 * JavaScriptCore.xcodeproj/project.pbxproj:
8392 * heap/GCLogging.cpp: Added.
8393 (JSC::GCLogging::levelAsString):
8394 (JSC::LoggingFunctor::LoggingFunctor):
8395 (JSC::LoggingFunctor::operator()):
8396 (JSC::LoggingFunctor::log):
8397 (JSC::LoggingFunctor::reviveCells):
8398 (JSC::LoggingFunctor::returnValue):
8399 (JSC::GCLogging::dumpObjectGraph):
8400 * heap/GCLogging.h: Added.
8401 * heap/GCSegmentedArray.h:
8402 (JSC::GCSegmentedArray::begin):
8403 (JSC::GCSegmentedArray::end):
8404 * heap/Heap.cpp:
8405 (JSC::Heap::markRoots):
8406 (JSC::Heap::visitSmallStrings):
8407 (JSC::Heap::visitConservativeRoots):
8408 (JSC::Heap::visitCompilerWorklists):
8409 (JSC::Heap::visitProtectedObjects):
8410 (JSC::Heap::visitTempSortVectors):
8411 (JSC::Heap::visitArgumentBuffers):
8412 (JSC::Heap::visitException):
8413 (JSC::Heap::visitStrongHandles):
8414 (JSC::Heap::visitHandleStack):
8415 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
8416 (JSC::Heap::visitWeakHandles):
8417 (JSC::Heap::updateObjectCounts):
8418 (JSC::Heap::collect):
8419 (JSC::Heap::didFinishCollection):
8420 * heap/Heap.h:
8421 * heap/MarkStack.h:
8422 * heap/SlotVisitor.cpp:
8423 (JSC::SlotVisitor::dump):
8424 * heap/SlotVisitor.h:
8425 (JSC::SlotVisitor::markStack):
8426 * heap/SlotVisitorInlines.h:
8427 (JSC::SlotVisitor::internalAppend):
8428 * runtime/ClassInfo.h:
8429 * runtime/JSCell.cpp:
8430 (JSC::JSCell::dump):
8431 (JSC::JSCell::dumpToStream):
8432 (JSC::JSCell::className):
8433 * runtime/JSCell.h:
8434 * runtime/JSCellInlines.h:
8435 (JSC::JSCell::visitChildren):
8436 * runtime/JSString.cpp:
8437 (JSC::JSString::dumpToStream):
8438 (JSC::JSString::visitChildren):
8439 * runtime/JSString.h:
8440 (JSC::JSString::length):
8441 (JSC::JSRopeString::RopeBuilder::length):
8442 * runtime/Options.cpp:
8443 (JSC::parse):
8444 (JSC::Options::setOption):
8445 (JSC::Options::dumpOption):
8446 * runtime/Options.h:
8447
84482014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
8449
8450 Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
8451 https://bugs.webkit.org/show_bug.cgi?id=131251
8452
8453 Reviewed by Geoffrey Garen.
8454
8455 * API/JSVirtualMachine.mm:
8456 (scanExternalObjectGraph):
8457 * API/tests/testapi.mm:
8458
84592014-04-03 Brian J. Burg <burg@cs.washington.edu>
8460
8461 Web Inspector: hook up probe samples to TimelineAgent's records
8462 https://bugs.webkit.org/show_bug.cgi?id=131127
8463
8464 Reviewed by Timothy Hatcher.
8465
8466 * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.
8467
84682014-04-04 Commit Queue <commit-queue@webkit.org>
8469
8470 Unreviewed, rolling out r166820.
8471 https://bugs.webkit.org/show_bug.cgi?id=131256
8472
8473 Broke builds. (Requested by bdash on #webkit).
8474
8475 Reverted changeset:
8476
8477 "WIP for inlining C++. Added a build target to produce llvm
8478 ir."
8479 https://bugs.webkit.org/show_bug.cgi?id=130523
8480 http://trac.webkit.org/changeset/166820
8481
84822014-04-04 Matthew Mirman <mmirman@apple.com>
8483
8484 WIP for inlining C++. Added a build target to produce llvm ir.
8485 https://bugs.webkit.org/show_bug.cgi?id=130523
8486
8487 Reviewed by Filip Pizlo.
8488
8489 The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o
8490
8491 * JavaScriptCore.xcodeproj/project.pbxproj:
8492 * build_index.py: Added.
8493 * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.
8494
84952014-04-04 Joseph Pecoraro <pecoraro@apple.com>
8496
8497 Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
8498 https://bugs.webkit.org/show_bug.cgi?id=131241
8499
8500 Reviewed by Timothy Hatcher.
8501
8502 * inspector/JSGlobalObjectInspectorController.cpp:
8503 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
8504 Log the exception to the system console if system console output is enabled.
8505
85062014-04-04 Joseph Pecoraro <pecoraro@apple.com>
8507
8508 Web Inspector: Provide a way for JSContext console to log to system console
8509 https://bugs.webkit.org/show_bug.cgi?id=131050
8510
8511 Reviewed by Timothy Hatcher.
8512
8513 Applications often re-expose some log -> NSLog functionality.
8514 We already have the capability ourselves, which includes extra
8515 information such as sourceURL:line:column, all arguments instead
8516 of just one argument, and backtrace information on console.trace.
8517 Therefore it would be convenient if developers could just use
8518 the built-in console.log and get rich output in both the inspector
8519 and the console, without writing their own logger.
8520
8521 The logging will be enabled in debug builds by default, and can be enabled
8522 otherwise by setting a user default before creating the first context.
8523
8524 For example, in the application itself:
8525
8526 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];
8527
8528 Or from outside the application:
8529
8530 shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES
8531
8532 * inspector/JSConsoleClient.h:
8533 * inspector/JSConsoleClient.cpp:
8534 (Inspector::JSConsoleClient::logToSystemConsole):
8535 (Inspector::JSConsoleClient::setLogToSystemConsole):
8536 (Inspector::JSConsoleClient::initializeLogToSystemConsole):
8537 (Inspector::JSConsoleClient::JSConsoleClient):
8538 Global setting for logging to system console. Enabled on
8539 debug builds, and by a user default on supported platforms.
8540
8541 (Inspector::JSConsoleClient::messageWithTypeAndLevel):
8542 Log to system console when the static setting is enabled.
8543
8544 * runtime/ConsoleClient.h:
8545 * runtime/ConsoleClient.cpp:
8546 (JSC::appendURLAndPosition):
8547 (JSC::appendMessagePrefix):
8548 (JSC::ConsoleClient::printConsoleMessage):
8549 (JSC::ConsoleClient::printConsoleMessageWithArguments):
8550 Clean up printing. Build strings and use WTFLogAlways instead of printf
8551 for consistent logging.
8552
8553 * runtime/ConsoleClient.cpp:
8554 (JSC::ConsoleClient::printConsoleMessageWithArguments):
8555 Clean up printing. If there is no source URL, don't print a leading colon.
8556
85572014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
8558
8559 Use JSCell::indexingType instead of Structure::indexingType wherever possible
8560 https://bugs.webkit.org/show_bug.cgi?id=131230
8561
8562 Reviewed by Mark Lam.
8563
8564 Avoid the indirection through the Structure.
8565
8566 * bytecode/ArrayAllocationProfile.cpp:
8567 (JSC::ArrayAllocationProfile::updateIndexingType):
8568 * bytecode/ArrayAllocationProfile.h:
8569 (JSC::ArrayAllocationProfile::selectIndexingType):
8570 * heap/HeapStatistics.cpp:
8571 (JSC::StorageStatistics::operator()):
8572 * runtime/ArrayPrototype.cpp:
8573 (JSC::attemptFastSort):
8574 * runtime/JSGlobalObject.cpp:
8575 (JSC::JSGlobalObject::objectPrototypeIsSane):
8576 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
8577 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
8578 * runtime/JSPropertyNameIterator.cpp:
8579 (JSC::JSPropertyNameIterator::create):
8580
85812014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
8582
8583 Use JSCell::type instead of TypeInfo::type wherever possible
8584 https://bugs.webkit.org/show_bug.cgi?id=131229
8585
8586 Reviewed by Michael Saboff.
8587
8588 Avoid going through the Structure and reifying the TypeInfo.
8589
8590 * runtime/Executable.h:
8591 (JSC::ExecutableBase::isEvalExecutable):
8592 (JSC::ExecutableBase::isProgramExecutable):
8593
85942014-04-03 Andreas Kling <akling@apple.com>
8595
8596 Fast-path for casting JS wrappers to JSNode.
8597 <https://webkit.org/b/131196>
8598
8599 Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
8600 a little bit. We do this by exposing a LastJSCObjectType constant so
8601 WebCore can encode its own wrapper types after that.
8602
8603 Reviewed by Mark Hahnenberg and Geoff Garen.
8604
8605 * runtime/JSType.h:
8606
8607 Added LastJSCObjectType for use by WebCore.
8608
8609 * runtime/JSObject.h:
8610 (JSC::JSObject::isVariableObject):
8611
8612 Updated since this can no longer assume that types >= VariableObjectType
8613 are all variable objects.
8614
86152014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>
8616
8617 All Heap::writeBarriers should be inline
8618 https://bugs.webkit.org/show_bug.cgi?id=131197
8619
8620 Reviewed by Mark Lam.
8621
8622 One is in JSCellInlines.h, another is in Heap.cpp. These are all critical
8623 enough and small enough to belong in HeapInlines.h. Also added the proper
8624 ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.
8625
8626 * heap/Heap.cpp:
8627 (JSC::Heap::writeBarrier): Deleted.
8628 * heap/Heap.h:
8629 * heap/HeapInlines.h:
8630 (JSC::Heap::writeBarrier):
8631 * runtime/JSCellInlines.h:
8632 (JSC::Heap::writeBarrier): Deleted.
8633
86342014-04-03 Joseph Pecoraro <pecoraro@apple.com>
8635
8636 Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
8637 https://bugs.webkit.org/show_bug.cgi?id=131186
8638
8639 Reviewed by Geoffrey Garen.
8640
8641 * API/JSContextPrivate.h:
8642 * API/JSContext.mm:
8643 (-[JSContext _includesNativeCallStackWhenReportingExceptions]):
8644 (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
8645 JSContext ObjC SPI to opt-out of including native call stacks in exceptions.
8646
8647 * API/JSContextRefPrivate.h:
8648 * API/JSContextRef.cpp:
8649 (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
8650 (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
8651 JSContext C SPI to opt-out of including native call stacks in exceptions.
8652
8653 * inspector/JSGlobalObjectInspectorController.h:
8654 * inspector/JSGlobalObjectInspectorController.cpp:
8655 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
8656 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
8657 Only include the native call stack if the setting is enabled. It is enabled by default.
8658
86592014-04-03 Mark Lam <mark.lam@apple.com>
8660
8661 Fix bit rot in ARMv7 JIT probe mechanism.
8662 <https://webkit.org/b/131167>
8663
8664 Reviewed by Geoffrey Garen.
8665
8666 1. The macro assembler does not support pushing the SP register. Worked
8667 around this by pushing the LR register as a placeholder, and then
8668 writing the original SP value to that slot.
8669 2. The CPUState field in the ProbeContext needs to be aligned on a 4
8670 byte boundary, not an 8 byte boundary.
8671
8672 * assembler/MacroAssemblerARMv7.cpp:
8673 (JSC::MacroAssemblerARMv7::probe):
8674 * jit/JITStubsARMv7.h:
8675
86762014-04-02 Mark Lam <mark.lam@apple.com>
8677
8678 ARMv7 compare32() should not use TST to do CMP's job.
8679 <https://webkit.org/b/131146>
8680
8681 Reviewed by Geoffrey Garen.
8682
8683 The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
8684 was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
8685 instruction doesn't set the Overflow (V) flag and this results in random
8686 results depending on whether there was a preceding instruction that did set
8687 the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
8688 with a lot of OSR exits where not expected as well as producing wrong results.
8689
8690 The fix is to use "cmp reg, #0" to do the job properly.
8691
8692 * assembler/MacroAssemblerARMv7.h:
8693 (JSC::MacroAssemblerARMv7::compare32):
8694
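Added example (an editor's illustration, not JavaScriptCore code): a small C model of the ARM condition flags showing why "tst reg, reg" cannot stand in for "cmp reg, #0" when a signed condition code is tested afterwards. The flag semantics follow the ARM architecture reference (TST writes N and Z and leaves V untouched; CMP writes N, Z, C and V); the function names and the "stale V" scenario are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the four ARM APSR condition flags. */
typedef struct { bool n, z, c, v; } Flags;

/* TST Rn, Rm: Rn AND Rm, updating only N and Z. C comes from the shifter
 * (unchanged for a plain register operand) and V is never written. */
static Flags arm_tst(uint32_t rn, uint32_t rm, Flags prior) {
    uint32_t r = rn & rm;
    Flags f = prior;
    f.n = (r >> 31) != 0;
    f.z = (r == 0);
    return f;
}

/* CMP Rn, #imm: Rn - imm, updating all four flags. */
static Flags arm_cmp(uint32_t rn, uint32_t imm, Flags prior) {
    (void)prior;                                   /* every flag is rewritten */
    uint32_t r = rn - imm;
    Flags f;
    f.n = (r >> 31) != 0;
    f.z = (r == 0);
    f.c = (rn >= imm);                             /* no borrow */
    f.v = (((rn ^ imm) & (rn ^ r)) >> 31) != 0;    /* signed overflow */
    return f;
}

/* Signed "less than" condition code: LT holds when N != V. */
static bool cond_lt(Flags f) { return f.n != f.v; }

/* Flag state left behind by some earlier flag-setting instruction. */
static Flags flags_with_stale_v(bool stale_v) {
    Flags f = { false, false, false, stale_v };
    return f;
}

/* "x < 0" compiled as the buggy sequence:  tst x, x ; blt */
bool less_than_zero_via_tst(int32_t x, bool stale_v) {
    return cond_lt(arm_tst((uint32_t)x, (uint32_t)x, flags_with_stale_v(stale_v)));
}

/* "x < 0" compiled as the fixed sequence:  cmp x, #0 ; blt */
bool less_than_zero_via_cmp(int32_t x, bool stale_v) {
    return cond_lt(arm_cmp((uint32_t)x, 0, flags_with_stale_v(stale_v)));
}

int main(void) {
    const int32_t samples[] = { 5, 0, -3 };    /* constructed inputs */
    for (int i = 0; i < 3; i++) {
        int32_t x = samples[i];
        printf("x=%3d  V stale: tst says %d, cmp says %d   V clear: tst says %d, cmp says %d\n",
               x,
               less_than_zero_via_tst(x, true), less_than_zero_via_cmp(x, true),
               less_than_zero_via_tst(x, false), less_than_zero_via_cmp(x, false));
    }
    return 0;
}
```

With V clear the TST sequence happens to give the right answer, which is why the failures looked random and depended on what instruction ran before the compare; with V set every signed answer is inverted. CMP rewrites V itself, so its result does not depend on prior flag state.
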
86952014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>
8696
8697 CodeBlockSet should be generational
8698 https://bugs.webkit.org/show_bug.cgi?id=127152
8699
8700 Reviewed by Geoffrey Garen.
8701
8702 During EdenCollections we now only visit those CodeBlocks that:
8703 a) Are new since the last collection if they were somehow otherwise reachable.
8704 b) Are reachable from an Executable that is part of the remembered set.
8705
8706 * bytecode/CodeBlock.cpp:
8707 (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
8708 (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
8709 shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
8710 * bytecode/CodeBlock.h:
8711 (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
8712 We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
8713 (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
8714 (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
8715 * heap/CodeBlockSet.cpp:
8716 (JSC::CodeBlockSet::~CodeBlockSet):
8717 (JSC::CodeBlockSet::add):
8718 (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
8719 the set of old CodeBlocks.
8720 (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
8721 (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
8722 remembered set. When an Executable is added to the remembered set it's typically because we need to do something
8723 with its CodeBlock.
8724 (JSC::CodeBlockSet::clearMarks):
8725 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
8726 to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
8727 (JSC::CodeBlockSet::remove):
8728 (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
8729 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
8730 CodeBlocks because we no longer always do this at the beginning of EdenCollections.
8731 * heap/CodeBlockSet.h:
8732 (JSC::CodeBlockSet::iterate):
8733 * heap/Heap.cpp:
8734 (JSC::Heap::markRoots):
8735 (JSC::Heap::deleteAllCompiledCode):
8736 (JSC::Heap::deleteUnmarkedCompiledCode):
8737 * runtime/Executable.cpp:
8738 (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
8739 a) A CodeBlock is created and is compiled on a DFG worker thread.
8740 b) No GC happens.
8741 c) The CodeBlock has finished being compiled and is installed in the Executable.
8742 d) The function never executes before the next GC.
8743 e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
8744 it's added to the remembered set.
8745
87462014-04-02 Mark Lam <mark.lam@apple.com>
8747
8748 Added some more dataLog info for OSR exits.
8749 <https://webkit.org/b/131120>
8750
8751 Reviewed by Michael Saboff.
8752
8753 Adding info about the OSR exit index, the bytecode index of the bytecode
8754 that is OSR exiting, and the reason for the OSR exit. This change is
8755 for debugging code which only comes into play when we use the
8756 --printEachOSRExit option.
8757
8758 * dfg/DFGOSRExit.h:
8759 * dfg/DFGOSRExitCompiler32_64.cpp:
8760 (JSC::DFG::OSRExitCompiler::compileExit):
8761 * dfg/DFGOSRExitCompiler64.cpp:
8762 (JSC::DFG::OSRExitCompiler::compileExit):
8763 * dfg/DFGOperations.cpp:
8764
87652014-04-02 Martin Robinson <mrobinson@igalia.com>
8766
8767 REGRESSION(r165704): [GTK] Inspector resources not correctly generated
8768 https://bugs.webkit.org/show_bug.cgi?id=130343
8769
8770 Reviewed by Gustavo Noronha Silva.
8771
8772 * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
8773 in which it should be distributed. This allows us to more easily package it for GTK+.
8774
87752014-04-01 Timothy Hatcher <timothy@apple.com>
8776
8777 Remove HeapProfiler from the Web Inspector protocol.
8778
8779 https://bugs.webkit.org/show_bug.cgi?id=131070
8780
8781 Reviewed by Joseph Pecoraro.
8782
8783 * inspector/agents/InspectorConsoleAgent.h:
8784 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
8785 (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
8786 * inspector/agents/JSGlobalObjectConsoleAgent.h:
8787 * inspector/protocol/Console.json:
8788
87892014-03-31 Simon Fraser <simon.fraser@apple.com>
8790
8791 Enable WEB_TIMING on Mac and iOS
8792 https://bugs.webkit.org/show_bug.cgi?id=128064
8793
8794 Reviewed by Sam Weinig, Brent Fulgham.
8795
8796 Enable WEB_TIMING.
8797
8798 * Configurations/FeatureDefines.xcconfig:
8799
88002014-03-31 Michael Saboff <msaboff@apple.com>
8801
8802 REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
8803 https://bugs.webkit.org/show_bug.cgi?id=130992
8804
8805 Reviewed by Mark Hahnenberg.
8806
8807 Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.
8808
8809 * API/JSObjectRef.cpp:
8810 (JSObjectGetPrivate):
8811 (JSObjectSetPrivate):
8812 * API/tests/testapi.c:
8813 (main): Added new test case to validate we are properly forwarding.
8814
88152014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>
8816
8817 Improve GC_LOGGING
8818 https://bugs.webkit.org/show_bug.cgi?id=130988
8819
8820 Reviewed by Geoffrey Garen.
8821
8822 GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
8823 but it doesn't distinguish between Eden and Full collections in the data it gathers. This
8824 patch updates it so that it can. It also adds the process ID to the beginning of each line
8825 of input to be able to distinguish between the output of multiple processes exiting at the
8826 same time.
8827
8828 * heap/Heap.cpp:
8829 (JSC::Heap::collect):
8830
88312014-03-31 Dean Jackson <dino@apple.com>
8832
8833 Remove WEB_ANIMATIONS
8834 https://bugs.webkit.org/show_bug.cgi?id=130989
8835
8836 Reviewed by Simon Fraser.
8837
8838 Remove this feature flag until we plan to implement.
8839
8840 * Configurations/FeatureDefines.xcconfig:
8841
88422014-03-31 Filip Pizlo <fpizlo@apple.com>
8843
8844 More validation for FTL inline caches
8845 https://bugs.webkit.org/show_bug.cgi?id=130948
8846
8847 Reviewed by Geoffrey Garen.
8848
8849 * dfg/DFGByteCodeParser.cpp:
8850 (JSC::DFG::ByteCodeParser::handleGetById):
8851 (JSC::DFG::ByteCodeParser::handlePutById):
8852 * runtime/Options.h:
8853
88542014-03-31 Filip Pizlo <fpizlo@apple.com>
8855
8856 LLVM IR for store barriers should be nicely arranged and they don't need exception checks
8857 https://bugs.webkit.org/show_bug.cgi?id=130950
8858
8859 Reviewed by Mark Hahnenberg.
8860
8861 * ftl/FTLLowerDFGToLLVM.cpp:
8862 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
8863
88642014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
8865
8866 [CMake] Stop checking for WTF_USE_ICU_UNICODE.
8867 https://bugs.webkit.org/show_bug.cgi?id=130965
8868
8869 Reviewed by Martin Robinson.
8870
8871 This is somewhat of a follow-up to r162782, which got rid of
8872 WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
8873 CMakeLists.txt. This meant the includes and libraries were not
8874 being properly included since then.
8875
8876 * CMakeLists.txt:
8877
88782014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8879
8880 Remove hostThisRegister() and hostThisValue()
8881 https://bugs.webkit.org/show_bug.cgi?id=130895
8882
8883 Reviewed by Geoffrey Garen.
8884
8885 Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.
8886
8887 * API/APICallbackFunction.h:
8888 (JSC::APICallbackFunction::call):
8889 * API/JSCallbackObjectFunctions.h:
8890 (JSC::JSCallbackObject<Parent>::call):
8891 * dfg/DFGOSREntry.cpp:
8892 (JSC::DFG::prepareOSREntry):
8893 * inspector/JSInjectedScriptHostPrototype.cpp:
8894 (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
8895 (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
8896 (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
8897 (Inspector::jsInjectedScriptHostPrototypeFunctionType):
8898 (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
8899 (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
8900 * inspector/JSJavaScriptCallFramePrototype.cpp:
8901 (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
8902 (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
8903 (Inspector::jsJavaScriptCallFrameAttributeCaller):
8904 (Inspector::jsJavaScriptCallFrameAttributeSourceID):
8905 (Inspector::jsJavaScriptCallFrameAttributeLine):
8906 (Inspector::jsJavaScriptCallFrameAttributeColumn):
8907 (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
8908 (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
8909 (Inspector::jsJavaScriptCallFrameAttributeThisObject):
8910 (Inspector::jsJavaScriptCallFrameAttributeType):
8911 * interpreter/CallFrame.h:
8912 (JSC::ExecState::hostThisRegister): Deleted.
8913 (JSC::ExecState::hostThisValue): Deleted.
8914 * runtime/Arguments.cpp:
8915 (JSC::argumentsFuncIterator):
8916 * runtime/ArrayPrototype.cpp:
8917 (JSC::arrayProtoFuncToString):
8918 (JSC::arrayProtoFuncToLocaleString):
8919 (JSC::arrayProtoFuncJoin):
8920 (JSC::arrayProtoFuncConcat):
8921 (JSC::arrayProtoFuncPop):
8922 (JSC::arrayProtoFuncPush):
8923 (JSC::arrayProtoFuncReverse):
8924 (JSC::arrayProtoFuncShift):
8925 (JSC::arrayProtoFuncSlice):
8926 (JSC::arrayProtoFuncSort):
8927 (JSC::arrayProtoFuncSplice):
8928 (JSC::arrayProtoFuncUnShift):
8929 (JSC::arrayProtoFuncReduce):
8930 (JSC::arrayProtoFuncReduceRight):
8931 (JSC::arrayProtoFuncIndexOf):
8932 (JSC::arrayProtoFuncLastIndexOf):
8933 (JSC::arrayProtoFuncValues):
8934 (JSC::arrayProtoFuncEntries):
8935 (JSC::arrayProtoFuncKeys):
8936 * runtime/BooleanPrototype.cpp:
8937 (JSC::booleanProtoFuncToString):
8938 (JSC::booleanProtoFuncValueOf):
8939 * runtime/ConsolePrototype.cpp:
8940 (JSC::consoleLogWithLevel):
8941 (JSC::consoleProtoFuncClear):
8942 (JSC::consoleProtoFuncDir):
8943 (JSC::consoleProtoFuncDirXML):
8944 (JSC::consoleProtoFuncTable):
8945 (JSC::consoleProtoFuncTrace):
8946 (JSC::consoleProtoFuncAssert):
8947 (JSC::consoleProtoFuncCount):
8948 (JSC::consoleProtoFuncProfile):
8949 (JSC::consoleProtoFuncProfileEnd):
8950 (JSC::consoleProtoFuncTime):
8951 (JSC::consoleProtoFuncTimeEnd):
8952 (JSC::consoleProtoFuncTimeStamp):
8953 (JSC::consoleProtoFuncGroup):
8954 (JSC::consoleProtoFuncGroupCollapsed):
8955 (JSC::consoleProtoFuncGroupEnd):
8956 * runtime/DatePrototype.cpp:
8957 (JSC::formateDateInstance):
8958 (JSC::dateProtoFuncToISOString):
8959 (JSC::dateProtoFuncToLocaleString):
8960 (JSC::dateProtoFuncToLocaleDateString):
8961 (JSC::dateProtoFuncToLocaleTimeString):
8962 (JSC::dateProtoFuncGetTime):
8963 (JSC::dateProtoFuncGetFullYear):
8964 (JSC::dateProtoFuncGetUTCFullYear):
8965 (JSC::dateProtoFuncGetMonth):
8966 (JSC::dateProtoFuncGetUTCMonth):
8967 (JSC::dateProtoFuncGetDate):
8968 (JSC::dateProtoFuncGetUTCDate):
8969 (JSC::dateProtoFuncGetDay):
8970 (JSC::dateProtoFuncGetUTCDay):
8971 (JSC::dateProtoFuncGetHours):
8972 (JSC::dateProtoFuncGetUTCHours):
8973 (JSC::dateProtoFuncGetMinutes):
8974 (JSC::dateProtoFuncGetUTCMinutes):
8975 (JSC::dateProtoFuncGetSeconds):
8976 (JSC::dateProtoFuncGetUTCSeconds):
8977 (JSC::dateProtoFuncGetMilliSeconds):
8978 (JSC::dateProtoFuncGetUTCMilliseconds):
8979 (JSC::dateProtoFuncGetTimezoneOffset):
8980 (JSC::dateProtoFuncSetTime):
8981 (JSC::setNewValueFromTimeArgs):
8982 (JSC::setNewValueFromDateArgs):
8983 (JSC::dateProtoFuncSetYear):
8984 (JSC::dateProtoFuncGetYear):
8985 (JSC::dateProtoFuncToJSON):
8986 * runtime/ErrorPrototype.cpp:
8987 (JSC::errorProtoFuncToString):
8988 * runtime/FunctionPrototype.cpp:
8989 (JSC::functionProtoFuncToString):
8990 (JSC::functionProtoFuncBind):
8991 * runtime/NamePrototype.cpp:
8992 (JSC::privateNameProtoFuncToString):
8993 * runtime/NumberPrototype.cpp:
8994 (JSC::numberProtoFuncToExponential):
8995 (JSC::numberProtoFuncToFixed):
8996 (JSC::numberProtoFuncToPrecision):
8997 (JSC::numberProtoFuncClz):
8998 (JSC::numberProtoFuncToString):
8999 (JSC::numberProtoFuncToLocaleString):
9000 (JSC::numberProtoFuncValueOf):
9001 * runtime/ObjectPrototype.cpp:
9002 (JSC::objectProtoFuncValueOf):
9003 (JSC::objectProtoFuncHasOwnProperty):
9004 (JSC::objectProtoFuncIsPrototypeOf):
9005 (JSC::objectProtoFuncDefineGetter):
9006 (JSC::objectProtoFuncDefineSetter):
9007 (JSC::objectProtoFuncLookupGetter):
9008 (JSC::objectProtoFuncLookupSetter):
9009 (JSC::objectProtoFuncPropertyIsEnumerable):
9010 (JSC::objectProtoFuncToLocaleString):
9011 (JSC::objectProtoFuncToString):
9012 * runtime/RegExpPrototype.cpp:
9013 (JSC::regExpProtoFuncTest):
9014 (JSC::regExpProtoFuncExec):
9015 (JSC::regExpProtoFuncCompile):
9016 (JSC::regExpProtoFuncToString):
9017 * runtime/StringPrototype.cpp:
9018 (JSC::stringProtoFuncReplace):
9019 (JSC::stringProtoFuncToString):
9020 (JSC::stringProtoFuncCharAt):
9021 (JSC::stringProtoFuncCharCodeAt):
9022 (JSC::stringProtoFuncConcat):
9023 (JSC::stringProtoFuncIndexOf):
9024 (JSC::stringProtoFuncLastIndexOf):
9025 (JSC::stringProtoFuncMatch):
9026 (JSC::stringProtoFuncSearch):
9027 (JSC::stringProtoFuncSlice):
9028 (JSC::stringProtoFuncSplit):
9029 (JSC::stringProtoFuncSubstr):
9030 (JSC::stringProtoFuncSubstring):
9031 (JSC::stringProtoFuncToLowerCase):
9032 (JSC::stringProtoFuncToUpperCase):
9033 (JSC::stringProtoFuncLocaleCompare):
9034 (JSC::stringProtoFuncBig):
9035 (JSC::stringProtoFuncSmall):
9036 (JSC::stringProtoFuncBlink):
9037 (JSC::stringProtoFuncBold):
9038 (JSC::stringProtoFuncFixed):
9039 (JSC::stringProtoFuncItalics):
9040 (JSC::stringProtoFuncStrike):
9041 (JSC::stringProtoFuncSub):
9042 (JSC::stringProtoFuncSup):
9043 (JSC::stringProtoFuncFontcolor):
9044 (JSC::stringProtoFuncFontsize):
9045 (JSC::stringProtoFuncAnchor):
9046 (JSC::stringProtoFuncLink):
9047 (JSC::stringProtoFuncTrim):
9048 (JSC::stringProtoFuncTrimLeft):
9049 (JSC::stringProtoFuncTrimRight):
9050
90512014-03-28 Filip Pizlo <fpizlo@apple.com>
9052
9053 Land the stackmap register liveness glue with the uses of the liveness disabled
9054 https://bugs.webkit.org/show_bug.cgi?id=130924
9055
9056 Reviewed by Oliver Hunt.
9057
9058 Add the liveness and fix other bugs I found.
9059
9060 * bytecode/PutByIdStatus.cpp:
9061 (JSC::PutByIdStatus::computeFor):
9062 * ftl/FTLCompile.cpp:
9063 (JSC::FTL::usedRegistersFor):
9064 (JSC::FTL::fixFunctionBasedOnStackMaps):
9065 * ftl/FTLSlowPathCall.cpp:
9066 * ftl/FTLSlowPathCallKey.cpp:
9067 (JSC::FTL::SlowPathCallKey::dump):
9068 * ftl/FTLSlowPathCallKey.h:
9069 (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
9070 (JSC::FTL::SlowPathCallKey::argumentRegisters):
9071 (JSC::FTL::SlowPathCallKey::withCallTarget):
9072 * ftl/FTLStackMaps.cpp:
9073 (JSC::FTL::StackMaps::Record::locationSet):
9074 (JSC::FTL::StackMaps::Record::liveOutsSet):
9075 (JSC::FTL::StackMaps::Record::usedRegisterSet):
9076 * ftl/FTLStackMaps.h:
9077 * ftl/FTLThunks.cpp:
9078 (JSC::FTL::registerClobberCheck):
9079 (JSC::FTL::slowPathCallThunkGenerator):
9080 * jit/RegisterSet.cpp:
9081 (JSC::RegisterSet::stackRegisters):
9082 (JSC::RegisterSet::reservedHardwareRegisters):
9083 (JSC::RegisterSet::runtimeRegisters):
9084 (JSC::RegisterSet::specialRegisters):
9085 (JSC::RegisterSet::dump):
9086 * jit/RegisterSet.h:
9087 (JSC::RegisterSet::RegisterSet):
9088 (JSC::RegisterSet::setAny):
9089 (JSC::RegisterSet::setMany):
9090 * jit/Repatch.cpp:
9091 (JSC::tryCacheGetByID):
9092 (JSC::tryCachePutByID):
9093 (JSC::tryRepatchIn):
9094 * runtime/Options.cpp:
9095 (JSC::recomputeDependentOptions):
9096 * runtime/Options.h:
9097
90982014-03-28 Mark Lam <mark.lam@apple.com>
9099
9100 mandreel throws a checksum error on 32-bit x86.
9101 <https://webkit.org/b/125706>
9102
9103 Reviewed by Filip Pizlo.
9104
9105 The 32-bit DFG can emit code that loads double constants from its
9106 CodeBlock's m_constantRegisters vector. The emitted instruction will
9107 embed the address of the constant from the vector's backing store.
9108 Subsequently, while inserting new constants, the DFG may resize the
9109 vector, thereby reallocating the backing store. This renders the
9110 previously embedded constant addresses stale.
9111
9112 The fix is to use a dedicated doubles constant pool stored in the DFG
9113 CommonData instead. This constant pool won't be reallocated, and
9114 hence will not manifest this issue.
9115
9116 * dfg/DFGCommonData.h:
9117 * dfg/DFGGraph.h:
9118 * dfg/DFGJITCompiler.cpp:
9119 (JSC::DFG::JITCompiler::link):
9120 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
9121 * dfg/DFGJITCompiler.h:
9122 (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
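
The reallocation hazard described in this entry, as an added example that is not JavaScriptCore's code: the first function shows that a std::vector's backing store moves once its capacity is exceeded, so an element address captured earlier goes stale; the second shows a pool built on std::deque (a hypothetical stand-in for the dedicated CommonData constant pool, names constructed here) whose element addresses survive later insertions.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <vector>

// Returns true if growing a std::vector past its capacity moved its backing
// store, i.e. any element address captured before the growth is now stale.
// Only the numeric address values are compared; the old storage is never read.
bool vectorBackingStoreMoves() {
    std::vector<double> constants;
    constants.push_back(1.5);
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(constants.data());
    // Insert until the capacity is exceeded at least once, forcing a reallocation.
    std::size_t cap = constants.capacity();
    while (constants.capacity() == cap)
        constants.push_back(2.5);
    std::uintptr_t after = reinterpret_cast<std::uintptr_t>(constants.data());
    return before != after;
}

// Hypothetical constant pool whose elements never move: std::deque guarantees
// that push_back invalidates iterators but not pointers or references to
// existing elements, so an address handed out earlier stays valid.
class StableDoublePool {
public:
    const double* add(double value) {
        m_pool.push_back(value);
        return &m_pool.back();
    }
    std::size_t size() const { return m_pool.size(); }
private:
    std::deque<double> m_pool;
};

// Capture an address from the pool, then keep inserting; the address stays
// valid and the value behind it is unchanged.
bool stablePoolAddressSurvivesGrowth(std::size_t extraInserts) {
    StableDoublePool pool;
    const double* first = pool.add(3.25);
    for (std::size_t i = 0; i < extraInserts; ++i)
        pool.add(static_cast<double>(i));
    return *first == 3.25 && pool.size() == extraInserts + 1;
}
```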
9123
91242014-03-28 Joseph Pecoraro <pecoraro@apple.com>
9125
9126 Web Inspector: console.warn is showing as error instead of warning
9127 https://bugs.webkit.org/show_bug.cgi?id=130921
9128
9129 Reviewed by Timothy Hatcher.
9130
9131 * runtime/ConsolePrototype.cpp:
9132 (JSC::consoleProtoFuncWarn):
9133 console.warn should be MessageLevel Warning, not Error.
9134
91352014-03-28 Oliver Hunt <oliver@apple.com>
9136
9137 Fix cloop build.
9138
9139 * bytecode/BytecodeList.json:
9140
91412014-03-28 Michael Saboff <msaboff@apple.com>
9142
9143 Unreviewed, rolling r166248 back in.
9144
9145 Turns out r166070 didn't cause a 2% performance loss in page load times.
9146
9147 Reverted changeset:
9148
9149 Unreviewed, rolling out r166126.
9150 Rollout r166126 in preparation to roll out prerequisite r166070
9151
91522014-03-27 Commit Queue <commit-queue@webkit.org>
9153
9154 Unreviewed, rolling out r166376.
9155 https://bugs.webkit.org/show_bug.cgi?id=130887
9156
9157 This was a misguided optimization. (Requested by kling on
9158 #webkit).
9159
9160 Reverted changeset:
9161
9162 "Avoid fetching JSObject::structure() repeatedly in
9163 putDirectInternal."
9164 https://bugs.webkit.org/show_bug.cgi?id=130857
9165 http://trac.webkit.org/changeset/166376
9166
91672014-03-27 Oliver Hunt <oliver@apple.com>
9168
9169 Support spread operand in |new| expressions
9170 https://bugs.webkit.org/show_bug.cgi?id=130877
9171
9172 Reviewed by Michael Saboff.
9173
9174 Add support for the spread operator being applied in
9175 |new| expressions. This required adding support for
9176 a new opcode, op_construct_varargs. This is a relatively
9177 simple refactoring of the call_varargs implementation.
9178
9179 * bytecode/BytecodeList.json:
9180 * bytecode/BytecodeUseDef.h:
9181 (JSC::computeUsesForBytecodeOffset):
9182 (JSC::computeDefsForBytecodeOffset):
9183 * bytecode/CallLinkInfo.cpp:
9184 (JSC::CallLinkInfo::unlink):
9185 * bytecode/CallLinkInfo.h:
9186 (JSC::CallLinkInfo::callTypeFor):
9187 (JSC::CallLinkInfo::specializationKind):
9188 * bytecode/CodeBlock.cpp:
9189 (JSC::CodeBlock::dumpBytecode):
9190 (JSC::CodeBlock::CodeBlock):
9191 * bytecompiler/BytecodeGenerator.cpp:
9192 (JSC::BytecodeGenerator::emitCallVarargs):
9193 (JSC::BytecodeGenerator::emitConstructVarargs):
9194 (JSC::BytecodeGenerator::emitConstruct):
9195 * bytecompiler/BytecodeGenerator.h:
9196 * jit/JIT.cpp:
9197 (JSC::JIT::privateCompileMainPass):
9198 (JSC::JIT::privateCompileSlowCases):
9199 * jit/JIT.h:
9200 * jit/JITCall.cpp:
9201 (JSC::JIT::compileOpCall):
9202 (JSC::JIT::compileOpCallSlowCase):
9203 (JSC::JIT::emit_op_construct_varargs):
9204 (JSC::JIT::emitSlow_op_construct_varargs):
9205 * jit/JITCall32_64.cpp:
9206 (JSC::JIT::emitSlow_op_construct_varargs):
9207 (JSC::JIT::emit_op_construct_varargs):
9208 (JSC::JIT::compileOpCall):
9209 (JSC::JIT::compileOpCallSlowCase):
9210 * jit/JITOperations.cpp:
9211 * llint/LLIntSlowPaths.cpp:
9212 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
9213 * llint/LLIntSlowPaths.h:
9214 * llint/LowLevelInterpreter.asm:
9215 * parser/Parser.cpp:
9216 (JSC::Parser<LexerType>::parseMemberExpression):
9217
92182014-03-27 Filip Pizlo <fpizlo@apple.com>
9219
9220 Revert http://trac.webkit.org/changeset/166386 because it broke builds.
9221
9222 * Configurations/Base.xcconfig:
9223 * Configurations/LLVMForJSC.xcconfig:
9224
92252014-03-27 Filip Pizlo <fpizlo@apple.com>
9226
9227 Unreviewed, skip this test for now.
9228
9229 * tests/stress/recurse-infinitely-on-getter.js:
9230
92312014-03-27 Filip Pizlo <fpizlo@apple.com>
9232
9233 Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
9234 https://bugs.webkit.org/show_bug.cgi?id=130867
9235 <rdar://problem/16432456>
9236
9237 Reviewed by Mark Hahnenberg.
9238
9239 * Configurations/Base.xcconfig:
9240 * Configurations/LLVMForJSC.xcconfig:
9241
92422014-03-27 Andreas Kling <akling@apple.com>
9243
9244 Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
9245 <https://webkit.org/b/130857>
9246
9247 Use the cached Structure* instead of re-fetching it over and over since
9248 that's a non-trivial operation these days.
9249
9250 Reviewed by Mark Hahnenberg.
9251
9252 * runtime/JSObject.h:
9253 (JSC::JSObject::putDirectInternal):
9254
92552014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
9256
9257 Check the remembered set bit faster
9258 https://bugs.webkit.org/show_bug.cgi?id=130860
9259
9260 Reviewed by Oliver Hunt.
9261
9262 Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
9263 that bit is also stored in the object. We should look it up there whenever possible.
9264
9265 * heap/CopiedBlockInlines.h:
9266 (JSC::CopiedBlock::shouldReportLiveBytes):
9267 * heap/Heap.cpp:
9268 (JSC::Heap::addToRememberedSet):
9269 * heap/Heap.h:
9270 * heap/HeapInlines.h: Removed.
9271 * heap/SlotVisitorInlines.h:
9272 (JSC::SlotVisitor::reportExtraMemoryUsage):
9273
92742014-03-27 Joseph Pecoraro <pecoraro@apple.com>
9275
9276 Web Inspector: Provide SPI to disallow remote inspection of a JSContext
9277 https://bugs.webkit.org/show_bug.cgi?id=130853
9278
9279 Reviewed by Timothy Hatcher.
9280
9281 * API/JSContextPrivate.h: Added.
9282 * API/JSContext.mm:
9283 (-[JSContext _remoteInspectionEnabled]):
9284 (-[JSContext _setRemoteInspectionEnabled:]):
9285 ObjC SPI to enable/disable remote inspection.
9286
9287 * API/JSContextRefPrivate.h:
9288 * API/JSContextRef.cpp:
9289 (JSGlobalContextGetRemoteInspectionEnabled):
9290 (JSGlobalContextSetRemoteInspectionEnabled):
9291 C SPI to enable/disable remote inspection.
9292
9293 * JavaScriptCore.xcodeproj/project.pbxproj:
9294 Add new private header, and export as a private header.
9295
92962014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
9297
9298 Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
9299 https://bugs.webkit.org/show_bug.cgi?id=130845
9300
9301 Reviewed by Filip Pizlo.
9302
9303 There was a hack added to make sure C Loop LLInt worked which included overriding the
9304 global Options::useLLInt setting, which makes no sense to do here. We should put the
9305 update of the global setting in Options::recomputeDependentOptions along with the other
9306 execution engine flags.
9307
9308 * runtime/Executable.cpp:
9309 (JSC::ScriptExecutable::prepareForExecutionImpl):
9310 * runtime/Options.cpp:
9311 (JSC::recomputeDependentOptions):
9312
93132014-03-26 Filip Pizlo <fpizlo@apple.com>
9314
9315 Enable LLVM stackmap liveOuts computation
9316 https://bugs.webkit.org/show_bug.cgi?id=130821
9317
9318 Reviewed by Andy Estes and Sam Weinig.
9319
9320 * ftl/FTLStackMaps.cpp:
9321 (JSC::FTL::StackMaps::Record::dump):
9322 * llvm/library/LLVMExports.cpp:
9323 (initializeAndGetJSCLLVMAPI):
9324
93252014-03-26 Filip Pizlo <fpizlo@apple.com>
9326
9327 Parse stackmaps liveOuts
9328 https://bugs.webkit.org/show_bug.cgi?id=130801
9329
9330 Reviewed by Geoffrey Garen.
9331
9332 This just adds the code to parse them but doesn't do anything with them, yet.
9333
9334 * ftl/FTLLocation.cpp:
9335 (JSC::FTL::Location::forStackmaps):
9336 * ftl/FTLLocation.h:
9337 (JSC::FTL::Location::forRegister):
9338 (JSC::FTL::Location::forIndirect):
9339 * ftl/FTLStackMaps.cpp:
9340 (JSC::FTL::StackMaps::Location::parse):
9341 (JSC::FTL::StackMaps::Location::dump):
9342 (JSC::FTL::StackMaps::LiveOut::parse):
9343 (JSC::FTL::StackMaps::LiveOut::dump):
9344 (JSC::FTL::StackMaps::Record::parse):
9345 (JSC::FTL::StackMaps::Record::dump):
9346 * ftl/FTLStackMaps.h:
9347
93482014-03-26 Mark Lam <mark.lam@apple.com>
9349
9350 Build fix after r166307.
9351
9352 Not reviewed.
9353
9354 * runtime/JSCell.h:
9355 - The inline function isAPIValueWrapper() should not be exported. This
9356 was causing a linkage error when building for 32-bit x86 on Mac.
9357
93582014-03-26 Filip Pizlo <fpizlo@apple.com>
9359
9360 Reasoning about DWARF register numbers should be moved out of FTL::Location
9361 https://bugs.webkit.org/show_bug.cgi?id=130792
9362
9363 Reviewed by Oliver Hunt.
9364
9365 Moving this code makes it possible for things other than FTL::Location to reason about
9366 DWARF register encoding. This refactoring also appears to reduce some code duplication
9367 and makes FTLLocation.cpp cleaner.
9368
9369 * JavaScriptCore.xcodeproj/project.pbxproj:
9370 * ftl/FTLCompile.cpp:
9371 (JSC::FTL::fixFunctionBasedOnStackMaps):
9372 * ftl/FTLDWARFRegister.cpp: Added.
9373 (JSC::FTL::DWARFRegister::reg):
9374 (JSC::FTL::DWARFRegister::dump):
9375 * ftl/FTLDWARFRegister.h: Added.
9376 (JSC::FTL::DWARFRegister::DWARFRegister):
9377 (JSC::FTL::DWARFRegister::dwarfRegNum):
9378 * ftl/FTLLocation.cpp:
9379 (JSC::FTL::Location::dump):
9380 (JSC::FTL::Location::isGPR):
9381 (JSC::FTL::Location::gpr):
9382 (JSC::FTL::Location::isFPR):
9383 (JSC::FTL::Location::fpr):
9384 * ftl/FTLLocation.h:
9385 (JSC::FTL::Location::hasDwarfReg):
9386 (JSC::FTL::Location::dwarfReg):
9387
93882014-03-26 Brent Fulgham <bfulgham@apple.com>
9389
9390 Unreviewed build fix.
9391
9392 * runtime/JSCell.h: VS2013 confused about argument type.
9393
93942014-03-26 Zoltan Horvath <zoltan@webkit.org>
9395
9396 [CSS Shapes] Remove shape-inside support
9397 https://bugs.webkit.org/show_bug.cgi?id=130698
9398
9399 Reviewed by David Hyatt.
9400
9401 * Configurations/FeatureDefines.xcconfig:
9402
94032014-03-26 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
9404
9405 Rename hasFastArrayStorage to be more appropriate
9406 https://bugs.webkit.org/show_bug.cgi?id=130773
9407
9408 Reviewed by Filip Pizlo.
9409
9410 * dfg/DFGArrayMode.cpp:
9411 (JSC::DFG::ArrayMode::alreadyChecked):
9412 * dfg/DFGSpeculativeJIT32_64.cpp:
9413 (JSC::DFG::SpeculativeJIT::compile):
9414 * dfg/DFGSpeculativeJIT64.cpp:
9415 (JSC::DFG::SpeculativeJIT::compile):
9416 * dfg/DFGWatchpointCollectionPhase.cpp:
9417 (JSC::DFG::WatchpointCollectionPhase::handle):
9418 * ftl/FTLLowerDFGToLLVM.cpp:
9419 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
9420 (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
9421 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
9422 * runtime/ButterflyInlines.h:
9423 (JSC::Butterfly::unshift):
9424 (JSC::Butterfly::shift):
9425 * runtime/IndexingHeaderInlines.h:
9426 (JSC::IndexingHeader::preCapacity):
9427 * runtime/IndexingType.h:
9428 (JSC::hasArrayStorage):
9429 (JSC::hasAnyArrayStorage):
9430 (JSC::hasFastArrayStorage): Deleted.
9431 * runtime/JSArray.cpp:
9432 (JSC::JSArray::sortVector):
9433 (JSC::JSArray::compactForSorting):
9434 * runtime/JSArray.h:
9435 (JSC::JSArray::create):
9436 (JSC::JSArray::tryCreateUninitialized):
9437 * runtime/JSGlobalObject.cpp:
9438 * runtime/JSObject.cpp:
9439 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
9440 * runtime/JSObject.h:
9441 (JSC::JSObject::ensureArrayStorage):
9442 (JSC::JSObject::arrayStorage):
9443 * runtime/StructureTransitionTable.h:
9444 (JSC::newIndexingType):
9445
94462014-03-26 Zan Dobersek <zdobersek@igalia.com>
9447
9448 Unreviewed. Removing the remaining Automake cruft.
9449
9450 * GNUmakefile.list.am: Removed.
9451
94522014-03-25 Filip Pizlo <fpizlo@apple.com>
9453
9454 Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
9455 https://bugs.webkit.org/show_bug.cgi?id=130764
9456 <rdar://problem/16304788>
9457
9458 Reviewed by Sam Weinig.
9459
9460 Being an arguments alias just means that your OSR exit recovery should attempt arguments
9461 creation. This is true of arguments locals. We had special cases that tried to make it not
9462 true of arguments locals. The only consequence of those special cases was to cause crashes
9463 in case of arguments that are also captured variables (i.e. we have SlowArguments). This
9464 change just removes those special cases.
9465
9466 This change means that the FTL will now see SetLocals with a FlushedArguments format.
9467 Previously you wouldn't see them because previously only non-captured variables would be
9468 arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
9469 left. Adding handling for FlushedArguments is a benign and simple change since its
9470 behavior is identical to FlushedJSValue for that code's purposes.
9471
9472 * dfg/DFGArgumentsSimplificationPhase.cpp:
9473 (JSC::DFG::ArgumentsSimplificationPhase::run):
9474 * ftl/FTLLowerDFGToLLVM.cpp:
9475 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
9476 * tests/stress/captured-arguments-variable.js: Added.
9477 (foo):
9478 (noInline):
9479
94802014-03-25 Mark Hahnenberg <mhahnenberg@apple.com>
9481
9482 Add HeapInlines
9483 https://bugs.webkit.org/show_bug.cgi?id=130759
9484
9485 Reviewed by Filip Pizlo.
9486
9487 * GNUmakefile.list.am:
9488 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9489 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
9490 * JavaScriptCore.xcodeproj/project.pbxproj:
9491 * heap/Heap.cpp:
9492 (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
9493 (JSC::MarkedBlockSnapshotFunctor::operator()):
9494 * heap/Heap.h: Also reindented while we're here.
9495 (JSC::Heap::writeBarrierBuffer):
9496 (JSC::Heap::vm):
9497 (JSC::Heap::objectSpace):
9498 (JSC::Heap::machineThreads):
9499 (JSC::Heap::operationInProgress):
9500 (JSC::Heap::allocatorForObjectWithoutDestructor):
9501 (JSC::Heap::allocatorForObjectWithNormalDestructor):
9502 (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
9503 (JSC::Heap::storageAllocator):
9504 (JSC::Heap::notifyIsSafeToCollect):
9505 (JSC::Heap::isSafeToCollect):
9506 (JSC::Heap::handleSet):
9507 (JSC::Heap::handleStack):
9508 (JSC::Heap::lastFullGCLength):
9509 (JSC::Heap::lastEdenGCLength):
9510 (JSC::Heap::increaseLastFullGCLength):
9511 (JSC::Heap::sizeBeforeLastEdenCollection):
9512 (JSC::Heap::sizeAfterLastEdenCollection):
9513 (JSC::Heap::sizeBeforeLastFullCollection):
9514 (JSC::Heap::sizeAfterLastFullCollection):
9515 (JSC::Heap::jitStubRoutines):
9516 (JSC::Heap::isDeferred):
9517 (JSC::Heap::structureIDTable):
9518 (JSC::Heap::removeCodeBlock):
9519 * heap/HeapInlines.h: Added.
9520 (JSC::Heap::shouldCollect):
9521 (JSC::Heap::isBusy):
9522 (JSC::Heap::isCollecting):
9523 (JSC::Heap::heap):
9524 (JSC::Heap::isLive):
9525 (JSC::Heap::isInRememberedSet):
9526 (JSC::Heap::isMarked):
9527 (JSC::Heap::testAndSetMarked):
9528 (JSC::Heap::setMarked):
9529 (JSC::Heap::isWriteBarrierEnabled):
9530 (JSC::Heap::writeBarrier):
9531 (JSC::Heap::reportExtraMemoryCost):
9532 (JSC::Heap::forEachProtectedCell):
9533 (JSC::Heap::forEachCodeBlock):
9534 (JSC::Heap::allocateWithNormalDestructor):
9535 (JSC::Heap::allocateWithImmortalStructureDestructor):
9536 (JSC::Heap::allocateWithoutDestructor):
9537 (JSC::Heap::tryAllocateStorage):
9538 (JSC::Heap::tryReallocateStorage):
9539 (JSC::Heap::ascribeOwner):
9540 (JSC::Heap::blockAllocator):
9541 (JSC::Heap::releaseSoon):
9542 (JSC::Heap::incrementDeferralDepth):
9543 (JSC::Heap::decrementDeferralDepth):
9544 (JSC::Heap::collectIfNecessaryOrDefer):
9545 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
9546 (JSC::Heap::markListSet):
9547 * runtime/JSCInlines.h:
9548
95492014-03-25 Filip Pizlo <fpizlo@apple.com>
9550
9551 DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
9552 https://bugs.webkit.org/show_bug.cgi?id=130760
9553
9554 Reviewed by Mark Hahnenberg.
9555
9556 * dfg/DFGByteCodeParser.cpp:
9557 (JSC::DFG::ByteCodeParser::setLocal):
9558 (JSC::DFG::ByteCodeParser::setArgument):
9559 (JSC::DFG::ByteCodeParser::handleInlining):
9560 (JSC::DFG::ByteCodeParser::parseBlock):
9561 * tests/stress/assign-argument-in-inlined-call.js: Added.
9562 (f1):
9563 (getF2Arguments):
9564 (f2):
9565 (f3):
9566 * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
9567 (f1):
9568 (f2):
9569 (f3):
9570
95712014-03-25 Filip Pizlo <fpizlo@apple.com>
9572
9573 Fix 32-bit getter call alignment.
9574
9575 Reviewed by Mark Hahnenberg.
9576
9577 * jit/Repatch.cpp:
9578 (JSC::generateGetByIdStub):
9579
95802014-03-25 Filip Pizlo <fpizlo@apple.com>
9581
9582 Repatch should plant calls to getters directly rather than through a C helper
9583 https://bugs.webkit.org/show_bug.cgi?id=129589
9584
9585 Reviewed by Mark Hahnenberg.
9586
9587 As the title says. All of the superstructure for this was already in place, so now it
9588 was just a matter of actually emitting the call.
9589
9590 8x speed-up for getter microbenchmarks.
9591
9592 * CMakeLists.txt:
9593 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9594 * JavaScriptCore.xcodeproj/project.pbxproj:
9595 * bytecode/PolymorphicGetByIdList.h:
9596 (JSC::GetByIdAccess::doesCalls):
9597 * jit/AccessorCallJITStubRoutine.cpp: Added.
9598 (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
9599 (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
9600 (JSC::AccessorCallJITStubRoutine::visitWeak):
9601 * jit/AccessorCallJITStubRoutine.h: Added.
9602 * jit/AssemblyHelpers.h:
9603 (JSC::AssemblyHelpers::storeCell):
9604 * jit/GCAwareJITStubRoutine.h:
9605 * jit/Repatch.cpp:
9606 (JSC::generateGetByIdStub):
9607 * runtime/GetterSetter.h:
9608 (JSC::GetterSetter::offsetOfGetter):
9609 (JSC::GetterSetter::offsetOfSetter):
9610
96112014-03-25 Michael Saboff <msaboff@apple.com>
9612
9613 Unreviewed, rolling out r166126.
9614
9615 Rollout r166126 in preparation to roll out prerequisite r166070
9616
9617 Reverted changeset:
9618
9619 "toThis() on a JSWorkerGlobalScope should return a JSProxy and
9620 not undefined"
9621 https://bugs.webkit.org/show_bug.cgi?id=130554
9622 http://trac.webkit.org/changeset/166126
9623
96242014-03-25 Oliver Hunt <oliver@apple.com>
9625
9626 AST incorrectly conflates readable and writable locations
9627 https://bugs.webkit.org/show_bug.cgi?id=130734
9628
9629 Reviewed by Filip Pizlo.
9630
9631 We need to distinguish between "locations" that are valid for reading
9632 and writing, vs those that may only be written.
9633
9634 * bytecompiler/NodesCodegen.cpp:
9635 (JSC::ForInNode::emitBytecode):
9636 (JSC::ForOfNode::emitBytecode):
9637 * parser/Nodes.h:
9638 (JSC::ExpressionNode::isAssignmentLocation):
9639
96402014-03-24 Oliver Hunt <oliver@apple.com>
9641
9642 ASSERTION FAILED in Parser: dst != localReg
9643 https://bugs.webkit.org/show_bug.cgi?id=130710
9644
9645 Reviewed by Filip Pizlo.
9646
9647 Just make sure we don't try to write to a captured constant,
9648 following the change to track captured variables separately.
9649
9650 * bytecompiler/NodesCodegen.cpp:
9651 (JSC::PostfixNode::emitResolve):
9652 (JSC::PrefixNode::emitResolve):
9653
96542014-03-25 Martin Robinson <mrobinson@igalia.com>
9655
9656 [GTK] Remove the autotools build
9657 https://bugs.webkit.org/show_bug.cgi?id=130717
9658
9659 Reviewed by Anders Carlsson.
9660
9661 * GNUmakefile.am: Removed.
9662 * config.h: Remove references to the autotools configure file.
9663
96642014-03-24 Filip Pizlo <fpizlo@apple.com>
9665
9666 More scaffolding for a stub routine to have a stub recursively embedded inside it
9667 https://bugs.webkit.org/show_bug.cgi?id=130770
9668
9669 Reviewed by Oliver Hunt.
9670
9671 * bytecode/CallLinkInfo.cpp:
9672 (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
9673 (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
9674 * bytecode/CallLinkInfo.h:
9675 * bytecode/CodeBlock.cpp:
9676 (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
9677 (JSC::CodeBlock::unlinkCalls):
9678 (JSC::CodeBlock::unlinkIncomingCalls):
9679 * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
9680 (JSC::GetByIdAccess::visitWeak):
9681 (JSC::PolymorphicGetByIdList::visitWeak):
9682 * bytecode/PolymorphicGetByIdList.h:
9683 * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
9684 (JSC::PutByIdAccess::visitWeak):
9685 (JSC::PolymorphicPutByIdList::visitWeak):
9686 * bytecode/PolymorphicPutByIdList.h:
9687 * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
9688 (JSC::StructureStubInfo::visitWeakReferences):
9689 * bytecode/StructureStubInfo.h:
9690 * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
9691 (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
9692 * jit/GCAwareJITStubRoutine.cpp:
9693 (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
9694 (JSC::createJITStubRoutine):
9695 * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
9696 (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
9697 * jit/JITStubRoutine.cpp:
9698 (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
9699 * jit/JITStubRoutine.h:
9700 * jit/Repatch.cpp:
9701 (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
9702 (JSC::emitCustomSetterStub): Clean up some code.
9703
97042014-03-24 Geoffrey Garen <ggaren@apple.com>
9705
9706 Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
9707 when WebKit is compiled with fcatch-undefined-behavior
9708 https://bugs.webkit.org/show_bug.cgi?id=130652
9709
9710 Reviewed by Mark Hahnenberg.
9711
9712 Use a static member function because the butterfly we pass in might be
9713 NULL, and passing NULL to a member function is undefined behavior.
9714
9715 Stylistically, I think this new way reads a little more clearly, since it
9716 matches createOrGrowArrayRight, and it helps to convey that m_butterfly
9717 might not exist yet.
9718
9719 * runtime/Butterfly.h:
9720 * runtime/ButterflyInlines.h:
9721 (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
9722 because we might create. Split out the create path to avoid using NULL
9723 in a member function expression.
9724
9725 Removed some unused versions of this function.
9726
9727 * runtime/JSObject.cpp:
9728 (JSC::JSObject::growOutOfLineStorage): Updated for interface change.
9729
97302014-03-24 Oliver Hunt <oliver@apple.com>
9731
9732 Strict mode destructuring assignment crashes the parser.
9733 https://bugs.webkit.org/show_bug.cgi?id=130538
9734
9735 Reviewed by Michael Saboff.
9736
9737 The SyntaxChecker mode always returns 1 for success, except
9738 for a small subset of functions where we needed exact information.
9739 This ends up just being a poor design decision as it means
9740 the parser can get confused between a function returning 1, and
9741 the Resolve constant which was also 1. So we now use a unique
9742 type for every creation method.
9743
9744 * parser/SyntaxChecker.h:
9745 (JSC::SyntaxChecker::createSourceElements):
9746 (JSC::SyntaxChecker::createFunctionBody):
9747 (JSC::SyntaxChecker::createArguments):
9748 (JSC::SyntaxChecker::createSpreadExpression):
9749 (JSC::SyntaxChecker::createArgumentsList):
9750 (JSC::SyntaxChecker::createPropertyList):
9751 (JSC::SyntaxChecker::createElementList):
9752 (JSC::SyntaxChecker::createFormalParameterList):
9753 (JSC::SyntaxChecker::createClause):
9754 (JSC::SyntaxChecker::createClauseList):
9755 (JSC::SyntaxChecker::createFuncDeclStatement):
9756 (JSC::SyntaxChecker::createBlockStatement):
9757 (JSC::SyntaxChecker::createExprStatement):
9758 (JSC::SyntaxChecker::createIfStatement):
9759 (JSC::SyntaxChecker::createForLoop):
9760 (JSC::SyntaxChecker::createForInLoop):
9761 (JSC::SyntaxChecker::createForOfLoop):
9762 (JSC::SyntaxChecker::createEmptyStatement):
9763 (JSC::SyntaxChecker::createVarStatement):
9764 (JSC::SyntaxChecker::createReturnStatement):
9765 (JSC::SyntaxChecker::createBreakStatement):
9766 (JSC::SyntaxChecker::createContinueStatement):
9767 (JSC::SyntaxChecker::createTryStatement):
9768 (JSC::SyntaxChecker::createSwitchStatement):
9769 (JSC::SyntaxChecker::createWhileStatement):
9770 (JSC::SyntaxChecker::createWithStatement):
9771 (JSC::SyntaxChecker::createDoWhileStatement):
9772 (JSC::SyntaxChecker::createLabelStatement):
9773 (JSC::SyntaxChecker::createThrowStatement):
9774 (JSC::SyntaxChecker::createDebugger):
9775 (JSC::SyntaxChecker::createConstStatement):
9776 (JSC::SyntaxChecker::appendConstDecl):
9777 (JSC::SyntaxChecker::combineCommaNodes):
9778 (JSC::SyntaxChecker::operatorStackPop):
9779
97802014-03-24 Brent Fulgham <bfulgham@apple.com>
9781
9782 Activate WebVTT Tests Once Merging is Complete
9783 https://bugs.webkit.org/show_bug.cgi?id=130420
9784
9785 Reviewed by Eric Carlson.
9786
9787 * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
9788
97892014-03-24 Andreas Kling <akling@apple.com>
9790
9791 Stop pulling in all the macro assemblers from VM.h
9792 <https://webkit.org/b/130691>
9793
9794 Remove #include of "GPRInfo.h". This breaks WebCore's dependency
9795 on macro assemblers headers and removes 8 includes from every
9796 .cpp file in the JS bindings.
9797
9798 Reviewed by Geoff Garen.
9799
9800 * runtime/VM.h:
9801
98022014-03-24 Gavin Barraclough <barraclough@apple.com>
9803
9804 Add support for thread QoS
9805 https://bugs.webkit.org/show_bug.cgi?id=130688
9806
9807 Reviewed by Andreas Kling.
9808
9809 * heap/BlockAllocator.cpp:
9810 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
9811 - block freeing is a utility activity.
9812
98132014-03-24 Filip Pizlo <fpizlo@apple.com>
9814
9815 Unreviewed, fix CLOOP build.
9816
9817 * bytecode/CallLinkStatus.cpp:
9818 (JSC::CallLinkStatus::computeFor):
9819 * bytecode/CodeBlock.cpp:
9820 (JSC::CodeBlock::printCallOp):
9821 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
9822 (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
9823 * bytecode/CodeBlock.h:
9824 (JSC::CodeBlock::callLinkInfosEnd): Deleted.
9825
98262014-03-24 Gabor Rapcsanyi <rgabor@webkit.org>
9827
9828 [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
9829 https://bugs.webkit.org/show_bug.cgi?id=130453
9830
9831 Reviewed by Filip Pizlo.
9832
9833 Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
9834 at sxtw and uxtw instructions.
9835
9836 * offlineasm/arm64.rb:
9837
98382014-03-23 Hyowon Kim <hw1008.kim@samsung.com>
9839
9840 Move all EFL typedefs into EflTypedefs.h.
9841 https://bugs.webkit.org/show_bug.cgi?id=130511
9842
9843 Reviewed by Gyuyoung Kim.
9844
9845 * heap/HeapTimer.h: Remove EFL typedefs.
9846
98472014-03-23 Filip Pizlo <fpizlo@apple.com>
9848
9849 Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
9850 https://bugs.webkit.org/show_bug.cgi?id=130650
9851 <rdar://problem/16122966>
9852
9853 Reviewed by Michael Saboff.
9854
9855 Previously, it was only in the case of inlining that we would do SetLocal's beyond the
9856 previously established numLocals limit. But then we added generalized op_call_varargs
9857 handling, which results in us emitting SetLocals that didn't previously exist in the
9858 bytecode.
9859
9860 This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.
9861
9862 * dfg/DFGByteCodeParser.cpp:
9863 (JSC::DFG::ByteCodeParser::ensureLocals):
9864 (JSC::DFG::ByteCodeParser::handleInlining):
9865 (JSC::DFG::ByteCodeParser::parseBlock):
9866 (JSC::DFG::ByteCodeParser::parse):
9867 * ftl/FTLOSRExitCompiler.cpp:
9868 (JSC::FTL::compileStub): Make this do alignment correctly.
9869 * runtime/Options.h:
9870 * tests/stress/call-varargs-from-inlined-code.js: Added.
9871 * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
9872
98732014-03-22 Filip Pizlo <fpizlo@apple.com>
9874
9875 Unreviewed, adjust sizes for ARM64.
9876
9877 * ftl/FTLInlineCacheSize.cpp:
9878 (JSC::FTL::sizeOfCall):
9879
98802014-03-22 Filip Pizlo <fpizlo@apple.com>
9881
9882 Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
9883 https://bugs.webkit.org/show_bug.cgi?id=130649
9884 <rdar://problem/16399949>
9885
9886 Reviewed by Andreas Kling.
9887
9888 * dfg/DFGSpeculativeJIT32_64.cpp:
9889 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
9890 * dfg/DFGSpeculativeJIT64.cpp:
9891 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
9892 * tests/stress/fuzz-bug-16399949.js: Added.
9893 (tryItOut.f):
9894 (tryItOut):
9895
98962014-03-22 Filip Pizlo <fpizlo@apple.com>
9897
9898 Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
9899 https://bugs.webkit.org/show_bug.cgi?id=130644
9900
9901 Reviewed by Andreas Kling.
9902
9903 This is conceptually a really simple change but it involves the following:
9904
9905 - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
9906
9907 - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
9908
9909 - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
9910 longer has a vector of slow path counts that shadows the CallLinkInfo vector.
9911
9912 - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
9913 and not all relinking.
9914
9915 This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
9916 the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
9917 with a op_call/op_construct instruction and a machine code return PC within such an
9918 instruction.
9919
9920 * bytecode/CallLinkInfo.h:
9921 (JSC::getCallLinkInfoCodeOrigin):
9922 * bytecode/CallLinkStatus.cpp:
9923 (JSC::CallLinkStatus::computeFor):
9924 (JSC::CallLinkStatus::computeDFGStatuses):
9925 * bytecode/CallLinkStatus.h:
9926 * bytecode/CodeBlock.cpp:
9927 (JSC::CodeBlock::printCallOp):
9928 (JSC::CodeBlock::dumpBytecode):
9929 (JSC::CodeBlock::finalizeUnconditionally):
9930 (JSC::CodeBlock::getCallLinkInfoMap):
9931 (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
9932 (JSC::CodeBlock::addCallLinkInfo):
9933 (JSC::CodeBlock::unlinkCalls):
9934 * bytecode/CodeBlock.h:
9935 (JSC::CodeBlock::stubInfoBegin):
9936 (JSC::CodeBlock::stubInfoEnd):
9937 (JSC::CodeBlock::callLinkInfosBegin):
9938 (JSC::CodeBlock::callLinkInfosEnd):
9939 (JSC::CodeBlock::byValInfo):
9940 * dfg/DFGByteCodeParser.cpp:
9941 (JSC::DFG::ByteCodeParser::handleCall):
9942 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
9943 * dfg/DFGJITCode.h:
9944 * dfg/DFGJITCompiler.cpp:
9945 (JSC::DFG::JITCompiler::link):
9946 * dfg/DFGJITCompiler.h:
9947 (JSC::DFG::JITCompiler::addJSCall):
9948 (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
9949 * dfg/DFGOSRExitCompilerCommon.cpp:
9950 (JSC::DFG::reifyInlinedCallFrames):
9951 * dfg/DFGSpeculativeJIT.cpp:
9952 (JSC::DFG::SpeculativeJIT::compile):
9953 * dfg/DFGSpeculativeJIT.h:
9954 * dfg/DFGSpeculativeJIT32_64.cpp:
9955 (JSC::DFG::SpeculativeJIT::emitCall):
9956 * dfg/DFGSpeculativeJIT64.cpp:
9957 (JSC::DFG::SpeculativeJIT::emitCall):
9958 * ftl/FTLCompile.cpp:
9959 (JSC::FTL::fixFunctionBasedOnStackMaps):
9960 * ftl/FTLInlineCacheSize.cpp:
9961 (JSC::FTL::sizeOfCall):
9962 * ftl/FTLJSCall.cpp:
9963 (JSC::FTL::JSCall::JSCall):
9964 (JSC::FTL::JSCall::emit):
9965 (JSC::FTL::JSCall::link):
9966 * ftl/FTLJSCall.h:
9967 * jit/JIT.cpp:
9968 (JSC::JIT::privateCompileMainPass):
9969 (JSC::JIT::privateCompileSlowCases):
9970 (JSC::JIT::privateCompile):
9971 * jit/JIT.h:
9972 * jit/JITCall.cpp:
9973 (JSC::JIT::compileOpCall):
9974 (JSC::JIT::compileOpCallSlowCase):
9975 * jit/JITCall32_64.cpp:
9976 (JSC::JIT::compileOpCall):
9977 (JSC::JIT::compileOpCallSlowCase):
9978 * jit/JITOperations.cpp:
9979 * jit/JITOperations.h:
9980 (JSC::operationLinkFor):
9981 (JSC::operationVirtualFor):
9982 (JSC::operationLinkClosureCallFor):
9983 * jit/Repatch.cpp:
9984 (JSC::linkClosureCall):
9985 * jit/ThunkGenerators.cpp:
9986 (JSC::slowPathFor):
9987 (JSC::virtualForThunkGenerator):
9988 * tests/stress/eval-that-is-not-eval.js: Added.
9989
99902014-03-22 Filip Pizlo <fpizlo@apple.com>
9991
9992 Unreviewed, fix mispelled test name.
9993
9994 * tests/stress/constand-folding-osr-exit.js: Removed.
9995 * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
9996
99972014-03-22 Andreas Kling <akling@apple.com>
9998
9999 CREATE_DOM_WRAPPER doesn't need the ExecState.
10000 <https://webkit.org/b/130648>
10001
10002 Add a fast path from JSGlobalObject to the VM so we don't have
10003 to dance via the Heap.
10004
10005 Reviewed by Darin Adler.
10006
10007 * runtime/JSGlobalObject.cpp:
10008 (JSC::JSGlobalObject::JSGlobalObject):
10009 * runtime/JSGlobalObject.h:
10010 (JSC::JSGlobalObject::vm):
10011
100122014-03-22 Filip Pizlo <fpizlo@apple.com>
10013
10014 Unreviewed, fix FTL build.
10015
10016 * ftl/FTLJITFinalizer.cpp:
10017
100182014-03-22 Michael Saboff <msaboff@apple.com>
10019
10020 toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
10021 https://bugs.webkit.org/show_bug.cgi?id=130554
10022
10023 Reviewed by Geoffrey Garen.
10024
10025 Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
10026 Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
10027 happen in finishCreation() so that it will also happen for other derived classes including
10028 JSWorkerGlobalScopeBase.
10029
10030 * API/JSContextRef.cpp:
10031 (JSGlobalContextCreateInGroup):
10032 * jsc.cpp:
10033 (GlobalObject::create):
10034 * API/tests/testapi.c:
10035 (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
10036 the result from JSContextGetGlobalObject() as that will return the proxy.
10037 * runtime/JSGlobalObject.cpp:
10038 (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
10039 we now call setGlobalThis in finishCreation().
10040 * runtime/JSGlobalObject.h:
10041 (JSC::JSGlobalObject::finishCreation):
10042 (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
10043
100442014-03-22 Andreas Kling <akling@apple.com>
10045
10046 Fix debug build.
10047
10048 * bytecode/CodeBlock.cpp:
10049 * runtime/Executable.cpp:
10050
100512014-03-22 Andreas Kling <akling@apple.com>
10052
10053 Cut down on JSC profiler includes in WebCore & co.
10054 <https://webkit.org/b/130637>
10055
10056 Most of WebKit was pulling in JSC's profiler headers via VM.h.
10057
10058 Reviewed by Darin Adler.
10059
10060 * dfg/DFGDisassembler.cpp:
10061 * dfg/DFGDisassembler.h:
10062 * dfg/DFGJITFinalizer.cpp:
10063 * jsc.cpp:
10064 * runtime/VM.cpp:
10065 * runtime/VM.h:
10066
100672014-03-22 Landry Breuil <landry@openbsd.org>
10068
10069 Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
10070 https://bugs.webkit.org/show_bug.cgi?id=129965
10071
10072 Reviewed By Anders Carlsson.
10073
100742014-03-21 Mark Lam <mark.lam@apple.com>
10075
10076 Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
10077 <https://webkit.org/b/124508>
10078
10079 Reviewed by Oliver Hunt.
10080
10081 The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
10082 pointer from the BytecodeGenerator's m_localScopes vector, and then it
10083 calls emitPopScopes(). emitPopScopes() may do finally clause handling
10084 which will require the m_localScopes to be cloned so that it can change
10085 the local scopes for the finally block, and then restore it after
10086 handling the finally clause. These modifications of the m_localScopes
10087 vector will result in the LabelScope pointer in BreakNode::emitBytecode()
10088 becoming stale, thereby causing the crash.
10089
10090 The same issue applies to the ContinueNode as well.
10091
10092 The fix is to use the existing LabelScopePtr abstraction instead of raw
10093 LabelScope pointers. The LabelScopePtr is resilient to the underlying
10094 vector re-allocating its backing store.
10095
10096 I also changed the LabelScopePtr constructor that takes a LabelScopeStore
10097 to expect a reference to the owner store instead of a pointer because the
10098 owner store should never be a null pointer.
10099
10100 * bytecompiler/BytecodeGenerator.cpp:
10101 (JSC::BytecodeGenerator::newLabelScope):
10102 (JSC::BytecodeGenerator::breakTarget):
10103 (JSC::BytecodeGenerator::continueTarget):
10104 * bytecompiler/BytecodeGenerator.h:
10105 * bytecompiler/LabelScope.h:
10106 (JSC::LabelScopePtr::LabelScopePtr):
10107 (JSC::LabelScopePtr::operator bool):
10108 (JSC::LabelScopePtr::null):
10109 * bytecompiler/NodesCodegen.cpp:
10110 (JSC::ContinueNode::trivialTarget):
10111 (JSC::ContinueNode::emitBytecode):
10112 (JSC::BreakNode::trivialTarget):
10113 (JSC::BreakNode::emitBytecode):
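
The stale-pointer hazard and the index-based handle this entry describes, as an added example that is not JavaScriptCore's own code: LabelScope, LabelScopeStore, LabelScopePtr, emitPopScopesThroughFinally and emitBreak are hypothetical stand-ins modelled on the names above, not the real JSC types.

```cpp
// Added example, not JavaScriptCore's code: models the stale-pointer bug
// above with hypothetical stand-ins for LabelScope, LabelScopeStore and
// LabelScopePtr. The real JSC types differ; only the idea is reproduced.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

struct LabelScope {
    std::string name;
};

// The owner of every scope, like the generator's m_localScopes vector.
using LabelScopeStore = std::vector<LabelScope>;

// Index-based handle: an owner reference plus an index. It is resolved on
// every use, so it survives the owner reallocating or replacing its buffer.
class LabelScopePtr {
public:
    // The owner is taken by reference: it must never be null.
    LabelScopePtr(LabelScopeStore& store, size_t index)
        : m_store(&store), m_index(index) {}
    static LabelScopePtr null(LabelScopeStore& store)
    {
        return LabelScopePtr(store, kNullIndex);
    }
    explicit operator bool() const { return m_index != kNullIndex; }
    LabelScope& operator*() const
    {
        assert(m_index < m_store->size());
        return (*m_store)[m_index];
    }
    LabelScope* operator->() const { return &**this; }

private:
    static constexpr size_t kNullIndex = static_cast<size_t>(-1);
    LabelScopeStore* m_store;
    size_t m_index;
};

// Stand-in for emitPopScopes() taking the finally-clause path: the scope
// vector is cloned, replaced while the finally block is emitted, and then
// restored. The store's backing buffer is a different allocation afterwards,
// so a raw LabelScope* taken before the call now points into freed memory.
void emitPopScopesThroughFinally(LabelScopeStore& scopes)
{
    LabelScopeStore saved = scopes;          // clone (new allocation)
    scopes.clear();
    for (int i = 0; i < 32; ++i)             // finally block gets its own scopes
        scopes.push_back({"finally-" + std::to_string(i)});
    scopes = std::move(saved);               // restore: buffer is now the clone's
}

// Stand-in for BreakNode::emitBytecode(): find the target scope, pop scopes
// (which may go through finally handling), then use the target. Holding the
// target as a LabelScopePtr keeps this correct. Returns the target's name as
// read after the pop, or "" if no scope carries the label.
std::string emitBreak(LabelScopeStore& scopes, const std::string& label)
{
    LabelScopePtr target = LabelScopePtr::null(scopes);
    for (size_t i = 0; i < scopes.size(); ++i) {
        if (scopes[i].name == label)
            target = LabelScopePtr(scopes, i);
    }
    if (!target)
        return "";
    emitPopScopesThroughFinally(scopes);     // storage replaced underneath us
    return target->name;                     // resolved through the store: still valid
}

// The buggy shape for contrast: a raw pointer captured before the pop. It is
// only compared here, never dereferenced. Returns true when it went stale.
bool rawPointerWentStale(LabelScopeStore& scopes)
{
    LabelScope* raw = &scopes[0];
    emitPopScopesThroughFinally(scopes);
    return raw != &scopes[0];
}

// Scenario used below: an outer scope and a labelled loop scope.
std::string breakTargetSeenAfterPop()
{
    LabelScopeStore scopes;
    scopes.push_back({"outer"});
    scopes.push_back({"loop"});
    return emitBreak(scopes, "loop");        // "loop"
}

bool rawPointerDemoWentStale()
{
    LabelScopeStore scopes;
    scopes.push_back({"outer"});
    return rawPointerWentStale(scopes);      // true
}
```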

2014-03-21 Mark Hahnenberg <mhahnenberg@apple.com>

6% SunSpider commandline regression due to r165940
https://bugs.webkit.org/show_bug.cgi?id=130617

Reviewed by Michael Saboff.

In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
before. Some of the benchmarks are never running a single EdenCollection, which causes
them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
magnitude more than we normally would.

The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

* heap/Heap.cpp:
(JSC::Heap::Heap):

2014-03-21 Filip Pizlo <fpizlo@apple.com>

Constants folded by DFG::ByteCodeParser should not be dead.
https://bugs.webkit.org/show_bug.cgi?id=130576

Reviewed by Mark Hahnenberg.

This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
or more folders in LLVM). Doing so has no performance impact since the other constant folders
already subsume this one.

Also added a test case for the specific bug that instigated this.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getJSConstantForValue):
(JSC::DFG::ByteCodeParser::getJSConstant):
(JSC::DFG::ByteCodeParser::inferredConstant):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.h:
* tests/stress/constand-folding-osr-exit.js: Added.
(foo):
(test):
(.var):

2014-03-21 Mark Lam <mark.lam@apple.com>

StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
<https://webkit.org/b/130566>

Reviewed by Filip Pizlo.

* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):

2014-03-20 Filip Pizlo <fpizlo@apple.com>

FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
https://bugs.webkit.org/show_bug.cgi?id=130562
<rdar://problem/16382842>

Reviewed by Geoffrey Garen.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
* tests/stress/uint32array-unsigned-load.js: Added.
(foo):

2014-03-20 Brian Burg <bburg@apple.com>

Web Inspector: add frontend controller and models for replay sessions
https://bugs.webkit.org/show_bug.cgi?id=130145

Reviewed by Joseph Pecoraro.

* inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20 Filip Pizlo <fpizlo@apple.com>

FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
https://bugs.webkit.org/show_bug.cgi?id=130546
<rdar://problem/16383308>

Reviewed by Mark Hahnenberg.

Make AI do a better job of folding this.

Also made the FTL backend be more tolerant of data representations. In this case it
didn't know that "constant" was a valid representation. There is a finite set of
possible representations, but broadly, we don't write code that presumes anything
about the representation of an input; that's what methods like lowJSValue() are for.
ValueToInt32 was previously not relying on those methods at all because it had some
hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
to lowJSValue().

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
* tests/stress/value-to-int32-undefined-constant.js: Added.
(foo):
* tests/stress/value-to-int32-undefined.js: Added.
(foo):

2014-03-20 Mark Hahnenberg <mhahnenberg@apple.com>

Add some assertions back
https://bugs.webkit.org/show_bug.cgi?id=130531

Reviewed by Geoffrey Garen.

We removed a useful set of assertions for verifying that MarkedBlocks were
in the state that we expected them to be in after clearing marks in the Heap.
We should add these back to catch bugs earlier.

* heap/MarkedBlock.h:
* heap/MarkedSpace.cpp:
(JSC::VerifyMarkedOrRetired::operator()):
(JSC::MarkedSpace::clearMarks):

2014-03-20 Filip Pizlo <fpizlo@apple.com>

Implement stackmap header version check and support new stackmap formats
https://bugs.webkit.org/show_bug.cgi?id=130535
<rdar://problem/16164284>

Reviewed by Geoffrey Garen.

Add the notion of versioning so that LLVMers can happily implement new stackmap formats
without worrying about WebKit getting version-locked to LLVM. In the future, we will have
to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
happy to move backward in time to older versions of LLVM.

* ftl/FTLStackMaps.cpp:
(JSC::FTL::readObject):
(JSC::FTL::StackMaps::Constant::parse):
(JSC::FTL::StackMaps::StackSize::parse):
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::parse):
(JSC::FTL::StackMaps::dump):
(JSC::FTL::StackMaps::dumpMultiline):
* ftl/FTLStackMaps.h:

2014-03-20 Filip Pizlo <fpizlo@apple.com>

Crash beneath operationTearOffActivation running this JS compression demo
https://bugs.webkit.org/show_bug.cgi?id=130295
<rdar://problem/16332337>

Reviewed by Oliver Hunt.

Make sure that we flush things as if we were at a terminal, if we are at a block with
no forward edges. This fixes infinitely loopy code with captured variables.

Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.

Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
it by itself. Now it's an artifact of CPS rethreading.

Add a bunch of tests. All of them previously either crashed or returned bad output due
to memory corruption.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::isCaptured):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::flushForReturn):
(JSC::DFG::ByteCodeParser::flushIfTerminal):
(JSC::DFG::ByteCodeParser::branchData):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
(JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::clearFlagsOnAllNodes):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* tests/stress/activation-test-loop.js: Added.
(Inner.this.doStuff):
(Inner):
(foo.inner.isDone):
(foo):
* tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(fuzz):
(foo.f):
(foo):
* tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):

2014-03-20 Oliver Hunt <oliver@apple.com>

Incorrect behavior when mutating a typed array during set.
https://bugs.webkit.org/show_bug.cgi?id=130428

Reviewed by Geoffrey Garen.

This fixes a null dereference that occurs if a typed array
is mutated during the set() operation. The patch gets rid
of the "Quickly" version of setIndex that is assigning
JSValues of unknown type, as the numeric conversion can trigger
side effects that lead to neutering, and so we deref null.

* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndex):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
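
The "convert first, then re-validate the view" ordering behind this fix, as an added example that is not JavaScriptCore's own code: ArrayBuffer, ScriptValue, Uint8View, setIndex and setFromValues are hypothetical stand-ins, and the valueOf side effect is modelled as a callback.

```cpp
// Added example, not JavaScriptCore's code: the "convert, then re-validate"
// pattern behind the fix above, modelled with hypothetical stand-ins for
// ArrayBuffer, JSValue and the typed-array view. Only the idea is reproduced.
#include <cassert>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for an ArrayBuffer that script can neuter (detach) at any time.
struct ArrayBuffer {
    std::vector<uint8_t> bytes;
    bool neutered = false;
    void neuter() { bytes.clear(); bytes.shrink_to_fit(); neutered = true; }
};

// Stand-in for a JS value of unknown type. Converting it to a number may run
// arbitrary script (valueOf), modelled here as an optional callback.
struct ScriptValue {
    double number;
    std::function<void()> valueOfSideEffect;   // empty for plain numbers
    double toNumber() const
    {
        if (valueOfSideEffect)
            valueOfSideEffect();
        return number;
    }
};

// Stand-in for a Uint8 typed array view over a buffer.
struct Uint8View {
    std::shared_ptr<ArrayBuffer> buffer;
    size_t length() const { return buffer->neutered ? 0 : buffer->bytes.size(); }
    uint8_t* data() const { return buffer->neutered ? nullptr : buffer->bytes.data(); }
};

enum class SetResult { Ok, IndexOutOfRange, NeuteredDuringConversion };

// ToUint8 semantics without undefined casts: non-finite -> 0, otherwise
// truncate and wrap modulo 256.
uint8_t toUint8(double n)
{
    if (!std::isfinite(n))
        return 0;
    double m = std::fmod(std::trunc(n), 256.0);
    if (m < 0)
        m += 256.0;
    return static_cast<uint8_t>(m);
}

// Hardened setIndex for a value of unknown type. The removed "Quickly" path
// in the entry above decided it was safe to write before the conversion ran;
// here the conversion runs first and the view is re-validated afterwards.
SetResult setIndex(Uint8View& view, size_t i, const ScriptValue& v)
{
    double n = v.toNumber();                   // may run valueOf(), may neuter
    if (view.buffer->neutered)
        return SetResult::NeuteredDuringConversion;
    if (i >= view.length())                    // length re-read, not cached
        return SetResult::IndexOutOfRange;
    view.data()[i] = toUint8(n);               // pointer re-read after toNumber()
    return SetResult::Ok;
}

// Models set() from a plain array source: each element is converted and
// stored in turn; the loop stops at the first element whose conversion
// invalidated the destination.
SetResult setFromValues(Uint8View& view, size_t offset, const std::vector<ScriptValue>& src)
{
    if (offset > view.length() || src.size() > view.length() - offset)
        return SetResult::IndexOutOfRange;
    for (size_t k = 0; k < src.size(); ++k) {
        SetResult r = setIndex(view, offset + k, src[k]);
        if (r != SetResult::Ok)
            return r;
    }
    return SetResult::Ok;
}

// Scenario 1: plain numbers are stored (with wrap-around) at the offset.
bool plainStoreWorks()
{
    auto buf = std::make_shared<ArrayBuffer>();
    buf->bytes.assign(4, 0);
    Uint8View view{buf};
    std::vector<ScriptValue> src{{1, nullptr}, {2, nullptr}, {300, nullptr}};
    return setFromValues(view, 1, src) == SetResult::Ok
        && buf->bytes[1] == 1 && buf->bytes[2] == 2 && buf->bytes[3] == 44;
}

// Scenario 2: the second element's valueOf neuters the buffer mid-set. The
// first element was stored; the second store is refused instead of writing
// through a null backing pointer.
SetResult neuteringDuringSetIsDetected()
{
    auto buf = std::make_shared<ArrayBuffer>();
    buf->bytes.assign(4, 0);
    Uint8View view{buf};
    std::vector<ScriptValue> src{
        {7, nullptr},
        {9, [buf] { buf->neuter(); }},
        {11, nullptr},
    };
    return setFromValues(view, 0, src);        // NeuteredDuringConversion
}
```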

2014-03-20 Gavin Barraclough <barraclough@apple.com>

Remove IdentifierTable typedef, isIdentifier()
https://bugs.webkit.org/show_bug.cgi?id=130533

Rubber stamped by Geoff Garen.

Code should use AtomicStringTable, isAtomic() directly.

* API/JSClassRef.cpp:
(OpaqueJSClass::~OpaqueJSClass):
(OpaqueJSClassContextData::OpaqueJSClassContextData):
(OpaqueJSClass::className):
* API/JSClassRef.h:
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromCell):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
* heap/Heap.cpp:
(JSC::Heap::collect):
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::addVar):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::createBindingPattern):
* runtime/Completion.cpp:
(JSC::checkSyntax):
(JSC::evaluate):
* runtime/Identifier.cpp:
(JSC::Identifier::checkCurrentAtomicStringTable):
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
* runtime/IdentifierInlines.h:
(JSC::Identifier::add):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/JSLock.h:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::find):
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString):
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
(JSC::VM::atomicStringTable):

2014-03-20 Gavin Barraclough <barraclough@apple.com>

Merge AtomicString, Identifier
https://bugs.webkit.org/show_bug.cgi?id=128624

Reviewed by Geoff Garen.

WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
Identifier - that is one too many.

Remove Identifier in favour of AtomicString. Identifier had two interesting
mechanisms that we preserve.

(1) JSC API VMs each get their own string table, switch the string table on
API entry/exit.
(2) JSC caches a pointer to the string table on the VM to avoid a thread
specific access. Adds a new AtomicString::add method to support this.

* API/JSAPIWrapperObject.mm:
- updated includes.
* JavaScriptCore.xcodeproj/project.pbxproj:
- added IdentifierInlines.h.
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
- updated includes.
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.
* runtime/ConsolePrototype.cpp:
- updated includes.
* runtime/Identifier.cpp:
(JSC::Identifier::add):
(JSC::Identifier::add8):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
- added ASSERTS.
(JSC::Identifier::add):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/IdentifierInlines.h: Added.
(JSC::Identifier::add):
- moved from Identifier.h, use AtomicString::add.
* runtime/JSCInlines.h:
- added IdentifierInlines.h.
* runtime/JSLock.h:
- removed IdentifierTable.
* runtime/PropertyNameArray.cpp:
- updated includes.
* runtime/SmallStrings.cpp:
(JSC::SmallStringsStorage::SmallStringsStorage):
- ensure all single character strings are Atomic.
* runtime/VM.cpp:
(JSC::VM::VM):
- instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
* runtime/VM.h:
(JSC::VM::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.

2014-03-20 Gabor Rapcsanyi <rgabor@webkit.org>

[ARM64] Fix assembler build issues and add cacheFlush support for Linux
https://bugs.webkit.org/show_bug.cgi?id=130502

Reviewed by Michael Saboff.

Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
Add cacheFlush support for Linux.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linuxPageFlush):
(JSC::ARM64Assembler::cacheFlush):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19 Gavin Barraclough <barraclough@apple.com>

https://bugs.webkit.org/show_bug.cgi?id=130494
EmptyUnique strings are Identifiers/Atomic

Reviewed by Geoff Garen.

EmptyUnique strings should set the Identifier/Atomic flag.

This fixes an unreproducible bug we believe exists in Identifier handling.
Expected behaviour is that while Identifiers may reference EmptyUniques
(StringImpls allocated as UIDs for PrivateNames), these are not created
through the main Identifier constructor, the Identifier flag is not set
on PrivateNames, and we should never lookup EmptyUnique strings in the
IdentifierTable.

Unfortunately that was happening. Some tables used to implement property
access in the JIT hold StringImpl*s, and turn these back into Identifiers
using the identifier constructor. Since the code generator will now plant
by-id (cachable) accesses to PrivateNames we can end up passing an
EmptyUnique to Identifier::add, potentially leading to PrivateNames being
uniqued together (though hard to prove, since the hash codes are random).

* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
(JSC::PropertyName::uid):
(JSC::PropertyName::publicName):
(JSC::PropertyName::asIndex):
- PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
* runtime/Structure.cpp:
(JSC::Structure::getPropertyNamesFromStructure):
- Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19 Filip Pizlo <fpizlo@apple.com>

Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

* dfg/DFGCommon.h:

2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>

GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261

Reviewed by Geoffrey Garen.

Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
be detected by an EdenCollection).

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/EdenGCActivityCallback.cpp: Added.
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):
(JSC::EdenGCActivityCallback::gcTimeSlice):
* heap/EdenGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createEdenTimer):
* heap/FullGCActivityCallback.cpp: Added.
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):
(JSC::FullGCActivityCallback::gcTimeSlice):
* heap/FullGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createFullTimer):
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::didAbandon):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
(JSC::Heap::sizeBeforeLastEdenCollection):
(JSC::Heap::sizeAfterLastEdenCollection):
(JSC::Heap::sizeBeforeLastFullCollection):
(JSC::Heap::sizeAfterLastFullCollection):
* heap/HeapOperation.h:
* heap/HeapStatistics.cpp:
(JSC::HeapStatistics::showObjectStatistics):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* jsc.cpp:
(functionFullGC):
(functionEdenGC):
* runtime/Options.h:

2014-03-19 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r165926.
https://bugs.webkit.org/show_bug.cgi?id=130488

broke the iOS build (Requested by estes on #webkit).

Reverted changeset:

"GC timer should intelligently choose between EdenCollections
and FullCollections"
https://bugs.webkit.org/show_bug.cgi?id=128261
http://trac.webkit.org/changeset/165926

2014-03-13 Mark Hahnenberg <mhahnenberg@apple.com>

GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261

Reviewed by Geoffrey Garen.

Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
detected by an EdenCollection).

* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::createFullTimer):
(JSC::GCActivityCallback::createEdenTimer):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::didAbandon):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
* heap/Heap.h:
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):

2014-03-19 Filip Pizlo <fpizlo@apple.com>

REGRESSION(r165459): It broke 109 jsc stress tests on ARM Thumb2 and Mac 32 bit
https://bugs.webkit.org/show_bug.cgi?id=130134

Reviewed by Mark Hahnenberg.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
(JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
* jit/JITInlineCacheGenerator.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.

2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>

Normalize some of the older JSC options
https://bugs.webkit.org/show_bug.cgi?id=128753

Reviewed by Michael Saboff.

* runtime/Options.cpp:
(JSC::Options::initialize):

2014-03-12 Mark Lam <mark.lam@apple.com>

Update type of local vars to match the type of String length.
<https://webkit.org/b/130077>

Reviewed by Geoffrey Garen.

* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::join):

2014-03-18 Filip Pizlo <fpizlo@apple.com>

Get rid of Flush in SSA
https://bugs.webkit.org/show_bug.cgi?id=130440

Reviewed by Sam Weinig.

This is basically a red patch. We used to use backwards flow for determining what was
flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
10728 accomplish anything. Keeping them around in SSA can only make things hard.
10729
10730 * CMakeLists.txt:
10731 * GNUmakefile.list.am:
10732 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10733 * JavaScriptCore.xcodeproj/project.pbxproj:
10734 * dfg/DFGBasicBlock.cpp:
10735 (JSC::DFG::BasicBlock::SSAData::SSAData):
10736 * dfg/DFGBasicBlock.h:
10737 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
10738 * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
10739 * dfg/DFGGraph.cpp:
10740 (JSC::DFG::Graph::dump):
10741 * dfg/DFGPlan.cpp:
10742 (JSC::DFG::Plan::compileInThreadImpl):
10743 * dfg/DFGSSAConversionPhase.cpp:
10744 (JSC::DFG::SSAConversionPhase::run):
10745 * ftl/FTLLowerDFGToLLVM.cpp:
10746 (JSC::FTL::LowerDFGToLLVM::compileNode):
10747
107482014-03-18 Filip Pizlo <fpizlo@apple.com>
10749
10750 Unreviewed, fix iOS production build.
10751
10752 * JavaScriptCore.xcodeproj/project.pbxproj:
10753
107542014-03-18 Michael Saboff <msaboff@apple.com>
10755
10756 Update RegExp Tracing code
10757 https://bugs.webkit.org/show_bug.cgi?id=130381
10758
10759 Reviewed by Andreas Kling.
10760
10761 Updated the regular expression tracing code for 8/16 bit JIT as
10762 well as match only entry points. Also added average string length
10763 metric.
10764
10765 * runtime/RegExp.cpp:
10766 (JSC::RegExp::RegExp):
10767 (JSC::RegExp::match):
10768 (JSC::RegExp::printTraceData):
10769 * runtime/RegExp.h:
10770 * runtime/VM.cpp:
10771 (JSC::VM::addRegExpToTrace):
10772 (JSC::VM::dumpRegExpTrace):
10773 * runtime/VM.h:
10774 * yarr/YarrJIT.h:
10775 (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
10776 (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
10777 (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
10778 (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
10779
107802014-03-17 Filip Pizlo <fpizlo@apple.com>
10781
10782 Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
10783 https://bugs.webkit.org/show_bug.cgi?id=130300
10784
10785 Reviewed by Mark Hahnenberg.
10786
10787 We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
10788 This makes the DFG aware of this.
10789
10790 Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
10791 the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
10792
10793 This also gives the DFG some abstractions for checking something is a cell or is other.
10794 This made this patch easier to write and also simplified a bunch of other stuff.
10795
10796 1% speed-up on Octane.
10797
10798 * assembler/AbstractMacroAssembler.h:
10799 (JSC::AbstractMacroAssembler::JumpList::JumpList):
10800 * bytecode/SpeculatedType.h:
10801 (JSC::isNotStringVarSpeculation):
10802 * dfg/DFGFixupPhase.cpp:
10803 (JSC::DFG::FixupPhase::fixupNode):
10804 * dfg/DFGNode.h:
10805 (JSC::DFG::Node::childFor):
10806 (JSC::DFG::Node::shouldSpeculateNotStringVar):
10807 * dfg/DFGSafeToExecute.h:
10808 (JSC::DFG::SafeToExecuteEdge::operator()):
10809 * dfg/DFGSpeculativeJIT.cpp:
10810 (JSC::DFG::SpeculativeJIT::compileIn):
10811 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
10812 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
10813 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
10814 (JSC::DFG::SpeculativeJIT::compileStrictEq):
10815 (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
10816 (JSC::DFG::SpeculativeJIT::compileStringEquality):
10817 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
10818 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
10819 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
10820 (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
10821 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
10822 (JSC::DFG::SpeculativeJIT::speculateString):
10823 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
10824 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
10825 (JSC::DFG::SpeculativeJIT::speculateNotCell):
10826 (JSC::DFG::SpeculativeJIT::speculateOther):
10827 (JSC::DFG::SpeculativeJIT::speculate):
10828 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
10829 (JSC::DFG::SpeculativeJIT::emitSwitchString):
10830 * dfg/DFGSpeculativeJIT.h:
10831 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
10832 (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
10833 (JSC::DFG::SpeculativeJIT::booleanResult):
10834 * dfg/DFGSpeculativeJIT32_64.cpp:
10835 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10836 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10837 (JSC::DFG::SpeculativeJIT::emitCall):
10838 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10839 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10840 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10841 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10842 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10843 (JSC::DFG::SpeculativeJIT::compile):
10844 (JSC::DFG::branchIsCell):
10845 (JSC::DFG::branchNotCell):
10846 (JSC::DFG::SpeculativeJIT::branchIsOther):
10847 (JSC::DFG::SpeculativeJIT::branchNotOther):
10848 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10849 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10850 (JSC::DFG::SpeculativeJIT::blessBoolean):
10851 * dfg/DFGSpeculativeJIT64.cpp:
10852 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10853 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10854 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10855 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10856 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10857 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10858 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10859 (JSC::DFG::SpeculativeJIT::compile):
10860 (JSC::DFG::SpeculativeJIT::writeBarrier):
10861 (JSC::DFG::SpeculativeJIT::branchIsCell):
10862 (JSC::DFG::SpeculativeJIT::branchNotCell):
10863 (JSC::DFG::SpeculativeJIT::branchIsOther):
10864 (JSC::DFG::SpeculativeJIT::branchNotOther):
10865 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10866 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10867 (JSC::DFG::SpeculativeJIT::blessBoolean):
10868 * dfg/DFGUseKind.cpp:
10869 (WTF::printInternal):
10870 * dfg/DFGUseKind.h:
10871 (JSC::DFG::typeFilterFor):
10872 * ftl/FTLCapabilities.cpp:
10873 (JSC::FTL::canCompile):
10874 * ftl/FTLLowerDFGToLLVM.cpp:
10875 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
10876 (JSC::FTL::LowerDFGToLLVM::lowString):
10877 (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
10878 (JSC::FTL::LowerDFGToLLVM::speculate):
10879 (JSC::FTL::LowerDFGToLLVM::speculateString):
10880 (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
10881 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
10882 * runtime/JSCJSValue.h:
10883 * tests/stress/string-ident-to-not-string-var-equality.js: Added.
10884 (foo):
10885 (bar):
10886 (test):
10887
108882014-03-18 Joseph Pecoraro <pecoraro@apple.com>
10889
10890 Add Copyright to framework.sb
10891 https://bugs.webkit.org/show_bug.cgi?id=130413
10892
10893 Reviewed by Timothy Hatcher.
10894
10895 Other sb files got the copyright. Follow suit.
10896
10897 * framework.sb:
10898
108992014-03-18 Matthew Mirman <mmirman@apple.com>
10900
10901 Removed extra parens from if statement in a preprocessor define.
10902 https://bugs.webkit.org/show_bug.cgi?id=130408
10903
10904 Reviewed by Filip Pizlo.
10905
10906 * parser/Parser.cpp:
10907
109082014-03-18 Filip Pizlo <fpizlo@apple.com>
10909
10910 More FTL enabling.
10911
10912 Rubber stamped by Dan Bernstein and Mark Hahnenberg.
10913
10914 * Configurations/FeatureDefines.xcconfig:
10915 * ftl/FTLCompile.cpp:
10916 (JSC::FTL::compile):
10917
109182014-03-17 Michael Saboff <msaboff@apple.com>
10919
10920 V8 regexp spends most of its time in operationGetById
10921 https://bugs.webkit.org/show_bug.cgi?id=130380
10922
10923 Reviewed by Filip Pizlo.
10924
10925 Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
10926 When V8 regexp is run from the command line, this nets a 2% performance improvement.
10927 When the test is run for a longer amount of time, there is much less benefit as the
10928 DFG will emit the appropriate code for String.length. This does remove
10929 operationGetById as the hottest function when run from the command line.
10930
10931 * jit/Repatch.cpp:
10932 (JSC::tryCacheGetByID):
10933
109342014-03-17 Andreas Kling <akling@apple.com>
10935
10936 Add one-deep cache to opaque roots hashset.
10937 <https://webkit.org/b/130357>
10938
10939 The vast majority of WebCore JS wrappers will have their Document*
10940 as the root(). This change adds a simple optimization where we cache
10941 the last lookup and avoid going to the hashset for repeated queries.
10942
10943 Looks like 0.4% progression on DYEB on my MBP.
10944
10945 Reviewed by Mark Hahnenberg.
10946
10947 * JavaScriptCore.xcodeproj/project.pbxproj:
10948 * heap/OpaqueRootSet.h: Added.
10949 (JSC::OpaqueRootSet::OpaqueRootSet):
10950 (JSC::OpaqueRootSet::contains):
10951 (JSC::OpaqueRootSet::isEmpty):
10952 (JSC::OpaqueRootSet::clear):
10953 (JSC::OpaqueRootSet::add):
10954 (JSC::OpaqueRootSet::size):
10955 (JSC::OpaqueRootSet::begin):
10956 (JSC::OpaqueRootSet::end):
10957 * heap/SlotVisitor.h:
10958
109592014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
10960
10961 Implement Math.hypot
10962 https://bugs.webkit.org/show_bug.cgi?id=129486
10963
10964 Reviewed by Darin Adler.
10965
10966 * runtime/MathObject.cpp:
10967 (JSC::MathObject::finishCreation):
10968 (JSC::mathProtoFuncHypot):
10969
109702014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>
10971
10972 Fix the !ENABLE(PROMISES) build
10973 https://bugs.webkit.org/show_bug.cgi?id=130328
10974
10975 Reviewed by Darin Adler.
10976
10977 Add missing ENABLE(PROMISES) guards.
10978
10979 * runtime/JSGlobalObject.cpp:
10980 (JSC::JSGlobalObject::reset):
10981 (JSC::JSGlobalObject::visitChildren):
10982 * runtime/JSGlobalObject.h:
10983 * runtime/JSPromiseDeferred.cpp:
10984 * runtime/JSPromiseDeferred.h:
10985 * runtime/JSPromiseReaction.cpp:
10986 * runtime/JSPromiseReaction.h:
10987 * runtime/VM.cpp:
10988 (JSC::VM::VM):
10989 * runtime/VM.h:
10990
109912014-03-16 Andreas Kling <akling@apple.com>
10992
10993 REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
10994 <https://webkit.org/b/130304>
10995
10996 Reviewed by Anders Carlsson.
10997
10998 Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
10999 that doesn't put a potentially unwanted string into the Identifier table.
11000
11001 * API/OpaqueJSString.cpp:
11002 (OpaqueJSString::identifier):
11003
110042014-03-16 Brian Burg <bburg@apple.com>
11005
11006 Web Inspector: generated backend commands should reflect build system ENABLE settings
11007 https://bugs.webkit.org/show_bug.cgi?id=130111
11008
11009 Reviewed by Timothy Hatcher.
11010
11011 * CMakeLists.txt:
11012
11013 Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
11014 instead of globbing any .json file.
11015
11016 * DerivedSources.make:
11017
11018 Force the combined inspector protocol file to be regenerated if
11019 the content or list of domains itself changes.
11020
110212014-03-16 Brian Burg <bburg@apple.com>
11022
11023 Web Inspector: vended backend commands file should be generated as part of the build
11024 https://bugs.webkit.org/show_bug.cgi?id=130110
11025
11026 Reviewed by Timothy Hatcher.
11027
11028 * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
11029 private headers directory.
11030
110312014-03-16 Darin Adler <darin@apple.com>
11032
11033 Remove all uses of deprecatedCharacters from JavaScriptCore
11034 https://bugs.webkit.org/show_bug.cgi?id=130304
11035
11036 Reviewed by Anders Carlsson.
11037
11038 * API/JSValueRef.cpp:
11039 (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
11040 * API/OpaqueJSString.cpp:
11041 (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
11042 (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
11043 just use the standard one that takes a String.
11044 (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
11045 hand-written alternative.
11046
11047 * bindings/ScriptValue.cpp:
11048 (Deprecated::jsToInspectorValue): Create InspectorString from String directly
11049 instead of involving a character pointer. Use the String from Identifier
11050 directly instead of making a new String.
11051
11052 * inspector/ContentSearchUtilities.cpp:
11053 (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
11054 instead of building a String a character at a time. This is still a very slow
11055 way to do this. Also use strchr to search for a character instead of building
11056 a String every time just to use find on it.
11057
11058 * inspector/InspectorValues.cpp:
11059 (Inspector::doubleQuoteString): Remove unnecessary trip through a
11060 character pointer. This is still a really slow way to do this.
11061 (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
11062 instead of String::deprecatedCharacters. Still slow to always upconvert.
11063
11064 * runtime/DateConstructor.cpp: Removed unneeded include.
11065 * runtime/DatePrototype.cpp: Ditto.
11066
11067 * runtime/Identifier.h: Removed deprecatedCharacters function.
11068
11069 * runtime/JSGlobalObjectFunctions.cpp:
11070 (JSC::encode): Added a type cast to avoid ambiguity with the two character-
11071 appending functions from JSStringBuilder. Removed unneeded code duplicating
11072 what JSStringBuilder already does in its character append function.
11073 (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
11074 (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
11075 is used outside this file have external linkage. Added a new overload that takes
11076 a StringView.
11077 (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
11078 (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
11079 single character.
11080
11081 * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
11082
11083 * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
11084 (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
11085 Made one overload private. Fixed a performance bug where we would reserve capacity
11086 in the 8-bit buffer but then append to the 16-bit buffer.
11087
11088 * runtime/ObjectPrototype.cpp: Removed unneeded include.
11089
11090 * runtime/StringPrototype.cpp:
11091 (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
11092 (JSC::stringProtoFuncLink): Ditto.
11093
110942014-03-15 Filip Pizlo <fpizlo@apple.com>
11095
11096 FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
11097 https://bugs.webkit.org/show_bug.cgi?id=130296
11098
11099 Reviewed by Andreas Kling.
11100
11101 During the 32-bit structure ID work, the second load of the structure was removed.
11102 That's wrong. The whole point of loading the structure ID again is that the structure
11103 ID would have been changed by the arrayification call, and we're verifying that the
11104 arrayification succeeded in changing the structure. If we check the old structure - as
11105 the code was doing after the 32-bit structure ID work - then this check is guaranteed
11106 to fail, causing a significant performance regression.
11107
11108 It's actually amazing that the regression wasn't bigger. The reason is that if FTL
11109 code pathologically exits but the equivalent DFG code doesn't, then the exponential
11110 backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
11111 the time at least, the DFG wasn't much slower so this didn't cause too much pain.
11112
11113 * ftl/FTLLowerDFGToLLVM.cpp:
11114 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
11115
111162014-03-15 Filip Pizlo <fpizlo@apple.com>
11117
11118 FTL should support CheckHasInstance/InstanceOf
11119 https://bugs.webkit.org/show_bug.cgi?id=130285
11120
11121 Reviewed by Sam Weinig.
11122
11123 Fairly straightforward; I also discovered an inaccurate FIXME in the process.
11124
11125 * dfg/DFGFixupPhase.cpp:
11126 (JSC::DFG::FixupPhase::fixupNode):
11127 * ftl/FTLAbstractHeapRepository.h:
11128 * ftl/FTLCapabilities.cpp:
11129 (JSC::FTL::canCompile):
11130 * ftl/FTLLowerDFGToLLVM.cpp:
11131 (JSC::FTL::LowerDFGToLLVM::compileNode):
11132 (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
11133 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
11134 * ftl/FTLOutput.h:
11135 (JSC::FTL::Output::phi):
11136 * tests/stress/instanceof.js: Added.
11137 * tests/stress/instanceof-not-cell.js: Added.
11138
111392014-03-15 Michael Saboff <msaboff@apple.com>
11140
11141 It should be possible to adjust DFG and FTL compiler thread priorities
11142 https://bugs.webkit.org/show_bug.cgi?id=130288
11143
11144 Reviewed by Filip Pizlo.
11145
11146 Added ability to change thread priorities relative to their current priority.
11147 Created options to adjust the priority of the DFG and FTL compilation work thread
11148 pools. For two-core systems, there might be three runnable threads, the main thread,
11149 the DFG compilation thread and the FTL compilation thread. With the same priority,
11150 the scheduler is free to schedule whatever thread it wants. By lowering the
11151 compilation threads, the main thread can run. Further tests may suggest better values
11152 for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
11153
11154 For a two-core device, this change has a net positive improvement of 1-3% across
11155 SunSpider, Octane, Kraken and AsmBench.
11156
11157 * dfg/DFGWorklist.cpp:
11158 (JSC::DFG::Worklist::finishCreation):
11159 (JSC::DFG::Worklist::create):
11160 (JSC::DFG::ensureGlobalDFGWorklist):
11161 (JSC::DFG::ensureGlobalFTLWorklist):
11162 * dfg/DFGWorklist.h:
11163 * runtime/Options.cpp:
11164 (JSC::computePriorityDeltaOfWorkerThreads):
11165 * runtime/Options.h:
11166
111672014-03-15 David Kilzer <ddkilzer@apple.com>
11168
11169 [iOS] Define SYSTEM_VERSION_PREFIX consistently
11170 <http://webkit.org/b/130293>
11171 <rdar://problem/15926359>
11172
11173 Reviewed by Dan Bernstein.
11174
11175 * Configurations/Version.xcconfig:
11176 (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
11177 Source/WebKit/mac/Version.xcconfig.
11178
111792014-03-15 David Kilzer <ddkilzer@apple.com>
11180
11181 Fix build: using integer absolute value function 'abs' when argument is of floating point type
11182 <http://webkit.org/b/130286>
11183
11184 Reviewed by Filip Pizlo.
11185
11186 Fixes the following build failure using trunk clang:
11187
11188 JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
11189 value = abs(value);
11190 ^
11191 JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
11192 value = abs(value);
11193 ^~~
11194 fabs
11195
11196 * assembler/MacroAssembler.h:
11197 (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
11198 fabs().
11199
112002014-03-14 Oliver Hunt <oliver@apple.com>
11201
11202 Reinstate initialiser syntax in for-in loops
11203 https://bugs.webkit.org/show_bug.cgi?id=130269
11204
11205 Reviewed by Michael Saboff.
11206
11207 Disallowing the initialiser broke some sites so this patch re-allows
11208 the syntax. We still disallow the syntax in 'of' and pattern based
11209 enumeration.
11210
11211 * parser/ASTBuilder.h:
11212 (JSC::ASTBuilder::isBindingNode):
11213 * parser/Parser.cpp:
11214 (JSC::Parser<LexerType>::parseVarDeclarationList):
11215 (JSC::Parser<LexerType>::parseForStatement):
11216 * parser/SyntaxChecker.h:
11217 (JSC::SyntaxChecker::operatorStackPop):
11218
112192014-03-14 Mark Lam <mark.lam@apple.com>
11220
11221 Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
11222 <https://webkit.org/b/130279>
11223
11224 Reviewed by Filip Pizlo.
11225
11226 If neither the getter nor setter is defined, accessing __lookupGetter__
11227 and __lookupSetter__ will return undefined as expected. However, if the
11228 getter is defined but the setter is not, accessing __lookupSetter__ will
11229 crash the VM. Similarly, accessing __lookupGetter__ when only the setter
11230 is defined will crash the VM.
11231
11232 The reason is that objectProtoFuncLookupGetter() and
11233 objectProtoFuncLookupSetter() did not check if the getter and setter
11234 value is non-null before returning it as an EncodedJSValue. The fix is
11235 to add the appropriate null checks.
11236
11237 * runtime/ObjectPrototype.cpp:
11238 (JSC::objectProtoFuncLookupGetter):
11239 (JSC::objectProtoFuncLookupSetter):
11240
112412014-03-14 Mark Rowe <mrowe@apple.com>
11242
11243 Fix the production build.
11244
11245 Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
11246 be at the expected relative path when working from installed source.
11247
11248 * Configurations/Base.xcconfig:
11249
112502014-03-14 Maciej Stachowiak <mjs@apple.com>
11251
11252 Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
11253 https://bugs.webkit.org/show_bug.cgi?id=130276
11254 <rdar://problem/16266927>
11255
11256 Reviewed by Simon Fraser.
11257
11258 * API/APICast.h:
11259 * API/JSBase.cpp:
11260 * API/JSBase.h:
11261 * API/JSBasePrivate.h:
11262 * API/JSCallbackConstructor.cpp:
11263 * API/JSCallbackConstructor.h:
11264 * API/JSCallbackFunction.cpp:
11265 * API/JSCallbackFunction.h:
11266 * API/JSCallbackObject.cpp:
11267 * API/JSCallbackObject.h:
11268 * API/JSCallbackObjectFunctions.h:
11269 * API/JSClassRef.cpp:
11270 * API/JSClassRef.h:
11271 * API/JSContextRef.cpp:
11272 * API/JSContextRef.h:
11273 * API/JSContextRefPrivate.h:
11274 * API/JSObjectRef.cpp:
11275 * API/JSObjectRef.h:
11276 * API/JSProfilerPrivate.cpp:
11277 * API/JSProfilerPrivate.h:
11278 * API/JSRetainPtr.h:
11279 * API/JSStringRef.cpp:
11280 * API/JSStringRef.h:
11281 * API/JSStringRefBSTR.cpp:
11282 * API/JSStringRefBSTR.h:
11283 * API/JSStringRefCF.cpp:
11284 * API/JSStringRefCF.h:
11285 * API/JSValueRef.cpp:
11286 * API/JSValueRef.h:
11287 * API/JavaScript.h:
11288 * API/JavaScriptCore.h:
11289 * API/OpaqueJSString.cpp:
11290 * API/OpaqueJSString.h:
11291 * API/tests/JSNode.c:
11292 * API/tests/JSNode.h:
11293 * API/tests/JSNodeList.c:
11294 * API/tests/JSNodeList.h:
11295 * API/tests/Node.c:
11296 * API/tests/Node.h:
11297 * API/tests/NodeList.c:
11298 * API/tests/NodeList.h:
11299 * API/tests/minidom.c:
11300 * API/tests/minidom.js:
11301 * API/tests/testapi.c:
11302 * API/tests/testapi.js:
11303 * DerivedSources.make:
11304 * bindings/ScriptValue.cpp:
11305 * bytecode/CodeBlock.cpp:
11306 * bytecode/CodeBlock.h:
11307 * bytecode/EvalCodeCache.h:
11308 * bytecode/Instruction.h:
11309 * bytecode/JumpTable.cpp:
11310 * bytecode/JumpTable.h:
11311 * bytecode/Opcode.cpp:
11312 * bytecode/Opcode.h:
11313 * bytecode/SamplingTool.cpp:
11314 * bytecode/SamplingTool.h:
11315 * bytecode/SpeculatedType.cpp:
11316 * bytecode/SpeculatedType.h:
11317 * bytecode/ValueProfile.h:
11318 * bytecompiler/BytecodeGenerator.cpp:
11319 * bytecompiler/BytecodeGenerator.h:
11320 * bytecompiler/Label.h:
11321 * bytecompiler/LabelScope.h:
11322 * bytecompiler/RegisterID.h:
11323 * debugger/DebuggerCallFrame.cpp:
11324 * debugger/DebuggerCallFrame.h:
11325 * dfg/DFGDesiredStructureChains.cpp:
11326 * dfg/DFGDesiredStructureChains.h:
11327 * heap/GCActivityCallback.cpp:
11328 * heap/GCActivityCallback.h:
11329 * inspector/ConsoleMessage.cpp:
11330 * inspector/ConsoleMessage.h:
11331 * inspector/IdentifiersFactory.cpp:
11332 * inspector/IdentifiersFactory.h:
11333 * inspector/InjectedScriptManager.cpp:
11334 * inspector/InjectedScriptManager.h:
11335 * inspector/InjectedScriptSource.js:
11336 * inspector/ScriptBreakpoint.h:
11337 * inspector/ScriptDebugListener.h:
11338 * inspector/ScriptDebugServer.cpp:
11339 * inspector/ScriptDebugServer.h:
11340 * inspector/agents/InspectorAgent.cpp:
11341 * inspector/agents/InspectorAgent.h:
11342 * inspector/agents/InspectorDebuggerAgent.cpp:
11343 * inspector/agents/InspectorDebuggerAgent.h:
11344 * interpreter/Interpreter.cpp:
11345 * interpreter/Interpreter.h:
11346 * interpreter/JSStack.cpp:
11347 * interpreter/JSStack.h:
11348 * interpreter/Register.h:
11349 * jit/CompactJITCodeMap.h:
11350 * jit/JITStubs.cpp:
11351 * jit/JITStubs.h:
11352 * jit/JITStubsARM.h:
11353 * jit/JITStubsARMv7.h:
11354 * jit/JITStubsX86.h:
11355 * jit/JITStubsX86_64.h:
11356 * os-win32/stdbool.h:
11357 * parser/SourceCode.h:
11358 * parser/SourceProvider.h:
11359 * profiler/LegacyProfiler.cpp:
11360 * profiler/LegacyProfiler.h:
11361 * profiler/ProfileNode.cpp:
11362 * profiler/ProfileNode.h:
11363 * runtime/ArrayBufferView.cpp:
11364 * runtime/ArrayBufferView.h:
11365 * runtime/BatchedTransitionOptimizer.h:
11366 * runtime/CallData.h:
11367 * runtime/ConstructData.h:
11368 * runtime/DumpContext.cpp:
11369 * runtime/DumpContext.h:
11370 * runtime/ExceptionHelpers.cpp:
11371 * runtime/ExceptionHelpers.h:
11372 * runtime/InitializeThreading.cpp:
11373 * runtime/InitializeThreading.h:
11374 * runtime/IntegralTypedArrayBase.h:
11375 * runtime/IntendedStructureChain.cpp:
11376 * runtime/IntendedStructureChain.h:
11377 * runtime/JSActivation.cpp:
11378 * runtime/JSActivation.h:
11379 * runtime/JSExportMacros.h:
11380 * runtime/JSGlobalObject.cpp:
11381 * runtime/JSNotAnObject.cpp:
11382 * runtime/JSNotAnObject.h:
11383 * runtime/JSPropertyNameIterator.cpp:
11384 * runtime/JSPropertyNameIterator.h:
11385 * runtime/JSSegmentedVariableObject.cpp:
11386 * runtime/JSSegmentedVariableObject.h:
11387 * runtime/JSSymbolTableObject.cpp:
11388 * runtime/JSSymbolTableObject.h:
11389 * runtime/JSTypeInfo.h:
11390 * runtime/JSVariableObject.cpp:
11391 * runtime/JSVariableObject.h:
11392 * runtime/PropertyTable.cpp:
11393 * runtime/PutPropertySlot.h:
11394 * runtime/SamplingCounter.cpp:
11395 * runtime/SamplingCounter.h:
11396 * runtime/Structure.cpp:
11397 * runtime/Structure.h:
11398 * runtime/StructureChain.cpp:
11399 * runtime/StructureChain.h:
11400 * runtime/StructureInlines.h:
11401 * runtime/StructureTransitionTable.h:
11402 * runtime/SymbolTable.cpp:
11403 * runtime/SymbolTable.h:
11404 * runtime/TypedArrayBase.h:
11405 * runtime/TypedArrayType.cpp:
11406 * runtime/TypedArrayType.h:
11407 * runtime/VM.cpp:
11408 * runtime/VM.h:
11409 * yarr/RegularExpression.cpp:
11410 * yarr/RegularExpression.h:
11411
114122014-03-14 Filip Pizlo <fpizlo@apple.com>
11413
11414 Final FTL iOS build magic
11415 https://bugs.webkit.org/show_bug.cgi?id=130281
11416
11417 Reviewed by Michael Saboff.
11418
11419 * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
11420 * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
11421
114222014-03-14 Joseph Pecoraro <pecoraro@apple.com>
11423
11424 Web Inspector: Gracefully handle nil name -[JSContext setName:]
11425 https://bugs.webkit.org/show_bug.cgi?id=130262
11426
11427 Reviewed by Mark Hahnenberg.
11428
11429 * API/JSContext.mm:
11430 (-[JSContext setName:]):
11431 Gracefully handle nil input.
11432
11433 * API/tests/testapi.c:
11434 (globalContextNameTest):
11435 * API/tests/testapi.mm:
11436 Test for nil / NULL names in the ObjC and C APIs.
11437
114382014-03-11 Oliver Hunt <oliver@apple.com>
11439
11440 Improve dom error messages
11441 https://bugs.webkit.org/show_bug.cgi?id=130103
11442
11443 Reviewed by Andreas Kling.
11444
11445 Add new helper function.
11446
11447 * runtime/Error.h:
11448 (JSC::throwVMTypeError):
11449
114502014-03-14 László Langó <llango.u-szeged@partner.samsung.com>
11451
11452 Remove unused method declaration.
11453 https://bugs.webkit.org/show_bug.cgi?id=130238
11454
11455 Reviewed by Filip Pizlo.
11456
11457 The implementation of CallFrame::dumpCaller was removed in
11458 http://trac.webkit.org/changeset/153183, but the declaration of it was not.
11459
11460 * interpreter/CallFrame.h:
11461 Remove CallFrame::dumpCaller() method declaration.
11462
114632014-03-12 Sergio Villar Senin <svillar@igalia.com>
11464
11465 Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
11466 https://bugs.webkit.org/show_bug.cgi?id=129612
11467
11468 Reviewed by Darin Adler.
11469
11470 For new code use static NeverDestroyed<T> instead.
11471
11472 * API/JSAPIWrapperObject.mm:
11473 (jsAPIWrapperObjectHandleOwner):
11474 * API/JSManagedValue.mm:
11475 (managedValueHandleOwner):
11476 * inspector/agents/InspectorDebuggerAgent.cpp:
11477 (Inspector::objectGroupForBreakpointAction):
11478 * inspector/scripts/CodeGeneratorInspectorStrings.py:
11479 * interpreter/JSStack.cpp:
11480 (JSC::stackStatisticsMutex):
11481 * jit/ExecutableAllocator.cpp:
11482 (JSC::DemandExecutableAllocator::allocators):
11483
114842014-03-12 Gavin Barraclough <barraclough@apple.com>
11485
11486 Reduce memory use for static property maps
11487 https://bugs.webkit.org/show_bug.cgi?id=129986
11488
11489 Reviewed by Andreas Kling.
11490
11491 Static property tables are currently duplicated on first use from read-only memory into dirty memory
11492 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
11493 (we use a custom hash table without a rehash) a lot of memory may be wasted.
11494
11495 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
11496 from string hashes to indices into a densely packed array of values. Compute the index table at
11497 compile time as a part of the derived sources step, such that this may be read-only data.
11498
11499 Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
11500 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
11501 keys, which are Identifiers.
11502
11503 * create_hash_table:
11504 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
11505 * parser/Lexer.cpp:
11506 (JSC::Lexer<LChar>::parseIdentifier):
11507 (JSC::Lexer<UChar>::parseIdentifier):
11508 (JSC::Lexer<T>::parseIdentifierSlowCase):
11509 - HashEntry -> HashTableValue.
11510 * parser/Lexer.h:
11511 (JSC::Keywords::getKeyword):
11512 - HashEntry -> HashTableValue.
11513 * runtime/ClassInfo.h:
11514 - removed HashEntry.
11515 * runtime/JSObject.cpp:
11516 (JSC::getClassPropertyNames):
11517 - use HashTable::ConstIterator.
11518 (JSC::JSObject::put):
11519 (JSC::JSObject::deleteProperty):
11520 (JSC::JSObject::findPropertyHashEntry):
11521 - HashEntry -> HashTableValue.
11522 (JSC::JSObject::reifyStaticFunctionsForDelete):
11523 - changed HashTable::ConstIterator interface.
11524 * runtime/JSObject.h:
11525 - HashEntry -> HashTableValue.
11526 * runtime/Lookup.cpp:
11527 (JSC::HashTable::createTable):
11528 - table -> keys, keys array is now densely packed.
11529 (JSC::HashTable::deleteTable):
11530 - table -> keys.
11531 (JSC::setUpStaticFunctionSlot):
11532 - HashEntry -> HashTableValue.
11533 * runtime/Lookup.h:
11534 (JSC::HashTableValue::builtinGenerator):
11535 (JSC::HashTableValue::function):
11536 (JSC::HashTableValue::functionLength):
11537 (JSC::HashTableValue::propertyGetter):
11538 (JSC::HashTableValue::propertyPutter):
11539 (JSC::HashTableValue::lexerValue):
11540 - added accessor methods from HashEntry.
11541 (JSC::HashTable::copy):
11542 - fields changed.
11543 (JSC::HashTable::initializeIfNeeded):
11544 - table -> keys.
11545 (JSC::HashTable::entry):
11546 - HashEntry -> HashTableValue.
11547 (JSC::HashTable::ConstIterator::ConstIterator):
11548 - iterate packed value array, so no need to skipInvalidKeys().
11549 (JSC::HashTable::ConstIterator::value):
11550 (JSC::HashTable::ConstIterator::key):
11551 (JSC::HashTable::ConstIterator::operator->):
11552 - accessors now get HashTableValue/StringImpl* separately.
11553 (JSC::HashTable::ConstIterator::operator++):
11554 - iterate packed value array, so no need to skipInvalidKeys().
11555 (JSC::HashTable::end):
11556 - end is now size of dense not sparse array.
11557 (JSC::getStaticPropertySlot):
11558 (JSC::getStaticFunctionSlot):
11559 (JSC::getStaticValueSlot):
11560 (JSC::putEntry):
11561 (JSC::lookupPut):
11562 - HashEntry -> HashTableValue.
11563
115642014-03-13 Filip Pizlo <fpizlo@apple.com>
11565
11566 Unreviewed, fix Mac no-FTL build.
11567
11568 * llvm/library/LLVMExports.cpp:
11569 (initializeAndGetJSCLLVMAPI):
11570
115712014-03-13 Juergen Ributzka <juergen@apple.com>
11572
11573 Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
11574 https://bugs.webkit.org/show_bug.cgi?id=130224
11575
11576 Reviewed by Filip Pizlo.
11577
11578 This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
11579 the LLVM dylib. This allows the dylib to be safely used with other LLVM
11580 dylibs on the same system. It also reduces the dynamic linking overhead
11581 and also reduces the size by 6MB, because the linker can now dead strip
11582 many unused functions.
11583
11584 * Configurations/LLVMForJSC.xcconfig:
11585
115862014-03-13 Andreas Kling <akling@apple.com>
11587
11588 VM::discardAllCode() should clear the RegExp cache.
11589 <https://webkit.org/b/130144>
11590
11591 Reviewed by Michael Saboff.
11592
11593 * runtime/VM.cpp:
11594 (JSC::VM::discardAllCode):
11595
115962014-03-13 Andreas Kling <akling@apple.com>
11597
11598 Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
11599 <https://webkit.org/b/129995>
11600
11601 This code path is not taken anymore on DYEB, and I can't explain why
11602 it was showing up in my profiles. Backing it out per JoePeck's suggestion.
11603
11604 * inspector/JSGlobalObjectInspectorController.cpp:
11605 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
11606
116072014-03-13 Filip Pizlo <fpizlo@apple.com>
11608
11609 FTL should support IsBlah
11610 https://bugs.webkit.org/show_bug.cgi?id=130202
11611
11612 Reviewed by Geoffrey Garen.
11613
11614 * ftl/FTLCapabilities.cpp:
11615 (JSC::FTL::canCompile):
11616 * ftl/FTLIntrinsicRepository.h:
11617 * ftl/FTLLowerDFGToLLVM.cpp:
11618 (JSC::FTL::LowerDFGToLLVM::compileNode):
11619 (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
11620 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
11621 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
11622 (JSC::FTL::LowerDFGToLLVM::compileIsString):
11623 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
11624 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
11625 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
11626 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
11627 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
11628 (JSC::FTL::LowerDFGToLLVM::isNumber):
11629 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
11630 (JSC::FTL::LowerDFGToLLVM::isBoolean):
11631 * ftl/FTLOSRExitCompiler.cpp:
11632 * tests/stress/is-undefined-exit-on-masquerader.js: Added.
11633 (bar):
11634 (foo):
11635 (test):
11636 * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
11637 (foo):
11638 (test):
11639 * tests/stress/is-undefined-masquerader.js: Added.
11640 (foo):
11641 (test):
11642
116432014-03-13 Mark Lam <mark.lam@apple.com>
11644
11645 JS benchmarks crash with a bus error on 32-bit x86.
11646 <https://webkit.org/b/130203>
11647
11648 Reviewed by Geoffrey Garen.
11649
11650 The issue is that generateGetByIdStub() can potentially use the same register
11651 for the JSValue base register and the target tag register. After loading the
11652 tag value into the target tag register, the JSValue base address is lost.
11653 The code then proceeds to load the payload value using the base register, and
11654 this results in a crash.
11655
11656 The fix is to check if the base register is the same as the target tag register.
11657 If so, we should make a copy of the base register first before loading the tag
11658 value, and use the copy to load the payload value instead.
11659
11660 * jit/Repatch.cpp:
11661 (JSC::generateGetByIdStub):
11662
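The register aliasing this entry describes, as an added C++ model that is not JSC's MacroAssembler
or generateGetByIdStub: a toy machine with eight registers and a word-addressed memory, a "JSValue"
stored as payload word followed by tag word, and the two load sequences side by side. The register
numbers, the tag value 0xFFFFFFFF and the alignment check that stands in for the bus error are all
constructed for this example.

```cpp
#include <array>
#include <cstdint>
#include <stdexcept>

// Minimal model of the 32-bit JSValue layout the 32_64 JIT loads in two
// halves: payload word at +0, tag word at +4. The machine, the register
// numbers and the tag value are constructed for this example.
enum : uint32_t { PayloadOffset = 0, TagOffset = 4 };

struct Machine {
    std::array<uint32_t, 8> gpr {};
    std::array<uint32_t, 16> memory {}; // 64 bytes, word addressed

    uint32_t load32(uint32_t byteAddress) const {
        // An unaligned or wild address is the model's "bus error".
        if (byteAddress % 4 || byteAddress / 4 >= memory.size())
            throw std::runtime_error("unaligned or out-of-range load");
        return memory[byteAddress / 4];
    }
};

// Pre-fix sequence: tag first, then payload through the same base register.
// If tagReg == baseReg the first load destroys the address the second needs.
void loadValueUnchecked(Machine& m, unsigned baseReg, unsigned tagReg, unsigned payloadReg) {
    m.gpr[tagReg] = m.load32(m.gpr[baseReg] + TagOffset);
    m.gpr[payloadReg] = m.load32(m.gpr[baseReg] + PayloadOffset);
}

// Fixed sequence: when base aliases the tag register, copy base to a scratch
// register first and address both loads through the copy.
void loadValueChecked(Machine& m, unsigned baseReg, unsigned tagReg, unsigned payloadReg, unsigned scratchReg) {
    unsigned addressReg = baseReg;
    if (baseReg == tagReg) {
        m.gpr[scratchReg] = m.gpr[baseReg];
        addressReg = scratchReg;
    }
    m.gpr[tagReg] = m.load32(m.gpr[addressReg] + TagOffset);
    m.gpr[payloadReg] = m.load32(m.gpr[addressReg] + PayloadOffset);
}

// A value at byte address 16: payload 0x1234, tag 0xFFFFFFFF (constructed).
// Register r2 holds the value's address, i.e. the JSValue base register.
Machine makeMachine() {
    Machine m;
    m.memory[16 / 4] = 0x1234;
    m.memory[20 / 4] = 0xFFFFFFFFu;
    m.gpr[2] = 16;
    return m;
}

// Base and tag both allocated to r2, payload to r3. Returns the payload read,
// or -1 if the load faulted: the tag load overwrites r2 with 0xFFFFFFFF and
// the payload load then dereferences that.
long long payloadUnchecked() {
    Machine m = makeMachine();
    try {
        loadValueUnchecked(m, 2, 2, 3);
    } catch (const std::runtime_error&) {
        return -1;
    }
    return m.gpr[3];
}

// Same allocation with the fix, r4 as scratch: the payload comes back intact.
long long payloadChecked() {
    Machine m = makeMachine();
    loadValueChecked(m, 2, 2, 3, 4);
    return m.gpr[3];
}

// Without aliasing (tag in r5) the unchecked sequence was always fine, which
// is why the bug only surfaced on a register-starved target like 32-bit x86.
long long payloadUncheckedNoAlias() {
    Machine m = makeMachine();
    loadValueUnchecked(m, 2, 5, 3);
    return m.gpr[3];
}
```

The check in loadValueChecked is the whole fix: it costs one register move only on the aliased
allocation and nothing otherwise, and it keeps the address live until both halves are loaded.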
116632014-03-12 Filip Pizlo <fpizlo@apple.com>
11664
11665 WebKit shouldn't crash on uniprocessor machines
11666 https://bugs.webkit.org/show_bug.cgi?id=130176
11667
11668 Reviewed by Michael Saboff.
11669
11670 Previously the math for computing the number of JIT compiler threads would come up with
11671 zero threads on uniprocessor machines, and then the Worklist code would assert.
11672
11673 * runtime/Options.cpp:
11674 (JSC::computeNumberOfWorkerThreads):
11675 * runtime/Options.h:
11676
116772014-03-13 Radu Stavila <stavila@adobe.com>
11678
11679 Webkit not building on XCode 5.1 due to garbage collection no longer being supported
11680 https://bugs.webkit.org/show_bug.cgi?id=130087
11681
11682 Reviewed by Mark Rowe.
11683
11684 Disable garbage collection on macosx when not using internal SDK.
11685
11686 * Configurations/Base.xcconfig:
11687
116882014-03-10 Darin Adler <darin@apple.com>
11689
11690 Avoid copy-prone idiom "for (auto item : collection)"
11691 https://bugs.webkit.org/show_bug.cgi?id=129990
11692
11693 Reviewed by Geoffrey Garen.
11694
11695 * heap/CodeBlockSet.h:
11696 (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
11697 * inspector/ScriptDebugServer.cpp:
11698 (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
11699 make explicit that we are iterating through pointers.
11700 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
11701 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
11702 * inspector/agents/InspectorDebuggerAgent.cpp:
11703 (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
11704 get rid of an unneeded local variable.
11705
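The copy the entry warns about, as an added C++ example that is not WebKit code: a type that counts
its own copies shows that "for (auto item : v)" copies every element while "auto&" does not, and
that a by-value loop silently drops writes meant for the container. Tracked, makeSample and the
counting functions are constructed for this example.

```cpp
#include <cstddef>
#include <vector>

// Constructed type that records how many times it is copied, so a loop's
// hidden copies become observable.
struct Tracked {
    static std::size_t copies;
    int id;
    explicit Tracked(int i) : id(i) { }
    Tracked(const Tracked& other) : id(other.id) { ++copies; }
    Tracked& operator=(const Tracked&) = default;
};
std::size_t Tracked::copies = 0;

// Three elements constructed in place; reserve() avoids reallocation copies.
std::vector<Tracked> makeSample() {
    std::vector<Tracked> v;
    v.reserve(3);
    for (int i = 1; i <= 3; ++i)
        v.emplace_back(i);
    return v;
}

// "for (auto item : v)" copy-constructs a fresh Tracked per iteration.
std::size_t copiesByValue() {
    std::vector<Tracked> v = makeSample();
    Tracked::copies = 0;
    for (auto item : v)
        (void)item.id;
    return Tracked::copies; // 3
}

// "for (auto& item : v)" binds a reference; no element is copied.
std::size_t copiesByReference() {
    std::vector<Tracked> v = makeSample();
    Tracked::copies = 0;
    for (auto& item : v)
        (void)item.id;
    return Tracked::copies; // 0
}

// The correctness hazard: writes through a by-value loop land on the copy,
// so the container is unchanged and nothing warns about it.
int sumAfterBumpByValue() {
    std::vector<Tracked> v = makeSample();
    for (auto item : v)
        ++item.id;
    int sum = 0;
    for (const auto& item : v)
        sum += item.id;
    return sum; // 1 + 2 + 3 = 6
}

int sumAfterBumpByReference() {
    std::vector<Tracked> v = makeSample();
    for (auto& item : v)
        ++item.id;
    int sum = 0;
    for (const auto& item : v)
        sum += item.id;
    return sum; // 2 + 3 + 4 = 9
}

// For a container of pointers, "auto*" states that pointers are being
// iterated and stops compiling if the element type ever stops being one.
std::size_t countLive(const std::vector<Tracked*>& pointers) {
    std::size_t live = 0;
    for (auto* p : pointers)
        if (p)
            ++live;
    return live;
}
```

A 48-byte entry copied on every iteration is the performance side; the dropped write in
sumAfterBumpByValue is the correctness side, and it is the one a reviewer is more likely to miss.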
117062014-03-13 Brian Burg <bburg@apple.com>
11707
11708 Web Inspector: Remove unused callId parameter from evaluateInWebInspector
11709 https://bugs.webkit.org/show_bug.cgi?id=129744
11710
11711 Reviewed by Timothy Hatcher.
11712
11713 * inspector/agents/InspectorAgent.cpp:
11714 (Inspector::InspectorAgent::enable):
11715 (Inspector::InspectorAgent::evaluateForTestInFrontend):
11716 * inspector/agents/InspectorAgent.h:
11717 * inspector/protocol/InspectorDomain.json:
11718
117192014-03-11 Filip Pizlo <fpizlo@apple.com>
11720
11721 ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
11722 https://bugs.webkit.org/show_bug.cgi?id=130069
11723
11724 Reviewed by Geoffrey Garen.
11725
11726 This was a great assertion, and it represents our strictest interpretation of the rules of
11727 our intermediate representation. However, fixing DCE to actually preserve the relevant
11728 property would be hard, and it wouldn't have an observable effect right now because nobody
11729 actually uses the property of CPS that this assertion is checking for.
11730
11731 In particular, we do always require, and rely on, the fact that non-captured variables
11732 have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
11733 block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
11734 PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
11735 broken in this regard. But, in the strictest sense, CPS also means that for captured
11736 variables, variablesAtTail also continues to point to the last relevant use of the
11737 variable. In particular, if there are multiple GetLocals, then it should point to the last
11738 one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
11739 variables, except to check the VariableAccessData; but in that case, we don't really need
11740 the *last* relevant use of the variable - any node that mentions the same variable will do
11741 just fine.
11742
11743 So, this change loosens the assertion and adds a detailed FIXME describing what we would
11744 have to do if we wanted to preserve the more strict property.
11745
11746 This also makes changes to various debug printing paths so that validation doesn't crash
11747 during graph dump. This also adds tests for the interesting cases of DCE failing to
11748 preserve CPS in the strictest sense. This also attempts to win the record for longest test
11749 name.
11750
11751 * bytecode/CodeBlock.cpp:
11752 (JSC::CodeBlock::hashAsStringIfPossible):
11753 (JSC::CodeBlock::dumpAssumingJITType):
11754 * bytecode/CodeBlock.h:
11755 * bytecode/CodeOrigin.cpp:
11756 (JSC::InlineCallFrame::hashAsStringIfPossible):
11757 (JSC::InlineCallFrame::dumpBriefFunctionInformation):
11758 * bytecode/CodeOrigin.h:
11759 * dfg/DFGCPSRethreadingPhase.cpp:
11760 (JSC::DFG::CPSRethreadingPhase::run):
11761 * dfg/DFGDCEPhase.cpp:
11762 (JSC::DFG::DCEPhase::cleanVariables):
11763 * dfg/DFGInPlaceAbstractState.cpp:
11764 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
11765 * runtime/FunctionExecutableDump.cpp:
11766 (JSC::FunctionExecutableDump::dump):
11767 * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
11768 (foo):
11769 * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
11770 (foo):
11771
117722014-03-12 Brian Burg <bburg@apple.com>
11773
11774 Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
11775 https://bugs.webkit.org/show_bug.cgi?id=129445
11776
11777 Reviewed by Timothy Hatcher.
11778
11779 There was a bug in the replay inputs code generator that would include
11780 headers for definitions of enum classes, even though they can be safely
11781 forward-declared.
11782
11783 * replay/scripts/CodeGeneratorReplayInputs.py:
11784 (Generator.generate_includes): Only include for copy constructor if the
11785 type is a heavy scalar (i.e., String, URL), not a normal scalar
11786 (i.e., int, double, enum classes).
11787
11788 (Generator.generate_type_forward_declarations): Forward-declare scalars
11789 that are enums or enum classes.
11790
117912014-03-12 Joseph Pecoraro <pecoraro@apple.com>
11792
11793 Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
11794 https://bugs.webkit.org/show_bug.cgi?id=130118
11795
11796 Reviewed by Timothy Hatcher.
11797
11798 * Configurations/FeatureDefines.xcconfig:
11799
118002014-03-12 Joseph Pecoraro <pecoraro@apple.com>
11801
11802 Web Inspector: Hang in Remote Inspection triggering breakpoint from console
11803 https://bugs.webkit.org/show_bug.cgi?id=130032
11804
11805 Reviewed by Timothy Hatcher.
11806
11807 * inspector/EventLoop.h:
11808 * inspector/EventLoop.cpp:
11809 (Inspector::EventLoop::remoteInspectorRunLoopMode):
11810 (Inspector::EventLoop::cycle):
11811 Expose the run loop mode name so it can be used if needed by others.
11812
11813 * inspector/remote/RemoteInspectorDebuggableConnection.h:
11814 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
11815 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
11816 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
11817 (Inspector::RemoteInspectorBlock::operator=):
11818 (Inspector::RemoteInspectorBlock::operator()):
11819 (Inspector::RemoteInspectorQueueTask):
11820 Instead of a dispatch_queue, have our own static Vector of debugger tasks.
11821
11822 (Inspector::RemoteInspectorHandleRunSource):
11823 (Inspector::RemoteInspectorInitializeQueue):
11824 Initialize the static queue and run loop source. When the run loop source
11825 fires, it will exhaust the queue of debugger messages.
11826
11827 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
11828 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
11829 When we get a debuggable connection add a run loop source for inspector commands.
11830
11831 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
11832 (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
11833 Enqueue blocks on our Vector instead of our dispatch_queue.
11834
118352014-03-12 Commit Queue <commit-queue@webkit.org>
11836
11837 Unreviewed, rolling out r165482.
11838 https://bugs.webkit.org/show_bug.cgi?id=130157
11839
11840 Broke the windows build; "error C2466: cannot allocate an
11841 array of constant size 0" (Requested by jernoble on #webkit).
11842
11843 Reverted changeset:
11844
11845 "Reduce memory use for static property maps"
11846 https://bugs.webkit.org/show_bug.cgi?id=129986
11847 http://trac.webkit.org/changeset/165482
11848
118492014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
11850
11851 Remove HandleSet::m_nextToFinalize
11852 https://bugs.webkit.org/show_bug.cgi?id=130109
11853
11854 Reviewed by Mark Lam.
11855
11856 This is a remnant of when HandleSet contained things that needed to be finalized.
11857
11858 * heap/HandleSet.cpp:
11859 (JSC::HandleSet::HandleSet):
11860 (JSC::HandleSet::writeBarrier):
11861 * heap/HandleSet.h:
11862 (JSC::HandleSet::allocate):
11863 (JSC::HandleSet::deallocate):
11864
118652014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
11866
11867 Layout Test fast/workers/worker-gc.html is failing
11868 https://bugs.webkit.org/show_bug.cgi?id=130135
11869
11870 Reviewed by Geoffrey Garen.
11871
11872 When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
11873 main list of blocks, i.e. not in the retired list. When shutting down the VM this
11874 wasn't always the case which was causing ASSERTs to fire. We should rearrange things
11875 so that allocators are notified with lastChanceToFinalize. This will give them
11876 the chance to move their retired blocks back into the main list before removing them all.
11877
11878 * heap/MarkedAllocator.cpp:
11879 (JSC::LastChanceToFinalize::operator()):
11880 (JSC::MarkedAllocator::lastChanceToFinalize):
11881 * heap/MarkedAllocator.h:
11882 * heap/MarkedSpace.cpp:
11883 (JSC::LastChanceToFinalize::operator()):
11884 (JSC::MarkedSpace::lastChanceToFinalize):
11885
118862014-03-12 Gavin Barraclough <barraclough@apple.com>
11887
11888 Reduce memory use for static property maps
11889 https://bugs.webkit.org/show_bug.cgi?id=129986
11890
11891 Reviewed by Andreas Kling.
11892
11893 Static property tables are currently duplicated on first use from read-only memory into dirty memory
11894 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
11895 (we use a custom hash table without a rehash) a lot of memory may be wasted.
11896
11897 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
11898 from string hashes to indices into a densely packed array of values. Compute the index table at
11899 compile time as a part of the derived sources step, such that this may be read-only data.
11900
11901 Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
11902 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
11903 keys, which are Identifiers.
11904
11905 * create_hash_table:
11906 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
11907 * parser/Lexer.cpp:
11908 (JSC::Lexer<LChar>::parseIdentifier):
11909 (JSC::Lexer<UChar>::parseIdentifier):
11910 (JSC::Lexer<T>::parseIdentifierSlowCase):
11911 - HashEntry -> HashTableValue.
11912 * parser/Lexer.h:
11913 (JSC::Keywords::getKeyword):
11914 - HashEntry -> HashTableValue.
11915 * runtime/ClassInfo.h:
11916 - removed HashEntry.
11917 * runtime/JSObject.cpp:
11918 (JSC::getClassPropertyNames):
11919 - use HashTable::ConstIterator.
11920 (JSC::JSObject::put):
11921 (JSC::JSObject::deleteProperty):
11922 (JSC::JSObject::findPropertyHashEntry):
11923 - HashEntry -> HashTableValue.
11924 (JSC::JSObject::reifyStaticFunctionsForDelete):
11925 - changed HashTable::ConstIterator interface.
11926 * runtime/JSObject.h:
11927 - HashEntry -> HashTableValue.
11928 * runtime/Lookup.cpp:
11929 (JSC::HashTable::createTable):
11930 - table -> keys, keys array is now densely packed.
11931 (JSC::HashTable::deleteTable):
11932 - table -> keys.
11933 (JSC::setUpStaticFunctionSlot):
11934 - HashEntry -> HashTableValue.
11935 * runtime/Lookup.h:
11936 (JSC::HashTableValue::builtinGenerator):
11937 (JSC::HashTableValue::function):
11938 (JSC::HashTableValue::functionLength):
11939 (JSC::HashTableValue::propertyGetter):
11940 (JSC::HashTableValue::propertyPutter):
11941 (JSC::HashTableValue::lexerValue):
11942 - added accessor methods from HashEntry.
11943 (JSC::HashTable::copy):
11944 - fields changed.
11945 (JSC::HashTable::initializeIfNeeded):
11946 - table -> keys.
11947 (JSC::HashTable::entry):
11948 - HashEntry -> HashTableValue.
11949 (JSC::HashTable::ConstIterator::ConstIterator):
11950 - iterate packed value array, so no need to skipInvalidKeys().
11951 (JSC::HashTable::ConstIterator::value):
11952 (JSC::HashTable::ConstIterator::key):
11953 (JSC::HashTable::ConstIterator::operator->):
11954 - accessors now get HashTableValue/StringImpl* separately.
11955 (JSC::HashTable::ConstIterator::operator++):
11956 - iterate packed value array, so no need to skipInvalidKeys().
11957 (JSC::HashTable::end):
11958 - end is now size of dense not sparse array.
11959 (JSC::getStaticPropertySlot):
11960 (JSC::getStaticFunctionSlot):
11961 (JSC::getStaticValueSlot):
11962 (JSC::putEntry):
11963 (JSC::lookupPut):
11964 - HashEntry -> HashTableValue.
11965
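The read-only table layout this entry (and its re-landing above) describes, as an added C++ model
that is not JSC's runtime/Lookup.h or the output of create_hash_table: a dense array of
HashTableValue entries stays in read-only memory, and a generator step standing in for the
derived-sources build computes a sparse index that maps a string hash to a position in that array,
chaining collisions through overflow slots. The struct fields, the FNV-1a hash, the overflow-slot
chaining scheme and the four-entry sample table are assumptions made for this example.

```cpp
#include <cstring>
#include <vector>

// Stand-in for JSC's HashTableValue: a static property entry that can live
// entirely in read-only memory. The real struct carries function/getter
// pointers and attributes; the fields here are constructed.
struct HashTableValue {
    const char* key;      // property name, a string literal
    unsigned attributes;  // e.g. ReadOnly/DontEnum bits
    int functionLength;   // e.g. arity of a native function
};

// One slot of the sparse index: two small integers instead of a full
// entry per slot, which is where the memory saving comes from.
struct IndexEntry {
    int entry; // index into the dense values array, or -1 if the slot is empty
    int next;  // next slot in this chain, or -1 at the end of the chain
};

struct StaticHashTable {
    unsigned compactSize;           // number of "home" slots, a power of two
    std::vector<IndexEntry> index;  // home slots followed by overflow slots
    const HashTableValue* values;   // dense, never copied or modified
    unsigned valueCount;
};

// FNV-1a, used by both the generator and the runtime lookup. Any hash works
// as long as the same function runs in both places.
unsigned stringHash(const char* s) {
    unsigned h = 2166136261u;
    for (; *s; ++s) {
        h ^= static_cast<unsigned char>(*s);
        h *= 16777619u;
    }
    return h;
}

// The generator step: what a build script would emit into derived sources.
// compactSize == 0 picks a power of two that keeps the load factor <= 1/2.
StaticHashTable buildStaticHashTable(const HashTableValue* values, unsigned count, unsigned compactSize = 0) {
    if (!compactSize) {
        compactSize = 1;
        while (compactSize < count * 2)
            compactSize <<= 1;
    }
    StaticHashTable table { compactSize, std::vector<IndexEntry>(compactSize + count, IndexEntry { -1, -1 }), values, count };
    unsigned nextOverflow = compactSize; // overflow slots sit after the home slots
    for (unsigned i = 0; i < count; ++i) {
        unsigned slot = stringHash(values[i].key) & (compactSize - 1);
        if (table.index[slot].entry < 0) {
            table.index[slot].entry = static_cast<int>(i);
            continue;
        }
        while (table.index[slot].next >= 0) // collision: walk to the end of the chain
            slot = table.index[slot].next;
        table.index[slot].next = static_cast<int>(nextOverflow);
        table.index[nextOverflow].entry = static_cast<int>(i);
        ++nextOverflow;
    }
    return table;
}

// Runtime lookup: hash, follow the chain, compare keys, return a pointer into
// the read-only values array (nullptr if absent). Nothing is written.
const HashTableValue* lookup(const StaticHashTable& table, const char* key) {
    int slot = static_cast<int>(stringHash(key) & (table.compactSize - 1));
    for (; slot >= 0; slot = table.index[slot].next) {
        int entry = table.index[slot].entry;
        if (entry >= 0 && !std::strcmp(table.values[entry].key, key))
            return &table.values[entry];
    }
    return nullptr;
}

// Longest chain in the index: the quantity a generator watches so that
// chaining "does not get too deep".
unsigned longestChain(const StaticHashTable& table) {
    unsigned longest = 0;
    for (unsigned home = 0; home < table.compactSize; ++home) {
        unsigned length = 0;
        for (int slot = static_cast<int>(home); slot >= 0 && table.index[slot].entry >= 0; slot = table.index[slot].next)
            ++length;
        if (length > longest)
            longest = length;
    }
    return longest;
}

// Constructed sample: four entries, not a real JSC table.
static const HashTableValue kSampleValues[] = {
    { "abs", 0, 1 },
    { "max", 0, 2 },
    { "min", 0, 2 },
    { "PI", 0x4, 0 },
};
static const unsigned kSampleCount = sizeof(kSampleValues) / sizeof(kSampleValues[0]);
```

Passing compactSize = 1 forces every key into one chain, which exercises the overflow path; the
default sizing keeps chains short. Only the runtime keys (Identifiers in JSC) ever need heap
allocation; values and index are const data. Note that an empty value array yields a zero-length
overflow region, and emitted as a plain C array that is exactly what MSVC rejects with "cannot
allocate an array of constant size 0", the error quoted in the roll-out entry above; a std::vector,
as here, or a single padding slot avoids it.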
119662014-03-11 Filip Pizlo <fpizlo@apple.com>
11967
11968 It should be possible to build WebKit with FTL on iOS
11969 https://bugs.webkit.org/show_bug.cgi?id=130116
11970
11971 Reviewed by Dan Bernstein.
11972
11973 * Configurations/Base.xcconfig:
11974
119752014-03-10 Filip Pizlo <fpizlo@apple.com>
11976
11977 GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
11978 https://bugs.webkit.org/show_bug.cgi?id=129778
11979
11980 Reviewed by Geoffrey Garen.
11981
11982 Also deduplicate the GetById getter call caching. Also add some small tests for
11983 get stubs.
11984
11985 This change reduces the amount of code involved in GetById access caching and it
11986 creates data structures that can serve as an elegant scaffold for introducing other
11987 kinds of caches or improving current caching styles. It will definitely make getter
11988 performance improvements easier to implement.
11989
11990 * CMakeLists.txt:
11991 * GNUmakefile.list.am:
11992 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11993 * JavaScriptCore.xcodeproj/project.pbxproj:
11994 * bytecode/CodeBlock.cpp:
11995 (JSC::CodeBlock::printGetByIdCacheStatus):
11996 * bytecode/GetByIdStatus.cpp:
11997 (JSC::GetByIdStatus::computeForStubInfo):
11998 * bytecode/PolymorphicGetByIdList.cpp: Added.
11999 (JSC::GetByIdAccess::GetByIdAccess):
12000 (JSC::GetByIdAccess::~GetByIdAccess):
12001 (JSC::GetByIdAccess::fromStructureStubInfo):
12002 (JSC::GetByIdAccess::visitWeak):
12003 (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
12004 (JSC::PolymorphicGetByIdList::from):
12005 (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
12006 (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
12007 (JSC::PolymorphicGetByIdList::addAccess):
12008 (JSC::PolymorphicGetByIdList::isFull):
12009 (JSC::PolymorphicGetByIdList::isAlmostFull):
12010 (JSC::PolymorphicGetByIdList::didSelfPatching):
12011 (JSC::PolymorphicGetByIdList::visitWeak):
12012 * bytecode/PolymorphicGetByIdList.h: Added.
12013 (JSC::GetByIdAccess::GetByIdAccess):
12014 (JSC::GetByIdAccess::isSet):
12015 (JSC::GetByIdAccess::operator!):
12016 (JSC::GetByIdAccess::type):
12017 (JSC::GetByIdAccess::structure):
12018 (JSC::GetByIdAccess::chain):
12019 (JSC::GetByIdAccess::chainCount):
12020 (JSC::GetByIdAccess::stubRoutine):
12021 (JSC::GetByIdAccess::doesCalls):
12022 (JSC::PolymorphicGetByIdList::isEmpty):
12023 (JSC::PolymorphicGetByIdList::size):
12024 (JSC::PolymorphicGetByIdList::at):
12025 (JSC::PolymorphicGetByIdList::operator[]):
12026 * bytecode/StructureStubInfo.cpp:
12027 (JSC::StructureStubInfo::deref):
12028 (JSC::StructureStubInfo::visitWeakReferences):
12029 * bytecode/StructureStubInfo.h:
12030 (JSC::isGetByIdAccess):
12031 (JSC::StructureStubInfo::initGetByIdList):
12032 * jit/Repatch.cpp:
12033 (JSC::generateGetByIdStub):
12034 (JSC::tryCacheGetByID):
12035 (JSC::patchJumpToGetByIdStub):
12036 (JSC::tryBuildGetByIDList):
12037 (JSC::tryBuildPutByIdList):
12038 * tests/stress/getter.js: Added.
12039 (foo):
12040 (.o):
12041 * tests/stress/polymorphic-prototype-accesses.js: Added.
12042 (Foo):
12043 (Bar):
12044 (foo):
12045 * tests/stress/prototype-getter.js: Added.
12046 (Foo):
12047 (foo):
12048 * tests/stress/simple-prototype-accesses.js: Added.
12049 (Foo):
12050 (foo):
12051
120522014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>
12053
12054 MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
12055 https://bugs.webkit.org/show_bug.cgi?id=129920
12056
12057 Reviewed by Geoffrey Garen.
12058
12059 This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
12060 when the amount of free space in a MarkedBlock drops below a certain threshold.
12061 Retired blocks are not considered for sweeping.
12062
12063 This is profitable because it reduces churn during sweeping. To build a free list,
12064 we have to scan through each cell in a block. After a collection, all objects that
12065 are live in the block will remain live until the next FullCollection, at which time
12066 we un-retire all previously retired blocks. Thus, a small number of objects in a block
12067 that die during each EdenCollection could cause us to do a disproportionate amount of
12068 sweeping for how much free memory we get back.
12069
12070 This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
12071
12072 * heap/Heap.h:
12073 (JSC::Heap::didRetireBlockWithFreeListSize):
12074 * heap/MarkedAllocator.cpp:
12075 (JSC::MarkedAllocator::tryAllocateHelper):
12076 (JSC::MarkedAllocator::removeBlock):
12077 (JSC::MarkedAllocator::reset):
12078 * heap/MarkedAllocator.h:
12079 (JSC::MarkedAllocator::MarkedAllocator):
12080 (JSC::MarkedAllocator::forEachBlock):
12081 * heap/MarkedBlock.cpp:
12082 (JSC::MarkedBlock::sweepHelper):
12083 (JSC::MarkedBlock::clearMarksWithCollectionType):
12084 (JSC::MarkedBlock::didRetireBlock):
12085 * heap/MarkedBlock.h:
12086 (JSC::MarkedBlock::willRemoveBlock):
12087 (JSC::MarkedBlock::isLive):
12088 * heap/MarkedSpace.cpp:
12089 (JSC::MarkedSpace::clearNewlyAllocated):
12090 (JSC::MarkedSpace::clearMarks):
12091 * runtime/Options.h:
12092
120932014-03-11 Andreas Kling <akling@apple.com>
12094
12095 Streamline PropertyTable for lookup-only access.
12096 <https://webkit.org/b/130060>
12097
12098 The PropertyTable lookup algorithm was written to support both read
12099 and write access. This wasn't actually needed in most places.
12100
12101 This change adds a PropertyTable::get() that just returns the value
12102 type (instead of an insertion iterator.) It also adds an early return
12103 for empty tables.
12104
12105 Finally, up the minimum table capacity from 8 to 16. It was lowered
12106 to 8 in order to save memory, but that was before PropertyTables were
12107 GC allocated. Nowadays we don't have nearly as many tables, since all
12108 the unpinned transitions die off.
12109
12110 Reviewed by Darin Adler.
12111
12112 * runtime/PropertyMapHashTable.h:
12113 (JSC::PropertyTable::get):
12114 * runtime/Structure.cpp:
12115 (JSC::Structure::despecifyDictionaryFunction):
12116 (JSC::Structure::attributeChangeTransition):
12117 (JSC::Structure::get):
12118 (JSC::Structure::despecifyFunction):
12119 * runtime/StructureInlines.h:
12120 (JSC::Structure::get):
12121
121222014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
12123
12124 REGRESSION(r165407): DoYouEvenBench crashes in DRT
12125 https://bugs.webkit.org/show_bug.cgi?id=130066
12126
12127 Reviewed by Geoffrey Garen.
12128
12129 The baseline JIT does a conditional store barrier for the put_by_id, but we need
12130 an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
12131
12132 * jit/JIT.h:
12133 * jit/JITPropertyAccess.cpp:
12134 (JSC::JIT::emit_op_put_by_id):
12135 (JSC::JIT::emitWriteBarrier):
12136
121372014-03-10 Mark Lam <mark.lam@apple.com>
12138
12139 Resurrect bit-rotted JIT::probe() mechanism.
12140 <https://webkit.org/b/130067>
12141
12142 Reviewed by Geoffrey Garen.
12143
12144 * jit/JITStubs.cpp:
12145 - Added the needed #include <wtf/InlineASM.h>.
12146
121472014-03-10 Joseph Pecoraro <pecoraro@apple.com>
12148
12149 Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
12150
12151 Rubber-stamped by Dan Bernstein.
12152
12153 * Configurations/JavaScriptCore.xcconfig:
12154
121552014-03-10 Mark Lam <mark.lam@apple.com>
12156
12157 r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
12158 <https://webkit.org/b/130065>
12159
12160 Reviewed by Michael Saboff.
12161
12162 There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
12163 being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
12164 FPRInfo::toIndex().
12165
12166 The fix is to remove the "result != InvalidIndex" assertions.
12167
12168 * jit/FPRInfo.h:
12169 (JSC::FPRInfo::toIndex):
12170 * jit/GPRInfo.h:
12171 (JSC::GPRInfo::toIndex):
12172
121732014-03-10 Mark Lam <mark.lam@apple.com>
12174
12175 Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
12176 <https://webkit.org/b/129955>
12177
12178 Reviewed by Geoffrey Garen.
12179
12180 The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
12181 stack memory every time it was called. This is now fixed.
12182
12183 * jit/JITOperations.cpp:
12184
121852014-03-10 Joseph Pecoraro <pecoraro@apple.com>
12186
12187 Better JSContext API for named evaluations (other than //# sourceURL)
12188 https://bugs.webkit.org/show_bug.cgi?id=129911
12189
12190 Reviewed by Geoffrey Garen.
12191
12192 * API/JSBase.h:
12193 * API/JSContext.h:
12194 * API/JSContext.mm:
12195 (-[JSContext evaluateScript:]):
12196 (-[JSContext evaluateScript:withSourceURL:]):
12197 Add new evaluateScript:withSourceURL:.
12198
12199 * API/tests/testapi.c:
12200 (main):
12201 * API/tests/testapi.mm:
12202 (testObjectiveCAPI):
12203 Add tests for sourceURL in evaluate APIs. It should
12204 affect the exception objects.
12205
122062014-03-10 Filip Pizlo <fpizlo@apple.com>
12207
12208 Repatch should save and restore all used registers - not just temp ones - when making a call
12209 https://bugs.webkit.org/show_bug.cgi?id=130041
12210
12211 Reviewed by Geoffrey Garen and Mark Hahnenberg.
12212
12213 The save/restore code was written back when the only client was the DFG, which only uses a
12214 subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
12215 other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
12216 lead to data corruption on ARM64.
12217
12218 * jit/RegisterSet.cpp:
12219 (JSC::RegisterSet::calleeSaveRegisters):
12220 (JSC::RegisterSet::numberOfSetGPRs):
12221 (JSC::RegisterSet::numberOfSetFPRs):
12222 * jit/RegisterSet.h:
12223 * jit/Repatch.cpp:
12224 (JSC::storeToWriteBarrierBuffer):
12225 (JSC::emitPutTransitionStub):
12226 * jit/ScratchRegisterAllocator.cpp:
12227 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier
        on the base object in the case where we are allocating and storing a new Butterfly into it.
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.

        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.

        - This obviates the need for CompareStrictEqConstant, so remove it.

        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.

        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline shouldn't have a "console" because that confuses some tests into thinking
        that they're running in the browser.

        Rubber stamped by Mark Hahnenberg.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Out-line ScratchRegisterAllocator

        Rubber stamped by Mark Hahnenberg.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/ScratchRegisterAllocator.cpp: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Brent Fulgham  <bfulgham@apple.com>

        [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
        https://bugs.webkit.org/show_bug.cgi?id=130023

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
        path names to avoid accidental escaping of later string substitutions.

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):

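The accumulator entries above (testb_i8r, sub_ir, add_ir, xor_ir, or_ir, test_ir, cmp_ir, xchg_rr) and the store64 entry all rest on the same property of x86 encoding: instructions whose destination is eax/al have a dedicated opcode with no ModRM byte, and a 64-bit store can take a sign-extended imm32 directly. The following is an added illustration, not code from JavaScriptCore's X86Assembler: a minimal byte emitter that picks the short form when the register is the accumulator and applies the CAN_SIGN_EXTEND_32_64 test for store64. The register enum, function names and the choice of r11 as scratch are this example's own assumptions.

```cpp
#include <cstdint>
#include <vector>

// Legacy general-purpose registers only (r8-r15 would need REX.B/REX.R, which
// this demo does not model). eax doubles as 8-bit al and 64-bit rax.
enum Reg : uint8_t { eax = 0, ecx, edx, ebx, esp, ebp, esi, edi };

enum class Alu { Add, Or, Sub, Xor, Cmp };

// "op r/m32, imm32" is opcode 0x81 with the operation chosen by ModRM.reg (/digit);
// the accumulator form is a dedicated one-byte opcode with no ModRM at all.
struct AluEncoding { uint8_t groupDigit; uint8_t shortOpcode; };

static AluEncoding aluEncoding(Alu op) {
    switch (op) {
    case Alu::Add: return { 0, 0x05 };
    case Alu::Or:  return { 1, 0x0D };
    case Alu::Sub: return { 5, 0x2D };
    case Alu::Xor: return { 6, 0x35 };
    case Alu::Cmp: return { 7, 0x3D };
    }
    return { 0, 0 };
}

static void emitImm32(std::vector<uint8_t>& out, int32_t imm) {
    for (int shift = 0; shift < 32; shift += 8)
        out.push_back(static_cast<uint8_t>(static_cast<uint32_t>(imm) >> shift));
}

// ModRM with mod=11 (register-direct), reg=/digit or source register, rm=dst.
static uint8_t modrmReg(uint8_t reg, Reg rm) {
    return static_cast<uint8_t>(0xC0 | (reg << 3) | rm);
}

// add/or/sub/xor/cmp r32, imm32 (r64 with a REX.W prefix when is64 is set).
// With eax as destination the 0x81 + ModRM pair collapses to a single byte.
std::vector<uint8_t> aluImm32(Alu op, Reg dst, int32_t imm, bool is64 = false) {
    std::vector<uint8_t> out;
    if (is64) out.push_back(0x48);                       // REX.W
    AluEncoding e = aluEncoding(op);
    if (dst == eax) out.push_back(e.shortOpcode);
    else { out.push_back(0x81); out.push_back(modrmReg(e.groupDigit, dst)); }
    emitImm32(out, imm);
    return out;
}

// test r32, imm32 lives in the 0xF7 group (/0); its accumulator form is 0xA9.
std::vector<uint8_t> testImm32(Reg dst, int32_t imm, bool is64 = false) {
    std::vector<uint8_t> out;
    if (is64) out.push_back(0x48);
    if (dst == eax) out.push_back(0xA9);
    else { out.push_back(0xF7); out.push_back(modrmReg(0, dst)); }
    emitImm32(out, imm);
    return out;
}

// test r8, imm8: 0xF6 /0 ib, or 0xA8 ib when the register is al. Without a REX
// prefix rm values 4-7 would mean ah/ch/dh/bh, so callers stick to al..bl here.
std::vector<uint8_t> testImm8(Reg dst, uint8_t imm) {
    if (dst == eax) return { 0xA8, imm };
    return { 0xF6, modrmReg(0, dst), imm };
}

// xchg r32, r32: 0x87 /r, or the single-byte 0x90+rd form when one side is eax.
std::vector<uint8_t> xchg(Reg a, Reg b) {
    if (a == eax) return { static_cast<uint8_t>(0x90 | b) };
    if (b == eax) return { static_cast<uint8_t>(0x90 | a) };
    return { 0x87, modrmReg(a, b) };
}

// The predicate the store64 entry calls CAN_SIGN_EXTEND_32_64: the value is
// unchanged by truncating to int32_t and sign-extending back to 64 bits.
bool canSignExtend32To64(int64_t value) {
    return value == static_cast<int64_t>(static_cast<int32_t>(value));
}

// store64(imm, [base + disp32]). Sign-extendable immediates take the direct
// "mov qword [m], imm32" (REX.W C7 /0 id, 11 bytes); anything else needs a 10-byte
// movabs into scratch r11 plus a 7-byte register store (17 bytes). Assumes base
// is not esp/rsp, which would additionally require a SIB byte.
std::vector<uint8_t> store64(int64_t imm, Reg base, int32_t disp) {
    std::vector<uint8_t> out;
    if (canSignExtend32To64(imm)) {
        out.push_back(0x48); out.push_back(0xC7);
        out.push_back(static_cast<uint8_t>(0x80 | base));    // mod=10, /0, rm=base
        emitImm32(out, disp);
        emitImm32(out, static_cast<int32_t>(imm));
        return out;
    }
    out.push_back(0x49); out.push_back(0xBB);                // REX.W+B, mov r11, imm64
    for (int shift = 0; shift < 64; shift += 8)
        out.push_back(static_cast<uint8_t>(static_cast<uint64_t>(imm) >> shift));
    out.push_back(0x4C); out.push_back(0x89);                // REX.W+R, mov [m], r11
    out.push_back(static_cast<uint8_t>(0x80 | (3 << 3) | base));
    emitImm32(out, disp);
    return out;
}
```

Comparing `aluImm32(Alu::Add, eax, 1)` with `aluImm32(Alu::Add, ecx, 1)` shows the one-byte saving each of the entries above is after; `store64` with an immediate outside the int32 range shows the 17-byte fallback the store64 entry replaces.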
2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.

        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.

        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.

        Remove the FIXME and remove the extra checks in the FTL.

        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09  Andreas Kling  <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09  Andreas Kling  <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08  Mark Lam  <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame. This edge case was handled in the 64-bit version. The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07  Mark Lam  <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places. Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07  Andrew Trick  <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07  Michael Saboff  <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07  Oliver Hunt  <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07  peavo@outlook.com  <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07  Michael Saboff  <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
        configuration issue.

        Reviewed by Michael Saboff.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07  Andrew Trick  <atrick@apple.com>

        Correct a comment typo from:
        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

2014-03-07  Andrew Trick  <atrick@apple.com>

        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add a Copy Resources build phase and include framework.sb.

        * Configurations/JavaScriptCore.xcconfig:
        Do not copy framework.sb on iOS.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=129858

        Reviewed by Mark Lam.

        It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
        but now it ends up overwriting the IdentifierTable that JSLock just restored.

        * API/JSContextRef.cpp:
        (JSGlobalContextRelease):

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix FTL build.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r165128.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
        performing 'Production' and 'DebugSuffix' type builds.

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Unreviewed, fix style in my previous commit.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        * runtime/JSConsole.cpp:

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Build fix: add missing include in JSConsole.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        Reviewed by Oliver Hunt.

        * runtime/JSConsole.cpp:

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix ARMv7

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165196.
        http://trac.webkit.org/changeset/165196
        https://bugs.webkit.org/show_bug.cgi?id=129822

        broke arm64 on hardware (Requested by bfulgham on #webkit).

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
        <https://webkit.org/b/129813>

        Reviewed by Michael Saboff.

        Fixed broken C loop LLINT build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

129992014-03-06 Filip Pizlo <fpizlo@apple.com>
13000
13001 FTL arity fixup should work on ARM64
13002 https://bugs.webkit.org/show_bug.cgi?id=129810
13003
13004 Reviewed by Michael Saboff.
13005
13006 - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
13007 callee-save.
13008
13009 - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
13010
13011 This makes some more tests pass.
13012
13013 * dfg/DFGJITCompiler.cpp:
13014 (JSC::DFG::JITCompiler::compileFunction):
13015 * ftl/FTLLink.cpp:
13016 (JSC::FTL::link):
13017 * jit/AssemblyHelpers.h:
13018 (JSC::AssemblyHelpers::prologueStackPointerDelta):
13019 * jit/JIT.cpp:
13020 (JSC::JIT::privateCompile):
13021 * jit/ThunkGenerators.cpp:
13022 (JSC::arityFixup):
13023 * llint/LowLevelInterpreter64.asm:
13024 * offlineasm/arm64.rb:
13025 * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
13026
130272014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
13028
13029 Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
13030 https://bugs.webkit.org/show_bug.cgi?id=129760
13031
13032 Reviewed by Geoffrey Garen.
13033
13034 r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
13035 The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
13036
13037 * dfg/DFGSpeculativeJIT.cpp:
13038 (JSC::DFG::SpeculativeJIT::writeBarrier):
13039 * dfg/DFGSpeculativeJIT.h:
13040 * dfg/DFGSpeculativeJIT32_64.cpp:
13041 (JSC::DFG::SpeculativeJIT::writeBarrier):
13042 * dfg/DFGSpeculativeJIT64.cpp:
13043 (JSC::DFG::SpeculativeJIT::writeBarrier):
13044 * jit/AssemblyHelpers.h:
13045 (JSC::AssemblyHelpers::checkMarkByte):
13046 * jit/JIT.h:
13047 * jit/JITPropertyAccess.cpp:
13048 * jit/Repatch.cpp:
13049 (JSC::writeBarrier):
13050
130512014-03-06 Joseph Pecoraro <pecoraro@apple.com>
13052
13053 Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
13054 https://bugs.webkit.org/show_bug.cgi?id=127944
13055
13056 Reviewed by Geoffrey Garen.
13057
13058 Always expose the Console object in JSContexts, just like we
13059 do for web pages. The default behavior will route to an
13060 attached JSContext inspector. This can be overriden by
13061 setting the ConsoleClient on the JSGlobalObject, which WebCore
13062 does to get slightly different behavior.
13063
13064 * CMakeLists.txt:
13065 * GNUmakefile.list.am:
13066 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13067 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
13068 * JavaScriptCore.xcodeproj/project.pbxproj:
13069 Update build systems.
13070
13071 * API/tests/testapi.js:
13072 * API/tests/testapi.mm:
13073 Test that "console" exists in C and ObjC contexts.
13074
13075 * runtime/ConsoleClient.cpp: Added.
13076 (JSC::ConsoleClient::printURLAndPosition):
13077 (JSC::ConsoleClient::printMessagePrefix):
13078 (JSC::ConsoleClient::printConsoleMessage):
13079 (JSC::ConsoleClient::printConsoleMessageWithArguments):
13080 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
13081 (JSC::ConsoleClient::logWithLevel):
13082 (JSC::ConsoleClient::clear):
13083 (JSC::ConsoleClient::dir):
13084 (JSC::ConsoleClient::dirXML):
13085 (JSC::ConsoleClient::table):
13086 (JSC::ConsoleClient::trace):
13087 (JSC::ConsoleClient::assertCondition):
13088 (JSC::ConsoleClient::group):
13089 (JSC::ConsoleClient::groupCollapsed):
13090 (JSC::ConsoleClient::groupEnd):
13091 * runtime/ConsoleClient.h: Added.
13092 (JSC::ConsoleClient::~ConsoleClient):
13093 New private interface for handling the console object's methods.
13094 A lot of the methods funnel through messageWithTypeAndLevel.
13095
13096 * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
13097 Moved to JSC namespace.
13098
13099 * runtime/JSGlobalObject.cpp:
13100 (JSC::JSGlobalObject::JSGlobalObject):
13101 (JSC::JSGlobalObject::init):
13102 (JSC::JSGlobalObject::reset):
13103 (JSC::JSGlobalObject::visitChildren):
        Create the "console" object when initializing the environment.
        Also set the default console client to be the JS context inspector.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient):
        (JSC::JSGlobalObject::consoleClient):
        Ability to change the console client, so WebCore can set a custom client.

        * runtime/ConsolePrototype.cpp: Added.
        (JSC::ConsolePrototype::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/ConsolePrototype.h: Added.
        (JSC::ConsolePrototype::create):
        (JSC::ConsolePrototype::createStructure):
        (JSC::ConsolePrototype::ConsolePrototype):
        Define the console object interface. Parse out required / expected
        arguments and throw exceptions when methods are misused.

        * runtime/JSConsole.cpp: Added.
        * runtime/JSConsole.h: Added.
        (JSC::JSConsole::createStructure):
        (JSC::JSConsole::create):
        (JSC::JSConsole::JSConsole):
        Empty "console" object. Everything is in the prototype.

        * inspector/JSConsoleClient.cpp: Added.
        (Inspector::JSConsoleClient::JSGlobalObjectConsole):
        (Inspector::JSConsoleClient::count):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::time):
        (Inspector::JSConsoleClient::timeEnd):
        (Inspector::JSConsoleClient::timeStamp):
        (Inspector::JSConsoleClient::warnUnimplemented):
        (Inspector::JSConsoleClient::internalAddMessage):
        * inspector/JSConsoleClient.h: Added.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::consoleClient):
        * inspector/JSGlobalObjectInspectorController.h:
        Default JSContext ConsoleClient implementation. Handle nearly
        everything except profile/profileEnd and timeStamp.

2014-03-06  Andreas Kling  <akling@apple.com>

        Drop unlinked function code on memory pressure.
        <https://webkit.org/b/129789>

        Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
        are not currently being compiled.

        4.5 MB progression on Membuster.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Reviewed by Michael Saboff.

        Previously we had two different places that defined what "stack" registers are, a thing
        called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
        "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
        one place and had a baked-in notion of what it meant for a register to be "real" or not.

        It's not cool to use words like "real" and "special" to describe registers, especially if you
        fail to qualify what that means. This originally made sense on X86 - "real" registers were
        the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
        you also have to worry about the LR register, which we'd want to say is "not real" but it's
        also not a "stack" register. This got super confusing.

        So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
        a "stack" register, and uses the word special only in places where it's clearly defined and
        where no better word comes to mind.

        This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
        Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
        magically didn't break anything because you never need to save/restore either FP or Q0, but
        it was still super weird.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * disassembler/ARM64Disassembler.cpp:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Use the LLVM disassembler on ARM64 if we are enabling the FTL
        https://bugs.webkit.org/show_bug.cgi?id=129785

        Reviewed by Geoffrey Garen.

        Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
        is strictly more capable at this point. Use it if it's available.

        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reduce RWI message frequency
        https://bugs.webkit.org/show_bug.cgi?id=129767

        Reviewed by Timothy Hatcher.

        This used to be 0.2s and changed by accident to 0.02s.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::pushListingSoon):

2014-03-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165141, r165157, and r165158.
        http://trac.webkit.org/changeset/165141
        http://trac.webkit.org/changeset/165157
        http://trac.webkit.org/changeset/165158
        https://bugs.webkit.org/show_bug.cgi?id=129772

        "broke ftl" (Requested by olliej_ on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheable):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent possible deadlock in view indication
        https://bugs.webkit.org/show_bug.cgi?id=129766

        Reviewed by Geoffrey Garen.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=129754

        Reviewed by Geoffrey Garen.

        InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.

        * runtime/JSCell.h:
        (JSC::JSCell::inlineTypeFlags):
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
        https://bugs.webkit.org/show_bug.cgi?id=129763

        Reviewed by Geoffrey Garen.

        Clear the list of all breakpoints, including unresolved breakpoints.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):

2014-03-05  Mark Lam  <mark.lam@apple.com>

        llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
        <https://webkit.org/b/129768>

        Reviewed by Mark Hahnenberg.

        When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
        and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
        path llint_slow_path_check_has_instance(), and execute a code path that does the
        following:
        1. Adjusts the byte code PC to the jump target PC.
        2. For the purpose of storing the result, get the result registerIndex from the
           1st operand using the PC as if the PC is still pointing to op_check_has_instance
           bytecode.

        The result is that whatever value resides after where the jump target PC is will
        be used as a result register value. Depending on what that value is, the result
        can be:
        1. the code coincidentally works correctly
        2. memory corruption
        3. crashes

        The fix is to only adjust the byte code PC after we have stored the result.

        * llint/LLIntSlowPaths.cpp:
        (llint_slow_path_check_has_instance):

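Added illustration of the ordering bug described in the entry above. This is a toy C++ interpreter slow path, not JSC's LLInt code and not part of the commit: the five-slot instruction layout, the register file and the demo program are constructed assumptions, and the explicit bounds check stands in for what a real interpreter would do silently as an out-of-bounds register write.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Toy instruction layout (assumption for the demo, not JSC's real encoding):
//   [0] opcode  [1] dst register  [2] value register  [3] proto register  [4] jump offset
// The slow path must read operands [1..3] relative to the instruction it was
// called for, and only afterwards move the PC to the jump target.
constexpr int32_t kOpCheckHasInstance = 7;

struct ToyFrame {
    std::vector<int32_t> code;      // bytecode stream
    std::vector<int64_t> registers; // register file
    size_t pc = 0;                  // index of the current instruction
};

// Buggy ordering from the bug report: advance the PC first, then read the
// destination operand through the already-moved PC. Whatever value sits
// after the jump target is treated as a register index.
static size_t slowPathAdjustsPcFirst(ToyFrame& frame, int64_t result)
{
    const int32_t* pc = &frame.code[frame.pc];
    frame.pc += static_cast<size_t>(pc[4]);     // 1. jump to the target
    pc = &frame.code[frame.pc];
    size_t dst = static_cast<size_t>(pc[1]);    // 2. "dst" read from the wrong instruction
    if (dst >= frame.registers.size())
        throw std::out_of_range("register index taken from the jump target");
    frame.registers[dst] = result;
    return dst;
}

// Fixed ordering: store the result through the original PC, then jump.
static size_t slowPathStoresThenJumps(ToyFrame& frame, int64_t result)
{
    const int32_t* pc = &frame.code[frame.pc];
    size_t dst = static_cast<size_t>(pc[1]);
    if (dst >= frame.registers.size())
        throw std::out_of_range("bad dst operand");
    frame.registers[dst] = result;              // 1. store the result
    frame.pc += static_cast<size_t>(pc[4]);     // 2. only then adjust the PC
    return dst;
}

// Constructed demo program: one op_check_has_instance at index 0 whose jump
// target (index 10) begins with an unrelated instruction whose first operand
// happens to be 0, so the buggy ordering silently clobbers register 0.
static ToyFrame makeDemoFrame()
{
    ToyFrame frame;
    frame.code = { kOpCheckHasInstance, 2, 0, 1, 10,   // index 0..4
                   0, 0, 0, 0, 0,                      // index 5..9 (padding)
                   3, 0, 5, 5, 0 };                    // index 10..14 (jump target)
    frame.registers = { 42, 43, 44 };                  // r0 = value, r1 = proto, r2 = dst
    return frame;
}

// Runs one slow-path call with either ordering and reports which register
// actually received the result.
size_t destinationUsed(bool fixedOrdering)
{
    ToyFrame frame = makeDemoFrame();
    return fixedOrdering ? slowPathStoresThenJumps(frame, 1)
                         : slowPathAdjustsPcFirst(frame, 1);
}

// Register contents after the call, to show which register was clobbered.
int64_t registerAfter(bool fixedOrdering, size_t reg)
{
    ToyFrame frame = makeDemoFrame();
    if (fixedOrdering)
        slowPathStoresThenJumps(frame, 1);
    else
        slowPathAdjustsPcFirst(frame, 1);
    return frame.registers.at(reg);
}
```

With the constructed program the fixed path writes register 2 and leaves register 0 alone; the buggy path writes register 0 (the "value" operand) and never touches the real destination, which is the "coincidentally works / corrupts memory" outcome the entry describes, depending only on what happens to follow the jump target.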
2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        FTL build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set

        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
        barrier, we only want to take the slow path if the object being stored to is in state #2.
        We'd like to make the test for state #2 as fast as possible, which means making it a
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

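Added example of the three-state mark byte the entry above describes, written in C++ for this page and not taken from JSCell.h. The concrete byte values, the Cell and RememberedSet types and the writeBarrier function are assumptions for the demo; the point they illustrate is that giving state #2 the value 0 turns the barrier's fast-path test into a single compare against zero.

```cpp
#include <cstdint>
#include <vector>

// Mark/remembered states packed into one byte. Values are an assumption for
// this demo: the state the write barrier must act on (marked but not yet in
// the remembered set) gets 0 so the fast path is "gcData == 0".
enum GCData : uint8_t {
    MarkedNotRemembered = 0, // state #2: marked, not in the remembered set -> slow path
    MarkedAndRemembered = 1, // state #3: marked and already in the remembered set
    NotMarked = 2,           // state #1: not marked (implies not remembered)
};

struct Cell {
    uint8_t gcData = NotMarked; // freshly allocated objects start unmarked

    bool isMarked() const { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }

    // Marking moves a cell from state #1 to state #2.
    void mark() { gcData = MarkedNotRemembered; }
    // remember/forget move a marked cell between states #2 and #3.
    void remember() { gcData = MarkedAndRemembered; }
    void forget() { gcData = MarkedNotRemembered; }
};

// Toy remembered set (demo only): tracks cells whose barrier fired since the
// last collection and resets them to state #2 when the set is cleared.
struct RememberedSet {
    std::vector<Cell*> cells;
    void add(Cell* c) { c->remember(); cells.push_back(c); }
    void clear() { for (Cell* c : cells) c->forget(); cells.clear(); }
};

// Write barrier for a store into `owner`. Returns true when the slow path ran.
// The fast path is the single compare the entry asks for; anything non-zero
// (unmarked, or already remembered) needs no further work.
bool writeBarrier(Cell* owner, RememberedSet& set)
{
    if (owner->gcData != MarkedNotRemembered)
        return false;          // fast path: one compare against 0
    set.add(owner);            // slow path: owner becomes state #3
    return true;
}

// Walks one cell through the states and counts how often the barrier
// actually reached the slow path.
int slowPathsTaken()
{
    RememberedSet set;
    Cell cell;                            // state #1: new object
    int slow = 0;
    slow += writeBarrier(&cell, set);     // unmarked: fast path
    cell.mark();                          // survived a collection: state #2
    slow += writeBarrier(&cell, set);     // first store into old object: slow path
    slow += writeBarrier(&cell, set);     // now state #3: fast path
    set.clear();                          // next collection drops the set: state #2 again
    slow += writeBarrier(&cell, set);     // slow path once more
    return slow;
}

// Checks that the predicates agree with the transitions above.
bool stateTransitionsConsistent()
{
    Cell c;
    bool ok = !c.isMarked() && !c.isRemembered();
    c.mark();     ok = ok && c.isMarked() && !c.isRemembered();
    c.remember(); ok = ok && c.isMarked() && c.isRemembered();
    c.forget();   ok = ok && c.isMarked() && !c.isRemembered();
    return ok;
}
```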
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.

        - Be more defensive about inline caches that have degenerate chains.

        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756

        - Don't even emit intrinsic declarations on non-x86 platforms.

        - More debug printing support.

        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05  peavo@outlook.com  <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

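Added example of the stack-probing idea behind the Win32 entry above: the only safe way to grow a guard-page stack is to touch it one page at a time from the top down, which is what _chkstk does and what a precommit routine has to reproduce by hand. This is illustrative C++ written for this page, not JSC::preCommitStackMemory from VM.cpp; the 4 KB page size is hard-coded as an assumption (real code asks the OS), and the 64 KB scratch region is a constructed stand-in for the reserved stack range.

```cpp
#include <cstddef>
#include <cstdint>

// Page size assumed for the demo; production code queries it from the OS.
constexpr size_t kPageSize = 4096;

// Touch one byte in every page of [lowest, highest), walking from the top
// address downward. Each access lands at most one page below the last page
// touched, so a guard-page stack can move its guard and commit the page
// instead of faulting. Returns the number of distinct pages probed.
size_t probeStackPages(volatile char* lowest, volatile char* highest)
{
    const uintptr_t lo = reinterpret_cast<uintptr_t>(lowest);
    const uintptr_t hi = reinterpret_cast<uintptr_t>(highest);
    if (hi <= lo)
        return 0;
    size_t pages = 0;
    uintptr_t page = (hi - 1) & ~static_cast<uintptr_t>(kPageSize - 1); // page holding the top byte
    for (;;) {
        uintptr_t addr = page > lo ? page : lo;   // lowest page may start below the range
        *reinterpret_cast<volatile char*>(addr) = 0; // volatile: the store must really happen
        ++pages;
        if (page <= lo)
            break;
        page -= kPageSize;
    }
    return pages;
}

// Runs the probe over a page-aligned static buffer so the count is exact.
size_t probeAlignedPages(size_t pages)
{
    alignas(kPageSize) static char buf[16 * kPageSize];
    if (pages > 16)
        pages = 16;
    return probeStackPages(buf, buf + pages * kPageSize);
}

// Precommit demo on the real C stack: reserve a region as a local array and
// probe the top `bytes` of it. The array is not page-aligned, so `bytes`
// may span one page more than bytes / kPageSize.
size_t precommitDemo(size_t bytes)
{
    volatile char region[64 * 1024];               // constructed stand-in for the stack reserve
    if (bytes > sizeof(region))
        bytes = sizeof(region);
    return probeStackPages(region + sizeof(region) - bytes, region + sizeof(region));
}
```

The stride matters more than the count: stepping by more than one page can skip over the guard page entirely, which is exactly the fault the entry describes for frames larger than 4K.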
2014-03-05  Michael Saboff  <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes. All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

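Added example of the union-based byte assembly the entry above describes, written for this page rather than copied from JSDataViewPrototype.cpp. The getData/setData templates, the inBounds helper and the 12-byte sample buffer are constructed for the demo; the endianness flag follows the DataView API's littleEndian argument. Because the view is only ever touched through byte loads and stores, an unaligned offset is fine on every architecture.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>

// Host byte order, detected at run time through the same union trick.
static bool hostIsLittleEndian()
{
    union { uint16_t word; uint8_t bytes[2]; } probe;
    probe.word = 1;
    return probe.bytes[0] == 1;
}

// Bounds check shared by getData and setData: the whole element must lie
// inside the view. Written as a subtraction so byteOffset + width cannot overflow.
bool inBounds(size_t byteLength, size_t byteOffset, size_t width)
{
    return byteOffset <= byteLength && byteLength - byteOffset >= width;
}

// Assemble a T from the view one byte at a time. No load wider than a byte
// ever touches the buffer, so alignment of byteOffset does not matter.
template <typename T>
T getData(const uint8_t* buffer, size_t byteLength, size_t byteOffset, bool littleEndian)
{
    if (!inBounds(byteLength, byteOffset, sizeof(T)))
        throw std::out_of_range("DataView read out of range");
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    const bool swap = hostIsLittleEndian() != littleEndian;
    for (size_t i = 0; i < sizeof(T); ++i)
        u.bytes[swap ? sizeof(T) - 1 - i : i] = buffer[byteOffset + i];
    return u.value;
}

// Disassemble a T into the view one byte at a time.
template <typename T>
void setData(uint8_t* buffer, size_t byteLength, size_t byteOffset, T value, bool littleEndian)
{
    if (!inBounds(byteLength, byteOffset, sizeof(T)))
        throw std::out_of_range("DataView write out of range");
    union { T value; uint8_t bytes[sizeof(T)]; } u;
    u.value = value;
    const bool swap = hostIsLittleEndian() != littleEndian;
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + i] = u.bytes[swap ? sizeof(T) - 1 - i : i];
}

// Constructed 12-byte view: eight ascending bytes, then 1.0f in little-endian order.
static const uint8_t kSample[12] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
                                     0x00, 0x00, 0x80, 0x3f };

uint32_t readU32(size_t offset, bool littleEndian)
{
    return getData<uint32_t>(kSample, sizeof(kSample), offset, littleEndian);
}

float readF32(size_t offset, bool littleEndian)
{
    return getData<float>(kSample, sizeof(kSample), offset, littleEndian);
}

// Writes a double at an odd (unaligned) offset and reads it back.
double roundTripDouble(double v, bool littleEndian)
{
    uint8_t scratch[16] = {};
    setData<double>(scratch, sizeof(scratch), 3, v, littleEndian);
    return getData<double>(scratch, sizeof(scratch), 3, littleEndian);
}
```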
2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.

        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".

        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.

        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.

        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.

        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.

        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05  Anders Carlsson  <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

137782014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13779
13780 Use range-based loops where possible in Heap methods
13781 https://bugs.webkit.org/show_bug.cgi?id=129513
13782
13783 Reviewed by Mark Lam.
13784
13785 Replace old school iterator based loops with the new range-based loop hotness
13786 for a better tomorrow.
13787
13788 * heap/CodeBlockSet.cpp:
13789 (JSC::CodeBlockSet::~CodeBlockSet):
13790 (JSC::CodeBlockSet::clearMarks):
13791 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
13792 (JSC::CodeBlockSet::traceMarked):
13793 * heap/Heap.cpp:
13794 (JSC::Heap::visitProtectedObjects):
13795 (JSC::Heap::visitTempSortVectors):
13796 (JSC::Heap::clearRememberedSet):
13797 * heap/Heap.h:
13798 (JSC::Heap::forEachProtectedCell):
13799
138002014-03-04 Filip Pizlo <fpizlo@apple.com>
13801
13802 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13803 https://bugs.webkit.org/show_bug.cgi?id=129563
13804
13805 Reviewed by Geoffrey Garen.
13806
13807 Rolling this back in after fixing an assertion failure. speculateMisc() should have
13808 said DFG_TYPE_CHECK instead of typeCheck.
13809
13810 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13811 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13812 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13813 comparing undefined, null, and booleans to each other.
13814
13815 This also adds support for miscellaneous things that I needed to make my various test
13816 cases work. This includes comparison over booleans and the various Throw-related node
13817 types.
13818
13819 This also improves constant folding of CompareStrictEq and CompareEq.
13820
13821 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13822 based on profiling, which caused some downstream badness. We don't actually support
13823 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13824 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13825 shouldn't factor out the bounds check since the access is not InBounds but then the
13826 backend would ignore the flag and assume that the bounds check was already emitted.
13827 This showed up on an existing test but I added a test for this explicitly to have more
13828 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13829 that we'll have a bounds check anyway.
13830
13831 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13832 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13833 still a lot more coverage work to be done there.
13834
13835 * bytecode/SpeculatedType.cpp:
13836 (JSC::speculationToAbbreviatedString):
13837 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
13838 (JSC::valuesCouldBeEqual):
13839 * bytecode/SpeculatedType.h:
13840 (JSC::isMiscSpeculation):
13841 * dfg/DFGAbstractInterpreterInlines.h:
13842 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13843 * dfg/DFGArrayMode.cpp:
13844 (JSC::DFG::ArrayMode::refine):
13845 * dfg/DFGArrayMode.h:
13846 * dfg/DFGFixupPhase.cpp:
13847 (JSC::DFG::FixupPhase::fixupNode):
13848 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
13849 * dfg/DFGNode.h:
13850 (JSC::DFG::Node::shouldSpeculateMisc):
13851 * dfg/DFGSafeToExecute.h:
13852 (JSC::DFG::SafeToExecuteEdge::operator()):
13853 * dfg/DFGSpeculativeJIT.cpp:
13854 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13855 (JSC::DFG::SpeculativeJIT::speculateMisc):
13856 (JSC::DFG::SpeculativeJIT::speculate):
13857 * dfg/DFGSpeculativeJIT.h:
13858 * dfg/DFGSpeculativeJIT32_64.cpp:
13859 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13860 * dfg/DFGSpeculativeJIT64.cpp:
13861 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13862 * dfg/DFGUseKind.cpp:
13863 (WTF::printInternal):
13864 * dfg/DFGUseKind.h:
13865 (JSC::DFG::typeFilterFor):
13866 * ftl/FTLCapabilities.cpp:
13867 (JSC::FTL::canCompile):
13868 * ftl/FTLLowerDFGToLLVM.cpp:
13869 (JSC::FTL::LowerDFGToLLVM::compileNode):
13870 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13871 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13872 (JSC::FTL::LowerDFGToLLVM::compileThrow):
13873 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
13874 (JSC::FTL::LowerDFGToLLVM::isMisc):
13875 (JSC::FTL::LowerDFGToLLVM::speculate):
13876 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
13877 * tests/stress/float32-array-out-of-bounds.js: Added.
13878 * tests/stress/weird-equality-folding-cases.js: Added.
13879
138802014-03-04 Commit Queue <commit-queue@webkit.org>
13881
13882 Unreviewed, rolling out r165085.
13883 http://trac.webkit.org/changeset/165085
13884 https://bugs.webkit.org/show_bug.cgi?id=129729
13885
13886 Broke imported/w3c/html-templates/template-element/template-
13887 content.html (Requested by ap on #webkit).
13888
13889 * bytecode/SpeculatedType.cpp:
13890 (JSC::speculationToAbbreviatedString):
13891 * bytecode/SpeculatedType.h:
13892 * dfg/DFGAbstractInterpreterInlines.h:
13893 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13894 * dfg/DFGArrayMode.cpp:
13895 (JSC::DFG::ArrayMode::refine):
13896 * dfg/DFGArrayMode.h:
13897 * dfg/DFGFixupPhase.cpp:
13898 (JSC::DFG::FixupPhase::fixupNode):
13899 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
13900 * dfg/DFGNode.h:
13901 (JSC::DFG::Node::shouldSpeculateBoolean):
13902 * dfg/DFGSafeToExecute.h:
13903 (JSC::DFG::SafeToExecuteEdge::operator()):
13904 * dfg/DFGSpeculativeJIT.cpp:
13905 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13906 (JSC::DFG::SpeculativeJIT::speculate):
13907 * dfg/DFGSpeculativeJIT.h:
13908 * dfg/DFGSpeculativeJIT32_64.cpp:
13909 * dfg/DFGSpeculativeJIT64.cpp:
13910 * dfg/DFGUseKind.cpp:
13911 (WTF::printInternal):
13912 * dfg/DFGUseKind.h:
13913 (JSC::DFG::typeFilterFor):
13914 * ftl/FTLCapabilities.cpp:
13915 (JSC::FTL::canCompile):
13916 * ftl/FTLLowerDFGToLLVM.cpp:
13917 (JSC::FTL::LowerDFGToLLVM::compileNode):
13918 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13919 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13920 (JSC::FTL::LowerDFGToLLVM::speculate):
13921 * tests/stress/float32-array-out-of-bounds.js: Removed.
13922 * tests/stress/weird-equality-folding-cases.js: Removed.
13923
13924 2014-03-04 Brian Burg <bburg@apple.com>
13925
13926 Inspector does not restore breakpoints after a page reload
13927 https://bugs.webkit.org/show_bug.cgi?id=129655
13928
13929 Reviewed by Joseph Pecoraro.
13930
13931 Fix a regression introduced by r162096 that erroneously removed
13932 the inspector backend's mapping of files to breakpoints whenever the
13933 global object was cleared.
13934
13935 The inspector's breakpoint mappings should only be cleared when the
13936 debugger agent is disabled or destroyed. We should only clear the
13937 debugger's breakpoint state when the global object is cleared.
13938
13939 To make it clearer what state is being cleared, the two cases have
13940 been split into separate methods.
13941
13942 * inspector/agents/InspectorDebuggerAgent.cpp:
13943 (Inspector::InspectorDebuggerAgent::disable):
13944 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
13945 (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
13946 (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
13947 * inspector/agents/InspectorDebuggerAgent.h:
13948
13949 2014-03-04 Andreas Kling <akling@apple.com>
13950
13951 Streamline JSValue::get().
13952 <https://webkit.org/b/129720>
13953
13954 Fetch each Structure and VM only once when walking the prototype chain
13955 in JSObject::getPropertySlot(), then pass it along to the functions
13956 we call from there, so they don't have to re-fetch it.
13957
13958 Reviewed by Geoff Garen.
13959
13960 * runtime/JSObject.h:
13961 (JSC::JSObject::inlineGetOwnPropertySlot):
13962 (JSC::JSObject::fastGetOwnPropertySlot):
13963 (JSC::JSObject::getPropertySlot):
13964
13965 2014-03-01 Filip Pizlo <fpizlo@apple.com>
13966
13967 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13968 https://bugs.webkit.org/show_bug.cgi?id=129563
13969
13970 Reviewed by Geoffrey Garen.
13971
13972 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13973 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13974 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13975 comparing undefined, null, and booleans to each other.
13976
13977 This also adds support for miscellaneous things that I needed to make my various test
13978 cases work. This includes comparison over booleans and the various Throw-related node
13979 types.
13980
13981 This also improves constant folding of CompareStrictEq and CompareEq.
13982
13983 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13984 based on profiling, which caused some downstream badness. We don't actually support
13985 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13986 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13987 shouldn't factor out the bounds check since the access is not InBounds but then the
13988 backend would ignore the flag and assume that the bounds check was already emitted.
13989 This showed up on an existing test but I added a test for this explicitly to have more
13990 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13991 that we'll have a bounds check anyway.
13992
13993 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13994 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13995 still a lot more coverage work to be done there.
13996
13997 * bytecode/SpeculatedType.cpp:
13998 (JSC::speculationToAbbreviatedString):
13999 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
14000 (JSC::valuesCouldBeEqual):
14001 * bytecode/SpeculatedType.h:
14002 (JSC::isMiscSpeculation):
14003 * dfg/DFGAbstractInterpreterInlines.h:
14004 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
14005 * dfg/DFGFixupPhase.cpp:
14006 (JSC::DFG::FixupPhase::fixupNode):
14007 * dfg/DFGNode.h:
14008 (JSC::DFG::Node::shouldSpeculateMisc):
14009 * dfg/DFGSafeToExecute.h:
14010 (JSC::DFG::SafeToExecuteEdge::operator()):
14011 * dfg/DFGSpeculativeJIT.cpp:
14012 (JSC::DFG::SpeculativeJIT::compileStrictEq):
14013 (JSC::DFG::SpeculativeJIT::speculateMisc):
14014 (JSC::DFG::SpeculativeJIT::speculate):
14015 * dfg/DFGSpeculativeJIT.h:
14016 * dfg/DFGSpeculativeJIT32_64.cpp:
14017 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
14018 * dfg/DFGSpeculativeJIT64.cpp:
14019 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
14020 * dfg/DFGUseKind.cpp:
14021 (WTF::printInternal):
14022 * dfg/DFGUseKind.h:
14023 (JSC::DFG::typeFilterFor):
14024 * ftl/FTLCapabilities.cpp:
14025 (JSC::FTL::canCompile):
14026 * ftl/FTLLowerDFGToLLVM.cpp:
14027 (JSC::FTL::LowerDFGToLLVM::compileNode):
14028 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
14029 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
14030 (JSC::FTL::LowerDFGToLLVM::compileThrow):
14031 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
14032 (JSC::FTL::LowerDFGToLLVM::isMisc):
14033 (JSC::FTL::LowerDFGToLLVM::speculate):
14034 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
14035 * tests/stress/float32-array-out-of-bounds.js: Added.
14036 * tests/stress/weird-equality-folding-cases.js: Added.
14037
14038 2014-03-04 Andreas Kling <akling@apple.com>
14039
14040 Spam static branch prediction hints on JS bindings.
14041 <https://webkit.org/b/129703>
14042
14043 Add LIKELY hint to jsDynamicCast since it's always used in a context
14044 where we expect it to succeed and takes an error path when it doesn't.
14045
14046 Reviewed by Geoff Garen.
14047
14048 * runtime/JSCell.h:
14049 (JSC::jsDynamicCast):
14050
14051 2014-03-04 Andreas Kling <akling@apple.com>
14052
14053 Get to Structures more efficiently in JSCell::methodTable().
14054 <https://webkit.org/b/129702>
14055
14056 In JSCell::methodTable(), get the VM once and pass that along to
14057 structure(VM&) instead of using the heavier structure().
14058
14059 In JSCell::methodTable(VM&), replace calls to structure() with
14060 calls to structure(VM&).
14061
14062 Reviewed by Mark Hahnenberg.
14063
14064 * runtime/JSCellInlines.h:
14065 (JSC::JSCell::methodTable):
14066
14067 2014-03-04 Joseph Pecoraro <pecoraro@apple.com>
14068
14069 Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
14070 https://bugs.webkit.org/show_bug.cgi?id=129697
14071
14072 Reviewed by Timothy Hatcher.
14073
14074 * inspector/remote/RemoteInspectorXPCConnection.mm:
14075 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
14076 (Inspector::RemoteInspectorXPCConnection::handleEvent):
14077
14078 2014-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
14079
14080 Merge API shims and JSLock
14081 https://bugs.webkit.org/show_bug.cgi?id=129650
14082
14083 Reviewed by Mark Lam.
14084
14085 JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
14086 to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
14087
14088 * API/APICallbackFunction.h:
14089 (JSC::APICallbackFunction::call):
14090 (JSC::APICallbackFunction::construct):
14091 * API/APIShims.h: Removed.
14092 * API/JSBase.cpp:
14093 (JSEvaluateScript):
14094 (JSCheckScriptSyntax):
14095 (JSGarbageCollect):
14096 (JSReportExtraMemoryCost):
14097 (JSSynchronousGarbageCollectForDebugging):
14098 * API/JSCallbackConstructor.cpp:
14099 * API/JSCallbackFunction.cpp:
14100 * API/JSCallbackObjectFunctions.h:
14101 (JSC::JSCallbackObject<Parent>::init):
14102 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
14103 (JSC::JSCallbackObject<Parent>::put):
14104 (JSC::JSCallbackObject<Parent>::putByIndex):
14105 (JSC::JSCallbackObject<Parent>::deleteProperty):
14106 (JSC::JSCallbackObject<Parent>::construct):
14107 (JSC::JSCallbackObject<Parent>::customHasInstance):
14108 (JSC::JSCallbackObject<Parent>::call):
14109 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
14110 (JSC::JSCallbackObject<Parent>::getStaticValue):
14111 (JSC::JSCallbackObject<Parent>::callbackGetter):
14112 * API/JSContext.mm:
14113 (-[JSContext setException:]):
14114 (-[JSContext wrapperForObjCObject:]):
14115 (-[JSContext wrapperForJSObject:]):
14116 * API/JSContextRef.cpp:
14117 (JSContextGroupRelease):
14118 (JSContextGroupSetExecutionTimeLimit):
14119 (JSContextGroupClearExecutionTimeLimit):
14120 (JSGlobalContextCreateInGroup):
14121 (JSGlobalContextRetain):
14122 (JSGlobalContextRelease):
14123 (JSContextGetGlobalObject):
14124 (JSContextGetGlobalContext):
14125 (JSGlobalContextCopyName):
14126 (JSGlobalContextSetName):
14127 * API/JSManagedValue.mm:
14128 (-[JSManagedValue value]):
14129 * API/JSObjectRef.cpp:
14130 (JSObjectMake):
14131 (JSObjectMakeFunctionWithCallback):
14132 (JSObjectMakeConstructor):
14133 (JSObjectMakeFunction):
14134 (JSObjectMakeArray):
14135 (JSObjectMakeDate):
14136 (JSObjectMakeError):
14137 (JSObjectMakeRegExp):
14138 (JSObjectGetPrototype):
14139 (JSObjectSetPrototype):
14140 (JSObjectHasProperty):
14141 (JSObjectGetProperty):
14142 (JSObjectSetProperty):
14143 (JSObjectGetPropertyAtIndex):
14144 (JSObjectSetPropertyAtIndex):
14145 (JSObjectDeleteProperty):
14146 (JSObjectGetPrivateProperty):
14147 (JSObjectSetPrivateProperty):
14148 (JSObjectDeletePrivateProperty):
14149 (JSObjectIsFunction):
14150 (JSObjectCallAsFunction):
14151 (JSObjectCallAsConstructor):
14152 (JSObjectCopyPropertyNames):
14153 (JSPropertyNameArrayRelease):
14154 (JSPropertyNameAccumulatorAddName):
14155 * API/JSScriptRef.cpp:
14156 * API/JSValue.mm:
14157 (isDate):
14158 (isArray):
14159 (containerValueToObject):
14160 (valueToArray):
14161 (valueToDictionary):
14162 (objectToValue):
14163 * API/JSValueRef.cpp:
14164 (JSValueGetType):
14165 (JSValueIsUndefined):
14166 (JSValueIsNull):
14167 (JSValueIsBoolean):
14168 (JSValueIsNumber):
14169 (JSValueIsString):
14170 (JSValueIsObject):
14171 (JSValueIsObjectOfClass):
14172 (JSValueIsEqual):
14173 (JSValueIsStrictEqual):
14174 (JSValueIsInstanceOfConstructor):
14175 (JSValueMakeUndefined):
14176 (JSValueMakeNull):
14177 (JSValueMakeBoolean):
14178 (JSValueMakeNumber):
14179 (JSValueMakeString):
14180 (JSValueMakeFromJSONString):
14181 (JSValueCreateJSONString):
14182 (JSValueToBoolean):
14183 (JSValueToNumber):
14184 (JSValueToStringCopy):
14185 (JSValueToObject):
14186 (JSValueProtect):
14187 (JSValueUnprotect):
14188 * API/JSVirtualMachine.mm:
14189 (-[JSVirtualMachine addManagedReference:withOwner:]):
14190 (-[JSVirtualMachine removeManagedReference:withOwner:]):
14191 * API/JSWeakObjectMapRefPrivate.cpp:
14192 * API/JSWrapperMap.mm:
14193 (constructorHasInstance):
14194 (makeWrapper):
14195 (tryUnwrapObjcObject):
14196 * API/ObjCCallbackFunction.mm:
14197 (JSC::objCCallbackFunctionCallAsFunction):
14198 (JSC::objCCallbackFunctionCallAsConstructor):
14199 (objCCallbackFunctionForInvocation):
14200 * CMakeLists.txt:
14201 * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
14202 * GNUmakefile.list.am:
14203 * JavaScriptCore.xcodeproj/project.pbxproj:
14204 * dfg/DFGWorklist.cpp:
14205 * heap/DelayedReleaseScope.h:
14206 (JSC::DelayedReleaseScope::~DelayedReleaseScope):
14207 * heap/HeapTimer.cpp:
14208 (JSC::HeapTimer::timerDidFire):
14209 (JSC::HeapTimer::timerEvent):
14210 * heap/IncrementalSweeper.cpp:
14211 * inspector/InjectedScriptModule.cpp:
14212 (Inspector::InjectedScriptModule::ensureInjected):
14213 * jsc.cpp:
14214 (jscmain):
14215 * runtime/GCActivityCallback.cpp:
14216 (JSC::DefaultGCActivityCallback::doWork):
14217 * runtime/JSGlobalObjectDebuggable.cpp:
14218 (JSC::JSGlobalObjectDebuggable::connect):
14219 (JSC::JSGlobalObjectDebuggable::disconnect):
14220 (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
14221 * runtime/JSLock.cpp:
14222 (JSC::JSLock::lock):
14223 (JSC::JSLock::didAcquireLock):
14224 (JSC::JSLock::unlock):
14225 (JSC::JSLock::willReleaseLock):
14226 (JSC::JSLock::DropAllLocks::DropAllLocks):
14227 (JSC::JSLock::DropAllLocks::~DropAllLocks):
14228 * runtime/JSLock.h:
14229 * testRegExp.cpp:
14230 (realMain):
14231
14232 2014-03-04 Commit Queue <commit-queue@webkit.org>
14233
14234 Unreviewed, rolling out r164812.
14235 http://trac.webkit.org/changeset/164812
14236 https://bugs.webkit.org/show_bug.cgi?id=129699
14237
14238 it made things run slower (Requested by pizlo on #webkit).
14239
14240 * interpreter/Interpreter.cpp:
14241 (JSC::Interpreter::execute):
14242 * jsc.cpp:
14243 (GlobalObject::finishCreation):
14244 * runtime/BatchedTransitionOptimizer.h:
14245 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
14246 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
14247
14248 2014-03-02 Filip Pizlo <fpizlo@apple.com>
14249
14250 GetMyArgumentByVal in FTL
14251 https://bugs.webkit.org/show_bug.cgi?id=128850
14252
14253 Reviewed by Oliver Hunt.
14254
14255 This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
14256 They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
14257 caused it to think that the arity check had failed if the caller had passed more
14258 arguments than needed. This would cause the call frame copying to sort of go into
14259 reverse (because the amount-by-which-we-failed-arity would have opposite sign,
14260 throwing off a bunch of math) and the stack would end up being corrupted.
14261
14262 The bug was revealed by two existing tests although as far as I could tell, neither
14263 test was intending to cover this case directly. So, I added a new test.
14264
14265 * ftl/FTLCapabilities.cpp:
14266 (JSC::FTL::canCompile):
14267 * ftl/FTLLowerDFGToLLVM.cpp:
14268 (JSC::FTL::LowerDFGToLLVM::compileNode):
14269 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
14270 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
14271 (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
14272 (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
14273 * ftl/FTLOSRExitCompiler.cpp:
14274 (JSC::FTL::compileStub):
14275 * ftl/FTLState.h:
14276 * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
14277 * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
14278 * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
14279 * tests/stress/ftl-get-my-argument-by-val.js: Added.
14280
14281 2014-03-04 Zan Dobersek <zdobersek@igalia.com>
14282
14283 [GTK] Build the Udis86 disassembler
14284 https://bugs.webkit.org/show_bug.cgi?id=129679
14285
14286 Reviewed by Michael Saboff.
14287
14288 * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
14289 * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
14290
14291 2014-03-04 Andreas Kling <akling@apple.com>
14292
14293 Fix too-narrow assertion I added in r165054.
14294
14295 It's okay for a 1-character string to come in here. This will happen
14296 if the VM small string optimization doesn't apply (ch > 0xFF).
14297
14298 * runtime/JSString.h:
14299 (JSC::jsStringWithWeakOwner):
14300
14301 2014-03-04 Andreas Kling <akling@apple.com>
14302
14303 Micro-optimize Strings in JS bindings.
14304 <https://webkit.org/b/129673>
14305
14306 Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
14307 This avoids branches in length() and operator[].
14308
14309 Also call JSString::create() directly instead of jsString() and just
14310 assert that the string length is >1. This way we don't duplicate the
14311 optimizations for empty and single-character strings.
14312
14313 Reviewed by Ryosuke Niwa.
14314
14315 * runtime/JSString.h:
14316 (JSC::jsStringWithWeakOwner):
14317
14318 2014-03-04 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
14319
14320 Implement Number.prototype.clz()
14321 https://bugs.webkit.org/show_bug.cgi?id=129479
14322
14323 Reviewed by Oliver Hunt.
14324
14325 Implemented Number.prototype.clz() as specified in the ES6 standard.
14326
14327 * runtime/NumberPrototype.cpp:
14328 (JSC::numberProtoFuncClz):
14329
14330 2014-03-03 Joseph Pecoraro <pecoraro@apple.com>
14331
14332 Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
14333 https://bugs.webkit.org/show_bug.cgi?id=129631
14334
14335 Reviewed by Timothy Hatcher.
14336
14337 Avoid deref() too early if a client calls close(). The xpc_connection_close
14338 will cause another XPC_ERROR event to come in from the queue, deref then.
14339 Likewise, protect multithreaded access to m_client. If a client calls
14340 close() we want to immediately clear the pointer to prevent calls to it.
14341
14342 Overall the multi-threading aspects of RemoteInspectorXPCConnection are
14343 growing too complicated for probably little benefit. We may want to
14344 clean this up later.
14345
14346 * inspector/remote/RemoteInspector.mm:
14347 (Inspector::RemoteInspector::xpcConnectionFailed):
14348 * inspector/remote/RemoteInspectorXPCConnection.h:
14349 * inspector/remote/RemoteInspectorXPCConnection.mm:
14350 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
14351 (Inspector::RemoteInspectorXPCConnection::close):
14352 (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
14353 (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
14354 (Inspector::RemoteInspectorXPCConnection::handleEvent):
14355 (Inspector::RemoteInspectorXPCConnection::sendMessage):
14356
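Added example (not the Web Inspector's code) modelling the lifetime bug this entry fixes. A connection hands its event handler a reference at construction; close() tears down the transport, after which the queue still delivers one final invalid-connection event to that handler. Dropping the handler's reference inside close() therefore frees the object before its last callback arrives. The Connection, EventQueue, Client, liveConnections and runScenario names are hypothetical; the queue is a single-threaded stand-in for the XPC dispatch queue (so the m_client locking mentioned above is omitted), and liveConnections is instrumentation that lets the handler recognise a dangling pointer instead of reading freed memory.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <functional>
#include <set>
#include <utility>

enum class Event { Message, ConnectionInvalid };

// Serial queue standing in for the dispatch queue XPC delivers events on.
struct EventQueue {
    std::deque<std::function<void()>> pending;
    void enqueue(std::function<void()> f) { pending.push_back(std::move(f)); }
    void drain() {
        while (!pending.empty()) {
            std::function<void()> f = std::move(pending.front());
            pending.pop_front();
            f();
        }
    }
};

// Registry of live connections so a handler can recognise a dangling pointer
// instead of dereferencing freed memory (instrumentation, hypothetical).
static std::set<const void*> liveConnections;
static int danglingEvents = 0;   // events delivered to an already-destroyed connection

struct Client { int eventsSeen = 0; };

struct Connection {
    EventQueue& queue;
    Client* m_client;
    unsigned refCount = 1;       // the creator's reference
    bool deferDerefToHandler;    // false = buggy close(), true = fixed close()

    Connection(EventQueue& q, Client* client, bool fixed)
        : queue(q), m_client(client), deferDerefToHandler(fixed) {
        liveConnections.insert(this);
        ref();                   // second reference: owned by the event handler
    }
    ~Connection() { liveConnections.erase(this); }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }

    // Closing the transport makes the queue deliver one last ConnectionInvalid.
    void closeTransport() {
        Connection* self = this;
        queue.enqueue([self] { handleEvent(self, Event::ConnectionInvalid); });
    }

    void close() {
        m_client = nullptr;      // stop calling into the client right away
        closeTransport();
        if (!deferDerefToHandler)
            deref();             // BUG: handler's reference dropped before its last event
    }

    // Runs on the queue for every event, including the one queued by close().
    static void handleEvent(Connection* self, Event e) {
        if (!liveConnections.count(self)) {
            ++danglingEvents;    // a real handler would now read freed memory
            return;
        }
        if (self->m_client)
            self->m_client->eventsSeen++;
        if (e == Event::ConnectionInvalid && self->deferDerefToHandler)
            self->deref();       // FIX: the final event releases the handler's reference
    }
};

// The creator opens a connection, one message is already in flight, the creator
// closes and drops its own reference, then the queue drains. Returns how many
// queued events reached a destroyed object.
int runScenario(bool fixed) {
    danglingEvents = 0;
    EventQueue queue;
    Client client;
    Connection* c = new Connection(queue, &client, fixed);
    queue.enqueue([c] { Connection::handleEvent(c, Event::Message); });
    c->close();
    c->deref();
    queue.drain();
    return danglingEvents;
}

std::size_t liveConnectionCount() { return liveConnections.size(); }

int main() {
    std::printf("buggy close(): %d event(s) hit a freed connection\n", runScenario(false));
    std::printf("fixed close(): %d event(s) hit a freed connection, %zu still live\n",
                runScenario(true), liveConnectionCount());
    return 0;
}
```

With the buggy close() both the in-flight message and the final invalid-connection event reach a connection that has already been deleted; with the deferred deref neither does, and the object is still released once the last event has been handled, so the fix trades a use-after-free for no leak.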
14357 2014-03-03 Michael Saboff <msaboff@apple.com>
14358
14359 AbstractMacroAssembler::CachedTempRegister should start out invalid
14360 https://bugs.webkit.org/show_bug.cgi?id=129657
14361
14362 Reviewed by Filip Pizlo.
14363
14364 * assembler/AbstractMacroAssembler.h:
14365 (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
14366 - Invalidate all cached registers in constructor as we don't know the
14367 contents of any register at the entry to the code we are going to
14368 generate.
14369
14370 2014-03-03 Andreas Kling <akling@apple.com>
14371
14372 StructureOrOffset should be fastmalloced.
14373 <https://webkit.org/b/129640>
14374
14375 Reviewed by Geoffrey Garen.
14376
14377 * runtime/StructureIDTable.h:
14378
14379 2014-03-03 Michael Saboff <msaboff@apple.com>
14380
14381 Crash in JIT code while watching a video @ storyboard.tumblr.com
14382 https://bugs.webkit.org/show_bug.cgi?id=129635
14383
14384 Reviewed by Filip Pizlo.
14385
14386 Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
14387 constructor.
14388
14389 * jit/TempRegisterSet.cpp:
14390 (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
14391 * jit/TempRegisterSet.h:
14392 (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
14393 (JSC::TempRegisterSet::clearAll): New private helper.
14394
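Added example (not JavaScriptCore code) modelling the bug fixed above: a register set built from another set by OR-ing bits into storage that was never cleared. The Arena, SourceSet, RegisterSet, buggyCopy and fixedCopy names are hypothetical; the arena stands in for the stack slot or heap block the set lands on and is pre-filled with stale bytes by an earlier allocation so the outcome is deterministic.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

constexpr unsigned kNumRegisters = 16;                 // hypothetical machine with 16 GPRs
constexpr std::size_t kSetBytes = (kNumRegisters + 7) / 8;

// Bump allocator standing in for the stack slot or heap block a set lands on.
// reset() "frees" without scrubbing, so the next allocation sees stale bytes.
struct Arena {
    unsigned char bytes[64] = {};
    std::size_t used = 0;
    unsigned char* allocate(std::size_t n) {
        unsigned char* p = bytes + used;
        used += n;
        return p;
    }
    void reset() { used = 0; }
};

// The set whose membership is being copied.
struct SourceSet {
    bool bit[kNumRegisters] = {};
    void add(unsigned r) { bit[r] = true; }
};

// Bit-vector register set over caller-provided storage.
struct RegisterSet {
    unsigned char* m_set;
    bool contains(unsigned r) const { return (m_set[r / 8] >> (r % 8)) & 1u; }
    void add(unsigned r) { m_set[r / 8] |= static_cast<unsigned char>(1u << (r % 8)); }
    void clearAll() { std::memset(m_set, 0, kSetBytes); }
    unsigned size() const {
        unsigned n = 0;
        for (unsigned r = 0; r < kNumRegisters; ++r)
            n += contains(r);
        return n;
    }
};

// Buggy copy: ORs the wanted bits into whatever the storage already held.
RegisterSet buggyCopy(Arena& arena, const SourceSet& other) {
    RegisterSet s{arena.allocate(kSetBytes)};
    for (unsigned r = 0; r < kNumRegisters; ++r)
        if (other.bit[r]) s.add(r);
    return s;
}

// Fixed copy: clear first, so the result depends only on `other`.
RegisterSet fixedCopy(Arena& arena, const SourceSet& other) {
    RegisterSet s{arena.allocate(kSetBytes)};
    s.clearAll();
    for (unsigned r = 0; r < kNumRegisters; ++r)
        if (other.bit[r]) s.add(r);
    return s;
}

// Copy the set {1, 5} onto storage whose previous occupant left every bit set.
static RegisterSet copyOntoStaleStorage(Arena& arena, bool useFix) {
    std::memset(arena.allocate(kSetBytes), 0xFF, kSetBytes);   // earlier user of the memory
    arena.reset();                                             // freed, not scrubbed
    SourceSet wanted;
    wanted.add(1);
    wanted.add(5);
    return useFix ? fixedCopy(arena, wanted) : buggyCopy(arena, wanted);
}

unsigned copiedSize(bool useFix) {
    Arena arena;
    return copyOntoStaleStorage(arena, useFix).size();
}

bool reportsInUse(bool useFix, unsigned r) {
    Arena arena;
    return copyOntoStaleStorage(arena, useFix).contains(r);
}

int main() {
    std::printf("buggy copy: %u registers reported in use (wanted 2)\n", copiedSize(false));
    std::printf("fixed copy: %u registers reported in use (wanted 2)\n", copiedSize(true));
    return 0;
}
```

With the stale bytes all set, buggyCopy reports every one of the 16 registers as members although only two were requested; a JIT that trusts such a set either refuses to use free registers or, if the stale bits happen to be clear, hands out a register that is still live, which is how the crash above arises. fixedCopy reports exactly the two requested registers whatever the storage held before.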
14395 2014-03-03 Benjamin Poulain <benjamin@webkit.org>
14396
14397 [x86] Improve code generation of byte test
14398 https://bugs.webkit.org/show_bug.cgi?id=129597
14399
14400 Reviewed by Geoffrey Garen.
14401
14402 When possible, test the 8 bit register to itself instead of comparing it
14403 to a literal.
14404
14405 * assembler/MacroAssemblerX86Common.h:
14406 (JSC::MacroAssemblerX86Common::test32):
14407
14408 2014-03-03 Mark Lam <mark.lam@apple.com>
14409
14410 Web Inspector: debugger statements do not break.
14411 <https://webkit.org/b/129524>
14412
14413 Reviewed by Geoff Garen.
14414
14415 Since we no longer call op_debug hooks unless there is a debugger request
14416 made on the CodeBlock, the op_debug for the debugger statement never gets
14417 serviced.
14418
14419 With this fix, we check in the CodeBlock constructor if any debugger
14420 statements are present. If so, we set a m_hasDebuggerStatement flag that
14421 causes the CodeBlock to show as having debugger requests. Hence,
14422 breaking at debugger statements is now restored.
14423
14424 * bytecode/CodeBlock.cpp:
14425 (JSC::CodeBlock::CodeBlock):
14426 * bytecode/CodeBlock.h:
14427 (JSC::CodeBlock::hasDebuggerRequests):
14428 (JSC::CodeBlock::clearDebuggerRequests):
14429
14430 2014-03-03 Mark Lam <mark.lam@apple.com>
14431
14432 ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
14433 <https://webkit.org/b/129393>
14434
14435 Reviewed by Geoffrey Garen.
14436
14437 The issue manifests because the debugger will iterate all CodeBlocks in
14438 the heap when setting / clearing breakpoints, but it is possible for a
14439 CodeBlock to have been instantiated but is not yet registered with the
14440 debugger. This can happen because of the following:
14441
14442 1. DFG worklist compilation is still in progress, and the target
14443 codeBlock is not ready for installation in its executable yet.
14444
14445 2. DFG compilation failed and we have a codeBlock that will never be
14446 installed in its executable, and the codeBlock has not been cleaned
14447 up by the GC yet.
14448
14449 The code for installing the codeBlock in its executable is the same code
14450 that registers it with the debugger. Hence, these codeBlocks are not
14451 registered with the debugger, and any pending breakpoints that would map
14452 to that CodeBlock are as yet unset or will never be set. As such, an
14453 attempt to remove a breakpoint in that CodeBlock will fail that assertion.
14454
14455 To fix this, we do the following:
14456
14457 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
14458 compilation. This is achieved by providing a
14459 DeferredCompilationCallback::compilationDidComplete() that does this
14460 clean up, and have all sub classes call it at the end of their
14461 compilationDidComplete() methods.
14462
14463 2. Before the debugger or profiler iterates CodeBlocks in the heap, they
14464 will wait for all compilations to complete before proceeding. This
14465 ensures that:
14466 1. any zombie CodeBlocks would have been cleaned up, and won't be
14467 seen by the debugger or profiler.
14468 2. all CodeBlocks that the debugger and profiler needs to operate on
14469 will be "ready" for whatever needs to be done to them e.g.
14470 jettison'ing of DFG codeBlocks.
14471
14472 * bytecode/DeferredCompilationCallback.cpp:
14473 (JSC::DeferredCompilationCallback::compilationDidComplete):
14474 * bytecode/DeferredCompilationCallback.h:
14475 - Provide default implementation method to clean up zombie CodeBlocks.
14476
14477 * debugger/Debugger.cpp:
14478 (JSC::Debugger::forEachCodeBlock):
14479 - Utility function to iterate CodeBlocks. It ensures that all compilations
14480 are complete before proceeding.
14481 (JSC::Debugger::setSteppingMode):
14482 (JSC::Debugger::toggleBreakpoint):
14483 (JSC::Debugger::recompileAllJSFunctions):
14484 (JSC::Debugger::clearBreakpoints):
14485 (JSC::Debugger::clearDebuggerRequests):
14486 - Use the utility iterator function.
14487
14488 * debugger/Debugger.h:
14489 * dfg/DFGOperations.cpp:
14490 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
14491
14492 * dfg/DFGPlan.cpp:
14493 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
14494 - Remove unneeded code (that was not the best solution anyway) for ensuring
14495 that we don't generate new DFG codeBlocks after enabling the debugger or
14496 profiler. Now that we wait for compilations to complete before proceeding
14497 with debugger and profiler work, this scenario will never happen.
14498
14499 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
14500 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
14501 - Call the super class method to clean up zombie codeBlocks.
14502
14503 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
14504 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
14505 - Call the super class method to clean up zombie codeBlocks.
14506
14507 * heap/CodeBlockSet.cpp:
14508 (JSC::CodeBlockSet::remove):
14509 * heap/CodeBlockSet.h:
14510 * heap/Heap.h:
14511 (JSC::Heap::removeCodeBlock):
14512 - New method to remove a codeBlock from the codeBlock set.
14513
14514 * jit/JITOperations.cpp:
14515 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
14516
14517 * jit/JITToDFGDeferredCompilationCallback.cpp:
14518 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
14519 - Call the super class method to clean up zombie codeBlocks.
14520
14521 * runtime/VM.cpp:
14522 (JSC::VM::waitForCompilationsToComplete):
14523 - Renamed from prepareToDiscardCode() to be clearer about what it does.
14524
14525 (JSC::VM::discardAllCode):
14526 (JSC::VM::releaseExecutableMemory):
14527 (JSC::VM::setEnabledProfiler):
14528 - Wait for compilation to complete before enabling the profiler.
14529
14530 * runtime/VM.h:
14531
14532 2014-03-03 Brian Burg <bburg@apple.com>
14533
14534 Another unreviewed build fix attempt for Windows after r164986.
14535
14536 We never told Visual Studio to copy over the web replay code generator scripts
14537 and the generated headers for JavaScriptCore replay inputs as if they were
14538 private headers.
14539
14540 * JavaScriptCore.vcxproj/copy-files.cmd:
14541
14542 2014-03-03 Brian Burg <bburg@apple.com>
14543
14544 Web Replay: upstream input storage, capture/replay machinery, and inspector domain
14545 https://bugs.webkit.org/show_bug.cgi?id=128782
14546
14547 Reviewed by Timothy Hatcher.
14548
14549 Alter the replay inputs code generator so that it knows when it is necessary to
14550 include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
14551
14552 * JavaScriptCore.xcodeproj/project.pbxproj:
14553 * replay/scripts/CodeGeneratorReplayInputs.py:
14554 (Framework.fromString):
14555 (Frameworks): Add WTF as an allowed framework for code generation.
14556 (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
14557 (Generator.generate_includes.declaration):
14558 (Generator.generate_includes.or):
14559 (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
14560
14561 2014-03-02 Filip Pizlo <fpizlo@apple.com>
14562
14563 PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
14564 https://bugs.webkit.org/show_bug.cgi?id=129591
14565
14566 Reviewed by Michael Saboff.
14567
14568 * bytecode/PolymorphicPutByIdList.cpp:
14569 (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
14570 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
14571 (JSC::PolymorphicPutByIdList::from):
14572 * bytecode/PolymorphicPutByIdList.h:
14573 (JSC::PutByIdAccess::stubRoutine):
14574 * jit/Repatch.cpp:
14575 (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
14576
14577 2014-03-02 Filip Pizlo <fpizlo@apple.com>
14578
14579 Debugging improvements from my gbemu investigation session
14580 https://bugs.webkit.org/show_bug.cgi?id=129599
14581
14582 Reviewed by Mark Lam.
14583
14584 Various improvements from when I was investigating bug 129411.
14585
14586 * bytecode/CodeBlock.cpp:
14587 (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
14588 * jsc.cpp:
14589 (GlobalObject::finishCreation):
14590 (functionDescribe): Make describe() return a string rather than printing the string.
14591 (functionDescribeArray): Like describe(), but prints details about arrays.
14592
14593 2014-02-25 Andreas Kling <akling@apple.com>
14594
14595 JSDOMWindow::commonVM() should return a reference.
14596 <https://webkit.org/b/129293>
14597
14598 Added a DropAllLocks constructor that takes VM& without null checks.
14599
14600 Reviewed by Geoff Garen.
14601
14602 2014-03-02 Mark Lam <mark.lam@apple.com>
14603
14604 CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
14605 <https://webkit.org/b/129584>
14606
14607 Reviewed by Darin Adler.
14608
14609 * bytecode/CodeBlock.h:
14610 (JSC::CodeBlock::hasDebuggerRequests):
14611
14612 2014-03-02 Mark Lam <mark.lam@apple.com>
14613
14614 Clean up use of Options::enableConcurrentJIT().
14615 <https://webkit.org/b/129582>
14616
14617 Reviewed by Filip Pizlo.
14618
14619 DFG Driver was conditionally checking Options::enableConcurrentJIT()
14620 only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
14621 enableConcurrentJIT set to false.
14622
14623 Instead we should configure Options::enableConcurrentJIT() to be false
14624 in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
14625 check Options::enableConcurrentJIT(). This makes the code read a little
14626 cleaner.
14627
14628 * dfg/DFGDriver.cpp:
14629 (JSC::DFG::compileImpl):
14630 * runtime/Options.cpp:
14631 (JSC::recomputeDependentOptions):
14632
14633 2014-03-01 Filip Pizlo <fpizlo@apple.com>
14634
14635 This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
14636 stress tests.
14637
14638 * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
14639
14640 2014-03-01 Andreas Kling <akling@apple.com>
14641
14642 JSCell::fastGetOwnProperty() should get the Structure more efficiently.
14643 <https://webkit.org/b/129560>
14644
14645 Now that structure() is nontrivial and we have a faster structure(VM&),
14646 make use of that in fastGetOwnProperty() since we already have VM.
14647
14648 Reviewed by Sam Weinig.
14649
14650 * runtime/JSCellInlines.h:
14651 (JSC::JSCell::fastGetOwnProperty):
14652
14653 2014-03-01 Andreas Kling <akling@apple.com>
14654
14655 Avoid going through ExecState for VM when we already have it (in some places.)
14656 <https://webkit.org/b/129554>
14657
14658 Tweak some places that jump through unnecessary hoops to get the VM.
14659 There are many more like this.
14660
14661 Reviewed by Sam Weinig.
14662
14663 * runtime/JSObject.cpp:
14664 (JSC::JSObject::putByIndexBeyondVectorLength):
14665 (JSC::JSObject::putDirectIndexBeyondVectorLength):
14666 * runtime/ObjectPrototype.cpp:
14667 (JSC::objectProtoFuncToString):
14668
14669 2014-02-28 Filip Pizlo <fpizlo@apple.com>
14670
14671 FTL should support PhantomArguments
14672 https://bugs.webkit.org/show_bug.cgi?id=113986
14673
14674 Reviewed by Oliver Hunt.
14675
14676 Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
14677 object into the FTL's OSR exit compiler.
14678
14679 This isn't a speed-up yet, since there is still more to be done to fully support
14680 all of the arguments craziness that our varargs benchmarks do.
14681
14682 * dfg/DFGOSRExitCompiler32_64.cpp:
14683 (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
14684 * dfg/DFGOSRExitCompiler64.cpp:
14685 (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
14686 * dfg/DFGOSRExitCompilerCommon.cpp:
14687 (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
14688 (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
14689 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
14690 * dfg/DFGOSRExitCompilerCommon.h:
14691 * ftl/FTLCapabilities.cpp:
14692 (JSC::FTL::canCompile):
14693 * ftl/FTLExitValue.cpp:
14694 (JSC::FTL::ExitValue::dumpInContext):
14695 * ftl/FTLExitValue.h:
14696 (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
14697 (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
14698 (JSC::FTL::ExitValue::valueFormat):
14699 * ftl/FTLLowerDFGToLLVM.cpp:
14700 (JSC::FTL::LowerDFGToLLVM::compileNode):
14701 (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
14702 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
14703 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
14704 * ftl/FTLOSRExitCompiler.cpp:
14705 (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
14706 * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
14707 * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
14708
147092014-02-28 Filip Pizlo <fpizlo@apple.com>
14710
14711 Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
14712
14713 * dfg/DFGCSEPhase.cpp:
14714 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
14715
147162014-02-28 Andreas Kling <akling@apple.com>
14717
14718 JSObject::findPropertyHashEntry() should take VM instead of ExecState.
14719 <https://webkit.org/b/129529>
14720
14721 Callers already have VM in a local, and findPropertyHashEntry() only
14722 uses the VM, no need to go all the way through ExecState.
14723
14724 Reviewed by Geoffrey Garen.
14725
14726 * runtime/JSObject.cpp:
14727 (JSC::JSObject::put):
14728 (JSC::JSObject::deleteProperty):
14729 (JSC::JSObject::findPropertyHashEntry):
14730 * runtime/JSObject.h:
14731
147322014-02-28 Joseph Pecoraro <pecoraro@apple.com>
14733
14734 Deadlock remotely inspecting iOS Simulator
14735 https://bugs.webkit.org/show_bug.cgi?id=129511
14736
14737 Reviewed by Timothy Hatcher.
14738
14739 Avoid synchronous setup. Do it asynchronously, and let
14740 the RemoteInspector singleton know later if it failed.
14741
14742 * inspector/remote/RemoteInspector.h:
14743 * inspector/remote/RemoteInspector.mm:
14744 (Inspector::RemoteInspector::setupFailed):
14745 * inspector/remote/RemoteInspectorDebuggableConnection.h:
14746 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14747 (Inspector::RemoteInspectorDebuggableConnection::setup):
14748
147492014-02-28 Oliver Hunt <oliver@apple.com>
14750
14751 REGRESSION(r164835): It broke 10 JSC stress tests on 32-bit platforms
14752 https://bugs.webkit.org/show_bug.cgi?id=129488
14753
14754 Reviewed by Mark Lam.
14755
14756 Whoops, modify the right register.
14757
14758 * jit/JITCall32_64.cpp:
14759 (JSC::JIT::compileLoadVarargs):
14760
147612014-02-28 Filip Pizlo <fpizlo@apple.com>
14762
14763 FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
14764 https://bugs.webkit.org/show_bug.cgi?id=129503
14765
14766 Reviewed by Mark Lam.
14767
14768 * ftl/FTLIntrinsicRepository.h:
14769 * ftl/FTLOutput.h:
14770 (JSC::FTL::Output::doubleSin):
14771 (JSC::FTL::Output::doubleCos):
14772 (JSC::FTL::Output::intrinsicOrOperation):
14773
147742014-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
14775
14776 Fix !ENABLE(GGC) builds
14777
14778 * heap/Heap.cpp:
14779 (JSC::Heap::markRoots):
14780 (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
14781
147822014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
14783
14784 Clean up Heap::collect and Heap::markRoots
14785 https://bugs.webkit.org/show_bug.cgi?id=129464
14786
14787 Reviewed by Geoffrey Garen.
14788
14789 These functions have built up a lot of cruft recently.
14790 We should do a bit of cleanup to make them easier to grok.
14791
14792 * heap/Heap.cpp:
14793 (JSC::Heap::finalizeUnconditionalFinalizers):
14794 (JSC::Heap::gatherStackRoots):
14795 (JSC::Heap::gatherJSStackRoots):
14796 (JSC::Heap::gatherScratchBufferRoots):
14797 (JSC::Heap::clearLivenessData):
14798 (JSC::Heap::visitSmallStrings):
14799 (JSC::Heap::visitConservativeRoots):
14800 (JSC::Heap::visitCompilerWorklists):
14801 (JSC::Heap::markProtectedObjects):
14802 (JSC::Heap::markTempSortVectors):
14803 (JSC::Heap::markArgumentBuffers):
14804 (JSC::Heap::visitException):
14805 (JSC::Heap::visitStrongHandles):
14806 (JSC::Heap::visitHandleStack):
14807 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
14808 (JSC::Heap::converge):
14809 (JSC::Heap::visitWeakHandles):
14810 (JSC::Heap::clearRememberedSet):
14811 (JSC::Heap::updateObjectCounts):
14812 (JSC::Heap::resetVisitors):
14813 (JSC::Heap::markRoots):
14814 (JSC::Heap::copyBackingStores):
14815 (JSC::Heap::deleteUnmarkedCompiledCode):
14816 (JSC::Heap::collect):
14817 (JSC::Heap::collectIfNecessaryOrDefer):
14818 (JSC::Heap::suspendCompilerThreads):
14819 (JSC::Heap::willStartCollection):
14820 (JSC::Heap::deleteOldCode):
14821 (JSC::Heap::flushOldStructureIDTables):
14822 (JSC::Heap::flushWriteBarrierBuffer):
14823 (JSC::Heap::stopAllocation):
14824 (JSC::Heap::reapWeakHandles):
14825 (JSC::Heap::sweepArrayBuffers):
14826 (JSC::Heap::snapshotMarkedSpace):
14827 (JSC::Heap::deleteSourceProviderCaches):
14828 (JSC::Heap::notifyIncrementalSweeper):
14829 (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
14830 (JSC::Heap::resetAllocators):
14831 (JSC::Heap::updateAllocationLimits):
14832 (JSC::Heap::didFinishCollection):
14833 (JSC::Heap::resumeCompilerThreads):
14834 * heap/Heap.h:
14835
148362014-02-27 Ryosuke Niwa <rniwa@webkit.org>
14837
14838 indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
14839 https://bugs.webkit.org/show_bug.cgi?id=129466
14840
14841 Reviewed by Michael Saboff.
14842
14843 Refactored the code to avoid calling JSString::value when needle is longer than haystack.
14844
14845 * runtime/StringPrototype.cpp:
14846 (JSC::stringProtoFuncIndexOf):
14847 (JSC::stringProtoFuncLastIndexOf):
14848
148492014-02-27 Timothy Hatcher <timothy@apple.com>
14850
14851 Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
14852
14853 https://bugs.webkit.org/show_bug.cgi?id=129458
14854
14855 Reviewed by Joseph Pecoraro.
14856
14857 * inspector/ContentSearchUtilities.cpp:
14858 (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
14859 (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
14860 line ending type and don't try to strip the line ending. Use size_t.
14861 (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
14862 This will include the line ending in the lines, but that is okay.
14863 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
14864 (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
14865
148662014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14867
14868 [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
14869 https://bugs.webkit.org/show_bug.cgi?id=129446
14870
14871 Reviewed by Timothy Hatcher.
14872
14873 Remove duplicate header entries in Copy Header build phase.
14874
14875 * JavaScriptCore.xcodeproj/project.pbxproj:
14876
148772014-02-27 Oliver Hunt <oliver@apple.com>
14878
14879 Whoops, include all of last patch.
14880
14881 * jit/JITCall32_64.cpp:
14882 (JSC::JIT::compileLoadVarargs):
14883
148842014-02-27 Oliver Hunt <oliver@apple.com>
14885
14886 Slow cases for function.apply and function.call should not require vm re-entry
14887 https://bugs.webkit.org/show_bug.cgi?id=129454
14888
14889 Reviewed by Geoffrey Garen.
14890
14891 Implement call and apply using builtins. Happily, the use
14892 of @call and @apply doesn't perform function equality checks
14893 and just plants direct var_args calls. This did expose a few
14894 codegen issues, but they're all covered by existing tests
14895 once call and apply are implemented in JS.
14896
14897 * JavaScriptCore.xcodeproj/project.pbxproj:
14898 * builtins/Function.prototype.js: Added.
14899 (call):
14900 (apply):
14901 * bytecompiler/NodesCodegen.cpp:
14902 (JSC::CallFunctionCallDotNode::emitBytecode):
14903 (JSC::ApplyFunctionCallDotNode::emitBytecode):
14904 * dfg/DFGCapabilities.cpp:
14905 (JSC::DFG::capabilityLevel):
14906 * interpreter/Interpreter.cpp:
14907 (JSC::sizeFrameForVarargs):
14908 (JSC::loadVarargs):
14909 * interpreter/Interpreter.h:
14910 * jit/JITCall.cpp:
14911 (JSC::JIT::compileLoadVarargs):
14912 * parser/ASTBuilder.h:
14913 (JSC::ASTBuilder::makeFunctionCallNode):
14914 * parser/Lexer.cpp:
14915 (JSC::isSafeBuiltinIdentifier):
14916 * runtime/CommonIdentifiers.h:
14917 * runtime/FunctionPrototype.cpp:
14918 (JSC::FunctionPrototype::addFunctionProperties):
14919 * runtime/JSObject.cpp:
14920 (JSC::JSObject::putDirectBuiltinFunction):
14921 (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
14922 * runtime/JSObject.h:
14923
149242014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14925
14926 Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
14927 https://bugs.webkit.org/show_bug.cgi?id=129443
14928
14929 Reviewed by Timothy Hatcher.
14930
14931 This queue is specific to the JSContext debuggable connections;
14932 there is no XPC involved. Give it a better name.
14933
14934 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14935 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
14936
149372014-02-27 David Kilzer <ddkilzer@apple.com>
14938
14939 Remove jsc symlink if it already exists
14940
14941 This is a follow-up fix for:
14942
14943 Create symlink to /usr/local/bin/jsc during installation
14944 <http://webkit.org/b/129399>
14945 <rdar://problem/16168734>
14946
14947 * JavaScriptCore.xcodeproj/project.pbxproj:
14948 (Create /usr/local/bin/jsc symlink): If a jsc symlink already
14949 exists where we're about to create the symlink, remove the old
14950 one first.
14951
149522014-02-27 Michael Saboff <msaboff@apple.com>
14953
14954 Unreviewed build fix for Mac tools after r164814
14955
14956 * Configurations/ToolExecutable.xcconfig:
14957 - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
14958 * JavaScriptCore.xcodeproj/project.pbxproj:
14959 - Changed productName to testRegExp for testRegExp target.
14960
149612014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14962
14963 Web Inspector: JSContext inspection should report exceptions in the console
14964 https://bugs.webkit.org/show_bug.cgi?id=128776
14965
14966 Reviewed by Timothy Hatcher.
14967
14968 When JavaScript API functions have an exception, let the inspector
14969 know so it can log the JavaScript and Native backtrace that caused
14970 the exception.
14971
14972 Include some clean up of ConsoleMessage and ScriptCallStack construction.
14973
14974 * API/JSBase.cpp:
14975 (JSEvaluateScript):
14976 (JSCheckScriptSyntax):
14977 * API/JSObjectRef.cpp:
14978 (JSObjectMakeFunction):
14979 (JSObjectMakeArray):
14980 (JSObjectMakeDate):
14981 (JSObjectMakeError):
14982 (JSObjectMakeRegExp):
14983 (JSObjectGetProperty):
14984 (JSObjectSetProperty):
14985 (JSObjectGetPropertyAtIndex):
14986 (JSObjectSetPropertyAtIndex):
14987 (JSObjectDeleteProperty):
14988 (JSObjectCallAsFunction):
14989 (JSObjectCallAsConstructor):
14990 * API/JSValue.mm:
14991 (reportExceptionToInspector):
14992 (valueToArray):
14993 (valueToDictionary):
14994 * API/JSValueRef.cpp:
14995 (JSValueIsEqual):
14996 (JSValueIsInstanceOfConstructor):
14997 (JSValueCreateJSONString):
14998 (JSValueToNumber):
14999 (JSValueToStringCopy):
15000 (JSValueToObject):
15001 When seeing an exception, let the inspector know there was an exception.
15002
15003 * inspector/JSGlobalObjectInspectorController.h:
15004 * inspector/JSGlobalObjectInspectorController.cpp:
15005 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
15006 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
15007 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
15008 Log API exceptions by also grabbing the native backtrace.
15009
15010 * inspector/ScriptCallStack.h:
15011 * inspector/ScriptCallStack.cpp:
15012 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
15013 (Inspector::ScriptCallStack::append):
15014 Minor extensions to ScriptCallStack to make it easier to work with.
15015
15016 * inspector/ConsoleMessage.cpp:
15017 (Inspector::ConsoleMessage::ConsoleMessage):
15018 (Inspector::ConsoleMessage::autogenerateMetadata):
15019 Provide better default information if the first call frame was native.
15020
15021 * inspector/ScriptCallStackFactory.cpp:
15022 (Inspector::createScriptCallStack):
15023 (Inspector::extractSourceInformationFromException):
15024 (Inspector::createScriptCallStackFromException):
15025 Perform the handling here of inserting a fake call frame for exceptions
15026 if there was no call stack (e.g. a SyntaxError) or if the first call
15027 frame had no information.
15028
15029 * inspector/ConsoleMessage.cpp:
15030 (Inspector::ConsoleMessage::ConsoleMessage):
15031 (Inspector::ConsoleMessage::autogenerateMetadata):
15032 * inspector/ConsoleMessage.h:
15033 * inspector/ScriptCallStackFactory.cpp:
15034 (Inspector::createScriptCallStack):
15035 (Inspector::createScriptCallStackForConsole):
15036 * inspector/ScriptCallStackFactory.h:
15037 * inspector/agents/InspectorConsoleAgent.cpp:
15038 (Inspector::InspectorConsoleAgent::enable):
15039 (Inspector::InspectorConsoleAgent::addMessageToConsole):
15040 (Inspector::InspectorConsoleAgent::count):
15041 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
15042 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
15043 ConsoleMessage cleanup.
15044
150452014-02-27 David Kilzer <ddkilzer@apple.com>
15046
15047 Create symlink to /usr/local/bin/jsc during installation
15048 <http://webkit.org/b/129399>
15049 <rdar://problem/16168734>
15050
15051 Reviewed by Dan Bernstein.
15052
15053 * JavaScriptCore.xcodeproj/project.pbxproj:
15054 - Add "Create /usr/local/bin/jsc symlink" build phase script to
15055 create the symlink during installation.
15056
150572014-02-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
15058
15059 Math.{max, min}() must not return after first NaN value
15060 https://bugs.webkit.org/show_bug.cgi?id=104147
15061
15062 Reviewed by Oliver Hunt.
15063
15064 According to the spec, ToNumber is going to be called on each argument
15065 even if a `NaN` value was already found.
15066
15067 * runtime/MathObject.cpp:
15068 (JSC::mathProtoFuncMax):
15069 (JSC::mathProtoFuncMin):
15070
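An added example, not code from the JavaScriptCore entry above: a JavaScript check that makes the ToNumber calls observable through valueOf() and compares the early-return pattern this entry fixes against a spec-following reference. The names countConversions, earlyReturnMax, specMax, specMin and compare belong to this example, not to JSC.

```javascript
// Added example (not JavaScriptCore code). Math.max/Math.min must run
// ToNumber on every argument, so an engine must not return at the first
// NaN; the valueOf() side effects of the remaining arguments are observable.

// Wraps each sample value in an object whose valueOf() records the call,
// so each ToNumber conversion performed by fn is counted.
function countConversions(fn, values) {
  let calls = 0;
  const args = values.map(v => ({ valueOf() { calls += 1; return v; } }));
  const result = fn(...args);
  return { calls, result };
}

// The pre-fix pattern this entry describes: converting lazily and bailing
// out at the first NaN skips ToNumber on the remaining arguments.
function earlyReturnMax(...args) {
  let result = -Infinity;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) return NaN; // remaining valueOf() calls never happen
    if (n > result) result = n;
  }
  return result;
}

// Spec-following reference: convert every argument first, in order, and
// only then decide the result (NaN still wins, +0 is treated as larger than -0).
function specMax(...args) {
  const nums = args.map(Number); // ToNumber on every argument, in order
  let result = -Infinity;
  for (const n of nums) {
    if (Number.isNaN(n)) return NaN;
    if (n > result || (n === 0 && result === 0 && Object.is(result, -0))) result = n;
  }
  return result;
}

// Same shape for min: convert everything, then -0 is treated as smaller than +0.
function specMin(...args) {
  const nums = args.map(Number);
  let result = Infinity;
  for (const n of nums) {
    if (Number.isNaN(n)) return NaN;
    if (n < result || (n === 0 && result === 0 && Object.is(n, -0))) result = n;
  }
  return result;
}

// Constructed input: NaN first, so the two behaviours differ in how many
// conversions happen. A conforming engine's Math.max matches specMax.
function compare() {
  const values = [NaN, 1, 2];
  return {
    buggy: countConversions(earlyReturnMax, values).calls, // 1
    spec: countConversions(specMax, values).calls,         // 3
    engine: countConversions(Math.max, values).calls,      // 3 in a conforming engine
  };
}
```
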
150712014-02-27 Gergo Balogh <gbalogh.u-szeged@partner.samsung.com>
15072
15073 JSType upper limit (0xff) assertion can be removed.
15074 https://bugs.webkit.org/show_bug.cgi?id=129424
15075
15076 Reviewed by Geoffrey Garen.
15077
15078 * runtime/JSTypeInfo.h:
15079 (JSC::TypeInfo::TypeInfo):
15080
150812014-02-26 Michael Saboff <msaboff@apple.com>
15082
15083 Auto generate bytecode information for bytecode parser and LLInt
15084 https://bugs.webkit.org/show_bug.cgi?id=129181
15085
15086 Reviewed by Mark Lam.
15087
15088 Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
15089 helpers. It also includes bytecode length and other information used to generate files.
15090 Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
15091 in DerivedSources/JavaScriptCore/.
15092
15093 Added the generation of these files to the "DerivedSource" build step.
15094 Slightly changed the build order, since the Bytecodes.h file is needed by
15095 JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
15096 to be run after JSCLLIntOffsetsExtractor.
15097
15098 Made related changes to OPCODE macros and their use.
15099
15100 Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
15101 jsc to resolve Mac build issue.
15102
15103 * CMakeLists.txt:
15104 * Configurations/JSC.xcconfig:
15105 * DerivedSources.make:
15106 * GNUmakefile.am:
15107 * GNUmakefile.list.am:
15108 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
15109 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
15110 * JavaScriptCore.vcxproj/copy-files.cmd:
15111 * JavaScriptCore.xcodeproj/project.pbxproj:
15112 * bytecode/Opcode.h:
15113 (JSC::padOpcodeName):
15114 * llint/LLIntCLoop.cpp:
15115 (JSC::LLInt::CLoop::initialize):
15116 * llint/LLIntCLoop.h:
15117 * llint/LLIntData.cpp:
15118 (JSC::LLInt::initialize):
15119 * llint/LLIntOpcode.h:
15120 * llint/LowLevelInterpreter.asm:
15121
151222014-02-27 Julien Brianceau <jbriance@cisco.com>
15123
15124 Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
15125 https://bugs.webkit.org/show_bug.cgi?id=129420
15126
15127 Reviewed by Geoffrey Garen.
15128
15129 * dfg/DFGSpeculativeJIT.h:
15130 (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
15131 Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
15132
151332014-02-27 Filip Pizlo <fpizlo@apple.com>
15134
15135 Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
15136 https://bugs.webkit.org/show_bug.cgi?id=129435
15137
15138 Reviewed by Oliver Hunt.
15139
15140 This is a 5-10% speed-up on Octane/closure.
15141
15142 * interpreter/Interpreter.cpp:
15143 (JSC::Interpreter::execute):
15144 * jsc.cpp:
15145 (GlobalObject::finishCreation):
15146 (functionClearCodeCache):
15147 * runtime/BatchedTransitionOptimizer.h:
15148 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
15149 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
15150
151512014-02-27 Alexey Proskuryakov <ap@apple.com>
15152
15153 Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
15154
15155 * inspector/scripts: Added property svn:ignore.
15156 * replay/scripts: Added property svn:ignore.
15157
151582014-02-27 Gabor Rapcsanyi <rgabor@webkit.org>
15159
15160 r164764 broke the ARM build
15161 https://bugs.webkit.org/show_bug.cgi?id=129415
15162
15163 Reviewed by Zoltan Herczeg.
15164
15165 * assembler/MacroAssemblerARM.h:
15166 (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
15167 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
15168 (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
15169 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
15170
151712014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
15172
15173 r164764 broke the ARM build
15174 https://bugs.webkit.org/show_bug.cgi?id=129415
15175
15176 Reviewed by Geoffrey Garen.
15177
15178 * assembler/MacroAssemblerARM.h:
15179 (JSC::MacroAssemblerARM::moveWithPatch):
15180
151812014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
15182
15183 r164764 broke the ARM build
15184 https://bugs.webkit.org/show_bug.cgi?id=129415
15185
15186 Reviewed by Geoffrey Garen.
15187
15188 * assembler/MacroAssemblerARM.h:
15189 (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
15190
151912014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
15192
15193 EFL build fix
15194
15195 * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
15196 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
15197 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
15198
151992014-02-25 Mark Hahnenberg <mhahnenberg@apple.com>
15200
15201 Make JSCells have 32-bit Structure pointers
15202 https://bugs.webkit.org/show_bug.cgi?id=123195
15203
15204 Reviewed by Filip Pizlo.
15205
15206 This patch changes JSCells such that they no longer have a full 64-bit Structure
15207 pointer in their header. Instead they now have a 32-bit index into
15208 a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
15209 pointers.
15210
15211 This change frees up an additional 32 bits of information in our object headers.
15212 We then use this extra space to store the indexing type of the object, the JSType
15213 of the object, some various type flags, and garbage collection data (e.g. mark bit).
15214 Because this inline type information is now faster to read, it pays for the slowdown
15215 incurred by having to perform an extra indirection through the StructureIDTable.
15216
15217 This patch also threads a reference to the current VM through more of the C++ runtime
15218 to offset the cost of having to look up the VM to get the actual Structure pointer.
15219
15220 * API/JSContext.mm:
15221 (-[JSContext setException:]):
15222 (-[JSContext wrapperForObjCObject:]):
15223 (-[JSContext wrapperForJSObject:]):
15224 * API/JSContextRef.cpp:
15225 (JSContextGroupRelease):
15226 (JSGlobalContextRelease):
15227 * API/JSObjectRef.cpp:
15228 (JSObjectIsFunction):
15229 (JSObjectCopyPropertyNames):
15230 * API/JSValue.mm:
15231 (containerValueToObject):
15232 * API/JSWrapperMap.mm:
15233 (tryUnwrapObjcObject):
15234 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
15235 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
15236 * JavaScriptCore.xcodeproj/project.pbxproj:
15237 * assembler/AbstractMacroAssembler.h:
15238 * assembler/MacroAssembler.h:
15239 (JSC::MacroAssembler::patchableBranch32WithPatch):
15240 (JSC::MacroAssembler::patchableBranch32):
15241 * assembler/MacroAssemblerARM64.h:
15242 (JSC::MacroAssemblerARM64::branchPtrWithPatch):
15243 (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
15244 (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
15245 (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
15246 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
15247 * assembler/MacroAssemblerARMv7.h:
15248 (JSC::MacroAssemblerARMv7::store8):
15249 (JSC::MacroAssemblerARMv7::branch32WithPatch):
15250 (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
15251 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
15252 (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
15253 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
15254 * assembler/MacroAssemblerX86.h:
15255 (JSC::MacroAssemblerX86::branch32WithPatch):
15256 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
15257 (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
15258 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
15259 * assembler/MacroAssemblerX86_64.h:
15260 (JSC::MacroAssemblerX86_64::store32):
15261 (JSC::MacroAssemblerX86_64::moveWithPatch):
15262 (JSC::MacroAssemblerX86_64::branch32WithPatch):
15263 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
15264 (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
15265 (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
15266 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
15267 * assembler/RepatchBuffer.h:
15268 (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
15269 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
15270 * assembler/X86Assembler.h:
15271 (JSC::X86Assembler::revertJumpTo_movq_i64r):
15272 (JSC::X86Assembler::revertJumpTo_movl_i32r):
15273 * bytecode/ArrayProfile.cpp:
15274 (JSC::ArrayProfile::computeUpdatedPrediction):
15275 * bytecode/ArrayProfile.h:
15276 (JSC::ArrayProfile::ArrayProfile):
15277 (JSC::ArrayProfile::addressOfLastSeenStructureID):
15278 (JSC::ArrayProfile::observeStructure):
15279 * bytecode/CodeBlock.h:
15280 (JSC::CodeBlock::heap):
15281 * bytecode/UnlinkedCodeBlock.h:
15282 * debugger/Debugger.h:
15283 * dfg/DFGAbstractHeap.h:
15284 * dfg/DFGArrayifySlowPathGenerator.h:
15285 * dfg/DFGClobberize.h:
15286 (JSC::DFG::clobberize):
15287 * dfg/DFGJITCompiler.h:
15288 (JSC::DFG::JITCompiler::branchWeakStructure):
15289 (JSC::DFG::JITCompiler::branchStructurePtr):
15290 * dfg/DFGOSRExitCompiler32_64.cpp:
15291 (JSC::DFG::OSRExitCompiler::compileExit):
15292 * dfg/DFGOSRExitCompiler64.cpp:
15293 (JSC::DFG::OSRExitCompiler::compileExit):
15294 * dfg/DFGOSRExitCompilerCommon.cpp:
15295 (JSC::DFG::osrWriteBarrier):
15296 (JSC::DFG::adjustAndJumpToTarget):
15297 * dfg/DFGOperations.cpp:
15298 (JSC::DFG::putByVal):
15299 * dfg/DFGSpeculativeJIT.cpp:
15300 (JSC::DFG::SpeculativeJIT::checkArray):
15301 (JSC::DFG::SpeculativeJIT::arrayify):
15302 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
15303 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
15304 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
15305 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
15306 (JSC::DFG::SpeculativeJIT::speculateObject):
15307 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
15308 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
15309 (JSC::DFG::SpeculativeJIT::speculateString):
15310 (JSC::DFG::SpeculativeJIT::speculateStringObject):
15311 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
15312 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
15313 (JSC::DFG::SpeculativeJIT::emitSwitchString):
15314 (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
15315 (JSC::DFG::SpeculativeJIT::writeBarrier):
15316 * dfg/DFGSpeculativeJIT.h:
15317 (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
15318 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
15319 * dfg/DFGSpeculativeJIT32_64.cpp:
15320 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
15321 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
15322 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
15323 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
15324 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
15325 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
15326 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
15327 (JSC::DFG::SpeculativeJIT::compile):
15328 (JSC::DFG::SpeculativeJIT::writeBarrier):
15329 * dfg/DFGSpeculativeJIT64.cpp:
15330 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
15331 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
15332 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
15333 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
15334 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
15335 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
15336 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
15337 (JSC::DFG::SpeculativeJIT::compile):
15338 (JSC::DFG::SpeculativeJIT::writeBarrier):
15339 * dfg/DFGWorklist.cpp:
15340 * ftl/FTLAbstractHeapRepository.cpp:
15341 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
15342 * ftl/FTLAbstractHeapRepository.h:
15343 * ftl/FTLLowerDFGToLLVM.cpp:
15344 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
15345 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
15346 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
15347 (JSC::FTL::LowerDFGToLLVM::compileToString):
15348 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
15349 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
15350 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
15351 (JSC::FTL::LowerDFGToLLVM::allocateCell):
15352 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
15353 (JSC::FTL::LowerDFGToLLVM::isObject):
15354 (JSC::FTL::LowerDFGToLLVM::isString):
15355 (JSC::FTL::LowerDFGToLLVM::isArrayType):
15356 (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
15357 (JSC::FTL::LowerDFGToLLVM::isType):
15358 (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
15359 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
15360 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
15361 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
15362 (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
15363 (JSC::FTL::LowerDFGToLLVM::loadStructure):
15364 (JSC::FTL::LowerDFGToLLVM::weakStructure):
15365 * ftl/FTLOSRExitCompiler.cpp:
15366 (JSC::FTL::compileStub):
15367 * ftl/FTLOutput.h:
15368 (JSC::FTL::Output::store8):
15369 * heap/GCAssertions.h:
15370 * heap/Heap.cpp:
15371 (JSC::Heap::getConservativeRegisterRoots):
15372 (JSC::Heap::collect):
15373 (JSC::Heap::writeBarrier):
15374 * heap/Heap.h:
15375 (JSC::Heap::structureIDTable):
15376 * heap/MarkedSpace.h:
15377 (JSC::MarkedSpace::forEachBlock):
15378 * heap/SlotVisitorInlines.h:
15379 (JSC::SlotVisitor::internalAppend):
15380 * jit/AssemblyHelpers.h:
15381 (JSC::AssemblyHelpers::branchIfCellNotObject):
15382 (JSC::AssemblyHelpers::genericWriteBarrier):
15383 (JSC::AssemblyHelpers::emitLoadStructure):
15384 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
15385 * jit/JIT.h:
15386 * jit/JITCall.cpp:
15387 (JSC::JIT::compileOpCall):
15388 (JSC::JIT::privateCompileClosureCall):
15389 * jit/JITCall32_64.cpp:
15390 (JSC::JIT::emit_op_ret_object_or_this):
15391 (JSC::JIT::compileOpCall):
15392 (JSC::JIT::privateCompileClosureCall):
15393 * jit/JITInlineCacheGenerator.cpp:
15394 (JSC::JITByIdGenerator::generateFastPathChecks):
15395 * jit/JITInlineCacheGenerator.h:
15396 * jit/JITInlines.h:
15397 (JSC::JIT::emitLoadCharacterString):
15398 (JSC::JIT::checkStructure):
15399 (JSC::JIT::emitJumpIfCellNotObject):
15400 (JSC::JIT::emitAllocateJSObject):
15401 (JSC::JIT::emitArrayProfilingSiteWithCell):
15402 (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
15403 (JSC::JIT::branchStructure):
15404 (JSC::branchStructure):
15405 * jit/JITOpcodes.cpp:
15406 (JSC::JIT::emit_op_check_has_instance):
15407 (JSC::JIT::emit_op_instanceof):
15408 (JSC::JIT::emit_op_is_undefined):
15409 (JSC::JIT::emit_op_is_string):
15410 (JSC::JIT::emit_op_ret_object_or_this):
15411 (JSC::JIT::emit_op_to_primitive):
15412 (JSC::JIT::emit_op_jeq_null):
15413 (JSC::JIT::emit_op_jneq_null):
15414 (JSC::JIT::emit_op_get_pnames):
15415 (JSC::JIT::emit_op_next_pname):
15416 (JSC::JIT::emit_op_eq_null):
15417 (JSC::JIT::emit_op_neq_null):
15418 (JSC::JIT::emit_op_to_this):
15419 (JSC::JIT::emitSlow_op_to_this):
15420 * jit/JITOpcodes32_64.cpp:
15421 (JSC::JIT::emit_op_check_has_instance):
15422 (JSC::JIT::emit_op_instanceof):
15423 (JSC::JIT::emit_op_is_undefined):
15424 (JSC::JIT::emit_op_is_string):
15425 (JSC::JIT::emit_op_to_primitive):
15426 (JSC::JIT::emit_op_jeq_null):
15427 (JSC::JIT::emit_op_jneq_null):
15428 (JSC::JIT::emitSlow_op_eq):
15429 (JSC::JIT::emitSlow_op_neq):
15430 (JSC::JIT::compileOpStrictEq):
15431 (JSC::JIT::emit_op_eq_null):
15432 (JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_next_pname):
(JSC::JIT::emit_op_to_this):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_by_pname):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::checkMarkWord):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::addStructureTransitionCheck):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_pname):
(JSC::JIT::emitLoadWithStructureCheck):
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitJumpIfNotType):
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::addStructureTransitionCheck):
(JSC::replaceWithJump):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::writeBarrier):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadJSStringArgument):
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* jit/ThunkGenerators.cpp:
(JSC::virtualForThunkGenerator):
(JSC::arrayIteratorNextThunkGenerator):
* jit/UnusedPointer.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Arguments.cpp:
(JSC::Arguments::createStrictModeCallerIfNecessary):
(JSC::Arguments::createStrictModeCalleeIfNecessary):
* runtime/Arguments.h:
(JSC::Arguments::createStructure):
* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncReverse):
(JSC::performSlowSort):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/Executable.h:
(JSC::ExecutableBase::isFunctionExecutable):
(JSC::ExecutableBase::clearCodeVirtual):
(JSC::ScriptExecutable::unlinkCalls):
* runtime/GetterSetter.cpp:
(JSC::callGetter):
(JSC::callSetter):
* runtime/InitializeThreading.cpp:
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::sortNumericVector):
(JSC::JSArray::sortNumeric):
(JSC::JSArray::sortCompactedVector):
(JSC::JSArray::sort):
(JSC::JSArray::sortVector):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
(JSC::JSArray::compactForSorting):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toThis):
(JSC::JSValue::put):
(JSC::JSValue::putByIndex):
(JSC::JSValue::equalSlowCaseInline):
* runtime/JSCell.cpp:
(JSC::JSCell::put):
(JSC::JSCell::putByIndex):
(JSC::JSCell::deleteProperty):
(JSC::JSCell::deletePropertyByIndex):
* runtime/JSCell.h:
(JSC::JSCell::clearStructure):
(JSC::JSCell::mark):
(JSC::JSCell::isMarked):
(JSC::JSCell::structureIDOffset):
(JSC::JSCell::typeInfoFlagsOffset):
(JSC::JSCell::typeInfoTypeOffset):
(JSC::JSCell::indexingTypeOffset):
(JSC::JSCell::gcDataOffset):
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
(JSC::JSCell::finishCreation):
(JSC::JSCell::type):
(JSC::JSCell::indexingType):
(JSC::JSCell::structure):
(JSC::JSCell::visitChildren):
(JSC::JSCell::isObject):
(JSC::JSCell::isString):
(JSC::JSCell::isGetterSetter):
(JSC::JSCell::isProxy):
(JSC::JSCell::isAPIValueWrapper):
(JSC::JSCell::setStructure):
(JSC::JSCell::methodTable):
(JSC::Heap::writeBarrier):
* runtime/JSDataView.cpp:
(JSC::JSDataView::createStructure):
* runtime/JSDestructibleObject.h:
(JSC::JSCell::classInfo):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::createStructure):
* runtime/JSObject.cpp:
(JSC::getCallableObjectSlow):
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitButterfly):
(JSC::JSFinalObject::visitChildren):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::put):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::genericConvertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::ensureInt32Slow):
(JSC::JSObject::ensureDoubleSlow):
(JSC::JSObject::ensureContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::setPrototype):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getPrimitiveNumber):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getPropertySpecificValue):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::seal):
(JSC::JSObject::freeze):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::JSObject::removeDirect):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::growOutOfLineStorage):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::putDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
* runtime/JSObject.h:
(JSC::getJSFunction):
(JSC::JSObject::getArrayLength):
(JSC::JSObject::getVectorLength):
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly):
(JSC::JSObject::getDirectIndex):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::canSetIndexQuicklyForPutDirect):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::hasSparseMap):
(JSC::JSObject::inSparseIndexingMode):
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectOffset):
(JSC::JSObject::isSealed):
(JSC::JSObject::isFrozen):
(JSC::JSObject::flattenDictionaryObject):
(JSC::JSObject::ensureInt32):
(JSC::JSObject::ensureDouble):
(JSC::JSObject::ensureContiguous):
(JSC::JSObject::rageEnsureContiguous):
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::arrayStorage):
(JSC::JSObject::arrayStorageOrNull):
(JSC::JSObject::ensureLength):
(JSC::JSObject::currentIndexingData):
(JSC::JSObject::getHolyIndexQuickly):
(JSC::JSObject::currentRelevantLength):
(JSC::JSObject::isGlobalObject):
(JSC::JSObject::isVariableObject):
(JSC::JSObject::isStaticScopeObject):
(JSC::JSObject::isNameScopeObject):
(JSC::JSObject::isActivationObject):
(JSC::JSObject::isErrorInstance):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::fastGetOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSProxy.cpp:
(JSC::JSProxy::getOwnPropertySlot):
(JSC::JSProxy::getOwnPropertySlotByIndex):
(JSC::JSProxy::put):
(JSC::JSProxy::putByIndex):
(JSC::JSProxy::defineOwnProperty):
(JSC::JSProxy::deleteProperty):
(JSC::JSProxy::deletePropertyByIndex):
(JSC::JSProxy::getPropertyNames):
(JSC::JSProxy::getOwnPropertyNames):
* runtime/JSScope.cpp:
(JSC::JSScope::objectAtScope):
* runtime/JSString.h:
(JSC::JSString::createStructure):
(JSC::isJSString):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::isObject):
(JSC::TypeInfo::structureIsImmortal):
(JSC::TypeInfo::zeroedGCDataOffset):
(JSC::TypeInfo::inlineTypeFlags):
* runtime/MapData.h:
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyNames):
(JSC::objectConstructorKeys):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncToString):
* runtime/Operations.cpp:
(JSC::jsTypeStringForValue):
(JSC::jsIsObjectType):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):
(JSC::normalizePrototypeChain):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.h:
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::~Structure):
(JSC::Structure::prototypeChainMayInterceptStoreTo):
* runtime/Structure.h:
(JSC::Structure::id):
(JSC::Structure::idBlob):
(JSC::Structure::objectInitializationFields):
(JSC::Structure::structureIDOffset):
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureIDTable.cpp: Added.
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::~StructureIDTable):
(JSC::StructureIDTable::resize):
(JSC::StructureIDTable::flushOldTables):
(JSC::StructureIDTable::allocateID):
(JSC::StructureIDTable::deallocateID):
* runtime/StructureIDTable.h: Added.
(JSC::StructureIDTable::base):
(JSC::StructureIDTable::get):
* runtime/SymbolTable.h:
* runtime/TypedArrayType.cpp:
(JSC::typeForTypedArrayType):
* runtime/TypedArrayType.h:
* runtime/WeakMapData.h:

2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>

Unconditional logging in compileFTLOSRExit
https://bugs.webkit.org/show_bug.cgi?id=129407

Reviewed by Michael Saboff.

This was causing tests to fail with the FTL enabled.

* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):

2014-02-26 Oliver Hunt <oliver@apple.com>

Remove unused access types
https://bugs.webkit.org/show_bug.cgi?id=129385

Reviewed by Filip Pizlo.

Remove unused cruft.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
* bytecode/StructureStubInfo.h:
(JSC::isGetByIdAccess):
(JSC::isPutByIdAccess):

2014-02-26 Oliver Hunt <oliver@apple.com>

Function.prototype.apply has a bad time with the spread operator
https://bugs.webkit.org/show_bug.cgi?id=129381

Reviewed by Mark Hahnenberg.

Make sure our apply logic handles the spread operator correctly.
To do this we simply emit the enumeration logic that we'd normally
use for other enumerations, but only store the first two results
to registers. Then perform a varargs call.

* bytecompiler/NodesCodegen.cpp:
(JSC::ApplyFunctionCallDotNode::emitBytecode):

2014-02-26 Mark Lam <mark.lam@apple.com>

Compilation policy management belongs in operationOptimize(), not the DFG Driver.
<https://webkit.org/b/129355>

Reviewed by Filip Pizlo.

By compilation policy, I mean the rules for determining whether to
compile, when to compile, when to attempt compilation again, etc. The
few of these policy decisions that were previously being made in the
DFG driver are now moved to operationOptimize() where we keep the rest
of the policy logic. Decisions that are based on the capabilities
supported by the DFG are moved to DFG capabilityLevel().

I've run the following benchmarks:
1. the collection of jsc benchmarks on the jsc executable vs. its
   baseline.
2. Octane 2.0 in browser without the WebInspector.
3. Octane 2.0 in browser with the WebInspector open and a breakpoint
   set somewhere where it won't break.

In all of these, the results came out to be a wash as expected.

* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupported):
(JSC::DFG::mightCompileEval):
(JSC::DFG::mightCompileProgram):
(JSC::DFG::mightCompileFunctionForCall):
(JSC::DFG::mightCompileFunctionForConstruct):
(JSC::DFG::mightInlineFunctionForCall):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::mightInlineFunctionForConstruct):
* dfg/DFGCapabilities.h:
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* jit/JITOperations.cpp:

2014-02-26 Mark Lam <mark.lam@apple.com>

ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
<https://webkit.org/b/129364>

Reviewed by Alexey Proskuryakov.

InjectedScriptModule::ensureInjected() needs an APIEntryShim.

* inspector/InjectedScriptModule.cpp:
(Inspector::InjectedScriptModule::ensureInjected):
- Added the needed but missing APIEntryShim.

2014-02-25 Mark Lam <mark.lam@apple.com>

Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
<https://webkit.org/b/128766>

Reviewed by Geoffrey Garen.

Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
The reasoning is that we don't know of any clients that need unordered
re-entry into the VM from different threads. So, we're enforcing ordered
re-entry i.e. we must re-grab locks in the reverse order of dropping locks.

The crash in this bug happened because we were allowing unordered re-entry,
and the following type of scenario occurred:

1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
   first time it entered the VM.
   T1 sets VM::m_entryScope to T1's entryScope.
3. T1 drops all locks.

4. Thread T2 locks the VM, and enters the VM to execute some JS code.
   On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
   does not set the entryScope.
5. T2 drops all locks.

6. T1 re-grabs locks.
7. T1 returns all the way out of JS code. On exit from the outermost
   JS function, T1 clears VM::m_entryScope (because T1 was the one who
   set it).
8. T1 unlocks the VM.

9. T2 re-grabs locks.
10. T2 proceeds to execute some code and expects VM::m_entryScope to be
    NOT null, but it turns out to be null. Assertion failures and
    crashes ensue.

With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
the VM. Hence, the issue will no longer manifest.

* runtime/JSLock.cpp:
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):
* runtime/JSLock.h:
(JSC::JSLock::DropAllLocks::dropDepth):
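
The ten-step scenario above, replayed in a deterministic single-threaded model that shows why unordered re-entry leaves T2 with a null entry scope and ordered re-entry does not. This is an added example, not JavaScriptCore code: LockModel, VMModel and replayScenario are invented names standing in for JSLock, VM::m_entryScope and the two threads, and the real implementation differs in detail.

```cpp
// Added example (not JavaScriptCore code): a deterministic model of
// JSLock::dropAllLocks()/grabAllLocks() replaying the T1/T2 scenario.
// LockModel, VMModel and replayScenario are assumed names for the model.
#include <cassert>

struct VMModel {
    int entryScopeOwner = 0;   // 0 models a null VM::m_entryScope
};

class LockModel {
public:
    explicit LockModel(bool orderedReentry) : m_ordered(orderedReentry) {}

    void lock(int thread) { assert(m_owner == 0); m_owner = thread; }
    void unlock(int thread) { assert(m_owner == thread); m_owner = 0; }

    // The first thread to enter the VM owns the entry scope and clears it on exit.
    void enterVM(VMModel& vm, int thread) {
        if (vm.entryScopeOwner == 0) vm.entryScopeOwner = thread;
    }
    void exitVM(VMModel& vm, int thread) {
        if (vm.entryScopeOwner == thread) vm.entryScopeOwner = 0;
    }

    // Releases the lock and hands back a drop depth, the token a thread must
    // present when it re-grabs (cf. JSLock::DropAllLocks::dropDepth()).
    int dropAllLocks(int thread) {
        assert(m_owner == thread);
        m_owner = 0;
        return m_lockDropDepth++;
    }

    // Returns true when the locks were re-acquired. Returns false when the
    // thread would have to yield and retry: the lock is held, or (ordered
    // policy) the caller is not the most recent dropper.
    bool grabAllLocks(int thread, int dropDepth) {
        if (m_owner != 0)
            return false;
        if (m_ordered && dropDepth != m_lockDropDepth - 1)
            return false;
        --m_lockDropDepth;
        m_owner = thread;
        return true;
    }

private:
    bool m_ordered;
    int m_owner = 0;          // 0: unlocked, otherwise the holding thread id
    int m_lockDropDepth = 0;  // number of outstanding dropAllLocks() calls
};

// Replays steps 1 to 10 from the entry. Returns true when T2 observes a null
// entry scope after re-grabbing the lock (the assertion failure the entry
// describes); false when the scenario completes with the scope intact.
bool replayScenario(bool orderedReentry) {
    VMModel vm;
    LockModel lock(orderedReentry);
    const int T1 = 1, T2 = 2;

    lock.lock(T1);                           // step 1
    lock.enterVM(vm, T1);                    // step 2: T1 sets the entry scope
    int t1Depth = lock.dropAllLocks(T1);     // step 3

    lock.lock(T2);                           // step 4: T2 sees a non-null scope,
    lock.enterVM(vm, T2);                    //         so it does not set it
    int t2Depth = lock.dropAllLocks(T2);     // step 5

    if (lock.grabAllLocks(T1, t1Depth)) {    // step 6 succeeds only if unordered
        lock.exitVM(vm, T1);                 // step 7: T1 clears the scope
        lock.unlock(T1);                     // step 8
        bool regrabbed = lock.grabAllLocks(T2, t2Depth);  // step 9
        assert(regrabbed);
        (void)regrabbed;
        bool scopeNullForT2 = vm.entryScopeOwner == 0;    // step 10
        lock.exitVM(vm, T2);
        lock.unlock(T2);
        return scopeNullForT2;
    }

    // Ordered policy: T1's re-grab is refused, so it yields until T2 (the
    // most recent dropper) re-grabs and leaves the VM first.
    bool regrabbed = lock.grabAllLocks(T2, t2Depth);
    assert(regrabbed);
    (void)regrabbed;
    bool scopeNullForT2 = vm.entryScopeOwner == 0;        // still owned by T1
    lock.exitVM(vm, T2);                                   // T2 did not set it
    lock.unlock(T2);
    regrabbed = lock.grabAllLocks(T1, t1Depth);            // now in order
    assert(regrabbed);
    lock.exitVM(vm, T1);
    lock.unlock(T1);
    return scopeNullForT2;
}
```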

2014-02-25 Mark Lam <mark.lam@apple.com>

Need to initialize VM stack data even when the VM is on an exclusive thread.
<https://webkit.org/b/129265>

Not reviewed.

Relanding r164627 now that <https://webkit.org/b/129341> is fixed.

* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::shouldDropAllLocks):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::addCurrentThread):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::setExclusiveThread):
(JSC::JSLock::lock):
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):
* runtime/JSLock.h:
(JSC::JSLock::hasExclusiveThread):
(JSC::JSLock::exclusiveThread):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::hasExclusiveThread):
(JSC::VM::exclusiveThread):
(JSC::VM::setExclusiveThread):
(JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25 Filip Pizlo <fpizlo@apple.com>

Inline caching in the FTL on ARM64 should "work"
https://bugs.webkit.org/show_bug.cgi?id=129334

Reviewed by Mark Hahnenberg.

Gets us to the point where simple tests that use inline caching are passing.

* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::shrink):
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfGetById):
(JSC::FTL::sizeOfPutById):
(JSC::FTL::sizeOfCall):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
* jit/GPRInfo.h:
* offlineasm/arm64.rb:

2014-02-25 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r164627.
http://trac.webkit.org/changeset/164627
https://bugs.webkit.org/show_bug.cgi?id=129325

Broke SubtleCrypto tests (Requested by ap on #webkit).

* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::shouldDropAllLocks):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::addCurrentThread):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::lock):
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):
* runtime/JSLock.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25 Filip Pizlo <fpizlo@apple.com>

ARM64 rshift64 should be an arithmetic shift
https://bugs.webkit.org/show_bug.cgi?id=129323

Reviewed by Mark Hahnenberg.

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::rshift64):

2014-02-25 Sergio Villar Senin <svillar@igalia.com>

[CSS Grid Layout] Add ENABLE flag
https://bugs.webkit.org/show_bug.cgi?id=129153

Reviewed by Simon Fraser.

* Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25 Michael Saboff <msaboff@apple.com>

JIT Engines use the wrong stack limit for stack checks
https://bugs.webkit.org/show_bug.cgi?id=129314

Reviewed by Filip Pizlo.

Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
* runtime/VM.h:
(JSC::VM::addressOfStackLimit):

2014-02-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, roll out http://trac.webkit.org/changeset/164493.

It causes crashes, apparently because it's removing too many barriers. I will investigate
later.

* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
* bytecode/SpeculatedType.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
* dfg/DFGNode.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isNotNully):
(JSC::FTL::LowerDFGToLLVM::isNully):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24 Oliver Hunt <oliver@apple.com>

Fix build.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24 Oliver Hunt <oliver@apple.com>

Spread operator has a bad time when applied to call function
https://bugs.webkit.org/show_bug.cgi?id=128853

Reviewed by Geoffrey Garen.

Follow on from the previous patch that added an extra slot to
op_call_varargs (and _call, _call_eval, _construct). We now
use the slot as an offset to in effect act as a 'slice' on
the spread subject. This allows us to automatically retain
all our existing argument and array optimisations. Most of
this patch is simply threading the offset around.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::getArgumentByVal):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
* interpreter/Interpreter.cpp:
(JSC::sizeFrameForVarargs):
(JSC::loadVarargs):
* interpreter/Interpreter.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::copyToArguments):
* runtime/Arguments.h:
* runtime/JSArray.cpp:
(JSC::JSArray::copyToArguments):
* runtime/JSArray.h:

2014-02-24 Mark Lam <mark.lam@apple.com>

Need to initialize VM stack data even when the VM is on an exclusive thread.
<https://webkit.org/b/129265>

Reviewed by Geoffrey Garen.

We check VM::exclusiveThread as an optimization to forego the need to do
JSLock locking. However, we recently started piggybacking on JSLock's
lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
and lastStackTop) to appropriate values for the current thread. This is
needed because we may be acquiring the lock to enter the VM on a different
thread.

As a result, we ended up not initializing the VM stack data when
VM::exclusiveThread causes us to bypass the locking activity. Even though
the VM::exclusiveThread will not have to deal with the VM being entered
on a different thread, it still needs to initialize the VM stack data.
The VM relies on that data being initialized properly once it has been
entered.

With this fix, we push the check for exclusiveThread down into the JSLock,
and handle the bypassing of unneeded locking activity there while still
executing the necessary VM stack data initialization.

* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::shouldDropAllLocks):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::addCurrentThread):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::setExclusiveThread):
(JSC::JSLock::lock):
(JSLock::unlock):
(JSLock::currentThreadIsHoldingLock):
(JSLock::dropAllLocks):
(JSLock::grabAllLocks):
* runtime/JSLock.h:
(JSC::JSLock::exclusiveThread):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::exclusiveThread):
(JSC::VM::setExclusiveThread):
(JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24 Filip Pizlo <fpizlo@apple.com>

FTL should do polymorphic PutById inlining
https://bugs.webkit.org/show_bug.cgi?id=129210

Reviewed by Mark Hahnenberg and Oliver Hunt.

This makes PutByIdStatus inform us about polymorphic cases by returning an array of
PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
selection of multiple inlined PutByIdVariants.

MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
http://trac.webkit.org/changeset/164207.

This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
that generate similar code.

1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
sometimes swaps field insertion order, creating fake polymorphism.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::dump):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::isSimple):
(JSC::PutByIdStatus::numVariants):
(JSC::PutByIdStatus::variants):
(JSC::PutByIdStatus::at):
(JSC::PutByIdStatus::operator[]):
* bytecode/PutByIdVariant.cpp: Added.
(JSC::PutByIdVariant::dump):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h: Added.
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::kind):
(JSC::PutByIdVariant::isSet):
(JSC::PutByIdVariant::operator!):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::newStructure):
(JSC::PutByIdVariant::structureChain):
(JSC::PutByIdVariant::offset):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::putByOffsetStoreElimination):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
* dfg/DFGNode.cpp:
(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::hasMultiPutByOffsetData):
(JSC::DFG::Node::multiPutByOffsetData):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::loadProperty):
(JSC::FTL::LowerDFGToLLVM::storeProperty):
(JSC::FTL::LowerDFGToLLVM::addressOfProperty):
(JSC::FTL::LowerDFGToLLVM::storageForTransition):
(JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
* tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
* tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
* tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

2014-02-24 peavo@outlook.com <peavo@outlook.com>

JSC regressions after r164494
https://bugs.webkit.org/show_bug.cgi?id=129272

Reviewed by Mark Lam.

* offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.

2014-02-24 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>

Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
https://bugs.webkit.org/show_bug.cgi?id=129255

Reviewed by Csaba Osztrogonác.

ENABLE_WORKERS macro was removed in r159679.
Support is now also removed from xcconfig files.

* Configurations/FeatureDefines.xcconfig:

2014-02-24 David Kilzer <ddkilzer@apple.com>

Remove redundant setting in FeatureDefines.xcconfig

* Configurations/FeatureDefines.xcconfig:

2014-02-23 Sam Weinig <sam@webkit.org>

Update FeatureDefines.xcconfig

Rubber-stamped by Anders Carlsson.

* Configurations/FeatureDefines.xcconfig:

2014-02-23 Dean Jackson <dino@apple.com>

Sort the project file with sort-Xcode-project-file.

Rubber-stamped by Sam Weinig.

* JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-23 Sam Weinig <sam@webkit.org>

Move telephone number detection behind its own ENABLE macro
https://bugs.webkit.org/show_bug.cgi?id=129236

Reviewed by Dean Jackson.

* Configurations/FeatureDefines.xcconfig:
Add ENABLE_TELEPHONE_NUMBER_DETECTION.

2014-02-22 Filip Pizlo <fpizlo@apple.com>

Refine DFG+FTL inlining and compilation limits
https://bugs.webkit.org/show_bug.cgi?id=129212

Reviewed by Mark Hahnenberg.

Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
and set that limit quite high. Institute a limit on inlining-into. The idea here is
that large functions tend to be autogenerated, and code generators like emscripten
appear to leave few inlining opportunities anyway. Also, we don't want the code
size explosion that we would risk if we allowed compilation of a large function and
then inlined a ton of stuff into it.

This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
regression. This is a 9% speed-up on AsmBench.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::noticeIncomingCall):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
* dfg/DFGCapabilities.h:
(JSC::DFG::isSmallEnoughToInlineCodeInto):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLState.h:
(JSC::FTL::shouldShowDisassembly):
* runtime/Options.h:

2014-02-22 Dan Bernstein <mitz@apple.com>

REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
https://bugs.webkit.org/show_bug.cgi?id=129227

Reviewed by Eric Carlson.

Reverted r164507.

* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetProperty):
(JSObjectSetProperty):
16369 (JSObjectGetPropertyAtIndex):
16370 (JSObjectSetPropertyAtIndex):
16371 (JSObjectDeleteProperty):
16372 (JSObjectCallAsFunction):
16373 (JSObjectCallAsConstructor):
16374 * API/JSValue.mm:
16375 (valueToArray):
16376 (valueToDictionary):
16377 * API/JSValueRef.cpp:
16378 (JSValueIsEqual):
16379 (JSValueIsInstanceOfConstructor):
16380 (JSValueCreateJSONString):
16381 (JSValueToNumber):
16382 (JSValueToStringCopy):
16383 (JSValueToObject):
16384 * inspector/ConsoleMessage.cpp:
16385 (Inspector::ConsoleMessage::ConsoleMessage):
16386 (Inspector::ConsoleMessage::autogenerateMetadata):
16387 * inspector/ConsoleMessage.h:
16388 * inspector/JSGlobalObjectInspectorController.cpp:
16389 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
16390 * inspector/JSGlobalObjectInspectorController.h:
16391 * inspector/ScriptCallStack.cpp:
16392 * inspector/ScriptCallStack.h:
16393 * inspector/ScriptCallStackFactory.cpp:
16394 (Inspector::createScriptCallStack):
16395 (Inspector::createScriptCallStackForConsole):
16396 (Inspector::createScriptCallStackFromException):
16397 * inspector/ScriptCallStackFactory.h:
16398 * inspector/agents/InspectorConsoleAgent.cpp:
16399 (Inspector::InspectorConsoleAgent::enable):
16400 (Inspector::InspectorConsoleAgent::addMessageToConsole):
16401 (Inspector::InspectorConsoleAgent::count):
16402 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
16403 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
16404
164052014-02-22 Joseph Pecoraro <pecoraro@apple.com>
16406
16407 Remove some unreachable code (-Wunreachable-code)
16408 https://bugs.webkit.org/show_bug.cgi?id=129220
16409
16410 Reviewed by Eric Carlson.
16411
16412 * API/tests/testapi.c:
16413 (EvilExceptionObject_convertToType):
16414 * disassembler/udis86/udis86_decode.c:
16415 (decode_operand):
16416
164172014-02-22 Filip Pizlo <fpizlo@apple.com>
16418
16419 Unreviewed, ARMv7 build fix.
16420
16421 * assembler/ARMv7Assembler.h:
16422
164232014-02-21 Filip Pizlo <fpizlo@apple.com>
16424
16425 It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
16426 https://bugs.webkit.org/show_bug.cgi?id=124733
16427
16428 Reviewed by Oliver Hunt.
16429
16430 This also takes the opportunity to de-duplicate some branch compaction code.
16431
16432 * assembler/ARM64Assembler.h:
16433 * assembler/ARMv7Assembler.h:
16434 (JSC::ARMv7Assembler::buffer):
16435 * assembler/AssemblerBuffer.h:
16436 (JSC::AssemblerData::AssemblerData):
16437 (JSC::AssemblerBuffer::AssemblerBuffer):
16438 (JSC::AssemblerBuffer::storage):
16439 (JSC::AssemblerBuffer::grow):
16440 * assembler/LinkBuffer.h:
16441 (JSC::LinkBuffer::LinkBuffer):
16442 (JSC::LinkBuffer::executableOffsetFor):
16443 (JSC::LinkBuffer::applyOffset):
16444 * assembler/MacroAssemblerARM64.h:
16445 (JSC::MacroAssemblerARM64::link):
16446 * assembler/MacroAssemblerARMv7.h:
16447
164482014-02-21 Brent Fulgham <bfulgham@apple.com>
16449
16450 Extend media support for WebVTT sources
16451 https://bugs.webkit.org/show_bug.cgi?id=129156
16452
16453 Reviewed by Eric Carlson.
16454
16455 * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
16456
164572014-02-21 Joseph Pecoraro <pecoraro@apple.com>
16458
16459 Web Inspector: JSContext inspection should report exceptions in the console
16460 https://bugs.webkit.org/show_bug.cgi?id=128776
16461
16462 Reviewed by Timothy Hatcher.
16463
16464 When JavaScript API functions have an exception, let the inspector
16465 know so it can log the JavaScript and Native backtrace that caused
16466 the exception.
16467
16468 Include some clean up of ConsoleMessage and ScriptCallStack construction.
16469
16470 * API/JSBase.cpp:
16471 (JSEvaluateScript):
16472 (JSCheckScriptSyntax):
16473 * API/JSObjectRef.cpp:
16474 (JSObjectMakeFunction):
16475 (JSObjectMakeArray):
16476 (JSObjectMakeDate):
16477 (JSObjectMakeError):
16478 (JSObjectMakeRegExp):
16479 (JSObjectGetProperty):
16480 (JSObjectSetProperty):
16481 (JSObjectGetPropertyAtIndex):
16482 (JSObjectSetPropertyAtIndex):
16483 (JSObjectDeleteProperty):
16484 (JSObjectCallAsFunction):
16485 (JSObjectCallAsConstructor):
16486 * API/JSValue.mm:
16487 (reportExceptionToInspector):
16488 (valueToArray):
16489 (valueToDictionary):
16490 * API/JSValueRef.cpp:
16491 (JSValueIsEqual):
16492 (JSValueIsInstanceOfConstructor):
16493 (JSValueCreateJSONString):
16494 (JSValueToNumber):
16495 (JSValueToStringCopy):
16496 (JSValueToObject):
16497 When seeing an exception, let the inspector know there was an exception.
16498
16499 * inspector/JSGlobalObjectInspectorController.h:
16500 * inspector/JSGlobalObjectInspectorController.cpp:
16501 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
16502 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
16503 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
16504 Log API exceptions by also grabbing the native backtrace.
16505
16506 * inspector/ScriptCallStack.h:
16507 * inspector/ScriptCallStack.cpp:
16508 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
16509 (Inspector::ScriptCallStack::append):
16510 Minor extensions to ScriptCallStack to make it easier to work with.
16511
16512 * inspector/ConsoleMessage.cpp:
16513 (Inspector::ConsoleMessage::ConsoleMessage):
16514 (Inspector::ConsoleMessage::autogenerateMetadata):
16515 Provide better default information if the first call frame was native.
16516
16517 * inspector/ScriptCallStackFactory.cpp:
16518 (Inspector::createScriptCallStack):
16519 (Inspector::extractSourceInformationFromException):
16520 (Inspector::createScriptCallStackFromException):
16521 Perform the handling here of inserting a fake call frame for exceptions
16522 if there was no call stack (e.g. a SyntaxError) or if the first call
16523 frame had no information.
16524
16525 * inspector/ConsoleMessage.cpp:
16526 (Inspector::ConsoleMessage::ConsoleMessage):
16527 (Inspector::ConsoleMessage::autogenerateMetadata):
16528 * inspector/ConsoleMessage.h:
16529 * inspector/ScriptCallStackFactory.cpp:
16530 (Inspector::createScriptCallStack):
16531 (Inspector::createScriptCallStackForConsole):
16532 * inspector/ScriptCallStackFactory.h:
16533 * inspector/agents/InspectorConsoleAgent.cpp:
16534 (Inspector::InspectorConsoleAgent::enable):
16535 (Inspector::InspectorConsoleAgent::addMessageToConsole):
16536 (Inspector::InspectorConsoleAgent::count):
16537 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
16538 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
16539 ConsoleMessage cleanup.
16540
165412014-02-21 Oliver Hunt <oliver@apple.com>
16542
16543 Add extra space to op_call and related opcodes
16544 https://bugs.webkit.org/show_bug.cgi?id=129170
16545
16546 Reviewed by Mark Lam.
16547
16548 No change in behaviour, just some refactoring to add an extra
16549 slot to the op_call instructions, and refactoring to make similar
16550 changes easier in future.
16551
16552 * bytecode/CodeBlock.cpp:
16553 (JSC::CodeBlock::printCallOp):
16554 * bytecode/Opcode.h:
16555 (JSC::padOpcodeName):
16556 * bytecompiler/BytecodeGenerator.cpp:
16557 (JSC::BytecodeGenerator::emitCall):
16558 (JSC::BytecodeGenerator::emitCallVarargs):
16559 (JSC::BytecodeGenerator::emitConstruct):
16560 * dfg/DFGByteCodeParser.cpp:
16561 (JSC::DFG::ByteCodeParser::handleIntrinsic):
16562 * jit/JITCall.cpp:
16563 (JSC::JIT::compileOpCall):
16564 * jit/JITCall32_64.cpp:
16565 (JSC::JIT::compileOpCall):
16566 * llint/LowLevelInterpreter.asm:
16567 * llint/LowLevelInterpreter32_64.asm:
16568 * llint/LowLevelInterpreter64.asm:
16569
165702014-02-21 Mark Lam <mark.lam@apple.com>
16571
16572 gatherFromOtherThread() needs to align the sp before gathering roots.
16573 <https://webkit.org/b/129169>
16574
16575 Reviewed by Geoffrey Garen.
16576
16577 The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
16578 gatherFromOtherThread() defines the range of the other thread's stack as
16579 being bounded by the other thread's stack pointer and stack base. While
16580 the stack base will always be aligned to sizeof(void*), the stack pointer
16581 may not be. This is because the other thread may have just pushed a 32-bit
16582 value on its stack before we suspended it for scanning.
16583
16584 The fix is to round the stack pointer up to the next aligned address of
16585 sizeof(void*) and start scanning from there. On 64-bit systems, we will
16586 effectively ignore the 32-bit word at the bottom of the stack (top of the
16587 stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
16588 64-bit pointers should always be stored on 64-bit aligned boundaries (our
16589 conservative scan algorithm already depends on this assumption).
16590
16591 On 32-bit systems, the rounding is effectively a no-op.
16592
16593 * heap/ConservativeRoots.cpp:
16594 (JSC::ConservativeRoots::genericAddSpan):
- Hardened some assertions so that we can catch misalignment issues on
release builds as well.
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::gatherFromOtherThread):
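
The alignment step this entry describes, as an added illustration that is not JSC's code: a conservative scan over a constructed stack buffer on which the suspended thread has pushed a 32-bit value, showing that rounding sp up to a sizeof(void*) boundary lets the scanner walk whole words. FakeHeap, conservativeScan and scanSuspendedThreadStack are hypothetical names and the heap range is constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for the heap: a stack word whose value lies in
// [begin, end) counts as a candidate root, which is how a conservative
// scan treats every pointer-sized word it visits.
struct FakeHeap {
    uintptr_t begin;
    uintptr_t end;
    bool contains(uintptr_t word) const { return word >= begin && word < end; }
};

// The rounding the entry describes: move a possibly misaligned stack
// pointer up to the next sizeof(void*) boundary. On a 32-bit target a
// 4-byte push leaves sp aligned, so this is a no-op there.
inline uintptr_t alignStackPointerUp(uintptr_t sp)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (sp + mask) & ~mask;
}

// Hypothetical analogue of a genericAddSpan-style routine, not JSC's code:
// visit every pointer-sized word in [begin, end) and collect those that
// point into the heap. A misaligned span is refused with -1 instead of
// being read, standing in for the hardened alignment assertions.
inline int conservativeScan(uintptr_t begin, uintptr_t end, const FakeHeap& heap,
                            std::vector<uintptr_t>& roots)
{
    const uintptr_t mask = sizeof(void*) - 1;
    if ((begin & mask) || (end & mask) || begin > end)
        return -1;
    for (uintptr_t p = begin; p < end; p += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(p), sizeof word);
        if (heap.contains(word))
            roots.push_back(word);
    }
    return static_cast<int>(roots.size());
}

struct ScanOutcome {
    int fromRawSp;      // scanning from the suspended thread's real sp
    int fromAlignedSp;  // scanning after rounding sp up
};

// Constructed scenario: a downward-growing 64-byte stack holding two heap
// pointers and one small integer, after which the suspended thread pushed a
// 32-bit value, leaving sp 4 bytes below a pointer-aligned boundary on 64-bit.
inline ScanOutcome scanSuspendedThreadStack()
{
    const FakeHeap heap{0x10000000u, 0x20000000u}; // constructed heap range
    alignas(sizeof(void*)) unsigned char stack[64];
    std::memset(stack, 0, sizeof stack);
    const uintptr_t base = reinterpret_cast<uintptr_t>(stack) + sizeof stack;
    const uintptr_t words[3] = {0x10001000u, 0x42u, 0x1ABCDEF0u};
    uintptr_t sp = base;
    for (uintptr_t w : words) {
        sp -= sizeof(void*);
        std::memcpy(reinterpret_cast<void*>(sp), &w, sizeof w);
    }
    const uint32_t pushed = 0x00C0FFEEu; // the 32-bit push that misaligns sp
    sp -= sizeof pushed;
    std::memcpy(reinterpret_cast<void*>(sp), &pushed, sizeof pushed);
    std::vector<uintptr_t> rawRoots, alignedRoots;
    ScanOutcome out;
    out.fromRawSp = conservativeScan(sp, base, heap, rawRoots);
    out.fromAlignedSp = conservativeScan(alignStackPointerUp(sp), base, heap, alignedRoots);
    return out;
}
```

On a 64-bit build the raw span is rejected while the aligned span yields the two heap pointers; on 32-bit both scans succeed and the pushed word is simply one more non-pointer.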

2014-02-21 Matthew Mirman <mmirman@apple.com>

Added a GetMyArgumentsLengthSafe and added a speculation check.
https://bugs.webkit.org/show_bug.cgi?id=129051

Reviewed by Filip Pizlo.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-21 peavo@outlook.com <peavo@outlook.com>

[Win][LLINT] Many JSC stress test failures.
https://bugs.webkit.org/show_bug.cgi?id=129155

Reviewed by Michael Saboff.

Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).

* offlineasm/x86.rb: Swap operand order on Windows.

2014-02-21 Filip Pizlo <fpizlo@apple.com>

DFG write barriers should do more speculations
https://bugs.webkit.org/show_bug.cgi?id=129160

Reviewed by Mark Hahnenberg.

Replace ConditionalStoreBarrier with the cheapest speculation that you could do
instead.

Miniscule speed-up on some things. It's a decent difference in code size, though.

* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
* bytecode/SpeculatedType.h:
(JSC::isNotCellSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
(JSC::DFG::FixupPhase::insertPhantomCheck):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateOther):
(JSC::DFG::Node::shouldSpeculateNotCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isNotOther):
(JSC::FTL::LowerDFGToLLVM::isOther):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::speculateOther):
(JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-21 Joseph Pecoraro <pecoraro@apple.com>

Revert r164486, causing a number of test failures.

Unreviewed rollout.

2014-02-21 Filip Pizlo <fpizlo@apple.com>

Revive SABI (aka shouldAlwaysBeInlined)
https://bugs.webkit.org/show_bug.cgi?id=129159

Reviewed by Mark Hahnenberg.

This is a small Octane speed-up.

* jit/Repatch.cpp:
(JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.

2014-02-21 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: JSContext inspection should report exceptions in the console
https://bugs.webkit.org/show_bug.cgi?id=128776

Reviewed by Timothy Hatcher.

When JavaScript API functions have an exception, let the inspector
know so it can log the JavaScript and Native backtrace that caused
the exception.

Include some clean up of ConsoleMessage and ScriptCallStack construction.

* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetProperty):
(JSObjectSetProperty):
(JSObjectGetPropertyAtIndex):
(JSObjectSetPropertyAtIndex):
(JSObjectDeleteProperty):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
* API/JSValue.mm:
(reportExceptionToInspector):
(valueToArray):
(valueToDictionary):
* API/JSValueRef.cpp:
(JSValueIsEqual):
(JSValueIsInstanceOfConstructor):
(JSValueCreateJSONString):
(JSValueToNumber):
(JSValueToStringCopy):
(JSValueToObject):
When seeing an exception, let the inspector know there was an exception.

* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Log API exceptions by also grabbing the native backtrace.

* inspector/ScriptCallStack.h:
* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::firstNonNativeCallFrame):
(Inspector::ScriptCallStack::append):
Minor extensions to ScriptCallStack to make it easier to work with.

* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
Provide better default information if the first call frame was native.

* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::extractSourceInformationFromException):
(Inspector::createScriptCallStackFromException):
Perform the handling here of inserting a fake call frame for exceptions
if there was no call stack (e.g. a SyntaxError) or if the first call
frame had no information.

* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
* inspector/ConsoleMessage.h:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):
* inspector/ScriptCallStackFactory.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::addMessageToConsole):
(Inspector::InspectorConsoleAgent::count):
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
ConsoleMessage cleanup.

2014-02-20 Anders Carlsson <andersca@apple.com>

Modernize JSGlobalLock and JSLockHolder
https://bugs.webkit.org/show_bug.cgi?id=129105

Reviewed by Michael Saboff.

Use std::mutex and std::thread::id where possible.

* runtime/JSLock.cpp:
(JSC::GlobalJSLock::GlobalJSLock):
(JSC::GlobalJSLock::~GlobalJSLock):
(JSC::GlobalJSLock::initialize):
(JSC::JSLock::JSLock):
(JSC::JSLock::lock):
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
* runtime/JSLock.h:

2014-02-20 Mark Lam <mark.lam@apple.com>

virtualForWithFunction() should not throw an exception with a partially initialized frame.
<https://webkit.org/b/129134>

Reviewed by Michael Saboff.

Currently, when JITOperations.cpp's virtualForWithFunction() fails to
prepare the callee function for execution, it proceeds to throw the
exception using the callee frame which is only partially initialized
thus far. Instead, it should be throwing the exception using the caller
frame because:
1. the error happened "in" the caller while preparing the callee for
execution i.e. the caller frame is the top fully initialized frame
on the stack.
2. the callee frame is not fully initialized yet, and the unwind
mechanism cannot depend on the data in it.

* jit/JITOperations.cpp:

2014-02-20 Mark Lam <mark.lam@apple.com>

DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
<https://webkit.org/b/129131>

Reviewed by Mark Hahnenberg.

Currently, DefaultGCActivityCallback::doWork() does not check if the GC
needs to be deferred before commencing. As a result, the GC may crash
and/or corrupt data because the VM is not in the consistent state needed
for the GC to run. With this fix, doWork() now checks if the GC is
supposed to be deferred and re-schedules if needed. It only commences
with GC'ing when it's safe to do so.

* runtime/GCActivityCallback.cpp:
(JSC::DefaultGCActivityCallback::doWork):

2014-02-20 Geoffrey Garen <ggaren@apple.com>

Math.imul gives wrong results
https://bugs.webkit.org/show_bug.cgi?id=126345

Reviewed by Mark Hahnenberg.

Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
Instead, take a slow path that will do the right thing.

* jit/ThunkGenerators.cpp:
(JSC::imulThunkGenerator):
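
As an added example that is not the ThunkGenerators code: the ToInt32 conversion Math.imul is specified to apply to each operand, beside a fast path that maps any non-integer double to 0, which is the behaviour this entry removes. toInt32, imul and imulNonIntsAsZero are hypothetical names.

```cpp
#include <cmath>
#include <cstdint>

// ECMAScript ToInt32: NaN and the infinities become 0; otherwise truncate
// toward zero, reduce modulo 2^32 and reinterpret as a signed 32-bit value.
// So 2.5 contributes 2, 2^32 + 1 contributes 1, and 2^32 - 1 contributes -1.
inline int32_t toInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;
    const double twoTo32 = 4294967296.0;
    double m = std::fmod(std::trunc(d), twoTo32); // keeps the sign of d
    if (m < 0)
        m += twoTo32;
    return static_cast<int32_t>(static_cast<uint32_t>(m));
}

// Math.imul: ToInt32 both operands, then multiply with 32-bit wraparound
// (done on unsigned values so the wrap is well defined in C++).
inline int32_t imul(double a, double b)
{
    const uint32_t ua = static_cast<uint32_t>(toInt32(a));
    const uint32_t ub = static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(ua * ub);
}

// The shortcut the entry removes, as a hypothetical illustration: a fast
// path that treats a double that is not already an integer as 0 instead of
// taking the slow path above. It yields 0 for imul(2.5, 3); the correct
// result is 6.
inline int32_t imulNonIntsAsZero(double a, double b)
{
    const int32_t ia = (a == std::trunc(a)) ? toInt32(a) : 0;
    const int32_t ib = (b == std::trunc(b)) ? toInt32(b) : 0;
    return static_cast<int32_t>(static_cast<uint32_t>(ia) * static_cast<uint32_t>(ib));
}
```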

2014-02-20 Filip Pizlo <fpizlo@apple.com>

DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
https://bugs.webkit.org/show_bug.cgi?id=129129

Reviewed by Geoffrey Garen.

We estimate execution counts based on loop depth, and then use those to estimate branch
weights. These weights then get carried all the way down to LLVM prof branch_weights
meta-data.

This is better than letting LLVM do its own static estimates, since by the time we
generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
course, it would be even better if we just slurped in some kind of execution counts
from profiling, but we don't do that, yet.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
* dfg/DFGBasicBlock.h:
* dfg/DFGBlockInsertionSet.cpp:
(JSC::DFG::BlockInsertionSet::insert):
(JSC::DFG::BlockInsertionSet::insertBefore):
* dfg/DFGBlockInsertionSet.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::createPreHeader):
* dfg/DFGNaturalLoops.h:
(JSC::DFG::NaturalLoops::loopDepth):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
(JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
(JSC::DFG::StaticExecutionCountEstimationPhase::run):
(JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
(JSC::DFG::performStaticExecutionCountEstimation):
* dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20 Filip Pizlo <fpizlo@apple.com>

FTL may not see a compact_unwind section if there weren't any stackmaps
https://bugs.webkit.org/show_bug.cgi?id=129125

Reviewed by Geoffrey Garen.

It's OK to not have an unwind section, so long as the function also doesn't have any
OSR exits.

* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
(JSC::FTL::compile):
* ftl/FTLUnwindInfo.cpp:
(JSC::FTL::UnwindInfo::parse):
* ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==