Commit | Line | Data |
---|---|---|
1 | 2015-07-20 Matthew Hanson <matthew_hanson@apple.com> | |
2 | ||
3 | Merge r186819. rdar://problem/21729083 | |
4 | ||
5 | 2015-07-14 Matthew Mirman <mmirman@apple.com> | |
6 | ||
7 | Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32. | |
8 | https://bugs.webkit.org/show_bug.cgi?id=146910 | |
9 | rdar://problem/21729083 | |
10 | ||
11 | Reviewed by Filip Pizlo. | |
12 | ||
13 | Also fixes the debug build problem where all edges are assumed to | |
14 | have UntypedUse before the fixup phase. | |
15 | ||
16 | * dfg/DFGSpeculativeJIT.cpp: | |
17 | (JSC::DFG::SpeculativeJIT::compileArithSub): | |
18 | * dfg/DFGValidate.cpp: | |
19 | (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary): | |
20 | * tests/stress/arith-add-with-constants.js: Added some tests for this case. | |
21 | (arithAdd42WrittenAsInteger): | |
22 | (testArithAdd42WrittenAsInteger): | |
23 | (arithSub42WrittenAsDouble): | |
24 | (testArithSub42WrittenAsDouble): | |
25 | (doubleConstant): | |
26 | (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0) | |
27 | (arithAdd42WrittenAsDouble): Deleted. | |
28 | (testArithAdd42WrittenAsDouble): Deleted. | |
29 | ||
30 | 2015-07-20 Matthew Hanson <matthew_hanson@apple.com> | |
31 | ||
32 | Merge r187028. rdar://problem/21869970 | |
33 | ||
34 | 2015-07-18 Filip Pizlo <fpizlo@apple.com> | |
35 | ||
36 | REGRESSION(186691): OSR entry is broken on loop headers that have no live variables | |
37 | https://bugs.webkit.org/show_bug.cgi?id=147074 | |
38 | rdar://problem/21869970 | |
39 | ||
40 | Reviewed by Michael Saboff. | |
41 | ||
42 | The OSR entry must-handle block/value widening introduced in r186691 would cause the | |
43 | CFA to reexecute if it caused any live local variables to change value. But this fails | |
44 | if the must-handle block has no live local variables, and the entry block otherwise | |
45 | appears to be unreachable. | |
46 | ||
47 | This fixes the bug by having the change detection include whether the block hadn't been | |
48 | visited in addition to whether any local variable values got widened. | |
49 | ||
50 | This is a ~4% speed-up on SunSpider in browser. | |
51 | ||
52 | * dfg/DFGCFAPhase.cpp: | |
53 | (JSC::DFG::CFAPhase::run): | |
54 | ||
55 | 2015-07-16 Matthew Hanson <matthew_hanson@apple.com> | |
56 | ||
57 | Merge r186920. rdar://problem/21764196 | |
58 | ||
59 | 2015-07-16 Mark Lam <mark.lam@apple.com> | |
60 | ||
61 | RegExp::match() should set m_state to ByteCode if compilation fails. | |
62 | https://bugs.webkit.org/show_bug.cgi?id=147023 | |
63 | ||
64 | Reviewed by Michael Saboff. | |
65 | ||
66 | A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code. | |
67 | If one of these compilations succeeds, RegExp::m_state will be set to JITCode. | |
68 | Subsequently, if RegExp tries to compile another one of these but fails, m_state | |
69 | will be left untouched i.e. it still says JITCode. As a result, when | |
70 | RegExp::match() later tries to execute the non-existent compiled code, it will | |
71 | crash. | |
72 | ||
73 | The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile. | |
74 | This failure should be rare. We'll do the minimal work here to fix the issue and | |
75 | keep an eye on the perf bots. If perf regresses, we can do some optimization work then. | |
76 | ||
77 | This issue is difficult to test for since it either requires a low memory condition | |
78 | to trigger a failed RegExp compilation at the right moment, or for the RegExp to | |
79 | succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode. | |
80 | Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every | |
81 | 10 compilation attempts. | |
82 | ||
83 | * runtime/RegExp.cpp: | |
84 | (JSC::RegExp::compile): | |
85 | (JSC::RegExp::compileMatchOnly): | |
86 | ||
87 | 2015-07-15 Lucas Forschler <lforschler@apple.com> | |
88 | ||
89 | Merge r186826 | |
90 | ||
91 | 2015-07-14 Anders Carlsson <andersca@apple.com> | |
92 | ||
93 | Assertions.h should include ExportMacros.h | |
94 | https://bugs.webkit.org/show_bug.cgi?id=146948 | |
95 | ||
96 | Reviewed by Tim Horton. | |
97 | ||
98 | Remove now unneeded WTF_EXPORT_PRIVATE define. | |
99 | ||
100 | * API/JSBase.h: | |
101 | ||
102 | 2015-07-13 Babak Shafiei <bshafiei@apple.com> | |
103 | ||
104 | Merge r186777. | |
105 | ||
106 | 2015-07-13 Anders Carlsson <andersca@apple.com> | |
107 | ||
108 | Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API | |
109 | https://bugs.webkit.org/show_bug.cgi?id=146913 | |
110 | rdar://problem/21789252 | |
111 | ||
112 | Reviewed by Dan Bernstein. | |
113 | ||
114 | Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to | |
115 | /System/Library/Frameworks/JavaScriptCore.framework. | |
116 | ||
117 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
118 | ||
119 | 2015-07-12 Babak Shafiei <bshafiei@apple.com> | |
120 | ||
121 | Merge r186702. | |
122 | ||
123 | 2015-07-10 Filip Pizlo <fpizlo@apple.com> | |
124 | ||
125 | AI folding of IsObjectOrNull is broken for non-object types that may be null | |
126 | https://bugs.webkit.org/show_bug.cgi?id=146867 | |
127 | ||
128 | Reviewed by Ryosuke Niwa. | |
129 | ||
130 | * dfg/DFGAbstractInterpreterInlines.h: | |
131 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on. | |
132 | * tests/stress/misc-is-object-or-null.js: Added. Test for the bug. | |
133 | (foo): | |
134 | * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced. | |
135 | (foo): | |
136 | ||
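
The two entries above (compileArithSub with an int32-valued constant written as a double, and IsObjectOrNull folding for nullable non-object types) are the kind of bug JSC's tests/stress directory catches. The harness below is an added example, not code from the WebKit tree: it warms a function up on typical values so a speculating JIT commits to a type, then probes it with edge-case values and compares each result, via Object.is, against a reference written without the construct under test. The function bodies, probe lists and names (arithSub42WrittenAsDouble, arithSubZeroWrittenAsDouble, isObjectOrNull, stressCheck, runAll) are assumptions modelled on the test names in the ChangeLog.

```javascript
// Added example, not from the WebKit tree. A small harness in the style of
// JSC's tests/stress: warm a function up on "typical" values so a speculating
// JIT commits to a type, then probe it with edge-case values and compare each
// result against a reference written without the construct under test.
// Object.is is used so that -0 vs +0 and NaN are compared exactly.

// Functions under test. The bodies are assumptions modelled on the test names
// in the ChangeLog (arithSub42WrittenAsDouble, doubleConstant, IsObjectOrNull).
function arithSub42WrittenAsDouble(x) { return x - 42.0; } // int32-valued constant spelled as a double
function arithSubZeroWrittenAsDouble(x) { return x - 0.0; } // sign of zero must survive: -0 - 0.0 is -0
function isObjectOrNull(x) { return typeof x === "object"; } // what the DFG's IsObjectOrNull answers: objects and null

// References that reach the same answer by a different route.
const refSub42 = x => x - 42;
const refSubZero = x => x - 0;
const refIsObjectOrNull = x => x === null || (Object(x) === x && typeof x !== "function");

// Probe values (constructed here): int32 boundaries, signed zero, non-numbers
// that coerce, and values of every type that may be null.
const numericProbes = [0, -0, 1, 42, 2147483647, -2147483648, 2 ** 31, -(2 ** 31) - 1,
                       0.5, NaN, Infinity, -Infinity, "42", null, undefined, true];
const valueProbes = [null, undefined, {}, [], new Date(), () => 0, "str", 0, NaN, true, Symbol("s")];

// Phase 1 feeds only warm-up values (e.g. small ints) so tiered compilers see one
// type; phase 2 feeds the probes, which on a buggy build would exit or fold wrongly.
function stressCheck(fn, reference, warmup, probes, iterations = 20000) {
  for (let i = 0; i < iterations; i++) fn(warmup[i % warmup.length]);
  const failures = [];
  for (const input of probes) {
    const got = fn(input);
    const want = reference(input);
    if (!Object.is(got, want)) failures.push({ input, got, want });
  }
  return failures;
}

// Runs every case; an empty array per key means the engine agreed with the reference.
function runAll() {
  return {
    sub42: stressCheck(arithSub42WrittenAsDouble, refSub42, [1, 2, 3, 1000], numericProbes),
    subZero: stressCheck(arithSubZeroWrittenAsDouble, refSubZero, [1, 2, 3, 1000], numericProbes),
    isObjectOrNull: stressCheck(isObjectOrNull, refIsObjectOrNull, [{}, []], valueProbes),
  };
}
```

Run it under the engine being tested (for JSC, the jsc shell with the usual stress options); a non-empty list names the input, the value the JIT produced and the value the reference produced, which is exactly what a bug report against a DFG strength-reduction or folding bug needs.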
137 | 2015-07-12 Babak Shafiei <bshafiei@apple.com> | |
138 | ||
139 | Merge r186691. | |
140 | ||
141 | 2015-07-04 Filip Pizlo <fpizlo@apple.com> | |
142 | ||
143 | DFG fragile frozen values are fundamentally broken | |
144 | https://bugs.webkit.org/show_bug.cgi?id=146602 | |
145 | ||
146 | Reviewed by Mark Lam. | |
147 | ||
148 | This change gets rid of the FragileValue value strength, because it was fundamentally | |
149 | broken. | |
150 | ||
151 | FragileValue was a value known to the compiler but not tracked by the GC in any way - | |
152 | it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR | |
153 | must-handle values. The philosophy was that if the compiler did use the value for | |
154 | optimization, it would have been strengthened to a weak value (or maybe even a strong | |
155 | value, though we probably won't do that). But this was too much of a pipe dream. I've | |
156 | found at least one case where the compiler did use the value, but never strengthened | |
157 | it: it would happen if the value ended up in an OSR entry data expected value. Then if | |
158 | we GCed, we might have killed the value, but OSR entry would still try to use it for | |
159 | validation. That might have sort of just worked, but it's clearly shady. | |
160 | ||
161 | The reason why we made must-handle values fragile and not weak is that most of the time | |
162 | the values disappear from the abstract state: they are LUBed to a non-constant. If we | |
163 | kept them around as weak, we'd have too many cases of the GC killing the code because | |
164 | it thought that the value was somehow meaningful to the code when it was only used as a | |
165 | temporary artifact of optimization. | |
166 | ||
167 | So, it's true that it's very important for must-handle values not to automatically be | |
168 | weak or strong. It's also true that the values are necessary for AI bootstrap because | |
169 | we need to know what values OSR entry will require. But we shouldn't accomplish these | |
170 | goals by having the compiler hold onto what are essentially dangling pointers. | |
171 | ||
172 | This implements a better solution: instead of having InPlaceAbstractState bootstrap the | |
173 | AI with must-handle values at the beginning, we now widen the valuesAtHead of the | |
174 | must-handle block after AI converges. This widening is done in CFAPhase. This allows us | |
175 | to see if the must-handle values are necessary at all. In most cases, the widening | |
176 | takes a non-constant abstract value and simply amends something to its type based on | |
177 | the type of the must-handle value, and so the must-handle value never actually shows up | |
178 | in either the IR or any abstract value. In the unlikely event that the value at head is | |
179 | bottom, we freeze the must-handle value. This change removes FragileValue, and this | |
180 | freezing uses WeakValue as the strength. That makes sense: since the abstract value was | |
181 | bottom, the must-handle value becomes integral to the IR and so it makes no sense for | |
182 | the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will | |
183 | sometimes happen for example if you have a very long-running loop whose pre-header | |
184 | allocates some object, but that pre-header appears to always exit to the optimizing JIT | |
185 | because it was only profiled once in the LLInt and that profiling appears insufficient | |
186 | to the DFG. In that case, we'll effectively constant-fold the references to the object | |
187 | inside the loop, which is both efficient (yay constant folding!) and necessary | |
188 | (otherwise we wouldn't know what the type of the variable should have been). | |
189 | ||
190 | Testing and debugging this is complicated. So, this adds some new capabilities: | |
191 | ||
192 | - DFG IR dumps also dump all of the FrozenValues that point to the heap along with | |
193 | their strengths, so that it's easy to see what GC objects the DFG feels are necessary | |
194 | for the compilation. | |
195 | ||
196 | - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy | |
197 | to see what GC pointers (and other things) are used for OSR entry validation. The | |
198 | printouts are quite detailed, and should also help other kinds of OSR entry | |
199 | debugging. | |
200 | ||
201 | - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode | |
202 | data structures are also properly registered as either weak or strong pointers in the | |
203 | CodeBlock. This validation check previously failed due to fragile values ending up in | |
204 | the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js) | |
205 | and in some pre-existing tests (like earley-boyer and 3d-raytrace). | |
206 | ||
207 | * CMakeLists.txt: | |
208 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
209 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
210 | * bytecode/CodeBlock.cpp: | |
211 | (JSC::CodeBlock::stronglyVisitStrongReferences): | |
212 | * bytecode/CodeOrigin.cpp: | |
213 | (JSC::InlineCallFrame::visitAggregate): | |
214 | * bytecode/Operands.h: | |
215 | (JSC::Operands::operand): | |
216 | (JSC::Operands::hasOperand): | |
217 | * bytecode/StructureSet.cpp: | |
218 | (JSC::StructureSet::dump): | |
219 | (JSC::StructureSet::validateReferences): | |
220 | * bytecode/StructureSet.h: | |
221 | * bytecode/TrackedReferences.cpp: Added. | |
222 | (JSC::TrackedReferences::TrackedReferences): | |
223 | (JSC::TrackedReferences::~TrackedReferences): | |
224 | (JSC::TrackedReferences::add): | |
225 | (JSC::TrackedReferences::check): | |
226 | (JSC::TrackedReferences::dump): | |
227 | * bytecode/TrackedReferences.h: Added. | |
228 | * dfg/DFGAbstractValue.cpp: | |
229 | (JSC::DFG::AbstractValue::observeTransitions): | |
230 | (JSC::DFG::AbstractValue::set): | |
231 | (JSC::DFG::AbstractValue::fixTypeForRepresentation): | |
232 | (JSC::DFG::AbstractValue::mergeOSREntryValue): | |
233 | (JSC::DFG::AbstractValue::filter): | |
234 | (JSC::DFG::AbstractValue::dumpInContext): | |
235 | (JSC::DFG::AbstractValue::validateReferences): | |
236 | (JSC::DFG::AbstractValue::setOSREntryValue): Deleted. | |
237 | * dfg/DFGAbstractValue.h: | |
238 | (JSC::DFG::AbstractValue::fullTop): | |
239 | (JSC::DFG::AbstractValue::merge): | |
240 | * dfg/DFGByteCodeParser.cpp: | |
241 | (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): | |
242 | * dfg/DFGCFAPhase.cpp: | |
243 | (JSC::DFG::CFAPhase::run): | |
244 | * dfg/DFGCommonData.cpp: | |
245 | (JSC::DFG::CommonData::invalidate): | |
246 | (JSC::DFG::CommonData::validateReferences): | |
247 | * dfg/DFGCommonData.h: | |
248 | (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit): | |
249 | * dfg/DFGFrozenValue.h: | |
250 | (JSC::DFG::FrozenValue::FrozenValue): | |
251 | (JSC::DFG::FrozenValue::strengthenTo): | |
252 | (JSC::DFG::FrozenValue::pointsToHeap): | |
253 | (JSC::DFG::FrozenValue::strength): | |
254 | (JSC::DFG::FrozenValue::freeze): | |
255 | * dfg/DFGGraph.cpp: | |
256 | (JSC::DFG::Graph::Graph): | |
257 | (JSC::DFG::Graph::dump): | |
258 | (JSC::DFG::Graph::registerFrozenValues): | |
259 | (JSC::DFG::Graph::visitChildren): | |
260 | (JSC::DFG::Graph::freeze): | |
261 | (JSC::DFG::Graph::freezeStrong): | |
262 | (JSC::DFG::Graph::freezeFragile): Deleted. | |
263 | * dfg/DFGGraph.h: | |
264 | * dfg/DFGInPlaceAbstractState.cpp: | |
265 | (JSC::DFG::InPlaceAbstractState::initialize): | |
266 | * dfg/DFGJITCode.cpp: | |
267 | (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult): | |
268 | (JSC::DFG::JITCode::validateReferences): | |
269 | * dfg/DFGJITCode.h: | |
270 | * dfg/DFGJITCompiler.cpp: | |
271 | (JSC::DFG::JITCompiler::addressOfDoubleConstant): | |
272 | (JSC::DFG::JITCompiler::noticeOSREntry): | |
273 | * dfg/DFGJITCompiler.h: | |
274 | (JSC::DFG::JITCompiler::branchStructurePtr): | |
275 | (JSC::DFG::JITCompiler::jitCode): | |
276 | (JSC::DFG::JITCompiler::noticeOSREntry): Deleted. | |
277 | * dfg/DFGMinifiedGraph.cpp: Added. | |
278 | (JSC::DFG::MinifiedGraph::prepareAndShrink): | |
279 | (JSC::DFG::MinifiedGraph::validateReferences): | |
280 | * dfg/DFGMinifiedGraph.h: | |
281 | (JSC::DFG::MinifiedGraph::append): | |
282 | (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted. | |
283 | * dfg/DFGOSREntry.cpp: | |
284 | (JSC::DFG::OSREntryData::dumpInContext): | |
285 | (JSC::DFG::OSREntryData::dump): | |
286 | (JSC::DFG::prepareOSREntry): | |
287 | * dfg/DFGOSREntry.h: | |
288 | (JSC::DFG::getOSREntryDataBytecodeIndex): | |
289 | * dfg/DFGPlan.cpp: | |
290 | (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): | |
291 | * dfg/DFGSpeculativeJIT.cpp: | |
292 | (JSC::DFG::SpeculativeJIT::linkOSREntries): | |
293 | (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): | |
294 | * dfg/DFGStructureAbstractValue.cpp: | |
295 | (JSC::DFG::StructureAbstractValue::dump): | |
296 | (JSC::DFG::StructureAbstractValue::validateReferences): | |
297 | * dfg/DFGStructureAbstractValue.h: | |
298 | * dfg/DFGValidate.cpp: | |
299 | (JSC::DFG::Validate::validate): | |
300 | * dfg/DFGValueStrength.cpp: | |
301 | (WTF::printInternal): | |
302 | * dfg/DFGValueStrength.h: | |
303 | (JSC::DFG::merge): | |
304 | * ftl/FTLExitPropertyValue.cpp: | |
305 | (JSC::FTL::ExitPropertyValue::dump): | |
306 | (JSC::FTL::ExitPropertyValue::validateReferences): | |
307 | * ftl/FTLExitPropertyValue.h: | |
308 | * ftl/FTLExitTimeObjectMaterialization.cpp: | |
309 | (JSC::FTL::ExitTimeObjectMaterialization::dump): | |
310 | (JSC::FTL::ExitTimeObjectMaterialization::validateReferences): | |
311 | * ftl/FTLExitTimeObjectMaterialization.h: | |
312 | * ftl/FTLExitValue.cpp: | |
313 | (JSC::FTL::ExitValue::dump): | |
314 | (JSC::FTL::ExitValue::validateReferences): | |
315 | * ftl/FTLExitValue.h: | |
316 | * ftl/FTLJITCode.cpp: | |
317 | (JSC::FTL::JITCode::dfgCommon): | |
318 | (JSC::FTL::JITCode::validateReferences): | |
319 | * ftl/FTLJITCode.h: | |
320 | (JSC::FTL::JITCode::handles): | |
321 | (JSC::FTL::JITCode::dataSections): | |
322 | * ftl/FTLOSRExit.cpp: | |
323 | (JSC::FTL::OSRExit::codeLocationForRepatch): | |
324 | (JSC::FTL::OSRExit::validateReferences): | |
325 | * ftl/FTLOSRExit.h: | |
326 | (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite): | |
327 | * jit/JITCode.cpp: | |
328 | (JSC::JITCode::typeName): | |
329 | (JSC::JITCode::validateReferences): | |
330 | (JSC::JITCode::execute): | |
331 | * jit/JITCode.h: | |
332 | (JSC::JITCode::start): | |
333 | * tests/stress/dead-osr-entry-value.js: Added. | |
334 | (foo): | |
335 | ||
336 | 2015-07-10 Matthew Hanson <matthew_hanson@apple.com> | |
337 | ||
338 | Disable non-shipping features. | |
339 | ||
340 | * Configurations/FeatureDefines.xcconfig: | |
341 | ||
342 | 2015-07-09 Mark Lam <mark.lam@apple.com> | |
343 | ||
344 | SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector. | |
345 | https://bugs.webkit.org/show_bug.cgi?id=146807 | |
346 | ||
347 | Reviewed by Filip Pizlo. | |
348 | ||
349 | When we capture an argument by name and we use "arguments", we put all of the | |
350 | arguments into the scope. But destructured arguments are put into the scope | |
351 | anonymously i.e. the SymbolTable knows that the scope offset is in use via | |
352 | SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in | |
353 | SymbolTable::m_map. | |
354 | ||
355 | The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will | |
356 | have a size which is based on the largest ScopeOffset in the m_map. If we have a | |
357 | scenario where the anonymous argument is at a higher ScopeOffset than all the | |
358 | named arguments, then the m_localsToEntry vector will not have an entry for it | |
359 | i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of | |
360 | the anonymous argument. | |
361 | ||
362 | Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is | |
363 | within the bounds of the m_localToEntry vector before indexing into it. | |
364 | ||
365 | * runtime/SymbolTable.cpp: | |
366 | (JSC::SymbolTable::entryFor): | |
367 | ||
368 | 2015-07-09 Michael Saboff <msaboff@apple.com> | |
369 | ||
370 | REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20 | |
371 | https://bugs.webkit.org/show_bug.cgi?id=146767 | |
372 | ||
373 | Reviewed by Geoffrey Garen. | |
374 | ||
375 | If the stack check fails at the top most frame, we must use that frame to | |
376 | generate the exception. Reverted the code to always use the current frame to | |
377 | throw an out of stack exception. | |
378 | ||
379 | * llint/LLIntSlowPaths.cpp: | |
380 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
381 | ||
382 | 2015-07-03 Filip Pizlo <fpizlo@apple.com> | |
383 | ||
384 | OSR exit fuzzing should allow us to select a static exit site | |
385 | https://bugs.webkit.org/show_bug.cgi?id=146601 | |
386 | ||
387 | Reviewed by Geoffrey Garen. | |
388 | ||
389 | The original implementation of the fuzzer allows us to trigger an exit based on its index | |
390 | in the dynamic sequence of exit sites encountered. But there are usually millions of | |
391 | dynamically encountered exit sites, even if the program only has thousands of static exit | |
392 | sites. That means that we would at best be able to do a random sampling of exits, and | |
393 | those would be biased to the hottest exit sites. | |
394 | ||
395 | This change allows us to also select exit sites based on their index in the static | |
396 | sequence of exit sites that the compiler compiled. Then, once that static exit site is | |
397 | selected, we can select which dynamic exit at that exit site we should trigger. Since the | |
398 | number of static exit sites is usually smallish (it's bounded by program size), we can do | |
399 | an exhaustive search over all exit sites in most programs. | |
400 | ||
401 | * dfg/DFGOSRExitFuzz.cpp: | |
402 | (JSC::numberOfStaticOSRExitFuzzChecks): | |
403 | (JSC::numberOfOSRExitFuzzChecks): | |
404 | * dfg/DFGOSRExitFuzz.h: | |
405 | (JSC::DFG::doOSRExitFuzzing): | |
406 | * dfg/DFGSpeculativeJIT.cpp: | |
407 | (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck): | |
408 | * ftl/FTLLowerDFGToLLVM.cpp: | |
409 | (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit): | |
410 | * jsc.cpp: | |
411 | (jscmain): | |
412 | * runtime/Options.h: | |
413 | * runtime/TestRunnerUtils.h: | |
414 | ||
415 | 2015-07-08 Joseph Pecoraro <pecoraro@apple.com> | |
416 | ||
417 | Fix grammar issue in TypeError attempting to change an unconfigurable property | |
418 | https://bugs.webkit.org/show_bug.cgi?id=146774 | |
419 | ||
420 | Reviewed by Brent Fulgham. | |
421 | ||
422 | * runtime/JSFunction.cpp: | |
423 | (JSC::JSFunction::defineOwnProperty): | |
424 | * runtime/JSObject.cpp: | |
425 | (JSC::JSObject::defineOwnNonIndexProperty): | |
426 | * runtime/StringObject.cpp: | |
427 | (JSC::StringObject::defineOwnProperty): | |
428 | ||
429 | 2015-07-06 Csaba Osztrogonác <ossy@webkit.org> | |
430 | ||
431 | Remove the unused HeapBlock.h | |
432 | https://bugs.webkit.org/show_bug.cgi?id=146580 | |
433 | ||
434 | Reviewed by Andreas Kling. | |
435 | ||
436 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
437 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
438 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
439 | * heap/CopiedBlock.h: | |
440 | * heap/CopiedSpace.h: | |
441 | * heap/CopiedSpaceInlines.h: | |
442 | * heap/HandleBlock.h: | |
443 | * heap/HeapBlock.h: Removed. | |
444 | * heap/MarkedBlock.h: | |
445 | ||
446 | 2015-07-06 Saam barati <saambarati1@gmail.com> | |
447 | ||
448 | JSC's parser should follow the ES6 spec with respect to parsing Declarations | |
449 | https://bugs.webkit.org/show_bug.cgi?id=146621 | |
450 | ||
451 | Reviewed by Mark Lam. | |
452 | ||
453 | There were a few locations where JSC would allow declaration statements | |
454 | in incorrect ways. JSC didn't distinguish between 'Statement' and | |
455 | 'StatementListItem' grammar productions. The relevant grammar is here: | |
456 | http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements | |
457 | ||
458 | From the ECMA Script 6.0 spec: | |
459 | 1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) | |
460 | says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems. | |
461 | (Same with 'while/for/do-while' loop bodies). | |
462 | 2. Section 13 ECMAScript Language: Statements and Declarations | |
463 | (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations) | |
464 | defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations | |
465 | (const, let, see 13.3.1 Let and Const Declarations). | |
466 | Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2). | |
467 | ||
468 | Hence, the following style of declarations are no longer allowed: | |
469 | 'if/for/while (condition) const x = 40;' | |
470 | 'if/for/while (condition) class C { }' | |
471 | ||
472 | Instead, we mandate such declaration constructs are within a StatementList | |
473 | (which is the production that JSC's Parser::parseSourceElements function parses): | |
474 | 'if/for/while (condition) { const x = 40; }' | |
475 | 'if/for/while (condition) { class C { } }' | |
476 | ||
477 | * parser/Parser.cpp: | |
478 | (JSC::Parser<LexerType>::parseSourceElements): | |
479 | (JSC::Parser<LexerType>::parseStatementListItem): | |
480 | (JSC::Parser<LexerType>::parseVarDeclaration): | |
481 | (JSC::Parser<LexerType>::parseStatement): | |
482 | (JSC::Parser<LexerType>::parseExpressionStatement): | |
483 | * parser/Parser.h: | |
484 | (JSC::Parser::getLabel): | |
485 | ||
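
The grammar point in the entry above can be checked from JavaScript itself. The block below is an added example, not code from the WebKit tree: it hands each snippet to the host engine's parser through `new Function`, which parses a body without running it, and records whether a SyntaxError is raised. Any engine following the ES6 grammar (JSC with r186621, or Node.js) should agree with the `allowed` column. The case list, the `cond` parameter and the helper names (parses, checkDeclarationPlacement, disagreements) are this example's own.

```javascript
// Added example, not from the WebKit tree. It checks where the ES6 grammar
// allows declarations by handing each snippet to the host's own parser through
// `new Function`, which parses the body without running it. The `cond`
// parameter only exists so the conditions have something to name.
const placementCases = [
  // Statement position: a bare lexical or class declaration is a SyntaxError.
  { src: "if (cond) const x = 40;", allowed: false },
  { src: "if (cond) class C { }", allowed: false },
  { src: "while (cond) const y = 1;", allowed: false },
  { src: "for (;;) class D { }", allowed: false },
  { src: "if (cond) ; else const z = 2;", allowed: false },
  // StatementListItem position: the same declarations inside a Block are fine.
  { src: "if (cond) { const x = 40; }", allowed: true },
  { src: "if (cond) { class C { } }", allowed: true },
  { src: "while (cond) { let y = 1; break; }", allowed: true },
  { src: "for (;;) { class D { } break; }", allowed: true },
  // A VariableStatement is a Statement, so `var` stays legal without braces.
  { src: "if (cond) var v = 1;", allowed: true },
];

// Returns true when the source parses as a function body, false on SyntaxError;
// any other exception is a harness problem and is rethrown.
function parses(src) {
  try { new Function("cond", src); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Evaluates every case and records whether the engine matched the expectation.
function checkDeclarationPlacement(cases = placementCases) {
  return cases.map(({ src, allowed }) => {
    const actual = parses(src);
    return { src, allowed, actual, ok: actual === allowed };
  });
}

// Sources on which the running engine disagrees with the ES6 grammar.
function disagreements(cases = placementCases) {
  return checkDeclarationPlacement(cases).filter(r => !r.ok).map(r => r.src);
}
```

Function declarations are deliberately left out of the list: in sloppy mode Annex B still permits `if (cond) function f() {}`, so that case would not distinguish a spec-following parser from a lax one.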
486 | 2015-07-06 Alex Christensen <achristensen@webkit.org> | |
487 | ||
488 | Unreviewed debug build fix after r186358. | |
489 | ||
490 | * runtime/JSArray.cpp: | |
491 | (JSC::JSArray::fastConcatWith): | |
492 | Pass vm parameter to fastConcatType. | |
493 | ||
494 | 2015-07-06 Ryosuke Niwa <rniwa@webkit.org> | |
495 | ||
496 | Array.concat should be fast for integer or double arrays | |
497 | https://bugs.webkit.org/show_bug.cgi?id=146260 | |
498 | ||
499 | Reviewed by Darin Adler. | |
500 | ||
501 | Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous | |
502 | arrays, simply memcopy the arrays into a new uninitialized buffer. | |
503 | ||
504 | This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro. | |
505 | ||
506 | * runtime/ArrayPrototype.cpp: | |
507 | (JSC::arrayProtoFuncConcat): | |
508 | * runtime/JSArray.cpp: | |
509 | (JSC::JSArray::fastConcatWith): Added. | |
510 | * runtime/JSArray.h: | |
511 | (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use | |
512 | the fast path. Returns NonArray otherwise. | |
513 | ||
514 | 2015-07-06 Youenn Fablet <youenn.fablet@crf.canon.fr> | |
515 | ||
516 | [Streams API] Remove ReadableStream custom constructor | |
517 | https://bugs.webkit.org/show_bug.cgi?id=146547 | |
518 | ||
519 | Reviewed by Darin Adler. | |
520 | ||
521 | Adding helper function to throw range errors. | |
522 | ||
523 | * runtime/Error.h: | |
524 | (JSC::throwRangeError): | |
525 | (JSC::throwVMRangeError): | |
526 | ||
527 | 2015-07-05 Yusuke Suzuki <utatane.tea@gmail.com> | |
528 | ||
529 | [ES6] Implement the latest Promise spec in JS | |
530 | https://bugs.webkit.org/show_bug.cgi?id=146229 | |
531 | ||
532 | Reviewed by Sam Weinig. | |
533 | ||
534 | Updated the Promise implementation to meet the ES6 spec. | |
535 | This patch | |
536 | 1. Implement ES6 Promise and related abstract operations in builtins JS | |
537 | 2. Expose @enqueueJob private function to JS world to post the microtask | |
538 | ||
539 | The updated implementation has a one-to-one correspondence to the ES6 spec description. | |
540 | JSPromiseDeferred is kept because it is the interface used by WebCore. | |
541 | ||
542 | * CMakeLists.txt: | |
543 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
544 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
545 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
546 | * builtins/Array.prototype.js: | |
547 | (reduce): | |
548 | (reduceRight): | |
549 | (every): | |
550 | (forEach): | |
551 | (filter): | |
552 | (map): | |
553 | (some): | |
554 | (fill): | |
555 | (find): | |
556 | (findIndex): | |
557 | (includes): | |
558 | (copyWithin): | |
559 | ToInteger / ToLength are renamed to toInteger and toLength. | |
560 | * builtins/ArrayConstructor.js: | |
561 | (from): | |
562 | ToInteger / ToLength are renamed to toInteger and toLength. | |
563 | * builtins/GlobalObject.js: | |
564 | (toInteger): | |
565 | (toLength): | |
566 | (isObject): | |
567 | (ToInteger): Deleted. | |
568 | (ToLength): Deleted. | |
569 | ToInteger / ToLength are renamed to toInteger and toLength. | |
570 | Add new abstract operation, isObject. | |
571 | * builtins/Operations.Promise.js: Added. | |
572 | (isPromise): | |
573 | (newPromiseReaction): | |
574 | (newPromiseDeferred): | |
575 | (newPromiseCapability.executor): | |
576 | (newPromiseCapability): | |
577 | (triggerPromiseReactions): | |
578 | (rejectPromise): | |
579 | (fulfillPromise): | |
580 | (createResolvingFunctions.resolve): | |
581 | (createResolvingFunctions.reject): | |
582 | (createResolvingFunctions): | |
583 | (promiseReactionJob): | |
584 | (promiseResolveThenableJob): | |
585 | (initializePromise): | |
586 | Added Promise related abstract operations. | |
587 | * builtins/Promise.prototype.js: | |
588 | (catch): | |
589 | (.onFulfilled): | |
590 | (.onRejected): | |
591 | (then): | |
592 | Promise#then implementation in JS. | |
593 | * builtins/PromiseConstructor.js: Added. | |
594 | (all.newResolveElement): | |
595 | (all): | |
596 | (race): | |
597 | (reject): | |
598 | (resolve): | |
599 | Promise static functions implementations in JS. | |
600 | * builtins/StringConstructor.js: | |
601 | (raw): | |
602 | ToInteger / ToLength are renamed to toInteger and toLength. | |
603 | * inspector/JSInjectedScriptHost.cpp: | |
604 | (Inspector::JSInjectedScriptHost::getInternalProperties): | |
605 | * runtime/CommonIdentifiers.h: | |
606 | * runtime/JSGlobalObject.cpp: | |
607 | (JSC::enqueueJob): | |
608 | (JSC::JSGlobalObject::init): | |
609 | (JSC::JSGlobalObject::visitChildren): | |
610 | * runtime/JSGlobalObject.h: | |
611 | (JSC::JSGlobalObject::initializePromiseFunction): | |
612 | (JSC::JSGlobalObject::newPromiseDeferredFunction): | |
613 | * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h. | |
614 | (JSC::createJSJob): | |
615 | (JSC::JSJobMicrotask::run): | |
616 | * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h. | |
617 | * runtime/JSPromise.cpp: | |
618 | (JSC::JSPromise::create): | |
619 | (JSC::JSPromise::JSPromise): | |
620 | (JSC::JSPromise::finishCreation): | |
621 | (JSC::JSPromise::result): | |
622 | (JSC::JSPromise::destroy): Deleted. | |
623 | (JSC::JSPromise::visitChildren): Deleted. | |
624 | (JSC::JSPromise::reject): Deleted. | |
625 | (JSC::JSPromise::resolve): Deleted. | |
626 | (JSC::JSPromise::appendResolveReaction): Deleted. | |
627 | (JSC::JSPromise::appendRejectReaction): Deleted. | |
628 | (JSC::triggerPromiseReactions): Deleted. | |
629 | * runtime/JSPromise.h: | |
630 | (JSC::JSPromise::status): Deleted. | |
631 | (JSC::JSPromise::result): Deleted. | |
632 | (JSC::JSPromise::constructor): Deleted. | |
633 | * runtime/JSPromiseConstructor.cpp: | |
634 | (JSC::constructPromise): | |
635 | (JSC::JSPromiseConstructorFuncResolve): Deleted. | |
636 | (JSC::JSPromiseConstructorFuncReject): Deleted. | |
637 | (JSC::performPromiseRaceLoop): Deleted. | |
638 | (JSC::JSPromiseConstructorFuncRace): Deleted. | |
639 | (JSC::performPromiseAll): Deleted. | |
640 | (JSC::JSPromiseConstructorFuncAll): Deleted. | |
641 | * runtime/JSPromiseDeferred.cpp: | |
642 | (JSC::JSPromiseDeferred::create): | |
643 | (JSC::createJSPromiseDeferredFromConstructor): Deleted. | |
644 | (JSC::updateDeferredFromPotentialThenable): Deleted. | |
645 | (JSC::performDeferredResolve): Deleted. | |
646 | (JSC::performDeferredReject): Deleted. | |
647 | (JSC::abruptRejection): Deleted. | |
648 | * runtime/JSPromiseDeferred.h: | |
649 | * runtime/JSPromiseFunctions.cpp: Removed. | |
650 | (JSC::deferredConstructionFunction): Deleted. | |
651 | (JSC::createDeferredConstructionFunction): Deleted. | |
652 | (JSC::identifyFunction): Deleted. | |
653 | (JSC::createIdentifyFunction): Deleted. | |
654 | (JSC::promiseAllCountdownFunction): Deleted. | |
655 | (JSC::createPromiseAllCountdownFunction): Deleted. | |
656 | (JSC::promiseResolutionHandlerFunction): Deleted. | |
657 | (JSC::createPromiseResolutionHandlerFunction): Deleted. | |
658 | (JSC::rejectPromiseFunction): Deleted. | |
659 | (JSC::createRejectPromiseFunction): Deleted. | |
660 | (JSC::resolvePromiseFunction): Deleted. | |
661 | (JSC::createResolvePromiseFunction): Deleted. | |
662 | (JSC::throwerFunction): Deleted. | |
663 | (JSC::createThrowerFunction): Deleted. | |
664 | * runtime/JSPromisePrototype.cpp: | |
665 | (JSC::JSPromisePrototypeFuncThen): Deleted. | |
666 | * runtime/JSPromiseReaction.cpp: Removed. | |
667 | (JSC::createExecutePromiseReactionMicrotask): Deleted. | |
668 | (JSC::ExecutePromiseReactionMicrotask::run): Deleted. | |
669 | (JSC::JSPromiseReaction::create): Deleted. | |
670 | (JSC::JSPromiseReaction::JSPromiseReaction): Deleted. | |
671 | (JSC::JSPromiseReaction::finishCreation): Deleted. | |
672 | (JSC::JSPromiseReaction::visitChildren): Deleted. | |
673 | * runtime/VM.cpp: | |
674 | (JSC::VM::VM): Deleted. | |
675 | * runtime/VM.h: | |
676 | ||
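
The entry above lists the ES6 abstract operations it implements in builtin JS (createResolvingFunctions, fulfillPromise, rejectPromise, triggerPromiseReactions, newPromiseCapability, promiseReactionJob, promiseResolveThenableJob) and an @enqueueJob hook for posting microtasks. The block below is an added example, not JSC's builtins: a compact rendering of those operations in plain JavaScript, with an explicit job queue standing in for @enqueueJob and a drainJobs() helper so that behaviour can be checked synchronously. The MiniPromise class, the queue and the settledValue helper are this example's own names; the security-relevant details it keeps are the shared [[AlreadyResolved]] flag that makes a resolve/reject pair one-shot, the self-resolution TypeError, the guarded Get of `then` (a throwing getter rejects instead of escaping) and the rule that a thenable's `then` is only ever called from a job, never synchronously inside resolve.

```javascript
// Added example, not JSC's builtins: the ES6 Promise abstract operations in
// plain JavaScript. Jobs go to an explicit queue (standing in for @enqueueJob)
// that drainJobs() runs, so results can be inspected synchronously.
const jobQueue = [];
function enqueueJob(job) { jobQueue.push(job); }
function drainJobs() { while (jobQueue.length) jobQueue.shift()(); }
function isObject(v) { return v !== null && (typeof v === "object" || typeof v === "function"); }

class MiniPromise {
  constructor(executor) {
    this._state = "pending"; this._result = undefined;
    this._fulfillReactions = []; this._rejectReactions = [];
    const { resolve, reject } = createResolvingFunctions(this);
    try { executor(resolve, reject); } catch (e) { reject(e); } // abrupt executor -> rejection
  }
  then(onFulfilled, onRejected) {
    const capability = newPromiseCapability(MiniPromise);
    const fulfillReaction = { capability, handler: typeof onFulfilled === "function" ? onFulfilled : "Identity" };
    const rejectReaction = { capability, handler: typeof onRejected === "function" ? onRejected : "Thrower" };
    if (this._state === "pending") {
      this._fulfillReactions.push(fulfillReaction); this._rejectReactions.push(rejectReaction);
    } else if (this._state === "fulfilled") {
      enqueueJob(() => promiseReactionJob(fulfillReaction, this._result));
    } else {
      enqueueJob(() => promiseReactionJob(rejectReaction, this._result));
    }
    return capability.promise;
  }
  catch(onRejected) { return this.then(undefined, onRejected); }
}

// CreateResolvingFunctions: one shared [[AlreadyResolved]] flag makes the pair one-shot.
function createResolvingFunctions(promise) {
  let alreadyResolved = false;
  const resolve = (resolution) => {
    if (alreadyResolved) return;
    alreadyResolved = true;
    if (resolution === promise) { rejectPromise(promise, new TypeError("promise resolved with itself")); return; }
    if (!isObject(resolution)) { fulfillPromise(promise, resolution); return; }
    let then;
    try { then = resolution.then; } // Get(resolution, "then") may run an untrusted getter
    catch (e) { rejectPromise(promise, e); return; }
    if (typeof then !== "function") { fulfillPromise(promise, resolution); return; }
    enqueueJob(() => promiseResolveThenableJob(promise, resolution, then)); // never call then synchronously
  };
  const reject = (reason) => {
    if (alreadyResolved) return;
    alreadyResolved = true;
    rejectPromise(promise, reason);
  };
  return { resolve, reject };
}

function fulfillPromise(promise, value) { settle(promise, "fulfilled", value, promise._fulfillReactions); }
function rejectPromise(promise, reason) { settle(promise, "rejected", reason, promise._rejectReactions); }
function settle(promise, state, result, reactions) {
  promise._result = result; promise._state = state;
  promise._fulfillReactions = undefined; promise._rejectReactions = undefined; // consumed exactly once
  triggerPromiseReactions(reactions, result);
}
function triggerPromiseReactions(reactions, argument) {
  for (const reaction of reactions) enqueueJob(() => promiseReactionJob(reaction, argument));
}

// NewPromiseCapability: the executor may be called only once and must hand back callables.
function newPromiseCapability(C) {
  const capability = { promise: undefined, resolve: undefined, reject: undefined };
  const promise = new C((resolve, reject) => {
    if (capability.resolve !== undefined || capability.reject !== undefined) throw new TypeError("executor already invoked");
    capability.resolve = resolve; capability.reject = reject;
  });
  if (typeof capability.resolve !== "function" || typeof capability.reject !== "function") throw new TypeError("bad capability");
  capability.promise = promise;
  return capability;
}

function promiseReactionJob(reaction, argument) {
  const { capability, handler } = reaction;
  if (handler === "Identity") { capability.resolve(argument); return; }
  if (handler === "Thrower") { capability.reject(argument); return; }
  let handlerResult;
  try { handlerResult = handler(argument); } catch (e) { capability.reject(e); return; }
  capability.resolve(handlerResult);
}

function promiseResolveThenableJob(promise, thenable, then) {
  const { resolve, reject } = createResolvingFunctions(promise); // fresh one-shot pair for the thenable
  try { then.call(thenable, resolve, reject); } catch (e) { reject(e); }
}

// Helper for inspection: drain the queue and report how the promise settled.
function settledValue(promise) {
  let out = { state: "pending", value: undefined };
  promise.then(v => { out = { state: "fulfilled", value: v }; }, e => { out = { state: "rejected", value: e }; });
  drainJobs();
  return out;
}
```

A real engine hands the jobs to the host's microtask queue instead of drainJobs(); everything else, including the ordering of reaction jobs, is what the spec's algorithms require.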
677 | 2015-07-04 Chris Dumez <cdumez@apple.com> | |
678 | ||
679 | Drop RefPtr::clear() method | |
680 | https://bugs.webkit.org/show_bug.cgi?id=146556 | |
681 | ||
682 | Reviewed by Brady Eidson. | |
683 | ||
684 | Drop RefPtr::clear() method in favor of "= nullptr;" pattern. | |
685 | ||
686 | 2015-07-03 Dan Bernstein <mitz@apple.com> | |
687 | ||
688 | Just give up on -Wunreachable-code in JavaScriptCore. | |
689 | ||
690 | * Configurations/Base.xcconfig: | |
691 | * llint/LowLevelInterpreter.cpp: | |
692 | (JSC::CLoop::execute): | |
693 | ||
694 | 2015-07-03 Dan Bernstein <mitz@apple.com> | |
695 | ||
696 | Fixed the LLINT CLoop build. | |
697 | ||
698 | * llint/LowLevelInterpreter.cpp: | |
699 | (JSC::CLoop::execute): | |
700 | ||
701 | 2015-07-03 Dan Bernstein <mitz@apple.com> | |
702 | ||
703 | [Xcode] Update some build settings as recommended by Xcode 7 | |
704 | https://bugs.webkit.org/show_bug.cgi?id=146597 | |
705 | ||
706 | Reviewed by Sam Weinig. | |
707 | ||
708 | * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and | |
709 | GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING. | |
710 | ||
711 | * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck. | |
712 | ||
713 | * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings. | |
714 | ||
715 | 2015-07-03 Yusuke Suzuki <utatane.tea@gmail.com> | |
716 | ||
717 | Relax builtin JS restriction about try-catch | |
718 | https://bugs.webkit.org/show_bug.cgi?id=146555 | |
719 | ||
720 | Reviewed by Sam Weinig. | |
721 | ||
722 | When retrieving the captured variables from the full activated scope, | |
723 | it swapped the given vector with the stored declared variables vector. | |
724 | This is because retrieving the captured variables is executed in the | |
725 | last sequence of the parser, so the declared variables are no longer used. | |
726 | However, in the builtin functions case, after retrieving the captured | |
727 | variables, we check the variables by using the declared variables vector. | |
728 | So at that time, the declared variables vector becomes empty and it | |
729 | raises assertion failures when the builtin function contains the full | |
730 | activated scope. try-catch's catch scope requires the upper scope to be fully | |
731 | activated, so JS code in the builtins cannot use try-catch. | |
732 | ||
733 | This patch relaxes this restriction. When retrieving the captured | |
734 | variables from the scope, just copy to the given vector. | |
735 | ||
736 | * parser/Parser.h: | |
737 | (JSC::Scope::getCapturedVariables): | |
738 | ||
739 | 2015-07-02 Filip Pizlo <fpizlo@apple.com> | |
740 | ||
741 | DFG and FTL should have an OSR exit fuzzer | |
742 | https://bugs.webkit.org/show_bug.cgi?id=146562 | |
743 | ||
744 | Reviewed by Benjamin Poulain. | |
745 | ||
746 | Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I | |
747 | spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how | |
748 | to harness this after I land it. | |
749 | ||
750 | Since it's turned off by default, it should have no effect on behavior. | |
751 | ||
752 | * CMakeLists.txt: | |
753 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
754 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
755 | * dfg/DFGOSRExitFuzz.cpp: Added. | |
756 | (JSC::numberOfOSRExitFuzzChecks): | |
757 | * dfg/DFGOSRExitFuzz.h: Added. | |
758 | * dfg/DFGSpeculativeJIT.cpp: | |
759 | (JSC::DFG::SpeculativeJIT::emitGetArgumentStart): | |
760 | (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck): | |
761 | (JSC::DFG::SpeculativeJIT::speculationCheck): | |
762 | * dfg/DFGSpeculativeJIT.h: | |
763 | * ftl/FTLLowerDFGToLLVM.cpp: | |
764 | (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit): | |
765 | * jsc.cpp: | |
766 | (jscmain): | |
767 | * runtime/Options.h: | |
768 | * runtime/TestRunnerUtils.h: | |
769 | ||
770 | 2015-07-02 Saam barati <saambarati1@gmail.com> | |
771 | ||
772 | Rename "Deconstruction" to "Destructuring" throughout JSC | |
773 | https://bugs.webkit.org/show_bug.cgi?id=146100 | |
774 | ||
775 | Reviewed by Mark Lam. | |
776 | ||
777 | It is good to use the same naming conventions as the ES6 | |
778 | spec because it is the de facto way of speaking about these | |
779 | language features. This also has the benefit of improving JSC's | |
780 | hackability because it improves code readability for newcomers | |
781 | to JSC or newcomers to this part of the code base. | |
782 | ||
783 | * bytecompiler/BytecodeGenerator.cpp: | |
784 | (JSC::BytecodeGenerator::generate): | |
785 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
786 | (JSC::BytecodeGenerator::initializeNextParameter): | |
787 | (JSC::BytecodeGenerator::visibleNameForParameter): | |
788 | * bytecompiler/BytecodeGenerator.h: | |
789 | (JSC::BytecodeGenerator::registerFor): | |
790 | * bytecompiler/NodesCodegen.cpp: | |
791 | (JSC::ForInNode::tryGetBoundLocal): | |
792 | (JSC::ForInNode::emitLoopHeader): | |
793 | (JSC::ForOfNode::emitBytecode): | |
794 | (JSC::ClassExprNode::emitBytecode): | |
795 | (JSC::DestructuringAssignmentNode::emitBytecode): | |
796 | (JSC::DestructuringPatternNode::~DestructuringPatternNode): | |
797 | (JSC::ArrayPatternNode::collectBoundIdentifiers): | |
798 | (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted. | |
799 | (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted. | |
800 | * parser/ASTBuilder.h: | |
801 | (JSC::ASTBuilder::createElementList): | |
802 | (JSC::ASTBuilder::createFormalParameterList): | |
803 | (JSC::ASTBuilder::createClause): | |
804 | (JSC::ASTBuilder::createClauseList): | |
805 | (JSC::ASTBuilder::createForInLoop): | |
806 | (JSC::ASTBuilder::createForOfLoop): | |
807 | (JSC::ASTBuilder::isBindingNode): | |
808 | (JSC::ASTBuilder::isResolve): | |
809 | (JSC::ASTBuilder::createDestructuringAssignment): | |
810 | (JSC::ASTBuilder::createArrayPattern): | |
811 | (JSC::ASTBuilder::appendArrayPatternSkipEntry): | |
812 | (JSC::ASTBuilder::appendArrayPatternEntry): | |
813 | (JSC::ASTBuilder::appendArrayPatternRestEntry): | |
814 | (JSC::ASTBuilder::createObjectPattern): | |
815 | (JSC::ASTBuilder::appendObjectPatternEntry): | |
816 | (JSC::ASTBuilder::createDeconstructingAssignment): Deleted. | |
817 | * parser/NodeConstructors.h: | |
818 | (JSC::TryNode::TryNode): | |
819 | (JSC::ParameterNode::ParameterNode): | |
820 | (JSC::ForOfNode::ForOfNode): | |
821 | (JSC::DestructuringPatternNode::DestructuringPatternNode): | |
822 | (JSC::ArrayPatternNode::ArrayPatternNode): | |
823 | (JSC::ArrayPatternNode::create): | |
824 | (JSC::ObjectPatternNode::ObjectPatternNode): | |
825 | (JSC::BindingNode::create): | |
826 | (JSC::BindingNode::BindingNode): | |
827 | (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode): | |
828 | (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted. | |
829 | (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted. | |
830 | * parser/Nodes.cpp: | |
831 | (JSC::FunctionParameters::create): | |
832 | * parser/Nodes.h: | |
833 | (JSC::ExpressionNode::isResolveNode): | |
834 | (JSC::ExpressionNode::isBracketAccessorNode): | |
835 | (JSC::ExpressionNode::isDotAccessorNode): | |
836 | (JSC::ExpressionNode::isDestructuringNode): | |
837 | (JSC::ExpressionNode::isFuncExprNode): | |
838 | (JSC::ExpressionNode::isCommaNode): | |
839 | (JSC::ExpressionNode::isSimpleArray): | |
840 | (JSC::ParameterNode::pattern): | |
841 | (JSC::ParameterNode::nextParam): | |
842 | (JSC::FunctionParameters::size): | |
843 | (JSC::FunctionParameters::at): | |
844 | (JSC::FunctionParameters::patterns): | |
845 | (JSC::DestructuringPatternNode::isBindingNode): | |
846 | (JSC::DestructuringPatternNode::emitDirectBinding): | |
847 | (JSC::ArrayPatternNode::appendIndex): | |
848 | (JSC::ObjectPatternNode::appendEntry): | |
849 | (JSC::BindingNode::boundProperty): | |
850 | (JSC::DestructuringAssignmentNode::bindings): | |
851 | (JSC::ExpressionNode::isDeconstructionNode): Deleted. | |
852 | (JSC::DeconstructionPatternNode::isBindingNode): Deleted. | |
853 | (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted. | |
854 | (JSC::DeconstructingAssignmentNode::bindings): Deleted. | |
855 | * parser/Parser.cpp: | |
856 | (JSC::Parser<LexerType>::parseVarDeclaration): | |
857 | (JSC::Parser<LexerType>::parseWhileStatement): | |
858 | (JSC::Parser<LexerType>::parseVarDeclarationList): | |
859 | (JSC::Parser<LexerType>::createBindingPattern): | |
860 | (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression): | |
861 | (JSC::Parser<LexerType>::parseDestructuringPattern): | |
862 | (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern): | |
863 | (JSC::Parser<LexerType>::parseForStatement): | |
864 | (JSC::Parser<LexerType>::parseFormalParameters): | |
865 | (JSC::Parser<LexerType>::parseFunctionParameters): | |
866 | (JSC::Parser<LexerType>::parseAssignmentExpression): | |
867 | (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted. | |
868 | (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted. | |
869 | (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted. | |
870 | * parser/Parser.h: | |
871 | (JSC::isEvalNode): | |
872 | * parser/SyntaxChecker.h: | |
873 | (JSC::SyntaxChecker::createPropertyList): | |
874 | (JSC::SyntaxChecker::createElementList): | |
875 | (JSC::SyntaxChecker::createFormalParameterList): | |
876 | (JSC::SyntaxChecker::createClause): | |
877 | (JSC::SyntaxChecker::createClauseList): | |
878 | (JSC::SyntaxChecker::operatorStackPop): | |
879 | * tests/stress/reserved-word-with-escape.js: | |
880 | * tests/stress/rest-elements.js: | |
881 | ||
882 | 2015-07-02 Mark Lam <mark.lam@apple.com> | |
883 | ||
884 | Build fix for Win EWS bot. | |
885 | https://bugs.webkit.org/show_bug.cgi?id=146551 | |
886 | ||
887 | Not reviewed. | |
888 | ||
889 | * tools/JSDollarVMPrototype.cpp: | |
890 | (JSC::functionCrash): | |
891 | ||
892 | 2015-07-02 Dan Bernstein <mitz@apple.com> | |
893 | ||
894 | <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks | |
895 | https://bugs.webkit.org/show_bug.cgi?id=146542 | |
896 | ||
897 | Reviewed by Sam Weinig. | |
898 | ||
899 | * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink. | |
900 | ||
901 | 2015-07-01 Joseph Pecoraro <pecoraro@apple.com> | |
902 | ||
903 | Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes | |
904 | https://bugs.webkit.org/show_bug.cgi?id=146536 | |
905 | ||
906 | Reviewed by Timothy Hatcher. | |
907 | ||
908 | * inspector/protocol/Timeline.json: | |
909 | Change a CPUProfile from sending a required "calls" param to sending a required | |
910 | "callInfo" param which includes aggregated information about the calls. | |
911 | ||
912 | 2015-06-30 Filip Pizlo <fpizlo@apple.com> | |
913 | ||
914 | DFG::freezeFragile should register the frozen value's structure | |
915 | https://bugs.webkit.org/show_bug.cgi?id=136055 | |
916 | rdar://problem/21042120 | |
917 | ||
918 | Reviewed by Mark Lam and Geoffrey Garen. | |
919 | ||
920 | This fixes weird concurrency bugs where the constant folding phase tries to convert | |
921 | something to a constant but then crashes because the constant's structure wasn't | |
922 | registered. The AI was registering the structure of any value it saw, but constant folding | |
923 | wasn't - and that's fine so long as there ain't no concurrency. | |
924 | ||
925 | The best fix is to just make it impossible to introduce a constant into the IR without | |
926 | registering its structure. That's what this change does. This is not only a great | |
927 | concurrency fix - it also makes the compiler somewhat easier to hack on because it's one | |
928 | less case of structure registering that you have to remember about. | |
929 | ||
930 | * dfg/DFGAbstractValue.cpp: | |
931 | (JSC::DFG::AbstractValue::setOSREntryValue): No need to register. | |
932 | (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state. | |
933 | * dfg/DFGGraph.cpp: | |
934 | (JSC::DFG::Graph::freezeFragile): Register the structure. | |
935 | * dfg/DFGStructureRegistrationPhase.cpp: | |
936 | (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered. | |
937 | ||
938 | 2015-07-01 Matthew Mirman <mmirman@apple.com> | |
939 | ||
940 | Unreviewed, rolling out r185889 | |
941 | https://bugs.webkit.org/show_bug.cgi?id=146528 | |
942 | rdar://problem/21573959 | |
943 | ||
944 | Patch breaks chromeexperiments.com | |
945 | ||
946 | Reverted changeset: | |
947 | ||
948 | * CMakeLists.txt: | |
949 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
950 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
951 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
952 | * inspector/InjectedScriptSource.js: | |
953 | (.): | |
954 | * runtime/JSBoundSlotBaseFunction.cpp: Removed. | |
955 | * runtime/JSBoundSlotBaseFunction.h: Removed. | |
956 | * runtime/JSGlobalObject.cpp: | |
957 | (JSC::JSGlobalObject::init): Deleted. | |
958 | (JSC::JSGlobalObject::visitChildren): Deleted. | |
959 | * runtime/JSGlobalObject.h: | |
960 | (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted. | |
961 | * runtime/JSObject.cpp: | |
962 | (JSC::JSObject::getOwnPropertyDescriptor): | |
963 | (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted. | |
964 | * runtime/VM.cpp: | |
965 | (JSC::VM::VM): Deleted. | |
966 | * runtime/VM.h: | |
967 | ||
968 | 2015-07-01 Dean Jackson <dino@apple.com> | |
969 | ||
970 | Disable the experimental WebGL2 implementation | |
971 | https://bugs.webkit.org/show_bug.cgi?id=146526 | |
972 | <rdar://problem/21641235> | |
973 | ||
974 | Reviewed by Myles Maxfield. | |
975 | ||
976 | Add (and disable) an ENABLE_WEBGL2 flag. | |
977 | ||
978 | * Configurations/FeatureDefines.xcconfig: | |
979 | ||
980 | 2015-07-01 Matthew Daiter <mdaiter@apple.com> | |
981 | ||
982 | Enable MEDIA_STREAM flag | |
983 | https://bugs.webkit.org/show_bug.cgi?id=145947 | |
984 | <rdar://problem/21365829> | |
985 | ||
986 | Reviewed by Eric Carlson. | |
987 | ||
988 | * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag | |
989 | ||
990 | 2015-06-30 Andy VanWagoner <thetalecrafter@gmail.com> | |
991 | ||
992 | Implement ECMAScript Internationalization API | |
993 | https://bugs.webkit.org/show_bug.cgi?id=90906 | |
994 | ||
995 | Reviewed by Benjamin Poulain. | |
996 | ||
997 | * CMakeLists.txt: add IntlObject.cpp | |
998 | * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag | |
999 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject | |
1000 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject | |
1001 | * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject | |
1002 | * runtime/CommonIdentifiers.h: add "Intl" name | |
1003 | * runtime/IntlObject.cpp: Added. | |
1004 | (JSC::IntlObject::IntlObject): | |
1005 | (JSC::IntlObject::create): | |
1006 | (JSC::IntlObject::finishCreation): | |
1007 | (JSC::IntlObject::createStructure): | |
1008 | * runtime/IntlObject.h: Added. | |
1009 | * runtime/JSGlobalObject.cpp: Add global Intl | |
1010 | (JSC::JSGlobalObject::init): | |
1011 | ||
1012 | 2015-06-30 Basile Clement <basile_clement@apple.com> | |
1013 | ||
1014 | Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes | |
1015 | https://bugs.webkit.org/show_bug.cgi?id=146431 | |
1016 | ||
1017 | Reviewed by Filip Pizlo. | |
1018 | ||
1019 | * dfg/DFGNode.h: | |
1020 | (JSC::DFG::Node::isFunctionAllocation): | |
1021 | (JSC::DFG::Node::isPhantomFunctionAllocation): | |
1022 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
1023 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
1024 | * dfg/DFGPromoteHeapAccess.h: | |
1025 | (JSC::DFG::promoteHeapAccess): | |
1026 | ||
1027 | 2015-06-30 Matt Baker <mattbaker@apple.com> | |
1028 | ||
1029 | Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing | |
1030 | https://bugs.webkit.org/show_bug.cgi?id=146168 | |
1031 | ||
1032 | Reviewed by Brian Burg. | |
1033 | ||
1034 | * inspector/protocol/Timeline.json: | |
1035 | New timeline record type for compositing events. | |
1036 | ||
1037 | 2015-06-29 Dean Jackson <dino@apple.com> | |
1038 | ||
1039 | Temporarily disable PICTURE_SIZES | |
1040 | https://bugs.webkit.org/show_bug.cgi?id=146435 | |
1041 | <rdar://problem/21087013> | |
1042 | ||
1043 | Reviewed by Tim Horton. | |
1044 | ||
1045 | Temporarily disable PICTURE_SIZES because it causes problems with out | |
1046 | of date <picture> polyfills. | |
1047 | ||
1048 | * Configurations/FeatureDefines.xcconfig: | |
1049 | ||
1050 | 2015-06-29 Youenn Fablet <youenn.fablet@crf.canon.fr> | |
1051 | ||
1052 | Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue | |
1053 | https://bugs.webkit.org/show_bug.cgi?id=146403 | |
1054 | ||
1055 | Reviewed by Darin Adler. | |
1056 | ||
1057 | * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue. | |
1058 | ||
1059 | 2015-06-28 Aleksandr Skachkov <gskachkov@gmail.com> | |
1060 | ||
1061 | [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and => | |
1062 | https://bugs.webkit.org/show_bug.cgi?id=146394 | |
1063 | ||
1064 | Reviewed by Yusuke Suzuki. | |
1065 | ||
1066 | * parser/Parser.cpp: | |
1067 | (JSC::Parser<LexerType>::parseFunctionInfo): | |
1068 | ||
1069 | 2015-06-27 Darin Adler <darin@apple.com> | |
1070 | ||
1071 | Make converting JSString to StringView idiomatically safe | |
1072 | https://bugs.webkit.org/show_bug.cgi?id=146387 | |
1073 | ||
1074 | Reviewed by Anders Carlsson. | |
1075 | ||
1076 | * jsc.cpp: | |
1077 | (functionPrint): Add explicit call to SafeView::get, needed since there | |
1078 | is no StringView temporary. | |
1079 | (functionDebug): Ditto. | |
1080 | ||
1081 | * runtime/ArrayPrototype.cpp: | |
1082 | (JSC::holesMustForwardToPrototype): Refactored into helper function. | |
1083 | (JSC::join): Refactored so that StringView is a function argument, making | |
1084 | the lifetime simpler. | |
1085 | (JSC::arrayProtoFuncJoin): Ditto. | |
1086 | (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper. | |
1087 | ||
1088 | * runtime/JSGlobalObjectFunctions.cpp: | |
1089 | (JSC::encode): Add explicit call to SafeView::get. | |
1090 | ||
1091 | * runtime/JSString.h: Moved declarations of functions to the top of the | |
1092 | file instead of mixing them in with the function definitions. Changed | |
1093 | return type of the view function to return a JSString::SafeView so that | |
1094 | the JSString's lifetime will last as long as the StringView does in | |
1095 | typical coding idioms. | |
1096 | (JSC::JSString::getIndex): Use unsafeView so we can index into the | |
1097 | view; could also have used view.get but here in this class this seems fine. | |
1098 | (JSC::JSRopeString::unsafeView): Renamed existing view function to this. | |
1099 | (JSC::JSString::unsafeView): Ditto. | |
1100 | (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState | |
1101 | and a JSString. The ExecState is needed to create the StringView, and the | |
1102 | JSString needs to be kept alive as long as the StringView is. | |
1103 | (JSC::JSString::SafeView::operator StringView): Call unsafeView. | |
1104 | (JSC::JSString::SafeView::get): Convenience for when we want to call | |
1105 | StringView member functions. | |
1106 | (JSC::JSString::view): Added. Returns a SafeView. | |
1107 | ||
1108 | * runtime/StringPrototype.cpp: | |
1109 | (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get. | |
1110 | ||
1111 | 2015-06-26 Csaba Osztrogonác <ossy@webkit.org> | |
1112 | ||
1113 | Remove ARMv7Assembler.cpp | |
1114 | https://bugs.webkit.org/show_bug.cgi?id=146340 | |
1115 | ||
1116 | Reviewed by Filip Pizlo. | |
1117 | ||
1118 | * CMakeLists.txt: | |
1119 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
1120 | * assembler/ARMv7Assembler.cpp: Removed. | |
1121 | ||
1122 | 2015-06-26 Csaba Osztrogonác <ossy@webkit.org> | |
1123 | ||
1124 | Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989 | |
1125 | https://bugs.webkit.org/show_bug.cgi?id=146344 | |
1126 | ||
1127 | Reviewed by Yusuke Suzuki. | |
1128 | ||
1129 | * parser/Parser.cpp: | |
1130 | (JSC::Parser<LexerType>::parseSourceElements): | |
1131 | ||
1132 | 2015-06-26 Aleksandr Skachkov <gskachkov@gmail.com> | |
1133 | ||
1134 | [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. | |
1135 | https://bugs.webkit.org/show_bug.cgi?id=144955 | |
1136 | ||
1137 | Reviewed by Yusuke Suzuki. | |
1138 | ||
1139 | Added support for ES6 arrow functions. Changes were made according to the following spec: http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. The patch does not include any arrow-function-specific behavior, e.g. lexical binding of this, arguments, etc. | |
1140 | This patch implements the simplest cases of arrow function declaration: | |
1141 | parameters () => 10 + 20 | |
1142 | parameter x => x + 20 | |
1143 | parameters (x, y) => x + y | |
1144 | function with block x => { return x*10; } | |
1145 | ||
1146 | Not implemented: | |
1147 | binding of this, arguments, super, etc. | |
1148 | exception when trying to use 'new' with an arrow function | |
1149 | ||
1150 | * parser/ASTBuilder.h: | |
1151 | (JSC::ASTBuilder::createFunctionExpr): | |
1152 | (JSC::ASTBuilder::createArrowFunctionExpr): | |
1153 | (JSC::ASTBuilder::createGetterOrSetterProperty): | |
1154 | (JSC::ASTBuilder::createFuncDeclStatement): | |
1155 | * parser/Lexer.cpp: | |
1156 | (JSC::Lexer<T>::setTokenPosition): | |
1157 | (JSC::Lexer<T>::lex): | |
1158 | * parser/Lexer.h: | |
1159 | (JSC::Lexer::lastTokenLocation): | |
1160 | (JSC::Lexer::setTerminator): | |
1161 | * parser/Parser.cpp: | |
1162 | (JSC::Parser<LexerType>::parseInner): | |
1163 | (JSC::Parser<LexerType>::parseSourceElements): | |
1164 | (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody): | |
1165 | (JSC::Parser<LexerType>::parseSwitchClauses): | |
1166 | (JSC::Parser<LexerType>::parseSwitchDefaultClause): | |
1167 | (JSC::Parser<LexerType>::parseBlockStatement): | |
1168 | (JSC::Parser<LexerType>::parseFunctionBody): | |
1169 | (JSC::stringForFunctionMode): | |
1170 | (JSC::Parser<LexerType>::parseFunctionParameters): | |
1171 | (JSC::Parser<LexerType>::parseFunctionInfo): | |
1172 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
1173 | (JSC::Parser<LexerType>::parseClass): | |
1174 | (JSC::Parser<LexerType>::parseAssignmentExpression): | |
1175 | (JSC::Parser<LexerType>::parsePropertyMethod): | |
1176 | (JSC::Parser<LexerType>::parseGetterSetter): | |
1177 | (JSC::Parser<LexerType>::parseArrowFunctionExpression): | |
1178 | * parser/Parser.h: | |
1179 | (JSC::Parser::locationBeforeLastToken): | |
1180 | (JSC::Parser::isEndOfArrowFunction): | |
1181 | (JSC::Parser::isArrowFunctionParamters): | |
1182 | (JSC::Parser::setEndOfStatement): | |
1183 | * parser/ParserFunctionInfo.h: | |
1184 | * parser/ParserTokens.h: | |
1185 | * parser/SourceCode.h: | |
1186 | (JSC::SourceCode::subArrowExpression): | |
1187 | * parser/SourceProviderCacheItem.h: | |
1188 | (JSC::SourceProviderCacheItem::endFunctionToken): | |
1189 | (JSC::SourceProviderCacheItem::SourceProviderCacheItem): | |
1190 | * parser/SyntaxChecker.h: | |
1191 | (JSC::SyntaxChecker::createArrowFunctionExpr): | |
1192 | (JSC::SyntaxChecker::setFunctionNameStart): | |
1193 | ||
1194 | 2015-06-25 Yusuke Suzuki <utatane.tea@gmail.com> | |
1195 | ||
1196 | [ES6] Support rest element in destructuring assignments | |
1197 | https://bugs.webkit.org/show_bug.cgi?id=146206 | |
1198 | ||
1199 | Reviewed by Oliver Hunt. | |
1200 | ||
1201 | This patch enables rest element (...rest) in array binding patterns. | |
1202 | It generates array from the iterables. | |
1203 | In variable declarations and parameters, only the `[...identifier]` form is allowed, | |
1204 | while expressions can take the `[...[...rest]]` pattern. | |
1205 | ||
1206 | * bytecompiler/BytecodeGenerator.cpp: | |
1207 | (JSC::BytecodeGenerator::emitEnumeration): | |
1208 | (JSC::BytecodeGenerator::emitIteratorNext): | |
1209 | * bytecompiler/BytecodeGenerator.h: | |
1210 | * bytecompiler/NodesCodegen.cpp: | |
1211 | (JSC::ArrayPatternNode::bindValue): | |
1212 | (JSC::ArrayPatternNode::toString): | |
1213 | * parser/ASTBuilder.h: | |
1214 | (JSC::ASTBuilder::appendArrayPatternSkipEntry): | |
1215 | (JSC::ASTBuilder::appendArrayPatternEntry): | |
1216 | (JSC::ASTBuilder::appendArrayPatternRestEntry): | |
1217 | * parser/Nodes.h: | |
1218 | (JSC::ArrayPatternNode::appendIndex): | |
1219 | * parser/Parser.cpp: | |
1220 | (JSC::Parser<LexerType>::parseDeconstructionPattern): | |
1221 | * parser/SyntaxChecker.h: | |
1222 | (JSC::SyntaxChecker::operatorStackPop): | |
1223 | * tests/stress/rest-elements.js: Added. | |
1224 | (shouldBe): | |
1225 | (shouldThrow): | |
1226 | ||
1227 | 2015-06-25 Commit Queue <commit-queue@webkit.org> | |
1228 | ||
1229 | Unreviewed, rolling out r185956. | |
1230 | https://bugs.webkit.org/show_bug.cgi?id=146321 | |
1231 | ||
1232 | Causes massive crashes on test bots (Requested by bfulgham on | |
1233 | #webkit). | |
1234 | ||
1235 | Reverted changeset: | |
1236 | ||
1237 | "Enabling MEDIA_STREAM" | |
1238 | https://bugs.webkit.org/show_bug.cgi?id=145947 | |
1239 | http://trac.webkit.org/changeset/185956 | |
1240 | ||
1241 | 2015-06-25 Michael Saboff <msaboff@apple.com> | |
1242 | ||
1243 | Minor fix to idx bounds check after 185954 | |
1244 | ||
1245 | Rubber Stamped by Ryosuke Niwa. | |
1246 | ||
1247 | Changed "idx > 1" to "idx > 0" in two places. | |
1248 | ||
1249 | * runtime/ExceptionHelpers.cpp: | |
1250 | (JSC::functionCallBase): | |
1251 | ||
1252 | 2015-06-25 Keith Miller <keith_miller@apple.com> | |
1253 | ||
1254 | Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack. | |
1255 | https://bugs.webkit.org/show_bug.cgi?id=146297 | |
1256 | ||
1257 | Reviewed by Filip Pizlo. | |
1258 | ||
1259 | Since we cannot blacklist the system memcpy we must use our own naive implementation, | |
1260 | copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is | |
1261 | only called as part of an O(heapsize) operation. As the heap is generally much larger | |
1262 | than the stack the performance hit is minimal. | |
1263 | ||
1264 | * heap/MachineStackMarker.cpp: | |
1265 | (JSC::copyMemory): | |
1266 | (JSC::MachineThreads::tryCopyOtherThreadStack): | |
1267 | (JSC::asanUnsafeMemcpy): Deleted. | |
1268 | ||
1269 | 2015-06-25 Matthew Daiter <mdaiter@apple.com> | |
1270 | ||
1271 | Enabling MEDIA_STREAM | |
1272 | https://bugs.webkit.org/show_bug.cgi?id=145947 | |
1273 | <rdar://problem/21365829> | |
1274 | ||
1275 | Reviewed by Brent Fulgham. | |
1276 | ||
1277 | * Configurations/FeatureDefines.xcconfig: | |
1278 | ||
1279 | 2015-06-25 Michael Saboff <msaboff@apple.com> | |
1280 | ||
1281 | REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689) | |
1282 | https://bugs.webkit.org/show_bug.cgi?id=146298 | |
1283 | ||
1284 | Reviewed by Mark Lam. | |
1285 | ||
1286 | We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right-to-left | |
1287 | string index. Added checks that idx stays within the string. Also added a termination | |
1288 | condition when idx is 0. | |
1289 | ||
1290 | * runtime/ExceptionHelpers.cpp: | |
1291 | (JSC::functionCallBase): | |
1292 | ||
1293 | 2015-06-24 Chris Dumez <cdumez@apple.com> | |
1294 | ||
1295 | Unreviewed, speculative build fix after r185942. | |
1296 | ||
1297 | Add missing include for StrongInlines.h. | |
1298 | ||
1299 | * runtime/ArrayPrototype.cpp: | |
1300 | ||
1301 | 2015-06-24 Darin Adler <darin@apple.com> | |
1302 | ||
1303 | Optimize Array.join and Array.reverse for high speed array types | |
1304 | https://bugs.webkit.org/show_bug.cgi?id=146275 | |
1305 | ||
1306 | Reviewed by Mark Lam. | |
1307 | ||
1308 | This seems to yield another 17% speed improvement in the array | |
1309 | test from the Peacekeeper benchmark. | |
1310 | ||
1311 | * runtime/ArrayPrototype.cpp: | |
1312 | (JSC::isHole): Added. Helper to check for holes. | |
1313 | (JSC::containsHole): Ditto. | |
1314 | (JSC::arrayProtoFuncJoin): Added special cases for the various types | |
1315 | of arrays that could be in a butterfly. | |
1316 | (JSC::arrayProtoFuncReverse): Ditto. | |
1317 | ||
1318 | * runtime/JSStringJoiner.h: Made appendEmptyString public so we can | |
1319 | call it from the new parts of Array.join. | |
1320 | ||
1321 | 2015-06-24 Filip Pizlo <fpizlo@apple.com> | |
1322 | ||
1323 | DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear | |
1324 | https://bugs.webkit.org/show_bug.cgi?id=146291 | |
1325 | rdar://problem/21435366 | |
1326 | ||
1327 | Reviewed by Michael Saboff. | |
1328 | ||
1329 | The filter() method returns Contradiction only when a value *becomes* clear. This is | |
1330 | necessary for supporting the convention that non-JSValue nodes have a bottom proved | |
1331 | type. (We should fix that convention eventually, but for now let's just be consistent | |
1332 | about it.) | |
1333 | ||
1334 | * dfg/DFGFiltrationResult.h: Document the issue. | |
1335 | * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue. | |
1336 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): | |
1337 | (JSC::DFG::SpeculativeJIT::fillSpeculateCell): | |
1338 | (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): | |
1339 | * dfg/DFGSpeculativeJIT64.cpp: Work around the issue. | |
1340 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): | |
1341 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): | |
1342 | (JSC::DFG::SpeculativeJIT::fillSpeculateCell): | |
1343 | (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): | |
1344 | ||
1345 | 2015-06-24 Michael Saboff <msaboff@apple.com> | |
1346 | ||
1347 | Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo | |
1348 | https://bugs.webkit.org/show_bug.cgi?id=146285 | |
1349 | ||
1350 | Reviewed by Filip Pizlo. | |
1351 | ||
1352 | CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains | |
1353 | a collection of PolymorphicCallNode. Those PolymorphicCallNodes have a reference back to the | |
1354 | CallLinkInfo. When a CallLinkInfo replaces or clears "stub", the ref count of the | |
1355 | PolymorphicCallStubRoutine is decremented as expected, but since it inherits from | |
1356 | GCAwareJITStubRoutine, it isn't actually deleted until GC. In the mean time, the original | |
1357 | CallLinkInfo can go away. If PolymorphicCallNode::unlink() is called at that point, | |
1358 | it will try to unlink a now deleted CallLinkInfo and crash as a result. | |
1359 | ||
1360 | The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when | |
1361 | we set a new stub or clear an existing stub for a CallLinkInfo. This is done by | |
1362 | calling PolymorphicCallNode::clearCallNodesFor() on the old stub. | |
1363 | ||
1364 | The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor. | |
1365 | This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo. | |
1366 | Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo. | |
1367 | ||
1368 | In the process I refactored CallLinkInfo from a struct to a class with proper accessors and | |
1369 | made all the data elements private. | |
1370 | ||
1371 | * bytecode/CallLinkInfo.cpp: | |
1372 | (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor() | |
1373 | to clear the back references to this CallLinkInfo. | |
1374 | * bytecode/CallLinkInfo.h: | |
1375 | (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub(). | |
1376 | (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub. | |
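The ownership problem described in this entry, as an added example that is not JavaScriptCore code: a simplified model of CallLinkInfo, PolymorphicCallStubRoutine and PolymorphicCallNode in which the stub outlives the CallLinkInfo (a shared_ptr held by the caller stands in for GC-delayed deletion). The `clearOldStubOnSet` flag, `liveBackReferences()` and `staleBackReferencesAfterReplace()` are assumptions made for the demonstration; only the class and method names come from the entry.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

class CallLinkInfo;

// Node inside a stub routine holding a raw back-reference to the CallLinkInfo
// it was linked for. This is the pointer that goes stale in the crash above.
class PolymorphicCallNode {
public:
    explicit PolymorphicCallNode(CallLinkInfo* info) : m_callLinkInfo(info) {}
    void clearCallLinkInfo() { m_callLinkInfo = nullptr; }
    CallLinkInfo* callLinkInfo() const { return m_callLinkInfo; }
    bool hasCallLinkInfo() const { return m_callLinkInfo != nullptr; }
private:
    CallLinkInfo* m_callLinkInfo;
};

// Reference-counted stub. In the engine its storage is reclaimed only at GC
// time, so a dropped stub can outlive the CallLinkInfo that created it; the
// shared_ptr kept by the caller below plays the role of that delayed deletion.
class PolymorphicCallStubRoutine {
public:
    void addNode(CallLinkInfo* info) { m_nodes.emplace_back(info); }

    // Sever every back-reference to `info` (called while `info` is still alive).
    void clearCallNodesFor(CallLinkInfo* info) {
        for (PolymorphicCallNode& node : m_nodes) {
            if (node.callLinkInfo() == info)
                node.clearCallLinkInfo();
        }
    }

    // Assumed helper: how many nodes still carry a non-null back-reference.
    std::size_t liveBackReferences() const {
        std::size_t count = 0;
        for (const PolymorphicCallNode& node : m_nodes) {
            if (node.hasCallLinkInfo())
                ++count;
        }
        return count;
    }
private:
    std::vector<PolymorphicCallNode> m_nodes;
};

class CallLinkInfo {
public:
    // clearOldStubOnSet == false models the pre-fix behaviour, where only the
    // destructor cleared back-references, and only in the last stub held.
    explicit CallLinkInfo(bool clearOldStubOnSet) : m_clearOldStubOnSet(clearOldStubOnSet) {}
    ~CallLinkInfo() { clearStub(); }

    void setStub(std::shared_ptr<PolymorphicCallStubRoutine> stub) {
        if (m_clearOldStubOnSet)
            clearStub();  // the fix: clear the old stub's references to this object first
        m_stub = std::move(stub);
    }

    void clearStub() {
        if (m_stub)
            m_stub->clearCallNodesFor(this);
        m_stub.reset();
    }
private:
    bool m_clearOldStubOnSet;
    std::shared_ptr<PolymorphicCallStubRoutine> m_stub;
};

// Links a stub, replaces it with a second one, then destroys the CallLinkInfo
// while the first stub is still allocated (as it is until GC). Returns how many
// nodes in the first stub still point at the destroyed CallLinkInfo; any
// non-zero result is a dangling pointer waiting for PolymorphicCallNode::unlink().
std::size_t staleBackReferencesAfterReplace(bool clearOldStubOnSet) {
    auto firstStub = std::make_shared<PolymorphicCallStubRoutine>();
    auto secondStub = std::make_shared<PolymorphicCallStubRoutine>();
    {
        CallLinkInfo info(clearOldStubOnSet);
        firstStub->addNode(&info);
        firstStub->addNode(&info);
        info.setStub(firstStub);
        secondStub->addNode(&info);
        info.setStub(secondStub);  // firstStub is dropped here but stays allocated
    }  // ~CallLinkInfo runs and only sees secondStub
    return firstStub->liveBackReferences();
}

int main() {
    std::printf("before fix: %zu stale back-references\n", staleBackReferencesAfterReplace(false));
    std::printf("after fix:  %zu stale back-references\n", staleBackReferencesAfterReplace(true));
    return 0;
}
```

The model never dereferences the stale pointer; it only counts it, which is the check a unit test for this class of bug can make without tripping a sanitizer.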
1377 | ||
1378 | 2015-06-24 Michael Saboff <msaboff@apple.com> | |
1379 | ||
1380 | Refactor CallLinkInfo from a struct to a class | |
1381 | https://bugs.webkit.org/show_bug.cgi?id=146292 | |
1382 | ||
1383 | Rubber stamped by Filip Pizlo. | |
1384 | ||
1385 | Refactored CallLinkInfo from a struct to a class with proper accessors and made all the | |
1386 | data elements private. | |
1387 | ||
1388 | Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285. | |
1389 | ||
1390 | * bytecode/CallLinkInfo.cpp: | |
1391 | (JSC::CallLinkInfo::clearStub): | |
1392 | (JSC::CallLinkInfo::unlink): | |
1393 | (JSC::CallLinkInfo::visitWeak): | |
1394 | * bytecode/CallLinkInfo.h: | |
1395 | (JSC::CallLinkInfo::callTypeFor): | |
1396 | (JSC::CallLinkInfo::CallLinkInfo): | |
1397 | (JSC::CallLinkInfo::~CallLinkInfo): | |
1398 | (JSC::CallLinkInfo::specializationKindFor): | |
1399 | (JSC::CallLinkInfo::specializationKind): | |
1400 | (JSC::CallLinkInfo::isLinked): | |
1401 | (JSC::CallLinkInfo::setUpCall): | |
1402 | (JSC::CallLinkInfo::setCallLocations): | |
1403 | (JSC::CallLinkInfo::setUpCallFromFTL): | |
1404 | (JSC::CallLinkInfo::callReturnLocation): | |
1405 | (JSC::CallLinkInfo::hotPathBegin): | |
1406 | (JSC::CallLinkInfo::hotPathOther): | |
1407 | (JSC::CallLinkInfo::setCallee): | |
1408 | (JSC::CallLinkInfo::clearCallee): | |
1409 | (JSC::CallLinkInfo::callee): | |
1410 | (JSC::CallLinkInfo::setLastSeenCallee): | |
1411 | (JSC::CallLinkInfo::clearLastSeenCallee): | |
1412 | (JSC::CallLinkInfo::lastSeenCallee): | |
1413 | (JSC::CallLinkInfo::haveLastSeenCallee): | |
1414 | (JSC::CallLinkInfo::setStub): | |
1415 | (JSC::CallLinkInfo::stub): | |
1416 | (JSC::CallLinkInfo::seenOnce): | |
1417 | (JSC::CallLinkInfo::clearSeen): | |
1418 | (JSC::CallLinkInfo::setSeen): | |
1419 | (JSC::CallLinkInfo::hasSeenClosure): | |
1420 | (JSC::CallLinkInfo::setHasSeenClosure): | |
1421 | (JSC::CallLinkInfo::clearedByGC): | |
1422 | (JSC::CallLinkInfo::setCallType): | |
1423 | (JSC::CallLinkInfo::callType): | |
1424 | (JSC::CallLinkInfo::addressOfMaxNumArguments): | |
1425 | (JSC::CallLinkInfo::maxNumArguments): | |
1426 | (JSC::CallLinkInfo::offsetOfSlowPathCount): | |
1427 | (JSC::CallLinkInfo::setCalleeGPR): | |
1428 | (JSC::CallLinkInfo::calleeGPR): | |
1429 | (JSC::CallLinkInfo::slowPathCount): | |
1430 | (JSC::CallLinkInfo::setCodeOrigin): | |
1431 | (JSC::CallLinkInfo::codeOrigin): | |
1432 | (JSC::getCallLinkInfoCodeOrigin): | |
1433 | * bytecode/CallLinkStatus.cpp: | |
1434 | (JSC::CallLinkStatus::computeFor): | |
1435 | (JSC::CallLinkStatus::computeFromCallLinkInfo): | |
1436 | (JSC::CallLinkStatus::computeDFGStatuses): | |
1437 | * bytecode/CallLinkStatus.h: | |
1438 | * bytecode/CodeBlock.cpp: | |
1439 | (JSC::CodeBlock::printCallOp): | |
1440 | (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): | |
1441 | * dfg/DFGJITCompiler.cpp: | |
1442 | (JSC::DFG::JITCompiler::link): | |
1443 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
1444 | (JSC::DFG::reifyInlinedCallFrames): | |
1445 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
1446 | (JSC::DFG::SpeculativeJIT::emitCall): | |
1447 | * dfg/DFGSpeculativeJIT64.cpp: | |
1448 | (JSC::DFG::SpeculativeJIT::emitCall): | |
1449 | * ftl/FTLJSCallBase.cpp: | |
1450 | (JSC::FTL::JSCallBase::link): | |
1451 | * jit/AccessorCallJITStubRoutine.h: | |
1452 | * jit/JIT.cpp: | |
1453 | (JSC::JIT::privateCompile): | |
1454 | * jit/JIT.h: | |
1455 | * jit/JITCall.cpp: | |
1456 | (JSC::JIT::compileSetupVarargsFrame): | |
1457 | (JSC::JIT::compileOpCall): | |
1458 | * jit/JITCall32_64.cpp: | |
1459 | (JSC::JIT::compileSetupVarargsFrame): | |
1460 | (JSC::JIT::compileOpCall): | |
1461 | * jit/JITOperations.cpp: | |
1462 | * jit/PolymorphicCallStubRoutine.cpp: | |
1463 | (JSC::PolymorphicCallNode::unlink): | |
1464 | (JSC::PolymorphicCallNode::clearCallLinkInfo): | |
1465 | * jit/PolymorphicCallStubRoutine.h: | |
1466 | * jit/Repatch.cpp: | |
1467 | (JSC::generateByIdStub): | |
1468 | (JSC::linkSlowFor): | |
1469 | (JSC::linkFor): | |
1470 | (JSC::revertCall): | |
1471 | (JSC::unlinkFor): | |
1472 | (JSC::linkPolymorphicCall): | |
1473 | * jit/ThunkGenerators.cpp: | |
1474 | (JSC::virtualForThunkGenerator): | |
1475 | ||
1476 | 2015-06-24 Doug Russell <d_russell@apple.com> | |
1477 | ||
1478 | Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject | |
1479 | when posting a selection notification when on the border between two accessibilityObjects | |
1480 | https://bugs.webkit.org/show_bug.cgi?id=146177 | |
1481 | ||
1482 | Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string). | |
1483 | ||
1484 | Reviewed by Darin Adler. | |
1485 | ||
1486 | * API/JSRetainPtr.h: | |
1487 | (adopt): | |
1488 | ||
1489 | 2015-06-24 Keith Miller <keith_miller@apple.com> | |
1490 | ||
1491 | Strict Equality on objects should only check that one of the two sides is an object. | |
1492 | https://bugs.webkit.org/show_bug.cgi?id=145992 | |
1493 | ||
1494 | This patch adds a new optimization for checking strict equality on objects. | |
1495 | If we speculate that a strict equality comparison has an object on one side | |
1496 | we only need to type check that side. Equality is then determined by a pointer | |
1497 | comparison between the two values (although in the 32-bit case we must also check | |
1498 | that the other side is a cell). Once LICM hoists type checks out of a loop we | |
1499 | can be cleverer about how we choose the operand we type check if both are | |
1500 | speculated to be objects. | |
1501 | ||
1502 | For testing I added the addressOf function, which returns the address | |
1503 | of a Cell to the runtime. | |
1504 | ||
1505 | Reviewed by Mark Lam. | |
1506 | ||
1507 | * dfg/DFGFixupPhase.cpp: | |
1508 | (JSC::DFG::FixupPhase::fixupNode): | |
1509 | * dfg/DFGSpeculativeJIT.cpp: | |
1510 | (JSC::DFG::SpeculativeJIT::compileStrictEq): | |
1511 | * dfg/DFGSpeculativeJIT.h: | |
1512 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
1513 | (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): | |
1514 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality): | |
1515 | * dfg/DFGSpeculativeJIT64.cpp: | |
1516 | (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality): | |
1517 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality): | |
1518 | * ftl/FTLCapabilities.cpp: | |
1519 | (JSC::FTL::canCompile): | |
1520 | * ftl/FTLLowerDFGToLLVM.cpp: | |
1521 | (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq): | |
1522 | * jsc.cpp: | |
1523 | (GlobalObject::finishCreation): | |
1524 | (functionAddressOf): | |
1525 | * tests/stress/equality-type-checking.js: Added. | |
1526 | (Foo): | |
1527 | (checkStrictEq): | |
1528 | (checkStrictEqOther): | |
1529 | ||
1530 | 2015-06-24 Mark Lam <mark.lam@apple.com> | |
1531 | ||
1532 | Fixed assertion in JSStringJoiner::join() (regression from r185899). | |
1533 | ||
1534 | Not reviewed. | |
1535 | ||
1536 | JSStringJoiner did not account for the case where the array being joined can | |
1537 | have null or undefined elements. As a result, its size may be less than | |
1538 | its initially reserved capacity (which was estimated based on the array length). | |
1539 | ||
1540 | * runtime/JSStringJoiner.cpp: | |
1541 | (JSC::JSStringJoiner::join): | |
1542 | ||
1543 | 2015-06-24 Darin Adler <darin@apple.com> | |
1544 | ||
1545 | Fix Array.concat with RuntimeArray (regression from my last patch) | |
1546 | ||
1547 | * runtime/ArrayPrototype.cpp: | |
1548 | (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length. | |
1549 | ||
1550 | * runtime/JSArray.cpp: | |
1551 | (JSC::JSArray::defineOwnProperty): Added comment about use of | |
1552 | JSArray::length here that is incorrect (in a really non-obvious way). | |
1553 | (JSC::JSArray::fillArgList): Ditto. | |
1554 | (JSC::JSArray::copyToArguments): Ditto. | |
1555 | ||
1556 | * runtime/JSArray.h: Added a comment explaining that it is not always | |
1557 | safe to use JSArray::length. | |
1558 | ||
1559 | 2015-06-23 Mark Lam <mark.lam@apple.com> | |
1560 | ||
1561 | Gardening: Fixing 2 bad asserts from r185889. | |
1562 | https://bugs.webkit.org/show_bug.cgi?id=140575 | |
1563 | ||
1564 | Not reviewed. | |
1565 | ||
1566 | * runtime/JSBoundSlotBaseFunction.cpp: | |
1567 | (JSC::JSBoundSlotBaseFunction::finishCreation): | |
1568 | ||
1569 | 2015-06-23 Dan Bernstein <mitz@apple.com> | |
1570 | ||
1571 | Fixed iOS production builds. | |
1572 | ||
1573 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
1574 | ||
1575 | 2015-06-22 Darin Adler <darin@apple.com> | |
1576 | ||
1577 | Make Array.join work directly on substrings without reifying them | |
1578 | https://bugs.webkit.org/show_bug.cgi?id=146191 | |
1579 | ||
1580 | Reviewed by Andreas Kling. | |
1581 | ||
1582 | Besides the Array.join change, this has other optimizations based on | |
1583 | profiling the Peacekeeper array benchmark. | |
1584 | ||
1585 | I measured a 14% speed improvement in the Peacekeeper array benchmark. | |
1586 | ||
1587 | Still a lot of low hanging fruit in that test because so many of the functions | |
1588 | on the array prototype are not optimizing for simple cases. For example, | |
1589 | the reverse function does individual get and put calls even when the array | |
1590 | is entirely made up of integers in contiguous storage. | |
1591 | ||
1592 | * runtime/ArrayPrototype.cpp: | |
1593 | (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot. | |
1594 | (JSC::argumentClampedIndexFromStartOrEnd): Marked inline. | |
1595 | (JSC::shift): Use the getProperty helper in this file instead of using | |
1596 | getPropertySlot. Use putByIndexInline instead of calling putByIndex directly. | |
1597 | In both cases this can yield a faster code path. | |
1598 | (JSC::unshift): Ditto. | |
1599 | (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner | |
1600 | interface. Changed local variable name to thisArray since it's not a | |
1601 | JSObject*. Changed loop index to i instead of k. | |
1602 | (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner | |
1603 | interface. Renamed thisObj to thisObject. Added a missing exception check | |
1604 | after the toLocaleString function is called, but before toString is called on | |
1605 | the result of that function. | |
1606 | (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJoiner interface. | |
1607 | Added a missing exception check after calling toString on the separator | |
1608 | but before calling get to get the first element in the array-like object | |
1609 | being joined. Changed loop index to i instead of k. Added missing exception | |
1610 | check after calling toString on each string from the array before calling | |
1611 | get for the next element. | |
1612 | (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the | |
1613 | getLength function. | |
1614 | (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline. | |
1615 | (JSC::arrayProtoFuncShift): Ditto. | |
1616 | (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some | |
1617 | additional optimizations. | |
1618 | (JSC::getOrHole): Deleted. Unused function. | |
1619 | (JSC::arrayProtoFuncUnShift): Use putByIndexInline. | |
1620 | ||
1621 | * runtime/ExceptionHelpers.cpp: | |
1622 | (JSC::errorDescriptionForValue): Removed the duplicate copy of the logic | |
1623 | from JSValue::toString. | |
1624 | ||
1625 | * runtime/JSCJSValue.cpp: | |
1626 | (JSC::JSValue::toStringSlowCase): Improved the performance when converting a | |
1627 | small integer to a single character string. | |
1628 | (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the | |
1629 | inlineJSValueNotStringtoString function here. | |
1630 | * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed | |
1631 | a comment with a typo. | |
1632 | ||
1633 | * runtime/JSObject.h: | |
1634 | (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not | |
1635 | getting inlined at some call sites. | |
1636 | (JSC::JSObject::indexingData): Deleted. Unused function. | |
1637 | (JSC::JSObject::currentIndexingData): Deleted. Unused function. | |
1638 | (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function. | |
1639 | (JSC::JSObject::relevantLength): Deleted. Unused function. | |
1640 | (JSC::JSObject::currentRelevantLength): Deleted. Unused function. | |
1641 | ||
1642 | * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and | |
1643 | the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString | |
1644 | and toWTFStringInline functions. | |
1645 | ||
1646 | * runtime/JSStringJoiner.cpp: | |
1647 | (JSC::appendStringToData): Changed this to be a template instead of writing | |
1648 | it out, since StringView::getCharactersWithUpconvert does almost exactly what | |
1649 | this function was trying to do. | |
1650 | (JSC::joinStrings): Rewrote this to use StringView. | |
1651 | (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function. | |
1652 | (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion | |
1653 | that we entirely filled capacity, since we are now reserving capacity and using | |
1654 | uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no | |
1655 | particular value to using the impl directly. | |
1656 | ||
1657 | * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView. | |
1658 | Also changed this class so it now has the responsibility to convert each JSValue | |
1659 | into a string. This let us share more code between toString and join, and also | |
1660 | lets us use the new viewWithUnderlyingString function, which could be confusing at | |
1661 | all the call sites, but is easier to understand here. | |
1662 | ||
1663 | 2015-06-23 Matthew Mirman <mmirman@apple.com> | |
1664 | ||
1665 | Completes native binding descriptors with native getters and potentially setters. | |
1666 | https://bugs.webkit.org/show_bug.cgi?id=140575 | |
1667 | rdar://problem/19506502 | |
1668 | ||
1669 | Reviewed by Mark Lam. | |
1670 | ||
1671 | * CMakeLists.txt: Added JSBoundSlotBaseFunction.cpp | |
1672 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
1673 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
1674 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
1675 | * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter. | |
1676 | * runtime/JSBoundSlotBaseFunction.cpp: Added. | |
1677 | (JSC::boundSlotBaseFunctionCall): | |
1678 | (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction): | |
1679 | Necessary wrapper for custom getters and setters as objects. | |
1680 | (JSC::JSBoundSlotBaseFunction::create): | |
1681 | (JSC::JSBoundSlotBaseFunction::visitChildren): | |
1682 | (JSC::JSBoundSlotBaseFunction::finishCreation): | |
1683 | * runtime/JSBoundSlotBaseFunction.h: Added. | |
1684 | (JSC::JSBoundSlotBaseFunction::createStructure): | |
1685 | (JSC::JSBoundSlotBaseFunction::boundSlotBase): | |
1686 | (JSC::JSBoundSlotBaseFunction::customGetterSetter): | |
1687 | (JSC::JSBoundSlotBaseFunction::isGetter): | |
1688 | * runtime/JSGlobalObject.cpp: | |
1689 | (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction | |
1690 | (JSC::JSGlobalObject::visitChildren): visits that structure | |
1691 | * runtime/JSGlobalObject.h: | |
1692 | (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure | |
1693 | * runtime/JSObject.cpp: | |
1694 | (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to | |
1695 | actually include GetterSetter as a JSBoundSlotBaseFunction | |
1696 | * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap | |
1697 | * runtime/VM.h: Added cache for JSBoundSlotBaseFunction | |
1698 | ||
1699 | 2015-06-22 Yusuke Suzuki <utatane.tea@gmail.com> | |
1700 | ||
1701 | [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern | |
1702 | https://bugs.webkit.org/show_bug.cgi?id=146192 | |
1703 | ||
1704 | Reviewed by Darin Adler. | |
1705 | ||
1706 | According to the ES6 spec, trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed. | |
1707 | And empty ArrayBindingPattern and ObjectBindingPattern are also allowed. | |
1708 | ||
1709 | This patch allows trailing comma and empty binding patterns. | |
1710 | ||
1711 | * bytecompiler/NodesCodegen.cpp: | |
1712 | (JSC::ArrayPatternNode::bindValue): | |
1713 | * parser/Parser.cpp: | |
1714 | (JSC::Parser<LexerType>::parseDeconstructionPattern): | |
1715 | * tests/stress/trailing-comma-in-patterns.js: Added. | |
1716 | (shouldBe): | |
1717 | (iterator): | |
1718 | ||
1719 | 2015-06-20 Yusuke Suzuki <utatane.tea@gmail.com> | |
1720 | ||
1721 | [ES6] Destructuring assignment need to accept iterables | |
1722 | https://bugs.webkit.org/show_bug.cgi?id=144111 | |
1723 | ||
1724 | Reviewed by Darin Adler. | |
1725 | ||
1726 | This patch makes destructuring assignments to array binding patterns accept iterables. | |
1727 | Previously, they just accessed the indexed properties. | |
1728 | After this patch, it iterates the given value by using ES6 iterator protocol. | |
1729 | ||
1730 | The iteration becomes different from the for-of case. | |
1731 | 1. Since there's no break/continue case, finally scope is not necessary. | |
1732 | 2. When the error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that. | |
1733 | 3. Since the array binding patterns require a limited count of iterations (if there is no rest(...rest) case), IteratorClose is called when the iteration does not consume all the values of the iterator. | |
1734 | 4. Since the array binding patterns require a specified count of iterations, the iterator's next call is skipped when the iterator becomes closed. | |
1735 | ||
1736 | * bytecompiler/BytecodeGenerator.cpp: | |
1737 | (JSC::BytecodeGenerator::emitIteratorClose): | |
1738 | * bytecompiler/BytecodeGenerator.h: | |
1739 | * bytecompiler/NodesCodegen.cpp: | |
1740 | (JSC::ArrayPatternNode::bindValue): | |
1741 | * parser/ASTBuilder.h: | |
1742 | (JSC::ASTBuilder::finishArrayPattern): | |
1743 | * parser/Nodes.h: | |
1744 | * parser/Parser.cpp: | |
1745 | (JSC::Parser<LexerType>::parseDeconstructionPattern): | |
1746 | * parser/SyntaxChecker.h: | |
1747 | (JSC::SyntaxChecker::operatorStackPop): | |
1748 | * tests/stress/destructuring-assignment-accepts-iterables.js: Added. | |
1749 | (shouldBe): | |
1750 | (shouldThrow): | |
1751 | (.set shouldThrow): | |
1752 | ||
1753 | 2015-06-19 Devin Rousso <drousso@apple.com> | |
1754 | ||
1755 | Web Inspector: Highlight currently edited CSS selector | |
1756 | https://bugs.webkit.org/show_bug.cgi?id=145658 | |
1757 | ||
1758 | Reviewed by Joseph Pecoraro. | |
1759 | ||
1760 | * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes. | |
1761 | ||
1762 | 2015-06-19 Mark Lam <mark.lam@apple.com> | |
1763 | ||
1764 | Gardening: fix build for EWS bots. | |
1765 | ||
1766 | Not reviewed. | |
1767 | ||
1768 | * runtime/JSArray.cpp: | |
1769 | (JSC::JSArray::setLengthWithArrayStorage): | |
1770 | ||
1771 | 2015-06-19 Michael Saboff <msaboff@apple.com> | |
1772 | ||
1773 | Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225 | |
1774 | https://bugs.webkit.org/show_bug.cgi?id=146133 | |
1775 | ||
1776 | Reviewed by Geoffrey Garen. | |
1777 | ||
1778 | When generating code to put in inline caching areas, if there isn't enough space, | |
1779 | then create and link to an out of line area. We connect the inline code to this | |
1780 | out of line code area by planting a jump from the inline area to the out of line | |
1781 | code and appending a jump at the end of the out of line code back to the instruction | |
1782 | following the inline area. We fill the unused inline area with nops, primarily to | |
1783 | ensure the disassembler doesn't get confused. | |
1784 | ||
1785 | * ftl/FTLCompile.cpp: | |
1786 | (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space | |
1787 | in the inline code area for the code to link. If so, it links inline, otherwise it links the | |
1788 | code out of line and plants appropriate jumps to/from the out of line code. | |
1789 | (generateICFastPath): | |
1790 | (generateCheckInICFastPath): | |
1791 | (fixFunctionBasedOnStackMaps): | |
1792 | Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space. | |
1793 | ||
1794 | * ftl/FTLJITFinalizer.cpp: | |
1795 | (JSC::FTL::JITFinalizer::finalizeFunction): | |
1796 | * ftl/FTLJITFinalizer.h: | |
1797 | (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo): | |
1798 | Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot(). | |
1799 | ||
1800 | 2015-06-19 Geoffrey Garen <ggaren@apple.com> | |
1801 | ||
1802 | WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276 | |
1803 | https://bugs.webkit.org/show_bug.cgi?id=146163 | |
1804 | <rdar://problem/20392986> | |
1805 | ||
1806 | Reviewed by Michael Saboff. | |
1807 | ||
1808 | There's no good way to test this in our test harness because we don't | |
1809 | have a way to simulate executable memory pressure, and doing so would | |
1810 | cause the cases that still use JITCompilationMustSucceed to crash. | |
1811 | ||
1812 | Instead, I tested by manually forcing all regexp JIT compilation to | |
1813 | fail and running the JavaScriptCore tests. | |
1814 | ||
1815 | * yarr/YarrJIT.cpp: | |
1816 | (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can | |
1817 | fall back to the regexp interpreter if we need to. | |
1818 | ||
1819 | 2015-06-19 Mark Lam <mark.lam@apple.com> | |
1820 | ||
1821 | Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround. | |
1822 | https://bugs.webkit.org/show_bug.cgi?id=146154 | |
1823 | ||
1824 | Reviewed by Darin Adler. | |
1825 | ||
1826 | * assembler/MacroAssemblerCodeRef.h: | |
1827 | (JSC::MacroAssemblerCodePtr::dataLocation): | |
1828 | (JSC::MacroAssemblerCodePtr::operator bool): | |
1829 | (JSC::MacroAssemblerCodePtr::operator==): | |
1830 | (JSC::MacroAssemblerCodeRef::tryToDisassemble): | |
1831 | (JSC::MacroAssemblerCodeRef::operator bool): | |
1832 | (JSC::MacroAssemblerCodeRef::dump): | |
1833 | (JSC::MacroAssemblerCodePtr::operator UnspecifiedBoolType*): Deleted. | |
1834 | (JSC::MacroAssemblerCodeRef::operator UnspecifiedBoolType*): Deleted. | |
1835 | ||
1836 | * bytecode/CodeOrigin.cpp: | |
1837 | (JSC::CodeOrigin::isApproximatelyEqualTo): | |
1838 | - Fixed a bug here where we were expecting to compare Executable pointers, but | |
1839 | ended up comparing a (UnspecifiedBoolType*)1 with another | |
1840 | (UnspecifiedBoolType*)1. | |
1841 | ||
1842 | * bytecode/LLIntCallLinkInfo.h: | |
1843 | (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo): | |
1844 | (JSC::LLIntCallLinkInfo::isLinked): | |
1845 | (JSC::LLIntCallLinkInfo::unlink): | |
1846 | * dfg/DFGBlockWorklist.h: | |
1847 | (JSC::DFG::BlockWith::BlockWith): | |
1848 | (JSC::DFG::BlockWith::operator bool): | |
1849 | (JSC::DFG::BlockWithOrder::BlockWithOrder): | |
1850 | (JSC::DFG::BlockWithOrder::operator bool): | |
1851 | (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): Deleted. | |
1852 | (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): Deleted. | |
1853 | * dfg/DFGIntegerRangeOptimizationPhase.cpp: | |
1854 | * dfg/DFGLazyNode.h: | |
1855 | (JSC::DFG::LazyNode::operator!): | |
1856 | (JSC::DFG::LazyNode::operator bool): | |
1857 | (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): Deleted. | |
1858 | * heap/CopyWriteBarrier.h: | |
1859 | (JSC::CopyWriteBarrier::operator!): | |
1860 | (JSC::CopyWriteBarrier::operator bool): | |
1861 | (JSC::CopyWriteBarrier::get): | |
1862 | (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*): Deleted. | |
1863 | * heap/Handle.h: | |
1864 | (JSC::HandleBase::operator!): | |
1865 | (JSC::HandleBase::operator bool): | |
1866 | (JSC::HandleBase::slot): | |
1867 | (JSC::HandleBase::operator UnspecifiedBoolType*): Deleted. | |
1868 | * heap/Strong.h: | |
1869 | (JSC::Strong::operator!): | |
1870 | (JSC::Strong::operator bool): | |
1871 | (JSC::Strong::swap): | |
1872 | (JSC::Strong::operator UnspecifiedBoolType*): Deleted. | |
1873 | * jit/JITWriteBarrier.h: | |
1874 | (JSC::JITWriteBarrierBase::operator bool): | |
1875 | (JSC::JITWriteBarrierBase::operator!): | |
1876 | (JSC::JITWriteBarrierBase::setFlagOnBarrier): | |
1877 | (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*): Deleted. | |
1878 | * runtime/JSArray.cpp: | |
1879 | (JSC::JSArray::setLengthWithArrayStorage): | |
1880 | * runtime/JSCJSValue.h: | |
1881 | * runtime/JSCJSValueInlines.h: | |
1882 | (JSC::JSValue::JSValue): | |
1883 | (JSC::JSValue::operator bool): | |
1884 | (JSC::JSValue::operator==): | |
1885 | (JSC::JSValue::operator UnspecifiedBoolType*): Deleted. | |
1886 | * runtime/JSObject.h: | |
1887 | (JSC::JSObject::hasSparseMap): | |
1888 | * runtime/PropertyDescriptor.h: | |
1889 | (JSC::PropertyDescriptor::writablePresent): | |
1890 | (JSC::PropertyDescriptor::enumerablePresent): | |
1891 | (JSC::PropertyDescriptor::configurablePresent): | |
1892 | (JSC::PropertyDescriptor::setterPresent): | |
1893 | (JSC::PropertyDescriptor::getterPresent): | |
1894 | * runtime/WriteBarrier.h: | |
1895 | (JSC::WriteBarrierBase::slot): | |
1896 | (JSC::WriteBarrierBase::operator bool): | |
1897 | (JSC::WriteBarrierBase::operator!): | |
1898 | (JSC::WriteBarrierBase<Unknown>::tagPointer): | |
1899 | (JSC::WriteBarrierBase<Unknown>::payloadPointer): | |
1900 | (JSC::WriteBarrierBase<Unknown>::operator bool): | |
1901 | (JSC::WriteBarrierBase<Unknown>::operator!): | |
1902 | (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted. | |
1903 | (JSC::WriteBarrierBase<Unknown>::operator UnspecifiedBoolType*): Deleted. | |
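The comparison bug noted under CodeOrigin::isApproximatelyEqualTo, as an added example that is not WebKit code: a minimal wrapper using the old UnspecifiedBoolType* conversion beside one using explicit operator bool(), showing why the former lets `==` compile and compare two (UnspecifiedBoolType*)1 values instead of the executables. The Executable struct, the wrapper names and the helper functions are assumptions.

```cpp
#include <cstdio>

// Stand-in for the Executable the original comparison was meant to look at.
struct Executable {
    int id;
};

// Old idiom: the wrapper converts to UnspecifiedBoolType* so that `if (ref)`
// works. Because the conversion is implicit, the compiler will also use it to
// satisfy the built-in pointer == when the class defines no operator== itself.
class LegacyExecutableRef {
public:
    typedef void* UnspecifiedBoolType;
    explicit LegacyExecutableRef(Executable* executable) : m_executable(executable) {}
    // Every non-null wrapper yields the same magic value, (UnspecifiedBoolType*)1.
    operator UnspecifiedBoolType*() const {
        return m_executable ? reinterpret_cast<UnspecifiedBoolType*>(1) : nullptr;
    }
    Executable* executable() const { return m_executable; }
private:
    Executable* m_executable;
};

// Replacement: explicit operator bool() still allows `if (ref)` but never takes
// part in ==, so the only comparison that compiles is the one defined below.
class ExecutableRef {
public:
    explicit ExecutableRef(Executable* executable) : m_executable(executable) {}
    explicit operator bool() const { return m_executable != nullptr; }
    Executable* executable() const { return m_executable; }
private:
    Executable* m_executable;
};

bool operator==(const ExecutableRef& a, const ExecutableRef& b) {
    return a.executable() == b.executable();
}

// What the buggy comparison effectively computed: both sides convert to
// (UnspecifiedBoolType*)1 and the two pointers compare equal whenever both
// wrappers are non-null, regardless of which executable they wrap.
bool legacyIsApproximatelyEqual(Executable* a, Executable* b) {
    return LegacyExecutableRef(a) == LegacyExecutableRef(b);
}

bool fixedIsApproximatelyEqual(Executable* a, Executable* b) {
    return ExecutableRef(a) == ExecutableRef(b);
}

// Two distinct executables, constructed for the demonstration.
Executable* executableA() { static Executable a{1}; return &a; }
Executable* executableB() { static Executable b{2}; return &b; }

int main() {
    std::printf("legacy: A == B ? %d (wrong)\n", legacyIsApproximatelyEqual(executableA(), executableB()));
    std::printf("fixed:  A == B ? %d\n", fixedIsApproximatelyEqual(executableA(), executableB()));
    std::printf("fixed:  A == A ? %d\n", fixedIsApproximatelyEqual(executableA(), executableA()));
    return 0;
}
```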
1904 | ||
1905 | 2015-06-19 Anders Carlsson <andersca@apple.com> | |
1906 | ||
1907 | Add a JSC symlink in /System/Library/PrivateFrameworks | |
1908 | https://bugs.webkit.org/show_bug.cgi?id=146158 | |
1909 | rdar://problem/21465968 | |
1910 | ||
1911 | Reviewed by Dan Bernstein. | |
1912 | ||
1913 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
1914 | ||
1915 | 2015-06-19 Joseph Pecoraro <pecoraro@apple.com> | |
1916 | ||
1917 | Web Inspector: Avoid getOwnPropertyNames/Symbols on very large lists | |
1918 | https://bugs.webkit.org/show_bug.cgi?id=146141 | |
1919 | ||
1920 | Reviewed by Timothy Hatcher. | |
1921 | ||
1922 | * inspector/InjectedScriptSource.js: | |
1923 | (InjectedScript.prototype._propertyDescriptors): | |
1924 | Avoid calling getOwnPropertyNames/Symbols on very large lists. Instead | |
1925 | just generate property descriptors for the first 100 indexes. Note | |
1926 | this would behave poorly for sparse arrays with a length > 100, but | |
1927 | general support for lists with more than 100 elements is poor. See: | |
1928 | <https://webkit.org/b/143589> Web Inspector: Better handling for large collections in Object Trees | |
1929 | ||
1930 | 2015-06-18 Yusuke Suzuki <utatane.tea@gmail.com> | |
1931 | ||
1932 | [DFG] Avoid OSR exit in the middle of string concatenation | |
1933 | https://bugs.webkit.org/show_bug.cgi?id=145820 | |
1934 | ||
1935 | Reviewed by Filip Pizlo. | |
1936 | ||
1937 | DFG attempts to compile ValueAdd with String type into MakeRope(left, ToString(ToPrimitive(right))). | |
1938 | ||
1939 | So when right is speculated as SpecObject, ToPrimitive(SpecObject) is speculated as SpecString. | |
1940 | It leads ToString to become Identity with a speculated type check. | |
1941 | ||
1942 | However, ToPrimitive and ToString originate from the same bytecode. And ToPrimitive may have | |
1943 | an observable side effect when the given parameter is an object (calling object.{toString,valueOf}). | |
1944 | ||
1945 | So when object.toString() returns a number (it is allowed in the ES spec), ToPrimitive performs | |
1946 | observable `object.toString()` calling. But ToString is converted into a speculated type check for | |
1947 | SpecString and it raises OSR exit. And we exit to the original ValueAdd's bytecode position and | |
1948 | it redundantly performs an observable ToPrimitive execution. | |
1949 | ||
1950 | To fix this, this patch avoids fixing up the newly introduced ToString node. | |
1951 | Since the fixup phase is not iterated repeatedly, by avoiding fixing up when generating the node, | |
1952 | we can avoid conversion from ToString to Check. | |
1953 | ||
1954 | * dfg/DFGFixupPhase.cpp: | |
1955 | (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): | |
1956 | * tests/stress/toprimitive-speculated-types.js: Added. | |
1957 | (shouldBe): | |
1958 | (raw): | |
1959 | (Counter): | |
1960 | ||
1961 | 2015-06-18 Brian J. Burg <burg@cs.washington.edu> | |
1962 | ||
1963 | Web Inspector: improve generated types for objects passed to backend commands | |
1964 | https://bugs.webkit.org/show_bug.cgi?id=146091 | |
1965 | ||
1966 | Reviewed by Joseph Pecoraro. | |
1967 | ||
1968 | The main change is that objects passed in will have a type like const T& or const T*, | |
1969 | rather than const RefPtr<T>&&. These protocol objects are owned by the generated dispatcher | |
1970 | methods and only exist to pass data to backend command implementations. So, there is no | |
1971 | reason for callees to add a reference or take ownership of these inputs. | |
1972 | ||
1973 | Some small improvements were made in the code generator to standardize how these | |
1974 | expressions are generated for parameters. Optional in parameters are now prefixed with | |
1975 | 'opt_in_' to make the generated method signatures and implementations clearer. | |
1976 | ||
1977 | * inspector/InspectorValues.cpp: | |
1978 | (Inspector::InspectorArrayBase::get): Add const qualifier. | |
1979 | * inspector/InspectorValues.h: | |
1980 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
1981 | (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): | |
1982 | (Inspector::parseLocation): | |
1983 | (Inspector::InspectorDebuggerAgent::setBreakpoint): | |
1984 | (Inspector::InspectorDebuggerAgent::continueToLocation): | |
1985 | * inspector/agents/InspectorDebuggerAgent.h: | |
1986 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
1987 | (Inspector::InspectorRuntimeAgent::callFunctionOn): | |
1988 | (Inspector::InspectorRuntimeAgent::saveResult): | |
1989 | (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): | |
1990 | * inspector/agents/InspectorRuntimeAgent.h: | |
1991 | ||
1992 | * inspector/scripts/codegen/cpp_generator.py: Always generate PrimitiveType('array'). | |
1993 | (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Alter the type signature | |
1994 | for an unchecked input to use pointers or references. | |
1995 | ||
1996 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: | |
1997 | (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): | |
1998 | (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): | |
1999 | Local variables for optional parameters now have the 'opt_' prefix. | |
2000 | ||
2001 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: | |
2002 | (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): | |
2003 | (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): | |
2004 | Local variables for optional parameters now have the 'opt_' prefix. | |
2005 | Split parameterName and parameterKey into two separate template variables to avoid mixups. | |
2006 | ||
2007 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
2008 | ||
2009 | 2015-06-18 Joseph Pecoraro <pecoraro@apple.com> | |
2010 | ||
2011 | Unreviewed. Rollout r185670 as it caused some tests to be flakey. | |
2012 | ||
2013 | * debugger/Debugger.cpp: | |
2014 | ||
2015 | 2015-06-17 Alex Christensen <achristensen@webkit.org> | |
2016 | ||
2017 | [Content Extensions] Log blocked loads to the WebInspector console | |
2018 | https://bugs.webkit.org/show_bug.cgi?id=146089 | |
2019 | ||
2020 | Reviewed by Joseph Pecoraro. | |
2021 | ||
2022 | * inspector/ConsoleMessage.cpp: | |
2023 | (Inspector::messageSourceValue): | |
2024 | * inspector/protocol/Console.json: | |
2025 | * runtime/ConsoleTypes.h: | |
2026 | Add content blocker message source. | |
2027 | ||
2028 | 2015-06-18 Saam Barati <saambarati1@gmail.com> | |
2029 | ||
2030 | [ES6] support default values in deconstruction parameter nodes | |
2031 | https://bugs.webkit.org/show_bug.cgi?id=142679 | |
2032 | ||
2033 | Reviewed by Darin Adler. | |
2034 | ||
2035 | ES6 destructuring allows destructuring properties to assign | |
2036 | default values. A link to the spec: | |
2037 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-destructuring-binding-patterns | |
2038 | ||
2039 | This patch implements default values for all places where deconstruction | |
2040 | is allowed besides function parameters. This is because function | |
2041 | parameters are parsed in a separate parser arena from the function | |
2042 | body itself and ExpressionNodes which are default values for | |
2043 | deconstruction parameters will be deallocated by the time we parse the body | |
2044 | of the function. I have opened a bug to address this problem: | |
2045 | https://bugs.webkit.org/show_bug.cgi?id=145995 | |
2046 | ||
2047 | * bytecompiler/NodesCodegen.cpp: | |
2048 | (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): | |
2049 | (JSC::assignDefaultValueIfUndefined): | |
2050 | (JSC::ArrayPatternNode::bindValue): | |
2051 | (JSC::ArrayPatternNode::emitDirectBinding): | |
2052 | (JSC::ArrayPatternNode::toString): | |
2053 | (JSC::ArrayPatternNode::collectBoundIdentifiers): | |
2054 | (JSC::ObjectPatternNode::bindValue): | |
2055 | * parser/ASTBuilder.h: | |
2056 | (JSC::ASTBuilder::appendArrayPatternSkipEntry): | |
2057 | (JSC::ASTBuilder::appendArrayPatternEntry): | |
2058 | (JSC::ASTBuilder::createObjectPattern): | |
2059 | (JSC::ASTBuilder::appendObjectPatternEntry): | |
2060 | (JSC::ASTBuilder::createBindingLocation): | |
2061 | * parser/Nodes.h: | |
2062 | (JSC::ArrayPatternNode::appendIndex): | |
2063 | (JSC::ObjectPatternNode::appendEntry): | |
2064 | (JSC::ObjectPatternNode::Entry::Entry): Deleted. | |
2065 | * parser/Parser.cpp: | |
2066 | (JSC::Parser<LexerType>::parseDeconstructionPattern): | |
2067 | (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): | |
2068 | (JSC::Parser<LexerType>::parseConstDeclarationList): | |
2069 | * parser/Parser.h: | |
2070 | * parser/SyntaxChecker.h: | |
2071 | (JSC::SyntaxChecker::operatorStackPop): | |
2072 | ||
2073 | 2015-06-17 Joseph Pecoraro <pecoraro@apple.com> | |
2074 | ||
2075 | Web Inspector: Do not show JavaScriptCore builtins in inspector | |
2076 | https://bugs.webkit.org/show_bug.cgi?id=146049 | |
2077 | ||
2078 | Reviewed by Timothy Hatcher. | |
2079 | ||
2080 | * debugger/Debugger.cpp: | |
2081 | ||
2082 | 2015-06-17 Andreas Kling <akling@apple.com> | |
2083 | ||
2084 | [JSC] jsSubstring() should have a fast path for 0..baseLength "substrings." | |
2085 | <https://webkit.org/b/146051> | |
2086 | ||
2087 | Reviewed by Anders Carlsson. | |
2088 | ||
2089 | If asked to make a substring that actually spans the entire base string, | |
2090 | have jsSubstring() just return the base instead of allocating a new JSString. | |
2091 | ||
2092 | 3% speed-up on Octane/regexp. | |
2093 | ||
2094 | * runtime/JSString.h: | |
2095 | (JSC::jsSubstring): | |
2096 | ||
2097 | 2015-06-16 Alex Christensen <achristensen@webkit.org> | |
2098 | ||
2099 | 32-bit build fix after r185640. | |
2100 | ||
2101 | * dfg/DFGIntegerRangeOptimizationPhase.cpp: | |
2102 | Explicitly cast clamped int64_t to an int. | |
2103 | ||
2104 | 2015-06-09 Filip Pizlo <fpizlo@apple.com> | |
2105 | ||
2106 | FTL should eliminate array bounds checks in loops | |
2107 | https://bugs.webkit.org/show_bug.cgi?id=145768 | |
2108 | ||
2109 | Reviewed by Benjamin Poulain. | |
2110 | ||
2111 | This adds a phase that does forward propagation of integer inequalities. This allows us | |
2112 | to do the algebraic reasoning we need to eliminate array bounds checks in loops. It | |
2113 | also eliminates overflow checks on ArithAdd with a constant. | |
2114 | ||
2115 | The phase's analysis produces results that are powerful enough to do speculative bounds | |
2116 | check hoisting, but this phase currently only does elimination. We can implement | |
2117 | hoisting later. | |
2118 | ||
2119 | On programs that just loop over an array like: | |
2120 | ||
2121 | for (var i = 0; i < array.length; ++i) | |
2122 | thingy += array[i] | |
2123 | ||
2124 | This change is a 60% speed-up. | |
2125 | ||
2126 | This is also a ~3% speed-up on Kraken, and it shows various speed-ups on individual | |
2127 | tests in Octane. | |
2128 | ||
2129 | * CMakeLists.txt: | |
2130 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
2131 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
2132 | * dfg/DFGIntegerRangeOptimizationPhase.cpp: Added. | |
2133 | (JSC::DFG::performIntegerRangeOptimization): | |
2134 | * dfg/DFGIntegerRangeOptimizationPhase.h: Added. | |
2135 | * dfg/DFGPlan.cpp: | |
2136 | (JSC::DFG::Plan::compileInThreadImpl): | |
2137 | * tests/stress/add-overflows-after-not-equal.js: Added. | |
2138 | * tests/stress/no-abc-skippy-loop.js: Added. | |
2139 | * tests/stress/no-abc-skippy-paired-loop.js: Added. | |
2140 | * tests/stress/sub-overflows-after-not-equal.js: Added. | |
2141 | ||
2142 | 2015-06-16 Andreas Kling <akling@apple.com> | |
2143 | ||
2144 | Remove unused template parameter InlineCapacity from SegmentedVector. | |
2145 | <https://webkit.org/b/146044> | |
2146 | ||
2147 | Reviewed by Anders Carlsson. | |
2148 | ||
2149 | * bytecode/ArrayProfile.h: | |
2150 | * dfg/DFGCommonData.h: | |
2151 | ||
2152 | 2015-06-16 Michael Saboff <msaboff@apple.com> | |
2153 | ||
2154 | Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function | |
2155 | https://bugs.webkit.org/show_bug.cgi?id=146029 | |
2156 | ||
2157 | Reviewed by Benjamin Poulain. | |
2158 | ||
2159 | Save and restore m_currentInstruction around call to ByteCodeParser::inlineCall() as it will | |
2160 | use m_currentInstruction during its own parsing. This happens because inlineCall() parses the | |
2161 | inlined callee's bytecodes by calling parseCodeBlock() which calls parseBlock() on each block. | |
2162 | It is in parseBlock() that we set m_currentInstruction to an instruction before we parse it. | |
2163 | ||
2164 | * dfg/DFGByteCodeParser.cpp: | |
2165 | (JSC::DFG::ByteCodeParser::attemptToInlineCall): | |
2166 | (JSC::DFG::ByteCodeParser::parseBlock): Added an ASSERT to catch this issue. | |
2167 | ||
2168 | 2015-06-16 Filip Pizlo <fpizlo@apple.com> | |
2169 | ||
2170 | Unreviewed, roll out unintended JSC change from https://trac.webkit.org/changeset/185425. | |
2171 | ||
2172 | * bytecode/CodeBlock.h: | |
2173 | (JSC::CodeBlock::hasExitSite): | |
2174 | (JSC::CodeBlock::exitProfile): | |
2175 | (JSC::CodeBlock::numberOfExitSites): Deleted. | |
2176 | * bytecode/DFGExitProfile.cpp: | |
2177 | (JSC::DFG::ExitProfile::add): | |
2178 | * bytecode/DFGExitProfile.h: | |
2179 | (JSC::DFG::ExitProfile::hasExitSite): | |
2180 | (JSC::DFG::ExitProfile::size): Deleted. | |
2181 | * dfg/DFGByteCodeParser.cpp: | |
2182 | (JSC::DFG::ByteCodeParser::inliningCost): | |
2183 | * runtime/Options.h: | |
2184 | ||
2185 | 2015-06-16 Mark Lam <mark.lam@apple.com> | |
2186 | ||
2187 | Use NakedPtr<Exception>& to return exception results. | |
2188 | https://bugs.webkit.org/show_bug.cgi?id=145870 | |
2189 | ||
2190 | Reviewed by Anders Carlsson and Filip Pizlo. | |
2191 | ||
2192 | Before r185259, calls into the VM take a JSValue* exception result argument for | |
2193 | returning any uncaught exception that may have been thrown while executing JS code. | |
2194 | As a result, clients of the VM functions will declare a local JSValue exception | |
2195 | result which is automatically initialized to a null value (i.e. the empty value, | |
2196 | not the JS null value). | |
2197 | ||
2198 | With r185259, the VM functions were changed to take an Exception*& exception result | |
2199 | instead, and the VM functions are responsible for initializing the exception result | |
2200 | to null if no exception is thrown. | |
2201 | ||
2202 | This introduces 2 issues: | |
2203 | ||
2204 | 1. The VM functions are vulnerable to modifications that may add early returns | |
2205 | before the exception result is nullified. This can result in the exception | |
2206 | result being used without initialization. | |
2207 | ||
2208 | 2. Previously, a client could technically use the same exception result for more | |
2209 | than one call into the VM functions. If an earlier call sets it to a thrown | |
2210 | value, the thrown value will stick unless a subsequent call throws a different | |
2211 | exception. | |
2212 | ||
2213 | With the new Exception*& exception result, the VM functions will always clear | |
2214 | the exception result before proceeding. As a result, the client's exception | |
2215 | result will be null after the second call even though the first call saw an | |
2216 | exception thrown. This is a change in the expected behavior. | |
2217 | ||
2218 | To fix these issues, we'll introduce a NakedPtr smart pointer whose sole purpose | |
2219 | is to guarantee that the pointer is initialized. The VM functions will now take | |
2220 | a NakedPtr<Exception>& instead of the Exception*&. This ensures that the | |
2221 | exception result is initialized. | |
2222 | ||
2223 | The VM functions are also reverted to only set the exception result if a new | |
2224 | exception is thrown. | |
2225 | ||
2226 | * API/JSBase.cpp: | |
2227 | (JSEvaluateScript): | |
2228 | * API/JSScriptRef.cpp: | |
2229 | * bindings/ScriptFunctionCall.cpp: | |
2230 | (Deprecated::ScriptFunctionCall::call): | |
2231 | * bindings/ScriptFunctionCall.h: | |
2232 | * debugger/Debugger.cpp: | |
2233 | (JSC::Debugger::hasBreakpoint): | |
2234 | * debugger/Debugger.h: | |
2235 | * debugger/DebuggerCallFrame.cpp: | |
2236 | (JSC::DebuggerCallFrame::thisValue): | |
2237 | (JSC::DebuggerCallFrame::evaluate): | |
2238 | * debugger/DebuggerCallFrame.h: | |
2239 | (JSC::DebuggerCallFrame::isValid): | |
2240 | * inspector/InjectedScriptManager.cpp: | |
2241 | (Inspector::InjectedScriptManager::createInjectedScript): | |
2242 | * inspector/InspectorEnvironment.h: | |
2243 | * inspector/JSJavaScriptCallFrame.cpp: | |
2244 | (Inspector::JSJavaScriptCallFrame::evaluate): | |
2245 | * inspector/JavaScriptCallFrame.h: | |
2246 | (Inspector::JavaScriptCallFrame::vmEntryGlobalObject): | |
2247 | (Inspector::JavaScriptCallFrame::thisValue): | |
2248 | (Inspector::JavaScriptCallFrame::evaluate): | |
2249 | * inspector/ScriptDebugServer.cpp: | |
2250 | (Inspector::ScriptDebugServer::evaluateBreakpointAction): | |
2251 | * jsc.cpp: | |
2252 | (functionRun): | |
2253 | (functionLoad): | |
2254 | (runWithScripts): | |
2255 | (runInteractive): | |
2256 | * runtime/CallData.cpp: | |
2257 | (JSC::call): | |
2258 | * runtime/CallData.h: | |
2259 | * runtime/Completion.cpp: | |
2260 | (JSC::checkSyntax): | |
2261 | (JSC::evaluate): | |
2262 | * runtime/Completion.h: | |
2263 | (JSC::evaluate): | |
2264 | ||
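A constructed illustration of the two issues and the NakedPtr fix described in the entry above; this is added example code, not JavaScriptCore's own NakedPtr, Exception or evaluate(). The Exception struct, the evaluateScript() stand-ins and the script strings are assumptions made for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed stand-in for JSC::Exception: just carries a message.
struct Exception {
    std::string message;
};

// Minimal NakedPtr in the spirit of the entry above: a non-owning pointer whose
// only job is to guarantee initialization, so a callee that returns early without
// writing it can never leave the caller reading an indeterminate pointer.
template<typename T>
class NakedPtr {
public:
    NakedPtr() : m_ptr(nullptr) { }
    NakedPtr(T* ptr) : m_ptr(ptr) { }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
    NakedPtr& operator=(T* ptr) { m_ptr = ptr; return *this; }
private:
    T* m_ptr;
};

// One shared exception object so the example needs no allocation or ownership.
static Exception divideByZero{ "division by zero" };

// Constructed stand-in for a VM entry point. It follows the post-fix contract:
// the exception slot is written only when something is thrown, and the callee
// never clears it.
int evaluateScript(const std::string& script, NakedPtr<Exception>& returnedException)
{
    if (script.empty())
        return 0;                            // early return that never touches the slot
    if (script == "1/0") {
        returnedException = &divideByZero;   // a throw: record it for the caller
        return 0;
    }
    return static_cast<int>(script.size());  // "result" of a successful evaluation
}

// The r185259-style contract, for contrast: the callee nulls the slot first.
int evaluateScriptClearing(const std::string& script, Exception*& returnedException)
{
    returnedException = nullptr;
    if (script == "1/0")
        returnedException = &divideByZero;
    return static_cast<int>(script.size());
}

// Issue 1: an early return that skips the write is harmless with NakedPtr because
// the slot was null from construction. Returns true if the slot is still null.
bool earlyReturnLeavesSlotNull()
{
    NakedPtr<Exception> exception;
    evaluateScript("", exception);
    return !exception;
}

// Issue 2: a client reusing one slot across two calls expects the first call's
// thrown value to stick. Returns true if it does.
bool thrownValueSticksAcrossCalls()
{
    NakedPtr<Exception> exception;
    evaluateScript("1/0", exception);
    evaluateScript("x + 1", exception);
    return exception && exception->message == "division by zero";
}

// The clearing contract loses the first exception: returns true if it was lost.
bool clearingContractLosesFirstException()
{
    Exception* exception = nullptr;   // must be initialized by hand; forgetting is the bug
    evaluateScriptClearing("1/0", exception);
    evaluateScriptClearing("x + 1", exception);
    return exception == nullptr;
}

int main()
{
    std::cout << "early return leaves slot null: " << earlyReturnLeavesSlotNull() << '\n'
              << "thrown value sticks across calls: " << thrownValueSticksAcrossCalls() << '\n'
              << "clearing contract loses first exception: " << clearingContractLosesFirstException() << '\n';
    return 0;
}
```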
2265 | 2015-06-15 Filip Pizlo <fpizlo@apple.com> | |
2266 | ||
2267 | FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case | |
2268 | https://bugs.webkit.org/show_bug.cgi?id=146002 | |
2269 | ||
2270 | Reviewed by Darin Adler. | |
2271 | ||
2272 | * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code. | |
2273 | (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug. | |
2274 | * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases. | |
2275 | (foo): | |
2276 | ||
2277 | 2015-06-16 Andreas Kling <akling@apple.com> | |
2278 | ||
2279 | [JSC] Pre-bake final Structure for RegExp matches arrays. | |
2280 | <https://webkit.org/b/146006> | |
2281 | ||
2282 | Reviewed by Darin Adler. | |
2283 | ||
2284 | Since we always add the "index" and "input" fields to RegExp matches arrays, | |
2285 | cache a finished structure on the global object so we can create these arrays without | |
2286 | starting from scratch with a bare array every time. | |
2287 | ||
2288 | 10% progression on Octane/regexp (on my MBP.) | |
2289 | ||
2290 | * runtime/JSArray.h: | |
2291 | (JSC::JSArray::create): | |
2292 | (JSC::JSArray::tryCreateUninitialized): | |
2293 | (JSC::JSArray::createWithButterfly): Factored out JSArray construction into a helper | |
2294 | so we can call this from RegExpMatchesArray.cpp. | |
2295 | ||
2296 | * runtime/JSGlobalObject.cpp: | |
2297 | (JSC::JSGlobalObject::init): | |
2298 | (JSC::JSGlobalObject::visitChildren): | |
2299 | * runtime/JSGlobalObject.h: | |
2300 | (JSC::JSGlobalObject::regExpMatchesArrayStructure): Add a cached Structure for RegExp | |
2301 | subpattern matches arrays. | |
2302 | ||
2303 | * runtime/JSObject.h: | |
2304 | (JSC::JSNonFinalObject::finishCreation): Tweak assertion that used to check that | |
2305 | JSNonFinalObjects always start out with zero capacity. Since RegExp matches arrays now | |
2306 | start out with capacity for 2 properties, that won't work. Change it to check that we | |
2307 | don't have inline storage instead, since that should only be used by final objects. | |
2308 | ||
2309 | * runtime/RegExpMatchesArray.h: | |
2310 | * runtime/RegExpMatchesArray.cpp: | |
2311 | (JSC::tryCreateUninitializedRegExpMatchesArray): Helper to construct a JSArray with | |
2312 | the cached Structure and a Butterfly with 2 slots of property storage. | |
2313 | ||
2314 | (JSC::createRegExpMatchesArray): | |
2315 | (JSC::createRegExpMatchesArrayStructure): Creates the array Structure that gets cached | |
2316 | by the JSGlobalObject. | |
2317 | ||
2318 | 2015-06-16 Saam Barati <saambarati1@gmail.com> | |
2319 | ||
2320 | LLInt's code path for get_from_scope with case GlobalVarWithVarInjectionChecks has dead code | |
2321 | https://bugs.webkit.org/show_bug.cgi?id=144268 | |
2322 | ||
2323 | Reviewed by Darin Adler. | |
2324 | ||
2325 | The call to loadVariable(.) both for 32bit and 64bit is unnecessary. | |
2326 | It grabs a value that is immediately overwritten by a call to getGlobalVar(). | |
2327 | ||
2328 | * llint/LowLevelInterpreter32_64.asm: | |
2329 | * llint/LowLevelInterpreter64.asm: | |
2330 | ||
2331 | 2015-06-14 Yusuke Suzuki <utatane.tea@gmail.com> | |
2332 | ||
2333 | [ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor | |
2334 | https://bugs.webkit.org/show_bug.cgi?id=145963 | |
2335 | ||
2336 | Reviewed by Darin Adler. | |
2337 | ||
2338 | ES6 iterators inherit %IteratorPrototype%. | |
2339 | And these prototype objects of derived iterators don't have @@iterator methods. | |
2340 | Instead they use the %IteratorPrototype%[@@iterator] method. | |
2341 | ||
2342 | To encourage inlining in for-of statement, we define this method in JS builtins. | |
2343 | ||
2344 | And these iterator prototype objects don't have any constructor function. | |
2345 | This patch drops them (like StringIteratorConstructor). | |
2346 | ||
2347 | * CMakeLists.txt: | |
2348 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
2349 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
2350 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
2351 | * builtins/Iterator.prototype.js: Renamed from Source/JavaScriptCore/runtime/StringIteratorConstructor.cpp. | |
2352 | (SymbolIterator): | |
2353 | * runtime/ArrayIteratorConstructor.cpp: | |
2354 | (JSC::ArrayIteratorConstructor::finishCreation): Deleted. | |
2355 | * runtime/ArrayIteratorConstructor.h: Removed. | |
2356 | (JSC::ArrayIteratorConstructor::create): Deleted. | |
2357 | (JSC::ArrayIteratorConstructor::createStructure): Deleted. | |
2358 | (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): Deleted. | |
2359 | * runtime/ArrayIteratorPrototype.cpp: | |
2360 | (JSC::ArrayIteratorPrototype::finishCreation): | |
2361 | (JSC::arrayIteratorProtoFuncIterator): Deleted. | |
2362 | * runtime/IteratorPrototype.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorConstructor.cpp. | |
2363 | (JSC::IteratorPrototype::finishCreation): | |
2364 | * runtime/IteratorPrototype.h: Renamed from Source/JavaScriptCore/runtime/SetIteratorConstructor.h. | |
2365 | (JSC::IteratorPrototype::create): | |
2366 | (JSC::IteratorPrototype::createStructure): | |
2367 | (JSC::IteratorPrototype::IteratorPrototype): | |
2368 | * runtime/JSFunction.cpp: | |
2369 | (JSC::JSFunction::createBuiltinFunction): | |
2370 | * runtime/JSFunction.h: | |
2371 | * runtime/JSGlobalObject.cpp: | |
2372 | (JSC::JSGlobalObject::init): | |
2373 | (JSC::JSGlobalObject::visitChildren): | |
2374 | * runtime/JSGlobalObject.h: | |
2375 | (JSC::JSGlobalObject::iteratorPrototype): | |
2376 | * runtime/MapIteratorConstructor.cpp: Removed. | |
2377 | (JSC::MapIteratorConstructor::finishCreation): Deleted. | |
2378 | * runtime/MapIteratorConstructor.h: Removed. | |
2379 | (JSC::MapIteratorConstructor::create): Deleted. | |
2380 | (JSC::MapIteratorConstructor::createStructure): Deleted. | |
2381 | (JSC::MapIteratorConstructor::MapIteratorConstructor): Deleted. | |
2382 | * runtime/MapIteratorPrototype.cpp: | |
2383 | (JSC::MapIteratorPrototype::finishCreation): Deleted. | |
2384 | (JSC::MapIteratorPrototypeFuncIterator): Deleted. | |
2385 | * runtime/SetIteratorConstructor.cpp: Removed. | |
2386 | (JSC::SetIteratorConstructor::finishCreation): Deleted. | |
2387 | * runtime/SetIteratorConstructor.h: | |
2388 | (JSC::SetIteratorConstructor::create): Deleted. | |
2389 | (JSC::SetIteratorConstructor::createStructure): Deleted. | |
2390 | (JSC::SetIteratorConstructor::SetIteratorConstructor): Deleted. | |
2391 | * runtime/SetIteratorPrototype.cpp: | |
2392 | (JSC::SetIteratorPrototype::finishCreation): Deleted. | |
2393 | (JSC::SetIteratorPrototypeFuncIterator): Deleted. | |
2394 | * runtime/StringIteratorConstructor.cpp: | |
2395 | (JSC::StringIteratorConstructor::finishCreation): Deleted. | |
2396 | * runtime/StringIteratorConstructor.h: Removed. | |
2397 | (JSC::StringIteratorConstructor::create): Deleted. | |
2398 | (JSC::StringIteratorConstructor::createStructure): Deleted. | |
2399 | (JSC::StringIteratorConstructor::StringIteratorConstructor): Deleted. | |
2400 | * runtime/StringIteratorPrototype.cpp: | |
2401 | (JSC::StringIteratorPrototype::finishCreation): | |
2402 | (JSC::stringIteratorPrototypeIterator): Deleted. | |
2403 | * tests/stress/iterator-prototype.js: Added. | |
2404 | (shouldBe): | |
2405 | (inheritIteratorPrototype): | |
2406 | (testChain): | |
2407 | ||
2408 | 2015-06-15 Michael Saboff <msaboff@apple.com> | |
2409 | ||
2410 | JIT bug - fails when inspector closed, works when open | |
2411 | https://bugs.webkit.org/show_bug.cgi?id=145243 | |
2412 | ||
2413 | Reviewed by Oliver Hunt. | |
2414 | ||
2415 | We need to provide the Arguments object as the base when creating the HeapLocation for | |
2416 | GetFromArguments and PutToArguments. Otherwise we end up creating a HeapLocation for | |
2417 | any arguments object, not the one we need. | |
2418 | ||
2419 | * dfg/DFGClobberize.h: | |
2420 | (JSC::DFG::clobberize): | |
2421 | ||
2422 | 2015-06-13 Joseph Pecoraro <pecoraro@apple.com> | |
2423 | ||
2424 | Web Inspector: console.table() with a list of objects no longer works | |
2425 | https://bugs.webkit.org/show_bug.cgi?id=145952 | |
2426 | ||
2427 | Reviewed by Timothy Hatcher. | |
2428 | ||
2429 | * inspector/InjectedScriptSource.js: | |
2430 | (InjectedScript.RemoteObject.prototype._generatePreview): | |
2431 | Calling generatePreview again was actually starting with a preview | |
2432 | of the current object instead of the sub-value. Go down the other | |
2433 | path that correctly generates sub-previews. Leave filtering on the | |
2434 | backend unimplemented, which we were already ignoring. | |
2435 | ||
2436 | 2015-06-13 Youenn Fablet <youenn.fablet@crf.canon.fr> | |
2437 | ||
2438 | [Streams API] ReadableJSStream should handle promises returned by JS source start callback | |
2439 | https://bugs.webkit.org/show_bug.cgi?id=145792 | |
2440 | ||
2441 | Reviewed by Darin Adler. | |
2442 | ||
2443 | Added support for JSFunction implemented by std::function. | |
2444 | ||
2445 | * runtime/JSFunction.cpp: | |
2446 | (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create | |
2447 | (JSC::JSFunction::create): | |
2448 | (JSC::runStdFunction): | |
2449 | * runtime/JSFunction.h: Added std::function based JSFunction::create prototype. | |
2450 | * runtime/JSPromise.h: | |
2451 | ||
2452 | 2015-06-12 Gyuyoung Kim <gyuyoung.kim@webkit.org> | |
2453 | ||
2454 | Purge PassRefPtr in JavaScriptCore - 2 | |
2455 | https://bugs.webkit.org/show_bug.cgi?id=145834 | |
2456 | ||
2457 | Reviewed by Darin Adler. | |
2458 | ||
2459 | As a step to remove PassRefPtr, this patch cleans up PassRefPtr as much as possible | |
2460 | in JavaScriptCore. | |
2461 | ||
2462 | * API/JSClassRef.cpp: | |
2463 | (OpaqueJSClass::create): | |
2464 | * API/JSClassRef.h: | |
2465 | * debugger/DebuggerCallFrame.cpp: | |
2466 | (JSC::DebuggerCallFrame::callerFrame): | |
2467 | * debugger/DebuggerCallFrame.h: | |
2468 | * dfg/DFGJITCompiler.h: | |
2469 | (JSC::DFG::JITCompiler::jitCode): | |
2470 | * inspector/ScriptCallStackFactory.cpp: | |
2471 | (Inspector::createScriptCallStack): | |
2472 | (Inspector::createScriptCallStackForConsole): | |
2473 | (Inspector::createScriptCallStackFromException): | |
2474 | (Inspector::createScriptArguments): | |
2475 | * inspector/ScriptCallStackFactory.h: | |
2476 | * jit/ExecutableAllocator.cpp: | |
2477 | (JSC::ExecutableAllocator::allocate): | |
2478 | * jit/ExecutableAllocator.h: | |
2479 | * jit/ExecutableAllocatorFixedVMPool.cpp: | |
2480 | (JSC::ExecutableAllocator::allocate): | |
2481 | * profiler/LegacyProfiler.cpp: | |
2482 | (JSC::LegacyProfiler::stopProfiling): | |
2483 | * profiler/LegacyProfiler.h: | |
2484 | * runtime/DateInstanceCache.h: | |
2485 | * runtime/Executable.cpp: | |
2486 | (JSC::ScriptExecutable::newCodeBlockFor): | |
2487 | * runtime/Executable.h: | |
2488 | * runtime/GenericTypedArrayView.h: | |
2489 | * runtime/GenericTypedArrayViewInlines.h: | |
2490 | (JSC::GenericTypedArrayView<Adaptor>::create): | |
2491 | (JSC::GenericTypedArrayView<Adaptor>::createUninitialized): | |
2492 | ||
2493 | 2015-06-12 Darin Adler <darin@apple.com> | |
2494 | ||
2495 | Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little | |
2496 | https://bugs.webkit.org/show_bug.cgi?id=145935 | |
2497 | ||
2498 | Reviewed by Anders Carlsson. | |
2499 | ||
2500 | Test: js/regexp-toString.html | |
2501 | ||
2502 | * runtime/RegExpPrototype.cpp: | |
2503 | (JSC::getFlags): Avoid memory allocation for the flags string by returning it in a character | |
2504 | buffer instead of constructing a WTF::String for it. | |
2505 | (JSC::regExpProtoFuncToString): Require only that the this value be an object; don't require | |
2506 | that it is actually a regular expression object. This is covered in the ES6 specification. | |
2507 | Also removed comment about the "/(?:)/" trick since that is now the responsibility of the | |
2508 | getter for the "source" property. Updated to use getFlags so we do one less memory allocation. | |
2509 | (JSC::regExpProtoGetterFlags): Changed to use getFlags instead of the old flagsString. | |
2510 | ||
2511 | 2015-06-12 Basile Clement <basile_clement@apple.com> | |
2512 | ||
2513 | DFG Object Allocation Sinking should not consider GetClosureVar as escapes | |
2514 | https://bugs.webkit.org/show_bug.cgi?id=145904 | |
2515 | ||
2516 | Reviewed by Filip Pizlo. | |
2517 | ||
2518 | The object allocation sinking phase is currently able to sink | |
2519 | CreateActivation nodes, but will consider any GetClosureVar node as | |
2520 | escaping. | |
2521 | ||
2522 | This is not problematic in general as most of the GetClosureVar nodes | |
2523 | we would have been able to sink over will have been eliminated by CSE | |
2524 | anyway. Still, this is an oversight that we should fix since the | |
2525 | machinery is already in place. | |
2526 | ||
2527 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
2528 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
2529 | * dfg/DFGPromoteHeapAccess.h: | |
2530 | (JSC::DFG::promoteHeapAccess): | |
2531 | ||
2532 | 2015-06-11 Mark Lam <mark.lam@apple.com> | |
2533 | ||
2534 | WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects. | |
2535 | https://bugs.webkit.org/show_bug.cgi?id=145872 | |
2536 | ||
2537 | Reviewed by Michael Saboff. | |
2538 | ||
2539 | In r185259, we changed exception handling code inside the VM to work with | |
2540 | Exception objects instead of the thrown JSValue. The handling code will get the | |
2541 | exception stack trace from the Exception object. | |
2542 | ||
2543 | However, there is some code that cannot be updated to pass the Exception object. | |
2544 | Examples of this are the ObjC API functions. Those functions are specified to | |
2545 | return any thrown exception JSValue in a JSValueRef. Since these APIs are | |
2546 | public, we cannot arbitrarily change them to use the Exception object. | |
2547 | ||
2548 | There is client code that calls these APIs and then passes the returned exception | |
2549 | JSValue to WebCore::reportException() to be reported. WebCore::reportException() | |
2550 | previously relied on the VM::exceptionStackTrace() to provide a cache of the | |
2551 | stack trace of the last thrown exception. VM::exceptionStackTrace() no longer | |
2552 | exists in the current code. | |
2553 | ||
2554 | To restore this functionality, we will introduce VM::lastException() which | |
2555 | caches the last thrown Exception object. With this, if the exception passed to | |
2556 | WebCore::reportException() to be reported isn't an Exception object (which has its | |
2557 | own stack trace), reportException() can again use the cached exception stack trace | |
2558 | which is available from VM::lastException(). | |
2559 | ||
2560 | * heap/Heap.cpp: | |
2561 | (JSC::Heap::visitException): | |
2562 | - visit VM::m_lastException on GCs. | |
2563 | ||
2564 | * interpreter/CallFrame.h: | |
2565 | (JSC::ExecState::lastException): | |
2566 | (JSC::ExecState::clearLastException): | |
2567 | - convenience functions to get and clear the last exception. | |
2568 | ||
2569 | * runtime/Exception.cpp: | |
2570 | (JSC::Exception::create): | |
2571 | (JSC::Exception::finishCreation): | |
2572 | - add support to create an Exception object without capturing the JS stack trace. | |
2573 | This is needed for making an Exception object to wrap a thrown value that does | |
2574 | not have a stack trace. | |
2575 | Currently, this is only used by WebCore::reportException() when there is no | |
2576 | Exception object and no last exception available to provide a stack trace. | |
2577 | ||
2578 | * runtime/Exception.h: | |
2579 | (JSC::Exception::cast): Deleted. No longer needed. | |
2580 | ||
2581 | * runtime/VM.h: | |
2582 | (JSC::VM::clearLastException): | |
2583 | (JSC::VM::setException): | |
2584 | (JSC::VM::lastException): | |
2585 | (JSC::VM::addressOfLastException): | |
2586 | - Added support for VM::m_lastException. | |
2587 | VM::m_lastException serves to cache the exception stack of the most recently | |
2588 | thrown exception like VM::exceptionStackTrace() used to before r185259. | |
2589 | ||
2590 | * runtime/VMEntryScope.cpp: | |
2591 | (JSC::VMEntryScope::VMEntryScope): | |
2592 | - Clear VM::m_lastException when we re-enter the VM. Exceptions should have been | |
2593 | handled before we re-enter the VM anyway. So, this is a good place to release | |
2594 | the cached last exception. | |
2595 | ||
2596 | NOTE: this is also where the old code before r185259 clears the last exception | |
2597 | stack trace. So, we're just restoring the previous behavior here in terms of | |
2598 | the lifecycle of the last exception stack. | |
2599 | ||
2600 | 2015-06-11 Andreas Kling <akling@apple.com> | |
2601 | ||
2602 | jsSubstring() should support creating substrings from substrings. | |
2603 | <https://webkit.org/b/145427> | |
2604 | ||
2605 | Reviewed by Geoffrey Garen. | |
2606 | ||
2607 | Tweak jsSubstring() to support base strings that are themselves substrings. | |
2608 | They will now share the same grandparent base. This avoids creating a new StringImpl. | |
2609 | ||
2610 | * runtime/JSString.h: | |
2611 | (JSC::jsSubstring): Don't force rope resolution here. Instead do that in finishCreation() | |
2612 | if the base string is a non-substring rope. Note that resolveRope() is the very last thing | |
2613 | called, since it may allocate and the JSRopeString needs to be ready for marking. | |
2614 | ||
2615 | (JSC::JSString::isSubstring): Added a helper to find out if a JSString is | |
2616 | a substring. This is just for internal use, so you don't have to cast to | |
2617 | JSRopeString for the real substringness flag. | |
2618 | ||
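A constructed model of both jsSubstring() optimizations in this log, the whole-base fast path from the 2015-06-17 entry and the substring-of-substring sharing from the entry above; this is added example code, not JavaScriptCore's JSString or JSRopeString. The JSString struct, the jsString() helper and the sample text are assumptions, and the model has no ropes, so the rope-resolution ordering the entry describes is not represented.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>

// Constructed stand-in for a JSC string cell. A flat string owns its characters;
// a substring only references a base string plus an offset and length.
struct JSString {
    std::string chars;                // meaningful only when base is null
    std::shared_ptr<JSString> base;   // non-null iff this cell is a substring
    size_t offset = 0;
    size_t length = 0;

    bool isSubstring() const { return base != nullptr; }

    // Resolve to the characters this cell denotes.
    std::string value() const
    {
        return isSubstring() ? base->chars.substr(offset, length) : chars;
    }
};

using JSStringPtr = std::shared_ptr<JSString>;

JSStringPtr jsString(std::string chars)
{
    auto s = std::make_shared<JSString>();
    s->length = chars.size();
    s->chars = std::move(chars);
    return s;
}

// Model of jsSubstring() with the two optimizations. Returns nullptr when the
// requested range does not lie inside the base; that check is what keeps a
// sharing substring from aliasing storage past its base.
JSStringPtr jsSubstring(const JSStringPtr& base, size_t offset, size_t length)
{
    if (offset > base->length || length > base->length - offset)
        return nullptr;

    // Fast path: a "substring" spanning the whole base is the base itself.
    if (offset == 0 && length == base->length)
        return base;

    auto result = std::make_shared<JSString>();
    if (base->isSubstring()) {
        // Substring of a substring: share the grandparent's flat storage and
        // translate the offset into the grandparent's coordinates.
        result->base = base->base;
        result->offset = base->offset + offset;
    } else {
        result->base = base;
        result->offset = offset;
    }
    result->length = length;
    return result;
}

// A whole-range request returns the very same cell (no allocation).
bool wholeRangeReturnsBase()
{
    JSStringPtr s = jsString("hello world");
    JSStringPtr world = jsSubstring(s, 6, 5);
    return jsSubstring(s, 0, 11) == s && jsSubstring(world, 0, 5) == world;
}

// A substring of a substring points at the flat grandparent, not at its parent.
bool nestedSubstringSharesGrandparent()
{
    JSStringPtr s = jsString("hello world");
    JSStringPtr world = jsSubstring(s, 6, 5);    // "world"
    JSStringPtr orl = jsSubstring(world, 1, 3);  // "orl"
    return orl->base == s && orl->offset == 7 && orl->value() == "orl";
}

// Out-of-range requests are rejected rather than reading past the base.
bool outOfRangeRejected()
{
    JSStringPtr s = jsString("hello world");
    JSStringPtr world = jsSubstring(s, 6, 5);
    return jsSubstring(world, 3, 3) == nullptr && jsSubstring(s, 12, 0) == nullptr;
}

int main()
{
    std::cout << "whole range returns base: " << wholeRangeReturnsBase() << '\n'
              << "nested substring shares grandparent: " << nestedSubstringSharesGrandparent() << '\n'
              << "out of range rejected: " << outOfRangeRejected() << '\n';
    return 0;
}
```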
2619 | 2015-06-11 Commit Queue <commit-queue@webkit.org> | |
2620 | ||
2621 | Unreviewed, rolling out r185465. | |
2622 | https://bugs.webkit.org/show_bug.cgi?id=145893 | |
2623 | ||
2624 | "This patch is breaking 32bit mac build" (Requested by youenn | |
2625 | on #webkit). | |
2626 | ||
2627 | Reverted changeset: | |
2628 | ||
2629 | "[Streams API] ReadableJSStream should handle promises | |
2630 | returned by JS source start callback" | |
2631 | https://bugs.webkit.org/show_bug.cgi?id=145792 | |
2632 | http://trac.webkit.org/changeset/185465 | |
2633 | ||
2634 | 2015-06-11 Youenn Fablet <youenn.fablet@crf.canon.fr> | |
2635 | ||
2636 | [Streams API] ReadableJSStream should handle promises returned by JS source start callback | |
2637 | https://bugs.webkit.org/show_bug.cgi?id=145792 | |
2638 | ||
2639 | Reviewed by Darin Adler. | |
2640 | ||
2641 | Added support for JSFunction implemented by std::function. | |
2642 | ||
2643 | * runtime/JSFunction.cpp: | |
2644 | (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create | |
2645 | (JSC::JSFunction::create): | |
2646 | (JSC::runStdFunction): | |
2647 | * runtime/JSFunction.h: Added std::function based JSFunction::create prototype. | |
2648 | * runtime/JSPromise.h: | |
2649 | ||
2650 | 2015-06-10 Yusuke Suzuki <utatane.tea@gmail.com> | |
2651 | ||
2652 | ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html | |
2653 | https://bugs.webkit.org/show_bug.cgi?id=145599 | |
2654 | ||
2655 | Unreviewed, simple follow up patch. | |
2656 | ||
2657 | Use jsString instead of jsMakeNontrivialString | |
2658 | since the flag string may be trivial (0 or 1 length). | |
2659 | ||
2660 | * runtime/RegExpPrototype.cpp: | |
2661 | (JSC::regExpProtoGetterFlags): | |
2662 | ||
2663 | 2015-06-10 Yusuke Suzuki <utatane.tea@gmail.com> | |
2664 | ||
2665 | JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure | |
2666 | https://bugs.webkit.org/show_bug.cgi?id=90678 | |
2667 | ||
2668 | Reviewed by Darin Adler. | |
2669 | ||
2670 | After ES6, escaped reserved words in identifiers are prohibited. | |
2671 | After parsing Identifier, we should perform `m_buffer16.shrink(0)`. | |
2672 | ||
2673 | * parser/Lexer.cpp: | |
2674 | (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): | |
2675 | * tests/mozilla/ecma_3/Unicode/uc-003.js: | |
2676 | (test): Deleted. | |
2677 | * tests/stress/reserved-word-with-escape.js: Added. | |
2678 | (testSyntax): | |
2679 | (testSyntaxError): | |
2680 | ||
2681 | 2015-06-10 Jordan Harband <ljharb@gmail.com> | |
2682 | ||
2683 | Implement RegExp.prototype.flags | |
2684 | https://bugs.webkit.org/show_bug.cgi?id=145599 | |
2685 | ||
2686 | Reviewed by Geoffrey Garen. | |
2687 | Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-regexp.prototype.flags | |
2688 | ||
2689 | * runtime/CommonIdentifiers.h: | |
2690 | * runtime/RegExpPrototype.cpp: | |
2691 | (JSC::flagsString): | |
2692 | (JSC::regExpProtoFuncToString): | |
2693 | (JSC::regExpProtoGetterFlags): | |
2694 | * tests/stress/static-getter-in-names.js: | |
2695 | ||
2696 | 2015-06-10 Filip Pizlo <fpizlo@apple.com> | |
2697 | ||
2698 | DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager | |
2699 | https://bugs.webkit.org/show_bug.cgi?id=145853 | |
2700 | ||
2701 | Unreviewed, remove the assertion. | |
2702 | ||
2703 | * dfg/DFGCSEPhase.cpp: | |
2704 | ||
2705 | 2015-06-10 Commit Queue <commit-queue@webkit.org> | |
2706 | ||
2707 | Unreviewed, rolling out r185414. | |
2708 | https://bugs.webkit.org/show_bug.cgi?id=145844 | |
2709 | ||
2710 | broke debug and jsc tests (Requested by alexchristensen on | |
2711 | #webkit). | |
2712 | ||
2713 | Reverted changeset: | |
2714 | ||
2715 | "JavaScript: Drop the “escaped reserved words as identifiers” | |
2716 | compatibility measure" | |
2717 | https://bugs.webkit.org/show_bug.cgi?id=90678 | |
2718 | http://trac.webkit.org/changeset/185414 | |
2719 | ||
2720 | 2015-06-10 Yusuke Suzuki <utatane.tea@gmail.com> | |
2721 | ||
2722 | JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure | |
2723 | https://bugs.webkit.org/show_bug.cgi?id=90678 | |
2724 | ||
2725 | Reviewed by Darin Adler. | |
2726 | ||
2727 | After ES6, escaped reserved words in identifiers are prohibited. | |
2728 | ||
2729 | * parser/Lexer.cpp: | |
2730 | (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): | |
2731 | * tests/stress/reserved-word-with-escape.js: Added. | |
2732 | (testSyntax): | |
2733 | (testSyntaxError): | |
2734 | ||
2735 | 2015-06-10 Andreas Kling <akling@apple.com> | |
2736 | ||
2737 | [JSC] InlineCallFrame::arguments should be sized-to-fit. | |
2738 | <https://webkit.org/b/145782> | |
2739 | ||
2740 | Reviewed by Darin Adler. | |
2741 | ||
2742 | I spotted this Vector<ValueRecovery> looking a bit chubby in Instruments, | |
2743 | with 354 kB of memory allocated on cnet.com. | |
2744 | ||
2745 | Use resizeToFit() instead of resize() since we know the final size up front. | |
2746 | ||
2747 | * dfg/DFGByteCodeParser.cpp: | |
2748 | (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): | |
2749 | ||
2750 | 2015-06-09 Chris Dumez <cdumez@apple.com> | |
2751 | ||
2752 | Allow one sync GC per gcTimer interval on critical memory pressure warning | |
2753 | https://bugs.webkit.org/show_bug.cgi?id=145773 | |
2754 | ||
2755 | Reviewed by Geoffrey Garen. | |
2756 | ||
2757 | On critical memory pressure warning, we were calling GCController::garbageCollectSoon(), | |
2758 | which does not offer any guarantee on when the garbage collection will actually take | |
2759 | place. | |
2760 | ||
2761 | On critical memory pressure, we need to free up memory as soon as possible to avoid | |
2762 | getting killed so this is an issue. Also, the fact that we clear the PageCache on | |
2763 | critical memory pressure means a GC would likely be useful, even if the last | |
2764 | collection did not free much memory. | |
2765 | ||
2766 | This patch adds a new GCController::garbageCollectNowIfNotDoneRecently() API that allows | |
2767 | one synchronous GC per gcTimer interval on critical memory pressure warning. This makes | |
2768 | us more responsive to critical memory pressure and avoids doing synchronous GCs too | |
2769 | often. | |
2770 | ||
2771 | * heap/FullGCActivityCallback.cpp: | |
2772 | (JSC::FullGCActivityCallback::doCollection): | |
2773 | * heap/FullGCActivityCallback.h: | |
2774 | (JSC::GCActivityCallback::createFullTimer): | |
2775 | * heap/GCActivityCallback.h: | |
2776 | * heap/Heap.cpp: | |
2777 | (JSC::Heap::collectAllGarbageIfNotDoneRecently): | |
2778 | * heap/Heap.h: | |
2779 | ||
2780 | * heap/IncrementalSweeper.cpp: | |
2781 | (JSC::IncrementalSweeper::doWork): Deleted. | |
2782 | * heap/IncrementalSweeper.h: | |
2783 | ||
2784 | Drop fullSweep() API as it no longer seems useful. garbageCollectNow() | |
2785 | already does a sweep after the full collection. | |
2786 | ||
2787 | 2015-06-09 Andreas Kling <akling@apple.com> | |
2788 | ||
2789 | [JSC] CodeBlock::m_constantRegisters should be sized-to-fit. | |
2790 | <https://webkit.org/b/145784> | |
2791 | ||
2792 | Reviewed by Darin Adler. | |
2793 | ||
2794 | Spotted this Vector looking chubby on cnet.com, with 1.23 MB of memory | |
2795 | allocated below CodeBlock::setConstantRegisters(). | |
2796 | ||
2797 | Use resizeToFit() instead since we know the final size up front. | |
2798 | Also removed some unused functions that operated on this constants vector | |
2799 | and the corresponding one in UnlinkedCodeBlock. | |
2800 | ||
2801 | * bytecode/CodeBlock.cpp: | |
2802 | (JSC::CodeBlock::addOrFindConstant): Deleted. | |
2803 | (JSC::CodeBlock::findConstant): Deleted. | |
2804 | * bytecode/CodeBlock.h: | |
2805 | (JSC::CodeBlock::setConstantRegisters): | |
2806 | (JSC::CodeBlock::numberOfConstantRegisters): Deleted. | |
2807 | * bytecode/UnlinkedCodeBlock.cpp: | |
2808 | (JSC::UnlinkedCodeBlock::addOrFindConstant): Deleted. | |
2809 | * bytecode/UnlinkedCodeBlock.h: | |
2810 | (JSC::UnlinkedCodeBlock::numberOfConstantRegisters): Deleted. | |
2811 | (JSC::UnlinkedCodeBlock::getConstant): Deleted. | |
2812 | ||
2813 | 2015-06-09 Andreas Kling <akling@apple.com> | |
2814 | ||
2815 | [JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed. | |
2816 | <https://webkit.org/b/145786> | |
2817 | ||
2818 | Reviewed by Darin Adler. | |
2819 | ||
2820 | These functions already contained comments saying they optimize for size over speed, | |
2821 | but they were using Vector::resize() which adds the usual slack for faster append(). | |
2822 | ||
2823 | Switch them over to using Vector::resizeToFit() instead, which makes the Vector | |
2824 | allocate a perfectly sized backing store. | |
2825 | ||
2826 | Spotted 670 kB of the GetById ones, and 165 kB of PutById on cnet.com, so these | |
2827 | Vectors are definitely worth shrink-wrapping. | |
2828 | ||
2829 | * bytecode/PolymorphicGetByIdList.cpp: | |
2830 | (JSC::PolymorphicGetByIdList::addAccess): | |
2831 | * bytecode/PolymorphicPutByIdList.cpp: | |
2832 | (JSC::PolymorphicPutByIdList::addAccess): | |
2833 | ||
2834 | 2015-06-09 Andreas Kling <akling@apple.com> | |
2835 | ||
2836 | [JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit. | |
2837 | <https://webkit.org/b/145787> | |
2838 | ||
2839 | Reviewed by Darin Adler. | |
2840 | ||
2841 | Saw 108 kB worth of JSPropertyNameEnumerator backing store Vectors on cnet.com. | |
2842 | Use Vector::resizeToFit() since we know the perfect size up front. | |
2843 | ||
2844 | * runtime/JSPropertyNameEnumerator.cpp: | |
2845 | (JSC::JSPropertyNameEnumerator::finishCreation): | |
2846 | ||
2847 | 2015-06-09 Andreas Kling <akling@apple.com> | |
2848 | ||
2849 | FunctionExecutable::isCompiling() is weird and wrong. | |
2850 | <https://webkit.org/b/145689> | |
2851 | ||
2852 | Reviewed by Geoffrey Garen. | |
2853 | ||
2854 | Remove FunctionExecutable::isCompiling() and the clearCodeIfNotCompiling() style | |
2855 | functions that called it before throwing away code. | |
2856 | ||
2857 | isCompiling() would consider the executable to be "compiling" if it had a CodeBlock | |
2858 | but no JITCode. In practice, every executable gets a JITCode at the same time as it | |
2859 | gets a CodeBlock, by way of prepareForExecutionImpl(). | |
2860 | ||
2861 | * debugger/Debugger.cpp: | |
2862 | * heap/Heap.cpp: | |
2863 | (JSC::Heap::deleteAllCompiledCode): | |
2864 | (JSC::Heap::deleteAllUnlinkedFunctionCode): | |
2865 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
2866 | (Inspector::TypeRecompiler::visit): | |
2867 | * runtime/Executable.cpp: | |
2868 | (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation): | |
2869 | (JSC::FunctionExecutable::clearCodeIfNotCompiling): Deleted. | |
2870 | (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling): Deleted. | |
2871 | * runtime/Executable.h: | |
2872 | * runtime/VM.cpp: | |
2873 | (JSC::StackPreservingRecompiler::visit): | |
2874 | ||
2875 | 2015-06-09 Yusuke Suzuki <utatane.tea@gmail.com> | |
2876 | ||
2877 | Introduce getter definition into static hash tables and use it for getters in RegExp.prototype. | |
2878 | https://bugs.webkit.org/show_bug.cgi?id=145705 | |
2879 | ||
2880 | Reviewed by Darin Adler. | |
2881 | ||
2882 | In this patch, we introduce Accessor type into property tables. | |
2883 | With Accessor type, create_hash_table creates a static getter property. | |
2884 | This getter property is reified as the same to the static functions. | |
2885 | ||
2886 | In the meantime, we only support getters because `putEntry` and `lookupPut` | |
2887 | only work with a null setter currently. However, in the spec, there's | |
2888 | no need to add static setter properties. So we will add it if it becomes | |
2889 | necessary in the future. | |
2890 | ||
2891 | And at the same time, this patch fixes issue 145738. Before this patch, | |
2892 | `putEntry` in `JSObject::deleteProperty` adds an `undefined` property if | |
2893 | `isValidOffset(...)` is false (deleted). As a result, deleting twice | |
2894 | revives the property with an `undefined` value. | |
2895 | ||
2896 | If the static functions are reified and the entry is | |
2897 | `BuiltinOrFunctionOrAccessor`, there's no need to execute `putEntry` with | |
2898 | the static hash table entry. They should be handled in the normal structure's | |
2899 | lookup because they should already be reified. So a guard was added for this. | |
2900 | ||
2901 | * CMakeLists.txt: | |
2902 | * DerivedSources.make: | |
2903 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
2904 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
2905 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
2906 | * create_hash_table: | |
2907 | * runtime/JSObject.cpp: | |
2908 | (JSC::getClassPropertyNames): | |
2909 | (JSC::JSObject::put): | |
2910 | (JSC::JSObject::deleteProperty): | |
2911 | (JSC::JSObject::reifyStaticFunctionsForDelete): | |
2912 | * runtime/Lookup.cpp: | |
2913 | (JSC::reifyStaticAccessor): | |
2914 | (JSC::setUpStaticFunctionSlot): | |
2915 | * runtime/Lookup.h: | |
2916 | (JSC::HashTableValue::propertyGetter): | |
2917 | (JSC::HashTableValue::propertyPutter): | |
2918 | (JSC::HashTableValue::accessorGetter): | |
2919 | (JSC::HashTableValue::accessorSetter): | |
2920 | (JSC::getStaticPropertySlot): | |
2921 | (JSC::getStaticValueSlot): | |
2922 | (JSC::putEntry): | |
2923 | (JSC::reifyStaticProperties): | |
2924 | * runtime/PropertySlot.h: | |
2925 | * runtime/RegExpObject.cpp: | |
2926 | (JSC::RegExpObject::getOwnPropertySlot): | |
2927 | (JSC::regExpObjectGlobal): Deleted. | |
2928 | (JSC::regExpObjectIgnoreCase): Deleted. | |
2929 | (JSC::regExpObjectMultiline): Deleted. | |
2930 | (JSC::appendLineTerminatorEscape<LChar>): Deleted. | |
2931 | (JSC::appendLineTerminatorEscape<UChar>): Deleted. | |
2932 | (JSC::regExpObjectSourceInternal): Deleted. | |
2933 | (JSC::regExpObjectSource): Deleted. | |
2934 | * runtime/RegExpPrototype.cpp: | |
2935 | (JSC::RegExpPrototype::getOwnPropertySlot): | |
2936 | (JSC::regExpProtoGetterGlobal): | |
2937 | (JSC::regExpProtoGetterIgnoreCase): | |
2938 | (JSC::regExpProtoGetterMultiline): | |
2939 | (JSC::appendLineTerminatorEscape<LChar>): | |
2940 | (JSC::appendLineTerminatorEscape<UChar>): | |
2941 | (JSC::regExpProtoGetterSourceInternal): | |
2942 | (JSC::regExpProtoGetterSource): | |
2943 | * tests/stress/static-function-delete.js: Added. | |
2944 | (shouldBe): | |
2945 | * tests/stress/static-function-put.js: Added. | |
2946 | (shouldBe): | |
2947 | * tests/stress/static-getter-delete.js: Added. | |
2948 | (shouldBe): | |
2949 | (shouldThrow): | |
2950 | * tests/stress/static-getter-descriptors.js: Added. | |
2951 | (shouldBe): | |
2952 | * tests/stress/static-getter-enumeration.js: Added. | |
2953 | (shouldBe): | |
2954 | * tests/stress/static-getter-get.js: Added. | |
2955 | (shouldBe): | |
2956 | * tests/stress/static-getter-in-names.js: Added. | |
2957 | (shouldBe): | |
2958 | * tests/stress/static-getter-names.js: Added. | |
2959 | (shouldBe): | |
2960 | * tests/stress/static-getter-put.js: Added. | |
2961 | (shouldBe): | |
2962 | (shouldThrow): | |
2963 | ||
2964 | 2015-06-09 Andreas Kling <akling@apple.com> | |
2965 | ||
2966 | [JSC] JSString::getIndex() should avoid reifying substrings. | |
2967 | <https://webkit.org/b/145803> | |
2968 | ||
2969 | Reviewed by Darin Adler. | |
2970 | ||
2971 | Implement getIndex() using JSString::view(), which cuts it down to a one-liner | |
2972 | and also avoids reifying substrings. | |
2973 | ||
2974 | I saw 178 kB of reified substrings below operationGetByVal -> getIndex() | |
2975 | on cnet.com, so this should help. | |
2976 | ||
2977 | * runtime/JSString.cpp: | |
2978 | (JSC::JSRopeString::getIndexSlowCase): Deleted. | |
2979 | * runtime/JSString.h: | |
2980 | (JSC::JSString::getIndex): | |
2981 | ||
2982 | 2015-06-09 Andreas Kling <akling@apple.com> | |
2983 | ||
2984 | [JSC] String.prototype.indexOf() should use StringView. | |
2985 | <https://webkit.org/b/145351> | |
2986 | ||
2987 | Reviewed by Darin Adler. | |
2988 | ||
2989 | Use StringView::find() to implement String.prototype.indexOf(). | |
2990 | This avoids reifying the needle and haystack JSStrings in case they | |
2991 | are substrings. | |
2992 | ||
2993 | Reduces malloc memory by ~190 kB on cnet.com. | |
2994 | ||
2995 | * runtime/StringPrototype.cpp: | |
2996 | (JSC::stringProtoFuncIndexOf): | |
2997 | ||
2998 | 2015-06-09 Csaba Osztrogonác <ossy@webkit.org> | |
2999 | ||
3000 | [cmake] Fix the style issues in cmake project files | |
3001 | https://bugs.webkit.org/show_bug.cgi?id=145755 | |
3002 | ||
3003 | Reviewed by Darin Adler. | |
3004 | ||
3005 | * CMakeLists.txt: | |
3006 | ||
3007 | 2015-06-08 Gyuyoung Kim <gyuyoung.kim@webkit.org> | |
3008 | ||
3009 | Purge PassRefPtr in JavaScriptCore | |
3010 | https://bugs.webkit.org/show_bug.cgi?id=145750 | |
3011 | ||
3012 | As a step to purge PassRefPtr, this patch replaces PassRefPtr with Ref or RefPtr. | |
3013 | ||
3014 | Reviewed by Darin Adler. | |
3015 | ||
3016 | * API/JSClassRef.cpp: | |
3017 | (OpaqueJSClass::createNoAutomaticPrototype): | |
3018 | * API/JSClassRef.h: | |
3019 | * API/JSContextRef.cpp: | |
3020 | * API/JSScriptRef.cpp: | |
3021 | (OpaqueJSScript::create): | |
3022 | * API/JSStringRef.cpp: | |
3023 | (JSStringCreateWithCharacters): | |
3024 | (JSStringCreateWithUTF8CString): | |
3025 | * API/OpaqueJSString.cpp: | |
3026 | (OpaqueJSString::create): | |
3027 | * API/OpaqueJSString.h: | |
3028 | (OpaqueJSString::create): | |
3029 | * bytecompiler/StaticPropertyAnalysis.h: | |
3030 | (JSC::StaticPropertyAnalysis::create): | |
3031 | * debugger/DebuggerCallFrame.h: | |
3032 | (JSC::DebuggerCallFrame::create): | |
3033 | * dfg/DFGToFTLDeferredCompilationCallback.cpp: | |
3034 | (JSC::DFG::ToFTLDeferredCompilationCallback::create): | |
3035 | * dfg/DFGToFTLDeferredCompilationCallback.h: | |
3036 | * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: | |
3037 | (JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create): | |
3038 | (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): Deleted. | |
3039 | * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: | |
3040 | * dfg/DFGWorklist.cpp: | |
3041 | (JSC::DFG::Worklist::create): | |
3042 | (JSC::DFG::ensureGlobalDFGWorklist): | |
3043 | (JSC::DFG::ensureGlobalFTLWorklist): | |
3044 | * dfg/DFGWorklist.h: | |
3045 | * heap/EdenGCActivityCallback.h: | |
3046 | (JSC::GCActivityCallback::createEdenTimer): | |
3047 | * heap/FullGCActivityCallback.h: | |
3048 | (JSC::GCActivityCallback::createFullTimer): | |
3049 | * heap/GCActivityCallback.h: | |
3050 | * inspector/InjectedScriptHost.h: | |
3051 | * inspector/JavaScriptCallFrame.h: | |
3052 | (Inspector::JavaScriptCallFrame::create): | |
3053 | * inspector/ScriptArguments.cpp: | |
3054 | (Inspector::ScriptArguments::create): | |
3055 | * inspector/ScriptArguments.h: | |
3056 | * jit/JITStubRoutine.h: | |
3057 | (JSC::JITStubRoutine::createSelfManagedRoutine): | |
3058 | * jit/JITToDFGDeferredCompilationCallback.cpp: | |
3059 | (JSC::JITToDFGDeferredCompilationCallback::create): | |
3060 | * jit/JITToDFGDeferredCompilationCallback.h: | |
3061 | * jsc.cpp: | |
3062 | (jscmain): | |
3063 | * parser/NodeConstructors.h: | |
3064 | (JSC::ArrayPatternNode::create): | |
3065 | (JSC::ObjectPatternNode::create): | |
3066 | (JSC::BindingNode::create): | |
3067 | * parser/Nodes.cpp: | |
3068 | (JSC::FunctionParameters::create): | |
3069 | * parser/Nodes.h: | |
3070 | * parser/SourceProvider.h: | |
3071 | (JSC::StringSourceProvider::create): | |
3072 | * profiler/Profile.cpp: | |
3073 | (JSC::Profile::create): | |
3074 | * profiler/Profile.h: | |
3075 | * profiler/ProfileGenerator.cpp: | |
3076 | (JSC::ProfileGenerator::create): | |
3077 | * profiler/ProfileGenerator.h: | |
3078 | * profiler/ProfileNode.h: | |
3079 | (JSC::ProfileNode::create): | |
3080 | * runtime/DataView.cpp: | |
3081 | (JSC::DataView::create): | |
3082 | * runtime/DataView.h: | |
3083 | * runtime/DateInstanceCache.h: | |
3084 | (JSC::DateInstanceData::create): | |
3085 | * runtime/JSPromiseReaction.cpp: | |
3086 | (JSC::createExecutePromiseReactionMicrotask): | |
3087 | * runtime/JSPromiseReaction.h: | |
3088 | * runtime/PropertyNameArray.h: | |
3089 | (JSC::PropertyNameArrayData::create): | |
3090 | * runtime/TypeSet.h: | |
3091 | (JSC::StructureShape::create): | |
3092 | (JSC::TypeSet::create): | |
3093 | * runtime/TypedArrayBase.h: | |
3094 | (JSC::TypedArrayBase::create): | |
3095 | (JSC::TypedArrayBase::createUninitialized): | |
3096 | (JSC::TypedArrayBase::subarrayImpl): | |
3097 | * runtime/VM.cpp: | |
3098 | (JSC::VM::createContextGroup): | |
3099 | (JSC::VM::create): | |
3100 | (JSC::VM::createLeaked): | |
3101 | * runtime/VM.h: | |
3102 | * yarr/RegularExpression.cpp: | |
3103 | (JSC::Yarr::RegularExpression::Private::create): | |
3104 | ||
3105 | 2015-06-08 Filip Pizlo <fpizlo@apple.com> | |
3106 | ||
3107 | It should be possible to hoist all constants in DFG SSA | |
3108 | https://bugs.webkit.org/show_bug.cgi?id=145769 | |
3109 | ||
3110 | Reviewed by Geoffrey Garen. | |
3111 | ||
3112 | It's sometimes somewhat more efficient, and convenient, to have all constants at the | |
3113 | top of the root block. We don't require this as an IR invariant because too many phases | |
3114 | want to be able to insert constants in weird places. But, this phase will be great for | |
3115 | preparing for https://bugs.webkit.org/show_bug.cgi?id=145768. | |
3116 | ||
3117 | * CMakeLists.txt: | |
3118 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
3119 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
3120 | * dfg/DFGConstantHoistingPhase.cpp: Added. | |
3121 | (JSC::DFG::performConstantHoisting): | |
3122 | * dfg/DFGConstantHoistingPhase.h: Added. | |
3123 | * dfg/DFGPlan.cpp: | |
3124 | (JSC::DFG::Plan::compileInThreadImpl): | |
3125 | ||
3126 | 2015-06-07 Filip Pizlo <fpizlo@apple.com> | |
3127 | ||
3128 | The tiny set magic in StructureSet should be available in WTF | |
3129 | https://bugs.webkit.org/show_bug.cgi?id=145722 | |
3130 | ||
3131 | Reviewed by Geoffrey Garen. | |
3132 | ||
3133 | I took the generic logic of small sets of pointers and moved it into WTF. Now, | |
3134 | StructureSet is a subclass of TinyPtrSet<Structure*>. There shouldn't be any functional | |
3135 | change. | |
3136 | ||
3137 | * bytecode/StructureSet.cpp: | |
3138 | (JSC::StructureSet::filter): | |
3139 | (JSC::StructureSet::filterArrayModes): | |
3140 | (JSC::StructureSet::speculationFromStructures): | |
3141 | (JSC::StructureSet::arrayModesFromStructures): | |
3142 | (JSC::StructureSet::dumpInContext): | |
3143 | (JSC::StructureSet::dump): | |
3144 | (JSC::StructureSet::clear): Deleted. | |
3145 | (JSC::StructureSet::add): Deleted. | |
3146 | (JSC::StructureSet::remove): Deleted. | |
3147 | (JSC::StructureSet::contains): Deleted. | |
3148 | (JSC::StructureSet::merge): Deleted. | |
3149 | (JSC::StructureSet::exclude): Deleted. | |
3150 | (JSC::StructureSet::isSubsetOf): Deleted. | |
3151 | (JSC::StructureSet::overlaps): Deleted. | |
3152 | (JSC::StructureSet::operator==): Deleted. | |
3153 | (JSC::StructureSet::addOutOfLine): Deleted. | |
3154 | (JSC::StructureSet::containsOutOfLine): Deleted. | |
3155 | (JSC::StructureSet::copyFromOutOfLine): Deleted. | |
3156 | (JSC::StructureSet::OutOfLineList::create): Deleted. | |
3157 | (JSC::StructureSet::OutOfLineList::destroy): Deleted. | |
3158 | * bytecode/StructureSet.h: | |
3159 | (JSC::StructureSet::onlyStructure): | |
3160 | (JSC::StructureSet::StructureSet): Deleted. | |
3161 | (JSC::StructureSet::operator=): Deleted. | |
3162 | (JSC::StructureSet::~StructureSet): Deleted. | |
3163 | (JSC::StructureSet::isEmpty): Deleted. | |
3164 | (JSC::StructureSet::genericFilter): Deleted. | |
3165 | (JSC::StructureSet::isSupersetOf): Deleted. | |
3166 | (JSC::StructureSet::size): Deleted. | |
3167 | (JSC::StructureSet::at): Deleted. | |
3168 | (JSC::StructureSet::operator[]): Deleted. | |
3169 | (JSC::StructureSet::last): Deleted. | |
3170 | (JSC::StructureSet::iterator::iterator): Deleted. | |
3171 | (JSC::StructureSet::iterator::operator*): Deleted. | |
3172 | (JSC::StructureSet::iterator::operator++): Deleted. | |
3173 | (JSC::StructureSet::iterator::operator==): Deleted. | |
3174 | (JSC::StructureSet::iterator::operator!=): Deleted. | |
3175 | (JSC::StructureSet::begin): Deleted. | |
3176 | (JSC::StructureSet::end): Deleted. | |
3177 | (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): Deleted. | |
3178 | (JSC::StructureSet::ContainsOutOfLine::operator()): Deleted. | |
3179 | (JSC::StructureSet::copyFrom): Deleted. | |
3180 | (JSC::StructureSet::OutOfLineList::list): Deleted. | |
3181 | (JSC::StructureSet::OutOfLineList::OutOfLineList): Deleted. | |
3182 | (JSC::StructureSet::deleteStructureListIfNecessary): Deleted. | |
3183 | (JSC::StructureSet::isThin): Deleted. | |
3184 | (JSC::StructureSet::pointer): Deleted. | |
3185 | (JSC::StructureSet::singleStructure): Deleted. | |
3186 | (JSC::StructureSet::structureList): Deleted. | |
3187 | (JSC::StructureSet::set): Deleted. | |
3188 | (JSC::StructureSet::setEmpty): Deleted. | |
3189 | (JSC::StructureSet::getReservedFlag): Deleted. | |
3190 | (JSC::StructureSet::setReservedFlag): Deleted. | |
3191 | * dfg/DFGStructureAbstractValue.cpp: | |
3192 | (JSC::DFG::StructureAbstractValue::clobber): | |
3193 | (JSC::DFG::StructureAbstractValue::filter): | |
3194 | (JSC::DFG::StructureAbstractValue::filterSlow): | |
3195 | (JSC::DFG::StructureAbstractValue::contains): | |
3196 | * dfg/DFGStructureAbstractValue.h: | |
3197 | (JSC::DFG::StructureAbstractValue::makeTop): | |
3198 | ||
3199 | 2015-06-08 Csaba Osztrogonác <ossy@webkit.org> | |
3200 | ||
3201 | [ARM] Add the missing setupArgumentsWithExecState functions after r185240 | |
3202 | https://bugs.webkit.org/show_bug.cgi?id=145754 | |
3203 | ||
3204 | Reviewed by Benjamin Poulain. | |
3205 | ||
3206 | * jit/CCallHelpers.h: | |
3207 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
3208 | ||
3209 | 2015-06-08 Brady Eidson <beidson@apple.com> | |
3210 | ||
3211 | Completely remove all IDB properties/constructors when it is disabled at runtime. | |
3212 | rdar://problem/18429374 and https://bugs.webkit.org/show_bug.cgi?id=137034 | |
3213 | ||
3214 | Reviewed by Geoffrey Garen. | |
3215 | ||
3216 | * runtime/CommonIdentifiers.h: | |
3217 | ||
3218 | 2015-06-06 Mark Lam <mark.lam@apple.com> | |
3219 | ||
3220 | Returned Exception* values need to be initialized to nullptr when no exceptions are thrown. | |
3221 | https://bugs.webkit.org/show_bug.cgi?id=145720 | |
3222 | ||
3223 | Reviewed by Dan Bernstein. | |
3224 | ||
3225 | * debugger/DebuggerCallFrame.cpp: | |
3226 | (JSC::DebuggerCallFrame::evaluate): | |
3227 | ||
3228 | 2015-06-05 Mark Lam <mark.lam@apple.com> | |
3229 | ||
3230 | Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren(). | |
3231 | https://bugs.webkit.org/show_bug.cgi?id=145709 | |
3232 | ||
3233 | Reviewed by Geoffrey Garen. | |
3234 | ||
3235 | * jsc.cpp: | |
3236 | (functionSetElementRoot): | |
3237 | - The Element class has a member of type Root which extends JSDestructibleObject. | |
3238 | It should be stored in a WriteBarrier, and visited by visitChildren(). | |
3239 | ||
3240 | * runtime/ClonedArguments.cpp: | |
3241 | (JSC::ClonedArguments::materializeSpecialsIfNecessary): | |
3242 | (JSC::ClonedArguments::visitChildren): | |
3243 | * runtime/ClonedArguments.h: | |
3244 | - Add missing visitChildren(). | |
3245 | ||
3246 | * tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added. | |
3247 | (makeTransientFunction.transientFunc): | |
3248 | (makeTransientFunction): | |
3249 | ||
3250 | 2015-06-05 Geoffrey Garen <ggaren@apple.com> | |
3251 | ||
3252 | DropAllLocks RELEASE_ASSERT on iOS | |
3253 | https://bugs.webkit.org/show_bug.cgi?id=139654 | |
3254 | ||
3255 | Reviewed by Mark Lam. | |
3256 | ||
3257 | * runtime/JSLock.cpp: | |
3258 | (JSC::JSLock::dropAllLocks): Removed a comment because it duplicated | |
3259 | the code beneath it. Removed a FIXME because we can't ASSERT that | |
3260 | we're holding the lock. WebKit1 on iOS drops the lock before calling to | |
3261 | delegates, not knowing whether it holds the lock or not. | |
3262 | ||
3263 | (JSC::JSLock::DropAllLocks::DropAllLocks): Only ASSERT that we are not | |
3264 | GC'ing if we hold the lock. If we do not hold the lock, it is perfectly | |
3265 | valid for some other thread, which does hold the lock, to be GC'ing. | |
3266 | What is not valid is to drop the lock in the middle of GC, since GC | |
3267 | must be atomic. | |
3268 | ||
3269 | 2015-06-05 Filip Pizlo <fpizlo@apple.com> | |
3270 | ||
3271 | speculateRealNumber() should early exit if you're already a real number, not if you're already a real double. | |
3272 | ||
3273 | Rubber stamped by Mark Lam. | |
3274 | ||
3275 | This was causing: https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r185261%20(5180)/webaudio/note-grain-on-timing-crash-log.txt | |
3276 | ||
3277 | * dfg/DFGSpeculativeJIT.cpp: | |
3278 | (JSC::DFG::SpeculativeJIT::speculateRealNumber): | |
3279 | ||
3280 | 2015-06-05 Mark Lam <mark.lam@apple.com> | |
3281 | ||
3282 | finally blocks should not set the exception stack trace when re-throwing the exception. | |
3283 | https://bugs.webkit.org/show_bug.cgi?id=145525 | |
3284 | ||
3285 | Reviewed by Geoffrey Garen. | |
3286 | ||
3287 | How exceptions presently work: | |
3288 | ============================= | |
3289 | 1. op_throw can throw any JSValue. | |
3290 | 2. the VM tries to capture the stack at the throw point and propagate that as needed. | |
3291 | 3. finally blocks are implemented using op_catch to catch the thrown value, and throws it again using op_throw. | |
3292 | ||
3293 | What's wrong with how it presently works: | |
3294 | ======================================== | |
3295 | 1. finally's make for bad exception throw line numbers in the Inspector console. | |
3296 | ||
3297 | The op_throw in finally will throw the value anew i.e. it captures a stack from the re-throw point. | |
3298 | As a result, the Inspector sees the finally block as the throw point. The original stack is lost. | |
3299 | ||
3300 | 2. finally's break the Inspector's "Breaks on Uncaught Exception" | |
3301 | ||
3302 | This is because finally blocks are indistinguishable from catch blocks. As a result, a try-finally, | |
3303 | which should break in the Inspector on the throw, does not because the Inspector thought the | |
3304 | exception was "caught". | |
3305 | ||
3306 | 3. finally's yield confusing break points when the Inspector "Breaks on All Exceptions" | |
3307 | ||
3308 | a. In a try-finally scenario, the Inspector breaks 2 times: 1 at the throw, 1 at the finally. | |
3309 | b. In a for-of loop (which has synthesized finallys), the Inspector will do another break. | |
3310 | Similarly for other cases of JS code which synthesize finallys. | |
3311 | c. At VM re-entry boundaries (e.g. js throws & returns to native code, which returns to js), | |
3312 | the Inspector will do another break if there's an uncaught exception. | |
3313 | ||
3314 | How this patch fixes the issues: | |
3315 | =============================== | |
3316 | 1. We introduce an Exception object that wraps the thrown value and the exception stack. | |
3317 | ||
3318 | When throwing an exception, the VM will check if the thrown value is an Exception | |
3319 | object or not. If it is not an Exception object, then we must be throwing a new | |
3320 | exception. The VM will create an Exception object to wrap the thrown value and | |
3321 | capture the current stack for it. | |
3322 | ||
3323 | If the thrown value is already an Exception object, then the requested throw operation | |
3324 | must be a re-throw. The VM will not capture a new stack for it. | |
3325 | ||
3326 | 2. op_catch will now populate 2 locals: 1 for the Exception, 1 for the thrown JSValue. | |
3327 | ||
3328 | The VM is aware of the Exception object and uses it for rethrows in finally blocks. | |
3329 | JS source code is never aware of the Exception object. | |
3330 | ||
3331 | JS code is aware of the thrown value. If it throws the caught thrown value, that | |
3332 | constitutes a new throw, and a new Exception object will be created for it. | |
3333 | ||
3334 | 3. The VM no longer tracks the thrown JSValue and the exception stack. It will only | |
3335 | track a m_exception field which is an Exception*. | |
3336 | ||
3337 | 4. The BytecodeGenerator has already been updated in a prior patch to distinguish | |
3338 | between Catch, Finally, and SynthesizedFinally blocks. The interpreter runtime will | |
3339 | now report to the debugger whether we have a Catch handler, not just any handlers. | |
3340 | ||
3341 | The debugger will use this detail to determine whether to break or not. "Break on | |
3342 | uncaught exceptions" will only break if no Catch handler was found. | |
3343 | ||
3344 | This solves the issue of the debugger breaking at finally blocks, and for-of statements. | |
3345 | ||
3346 | 5. The Exception object will also have a flag to indicate whether the debugger has been | |
3347 | notified of the Exception being thrown. Once the Interpreter notifies the debugger | |
3348 | of the Exception object, it will mark this flag and not notify the debugger | |
3349 | again of the same Exception. | |
3350 | ||
3351 | This solves the issue of the debugger breaking at VM re-entry points due to uncaught | |
3352 | exceptions. | |
3353 | ||
3354 | 6. The life-cycle of the captured exception stack trace will now follow the life-cycle | |
3355 | of the Exception object. | |
3356 | ||
3357 | Other changes: | |
3358 | 7. Change all clients of the VM::exception() to expect an Exception* instead of JSValue. | |
3359 | ||
3360 | 8. Fixed a few bugs where thrown exceptions are not cleared before exiting the VM. | |
3361 | ||
3362 | 9. Also renamed some variables and classes to better describe what they are. | |
3363 | ||
3364 | * API/JSBase.cpp: | |
3365 | (JSEvaluateScript): | |
3366 | (JSCheckScriptSyntax): | |
3367 | ||
3368 | * API/JSObjectRef.cpp: | |
3369 | (handleExceptionIfNeeded): | |
3370 | - The functions below all do the same exception check. Added this helper | |
3371 | to simplify the code. | |
3372 | (JSClassCreate): | |
3373 | (JSObjectMakeFunction): | |
3374 | (JSObjectMakeArray): | |
3375 | (JSObjectMakeDate): | |
3376 | (JSObjectMakeError): | |
3377 | (JSObjectMakeRegExp): | |
3378 | (JSObjectGetProperty): | |
3379 | (JSObjectSetProperty): | |
3380 | (JSObjectGetPropertyAtIndex): | |
3381 | (JSObjectSetPropertyAtIndex): | |
3382 | (JSObjectDeleteProperty): | |
3383 | (JSObjectCallAsFunction): | |
3384 | (JSObjectCallAsConstructor): | |
3385 | ||
3386 | * API/JSScriptRef.cpp: | |
3387 | * API/JSValue.mm: | |
3388 | (JSContainerConvertor::take): | |
3389 | (reportExceptionToInspector): | |
3390 | ||
3391 | * API/JSValueRef.cpp: | |
3392 | (handleExceptionIfNeeded): | |
3393 | - The functions below all do the same exception check. Added this helper | |
3394 | to simplify the code. | |
3395 | (evernoteHackNeeded): | |
3396 | (JSValueIsEqual): | |
3397 | (JSValueIsInstanceOfConstructor): | |
3398 | (JSValueCreateJSONString): | |
3399 | (JSValueToNumber): | |
3400 | (JSValueToStringCopy): | |
3401 | (JSValueToObject): | |
3402 | ||
3403 | * CMakeLists.txt: | |
3404 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
3405 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
3406 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
3407 | - Added new files Exception.h and Exception.cpp. | |
3408 | ||
3409 | * bindings/ScriptFunctionCall.cpp: | |
3410 | (Deprecated::ScriptFunctionCall::call): | |
3411 | * bindings/ScriptFunctionCall.h: | |
3412 | ||
3413 | * bytecode/BytecodeList.json: | |
3414 | - op_catch now has 2 operands: the exception register, and the thrown value register. | |
3415 | ||
3416 | * bytecode/BytecodeUseDef.h: | |
3417 | (JSC::computeDefsForBytecodeOffset): | |
3418 | * bytecode/CodeBlock.cpp: | |
3419 | (JSC::CodeBlock::dumpBytecode): | |
3420 | (JSC::CodeBlock::handlerForBytecodeOffset): | |
3421 | * bytecode/CodeBlock.h: | |
3422 | - handlerForBytecodeOffset() now can look for just Catch handlers only. | |
3423 | ||
3424 | * bytecode/HandlerInfo.h: | |
3425 | - Cleaned up some white space I accidentally added in a previous patch. | |
3426 | ||
3427 | * bytecompiler/BytecodeGenerator.cpp: | |
3428 | (JSC::BytecodeGenerator::pushTry): | |
3429 | (JSC::BytecodeGenerator::popTryAndEmitCatch): | |
3430 | (JSC::BytecodeGenerator::emitThrowReferenceError): | |
3431 | (JSC::BytecodeGenerator::emitEnumeration): | |
3432 | * bytecompiler/BytecodeGenerator.h: | |
3433 | (JSC::BytecodeGenerator::emitThrow): | |
3434 | * bytecompiler/NodesCodegen.cpp: | |
3435 | (JSC::TryNode::emitBytecode): | |
3436 | - Adding support for op_catch's 2 operands. | |
3437 | ||
3438 | * debugger/Debugger.cpp: | |
3439 | (JSC::Debugger::hasBreakpoint): | |
3440 | (JSC::Debugger::pauseIfNeeded): | |
3441 | (JSC::Debugger::exception): | |
3442 | * debugger/Debugger.h: | |
3443 | * debugger/DebuggerCallFrame.cpp: | |
3444 | (JSC::DebuggerCallFrame::thisValue): | |
3445 | (JSC::DebuggerCallFrame::evaluate): | |
3446 | * debugger/DebuggerCallFrame.h: | |
3447 | (JSC::DebuggerCallFrame::isValid): | |
3448 | * inspector/InjectedScriptManager.cpp: | |
3449 | (Inspector::InjectedScriptManager::createInjectedScript): | |
3450 | * inspector/InspectorEnvironment.h: | |
3451 | * inspector/JSGlobalObjectInspectorController.cpp: | |
3452 | (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): | |
3453 | (Inspector::JSGlobalObjectInspectorController::reportAPIException): | |
3454 | * inspector/JSGlobalObjectInspectorController.h: | |
3455 | * inspector/JSGlobalObjectScriptDebugServer.h: | |
3456 | * inspector/JSJavaScriptCallFrame.cpp: | |
3457 | (Inspector::JSJavaScriptCallFrame::evaluate): | |
3458 | * inspector/JavaScriptCallFrame.h: | |
3459 | (Inspector::JavaScriptCallFrame::vmEntryGlobalObject): | |
3460 | (Inspector::JavaScriptCallFrame::thisValue): | |
3461 | (Inspector::JavaScriptCallFrame::evaluate): | |
3462 | * inspector/ScriptCallStackFactory.cpp: | |
3463 | (Inspector::extractSourceInformationFromException): | |
3464 | (Inspector::createScriptCallStackFromException): | |
3465 | * inspector/ScriptCallStackFactory.h: | |
3466 | * inspector/ScriptDebugServer.cpp: | |
3467 | (Inspector::ScriptDebugServer::evaluateBreakpointAction): | |
3468 | (Inspector::ScriptDebugServer::handleBreakpointHit): | |
3469 | (Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition): | |
3470 | * inspector/ScriptDebugServer.h: | |
3471 | * interpreter/CallFrame.h: | |
3472 | (JSC::ExecState::clearException): | |
3473 | (JSC::ExecState::exception): | |
3474 | (JSC::ExecState::hadException): | |
3475 | (JSC::ExecState::atomicStringTable): | |
3476 | (JSC::ExecState::propertyNames): | |
3477 | (JSC::ExecState::clearSupplementaryExceptionInfo): Deleted. | |
3478 | ||
3479 | * interpreter/Interpreter.cpp: | |
3480 | (JSC::unwindCallFrame): | |
3481 | (JSC::Interpreter::stackTraceAsString): | |
3482 | (JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor): | |
3483 | (JSC::GetCatchHandlerFunctor::operator()): | |
3484 | (JSC::Interpreter::unwind): | |
3485 | - Added a check for didNotifyInspectorOfThrow() here to prevent duplicate reports | |
3486 | of the same Exception to the debugger. | |
3487 | ||
3488 | (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): Deleted. | |
3489 | (JSC::GetExceptionHandlerFunctor::operator()): Deleted. | |
3490 | - Renamed GetExceptionHandlerFunctor to GetCatchHandlerFunctor since the debugger | |
3491 | is only interested in knowing whether we have Catch handlers. | |
3492 | ||
3493 | * interpreter/Interpreter.h: | |
3494 | (JSC::SuspendExceptionScope::SuspendExceptionScope): | |
3495 | (JSC::SuspendExceptionScope::~SuspendExceptionScope): | |
3496 | (JSC::Interpreter::sampler): | |
3497 | (JSC::ClearExceptionScope::ClearExceptionScope): Deleted. | |
3498 | (JSC::ClearExceptionScope::~ClearExceptionScope): Deleted. | |
3499 | - Renamed ClearExceptionScope to SuspendExceptionScope because "clear" implies that | |
3500 | we're purging the exception. Instead, we're merely suspending any handling of | |
3501 | that exception for a period defined by the scope. | |
3502 | ||
3503 | * jit/AssemblyHelpers.cpp: | |
3504 | (JSC::AssemblyHelpers::emitExceptionCheck): | |
3505 | ||
3506 | * jit/JITExceptions.cpp: | |
3507 | (JSC::genericUnwind): | |
3508 | - Removed the exception argument. It is always the value in VM::exception() anyway. | |
3509 | genericUnwind() can just get it from the VM, and save everyone some work. | |
3510 | ||
3511 | * jit/JITExceptions.h: | |
3512 | * jit/JITOpcodes.cpp: | |
3513 | (JSC::JIT::emit_op_catch): | |
3514 | * jit/JITOpcodes32_64.cpp: | |
3515 | (JSC::JIT::privateCompileCTINativeCall): | |
3516 | (JSC::JIT::emit_op_catch): | |
3517 | - Add support for the new op_catch operands. | |
3518 | ||
3519 | * jit/JITOperations.cpp: | |
3520 | * jit/ThunkGenerators.cpp: | |
3521 | (JSC::nativeForGenerator): | |
3522 | * jsc.cpp: | |
3523 | (functionRun): | |
3524 | (functionLoad): | |
3525 | (runWithScripts): | |
3526 | (runInteractive): | |
3527 | * llint/LLIntOffsetsExtractor.cpp: | |
3528 | * llint/LLIntSlowPaths.cpp: | |
3529 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
3530 | ||
3531 | * llint/LowLevelInterpreter32_64.asm: | |
3532 | * llint/LowLevelInterpreter64.asm: | |
3533 | - Add support for the new op_catch operands. Also update the code to handle | |
3534 | VM::m_exception being an Exception pointer, not a JSValue. | |
3535 | ||
3536 | * parser/NodeConstructors.h: | |
3537 | (JSC::TryNode::TryNode): | |
3538 | * parser/Nodes.h: | |
3539 | * runtime/CallData.cpp: | |
3540 | (JSC::call): | |
3541 | * runtime/CallData.h: | |
3542 | ||
3543 | * runtime/Completion.cpp: | |
3544 | (JSC::evaluate): | |
3545 | * runtime/Completion.h: | |
3546 | (JSC::evaluate): | |
3547 | - Change evaluate() to take a reference to the returned exception value instead | |
3548 | of a pointer. In all but 2 or 3 cases, we want the returned exception anyway. | |
3549 | Might as well simplify the code by requiring the reference. | |
3550 | ||
3551 | * runtime/Error.h: | |
3552 | (JSC::throwVMError): | |
3553 | (JSC::throwVMTypeError): | |
3554 | ||
3555 | * runtime/Exception.cpp: Added. | |
3556 | (JSC::Exception::create): | |
3557 | (JSC::Exception::destroy): | |
3558 | (JSC::Exception::createStructure): | |
3559 | (JSC::Exception::visitChildren): | |
3560 | (JSC::Exception::Exception): | |
3561 | (JSC::Exception::~Exception): | |
3562 | * runtime/Exception.h: Added. | |
3563 | (JSC::Exception::valueOffset): | |
3564 | (JSC::Exception::cast): | |
3565 | (JSC::Exception::value): | |
3566 | (JSC::Exception::stack): | |
3567 | (JSC::Exception::didNotifyInspectorOfThrow): | |
3568 | (JSC::Exception::setDidNotifyInspectorOfThrow): | |
3569 | ||
3570 | * runtime/ExceptionHelpers.cpp: | |
3571 | (JSC::createTerminatedExecutionException): | |
3572 | (JSC::isTerminatedExecutionException): | |
3573 | (JSC::createStackOverflowError): | |
3574 | * runtime/ExceptionHelpers.h: | |
3575 | * runtime/GetterSetter.cpp: | |
3576 | (JSC::callGetter): | |
3577 | * runtime/IteratorOperations.cpp: | |
3578 | (JSC::iteratorClose): | |
3579 | * runtime/JSObject.cpp: | |
3580 | * runtime/JSPromiseConstructor.cpp: | |
3581 | (JSC::constructPromise): | |
3582 | * runtime/JSPromiseDeferred.cpp: | |
3583 | (JSC::updateDeferredFromPotentialThenable): | |
3584 | (JSC::abruptRejection): | |
3585 | * runtime/JSPromiseReaction.cpp: | |
3586 | (JSC::ExecutePromiseReactionMicrotask::run): | |
3587 | ||
3588 | * runtime/VM.cpp: | |
3589 | (JSC::VM::VM): | |
3590 | (JSC::VM::releaseExecutableMemory): | |
3591 | (JSC::VM::throwException): | |
3592 | (JSC::VM::setStackPointerAtVMEntry): | |
3593 | (JSC::VM::getExceptionInfo): Deleted. | |
3594 | (JSC::VM::setExceptionInfo): Deleted. | |
3595 | (JSC::VM::clearException): Deleted. | |
3596 | (JSC::clearExceptionStack): Deleted. | |
3597 | * runtime/VM.h: | |
3598 | (JSC::VM::targetMachinePCForThrowOffset): | |
3599 | (JSC::VM::clearException): | |
3600 | (JSC::VM::setException): | |
3601 | (JSC::VM::exception): | |
3602 | (JSC::VM::addressOfException): | |
3603 | (JSC::VM::exceptionStack): Deleted. | |
3604 | * runtime/VMEntryScope.cpp: | |
3605 | (JSC::VMEntryScope::VMEntryScope): | |
3606 | (JSC::VMEntryScope::setEntryScopeDidPopListener): | |
3607 | ||
3608 | 2015-06-04 Benjamin Poulain <bpoulain@apple.com> | |
3609 | ||
3610 | [JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case | |
3611 | https://bugs.webkit.org/show_bug.cgi?id=145673 | |
3612 | ||
3613 | Reviewed by Geoffrey Garen. | |
3614 | ||
3615 | Previously, we were deciding to use out-of-bounds speculation based on two pieces of information: | |
3616 | -Explicitly detected out-of-bounds accesses tracked on ArrayProfile. | |
3617 | -The number of times we took the slow cases in the baseline JIT. | |
3618 | ||
3619 | The heuristic based on slow cases was a little too fragile. | |
3620 | ||
3621 | In some cases, we were running into that limit just because the indexing type changes between | |
3622 | two values (typically Int32Array and DoubleArray). Sometimes we were just unlucky on what | |
3623 | we used for the inline cache. | |
3624 | ||
3625 | In Kraken, this was hurting us on "audio-beat-detection" and "audio-fft". The array types we see | |
3626 | change between Int32 and Double. We run into the slow path a bit but never hit | |
3627 | out-of-bounds. | |
3628 | ||
3629 | By the time we compile in DFG, we have stable Double Arrays but we speculate out-of-bounds based | |
3630 | on the number of slow cases we took. Because of that, we start boxing the double on GetByVal, | |
3631 | using DoubleRep, etc. adding a ton of overhead over otherwise very simple operations. | |
3632 | ||
3633 | WebXPRT was also suffering from this problem but the other way around: we were missing | |
3634 | the out-of-bounds accesses due to changes in indexing types, we were below the threshold | |
3635 | of slow-path access, thus we predicted in-bounds accesses for code that was doing plenty | |
3636 | of out-of-bounds. | |
3637 | ||
3638 | ||
3639 | This patch fixes the problem by tracking the out-of-bounds access explicitly any time we go | |
3640 | into the slow path in baseline JIT. Since we no longer miss any out-of-bounds, we can remove | |
3641 | the slow-path heuristic. | |
3642 | ||
3643 | There is a new additional special case in the C code regarding out-of-bounds: Arguments access. | |
3644 | Mispredicting out-of-bounds accesses on arguments is a disaster for performance, so those are | |
3645 | tracked in the way DFG expects it. | |
3646 | ||
3647 | ||
3648 | There are a few important cases that are still not covered optimally: | |
3649 | -PutByVal on Arguments. | |
3650 | -Get/Put ByVal on TypedArray. | |
3651 | Those are simply not used by DFG in any way. TypedArrays should probably be looked at in the future. | |
3652 | ||
3653 | * bytecode/ArrayProfile.cpp: | |
3654 | (JSC::ArrayProfile::computeUpdatedPrediction): | |
3655 | The inline-cache repatch cases now update the ArrayProfile information. This has no value in baseline | |
3656 | JIT but it helps avoid one recompile in DFG for the missing ArrayProfile information. | |
3657 | ||
3658 | * bytecode/ArrayProfile.h: | |
3659 | (JSC::ArrayProfile::setOutOfBounds): | |
3660 | * dfg/DFGByteCodeParser.cpp: | |
3661 | (JSC::DFG::ByteCodeParser::getArrayMode): | |
3662 | (JSC::DFG::ByteCodeParser::parseBlock): | |
3663 | (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): Deleted. | |
3664 | * jit/CCallHelpers.h: | |
3665 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
3666 | * jit/JIT.h: | |
3667 | * jit/JITInlines.h: | |
3668 | (JSC::JIT::callOperation): | |
3669 | * jit/JITOpcodes.cpp: | |
3670 | (JSC::JIT::emitSlow_op_has_indexed_property): | |
3671 | * jit/JITOpcodes32_64.cpp: | |
3672 | (JSC::JIT::emitSlow_op_has_indexed_property): | |
3673 | * jit/JITOperations.cpp: | |
3674 | (JSC::canUseFastArgumentAccess): | |
3675 | This is not my favorite part of this patch. | |
3676 | ||
3677 | I tried having JSObject::canGetIndexQuickly() handle arguments which would put everything | |
3678 | on the generic path. Unfortunately, that code is very performance sensitive and some benchmarks were | |
3679 | impacted by over 10%. | |
3680 | ||
3681 | I left JSObject::canGetIndexQuickly() alone, and I added the canUseFastArgumentAccess() mirroring | |
3682 | how DFG uses out-of-bounds for Arguments. | |
3683 | ||
3684 | (JSC::getByVal): | |
3685 | * jit/JITOperations.h: | |
3686 | * jit/JITPropertyAccess.cpp: | |
3687 | (JSC::JIT::emitSlow_op_get_by_val): | |
3688 | (JSC::JIT::emitSlow_op_put_by_val): | |
3689 | * jit/JITPropertyAccess32_64.cpp: | |
3690 | (JSC::JIT::emitSlow_op_get_by_val): | |
3691 | (JSC::JIT::emitSlow_op_put_by_val): | |
3692 | * runtime/JSPromiseFunctions.cpp: | |
3693 | * tests/stress/get-by-val-out-of-bounds-basics.js: Added. | |
3694 | (opaqueGetByValOnInt32ArrayEarlyOutOfBounds): | |
3695 | (testInt32ArrayEarlyOutOfBounds): | |
3696 | (testIndexingTypeChangesOnInt32Array): | |
3697 | (opaqueGetByValOnStringArrayHotOutOfBounds): | |
3698 | (testStringArrayHotOutOfBounds): | |
3699 | (testIndexingTypeChangesOnStringArray): | |
3700 | (opaqueGetByValOnStringAndInt32ArrayHotOutOfBounds): | |
3701 | (testStringAndInt32ArrayHotOutOfBounds): | |
3702 | (opaqueGetByValOnDoubleArrayHotOutOfBounds): | |
3703 | * tests/stress/put-by-val-out-of-bounds-basics.js: Added. | |
3704 | (opaquePutByValOnInt32ArrayEarlyOutOfBounds): | |
3705 | (testInt32ArrayEarlyOutOfBounds): | |
3706 | (opaquePutByValOnStringArrayHotOutOfBounds): | |
3707 | (testStringArrayHotOutOfBounds): | |
3708 | ||
3709 | 2015-06-03 Filip Pizlo <fpizlo@apple.com> | |
3710 | ||
3711 | Simplify unboxing of double JSValues known to be not NaN and not Int32 | |
3712 | https://bugs.webkit.org/show_bug.cgi?id=145618 | |
3713 | ||
3714 | Reviewed by Geoffrey Garen. | |
3715 | ||
3716 | In many cases we know that we most likely loaded a non-NaN double value from the heap. | |
3717 | Prior to this patch, we would do two branches before unboxing the double. This patch | |
3718 | reduces this to one branch in the common case. Before: | |
3719 | ||
3720 | if (is int32) | |
3721 | unbox int32 and convert to double | |
3722 | else if (is number) | |
3723 | unbox double | |
3724 | else | |
3725 | exit | |
3726 | ||
3727 | After: | |
3728 | ||
3729 | tmp = unbox double | |
3730 | if (tmp == tmp) | |
3731 | done | |
3732 | else if (is int32) | |
3733 | unbox int32 and convert to double | |
3734 | else | |
3735 | exit | |
3736 | ||
3737 | We only use the new style if we have profiling that tells us that we are unlikely to see | |
3738 | either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch. | |
3739 | ||
3740 | This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up. | |
3741 | ||
3742 | Rolling this back in after I made DFG::SpeculativeJIT call a new version of unboxDouble() | |
3743 | that doesn't assert that the JSValue is a double, since we are intentionally using it | |
3744 | before doing the "is a double" test. This wasn't a problem on 32-bit since unboxDouble() | |
3745 | does no such assertion on 32-bit. | |
3746 | ||
3747 | * dfg/DFGAbstractInterpreterInlines.h: | |
3748 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
3749 | * dfg/DFGFixupPhase.cpp: | |
3750 | (JSC::DFG::FixupPhase::observeUseKindOnNode): | |
3751 | (JSC::DFG::FixupPhase::fixEdgeRepresentation): | |
3752 | (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): | |
3753 | * dfg/DFGNode.h: | |
3754 | (JSC::DFG::Node::shouldSpeculateDouble): | |
3755 | (JSC::DFG::Node::shouldSpeculateDoubleReal): | |
3756 | (JSC::DFG::Node::shouldSpeculateNumber): | |
3757 | * dfg/DFGSafeToExecute.h: | |
3758 | (JSC::DFG::SafeToExecuteEdge::operator()): | |
3759 | * dfg/DFGSpeculativeJIT.cpp: | |
3760 | (JSC::DFG::SpeculativeJIT::compileDoubleRep): | |
3761 | (JSC::DFG::SpeculativeJIT::speculateNumber): | |
3762 | (JSC::DFG::SpeculativeJIT::speculateRealNumber): | |
3763 | (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): | |
3764 | (JSC::DFG::SpeculativeJIT::speculate): | |
3765 | (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted. | |
3766 | * dfg/DFGSpeculativeJIT.h: | |
3767 | * dfg/DFGUseKind.cpp: | |
3768 | (WTF::printInternal): | |
3769 | * dfg/DFGUseKind.h: | |
3770 | (JSC::DFG::typeFilterFor): | |
3771 | (JSC::DFG::isNumerical): | |
3772 | * ftl/FTLCapabilities.cpp: | |
3773 | (JSC::FTL::canCompile): | |
3774 | * ftl/FTLLowerDFGToLLVM.cpp: | |
3775 | (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): | |
3776 | (JSC::FTL::LowerDFGToLLVM::boxDouble): | |
3777 | (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): | |
3778 | (JSC::FTL::LowerDFGToLLVM::speculate): | |
3779 | (JSC::FTL::LowerDFGToLLVM::speculateNumber): | |
3780 | (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): | |
3781 | (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal): | |
3782 | (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted. | |
3783 | (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted. | |
3784 | * jit/AssemblyHelpers.h: | |
3785 | (JSC::AssemblyHelpers::branchIfNotOther): | |
3786 | (JSC::AssemblyHelpers::branchIfInt32): | |
3787 | (JSC::AssemblyHelpers::branchIfNotInt32): | |
3788 | (JSC::AssemblyHelpers::branchIfNumber): | |
3789 | ||
3790 | 2015-06-04 Joseph Pecoraro <pecoraro@apple.com> | |
3791 | ||
3792 | Web Inspector: Class constructor appearing as Object Tree property does not include parameters | |
3793 | https://bugs.webkit.org/show_bug.cgi?id=145661 | |
3794 | ||
3795 | Reviewed by Timothy Hatcher. | |
3796 | ||
3797 | * inspector/InjectedScriptSource.js: | |
3798 | (InjectedScript.prototype._classPreview): | |
3799 | (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): | |
3800 | The string we will return for previews of class constructor functions. | |
3801 | ||
3802 | (InjectedScript.RemoteObject): | |
3803 | (InjectedScript.RemoteObject.prototype._describe): | |
3804 | No longer return the class name as the description string. | |
3805 | Instead return the class name for the RemoteObject.className. | |
3806 | ||
3807 | 2015-06-04 Commit Queue <commit-queue@webkit.org> | |
3808 | ||
3809 | Unreviewed, rolling out r185216. | |
3810 | https://bugs.webkit.org/show_bug.cgi?id=145666 | |
3811 | ||
3812 | It caused a bunch of debug crashes (Requested by pizlo on | |
3813 | #webkit). | |
3814 | ||
3815 | Reverted changeset: | |
3816 | ||
3817 | "Simplify unboxing of double JSValues known to be not NaN and | |
3818 | not Int32" | |
3819 | https://bugs.webkit.org/show_bug.cgi?id=145618 | |
3820 | http://trac.webkit.org/changeset/185216 | |
3821 | ||
3822 | 2015-06-03 Filip Pizlo <fpizlo@apple.com> | |
3823 | ||
3824 | Simplify unboxing of double JSValues known to be not NaN and not Int32 | |
3825 | https://bugs.webkit.org/show_bug.cgi?id=145618 | |
3826 | ||
3827 | Reviewed by Geoffrey Garen. | |
3828 | ||
3829 | In many cases we know that we most likely loaded a non-NaN double value from the heap. | |
3830 | Prior to this patch, we would do two branches before unboxing the double. This patch | |
3831 | reduces this to one branch in the common case. Before: | |
3832 | ||
3833 | if (is int32) | |
3834 | unbox int32 and convert to double | |
3835 | else if (is number) | |
3836 | unbox double | |
3837 | else | |
3838 | exit | |
3839 | ||
3840 | After: | |
3841 | ||
3842 | tmp = unbox double | |
3843 | if (tmp == tmp) | |
3844 | done | |
3845 | else if (is int32) | |
3846 | unbox int32 and convert to double | |
3847 | else | |
3848 | exit | |
3849 | ||
3850 | We only use the new style if we have profiling that tells us that we are unlikely to see | |
3851 | either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch. | |
3852 | ||
3853 | This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up. | |
3854 | ||
3855 | * dfg/DFGAbstractInterpreterInlines.h: | |
3856 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
3857 | * dfg/DFGFixupPhase.cpp: | |
3858 | (JSC::DFG::FixupPhase::observeUseKindOnNode): | |
3859 | (JSC::DFG::FixupPhase::fixEdgeRepresentation): | |
3860 | (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): | |
3861 | * dfg/DFGNode.h: | |
3862 | (JSC::DFG::Node::shouldSpeculateDouble): | |
3863 | (JSC::DFG::Node::shouldSpeculateDoubleReal): | |
3864 | (JSC::DFG::Node::shouldSpeculateNumber): | |
3865 | * dfg/DFGSafeToExecute.h: | |
3866 | (JSC::DFG::SafeToExecuteEdge::operator()): | |
3867 | * dfg/DFGSpeculativeJIT.cpp: | |
3868 | (JSC::DFG::SpeculativeJIT::compileDoubleRep): | |
3869 | (JSC::DFG::SpeculativeJIT::speculateNumber): | |
3870 | (JSC::DFG::SpeculativeJIT::speculateRealNumber): | |
3871 | (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): | |
3872 | (JSC::DFG::SpeculativeJIT::speculate): | |
3873 | (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted. | |
3874 | * dfg/DFGSpeculativeJIT.h: | |
3875 | * dfg/DFGUseKind.cpp: | |
3876 | (WTF::printInternal): | |
3877 | * dfg/DFGUseKind.h: | |
3878 | (JSC::DFG::typeFilterFor): | |
3879 | (JSC::DFG::isNumerical): | |
3880 | * ftl/FTLCapabilities.cpp: | |
3881 | (JSC::FTL::canCompile): | |
3882 | * ftl/FTLLowerDFGToLLVM.cpp: | |
3883 | (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): | |
3884 | (JSC::FTL::LowerDFGToLLVM::boxDouble): | |
3885 | (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): | |
3886 | (JSC::FTL::LowerDFGToLLVM::speculate): | |
3887 | (JSC::FTL::LowerDFGToLLVM::speculateNumber): | |
3888 | (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): | |
3889 | (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal): | |
3890 | (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted. | |
3891 | (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted. | |
3892 | * jit/AssemblyHelpers.h: | |
3893 | (JSC::AssemblyHelpers::branchIfNotOther): | |
3894 | (JSC::AssemblyHelpers::branchIfInt32): | |
3895 | (JSC::AssemblyHelpers::branchIfNotInt32): | |
3896 | (JSC::AssemblyHelpers::branchIfNumber): | |
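The one-branch unboxing described in this entry (and in its re-landing earlier in this log, the 2015-06-03 entry with the same title), as an added C++ model that is not WebKit's code: it assumes a JSC-style 64-bit NaN-boxing layout (int32 tagged with 0xffff in the top 16 bits, doubles offset by 2^48, everything else with a zero top half), counts branches for both sequences, and shows why any non-double unboxes to a NaN so that `tmp == tmp` is a sufficient first test.

```cpp
// Added example (not WebKit code): a model of 64-bit JSValue NaN boxing and
// the "before"/"after" unboxing sequences from the changelog entry.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <optional>

// Assumed encoding (JSC-style; the constants are this example's assumption):
//   int32  : kNumberTag | uint32(value)        -> top 16 bits 0xffff
//   double : raw_bits(d) + kDoubleEncodeOffset -> top 16 bits 0x0001..0xfffe
//   other  : pointer or special value          -> top 16 bits 0x0000
constexpr uint64_t kNumberTag          = 0xffff000000000000ULL;
constexpr uint64_t kDoubleEncodeOffset = 0x0001000000000000ULL;

struct JSValue { uint64_t bits; };

JSValue boxInt32(int32_t v) { return {kNumberTag | static_cast<uint32_t>(v)}; }

// Real JSC purifies NaNs before boxing so a NaN payload can never collide
// with the int32 tag; this model only boxes the default quiet NaN, which is safe.
JSValue boxDouble(double d) {
    uint64_t raw;
    std::memcpy(&raw, &d, sizeof raw);
    return {raw + kDoubleEncodeOffset};
}

JSValue boxOther(uint64_t payload) { return {payload & 0x0000ffffffffffffULL}; }

bool isInt32(JSValue v)  { return (v.bits & kNumberTag) == kNumberTag; }
bool isNumber(JSValue v) { return (v.bits & kNumberTag) != 0; }

// Raw unbox: subtract the offset and reinterpret. For an int32 (0xffff....)
// or an "other" value (0x0000....) the subtraction leaves the exponent field
// all ones and a non-zero mantissa, i.e. a NaN. That is the property the
// one-branch fast path relies on.
double unboxDoubleUnchecked(JSValue v) {
    uint64_t raw = v.bits - kDoubleEncodeOffset;
    double d;
    std::memcpy(&d, &raw, sizeof d);
    return d;
}

// Result of a speculative unbox: the double, or nullopt for an OSR exit,
// plus the number of branches taken to get there.
struct Counted { std::optional<double> value; int branches; };

// "Before": is-int32 branch, then is-number branch, then exit.
Counted unboxBefore(JSValue v) {
    if (isInt32(v))
        return {static_cast<double>(static_cast<int32_t>(v.bits)), 1};
    if (isNumber(v))
        return {unboxDoubleUnchecked(v), 2};
    return {std::nullopt, 2};
}

// "After": unbox first; a real non-NaN double costs exactly one branch.
// A genuine NaN double now looks like a non-double and reaches the exit,
// which is the trade-off the entry describes ("we will now exit on NaN").
Counted unboxAfter(JSValue v) {
    double tmp = unboxDoubleUnchecked(v);
    if (tmp == tmp)
        return {tmp, 1};
    if (isInt32(v))
        return {static_cast<double>(static_cast<int32_t>(v.bits)), 2};
    return {std::nullopt, 2};
}
```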
3897 | ||
3898 | 2015-06-04 Filip Pizlo <fpizlo@apple.com> | |
3899 | ||
3900 | SideState should be a distinct abstract heap from Heap and Stack | |
3901 | https://bugs.webkit.org/show_bug.cgi?id=145653 | |
3902 | ||
3903 | Reviewed by Geoffrey Garen. | |
3904 | ||
3905 | Before, SideState fit into the hierarchy like so: | |
3906 | ||
3907 | World | |
3908 | | | |
3909 | +-- Stack | |
3910 | | | |
3911 | +-- Heap | |
3912 |     | | |
3913 |     +-- SideState | |
3914 | ||
3915 | Now we will have: | |
3916 | ||
3917 | World | |
3918 | | | |
3919 | +-- Stack | |
3920 | | | |
3921 | +-- Heap | |
3922 | | | |
3923 | +-- SideState | |
3924 | ||
3925 | This makes it easy to ask if a writing operation wrote to anything that is observable even | |
3926 | if we don't exit. SideState is only observable if we exit. | |
3927 | ||
3928 | * dfg/DFGAbstractHeap.h: | |
3929 | (JSC::DFG::AbstractHeap::AbstractHeap): | |
3930 | (JSC::DFG::AbstractHeap::supertype): | |
3931 | ||
3932 | 2015-06-04 Chris Dumez <cdumez@apple.com> | |
3933 | ||
3934 | [WK2] Prune more resources from the MemoryCache before process suspension | |
3935 | https://bugs.webkit.org/show_bug.cgi?id=145633 | |
3936 | ||
3937 | Reviewed by Andreas Kling. | |
3938 | ||
3939 | No longer protect IncrementalSweeper::fullSweep() behind | |
3940 | USE(CF), so we don't need #ifdefs at call sites, similarly to what is | |
3941 | done for the rest of the IncrementalSweeper API. | |
3942 | ||
3943 | * heap/IncrementalSweeper.cpp: | |
3944 | (JSC::IncrementalSweeper::fullSweep): | |
3945 | * heap/IncrementalSweeper.h: | |
3946 | ||
3947 | 2015-06-01 Filip Pizlo <fpizlo@apple.com> | |
3948 | ||
3949 | CallLinkStatus should return takesSlowPath if the GC often cleared the IC | |
3950 | https://bugs.webkit.org/show_bug.cgi?id=145502 | |
3951 | ||
3952 | Reviewed by Geoffrey Garen. | |
3953 | ||
3954 | CallLinkInfo now remembers when it has been cleared by GC. This has some safeguards for when | |
3955 | a call gets cleared by GC only because we hadn't converted it into a closure call; in that | |
3956 | case the GC will just tell us that it should be a closure call. The DFG will not optimize | |
3957 | a call that was cleared by GC, and the DFG will always prefer a closure call if the GC told | |
3958 | us that the specific callee was dead but the executable wasn't. | |
3959 | ||
3960 | This guards us from some scenarios that came up in Speedometer. It's neutral on the pure JS | |
3961 | benchmarks, most likely just because those benchmarks aren't real enough to have interesting | |
3962 | GC of code. | |
3963 | ||
3964 | * bytecode/CallLinkInfo.cpp: | |
3965 | (JSC::CallLinkInfo::visitWeak): | |
3966 | (JSC::CallLinkInfo::dummy): | |
3967 | * bytecode/CallLinkInfo.h: | |
3968 | (JSC::CallLinkInfo::CallLinkInfo): | |
3969 | * bytecode/CallLinkStatus.cpp: | |
3970 | (JSC::CallLinkStatus::computeFromCallLinkInfo): | |
3971 | ||
3972 | 2015-06-02 Filip Pizlo <fpizlo@apple.com> | |
3973 | ||
3974 | GetById and PutById profiling should be more precise about whether it takes slow path | |
3975 | https://bugs.webkit.org/show_bug.cgi?id=145590 | |
3976 | ||
3977 | Reviewed by Geoffrey Garen. | |
3978 | ||
3979 | If a ById access ever takes slow path, we want the DFG and FTL to know this. Previously we | |
3980 | were relying on slow path counts, which conflate slow paths taken due to a megamorphic | |
3981 | access and slow paths taken due to IC building. | |
3982 | ||
3983 | * bytecode/GetByIdStatus.cpp: | |
3984 | (JSC::GetByIdStatus::computeFor): | |
3985 | (JSC::GetByIdStatus::computeForStubInfo): | |
3986 | * bytecode/PutByIdStatus.cpp: | |
3987 | (JSC::PutByIdStatus::computeFor): | |
3988 | (JSC::PutByIdStatus::computeForStubInfo): | |
3989 | * bytecode/StructureStubInfo.h: | |
3990 | (JSC::StructureStubInfo::StructureStubInfo): | |
3991 | * ftl/FTLIntrinsicRepository.h: | |
3992 | * ftl/FTLLowerDFGToLLVM.cpp: | |
3993 | (JSC::FTL::LowerDFGToLLVM::compileGetById): | |
3994 | * jit/JITOperations.cpp: | |
3995 | * jit/JITOperations.h: | |
3996 | ||
3997 | 2015-06-03 Michael Saboff <msaboff@apple.com> | |
3998 | ||
3999 | Improve test coverage for changes made in 145527 | |
4000 | https://bugs.webkit.org/show_bug.cgi?id=145578 | |
4001 | ||
4002 | Reviewed by Geoffrey Garen. | |
4003 | ||
4004 | Added more complexity to poly-setter-combo.js stress test to create more turmoil in the | |
4005 | polymorphic get-by-id / put-by-id with getters and setters to exercise the code change in | |
4006 | https://bugs.webkit.org/show_bug.cgi?id=145527. By changing the objects that the main test | |
4007 | function sees, we are able to test those paths. Verified with temporary logging code. | |
4008 | ||
4009 | * tests/stress/poly-setter-combo.js: | |
4010 | (Cons2): | |
4011 | (Cons3): | |
4012 | (Cons4): | |
4013 | (foo): | |
4014 | (test): | |
4015 | (runTestWithConstructors): | |
4016 | ||
4017 | 2015-06-02 Mark Lam <mark.lam@apple.com> | |
4018 | ||
4019 | Gardening: fix broken CLoop build. | |
4020 | ||
4021 | Not reviewed. | |
4022 | ||
4023 | * bytecode/CallLinkStatus.cpp: | |
4024 | (JSC::CallLinkStatus::computeExitSiteData): | |
4025 | ||
4026 | 2015-06-02 Keith Miller <keith_miller@apple.com> | |
4027 | ||
4028 | JavaScriptCore: JSExport protocol with an NSInteger property converts negative values to 18446744073709552000 | |
4029 | https://bugs.webkit.org/show_bug.cgi?id=145563 | |
4030 | ||
4031 | Reviewed by Darin Adler. | |
4032 | ||
4033 | The Objective-C bindings were improperly converting negative | |
4034 | long long/NSIntegers to 18446744073709552000 because they | |
4035 | were converted to unsigned numbers. | |
4036 | ||
4037 | * API/ObjcRuntimeExtras.h: | |
4038 | (parseObjCType): | |
4039 | * API/tests/testapi.mm: | |
4040 | (testObjectiveCAPIMain): | |
4041 | (checkNegativeNSIntegers): | |
4042 | (testObjectiveCAPI): | |
4043 | ||
4044 | 2015-06-02 Yusuke Suzuki <utatane.tea@gmail.com> | |
4045 | ||
4046 | Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) | |
4047 | https://bugs.webkit.org/show_bug.cgi?id=145532 | |
4048 | ||
4049 | Reviewed by Geoffrey Garen. | |
4050 | ||
4051 | AtomicStringImpl::lookUp returns AtomicStringImpl*; | |
4052 | it doesn't give any ownership to the caller. | |
4053 | Originally, this is ok because the ownership is taken | |
4054 | by AtomicStringImpl's table (& the register side). | |
4055 | ||
4056 | But if we would like to use this returned AtomicStringImpl*, | |
4057 | we should take its ownership immediately. | |
4058 | Because if the register side releases its ownership (ref count), | |
4059 | it will be destroyed. | |
4060 | ||
4061 | In JSString::toExistingAtomicString, it returns AtomicStringImpl*. | |
4062 | But it's not appropriate. | |
4063 | If the owner of AtomicStringImpl* is always JSString*, it is ok. | |
4064 | But it looks up the table-registered AtomicStringImpl* from | |
4065 | the AtomicStringImpl table. So JSString* may not have the ownership | |
4066 | of the returned AtomicStringImpl*. | |
4067 | ||
4068 | The failure situation is the following. | |
4069 | ||
4070 | 1. A creates AtomicStringImpl. A has its ownership. | |
4071 | And A registers it to AtomicStringImpl table. | |
4072 | 2. JSString looks up the AtomicStringImpl from the table. | |
4073 | It gets AtomicStringImpl*. And JSString doesn't have its ownership. | |
4074 | It returns the raw pointer immediately to the users. | |
4075 | 3. A is released. There's no owner for AtomicStringImpl*. | |
4076 | So it's also destroyed. | |
4077 | 4. Use the AtomicStringImpl looked up in (2). It becomes a use-after-free. | |
4078 | ||
4079 | This patch fixes it by the following changes. | |
4080 | ||
4081 | 1. Change the signature of `AtomicStringImpl* AtomicStringImpl::lookUp(...)` | |
4082 | to `RefPtr<AtomicStringImpl> AtomicStringImpl::lookUp(..)`. | |
4083 | Use `RefPtr` because it may return `nullptr`. | |
4084 | 2. Change the signature of `AtomicStringImpl* JSString::toExistingAtomicString(...)` | |
4085 | to `RefPtr<AtomicStringImpl> JSString::toExistingAtomicString(...)`. | |
4086 | Using `RefPtr` is the same reason. | |
4087 | 3. Receive the result with `RefPtr<AtomicStringImpl>` in the caller side. | |
4088 | ||
4089 | * dfg/DFGOperations.cpp: | |
4090 | * jit/JITOperations.cpp: | |
4091 | (JSC::getByVal): | |
4092 | * llint/LLIntSlowPaths.cpp: | |
4093 | (JSC::LLInt::getByVal): | |
4094 | * runtime/JSString.cpp: | |
4095 | (JSC::JSRopeString::resolveRopeToExistingAtomicString): | |
4096 | * runtime/JSString.h: | |
4097 | (JSC::JSString::toExistingAtomicString): | |
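The four-step failure above is a textbook lifetime bug: an intern table that does not own its entries hands out raw pointers, and the caller assumes the pointer outlives the real owner. The following is an added example, not JavaScriptCore code: a constructed toy intern table (`AtomicImpl`, `internTable`, a minimal `RefPtr`) that replays steps 1 to 4 first with a raw-pointer `lookUp` and then with the `RefPtr`-returning one the patch introduces. The model marks an object destroyed instead of freeing it, so the stale read is observable without undefined behaviour (in the real engine that detection is ASan's job, as the bug title shows).

```cpp
// Added example, not JavaScriptCore code. Models the AtomicStringImpl::lookUp
// lifetime bug: a non-owning intern table plus raw-pointer lookups.
#include <cstdio>
#include <deque>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

class AtomicImpl;

// The intern table holds raw pointers and owns nothing (constructed model of
// the AtomicStringImpl table described in the ChangeLog entry).
static std::unordered_map<std::string, AtomicImpl*>& internTable() {
    static std::unordered_map<std::string, AtomicImpl*> table;
    return table;
}

// Minimal RefPtr: refs on acquire, derefs on release (stand-in for WTF::RefPtr).
template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) {}
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

class AtomicImpl {
public:
    // Step 1: the creator owns the object and registers it in the table.
    static RefPtr<AtomicImpl> create(const std::string& s) {
        arena().emplace_back(new AtomicImpl(s));
        AtomicImpl* impl = arena().back().get();
        internTable()[s] = impl;
        return RefPtr<AtomicImpl>(impl);
    }
    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0) {
            // "Destruction": unregister and mark dead. Real code frees the memory
            // here; the model keeps the storage so a stale pointer stays readable.
            internTable().erase(m_string);
            m_destroyed = true;
        }
    }
    bool isDestroyed() const { return m_destroyed; }
private:
    explicit AtomicImpl(std::string s) : m_string(std::move(s)) {}
    static std::deque<std::unique_ptr<AtomicImpl>>& arena() {
        static std::deque<std::unique_ptr<AtomicImpl>> storage;
        return storage;
    }
    std::string m_string;
    int m_refCount = 0;
    bool m_destroyed = false;
};

// The pre-fix API shape: a raw pointer that transfers no ownership.
AtomicImpl* lookUpRaw(const std::string& s) {
    auto it = internTable().find(s);
    return it == internTable().end() ? nullptr : it->second;
}

// The fixed API shape: the RefPtr takes a reference while the caller holds it.
// RefPtr rather than Ref because a miss still yields nullptr.
RefPtr<AtomicImpl> lookUpFixed(const std::string& s) {
    return RefPtr<AtomicImpl>(lookUpRaw(s));
}

// Steps 1-4 with the raw lookup. Returns true when step 4 touches a destroyed object.
bool useAfterFreeWithRawLookup() {
    RefPtr<AtomicImpl> a = AtomicImpl::create("raw-case");   // 1: A owns and registers it
    AtomicImpl* looked = lookUpRaw("raw-case");               // 2: raw pointer, no ownership
    a = nullptr;                                              // 3: A released, nobody owns it
    return looked != nullptr && looked->isDestroyed();        // 4: stale use
}

// Same steps with the RefPtr lookup. Returns true when the object is alive at step 4.
bool safeWithRefPtrLookup() {
    RefPtr<AtomicImpl> a = AtomicImpl::create("fixed-case");
    RefPtr<AtomicImpl> looked = lookUpFixed("fixed-case");    // reference taken immediately
    a = nullptr;                                              // `looked` keeps it alive
    return looked.get() != nullptr && !looked->isDestroyed();
}

int main() {
    std::printf("raw lookUp after owner release: %s\n",
                useAfterFreeWithRawLookup() ? "use-after-free" : "ok");
    std::printf("RefPtr lookUp after owner release: %s\n",
                safeWithRefPtrLookup() ? "ok" : "use-after-free");
    return 0;
}
```

The design point is the one the entry makes: a lookup into a table that the caller does not own must return something that pins the result (`RefPtr`) or the caller must ref it on the spot; returning the raw pointer "because the table owns it" is only safe while the registering owner is alive.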
4098 | ||
4099 | 2015-05-30 Filip Pizlo <fpizlo@apple.com> | |
4100 | ||
4101 | Any exit from any JIT due to profiling for an inline cache should force all future compilations to be wary | |
4102 | https://bugs.webkit.org/show_bug.cgi?id=145496 | |
4103 | ||
4104 | Reviewed by Geoffrey Garen. | |
4105 | ||
4106 | This pessimizes compilation a bit, but it reduces the likelihood of exiting from FTL. I | |
4107 | couldn't find any convincing reason not to do this, and we know from Speedometer that this | |
4108 | change is necessary for weirder code. | |
4109 | ||
4110 | * bytecode/CallLinkStatus.cpp: | |
4111 | (JSC::CallLinkStatus::computeFor): | |
4112 | (JSC::CallLinkStatus::computeExitSiteData): | |
4113 | (JSC::CallLinkStatus::computeDFGStatuses): | |
4114 | * bytecode/CallLinkStatus.h: | |
4115 | * bytecode/GetByIdStatus.cpp: | |
4116 | (JSC::GetByIdStatus::appendVariant): | |
4117 | (JSC::GetByIdStatus::hasExitSite): | |
4118 | (JSC::GetByIdStatus::computeFor): | |
4119 | * bytecode/GetByIdStatus.h: | |
4120 | * bytecode/PutByIdStatus.cpp: | |
4121 | (JSC::PutByIdStatus::appendVariant): | |
4122 | (JSC::PutByIdStatus::hasExitSite): | |
4123 | (JSC::PutByIdStatus::computeFor): | |
4124 | * bytecode/PutByIdStatus.h: | |
4125 | ||
4126 | 2015-05-31 Filip Pizlo <fpizlo@apple.com> | |
4127 | ||
4128 | If a call has ever taken the virtual slow path, make sure that the DFG knows this | |
4129 | https://bugs.webkit.org/show_bug.cgi?id=145501 | |
4130 | ||
4131 | Reviewed by Geoffrey Garen. | |
4132 | ||
4133 | We now return higher-fidelity information in the case of no polymorphic call stub. If the | |
4134 | virtual slow path was ever taken, we note this, and we note either zero or one call variant | |
4135 | based on the IC's last callee. | |
4136 | ||
4137 | * bytecode/CallLinkStatus.cpp: | |
4138 | (JSC::CallLinkStatus::computeFromCallLinkInfo): | |
4139 | (JSC::CallLinkStatus::computeFor): | |
4140 | ||
4141 | 2015-06-01 Michael Saboff <msaboff@apple.com> | |
4142 | ||
4143 | Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24 | |
4144 | https://bugs.webkit.org/show_bug.cgi?id=145527 | |
4145 | ||
4146 | Reviewed by Filip Pizlo. | |
4147 | ||
4148 | If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it. | |
4149 | Added plumbing to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo | |
4150 | is going away. | |
4151 | ||
4152 | * bytecode/CallLinkInfo.h: | |
4153 | (JSC::CallLinkInfo::~CallLinkInfo): | |
4154 | * jit/PolymorphicCallStubRoutine.cpp: | |
4155 | (JSC::PolymorphicCallNode::unlink): | |
4156 | (JSC::PolymorphicCallNode::clearCallLinkInfo): | |
4157 | (JSC::PolymorphicCallCase::dump): | |
4158 | (JSC::PolymorphicCallStubRoutine::edges): | |
4159 | (JSC::PolymorphicCallStubRoutine::clearCallNodesFor): | |
4160 | (JSC::PolymorphicCallStubRoutine::visitWeak): | |
4161 | * jit/PolymorphicCallStubRoutine.h: | |
4162 | (JSC::PolymorphicCallNode::hasCallLinkInfo): | |
4163 | ||
4164 | 2015-06-01 Mark Lam <mark.lam@apple.com> | |
4165 | ||
4166 | Add the ability to tell between Catch and Finally blocks. | |
4167 | https://bugs.webkit.org/show_bug.cgi?id=145524 | |
4168 | ||
4169 | Reviewed by Michael Saboff. | |
4170 | ||
4171 | ... and also SynthesizedFinally blocks too. A SynthesizedFinally block | |
4172 | is a finally block that is synthesized by the bytecode generator but | |
4173 | does not actually correspond to any exception handling construct at the | |
4174 | JS source code level. An example of this is the "for ... of" statement | |
4175 | where it needs to do some "final" clean up before passing on the | |
4176 | exception. | |
4177 | ||
4178 | Manually tested by inspecting the bytecode dump of functions with | |
4179 | try-catch-finally blocks as well as for-of statements which have | |
4180 | synthesized finally blocks. The bytecode dumps contain the exception | |
4181 | handlers table which has these blocks labelled with their newly added | |
4182 | types. No automatic test because this type info is not visible to JS | |
4183 | code. | |
4184 | ||
4185 | * bytecode/CodeBlock.cpp: | |
4186 | (JSC::CodeBlock::dumpBytecode): | |
4187 | * bytecode/HandlerInfo.h: | |
4188 | (JSC::HandlerInfoBase::type): | |
4189 | (JSC::HandlerInfoBase::setType): | |
4190 | (JSC::HandlerInfoBase::typeName): | |
4191 | (JSC::HandlerInfoBase::isCatchHandler): | |
4192 | (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo): | |
4193 | (JSC::HandlerInfo::initialize): | |
4194 | * bytecompiler/BytecodeGenerator.cpp: | |
4195 | (JSC::BytecodeGenerator::generate): | |
4196 | (JSC::BytecodeGenerator::pushTry): | |
4197 | (JSC::BytecodeGenerator::popTryAndEmitCatch): | |
4198 | (JSC::BytecodeGenerator::emitEnumeration): | |
4199 | * bytecompiler/BytecodeGenerator.h: | |
4200 | (JSC::BytecodeGenerator::emitThrow): | |
4201 | * bytecompiler/NodesCodegen.cpp: | |
4202 | (JSC::TryNode::emitBytecode): | |
4203 | ||
4204 | 2015-05-29 Geoffrey Garen <ggaren@apple.com> | |
4205 | ||
4206 | REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower | |
4207 | https://bugs.webkit.org/show_bug.cgi?id=145412 | |
4208 | ||
4209 | Reviewed by Darin Adler. | |
4210 | ||
4211 | Moar speedup. | |
4212 | ||
4213 | Added a bucket sort for string sorting. | |
4214 | ||
4215 | * builtins/Array.prototype.js: | |
4216 | (sort.compactSparse): | |
4217 | (sort.compactSlow): | |
4218 | (sort.compact): Split out a compaction fast path for dense arrays. Without | |
4219 | it, compaction can increase sort time by 2X for simple sorts. | |
4220 | ||
4221 | (sort.bucketSort): | |
4222 | (sort.stringSort): Use a bucket sorting algorithm if we know we're sorting | |
4223 | strings. This makes average case string sorting O(N) with O(N) additional | |
4224 | memory use. | |
4225 | ||
4226 | The worst case bucket sort can require O(M * N) additional | |
4227 | space. We avoid this by falling back to merge sort when things are | |
4228 | simple or overly duplicative. These are the two cases that accumulate | |
4229 | excessive -- and potentially pathological -- bucketing overhead. | |
4230 | ||
4231 | 2015-06-01 Mark Lam <mark.lam@apple.com> | |
4232 | ||
4233 | HandlerInfo::initialize() should not assume that CodeLocationLabel is available. | |
4234 | https://bugs.webkit.org/show_bug.cgi?id=145515 | |
4235 | ||
4236 | Reviewed by Csaba Osztrogonác. | |
4237 | ||
4238 | CodeLocationLabel is only defined for ENABLE(ASSEMBLER) builds. r185022's | |
4239 | attempt at simplifying code to increase readability failed to take this into | |
4240 | account. This patch fixes it. | |
4241 | ||
4242 | * bytecode/CodeBlock.cpp: | |
4243 | (JSC::CodeBlock::CodeBlock): | |
4244 | * bytecode/HandlerInfo.h: | |
4245 | (JSC::HandlerInfo::initialize): | |
4246 | ||
4247 | 2015-05-31 Filip Pizlo <fpizlo@apple.com> | |
4248 | ||
4249 | Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=145503. | |
4250 | ||
4251 | * dfg/DFGByteCodeParser.cpp: | |
4252 | (JSC::DFG::ByteCodeParser::inliningCost): | |
4253 | ||
4254 | 2015-05-31 Yusuke Suzuki <utatane.tea@gmail.com> | |
4255 | ||
4256 | [ES6] Drop WeakMap#clear | |
4257 | https://bugs.webkit.org/show_bug.cgi?id=145489 | |
4258 | ||
4259 | Reviewed by Mark Lam. | |
4260 | ||
4261 | The ES6 spec intentionally drops WeakMap#clear | |
4262 | to allow engines to implement WeakMap as a per-object table. | |
4263 | ||
4264 | This patch drops WeakMap.prototype.clear. | |
4265 | ||
4266 | * runtime/WeakMapPrototype.cpp: | |
4267 | (JSC::WeakMapPrototype::finishCreation): Deleted. | |
4268 | (JSC::protoFuncWeakMapClear): Deleted. | |
4269 | ||
4270 | 2015-05-31 Jordan Harband <ljharb@gmail.com> | |
4271 | ||
4272 | Array#reduce and reduceRight don't follow ToLength | |
4273 | https://bugs.webkit.org/show_bug.cgi?id=145364 | |
4274 | Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength | |
4275 | ||
4276 | Reviewed by Yusuke Suzuki. | |
4277 | ||
4278 | * builtins/Array.prototype.js: | |
4279 | (reduce): | |
4280 | (reduceRight): | |
4281 | * runtime/ArrayPrototype.cpp: | |
4282 | (JSC::ArrayPrototype::finishCreation): | |
4283 | (JSC::arrayProtoFuncReduce): Deleted. | |
4284 | (JSC::arrayProtoFuncReduceRight): Deleted. | |
4285 | ||
4286 | 2015-05-29 Filip Pizlo <fpizlo@apple.com> | |
4287 | ||
4288 | FTL codegen for MultiGetByOffset and MultiPutByOffset where the structure set is already proved should have an unreachable default case instead of an exit | |
4289 | https://bugs.webkit.org/show_bug.cgi?id=145469 | |
4290 | ||
4291 | Reviewed by Geoffrey Garen. | |
4292 | ||
4293 | Omitting the speculation on the fail path when the speculation is guaranteed not to be | |
4294 | taken hints to LLVM that the default case is impossible. This enables some useful | |
4295 | optimizations. | |
4296 | ||
4297 | * ftl/FTLLowerDFGToLLVM.cpp: | |
4298 | (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): | |
4299 | (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): | |
4300 | ||
4301 | 2015-05-29 Mark Lam <mark.lam@apple.com> | |
4302 | ||
4303 | Refactoring HandlerInfo and UnlinkedHandlerInfo. | |
4304 | https://bugs.webkit.org/show_bug.cgi?id=145480 | |
4305 | ||
4306 | Reviewed by Benjamin Poulain. | |
4307 | ||
4308 | HandlerInfo and UnlinkedHandlerInfo have common parts, but are not currently | |
4309 | expressed as 2 unrelated structs that happen to have near identical fields. | |
4310 | We can refactor them to better express their relationship. We can also add | |
4311 | some convenience functions to make the code that uses them a little more | |
4312 | readable. | |
4313 | ||
4314 | * bytecode/CodeBlock.cpp: | |
4315 | (JSC::CodeBlock::dumpBytecode): | |
4316 | (JSC::CodeBlock::CodeBlock): | |
4317 | (JSC::CodeBlock::handlerForBytecodeOffset): | |
4318 | * bytecode/HandlerInfo.h: | |
4319 | (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo): | |
4320 | (JSC::HandlerInfo::initialize): | |
4321 | - I chose to include CodeLocationLabel arg even though it is unused by | |
4322 | non-JIT builds. This makes the call site cleaner to read. | |
4323 | ||
4324 | * bytecode/UnlinkedCodeBlock.h: | |
4325 | (JSC::UnlinkedSimpleJumpTable::add): | |
4326 | (JSC::UnlinkedInstruction::UnlinkedInstruction): | |
4327 | (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers): | |
4328 | (JSC::UnlinkedCodeBlock::addExceptionHandler): | |
4329 | (JSC::UnlinkedCodeBlock::exceptionHandler): | |
4330 | (JSC::UnlinkedCodeBlock::symbolTable): | |
4331 | * bytecompiler/BytecodeGenerator.cpp: | |
4332 | (JSC::BytecodeGenerator::generate): | |
4333 | ||
4334 | 2015-05-28 Filip Pizlo <fpizlo@apple.com> | |
4335 | ||
4336 | Non-speculative Branch should be fast in the FTL | |
4337 | https://bugs.webkit.org/show_bug.cgi?id=145452 | |
4338 | ||
4339 | Reviewed by Andreas Kling. | |
4340 | ||
4341 | Inlines the code for convertJSValueToBoolean into the FTL. This also includes some other | |
4342 | clean-ups that I found along the way. | |
4343 | ||
4344 | I found this by looking at the hottest functions in DeltaBlue. Despite having so many | |
4345 | Branch specializations, apparently there was still a hot one that we missed that was going | |
4346 | down the untyped path. It was either Int32 or Other. Maybe we could specialize for that | |
4347 | combo, but it makes so much sense to just make all of this nonsense fast. | |
4348 | ||
4349 | * dfg/DFGWatchpointCollectionPhase.cpp: | |
4350 | (JSC::DFG::WatchpointCollectionPhase::handle): Need to watch the masquerades watchpoint on UntypedUse: forms of Branch now. | |
4351 | * ftl/FTLLowerDFGToLLVM.cpp: | |
4352 | (JSC::FTL::LowerDFGToLLVM::boolify): The actual fix. | |
4353 | (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52): | |
4354 | (JSC::FTL::LowerDFGToLLVM::isInt32): | |
4355 | (JSC::FTL::LowerDFGToLLVM::isNotInt32): | |
4356 | (JSC::FTL::LowerDFGToLLVM::unboxInt32): | |
4357 | * runtime/JSCellInlines.h: | |
4358 | (JSC::JSCell::toBoolean): Symbol is always true. | |
4359 | (JSC::JSCell::pureToBoolean): Symbol is always true. | |
4360 | * runtime/JSString.cpp: | |
4361 | (JSC::JSString::getPrimitiveNumber): | |
4362 | (JSC::JSString::toNumber): | |
4363 | (JSC::JSString::toBoolean): Deleted. This is a tiny method. It doesn't need to be out-of-line. | |
4364 | * runtime/JSString.h: | |
4365 | (JSC::JSString::length): | |
4366 | (JSC::JSString::toBoolean): This method should be inline. | |
4367 | * runtime/Symbol.cpp: | |
4368 | (JSC::Symbol::toPrimitive): | |
4369 | (JSC::Symbol::getPrimitiveNumber): | |
4370 | (JSC::Symbol::toBoolean): Deleted. A Symbol is always true, so we don't need a method for this. | |
4371 | * runtime/Symbol.h: | |
4372 | ||
4373 | 2015-05-29 Commit Queue <commit-queue@webkit.org> | |
4374 | ||
4375 | Unreviewed, rolling out r184860. | |
4376 | https://bugs.webkit.org/show_bug.cgi?id=145456 | |
4377 | ||
4378 | May have caused ~1% Octane regression (Requested by kling on | |
4379 | #webkit). | |
4380 | ||
4381 | Reverted changeset: | |
4382 | ||
4383 | "Try to use StringView when comparing JSStrings for equality." | |
4384 | https://bugs.webkit.org/show_bug.cgi?id=145379 | |
4385 | http://trac.webkit.org/changeset/184860 | |
4386 | ||
4387 | 2015-05-28 Michael Saboff <msaboff@apple.com> | |
4388 | ||
4389 | mozilla/js1_5/Array/regress-154338.js test causes ARM 32 bit iOS devices to run out of memory | |
4390 | https://bugs.webkit.org/show_bug.cgi?id=145444 | |
4391 | ||
4392 | Reviewed by Geoffrey Garen. | |
4393 | ||
4394 | Disabled mozilla/js1_5/Array/regress-154338.js when run on iOS ARM 32 bit devices and | |
4395 | the --memory-limited option is passed to run-jsc-stress-tests. | |
4396 | ||
4397 | * tests/mozilla/mozilla-tests.yaml: | |
4398 | ||
4399 | 2015-05-28 Benjamin Poulain <benjamin@webkit.org> | |
4400 | ||
4401 | [iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks. | |
4402 | https://bugs.webkit.org/show_bug.cgi?id=138038 | |
4403 | ||
4404 | Reviewed by Michael Saboff. | |
4405 | ||
4406 | TL;DR: sometimes the baseline JIT could accidentally nuke the tag before calling | |
4407 | to C++, making put_by_id behave erratically. | |
4408 | ||
4409 | The bug was that put_by_id would randomly not work correctly in 32 bits. It happened | |
4410 | in the baseline JIT if we were unlucky enough: | |
4411 | - The code gets hot enough and the structure is stable, so we get a fast path for | |
4412 | put_by_id. | |
4413 | - We repatch the fast-path branch with a stub generated by | |
4414 | emitPutTransitionStubAndGetOldStructure(). | |
4415 | - In emitPutTransitionStubAndGetOldStructure(), we only preserve the payload of the base | |
4416 | register; the tag register is ignored. | |
4417 | - emitPutTransitionStubAndGetOldStructure() allocates 2 to 3 registers. Any of those | |
4418 | could be the one used for the base's tag before the fast path, and the value is trashed. | |
4419 | - If we hit one of the failure cases, we fall back to the slow path, but we destroyed | |
4420 | the tag pointer. | |
4421 | - We now have unrelated bits in the tag; the most likely value type is now "double" | |
4422 | and we fail the put_by_id because we try to set a property on a number. | |
4423 | ||
4424 | The most obvious solution would be to change emitPutTransitionStubAndGetOldStructure() | |
4425 | to preserve the tag register in addition to the value register. | |
4426 | I decided against that option because of the added complexity. The DFG does not need | |
4427 | that case, so I would have to add branches everywhere to distinguish the cases | |
4428 | where we need to preserve the tag or not. | |
4429 | ||
4430 | Instead, I just load the tag back from memory in the slow path. The function in the slow | |
4431 | path is several orders of magnitude slower than a load, it is not worth eliminating it, | |
4432 | especially in baseline JIT. | |
4433 | ||
4434 | I also discovered 4 useless loads in the fast path, so even with my extra load, this patch | |
4435 | makes the baseline faster :) | |
4436 | ||
4437 | * jit/JITPropertyAccess32_64.cpp: | |
4438 | (JSC::JIT::emitSlow_op_put_by_id): | |
4439 | (JSC::JIT::emit_op_put_by_id): Deleted. | |
4440 | * tests/stress/put-by-id-on-new-object-after-prototype-transition-non-strict.js: Added. | |
4441 | (opaqueNewObject): | |
4442 | (putValueOnNewObject): | |
4443 | * tests/stress/put-by-id-on-new-object-after-prototype-transition-strict.js: Added. | |
4444 | (string_appeared_here.opaqueNewObject): | |
4445 | (putValueOnNewObject): | |
4446 | ||
4447 | 2015-05-28 Benjamin Poulain <benjamin@webkit.org> | |
4448 | ||
4449 | [JSC] Reduce the iteration count of the DoubleRep stress tests | |
4450 | ||
4451 | Once again, I used big numbers for manual testing and I forgot to fix them before landing. | |
4452 | ||
4453 | * tests/stress/double-rep-with-non-cell.js: | |
4454 | * tests/stress/double-rep-with-null.js: | |
4455 | * tests/stress/double-rep-with-undefined.js: | |
4456 | ||
4457 | 2015-05-28 Basile Clement <basile_clement@apple.com> | |
4458 | ||
4459 | Add debug mode assertions for accessors casting JSC::DFG::Node.m_opInfo | |
4460 | https://bugs.webkit.org/show_bug.cgi?id=145441 | |
4461 | ||
4462 | Reviewed by Filip Pizlo. | |
4463 | ||
4464 | Most accessor functions casting m_opInfo in JSC::DFG::Node are | |
4465 | performing debug checks that they are only accessed for node types that | |
4466 | should have them. This patch adds similar checks for the accessors that | |
4467 | were missing them. | |
4468 | ||
4469 | * dfg/DFGNode.h: | |
4470 | (JSC::DFG::Node::watchpointSet): | |
4471 | (JSC::DFG::Node::storagePointer): | |
4472 | (JSC::DFG::Node::multiGetByOffsetData): | |
4473 | (JSC::DFG::Node::multiPutByOffsetData): | |
4474 | (JSC::DFG::Node::hasTypeLocation): | |
4475 | (JSC::DFG::Node::typeLocation): | |
4476 | (JSC::DFG::Node::hasBasicBlockLocation): | |
4477 | (JSC::DFG::Node::basicBlockLocation): | |
4478 | ||
4479 | 2015-05-28 Matt Rajca <mrajca@apple.com> | |
4480 | ||
4481 | Add ENABLE_MEDIA_SESSION feature flag (which is off by default). | |
4482 | https://bugs.webkit.org/show_bug.cgi?id=145415 | |
4483 | ||
4484 | Reviewed by Eric Carlson. | |
4485 | ||
4486 | * Configurations/FeatureDefines.xcconfig: | |
4487 | ||
4488 | 2015-05-27 Jordan Harband <ljharb@gmail.com> | |
4489 | ||
4490 | Array.of should work with other constructors | |
4491 | https://bugs.webkit.org/show_bug.cgi?id=145365 | |
4492 | Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.of | |
4493 | step 4 | |
4494 | ||
4495 | Reviewed by Yusuke Suzuki. | |
4496 | ||
4497 | * builtins/ArrayConstructor.js: | |
4498 | (of): | |
4499 | * runtime/ArrayConstructor.cpp: | |
4500 | (JSC::arrayConstructorOf): Deleted. | |
4501 | ||
4502 | 2015-05-27 Benjamin Poulain <bpoulain@apple.com> | |
4503 | ||
4504 | [JSC] Add undefined->double conversion to DoubleRep | |
4505 | https://bugs.webkit.org/show_bug.cgi?id=145293 | |
4506 | ||
4507 | Reviewed by Filip Pizlo. | |
4508 | ||
4509 | This patch adds undefined to double conversion to the DoubleRep | |
4510 | node for the cases where we speculate "undefined" as part of the types | |
4511 | processed. | |
4512 | ||
4513 | The use case is doing math with accidental out-of-bounds access. For example, | |
4514 | something like: | |
4515 | for (var i = 0; i <= length; ++i) | |
4516 | output += array[i]; | |
4517 | ||
4518 | would cause us to OSR exit every time i === length. | |
4519 | ||
4520 | When hitting one of those cases, we would already speculate double math, | |
4521 | but the DoubleRep node was unable to convert the undefined and would exit. | |
4522 | ||
4523 | With this patch the use kind NotCellUse covers this conversion for DoubleRep. | |
4524 | I have been quite conservative so in general we will not find "undefined" | |
4525 | until a few recompiles but being optimistic seems better since this is a corner case. | |
4526 | ||
4527 | This patch is an 80% progression on WebXPRT's DNA Sequencing test. | |
4528 | ||
4529 | * dfg/DFGAbstractInterpreterInlines.h: | |
4530 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
4531 | * dfg/DFGFixupPhase.cpp: | |
4532 | (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): | |
4533 | * dfg/DFGNode.h: | |
4534 | (JSC::DFG::Node::sawUndefined): | |
4535 | * dfg/DFGPredictionPropagationPhase.cpp: | |
4536 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
4537 | * dfg/DFGSafeToExecute.h: | |
4538 | (JSC::DFG::SafeToExecuteEdge::operator()): | |
4539 | * dfg/DFGSpeculativeJIT.cpp: | |
4540 | (JSC::DFG::SpeculativeJIT::compileDoubleRep): | |
4541 | * dfg/DFGUseKind.cpp: | |
4542 | (WTF::printInternal): | |
4543 | * dfg/DFGUseKind.h: | |
4544 | (JSC::DFG::typeFilterFor): | |
4545 | * ftl/FTLCapabilities.cpp: | |
4546 | (JSC::FTL::canCompile): | |
4547 | * ftl/FTLLowerDFGToLLVM.cpp: | |
4548 | (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): | |
4549 | (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): | |
4550 | * tests/stress/double-rep-with-undefined.js: Added. | |
4551 | (addArgsNumberAndUndefined): | |
4552 | (addArgsInt32AndUndefined): | |
4553 | (testFallbackWithDouble): | |
4554 | (addArgsDoubleAndUndefined): | |
4555 | (testFallbackWithObject.): | |
4556 | (testFallbackWithObject): | |
4557 | (addArgsOnlyUndefined): | |
4558 | (testFallbackWithString): | |
4559 | ||
4560 | 2015-05-27 Dean Jackson <dino@apple.com> | |
4561 | ||
4562 | img.currentSrc problem in strict mode with old picturefill | |
4563 | https://bugs.webkit.org/show_bug.cgi?id=144095 | |
4564 | <rdar://problem/21087013> | |
4565 | ||
4566 | Reviewed by Simon Fraser. | |
4567 | ||
4568 | Add a PICTURE_SIZES flag. | |
4569 | ||
4570 | * Configurations/FeatureDefines.xcconfig: | |
4571 | ||
4572 | 2015-05-27 Basile Clement <basile_clement@apple.com> | |
4573 | ||
4574 | LazyNode comparison can return incorrect results when comparing an empty value | |
4575 | https://bugs.webkit.org/show_bug.cgi?id=145421 | |
4576 | ||
4577 | Reviewed by Geoffrey Garen. | |
4578 | ||
4579 | When comparing a LazyNode to another, we compare the value pointers if | |
4580 | we have one, and otherwise compare the nodes. | |
4581 | We should be comparing value pointers if the other LazyNode has one as | |
4582 | well, otherwise we risk an incoherency when we are an empty LazyNode | |
4583 | being compared to a FrozenValue without node. | |
4584 | ||
4585 | Note that this is not a problem in any other case because if we don't | |
4586 | have a FrozenValue and we are not an empty LazyNode, we are a | |
4587 | non-constant node, and comparing the node pointers is correct. | |
4588 | ||
4589 | * dfg/DFGLazyNode.h: | |
4590 | (JSC::DFG::LazyNode::operator==): | |
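The incoherency described above is easiest to see as an asymmetric equality: with the old rule, `empty == frozenWithoutNode` and `frozenWithoutNode == empty` give different answers. The following is an added example, not JavaScriptCore code: `Node`, `FrozenValue` and `LazyNodeModel` are constructed stand-ins (only the pointer identities matter), and `equalsBeforeFix` / `equalsAfterFix` encode the two comparison rules exactly as the entry states them.

```cpp
// Added example, not JavaScriptCore code. Models the LazyNode operator==
// defect: "compare values if *we* have one" versus "if *either side* has one".
#include <cstdio>

// Constructed stand-ins; only their addresses are used.
struct Node {};
struct FrozenValue {};

// A constant carries a FrozenValue pointer, a non-constant carries a Node
// pointer, and an empty LazyNode carries neither.
struct LazyNodeModel {
    const Node* node = nullptr;
    const FrozenValue* value = nullptr;
};

// Rule before the fix: compare value pointers only when the left side has one,
// otherwise compare node pointers.
bool equalsBeforeFix(const LazyNodeModel& a, const LazyNodeModel& b) {
    if (a.value)
        return a.value == b.value;
    return a.node == b.node;
}

// Rule after the fix: compare value pointers when either side has one, so an
// empty LazyNode (both pointers null) never matches a node-less constant.
bool equalsAfterFix(const LazyNodeModel& a, const LazyNodeModel& b) {
    if (a.value || b.value)
        return a.value == b.value;
    return a.node == b.node;
}

using Equals = bool (*)(const LazyNodeModel&, const LazyNodeModel&);

// Builds the problematic pair: an empty LazyNode and a FrozenValue without node.
static void makeEmptyAndFrozen(LazyNodeModel& empty, LazyNodeModel& frozen) {
    static const FrozenValue constant{};
    empty = LazyNodeModel{};
    frozen = LazyNodeModel{};
    frozen.value = &constant;
}

// Does the given rule consider the empty LazyNode equal to the node-less constant?
bool emptyEqualsFrozen(Equals equals) {
    LazyNodeModel empty, frozen;
    makeEmptyAndFrozen(empty, frozen);
    return equals(empty, frozen);
}

// Is the given rule symmetric on that pair? Equality must be, or set/hash
// lookups keyed on LazyNode become order-dependent.
bool symmetricOnEmptyVsFrozen(Equals equals) {
    LazyNodeModel empty, frozen;
    makeEmptyAndFrozen(empty, frozen);
    return equals(empty, frozen) == equals(frozen, empty);
}

// Sanity check that the fix keeps the ordinary case: two non-constant
// LazyNodes compare by node identity under both rules.
bool nonConstantsCompareByNode(Equals equals) {
    static const Node n1{}, n2{};
    LazyNodeModel a, b, c;
    a.node = &n1;
    b.node = &n1;
    c.node = &n2;
    return equals(a, b) && !equals(a, c);
}

int main() {
    std::printf("before fix: empty == frozen? %d, symmetric? %d\n",
                emptyEqualsFrozen(equalsBeforeFix), symmetricOnEmptyVsFrozen(equalsBeforeFix));
    std::printf("after fix:  empty == frozen? %d, symmetric? %d\n",
                emptyEqualsFrozen(equalsAfterFix), symmetricOnEmptyVsFrozen(equalsAfterFix));
    return 0;
}
```

Under the old rule the empty LazyNode reports equal to the constant (both node pointers are null) while the reverse comparison does not; the fixed rule answers false in both directions and leaves the non-constant case untouched.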
4591 | ||
4592 | 2015-05-27 Geoffrey Garen <ggaren@apple.com> | |
4593 | ||
4594 | REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower | |
4595 | https://bugs.webkit.org/show_bug.cgi?id=145412 | |
4596 | ||
4597 | Reviewed by Benjamin Poulain. | |
4598 | ||
4599 | Cache strings when doing a string-converting sort. | |
4600 | ||
4601 | This is a 21% speedup. | |
4602 | ||
4603 | * builtins/Array.prototype.js: | |
4604 | (sort.stringComparator): Use subtraction instead of branching because | |
4605 | it's slightly faster. | |
4606 | ||
4607 | (sort.comparatorSort): | |
4608 | (sort.stringSort): | |
4609 | (sort): Add a special case for string sorting to avoid redundant string | |
4610 | conversion. | |
4611 | ||
4612 | * parser/Parser.cpp: | |
4613 | (JSC::Parser<LexerType>::createBindingPattern): Names can be empty if | |
4614 | they are private names. | |
4615 | ||
4616 | 2015-05-26 Filip Pizlo <fpizlo@apple.com> | |
4617 | ||
4618 | JIT-generated store barrier code should assume the buffer pointer and capacity to be compile-time constants | |
4619 | https://bugs.webkit.org/show_bug.cgi?id=145404 | |
4620 | ||
4621 | Reviewed by Andreas Kling. | |
4622 | ||
4623 | We never change the capacity of a write barrier buffer. We never repoint the buffer | |
4624 | pointer. So, the JIT shouldn't load those from memory; it should take advantage of the | |
4625 | fact that these are compile-time constants. | |
4626 | ||
4627 | * dfg/DFGSpeculativeJIT.cpp: | |
4628 | (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): | |
4629 | * ftl/FTLLowerDFGToLLVM.cpp: | |
4630 | (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): | |
4631 | * heap/WriteBarrierBuffer.h: | |
4632 | (JSC::WriteBarrierBuffer::currentIndexAddress): | |
4633 | (JSC::WriteBarrierBuffer::capacity): | |
4634 | (JSC::WriteBarrierBuffer::buffer): | |
4635 | (JSC::WriteBarrierBuffer::currentIndexOffset): Deleted. | |
4636 | (JSC::WriteBarrierBuffer::capacityOffset): Deleted. | |
4637 | (JSC::WriteBarrierBuffer::bufferOffset): Deleted. | |
4638 | * jit/Repatch.cpp: | |
4639 | (JSC::emitPutTransitionStubAndGetOldStructure): | |
4640 | ||
4641 | 2015-05-27 Geoffrey Garen <ggaren@apple.com> | |
4642 | ||
4643 | REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower | |
4644 | https://bugs.webkit.org/show_bug.cgi?id=145412 | |
4645 | ||
4646 | Reviewed by Darin Adler. | |
4647 | ||
4648 | Use @toString instead of the String constructor because calls to the | |
4649 | String constructor are never optimized. (See | |
4650 | https://bugs.webkit.org/show_bug.cgi?id=144458.) | |
4651 | ||
4652 | This is a ~2X speedup. | |
4653 | ||
4654 | * builtins/Array.prototype.js: | |
4655 | (sort.stringComparator): | |
4656 | ||
4657 | 2015-05-27 Dan Bernstein <mitz@apple.com> | |
4658 | ||
4659 | Remove JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 | |
4660 | https://bugs.webkit.org/show_bug.cgi?id=145403 | |
4661 | ||
4662 | Reviewed by Anders Carlsson. | |
4663 | ||
4664 | JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 was used to enable the JavaScriptCore Objective-C API | |
4665 | for WebKit and Safari projects building with JavaScriptCore targeting OS X 10.8. We don’t | |
4666 | need it anymore. | |
4667 | ||
4668 | * API/JSBase.h: | |
4669 | * API/JSContext.h: | |
4670 | * API/JSManagedValue.h: | |
4671 | * API/JSValue.h: | |
4672 | * API/JSVirtualMachine.h: | |
4673 | * Configurations/Base.xcconfig: | |
4674 | * postprocess-headers.sh: | |
4675 | ||
4676 | 2015-05-26 Geoffrey Garen <ggaren@apple.com> | |
4677 | ||
4678 | Photo Booth hangs under JSC::MachineThreads::tryCopyOtherThreadStacks | |
4679 | https://bugs.webkit.org/show_bug.cgi?id=145395 | |
4680 | ||
4681 | Reviewed by Mark Hahnenberg. | |
4682 | ||
4683 | No test case because we already have --threaded mode, which runs lots of | |
4684 | parallel GC, but it (and the original in-app test case) can't reproduce | |
4685 | this bug. | |
4686 | ||
4687 | * heap/MachineStackMarker.cpp: | |
4688 | (JSC::MachineThreads::tryCopyOtherThreadStacks): Use a lock to prevent | |
4689 | two threads from mutually suspending each other. | |
4690 | ||
4691 | 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com> | |
4692 | ||
4693 | Add Array.prototype.copyWithin to JSC features.json | |
4694 | https://bugs.webkit.org/show_bug.cgi?id=145387 | |
4695 | ||
4696 | Reviewed by Darin Adler. | |
4697 | ||
4698 | * features.json: | |
4699 | ||
4700 | 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com> | |
4701 | ||
4702 | Reflect nits for r184863 | |
4703 | https://bugs.webkit.org/show_bug.cgi?id=145107 | |
4704 | ||
4705 | Reviewed by Darin Adler. | |
4706 | ||
4707 | 1. Added the copyright line. | |
4708 | 2. Added an optional argument (/*, end */). To do so, fixed generate-js-builtins. | |
4709 | 3. Dropped the unnecessary variable `thisValue`. | |
4710 | 4. Fix the type error messages. This is also found in StringIterator.prototype.js. | |
4711 | 5. Added tests for 0 arguments. | |
4712 | ||
4713 | * builtins/Array.prototype.js: | |
4714 | (copyWithin): | |
4715 | * builtins/StringIterator.prototype.js: | |
4716 | (next): | |
4717 | * generate-js-builtins: | |
4718 | * tests/stress/array-copywithin.js: | |
4719 | * tests/stress/string-iterators.js: | |
4720 | ||
4721 | 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com> | |
4722 | ||
4723 | Inline @Array / @Object callsites | |
4724 | https://bugs.webkit.org/show_bug.cgi?id=145382 | |
4725 | ||
4726 | Reviewed by Geoffrey Garen. | |
4727 | ||
4728 | As with Array/Object callsite inlining, @Array/@Object should also | |
4729 | be inlined at the bytecode level. | |
4730 | While `new @Object` style is not encouraged in the builtins, | |
4731 | `@Array(len)` is already used at least in Array.from code. | |
4732 | ||
4733 | * bytecompiler/BytecodeGenerator.cpp: | |
4734 | (JSC::BytecodeGenerator::expectedFunctionForIdentifier): | |
4735 | ||
4736 | 2015-05-26 Andreas Kling <akling@apple.com> | |
4737 | ||
4738 | String.prototype.charCodeAt() should use StringView. | |
4739 | <https://webkit.org/b/145353> | |
4740 | ||
4741 | Reviewed by Darin Adler. | |
4742 | ||
4743 | Use JSString::view() in charCodeAt() to avoid reifying the JSString if it's | |
4744 | a substring. This avoids StringImpl allocation in some cases and ref churn | |
4745 | in all cases. | |
4746 | ||
4747 | * runtime/StringPrototype.cpp: | |
4748 | (JSC::stringProtoFuncCharCodeAt): | |
4749 | ||
4750 | 2015-05-26 Andreas Kling <akling@apple.com> | |
4751 | ||
4752 | String.prototype.charAt() should use StringView. | |
4753 | <https://webkit.org/b/145352> | |
4754 | ||
4755 | Reviewed by Darin Adler. | |
4756 | ||
4757 | Remove the jsSingleCharacterSubstring() function since it's actually completely | |
4758 | counter-productive: it could create a single-character string that would retain | |
4759 | a much larger string for the duration of its lifetime. | |
4760 | ||
4761 | This made sense before StringImpl learned to put its characters at the tail end | |
4762 | of its own allocation. Now that it does, it's far better to just create a new | |
4763 | single-character StringImpl. | |
4764 | ||
4765 | With that out of the way, we can make String.prototype.charAt() use StringView | |
4766 | to avoid reifying substring JSStrings (and avoid some ref churn too.) | |
4767 | ||
4768 | * runtime/JSString.cpp: | |
4769 | (JSC::JSRopeString::getIndexSlowCase): | |
4770 | * runtime/JSString.h: | |
4771 | (JSC::JSString::getIndex): | |
4772 | (JSC::jsSingleCharacterSubstring): Deleted. | |
4773 | * runtime/StringPrototype.cpp: | |
4774 | (JSC::stringProtoFuncCharAt): | |
4775 | (JSC::stringProtoFuncSplit): | |
4776 | ||
4777 | 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com> | |
4778 | ||
4779 | [ES6] Implement Array.prototype.copyWithin | |
4780 | https://bugs.webkit.org/show_bug.cgi?id=145107 | |
4781 | ||
4782 | Reviewed by Darin Adler. | |
4783 | ||
4784 | This patch implements ES6 Array.prototype.copyWithin. | |
4785 | It is intended to be used for copying the region to the other region | |
4786 | in the callee array itself safely (like memmove, not memcpy). | |
4787 | This function is proposed in the context of WebGL. | |
4788 | ||
4789 | * builtins/Array.prototype.js: | |
4790 | (.maxWithPositives): | |
4791 | (.minWithMaybeNegativeZeroAndPositive): | |
4792 | (copyWithin): | |
4793 | * runtime/ArrayPrototype.cpp: | |
4794 | (JSC::ArrayPrototype::finishCreation): | |
4795 | * tests/stress/array-copywithin.js: Added. | |
4796 | (shouldBe): | |
4797 | (shouldBeArray): | |
4798 | (shouldThrow): | |
4799 | (arrayToObject): | |
4800 | (valueOf): | |
4801 | ||
4802 | 2015-05-26 Dan Bernstein <mitz@apple.com> | |
4803 | ||
4804 | <rdar://problem/21104551> Update build settings | |
4805 | ||
4806 | Reviewed by Anders Carlsson. | |
4807 | ||
4808 | * Configurations/DebugRelease.xcconfig: | |
4809 | * Configurations/FeatureDefines.xcconfig: | |
4810 | * Configurations/Version.xcconfig: | |
4811 | ||
4812 | 2015-05-26 Andreas Kling <akling@apple.com> | |
4813 | ||
4814 | Try to use StringView when comparing JSStrings for equality. | |
4815 | <https://webkit.org/b/145379> | |
4816 | ||
4817 | Reviewed by Darin Adler. | |
4818 | ||
4819 | Use JSString::view() when sending two JSStrings to WTF::equal() | |
4820 | for comparison. This avoids creating new objects in the case where | |
4821 | the strings are actually substrings. | |
4822 | ||
4823 | * jit/JITOperations.cpp: | |
4824 | * runtime/JSCJSValueInlines.h: | |
4825 | (JSC::JSValue::equalSlowCaseInline): | |
4826 | (JSC::JSValue::strictEqualSlowCaseInline): | |
4827 | ||
4828 | 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com> | |
4829 | ||
4830 | [JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix | |
4831 | https://bugs.webkit.org/show_bug.cgi?id=145360 | |
4832 | ||
4833 | Reviewed by Darin Adler. | |
4834 | ||
4835 | JSObject::putDirect only accepts non-indexed properties. | |
4836 | So when generating put_by_id (with direct postfix) for indexed property, | |
4837 | we should generate put_by_val_direct instead. | |
4838 | ||
4839 | * bytecompiler/BytecodeGenerator.cpp: | |
4840 | (JSC::BytecodeGenerator::emitDirectPutById): | |
4841 | * bytecompiler/NodesCodegen.cpp: | |
4842 | (JSC::PropertyListNode::emitPutConstantProperty): | |
4843 | * tests/stress/put-by-id-direct-should-be-done-for-non-index-property.js: Added. | |
4844 | ||
4845 | 2015-05-24 Jordan Harband <ljharb@gmail.com> | |
4846 | ||
4847 | Array#findIndex/find should not skip holes | |
4848 | https://bugs.webkit.org/show_bug.cgi?id=145361 | |
4849 | per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.findindex | |
4850 | and https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.find | |
4851 | ||
4852 | Reviewed by Yusuke Suzuki. | |
4853 | ||
4854 | * builtins/Array.prototype.js: | |
4855 | (find): Deleted. | |
4856 | (findIndex): Deleted. | |
4857 | ||
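The fix above is about holes: the ES5-era array methods skip indices that have no own property, but ES6 find and findIndex call the predicate for every index from 0 to length-1, passing undefined for a hole. The block below is an added example written for this page, not the builtin that this change deleted from builtins/Array.prototype.js: a spec-style find/findIndex beside a hole-skipping variant, with a visit counter to make the difference observable. Names (findCore, specFind, specFindIndex, holeSkippingFindIndex, countVisits) are this example's own.

```javascript
// Added example (not JSC code): spec-style Array.prototype.find / findIndex
// that visit every index in [0, length), holes included, contrasted with the
// hole-skipping behaviour of the ES5 iteration methods. Names are this
// example's own.

function toLength(v) {
  const n = Math.trunc(Number(v)) || 0; // NaN and -0 become 0
  return Math.min(Math.max(n, 0), Number.MAX_SAFE_INTEGER);
}

// Shared core: returns [index, value] of the first match, or [-1, undefined].
// There is no HasProperty check before the callback, so a hole is presented
// to the predicate as undefined.
function findCore(arrayLike, predicate, thisArg) {
  if (arrayLike == null) throw new TypeError('called on null or undefined');
  if (typeof predicate !== 'function') throw new TypeError('predicate is not callable');
  const O = Object(arrayLike);
  const len = toLength(O.length);
  for (let k = 0; k < len; k++) {
    const value = O[k];
    if (predicate.call(thisArg, value, k, O)) return [k, value];
  }
  return [-1, undefined];
}

function specFind(arrayLike, predicate, thisArg) {
  return findCore(arrayLike, predicate, thisArg)[1];
}

function specFindIndex(arrayLike, predicate, thisArg) {
  return findCore(arrayLike, predicate, thisArg)[0];
}

// Hole-skipping variant, the way forEach/some/indexOf behave: an index with
// no own property is never handed to the callback.
function holeSkippingFindIndex(arrayLike, predicate, thisArg) {
  const O = Object(arrayLike);
  const len = toLength(O.length);
  for (let k = 0; k < len; k++) {
    if (k in O && predicate.call(thisArg, O[k], k, O)) return k;
  }
  return -1;
}

// How many times does the predicate run over a sparse array?
function countVisits(findFn, arr) {
  let visits = 0;
  findFn(arr, () => { visits++; return false; });
  return visits;
}
```

For [ , 1] a predicate looking for undefined matches index 0 with the spec version and never runs at that index with the hole-skipping one; over [ , , 3] the predicate runs three times versus once.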
4858 | 2015-05-24 Brian J. Burg <burg@cs.washington.edu> | |
4859 | ||
4860 | Web Inspector: Uncaught exception when using Inspect tool on SVG elements | |
4861 | https://bugs.webkit.org/show_bug.cgi?id=145363 | |
4862 | ||
4863 | Reviewed by Joseph Pecoraro. | |
4864 | ||
4865 | The injected script failed by chaining a call to String.prototype.trim to the result of | |
4866 | SVG*Element.className, which is an SVGAnimatedString and lacks useful methods. So, obtain | |
4867 | the class name using Node.getAttribute, which always returns a DOMString. | |
4868 | ||
4869 | * inspector/InjectedScriptSource.js: | |
4870 | (InjectedScriptSource.prototype._getDescription): use getAttribute instead of className. | |
4871 | ||
4872 | 2015-05-23 Dan Bernstein <mitz@apple.com> | |
4873 | ||
4874 | Remove unused definitions of WEBKIT_VERSION_MIN_REQUIRED | |
4875 | https://bugs.webkit.org/show_bug.cgi?id=145345 | |
4876 | ||
4877 | Reviewed by Sam Weinig. | |
4878 | ||
4879 | * Configurations/Base.xcconfig: Also changed to use $(inherited). | |
4880 | ||
4881 | 2015-05-23 Yusuke Suzuki <utatane.tea@gmail.com> | |
4882 | ||
4883 | Introduce UniquedStringImpl and SymbolImpl to separate symbolic strings from AtomicStringImpl | |
4884 | https://bugs.webkit.org/show_bug.cgi?id=144848 | |
4885 | ||
4886 | Reviewed by Darin Adler. | |
4887 | ||
4888 | Use UniquedStringImpl, SymbolImpl and AtomicStringImpl. | |
4889 | ||
4890 | * API/JSCallbackObject.h: | |
4891 | * builtins/BuiltinNames.h: | |
4892 | (JSC::BuiltinNames::isPrivateName): | |
4893 | * bytecode/BytecodeIntrinsicRegistry.h: | |
4894 | * bytecode/CodeBlock.cpp: | |
4895 | (JSC::CodeBlock::CodeBlock): | |
4896 | * bytecode/ComplexGetStatus.cpp: | |
4897 | (JSC::ComplexGetStatus::computeFor): | |
4898 | * bytecode/ComplexGetStatus.h: | |
4899 | * bytecode/GetByIdStatus.cpp: | |
4900 | (JSC::GetByIdStatus::computeFromLLInt): | |
4901 | (JSC::GetByIdStatus::computeFor): | |
4902 | (JSC::GetByIdStatus::computeForStubInfo): | |
4903 | * bytecode/GetByIdStatus.h: | |
4904 | * bytecode/Instruction.h: | |
4905 | (JSC::Instruction::Instruction): | |
4906 | * bytecode/PutByIdStatus.cpp: | |
4907 | (JSC::PutByIdStatus::computeFromLLInt): | |
4908 | (JSC::PutByIdStatus::computeFor): | |
4909 | (JSC::PutByIdStatus::computeForStubInfo): | |
4910 | * bytecode/PutByIdStatus.h: | |
4911 | * bytecompiler/BytecodeGenerator.cpp: | |
4912 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
4913 | (JSC::BytecodeGenerator::visibleNameForParameter): | |
4914 | (JSC::BytecodeGenerator::hasConstant): | |
4915 | (JSC::BytecodeGenerator::addConstant): | |
4916 | * bytecompiler/BytecodeGenerator.h: | |
4917 | * bytecompiler/NodesCodegen.cpp: | |
4918 | (JSC::PropertyListNode::emitBytecode): | |
4919 | * dfg/DFGByteCodeParser.cpp: | |
4920 | (JSC::DFG::ByteCodeParser::parseBlock): | |
4921 | (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): | |
4922 | * dfg/DFGDesiredIdentifiers.cpp: | |
4923 | (JSC::DFG::DesiredIdentifiers::addLazily): | |
4924 | (JSC::DFG::DesiredIdentifiers::at): | |
4925 | (JSC::DFG::DesiredIdentifiers::reallyAdd): | |
4926 | * dfg/DFGDesiredIdentifiers.h: | |
4927 | (JSC::DFG::DesiredIdentifiers::operator[]): | |
4928 | * dfg/DFGFixupPhase.cpp: | |
4929 | (JSC::DFG::FixupPhase::fixupNode): | |
4930 | (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): | |
4931 | * dfg/DFGSpeculativeJIT.cpp: | |
4932 | (JSC::DFG::SpeculativeJIT::compileIn): | |
4933 | * dfg/DFGSpeculativeJIT.h: | |
4934 | (JSC::DFG::SpeculativeJIT::identifierUID): | |
4935 | (JSC::DFG::SpeculativeJIT::callOperation): | |
4936 | * ftl/FTLCompile.cpp: | |
4937 | (JSC::FTL::mmAllocateDataSection): | |
4938 | * ftl/FTLInlineCacheDescriptor.h: | |
4939 | (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor): | |
4940 | (JSC::FTL::InlineCacheDescriptor::uid): | |
4941 | (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor): | |
4942 | (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor): | |
4943 | (JSC::FTL::CheckInDescriptor::CheckInDescriptor): | |
4944 | * ftl/FTLIntrinsicRepository.h: | |
4945 | * ftl/FTLLowerDFGToLLVM.cpp: | |
4946 | (JSC::FTL::LowerDFGToLLVM::compilePutById): | |
4947 | (JSC::FTL::LowerDFGToLLVM::compileIn): | |
4948 | (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): | |
4949 | (JSC::FTL::LowerDFGToLLVM::getById): | |
4950 | * ftl/FTLOperations.cpp: | |
4951 | (JSC::FTL::operationMaterializeObjectInOSR): | |
4952 | * ftl/FTLSlowPathCall.cpp: | |
4953 | (JSC::FTL::callOperation): | |
4954 | * ftl/FTLSlowPathCall.h: | |
4955 | * jit/JIT.h: | |
4956 | * jit/JITInlines.h: | |
4957 | (JSC::JIT::callOperation): | |
4958 | * jit/JITOperations.cpp: | |
4959 | * jit/JITOperations.h: | |
4960 | * parser/Nodes.cpp: | |
4961 | (JSC::ProgramNode::setClosedVariables): | |
4962 | * parser/Nodes.h: | |
4963 | (JSC::ScopeNode::captures): | |
4964 | (JSC::ScopeNode::setClosedVariables): | |
4965 | (JSC::ProgramNode::closedVariables): | |
4966 | * parser/Parser.cpp: | |
4967 | (JSC::Parser<LexerType>::parseInner): | |
4968 | (JSC::Parser<LexerType>::didFinishParsing): | |
4969 | (JSC::Parser<LexerType>::parseContinueStatement): | |
4970 | * parser/Parser.h: | |
4971 | (JSC::Scope::Scope): | |
4972 | (JSC::Scope::pushLabel): | |
4973 | (JSC::Scope::getLabel): | |
4974 | (JSC::Scope::declareCallee): | |
4975 | (JSC::Scope::declareVariable): | |
4976 | (JSC::Scope::declareParameter): | |
4977 | (JSC::Scope::declareBoundParameter): | |
4978 | (JSC::Scope::useVariable): | |
4979 | (JSC::Scope::copyCapturedVariablesToVector): | |
4980 | (JSC::Parser::closedVariables): | |
4981 | (JSC::ScopeLabelInfo::ScopeLabelInfo): Deleted. | |
4982 | * parser/SourceProviderCacheItem.h: | |
4983 | (JSC::SourceProviderCacheItem::usedVariables): | |
4984 | (JSC::SourceProviderCacheItem::writtenVariables): | |
4985 | (JSC::SourceProviderCacheItem::create): | |
4986 | * runtime/CommonIdentifiers.cpp: | |
4987 | (JSC::CommonIdentifiers::isPrivateName): | |
4988 | * runtime/CommonIdentifiers.h: | |
4989 | * runtime/Identifier.h: | |
4990 | (JSC::Identifier::impl): | |
4991 | (JSC::Identifier::Identifier): | |
4992 | (JSC::parseIndex): | |
4993 | (JSC::IdentifierRepHash::hash): | |
4994 | * runtime/IdentifierInlines.h: | |
4995 | (JSC::Identifier::fromUid): | |
4996 | * runtime/IntendedStructureChain.cpp: | |
4997 | (JSC::IntendedStructureChain::mayInterceptStoreTo): | |
4998 | * runtime/IntendedStructureChain.h: | |
4999 | * runtime/JSGlobalObject.cpp: | |
5000 | (JSC::JSGlobalObject::init): | |
5001 | * runtime/Lookup.h: | |
5002 | (JSC::HashTable::entry): | |
5003 | * runtime/MapData.h: | |
5004 | * runtime/ObjectConstructor.cpp: | |
5005 | (JSC::objectConstructorGetOwnPropertySymbols): | |
5006 | * runtime/PrivateName.h: | |
5007 | (JSC::PrivateName::PrivateName): | |
5008 | (JSC::PrivateName::uid): | |
5009 | * runtime/PropertyMapHashTable.h: | |
5010 | * runtime/PropertyName.h: | |
5011 | (JSC::PropertyName::PropertyName): | |
5012 | (JSC::PropertyName::uid): | |
5013 | (JSC::PropertyName::publicName): | |
5014 | (JSC::parseIndex): | |
5015 | * runtime/PropertyNameArray.h: | |
5016 | (JSC::PropertyNameArray::addKnownUnique): | |
5017 | (JSC::PropertyNameArray::add): | |
5018 | * runtime/Structure.cpp: | |
5019 | (JSC::StructureTransitionTable::contains): | |
5020 | (JSC::StructureTransitionTable::get): | |
5021 | (JSC::StructureTransitionTable::add): | |
5022 | (JSC::Structure::addPropertyTransitionToExistingStructureImpl): | |
5023 | (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): | |
5024 | (JSC::Structure::getConcurrently): | |
5025 | (JSC::Structure::add): | |
5026 | (JSC::Structure::remove): | |
5027 | (JSC::Structure::toStructureShape): | |
5028 | * runtime/Structure.h: | |
5029 | (JSC::PropertyMapEntry::PropertyMapEntry): | |
5030 | * runtime/StructureInlines.h: | |
5031 | (JSC::Structure::getConcurrently): | |
5032 | * runtime/StructureTransitionTable.h: | |
5033 | (JSC::StructureTransitionTable::Hash::hash): | |
5034 | * runtime/Symbol.cpp: | |
5035 | (JSC::Symbol::Symbol): | |
5036 | * runtime/Symbol.h: | |
5037 | * runtime/SymbolConstructor.cpp: | |
5038 | (JSC::symbolConstructorFor): | |
5039 | (JSC::symbolConstructorKeyFor): | |
5040 | * runtime/SymbolTable.cpp: | |
5041 | (JSC::SymbolTable::uniqueIDForVariable): | |
5042 | (JSC::SymbolTable::globalTypeSetForVariable): | |
5043 | * runtime/SymbolTable.h: | |
5044 | * runtime/TypeSet.cpp: | |
5045 | (JSC::StructureShape::addProperty): | |
5046 | (JSC::StructureShape::propertyHash): | |
5047 | * runtime/TypeSet.h: | |
5048 | ||
5049 | 2015-05-21 Filip Pizlo <fpizlo@apple.com> | |
5050 | ||
5051 | Arguments elimination phase mishandles arity check failure in its reduction of LoadVarargs to GetStack/PutStacks | |
5052 | https://bugs.webkit.org/show_bug.cgi?id=145298 | |
5053 | ||
5054 | Reviewed by Geoffrey Garen. | |
5055 | ||
5056 | * dfg/DFGArgumentsEliminationPhase.cpp: Fix the bug. I restructured the loop to make it more obvious that we're initializing everything that we're supposed to initialize. | |
5057 | * dfg/DFGNode.h: Add a comment to clarify something I was confused about while writing this code. | |
5058 | * dfg/DFGPutStackSinkingPhase.cpp: Hacking on PutStacks made me think deep thoughts, and I added some FIXMEs. | |
5059 | * tests/stress/fold-load-varargs-arity-check-fail-barely.js: Added. This test crashes or fails before this patch. | |
5060 | * tests/stress/fold-load-varargs-arity-check-fail.js: Added. This is even more sure to crash or fail. | |
5061 | * tests/stress/simplify-varargs-mandatory-minimum-smaller-than-limit.js: Added. Not sure if we had coverage for this case before. | |
5062 | ||
5063 | 2015-05-22 Basile Clement <basile_clement@apple.com> | |
5064 | ||
5065 | Allow DFGClobberize to return non-node constants that must be later created | |
5066 | https://bugs.webkit.org/show_bug.cgi?id=145272 | |
5067 | ||
5068 | Reviewed by Filip Pizlo. | |
5069 | ||
5070 | This adds a new LazyNode class in DFG that represents either a Node*, | |
5071 | or a FrozenValue* with a way to convert it to a Node* provided a block | |
5072 | to insert it into. DFGClobberize is converted to use LazyNode instead | |
5073 | of Node* when def()'ing values, which now allows us to define the array's | |
5074 | length as well as the value of its various fields in NewArray and | |
5075 | NewArrayBuffer nodes. | |
5076 | ||
5077 | We also introduce a Vector<uint32_t> in DFG::Graph to collect all the | |
5078 | values that can be used as index, in order to avoid def()'ing too many | |
5079 | values at once for big NewArrayBuffers. | |
5080 | ||
5081 | HeapLocation had to be updated to use a LazyNode as its index to be | |
5082 | able to define array values. | |
5083 | ||
5084 | * CMakeLists.txt: | |
5085 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
5086 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
5087 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
5088 | * dfg/DFGCSEPhase.cpp: | |
5089 | * dfg/DFGClobberize.h: | |
5090 | (JSC::DFG::clobberize): | |
5091 | (JSC::DFG::DefMethodClobberize::operator()): | |
5092 | * dfg/DFGGraph.cpp: | |
5093 | (JSC::DFG::Graph::freezeFragile): | |
5094 | * dfg/DFGGraph.h: | |
5095 | * dfg/DFGHeapLocation.h: | |
5096 | (JSC::DFG::HeapLocation::HeapLocation): | |
5097 | (JSC::DFG::HeapLocation::index): | |
5098 | (JSC::DFG::HeapLocation::hash): | |
5099 | * dfg/DFGLazyNode.cpp: Added. | |
5100 | (JSC::DFG::LazyNode::dump): | |
5101 | * dfg/DFGLazyNode.h: Added. | |
5102 | (JSC::DFG::LazyNode::LazyNode): | |
5103 | (JSC::DFG::LazyNode::setNode): | |
5104 | (JSC::DFG::LazyNode::isHashTableDeletedValue): | |
5105 | (JSC::DFG::LazyNode::isNode): | |
5106 | (JSC::DFG::LazyNode::op): | |
5107 | (JSC::DFG::LazyNode::asNode): | |
5108 | (JSC::DFG::LazyNode::asValue): | |
5109 | (JSC::DFG::LazyNode::hash): | |
5110 | (JSC::DFG::LazyNode::operator==): | |
5111 | (JSC::DFG::LazyNode::operator!=): | |
5112 | (JSC::DFG::LazyNode::ensureIsNode): | |
5113 | (JSC::DFG::LazyNode::operator->): | |
5114 | (JSC::DFG::LazyNode::operator*): | |
5115 | (JSC::DFG::LazyNode::operator!): | |
5116 | (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): | |
5117 | (JSC::DFG::LazyNode::setFrozenValue): | |
5118 | * dfg/DFGPreciseLocalClobberize.h: | |
5119 | (JSC::DFG::PreciseLocalClobberizeAdaptor::def): | |
5120 | * dfg/DFGPutStackSinkingPhase.cpp: | |
5121 | ||
5122 | 2015-05-22 Andreas Kling <akling@apple.com> | |
5123 | ||
5124 | [JSC] Speed up new array construction in Array.prototype.splice(). | |
5125 | <https://webkit.org/b/145303> | |
5126 | ||
5127 | Reviewed by Benjamin Poulain. | |
5128 | ||
5129 | Give splice() a fast path just like slice(), for indexing types where the backing | |
5130 | store can be memcpy'd. I generalized JSArray::fastSlice() a little bit so it works | |
5131 | for this optimization as well. | |
5132 | ||
5133 | 7% progression on Kraken/stanford-crypto-pbkdf2. | |
5134 | ||
5135 | * runtime/JSArray.h: | |
5136 | * runtime/JSArray.cpp: | |
5137 | (JSC::JSArray::fastSlice): Tweak this to return JSArray*, and don't bother throwing | |
5138 | out-of-memory exceptions. Let the caller worry about that. | |
5139 | ||
5140 | * runtime/ArrayPrototype.cpp: | |
5141 | (JSC::arrayProtoFuncSlice): Update for fastSlice() changes. | |
5142 | (JSC::arrayProtoFuncSplice): If the object we're splicing out of is a bona fide | |
5143 | JSArray, use fastSlice() to create the returned array instead of doing a generic | |
5144 | get/put loop. | |
5145 | ||
5146 | 2015-05-21 Filip Pizlo <fpizlo@apple.com> | |
5147 | ||
5148 | CPS rethreading should really get rid of GetLocals | |
5149 | https://bugs.webkit.org/show_bug.cgi?id=145290 | |
5150 | ||
5151 | Reviewed by Benjamin Poulain. | |
5152 | ||
5153 | CPS rethreading is intended to get rid of redundant GetLocals. CSE can also do it, but | |
5154 | the idea is that you should be able to disable CSE and everything would still work. This | |
5155 | fixes a bug in CPS rethreading's GetLocal elimination: we should be calling replaceWith | |
5156 | rather than setReplacement, since setReplacement still leaves the original node. | |
5157 | ||
5158 | * dfg/DFGCPSRethreadingPhase.cpp: | |
5159 | (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): Fix the bug. | |
5160 | * dfg/DFGFixupPhase.cpp: | |
5161 | (JSC::DFG::FixupPhase::fixupNode): Eliminating GetLocals means that they turn into Check. We should handle Checks that have zero inputs. | |
5162 | * dfg/DFGValidate.cpp: | |
5163 | (JSC::DFG::Validate::validateCPS): Add a validation for what a GetLocal should look like in ThreadedCPS. | |
5164 | * tests/stress/get-local-elimination.js: Added. | |
5165 | (foo): | |
5166 | ||
5167 | 2015-05-21 Saam Barati <saambarati1@gmail.com> | |
5168 | ||
5169 | Object allocation sinking phase should explicitly create bottom values for CreateActivation sink candidates and CreateActivation should have SymbolTable as a child node | |
5170 | https://bugs.webkit.org/show_bug.cgi?id=145192 | |
5171 | ||
5172 | Reviewed by Filip Pizlo. | |
5173 | ||
5174 | When we sink CreateActivation and generate MaterializeCreateActivation | |
5175 | in the object allocation sinking phase, we now explicitly add PutHints for | |
5176 | all variables on the activation setting those variables to their default value | |
5177 | (undefined for Function activations and soon to be JS Empty Value for block scope activations). | |
5178 | This allows us to remove code that fills FTL fast activation allocations with Undefined. | |
5179 | ||
5180 | This patch also adds the constant SymbolTable as an OpInfo of CreateActivation and MaterializeCreateActivation | |
5181 | nodes. This is in preparation for ES6 block scoping which will introduce a new | |
5182 | op code that gets lowered to CreateActivation. | |
5183 | ||
5184 | * dfg/DFGByteCodeParser.cpp: | |
5185 | (JSC::DFG::ByteCodeParser::parseBlock): | |
5186 | * dfg/DFGClobberize.h: | |
5187 | (JSC::DFG::clobberize): | |
5188 | * dfg/DFGNode.h: | |
5189 | (JSC::DFG::Node::hasCellOperand): | |
5190 | (JSC::DFG::Node::cellOperand): | |
5191 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
5192 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
5193 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
5194 | (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): | |
5195 | (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): | |
5196 | * dfg/DFGPromotedHeapLocation.cpp: | |
5197 | (WTF::printInternal): | |
5198 | * dfg/DFGPromotedHeapLocation.h: | |
5199 | * dfg/DFGSpeculativeJIT.cpp: | |
5200 | (JSC::DFG::SpeculativeJIT::compileCreateActivation): | |
5201 | * ftl/FTLLowerDFGToLLVM.cpp: | |
5202 | (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): | |
5203 | (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): | |
5204 | * ftl/FTLOperations.cpp: | |
5205 | (JSC::FTL::operationMaterializeObjectInOSR): | |
5206 | * tests/stress/activation-sink-default-value.js: Added. | |
5207 | (bar): | |
5208 | * tests/stress/activation-sink-osrexit-default-value.js: Added. | |
5209 | (foo.set result): | |
5210 | ||
5211 | 2015-05-21 Per Arne Vollan <peavo@outlook.com> | |
5212 | ||
5213 | MSVC internal compiler error when compiling TemplateRegistryKey class. | |
5214 | https://bugs.webkit.org/show_bug.cgi?id=145259 | |
5215 | ||
5216 | Reviewed by Alex Christensen. | |
5217 | ||
5218 | MSVC is not able to handle the brace initialization of a class member in this case. | |
5219 | ||
5220 | * runtime/TemplateRegistryKey.h: | |
5221 | ||
5222 | 2015-05-21 Csaba Osztrogonác <ossy@webkit.org> | |
5223 | ||
5224 | Fix the !ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) build after r184337 | |
5225 | https://bugs.webkit.org/show_bug.cgi?id=145248 | |
5226 | ||
5227 | Reviewed by Yusuke Suzuki. | |
5228 | ||
5229 | * bytecompiler/BytecodeGenerator.cpp: | |
5230 | * bytecompiler/BytecodeGenerator.h: | |
5231 | * parser/Parser.cpp: | |
5232 | (JSC::Parser<LexerType>::parseMemberExpression): | |
5233 | ||
5234 | 2015-05-20 Joseph Pecoraro <pecoraro@apple.com> | |
5235 | ||
5236 | Web Inspector: array previews should have a much smaller cap on values | |
5237 | https://bugs.webkit.org/show_bug.cgi?id=145195 | |
5238 | ||
5239 | Reviewed by Timothy Hatcher. | |
5240 | ||
5241 | * inspector/InjectedScriptSource.js: | |
5242 | (InjectedScript.RemoteObject.prototype._generatePreview): | |
5243 | Reduce the indexes threshold for previews. | |
5244 | ||
5245 | 2015-05-20 Joseph Pecoraro <pecoraro@apple.com> | |
5246 | ||
5247 | Web Inspector: Use native Arguments detection instead of using toString | |
5248 | https://bugs.webkit.org/show_bug.cgi?id=145235 | |
5249 | ||
5250 | Reviewed by Timothy Hatcher. | |
5251 | ||
5252 | * inspector/InjectedScriptSource.js: | |
5253 | (InjectedScript.prototype._subtype): | |
5254 | Deleted the old string code. | |
5255 | ||
5256 | * inspector/JSInjectedScriptHost.cpp: | |
5257 | (Inspector::JSInjectedScriptHost::subtype): | |
5258 | Replaced with a stricter, more accurate check. | |
5259 | ||
5260 | 2015-05-20 Andreas Kling <akling@apple.com> | |
5261 | ||
5262 | Remove unused MarkedBlock::m_rememberedSet. | |
5263 | <https://webkit.org/b/145224> | |
5264 | ||
5265 | Reviewed by Mark Hahnenberg. | |
5266 | ||
5267 | The MarkedBlock had a copy of the remembered bit for each of its cells, | |
5268 | and we were maintaining that bitmap despite no one actually ever consulting it. | |
5269 | ||
5270 | This patch removes MarkedBlock::m_rememberedSet, freeing up 128 bytes in each | |
5271 | block and making write barriers a little faster. | |
5272 | ||
5273 | * heap/Heap.cpp: | |
5274 | (JSC::Heap::clearRememberedSet): | |
5275 | (JSC::Heap::addToRememberedSet): | |
5276 | * heap/HeapInlines.h: | |
5277 | (JSC::Heap::isRemembered): | |
5278 | * heap/MarkedBlock.cpp: | |
5279 | (JSC::MarkedBlock::clearRememberedSet): Deleted. | |
5280 | (JSC::MarkedBlock::clearMarksWithCollectionType): | |
5281 | * heap/MarkedBlock.h: | |
5282 | (JSC::MarkedBlock::setRemembered): Deleted. | |
5283 | (JSC::MarkedBlock::clearRemembered): Deleted. | |
5284 | (JSC::MarkedBlock::atomicClearRemembered): Deleted. | |
5285 | (JSC::MarkedBlock::isRemembered): Deleted. | |
5286 | * heap/MarkedSpace.h: | |
5287 | (JSC::ClearRememberedSet::operator()): Deleted. | |
5288 | (JSC::MarkedSpace::clearRememberedSet): Deleted. | |
5289 | ||
5290 | 2015-05-20 Andreas Kling <akling@apple.com> | |
5291 | ||
5292 | Eden collections should extend the IncrementalSweeper work list, not replace it. | |
5293 | <https://webkit.org/b/145213> | |
5294 | <rdar://problem/21002666> | |
5295 | ||
5296 | Reviewed by Geoffrey Garen. | |
5297 | ||
5298 | After an eden collection, the garbage collector was adding all MarkedBlocks containing | |
5299 | new objects to the IncrementalSweeper's work list, to make sure they didn't have to | |
5300 | wait until the next full collection before getting swept. | |
5301 | ||
5302 | Or at least, that's what it thought it was doing. It turns out that IncrementalSweeper's | |
5303 | internal work list is really just a reference to Heap::m_blockSnapshot. I didn't realize | |
5304 | this when writing the post-eden sweep code, and instead made eden collections cancel | |
5305 | all pending sweeps and *replace* them with the list of blocks with new objects. | |
5306 | ||
5307 | This made it so that rapidly occurring eden collections could prevent large numbers of | |
5308 | heap blocks from ever getting swept. This would manifest as accumulation of MarkedBlocks | |
5309 | when a system under heavy load was also allocating short lived objects at a high rate. | |
5310 | Things would eventually get cleaned up when there was a lull and a full collection was | |
5311 | allowed to run its heap sweep to completion. | |
5312 | ||
5313 | Fix this by moving all management of the block snapshot to Heap. snapshotMarkedSpace() | |
5314 | now handles eden collections by merging the list of blocks with new objects into the | |
5315 | existing block snapshot. | |
5316 | ||
5317 | * heap/Heap.cpp: | |
5318 | (JSC::Heap::snapshotMarkedSpace): | |
5319 | (JSC::Heap::notifyIncrementalSweeper): | |
5320 | * heap/IncrementalSweeper.cpp: | |
5321 | (JSC::IncrementalSweeper::startSweeping): | |
5322 | (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Deleted. | |
5323 | * heap/IncrementalSweeper.h: | |
5324 | ||
5325 | 2015-05-20 Youenn Fablet <youenn.fablet@crf.canon.fr> | |
5326 | ||
5327 | AudioContext resume/close/suspend should reject promises with a DOM exception in lieu of throwing exceptions | |
5328 | https://bugs.webkit.org/show_bug.cgi?id=145064 | |
5329 | ||
5330 | Reviewed by Darin Adler. | |
5331 | ||
5332 | Added default message for TypeError. | |
5333 | ||
5334 | * runtime/Error.cpp: | |
5335 | (JSC::throwTypeError): | |
5336 | * runtime/Error.h: | |
5337 | ||
5338 | 2015-05-20 Joseph Pecoraro <pecoraro@apple.com> | |
5339 | ||
5340 | No LLInt Test Failure: jsc-layout-tests.yaml/js/script-tests/object-literal-duplicate-properties.js.layout-no-llint | |
5341 | https://bugs.webkit.org/show_bug.cgi?id=145219 | |
5342 | ||
5343 | Reviewed by Mark Lam. | |
5344 | ||
5345 | * jit/JITOperations.cpp: | |
5346 | Throw the error we just got, instead of a stack overflow exception. | |
5347 | This matches other error handling for callers of prepareForExecution. | |
5348 | ||
5349 | 2015-05-19 Filip Pizlo <fpizlo@apple.com> | |
5350 | ||
5351 | Add some assertions about the CFG in the loop pre-header creation phase | |
5352 | https://bugs.webkit.org/show_bug.cgi?id=145205 | |
5353 | ||
5354 | Reviewed by Geoffrey Garen. | |
5355 | ||
5356 | * dfg/DFGByteCodeParser.cpp: | |
5357 | (JSC::DFG::ByteCodeParser::currentNodeOrigin): Add a FIXME. | |
5358 | * dfg/DFGLICMPhase.cpp: | |
5359 | (JSC::DFG::LICMPhase::run): Add a FIXME. | |
5360 | * dfg/DFGLoopPreHeaderCreationPhase.cpp: | |
5361 | (JSC::DFG::LoopPreHeaderCreationPhase::run): Add the assertions. | |
5362 | ||
5363 | 2015-05-20 Joseph Pecoraro <pecoraro@apple.com> | |
5364 | ||
5365 | ES6: Implement Object.setPrototypeOf | |
5366 | https://bugs.webkit.org/show_bug.cgi?id=145202 | |
5367 | ||
5368 | Reviewed by Darin Adler. | |
5369 | ||
5370 | * runtime/JSGlobalObjectFunctions.h: | |
5371 | * runtime/JSGlobalObjectFunctions.cpp: | |
5372 | (JSC::globalFuncProtoSetter): | |
5373 | (JSC::checkProtoSetterAccessAllowed): | |
5374 | Extract a helper to share this code between __proto__ setter and setPrototypeOf. | |
5375 | ||
5376 | * runtime/ObjectConstructor.cpp: | |
5377 | (JSC::objectConstructorSetPrototypeOf): | |
5378 | Implementation is very similar to __proto__ setter. | |
5379 | ||
5380 | 2015-05-20 Joseph Pecoraro <pecoraro@apple.com> | |
5381 | ||
5382 | ES6: Should not allow duplicate basic __proto__ properties in Object Literals | |
5383 | https://bugs.webkit.org/show_bug.cgi?id=145138 | |
5384 | ||
5385 | Reviewed by Darin Adler. | |
5386 | ||
5387 | Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__ | |
5388 | properties in object literals. This doesn't affect computed properties, | |
5389 | shorthand properties, or getters/setters all of which avoid setting | |
5390 | the actual prototype of the object anyway. | |
5391 | ||
5392 | * interpreter/Interpreter.cpp: | |
5393 | (JSC::eval): | |
5394 | Remove out of date comment. Duplicate property names are allowed | |
5395 | now in ES6, they were not in ES5 strict mode. | |
5396 | ||
5397 | * parser/ASTBuilder.h: | |
5398 | (JSC::ASTBuilder::getName): | |
5399 | (JSC::ASTBuilder::getType): | |
5400 | * parser/SyntaxChecker.h: | |
5401 | (JSC::SyntaxChecker::getName): | |
5402 | Add back getName to get the property name depending on the tree builder. | |
5403 | Also tighten up the parameter types. | |
5404 | ||
5405 | * runtime/LiteralParser.cpp: | |
5406 | (JSC::LiteralParser<CharType>::parse): | |
5407 | In quick JSON literal parsing for eval, we actually need to evaluate | |
5408 | the __proto__ property assignment, instead of just building up a list | |
5409 | of direct properties. Only do this when not doing a strict JSON parse. | |
5410 | ||
5411 | * parser/Nodes.h: | |
5412 | Add "Shorthand" to the list of PropertyNode types to allow it to | |
5413 | be distinguished without relying on other information. | |
5414 | ||
5415 | * parser/Parser.h: | |
5416 | * parser/Parser.cpp: | |
5417 | (JSC::Parser<LexerType>::parseProperty): | |
5418 | Add the Shorthand type when parsing a shorthand property. | |
5419 | ||
5420 | (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate): | |
5421 | (JSC::Parser<LexerType>::parseObjectLiteral): | |
5422 | (JSC::Parser<LexerType>::parseStrictObjectLiteral): | |
5423 | Check for duplicate __proto__ properties, and throw a SyntaxError | |
5424 | if that was the case. | |
5425 | ||
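The two entries above (Object.setPrototypeOf sharing its access check with the __proto__ setter, and Annex B.3.1 for __proto__ in object literals, including the LiteralParser having to evaluate the __proto__ assignment when eval takes the JSON fast path) describe behaviour that is easy to get wrong from the outside. The block below is an added example written for this page, not JSC's code or tests: it classifies which literal forms set [[Prototype]] and which only create an own "__proto__" property, shows the same JSON text going through JSON.parse versus eval, and, going one step beyond the entries, shows why a key copy from parsed input must define data properties rather than assign through the __proto__ setter. It only changes the prototype of a throwaway target, never Object.prototype. All helper names (classify, viaJsonParse, viaEval, naiveMerge, safeMerge, rejectsPrototypeChange, hasOwn) are this example's own.

```javascript
// Added example (not JSC code): which object-literal forms set [[Prototype]]
// under ES6 Annex B.3.1, how eval of a JSON-shaped literal differs from
// JSON.parse, and why copying keys from untrusted data must treat "__proto__"
// as plain data. All helper names are this example's own.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Evaluate `source` as an expression with both `p` and a variable named
// `__proto__` bound to the same marker object, then report what happened.
function classify(source) {
  const p = { marker: true };
  let obj;
  try {
    obj = new Function('p', '__proto__', 'return (' + source + ');')(p, p);
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : 'error:' + e.name;
  }
  const setsProto = Object.getPrototypeOf(obj) === p;
  const ownProp = hasOwn(obj, '__proto__');
  if (setsProto && ownProp) return 'sets-prototype+own-property';
  if (setsProto) return 'sets-prototype';
  if (ownProp) return 'own-property';
  return 'neither';
}

// Same JSON text, two parsers. JSON.parse uses CreateDataProperty, so
// "__proto__" becomes an own property; evaluating the text as a JS literal
// goes through the Annex B rule and sets the prototype instead.
function describe(obj) {
  return { ownProp: hasOwn(obj, '__proto__'), inherited: obj.fromProto === true };
}
function viaJsonParse(text) { return describe(JSON.parse(text)); }
function viaEval(text) { return describe((0, eval)('(' + text + ')')); } // indirect eval

// Naive key copy from parsed input: `target[key] = value` with key
// "__proto__" invokes the Object.prototype.__proto__ setter (the same path
// Object.setPrototypeOf takes), so the target's prototype changes.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) target[key] = source[key];
  return target;
}

// Safe variant: define data properties; inherited accessors are never run.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Object.setPrototypeOf and the __proto__ setter apply the same check:
// a non-extensible object rejects a prototype change with a TypeError.
function rejectsPrototypeChange(obj, proto, useSetter) {
  try {
    if (useSetter) obj.__proto__ = proto; else Object.setPrototypeOf(obj, proto);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Only the non-computed `__proto__: value` and `"__proto__": value` forms set the prototype, and writing either twice is the SyntaxError this change introduces; the computed, shorthand and accessor forms create an own property and may be repeated. The naive merge demonstrates the same setter path that checkProtoSetterAccessAllowed guards: a parsed "__proto__" key assigned with `=` re-parents the target, whereas defineProperty keeps it as data.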
5426 | 2015-05-20 Csaba Osztrogonác <ossy@webkit.org> | |
5427 | ||
5428 | [JSC] Add missing copyrights and licenses for some scripts | |
5429 | https://bugs.webkit.org/show_bug.cgi?id=145044 | |
5430 | ||
5431 | Reviewed by Darin Adler. | |
5432 | ||
5433 | * build-symbol-table-index.py: | |
5434 | * create-llvm-ir-from-source-file.py: | |
5435 | * create-symbol-table-index.py: | |
5436 | ||
5437 | 2015-05-20 Joseph Pecoraro <pecoraro@apple.com> | |
5438 | ||
5439 | Web Inspector: Slightly better node previews in arrays | |
5440 | https://bugs.webkit.org/show_bug.cgi?id=145188 | |
5441 | ||
5442 | Reviewed by Timothy Hatcher. | |
5443 | ||
5444 | * inspector/InjectedScriptSource.js: | |
5445 | (InjectedScript.prototype._nodeDescription): | |
5446 | (InjectedScript.prototype._nodePreview): | |
5447 | Different stringified representations for a basic object description or in a preview. | |
5448 | ||
5449 | (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): | |
5450 | Use the node preview string representation inside previews. | |
5451 | ||
5452 | 2015-05-19 Commit Queue <commit-queue@webkit.org> | |
5453 | ||
5454 | Unreviewed, rolling out r184613 and r184614. | |
5455 | https://bugs.webkit.org/show_bug.cgi?id=145206 | |
5456 | ||
5457 | Broke 10 tests :| (Requested by kling on #webkit). | |
5458 | ||
5459 | Reverted changesets: | |
5460 | ||
5461 | "[JSC] Speed up URL encode/decode by using bitmaps instead of | |
5462 | strchr()." | |
5463 | https://bugs.webkit.org/show_bug.cgi?id=145115 | |
5464 | http://trac.webkit.org/changeset/184613 | |
5465 | ||
5466 | "[JSC] Speed up URL encode/decode by using bitmaps instead of | |
5467 | strchr()." | |
5468 | https://bugs.webkit.org/show_bug.cgi?id=145115 | |
5469 | http://trac.webkit.org/changeset/184614 | |
5470 | ||
5471 | 2015-05-19 Andreas Kling <akling@apple.com> | |
5472 | ||
5473 | Give StringView a utf8() API. | |
5474 | <https://webkit.org/b/145201> | |
5475 | ||
5476 | Reviewed by Anders Carlsson. | |
5477 | ||
5478 | Use JSString::view() in a few places where we couldn't before due to StringView | |
5479 | lacking a utf8() API. This is a minor speed-up on Kraken's crypto subtests, | |
5480 | which like to call encode() with substring JSStrings. | |
5481 | ||
5482 | * jsc.cpp: | |
5483 | (functionPrint): | |
5484 | (functionDebug): | |
5485 | * runtime/JSGlobalObjectFunctions.cpp: | |
5486 | (JSC::encode): | |
5487 | ||
5488 | 2015-05-19 Andreas Kling <akling@apple.com> | |
5489 | ||
5490 | [JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). | |
5491 | <https://webkit.org/b/145115> | |
5492 | ||
5493 | Incorporate review feedback from Darin, removing some unnecessary zero checks. | |
5494 | ||
5495 | * runtime/JSGlobalObjectFunctions.cpp: | |
5496 | (JSC::encode): | |
5497 | (JSC::decode): | |
5498 | (JSC::globalFuncEscape): | |
5499 | ||
5500 | 2015-05-19 Yusuke Suzuki <utatane.tea@gmail.com> | |
5501 | ||
5502 | Move AtomicStringImpl table related operations from AtomicString to AtomicStringImpl | |
5503 | https://bugs.webkit.org/show_bug.cgi?id=145109 | |
5504 | ||
5505 | Reviewed by Darin Adler. | |
5506 | ||
5507 | * bytecode/CodeBlock.cpp: | |
5508 | (JSC::CodeBlock::nameForRegister): | |
5509 | * runtime/Identifier.cpp: | |
5510 | (JSC::Identifier::add): | |
5511 | (JSC::Identifier::add8): | |
5512 | * runtime/Identifier.h: | |
5513 | (JSC::Identifier::add): | |
5514 | * runtime/IdentifierInlines.h: | |
5515 | (JSC::Identifier::Identifier): | |
5516 | (JSC::Identifier::add): | |
5517 | * runtime/JSString.cpp: | |
5518 | (JSC::JSRopeString::resolveRopeToExistingAtomicString): | |
5519 | * runtime/JSString.h: | |
5520 | (JSC::JSString::toExistingAtomicString): | |
5521 | * runtime/SmallStrings.cpp: | |
5522 | (JSC::SmallStringsStorage::SmallStringsStorage): | |
5523 | * runtime/TypeSet.cpp: | |
5524 | (JSC::StructureShape::propertyHash): | |
5525 | ||
5526 | 2015-05-19 Joseph Pecoraro <pecoraro@apple.com> | |
5527 | ||
5528 | Web Inspector: Improve Preview for NodeList / array like collections | |
5529 | https://bugs.webkit.org/show_bug.cgi?id=145177 | |
5530 | ||
5531 | Reviewed by Timothy Hatcher. | |
5532 | ||
5533 | * inspector/InjectedScriptSource.js: | |
5534 | (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): | |
5535 | For "array" like object previews skip over non-index properties. | |
5536 | We are not marking the object as lossless by choice, but we | |
5537 | may return to this decision later. | |
5538 | ||
5539 | 2015-05-19 Michael Saboff <msaboff@apple.com> | |
5540 | ||
5541 | REGRESSION(183787): JIT is enabled for all builds | |
5542 | https://bugs.webkit.org/show_bug.cgi?id=145179 | |
5543 | ||
5544 | Reviewed by Geoffrey Garen. | |
5545 | ||
5546 | Eliminated the setting of ENABLE_JIT, as wtf/Platform.h has appropriate logic to | |
5547 | set it depending on OS and CPU type. | |
5548 | ||
5549 | * Configurations/FeatureDefines.xcconfig: | |
5550 | ||
5551 | 2015-05-19 Youenn Fablet <youenn.fablet@crf.canon.fr> | |
5552 | ||
5553 | Rename createIterResultObject as createIteratorResultObject | |
5554 | https://bugs.webkit.org/show_bug.cgi?id=145116 | |
5555 | ||
5556 | Reviewed by Darin Adler. | |
5557 | ||
5558 | Renamed createIterResultObject as createIteratorResultObject. | |
5559 | Made this function exportable for future use by streams API. | |
5560 | ||
5561 | * runtime/IteratorOperations.cpp: | |
5562 | (JSC::createIteratorResultObject): | |
5563 | * runtime/IteratorOperations.h: | |
5564 | * runtime/MapIteratorPrototype.cpp: | |
5565 | (JSC::MapIteratorPrototypeFuncNext): | |
5566 | * runtime/SetIteratorPrototype.cpp: | |
5567 | (JSC::SetIteratorPrototypeFuncNext): | |
5568 | ||
5569 | 2015-05-19 Yusuke Suzuki <utatane.tea@gmail.com> | |
5570 | ||
5571 | Array.prototype methods must use ToLength | |
5572 | https://bugs.webkit.org/show_bug.cgi?id=144128 | |
5573 | ||
5574 | Reviewed by Oliver Hunt. | |
5575 | ||
5576 | Patch by Jordan Harband <ljharb@gmail.com> and Yusuke Suzuki <utatane.tea@gmail.com> | |
5577 | ||
5578 | Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength | |
5579 | ||
5580 | This patch introduces JS implementations of ToLength and ToInteger to encourage DFG/FTL inlining. | |
5581 | These implementations are located in GlobalObject.js. | |
5582 | They are set on the JSGlobalObject manually with the private symbols @ToLength and @ToInteger. | |
5583 | ||
5584 | * builtins/Array.prototype.js: | |
5585 | (every): | |
5586 | (forEach): | |
5587 | (filter): | |
5588 | (map): | |
5589 | (some): | |
5590 | (fill): | |
5591 | (find): | |
5592 | (findIndex): | |
5593 | (includes): | |
5594 | * builtins/ArrayConstructor.js: | |
5595 | (from): | |
5596 | * builtins/GlobalObject.js: Copied from Source/JavaScriptCore/builtins/StringConstructor.js. | |
5597 | (ToInteger): | |
5598 | (ToLength): | |
5599 | * builtins/StringConstructor.js: | |
5600 | (raw): | |
5601 | * runtime/JSGlobalObject.cpp: | |
5602 | (JSC::JSGlobalObject::init): | |
5603 | * runtime/JSGlobalObjectFunctions.h: | |
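
The following is an added example written for this page, not JavaScriptCore's builtins/GlobalObject.js: a C++ model of the ES6 ToInteger and ToLength abstract operations that the Array.prototype builtins in the entry above switch to, plus a loop bound that shows why clamping matters when an array-like object supplies a hostile "length". It assumes the caller has already applied ToNumber, so inputs are doubles rather than arbitrary JS values; the ArrayLike struct is a stand-in constructed for the example.

```cpp
// Added example (not JSC code): ES6 ToInteger / ToLength modelled in C++.
// Assumption: ToNumber has already been applied, so we start from a double.
#include <cmath>
#include <cstdint>
#include <limits>

// ES6 7.1.4 ToInteger: NaN -> +0, +-Infinity pass through, anything else is
// truncated toward zero (std::trunc(-0.5) is -0, as the spec requires).
inline double toInteger(double number)
{
    if (std::isnan(number))
        return 0.0;
    if (std::isinf(number))
        return number;
    return std::trunc(number);
}

// Largest length ES6 allows: 2^53 - 1.
const uint64_t kMaxSafeLength = (uint64_t(1) << 53) - 1;

// ES6 7.1.15 ToLength: clamp ToInteger(number) into [0, 2^53 - 1]. Returning
// an unsigned integer makes the "never negative, never unbounded" guarantee
// visible to C++ callers that use the result as a loop bound.
inline uint64_t toLength(double number)
{
    double len = toInteger(number);
    if (len <= 0.0)
        return 0;                 // NaN (now +0), negatives and -0 all clamp to 0
    if (len >= static_cast<double>(kMaxSafeLength))
        return kMaxSafeLength;    // +Infinity and anything >= 2^53 - 1
    return static_cast<uint64_t>(len);
}

// Stand-in for an array-like object (constructed for this example): the raw
// "length" property value and how many index properties actually exist.
struct ArrayLike {
    double length;
    uint64_t indexedProperties;
};

// How many indices a ToLength-bounded builtin such as forEach visits. Without
// ToLength, length = -1 cast to an unsigned bound means ~2^64 iterations and
// length = Infinity never terminates. A real builtin iterates all the way to
// len and skips holes via HasProperty; this model stops at the last real
// property as a shortcut, which is why the 2^53 - 1 cap still matters.
uint64_t countVisited(const ArrayLike& arrayLike)
{
    uint64_t len = toLength(arrayLike.length);
    uint64_t visited = 0;
    for (uint64_t i = 0; i < len && i < arrayLike.indexedProperties; ++i)
        ++visited;
    return visited;
}
```

The two clamps are the security-relevant part: a negative or NaN length becomes 0, and Infinity or anything at or above 2^53 - 1 becomes the spec maximum, so no builtin ever derives a loop bound from an unchecked user-controlled number.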
5604 | ||
5605 | 2015-05-19 Mark Lam <mark.lam@apple.com> | |
5606 | ||
5607 | Fix the build of a universal binary with ARMv7k of JavaScriptCore. | |
5608 | https://bugs.webkit.org/show_bug.cgi?id=145143 | |
5609 | ||
5610 | Reviewed by Geoffrey Garen. | |
5611 | ||
5612 | The offlineasm works in 3 phases: | |
5613 | ||
5614 | Phase 1: | |
5615 | Parse the llint asm files for config options and desired offsets. | |
5616 | Let's say the offlineasm discovers C unique options and O unique offsets. | |
5617 | The offlineasm will then generate a LLIntDesiredOffsets.h file with | |
5618 | C x C build configurations, each with a set of O offsets. | |
5619 | ||
5620 | Each of these build configurations is given a unique configuration index number. | |
5621 | ||
5622 | Phase 2: | |
5623 | Compile the LLIntDesiredOffsets.h file into a JSCLLIntOffsetsExtractor binary. | |
5624 | ||
5625 | If we're building a fat binary with 2 configurations: armv7, and armv7k, | |
5626 | then the fat binary will contain 2 blobs of offsets, one for each of these | |
5627 | build configurations. | |
5628 | ||
5629 | Phase 3: | |
5630 | Parse the llint asm files and emit asm code using the offsets that are | |
5631 | extracted from the JSCLLIntOffsetsExtractor binary for the corresponding | |
5632 | configuration index number. | |
5633 | ||
5634 | In the pre-existing code, there are no "if ARMv7k" statements in the llint asm | |
5635 | source. As a result, OFFLINE_ASM_ARMv7k is not one of the config options in | |
5636 | the set of C unique options. | |
5637 | ||
5638 | For armv7k builds, OFFLINE_ASM_ARMv7 is also true. As a result, for an armv7k | |
5639 | target, we will end up building armv7 source. In general, this is fine except: | |
5640 | ||
5641 | 1. armv7k has different alignment requirements from armv7. Hence, their offset | |
5642 | values (in JSCLLIntOffsetsExtractor) will be different. | |
5643 | ||
5644 | 2. The offlineasm was never told that it needed to make a different configuration | |
5645 | for armv7k builds. Hence, the armv7k build of LLIntDesiredOffsets.h will | |
5646 | build the armv7 configuration, and consequently, the armv7k blob of offsets in | |
5647 | JSCLLIntOffsetsExtractor will have the same configuration index number as | |
5648 | the armv7 blob of offsets. | |
5649 | ||
5650 | In phase 3, when the offlineasm parses the JSCLLIntOffsetsExtractor fat binary | |
5651 | looking for the armv7 build's configuration index number, it discovers the | |
5652 | armv7k blob which has the same configuration number. As a result, it | |
5653 | erroneously thinks the armv7k offsets are appropriate for emitting armv7 code. | |
5654 | Needless to say, armv7 code using armv7k offsets will lead to incorrect behavior | |
5655 | and all round badness. | |
5656 | ||
5657 | The fix is to add a simple "if ARMv7k" statement to the llint asm files. While | |
5658 | the if statement has no body, it does make the offlineasm aware of the need for | |
5659 | ARMv7k as a configuration option. As a result, it will generate an armv7k | |
5660 | variant configuration in the LLIntDesiredOffsets.h file with its own unique | |
5661 | configuration index number. With that, the JSCLLIntOffsetsExtractor fat binary | |
5662 | will no longer have duplicate configuration index numbers for the armv7 and | |
5663 | armv7k blobs of offsets, and the issue is resolved. | |
5664 | ||
5665 | * llint/LLIntOfflineAsmConfig.h: | |
5666 | * llint/LowLevelInterpreter.asm: | |
5667 | ||
5668 | 2015-05-19 Andreas Kling <akling@apple.com> | |
5669 | ||
5670 | Give JSString a StringView getter and start using it. | |
5671 | <https://webkit.org/b/145131> | |
5672 | ||
5673 | Reviewed by Anders Carlsson. | |
5674 | ||
5675 | When JSString is a substring internally, calling value(ExecState*) on it | |
5676 | will reify the baseString/start/length tuple into a new StringImpl. | |
5677 | ||
5678 | For clients that only want to look at the characters of a JSString, but | |
5679 | don't actually need a reffable StringImpl, adding a light-weight StringView | |
5680 | getter lets them avoid constructing anything. | |
5681 | ||
5682 | This patch adds JSString::view(ExecState*) and uses it in a few places. | |
5683 | There are many more opportunities to use this API, but let's do a few things | |
5684 | at a time. | |
5685 | ||
5686 | * runtime/FunctionConstructor.cpp: | |
5687 | (JSC::constructFunctionSkippingEvalEnabledCheck): | |
5688 | * runtime/JSGlobalObjectFunctions.cpp: | |
5689 | (JSC::decode): | |
5690 | (JSC::parseInt): | |
5691 | (JSC::jsToNumber): | |
5692 | (JSC::parseFloat): | |
5693 | (JSC::globalFuncParseInt): | |
5694 | (JSC::globalFuncParseFloat): | |
5695 | (JSC::globalFuncEscape): | |
5696 | (JSC::globalFuncUnescape): | |
5697 | * runtime/JSGlobalObjectFunctions.h: | |
5698 | * runtime/JSONObject.cpp: | |
5699 | (JSC::JSONProtoFuncParse): | |
5700 | * runtime/JSString.cpp: | |
5701 | (JSC::JSString::getPrimitiveNumber): | |
5702 | (JSC::JSString::toNumber): | |
5703 | * runtime/JSString.h: | |
5704 | (JSC::JSRopeString::view): | |
5705 | (JSC::JSString::view): | |
5706 | ||
5707 | 2015-05-18 Filip Pizlo <fpizlo@apple.com> | |
5708 | ||
5709 | Better optimize 'if' with ternaries conditional tests. | |
5710 | https://bugs.webkit.org/show_bug.cgi?id=144136 | |
5711 | ||
5712 | Reviewed by Benjamin Poulain. | |
5713 | ||
5714 | This is the last fix I'll do for this for now. BooleanToNumber(Untyped:) where the input | |
5715 | is proved to be either BoolInt32 or Boolean should be optimized to just masking the | |
5716 | lowest bit. | |
5717 | ||
5718 | This is another 37% speed-up on JSRegress/slow-ternaries. | |
5719 | ||
5720 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
5721 | (JSC::DFG::SpeculativeJIT::compile): | |
5722 | * dfg/DFGSpeculativeJIT64.cpp: | |
5723 | (JSC::DFG::SpeculativeJIT::compile): | |
5724 | * ftl/FTLLowerDFGToLLVM.cpp: | |
5725 | (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): | |
5726 | ||
5727 | 2015-05-18 Benjamin Poulain <bpoulain@apple.com> | |
5728 | ||
5729 | <rdar://problem/21003555> clobberize() is wrong for ArithRound because it doesn't account for the arith mode | |
5730 | https://bugs.webkit.org/show_bug.cgi?id=145147 | |
5731 | ||
5732 | Reviewed by Filip Pizlo. | |
5733 | ||
5734 | Really stupid bug: ArithRound nodes with different rounding modes | |
5735 | were not distinguished and CSE would happily unify with a node of | |
5736 | a different rounding mode. | |
5737 | ||
5738 | DFG::clobberize() already supports additional data but I was not using it. | |
5739 | ||
5740 | * dfg/DFGClobberize.h: | |
5741 | (JSC::DFG::clobberize): | |
5742 | * tests/stress/math-round-arith-rounding-mode.js: Added. | |
5743 | (firstCareAboutZeroSecondDoesNot): | |
5744 | (firstDoNotCareAboutZeroSecondDoes): | |
5745 | (warmup): | |
5746 | (verifyNegativeZeroIsPreserved): | |
5747 | ||
5748 | 2015-05-18 Filip Pizlo <fpizlo@apple.com> | |
5749 | ||
5750 | Add SpecBoolInt32 type that means "I'm an int and I'm either 0 or 1" | |
5751 | https://bugs.webkit.org/show_bug.cgi?id=145137 | |
5752 | ||
5753 | Reviewed by Benjamin Poulain. | |
5754 | ||
5755 | It's super useful to know if an integer value could be either zero or one. We have an | |
5756 | immediate need for this because of Int32|Boolean uses, where knowing that the Int32 is | |
5757 | either 0 or 1 means that there is no actual polymorphism if you just look at the low bit | |
5758 | (1 behaves like true, 0 behaves like false, and the low bit of 1|true is 1, and the low | |
5759 | bit of 0|false is 0). | |
5760 | ||
5761 | We do this by splitting the SpecInt32 type into SpecBoolInt32 and SpecNonBoolInt32. This | |
5762 | change doesn't have any effect on behavior, yet. But it does give us the ability to | |
5763 | predict and prove when values are SpecBoolInt32; it's just we don't leverage this yet. | |
5764 | ||
5765 | This is perf-neutral. | |
5766 | ||
5767 | * bytecode/SpeculatedType.cpp: | |
5768 | (JSC::dumpSpeculation): | |
5769 | (JSC::speculationToAbbreviatedString): | |
5770 | (JSC::speculationFromValue): | |
5771 | * bytecode/SpeculatedType.h: | |
5772 | (JSC::isStringOrStringObjectSpeculation): | |
5773 | (JSC::isBoolInt32Speculation): | |
5774 | (JSC::isInt32Speculation): | |
5775 | (JSC::isInt32OrBooleanSpeculation): | |
5776 | * dfg/DFGAbstractInterpreterInlines.h: | |
5777 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
5778 | ||
5779 | 2015-05-18 Michael Catanzaro <mcatanzaro@igalia.com> | |
5780 | ||
5781 | [CMake] Ignore warnings in system headers | |
5782 | https://bugs.webkit.org/show_bug.cgi?id=144747 | |
5783 | ||
5784 | Reviewed by Darin Adler. | |
5785 | ||
5786 | Separate include directories into WebKit project includes and system includes. Suppress all | |
5787 | warnings from headers in system include directories using the SYSTEM argument to | |
5788 | the include_directories command. | |
5789 | ||
5790 | * CMakeLists.txt: | |
5791 | * PlatformGTK.cmake: | |
5792 | ||
5793 | 2015-05-18 Skachkov Alexandr <gskachkov@gmail.com> | |
5794 | ||
5795 | [ES6] Arrow function syntax. Feature flag for arrow function | |
5796 | https://bugs.webkit.org/show_bug.cgi?id=145108 | |
5797 | ||
5798 | Reviewed by Ryosuke Niwa. | |
5799 | ||
5800 | Added feature flag ENABLE_ES6_ARROWFUNCTION_SYNTAX for arrow function | |
5801 | ||
5802 | * Configurations/FeatureDefines.xcconfig: | |
5803 | ||
5804 | 2015-05-18 Benjamin Poulain <benjamin@webkit.org> | |
5805 | ||
5806 | [JSC] When entering a CheckTierUp without OSREntry, force the CheckTierUp for the outer loops with OSR Entry | |
5807 | https://bugs.webkit.org/show_bug.cgi?id=145092 | |
5808 | ||
5809 | Reviewed by Filip Pizlo. | |
5810 | ||
5811 | When we have a hot loop without OSR Entry inside a slower loop that supports OSR Entry, | |
5812 | we get the inside loop driving the tierUpCounter and we have very little chance of | |
5813 | doing a CheckTierUp on the outer loop. In turn, this gives almost no opportunity to tier | |
5814 | up in the outer loop and OSR Enter there. | |
5815 | ||
5816 | This patch changes CheckTierUp to force its outer loops to do a CheckTierUp themselves. | |
5817 | ||
5818 | To do that, CheckTierUp sets a flag "nestedTriggerIsSet" to force the outer loops to | |
5819 | enter their CheckTierUp regardless of the tier-up counter. | |
5820 | ||
5821 | * bytecode/ExecutionCounter.cpp: | |
5822 | (JSC::ExecutionCounter<countingVariant>::setThreshold): | |
5823 | This is somewhat unrelated. This assertion is incorrect because it relies on | |
5824 | m_counter, which changes on another thread. | |
5825 | ||
5826 | I have hit it a couple of times with this patch because we are a bit more aggressive | |
5827 | on CheckTierUp. What happens is: | |
5828 | 1) ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet() first checks | |
5829 | hasCrossedThreshold(), and it is false. | |
5830 | 2) On the main thread, the hot loop keeps running and the counter becomes large | |
5831 | enough to cross the threshold. | |
5832 | 3) ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet() runs the next | |
5833 | test, setThreshold(), where the assertion is. Since the counter is now large enough, | |
5834 | the assertion fails. | |
5835 | ||
5836 | * dfg/DFGAbstractInterpreterInlines.h: | |
5837 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
5838 | * dfg/DFGClobberize.h: | |
5839 | (JSC::DFG::clobberize): | |
5840 | * dfg/DFGDoesGC.cpp: | |
5841 | (JSC::DFG::doesGC): | |
5842 | * dfg/DFGFixupPhase.cpp: | |
5843 | (JSC::DFG::FixupPhase::fixupNode): | |
5844 | ||
5845 | * dfg/DFGJITCode.h: | |
5846 | I used a uint8_t instead of a boolean to make the code generation clearer | |
5847 | in DFGSpeculativeJIT64. | |
5848 | ||
5849 | * dfg/DFGNodeType.h: | |
5850 | * dfg/DFGOperations.cpp: | |
5851 | * dfg/DFGOperations.h: | |
5852 | ||
5853 | * dfg/DFGPredictionPropagationPhase.cpp: | |
5854 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
5855 | This is a bit annoying: we have the NaturalLoops analysis that provides us | |
5856 | everything we need to know about loops, but the TierUpChecks are conservative | |
5857 | and set on LoopHint. | |
5858 | ||
5859 | To make the two work together, we first find all the CheckTierUp that cannot | |
5860 | OSR enter and we keep a list of all the natural loops containing them. | |
5861 | ||
5862 | Then we do a second pass over the LoopHints, get their NaturalLoop, and check | |
5863 | if it contains a loop that cannot OSR enter. | |
5864 | ||
5865 | * dfg/DFGSafeToExecute.h: | |
5866 | (JSC::DFG::safeToExecute): | |
5867 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
5868 | (JSC::DFG::SpeculativeJIT::compile): | |
5869 | * dfg/DFGSpeculativeJIT64.cpp: | |
5870 | (JSC::DFG::SpeculativeJIT::compile): | |
5871 | * dfg/DFGTierUpCheckInjectionPhase.cpp: | |
5872 | (JSC::DFG::TierUpCheckInjectionPhase::run): | |
5873 | (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint): | |
5874 | ||
5875 | 2015-05-18 Filip Pizlo <fpizlo@apple.com> | |
5876 | ||
5877 | Add a Int-or-Boolean speculation to Branch | |
5878 | https://bugs.webkit.org/show_bug.cgi?id=145134 | |
5879 | ||
5880 | Reviewed by Benjamin Poulain. | |
5881 | ||
5882 | After https://bugs.webkit.org/show_bug.cgi?id=126778 we no longer have a reason not to do the | |
5883 | int-or-boolean optimization that we already do everywhere else. | |
5884 | ||
5885 | * dfg/DFGFixupPhase.cpp: | |
5886 | (JSC::DFG::FixupPhase::fixupNode): | |
5887 | ||
5888 | 2015-05-18 Andreas Kling <akling@apple.com> | |
5889 | ||
5890 | [JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). | |
5891 | <https://webkit.org/b/145115> | |
5892 | ||
5893 | Reviewed by Anders Carlsson. | |
5894 | ||
5895 | We were calling strchr() for every character when doing URL encoding/decoding and it stood out | |
5896 | like a sore O(n) thumb in Instruments. Optimize this by using a Bitmap<256> instead. | |
5897 | ||
5898 | 5.5% progression on Kraken/stanford-crypto-sha256-iterative. | |
5899 | ||
5900 | * runtime/JSGlobalObjectFunctions.cpp: | |
5901 | (JSC::makeCharacterBitmap): | |
5902 | (JSC::encode): | |
5903 | (JSC::decode): | |
5904 | (JSC::globalFuncDecodeURI): | |
5905 | (JSC::globalFuncDecodeURIComponent): | |
5906 | (JSC::globalFuncEncodeURI): | |
5907 | (JSC::globalFuncEncodeURIComponent): | |
5908 | (JSC::globalFuncEscape): | |
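
The following is an added example written for this page, not the code of runtime/JSGlobalObjectFunctions.cpp: it shows the technique from the entry above (and the "removing some unnecessary zero checks" follow-up earlier on this page) by building a 256-entry "do not escape" bitmap once and testing it per character, next to the strchr() check it replaces. The unescaped character set is the one ECMAScript specifies for encodeURIComponent; whether JSC builds its table from exactly this string is an assumption, and the function names are the example's own.

```cpp
// Added example (not JSC code): bitmap-based "do not escape" lookup for URL
// encoding, compared with the strchr() lookup it replaces.
#include <bitset>
#include <cstring>
#include <string>

using CharacterBitmap = std::bitset<256>;

// Set one bit per byte of a NUL-terminated character list.
CharacterBitmap makeCharacterBitmap(const char* characters)
{
    CharacterBitmap bitmap;
    for (const char* p = characters; *p; ++p)
        bitmap.set(static_cast<unsigned char>(*p));
    return bitmap;
}

// The set encodeURIComponent leaves unescaped (assumption: JSC's table is
// built from the same set, but that is not shown on this page).
static const char* const kDoNotEscapeURIComponent =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()";

// The strchr() version, written without a zero check to make the trap
// visible: strchr(set, '\0') returns a pointer to the terminator, so a NUL
// byte in the input is reported as "safe" and would be copied through
// unescaped. That is why strchr-based code needs an explicit zero check.
bool isSafeViaStrchr(unsigned char c)
{
    return std::strchr(kDoNotEscapeURIComponent, c) != nullptr;
}

// The bitmap version: O(1), and bit 0 is simply never set.
bool isSafeViaBitmap(const CharacterBitmap& doNotEscape, unsigned char c)
{
    return doNotEscape.test(c);
}

// Percent-encode every byte of `input` (assumed to be UTF-8 already) that is
// not in doNotEscape.
std::string encode(const std::string& input, const CharacterBitmap& doNotEscape)
{
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    out.reserve(input.size());
    for (unsigned char c : input) {
        if (doNotEscape.test(c)) {
            out.push_back(static_cast<char>(c));
            continue;
        }
        out.push_back('%');
        out.push_back(hex[c >> 4]);
        out.push_back(hex[c & 0xF]);
    }
    return out;
}

// encodeURIComponent-style wrapper: the bitmap is built once, not per call.
std::string encodeURIComponentLike(const std::string& input)
{
    static const CharacterBitmap doNotEscape = makeCharacterBitmap(kDoNotEscapeURIComponent);
    return encode(input, doNotEscape);
}
```

Besides the per-character cost, the bitmap removes a correctness hazard: with strchr() an embedded NUL matches the string terminator, so a caller that forgets the zero check emits the raw byte instead of "%00".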
5909 | ||
5910 | 2015-05-17 Benjamin Poulain <benjamin@webkit.org> | |
5911 | ||
5912 | Do not use fastMallocGoodSize anywhere | |
5913 | https://bugs.webkit.org/show_bug.cgi?id=145103 | |
5914 | ||
5915 | Reviewed by Michael Saboff. | |
5916 | ||
5917 | * assembler/AssemblerBuffer.h: | |
5918 | (JSC::AssemblerData::AssemblerData): | |
5919 | (JSC::AssemblerData::grow): | |
5920 | ||
5921 | 2015-05-17 Benjamin Poulain <benjamin@webkit.org> | |
5922 | ||
5923 | [JSC] Make StringRecursionChecker faster in the simple cases without any recursion | |
5924 | https://bugs.webkit.org/show_bug.cgi?id=145102 | |
5925 | ||
5926 | Reviewed by Darin Adler. | |
5927 | ||
5928 | In general, the arrays targeted by Array.toString() or Array.join() are pretty | |
5929 | simple. In those simple cases, we spend as much time in StringRecursionChecker | |
5930 | as we do on the actual operation. | |
5931 | ||
5932 | The reason for this is the HashSet stringRecursionCheckVisitedObjects used | |
5933 | to detect recursion. We are constantly adding and removing objects, which | |
5934 | dirties buckets and forces constant rehashing. | |
5935 | ||
5936 | This patch adds a simple shortcut for those simple cases: in addition to the HashSet, | |
5937 | we keep a pointer to the root object of the recursion. | |
5938 | In the vast majority of cases, we no longer touch the HashSet at all. | |
5939 | ||
5940 | This patch is a 12% progression on the overall score of ArrayWeighted. | |
5941 | ||
5942 | * runtime/StringRecursionChecker.h: | |
5943 | (JSC::StringRecursionChecker::performCheck): | |
5944 | (JSC::StringRecursionChecker::~StringRecursionChecker): | |
5945 | * runtime/VM.h: | |
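
The following is an added example written for this page, not JSC's runtime/StringRecursionChecker.h: a recursion guard for a toy Array.prototype.join that keeps a root-object pointer as the fast path and only touches the hash set when joins actually nest, which is the shortcut the entry above describes. The value layout, the VMState struct, the hashSetTouches counter and the rule that a repeated object contributes an empty string (what JS engines produce for `[1, self].join()`) are assumptions of this illustration.

```cpp
// Added example (not JSC code): root-pointer fast path in front of the
// HashSet used to detect recursion in join()/toString().
#include <initializer_list>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

struct Value;
using ValuePtr = std::shared_ptr<Value>;

// A value is either a string leaf or an array of values.
struct Value {
    bool isArray = false;
    std::string str;
    std::vector<ValuePtr> elements;
};

// Per-VM state as the entry describes it: the set plus a root pointer.
struct VMState {
    std::unordered_set<const Value*> stringRecursionCheckVisitedObjects;
    const Value* stringRecursionCheckFirstObject = nullptr;
    unsigned hashSetTouches = 0;   // instrumentation for this example only
};

class StringRecursionChecker {
public:
    StringRecursionChecker(VMState& vm, const Value* object)
        : m_vm(vm), m_object(object)
    {
        if (!m_vm.stringRecursionCheckFirstObject) {
            m_vm.stringRecursionCheckFirstObject = object;   // fast path: remember the root
            return;
        }
        if (m_vm.stringRecursionCheckFirstObject == object) {
            m_recursive = true;                              // root seen again: a cycle
            return;
        }
        ++m_vm.hashSetTouches;                               // genuinely nested: use the set
        m_usedSet = true;
        m_recursive = !m_vm.stringRecursionCheckVisitedObjects.insert(object).second;
    }

    ~StringRecursionChecker()
    {
        if (m_recursive)
            return;   // the outer frame owns the registration
        if (m_usedSet)
            m_vm.stringRecursionCheckVisitedObjects.erase(m_object);
        else
            m_vm.stringRecursionCheckFirstObject = nullptr;
    }

    bool isRecursive() const { return m_recursive; }

private:
    VMState& m_vm;
    const Value* m_object;
    bool m_recursive = false;
    bool m_usedSet = false;
};

// join(",") with cycle protection: a repeated object yields "" instead of
// unbounded recursion and a stack overflow.
std::string join(VMState& vm, const ValuePtr& value)
{
    if (!value->isArray)
        return value->str;
    StringRecursionChecker checker(vm, value.get());
    if (checker.isRecursive())
        return "";
    std::string out;
    for (size_t i = 0; i < value->elements.size(); ++i) {
        if (i)
            out += ",";
        out += join(vm, value->elements[i]);
    }
    return out;
}

// Builders for constructed test values.
ValuePtr makeString(const std::string& s)
{
    auto v = std::make_shared<Value>();
    v->str = s;
    return v;
}

ValuePtr makeArray(std::initializer_list<ValuePtr> elements)
{
    auto v = std::make_shared<Value>();
    v->isArray = true;
    v->elements = elements;
    return v;
}
```

For a flat array the set is never consulted: the root pointer is set on entry and cleared on exit, so the common case costs two pointer writes rather than a hash insert and erase.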
5946 | ||
5947 | 2015-05-17 Filip Pizlo <fpizlo@apple.com> | |
5948 | ||
5949 | Insert store barriers late so that IR transformations don't have to worry about them | |
5950 | https://bugs.webkit.org/show_bug.cgi?id=145015 | |
5951 | ||
5952 | Reviewed by Geoffrey Garen. | |
5953 | ||
5954 | We have had three kinds of bugs with store barriers. For the sake of discussion we say | |
5955 | that a store barrier is needed when we have something like: | |
5956 | ||
5957 | base.field = value | |
5958 | ||
5959 | - We sometimes fail to realize that we could remove a barrier when value is a non-cell. | |
5960 | This might happen if we prove value to be a non-cell even though in the FixupPhase it | |
5961 | wasn't predicted non-cell. | |
5962 | ||
5963 | - We sometimes have a barrier in the wrong place after object allocation sinking. We | |
5964 | might sink an allocation to just above the store, but that puts it just after the | |
5965 | StoreBarrier that FixupPhase inserted. | |
5966 | ||
5967 | - We don't remove redundant barriers across basic blocks. | |
5968 | ||
5969 | This comprehensively fixes these issues by doing store barrier insertion late, and | |
5970 | removing the store barrier elision phase. Store barrier insertion uses an epoch-based | |
5971 | algorithm to determine when stores need barriers. Briefly, a barrier is not needed if | |
5972 | base is in the current GC epoch (i.e. was the last object that we allocated or had a | |
5973 | barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have | |
5974 | always been allocated before base). We do conservative things when merging epoch state | |
5975 | between basic blocks, and we only do such inter-block removal in the FTL. FTL also | |
5976 | queries AI to determine what type we've proved about value, and avoids barriers when | |
5977 | value is not a cell. FixupPhase still inserts type checks on some stores, to maximize | |
5978 | the likelihood that this AI-based removal is effective. | |
5979 | ||
5980 | Rolling back in after fixing some debug build test failures. | |
5981 | ||
5982 | * CMakeLists.txt: | |
5983 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
5984 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
5985 | * dfg/DFGBlockMap.h: | |
5986 | (JSC::DFG::BlockMap::at): | |
5987 | * dfg/DFGConstantFoldingPhase.cpp: | |
5988 | (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): | |
5989 | * dfg/DFGEpoch.h: | |
5990 | (JSC::DFG::Epoch::operator<): | |
5991 | (JSC::DFG::Epoch::operator>): | |
5992 | (JSC::DFG::Epoch::operator<=): | |
5993 | (JSC::DFG::Epoch::operator>=): | |
5994 | * dfg/DFGFixupPhase.cpp: | |
5995 | (JSC::DFG::FixupPhase::fixupNode): | |
5996 | (JSC::DFG::FixupPhase::speculateForBarrier): | |
5997 | (JSC::DFG::FixupPhase::insertStoreBarrier): Deleted. | |
5998 | * dfg/DFGPlan.cpp: | |
5999 | (JSC::DFG::Plan::compileInThreadImpl): | |
6000 | * dfg/DFGStoreBarrierElisionPhase.cpp: Removed. | |
6001 | * dfg/DFGStoreBarrierElisionPhase.h: Removed. | |
6002 | * dfg/DFGStoreBarrierInsertionPhase.cpp: Added. | |
6003 | (JSC::DFG::performFastStoreBarrierInsertion): | |
6004 | (JSC::DFG::performGlobalStoreBarrierInsertion): | |
6005 | * dfg/DFGStoreBarrierInsertionPhase.h: Added. | |
6006 | * ftl/FTLOperations.cpp: | |
6007 | (JSC::FTL::operationMaterializeObjectInOSR): Fix an unrelated debug-only bug. | |
6008 | * tests/stress/load-varargs-then-inlined-call-and-exit.js: Test for that debug-only bug. | |
6009 | * tests/stress/load-varargs-then-inlined-call-and-exit-strict.js: Strict version of that test. | |
6010 | ||
6011 | 2015-05-16 Commit Queue <commit-queue@webkit.org> | |
6012 | ||
6013 | Unreviewed, rolling out r184415. | |
6014 | https://bugs.webkit.org/show_bug.cgi?id=145096 | |
6015 | ||
6016 | Broke several tests (Requested by msaboff on #webkit). | |
6017 | ||
6018 | Reverted changeset: | |
6019 | ||
6020 | "Insert store barriers late so that IR transformations don't | |
6021 | have to worry about them" | |
6022 | https://bugs.webkit.org/show_bug.cgi?id=145015 | |
6023 | http://trac.webkit.org/changeset/184415 | |
6024 | ||
6025 | 2015-05-14 Filip Pizlo <fpizlo@apple.com> | |
6026 | ||
6027 | Insert store barriers late so that IR transformations don't have to worry about them | |
6028 | https://bugs.webkit.org/show_bug.cgi?id=145015 | |
6029 | ||
6030 | Reviewed by Geoffrey Garen. | |
6031 | ||
6032 | We have had three kinds of bugs with store barriers. For the sake of discussion we say | |
6033 | that a store barrier is needed when we have something like: | |
6034 | ||
6035 | base.field = value | |
6036 | ||
6037 | - We sometimes fail to realize that we could remove a barrier when value is a non-cell. | |
6038 | This might happen if we prove value to be a non-cell even though in the FixupPhase it | |
6039 | wasn't predicted non-cell. | |
6040 | ||
6041 | - We sometimes have a barrier in the wrong place after object allocation sinking. We | |
6042 | might sink an allocation to just above the store, but that puts it just after the | |
6043 | StoreBarrier that FixupPhase inserted. | |
6044 | ||
6045 | - We don't remove redundant barriers across basic blocks. | |
6046 | ||
6047 | This comprehensively fixes these issues by doing store barrier insertion late, and | |
6048 | removing the store barrier elision phase. Store barrier insertion uses an epoch-based | |
6049 | algorithm to determine when stores need barriers. Briefly, a barrier is not needed if | |
6050 | base is in the current GC epoch (i.e. was the last object that we allocated or had a | |
6051 | barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have | |
6052 | always been allocated before base). We do conservative things when merging epoch state | |
6053 | between basic blocks, and we only do such inter-block removal in the FTL. FTL also | |
6054 | queries AI to determine what type we've proved about value, and avoids barriers when | |
6055 | value is not a cell. FixupPhase still inserts type checks on some stores, to maximize | |
6056 | the likelihood that this AI-based removal is effective. | |
6057 | ||
6058 | * CMakeLists.txt: | |
6059 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
6060 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
6061 | * dfg/DFGBlockMap.h: | |
6062 | (JSC::DFG::BlockMap::at): | |
6063 | * dfg/DFGConstantFoldingPhase.cpp: | |
6064 | (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): | |
6065 | * dfg/DFGEpoch.h: | |
6066 | (JSC::DFG::Epoch::operator<): | |
6067 | (JSC::DFG::Epoch::operator>): | |
6068 | (JSC::DFG::Epoch::operator<=): | |
6069 | (JSC::DFG::Epoch::operator>=): | |
6070 | * dfg/DFGFixupPhase.cpp: | |
6071 | (JSC::DFG::FixupPhase::fixupNode): | |
6072 | (JSC::DFG::FixupPhase::speculateForBarrier): | |
6073 | (JSC::DFG::FixupPhase::insertStoreBarrier): Deleted. | |
6074 | * dfg/DFGPlan.cpp: | |
6075 | (JSC::DFG::Plan::compileInThreadImpl): | |
6076 | * dfg/DFGStoreBarrierElisionPhase.cpp: Removed. | |
6077 | * dfg/DFGStoreBarrierElisionPhase.h: Removed. | |
6078 | * dfg/DFGStoreBarrierInsertionPhase.cpp: Added. | |
6079 | (JSC::DFG::performFastStoreBarrierInsertion): | |
6080 | (JSC::DFG::performGlobalStoreBarrierInsertion): | |
6081 | * dfg/DFGStoreBarrierInsertionPhase.h: Added. | |
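
The following is an added example written for this page, not the DFG phase's own code: a model of the epoch rule that this entry and its re-landing above describe for deciding which stores need a GC write barrier. The node kinds, the points treated as "may GC", the names alloc/call/store and the assumption that a value allocated before its base can never be younger than the base at GC time (promotion after one collection) are simplifications made for the example.

```cpp
// Added example (not DFGStoreBarrierInsertionPhase.cpp): the epoch rule for
// deciding which stores need a barrier, over straight-line code.
#include <map>
#include <string>
#include <vector>

using Epoch = unsigned;
const Epoch kUnknownEpoch = 0;   // cells whose allocation time we cannot see (arguments, loads)

enum class Op { Alloc, Call, Store };

struct Node {
    Op op;
    std::string dest;    // Alloc: name of the new object
    std::string base;    // Store: object written to
    std::string value;   // Store: cell being stored
};

Node alloc(const std::string& dest) { return Node{Op::Alloc, dest, "", ""}; }
Node call() { return Node{Op::Call, "", "", ""}; }
Node store(const std::string& base, const std::string& value) { return Node{Op::Store, "", base, value}; }

// Walks the program once and returns, for each Store (by index into
// `program`), whether a barrier had to be inserted.
std::map<size_t, bool> decideBarriers(const std::vector<Node>& program)
{
    std::map<std::string, Epoch> epochOf;
    Epoch current = 1;
    std::map<size_t, bool> needsBarrier;

    auto epochFor = [&](const std::string& name) {
        auto it = epochOf.find(name);
        return it == epochOf.end() ? kUnknownEpoch : it->second;
    };

    for (size_t i = 0; i < program.size(); ++i) {
        const Node& node = program[i];
        switch (node.op) {
        case Op::Alloc:
            ++current;                     // the allocation itself may trigger a GC...
            epochOf[node.dest] = current;  // ...and the new object is born after it
            break;
        case Op::Call:
            ++current;                     // anything may have happened to the heap
            break;
        case Op::Store: {
            Epoch baseEpoch = epochFor(node.base);
            Epoch valueEpoch = epochFor(node.value);
            bool barrier = true;
            if (baseEpoch != kUnknownEpoch && baseEpoch == current)
                barrier = false;   // allocated, or barriered, since the last GC point
            else if (baseEpoch != kUnknownEpoch && valueEpoch != kUnknownEpoch && valueEpoch < baseEpoch)
                barrier = false;   // value is older than base: no old-to-young edge possible
            if (barrier)
                epochOf[node.base] = current;   // base stays remembered until the next GC point
            needsBarrier[i] = barrier;
            break;
        }
        }
    }
    return needsBarrier;
}

size_t barrierCount(const std::vector<Node>& program)
{
    size_t count = 0;
    for (const auto& entry : decideBarriers(program))
        count += entry.second;
    return count;
}

// Constructed sample: `x` is an argument (unknown epoch); a, b, c are allocated here.
std::vector<Node> sampleProgram()
{
    return {
        alloc("a"),            // 0
        alloc("b"),            // 1
        store("a", "b"),       // 2: b is newer than a -> barrier
        store("b", "a"),       // 3: b is the newest object -> none
        store("a", "b"),       // 4: a was just barriered -> none
        call(),                // 5: GC point
        store("a", "b"),       // 6: a's barrier expired -> barrier
        alloc("c"),            // 7
        store("c", "a"),       // 8: c is brand new -> none
        store("a", "c"),       // 9: c newer than a -> barrier
        store("a", "b"),       // 10: a just barriered -> none
        call(),                // 11: GC point
        store("a", "b"),       // 12: b older than a's last barrier -> none
        store("x", "a"),       // 13: unknown base -> barrier
        store("x", "c"),       // 14: x just barriered -> none
        store("a", "x"),       // 15: x is not known to be older -> barrier
    };
}
```

Both elisions are conservative in the direction that matters: an unknown base or value always gets a barrier, and a barrier is only dropped when the base is provably fresh since the last GC point or the value is provably older than the base. The sample keeps 5 of 11 barriers.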
6082 | ||
6083 | 2015-05-15 Benjamin Poulain <bpoulain@apple.com> | |
6084 | ||
6085 | [ARM64] Do not fail branchConvertDoubleToInt32 when the result is zero and not negative zero | |
6086 | https://bugs.webkit.org/show_bug.cgi?id=144976 | |
6087 | ||
6088 | Reviewed by Michael Saboff. | |
6089 | ||
6090 | Failing the conversion on zero is pretty dangerous as we discovered on x86. | |
6091 | ||
6092 | This patch does not really impact performance significantly because | |
6093 | r184220 removed the zero checks from Kraken. This patch is just to be | |
6094 | on the safe side for cases not covered by existing benchmarks. | |
6095 | ||
6096 | * assembler/MacroAssemblerARM64.h: | |
6097 | (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32): | |
6098 | ||
6099 | 2015-05-15 Sungmann Cho <sungmann.cho@navercorp.com> | |
6100 | ||
6101 | Remove unnecessary forward declarations in PropertyNameArray.h. | |
6102 | https://bugs.webkit.org/show_bug.cgi?id=145058 | |
6103 | ||
6104 | Reviewed by Andreas Kling. | |
6105 | ||
6106 | No new tests, no behavior change. | |
6107 | ||
6108 | * runtime/PropertyNameArray.h: | |
6109 | ||
6110 | 2015-05-15 Mark Lam <mark.lam@apple.com> | |
6111 | ||
6112 | JSArray::setLength() should reallocate instead of zero-filling if the reallocation would be small enough. | |
6113 | https://bugs.webkit.org/show_bug.cgi?id=144622 | |
6114 | ||
6115 | Reviewed by Geoffrey Garen. | |
6116 | ||
6117 | When setting the array to a new length that is shorter, we now check if it is worth | |
6118 | just making a new butterfly instead of clearing out the slots in the old butterfly | |
6119 | that reside beyond the new length. If so, we will make a new butterfly instead. | |
6120 | ||
6121 | There are no perf differences in the benchmark results. However, this does benefit | |
6122 | the perf of pathological cases where we need to shorten the length of a very large | |
6123 | array, as is the case in tests/mozilla/js1_5/Array/regress-101964.js. With this | |
6124 | patch, we can expect that test to complete in a short time again. | |
6125 | ||
6126 | * runtime/JSArray.cpp: | |
6127 | (JSC::JSArray::setLength): | |
6128 | * runtime/JSObject.cpp: | |
6129 | (JSC::JSObject::reallocateAndShrinkButterfly): | |
6130 | - makes a new butterfly with a new shorter length. | |
6131 | * runtime/JSObject.h: | |
6132 | * tests/mozilla/js1_5/Array/regress-101964.js: | |
6133 | - Undo this test change since this patch will prevent us from spending a lot of time | |
6134 | clearing a large butterfly. | |
6135 | ||
6136 | 2015-05-15 Basile Clement <basile_clement@apple.com> | |
6137 | ||
6138 | DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic | |
6139 | https://bugs.webkit.org/show_bug.cgi?id=145062 | |
6140 | ||
6141 | Reviewed by Filip Pizlo. | |
6142 | ||
6143 | We assert in various places (including NodeOrigin::isSet()) that a | |
6144 | NodeOrigin's semantic and forExit must be either both set, or both | |
6145 | unset. However, LICM'ing a node with unset NodeOrigin would only set | |
6146 | forExit, and leave semantic unset. This can for instance happen when a | |
6147 | Phi node is constant-folded into a JSConstant, which in turn gets | |
6148 | LICM'd. | |
6149 | ||
6150 | This patch changes DFGLICMPhase to set the NodeOrigin's semantic in | |
6151 | addition to its forExit if semantic was previously unset. | |
6152 | ||
6153 | It also adds two validators to DFGValidate.cpp: | |
6154 | - In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset | |
6155 | - In CPS form, all nodes must have a set NodeOrigin forExit (this is | |
6156 | the CPS counterpart to the SSA validator that checks that all nodes | |
6157 | must have a set NodeOrigin except possibly for a continuous chunk of | |
6158 | nodes at the top of a block) | |
6159 | ||
6160 | * dfg/DFGLICMPhase.cpp: | |
6161 | (JSC::DFG::LICMPhase::attemptHoist): | |
6162 | * dfg/DFGValidate.cpp: | |
6163 | (JSC::DFG::Validate::validate): | |
6164 | (JSC::DFG::Validate::validateCPS): | |
6165 | ||
6166 | 2015-05-15 Filip Pizlo <fpizlo@apple.com> | |
6167 | ||
6168 | Unreviewed, remove an unused declaration. | |
6169 | ||
6170 | * dfg/DFGSpeculativeJIT.h: | |
6171 | ||
6172 | 2015-05-14 Filip Pizlo <fpizlo@apple.com> | |
6173 | ||
6174 | Remove unused constant-base and constant-value store barrier code in the DFG | |
6175 | https://bugs.webkit.org/show_bug.cgi?id=145039 | |
6176 | ||
6177 | Reviewed by Andreas Kling. | |
6178 | ||
6179 | Just killing dead code. | |
6180 | ||
6181 | * dfg/DFGSpeculativeJIT.cpp: | |
6182 | (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Deleted. | |
6183 | (JSC::DFG::SpeculativeJIT::writeBarrier): Deleted. | |
6184 | * dfg/DFGSpeculativeJIT.h: | |
6185 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
6186 | (JSC::DFG::SpeculativeJIT::writeBarrier): | |
6187 | * dfg/DFGSpeculativeJIT64.cpp: | |
6188 | (JSC::DFG::SpeculativeJIT::writeBarrier): | |
6189 | ||
6190 | 2015-05-15 Alexandr Skachkov <gskachkov@gmail.com> | |
6191 | ||
6192 | Fix typo in function name parseFunctionParamters -> parseFunctionParameters | |
6193 | https://bugs.webkit.org/show_bug.cgi?id=145040 | |
6194 | ||
6195 | Reviewed by Mark Lam. | |
6196 | ||
6197 | * parser/Parser.h: | |
6198 | * parser/Parser.cpp: | |
6199 | ||
6200 | 2015-05-14 Filip Pizlo <fpizlo@apple.com> | |
6201 | ||
6202 | Remove StoreBarrierWithNullCheck, nobody ever generates this. | |
6203 | ||
6204 | Rubber stamped by Benjamin Poulain and Michael Saboff. | |
6205 | ||
6206 | If we did bring something like this back in the future, we would just use UntypedUse instead | |
6207 | of CellUse to indicate that this is what we want. | |
6208 | ||
6209 | * dfg/DFGAbstractInterpreterInlines.h: | |
6210 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
6211 | * dfg/DFGClobberize.h: | |
6212 | (JSC::DFG::clobberize): | |
6213 | * dfg/DFGDoesGC.cpp: | |
6214 | (JSC::DFG::doesGC): | |
6215 | * dfg/DFGFixupPhase.cpp: | |
6216 | (JSC::DFG::FixupPhase::fixupNode): | |
6217 | * dfg/DFGNode.h: | |
6218 | (JSC::DFG::Node::isStoreBarrier): | |
6219 | * dfg/DFGNodeType.h: | |
6220 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
6221 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
6222 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
6223 | * dfg/DFGPredictionPropagationPhase.cpp: | |
6224 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
6225 | * dfg/DFGSafeToExecute.h: | |
6226 | (JSC::DFG::safeToExecute): | |
6227 | * dfg/DFGSpeculativeJIT.cpp: | |
6228 | (JSC::DFG::SpeculativeJIT::compileStoreBarrier): | |
6229 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
6230 | (JSC::DFG::SpeculativeJIT::compile): | |
6231 | * dfg/DFGSpeculativeJIT64.cpp: | |
6232 | (JSC::DFG::SpeculativeJIT::compile): | |
6233 | * ftl/FTLCapabilities.cpp: | |
6234 | (JSC::FTL::canCompile): | |
6235 | * ftl/FTLLowerDFGToLLVM.cpp: | |
6236 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
6237 | (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): Deleted. | |
6238 | ||
6239 | 2015-05-14 Filip Pizlo <fpizlo@apple.com> | |
6240 | ||
6241 | PutGlobalVar should reference the global object it's storing into | |
6242 | https://bugs.webkit.org/show_bug.cgi?id=145036 | |
6243 | ||
6244 | Reviewed by Michael Saboff. | |
6245 | ||
6246 | This makes it easier to reason about store barrier insertion and elimination. This changes | |
6247 | the format of PutGlobalVar so that child1 is the global object and child2 is the value. | |
6248 | Previously it just had child1, and that was the value. | |
6249 | ||
6250 | * dfg/DFGByteCodeParser.cpp: | |
6251 | (JSC::DFG::ByteCodeParser::parseBlock): | |
6252 | * dfg/DFGClobberize.h: | |
6253 | (JSC::DFG::clobberize): | |
6254 | * dfg/DFGFixupPhase.cpp: | |
6255 | (JSC::DFG::FixupPhase::fixupNode): | |
6256 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
6257 | (JSC::DFG::SpeculativeJIT::compile): | |
6258 | * dfg/DFGSpeculativeJIT64.cpp: | |
6259 | (JSC::DFG::SpeculativeJIT::compile): | |
6260 | * ftl/FTLLowerDFGToLLVM.cpp: | |
6261 | (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar): | |
6262 | ||
6263 | 2015-05-14 Michael Catanzaro <mcatanzaro@igalia.com> | |
6264 | ||
6265 | [CMake] Error out when ruby is too old | |
6266 | https://bugs.webkit.org/show_bug.cgi?id=145014 | |
6267 | ||
6268 | Reviewed by Martin Robinson. | |
6269 | ||
6270 | Don't enforce the check for the Ruby executable here; it's now enforced in the top-level | |
6271 | CMakeLists.txt instead. | |
6272 | ||
6273 | * CMakeLists.txt: | |
6274 | ||
6275 | 2015-05-12 Basile Clement <basile_clement@apple.com> | |
6276 | ||
6277 | Enforce options coherency | |
6278 | https://bugs.webkit.org/show_bug.cgi?id=144921 | |
6279 | ||
6280 | Reviewed by Mark Lam. | |
6281 | ||
6282 | JavaScriptCore should be failing early when the options are set in such | |
6283 | a way that we don't have a meaningful way to execute JavaScript, rather | |
6284 | than failing for obscure reasons at some point during execution. | |
6285 | ||
6286 | This patch adds a new function that checks whether the options are set | |
6287 | in a coherent way, and makes JSC::Options::initialize() crash when the | |
6288 | environment enforces incoherent options. | |
6289 | Client applications able to add or change additional options are | |
6290 | responsible for checking coherency again before starting to actually | |
6291 | execute JavaScript, if any additional options have been set. This is | |
6292 | implemented for the jsc executable in this patch. | |
6293 | ||
6294 | * jsc.cpp: | |
6295 | (CommandLine::parseArguments): | |
6296 | * runtime/Options.cpp: | |
6297 | (JSC::Options::initialize): | |
6298 | (JSC::Options::ensureOptionsAreCoherent): Added. | |
6299 | * runtime/Options.h: | |
6300 | (JSC::Options::ensureOptionsAreCoherent): Added. | |
6301 | ||
6302 | 2015-05-14 Yusuke Suzuki <utatane.tea@gmail.com> | |
6303 | ||
6304 | REGRESSION (r184337): [EFL] unresolved reference errors in ARM builds | |
6305 | https://bugs.webkit.org/show_bug.cgi?id=145019 | |
6306 | ||
6307 | Reviewed by Ryosuke Niwa. | |
6308 | ||
6309 | Attempt to fix compile errors in EFL ARM buildbots. | |
6310 | By executing `nm`, we found that JSTemplateRegistryKey.cpp.o and TemplateRegistry.cpp.o have an | |
6311 | unresolved reference to Structure::get. That is an inlined function in StructureInlines.h. | |
6312 | ||
6313 | * runtime/JSTemplateRegistryKey.cpp: | |
6314 | * runtime/TemplateRegistry.cpp: | |
6315 | ||
6316 | 2015-05-14 Alexandr Skachkov <gskachkov@gmail.com> | |
6317 | ||
6318 | Small refactoring before implementation of the ES6 arrow function. | |
6319 | https://bugs.webkit.org/show_bug.cgi?id=144954 | |
6320 | ||
6321 | Reviewed by Ryosuke Niwa. | |
6322 | ||
6323 | * parser/Parser.h: | |
6324 | * parser/Parser.cpp: | |
6325 | ||
6326 | 2015-05-14 Yusuke Suzuki <utatane.tea@gmail.com> | |
6327 | ||
6328 | REGRESSION (r184337): ASSERT failed in debug builds for tagged templates | |
6329 | https://bugs.webkit.org/show_bug.cgi?id=145013 | |
6330 | ||
6331 | Reviewed by Filip Pizlo. | |
6332 | ||
6333 | Fix the regression introduced by r184337. | |
6334 | ||
6335 | 1. JSTemporaryRegistryKey::s_info should inherit the Base::s_info, | |
6336 | JSDestructibleObject::s_info. | |
6337 | ||
6338 | 2. The first register argument of BytecodeGenerator::emitNode | |
6339 | should be a referenced register if it is a temporary register. | |
6340 | ||
6341 | * bytecompiler/NodesCodegen.cpp: | |
6342 | (JSC::TaggedTemplateNode::emitBytecode): | |
6343 | * runtime/JSTemplateRegistryKey.cpp: | |
6344 | ||
6345 | 2015-05-14 Andreas Kling <akling@apple.com> | |
6346 | ||
6347 | String.prototype.split() should create efficient substrings. | |
6348 | <https://webkit.org/b/144985> | |
6349 | <rdar://problem/20949344> | |
6350 | ||
6351 | Reviewed by Geoffrey Garen. | |
6352 | ||
6353 | Teach split() how to make substring JSStrings instead of relying on StringImpl's | |
6354 | substring sharing mechanism. The optimization works by deferring the construction | |
6355 | of a StringImpl until the substring's value is actually needed. | |
6356 | ||
6357 | This knocks ~2MB off of theverge.com by avoiding the extra StringImpl allocations. | |
6358 | Out of ~70000 substrings created by split(), only ~2000 of them get reified. | |
6359 | ||
6360 | * runtime/StringPrototype.cpp: | |
6361 | (JSC::jsSubstring): | |
6362 | (JSC::splitStringByOneCharacterImpl): | |
6363 | (JSC::stringProtoFuncSplit): | |
6364 | ||
6365 | 2015-05-14 Yusuke Suzuki <utatane.tea@gmail.com> | |
6366 | ||
6367 | Change the status of ES6 tagged templates to Done in features.json | |
6368 | https://bugs.webkit.org/show_bug.cgi?id=145003 | |
6369 | ||
6370 | Reviewed by Benjamin Poulain. | |
6371 | ||
6372 | Now it's implemented in r184337. | |
6373 | ||
6374 | * features.json: | |
6375 | ||
6376 | 2015-05-14 Yusuke Suzuki <utatane.tea@gmail.com> | |
6377 | ||
6378 | Introduce SymbolType into SpeculativeTypes | |
6379 | https://bugs.webkit.org/show_bug.cgi?id=142651 | |
6380 | ||
6381 | Reviewed by Filip Pizlo. | |
6382 | ||
6383 | Introduce SpecSymbol type into speculative types. | |
6384 | Previously, the symbol type was categorized into SpecCellOther. | |
6385 | But SpecCellOther is not intended to be used for such cells. | |
6386 | ||
6387 | This patch just introduces SpecSymbol. | |
6388 | It represents that the type of the target value is definitely the symbol type. | |
6389 | It is part of SpecCell. | |
6390 | ||
6391 | In this patch, we do not introduce SymbolUse tracking. | |
6392 | It will be added in a separate patch. | |
6393 | ||
6394 | * bytecode/SpeculatedType.cpp: | |
6395 | (JSC::dumpSpeculation): | |
6396 | (JSC::speculationFromStructure): | |
6397 | * bytecode/SpeculatedType.h: | |
6398 | (JSC::isSymbolSpeculation): | |
6399 | * dfg/DFGAbstractInterpreterInlines.h: | |
6400 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
6401 | * dfg/DFGAbstractValue.cpp: | |
6402 | (JSC::DFG::AbstractValue::setType): | |
6403 | * dfg/DFGConstantFoldingPhase.cpp: | |
6404 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
6405 | * tests/stress/typeof-symbol.js: Added. | |
6406 | ||
6407 | 2015-05-14 Yusuke Suzuki <utatane.tea@gmail.com> | |
6408 | ||
6409 | [ES6] Implement tagged templates | |
6410 | https://bugs.webkit.org/show_bug.cgi?id=143183 | |
6411 | ||
6412 | Reviewed by Oliver Hunt. | |
6413 | ||
6414 | This patch implements ES6 tagged templates. | |
6415 | In tagged templates, the function takes the template object. | |
6416 | ||
6417 | The template object contains the raw and cooked template strings, | |
6418 | so when parsing the tagged templates, we need to tokenize the raw and cooked strings. | |
6419 | While tagged templates require both strings, the template literal only requires | |
6420 | the cooked strings. So when tokenizing under the template literal context, | |
6421 | we only build the cooked strings. | |
6422 | ||
6423 | As per ES6 spec, the template objects for the same raw strings are shared in the same realm. | |
6424 | The template objects are cached, and every time we evaluate the same tagged templates, | |
6425 | the same (cached) template objects are used. | |
6426 | Since the spec freezes these template objects completely, | |
6427 | we cannot attach any properties to them. | |
6428 | So we can say that they behave as if the template objects were primitive values (like JSString). | |
6429 | Since we cannot attach properties, the only way to test the identity of the template object is comparing (===). | |
6430 | As a result, when there is no reference to the template object, we can garbage collect it, | |
6431 | because the user has no way to test that the newly created template object does not equal | |
6432 | the already collected template object. | |
6433 | ||
6434 | So, to implement tagged templates, we implement the following components. | |
6435 | ||
6436 | 1. JSTemplateRegistryKey | |
6437 | It holds the template registry key and it is not exposed to users. | |
6438 | TemplateRegistryKey holds the vector of raw and cooked strings with the pre-computed hash value. | |
6439 | When obtaining the template object for the (statically, a.k.a. at the parsing time) given raw string vectors, | |
6440 | we use this JSTemplateRegistryKey as a key to the map and look up the template object from | |
6441 | TemplateRegistry. | |
6442 | JSTemplateRegistryKey is created at the bytecode compiling time and | |
6443 | stored in the CodeBlock, just like JSString content values. | |
6444 | ||
6445 | 2. TemplateRegistry | |
6446 | This manages the cached template objects. | |
6447 | It holds the weak map (JSTemplateRegistryKey -> the template object). | |
6448 | The template object is weakly referenced. | |
6449 | So if there is no reference to the template object, | |
6450 | the template object is automatically GC-ed. | |
6451 | When looking up the template object, it searches the cached template object. | |
6452 | If it is found, it is returned to the users. | |
6453 | If there is no cached template object, it creates a new template object and | |
6454 | stores it with the given template registry key. | |
6455 | ||
6456 | * CMakeLists.txt: | |
6457 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
6458 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
6459 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
6460 | * bytecompiler/BytecodeGenerator.cpp: | |
6461 | (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): | |
6462 | (JSC::BytecodeGenerator::emitGetTemplateObject): | |
6463 | * bytecompiler/BytecodeGenerator.h: | |
6464 | * bytecompiler/NodesCodegen.cpp: | |
6465 | (JSC::TaggedTemplateNode::emitBytecode): | |
6466 | (JSC::TemplateLiteralNode::emitBytecode): Deleted. | |
6467 | * parser/ASTBuilder.h: | |
6468 | (JSC::ASTBuilder::createTaggedTemplate): | |
6469 | (JSC::ASTBuilder::createTemplateLiteral): Deleted. | |
6470 | * parser/Lexer.cpp: | |
6471 | (JSC::Lexer<T>::setCode): | |
6472 | (JSC::Lexer<T>::parseTemplateLiteral): | |
6473 | (JSC::Lexer<T>::lex): | |
6474 | (JSC::Lexer<T>::scanTrailingTemplateString): | |
6475 | (JSC::Lexer<T>::clear): | |
6476 | * parser/Lexer.h: | |
6477 | (JSC::Lexer<T>::makeEmptyIdentifier): | |
6478 | * parser/NodeConstructors.h: | |
6479 | (JSC::TaggedTemplateNode::TaggedTemplateNode): | |
6480 | (JSC::TemplateLiteralNode::TemplateLiteralNode): Deleted. | |
6481 | * parser/Nodes.h: | |
6482 | (JSC::TemplateLiteralNode::templateStrings): | |
6483 | (JSC::TemplateLiteralNode::templateExpressions): | |
6484 | (JSC::TaggedTemplateNode::templateLiteral): | |
6485 | * parser/Parser.cpp: | |
6486 | (JSC::Parser<LexerType>::parseTemplateString): | |
6487 | (JSC::Parser<LexerType>::parseTemplateLiteral): | |
6488 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
6489 | (JSC::Parser<LexerType>::parseMemberExpression): | |
6490 | * parser/Parser.h: | |
6491 | * parser/ParserArena.h: | |
6492 | (JSC::IdentifierArena::makeEmptyIdentifier): | |
6493 | * parser/SyntaxChecker.h: | |
6494 | (JSC::SyntaxChecker::createTaggedTemplate): | |
6495 | (JSC::SyntaxChecker::createTemplateLiteral): Deleted. | |
6496 | * runtime/CommonIdentifiers.h: | |
6497 | * runtime/JSGlobalObject.cpp: | |
6498 | (JSC::getTemplateObject): | |
6499 | (JSC::JSGlobalObject::JSGlobalObject): | |
6500 | (JSC::JSGlobalObject::init): | |
6501 | * runtime/JSGlobalObject.h: | |
6502 | (JSC::JSGlobalObject::templateRegistry): | |
6503 | * runtime/JSTemplateRegistryKey.cpp: Added. | |
6504 | (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey): | |
6505 | (JSC::JSTemplateRegistryKey::create): | |
6506 | (JSC::JSTemplateRegistryKey::destroy): | |
6507 | * runtime/JSTemplateRegistryKey.h: Added. | |
6508 | * runtime/ObjectConstructor.cpp: | |
6509 | (JSC::objectConstructorFreeze): | |
6510 | * runtime/ObjectConstructor.h: | |
6511 | * runtime/TemplateRegistry.cpp: Added. | |
6512 | (JSC::TemplateRegistry::TemplateRegistry): | |
6513 | (JSC::TemplateRegistry::getTemplateObject): | |
6514 | * runtime/TemplateRegistry.h: Added. | |
6515 | * runtime/TemplateRegistryKey.h: Added. | |
6516 | (JSC::TemplateRegistryKey::isDeletedValue): | |
6517 | (JSC::TemplateRegistryKey::isEmptyValue): | |
6518 | (JSC::TemplateRegistryKey::hash): | |
6519 | (JSC::TemplateRegistryKey::rawStrings): | |
6520 | (JSC::TemplateRegistryKey::cookedStrings): | |
6521 | (JSC::TemplateRegistryKey::operator==): | |
6522 | (JSC::TemplateRegistryKey::operator!=): | |
6523 | (JSC::TemplateRegistryKey::Hasher::hash): | |
6524 | (JSC::TemplateRegistryKey::Hasher::equal): | |
6525 | (JSC::TemplateRegistryKey::TemplateRegistryKey): | |
6526 | * runtime/VM.cpp: | |
6527 | (JSC::VM::VM): | |
6528 | * runtime/VM.h: | |
6529 | * tests/stress/tagged-templates-identity.js: Added. | |
6530 | (shouldBe): | |
6531 | * tests/stress/tagged-templates-raw-strings.js: Added. | |
6532 | (shouldBe): | |
6533 | (tag): | |
6534 | (testEval): | |
6535 | * tests/stress/tagged-templates-syntax.js: Added. | |
6536 | (tag): | |
6537 | (testSyntax): | |
6538 | (testSyntaxError): | |
6539 | * tests/stress/tagged-templates-template-object.js: Added. | |
6540 | (shouldBe): | |
6541 | (tag): | |
6542 | * tests/stress/tagged-templates-this.js: Added. | |
6543 | (shouldBe): | |
6544 | (tag): | |
6545 | * tests/stress/tagged-templates.js: Added. | |
6546 | (shouldBe): | |
6547 | (raw): | |
6548 | (cooked): | |
6549 | (Counter): | |
6550 | ||
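The observable contract described in the entry above, as an added example that is not part of the ChangeLog or of the JavaScriptCore sources: the tag function receives a frozen template object whose `raw` array is also frozen, the same call site hands back the identical object on every evaluation, and the only identity test available to script is `===`. The `tag` helper and its return shape are constructed for this illustration. Note that the entry describes the ES2015 keying (one template object per realm per raw-string vector); the spec later moved to per-call-site caching, so the example only checks identity within a single site, which holds under both rules.

```javascript
// Added example, not JSC code. Observes tagged-template semantics from script.

// Tag that simply hands back what it was given so callers can inspect it.
function tag(strings, ...substitutions) {
  return { strings, substitutions };
}

// Object.defineProperty on a frozen object throws a TypeError; report whether
// the property ended up on the object instead of relying on the throw.
function attachProperty(obj) {
  try {
    Object.defineProperty(obj, "marker", { value: 1 });
  } catch (e) {
    // expected: the template object is frozen
  }
  return Object.prototype.hasOwnProperty.call(obj, "marker");
}

// Evaluate one tagged-template call site several times and collect facts
// about the template object it produces.
function templateObjectFacts() {
  const seen = [];
  for (let i = 0; i < 3; i++) {
    // Same call site each iteration; the escape sequence \n is what makes
    // the cooked and raw strings differ.
    seen.push(tag`line\n${i}`.strings);
  }
  const first = seen[0];
  return {
    evaluations: seen.length,
    sameObjectEachEvaluation: seen.every((s) => s === first),
    frozen: Object.isFrozen(first) && Object.isFrozen(first.raw),
    cooked: Array.from(first),      // ["line\n", ""]  (escape interpreted)
    raw: Array.from(first.raw),     // ["line\\n", ""] (escape kept verbatim)
    propertyAttached: attachProperty(first),
  };
}

// Substitution values are passed separately and never become part of the
// cached template object, so the cache key depends only on the literal text.
function substitutionsArePassedThrough() {
  const secret = "value-" + Math.random().toString(36).slice(2);
  const call = tag`a${secret}b`;
  return call.substitutions[0] === secret && call.strings.length === 2;
}
```

Because the template object is frozen, a tag function cannot stash per-site state on it; anything a tag needs to remember across calls has to live in a `WeakMap` keyed by the template object, which is exactly the `===` identity the entry says is the only thing script can rely on.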
6551 | 2015-05-13 Ryosuke Niwa <rniwa@webkit.org> | |
6552 | ||
6553 | REGRESSION(r180595): same-callee profiling no longer works | |
6554 | https://bugs.webkit.org/show_bug.cgi?id=144787 | |
6555 | ||
6556 | Reviewed by Filip Pizlo. | |
6557 | ||
6558 | This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is | |
6559 | always the same JSFunction. This condition doesn't hold when the byte code creates multiple | |
6560 | JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y(); | |
6561 | ||
6562 | To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly | |
6563 | added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying | |
6564 | our speculation that the callee is the same. To avoid recompiling the same code for different callee | |
6565 | objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in | |
6566 | LLint and baseline JIT when multiple callees are observed. | |
6567 | ||
6568 | Tests: stress/create-this-with-callee-variants.js | |
6569 | ||
6570 | * bytecode/BytecodeList.json: Increased the number of operands to 5. | |
6571 | * bytecode/CodeBlock.cpp: | |
6572 | (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache. | |
6573 | (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive. | |
6574 | * bytecompiler/BytecodeGenerator.cpp: | |
6575 | (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that | |
6576 | we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added | |
6577 | operand. | |
6578 | * dfg/DFGByteCodeParser.cpp: | |
6579 | (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to | |
6580 | match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit. | |
6581 | * jit/JITOpcodes.cpp: | |
6582 | (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked | |
6583 | as seenMultipleCalleeObjects() to indicate the polymorphic behavior and/or we've OSR exited here. | |
6584 | (JSC::JIT::emitSlow_op_create_this): | |
6585 | * jit/JITOpcodes32_64.cpp: | |
6586 | (JSC::JIT::emit_op_create_this): Ditto. | |
6587 | (JSC::JIT::emitSlow_op_create_this): | |
6588 | * llint/LowLevelInterpreter32_64.asm: | |
6589 | (_llint_op_create_this): Ditto. | |
6590 | * llint/LowLevelInterpreter64.asm: | |
6591 | (_llint_op_create_this): Ditto. | |
6592 | * runtime/CommonSlowPaths.cpp: | |
6593 | (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has | |
6594 | been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects(). | |
6595 | * runtime/JSCell.h: | |
6596 | (JSC::JSCell::seenMultipleCalleeObjects): Added. | |
6597 | * runtime/WriteBarrier.h: | |
6598 | (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it. | |
6599 | * tests/stress/create-this-with-callee-variants.js: Added. | |
6600 | ||
6601 | 2015-05-13 Joseph Pecoraro <pecoraro@apple.com> | |
6602 | ||
6603 | Clean up some possible RefPtr to PassRefPtr churn | |
6604 | https://bugs.webkit.org/show_bug.cgi?id=144779 | |
6605 | ||
6606 | Reviewed by Darin Adler. | |
6607 | ||
6608 | * runtime/GenericTypedArrayViewInlines.h: | |
6609 | (JSC::GenericTypedArrayView<Adaptor>::create): | |
6610 | (JSC::GenericTypedArrayView<Adaptor>::createUninitialized): | |
6611 | * runtime/JSArrayBufferConstructor.cpp: | |
6612 | (JSC::constructArrayBuffer): | |
6613 | * runtime/Structure.cpp: | |
6614 | (JSC::Structure::toStructureShape): | |
6615 | * runtime/TypedArrayBase.h: | |
6616 | (JSC::TypedArrayBase::create): | |
6617 | (JSC::TypedArrayBase::createUninitialized): | |
6618 | * tools/FunctionOverrides.cpp: | |
6619 | (JSC::initializeOverrideInfo): | |
6620 | Release the last use of a RefPtr as it is passed on. | |
6621 | ||
6622 | 2015-05-13 Joseph Pecoraro <pecoraro@apple.com> | |
6623 | ||
6624 | ES6: Allow duplicate property names | |
6625 | https://bugs.webkit.org/show_bug.cgi?id=142895 | |
6626 | ||
6627 | Reviewed by Geoffrey Garen. | |
6628 | ||
6629 | Introduce new `op_put_getter_by_id` and `op_put_setter_by_id` opcodes | |
6630 | that will define a single getter or setter property on an object. | |
6631 | ||
6632 | The existing `op_put_getter_setter` opcode is still preferred for | |
6633 | putting both a getter and setter at the same time but cannot be used | |
6634 | for putting an individual getter or setter which is needed in | |
6635 | some cases. | |
6636 | ||
6637 | Add a new slow path when generating bytecodes for a property list | |
6638 | with computed properties, as computed properties are the only time | |
6639 | the list of properties cannot be determined statically. | |
6640 | ||
6641 | * bytecompiler/NodesCodegen.cpp: | |
6642 | (JSC::PropertyListNode::emitBytecode): | |
6643 | - fast path for all constant properties | |
6644 | - slow but paired getter/setter path if there are no computed properties | |
6645 | - slow path, individual put operation for every property, if there are computed properties | |
6646 | ||
6647 | * parser/Nodes.h: | |
6648 | Distinguish a Computed property from a Constant property. | |
6649 | ||
6650 | * parser/Parser.cpp: | |
6651 | (JSC::Parser<LexerType>::parseProperty): | |
6652 | (JSC::Parser<LexerType>::parsePropertyMethod): | |
6653 | Distinguish Computed and Constant properties. | |
6654 | ||
6655 | (JSC::Parser<LexerType>::parseObjectLiteral): | |
6656 | When we drop into strict mode it is because we saw a getter | |
6657 | or setter, so be more explicit. | |
6658 | ||
6659 | (JSC::Parser<LexerType>::parseStrictObjectLiteral): | |
6660 | Eliminate duplicate property syntax error exception. | |
6661 | ||
6662 | * parser/SyntaxChecker.h: | |
6663 | (JSC::SyntaxChecker::getName): | |
6664 | * parser/ASTBuilder.h: | |
6665 | (JSC::ASTBuilder::getName): Deleted. | |
6666 | No longer used. | |
6667 | ||
6668 | * runtime/JSObject.h: | |
6669 | (JSC::JSObject::putDirectInternal): | |
6670 | When updating a property, if the Accessor attribute changed, | |
6671 | update the Structure. | |
6672 | ||
6673 | * runtime/JSObject.cpp: | |
6674 | (JSC::JSObject::putGetter): | |
6675 | (JSC::JSObject::putSetter): | |
6676 | Called by the opcodes, just perform the same operation that | |
6677 | __defineGetter__ or __defineSetter__ would do. | |
6678 | ||
6679 | (JSC::JSObject::putDirectNonIndexAccessor): | |
6680 | This transition is now handled in putDirectInternal. | |
6681 | ||
6682 | * runtime/Structure.h: | |
6683 | Add needed export. | |
6684 | ||
6685 | * bytecode/BytecodeList.json: | |
6686 | * bytecode/BytecodeUseDef.h: | |
6687 | (JSC::computeUsesForBytecodeOffset): | |
6688 | (JSC::computeDefsForBytecodeOffset): | |
6689 | * bytecode/CodeBlock.cpp: | |
6690 | (JSC::CodeBlock::dumpBytecode): | |
6691 | * bytecompiler/BytecodeGenerator.cpp: | |
6692 | (JSC::BytecodeGenerator::emitPutGetterById): | |
6693 | (JSC::BytecodeGenerator::emitPutSetterById): | |
6694 | * bytecompiler/BytecodeGenerator.h: | |
6695 | * jit/JIT.cpp: | |
6696 | (JSC::JIT::privateCompileMainPass): | |
6697 | * jit/JIT.h: | |
6698 | * jit/JITInlines.h: | |
6699 | (JSC::JIT::callOperation): | |
6700 | * jit/JITOperations.cpp: | |
6701 | * jit/JITOperations.h: | |
6702 | * jit/JITPropertyAccess.cpp: | |
6703 | (JSC::JIT::emit_op_put_getter_by_id): | |
6704 | (JSC::JIT::emit_op_put_setter_by_id): | |
6705 | * jit/JITPropertyAccess32_64.cpp: | |
6706 | (JSC::JIT::emit_op_put_getter_by_id): | |
6707 | (JSC::JIT::emit_op_put_setter_by_id): | |
6708 | * llint/LLIntSlowPaths.cpp: | |
6709 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
6710 | * llint/LLIntSlowPaths.h: | |
6711 | * llint/LowLevelInterpreter.asm: | |
6712 | New bytecodes. Modelled after existing op_put_getter_setter. | |
6713 | ||
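The object-literal cases the entry above adds opcodes for, as an added example that is not part of the ChangeLog or of the JavaScriptCore sources. It shows from script why a lone getter or setter must be definable on its own and why computed keys force the one-property-at-a-time path: with duplicate names allowed, a later definition replaces an earlier one, and the property can flip between accessor and data along the way. All function names and sample literals here are constructed for the illustration.

```javascript
// Added example, not JSC code. ES6 duplicate property names in object literals.

// Plain duplicate data properties: the last definition wins.
function duplicateDataLastWins() {
  const o = { a: 1, a: 2 };
  return o.a;
}

// A getter, then a setter for the same name, then a data property. The
// accessor pair has to be assembled one half at a time, and the final data
// property replaces the accessor outright (its Structure changes kind).
function accessorThenData() {
  let stored = 0;
  const o = {
    get x() { return 10; },
    set x(v) { stored = v; },
    x: 5,
  };
  const desc = Object.getOwnPropertyDescriptor(o, "x");
  return {
    value: o.x,
    isData: "value" in desc,
    hasGetter: typeof desc.get === "function",
  };
}

// The reverse flip: a data property replaced by a lone getter. The result is
// an accessor with no setter, so assignment is silently ignored in sloppy
// mode (and would throw in strict mode).
function dataThenLoneGetter() {
  const o = {
    y: 1,
    get y() { return 42; },
  };
  const desc = Object.getOwnPropertyDescriptor(o, "y");
  return {
    value: o.y,
    isAccessor: typeof desc.get === "function",
    hasSetter: typeof desc.set === "function",
  };
}

// Computed keys cannot be resolved at parse time, so every property in this
// literal is defined in source order; "k" ends up as the last write to it.
function computedKeysInSourceOrder() {
  const k = "k";
  const o = {
    [k]: 1,
    get k() { return 2; },
    [k + ""]: 3,
  };
  const desc = Object.getOwnPropertyDescriptor(o, "k");
  return {
    value: o.k,
    isData: "value" in desc,
    keys: Object.keys(o).join(","),
  };
}
```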
6714 | 2015-05-13 Filip Pizlo <fpizlo@apple.com> | |
6715 | ||
6716 | Creating a new blank document in icloud pages causes an AI error: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble. | |
6717 | https://bugs.webkit.org/show_bug.cgi?id=144856 | |
6718 | ||
6719 | Reviewed by Benjamin Poulain. | |
6720 | ||
6721 | First I made fixTypeForRepresentation() print out better diagnostics when it dies. | |
6722 | ||
6723 | Then I fixed the bug: Node::convertToIdentityOn(Node*) needs to make sure that when it | |
6724 | converts to a representation-changing node, it needs to use one of the UseKinds that such | |
6725 | a node expects. For example, DoubleRep(UntypedUse:) doesn't make sense; it needs to be | |
6726 | something like DoubleRep(NumberUse:) since it will speculate that the input is a number. | |
6727 | ||
6728 | * dfg/DFGAbstractInterpreter.h: | |
6729 | (JSC::DFG::AbstractInterpreter::setBuiltInConstant): | |
6730 | * dfg/DFGAbstractInterpreterInlines.h: | |
6731 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
6732 | * dfg/DFGAbstractValue.cpp: | |
6733 | (JSC::DFG::AbstractValue::fixTypeForRepresentation): | |
6734 | * dfg/DFGAbstractValue.h: | |
6735 | * dfg/DFGInPlaceAbstractState.cpp: | |
6736 | (JSC::DFG::InPlaceAbstractState::initialize): | |
6737 | * dfg/DFGNode.cpp: | |
6738 | (JSC::DFG::Node::convertToIdentityOn): | |
6739 | * tests/stress/cloned-arguments-get-by-val-double-array.js: Added. | |
6740 | (foo): | |
6741 | ||
6742 | 2015-05-13 Commit Queue <commit-queue@webkit.org> | |
6743 | ||
6744 | Unreviewed, rolling out r184313. | |
6745 | https://bugs.webkit.org/show_bug.cgi?id=144974 | |
6746 | ||
6747 | Introduced an assertion failure in class-syntax- | |
6748 | declaration.js, class-syntax-expression.js, and object- | |
6749 | literal-syntax.js (Requested by rniwa on #webkit). | |
6750 | ||
6751 | Reverted changeset: | |
6752 | ||
6753 | "Small refactoring before ES6 Arrow function implementation." | |
6754 | https://bugs.webkit.org/show_bug.cgi?id=144954 | |
6755 | http://trac.webkit.org/changeset/184313 | |
6756 | ||
6757 | 2015-05-13 Oliver Hunt <oliver@apple.com> | |
6758 | Ensure that all the smart pointer types in WTF clear their pointer before deref | |
6759 | https://bugs.webkit.org/show_bug.cgi?id=143789 | |
6760 | ||
6761 | Reviewed by Ryosuke Niwa. | |
6762 | ||
6763 | One of the simpler cases of this in JavaScriptCore. There | |
6764 | are other cases where we need to guard the derefs but they | |
6765 | are more complex cases. | |
6766 | ||
6767 | * inspector/JSInjectedScriptHost.cpp: | |
6768 | (Inspector::JSInjectedScriptHost::releaseImpl): | |
6769 | * inspector/JSJavaScriptCallFrame.cpp: | |
6770 | (Inspector::JSJavaScriptCallFrame::releaseImpl): | |
6771 | ||
6772 | 2015-05-13 Alexandr Skachkov <gskachkov@gmail.com> | |
6773 | ||
6774 | Small refactoring before ES6 Arrow function implementation. | |
6775 | https://bugs.webkit.org/show_bug.cgi?id=144954 | |
6776 | ||
6777 | Reviewed by Filip Pizlo. | |
6778 | ||
6779 | * parser/Parser.h: | |
6780 | * parser/Parser.cpp: | |
6781 | ||
6782 | 2015-05-13 Filip Pizlo <fpizlo@apple.com> | |
6783 | ||
6784 | The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness | |
6785 | https://bugs.webkit.org/show_bug.cgi?id=144945 | |
6786 | ||
6787 | Reviewed by Michael Saboff. | |
6788 | ||
6789 | We were making the mistake of using DFG liveness for object allocation sinking decisions. | |
6790 | This is wrong. In fact we almost never want to use DFG liveness directly. The only place | |
6791 | where that makes sense is pruning in DFG AI. | |
6792 | ||
6793 | So, I created a CombinedLiveness class that combines the DFG liveness with bytecode | |
6794 | liveness. | |
6795 | ||
6796 | In the process of doing this, I realized that the DFGForAllKills definition of combined | |
6797 | liveness at block tail was not strictly right; it was using the bytecode liveness at the | |
6798 | block terminal instead of the union of the bytecode live-at-heads of successor blocks. So, | |
6799 | I changed DFGForAllKills to work in terms of CombinedLiveness. | |
6800 | ||
6801 | This allows me to unskip the test I added in r184260. I also added a new test that tries to | |
6802 | trigger this bug more directly. | |
6803 | ||
6804 | * CMakeLists.txt: | |
6805 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
6806 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
6807 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
6808 | * dfg/DFGCombinedLiveness.cpp: Added. | |
6809 | (JSC::DFG::liveNodesAtHead): | |
6810 | (JSC::DFG::CombinedLiveness::CombinedLiveness): | |
6811 | * dfg/DFGCombinedLiveness.h: Added. | |
6812 | (JSC::DFG::CombinedLiveness::CombinedLiveness): | |
6813 | * dfg/DFGForAllKills.h: | |
6814 | (JSC::DFG::forAllKillsInBlock): | |
6815 | (JSC::DFG::forAllLiveNodesAtTail): Deleted. | |
6816 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
6817 | (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): | |
6818 | (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): | |
6819 | (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): | |
6820 | (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): | |
6821 | * tests/stress/escape-object-in-diamond-then-exit.js: Added. | |
6822 | * tests/stress/sink-object-past-invalid-check-sneaky.js: | |
6823 | ||
6824 | 2015-05-13 Ryosuke Niwa <rniwa@webkit.org> | |
6825 | ||
6826 | I skipped a wrong test in r184270. Fix that. | |
6827 | The failure is tracked by webkit.org/b/144947. | |
6828 | ||
6829 | * tests/stress/arith-modulo-node-behaviors.js: | |
6830 | * tests/stress/arith-mul-with-constants.js: | |
6831 | ||
6832 | 2015-05-13 Joseph Pecoraro <pecoraro@apple.com> | |
6833 | ||
6834 | Avoid always running some debug code in type profiling | |
6835 | https://bugs.webkit.org/show_bug.cgi?id=144775 | |
6836 | ||
6837 | Reviewed by Daniel Bates. | |
6838 | ||
6839 | * runtime/TypeProfilerLog.cpp: | |
6840 | (JSC::TypeProfilerLog::processLogEntries): | |
6841 | ||
6842 | 2015-05-13 Joseph Pecoraro <pecoraro@apple.com> | |
6843 | ||
6844 | Pass String as reference in more places | |
6845 | https://bugs.webkit.org/show_bug.cgi?id=144769 | |
6846 | ||
6847 | Reviewed by Daniel Bates. | |
6848 | ||
6849 | * debugger/Breakpoint.h: | |
6850 | (JSC::Breakpoint::Breakpoint): | |
6851 | * parser/Parser.h: | |
6852 | (JSC::Parser::setErrorMessage): | |
6853 | (JSC::Parser::updateErrorWithNameAndMessage): | |
6854 | * parser/ParserError.h: | |
6855 | (JSC::ParserError::ParserError): | |
6856 | * runtime/RegExp.cpp: | |
6857 | (JSC::RegExpFunctionalTestCollector::outputOneTest): | |
6858 | * runtime/RegExpObject.cpp: | |
6859 | (JSC::regExpObjectSourceInternal): | |
6860 | * runtime/TypeProfiler.cpp: | |
6861 | (JSC::TypeProfiler::typeInformationForExpressionAtOffset): | |
6862 | * runtime/TypeProfilerLog.cpp: | |
6863 | (JSC::TypeProfilerLog::processLogEntries): | |
6864 | * runtime/TypeProfilerLog.h: | |
6865 | * tools/FunctionOverrides.cpp: | |
6866 | (JSC::initializeOverrideInfo): | |
6867 | * inspector/scripts/codegen/generate_objc_conversion_helpers.py: | |
6868 | (ObjCConversionHelpersGenerator._generate_enum_from_protocol_string): | |
6869 | ||
6870 | * inspector/scripts/codegen/objc_generator_templates.py: | |
6871 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
6872 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
6873 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
6874 | * inspector/scripts/tests/expected/enum-values.json-result: | |
6875 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
6876 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
6877 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
6878 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
6879 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
6880 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
6881 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
6882 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
6883 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
6884 | Rebaseline tests after updating the generator. | |
6885 | ||
6886 | 2015-05-13 Michael Saboff <msaboff@apple.com> | |
6887 | ||
6888 | com.apple.WebKit.WebContent crashed at JavaScriptCore: JSC::CodeBlock::finalizeUnconditionally | |
6889 | https://bugs.webkit.org/show_bug.cgi?id=144933 | |
6890 | ||
6891 | Changed the RELEASE_ASSERT_NOT_REACHED into an ASSERT. Added some diagnostic messages to | |
6892 | help determine the cause for any crash. | |
6893 | ||
6894 | Reviewed by Geoffrey Garen. | |
6895 | ||
6896 | * bytecode/CodeBlock.cpp: | |
6897 | (JSC::CodeBlock::finalizeUnconditionally): | |
6898 | ||
6899 | 2015-05-13 Filip Pizlo <fpizlo@apple.com> | |
6900 | ||
6901 | REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase | |
6902 | https://bugs.webkit.org/show_bug.cgi?id=144951 | |
6903 | ||
6904 | Reviewed by Michael Saboff. | |
6905 | ||
6906 | There were two issues here: | |
6907 | ||
6908 | - In r184260 we expected a small number of possible use kinds in Check nodes, and | |
6909 | UntypedUse was not one of them. That seemed like a sensible assumption because we don't | |
6910 | create Check nodes unless it's to have a check. But, SSAConversionPhase was creating a | |
6911 | Check that could have UntypedUse. I fixed this. It's cleaner for SSAConversionPhase to | |
6912 | follow the same idiom as everyone else and not create tautological checks. | |
6913 | ||
6914 | - It's clearly not very robust to assume that Checks will not be used tautologically. So, | |
6915 | this changes how we validate Checks in the escape analyses. We now use willHaveCheck, | |
6916 | which catches cases that AI would have already marked as unnecessary. It then also uses | |
6917 | a new helper called alreadyChecked(), which allows us to just ask if the check is | |
6918 | unnecessary for objects. That's a good fall-back in case AI hadn't run yet. | |
6919 | ||
6920 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
6921 | * dfg/DFGMayExit.cpp: | |
6922 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
6923 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
6924 | * dfg/DFGSSAConversionPhase.cpp: | |
6925 | (JSC::DFG::SSAConversionPhase::run): | |
6926 | * dfg/DFGUseKind.h: | |
6927 | (JSC::DFG::alreadyChecked): | |
6928 | * dfg/DFGVarargsForwardingPhase.cpp: | |
6929 | ||
6931 | 2015-05-13 Yusuke Suzuki <utatane.tea@gmail.com> | |
6932 | ||
6933 | [ES6] Implement String.raw | |
6934 | https://bugs.webkit.org/show_bug.cgi?id=144330 | |
6935 | ||
6936 | Reviewed by Filip Pizlo. | |
6937 | ||
6938 | Implement String.raw. It is intended to be used with tagged-templates syntax. | |
6939 | To implement ToString abstract operation efficiently, | |
6940 | we introduce @toString bytecode intrinsic. It emits op_to_string directly. | |
6941 | ||
6942 | * CMakeLists.txt: | |
6943 | * builtins/StringConstructor.js: Added. | |
6944 | (raw): | |
6945 | * bytecompiler/NodesCodegen.cpp: | |
6946 | (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString): | |
6947 | * runtime/CommonIdentifiers.h: | |
6948 | * runtime/StringConstructor.cpp: | |
6949 | * tests/stress/string-raw.js: Added. | |
6950 | (shouldBe): | |
6951 | (.get shouldBe): | |
6952 | (Counter): | |
6953 | ||
6954 | 2015-05-12 Ryosuke Niwa <rniwa@webkit.org> | |
6955 | ||
6956 | Temporarily disable the test on Windows. The failure is tracked in webkit.org/b/144897. | |
6957 | ||
6958 | * tests/stress/arith-mul-with-constants.js: | |
6959 | ||
6960 | 2015-05-12 Filip Pizlo <fpizlo@apple.com> | |
6961 | ||
6962 | js/dom/stack-trace.html fails with eager compilation | |
6963 | https://bugs.webkit.org/show_bug.cgi?id=144853 | |
6964 | ||
6965 | Reviewed by Benjamin Poulain. | |
6966 | ||
6967 | All of our escape analyses were mishandling Check(). They were assuming that this is a | |
6968 | non-escaping operation. But, if we do for example a Check(Int32:@x) and @x is an escape | |
6969 | candidate, then we need to do something: if we eliminate or sink @x, then the check no | |
6970 | longer makes any sense since a phantom allocation has no type. This will make us forget | |
6971 | that this operation would have exited. This was causing us to not call a valueOf method in | |
6972 | js/dom/stack-trace.html with eager compilation enabled, because it was doing something like | |
6973 | +o where o had a valueOf method, and o was otherwise sinkable. | |
6974 | ||
6975 | This changes our escape analyses to basically pretend that any Check() that isn't obviously | |
6976 | unnecessary is an escape. We don't have to be super careful here. Most checks will be | |
6977 | completely eliminated by constant-folding. If that doesn't run in time, then the most | |
6978 | common check we will see is CellUse. So, we just recognize some very obvious check kinds | |
6979 | that we know would have passed, and for all of the rest we just assume that it's an escape. | |
6980 | ||
6981 | This was super tricky to test. The obvious way to test it is to use +o like | |
6982 | stack-trace.html, except that doing so relies on the fact that we still haven't implemented | |
6983 | the optimal behavior for op_to_number. So, I take four approaches in testing this patch: | |
6984 | ||
6985 | 1) Use +o. These will test what we want it to test for now, but at some point in the future | |
6986 | these tests will just be a good sanity-check that our op_to_number implementation is | |
6987 | right. | |
6988 | ||
6989 | 2) Do fancy control flow tricks to fool the profiling into thinking that some arithmetic | |
6990 | operation always sees integers even though we eventually feed it an object and that | |
6991 | object is a sink candidate. | |
6992 | ||
6993 | 3) Introduce a new jsc.cpp intrinsic called isInt32() which returns true if the incoming | |
6994 | value is an int32. This intrinsic is required to be implemented by DFG by | |
6995 | unconditionally speculating that the input is int32. This allows us to write much more | |
6996 | targeted tests of the underlying issue. | |
6997 | ||
6998 | 4) I made a version of stack-trace.html that runs in run-jsc-stress-tests, so that we can | |
6999 | get regression test coverage of this test in eager mode. | |
7000 | ||
7001 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
7002 | * dfg/DFGByteCodeParser.cpp: | |
7003 | (JSC::DFG::ByteCodeParser::handleIntrinsic): | |
7004 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
7005 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
7006 | * dfg/DFGVarargsForwardingPhase.cpp: | |
7007 | * ftl/FTLExitValue.cpp: | |
7008 | (JSC::FTL::ExitValue::dumpInContext): | |
7009 | * ftl/FTLLowerDFGToLLVM.cpp: | |
7010 | (JSC::FTL::LowerDFGToLLVM::buildExitArguments): | |
7011 | * ftl/FTLOSRExitCompiler.cpp: | |
7012 | (JSC::FTL::compileFTLOSRExit): | |
7013 | * jsc.cpp: | |
7014 | (GlobalObject::finishCreation): | |
7015 | (functionIsInt32): | |
7016 | * runtime/Intrinsic.h: | |
7017 | * tests/stress/sink-arguments-past-invalid-check-dfg.js: Added. | |
7018 | * tests/stress/sink-arguments-past-invalid-check-int32-dfg.js: Added. | |
7019 | * tests/stress/sink-arguments-past-invalid-check-int32.js: Added. | |
7020 | * tests/stress/sink-arguments-past-invalid-check-sneakier.js: Added. | |
7021 | * tests/stress/sink-arguments-past-invalid-check.js: Added. | |
7022 | * tests/stress/sink-function-past-invalid-check-sneakier.js: Added. | |
7023 | * tests/stress/sink-function-past-invalid-check-sneaky.js: Added. | |
7024 | * tests/stress/sink-object-past-invalid-check-int32.js: Added. | |
7025 | * tests/stress/sink-object-past-invalid-check-sneakier.js: Added. | |
7026 | * tests/stress/sink-object-past-invalid-check-sneaky.js: Added. | |
7027 | * tests/stress/sink-object-past-invalid-check.js: Added. | |
7028 | ||
7029 | 2015-05-12 Benjamin Poulain <benjamin@webkit.org> | |
7030 | ||
7031 | Fix the iteration count of arith-modulo-node-behaviors.js | |
7032 | ||
7033 | * tests/stress/arith-modulo-node-behaviors.js: | |
7034 | No need for big numbers for the real testing. | |
7035 | ||
7036 | 2015-05-12 Mark Lam <mark.lam@apple.com> | |
7037 | ||
7038 | Windows: Cannot use HANDLE from GetCurrentThread() to get the CONTEXT of another thread. | |
7039 | https://bugs.webkit.org/show_bug.cgi?id=144924 | |
7040 | ||
7041 | Reviewed by Alex Christensen. | |
7042 | ||
7043 | The present stack scanning code in the Windows port is expecting that the | |
7044 | GetCurrentThread() API will provide a unique HANDLE for each thread. The code | |
7045 | then saves and later uses that HANDLE with GetThreadContext() to get the | |
7046 | runtime state of the target thread from the GC thread. According to | |
7047 | https://msdn.microsoft.com/en-us/library/windows/desktop/ms683182(v=vs.85).aspx, | |
7048 | GetCurrentThread() does not provide this unique HANDLE that we expect: | |
7049 | ||
7050 | "The function cannot be used by one thread to create a handle that can | |
7051 | be used by other threads to refer to the first thread. The handle is | |
7052 | always interpreted as referring to the thread that is using it. A | |
7053 | thread can create a "real" handle to itself that can be used by other | |
7054 | threads, or inherited by other processes, by specifying the pseudo | |
7055 | handle as the source handle in a call to the DuplicateHandle function." | |
7056 | ||
7057 | As a result of this, GetCurrentThread() always returns the same HANDLE value, and | |
7058 | we end up never scanning the stacks of other threads because we wrongly think that | |
7059 | they are all equal (in identity) to the scanning thread. This, in turn, results | |
7060 | in crashes due to objects that are incorrectly collected. | |
7061 | ||
7062 | The fix is to call DuplicateHandle() to create a HANDLE that we can use. The | |
7063 | MachineThreads::Thread class already accurately tracks the period of time when | |
7064 | we need that HANDLE for the VM. Hence, the life-cycle of the HANDLE can be tied | |
7065 | to the life-cycle of the MachineThreads::Thread object for the corresponding thread. | |
7066 | ||
7067 | * heap/MachineStackMarker.cpp: | |
7068 | (JSC::getCurrentPlatformThread): | |
7069 | (JSC::MachineThreads::Thread::Thread): | |
7070 | (JSC::MachineThreads::Thread::~Thread): | |
7071 | (JSC::MachineThreads::Thread::suspend): | |
7072 | (JSC::MachineThreads::Thread::resume): | |
7073 | (JSC::MachineThreads::Thread::getRegisters): | |
7074 | ||
7075 | 2015-05-12 Benjamin Poulain <bpoulain@apple.com> | |
7076 | ||
7077 | [JSC] Make the NegZero backward propagated flags of ArithMod stricter | |
7078 | https://bugs.webkit.org/show_bug.cgi?id=144897 | |
7079 | ||
7080 | Reviewed by Geoffrey Garen. | |
7081 | ||
7082 | The NegZero flags of ArithMod were the same as ArithDiv: both children were | |
7083 | marked as needing to handle NegativeZero. | |
7084 | ||
7085 | Lucky for us, ArithMod is quite a bit different than ArithDiv. | |
7086 | ||
7087 | First, the sign of the result is completely independent from | |
7088 | the sign of the divisor. A zero on the divisor always produces a NaN. | |
7089 | That's great, we can remove the NodeBytecodeNeedsNegZero | |
7090 | from the flags propagated to child2. | |
7091 | ||
7092 | Second, the sign of the result is always the same as the sign of | |
7093 | the dividend. A dividend of zero produces a zero of same sign | |
7094 | unless the divisor is zero (in which case the result is NaN). | |
7095 | This is great too: we can just pass the flags we got into | |
7096 | ArithMod. | |
7097 | ||
7098 | With those two out of the way, we can make a faster version of ArithRound | |
7099 | for Kraken's oscillator. Since we no longer care about negative zero, | |
7100 | rounding becomes cast<int32>(value + 0.5). This gives ~3% faster runtime | |
7101 | on the benchmark. | |
7102 | ||
7103 | Unfortunately, most of the time is spent in FTL and the same optimization | |
7104 | does not apply well just yet: rdar://problem/20904149. | |
7105 | ||
7106 | * dfg/DFGBackwardsPropagationPhase.cpp: | |
7107 | (JSC::DFG::BackwardsPropagationPhase::propagate): | |
7108 | Never add NodeBytecodeNeedsNegZero unless needed by the users of this node. | |
7109 | ||
7110 | * dfg/DFGSpeculativeJIT.cpp: | |
7111 | (JSC::DFG::SpeculativeJIT::compileArithRound): | |
7112 | Faster Math.round() when negative zero is not important. | |
7113 | ||
7114 | * tests/stress/arith-modulo-node-behaviors.js: Added. | |
7115 | (moduloWithNegativeZeroDividend): | |
7116 | (moduloWithUnusedNegativeZeroDividend): | |
7117 | (moduloWithNegativeZeroDivisor): | |
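
The IEEE-754 behaviour that the ArithMod flag change above relies on, checked at runtime as an added example (this is not code from the WebKit ChangeLog or the JSC tree; `describe`, `moduloTable`, `consumers` and `observesNegativeZero` are names chosen here, and the consumer table is constructed for illustration):

```javascript
// Added example, not part of the WebKit ChangeLog or the JSC sources.
// It checks the facts that justify the ArithMod NegZero flag change:
// the sign of a % b follows the dividend, the divisor can only produce
// NaN, and only some consumers of a value can tell -0 from +0.

// Object.is is the plain way to distinguish -0 from +0; === cannot.
function describe(v) {
  if (Number.isNaN(v)) return "NaN";
  if (v === 0) return Object.is(v, -0) ? "-0" : "+0";
  return String(v);
}

// Sign of dividend % divisor follows the dividend (child1 of ArithMod).
// The divisor (child2) decides only whether the result is NaN; it never
// flips the sign, so a NegZero requirement never has to flow into child2.
function moduloTable(dividend, divisors) {
  return divisors.map((d) => describe(dividend % d));
}

// Math.round keeps a negative zero for inputs in [-0.5, 0), so a consumer
// that can observe -0 forces the rounding code to preserve it.
function roundPreservesNegativeZero(v) {
  return Object.is(Math.round(v), -0);
}

// Sample consumers of a numeric value (constructed for this example).
// Backwards propagation asks this question of each user of a node before
// it sets NodeBytecodeNeedsNegZero on that node's inputs.
const consumers = {
  bitOr: (x) => x | 0,              // int32 conversion drops the sign of zero
  addOne: (x) => x + 1,             // -0 + 1 === +0 + 1
  equalsZero: (x) => x === 0,       // === treats -0 and +0 as equal
  reciprocal: (x) => 1 / x,         // -Infinity vs Infinity
  objectIs: (x) => Object.is(x, -0),
};

// A consumer observes negative zero if feeding it -0 and +0 gives
// distinguishable results.
function observesNegativeZero(consumer) {
  return !Object.is(consumer(-0), consumer(+0));
}

// Names of the consumers in the table that need -0 preserved.
function consumersNeedingNegZero(table) {
  return Object.keys(table).filter((name) => observesNegativeZero(table[name]));
}

// Stand-alone run: the modulo table and the consumers that care about -0.
console.log(moduloTable(-0, [3, -3, 0]));        // [ '-0', '-0', 'NaN' ]
console.log(moduloTable(-6, [3]), moduloTable(5, [-3]));
console.log(consumersNeedingNegZero(consumers));  // [ 'reciprocal', 'objectIs' ]
```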
7118 | ||
7119 | 2015-05-12 Mark Lam <mark.lam@apple.com> | |
7120 | ||
7121 | Refactor MachineStackMarker.cpp so that it's easier to reason about MachineThreads::Thread. | |
7122 | https://bugs.webkit.org/show_bug.cgi?id=144925 | |
7123 | ||
7124 | Reviewed by Michael Saboff. | |
7125 | ||
7126 | Currently, the code in MachineStackMarker.cpp is written as a bunch of functions that | |
7127 | operate on the platformThread value in the MachineThreads::Thread struct. Instead, we | |
7128 | can apply better OO encapsulation and convert all these functions into methods of the | |
7129 | MachineThreads::Thread struct. | |
7130 | ||
7131 | This will also make it easier to reason about the fix for | |
7132 | https://bugs.webkit.org/show_bug.cgi?id=144924 later. | |
7133 | ||
7134 | * heap/MachineStackMarker.cpp: | |
7135 | (JSC::getCurrentPlatformThread): | |
7136 | (JSC::MachineThreads::Thread::createForCurrentThread): | |
7137 | (JSC::MachineThreads::Thread::operator!=): | |
7138 | (JSC::MachineThreads::Thread::operator==): | |
7139 | (JSC::MachineThreads::addCurrentThread): | |
7140 | (JSC::MachineThreads::removeThreadIfFound): | |
7141 | (JSC::MachineThreads::Thread::suspend): | |
7142 | (JSC::MachineThreads::Thread::resume): | |
7143 | (JSC::MachineThreads::Thread::getRegisters): | |
7144 | (JSC::MachineThreads::Thread::Registers::stackPointer): | |
7145 | (JSC::MachineThreads::Thread::freeRegisters): | |
7146 | (JSC::MachineThreads::Thread::captureStack): | |
7147 | (JSC::MachineThreads::tryCopyOtherThreadStack): | |
7148 | (JSC::MachineThreads::tryCopyOtherThreadStacks): | |
7149 | (JSC::equalThread): Deleted. | |
7150 | (JSC::suspendThread): Deleted. | |
7151 | (JSC::resumeThread): Deleted. | |
7152 | (JSC::getPlatformThreadRegisters): Deleted. | |
7153 | (JSC::otherThreadStackPointer): Deleted. | |
7154 | (JSC::freePlatformThreadRegisters): Deleted. | |
7155 | (JSC::otherThreadStack): Deleted. | |
7156 | ||
7157 | 2015-05-12 Ryosuke Niwa <rniwa@webkit.org> | |
7158 | ||
7159 | Array.slice should have a fast path like Array.splice | |
7160 | https://bugs.webkit.org/show_bug.cgi?id=144901 | |
7161 | ||
7162 | Reviewed by Geoffrey Garen. | |
7163 | ||
7164 | Add a fast memcpy path to Array.prototype.slice as done for Array.prototype.splice. | |
7165 | In Kraken, this appears to be a 30% win on stanford-crypto-ccm and a 10% win on stanford-crypto-pbkdf2. | |
7166 | ||
7167 | * runtime/ArrayPrototype.cpp: | |
7168 | (JSC::arrayProtoFuncSlice): | |
7169 | * runtime/JSArray.cpp: | |
7170 | (JSC::JSArray::fastSlice): Added. | |
7171 | * runtime/JSArray.h: | |
7172 | ||
7173 | 2015-05-11 Filip Pizlo <fpizlo@apple.com> | |
7174 | ||
7175 | OSR availability analysis would be more scalable (and correct) if it did more liveness pruning | |
7176 | https://bugs.webkit.org/show_bug.cgi?id=143078 | |
7177 | ||
7178 | Reviewed by Andreas Kling. | |
7179 | ||
7180 | In https://bugs.webkit.org/show_bug.cgi?id=144883, we found an example of where liveness | |
7181 | pruning is actually necessary. Well, not quite: we just need to prune out keys from the | |
7182 | heap availability map where the base node doesn't dominate the point where we are asking | |
7183 | for availability. If we don't do this, then eventually the IR gets corrupt because we'll | |
7184 | insert PutHints that reference the base node in places where the base node doesn't | |
7185 | dominate. But if we're going to do any pruning, then it makes sense to prune by bytecode | |
7186 | liveness. This is the strongest possible pruning we can do, and it should be sound. We | |
7187 | shouldn't have a node available for a virtual register if that register is live and the | |
7188 | node doesn't dominate. | |
7189 | ||
7190 | Making this work meant reusing the prune-to-liveness algorithm from the FTL backend. So, I | |
7191 | abstracted this a bit better. You can now call availabilityMap.pruneByLiveness(graph, origin). | |
7192 | ||
7193 | * dfg/DFGAvailabilityMap.cpp: | |
7194 | (JSC::DFG::AvailabilityMap::pruneHeap): | |
7195 | (JSC::DFG::AvailabilityMap::pruneByLiveness): | |
7196 | (JSC::DFG::AvailabilityMap::prune): Deleted. | |
7197 | * dfg/DFGAvailabilityMap.h: | |
7198 | * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: | |
7199 | (JSC::DFG::OSRAvailabilityAnalysisPhase::run): | |
7200 | * ftl/FTLLowerDFGToLLVM.cpp: | |
7201 | (JSC::FTL::LowerDFGToLLVM::buildExitArguments): | |
7202 | * tests/stress/liveness-pruning-needed-for-osr-availability.js: Added. This is a proper regression test. | |
7203 | * tests/stress/liveness-pruning-needed-for-osr-availability-eager.js: Added. This is the original reduced test case, requires eager-no-cjit to fail prior to this changeset. | |
7204 | ||
7205 | 2015-05-12 Gabor Loki <loki@webkit.org> | |
7206 | ||
7207 | Workaround for Cortex-A53 erratum 843419 | |
7208 | https://bugs.webkit.org/show_bug.cgi?id=144680 | |
7209 | ||
7210 | Reviewed by Michael Saboff. | |
7211 | ||
7212 | This patch gives a simple workaround for Cortex-A53 erratum 843419. | |
7213 | It inserts nops after ADRP instruction to avoid wrong address accesses. | |
7214 | ||
7215 | * assembler/ARM64Assembler.h: | |
7216 | (JSC::ARM64Assembler::adrp): | |
7217 | (JSC::ARM64Assembler::nopCortexA53Fix843419): | |
7218 | ||
7219 | 2015-05-11 Commit Queue <commit-queue@webkit.org> | |
7220 | ||
7221 | Unreviewed, rolling out r184009. | |
7222 | https://bugs.webkit.org/show_bug.cgi?id=144900 | |
7223 | ||
7224 | Caused crashes on inspector tests (Requested by ap on | |
7225 | #webkit). | |
7226 | ||
7227 | Reverted changeset: | |
7228 | ||
7229 | "MapDataImpl::add() shouldn't do the same hash lookup twice." | |
7230 | https://bugs.webkit.org/show_bug.cgi?id=144759 | |
7231 | http://trac.webkit.org/changeset/184009 | |
7232 | ||
7233 | 2015-05-11 Commit Queue <commit-queue@webkit.org> | |
7234 | ||
7235 | Unreviewed, rolling out r184123. | |
7236 | https://bugs.webkit.org/show_bug.cgi?id=144899 | |
7237 | ||
7238 | Seems to have introduced flaky crashes in many JS tests | |
7239 | (Requested by rniwa on #webkit). | |
7240 | ||
7241 | Reverted changeset: | |
7242 | ||
7243 | "REGRESSION(r180595): same-callee profiling no longer works" | |
7244 | https://bugs.webkit.org/show_bug.cgi?id=144787 | |
7245 | http://trac.webkit.org/changeset/184123 | |
7246 | ||
7247 | 2015-05-11 Brent Fulgham <bfulgham@apple.com> | |
7248 | ||
7249 | [Win] Move Windows build target to Windows 7 (or newer) | |
7250 | https://bugs.webkit.org/show_bug.cgi?id=144890 | |
7251 | <rdar://problem/20707307> | |
7252 | ||
7253 | Reviewed by Anders Carlsson. | |
7254 | ||
7255 | Update linked SDK and minimal Windows level to be compatible with | |
7256 | Windows 7 or newer. | |
7257 | ||
7258 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
7259 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
7260 | * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: | |
7261 | * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: | |
7262 | * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: | |
7263 | * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: | |
7264 | * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: | |
7265 | * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: | |
7266 | * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: | |
7267 | * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: | |
7268 | * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: | |
7269 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: | |
7270 | * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: | |
7271 | * config.h: | |
7272 | ||
7273 | 2015-05-08 Filip Pizlo <fpizlo@apple.com> | |
7274 | ||
7275 | CPS rethreading phase's flush detector flushes way too many SetLocals | |
7276 | https://bugs.webkit.org/show_bug.cgi?id=144819 | |
7277 | ||
7278 | Reviewed by Geoffrey Garen. | |
7279 | ||
7280 | After probably unrelated changes, this eventually caused some arguments elimination to stop | |
7281 | working because it would cause more SetLocals to turn into PutStacks. But it was a bug for | |
7282 | a long time. Basically, we don't want the children of a SetLocal to be flushed. Flushing is | |
7283 | meant to only affect the SetLocal itself. | |
7284 | ||
7285 | This is a speed-up on Octane/earley. | |
7286 | ||
7287 | * dfg/DFGCPSRethreadingPhase.cpp: | |
7288 | (JSC::DFG::CPSRethreadingPhase::computeIsFlushed): | |
7289 | ||
7290 | 2015-05-11 Filip Pizlo <fpizlo@apple.com> | |
7291 | ||
7292 | gmail and google maps fail to load with eager compilation: Failed to insert inline cache for varargs call (specifically, CallForwardVarargs) because we thought the size would be 250 but it ended up being 262 prior to compaction. | |
7293 | https://bugs.webkit.org/show_bug.cgi?id=144854 | |
7294 | ||
7295 | Reviewed by Oliver Hunt. | |
7296 | ||
7297 | This is easy: just lift the threshold. Also remove the need for some duplicate thresholds. | |
7298 | It used to be that Construct required less code, but that's not the case for now. | |
7299 | ||
7300 | * ftl/FTLInlineCacheSize.cpp: | |
7301 | (JSC::FTL::sizeOfCallForwardVarargs): | |
7302 | (JSC::FTL::sizeOfConstructVarargs): | |
7303 | (JSC::FTL::sizeOfConstructForwardVarargs): | |
7304 | ||
7305 | 2015-05-11 Ryosuke Niwa <rniwa@webkit.org> | |
7306 | ||
7307 | REGRESSION(r180595): same-callee profiling no longer works | |
7308 | https://bugs.webkit.org/show_bug.cgi?id=144787 | |
7309 | ||
7310 | Reviewed by Michael Saboff. | |
7311 | ||
7312 | This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is | |
7313 | always the same JSFunction. This condition doesn't hold when the byte code creates multiple | |
7314 | JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y(); | |
7315 | ||
7316 | To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly | |
7317 | added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying | |
7318 | our speculation that the callee is the same. To avoid recompiling the same code for different callee | |
7319 | objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in | |
7320 | LLint and baseline JIT when multiple callees are observed. | |
7321 | ||
7322 | Tests: stress/create-this-with-callee-variants.js | |
7323 | ||
7324 | * bytecode/BytecodeList.json: Increased the number of operands to 5. | |
7325 | * bytecode/BytecodeUseDef.h: | |
7326 | (JSC::computeUsesForBytecodeOffset): op_create_this uses 2nd (constructor) and 4th (callee cache) | |
7327 | operands. | |
7328 | * bytecode/CodeBlock.cpp: | |
7329 | (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache. | |
7330 | (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive. | |
7331 | * bytecompiler/BytecodeGenerator.cpp: | |
7332 | (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that | |
7333 | we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added | |
7334 | operand. | |
7335 | * dfg/DFGByteCodeParser.cpp: | |
7336 | (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to | |
7337 | match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit. | |
7338 | * jit/JITOpcodes.cpp: | |
7339 | (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked | |
7340 | as seenMultipleCalleeObjects() to indicate the polymorphic behavior. | |
7341 | (JSC::JIT::emitSlow_op_create_this): | |
7342 | * jit/JITOpcodes32_64.cpp: | |
7343 | (JSC::JIT::emit_op_create_this): Ditto. | |
7344 | (JSC::JIT::emitSlow_op_create_this): | |
7345 | * llint/LowLevelInterpreter32_64.asm: | |
7346 | (_llint_op_create_this): Ditto. | |
7347 | * llint/LowLevelInterpreter64.asm: | |
7348 | (_llint_op_create_this): Ditto. | |
7349 | * runtime/CommonSlowPaths.cpp: | |
7350 | (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has | |
7351 | been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects(). | |
7352 | * runtime/JSCell.h: | |
7353 | (JSC::JSCell::seenMultipleCalleeObjects): Added. | |
7354 | * runtime/WriteBarrier.h: | |
7355 | (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it. | |
7356 | * tests/stress/create-this-with-callee-variants.js: Added. | |
7357 | ||
7358 | 2015-05-11 Andreas Kling <akling@apple.com> | |
7359 | ||
7360 | PropertyNameArray should use a Vector when there are few entries. | |
7361 | <https://webkit.org/b/144874> | |
7362 | ||
7363 | Reviewed by Geoffrey Garen. | |
7364 | ||
7365 | Bring back an optimization that was lost in the for-in refactoring. | |
7366 | PropertyNameArray now holds a Vector<AtomicStringImpl*> until there are | |
7367 | enough (20) entries to justify converting to a HashSet for contains(). | |
7368 | ||
7369 | Also inlined the code while we're here, since it has so few clients and | |
7370 | the call overhead adds up. | |
7371 | ||
7372 | ~5% progression on Kraken/json-stringify-tinderbox. | |
7373 | ||
7374 | * runtime/PropertyNameArray.cpp: Removed. | |
7375 | * runtime/PropertyNameArray.h: | |
7376 | (JSC::PropertyNameArray::canAddKnownUniqueForStructure): | |
7377 | (JSC::PropertyNameArray::add): | |
7378 | (JSC::PropertyNameArray::addKnownUnique): | |
7379 | ||
7380 | 2015-05-11 Matt Baker <mattbaker@apple.com> | |
7381 | ||
7382 | Web Inspector: REGRESSION (r175203): No profile information is shown in Inspector | |
7383 | https://bugs.webkit.org/show_bug.cgi?id=144808 | |
7384 | ||
7385 | Reviewed by Darin Adler. | |
7386 | ||
7387 | Since a profile can be started after a timeline recording has already begun, we can't assume a zero start time. | |
7388 | The start time for the root node's call entry should be based on the stopwatch used by the ProfileGenerator. | |
7389 | ||
7390 | * profiler/Profile.cpp: | |
7391 | (JSC::Profile::create): | |
7392 | (JSC::Profile::Profile): | |
7393 | * profiler/Profile.h: | |
7394 | * profiler/ProfileGenerator.cpp: | |
7395 | (JSC::ProfileGenerator::ProfileGenerator): | |
7396 | (JSC::AddParentForConsoleStartFunctor::operator()): | |
7397 | ||
7398 | 2015-05-11 Basile Clement <basile_clement@apple.com> | |
7399 | ||
7400 | Unreviewed, remove unintended change. | |
7401 | ||
7402 | * dfg/DFGAbstractInterpreterInlines.h: | |
7403 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
7404 | ||
7405 | 2015-05-11 Filip Pizlo <fpizlo@apple.com> | |
7406 | ||
7407 | Make it easy to enable eager/non-concurrent JIT compilation | |
7408 | https://bugs.webkit.org/show_bug.cgi?id=144877 | |
7409 | ||
7410 | Reviewed by Michael Saboff. | |
7411 | ||
7412 | * runtime/Options.cpp: | |
7413 | (JSC::recomputeDependentOptions): | |
7414 | * runtime/Options.h: | |
7415 | ||
2015-05-10  Filip Pizlo  <fpizlo@apple.com>

        We shouldn't promote LoadVarargs to a sequence of GetStacks and PutStacks if doing so would exceed the LoadVarargs' limit
        https://bugs.webkit.org/show_bug.cgi?id=144851

        Reviewed by Michael Saboff.

        LoadVarargs loads arguments from some object and puts them on the stack. The region of
        stack is controlled by a bunch of meta-data, including InlineCallFrame. InlineCallFrame
        shouldn't really be edited after ByteCodeParser, so we cannot convert LoadVarargs to
        something that uses more stack than the LoadVarargs wanted to.

        This check was missing in the ArgumentsEliminationPhase's LoadVarargs->GetStack+PutStack
        promoter. This is an important promotion rule for performance, and in cases where we are
        compiling truly hot code, the LoadVarargs limit will be at least as big as the length of
        the phantom arguments array that this phase sees. The LoadVarargs limit is based on
        profiling and the phantom arguments array is a proof; in most cases the profiling is more
        conservative.

        But, you could write some crazy code where the statically obvious arguments array value is
        bigger than what the profiling would have told you. When this happens, this promotion
        effectively removes a bounds check. This either results in us clobbering a bunch of stack,
        or it means that we never initialize a region of the stack that a later operation will read
        (the uninitialization happens because PutStackSinkingPhase removes PutStacks that appear
        unnecessary, and a GetMyArgumentByVal will claim not to use the region of the stack outside
        the original LoadVarargs limit).

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * tests/stress/load-varargs-elimination-bounds-check-barely.js: Added.
        (foo):
        (bar):
        (baz):
        * tests/stress/load-varargs-elimination-bounds-check.js: Added.
        (foo):
        (bar):
        (baz):

2015-05-11  Andreas Kling  <akling@apple.com>

        JSON.stringify shouldn't use generic get() to access Array.length
        <https://webkit.org/b/144847>

        Reviewed by Geoffrey Garen.

        If the value being serialized is a JSArray object, we can downcast and call its
        length() directly instead of doing a generic property lookup.

        0.5% progression on Kraken/json-stringify-tinderbox.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):

2015-05-10  Andreas Kling  <akling@apple.com>

        Remove unnecessary AtomicStringImpl* hash specification in PropertyNameArray.

        Follow up to r184050 suggested by Darin.

        * runtime/PropertyNameArray.h:

2015-05-10  Andreas Kling  <akling@apple.com>

        Remove unused things from PropertyNameArray.
        <https://webkit.org/b/144834>

        Reviewed by Filip Pizlo.

        PropertyNameArray had a bunch of bells and whistles added to it when for-in iteration
        was refactored and optimized last year. Then more refactoring happened and this class
        doesn't need to ring and toot anymore.

        The RefCountedIdentifierSet class disappears since the JSPropertyNameEnumerator wasn't
        actually using it for anything and we were just wasting time creating these.

        Also made the member functions take AtomicStringImpl* instead of plain StringImpl*.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties): Deleted.
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::addKnownUnique):
        (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
        (JSC::RefCountedIdentifierSet::contains): Deleted.
        (JSC::RefCountedIdentifierSet::size): Deleted.
        (JSC::RefCountedIdentifierSet::add): Deleted.
        (JSC::PropertyNameArray::identifierSet): Deleted.
        (JSC::PropertyNameArray::numCacheableSlots): Deleted.
        (JSC::PropertyNameArray::setNumCacheableSlotsForObject): Deleted.
        (JSC::PropertyNameArray::setBaseObject): Deleted.
        (JSC::PropertyNameArray::setPreviouslyEnumeratedLength): Deleted.

2015-05-09  Yoav Weiss  <yoav@yoav.ws>

        Remove the PICTURE_SIZES build flag
        https://bugs.webkit.org/show_bug.cgi?id=144679

        Reviewed by Benjamin Poulain.

        Removed the PICTURE_SIZES build time flag.

        * Configurations/FeatureDefines.xcconfig:

2015-05-08  Filip Pizlo  <fpizlo@apple.com>

        Extend the SaneChain optimization to Contiguous arrays
        https://bugs.webkit.org/show_bug.cgi?id=144664

        Reviewed by Mark Lam.

        Previously if you loaded from a hole, you'd either have to take slow path for the array
        load (which means C++ calls and prototype chain walks) or you'd exit (if you hadn't
        gathered the necessary profiling yet). But that's unnecessary if we know that the
        prototype chain is sane - i.e. has no indexed properties. Then we can just return
        Undefined for the hole.

        Making this change requires setting more watchpoints on the array prototype chain. But
        that hit a horrible bug: ArrayPrototype still uses the static lookup tables and builds
        itself up lazily. This means that this increased the number of recompilations we'd get
        due to the array prototype chain being built up.

        So, this change also removes the laziness and static tables from ArrayPrototype.

        But to make that change, I also had to add a helper for eagerly building up a prototype
        that has builtin functions.

        * CMakeLists.txt:
        * DerivedSources.make:
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::ArrayPrototype::getOwnPropertySlot): Deleted.
        * runtime/ArrayPrototype.h:
        * runtime/JSObject.h:

2015-05-08  Michael Saboff  <msaboff@apple.com>

        Creating a large MarkedBlock sometimes results in more than one cell in the block
        https://bugs.webkit.org/show_bug.cgi?id=144815

        Reviewed by Mark Lam.

        Large MarkedBlocks should have one and only one cell. Changed the calculation of
        m_endAtom for large blocks to use the location of the first cell + 1. This
        assures that large blocks only have one cell.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):

2015-05-08  Oliver Hunt  <oliver@apple.com>

        MapDataImpl::add() shouldn't do the same hash lookup twice.
        https://bugs.webkit.org/show_bug.cgi?id=144759

        Reviewed by Gavin Barraclough.

        We don't actually need to do a double lookup here, all we need to
        do is update the index to point to the correct m_size.

        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::add):

2015-05-08  Andreas Kling  <akling@apple.com>

        Micro-optimize JSON serialization of string primitives.
        <https://webkit.org/b/144800>

        Reviewed by Sam Weinig.

        Don't use the out-of-line JSValue::getString() to grab at string primitives
        in serialization. Just check if it's a JSString and then downcast to grab at
        the WTF::String inside.

        2% progression on Kraken/json-stringify-tinderbox.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2015-05-08  Andreas Kling  <akling@apple.com>

        Optimize serialization of quoted JSON strings.
        <https://webkit.org/b/144754>

        Reviewed by Darin Adler.

        Optimized the serialization of quoted strings into JSON by moving the logic into
        StringBuilder so it can make smarter decisions about buffering.

        12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.)

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::toString): Use the new StringBuilder API.

        * runtime/JSONObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::appendStringToStringBuilder): Deleted.
        (JSC::appendQuotedJSONStringToBuilder): Deleted.
        (JSC::Stringifier::appendQuotedString): Deleted.
        (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic
        to StringBuilder and call that from here.

2015-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r183961.
        https://bugs.webkit.org/show_bug.cgi?id=144784

        Broke js/dom/JSON-stringify.html (Requested by kling on
        #webkit).

        Reverted changeset:

        "Optimize serialization of quoted JSON strings."
        https://bugs.webkit.org/show_bug.cgi?id=144754
        http://trac.webkit.org/changeset/183961

2015-05-07  Filip Pizlo  <fpizlo@apple.com>

        GC has trouble with pathologically large array allocations
        https://bugs.webkit.org/show_bug.cgi?id=144609

        Reviewed by Geoffrey Garen.

        The bug was that SlotVisitor::copyLater() would return early for oversize blocks (right
        after pinning them), and would skip the accounting. The GC calculates the size of the heap
        in tandem with the scan to save time, and that accounting was part of how the GC would
        know how big the heap was. The GC would then think that oversize copied blocks use no
        memory, and would then mess up its scheduling of the next GC.

        Fixing this bug is harder than it seems. When running an eden GC, we figure out the heap
        size by summing the size from the last collection and the size by walking the eden heap.
        But this breaks when we eagerly delete objects that the last collection touched. We can do
        that in one corner case: copied block reallocation. The old block will be deleted from old
        space during the realloc and a new block will be allocated in new space. In order for the
        GC to know that the size of old space actually shrank, we need a field to tell us how much
        such shrinkage could occur. Since this is a very dirty corner case and it only works for
        very particular reasons arising from the special properties of copied space (single owner,
        and the realloc is used in places where the compiler already knows that it cannot register
        allocate a pointer to the old block), I opted for an equally dirty shrinkage counter
        devoted just to this case. It's called bytesRemovedFromOldSpaceDueToReallocation.

        To test this, I needed to add an Option to force a particular RAM size in the GC. This
        allows us to write tests that assert that the GC heap size is some value X, without
        worrying about machine-to-machine variations due to GC heuristics changing based on RAM
        size.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace): Initialize the dirty shrinkage counter.
        (JSC::CopiedSpace::tryReallocateOversize): Bump the dirty shrinkage counter.
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::takeBytesRemovedFromOldSpaceDueToReallocation): Swap out the counter. Used by the GC when it does its accounting.
        * heap/Heap.cpp:
        (JSC::Heap::Heap): Allow the user to force the RAM size.
        (JSC::Heap::updateObjectCounts): Use the dirty shrinkage counter to good effect. Also, make this code less confusing.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory.
        * jsc.cpp: Add size measuring hooks to write the largeish test.
        (GlobalObject::finishCreation):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):
        (functionHeapSize):
        * runtime/Options.h:
        * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test.
        * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory.
        (foo):
        (test):

2015-05-07  Saam Barati  <saambarati1@gmail.com>

        Global functions should be initialized as JSFunctions in byte code
        https://bugs.webkit.org/show_bug.cgi?id=144178

        Reviewed by Geoffrey Garen.

        This patch makes the initialization of global functions more explicit by
        moving initialization into bytecode. It also prepares JSC for having ES6
        style lexical scoping because initializing global functions in bytecode
        easily allows global functions to be initialized with the proper scope that
        will have access to global lexical variables. Global lexical variables
        should be visible to global functions but don't live on the global object.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:

2015-05-07  Benjamin Poulain  <bpoulain@apple.com>

        Fix the x86 32bits build

        * assembler/X86Assembler.h:

2015-05-07  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Add basic DFG/FTL support for Math.round
        https://bugs.webkit.org/show_bug.cgi?id=144725

        Reviewed by Filip Pizlo.

        This patch adds two optimizations targeting Math.round():
        -Add a DFGNode ArithRound corresponding to the intrinsic RoundIntrinsic.
        -Change the MacroAssembler to be stricter on how we fail to convert a double
        to integer. Previously, any number valued zero would fail, now we only
        fail for -0.

        Since ArithRound speculates it produces int32, the MacroAssembler
        part became necessary because zero is a pretty common output of Math.round()
        and we would OSR exit a lot (and eventually recompile for doubles).

        The implementation itself of the inline Math.round() is exactly the same
        as the C function that exists for Math.round(). We can very likely do better
        but it is a good start known to be valid and inlining alone already provides
        significant speedups.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movmskpd_rr):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
        When we have a zero, get the sign bit out of the double and check if it is one.

        I'll look into doing the same improvement for ARM.

        * bytecode/SpeculatedType.cpp:
        (JSC::typeOfDoubleRounding):
        (JSC::typeOfDoubleFRound): Deleted.
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::roundShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasArithMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRound):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::convertDoubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleAsInt32):
        (JSC::FTL::LowerDFGToLLVM::compileArithRound):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::ceil64):
        * jit/ThunkGenerators.cpp:
        * runtime/MathCommon.cpp:
        * runtime/MathCommon.h:
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncRound):
        * tests/stress/math-round-basics.js: Added.
        (mathRoundOnIntegers):
        (mathRoundOnDoubles):
        (mathRoundOnBooleans):
        (uselessMathRound):
        (mathRoundWithOverflow):
        (mathRoundConsumedAsDouble):
        (mathRoundDoesNotCareAboutMinusZero):
        (mathRoundNoArguments):
        (mathRoundTooManyArguments):
        (testMathRoundOnConstants):
        (mathRoundStructTransition):
        (Math.round):

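The int32 speculation described in the entry above, as an added JavaScript example that is not part of the WebKit patch: it models the double-to-int32 check the MacroAssembler makes after the change, where a zero result only fails the conversion when its sign bit is set, and applies it to Math.round() results to show which inputs would still force the double path. The function names and the DataView sign-bit read are assumptions of this example.

```javascript
// Added example, not JSC code. Models the post-patch rule: a Math.round()
// result can stay on the int32 path unless it is non-integral, out of int32
// range, or -0 (the only zero that must fail, since int32 has no -0).

const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Reads the sign bit of a double the way the assembler does after the patch:
// look at the top bit of the 64-bit IEEE-754 pattern (big-endian DataView,
// so byte 0 holds the sign bit).
function signBitIsSet(d) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, d);
  return (view.getUint8(0) & 0x80) !== 0;
}

// True if `d` can be handed to int32 code without losing information.
function convertsToInt32(d) {
  if (!Number.isFinite(d)) return false;          // NaN, +Infinity, -Infinity
  if (d !== Math.trunc(d)) return false;          // fractional part present
  if (d < INT32_MIN || d > INT32_MAX) return false;
  if (d === 0 && signBitIsSet(d)) return false;   // -0: the case the patch isolates
  return true;
}

// Classifies a Math.round() result: "int32" when the speculation holds,
// "double" when the compiled code would have to OSR exit.
function roundSpeculation(x) {
  const r = Math.round(x);
  return { result: r, path: convertsToInt32(r) ? "int32" : "double" };
}

// Constructed sample inputs; +0 results (from 0.3) stay on the int32 path,
// while -0 results (from -0.3 and -0.5) do not.
const SAMPLES = [0.3, -0.3, -0.5, 2.5, -2.5, 2 ** 31, NaN];
function classifySamples() {
  return SAMPLES.map(roundSpeculation);
}
```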
2015-05-07  Saam Barati  <saambarati1@gmail.com>

        exceptionFuzz tests should explicitly initialize the exceptionFuzz boolean in JavaScript code through a function in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=144753

        Reviewed by Mark Lam.

        This allows the BytecodeGenerator to freely emit startup code that "may"
        throw exceptions without worrying that this startup code will trigger
        the exceptionFuzz exception. The exceptionFuzz counter will only begin
        ticking when the 'enableExceptionFuzz' function is explicitly called in
        the exceptionFuzz tests.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionEnableExceptionFuzz):
        * tests/exceptionFuzz/3d-cube.js:
        * tests/exceptionFuzz/date-format-xparb.js:
        * tests/exceptionFuzz/earley-boyer.js:

2015-05-07  Andreas Kling  <akling@apple.com>

        Optimize serialization of quoted JSON strings.
        <https://webkit.org/b/144754>

        Reviewed by Darin Adler.

        Optimized the serialization of quoted strings into JSON by moving the logic into
        StringBuilder so it can make smarter decisions about buffering.

        12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.)

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::toString): Use the new StringBuilder API.

        * runtime/JSONObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::appendStringToStringBuilder): Deleted.
        (JSC::appendQuotedJSONStringToBuilder): Deleted.
        (JSC::Stringifier::appendQuotedString): Deleted.
        (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic
        to StringBuilder and call that from here.

2015-05-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        FunctionCallBracketNode should store the base value to the temporary when subscript has assignment
        https://bugs.webkit.org/show_bug.cgi?id=144678

        Reviewed by Geoffrey Garen.

        Currently, FunctionCallBracketNode directly uses the RegisterID returned by emitNode.
        But if the base part is the local register and the subscript part has assignment to it, the base result is accidentally rewritten.

        function t() { var ok = {null: function () { } }; ok[ok = null](); }
        t(); // Should not throw error.

        This patch takes care of `subscriptHasAssignment`.
        By using `emitNodeForLeftHandSide`, when there's assignment to local variables in RHS,
        it correctly moves the LHS value to a temporary register.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallBracketNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/NodeConstructors.h:
        (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
        * parser/Nodes.h:
        * tests/stress/assignment-in-function-call-bracket-node.js: Added.
        (shouldBe):
        (shouldBe.):

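The evaluation order the entry above relies on, as an added JavaScript example that is not the patch's own test: in `base[subscript](...)` the base value is read before the subscript and the arguments are evaluated, so an assignment to the same local inside the subscript changes neither the callee nor its `this`. It goes beyond the single `ok[ok = null]()` case to cover a same-named decoy object and an assignment in the argument list; the case names are this example's own.

```javascript
// Added example, not from WebKit. Each case returns what a correct engine
// must observe; the bug fixed in the entry would have made case 1 throw
// (calling a method on null) and case 2 call the wrong object.
function evaluationOrderCases() {
  const results = {};

  // Case 1: the entry's own example. `ok` becomes null while the subscript
  // is evaluated (and `null` stringifies to the key "null"), yet the call
  // goes to the original object with the original object as `this`.
  var ok = { null: function () { return this; } };
  const first = ok;
  results.callsOriginal = ok[ok = null]() === first;
  results.localIsNullAfterwards = ok === null;

  // Case 2: the subscript swaps the local for a decoy with a same-named
  // method. The already-captured base, not the decoy, must be called.
  const target = { m: function () { return "target"; } };
  const decoy = { m: function () { return "decoy"; } };
  var obj = target;
  results.ignoresDecoy = obj[(obj = decoy, "m")]() === "target";

  // Case 3: arguments are evaluated after base and subscript, so an
  // assignment there cannot affect the callee either.
  const holder = { f: function (x) { return x; } };
  var h = holder;
  results.argsAfterBase = h.f((h = null, 42)) === 42 && h === null;

  return results;
}
```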
2015-05-07  Basile Clement  <basile_clement@apple.com>

        Unreviewed, add missing braces on a single-line if that got expanded in r183939

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):

2015-05-05  Myles C. Maxfield  <mmaxfield@apple.com>

        Revert "Introducing the Platform Abstraction Layer (PAL)"
        https://bugs.webkit.org/show_bug.cgi?id=144751

        Unreviewed.

        PAL should be a new target inside WebCore, rather than a top-level folder.

        * Configurations/FeatureDefines.xcconfig: Updated

2015-05-07  Basile Clement  <basile_clement@apple.com>

        Dumping OSR ExitValue should expand materializations only once
        https://bugs.webkit.org/show_bug.cgi?id=144694

        Reviewed by Filip Pizlo.

        Currently, dumping OSR exit values will print the full materialization
        information each time it is encountered. We change it to print only a
        brief description (only the materialization's address), and print the
        whole set of materializations later on.

        This makes the dump less confusing (less likely to think that two
        instances of the same materialization are different), and will be a
        necessary change if/when we support materialization cycles.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):

2015-05-07  Andreas Kling  <akling@apple.com>

        Worker threads leak WeakBlocks (as seen on leaks bot)
        <https://webkit.org/b/144721>
        <rdar://problem/20848288>

        Reviewed by Darin Adler.

        Nuke any remaining empty WeakBlocks when the Heap is being torn down.
        Trying to peek into these blocks after the VM is dead would be a bug anyway.

        This fixes a ~750 KB leak seen on the leaks bot.

        * heap/Heap.cpp:
        (JSC::Heap::~Heap):

2015-05-05  Geoffrey Garen  <ggaren@apple.com>

        Don't branch when accessing the callee
        https://bugs.webkit.org/show_bug.cgi?id=144645

        Reviewed by Michael Saboff.

        The branch was added in <http://trac.webkit.org/changeset/81040> without
        explanation.

        kling found it to be a performance problem. See <https://webkit.org/b/144586>.

        Our theory of access to Registers is that it's up to the client to access
        them in the right way. So, let's do that.

        * interpreter/CallFrame.h:
        (JSC::ExecState::callee):
        (JSC::ExecState::setCallee): Call the field object instead of function
        because nothing guarantees that it's a function.
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::callee):
        (JSC::ProtoCallFrame::setCallee):
        * interpreter/Register.h:
        * runtime/JSObject.h:
        (JSC::Register::object): Just do a cast like our other accessors do.
        (JSC::Register::operator=):
        (JSC::Register::function): Deleted.
        (JSC::Register::withCallee): Deleted.

2015-05-07  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/19317140> [Xcode] Remove usage of AspenFamily.xcconfig in Source/
        https://bugs.webkit.org/show_bug.cgi?id=144727

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig: Don’t include AspenFamily.xcconfig, and define
        INSTALL_PATH_PREFIX and LD_DYLIB_INSTALL_NAME for the iOS 8.x Simulator.

2015-05-07  Andreas Kling  <akling@apple.com>

        Special-case Int32 values in JSON.stringify().
        <https://webkit.org/b/144731>

        Reviewed by Michael Saboff.

        Add a fast path for serializing Int32 values to JSON. This is far faster than dragging
        simple integers through the full-blown dtoa() machinery.

        ~50% speedup on Kraken/json-stringify-tinderbox.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2015-05-06  Ryosuke Niwa  <rniwa@webkit.org>

        ToT WebKit crashes while loading ES6 compatibility table
        https://bugs.webkit.org/show_bug.cgi?id=144726

        Reviewed by Filip Pizlo.

        The bug was caused by parseClass superfluously avoiding building up the string after seeing {.

        Always build the identifier here as it could be a method name.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-05-05  Filip Pizlo  <fpizlo@apple.com>

        Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase
        https://bugs.webkit.org/show_bug.cgi?id=144665

        Reviewed by Michael Saboff.

        This is a step towards getting rid of WatchpointCollectionPhase. It's also a step towards
        extending SaneChain to all indexing shapes.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
        (JSC::DFG::FixupPhase::checkArray): Clarify the need for checking the structure. We often forget why we do this instead of always using CheckArray.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle): Remove some code.
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal): Deleted.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.

2015-04-02  Myles C. Maxfield  <mmaxfield@apple.com>

        Introducing the Platform Abstraction Layer (PAL)
        https://bugs.webkit.org/show_bug.cgi?id=143358

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Updated

2015-05-06  Andreas Kling  <akling@apple.com>

        Don't allocate a StringImpl for every Number JSValue in JSON.stringify().
        <https://webkit.org/b/144676>

        Reviewed by Darin Adler.

        We were creating a new String for every number JSValue passing through the JSON stringifier.
        These StringImpl allocations were dominating one of the Kraken JSON benchmarks.
        Optimize this by using StringBuilder::appendECMAScriptNumber() which uses a stack buffer
        for the conversion instead.

        13% progression on Kraken/json-stringify-tinderbox.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2015-05-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r183847.
        https://bugs.webkit.org/show_bug.cgi?id=144691

        Caused many assertion failures (Requested by ap on #webkit).

        Reverted changeset:

        "GC has trouble with pathologically large array allocations"
        https://bugs.webkit.org/show_bug.cgi?id=144609
        http://trac.webkit.org/changeset/183847

2015-05-05  Filip Pizlo  <fpizlo@apple.com>

        PutGlobalVar shouldn't have an unconditional store barrier
        https://bugs.webkit.org/show_bug.cgi?id=133104

        Reviewed by Benjamin Poulain.

        We don't need a store barrier on PutGlobalVar if the value being stored can be
        speculated to not be a cell.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2015-05-05  Filip Pizlo  <fpizlo@apple.com>

        CopiedBlock::reportLiveBytes() should be totally cool with oversize blocks
        https://bugs.webkit.org/show_bug.cgi?id=144667

        Reviewed by Andreas Kling.

        We are now calling this method for oversize blocks. It had an assertion that indirectly
        implied that the block is not oversize, because it was claiming that the number of live
        bytes should be smaller than the non-oversize-block size.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):

2015-05-05  Filip Pizlo  <fpizlo@apple.com>

        GC has trouble with pathologically large array allocations
        https://bugs.webkit.org/show_bug.cgi?id=144609

        Reviewed by Mark Lam.

        * heap/Heap.cpp:
        (JSC::Heap::updateObjectCounts): Make this code less confusing.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory.
        * jsc.cpp: Add size measuring hooks to write the largeish test.
        (GlobalObject::finishCreation):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):
        (functionHeapSize):
        * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test.
        * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory.
        (foo):
        (test):

2015-05-05  Filip Pizlo  <fpizlo@apple.com>

        FTL SwitchString slow case creates duplicate switch cases
        https://bugs.webkit.org/show_bug.cgi?id=144634

        Reviewed by Geoffrey Garen.

        The problem of duplicate switches is sufficiently annoying that I fixed the issue and also
        added mostly-debug-only asserts to catch such issues earlier.

        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant): Assertion to prevent similar bugs.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): Assertion to prevent similar bugs.
        (JSC::FTL::LowerDFGToLLVM::switchStringSlow): This is the bug.
        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch): Assertion to prevent similar bugs.
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall): Assertion to prevent similar bugs.
        * tests/stress/ftl-switch-string-slow-duplicate-cases.js: Added. This tests the FTL SwitchString bug. It was previously crashing every time.
        (foo):
        (cat):

2015-05-05  Basile Clement  <basile_clement@apple.com>

        Fix debug builds after r183812
        https://bugs.webkit.org/show_bug.cgi?id=144300

        Rubber stamped by Andreas Kling and Filip Pizlo.

        hasObjectMaterializationData() didn't treat MaterializeCreateActivation
        as having materialization data, which was causing an assertion failure when
        sinking CreateActivations on debug builds.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasObjectMaterializationData):

2015-05-04  Basile Clement  <basile_clement@apple.com>

        Allow CreateActivation sinking
        https://bugs.webkit.org/show_bug.cgi?id=144300

        Reviewed by Filip Pizlo.

        This pursues the work started in
        https://bugs.webkit.org/show_bug.cgi?id=144016 to expand the set of
8177 | allocations we are able to sink by allowing sinking of CreateActivation | |
8178 | nodes. | |
8179 | ||
8180 | This is achieved by following closely the way NewObject is currently | |
8181 | sunk: we add a new PhantomCreateActivation node to record the initial | |
8182 | position of the CreateActivation node, new ClosureVarPLoc promoted heap | |
8183 | locations to keep track of the variables put in the activation, and a | |
8184 | new MaterializeCreateActivation node to allocate and populate the sunk | |
8185 | activation. | |
8186 | ||
8187 | * dfg/DFGAbstractInterpreterInlines.h: | |
8188 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
8189 | * dfg/DFGClobberize.h: | |
8190 | (JSC::DFG::clobberize): | |
8191 | * dfg/DFGDoesGC.cpp: | |
8192 | (JSC::DFG::doesGC): | |
8193 | * dfg/DFGFixupPhase.cpp: | |
8194 | (JSC::DFG::FixupPhase::fixupNode): | |
8195 | * dfg/DFGNode.cpp: | |
8196 | (JSC::DFG::Node::convertToPutClosureVarHint): | |
8197 | * dfg/DFGNode.h: | |
8198 | (JSC::DFG::Node::convertToPhantomCreateActivation): | |
8199 | (JSC::DFG::Node::isActivationAllocation): | |
8200 | (JSC::DFG::Node::isPhantomActivationAllocation): | |
8201 | (JSC::DFG::Node::isPhantomAllocation): | |
8202 | * dfg/DFGNodeType.h: | |
8203 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
8204 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
8205 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
8206 | (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): | |
8207 | (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): | |
8208 | * dfg/DFGPredictionPropagationPhase.cpp: | |
8209 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
8210 | * dfg/DFGPromotedHeapLocation.cpp: | |
8211 | (WTF::printInternal): | |
8212 | * dfg/DFGPromotedHeapLocation.h: | |
8213 | * dfg/DFGSafeToExecute.h: | |
8214 | (JSC::DFG::safeToExecute): | |
8215 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
8216 | (JSC::DFG::SpeculativeJIT::compile): | |
8217 | * dfg/DFGSpeculativeJIT64.cpp: | |
8218 | (JSC::DFG::SpeculativeJIT::compile): | |
8219 | * dfg/DFGValidate.cpp: | |
8220 | (JSC::DFG::Validate::validateCPS): | |
8221 | * ftl/FTLCapabilities.cpp: | |
8222 | (JSC::FTL::canCompile): | |
8223 | * ftl/FTLLowerDFGToLLVM.cpp: | |
8224 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
8225 | (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): | |
8226 | * ftl/FTLOperations.cpp: | |
8227 | (JSC::FTL::operationMaterializeObjectInOSR): | |
8228 | * tests/stress/activation-sink-osrexit.js: Added. | |
8229 | (bar): | |
8230 | (foo.set result): | |
8231 | * tests/stress/activation-sink.js: Added. | |
8232 | (bar): | |
8233 | ||
8234 | 2015-05-04 Filip Pizlo <fpizlo@apple.com> | |
8235 | ||
8236 | Unreviewed, fix stale comment. | |
8237 | ||
8238 | * tests/mozilla/js1_5/Array/regress-101964.js: | |
8239 | ||
8240 | 2015-05-04 Filip Pizlo <fpizlo@apple.com> | |
8241 | ||
8242 | Large array shouldn't be slow | |
8243 | https://bugs.webkit.org/show_bug.cgi?id=144617 | |
8244 | ||
8245 | Rubber stamped by Mark Lam. | |
8246 | ||
8247 | * tests/mozilla/js1_5/Array/regress-101964.js: 500ms isn't enough in debug mode. We don't care how long this takes so long as we run it to completion. I've raised the limit much higher. | |
8248 | ||
8249 | 2015-05-04 Filip Pizlo <fpizlo@apple.com> | |
8250 | ||
8251 | Large array shouldn't be slow | |
8252 | https://bugs.webkit.org/show_bug.cgi?id=144617 | |
8253 | ||
8254 | Rubber stamped by Mark Lam. | |
8255 | ||
8256 | * tests/mozilla/js1_5/Array/regress-101964.js: Mozilla may have cared about this being fast a decade ago (or more), but we don't care. We've consistently found that an array implementation that punishes this case to get speed on common-case array accesses is better. This should fix some test failures on the bots. | |
8257 | ||
8258 | 2015-05-04 Commit Queue <commit-queue@webkit.org> | |
8259 | ||
8260 | Unreviewed, rolling out r183789. | |
8261 | https://bugs.webkit.org/show_bug.cgi?id=144620 | |
8262 | ||
8263 | Causing flakiness on exceptionFuzz tests locally on 32-bit | |
8264 | build (Requested by saamyjoon on #webkit). | |
8265 | ||
8266 | Reverted changeset: | |
8267 | ||
8268 | "Global functions should be initialized as JSFunctions in byte | |
8269 | code" | |
8270 | https://bugs.webkit.org/show_bug.cgi?id=144178 | |
8271 | http://trac.webkit.org/changeset/183789 | |
8272 | ||
8273 | 2015-05-04 Saam Barati <saambarati1@gmail.com> | |
8274 | ||
8275 | Global functions should be initialized as JSFunctions in byte code | |
8276 | https://bugs.webkit.org/show_bug.cgi?id=144178 | |
8277 | ||
8278 | Reviewed by Geoffrey Garen. | |
8279 | ||
8280 | This patch makes the initialization of global functions more explicit by | |
8281 | moving initialization into bytecode. It also prepares JSC for having ES6 | |
8282 | style lexical scoping because initializing global functions in bytecode | |
8283 | easily allows global functions to be initialized with the proper scope that | |
8284 | will have access to global lexical variables. Global lexical variables | |
8285 | should be visible to global functions but don't live on the global object. | |
8286 | ||
8287 | * bytecode/UnlinkedCodeBlock.cpp: | |
8288 | (JSC::UnlinkedProgramCodeBlock::visitChildren): | |
8289 | * bytecode/UnlinkedCodeBlock.h: | |
8290 | * bytecompiler/BytecodeGenerator.cpp: | |
8291 | (JSC::BytecodeGenerator::generate): | |
8292 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
8293 | * bytecompiler/BytecodeGenerator.h: | |
8294 | * runtime/Executable.cpp: | |
8295 | (JSC::ProgramExecutable::initializeGlobalProperties): | |
8296 | * runtime/JSGlobalObject.cpp: | |
8297 | (JSC::JSGlobalObject::addGlobalVar): | |
8298 | (JSC::JSGlobalObject::addFunction): | |
8299 | * runtime/JSGlobalObject.h: | |
8300 | ||
8301 | 2015-05-04 Filip Pizlo <fpizlo@apple.com> | |
8302 | ||
8303 | Large array shouldn't be slow | |
8304 | https://bugs.webkit.org/show_bug.cgi?id=144617 | |
8305 | ||
8306 | Reviewed by Geoffrey Garen. | |
8307 | ||
8308 | Decouple MIN_SPARSE_ARRAY_INDEX, which is the threshold for storing to the sparse map when | |
8309 | you're already using ArrayStorage mode, from the minimum array length required to use | |
8310 | ArrayStorage in a new Array(length) allocation. | |
8311 | ||
8312 | Lift the array allocation length threshold to something very high. If this works, we'll | |
8313 | probably remove that threshold entirely. | |
8314 | ||
8315 | This is a 27% speed-up on JetStream/hash-map. Because run-jsc-benchmarks still can't run | |
8316 | JetStream as a discrete suite, this adds hash-map to LongSpider so that we run it somewhere | |
8317 | for now. | |
8318 | ||
8319 | * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: | |
8320 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
8321 | (JSC::DFG::SpeculativeJIT::compile): | |
8322 | * dfg/DFGSpeculativeJIT64.cpp: | |
8323 | (JSC::DFG::SpeculativeJIT::compile): | |
8324 | * ftl/FTLLowerDFGToLLVM.cpp: | |
8325 | (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): | |
8326 | * runtime/ArrayConventions.h: | |
8327 | * runtime/JSArray.h: | |
8328 | (JSC::JSArray::create): | |
8329 | * runtime/JSGlobalObject.h: | |
8330 | (JSC::constructEmptyArray): | |
8331 | * tests/stress/new-array-storage-array-with-size.js: Skip this test until we fix https://bugs.webkit.org/show_bug.cgi?id=144609. | |
8332 | ||
8333 | 2015-05-03 Yusuke Suzuki <utatane.tea@gmail.com> | |
8334 | ||
8335 | Add backed intrinsics to private functions exposed with private symbols in global object | |
8336 | https://bugs.webkit.org/show_bug.cgi?id=144545 | |
8337 | ||
8338 | Reviewed by Darin Adler. | |
8339 | ||
8340 | Math.abs and Math.floor have ASM intrinsics, and they are further accelerated in DFG/FTL layers. | |
8341 | This patch adds intrinsic to private functions exposed with private symbols in global object, | |
8342 | @floor and @abs. | |
8343 | ||
8344 | * runtime/JSGlobalObject.cpp: | |
8345 | (JSC::JSGlobalObject::init): | |
8346 | * runtime/JSGlobalObjectFunctions.cpp: | |
8347 | (JSC::globalPrivateFuncAbs): Deleted. | |
8348 | (JSC::globalPrivateFuncFloor): Deleted. | |
8349 | * runtime/MathObject.cpp: | |
8350 | * runtime/MathObject.h: | |
8351 | * tests/stress/array-from-abs-and-floor.js: Added. | |
8352 | (target1): | |
8353 | (target2): | |
8354 | (target3): | |
8355 | ||
8356 | 2015-05-04 Csaba Osztrogonác <ossy@webkit.org> | |
8357 | ||
8358 | [cmake] ARM related build system cleanup | |
8359 | https://bugs.webkit.org/show_bug.cgi?id=144566 | |
8360 | ||
8361 | Reviewed by Darin Adler. | |
8362 | ||
8363 | * CMakeLists.txt: | |
8364 | ||
8365 | 2015-05-04 Andreas Kling <akling@apple.com> | |
8366 | ||
8367 | Optimize WeakBlock's "reap" and "visit" operations. | |
8368 | <https://webkit.org/b/144585> | |
8369 | ||
8370 | Reviewed by Geoffrey Garen. | |
8371 | ||
8372 | WeakBlock was using Heap::isLive(void*) to determine the liveness of weak pointees. | |
8373 | That function was really written with conservative roots marking in mind, and will do a bunch | |
8374 | of sanity and bounds checks. | |
8375 | ||
8376 | For weaks, we know that the pointer will have been a valid cell pointer into a block | |
8377 | of appropriate cell size, so we can skip a lot of the checks. | |
8378 | ||
8379 | We now keep a pointer to the MarkedBlock in each WeakBlock. That way we no longer have to do | |
8380 | MarkedBlock::blockFor() for every single cell when iterating. | |
8381 | ||
8382 | Note that a WeakBlock's MarkedBlock pointer becomes null when we detach a logically empty | |
8383 | WeakBlock from its WeakSet and transfer ownership to Heap. At that point, the block will never | |
8384 | be pointing to any live cells, and the only operation that will run on the block is sweep(). | |
8385 | ||
8386 | Finally, MarkedBlock allows liveness queries in three states: Marked, Retired, and Allocated. | |
8387 | In Allocated state, all cells are reported as live. This state will reset to Marked on next GC. | |
8388 | This patch uses that knowledge to avoid branching on the MarkedBlock's state for every cell. | |
8389 | ||
8390 | This is a ~3x speedup of visit() and a ~2x speedup of reap() on Dromaeo/dom-modify, netting | |
8391 | what looks like a 1% speedup locally. | |
8392 | ||
8393 | * heap/MarkedBlock.cpp: | |
8394 | (JSC::MarkedBlock::MarkedBlock): Pass *this to the WeakSet's ctor. | |
8395 | ||
8396 | * heap/MarkedBlock.h: | |
8397 | (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Added, stripped-down version of isLive() when the | |
8398 | block's state is known to be either Marked or Retired. | |
8399 | ||
8400 | (JSC::MarkedBlock::isAllocated): Added, tells WeakBlock it's okay to skip reap/visit since isLive() | |
8401 | would report that all cells are live anyway. | |
8402 | ||
8403 | * heap/WeakBlock.cpp: | |
8404 | (JSC::WeakBlock::create): | |
8405 | (JSC::WeakBlock::WeakBlock): Stash a MarkedBlock* on each WeakBlock. | |
8406 | ||
8407 | (JSC::WeakBlock::visit): | |
8408 | (JSC::WeakBlock::reap): Optimized these two to avoid a bunch of pointer arithmetic and branches. | |
8409 | ||
8410 | * heap/WeakBlock.h: | |
8411 | (JSC::WeakBlock::disconnectMarkedBlock): Added. | |
8412 | * heap/WeakSet.cpp: | |
8413 | (JSC::WeakSet::sweep): Call the above when removing a WeakBlock from WeakSet and transferring | |
8414 | ownership to Heap until it can die peacefully. | |
8415 | ||
8416 | (JSC::WeakSet::addAllocator): | |
8417 | * heap/WeakSet.h: | |
8418 | (JSC::WeakSet::WeakSet): Give WeakSet a MarkedBlock& for passing on to WeakBlocks. | |
8419 | ||
8420 | 2015-05-04 Basile Clement <basile_clement@apple.com> | |
8421 | ||
8422 | Allocation sinking is prohibiting the creation of phis between a Phantom object and its materialization | |
8423 | https://bugs.webkit.org/show_bug.cgi?id=144587 | |
8424 | ||
8425 | Rubber stamped by Filip Pizlo. | |
8426 | ||
8427 | When sinking object allocations, we ensure in | |
8428 | determineMaterializationPoints that whenever an allocation is | |
8429 | materialized on a path to a block, it is materialized in all such | |
8430 | paths. Thus when running the SSA calculator to place Phis in | |
8431 | placeMaterializationPoints, we can't encounter a situation where some | |
8432 | Upsilons are referring to a materialization while others are referring | |
8433 | to the phantom object. | |
8434 | ||
8435 | This replaces the code that was adding a materialization late in | |
8436 | placeMaterializationPoints to handle that case by an assertion that it | |
8437 | does not happen, which will make | |
8438 | https://bugs.webkit.org/show_bug.cgi?id=143073 easier to implement. | |
8439 | ||
8440 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
8441 | (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): | |
8442 | ||
8443 | 2015-05-04 Ryosuke Niwa <rniwa@webkit.org> | |
8444 | ||
8445 | Extending undefined in class syntax should throw a TypeError | |
8446 | https://bugs.webkit.org/show_bug.cgi?id=144284 | |
8447 | ||
8448 | Reviewed by Darin Adler. | |
8449 | ||
8450 | The bug was caused by op_eq_null evaluating to true when compared to undefined. | |
8451 | Explicitly check op_eq_undefined first to detect the case where we're extending undefined. | |
8452 | ||
8453 | We also had bogus test cases checked in class-syntax-extends.html. This patch also fixes them. | |
8454 | ||
8455 | * bytecompiler/NodesCodegen.cpp: | |
8456 | (JSC::ClassExprNode::emitBytecode): | |
8457 | ||
8458 | 2015-05-04 Ryosuke Niwa <rniwa@webkit.org> | |
8459 | ||
8460 | new super should be a syntax error | |
8461 | https://bugs.webkit.org/show_bug.cgi?id=144282 | |
8462 | ||
8463 | Reviewed by Joseph Pecoraro. | |
8464 | ||
8465 | Disallow "new super" as ES6 spec doesn't allow this. | |
8466 | ||
8467 | * parser/Parser.cpp: | |
8468 | (JSC::Parser<LexerType>::parseMemberExpression): | |
8469 | ||
8470 | 2015-05-04 Saam Barati <saambarati1@gmail.com> | |
8471 | ||
8472 | JSCallbackObject does not maintain symmetry between accesses for getOwnPropertySlot and put | |
8473 | https://bugs.webkit.org/show_bug.cgi?id=144265 | |
8474 | ||
8475 | Reviewed by Geoffrey Garen. | |
8476 | ||
8477 | JSCallbackObject will defer to a parent's implementation of getOwnPropertySlot | |
8478 | for a static function if the parent has that property slot. JSCallbackObject::put | |
8479 | did not maintain this symmetry of also calling ::put on the parent if the parent | |
8480 | has the property. We should ensure that this symmetry exists. | |
8481 | ||
8482 | * API/JSCallbackObjectFunctions.h: | |
8483 | (JSC::JSCallbackObject<Parent>::put): | |
8484 | * API/tests/testapi.c: | |
8485 | * API/tests/testapi.js: | |
8486 | (globalStaticFunction2): | |
8487 | (this.globalStaticFunction2): | |
8488 | (iAmNotAStaticFunction): | |
8489 | (this.iAmNotAStaticFunction): | |
8490 | ||
8491 | 2015-05-04 Andreas Kling <akling@apple.com> | |
8492 | ||
8493 | Make ExecState::vm() branchless in release builds. | |
8494 | <https://webkit.org/b/144586> | |
8495 | ||
8496 | Reviewed by Geoffrey Garen. | |
8497 | ||
8498 | Avoid null checking the ExecState's callee() before getting the | |
8499 | VM from it. The code was already dereferencing it anyway, since we | |
8500 | know it's not gonna be null. | |
8501 | ||
8502 | * runtime/JSCellInlines.h: | |
8503 | (JSC::ExecState::vm): | |
8504 | ||
8505 | 2015-05-04 Basile Clement <basile_clement@apple.com> | |
8506 | ||
8507 | Object allocation not sinking properly through CheckStructure | |
8508 | https://bugs.webkit.org/show_bug.cgi?id=144465 | |
8509 | ||
8510 | Reviewed by Filip Pizlo. | |
8511 | ||
8512 | Currently, sinking an allocation through a CheckStructure will | |
8513 | completely ignore all structure checking, which is obviously wrong. | |
8514 | ||
8515 | A CheckStructureImmediate node type was present for that purpose, but | |
8516 | the CheckStructures were not properly replaced. This ensures that | |
8517 | CheckStructure nodes are replaced by CheckStructureImmediate nodes when | |
8518 | sunk through, and that structure checking happens correctly. | |
8519 | ||
8520 | * dfg/DFGNode.h: | |
8521 | (JSC::DFG::Node::convertToCheckStructureImmediate): Added. | |
8522 | (JSC::DFG::Node::hasStructureSet): | |
8523 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
8524 | (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): | |
8525 | * ftl/FTLLowerDFGToLLVM.cpp: | |
8526 | (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): | |
8527 | (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate): | |
8528 | (JSC::FTL::LowerDFGToLLVM::checkStructure): | |
8529 | * tests/stress/sink_checkstructure.js: Added. | |
8530 | (foo): | |
8531 | ||
8532 | 2015-05-01 Geoffrey Garen <ggaren@apple.com> | |
8533 | ||
8534 | REGRESSION(r183570): jslib-traverse-jquery is 22% slower | |
8535 | https://bugs.webkit.org/show_bug.cgi?id=144476 | |
8536 | ||
8537 | Reviewed by Sam Weinig. | |
8538 | ||
8539 | jslib-traverse-jquery is now 31% faster than its unregressed baseline. | |
8540 | ||
8541 | The jQuery algorithm for sorting DOM nodes is so pathologically slow that, | |
8542 | to my knowledge, the topic of how to optimize it is not covered in any | |
8543 | literature about sorting. | |
8544 | ||
8545 | On the slowest jQuery sorting test -- prevAll -- our new | |
8546 | Array.prototype.sort, compared to its predecessor, performed 12% fewer | |
8547 | comparisons and required 10X less overhead per comparison. Yet, it was | |
8548 | slower. | |
8549 | ||
8550 | It was slower because it inadvertently increased the average cost of the | |
8551 | comparison function by 2X. jQuery uses compareDocumentPosition to compare | |
8552 | DOM nodes, and compareDocumentPosition(a, b) is O(N) in the distance | |
8553 | required to traverse backwards from b to a. In prevAll, we encounter the | |
8554 | worst case for merge sort of compareDocumentPosition: A long list of DOM | |
8555 | nodes in mostly reverse order. In this case, merge sort will sequentially | |
8556 | compareDocumentPosition(a, b), where a is not reachable backwards from | |
8557 | b, and therefore compareDocumentPosition will traverse the whole sibling | |
8558 | list. | |
8559 | ||
8560 | The solution is simple enough: Call compareDocumentPosition(b, a) instead. | |
8561 | ||
8562 | This is a pretty silly thing to do, but it is harmless, and jQuery is | |
8563 | popular, so let's do it. | |
8564 | ||
8565 | We do not risk suffering the same problem in reverse when sorting a long | |
8566 | list of DOM nodes in forward order. (We still have a 37% speedup on the | |
8567 | nextAll benchmark.) The reason is that merge sort performs 2X fewer | |
8568 | comparisons when the list is already sorted, so we can worry less about | |
8569 | the cost of each comparison. | |
8570 | ||
8571 | A fully principled solution to this problem would probably do something | |
8572 | like Python's timsort, which special-cases ordered ranges to perform | |
8573 | only O(n) comparisons. But that would contradict our original | |
8574 | goal of just having something simple that works. | |
8575 | ||
8576 | Another option is for elements to keep a compareDocumentPosition cache, | |
8577 | like a node list cache, which allows you to determine the absolute | |
8578 | position of a node using a hash lookup. I will leave this as an exercise | |
8579 | for kling. | |
8580 | ||
8581 | * builtins/Array.prototype.js: | |
8582 | (sort.merge): Compare in an order that is favorable to a comparator | |
8583 | that calls compareDocumentPosition. | |
8584 | ||
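The argument-order effect described in the entry above, as an added example that is not WebKit's code: a constructed sibling list, a simulated compareDocumentPosition that charges the traversal cost the entry describes (distance when a precedes b, the whole list otherwise), and a stable merge sort that can ask the comparator in either argument order. Node names, the cost model and the `favorable` flag are assumptions made for this illustration.

```javascript
// Constructed sibling list: node i sits at document position i.
function makeSiblings(n) {
  const nodes = [];
  for (let i = 0; i < n; i++) nodes.push({ index: i });
  return nodes;
}

// Simulated compareDocumentPosition with the cost model from the entry:
// walking backwards from b reaches a after (b - a) steps when a precedes b;
// when a is not reachable backwards from b, the whole sibling list (n nodes)
// is traversed. The counter records simulated steps and comparator calls.
function makeCompareDocumentPosition(n, counter) {
  return function compareDocumentPosition(a, b) {
    counter.calls += 1;
    if (a.index < b.index) { counter.steps += b.index - a.index; return -1; }
    if (a.index > b.index) { counter.steps += n; return 1; }
    return 0;
  };
}

// Top-down, stable merge sort. With `favorable` set, the comparator is asked
// about (right, left) instead of (left, right); the merge decision is the
// same either way, only the cost charged by the comparator differs.
function mergeSort(array, comparator, favorable) {
  if (array.length < 2) return array.slice();
  const mid = array.length >> 1;
  const left = mergeSort(array.slice(0, mid), comparator, favorable);
  const right = mergeSort(array.slice(mid), comparator, favorable);
  const out = [];
  let i = 0;
  let j = 0;
  while (i < left.length && j < right.length) {
    const takeLeft = favorable
      ? comparator(right[j], left[i]) >= 0
      : comparator(left[i], right[j]) <= 0;
    out.push(takeLeft ? left[i++] : right[j++]);
  }
  while (i < left.length) out.push(left[i++]);
  while (j < right.length) out.push(right[j++]);
  return out;
}

// Sort `input` (an array of sibling nodes) and report the simulated cost.
function measure(n, input, favorable) {
  const counter = { calls: 0, steps: 0 };
  const cdp = makeCompareDocumentPosition(n, counter);
  const sorted = mergeSort(input, cdp, favorable);
  return {
    calls: counter.calls,
    steps: counter.steps,
    order: sorted.map((node) => node.index),
  };
}

// prevAll()-style input: siblings in reverse document order, the case the
// entry identifies as the worst one for the original argument order.
function demo(n) {
  const reversed = makeSiblings(n).reverse();
  return {
    original: measure(n, reversed, false),
    favorable: measure(n, reversed, true),
  };
}
```

Both orders make the same merge decisions and the same number of comparator calls, so the sorted result is identical; only the simulated traversal cost differs, and on reverse-ordered input the (right, left) order is the cheaper one. The model is deliberately simplified (fully reversed input rather than "mostly" reversed, and a fixed whole-list charge for the unreachable case), so the numbers illustrate the direction of the effect, not the benchmark figures in the entry.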
8585 | 2015-05-04 Csaba Osztrogonác <ossy@webkit.org> | |
8586 | ||
8587 | [cmake] Fix generate-js-builtins related incremental build issue | |
8588 | https://bugs.webkit.org/show_bug.cgi?id=144094 | |
8589 | ||
8590 | Reviewed by Michael Saboff. | |
8591 | ||
8592 | * CMakeLists.txt: Generated JSCBuiltins.<cpp|h> should depend on Source/JavaScriptCore/builtins directory. | |
8593 | Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js. | |
8594 | * DerivedSources.make: | |
8595 | Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js. | |
8596 | * generate-js-builtins: Accept input files and input directory too. | |
8597 | ||
8598 | 2015-05-03 Simon Fraser <simon.fraser@apple.com> | |
8599 | ||
8600 | Make some static data const | |
8601 | https://bugs.webkit.org/show_bug.cgi?id=144552 | |
8602 | ||
8603 | Reviewed by Andreas Kling. | |
8604 | ||
8605 | Turn characterSetInfo into const data. | |
8606 | ||
8607 | * yarr/YarrCanonicalizeUCS2.cpp: | |
8608 | * yarr/YarrCanonicalizeUCS2.h: | |
8609 | ||
8610 | 2015-05-01 Filip Pizlo <fpizlo@apple.com> | |
8611 | ||
8612 | TypeOf should be fast | |
8613 | https://bugs.webkit.org/show_bug.cgi?id=144396 | |
8614 | ||
8615 | Reviewed by Geoffrey Garen. | |
8616 | ||
8617 | Adds comprehensive support for fast typeof to the optimizing JITs. Calls into the runtime | |
8618 | are only used for very exotic objects - they must have either the MasqueradesAsUndefined or | |
8619 | TypeOfShouldCallGetCallData type flags set. All other cases are handled inline. | |
8620 | ||
8621 | This means optimizing IsObjectOrNull, IsFunction, and TypeOf - all node types that used to | |
8622 | rely heavily on C++ calls to fulfill their function. | |
8623 | ||
8624 | Because TypeOf is now so fast, we no longer need to do any speculations on this node. | |
8625 | ||
8626 | In the FTL, we take this further by querying AI for each branch in the TypeOf decision tree. | |
8627 | This means that if the TypeOf is dominated by any type checks, we will automatically prune | |
8628 | out cases that are redundant. | |
8629 | ||
8630 | This patch anticipates the addition of SwitchTypeOf or something like that. So, the TypeOf | |
8631 | code generation is designed to be reusable. | |
8632 | ||
8633 | This is a speed-up on most typeof benchmarks. But, it is a slow-down on benchmarks that take | |
8634 | the exotic call trap hook. That hook is now in a deeper slow path than before. | |
8635 | ||
8636 | * CMakeLists.txt: | |
8637 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
8638 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
8639 | * dfg/DFGClobberize.h: | |
8640 | (JSC::DFG::clobberize): TypeOf was pure all along, but we failed to realize this. | |
8641 | * dfg/DFGFixupPhase.cpp: | |
8642 | (JSC::DFG::FixupPhase::fixupNode): | |
8643 | * dfg/DFGHeapLocation.cpp: | |
8644 | (WTF::printInternal): | |
8645 | * dfg/DFGHeapLocation.h: | |
8646 | * dfg/DFGOperations.cpp: | |
8647 | * dfg/DFGOperations.h: | |
8648 | * dfg/DFGSpeculativeJIT.cpp: | |
8649 | (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): | |
8650 | (JSC::DFG::SpeculativeJIT::compileIsFunction): | |
8651 | (JSC::DFG::SpeculativeJIT::compileTypeOf): | |
8652 | * dfg/DFGSpeculativeJIT.h: | |
8653 | (JSC::DFG::SpeculativeJIT::blessedBooleanResult): | |
8654 | (JSC::DFG::SpeculativeJIT::callOperation): | |
8655 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
8656 | (JSC::DFG::SpeculativeJIT::compile): | |
8657 | * dfg/DFGSpeculativeJIT64.cpp: | |
8658 | (JSC::DFG::SpeculativeJIT::compile): | |
8659 | * ftl/FTLCapabilities.cpp: | |
8660 | (JSC::FTL::canCompile): | |
8661 | * ftl/FTLIntrinsicRepository.h: | |
8662 | * ftl/FTLLowerDFGToLLVM.cpp: | |
8663 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
8664 | (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull): | |
8665 | (JSC::FTL::LowerDFGToLLVM::compileIsFunction): | |
8666 | (JSC::FTL::LowerDFGToLLVM::compileTypeOf): | |
8667 | (JSC::FTL::LowerDFGToLLVM::buildTypeOf): Reusable TypeOf building for the FTL. | |
8668 | (JSC::FTL::LowerDFGToLLVM::isExoticForTypeof): | |
8669 | * ftl/FTLSwitchCase.h: | |
8670 | (JSC::FTL::SwitchCase::SwitchCase): | |
8671 | * jit/AssemblyHelpers.h: | |
8672 | (JSC::AssemblyHelpers::branchIfNotEqual): | |
8673 | (JSC::AssemblyHelpers::branchIfEqual): | |
8674 | (JSC::AssemblyHelpers::branchIfNumber): | |
8675 | (JSC::AssemblyHelpers::branchIfNotNumber): | |
8676 | (JSC::AssemblyHelpers::branchIfBoolean): | |
8677 | (JSC::AssemblyHelpers::branchIfNotBoolean): | |
8678 | (JSC::AssemblyHelpers::boxBooleanPayload): | |
8679 | (JSC::AssemblyHelpers::boxBoolean): | |
8680 | (JSC::AssemblyHelpers::emitTypeOf): Reusable TypeOf building for assembly JITs. | |
8681 | * jit/JITOperations.h: | |
8682 | * runtime/SmallStrings.h: | |
8683 | (JSC::SmallStrings::typeString): | |
8684 | * runtime/TypeofType.cpp: Added. | |
8685 | (WTF::printInternal): | |
8686 | * runtime/TypeofType.h: Added. | |
8687 | * tests/stress/type-of-functions-and-objects.js: Modified this test to give more comprehensive feedback. | |
8688 | ||
8689 | 2015-05-02 Filip Pizlo <fpizlo@apple.com> | |
8690 | ||
8691 | Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=144527. | |
8692 | ||
8693 | * dfg/DFGLICMPhase.cpp: | |
8694 | (JSC::DFG::LICMPhase::attemptHoist): | |
8695 | ||
8696 | 2015-05-02 Filip Pizlo <fpizlo@apple.com> | |
8697 | ||
8698 | Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=144524 and | |
8699 | https://bugs.webkit.org/show_bug.cgi?id=144525. | |
8700 | ||
8701 | * dfg/DFGLICMPhase.cpp: | |
8702 | (JSC::DFG::LICMPhase::attemptHoist): | |
8703 | * dfg/DFGPhantomInsertionPhase.cpp: | |
8704 | ||
8705 | 2015-05-02 Yusuke Suzuki <utatane.tea@gmail.com> | |
8706 | ||
8707 | Static property hashtable should only lookup with non-symbol key | |
8708 | https://bugs.webkit.org/show_bug.cgi?id=144438 | |
8709 | ||
8710 | Reviewed by Darin Adler. | |
8711 | ||
8712 | Static property hashtable compares the Identifier's uid | |
8713 | with the normal C string without interning it. | |
8714 | So this comparison is performed on their contents. | |
8715 | As a result, in this comparison, symbol-ness is not considered. | |
8716 | ||
8717 | So if accidentally a hash collision occurs with the symbol and the string | |
8718 | and they have the same contents, the hash table entry is looked up incorrectly. | |
8719 | ||
8720 | * runtime/Lookup.h: | |
8721 | (JSC::HashTable::entry): | |
8722 | ||
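The lookup confusion described in the entry above, as an added example that is not WebKit's code: a constructed stand-in for a static property table, one lookup that compares only the key's contents (so a Symbol whose description matches an entry name is wrongly matched) and one that rejects symbol keys before any content comparison, which is the property a string-keyed static table must have. The table contents and function names are assumptions made for this illustration.

```javascript
// Constructed stand-in for a static property table: entries are keyed by the
// string contents of an identifier, as a C-string comparison would see them.
const STATIC_ENTRIES = [
  { name: "abs", value: "placeholder-abs-entry" },
  { name: "floor", value: "placeholder-floor-entry" },
];

// "Contents" of a property key, ignoring whether it is a string or a Symbol.
// A Symbol's description is what a content-only comparison would match on.
function keyContents(key) {
  return typeof key === "symbol" ? key.description : key;
}

// Content-only lookup: Symbol("abs") matches the "abs" entry, although a
// symbol-keyed property and a string-keyed property are distinct properties.
function entryIgnoringSymbolness(key) {
  const contents = keyContents(key);
  return STATIC_ENTRIES.find((e) => e.name === contents) || null;
}

// Corrected lookup: a static table only holds string-keyed properties, so a
// symbol key can never match an entry and is rejected up front.
function entryStringKeysOnly(key) {
  if (typeof key === "symbol") return null;
  return STATIC_ENTRIES.find((e) => e.name === key) || null;
}

// Reference semantics from a plain object: a string key and a Symbol with the
// same description are independent properties.
function plainObjectSemantics() {
  const sym = Symbol("abs");
  const o = {};
  o.abs = "string-keyed";
  return { viaString: o.abs, viaSymbol: o[sym] };
}

function demo() {
  const sym = Symbol("abs");
  return {
    contentOnly: entryIgnoringSymbolness(sym),
    stringKeysOnly: entryStringKeysOnly(sym),
    stringStillWorks: entryStringKeysOnly("abs"),
    reference: plainObjectSemantics(),
  };
}
```

The check belongs before the content comparison, not after it: once the key has been reduced to its contents, the information needed to tell the two property kinds apart is gone.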
8723 | 2015-05-01 Ryosuke Niwa <rniwa@webkit.org> | |
8724 | ||
8725 | Class syntax should allow string and numeric identifiers for method names | |
8726 | https://bugs.webkit.org/show_bug.cgi?id=144254 | |
8727 | ||
8728 | Reviewed by Darin Adler. | |
8729 | ||
8730 | Added the support for string and numeric identifiers in class syntax. | |
8731 | ||
8732 | * parser/Parser.cpp: | |
8733 | (JSC::Parser<LexerType>::parseFunctionInfo): Instead of using ConstructorKind to indicate whether we're | |
8734 | inside a class or not, use the newly added SuperBinding argument instead. ConstructorKind is now None | |
8735 | outside a class constructor as it should be. | |
8736 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
8737 | (JSC::Parser<LexerType>::parseClass): No longer expects an identifier at the beginning of every class | |
8738 | element to allow numeric and string method names. For both of those method names, parse it here instead | |
8739 | of parseFunctionInfo since it doesn't support either type. Also pass in SuperBinding::Needed. | |
8740 | (JSC::Parser<LexerType>::parsePropertyMethod): Call parseFunctionInfo with SuperBinding::NotNeeded since | |
8741 | this function is never used to parse a class method. | |
8742 | (JSC::Parser<LexerType>::parseGetterSetter): Pass in superBinding argument to parseFunctionInfo. | |
8743 | (JSC::Parser<LexerType>::parsePrimaryExpression): Call parseFunctionInfo with SuperBinding::NotNeeded. | |
8744 | * parser/Parser.h: | |
8745 | * parser/SyntaxChecker.h: | |
8746 | (JSC::SyntaxChecker::createProperty): | |
8747 | ||
8748 | 2015-05-01 Filip Pizlo <fpizlo@apple.com> | |
8749 | ||
8750 | FTL should use AI more | |
8751 | https://bugs.webkit.org/show_bug.cgi?id=144500 | |
8752 | ||
8753 | Reviewed by Oliver Hunt. | |
8754 | ||
8755 | This makes our type check folding even more comprehensive by ensuring that even if the FTL | |
8756 | decides to emit some checks, it will still do another query to the abstract interpreter to | |
8757 | see if the check is necessary. This helps with cases where we decided early on to speculate | |
8758 | one way, but later proved a more specific type of the value in question, and the constant | |
8759 | folder didn't catch it. | |
8760 | ||
8761 | This also makes it more natural to query the abstract interpreter. For example, if you just | |
8762 | want the proven type, you can now say provenType(node) or provenType(edge). | |
8763 | ||
8764 | * dfg/DFGArrayMode.cpp: | |
8765 | (JSC::DFG::ArrayMode::alreadyChecked): | |
8766 | * dfg/DFGArrayMode.h: | |
8767 | * ftl/FTLLowerDFGToLLVM.cpp: | |
8768 | (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): | |
8769 | (JSC::FTL::LowerDFGToLLVM::compileToThis): | |
8770 | (JSC::FTL::LowerDFGToLLVM::compileValueAdd): | |
8771 | (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): | |
8772 | (JSC::FTL::LowerDFGToLLVM::compileArithPow): | |
8773 | (JSC::FTL::LowerDFGToLLVM::compileArithNegate): | |
8774 | (JSC::FTL::LowerDFGToLLVM::compileGetById): | |
8775 | (JSC::FTL::LowerDFGToLLVM::compileCheckArray): | |
8776 | (JSC::FTL::LowerDFGToLLVM::compilePutByVal): | |
8777 | (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor): | |
8778 | (JSC::FTL::LowerDFGToLLVM::compileToPrimitive): | |
8779 | (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): | |
8780 | (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt): | |
8781 | (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): | |
8782 | (JSC::FTL::LowerDFGToLLVM::compileSwitch): | |
8783 | (JSC::FTL::LowerDFGToLLVM::compileIsBoolean): | |
8784 | (JSC::FTL::LowerDFGToLLVM::compileIsNumber): | |
8785 | (JSC::FTL::LowerDFGToLLVM::compileIsString): | |
8786 | (JSC::FTL::LowerDFGToLLVM::compileIsObject): | |
8787 | (JSC::FTL::LowerDFGToLLVM::compileInstanceOf): | |
8788 | (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32): | |
8789 | (JSC::FTL::LowerDFGToLLVM::baseIndex): | |
8790 | (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): | |
8791 | (JSC::FTL::LowerDFGToLLVM::typedArrayLength): | |
8792 | (JSC::FTL::LowerDFGToLLVM::boolify): | |
8793 | (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): | |
8794 | (JSC::FTL::LowerDFGToLLVM::lowInt32): | |
8795 | (JSC::FTL::LowerDFGToLLVM::lowInt52): | |
8796 | (JSC::FTL::LowerDFGToLLVM::lowCell): | |
8797 | (JSC::FTL::LowerDFGToLLVM::lowBoolean): | |
8798 | (JSC::FTL::LowerDFGToLLVM::lowDouble): | |
8799 | (JSC::FTL::LowerDFGToLLVM::isCellOrMisc): | |
8800 | (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc): | |
8801 | (JSC::FTL::LowerDFGToLLVM::isNumber): | |
8802 | (JSC::FTL::LowerDFGToLLVM::isNotNumber): | |
8803 | (JSC::FTL::LowerDFGToLLVM::isNotCell): | |
8804 | (JSC::FTL::LowerDFGToLLVM::isCell): | |
8805 | (JSC::FTL::LowerDFGToLLVM::isNotMisc): | |
8806 | (JSC::FTL::LowerDFGToLLVM::isMisc): | |
8807 | (JSC::FTL::LowerDFGToLLVM::isNotBoolean): | |
8808 | (JSC::FTL::LowerDFGToLLVM::isBoolean): | |
8809 | (JSC::FTL::LowerDFGToLLVM::isNotOther): | |
8810 | (JSC::FTL::LowerDFGToLLVM::isOther): | |
8811 | (JSC::FTL::LowerDFGToLLVM::isProvenValue): | |
8812 | (JSC::FTL::LowerDFGToLLVM::isObject): | |
8813 | (JSC::FTL::LowerDFGToLLVM::isNotObject): | |
8814 | (JSC::FTL::LowerDFGToLLVM::isNotString): | |
8815 | (JSC::FTL::LowerDFGToLLVM::isString): | |
8816 | (JSC::FTL::LowerDFGToLLVM::isFunction): | |
8817 | (JSC::FTL::LowerDFGToLLVM::isNotFunction): | |
8818 | (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): | |
8819 | (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): | |
8820 | (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar): | |
8821 | (JSC::FTL::LowerDFGToLLVM::abstractValue): | |
8822 | (JSC::FTL::LowerDFGToLLVM::provenType): | |
8823 | (JSC::FTL::LowerDFGToLLVM::provenValue): | |
8824 | (JSC::FTL::LowerDFGToLLVM::abstractStructure): | |
8825 | ||
8826 | 2015-05-01 Martin Robinson <mrobinson@igalia.com> | |
8827 | ||
8828 | USE(...) macro should expect unprefixed variables | |
8829 | https://bugs.webkit.org/show_bug.cgi?id=144454 | |
8830 | ||
8831 | Reviewed by Daniel Bates. | |
8832 | ||
8833 | * CMakeLists.txt: Replace all occurrences WTF_USE with USE. | |
8834 | ||
8835 | 2015-05-01 Jordan Harband <ljharb@gmail.com> | |
8836 | ||
8837 | String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly | |
8838 | https://bugs.webkit.org/show_bug.cgi?id=144314 | |
8839 | ||
8840 | Reviewed by Darin Adler. | |
8841 | ||
8842 | Fixing handling of Infinity position args, per | |
8843 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes | |
8844 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith | |
8845 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith | |
8846 | ||
8847 | * runtime/StringPrototype.cpp: | |
8848 | (JSC::clampInt32): | |
8849 | (JSC::stringProtoFuncStartsWith): | |
8850 | (JSC::stringProtoFuncEndsWith): | |
8851 | (JSC::stringProtoFuncIncludes): | |
8852 | ||
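Added example, not JSC's code: reference versions of the three methods written step by step from the ES6 draft the entry cites, showing that an Infinity position survives ToInteger and must then be clamped to [0, len]; the helper names (toIntegerValue, clamp, spec*, findMismatches) are this example's own.

```javascript
// ES6 ToInteger: NaN -> 0, +/-Infinity preserved, anything else truncated.
function toIntegerValue(value) {
  const n = Number(value);
  if (Number.isNaN(n)) return 0;
  if (n === 0 || !Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// The spec's min(max(pos, 0), len): Infinity becomes len, -Infinity becomes 0.
function clamp(pos, len) {
  return Math.min(Math.max(pos, 0), len);
}

function specStartsWith(s, searchString, position) {
  const len = s.length;
  const pos = position === undefined ? 0 : toIntegerValue(position);
  const start = clamp(pos, len);
  const searchLength = searchString.length;
  if (searchLength + start > len) return false;
  return s.substring(start, start + searchLength) === searchString;
}

function specEndsWith(s, searchString, endPosition) {
  const len = s.length;
  const pos = endPosition === undefined ? len : toIntegerValue(endPosition);
  const end = clamp(pos, len);
  const start = end - searchString.length;
  if (start < 0) return false;
  return s.substring(start, end) === searchString;
}

function specIncludes(s, searchString, position) {
  const len = s.length;
  const pos = position === undefined ? 0 : toIntegerValue(position);
  const start = clamp(pos, len);
  return s.indexOf(searchString, start) !== -1;
}

// Cross-checks the reference versions against the engine's own built-ins over
// a constructed table of edge-case positions; returns the cases that disagree.
function findMismatches() {
  const positions = [undefined, -Infinity, -1, 0, 1, 2, 3, 4, Infinity, NaN, '2'];
  const cases = [['abc', 'abc'], ['abc', 'c'], ['abc', ''], ['abc', 'ab']];
  const mismatches = [];
  for (const [s, search] of cases) {
    for (const pos of positions) {
      if (specStartsWith(s, search, pos) !== s.startsWith(search, pos))
        mismatches.push(['startsWith', s, search, pos]);
      if (specEndsWith(s, search, pos) !== s.endsWith(search, pos))
        mismatches.push(['endsWith', s, search, pos]);
      if (specIncludes(s, search, pos) !== s.includes(search, pos))
        mismatches.push(['includes', s, search, pos]);
    }
  }
  return mismatches;
}
```
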
8853 | 2015-05-01 Basile Clement <basile_clement@apple.com> | |
8854 | ||
8855 | Math.abs() returns negative | |
8856 | https://bugs.webkit.org/show_bug.cgi?id=137827 | |
8857 | ||
8858 | Reviewed by Michael Saboff. | |
8859 | ||
8860 | Math.abs() on doubles was mistakenly assumed by the DFG AI to be the | |
8861 | identity function. | |
8862 | ||
8863 | * dfg/DFGAbstractInterpreterInlines.h: | |
8864 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
8865 | * tests/stress/math-abs-positive.js: Added, was previously failing. | |
8866 | (foo): | |
8867 | ||
8868 | 2015-05-01 Basile Clement <basile_clement@apple.com> | |
8869 | ||
8870 | Function allocation sinking shouldn't be performed on singleton functions | |
8871 | https://bugs.webkit.org/show_bug.cgi?id=144166 | |
8872 | ||
8873 | Reviewed by Geoffrey Garen. | |
8874 | ||
8875 | Function allocations usually are free of any other side effects, but | |
8876 | this is not the case for allocations performed while the underlying | |
8877 | FunctionExecutable is still a singleton (as this allocation will fire | |
8878 | watchpoints invalidating code that depends on it being a singleton). | |
8879 | As the object allocation sinking phase assumes object allocation is | |
8880 | free of side-effects, sinking these allocations is not correct. | |
8881 | ||
8882 | This also means that when materializing a function allocation on OSR | |
8883 | exit, that function's executable will never be a singleton, and we don't have | |
8884 | to worry about its watchpoint, allowing us to use | |
8885 | JSFunction::createWithInvalidatedReallocationWatchpoint instead of | |
8886 | JSFunction::create. | |
8887 | ||
8888 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
8889 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
8890 | * ftl/FTLOperations.cpp: | |
8891 | (JSC::FTL::operationMaterializeObjectInOSR): | |
8892 | ||
8893 | 2015-04-30 Jon Davis <jond@apple.com> | |
8894 | ||
8895 | Web Inspector: console should show an icon for console.info() messages | |
8896 | https://bugs.webkit.org/show_bug.cgi?id=18530 | |
8897 | ||
8898 | Reviewed by Timothy Hatcher. | |
8899 | ||
8900 | * inspector/ConsoleMessage.cpp: | |
8901 | (Inspector::messageLevelValue): | |
8902 | * inspector/protocol/Console.json: | |
8903 | * runtime/ConsoleClient.cpp: | |
8904 | (JSC::appendMessagePrefix): | |
8905 | * runtime/ConsolePrototype.cpp: | |
8906 | (JSC::ConsolePrototype::finishCreation): | |
8907 | (JSC::consoleProtoFuncInfo): | |
8908 | * runtime/ConsoleTypes.h: | |
8909 | ||
8910 | 2015-04-30 Filip Pizlo <fpizlo@apple.com> | |
8911 | ||
8912 | Move all of the branchIs<type> helpers from SpeculativeJIT into AssemblyHelpers | |
8913 | https://bugs.webkit.org/show_bug.cgi?id=144462 | |
8914 | ||
8915 | Reviewed by Geoffrey Garen and Mark Lam. | |
8916 | ||
8917 | At some point we started adding representation-agnostic helpers for doing common type tests. | |
8918 | We added some in SpeculativeJIT, and then some in AssemblyHelpers. Prior to this change, | |
8919 | they had overlapping powers, though SpeculativeJIT was a bit better. | |
8920 | ||
8921 | This removes SpeculativeJIT's helpers and strengthens AssemblyHelpers' helpers. This is | |
8922 | better because now all of these helpers can be used in all of the assembly-based JITs, not | |
8923 | just the DFG. It also settles on what I find to be a slightly better naming convention. | |
8924 | For example where we previously would have said branchIsString, now we say | |
8925 | branchIfString. Similarly, branchNotString becomes branchIfNotString. | |
8926 | ||
8927 | * dfg/DFGSpeculativeJIT.cpp: | |
8928 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): | |
8929 | (JSC::DFG::SpeculativeJIT::compileValueToInt32): | |
8930 | (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): | |
8931 | (JSC::DFG::SpeculativeJIT::compileInstanceOf): | |
8932 | (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): | |
8933 | (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): | |
8934 | (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): | |
8935 | (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): | |
8936 | (JSC::DFG::SpeculativeJIT::speculateObject): | |
8937 | (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): | |
8938 | (JSC::DFG::SpeculativeJIT::speculateString): | |
8939 | (JSC::DFG::SpeculativeJIT::speculateNotStringVar): | |
8940 | (JSC::DFG::SpeculativeJIT::speculateNotCell): | |
8941 | (JSC::DFG::SpeculativeJIT::speculateOther): | |
8942 | (JSC::DFG::SpeculativeJIT::emitSwitchChar): | |
8943 | (JSC::DFG::SpeculativeJIT::emitSwitchString): | |
8944 | (JSC::DFG::SpeculativeJIT::branchIsObject): Deleted. | |
8945 | (JSC::DFG::SpeculativeJIT::branchNotObject): Deleted. | |
8946 | (JSC::DFG::SpeculativeJIT::branchIsString): Deleted. | |
8947 | (JSC::DFG::SpeculativeJIT::branchNotString): Deleted. | |
8948 | * dfg/DFGSpeculativeJIT.h: | |
8949 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
8950 | (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): | |
8951 | (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): | |
8952 | (JSC::DFG::SpeculativeJIT::emitCall): | |
8953 | (JSC::DFG::SpeculativeJIT::fillSpeculateCell): | |
8954 | (JSC::DFG::SpeculativeJIT::compileObjectEquality): | |
8955 | (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): | |
8956 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): | |
8957 | (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): | |
8958 | (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): | |
8959 | (JSC::DFG::SpeculativeJIT::compile): | |
8960 | (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted. | |
8961 | (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted. | |
8962 | (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted. | |
8963 | (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted. | |
8964 | * dfg/DFGSpeculativeJIT64.cpp: | |
8965 | (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): | |
8966 | (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): | |
8967 | (JSC::DFG::SpeculativeJIT::fillSpeculateCell): | |
8968 | (JSC::DFG::SpeculativeJIT::compileObjectEquality): | |
8969 | (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): | |
8970 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): | |
8971 | (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): | |
8972 | (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): | |
8973 | (JSC::DFG::SpeculativeJIT::compile): | |
8974 | (JSC::DFG::SpeculativeJIT::writeBarrier): | |
8975 | (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted. | |
8976 | (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted. | |
8977 | (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted. | |
8978 | (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted. | |
8979 | * jit/AssemblyHelpers.h: | |
8980 | (JSC::AssemblyHelpers::branchIfCell): | |
8981 | (JSC::AssemblyHelpers::branchIfOther): | |
8982 | (JSC::AssemblyHelpers::branchIfNotOther): | |
8983 | (JSC::AssemblyHelpers::branchIfObject): | |
8984 | (JSC::AssemblyHelpers::branchIfNotObject): | |
8985 | (JSC::AssemblyHelpers::branchIfType): | |
8986 | (JSC::AssemblyHelpers::branchIfNotType): | |
8987 | (JSC::AssemblyHelpers::branchIfString): | |
8988 | (JSC::AssemblyHelpers::branchIfNotString): | |
8989 | (JSC::AssemblyHelpers::branchIfSymbol): | |
8990 | (JSC::AssemblyHelpers::branchIfNotSymbol): | |
8991 | (JSC::AssemblyHelpers::branchIfFunction): | |
8992 | (JSC::AssemblyHelpers::branchIfNotFunction): | |
8993 | (JSC::AssemblyHelpers::branchIfEmpty): | |
8994 | (JSC::AssemblyHelpers::branchIsEmpty): Deleted. | |
8995 | (JSC::AssemblyHelpers::branchIfCellNotObject): Deleted. | |
8996 | * jit/JITPropertyAccess.cpp: | |
8997 | (JSC::JIT::emitScopedArgumentsGetByVal): | |
8998 | ||
8999 | 2015-04-30 Filip Pizlo <fpizlo@apple.com> | |
9000 | ||
9001 | js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing | |
9002 | https://bugs.webkit.org/show_bug.cgi?id=144463 | |
9003 | ||
9004 | Reviewed by Benjamin Poulain. | |
9005 | ||
9006 | Fixup phase was super cleverly folding an IsString(@x) when @x is predicted SpecString | |
9007 | into a Check(String:@x) followed by JSConstant(true). Then in these tests the | |
9008 | ValueAdd(IsString(@x), @stuff) would try to turn this into an integer add by cleverly | |
9009 | converting the boolean into an integer. But as part of doing that, it would try to | |
9010 | short-circuit any profiling by leveraging the fact that the IsString is now a constant, | |
9011 | and it would try to figure out if the addition might overflow. Part of that logic | |
9012 | involved checking if the immediate is either a boolean or a sufficiently small integer. | |
9013 | But: it would check if it's a sufficiently small integer before checking if it was a | |
9014 | boolean, so it would try to call asNumber() on the boolean. | |
9015 | ||
9016 | All of this cleverness was very deliberate, but apparently the @stuff + booleanConstant | |
9017 | case was previously never hit until I wrote these tests, and so we never knew that | |
9018 | calling asNumber() on a boolean was wrong. | |
9019 | ||
9020 | The fix is super simple: the expression should just check for boolean first. | |
9021 | ||
9022 | This bug was benign in release builds. JSValue::asNumber() on a boolean would return | |
9023 | garbage, and that's OK, since we'd take the boolean case anyway. | |
9024 | ||
9025 | * dfg/DFGGraph.h: | |
9026 | (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): | |
9027 | ||
9028 | 2015-04-30 Filip Pizlo <fpizlo@apple.com> | |
9029 | ||
9030 | Unreviewed, add a FIXME comment referencing https://bugs.webkit.org/show_bug.cgi?id=144458. | |
9031 | ||
9032 | * jit/JITOperations.cpp: | |
9033 | ||
9034 | 2015-04-30 Filip Pizlo <fpizlo@apple.com> | |
9035 | ||
9036 | Add a comment clarifying the behavior and semantics of getCallData/getConstructData, in | |
9037 | particular that they cannot change their minds and may be called from compiler threads. | |
9038 | ||
9039 | Rubber stamped by Geoffrey Garen. | |
9040 | ||
9041 | * runtime/JSCell.h: | |
9042 | ||
9043 | 2015-04-29 Filip Pizlo <fpizlo@apple.com> | |
9044 | ||
9045 | DFG Is<Blah> versions of TypeOf should fold based on proven input type | |
9046 | https://bugs.webkit.org/show_bug.cgi?id=144409 | |
9047 | ||
9048 | Reviewed by Geoffrey Garen. | |
9049 | ||
9050 | We were missing some obvious folding opportunities here. I don't know how this affects real | |
9051 | code, but in general, we like to ensure that our constant folding is comprehensive. So this | |
9052 | is more about placating my static analysis OCD than anything else. | |
9053 | ||
9054 | I added a bunch of speed/correctness tests for this in LayoutTests/js/regress. | |
9055 | ||
9056 | * dfg/DFGAbstractInterpreterInlines.h: | |
9057 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
9058 | ||
9059 | 2015-04-30 Yusuke Suzuki <utatane.tea@gmail.com> | |
9060 | ||
9061 | Use the default hash value for Symbolized StringImpl | |
9062 | https://bugs.webkit.org/show_bug.cgi?id=144347 | |
9063 | ||
9064 | Reviewed by Darin Adler. | |
9065 | ||
9066 | Before this patch, symbolized StringImpl* has a special hash value | |
9067 | to avoid the hash collision with the other normal StringImpl*. | |
9068 | I guess that it was introduced when private symbols were introduced. | |
9069 | However, it prevents using symbolized StringImpl* in other places. | |
9070 | For example, using it as a WTFString causes a problem because of its special hash value. | |
9071 | ||
9072 | When only using private symbols, they are not exposed to the outside of JSC, | |
9073 | so we can handle it carefully. But now, it's extended to symbols. | |
9074 | So I think storing a special hash value in StringImpl* causes an error. | |
9075 | ||
9076 | To avoid this, I propose using the usual hash value in symbolized StringImpl*. | |
9077 | And to provide a significantly different hash value when using it as a symbol, | |
9078 | store the additional hash value in symbolized StringImpl*. It is used when | |
9079 | the hash value is required by IdentifierRepHash. | |
9080 | ||
9081 | * runtime/Identifier.h: | |
9082 | (JSC::IdentifierRepHash::hash): | |
9083 | * runtime/Lookup.h: | |
9084 | (JSC::HashTable::entry): | |
9085 | * runtime/PropertyMapHashTable.h: | |
9086 | (JSC::PropertyTable::find): | |
9087 | (JSC::PropertyTable::get): | |
9088 | * runtime/Structure.cpp: | |
9089 | (JSC::PropertyTable::checkConsistency): | |
9090 | ||
9091 | 2015-04-29 Benjamin Poulain <bpoulain@apple.com> | |
9092 | ||
9093 | [JSC] Remove RageConvert array conversion | |
9094 | https://bugs.webkit.org/show_bug.cgi?id=144433 | |
9095 | ||
9096 | Reviewed by Filip Pizlo. | |
9097 | ||
9098 | RageConvert was causing a subtle bug that was hitting the Kraken crypto tests | |
9099 | pretty hard: | |
9100 | -The indexing types show that the array access varies between Int32 and DoubleArray. | |
9101 | -ArrayMode::fromObserved() decided to use the most generic type: DoubleArray. | |
9102 | An Arrayify node would convert the Int32 to that type. | |
9103 | -Somewhere, a GetByVal or PutByVal would have the flag NodeBytecodeUsesAsInt. That | |
9104 | node would use RageConvert instead of Convert. | |
9105 | -The Arrayify for that GetByVal with RageConvert would not convert the array to | |
9106 | Contiguous. | |
9107 | -All the following array accesses that do not have the flag NodeBytecodeUsesAsInt would | |
9108 | now expect a DoubleArray and always get a Contiguous Array. The CheckStructure | |
9109 | fails systematically and we never get to run the later code. | |
9110 | ||
9111 | Getting rid of RageConvert fixes the problem and does not seem to have any | |
9112 | negative side effect on other benchmarks. | |
9113 | ||
9114 | The improvements on Kraken are: | |
9115 | -stanford-crypto-aes: definitely 1.0915x faster. | |
9116 | -stanford-crypto-pbkdf2: definitely 1.2446x faster. | |
9117 | -stanford-crypto-sha256-iterative: definitely 1.0544x faster. | |
9118 | ||
9119 | * dfg/DFGAbstractInterpreterInlines.h: | |
9120 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
9121 | * dfg/DFGArrayMode.cpp: | |
9122 | (JSC::DFG::ArrayMode::refine): | |
9123 | (JSC::DFG::arrayConversionToString): | |
9124 | * dfg/DFGArrayMode.h: | |
9125 | * dfg/DFGArrayifySlowPathGenerator.h: | |
9126 | * dfg/DFGFixupPhase.cpp: | |
9127 | (JSC::DFG::FixupPhase::fixupNode): | |
9128 | * dfg/DFGOperations.cpp: | |
9129 | * dfg/DFGOperations.h: | |
9130 | * dfg/DFGPredictionPropagationPhase.cpp: | |
9131 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
9132 | * dfg/DFGTypeCheckHoistingPhase.cpp: | |
9133 | (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): | |
9134 | * ftl/FTLLowerDFGToLLVM.cpp: | |
9135 | (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): | |
9136 | * runtime/JSObject.cpp: | |
9137 | (JSC::JSObject::convertDoubleToContiguous): | |
9138 | (JSC::JSObject::ensureContiguousSlow): | |
9139 | (JSC::JSObject::genericConvertDoubleToContiguous): Deleted. | |
9140 | (JSC::JSObject::rageConvertDoubleToContiguous): Deleted. | |
9141 | (JSC::JSObject::rageEnsureContiguousSlow): Deleted. | |
9142 | * runtime/JSObject.h: | |
9143 | (JSC::JSObject::rageEnsureContiguous): Deleted. | |
9144 | ||
9145 | 2015-04-29 Joseph Pecoraro <pecoraro@apple.com> | |
9146 | ||
9147 | Gracefully handle missing auto pause key on remote inspector setup | |
9148 | https://bugs.webkit.org/show_bug.cgi?id=144411 | |
9149 | ||
9150 | Reviewed by Timothy Hatcher. | |
9151 | ||
9152 | * inspector/remote/RemoteInspector.mm: | |
9153 | (Inspector::RemoteInspector::receivedSetupMessage): | |
9154 | ||
9155 | 2015-04-29 Joseph Pecoraro <pecoraro@apple.com> | |
9156 | ||
9157 | NodeList has issues with Symbol and empty string | |
9158 | https://bugs.webkit.org/show_bug.cgi?id=144310 | |
9159 | ||
9160 | Reviewed by Darin Adler. | |
9161 | ||
9162 | * runtime/PropertyName.h: | |
9163 | (JSC::PropertyName::isSymbol): | |
9164 | Helper to check if the PropertyName is a string or symbol property. | |
9165 | ||
9166 | 2015-04-29 Alex Christensen <achristensen@webkit.org> | |
9167 | ||
9168 | Fix non-cygwin incremental builds on Windows. | |
9169 | https://bugs.webkit.org/show_bug.cgi?id=143264 | |
9170 | ||
9171 | Reviewed by Brent Fulgham. | |
9172 | ||
9173 | * generate-js-builtins: | |
9174 | Remove stale headers before calling os.rename to replace them. | |
9175 | ||
9176 | 2015-04-29 Filip Pizlo <fpizlo@apple.com> | |
9177 | ||
9178 | JSTypeInfo should have an inline type flag to indicate if getCallData() has been overridden | |
9179 | https://bugs.webkit.org/show_bug.cgi?id=144397 | |
9180 | ||
9181 | Reviewed by Andreas Kling. | |
9182 | ||
9183 | Add the flag to JSTypeInfo. It's an inline flag so that it's fast to query. Slap the flag on | |
9184 | callback objects and internal functions. Modify the TypeOf operation to use this flag to avoid | |
9185 | making a getCallData() call if it isn't necessary. | |
9186 | ||
9187 | * API/JSCallbackObject.h: | |
9188 | * runtime/InternalFunction.h: | |
9189 | * runtime/JSTypeInfo.h: | |
9190 | (JSC::TypeInfo::typeOfShouldCallGetCallData): | |
9191 | * runtime/Operations.cpp: | |
9192 | (JSC::jsTypeStringForValue): | |
9193 | * tests/stress/type-of-functions-and-objects.js: Added. | |
9194 | (foo): | |
9195 | (bar): | |
9196 | (baz): | |
9197 | (fuzz): | |
9198 | (expect): | |
9199 | (test): | |
9200 | ||
9201 | 2015-04-28 Geoffrey Garen <ggaren@apple.com> | |
9202 | ||
9203 | It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array. | |
9204 | https://bugs.webkit.org/show_bug.cgi?id=144013 | |
9205 | ||
9206 | Reviewed by Mark Lam. | |
9207 | ||
9208 | This patch implements Array.prototype.sort in JavaScript, removing the | |
9209 | C++ implementations. It is simpler and less error-prone to express our | |
9210 | operations in JavaScript, which provides memory safety, exception safety, | |
9211 | and recursion safety. | |
9212 | ||
9213 | The performance result is mixed, but net positive in my opinion. It's | |
9214 | difficult to enumerate all the results, since we used to have so many | |
9215 | different sorting modes, and there are lots of different data patterns | |
9216 | across which you might want to measure sorting. Suffice it to say: | |
9217 | ||
9218 | (*) The benchmarks we track are faster or unchanged. | |
9219 | ||
9220 | (*) Sorting random input using a comparator -- which we think is | |
9221 | common -- is 3X faster. | |
9222 | ||
9223 | (*) Sorting random input in a non-array object -- which jQuery does | |
9224 | -- is 4X faster. | |
9225 | ||
9226 | (*) Sorting random input in a compact array of integers using a | |
9227 | trivial pattern-matchable comparator is 2X *slower*. | |
9228 | ||
9229 | * builtins/Array.prototype.js: | |
9230 | (sort.min): | |
9231 | (sort.stringComparator): | |
9232 | (sort.compactSparse): Special case compaction for sparse arrays because | |
9233 | we don't want to hang when sorting new Array(BIG). | |
9234 | ||
9235 | (sort.compact): | |
9236 | (sort.merge): | |
9237 | (sort.mergeSort): Use merge sort because it's a reasonably efficient | |
9238 | stable sort. We have evidence that some sites depend on stable sort, | |
9239 | even though the ES6 spec does not mandate it. (See | |
9240 | <http://trac.webkit.org/changeset/33967>.) | |
9241 | ||
9242 | This is a textbook implementation of merge sort with three optimizations: | |
9243 | ||
9244 | (1) Use iteration instead of recursion; | |
9245 | ||
9246 | (2) Use array subscripting instead of array copying in order to | |
9247 | create logical sub-lists without creating physical sub-lists; | |
9248 | ||
9249 | (3) Swap src and dst at each iteration instead of copying src into | |
9250 | dst, and only copy src into the subject array at the end if src is | |
9251 | not the subject array. | |
9252 | ||
9253 | (sort.inflate): | |
9254 | (sort.comparatorSort): | |
9255 | (sort): Sort in JavaScript for the win. | |
9256 | ||
9257 | * builtins/BuiltinExecutables.cpp: | |
9258 | (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private | |
9259 | names so we can use helper functions. | |
9260 | ||
9261 | * bytecode/CodeBlock.h: | |
9262 | (JSC::CodeBlock::isNumericCompareFunction): Deleted. | |
9263 | * bytecode/UnlinkedCodeBlock.cpp: | |
9264 | (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): | |
9265 | * bytecode/UnlinkedCodeBlock.h: | |
9266 | (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted. | |
9267 | (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted. | |
9268 | * bytecompiler/BytecodeGenerator.cpp: | |
9269 | (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted. | |
9270 | * bytecompiler/BytecodeGenerator.h: | |
9271 | * bytecompiler/NodesCodegen.cpp: | |
9272 | (JSC::FunctionNode::emitBytecode): We don't do this special casing based | |
9273 | on pattern matching anymore. This was mainly an optimization to avoid | |
9274 | the overhead of calling from C++ to JS, which we now avoid by | |
9275 | sorting in JS. | |
9276 | ||
9277 | * heap/Heap.cpp: | |
9278 | (JSC::Heap::markRoots): | |
9279 | (JSC::Heap::pushTempSortVector): Deleted. | |
9280 | (JSC::Heap::popTempSortVector): Deleted. | |
9281 | (JSC::Heap::visitTempSortVectors): Deleted. | |
9282 | * heap/Heap.h: We don't have temp sort vectors anymore because we sort | |
9283 | in JavaScript using a normal JavaScript array for our temporary storage. | |
9284 | ||
9285 | * parser/Parser.cpp: | |
9286 | (JSC::Parser<LexerType>::parseInner): Allow capturing so we can use | |
9287 | helper functions. | |
9288 | ||
9289 | * runtime/ArrayPrototype.cpp: | |
9290 | (JSC::isNumericCompareFunction): Deleted. | |
9291 | (JSC::attemptFastSort): Deleted. | |
9292 | (JSC::performSlowSort): Deleted. | |
9293 | (JSC::arrayProtoFuncSort): Deleted. | |
9294 | ||
9295 | * runtime/CommonIdentifiers.h: New strings used by sort. | |
9296 | ||
9297 | * runtime/JSArray.cpp: | |
9298 | (JSC::compareNumbersForQSortWithInt32): Deleted. | |
9299 | (JSC::compareNumbersForQSortWithDouble): Deleted. | |
9300 | (JSC::compareNumbersForQSort): Deleted. | |
9301 | (JSC::compareByStringPairForQSort): Deleted. | |
9302 | (JSC::JSArray::sortNumericVector): Deleted. | |
9303 | (JSC::JSArray::sortNumeric): Deleted. | |
9304 | (JSC::ContiguousTypeAccessor::getAsValue): Deleted. | |
9305 | (JSC::ContiguousTypeAccessor::setWithValue): Deleted. | |
9306 | (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. | |
9307 | (JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted. | |
9308 | (JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted. | |
9309 | (JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted. | |
9310 | (JSC::JSArray::sortCompactedVector): Deleted. | |
9311 | (JSC::JSArray::sort): Deleted. | |
9312 | (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted. | |
9313 | (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted. | |
9314 | (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted. | |
9315 | (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted. | |
9316 | (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted. | |
9317 | (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted. | |
9318 | (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted. | |
9319 | (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted. | |
9320 | (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted. | |
9321 | (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted. | |
9322 | (JSC::JSArray::sortVector): Deleted. | |
9323 | (JSC::JSArray::compactForSorting): Deleted. | |
9324 | * runtime/JSArray.h: | |
9325 | ||
9326 | * runtime/JSGlobalObject.cpp: | |
9327 | (JSC::JSGlobalObject::init): | |
9328 | * runtime/ObjectConstructor.cpp: | |
9329 | (JSC::ObjectConstructor::finishCreation): Provide some builtins used | |
9330 | by sort. | |
9331 | ||
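Added example, not WebKit's builtins/Array.prototype.js: a stable bottom-up merge sort with the three optimizations the entry lists (iteration, index ranges instead of copied sub-lists, src/dst swapping with a single copy-back), plus a sparse-safe compact/inflate step so that sorting new Array(BIG) holding a few elements visits only the indices that exist; the function names (mergeRuns, mergeSort, compact, inflate, stableSort) are this example's own.

```javascript
// Merge src[left, leftEnd) and src[leftEnd, rightEnd) into dst starting at left.
// An element from the right run is taken only when it is strictly smaller,
// which is what keeps equal elements in input order (stability).
function mergeRuns(dst, src, left, leftEnd, rightEnd, comparator) {
  let l = left, r = leftEnd, d = left;
  while (l < leftEnd && r < rightEnd) {
    if (comparator(src[r], src[l]) < 0) dst[d++] = src[r++];
    else dst[d++] = src[l++];
  }
  while (l < leftEnd) dst[d++] = src[l++];
  while (r < rightEnd) dst[d++] = src[r++];
}

// (1) iterate over doubling run widths instead of recursing;
// (2) runs are index ranges over src, never physical sub-arrays;
// (3) swap src and dst after each pass and copy back into `values` only if
//     the final result landed in the scratch array.
function mergeSort(values, comparator) {
  const length = values.length;
  let src = values;
  let dst = new Array(length);
  for (let width = 1; width < length; width *= 2) {
    for (let left = 0; left < length; left += 2 * width) {
      const leftEnd = Math.min(left + width, length);
      const rightEnd = Math.min(left + 2 * width, length);
      mergeRuns(dst, src, left, leftEnd, rightEnd, comparator);
    }
    const tmp = src; src = dst; dst = tmp;
  }
  if (src !== values) for (let i = 0; i < length; i++) values[i] = src[i];
  return values;
}

// Compaction via Object.keys touches only existing indices, so a sparse
// new Array(1e9) with three elements costs three iterations rather than 1e9.
// Integer keys come back in ascending order, preserving input order for
// stability. Returns the defined values, the number of undefineds, and the
// original indices so inflate can turn the vacated ones back into holes.
function compact(array) {
  const values = [];
  const indices = [];
  let undefinedCount = 0;
  for (const key of Object.keys(array)) {
    const index = Number(key);
    if (!Number.isInteger(index) || String(index) !== key) continue; // not an array index
    if (index < 0 || index >= array.length) continue;
    indices.push(index);
    const value = array[index];
    if (value === undefined) undefinedCount++;
    else values.push(value);
  }
  return { values, undefinedCount, indices };
}

// Spec ordering on the way back: sorted values, then undefineds, then holes.
function inflate(array, values, undefinedCount, indices) {
  let i = 0;
  for (const value of values) array[i++] = value;
  for (let u = 0; u < undefinedCount; u++) array[i++] = undefined;
  for (const index of indices) if (index >= i) delete array[index];
  return array;
}

function stableSort(array, comparator) {
  const { values, undefinedCount, indices } = compact(array);
  mergeSort(values, comparator);
  return inflate(array, values, undefinedCount, indices);
}
```
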
9332 | 2015-04-29 Mark Lam <mark.lam@apple.com> | |
9333 | ||
9334 | Safari WebKit crash when loading Google Spreadsheet. | |
9335 | https://bugs.webkit.org/show_bug.cgi?id=144020 | |
9336 | ||
9337 | Reviewed by Filip Pizlo. | |
9338 | ||
9339 | The bug is that the object allocation sinking phase did not account for a case | |
9340 | where a property of a sunken object is only initialized on one path and not | |
9341 | another. As a result, on the path where the property is not initialized, we'll | |
9342 | encounter an Upsilon with a BottomValue (which is not allowed by definition). | |
9343 | ||
9344 | The fix is to use a JSConstant(undefined) as the bottom value instead (of | |
9345 | BottomValue). If the property is uninitialized, it should still be accessible | |
9346 | and have the value undefined. | |
9347 | ||
9348 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
9349 | (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): | |
9350 | * tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added. | |
9351 | (foo): | |
9352 | (foo2): | |
9353 | ||
9354 | 2015-04-29 Yusuke Suzuki <utatane.tea@gmail.com> | |
9355 | ||
9356 | REGRESSION (r183373): ASSERT failed in wtf/SHA1.h | |
9357 | https://bugs.webkit.org/show_bug.cgi?id=144257 | |
9358 | ||
9359 | Reviewed by Darin Adler. | |
9360 | ||
9361 | SHA1 is used to calculate CodeBlockHash. | |
9362 | To calculate hash value, we pass the source code UTF-8 CString to SHA1::addBytes. | |
9363 | However, the source code can contain a null character. | |
9364 | So when performing `strlen` on the source code's CString, it returns an incorrect length. | |
9365 | In SHA1::addBytes, there's an assertion `input.length() == strlen(string)`, and it fails. | |
9366 | ||
9367 | In template-literal-syntax.js, we perform `eval` with a script that contains "\0". | |
9368 | As a result, `strlen(string)` is accidentally shortened by the contained "\0", and the assertion fails. | |
9369 | ||
9370 | CString will be changed not to contain a null character [1]. However, inserting the assertion here | |
9371 | is not correct, because: | |
9372 | ||
9373 | 1. If CString should not contain a null character, this should be asserted in CString side instead of SHA1::addBytes. | |
9374 | 2. If CString can contain a null character, this assertion becomes incorrect. | |
9375 | ||
9376 | So this patch just drops the assertion. | |
9377 | ||
9378 | In the current implementation, we first convert the entire source code to a newly allocated | |
9379 | UTF-8 string and pass it to the SHA1 processing. However, this is memory consuming. | |
9380 | Ideally, we should stream the decoded bytes into the SHA1 processing iteratively. | |
9381 | We'll implement it in a separate patch [2]. | |
9382 | ||
9383 | [1]: https://bugs.webkit.org/show_bug.cgi?id=144339 | |
9384 | [2]: https://bugs.webkit.org/show_bug.cgi?id=144263 | |
9385 | ||
9386 | * tests/stress/eval-script-contains-null-character.js: Added. | |
9387 | (shouldBe): | |
9388 | (test): | |
9389 | * tests/stress/template-literal-line-terminators.js: | |
9390 | * tests/stress/template-literal-syntax.js: | |
9391 | * tests/stress/template-literal.js: | |
9392 | ||
9393 | 2015-04-29 Filip Pizlo <fpizlo@apple.com> | |
9394 | ||
9395 | Evict IsEnvironmentRecord from inline type flags | |
9396 | https://bugs.webkit.org/show_bug.cgi?id=144398 | |
9397 | ||
9398 | Reviewed by Mark Lam and Michael Saboff. | |
9399 | ||
9400 | In https://bugs.webkit.org/show_bug.cgi?id=144397, we'll need an extra bit in the inline | |
9401 | type flags. This change picks the least important inline type flag - IsEnvironmentRecord - | |
9402 | and evicts it into the out-of-line type flags. This change has no performance implications | |
9403 | because we never even accessed IsEnvironmentRecord via the StructureIDBlob. The only place | |
9404 | where we access it at all is in String.prototype.repeat, and there we already load the | |
9405 | structure anyway. | |
9406 | ||
9407 | * runtime/JSTypeInfo.h: | |
9408 | (JSC::TypeInfo::implementsHasInstance): | |
9409 | (JSC::TypeInfo::structureIsImmortal): | |
9410 | (JSC::TypeInfo::isEnvironmentRecord): | |
9411 | ||
9412 | 2015-04-29 Darin Adler <darin@apple.com> | |
9413 | ||
9414 | [ES6] Implement Unicode code point escapes | |
9415 | https://bugs.webkit.org/show_bug.cgi?id=144377 | |
9416 | ||
9417 | Reviewed by Antti Koivisto. | |
9418 | ||
9419 | * parser/Lexer.cpp: Moved the UnicodeHexValue class in here from | |
9420 | the header. Made it a non-member class so it doesn't need to be part | |
9421 | of a template. Made it use UChar32 instead of int for the value to | |
9422 | make it clearer what goes into this class. | |
9423 | (JSC::ParsedUnicodeEscapeValue::isIncomplete): Added. Replaces the | |
9424 | old type() function. | |
9425 | (JSC::Lexer<CharacterType>::parseUnicodeEscape): Renamed from | |
9426 | parseFourDigitUnicodeHex and added support for code point escapes. | |
9427 | (JSC::isLatin1): Added an overload for UChar32. | |
9428 | (JSC::isIdentStart): Changed this to take UChar32; no caller tries | |
9429 | to call it with a UChar, so no need to overload for that type for now. | |
9430 | (JSC::isNonLatin1IdentPart): Changed argument type to UChar32 for clarity. | |
9431 | Also added FIXME about a subtle ES6 change that we might want to make later. | |
9432 | (JSC::isIdentPart): Changed this to take UChar32; no caller tries | |
9433 | to call it with a UChar, so no need to overload for that type for now. | |
9434 | (JSC::isIdentPartIncludingEscapeTemplate): Made this a template so that we | |
9435 | don't need to repeat the code twice. Added code to handle code point escapes. | |
9436 | (JSC::isIdentPartIncludingEscape): Call the template instead of having the | |
9437 | code in line. | |
9438 | (JSC::Lexer<CharacterType>::recordUnicodeCodePoint): Added. | |
9439 | (JSC::Lexer<CharacterType>::parseIdentifierSlowCase): Made small tweaks and | |
9440 | updated to call parseUnicodeEscape instead of parseFourDigitUnicodeHex. | |
9441 | (JSC::Lexer<CharacterType>::parseComplexEscape): Call parseUnicodeEscape | |
9442 | instead of parseFourDigitUnicodeHex. Move the code to handle "\u" before | |
9443 | the code that handles the escapes, since the code point escape code now | |
9444 | consumes characters while parsing rather than peeking ahead. Test case | |
9445 | covers this: Symptom would be that "\u{" would evaluate to "u" instead of | |
9446 | giving a syntax error. | |
9447 | ||
9448 | * parser/Lexer.h: Updated for above changes. | |
9449 | ||
9450 | * runtime/StringConstructor.cpp: | |
9451 | (JSC::stringFromCodePoint): Use ICU's UCHAR_MAX_VALUE instead of writing | |
9452 | out 0x10FFFF; clearer this way. | |
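The entry above describes a lexer that now consumes characters while parsing `\u{...}`, so an incomplete "\u{" is a syntax error instead of decoding to "u". As an added illustration (not JavaScriptCore's code), the following stand-alone decoder handles both the four-digit form and the code point form with the same 0x10FFFF bound; the function and variable names are this example's own.

```javascript
// Added example, not JavaScriptCore's lexer: a reference decoder for the two
// ES6 Unicode escape forms discussed in the entry above.
//   \uXXXX     exactly four hex digits
//   \u{X...}   one or more hex digits, value must not exceed 0x10FFFF
// Characters are consumed as they are parsed, so "\u{" with nothing after it
// is reported as an error rather than silently decoding to "u".

const MAX_CODE_POINT = 0x10FFFF; // same bound as ICU's UCHAR_MAX_VALUE

function hexValue(ch) {
  if (ch === undefined) return -1;
  const c = ch.charCodeAt(0);
  if (c >= 0x30 && c <= 0x39) return c - 0x30;       // 0-9
  if (c >= 0x41 && c <= 0x46) return c - 0x41 + 10;  // A-F
  if (c >= 0x61 && c <= 0x66) return c - 0x61 + 10;  // a-f
  return -1;
}

// Parse the text that follows "\u", starting at src[pos].
// Returns { codePoint, next } on success or { error } on a bad escape.
function parseUnicodeEscape(src, pos) {
  if (src[pos] === '{') {
    let i = pos + 1;
    let value = 0;
    let digits = 0;
    for (;; i++) {
      const h = hexValue(src[i]);
      if (h < 0) break;
      value = value * 16 + h;
      digits++;
      // Stop as soon as the value can no longer be a code point, so a long
      // run of digits cannot push the accumulator out of range.
      if (value > MAX_CODE_POINT) return { error: 'code point out of range' };
    }
    if (digits === 0) return { error: 'expected hex digit after \\u{' };
    if (src[i] !== '}') return { error: 'unterminated \\u{ escape' };
    return { codePoint: value, next: i + 1 };
  }
  // Classic four-digit form: exactly four hex digits are required.
  let value = 0;
  for (let i = 0; i < 4; i++) {
    const h = hexValue(src[pos + i]);
    if (h < 0) return { error: 'expected four hex digits after \\u' };
    value = value * 16 + h;
  }
  return { codePoint: value, next: pos + 4 };
}

// Decode the body of a string literal (quotes removed), expanding only the
// \u escapes and throwing SyntaxError where a lexer would reject the input.
function decodeStringLiteralBody(body) {
  let out = '';
  let i = 0;
  while (i < body.length) {
    if (body[i] === '\\' && body[i + 1] === 'u') {
      const r = parseUnicodeEscape(body, i + 2);
      if (r.error) throw new SyntaxError(`Invalid unicode escape at ${i}: ${r.error}`);
      out += String.fromCodePoint(r.codePoint);
      i = r.next;
    } else {
      out += body[i];
      i++;
    }
  }
  return out;
}

// Helper for checking that a literal body is rejected with SyntaxError.
function isRejected(body) {
  try {
    decodeStringLiteralBody(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```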
9453 | ||
9454 | 2015-04-29 Martin Robinson <mrobinson@igalia.com> | |
9455 | ||
9456 | [CMake] [GTK] Organize and clean up unused CMake variables | |
9457 | https://bugs.webkit.org/show_bug.cgi?id=144364 | |
9458 | ||
9459 | Reviewed by Gyuyoung Kim. | |
9460 | ||
9461 | * PlatformGTK.cmake: Add variables specific to this project. | |
9462 | ||
9463 | 2015-04-28 Filip Pizlo <fpizlo@apple.com> | |
9464 | ||
9465 | TypeOf should return SpecStringIdent and the DFG should know this | |
9466 | https://bugs.webkit.org/show_bug.cgi?id=144376 | |
9467 | ||
9468 | Reviewed by Andreas Kling. | |
9469 | ||
9470 | Make TypeOf return atomic strings. That's a simple change in SmallStrings. | |
9471 | ||
9472 | Make the DFG know this and use it for optimization. This makes Switch(TypeOf) a bit less | |
9473 | bad. | |
9474 | ||
9475 | * dfg/DFGAbstractInterpreterInlines.h: | |
9476 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
9477 | * dfg/DFGAbstractValue.cpp: | |
9478 | (JSC::DFG::AbstractValue::setType): | |
9479 | * dfg/DFGAbstractValue.h: | |
9480 | (JSC::DFG::AbstractValue::setType): | |
9481 | * dfg/DFGInPlaceAbstractState.cpp: | |
9482 | (JSC::DFG::InPlaceAbstractState::initialize): | |
9483 | * dfg/DFGPredictionPropagationPhase.cpp: | |
9484 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
9485 | * runtime/SmallStrings.cpp: | |
9486 | (JSC::SmallStrings::initialize): | |
9487 | * tests/stress/switch-typeof-indirect.js: Added. | |
9488 | (bar): | |
9489 | (foo): | |
9490 | (test): | |
9491 | * tests/stress/switch-typeof-slightly-indirect.js: Added. | |
9492 | (foo): | |
9493 | (test): | |
9494 | * tests/stress/switch-typeof.js: Added. | |
9495 | (foo): | |
9496 | (test): | |
9497 | ||
9498 | 2015-04-29 Joseph Pecoraro <pecoraro@apple.com> | |
9499 | ||
9500 | REGRESSION(181868): Windows Live SkyDrive cannot open an excel file | |
9501 | https://bugs.webkit.org/show_bug.cgi?id=144373 | |
9502 | ||
9503 | Reviewed by Darin Adler. | |
9504 | ||
9505 | Revert r181868 as it caused a failure on live.com. We can try | |
9506 | re-enabling this exception after we make idl attributes configurable, | |
9507 | which may have prevented this particular failure. | |
9508 | ||
9509 | * runtime/ObjectPrototype.cpp: | |
9510 | (JSC::objectProtoFuncDefineGetter): | |
9511 | (JSC::objectProtoFuncDefineSetter): | |
9512 | ||
9513 | 2015-04-28 Joseph Pecoraro <pecoraro@apple.com> | |
9514 | ||
9515 | Deadlock on applications using JSContext on non-main thread | |
9516 | https://bugs.webkit.org/show_bug.cgi?id=144370 | |
9517 | ||
9518 | Reviewed by Timothy Hatcher. | |
9519 | ||
9520 | * inspector/remote/RemoteInspector.mm: | |
9521 | (Inspector::RemoteInspector::singleton): | |
9522 | Prevent a possible deadlock by assuming we can synchronously | |
9523 | run something on the main queue at this time. | |
9524 | ||
9525 | 2015-04-28 Filip Pizlo <fpizlo@apple.com> | |
9526 | ||
9527 | FTL should fully support Switch (it currently lacks the SwitchString variant) | |
9528 | https://bugs.webkit.org/show_bug.cgi?id=144348 | |
9529 | ||
9530 | Reviewed by Benjamin Poulain. | |
9531 | ||
9532 | This adds SwitchString support to the FTL. This is already tested by switch microbenchmarks | |
9533 | in LayoutTests/js/regress. | |
9534 | ||
9535 | * dfg/DFGCommon.cpp: | |
9536 | (JSC::DFG::stringLessThan): | |
9537 | * dfg/DFGCommon.h: | |
9538 | * dfg/DFGOperations.cpp: | |
9539 | * dfg/DFGOperations.h: | |
9540 | * dfg/DFGSpeculativeJIT.cpp: | |
9541 | (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): Deleted. | |
9542 | * dfg/DFGSpeculativeJIT.h: | |
9543 | (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): | |
9544 | * ftl/FTLCapabilities.cpp: | |
9545 | (JSC::FTL::canCompile): | |
9546 | * ftl/FTLIntrinsicRepository.h: | |
9547 | * ftl/FTLLowerDFGToLLVM.cpp: | |
9548 | (JSC::FTL::LowerDFGToLLVM::compileSwitch): | |
9549 | (JSC::FTL::LowerDFGToLLVM::switchString): | |
9550 | (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::StringSwitchCase): | |
9551 | (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::operator<): | |
9552 | (JSC::FTL::LowerDFGToLLVM::CharacterCase::CharacterCase): | |
9553 | (JSC::FTL::LowerDFGToLLVM::CharacterCase::operator<): | |
9554 | (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): | |
9555 | (JSC::FTL::LowerDFGToLLVM::switchStringSlow): | |
9556 | (JSC::FTL::LowerDFGToLLVM::appendOSRExit): | |
9557 | * ftl/FTLOutput.cpp: | |
9558 | (JSC::FTL::Output::check): | |
9559 | * ftl/FTLOutput.h: | |
9560 | * ftl/FTLWeight.h: | |
9561 | (JSC::FTL::Weight::inverse): | |
9562 | * jit/JITOperations.h: | |
9563 | ||
9564 | 2015-04-28 Michael Catanzaro <mcatanzaro@igalia.com> | |
9565 | ||
9566 | Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT | |
9567 | https://bugs.webkit.org/show_bug.cgi?id=144304 | |
9568 | ||
9569 | Reviewed by Geoffrey Garen. | |
9570 | ||
9571 | * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of | |
9572 | ENABLE_LLINT_C_LOOP, disabled by default. | |
9573 | * llint/LLIntSlowPaths.cpp: | |
9574 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP. | |
9575 | ||
9576 | 2015-04-28 Commit Queue <commit-queue@webkit.org> | |
9577 | ||
9578 | Unreviewed, rolling out r183514. | |
9579 | https://bugs.webkit.org/show_bug.cgi?id=144359 | |
9580 | ||
9581 | It broke cloop test bots (Requested by mcatanzaro on #webkit). | |
9582 | ||
9583 | Reverted changeset: | |
9584 | ||
9585 | "Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT" | |
9586 | https://bugs.webkit.org/show_bug.cgi?id=144304 | |
9587 | http://trac.webkit.org/changeset/183514 | |
9588 | ||
9589 | 2015-04-28 Michael Catanzaro <mcatanzaro@igalia.com> | |
9590 | ||
9591 | Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT | |
9592 | https://bugs.webkit.org/show_bug.cgi?id=144304 | |
9593 | ||
9594 | Reviewed by Geoffrey Garen. | |
9595 | ||
9596 | * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of | |
9597 | ENABLE_LLINT_C_LOOP, disabled by default. | |
9598 | * llint/LLIntSlowPaths.cpp: | |
9599 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP. | |
9600 | ||
9601 | 2015-04-28 Joseph Pecoraro <pecoraro@apple.com> | |
9602 | ||
9603 | Fix common typo "targetting" => "targeting" | |
9604 | https://bugs.webkit.org/show_bug.cgi?id=144349 | |
9605 | ||
9606 | Reviewed by Daniel Bates. | |
9607 | ||
9608 | * bytecode/ExecutionCounter.h: | |
9609 | ||
9610 | 2015-04-28 Yusuke Suzuki <utatane.tea@gmail.com> | |
9611 | ||
9612 | Update the features.json for WeakSet, WeakMap, Template literals, Tagged templates | |
9613 | https://bugs.webkit.org/show_bug.cgi?id=144328 | |
9614 | ||
9615 | Reviewed by Andreas Kling. | |
9616 | ||
9617 | Update the status of ES6 features. | |
9618 | ||
9619 | * features.json: | |
9620 | ||
9621 | 2015-04-28 Filip Pizlo <fpizlo@apple.com> | |
9622 | ||
9623 | DFG should not use or preserve Phantoms during transformations | |
9624 | https://bugs.webkit.org/show_bug.cgi?id=143736 | |
9625 | ||
9626 | Reviewed by Geoffrey Garen. | |
9627 | ||
9628 | Since http://trac.webkit.org/changeset/183207 and http://trac.webkit.org/changeset/183406, it is | |
9629 | no longer necessary to preserve Phantoms during transformations. They are still useful just | |
9630 | before FixupPhase to support backwards propagation analyses. They are still inserted late in the | |
9631 | game in the DFG backend. But transformations don't need to worry about them. Inside a basic | |
9632 | block, we can be sure that so long as the IR pinpoints the place where the value becomes | |
9633 | available in a bytecode register (using MovHint) and so long as there is a SetLocal anytime some | |
9634 | other block would need the value (either for OSR or for DFG execution), then we don't need any | |
9635 | liveness markers. | |
9636 | ||
9637 | So, this removes any places where we inserted Phantoms just for liveness during transformation | |
9638 | and it replaces convertToPhantom() with remove(), which just converts the node to a Check. A | |
9639 | Check node only keeps its children so long as those children have checks. | |
9640 | ||
9641 | The fact that we no longer convertToPhantom() means that we have to be more careful when | |
9642 | constant-folding GetLocal. Previously we would convertToPhantom() and use the fact that | |
9643 | Phantom(Phi) was a valid construct. It's not valid anymore. So, when constant folding encounters | |
9644 | a GetLocal it needs to insert a PhantomLocal directly. This allows us to simplify | |
9645 | Graph::convertToConstant() a bit. Luckily, none of the other users of this method would see | |
9646 | GetLocals. | |
9647 | ||
9648 | The only Phantom-like cruft left over after this patch is: | |
9649 | ||
9650 | - Phantoms before FixupPhase. I kind of like these. It means that before FixupPhase, we can do | |
9651 | backwards analyses and rely on the fact that the users of a node in DFG IR are a superset of | |
9652 | the users of the original local's live range in bytecode. This is essential for supporting our | |
9653 | BackwardsPropagationPhase, which is an important optimization for things like asm.js. | |
9654 | ||
9655 | - PhantomLocals and GetLocals being NodeMustGenerate. See discussion in | |
9656 | https://bugs.webkit.org/show_bug.cgi?id=144086. It appears that this is not as evil as the | |
9657 | alternatives. The best long-term plan is to simply ditch the ThreadedCPS IR entirely and have | |
9658 | the DFG use SSA. For now, so long as any new DFG optimizations we add are block-local and | |
9659 | treat GetLocal/SetLocal conservatively, this should all be sound. | |
9660 | ||
9661 | This change should be perf-neutral although it does reduce the total work that the compiler | |
9662 | does. | |
9663 | ||
9664 | * CMakeLists.txt: | |
9665 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
9666 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
9667 | * dfg/DFGAdjacencyList.h: | |
9668 | (JSC::DFG::AdjacencyList::justChecks): | |
9669 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
9670 | * dfg/DFGBasicBlock.cpp: | |
9671 | (JSC::DFG::BasicBlock::replaceTerminal): | |
9672 | * dfg/DFGBasicBlock.h: | |
9673 | (JSC::DFG::BasicBlock::findTerminal): | |
9674 | * dfg/DFGCFGSimplificationPhase.cpp: | |
9675 | (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): | |
9676 | (JSC::DFG::CFGSimplificationPhase::mergeBlocks): | |
9677 | * dfg/DFGCPSRethreadingPhase.cpp: | |
9678 | (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase): | |
9679 | (JSC::DFG::CPSRethreadingPhase::clearVariables): | |
9680 | (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): | |
9681 | (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): | |
9682 | * dfg/DFGCSEPhase.cpp: | |
9683 | * dfg/DFGCleanUpPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp. | |
9684 | (JSC::DFG::CleanUpPhase::CleanUpPhase): | |
9685 | (JSC::DFG::CleanUpPhase::run): | |
9686 | (JSC::DFG::performCleanUp): | |
9687 | (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase): Deleted. | |
9688 | (JSC::DFG::PhantomRemovalPhase::run): Deleted. | |
9689 | (JSC::DFG::performPhantomRemoval): Deleted. | |
9690 | * dfg/DFGCleanUpPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h. | |
9691 | * dfg/DFGConstantFoldingPhase.cpp: | |
9692 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
9693 | (JSC::DFG::ConstantFoldingPhase::addBaseCheck): | |
9694 | (JSC::DFG::ConstantFoldingPhase::fixUpsilons): | |
9695 | * dfg/DFGDCEPhase.cpp: | |
9696 | (JSC::DFG::DCEPhase::run): | |
9697 | (JSC::DFG::DCEPhase::fixupBlock): | |
9698 | (JSC::DFG::DCEPhase::cleanVariables): | |
9699 | * dfg/DFGFixupPhase.cpp: | |
9700 | (JSC::DFG::FixupPhase::fixupBlock): | |
9701 | (JSC::DFG::FixupPhase::fixupNode): | |
9702 | (JSC::DFG::FixupPhase::convertStringAddUse): | |
9703 | (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): | |
9704 | (JSC::DFG::FixupPhase::checkArray): | |
9705 | (JSC::DFG::FixupPhase::fixIntConvertingEdge): | |
9706 | (JSC::DFG::FixupPhase::fixIntOrBooleanEdge): | |
9707 | (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge): | |
9708 | (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): | |
9709 | (JSC::DFG::FixupPhase::tryToRelaxRepresentation): | |
9710 | (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): | |
9711 | (JSC::DFG::FixupPhase::addRequiredPhantom): Deleted. | |
9712 | (JSC::DFG::FixupPhase::addPhantomsIfNecessary): Deleted. | |
9713 | * dfg/DFGGraph.cpp: | |
9714 | (JSC::DFG::Graph::convertToConstant): | |
9715 | (JSC::DFG::Graph::mergeRelevantToOSR): Deleted. | |
9716 | * dfg/DFGGraph.h: | |
9717 | * dfg/DFGInsertionSet.h: | |
9718 | (JSC::DFG::InsertionSet::insertCheck): | |
9719 | * dfg/DFGIntegerCheckCombiningPhase.cpp: | |
9720 | (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): | |
9721 | * dfg/DFGLICMPhase.cpp: | |
9722 | (JSC::DFG::LICMPhase::attemptHoist): | |
9723 | * dfg/DFGNode.cpp: | |
9724 | (JSC::DFG::Node::remove): | |
9725 | * dfg/DFGNode.h: | |
9726 | (JSC::DFG::Node::replaceWith): | |
9727 | (JSC::DFG::Node::convertToPhantom): Deleted. | |
9728 | (JSC::DFG::Node::convertToCheck): Deleted. | |
9729 | (JSC::DFG::Node::willHaveCodeGenOrOSR): Deleted. | |
9730 | * dfg/DFGNodeFlags.h: | |
9731 | * dfg/DFGNodeType.h: | |
9732 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
9733 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
9734 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
9735 | * dfg/DFGPhantomCanonicalizationPhase.cpp: Removed. | |
9736 | * dfg/DFGPhantomCanonicalizationPhase.h: Removed. | |
9737 | * dfg/DFGPhantomRemovalPhase.cpp: Removed. | |
9738 | * dfg/DFGPhantomRemovalPhase.h: Removed. | |
9739 | * dfg/DFGPlan.cpp: | |
9740 | (JSC::DFG::Plan::compileInThreadImpl): | |
9741 | * dfg/DFGPutStackSinkingPhase.cpp: | |
9742 | * dfg/DFGResurrectionForValidationPhase.cpp: Removed. | |
9743 | * dfg/DFGResurrectionForValidationPhase.h: Removed. | |
9744 | * dfg/DFGSSAConversionPhase.cpp: | |
9745 | (JSC::DFG::SSAConversionPhase::run): | |
9746 | * dfg/DFGSpeculativeJIT64.cpp: | |
9747 | (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): | |
9748 | * dfg/DFGStoreBarrierElisionPhase.cpp: | |
9749 | (JSC::DFG::StoreBarrierElisionPhase::elideBarrier): | |
9750 | * dfg/DFGStrengthReductionPhase.cpp: | |
9751 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
9752 | (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild): | |
9753 | * dfg/DFGValidate.cpp: | |
9754 | (JSC::DFG::Validate::validate): | |
9755 | (JSC::DFG::Validate::validateCPS): | |
9756 | (JSC::DFG::Validate::validateSSA): | |
9757 | * dfg/DFGVarargsForwardingPhase.cpp: | |
9758 | * ftl/FTLLink.cpp: | |
9759 | (JSC::FTL::link): | |
9760 | * ftl/FTLLowerDFGToLLVM.cpp: | |
9761 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
9762 | (JSC::FTL::LowerDFGToLLVM::compileNoOp): | |
9763 | (JSC::FTL::LowerDFGToLLVM::compilePhantom): Deleted. | |
9764 | ||
9765 | 2015-04-28 Andreas Kling <akling@apple.com> | |
9766 | ||
9767 | DFG+FTL should generate efficient code for branching on a string's boolean value. | |
9768 | <https://webkit.org/b/144317> | |
9769 | ||
9770 | Reviewed by Geoff Garen & Filip Pizlo. | |
9771 | ||
9772 | Teach Branch nodes about StringUse and have them generate an efficient zero-length string check | |
9773 | instead of dropping out to C++ whenever we branch on a string. | |
9774 | ||
9775 | The FTL JIT already handled Branch nodes with StringUse through its use of boolify(), so only | |
9776 | the DFG JIT gets some new codegen logic in this patch. | |
9777 | ||
9778 | Test: js/regress/branch-on-string-as-boolean.js (~4.5x speedup) | |
9779 | ||
9780 | * dfg/DFGFixupPhase.cpp: | |
9781 | (JSC::DFG::FixupPhase::fixupNode): | |
9782 | * dfg/DFGSpeculativeJIT.cpp: | |
9783 | (JSC::DFG::SpeculativeJIT::emitStringBranch): | |
9784 | * dfg/DFGSpeculativeJIT.h: | |
9785 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
9786 | (JSC::DFG::SpeculativeJIT::emitBranch): | |
9787 | * dfg/DFGSpeculativeJIT64.cpp: | |
9788 | (JSC::DFG::SpeculativeJIT::emitBranch): | |
9789 | ||
9790 | 2015-04-28 Filip Pizlo <fpizlo@apple.com> | |
9791 | ||
9792 | VarargsForwardingPhase should only consider MovHints that have the candidate as a child | |
9793 | https://bugs.webkit.org/show_bug.cgi?id=144340 | |
9794 | ||
9795 | Reviewed by Michael Saboff and Mark Lam. | |
9796 | ||
9797 | Since we were considering all MovHints, we'd assume that the CreateDirectArguments or | |
9798 | CreateClosedArguments node was live so long as any MovHinted bytecode variable was alive. | |
9799 | Basically, we'd keep it alive until the end of the block. This maximized the chances of | |
9800 | there being an interfering operation, which would prevent elimination. | |
9801 | ||
9802 | The fix is to only consider MovHints that have the arguments candidate as a child. We only | |
9803 | care to track the liveness of those bytecode locals that would need an arguments object | |
9804 | recovery on OSR exit. | |
9805 | ||
9806 | This is a speed-up on V8Spider/raytrace and Octane/raytrace because it undoes the regression | |
9807 | introduced in http://trac.webkit.org/changeset/183406. | |
9808 | ||
9809 | * dfg/DFGVarargsForwardingPhase.cpp: | |
9810 | ||
9811 | 2015-04-28 Csaba Osztrogonác <ossy@webkit.org> | |
9812 | ||
9813 | Remove WinCE cruft from cmake build system | |
9814 | https://bugs.webkit.org/show_bug.cgi?id=144325 | |
9815 | ||
9816 | Reviewed by Gyuyoung Kim. | |
9817 | ||
9818 | * CMakeLists.txt: | |
9819 | * create_jit_stubs: Removed. | |
9820 | ||
9821 | 2015-04-27 Andreas Kling <akling@apple.com> | |
9822 | ||
9823 | RegExp matches arrays should use contiguous indexing. | |
9824 | <https://webkit.org/b/144286> | |
9825 | ||
9826 | Reviewed by Geoffrey Garen. | |
9827 | ||
9828 | We had a custom Structure being used for RegExp matches arrays that would | |
9829 | put the arrays into SlowPutArrayStorageShape mode. This was just left | |
9830 | from when matches arrays were custom, lazily initialized objects. | |
9831 | ||
9832 | This change removes that Structure and switches the matches arrays to | |
9833 | using the default ContiguousShape Structure. This allows the FTL JIT | |
9834 | to compile the inner loop of the Octane/regexp benchmark. | |
9835 | ||
9836 | Also made a version of initializeIndex() [inline] that takes the indexing | |
9837 | type in an argument, allowing createRegExpMatchesArray() to initialize | |
9838 | the entire array without branching on the indexing type for each entry. | |
9839 | ||
9840 | ~3% progression on Octane/regexp. | |
9841 | ||
9842 | * runtime/JSGlobalObject.cpp: | |
9843 | (JSC::JSGlobalObject::init): | |
9844 | (JSC::JSGlobalObject::visitChildren): | |
9845 | * runtime/JSGlobalObject.h: | |
9846 | (JSC::JSGlobalObject::mapStructure): | |
9847 | (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted. | |
9848 | * runtime/JSObject.h: | |
9849 | (JSC::JSObject::initializeIndex): | |
9850 | * runtime/RegExpMatchesArray.cpp: | |
9851 | (JSC::createRegExpMatchesArray): | |
9852 | ||
9853 | 2015-04-27 Filip Pizlo <fpizlo@apple.com> | |
9854 | ||
9855 | FTL failed to initialize arguments.callee on the slow path as well as the fast path | |
9856 | https://bugs.webkit.org/show_bug.cgi?id=144293 | |
9857 | ||
9858 | Reviewed by Mark Lam. | |
9859 | ||
9860 | The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need | |
9861 | to initialize the callee on the common path after the fast and slow path. | |
9862 | ||
9863 | * ftl/FTLLowerDFGToLLVM.cpp: | |
9864 | (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments): | |
9865 | * tests/stress/arguments-callee-uninitialized.js: Added. | |
9866 | (foo): | |
9867 | ||
9868 | 2015-04-27 Benjamin Poulain <bpoulain@apple.com> | |
9869 | ||
9870 | [JSC] Add support for typed arrays to the Array profiling | |
9871 | https://bugs.webkit.org/show_bug.cgi?id=143913 | |
9872 | ||
9873 | Reviewed by Filip Pizlo. | |
9874 | ||
9875 | This patch adds ArrayModes for every typed array. Having that information | |
9876 | lets us generate better GetByVal and PutByVal when the type speculations | |
9877 | are not good enough. | |
9878 | ||
9879 | A typical case where this is useful is any basic block for which the type | |
9880 | of the object is always more restrictive than the speculation (for example, | |
9881 | a basic block gated by a branch only taken for one type). | |
9882 | ||
9883 | * bytecode/ArrayProfile.cpp: | |
9884 | (JSC::dumpArrayModes): | |
9885 | * bytecode/ArrayProfile.h: | |
9886 | (JSC::arrayModeFromStructure): | |
9887 | * dfg/DFGArrayMode.cpp: | |
9888 | (JSC::DFG::ArrayMode::fromObserved): | |
9889 | (JSC::DFG::ArrayMode::refine): | |
9890 | Maintain the refine() semantic. We do not support OutOfBounds access | |
9891 | for GetByVal on typed array. | |
9892 | ||
9893 | * runtime/IndexingType.h: | |
9894 | * tests/stress/typed-array-get-by-val-profiling.js: Added. | |
9895 | (testArray.testCode): | |
9896 | (testArray): | |
9897 | * tests/stress/typed-array-put-by-val-profiling.js: Added. | |
9898 | (testArray.testCode): | |
9899 | (testArray): | |
9900 | ||
9901 | 2015-04-27 Filip Pizlo <fpizlo@apple.com> | |
9902 | ||
9903 | Unreviewed, roll out r183438 "RegExp matches arrays should use contiguous indexing". It | |
9904 | causes many debug test failures. | |
9905 | ||
9906 | * runtime/JSGlobalObject.cpp: | |
9907 | (JSC::JSGlobalObject::init): | |
9908 | (JSC::JSGlobalObject::visitChildren): | |
9909 | * runtime/JSGlobalObject.h: | |
9910 | (JSC::JSGlobalObject::regExpMatchesArrayStructure): | |
9911 | * runtime/JSObject.h: | |
9912 | (JSC::JSObject::initializeIndex): | |
9913 | * runtime/RegExpMatchesArray.cpp: | |
9914 | (JSC::createRegExpMatchesArray): | |
9915 | ||
9916 | 2015-04-27 Andreas Kling <akling@apple.com> | |
9917 | ||
9918 | RegExp matches arrays should use contiguous indexing. | |
9919 | <https://webkit.org/b/144286> | |
9920 | ||
9921 | Reviewed by Geoffrey Garen. | |
9922 | ||
9923 | We had a custom Structure being used for RegExp matches arrays that would | |
9924 | put the arrays into SlowPutArrayStorageShape mode. This was just left | |
9925 | from when matches arrays were custom, lazily initialized objects. | |
9926 | ||
9927 | This change removes that Structure and switches the matches arrays to | |
9928 | using the default ContiguousShape Structure. This allows the FTL JIT | |
9929 | to compile the inner loop of the Octane/regexp benchmark. | |
9930 | ||
9931 | Also made a version of initializeIndex() [inline] that takes the indexing | |
9932 | type in an argument, allowing createRegExpMatchesArray() to initialize | |
9933 | the entire array without branching on the indexing type for each entry. | |
9934 | ||
9935 | ~3% progression on Octane/regexp. | |
9936 | ||
9937 | * runtime/JSGlobalObject.cpp: | |
9938 | (JSC::JSGlobalObject::init): | |
9939 | (JSC::JSGlobalObject::visitChildren): | |
9940 | * runtime/JSGlobalObject.h: | |
9941 | (JSC::JSGlobalObject::mapStructure): | |
9942 | (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted. | |
9943 | * runtime/JSObject.h: | |
9944 | (JSC::JSObject::initializeIndex): | |
9945 | * runtime/RegExpMatchesArray.cpp: | |
9946 | (JSC::createRegExpMatchesArray): | |
9947 | ||
9948 | 2015-04-27 Ryosuke Niwa <rniwa@webkit.org> | |
9949 | ||
9950 | REGRESSION (r183373): ASSERT failed in wtf/SHA1.h | |
9951 | https://bugs.webkit.org/show_bug.cgi?id=144257 | |
9952 | ||
9953 | Temporarily skip these tests. | |
9954 | ||
9955 | * tests/stress/template-literal-line-terminators.js: | |
9956 | * tests/stress/template-literal-syntax.js: | |
9957 | * tests/stress/template-literal.js: | |
9958 | ||
9959 | 2015-04-27 Basile Clement <basile_clement@apple.com> | |
9960 | ||
9961 | Function allocations shouldn't sink through Put operations | |
9962 | https://bugs.webkit.org/show_bug.cgi?id=144176 | |
9963 | ||
9964 | Reviewed by Filip Pizlo. | |
9965 | ||
9966 | By design, we don't support function allocation sinking through any | |
9967 | related operation; however, object allocation can sink through PutByOffset et | |
9968 | al. | |
9969 | ||
9970 | Currently, the checks to prevent function allocations from sinking through | |
9971 | these are misguided and do not prevent anything; function allocation sinking | |
9972 | through these operations is prevented as a side effect of requiring an | |
9973 | AllocatePropertyStorage through which the function allocation is seen as | |
9974 | escaping. | |
9975 | ||
9976 | This changes it so that ObjectAllocationSinkingPhase::handleNode() | |
9977 | checks properly that only object allocations sink through related write | |
9978 | operations. | |
9979 | ||
9980 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
9981 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
9982 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
9983 | ||
9984 | 2015-04-25 Filip Pizlo <fpizlo@apple.com> | |
9985 | ||
9986 | VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used | |
9987 | https://bugs.webkit.org/show_bug.cgi?id=143843 | |
9988 | ||
9989 | Reviewed by Geoffrey Garen. | |
9990 | ||
9991 | It will soon come to pass that Phantom isn't available at the time that | |
9992 | VarargsForwardingPhase runs. So, it needs to use some other mechanism for discovering when | |
9993 | a value dies for OSR. | |
9994 | ||
9995 | This is simplified by two things: | |
9996 | ||
9997 | 1) The bytecode kill analysis is now reusable. This patch makes it even more reusable than | |
9998 | before by polishing the API. | |
9999 | ||
10000 | 2) This phase already operates on one node at a time and allows itself to do a full search | |
10001 | of the enclosing basic block for that node. This is fine because CreateDirectArguments | |
10002 | and friends are rarely occurring nodes. The fact that it operates on one node at a time | |
10003 | makes it even easier to reason about OSR liveness - we just track the list of locals in | |
10004 | which it is live. | |
10005 | ||
10006 | This change has no effect right now but it is a necessary prerequisite to implementing | |
10007 | https://bugs.webkit.org/show_bug.cgi?id=143736. | |
10008 | ||
10009 | * dfg/DFGBasicBlock.h: | |
10010 | (JSC::DFG::BasicBlock::tryAt): | |
10011 | * dfg/DFGForAllKills.h: | |
10012 | (JSC::DFG::forAllKilledOperands): | |
10013 | * dfg/DFGPhantomInsertionPhase.cpp: | |
10014 | * dfg/DFGVarargsForwardingPhase.cpp: | |
10015 | ||
10016 | 2015-04-27 Jordan Harband <ljharb@gmail.com> | |
10017 | ||
10018 | Map#entries and Map#keys error for non-Maps is swapped | |
10019 | https://bugs.webkit.org/show_bug.cgi?id=144253 | |
10020 | ||
10021 | Reviewed by Simon Fraser. | |
10022 | ||
10023 | Correcting error messages on Set/Map methods when called on | |
10024 | incompatible objects. | |
10025 | ||
10026 | * runtime/MapPrototype.cpp: | |
10027 | (JSC::mapProtoFuncEntries): | |
10028 | (JSC::mapProtoFuncKeys): | |
10029 | * runtime/SetPrototype.cpp: | |
10030 | (JSC::setProtoFuncEntries): | |
10031 | ||
10032 | 2015-04-24 Filip Pizlo <fpizlo@apple.com> | |
10033 | ||
10034 | Rationalize DFG DCE handling of nodes that perform checks that propagate through AI | |
10035 | https://bugs.webkit.org/show_bug.cgi?id=144186 | |
10036 | ||
10037 | Reviewed by Geoffrey Garen. | |
10038 | ||
10039 | If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns | |
10040 | Int32. We may later perform code simplifications based on the proof that this is Int32, and | |
10041 | we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at | |
10042 | which the ArithAdd is live. This seems like it is sufficient to then kill the ArithAdd, | |
10043 | except that we still need the overflow check! | |
10044 | ||
10045 | Previously we mishandled this: | |
10046 | ||
10047 | - In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack | |
10048 | to keep it alive. That's dirty and it's just indicative of a deeper issue. | |
10049 | ||
10050 | - Our MovHint removal doesn't do Phantom canonicalization which essentially makes it | |
10051 | powerless. This was sort of hiding the bug. | |
10052 | ||
10053 | - Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill | |
10054 | something that you are relying on for subsequent simplifications. | |
10055 | ||
10056 | This fixes MovHint removal to also canonicalize Phantoms. This also adds NodeMustGenerate to | |
10057 | nodes that may perform checks that are used by AI to guarantee the result type. As a result, | |
10058 | we no longer need the weird MustGenerate node. | |
10059 | ||
10060 | * dfg/DFGAbstractInterpreterInlines.h: | |
10061 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
10062 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
10063 | * dfg/DFGClobberize.h: | |
10064 | (JSC::DFG::clobberize): | |
10065 | * dfg/DFGDCEPhase.cpp: | |
10066 | (JSC::DFG::DCEPhase::run): | |
10067 | * dfg/DFGDoesGC.cpp: | |
10068 | (JSC::DFG::doesGC): | |
10069 | * dfg/DFGFixupPhase.cpp: | |
10070 | (JSC::DFG::FixupPhase::fixupNode): | |
10071 | (JSC::DFG::FixupPhase::tryToRelaxRepresentation): | |
10072 | * dfg/DFGIntegerCheckCombiningPhase.cpp: | |
10073 | (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): | |
10074 | (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): Deleted. | |
10075 | * dfg/DFGMayExit.cpp: | |
10076 | (JSC::DFG::mayExit): | |
10077 | * dfg/DFGNode.h: | |
10078 | (JSC::DFG::Node::willHaveCodeGenOrOSR): | |
10079 | * dfg/DFGNodeType.h: | |
10080 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
10081 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
10082 | * dfg/DFGPhantomCanonicalizationPhase.cpp: | |
10083 | (JSC::DFG::PhantomCanonicalizationPhase::run): | |
10084 | * dfg/DFGPhantomRemovalPhase.cpp: | |
10085 | (JSC::DFG::PhantomRemovalPhase::run): | |
10086 | * dfg/DFGPlan.cpp: | |
10087 | (JSC::DFG::Plan::compileInThreadImpl): | |
10088 | * dfg/DFGPredictionPropagationPhase.cpp: | |
10089 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
10090 | * dfg/DFGSafeToExecute.h: | |
10091 | (JSC::DFG::safeToExecute): | |
10092 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
10093 | (JSC::DFG::SpeculativeJIT::compile): | |
10094 | * dfg/DFGSpeculativeJIT64.cpp: | |
10095 | (JSC::DFG::SpeculativeJIT::compile): | |
10096 | * dfg/DFGTypeCheckHoistingPhase.cpp: | |
10097 | (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): | |
10098 | (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): | |
10099 | * dfg/DFGVarargsForwardingPhase.cpp: | |
10100 | * ftl/FTLCapabilities.cpp: | |
10101 | (JSC::FTL::canCompile): | |
10102 | * ftl/FTLLowerDFGToLLVM.cpp: | |
10103 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
10104 | * tests/stress/fold-based-on-int32-proof-mul-branch.js: Added. | |
10105 | (foo): | |
10106 | * tests/stress/fold-based-on-int32-proof-mul.js: Added. | |
10107 | (foo): | |
10108 | * tests/stress/fold-based-on-int32-proof-or-zero.js: Added. | |
10109 | (foo): | |
10110 | * tests/stress/fold-based-on-int32-proof.js: Added. | |
10111 | (foo): | |
10112 | ||
2015-04-26 Ryosuke Niwa <rniwa@webkit.org>

        Class body ending with a semicolon throws a SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=144244

        Reviewed by Darin Adler.

        The bug was caused by parseClass's inner loop for method definitions not moving onto the next iteration
        when it encounters a semicolon. As a result, we always expected a method to appear after a semicolon. Fixed
        it by continue'ing when it encounters a semicolon.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-04-26 Ryosuke Niwa <rniwa@webkit.org>

        Getter or setter method named "prototype" or "constructor" should throw SyntaxError
        https://bugs.webkit.org/show_bug.cgi?id=144243

        Reviewed by Darin Adler.

        Fixed the bug by adding explicit checks in parseGetterSetter when we're parsing class methods.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseGetterSetter):

2015-04-26 Jordan Harband <ljharb@gmail.com>

        Map#forEach does not pass "map" argument to callback.
        https://bugs.webkit.org/show_bug.cgi?id=144187

        Reviewed by Darin Adler.

        Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach
        step 7.a.i., the callback should be called with three arguments.

        * runtime/MapPrototype.cpp:
        (JSC::mapProtoFuncForEach):

2015-04-26 Yusuke Suzuki <utatane.tea@gmail.com>

        [ES6] Implement ES6 template literals
        https://bugs.webkit.org/show_bug.cgi?id=142691

        Reviewed by Darin Adler.

        This patch implements TemplateLiteral.
        Since TaggedTemplate requires some global states and
        primitive operations like GetTemplateObject,
        we separate the patch. It will be implemented in a subsequent patch.

        Template Literal Syntax is guarded by ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag.
        By disabling it, we can disable Template Literal support.

        To implement template literals, in this patch,
        we newly introduce bytecode op_to_string.
        In template literals, we alternately evaluate the expression and
        perform ToString onto the result of evaluation.
        For example,

        `${f1()} ${f2()}`

        In this template literal, the execution order is the following:
        1. calling f1()
        2. ToString(the result of f1())
        3. calling f2()
        4. ToString(the result of f2())

        op_strcat also performs ToString. However, performing ToString
        on expressions is batched in op_strcat, which is not the same as the
        template literal spec. In the above example,
        ToString(f1()) should be called before calling f2().

        * Configurations/FeatureDefines.xcconfig:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitToString):
        (JSC::BytecodeGenerator::emitToNumber): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TemplateStringNode::emitBytecode):
        (JSC::TemplateLiteralNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emitSlow_op_to_string):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emitSlow_op_to_string):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createTemplateString):
        (JSC::ASTBuilder::createTemplateStringList):
        (JSC::ASTBuilder::createTemplateExpressionList):
        (JSC::ASTBuilder::createTemplateLiteral):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
        (JSC::Lexer<T>::parseString):
        (JSC::LineNumberAdder::LineNumberAdder):
        (JSC::LineNumberAdder::clear):
        (JSC::LineNumberAdder::add):
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::Lexer<T>::lex):
        (JSC::Lexer<T>::scanRegExp):
        (JSC::Lexer<T>::scanTrailingTemplateString):
        (JSC::Lexer<T>::parseStringSlowCase): Deleted.
        * parser/Lexer.h:
        * parser/NodeConstructors.h:
        (JSC::TemplateExpressionListNode::TemplateExpressionListNode):
        (JSC::TemplateStringNode::TemplateStringNode):
        (JSC::TemplateStringListNode::TemplateStringListNode):
        (JSC::TemplateLiteralNode::TemplateLiteralNode):
        * parser/Nodes.h:
        (JSC::TemplateExpressionListNode::value):
        (JSC::TemplateExpressionListNode::next):
        (JSC::TemplateStringNode::cooked):
        (JSC::TemplateStringNode::raw):
        (JSC::TemplateStringListNode::value):
        (JSC::TemplateStringListNode::next):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTemplateString):
        (JSC::Parser<LexerType>::parseTemplateLiteral):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createTemplateString):
        (JSC::SyntaxChecker::createTemplateStringList):
        (JSC::SyntaxChecker::createTemplateExpressionList):
        (JSC::SyntaxChecker::createTemplateLiteral):
        (JSC::SyntaxChecker::createSpreadExpression): Deleted.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * tests/stress/template-literal-line-terminators.js: Added.
        (test):
        (testEval):
        (testEvalLineNumber):
        * tests/stress/template-literal-syntax.js: Added.
        (testSyntax):
        (testSyntaxError):
        * tests/stress/template-literal.js: Added.
        (test):
        (testEval):
        (testEmbedded):

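The evaluation order that the entry above describes can be observed from script. The following is an added example, not code from the WebKit patch or its tests: each substitution returns an object whose toString() records when the engine applies ToString, so the log shows whether ToString of the first substitution runs before the second substitution's expression. The second function shows a consequence of that order: a throwing ToString stops the literal before the next call happens. All names are this example's own.

```javascript
// Added example (not part of the WebKit patch): observe the order in which a
// template literal evaluates its substitutions and applies ToString to each.
// Each substitution returns an object whose toString() records when it runs,
// so the log shows the exact interleaving of "call" and "ToString" steps.
function traceTemplateLiteral() {
  const log = [];
  const loggingValue = (name) => ({
    toString() { log.push(`ToString(${name})`); return name; },
  });
  const f1 = () => { log.push("call f1"); return loggingValue("f1"); };
  const f2 = () => { log.push("call f2"); return loggingValue("f2"); };

  const result = `${f1()} ${f2()}`;
  return { result, log };
}

// Consequence of that order: if ToString of the first substitution throws,
// the second substitution's expression is never evaluated at all.
function toStringThrowsBeforeSecondCall() {
  const log = [];
  const poison = { toString() { throw new TypeError("boom"); } };
  const f1 = () => { log.push("call f1"); return poison; };
  const f2 = () => { log.push("call f2"); return "f2"; };
  try {
    void `${f1()} ${f2()}`;
  } catch (e) {
    log.push(`caught ${e.message}`);
  }
  return log;
}
```

Run in any ES2015 engine, traceTemplateLiteral() yields the log ["call f1", "ToString(f1)", "call f2", "ToString(f2)"], which is the interleaving the entry lists; a batched conversion would have produced "call f1", "call f2" first.
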
2015-04-26 Jordan Harband <ljharb@gmail.com>

        Set#forEach does not pass "key" or "set" arguments to callback.
        https://bugs.webkit.org/show_bug.cgi?id=144188

        Reviewed by Darin Adler.

        Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach
        Set#forEach should pass 3 arguments to the callback.

        * runtime/SetPrototype.cpp:
        (JSC::setProtoFuncForEach):

2015-04-26 Benjamin Poulain <benjamin@webkit.org>

        [JSC] Implement Math.clz32(), remove Number.clz()
        https://bugs.webkit.org/show_bug.cgi?id=144205

        Reviewed by Michael Saboff.

        This patch adds the ES6 function Math.clz32(), and removes the non-standard
        Number.clz(). Number.clz() probably came from an older draft.

        The new function has a corresponding intrinsic: Clz32Intrinsic,
        and a corresponding DFG node: ArithClz32, optimized all the way to LLVM.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::countLeadingZeros32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bsr_rr):
        The x86 assembler did not have countLeadingZeros32() because there is
        no native CLZ instruction on that architecture.

        I have added the version with bsr + branches for the case of zero.
        Another popular version uses cmov to handle the case of zero. I kept
        it simple since the Assembler has no support for cmov.

        It is unlikely to matter much. If the code is hot enough, LLVM picks
        something good based on the surrounding code.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        Constant handling + effect propagation. The node only produces integers (between 0 and 32).

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        Thanks to the definition of toUint32(), we can ignore plenty of details
        from doubles.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithClz32):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithClz32):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::ctlz32):
        * jit/ThunkGenerators.cpp:
        (JSC::clz32ThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Intrinsic.h:
        * runtime/MathCommon.h:
        (JSC::clz32):
        Fun fact: InstCombine does not recognize this pattern to eliminate
        the branch which makes our FTL version better than the C version.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncClz32):
        * runtime/NumberPrototype.cpp:
        (JSC::clz): Deleted.
        (JSC::numberProtoFuncClz): Deleted.
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        * tests/stress/math-clz32-basics.js: Added.
        (mathClz32OnInteger):
        (testMathClz32OnIntegers):
        (verifyMathClz32OnIntegerWithOtherTypes):
        (mathClz32OnDouble):
        (testMathClz32OnDoubles):
        (verifyMathClz32OnDoublesWithOtherTypes):
        (mathClz32NoArguments):
        (mathClz32TooManyArguments):
        (testMathClz32OnConstants):
        (mathClz32StructTransition):
        (Math.clz32):

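Two points in the entry above, the "bsr + branch for zero" code generation and the observation that ToUint32 lets the engine ignore the details of a double, can be checked in script. The following is an added example and not JSC's code: it reimplements clz32 once as 31 - BSR(v) with the zero branch that x86 needs (BSR leaves its result undefined for an input of 0), once as a plain counting loop, and compares both with the built-in on inputs chosen to exercise ToUint32. Function names and the input set are this example's own.

```javascript
// Added example (not JSC's code): two portable reimplementations of Math.clz32
// in the shapes the patch describes, checked against the built-in.

// Index of the highest set bit, which is what the x86 BSR instruction computes.
// Like BSR, it must not be called with 0 (the loop would never terminate).
function bitScanReverse(v) {
  let index = 31;
  while (((v >>> index) & 1) === 0) index--;
  return index;
}

// clz32 expressed as 31 - BSR(v), with the explicit branch for zero that the
// assembler patch adds because BSR does not define a result for 0.
function clz32ViaBsr(x) {
  const v = x >>> 0;  // ToUint32: doubles, NaN, negatives and non-numbers collapse to a uint32
  if (v === 0) return 32;
  return 31 - bitScanReverse(v);
}

// clz32 as a counting loop, the shape of a C fallback on a CPU without BSR/CLZ.
function clz32Loop(x) {
  let v = x >>> 0;
  if (v === 0) return 32;
  let n = 0;
  while ((v & 0x80000000) === 0) {
    v = (v << 1) >>> 0;  // keep v unsigned after the shift
    n++;
  }
  return n;
}

// Constructed inputs: everything Math.clz32 sees goes through ToUint32 first,
// so large doubles, fractions, NaN, Infinity and non-number values all reduce to
// one of 2^32 cases, which is why the DFG can ignore the rest of the double.
const SAMPLE_INPUTS = [0, 1, 0x80000000, -1, 2 ** 32 + 1, 2 ** 53, NaN, Infinity, 0.5, "16", undefined, null, true];

// Returns the inputs on which either reimplementation disagrees with Math.clz32.
function checkAgainstBuiltin(inputs) {
  const mismatches = [];
  for (const x of inputs) {
    const expected = Math.clz32(x);
    if (clz32ViaBsr(x) !== expected || clz32Loop(x) !== expected) mismatches.push(x);
  }
  return mismatches;
}
```

checkAgainstBuiltin(SAMPLE_INPUTS) returns an empty array; the cases worth noting are -1 (ToUint32 gives 0xFFFFFFFF, so 0 leading zeros), 2 ** 53 (reduces to 0, so 32) and 2 ** 32 + 1 (reduces to 1, so 31).
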
2015-04-26 Yusuke Suzuki <utatane.tea@gmail.com>

        [ES6] Array.from need to accept iterables
        https://bugs.webkit.org/show_bug.cgi?id=141055

        Reviewed by Darin Adler.

        ES6 spec requires that Array.from accepts iterable objects.
        This patch introduces this functionality, Array.from accepting iterable objects.

        Currently, `isConstructor` is not used. Instead of it, `typeof thisObj === "function"` is used.
        However, it doesn't conform to the spec. While `isConstructor` queries whether the given object has `[[Construct]]`,
        `typeof thisObj === "function"` queries whether the given object has `[[Call]]`.
        This will be fixed in the subsequent patch[1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=144093

        * builtins/ArrayConstructor.js:
        (from):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tests/stress/array-from-with-iterable.js: Added.
        (shouldBe):
        (.set for):
        (.set var):
        (.get var):
        (argumentsGenerators):
        (.set shouldBe):
        (.set new):
        * tests/stress/array-from-with-iterator.js: Added.
        (shouldBe):
        (shouldThrow):
        (createIterator.iterator.return):
        (createIterator):
        (.):

2015-04-25 Jordan Harband <ljharb@gmail.com>

        Set#keys !== Set#values
        https://bugs.webkit.org/show_bug.cgi?id=144190

        Reviewed by Darin Adler.

        Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys
        Set#keys should === Set#values

        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        (JSC::setProtoFuncKeys): Deleted.

2015-04-25 Joseph Pecoraro <pecoraro@apple.com>

        Allow for pausing a JSContext when opening a Web Inspector
        <rdar://problem/20564788>

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedSetupMessage):
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        On any incoming setup message, we may want to automatically
        pause the debuggable. If requested, pause the debuggable
        after we have set up the frontend connection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::pause):
        Pass through to the inspector controller.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::pause):
        Enable pause on next statement.

2015-04-23 Ryosuke Niwa <rniwa@webkit.org>

        class methods should be non-enumerable
        https://bugs.webkit.org/show_bug.cgi?id=143181

        Reviewed by Darin Adler.

        Fixed the bug by using Object.defineProperty to define methods.

        This patch adds the concept of link time constants and uses it to resolve Object.defineProperty
        inside CodeBlock's constructor since bytecode can be linked against multiple global objects.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register
        index of zero.
        * bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains
        exactly one entry for Object.defineProperty.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new
        constant register for the link time constant we're adding.
        (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added. Like addConstantValue, allocate a new
        register for the specified link time constant and notify UnlinkedCodeBlock about it.
        (JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call
        Object.defineProperty with it.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes
        non-enumerable by using emitCallDefineProperty to define them.
        (JSC::PropertyListNode::emitPutConstantProperty): Ditto for non-accessor properties.
        (JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make prototype
        property on the class non-writable, non-configurable, and non-enumerable by using defineProperty.
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Set m_definePropertyFunction.
        (JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::definePropertyFunction): Added.
        (JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant.
        (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and
        returns a JSCell; e.g. Object.defineProperty.
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty.
        * runtime/ObjectConstructor.h:

2015-04-25 Yusuke Suzuki <utatane.tea@gmail.com>

        [ES6] Implement String.fromCodePoint
        https://bugs.webkit.org/show_bug.cgi?id=144160

        Reviewed by Darin Adler.

        This patch implements String.fromCodePoint.
        It accepts multiple code points and generates a string that consists of given code points.
        The range [0x0000 - 0x10FFFF] is valid for code points.
        If the given value is out of range, throw a range error.

        When a valid code point of 0xFFFF or greater is given,
        String.fromCodePoint generates a string that contains surrogate pairs.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        (JSC::constructWithStringConstructor):
        * tests/stress/string-from-code-point.js: Added.
        (shouldBe):
        (shouldThrow):
        (toCodePoints):
        (passThrough):

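The range check and the surrogate-pair construction in the entry above are small enough to write out in full. The following is an added example, a JavaScript rendering of the ES6 algorithm rather than JSC's C++ implementation: it rejects NaN, non-integers and anything outside [0, 0x10FFFF] with a RangeError, emits one UTF-16 code unit for BMP code points and a lead/trail surrogate pair above 0xFFFF, and includes a decoder so the result can be checked without trusting the built-in. Function names are this example's own.

```javascript
// Added example (not JSC's code): String.fromCodePoint per the ES6 algorithm,
// plus a decoder that reverses the surrogate-pair construction.
function fromCodePointPortable(...codePoints) {
  let out = "";
  for (const cp of codePoints) {
    const n = Number(cp);  // ToNumber, as the spec does before validating
    // RangeError for NaN, non-integers and anything outside [0x0000, 0x10FFFF]
    if (!Number.isInteger(n) || n < 0 || n > 0x10FFFF) {
      throw new RangeError(`Invalid code point ${String(cp)}`);
    }
    if (n <= 0xFFFF) {
      out += String.fromCharCode(n);  // BMP: a single UTF-16 code unit
    } else {
      const offset = n - 0x10000;  // 20-bit value, split into two 10-bit halves
      out += String.fromCharCode(0xD800 + (offset >> 10));    // high (lead) surrogate
      out += String.fromCharCode(0xDC00 + (offset & 0x3FF));  // low (trail) surrogate
    }
  }
  return out;
}

// Decode a string back to code points. A lead surrogate directly followed by a
// trail surrogate is combined; a lone surrogate is reported as its own code
// unit, matching String.prototype.codePointAt.
function toCodePoints(str) {
  const result = [];
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    if (unit >= 0xD800 && unit <= 0xDBFF && i + 1 < str.length) {
      const next = str.charCodeAt(i + 1);
      if (next >= 0xDC00 && next <= 0xDFFF) {
        result.push(0x10000 + ((unit - 0xD800) << 10) + (next - 0xDC00));
        i++;  // consumed the trail surrogate as well
        continue;
      }
    }
    result.push(unit);
  }
  return result;
}

// The RangeError message for an input the algorithm rejects, or null when the
// input is accepted. Any other exception type is reported as "unexpected".
function rejectionMessage(value) {
  try {
    fromCodePointPortable(value);
    return null;
  } catch (e) {
    return e instanceof RangeError ? e.message : "unexpected";
  }
}
```

Note that the ToNumber step means "65" is accepted (as 0x41) while "abc" is rejected, and that 0xFFFF itself still encodes as one code unit; only code points above 0xFFFF need a surrogate pair.
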
2015-04-25 Martin Robinson <mrobinson@igalia.com>

        Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS
        https://bugs.webkit.org/show_bug.cgi?id=144182

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS.

2015-04-25 Mark Lam <mark.lam@apple.com>

        mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit.
        https://bugs.webkit.org/show_bug.cgi?id=144152

        Reviewed by Filip Pizlo.

        Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse,
        StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering
        OSR exits. This was overlooked in the original code.

        While only the ObjectOrOtherUse kind is relevant for manifesting this bug with
        the Branch node, the other 3 may also trigger the same bug for other nodes.
        To prevent this bug from manifesting with other nodes (and future ones that
        are yet to be added to mayExit()'s "potential won't exit" set), we fix the
        EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse).

        Also added a test to exercise a code path that will trigger this bug with
        the Branch node before the fix is applied.

        * dfg/DFGMayExit.cpp:
        * tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added.
        (inlinedFunction):
        (foo):

2015-04-24 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r183288.
        https://bugs.webkit.org/show_bug.cgi?id=144189

        Made js/sort-with-side-effecting-comparisons.html time out in
        debug builds (Requested by ap on #webkit).

        Reverted changeset:

        "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an
        array."
        https://bugs.webkit.org/show_bug.cgi?id=144013
        http://trac.webkit.org/changeset/183288

2015-04-24 Filip Pizlo <fpizlo@apple.com>

        CRASH in operationCreateDirectArgumentsDuringExit()
        https://bugs.webkit.org/show_bug.cgi?id=143962

        Reviewed by Geoffrey Garen.

        We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
        recoverable so long as they are live. Therefore, OSR exit should track liveness of
        constants instead of assuming that they are always live.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::appendBirth):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::birth):
        (JSC::DFG::VariableEvent::id):
        (JSC::DFG::VariableEvent::dataFormat):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
        (foo):
        (bar):
        * tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
        (foo):
        (bar):

2015-04-24 Benjamin Poulain <bpoulain@apple.com>

        [JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray
        https://bugs.webkit.org/show_bug.cgi?id=144169

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertInt32ForValue):
        DoubleArray does not store NaN; NaN is used for holes.
        What happened was:
        1) We fail to insert the NaN in the Int32 array because it is a double.
        2) We were converting the array to DoubleArray.
        3) We were trying to insert the value again. We would fail again because
           DoubleArray does not store NaN.
        4) We would convert the DoubleArray to Contiguous Array, converting the values
           to boxed values.

        * tests/stress/int32array-transition-on-nan.js: Added.
        The behavior is not really observable. This only tests that nothing crashes in those
        cases.

        (insertNaNWhileFilling):
        (testInsertNaNWhileFilling):
        (insertNaNAfterFilling):
        (testInsertNaNAfterFilling):
        (pushNaNWhileFilling):
        (testPushNaNWhileFilling):

2015-04-21 Geoffrey Garen <ggaren@apple.com>

        It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
        https://bugs.webkit.org/show_bug.cgi?id=144013

        Reviewed by Mark Lam.

        This patch implements Array.prototype.sort in JavaScript, removing the
        C++ implementations. It is simpler and less error-prone to express our
        operations in JavaScript, which provides memory safety, exception safety,
        and recursion safety.

        The performance result is mixed, but net positive in my opinion. It's
        difficult to enumerate all the results, since we used to have so many
        different sorting modes, and there are lots of different data patterns
        across which you might want to measure sorting. Suffice it to say:

        (*) The benchmarks we track are faster or unchanged.

        (*) Sorting random input using a comparator -- which we think is
        common -- is 3X faster.

        (*) Sorting random input in a non-array object -- which jQuery does
        -- is 4X faster.

        (*) Sorting random input in a compact array of integers using a
        trivial pattern-matchable comparator is 2X *slower*.

        * builtins/Array.prototype.js:
        (sort.min):
        (sort.stringComparator):
        (sort.compactSparse): Special case compaction for sparse arrays because
        we don't want to hang when sorting new Array(BIG).

        (sort.compact):
        (sort.merge):
        (sort.mergeSort): Use merge sort because it's a reasonably efficient
        stable sort. We have evidence that some sites depend on stable sort,
        even though the ES6 spec does not mandate it. (See
        <http://trac.webkit.org/changeset/33967>.)

        This is a textbook implementation of merge sort with three optimizations:

        (1) Use iteration instead of recursion;

        (2) Use array subscripting instead of array copying in order to
        create logical sub-lists without creating physical sub-lists;

        (3) Swap src and dst at each iteration instead of copying src into
        dst, and only copy src into the subject array at the end if src is
        not the subject array.

        (sort.inflate):
        (sort.comparatorSort):
        (sort): Sort in JavaScript for the win.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
        names so we can use helper functions.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isNumericCompareFunction): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
        (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode): We don't do this special casing based
        on pattern matching anymore. This was mainly an optimization to avoid
        the overhead of calling from C++ to JS, which we now avoid by
        sorting in JS.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::pushTempSortVector): Deleted.
        (JSC::Heap::popTempSortVector): Deleted.
        (JSC::Heap::visitTempSortVectors): Deleted.
        * heap/Heap.h: We don't have temp sort vectors anymore because we sort
        in JavaScript using a normal JavaScript array for our temporary storage.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
        helper functions.

        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction): Deleted.
        (JSC::attemptFastSort): Deleted.
        (JSC::performSlowSort): Deleted.
        (JSC::arrayProtoFuncSort): Deleted.

        * runtime/CommonIdentifiers.h: New strings used by sort.

        * runtime/JSArray.cpp:
        (JSC::compareNumbersForQSortWithInt32): Deleted.
        (JSC::compareNumbersForQSortWithDouble): Deleted.
        (JSC::compareNumbersForQSort): Deleted.
        (JSC::compareByStringPairForQSort): Deleted.
        (JSC::JSArray::sortNumericVector): Deleted.
        (JSC::JSArray::sortNumeric): Deleted.
        (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
        (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
        (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
        (JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
        (JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
        (JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
        (JSC::JSArray::sortCompactedVector): Deleted.
        (JSC::JSArray::sort): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
        (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
        (JSC::JSArray::sortVector): Deleted.
        (JSC::JSArray::compactForSorting): Deleted.
        * runtime/JSArray.h:

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation): Provide some builtins used
        by sort.

10772 | 2015-04-24 Matthew Mirman <mmirman@apple.com> | |
10773 | ||
10774 | Made Object.prototype.__proto__ native getter and setter check that this object is not null or undefined | |
10775 | https://bugs.webkit.org/show_bug.cgi?id=141865 | |
10776 | rdar://problem/19927273 | |
10777 | ||
10778 | Reviewed by Filip Pizlo. | |
10779 | ||
10780 | * runtime/JSGlobalObjectFunctions.cpp: | |
10781 | (JSC::globalFuncProtoGetter): | |
10782 | (JSC::globalFuncProtoSetter): | |
10783 | ||
10784 | 2015-04-23 Benjamin Poulain <bpoulain@apple.com> | |
10785 | ||
10786 | Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt() | |
10787 | https://bugs.webkit.org/show_bug.cgi?id=144118 | |
10788 | ||
10789 | Reviewed by Geoffrey Garen. | |
10790 | ||
10791 | * dfg/DFGGraph.h: | |
10792 | (JSC::DFG::Graph::addShouldSpeculateMachineInt): | |
10793 | Both blocks do the same thing. | |
10794 | ||
10795 | 2015-04-23 Joseph Pecoraro <pecoraro@apple.com> | |
10796 | ||
10797 | Web Inspector: Speculative fix for non-main thread auto-attach failures | |
10798 | https://bugs.webkit.org/show_bug.cgi?id=144134 | |
10799 | ||
10800 | Reviewed by Timothy Hatcher. | |
10801 | ||
10802 | * inspector/remote/RemoteInspector.mm: | |
10803 | (Inspector::RemoteInspector::singleton): | |
10804 | ||
10805 | 2015-04-23 Basile Clement <basile_clement@apple.com> | |
10806 | ||
10807 | Allow function allocation sinking | |
10808 | https://bugs.webkit.org/show_bug.cgi?id=144016 | |
10809 | ||
10810 | Reviewed by Filip Pizlo. | |
10811 | ||
10812 | This adds the ability to sink function allocations in the | |
10813 | DFGObjectAllocationSinkingPhase. | |
10814 | ||
10815 | In order to enable this, we add a new PhantomNewFunction node that is | |
10816 | used similarly to the PhantomNewObject node, i.e. as a placeholder to replace | |
10817 | a sunk NewFunction and keep track of the allocations that have to be performed | |
10818 | in case of OSR exit after the sunk allocation but before the real one. | |
10819 | The FunctionExecutable and JSLexicalEnvironment (activation) of the function | |
10820 | are stored onto the PhantomNewFunction through PutHints in order for them | |
10821 | to be recovered on OSR exit. | |
10822 | ||
10823 | Contrary to sunk object allocations, sunk function allocations do not | |
10824 | support any kind of operations (e.g. storing into a field); any such operation | |
10825 | will mark the function allocation as escaping and trigger materialization. As | |
10826 | such, function allocations can only be sunk to places where it would have been | |
10827 | correct to syntactically move them, and we don't need a special | |
10828 | MaterializeNewFunction node to recover possible operations on the function. A | |
10829 | sunk NewFunction node will simply create new NewFunction nodes, then replace | |
10830 | itself with a PhantomNewFunction node. | |
10831 | ||
10832 | In itself, this change is not expected to have a significant impact on | |
10833 | performance other than in degenerate cases (see e.g. | |
10834 | JSRegress/sink-function), but it is a step towards being able to sink recursive | |
10835 | closures once we support CreateActivation sinking as well as allocation cycles | |
10836 | sinking. | |
10837 | ||
10838 | * dfg/DFGAbstractInterpreterInlines.h: | |
10839 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
10840 | * dfg/DFGClobberize.h: | |
10841 | (JSC::DFG::clobberize): | |
10842 | * dfg/DFGDoesGC.cpp: | |
10843 | (JSC::DFG::doesGC): | |
10844 | * dfg/DFGFixupPhase.cpp: | |
10845 | (JSC::DFG::FixupPhase::fixupNode): | |
10846 | * dfg/DFGNode.h: | |
10847 | (JSC::DFG::Node::convertToPhantomNewFunction): | |
10848 | (JSC::DFG::Node::isPhantomAllocation): | |
10849 | * dfg/DFGNodeType.h: | |
10850 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
10851 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
10852 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
10853 | (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): | |
10854 | (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): | |
10855 | * dfg/DFGPredictionPropagationPhase.cpp: | |
10856 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
10857 | * dfg/DFGPromotedHeapLocation.cpp: | |
10858 | (WTF::printInternal): | |
10859 | * dfg/DFGPromotedHeapLocation.h: | |
10860 | * dfg/DFGSafeToExecute.h: | |
10861 | (JSC::DFG::safeToExecute): | |
10862 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
10863 | (JSC::DFG::SpeculativeJIT::compile): | |
10864 | * dfg/DFGSpeculativeJIT64.cpp: | |
10865 | (JSC::DFG::SpeculativeJIT::compile): | |
10866 | * dfg/DFGValidate.cpp: | |
10867 | (JSC::DFG::Validate::validateCPS): | |
10868 | * ftl/FTLCapabilities.cpp: | |
10869 | (JSC::FTL::canCompile): | |
10870 | * ftl/FTLLowerDFGToLLVM.cpp: | |
10871 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
10872 | * ftl/FTLOperations.cpp: | |
10873 | (JSC::FTL::operationMaterializeObjectInOSR): | |
10874 | * tests/stress/function-sinking-no-double-allocate.js: Added. | |
10875 | (call): | |
10876 | (.f): | |
10877 | (sink): | |
10878 | * tests/stress/function-sinking-osrexit.js: Added. | |
10879 | (.g): | |
10880 | (sink): | |
10881 | * tests/stress/function-sinking-put.js: Added. | |
10882 | (.g): | |
10883 | (sink): | |
10884 | ||
10885 | 2015-04-23 Basile Clement <basile_clement@apple.com> | |
10886 | ||
10887 | Make FunctionRareData allocation thread-safe | |
10888 | https://bugs.webkit.org/show_bug.cgi?id=144001 | |
10889 | ||
10890 | Reviewed by Mark Lam. | |
10891 | ||
10892 | The two things we want to prevent are: | |
10893 | ||
10894 | 1. A thread seeing a pointer to a not-yet-fully-created rare data from | |
10895 | a JSFunction | |
10896 | 2. A thread seeing a pointer to a not-yet-fully-created Structure from | |
10897 | an ObjectAllocationProfile | |
10898 | ||
10899 | For 1., only the JS thread can be creating the rare data (in | |
10900 | runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to | |
10901 | worry about concurrent writes, and we don't need any fences when *reading* the | |
10902 | rare data from the JS thread. Thus we only need a storeStoreFence between the | |
10903 | rare data creation and assignment to m_rareData in | |
10904 | JSFunction::createAndInitializeRareData() to ensure that when the store to | |
10905 | m_rareData is issued, the rare data has been properly created. | |
10906 | ||
10907 | For the DFG compilation threads, the only place they can access the | |
10908 | rare data is through JSFunction::rareData(), and so we only need a | |
10909 | loadLoadFence there to ensure that when we see a non-null pointer in | |
10910 | m_rareData, the pointed object will be seen as a fully created | |
10911 | FunctionRareData. | |
10912 | ||
10913 | ||
10914 | For 2., the structure is created in | |
10915 | ObjectAllocationProfile::initialize() (which appears to be called only by the | |
10916 | JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization, | |
10917 | which always happen in the JS thread), and read through | |
10918 | ObjectAllocationProfile::structure() and | |
10919 | ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we | |
10920 | put a storeStoreFence in ObjectAllocationProfile::initialize() and a | |
10921 | loadLoadFence in ObjectAllocationProfile::structure() (and change | |
10922 | ObjectAllocationProfile::inlineCapacity() to go through | |
10923 | ObjectAllocationProfile::structure()). | |
10924 | ||
10925 | We don't need a fence in ObjectAllocationProfile::clear() because | |
10926 | clearing the structure is already as atomic as it gets. | |
10927 | ||
10928 | Finally, notice that we don't care about the ObjectAllocationProfile's | |
10929 | m_allocator as that is only used by ObjectAllocationProfile::initialize() and | |
10930 | ObjectAllocationProfile::clear() that are always run in the JS thread. | |
10931 | ObjectAllocationProfile::isNull() could cause some trouble, but it is | |
10932 | currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS | |
10933 | thread. Doing isNull()-style pre-checks would be wrong in any other concurrent | |
10934 | thread anyway. | |
10935 | ||
10936 | * bytecode/ObjectAllocationProfile.h: | |
10937 | (JSC::ObjectAllocationProfile::initialize): | |
10938 | (JSC::ObjectAllocationProfile::structure): | |
10939 | (JSC::ObjectAllocationProfile::inlineCapacity): | |
10940 | * runtime/JSFunction.cpp: | |
10941 | (JSC::JSFunction::allocateAndInitializeRareData): | |
10942 | * runtime/JSFunction.h: | |
10943 | (JSC::JSFunction::rareData): | |
10944 | (JSC::JSFunction::allocationStructure): Deleted. | |
10945 | This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data. | |
10946 | ||
10947 | 2015-04-22 Filip Pizlo <fpizlo@apple.com> | |
10948 | ||
10949 | DFG should insert Phantoms late using BytecodeKills and block-local OSR availability | |
10950 | https://bugs.webkit.org/show_bug.cgi?id=143735 | |
10951 | ||
10952 | Reviewed by Geoffrey Garen. | |
10953 | ||
10954 | We've always had bugs arising from the fact that we would MovHint something into a local, | |
10955 | and then fail to keep it alive. We would then try to keep things alive by putting Phantoms | |
10956 | on those Nodes that were MovHinted. But this became increasingly tricky. Given the | |
10957 | sophistication of the transformations we are doing today, this approach is just not sound | |
10958 | anymore. | |
10959 | ||
10960 | This comprehensively fixes these bugs by having the DFG backend automatically insert | |
10961 | Phantoms just before codegen based on bytecode liveness. To make this practical, this also | |
10962 | makes it much faster to query bytecode liveness. | |
10963 | ||
10964 | It's about as perf-neutral as it gets for a change that increases compiler work without | |
10965 | actually optimizing anything. Later changes will remove the old Phantom-preserving logic, | |
10966 | which should then speed us up. I can't really report concrete slow-down numbers because | |
10967 | they are low enough to basically be in the noise. For example, a 20-iteration run of | |
10968 | SunSpider yields "maybe 0.8% slower", whatever that means. | |
10969 | ||
10970 | * CMakeLists.txt: | |
10971 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
10972 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
10973 | * bytecode/BytecodeLivenessAnalysis.cpp: | |
10974 | (JSC::BytecodeLivenessAnalysis::computeFullLiveness): | |
10975 | * bytecode/FullBytecodeLiveness.h: | |
10976 | (JSC::FullBytecodeLiveness::getLiveness): | |
10977 | * bytecode/VirtualRegister.h: | |
10978 | (JSC::VirtualRegister::operator+): | |
10979 | (JSC::VirtualRegister::operator-): | |
10980 | * dfg/DFGForAllKills.h: | |
10981 | (JSC::DFG::forAllLiveNodesAtTail): | |
10982 | (JSC::DFG::forAllKilledOperands): | |
10983 | (JSC::DFG::forAllKilledNodesAtNodeIndex): | |
10984 | * dfg/DFGGraph.cpp: | |
10985 | (JSC::DFG::Graph::isLiveInBytecode): | |
10986 | (JSC::DFG::Graph::localsLiveInBytecode): | |
10987 | * dfg/DFGGraph.h: | |
10988 | (JSC::DFG::Graph::forAllLocalsLiveInBytecode): | |
10989 | (JSC::DFG::Graph::forAllLiveInBytecode): | |
10990 | * dfg/DFGMayExit.cpp: | |
10991 | (JSC::DFG::mayExit): | |
10992 | * dfg/DFGMovHintRemovalPhase.cpp: | |
10993 | * dfg/DFGNodeType.h: | |
10994 | * dfg/DFGPhantomInsertionPhase.cpp: Added. | |
10995 | (JSC::DFG::performPhantomInsertion): | |
10996 | * dfg/DFGPhantomInsertionPhase.h: Added. | |
10997 | * dfg/DFGPlan.cpp: | |
10998 | (JSC::DFG::Plan::compileInThreadImpl): | |
10999 | * dfg/DFGScoreBoard.h: | |
11000 | (JSC::DFG::ScoreBoard::sortFree): | |
11001 | (JSC::DFG::ScoreBoard::assertClear): | |
11002 | * dfg/DFGVirtualRegisterAllocationPhase.cpp: | |
11003 | (JSC::DFG::VirtualRegisterAllocationPhase::run): | |
11004 | * ftl/FTLLowerDFGToLLVM.cpp: | |
11005 | (JSC::FTL::LowerDFGToLLVM::buildExitArguments): | |
11006 | * tests/stress/phantom-inadequacy.js: Added. | |
11007 | (bar): | |
11008 | (baz): | |
11009 | (foo): | |
11010 | ||
11011 | 2015-04-23 Filip Pizlo <fpizlo@apple.com> | |
11012 | ||
11013 | Rename HardPhantom to MustGenerate. | |
11014 | ||
11015 | Rubber stamped by Geoffrey Garen. | |
11016 | ||
11017 | We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom | |
11018 | is more than that; it's a utility for forcing the execution of otherwise killable nodes. | |
11019 | NodeMustGenerate is the flag we use to indicate that something isn't killable. So this | |
11020 | node should just be called MustGenerate. | |
11021 | ||
11022 | * dfg/DFGAbstractInterpreterInlines.h: | |
11023 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
11024 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
11025 | * dfg/DFGClobberize.h: | |
11026 | (JSC::DFG::clobberize): | |
11027 | * dfg/DFGDCEPhase.cpp: | |
11028 | (JSC::DFG::DCEPhase::run): | |
11029 | * dfg/DFGDoesGC.cpp: | |
11030 | (JSC::DFG::doesGC): | |
11031 | * dfg/DFGFixupPhase.cpp: | |
11032 | (JSC::DFG::FixupPhase::fixupNode): | |
11033 | (JSC::DFG::FixupPhase::tryToRelaxRepresentation): | |
11034 | * dfg/DFGIntegerCheckCombiningPhase.cpp: | |
11035 | (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): | |
11036 | * dfg/DFGMayExit.cpp: | |
11037 | (JSC::DFG::mayExit): | |
11038 | * dfg/DFGNode.h: | |
11039 | (JSC::DFG::Node::willHaveCodeGenOrOSR): | |
11040 | * dfg/DFGNodeType.h: | |
11041 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
11042 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
11043 | * dfg/DFGPhantomCanonicalizationPhase.cpp: | |
11044 | (JSC::DFG::PhantomCanonicalizationPhase::run): | |
11045 | * dfg/DFGPhantomRemovalPhase.cpp: | |
11046 | (JSC::DFG::PhantomRemovalPhase::run): | |
11047 | * dfg/DFGPredictionPropagationPhase.cpp: | |
11048 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
11049 | * dfg/DFGSafeToExecute.h: | |
11050 | (JSC::DFG::safeToExecute): | |
11051 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
11052 | (JSC::DFG::SpeculativeJIT::compile): | |
11053 | * dfg/DFGSpeculativeJIT64.cpp: | |
11054 | (JSC::DFG::SpeculativeJIT::compile): | |
11055 | * dfg/DFGTypeCheckHoistingPhase.cpp: | |
11056 | (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): | |
11057 | (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): | |
11058 | * dfg/DFGVarargsForwardingPhase.cpp: | |
11059 | * ftl/FTLCapabilities.cpp: | |
11060 | (JSC::FTL::canCompile): | |
11061 | * ftl/FTLLowerDFGToLLVM.cpp: | |
11062 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
11063 | ||
11064 | 2015-04-23 Jordan Harband <ljharb@gmail.com> | |
11065 | ||
11066 | Implement `Object.assign` | |
11067 | https://bugs.webkit.org/show_bug.cgi?id=143980 | |
11068 | ||
11069 | Reviewed by Filip Pizlo. | |
11070 | ||
11071 | per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign | |
11072 | ||
11073 | * builtins/ObjectConstructor.js: Added. | |
11074 | (assign): | |
11075 | * runtime/CommonIdentifiers.h: | |
11076 | * runtime/JSGlobalObject.cpp: | |
11077 | (JSC::JSGlobalObject::init): | |
11078 | * runtime/ObjectConstructor.cpp: | |
11079 | * runtime/ObjectConstructor.h: | |
11080 | ||
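The entry above implements Object.assign as a JS builtin following the ES6 draft it links. The following is an added example, not JavaScriptCore's builtins/ObjectConstructor.js: the same algorithm written out step by step in plain JavaScript so the observable rules are explicit (null/undefined target throws, null/undefined sources are skipped, only enumerable own keys including symbols are copied, source getters and target setters run, and a non-writable target property raises TypeError). The names assignLikeES6 and checkAssignCases are hypothetical.

```javascript
// Added example (not JavaScriptCore code): the ES6 Object.assign algorithm
// written out so each observable step is visible. Names are hypothetical.
function assignLikeES6(target, ...sources) {
  // ToObject(target): null and undefined are the only values that throw.
  if (target === null || target === undefined) {
    throw new TypeError('Cannot convert undefined or null to object');
  }
  const to = Object(target);
  for (const nextSource of sources) {
    // null/undefined sources are skipped silently, not treated as errors.
    if (nextSource === null || nextSource === undefined) continue;
    const from = Object(nextSource);
    // Own keys only (no prototype walk): string keys first, then symbols.
    const keys = [
      ...Object.getOwnPropertyNames(from),
      ...Object.getOwnPropertySymbols(from),
    ];
    for (const key of keys) {
      const desc = Object.getOwnPropertyDescriptor(from, key);
      if (desc === undefined || !desc.enumerable) continue;
      // Get runs source getters; Set (not DefineOwnProperty) runs target
      // setters and returns false for a non-writable target property,
      // which the spec turns into a TypeError (Throw = true).
      if (!Reflect.set(to, key, from[key])) {
        throw new TypeError(`Cannot assign to read only property '${String(key)}'`);
      }
    }
  }
  return to;
}

// Exercise the edge cases on constructed inputs and compare with the native
// Object.assign of the running engine.
function checkAssignCases() {
  const sym = Symbol('s');
  const source = Object.create({ inherited: 1 }, {
    own: { value: 2, enumerable: true },
    hidden: { value: 3, enumerable: false },
    [sym]: { value: 4, enumerable: true },
  });
  const setterLog = [];
  const target = { set own(v) { setterLog.push(v); } };
  const result = assignLikeES6(target, source, null, undefined, { extra: 5 });

  let nullTargetThrows = false;
  try { assignLikeES6(null, {}); } catch (e) { nullTargetThrows = e instanceof TypeError; }

  let frozenTargetThrows = false;
  try { assignLikeES6(Object.freeze({ x: 1 }), { x: 2 }); }
  catch (e) { frozenTargetThrows = e instanceof TypeError; }

  const hasOwn = (k) => Object.prototype.hasOwnProperty.call(result, k);
  return {
    sameObject: result === target,        // true: target is mutated and returned
    setterLog,                            // [2]: 'own' went through the setter
    copiedInherited: hasOwn('inherited'), // false: inherited keys are not copied
    copiedHidden: hasOwn('hidden'),       // false: non-enumerable keys are skipped
    copiedSymbol: result[sym],            // 4: enumerable symbol keys are copied
    extra: result.extra,                  // 5
    nullTargetThrows,                     // true
    frozenTargetThrows,                   // true
    matchesNative: JSON.stringify(Object.assign({}, source, { extra: 5 }))
      === JSON.stringify(assignLikeES6({}, source, { extra: 5 })),
  };
}
```

The point worth remembering for anyone auditing code that merges untrusted objects with Object.assign: because it uses [[Set]], any setter on the target (or its prototype chain) runs during the copy, and only own enumerable properties of the source are read.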
11081 | 2015-04-22 Filip Pizlo <fpizlo@apple.com> | |
11082 | ||
11083 | Unreviewed, fix debug build. | |
11084 | ||
11085 | * dfg/DFGGraph.h: | |
11086 | (JSC::DFG::Graph::performSubstitutionForEdge): | |
11087 | ||
11088 | 2015-04-22 Filip Pizlo <fpizlo@apple.com> | |
11089 | ||
11090 | Nodes should have an optional epoch field | |
11091 | https://bugs.webkit.org/show_bug.cgi?id=144084 | |
11092 | ||
11093 | Reviewed by Ryosuke Niwa and Mark Lam. | |
11094 | ||
11095 | This makes it easier to do epoch-based analyses on nodes. I plan to do just that in | |
11096 | https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet | |
11097 | used. | |
11098 | ||
11099 | * dfg/DFGCPSRethreadingPhase.cpp: | |
11100 | (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): | |
11101 | * dfg/DFGCSEPhase.cpp: | |
11102 | * dfg/DFGEpoch.h: | |
11103 | (JSC::DFG::Epoch::fromUnsigned): | |
11104 | (JSC::DFG::Epoch::toUnsigned): | |
11105 | * dfg/DFGGraph.cpp: | |
11106 | (JSC::DFG::Graph::clearReplacements): | |
11107 | (JSC::DFG::Graph::clearEpochs): | |
11108 | * dfg/DFGGraph.h: | |
11109 | (JSC::DFG::Graph::performSubstitutionForEdge): | |
11110 | * dfg/DFGNode.h: | |
11111 | (JSC::DFG::Node::Node): | |
11112 | (JSC::DFG::Node::replaceWith): | |
11113 | (JSC::DFG::Node::replacement): | |
11114 | (JSC::DFG::Node::setReplacement): | |
11115 | (JSC::DFG::Node::epoch): | |
11116 | (JSC::DFG::Node::setEpoch): | |
11117 | * dfg/DFGSSAConversionPhase.cpp: | |
11118 | (JSC::DFG::SSAConversionPhase::run): | |
11119 | ||
11120 | 2015-04-22 Mark Lam <mark.lam@apple.com> | |
11121 | ||
11122 | Fix assertion failure and race condition in Options::dumpSourceAtDFGTime(). | |
11123 | https://bugs.webkit.org/show_bug.cgi?id=143898 | |
11124 | ||
11125 | Reviewed by Filip Pizlo. | |
11126 | ||
11127 | CodeBlock::dumpSource() will access SourceCode strings in a way that requires | |
11128 | ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary | |
11129 | compilation threads because StringImpls are not thread safe. As a result, we get | |
11130 | an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug | |
11131 | build. | |
11132 | ||
11133 | This patch fixes the issue by only collecting the CodeBlock (and associated info) | |
11134 | into a DeferredSourceDump record while compiling, and stashing it away in a | |
11135 | deferredSourceDump list in the DeferredCompilationCallback object to be dumped | |
11136 | later. | |
11137 | ||
11138 | When compilation is done, the callback object will be notified that | |
11139 | compilationDidComplete(). We will dump the SourceCode strings from there. | |
11140 | Since compilationDidComplete() is guaranteed to only be called on the thread | |
11141 | doing JS execution, it is safe to access the SourceCode strings there and ref | |
11142 | their underlying StringImpls as needed. | |
11143 | ||
11144 | * CMakeLists.txt: | |
11145 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
11146 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
11147 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
11148 | * bytecode/DeferredCompilationCallback.cpp: | |
11149 | (JSC::DeferredCompilationCallback::compilationDidComplete): | |
11150 | (JSC::DeferredCompilationCallback::sourceDumpInfo): | |
11151 | (JSC::DeferredCompilationCallback::dumpCompiledSources): | |
11152 | * bytecode/DeferredCompilationCallback.h: | |
11153 | * bytecode/DeferredSourceDump.cpp: Added. | |
11154 | (JSC::DeferredSourceDump::DeferredSourceDump): | |
11155 | (JSC::DeferredSourceDump::dump): | |
11156 | * bytecode/DeferredSourceDump.h: Added. | |
11157 | * dfg/DFGByteCodeParser.cpp: | |
11158 | (JSC::DFG::ByteCodeParser::parseCodeBlock): | |
11159 | * dfg/DFGDriver.cpp: | |
11160 | (JSC::DFG::compileImpl): | |
11161 | ||
11162 | 2015-04-22 Benjamin Poulain <benjamin@webkit.org> | |
11163 | ||
11164 | Implement String.codePointAt() | |
11165 | https://bugs.webkit.org/show_bug.cgi?id=143934 | |
11166 | ||
11167 | Reviewed by Darin Adler. | |
11168 | ||
11169 | This patch adds String.codePointAt() as defined by ES6. | |
11170 | I opted for a C++ implementation for now. | |
11171 | ||
11172 | * runtime/StringPrototype.cpp: | |
11173 | (JSC::StringPrototype::finishCreation): | |
11174 | (JSC::codePointAt): | |
11175 | (JSC::stringProtoFuncCodePointAt): | |
11176 | ||
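The entry above adds String.prototype.codePointAt in C++. As an added example that is not JavaScriptCore's implementation, here is the ES6 algorithm written in JavaScript, together with a helper that walks a string by code points rather than UTF-16 units; the names codePointAtLikeES6, codePoints and codePointAtCases are hypothetical.

```javascript
// Added example (not JavaScriptCore code): String.prototype.codePointAt as
// specified by ES6, with surrogate handling made explicit. Names hypothetical.
function codePointAtLikeES6(str, position) {
  const s = String(str);          // ToString(this value)
  const size = s.length;          // length in UTF-16 code units
  // ToInteger: NaN becomes 0, fractions truncate toward zero.
  let pos = Math.trunc(Number(position));
  if (Number.isNaN(pos)) pos = 0;
  if (pos < 0 || pos >= size) return undefined;
  const first = s.charCodeAt(pos);
  // Not a high (leading) surrogate, or nothing follows it: return the unit.
  if (first < 0xD800 || first > 0xDBFF || pos + 1 === size) return first;
  const second = s.charCodeAt(pos + 1);
  // A high surrogate not followed by a low one is returned unchanged.
  if (second < 0xDC00 || second > 0xDFFF) return first;
  return (first - 0xD800) * 0x400 + (second - 0xDC00) + 0x10000;
}

// Walk a string one code point at a time, skipping both halves of a pair.
function codePoints(str) {
  const s = String(str);
  const out = [];
  for (let i = 0; i < s.length; ) {
    const cp = codePointAtLikeES6(s, i);
    out.push(cp);
    i += cp > 0xFFFF ? 2 : 1;
  }
  return out;
}

// Constructed inputs: "a😀b" is 4 UTF-16 units but 3 code points.
function codePointAtCases() {
  const smiley = 'a\uD83D\uDE00b';
  return {
    atSmiley: codePointAtLikeES6(smiley, 1),          // 0x1F600
    atLowHalf: codePointAtLikeES6(smiley, 2),         // 0xDE00, the low half alone
    charCode: smiley.charCodeAt(1),                   // 0xD83D, charCodeAt sees units only
    loneHigh: codePointAtLikeES6('\uD83Dx', 0),       // 0xD83D, unpaired surrogate
    outOfRange: codePointAtLikeES6(smiley, 4),        // undefined
    nanPosition: codePointAtLikeES6(smiley, 'oops'),  // 97, NaN position reads index 0
    unitLength: smiley.length,                        // 4
    codePointLength: codePoints(smiley).length,       // 3
    matchesNative: codePointAtLikeES6(smiley, 1) === smiley.codePointAt(1),
  };
}
```

The practical consequence for input validation: a length limit enforced with .length counts UTF-16 units, so a string that passes as "4 characters" may be 3 code points, and a lone surrogate is reported as a code point rather than rejected; code that needs character counts or well-formedness has to check for that explicitly.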
11177 | 2015-04-22 Mark Lam <mark.lam@apple.com> | |
11178 | ||
11179 | SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. | |
11180 | https://bugs.webkit.org/show_bug.cgi?id=144067 | |
11181 | ||
11182 | Reviewed by Michael Saboff. | |
11183 | ||
11184 | Currently, there are a few places where the JSObject that owns the | |
11185 | SparseArrayValueMap is designated as the owner of the SparseArrayEntry | |
11186 | write barrier. This is a bug and can result in the GC collecting the | |
11187 | SparseArrayEntry even though it is being referenced by the | |
11188 | SparseArrayValueMap. This patch fixes the bug. | |
11189 | ||
11190 | * runtime/JSObject.cpp: | |
11191 | (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): | |
11192 | (JSC::JSObject::putIndexedDescriptor): | |
11193 | * tests/stress/sparse-array-entry-update-144067.js: Added. | |
11194 | (useMemoryToTriggerGCs): | |
11195 | (foo): | |
11196 | ||
11197 | 2015-04-22 Mark Lam <mark.lam@apple.com> | |
11198 | ||
11199 | Give the heap object iterators the ability to return early. | |
11200 | https://bugs.webkit.org/show_bug.cgi?id=144011 | |
11201 | ||
11202 | Reviewed by Michael Saboff. | |
11203 | ||
11204 | JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate | |
11205 | candidate cell pointers, and, when in use, is called a lot more often than | |
11206 | the normal way those iterators are used. As a result, I see my instrumented | |
11207 | VM killed with a SIGXCPU (CPU time limit exceeded). This patch gives the | |
11208 | callback functor the ability to tell the iterators to return early when the | |
11209 | functor no longer needs to continue iterating. With this, my instrumented | |
11210 | VM is useful again for debugging. | |
11211 | ||
11212 | Since heap iteration is not something that we do in a typical fast path, | |
11213 | I don't expect this to have any noticeable impact on performance. | |
11214 | ||
11215 | I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since | |
11216 | it checks JSCell addresses, not just JSObjects. | |
11217 | ||
11218 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
11219 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
11220 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
11221 | * debugger/Debugger.cpp: | |
11222 | * heap/GCLogging.cpp: | |
11223 | (JSC::LoggingFunctor::operator()): | |
11224 | * heap/Heap.cpp: | |
11225 | (JSC::Zombify::visit): | |
11226 | (JSC::Zombify::operator()): | |
11227 | * heap/HeapStatistics.cpp: | |
11228 | (JSC::StorageStatistics::visit): | |
11229 | (JSC::StorageStatistics::operator()): | |
11230 | * heap/HeapVerifier.cpp: | |
11231 | (JSC::GatherLiveObjFunctor::visit): | |
11232 | (JSC::GatherLiveObjFunctor::operator()): | |
11233 | * heap/MarkedBlock.cpp: | |
11234 | (JSC::SetNewlyAllocatedFunctor::operator()): | |
11235 | * heap/MarkedBlock.h: | |
11236 | (JSC::MarkedBlock::forEachCell): | |
11237 | (JSC::MarkedBlock::forEachLiveCell): | |
11238 | (JSC::MarkedBlock::forEachDeadCell): | |
11239 | * heap/MarkedSpace.h: | |
11240 | (JSC::MarkedSpace::forEachLiveCell): | |
11241 | (JSC::MarkedSpace::forEachDeadCell): | |
11242 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
11243 | (Inspector::TypeRecompiler::visit): | |
11244 | (Inspector::TypeRecompiler::operator()): | |
11245 | * runtime/IterationStatus.h: Added. | |
11246 | * runtime/JSGlobalObject.cpp: | |
11247 | * runtime/VM.cpp: | |
11248 | (JSC::StackPreservingRecompiler::visit): | |
11249 | (JSC::StackPreservingRecompiler::operator()): | |
11250 | * tools/JSDollarVMPrototype.cpp: | |
11251 | (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor): | |
11252 | (JSC::CellAddressCheckFunctor::operator()): | |
11253 | (JSC::JSDollarVMPrototype::isValidCell): | |
11254 | (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): Deleted. | |
11255 | (JSC::ObjectAddressCheckFunctor::operator()): Deleted. | |
11256 | ||
11257 | 2015-04-22 Yusuke Suzuki <utatane.tea@gmail.com> | |
11258 | ||
11259 | [[Set]] should be properly executed in JS builtins | |
11260 | https://bugs.webkit.org/show_bug.cgi?id=143996 | |
11261 | ||
11262 | Reviewed by Geoffrey Garen. | |
11263 | ||
11264 | Currently, all assignments in builtins JS code are compiled into put_by_val_direct. | |
11265 | However, | |
11266 | ||
11267 | 1. Some functions (like Array.from) need [[Set]]. (but it is now compiled into put_by_val_direct, [[DefineOwnProperty]]). | |
11268 | 2. It's different from the default JS behavior. | |
11269 | ||
11270 | In this patch, we implement the bytecode intrinsic emitting put_by_val_direct and use it explicitly, | |
11271 | dropping the current hack for builtins. | |
11272 | ||
11273 | * builtins/Array.prototype.js: | |
11274 | (filter): | |
11275 | (map): | |
11276 | (find): | |
11277 | * bytecompiler/BytecodeGenerator.cpp: | |
11278 | (JSC::BytecodeGenerator::emitPutByVal): | |
11279 | * tests/stress/array-fill-put-by-val.js: Added. | |
11280 | (shouldThrow): | |
11281 | (.set get array): | |
11282 | * tests/stress/array-filter-put-by-val-direct.js: Added. | |
11283 | (shouldBe): | |
11284 | (.set get var): | |
11285 | * tests/stress/array-find-does-not-lookup-twice.js: Added. | |
11286 | (shouldBe): | |
11287 | (shouldThrow): | |
11288 | (.get shouldBe): | |
11289 | * tests/stress/array-from-put-by-val-direct.js: Added. | |
11290 | (shouldBe): | |
11291 | (.set get var): | |
11292 | * tests/stress/array-from-set-length.js: Added. | |
11293 | (shouldBe): | |
11294 | (ArrayLike): | |
11295 | (ArrayLike.prototype.set length): | |
11296 | (ArrayLike.prototype.get length): | |
11297 | * tests/stress/array-map-put-by-val-direct.js: Added. | |
11298 | (shouldBe): | |
11299 | (.set get var): | |
11300 | ||
11301 | 2015-04-22 Basile Clement <basile_clement@apple.com> | |
11302 | ||
11303 | Don't de-allocate FunctionRareData | |
11304 | https://bugs.webkit.org/show_bug.cgi?id=144000 | |
11305 | ||
11306 | Reviewed by Michael Saboff. | |
11307 | ||
11308 | A function rare data (containing most notably its allocation profile) is currently | |
11309 | freed and re-allocated each time the function's prototype is cleared. | |
11310 | This is not optimal as it means we are invalidating the watchpoint and recompiling the | |
11311 | scope each time the prototype is cleared. | |
11312 | ||
11313 | This makes it so that a single rare data is reused, clearing the underlying | |
11314 | ObjectAllocationProfile instead of throwing away the whole rare data on | |
11315 | .prototype updates. | |
11316 | ||
11317 | * runtime/FunctionRareData.cpp: | |
11318 | (JSC::FunctionRareData::create): | |
11319 | (JSC::FunctionRareData::finishCreation): | |
11320 | * runtime/FunctionRareData.h: | |
11321 | * runtime/JSFunction.cpp: | |
11322 | (JSC::JSFunction::allocateAndInitializeRareData): | |
11323 | (JSC::JSFunction::initializeRareData): | |
11324 | ||
11325 | 2015-04-21 Filip Pizlo <fpizlo@apple.com> | |
11326 | ||
11327 | Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well. | |
11328 | ||
11329 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
11330 | (JSC::DFG::SpeculativeJIT::compile): | |
11331 | ||
11332 | 2015-04-21 Filip Pizlo <fpizlo@apple.com> | |
11333 | ||
11334 | DFG should allow Phantoms after terminals | |
11335 | https://bugs.webkit.org/show_bug.cgi?id=126778 | |
11336 | ||
11337 | Reviewed by Mark Lam. | |
11338 | ||
11339 | It's important for us to be able to place liveness-marking nodes after nodes that do | |
11340 | things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after | |
11341 | terminals. That made things awkward, especially for Switch and Branch, which may do | |
11342 | things that necessitate liveness markers (for example they might want to use a converted | |
11343 | version of a value rather than the value that was MovHinted). We previously made this | |
11344 | work by disallowing certain optimizations on Switch and Branch, which was probably a bad | |
11345 | thing. | |
11346 | ||
11347 | This changes our IR to allow for the terminal to not be the last node in a block. Asking | |
11348 | for the terminal involves a search. DFG::validate() checks that the nodes after the | |
11349 | terminal are liveness markers that have no effects or checks. | |
11350 | ||
11351 | This is perf-neutral but will allow more optimizations in the future. It will also make | |
11352 | it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735. | |
11353 | ||
11354 | * dfg/DFGBasicBlock.cpp: | |
11355 | (JSC::DFG::BasicBlock::replaceTerminal): | |
11356 | * dfg/DFGBasicBlock.h: | |
11357 | (JSC::DFG::BasicBlock::findTerminal): | |
11358 | (JSC::DFG::BasicBlock::terminal): | |
11359 | (JSC::DFG::BasicBlock::insertBeforeTerminal): | |
11360 | (JSC::DFG::BasicBlock::numSuccessors): | |
11361 | (JSC::DFG::BasicBlock::successor): | |
11362 | (JSC::DFG::BasicBlock::successorForCondition): | |
11363 | (JSC::DFG::BasicBlock::successors): | |
11364 | (JSC::DFG::BasicBlock::last): Deleted. | |
11365 | (JSC::DFG::BasicBlock::takeLast): Deleted. | |
11366 | (JSC::DFG::BasicBlock::insertBeforeLast): Deleted. | |
11367 | (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted. | |
11368 | (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted. | |
11369 | (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted. | |
11370 | (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted. | |
11371 | (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted. | |
11372 | (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted. | |
11373 | (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted. | |
11374 | (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted. | |
11375 | * dfg/DFGBasicBlockInlines.h: | |
11376 | (JSC::DFG::BasicBlock::appendNonTerminal): | |
11377 | (JSC::DFG::BasicBlock::replaceTerminal): | |
11378 | * dfg/DFGByteCodeParser.cpp: | |
11379 | (JSC::DFG::ByteCodeParser::addToGraph): | |
11380 | (JSC::DFG::ByteCodeParser::inlineCall): | |
11381 | (JSC::DFG::ByteCodeParser::handleInlining): | |
11382 | (JSC::DFG::ByteCodeParser::parseBlock): | |
11383 | (JSC::DFG::ByteCodeParser::linkBlock): | |
11384 | (JSC::DFG::ByteCodeParser::parseCodeBlock): | |
11385 | * dfg/DFGCFGSimplificationPhase.cpp: | |
11386 | (JSC::DFG::CFGSimplificationPhase::run): | |
11387 | (JSC::DFG::CFGSimplificationPhase::convertToJump): | |
11388 | (JSC::DFG::CFGSimplificationPhase::mergeBlocks): | |
11389 | * dfg/DFGCPSRethreadingPhase.cpp: | |
11390 | (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): | |
11391 | * dfg/DFGCommon.h: | |
11392 | (JSC::DFG::NodeAndIndex::NodeAndIndex): | |
11393 | (JSC::DFG::NodeAndIndex::operator!): | |
11394 | * dfg/DFGFixupPhase.cpp: | |
11395 | (JSC::DFG::FixupPhase::fixupBlock): | |
11396 | (JSC::DFG::FixupPhase::fixupNode): | |
11397 | (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): | |
11398 | (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted. | |
11399 | * dfg/DFGForAllKills.h: | |
11400 | (JSC::DFG::forAllLiveNodesAtTail): | |
11401 | * dfg/DFGGraph.cpp: | |
11402 | (JSC::DFG::Graph::terminalsAreValid): | |
11403 | (JSC::DFG::Graph::dumpBlockHeader): | |
11404 | * dfg/DFGGraph.h: | |
11405 | * dfg/DFGInPlaceAbstractState.cpp: | |
11406 | (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): | |
11407 | * dfg/DFGLICMPhase.cpp: | |
11408 | (JSC::DFG::LICMPhase::run): | |
11409 | (JSC::DFG::LICMPhase::attemptHoist): | |
11410 | * dfg/DFGMovHintRemovalPhase.cpp: | |
11411 | * dfg/DFGNode.h: | |
11412 | (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable): | |
11413 | (JSC::DFG::Node::SuccessorsIterable::iterator::iterator): | |
11414 | (JSC::DFG::Node::SuccessorsIterable::iterator::operator*): | |
11415 | (JSC::DFG::Node::SuccessorsIterable::iterator::operator++): | |
11416 | (JSC::DFG::Node::SuccessorsIterable::iterator::operator==): | |
11417 | (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=): | |
11418 | (JSC::DFG::Node::SuccessorsIterable::begin): | |
11419 | (JSC::DFG::Node::SuccessorsIterable::end): | |
11420 | (JSC::DFG::Node::successors): | |
11421 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
11422 | (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): | |
11423 | (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): | |
11424 | (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): | |
11425 | * dfg/DFGPhantomRemovalPhase.cpp: | |
11426 | (JSC::DFG::PhantomRemovalPhase::run): | |
11427 | * dfg/DFGPutStackSinkingPhase.cpp: | |
11428 | * dfg/DFGSSAConversionPhase.cpp: | |
11429 | (JSC::DFG::SSAConversionPhase::run): | |
11430 | * dfg/DFGSpeculativeJIT.h: | |
11431 | (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch): | |
11432 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
11433 | (JSC::DFG::SpeculativeJIT::compile): | |
11434 | * dfg/DFGSpeculativeJIT64.cpp: | |
11435 | (JSC::DFG::SpeculativeJIT::compile): | |
11436 | * dfg/DFGStaticExecutionCountEstimationPhase.cpp: | |
11437 | (JSC::DFG::StaticExecutionCountEstimationPhase::run): | |
11438 | * dfg/DFGTierUpCheckInjectionPhase.cpp: | |
11439 | (JSC::DFG::TierUpCheckInjectionPhase::run): | |
11440 | * dfg/DFGValidate.cpp: | |
11441 | (JSC::DFG::Validate::validate): | |
11442 | * ftl/FTLLowerDFGToLLVM.cpp: | |
11443 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
11444 | * tests/stress/closure-call-exit.js: Added. | |
11445 | (foo): | |
11446 | ||
11447 | 2015-04-21 Basile Clement <basile_clement@apple.com> | |
11448 | ||
11449 | PhantomNewObject should be marked NodeMustGenerate | |
11450 | https://bugs.webkit.org/show_bug.cgi?id=143974 | |
11451 | ||
11452 | Reviewed by Filip Pizlo. | |
11453 | ||
11454 | * dfg/DFGNode.h: | |
11455 | (JSC::DFG::Node::convertToPhantomNewObject): | |
11456 | Was not properly marking NodeMustGenerate when converting. | |
11457 | ||
11458 | 2015-04-21 Filip Pizlo <fpizlo@apple.com> | |
11459 | ||
11460 | DFG Call/ConstructForwardVarargs fails to restore the stack pointer | |
11461 | https://bugs.webkit.org/show_bug.cgi?id=144007 | |
11462 | ||
11463 | Reviewed by Mark Lam. | |
11464 | ||
11465 | We were conditioning the stack pointer restoration on isVarargs, but we also need to do it | |
11466 | if isForwardVarargs. | |
11467 | ||
11468 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
11469 | (JSC::DFG::SpeculativeJIT::emitCall): | |
11470 | * dfg/DFGSpeculativeJIT64.cpp: | |
11471 | (JSC::DFG::SpeculativeJIT::emitCall): | |
11472 | * tests/stress/varargs-then-slow-call.js: Added. | |
11473 | (foo): | |
11474 | (bar): | |
11475 | (fuzz): | |
11476 | (baz): | |
11477 | ||
11478 | 2015-04-21 Basile Clement <basile_clement@apple.com> | |
11479 | ||
11480 | Remove AllocationProfileWatchpoint node | |
11481 | https://bugs.webkit.org/show_bug.cgi?id=143999 | |
11482 | ||
11483 | Reviewed by Filip Pizlo. | |
11484 | ||
11485 | * dfg/DFGAbstractInterpreterInlines.h: | |
11486 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
11487 | * dfg/DFGByteCodeParser.cpp: | |
11488 | (JSC::DFG::ByteCodeParser::parseBlock): | |
11489 | * dfg/DFGClobberize.h: | |
11490 | (JSC::DFG::clobberize): | |
11491 | * dfg/DFGDoesGC.cpp: | |
11492 | (JSC::DFG::doesGC): | |
11493 | * dfg/DFGFixupPhase.cpp: | |
11494 | (JSC::DFG::FixupPhase::fixupNode): | |
11495 | * dfg/DFGHeapLocation.cpp: | |
11496 | (WTF::printInternal): | |
11497 | * dfg/DFGHeapLocation.h: | |
11498 | * dfg/DFGNode.h: | |
11499 | (JSC::DFG::Node::hasCellOperand): | |
11500 | * dfg/DFGNodeType.h: | |
11501 | * dfg/DFGPredictionPropagationPhase.cpp: | |
11502 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
11503 | * dfg/DFGSafeToExecute.h: | |
11504 | (JSC::DFG::safeToExecute): | |
11505 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
11506 | (JSC::DFG::SpeculativeJIT::compile): | |
11507 | * dfg/DFGSpeculativeJIT64.cpp: | |
11508 | (JSC::DFG::SpeculativeJIT::compile): | |
11509 | * dfg/DFGWatchpointCollectionPhase.cpp: | |
11510 | (JSC::DFG::WatchpointCollectionPhase::handle): | |
11511 | * ftl/FTLCapabilities.cpp: | |
11512 | (JSC::FTL::canCompile): | |
11513 | * ftl/FTLLowerDFGToLLVM.cpp: | |
11514 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
11515 | * runtime/JSFunction.h: | |
11516 | (JSC::JSFunction::rareData): | |
11517 | (JSC::JSFunction::allocationProfileWatchpointSet): Deleted. | |
11518 | ||
11519 | 2015-04-19 Filip Pizlo <fpizlo@apple.com> | |
11520 | ||
11521 | MovHint should be a strong use | |
11522 | https://bugs.webkit.org/show_bug.cgi?id=143734 | |
11523 | ||
11524 | Reviewed by Geoffrey Garen. | |
11525 | ||
11526 | This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing | |
11527 | so is a major step towards allowing more fancy DFG transformations and also probably fixing | |
11528 | some bugs. | |
11529 | ||
11530 | Just making MovHint a strong use would also completely disable DCE. So we mitigate this by | |
11531 | introducing a MovHint removal phase that runs in FTL. | |
11532 | ||
11533 | This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages. | |
11534 | ||
11535 | * CMakeLists.txt: | |
11536 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
11537 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
11538 | * bytecode/CodeOrigin.cpp: | |
11539 | (JSC::InlineCallFrame::dumpInContext): | |
11540 | * dfg/DFGDCEPhase.cpp: | |
11541 | (JSC::DFG::DCEPhase::fixupBlock): | |
11542 | * dfg/DFGDisassembler.cpp: | |
11543 | (JSC::DFG::Disassembler::createDumpList): | |
11544 | * dfg/DFGEpoch.cpp: Added. | |
11545 | (JSC::DFG::Epoch::dump): | |
11546 | * dfg/DFGEpoch.h: Added. | |
11547 | (JSC::DFG::Epoch::Epoch): | |
11548 | (JSC::DFG::Epoch::first): | |
11549 | (JSC::DFG::Epoch::operator!): | |
11550 | (JSC::DFG::Epoch::next): | |
11551 | (JSC::DFG::Epoch::bump): | |
11552 | (JSC::DFG::Epoch::operator==): | |
11553 | (JSC::DFG::Epoch::operator!=): | |
11554 | * dfg/DFGMayExit.cpp: | |
11555 | (JSC::DFG::mayExit): | |
11556 | * dfg/DFGMovHintRemovalPhase.cpp: Added. | |
11557 | (JSC::DFG::performMovHintRemoval): | |
11558 | * dfg/DFGMovHintRemovalPhase.h: Added. | |
11559 | * dfg/DFGNodeType.h: | |
11560 | * dfg/DFGPlan.cpp: | |
11561 | (JSC::DFG::Plan::compileInThreadImpl): | |
11562 | * dfg/DFGSpeculativeJIT.cpp: | |
11563 | (JSC::DFG::SpeculativeJIT::compileCurrentBlock): | |
11564 | * dfg/DFGSpeculativeJIT64.cpp: | |
11565 | (JSC::DFG::SpeculativeJIT::compile): | |
11566 | * runtime/Options.h: | |
11567 | ||
11568 | 2015-04-21 Basile Clement <basile_clement@apple.com> | |
11569 | ||
11570 | REGRESSION (r182899): icloud.com crashes | |
11571 | https://bugs.webkit.org/show_bug.cgi?id=143960 | |
11572 | ||
11573 | Reviewed by Filip Pizlo. | |
11574 | ||
11575 | * runtime/JSFunction.h: | |
11576 | (JSC::JSFunction::allocationStructure): | |
11577 | * tests/stress/dfg-rare-data.js: Added. | |
11578 | (F): Regression test | |
11579 | ||
11580 | 2015-04-21 Michael Saboff <msaboff@apple.com> | |
11581 | ||
11582 | Crash in JSC::Interpreter::execute | |
11583 | https://bugs.webkit.org/show_bug.cgi?id=142625 | |
11584 | ||
11585 | Reviewed by Filip Pizlo. | |
11586 | ||
11587 | We need to keep the FunctionExecutables in the code block for the eval flavor of | |
11588 | Interpreter::execute() in order to create the scope used to eval. | |
11589 | ||
11590 | * bytecode/CodeBlock.cpp: | |
11591 | (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted. | |
11592 | * bytecode/CodeBlock.h: | |
11593 | * dfg/DFGGraph.cpp: | |
11594 | (JSC::DFG::Graph::registerFrozenValues): | |
11595 | ||
11596 | 2015-04-21 Chris Dumez <cdumez@apple.com> | |
11597 | ||
11598 | Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit | |
11599 | https://bugs.webkit.org/show_bug.cgi?id=143970 | |
11600 | ||
11601 | Reviewed by Darin Adler. | |
11602 | ||
11603 | Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) | |
11604 | constructor explicit as it copies the vector and it is easy to call it | |
11605 | by mistake. | |
11606 | ||
11607 | * bytecode/UnlinkedInstructionStream.cpp: | |
11608 | (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream): | |
11609 | * bytecode/UnlinkedInstructionStream.h: | |
11610 | * ftl/FTLLowerDFGToLLVM.cpp: | |
11611 | (JSC::FTL::LowerDFGToLLVM::lower): | |
11612 | ||
11613 | 2015-04-20 Basile Clement <basile_clement@apple.com> | |
11614 | ||
11615 | PhantomNewObject should be marked NodeMustGenerate | |
11616 | https://bugs.webkit.org/show_bug.cgi?id=143974 | |
11617 | ||
11618 | Reviewed by Filip Pizlo. | |
11619 | ||
11620 | * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate | |
11621 | ||
11622 | 2015-04-20 Joseph Pecoraro <pecoraro@apple.com> | |
11623 | ||
11624 | Cleanup some StringBuilder use | |
11625 | https://bugs.webkit.org/show_bug.cgi?id=143550 | |
11626 | ||
11627 | Reviewed by Darin Adler. | |
11628 | ||
11629 | * runtime/Symbol.cpp: | |
11630 | (JSC::Symbol::descriptiveString): | |
11631 | * runtime/TypeProfiler.cpp: | |
11632 | (JSC::TypeProfiler::typeInformationForExpressionAtOffset): | |
11633 | * runtime/TypeSet.cpp: | |
11634 | (JSC::TypeSet::toJSONString): | |
11635 | (JSC::StructureShape::propertyHash): | |
11636 | (JSC::StructureShape::stringRepresentation): | |
11637 | (JSC::StructureShape::toJSONString): | |
11638 | ||
11639 | 2015-04-20 Mark Lam <mark.lam@apple.com> | |
11640 | ||
11641 | Add debugging tools to test if a given pointer is a valid object and in the heap. | |
11642 | https://bugs.webkit.org/show_bug.cgi?id=143910 | |
11643 | ||
11644 | Reviewed by Geoffrey Garen. | |
11645 | ||
11646 | When doing debugging from lldb, it is sometimes useful to be able to tell if a | |
11647 | purported JSObject is really a valid object in the heap or not. We can add the | |
11648 | following utility functions to help: | |
11649 | isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap. | |
11650 | isInHeap(heap, candidate) - returns true if the candidate is in the heap's Object space or Storage space. | |
11651 | isInObjectSpace(heap, candidate) - returns true if the candidate is in the heap's Object space. | |
11652 | isInStorageSpace(heap, candidate) - returns true if the candidate is in the heap's Storage space. | |
11653 | ||
11654 | Also moved lldb callable debug utility function prototypes from | |
11655 | JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the | |
11656 | JSDollarVMPrototype class. This is so that we can conveniently #include that | |
11657 | file to get the prototypes when we need to call them programmatically from | |
11658 | instrumentation that we add while debugging an issue. | |
11659 | ||
11660 | * heap/Heap.h: | |
11661 | (JSC::Heap::storageSpace): | |
11662 | * tools/JSDollarVMPrototype.cpp: | |
11663 | (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock): | |
11664 | (JSC::ensureCurrentThreadOwnsJSLock): | |
11665 | (JSC::JSDollarVMPrototype::gc): | |
11666 | (JSC::functionGC): | |
11667 | (JSC::JSDollarVMPrototype::edenGC): | |
11668 | (JSC::functionEdenGC): | |
11669 | (JSC::JSDollarVMPrototype::isInHeap): | |
11670 | (JSC::JSDollarVMPrototype::isInObjectSpace): | |
11671 | (JSC::JSDollarVMPrototype::isInStorageSpace): | |
11672 | (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): | |
11673 | (JSC::ObjectAddressCheckFunctor::operator()): | |
11674 | (JSC::JSDollarVMPrototype::isValidCell): | |
11675 | (JSC::JSDollarVMPrototype::isValidCodeBlock): | |
11676 | (JSC::JSDollarVMPrototype::codeBlockForFrame): | |
11677 | (JSC::functionCodeBlockForFrame): | |
11678 | (JSC::codeBlockFromArg): | |
11679 | (JSC::JSDollarVMPrototype::printCallFrame): | |
11680 | (JSC::JSDollarVMPrototype::printStack): | |
11681 | (JSC::JSDollarVMPrototype::printValue): | |
11682 | (JSC::currentThreadOwnsJSLock): Deleted. | |
11683 | (JSC::gc): Deleted. | |
11684 | (JSC::edenGC): Deleted. | |
11685 | (JSC::isValidCodeBlock): Deleted. | |
11686 | (JSC::codeBlockForFrame): Deleted. | |
11687 | (JSC::printCallFrame): Deleted. | |
11688 | (JSC::printStack): Deleted. | |
11689 | (JSC::printValue): Deleted. | |
11690 | * tools/JSDollarVMPrototype.h: | |
11691 | ||
11692 | 2015-04-20 Joseph Pecoraro <pecoraro@apple.com> | |
11693 | ||
11694 | Web Inspector: Improve Support for WeakSet in Console | |
11695 | https://bugs.webkit.org/show_bug.cgi?id=143951 | |
11696 | ||
11697 | Reviewed by Darin Adler. | |
11698 | ||
11699 | * inspector/InjectedScriptSource.js: | |
11700 | * inspector/JSInjectedScriptHost.cpp: | |
11701 | (Inspector::JSInjectedScriptHost::subtype): | |
11702 | (Inspector::JSInjectedScriptHost::weakSetSize): | |
11703 | (Inspector::JSInjectedScriptHost::weakSetEntries): | |
11704 | * inspector/JSInjectedScriptHost.h: | |
11705 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
11706 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
11707 | (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): | |
11708 | (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): | |
11709 | Treat WeakSets like special sets. | |
11710 | ||
11711 | * inspector/protocol/Runtime.json: | |
11712 | Add a new object subtype, "weakset". | |
11713 | ||
11714 | 2015-04-20 Yusuke Suzuki <utatane.tea@gmail.com> | |
11715 | ||
11716 | HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols | |
11717 | https://bugs.webkit.org/show_bug.cgi?id=143947 | |
11718 | ||
11719 | Reviewed by Darin Adler. | |
11720 | ||
11721 | The type profiler has a map between PropertyKey (StringImpl*) and offset. | |
11722 | StringImpl* is also used for Symbol PropertyKeys. | |
11723 | So hash-table equality is determined by the interned StringImpl*'s pointer value. | |
11724 | To do so, use IdentifierRepHash instead of StringHash. | |
11725 | ||
11726 | * runtime/SymbolTable.h: | |
11727 | ||
11728 | 2015-04-20 Jordan Harband <ljharb@gmail.com> | |
11729 | ||
11730 | Implement `Object.is` | |
11731 | https://bugs.webkit.org/show_bug.cgi?id=143865 | |
11732 | ||
11733 | Reviewed by Darin Adler. | |
11734 | ||
11735 | Expose sameValue to JS, via Object.is | |
11736 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is | |
11737 | ||
11738 | * runtime/ObjectConstructor.cpp: | |
11739 | (JSC::objectConstructorIs): | |
11740 | * runtime/PropertyDescriptor.cpp: | |
11741 | (JSC::sameValue): | |
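
The SameValue algorithm that this entry exposes as Object.is, written out in plain JS as an added example (not JavaScriptCore's sameValue); `sameValue`, `PROBES`, `disagreements` and `matchesObjectIs` are names chosen here, and the probes are constructed for the demonstration.

```javascript
// Added example (not JavaScriptCore code): the ES6 SameValue algorithm in JS,
// so the cases where it differs from strict equality (===) can be checked
// against the native Object.is that this entry adds.
function sameValue(x, y) {
  // Values of different types are never the same value.
  if (typeof x !== typeof y) return false;
  if (typeof x === "number") {
    // Both NaN: the same value (=== says false).
    if (x !== x && y !== y) return true;
    // +0 and -0: distinct values (=== says true); 1/x tells the sign apart.
    if (x === 0 && y === 0) return 1 / x === 1 / y;
    return x === y;
  }
  // Strings, booleans, undefined, null, symbols, objects: plain identity.
  return x === y;
}

// Constructed probe pairs covering the edge cases and some ordinary ones.
const PROBES = [
  [NaN, NaN], [0, -0], [-0, 0], [0, 0], [1, 1], [1, "1"], ["a", "a"],
  [null, undefined], [null, null], [{}, {}],
];

// Probe pairs on which SameValue and === disagree (the NaN and signed-zero ones).
function disagreements() {
  return PROBES.filter(([a, b]) => sameValue(a, b) !== (a === b));
}

// True when the hand-written algorithm agrees with the engine's Object.is on every probe.
function matchesObjectIs() {
  return PROBES.every(([a, b]) => sameValue(a, b) === Object.is(a, b));
}
```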
11742 | ||
11743 | 2015-04-19 Darin Adler <darin@apple.com> | |
11744 | ||
11745 | Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore | |
11746 | https://bugs.webkit.org/show_bug.cgi?id=143941 | |
11747 | ||
11748 | Reviewed by Gyuyoung Kim. | |
11749 | ||
11750 | * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData. | |
11751 | * API/JSCallbackObjectFunctions.h: Ditto. | |
11752 | ||
11753 | * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the | |
11754 | create function and the constructor and for m_impl. | |
11755 | * API/ObjCCallbackFunction.mm: | |
11756 | (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this | |
11757 | class by using RetainPtr<Class>. | |
11758 | (ArgumentTypeDelegate::typeInteger): Use make_unique. | |
11759 | (ArgumentTypeDelegate::typeDouble): Ditto. | |
11760 | (ArgumentTypeDelegate::typeBool): Ditto. | |
11761 | (ArgumentTypeDelegate::typeVoid): Ditto. | |
11762 | (ArgumentTypeDelegate::typeId): Ditto. | |
11763 | (ArgumentTypeDelegate::typeOfClass): Ditto. | |
11764 | (ArgumentTypeDelegate::typeBlock): Ditto. | |
11765 | (ArgumentTypeDelegate::typeStruct): Ditto. | |
11766 | (ResultTypeDelegate::typeInteger): Ditto. | |
11767 | (ResultTypeDelegate::typeDouble): Ditto. | |
11768 | (ResultTypeDelegate::typeBool): Ditto. | |
11769 | (ResultTypeDelegate::typeVoid): Ditto. | |
11770 | (ResultTypeDelegate::typeId): Ditto. | |
11771 | (ResultTypeDelegate::typeOfClass): Ditto. | |
11772 | (ResultTypeDelegate::typeBlock): Ditto. | |
11773 | (ResultTypeDelegate::typeStruct): Ditto. | |
11774 | (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use | |
11775 | unique_ptr for the arguments to the constructor, m_arguments, and m_result. | |
11776 | Use RetainPtr<Class> for m_instanceClass. | |
11777 | (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0 | |
11778 | for non-Objective-C object pointer null. | |
11779 | (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for | |
11780 | the arguments to the constructor and for m_impl. | |
11781 | (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments. | |
11782 | (skipNumber): Mark this static since it's local to this source file. | |
11783 | (objCCallbackFunctionForInvocation): Call parseObjCType without doing any | |
11784 | explicit adoptPtr since the types in the traits are now unique_ptr. Also use | |
11785 | nullptr instead of nil for JSObjectRef values. | |
11786 | (objCCallbackFunctionForMethod): Tweaked comment. | |
11787 | (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef. | |
11788 | ||
11789 | * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h. | |
11790 | ||
11791 | * heap/GCThread.cpp: | |
11792 | (JSC::GCThread::GCThread): Use unique_ptr. | |
11793 | * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for | |
11794 | m_slotVisitor and m_copyVisitor. | |
11795 | * heap/GCThreadSharedData.cpp: | |
11796 | (JSC::GCThreadSharedData::GCThreadSharedData): Ditto. | |
11797 | ||
11798 | * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h. | |
11799 | ||
11800 | 2015-04-19 Benjamin Poulain <benjamin@webkit.org> | |
11801 | ||
11802 | Improve the feature.json files | |
11803 | ||
11804 | * features.json: | |
11805 | ||
11806 | 2015-04-19 Yusuke Suzuki <utatane.tea@gmail.com> | |
11807 | ||
11808 | Introduce bytecode intrinsics | |
11809 | https://bugs.webkit.org/show_bug.cgi?id=143926 | |
11810 | ||
11811 | Reviewed by Filip Pizlo. | |
11812 | ||
11813 | This patch introduces bytecode level intrinsics into builtins/*.js JS code. | |
11814 | When implementing functions in builtins/*.js, | |
11815 | sometimes we require lower level functionality. | |
11816 | ||
11817 | For example, in the current Array.from, we use `result[k] = value`. | |
11818 | The spec requires `[[DefineOwnProperty]]` operation here. | |
11819 | However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`) | |
11820 | So if we implement `Array.prototype[k]` getter/setter, the difference is observable. | |
11821 | ||
11822 | Ideally, reaching here, we would like to use put_by_val_direct bytecode. | |
11823 | However, there's no syntax to generate it directly. | |
11824 | ||
11825 | This patch introduces bytecode level intrinsics into JSC BytecodeCompiler. | |
11826 | Like @call and @apply, we introduce a new node, Intrinsic. | |
11827 | These are generated when calling appropriate private symbols in privileged code. | |
11828 | The AST parser detects them and generates Intrinsic nodes, and | |
11829 | the BytecodeCompiler detects those and generates the required bytecodes. | |
11830 | ||
11831 | Currently, the Array.from implementation works fine without this patch. | |
11832 | This is because when the target code is builtin JS, | |
11833 | BytecodeGenerator emits put_by_val_direct instead of put_by_val. | |
11834 | This solves the above issue. However, instead of solving this issue, | |
11835 | it raises another issue: there's no way to emit a `[[Set]]` operation. | |
11836 | The `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`). | |
11837 | So to implement it precisely, introducing bytecode level intrinsics is necessary. | |
11838 | ||
11839 | In the subsequent fixes, we'll remove that special path emitting put_by_val_direct | |
11840 | for `result[k] = value` under the builtin JS environment. Instead of that special handling, | |
11841 | we'll use bytecode intrinsics. It solves the problem and it is more intuitive | |
11842 | because JS code written in builtins works the same as usual JS code. | |
11843 | ||
11844 | * CMakeLists.txt: | |
11845 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
11846 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
11847 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
11848 | * builtins/ArrayConstructor.js: | |
11849 | (from): | |
11850 | * bytecode/BytecodeIntrinsicRegistry.cpp: Added. | |
11851 | (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): | |
11852 | (JSC::BytecodeIntrinsicRegistry::lookup): | |
11853 | * bytecode/BytecodeIntrinsicRegistry.h: Added. | |
11854 | * bytecompiler/NodesCodegen.cpp: | |
11855 | (JSC::BytecodeIntrinsicNode::emitBytecode): | |
11856 | (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect): | |
11857 | * parser/ASTBuilder.h: | |
11858 | (JSC::ASTBuilder::makeFunctionCallNode): | |
11859 | * parser/NodeConstructors.h: | |
11860 | (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode): | |
11861 | * parser/Nodes.h: | |
11862 | (JSC::BytecodeIntrinsicNode::identifier): | |
11863 | * runtime/CommonIdentifiers.cpp: | |
11864 | (JSC::CommonIdentifiers::CommonIdentifiers): | |
11865 | * runtime/CommonIdentifiers.h: | |
11866 | (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry): | |
11867 | * tests/stress/array-from-with-accessors.js: Added. | |
11868 | (shouldBe): | |
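
The observable difference between `[[Set]]` and `[[DefineOwnProperty]]` that this entry describes, as an added example in plain JS rather than JavaScriptCore's builtin code: `fillWithSet` and `fillWithDefine` are constructed stand-ins for a builtin written with `result[k] = value` and with the put_by_val_direct intrinsic, and the accessor installed on Array.prototype plays the role of the `Array.prototype[k]` getter/setter from the entry.

```javascript
// Added example (not JavaScriptCore code). An accessor on Array.prototype for
// index "0" is observable by any [[Set]] on an array that has no own "0":
// the setter runs instead of a data property being created.
// [[DefineOwnProperty]] ignores the prototype chain and creates the own
// property regardless, which is what the spec requires of Array.from.

// Stand-in for the builtin written as `result[k] = value` (a [[Set]]).
function fillWithSet(source) {
  const result = [];
  for (let k = 0; k < source.length; k++) {
    result[k] = source[k];
  }
  result.length = source.length; // "length" is a [[Set]] in the spec too
  return result;
}

// Stand-in for the builtin written with the put_by_val_direct intrinsic
// ([[DefineOwnProperty]], i.e. CreateDataPropertyOrThrow in the spec).
function fillWithDefine(source) {
  const result = [];
  for (let k = 0; k < source.length; k++) {
    Object.defineProperty(result, k, {
      value: source[k], writable: true, enumerable: true, configurable: true,
    });
  }
  result.length = source.length;
  return result;
}

// Runs `fill` while a constructed setter sits on Array.prototype[0], then
// removes the accessor again. Reports how often the setter fired and what the
// produced array really holds at index 0.
function observeWithPrototypeSetter(fill, source) {
  let setterCalls = 0;
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    get() { return undefined; },
    set(value) { setterCalls++; }, // swallows the value
  });
  try {
    const result = fill(source);
    return {
      setterCalls,
      ownZero: Object.prototype.hasOwnProperty.call(result, "0"),
      valueAtZero: result[0],
      length: result.length,
    };
  } finally {
    delete Array.prototype[0];
  }
}
```

Passing the engine's own `Array.from` as `fill` shows whether that builtin conforms: a spec-conforming implementation never reaches the prototype setter.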
11869 | ||
11870 | 2015-04-19 Yusuke Suzuki <utatane.tea@gmail.com> | |
11871 | ||
11872 | Make Builtin functions non constructible | |
11873 | https://bugs.webkit.org/show_bug.cgi?id=143923 | |
11874 | ||
11875 | Reviewed by Darin Adler. | |
11876 | ||
11877 | Builtin functions defined by builtins/*.js accidentally have [[Construct]]. | |
11878 | According to the spec, these functions, except for those explicitly defined as constructors, do not have [[Construct]]. | |
11879 | This patch fixes it. When the JS function used for a construction is a builtin function, throw a "not a constructor" error. | |
11880 | ||
11881 | Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough. | |
11882 | However, to avoid calling getConstructData (it involves an indirect call through the getConstructData function pointer), some places do not check ConstructType. | |
11883 | In these places, they only check that the target function is a JSFunction, because previously a JSFunction always had [[Construct]]. | |
11884 | So in this patch, we check `isBuiltinFunction()` in those places. | |
11885 | ||
11886 | * dfg/DFGByteCodeParser.cpp: | |
11887 | (JSC::DFG::ByteCodeParser::inliningCost): | |
11888 | * jit/JITOperations.cpp: | |
11889 | * llint/LLIntSlowPaths.cpp: | |
11890 | (JSC::LLInt::setUpCall): | |
11891 | * runtime/JSFunction.cpp: | |
11892 | (JSC::JSFunction::getConstructData): | |
11893 | * tests/stress/builtin-function-is-construct-type-none.js: Added. | |
11894 | (shouldThrow): | |
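
A way to probe, from JS, whether a function carries [[Construct]] without invoking it, as an added example (not the project's test or engine code); `isConstructor`, `newThrowsTypeError` and `classifyProbes` are names chosen here.

```javascript
// Added example (not JavaScriptCore code). Reflect.construct validates its
// newTarget argument before it calls anything, so passing the candidate as
// newTarget throws a TypeError exactly when the candidate lacks [[Construct]],
// while the harmless `String` target does the actual (side-effect free)
// allocation. This mirrors the getConstructData check the entry talks about.
function isConstructor(candidate) {
  if (typeof candidate !== "function") return false;
  try {
    Reflect.construct(String, [], candidate);
    return true;
  } catch (err) {
    if (err instanceof TypeError) return false;
    throw err;
  }
}

// The effect the patch makes observable: `new` on a non-constructor throws TypeError.
function newThrowsTypeError(fn) {
  try {
    new fn();
  } catch (err) {
    return err instanceof TypeError;
  }
  return false;
}

// Constructed probes: builtins that are not constructors (the case the entry
// fixes for builtins/*.js functions), real constructors, and other
// non-constructible function kinds from the language.
function classifyProbes() {
  class Klass {}
  function plain() {}
  const arrow = () => {};
  const method = { m() {} }.m;
  return {
    arrayFrom: isConstructor(Array.from),
    arrayMap: isConstructor(Array.prototype.map),
    mathMax: isConstructor(Math.max),
    arrayCtor: isConstructor(Array),
    klass: isConstructor(Klass),
    plain: isConstructor(plain),
    arrow: isConstructor(arrow),
    method: isConstructor(method),
    boundArrow: isConstructor(arrow.bind(null)),
    notAFunction: isConstructor(42),
  };
}
```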
11895 | ||
11896 | 2015-04-19 Yusuke Suzuki <utatane.tea@gmail.com> | |
11897 | ||
11898 | [ES6] Implement WeakSet | |
11899 | https://bugs.webkit.org/show_bug.cgi?id=142408 | |
11900 | ||
11901 | Reviewed by Darin Adler. | |
11902 | ||
11903 | This patch implements ES6 WeakSet. | |
11904 | The current implementation simply leverages WeakMapData with an undefined value. | |
11905 | This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch [1]. | |
11906 | ||
11907 | And in this patch, we also fix WeakMap/WeakSet behavior to conform to the ES6 spec. | |
11908 | Except for the adders (WeakMap.prototype.set/WeakSet.prototype.add), | |
11909 | methods return false (or undefined for WeakMap.prototype.get) | |
11910 | when a key is not an Object, instead of throwing a type error. | |
11911 | ||
11912 | [1]: https://bugs.webkit.org/show_bug.cgi?id=143919 | |
11913 | ||
11914 | * CMakeLists.txt: | |
11915 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
11916 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
11917 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
11918 | * runtime/CommonIdentifiers.h: | |
11919 | * runtime/JSGlobalObject.cpp: | |
11920 | * runtime/JSGlobalObject.h: | |
11921 | * runtime/JSWeakSet.cpp: Added. | |
11922 | (JSC::JSWeakSet::finishCreation): | |
11923 | (JSC::JSWeakSet::visitChildren): | |
11924 | * runtime/JSWeakSet.h: Added. | |
11925 | (JSC::JSWeakSet::createStructure): | |
11926 | (JSC::JSWeakSet::create): | |
11927 | (JSC::JSWeakSet::weakMapData): | |
11928 | (JSC::JSWeakSet::JSWeakSet): | |
11929 | * runtime/WeakMapPrototype.cpp: | |
11930 | (JSC::getWeakMapData): | |
11931 | (JSC::protoFuncWeakMapDelete): | |
11932 | (JSC::protoFuncWeakMapGet): | |
11933 | (JSC::protoFuncWeakMapHas): | |
11934 | * runtime/WeakSetConstructor.cpp: Added. | |
11935 | (JSC::WeakSetConstructor::finishCreation): | |
11936 | (JSC::callWeakSet): | |
11937 | (JSC::constructWeakSet): | |
11938 | (JSC::WeakSetConstructor::getConstructData): | |
11939 | (JSC::WeakSetConstructor::getCallData): | |
11940 | * runtime/WeakSetConstructor.h: Added. | |
11941 | (JSC::WeakSetConstructor::create): | |
11942 | (JSC::WeakSetConstructor::createStructure): | |
11943 | (JSC::WeakSetConstructor::WeakSetConstructor): | |
11944 | * runtime/WeakSetPrototype.cpp: Added. | |
11945 | (JSC::WeakSetPrototype::finishCreation): | |
11946 | (JSC::getWeakMapData): | |
11947 | (JSC::protoFuncWeakSetDelete): | |
11948 | (JSC::protoFuncWeakSetHas): | |
11949 | (JSC::protoFuncWeakSetAdd): | |
11950 | * runtime/WeakSetPrototype.h: Added. | |
11951 | (JSC::WeakSetPrototype::create): | |
11952 | (JSC::WeakSetPrototype::createStructure): | |
11953 | (JSC::WeakSetPrototype::WeakSetPrototype): | |
11954 | * tests/stress/weak-set-constructor-adder.js: Added. | |
11955 | (WeakSet.prototype.add): | |
11956 | * tests/stress/weak-set-constructor.js: Added. | |
11957 | ||
11958 | 2015-04-17 Alexey Proskuryakov <ap@apple.com> | |
11959 | ||
11960 | Remove unused BoundsCheckedPointer | |
11961 | https://bugs.webkit.org/show_bug.cgi?id=143896 | |
11962 | ||
11963 | Reviewed by Geoffrey Garen. | |
11964 | ||
11965 | * bytecode/SpeculatedType.cpp: The header was included here. | |
11966 | ||
11967 | 2015-04-17 Yusuke Suzuki <utatane.tea@gmail.com> | |
11968 | ||
11969 | [ES6] Fix name enumeration of static functions for Symbol constructor | |
11970 | https://bugs.webkit.org/show_bug.cgi?id=143891 | |
11971 | ||
11972 | Reviewed by Geoffrey Garen. | |
11973 | ||
11974 | Fix missing symbolPrototypeTable registration to the js class object. | |
11975 | This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor. | |
11976 | ||
11977 | * runtime/SymbolConstructor.cpp: | |
11978 | ||
11979 | 2015-04-17 Basile Clement <basile_clement@apple.com> | |
11980 | ||
11981 | Inline JSFunction allocation in DFG | |
11982 | https://bugs.webkit.org/show_bug.cgi?id=143858 | |
11983 | ||
11984 | Reviewed by Filip Pizlo. | |
11985 | ||
11986 | Followup to my previous patch which inlines JSFunction allocation when | |
11987 | using FTL, now also enabled in DFG. | |
11988 | ||
11989 | * dfg/DFGSpeculativeJIT.cpp: | |
11990 | (JSC::DFG::SpeculativeJIT::compileNewFunction): | |
11991 | ||
11992 | 2015-04-16 Jordan Harband <ljharb@gmail.com> | |
11993 | ||
11994 | Number.parseInt is not === global parseInt in nightly r182673 | |
11995 | https://bugs.webkit.org/show_bug.cgi?id=143799 | |
11996 | ||
11997 | Reviewed by Darin Adler. | |
11998 | ||
11999 | Ensuring parseInt === Number.parseInt, per spec | |
12000 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint | |
12001 | ||
12002 | * runtime/CommonIdentifiers.h: | |
12003 | * runtime/JSGlobalObject.cpp: | |
12004 | (JSC::JSGlobalObject::init): | |
12005 | * runtime/JSGlobalObject.h: | |
12006 | (JSC::JSGlobalObject::parseIntFunction): | |
12007 | * runtime/NumberConstructor.cpp: | |
12008 | (JSC::NumberConstructor::finishCreation): | |
12009 | ||
12010 | 2015-04-16 Mark Lam <mark.lam@apple.com> | |
12011 | ||
12012 | Gardening: fix CLOOP build after r182927. | |
12013 | ||
12014 | Not reviewed. | |
12015 | ||
12016 | * interpreter/StackVisitor.cpp: | |
12017 | (JSC::StackVisitor::Frame::print): | |
12018 | ||
12019 | 2015-04-16 Basile Clement <basile_clement@apple.com> | |
12020 | ||
12021 | Inline JSFunction allocation in FTL | |
12022 | https://bugs.webkit.org/show_bug.cgi?id=143851 | |
12023 | ||
12024 | Reviewed by Filip Pizlo. | |
12025 | ||
12026 | JSFunction allocation is a simple operation that should be inlined when possible. | |
12027 | ||
12028 | * ftl/FTLAbstractHeapRepository.h: | |
12029 | * ftl/FTLLowerDFGToLLVM.cpp: | |
12030 | (JSC::FTL::LowerDFGToLLVM::compileNewFunction): | |
12031 | * runtime/JSFunction.h: | |
12032 | (JSC::JSFunction::allocationSize): | |
12033 | ||
12034 | 2015-04-16 Mark Lam <mark.lam@apple.com> | |
12035 | ||
12036 | Add $vm debugging tool. | |
12037 | https://bugs.webkit.org/show_bug.cgi?id=143809 | |
12038 | ||
12039 | Reviewed by Geoffrey Garen. | |
12040 | ||
12041 | For debugging VM bugs, it would be useful to be able to dump VM data structures | |
12042 | from JS code that we instrument. To this end, let's introduce a | |
12043 | JSC_enableDollarVM option that, if true, installs an $vm property into each JS | |
12044 | global object at creation time. The $vm property refers to an object that | |
12045 | provides a collection of useful utility functions. For this initial | |
12046 | implementation, $vm will have the following: | |
12047 | ||
12048 | crash() - trigger an intentional crash. | |
12049 | ||
12050 | dfgTrue() - returns true if the current function is DFG compiled, else returns false. | |
12051 | jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false. | |
12052 | llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false. | |
12053 | ||
12054 | gc() - runs a full GC. | |
12055 | edenGC() - runs an eden GC. | |
12056 | ||
12057 | codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc). | |
12058 | printSourceFor(codeBlock) - prints the source code for the codeBlock. | |
12059 | printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock. | |
12060 | ||
12061 | print(str) - prints a string to dataLog output. | |
12062 | printCallFrame() - prints the current CallFrame. | |
12063 | printStack() - prints the JS stack. | |
12064 | printInternal(value) - prints the JSC internal info for the specified value. | |
12065 | ||
12066 | With JSC_enableDollarVM=true, JS code can use the above functions like so: | |
12067 | ||
12068 | $vm.print("Using $vm features\n"); | |
12069 | ||
12070 | * CMakeLists.txt: | |
12071 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
12072 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
12073 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12074 | * bytecode/CodeBlock.cpp: | |
12075 | (JSC::CodeBlock::printCallOp): | |
12076 | - FTL compiled functions don't like it when we try to compute the CallLinkStatus. | |
12077 | Hence, we skip this step if we're dumping an FTL codeBlock. | |
12078 | ||
12079 | * heap/Heap.cpp: | |
12080 | (JSC::Heap::collectAndSweep): | |
12081 | (JSC::Heap::collectAllGarbage): Deleted. | |
12082 | * heap/Heap.h: | |
12083 | (JSC::Heap::collectAllGarbage): | |
12084 | - Add ability to do an Eden collection and sweep. | |
12085 | ||
12086 | * interpreter/StackVisitor.cpp: | |
12087 | (JSC::printIndents): | |
12088 | (JSC::log): | |
12089 | (JSC::logF): | |
12090 | (JSC::StackVisitor::Frame::print): | |
12091 | (JSC::jitTypeName): Deleted. | |
12092 | (JSC::printif): Deleted. | |
12093 | - Modernize the implementation of StackVisitor::Frame::print(), and remove some | |
12094 | now redundant code. | |
12095 | - Also fix it so that it downgrades gracefully when encountering inlined DFG | |
12096 | and compiled FTL functions. | |
12097 | ||
12098 | (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted. | |
12099 | (DebugPrintFrameFunctor::operator()): Deleted. | |
12100 | (debugPrintCallFrame): Deleted. | |
12101 | (debugPrintStack): Deleted. | |
12102 | - these have been moved into JSDollarVMPrototype.cpp. | |
12103 | ||
12104 | * interpreter/StackVisitor.h: | |
12105 | - StackVisitor::Frame::print() is now enabled for release builds as well so that | |
12106 | we can call it from $vm. | |
12107 | ||
12108 | * runtime/JSGlobalObject.cpp: | |
12109 | (JSC::JSGlobalObject::init): | |
12110 | (JSC::JSGlobalObject::visitChildren): | |
12111 | * runtime/JSGlobalObject.h: | |
12112 | - Added the $vm instance to global objects conditional on the JSC_enableDollarVM | |
12113 | option. | |
12114 | ||
12115 | * runtime/Options.h: | |
12116 | - Added the JSC_enableDollarVM option. | |
12117 | ||
12118 | * tools/JSDollarVM.cpp: Added. | |
12119 | * tools/JSDollarVM.h: Added. | |
12120 | (JSC::JSDollarVM::createStructure): | |
12121 | (JSC::JSDollarVM::create): | |
12122 | (JSC::JSDollarVM::JSDollarVM): | |
12123 | ||
12124 | * tools/JSDollarVMPrototype.cpp: Added. | |
12125 | - This file contains 2 sets of functions: | |
12126 | ||
12127 | a. a C++ implementation of debugging utility functions that are callable when | |
12128 | doing debugging from lldb. To the extent possible, these functions try to | |
12129 | be cautious and not cause unintended crashes should the user call them with | |
12130 | the wrong info. Hence, they are designed to be robust rather than speedy. | |
12131 | ||
12132 | b. the native implementations of JS functions in the $vm object. Where there | |
12133 | is overlapping functionality, these are built on top of the C++ functions | |
12134 | above to do the work. | |
12135 | ||
12136 | Note: it does not make sense for all of the $vm functions to have a C++ | |
12137 | counterpart for lldb debugging. For example, the $vm.dfgTrue() function is | |
12138 | only useful for JS code, and works via the DFG intrinsics mechanism. | |
12139 | When doing debugging via lldb, the optimization level of the currently | |
12140 | executing JS function can be gotten by dumping the current CallFrame instead. | |
12141 | ||
12142 | (JSC::currentThreadOwnsJSLock): | |
12143 | (JSC::ensureCurrentThreadOwnsJSLock): | |
12144 | (JSC::JSDollarVMPrototype::addFunction): | |
12145 | (JSC::functionCrash): - $vm.crash() | |
12146 | (JSC::functionDFGTrue): - $vm.dfgTrue() | |
12147 | (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): | |
12148 | (JSC::CallerFrameJITTypeFunctor::operator()): | |
12149 | (JSC::CallerFrameJITTypeFunctor::jitType): | |
12150 | (JSC::functionLLintTrue): - $vm.llintTrue() | |
12151 | (JSC::functionJITTrue): - $vm.jitTrue() | |
12152 | (JSC::gc): | |
12153 | (JSC::functionGC): - $vm.gc() | |
12154 | (JSC::edenGC): | |
12155 | (JSC::functionEdenGC): - $vm.edenGC() | |
12156 | (JSC::isValidCodeBlock): | |
12157 | (JSC::codeBlockForFrame): | |
12158 | (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber) | |
12159 | (JSC::codeBlockFromArg): | |
12160 | (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock) | |
12161 | (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock) | |
12162 | (JSC::functionPrint): - $vm.print(str) | |
12163 | (JSC::PrintFrameFunctor::PrintFrameFunctor): | |
12164 | (JSC::PrintFrameFunctor::operator()): | |
12165 | (JSC::printCallFrame): | |
12166 | (JSC::printStack): | |
12167 | (JSC::functionPrintCallFrame): - $vm.printCallFrame() | |
12168 | (JSC::functionPrintStack): - $vm.printStack() | |
12169 | (JSC::printValue): | |
12170 | (JSC::functionPrintValue): - $vm.printValue() | |
12171 | (JSC::JSDollarVMPrototype::finishCreation): | |
12172 | * tools/JSDollarVMPrototype.h: Added. | |
12173 | (JSC::JSDollarVMPrototype::create): | |
12174 | (JSC::JSDollarVMPrototype::createStructure): | |
12175 | (JSC::JSDollarVMPrototype::JSDollarVMPrototype): | |
12176 | ||
12177 | 2015-04-16 Geoffrey Garen <ggaren@apple.com> | |
12178 | ||
12179 | Speculative fix after r182915 | |
12180 | https://bugs.webkit.org/show_bug.cgi?id=143404 | |
12181 | ||
12182 | Reviewed by Alexey Proskuryakov. | |
12183 | ||
12184 | * runtime/SymbolConstructor.h: | |
12185 | ||
12186 | 2015-04-16 Mark Lam <mark.lam@apple.com> | |
12187 | ||
12188 | Fixed some typos in a comment. | |
12189 | ||
12190 | Not reviewed. | |
12191 | ||
12192 | * dfg/DFGGenerationInfo.h: | |
12193 | ||
12194 | 2015-04-16 Yusuke Suzuki <utatane.tea@gmail.com> | |
12195 | ||
12196 | [ES6] Implement Symbol.for and Symbol.keyFor | |
12197 | https://bugs.webkit.org/show_bug.cgi?id=143404 | |
12198 | ||
12199 | Reviewed by Geoffrey Garen. | |
12200 | ||
12201 | This patch implements Symbol.for and Symbol.keyFor. | |
12202 | SymbolRegistry maintains registered StringImpl* symbols. | |
12203 | And to make this mapping enabled over realms, | |
12204 | VM owns this mapping (not JSGlobalObject). | |
12205 | ||
12206 | While there's a default AtomicStringTable per thread, | |
12207 | a SymbolRegistry should not exist across VMs. | |
12208 | So every time a VM is created, a SymbolRegistry is also created. | |
12209 | ||
12210 | In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design). | |
12211 | There are several reasons. | |
12212 | 1. StringImpl*, which represents the identity of a Symbol, is not a GC-managed object. | |
12213 | So we cannot use WeakGCMap directly. | |
12214 | While Symbol* is a GC-managed object, holding a weak reference to a Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users), | |
12215 | because distinct Symbol* can exist. | |
12216 | A distinct Symbol* means a Symbol* object whose pointer value (Symbol*) differs from the weakly referenced Symbol* but whose held StringImpl* is the same. | |
12217 | ||
12218 | 2. We don't use WTF::WeakPtr. If we add a WeakPtrFactory as a StringImpl member, we can track the StringImpl*'s liveness by WeakPtr. | |
12219 | However, there's a problem about when we prune stale entries in the SymbolRegistry. | |
12220 | The memory allocated for the Symbol is typically occupied by the symbolized StringImpl*'s content, | |
12221 | and it is not in the GC heap. | |
12222 | While heavily registering Symbols and storing StringImpl* into the SymbolRegistry, the Heap's EdenSpace is not so occupied. | |
12223 | So the GC typically attempts to perform an EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback. | |
12224 | As a result, before the stale entries in the SymbolRegistry are pruned, fast malloc-ed memory fills up the system memory. | |
12225 | ||
12226 | So instead of using a weak reference, we take a relatively easy design. | |
12227 | When we register a symbolized StringImpl* into the SymbolRegistry, the symbolized StringImpl* is aware of that. | |
12228 | And when it is destructed, it removes its reference from the SymbolRegistry, as an atomic StringImpl does with the AtomicStringTable. | |
12229 | ||
12230 | * CMakeLists.txt: | |
12231 | * DerivedSources.make: | |
12232 | * runtime/SymbolConstructor.cpp: | |
12233 | (JSC::SymbolConstructor::getOwnPropertySlot): | |
12234 | (JSC::symbolConstructorFor): | |
12235 | (JSC::symbolConstructorKeyFor): | |
12236 | * runtime/SymbolConstructor.h: | |
12237 | * runtime/VM.cpp: | |
12238 | * runtime/VM.h: | |
12239 | (JSC::VM::symbolRegistry): | |
12240 | * tests/stress/symbol-registry.js: Added. | |
12241 | (test): | |
12242 | ||
12243 | 2015-04-16 Yusuke Suzuki <utatane.tea@gmail.com> | |
12244 | ||
12245 | [ES6] Use specific functions for @@iterator functions | |
12246 | https://bugs.webkit.org/show_bug.cgi?id=143838 | |
12247 | ||
12248 | Reviewed by Geoffrey Garen. | |
12249 | ||
12250 | In ES6, some methods are defined under different names. | |
12251 | ||
12252 | For example, | |
12253 | ||
12254 | Map.prototype[Symbol.iterator] === Map.prototype.entries | |
12255 | Set.prototype[Symbol.iterator] === Set.prototype.values | |
12256 | Array.prototype[Symbol.iterator] === Array.prototype.values | |
12257 | %Arguments%[Symbol.iterator] === Array.prototype.values | |
12258 | ||
12259 | However, the current implementation creates different function objects per name. | |
12260 | This patch fixes it by setting the object that is used for the other method to @@iterator. | |
12261 | e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator]. | |
12262 | ||
12263 | And we drop Arguments' iterator implementation and replace the Argument[@@iterator] implementation | |
12264 | with Array.prototype.values to conform to the spec. | |
12265 | ||
12266 | * CMakeLists.txt: | |
12267 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
12268 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
12269 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12270 | * inspector/JSInjectedScriptHost.cpp: | |
12271 | (Inspector::JSInjectedScriptHost::subtype): | |
12272 | (Inspector::JSInjectedScriptHost::getInternalProperties): | |
12273 | (Inspector::JSInjectedScriptHost::iteratorEntries): | |
12274 | * runtime/ArgumentsIteratorConstructor.cpp: Removed. | |
12275 | * runtime/ArgumentsIteratorConstructor.h: Removed. | |
12276 | * runtime/ArgumentsIteratorPrototype.cpp: Removed. | |
12277 | * runtime/ArgumentsIteratorPrototype.h: Removed. | |
12278 | * runtime/ArrayPrototype.cpp: | |
12279 | (JSC::ArrayPrototype::finishCreation): | |
12280 | * runtime/ArrayPrototype.h: | |
12281 | * runtime/ClonedArguments.cpp: | |
12282 | (JSC::ClonedArguments::getOwnPropertySlot): | |
12283 | (JSC::ClonedArguments::put): | |
12284 | (JSC::ClonedArguments::deleteProperty): | |
12285 | (JSC::ClonedArguments::defineOwnProperty): | |
12286 | (JSC::ClonedArguments::materializeSpecials): | |
12287 | * runtime/ClonedArguments.h: | |
12288 | * runtime/CommonIdentifiers.h: | |
12289 | * runtime/DirectArguments.cpp: | |
12290 | (JSC::DirectArguments::overrideThings): | |
12291 | * runtime/GenericArgumentsInlines.h: | |
12292 | (JSC::GenericArguments<Type>::getOwnPropertySlot): | |
12293 | (JSC::GenericArguments<Type>::getOwnPropertyNames): | |
12294 | (JSC::GenericArguments<Type>::put): | |
12295 | (JSC::GenericArguments<Type>::deleteProperty): | |
12296 | (JSC::GenericArguments<Type>::defineOwnProperty): | |
12297 | * runtime/JSArgumentsIterator.cpp: Removed. | |
12298 | * runtime/JSArgumentsIterator.h: Removed. | |
12299 | * runtime/JSGlobalObject.cpp: | |
12300 | (JSC::JSGlobalObject::init): | |
12301 | (JSC::JSGlobalObject::visitChildren): | |
12302 | * runtime/JSGlobalObject.h: | |
12303 | (JSC::JSGlobalObject::arrayProtoValuesFunction): | |
12304 | * runtime/MapPrototype.cpp: | |
12305 | (JSC::MapPrototype::finishCreation): | |
12306 | * runtime/ScopedArguments.cpp: | |
12307 | (JSC::ScopedArguments::overrideThings): | |
12308 | * runtime/SetPrototype.cpp: | |
12309 | (JSC::SetPrototype::finishCreation): | |
12310 | * tests/stress/arguments-iterator.js: Added. | |
12311 | (test): | |
12312 | (testArguments): | |
12313 | * tests/stress/iterator-functions.js: Added. | |
12314 | (test): | |
12315 | (argumentsTests): | |
12316 | ||
12317 | 2015-04-14 Mark Lam <mark.lam@apple.com> | |
12318 | ||
12319 | Add JSC_functionOverrides=<overrides file> debugging tool. | |
12320 | https://bugs.webkit.org/show_bug.cgi?id=143717 | |
12321 | ||
12322 | Reviewed by Geoffrey Garen. | |
12323 | ||
12324 | This tool allows us to do runtime replacement of function bodies with alternatives | |
12325 | for debugging purposes. For example, this is useful when we need to debug VM bugs | |
12326 | which manifest in scripts executing in webpages downloaded from remote servers | |
12327 | that we don't control. The tool allows us to augment those scripts with logging | |
12328 | or test code to help isolate the bugs. | |
12329 | ||
12330 | This tool works by substituting the SourceCode at FunctionExecutable creation | |
12331 | time. It identifies which SourceCode to substitute by comparing the source | |
12332 | string against keys in a set of key value pairs. | |
12333 | ||
12334 | The keys are function body strings defined by 'override' clauses in the overrides | |
12335 | file specified in the JSC_functionOverrides option. The values are function | |
12336 | body strings defined by 'with' clauses in the overrides file. | |
12337 | See comment blob at top of FunctionOverrides.cpp on the formatting | |
12338 | of the overrides file. | |
12339 | ||
12340 | At FunctionExecutable creation time, if the SourceCode string matches one of the | |
12341 | 'override' keys from the overrides file, the tool will replace the SourceCode with | |
12342 | a new one based on the corresponding 'with' value string. The FunctionExecutable | |
12343 | will then be created with the new SourceCode instead. | |
12344 | ||
12345 | Some design decisions: | |
12346 | 1. We opted to require that the 'with' clause appear on a separate line from the | |
12347 | 'override' clause because this makes it easier to read and write when the | |
12348 | 'override' clause's function body is single lined and long. | |
12349 | ||
12350 | 2. The user can use any sequence of characters for the delimiter (except for '{', | |
12351 | '}' and white space characters) because this ensures that there can always be | |
12352 | some delimiter pattern that does not appear in the function body in the clause | |
12353 | e.g. in the body of strings in the JS code. | |
12354 | ||
12355 | '{' and '}' are disallowed because they are used to mark the boundaries of the | |
12356 | function body string. White space characters are disallowed because they can | |
12357 | be error prone (the user may not be able to tell between spaces and tabs). | |
12358 | ||
12359 | 3. The start and end delimiter must be an identical sequence of characters. | |
12360 | ||
12361 | I had considered allowing the use of complementary characters like <>, [], and | |
12362 | () for making delimiter pairs like: | |
12363 | [[[[ ... ]]]] | |
12364 | <[([( ... )])]> | |
12365 | ||
12366 | But in the end, decided against it because: | |
12367 | a. These sequences of complementary characters can exist in JS code. | |
12368 | In contrast, a repeating delimiter like %%%% is unlikely to appear in JS | |
12369 | code. | |
12370 | b. It can be error prone for the user to have to type the exact complement | |
12371 | character for the end delimiter in reverse order. | |
12372 | In contrast, a repeating delimiter like %%%% is much easier to type and | |
12373 | less error prone. Even a sequence like @#$%^ is less error prone than | |
12374 | a complementary sequence because it can be copy-pasted, and need not be | |
12375 | typed in reverse order. | |
12376 | c. It is easier to parse for the same delimiter string for both start and end. | |
12377 | ||
12378 | 4. The tool does a lot of checks for syntax errors in the overrides file because | |
12379 | we don't want any overrides to fail silently. If a syntax error is detected, | |
12380 | the tool will print an error message and call exit(). This avoids the user | |
12381 | wasting time doing debugging only to be surprised later that their specified | |
12382 | overrides did not take effect because of some unnoticed typo. | |
12383 | ||
12384 | * CMakeLists.txt: | |
12385 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
12386 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
12387 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12388 | * bytecode/UnlinkedCodeBlock.cpp: | |
12389 | (JSC::UnlinkedFunctionExecutable::link): | |
12390 | * runtime/Executable.h: | |
12391 | * runtime/Options.h: | |
12392 | * tools/FunctionOverrides.cpp: Added. | |
12393 | (JSC::FunctionOverrides::overrides): | |
12394 | (JSC::FunctionOverrides::FunctionOverrides): | |
12395 | (JSC::initializeOverrideInfo): | |
12396 | (JSC::FunctionOverrides::initializeOverrideFor): | |
12397 | (JSC::hasDisallowedCharacters): | |
12398 | (JSC::parseClause): | |
12399 | (JSC::FunctionOverrides::parseOverridesInFile): | |
12400 | * tools/FunctionOverrides.h: Added. | |
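A parser for the overrides file as the entry describes it, added here as an example and not the WebKit tool's own code: it enforces the separate-line rule for 'with', the delimiter restrictions (no '{', '}' or whitespace), identical start and end delimiters, and fails loudly on any syntax error. The exact clause layout (keyword, delimiter, '{' body '}', delimiter) and the sample file contents are assumptions; the authoritative format is in the comment block at the top of FunctionOverrides.cpp.

```javascript
'use strict';

// Added example, not the WebKit tool's own code. It models the overrides-file
// rules from the ChangeLog: 'override' holds the body to match, 'with' (on its
// own line) holds the replacement, the delimiter may not contain '{', '}' or
// whitespace, start and end delimiters are identical, and any syntax error is
// fatal (the real tool prints a message and calls exit(); this throws instead).
// Assumed clause layout:  <keyword> <delim>{<body>}<delim>

const DISALLOWED_IN_DELIMITER = /[{}\s]/;

// 1-based line number of `pos` in `text`, for error messages.
function lineOf(text, pos) {
  return text.slice(0, pos).split('\n').length;
}

function skipWhitespace(text, pos) {
  while (pos < text.length && /\s/.test(text[pos])) pos++;
  return pos;
}

// Parse `<keyword> <delim>{<body>}<delim>` starting at `pos`.
// Returns { body, next } where `next` is the index just past the end delimiter.
function parseClause(text, pos, keyword) {
  const line = lineOf(text, pos);
  if (!text.startsWith(keyword, pos)) {
    throw new SyntaxError(`line ${line}: expected '${keyword}' clause`);
  }
  pos += keyword.length;
  while (pos < text.length && (text[pos] === ' ' || text[pos] === '\t')) pos++;
  const open = text.indexOf('{', pos);
  if (open < 0) throw new SyntaxError(`line ${line}: missing '{' in '${keyword}' clause`);
  const delimiter = text.slice(pos, open);
  if (delimiter.length === 0 || DISALLOWED_IN_DELIMITER.test(delimiter)) {
    throw new SyntaxError(
      `line ${line}: delimiter must be non-empty and contain no '{', '}' or whitespace`);
  }
  // The body ends at the first '}' immediately followed by the same delimiter.
  const endMarker = '}' + delimiter;
  const close = text.indexOf(endMarker, open + 1);
  if (close < 0) {
    throw new SyntaxError(`line ${line}: '${keyword}' body not terminated by '${endMarker}'`);
  }
  return { body: text.slice(open + 1, close), next: close + endMarker.length };
}

// Only trailing blanks may follow a clause on its line: this is what forces the
// 'with' clause onto a separate line and rejects stray text after a clause.
function requireEndOfLine(text, pos, what) {
  while (pos < text.length && (text[pos] === ' ' || text[pos] === '\t')) pos++;
  if (pos >= text.length) return pos;
  if (text[pos] === '\n') return pos + 1;
  throw new SyntaxError(`line ${lineOf(text, pos)}: unexpected text after ${what}`);
}

// Parse a whole overrides file into a Map from original body to replacement.
function parseOverrides(text) {
  const overrides = new Map();
  let pos = 0;
  for (;;) {
    pos = skipWhitespace(text, pos);
    if (pos >= text.length) break;
    const key = parseClause(text, pos, 'override');
    pos = requireEndOfLine(text, key.next, "'override' clause ('with' needs its own line)");
    pos = skipWhitespace(text, pos);
    const value = parseClause(text, pos, 'with');
    pos = requireEndOfLine(text, value.next, "'with' clause");
    overrides.set(key.body, value.body);
  }
  return overrides;
}

// What the tool does at FunctionExecutable creation time: exact comparison of
// the source body against the keys; bodies with no match are left unchanged.
function substitute(overrides, sourceBody) {
  return overrides.has(sourceBody) ? overrides.get(sourceBody) : sourceBody;
}

// Constructed sample file: a multi-line body with a repeating delimiter and a
// single-line body with the '@#$%^' style delimiter the entry mentions.
const SAMPLE_OVERRIDES = [
  'override %%%{',
  '    return a + b;',
  '}%%%',
  'with %%%{',
  '    print("add called"); return a + b;',
  '}%%%',
  '',
  'override @#$%^{ return x * 2; }@#$%^',
  'with @#$%^{ return x * 3; }@#$%^',
].join('\n');

const SAMPLE_TABLE = parseOverrides(SAMPLE_OVERRIDES);
console.log(`${SAMPLE_TABLE.size} override(s) loaded`);
```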
12401 | ||
12402 | 2015-04-16 Basile Clement <basile_clement@apple.com> | |
12403 | ||
12404 | Extract the allocation profile from JSFunction into a rare object | |
12405 | https://bugs.webkit.org/show_bug.cgi?id=143807 | |
12406 | ||
12407 | Reviewed by Filip Pizlo. | |
12408 | ||
12409 | The allocation profile is only needed for those functions that are used | |
12410 | to create objects with [new]. | |
12411 | Extracting it into its own JSCell removes the need for JSFunction and | |
12412 | JSCallee to be JSDestructibleObjects, which should improve performance in most | |
12413 | cases at the cost of an extra pointer dereference when the allocation profile | |
12414 | is actually needed. | |
12415 | ||
12416 | * CMakeLists.txt: | |
12417 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
12418 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
12419 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12420 | * dfg/DFGOperations.cpp: | |
12421 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
12422 | (JSC::DFG::SpeculativeJIT::compile): | |
12423 | * dfg/DFGSpeculativeJIT64.cpp: | |
12424 | (JSC::DFG::SpeculativeJIT::compile): | |
12425 | * jit/JITOpcodes.cpp: | |
12426 | (JSC::JIT::emit_op_create_this): | |
12427 | * jit/JITOpcodes32_64.cpp: | |
12428 | (JSC::JIT::emit_op_create_this): | |
12429 | * llint/LowLevelInterpreter32_64.asm: | |
12430 | * llint/LowLevelInterpreter64.asm: | |
12431 | * runtime/CommonSlowPaths.cpp: | |
12432 | (JSC::SLOW_PATH_DECL): | |
12433 | * runtime/FunctionRareData.cpp: Added. | |
12434 | (JSC::FunctionRareData::create): | |
12435 | (JSC::FunctionRareData::destroy): | |
12436 | (JSC::FunctionRareData::createStructure): | |
12437 | (JSC::FunctionRareData::visitChildren): | |
12438 | (JSC::FunctionRareData::FunctionRareData): | |
12439 | (JSC::FunctionRareData::~FunctionRareData): | |
12440 | (JSC::FunctionRareData::finishCreation): | |
12441 | * runtime/FunctionRareData.h: Added. | |
12442 | (JSC::FunctionRareData::offsetOfAllocationProfile): | |
12443 | (JSC::FunctionRareData::allocationProfile): | |
12444 | (JSC::FunctionRareData::allocationStructure): | |
12445 | (JSC::FunctionRareData::allocationProfileWatchpointSet): | |
12446 | * runtime/JSBoundFunction.cpp: | |
12447 | (JSC::JSBoundFunction::destroy): Deleted. | |
12448 | * runtime/JSBoundFunction.h: | |
12449 | * runtime/JSCallee.cpp: | |
12450 | (JSC::JSCallee::destroy): Deleted. | |
12451 | * runtime/JSCallee.h: | |
12452 | * runtime/JSFunction.cpp: | |
12453 | (JSC::JSFunction::JSFunction): | |
12454 | (JSC::JSFunction::createRareData): | |
12455 | (JSC::JSFunction::visitChildren): | |
12456 | (JSC::JSFunction::put): | |
12457 | (JSC::JSFunction::defineOwnProperty): | |
12458 | (JSC::JSFunction::destroy): Deleted. | |
12459 | (JSC::JSFunction::createAllocationProfile): Deleted. | |
12460 | * runtime/JSFunction.h: | |
12461 | (JSC::JSFunction::offsetOfRareData): | |
12462 | (JSC::JSFunction::rareData): | |
12463 | (JSC::JSFunction::allocationStructure): | |
12464 | (JSC::JSFunction::allocationProfileWatchpointSet): | |
12465 | (JSC::JSFunction::offsetOfAllocationProfile): Deleted. | |
12466 | (JSC::JSFunction::allocationProfile): Deleted. | |
12467 | * runtime/JSFunctionInlines.h: | |
12468 | (JSC::JSFunction::JSFunction): | |
12469 | * runtime/VM.cpp: | |
12470 | (JSC::VM::VM): | |
12471 | * runtime/VM.h: | |
12472 | ||
12473 | 2015-04-16 Csaba Osztrogonác <ossy@webkit.org> | |
12474 | ||
12475 | Remove the unnecessary WTF_CHANGES define | |
12476 | https://bugs.webkit.org/show_bug.cgi?id=143825 | |
12477 | ||
12478 | Reviewed by Andreas Kling. | |
12479 | ||
12480 | * config.h: | |
12481 | ||
12482 | 2015-04-15 Andreas Kling <akling@apple.com> | |
12483 | ||
12484 | Make MarkedBlock and WeakBlock 4x smaller. | |
12485 | <https://webkit.org/b/143802> | |
12486 | ||
12487 | Reviewed by Mark Hahnenberg. | |
12488 | ||
12489 | To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock | |
12490 | and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB. | |
12491 | ||
12492 | In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size. | |
12493 | Some examples: | |
12494 | ||
12495 | apple.com: 6.3MB -> 5.5MB (14.5% smaller) | |
12496 | reddit.com: 4.5MB -> 4.1MB ( 9.7% smaller) | |
12497 | twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller) | |
12498 | cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller) | |
12499 | ||
12500 | Benchmarks look mostly neutral. | |
12501 | Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider. | |
12502 | ||
12503 | * heap/MarkedBlock.h: | |
12504 | * heap/WeakBlock.h: | |
12505 | * llint/LLIntData.cpp: | |
12506 | (JSC::LLInt::Data::performAssertions): | |
12507 | * llint/LowLevelInterpreter.asm: | |
12508 | ||
12509 | 2015-04-15 Jordan Harband <ljharb@gmail.com> | |
12510 | ||
12511 | String.prototype.startsWith/endsWith/includes have wrong length in r182673 | |
12512 | https://bugs.webkit.org/show_bug.cgi?id=143659 | |
12513 | ||
12514 | Reviewed by Benjamin Poulain. | |
12515 | ||
12516 | Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec | |
12517 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes | |
12518 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith | |
12519 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith | |
12520 | ||
12521 | * runtime/StringPrototype.cpp: | |
12522 | (JSC::StringPrototype::finishCreation): | |
12523 | ||
12524 | 2015-04-15 Mark Lam <mark.lam@apple.com> | |
12525 | ||
12526 | Remove obsolete VMInspector debugging tool. | |
12527 | https://bugs.webkit.org/show_bug.cgi?id=143798 | |
12528 | ||
12529 | Reviewed by Michael Saboff. | |
12530 | ||
12531 | I added the VMInspector tool 3 years ago to aid in VM hacking work. Some of it | |
12532 | has bit rotted, and now the VM also has better ways to achieve its functionality. | |
12533 | Hence this code is now obsolete and should be removed. | |
12534 | ||
12535 | * CMakeLists.txt: | |
12536 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
12537 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
12538 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12539 | * interpreter/CallFrame.h: | |
12540 | * interpreter/VMInspector.cpp: Removed. | |
12541 | * interpreter/VMInspector.h: Removed. | |
12542 | * llint/LowLevelInterpreter.cpp: | |
12543 | ||
12544 | 2015-04-15 Jordan Harband <ljharb@gmail.com> | |
12545 | ||
12546 | Math.imul has wrong length in Safari 8.0.4 | |
12547 | https://bugs.webkit.org/show_bug.cgi?id=143658 | |
12548 | ||
12549 | Reviewed by Benjamin Poulain. | |
12550 | ||
12551 | Correcting function length from 1 to 2, to match the spec | |
12552 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul | |
12553 | ||
12554 | * runtime/MathObject.cpp: | |
12555 | (JSC::MathObject::finishCreation): | |
12556 | ||
12557 | 2015-04-15 Jordan Harband <ljharb@gmail.com> | |
12558 | ||
12559 | Number.parseInt in nightly r182673 has wrong length | |
12560 | https://bugs.webkit.org/show_bug.cgi?id=143657 | |
12561 | ||
12562 | Reviewed by Benjamin Poulain. | |
12563 | ||
12564 | Correcting function length from 1 to 2, to match the spec | |
12565 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint | |
12566 | ||
12567 | * runtime/NumberConstructor.cpp: | |
12568 | (JSC::NumberConstructor::finishCreation): | |
12569 | ||
12570 | 2015-04-15 Filip Pizlo <fpizlo@apple.com> | |
12571 | ||
12572 | Harden DFGForAllKills | |
12573 | https://bugs.webkit.org/show_bug.cgi?id=143792 | |
12574 | ||
12575 | Reviewed by Geoffrey Garen. | |
12576 | ||
12577 | Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent | |
12578 | bugs in https://bugs.webkit.org/show_bug.cgi?id=143734. | |
12579 | ||
12580 | Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because | |
12581 | that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong: | |
12582 | ||
12583 | - It looks for kill sites at forExit origin boundaries. But, something might have been killed | |
12584 | by an operation that was logically in between the forExit origins at the boundary, but was | |
12585 | removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction | |
12586 | gaps. | |
12587 | ||
12588 | - It overlooked the fact that a MovHint that addresses a local that is always live kills that | |
12589 | local. For example, storing to an argument means that the prior value of the argument is | |
12590 | killed. | |
12591 | ||
12592 | This fixes the analysis by making it handle MovHints directly, and making it define kills in | |
12593 | the most conservative way possible: it asks if you were live before but dead after. If we | |
12594 | have the compile time budget to afford this more direct approach, then it's definitely a good | |
12595 | idea since it's so fool-proof. | |
12596 | ||
12597 | * dfg/DFGArgumentsEliminationPhase.cpp: | |
12598 | * dfg/DFGForAllKills.h: | |
12599 | (JSC::DFG::forAllKilledOperands): | |
12600 | (JSC::DFG::forAllKilledNodesAtNodeIndex): | |
12601 | (JSC::DFG::forAllDirectlyKilledOperands): Deleted. | |
12602 | ||
12603 | 2015-04-15 Joseph Pecoraro <pecoraro@apple.com> | |
12604 | ||
12605 | Provide SPI to allow changing whether JSContexts are remote debuggable by default | |
12606 | https://bugs.webkit.org/show_bug.cgi?id=143681 | |
12607 | ||
12608 | Reviewed by Darin Adler. | |
12609 | ||
12610 | * API/JSRemoteInspector.h: | |
12611 | * API/JSRemoteInspector.cpp: | |
12612 | (JSRemoteInspectorGetInspectionEnabledByDefault): | |
12613 | (JSRemoteInspectorSetInspectionEnabledByDefault): | |
12614 | Provide SPI to toggle the default enabled inspection state of debuggables. | |
12615 | ||
12616 | * API/JSContextRef.cpp: | |
12617 | (JSGlobalContextCreateInGroup): | |
12618 | Respect the default setting. | |
12619 | ||
12620 | 2015-04-15 Joseph Pecoraro <pecoraro@apple.com> | |
12621 | ||
12622 | JavaScriptCore: Use kCFAllocatorDefault where possible | |
12623 | https://bugs.webkit.org/show_bug.cgi?id=143747 | |
12624 | ||
12625 | Reviewed by Darin Adler. | |
12626 | ||
12627 | * heap/HeapTimer.cpp: | |
12628 | (JSC::HeapTimer::HeapTimer): | |
12629 | * inspector/remote/RemoteInspectorDebuggableConnection.mm: | |
12630 | (Inspector::RemoteInspectorInitializeGlobalQueue): | |
12631 | (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop): | |
12632 | For consistency and readability use the constant instead of | |
12633 | different representations of null. | |
12634 | ||
12635 | 2015-04-14 Michael Saboff <msaboff@apple.com> | |
12636 | ||
12637 | Remove JavaScriptCoreUseJIT default from JavaScriptCore | |
12638 | https://bugs.webkit.org/show_bug.cgi?id=143746 | |
12639 | ||
12640 | Reviewed by Mark Lam. | |
12641 | ||
12642 | * runtime/VM.cpp: | |
12643 | (JSC::enableAssembler): | |
12644 | ||
12645 | 2015-04-14 Chris Dumez <cdumez@apple.com> | |
12646 | ||
12647 | Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type | |
12648 | https://bugs.webkit.org/show_bug.cgi?id=143745 | |
12649 | <rdar://problem/20243916> | |
12650 | ||
12651 | Reviewed by Joseph Pecoraro. | |
12652 | ||
12653 | Add assertion in ContentSearchUtilities::findMagicComment() to make | |
12654 | sure the content String is not null or we would crash in | |
12655 | JSC::Yarr::interpret() later. | |
12656 | ||
12657 | * inspector/ContentSearchUtilities.cpp: | |
12658 | (Inspector::ContentSearchUtilities::findMagicComment): | |
12659 | ||
12660 | 2015-04-14 Michael Saboff <msaboff@apple.com> | |
12661 | ||
12662 | DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format | |
12663 | https://bugs.webkit.org/show_bug.cgi?id=143727 | |
12664 | ||
12665 | Reviewed by Geoffrey Garen. | |
12666 | ||
12667 | Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible | |
12668 | with the requested fill format. If filter() reports a contradiction, then we force an OSR exit. | |
12669 | Removed individual checks made redundant by the new check. | |
12670 | ||
12671 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
12672 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): | |
12673 | (JSC::DFG::SpeculativeJIT::fillSpeculateCell): | |
12674 | (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): | |
12675 | * dfg/DFGSpeculativeJIT64.cpp: | |
12676 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): | |
12677 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): | |
12678 | (JSC::DFG::SpeculativeJIT::fillSpeculateCell): | |
12679 | (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): | |
12680 | ||
12681 | 2015-04-14 Joseph Pecoraro <pecoraro@apple.com> | |
12682 | ||
12683 | Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI | |
12684 | https://bugs.webkit.org/show_bug.cgi?id=143691 | |
12685 | ||
12686 | Reviewed by Geoffrey Garen. | |
12687 | ||
12688 | * API/JSRemoteInspector.h: | |
12689 | * API/JSRemoteInspector.cpp: | |
12690 | (JSRemoteInspectorSetLogToSystemConsole): | |
12691 | Add SPI to enable/disable logging to the system console. | |
12692 | This only affects JSContext `console` logs and warnings. | |
12693 | ||
12694 | * inspector/JSGlobalObjectConsoleClient.h: | |
12695 | * inspector/JSGlobalObjectConsoleClient.cpp: | |
12696 | (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole): | |
12697 | (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole): | |
12698 | (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): | |
12699 | (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted. | |
12700 | Simplify access to the setting now that it doesn't need to | |
12701 | initialize its value from preferences. | |
12702 | ||
12703 | 2015-04-14 Joseph Pecoraro <pecoraro@apple.com> | |
12704 | ||
12705 | Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch | |
12706 | https://bugs.webkit.org/show_bug.cgi?id=143682 | |
12707 | ||
12708 | Reviewed by Timothy Hatcher. | |
12709 | ||
12710 | * inspector/remote/RemoteInspector.mm: | |
12711 | (Inspector::RemoteInspector::singleton): | |
12712 | If we are on the main thread, run the initialization immediately. | |
12713 | Otherwise dispatch to the main thread. This way if the first JSContext | |
12714 | was created on the main thread it can get auto-attached if applicable. | |
12715 | ||
12716 | 2015-04-14 Joseph Pecoraro <pecoraro@apple.com> | |
12717 | ||
12718 | Unreviewed build fix for Mavericks. | |
12719 | ||
12720 | Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR | |
12721 | so the Inspector namespace is not available when compiling this file. | |
12722 | ||
12723 | * API/JSRemoteInspector.cpp: | |
12724 | ||
12725 | 2015-04-14 Joseph Pecoraro <pecoraro@apple.com> | |
12726 | ||
12727 | Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit | |
12728 | https://bugs.webkit.org/show_bug.cgi?id=143729 | |
12729 | ||
12730 | Reviewed by Timothy Hatcher. | |
12731 | ||
12732 | * API/JSRemoteInspector.h: Added. | |
12733 | * API/JSRemoteInspector.cpp: Added. | |
12734 | (JSRemoteInspectorDisableAutoStart): | |
12735 | (JSRemoteInspectorStart): | |
12736 | (JSRemoteInspectorSetParentProcessInformation): | |
12737 | Add the new SPIs for basic remote inspection behavior. | |
12738 | ||
12739 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12740 | Add the new files to Mac only, since remote inspection is only | |
12741 | enabled there anyways. | |
12742 | ||
12743 | 2015-04-14 Mark Lam <mark.lam@apple.com> | |
12744 | ||
12745 | Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist. | |
12746 | https://bugs.webkit.org/show_bug.cgi?id=143722 | |
12747 | ||
12748 | Reviewed by Michael Saboff. | |
12749 | ||
12750 | Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is | |
12751 | shorter, and easier to remember (without having to look it up) and to | |
12752 | type. JSC options now support descriptions, and one can always look up | |
12753 | the description if the option's purpose is not already obvious. | |
12754 | ||
12755 | * dfg/DFGFunctionWhitelist.cpp: | |
12756 | (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): | |
12757 | (JSC::DFG::FunctionWhitelist::contains): | |
12758 | * runtime/Options.h: | |
12759 | ||
12760 | 2015-04-13 Filip Pizlo <fpizlo@apple.com> | |
12761 | ||
12762 | Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED. | |
12763 | ||
12764 | * runtime/InferredValue.h: | |
12765 | ||
12766 | 2015-04-13 Filip Pizlo <fpizlo@apple.com> | |
12767 | ||
12768 | Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written. | |
12769 | ||
12770 | * runtime/InferredValue.h: | |
12771 | ||
12772 | 2015-04-08 Filip Pizlo <fpizlo@apple.com> | |
12773 | ||
12774 | JSC should detect singleton functions | |
12775 | https://bugs.webkit.org/show_bug.cgi?id=143232 | |
12776 | ||
12777 | Reviewed by Geoffrey Garen. | |
12778 | ||
12779 | This started out as an attempt to make constructors faster by detecting when a constructor is a | |
12780 | singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint | |
12781 | along with an inferred value - that detects if only one JSFunction has been allocated for that | |
12782 | executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable, | |
12783 | if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid), | |
12784 | we can constant-fold GetCallee. | |
12785 | ||
12786 | Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the | |
12787 | process I realized a bunch of things: | |
12788 | ||
12789 | - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes | |
12790 | had even in code where our singleton-closure detection worked. That's because singleton-closure | |
12791 | inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive | |
12792 | the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence | |
12793 | disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant | |
12794 | values. | |
12795 | ||
12796 | - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and | |
12797 | created InferredValue. InferredValue is a cell, so it can handle its own GC magic. | |
12798 | FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions. | |
12799 | ||
12800 | - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable | |
12801 | detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you | |
12802 | about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in | |
12803 | SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways. | |
12804 | First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant | |
12805 | scope. This saves compile times and it allows prediction propagation to benefit from the | |
12806 | constant folding. Second, it means that we will detect a singleton scope even if it is | |
12807 | referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring | |
12808 | allows us to eliminate the function reentry watchpoint. | |
12809 | ||
12810 | - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring | |
12811 | constant values in scopes. Previously when the DFG inferred that a closure variable was | |
12812 | constant, it wouldn't know which closure that variable was in and so it couldn't just load that | |
12813 | value. But now we are first inferring that the function is a singleton, which means that we | |
12814 | know exactly what scope it points to, and we can load the value from the scope. Using a | |
12815 | WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of | |
12816 | code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable. | |
12817 | I've tweaked the code of VariableWatchpointSet to reduce its power to just be what | |
12818 | FunctionExecutable wants. | |
12819 | ||
12820 | This also has the effect of simplifying the implementation of block scoping. Prior to this | |
12821 | change, block scoping would have needed to have some story for the function reentry watchpoint on | |
12822 | any nested symbol table. That's totally weird to think about; it's not really a function reentry | |
12823 | but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes | |
12824 | will "just work": if we prove that we know the constant value of the scope then the machinery | |
12825 | kicks in, otherwise it doesn't. | |
12826 | ||
12827 | This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%. | |
12828 | ||
12829 | * CMakeLists.txt: | |
12830 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
12831 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
12832 | * bytecode/BytecodeList.json: | |
12833 | * bytecode/BytecodeUseDef.h: | |
12834 | (JSC::computeUsesForBytecodeOffset): | |
12835 | (JSC::computeDefsForBytecodeOffset): | |
12836 | * bytecode/CodeBlock.cpp: | |
12837 | (JSC::CodeBlock::dumpBytecode): | |
12838 | (JSC::CodeBlock::CodeBlock): | |
12839 | (JSC::CodeBlock::finalizeUnconditionally): | |
12840 | (JSC::CodeBlock::valueProfileForBytecodeOffset): | |
12841 | * bytecode/CodeBlock.h: | |
12842 | (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted. | |
12843 | * bytecode/CodeOrigin.cpp: | |
12844 | (JSC::InlineCallFrame::calleeConstant): | |
12845 | (JSC::InlineCallFrame::visitAggregate): | |
12846 | * bytecode/CodeOrigin.h: | |
12847 | (JSC::InlineCallFrame::calleeConstant): Deleted. | |
12848 | (JSC::InlineCallFrame::visitAggregate): Deleted. | |
12849 | * bytecode/Instruction.h: | |
12850 | * bytecode/VariableWatchpointSet.cpp: Removed. | |
12851 | * bytecode/VariableWatchpointSet.h: Removed. | |
12852 | * bytecode/VariableWatchpointSetInlines.h: Removed. | |
12853 | * bytecode/VariableWriteFireDetail.cpp: Added. | |
12854 | (JSC::VariableWriteFireDetail::dump): | |
12855 | (JSC::VariableWriteFireDetail::touch): | |
12856 | * bytecode/VariableWriteFireDetail.h: Added. | |
12857 | (JSC::VariableWriteFireDetail::VariableWriteFireDetail): | |
12858 | * bytecode/Watchpoint.h: | |
12859 | (JSC::WatchpointSet::stateOnJSThread): | |
12860 | (JSC::WatchpointSet::startWatching): | |
12861 | (JSC::WatchpointSet::fireAll): | |
12862 | (JSC::WatchpointSet::touch): | |
12863 | (JSC::WatchpointSet::invalidate): | |
12864 | (JSC::InlineWatchpointSet::stateOnJSThread): | |
12865 | (JSC::InlineWatchpointSet::state): | |
12866 | (JSC::InlineWatchpointSet::hasBeenInvalidated): | |
12867 | (JSC::InlineWatchpointSet::invalidate): | |
12868 | (JSC::InlineWatchpointSet::touch): | |
12869 | * bytecompiler/BytecodeGenerator.cpp: | |
12870 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
12871 | * dfg/DFGAbstractInterpreterInlines.h: | |
12872 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
12873 | * dfg/DFGByteCodeParser.cpp: | |
12874 | (JSC::DFG::ByteCodeParser::get): | |
12875 | (JSC::DFG::ByteCodeParser::parseBlock): | |
12876 | (JSC::DFG::ByteCodeParser::getScope): Deleted. | |
12877 | * dfg/DFGCapabilities.cpp: | |
12878 | (JSC::DFG::capabilityLevel): | |
12879 | * dfg/DFGClobberize.h: | |
12880 | (JSC::DFG::clobberize): | |
12881 | * dfg/DFGDesiredWatchpoints.cpp: | |
12882 | (JSC::DFG::InferredValueAdaptor::add): | |
12883 | (JSC::DFG::DesiredWatchpoints::addLazily): | |
12884 | (JSC::DFG::DesiredWatchpoints::reallyAdd): | |
12885 | (JSC::DFG::DesiredWatchpoints::areStillValid): | |
12886 | * dfg/DFGDesiredWatchpoints.h: | |
12887 | (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated): | |
12888 | (JSC::DFG::DesiredWatchpoints::isWatched): | |
12889 | * dfg/DFGGraph.cpp: | |
12890 | (JSC::DFG::Graph::dump): | |
12891 | (JSC::DFG::Graph::tryGetConstantClosureVar): | |
12892 | * dfg/DFGNode.h: | |
12893 | (JSC::DFG::Node::hasWatchpointSet): | |
12894 | (JSC::DFG::Node::watchpointSet): | |
12895 | (JSC::DFG::Node::hasVariableWatchpointSet): Deleted. | |
12896 | (JSC::DFG::Node::variableWatchpointSet): Deleted. | |
12897 | * dfg/DFGOperations.cpp: | |
12898 | * dfg/DFGOperations.h: | |
12899 | * dfg/DFGSpeculativeJIT.cpp: | |
12900 | (JSC::DFG::SpeculativeJIT::compileNewFunction): | |
12901 | (JSC::DFG::SpeculativeJIT::compileCreateActivation): | |
12902 | (JSC::DFG::SpeculativeJIT::compileNotifyWrite): | |
12903 | * dfg/DFGSpeculativeJIT.h: | |
12904 | (JSC::DFG::SpeculativeJIT::callOperation): | |
12905 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
12906 | (JSC::DFG::SpeculativeJIT::compile): | |
12907 | * dfg/DFGSpeculativeJIT64.cpp: | |
12908 | (JSC::DFG::SpeculativeJIT::compile): | |
12909 | * dfg/DFGVarargsForwardingPhase.cpp: | |
12910 | * ftl/FTLIntrinsicRepository.h: | |
12911 | * ftl/FTLLowerDFGToLLVM.cpp: | |
12912 | (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): | |
12913 | (JSC::FTL::LowerDFGToLLVM::compileNewFunction): | |
12914 | (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): | |
12915 | * interpreter/Interpreter.cpp: | |
12916 | (JSC::StackFrame::friendlySourceURL): | |
12917 | (JSC::StackFrame::friendlyFunctionName): | |
12918 | * interpreter/Interpreter.h: | |
12919 | (JSC::StackFrame::friendlySourceURL): Deleted. | |
12920 | (JSC::StackFrame::friendlyFunctionName): Deleted. | |
12921 | * jit/JIT.cpp: | |
12922 | (JSC::JIT::emitNotifyWrite): | |
12923 | (JSC::JIT::privateCompileMainPass): | |
12924 | * jit/JIT.h: | |
12925 | * jit/JITOpcodes.cpp: | |
12926 | (JSC::JIT::emit_op_touch_entry): Deleted. | |
12927 | * jit/JITOperations.cpp: | |
12928 | * jit/JITOperations.h: | |
12929 | * jit/JITPropertyAccess.cpp: | |
12930 | (JSC::JIT::emitPutGlobalVar): | |
12931 | (JSC::JIT::emitPutClosureVar): | |
12932 | (JSC::JIT::emitNotifyWrite): Deleted. | |
12933 | * jit/JITPropertyAccess32_64.cpp: | |
12934 | (JSC::JIT::emitPutGlobalVar): | |
12935 | (JSC::JIT::emitPutClosureVar): | |
12936 | (JSC::JIT::emitNotifyWrite): Deleted. | |
12937 | * llint/LLIntSlowPaths.cpp: | |
12938 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
12939 | * llint/LowLevelInterpreter.asm: | |
12940 | * llint/LowLevelInterpreter32_64.asm: | |
12941 | * llint/LowLevelInterpreter64.asm: | |
12942 | * runtime/CommonSlowPaths.cpp: | |
12943 | (JSC::SLOW_PATH_DECL): Deleted. | |
12944 | * runtime/CommonSlowPaths.h: | |
12945 | * runtime/Executable.cpp: | |
12946 | (JSC::FunctionExecutable::finishCreation): | |
12947 | (JSC::FunctionExecutable::visitChildren): | |
12948 | * runtime/Executable.h: | |
12949 | (JSC::FunctionExecutable::singletonFunction): | |
12950 | * runtime/InferredValue.cpp: Added. | |
12951 | (JSC::InferredValue::create): | |
12952 | (JSC::InferredValue::destroy): | |
12953 | (JSC::InferredValue::createStructure): | |
12954 | (JSC::InferredValue::visitChildren): | |
12955 | (JSC::InferredValue::InferredValue): | |
12956 | (JSC::InferredValue::~InferredValue): | |
12957 | (JSC::InferredValue::notifyWriteSlow): | |
12958 | (JSC::InferredValue::ValueCleanup::ValueCleanup): | |
12959 | (JSC::InferredValue::ValueCleanup::~ValueCleanup): | |
12960 | (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): | |
12961 | * runtime/InferredValue.h: Added. | |
12962 | (JSC::InferredValue::inferredValue): | |
12963 | (JSC::InferredValue::state): | |
12964 | (JSC::InferredValue::isStillValid): | |
12965 | (JSC::InferredValue::hasBeenInvalidated): | |
12966 | (JSC::InferredValue::add): | |
12967 | (JSC::InferredValue::notifyWrite): | |
12968 | (JSC::InferredValue::invalidate): | |
12969 | * runtime/JSEnvironmentRecord.cpp: | |
12970 | (JSC::JSEnvironmentRecord::visitChildren): | |
12971 | * runtime/JSEnvironmentRecord.h: | |
12972 | (JSC::JSEnvironmentRecord::isValid): | |
12973 | (JSC::JSEnvironmentRecord::finishCreation): | |
12974 | * runtime/JSFunction.cpp: | |
12975 | (JSC::JSFunction::create): | |
12976 | * runtime/JSFunction.h: | |
12977 | (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint): | |
12978 | (JSC::JSFunction::createImpl): | |
12979 | (JSC::JSFunction::create): Deleted. | |
12980 | * runtime/JSGlobalObject.cpp: | |
12981 | (JSC::JSGlobalObject::addGlobalVar): | |
12982 | (JSC::JSGlobalObject::addFunction): | |
12983 | * runtime/JSGlobalObject.h: | |
12984 | * runtime/JSLexicalEnvironment.cpp: | |
12985 | (JSC::JSLexicalEnvironment::symbolTablePut): | |
12986 | * runtime/JSScope.h: | |
12987 | (JSC::ResolveOp::ResolveOp): | |
12988 | * runtime/JSSegmentedVariableObject.h: | |
12989 | (JSC::JSSegmentedVariableObject::finishCreation): | |
12990 | * runtime/JSSymbolTableObject.h: | |
12991 | (JSC::JSSymbolTableObject::JSSymbolTableObject): | |
12992 | (JSC::JSSymbolTableObject::setSymbolTable): | |
12993 | (JSC::symbolTablePut): | |
12994 | (JSC::symbolTablePutWithAttributes): | |
12995 | * runtime/PutPropertySlot.h: | |
12996 | * runtime/SymbolTable.cpp: | |
12997 | (JSC::SymbolTableEntry::prepareToWatch): | |
12998 | (JSC::SymbolTable::SymbolTable): | |
12999 | (JSC::SymbolTable::finishCreation): | |
13000 | (JSC::SymbolTable::visitChildren): | |
13001 | (JSC::SymbolTableEntry::inferredValue): Deleted. | |
13002 | (JSC::SymbolTableEntry::notifyWriteSlow): Deleted. | |
13003 | (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted. | |
13004 | (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted. | |
13005 | (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted. | |
13006 | * runtime/SymbolTable.h: | |
13007 | (JSC::SymbolTableEntry::disableWatching): | |
13008 | (JSC::SymbolTableEntry::watchpointSet): | |
13009 | (JSC::SymbolTable::singletonScope): | |
13010 | (JSC::SymbolTableEntry::notifyWrite): Deleted. | |
13011 | * runtime/TypeProfiler.cpp: | |
13012 | * runtime/VM.cpp: | |
13013 | (JSC::VM::VM): | |
13014 | * runtime/VM.h: | |
13015 | * tests/stress/infer-uninitialized-closure-var.js: Added. | |
13016 | (foo.f): | |
13017 | (foo): | |
13018 | * tests/stress/singleton-scope-then-overwrite.js: Added. | |
13019 | (foo.f): | |
13020 | (foo): | |
13021 | * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added. | |
13022 | (foo): | |
13023 | * tests/stress/singleton-scope-then-realloc.js: Added. | |
13024 | (foo): | |
13025 | ||
13026 | 2015-04-13 Andreas Kling <akling@apple.com> | |
13027 | ||
13028 | Don't segregate heap objects based on Structure immortality. | |
13029 | <https://webkit.org/b/143638> | |
13030 | ||
13031 | Reviewed by Darin Adler. | |
13032 | ||
13033 | Put all objects that need a destructor call into the same MarkedBlock. | |
13034 | This reduces memory consumption in many situations, while improving locality, | |
13035 | since much more of the MarkedBlock space can be shared. | |
13036 | ||
13037 | Instead of branching on the MarkedBlock type, we now check a bit in the | |
13038 | JSCell's inline type flags (StructureIsImmortal) to see whether it's safe | |
13039 | to access the cell's Structure during destruction or not. | |
13040 | ||
13041 | Performance benchmarks look mostly neutral. Maybe a small regression on | |
13042 | SunSpider's date objects. | |
13043 | ||
13044 | On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along | |
13045 | with a bunch of WeakBlocks that were hanging off of them. That's on the higher | |
13046 | end of savings we can get from this, but still a very real improvement. | |
13047 | ||
13048 | Most of this patch is removing the "hasImmortalStructure" constant from JSCell | |
13049 | derived classes and passing that responsibility to the StructureIsImmortal flag. | |
13050 | StructureFlags is made public so that it's accessible from non-member functions. | |
13051 | I made sure to declare it everywhere and make classes final to try to make it | |
13052 | explicit what each class is doing to its inherited flags. | |
13053 | ||
13054 | * API/JSCallbackConstructor.h: | |
13055 | * API/JSCallbackObject.h: | |
13056 | * bytecode/UnlinkedCodeBlock.h: | |
13057 | * debugger/DebuggerScope.h: | |
13058 | * dfg/DFGSpeculativeJIT.cpp: | |
13059 | (JSC::DFG::SpeculativeJIT::compileMakeRope): | |
13060 | * ftl/FTLLowerDFGToLLVM.cpp: | |
13061 | (JSC::FTL::LowerDFGToLLVM::compileMakeRope): | |
13062 | * heap/Heap.h: | |
13063 | (JSC::Heap::subspaceForObjectDestructor): | |
13064 | (JSC::Heap::allocatorForObjectWithDestructor): | |
13065 | (JSC::Heap::subspaceForObjectNormalDestructor): Deleted. | |
13066 | (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted. | |
13067 | (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted. | |
13068 | (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted. | |
13069 | * heap/HeapInlines.h: | |
13070 | (JSC::Heap::allocateWithDestructor): | |
13071 | (JSC::Heap::allocateObjectOfType): | |
13072 | (JSC::Heap::subspaceForObjectOfType): | |
13073 | (JSC::Heap::allocatorForObjectOfType): | |
13074 | (JSC::Heap::allocateWithNormalDestructor): Deleted. | |
13075 | (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted. | |
13076 | * heap/MarkedAllocator.cpp: | |
13077 | (JSC::MarkedAllocator::allocateBlock): | |
13078 | * heap/MarkedAllocator.h: | |
13079 | (JSC::MarkedAllocator::needsDestruction): | |
13080 | (JSC::MarkedAllocator::MarkedAllocator): | |
13081 | (JSC::MarkedAllocator::init): | |
13082 | (JSC::MarkedAllocator::destructorType): Deleted. | |
13083 | * heap/MarkedBlock.cpp: | |
13084 | (JSC::MarkedBlock::create): | |
13085 | (JSC::MarkedBlock::MarkedBlock): | |
13086 | (JSC::MarkedBlock::callDestructor): | |
13087 | (JSC::MarkedBlock::specializedSweep): | |
13088 | (JSC::MarkedBlock::sweep): | |
13089 | (JSC::MarkedBlock::sweepHelper): | |
13090 | * heap/MarkedBlock.h: | |
13091 | (JSC::MarkedBlock::needsDestruction): | |
13092 | (JSC::MarkedBlock::destructorType): Deleted. | |
13093 | * heap/MarkedSpace.cpp: | |
13094 | (JSC::MarkedSpace::MarkedSpace): | |
13095 | (JSC::MarkedSpace::resetAllocators): | |
13096 | (JSC::MarkedSpace::forEachAllocator): | |
13097 | (JSC::MarkedSpace::isPagedOut): | |
13098 | (JSC::MarkedSpace::clearNewlyAllocated): | |
13099 | * heap/MarkedSpace.h: | |
13100 | (JSC::MarkedSpace::subspaceForObjectsWithDestructor): | |
13101 | (JSC::MarkedSpace::destructorAllocatorFor): | |
13102 | (JSC::MarkedSpace::allocateWithDestructor): | |
13103 | (JSC::MarkedSpace::forEachBlock): | |
13104 | (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted. | |
13105 | (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted. | |
13106 | (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted. | |
13107 | (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted. | |
13108 | (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted. | |
13109 | (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted. | |
13110 | * inspector/JSInjectedScriptHost.h: | |
13111 | * inspector/JSInjectedScriptHostPrototype.h: | |
13112 | * inspector/JSJavaScriptCallFrame.h: | |
13113 | * inspector/JSJavaScriptCallFramePrototype.h: | |
13114 | * jsc.cpp: | |
13115 | * runtime/ArrayBufferNeuteringWatchpoint.h: | |
13116 | * runtime/ArrayConstructor.h: | |
13117 | * runtime/ArrayIteratorPrototype.h: | |
13118 | * runtime/BooleanPrototype.h: | |
13119 | * runtime/ClonedArguments.h: | |
13120 | * runtime/CustomGetterSetter.h: | |
13121 | * runtime/DateConstructor.h: | |
13122 | * runtime/DatePrototype.h: | |
13123 | * runtime/ErrorPrototype.h: | |
13124 | * runtime/ExceptionHelpers.h: | |
13125 | * runtime/Executable.h: | |
13126 | * runtime/GenericArguments.h: | |
13127 | * runtime/GetterSetter.h: | |
13128 | * runtime/InternalFunction.h: | |
13129 | * runtime/JSAPIValueWrapper.h: | |
13130 | * runtime/JSArgumentsIterator.h: | |
13131 | * runtime/JSArray.h: | |
13132 | * runtime/JSArrayBuffer.h: | |
13133 | * runtime/JSArrayBufferView.h: | |
13134 | * runtime/JSBoundFunction.h: | |
13135 | * runtime/JSCallee.h: | |
13136 | * runtime/JSCell.h: | |
13137 | * runtime/JSCellInlines.h: | |
13138 | (JSC::JSCell::classInfo): | |
13139 | * runtime/JSDataViewPrototype.h: | |
13140 | * runtime/JSEnvironmentRecord.h: | |
13141 | * runtime/JSFunction.h: | |
13142 | * runtime/JSGenericTypedArrayView.h: | |
13143 | * runtime/JSGlobalObject.h: | |
13144 | * runtime/JSLexicalEnvironment.h: | |
13145 | * runtime/JSNameScope.h: | |
13146 | * runtime/JSNotAnObject.h: | |
13147 | * runtime/JSONObject.h: | |
13148 | * runtime/JSObject.h: | |
13149 | (JSC::JSFinalObject::JSFinalObject): | |
13150 | * runtime/JSPromiseConstructor.h: | |
13151 | * runtime/JSPromiseDeferred.h: | |
13152 | * runtime/JSPromisePrototype.h: | |
13153 | * runtime/JSPromiseReaction.h: | |
13154 | * runtime/JSPropertyNameEnumerator.h: | |
13155 | * runtime/JSProxy.h: | |
13156 | * runtime/JSScope.h: | |
13157 | * runtime/JSString.h: | |
13158 | * runtime/JSSymbolTableObject.h: | |
13159 | * runtime/JSTypeInfo.h: | |
13160 | (JSC::TypeInfo::structureIsImmortal): | |
13161 | * runtime/MathObject.h: | |
13162 | * runtime/NumberConstructor.h: | |
13163 | * runtime/NumberPrototype.h: | |
13164 | * runtime/ObjectConstructor.h: | |
13165 | * runtime/PropertyMapHashTable.h: | |
13166 | * runtime/RegExp.h: | |
13167 | * runtime/RegExpConstructor.h: | |
13168 | * runtime/RegExpObject.h: | |
13169 | * runtime/RegExpPrototype.h: | |
13170 | * runtime/ScopedArgumentsTable.h: | |
13171 | * runtime/SparseArrayValueMap.h: | |
13172 | * runtime/StrictEvalActivation.h: | |
13173 | * runtime/StringConstructor.h: | |
13174 | * runtime/StringIteratorPrototype.h: | |
13175 | * runtime/StringObject.h: | |
13176 | * runtime/StringPrototype.h: | |
13177 | * runtime/Structure.cpp: | |
13178 | (JSC::Structure::Structure): | |
13179 | * runtime/Structure.h: | |
13180 | * runtime/StructureChain.h: | |
13181 | * runtime/StructureRareData.h: | |
13182 | * runtime/Symbol.h: | |
13183 | * runtime/SymbolPrototype.h: | |
13184 | * runtime/SymbolTable.h: | |
13185 | * runtime/WeakMapData.h: | |
13186 | ||
13187 | 2015-04-13 Mark Lam <mark.lam@apple.com> | |
13188 | ||
13189 | DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit. | |
13190 | https://bugs.webkit.org/show_bug.cgi?id=143407 | |
13191 | ||
13192 | Reviewed by Filip Pizlo. | |
13193 | ||
13194 | DFG inlining of a varargs call / construct needs to keep the local | |
13195 | containing the callee alive with a Phantom node because the LoadVarargs | |
13196 | node may OSR exit. After the OSR exit, the baseline JIT executes the | |
13197 | op_call_varargs with that callee in the local. | |
13198 | ||
13199 | Previously, because that callee local was not explicitly kept alive, | |
13200 | the op_call_varargs case can OSR exit a DFG function and leave an | |
13201 | undefined value in that local. As a result, the baseline observes the | |
13202 | side effect of an op_call_varargs on an undefined value instead of the | |
13203 | function it expected. | |
13204 | ||
13205 | Note: this issue does not manifest with op_construct_varargs because | |
13206 | the inlined constructor will have an op_create_this which operates on | |
13207 | the incoming callee value, thereby keeping it alive. | |
13208 | ||
13209 | * dfg/DFGByteCodeParser.cpp: | |
13210 | (JSC::DFG::ByteCodeParser::handleInlining): | |
13211 | * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added. | |
13212 | (foo): | |
13213 | (Foo): | |
13214 | (doTest): | |
13215 | ||
13216 | 2015-04-12 Yusuke Suzuki <utatane.tea@gmail.com> | |
13217 | ||
13218 | [ES6] Implement Array.prototype.values | |
13219 | https://bugs.webkit.org/show_bug.cgi?id=143633 | |
13220 | ||
13221 | Reviewed by Darin Adler. | |
13222 | ||
13223 | Symbol.unscopables is implemented, so we can implement Array.prototype.values | |
13224 | without largely breaking the web. The following script passes. | |
13225 | ||
13226 | var array = []; | |
13227 | var values = 42; | |
13228 | with (array) { | |
13229 | assert(values, 42); | |
13230 | } | |
13231 | ||
13232 | * runtime/ArrayPrototype.cpp: | |
13233 | * tests/stress/array-iterators-next.js: | |
13234 | * tests/stress/map-iterators-next.js: | |
13235 | * tests/stress/set-iterators-next.js: | |
13236 | * tests/stress/values-unscopables.js: Added. | |
13237 | (test): | |
13238 | ||
13239 | 2015-04-11 Yusuke Suzuki <utatane.tea@gmail.com> | |
13240 | ||
13241 | Run flaky conservative GC related test first before polluting stack and registers | |
13242 | https://bugs.webkit.org/show_bug.cgi?id=143634 | |
13243 | ||
13244 | Reviewed by Ryosuke Niwa. | |
13245 | ||
13246 | After r182653, JSC API tests fail. However, it's not related to the change. | |
13247 | After investigating the cause of this failure, I've found that the failed test is flaky | |
13248 | because JSC's GC is conservative. If previously allocated JSGlobalObject is accidentally alive | |
13249 | due to conservative roots in C stack and registers, this test fails. | |
13250 | ||
13251 | Since GC marks C stack and registers as roots conservatively, | |
13252 | objects not referenced logically can be accidentally marked and alive. | |
13253 | To avoid this situation as much as we can, | |
13254 | 1. run this test first before stack is polluted, | |
13255 | 2. extract this test as a function to suppress stack height. | |
13256 | ||
13257 | * API/tests/testapi.mm: | |
13258 | (testWeakValue): | |
13259 | (testObjectiveCAPIMain): | |
13260 | (testObjectiveCAPI): | |
13261 | ||
13262 | 2015-04-11 Matt Baker <mattbaker@apple.com> | |
13263 | ||
13264 | Web Inspector: create content view and details sidebar for Frames timeline | |
13265 | https://bugs.webkit.org/show_bug.cgi?id=143533 | |
13266 | ||
13267 | Reviewed by Timothy Hatcher. | |
13268 | ||
13269 | Refactoring: RunLoop prefix changed to RenderingFrame. | |
13270 | ||
13271 | * inspector/protocol/Timeline.json: | |
13272 | ||
13273 | 2015-04-11 Yusuke Suzuki <utatane.tea@gmail.com> | |
13274 | ||
13275 | [ES6] Enable Symbol in web pages | |
13276 | https://bugs.webkit.org/show_bug.cgi?id=143375 | |
13277 | ||
13278 | Reviewed by Ryosuke Niwa. | |
13279 | ||
13280 | Expose Symbol to web pages. | |
13281 | Symbol was exposed, but it was hidden since it broke Facebook comments. | |
13282 | This is because at that time Symbol was implemented, | |
13283 | but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet, | |
13284 | and that broke React.js and immutable.js. | |
13285 | ||
13286 | Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented, | |
13287 | and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed. | |
13288 | ||
13289 | So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled | |
13290 | and enables symbols by default. | |
13291 | ||
13292 | * runtime/ArrayPrototype.cpp: | |
13293 | (JSC::ArrayPrototype::finishCreation): | |
13294 | * runtime/CommonIdentifiers.h: | |
13295 | * runtime/JSGlobalObject.cpp: | |
13296 | (JSC::JSGlobalObject::init): | |
13297 | * runtime/ObjectConstructor.cpp: | |
13298 | (JSC::ObjectConstructor::finishCreation): | |
13299 | * runtime/RuntimeFlags.h: | |
13300 | ||
13301 | 2015-04-10 Yusuke Suzuki <utatane.tea@gmail.com> | |
13302 | ||
13303 | ES6: Iterator toString names should be consistent | |
13304 | https://bugs.webkit.org/show_bug.cgi?id=142424 | |
13305 | ||
13306 | Reviewed by Geoffrey Garen. | |
13307 | ||
13308 | Iterator Object Names in the spec right now have spaces. | |
13309 | In our implementation some do and some don't. | |
13310 | This patch aligns JSC to the spec. | |
13311 | ||
13312 | * runtime/JSArrayIterator.cpp: | |
13313 | * runtime/JSStringIterator.cpp: | |
13314 | * tests/stress/iterator-names.js: Added. | |
13315 | (test): | |
13316 | (iter): | |
13317 | (check): | |
13318 | ||
13319 | 2015-04-10 Michael Saboff <msaboff@apple.com> | |
13320 | ||
13321 | REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests | |
13322 | https://bugs.webkit.org/show_bug.cgi?id=143582 | |
13323 | ||
13324 | Reviewed by Mark Lam. | |
13325 | ||
13326 | For 32 bit builds, we favor spilling unboxed values. The ASSERT at the root of this bug doesn't | |
13327 | fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS). | |
13328 | For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell). | |
13329 | The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits | |
13330 | if the spillFormat is DataFormatCell. Had we spilled in DataFormatJS and the value was a JSCell*, | |
13331 | we would still OSR exit after the speculation check. | |
13332 | ||
13333 | * dfg/DFGFixupPhase.cpp: | |
13334 | (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging. | |
13335 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
13336 | (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): | |
13337 | ||
13338 | 2015-04-10 Milan Crha <mcrha@redhat.com> | |
13339 | ||
13340 | Disable Linux-specific code in a Windows build | |
13341 | https://bugs.webkit.org/show_bug.cgi?id=137973 | |
13342 | ||
13343 | Reviewed by Joseph Pecoraro. | |
13344 | ||
13345 | * inspector/JSGlobalObjectInspectorController.cpp: | |
13346 | (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): | |
13347 | ||
13348 | 2015-04-10 Csaba Osztrogonác <ossy@webkit.org> | |
13349 | ||
13350 | [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516 | |
13351 | https://bugs.webkit.org/show_bug.cgi?id=143368 | |
13352 | ||
13353 | Reviewed by Michael Saboff. | |
13354 | ||
13355 | * jit/RegisterSet.cpp: | |
13356 | (JSC::RegisterSet::calleeSaveRegisters): | |
13357 | ||
13358 | 2015-04-08 Joseph Pecoraro <pecoraro@apple.com> | |
13359 | ||
13360 | Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters | |
13361 | https://bugs.webkit.org/show_bug.cgi?id=143430 | |
13362 | ||
13363 | Reviewed by Darin Adler. | |
13364 | ||
13365 | * runtime/ExceptionHelpers.cpp: | |
13366 | (JSC::errorDescriptionForValue): | |
13367 | * runtime/NumberPrototype.cpp: | |
13368 | (JSC::numberProtoFuncToExponential): | |
13369 | (JSC::numberProtoFuncToPrecision): | |
13370 | (JSC::numberProtoFuncToString): | |
13371 | * runtime/SymbolPrototype.cpp: | |
13372 | (JSC::symbolProtoFuncToString): | |
13373 | ||
13374 | 2015-04-08 Filip Pizlo <fpizlo@apple.com> | |
13375 | ||
13376 | JSArray::sortNumeric should handle ArrayWithUndecided | |
13377 | https://bugs.webkit.org/show_bug.cgi?id=143535 | |
13378 | ||
13379 | Reviewed by Geoffrey Garen. | |
13380 | ||
13381 | ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it. | |
13382 | ||
13383 | * runtime/JSArray.cpp: | |
13384 | (JSC::JSArray::sortNumeric): | |
13385 | * tests/stress/sort-array-with-undecided.js: Added. | |
13386 | ||
13387 | 2015-04-08 Filip Pizlo <fpizlo@apple.com> | |
13388 | ||
13389 | DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around | |
13390 | https://bugs.webkit.org/show_bug.cgi?id=143532 | |
13391 | ||
13392 | Reviewed by Gavin Barraclough. | |
13393 | ||
13394 | Oh the irony! We were protecting an optimization that only worked if there was no wrap-around in JavaScript. | |
13395 | But the C++ code had wrap-around, which is undef in C++. So, if the compiler was smart enough, our compiler | |
13396 | would think that there never was wrap-around. | |
13397 | ||
13398 | This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang. | |
13399 | ||
13400 | * dfg/DFGIntegerCheckCombiningPhase.cpp: | |
13401 | (JSC::DFG::IntegerCheckCombiningPhase::isValid): | |
13402 | ||
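The entry above describes the classic trap: an overflow guard written as `a + b` in `int32_t` is itself undefined behaviour on overflow, so the optimizer is entitled to assume the wrap never happens and delete the guard. The following is an added example (not WebKit code; every function name is hypothetical) showing the anti-pattern beside two well-defined ways to detect int32 wrap-around, plus a derived bounds check of the kind a check-combining pass would emit, evaluated in 64-bit arithmetic so a wrapped sum can never pass as a small in-bounds index:

```cpp
// Added example, not WebKit code: int32 wrap-around checks that do not rely
// on signed overflow, which is undefined behaviour in C++.
// All function names here are hypothetical.
#include <cstdint>
#include <cstdio>
#include <limits>

// ANTI-PATTERN (do not use): computes a + b in int32 and inspects the result.
// The addition itself is UB on overflow, so an optimizing compiler may assume
// it cannot wrap and fold the whole function to `return false`, deleting the
// guard exactly when it is needed. Kept only to contrast with the safe forms.
[[maybe_unused]] static bool addWrapsInt32Naive(int32_t a, int32_t b)
{
    int32_t sum = a + b;                     // UB when the true sum leaves int32 range
    return b >= 0 ? sum < a : sum > a;
}

// SAFE: widen to 64 bits, where the sum of two int32 values always fits,
// then range-check the exact result.
static bool addWouldWrapInt32(int32_t a, int32_t b)
{
    const int64_t sum = static_cast<int64_t>(a) + static_cast<int64_t>(b);
    return sum < std::numeric_limits<int32_t>::min()
        || sum > std::numeric_limits<int32_t>::max();
}

// SAFE without widening: unsigned arithmetic wraps modulo 2^32 by definition.
// Signed overflow happened iff both operands have the same sign bit and the
// (wrapped) sum has the opposite sign bit.
static bool addWouldWrapInt32Unsigned(int32_t a, int32_t b)
{
    const uint32_t ua = static_cast<uint32_t>(a);
    const uint32_t ub = static_cast<uint32_t>(b);
    const uint32_t us = ua + ub;             // well-defined wrap
    return ((ua ^ us) & (ub ^ us) & 0x80000000u) != 0;
}

// A derived bounds check of the kind a check-combining pass emits:
// "index + offset is within [0, length)". Evaluated in 64-bit so that a sum
// which wraps in int32 (e.g. INT32_MIN + INT32_MIN == 0 mod 2^32) can never
// masquerade as a small, in-bounds index.
static bool indexPlusOffsetInBounds(int32_t index, int32_t offset, uint32_t length)
{
    const int64_t sum = static_cast<int64_t>(index) + static_cast<int64_t>(offset);
    return sum >= 0 && sum < static_cast<int64_t>(length);
}

int main()
{
    std::printf("INT32_MAX + 1 wraps: %d\n", addWouldWrapInt32(INT32_MAX, 1));
    std::printf("INT32_MIN + INT32_MIN in bounds of 10: %d\n",
                indexPlusOffsetInBounds(INT32_MIN, INT32_MIN, 10));
    return 0;
}
```

Compile with `-O2 -fsanitize=undefined` and call the naive variant with `INT32_MAX, 1` to see the sanitizer flag the addition; the two safe variants stay silent and agree on every input.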
13403 | 2015-04-07 Michael Saboff <msaboff@apple.com> | |
13404 | ||
13405 | Lazily initialize LogToSystemConsole flag to reduce memory usage | |
13406 | https://bugs.webkit.org/show_bug.cgi?id=143506 | |
13407 | ||
13408 | Reviewed by Mark Lam. | |
13409 | ||
13410 | Only call into CF preferences code when we need to in order to reduce memory usage. | |
13411 | ||
13412 | * inspector/JSGlobalObjectConsoleClient.cpp: | |
13413 | (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole): | |
13414 | (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole): | |
13415 | (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): | |
13416 | (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient): | |
13417 | ||
13418 | 2015-04-07 Benjamin Poulain <benjamin@webkit.org> | |
13419 | ||
13420 | Get the features.json files ready for open contributions | |
13421 | https://bugs.webkit.org/show_bug.cgi?id=143436 | |
13422 | ||
13423 | Reviewed by Darin Adler. | |
13424 | ||
13425 | * features.json: | |
13426 | ||
13427 | 2015-04-07 Filip Pizlo <fpizlo@apple.com> | |
13428 | ||
13429 | Constant folding of typed array properties should be handled by AI rather than strength reduction | |
13430 | https://bugs.webkit.org/show_bug.cgi?id=143496 | |
13431 | ||
13432 | Reviewed by Geoffrey Garen. | |
13433 | ||
13434 | Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA | |
13435 | phase and whatever other phase did the folding in order to find all constants. | |
13436 | ||
13437 | This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint | |
13438 | directly. | |
13439 | ||
13440 | This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not | |
13441 | found because all of the tests for it involved the property getting constant folded. I found that | |
13442 | the codegen was bad because an earlier version of the patch broke that constant folding. This | |
13443 | adds a new test for that node type, which makes constant folding impossible by allocating a new | |
13444 | typed array every time. The lesson here is: if you write a test for something, run the test with | |
13445 | full IR dumps to make sure it's actually testing the thing you want it to test. | |
13446 | ||
13447 | * dfg/DFGAbstractInterpreterInlines.h: | |
13448 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
13449 | * dfg/DFGClobberize.h: | |
13450 | (JSC::DFG::clobberize): | |
13451 | * dfg/DFGConstantFoldingPhase.cpp: | |
13452 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
13453 | * dfg/DFGDoesGC.cpp: | |
13454 | (JSC::DFG::doesGC): | |
13455 | * dfg/DFGFixupPhase.cpp: | |
13456 | (JSC::DFG::FixupPhase::fixupNode): | |
13457 | * dfg/DFGGraph.cpp: | |
13458 | (JSC::DFG::Graph::dump): | |
13459 | (JSC::DFG::Graph::tryGetFoldableView): | |
13460 | (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted. | |
13461 | * dfg/DFGGraph.h: | |
13462 | * dfg/DFGNode.h: | |
13463 | (JSC::DFG::Node::hasTypedArray): Deleted. | |
13464 | (JSC::DFG::Node::typedArray): Deleted. | |
13465 | * dfg/DFGNodeType.h: | |
13466 | * dfg/DFGPredictionPropagationPhase.cpp: | |
13467 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
13468 | * dfg/DFGSafeToExecute.h: | |
13469 | (JSC::DFG::safeToExecute): | |
13470 | * dfg/DFGSpeculativeJIT.cpp: | |
13471 | (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds): | |
13472 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
13473 | (JSC::DFG::SpeculativeJIT::compile): | |
13474 | * dfg/DFGSpeculativeJIT64.cpp: | |
13475 | (JSC::DFG::SpeculativeJIT::compile): | |
13476 | * dfg/DFGStrengthReductionPhase.cpp: | |
13477 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
13478 | (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted. | |
13479 | (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted. | |
13480 | * dfg/DFGWatchpointCollectionPhase.cpp: | |
13481 | (JSC::DFG::WatchpointCollectionPhase::handle): | |
13482 | (JSC::DFG::WatchpointCollectionPhase::addLazily): | |
13483 | * ftl/FTLCapabilities.cpp: | |
13484 | (JSC::FTL::canCompile): | |
13485 | * ftl/FTLLowerDFGToLLVM.cpp: | |
13486 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
13487 | (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset): | |
13488 | (JSC::FTL::LowerDFGToLLVM::typedArrayLength): | |
13489 | * tests/stress/fold-typed-array-properties.js: | |
13490 | (foo): | |
13491 | * tests/stress/typed-array-byte-offset.js: Added. | |
13492 | (foo): | |
13493 | ||
13494 | 2015-04-07 Matthew Mirman <mmirman@apple.com> | |
13495 | ||
13496 | Source and stack information should get appended only to native errors | |
13497 | and should be added directly after construction rather than when thrown. | |
13498 | This fixes frozen objects being unfrozen when thrown while conforming to | |
13499 | ecma script standard and other browser behavior. | |
13500 | rdar://problem/19927293 | |
13501 | https://bugs.webkit.org/show_bug.cgi?id=141871 | |
13502 | ||
13503 | Reviewed by Geoffrey Garen. | |
13504 | ||
13505 | Appending stack, source, line, and column information to an object whenever that object is thrown | |
13506 | is incorrect because it violates the ecma script standard for the behavior of throw. Suppose for example | |
13507 | that the object being thrown already has one of these properties or is frozen. Adding the properties | |
13508 | would then violate the frozen contract or overwrite those properties. Other browsers do not do this, | |
13509 | and doing this causes unnecessary performance hits in code with heavy use of the throw construct as | |
13510 | a control flow construct rather than just an error reporting mechanism. | |
13511 | ||
13512 | Because WebCore adds "native" errors which do not inherit from any JSC native error, | |
13513 | appending the error properties as a separate call after construction of the error is required | |
13514 | to avoid having to manually truncate the stack and gather local source information due to | |
13515 | the stack being extended by a nested call to construct one of the native JSC errors. | |
13516 | ||
13517 | * interpreter/Interpreter.cpp: | |
13518 | (JSC::Interpreter::execute): | |
13519 | * interpreter/Interpreter.h: | |
13520 | * parser/ParserError.h: | |
13521 | (JSC::ParserError::toErrorObject): | |
13522 | * runtime/CommonIdentifiers.h: | |
13523 | * runtime/Error.cpp: | |
13524 | (JSC::createError): | |
13525 | (JSC::createEvalError): | |
13526 | (JSC::createRangeError): | |
13527 | (JSC::createReferenceError): | |
13528 | (JSC::createSyntaxError): | |
13529 | (JSC::createTypeError): | |
13530 | (JSC::createNotEnoughArgumentsError): | |
13531 | (JSC::createURIError): | |
13532 | (JSC::createOutOfMemoryError): | |
13533 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): | |
13534 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): | |
13535 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): | |
13536 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): | |
13537 | (JSC::addErrorInfoAndGetBytecodeOffset): Added. | |
13538 | (JSC::addErrorInfo): Added special case for appending complete error info | |
13539 | to a newly constructed error object. | |
13540 | * runtime/Error.h: | |
13541 | * runtime/ErrorConstructor.cpp: | |
13542 | (JSC::Interpreter::constructWithErrorConstructor): | |
13543 | (JSC::Interpreter::callErrorConstructor): | |
13544 | * runtime/ErrorInstance.cpp: | |
13545 | (JSC::appendSourceToError): Moved from VM.cpp | |
13546 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): | |
13547 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): | |
13548 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): | |
13549 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): | |
13550 | (JSC::addErrorInfoAndGetBytecodeOffset): | |
13551 | (JSC::ErrorInstance::finishCreation): | |
13552 | * runtime/ErrorInstance.h: | |
13553 | (JSC::ErrorInstance::create): | |
13554 | * runtime/ErrorPrototype.cpp: | |
13555 | (JSC::ErrorPrototype::finishCreation): | |
13556 | * runtime/ExceptionFuzz.cpp: | |
13557 | (JSC::doExceptionFuzzing): | |
13558 | * runtime/ExceptionHelpers.cpp: | |
13559 | (JSC::createError): | |
13560 | (JSC::createInvalidFunctionApplyParameterError): | |
13561 | (JSC::createInvalidInParameterError): | |
13562 | (JSC::createInvalidInstanceofParameterError): | |
13563 | (JSC::createNotAConstructorError): | |
13564 | (JSC::createNotAFunctionError): | |
13565 | (JSC::createNotAnObjectError): | |
13566 | (JSC::throwOutOfMemoryError): | |
13567 | (JSC::createStackOverflowError): Deleted. | |
13568 | (JSC::createOutOfMemoryError): Deleted. | |
13569 | * runtime/ExceptionHelpers.h: | |
13570 | * runtime/JSArrayBufferConstructor.cpp: | |
13571 | (JSC::constructArrayBuffer): | |
13572 | * runtime/JSArrayBufferPrototype.cpp: | |
13573 | (JSC::arrayBufferProtoFuncSlice): | |
13574 | * runtime/JSGenericTypedArrayViewInlines.h: | |
13575 | (JSC::JSGenericTypedArrayView<Adaptor>::create): | |
13576 | (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): | |
13577 | * runtime/NativeErrorConstructor.cpp: | |
13578 | (JSC::Interpreter::constructWithNativeErrorConstructor): | |
13579 | (JSC::Interpreter::callNativeErrorConstructor): | |
13580 | * runtime/VM.cpp: | |
13581 | (JSC::VM::throwException): | |
13582 | (JSC::appendSourceToError): Moved to Error.cpp | |
13583 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted. | |
13584 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted. | |
13585 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted. | |
13586 | (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted. | |
13587 | * tests/stress/freeze_leek.js: Added. | |
13588 | ||
13589 | 2015-04-07 Joseph Pecoraro <pecoraro@apple.com> | |
13590 | ||
13591 | Web Inspector: ES6: Show Symbol properties on Objects | |
13592 | https://bugs.webkit.org/show_bug.cgi?id=141279 | |
13593 | ||
13594 | Reviewed by Timothy Hatcher. | |
13595 | ||
13596 | * inspector/protocol/Runtime.json: | |
13597 | Give PropertyDescriptor a reference to the Symbol RemoteObject | |
13598 | if the property is a symbol property. | |
13599 | ||
13600 | * inspector/InjectedScriptSource.js: | |
13601 | Enumerate symbol properties on objects. | |
13602 | ||
13603 | 2015-04-07 Filip Pizlo <fpizlo@apple.com> | |
13604 | ||
13605 | Make it possible to enable LLVM FastISel | |
13606 | https://bugs.webkit.org/show_bug.cgi?id=143489 | |
13607 | ||
13608 | Reviewed by Michael Saboff. | |
13609 | ||
13610 | The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built | |
13611 | against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system | |
13612 | if we should enable it. | |
13613 | ||
13614 | * ftl/FTLCompile.cpp: | |
13615 | (JSC::FTL::mmAllocateDataSection): | |
13616 | * llvm/InitializeLLVM.cpp: | |
13617 | (JSC::initializeLLVMImpl): | |
13618 | * llvm/InitializeLLVM.h: | |
13619 | * llvm/InitializeLLVMLinux.cpp: | |
13620 | (JSC::getLLVMInitializerFunction): | |
13621 | (JSC::initializeLLVMImpl): Deleted. | |
13622 | * llvm/InitializeLLVMMac.cpp: | |
13623 | (JSC::getLLVMInitializerFunction): | |
13624 | (JSC::initializeLLVMImpl): Deleted. | |
13625 | * llvm/InitializeLLVMPOSIX.cpp: | |
13626 | (JSC::getLLVMInitializerFunctionPOSIX): | |
13627 | (JSC::initializeLLVMPOSIX): Deleted. | |
13628 | * llvm/InitializeLLVMPOSIX.h: | |
13629 | * llvm/InitializeLLVMWin.cpp: | |
13630 | (JSC::getLLVMInitializerFunction): | |
13631 | (JSC::initializeLLVMImpl): Deleted. | |
13632 | * llvm/LLVMAPI.cpp: | |
13633 | * llvm/LLVMAPI.h: | |
13634 | * llvm/library/LLVMExports.cpp: | |
13635 | (initCommandLine): | |
13636 | (initializeAndGetJSCLLVMAPI): | |
13637 | * runtime/Options.cpp: | |
13638 | (JSC::Options::initialize): | |
13639 | ||
13640 | 2015-04-06 Yusuke Suzuki <utatane.tea@gmail.com> | |
13641 | ||
13642 | put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex | |
13643 | https://bugs.webkit.org/show_bug.cgi?id=140426 | |
13644 | ||
13645 | Reviewed by Darin Adler. | |
13646 | ||
13647 | In the put_by_val_direct operation, we use JSObject::putDirect. | |
13648 | However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex. | |
13649 | This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex. | |
13650 | ||
13651 | * dfg/DFGOperations.cpp: | |
13652 | (JSC::DFG::putByVal): | |
13653 | (JSC::DFG::operationPutByValInternal): | |
13654 | * jit/JITOperations.cpp: | |
13655 | * llint/LLIntSlowPaths.cpp: | |
13656 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
13657 | * runtime/Identifier.h: | |
13658 | (JSC::isIndex): | |
13659 | (JSC::parseIndex): | |
13660 | * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added. | |
13661 | (lookupWithKey): | |
13662 | (toStringThrowsError.toString): | |
13663 | ||
13664 | 2015-04-06 Alberto Garcia <berto@igalia.com> | |
13665 | ||
13666 | [GTK] Fix HPPA build | |
13667 | https://bugs.webkit.org/show_bug.cgi?id=143453 | |
13668 | ||
13669 | Reviewed by Darin Adler. | |
13670 | ||
13671 | Add HPPA to the list of supported CPUs. | |
13672 | ||
13673 | * CMakeLists.txt: | |
13674 | ||
13675 | 2015-04-06 Mark Lam <mark.lam@apple.com> | |
13676 | ||
13677 | In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well. | |
13678 | <https://webkit.org/b/143396> | |
13679 | ||
13680 | Reviewed by Filip Pizlo. | |
13681 | ||
13682 | The DFG was neglecting to set the result boolean. The FTL was setting it with | |
13683 | an inverted value. Both of these are now resolved. | |
13684 | ||
13685 | * dfg/DFGSpeculativeJIT64.cpp: | |
13686 | (JSC::DFG::SpeculativeJIT::compile): | |
13687 | * ftl/FTLLowerDFGToLLVM.cpp: | |
13688 | (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty): | |
13689 | * tests/stress/for-in-array-mode.js: Added. | |
13690 | (.): | |
13691 | (test): | |
13692 | ||
13693 | 2015-04-06 Yusuke Suzuki <utatane.tea@gmail.com> | |
13694 | ||
13695 | [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString | |
13696 | https://bugs.webkit.org/show_bug.cgi?id=143424 | |
13697 | ||
13698 | Reviewed by Geoffrey Garen. | |
13699 | ||
13700 | In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString). | |
13701 | ||
13702 | ToString(symbol) throws a type error. | |
13703 | However, String(symbol) produces SymbolDescriptiveString(symbol). | |
13704 | ||
13705 | So, in DFG and FTL phase, they should not inline StringConstructor to ToString. | |
13706 | ||
13707 | Now, in the template literals patch, ToString DFG operation is planned to be used. | |
13708 | And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better. | |
13709 | So instead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL. | |
13710 | In CallStringConstructor, all behavior in DFG analysis is the same. | |
13711 | The only difference from ToString is that, when calling DFG operation functions, it calls | |
13712 | operationCallStringConstructorOnCell and operationCallStringConstructor instead of | |
13713 | operationToStringOnCell and operationToString. | |
13714 | ||
13715 | * dfg/DFGAbstractInterpreterInlines.h: | |
13716 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
13717 | * dfg/DFGBackwardsPropagationPhase.cpp: | |
13718 | (JSC::DFG::BackwardsPropagationPhase::propagate): | |
13719 | * dfg/DFGByteCodeParser.cpp: | |
13720 | (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): | |
13721 | * dfg/DFGClobberize.h: | |
13722 | (JSC::DFG::clobberize): | |
13723 | * dfg/DFGDoesGC.cpp: | |
13724 | (JSC::DFG::doesGC): | |
13725 | * dfg/DFGFixupPhase.cpp: | |
13726 | (JSC::DFG::FixupPhase::fixupNode): | |
13727 | (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor): | |
13728 | (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): | |
13729 | (JSC::DFG::FixupPhase::fixupToString): Deleted. | |
13730 | * dfg/DFGNodeType.h: | |
13731 | * dfg/DFGOperations.cpp: | |
13732 | * dfg/DFGOperations.h: | |
13733 | * dfg/DFGPredictionPropagationPhase.cpp: | |
13734 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
13735 | * dfg/DFGSafeToExecute.h: | |
13736 | (JSC::DFG::safeToExecute): | |
13737 | * dfg/DFGSpeculativeJIT.cpp: | |
13738 | (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): | |
13739 | (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted. | |
13740 | * dfg/DFGSpeculativeJIT.h: | |
13741 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
13742 | (JSC::DFG::SpeculativeJIT::compile): | |
13743 | * dfg/DFGSpeculativeJIT64.cpp: | |
13744 | (JSC::DFG::SpeculativeJIT::compile): | |
13745 | * dfg/DFGStructureRegistrationPhase.cpp: | |
13746 | (JSC::DFG::StructureRegistrationPhase::run): | |
13747 | * ftl/FTLCapabilities.cpp: | |
13748 | (JSC::FTL::canCompile): | |
13749 | * ftl/FTLLowerDFGToLLVM.cpp: | |
13750 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
13751 | (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor): | |
13752 | (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted. | |
13753 | * runtime/StringConstructor.cpp: | |
13754 | (JSC::stringConstructor): | |
13755 | (JSC::callStringConstructor): | |
13756 | * runtime/StringConstructor.h: | |
13757 | * tests/stress/symbol-and-string-constructor.js: Added. | |
13758 | (performString): | |
13759 | ||
13760 | 2015-04-06 Yusuke Suzuki <utatane.tea@gmail.com> | |
13761 | ||
13762 | Return Optional<uint32_t> from PropertyName::asIndex | |
13763 | https://bugs.webkit.org/show_bug.cgi?id=143422 | |
13764 | ||
13765 | Reviewed by Darin Adler. | |
13766 | ||
13767 | PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex. | |
13768 | But it's not obvious to callers. | |
13769 | ||
13770 | This patch changes | |
13771 | 1. PropertyName::asIndex() to return Optional<uint32_t> and | |
13772 | 2. function name `asIndex()` to `parseIndex()`. | |
13773 | It forces callers to check explicitly whether the value is an index or not. | |
13774 | ||
13775 | * bytecode/GetByIdStatus.cpp: | |
13776 | (JSC::GetByIdStatus::computeFor): | |
13777 | * bytecode/PutByIdStatus.cpp: | |
13778 | (JSC::PutByIdStatus::computeFor): | |
13779 | * bytecompiler/BytecodeGenerator.cpp: | |
13780 | (JSC::BytecodeGenerator::emitDirectPutById): | |
13781 | * jit/Repatch.cpp: | |
13782 | (JSC::emitPutTransitionStubAndGetOldStructure): | |
13783 | * jsc.cpp: | |
13784 | * runtime/ArrayPrototype.cpp: | |
13785 | (JSC::arrayProtoFuncSort): | |
13786 | * runtime/GenericArgumentsInlines.h: | |
13787 | (JSC::GenericArguments<Type>::getOwnPropertySlot): | |
13788 | (JSC::GenericArguments<Type>::put): | |
13789 | (JSC::GenericArguments<Type>::deleteProperty): | |
13790 | (JSC::GenericArguments<Type>::defineOwnProperty): | |
13791 | * runtime/Identifier.h: | |
13792 | (JSC::parseIndex): | |
13793 | (JSC::Identifier::isSymbol): | |
13794 | * runtime/JSArray.cpp: | |
13795 | (JSC::JSArray::defineOwnProperty): | |
13796 | * runtime/JSCJSValue.cpp: | |
13797 | (JSC::JSValue::putToPrimitive): | |
13798 | * runtime/JSGenericTypedArrayViewInlines.h: | |
13799 | (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot): | |
13800 | (JSC::JSGenericTypedArrayView<Adaptor>::put): | |
13801 | (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): | |
13802 | (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty): | |
13803 | * runtime/JSObject.cpp: | |
13804 | (JSC::JSObject::put): | |
13805 | (JSC::JSObject::putDirectAccessor): | |
13806 | (JSC::JSObject::putDirectCustomAccessor): | |
13807 | (JSC::JSObject::deleteProperty): | |
13808 | (JSC::JSObject::putDirectMayBeIndex): | |
13809 | (JSC::JSObject::defineOwnProperty): | |
13810 | * runtime/JSObject.h: | |
13811 | (JSC::JSObject::getOwnPropertySlot): | |
13812 | (JSC::JSObject::getPropertySlot): | |
13813 | (JSC::JSObject::putDirectInternal): | |
13814 | * runtime/JSString.cpp: | |
13815 | (JSC::JSString::getStringPropertyDescriptor): | |
13816 | * runtime/JSString.h: | |
13817 | (JSC::JSString::getStringPropertySlot): | |
13818 | * runtime/LiteralParser.cpp: | |
13819 | (JSC::LiteralParser<CharType>::parse): | |
13820 | * runtime/PropertyName.h: | |
13821 | (JSC::parseIndex): | |
13822 | (JSC::toUInt32FromCharacters): Deleted. | |
13823 | (JSC::toUInt32FromStringImpl): Deleted. | |
13824 | (JSC::PropertyName::asIndex): Deleted. | |
13825 | * runtime/PropertyNameArray.cpp: | |
13826 | (JSC::PropertyNameArray::add): | |
13827 | * runtime/StringObject.cpp: | |
13828 | (JSC::StringObject::deleteProperty): | |
13829 | * runtime/Structure.cpp: | |
13830 | (JSC::Structure::prototypeChainMayInterceptStoreTo): | |
13831 | ||
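Two entries above turn on the same question: is a property name an array index or not? The put_by_val_direct fix (2015-04-06) needs the answer to route a store to putDirectIndex instead of putDirect, and the PropertyName::asIndex change replaces a UINT_MAX sentinel, which every caller had to remember to compare against, with an Optional that cannot be used without checking. The following is an added example (not WebKit code; all names are hypothetical stand-ins) that implements the ECMA-262 array-index rule with an explicit "not an index" result, parses in 64-bit so a ten-digit string cannot wrap, and routes a direct put to a toy indexed or named store the way the fixed operation does:

```cpp
// Added example, not WebKit code: parsing a property name as an array index
// with an explicit "not an index" result, and routing a direct put to the
// indexed or the named store accordingly. All names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>
#include <string>
#include <string_view>
#include <utility>

// ECMA-262: an array index is a canonical numeric string whose value is an
// integer in [0, 2^32 - 2]. 2^32 - 1 (UINT32_MAX) is therefore not an index,
// which is what makes UINT32_MAX tempting as a sentinel and risky in practice:
// every caller has to remember the comparison. std::optional makes forgetting
// it a compile-time error rather than a silent out-of-range store.
constexpr uint32_t kMaxArrayIndex = 0xFFFFFFFEu;

static std::optional<uint32_t> parseIndex(std::string_view name)
{
    if (name.empty() || name.size() > 10)        // "4294967294" has 10 digits
        return std::nullopt;
    if (name.size() > 1 && name[0] == '0')        // "00", "01": not canonical
        return std::nullopt;
    uint64_t value = 0;                           // 64-bit: 10 digits cannot wrap
    for (char c : name) {
        if (c < '0' || c > '9')                   // rejects "-1", " 1", "1e3"
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > kMaxArrayIndex)
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Stand-ins for an object's indexed storage and its named property storage.
struct ToyObject {
    std::map<uint32_t, std::string> indexed;
    std::map<std::string, std::string> named;
};

// Models the fixed put_by_val_direct: an index-like key must go to the indexed
// store (putDirectIndex), everything else to the named store (putDirect).
// Storing the key "1" in the named store would leave a later indexed lookup
// of 1 unable to find it.
static void putDirectMayBeIndex(ToyObject& obj, std::string_view key, std::string value)
{
    if (auto index = parseIndex(key))
        obj.indexed[*index] = std::move(value);
    else
        obj.named[std::string(key)] = std::move(value);
}

// Indexed read that consults only the indexed store, as an element access would.
static std::optional<std::string> getByIndex(const ToyObject& obj, uint32_t index)
{
    auto it = obj.indexed.find(index);
    if (it == obj.indexed.end())
        return std::nullopt;
    return it->second;
}

// Scenario (constructed input): three direct puts with index-like and non-index
// keys; returns true iff each landed in the store the matching access consults.
static bool directPutRoutesIndexKeys()
{
    ToyObject obj;
    putDirectMayBeIndex(obj, "1", "a");
    putDirectMayBeIndex(obj, "01", "b");
    putDirectMayBeIndex(obj, "4294967295", "c");
    return getByIndex(obj, 1) == std::optional<std::string>("a")
        && !getByIndex(obj, 2).has_value()
        && obj.named.count("01") == 1 && obj.named.at("01") == "b"
        && obj.named.count("4294967295") == 1
        && obj.indexed.size() == 1 && obj.named.size() == 2;
}

int main()
{
    std::printf("routing correct: %d\n", directPutRoutesIndexKeys());
    return 0;
}
```

The interesting inputs are the boundary strings: "4294967294" is the largest index, "4294967295" is an ordinary property name, and "01" is a name even though it is numeric, because it is not the canonical string for 1.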
13832 | 2015-04-05 Andreas Kling <akling@apple.com> | |
13833 | ||
13834 | URI encoding/escaping should use efficient string building instead of calling snprintf(). | |
13835 | <https://webkit.org/b/143426> | |
13836 | ||
13837 | Reviewed by Gavin Barraclough. | |
13838 | ||
13839 | I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/> | |
13840 | which seemed pretty silly. This change gets that down to nothing in favor of using our | |
13841 | existing JSStringBuilder and HexNumber.h facilities. | |
13842 | ||
13843 | These APIs are well-exercised by our existing test suite. | |
13844 | ||
13845 | * runtime/JSGlobalObjectFunctions.cpp: | |
13846 | (JSC::encode): | |
13847 | (JSC::globalFuncEscape): | |
13848 | ||
13849 | 2015-04-05 Masataka Yakura <masataka.yakura@gmail.com> | |
13850 | ||
13851 | documentation for ES Promises points to the wrong one | |
13852 | https://bugs.webkit.org/show_bug.cgi?id=143263 | |
13853 | ||
13854 | Reviewed by Darin Adler. | |
13855 | ||
13856 | * features.json: | |
13857 | ||
13858 | 2015-04-05 Simon Fraser <simon.fraser@apple.com> | |
13859 | ||
13860 | Remove "go ahead and" from comments | |
13861 | https://bugs.webkit.org/show_bug.cgi?id=143421 | |
13862 | ||
13863 | Reviewed by Darin Adler, Benjamin Poulain. | |
13864 | ||
13865 | Remove the phrase "go ahead and" from comments where it doesn't add | |
13866 | anything (which is almost all of them). | |
13867 | ||
13868 | * interpreter/JSStack.cpp: | |
13869 | (JSC::JSStack::growSlowCase): | |
13870 | ||
13871 | 2015-04-04 Andreas Kling <akling@apple.com> | |
13872 | ||
13873 | Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely. | |
13874 | <https://webkit.org/b/143210> | |
13875 | ||
13876 | Reviewed by Geoffrey Garen. | |
13877 | ||
13878 | Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone, | |
13879 | we had a little problem where WeakBlocks with only null pointers would still keep their | |
13880 | MarkedBlock alive. | |
13881 | ||
13882 | This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers | |
13883 | that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed | |
13884 | to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC, | |
13885 | destroying them once they're fully dead. | |
13886 | ||
13887 | This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves | |
13888 | a mysterious issue where doing two full garbage collections back-to-back would free additional | |
13889 | memory in the second collection. | |
13890 | ||
13891 | Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with | |
13892 | an index of the next block in that vector that needs to be swept. The IncrementalSweeper then | |
13893 | calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time. | |
13894 | ||
13895 | * heap/Heap.h: | |
13896 | * heap/Heap.cpp: | |
13897 | (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks | |
13898 | owned by Heap, after everything else has been swept. | |
13899 | ||
13900 | (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks | |
13901 | after a full garbage collection ends. Note that we don't do this after Eden collections, since | |
13902 | they are unlikely to cause entire WeakBlocks to go empty. | |
13903 | ||
13904 | (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock | |
13905 | to the Heap when it's detached from a WeakSet. | |
13906 | ||
13907 | (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all | |
13908 | of the logically empty WeakBlocks owned by Heap. | |
13909 | ||
13910 | (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed | |
13911 | and updates the next-logically-empty-weak-block-to-sweep index. | |
13912 | ||
13913 | (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there | |
13914 | won't be another chance after this. | |
13915 | ||
13916 | * heap/IncrementalSweeper.h: | |
13917 | (JSC::IncrementalSweeper::hasWork): Deleted. | |
13918 | ||
13919 | * heap/IncrementalSweeper.cpp: | |
13920 | (JSC::IncrementalSweeper::fullSweep): | |
13921 | (JSC::IncrementalSweeper::doSweep): | |
13922 | (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify | |
13923 | adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is | |
13924 | changed to return a bool (true if there's more work to be done.) | |
13925 | ||
13926 | * heap/WeakBlock.cpp: | |
13927 | (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't | |
13928 | contain any pointers to live objects. The answer is stored in a new SweepResult member. | |
13929 | ||
13930 | * heap/WeakBlock.h: | |
13931 | (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine | |
13932 | if the WeakBlock could be detached from the MarkedBlock. | |
13933 | ||
13934 | (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables | |
13935 | when declaring them. | |
13936 | ||
13937 | 2015-04-04 Yusuke Suzuki <utatane.tea@gmail.com> | |
13938 | ||
13939 | Implement ES6 Object.getOwnPropertySymbols | |
13940 | https://bugs.webkit.org/show_bug.cgi?id=141106 | |
13941 | ||
13942 | Reviewed by Geoffrey Garen. | |
13943 | ||
13944 | This patch implements `Object.getOwnPropertySymbols`. | |
13945 | One technical issue is that, since we use private symbols (such as `@Object`) in the | |
13946 | privileged JS code in `builtins/`, they should not be exposed. | |
13947 | To distinguish them from the usual symbols, check the target `StringImpl*` is not a private name | |
13948 | before adding it into PropertyNameArray. | |
13949 | ||
13950 | To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames` | |
13951 | since all private symbols are held in this map. | |
13952 | ||
13953 | * builtins/BuiltinExecutables.cpp: | |
13954 | (JSC::BuiltinExecutables::createExecutableInternal): | |
13955 | * builtins/BuiltinNames.h: | |
13956 | (JSC::BuiltinNames::isPrivateName): | |
13957 | * runtime/CommonIdentifiers.cpp: | |
13958 | (JSC::CommonIdentifiers::isPrivateName): | |
13959 | * runtime/CommonIdentifiers.h: | |
13960 | * runtime/EnumerationMode.h: | |
13961 | (JSC::EnumerationMode::EnumerationMode): | |
13962 | (JSC::EnumerationMode::includeSymbolProperties): | |
13963 | * runtime/ExceptionHelpers.cpp: | |
13964 | (JSC::createUndefinedVariableError): | |
13965 | * runtime/JSGlobalObject.cpp: | |
13966 | (JSC::JSGlobalObject::init): | |
13967 | * runtime/JSLexicalEnvironment.cpp: | |
13968 | (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): | |
13969 | * runtime/JSSymbolTableObject.cpp: | |
13970 | (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): | |
13971 | * runtime/ObjectConstructor.cpp: | |
13972 | (JSC::ObjectConstructor::finishCreation): | |
13973 | (JSC::objectConstructorGetOwnPropertySymbols): | |
13974 | (JSC::defineProperties): | |
13975 | (JSC::objectConstructorSeal): | |
13976 | (JSC::objectConstructorFreeze): | |
13977 | (JSC::objectConstructorIsSealed): | |
13978 | (JSC::objectConstructorIsFrozen): | |
13979 | * runtime/ObjectConstructor.h: | |
13980 | (JSC::ObjectConstructor::create): | |
13981 | * runtime/Structure.cpp: | |
13982 | (JSC::Structure::getPropertyNamesFromStructure): | |
13983 | * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added. | |
13984 | (compare): | |
13985 | * tests/stress/object-get-own-property-symbols.js: Added. | |
13986 | (forIn): | |
13987 | * tests/stress/symbol-define-property.js: Added. | |
13988 | (testSymbol): | |
13989 | * tests/stress/symbol-seal-and-freeze.js: Added. | |
13990 | * tests/stress/symbol-with-json.js: Added. | |
13991 | ||
13992 | 2015-04-03 Mark Lam <mark.lam@apple.com> | |
13993 | ||
13994 | Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner. | |
13995 | <https://webkit.org/b/143385> | |
13996 | ||
13997 | Reviewed by Geoffrey Garen. | |
13998 | ||
13999 | For debugging purposes, sometimes, we want to be able to make compilation happen | |
14000 | sooner to see if we can accelerate the manifestation of certain events / bugs. | |
14001 | Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds | |
14002 | which make up the compilation policy. Let's add a single knob that can tune all | |
14003 | the thresholds up / down in one go proportionately so that we can easily tweak | |
14004 | how soon compilation occurs. | |
14005 | ||
14006 | * runtime/Options.cpp: | |
14007 | (JSC::scaleJITPolicy): | |
14008 | (JSC::recomputeDependentOptions): | |
14009 | * runtime/Options.h: | |
14010 | ||
14011 | 2015-04-03 Geoffrey Garen <ggaren@apple.com> | |
14012 | ||
14013 | is* API methods should be @properties | |
14014 | https://bugs.webkit.org/show_bug.cgi?id=143388 | |
14015 | ||
14016 | Reviewed by Mark Lam. | |
14017 | ||
14018 | This appears to be the preferred idiom in WebKit, CA, AppKit, and | |
14019 | Foundation. | |
14020 | ||
14021 | * API/JSValue.h: Be @properties. | |
14022 | ||
14023 | * API/tests/testapi.mm: | |
14024 | (testObjectiveCAPI): Use the @properties. | |
14025 | ||
14026 | 2015-04-03 Mark Lam <mark.lam@apple.com> | |
14027 | ||
14028 | Some JSC Options refactoring and enhancements. | |
14029 | <https://webkit.org/b/143384> | |
14030 | ||
14031 | Rubber stamped by Benjamin Poulain. | |
14032 | ||
14033 | Create a better encapsulated Option class to make working with options easier. This | |
14034 | is a building block towards a JIT policy scaling debugging option I will introduce later. | |
14035 | ||
14036 | This work entails: | |
14037 | 1. Convert Options::Option into a public class Option (which works closely with Options). | |
14038 | 2. Convert Options::EntryType into an enum class Options::Type and make it public. | |
14039 | 3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better. | |
14040 | 4. Add misc methods to class Option to make it more usable. | |
14041 | ||
14042 | * runtime/Options.cpp: | |
14043 | (JSC::Options::dumpOption): | |
14044 | (JSC::Option::dump): | |
14045 | (JSC::Option::operator==): | |
14046 | (JSC::Options::Option::dump): Deleted. | |
14047 | (JSC::Options::Option::operator==): Deleted. | |
14048 | * runtime/Options.h: | |
14049 | (JSC::Option::Option): | |
14050 | (JSC::Option::operator!=): | |
14051 | (JSC::Option::name): | |
14052 | (JSC::Option::description): | |
14053 | (JSC::Option::type): | |
14054 | (JSC::Option::isOverridden): | |
14055 | (JSC::Option::defaultOption): | |
14056 | (JSC::Option::boolVal): | |
14057 | (JSC::Option::unsignedVal): | |
14058 | (JSC::Option::doubleVal): | |
14059 | (JSC::Option::int32Val): | |
14060 | (JSC::Option::optionRangeVal): | |
14061 | (JSC::Option::optionStringVal): | |
14062 | (JSC::Option::gcLogLevelVal): | |
14063 | (JSC::Options::Option::Option): Deleted. | |
14064 | (JSC::Options::Option::operator!=): Deleted. | |
14065 | ||
14066 | 2015-04-03 Geoffrey Garen <ggaren@apple.com> | |
14067 | ||
14068 | JavaScriptCore API should support type checking for Array and Date | |
14069 | https://bugs.webkit.org/show_bug.cgi?id=143324 | |
14070 | ||
14071 | Follow-up to address a comment by Dan. | |
14072 | ||
14073 | * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100 | |
14074 | is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED | |
14075 | is equal to 101100. | |
14076 | ||
14077 | 2015-04-03 Geoffrey Garen <ggaren@apple.com> | |
14078 | ||
14079 | JavaScriptCore API should support type checking for Array and Date | |
14080 | https://bugs.webkit.org/show_bug.cgi?id=143324 | |
14081 | ||
14082 | Follow-up to address a comment by Dan. | |
14083 | ||
14084 | * API/WebKitAvailability.h: Do use 10.0 because it was right all along. | |
14085 | Added a comment explaining why. | |
14086 | ||
14087 | 2015-04-03 Csaba Osztrogonác <ossy@webkit.org> | |
14088 | ||
14089 | FTL JIT tests should fail if LLVM library isn't available | |
14090 | https://bugs.webkit.org/show_bug.cgi?id=143374 | |
14091 | ||
14092 | Reviewed by Mark Lam. | |
14093 | ||
14094 | * dfg/DFGPlan.cpp: | |
14095 | (JSC::DFG::Plan::compileInThreadImpl): | |
14096 | * runtime/Options.h: | |
14097 | ||
14098 | 2015-04-03 Zan Dobersek <zdobersek@igalia.com> | |
14099 | ||
14100 | Fix the EFL and GTK build after r182243 | |
14101 | https://bugs.webkit.org/show_bug.cgi?id=143361 | |
14102 | ||
14103 | Reviewed by Csaba Osztrogonác. | |
14104 | ||
14105 | * CMakeLists.txt: InspectorBackendCommands.js is generated in the | |
14106 | DerivedSources/JavaScriptCore/inspector/ directory. | |
14107 | ||
14108 | 2015-04-03 Zan Dobersek <zdobersek@igalia.com> | |
14109 | ||
14110 | Unreviewed, fixing Clang builds of the GTK port on Linux. | |
14111 | ||
14112 | * runtime/Options.cpp: | |
14113 | Include the <math.h> header for isnan(). | |
14114 | ||
14115 | 2015-04-02 Mark Lam <mark.lam@apple.com> | |
14116 | ||
14117 | Enhance ability to dump JSC Options. | |
14118 | <https://webkit.org/b/143357> | |
14119 | ||
14120 | Reviewed by Benjamin Poulain. | |
14121 | ||
14122 | Some enhancements to how the JSC options work: | |
14123 | ||
14124 | 1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only, | |
14125 | 2 = All, 3 = Verbose. | |
14126 | ||
14127 | The default is 0 (None). This dumps nothing. | |
14128 | With the Overridden setting, at VM initialization time, we will dump all | |
14129 | option values that have been changed from their default. | |
14130 | With the All setting, at VM initialization time, we will dump all option values. | |
14131 | With the Verbose setting, at VM initialization time, we will dump all option | |
14132 | values along with their descriptions (if available). | |
14133 | ||
14134 | 2. We now store a copy of the default option values. | |
14135 | ||
14136 | We later use this for comparison to tell if an option has been overridden, and | |
14137 | print the default value for reference. As a result, we no longer need the | |
14138 | didOverride flag since we can compute whether the option is overridden at any time. | |
14139 | ||
14140 | 3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose). | |
14141 | ||
14142 | This will come in handy later when we want to rename some of the options to more sane | |
14143 | names that are easier to remember. For example, we can change | |
14144 | Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and | |
14145 | Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate(). With the availability | |
14146 | of the description, we can afford to use shorter and less descriptive option names, | |
14147 | but they will be easier to remember and use for day to day debugging work. | |
14148 | ||
14149 | In this patch, I did not change the names of any of the options yet. I only added | |
14150 | description strings for options that I know about, and where I think the option name | |
14151 | isn't already descriptive enough. | |
14152 | ||
14153 | 4. Also deleted some unused code. | |
14154 | ||
14155 | * jsc.cpp: | |
14156 | (CommandLine::parseArguments): | |
14157 | * runtime/Options.cpp: | |
14158 | (JSC::Options::initialize): | |
14159 | (JSC::Options::setOption): | |
14160 | (JSC::Options::dumpAllOptions): | |
14161 | (JSC::Options::dumpOption): | |
14162 | (JSC::Options::Option::dump): | |
14163 | (JSC::Options::Option::operator==): | |
14164 | * runtime/Options.h: | |
14165 | (JSC::OptionRange::rangeString): | |
14166 | (JSC::Options::Option::Option): | |
14167 | (JSC::Options::Option::operator!=): | |
14168 | ||
14169 | 2015-04-02 Geoffrey Garen <ggaren@apple.com> | |
14170 | ||
14171 | JavaScriptCore API should support type checking for Array and Date | |
14172 | https://bugs.webkit.org/show_bug.cgi?id=143324 | |
14173 | ||
14174 | Reviewed by Darin Adler, Sam Weinig, Dan Bernstein. | |
14175 | ||
14176 | * API/JSValue.h: | |
14177 | * API/JSValue.mm: | |
14178 | (-[JSValue isArray]): | |
14179 | (-[JSValue isDate]): Added an ObjC API. | |
14180 | ||
14181 | * API/JSValueRef.cpp: | |
14182 | (JSValueIsArray): | |
14183 | (JSValueIsDate): | |
14184 | * API/JSValueRef.h: Added a C API. | |
14185 | ||
14186 | * API/WebKitAvailability.h: Brought our availability macros up to date | |
14187 | and fixed a harmless bug where "10_10" translated to "10.0". | |
14188 | ||
14189 | * API/tests/testapi.c: | |
14190 | (main): Added a test and corrected a pre-existing leak. | |
14191 | ||
14192 | * API/tests/testapi.mm: | |
14193 | (testObjectiveCAPI): Added a test. | |
14194 | ||
14195 | 2015-04-02 Mark Lam <mark.lam@apple.com> | |
14196 | ||
14197 | Add Options::dumpSourceAtDFGTime(). | |
14198 | <https://webkit.org/b/143349> | |
14199 | ||
14200 | Reviewed by Oliver Hunt, and Michael Saboff. | |
14201 | ||
14202 | Sometimes, we will want to see the JS source code that we're compiling, and it | |
14203 | would be nice to be able to do this without having to jump through a lot of hoops. | |
14204 | So, let's add an Options::dumpSourceAtDFGTime() option just like we have an | |
14205 | Options::dumpBytecodeAtDFGTime() option. | |
14206 | ||
14207 | Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode() | |
14208 | that explicitly take no arguments (instead of relying on the version that takes | |
14209 | the default argument). These versions are friendlier to use when we want to call | |
14210 | them from an interactive debugging session. | |
14211 | ||
14212 | * bytecode/CodeBlock.cpp: | |
14213 | (JSC::CodeBlock::dumpSource): | |
14214 | (JSC::CodeBlock::dumpBytecode): | |
14215 | * bytecode/CodeBlock.h: | |
14216 | * dfg/DFGByteCodeParser.cpp: | |
14217 | (JSC::DFG::ByteCodeParser::parseCodeBlock): | |
14218 | * runtime/Options.h: | |
14219 | ||
14220 | 2015-04-02 Yusuke Suzuki <utatane.tea@gmail.com> | |
14221 | ||
14222 | Clean up EnumerationMode to easily extend | |
14223 | https://bugs.webkit.org/show_bug.cgi?id=143276 | |
14224 | ||
14225 | Reviewed by Geoffrey Garen. | |
14226 | ||
14227 | To make the following easy, | |
14228 | 1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch | |
14229 | 2. Making ExcludeSymbols the implicit default for the existing flags | |
14230 | we encapsulate the EnumerationMode flags into the EnumerationMode class. | |
14231 | ||
14232 | And this class manages 2 flags. Later it will be extended to 3. | |
14233 | 1. DontEnumPropertiesMode (default is Exclude) | |
14234 | 2. JSObjectPropertiesMode (default is Include) | |
14235 | 3. SymbolPropertiesMode (default is Exclude) | |
14236 | SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch. | |
14237 | ||
14238 | This patch replaces places using ExcludeDontEnumProperties | |
14239 | with the EnumerationMode() value, which represents the default mode. | |
14240 | ||
14241 | * API/JSCallbackObjectFunctions.h: | |
14242 | (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames): | |
14243 | * API/JSObjectRef.cpp: | |
14244 | (JSObjectCopyPropertyNames): | |
14245 | * bindings/ScriptValue.cpp: | |
14246 | (Deprecated::jsToInspectorValue): | |
14247 | * bytecode/ObjectAllocationProfile.h: | |
14248 | (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): | |
14249 | * runtime/ArrayPrototype.cpp: | |
14250 | (JSC::arrayProtoFuncSort): | |
14251 | * runtime/EnumerationMode.h: | |
14252 | (JSC::EnumerationMode::EnumerationMode): | |
14253 | (JSC::EnumerationMode::includeDontEnumProperties): | |
14254 | (JSC::EnumerationMode::includeJSObjectProperties): | |
14255 | (JSC::shouldIncludeDontEnumProperties): Deleted. | |
14256 | (JSC::shouldExcludeDontEnumProperties): Deleted. | |
14257 | (JSC::shouldIncludeJSObjectPropertyNames): Deleted. | |
14258 | (JSC::modeThatSkipsJSObject): Deleted. | |
14259 | * runtime/GenericArgumentsInlines.h: | |
14260 | (JSC::GenericArguments<Type>::getOwnPropertyNames): | |
14261 | * runtime/JSArray.cpp: | |
14262 | (JSC::JSArray::getOwnNonIndexPropertyNames): | |
14263 | * runtime/JSArrayBuffer.cpp: | |
14264 | (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): | |
14265 | * runtime/JSArrayBufferView.cpp: | |
14266 | (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames): | |
14267 | * runtime/JSFunction.cpp: | |
14268 | (JSC::JSFunction::getOwnNonIndexPropertyNames): | |
14269 | * runtime/JSFunction.h: | |
14270 | * runtime/JSGenericTypedArrayViewInlines.h: | |
14271 | (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames): | |
14272 | * runtime/JSLexicalEnvironment.cpp: | |
14273 | (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): | |
14274 | * runtime/JSONObject.cpp: | |
14275 | (JSC::Stringifier::Holder::appendNextProperty): | |
14276 | (JSC::Walker::walk): | |
14277 | * runtime/JSObject.cpp: | |
14278 | (JSC::getClassPropertyNames): | |
14279 | (JSC::JSObject::getOwnPropertyNames): | |
14280 | (JSC::JSObject::getOwnNonIndexPropertyNames): | |
14281 | (JSC::JSObject::getGenericPropertyNames): | |
14282 | * runtime/JSPropertyNameEnumerator.h: | |
14283 | (JSC::propertyNameEnumerator): | |
14284 | * runtime/JSSymbolTableObject.cpp: | |
14285 | (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): | |
14286 | * runtime/ObjectConstructor.cpp: | |
14287 | (JSC::objectConstructorGetOwnPropertyNames): | |
14288 | (JSC::objectConstructorKeys): | |
14289 | (JSC::defineProperties): | |
14290 | (JSC::objectConstructorSeal): | |
14291 | (JSC::objectConstructorFreeze): | |
14292 | (JSC::objectConstructorIsSealed): | |
14293 | (JSC::objectConstructorIsFrozen): | |
14294 | * runtime/RegExpObject.cpp: | |
14295 | (JSC::RegExpObject::getOwnNonIndexPropertyNames): | |
14296 | (JSC::RegExpObject::getPropertyNames): | |
14297 | (JSC::RegExpObject::getGenericPropertyNames): | |
14298 | * runtime/StringObject.cpp: | |
14299 | (JSC::StringObject::getOwnPropertyNames): | |
14300 | * runtime/Structure.cpp: | |
14301 | (JSC::Structure::getPropertyNamesFromStructure): | |
14302 | ||
14303 | 2015-04-01 Alex Christensen <achristensen@webkit.org> | |
14304 | ||
14305 | Progress towards CMake on Windows and Mac. | |
14306 | https://bugs.webkit.org/show_bug.cgi?id=143293 | |
14307 | ||
14308 | Reviewed by Filip Pizlo. | |
14309 | ||
14310 | * CMakeLists.txt: | |
14311 | Enabled using assembly on Windows. | |
14312 | Replaced unix commands with CMake commands. | |
14313 | * PlatformMac.cmake: | |
14314 | Tell open source builders where to find unicode headers. | |
14315 | ||
14316 | 2015-04-01 Yusuke Suzuki <utatane.tea@gmail.com> | |
14317 | ||
14318 | IteratorClose should be called when jumping over the target for-of loop | |
14319 | https://bugs.webkit.org/show_bug.cgi?id=143140 | |
14320 | ||
14321 | Reviewed by Geoffrey Garen. | |
14322 | ||
14323 | This patch fixes labeled break/continue behaviors with for-of and iterators. | |
14324 | ||
14325 | 1. Support IteratorClose beyond multiple loop contexts | |
14326 | Previously, IteratorClose was only executed in for-of's breakTarget(). | |
14327 | However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts. | |
14328 | For example, | |
14329 | outer: for (var e1 of outer) { | |
14330 | inner: for (var e2 of inner) { | |
14331 | break outer; | |
14332 | } | |
14333 | } | |
14334 | In this case, the return method of inner should be called. | |
14335 | We leverage the existing system for `finally` to execute inner.return method correctly. | |
14336 | Leveraging `finally` system fixes `break`, `continue` and `return` cases. | |
14337 | `throw` case is already supported by emitting try-catch handlers in for-of. | |
14338 | ||
14339 | 2. Incorrect LabelScope creation is done in ForOfNode | |
14340 | ForOfNode creates a duplicated LabelScope. | |
14341 | It causes an infinite loop when executing the following program that contains an | |
14342 | explicitly labeled for-of loop. | |
14343 | For example, | |
14344 | inner: for (var elm of array) { | |
14345 | continue inner; | |
14346 | } | |
14347 | ||
14348 | * bytecompiler/BytecodeGenerator.cpp: | |
14349 | (JSC::BytecodeGenerator::pushFinallyContext): | |
14350 | (JSC::BytecodeGenerator::pushIteratorCloseContext): | |
14351 | (JSC::BytecodeGenerator::popFinallyContext): | |
14352 | (JSC::BytecodeGenerator::popIteratorCloseContext): | |
14353 | (JSC::BytecodeGenerator::emitComplexPopScopes): | |
14354 | (JSC::BytecodeGenerator::emitEnumeration): | |
14355 | (JSC::BytecodeGenerator::emitIteratorClose): | |
14356 | * bytecompiler/BytecodeGenerator.h: | |
14357 | * bytecompiler/NodesCodegen.cpp: | |
14358 | (JSC::ForOfNode::emitBytecode): | |
14359 | * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added. | |
14360 | (createIterator.iterator.return): | |
14361 | (createIterator): | |
14362 | * tests/stress/raise-error-in-iterator-close.js: Added. | |
14363 | (createIterator.iterator.return): | |
14364 | (createIterator): | |
14365 | ||
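The two cases described in this entry (labeled `break` across nested for-of loops, and a for-of loop that continues its own label), as an added example that is not part of the WebKit ChangeLog or JSC's own tests; `makeIterable` and the `run*` functions are helpers written for this illustration, with the iterator's `return` method logging each IteratorClose call:

```javascript
// Added example, not from the WebKit ChangeLog: a logging iterable whose
// iterator records when its `return` method (IteratorClose) is invoked.
function makeIterable(name, values, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
        // Called by IteratorClose when the loop is left early. The result
        // must be an object, otherwise the engine throws a TypeError.
        return() {
          log.push(`${name}.return`);
          return { done: true };
        },
      };
    },
  };
}

// Case 1 from the entry: `break outer` from inside the inner loop. Both
// iterators are abandoned early, so both return methods fire, inner first.
function runLabeledBreak() {
  const log = [];
  const outer = makeIterable("outer", [1, 2, 3], log);
  const inner = makeIterable("inner", ["a", "b"], log);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      log.push(`${e1}${e2}`);
      break outer;
    }
  }
  return log; // returns ["1a", "inner.return", "outer.return"]
}

// `continue outer` abandons only the inner iterator; the outer one keeps
// going and finishes normally, so its return method is never called.
function runLabeledContinue() {
  const log = [];
  const outer = makeIterable("outer", [1, 2], log);
  const inner = makeIterable("inner", ["a", "b"], log);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      log.push(`${e1}${e2}`);
      continue outer;
    }
  }
  return log; // returns ["1a", "inner.return", "2a", "inner.return"]
}

// Case 2 from the entry: a for-of loop that continues its own label. With
// the duplicated LabelScope this never terminated; the correct behaviour
// is simply to advance to the next element, with no early close.
function runSelfLabeledContinue() {
  const log = [];
  const array = makeIterable("array", ["a", "b"], log);
  inner: for (const elm of array) {
    log.push(elm);
    continue inner;
  }
  return log; // returns ["a", "b"]
}

console.log(runLabeledBreak(), runLabeledContinue(), runSelfLabeledContinue());
```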
14366 | 2015-04-01 Yusuke Suzuki <utatane.tea@gmail.com> | |
14367 | ||
14368 | [ES6] Implement Symbol.unscopables | |
14369 | https://bugs.webkit.org/show_bug.cgi?id=142829 | |
14370 | ||
14371 | Reviewed by Geoffrey Garen. | |
14372 | ||
14373 | This patch introduces Symbol.unscopables functionality. | |
14374 | In ES6, some generic names (like keys, values) are introduced | |
14375 | as Array method names. And this breaks the web since some web sites | |
14376 | use code like the following. | |
14377 | ||
14378 | var values = ...; | |
14379 | with (array) { | |
14380 | values; // This values is trapped by array's method "values". | |
14381 | } | |
14382 | ||
14383 | To fix this, Symbol.unscopables introduces a blacklist | |
14384 | for with scope's trapping. When resolving a scope, | |
14385 | if the name is found in the target scope and the target scope is a with scope, | |
14386 | we check the Symbol.unscopables object to filter generic names. | |
14387 | ||
14388 | This functionality is only active for with scopes. | |
14389 | Global scope does not have unscopables functionality. | |
14390 | ||
14391 | And since | |
14392 | 1) op_resolve_scope for a with scope always returns the Dynamic resolve type, | |
14393 | 2) in that case, JSScope::resolve is always used in the JIT and LLInt, | |
14394 | 3) the code which contains an op_resolve_scope that returns Dynamic cannot be compiled with the DFG and FTL, | |
14395 | to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code. | |
14396 | So the performance regression is only visible in the Dynamic resolving case, and it is already much slower. | |
14397 | ||
14398 | * runtime/ArrayPrototype.cpp: | |
14399 | (JSC::ArrayPrototype::finishCreation): | |
14400 | * runtime/CommonIdentifiers.h: | |
14401 | * runtime/JSGlobalObject.h: | |
14402 | (JSC::JSGlobalObject::runtimeFlags): | |
14403 | * runtime/JSScope.cpp: | |
14404 | (JSC::isUnscopable): | |
14405 | (JSC::JSScope::resolve): | |
14406 | * runtime/JSScope.h: | |
14407 | (JSC::ScopeChainIterator::scope): | |
14408 | * tests/stress/global-environment-does-not-trap-unscopables.js: Added. | |
14409 | (test): | |
14410 | * tests/stress/unscopables.js: Added. | |
14411 | (test): | |
14412 | (.): | |
14413 | ||
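The trapping behaviour described in this entry, observed from script, as an added example that is not part of the WebKit ChangeLog or JSC's tests; `resolveValues` and the other function names are helpers written for this illustration. Because `with` is a SyntaxError in strict code (including every ES module), the probe is built with the Function constructor, which always yields a sloppy-mode function:

```javascript
// Added example, not from the WebKit ChangeLog. The probe resolves the bare
// identifier `values` with `scope` pushed onto the scope chain by `with`;
// if the with scope does not trap the name, lookup falls back to the
// `values` parameter of the probe function.
const lookupValuesIn = new Function(
  "scope",
  "values",
  "with (scope) { return values; }"
);

function resolveValues(scope) {
  return lookupValuesIn(scope, "outer values");
}

// Array.prototype[Symbol.unscopables] lists the ES6 generic names, so the
// array's own `values` method is skipped and the outer binding wins.
function arrayDoesNotTrapValues() {
  return resolveValues([1, 2, 3]); // returns "outer values"
}

// A plain object has no unscopables list, so its `values` property traps
// the name exactly as the entry's `with (array) { values; }` case did
// before this change.
function plainObjectTrapsValues() {
  return resolveValues({ values: "trapped by object" }); // returns "trapped by object"
}

// Any object can opt a name out of trapping by listing it (truthy) under
// Symbol.unscopables; the lookup then continues past the with scope.
function objectWithUnscopablesDoesNotTrap() {
  const scope = {
    values: "trapped by object",
    [Symbol.unscopables]: { values: true },
  };
  return resolveValues(scope); // returns "outer values"
}

// Unscopables only apply to with scopes: a global property listed under
// globalThis[Symbol.unscopables] is still resolved through the global scope.
// The property names here are constructed for the demo and cleaned up after.
function globalScopeIgnoresUnscopables() {
  globalThis.unscopablesDemoName = "global binding";
  globalThis[Symbol.unscopables] = { unscopablesDemoName: true };
  try {
    return new Function("return unscopablesDemoName;")(); // returns "global binding"
  } finally {
    delete globalThis.unscopablesDemoName;
    delete globalThis[Symbol.unscopables];
  }
}

console.log(
  arrayDoesNotTrapValues(),
  plainObjectTrapsValues(),
  objectWithUnscopablesDoesNotTrap(),
  globalScopeIgnoresUnscopables()
);
```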
14414 | 2015-03-31 Ryosuke Niwa <rniwa@webkit.org> | |
14415 | ||
14416 | ES6 class syntax should allow static setters and getters | |
14417 | https://bugs.webkit.org/show_bug.cgi?id=143180 | |
14418 | ||
14419 | Reviewed by Filip Pizlo. | |
14420 | ||
14421 | Apparently I misread the spec when I initially implemented parseClass. | |
14422 | ES6 class syntax allows static getters and setters so just allow that. | |
14423 | ||
14424 | * parser/Parser.cpp: | |
14425 | (JSC::Parser<LexerType>::parseClass): | |
14426 | ||
14427 | 2015-03-31 Filip Pizlo <fpizlo@apple.com> | |
14428 | ||
14429 | PutClosureVar CSE def() rule has a wrong base | |
14430 | https://bugs.webkit.org/show_bug.cgi?id=143280 | |
14431 | ||
14432 | Reviewed by Michael Saboff. | |
14433 | ||
14434 | I think that this code was incorrect in a benign way, since the base of a | |
14435 | PutClosureVar is not a JS-visible object. But it was preventing some optimizations. | |
14436 | ||
14437 | * dfg/DFGClobberize.h: | |
14438 | (JSC::DFG::clobberize): | |
14439 | ||
14440 | 2015-03-31 Commit Queue <commit-queue@webkit.org> | |
14441 | ||
14442 | Unreviewed, rolling out r182200. | |
14443 | https://bugs.webkit.org/show_bug.cgi?id=143279 | |
14444 | ||
14445 | Probably causing assertion extravaganza on bots. (Requested by | |
14446 | kling on #webkit). | |
14447 | ||
14448 | Reverted changeset: | |
14449 | ||
14450 | "Logically empty WeakBlocks should not pin down their | |
14451 | MarkedBlocks indefinitely." | |
14452 | https://bugs.webkit.org/show_bug.cgi?id=143210 | |
14453 | http://trac.webkit.org/changeset/182200 | |
14454 | ||
14455 | 2015-03-31 Yusuke Suzuki <utatane.tea@gmail.com> | |
14456 | ||
14457 | Clean up Identifier factories to clarify the meaning of StringImpl* | |
14458 | https://bugs.webkit.org/show_bug.cgi?id=143146 | |
14459 | ||
14460 | Reviewed by Filip Pizlo. | |
14461 | ||
14462 | In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used. | |
14463 | However, it's ambiguous because `StringImpl*` has 2 different meanings: | |
14464 | 1) a normal string, which is replaceable with `WTFString`, and | |
14465 | 2) a `uid`, which holds `isSymbol` information to represent Symbols. | |
14466 | So we dropped the Identifier constructors for strings and instead introduced 2 factory functions. | |
14467 | + `Identifier::fromString(VM*/ExecState*, const String&)`. | |
14468 | Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept. | |
14469 | + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`. | |
14470 | This function is used for 2), `uid`. So the symbol-ness of `StringImpl*` is kept. | |
14471 | ||
14472 | And to clean up `StringImpl` which is used as a uid, | |
14473 | we introduce `StringKind` into `StringImpl`. There are 3 kinds: | |
14474 | 1. StringNormal (non-atomic, non-symbol) | |
14475 | 2. StringAtomic (atomic, non-symbol) | |
14476 | 3. StringSymbol (non-atomic, symbol) | |
14477 | They are mutually exclusive. And the (atomic, symbol) case should not exist. | |
14478 | ||
14479 | * API/JSCallbackObjectFunctions.h: | |
14480 | (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames): | |
14481 | * API/JSObjectRef.cpp: | |
14482 | (JSObjectMakeFunction): | |
14483 | * API/OpaqueJSString.cpp: | |
14484 | (OpaqueJSString::identifier): | |
14485 | * bindings/ScriptFunctionCall.cpp: | |
14486 | (Deprecated::ScriptFunctionCall::call): | |
14487 | * builtins/BuiltinExecutables.cpp: | |
14488 | (JSC::BuiltinExecutables::createExecutableInternal): | |
14489 | * builtins/BuiltinNames.h: | |
14490 | (JSC::BuiltinNames::BuiltinNames): | |
14491 | * bytecompiler/BytecodeGenerator.cpp: | |
14492 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
14493 | (JSC::BytecodeGenerator::emitThrowReferenceError): | |
14494 | (JSC::BytecodeGenerator::emitThrowTypeError): | |
14495 | (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): | |
14496 | (JSC::BytecodeGenerator::emitEnumeration): | |
14497 | * dfg/DFGDesiredIdentifiers.cpp: | |
14498 | (JSC::DFG::DesiredIdentifiers::reallyAdd): | |
14499 | * inspector/JSInjectedScriptHost.cpp: | |
14500 | (Inspector::JSInjectedScriptHost::functionDetails): | |
14501 | (Inspector::constructInternalProperty): | |
14502 | (Inspector::JSInjectedScriptHost::weakMapEntries): | |
14503 | (Inspector::JSInjectedScriptHost::iteratorEntries): | |
14504 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
14505 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
14506 | * inspector/JSJavaScriptCallFramePrototype.cpp: | |
14507 | * inspector/ScriptCallStackFactory.cpp: | |
14508 | (Inspector::extractSourceInformationFromException): | |
14509 | * jit/JITOperations.cpp: | |
14510 | * jsc.cpp: | |
14511 | (GlobalObject::finishCreation): | |
14512 | (GlobalObject::addFunction): | |
14513 | (GlobalObject::addConstructableFunction): | |
14514 | (functionRun): | |
14515 | (runWithScripts): | |
14516 | * llint/LLIntData.cpp: | |
14517 | (JSC::LLInt::Data::performAssertions): | |
14518 | * llint/LowLevelInterpreter.asm: | |
14519 | * parser/ASTBuilder.h: | |
14520 | (JSC::ASTBuilder::addVar): | |
14521 | * parser/Parser.cpp: | |
14522 | (JSC::Parser<LexerType>::parseInner): | |
14523 | (JSC::Parser<LexerType>::createBindingPattern): | |
14524 | * parser/ParserArena.h: | |
14525 | (JSC::IdentifierArena::makeIdentifier): | |
14526 | (JSC::IdentifierArena::makeIdentifierLCharFromUChar): | |
14527 | (JSC::IdentifierArena::makeNumericIdentifier): | |
14528 | * runtime/ArgumentsIteratorPrototype.cpp: | |
14529 | (JSC::ArgumentsIteratorPrototype::finishCreation): | |
14530 | * runtime/ArrayIteratorPrototype.cpp: | |
14531 | (JSC::ArrayIteratorPrototype::finishCreation): | |
14532 | * runtime/ArrayPrototype.cpp: | |
14533 | (JSC::ArrayPrototype::finishCreation): | |
14534 | (JSC::arrayProtoFuncPush): | |
14535 | * runtime/ClonedArguments.cpp: | |
14536 | (JSC::ClonedArguments::getOwnPropertySlot): | |
14537 | * runtime/CommonIdentifiers.cpp: | |
14538 | (JSC::CommonIdentifiers::CommonIdentifiers): | |
14539 | * runtime/CommonIdentifiers.h: | |
14540 | * runtime/Error.cpp: | |
14541 | (JSC::addErrorInfo): | |
14542 | (JSC::hasErrorInfo): | |
14543 | * runtime/ExceptionHelpers.cpp: | |
14544 | (JSC::createUndefinedVariableError): | |
14545 | * runtime/GenericArgumentsInlines.h: | |
14546 | (JSC::GenericArguments<Type>::getOwnPropertySlot): | |
14547 | * runtime/Identifier.h: | |
14548 | (JSC::Identifier::isSymbol): | |
14549 | (JSC::Identifier::Identifier): | |
14550 | (JSC::Identifier::from): Deleted. | |
14551 | * runtime/IdentifierInlines.h: | |
14552 | (JSC::Identifier::Identifier): | |
14553 | (JSC::Identifier::fromUid): | |
14554 | (JSC::Identifier::fromString): | |
14555 | * runtime/JSCJSValue.cpp: | |
14556 | (JSC::JSValue::dumpInContextAssumingStructure): | |
14557 | * runtime/JSCJSValueInlines.h: | |
14558 | (JSC::JSValue::toPropertyKey): | |
14559 | * runtime/JSGlobalObject.cpp: | |
14560 | (JSC::JSGlobalObject::init): | |
14561 | * runtime/JSLexicalEnvironment.cpp: | |
14562 | (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): | |
14563 | * runtime/JSObject.cpp: | |
14564 | (JSC::getClassPropertyNames): | |
14565 | (JSC::JSObject::reifyStaticFunctionsForDelete): | |
14566 | * runtime/JSObject.h: | |
14567 | (JSC::makeIdentifier): | |
14568 | * runtime/JSPromiseConstructor.cpp: | |
14569 | (JSC::JSPromiseConstructorFuncRace): | |
14570 | (JSC::JSPromiseConstructorFuncAll): | |
14571 | * runtime/JSString.h: | |
14572 | (JSC::JSString::toIdentifier): | |
14573 | * runtime/JSSymbolTableObject.cpp: | |
14574 | (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): | |
14575 | * runtime/LiteralParser.cpp: | |
14576 | (JSC::LiteralParser<CharType>::tryJSONPParse): | |
14577 | (JSC::LiteralParser<CharType>::makeIdentifier): | |
14578 | * runtime/Lookup.h: | |
14579 | (JSC::reifyStaticProperties): | |
14580 | * runtime/MapConstructor.cpp: | |
14581 | (JSC::constructMap): | |
14582 | * runtime/MapIteratorPrototype.cpp: | |
14583 | (JSC::MapIteratorPrototype::finishCreation): | |
14584 | * runtime/MapPrototype.cpp: | |
14585 | (JSC::MapPrototype::finishCreation): | |
14586 | * runtime/MathObject.cpp: | |
14587 | (JSC::MathObject::finishCreation): | |
14588 | * runtime/NumberConstructor.cpp: | |
14589 | (JSC::NumberConstructor::finishCreation): | |
14590 | * runtime/ObjectConstructor.cpp: | |
14591 | (JSC::ObjectConstructor::finishCreation): | |
14592 | * runtime/PrivateName.h: | |
14593 | (JSC::PrivateName::PrivateName): | |
14594 | * runtime/PropertyMapHashTable.h: | |
14595 | (JSC::PropertyTable::find): | |
14596 | (JSC::PropertyTable::get): | |
14597 | * runtime/PropertyName.h: | |
14598 | (JSC::PropertyName::PropertyName): | |
14599 | (JSC::PropertyName::publicName): | |
14600 | (JSC::PropertyName::asIndex): | |
14601 | * runtime/PropertyNameArray.cpp: | |
14602 | (JSC::PropertyNameArray::add): | |
14603 | * runtime/PropertyNameArray.h: | |
14604 | (JSC::PropertyNameArray::addKnownUnique): | |
14605 | * runtime/RegExpConstructor.cpp: | |
14606 | (JSC::RegExpConstructor::finishCreation): | |
14607 | * runtime/SetConstructor.cpp: | |
14608 | (JSC::constructSet): | |
14609 | * runtime/SetIteratorPrototype.cpp: | |
14610 | (JSC::SetIteratorPrototype::finishCreation): | |
14611 | * runtime/SetPrototype.cpp: | |
14612 | (JSC::SetPrototype::finishCreation): | |
14613 | * runtime/StringIteratorPrototype.cpp: | |
14614 | (JSC::StringIteratorPrototype::finishCreation): | |
14615 | * runtime/StringPrototype.cpp: | |
14616 | (JSC::StringPrototype::finishCreation): | |
14617 | * runtime/Structure.cpp: | |
14618 | (JSC::Structure::getPropertyNamesFromStructure): | |
14619 | * runtime/SymbolConstructor.cpp: | |
14620 | * runtime/VM.cpp: | |
14621 | (JSC::VM::throwException): | |
14622 | * runtime/WeakMapConstructor.cpp: | |
14623 | (JSC::constructWeakMap): | |
14624 | ||
14625 | 2015-03-31 Andreas Kling <akling@apple.com> | |
14626 | ||
14627 | Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely. | |
14628 | <https://webkit.org/b/143210> | |
14629 | ||
14630 | Reviewed by Geoffrey Garen. | |
14631 | ||
14632 | Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone, | |
14633 | we had a little problem where WeakBlocks with only null pointers would still keep their | |
14634 | MarkedBlock alive. | |
14635 | ||
14636 | This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers | |
14637 | that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed | |
14638 | to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC, | |
14639 | destroying them once they're fully dead. | |
14640 | ||
14641 | This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves | |
14642 | a mysterious issue where doing two full garbage collections back-to-back would free additional | |
14643 | memory in the second collection. | |
14644 | ||
14645 | Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with | |
14646 | an index of the next block in that vector that needs to be swept. The IncrementalSweeper then | |
14647 | calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time. | |
14648 | ||
14649 | * heap/Heap.h: | |
14650 | * heap/Heap.cpp: | |
14651 | (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks | |
14652 | owned by Heap, after everything else has been swept. | |
14653 | ||
14654 | (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks | |
14655 | after a full garbage collection ends. Note that we don't do this after Eden collections, since | |
14656 | they are unlikely to cause entire WeakBlocks to go empty. | |
14657 | ||
14658 | (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock | |
14659 | to the Heap when it's detached from a WeakSet. | |
14660 | ||
14661 | (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all | |
14662 | of the logically empty WeakBlocks owned by Heap. | |
14663 | ||
14664 | (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed | |
14665 | and updates the next-logically-empty-weak-block-to-sweep index. | |
14666 | ||
14667 | (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there | |
14668 | won't be another chance after this. | |
14669 | ||
14670 | * heap/IncrementalSweeper.h: | |
14671 | (JSC::IncrementalSweeper::hasWork): Deleted. | |
14672 | ||
14673 | * heap/IncrementalSweeper.cpp: | |
14674 | (JSC::IncrementalSweeper::fullSweep): | |
14675 | (JSC::IncrementalSweeper::doSweep): | |
14676 | (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify | |
14677 | adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is | |
14678 | changed to return a bool (true if there's more work to be done.) | |
14679 | ||
14680 | * heap/WeakBlock.cpp: | |
14681 | (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. it doesn't | |
14682 | contain any pointers to live objects. The answer is stored in a new SweepResult member. | |
14683 | ||
14684 | * heap/WeakBlock.h: | |
14685 | (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine | |
14686 | if the WeakBlock could be detached from the MarkedBlock. | |
14687 | ||
14688 | (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables | |
14689 | when declaring them. | |
14690 | ||
14691 | 2015-03-31 Ryosuke Niwa <rniwa@webkit.org> | |
14692 | ||
14693 | eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor | |
14694 | https://bugs.webkit.org/show_bug.cgi?id=142883 | |
14695 | ||
14696 | Reviewed by Filip Pizlo. | |
14697 | ||
14698 | The crash was caused by eval inside the constructor of a derived class not checking TDZ. | |
14699 | ||
14700 | Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this" | |
14701 | in eval inside a derived class' constructor. | |
14702 | ||
14703 | * bytecode/EvalCodeCache.h: | |
14704 | (JSC::EvalCodeCache::getSlow): | |
14705 | * bytecompiler/NodesCodegen.cpp: | |
14706 | (JSC::ThisNode::emitBytecode): | |
14707 | * debugger/DebuggerCallFrame.cpp: | |
14708 | (JSC::DebuggerCallFrame::evaluate): | |
14709 | * interpreter/Interpreter.cpp: | |
14710 | (JSC::eval): | |
14711 | * parser/ASTBuilder.h: | |
14712 | (JSC::ASTBuilder::thisExpr): | |
14713 | * parser/NodeConstructors.h: | |
14714 | (JSC::ThisNode::ThisNode): | |
14715 | * parser/Nodes.h: | |
14716 | * parser/Parser.cpp: | |
14717 | (JSC::Parser<LexerType>::Parser): | |
14718 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
14719 | * parser/Parser.h: | |
14720 | (JSC::parse): | |
14721 | * parser/ParserModes.h: | |
14722 | * parser/SyntaxChecker.h: | |
14723 | (JSC::SyntaxChecker::thisExpr): | |
14724 | * runtime/CodeCache.cpp: | |
14725 | (JSC::CodeCache::getGlobalCodeBlock): | |
14726 | (JSC::CodeCache::getProgramCodeBlock): | |
14727 | (JSC::CodeCache::getEvalCodeBlock): | |
14728 | * runtime/CodeCache.h: | |
14729 | (JSC::SourceCodeKey::SourceCodeKey): | |
14730 | * runtime/Executable.cpp: | |
14731 | (JSC::EvalExecutable::create): | |
14732 | * runtime/Executable.h: | |
14733 | * runtime/JSGlobalObject.cpp: | |
14734 | (JSC::JSGlobalObject::createEvalCodeBlock): | |
14735 | * runtime/JSGlobalObject.h: | |
14736 | * runtime/JSGlobalObjectFunctions.cpp: | |
14737 | (JSC::globalFuncEval): | |
14738 | * tests/stress/class-syntax-no-tdz-in-eval.js: Added. | |
14739 | * tests/stress/class-syntax-tdz-in-eval.js: Added. | |
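Added example, not WebKit's code or test: shows the behaviour this entry makes JSC enforce, namely that a direct eval of "this" inside a derived constructor is subject to the same TDZ check as a plain `this` reference. The class names and helper functions are constructed for illustration.

```javascript
// Added example, not WebKit code: a direct eval of "this.foo" inside a derived
// class constructor must hit the TDZ check, so using it before super() is a
// ReferenceError rather than a read of an uninitialized value.

class Base {
  constructor() { this.foo = "initialized"; }
}

// Construct a derived class that reads `this.foo` through a direct eval either
// before or after super(), and report what happened.
function evalThisInDerivedConstructor(beforeSuper) {
  const outcome = { threw: null, value: undefined };
  class Derived extends Base {
    constructor() {
      if (beforeSuper) {
        // `this` is still in its temporal dead zone here; eval must not bypass that.
        outcome.value = eval("this.foo");
      }
      super();
      if (!beforeSuper) {
        outcome.value = eval("this.foo");
      }
    }
  }
  try {
    new Derived();
  } catch (e) {
    outcome.threw = e.constructor.name;
  }
  return outcome;
}

// For contrast, a direct `this.foo` (no eval) before super() fails the same
// way; the eval path is required to match this behaviour.
function directThisBeforeSuper() {
  class Derived extends Base {
    constructor() {
      const v = this.foo; // TDZ violation
      super();
      this.v = v;
    }
  }
  try {
    new Derived();
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}
```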
14740 | ||
14741 | 2015-03-31 Commit Queue <commit-queue@webkit.org> | |
14742 | ||
14743 | Unreviewed, rolling out r182186. | |
14744 | https://bugs.webkit.org/show_bug.cgi?id=143270 | |
14745 | ||
14746 | it crashes all the WebGL tests on the Debug bots (Requested by | |
14747 | dino on #webkit). | |
14748 | ||
14749 | Reverted changeset: | |
14750 | ||
14751 | "Web Inspector: add 2D/WebGL canvas instrumentation | |
14752 | infrastructure" | |
14753 | https://bugs.webkit.org/show_bug.cgi?id=137278 | |
14754 | http://trac.webkit.org/changeset/182186 | |
14755 | ||
14756 | 2015-03-31 Yusuke Suzuki <utatane.tea@gmail.com> | |
14757 | ||
14758 | [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed | |
14759 | https://bugs.webkit.org/show_bug.cgi?id=142937 | |
14760 | ||
14761 | Reviewed by Darin Adler. | |
14762 | ||
14763 | In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed. | |
14764 | In ES5 or prior, when a first parameter is not of object type, these functions raise TypeError. | |
14765 | But now, several functions perform ToObject on a non-object parameter. | |
14766 | And others behave as if the parameter were a non-extensible ordinary object with no own properties. | |
14767 | It is described in ES6 Annex E. | |
14768 | The functions that differ from ES5 are the following. | |
14769 | ||
14770 | 1. An attempt is made to coerce the argument using ToObject. | |
14771 | Object.getOwnPropertyDescriptor | |
14772 | Object.getOwnPropertyNames | |
14773 | Object.getPrototypeOf | |
14774 | Object.keys | |
14775 | ||
14776 | 2. Treated as if it were a non-extensible ordinary object with no own properties. | |
14777 | Object.freeze | |
14778 | Object.isExtensible | |
14779 | Object.isFrozen | |
14780 | Object.isSealed | |
14781 | Object.preventExtensions | |
14782 | Object.seal | |
14783 | ||
14784 | * runtime/ObjectConstructor.cpp: | |
14785 | (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()): | |
14786 | (JSC::objectConstructorGetPrototypeOf): | |
14787 | (JSC::objectConstructorGetOwnPropertyDescriptor): | |
14788 | (JSC::objectConstructorGetOwnPropertyNames): | |
14789 | (JSC::objectConstructorKeys): | |
14790 | (JSC::objectConstructorSeal): | |
14791 | (JSC::objectConstructorFreeze): | |
14792 | (JSC::objectConstructorPreventExtensions): | |
14793 | (JSC::objectConstructorIsSealed): | |
14794 | (JSC::objectConstructorIsFrozen): | |
14795 | (JSC::objectConstructorIsExtensible): | |
14796 | * tests/stress/object-freeze-accept-non-object.js: Added. | |
14797 | * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added. | |
14798 | (canary): | |
14799 | * tests/stress/object-get-own-property-names-perform-to-object.js: Added. | |
14800 | (compare): | |
14801 | * tests/stress/object-get-prototype-of-perform-to-object.js: Added. | |
14802 | * tests/stress/object-is-extensible-accept-non-object.js: Added. | |
14803 | * tests/stress/object-is-frozen-accept-non-object.js: Added. | |
14804 | * tests/stress/object-is-sealed-accept-non-object.js: Added. | |
14805 | * tests/stress/object-keys-perform-to-object.js: Added. | |
14806 | (compare): | |
14807 | * tests/stress/object-prevent-extensions-accept-non-object.js: Added. | |
14808 | * tests/stress/object-seal-accept-non-object.js: Added. | |
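Added example, not WebKit's code or tests: probes the ES6 Annex E relaxation described in this entry by calling each listed Object.* function with a non-object first argument. The group names and helper functions are constructed for illustration; it also covers the null/undefined edge case, where the two groups still differ.

```javascript
// Added example, not WebKit code: probes the ES6 Annex E relaxation this entry
// implements by calling each listed Object.* function with a non-object first
// argument and recording whether it throws.

// Group 1 from the entry: the argument is coerced with ToObject, so primitives
// such as strings get wrapped, but null and undefined still raise a TypeError.
const TO_OBJECT_GROUP = [
  "getOwnPropertyDescriptor", "getOwnPropertyNames", "getPrototypeOf", "keys",
];

// Group 2 from the entry: a non-object is treated as a non-extensible ordinary
// object with no own properties, so nothing throws, not even for null/undefined.
const NON_EXTENSIBLE_GROUP = [
  "freeze", "isExtensible", "isFrozen", "isSealed", "preventExtensions", "seal",
];

// Call Object[name](value) and report "ok" or the name of the thrown error.
// The second argument is only consumed by getOwnPropertyDescriptor.
function probe(name, value) {
  try {
    Object[name](value, "length");
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// Outcome of every listed function for one value, keyed by function name.
function probeAll(value) {
  const outcomes = {};
  for (const name of [...TO_OBJECT_GROUP, ...NON_EXTENSIBLE_GROUP]) {
    outcomes[name] = probe(name, value);
  }
  return outcomes;
}

// What ToObject makes visible on a string primitive: index keys, a
// non-enumerable "length", and String.prototype as the prototype.
function describeString(s) {
  return {
    keys: Object.keys(s),
    ownNames: Object.getOwnPropertyNames(s),
    lengthValue: Object.getOwnPropertyDescriptor(s, "length").value,
    protoIsStringPrototype: Object.getPrototypeOf(s) === String.prototype,
  };
}

// Group 2 on a primitive: the "mutating" functions return the argument itself
// and the predicates answer as for a frozen, sealed, non-extensible object.
function describePrimitive(v) {
  return {
    freezeReturnsSelf: Object.freeze(v) === v,
    sealReturnsSelf: Object.seal(v) === v,
    preventExtensionsReturnsSelf: Object.preventExtensions(v) === v,
    isExtensible: Object.isExtensible(v),
    isFrozen: Object.isFrozen(v),
    isSealed: Object.isSealed(v),
  };
}
```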
14809 | ||
14810 | 2015-03-31 Matt Baker <mattbaker@apple.com> | |
14811 | ||
14812 | Web Inspector: add 2D/WebGL canvas instrumentation infrastructure | |
14813 | https://bugs.webkit.org/show_bug.cgi?id=137278 | |
14814 | ||
14815 | Reviewed by Timothy Hatcher. | |
14816 | ||
14817 | Added Canvas protocol which defines types used by InspectorCanvasAgent. | |
14818 | ||
14819 | * CMakeLists.txt: | |
14820 | * DerivedSources.make: | |
14821 | * inspector/protocol/Canvas.json: Added. | |
14822 | ||
14823 | * inspector/scripts/codegen/generator.py: | |
14824 | (Generator.stylized_name_for_enum_value): | |
14825 | Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings. | |
14826 | ||
14827 | 2015-03-30 Ryosuke Niwa <rniwa@webkit.org> | |
14828 | ||
14829 | Extending null should set __proto__ to null | |
14830 | https://bugs.webkit.org/show_bug.cgi?id=142882 | |
14831 | ||
14832 | Reviewed by Geoffrey Garen and Benjamin Poulain. | |
14833 | ||
14834 | Set Derived.prototype.__proto__ to null when extending null. | |
14835 | ||
14836 | * bytecompiler/NodesCodegen.cpp: | |
14837 | (JSC::ClassExprNode::emitBytecode): | |
14838 | ||
14839 | 2015-03-30 Mark Lam <mark.lam@apple.com> | |
14840 | ||
14841 | REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes. | |
14842 | <https://webkit.org/b/143105> | |
14843 | ||
14844 | Reviewed by Filip Pizlo. | |
14845 | ||
14846 | With r181993, the DFG and FTL may elide the storing of the scope register. As a result, | |
14847 | on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline | |
14848 | JIT frames that may not have their scope register set. The Debugger's current implementation, | |
14849 | which relies on the scope register, is not happy about this. For example, this results in a | |
14850 | crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html. | |
14851 | ||
14852 | The fix is to disable inlining when the debugger is in use. Also, we add Flush nodes to | |
14853 | ensure that the scope register value is flushed to the register in the stack frame. | |
14854 | ||
14855 | * dfg/DFGByteCodeParser.cpp: | |
14856 | (JSC::DFG::ByteCodeParser::ByteCodeParser): | |
14857 | (JSC::DFG::ByteCodeParser::setLocal): | |
14858 | (JSC::DFG::ByteCodeParser::flush): | |
14859 | - Add code to flush the scope register. | |
14860 | (JSC::DFG::ByteCodeParser::inliningCost): | |
14861 | - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby | |
14862 | disabling inlining whenever the debugger is in use. | |
14863 | * dfg/DFGGraph.cpp: | |
14864 | (JSC::DFG::Graph::Graph): | |
14865 | * dfg/DFGGraph.h: | |
14866 | (JSC::DFG::Graph::hasDebuggerEnabled): | |
14867 | * dfg/DFGStackLayoutPhase.cpp: | |
14868 | (JSC::DFG::StackLayoutPhase::run): | |
14869 | - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout. | |
14870 | * ftl/FTLCompile.cpp: | |
14871 | (JSC::FTL::mmAllocateDataSection): | |
14872 | - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout. | |
14873 | ||
14874 | 2015-03-30 Michael Saboff <msaboff@apple.com> | |
14875 | ||
14876 | Fix flaky float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 | |
14877 | https://bugs.webkit.org/show_bug.cgi?id=138391 | |
14878 | ||
14879 | Reviewed by Mark Lam. | |
14880 | ||
14881 | Re-enabling these tests as I can't get them to fail on local iOS test devices. | |
14882 | There have been many changes since these tests were disabled. | |
14883 | I'll watch automated test results for failures. If there are failures running automated | |
14884 | testing, it might be due to the device's relative CPU performance. | |
14885 | ||
14886 | * tests/stress/float32-repeat-out-of-bounds.js: | |
14887 | * tests/stress/int8-repeat-out-of-bounds.js: | |
14888 | ||
14889 | 2015-03-30 Joseph Pecoraro <pecoraro@apple.com> | |
14890 | ||
14891 | Web Inspector: Regression: Preview for [[null]] shouldn't be [] | |
14892 | https://bugs.webkit.org/show_bug.cgi?id=143208 | |
14893 | ||
14894 | Reviewed by Mark Lam. | |
14895 | ||
14896 | * inspector/InjectedScriptSource.js: | |
14897 | Handle null when generating simple object previews. | |
14898 | ||
14899 | 2015-03-30 Per Arne Vollan <peavo@outlook.com> | |
14900 | ||
14901 | Avoid using hardcoded values for JSValue::Int32Tag, if possible. | |
14902 | https://bugs.webkit.org/show_bug.cgi?id=143134 | |
14903 | ||
14904 | Reviewed by Geoffrey Garen. | |
14905 | ||
14906 | * jit/JSInterfaceJIT.h: | |
14907 | * jit/Repatch.cpp: | |
14908 | (JSC::tryCacheGetByID): | |
14909 | ||
14910 | 2015-03-30 Filip Pizlo <fpizlo@apple.com> | |
14911 | ||
14912 | REGRESSION: js/regress/inline-arguments-local-escape.html is flaky | |
14913 | https://bugs.webkit.org/show_bug.cgi?id=143104 | |
14914 | ||
14915 | Reviewed by Geoffrey Garen. | |
14916 | ||
14917 | Created a test that is a 100% repro of the flaky failure. This test is called | |
14918 | get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it | |
14919 | always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by | |
14920 | the inlined function. Other than that, it's the same as inline-arguments-local-escape. | |
14921 | ||
14922 | Also created three more tests for three similar, but not identical, failures. | |
14923 | ||
14924 | Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are | |
14925 | only reading those parts of the stack that are relevant to the current semantic code origin. | |
14926 | That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments, | |
14927 | like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that | |
14928 | read parts of the stack associated with the inline call frame for the phantom arguments. This | |
14929 | may not be subsumed by the current semantic origin's stack area in cases that the arguments | |
14930 | were allowed to "locally" escape. | |
14931 | ||
14932 | The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area | |
14933 | is not really a meaningful concept anymore. It is only meaningful for nodes that will read | |
14934 | the stack due to function.arguments, but there are a bunch of other ways that we could also | |
14935 | read the stack and those operations may read any stack slot. I believe that this change makes | |
14936 | PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing | |
14937 | on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that | |
14938 | readTop() in PreciseLocalClobberize does the right thing. | |
14939 | ||
14940 | * dfg/DFGClobberize.h: | |
14941 | (JSC::DFG::clobberize): | |
14942 | * dfg/DFGPreciseLocalClobberize.h: | |
14943 | (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): | |
14944 | * dfg/DFGPutStackSinkingPhase.cpp: | |
14945 | * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added. | |
14946 | * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added. | |
14947 | * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added. | |
14948 | * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added. | |
14949 | * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added. | |
14950 | ||
14951 | 2015-03-30 Benjamin Poulain <benjamin@webkit.org> | |
14952 | ||
14953 | Start the features.json files | |
14954 | https://bugs.webkit.org/show_bug.cgi?id=143207 | |
14955 | ||
14956 | Reviewed by Darin Adler. | |
14957 | ||
14958 | Start the features.json files to have something to experiment | |
14959 | with for the UI. | |
14960 | ||
14961 | * features.json: Added. | |
14962 | ||
14963 | 2015-03-29 Myles C. Maxfield <mmaxfield@apple.com> | |
14964 | ||
14965 | [Win] Addressing post-review comment after r182122 | |
14966 | https://bugs.webkit.org/show_bug.cgi?id=143189 | |
14967 | ||
14968 | Unreviewed. | |
14969 | ||
14970 | 2015-03-29 Myles C. Maxfield <mmaxfield@apple.com> | |
14971 | ||
14972 | [Win] Allow building JavaScriptCore without Cygwin | |
14973 | https://bugs.webkit.org/show_bug.cgi?id=143189 | |
14974 | ||
14975 | Reviewed by Brent Fulgham. | |
14976 | ||
14977 | Paths like /usr/bin/ don't exist on Windows. | |
14978 | Hashbangs don't work on Windows. Instead we must explicitly call the executable. | |
14979 | Prefixing commands with environment variables doesn't work on Windows. | |
14980 | Windows doesn't have 'cmp'. | |
14981 | Windows uses 'del' instead of 'rm'. | |
14982 | Windows uses 'type NUL' instead of 'touch'. | |
14983 | ||
14984 | * DerivedSources.make: | |
14985 | * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: | |
14986 | * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: | |
14987 | * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: | |
14988 | * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: | |
14989 | * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: | |
14990 | * JavaScriptCore.vcxproj/build-generated-files.pl: | |
14991 | * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl. | |
14992 | ||
14993 | 2015-03-28 Joseph Pecoraro <pecoraro@apple.com> | |
14994 | ||
14995 | Clean up JavaScriptCore/builtins | |
14996 | https://bugs.webkit.org/show_bug.cgi?id=143177 | |
14997 | ||
14998 | Reviewed by Ryosuke Niwa. | |
14999 | ||
15000 | * builtins/ArrayConstructor.js: | |
15001 | (from): | |
15002 | - We can compare to undefined instead of using a typeof undefined check. | |
15003 | - Converge on double quoted strings everywhere. | |
15004 | ||
15005 | * builtins/ArrayIterator.prototype.js: | |
15006 | (next): | |
15007 | * builtins/StringIterator.prototype.js: | |
15008 | (next): | |
15009 | - Use shorthand object construction to avoid duplication. | |
15010 | - Improve grammar in error messages. | |
15011 | ||
15012 | * tests/stress/array-iterators-next-with-call.js: | |
15013 | * tests/stress/string-iterators.js: | |
15014 | - Update for new error message strings. | |
15015 | ||
15016 | 2015-03-28 Saam Barati <saambarati1@gmail.com> | |
15017 | ||
15018 | Web Inspector: ES6: Better support for Symbol types in Type Profiler | |
15019 | https://bugs.webkit.org/show_bug.cgi?id=141257 | |
15020 | ||
15021 | Reviewed by Joseph Pecoraro. | |
15022 | ||
15023 | ES6 introduces the new primitive type Symbol. This patch makes JSC's | |
15024 | type profiler support this new primitive type. | |
15025 | ||
15026 | * dfg/DFGFixupPhase.cpp: | |
15027 | (JSC::DFG::FixupPhase::fixupNode): | |
15028 | * inspector/protocol/Runtime.json: | |
15029 | * runtime/RuntimeType.cpp: | |
15030 | (JSC::runtimeTypeForValue): | |
15031 | * runtime/RuntimeType.h: | |
15032 | (JSC::runtimeTypeIsPrimitive): | |
15033 | * runtime/TypeSet.cpp: | |
15034 | (JSC::TypeSet::addTypeInformation): | |
15035 | (JSC::TypeSet::dumpTypes): | |
15036 | (JSC::TypeSet::doesTypeConformTo): | |
15037 | (JSC::TypeSet::displayName): | |
15038 | (JSC::TypeSet::inspectorTypeSet): | |
15039 | (JSC::TypeSet::toJSONString): | |
15040 | * runtime/TypeSet.h: | |
15041 | (JSC::TypeSet::seenTypes): | |
15042 | * tests/typeProfiler/driver/driver.js: | |
15043 | * tests/typeProfiler/symbol.js: Added. | |
15044 | (wrapper.foo): | |
15045 | (wrapper.bar): | |
15046 | (wrapper.bar.bar.baz): | |
15047 | (wrapper): | |
15048 | ||
15049 | 2015-03-27 Saam Barati <saambarati1@gmail.com> | |
15050 | ||
15051 | Deconstruction parameters are bound too late | |
15052 | https://bugs.webkit.org/show_bug.cgi?id=143148 | |
15053 | ||
15054 | Reviewed by Filip Pizlo. | |
15055 | ||
15056 | Currently, a deconstruction pattern named with the same | |
15057 | name as a function will shadow the function. This is | |
15058 | wrong. It should be the other way around. | |
15059 | ||
15060 | * bytecompiler/BytecodeGenerator.cpp: | |
15061 | (JSC::BytecodeGenerator::generate): | |
15062 | ||
15063 | 2015-03-27 Ryosuke Niwa <rniwa@webkit.org> | |
15064 | ||
15065 | parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind | |
15066 | https://bugs.webkit.org/show_bug.cgi?id=143170 | |
15067 | ||
15068 | Reviewed by Benjamin Poulain. | |
15069 | ||
15070 | Assert that we never use the 16-bit version of the parser to parse a default constructor | |
15071 | since both base and derived default constructors should be using an 8-bit string. | |
15072 | ||
15073 | * parser/Parser.h: | |
15074 | (JSC::parse): | |
15075 | ||
15076 | 2015-03-27 Ryosuke Niwa <rniwa@webkit.org> | |
15077 | ||
15078 | ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor | |
15079 | https://bugs.webkit.org/show_bug.cgi?id=142862 | |
15080 | ||
15081 | Reviewed by Benjamin Poulain. | |
15082 | ||
15083 | Add a test that used to fail in DFG now that the bug has been fixed by r181993. | |
15084 | ||
15085 | * tests/stress/class-syntax-derived-default-constructor.js: Added. | |
15086 | ||
15087 | 2015-03-27 Michael Saboff <msaboff@apple.com> | |
15088 | ||
15089 | load8Signed() and load16Signed() should be renamed to avoid confusion | |
15090 | https://bugs.webkit.org/show_bug.cgi?id=143168 | |
15091 | ||
15092 | Reviewed by Benjamin Poulain. | |
15093 | ||
15094 | Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32(). | |
15095 | ||
15096 | * assembler/MacroAssemblerARM.h: | |
15097 | (JSC::MacroAssemblerARM::load8SignedExtendTo32): | |
15098 | (JSC::MacroAssemblerARM::load16SignedExtendTo32): | |
15099 | (JSC::MacroAssemblerARM::load8Signed): Deleted. | |
15100 | (JSC::MacroAssemblerARM::load16Signed): Deleted. | |
15101 | * assembler/MacroAssemblerARM64.h: | |
15102 | (JSC::MacroAssemblerARM64::load16SignedExtendTo32): | |
15103 | (JSC::MacroAssemblerARM64::load8SignedExtendTo32): | |
15104 | (JSC::MacroAssemblerARM64::load16Signed): Deleted. | |
15105 | (JSC::MacroAssemblerARM64::load8Signed): Deleted. | |
15106 | * assembler/MacroAssemblerARMv7.h: | |
15107 | (JSC::MacroAssemblerARMv7::load16SignedExtendTo32): | |
15108 | (JSC::MacroAssemblerARMv7::load8SignedExtendTo32): | |
15109 | (JSC::MacroAssemblerARMv7::load16Signed): Deleted. | |
15110 | (JSC::MacroAssemblerARMv7::load8Signed): Deleted. | |
15111 | * assembler/MacroAssemblerMIPS.h: | |
15112 | (JSC::MacroAssemblerMIPS::load8SignedExtendTo32): | |
15113 | (JSC::MacroAssemblerMIPS::load16SignedExtendTo32): | |
15114 | (JSC::MacroAssemblerMIPS::load8Signed): Deleted. | |
15115 | (JSC::MacroAssemblerMIPS::load16Signed): Deleted. | |
15116 | * assembler/MacroAssemblerSH4.h: | |
15117 | (JSC::MacroAssemblerSH4::load8SignedExtendTo32): | |
15118 | (JSC::MacroAssemblerSH4::load8): | |
15119 | (JSC::MacroAssemblerSH4::load16SignedExtendTo32): | |
15120 | (JSC::MacroAssemblerSH4::load16): | |
15121 | (JSC::MacroAssemblerSH4::load8Signed): Deleted. | |
15122 | (JSC::MacroAssemblerSH4::load16Signed): Deleted. | |
15123 | * assembler/MacroAssemblerX86Common.h: | |
15124 | (JSC::MacroAssemblerX86Common::load8SignedExtendTo32): | |
15125 | (JSC::MacroAssemblerX86Common::load16SignedExtendTo32): | |
15126 | (JSC::MacroAssemblerX86Common::load8Signed): Deleted. | |
15127 | (JSC::MacroAssemblerX86Common::load16Signed): Deleted. | |
15128 | * dfg/DFGSpeculativeJIT.cpp: | |
15129 | (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): | |
15130 | * jit/JITPropertyAccess.cpp: | |
15131 | (JSC::JIT::emitIntTypedArrayGetByVal): | |
15132 | ||
15133 | 2015-03-27 Michael Saboff <msaboff@apple.com> | |
15134 | ||
15135 | Fix flaky dfg-int8array.js and dfg-int16array.js tests for ARM64 | |
15136 | https://bugs.webkit.org/show_bug.cgi?id=138390 | |
15137 | ||
15138 | Reviewed by Mark Lam. | |
15139 | ||
15140 | Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits | |
15141 | instead of 64 bits. This is what X86-64 does. | |
15142 | ||
15143 | * assembler/MacroAssemblerARM64.h: | |
15144 | (JSC::MacroAssemblerARM64::load16Signed): | |
15145 | (JSC::MacroAssemblerARM64::load8Signed): | |
15146 | ||
15147 | 2015-03-27 Saam Barati <saambarati1@gmail.com> | |
15148 | ||
15149 | Add back previously broken assert from bug 141869 | |
15150 | https://bugs.webkit.org/show_bug.cgi?id=143005 | |
15151 | ||
15152 | Reviewed by Michael Saboff. | |
15153 | ||
15154 | * runtime/ExceptionHelpers.cpp: | |
15155 | (JSC::invalidParameterInSourceAppender): | |
15156 | ||
15157 | 2015-03-26 Geoffrey Garen <ggaren@apple.com> | |
15158 | ||
15159 | Make some more objects use FastMalloc | |
15160 | https://bugs.webkit.org/show_bug.cgi?id=143122 | |
15161 | ||
15162 | Reviewed by Csaba Osztrogonác. | |
15163 | ||
15164 | * API/JSCallbackObject.h: | |
15165 | * heap/IncrementalSweeper.h: | |
15166 | * jit/JITThunks.h: | |
15167 | * runtime/JSGlobalObjectDebuggable.h: | |
15168 | * runtime/RegExpCache.h: | |
15169 | ||
15170 | 2015-03-27 Michael Saboff <msaboff@apple.com> | |
15171 | ||
15172 | Objects with numeric properties intermittently get a phantom 'length' property | |
15173 | https://bugs.webkit.org/show_bug.cgi?id=142792 | |
15174 | ||
15175 | Reviewed by Csaba Osztrogonác. | |
15176 | ||
15177 | Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles | |
15178 | test and branch instructions. This function is used for linking tbz/tbnz branches between | |
15179 | two separately JIT'ed sections of code. Sometimes we'd create a bogus tbz instruction in | |
15180 | the failure case checks in the GetById array length stub created for "obj.length" access. | |
15181 | If the failure case code address was at a negative offset from the stub, we'd look for bit 1 | |
15182 | being set when we should have been looking for bit 0. | |
15183 | ||
15184 | * assembler/ARM64Assembler.h: | |
15185 | (JSC::ARM64Assembler::disassembleTestAndBranchImmediate): | |
15186 | ||
15187 | 2015-03-27 Yusuke Suzuki <utatane.tea@gmail.com> | |
15188 | ||
15189 | Insert exception check around toPropertyKey call | |
15190 | https://bugs.webkit.org/show_bug.cgi?id=142922 | |
15191 | ||
15192 | Reviewed by Geoffrey Garen. | |
15193 | ||
15194 | In some places, an exception check is missing after/before toPropertyKey. | |
15195 | However, since it calls toString, it's observable to users. | |
15196 | ||
15197 | Missing exception checks in Object.prototype methods can be | |
15198 | observed since it would be overridden with toObject(null/undefined) errors. | |
15199 | We inserted exception checks after toPropertyKey. | |
15200 | ||
15201 | Missing exception checks in GetById related code can be | |
15202 | observed since it would be overridden with toObject(null/undefined) errors. | |
15203 | In this case, we need to insert exception checks before/after toPropertyKey | |
15204 | since RequireObjectCoercible followed by toPropertyKey can cause exceptions. | |
15205 | ||
15206 | JSValue::get checks null/undefined and raises an exception if |this| is null or undefined. | |
15207 | However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey. | |
15208 | According to the spec, we first perform RequireObjectCoercible and check the exception. | |
15209 | And second, we perform ToPropertyKey and check the exception. | |
15210 | Since JSValue::toPropertyKey can cause toString call, this is observable to users. | |
15211 | For example, if the target is not object coercible, | |
15212 | ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey. | |
15213 | So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec. | |
15214 | ||
15215 | This patch introduces JSValue::requireObjectCoercible and uses it for the following 2 reasons. | |
15216 | ||
15217 | 1. Using toObject instead of requireObjectCoercible produces an unnecessary wrapper object. | |
15218 | ||
15219 | toObject converts primitive types into wrapper objects. | |
15220 | But it is not efficient since wrapper objects are not necessary | |
15221 | if we look up methods from the primitive value's prototype (using synthesizePrototype is better). | |
15222 | ||
15223 | 2. Using the result of toObject is not correct to the spec. | |
15224 | ||
15225 | To align to the spec correctly, we cannot use JSObject::get | |
15226 | by using the wrapper object produced by the toObject suggested in (1). | |
15227 | If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|. | |
15228 | It is not correct since getter should be called with the original |this| value that may be primitive types. | |
15229 | ||
15230 | So in this patch, we use JSValue::requireObjectCoercible | |
15231 | to check that the target is object coercible and raise an error if it's not. | |
15232 | ||
15233 | * dfg/DFGOperations.cpp: | |
15234 | * jit/JITOperations.cpp: | |
15235 | (JSC::getByVal): | |
15236 | * llint/LLIntSlowPaths.cpp: | |
15237 | (JSC::LLInt::getByVal): | |
15238 | * runtime/CommonSlowPaths.cpp: | |
15239 | (JSC::SLOW_PATH_DECL): | |
15240 | * runtime/JSCJSValue.h: | |
15241 | * runtime/JSCJSValueInlines.h: | |
15242 | (JSC::JSValue::requireObjectCoercible): | |
15243 | * runtime/ObjectPrototype.cpp: | |
15244 | (JSC::objectProtoFuncHasOwnProperty): | |
15245 | (JSC::objectProtoFuncDefineGetter): | |
15246 | (JSC::objectProtoFuncDefineSetter): | |
15247 | (JSC::objectProtoFuncLookupGetter): | |
15248 | (JSC::objectProtoFuncLookupSetter): | |
15249 | (JSC::objectProtoFuncPropertyIsEnumerable): | |
15250 | * tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added. | |
15251 | (shouldThrow): | |
15252 | (if): | |
15253 | * tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added. | |
15254 | (shouldThrow): | |
15255 | (.): | |
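Added example, not WebKit's code or tests: makes the evaluation order this entry fixes observable from script. A key whose toString (the ToPropertyKey step) counts its calls and throws shows whether that step ran before or after the RequireObjectCoercible check on the base value, and the reversed order that the spec gives Object.prototype.hasOwnProperty. KeyConversionError and the helper names are constructed for illustration.

```javascript
// Added example, not WebKit code: observe the order of RequireObjectCoercible
// and ToPropertyKey from script, using a key whose toString is instrumented.

class KeyConversionError extends Error {}

// A property key whose ToPropertyKey conversion is visible and always throws.
function makeThrowingKey() {
  const key = { toStringCalls: 0 };
  key.toString = function () {
    key.toStringCalls++;
    throw new KeyConversionError("toString ran");
  };
  return key;
}

// Evaluate base[key] and report which error surfaced and whether toString ran.
// Per spec, a null/undefined base must throw TypeError before the key is ever
// converted; any other base reaches ToPropertyKey and gets the key's error.
function observeGetByVal(base) {
  const key = makeThrowingKey();
  let errorName = null;
  try {
    base[key];
  } catch (e) {
    errorName = e.constructor.name;
  }
  return { errorName, toStringCalls: key.toStringCalls };
}

// Object.prototype.hasOwnProperty is specified the other way round:
// ToPropertyKey on the argument first, then ToObject on |this|, so the key's
// error must win even when |this| is null (the case this entry's Object.prototype
// fixes are about: the toObject error must not overwrite it).
function observeHasOwnProperty(thisValue) {
  const key = makeThrowingKey();
  let errorName = null;
  try {
    Object.prototype.hasOwnProperty.call(thisValue, key);
  } catch (e) {
    errorName = e.constructor.name;
  }
  return { errorName, toStringCalls: key.toStringCalls };
}
```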
15256 | ||
15257 | 2015-03-26 Joseph Pecoraro <pecoraro@apple.com> | |
15258 | ||
15259 | WebContent Crash when instantiating class with Type Profiling enabled | |
15260 | https://bugs.webkit.org/show_bug.cgi?id=143037 | |
15261 | ||
15262 | Reviewed by Ryosuke Niwa. | |
15263 | ||
15264 | * bytecompiler/BytecodeGenerator.h: | |
15265 | * bytecompiler/BytecodeGenerator.cpp: | |
15266 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
15267 | (JSC::BytecodeGenerator::emitMoveEmptyValue): | |
15268 | We cannot profile the type of an uninitialized empty JSValue. | |
15269 | Nor do we expect this to be necessary, since it is effectively | |
15270 | an unseen undefined value. So add a way to put the empty value | |
15271 | without profiling. | |
15272 | ||
15273 | (JSC::BytecodeGenerator::emitMove): | |
15274 | Add an assert to try to catch this issue early on, and force | |
15275 | callers to explicitly use emitMoveEmptyValue instead. | |
15276 | ||
15277 | * tests/typeProfiler/classes.js: Added. | |
15278 | (wrapper.Base): | |
15279 | (wrapper.Derived): | |
15280 | (wrapper): | |
15281 | Add test coverage both for this case and classes in general. | |
15282 | ||
15283 | 2015-03-26 Joseph Pecoraro <pecoraro@apple.com> | |
15284 | ||
15285 | Web Inspector: ES6: Provide a better view for Classes in the console | |
15286 | https://bugs.webkit.org/show_bug.cgi?id=142999 | |
15287 | ||
15288 | Reviewed by Timothy Hatcher. | |
15289 | ||
15290 | * inspector/protocol/Runtime.json: | |
15291 | Provide a new `subtype` enum "class". This is a subtype of `type` | |
15292 | "function"; all other subtypes are subtypes of `object` types. | |
15293 | For a class, the frontend will immediately want to get the prototype | |
15294 | to enumerate its methods, so include the `classPrototype`. | |
15295 | ||
15296 | * inspector/JSInjectedScriptHost.cpp: | |
15297 | (Inspector::JSInjectedScriptHost::subtype): | |
15298 | Denote class construction functions as "class" subtypes. | |
15299 | ||
15300 | * inspector/InjectedScriptSource.js: | |
15301 | Handling for the new "class" type. | |
15302 | ||
15303 | * bytecode/UnlinkedCodeBlock.h: | |
15304 | (JSC::UnlinkedFunctionExecutable::isClassConstructorFunction): | |
15305 | * runtime/Executable.h: | |
15306 | (JSC::FunctionExecutable::isClassConstructorFunction): | |
15307 | * runtime/JSFunction.h: | |
15308 | * runtime/JSFunctionInlines.h: | |
15309 | (JSC::JSFunction::isClassConstructorFunction): | |
15310 | Check if this function is a class constructor function. That information | |
15311 | is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction. | |
15312 | ||
15313 | 2015-03-26 Geoffrey Garen <ggaren@apple.com> | |
15314 | ||
15315 | Function.prototype.toString should not decompile the AST | |
15316 | https://bugs.webkit.org/show_bug.cgi?id=142853 | |
15317 | ||
15318 | Reviewed by Darin Adler. | |
15319 | ||
15320 | Following up on Darin's review comments. | |
15321 | ||
15322 | * runtime/FunctionConstructor.cpp: | |
15323 | (JSC::constructFunctionSkippingEvalEnabledCheck): | |
15324 | ||
15325 | 2015-03-26 Geoffrey Garen <ggaren@apple.com> | |
15326 | ||
15327 | "lineNo" does not match WebKit coding style guidelines | |
15328 | https://bugs.webkit.org/show_bug.cgi?id=143119 | |
15329 | ||
15330 | Reviewed by Michael Saboff. | |
15331 | ||
15332 | We can afford to use whole words. | |
15333 | ||
15334 | * bytecode/CodeBlock.cpp: | |
15335 | (JSC::CodeBlock::lineNumberForBytecodeOffset): | |
15336 | (JSC::CodeBlock::expressionRangeForBytecodeOffset): | |
15337 | * bytecode/UnlinkedCodeBlock.cpp: | |
15338 | (JSC::UnlinkedFunctionExecutable::link): | |
15339 | (JSC::UnlinkedFunctionExecutable::fromGlobalCode): | |
15340 | * bytecode/UnlinkedCodeBlock.h: | |
15341 | * bytecompiler/NodesCodegen.cpp: | |
15342 | (JSC::WhileNode::emitBytecode): | |
15343 | * debugger/Debugger.cpp: | |
15344 | (JSC::Debugger::toggleBreakpoint): | |
15345 | * interpreter/Interpreter.cpp: | |
15346 | (JSC::StackFrame::computeLineAndColumn): | |
15347 | (JSC::GetStackTraceFunctor::operator()): | |
15348 | (JSC::Interpreter::execute): | |
15349 | * interpreter/StackVisitor.cpp: | |
15350 | (JSC::StackVisitor::Frame::computeLineAndColumn): | |
15351 | * parser/Nodes.h: | |
15352 | (JSC::Node::firstLine): | |
15353 | (JSC::Node::lineNo): Deleted. | |
15354 | (JSC::StatementNode::firstLine): Deleted. | |
15355 | * parser/ParserError.h: | |
15356 | (JSC::ParserError::toErrorObject): | |
15357 | * profiler/LegacyProfiler.cpp: | |
15358 | (JSC::createCallIdentifierFromFunctionImp): | |
15359 | * runtime/CodeCache.cpp: | |
15360 | (JSC::CodeCache::getGlobalCodeBlock): | |
15361 | * runtime/Executable.cpp: | |
15362 | (JSC::ScriptExecutable::ScriptExecutable): | |
15363 | (JSC::ScriptExecutable::newCodeBlockFor): | |
15364 | (JSC::FunctionExecutable::fromGlobalCode): | |
15365 | * runtime/Executable.h: | |
15366 | (JSC::ScriptExecutable::firstLine): | |
15367 | (JSC::ScriptExecutable::setOverrideLineNumber): | |
15368 | (JSC::ScriptExecutable::hasOverrideLineNumber): | |
15369 | (JSC::ScriptExecutable::overrideLineNumber): | |
15370 | (JSC::ScriptExecutable::lineNo): Deleted. | |
15371 | (JSC::ScriptExecutable::setOverrideLineNo): Deleted. | |
15372 | (JSC::ScriptExecutable::hasOverrideLineNo): Deleted. | |
15373 | (JSC::ScriptExecutable::overrideLineNo): Deleted. | |
15374 | * runtime/FunctionConstructor.cpp: | |
15375 | (JSC::constructFunctionSkippingEvalEnabledCheck): | |
15376 | * runtime/FunctionConstructor.h: | |
15377 | * tools/CodeProfile.cpp: | |
15378 | (JSC::CodeProfile::report): | |
15379 | * tools/CodeProfile.h: | |
15380 | (JSC::CodeProfile::CodeProfile): | |
15381 | ||
15382 | 2015-03-26 Geoffrey Garen <ggaren@apple.com> | |
15383 | ||
15384 | Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site | |
15385 | https://bugs.webkit.org/show_bug.cgi?id=142974 | |
15386 | ||
15387 | Reviewed by Joseph Pecoraro. | |
15388 | ||
15389 | This patch does two things: | |
15390 | ||
15391 | (1) Restore JavaScriptCore's sanitization of line and column numbers to | |
15392 | one-based values. | |
15393 | ||
15394 | We need this because WebCore sometimes provides huge negative column | |
15395 | numbers. | |
15396 | ||
15397 | (2) Solve the attribute event listener line numbering problem a different | |
15398 | way: Rather than offsetting all line numbers by -1 in an attribute event | |
15399 | listener in order to arrange for a custom result, instead use an explicit | |
15400 | feature for saying "all errors in this code should map to this line number". | |
15401 | ||
15402 | * bytecode/UnlinkedCodeBlock.cpp: | |
15403 | (JSC::UnlinkedFunctionExecutable::link): | |
15404 | (JSC::UnlinkedFunctionExecutable::fromGlobalCode): | |
15405 | * bytecode/UnlinkedCodeBlock.h: | |
15406 | * interpreter/Interpreter.cpp: | |
15407 | (JSC::StackFrame::computeLineAndColumn): | |
15408 | (JSC::GetStackTraceFunctor::operator()): | |
15409 | * interpreter/Interpreter.h: | |
15410 | * interpreter/StackVisitor.cpp: | |
15411 | (JSC::StackVisitor::Frame::computeLineAndColumn): | |
15412 | * parser/ParserError.h: | |
15413 | (JSC::ParserError::toErrorObject): Plumb through an override line number. | |
15414 | When a function has an override line number, all syntax and runtime | |
15415 | errors in the function will map to it. This is useful for attribute event | |
15416 | listeners. | |
15417 | ||
15418 | * parser/SourceCode.h: | |
15419 | (JSC::SourceCode::SourceCode): Restore the old sanitization of line and | |
15420 | column numbers to one-based integers. It was kind of a hack to remove this. | |
15421 | ||
15422 | * runtime/Executable.cpp: | |
15423 | (JSC::ScriptExecutable::ScriptExecutable): | |
15424 | (JSC::FunctionExecutable::fromGlobalCode): | |
15425 | * runtime/Executable.h: | |
15426 | (JSC::ScriptExecutable::setOverrideLineNo): | |
15427 | (JSC::ScriptExecutable::hasOverrideLineNo): | |
15428 | (JSC::ScriptExecutable::overrideLineNo): | |
15429 | * runtime/FunctionConstructor.cpp: | |
15430 | (JSC::constructFunctionSkippingEvalEnabledCheck): | |
15431 | * runtime/FunctionConstructor.h: Plumb through an override line number. | |
15432 | ||
15433 | 2015-03-26 Filip Pizlo <fpizlo@apple.com> | |
15434 | ||
15435 | If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments. | |
15436 | ||
15437 | Reviewed by Michael Saboff. | |
15438 | ||
15439 | * jit/JITPropertyAccess.cpp: | |
15440 | (JSC::JIT::emitScopedArgumentsGetByVal): | |
15441 | * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added. | |
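The entry above corrects a type check that told direct arguments apart from scoped arguments, and the "Heap variables shouldn't end up in the stack frame" entry further down introduces the two representations. The following is an added example, not code from this ChangeLog or from JavaScriptCore: it shows the observable JavaScript semantics that make the two representations necessary, with all function names constructed for the example.

```javascript
// Added example, not code from the WebKit ChangeLog or from JavaScriptCore:
// the observable JavaScript semantics behind the DirectArguments /
// ScopedArguments split that the surrounding ChangeLog entries talk about.
//
// In a sloppy-mode function with a simple parameter list, `arguments[i]` is a
// live alias of the i-th named parameter (ECMAScript "mapped" arguments).
// When nothing captures the parameter it can stay in the stack frame and the
// arguments object reads it directly ("direct arguments"). When a closure
// captures the parameter, the parameter lives in a heap-allocated activation
// and the arguments object must read and write through that scope ("scoped
// arguments"). A JIT fast path specialised for one representation must check
// for exactly that representation, or it reads the wrong memory layout.
//
// The sample functions are built with the Function constructor so that they
// are sloppy-mode even if this file is loaded as a strict-mode module.
// All function names here are constructed for the example.

// Parameter `a` is never captured: writing through the alias updates `a`.
const directCase = new Function('a', `
  arguments[0] = 'via-arguments';
  return a;
`);

// Parameter `a` is captured by an inner closure, so it lives in the
// activation; a write through the closure must be visible via arguments[0].
const scopedCase = new Function('a', `
  var setA = function (v) { a = v; };
  setA('via-closure');
  return arguments[0];
`);

// Strict mode never maps arguments to parameters: no aliasing either way.
const strictCase = new Function('a', `
  'use strict';
  arguments[0] = 'via-arguments';
  return a;
`);

// arguments.length reflects the actual call, independent of the formals and
// of whether the parameters are captured.
const lengthCase = new Function('a', 'b', `
  var keep = function () { return a + b; };   // captures both parameters
  return [arguments.length, keep()];
`);

// Two functions that let their arguments object escape, one with a captured
// (scoped) parameter and one with a plain (direct) parameter.
const scopedArgs = new Function('a', `
  var hold = function () { return a; };   // capture forces scoped arguments
  a = 'scoped-updated';                   // written via the activation
  return arguments;                       // arguments[0] must observe it
`);
const directArgs = new Function('a', `
  return arguments;
`);

// One shared property-access site fed with both kinds of arguments objects,
// the shape a type-specialised get_by_val fast path has to handle correctly:
// the result must depend only on the object's contents, never on which
// representation the site happened to see first.
function readIndex(obj, i) {
  return obj[i];
}

function mixedSite() {
  const scoped = scopedArgs('s0');
  const direct = directArgs('d0');
  return [readIndex(scoped, 0), readIndex(direct, 0), readIndex(scoped, 1)];
}
```

Called with fewer arguments than formals, the alias does not exist for the missing index: directCase() returns undefined, because the mapping only covers indices below arguments.length.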
15442 | ||
15443 | 2015-03-26 Filip Pizlo <fpizlo@apple.com> | |
15444 | ||
15445 | FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM | |
15446 | https://bugs.webkit.org/show_bug.cgi?id=143098 | |
15447 | ||
15448 | Reviewed by Csaba Osztrogonác. | |
15449 | ||
15450 | * ftl/FTLLowerDFGToLLVM.cpp: | |
15451 | (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo. | |
15452 | * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode. | |
15453 | ||
15454 | 2015-03-26 Csaba Osztrogonác <ossy@webkit.org> | |
15455 | ||
15456 | Unreviewed gardening, skip failing tests on AArch64 Linux. | |
15457 | ||
15458 | * tests/mozilla/mozilla-tests.yaml: | |
15459 | * tests/stress/cached-prototype-setter.js: | |
15460 | ||
15461 | 2015-03-26 Filip Pizlo <fpizlo@apple.com> | |
15462 | ||
15463 | Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them. | |
15464 | ||
15465 | * dfg/DFGConstantFoldingPhase.cpp: | |
15466 | (JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it. | |
15467 | * ftl/FTLCompile.cpp: | |
15468 | (JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again. | |
15469 | * ftl/FTLState.cpp: | |
15470 | (JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module. | |
15471 | * ftl/FTLState.h: | |
15472 | ||
15473 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15474 | ||
15475 | Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it | |
15476 | right, so this just makes 32-bit do the same. | |
15477 | ||
15478 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
15479 | (JSC::DFG::SpeculativeJIT::emitCall): | |
15480 | ||
15481 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15482 | ||
15483 | Fix a typo that ggaren found but that I didn't fix before. | |
15484 | ||
15485 | * runtime/DirectArgumentsOffset.h: | |
15486 | ||
15487 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15488 | ||
15489 | Unreviewed, VC found a bug. This fixes the bug. | |
15490 | ||
15491 | * dfg/DFGConstantFoldingPhase.cpp: | |
15492 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
15493 | ||
15494 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15495 | ||
15496 | Unreviewed, try to fix Windows build. | |
15497 | ||
15498 | * runtime/ClonedArguments.cpp: | |
15499 | (JSC::ClonedArguments::createWithInlineFrame): | |
15500 | ||
15501 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15502 | ||
15503 | Unreviewed, fix debug build. | |
15504 | ||
15505 | * bytecompiler/NodesCodegen.cpp: | |
15506 | (JSC::ConstDeclNode::emitCodeSingle): | |
15507 | ||
15508 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15509 | ||
15510 | Unreviewed, fix CLOOP build. | |
15511 | ||
15512 | * dfg/DFGMinifiedID.h: | |
15513 | ||
15514 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
15515 | ||
15516 | Heap variables shouldn't end up in the stack frame | |
15517 | https://bugs.webkit.org/show_bug.cgi?id=141174 | |
15518 | ||
15519 | Reviewed by Geoffrey Garen. | |
15520 | ||
15521 | This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes | |
15522 | any ambiguity about whether a variable should be in the heap or on the stack. A variable will no | |
15523 | longer move between heap and stack during its lifetime. This enables a bunch of optimizations and | |
15524 | simplifications: | |
15525 | ||
15526 | - Accesses to variables no longer need checks or indirections to determine where the variable is | |
15527 | at that moment in time. For example, loading a closure variable now takes just one load instead | |
15528 | of two. Loading an argument by index now takes a bounds check and a load in the fastest case | |
15529 | (when no arguments object allocation is required) while previously that same operation required | |
15530 | a "did I allocate arguments yet" check, a bounds check, and then the load. | |
15531 | ||
15532 | - Reasoning about the allocation of an activation or arguments object now follows the same simple | |
15533 | logic as the allocation of any other kind of object. Previously, those objects were lazily | |
15534 | allocated - so an allocation instruction wasn't the actual allocation site, since it might not | |
15535 | allocate anything at all. This made the implementation of traditional escape analyses really | |
15536 | awkward, and ultimately it meant that we missed important cases. Now, we can reason about the | |
15537 | arguments object using the usual SSA tricks which allows for more comprehensive removal. | |
15538 | ||
15539 | - The allocations of arguments objects, functions, and activations are now much faster. While | |
15540 | this patch generally expands our ability to eliminate arguments object allocations, an earlier | |
15541 | version of the patch - which lacked that functionality - was a progression on some arguments- | |
15542 | and closure-happy benchmarks because although no allocations were eliminated, all allocations | |
15543 | were faster. | |
15544 | ||
15545 | - There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps | |
15546 | its arguments objects or activations. The runtime doesn't have to do things to the arguments | |
15547 | objects and activations that a frame allocated, when the frame is unwound. We always had horrid | |
15548 | bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG, | |
15549 | FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are | |
15550 | now gone. This also enables implementing block-scoping. Without this change, block-scope | |
15551 | support would require telling CodeBlock and all of the rest of the runtime about all of the | |
15552 | variables that store currently-live scopes. That would have been so disastrously hard that it | |
15553 | might as well be impossible. With this change, it's fair game for the bytecode generator to | |
15554 | simply allocate whatever activations it wants, wherever it wants, and to keep them live for | |
15555 | however long it wants. This all works, because after bytecode generation, an activation is just | |
15556 | an object and variables that refer to it are just normal variables. | |
15557 | ||
15558 | - SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a | |
15559 | VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never | |
15560 | used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds | |
15561 | of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into | |
15562 | an arguments object. | |
15563 | ||
15564 | - Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also, | |
15565 | using activations used to prevent inlining; now functions that use activations can be inlined | |
15566 | just fine. | |
15567 | ||
15568 | This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny | |
15569 | speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider. | |
15570 | It's only a slow-down on very short-running microbenchmarks we had previously written for our old | |
15571 | style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite. | |
15572 | ||
15573 | The easiest way of understanding this change is to start by looking at the changes in runtime/, | |
15574 | and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers. | |
15575 | ||
15576 | * CMakeLists.txt: | |
15577 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
15578 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
15579 | * assembler/AbortReason.h: | |
15580 | * assembler/AbstractMacroAssembler.h: | |
15581 | (JSC::AbstractMacroAssembler::BaseIndex::withOffset): | |
15582 | * bytecode/ByValInfo.h: | |
15583 | (JSC::hasOptimizableIndexingForJSType): | |
15584 | (JSC::hasOptimizableIndexing): | |
15585 | (JSC::jitArrayModeForJSType): | |
15586 | (JSC::jitArrayModePermitsPut): | |
15587 | (JSC::jitArrayModeForStructure): | |
15588 | * bytecode/BytecodeKills.h: Added. | |
15589 | (JSC::BytecodeKills::BytecodeKills): | |
15590 | (JSC::BytecodeKills::operandIsKilled): | |
15591 | (JSC::BytecodeKills::forEachOperandKilledAt): | |
15592 | (JSC::BytecodeKills::KillSet::KillSet): | |
15593 | (JSC::BytecodeKills::KillSet::add): | |
15594 | (JSC::BytecodeKills::KillSet::forEachLocal): | |
15595 | (JSC::BytecodeKills::KillSet::contains): | |
15596 | * bytecode/BytecodeList.json: | |
15597 | * bytecode/BytecodeLivenessAnalysis.cpp: | |
15598 | (JSC::isValidRegisterForLiveness): | |
15599 | (JSC::stepOverInstruction): | |
15600 | (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): | |
15601 | (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): | |
15602 | (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): | |
15603 | (JSC::BytecodeLivenessAnalysis::computeFullLiveness): | |
15604 | (JSC::BytecodeLivenessAnalysis::computeKills): | |
15605 | (JSC::indexForOperand): Deleted. | |
15606 | (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted. | |
15607 | (JSC::getLivenessInfo): Deleted. | |
15608 | * bytecode/BytecodeLivenessAnalysis.h: | |
15609 | * bytecode/BytecodeLivenessAnalysisInlines.h: | |
15610 | (JSC::operandIsAlwaysLive): | |
15611 | (JSC::operandThatIsNotAlwaysLiveIsLive): | |
15612 | (JSC::operandIsLive): | |
15613 | * bytecode/BytecodeUseDef.h: | |
15614 | (JSC::computeUsesForBytecodeOffset): | |
15615 | (JSC::computeDefsForBytecodeOffset): | |
15616 | * bytecode/CodeBlock.cpp: | |
15617 | (JSC::CodeBlock::dumpBytecode): | |
15618 | (JSC::CodeBlock::CodeBlock): | |
15619 | (JSC::CodeBlock::nameForRegister): | |
15620 | (JSC::CodeBlock::validate): | |
15621 | (JSC::CodeBlock::isCaptured): Deleted. | |
15622 | (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted. | |
15623 | (JSC::CodeBlock::machineSlowArguments): Deleted. | |
15624 | * bytecode/CodeBlock.h: | |
15625 | (JSC::unmodifiedArgumentsRegister): Deleted. | |
15626 | (JSC::CodeBlock::setArgumentsRegister): Deleted. | |
15627 | (JSC::CodeBlock::argumentsRegister): Deleted. | |
15628 | (JSC::CodeBlock::uncheckedArgumentsRegister): Deleted. | |
15629 | (JSC::CodeBlock::usesArguments): Deleted. | |
15630 | (JSC::CodeBlock::captureCount): Deleted. | |
15631 | (JSC::CodeBlock::captureStart): Deleted. | |
15632 | (JSC::CodeBlock::captureEnd): Deleted. | |
15633 | (JSC::CodeBlock::argumentIndexAfterCapture): Deleted. | |
15634 | (JSC::CodeBlock::hasSlowArguments): Deleted. | |
15635 | (JSC::ExecState::argumentAfterCapture): Deleted. | |
15636 | * bytecode/CodeOrigin.h: | |
15637 | * bytecode/DataFormat.h: | |
15638 | (JSC::dataFormatToString): | |
15639 | * bytecode/FullBytecodeLiveness.h: | |
15640 | (JSC::FullBytecodeLiveness::getLiveness): | |
15641 | (JSC::FullBytecodeLiveness::operandIsLive): | |
15642 | (JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted. | |
15643 | (JSC::FullBytecodeLiveness::getOut): Deleted. | |
15644 | * bytecode/Instruction.h: | |
15645 | (JSC::Instruction::Instruction): | |
15646 | * bytecode/Operands.h: | |
15647 | (JSC::Operands::virtualRegisterForIndex): | |
15648 | * bytecode/SpeculatedType.cpp: | |
15649 | (JSC::dumpSpeculation): | |
15650 | (JSC::speculationToAbbreviatedString): | |
15651 | (JSC::speculationFromClassInfo): | |
15652 | * bytecode/SpeculatedType.h: | |
15653 | (JSC::isDirectArgumentsSpeculation): | |
15654 | (JSC::isScopedArgumentsSpeculation): | |
15655 | (JSC::isActionableMutableArraySpeculation): | |
15656 | (JSC::isActionableArraySpeculation): | |
15657 | (JSC::isArgumentsSpeculation): Deleted. | |
15658 | * bytecode/UnlinkedCodeBlock.cpp: | |
15659 | (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): | |
15660 | * bytecode/UnlinkedCodeBlock.h: | |
15661 | (JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted. | |
15662 | (JSC::UnlinkedCodeBlock::usesArguments): Deleted. | |
15663 | (JSC::UnlinkedCodeBlock::argumentsRegister): Deleted. | |
15664 | * bytecode/ValueRecovery.cpp: | |
15665 | (JSC::ValueRecovery::dumpInContext): | |
15666 | * bytecode/ValueRecovery.h: | |
15667 | (JSC::ValueRecovery::directArgumentsThatWereNotCreated): | |
15668 | (JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated): | |
15669 | (JSC::ValueRecovery::nodeID): | |
15670 | (JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted. | |
15671 | * bytecode/VirtualRegister.h: | |
15672 | (JSC::VirtualRegister::operator==): | |
15673 | (JSC::VirtualRegister::operator!=): | |
15674 | (JSC::VirtualRegister::operator<): | |
15675 | (JSC::VirtualRegister::operator>): | |
15676 | (JSC::VirtualRegister::operator<=): | |
15677 | (JSC::VirtualRegister::operator>=): | |
15678 | * bytecompiler/BytecodeGenerator.cpp: | |
15679 | (JSC::BytecodeGenerator::generate): | |
15680 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
15681 | (JSC::BytecodeGenerator::initializeNextParameter): | |
15682 | (JSC::BytecodeGenerator::visibleNameForParameter): | |
15683 | (JSC::BytecodeGenerator::emitMove): | |
15684 | (JSC::BytecodeGenerator::variable): | |
15685 | (JSC::BytecodeGenerator::createVariable): | |
15686 | (JSC::BytecodeGenerator::emitResolveScope): | |
15687 | (JSC::BytecodeGenerator::emitGetFromScope): | |
15688 | (JSC::BytecodeGenerator::emitPutToScope): | |
15689 | (JSC::BytecodeGenerator::initializeVariable): | |
15690 | (JSC::BytecodeGenerator::emitInstanceOf): | |
15691 | (JSC::BytecodeGenerator::emitNewFunction): | |
15692 | (JSC::BytecodeGenerator::emitNewFunctionInternal): | |
15693 | (JSC::BytecodeGenerator::emitCall): | |
15694 | (JSC::BytecodeGenerator::emitReturn): | |
15695 | (JSC::BytecodeGenerator::emitConstruct): | |
15696 | (JSC::BytecodeGenerator::isArgumentNumber): | |
15697 | (JSC::BytecodeGenerator::emitEnumeration): | |
15698 | (JSC::BytecodeGenerator::addVar): Deleted. | |
15699 | (JSC::BytecodeGenerator::emitInitLazyRegister): Deleted. | |
15700 | (JSC::BytecodeGenerator::initializeCapturedVariable): Deleted. | |
15701 | (JSC::BytecodeGenerator::resolveCallee): Deleted. | |
15702 | (JSC::BytecodeGenerator::addCallee): Deleted. | |
15703 | (JSC::BytecodeGenerator::addParameter): Deleted. | |
15704 | (JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted. | |
15705 | (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted. | |
15706 | (JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted. | |
15707 | (JSC::BytecodeGenerator::isCaptured): Deleted. | |
15708 | (JSC::BytecodeGenerator::local): Deleted. | |
15709 | (JSC::BytecodeGenerator::constLocal): Deleted. | |
15710 | (JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted. | |
15711 | (JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted. | |
15712 | (JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted. | |
15713 | (JSC::BytecodeGenerator::emitLazyNewFunction): Deleted. | |
15714 | (JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted. | |
15715 | * bytecompiler/BytecodeGenerator.h: | |
15716 | (JSC::Variable::Variable): | |
15717 | (JSC::Variable::isResolved): | |
15718 | (JSC::Variable::ident): | |
15719 | (JSC::Variable::offset): | |
15720 | (JSC::Variable::isLocal): | |
15721 | (JSC::Variable::local): | |
15722 | (JSC::Variable::isSpecial): | |
15723 | (JSC::BytecodeGenerator::argumentsRegister): | |
15724 | (JSC::BytecodeGenerator::emitNode): | |
15725 | (JSC::BytecodeGenerator::registerFor): | |
15726 | (JSC::Local::Local): Deleted. | |
15727 | (JSC::Local::operator bool): Deleted. | |
15728 | (JSC::Local::get): Deleted. | |
15729 | (JSC::Local::isSpecial): Deleted. | |
15730 | (JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted. | |
15731 | (JSC::ResolveScopeInfo::isLocal): Deleted. | |
15732 | (JSC::ResolveScopeInfo::localIndex): Deleted. | |
15733 | (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted. | |
15734 | (JSC::BytecodeGenerator::captureMode): Deleted. | |
15735 | (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted. | |
15736 | (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted. | |
15737 | (JSC::BytecodeGenerator::hasWatchableVariable): Deleted. | |
15738 | (JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted. | |
15739 | * bytecompiler/NodesCodegen.cpp: | |
15740 | (JSC::ResolveNode::isPure): | |
15741 | (JSC::ResolveNode::emitBytecode): | |
15742 | (JSC::BracketAccessorNode::emitBytecode): | |
15743 | (JSC::DotAccessorNode::emitBytecode): | |
15744 | (JSC::EvalFunctionCallNode::emitBytecode): | |
15745 | (JSC::FunctionCallResolveNode::emitBytecode): | |
15746 | (JSC::CallFunctionCallDotNode::emitBytecode): | |
15747 | (JSC::ApplyFunctionCallDotNode::emitBytecode): | |
15748 | (JSC::PostfixNode::emitResolve): | |
15749 | (JSC::DeleteResolveNode::emitBytecode): | |
15750 | (JSC::TypeOfResolveNode::emitBytecode): | |
15751 | (JSC::PrefixNode::emitResolve): | |
15752 | (JSC::ReadModifyResolveNode::emitBytecode): | |
15753 | (JSC::AssignResolveNode::emitBytecode): | |
15754 | (JSC::ConstDeclNode::emitCodeSingle): | |
15755 | (JSC::EmptyVarExpression::emitBytecode): | |
15756 | (JSC::ForInNode::tryGetBoundLocal): | |
15757 | (JSC::ForInNode::emitLoopHeader): | |
15758 | (JSC::ForOfNode::emitBytecode): | |
15759 | (JSC::ArrayPatternNode::emitDirectBinding): | |
15760 | (JSC::BindingNode::bindValue): | |
15761 | (JSC::getArgumentByVal): Deleted. | |
15762 | * dfg/DFGAbstractHeap.h: | |
15763 | * dfg/DFGAbstractInterpreter.h: | |
15764 | * dfg/DFGAbstractInterpreterInlines.h: | |
15765 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
15766 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld): | |
15767 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted. | |
15768 | * dfg/DFGAbstractValue.h: | |
15769 | * dfg/DFGArgumentPosition.h: | |
15770 | (JSC::DFG::ArgumentPosition::addVariable): | |
15771 | * dfg/DFGArgumentsEliminationPhase.cpp: Added. | |
15772 | (JSC::DFG::performArgumentsElimination): | |
15773 | * dfg/DFGArgumentsEliminationPhase.h: Added. | |
15774 | * dfg/DFGArgumentsSimplificationPhase.cpp: Removed. | |
15775 | * dfg/DFGArgumentsSimplificationPhase.h: Removed. | |
15776 | * dfg/DFGArgumentsUtilities.cpp: Added. | |
15777 | (JSC::DFG::argumentsInvolveStackSlot): | |
15778 | (JSC::DFG::emitCodeToGetArgumentsArrayLength): | |
15779 | * dfg/DFGArgumentsUtilities.h: Added. | |
15780 | * dfg/DFGArrayMode.cpp: | |
15781 | (JSC::DFG::ArrayMode::refine): | |
15782 | (JSC::DFG::ArrayMode::alreadyChecked): | |
15783 | (JSC::DFG::arrayTypeToString): | |
15784 | * dfg/DFGArrayMode.h: | |
15785 | (JSC::DFG::ArrayMode::canCSEStorage): | |
15786 | (JSC::DFG::ArrayMode::modeForPut): | |
15787 | * dfg/DFGAvailabilityMap.cpp: | |
15788 | (JSC::DFG::AvailabilityMap::prune): | |
15789 | * dfg/DFGAvailabilityMap.h: | |
15790 | (JSC::DFG::AvailabilityMap::closeOverNodes): | |
15791 | (JSC::DFG::AvailabilityMap::closeStartingWithLocal): | |
15792 | * dfg/DFGBackwardsPropagationPhase.cpp: | |
15793 | (JSC::DFG::BackwardsPropagationPhase::propagate): | |
15794 | * dfg/DFGByteCodeParser.cpp: | |
15795 | (JSC::DFG::ByteCodeParser::newVariableAccessData): | |
15796 | (JSC::DFG::ByteCodeParser::getLocal): | |
15797 | (JSC::DFG::ByteCodeParser::setLocal): | |
15798 | (JSC::DFG::ByteCodeParser::getArgument): | |
15799 | (JSC::DFG::ByteCodeParser::setArgument): | |
15800 | (JSC::DFG::ByteCodeParser::flushDirect): | |
15801 | (JSC::DFG::ByteCodeParser::flush): | |
15802 | (JSC::DFG::ByteCodeParser::noticeArgumentsUse): | |
15803 | (JSC::DFG::ByteCodeParser::handleVarargsCall): | |
15804 | (JSC::DFG::ByteCodeParser::attemptToInlineCall): | |
15805 | (JSC::DFG::ByteCodeParser::handleInlining): | |
15806 | (JSC::DFG::ByteCodeParser::parseBlock): | |
15807 | (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): | |
15808 | (JSC::DFG::ByteCodeParser::parseCodeBlock): | |
15809 | * dfg/DFGCPSRethreadingPhase.cpp: | |
15810 | (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): | |
15811 | (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): | |
15812 | * dfg/DFGCSEPhase.cpp: | |
15813 | * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added. | |
15814 | (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator): | |
15815 | * dfg/DFGCapabilities.cpp: | |
15816 | (JSC::DFG::isSupportedForInlining): | |
15817 | (JSC::DFG::capabilityLevel): | |
15818 | * dfg/DFGClobberize.h: | |
15819 | (JSC::DFG::clobberize): | |
15820 | * dfg/DFGCommon.h: | |
15821 | * dfg/DFGCommonData.h: | |
15822 | (JSC::DFG::CommonData::CommonData): | |
15823 | * dfg/DFGConstantFoldingPhase.cpp: | |
15824 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
15825 | * dfg/DFGDCEPhase.cpp: | |
15826 | (JSC::DFG::DCEPhase::cleanVariables): | |
15827 | * dfg/DFGDisassembler.h: | |
15828 | * dfg/DFGDoesGC.cpp: | |
15829 | (JSC::DFG::doesGC): | |
15830 | * dfg/DFGFixupPhase.cpp: | |
15831 | (JSC::DFG::FixupPhase::fixupNode): | |
15832 | * dfg/DFGFlushFormat.cpp: | |
15833 | (WTF::printInternal): | |
15834 | * dfg/DFGFlushFormat.h: | |
15835 | (JSC::DFG::resultFor): | |
15836 | (JSC::DFG::useKindFor): | |
15837 | (JSC::DFG::dataFormatFor): | |
15838 | * dfg/DFGForAllKills.h: Added. | |
15839 | (JSC::DFG::forAllLiveNodesAtTail): | |
15840 | (JSC::DFG::forAllDirectlyKilledOperands): | |
15841 | (JSC::DFG::forAllKilledOperands): | |
15842 | (JSC::DFG::forAllKilledNodesAtNodeIndex): | |
15843 | (JSC::DFG::forAllKillsInBlock): | |
15844 | * dfg/DFGGraph.cpp: | |
15845 | (JSC::DFG::Graph::Graph): | |
15846 | (JSC::DFG::Graph::dump): | |
15847 | (JSC::DFG::Graph::substituteGetLocal): | |
15848 | (JSC::DFG::Graph::livenessFor): | |
15849 | (JSC::DFG::Graph::killsFor): | |
15850 | (JSC::DFG::Graph::tryGetConstantClosureVar): | |
15851 | (JSC::DFG::Graph::tryGetRegisters): Deleted. | |
15852 | * dfg/DFGGraph.h: | |
15853 | (JSC::DFG::Graph::symbolTableFor): | |
15854 | (JSC::DFG::Graph::uses): | |
15855 | (JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted. | |
15856 | (JSC::DFG::Graph::capturedVarsFor): Deleted. | |
15857 | (JSC::DFG::Graph::usesArguments): Deleted. | |
15858 | (JSC::DFG::Graph::argumentsRegisterFor): Deleted. | |
15859 | (JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted. | |
15860 | (JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted. | |
15861 | * dfg/DFGHeapLocation.cpp: | |
15862 | (WTF::printInternal): | |
15863 | * dfg/DFGHeapLocation.h: | |
15864 | * dfg/DFGInPlaceAbstractState.cpp: | |
15865 | (JSC::DFG::InPlaceAbstractState::initialize): | |
15866 | (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): | |
15867 | * dfg/DFGJITCompiler.cpp: | |
15868 | (JSC::DFG::JITCompiler::link): | |
15869 | * dfg/DFGMayExit.cpp: | |
15870 | (JSC::DFG::mayExit): | |
15871 | * dfg/DFGMinifiedID.h: | |
15872 | * dfg/DFGMinifiedNode.cpp: | |
15873 | (JSC::DFG::MinifiedNode::fromNode): | |
15874 | * dfg/DFGMinifiedNode.h: | |
15875 | (JSC::DFG::belongsInMinifiedGraph): | |
15876 | (JSC::DFG::MinifiedNode::hasInlineCallFrame): | |
15877 | (JSC::DFG::MinifiedNode::inlineCallFrame): | |
15878 | * dfg/DFGNode.cpp: | |
15879 | (JSC::DFG::Node::convertToIdentityOn): | |
15880 | * dfg/DFGNode.h: | |
15881 | (JSC::DFG::Node::hasConstant): | |
15882 | (JSC::DFG::Node::constant): | |
15883 | (JSC::DFG::Node::hasScopeOffset): | |
15884 | (JSC::DFG::Node::scopeOffset): | |
15885 | (JSC::DFG::Node::hasDirectArgumentsOffset): | |
15886 | (JSC::DFG::Node::capturedArgumentsOffset): | |
15887 | (JSC::DFG::Node::variablePointer): | |
15888 | (JSC::DFG::Node::hasCallVarargsData): | |
15889 | (JSC::DFG::Node::hasLoadVarargsData): | |
15890 | (JSC::DFG::Node::hasHeapPrediction): | |
15891 | (JSC::DFG::Node::hasCellOperand): | |
15892 | (JSC::DFG::Node::objectMaterializationData): | |
15893 | (JSC::DFG::Node::isPhantomAllocation): | |
15894 | (JSC::DFG::Node::willHaveCodeGenOrOSR): | |
15895 | (JSC::DFG::Node::shouldSpeculateDirectArguments): | |
15896 | (JSC::DFG::Node::shouldSpeculateScopedArguments): | |
15897 | (JSC::DFG::Node::isPhantomArguments): Deleted. | |
15898 | (JSC::DFG::Node::hasVarNumber): Deleted. | |
15899 | (JSC::DFG::Node::varNumber): Deleted. | |
15900 | (JSC::DFG::Node::registerPointer): Deleted. | |
15901 | (JSC::DFG::Node::shouldSpeculateArguments): Deleted. | |
15902 | * dfg/DFGNodeType.h: | |
15903 | * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: | |
15904 | (JSC::DFG::OSRAvailabilityAnalysisPhase::run): | |
15905 | (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): | |
15906 | * dfg/DFGOSRExitCompiler.cpp: | |
15907 | (JSC::DFG::OSRExitCompiler::emitRestoreArguments): | |
15908 | * dfg/DFGOSRExitCompiler.h: | |
15909 | (JSC::DFG::OSRExitCompiler::badIndex): Deleted. | |
15910 | (JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted. | |
15911 | (JSC::DFG::OSRExitCompiler::poisonIndex): Deleted. | |
15912 | * dfg/DFGOSRExitCompiler32_64.cpp: | |
15913 | (JSC::DFG::OSRExitCompiler::compileExit): | |
15914 | * dfg/DFGOSRExitCompiler64.cpp: | |
15915 | (JSC::DFG::OSRExitCompiler::compileExit): | |
15916 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
15917 | (JSC::DFG::reifyInlinedCallFrames): | |
15918 | (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted. | |
15919 | (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted. | |
15920 | (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted. | |
15921 | * dfg/DFGOSRExitCompilerCommon.h: | |
15922 | * dfg/DFGOperations.cpp: | |
15923 | * dfg/DFGOperations.h: | |
15924 | * dfg/DFGPlan.cpp: | |
15925 | (JSC::DFG::Plan::compileInThreadImpl): | |
15926 | * dfg/DFGPreciseLocalClobberize.h: | |
15927 | (JSC::DFG::PreciseLocalClobberizeAdaptor::read): | |
15928 | (JSC::DFG::PreciseLocalClobberizeAdaptor::write): | |
15929 | (JSC::DFG::PreciseLocalClobberizeAdaptor::def): | |
15930 | (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): | |
15931 | (JSC::DFG::preciseLocalClobberize): | |
15932 | (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted. | |
15933 | (JSC::DFG::forEachLocalReadByUnwind): Deleted. | |
15934 | * dfg/DFGPredictionPropagationPhase.cpp: | |
15935 | (JSC::DFG::PredictionPropagationPhase::run): | |
15936 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
15937 | (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): | |
15938 | (JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions): | |
15939 | * dfg/DFGPromoteHeapAccess.h: | |
15940 | (JSC::DFG::promoteHeapAccess): | |
15941 | * dfg/DFGPromotedHeapLocation.cpp: | |
15942 | (WTF::printInternal): | |
15943 | * dfg/DFGPromotedHeapLocation.h: | |
15944 | * dfg/DFGSSAConversionPhase.cpp: | |
15945 | (JSC::DFG::SSAConversionPhase::run): | |
15946 | * dfg/DFGSafeToExecute.h: | |
15947 | (JSC::DFG::safeToExecute): | |
15948 | * dfg/DFGSpeculativeJIT.cpp: | |
15949 | (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): | |
15950 | (JSC::DFG::SpeculativeJIT::emitGetLength): | |
15951 | (JSC::DFG::SpeculativeJIT::emitGetCallee): | |
15952 | (JSC::DFG::SpeculativeJIT::emitGetArgumentStart): | |
15953 | (JSC::DFG::SpeculativeJIT::checkArray): | |
15954 | (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): | |
15955 | (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): | |
15956 | (JSC::DFG::SpeculativeJIT::compileGetArrayLength): | |
15957 | (JSC::DFG::SpeculativeJIT::compileNewFunction): | |
15958 | (JSC::DFG::SpeculativeJIT::compileForwardVarargs): | |
15959 | (JSC::DFG::SpeculativeJIT::compileCreateActivation): | |
15960 | (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): | |
15961 | (JSC::DFG::SpeculativeJIT::compileGetFromArguments): | |
15962 | (JSC::DFG::SpeculativeJIT::compilePutToArguments): | |
15963 | (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments): | |
15964 | (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments): | |
15965 | (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted. | |
15966 | (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted. | |
15967 | (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted. | |
15968 | (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted. | |
15969 | (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted. | |
15970 | * dfg/DFGSpeculativeJIT.h: | |
15971 | (JSC::DFG::SpeculativeJIT::callOperation): | |
15972 | (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize): | |
15973 | (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): | |
15974 | (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted. | |
15975 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
15976 | (JSC::DFG::SpeculativeJIT::emitCall): | |
15977 | (JSC::DFG::SpeculativeJIT::compile): | |
15978 | * dfg/DFGSpeculativeJIT64.cpp: | |
15979 | (JSC::DFG::SpeculativeJIT::emitCall): | |
15980 | (JSC::DFG::SpeculativeJIT::compile): | |
15981 | * dfg/DFGStackLayoutPhase.cpp: | |
15982 | (JSC::DFG::StackLayoutPhase::run): | |
15983 | * dfg/DFGStrengthReductionPhase.cpp: | |
15984 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
15985 | * dfg/DFGStructureRegistrationPhase.cpp: | |
15986 | (JSC::DFG::StructureRegistrationPhase::run): | |
15987 | * dfg/DFGUnificationPhase.cpp: | |
15988 | (JSC::DFG::UnificationPhase::run): | |
15989 | * dfg/DFGValidate.cpp: | |
15990 | (JSC::DFG::Validate::validateCPS): | |
15991 | * dfg/DFGValueSource.cpp: | |
15992 | (JSC::DFG::ValueSource::dump): | |
15993 | * dfg/DFGValueSource.h: | |
15994 | (JSC::DFG::dataFormatToValueSourceKind): | |
15995 | (JSC::DFG::valueSourceKindToDataFormat): | |
15996 | (JSC::DFG::ValueSource::ValueSource): | |
15997 | (JSC::DFG::ValueSource::forFlushFormat): | |
15998 | (JSC::DFG::ValueSource::valueRecovery): | |
15999 | * dfg/DFGVarargsForwardingPhase.cpp: Added. | |
16000 | (JSC::DFG::performVarargsForwarding): | |
16001 | * dfg/DFGVarargsForwardingPhase.h: Added. | |
16002 | * dfg/DFGVariableAccessData.cpp: | |
16003 | (JSC::DFG::VariableAccessData::VariableAccessData): | |
16004 | (JSC::DFG::VariableAccessData::flushFormat): | |
16005 | (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted. | |
16006 | * dfg/DFGVariableAccessData.h: | |
16007 | (JSC::DFG::VariableAccessData::shouldNeverUnbox): | |
16008 | (JSC::DFG::VariableAccessData::shouldUseDoubleFormat): | |
16009 | (JSC::DFG::VariableAccessData::isCaptured): Deleted. | |
16010 | (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted. | |
16011 | (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted. | |
16012 | * dfg/DFGVariableAccessDataDump.cpp: | |
16013 | (JSC::DFG::VariableAccessDataDump::dump): | |
16014 | * dfg/DFGVariableAccessDataDump.h: | |
16015 | * dfg/DFGVariableEventStream.cpp: | |
16016 | (JSC::DFG::VariableEventStream::tryToSetConstantRecovery): | |
16017 | * dfg/DFGVariableEventStream.h: | |
16018 | * ftl/FTLAbstractHeap.cpp: | |
16019 | (JSC::FTL::AbstractHeap::dump): | |
16020 | (JSC::FTL::AbstractField::dump): | |
16021 | (JSC::FTL::IndexedAbstractHeap::dump): | |
16022 | (JSC::FTL::NumberedAbstractHeap::dump): | |
16023 | (JSC::FTL::AbsoluteAbstractHeap::dump): | |
16024 | * ftl/FTLAbstractHeap.h: | |
16025 | * ftl/FTLAbstractHeapRepository.cpp: | |
16026 | * ftl/FTLAbstractHeapRepository.h: | |
16027 | * ftl/FTLCapabilities.cpp: | |
16028 | (JSC::FTL::canCompile): | |
16029 | * ftl/FTLCompile.cpp: | |
16030 | (JSC::FTL::mmAllocateDataSection): | |
16031 | * ftl/FTLExitArgument.cpp: | |
16032 | (JSC::FTL::ExitArgument::dump): | |
16033 | * ftl/FTLExitPropertyValue.cpp: | |
16034 | (JSC::FTL::ExitPropertyValue::withLocalsOffset): | |
16035 | * ftl/FTLExitPropertyValue.h: | |
16036 | * ftl/FTLExitTimeObjectMaterialization.cpp: | |
16037 | (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization): | |
16038 | (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset): | |
16039 | * ftl/FTLExitTimeObjectMaterialization.h: | |
16040 | (JSC::FTL::ExitTimeObjectMaterialization::origin): | |
16041 | * ftl/FTLExitValue.cpp: | |
16042 | (JSC::FTL::ExitValue::withLocalsOffset): | |
16043 | (JSC::FTL::ExitValue::valueFormat): | |
16044 | (JSC::FTL::ExitValue::dumpInContext): | |
16045 | * ftl/FTLExitValue.h: | |
16046 | (JSC::FTL::ExitValue::isArgument): | |
16047 | (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted. | |
16048 | (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted. | |
16049 | (JSC::FTL::ExitValue::valueFormat): Deleted. | |
16050 | * ftl/FTLInlineCacheSize.cpp: | |
16051 | (JSC::FTL::sizeOfCallForwardVarargs): | |
16052 | (JSC::FTL::sizeOfConstructForwardVarargs): | |
16053 | (JSC::FTL::sizeOfICFor): | |
16054 | * ftl/FTLInlineCacheSize.h: | |
16055 | * ftl/FTLIntrinsicRepository.h: | |
16056 | * ftl/FTLJSCallVarargs.cpp: | |
16057 | (JSC::FTL::JSCallVarargs::JSCallVarargs): | |
16058 | (JSC::FTL::JSCallVarargs::emit): | |
16059 | * ftl/FTLJSCallVarargs.h: | |
16060 | * ftl/FTLLowerDFGToLLVM.cpp: | |
16061 | (JSC::FTL::LowerDFGToLLVM::lower): | |
16062 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
16063 | (JSC::FTL::LowerDFGToLLVM::compilePutStack): | |
16064 | (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): | |
16065 | (JSC::FTL::LowerDFGToLLVM::compileGetByVal): | |
16066 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): | |
16067 | (JSC::FTL::LowerDFGToLLVM::compilePutByVal): | |
16068 | (JSC::FTL::LowerDFGToLLVM::compileArrayPush): | |
16069 | (JSC::FTL::LowerDFGToLLVM::compileArrayPop): | |
16070 | (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): | |
16071 | (JSC::FTL::LowerDFGToLLVM::compileNewFunction): | |
16072 | (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments): | |
16073 | (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments): | |
16074 | (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments): | |
16075 | (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): | |
16076 | (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt): | |
16077 | (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar): | |
16078 | (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar): | |
16079 | (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount): | |
16080 | (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar): | |
16081 | (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar): | |
16082 | (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments): | |
16083 | (JSC::FTL::LowerDFGToLLVM::compilePutToArguments): | |
16084 | (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs): | |
16085 | (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs): | |
16086 | (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): | |
16087 | (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength): | |
16088 | (JSC::FTL::LowerDFGToLLVM::getArgumentsLength): | |
16089 | (JSC::FTL::LowerDFGToLLVM::getCurrentCallee): | |
16090 | (JSC::FTL::LowerDFGToLLVM::getArgumentsStart): | |
16091 | (JSC::FTL::LowerDFGToLLVM::baseIndex): | |
16092 | (JSC::FTL::LowerDFGToLLVM::allocateObject): | |
16093 | (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject): | |
16094 | (JSC::FTL::LowerDFGToLLVM::isArrayType): | |
16095 | (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): | |
16096 | (JSC::FTL::LowerDFGToLLVM::buildExitArguments): | |
16097 | (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): | |
16098 | (JSC::FTL::LowerDFGToLLVM::exitValueForNode): | |
16099 | (JSC::FTL::LowerDFGToLLVM::loadStructure): | |
16100 | (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted. | |
16101 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted. | |
16102 | (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted. | |
16103 | (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted. | |
16104 | (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted. | |
16105 | * ftl/FTLOSRExitCompiler.cpp: | |
16106 | (JSC::FTL::compileRecovery): | |
16107 | (JSC::FTL::compileStub): | |
16108 | * ftl/FTLOperations.cpp: | |
16109 | (JSC::FTL::operationMaterializeObjectInOSR): | |
16110 | * ftl/FTLOutput.h: | |
16111 | (JSC::FTL::Output::aShr): | |
16112 | (JSC::FTL::Output::lShr): | |
16113 | (JSC::FTL::Output::zeroExtPtr): | |
16114 | * heap/CopyToken.h: | |
16115 | * interpreter/CallFrame.h: | |
16116 | (JSC::ExecState::getArgumentUnsafe): | |
16117 | * interpreter/Interpreter.cpp: | |
16118 | (JSC::sizeOfVarargs): | |
16119 | (JSC::sizeFrameForVarargs): | |
16120 | (JSC::loadVarargs): | |
16121 | (JSC::unwindCallFrame): | |
16122 | * interpreter/Interpreter.h: | |
16123 | * interpreter/StackVisitor.cpp: | |
16124 | (JSC::StackVisitor::Frame::createArguments): | |
16125 | (JSC::StackVisitor::Frame::existingArguments): Deleted. | |
16126 | * interpreter/StackVisitor.h: | |
16127 | * jit/AssemblyHelpers.h: | |
16128 | (JSC::AssemblyHelpers::storeValue): | |
16129 | (JSC::AssemblyHelpers::loadValue): | |
16130 | (JSC::AssemblyHelpers::storeTrustedValue): | |
16131 | (JSC::AssemblyHelpers::branchIfNotCell): | |
16132 | (JSC::AssemblyHelpers::branchIsEmpty): | |
16133 | (JSC::AssemblyHelpers::argumentsStart): | |
16134 | (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted. | |
16135 | (JSC::AssemblyHelpers::offsetOfLocals): Deleted. | |
16136 | (JSC::AssemblyHelpers::offsetOfArguments): Deleted. | |
16137 | * jit/CCallHelpers.h: | |
16138 | (JSC::CCallHelpers::setupArgument): | |
16139 | * jit/GPRInfo.h: | |
16140 | (JSC::JSValueRegs::withTwoAvailableRegs): | |
16141 | * jit/JIT.cpp: | |
16142 | (JSC::JIT::privateCompileMainPass): | |
16143 | (JSC::JIT::privateCompileSlowCases): | |
16144 | * jit/JIT.h: | |
16145 | * jit/JITCall.cpp: | |
16146 | (JSC::JIT::compileSetupVarargsFrame): | |
16147 | * jit/JITCall32_64.cpp: | |
16148 | (JSC::JIT::compileSetupVarargsFrame): | |
16149 | * jit/JITInlines.h: | |
16150 | (JSC::JIT::callOperation): | |
16151 | * jit/JITOpcodes.cpp: | |
16152 | (JSC::JIT::emit_op_create_lexical_environment): | |
16153 | (JSC::JIT::emit_op_new_func): | |
16154 | (JSC::JIT::emit_op_create_direct_arguments): | |
16155 | (JSC::JIT::emit_op_create_scoped_arguments): | |
16156 | (JSC::JIT::emit_op_create_out_of_band_arguments): | |
16157 | (JSC::JIT::emit_op_tear_off_arguments): Deleted. | |
16158 | (JSC::JIT::emit_op_create_arguments): Deleted. | |
16159 | (JSC::JIT::emit_op_init_lazy_reg): Deleted. | |
16160 | (JSC::JIT::emit_op_get_arguments_length): Deleted. | |
16161 | (JSC::JIT::emitSlow_op_get_arguments_length): Deleted. | |
16162 | (JSC::JIT::emit_op_get_argument_by_val): Deleted. | |
16163 | (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted. | |
16164 | * jit/JITOpcodes32_64.cpp: | |
16165 | (JSC::JIT::emit_op_create_lexical_environment): | |
16166 | (JSC::JIT::emit_op_tear_off_arguments): Deleted. | |
16167 | (JSC::JIT::emit_op_create_arguments): Deleted. | |
16168 | (JSC::JIT::emit_op_init_lazy_reg): Deleted. | |
16169 | (JSC::JIT::emit_op_get_arguments_length): Deleted. | |
16170 | (JSC::JIT::emitSlow_op_get_arguments_length): Deleted. | |
16171 | (JSC::JIT::emit_op_get_argument_by_val): Deleted. | |
16172 | (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted. | |
16173 | * jit/JITOperations.cpp: | |
16174 | * jit/JITOperations.h: | |
16175 | * jit/JITPropertyAccess.cpp: | |
16176 | (JSC::JIT::emitGetClosureVar): | |
16177 | (JSC::JIT::emitPutClosureVar): | |
16178 | (JSC::JIT::emit_op_get_from_arguments): | |
16179 | (JSC::JIT::emit_op_put_to_arguments): | |
16180 | (JSC::JIT::emit_op_init_global_const): | |
16181 | (JSC::JIT::privateCompileGetByVal): | |
16182 | (JSC::JIT::emitDirectArgumentsGetByVal): | |
16183 | (JSC::JIT::emitScopedArgumentsGetByVal): | |
16184 | * jit/JITPropertyAccess32_64.cpp: | |
16185 | (JSC::JIT::emitGetClosureVar): | |
16186 | (JSC::JIT::emitPutClosureVar): | |
16187 | (JSC::JIT::emit_op_get_from_arguments): | |
16188 | (JSC::JIT::emit_op_put_to_arguments): | |
16189 | (JSC::JIT::emit_op_init_global_const): | |
16190 | * jit/SetupVarargsFrame.cpp: | |
16191 | (JSC::emitSetupVarargsFrameFastCase): | |
16192 | * llint/LLIntOffsetsExtractor.cpp: | |
16193 | * llint/LLIntSlowPaths.cpp: | |
16194 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
16195 | * llint/LowLevelInterpreter.asm: | |
16196 | * llint/LowLevelInterpreter32_64.asm: | |
16197 | * llint/LowLevelInterpreter64.asm: | |
16198 | * parser/Nodes.h: | |
16199 | (JSC::ScopeNode::captures): | |
16200 | * runtime/Arguments.cpp: Removed. | |
16201 | * runtime/Arguments.h: Removed. | |
16202 | * runtime/ArgumentsMode.h: Added. | |
16203 | * runtime/DirectArgumentsOffset.cpp: Added. | |
16204 | (JSC::DirectArgumentsOffset::dump): | |
16205 | * runtime/DirectArgumentsOffset.h: Added. | |
16206 | (JSC::DirectArgumentsOffset::DirectArgumentsOffset): | |
16207 | * runtime/CommonSlowPaths.cpp: | |
16208 | (JSC::SLOW_PATH_DECL): | |
16209 | * runtime/CommonSlowPaths.h: | |
16210 | * runtime/ConstantMode.cpp: Added. | |
16211 | (WTF::printInternal): | |
16212 | * runtime/ConstantMode.h: | |
16213 | (JSC::modeForIsConstant): | |
16214 | * runtime/DirectArguments.cpp: Added. | |
16215 | (JSC::DirectArguments::DirectArguments): | |
16216 | (JSC::DirectArguments::createUninitialized): | |
16217 | (JSC::DirectArguments::create): | |
16218 | (JSC::DirectArguments::createByCopying): | |
16219 | (JSC::DirectArguments::visitChildren): | |
16220 | (JSC::DirectArguments::copyBackingStore): | |
16221 | (JSC::DirectArguments::createStructure): | |
16222 | (JSC::DirectArguments::overrideThings): | |
16223 | (JSC::DirectArguments::overrideThingsIfNecessary): | |
16224 | (JSC::DirectArguments::overrideArgument): | |
16225 | (JSC::DirectArguments::copyToArguments): | |
16226 | (JSC::DirectArguments::overridesSize): | |
16227 | * runtime/DirectArguments.h: Added. | |
16228 | (JSC::DirectArguments::internalLength): | |
16229 | (JSC::DirectArguments::length): | |
16230 | (JSC::DirectArguments::canAccessIndexQuickly): | |
16231 | (JSC::DirectArguments::getIndexQuickly): | |
16232 | (JSC::DirectArguments::setIndexQuickly): | |
16233 | (JSC::DirectArguments::callee): | |
16234 | (JSC::DirectArguments::argument): | |
16235 | (JSC::DirectArguments::overrodeThings): | |
16236 | (JSC::DirectArguments::offsetOfCallee): | |
16237 | (JSC::DirectArguments::offsetOfLength): | |
16238 | (JSC::DirectArguments::offsetOfMinCapacity): | |
16239 | (JSC::DirectArguments::offsetOfOverrides): | |
16240 | (JSC::DirectArguments::storageOffset): | |
16241 | (JSC::DirectArguments::offsetOfSlot): | |
16242 | (JSC::DirectArguments::allocationSize): | |
16243 | (JSC::DirectArguments::storage): | |
16244 | * runtime/FunctionPrototype.cpp: | |
16245 | * runtime/GenericArguments.h: Added. | |
16246 | (JSC::GenericArguments::GenericArguments): | |
16247 | * runtime/GenericArgumentsInlines.h: Added. | |
16248 | (JSC::GenericArguments<Type>::getOwnPropertySlot): | |
16249 | (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex): | |
16250 | (JSC::GenericArguments<Type>::getOwnPropertyNames): | |
16251 | (JSC::GenericArguments<Type>::put): | |
16252 | (JSC::GenericArguments<Type>::putByIndex): | |
16253 | (JSC::GenericArguments<Type>::deleteProperty): | |
16254 | (JSC::GenericArguments<Type>::deletePropertyByIndex): | |
16255 | (JSC::GenericArguments<Type>::defineOwnProperty): | |
16256 | (JSC::GenericArguments<Type>::copyToArguments): | |
16257 | * runtime/GenericOffset.h: Added. | |
16258 | (JSC::GenericOffset::GenericOffset): | |
16259 | (JSC::GenericOffset::operator!): | |
16260 | (JSC::GenericOffset::offsetUnchecked): | |
16261 | (JSC::GenericOffset::offset): | |
16262 | (JSC::GenericOffset::operator==): | |
16263 | (JSC::GenericOffset::operator!=): | |
16264 | (JSC::GenericOffset::operator<): | |
16265 | (JSC::GenericOffset::operator>): | |
16266 | (JSC::GenericOffset::operator<=): | |
16267 | (JSC::GenericOffset::operator>=): | |
16268 | (JSC::GenericOffset::operator+): | |
16269 | (JSC::GenericOffset::operator-): | |
16270 | (JSC::GenericOffset::operator+=): | |
16271 | (JSC::GenericOffset::operator-=): | |
16272 | * runtime/JSArgumentsIterator.cpp: | |
16273 | (JSC::JSArgumentsIterator::finishCreation): | |
16274 | (JSC::argumentsFuncIterator): | |
16275 | * runtime/JSArgumentsIterator.h: | |
16276 | (JSC::JSArgumentsIterator::create): | |
16277 | (JSC::JSArgumentsIterator::next): | |
16278 | * runtime/JSEnvironmentRecord.cpp: | |
16279 | (JSC::JSEnvironmentRecord::visitChildren): | |
16280 | * runtime/JSEnvironmentRecord.h: | |
16281 | (JSC::JSEnvironmentRecord::variables): | |
16282 | (JSC::JSEnvironmentRecord::isValid): | |
16283 | (JSC::JSEnvironmentRecord::variableAt): | |
16284 | (JSC::JSEnvironmentRecord::offsetOfVariables): | |
16285 | (JSC::JSEnvironmentRecord::offsetOfVariable): | |
16286 | (JSC::JSEnvironmentRecord::allocationSizeForScopeSize): | |
16287 | (JSC::JSEnvironmentRecord::allocationSize): | |
16288 | (JSC::JSEnvironmentRecord::JSEnvironmentRecord): | |
16289 | (JSC::JSEnvironmentRecord::finishCreationUninitialized): | |
16290 | (JSC::JSEnvironmentRecord::finishCreation): | |
16291 | (JSC::JSEnvironmentRecord::registers): Deleted. | |
16292 | (JSC::JSEnvironmentRecord::registerAt): Deleted. | |
16293 | (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted. | |
16294 | (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted. | |
16295 | * runtime/JSFunction.cpp: | |
16296 | * runtime/JSGlobalObject.cpp: | |
16297 | (JSC::JSGlobalObject::init): | |
16298 | (JSC::JSGlobalObject::addGlobalVar): | |
16299 | (JSC::JSGlobalObject::addFunction): | |
16300 | (JSC::JSGlobalObject::visitChildren): | |
16301 | (JSC::JSGlobalObject::addStaticGlobals): | |
16302 | * runtime/JSGlobalObject.h: | |
16303 | (JSC::JSGlobalObject::directArgumentsStructure): | |
16304 | (JSC::JSGlobalObject::scopedArgumentsStructure): | |
16305 | (JSC::JSGlobalObject::outOfBandArgumentsStructure): | |
16306 | (JSC::JSGlobalObject::argumentsStructure): Deleted. | |
16307 | * runtime/JSLexicalEnvironment.cpp: | |
16308 | (JSC::JSLexicalEnvironment::symbolTableGet): | |
16309 | (JSC::JSLexicalEnvironment::symbolTablePut): | |
16310 | (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): | |
16311 | (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes): | |
16312 | (JSC::JSLexicalEnvironment::visitChildren): Deleted. | |
16313 | * runtime/JSLexicalEnvironment.h: | |
16314 | (JSC::JSLexicalEnvironment::create): | |
16315 | (JSC::JSLexicalEnvironment::JSLexicalEnvironment): | |
16316 | (JSC::JSLexicalEnvironment::registersOffset): Deleted. | |
16317 | (JSC::JSLexicalEnvironment::storageOffset): Deleted. | |
16318 | (JSC::JSLexicalEnvironment::storage): Deleted. | |
16319 | (JSC::JSLexicalEnvironment::allocationSize): Deleted. | |
16320 | (JSC::JSLexicalEnvironment::isValidIndex): Deleted. | |
16321 | (JSC::JSLexicalEnvironment::isValid): Deleted. | |
16322 | (JSC::JSLexicalEnvironment::registerAt): Deleted. | |
16323 | * runtime/JSNameScope.cpp: | |
16324 | (JSC::JSNameScope::visitChildren): Deleted. | |
16325 | * runtime/JSNameScope.h: | |
16326 | (JSC::JSNameScope::create): | |
16327 | (JSC::JSNameScope::value): | |
16328 | (JSC::JSNameScope::finishCreation): | |
16329 | (JSC::JSNameScope::JSNameScope): | |
16330 | * runtime/JSScope.cpp: | |
16331 | (JSC::abstractAccess): | |
16332 | * runtime/JSSegmentedVariableObject.cpp: | |
16333 | (JSC::JSSegmentedVariableObject::findVariableIndex): | |
16334 | (JSC::JSSegmentedVariableObject::addVariables): | |
16335 | (JSC::JSSegmentedVariableObject::visitChildren): | |
16336 | (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted. | |
16337 | (JSC::JSSegmentedVariableObject::addRegisters): Deleted. | |
16338 | * runtime/JSSegmentedVariableObject.h: | |
16339 | (JSC::JSSegmentedVariableObject::variableAt): | |
16340 | (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject): | |
16341 | (JSC::JSSegmentedVariableObject::registerAt): Deleted. | |
16342 | (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted. | |
16343 | * runtime/JSSymbolTableObject.h: | |
16344 | (JSC::JSSymbolTableObject::offsetOfSymbolTable): | |
16345 | (JSC::symbolTableGet): | |
16346 | (JSC::symbolTablePut): | |
16347 | (JSC::symbolTablePutWithAttributes): | |
16348 | * runtime/JSType.h: | |
16349 | * runtime/Options.h: | |
16350 | * runtime/ClonedArguments.cpp: Added. | |
16351 | (JSC::ClonedArguments::ClonedArguments): | |
16352 | (JSC::ClonedArguments::createEmpty): | |
16353 | (JSC::ClonedArguments::createWithInlineFrame): | |
16354 | (JSC::ClonedArguments::createWithMachineFrame): | |
16355 | (JSC::ClonedArguments::createByCopyingFrom): | |
16356 | (JSC::ClonedArguments::createStructure): | |
16357 | (JSC::ClonedArguments::getOwnPropertySlot): | |
16358 | (JSC::ClonedArguments::getOwnPropertyNames): | |
16359 | (JSC::ClonedArguments::put): | |
16360 | (JSC::ClonedArguments::deleteProperty): | |
16361 | (JSC::ClonedArguments::defineOwnProperty): | |
16362 | (JSC::ClonedArguments::materializeSpecials): | |
16363 | (JSC::ClonedArguments::materializeSpecialsIfNecessary): | |
16364 | * runtime/ClonedArguments.h: Added. | |
16365 | (JSC::ClonedArguments::specialsMaterialized): | |
16366 | * runtime/ScopeOffset.cpp: Added. | |
16367 | (JSC::ScopeOffset::dump): | |
16368 | * runtime/ScopeOffset.h: Added. | |
16369 | (JSC::ScopeOffset::ScopeOffset): | |
16370 | * runtime/ScopedArguments.cpp: Added. | |
16371 | (JSC::ScopedArguments::ScopedArguments): | |
16372 | (JSC::ScopedArguments::finishCreation): | |
16373 | (JSC::ScopedArguments::createUninitialized): | |
16374 | (JSC::ScopedArguments::create): | |
16375 | (JSC::ScopedArguments::createByCopying): | |
16376 | (JSC::ScopedArguments::createByCopyingFrom): | |
16377 | (JSC::ScopedArguments::visitChildren): | |
16378 | (JSC::ScopedArguments::createStructure): | |
16379 | (JSC::ScopedArguments::overrideThings): | |
16380 | (JSC::ScopedArguments::overrideThingsIfNecessary): | |
16381 | (JSC::ScopedArguments::overrideArgument): | |
16382 | (JSC::ScopedArguments::copyToArguments): | |
16383 | * runtime/ScopedArguments.h: Added. | |
16384 | (JSC::ScopedArguments::internalLength): | |
16385 | (JSC::ScopedArguments::length): | |
16386 | (JSC::ScopedArguments::canAccessIndexQuickly): | |
16387 | (JSC::ScopedArguments::getIndexQuickly): | |
16388 | (JSC::ScopedArguments::setIndexQuickly): | |
16389 | (JSC::ScopedArguments::callee): | |
16390 | (JSC::ScopedArguments::overrodeThings): | |
16391 | (JSC::ScopedArguments::offsetOfOverrodeThings): | |
16392 | (JSC::ScopedArguments::offsetOfTotalLength): | |
16393 | (JSC::ScopedArguments::offsetOfTable): | |
16394 | (JSC::ScopedArguments::offsetOfScope): | |
16395 | (JSC::ScopedArguments::overflowStorageOffset): | |
16396 | (JSC::ScopedArguments::allocationSize): | |
16397 | (JSC::ScopedArguments::overflowStorage): | |
16398 | * runtime/ScopedArgumentsTable.cpp: Added. | |
16399 | (JSC::ScopedArgumentsTable::ScopedArgumentsTable): | |
16400 | (JSC::ScopedArgumentsTable::~ScopedArgumentsTable): | |
16401 | (JSC::ScopedArgumentsTable::destroy): | |
16402 | (JSC::ScopedArgumentsTable::create): | |
16403 | (JSC::ScopedArgumentsTable::clone): | |
16404 | (JSC::ScopedArgumentsTable::setLength): | |
16405 | (JSC::ScopedArgumentsTable::set): | |
16406 | (JSC::ScopedArgumentsTable::createStructure): | |
16407 | * runtime/ScopedArgumentsTable.h: Added. | |
16408 | (JSC::ScopedArgumentsTable::length): | |
16409 | (JSC::ScopedArgumentsTable::get): | |
16410 | (JSC::ScopedArgumentsTable::lock): | |
16411 | (JSC::ScopedArgumentsTable::offsetOfLength): | |
16412 | (JSC::ScopedArgumentsTable::offsetOfArguments): | |
16413 | (JSC::ScopedArgumentsTable::at): | |
16414 | * runtime/SymbolTable.cpp: | |
16415 | (JSC::SymbolTableEntry::prepareToWatch): | |
16416 | (JSC::SymbolTable::SymbolTable): | |
16417 | (JSC::SymbolTable::visitChildren): | |
16418 | (JSC::SymbolTable::localToEntry): | |
16419 | (JSC::SymbolTable::entryFor): | |
16420 | (JSC::SymbolTable::cloneScopePart): | |
16421 | (JSC::SymbolTable::prepareForTypeProfiling): | |
16422 | (JSC::SymbolTable::uniqueIDForOffset): | |
16423 | (JSC::SymbolTable::globalTypeSetForOffset): | |
16424 | (JSC::SymbolTable::cloneCapturedNames): Deleted. | |
16425 | (JSC::SymbolTable::uniqueIDForRegister): Deleted. | |
16426 | (JSC::SymbolTable::globalTypeSetForRegister): Deleted. | |
16427 | * runtime/SymbolTable.h: | |
16428 | (JSC::SymbolTableEntry::varOffsetFromBits): | |
16429 | (JSC::SymbolTableEntry::scopeOffsetFromBits): | |
16430 | (JSC::SymbolTableEntry::Fast::varOffset): | |
16431 | (JSC::SymbolTableEntry::Fast::scopeOffset): | |
16432 | (JSC::SymbolTableEntry::Fast::isDontEnum): | |
16433 | (JSC::SymbolTableEntry::Fast::getAttributes): | |
16434 | (JSC::SymbolTableEntry::SymbolTableEntry): | |
16435 | (JSC::SymbolTableEntry::varOffset): | |
16436 | (JSC::SymbolTableEntry::isWatchable): | |
16437 | (JSC::SymbolTableEntry::scopeOffset): | |
16438 | (JSC::SymbolTableEntry::setAttributes): | |
16439 | (JSC::SymbolTableEntry::constantMode): | |
16440 | (JSC::SymbolTableEntry::isDontEnum): | |
16441 | (JSC::SymbolTableEntry::disableWatching): | |
16442 | (JSC::SymbolTableEntry::pack): | |
16443 | (JSC::SymbolTableEntry::isValidVarOffset): | |
16444 | (JSC::SymbolTable::createNameScopeTable): | |
16445 | (JSC::SymbolTable::maxScopeOffset): | |
16446 | (JSC::SymbolTable::didUseScopeOffset): | |
16447 | (JSC::SymbolTable::didUseVarOffset): | |
16448 | (JSC::SymbolTable::scopeSize): | |
16449 | (JSC::SymbolTable::nextScopeOffset): | |
16450 | (JSC::SymbolTable::takeNextScopeOffset): | |
16451 | (JSC::SymbolTable::add): | |
16452 | (JSC::SymbolTable::set): | |
16453 | (JSC::SymbolTable::argumentsLength): | |
16454 | (JSC::SymbolTable::setArgumentsLength): | |
16455 | (JSC::SymbolTable::argumentOffset): | |
16456 | (JSC::SymbolTable::setArgumentOffset): | |
16457 | (JSC::SymbolTable::arguments): | |
16458 | (JSC::SlowArgument::SlowArgument): Deleted. | |
16459 | (JSC::SymbolTableEntry::Fast::getIndex): Deleted. | |
16460 | (JSC::SymbolTableEntry::getIndex): Deleted. | |
16461 | (JSC::SymbolTableEntry::isValidIndex): Deleted. | |
16462 | (JSC::SymbolTable::captureStart): Deleted. | |
16463 | (JSC::SymbolTable::setCaptureStart): Deleted. | |
16464 | (JSC::SymbolTable::captureEnd): Deleted. | |
16465 | (JSC::SymbolTable::setCaptureEnd): Deleted. | |
16466 | (JSC::SymbolTable::captureCount): Deleted. | |
16467 | (JSC::SymbolTable::isCaptured): Deleted. | |
16468 | (JSC::SymbolTable::parameterCount): Deleted. | |
16469 | (JSC::SymbolTable::parameterCountIncludingThis): Deleted. | |
16470 | (JSC::SymbolTable::setParameterCountIncludingThis): Deleted. | |
16471 | (JSC::SymbolTable::slowArguments): Deleted. | |
16472 | (JSC::SymbolTable::setSlowArguments): Deleted. | |
16473 | * runtime/VM.cpp: | |
16474 | (JSC::VM::VM): | |
16475 | * runtime/VM.h: | |
16476 | * runtime/VarOffset.cpp: Added. | |
16477 | (JSC::VarOffset::dump): | |
16478 | (WTF::printInternal): | |
16479 | * runtime/VarOffset.h: Added. | |
16480 | (JSC::VarOffset::VarOffset): | |
16481 | (JSC::VarOffset::assemble): | |
16482 | (JSC::VarOffset::isValid): | |
16483 | (JSC::VarOffset::operator!): | |
16484 | (JSC::VarOffset::kind): | |
16485 | (JSC::VarOffset::isStack): | |
16486 | (JSC::VarOffset::isScope): | |
16487 | (JSC::VarOffset::isDirectArgument): | |
16488 | (JSC::VarOffset::stackOffsetUnchecked): | |
16489 | (JSC::VarOffset::scopeOffsetUnchecked): | |
16490 | (JSC::VarOffset::capturedArgumentsOffsetUnchecked): | |
16491 | (JSC::VarOffset::stackOffset): | |
16492 | (JSC::VarOffset::scopeOffset): | |
16493 | (JSC::VarOffset::capturedArgumentsOffset): | |
16494 | (JSC::VarOffset::rawOffset): | |
16495 | (JSC::VarOffset::checkSanity): | |
16496 | (JSC::VarOffset::operator==): | |
16497 | (JSC::VarOffset::operator!=): | |
16498 | (JSC::VarOffset::hash): | |
16499 | (JSC::VarOffset::isHashTableDeletedValue): | |
16500 | (JSC::VarOffsetHash::hash): | |
16501 | (JSC::VarOffsetHash::equal): | |
16502 | * tests/stress/arguments-exit-strict-mode.js: Added. | |
16503 | * tests/stress/arguments-exit.js: Added. | |
16504 | * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added. | |
16505 | * tests/stress/arguments-inlined-exit-strict-mode.js: Added. | |
16506 | * tests/stress/arguments-inlined-exit.js: Added. | |
16507 | * tests/stress/arguments-interference.js: Added. | |
16508 | * tests/stress/arguments-interference-cfg.js: Added. | |
16509 | * tests/stress/dead-get-closure-var.js: Added. | |
16510 | * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added. | |
16511 | * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added. | |
16512 | * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added. | |
16513 | * tests/stress/varargs-closure-inlined-exit.js: Added. | |
16514 | * tests/stress/varargs-exit.js: Added. | |
16515 | * tests/stress/varargs-inlined-exit.js: Added. | |
16516 | * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added. | |
16517 | * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added. | |
16518 | * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added. | |
16519 | * tests/stress/varargs-inlined-simple-exit.js: Added. | |
16520 | * tests/stress/varargs-too-few-arguments.js: Added. | |
16521 | * tests/stress/varargs-varargs-closure-inlined-exit.js: Added. | |
16522 | * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added. | |
16523 | * tests/stress/varargs-varargs-inlined-exit.js: Added. | |
16524 | ||
16525 | 2015-03-25 Andy Estes <aestes@apple.com> | |
16526 | ||
16527 | [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC | |
16528 | https://bugs.webkit.org/show_bug.cgi?id=143068 | |
16529 | ||
16530 | Reviewed by Dan Bernstein. | |
16531 | ||
16532 | * inspector/remote/RemoteInspectorXPCConnection.mm: | |
16533 | (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC. | |
16534 | ||
16535 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
16536 | ||
16537 | Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC | |
16538 | https://bugs.webkit.org/show_bug.cgi?id=142993 | |
16539 | ||
16540 | Reviewed by Geoffrey Garen and Mark Lam. | |
16541 | ||
16542 | This changes the most commonly invoked paths that relied on JITCompilationMustSucceed | |
16543 | into using JITCompilationCanFail and having a legit fallback path. This mostly involves | |
16544 | having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation | |
16545 | failure, but also involves adding the same kind of thing to the stub generators in | |
16546 | Repatch. | |
16547 | ||
16548 | Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most | |
16549 | of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few, | |
16550 | like host call stub generation, could handle a GC, but those get invoked very rarely. So, | |
16551 | this patch changes the releaseExecutableMemory() call into a crash with some diagnostic | |
16552 | printout. | |
16553 | ||
16554 | Also add a way of inducing executable allocation failure, so that we can test this. | |
16555 | ||
16556 | * CMakeLists.txt: | |
16557 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
16558 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
16559 | * dfg/DFGJITCompiler.cpp: | |
16560 | (JSC::DFG::JITCompiler::compile): | |
16561 | (JSC::DFG::JITCompiler::compileFunction): | |
16562 | (JSC::DFG::JITCompiler::link): Deleted. | |
16563 | (JSC::DFG::JITCompiler::linkFunction): Deleted. | |
16564 | * dfg/DFGJITCompiler.h: | |
16565 | * dfg/DFGPlan.cpp: | |
16566 | (JSC::DFG::Plan::compileInThreadImpl): | |
16567 | * ftl/FTLCompile.cpp: | |
16568 | (JSC::FTL::mmAllocateCodeSection): | |
16569 | (JSC::FTL::mmAllocateDataSection): | |
16570 | * ftl/FTLLink.cpp: | |
16571 | (JSC::FTL::link): | |
16572 | * ftl/FTLState.h: | |
16573 | * jit/ArityCheckFailReturnThunks.cpp: | |
16574 | (JSC::ArityCheckFailReturnThunks::returnPCsFor): | |
16575 | * jit/ExecutableAllocationFuzz.cpp: Added. | |
16576 | (JSC::numberOfExecutableAllocationFuzzChecks): | |
16577 | (JSC::doExecutableAllocationFuzzing): | |
16578 | * jit/ExecutableAllocationFuzz.h: Added. | |
16579 | (JSC::doExecutableAllocationFuzzingIfEnabled): | |
16580 | * jit/ExecutableAllocatorFixedVMPool.cpp: | |
16581 | (JSC::ExecutableAllocator::allocate): | |
16582 | * jit/JIT.cpp: | |
16583 | (JSC::JIT::privateCompile): | |
16584 | * jit/JITCompilationEffort.h: | |
16585 | * jit/Repatch.cpp: | |
16586 | (JSC::generateByIdStub): | |
16587 | (JSC::tryCacheGetByID): | |
16588 | (JSC::tryBuildGetByIDList): | |
16589 | (JSC::emitPutReplaceStub): | |
16590 | (JSC::emitPutTransitionStubAndGetOldStructure): | |
16591 | (JSC::tryCachePutByID): | |
16592 | (JSC::tryBuildPutByIdList): | |
16593 | (JSC::tryRepatchIn): | |
16594 | (JSC::linkPolymorphicCall): | |
16595 | * jsc.cpp: | |
16596 | (jscmain): | |
16597 | * runtime/Options.h: | |
16598 | * runtime/TestRunnerUtils.h: | |
16599 | * runtime/VM.cpp: | |
16600 | * tests/executableAllocationFuzz: Added. | |
16601 | * tests/executableAllocationFuzz.yaml: Added. | |
16602 | * tests/executableAllocationFuzz/v8-raytrace.js: Added. | |
16603 | ||
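The entry above describes two things: callers that pass JITCompilationCanFail get a real fallback when executable memory cannot be allocated, callers that still pass JITCompilationMustSucceed crash with a diagnostic instead of attempting a GC, and a fuzzing knob lets a test induce the allocation failure. The following is an added example modelling that pattern; it is not JavaScriptCore's code, and the enum names, the counter-based fuzz knob (`g_failAtCheck`) and the `CompileResult` reporting are assumptions made for the illustration.

```cpp
#include <cstdio>
#include <cstdint>
#include <memory>
#include <vector>

// Constructed model of JITCompilationCanFail vs. JITCompilationMustSucceed and
// of executable-allocation fault injection. Added example, not JSC's code;
// the names and the counter-based fuzz knob are assumptions.
enum class JITCompilationEffort { CanFail, MustSucceed };

// Fuzz knob: when non-zero, the Nth executable allocation check fails.
static unsigned g_failAtCheck = 0;
static unsigned g_checksSoFar = 0;

static bool doExecutableAllocationFuzzing()
{
    ++g_checksSoFar;
    return g_failAtCheck != 0 && g_checksSoFar == g_failAtCheck;
}

struct ExecutableMemory { std::vector<uint8_t> bytes; };

// Returns nullptr on failure. It never frees other memory and retries;
// that decision belongs to the caller, which knows whether it can fall back.
static std::unique_ptr<ExecutableMemory> allocateExecutable(size_t size)
{
    if (doExecutableAllocationFuzzing())
        return nullptr;
    std::unique_ptr<ExecutableMemory> mem(new ExecutableMemory);
    mem->bytes.resize(size);
    return mem;
}

enum class CompileResult { Compiled, FellBack, Crashed };

// With CanFail the caller keeps running the unoptimized code. With
// MustSucceed there is no fallback, so the model reports the would-be crash
// (real code would print diagnostics and abort; it must not attempt a GC).
static CompileResult compile(JITCompilationEffort effort, size_t codeSize)
{
    std::unique_ptr<ExecutableMemory> code = allocateExecutable(codeSize);
    if (code)
        return CompileResult::Compiled;
    if (effort == JITCompilationEffort::CanFail)
        return CompileResult::FellBack;
    std::fprintf(stderr, "executable allocation of %zu bytes failed with MustSucceed\n", codeSize);
    return CompileResult::Crashed;
}

// Test helper: make the Nth allocation check fail (0 = never), then compile once.
CompileResult compileWithInjectedFailure(unsigned failAt, JITCompilationEffort effort)
{
    g_failAtCheck = failAt;
    g_checksSoFar = 0;
    return compile(effort, 4096);
}

int main()
{
    std::printf("no fault, CanFail:     %d\n", (int)compileWithInjectedFailure(0, JITCompilationEffort::CanFail));
    std::printf("fault #1, CanFail:     %d\n", (int)compileWithInjectedFailure(1, JITCompilationEffort::CanFail));
    std::printf("fault #1, MustSucceed: %d\n", (int)compileWithInjectedFailure(1, JITCompilationEffort::MustSucceed));
    return 0;
}
```

The useful property to check in a test harness is the one the entry relies on: under CanFail an injected allocation failure degrades to the fallback path and nothing else changes, whereas under MustSucceed the same failure is treated as fatal rather than as a reason to reclaim memory from inside a context that cannot tolerate a GC.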
16604 | 2015-03-25 Mark Lam <mark.lam@apple.com> | |
16605 | ||
16606 | REGRESSION(169139): LLINT intermittently fails JSC testapi tests. | |
16607 | <https://webkit.org/b/135719> | |
16608 | ||
16609 | Reviewed by Geoffrey Garen. | |
16610 | ||
16611 | This is a regression introduced in http://trac.webkit.org/changeset/169139 which | |
16612 | changed VM::watchdog from an embedded field into a std::unique_ptr, but did not | |
16613 | update the LLINT to access it as such. | |
16614 | ||
16615 | The issue has only manifested so far on the CLoop tests because those are LLINT | |
16616 | only. In the non-CLoop cases, the JIT kicks in and does the right thing, thereby | |
16617 | hiding the bug in the LLINT. | |
16618 | ||
16619 | * API/JSContextRef.cpp: | |
16620 | (createWatchdogIfNeeded): | |
16621 | (JSContextGroupSetExecutionTimeLimit): | |
16622 | (JSContextGroupClearExecutionTimeLimit): | |
16623 | * llint/LowLevelInterpreter.asm: | |
16624 | ||
16625 | 2015-03-25 Filip Pizlo <fpizlo@apple.com> | |
16626 | ||
16627 | Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default. | |
16628 | ||
16629 | Rubber stamped by Geoffrey Garen. | |
16630 | ||
16631 | * bytecode/CodeBlock.cpp: | |
16632 | (JSC::CodeBlock::visitAggregate): | |
16633 | ||
16634 | 2015-03-25 Joseph Pecoraro <pecoraro@apple.com> | |
16635 | ||
16636 | Fix formatting in BuiltinExecutables | |
16637 | https://bugs.webkit.org/show_bug.cgi?id=143061 | |
16638 | ||
16639 | Reviewed by Ryosuke Niwa. | |
16640 | ||
16641 | * builtins/BuiltinExecutables.cpp: | |
16642 | (JSC::BuiltinExecutables::createExecutableInternal): | |
16643 | ||
16644 | 2015-03-25 Joseph Pecoraro <pecoraro@apple.com> | |
16645 | ||
16646 | ES6: Classes: Program level class statement throws exception in strict mode | |
16647 | https://bugs.webkit.org/show_bug.cgi?id=143038 | |
16648 | ||
16649 | Reviewed by Ryosuke Niwa. | |
16650 | ||
16651 | Classes expose a name to the current lexical environment. This treats | |
16652 | "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}". | |
16653 | Also, improve error messages for class statements where the class is missing a name. | |
16654 | ||
16655 | * parser/Parser.h: | |
16656 | * parser/Parser.cpp: | |
16657 | (JSC::Parser<LexerType>::parseClass): | |
16658 | Fill name in info parameter if needed. Better error message if name is needed and missing. | |
16659 | ||
16660 | (JSC::Parser<LexerType>::parseClassDeclaration): | |
16661 | Pass info parameter to get name, and expose the name as a variable name. | |
16662 | ||
16663 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
16664 | Pass info parameter that is ignored. | |
16665 | ||
16666 | * parser/ParserFunctionInfo.h: | |
16667 | Add a parser info for class, to extract the name. | |
16668 | ||
16669 | 2015-03-25 Yusuke Suzuki <utatane.tea@gmail.com> | |
16670 | ||
16671 | New map and set modification tests in r181922 fails | |
16672 | https://bugs.webkit.org/show_bug.cgi?id=143031 | |
16673 | ||
16674 | Reviewed and tweaked by Geoffrey Garen. | |
16675 | ||
16676 | When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index | |
16677 | to adjust for the packed backing store. | |
16678 | ||
16679 | Consider the following map data. | |
16680 | ||
16681 | x: deleted, o: exists | |
16682 | 0 1 2 3 4 | |
16683 | x x x x o | |
16684 | ||
16685 | And iterator with m_index 3. | |
16686 | ||
16687 | When packing the map data, it becomes: | |
16688 | ||
16689 | 0 | |
16690 | o | |
16691 | ||
16692 | At that time, we perform didRemoveEntry 4 times on iterators. | |
16693 | times => m_index/index/result | |
16694 | 1 => 3/0/dec | |
16695 | 2 => 2/1/dec | |
16696 | 3 => 1/2/nothing | |
16697 | 4 => 1/3/nothing | |
16698 | ||
16699 | After iteration, the iterator's m_index becomes 1, but we expected it to become 0. | |
16700 | This is because we compare against the already decremented m_index, | |
16701 | while the provided deletedIndex is an index into the old storage and m_index is an index into the partially packed storage. | |
16702 | ||
16703 | In this patch, we compare against the packed index instead. | |
16704 | times => m_index/packedIndex/result | |
16705 | 1 => 3/0/dec | |
16706 | 2 => 2/0/dec | |
16707 | 3 => 1/0/dec | |
16708 | 4 => 0/0/nothing | |
16709 | ||
16710 | So m_index becomes 0 as expected. | |
16711 | ||
16712 | And according to the spec, once the iterator is closed (becomes done: true), | |
16713 | its internal [[Map]]/[[Set]] is set to undefined. | |
16714 | So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0). | |
16715 | ||
16716 | In this patch, we change 2 things. | |
16717 | 1. | |
16718 | Compare an iterator's index against the packed index when removing an entry. | |
16719 | ||
16720 | 2. | |
16721 | If the iterator is closed (isFinished()), we don't apply adjustment to the iterator. | |
16722 | ||
16723 | * runtime/MapData.h: | |
16724 | (JSC::MapDataImpl::IteratorData::finish): | |
16725 | (JSC::MapDataImpl::IteratorData::isFinished): | |
16726 | (JSC::MapDataImpl::IteratorData::didRemoveEntry): | |
16727 | (JSC::MapDataImpl::IteratorData::didRemoveAllEntries): | |
16728 | (JSC::MapDataImpl::IteratorData::startPackBackingStore): | |
16729 | * runtime/MapDataInlines.h: | |
16730 | (JSC::JSIterator>::replaceAndPackBackingStore): | |
16731 | * tests/stress/modify-map-during-iteration.js: | |
16732 | * tests/stress/modify-set-during-iteration.js: | |
16733 | ||
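The two tables in the entry above can be reproduced with a small model of the packing step. The following is an added example, not JavaScriptCore's code: the backing store is a plain vector, the iterator keeps only m_index and a finished flag, and both the pre-patch comparison (against the removed entry's index in the old storage) and the patched comparison (against the packed index, skipped for a closed iterator) are shown side by side so the difference in the final m_index is visible.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model of a Map/Set backing store being packed while an
// iterator is live. Added example, not JSC's code; names mirror the entry
// but the store itself is simplified to a vector of entries.
struct Entry {
    bool deleted;
    int key;
};

struct IteratorData {
    size_t m_index;
    bool m_finished;

    explicit IteratorData(size_t index) : m_index(index), m_finished(false) { }

    void finish() { m_finished = true; }
    bool isFinished() const { return m_finished; }

    // Before the patch: compare against the removed entry's index in the
    // old (unpacked) storage, although m_index was already decremented for
    // earlier removals, so the two indices refer to different layouts.
    void didRemoveEntryOld(size_t deletedIndex)
    {
        if (deletedIndex < m_index)
            --m_index;
    }

    // After the patch: compare against the position the removal happened at
    // in the partially packed storage, and leave a closed iterator untouched.
    void didRemoveEntryPacked(size_t packedIndex)
    {
        if (isFinished())
            return;
        if (packedIndex < m_index)
            --m_index;
    }
};

// Compacts live entries to the front and notifies every tracked iterator
// about each removed entry. Returns the number of live entries kept.
size_t packBackingStore(std::vector<Entry>& entries, std::vector<IteratorData*>& iterators, bool usePackedIndex)
{
    size_t packedIndex = 0;
    for (size_t i = 0; i < entries.size(); ++i) {
        if (entries[i].deleted) {
            for (IteratorData* it : iterators) {
                if (usePackedIndex)
                    it->didRemoveEntryPacked(packedIndex);
                else
                    it->didRemoveEntryOld(i);
            }
            continue;
        }
        entries[packedIndex++] = entries[i];
    }
    entries.resize(packedIndex);
    return packedIndex;
}

// The entry's scenario: slots 0..3 deleted, slot 4 live, one iterator at
// m_index 3. Returns the iterator's m_index after packing.
size_t indexAfterPacking(bool usePackedIndex, bool iteratorClosed)
{
    std::vector<Entry> entries = { { true, 0 }, { true, 1 }, { true, 2 }, { true, 3 }, { false, 4 } };
    IteratorData it(3);
    if (iteratorClosed)
        it.finish();
    std::vector<IteratorData*> iterators = { &it };
    packBackingStore(entries, iterators, usePackedIndex);
    return it.m_index;
}

int main()
{
    std::printf("old comparison (wrong): m_index = %zu\n", indexAfterPacking(false, false));
    std::printf("packed comparison:      m_index = %zu\n", indexAfterPacking(true, false));
    std::printf("closed iterator:        m_index = %zu (left alone)\n", indexAfterPacking(true, true));
    return 0;
}
```

Running it gives 1 for the old comparison and 0 for the packed comparison, matching the two tables, and a closed iterator keeps its index because the patch does not revive a finished iterator.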
16734 | 2015-03-24 Joseph Pecoraro <pecoraro@apple.com> | |
16735 | ||
16736 | Setter should have a single formal parameter, Getter no parameters | |
16737 | https://bugs.webkit.org/show_bug.cgi?id=142903 | |
16738 | ||
16739 | Reviewed by Geoffrey Garen. | |
16740 | ||
16741 | * parser/Parser.cpp: | |
16742 | (JSC::Parser<LexerType>::parseFunctionInfo): | |
16743 | Enforce no parameters for getters and a single parameter | |
16744 | for setters, with informational error messages. | |
16745 | ||
16746 | 2015-03-24 Joseph Pecoraro <pecoraro@apple.com> | |
16747 | ||
16748 | ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance | |
16749 | https://bugs.webkit.org/show_bug.cgi?id=143012 | |
16750 | ||
16751 | Reviewed by Ryosuke Niwa. | |
16752 | ||
16753 | * bytecompiler/BytecodeGenerator.cpp: | |
16754 | (JSC::BytecodeGenerator::emitReturn): | |
16755 | Fix handling of "undefined" when returned from a Derived class. It was | |
16756 | returning "undefined" when it should have returned "this". | |
16757 | ||
16758 | 2015-03-24 Yusuke Suzuki <utatane.tea@gmail.com> | |
16759 | ||
16760 | REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor | |
16761 | https://bugs.webkit.org/show_bug.cgi?id=142696 | |
16762 | ||
16763 | Reviewed and tweaked by Geoffrey Garen. | |
16764 | ||
16765 | Before r142556, JSSetIterator::destroy was not defined. | |
16766 | So, accidentally, the MapData::const_iterator in JSSet was never destroyed. | |
16767 | But it had a non-trivial destructor, decrementing MapData->m_iteratorCount. | |
16768 | ||
16769 | After r142556, JSSetIterator::destroy works. | |
16770 | It correctly destructs MapData::const_iterator, and m_iteratorCount partially works. | |
16771 | But JSSetIterator::~JSSetIterator requires the owned JSSet since it mutates MapData->m_iteratorCount. | |
16772 | ||
16773 | It is guaranteed that JSSet is live since JSSetIterator has a reference to JSSet | |
16774 | and marks it in visitChildren (WriteBarrier<Unknown>). | |
16775 | However, the order of destruction is not guaranteed in a GC-ed system. | |
16776 | ||
16777 | Consider the following case: | |
16778 | allocate a JSSet and subsequently allocate a JSSetIterator, | |
16779 | and they reside in separate MarkedBlocks, <1> and <2>. | |
16780 | ||
16781 | JSSet<1> <- JSSetIterator<2> | |
16782 | ||
16783 | After that, when performing GC, the Marker decides that the above 2 objects are not marked. | |
16784 | The Marker also decides that MarkedBlocks <1> and <2> can be swept. | |
16785 | ||
16786 | First, the Sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>. | |
16787 | Second, the Sweeper sweeps <2> and attempts to destruct JSSetIterator<2>. | |
16788 | However, JSSetIterator<2>'s destructor, | |
16789 | JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free. | |
16790 | ||
16791 | In this patch, we introduce WeakGCMap into JSMap/JSSet to track live iterators. | |
16792 | When packing the removed elements in JSSet/JSMap, we apply the change to all live | |
16793 | iterators tracked by WeakGCMap. | |
16794 | ||
16795 | WeakGCMap can only track JSCell since they are managed by GC. | |
16796 | So we drop JSSet/JSMap C++ style iterators. Instead of C++ style iterator, this patch | |
16797 | introduces JS style iterator signatures into C++ class IteratorData. | |
16798 | If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using | |
16799 | IteratorData directly. | |
16800 | ||
16801 | * runtime/JSMap.cpp: | |
16802 | (JSC::JSMap::destroy): | |
16803 | * runtime/JSMap.h: | |
16804 | (JSC::JSMap::JSMap): | |
16805 | (JSC::JSMap::begin): Deleted. | |
16806 | (JSC::JSMap::end): Deleted. | |
16807 | * runtime/JSMapIterator.cpp: | |
16808 | (JSC::JSMapIterator::destroy): | |
16809 | * runtime/JSMapIterator.h: | |
16810 | (JSC::JSMapIterator::next): | |
16811 | (JSC::JSMapIterator::nextKeyValue): | |
16812 | (JSC::JSMapIterator::iteratorData): | |
16813 | (JSC::JSMapIterator::JSMapIterator): | |
16814 | * runtime/JSSet.cpp: | |
16815 | (JSC::JSSet::destroy): | |
16816 | * runtime/JSSet.h: | |
16817 | (JSC::JSSet::JSSet): | |
16818 | (JSC::JSSet::begin): Deleted. | |
16819 | (JSC::JSSet::end): Deleted. | |
16820 | * runtime/JSSetIterator.cpp: | |
16821 | (JSC::JSSetIterator::destroy): | |
16822 | * runtime/JSSetIterator.h: | |
16823 | (JSC::JSSetIterator::next): | |
16824 | (JSC::JSSetIterator::iteratorData): | |
16825 | (JSC::JSSetIterator::JSSetIterator): | |
16826 | * runtime/MapData.h: | |
16827 | (JSC::MapDataImpl::IteratorData::finish): | |
16828 | (JSC::MapDataImpl::IteratorData::isFinished): | |
16829 | (JSC::MapDataImpl::shouldPack): | |
16830 | (JSC::JSIterator>::MapDataImpl): | |
16831 | (JSC::JSIterator>::KeyType::KeyType): | |
16832 | (JSC::JSIterator>::IteratorData::IteratorData): | |
16833 | (JSC::JSIterator>::IteratorData::next): | |
16834 | (JSC::JSIterator>::IteratorData::ensureSlot): | |
16835 | (JSC::JSIterator>::IteratorData::applyMapDataPatch): | |
16836 | (JSC::JSIterator>::IteratorData::refreshCursor): | |
16837 | (JSC::MapDataImpl::const_iterator::key): Deleted. | |
16838 | (JSC::MapDataImpl::const_iterator::value): Deleted. | |
16839 | (JSC::MapDataImpl::const_iterator::operator++): Deleted. | |
16840 | (JSC::MapDataImpl::const_iterator::finish): Deleted. | |
16841 | (JSC::MapDataImpl::const_iterator::atEnd): Deleted. | |
16842 | (JSC::MapDataImpl::begin): Deleted. | |
16843 | (JSC::MapDataImpl::end): Deleted. | |
16844 | (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted. | |
16845 | (JSC::MapDataImpl<Entry>::clear): Deleted. | |
16846 | (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted. | |
16847 | (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted. | |
16848 | (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted. | |
16849 | (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted. | |
16850 | (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted. | |
16851 | (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted. | |
16852 | (JSC::=): Deleted. | |
16853 | * runtime/MapDataInlines.h: | |
16854 | (JSC::JSIterator>::clear): | |
16855 | (JSC::JSIterator>::find): | |
16856 | (JSC::JSIterator>::contains): | |
16857 | (JSC::JSIterator>::add): | |
16858 | (JSC::JSIterator>::set): | |
16859 | (JSC::JSIterator>::get): | |
16860 | (JSC::JSIterator>::remove): | |
16861 | (JSC::JSIterator>::replaceAndPackBackingStore): | |
16862 | (JSC::JSIterator>::replaceBackingStore): | |
16863 | (JSC::JSIterator>::ensureSpaceForAppend): | |
16864 | (JSC::JSIterator>::visitChildren): | |
16865 | (JSC::JSIterator>::copyBackingStore): | |
16866 | (JSC::JSIterator>::applyMapDataPatch): | |
16867 | (JSC::MapDataImpl<Entry>::find): Deleted. | |
16868 | (JSC::MapDataImpl<Entry>::contains): Deleted. | |
16869 | (JSC::MapDataImpl<Entry>::add): Deleted. | |
16870 | (JSC::MapDataImpl<Entry>::set): Deleted. | |
16871 | (JSC::MapDataImpl<Entry>::get): Deleted. | |
16872 | (JSC::MapDataImpl<Entry>::remove): Deleted. | |
16873 | (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted. | |
16874 | (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted. | |
16875 | (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted. | |
16876 | (JSC::MapDataImpl<Entry>::visitChildren): Deleted. | |
16877 | (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted. | |
16878 | * runtime/MapPrototype.cpp: | |
16879 | (JSC::mapProtoFuncForEach): | |
16880 | * runtime/SetPrototype.cpp: | |
16881 | (JSC::setProtoFuncForEach): | |
16882 | * runtime/WeakGCMap.h: | |
16883 | (JSC::WeakGCMap::forEach): | |
16884 | * tests/stress/modify-map-during-iteration.js: Added. | |
16885 | (testValue): | |
16886 | (identityPairs): | |
16887 | (.set if): | |
16888 | (var): | |
16889 | (set map): | |
16890 | * tests/stress/modify-set-during-iteration.js: Added. | |
16891 | (testValue): | |
16892 | (set forEach): | |
16893 | (set delete): | |
16894 | ||
16895 | 2015-03-24 Mark Lam <mark.lam@apple.com> | |
16896 | ||
16897 | The ExecutionTimeLimit test should use its own JSGlobalContextRef. | |
16898 | <https://webkit.org/b/143024> | |
16899 | ||
16900 | Reviewed by Geoffrey Garen. | |
16901 | ||
16902 | Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef | |
16903 | passed in from testapi.c. It should create its own for better | |
16904 | encapsulation of the test. | |
16905 | ||
16906 | * API/tests/ExecutionTimeLimitTest.cpp: | |
16907 | (currentCPUTimeAsJSFunctionCallback): | |
16908 | (testExecutionTimeLimit): | |
16909 | * API/tests/ExecutionTimeLimitTest.h: | |
16910 | * API/tests/testapi.c: | |
16911 | (main): | |
16912 | ||
16913 | 2015-03-24 Joseph Pecoraro <pecoraro@apple.com> | |
16914 | ||
16915 | ES6: Object Literal Methods toString is missing method name | |
16916 | https://bugs.webkit.org/show_bug.cgi?id=142992 | |
16917 | ||
16918 | Reviewed by Geoffrey Garen. | |
16919 | ||
16920 | Always stringify functions in the pattern: | |
16921 | ||
16922 | "function " + <function name> + <text from opening parenthesis to closing brace>. | |
16923 | ||
16924 | * runtime/FunctionPrototype.cpp: | |
16925 | (JSC::functionProtoFuncToString): | |
16926 | Update the path that was not stringifying in this pattern. | |
16927 | ||
16928 | * bytecode/UnlinkedCodeBlock.cpp: | |
16929 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): | |
16930 | * bytecode/UnlinkedCodeBlock.h: | |
16931 | (JSC::UnlinkedFunctionExecutable::parametersStartOffset): | |
16932 | * parser/Nodes.h: | |
16933 | * runtime/Executable.cpp: | |
16934 | (JSC::FunctionExecutable::FunctionExecutable): | |
16935 | * runtime/Executable.h: | |
16936 | (JSC::FunctionExecutable::parametersStartOffset): | |
16937 | Pass the already known function parameter opening parenthesis | |
16938 | start offset through to the FunctionExecutable. | |
16939 | ||
16940 | * tests/mozilla/js1_5/Scope/regress-185485.js: | |
16941 | (with.g): | |
16942 | Add back original space in this test that was removed by r181810 | |
16943 | now that we have the space again in stringification. | |
16944 | ||
16945 | 2015-03-24 Michael Saboff <msaboff@apple.com> | |
16946 | ||
16947 | REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated | |
16948 | https://bugs.webkit.org/show_bug.cgi?id=142856 | |
16949 | ||
16950 | Reviewed by Filip Pizlo. | |
16951 | ||
16952 | Refactored the way the for .. in enumeration over objects is done. We used to make three C++ calls to | |
16953 | get info for three loops to iterate over indexed properties, structure properties and other properties, | |
16954 | respectively. We still have the three loops, but now we make one C++ call to get all the info needed | |
16955 | for all loops before we execute any enumeration. | |
16956 | ||
16957 | The JSPropertyEnumerator has a count of the indexed properties and a list of named properties. | |
16958 | The named properties are one list, with structured properties in the range [0,m_endStructurePropertyIndex) | |
16959 | and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex). | |
16960 | ||
16961 | Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and | |
16962 | op_next_enumerator_pname. | |
16963 | Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname. | |
16964 | The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what | |
16965 | end value we stop iterating on. | |
16966 | ||
16967 | Made corresponding node changes to the DFG and FTL for the bytecode changes. | |
16968 | ||
16969 | * bytecode/BytecodeList.json: | |
16970 | * bytecode/BytecodeUseDef.h: | |
16971 | (JSC::computeUsesForBytecodeOffset): | |
16972 | (JSC::computeDefsForBytecodeOffset): | |
16973 | * bytecode/CodeBlock.cpp: | |
16974 | (JSC::CodeBlock::dumpBytecode): | |
16975 | * bytecompiler/BytecodeGenerator.cpp: | |
16976 | (JSC::BytecodeGenerator::emitGetPropertyEnumerator): | |
16977 | (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName): | |
16978 | (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName): | |
16979 | (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted. | |
16980 | (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted. | |
16981 | (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted. | |
16982 | * bytecompiler/BytecodeGenerator.h: | |
16983 | * bytecompiler/NodesCodegen.cpp: | |
16984 | (JSC::ForInNode::emitMultiLoopBytecode): | |
16985 | * dfg/DFGAbstractInterpreterInlines.h: | |
16986 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
16987 | * dfg/DFGByteCodeParser.cpp: | |
16988 | (JSC::DFG::ByteCodeParser::parseBlock): | |
16989 | * dfg/DFGCapabilities.cpp: | |
16990 | (JSC::DFG::capabilityLevel): | |
16991 | * dfg/DFGClobberize.h: | |
16992 | (JSC::DFG::clobberize): | |
16993 | * dfg/DFGDoesGC.cpp: | |
16994 | (JSC::DFG::doesGC): | |
16995 | * dfg/DFGFixupPhase.cpp: | |
16996 | (JSC::DFG::FixupPhase::fixupNode): | |
16997 | * dfg/DFGNodeType.h: | |
16998 | * dfg/DFGPredictionPropagationPhase.cpp: | |
16999 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
17000 | * dfg/DFGSafeToExecute.h: | |
17001 | (JSC::DFG::safeToExecute): | |
17002 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
17003 | (JSC::DFG::SpeculativeJIT::compile): | |
17004 | * dfg/DFGSpeculativeJIT64.cpp: | |
17005 | (JSC::DFG::SpeculativeJIT::compile): | |
17006 | * ftl/FTLAbstractHeapRepository.h: | |
17007 | * ftl/FTLCapabilities.cpp: | |
17008 | (JSC::FTL::canCompile): | |
17009 | * ftl/FTLLowerDFGToLLVM.cpp: | |
17010 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
17011 | (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength): | |
17012 | (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator): | |
17013 | (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname): | |
17014 | (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname): | |
17015 | (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted. | |
17016 | (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted. | |
17017 | (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted. | |
17018 | * jit/JIT.cpp: | |
17019 | (JSC::JIT::privateCompileMainPass): | |
17020 | * jit/JIT.h: | |
17021 | * jit/JITOpcodes.cpp: | |
17022 | (JSC::JIT::emit_op_enumerator_structure_pname): | |
17023 | (JSC::JIT::emit_op_enumerator_generic_pname): | |
17024 | (JSC::JIT::emit_op_get_property_enumerator): | |
17025 | (JSC::JIT::emit_op_next_enumerator_pname): Deleted. | |
17026 | (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted. | |
17027 | (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted. | |
17028 | * jit/JITOpcodes32_64.cpp: | |
17029 | (JSC::JIT::emit_op_enumerator_structure_pname): | |
17030 | (JSC::JIT::emit_op_enumerator_generic_pname): | |
17031 | (JSC::JIT::emit_op_next_enumerator_pname): Deleted. | |
17032 | * jit/JITOperations.cpp: | |
17033 | * jit/JITOperations.h: | |
17034 | * llint/LowLevelInterpreter.asm: | |
17035 | * runtime/CommonSlowPaths.cpp: | |
17036 | (JSC::SLOW_PATH_DECL): | |
17037 | * runtime/CommonSlowPaths.h: | |
17038 | * runtime/JSPropertyNameEnumerator.cpp: | |
17039 | (JSC::JSPropertyNameEnumerator::create): | |
17040 | (JSC::JSPropertyNameEnumerator::finishCreation): | |
17041 | * runtime/JSPropertyNameEnumerator.h: | |
17042 | (JSC::JSPropertyNameEnumerator::indexedLength): | |
17043 | (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex): | |
17044 | (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex): | |
17045 | (JSC::JSPropertyNameEnumerator::indexedLengthOffset): | |
17046 | (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset): | |
17047 | (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset): | |
17048 | (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset): | |
17049 | (JSC::propertyNameEnumerator): | |
17050 | (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted. | |
17051 | (JSC::structurePropertyNameEnumerator): Deleted. | |
17052 | (JSC::genericPropertyNameEnumerator): Deleted. | |
17053 | * runtime/Structure.cpp: | |
17054 | (JSC::Structure::setCachedPropertyNameEnumerator): | |
17055 | (JSC::Structure::cachedPropertyNameEnumerator): | |
17056 | (JSC::Structure::canCachePropertyNameEnumerator): | |
17057 | (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted. | |
17058 | (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted. | |
17059 | (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted. | |
17060 | (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted. | |
17061 | (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted. | |
17062 | (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted. | |
17063 | * runtime/Structure.h: | |
17064 | * runtime/StructureRareData.cpp: | |
17065 | (JSC::StructureRareData::visitChildren): | |
17066 | (JSC::StructureRareData::cachedPropertyNameEnumerator): | |
17067 | (JSC::StructureRareData::setCachedPropertyNameEnumerator): | |
17068 | (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted. | |
17069 | (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted. | |
17070 | (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted. | |
17071 | (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted. | |
17072 | * runtime/StructureRareData.h: | |
17073 | * tests/stress/for-in-delete-during-iteration.js: | |
17074 | ||
17075 | 2015-03-24 Michael Saboff <msaboff@apple.com> | |
17076 | ||
17077 | Unreviewed build fix for debug builds. | |
17078 | ||
17079 | * runtime/ExceptionHelpers.cpp: | |
17080 | (JSC::invalidParameterInSourceAppender): | |
17081 | ||
17082 | 2015-03-24 Saam Barati <saambarati1@gmail.com> | |
17083 | ||
17084 | Improve error messages in JSC | |
17085 | https://bugs.webkit.org/show_bug.cgi?id=141869 | |
17086 | ||
17087 | Reviewed by Geoffrey Garen. | |
17088 | ||
17089 | JavaScriptCore has some unintuitive error messages associated | |
17090 | with certain common errors. This patch changes some specific | |
17091 | error messages to be more understandable and also creates a | |
17092 | mechanism that will allow for easy modification of error messages | |
17093 | in the future. The specific errors we change are "not a function" | |
17094 | errors and "invalid parameter" errors. | |
17095 | ||
17096 | * CMakeLists.txt: | |
17097 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
17098 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
17099 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
17100 | * interpreter/Interpreter.cpp: | |
17101 | (JSC::sizeOfVarargs): | |
17102 | * jit/JITOperations.cpp: | |
17103 | op_throw_static_error always has a JSString as its argument. | |
17104 | There is no need to dance around this, and we should assert | |
17105 | that this always holds. This JSString represents the error | |
17106 | message we want to display to the user, so there is no need | |
17107 | to pass it into errorDescriptionForValue which will now place | |
17108 | quotes around the string. | |
17109 | ||
17110 | * llint/LLIntSlowPaths.cpp: | |
17111 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
17112 | * runtime/CommonSlowPaths.h: | |
17113 | (JSC::CommonSlowPaths::opIn): | |
17114 | * runtime/ErrorInstance.cpp: | |
17115 | (JSC::ErrorInstance::ErrorInstance): | |
17116 | * runtime/ErrorInstance.h: | |
17117 | (JSC::ErrorInstance::hasSourceAppender): | |
17118 | (JSC::ErrorInstance::sourceAppender): | |
17119 | (JSC::ErrorInstance::setSourceAppender): | |
17120 | (JSC::ErrorInstance::clearSourceAppender): | |
17121 | (JSC::ErrorInstance::setRuntimeTypeForCause): | |
17122 | (JSC::ErrorInstance::runtimeTypeForCause): | |
17123 | (JSC::ErrorInstance::clearRuntimeTypeForCause): | |
17124 | (JSC::ErrorInstance::appendSourceToMessage): Deleted. | |
17125 | (JSC::ErrorInstance::setAppendSourceToMessage): Deleted. | |
17126 | (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted. | |
17127 | * runtime/ExceptionHelpers.cpp: | |
17128 | (JSC::errorDescriptionForValue): | |
17129 | (JSC::defaultApproximateSourceError): | |
17130 | (JSC::defaultSourceAppender): | |
17131 | (JSC::functionCallBase): | |
17132 | (JSC::notAFunctionSourceAppender): | |
17133 | (JSC::invalidParameterInSourceAppender): | |
17134 | (JSC::invalidParameterInstanceofSourceAppender): | |
17135 | (JSC::createError): | |
17136 | (JSC::createInvalidFunctionApplyParameterError): | |
17137 | (JSC::createInvalidInParameterError): | |
17138 | (JSC::createInvalidInstanceofParameterError): | |
17139 | (JSC::createNotAConstructorError): | |
17140 | (JSC::createNotAFunctionError): | |
17141 | (JSC::createNotAnObjectError): | |
17142 | (JSC::createInvalidParameterError): Deleted. | |
17143 | * runtime/ExceptionHelpers.h: | |
17144 | * runtime/JSObject.cpp: | |
17145 | (JSC::JSObject::hasInstance): | |
17146 | * runtime/RuntimeType.cpp: Added. | |
17147 | (JSC::runtimeTypeForValue): | |
17148 | (JSC::runtimeTypeAsString): | |
17149 | * runtime/RuntimeType.h: Added. | |
17150 | * runtime/TypeProfilerLog.cpp: | |
17151 | (JSC::TypeProfilerLog::processLogEntries): | |
17152 | * runtime/TypeSet.cpp: | |
17153 | (JSC::TypeSet::getRuntimeTypeForValue): Deleted. | |
17154 | * runtime/TypeSet.h: | |
17155 | * runtime/VM.cpp: | |
17156 | (JSC::appendSourceToError): | |
17157 | (JSC::VM::throwException): | |
17158 | ||
17159 | 2015-03-23 Filip Pizlo <fpizlo@apple.com> | |
17160 | ||
17161 | JSC should have a low-cost asynchronous disassembler | |
17162 | https://bugs.webkit.org/show_bug.cgi?id=142997 | |
17163 | ||
17164 | Reviewed by Mark Lam. | |
17165 | ||
17166 | This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly | |
17167 | doesn't block execution. Some code will live a little longer because of this, since the | |
17168 | work tasks hold a ref to the code, but other than that there is basically no overhead. | |
17169 | ||
17170 | At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't | |
17171 | provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do | |
17172 | the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with | |
17173 | JSC_asyncDisassembly has bizarre behavior - so just choose one. | |
17174 | ||
17175 | A simple way of understanding how great this is, is to run a small benchmark like | |
17176 | V8Spider/earley-boyer. | |
17177 | ||
17178 | Performance without any disassembly flags: 60ms | |
17179 | Performance with JSC_showDisassembly=true: 477ms | |
17180 | Performance with JSC_asyncDisassembly=true: 65ms | |
17181 | ||
17182 | So, the overhead of disassembly goes from 8x to 8%. | |
17183 | ||
17184 | Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of | |
17185 | measuring benchmark performance. This is because at VM exit, we wait for all async | |
17186 | disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms | |
17187 | after the benchmark completely finishes to finish the disassemblies. This small weirdness | |
17188 | should be OK for the intended use-cases, since all you have to do to get around it is to | |
17189 | measure the execution time of the benchmark payload rather than the end-to-end time of | |
17190 | launching the VM. | |
17191 | ||
17192 | * assembler/LinkBuffer.cpp: | |
17193 | (JSC::LinkBuffer::finalizeCodeWithDisassembly): | |
17194 | * assembler/LinkBuffer.h: | |
17195 | (JSC::LinkBuffer::wasAlreadyDisassembled): | |
17196 | (JSC::LinkBuffer::didAlreadyDisassemble): | |
17197 | * dfg/DFGJITCompiler.cpp: | |
17198 | (JSC::DFG::JITCompiler::disassemble): | |
17199 | * dfg/DFGJITFinalizer.cpp: | |
17200 | (JSC::DFG::JITFinalizer::finalize): | |
17201 | (JSC::DFG::JITFinalizer::finalizeFunction): | |
17202 | * disassembler/Disassembler.cpp: | |
17203 | (JSC::disassembleAsynchronously): | |
17204 | (JSC::waitForAsynchronousDisassembly): | |
17205 | * disassembler/Disassembler.h: | |
17206 | * ftl/FTLCompile.cpp: | |
17207 | (JSC::FTL::mmAllocateDataSection): | |
17208 | * ftl/FTLLink.cpp: | |
17209 | (JSC::FTL::link): | |
17210 | * jit/JIT.cpp: | |
17211 | (JSC::JIT::privateCompile): | |
17212 | * jsc.cpp: | |
17213 | * runtime/Options.h: | |
17214 | * runtime/VM.cpp: | |
17215 | (JSC::VM::~VM): | |
17216 | ||
17217 | 2015-03-23 Dean Jackson <dino@apple.com> | |
17218 | ||
17219 | ES7: Implement Array.prototype.includes | |
17220 | https://bugs.webkit.org/show_bug.cgi?id=142707 | |
17221 | ||
17222 | Reviewed by Geoffrey Garen. | |
17223 | ||
17224 | Add support for the ES7 includes method on Arrays. | |
17225 | https://github.com/tc39/Array.prototype.includes | |
17226 | ||
17227 | * builtins/Array.prototype.js: | |
17228 | (includes): Implementation in JS. | |
17229 | * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table. | |
17230 | ||
17231 | 2015-03-23 Joseph Pecoraro <pecoraro@apple.com> | |
17232 | ||
17233 | __defineGetter__/__defineSetter__ should throw exceptions | |
17234 | https://bugs.webkit.org/show_bug.cgi?id=142934 | |
17235 | ||
17236 | Reviewed by Geoffrey Garen. | |
17237 | ||
17238 | * runtime/ObjectPrototype.cpp: | |
17239 | (JSC::objectProtoFuncDefineGetter): | |
17240 | (JSC::objectProtoFuncDefineSetter): | |
17241 | Throw exceptions when these functions are used directly. | |
17242 | ||
17243 | 2015-03-23 Joseph Pecoraro <pecoraro@apple.com> | |
17244 | ||
17245 | Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build | |
17246 | https://bugs.webkit.org/show_bug.cgi?id=142952 | |
17247 | ||
17248 | Reviewed by Geoffrey Garen. | |
17249 | ||
17250 | * runtime/Structure.cpp: | |
17251 | (JSC::PropertyTable::checkConsistency): | |
17252 | The check offset method doesn't exist in PropertyTable; it exists in Structure. | |
17253 | ||
17254 | (JSC::Structure::checkConsistency): | |
17255 | So move it here, and always put it at the start to match normal behavior. | |
17256 | ||
17257 | 2015-03-22 Filip Pizlo <fpizlo@apple.com> | |
17258 | ||
17259 | Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations | |
17260 | https://bugs.webkit.org/show_bug.cgi?id=142956 | |
17261 | ||
17262 | Rubber stamped by Gyuyoung Kim. | |
17263 | ||
17264 | Just removing dead code. | |
17265 | ||
17266 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
17267 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
17268 | * dfg/DFGOSRExit.h: | |
17269 | * dfg/DFGOSRExitCompiler.cpp: | |
17270 | * dfg/DFGValueRecoveryOverride.h: Removed. | |
17271 | ||
17272 | 2015-03-22 Filip Pizlo <fpizlo@apple.com> | |
17273 | ||
17274 | DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG | |
17275 | https://bugs.webkit.org/show_bug.cgi?id=142948 | |
17276 | ||
17277 | Reviewed by Sam Weinig. | |
17278 | ||
17279 | It's necessary to ensure that the stack pointer accounts for the extent of our stack usage | |
17280 | since a signal may clobber the area below the stack pointer. When the DFG is executing, | |
17281 | the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to | |
17282 | baseline, we will use a different amount of stack. This is because baseline is a different | |
17283 | compiler. It will make different decisions. So it will use a different amount of stack. | |
17284 | ||
17285 | This gets tricky when we are in the process of doing an OSR exit, because we are sort of | |
17286 | incrementally transforming the stack from how it looked in the DFG to how it will look in | |
17287 | baseline. The most conservative approach would be to set the stack pointer to the max of | |
17288 | DFG and baseline. | |
17289 | ||
17290 | When this code was written, a reckless assumption was made: that the stack usage in | |
17291 | baseline is always at least as large as the stack usage in DFG. Based on this incorrect | |
17292 | assumption, the code first adjusts the stack pointer to account for the baseline stack | |
17293 | usage. This sort of usually works, because usually baseline does happen to use more stack. | |
17294 | But that's not an invariant. Nobody guarantees this. We will never make any changes that | |
17295 | would make this be guaranteed, because that would be antithetical to how optimizing | |
17296 | compilers work. The DFG should be allowed to use however much stack it decides that it | |
17297 | should use in order to get good performance, and it shouldn't try to guarantee that it | |
17298 | always uses less stack than baseline. | |
17299 | ||
17300 | As such, we must always assume that the frame size for DFG execution (i.e. | |
17301 | frameRegisterCount) and the frame size in baseline once we exit (i.e. | |
17302 | requiredRegisterCountForExit) are two independent quantities and they have no | |
17303 | relationship. | |
17304 | ||
17305 | Fortunately, though, this code can be made correct by just moving the stack adjustment to | |
17306 | just before we do conversions. This is because we have since changed the OSR exit | |
17307 | algorithm to first lift up all state from the DFG state into a scratch buffer, and then to | |
17308 | drop it out of the scratch buffer and into the stack according to the baseline layout. The | |
17309 | point just before conversions is the point where we have finished reading the DFG frame | |
17310 | and will not read it anymore, and we haven't started writing the baseline frame. So, at | |
17311 | this point it is safe to set the stack pointer to account for the frame size at exit. | |
17312 | ||
17313 | This is benign because baseline happens to create larger frames than DFG. | |
17314 | ||
17315 | * dfg/DFGOSRExitCompiler32_64.cpp: | |
17316 | (JSC::DFG::OSRExitCompiler::compileExit): | |
17317 | * dfg/DFGOSRExitCompiler64.cpp: | |
17318 | (JSC::DFG::OSRExitCompiler::compileExit): | |
17319 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
17320 | (JSC::DFG::adjustAndJumpToTarget): | |
17321 | ||
17322 | 2015-03-22 Filip Pizlo <fpizlo@apple.com> | |
17323 | ||
17324 | Shorten the number of iterations to 10,000 since that's enough to test all tiers. | |
17325 | ||
17326 | Rubber stamped by Sam Weinig. | |
17327 | ||
17328 | * tests/stress/equals-masquerader.js: | |
17329 | ||
17330 | 2015-03-22 Filip Pizlo <fpizlo@apple.com> | |
17331 | ||
17332 | tests/stress/*tdz* tests do 10x more iterations than necessary | |
17333 | https://bugs.webkit.org/show_bug.cgi?id=142946 | |
17334 | ||
17335 | Reviewed by Ryosuke Niwa. | |
17336 | ||
17337 | The stress test harness runs all of these tests in various configurations. This includes | |
17338 | no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is | |
17339 | enough to get to the highest tier. The only exceptions are very large functions or | |
17340 | functions that have some reoptimizations. That happens rarely, and when it does happen, | |
17341 | usually 20,000 iterations is enough. | |
17342 | ||
17343 | Therefore, these tests use 10x too many iterations. This is bad, since these tests | |
17344 | allocate on each iteration, and so they run very slowly in debug mode. | |
17345 | ||
17346 | * tests/stress/class-syntax-no-loop-tdz.js: | |
17347 | * tests/stress/class-syntax-no-tdz-in-catch.js: | |
17348 | * tests/stress/class-syntax-no-tdz-in-conditional.js: | |
17349 | * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: | |
17350 | * tests/stress/class-syntax-no-tdz-in-loop.js: | |
17351 | * tests/stress/class-syntax-no-tdz.js: | |
17352 | * tests/stress/class-syntax-tdz-in-catch.js: | |
17353 | * tests/stress/class-syntax-tdz-in-conditional.js: | |
17354 | * tests/stress/class-syntax-tdz-in-loop.js: | |
17355 | * tests/stress/class-syntax-tdz.js: | |
17356 | ||
17357 | 2015-03-21 Joseph Pecoraro <pecoraro@apple.com> | |
17358 | ||
17359 | Fix a typo in Parser error message | |
17360 | https://bugs.webkit.org/show_bug.cgi?id=142942 | |
17361 | ||
17362 | Reviewed by Alexey Proskuryakov. | |
17363 | ||
17364 | * jit/JITPropertyAccess.cpp: | |
17365 | (JSC::JIT::emitSlow_op_resolve_scope): | |
17366 | * jit/JITPropertyAccess32_64.cpp: | |
17367 | (JSC::JIT::emitSlow_op_resolve_scope): | |
17368 | * parser/Parser.cpp: | |
17369 | (JSC::Parser<LexerType>::parseClass): | |
17370 | Fix a common identifier typo. | |
17371 | ||
17372 | 2015-03-21 Joseph Pecoraro <pecoraro@apple.com> | |
17373 | ||
17374 | Computed Property names should allow only AssignmentExpressions not any Expression | |
17375 | https://bugs.webkit.org/show_bug.cgi?id=142902 | |
17376 | ||
17377 | Reviewed by Ryosuke Niwa. | |
17378 | ||
17379 | * parser/Parser.cpp: | |
17380 | (JSC::Parser<LexerType>::parseProperty): | |
17381 | Limit computed expressions to just assignment expressions instead of | |
17382 | any expression (which allowed comma expressions). | |
17383 | ||
17384 | 2015-03-21 Andreas Kling <akling@apple.com> | |
17385 | ||
17386 | Make UnlinkedFunctionExecutable fit in a 128-byte cell. | |
17387 | <https://webkit.org/b/142939> | |
17388 | ||
17389 | Reviewed by Mark Hahnenberg. | |
17390 | ||
17391 | Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside | |
17392 | a 128-byte heap cell instead of requiring a 256-byte one. | |
17393 | ||
17394 | Threw in a static_assert to catch anyone pushing it over the limit again. | |
17395 | ||
17396 | * bytecode/UnlinkedCodeBlock.cpp: | |
17397 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): | |
17398 | * bytecode/UnlinkedCodeBlock.h: | |
17399 | (JSC::UnlinkedFunctionExecutable::functionMode): | |
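
As an added example (not JavaScriptCore's code and not UnlinkedFunctionExecutable's real members), two hypothetical layouts with the same fields show why member order decides whether an object fits a fixed-size heap cell, together with the kind of static_assert this entry adds so the budget cannot be exceeded silently again. The member names, the 128-byte budget constant and the helper functions are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not JavaScriptCore code: two hypothetical layouts with the same members,
// showing why member order decides whether an object fits a fixed-size heap cell, and the
// static_assert that stops it from silently growing past the budget again.
struct PaddedLayout {          // small and pointer-sized members interleaved
    uint8_t  kind;             // followed by alignment padding before the pointer
    void*    source;
    uint8_t  mode;             // more padding
    void*    name;
    uint16_t flags;            // more padding
    void*    codeBlock;
};

struct PackedLayout {          // same members, pointers first, small scalars last
    void*    source;
    void*    name;
    void*    codeBlock;
    uint16_t flags;
    uint8_t  kind;
    uint8_t  mode;
};

// Budget from the ChangeLog entry above: the object must fit a 128-byte cell.
constexpr std::size_t kCellSize = 128;
static_assert(sizeof(PackedLayout) <= kCellSize, "PackedLayout outgrew a 128-byte cell");

// Sum of the members' own sizes; everything beyond this in sizeof() is padding.
constexpr std::size_t kMemberBytes = 3 * sizeof(void*) + sizeof(uint16_t) + 2 * sizeof(uint8_t);

constexpr std::size_t paddingBytes(std::size_t totalSize) { return totalSize - kMemberBytes; }
constexpr std::size_t paddedLayoutSize() { return sizeof(PaddedLayout); }
constexpr std::size_t packedLayoutSize() { return sizeof(PackedLayout); }
```

The static_assert fires at compile time rather than at the first allocation, which is the point: whoever adds a member that pushes the object over the cell size gets told by the build, not by a size-class change in the heap.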
17400 | ||
17401 | 2015-03-20 Mark Hahnenberg <mhahnenb@gmail.com> | |
17402 | ||
17403 | GCTimer should keep track of nested GC phases | |
17404 | https://bugs.webkit.org/show_bug.cgi?id=142675 | |
17405 | ||
17406 | Reviewed by Darin Adler. | |
17407 | ||
17408 | This improves the GC phase timing output in Heap.cpp by linking | |
17409 | phases nested inside other phases together, allowing tools | |
17410 | to compute how much time we're spending in various nested phases. | |
17411 | ||
17412 | * heap/Heap.cpp: | |
17413 | ||
17414 | 2015-03-20 Geoffrey Garen <ggaren@apple.com> | |
17415 | ||
17416 | FunctionBodyNode should know where its parameters started | |
17417 | https://bugs.webkit.org/show_bug.cgi?id=142926 | |
17418 | ||
17419 | Reviewed by Ryosuke Niwa. | |
17420 | ||
17421 | This will allow us to re-parse parameters instead of keeping the | |
17422 | parameters piece of the AST around forever. | |
17423 | ||
17424 | I also took the opportunity to initialize most FunctionBodyNode data | |
17425 | members at construction time, to help clarify that they are set right. | |
17426 | ||
17427 | * parser/ASTBuilder.h: | |
17428 | (JSC::ASTBuilder::createFunctionExpr): No need to pass | |
17429 | functionKeywordStart here; we now provide it at FunctionBodyNode | |
17430 | creation time. | |
17431 | ||
17432 | (JSC::ASTBuilder::createFunctionBody): Require everything we need at | |
17433 | construction time, including the start of our parameters. | |
17434 | ||
17435 | (JSC::ASTBuilder::createGetterOrSetterProperty): | |
17436 | (JSC::ASTBuilder::createFuncDeclStatement): No need to pass | |
17437 | functionKeywordStart here; we now provide it at FunctionBodyNode | |
17438 | creation time. | |
17439 | ||
17440 | (JSC::ASTBuilder::setFunctionNameStart): Deleted. | |
17441 | ||
17442 | * parser/Nodes.cpp: | |
17443 | (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at | |
17444 | construction time. | |
17445 | ||
17446 | * parser/Nodes.h: Added a field for the location of our parameters. | |
17447 | ||
17448 | * parser/Parser.cpp: | |
17449 | (JSC::Parser<LexerType>::parseFunctionBody): | |
17450 | (JSC::Parser<LexerType>::parseFunctionInfo): | |
17451 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
17452 | (JSC::Parser<LexerType>::parseClass): | |
17453 | (JSC::Parser<LexerType>::parsePropertyMethod): | |
17454 | (JSC::Parser<LexerType>::parseGetterSetter): | |
17455 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
17456 | * parser/Parser.h: Refactored to match above interface changes. | |
17457 | ||
17458 | * parser/SyntaxChecker.h: | |
17459 | (JSC::SyntaxChecker::createFunctionExpr): | |
17460 | (JSC::SyntaxChecker::createFunctionBody): | |
17461 | (JSC::SyntaxChecker::createFuncDeclStatement): | |
17462 | (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match | |
17463 | above interface changes. | |
17464 | ||
17465 | (JSC::SyntaxChecker::setFunctionNameStart): Deleted. | |
17466 | ||
17467 | 2015-03-20 Filip Pizlo <fpizlo@apple.com> | |
17468 | ||
17469 | Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes | |
17470 | https://bugs.webkit.org/show_bug.cgi?id=142920 | |
17471 | ||
17472 | Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam. | |
17473 | ||
17474 | Observably effectful, n.: If we reexecute the bytecode instruction after this node has | |
17475 | executed, then something other than the bytecode instruction's specified outcome will | |
17476 | happen. | |
17477 | ||
17478 | We almost never had observably effectful nodes except at the end of the bytecode | |
17479 | instruction. The exception is a lowered transitioning PutById: | |
17480 | ||
17481 | PutStructure(@o, S1 -> S2) | |
17482 | PutByOffset(@o, @o, @v) | |
17483 | ||
17484 | The PutStructure is observably effectful: if you try to reexecute the bytecode after | |
17485 | doing the PutStructure, then we'll most likely crash. The generic PutById handling means | |
17486 | first checking what the old structure of the object is; but if we reexecute, the old | |
17487 | structure will seem to be the new structure. But the property ensured by the new | |
17488 | structure hasn't been stored yet, so any attempt to load it or scan it will crash. | |
17489 | ||
17490 | Intriguingly, however, none of the other operations involved in the PutById are | |
17491 | observably effectful. Consider this example: | |
17492 | ||
17493 | PutByOffset(@o, @o, @v) | |
17494 | PutStructure(@o, S1 -> S2) | |
17495 | ||
17496 | Note that the PutStructure node doesn't reallocate property storage; see further below | |
17497 | for an example that does that. Because no property storage reallocation is happening, we know that we | |
17498 | already had room for the new property. This means that the PutByOffset is not observable | |
17499 | until the PutStructure executes and "reveals" the property. Hence, PutByOffset is not | |
17500 | observably effectful. | |
17501 | ||
17502 | Now consider this: | |
17503 | ||
17504 | b: AllocatePropertyStorage(@o) | |
17505 | PutByOffset(@b, @o, @v) | |
17506 | PutStructure(@o, S1 -> S2) | |
17507 | ||
17508 | Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably | |
17509 | effectful. It *does* reallocate the property storage and the new property storage pointer | |
17510 | is stored into the object. But until the PutStructure occurs, the world will just think | |
17511 | that the reallocation didn't happen, in the sense that we'll think that the property | |
17512 | storage is using less memory than what we just allocated. That's harmless. | |
17513 | ||
17514 | The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the | |
17515 | AllocatePropertyStorage but before the PutByOffset (or before the PutStructure), | |
17516 | everything could be expected to be fine, so long as all of @o, @v and @b are on the | |
17517 | stack. If they are all on the stack, then the GC will leave the property storage alone | |
17518 | (so the extra memory we just allocated would be safe). The GC will not scan the part of | |
17519 | the property storage that contains @v, but that's fine, so long as @v is on the stack. | |
17520 | ||
17521 | The better long-term solution is probably bug 142921. | |
17522 | ||
17523 | But for now, this: | |
17524 | ||
17525 | - Fixes an object materialization bug, exemplified by the two tests, that previously | |
17526 | crashed 100% of the time with FTL enabled and concurrent JIT disabled. | |
17527 | ||
17528 | - Allows us to remove the workaround introduced in r174856. | |
17529 | ||
17530 | * dfg/DFGByteCodeParser.cpp: | |
17531 | (JSC::DFG::ByteCodeParser::handlePutById): | |
17532 | * dfg/DFGConstantFoldingPhase.cpp: | |
17533 | (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): | |
17534 | * dfg/DFGFixupPhase.cpp: | |
17535 | (JSC::DFG::FixupPhase::insertCheck): | |
17536 | (JSC::DFG::FixupPhase::indexOfNode): Deleted. | |
17537 | (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted. | |
17538 | * dfg/DFGInsertionSet.h: | |
17539 | (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted. | |
17540 | (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted. | |
17541 | * tests/stress/materialize-past-butterfly-allocation.js: Added. | |
17542 | (bar): | |
17543 | (foo0): | |
17544 | (foo1): | |
17545 | (foo2): | |
17546 | (foo3): | |
17547 | (foo4): | |
17548 | * tests/stress/materialize-past-put-structure.js: Added. | |
17549 | (foo): | |
17550 | ||
17551 | 2015-03-20 Yusuke Suzuki <utatane.tea@gmail.com> | |
17552 | ||
17553 | REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83 | |
17554 | https://bugs.webkit.org/show_bug.cgi?id=142410 | |
17555 | ||
17556 | Reviewed by Geoffrey Garen. | |
17557 | ||
17558 | Before this patch, the added function JSValue::toPropertyKey returned PropertyName. | |
17559 | Since PropertyName doesn't have AtomicStringImpl ownership, | |
17560 | if Identifier is implicitly converted to PropertyName and Identifier is destructed, | |
17561 | PropertyName may refer to a freed AtomicStringImpl*. | |
17562 | ||
17563 | This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier, | |
17564 | to keep AtomicStringImpl* ownership after the toPropertyName call is done. | |
17565 | And receive the result value as Identifier type to keep ownership in the caller side. | |
17566 | ||
17567 | To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto. | |
17568 | ||
17569 | However, now we don't need to have both Identifier and PropertyName. | |
17570 | So we'll merge PropertyName to Identifier in the subsequent patch. | |
17571 | ||
17572 | * dfg/DFGOperations.cpp: | |
17573 | (JSC::DFG::operationPutByValInternal): | |
17574 | * jit/JITOperations.cpp: | |
17575 | (JSC::getByVal): | |
17576 | * llint/LLIntSlowPaths.cpp: | |
17577 | (JSC::LLInt::getByVal): | |
17578 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
17579 | * runtime/CommonSlowPaths.cpp: | |
17580 | (JSC::SLOW_PATH_DECL): | |
17581 | * runtime/CommonSlowPaths.h: | |
17582 | (JSC::CommonSlowPaths::opIn): | |
17583 | * runtime/JSCJSValue.h: | |
17584 | * runtime/JSCJSValueInlines.h: | |
17585 | (JSC::JSValue::toPropertyKey): | |
17586 | * runtime/ObjectConstructor.cpp: | |
17587 | (JSC::objectConstructorGetOwnPropertyDescriptor): | |
17588 | (JSC::objectConstructorDefineProperty): | |
17589 | * runtime/ObjectPrototype.cpp: | |
17590 | (JSC::objectProtoFuncPropertyIsEnumerable): | |
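
As an added example (not JavaScriptCore's code), the lifetime bug this entry describes, modelled in C++: an Identifier that owns a reference and a PropertyName that only borrows one, with a toPropertyKey that returns the borrowing type before the fix and the owning type after it. StringImpl, the liveness registry, the ref-count handling and the function names are stand-ins chosen for the example, not JSC's implementation.

```cpp
#include <set>
#include <string>

// Added example, not JavaScriptCore code: a minimal model of the ownership bug above.
// StringImpl stands in for WTF::AtomicStringImpl, Identifier for JSC::Identifier (owning),
// PropertyName for JSC::PropertyName (non-owning). The liveness registry lets the test
// detect the dangling pointer without dereferencing freed memory.
static std::set<const void*> g_liveImpls;

struct StringImpl {
    std::string chars;
    int refCount = 0;
    explicit StringImpl(const char* s) : chars(s) { g_liveImpls.insert(this); }
    ~StringImpl() { g_liveImpls.erase(this); }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// Owning handle: takes a reference on construction and copy, drops it on destruction.
class Identifier {
public:
    explicit Identifier(const char* s) : m_impl(new StringImpl(s)) { m_impl->ref(); }
    Identifier(const Identifier& other) : m_impl(other.m_impl) { m_impl->ref(); }
    Identifier& operator=(const Identifier&) = delete;
    ~Identifier() { m_impl->deref(); }
    StringImpl* impl() const { return m_impl; }
private:
    StringImpl* m_impl;
};

// Non-owning view: a raw pointer plus an implicit conversion from Identifier.
// This conversion is what made returning PropertyName from toPropertyKey unsafe.
class PropertyName {
public:
    PropertyName(const Identifier& id) : m_impl(id.impl()) {}
    StringImpl* uid() const { return m_impl; }
private:
    StringImpl* m_impl;
};

// Before the fix: the Identifier is a local, so the view escapes its owner.
static PropertyName toPropertyKeyBefore(const char* s) {
    Identifier key(s);
    return key;   // implicit Identifier -> PropertyName; key is destroyed on return
}

// After the fix: return the owning type; the caller now holds the reference.
static Identifier toPropertyKeyAfter(const char* s) {
    return Identifier(s);
}

static bool isLive(const StringImpl* p) { return g_liveImpls.count(p) != 0; }

// True when the returned view points at an already-freed StringImpl.
bool beforeFixDangles() {
    PropertyName key = toPropertyKeyBefore("foo");
    return !isLive(key.uid());
}

// True when the owning result keeps the StringImpl alive for as long as it is used.
bool afterFixStaysLive() {
    Identifier key = toPropertyKeyAfter("foo");
    PropertyName view = key;   // view is fine here: key outlives it
    return isLive(view.uid()) && view.uid()->chars == "foo";
}
```

The general rule the example illustrates: a non-owning view type with an implicit conversion from its owner is only safe as a parameter, never as a return value, because nothing at the call site keeps the owner alive past the return.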
17591 | ||
17592 | 2015-03-18 Geoffrey Garen <ggaren@apple.com> | |
17593 | ||
17594 | Function.prototype.toString should not decompile the AST | |
17595 | https://bugs.webkit.org/show_bug.cgi?id=142853 | |
17596 | ||
17597 | Reviewed by Sam Weinig. | |
17598 | ||
17599 | To recover the function parameter string, Function.prototype.toString | |
17600 | decompiles the function parameters from the AST. This is bad for a few | |
17601 | reasons: | |
17602 | ||
17603 | (1) It requires us to keep pieces of the AST live forever. This is an | |
17604 | awkward design and a waste of memory. | |
17605 | ||
17606 | (2) It doesn't match Firefox or Chrome (because it changes whitespace | |
17607 | and ES6 destructuring expressions). | |
17608 | ||
17609 | (3) It doesn't scale to ES6 default argument parameters, which require | |
17610 | arbitrarily complex decompilation. | |
17611 | ||
17612 | (4) It can counterfeit all the line numbers in a function (because | |
17613 | whitespace can include newlines). | |
17614 | ||
17615 | (5) It's expensive, and we've seen cases where websites invoke | |
17616 | Function.prototype.toString a lot by accident. | |
17617 | ||
17618 | The fix is to do what we do for the rest of the function: Just quote the | |
17619 | original source text. | |
17620 | ||
17621 | Since this change inevitably changes some function stringification, I | |
17622 | took the opportunity to make our stringification match Firefox's and | |
17623 | Chrome's. | |
17624 | ||
17625 | * API/tests/testapi.c: | |
17626 | (assertEqualsAsUTF8String): Be more informative when this fails. | |
17627 | ||
17628 | (main): Updated to match new stringification rules. | |
17629 | ||
17630 | * bytecode/UnlinkedCodeBlock.cpp: | |
17631 | (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay! | |
17632 | * bytecode/UnlinkedCodeBlock.h: | |
17633 | ||
17634 | * parser/Nodes.h: | |
17635 | (JSC::StatementNode::isFuncDeclNode): New helper for constructing | |
17636 | anonymous functions. | |
17637 | ||
17638 | * parser/SourceCode.h: | |
17639 | (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it. | |
17640 | ||
17641 | * runtime/CodeCache.cpp: | |
17642 | (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use | |
17643 | of function declaration over function expression. | |
17644 | ||
17645 | * runtime/Executable.cpp: | |
17646 | (JSC::FunctionExecutable::paramString): Deleted. Yay! | |
17647 | * runtime/Executable.h: | |
17648 | (JSC::FunctionExecutable::parameterCount): | |
17649 | ||
17650 | * runtime/FunctionConstructor.cpp: | |
17651 | (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after | |
17652 | the opening brace to match Firefox and Chrome, and a space after the comma | |
17653 | to match Firefox and WebKit coding style. Added the function name to | |
17654 | the text of the function so it would look right when stringify-ing. Switched | |
17655 | from parentheses to braces to produce a function declaration instead of | |
17656 | a function expression because we are required to exclude the function's | |
17657 | name from its scope, and that's what a function declaration does. | |
17658 | ||
17659 | * runtime/FunctionPrototype.cpp: | |
17660 | (JSC::functionProtoFuncToString): Removed an old workaround because the | |
17661 | library it worked around doesn't really exist anymore, and the behavior | |
17662 | doesn't match Firefox or Chrome. Use type profiling offsets instead of | |
17663 | function body offsets because we want to include the function name and | |
17664 | the parameter string, rather than stitching them in manually by | |
17665 | decompiling the AST. | |
17666 | ||
17667 | (JSC::insertSemicolonIfNeeded): Deleted. | |
17668 | ||
17669 | * tests/mozilla/js1_2/function/tostring-1.js: | |
17670 | * tests/mozilla/js1_5/Scope/regress-185485.js: | |
17671 | (with.g): Updated these test results for formatting changes. | |
17672 | ||
17673 | 2015-03-20 Joseph Pecoraro <pecoraro@apple.com> | |
17674 | ||
17675 | SyntaxChecker assertion is trapped with computed property name and getter | |
17676 | https://bugs.webkit.org/show_bug.cgi?id=142863 | |
17677 | ||
17678 | Reviewed by Ryosuke Niwa. | |
17679 | ||
17680 | * parser/SyntaxChecker.h: | |
17681 | (JSC::SyntaxChecker::getName): | |
17682 | Remove invalid assert. Computed properties will not have a name | |
17683 | and the calling code is checking for null expecting it. The | |
17684 | AST path (non-CheckingPath) already does this without the assert | |
17685 | so it is well tested. | |
17686 | ||
17687 | 2015-03-19 Mark Lam <mark.lam@apple.com> | |
17688 | ||
17689 | JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called. | |
17690 | <https://webkit.org/b/142846> | |
17691 | ||
17692 | Reviewed by Geoffrey Garen. | |
17693 | ||
17694 | Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms: | |
17695 | 1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef | |
17696 | that a JSCallbackObject references. | |
17697 | 2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via | |
17698 | vm.heap.addFinalizer() which destroys the JSCallbackObject. | |
17699 | ||
17700 | The first finalizer is implemented as a virtual function of a JSCallbackObjectData | |
17701 | instance that will be destructed if the 2nd finalizer is called. Hence, if the | |
17702 | 2nd finalizer is called first, the later invocation of the 1st finalizer will | |
17703 | result in a crash. | |
17704 | ||
17705 | This patch fixes the issue by eliminating the finalizer registration in init(). | |
17706 | Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers | |
17707 | if needed. This ensures that these finalizers are called before the JSCallbackObject | |
17708 | is destructed. | |
17709 | ||
17710 | Also added assertions to a few Heap functions because JSCell::classInfo() expects | |
17711 | all objects that are allocated from MarkedBlock::Normal blocks to be derived from | |
17712 | JSDestructibleObject. These assertions will help us catch violations of this | |
17713 | expectation earlier. | |
17714 | ||
17715 | * API/JSCallbackObject.cpp: | |
17716 | (JSC::JSCallbackObjectData::finalize): Deleted. | |
17717 | * API/JSCallbackObject.h: | |
17718 | (JSC::JSCallbackObjectData::~JSCallbackObjectData): | |
17719 | * API/JSCallbackObjectFunctions.h: | |
17720 | (JSC::JSCallbackObject<Parent>::~JSCallbackObject): | |
17721 | (JSC::JSCallbackObject<Parent>::init): | |
17722 | * API/tests/GlobalContextWithFinalizerTest.cpp: Added. | |
17723 | (finalize): | |
17724 | (testGlobalContextWithFinalizer): | |
17725 | * API/tests/GlobalContextWithFinalizerTest.h: Added. | |
17726 | * API/tests/testapi.c: | |
17727 | (main): | |
17728 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: | |
17729 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: | |
17730 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
17731 | * heap/HeapInlines.h: | |
17732 | (JSC::Heap::allocateObjectOfType): | |
17733 | (JSC::Heap::subspaceForObjectOfType): | |
17734 | (JSC::Heap::allocatorForObjectOfType): | |
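
As an added example (not JavaScriptCore's code), the two finalizer paths this entry describes, modelled in C++: a data object whose class finalizers are reached through a virtual call, a second finalizer that deletes that data, and a heap that runs finalizers in whatever order it holds them. The before/after pair shows why the order mattered and why moving the class finalizers into the destructor removes the dependence on it. CallbackObjectData, ClassRef, Heap, the log and the liveness registry are stand-ins chosen for the example.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Added example, not JavaScriptCore code: a model of the two finalizer paths described
// above. CallbackObjectData stands in for JSCallbackObjectData, ClassRef for JSClassRef,
// Heap for the subset of JSC::Heap that runs registered finalizers. A liveness registry
// reports use of destroyed data instead of dereferencing it.
static std::set<const void*> g_liveData;

struct ClassRef {
    std::vector<std::string>* log;
    void finalize(const char* who) { log->push_back(std::string("class finalizer via ") + who); }
};

struct CallbackObjectData {
    std::vector<ClassRef*> classes;
    explicit CallbackObjectData(std::vector<ClassRef*> c) : classes(std::move(c)) { g_liveData.insert(this); }
    virtual ~CallbackObjectData() { g_liveData.erase(this); }
    // Virtual, like the weak finalizer the old init() registered.
    virtual void finalize(const char* who) { for (ClassRef* c : classes) c->finalize(who); }
};

// The heap makes no promise about the order in which finalizers run.
struct Heap {
    std::vector<std::function<void()>> finalizers;
    void addFinalizer(std::function<void()> f) { finalizers.push_back(std::move(f)); }
    void collect() { for (auto& f : finalizers) f(); finalizers.clear(); }
};

// Before the fix: two independent finalizers, one of which is a virtual call on data
// that the other one deletes. Returns true if the class finalizer ran after deletion.
bool beforeFixUsesDestroyedData(bool destroyFirst, std::vector<std::string>& log) {
    ClassRef cls{&log};
    Heap heap;
    bool useAfterDestroy = false;
    std::vector<ClassRef*> classes{&cls};
    CallbackObjectData* data = new CallbackObjectData(classes);
    auto classFinalizer = [&] {
        if (!g_liveData.count(data)) { useAfterDestroy = true; return; }  // would crash in practice
        data->finalize("weak finalizer");
    };
    auto destroyFinalizer = [&] { delete data; };
    if (destroyFirst) { heap.addFinalizer(destroyFinalizer); heap.addFinalizer(classFinalizer); }
    else { heap.addFinalizer(classFinalizer); heap.addFinalizer(destroyFinalizer); }
    heap.collect();
    return useAfterDestroy;
}

// After the fix: no separate class finalizer; the destructor runs them while the data
// is still intact, so heap finalizer order cannot matter.
struct FixedCallbackObjectData : CallbackObjectData {
    using CallbackObjectData::CallbackObjectData;
    ~FixedCallbackObjectData() override { finalize("destructor"); }
};

bool afterFixIsSafe(std::vector<std::string>& log) {
    ClassRef cls{&log};
    Heap heap;
    std::vector<ClassRef*> classes{&cls};
    CallbackObjectData* data = new FixedCallbackObjectData(classes);
    heap.addFinalizer([&] { delete data; });
    heap.collect();
    return !g_liveData.count(data) && log.size() == 1 && log[0] == "class finalizer via destructor";
}
```

Note that the "after" variant does not fix the order of the two finalizers; it removes one of them. Two finalizers that share state are only safe if the collector guarantees their order, and it does not, so the robust design keeps all cleanup of the data on the one path that owns its lifetime.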
17735 | ||
17736 | 2015-03-19 Andreas Kling <akling@apple.com> | |
17737 | ||
17738 | JSCallee unnecessarily overrides a bunch of things in the method table. | |
17739 | <https://webkit.org/b/142855> | |
17740 | ||
17741 | Reviewed by Geoffrey Garen. | |
17742 | ||
17743 | Remove JSCallee method table overrides that simply call to base class. | |
17744 | This makes JSFunction property slot lookups slightly more efficient since | |
17745 | they can take the fast path when passing over JSCallee in the base class chain. | |
17746 | ||
17747 | * runtime/JSCallee.cpp: | |
17748 | (JSC::JSCallee::getOwnPropertySlot): Deleted. | |
17749 | (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted. | |
17750 | (JSC::JSCallee::put): Deleted. | |
17751 | (JSC::JSCallee::deleteProperty): Deleted. | |
17752 | (JSC::JSCallee::defineOwnProperty): Deleted. | |
17753 | * runtime/JSCallee.h: | |
17754 | ||
17755 | 2015-03-19 Andreas Kling <akling@apple.com> | |
17756 | ||
17757 | DFGAllocator should use bmalloc's aligned allocator. | |
17758 | <https://webkit.org/b/142871> | |
17759 | ||
17760 | Reviewed by Geoffrey Garen. | |
17761 | ||
17762 | Switch DFGAllocator to using bmalloc through fastAlignedMalloc(). | |
17763 | ||
17764 | * dfg/DFGAllocator.h: | |
17765 | (JSC::DFG::Allocator<T>::allocateSlow): | |
17766 | (JSC::DFG::Allocator<T>::freeRegionsStartingAt): | |
17767 | * heap/CopiedSpace.h: | |
17768 | * heap/MarkedBlock.h: | |
17769 | * heap/MarkedSpace.h: | |
17770 | ||
17771 | 2015-03-18 Joseph Pecoraro <pecoraro@apple.com> | |
17772 | ||
17773 | ES6 Classes: Extends should accept an expression without parenthesis | |
17774 | https://bugs.webkit.org/show_bug.cgi?id=142840 | |
17775 | ||
17776 | Reviewed by Ryosuke Niwa. | |
17777 | ||
17778 | * parser/Parser.cpp: | |
17779 | (JSC::Parser<LexerType>::parseClass): | |
17780 | "extends" allows a LeftHandExpression (new expression / call expression, | |
17781 | which includes a member expression), not a primary expression. Our | |
17782 | parseMemberExpression does all of these. | |
17783 | ||
17784 | 2015-03-18 Joseph Pecoraro <pecoraro@apple.com> | |
17785 | ||
17786 | Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection | |
17787 | https://bugs.webkit.org/show_bug.cgi?id=142830 | |
17788 | ||
17789 | Reviewed by Timothy Hatcher. | |
17790 | ||
17791 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
17792 | (Inspector::InspectorDebuggerAgent::breakpointActionProbe): | |
17793 | Give Probe Samples object previews. | |
17794 | ||
17795 | 2015-03-17 Ryuan Choi <ryuan.choi@navercorp.com> | |
17796 | ||
17797 | [EFL] Expose JavaScript binding interface through ewk_extension | |
17798 | https://bugs.webkit.org/show_bug.cgi?id=142033 | |
17799 | ||
17800 | Reviewed by Gyuyoung Kim. | |
17801 | ||
17802 | * PlatformEfl.cmake: Install Javascript APIs. | |
17803 | ||
17804 | 2015-03-17 Geoffrey Garen <ggaren@apple.com> | |
17805 | ||
17806 | Function bodies should always include braces | |
17807 | https://bugs.webkit.org/show_bug.cgi?id=142795 | |
17808 | ||
17809 | Reviewed by Michael Saboff. | |
17810 | ||
17811 | Having a mode for excluding the opening and closing braces from a function | |
17812 | body was unnecessary and confusing. | |
17813 | ||
17814 | * bytecode/CodeBlock.cpp: | |
17815 | (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function. | |
17816 | ||
17817 | * bytecode/UnlinkedCodeBlock.cpp: | |
17818 | (JSC::generateFunctionCodeBlock): | |
17819 | (JSC::UnlinkedFunctionExecutable::link): | |
17820 | (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through | |
17821 | a boolean: there is only one kind of function now. | |
17822 | ||
17823 | (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted. | |
17824 | (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only | |
17825 | have one way to do things. This removes the old mode that would pretend | |
17826 | that a function always started at column 1. That pretense was not true: | |
17827 | an attribute event listener does not necessarily start at column 1. | |
17828 | ||
17829 | * bytecode/UnlinkedCodeBlock.h: | |
17830 | * generate-js-builtins: Adopt the new one true linking function. | |
17831 | ||
17832 | * parser/Parser.h: | |
17833 | (JSC::Parser<LexerType>::parse): | |
17834 | (JSC::parse): needsReparsingAdjustment is always true now, so I removed it. | |
17835 | ||
17836 | * runtime/Executable.cpp: | |
17837 | (JSC::ScriptExecutable::newCodeBlockFor): | |
17838 | (JSC::FunctionExecutable::FunctionExecutable): | |
17839 | (JSC::ProgramExecutable::initializeGlobalProperties): | |
17840 | (JSC::FunctionExecutable::fromGlobalCode): | |
17841 | * runtime/Executable.h: | |
17842 | (JSC::FunctionExecutable::create): | |
17843 | (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff. | |
17844 | ||
17845 | * runtime/FunctionConstructor.cpp: | |
17846 | (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a | |
17847 | leading space because that's what this function's comment says is required | |
17848 | for web compatibility. We used to fake this up after the fact when | |
17849 | stringifying, based on the bodyIncludesBraces flag, but that flag is gone now. | |
17850 | ||
17851 | * runtime/FunctionPrototype.cpp: | |
17852 | (JSC::insertSemicolonIfNeeded): | |
17853 | (JSC::functionProtoFuncToString): No need to add braces and/or a space | |
17854 | after the fact -- we always have them now. | |
17855 | ||
17856 | 2015-03-17 Mark Lam <mark.lam@apple.com> | |
17857 | ||
17858 | Refactor execution time limit tests out of testapi.c. | |
17859 | <https://webkit.org/b/142798> | |
17860 | ||
17861 | Rubber stamped by Michael Saboff. | |
17862 | ||
17863 | These tests were sometimes failing to time out on C loop builds. Let's | |
17864 | refactor them out of the big monolith that is testapi.c so that we can | |
17865 | reason more easily about them and make adjustments if needed. | |
17866 | ||
17867 | * API/tests/ExecutionTimeLimitTest.cpp: Added. | |
17868 | (currentCPUTime): | |
17869 | (currentCPUTimeAsJSFunctionCallback): | |
17870 | (shouldTerminateCallback): | |
17871 | (cancelTerminateCallback): | |
17872 | (extendTerminateCallback): | |
17873 | (testExecutionTimeLimit): | |
17874 | * API/tests/ExecutionTimeLimitTest.h: Added. | |
17875 | * API/tests/testapi.c: | |
17876 | (main): | |
17877 | (currentCPUTime): Deleted. | |
17878 | (currentCPUTime_callAsFunction): Deleted. | |
17879 | (shouldTerminateCallback): Deleted. | |
17880 | (cancelTerminateCallback): Deleted. | |
17881 | (extendTerminateCallback): Deleted. | |
17882 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
17883 | ||
17884 | 2015-03-17 Geoffrey Garen <ggaren@apple.com> | |
17885 | ||
17886 | Built-in functions should know that they use strict mode | |
17887 | https://bugs.webkit.org/show_bug.cgi?id=142788 | |
17888 | ||
17889 | Reviewed by Mark Lam. | |
17890 | ||
17891 | Even though all of our builtin functions use strict mode, the parser | |
17892 | thinks that they don't. This is because Executable::toStrictness treats | |
17893 | builtin-ness and strict-ness as mutually exclusive. | |
17894 | ||
17895 | The fix is to disambiguate builtin-ness from strict-ness. | |
17896 | ||
17897 | This bug is currently unobservable because of some other parser bugs. But | |
17898 | it causes lots of test failures once those other bugs are fixed. | |
17899 | ||
17900 | * API/JSScriptRef.cpp: | |
17901 | (parseScript): | |
17902 | * builtins/BuiltinExecutables.cpp: | |
17903 | (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API | |
17904 | for a separate value to indicate builtin-ness vs strict-ness. | |
17905 | ||
17906 | * bytecode/UnlinkedCodeBlock.cpp: | |
17907 | (JSC::generateFunctionCodeBlock): | |
17908 | (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto. | |
17909 | ||
17910 | * bytecode/UnlinkedCodeBlock.h: | |
17911 | (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function | |
17912 | was misleading since it pretended that no builtin function was ever | |
17913 | strict, which is the opposite of true. | |
17914 | ||
17915 | * parser/Lexer.cpp: | |
17916 | (JSC::Lexer<T>::Lexer): | |
17917 | * parser/Lexer.h: | |
17918 | * parser/Parser.cpp: | |
17919 | (JSC::Parser<LexerType>::Parser): | |
17920 | * parser/Parser.h: | |
17921 | (JSC::parse): Adopt the new API. | |
17922 | ||
17923 | * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give | |
17924 | existing modes clearer names. | |
17925 | ||
17926 | * runtime/CodeCache.cpp: | |
17927 | (JSC::CodeCache::getGlobalCodeBlock): | |
17928 | (JSC::CodeCache::getProgramCodeBlock): | |
17929 | (JSC::CodeCache::getEvalCodeBlock): | |
17930 | (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API. | |
17931 | ||
17932 | * runtime/CodeCache.h: | |
17933 | (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and | |
17934 | builtin-ness as separate pieces of the code cache key. We would not want | |
17935 | a user function to match a built-in function in the cache, even if they | |
17936 | agreed about strictness, since builtin functions have different lexing | |
17937 | rules. | |
17938 | ||
17939 | * runtime/Completion.cpp: | |
17940 | (JSC::checkSyntax): | |
17941 | * runtime/Executable.cpp: | |
17942 | (JSC::FunctionExecutable::FunctionExecutable): | |
17943 | (JSC::ProgramExecutable::checkSyntax): | |
17944 | * runtime/Executable.h: | |
17945 | (JSC::FunctionExecutable::create): | |
17946 | * runtime/JSGlobalObject.cpp: | |
17947 | (JSC::JSGlobalObject::createProgramCodeBlock): | |
17948 | (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API. | |
17949 | ||
17950 | 2015-03-16 Filip Pizlo <fpizlo@apple.com> | |
17951 | ||
17952 | DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor | |
17953 | https://bugs.webkit.org/show_bug.cgi?id=142769 | |
17954 | ||
17955 | Reviewed by Michael Saboff. | |
17956 | ||
17957 | When we sink an object allocation, we need to have some way of tracking what stores would | |
17958 | have happened had the allocation not been sunk, so that we know how to rematerialize the | |
17959 | object on OSR exit. Prior to this change, trunk had two ways of describing such a "put | |
17960 | hint": | |
17961 | ||
17962 | - The PutStructureHint and PutByOffsetHint node types. | |
17963 | - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and | |
17964 | NamedPropertyPLoc. | |
17965 | ||
17966 | We also had ways of converting from a Node with those two node types to a | |
17967 | PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to | |
17968 | a Node. | |
17969 | ||
17970 | This change removes the redundancy. We now have just one node type that corresponds to a | |
17971 | put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata. | |
17972 | Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now | |
17973 | trivial. | |
17974 | ||
17975 | This means that if we add new kinds of sunken objects, we'll have less pro-forma to write | |
17976 | for the put hints to those objects. This is mainly to simplify the implementation of | |
17977 | arguments elimination in bug 141174. | |
17978 | ||
17979 | * dfg/DFGAbstractInterpreterInlines.h: | |
17980 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
17981 | * dfg/DFGClobberize.h: | |
17982 | (JSC::DFG::clobberize): | |
17983 | * dfg/DFGDoesGC.cpp: | |
17984 | (JSC::DFG::doesGC): | |
17985 | * dfg/DFGFixupPhase.cpp: | |
17986 | (JSC::DFG::FixupPhase::fixupNode): | |
17987 | * dfg/DFGGraph.cpp: | |
17988 | (JSC::DFG::Graph::dump): | |
17989 | (JSC::DFG::Graph::mergeRelevantToOSR): | |
17990 | * dfg/DFGMayExit.cpp: | |
17991 | (JSC::DFG::mayExit): | |
17992 | * dfg/DFGNode.cpp: | |
17993 | (JSC::DFG::Node::convertToPutHint): | |
17994 | (JSC::DFG::Node::convertToPutStructureHint): | |
17995 | (JSC::DFG::Node::convertToPutByOffsetHint): | |
17996 | (JSC::DFG::Node::promotedLocationDescriptor): | |
17997 | * dfg/DFGNode.h: | |
17998 | (JSC::DFG::Node::hasIdentifier): | |
17999 | (JSC::DFG::Node::hasPromotedLocationDescriptor): | |
18000 | (JSC::DFG::Node::convertToPutByOffsetHint): Deleted. | |
18001 | (JSC::DFG::Node::convertToPutStructureHint): Deleted. | |
18002 | * dfg/DFGNodeType.h: | |
18003 | * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: | |
18004 | (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): | |
18005 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
18006 | (JSC::DFG::ObjectAllocationSinkingPhase::run): | |
18007 | (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): | |
18008 | (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): | |
18009 | * dfg/DFGPredictionPropagationPhase.cpp: | |
18010 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
18011 | * dfg/DFGPromoteHeapAccess.h: | |
18012 | (JSC::DFG::promoteHeapAccess): | |
18013 | * dfg/DFGPromotedHeapLocation.cpp: | |
18014 | (JSC::DFG::PromotedHeapLocation::createHint): | |
18015 | * dfg/DFGPromotedHeapLocation.h: | |
18016 | (JSC::DFG::PromotedLocationDescriptor::imm1): | |
18017 | (JSC::DFG::PromotedLocationDescriptor::imm2): | |
18018 | * dfg/DFGSafeToExecute.h: | |
18019 | (JSC::DFG::safeToExecute): | |
18020 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
18021 | (JSC::DFG::SpeculativeJIT::compile): | |
18022 | * dfg/DFGSpeculativeJIT64.cpp: | |
18023 | (JSC::DFG::SpeculativeJIT::compile): | |
18024 | * dfg/DFGValidate.cpp: | |
18025 | (JSC::DFG::Validate::validateCPS): | |
18026 | * ftl/FTLCapabilities.cpp: | |
18027 | (JSC::FTL::canCompile): | |
18028 | * ftl/FTLLowerDFGToLLVM.cpp: | |
18029 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
18030 | ||
18031 | 2015-03-17 Michael Saboff <msaboff@apple.com> | |
18032 | ||
18033 | Windows X86-64 should use the fixed executable allocator | |
18034 | https://bugs.webkit.org/show_bug.cgi?id=142749 | |
18035 | ||
18036 | Reviewed by Filip Pizlo. | |
18037 | ||
18038 | Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build. | |
18039 | ||
18040 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
18041 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
18042 | * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows. | |
18043 | ||
18044 | 2015-03-17 Matt Baker <mattbaker@apple.com> | |
18045 | ||
18046 | Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline | |
18047 | https://bugs.webkit.org/show_bug.cgi?id=142029 | |
18048 | ||
18049 | Reviewed by Timothy Hatcher. | |
18050 | ||
18051 | * inspector/protocol/Timeline.json: | |
18052 | Added new event type for runloop timeline records. | |
18053 | ||
18054 | 2015-03-16 Ryosuke Niwa <rniwa@webkit.org> | |
18055 | ||
18056 | Enable ES6 classes by default | |
18057 | https://bugs.webkit.org/show_bug.cgi?id=142774 | |
18058 | ||
18059 | Reviewed by Gavin Barraclough. | |
18060 | ||
18061 | Enabled the feature and unskipped tests. | |
18062 | ||
18063 | * Configurations/FeatureDefines.xcconfig: | |
18064 | * tests/stress/class-syntax-no-loop-tdz.js: | |
18065 | * tests/stress/class-syntax-no-tdz-in-catch.js: | |
18066 | * tests/stress/class-syntax-no-tdz-in-conditional.js: | |
18067 | * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: | |
18068 | * tests/stress/class-syntax-no-tdz-in-loop.js: | |
18069 | * tests/stress/class-syntax-no-tdz.js: | |
18070 | * tests/stress/class-syntax-tdz-in-catch.js: | |
18071 | * tests/stress/class-syntax-tdz-in-conditional.js: | |
18072 | * tests/stress/class-syntax-tdz-in-loop.js: | |
18073 | * tests/stress/class-syntax-tdz.js: | |
18074 | ||
18075 | 2015-03-16 Joseph Pecoraro <pecoraro@apple.com> | |
18076 | ||
18077 | Web Inspector: Better Console Previews for Arrays / Small Objects | |
18078 | https://bugs.webkit.org/show_bug.cgi?id=142322 | |
18079 | ||
18080 | Reviewed by Timothy Hatcher. | |
18081 | ||
18082 | * inspector/InjectedScriptSource.js: | |
18083 | Create deep valuePreviews for simple previewable objects, | |
18084 | such as arrays with 5 values, or basic objects with | |
18085 | 3 properties. | |
18086 | ||
18087 | 2015-03-16 Ryosuke Niwa <rniwa@webkit.org> | |
18088 | ||
18089 | Add support for default constructor | |
18090 | https://bugs.webkit.org/show_bug.cgi?id=142388 | |
18091 | ||
18092 | Reviewed by Filip Pizlo. | |
18093 | ||
18094 | Added support for default constructors. They're generated by ClassExprNode::emitBytecode | |
18095 | via BuiltinExecutables::createDefaultConstructor. | |
18096 | ||
18097 | UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner | |
18098 | executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use | |
18099 | the same UnlinkedFunctionExecutable to generate code blocks for multiple functions. | |
18100 | ||
18101 | Parser now has the ability to treat any function expression as a constructor of the kind specified | |
18102 | by m_defaultConstructorKind member variable. | |
18103 | ||
18104 | * builtins/BuiltinExecutables.cpp: | |
18105 | (JSC::BuiltinExecutables::createDefaultConstructor): Added. | |
18106 | (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable. | |
18107 | Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked | |
18108 | function executable since the Miranda function's code is definitely not in the owner executable's | |
18109 | source code. That's the whole point. | |
18110 | * builtins/BuiltinExecutables.h: | |
18111 | (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal. | |
18112 | * bytecode/UnlinkedCodeBlock.cpp: | |
18113 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): | |
18114 | (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): | |
18115 | (JSC::UnlinkedFunctionExecutable::linkGlobalCode): | |
18116 | * bytecode/UnlinkedCodeBlock.h: | |
18117 | (JSC::UnlinkedFunctionExecutable::create): | |
18118 | (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted. | |
18119 | * bytecompiler/BytecodeGenerator.cpp: | |
18120 | (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added. | |
18121 | * bytecompiler/BytecodeGenerator.h: | |
18122 | * bytecompiler/NodesCodegen.cpp: | |
18123 | (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed. | |
18124 | * parser/Parser.cpp: | |
18125 | (JSC::Parser<LexerType>::Parser): | |
18126 | (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and treat the function as | |
18127 | a constructor if we're parsing a default constructor. | |
18128 | (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor. | |
18129 | * parser/Parser.h: | |
18130 | (JSC::parse): | |
18131 | ||
18132 | 2015-03-16 Alex Christensen <achristensen@webkit.org> | |
18133 | ||
18134 | Progress towards CMake on Mac | |
18135 | https://bugs.webkit.org/show_bug.cgi?id=142747 | |
18136 | ||
18137 | Reviewed by Chris Dumez. | |
18138 | ||
18139 | * CMakeLists.txt: | |
18140 | Include AugmentableInspectorController.h in CMake build. | |
18141 | ||
18142 | 2015-03-16 Csaba Osztrogonác <ossy@webkit.org> | |
18143 | ||
18144 | [ARM] Enable generating idiv instructions if it is supported | |
18145 | https://bugs.webkit.org/show_bug.cgi?id=142725 | |
18146 | ||
18147 | Reviewed by Michael Saboff. | |
18148 | ||
18149 | * assembler/ARMAssembler.h: Added sdiv and udiv implementation for ARM Traditional instruction set. | |
18150 | (JSC::ARMAssembler::sdiv): | |
18151 | (JSC::ARMAssembler::udiv): | |
18152 | * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S). | |
18153 | * assembler/AbstractMacroAssembler.h: | |
18154 | (JSC::isARMv7IDIVSupported): | |
18155 | (JSC::optimizeForARMv7IDIVSupported): | |
18156 | (JSC::isARMv7s): Renamed to isARMv7IDIVSupported(). | |
18157 | (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported(). | |
18158 | * dfg/DFGFixupPhase.cpp: | |
18159 | (JSC::DFG::FixupPhase::fixupNode): | |
18160 | * dfg/DFGSpeculativeJIT.cpp: | |
18161 | (JSC::DFG::SpeculativeJIT::compileArithDiv): | |
18162 | (JSC::DFG::SpeculativeJIT::compileArithMod): | |
18163 | ||
18164 | 2015-03-15 Filip Pizlo <fpizlo@apple.com> | |
18165 | ||
18166 | DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred | |
18167 | https://bugs.webkit.org/show_bug.cgi?id=141624 | |
18168 | ||
18169 | Reviewed by Geoffrey Garen. | |
18170 | ||
18171 | Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase. | |
18172 | Previously, we would treat GetStacks conservatively and assume that the stack slot | |
18173 | escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change | |
18174 | makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end | |
18175 | we either keep the GetStack (if there was no concrete deferral) or we replace it with an | |
18176 | identity over the value that would have been stored by the deferred PutStack. Note that | |
18177 | this might be a Phi that the phase creates, so this is strictly stronger than what GCSE | |
18178 | could do. | |
18179 | ||
18180 | But this change revealed the fact that this phase never correctly handled side effects in | |
18181 | the case where we had done a GetStack, then a side-effect, and then found ourselves wanting the | |
18182 | value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack. | |
18183 | Basically, it's only correct to use the SSA converter's incoming value mapping if we have | |
18184 | a concrete deferral - since anything but a concrete deferral may imply that the value has | |
18185 | been clobbered. | |
18186 | ||
18187 | This has no performance change. I believe that the bug was previously benign because we | |
18188 | have so few operations that clobber the stack anymore, and most of those get used in a | |
18189 | very idiomatic way. The GetStack elimination will be very useful for the varargs | |
18190 | simplification that is part of bug 141174. | |
18191 | ||
18192 | This includes a test for the case that Speedometer hit, plus tests for the other cases I | |
18193 | thought of once I realized the deeper issue. | |
18194 | ||
18195 | * dfg/DFGPutStackSinkingPhase.cpp: | |
18196 | * tests/stress/get-stack-identity-due-to-sinking.js: Added. | |
18197 | (foo): | |
18198 | (bar): | |
18199 | * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added. | |
18200 | (bar): | |
18201 | (foo): | |
18202 | * tests/stress/get-stack-mapping.js: Added. | |
18203 | (bar): | |
18204 | (foo): | |
18205 | * tests/stress/weird-put-stack-varargs.js: Added. | |
18206 | (baz): | |
18207 | (foo): | |
18208 | (fuzz): | |
18209 | (bar): | |
18210 | ||
18211 | 2015-03-16 Joseph Pecoraro <pecoraro@apple.com> | |
18212 | ||
18213 | Update Map/Set to treat -0 and 0 as the same value | |
18214 | https://bugs.webkit.org/show_bug.cgi?id=142709 | |
18215 | ||
18216 | Reviewed by Csaba Osztrogonác. | |
18217 | ||
18218 | * runtime/MapData.h: | |
18219 | (JSC::MapDataImpl<Entry>::KeyType::KeyType): | |
18220 | No longer special case -0. It will be treated as the same as 0. | |
18221 | ||
18222 | 2015-03-15 Joseph Pecoraro <pecoraro@apple.com> | |
18223 | ||
18224 | Web Inspector: Better handle displaying -0 | |
18225 | https://bugs.webkit.org/show_bug.cgi?id=142708 | |
18226 | ||
18227 | Reviewed by Timothy Hatcher. | |
18228 | ||
18229 | Modeled after a blink change: | |
18230 | ||
18231 | Patch by <aandrey@chromium.org> | |
18232 | DevTools: DevTools: Show -0 for negative zero in console | |
18233 | https://src.chromium.org/viewvc/blink?revision=162605&view=revision | |
18234 | ||
18235 | * inspector/InjectedScriptSource.js: | |
18236 | When creating a description string, or preview value string | |
18237 | for -0, be sure the string is "-0" and not "0". | |
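
Added example, not JavaScriptCore code and not part of either ChangeLog entry above: the SameValueZero comparison that Map and Set use once -0 is no longer special-cased, contrasted with the strict equality that indexOf still uses, and a number description that keeps the "-0" the Web Inspector change wants. It serves both the Map/Set entry and the inspector entry; the function names are the example's own.

```javascript
// Added example, not JavaScriptCore code: SameValueZero, the key equality Map
// and Set use once -0 is no longer special-cased, and a -0-preserving number
// description of the kind the Web Inspector change needs. Plain ECMAScript.

// SameValueZero: NaN equals NaN, +0 equals -0, everything else is ===.
function sameValueZero(a, b) {
  if (typeof a === "number" && typeof b === "number") {
    return a === b || (Number.isNaN(a) && Number.isNaN(b));
  }
  return a === b;
}

// Map/Set keys are compared with SameValueZero, so a -0 key lands on the +0
// entry. Array#indexOf uses strict equality (never finds NaN) while
// Array#includes uses SameValueZero (finds NaN, treats -0 and 0 alike).
function keyCollapseReport() {
  const m = new Map();
  m.set(0, "plus");
  m.set(-0, "minus"); // overwrites the entry keyed by 0 instead of adding one
  const s = new Set([NaN, NaN, 0, -0]);
  return {
    mapSize: m.size,
    mapGetNegZero: m.get(-0),
    setSize: s.size,
    indexOfNaN: [NaN].indexOf(NaN),
    includesNaN: [NaN].includes(NaN),
    includesNegZero: [0].includes(-0),
  };
}

// String(-0) and JSON.stringify(-0) both yield "0", so a preview that formats
// numbers naively loses the sign. Object.is is the equality that separates -0
// from +0, so it is used to special-case the description.
function describeNumber(n) {
  if (typeof n !== "number") throw new TypeError("expected a number");
  if (Object.is(n, -0)) return "-0";
  return String(n);
}

// Collapse a list of keys the way a SameValueZero-keyed table would (first
// writer wins), then describe each survivor so a -0 key stays visible.
function describeKeys(keys) {
  const seen = [];
  for (const k of keys) {
    if (!seen.some((x) => sameValueZero(x, k))) seen.push(k);
  }
  return seen.map(describeNumber);
}
```

keyCollapseReport() shows the two equalities side by side: the Map ends up with one entry whose value is "minus", the Set with two members, and indexOf(NaN) is -1 while includes(NaN) is true. describeKeys([-0, 0, NaN, NaN, 1]) gives ["-0", "NaN", "1"], which is what a console preview should print for those keys.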
18238 | ||
18239 | 2015-03-14 Ryosuke Niwa <rniwa@webkit.org> | |
18240 | ||
18241 | parseClass should popScope after pushScope | |
18242 | https://bugs.webkit.org/show_bug.cgi?id=142689 | |
18243 | ||
18244 | Reviewed by Benjamin Poulain. | |
18245 | ||
18246 | Pop the parser scope as needed. | |
18247 | ||
18248 | * parser/Parser.cpp: | |
18249 | (JSC::Parser<LexerType>::parseClass): | |
18250 | ||
18251 | 2015-03-14 Dean Jackson <dino@apple.com> | |
18252 | ||
18253 | Feature flag for Animations Level 2 | |
18254 | https://bugs.webkit.org/show_bug.cgi?id=142699 | |
18255 | <rdar://problem/20165097> | |
18256 | ||
18257 | Reviewed by Brent Fulgham. | |
18258 | ||
18259 | Add ENABLE_CSS_ANIMATIONS_LEVEL_2 and a runtime flag animationTriggersEnabled. | |
18260 | ||
18261 | * Configurations/FeatureDefines.xcconfig: | |
18262 | ||
18263 | 2015-03-14 Commit Queue <commit-queue@webkit.org> | |
18264 | ||
18265 | Unreviewed, rolling out r181487. | |
18266 | https://bugs.webkit.org/show_bug.cgi?id=142695 | |
18267 | ||
18268 | Caused Speedometer/Full.html to fail (Requested by smfr on | |
18269 | #webkit). | |
18270 | ||
18271 | Reverted changeset: | |
18272 | ||
18273 | "DFG::PutStackSinkingPhase should eliminate GetStacks that | |
18274 | have an obviously known source" | |
18275 | https://bugs.webkit.org/show_bug.cgi?id=141624 | |
18276 | http://trac.webkit.org/changeset/181487 | |
18277 | ||
18278 | 2015-03-14 Michael Saboff <msaboff@apple.com> | |
18279 | ||
18280 | ES6: Add binary and octal literal support | |
18281 | https://bugs.webkit.org/show_bug.cgi?id=142681 | |
18282 | ||
18283 | Reviewed by Ryosuke Niwa. | |
18284 | ||
18285 | Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser. | |
18286 | Refactored parseBinary, parseOctal and parseDecimal to use a constant size for the number of | |
18287 | characters to try and handle directly. Factored out the shifting past any prefix to be handled by | |
18288 | the caller. Added binary and octal parsing to toDouble() via helper functions. | |
18289 | ||
18290 | * parser/Lexer.cpp: | |
18291 | (JSC::Lexer<T>::parseHex): | |
18292 | (JSC::Lexer<T>::parseBinary): | |
18293 | (JSC::Lexer<T>::parseOctal): | |
18294 | (JSC::Lexer<T>::parseDecimal): | |
18295 | (JSC::Lexer<T>::lex): | |
18296 | * parser/Lexer.h: | |
18297 | * parser/ParserTokens.h: | |
18298 | * runtime/JSGlobalObjectFunctions.cpp: | |
18299 | (JSC::jsBinaryIntegerLiteral): | |
18300 | (JSC::jsOctalIntegerLiteral): | |
18301 | (JSC::toDouble): | |
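
Added example, not JavaScriptCore's Lexer: a small numeric-literal scanner laid out the way the entry describes (the caller strips the 0x/0b/0o prefix, a per-radix helper scans the digits, and a fixed number of digits is handled directly before falling back to a whole-run conversion), plus an ES6-style string-to-number conversion that accepts binary and octal prefixes. The function names, the FAST_DIGITS table and the sample inputs are the example's own; fractions, exponents and legacy leading-zero octal are left out.

```javascript
// Added example, not JavaScriptCore's Lexer. lexNumber consumes the prefix and
// scanDigits only ever sees digits. scanDigits folds at most FAST_DIGITS[radix]
// digits into an integer directly, which is exact because the running value
// stays below 2^53; a longer run is converted in one go by parseInt, which
// rounds the whole digit string correctly instead of letting a digit-by-digit
// multiply accumulate rounding error. (Table and names are this example's.)

const FAST_DIGITS = { 2: 53, 8: 17, 10: 15, 16: 13 };

function digitValue(ch, radix) {
  if (ch === undefined) return -1;
  const c = ch.toLowerCase();
  let v;
  if (c >= "0" && c <= "9") v = c.charCodeAt(0) - 48;
  else if (c >= "a" && c <= "f") v = c.charCodeAt(0) - 87;
  else return -1;
  return v < radix ? v : -1;
}

// Scan digits of `radix` starting at `pos`. Returns null if none are present,
// otherwise { value, end } with `end` just past the last digit.
function scanDigits(src, pos, radix) {
  let i = pos;
  let value = 0;
  let count = 0;
  while (count < FAST_DIGITS[radix]) {
    const d = digitValue(src[i], radix);
    if (d < 0) break;
    value = value * radix + d;
    i++;
    count++;
  }
  if (count === 0) return null;
  if (digitValue(src[i], radix) >= 0) {
    // Slow path: more digits than the fast path handles; convert the full run.
    let end = i;
    while (digitValue(src[end], radix) >= 0) end++;
    value = parseInt(src.slice(pos, end), radix);
    i = end;
  }
  return { value, end: i };
}

// ASCII-only identifier characters, enough for the check below.
function isIdentifierPart(ch) {
  return ch !== undefined && /[A-Za-z0-9_$]/.test(ch);
}

// Lex one integer literal at `pos`. A literal may not run straight into an
// identifier character or digit, so "0b12" and "0x1g" are syntax errors, as
// in ES6. A leading zero followed by a digit (legacy octal) is rejected.
function lexNumber(src, pos = 0) {
  let radix = 10;
  let start = pos;
  if (src[pos] === "0") {
    const p = (src[pos + 1] || "").toLowerCase();
    if (p === "x") radix = 16;
    else if (p === "b") radix = 2;
    else if (p === "o") radix = 8;
    else if (digitValue(src[pos + 1], 10) >= 0) throw new SyntaxError("leading-zero literal");
    if (radix !== 10) start = pos + 2;
  }
  const run = scanDigits(src, start, radix);
  if (run === null) throw new SyntaxError(`missing digits at ${pos}`);
  if (isIdentifierPart(src[run.end])) {
    throw new SyntaxError(`unexpected ${JSON.stringify(src[run.end])} after numeric literal`);
  }
  return { value: run.value, end: run.end, radix };
}

// ES6-style string-to-number: surrounding whitespace is ignored, 0b/0o/0x
// integers are accepted, and a sign or trailing junk yields NaN, matching
// Number("0b101") === 5 and Number("-0b1") being NaN. Decimal strings are
// delegated to Number, since float syntax is outside this example.
function stringToNumber(str) {
  const s = str.trim();
  if (s === "") return 0;
  if (/^0[xXbBoO]/.test(s)) {
    const radix = { x: 16, b: 2, o: 8 }[s[1].toLowerCase()];
    const run = scanDigits(s, 2, radix);
    return run !== null && run.end === s.length ? run.value : NaN;
  }
  return Number(s);
}
```

lexNumber("0b1010") yields value 10 with end 6, and "0b12" is rejected because a digit follows the binary run. A 60-digit binary literal exercises the slow path and rounds to 2^60, the same value Number() produces for it. stringToNumber(" 0b101 ") is 5 while stringToNumber("-0b1") and stringToNumber("0o8") are NaN.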
18302 | ||
18303 | 2015-03-13 Alex Christensen <achristensen@webkit.org> | |
18304 | ||
18305 | Progress towards CMake on Mac. | |
18306 | https://bugs.webkit.org/show_bug.cgi?id=142680 | |
18307 | ||
18308 | Reviewed by Gyuyoung Kim. | |
18309 | ||
18310 | * PlatformMac.cmake: | |
18311 | Generate TracingDtrace.h based on project.pbxproj. | |
18312 | ||
18313 | 2015-03-13 Filip Pizlo <fpizlo@apple.com> | |
18314 | ||
18315 | Object allocation sinking phase shouldn't re-decorate previously sunken allocations on each fixpoint operation | |
18316 | https://bugs.webkit.org/show_bug.cgi?id=142686 | |
18317 | ||
18318 | Reviewed by Oliver Hunt. | |
18319 | ||
18320 | Just because promoteHeapAccess() notifies us of an effect to a heap location in a node doesn't | |
18321 | mean that we should handle it as if it was for one of our sinking candidates. Instead we should | |
18322 | prune based on m_sinkCandidates. | |
18323 | ||
18324 | This fixes a benign bug where we would generate a lot of repeated IR for some pathological | |
18325 | tests. | |
18326 | ||
18327 | * dfg/DFGObjectAllocationSinkingPhase.cpp: | |
18328 | (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): | |
18329 | ||
18330 | 2015-03-13 Eric Carlson <eric.carlson@apple.com> | |
18331 | ||
18332 | [Mac] Enable WIRELESS_PLAYBACK_TARGET | |
18333 | https://bugs.webkit.org/show_bug.cgi?id=142635 | |
18334 | ||
18335 | Reviewed by Darin Adler. | |
18336 | ||
18337 | * Configurations/FeatureDefines.xcconfig: | |
18338 | ||
18339 | 2015-03-13 Ryosuke Niwa <rniwa@webkit.org> | |
18340 | ||
18341 | Class constructor should throw TypeError when "called" | |
18342 | https://bugs.webkit.org/show_bug.cgi?id=142566 | |
18343 | ||
18344 | Reviewed by Michael Saboff. | |
18345 | ||
18346 | Added ConstructorKind::None to denote code that doesn't belong to an ES6 class. | |
18347 | This allows BytecodeGenerator to emit code to throw TypeError when generating code block | |
18348 | to call ES6 class constructors. | |
18349 | ||
18350 | Most of the changes are about increasing the number of bits to store ConstructorKind from one | |
18351 | bit to two bits. | |
18352 | ||
18353 | * bytecode/UnlinkedCodeBlock.cpp: | |
18354 | (JSC::generateFunctionCodeBlock): | |
18355 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): | |
18356 | (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): | |
18357 | * bytecode/UnlinkedCodeBlock.h: | |
18358 | (JSC::ExecutableInfo::ExecutableInfo): | |
18359 | (JSC::ExecutableInfo::needsActivation): | |
18360 | (JSC::ExecutableInfo::usesEval): | |
18361 | (JSC::ExecutableInfo::isStrictMode): | |
18362 | (JSC::ExecutableInfo::isConstructor): | |
18363 | (JSC::ExecutableInfo::isBuiltinFunction): | |
18364 | (JSC::ExecutableInfo::constructorKind): | |
18365 | (JSC::UnlinkedFunctionExecutable::constructorKind): | |
18366 | (JSC::UnlinkedCodeBlock::constructorKind): | |
18367 | (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Deleted. | |
18368 | (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Deleted. | |
18369 | * bytecompiler/BytecodeGenerator.cpp: | |
18370 | (JSC::BytecodeGenerator::generate): Don't emit bytecode when we have already emitted code | |
18371 | to throw TypeError. | |
18372 | (JSC::BytecodeGenerator::BytecodeGenerator): Emit code to throw TypeError when generating | |
18373 | code to call. | |
18374 | (JSC::BytecodeGenerator::emitReturn): | |
18375 | * bytecompiler/BytecodeGenerator.h: | |
18376 | (JSC::BytecodeGenerator::constructorKind): | |
18377 | (JSC::BytecodeGenerator::constructorKindIsDerived): Deleted. | |
18378 | * bytecompiler/NodesCodegen.cpp: | |
18379 | (JSC::ThisNode::emitBytecode): | |
18380 | (JSC::FunctionCallValueNode::emitBytecode): | |
18381 | * parser/Nodes.cpp: | |
18382 | (JSC::FunctionBodyNode::FunctionBodyNode): | |
18383 | * parser/Nodes.h: | |
18384 | * parser/Parser.cpp: | |
18385 | (JSC::Parser<LexerType>::parseFunctionInfo): Renamed the incoming function argument to | |
18386 | ownerClassKind. Set constructorKind to Base or Derived only if we're parsing a constructor. | |
18387 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
18388 | (JSC::Parser<LexerType>::parseClass): Don't parse static methods using MethodMode since that | |
18389 | would result in BytecodeGenerator erroneously treating static method named "constructor" as | |
18390 | a class constructor. | |
18391 | (JSC::Parser<LexerType>::parsePropertyMethod): | |
18392 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
18393 | * parser/Parser.h: | |
18394 | * parser/ParserModes.h: | |
18395 | * runtime/Executable.h: | |
18396 | (JSC::EvalExecutable::executableInfo): | |
18397 | (JSC::ProgramExecutable::executableInfo): | |
18398 | ||
18399 | 2015-03-13 Filip Pizlo <fpizlo@apple.com> | |
18400 | ||
18401 | DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source | |
18402 | https://bugs.webkit.org/show_bug.cgi?id=141624 | |
18403 | ||
18404 | Reviewed by Oliver Hunt. | |
18405 | ||
18406 | This was an obvious omission from the original PutStackSinkingPhase. Previously, we would treat | |
18407 | GetStacks conservatively and assume that the stack slot escaped. That's pretty dumb, since a | |
18408 | GetStack is a local load of the stack. This change makes GetStack a no-op from the standpoint of | |
18409 | this phase's deferral analysis. At the end we either keep the GetStack (if there was no concrete | |
18410 | deferral) or we replace it with an identity over the value that would have been stored by the | |
18411 | deferred PutStack. Note that this might be a Phi that the phase creates, so this is strictly | |
18412 | stronger than what GCSE could do. | |
18413 | ||
18414 | This is probably not a speed-up now, but it will be very useful for the varargs simplification | |
18415 | done in bug 141174. | |
18416 | ||
18417 | * dfg/DFGPutStackSinkingPhase.cpp: | |
18418 | ||
18419 | 2015-03-12 Geoffrey Garen <ggaren@apple.com> | |
18420 | ||
18421 | Prohibit GC while sweeping | |
18422 | https://bugs.webkit.org/show_bug.cgi?id=142638 | |
18423 | ||
18424 | Reviewed by Andreas Kling. | |
18425 | ||
18426 | I noticed in https://bugs.webkit.org/show_bug.cgi?id=142636 that a GC | |
18427 | could trigger a sweep which could trigger another GC. Yo Dawg. | |
18428 | ||
18429 | I tried to figure out whether this could cause problems or not and it | |
18430 | made me cross-eyed. | |
18431 | ||
18432 | (Some clients like to report extra memory cost during deallocation as a | |
18433 | way to indicate that the GC now owns something exclusively. It's | |
18434 | arguably a bug to communicate with the GC in this way, but we shouldn't | |
18435 | do crazy when this happens.) | |
18436 | ||
18437 | This patch makes explicit the fact that we don't allow GC while sweeping. | |
18438 | ||
18439 | Usually, sweeping implicitly defers GC by virtue of happening during | |
18440 | allocation. But not always. | |
18441 | ||
18442 | * heap/Heap.cpp: | |
18443 | (JSC::Heap::collectAllGarbage): Defer GC while sweeping due to an | |
18444 | explicit GC request. | |
18445 | ||
18446 | (JSC::Heap::didFinishCollection): Make sure that zombifying sweep | |
18447 | defers GC by not returning to the non-GC state until we're all done. | |
18448 | ||
18449 | * heap/IncrementalSweeper.cpp: | |
18450 | (JSC::IncrementalSweeper::sweepNextBlock): Defer GC while sweeping due | |
18451 | to a timer. | |
18452 | ||
18453 | 2015-03-13 Mark Lam <mark.lam@apple.com> | |
18454 | ||
18455 | Replace TCSpinLock with a new WTF::SpinLock based on WTF::Atomic. | |
18456 | <https://webkit.org/b/142674> | |
18457 | ||
18458 | Reviewed by Filip Pizlo. | |
18459 | ||
18460 | * API/JSValue.mm: | |
18461 | (handerForStructTag): | |
18462 | * API/JSWrapperMap.mm: | |
18463 | * dfg/DFGCommon.cpp: | |
18464 | (JSC::DFG::startCrashing): | |
18465 | (JSC::DFG::isCrashing): | |
18466 | - Changed to use a StaticSpinLock since that's what this code was trying to do | |
18467 | anyway. | |
18468 | * heap/CopiedBlock.h: | |
18469 | (JSC::CopiedBlock::CopiedBlock): | |
18470 | * heap/CopiedSpace.cpp: | |
18471 | (JSC::CopiedSpace::CopiedSpace): | |
18472 | * heap/CopiedSpace.h: | |
18473 | * heap/GCThreadSharedData.cpp: | |
18474 | (JSC::GCThreadSharedData::GCThreadSharedData): | |
18475 | * heap/GCThreadSharedData.h: | |
18476 | * heap/ListableHandler.h: | |
18477 | (JSC::ListableHandler::List::List): | |
18478 | * parser/SourceProvider.cpp: | |
18479 | * profiler/ProfilerDatabase.cpp: | |
18480 | (JSC::Profiler::Database::addDatabaseToAtExit): | |
18481 | (JSC::Profiler::Database::removeDatabaseFromAtExit): | |
18482 | (JSC::Profiler::Database::removeFirstAtExitDatabase): | |
18483 | ||
18484 | 2015-03-13 Ryosuke Niwa <rniwa@webkit.org> | |
18485 | ||
18486 | BytecodeGenerator needs to be re-entrant to support miranda functions | |
18487 | https://bugs.webkit.org/show_bug.cgi?id=142627 | |
18488 | ||
18489 | Reviewed by Filip Pizlo. | |
18490 | ||
18491 | Made CodeCache::getGlobalCodeBlock and CodeCache::getFunctionExecutableFromGlobalCode re-entrant | |
18492 | by not keeping AddResult while invoking BytecodeGenerator::generate. | |
18493 | ||
18494 | This is needed to support Miranda functions since they need to be lazily initialized. | |
18495 | ||
18496 | * runtime/CodeCache.cpp: | |
18497 | (JSC::CodeCache::getGlobalCodeBlock): | |
18498 | (JSC::CodeCache::getFunctionExecutableFromGlobalCode): | |
18499 | * runtime/CodeCache.h: | |
18500 | (JSC::CodeCacheMap::findCacheAndUpdateAge): Extracted from add. | |
18501 | (JSC::CodeCacheMap::addCache): Extracted from add. | |
18502 | (JSC::CodeCacheMap::add): Deleted. | |
18503 | ||
18504 | 2015-03-13 Mark Lam <mark.lam@apple.com> | |
18505 | ||
18506 | Introduce WTF::Atomic to wrap std::atomic for a friendlier CAS. | |
18507 | <https://webkit.org/b/142661> | |
18508 | ||
18509 | Reviewed by Filip Pizlo. | |
18510 | ||
18511 | Changed CodeBlock, and the DFG's crashLock to use WTF::Atomic instead of | |
18512 | std::atomic. | |
18513 | ||
18514 | * bytecode/CodeBlock.cpp: | |
18515 | (JSC::CodeBlock::CodeBlock): | |
18516 | (JSC::CodeBlock::visitAggregate): | |
18517 | * bytecode/CodeBlock.h: | |
18518 | * dfg/DFGCommon.cpp: | |
18519 | (JSC::DFG::startCrashing): | |
18520 | ||
18521 | 2015-03-12 Mark Lam <mark.lam@apple.com> | |
18522 | ||
18523 | Change the DFG crashLock to use std::atomic. | |
18524 | <https://webkit.org/b/142649> | |
18525 | ||
18526 | Reviewed by Filip Pizlo. | |
18527 | ||
18528 | * dfg/DFGCommon.cpp: | |
18529 | (JSC::DFG::startCrashing): | |
18530 | (JSC::DFG::isCrashing): | |
18531 | ||
18532 | 2015-03-12 Filip Pizlo <fpizlo@apple.com> | |
18533 | ||
18534 | Bytecode liveness analysis should have more lambdas and fewer sets | |
18535 | https://bugs.webkit.org/show_bug.cgi?id=142647 | |
18536 | ||
18537 | Reviewed by Mark Lam. | |
18538 | ||
18539 | In bug 141174 I'll need to identify all of the bytecode kill sites. This requires hooking into | |
18540 | the bytecode analysis' stepOverFunction method, except in such a way that we observe uses that | |
18541 | are not in outs. This refactors stepOverFunction so that you can pass it use/def functors that | |
18542 | can either be used to propagate outs (as we do right now) or to additionally detect kills or | |
18543 | whatever else. | |
18544 | ||
18545 | In order to achieve this, the liveness analysis was moved off of maintaining uses/defs | |
18546 | bitvectors. This wasn't helping the abstraction and was probably inefficient. The new code | |
18547 | should be a bit faster since we don't have to clear uses/defs bitvectors on each instruction. On | |
18548 | the other hand, being able to intercept each use means that our code for exception handlers is | |
18549 | no longer a bitwise-merge; it requires finding set bits. Fortunately, this code only kicks in | |
18550 | for instructions inside a try, and its performance is O(live at catch), so that's probably not | |
18551 | bad. | |
18552 | ||
18553 | * bytecode/BytecodeLivenessAnalysis.cpp: | |
18554 | (JSC::indexForOperand): | |
18555 | (JSC::stepOverInstruction): | |
18556 | (JSC::computeLocalLivenessForBytecodeOffset): | |
18557 | (JSC::BytecodeLivenessAnalysis::computeFullLiveness): | |
18558 | (JSC::setForOperand): Deleted. | |
18559 | * bytecode/BytecodeUseDef.h: | |
18560 | (JSC::computeUsesForBytecodeOffset): | |
18561 | (JSC::computeDefsForBytecodeOffset): | |
18562 | * bytecode/CodeBlock.cpp: | |
18563 | ||
18564 | 2015-03-12 Ryosuke Niwa <rniwa@webkit.org> | |
18565 | ||
18566 | "this" should be in TDZ until super is called in the constructor of a derived class | |
18567 | https://bugs.webkit.org/show_bug.cgi?id=142527 | |
18568 | ||
18569 | Reviewed by Mark Hahnenberg. | |
18570 | ||
18571 | DFG and FTL implementations co-authored by Filip Pizlo. | |
18572 | ||
18573 | In ES6 class syntax, "this" register must be in the "temporal dead zone" (TDZ) and throw ReferenceError until | |
18574 | super() is called inside the constructor of a derived class. | |
18575 | ||
18576 | Added op_check_tdz, a new OP code, which throws a reference error when the first operand is an empty value | |
18577 | to all tiers of JIT and LLint. The op code throws in the slow path on the basis that a TDZ error should be | |
18578 | a programming error and not a part of the program's normal control flow. In DFG, this op code is represented | |
18579 | by a no-op must-generate node CheckNotEmpty modeled after CheckCell. | |
18580 | ||
18581 | Also made the constructor of a derived class assign the empty value to "this" register rather than undefined | |
18582 | so that ThisNode can emit the op_check_tdz to check the initialized-ness of "this" in such a constructor. | |
18583 | ||
18584 | * bytecode/BytecodeList.json: Added op_check_tdz. | |
18585 | * bytecode/BytecodeUseDef.h: | |
18586 | (JSC::computeUsesForBytecodeOffset): Ditto. | |
18587 | (JSC::computeDefsForBytecodeOffset): Ditto. | |
18588 | * bytecode/CodeBlock.cpp: | |
18589 | (JSC::CodeBlock::dumpBytecode): Ditto. | |
18590 | * bytecode/ExitKind.cpp: | |
18591 | (JSC::exitKindToString): Added TDZFailure. | |
18592 | * bytecode/ExitKind.h: Ditto. | |
18593 | * bytecompiler/BytecodeGenerator.cpp: | |
18594 | (JSC::BytecodeGenerator::BytecodeGenerator): Assign the empty value to "this" register to indicate it's in TDZ. | |
18595 | (JSC::BytecodeGenerator::emitTDZCheck): Added. | |
18596 | (JSC::BytecodeGenerator::emitReturn): Emit the TDZ check since "this" can still be in TDZ if super() was never | |
18597 | called, e.g. class B extends A { constructor() { } } | |
18598 | * bytecompiler/BytecodeGenerator.h: | |
18599 | * bytecompiler/NodesCodegen.cpp: | |
18600 | (JSC::ThisNode::emitBytecode): Always emit the TDZ check if we're inside the constructor of a derived class. | |
18601 | We can't omit this check even if the result was ignored per spec. | |
18602 | * dfg/DFGAbstractInterpreterInlines.h: | |
18603 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Previously, empty value could never appear | |
18604 | in a local variable. This is no longer true so generalize this code. Also added the support for CheckNotEmpty. | |
18605 | Like CheckCell, we phantomize this DFG node in the constant folding phase if the type of the operand is already | |
18606 | found to be not empty. Otherwise filter out SpecEmpty. | |
18607 | * dfg/DFGByteCodeParser.cpp: | |
18608 | (JSC::DFG::ByteCodeParser::parseBlock): Added op_check_tdz. | |
18609 | * dfg/DFGCapabilities.cpp: | |
18610 | (JSC::DFG::capabilityLevel): op_check_tdz can be compiled and inlined. | |
18611 | * dfg/DFGClobberize.h: | |
18612 | (JSC::DFG::clobberize): CheckNotEmpty doesn't read or write values. | |
18613 | * dfg/DFGConstantFoldingPhase.cpp: | |
18614 | (JSC::DFG::ConstantFoldingPhase::foldConstants): Convert CheckNotEmpty to a phantom if non-emptiness had already | |
18615 | been proven for the operand prior to this node. | |
18616 | * dfg/DFGDoesGC.cpp: | |
18617 | (JSC::DFG::doesGC): CheckNotEmpty does not trigger GC. | |
18618 | * dfg/DFGFixupPhase.cpp: | |
18619 | (JSC::DFG::FixupPhase::fixupNode): CheckNotEmpty is a no-op in the fixup phase. | |
18620 | * dfg/DFGNodeType.h: CheckNotEmpty cannot be removed even if the result was ignored. See ThisNode::emitBytecode. | |
18621 | * dfg/DFGPredictionPropagationPhase.cpp: | |
18622 | (JSC::DFG::PredictionPropagationPhase::propagate): CheckNotEmpty doesn't return any value. | |
18623 | * dfg/DFGSafeToExecute.h: | |
18624 | (JSC::DFG::safeToExecute): CheckNotEmpty doesn't load from heap so it's safe. | |
18625 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
18626 | (JSC::DFG::SpeculativeJIT::compile): Speculate that the operand is not empty. OSR exit if the speculation fails. | |
18627 | * dfg/DFGSpeculativeJIT64.cpp: | |
18628 | (JSC::DFG::SpeculativeJIT::compile): Ditto. | |
18629 | * ftl/FTLCapabilities.cpp: | |
18630 | (JSC::FTL::canCompile): CheckNotEmpty can be compiled in FTL. | |
18631 | * ftl/FTLLowerDFGToLLVM.cpp: | |
18632 | (JSC::FTL::LowerDFGToLLVM::compileNode): Calls compileCheckNotEmpty for CheckNotEmpty. | |
18633 | (JSC::FTL::LowerDFGToLLVM::compileCheckNotEmpty): OSR exit with "TDZFailure" if the operand is not empty. | |
18634 | * jit/JIT.cpp: | |
18635 | (JSC::JIT::privateCompileMainPass): Added op_check_tdz. | |
18636 | (JSC::JIT::privateCompileSlowCases): Ditto. | |
18637 | * jit/JIT.h: | |
18638 | * jit/JITOpcodes.cpp: | |
18639 | (JSC::JIT::emit_op_check_tdz): Implements op_check_tdz in Baseline JIT. | |
18640 | (JSC::JIT::emitSlow_op_check_tdz): Ditto. | |
18641 | * jit/JITOpcodes32_64.cpp: | |
18642 | (JSC::JIT::emit_op_check_tdz): Ditto. | |
18643 | (JSC::JIT::emitSlow_op_check_tdz): Ditto. | |
18644 | * llint/LowLevelInterpreter32_64.asm: Implements op_check_tdz in LLint. | |
18645 | * llint/LowLevelInterpreter64.asm: Ditto. | |
18646 | * runtime/CommonSlowPaths.cpp: | |
18647 | (JSC::SLOW_PATH_DECL): Throws a reference error for op_check_tdz. Shared by LLint and Baseline JIT. | |
18648 | * runtime/CommonSlowPaths.h: | |
18649 | * tests/stress/class-syntax-no-loop-tdz.js: Added. | |
18650 | * tests/stress/class-syntax-no-tdz-in-catch.js: Added. | |
18651 | * tests/stress/class-syntax-no-tdz-in-conditional.js: Added. | |
18652 | * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: Added. | |
18653 | * tests/stress/class-syntax-no-tdz-in-loop.js: Added. | |
18654 | * tests/stress/class-syntax-no-tdz.js: Added. | |
18655 | * tests/stress/class-syntax-tdz-in-catch.js: Added. | |
18656 | * tests/stress/class-syntax-tdz-in-conditional.js: Added. | |
18657 | * tests/stress/class-syntax-tdz-in-loop.js: Added. | |
18658 | * tests/stress/class-syntax-tdz.js: Added. | |
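The following is an added example, not part of the WebKit ChangeLog or of JavaScriptCore itself: it exercises the "this" temporal dead zone that op_check_tdz enforces in a derived-class constructor, covering the cases the stress tests above are named after (plain, no super() at all, super() in a conditional, in a loop, and a "this" access in a catch block). Class names and probe functions are the example's own.

```javascript
// Added example, not part of the WebKit ChangeLog or of JavaScriptCore itself:
// it exercises the "this" temporal dead zone (TDZ) that op_check_tdz enforces
// in the constructor of a derived class. Each probe returns the observed
// outcome instead of printing it, so the results can be asserted on.

class Base {
  constructor() {
    this.fromBase = true;
  }
}

// Runs fn and reports "ok", "ReferenceError", or the name of any other error.
function outcome(fn) {
  try {
    fn();
    return "ok";
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : e.constructor.name;
  }
}

// Baseline: super() first, after which "this" is initialized and usable.
function normalOrder() {
  class Derived extends Base {
    constructor() {
      super();
      this.ready = true;
    }
  }
  return outcome(() => new Derived());
}

// Touching "this" before super() is the basic TDZ violation.
function thisBeforeSuper() {
  class Derived extends Base {
    constructor() {
      this.early = 1; // "this" still holds the empty value here
      super();
    }
  }
  return outcome(() => new Derived());
}

// Never calling super() leaves "this" in the TDZ at the implicit return,
// which is why emitReturn also emits the check
// (the ChangeLog's own case: class B extends A { constructor() { } }).
function noSuperAtAll() {
  class Derived extends Base {
    constructor() { }
  }
  return outcome(() => new Derived());
}

// The check is dynamic: with super() in a conditional, the outcome depends on
// whether the branch that calls it actually ran.
function conditionalSuper(callSuper) {
  class Derived extends Base {
    constructor(flag) {
      if (flag)
        super();
      this.afterBranch = true; // throws only when super() was skipped
    }
  }
  return outcome(() => new Derived(callSuper));
}

// Same idea with super() inside a loop body: zero iterations means no super().
// Use 0 or 1 iterations; calling super() twice is a separate error.
function superInLoop(iterations) {
  class Derived extends Base {
    constructor(n) {
      for (let i = 0; i < n; i++)
        super();
      this.iterations = n;
    }
  }
  return outcome(() => new Derived(iterations));
}

// A "this" access inside a catch block is still subject to the check.
function thisInCatchBeforeSuper() {
  class Derived extends Base {
    constructor() {
      try {
        throw new Error("boom");
      } catch (e) {
        this.caught = e.message; // TDZ violation: super() not yet called
      }
      super();
    }
  }
  return outcome(() => new Derived());
}
```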
18659 | ||
18660 | 2015-03-12 Yusuke Suzuki <utatane.tea@gmail.com> | |
18661 | ||
18662 | Integrate MapData into JSMap and JSSet | |
18663 | https://bugs.webkit.org/show_bug.cgi?id=142556 | |
18664 | ||
18665 | Reviewed by Filip Pizlo. | |
18666 | ||
18667 | This patch integrates MapData into JSMap and JSSet. | |
18668 | This removes 2 object allocations per JSMap / JSSet. | |
18669 | ||
18670 | MapDataImpl is specialized into MapData and SetData. | |
18671 | In the case of SetData, it does not have the dummy values | |
18672 | previously stored in the MapDataImpl. So the storage size of SetData | |
18673 | becomes half that of the previous implementation. | |
18674 | ||
18675 | Now that MapData and SetData are completely integrated into JSMap and JSSet, | |
18676 | these structures are not exposed to other code, even in the WebCore world. | |
18677 | ||
18678 | And at the same time, this patch fixes missing destroy functions | |
18679 | in JSMapIterator and JSSetIterator. | |
18680 | They are needed because MapData::const_iterator has a non-trivial destructor. | |
18681 | ||
18682 | * CMakeLists.txt: | |
18683 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
18684 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
18685 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
18686 | * runtime/JSMap.cpp: | |
18687 | (JSC::JSMap::destroy): | |
18688 | (JSC::JSMap::visitChildren): | |
18689 | (JSC::JSMap::copyBackingStore): | |
18690 | (JSC::JSMap::has): | |
18691 | (JSC::JSMap::size): | |
18692 | (JSC::JSMap::get): | |
18693 | (JSC::JSMap::set): | |
18694 | (JSC::JSMap::clear): | |
18695 | (JSC::JSMap::remove): | |
18696 | (JSC::JSMap::finishCreation): Deleted. | |
18697 | * runtime/JSMap.h: | |
18698 | (JSC::JSMap::Entry::key): | |
18699 | (JSC::JSMap::Entry::value): | |
18700 | (JSC::JSMap::Entry::visitChildren): | |
18701 | (JSC::JSMap::Entry::setKey): | |
18702 | (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): | |
18703 | (JSC::JSMap::Entry::setValue): | |
18704 | (JSC::JSMap::Entry::clear): | |
18705 | (JSC::JSMap::begin): | |
18706 | (JSC::JSMap::end): | |
18707 | (JSC::JSMap::JSMap): | |
18708 | (JSC::JSMap::mapData): Deleted. | |
18709 | * runtime/JSMapIterator.cpp: | |
18710 | (JSC::JSMapIterator::finishCreation): | |
18711 | (JSC::JSMapIterator::destroy): | |
18712 | (JSC::JSMapIterator::visitChildren): | |
18713 | * runtime/JSMapIterator.h: | |
18714 | (JSC::JSMapIterator::JSMapIterator): | |
18715 | * runtime/JSSet.cpp: | |
18716 | (JSC::JSSet::destroy): | |
18717 | (JSC::JSSet::visitChildren): | |
18718 | (JSC::JSSet::copyBackingStore): | |
18719 | (JSC::JSSet::has): | |
18720 | (JSC::JSSet::size): | |
18721 | (JSC::JSSet::add): | |
18722 | (JSC::JSSet::clear): | |
18723 | (JSC::JSSet::remove): | |
18724 | (JSC::JSSet::finishCreation): Deleted. | |
18725 | * runtime/JSSet.h: | |
18726 | (JSC::JSSet::Entry::key): | |
18727 | (JSC::JSSet::Entry::value): | |
18728 | (JSC::JSSet::Entry::visitChildren): | |
18729 | (JSC::JSSet::Entry::setKey): | |
18730 | (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): | |
18731 | (JSC::JSSet::Entry::setValue): | |
18732 | (JSC::JSSet::Entry::clear): | |
18733 | (JSC::JSSet::begin): | |
18734 | (JSC::JSSet::end): | |
18735 | (JSC::JSSet::JSSet): | |
18736 | (JSC::JSSet::mapData): Deleted. | |
18737 | * runtime/JSSetIterator.cpp: | |
18738 | (JSC::JSSetIterator::finishCreation): | |
18739 | (JSC::JSSetIterator::visitChildren): | |
18740 | (JSC::JSSetIterator::destroy): | |
18741 | * runtime/JSSetIterator.h: | |
18742 | (JSC::JSSetIterator::JSSetIterator): | |
18743 | * runtime/MapConstructor.cpp: | |
18744 | (JSC::constructMap): | |
18745 | * runtime/MapData.h: | |
18746 | (JSC::MapDataImpl::const_iterator::key): | |
18747 | (JSC::MapDataImpl::const_iterator::value): | |
18748 | (JSC::MapDataImpl::size): | |
18749 | (JSC::MapDataImpl<Entry>::MapDataImpl): | |
18750 | (JSC::MapDataImpl<Entry>::clear): | |
18751 | (JSC::MapDataImpl<Entry>::KeyType::KeyType): | |
18752 | (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): | |
18753 | (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): | |
18754 | (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): | |
18755 | (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): | |
18756 | (JSC::MapDataImpl<Entry>::const_iterator::operator): | |
18757 | (JSC::=): | |
18758 | (JSC::MapData::const_iterator::key): Deleted. | |
18759 | (JSC::MapData::const_iterator::value): Deleted. | |
18760 | (JSC::MapData::create): Deleted. | |
18761 | (JSC::MapData::createStructure): Deleted. | |
18762 | (JSC::MapData::size): Deleted. | |
18763 | (JSC::MapData::clear): Deleted. | |
18764 | (JSC::MapData::KeyType::KeyType): Deleted. | |
18765 | (JSC::MapData::const_iterator::internalIncrement): Deleted. | |
18766 | (JSC::MapData::const_iterator::ensureSlot): Deleted. | |
18767 | (JSC::MapData::const_iterator::const_iterator): Deleted. | |
18768 | (JSC::MapData::const_iterator::~const_iterator): Deleted. | |
18769 | (JSC::MapData::const_iterator::operator*): Deleted. | |
18770 | (JSC::MapData::const_iterator::end): Deleted. | |
18771 | (JSC::MapData::const_iterator::operator!=): Deleted. | |
18772 | (JSC::MapData::const_iterator::operator==): Deleted. | |
18773 | * runtime/MapDataInlines.h: Renamed from Source/JavaScriptCore/runtime/MapData.cpp. | |
18774 | (JSC::MapDataImpl<Entry>::find): | |
18775 | (JSC::MapDataImpl<Entry>::contains): | |
18776 | (JSC::MapDataImpl<Entry>::add): | |
18777 | (JSC::MapDataImpl<Entry>::set): | |
18778 | (JSC::MapDataImpl<Entry>::get): | |
18779 | (JSC::MapDataImpl<Entry>::remove): | |
18780 | (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): | |
18781 | (JSC::MapDataImpl<Entry>::replaceBackingStore): | |
18782 | (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): | |
18783 | (JSC::MapDataImpl<Entry>::visitChildren): | |
18784 | (JSC::MapDataImpl<Entry>::copyBackingStore): | |
18785 | * runtime/MapPrototype.cpp: | |
18786 | (JSC::getMap): | |
18787 | (JSC::mapProtoFuncClear): | |
18788 | (JSC::mapProtoFuncDelete): | |
18789 | (JSC::mapProtoFuncForEach): | |
18790 | (JSC::mapProtoFuncGet): | |
18791 | (JSC::mapProtoFuncHas): | |
18792 | (JSC::mapProtoFuncSet): | |
18793 | (JSC::mapProtoFuncSize): | |
18794 | (JSC::getMapData): Deleted. | |
18795 | * runtime/SetPrototype.cpp: | |
18796 | (JSC::getSet): | |
18797 | (JSC::setProtoFuncAdd): | |
18798 | (JSC::setProtoFuncClear): | |
18799 | (JSC::setProtoFuncDelete): | |
18800 | (JSC::setProtoFuncForEach): | |
18801 | (JSC::setProtoFuncHas): | |
18802 | (JSC::setProtoFuncSize): | |
18803 | (JSC::getMapData): Deleted. | |
18804 | * runtime/VM.cpp: | |
18805 | (JSC::VM::VM): | |
18806 | * runtime/VM.h: | |
18807 | ||
18808 | 2015-03-12 Mark Lam <mark.lam@apple.com> | |
18809 | ||
18810 | Use std::atomic for CodeBlock::m_visitAggregateHasBeenCalled. | |
18811 | <https://webkit.org/b/142640> | |
18812 | ||
18813 | Reviewed by Mark Hahnenberg. | |
18814 | ||
18815 | We used to spin our own compare and swap on a uint8_t. Now that we can | |
18816 | use C++11, let's use std::atomic instead. | |
18817 | ||
18818 | * bytecode/CodeBlock.cpp: | |
18819 | (JSC::CodeBlock::visitAggregate): | |
18820 | - The CAS here needs std::memory_order_acquire ordering because it | |
18821 | requires lock acquisition semantics to visit the CodeBlock. | |
18822 | ||
18823 | * bytecode/CodeBlock.h: | |
18824 | (JSC::CodeBlockSet::mark): | |
18825 | * heap/CodeBlockSet.cpp: | |
18826 | (JSC::CodeBlockSet::clearMarksForFullCollection): | |
18827 | (JSC::CodeBlockSet::clearMarksForEdenCollection): | |
18828 | - These can go with relaxed ordering because they are all done before | |
18829 | the GC starts parallel marking. | |
18830 | ||
18831 | 2015-03-12 Csaba Osztrogonác <ossy@webkit.org> | |
18832 | ||
18833 | [cmake] Fix the incremental build issue revealed by r181419 | |
18834 | https://bugs.webkit.org/show_bug.cgi?id=142613 | |
18835 | ||
18836 | Reviewed by Carlos Garcia Campos. | |
18837 | ||
18838 | * CMakeLists.txt: | |
18839 | ||
18840 | 2015-03-11 Ryosuke Niwa <rniwa@webkit.org> | |
18841 | ||
18842 | "static" should not be a reserved keyword in non-strict mode even when ES6 class is enabled | |
18843 | https://bugs.webkit.org/show_bug.cgi?id=142600 | |
18844 | ||
18845 | Reviewed by Mark Lam. | |
18846 | ||
18847 | Make "static" RESERVED_IF_STRICT and manually detect it in parseClass. | |
18848 | ||
18849 | No new tests. This is already checked by js/reserved-words.html and js/keywords-and-reserved_words.html. | |
18850 | ||
18851 | * parser/Keywords.table: | |
18852 | * parser/Parser.cpp: | |
18853 | (JSC::Parser<LexerType>::parseClass): | |
18854 | * parser/ParserTokens.h: | |
18855 | ||
18856 | 2015-03-11 Geoffrey Garen <ggaren@apple.com> | |
18857 | ||
18858 | Many users of Heap::reportExtraMemory* are wrong, causing lots of memory growth | |
18859 | https://bugs.webkit.org/show_bug.cgi?id=142593 | |
18860 | ||
18861 | Reviewed by Andreas Kling. | |
18862 | ||
18863 | Adopt deprecatedReportExtraMemory as a short-term fix for runaway | |
18864 | memory growth in these cases where we have not adopted | |
18865 | reportExtraMemoryVisited. | |
18866 | ||
18867 | Long-term, we should use reportExtraMemoryAllocated+reportExtraMemoryVisited. | |
18868 | That's tracked by https://bugs.webkit.org/show_bug.cgi?id=142595. | |
18869 | ||
18870 | * API/JSBase.cpp: | |
18871 | (JSReportExtraMemoryCost): | |
18872 | * runtime/SparseArrayValueMap.cpp: | |
18873 | (JSC::SparseArrayValueMap::add): | |
18874 | ||
18875 | 2015-03-11 Geoffrey Garen <ggaren@apple.com> | |
18876 | ||
18877 | Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious | |
18878 | https://bugs.webkit.org/show_bug.cgi?id=142589 | |
18879 | ||
18880 | Reviewed by Andreas Kling. | |
18881 | ||
18882 | * API/JSBase.cpp: | |
18883 | (JSReportExtraMemoryCost): Added a FIXME to annotate a known bug. | |
18884 | ||
18885 | * bytecode/CodeBlock.cpp: | |
18886 | (JSC::CodeBlock::CodeBlock): | |
18887 | (JSC::CodeBlock::visitAggregate): | |
18888 | * bytecode/CodeBlock.h: | |
18889 | (JSC::CodeBlock::setJITCode): Updated for rename. | |
18890 | ||
18891 | * heap/Heap.cpp: | |
18892 | (JSC::Heap::Heap): | |
18893 | (JSC::Heap::reportExtraMemoryAllocatedSlowCase): | |
18894 | (JSC::Heap::deprecatedReportExtraMemorySlowCase): Renamed our reporting | |
18895 | APIs to clarify their relationship to each other: One must report extra | |
18896 | memory at the time of allocation, and at the time the GC visits it. | |
18897 | ||
18898 | (JSC::Heap::extraMemorySize): | |
18899 | (JSC::Heap::size): | |
18900 | (JSC::Heap::capacity): | |
18901 | (JSC::Heap::sizeAfterCollect): | |
18902 | (JSC::Heap::willStartCollection): Updated for renames. Added explicit | |
18903 | API for deprecated users who can't use our best API. | |
18904 | ||
18905 | (JSC::Heap::reportExtraMemoryCostSlowCase): Deleted. | |
18906 | (JSC::Heap::extraSize): Deleted. | |
18907 | ||
18908 | * heap/Heap.h: | |
18909 | * heap/HeapInlines.h: | |
18910 | (JSC::Heap::reportExtraMemoryAllocated): | |
18911 | (JSC::Heap::reportExtraMemoryVisited): | |
18912 | (JSC::Heap::deprecatedReportExtraMemory): | |
18913 | (JSC::Heap::reportExtraMemoryCost): Deleted. Ditto. | |
18914 | ||
18915 | * heap/SlotVisitor.h: | |
18916 | * heap/SlotVisitorInlines.h: | |
18917 | (JSC::SlotVisitor::reportExtraMemoryVisited): | |
18918 | (JSC::SlotVisitor::reportExtraMemoryUsage): Deleted. Moved this | |
18919 | functionality into the Heap since it's pretty detailed in its access | |
18920 | to the heap. | |
18921 | ||
18922 | * runtime/JSArrayBufferView.cpp: | |
18923 | (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): | |
18924 | * runtime/JSGenericTypedArrayViewInlines.h: | |
18925 | (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Updated for | |
18926 | renames. | |
18927 | ||
18928 | * runtime/JSString.cpp: | |
18929 | (JSC::JSString::visitChildren): | |
18930 | (JSC::JSRopeString::resolveRopeToAtomicString): | |
18931 | (JSC::JSRopeString::resolveRope): | |
18932 | * runtime/JSString.h: | |
18933 | (JSC::JSString::finishCreation): Updated for renames. | |
18934 | ||
18935 | * runtime/SparseArrayValueMap.cpp: | |
18936 | (JSC::SparseArrayValueMap::add): Added FIXME. | |
18937 | ||
18938 | * runtime/WeakMapData.cpp: | |
18939 | (JSC::WeakMapData::visitChildren): Updated for rename. | |
18940 | ||
18941 | 2015-03-11 Ryosuke Niwa <rniwa@webkit.org> | |
18942 | ||
18943 | Calling super() in a base class results in a crash | |
18944 | https://bugs.webkit.org/show_bug.cgi?id=142563 | |
18945 | ||
18946 | Reviewed by Filip Pizlo. | |
18947 | ||
18948 | The bug was caused by BytecodeGenerator trying to generate "super" expression inside the constructor of a base class. | |
18949 | Disallow that by keeping track of whether "super" has been used in the current scope or not (needsSuperBinding flag) | |
18950 | and then throwing a syntax error in parseFunctionInfo if it was used and the current scope wasn't the constructor of | |
18951 | a derived class. | |
18952 | ||
18953 | * parser/Parser.cpp: | |
18954 | (JSC::Parser<LexerType>::parseFunctionInfo): Don't allow super() or super.foo outside the constructor of a derived class. | |
18955 | (JSC::Parser<LexerType>::parseClass): Pass in the constructor kind to parseGetterSetter. | |
18956 | (JSC::Parser<LexerType>::parseGetterSetter): Ditto to parseFunctionInfo. | |
18957 | (JSC::Parser<LexerType>::parseMemberExpression): Set needsSuperBinding flag true on the containing scope. | |
18958 | * parser/Parser.h: | |
18959 | (JSC::Scope::Scope): | |
18960 | (JSC::Scope::needsSuperBinding): Added. | |
18961 | (JSC::Scope::setNeedsSuperBinding): Added. | |
18962 | ||
18963 | 2015-03-10 Darin Adler <darin@apple.com> | |
18964 | ||
18965 | Some event handler fixes | |
18966 | https://bugs.webkit.org/show_bug.cgi?id=142474 | |
18967 | ||
18968 | Reviewed by Anders Carlsson. | |
18969 | ||
18970 | * inspector/InjectedScriptManager.cpp: | |
18971 | (Inspector::InjectedScriptManager::createInjectedScript): Call clearException. | |
18972 | I spotted the fact it was missing by auditing all the calls to JSC::call. | |
18973 | ||
18974 | 2015-03-10 Matthew Mirman <mmirman@apple.com> | |
18975 | ||
18976 | Functions should have initialization precedence over arguments. | |
18977 | https://bugs.webkit.org/show_bug.cgi?id=142550 | |
18978 | rdar://problem/19702564 | |
18979 | ||
18980 | Reviewed by Geoffrey Garen. | |
18981 | ||
18982 | * bytecompiler/BytecodeGenerator.cpp: | |
18983 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
18984 | (JSC::BytecodeGenerator::initializeCapturedVariable): | |
18985 | * tests/stress/initialize_functions_after_arguments.js: Added. | |
18986 | ||
18987 | 2015-03-10 Andreas Kling <akling@apple.com> | |
18988 | ||
18989 | Eden collections should trigger sweep of MarkedBlocks containing new objects. | |
18990 | <https://webkit.org/b/142538> | |
18991 | ||
18992 | Reviewed by Geoffrey Garen. | |
18993 | ||
18994 | Take a snapshot of all MarkedBlocks with new objects as part of Eden collections, | |
18995 | and append that to the IncrementalSweeper's working set. | |
18996 | ||
18997 | This ensures that we run destructors for objects that were discovered to be garbage during | |
18998 | Eden collections, instead of delaying their teardown until the next full collection, | |
18999 | or the next allocation cycle for their block. | |
19000 | ||
19001 | * heap/Heap.cpp: | |
19002 | (JSC::Heap::snapshotMarkedSpace): For Eden collections, snapshot the list of MarkedBlocks | |
19003 | that contain new objects, since those are the only ones we're interested in. | |
19004 | Also use Vector::resizeToFit() to allocate the snapshot for full collections, since we know | |
19005 | the final size we need up front. | |
19006 | ||
19007 | (JSC::Heap::notifyIncrementalSweeper): For Eden collections, tell the IncrementalSweeper | |
19008 | to add the block snapshot (taken earlier) to its existing set of blocks instead of replacing | |
19009 | it entirely. This allows Eden collections and incremental sweeping to occur interleaved with | |
19010 | each other without missing destruction opportunities. | |
19011 | ||
19012 | * heap/IncrementalSweeper.h: | |
19013 | * heap/IncrementalSweeper.cpp: | |
19014 | (JSC::IncrementalSweeper::doSweep): | |
19015 | (JSC::IncrementalSweeper::sweepNextBlock): Change the way we iterate over the sweeper's | |
19016 | work list: instead of keeping an index for the next block, just pop from the end of the list. | |
19017 | This allows us to add new blocks and deduplicate the list without disturbing iteration. | |
19018 | ||
19019 | (JSC::IncrementalSweeper::startSweeping): Make this take a Vector<MarkedBlock>&& so we can | |
19020 | pass ownership of this Vector efficiently from Heap to IncrementalSweeper. | |
19021 | ||
19022 | (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Added. This is used by Eden | |
19023 | collections to add a set of MarkedBlocks with new objects to the sweeper's existing | |
19024 | working set and kick the timer. | |
19025 | ||
19026 | * heap/MarkedSpace.h: | |
19027 | (JSC::MarkedSpace::blocksWithNewObjects): Expose the list of MarkedBlocks with new objects. | |
19028 | ||
19029 | 2015-03-10 Alex Christensen <achristensen@webkit.org> | |
19030 | ||
19031 | Use unsigned for HashSet size. | |
19032 | https://bugs.webkit.org/show_bug.cgi?id=142518 | |
19033 | ||
19034 | Reviewed by Benjamin Poulain. | |
19035 | ||
19036 | * dfg/DFGAvailabilityMap.cpp: | |
19037 | (JSC::DFG::AvailabilityMap::prune): | |
19038 | * ftl/FTLOSRExitCompiler.cpp: | |
19039 | (JSC::FTL::compileStub): | |
19040 | * heap/MarkedBlockSet.h: | |
19041 | (JSC::MarkedBlockSet::remove): | |
19042 | * runtime/WeakMapData.h: | |
19043 | ||
19044 | 2015-03-10 Mark Lam <mark.lam@apple.com> | |
19045 | ||
19046 | Use std::numeric_limits<unsigned>::max() instead of (unsigned)-1. | |
19047 | <https://webkit.org/b/142539> | |
19048 | ||
19049 | Reviewed by Benjamin Poulain. | |
19050 | ||
19051 | * jit/JIT.cpp: | |
19052 | (JSC::JIT::JIT): | |
19053 | (JSC::JIT::privateCompileMainPass): | |
19054 | (JSC::JIT::privateCompileSlowCases): | |
19055 | (JSC::JIT::privateCompile): | |
19056 | (JSC::JIT::privateCompileExceptionHandlers): | |
19057 | * jit/JITInlines.h: | |
19058 | (JSC::JIT::emitNakedCall): | |
19059 | (JSC::JIT::addSlowCase): | |
19060 | (JSC::JIT::addJump): | |
19061 | (JSC::JIT::emitJumpSlowToHot): | |
19062 | (JSC::JIT::emitGetVirtualRegister): | |
19063 | * jit/SlowPathCall.h: | |
19064 | (JSC::JITSlowPathCall::call): | |
19065 | * yarr/Yarr.h: | |
19066 | ||
19067 | 2015-03-10 Mark Lam <mark.lam@apple.com> | |
19068 | ||
19069 | [Win] JSC Build Warnings Need to be Resolved. | |
19070 | <https://webkit.org/b/142366> | |
19071 | ||
19072 | Reviewed by Brent Fulgham. | |
19073 | ||
19074 | Applied some benign changes to make the MSVC compiler happy. | |
19075 | ||
19076 | * bytecode/CodeBlock.cpp: | |
19077 | (JSC::CodeBlock::dumpBytecode): | |
19078 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
19079 | (JSC::DFG::SpeculativeJIT::fillJSValue): | |
19080 | * runtime/BasicBlockLocation.cpp: | |
19081 | (JSC::BasicBlockLocation::getExecutedRanges): | |
19082 | * runtime/ControlFlowProfiler.cpp: | |
19083 | (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted): | |
19084 | ||
19085 | 2015-03-10 Yusuke Suzuki <utatane.tea@gmail.com> | |
19086 | ||
19087 | Upgrade Map, Set and WeakMap constructor interface | |
19088 | https://bugs.webkit.org/show_bug.cgi?id=142348 | |
19089 | ||
19090 | Reviewed by Filip Pizlo. | |
19091 | ||
19092 | In the latest ES6 spec, the Map and Set constructors take an initialization data set | |
19093 | as an iterable value, iterate it, and add the values to the constructed object. | |
19094 | ||
19095 | This is a breaking change because the old constructor interface is | |
19096 | already shipped in Safari 8. | |
19097 | ||
19098 | * runtime/MapConstructor.cpp: | |
19099 | (JSC::callMap): | |
19100 | (JSC::constructMap): | |
19101 | (JSC::MapConstructor::getCallData): | |
19102 | * runtime/SetConstructor.cpp: | |
19103 | (JSC::callSet): | |
19104 | (JSC::constructSet): | |
19105 | * runtime/WeakMapConstructor.cpp: | |
19106 | (JSC::callWeakMap): | |
19107 | (JSC::constructWeakMap): | |
19108 | (JSC::WeakMapConstructor::getCallData): | |
19109 | * tests/stress/map-constructor-adder.js: Added. | |
19110 | * tests/stress/map-constructor.js: Added. | |
19111 | (testCallTypeError): | |
19112 | (testTypeError): | |
19113 | (for): | |
19114 | * tests/stress/set-constructor-adder.js: Added. | |
19115 | (Set.prototype.add): | |
19116 | * tests/stress/set-constructor.js: Added. | |
19117 | (for): | |
19118 | * tests/stress/weak-map-constructor-adder.js: Added. | |
19119 | * tests/stress/weak-map-constructor.js: Added. | |
19120 | (testCallTypeError): | |
19121 | (testTypeError): | |
19122 | (for): | |
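The following is an added example, not WebKit code: it probes the ES6 Map / Set / WeakMap constructor behaviour this entry adopts in the same way the listed stress tests do (construction from iterables, a call without new, a non-iterable or malformed argument, and the observable "adder" method). Function names are the example's own.

```javascript
// Added example, not WebKit code: the ES6 Map / Set / WeakMap constructor
// behaviour this entry adopts, probed the way the listed stress tests do.
// Results are returned, not printed, so they can be asserted on.

// Runs fn and reports "ok" or the name of the error it threw.
function errorName(fn) {
  try {
    fn();
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// The constructors accept any iterable, not only arrays; null/undefined mean "empty".
function buildFromIterables() {
  const fromArray = new Map([["a", 1], ["b", 2]]);
  const fromString = new Set("hello"); // iterates the string's code points
  function* pairs() { yield ["x", 10]; yield ["y", 20]; }
  const fromGenerator = new Map(pairs());
  const empty = new Map(null);
  return {
    mapSize: fromArray.size,
    setContents: [...fromString].join(""), // duplicates collapsed: "helo"
    generatorY: fromGenerator.get("y"),
    emptySize: empty.size,
  };
}

// Calling the constructor without new is a TypeError (callMap / callSet / callWeakMap).
function calledWithoutNew() {
  return [
    errorName(() => Map()),
    errorName(() => Set()),
    errorName(() => WeakMap()),
  ];
}

// A non-iterable argument, or a Map entry that is not an object, is a TypeError
// (the testTypeError cases in the stress tests).
function badArguments() {
  return [
    errorName(() => new Map(5)),            // a number is not iterable
    errorName(() => new Map([1])),          // each entry must be an object like [key, value]
    errorName(() => new Set(5)),
    errorName(() => new WeakMap([[1, 2]])), // WeakMap keys must be objects
  ];
}

// The constructor looks up add()/set() on the object under construction, so a
// replaced prototype method sees every initial element (the "-adder" tests).
// From a hardening standpoint: a tampered Set.prototype.add silently intercepts
// everything passed to new Set(...), so built-in prototypes need integrity
// protection in code that handles untrusted input.
function adderIsObservable() {
  const seen = [];
  const originalAdd = Set.prototype.add;
  Set.prototype.add = function (value) {
    seen.push(value);
    return originalAdd.call(this, value);
  };
  try {
    new Set([1, 2, 3]);
  } finally {
    Set.prototype.add = originalAdd; // always restore the built-in
  }
  return seen;
}
```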
19123 | ||
19124 | 2015-03-10 Michael Catanzaro <mcatanzaro@igalia.com> | |
19125 | ||
19126 | GCC: CRASH() should be annotated with NORETURN | |
19127 | https://bugs.webkit.org/show_bug.cgi?id=142524 | |
19128 | ||
19129 | Reviewed by Anders Carlsson. | |
19130 | ||
19131 | Don't return from a NORETURN function. This used to avoid a warning from GCC, but now it | |
19132 | causes one. | |
19133 | ||
19134 | * jsc.cpp: | |
19135 | ||
19136 | 2015-03-10 Mark Lam <mark.lam@apple.com> | |
19137 | ||
19138 | Gardening: fix bleeding debug test bots. | |
19139 | <https://webkit.org/b/142513> | |
19140 | ||
19141 | Not reviewed. | |
19142 | ||
19143 | The test needs to initialize WTF threading explicitly before using it. | |
19144 | ||
19145 | * API/tests/CompareAndSwapTest.cpp: | |
19146 | (testCompareAndSwap): | |
19147 | ||
19148 | 2015-03-10 Alex Christensen <achristensen@webkit.org> | |
19149 | ||
19150 | [WinCairo] Unreviewed build fix. | |
19151 | ||
19152 | * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: | |
19153 | Added directory containing config.h, like r181304. | |
19154 | ||
19155 | 2015-03-09 Mark Lam <mark.lam@apple.com> | |
19156 | ||
19157 | Yet another build fix for Windows. | |
19158 | <https://webkit.org/b/142513> | |
19159 | ||
19160 | Reviewed by Alex Christensen. | |
19161 | ||
19162 | Looks like MSVC requires the function be explicitly declared in a header file | |
19163 | in order for it to be linkable from another file in the same project. This is | |
19164 | strange, but it seems to make MSVC happy. | |
19165 | ||
19166 | Also fixed a typo in testapi.vcxproj.filters. | |
19167 | ||
19168 | * API/tests/CompareAndSwapTest.cpp: | |
19169 | * API/tests/CompareAndSwapTest.h: Added. | |
19170 | * API/tests/testapi.c: | |
19171 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: | |
19172 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: | |
19173 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
19174 | ||
19175 | 2015-03-09 Chris Dumez <cdumez@apple.com> | |
19176 | ||
19177 | [iOS] Sweep all collected objects on critical memory pressure | |
19178 | https://bugs.webkit.org/show_bug.cgi?id=142457 | |
19179 | <rdar://problem/20044440> | |
19180 | ||
19181 | Reviewed by Geoffrey Garen. | |
19182 | ||
19183 | Add fullSweep() API to IncrementalSweeper so that we can call it in the | |
19184 | memory pressure handler. | |
19185 | ||
19186 | * heap/IncrementalSweeper.cpp: | |
19187 | (JSC::IncrementalSweeper::fullSweep): | |
19188 | * heap/IncrementalSweeper.h: | |
19189 | (JSC::IncrementalSweeper::hasWork): | |
19190 | ||
19191 | 2015-03-09 Mark Lam <mark.lam@apple.com> | |
19192 | ||
19193 | Another build fix for Windows. | |
19194 | <https://webkit.org/b/142513> | |
19195 | ||
19196 | Not reviewed. | |
19197 | ||
19198 | * API/tests/CompareAndSwapTest.cpp: | |
19199 | - Added JS_EXPORT_PRIVATE attribute. | |
19200 | ||
19201 | 2015-03-09 Mark Lam <mark.lam@apple.com> | |
19202 | ||
19203 | Build fix for Windows after r181305. | |
19204 | <https://webkit.org/b/142513> | |
19205 | ||
19206 | Reviewed by Alex Christensen. | |
19207 | ||
19208 | Windows doesn't like pthreads anymore. Changed test to use WTF threading. | |
19209 | ||
19210 | * API/tests/CompareAndSwapTest.cpp: | |
19211 | (setBitThreadFunc): | |
19212 | (testCompareAndSwap): | |
19213 | ||
19214 | 2015-03-09 Mark Lam <mark.lam@apple.com> | |
19215 | ||
19216 | 8-bit version of weakCompareAndSwap() can cause an infinite loop. | |
19217 | <https://webkit.org/b/142513> | |
19218 | ||
19219 | Reviewed by Filip Pizlo. | |
19220 | ||
19221 | Added a test that exercises the 8-bit CAS from multiple threads. The threads | |
19222 | will contend to set bits in a large array of bytes using the CAS function. | |
19223 | ||
19224 | * API/tests/CompareAndSwapTest.cpp: Added. | |
19225 | (Bitmap::Bitmap): | |
19226 | (Bitmap::numBits): | |
19227 | (Bitmap::clearAll): | |
19228 | (Bitmap::concurrentTestAndSet): | |
19229 | (setBitThreadFunc): | |
19230 | (testCompareAndSwap): | |
19231 | * API/tests/testapi.c: | |
19232 | (main): | |
19233 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: | |
19234 | * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: | |
19235 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
19236 | ||
19237 | 2015-03-09 Brent Fulgham <bfulgham@apple.com> | |
19238 | ||
19239 | [Win] testapi project is unable to find the 'config.h' file. | |
19240 | ||
19241 | Rubberstamped by Mark Lam. | |
19242 | ||
19243 | * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add JavaScriptCore source directory | |
19244 | to the include path. | |
19245 | ||
19246 | 2015-03-09 Andreas Kling <akling@apple.com> | |
19247 | ||
19248 | Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily. | |
19249 | <https://webkit.org/b/142115> | |
19250 | <rdar://problem/19992268> | |
19251 | ||
19252 | Reviewed by Geoffrey Garen. | |
19253 | ||
19254 | Prune stale entries from WeakGCMaps as part of every full garbage collection. | |
19255 | This frees up tons of previously-stuck WeakBlocks that were only sitting around | |
19256 | with finalized handles waiting to die. | |
19257 | ||
19258 | Note that WeakGCMaps register/unregister themselves with the GC heap in their | |
19259 | ctor/dtor, so creating one now requires passing the VM. | |
19260 | ||
19261 | Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears | |
19262 | to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms. | |
19263 | It seems somewhat excessive to do this on every Eden collection, so it's only | |
19264 | doing work in full collections for now. | |
19265 | ||
19266 | Because the GC may now mutate WeakGCMap below object allocation, I've made it | |
19267 | so that the classic HashMap::add() optimization can't be used with WeakGCMap. | |
19268 | This caused intermittent test failures when originally landed due to having | |
19269 | an invalid iterator on the stack after add() inserted a new entry and we | |
19270 | proceeded to allocate the new object, triggering GC. | |
19271 | ||
19272 | * API/JSWeakObjectMapRefInternal.h: | |
19273 | (OpaqueJSWeakObjectMap::create): | |
19274 | (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap): | |
19275 | * API/JSWeakObjectMapRefPrivate.cpp: | |
19276 | * API/JSWrapperMap.mm: | |
19277 | (-[JSWrapperMap initWithContext:]): | |
19278 | (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor. | |
19279 | ||
19280 | * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make | |
19281 | it project-private so WebCore clients can access it. | |
19282 | ||
19283 | * heap/Heap.cpp: | |
19284 | (JSC::Heap::collect): | |
19285 | (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning | |
19286 | stale entries from WeakGCMaps. This is only executed during full collections. | |
19287 | ||
19288 | * heap/Heap.h: | |
19289 | * heap/HeapInlines.h: | |
19290 | (JSC::Heap::registerWeakGCMap): | |
19291 | (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register | |
19292 | themselves with the Heap and provide a pruning callback. | |
19293 | ||
19294 | * runtime/PrototypeMap.h: | |
19295 | (JSC::PrototypeMap::PrototypeMap): | |
19296 | * runtime/Structure.cpp: | |
19297 | (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor. | |
19298 | ||
19299 | * runtime/JSCInlines.h: Add "WeakGCMapInlines.h" | |
19300 | ||
19301 | * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds. | |
19302 | ||
19303 | * runtime/JSString.cpp: | |
19304 | (JSC::jsStringWithCacheSlowCase): | |
19305 | * runtime/PrototypeMap.cpp: | |
19306 | (JSC::PrototypeMap::addPrototype): | |
19307 | (JSC::PrototypeMap::emptyObjectStructureForPrototype): Remove HashMap add() | |
19308 | optimization since it's not safe in the GC-managed WeakGCMap world. | |
19309 | ||
19310 | * runtime/VM.cpp: | |
19311 | (JSC::VM::VM): Pass VM to WeakGCMap constructor. | |
19312 | ||
19313 | * runtime/WeakGCMap.h: | |
19314 | (JSC::WeakGCMap::set): | |
19315 | (JSC::WeakGCMap::add): | |
19316 | (JSC::WeakGCMap::WeakGCMap): Deleted. | |
19317 | (JSC::WeakGCMap::gcMap): Deleted. | |
19318 | (JSC::WeakGCMap::gcMapIfNeeded): Deleted. | |
19319 | * runtime/WeakGCMapInlines.h: Added. | |
19320 | (JSC::WeakGCMap::WeakGCMap): | |
19321 | (JSC::WeakGCMap::~WeakGCMap): | |
19322 | (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback | |
19323 | to WeakGCMapInlines.h to fix interdependent header issues. Removed code that | |
19324 | prunes WeakGCMap at certain growth milestones and instead rely on the GC | |
19325 | callback for housekeeping. | |
19326 | ||
19327 | 2015-03-09 Ryosuke Niwa <rniwa@webkit.org> | |
19328 | ||
19329 | Support extends and super keywords | |
19330 | https://bugs.webkit.org/show_bug.cgi?id=142200 | |
19331 | ||
19332 | Reviewed by Filip Pizlo. | |
19333 | ||
19334 | Added the support for ES6 class syntax inheritance. | |
19335 | ||
19336 | Added ConstructorKind as well as boolean flags indicating the constructor kind to | |
19337 | various classes in UnlinkedCodeBlock as well as AST nodes. | |
19338 | ||
19339 | Each method stores the associated class as its homeObjectPrivateName. This value is used to | |
19340 | make super calls. | |
19341 | ||
19342 | * bytecode/UnlinkedCodeBlock.cpp: | |
19343 | (JSC::generateFunctionCodeBlock): | |
19344 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): | |
19345 | (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): | |
19346 | ||
19347 | * bytecode/UnlinkedCodeBlock.h: | |
19348 | (JSC::ExecutableInfo::ExecutableInfo): | |
19349 | (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Added. | |
19350 | (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Added. | |
19351 | ||
19352 | * bytecompiler/BytecodeGenerator.cpp: | |
19353 | (JSC::BytecodeGenerator::BytecodeGenerator): Don't emit op_create_this in a derived class | |
19354 | as the object is allocated by the highest base class's constructor. Also set "this" to null | |
19355 | and store the original value in m_newTargetRegister. "this" is supposed to be in TDZ but | |
19356 | that will be implemented in a separate patch. | |
19357 | (JSC::BytecodeGenerator::emitReturn): Allow "undefined" to be returned from a derived class. | |
19358 | In a derived class's constructor, not returning "undefined" or an object results in a type | |
19359 | error instead of "this" being returned. | |
19360 | (JSC::BytecodeGenerator::emitThrowTypeError): Added. | |
19361 | ||
19362 | * bytecompiler/BytecodeGenerator.h: | |
19363 | (JSC::BytecodeGenerator::constructorKindIsDerived): Added. | |
19364 | (JSC::BytecodeGenerator::newTarget): Added. | |
19365 | ||
19366 | * bytecompiler/NodesCodegen.cpp: | |
19367 | (JSC::SuperNode::emitBytecode): Added. Emits the code to obtain the callee's parent class. | |
19368 | (JSC::emitSuperBaseForCallee): Added. Emits the code to obtain the parent class's prototype. | |
19369 | (JSC::emitPutHomeObject): Added. | |
19370 | (JSC::PropertyListNode::emitBytecode): Stores the home object when adding methods. | |
19371 | (JSC::PropertyListNode::emitPutConstantProperty): Ditto. | |
19372 | (JSC::BracketAccessorNode::emitBytecode): Added the support for super['foo']. | |
19373 | (JSC::DotAccessorNode::emitBytecode): Added the support for super.foo. | |
19374 | (JSC::FunctionCallValueNode::emitBytecode): Added the support for super(). | |
19375 | (JSC::FunctionCallBracketNode::emitBytecode): Added the support for super['foo'](). | |
19376 | (JSC::FunctionCallDotNode::emitBytecode): Added the support for super.foo(). | |
19377 | (JSC::DeleteBracketNode::emitBytecode): Forbid "delete super.foo". | |
19378 | (JSC::DeleteDotNode::emitBytecode): Forbid "delete super['foo']". | |
19379 | (JSC::ClassExprNode::emitBytecode): Added the support for "classHeritage". This is the main | |
19380 | logic for inheritance. When a class B inherits from a class A, set B.__proto__ to A and set | |
19381 | B.prototype.__proto__ to A.prototype. Throw exceptions when either A or A.__proto__ is not | |
19382 | an object. | |
19383 | ||
19384 | * parser/ASTBuilder.h: | |
19385 | (JSC::ASTBuilder::superExpr): Added. | |
19386 | ||
19387 | * parser/NodeConstructors.h: | |
19388 | (JSC::SuperNode::SuperNode): Added. | |
19389 | ||
19390 | * parser/Nodes.cpp: | |
19391 | (JSC::FunctionBodyNode::FunctionBodyNode): | |
19392 | ||
19393 | * parser/Nodes.h: | |
19394 | (JSC::ExpressionNode::isSuperNode): | |
19395 | (JSC::PropertyNode::type): | |
19396 | (JSC::PropertyNode::needsSuperBinding): | |
19397 | ||
19398 | * parser/Parser.cpp: | |
19399 | (JSC::Parser<LexerType>::parseFunctionBody): | |
19400 | (JSC::Parser<LexerType>::parseFunctionInfo): Throw a parser error if super() is used outside | |
19401 | of class constructors. | |
19402 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
19403 | (JSC::Parser<LexerType>::parseClass): ConstructorKind is "derived" if and only if the parent | |
19404 | class is specified in the declaration / expression. | |
19405 | (JSC::Parser<LexerType>::parseGetterSetter): | |
19406 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
19407 | (JSC::Parser<LexerType>::parseMemberExpression): Added the support for "super()", "super.foo", | |
19408 | and "super['foo']". Throw a semantic error if "super" appears by itself. | |
19409 | ||
19410 | * parser/Parser.h: | |
19411 | (JSC::Scope::Scope): Added m_hasDirectSuper. This variable keeps track of the use of "super()" | |
19412 | so that parseFunctionInfo can spit an error if it's used outside of class constructors. | |
19413 | (JSC::Scope::hasDirectSuper): Added. | |
19414 | (JSC::Scope::setHasDirectSuper): Added. | |
19415 | ||
19416 | * parser/ParserModes.h: | |
19417 | (JSC::ConstructorKind): Added. | |
19418 | ||
19419 | * parser/SyntaxChecker.h: | |
19420 | (JSC::SyntaxChecker::superExpr): Added. | |
19421 | ||
19422 | * runtime/CommonIdentifiers.h: Added homeObjectPrivateName. | |
19423 | ||
19424 | * runtime/Executable.h: | |
19425 | (JSC::EvalExecutable::executableInfo): | |
19426 | (JSC::ProgramExecutable::executableInfo): | |
19427 | ||
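Added example, not code from the WebKit ChangeLog or the JSC sources: it exercises, from the script side, the class-heritage semantics the entry above describes (the two prototype links, super.foo() and super() calls, the return-value rule for derived constructors, and the parse-time rejection of super() outside a class constructor).

```javascript
// Added example, not from the WebKit ChangeLog or the JSC sources: exercises the
// ES6 class-heritage semantics described in the entry above.

class A {
  constructor(x) { this.x = x; }
  describe() { return `A(${this.x})`; }
}

class B extends A {
  constructor(x, y) {
    super(x);        // the object is allocated by the base constructor
    this.y = y;
  }
  describe() { return `B:${super.describe()}+${this.y}`; }   // super.foo()
}

// The two prototype links the ClassExprNode codegen establishes for
// "class B extends A": B.__proto__ === A and B.prototype.__proto__ === A.prototype.
function heritageLinks(Derived, Base) {
  return {
    constructorLink: Object.getPrototypeOf(Derived) === Base,
    prototypeLink: Object.getPrototypeOf(Derived.prototype) === Base.prototype,
  };
}

// A derived constructor may return undefined (implicitly "this") or an object;
// returning any other value is a TypeError.
function derivedReturnBehaviour() {
  class ReturnsObject extends A {
    constructor() { super(1); return { marker: 'override' }; }
  }
  class ReturnsPrimitive extends A {
    constructor() { super(1); return 42; }
  }
  const results = { objectOverride: new ReturnsObject().marker };
  try {
    new ReturnsPrimitive();
    results.primitive = 'no error';
  } catch (e) {
    results.primitive = e.constructor.name;
  }
  return results;
}

// The heritage value must be a constructor (or null); a number is rejected
// when the class definition is evaluated.
function extendsNonObject() {
  try {
    class Bad extends 42 {}
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}

// super() outside a class constructor is a parse-time error, so it surfaces
// as a SyntaxError before any of the function body runs.
function superOutsideConstructor() {
  try {
    new Function('super();');
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}
```
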
19428 | 2015-03-08 Andreas Kling <akling@apple.com> | |
19429 | ||
19430 | JITThunks keeps finalized Weaks around, pinning WeakBlocks. | |
19431 | <https://webkit.org/b/142454> | |
19432 | ||
19433 | Reviewed by Darin Adler. | |
19434 | ||
19435 | Make JITThunks a WeakHandleOwner so it can keep its host function map free of stale entries. | |
19436 | This fixes an issue I was seeing where a bunch of WeakBlocks stuck around with nothing but | |
19437 | finalized Weak<NativeExecutable> entries. | |
19438 | ||
19439 | * jit/JITThunks.h: | |
19440 | * jit/JITThunks.cpp: | |
19441 | (JSC::JITThunks::finalize): Make JITThunks inherit from WeakHandleOwner so it can receive | |
19442 | a callback when the NativeExecutables get garbage collected. | |
19443 | ||
19444 | (JSC::JITThunks::hostFunctionStub): Pass 'this' as the handle owner when creating Weaks. | |
19445 | ||
19446 | 2015-03-08 Andreas Kling <akling@apple.com> | |
19447 | ||
19448 | BuiltinExecutables keeps finalized Weaks around, pinning WeakBlocks. | |
19449 | <https://webkit.org/b/142460> | |
19450 | ||
19451 | Reviewed by Geoffrey Garen. | |
19452 | ||
19453 | Make BuiltinExecutables a WeakHandleOwner so it can clear out its respective Weak members | |
19454 | if and when their pointees get garbage collected. | |
19455 | ||
19456 | This fixes an issue I've seen locally where a WeakBlock is pinned down by a single one of | |
19457 | these Weak<BuiltinExecutables>. | |
19458 | ||
19459 | * builtins/BuiltinExecutables.h: Make BuiltinExecutables inherit from WeakHandleOwner. | |
19460 | ||
19461 | * builtins/BuiltinExecutables.cpp: | |
19462 | (JSC::BuiltinExecutables::finalize): Clear out the relevant member pointer when it's been | |
19463 | garbage collected. We use the WeakImpl's "context" field to pass the address of the member. | |
19464 | ||
19465 | 2015-03-07 Geoffrey Garen <ggaren@apple.com> | |
19466 | ||
19467 | Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages | |
19468 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
19469 | ||
19470 | Reviewed by Mark Hahnenberg. | |
19471 | ||
19472 | Re-landing just the removal of BlockAllocator, which is now unused. | |
19473 | ||
19474 | * API/JSBase.cpp: | |
19475 | * CMakeLists.txt: | |
19476 | * JavaScriptCore.order: | |
19477 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
19478 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
19479 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
19480 | * heap/BlockAllocator.cpp: Removed. | |
19481 | * heap/BlockAllocator.h: Removed. | |
19482 | * heap/GCThreadSharedData.h: | |
19483 | * heap/HandleBlockInlines.h: | |
19484 | * heap/Heap.cpp: | |
19485 | (JSC::Heap::Heap): | |
19486 | * heap/Heap.h: | |
19487 | * heap/HeapInlines.h: | |
19488 | (JSC::Heap::blockAllocator): Deleted. | |
19489 | * heap/HeapTimer.cpp: | |
19490 | * heap/MarkedBlock.h: | |
19491 | * heap/MarkedSpace.h: | |
19492 | * heap/Region.h: Removed. | |
19493 | * heap/SuperRegion.cpp: Removed. | |
19494 | * heap/SuperRegion.h: Removed. | |
19495 | ||
19496 | 2015-03-07 Commit Queue <commit-queue@webkit.org> | |
19497 | ||
19498 | Unreviewed, rolling out r181010. | |
19499 | https://bugs.webkit.org/show_bug.cgi?id=142442 | |
19500 | ||
19501 | Broke media/video-src-invalid-poster.html (Requested by kling | |
19502 | on #webkit). | |
19503 | ||
19504 | Reverted changeset: | |
19505 | ||
19506 | "Stale entries in WeakGCMaps are keeping tons of WeakBlocks | |
19507 | alive unnecessarily." | |
19508 | https://bugs.webkit.org/show_bug.cgi?id=142115 | |
19509 | http://trac.webkit.org/changeset/181010 | |
19510 | ||
19511 | 2015-03-07 Ryosuke Niwa <rniwa@webkit.org> | |
19512 | ||
19513 | The code to link FunctionExecutable is duplicated everywhere | |
19514 | https://bugs.webkit.org/show_bug.cgi?id=142436 | |
19515 | ||
19516 | Reviewed by Darin Adler. | |
19517 | ||
19518 | Reduced code duplication by factoring out linkInsideExecutable and linkGlobalCode. | |
19519 | ||
19520 | * bytecode/CodeBlock.cpp: | |
19521 | (JSC::CodeBlock::CodeBlock): Calls linkInsideExecutable. | |
19522 | ||
19523 | * bytecode/UnlinkedCodeBlock.cpp: | |
19524 | (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Renamed from link. Now takes care of startOffset. | |
19525 | This change was needed to use this function in CodeBlock::CodeBlock. Also, this function no longer takes | |
19526 | lineOffset since this information is already stored in the source code. | |
19527 | (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Extracted from FunctionExecutable::fromGlobalCode. | |
19528 | ||
19529 | * bytecode/UnlinkedCodeBlock.h: | |
19530 | ||
19531 | * generate-js-builtins: Calls linkGlobalCode. | |
19532 | ||
19533 | * runtime/Executable.cpp: | |
19534 | (JSC::ProgramExecutable::initializeGlobalProperties): Calls linkGlobalCode. | |
19535 | (JSC::FunctionExecutable::fromGlobalCode): Calls linkGlobalCode. | |
19536 | ||
19537 | 2015-03-06 Geoffrey Garen <ggaren@apple.com> | |
19538 | ||
19539 | Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages | |
19540 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
19541 | ||
19542 | Reviewed by Mark Hahnenberg. | |
19543 | ||
19544 | Re-landing just the MarkedBlock piece of this patch. | |
19545 | ||
19546 | * heap/MarkedAllocator.cpp: | |
19547 | (JSC::MarkedAllocator::allocateBlock): | |
19548 | * heap/MarkedBlock.cpp: | |
19549 | (JSC::MarkedBlock::create): | |
19550 | (JSC::MarkedBlock::destroy): | |
19551 | (JSC::MarkedBlock::MarkedBlock): | |
19552 | * heap/MarkedBlock.h: | |
19553 | (JSC::MarkedBlock::capacity): | |
19554 | * heap/MarkedSpace.cpp: | |
19555 | (JSC::MarkedSpace::freeBlock): | |
19556 | ||
19557 | 2015-03-07 Ryosuke Niwa <rniwa@webkit.org> | |
19558 | ||
19559 | fromGlobalCode has an unused Debugger* argument | |
19560 | https://bugs.webkit.org/show_bug.cgi?id=142430 | |
19561 | ||
19562 | Reviewed by Darin Adler. | |
19563 | ||
19564 | Removed the debugger argument from UnlinkedFunctionExecutable::fromGlobalCode and | |
19565 | FunctionExecutable::fromGlobalCode since it's not used in either function. | |
19566 | ||
19567 | Also use references in other arguments. | |
19568 | ||
19569 | * bytecode/UnlinkedCodeBlock.cpp: | |
19570 | (JSC::UnlinkedFunctionExecutable::fromGlobalCode): | |
19571 | * bytecode/UnlinkedCodeBlock.h: | |
19572 | * runtime/Executable.cpp: | |
19573 | (JSC::FunctionExecutable::fromGlobalCode): | |
19574 | * runtime/Executable.h: | |
19575 | * runtime/FunctionConstructor.cpp: | |
19576 | (JSC::constructFunctionSkippingEvalEnabledCheck): | |
19577 | ||
19578 | 2015-03-06 Brent Fulgham <bfulgham@apple.com> | |
19579 | ||
19580 | [Win] Turn off a warning on Windows. | |
19581 | ||
19582 | Reduce build logging noise on Windows. | |
19583 | ||
19584 | * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: | |
19585 | ||
19586 | 2015-03-06 Joseph Pecoraro <pecoraro@apple.com> | |
19587 | ||
19588 | Web Inspector: ES6: Improved Support for Iterator Objects | |
19589 | https://bugs.webkit.org/show_bug.cgi?id=142420 | |
19590 | ||
19591 | Reviewed by Timothy Hatcher. | |
19592 | ||
19593 | * inspector/protocol/Runtime.json: | |
19594 | Add new object subtype "iterator" for built-in iterator objects. | |
19595 | ||
19596 | * inspector/InjectedScriptSource.js: | |
19597 | Return iterator values as Entry objects. | |
19598 | ||
19599 | * inspector/JSInjectedScriptHost.cpp: | |
19600 | (Inspector::JSInjectedScriptHost::subtype): | |
19601 | Identify "iterator" typed objects. | |
19602 | ||
19603 | (Inspector::JSInjectedScriptHost::getInternalProperties): | |
19604 | Provide internal properties for the different Iterator objects. | |
19605 | ||
19606 | (Inspector::JSInjectedScriptHost::iteratorEntries): | |
19607 | Fetch the next few iterator entries of a built-in iterator object. | |
19608 | ||
19609 | * inspector/JSInjectedScriptHost.h: | |
19610 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
19611 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
19612 | (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries): | |
19613 | Call through to JSInjectedScriptHost. | |
19614 | ||
19615 | * runtime/JSArgumentsIterator.cpp: | |
19616 | (JSC::JSArgumentsIterator::clone): | |
19617 | * runtime/JSArgumentsIterator.h: | |
19618 | (JSC::JSArgumentsIterator::iteratedValue): | |
19619 | * runtime/JSArrayIterator.cpp: | |
19620 | (JSC::JSArrayIterator::kind): | |
19621 | (JSC::JSArrayIterator::iteratedValue): | |
19622 | (JSC::JSArrayIterator::clone): | |
19623 | * runtime/JSArrayIterator.h: | |
19624 | * runtime/JSMapIterator.cpp: | |
19625 | (JSC::JSMapIterator::finishCreation): | |
19626 | (JSC::JSMapIterator::clone): | |
19627 | * runtime/JSMapIterator.h: | |
19628 | (JSC::JSMapIterator::kind): | |
19629 | (JSC::JSMapIterator::iteratedValue): | |
19630 | * runtime/JSSetIterator.cpp: | |
19631 | (JSC::JSSetIterator::finishCreation): | |
19632 | (JSC::JSSetIterator::clone): | |
19633 | * runtime/JSSetIterator.h: | |
19634 | (JSC::JSSetIterator::kind): | |
19635 | (JSC::JSSetIterator::iteratedValue): | |
19636 | * runtime/JSStringIterator.cpp: | |
19637 | (JSC::JSStringIterator::iteratedValue): | |
19638 | (JSC::JSStringIterator::clone): | |
19639 | * runtime/JSStringIterator.h: | |
19640 | Add accessors for internal properties and provide a way to clone the | |
19641 | iterator so we can be at the same index and peek at the next few | |
19642 | objects without modifying the original iterator object. | |
19643 | ||
19644 | 2015-03-06 Ryosuke Niwa <rniwa@webkit.org> | |
19645 | ||
19646 | REGRESSION(r180595): construct varargs fails in FTL | |
19647 | https://bugs.webkit.org/show_bug.cgi?id=142030 | |
19648 | ||
19649 | Reviewed by Michael Saboff. | |
19650 | ||
19651 | Increase sizeOfCallVarargs as done for sizeOfConstructVarargs in r180651. | |
19652 | ||
19653 | * ftl/FTLInlineCacheSize.cpp: | |
19654 | (JSC::FTL::sizeOfCallVarargs): | |
19655 | ||
19656 | 2015-03-06 Joseph Pecoraro <pecoraro@apple.com> | |
19657 | ||
19658 | Web Inspector: Adopt Object Literal Shorthand Property Construction Syntax | |
19659 | https://bugs.webkit.org/show_bug.cgi?id=142374 | |
19660 | ||
19661 | Reviewed by Timothy Hatcher. | |
19662 | ||
19663 | * inspector/InjectedScriptSource.js: | |
19664 | ||
19665 | 2015-03-06 Joseph Pecoraro <pecoraro@apple.com> | |
19666 | ||
19667 | ES6: Object Literal Extensions - Methods | |
19668 | https://bugs.webkit.org/show_bug.cgi?id=142390 | |
19669 | ||
19670 | Reviewed by Geoffrey Garen. | |
19671 | ||
19672 | Support method syntax in object literals. | |
19673 | ||
19674 | * parser/Parser.h: | |
19675 | * parser/Parser.cpp: | |
19676 | (JSC::stringForFunctionMode): | |
19677 | (JSC::Parser<LexerType>::parseProperty): | |
19678 | Methods are allowed for identifier, string, and numeric names, | |
19679 | and computed property names. | |
19680 | ||
19681 | (JSC::Parser<LexerType>::parsePropertyMethod): | |
19682 | Helper for parsing a property method. | |
19683 | ||
19684 | 2015-03-05 Joseph Pecoraro <pecoraro@apple.com> | |
19685 | ||
19686 | __proto__ shorthand property should not modify prototype in Object Literal construction | |
19687 | https://bugs.webkit.org/show_bug.cgi?id=142382 | |
19688 | ||
19689 | Reviewed by Geoffrey Garen. | |
19690 | ||
19691 | When parsing shorthand property syntax we know we will do a | |
19692 | put direct, even if the property name is __proto__. Pass that | |
19693 | information through to bytecode generation. | |
19694 | ||
19695 | * bytecompiler/BytecodeGenerator.cpp: | |
19696 | (JSC::BytecodeGenerator::emitDirectPutById): | |
19697 | * bytecompiler/BytecodeGenerator.h: | |
19698 | * bytecompiler/NodesCodegen.cpp: | |
19699 | (JSC::PropertyListNode::emitPutConstantProperty): | |
19700 | * parser/ASTBuilder.h: | |
19701 | (JSC::ASTBuilder::createGetterOrSetterProperty): | |
19702 | (JSC::ASTBuilder::createProperty): | |
19703 | * parser/NodeConstructors.h: | |
19704 | (JSC::PropertyNode::PropertyNode): | |
19705 | * parser/Nodes.h: | |
19706 | (JSC::PropertyNode::putType): | |
19707 | * parser/Parser.cpp: | |
19708 | (JSC::Parser<LexerType>::parseClass): | |
19709 | (JSC::Parser<LexerType>::parseProperty): | |
19710 | * parser/SyntaxChecker.h: | |
19711 | (JSC::SyntaxChecker::createProperty): | |
19712 | ||
19713 | 2015-03-06 Geoffrey Garen <ggaren@apple.com> | |
19714 | ||
19715 | Fix crashes seen on the 32-bit buildbots after my last patch. | |
19716 | ||
19717 | Unreviewed. | |
19718 | ||
19719 | * heap/CopiedBlock.h: | |
19720 | (JSC::CopiedBlock::payload): | |
19721 | * heap/CopiedSpace.cpp: | |
19722 | (JSC::CopiedSpace::tryAllocateOversize): Round up to the right alignment, | |
19723 | since the size of the CopiedBlock class is not guaranteed to be the | |
19724 | right alignment, and is in fact the wrong alignment on 32-bit. | |
19725 | ||
19726 | 2015-03-05 Geoffrey Garen <ggaren@apple.com> | |
19727 | ||
19728 | Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages | |
19729 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
19730 | ||
19731 | Reviewed by Mark Hahnenberg. | |
19732 | ||
19733 | Re-landing just the CopiedBlock piece of this patch. | |
19734 | ||
19735 | * heap/CopiedBlock.h: | |
19736 | (JSC::CopiedBlock::createNoZeroFill): | |
19737 | (JSC::CopiedBlock::destroy): | |
19738 | (JSC::CopiedBlock::create): | |
19739 | (JSC::CopiedBlock::CopiedBlock): | |
19740 | (JSC::CopiedBlock::isOversize): | |
19741 | (JSC::CopiedBlock::payloadEnd): | |
19742 | (JSC::CopiedBlock::capacity): | |
19743 | * heap/CopiedSpace.cpp: | |
19744 | (JSC::CopiedSpace::~CopiedSpace): | |
19745 | (JSC::CopiedSpace::tryAllocateOversize): | |
19746 | (JSC::CopiedSpace::tryReallocateOversize): | |
19747 | * heap/CopiedSpaceInlines.h: | |
19748 | (JSC::CopiedSpace::recycleEvacuatedBlock): | |
19749 | (JSC::CopiedSpace::recycleBorrowedBlock): | |
19750 | (JSC::CopiedSpace::allocateBlockForCopyingPhase): | |
19751 | (JSC::CopiedSpace::allocateBlock): | |
19752 | (JSC::CopiedSpace::startedCopying): | |
19753 | * heap/CopyWorkList.h: | |
19754 | ||
19755 | 2015-03-06 Myles C. Maxfield <mmaxfield@apple.com> | |
19756 | ||
19757 | [iOS] SVG fonts are garbled | |
19758 | https://bugs.webkit.org/show_bug.cgi?id=142377 | |
19759 | ||
19760 | Reviewed by Simon Fraser. | |
19761 | ||
19762 | * Configurations/FeatureDefines.xcconfig: | |
19763 | ||
19764 | 2015-03-05 Joseph Pecoraro <pecoraro@apple.com> | |
19765 | ||
19766 | ES6: Object Literal Extensions - Shorthand Properties (Identifiers) | |
19767 | https://bugs.webkit.org/show_bug.cgi?id=142353 | |
19768 | ||
19769 | Reviewed by Geoffrey Garen. | |
19770 | ||
19771 | * parser/Parser.cpp: | |
19772 | (JSC::Parser<LexerType>::parseProperty): | |
19773 | When parsing an identifier property followed by a comma or end brace, treat | |
19774 | it as a shorthand property and create a property that has the same | |
19775 | property name as the identifier name and value of a variable with that | |
19776 | identifier. Otherwise, fall through to getter/setter parsing. | |
19777 | ||
19778 | 2015-03-05 Brent Fulgham <bfulgham@apple.com> | |
19779 | ||
19780 | [Win] Unreviewed gardening. | |
19781 | ||
19782 | Confirmed with JSC that warning 4611 (interaction between '_setjmp' and C++ object | |
19783 | destruction is non-portable) should be ignored in the JavaScriptCore project. | |
19784 | ||
19785 | * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Silence warning 4611. | |
19786 | ||
19787 | 2015-03-05 Chris Dumez <cdumez@apple.com> | |
19788 | ||
19789 | Regression(r173761): ASSERTION FAILED: !is8Bit() in StringImpl::characters16() | |
19790 | https://bugs.webkit.org/show_bug.cgi?id=142350 | |
19791 | ||
19792 | Reviewed by Michael Saboff and Benjamin Poulain. | |
19793 | ||
19794 | Call WTFString::hasInfixStartingAt() / hasInfixEndingAt() now that these | |
19795 | methods have been renamed for clarity. | |
19796 | ||
19797 | * runtime/StringPrototype.cpp: | |
19798 | (JSC::stringProtoFuncStartsWith): | |
19799 | (JSC::stringProtoFuncEndsWith): | |
19800 | ||
19801 | 2015-03-05 Yusuke Suzuki <utatane.tea@gmail.com> | |
19802 | ||
19803 | Implement ES6 StringIterator | |
19804 | https://bugs.webkit.org/show_bug.cgi?id=142080 | |
19805 | ||
19806 | Reviewed by Filip Pizlo. | |
19807 | ||
19808 | This patch introduces ES6 String Iterator. | |
19809 | It enumerates code points instead of elements in String. | |
19810 | So surrogate pairs should be handled correctly. | |
19811 | ||
19812 | * CMakeLists.txt: | |
19813 | * DerivedSources.make: | |
19814 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
19815 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
19816 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
19817 | * builtins/StringIterator.prototype.js: Added. | |
19818 | (next): | |
19819 | * runtime/CommonIdentifiers.h: | |
19820 | * runtime/JSGlobalObject.cpp: | |
19821 | * runtime/JSGlobalObject.h: | |
19822 | * runtime/JSStringIterator.cpp: Added. | |
19823 | (JSC::JSStringIterator::finishCreation): | |
19824 | * runtime/JSStringIterator.h: Added. | |
19825 | (JSC::JSStringIterator::createStructure): | |
19826 | (JSC::JSStringIterator::create): | |
19827 | (JSC::JSStringIterator::JSStringIterator): | |
19828 | * runtime/StringIteratorConstructor.cpp: Added. | |
19829 | (JSC::StringIteratorConstructor::finishCreation): | |
19830 | * runtime/StringIteratorConstructor.h: Added. | |
19831 | (JSC::StringIteratorConstructor::create): | |
19832 | (JSC::StringIteratorConstructor::createStructure): | |
19833 | (JSC::StringIteratorConstructor::StringIteratorConstructor): | |
19834 | * runtime/StringIteratorPrototype.cpp: Added. | |
19835 | (JSC::StringIteratorPrototype::finishCreation): | |
19836 | (JSC::StringIteratorPrototype::getOwnPropertySlot): | |
19837 | (JSC::stringIteratorPrototypeIterator): | |
19838 | * runtime/StringIteratorPrototype.h: Added. | |
19839 | (JSC::StringIteratorPrototype::create): | |
19840 | (JSC::StringIteratorPrototype::createStructure): | |
19841 | (JSC::StringIteratorPrototype::StringIteratorPrototype): | |
19842 | * runtime/StringPrototype.cpp: | |
19843 | (JSC::StringPrototype::finishCreation): | |
19844 | (JSC::stringProtoFuncIterator): | |
19845 | * tests/stress/string-iterators.js: Added. | |
19846 | (testSurrogatePair): | |
19847 | (increment): | |
19848 | (for): | |
19849 | ||
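Added example, not code from the WebKit ChangeLog or the JSC builtin: a plain-JS string iterator with the behaviour the entry above describes (one IteratorResult per code point, combining surrogate pairs and passing lone surrogates through), checked against the engine's own String iterator on constructed inputs.

```javascript
// Added example, not from the WebKit ChangeLog or builtins/StringIterator.prototype.js:
// a code-point iterator with the semantics the entry describes.

function isLeadSurrogate(cu) { return cu >= 0xD800 && cu <= 0xDBFF; }
function isTrailSurrogate(cu) { return cu >= 0xDC00 && cu <= 0xDFFF; }

// Yields one string per code point: a valid lead+trail pair becomes a single
// 2-unit string, a lone surrogate is passed through as a 1-unit string.
function codePointIterator(str) {
  let index = 0;
  return {
    next() {
      if (index >= str.length) return { value: undefined, done: true };
      const first = str.charCodeAt(index);
      let size = 1;
      if (isLeadSurrogate(first) && index + 1 < str.length &&
          isTrailSurrogate(str.charCodeAt(index + 1))) {
        size = 2;
      }
      const value = str.substring(index, index + size);
      index += size;
      return { value, done: false };   // IteratorResult: { value, done }
    },
    [Symbol.iterator]() { return this; },
  };
}

function codePoints(str) { return Array.from(codePointIterator(str)); }

// Compare with the built-in iterator that for-of and spread use.
function matchesBuiltin(str) {
  const ours = codePoints(str);
  const builtin = [...str];
  return ours.length === builtin.length && ours.every((s, i) => s === builtin[i]);
}

// Constructed inputs: BMP text, a surrogate pair, and lone/misordered surrogates.
const SAMPLES = ['abc', 'a\uD83D\uDE00b', '\uD83D', 'x\uDE00y', '\uD83D\uD83D\uDE00'];
```
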
19850 | 2015-03-05 Csaba Osztrogonác <ossy@webkit.org> | |
19851 | ||
19852 | [ARM] Fix the FTL build on Aarch64 Linux after r177421 | |
19853 | https://bugs.webkit.org/show_bug.cgi?id=142040 | |
19854 | ||
19855 | Reviewed by Mark Lam. | |
19856 | ||
19857 | * llvm/library/LLVMExports.cpp: | |
19858 | (initializeAndGetJSCLLVMAPI): | |
19859 | ||
19860 | 2015-03-05 Yusuke Suzuki <utatane.tea@gmail.com> | |
19861 | ||
19862 | Upgrade ES6 Iterator interfaces | |
19863 | https://bugs.webkit.org/show_bug.cgi?id=141351 | |
19864 | ||
19865 | Reviewed by Filip Pizlo. | |
19866 | ||
19867 | This patch upgrades the existing ES6 iterator to align with the latest spec. | |
19868 | In the latest spec, | |
19869 | 1. `Iterator.next` returns an object that implements the IteratorResult interface { value: value, done: boolean }. | |
19870 | 2. `Iterator.return` is introduced. When the iteration is terminated by the abrupt completion, | |
19871 | it is called to close iterator state. | |
19872 | 3. Iterator.next of Array is moved from an iterator object to `%ArrayIteratorPrototype%`. | |
19873 | ||
19874 | To upgrade it, we changed the bytecode that represents for-of loops. | |
19875 | And to embody the efficient iteration with an iterator object, | |
19876 | we implemented %ArrayIteratorPrototype%.next in JavaScript and | |
19877 | it is located in builtins/ArrayIterator.prototype.js. | |
19878 | Implementing it in JavaScript encourages inlining and | |
19879 | utilizes escape analysis for an iterator result object in DFG JIT. | |
19880 | And we dropped the intrinsic version of %ArrayIteratorPrototype%.next. | |
19881 | ||
19882 | And we introduced IteratorOperations that is defined in the spec. | |
19883 | It aligns the iteration in the runtime to the latest spec. | |
19884 | Currently, Promise.all and Promise.race use an iterable object. | |
19885 | However, Promise.all and Promise.race implementation is also based on the old spec. | |
19886 | Subsequent patches will upgrade it. | |
19887 | ||
19888 | * CMakeLists.txt: | |
19889 | * DerivedSources.make: | |
19890 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
19891 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
19892 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
19893 | * builtins/ArrayIterator.prototype.js: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.h. | |
19894 | (next): | |
19895 | * bytecompiler/BytecodeGenerator.cpp: | |
19896 | (JSC::BytecodeGenerator::emitReturn): | |
19897 | (JSC::BytecodeGenerator::emitThrowTypeError): | |
19898 | (JSC::BytecodeGenerator::emitEnumeration): | |
19899 | (JSC::BytecodeGenerator::emitIsObject): | |
19900 | (JSC::BytecodeGenerator::emitIsUndefined): | |
19901 | * bytecompiler/BytecodeGenerator.h: | |
19902 | * jit/ThunkGenerators.cpp: | |
19903 | (JSC::arrayIteratorNextThunkGenerator): Deleted. | |
19904 | (JSC::arrayIteratorNextKeyThunkGenerator): Deleted. | |
19905 | (JSC::arrayIteratorNextValueThunkGenerator): Deleted. | |
19906 | * jit/ThunkGenerators.h: | |
19907 | * runtime/ArgumentsIteratorPrototype.cpp: | |
19908 | (JSC::ArgumentsIteratorPrototype::finishCreation): | |
19909 | (JSC::argumentsIteratorPrototypeFuncNext): | |
19910 | * runtime/ArrayIteratorPrototype.cpp: | |
19911 | (JSC::ArrayIteratorPrototype::finishCreation): | |
19912 | (JSC::ArrayIteratorPrototype::getOwnPropertySlot): | |
19913 | (JSC::arrayIteratorProtoFuncIterator): | |
19914 | (JSC::arrayIteratorPrototypeIterate): Deleted. | |
19915 | * runtime/ArrayIteratorPrototype.h: | |
19916 | * runtime/CommonIdentifiers.h: | |
19917 | * runtime/Intrinsic.h: | |
19918 | * runtime/IteratorOperations.cpp: Added. | |
19919 | (JSC::iteratorNext): | |
19920 | (JSC::iteratorValue): | |
19921 | (JSC::iteratorComplete): | |
19922 | (JSC::iteratorStep): | |
19923 | (JSC::iteratorClose): | |
19924 | (JSC::createIterResultObject): | |
19925 | * runtime/IteratorOperations.h: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.cpp. | |
19926 | * runtime/JSArrayIterator.cpp: | |
19927 | (JSC::JSArrayIterator::finishCreation): | |
19928 | (JSC::JSArrayIterator::visitChildren): Deleted. | |
19929 | (JSC::createIteratorResult): Deleted. | |
19930 | (JSC::arrayIteratorNext): Deleted. | |
19931 | (JSC::arrayIteratorNextKey): Deleted. | |
19932 | (JSC::arrayIteratorNextValue): Deleted. | |
19933 | (JSC::arrayIteratorNextGeneric): Deleted. | |
19934 | * runtime/JSArrayIterator.h: | |
19935 | (JSC::JSArrayIterator::JSArrayIterator): | |
19936 | (JSC::JSArrayIterator::iterationKind): Deleted. | |
19937 | (JSC::JSArrayIterator::iteratedObject): Deleted. | |
19938 | (JSC::JSArrayIterator::nextIndex): Deleted. | |
19939 | (JSC::JSArrayIterator::setNextIndex): Deleted. | |
19940 | (JSC::JSArrayIterator::finish): Deleted. | |
19941 | (JSC::JSArrayIterator::offsetOfIterationKind): Deleted. | |
19942 | (JSC::JSArrayIterator::offsetOfIteratedObject): Deleted. | |
19943 | (JSC::JSArrayIterator::offsetOfNextIndex): Deleted. | |
19944 | * runtime/JSGlobalObject.cpp: | |
19945 | (JSC::JSGlobalObject::init): | |
19946 | * runtime/JSPromiseConstructor.cpp: | |
19947 | (JSC::performPromiseRaceLoop): | |
19948 | (JSC::JSPromiseConstructorFuncRace): | |
19949 | (JSC::performPromiseAll): | |
19950 | (JSC::JSPromiseConstructorFuncAll): | |
19951 | * runtime/MapIteratorPrototype.cpp: | |
19952 | (JSC::MapIteratorPrototype::finishCreation): | |
19953 | (JSC::MapIteratorPrototypeFuncNext): | |
19954 | * runtime/SetIteratorPrototype.cpp: | |
19955 | (JSC::SetIteratorPrototype::finishCreation): | |
19956 | (JSC::SetIteratorPrototypeFuncNext): | |
19957 | * runtime/VM.cpp: | |
19958 | (JSC::thunkGeneratorForIntrinsic): | |
19959 | * tests/stress/array-iterators-next-with-call.js: Added. | |
19960 | (increment): | |
19961 | (for): | |
19962 | * tests/stress/array-iterators-next.js: Added. | |
19963 | ||
19964 | Revive the older Array iterator tests that manually call 'next' method. | |
19965 | ||
19966 | * tests/stress/custom-iterators.js: Added. | |
19967 | (iter.next): | |
19968 | (iter.Symbol.iterator): | |
19969 | (iter.return): | |
19970 | (iter.get next): | |
19971 | (iter.get return): | |
19972 | (iteratorInterfaceErrorTest.iter.next): | |
19973 | (iteratorInterfaceErrorTest.iter.Symbol.iterator): | |
19974 | (iteratorInterfaceErrorTest.iter.return): | |
19975 | (iteratorInterfaceErrorTest): | |
19976 | (iteratorInterfaceErrorTestReturn.iter.next): | |
19977 | (iteratorInterfaceErrorTestReturn.iter.Symbol.iterator): | |
19978 | (iteratorInterfaceErrorTestReturn.iter.return): | |
19979 | (iteratorInterfaceErrorTestReturn): | |
19980 | (iteratorInterfaceBreakTestReturn.iter.next): | |
19981 | (iteratorInterfaceBreakTestReturn.iter.Symbol.iterator): | |
19982 | (iteratorInterfaceBreakTestReturn.iter.return): | |
19983 | (iteratorInterfaceBreakTestReturn): | |
19984 | ||
19985 | This tests the behavior of custom iterators. | |
19986 | 'next' and 'return' of iterator work with for-of. | |
19987 | ||
19988 | * tests/stress/iterators-shape.js: Added. | |
19989 | (iteratorShape): | |
19990 | (sameNextMethods): | |
19991 | (set var): | |
19992 | ||
19993 | This tests the shape of iterators; iterators of Array have a 'next' method in %ArrayIteratorPrototype%. | |
19994 | ||
19995 | * tests/stress/map-iterators-next.js: Added. | |
19996 | (set var): | |
19997 | (.get if): | |
19998 | (otherKey): | |
19999 | * tests/stress/set-iterators-next.js: Added. | |
20000 | (otherKey): | |
20001 | ||
20002 | 2015-03-04 Yusuke Suzuki <utatane.tea@gmail.com> | |
20003 | ||
20004 | Hide Promise with runtime flags under Cocoa JSContext API | |
20005 | https://bugs.webkit.org/show_bug.cgi?id=141965 | |
20006 | ||
20007 | Reviewed by Filip Pizlo. | |
20008 | ||
20009 | Since there's no run loop in JavaScriptCore APIs, Promises don't work currently. | |
20010 | So until they work, we hide Promise from a global object. | |
20011 | Introduce new JSC runtime flag, PromiseDisabled. When `isPromiseDisabled` is true, | |
20012 | Promise constructor is not attached to JSGlobalObject. | |
20013 | ||
20014 | To make 0 the default runtime flags, we choose a PromiseDisabled flag | |
20015 | instead of a PromiseEnabled flag. So by default, Promise is enabled. | |
20016 | ||
20017 | * API/JSCallbackObjectFunctions.h: | |
20018 | (JSC::JSCallbackObject<Parent>::JSCallbackObject): | |
20019 | * API/JSContextRef.cpp: | |
20020 | (javaScriptRuntimeFlags): | |
20021 | (JSGlobalContextCreateInGroup): | |
20022 | * API/tests/testapi.c: | |
20023 | (main): | |
20024 | * API/tests/testapi.mm: | |
20025 | (testObjectiveCAPI): | |
20026 | * runtime/JSGlobalObject.cpp: | |
20027 | (JSC::JSGlobalObject::init): | |
20028 | * runtime/JSGlobalObject.h: | |
20029 | (JSC::JSGlobalObject::create): | |
20030 | * runtime/RuntimeFlags.h: | |
20031 | (JSC::RuntimeFlags::createAllEnabled): | |
20032 | ||
20033 | 2015-03-04 Joseph Pecoraro <pecoraro@apple.com> | |
20034 | ||
20035 | Web Inspector: Array/Collection Sizes should be visible and distinct | |
20036 | https://bugs.webkit.org/show_bug.cgi?id=142254 | |
20037 | ||
20038 | Reviewed by Timothy Hatcher. | |
20039 | ||
20040 | * runtime/WeakMapData.h: | |
20041 | (JSC::WeakMapData::size): | |
20042 | * inspector/JSInjectedScriptHost.cpp: | |
20043 | (Inspector::JSInjectedScriptHost::weakMapSize): | |
20044 | * inspector/JSInjectedScriptHost.h: | |
20045 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
20046 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
20047 | (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize): | |
20048 | Add a way to get a WeakMap's size. | |
20049 | ||
20050 | * inspector/protocol/Runtime.json: | |
20051 | Include size in RemoteObject and ObjectPreview. | |
20052 | ||
20053 | * inspector/InjectedScriptSource.js: | |
20054 | Set the size of RemoteObjects and previews if they | |
20055 | are array/collection types. | |
20056 | ||
20057 | 2015-03-04 Andreas Kling <akling@apple.com> | |
20058 | ||
20059 | GC should compute stack bounds and dump registers at the earliest opportunity. | |
20060 | <https://webkit.org/b/142310> | |
20061 | <rdar://problem/20045624> | |
20062 | ||
20063 | Reviewed by Geoffrey Garen. | |
20064 | ||
20065 | Make Heap::collect() a wrapper function around a collectImpl() where the work is actually done. | |
20066 | The wrapper function grabs a snapshot of the current stack boundaries and register values | |
20067 | on entry, and sanitizes the stack on exit. | |
20068 | ||
20069 | This is a speculative fix for what appears to be overly conservative behavior in the garbage | |
20070 | collector following r178364 which caused a measurable regression in memory usage on Membuster. | |
20071 | The theory being that we were putting pointers to dead things on the stack before scanning it, | |
20072 | and by doing that ended up marking things that we'd otherwise discover to be garbage. | |
20073 | ||
20074 | * heap/Heap.cpp: | |
20075 | (JSC::Heap::markRoots): | |
20076 | (JSC::Heap::gatherStackRoots): | |
20077 | (JSC::Heap::collect): | |
20078 | (JSC::Heap::collectImpl): | |
20079 | * heap/Heap.h: | |
20080 | * heap/MachineStackMarker.cpp: | |
20081 | (JSC::MachineThreads::gatherFromCurrentThread): | |
20082 | (JSC::MachineThreads::gatherConservativeRoots): | |
20083 | * heap/MachineStackMarker.h: | |
20084 | ||
20085 | 2015-03-04 Debarshi Ray <debarshir@gnome.org> | |
20086 | ||
20087 | Silence GCC's -Wstrict-prototypes | |
20088 | https://bugs.webkit.org/show_bug.cgi?id=142278 | |
20089 | ||
20090 | Reviewed by Alexey Proskuryakov. | |
20091 | ||
20092 | * API/JSContextRef.h: | |
20093 | ||
20094 | 2015-03-04 Benjamin Poulain <bpoulain@apple.com> | |
20095 | ||
20096 | [JSC] Add a node for Math.log() | |
20097 | https://bugs.webkit.org/show_bug.cgi?id=142126 | |
20098 | ||
20099 | Reviewed by Geoffrey Garen. | |
20100 | ||
20101 | This patch adds the DFG node ArithLog for LogIntrinsic. | |
20102 | ||
20103 | Having a direct call to log has very little value by itself, the implementation | |
20104 | in DFG and FTL is a simple function call. | |
20105 | ||
20106 | What is useful in ArithLog is that we know the operation is pure. | |
20107 | This allows us to hoist it out of loops when the argument | |
20108 | is an invariant of the loop. | |
20109 | ||
20110 | Perf wise, this patch gives: | |
20111 | -Kraken's imaging-darkroom: definitely 1.2372x faster. | |
20112 | -AsmBench's Towers.c: definitely 1.0261x faster. | |
20113 | ||
20114 | * dfg/DFGAbstractInterpreterInlines.h: | |
20115 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
20116 | * dfg/DFGByteCodeParser.cpp: | |
20117 | (JSC::DFG::ByteCodeParser::handleIntrinsic): | |
20118 | * dfg/DFGClobberize.h: | |
20119 | (JSC::DFG::clobberize): | |
20120 | * dfg/DFGDoesGC.cpp: | |
20121 | (JSC::DFG::doesGC): | |
20122 | * dfg/DFGFixupPhase.cpp: | |
20123 | (JSC::DFG::FixupPhase::fixupNode): | |
20124 | * dfg/DFGNodeType.h: | |
20125 | * dfg/DFGPredictionPropagationPhase.cpp: | |
20126 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
20127 | (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): | |
20128 | * dfg/DFGSafeToExecute.h: | |
20129 | (JSC::DFG::safeToExecute): | |
20130 | * dfg/DFGSpeculativeJIT.cpp: | |
20131 | (JSC::DFG::SpeculativeJIT::compileArithLog): | |
20132 | * dfg/DFGSpeculativeJIT.h: | |
20133 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
20134 | (JSC::DFG::SpeculativeJIT::compile): | |
20135 | * dfg/DFGSpeculativeJIT64.cpp: | |
20136 | (JSC::DFG::SpeculativeJIT::compile): | |
20137 | * ftl/FTLCapabilities.cpp: | |
20138 | (JSC::FTL::canCompile): | |
20139 | * ftl/FTLIntrinsicRepository.h: | |
20140 | * ftl/FTLLowerDFGToLLVM.cpp: | |
20141 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
20142 | (JSC::FTL::LowerDFGToLLVM::compileArithLog): | |
20143 | * ftl/FTLOutput.h: | |
20144 | (JSC::FTL::Output::doubleLog): | |
20145 | * tests/stress/math-log-basics.js: Added. | |
20146 | * tests/stress/math-log-with-constants.js: Added. | |
20147 | ||
20148 | 2015-03-04 Filip Pizlo <fpizlo@apple.com> | |
20149 | ||
20150 | Only Heap should be in charge of deciding how to select a subspace for a type | |
20151 | https://bugs.webkit.org/show_bug.cgi?id=142304 | |
20152 | ||
20153 | Reviewed by Mark Lam. | |
20154 | ||
20155 | This slightly reduces the code duplication for selecting subspace based on type, and what | |
20156 | duplication is left is at least localized in HeapInlines.h. The immediate effect is that | |
20157 | the DFG and FTL don't have to duplicate this pattern. | |
20158 | ||
20159 | * dfg/DFGSpeculativeJIT.h: | |
20160 | (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): | |
20161 | (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): | |
20162 | * ftl/FTLLowerDFGToLLVM.cpp: | |
20163 | (JSC::FTL::LowerDFGToLLVM::allocateObject): | |
20164 | * heap/Heap.h: | |
20165 | * heap/HeapInlines.h: | |
20166 | (JSC::Heap::allocateObjectOfType): | |
20167 | (JSC::Heap::subspaceForObjectOfType): | |
20168 | (JSC::Heap::allocatorForObjectOfType): | |
20169 | * runtime/JSCellInlines.h: | |
20170 | (JSC::allocateCell): | |
20171 | ||
20172 | 2015-03-04 Andreas Kling <akling@apple.com> | |
20173 | ||
20174 | Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily. | |
20175 | <https://webkit.org/b/142115> | |
20176 | <rdar://problem/19992268> | |
20177 | ||
20178 | Reviewed by Geoffrey Garen. | |
20179 | ||
20180 | Prune stale entries from WeakGCMaps as part of every full garbage collection. | |
20181 | This frees up tons of previously-stuck WeakBlocks that were only sitting around | |
20182 | with finalized handles waiting to die. | |
20183 | ||
20184 | Note that WeakGCMaps register/unregister themselves with the GC heap in their | |
20185 | ctor/dtor, so creating one now requires passing the VM. | |
20186 | ||
20187 | Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears | |
20188 | to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms. | |
20189 | It seems somewhat excessive to do this on every Eden collection, so it's only | |
20190 | doing work in full collections for now. | |
20191 | ||
20192 | * API/JSWeakObjectMapRefInternal.h: | |
20193 | (OpaqueJSWeakObjectMap::create): | |
20194 | (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap): | |
20195 | * API/JSWeakObjectMapRefPrivate.cpp: | |
20196 | * API/JSWrapperMap.mm: | |
20197 | (-[JSWrapperMap initWithContext:]): | |
20198 | (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor. | |
20199 | ||
20200 | * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make | |
20201 | it project-private so WebCore clients can access it. | |
20202 | ||
20203 | * heap/Heap.cpp: | |
20204 | (JSC::Heap::collect): | |
20205 | (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning | |
20206 | stale entries from WeakGCMaps. This is only executed during full collections. | |
20207 | ||
20208 | * heap/Heap.h: | |
20209 | * heap/HeapInlines.h: | |
20210 | (JSC::Heap::registerWeakGCMap): | |
20211 | (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register | |
20212 | themselves with the Heap and provide a pruning callback. | |
20213 | ||
20214 | * runtime/PrototypeMap.h: | |
20215 | (JSC::PrototypeMap::PrototypeMap): | |
20216 | * runtime/Structure.cpp: | |
20217 | (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor. | |
20218 | ||
20219 | * runtime/JSCInlines.h: Add "WeakGCMapInlines.h" | |
20220 | ||
20221 | * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds. | |
20222 | ||
20223 | * runtime/VM.cpp: | |
20224 | (JSC::VM::VM): Pass VM to WeakGCMap constructor. | |
20225 | ||
20226 | * runtime/WeakGCMap.h: | |
20227 | (JSC::WeakGCMap::set): | |
20228 | (JSC::WeakGCMap::add): | |
20229 | (JSC::WeakGCMap::WeakGCMap): Deleted. | |
20230 | (JSC::WeakGCMap::gcMap): Deleted. | |
20231 | (JSC::WeakGCMap::gcMapIfNeeded): Deleted. | |
20232 | * runtime/WeakGCMapInlines.h: Added. | |
20233 | (JSC::WeakGCMap::WeakGCMap): | |
20234 | (JSC::WeakGCMap::~WeakGCMap): | |
20235 | (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback | |
20236 | to WeakGCMapInlines.h to fix interdependent header issues. Removed code that | |
20237 | prunes WeakGCMap at certain growth milestones and instead rely on the GC | |
20238 | callback for housekeeping. | |
20239 | ||
20240 | 2015-03-03 Filip Pizlo <fpizlo@apple.com> | |
20241 | ||
20242 | DFG IR should refer to FunctionExecutables directly and not via the CodeBlock | |
20243 | https://bugs.webkit.org/show_bug.cgi?id=142229 | |
20244 | ||
20245 | Reviewed by Mark Lam and Benjamin Poulain. | |
20246 | ||
20247 | Anytime a DFG IR node refers to something in CodeBlock, it has three effects: | |
20248 | ||
20249 | - Cumbersome API for accessing the thing that the node refers to. | |
20250 | ||
20251 | - Not obvious how to create a new such node after bytecode parsing, especially if the | |
20252 | thing it refers to isn't already in the CodeBlock. We have done this in the past, but | |
20253 | it usually involves subtle changes to CodeBlock. | |
20254 | ||
20255 | - Not obvious how to inline code that ends up using such nodes. Again, when we have done | |
20256 | this, it involved subtle changes to CodeBlock. | |
20257 | ||
20258 | Prior to this change, the NewFunction* node types used an index into tables in CodeBlock. | |
20259 | For this reason, those operations were not inlineable. But the function tables in CodeBlock | |
20260 | just point to FunctionExecutables, which are cells; this means that we can just abstract | |
20261 | these operands in DFG IR as cellOperands. cellOperands use DFG::FrozenValue, which means | |
20262 | that GC registration happens automagically. Even better, our dumping for cellOperand | |
20263 | already did FunctionExecutable dumping - so that functionality gets to be deduplicated. | |
20264 | ||
20265 | Because this change increases the number of users of cellOperand, it also adds some | |
20266 | convenience methods for using it. For example, whereas before you'd say things like: | |
20267 | ||
20268 | jsCast<Foo*>(node->cellOperand()->value()) | |
20269 | ||
20270 | you can now just say: | |
20271 | ||
20272 | node->castOperand<Foo*>() | |
20273 | ||
20274 | This change also changes existing cellOperand users to use the new convenience API when | |
20275 | applicable. | |
20276 | ||
20277 | * bytecode/CodeBlock.cpp: | |
20278 | (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): | |
20279 | * bytecode/CodeBlock.h: | |
20280 | * dfg/DFGByteCodeParser.cpp: | |
20281 | (JSC::DFG::ByteCodeParser::parseBlock): | |
20282 | * dfg/DFGCapabilities.cpp: | |
20283 | (JSC::DFG::capabilityLevel): | |
20284 | * dfg/DFGFrozenValue.h: | |
20285 | (JSC::DFG::FrozenValue::cell): | |
20286 | (JSC::DFG::FrozenValue::dynamicCast): | |
20287 | (JSC::DFG::FrozenValue::cast): | |
20288 | * dfg/DFGGraph.cpp: | |
20289 | (JSC::DFG::Graph::dump): | |
20290 | (JSC::DFG::Graph::registerFrozenValues): | |
20291 | * dfg/DFGNode.h: | |
20292 | (JSC::DFG::Node::hasCellOperand): | |
20293 | (JSC::DFG::Node::castOperand): | |
20294 | (JSC::DFG::Node::hasFunctionDeclIndex): Deleted. | |
20295 | (JSC::DFG::Node::functionDeclIndex): Deleted. | |
20296 | (JSC::DFG::Node::hasFunctionExprIndex): Deleted. | |
20297 | (JSC::DFG::Node::functionExprIndex): Deleted. | |
20298 | * dfg/DFGSpeculativeJIT.cpp: | |
20299 | (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): | |
20300 | (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): | |
20301 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
20302 | (JSC::DFG::SpeculativeJIT::compile): | |
20303 | * dfg/DFGSpeculativeJIT64.cpp: | |
20304 | (JSC::DFG::SpeculativeJIT::compile): | |
20305 | * dfg/DFGWatchpointCollectionPhase.cpp: | |
20306 | (JSC::DFG::WatchpointCollectionPhase::handle): | |
20307 | * ftl/FTLLowerDFGToLLVM.cpp: | |
20308 | (JSC::FTL::LowerDFGToLLVM::compileCheckCell): | |
20309 | (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): | |
20310 | ||
20311 | 2015-03-03 Michael Saboff <msaboff@apple.com> | |
20312 | ||
20313 | DelayedReleaseScope drops locks during GC which can cause a thread switch and code reentry | |
20314 | https://bugs.webkit.org/show_bug.cgi?id=141275 | |
20315 | ||
20316 | Reviewed by Geoffrey Garen. | |
20317 | ||
20318 | The original issue is that the CodeCache uses an unsafe method to add new UnlinkedCodeBlocks. | |
20319 | It basically adds a null UnlinkedCodeBlock if there isn't a cached entry and then later | |
20320 | updates the null entry to the result of the compilation. If during that compilation and | |
20321 | related processing we need to garbage collect, the DelayedReleaseScope would drop locks | |
20322 | possibly allowing another thread to try to get the same source out of the CodeCache. | |
20323 | This second thread would find the null entry and crash. The fix is to move the processing of | |
20324 | DelayedReleaseScope to when we drop locks and not drop locks during GC. That was done in | |
20325 | the original patch with the new function releaseDelayedReleasedObjects(). | |
20326 | ||
20327 | Updated releaseDelayedReleasedObjects() so that objects are released with all locks | |
20328 | dropped. Now its processing follows these steps: | |
20329 | - Increment the recursion counter, do the recursion check and exit if recursing | |
20330 | - While there are objects to release: | |
20331 |   - ASSERT that the lock is held by the current thread | |
20332 |   - Take all items from the delayed release Vector and put them into a temporary Vector | |
20333 |   - Release the API lock | |
20334 |   - Release and clear the items from the temporary Vector | |
20335 |   - Reacquire the API lock | |
20336 | This meets the requirement that we release while the API lock is released and it is | |
20337 | safer processing of the delayed release Vector. | |
20338 | ||
20339 | Added new regression test to testapi. | |
20340 | ||
20341 | Also added comment describing how recursion into releaseDelayedReleasedObjects() is | |
20342 | prevented. | |
20343 | ||
20344 | * API/tests/Regress141275.h: Added. | |
20345 | * API/tests/Regress141275.mm: Added. | |
20346 | (+[JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:completionHandler:]): | |
20347 | (-[JSTEvaluator init]): | |
20348 | (-[JSTEvaluator initWithScript:]): | |
20349 | (-[JSTEvaluator _accessPendingTasksWithBlock:]): | |
20350 | (-[JSTEvaluator insertSignPostWithCompletion:]): | |
20351 | (-[JSTEvaluator evaluateScript:completion:]): | |
20352 | (-[JSTEvaluator evaluateBlock:completion:]): | |
20353 | (-[JSTEvaluator waitForTasksDoneAndReportResults]): | |
20354 | (__JSTRunLoopSourceScheduleCallBack): | |
20355 | (__JSTRunLoopSourcePerformCallBack): | |
20356 | (__JSTRunLoopSourceCancelCallBack): | |
20357 | (-[JSTEvaluator _jsThreadMain]): | |
20358 | (-[JSTEvaluator _sourceScheduledOnRunLoop:]): | |
20359 | (-[JSTEvaluator _setupEvaluatorThreadContextIfNeeded]): | |
20360 | (-[JSTEvaluator _callCompletionHandler:ifNeededWithError:]): | |
20361 | (-[JSTEvaluator _sourcePerform]): | |
20362 | (-[JSTEvaluator _sourceCanceledOnRunLoop:]): | |
20363 | (runRegress141275): | |
20364 | * API/tests/testapi.mm: | |
20365 | (testObjectiveCAPI): | |
20366 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
20367 | * heap/Heap.cpp: | |
20368 | (JSC::Heap::releaseDelayedReleasedObjects): | |
20369 | * runtime/JSLock.cpp: | |
20370 | (JSC::JSLock::unlock): | |
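The release procedure listed in this entry, as an added example that is not JavaScriptCore's code: a hypothetical DelayedReleaseHeap whose releaseDelayedReleasedObjects() moves the pending items to a temporary, drops the API lock while releasing them, reacquires it, and ignores recursive calls, driven by a constructed scenario in which one release callback re-enters the engine and queues more work. ApiLock, DelayedReleaseHeap and the callback-based queue are assumptions standing in for the engine's own types.

```cpp
#include <cassert>
#include <cstddef>
#include <functional>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in for the JSC API lock: a mutex that also remembers its
// owner so the release loop can assert that the current thread holds it.
class ApiLock {
public:
    void lock() { m_mutex.lock(); m_owner = std::this_thread::get_id(); }
    void unlock() { m_owner = std::thread::id(); m_mutex.unlock(); }
    bool heldByCurrentThread() const { return m_owner == std::this_thread::get_id(); }
private:
    std::mutex m_mutex;
    std::thread::id m_owner;
};

// Hypothetical heap with a queue of delayed-release actions. Callbacks stand in
// for retained objects so a release can be made to call back into the heap.
class DelayedReleaseHeap {
public:
    ApiLock apiLock;

    void addDelayedRelease(std::function<void()> action)
    {
        assert(apiLock.heldByCurrentThread()); // callers hold the API lock
        m_delayedReleaseObjects.push_back(std::move(action));
    }

    // Drains the queue following the steps listed in the entry above. Returns
    // the number of objects released by this call (0 for a recursive call).
    std::size_t releaseDelayedReleasedObjects()
    {
        std::size_t released = 0;
        // Only the outermost call does work: release code that re-enters the
        // engine and drops all locks again lands here recursively and returns.
        if (!m_recursionCount++) {
            while (!m_delayedReleaseObjects.empty()) {
                assert(apiLock.heldByCurrentThread());
                // Move pending items to a temporary; the member is not touched
                // while the lock is dropped.
                std::vector<std::function<void()>> objectsToRelease;
                objectsToRelease.swap(m_delayedReleaseObjects);
                apiLock.unlock(); // drop the lock before running arbitrary code
                for (auto& release : objectsToRelease)
                    release();
                released += objectsToRelease.size();
                objectsToRelease.clear();
                apiLock.lock(); // reacquire before re-checking the queue
            }
        }
        m_recursionCount--;
        return released;
    }

    std::size_t pendingCount() const { return m_delayedReleaseObjects.size(); }
    unsigned recursionCount() const { return m_recursionCount; }

private:
    std::vector<std::function<void()>> m_delayedReleaseObjects;
    unsigned m_recursionCount = 0;
};

// Constructed scenario: three queued objects; releasing the second re-enters
// the engine, queues a fourth and starts another release pass while the outer
// pass is still on the stack. *nestedReleased receives that inner call's result.
std::size_t runReentrantReleaseScenario(std::size_t* nestedReleased = nullptr)
{
    DelayedReleaseHeap heap;
    heap.apiLock.lock();
    heap.addDelayedRelease([] {});
    heap.addDelayedRelease([&heap, nestedReleased] {
        heap.apiLock.lock(); // legal: the outer pass dropped the lock
        heap.addDelayedRelease([] {});
        std::size_t n = heap.releaseDelayedReleasedObjects(); // recursive: no work
        if (nestedReleased)
            *nestedReleased = n;
        heap.apiLock.unlock();
    });
    heap.addDelayedRelease([] {});
    std::size_t total = heap.releaseDelayedReleasedObjects();
    assert(heap.pendingCount() == 0 && heap.recursionCount() == 0);
    assert(heap.apiLock.heldByCurrentThread()); // lock is held again on exit
    heap.apiLock.unlock();
    return total; // 4: the three originals plus the one queued during release
}

std::size_t nestedCallReleaseCount()
{
    std::size_t nested = 99;
    runReentrantReleaseScenario(&nested);
    return nested; // 0: the recursive call released nothing itself
}

int main() { return runReentrantReleaseScenario() == 4 && nestedCallReleaseCount() == 0 ? 0 : 1; }
```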
20371 | ||
20372 | 2015-03-03 Filip Pizlo <fpizlo@apple.com> | |
20373 | ||
20374 | DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking | |
20375 | https://bugs.webkit.org/show_bug.cgi?id=106202 | |
20376 | ||
20377 | Rubber stamped by Benjamin Poulain. | |
20378 | ||
20379 | This fixes a bug discovered by working on https://bugs.webkit.org/show_bug.cgi?id=142229, | |
20380 | which was in turn discovered by working on https://bugs.webkit.org/show_bug.cgi?id=141174. | |
20381 | Our way of dealing with scopes known to be constant is very sketchy, and only really works | |
20382 | when a function is inlined. When it is, we pretend that every load of the scopeRegister sees | |
20383 | a constant. But this breaks the DFG's tracking of the liveness of the scopeRegister. The way | |
20384 | this worked made us miss opportunities for optimizing based on a constant scope, and it also | |
20385 | meant that in some cases - particularly like when we inline code that uses NewFunction and | |
20386 | friends, as I do in bug 142229 - it makes OSR exit think that the scope is dead even though | |
20387 | it's most definitely alive and it's a constant. | |
20388 | ||
20389 | The problem here is that we were doing too many optimizations in the ByteCodeParser, and not | |
20390 | later. Later optimization phases know how to preserve OSR exit liveness. They're actually | |
20391 | really good at it. Also, later phases know how to infer that any variable is a constant no | |
20392 | matter how that constant arose - rather than the inlining-specific thing in ByteCodeParser. | |
20393 | ||
20394 | This changes the ByteCodeParser to largely avoid doing constant folding on the scope, except | |
20395 | making the GetScope operation itself a constant. This is a compilation-time hack for small | |
20396 | functions, and it doesn't break the loads of local variables - so OSR exit liveness still | |
20397 | sees that the scopeRegister is in use. This then adds a vastly more powerful GetScope and | |
20398 | GetClosureVar constant folder in the AbstractInterpreter. This handles most general cases | |
20399 | including those that arise in complex control flow. This will catch cases where the scope | |
20400 | is constant for any number of reasons. Basically anytime that the callee is inferred constant | |
20401 | this will give us a constant scope. Also, we still have the parse-time constant folding of | |
20402 | ResolveScope based on the reentry watchpoint, which luckily did the right thing with respect | |
20403 | to OSR exit liveness (it splats a Phantom on its inputs, and it produces a constant result | |
20404 | which is then set() normally). | |
20405 | ||
20406 | This appears to be a broad speed-up, albeit a small one. But mainly it unblocks bug 142229, | |
20407 | which then should unblock bug 141174. | |
20408 | ||
20409 | * dfg/DFGAbstractInterpreterInlines.h: | |
20410 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
20411 | * dfg/DFGByteCodeParser.cpp: | |
20412 | (JSC::DFG::ByteCodeParser::get): | |
20413 | (JSC::DFG::ByteCodeParser::getLocal): | |
20414 | (JSC::DFG::ByteCodeParser::parseBlock): | |
20415 | (JSC::DFG::ByteCodeParser::parse): | |
20416 | * dfg/DFGClobberize.h: | |
20417 | (JSC::DFG::clobberize): | |
20418 | * dfg/DFGDoesGC.cpp: | |
20419 | (JSC::DFG::doesGC): | |
20420 | * dfg/DFGFixupPhase.cpp: | |
20421 | (JSC::DFG::FixupPhase::fixupNode): | |
20422 | * dfg/DFGGraph.cpp: | |
20423 | (JSC::DFG::Graph::tryGetConstantClosureVar): | |
20424 | (JSC::DFG::Graph::tryGetRegisters): | |
20425 | (JSC::DFG::Graph::tryGetActivation): Deleted. | |
20426 | * dfg/DFGGraph.h: | |
20427 | * dfg/DFGNode.h: | |
20428 | (JSC::DFG::Node::hasVariableWatchpointSet): | |
20429 | (JSC::DFG::Node::hasSymbolTable): Deleted. | |
20430 | (JSC::DFG::Node::symbolTable): Deleted. | |
20431 | * dfg/DFGNodeType.h: | |
20432 | * dfg/DFGPredictionPropagationPhase.cpp: | |
20433 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
20434 | * dfg/DFGSafeToExecute.h: | |
20435 | (JSC::DFG::safeToExecute): | |
20436 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
20437 | (JSC::DFG::SpeculativeJIT::compile): | |
20438 | * dfg/DFGSpeculativeJIT64.cpp: | |
20439 | (JSC::DFG::SpeculativeJIT::compile): | |
20440 | * dfg/DFGWatchpointCollectionPhase.cpp: | |
20441 | (JSC::DFG::WatchpointCollectionPhase::handle): | |
20442 | * ftl/FTLCapabilities.cpp: | |
20443 | (JSC::FTL::canCompile): | |
20444 | * ftl/FTLLowerDFGToLLVM.cpp: | |
20445 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
20446 | (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar): | |
20447 | * runtime/SymbolTable.cpp: | |
20448 | (JSC::SymbolTable::visitChildren): | |
20449 | (JSC::SymbolTable::localToEntry): | |
20450 | (JSC::SymbolTable::entryFor): | |
20451 | * runtime/SymbolTable.h: | |
20452 | (JSC::SymbolTable::add): | |
20453 | (JSC::SymbolTable::set): | |
20454 | * tests/stress/function-expression-exit.js: Added. | |
20455 | * tests/stress/function-reentry-infer-on-self.js: Added. | |
20456 | (thingy): | |
20457 | * tests/stress/goofy-function-reentry-incorrect-inference.js: Added. | |
20458 | ||
20459 | 2015-03-03 Anders Carlsson <andersca@apple.com> | |
20460 | ||
20461 | Remove unused compression code | |
20462 | https://bugs.webkit.org/show_bug.cgi?id=142237 | |
20463 | ||
20464 | Reviewed by Geoffrey Garen. | |
20465 | ||
20466 | * bytecode/UnlinkedCodeBlock.h: | |
20467 | ||
20468 | 2015-03-03 Filip Pizlo <fpizlo@apple.com> | |
20469 | ||
20470 | JIT debugging features that selectively disable the JITs for code blocks need to stay out of the way of the critical path of JIT management | |
20471 | https://bugs.webkit.org/show_bug.cgi?id=142234 | |
20472 | ||
20473 | Reviewed by Mark Lam and Benjamin Poulain. | |
20474 | ||
20475 | Long ago, we used to selectively disable compilation of CodeBlocks for debugging purposes by | |
20476 | adding hacks to DFGDriver.cpp. This was all well and good. It used the existing | |
20477 | CompilationFailed mode of the DFG driver to signal failure of CodeBlocks that we didn't want | |
20478 | to compile. That's great because CompilationFailed is a well-supported return value on the | |
20479 | critical path, usually used for when we run out of JIT memory. | |
20480 | ||
20481 | Later, this was moved into DFGCapabilities. This was basically incorrect. It introduced a bug | |
20482 | where disabling compiling of a CodeBlock meant that we stopped inlining it as well. So if | |
20483 | you had a compiler bug that arose if foo was inlined into bar, and you bisected down to bar, | |
20484 | then foo would no longer get inlined and you wouldn't see the bug. That's busted. | |
20485 | ||
20486 | So then we changed the code in DFGCapabilities to mark bar as CanCompile and foo as | |
20487 | CanInline. Now, foo wouldn't get compiled alone but it would get inlined. | |
20488 | ||
20489 | But then we removed CanCompile because that capability mode only existed for the purpose of | |
20490 | our old varargs hacks. After that removal, "CanInline" became CannotCompile. This means | |
20491 | that if you bisect down on bar in the "foo inlined into bar" case, you'll crash in the DFG | |
20492 | because the baseline JIT wouldn't have known to insert profiling on foo. | |
20493 | ||
20494 | We could fix this by bringing back CanInline. | |
20495 | ||
20496 | But this is all a pile of nonsense. The debug support to selectively disable compilation of | |
20497 | some CodeBlocks shouldn't cross-cut our entire engine and should most certainly never involve | |
20498 | adding new capability modes. This support is a hack at best and is for use by JSC hackers | |
20499 | only. It should be as unintrusive as possible. | |
20500 | ||
20501 | So, as in the ancient times, the only proper place to put this hack is in DFGDriver.cpp, and | |
20502 | return CompilationFailed. This is correct not just because it takes capability modes out of | |
20503 | the picture (and obviates the need to introduce new ones), but also because it means that | |
20504 | disabling compilation doesn't change the profiling mode of other CodeBlocks in the Baseline | |
20505 | JIT. Capability mode influences profiling mode which in turn influences code generation in | |
20506 | the Baseline JIT, sometimes in very significant ways - like, we sometimes do additional | |
20507 | double-to-int conversions in Baseline if we know that we might tier-up into the DFG, since | |
20508 | this buys us more precise profiling. | |
20509 | ||
20510 | This change reduces the intrusiveness of debugging hacks by making them use the very simple | |
20511 | CompilationFailed mechanism rather than trying to influence capability modes. Capability | |
20512 | modes have very subtle effects on the whole engine, while CompilationFailed just makes the | |
20513 | engine pretend like the DFG compilation will happen at timelike infinity. That makes these | |
20514 | hacks much more likely to continue working as we make other changes to the system. | |
20515 | ||
20516 | This brings back the ability to bisect down onto a function bar when bar inlines foo. Prior | |
20517 | to this change, we would crash in that case. | |
20518 | ||
20519 | * dfg/DFGCapabilities.cpp: | |
20520 | (JSC::DFG::isSupported): | |
20521 | (JSC::DFG::mightCompileEval): | |
20522 | (JSC::DFG::mightCompileProgram): | |
20523 | (JSC::DFG::mightCompileFunctionForCall): | |
20524 | (JSC::DFG::mightCompileFunctionForConstruct): | |
20525 | * dfg/DFGCapabilities.h: | |
20526 | * dfg/DFGDriver.cpp: | |
20527 | (JSC::DFG::compileImpl): | |
20528 | ||
20529 | 2015-03-03 peavo@outlook.com <peavo@outlook.com> | |
20530 | ||
20531 | [Win64] JSC compile error. | |
20532 | https://bugs.webkit.org/show_bug.cgi?id=142216 | |
20533 | ||
20534 | Reviewed by Mark Lam. | |
20535 | ||
20536 | A version of setupArgumentsWithExecState is missing when NUMBER_OF_ARGUMENT_REGISTERS == 4. | |
20537 | ||
20538 | * jit/CCallHelpers.h: | |
20539 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
20540 | ||
20541 | 2015-03-02 Filip Pizlo <fpizlo@apple.com> | |
20542 | ||
20543 | DFG compile time measurements should really report milliseconds | |
20544 | https://bugs.webkit.org/show_bug.cgi?id=142209 | |
20545 | ||
20546 | Reviewed by Benjamin Poulain. | |
20547 | ||
20548 | Fix this to record milliseconds instead of seconds. | |
20549 | ||
20550 | * dfg/DFGPlan.cpp: | |
20551 | (JSC::DFG::Plan::compileInThread): | |
20552 | (JSC::DFG::Plan::compileInThreadImpl): | |
20553 | ||
20554 | 2015-03-02 Filip Pizlo <fpizlo@apple.com> | |
20555 | ||
20556 | Remove op_get_callee, it's unused | |
20557 | https://bugs.webkit.org/show_bug.cgi?id=142206 | |
20558 | ||
20559 | Reviewed by Andreas Kling. | |
20560 | ||
20561 | It's a bit of a shame that we stopped using this opcode since it gives us same-callee | |
20562 | profiling. But, if we were to add this functionality back in, we would almost certainly do | |
20563 | it by adding a JSFunction allocation watchpoint on FunctionExecutable. | |
20564 | ||
20565 | * bytecode/BytecodeList.json: | |
20566 | * bytecode/BytecodeUseDef.h: | |
20567 | (JSC::computeUsesForBytecodeOffset): | |
20568 | (JSC::computeDefsForBytecodeOffset): | |
20569 | * bytecode/CodeBlock.cpp: | |
20570 | (JSC::CodeBlock::dumpBytecode): | |
20571 | (JSC::CodeBlock::finalizeUnconditionally): | |
20572 | * dfg/DFGByteCodeParser.cpp: | |
20573 | (JSC::DFG::ByteCodeParser::parseBlock): | |
20574 | * dfg/DFGCapabilities.cpp: | |
20575 | (JSC::DFG::capabilityLevel): | |
20576 | * jit/JIT.cpp: | |
20577 | (JSC::JIT::privateCompileMainPass): | |
20578 | (JSC::JIT::privateCompileSlowCases): | |
20579 | * jit/JIT.h: | |
20580 | * jit/JITOpcodes.cpp: | |
20581 | (JSC::JIT::emit_op_get_callee): Deleted. | |
20582 | (JSC::JIT::emitSlow_op_get_callee): Deleted. | |
20583 | * jit/JITOpcodes32_64.cpp: | |
20584 | (JSC::JIT::emit_op_get_callee): Deleted. | |
20585 | (JSC::JIT::emitSlow_op_get_callee): Deleted. | |
20586 | * llint/LowLevelInterpreter32_64.asm: | |
20587 | * llint/LowLevelInterpreter64.asm: | |
20588 | * runtime/CommonSlowPaths.cpp: | |
20589 | (JSC::SLOW_PATH_DECL): Deleted. | |
20590 | ||
20591 | 2015-03-02 Joseph Pecoraro <pecoraro@apple.com> | |
20592 | ||
20593 | Web Inspector: Context Menu to Log a Particular Object | |
20594 | https://bugs.webkit.org/show_bug.cgi?id=142198 | |
20595 | ||
20596 | Reviewed by Timothy Hatcher. | |
20597 | ||
20598 | Add a protocol method to assign a $n index to a value. For an object | |
20599 | use the injected script context for that object. For a value, use | |
20600 | the execution context to know where to save the value. | |
20601 | ||
20602 | * inspector/InjectedScript.cpp: | |
20603 | (Inspector::InjectedScript::saveResult): | |
20604 | * inspector/InjectedScript.h: | |
20605 | * inspector/InjectedScriptSource.js: | |
20606 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
20607 | (Inspector::InspectorRuntimeAgent::saveResult): | |
20608 | * inspector/agents/InspectorRuntimeAgent.h: | |
20609 | * inspector/protocol/Debugger.json: | |
20610 | * inspector/protocol/Runtime.json: | |
20611 | ||
20612 | 2015-03-02 Filip Pizlo <fpizlo@apple.com> | |
20613 | ||
20614 | SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization | |
20615 | https://bugs.webkit.org/show_bug.cgi?id=142197 | |
20616 | ||
20617 | Reviewed by Geoffrey Garen. | |
20618 | ||
20619 | * dfg/DFGSpeculativeJIT.cpp: | |
20620 | (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Use shift instead of mul, since mul doesn't automatically strength-reduce to shift. Also pass the structure as a TrustedImmPtr. | |
20621 | * dfg/DFGSpeculativeJIT.h: | |
20622 | (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): Rationalize this a bit. The other emitAllocate... methods take a templated structure so that it can be either a TrustedImmPtr or a register. Also don't do destructor initialization, since its one client doesn't need it, and it's actually probably wrong. | |
20623 | ||
20624 | 2015-03-02 Mark Lam <mark.lam@apple.com> | |
20625 | ||
20626 | Exception stack unwinding in JSC hangs while the Timeline Profiler is enabled. | |
20627 | <https://webkit.org/b/142191> | |
20628 | ||
20629 | Reviewed by Geoffrey Garen. | |
20630 | ||
20631 | Imagine a scenario where the Inspector is paused / suspended at a breakpoint or | |
20632 | while the user is stepping through JS code. The user then tries to evaluate an | |
20633 | expression in the console, and that evaluation results in an exception being | |
20634 | thrown. Currently, if the Timeline Profiler is enabled while this exception is | |
20635 | being thrown, the WebProcess will hang while trying to handle that exception. | |
20636 | ||
20637 | The issue is that the Timeline Profiler's ProfileGenerator::didExecute() will | |
20638 | return early and decline to process ProfileNodes if the Inspector is paused. | |
20639 | This is proper because it does not want to count work done for injected scripts | |
20640 | (e.g. from the console) towards the timeline profile of the webpage being run. | |
20641 | However, this is in conflict with ProfileGenerator::exceptionUnwind()'s | |
20642 | expectation that didExecute() will process ProfileNodes in order to do the stack | |
20643 | unwinding for the exception handling. As a result, | |
20644 | ProfileGenerator::exceptionUnwind() hangs. | |
20645 | ||
20646 | ProfileGenerator::exceptionUnwind() is in error. While the Inspector is paused, | |
20647 | there will not be any ProfileNodes that it needs to "unwind". Hence, the fix is | |
20648 | simply to return early also in ProfileGenerator::exceptionUnwind() if the | |
20649 | Inspector is paused. | |
20650 | ||
20651 | * profiler/ProfileGenerator.cpp: | |
20652 | (JSC::ProfileGenerator::exceptionUnwind): | |
20653 | ||
20654 | 2015-03-02 Filip Pizlo <fpizlo@apple.com> | |
20655 | ||
20656 | FTL should correctly document where it puts the argument count for inlined varargs frames | |
20657 | https://bugs.webkit.org/show_bug.cgi?id=142187 | |
20658 | ||
20659 | Reviewed by Geoffrey Garen. | |
20660 | ||
20661 | After LLVM tells us where the captured variables alloca landed in the frame, we need to | |
20662 | tell all of our meta-data about it. We were forgetting to do so for the argument count | |
20663 | register, which is used by inlined varargs calls. | |
20664 | ||
20665 | * ftl/FTLCompile.cpp: | |
20666 | (JSC::FTL::mmAllocateDataSection): | |
20667 | * tests/stress/inline-varargs-get-arguments.js: Added. | |
20668 | (foo): | |
20669 | (bar): | |
20670 | (baz): | |
20671 | ||
20672 | 2015-03-02 Filip Pizlo <fpizlo@apple.com> | |
20673 | ||
20674 | Deduplicate slow path calling code in JITOpcodes.cpp/JITOpcodes32_64.cpp | |
20675 | https://bugs.webkit.org/show_bug.cgi?id=142184 | |
20676 | ||
20677 | Reviewed by Michael Saboff. | |
20678 | ||
20679 | * jit/JITOpcodes.cpp: | |
20680 | (JSC::JIT::emit_op_get_enumerable_length): | |
20681 | (JSC::JIT::emitSlow_op_has_structure_property): | |
20682 | (JSC::JIT::emit_op_has_generic_property): | |
20683 | (JSC::JIT::emit_op_get_structure_property_enumerator): | |
20684 | (JSC::JIT::emit_op_get_generic_property_enumerator): | |
20685 | (JSC::JIT::emit_op_to_index_string): | |
20686 | * jit/JITOpcodes32_64.cpp: | |
20687 | (JSC::JIT::emit_op_get_enumerable_length): Deleted. | |
20688 | (JSC::JIT::emitSlow_op_has_structure_property): Deleted. | |
20689 | (JSC::JIT::emit_op_has_generic_property): Deleted. | |
20690 | (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted. | |
20691 | (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted. | |
20692 | (JSC::JIT::emit_op_to_index_string): Deleted. | |
20693 | (JSC::JIT::emit_op_profile_control_flow): Deleted. | |
20694 | ||
20695 | 2015-03-02 Antti Koivisto <antti@apple.com> | |
20696 | ||
20697 | Add way to dump cache meta data to file | |
20698 | https://bugs.webkit.org/show_bug.cgi?id=142183 | |
20699 | ||
20700 | Reviewed by Andreas Kling. | |
20701 | ||
20702 | Export appendQuotedJSONStringToBuilder. | |
20703 | ||
20704 | * bytecompiler/NodesCodegen.cpp: | |
20705 | (JSC::ObjectPatternNode::toString): | |
20706 | * runtime/JSONObject.cpp: | |
20707 | (JSC::appendQuotedJSONStringToBuilder): | |
20708 | (JSC::Stringifier::appendQuotedString): | |
20709 | (JSC::escapeStringToBuilder): Deleted. | |
20710 | * runtime/JSONObject.h: | |
20711 | ||
20712 | 2015-03-02 Joseph Pecoraro <pecoraro@apple.com> | |
20713 | ||
20714 | Web Inspector: Add Context Menus to Object Tree properties | |
20715 | https://bugs.webkit.org/show_bug.cgi?id=142125 | |
20716 | ||
20717 | Reviewed by Timothy Hatcher. | |
20718 | ||
20719 | * inspector/JSInjectedScriptHost.cpp: | |
20720 | (Inspector::JSInjectedScriptHost::functionDetails): | |
20721 | Update to include columnNumber. | |
20722 | ||
20723 | 2015-03-01 Filip Pizlo <fpizlo@apple.com> | |
20724 | ||
20725 | BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister | |
20726 | https://bugs.webkit.org/show_bug.cgi?id=142153 | |
20727 | ||
20728 | Reviewed by Michael Saboff. | |
20729 | ||
20730 | We don't need a op_resolve_scope if we know that it will simply return the scope register. | |
20731 | This changes the BytecodeGenerator to use the scope register directly in those cases where | |
20732 | we know statically that we would just have returned that from op_resolve_scope. | |
20733 | ||
20734 | This doesn't appear to have a significant impact on performance. | |
20735 | ||
20736 | * bytecode/CodeBlock.cpp: | |
20737 | (JSC::CodeBlock::CodeBlock): | |
20738 | * bytecompiler/BytecodeGenerator.cpp: | |
20739 | (JSC::BytecodeGenerator::emitResolveScope): | |
20740 | (JSC::BytecodeGenerator::emitReturn): | |
20741 | (JSC::BytecodeGenerator::emitGetOwnScope): Deleted. | |
20742 | * bytecompiler/BytecodeGenerator.h: | |
20743 | * bytecompiler/NodesCodegen.cpp: | |
20744 | (JSC::ResolveNode::emitBytecode): | |
20745 | (JSC::EvalFunctionCallNode::emitBytecode): | |
20746 | (JSC::FunctionCallResolveNode::emitBytecode): | |
20747 | (JSC::PostfixNode::emitResolve): | |
20748 | (JSC::DeleteResolveNode::emitBytecode): | |
20749 | (JSC::TypeOfResolveNode::emitBytecode): | |
20750 | (JSC::PrefixNode::emitResolve): | |
20751 | (JSC::ReadModifyResolveNode::emitBytecode): | |
20752 | (JSC::AssignResolveNode::emitBytecode): | |
20753 | (JSC::ConstDeclNode::emitCodeSingle): | |
20754 | (JSC::EmptyVarExpression::emitBytecode): | |
20755 | (JSC::ForInNode::emitLoopHeader): | |
20756 | (JSC::ForOfNode::emitBytecode): | |
20757 | (JSC::BindingNode::bindValue): | |
20758 | ||
20759 | 2015-02-27 Benjamin Poulain <bpoulain@apple.com> | |
20760 | ||
20761 | [JSC] Use the way number constants are written to help type speculation | |
20762 | https://bugs.webkit.org/show_bug.cgi?id=142072 | |
20763 | ||
20764 | Reviewed by Filip Pizlo. | |
20765 | ||
20766 | This patch changes how we interpret numeric constants based on how they appear | |
20767 | in the source. | |
20768 | ||
20769 | Constants that are integers but written with a decimal point now carry that information | |
20770 | to the optimizing tiers. From there, we use that to be more aggressive about typing | |
20771 | math operations toward double operations. | |
20772 | ||
20773 | For example, in: | |
20774 | var a = x + 1.0; | |
20775 | var b = y + 1; | |
20776 | The Add for a would be biased toward doubles, the Add for b would speculate | |
20777 | integer as usual. | |
20778 | ||
20779 | ||
20780 | The gains are tiny but this is a prerequisite to make my next patch useful: | |
20781 | -SunSpider's access-fannkuch: definitely 1.0661x faster | |
20782 | -SunSpider's math-cordic: definitely 1.0266x slower | |
20783 | overall: might be 1.0066x slower. | |
20784 | -Kraken's imaging-darkroom: definitely 1.0333x faster. | |
20785 | ||
20786 | * parser/Lexer.cpp: | |
20787 | (JSC::tokenTypeForIntegerLikeToken): | |
20788 | (JSC::Lexer<T>::lex): | |
20789 | The lexer now creates two types of tokens for numbers: INTEGER and DOUBLE. | |
20790 | Those token types only carry information about how the values were | |
20791 | entered; an INTEGER does not have to be an integer, it is only written like one. | |
20792 | Large integers still end up represented as doubles in memory. | |
20793 | ||
20794 | One trap I fell into was typing numbers like 12e3 as double. This kind of literal | |
20795 | is frequently used in integer-typed code, while 12.e3 would appear in double-typed | |
20796 | code. | |
20797 | Because of that, the only signals for double are: decimal point, negative zero, | |
20798 | and ridiculously large values. | |
20799 | ||
20800 | * parser/NodeConstructors.h: | |
20801 | (JSC::DoubleNode::DoubleNode): | |
20802 | (JSC::IntegerNode::IntegerNode): | |
20803 | * parser/Nodes.h: | |
20804 | (JSC::NumberNode::value): | |
20805 | (JSC::NumberNode::setValue): Deleted. | |
20806 | Numbers get specialized into two new kinds of nodes in the AST: IntegerNode and DoubleNode. | |
20807 | ||
20808 | * bytecompiler/NodesCodegen.cpp: | |
20809 | (JSC::NumberNode::emitBytecode): | |
20810 | ||
20811 | * parser/ASTBuilder.h: | |
20812 | (JSC::ASTBuilder::createDoubleExpr): | |
20813 | (JSC::ASTBuilder::createIntegerExpr): | |
20814 | (JSC::ASTBuilder::createIntegerLikeNumber): | |
20815 | (JSC::ASTBuilder::createDoubleLikeNumber): | |
20816 | (JSC::ASTBuilder::createNumberFromBinaryOperation): | |
20817 | (JSC::ASTBuilder::createNumberFromUnaryOperation): | |
20818 | (JSC::ASTBuilder::makeNegateNode): | |
20819 | (JSC::ASTBuilder::makeBitwiseNotNode): | |
20820 | (JSC::ASTBuilder::makeMultNode): | |
20821 | (JSC::ASTBuilder::makeDivNode): | |
20822 | (JSC::ASTBuilder::makeModNode): | |
20823 | (JSC::ASTBuilder::makeAddNode): | |
20824 | (JSC::ASTBuilder::makeSubNode): | |
20825 | (JSC::ASTBuilder::makeLeftShiftNode): | |
20826 | (JSC::ASTBuilder::makeRightShiftNode): | |
20827 | (JSC::ASTBuilder::makeURightShiftNode): | |
20828 | (JSC::ASTBuilder::makeBitOrNode): | |
20829 | (JSC::ASTBuilder::makeBitAndNode): | |
20830 | (JSC::ASTBuilder::makeBitXOrNode): | |
20831 | (JSC::ASTBuilder::createNumberExpr): Deleted. | |
20832 | (JSC::ASTBuilder::createNumber): Deleted. | |
20833 | The AST has some optimization to resolve constants before emitting bytecode. | |
20834 | In the new code, the integer representation is kept if both operands were | |
20835 | also represented as integers. | |
20836 | ||
20837 | * parser/Parser.cpp: | |
20838 | (JSC::Parser<LexerType>::parseDeconstructionPattern): | |
20839 | (JSC::Parser<LexerType>::parseProperty): | |
20840 | (JSC::Parser<LexerType>::parseGetterSetter): | |
20841 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
20842 | (JSC::Parser<LexerType>::printUnexpectedTokenText): | |
20843 | * parser/ParserTokens.h: | |
20844 | * parser/SyntaxChecker.h: | |
20845 | (JSC::SyntaxChecker::createDoubleExpr): | |
20846 | (JSC::SyntaxChecker::createIntegerExpr): | |
20847 | (JSC::SyntaxChecker::createNumberExpr): Deleted. | |
20848 | ||
20849 | * bytecode/CodeBlock.cpp: | |
20850 | (JSC::CodeBlock::registerName): | |
20851 | (JSC::CodeBlock::constantName): | |
20852 | Change constantName(r, getConstant(r)) -> constantName(r) to simplify | |
20853 | the dump code. | |
20854 | ||
20855 | (JSC::CodeBlock::dumpBytecode): | |
20856 | Dump the source representation information we have with each constant. | |
20857 | ||
20858 | (JSC::CodeBlock::CodeBlock): | |
20859 | (JSC::CodeBlock::shrinkToFit): | |
20860 | (JSC::constantName): Deleted. | |
20861 | * bytecode/CodeBlock.h: | |
20862 | (JSC::CodeBlock::constantsSourceCodeRepresentation): | |
20863 | (JSC::CodeBlock::addConstant): | |
20864 | (JSC::CodeBlock::addConstantLazily): | |
20865 | (JSC::CodeBlock::constantSourceCodeRepresentation): | |
20866 | (JSC::CodeBlock::setConstantRegisters): | |
20867 | ||
20868 | * bytecode/UnlinkedCodeBlock.h: | |
20869 | (JSC::UnlinkedCodeBlock::addConstant): | |
20870 | (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation): | |
20871 | (JSC::UnlinkedCodeBlock::shrinkToFit): | |
20872 | ||
20873 | * bytecompiler/BytecodeGenerator.cpp: | |
20874 | (JSC::BytecodeGenerator::addConstantValue): | |
20875 | (JSC::BytecodeGenerator::emitLoad): | |
20876 | * bytecompiler/BytecodeGenerator.h: | |
20877 | We have to differentiate between constants that have the same values but are | |
20878 | represented differently in the source. Values like 1.0 and 1 now end up | |
20879 | as different constants. | |
20880 | ||
20881 | * dfg/DFGByteCodeParser.cpp: | |
20882 | (JSC::DFG::ByteCodeParser::get): | |
20883 | (JSC::DFG::ByteCodeParser::addConstantToGraph): | |
20884 | * dfg/DFGGraph.cpp: | |
20885 | (JSC::DFG::Graph::registerFrozenValues): | |
20886 | * dfg/DFGGraph.h: | |
20887 | (JSC::DFG::Graph::addSpeculationMode): | |
20888 | (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): | |
20889 | ArithAdd is very aggressive toward using Int52, which is quite useful | |
20890 | in many benchmarks. | |
20891 | ||
20892 | Here we need to specialize to make sure we don't force our literals | |
20893 | to Int52 if they were represented as doubles. | |
20894 | ||
20895 | There is one exception to that rule: when the other operand is guaranteed | |
20896 | to come from a NodeResultInt32. This is because there is some weird code | |
20897 | doing stuff like: | |
20898 | var b = a|0; | |
20899 | var c = b*2.0; | |
20900 | ||
20901 | * dfg/DFGNode.h: | |
20902 | (JSC::DFG::Node::Node): | |
20903 | (JSC::DFG::Node::setOpAndDefaultFlags): | |
20904 | (JSC::DFG::Node::sourceCodeRepresentation): | |
20905 | * dfg/DFGPredictionPropagationPhase.cpp: | |
20906 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
20907 | * runtime/JSCJSValue.h: | |
20908 | (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue): | |
20909 | (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue): | |
20910 | (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue): | |
20911 | (JSC::EncodedJSValueWithRepresentationHash::hash): | |
20912 | (JSC::EncodedJSValueWithRepresentationHash::equal): | |
20913 | * tests/stress/arith-add-with-constants.js: Added. | |
20914 | * tests/stress/arith-mul-with-constants.js: Added. | |
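The literal classification and representation-preserving constant folding this entry describes, as an added C++ example that is not JSC's code. It assumes "ridiculously large" means the value does not survive a round trip through int64_t; lexNumber, foldBinary, negate and NumberRepr are constructed names, not JSC's.

```cpp
#include <cmath>
#include <cstdint>
#include <string>

// Constructed stand-in for the INTEGER / DOUBLE token and node split.
enum class NumberRepr { Integer, Double };

struct NumberConstant {
    double value;
    NumberRepr repr; // how the value was written, not what it is
};

// Assumption (the entry only says "ridiculously large"): a value is integer-like
// when it is not negative zero and survives a round trip through int64_t.
bool isIntegerLike(double value)
{
    if (value == 0 && std::signbit(value))
        return false; // negative zero is one of the double signals
    if (!(value > -9223372036854775808.0 && value < 9223372036854775808.0))
        return false; // too large for int64_t (also rejects NaN)
    return static_cast<double>(static_cast<int64_t>(value)) == value;
}

// Classifies a numeric literal the way the entry describes the lexer doing it:
// a decimal point forces DOUBLE, but an exponent alone ("12e3") does not, since
// integer-typed code uses that form. Literals carry no sign; unary minus is
// folded later by negate().
NumberConstant lexNumber(const std::string& literal)
{
    double value = std::stod(literal);
    bool hasDecimalPoint = literal.find('.') != std::string::npos;
    if (hasDecimalPoint || !isIntegerLike(value))
        return { value, NumberRepr::Double };
    return { value, NumberRepr::Integer };
}

// Constant folding that preserves representation: the result stays INTEGER only
// if both operands were written as integers and the result is still integer-like
// (so 1/2 becomes a double even though both operands were integers).
NumberConstant foldBinary(char op, NumberConstant a, NumberConstant b)
{
    double result;
    switch (op) {
    case '+': result = a.value + b.value; break;
    case '-': result = a.value - b.value; break;
    case '*': result = a.value * b.value; break;
    case '/': result = a.value / b.value; break;
    default: result = std::nan(""); break;
    }
    bool bothIntegers = a.repr == NumberRepr::Integer && b.repr == NumberRepr::Integer;
    NumberRepr repr = (bothIntegers && isIntegerLike(result)) ? NumberRepr::Integer
                                                              : NumberRepr::Double;
    return { result, repr };
}

// Unary minus folding: negating an integer 0 yields -0, which must become DOUBLE.
NumberConstant negate(NumberConstant a)
{
    double result = -a.value;
    NumberRepr repr = (a.repr == NumberRepr::Integer && isIntegerLike(result))
        ? NumberRepr::Integer : NumberRepr::Double;
    return { result, repr };
}
```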
20915 | ||
20916 | 2015-02-26 Filip Pizlo <fpizlo@apple.com> | |
20917 | ||
20918 | Unreviewed, roll out r180723. It broke a bunch of tests. | |
20919 | ||
20920 | * bytecompiler/BytecodeGenerator.cpp: | |
20921 | (JSC::BytecodeGenerator::constLocal): | |
20922 | * bytecompiler/BytecodeGenerator.h: | |
20923 | * bytecompiler/NodesCodegen.cpp: | |
20924 | (JSC::ConstDeclNode::emitCodeSingle): | |
20925 | * tests/stress/const-arguments.js: Removed. | |
20926 | ||
20927 | 2015-02-26 Mark Lam <mark.lam@apple.com> | |
20928 | ||
20929 | Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed. | |
20930 | <https://webkit.org/b/142064> | |
20931 | ||
20932 | Reviewed by Joseph Pecoraro. | |
20933 | ||
20934 | * bytecompiler/BytecodeGenerator.cpp: | |
20935 | (JSC::BytecodeGenerator::addVar): | |
20936 | ||
20937 | 2015-02-26 Mark Lam <mark.lam@apple.com> | |
20938 | ||
20939 | MachineThreads::Thread clean up has a use after free race condition. | |
20940 | <https://webkit.org/b/141990> | |
20941 | ||
20942 | Reviewed by Filip Pizlo. | |
20943 | ||
20944 | MachineThreads::Thread clean up relies on the clean up mechanism | |
20945 | implemented in _pthread_tsd_cleanup_key(), which looks like this: | |
20946 | ||
20947 | void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key) | |
20948 | { | |
20949 | void (*destructor)(void *); | |
20950 | if (_pthread_key_get_destructor(key, &destructor)) { | |
20951 | void **ptr = &self->tsd[key]; | |
20952 | void *value = *ptr; | |
20953 | ||
20954 | // === Start of window for the bug to manifest ================= | |
20955 | ||
20956 | // At this point, this thread has cached "destructor" and "value" | |
20957 | // (which is a MachineThreads*). If the VM gets destructed (along | |
20958 | // with its MachineThreads registry) by another thread, then this | |
20959 | // thread will have no way of knowing that the MachineThreads* is | |
20960 | // now pointing to freed memory. Calling the destructor below will | |
20961 | // therefore result in a use after free scenario when it tries to | |
20962 | // access the MachineThreads' data members. | |
20963 | ||
20964 | if (value) { | |
20965 | *ptr = NULL; | |
20966 | if (destructor) { | |
20967 | ||
20968 | // === End of window for the bug to manifest ================== | |
20969 | ||
20970 | destructor(value); | |
20971 | } | |
20972 | } | |
20973 | } | |
20974 | } | |
20975 | ||
20976 | The fix is to add each active MachineThreads to an ActiveMachineThreadsManager, | |
20977 | and always check if the manager still contains that MachineThreads object | |
20978 | before we call removeCurrentThread() on it. When MachineThreads is destructed, | |
20979 | it will remove itself from the manager. The add, remove, and checking | |
20980 | operations are all synchronized on the manager's lock, thereby ensuring that | |
20981 | the MachineThreads object, if found in the manager, will remain alive for the | |
20982 | duration of time we call removeCurrentThread() on it. | |
20983 | ||
20984 | It's also possible for the MachineThreads object to already be destructed | |
20985 | and for another one to have been instantiated at the same address. | |
20986 | Hence, we should only remove the exiting thread if it is found in the | |
20987 | MachineThreads object. | |
20988 | ||
20989 | There is no test for this issue because this bug requires a race condition | |
20990 | between 2 threads where: | |
20991 | 1. Thread B, which had previously used the VM, exiting and | |
20992 | getting to the bug window shown in _pthread_tsd_cleanup_key() above. | |
20993 | 2. Thread A destructing the VM (and its MachineThreads object) | |
20994 | within that window of time before Thread B calls the destructor. | |
20995 | ||
20996 | It is not possible to get a reliable test case without invasively | |
20997 | instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread() | |
20998 | to significantly increase that window of opportunity. | |
20999 | ||
21000 | * heap/MachineStackMarker.cpp: | |
21001 | (JSC::ActiveMachineThreadsManager::Locker::Locker): | |
21002 | (JSC::ActiveMachineThreadsManager::add): | |
21003 | (JSC::ActiveMachineThreadsManager::remove): | |
21004 | (JSC::ActiveMachineThreadsManager::contains): | |
21005 | (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): | |
21006 | (JSC::activeMachineThreadsManager): | |
21007 | (JSC::MachineThreads::MachineThreads): | |
21008 | (JSC::MachineThreads::~MachineThreads): | |
21009 | (JSC::MachineThreads::removeThread): | |
21010 | (JSC::MachineThreads::removeThreadIfFound): | |
21011 | (JSC::MachineThreads::removeCurrentThread): Deleted. | |
21012 | * heap/MachineStackMarker.h: | |
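The fix described in this entry, modelled as an added C++ example that is not JSC's code: a registry whose membership check and the call into the found object share one critical section, so the pointer an exiting thread cached inside the bug window is only compared, never dereferenced. ActiveManager, MachineThreadsDemo, threadExitCleanup and the scenario functions are constructed stand-ins for ActiveMachineThreadsManager, MachineThreads and the TSD destructor body.

```cpp
#include <cstdint>
#include <mutex>
#include <set>
#include <thread>

// Constructed names: ActiveManager, MachineThreadsDemo and threadExitCleanup
// stand in for ActiveMachineThreadsManager, MachineThreads and the body of the
// pthread TSD destructor. None of this is JSC's code.
class MachineThreadsDemo;

// Registry of live MachineThreadsDemo objects, keyed by address. The lookup and
// the call into a found object happen in one critical section, so a registered
// object cannot be destructed (it deregisters under the same lock) while in use.
class ActiveManager {
public:
    void add(MachineThreadsDemo* p) { std::lock_guard<std::mutex> g(m_lock); m_active.insert(key(p)); }
    void remove(MachineThreadsDemo* p) { std::lock_guard<std::mutex> g(m_lock); m_active.erase(key(p)); }
    // Calls fn(p) only if p is still registered; a stale pointer is compared, never dereferenced.
    template<typename Fn> bool withIfActive(MachineThreadsDemo* p, Fn fn)
    {
        std::lock_guard<std::mutex> g(m_lock);
        if (!m_active.count(key(p)))
            return false;
        fn(p);
        return true;
    }
private:
    static std::uintptr_t key(MachineThreadsDemo* p) { return reinterpret_cast<std::uintptr_t>(p); }
    std::mutex m_lock;
    std::set<std::uintptr_t> m_active;
};

// Process-wide singleton, like activeMachineThreadsManager() in the entry above.
ActiveManager& activeManager() { static ActiveManager manager; return manager; }

// Stand-in for MachineThreads: registers itself on construction, deregisters on
// destruction, and only forgets threads it actually knows about.
class MachineThreadsDemo {
public:
    MachineThreadsDemo() { activeManager().add(this); }
    ~MachineThreadsDemo() { activeManager().remove(this); }
    void addThread(std::thread::id id) { m_threads.insert(id); }
    // Mirrors removeThreadIfFound(): a thread this object never registered is
    // left alone, which matters when a new object reuses a destructed one's address.
    bool removeThreadIfFound(std::thread::id id) { return m_threads.erase(id) > 0; }
private:
    std::set<std::thread::id> m_threads;
};

enum class CleanupResult { ObjectGone, ThreadRemoved, ThreadNotFound };

// Stand-in for the TSD destructor body. `value` is the MachineThreads* cached by
// the exiting thread inside the bug window and may be stale by the time we run.
CleanupResult threadExitCleanup(void* value, std::thread::id id)
{
    auto* machineThreads = static_cast<MachineThreadsDemo*>(value);
    CleanupResult result = CleanupResult::ObjectGone;
    activeManager().withIfActive(machineThreads, [&](MachineThreadsDemo* p) {
        result = p->removeThreadIfFound(id) ? CleanupResult::ThreadRemoved
                                            : CleanupResult::ThreadNotFound;
    });
    return result;
}

// Scenario 1: the VM's registry is still alive when the thread exits (normal case).
CleanupResult scenarioLiveRegistry()
{
    MachineThreadsDemo machineThreads;
    std::thread::id self = std::this_thread::get_id();
    machineThreads.addThread(self);
    return threadExitCleanup(&machineThreads, self);
}

// Scenario 2: the VM was destructed between the thread caching the pointer and
// the destructor running (the window marked in the entry); the pointer is stale.
CleanupResult scenarioStaleRegistry()
{
    auto* machineThreads = new MachineThreadsDemo;
    std::thread::id self = std::this_thread::get_id();
    machineThreads->addThread(self);
    void* cached = machineThreads; // what the TSD slot handed to the destructor
    delete machineThreads;         // another thread tore the VM down
    return threadExitCleanup(cached, self);
}

// Scenario 3: a new registry may be allocated at the destructed one's address.
// Whether or not it is, the exiting thread must not be removed from an object
// that never registered it, so the result is never ThreadRemoved.
CleanupResult scenarioReusedAddress()
{
    auto* first = new MachineThreadsDemo;
    std::thread::id self = std::this_thread::get_id();
    first->addThread(self);
    void* cached = first;
    delete first;
    MachineThreadsDemo second; // may or may not land at first's address
    return threadExitCleanup(cached, self);
}
```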
21013 | ||
21014 | 2015-02-26 Joseph Pecoraro <pecoraro@apple.com> | |
21015 | ||
21016 | Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n) | |
21017 | https://bugs.webkit.org/show_bug.cgi?id=142061 | |
21018 | ||
21019 | Reviewed by Timothy Hatcher. | |
21020 | ||
21021 | * inspector/protocol/Debugger.json: | |
21022 | * inspector/protocol/Runtime.json: | |
21023 | Input flag "saveResult" on whether we should try to save a result. | |
21024 | Output int "savedResultIndex" to tell the frontend the saved state. | |
21025 | ||
21026 | * inspector/InjectedScriptSource.js: | |
21027 | Handle saving and clearing $1-$99 values. | |
21028 | Include in BasicCommandLineAPI for JSContext inspection. | |
21029 | ||
21030 | * inspector/InjectedScriptBase.cpp: | |
21031 | (Inspector::InjectedScriptBase::makeEvalCall): | |
21032 | * inspector/InjectedScriptBase.h: | |
21033 | Allow an optional "savedResultIndex" out value on evals. | |
21034 | ||
21035 | * inspector/InjectedScript.cpp: | |
21036 | (Inspector::InjectedScript::evaluate): | |
21037 | (Inspector::InjectedScript::evaluateOnCallFrame): | |
21038 | * inspector/InjectedScript.h: | |
21039 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
21040 | (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): | |
21041 | * inspector/agents/InspectorDebuggerAgent.h: | |
21042 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
21043 | (Inspector::InspectorRuntimeAgent::evaluate): | |
21044 | * inspector/agents/InspectorRuntimeAgent.h: | |
21045 | Plumbing for new in and out parameters. | |
21046 | ||
21047 | 2015-02-26 Filip Pizlo <fpizlo@apple.com> | |
21048 | ||
21049 | The bool returning form of BytecodeGenerator::addVar() can be removed | |
21050 | https://bugs.webkit.org/show_bug.cgi?id=142064 | |
21051 | ||
21052 | Reviewed by Mark Lam. | |
21053 | ||
21054 | It's easier to implement addVar() when you don't have to return whether it's a new | |
21055 | variable or not. | |
21056 | ||
21057 | * bytecompiler/BytecodeGenerator.cpp: | |
21058 | (JSC::BytecodeGenerator::addVar): | |
21059 | * bytecompiler/BytecodeGenerator.h: | |
21060 | (JSC::BytecodeGenerator::addVar): Deleted. | |
21061 | ||
21062 | 2015-02-26 Filip Pizlo <fpizlo@apple.com> | |
21063 | ||
21064 | Various array access corner cases should take OSR exit feedback | |
21065 | https://bugs.webkit.org/show_bug.cgi?id=142056 | |
21066 | ||
21067 | Reviewed by Geoffrey Garen. | |
21068 | ||
21069 | Two major changes here: | |
21070 | ||
21071 | - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array | |
21072 | type check. | |
21073 | ||
21074 | - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks, | |
21075 | like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on | |
21076 | arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by | |
21077 | the Generic array mode. | |
21078 | ||
21079 | * bytecode/ExitKind.cpp: | |
21080 | (JSC::exitKindToString): | |
21081 | * bytecode/ExitKind.h: | |
21082 | * dfg/DFGArrayMode.cpp: | |
21083 | (JSC::DFG::ArrayMode::refine): | |
21084 | * dfg/DFGFixupPhase.cpp: | |
21085 | (JSC::DFG::FixupPhase::fixupNode): | |
21086 | * dfg/DFGSpeculativeJIT.cpp: | |
21087 | (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): | |
21088 | (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): | |
21089 | * tests/stress/array-length-array-storage-plain-object.js: Added. | |
21090 | (foo): | |
21091 | * tests/stress/array-length-plain-object.js: Added. | |
21092 | (foo): | |
21093 | ||
21094 | 2015-02-25 Filip Pizlo <fpizlo@apple.com> | |
21095 | ||
21096 | DFG SSA stack accesses shouldn't speak of VariableAccessDatas | |
21097 | https://bugs.webkit.org/show_bug.cgi?id=142036 | |
21098 | ||
21099 | Reviewed by Michael Saboff. | |
21100 | ||
21101 | VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in | |
21102 | SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load | |
21103 | or store to the stack, and you know what format to use as well as the location, then prior to | |
21104 | this patch you couldn't do it unless you found some existing VariableAccessData that matched | |
21105 | your requirements. That can be a hard task. | |
21106 | ||
21107 | It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses | |
21108 | that speak of the things that a stack access needs: local, machineLocal, and format. This | |
21109 | patch changes the SSA way of accessing the stack to do just that. | |
21110 | ||
21111 | Also add more IR validation. | |
21112 | ||
21113 | * CMakeLists.txt: | |
21114 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
21115 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
21116 | * dfg/DFGAbstractInterpreterInlines.h: | |
21117 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
21118 | * dfg/DFGClobberize.h: | |
21119 | (JSC::DFG::clobberize): | |
21120 | * dfg/DFGConstantFoldingPhase.cpp: | |
21121 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
21122 | * dfg/DFGDoesGC.cpp: | |
21123 | (JSC::DFG::doesGC): | |
21124 | * dfg/DFGFixupPhase.cpp: | |
21125 | (JSC::DFG::FixupPhase::fixupNode): | |
21126 | * dfg/DFGFlushFormat.h: | |
21127 | (JSC::DFG::isConcrete): | |
21128 | * dfg/DFGGraph.cpp: | |
21129 | (JSC::DFG::Graph::dump): | |
21130 | * dfg/DFGGraph.h: | |
21131 | * dfg/DFGMayExit.cpp: | |
21132 | (JSC::DFG::mayExit): | |
21133 | * dfg/DFGNode.cpp: | |
21134 | (JSC::DFG::Node::hasVariableAccessData): | |
21135 | * dfg/DFGNode.h: | |
21136 | (JSC::DFG::StackAccessData::StackAccessData): | |
21137 | (JSC::DFG::StackAccessData::flushedAt): | |
21138 | (JSC::DFG::Node::convertToPutStack): | |
21139 | (JSC::DFG::Node::convertToGetStack): | |
21140 | (JSC::DFG::Node::hasUnlinkedLocal): | |
21141 | (JSC::DFG::Node::hasStackAccessData): | |
21142 | (JSC::DFG::Node::stackAccessData): | |
21143 | (JSC::DFG::Node::willHaveCodeGenOrOSR): | |
21144 | * dfg/DFGNodeType.h: | |
21145 | * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: | |
21146 | (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): | |
21147 | * dfg/DFGPlan.cpp: | |
21148 | (JSC::DFG::Plan::compileInThreadImpl): | |
21149 | * dfg/DFGPredictionPropagationPhase.cpp: | |
21150 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
21151 | * dfg/DFGPutLocalSinkingPhase.cpp: Removed. | |
21152 | * dfg/DFGPutLocalSinkingPhase.h: Removed. | |
21153 | * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp. | |
21154 | (JSC::DFG::performPutStackSinking): | |
21155 | (JSC::DFG::performPutLocalSinking): Deleted. | |
21156 | * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h. | |
21157 | * dfg/DFGSSAConversionPhase.cpp: | |
21158 | (JSC::DFG::SSAConversionPhase::run): | |
21159 | * dfg/DFGSafeToExecute.h: | |
21160 | (JSC::DFG::safeToExecute): | |
21161 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
21162 | (JSC::DFG::SpeculativeJIT::compile): | |
21163 | * dfg/DFGSpeculativeJIT64.cpp: | |
21164 | (JSC::DFG::SpeculativeJIT::compile): | |
21165 | * dfg/DFGStackLayoutPhase.cpp: | |
21166 | (JSC::DFG::StackLayoutPhase::run): | |
21167 | * dfg/DFGValidate.cpp: | |
21168 | (JSC::DFG::Validate::validate): | |
21169 | (JSC::DFG::Validate::validateCPS): | |
21170 | (JSC::DFG::Validate::validateSSA): | |
21171 | * dfg/DFGVirtualRegisterAllocationPhase.cpp: | |
21172 | (JSC::DFG::VirtualRegisterAllocationPhase::run): | |
21173 | * ftl/FTLCapabilities.cpp: | |
21174 | (JSC::FTL::canCompile): | |
21175 | * ftl/FTLLowerDFGToLLVM.cpp: | |
21176 | (JSC::FTL::LowerDFGToLLVM::lower): | |
21177 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
21178 | (JSC::FTL::LowerDFGToLLVM::compileGetStack): | |
21179 | (JSC::FTL::LowerDFGToLLVM::compilePutStack): | |
21180 | (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted. | |
21181 | (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted. | |
21182 | * ftl/FTLOSRExit.h: | |
21183 | * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it. | |
21184 | (foo): | |
21185 | (bar): | |
21186 | (baz): | |
21187 | (fuzz): | |
21188 | (buzz): | |
21189 | ||
21190 | 2015-02-26 Mark Lam <mark.lam@apple.com> | |
21191 | ||
21192 | Rolling out r180602, r180608, r180613, r180617, r180671. | |
21193 | <https://webkit.org/b/141990> | |
21194 | ||
21195 | Not reviewed. | |
21196 | ||
21197 | The r180602 solution does result in more work for GC when worker | |
21198 | threads are in use. Filip is uncomfortable with that. | |
21199 | The EFL and GTK ports also seem to be unhappy with this change. | |
21200 | Rolling out while we investigate. | |
21201 | ||
21202 | * heap/Heap.cpp: | |
21203 | (JSC::Heap::Heap): | |
21204 | (JSC::Heap::gatherStackRoots): | |
21205 | (JSC::Heap::machineThreads): Deleted. | |
21206 | * heap/Heap.h: | |
21207 | (JSC::Heap::machineThreads): | |
21208 | * heap/MachineStackMarker.cpp: | |
21209 | (JSC::MachineThreads::MachineThreads): | |
21210 | (JSC::MachineThreads::~MachineThreads): | |
21211 | (JSC::MachineThreads::addCurrentThread): | |
21212 | * heap/MachineStackMarker.h: | |
21213 | * runtime/JSLock.cpp: | |
21214 | (JSC::JSLock::didAcquireLock): | |
21215 | ||
21216 | 2015-02-26 Myles C. Maxfield <mmaxfield@apple.com> | |
21217 | ||
21218 | [Mac] [iOS] Parsing support for -apple-trailing-word | |
21219 | https://bugs.webkit.org/show_bug.cgi?id=141939 | |
21220 | ||
21221 | Reviewed by Andreas Kling. | |
21222 | ||
21223 | * Configurations/FeatureDefines.xcconfig: | |
21224 | ||
21225 | 2015-02-26 Michael Saboff <msaboff@apple.com> | |
21226 | ||
21227 | [Win] Debug-only JavaScriptCore failures | |
21228 | https://bugs.webkit.org/show_bug.cgi?id=142045 | |
21229 | ||
21230 | Rubber stamped by Filip Pizlo. | |
21231 | ||
21232 | Reduced loop count to a more reasonable value of 10,000. This still gets us to tier up | |
21233 | to the FTL, but doesn't take too long to run. | |
21234 | ||
21235 | * tests/stress/repeated-arity-check-fail.js: | |
21236 | ||
21237 | 2015-02-26 Brent Fulgham <bfulgham@apple.com> | |
21238 | ||
21239 | [Win] Make build logs more legible by reducing noise | |
21240 | https://bugs.webkit.org/show_bug.cgi?id=142034 | |
21241 | ||
21242 | Reviewed by Alexey Proskuryakov. | |
21243 | ||
21244 | Modify batch files, makefiles, and DOS commands to remove | |
21245 | uninteresting/unhelpful output. | |
21246 | ||
21247 | * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: | |
21248 | * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: | |
21249 | * JavaScriptCore.vcxproj/copy-files.cmd: | |
21250 | * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: | |
21251 | * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: | |
21252 | * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: | |
21253 | * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: | |
21254 | * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: | |
21255 | * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: | |
21256 | * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: | |
21257 | * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: | |
21258 | ||
21259 | 2015-02-26 Csaba Osztrogonác <ossy@webkit.org> | |
21260 | ||
21261 | Add calleeSaveRegisters() implementation for ARM Traditional | |
21262 | https://bugs.webkit.org/show_bug.cgi?id=141903 | |
21263 | ||
21264 | Reviewed by Darin Adler. | |
21265 | ||
21266 | * jit/RegisterSet.cpp: | |
21267 | (JSC::RegisterSet::calleeSaveRegisters): | |
21268 | ||
21269 | 2015-02-25 Michael Saboff <msaboff@apple.com> | |
21270 | ||
21271 | Web Inspector: CRASH when debugger pauses inside a Promise handler | |
21272 | https://bugs.webkit.org/show_bug.cgi?id=141396 | |
21273 | ||
21274 | Reviewed by Mark Lam. | |
21275 | ||
21276 | For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to | |
21277 | create the DebuggerScope for that frame. | |
21278 | ||
21279 | * debugger/DebuggerCallFrame.cpp: | |
21280 | (JSC::DebuggerCallFrame::scope): | |
21281 | ||
21282 | 2015-02-25 Filip Pizlo <fpizlo@apple.com> | |
21283 | ||
21284 | DFG abstract heaps should respect the difference between heap and stack | |
21285 | https://bugs.webkit.org/show_bug.cgi?id=142022 | |
21286 | ||
21287 | Reviewed by Geoffrey Garen. | |
21288 | ||
21289 | We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world | |
21290 | clobbering" operation cannot write to our stack, but may be able to read from it. This | |
21291 | means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that | |
21292 | subsumes all that World previously subsumed, and a new notion of Stack that is a subtype | |
21293 | of World and a sibling of Heap. | |
21294 | ||
21295 | So, henceforth "clobbering the world" means reading World and writing Heap. | |
21296 | ||
21297 | This makes a bunch of changes to make this work, including changing the implementation of | |
21298 | disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting | |
21299 | a slow-down, but I measured the heck out of this and found no perf difference. | |
21300 | ||
21301 | * dfg/DFGAbstractHeap.cpp: | |
21302 | (JSC::DFG::AbstractHeap::dump): | |
21303 | * dfg/DFGAbstractHeap.h: | |
21304 | (JSC::DFG::AbstractHeap::supertype): | |
21305 | (JSC::DFG::AbstractHeap::isStrictSubtypeOf): | |
21306 | (JSC::DFG::AbstractHeap::isSubtypeOf): | |
21307 | (JSC::DFG::AbstractHeap::overlaps): | |
21308 | (JSC::DFG::AbstractHeap::isDisjoint): | |
21309 | * dfg/DFGClobberize.cpp: | |
21310 | (JSC::DFG::clobbersHeap): | |
21311 | (JSC::DFG::clobbersWorld): Deleted. | |
21312 | * dfg/DFGClobberize.h: | |
21313 | (JSC::DFG::clobberize): | |
21314 | * dfg/DFGDoesGC.cpp: | |
21315 | (JSC::DFG::doesGC): | |
21316 | ||
21317 | 2015-02-25 Ryosuke Niwa <rniwa@webkit.org> | |
21318 | ||
21319 | REGRESSION(r180595): construct varargs fails in FTL | |
21320 | https://bugs.webkit.org/show_bug.cgi?id=142030 | |
21321 | ||
21322 | Reviewed by Geoffrey Garen. | |
21323 | ||
21324 | The bug was caused by the IC size being too small for construct_varargs even though we've added a new argument. | |
21325 | Fixed the bug by increasing the IC size to match call_varargs. | |
21326 | ||
21327 | * ftl/FTLInlineCacheSize.cpp: | |
21328 | (JSC::FTL::sizeOfConstructVarargs): | |
21329 | ||
21330 | 2015-02-25 Mark Lam <mark.lam@apple.com> | |
21331 | ||
21332 | ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack. | |
21333 | <https://webkit.org/b/141672> | |
21334 | ||
21335 | Reviewed by Alexey Proskuryakov. | |
21336 | ||
21337 | ASan does not like the fact that we memcpy the stack for GC scans. So, | |
21338 | we're working around this by using our own memcpy (asanUnsafeMemcpy) | |
21339 | implementation that we can tell ASan to ignore. | |
21340 | ||
21341 | * heap/MachineStackMarker.cpp: | |
21342 | (JSC::asanUnsafeMemcpy): | |
21343 | ||
21344 | 2015-02-25 Benjamin Poulain <bpoulain@apple.com> | |
21345 | ||
21346 | CodeBlock crashes when dumping op_push_name_scope | |
21347 | https://bugs.webkit.org/show_bug.cgi?id=141953 | |
21348 | ||
21349 | Reviewed by Filip Pizlo and Csaba Osztrogonác. | |
21350 | ||
21351 | * bytecode/CodeBlock.cpp: | |
21352 | (JSC::CodeBlock::dumpBytecode): | |
21353 | * tests/stress/op-push-name-scope-crashes-profiler.js: Added. | |
21354 | ||
21355 | 2015-02-25 Benjamin Poulain <benjamin@webkit.org> | |
21356 | ||
21357 | Make ParserError immutable by design | |
21358 | https://bugs.webkit.org/show_bug.cgi?id=141955 | |
21359 | ||
21360 | Reviewed by Geoffrey Garen. | |
21361 | ||
21362 | This patch enforces that no field of ParserError can | |
21363 | be modified after the constructor. | |
21364 | ||
21365 | * parser/ParserError.h: | |
21366 | Move the attributes to pack the integer + 2 bytes together. | |
21367 | This is irrelevant for memory impact; it is to remove a load-store | |
21368 | when copying by value. | |
21369 | ||
21370 | Also move the attributes to be private. | |
21371 | ||
21372 | (JSC::ParserError::isValid): | |
21373 | No client of the interface cared about the type of the error; | |
21374 | the only information needed was: is there an error. | |
21375 | ||
21376 | (JSC::ParserError::ParserError): | |
21377 | (JSC::ParserError::syntaxErrorType): | |
21378 | (JSC::ParserError::token): | |
21379 | (JSC::ParserError::message): | |
21380 | (JSC::ParserError::line): | |
21381 | (JSC::ParserError::toErrorObject): | |
21382 | * API/JSScriptRef.cpp: | |
21383 | * builtins/BuiltinExecutables.cpp: | |
21384 | (JSC::BuiltinExecutables::createBuiltinExecutable): | |
21385 | * bytecode/UnlinkedCodeBlock.cpp: | |
21386 | (JSC::generateFunctionCodeBlock): | |
21387 | (JSC::UnlinkedFunctionExecutable::fromGlobalCode): | |
21388 | (JSC::UnlinkedFunctionExecutable::codeBlockFor): | |
21389 | * bytecode/UnlinkedCodeBlock.h: | |
21390 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
21391 | (Inspector::InspectorRuntimeAgent::parse): | |
21392 | * jsc.cpp: | |
21393 | (runInteractive): | |
21394 | * parser/Parser.h: | |
21395 | (JSC::parse): | |
21396 | * runtime/CodeCache.cpp: | |
21397 | (JSC::CodeCache::getGlobalCodeBlock): | |
21398 | (JSC::CodeCache::getFunctionExecutableFromGlobalCode): | |
21399 | * runtime/CodeCache.h: | |
21400 | * runtime/Completion.h: | |
21401 | * runtime/Executable.cpp: | |
21402 | (JSC::ProgramExecutable::checkSyntax): | |
21403 | * runtime/JSGlobalObject.cpp: | |
21404 | (JSC::JSGlobalObject::createProgramCodeBlock): | |
21405 | (JSC::JSGlobalObject::createEvalCodeBlock): | |
21406 | ||
21407 | 2015-02-25 Filip Pizlo <fpizlo@apple.com> | |
21408 | ||
21409 | Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux | |
21410 | https://bugs.webkit.org/show_bug.cgi?id=142006 | |
21411 | ||
21412 | Reviewed by Csaba Osztrogonác. | |
21413 | ||
21414 | This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and | |
21415 | concurrent JIT enabled. | |
21416 | ||
21417 | * llvm/InitializeLLVMPOSIX.cpp: | |
21418 | (JSC::initializeLLVMPOSIX): | |
21419 | ||
21420 | 2015-02-24 Filip Pizlo <fpizlo@apple.com> | |
21421 | ||
21422 | CMake build of libllvmForJSC.so should limit its export list like the Xcode build does | |
21423 | https://bugs.webkit.org/show_bug.cgi?id=141989 | |
21424 | ||
21425 | Reviewed by Gyuyoung Kim. | |
21426 | ||
21427 | * CMakeLists.txt: | |
21428 | * llvm/library/libllvmForJSC.version: Added. | |
21429 | ||
21430 | 2015-02-24 Alexey Proskuryakov <ap@apple.com> | |
21431 | ||
21432 | More iOS build fix after r180602. | |
21433 | ||
21434 | * heap/Heap.h: Export Heap::machineThreads(). | |
21435 | ||
21436 | 2015-02-24 Brent Fulgham <bfulgham@apple.com> | |
21437 | ||
21438 | Unreviewed build fix after r180602. | |
21439 | ||
21440 | * heap/MachineStackMarker.h: Add missing 'no return' | |
21441 | declaration for Windows. | |
21442 | ||
21443 | 2015-02-24 Commit Queue <commit-queue@webkit.org> | |
21444 | ||
21445 | Unreviewed, rolling out r180599. | |
21446 | https://bugs.webkit.org/show_bug.cgi?id=141998 | |
21447 | ||
21448 | Lots of new test failures (Requested by smfr on #webkit). | |
21449 | ||
21450 | Reverted changeset: | |
21451 | ||
21452 | "Parsing support for -webkit-trailing-word" | |
21453 | https://bugs.webkit.org/show_bug.cgi?id=141939 | |
21454 | http://trac.webkit.org/changeset/180599 | |
21455 | ||
21456 | 2015-02-24 Mark Lam <mark.lam@apple.com> | |
21457 | ||
21458 | MachineThreads::Thread clean up has a use after free race condition. | |
21459 | <https://webkit.org/b/141990> | |
21460 | ||
21461 | Reviewed by Michael Saboff. | |
21462 | ||
21463 | MachineThreads::Thread clean up relies on the clean up mechanism | |
21464 | implemented in _pthread_tsd_cleanup_key(), which looks like this: | |
21465 | ||
21466 | void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key) | |
21467 | { | |
21468 | void (*destructor)(void *); | |
21469 | if (_pthread_key_get_destructor(key, &destructor)) { | |
21470 | void **ptr = &self->tsd[key]; | |
21471 | void *value = *ptr; | |
21472 | ||
21473 | // At this point, this thread has cached "destructor" and "value" | |
21474 | // (which is a MachineThreads*). If the VM gets destructed (along | |
21475 | // with its MachineThreads registry) by another thread, then this | |
21476 | // thread will have no way of knowing that the MachineThreads* is | |
21477 | // now pointing to freed memory. Calling the destructor below will | |
21478 | // therefore result in a use after free scenario when it tries to | |
21479 | // access the MachineThreads' data members. | |
21480 | ||
21481 | if (value) { | |
21482 | *ptr = NULL; | |
21483 | if (destructor) { | |
21484 | destructor(value); | |
21485 | } | |
21486 | } | |
21487 | } | |
21488 | } | |
21489 | ||
21490 | The solution is simply to change MachineThreads from a per-VM thread | |
21491 | registry to a process-global singleton thread registry, i.e. the | |
21492 | MachineThreads registry is now immortal and we cannot have a use after | |
21493 | free scenario since we never free it. | |
21494 | ||
21495 | The cost of this change is that all VM instances will have to scan | |
21496 | stacks of all threads ever touched by a VM, and not just those that | |
21497 | touched a specific VM. However, stacks tend to be shallow. Hence, | |
21498 | those additional scans will tend to be cheap. | |
21499 | ||
21500 | Secondly, it is not common for there to be multiple JSC VMs in use | |
21501 | concurrently on multiple threads. Hence, this cost should rarely | |
21502 | manifest in real world applications. | |
21503 | ||
21504 | * heap/Heap.cpp: | |
21505 | (JSC::Heap::Heap): | |
21506 | (JSC::Heap::machineThreads): | |
21507 | (JSC::Heap::gatherStackRoots): | |
21508 | * heap/Heap.h: | |
21509 | (JSC::Heap::machineThreads): Deleted. | |
21510 | * heap/MachineStackMarker.cpp: | |
21511 | (JSC::MachineThreads::MachineThreads): | |
21512 | (JSC::MachineThreads::~MachineThreads): | |
21513 | (JSC::MachineThreads::addCurrentThread): | |
21514 | * heap/MachineStackMarker.h: | |
21515 | * runtime/JSLock.cpp: | |
21516 | (JSC::JSLock::didAcquireLock): | |
21517 | ||
21518 | 2015-02-24 Myles C. Maxfield <mmaxfield@apple.com> | |
21519 | ||
21520 | [Mac] [iOS] Parsing support for -apple-trailing-word | |
21521 | https://bugs.webkit.org/show_bug.cgi?id=141939 | |
21522 | ||
21523 | Reviewed by Andreas Kling. | |
21524 | ||
21525 | * Configurations/FeatureDefines.xcconfig: | |
21526 | ||
21527 | 2015-02-24 Ryosuke Niwa <rniwa@webkit.org> | |
21528 | ||
21529 | Use "this" instead of "callee" to get the constructor | |
21530 | https://bugs.webkit.org/show_bug.cgi?id=141019 | |
21531 | ||
21532 | Reviewed by Filip Pizlo. | |
21533 | ||
21534 | This patch uses the "this" register to pass the constructor (newTarget) to op_create_this from | |
21535 | op_construct or op_construct_varargs. This will allow future patches that implement ES6 classes | |
21536 | to pass in the most derived class' constructor through the "this" argument. | |
21537 | ||
21538 | BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like | |
21539 | regular calls, and emitCreateThis passes in the this register to op_create_this as the constructor. | |
21540 | ||
21541 | The rest of the code change removes the code for special-casing the "this" register not being used | |
21542 | in calls to construct. | |
21543 | ||
21544 | * bytecode/BytecodeUseDef.h: | |
21545 | (JSC::computeUsesForBytecodeOffset): | |
21546 | * bytecompiler/BytecodeGenerator.cpp: | |
21547 | (JSC::BytecodeGenerator::emitCreateThis): | |
21548 | (JSC::BytecodeGenerator::emitConstructVarargs): | |
21549 | (JSC::BytecodeGenerator::emitConstruct): | |
21550 | * bytecompiler/BytecodeGenerator.h: | |
21551 | * bytecompiler/NodesCodegen.cpp: | |
21552 | (JSC::NewExprNode::emitBytecode): | |
21553 | * dfg/DFGByteCodeParser.cpp: | |
21554 | (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult): | |
21555 | (JSC::DFG::ByteCodeParser::handleVarargsCall): | |
21556 | (JSC::DFG::ByteCodeParser::emitArgumentPhantoms): | |
21557 | (JSC::DFG::ByteCodeParser::attemptToInlineCall): | |
21558 | (JSC::DFG::ByteCodeParser::handleInlining): | |
21559 | (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): | |
21560 | (JSC::DFG::ByteCodeParser::parseBlock): | |
21561 | * dfg/DFGJITCode.cpp: | |
21562 | (JSC::DFG::JITCode::reconstruct): | |
21563 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
21564 | (JSC::DFG::SpeculativeJIT::emitCall): | |
21565 | * dfg/DFGSpeculativeJIT64.cpp: | |
21566 | (JSC::DFG::SpeculativeJIT::emitCall): | |
21567 | * ftl/FTLJSCallVarargs.cpp: | |
21568 | (JSC::FTL::JSCallVarargs::emit): | |
21569 | * ftl/FTLLowerDFGToLLVM.cpp: | |
21570 | (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): | |
21571 | (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): | |
21572 | (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs): | |
21573 | * interpreter/Interpreter.cpp: | |
21574 | (JSC::Interpreter::executeConstruct): | |
21575 | * jit/JITOperations.cpp: | |
21576 | ||
21577 | 2015-02-24 Joseph Pecoraro <pecoraro@apple.com> | |
21578 | ||
21579 | Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent | |
21580 | https://bugs.webkit.org/show_bug.cgi?id=141587 | |
21581 | ||
21582 | Reviewed by Timothy Hatcher. | |
21583 | ||
21584 | Convert getProperties(ownAndGetterProperties) to getDisplayableProperties(). | |
21585 | Mark PropertyDescriptors that are presumed to be native getters / bindings | |
21586 | separately so that the frontend may display them differently. | |
21587 | ||
21588 | * inspector/InjectedScript.cpp: | |
21589 | (Inspector::InjectedScript::getProperties): | |
21590 | (Inspector::InjectedScript::getDisplayableProperties): | |
21591 | * inspector/InjectedScript.h: | |
21592 | * inspector/InjectedScriptSource.js: | |
21593 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
21594 | (Inspector::InspectorRuntimeAgent::getProperties): | |
21595 | (Inspector::InspectorRuntimeAgent::getDisplayableProperties): | |
21596 | * inspector/agents/InspectorRuntimeAgent.h: | |
21597 | * inspector/protocol/Runtime.json: | |
21598 | ||
21599 | 2015-02-24 Mark Lam <mark.lam@apple.com> | |
21600 | ||
21601 | Rolling out r179753. The fix was invalid. | |
21602 | <https://webkit.org/b/141990> | |
21603 | ||
21604 | Not reviewed. | |
21605 | ||
21606 | * API/tests/testapi.mm: | |
21607 | (threadMain): | |
21608 | (useVMFromOtherThread): Deleted. | |
21609 | (useVMFromOtherThreadAndOutliveVM): Deleted. | |
21610 | * heap/Heap.cpp: | |
21611 | (JSC::Heap::Heap): | |
21612 | (JSC::Heap::~Heap): | |
21613 | (JSC::Heap::gatherStackRoots): | |
21614 | * heap/Heap.h: | |
21615 | (JSC::Heap::machineThreads): | |
21616 | * heap/MachineStackMarker.cpp: | |
21617 | (JSC::MachineThreads::Thread::Thread): | |
21618 | (JSC::MachineThreads::MachineThreads): | |
21619 | (JSC::MachineThreads::~MachineThreads): | |
21620 | (JSC::MachineThreads::addCurrentThread): | |
21621 | (JSC::MachineThreads::removeThread): | |
21622 | (JSC::MachineThreads::removeCurrentThread): | |
21623 | * heap/MachineStackMarker.h: | |
21624 | ||
21625 | 2015-02-24 Yusuke Suzuki <utatane.tea@gmail.com> | |
21626 | ||
21627 | Constructor returning null should construct an object instead of null | |
21628 | https://bugs.webkit.org/show_bug.cgi?id=141640 | |
21629 | ||
21630 | Reviewed by Filip Pizlo. | |
21631 | ||
21632 | When constructor code doesn't return an object, the constructor should return the `this` object instead. | |
21633 | Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`, | |
21634 | it allows `null` as an object. | |
21635 | This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases. | |
21636 | Instead, the constructor uses the simplified `is_object`. | |
21637 | ||
21638 | As a result, `op_is_object` becomes fairly simple, so we introduce an optimization for `op_is_object`. | |
21639 | ||
21640 | 1. LLInt and the baseline JIT support `op_is_object` as a fast path. | |
21641 | 2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects. | |
21642 | 3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function. | |
21643 | 4. The FTL lowers the DFG's IsObject into LLVM IR. | |
21644 | ||
21645 | At the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others | |
21646 | in LLInt, JIT, DFG and FTL. | |
21647 | Before introducing ES6 Symbol, JSCell was only used for objects and strings in the user-observable area. | |
21648 | So in many places, when the cell is not an object, we recognize it as a string, and vice versa. | |
21649 | However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken. | |
21650 | So this patch stops using !isString as isObject. | |
21651 | To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure, | |
21652 | we examine the typeInfo in JSCell. | |
21653 | ||
21654 | * JavaScriptCore.order: | |
21655 | * bytecode/BytecodeList.json: | |
21656 | * bytecode/BytecodeUseDef.h: | |
21657 | (JSC::computeUsesForBytecodeOffset): | |
21658 | (JSC::computeDefsForBytecodeOffset): | |
21659 | * bytecode/CodeBlock.cpp: | |
21660 | (JSC::CodeBlock::dumpBytecode): | |
21661 | * bytecode/PutByIdStatus.cpp: | |
21662 | (JSC::PutByIdStatus::computeFor): | |
21663 | * bytecompiler/BytecodeGenerator.cpp: | |
21664 | (JSC::BytecodeGenerator::emitEqualityOp): | |
21665 | (JSC::BytecodeGenerator::emitReturn): | |
21666 | * dfg/DFGAbstractInterpreterInlines.h: | |
21667 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
21668 | * dfg/DFGByteCodeParser.cpp: | |
21669 | (JSC::DFG::ByteCodeParser::parseBlock): | |
21670 | * dfg/DFGCapabilities.cpp: | |
21671 | (JSC::DFG::capabilityLevel): | |
21672 | * dfg/DFGClobberize.h: | |
21673 | (JSC::DFG::clobberize): | |
21674 | ||
21675 | The IsObject operation only touches the JSCell typeInfoType. | |
21676 | And this value would be changed through a structure transition. | |
21677 | As a result, IsObject can report that it doesn't read any information. | |
21678 | ||
21679 | * dfg/DFGConstantFoldingPhase.cpp: | |
21680 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
21681 | * dfg/DFGDoesGC.cpp: | |
21682 | (JSC::DFG::doesGC): | |
21683 | * dfg/DFGFixupPhase.cpp: | |
21684 | (JSC::DFG::FixupPhase::fixupNode): | |
21685 | ||
21686 | Just like IsString, IsObject is also fixed up. | |
21687 | ||
21688 | * dfg/DFGHeapLocation.cpp: | |
21689 | (WTF::printInternal): | |
21690 | * dfg/DFGHeapLocation.h: | |
21691 | * dfg/DFGNodeType.h: | |
21692 | * dfg/DFGOperations.cpp: | |
21693 | * dfg/DFGOperations.h: | |
21694 | * dfg/DFGPredictionPropagationPhase.cpp: | |
21695 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
21696 | * dfg/DFGSafeToExecute.h: | |
21697 | (JSC::DFG::safeToExecute): | |
21698 | * dfg/DFGSpeculativeJIT.cpp: | |
21699 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): | |
21700 | (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): | |
21701 | (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): | |
21702 | (JSC::DFG::SpeculativeJIT::compileToStringOnCell): | |
21703 | (JSC::DFG::SpeculativeJIT::speculateObject): | |
21704 | (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): | |
21705 | (JSC::DFG::SpeculativeJIT::speculateString): | |
21706 | (JSC::DFG::SpeculativeJIT::speculateNotStringVar): | |
21707 | (JSC::DFG::SpeculativeJIT::emitSwitchChar): | |
21708 | (JSC::DFG::SpeculativeJIT::emitSwitchString): | |
21709 | (JSC::DFG::SpeculativeJIT::branchIsObject): | |
21710 | (JSC::DFG::SpeculativeJIT::branchNotObject): | |
21711 | (JSC::DFG::SpeculativeJIT::branchIsString): | |
21712 | (JSC::DFG::SpeculativeJIT::branchNotString): | |
21713 | * dfg/DFGSpeculativeJIT.h: | |
21714 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
21715 | (JSC::DFG::SpeculativeJIT::compileObjectEquality): | |
21716 | (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): | |
21717 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): | |
21718 | (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): | |
21719 | (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): | |
21720 | (JSC::DFG::SpeculativeJIT::compile): | |
21721 | * dfg/DFGSpeculativeJIT64.cpp: | |
21722 | (JSC::DFG::SpeculativeJIT::compileObjectEquality): | |
21723 | (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): | |
21724 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): | |
21725 | (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): | |
21726 | (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): | |
21727 | (JSC::DFG::SpeculativeJIT::compile): | |
21728 | * ftl/FTLCapabilities.cpp: | |
21729 | (JSC::FTL::canCompile): | |
21730 | * ftl/FTLLowerDFGToLLVM.cpp: | |
21731 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
21732 | (JSC::FTL::LowerDFGToLLVM::compileToString): | |
21733 | (JSC::FTL::LowerDFGToLLVM::compileIsObject): | |
21734 | (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull): | |
21735 | (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject): | |
21736 | (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): | |
21737 | (JSC::FTL::LowerDFGToLLVM::isObject): | |
21738 | (JSC::FTL::LowerDFGToLLVM::isNotObject): | |
21739 | (JSC::FTL::LowerDFGToLLVM::isNotString): | |
21740 | (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): | |
21741 | * jit/JIT.cpp: | |
21742 | (JSC::JIT::privateCompileMainPass): | |
21743 | * jit/JIT.h: | |
21744 | * jit/JITInlines.h: | |
21745 | (JSC::JIT::emitJumpIfCellObject): | |
21746 | * jit/JITOpcodes.cpp: | |
21747 | (JSC::JIT::emit_op_is_object): | |
21748 | (JSC::JIT::emit_op_to_primitive): | |
21749 | * jit/JITOpcodes32_64.cpp: | |
21750 | (JSC::JIT::emit_op_is_object): | |
21751 | (JSC::JIT::emit_op_to_primitive): | |
21752 | (JSC::JIT::compileOpStrictEq): | |
21753 | * llint/LowLevelInterpreter.asm: | |
21754 | * llint/LowLevelInterpreter32_64.asm: | |
21755 | * llint/LowLevelInterpreter64.asm: | |
21756 | * runtime/CommonSlowPaths.cpp: | |
21757 | (JSC::SLOW_PATH_DECL): | |
21758 | * runtime/CommonSlowPaths.h: | |
21759 | * runtime/Operations.cpp: | |
21760 | (JSC::jsIsObjectTypeOrNull): | |
21761 | (JSC::jsIsObjectType): Deleted. | |
21762 | * runtime/Operations.h: | |
21763 | * tests/stress/constructor-with-return.js: Added. | |
21764 | (Test): | |
21765 | ||
21766 | When a constructor doesn't return an object, `this` should be returned instead. | |
21767 | In this test, we check all primitives, and test object, array and wrappers. | |
21768 | ||
21769 | * tests/stress/dfg-to-primitive-pass-symbol.js: Added. | |
21770 | (toPrimitiveTarget): | |
21771 | (doToPrimitive): | |
21772 | ||
21773 | The op_to_primitive operation passes Symbol in the fast path. | |
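The predicate split this entry describes, as an added JavaScript example that is not JavaScriptCore's code: `isObjectOrNull` models the `typeof`-style check that lets `null` through, `isObject` the check a constructor's return needs, and `constructWith` the return rule; `isCellLike` and `isObjectViaNotString` stand in for the retired "!isString means isObject" shortcut that misclassifies a Symbol. All function names are this example's assumptions.

```javascript
// Added example (not JavaScriptCore's own code): models the two "is object"
// predicates the entry above separates and the constructor-return rule that
// motivated the split. All names here are this example's, not JSC's.

// What `typeof` needs: typeof null is "object", so null passes. This is what
// the entry keeps for the `typeof` use case (op_is_object_or_null).
function isObjectOrNull(v) {
  return typeof v === "object";
}

// What a constructor's return check needs: any object, functions included
// (they are objects too), but never null.
function isObject(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// Stand-in for "this value is a JSCell": strings, symbols and objects. Before
// Symbol existed, a cell was an object exactly when it was not a string.
function isCellLike(v) {
  const t = typeof v;
  return (t === "object" && v !== null) || t === "function" ||
    t === "string" || t === "symbol";
}

// The pre-Symbol shortcut "!isString means isObject" that the entry retires;
// it wrongly classifies a Symbol as an object.
function isObjectViaNotString(v) {
  return isCellLike(v) && typeof v !== "string";
}

// Emulates the constructor protocol: run F with a fresh `this`, keep F's
// return value only if `predicate` accepts it, otherwise hand back `this`.
function constructWith(predicate, F, args = []) {
  const thisObject = Object.create(F.prototype);
  const result = F.apply(thisObject, args);
  return predicate(result) ? result : thisObject;
}

// Constructed sample return values, mirroring what the entry's test covers:
// every primitive, plus an object, an array, a wrapper and a function.
const RETURN_VALUES = {
  undefined: undefined,
  null: null,
  boolean: true,
  number: 42,
  string: "str",
  symbol: Symbol("sym"),
  object: { tag: "obj" },
  array: [1, 2, 3],
  wrapper: new Number(7),
  func: function () {},
};

// For each sample, report whether a constructor returning it hands back that
// value ("own") or the freshly created `this` ("this") under the typeof-style
// predicate, the fixed predicate, and the engine's native `new`.
function classifyReturns() {
  const out = {};
  for (const [name, value] of Object.entries(RETURN_VALUES)) {
    const F = function () { return value; };
    const own = (r) => Object.is(r, value);
    out[name] = {
      typeofStyle: own(constructWith(isObjectOrNull, F)) ? "own" : "this",
      fixed: own(constructWith(isObject, F)) ? "own" : "this",
      native: own(new F()) ? "own" : "this",
    };
  }
  return out;
}

// Names of the samples where the typeof-style predicate disagrees with
// native `new`: null slips through, and a returned function is dropped.
function typeofStyleMismatches() {
  return Object.entries(classifyReturns())
    .filter(([, r]) => r.typeofStyle !== r.native)
    .map(([name]) => name);
}

console.log(classifyReturns());
console.log("typeof-style predicate disagrees with `new` on:", typeofStyleMismatches());
```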
21774 | ||
21775 | 2015-02-24 Yusuke Suzuki <utatane.tea@gmail.com> | |
21776 | ||
21777 | REGRESSION(r179429): Can't type comments in Facebook | |
21778 | https://bugs.webkit.org/show_bug.cgi?id=141859 | |
21779 | ||
21780 | Reviewed by Brent Fulgham. | |
21781 | ||
21782 | When window.Symbol is exposed to user-space pages, | |
21783 | Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key). | |
21784 | However, to work with Symbols completely, it also requires | |
21785 | 1) Object.getOwnPropertySymbols (for mixins including Symbols) | |
21786 | 2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }. | |
21787 | Since they have not landed yet, comments in Facebook don't work. | |
21788 | ||
21789 | This patch introduces RuntimeFlags for JavaScriptCore. | |
21790 | It specifies the SymbolEnabled flag under the test runner and inspector so they continue to work with Symbol, | |
21791 | and drops the JavaScriptExperimentsEnabled flag | |
21792 | because it is no longer used and its use case is duplicated by runtime flags. | |
21793 | ||
21794 | * JavaScriptCore.order: | |
21795 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
21796 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
21797 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
21798 | * jsc.cpp: | |
21799 | (GlobalObject::javaScriptRuntimeFlags): | |
21800 | (GlobalObject::javaScriptExperimentsEnabled): Deleted. | |
21801 | * runtime/JSGlobalObject.cpp: | |
21802 | (JSC::JSGlobalObject::JSGlobalObject): | |
21803 | (JSC::JSGlobalObject::init): | |
21804 | * runtime/JSGlobalObject.h: | |
21805 | (JSC::JSGlobalObject::finishCreation): | |
21806 | (JSC::JSGlobalObject::javaScriptRuntimeFlags): | |
21807 | (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted. | |
21808 | * runtime/RuntimeFlags.h: Added. | |
21809 | (JSC::RuntimeFlags::RuntimeFlags): | |
21810 | (JSC::RuntimeFlags::createAllEnabled): | |
21811 | ||
21812 | 2015-02-23 Filip Pizlo <fpizlo@apple.com> | |
21813 | ||
21814 | Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident | |
21815 | https://bugs.webkit.org/show_bug.cgi?id=141951 | |
21816 | ||
21817 | Reviewed by Benjamin Poulain. | |
21818 | ||
21819 | This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is | |
21820 | still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness | |
21821 | is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952. | |
21822 | ||
21823 | * runtime/Arguments.cpp: | |
21824 | (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly. | |
21825 | (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches. | |
21826 | * tests/stress/arguments-bizarre-behavior.js: Added. | |
21827 | (foo): | |
21828 | * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments. | |
21829 | (foo): | |
21830 | * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly. | |
21831 | (makeBaseArguments): | |
21832 | (makeArray): | |
21833 | (cons): | |
21834 | ||
21835 | 2015-02-23 Commit Queue <commit-queue@webkit.org> | |
21836 | ||
21837 | Unreviewed, rolling out r180547 and r180550. | |
21838 | https://bugs.webkit.org/show_bug.cgi?id=141957 | |
21839 | ||
21840 | Broke 10 Windows tests. (Requested by bfulgham_ on #webkit). | |
21841 | ||
21842 | Reverted changesets: | |
21843 | ||
21844 | "REGRESSION(r179429): Can't type comments in Facebook" | |
21845 | https://bugs.webkit.org/show_bug.cgi?id=141859 | |
21846 | http://trac.webkit.org/changeset/180547 | |
21847 | ||
21848 | "Constructor returning null should construct an object instead | |
21849 | of null" | |
21850 | https://bugs.webkit.org/show_bug.cgi?id=141640 | |
21851 | http://trac.webkit.org/changeset/180550 | |
21852 | ||
21853 | 2015-02-23 Yusuke Suzuki <utatane.tea@gmail.com> | |
21854 | ||
21855 | Constructor returning null should construct an object instead of null | |
21856 | https://bugs.webkit.org/show_bug.cgi?id=141640 | |
21857 | ||
21858 | Reviewed by Geoffrey Garen. | |
21859 | ||
21860 | When constructor code doesn't return an object, the constructor should return the `this` object instead. | |
21861 | Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`, | |
21862 | it allows `null` as an object. | |
21863 | This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases. | |
21864 | Instead, the constructor uses the simplified `is_object`. | |
21865 | ||
21866 | As a result, `op_is_object` becomes fairly simple, so we introduce an optimization for `op_is_object`. | |
21867 | ||
21868 | 1. LLInt and the baseline JIT support `op_is_object` as a fast path. | |
21869 | 2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects. | |
21870 | 3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function. | |
21871 | 4. The FTL lowers the DFG's IsObject into LLVM IR. | |
21872 | ||
21873 | And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others | |
21874 | in LLInt, JIT, DFG and FTL. | |
21875 | Before introducing ES6 Symbol, JSCell was only used for objects and strings in the user-observable area. | |
21876 | So in many places, when the cell is not an object, we recognize it as a string, and vice versa. | |
21877 | However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken. | |
21878 | So this patch stops using !isString as isObject. | |
21879 | To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure, | |
21880 | we examine the typeInfo in JSCell. | |
21881 | ||
21882 | * JavaScriptCore.order: | |
21883 | * bytecode/BytecodeList.json: | |
21884 | * bytecode/BytecodeUseDef.h: | |
21885 | (JSC::computeUsesForBytecodeOffset): | |
21886 | (JSC::computeDefsForBytecodeOffset): | |
21887 | * bytecode/CodeBlock.cpp: | |
21888 | (JSC::CodeBlock::dumpBytecode): | |
21889 | * bytecode/PutByIdStatus.cpp: | |
21890 | (JSC::PutByIdStatus::computeFor): | |
21891 | * bytecompiler/BytecodeGenerator.cpp: | |
21892 | (JSC::BytecodeGenerator::emitEqualityOp): | |
21893 | (JSC::BytecodeGenerator::emitReturn): | |
21894 | * dfg/DFGAbstractInterpreterInlines.h: | |
21895 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
21896 | * dfg/DFGByteCodeParser.cpp: | |
21897 | (JSC::DFG::ByteCodeParser::parseBlock): | |
21898 | * dfg/DFGCapabilities.cpp: | |
21899 | (JSC::DFG::capabilityLevel): | |
21900 | * dfg/DFGClobberize.h: | |
21901 | (JSC::DFG::clobberize): | |
21902 | ||
21903 | The IsObject operation only touches the JSCell typeInfoType. | |
21904 | And this value would not be changed through a structure transition. | |
21905 | As a result, IsObject can report that it doesn't read any information. | |
21906 | ||
21907 | * dfg/DFGDoesGC.cpp: | |
21908 | (JSC::DFG::doesGC): | |
21909 | * dfg/DFGFixupPhase.cpp: | |
21910 | (JSC::DFG::FixupPhase::fixupNode): | |
21911 | ||
21912 | Just like IsString, IsObject is also fixed up. | |
21913 | ||
21914 | * dfg/DFGHeapLocation.cpp: | |
21915 | (WTF::printInternal): | |
21916 | * dfg/DFGHeapLocation.h: | |
21917 | * dfg/DFGNodeType.h: | |
21918 | * dfg/DFGOperations.cpp: | |
21919 | * dfg/DFGOperations.h: | |
21920 | * dfg/DFGPredictionPropagationPhase.cpp: | |
21921 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
21922 | * dfg/DFGSafeToExecute.h: | |
21923 | (JSC::DFG::safeToExecute): | |
21924 | * dfg/DFGSpeculativeJIT.cpp: | |
21925 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): | |
21926 | (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): | |
21927 | (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): | |
21928 | (JSC::DFG::SpeculativeJIT::compileToStringOnCell): | |
21929 | (JSC::DFG::SpeculativeJIT::speculateObject): | |
21930 | (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): | |
21931 | (JSC::DFG::SpeculativeJIT::speculateString): | |
21932 | (JSC::DFG::SpeculativeJIT::speculateNotStringVar): | |
21933 | (JSC::DFG::SpeculativeJIT::emitSwitchChar): | |
21934 | (JSC::DFG::SpeculativeJIT::emitSwitchString): | |
21935 | (JSC::DFG::SpeculativeJIT::branchIsObject): | |
21936 | (JSC::DFG::SpeculativeJIT::branchNotObject): | |
21937 | (JSC::DFG::SpeculativeJIT::branchIsString): | |
21938 | (JSC::DFG::SpeculativeJIT::branchNotString): | |
21939 | * dfg/DFGSpeculativeJIT.h: | |
21940 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
21941 | (JSC::DFG::SpeculativeJIT::compileObjectEquality): | |
21942 | (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): | |
21943 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): | |
21944 | (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): | |
21945 | (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): | |
21946 | (JSC::DFG::SpeculativeJIT::compile): | |
21947 | * dfg/DFGSpeculativeJIT64.cpp: | |
21948 | (JSC::DFG::SpeculativeJIT::compileObjectEquality): | |
21949 | (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): | |
21950 | (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): | |
21951 | (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): | |
21952 | (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): | |
21953 | (JSC::DFG::SpeculativeJIT::compile): | |
21954 | * ftl/FTLCapabilities.cpp: | |
21955 | (JSC::FTL::canCompile): | |
21956 | * ftl/FTLLowerDFGToLLVM.cpp: | |
21957 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
21958 | (JSC::FTL::LowerDFGToLLVM::compileToString): | |
21959 | (JSC::FTL::LowerDFGToLLVM::compileIsObject): | |
21960 | (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull): | |
21961 | (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject): | |
21962 | (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): | |
21963 | (JSC::FTL::LowerDFGToLLVM::isObject): | |
21964 | (JSC::FTL::LowerDFGToLLVM::isNotObject): | |
21965 | (JSC::FTL::LowerDFGToLLVM::isNotString): | |
21966 | (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): | |
21967 | * jit/JIT.cpp: | |
21968 | (JSC::JIT::privateCompileMainPass): | |
21969 | * jit/JIT.h: | |
21970 | * jit/JITInlines.h: | |
21971 | (JSC::JIT::emitJumpIfCellObject): | |
21972 | * jit/JITOpcodes.cpp: | |
21973 | (JSC::JIT::emit_op_is_object): | |
21974 | (JSC::JIT::emit_op_to_primitive): | |
21975 | * jit/JITOpcodes32_64.cpp: | |
21976 | (JSC::JIT::emit_op_is_object): | |
21977 | (JSC::JIT::emit_op_to_primitive): | |
21978 | (JSC::JIT::compileOpStrictEq): | |
21979 | * llint/LowLevelInterpreter.asm: | |
21980 | * llint/LowLevelInterpreter32_64.asm: | |
21981 | * llint/LowLevelInterpreter64.asm: | |
21982 | * runtime/CommonSlowPaths.cpp: | |
21983 | (JSC::SLOW_PATH_DECL): | |
21984 | * runtime/CommonSlowPaths.h: | |
21985 | * runtime/Operations.cpp: | |
21986 | (JSC::jsIsObjectTypeOrNull): | |
21987 | (JSC::jsIsObjectType): Deleted. | |
21988 | * runtime/Operations.h: | |
21989 | ||
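The following is an added JavaScript example, not part of this ChangeLog and not JavaScriptCore's own code, showing the [[Construct]] return-value rule the entry above corrects: a constructor's explicit return value replaces `this` only when it is a real object, so the check must reject null (which `typeof` reports as "object") and Symbol (a heap cell in JSC, but not an object). The `construct` helper, the `isObject` / `isObjectOrNull` predicates, the `describe` and `mismatches` helpers and the sample constructors are all assumptions made for the illustration; the hand-rolled construct is compared against the engine's native `new`.

```javascript
// Added example: hand-rolled [[Construct]] compared against native `new`.
// None of this is JSC code; the helper names are invented for illustration.

// The `typeof`-style check (what op_is_object_or_null keeps for typeof):
// it admits null, which is exactly the bug for constructors.
function isObjectOrNull(v) {
  return typeof v === 'object' || typeof v === 'function';
}

// The check a constructor needs: a real object. null is excluded, and so
// is a Symbol, which is a heap cell in JSC but not an object.
function isObject(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Spec-style [[Construct]] for an ordinary function: allocate `this`, run
// the body, and let the body's return value win only if `isObj` accepts it.
function construct(F, args, isObj) {
  const thisValue = Object.create(F.prototype);
  const result = F.apply(thisValue, args);
  return isObj(result) ? result : thisValue;
}

// Sample constructors (constructed for this example) covering each return kind.
function ReturnsNull() { this.tag = 'null'; return null; }
function ReturnsNumber() { this.tag = 'number'; return 42; }
function ReturnsSymbol() { this.tag = 'symbol'; return Symbol('s'); }
function ReturnsObject() { this.tag = 'object'; return { replaced: true }; }
function ReturnsFunction() { this.tag = 'function'; return function () {}; }

const constructors = [ReturnsNull, ReturnsNumber, ReturnsSymbol, ReturnsObject, ReturnsFunction];

// Describe a construction result by shape so results can be compared.
function describe(v) {
  if (v === null) return 'null';
  if (typeof v === 'function') return 'function';
  if (typeof v !== 'object') return typeof v;
  return 'replaced' in v ? 'replacement-object' : 'this:' + v.tag;
}

// Names of the constructors for which the hand-rolled construct, using the
// given object predicate, disagrees with the engine's native `new`.
function mismatches(isObj) {
  return constructors
    .filter((F) => describe(new F()) !== describe(construct(F, [], isObj)))
    .map((F) => F.name);
}

// With the typeof-style predicate, `new ReturnsNull()` would yield null;
// with the real object check, every case matches the engine.
console.log('typeof-style predicate disagrees on:', mismatches(isObjectOrNull));
console.log('object predicate disagrees on:', mismatches(isObject));
```

Running it under any ES6 engine prints `[ 'ReturnsNull' ]` for the typeof-style predicate and `[]` for the object predicate: the only construction the old check gets wrong is the one that returns null, which is precisely the case the new `is_object` bytecode excludes.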
21990 | 2015-02-23 Ryosuke Niwa <rniwa@webkit.org> | |
21991 | ||
21992 | Disable font loading events until our implementation gets updated to match the latest spec | |
21993 | https://bugs.webkit.org/show_bug.cgi?id=141938 | |
21994 | ||
21995 | Reviewed by Andreas Kling. | |
21996 | ||
21997 | * Configurations/FeatureDefines.xcconfig: | |
21998 | ||
21999 | 2015-02-23 Yusuke Suzuki <utatane.tea@gmail.com> | |
22000 | ||
22001 | REGRESSION(r179429): Can't type comments in Facebook | |
22002 | https://bugs.webkit.org/show_bug.cgi?id=141859 | |
22003 | ||
22004 | Reviewed by Geoffrey Garen. | |
22005 | ||
22006 | When window.Symbol is exposed to user-space pages, | |
22007 | Facebook's JavaScript uses it (maybe, for immutable-js and React.js's unique key). | |
22008 | However, to work with Symbols completely, it also requires | |
22009 | 1) Object.getOwnPropertySymbols (for mixins including Symbols) | |
22010 | 2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }. | |
22011 | Since they have not landed yet, comments in Facebook don't work. | |
22012 | ||
22013 | This patch introduces RuntimeFlags for JavaScriptCore. | |
22014 | The SymbolEnabled flag is specified under the test runner and inspector so that they continue to work with Symbol. | |
22015 | It also drops the JavaScriptExperimentsEnabled flag | |
22016 | because it is no longer used and its use case is duplicated by runtime flags. | |
22017 | ||
22018 | * JavaScriptCore.order: | |
22019 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
22020 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
22021 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
22022 | * jsc.cpp: | |
22023 | (GlobalObject::javaScriptRuntimeFlags): | |
22024 | (GlobalObject::javaScriptExperimentsEnabled): Deleted. | |
22025 | * runtime/JSGlobalObject.cpp: | |
22026 | (JSC::JSGlobalObject::JSGlobalObject): | |
22027 | (JSC::JSGlobalObject::init): | |
22028 | * runtime/JSGlobalObject.h: | |
22029 | (JSC::JSGlobalObject::finishCreation): | |
22030 | (JSC::JSGlobalObject::javaScriptRuntimeFlags): | |
22031 | (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted. | |
22032 | * runtime/RuntimeFlags.h: Added. | |
22033 | (JSC::RuntimeFlags::RuntimeFlags): | |
22034 | (JSC::RuntimeFlags::createAllEnabled): | |
22035 | ||
22036 | 2015-02-23 Benjamin Poulain <bpoulain@apple.com> | |
22037 | ||
22038 | Set the semantic origin of delayed SetLocal to the Bytecode that originated it | |
22039 | https://bugs.webkit.org/show_bug.cgi?id=141727 | |
22040 | ||
22041 | Reviewed by Filip Pizlo. | |
22042 | ||
22043 | Previously, delayed SetLocals would have the NodeOrigin of the next | |
22044 | bytecode. This was because delayed SetLocals are...delayed... and | |
22045 | currentCodeOrigin() is the one where the node is emitted. | |
22046 | ||
22047 | This made debugging a little awkward since the OSR exits on SetLocal | |
22048 | were reported for the next bytecode. This patch changes the semantic | |
22049 | origin to keep the original bytecode. | |
22050 | ||
22051 | From benchmarks, this looks like it could be a tiny bit faster | |
22052 | but it is likely just noise. | |
22053 | ||
22054 | * dfg/DFGByteCodeParser.cpp: | |
22055 | (JSC::DFG::ByteCodeParser::setDirect): | |
22056 | (JSC::DFG::ByteCodeParser::setLocal): | |
22057 | (JSC::DFG::ByteCodeParser::setArgument): | |
22058 | (JSC::DFG::ByteCodeParser::currentNodeOrigin): | |
22059 | (JSC::DFG::ByteCodeParser::addToGraph): | |
22060 | (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): | |
22061 | (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute): | |
22062 | ||
22063 | 2015-02-23 Benjamin Poulain <bpoulain@apple.com> | |
22064 | ||
22065 | Remove DFGNode::predictHeap() | |
22066 | https://bugs.webkit.org/show_bug.cgi?id=141864 | |
22067 | ||
22068 | Reviewed by Geoffrey Garen. | |
22069 | ||
22070 | * dfg/DFGNode.h: | |
22071 | (JSC::DFG::Node::predictHeap): Deleted. | |
22072 | Unused code. | |
22073 | ||
22074 | 2015-02-23 Filip Pizlo <fpizlo@apple.com> | |
22075 | ||
22076 | Get rid of JSLexicalEnvironment::argumentsGetter | |
22077 | https://bugs.webkit.org/show_bug.cgi?id=141930 | |
22078 | ||
22079 | Reviewed by Mark Lam. | |
22080 | ||
22081 | This function is unused, and the way it's written is bizarre - it's a return statement that | |
22082 | dominates a bunch of dead code. | |
22083 | ||
22084 | * runtime/JSLexicalEnvironment.cpp: | |
22085 | (JSC::JSLexicalEnvironment::argumentsGetter): Deleted. | |
22086 | * runtime/JSLexicalEnvironment.h: | |
22087 | ||
22088 | 2015-02-23 Filip Pizlo <fpizlo@apple.com> | |
22089 | ||
22090 | Remove unused activationCount and allTheThingsCount variable declarations. | |
22091 | ||
22092 | Rubber stamped by Mark Lam and Michael Saboff. | |
22093 | ||
22094 | * runtime/JSLexicalEnvironment.h: | |
22095 | ||
22096 | 2015-02-23 Saam Barati <saambarati1@gmail.com> | |
22097 | ||
22098 | Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive | |
22099 | https://bugs.webkit.org/show_bug.cgi?id=141095 | |
22100 | ||
22101 | Reviewed by Mark Lam. | |
22102 | ||
22103 | Suppose the control flow of a program forms basic block A with successor block | |
22104 | B. A's end offset will be the *same* as B's start offset in the current architecture | |
22105 | of the control flow profiler. This makes reasoning about the text offsets of | |
22106 | the control flow profiler unsound. To make reasoning about offsets sound, all | |
22107 | basic block ranges should be mutually exclusive. All calls to emitProfileControlFlow | |
22108 | now pass in the *start* of a basic block as the text offset argument. This simplifies | |
22109 | all calls to emitProfileControlFlow because the previous implementation had a | |
22110 | lot of edge cases for getting the desired basic block text boundaries. | |
22111 | ||
22112 | This patch also ensures that the basic block boundary of a block statement | |
22113 | is exactly the block's open and close brace offsets (inclusive). For example, | |
22114 | in if/for/while statements. This also has the consequence that for statements | |
22115 | like "if (cond) foo();", the whitespace preceding "foo()" is not part of | |
22116 | the "foo()" basic block, but instead is part of the "if (cond) " basic block. | |
22117 | This is okay because these text offsets aren't meant to be human readable. | |
22118 | Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector | |
22119 | is the only client of this API and user of these text offsets and it is | |
22120 | not negatively affected by this new behavior. | |
22121 | ||
22122 | * bytecode/CodeBlock.cpp: | |
22123 | (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): | |
22124 | When computing basic block boundaries in CodeBlock, we ensure that every | |
22125 | block's end offset is one less than its successor's start offset to | |
22126 | maintain that boundaries' ranges should be mutually exclusive. | |
22127 | ||
22128 | * bytecompiler/BytecodeGenerator.cpp: | |
22129 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
22130 | Because the control flow profiler needs to know which functions | |
22131 | have executed, we can't lazily create functions. This was a bug | |
22132 | from before that was hidden because the Type Profiler was always | |
22133 | enabled when the control flow profiler was enabled when profiling | |
22134 | was turned on from the Web Inspector. But, JSC allows for Control | |
22135 | Flow profiling to be turned on without Type Profiling, so we need | |
22136 | to ensure the Control Flow profiler has all the data it needs. | |
22137 | ||
22138 | * bytecompiler/NodesCodegen.cpp: | |
22139 | (JSC::ConditionalNode::emitBytecode): | |
22140 | (JSC::IfElseNode::emitBytecode): | |
22141 | (JSC::WhileNode::emitBytecode): | |
22142 | (JSC::ForNode::emitBytecode): | |
22143 | (JSC::ForInNode::emitMultiLoopBytecode): | |
22144 | (JSC::ForOfNode::emitBytecode): | |
22145 | (JSC::TryNode::emitBytecode): | |
22146 | * jsc.cpp: | |
22147 | (functionHasBasicBlockExecuted): | |
22148 | We now assert that the substring argument is indeed a substring | |
22149 | of the function argument's text because subtle bugs could be | |
22150 | introduced otherwise. | |
22151 | ||
22152 | * parser/ASTBuilder.h: | |
22153 | (JSC::ASTBuilder::setStartOffset): | |
22154 | * parser/Nodes.h: | |
22155 | (JSC::Node::setStartOffset): | |
22156 | * parser/Parser.cpp: | |
22157 | (JSC::Parser<LexerType>::parseBlockStatement): | |
22158 | (JSC::Parser<LexerType>::parseStatement): | |
22159 | (JSC::Parser<LexerType>::parseMemberExpression): | |
22160 | For the various function call AST nodes, their m_position member | |
22161 | variable is now the start of the entire function call expression | |
22162 | and not at the start of the open paren of the arguments list. | |
22163 | ||
22164 | * runtime/BasicBlockLocation.cpp: | |
22165 | (JSC::BasicBlockLocation::getExecutedRanges): | |
22166 | * runtime/ControlFlowProfiler.cpp: | |
22167 | (JSC::ControlFlowProfiler::getBasicBlocksForSourceID): | |
22168 | Function ranges inserted as gaps should follow the same criteria | |
22169 | that the bytecode generator uses to ensure that basic blocks | |
22170 | start and end offsets are mutually exclusive. | |
22171 | ||
22172 | * tests/controlFlowProfiler/brace-location.js: Added. | |
22173 | (foo): | |
22174 | (bar): | |
22175 | (baz): | |
22176 | (testIf): | |
22177 | (testForRegular): | |
22178 | (testForIn): | |
22179 | (testForOf): | |
22180 | (testWhile): | |
22181 | (testIfNoBraces): | |
22182 | (testForRegularNoBraces): | |
22183 | (testForInNoBraces): | |
22184 | (testForOfNoBraces): | |
22185 | (testWhileNoBraces): | |
22186 | * tests/controlFlowProfiler/conditional-expression.js: Added. | |
22187 | (foo): | |
22188 | (bar): | |
22189 | (baz): | |
22190 | (testConditionalBasic): | |
22191 | (testConditionalFunctionCall): | |
22192 | * tests/controlFlowProfiler/driver/driver.js: | |
22193 | (checkBasicBlock): | |
22194 | ||
22195 | 2015-02-23 Matthew Mirman <mmirman@apple.com> | |
22196 | ||
22197 | r9 is volatile on ARMv7 for iOS 3 and up. | |
22198 | https://bugs.webkit.org/show_bug.cgi?id=141489 | |
22199 | rdar://problem/19432916 | |
22200 | ||
22201 | Reviewed by Michael Saboff. | |
22202 | ||
22203 | * jit/RegisterSet.cpp: | |
22204 | (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers. | |
22205 | * tests/stress/regress-141489.js: Added. | |
22206 | (foo): | |
22207 | ||
22208 | 2015-02-23 Csaba Osztrogonác <ossy@webkit.org> | |
22209 | ||
22210 | [ARM] Add the necessary setupArgumentsWithExecState after bug141915 | |
22211 | https://bugs.webkit.org/show_bug.cgi?id=141921 | |
22212 | ||
22213 | Reviewed by Michael Saboff. | |
22214 | ||
22215 | * jit/CCallHelpers.h: | |
22216 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
22217 | ||
22218 | 2015-02-23 Filip Pizlo <fpizlo@apple.com> | |
22219 | ||
22220 | Scopes should always be created with a previously-created symbol table rather than creating one on the fly | |
22221 | https://bugs.webkit.org/show_bug.cgi?id=141915 | |
22222 | ||
22223 | Reviewed by Mark Lam. | |
22224 | ||
22225 | The main effect of this change is that pushing name scopes no longer requires creating symbol | |
22226 | tables on the fly. | |
22227 | ||
22228 | This also makes it so that JSEnvironmentRecords must always have an a priori symbol table. | |
22229 | ||
22230 | JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand. | |
22231 | This is needed because that's what JSGlobalObject and all of its many subclasses want. That's | |
22232 | harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway. | |
22233 | ||
22234 | * bytecode/BytecodeList.json: | |
22235 | * bytecompiler/BytecodeGenerator.cpp: | |
22236 | (JSC::BytecodeGenerator::emitPushFunctionNameScope): | |
22237 | (JSC::BytecodeGenerator::emitPushCatchScope): | |
22238 | * jit/CCallHelpers.h: | |
22239 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
22240 | * jit/JIT.h: | |
22241 | * jit/JITInlines.h: | |
22242 | (JSC::JIT::callOperation): | |
22243 | * jit/JITOpcodes.cpp: | |
22244 | (JSC::JIT::emit_op_push_name_scope): | |
22245 | * jit/JITOpcodes32_64.cpp: | |
22246 | (JSC::JIT::emit_op_push_name_scope): | |
22247 | * jit/JITOperations.cpp: | |
22248 | (JSC::pushNameScope): | |
22249 | * jit/JITOperations.h: | |
22250 | * llint/LLIntSlowPaths.cpp: | |
22251 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
22252 | * llint/LowLevelInterpreter.asm: | |
22253 | * runtime/Executable.cpp: | |
22254 | (JSC::ScriptExecutable::newCodeBlockFor): | |
22255 | * runtime/JSCatchScope.h: | |
22256 | (JSC::JSCatchScope::JSCatchScope): | |
22257 | (JSC::JSCatchScope::create): | |
22258 | * runtime/JSEnvironmentRecord.h: | |
22259 | (JSC::JSEnvironmentRecord::JSEnvironmentRecord): | |
22260 | * runtime/JSFunctionNameScope.h: | |
22261 | (JSC::JSFunctionNameScope::JSFunctionNameScope): | |
22262 | (JSC::JSFunctionNameScope::create): | |
22263 | * runtime/JSNameScope.cpp: | |
22264 | (JSC::JSNameScope::create): | |
22265 | * runtime/JSNameScope.h: | |
22266 | (JSC::JSNameScope::create): | |
22267 | (JSC::JSNameScope::finishCreation): | |
22268 | (JSC::JSNameScope::JSNameScope): | |
22269 | * runtime/JSSegmentedVariableObject.h: | |
22270 | (JSC::JSSegmentedVariableObject::finishCreation): | |
22271 | * runtime/JSSymbolTableObject.h: | |
22272 | (JSC::JSSymbolTableObject::JSSymbolTableObject): | |
22273 | (JSC::JSSymbolTableObject::finishCreation): Deleted. | |
22274 | * runtime/SymbolTable.h: | |
22275 | (JSC::SymbolTable::createNameScopeTable): | |
22276 | ||
22277 | 2015-02-23 Filip Pizlo <fpizlo@apple.com> | |
22278 | ||
22279 | Add a comment to clarify that the test was taken from the bug report, in response to | |
22280 | feedback from Michael Saboff and Benjamin Poulain. | |
22281 | ||
22282 | * tests/stress/regress-141883.js: | |
22283 | ||
22284 | 2015-02-22 Filip Pizlo <fpizlo@apple.com> | |
22285 | ||
22286 | Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it | |
22287 | https://bugs.webkit.org/show_bug.cgi?id=141881 | |
22288 | ||
22289 | Reviewed by Michael Saboff. | |
22290 | ||
22291 | Previously we only created the function name scope in a way that made it visible to the | |
22292 | function that triggered parsing/linking of the executable/codeBlock, and to the linker for | |
22293 | that code block. This was sort of the bare minimum for the feature to appear to work right to | |
22294 | synthetic tests. | |
22295 | ||
22296 | There are two valid "times" to create the function name scope. Either it's created for each | |
22297 | JSFunction instance that needs a name scope, or it's created for each execution of such a | |
22298 | JSFunction. This change chooses the latter, because it happens to be the easiest to implement | |
22299 | with what we have right now. I opened a bug for optimizing this if we ever need to: | |
22300 | https://bugs.webkit.org/show_bug.cgi?id=141887. | |
22301 | ||
22302 | * bytecompiler/BytecodeGenerator.cpp: | |
22303 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
22304 | * interpreter/Interpreter.cpp: | |
22305 | (JSC::Interpreter::execute): | |
22306 | (JSC::Interpreter::executeCall): | |
22307 | (JSC::Interpreter::executeConstruct): | |
22308 | (JSC::Interpreter::prepareForRepeatCall): | |
22309 | * jit/JITOperations.cpp: | |
22310 | * llint/LLIntSlowPaths.cpp: | |
22311 | (JSC::LLInt::setUpCall): | |
22312 | * runtime/ArrayPrototype.cpp: | |
22313 | (JSC::isNumericCompareFunction): | |
22314 | * runtime/Executable.cpp: | |
22315 | (JSC::ScriptExecutable::newCodeBlockFor): | |
22316 | (JSC::ScriptExecutable::prepareForExecutionImpl): | |
22317 | (JSC::FunctionExecutable::FunctionExecutable): | |
22318 | * runtime/Executable.h: | |
22319 | (JSC::ScriptExecutable::prepareForExecution): | |
22320 | * runtime/JSFunction.cpp: | |
22321 | (JSC::JSFunction::addNameScopeIfNeeded): Deleted. | |
22322 | * runtime/JSFunction.h: | |
22323 | * tests/stress/function-name-scope.js: Added. | |
22324 | (check.verify): | |
22325 | (check): | |
22326 | ||
22327 | 2015-02-22 Filip Pizlo <fpizlo@apple.com> | |
22328 | ||
22329 | Crash in DFGFrozenValue | |
22330 | https://bugs.webkit.org/show_bug.cgi?id=141883 | |
22331 | ||
22332 | Reviewed by Benjamin Poulain. | |
22333 | ||
22334 | If a value might be a cell, then we have to have Graph freeze it rather than trying to | |
22335 | create the FrozenValue directly. Creating it directly is just an optimization for when you | |
22336 | know for sure that it cannot be a cell. | |
22337 | ||
22338 | * dfg/DFGAbstractInterpreterInlines.h: | |
22339 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
22340 | * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix. | |
22341 | ||
22342 | 2015-02-21 Joseph Pecoraro <pecoraro@apple.com> | |
22343 | ||
22344 | Web Inspector: Generate Previews more often for RemoteObject interaction | |
22345 | https://bugs.webkit.org/show_bug.cgi?id=141875 | |
22346 | ||
22347 | Reviewed by Timothy Hatcher. | |
22348 | ||
22349 | * inspector/protocol/Runtime.json: | |
22350 | Add generatePreview to getProperties. | |
22351 | ||
22352 | * inspector/InjectedScript.cpp: | |
22353 | (Inspector::InjectedScript::getProperties): | |
22354 | (Inspector::InjectedScript::getInternalProperties): | |
22355 | * inspector/InjectedScript.h: | |
22356 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
22357 | (Inspector::InspectorRuntimeAgent::getProperties): | |
22358 | * inspector/agents/InspectorRuntimeAgent.h: | |
22359 | Plumb the generatePreview boolean through to the injected script. | |
22360 | ||
22361 | * inspector/InjectedScriptSource.js: | |
22362 | Add generatePreview for getProperties. | |
22363 | Fix callFunctionOn to generatePreviews if asked. | |
22364 | ||
22365 | 2015-02-20 Mark Lam <mark.lam@apple.com> | |
22366 | ||
22367 | Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment. | |
22368 | <https://webkit.org/b/141856> | |
22369 | ||
22370 | Reviewed by Geoffrey Garen. | |
22371 | ||
22372 | 1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a | |
22373 | JSC::JSObject* just like -prototype. | |
22374 | 2. Defer the creation of the ObjC JSValue from JSC::JSObject* until | |
22375 | the latest moment when it is needed. This allows us to not have to | |
22376 | keep converting back to a JSC::JSObject* in intermediate code. | |
22377 | ||
22378 | * API/JSWrapperMap.mm: | |
22379 | (makeWrapper): | |
22380 | (objectWithCustomBrand): | |
22381 | (constructorWithCustomBrand): | |
22382 | (allocateConstructorForCustomClass): | |
22383 | (-[JSObjCClassInfo allocateConstructorAndPrototype]): | |
22384 | (-[JSObjCClassInfo wrapperForObject:]): | |
22385 | (-[JSObjCClassInfo constructor]): | |
22386 | (-[JSWrapperMap jsWrapperForObject:]): | |
22387 | ||
22388 | 2015-02-20 Filip Pizlo <fpizlo@apple.com> | |
22389 | ||
22390 | Build fix for gcc. | |
22391 | ||
22392 | * runtime/JSNameScope.cpp: | |
22393 | (JSC::JSNameScope::create): | |
22394 | ||
22395 | 2015-02-20 Filip Pizlo <fpizlo@apple.com> | |
22396 | ||
22397 | Get rid of JSNameScope::m_type | |
22398 | https://bugs.webkit.org/show_bug.cgi?id=141851 | |
22399 | ||
22400 | Reviewed by Geoffrey Garen. | |
22401 | ||
22402 | This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need | |
22403 | to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that | |
22404 | JSEnvironmentRecord can always place "registers" right after the end of itself. | |
22405 | ||
22406 | * CMakeLists.txt: | |
22407 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
22408 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
22409 | * debugger/DebuggerScope.cpp: | |
22410 | (JSC::DebuggerScope::isCatchScope): | |
22411 | (JSC::DebuggerScope::isFunctionNameScope): | |
22412 | * interpreter/Interpreter.cpp: | |
22413 | (JSC::Interpreter::execute): | |
22414 | * jit/JITOperations.cpp: | |
22415 | * llint/LLIntSlowPaths.cpp: | |
22416 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
22417 | * runtime/JSCatchScope.cpp: Added. | |
22418 | * runtime/JSCatchScope.h: Added. | |
22419 | (JSC::JSCatchScope::JSCatchScope): | |
22420 | (JSC::JSCatchScope::create): | |
22421 | (JSC::JSCatchScope::createStructure): | |
22422 | * runtime/JSFunction.cpp: | |
22423 | (JSC::JSFunction::addNameScopeIfNeeded): | |
22424 | * runtime/JSFunctionNameScope.cpp: Added. | |
22425 | * runtime/JSFunctionNameScope.h: Added. | |
22426 | (JSC::JSFunctionNameScope::JSFunctionNameScope): | |
22427 | (JSC::JSFunctionNameScope::create): | |
22428 | (JSC::JSFunctionNameScope::createStructure): | |
22429 | * runtime/JSGlobalObject.cpp: | |
22430 | (JSC::JSGlobalObject::init): | |
22431 | (JSC::JSGlobalObject::visitChildren): | |
22432 | * runtime/JSGlobalObject.h: | |
22433 | (JSC::JSGlobalObject::catchScopeStructure): | |
22434 | (JSC::JSGlobalObject::functionNameScopeStructure): | |
22435 | (JSC::JSGlobalObject::nameScopeStructure): Deleted. | |
22436 | * runtime/JSNameScope.cpp: | |
22437 | (JSC::JSNameScope::create): | |
22438 | * runtime/JSNameScope.h: | |
22439 | (JSC::JSNameScope::create): | |
22440 | (JSC::JSNameScope::JSNameScope): | |
22441 | (JSC::JSNameScope::createStructure): Deleted. | |
22442 | (JSC::JSNameScope::isFunctionNameScope): Deleted. | |
22443 | (JSC::JSNameScope::isCatchScope): Deleted. | |
22444 | * runtime/JSObject.cpp: | |
22445 | (JSC::JSObject::isCatchScopeObject): | |
22446 | (JSC::JSObject::isFunctionNameScopeObject): | |
22447 | * runtime/JSObject.h: | |
22448 | ||
22449 | 2015-02-20 Mark Lam <mark.lam@apple.com> | |
22450 | ||
22451 | [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain. | |
22452 | <https://webkit.org/b/141809> | |
22453 | ||
22454 | Reviewed by Geoffrey Garen. | |
22455 | ||
22456 | An ObjC class that implements the JSExport protocol will have a JS prototype | |
22457 | chain and constructor automatically synthesized for its JS wrapper object. | |
22458 | However, if there are no more instances of that ObjC class reachable by a | |
22459 | JS GC root scan, then its synthesized prototype chain and constructors may | |
22460 | be released by the GC. If a new instance of that ObjC class is subsequently | |
22461 | instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype] | |
22462 | should re-construct the prototype chain and constructor (if they were | |
22463 | previously released). However, the current implementation only | |
22464 | re-constructs the immediate prototype, but not every other prototype | |
22465 | object upstream in the prototype chain. | |
22466 | ||
22467 | To fix this, we do the following: | |
22468 | 1. We no longer allocate the JSObjCClassInfo's prototype and constructor | |
22469 | eagerly. Hence, -initWithContext:forClass: will no longer call | |
22470 | -allocateConstructorAndPrototypeWithSuperClassInfo:. | |
22471 | 2. Instead, we'll always access the prototype and constructor thru | |
22472 | accessor methods. The accessor methods will call | |
22473 | -allocateConstructorAndPrototype: if needed. | |
22474 | 3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo | |
22475 | from the JSWrapperMap itself. This makes it so that we no longer | |
22476 | need to pass the superClassInfo all over. | |
22477 | 4. -allocateConstructorAndPrototype: will get the super class prototype | |
22478 | by invoking -prototype: on the superClassInfo, thereby allowing the | |
22479 | super class to allocate its prototype and constructor if needed and | |
22480 | fixing the issue in this bug. | |
22481 | ||
22482 | 5. Also removed the GC warning comments, and ensured that needed JS | |
22483 | objects are kept alive by having a local var pointing to it from the | |
22484 | stack (which makes a GC root). | |
22485 | ||
22486 | * API/JSWrapperMap.mm: | |
22487 | (-[JSObjCClassInfo initWithContext:forClass:]): | |
22488 | (-[JSObjCClassInfo allocateConstructorAndPrototype]): | |
22489 | (-[JSObjCClassInfo wrapperForObject:]): | |
22490 | (-[JSObjCClassInfo constructor]): | |
22491 | (-[JSObjCClassInfo prototype]): | |
22492 | (-[JSWrapperMap classInfoForClass:]): | |
22493 | (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted. | |
22494 | (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted. | |
22495 | (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted. | |
22496 | * API/tests/Regress141809.h: Added. | |
22497 | * API/tests/Regress141809.mm: Added. | |
22498 | (-[TestClassB name]): | |
22499 | (-[TestClassC name]): | |
22500 | (runRegress141809): | |
22501 | * API/tests/testapi.mm: | |
22502 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
22503 | ||
22504 | 2015-02-20 Alexey Proskuryakov <ap@apple.com> | |
22505 | ||
22506 | Remove svn:keywords property. | |
22507 | ||
22508 | As far as I can tell, the property had no effect on any of these files, but also, | |
22509 | when it has effect it's likely harmful. | |
22510 | ||
22511 | * builtins/ArrayConstructor.js: Removed property svn:keywords. | |
22512 | ||
22513 | 2015-02-20 Michael Saboff <msaboff@apple.com> | |
22514 | ||
22515 | DFG JIT needs to check for stack overflow at the start of Program and Eval execution | |
22516 | https://bugs.webkit.org/show_bug.cgi?id=141676 | |
22517 | ||
22518 | Reviewed by Filip Pizlo. | |
22519 | ||
22520 | Added a stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes. | |
22521 | To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const | |
22522 | with an option in runtime/Options.h. The test script, run-jsc-stress-tests, sets that option | |
22523 | to a huge value when running with the "Eager" options. This allows the updated test to | |
22524 | reliably exercise the code in question. | |
22525 | ||
22526 | * dfg/DFGJITCompiler.cpp: | |
22527 | (JSC::DFG::JITCompiler::compile): | |
22528 | Added stack check. | |
22529 | ||
22530 | * bytecode/EvalCodeCache.h: | |
22531 | (JSC::EvalCodeCache::tryGet): | |
22532 | (JSC::EvalCodeCache::getSlow): | |
22533 | * runtime/Options.h: | |
22534 | Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength | |
22535 | so that it can be configured when running the related test. | |
22536 | ||
22537 | 2015-02-20 Eric Carlson <eric.carlson@apple.com> | |
22538 | ||
22539 | [iOS] cleanup AirPlay code | |
22540 | https://bugs.webkit.org/show_bug.cgi?id=141811 | |
22541 | ||
22542 | Reviewed by Jer Noble. | |
22543 | ||
22544 | * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET. | |
22545 | ||
22546 | 2015-02-19 Dean Jackson <dino@apple.com> | |
22547 | ||
22548 | ES6: Implement Array.from() | |
22549 | https://bugs.webkit.org/show_bug.cgi?id=141054 | |
22550 | <rdar://problem/19654521> | |
22551 | ||
22552 | Reviewed by Filip Pizlo. | |
22553 | ||
22554 | Implement the Array.from() ES6 method | |
22555 | as defined in Section 22.1.2.1 of the specification. | |
22556 | ||
22557 | Given that we can't rely on the built-in | |
22558 | global functions or objects to be untainted, | |
22559 | I had to expose a few of them directly to | |
22560 | the function via private names. In particular: | |
22561 | - Math.floor -> @floor | |
22562 | - Math.abs -> @abs | |
22563 | - Number -> @Number | |
22564 | - Array -> @Array | |
22565 | - isFinite -> @isFinite | |
22566 | ||
22567 | * builtins/ArrayConstructor.js: Added. | |
22568 | (from): Implementation of Array.from in JavaScript. | |
22569 | * runtime/ArrayConstructor.cpp: Add "from" to the lookup | |
22570 | table for the constructor object. | |
22571 | * runtime/CommonIdentifiers.h: Add the private versions | |
22572 | of the identifiers listed above. | |
22573 | * runtime/JSGlobalObject.cpp: Add the implementations of | |
22574 | those identifiers to the global object (using their | |
22575 | private names). | |
22576 | (JSC::JSGlobalObject::init): | |
22577 | * runtime/JSGlobalObjectFunctions.cpp: | |
22578 | (JSC::globalPrivateFuncAbs): Implementation of the abs function. | |
22579 | (JSC::globalPrivateFuncFloor): Implementation of the floor function. | |
22580 | * runtime/JSGlobalObjectFunctions.h: | |
22581 | ||
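The private-name technique described in this entry (Math.floor as @floor, isFinite as @isFinite, Array as @Array, and so on) exists because a builtin written in JavaScript cannot trust globals that page script can reassign. The following is an added example in plain JavaScript, not code from this change or from JavaScriptCore; the names naiveArrayFrom, hardenedArrayFrom, tamperAndCompare and the SAMPLE input are hypothetical and constructed for the demonstration. It contrasts a helper that looks up the globals on each call with one that captures them once at definition time, then tampers with the globals the way a hostile page could.

```javascript
// Added example (not JavaScriptCore's code): why a builtin written in JavaScript
// must not reach for user-replaceable globals at call time.
// naiveArrayFrom, hardenedArrayFrom, tamperAndCompare and SAMPLE are hypothetical.

// Naive variant: Math.floor, isFinite, Number and Array are resolved on every
// call, so any script that reassigns those globals changes what this "builtin" does.
function naiveArrayFrom(items) {
  const n = Number(items.length);
  const len = (!isFinite(n) || n <= 0) ? 0 : Math.floor(n);
  const result = new Array(len);
  for (let k = 0; k < len; k++) result[k] = items[k];
  return result;
}

// Hardened variant: the intrinsics are captured once, when this code is defined.
// This mirrors the idea of JSC's private names (@floor, @isFinite, @Number, @Array):
// later changes to the public globals never reach the builtin's own references.
const hardenedArrayFrom = (() => {
  const $floor = Math.floor;
  const $isFinite = isFinite;
  const $Number = Number;
  const $Array = Array;
  return function arrayFrom(items) {
    const n = $Number(items.length);
    const len = (!$isFinite(n) || n <= 0) ? 0 : $floor(n);
    const result = new $Array(len);
    for (let k = 0; k < len; k++) result[k] = items[k];
    return result;
  };
})();

// Constructed array-like input for the demonstration.
const SAMPLE = { length: 3, 0: 'a', 1: 'b', 2: 'c' };

// Replace two globals the way untrusted page script could, run both variants,
// then restore the originals. Returns both results so the difference is checkable.
function tamperAndCompare() {
  const saved = { floor: Math.floor, isFinite: globalThis.isFinite };
  try {
    Math.floor = () => 0;                  // every computed length collapses to 0
    globalThis.isFinite = () => false;     // every length is reported as non-finite
    return {
      naive: naiveArrayFrom(SAMPLE),       // [] : the tampering is observed
      hardened: hardenedArrayFrom(SAMPLE), // ['a', 'b', 'c'] : unaffected
    };
  } finally {
    Math.floor = saved.floor;
    globalThis.isFinite = saved.isFinite;
  }
}

console.log(JSON.stringify(tamperAndCompare()));
```

The capture-at-definition pattern is the same defence modern polyfill libraries use (saving `Array.prototype.push`, `Object.defineProperty` and friends at load time); the engine-internal version simply makes the captured references unreachable from script by giving them names that user code cannot spell.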
22582 | 2015-02-19 Benjamin Poulain <bpoulain@apple.com> | |
22583 | ||
22584 | Refine the FTL part of ArithPow | |
22585 | https://bugs.webkit.org/show_bug.cgi?id=141792 | |
22586 | ||
22587 | Reviewed by Filip Pizlo. | |
22588 | ||
22589 | This patch refines the FTL lowering of ArithPow. This was left out | |
22590 | of the original patch to keep it simpler. | |
22591 | ||
22592 | * ftl/FTLLowerDFGToLLVM.cpp: | |
22593 | (JSC::FTL::LowerDFGToLLVM::compileArithPow): | |
22594 | Two improvements here: | |
22595 | 1) Do not generate the NaN check unless we know the exponent might be a NaN. | |
22596 | 2) Use one BasicBlock per check with the appropriate weight. Now that we have | |
22597 | one branch per test, move the Infinity check before the check for 1 since | |
22598 | it is the less common case. | |
22599 | ||
22600 | * tests/stress/math-pow-becomes-custom-function.js: Added. | |
22601 | Test for changing the Math.pow() function after it has been optimized. | |
22602 | ||
22603 | * tests/stress/math-pow-nan-behaviors.js: | |
22604 | The previous tests were only going as far as the DFGAbstractInterpreter | |
22605 | where the operations were replaced by the equivalent constant. | |
22606 | ||
22607 | I duplicated the test functions to also test the dynamic behavior of DFG | |
22608 | and FTL. | |
22609 | ||
22610 | * tests/stress/math-pow-with-constants.js: | |
22611 | Add cases covering exponent constants. LLVM removes many value | |
22612 | checks for those. | |
22613 | ||
22614 | * tests/stress/math-pow-with-never-NaN-exponent.js: Added. | |
22615 | Test for the new optimization removing the NaN check. | |
22616 | ||
22617 | 2015-02-19 Csaba Osztrogonác <ossy@webkit.org> | |
22618 | ||
22619 | REGRESSION(r180279): It broke 20 tests on ARM Linux | |
22620 | https://bugs.webkit.org/show_bug.cgi?id=141771 | |
22621 | ||
22622 | Reviewed by Filip Pizlo. | |
22623 | ||
22624 | * dfg/DFGSpeculativeJIT.h: | |
22625 | (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI. | |
22626 | ||
22627 | 2015-02-18 Benjamin Poulain <bpoulain@apple.com> | |
22628 | ||
22629 | Remove BytecodeGenerator's numberMap, it is dead code | |
22630 | https://bugs.webkit.org/show_bug.cgi?id=141779 | |
22631 | ||
22632 | Reviewed by Filip Pizlo. | |
22633 | ||
22634 | * bytecompiler/BytecodeGenerator.cpp: | |
22635 | (JSC::BytecodeGenerator::emitLoad): Deleted. | |
22636 | * bytecompiler/BytecodeGenerator.h: | |
22637 | The JSValueMap seems better in every way. | |
22638 | ||
22639 | The emitLoad() taking a double was the only way to use numberMap | |
22640 | and that code has no caller. | |
22641 | ||
22642 | 2015-02-18 Michael Saboff <msaboff@apple.com> | |
22643 | ||
22644 | Rollout r180247 & r180249 from trunk | |
22645 | https://bugs.webkit.org/show_bug.cgi?id=141773 | |
22646 | ||
22647 | Reviewed by Filip Pizlo. | |
22648 | ||
22649 | These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730 | |
22650 | only for branches. The change to fail the FTL compile but continue running is not comprehensive | |
22651 | enough for general use on trunk. | |
22652 | ||
22653 | * dfg/DFGPlan.cpp: | |
22654 | (JSC::DFG::Plan::compileInThreadImpl): | |
22655 | * ftl/FTLLowerDFGToLLVM.cpp: | |
22656 | (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): | |
22657 | (JSC::FTL::LowerDFGToLLVM::lower): | |
22658 | (JSC::FTL::LowerDFGToLLVM::createPhiVariables): | |
22659 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
22660 | (JSC::FTL::LowerDFGToLLVM::compileUpsilon): | |
22661 | (JSC::FTL::LowerDFGToLLVM::compilePhi): | |
22662 | (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): | |
22663 | (JSC::FTL::LowerDFGToLLVM::compileValueRep): | |
22664 | (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): | |
22665 | (JSC::FTL::LowerDFGToLLVM::compilePutLocal): | |
22666 | (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): | |
22667 | (JSC::FTL::LowerDFGToLLVM::compileArithMul): | |
22668 | (JSC::FTL::LowerDFGToLLVM::compileArithDiv): | |
22669 | (JSC::FTL::LowerDFGToLLVM::compileArithMod): | |
22670 | (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): | |
22671 | (JSC::FTL::LowerDFGToLLVM::compileArithAbs): | |
22672 | (JSC::FTL::LowerDFGToLLVM::compileArithNegate): | |
22673 | (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): | |
22674 | (JSC::FTL::LowerDFGToLLVM::compileGetById): | |
22675 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): | |
22676 | (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): | |
22677 | (JSC::FTL::LowerDFGToLLVM::compileGetByVal): | |
22678 | (JSC::FTL::LowerDFGToLLVM::compilePutByVal): | |
22679 | (JSC::FTL::LowerDFGToLLVM::compileArrayPush): | |
22680 | (JSC::FTL::LowerDFGToLLVM::compileArrayPop): | |
22681 | (JSC::FTL::LowerDFGToLLVM::compileNewArray): | |
22682 | (JSC::FTL::LowerDFGToLLVM::compileToString): | |
22683 | (JSC::FTL::LowerDFGToLLVM::compileMakeRope): | |
22684 | (JSC::FTL::LowerDFGToLLVM::compileCompareEq): | |
22685 | (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): | |
22686 | (JSC::FTL::LowerDFGToLLVM::compileSwitch): | |
22687 | (JSC::FTL::LowerDFGToLLVM::compare): | |
22688 | (JSC::FTL::LowerDFGToLLVM::boolify): | |
22689 | (JSC::FTL::LowerDFGToLLVM::opposite): | |
22690 | (JSC::FTL::LowerDFGToLLVM::lowJSValue): | |
22691 | (JSC::FTL::LowerDFGToLLVM::speculate): | |
22692 | (JSC::FTL::LowerDFGToLLVM::isArrayType): | |
22693 | (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): | |
22694 | (JSC::FTL::LowerDFGToLLVM::exitValueForNode): | |
22695 | (JSC::FTL::LowerDFGToLLVM::setInt52): | |
22696 | (JSC::FTL::lowerDFGToLLVM): | |
22697 | (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted. | |
22698 | * ftl/FTLLowerDFGToLLVM.h: | |
22699 | ||
22700 | 2015-02-18 Filip Pizlo <fpizlo@apple.com> | |
22701 | ||
22702 | DFG should really support varargs | |
22703 | https://bugs.webkit.org/show_bug.cgi?id=141332 | |
22704 | ||
22705 | Reviewed by Oliver Hunt. | |
22706 | ||
22707 | This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a | |
22708 | function had a varargs call, then it could only be compiled if that varargs call was just | |
22709 | forwarding arguments and we were inlining the function rather than compiling it directly. Also, | |
22710 | only varargs calls were dealt with; varargs constructs were not. | |
22711 | ||
22712 | This lifts all of those restrictions. Every varargs call or construct can now be compiled by both | |
22713 | the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a | |
22714 | sensible bound on arguments list length. When we inline a varargs call, the act of loading the | |
22715 | varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we | |
22716 | would be able to do the arguments forwarding optimization as an IR transformation. This patch | |
22717 | doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding | |
22718 | optimization for now. | |
22719 | ||
22720 | There are three major IR features introduced in this patch: | |
22721 | ||
22722 | CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments | |
22723 | array rather than a list of arguments. Currently, they splat this arguments array onto the stack | |
22724 | using the same basic technique as the baseline JIT has always done. Except, these nodes indicate | |
22725 | that we are not interested in doing the non-escaping "arguments" optimization. | |
22726 | ||
22727 | CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments" | |
22728 | optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include | |
22729 | ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for | |
22730 | arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just | |
22731 | not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined. | |
22732 | ||
22733 | LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs | |
22734 | call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will | |
22735 | make room on the stack for the arguments, and will use LoadVarargs to put those arguments into | |
22736 | place. | |
22737 | ||
22738 | In the future, we can consider adding strength reductions like: | |
22739 | ||
22740 | - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into | |
22741 | Call/Construct. | |
22742 | ||
22743 | - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then | |
22744 | turn them into CallForwardVarargs/ConstructForwardVarargs. | |
22745 | ||
22746 | - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and | |
22747 | PutLocals. | |
22748 | ||
22749 | - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like | |
22750 | LoadForwardVarargs. | |
22751 | ||
22752 | - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array | |
22753 | prototype function), then do the splice and varargs loading in one go (maybe via a new node | |
22754 | type). | |
22755 | ||
22756 | * CMakeLists.txt: | |
22757 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
22758 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
22759 | * assembler/MacroAssembler.h: | |
22760 | (JSC::MacroAssembler::rshiftPtr): | |
22761 | (JSC::MacroAssembler::urshiftPtr): | |
22762 | * assembler/MacroAssemblerARM64.h: | |
22763 | (JSC::MacroAssemblerARM64::urshift64): | |
22764 | * assembler/MacroAssemblerX86_64.h: | |
22765 | (JSC::MacroAssemblerX86_64::urshift64): | |
22766 | * assembler/X86Assembler.h: | |
22767 | (JSC::X86Assembler::shrq_i8r): | |
22768 | * bytecode/CallLinkInfo.h: | |
22769 | (JSC::CallLinkInfo::CallLinkInfo): | |
22770 | * bytecode/CallLinkStatus.cpp: | |
22771 | (JSC::CallLinkStatus::computeFor): | |
22772 | (JSC::CallLinkStatus::setProvenConstantCallee): | |
22773 | (JSC::CallLinkStatus::dump): | |
22774 | * bytecode/CallLinkStatus.h: | |
22775 | (JSC::CallLinkStatus::maxNumArguments): | |
22776 | (JSC::CallLinkStatus::setIsProved): Deleted. | |
22777 | * bytecode/CodeOrigin.cpp: | |
22778 | (WTF::printInternal): | |
22779 | * bytecode/CodeOrigin.h: | |
22780 | (JSC::InlineCallFrame::varargsKindFor): | |
22781 | (JSC::InlineCallFrame::specializationKindFor): | |
22782 | (JSC::InlineCallFrame::isVarargs): | |
22783 | (JSC::InlineCallFrame::isNormalCall): Deleted. | |
22784 | * bytecode/ExitKind.cpp: | |
22785 | (JSC::exitKindToString): | |
22786 | * bytecode/ExitKind.h: | |
22787 | * bytecode/ValueRecovery.cpp: | |
22788 | (JSC::ValueRecovery::dumpInContext): | |
22789 | * dfg/DFGAbstractInterpreterInlines.h: | |
22790 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
22791 | * dfg/DFGArgumentsSimplificationPhase.cpp: | |
22792 | (JSC::DFG::ArgumentsSimplificationPhase::run): | |
22793 | * dfg/DFGByteCodeParser.cpp: | |
22794 | (JSC::DFG::ByteCodeParser::flush): | |
22795 | (JSC::DFG::ByteCodeParser::addCall): | |
22796 | (JSC::DFG::ByteCodeParser::handleCall): | |
22797 | (JSC::DFG::ByteCodeParser::handleVarargsCall): | |
22798 | (JSC::DFG::ByteCodeParser::emitFunctionChecks): | |
22799 | (JSC::DFG::ByteCodeParser::inliningCost): | |
22800 | (JSC::DFG::ByteCodeParser::inlineCall): | |
22801 | (JSC::DFG::ByteCodeParser::attemptToInlineCall): | |
22802 | (JSC::DFG::ByteCodeParser::handleInlining): | |
22803 | (JSC::DFG::ByteCodeParser::handleMinMax): | |
22804 | (JSC::DFG::ByteCodeParser::handleIntrinsic): | |
22805 | (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor): | |
22806 | (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): | |
22807 | (JSC::DFG::ByteCodeParser::parseBlock): | |
22808 | (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted. | |
22809 | (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted. | |
22810 | * dfg/DFGCapabilities.cpp: | |
22811 | (JSC::DFG::capabilityLevel): | |
22812 | * dfg/DFGCapabilities.h: | |
22813 | (JSC::DFG::functionCapabilityLevel): | |
22814 | (JSC::DFG::mightCompileFunctionFor): | |
22815 | * dfg/DFGClobberize.h: | |
22816 | (JSC::DFG::clobberize): | |
22817 | * dfg/DFGCommon.cpp: | |
22818 | (WTF::printInternal): | |
22819 | * dfg/DFGCommon.h: | |
22820 | (JSC::DFG::canInline): | |
22821 | (JSC::DFG::leastUpperBound): | |
22822 | * dfg/DFGDoesGC.cpp: | |
22823 | (JSC::DFG::doesGC): | |
22824 | * dfg/DFGFixupPhase.cpp: | |
22825 | (JSC::DFG::FixupPhase::fixupNode): | |
22826 | * dfg/DFGGraph.cpp: | |
22827 | (JSC::DFG::Graph::dump): | |
22828 | (JSC::DFG::Graph::dumpBlockHeader): | |
22829 | (JSC::DFG::Graph::isLiveInBytecode): | |
22830 | (JSC::DFG::Graph::valueProfileFor): | |
22831 | (JSC::DFG::Graph::methodOfGettingAValueProfileFor): | |
22832 | * dfg/DFGGraph.h: | |
22833 | (JSC::DFG::Graph::valueProfileFor): Deleted. | |
22834 | (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted. | |
22835 | * dfg/DFGJITCompiler.cpp: | |
22836 | (JSC::DFG::JITCompiler::compileExceptionHandlers): | |
22837 | (JSC::DFG::JITCompiler::link): | |
22838 | * dfg/DFGMayExit.cpp: | |
22839 | (JSC::DFG::mayExit): | |
22840 | * dfg/DFGNode.h: | |
22841 | (JSC::DFG::Node::hasCallVarargsData): | |
22842 | (JSC::DFG::Node::callVarargsData): | |
22843 | (JSC::DFG::Node::hasLoadVarargsData): | |
22844 | (JSC::DFG::Node::loadVarargsData): | |
22845 | (JSC::DFG::Node::hasHeapPrediction): | |
22846 | * dfg/DFGNodeType.h: | |
22847 | * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: | |
22848 | (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): | |
22849 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
22850 | (JSC::DFG::reifyInlinedCallFrames): | |
22851 | * dfg/DFGOperations.cpp: | |
22852 | * dfg/DFGOperations.h: | |
22853 | * dfg/DFGPlan.cpp: | |
22854 | (JSC::DFG::dumpAndVerifyGraph): | |
22855 | (JSC::DFG::Plan::compileInThreadImpl): | |
22856 | * dfg/DFGPreciseLocalClobberize.h: | |
22857 | (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): | |
22858 | (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): | |
22859 | * dfg/DFGPredictionPropagationPhase.cpp: | |
22860 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
22861 | * dfg/DFGSSAConversionPhase.cpp: | |
22862 | * dfg/DFGSafeToExecute.h: | |
22863 | (JSC::DFG::safeToExecute): | |
22864 | * dfg/DFGSpeculativeJIT.h: | |
22865 | (JSC::DFG::SpeculativeJIT::isFlushed): | |
22866 | (JSC::DFG::SpeculativeJIT::callOperation): | |
22867 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
22868 | (JSC::DFG::SpeculativeJIT::emitCall): | |
22869 | (JSC::DFG::SpeculativeJIT::compile): | |
22870 | * dfg/DFGSpeculativeJIT64.cpp: | |
22871 | (JSC::DFG::SpeculativeJIT::emitCall): | |
22872 | (JSC::DFG::SpeculativeJIT::compile): | |
22873 | * dfg/DFGStackLayoutPhase.cpp: | |
22874 | (JSC::DFG::StackLayoutPhase::run): | |
22875 | (JSC::DFG::StackLayoutPhase::assign): | |
22876 | * dfg/DFGStrengthReductionPhase.cpp: | |
22877 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
22878 | * dfg/DFGTypeCheckHoistingPhase.cpp: | |
22879 | (JSC::DFG::TypeCheckHoistingPhase::run): | |
22880 | * dfg/DFGValidate.cpp: | |
22881 | (JSC::DFG::Validate::validateCPS): | |
22882 | * ftl/FTLAbbreviations.h: | |
22883 | (JSC::FTL::functionType): | |
22884 | (JSC::FTL::buildCall): | |
22885 | * ftl/FTLCapabilities.cpp: | |
22886 | (JSC::FTL::canCompile): | |
22887 | * ftl/FTLCompile.cpp: | |
22888 | (JSC::FTL::mmAllocateDataSection): | |
22889 | * ftl/FTLInlineCacheSize.cpp: | |
22890 | (JSC::FTL::sizeOfCall): | |
22891 | (JSC::FTL::sizeOfCallVarargs): | |
22892 | (JSC::FTL::sizeOfCallForwardVarargs): | |
22893 | (JSC::FTL::sizeOfConstructVarargs): | |
22894 | (JSC::FTL::sizeOfIn): | |
22895 | (JSC::FTL::sizeOfICFor): | |
22896 | (JSC::FTL::sizeOfCheckIn): Deleted. | |
22897 | * ftl/FTLInlineCacheSize.h: | |
22898 | * ftl/FTLIntrinsicRepository.h: | |
22899 | * ftl/FTLJSCall.cpp: | |
22900 | (JSC::FTL::JSCall::JSCall): | |
22901 | * ftl/FTLJSCallBase.cpp: | |
22902 | * ftl/FTLJSCallBase.h: | |
22903 | * ftl/FTLJSCallVarargs.cpp: Added. | |
22904 | (JSC::FTL::JSCallVarargs::JSCallVarargs): | |
22905 | (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded): | |
22906 | (JSC::FTL::JSCallVarargs::emit): | |
22907 | (JSC::FTL::JSCallVarargs::link): | |
22908 | * ftl/FTLJSCallVarargs.h: Added. | |
22909 | (JSC::FTL::JSCallVarargs::node): | |
22910 | (JSC::FTL::JSCallVarargs::stackmapID): | |
22911 | (JSC::FTL::JSCallVarargs::operator<): | |
22912 | * ftl/FTLLowerDFGToLLVM.cpp: | |
22913 | (JSC::FTL::LowerDFGToLLVM::lower): | |
22914 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
22915 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): | |
22916 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): | |
22917 | (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs): | |
22918 | (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs): | |
22919 | (JSC::FTL::LowerDFGToLLVM::compileIn): | |
22920 | (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): | |
22921 | (JSC::FTL::LowerDFGToLLVM::vmCall): | |
22922 | (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions): | |
22923 | (JSC::FTL::LowerDFGToLLVM::callCheck): | |
22924 | * ftl/FTLOutput.h: | |
22925 | (JSC::FTL::Output::call): | |
22926 | * ftl/FTLState.cpp: | |
22927 | (JSC::FTL::State::State): | |
22928 | * ftl/FTLState.h: | |
22929 | * interpreter/Interpreter.cpp: | |
22930 | (JSC::sizeOfVarargs): | |
22931 | (JSC::sizeFrameForVarargs): | |
22932 | * interpreter/Interpreter.h: | |
22933 | * interpreter/StackVisitor.cpp: | |
22934 | (JSC::StackVisitor::readInlinedFrame): | |
22935 | * jit/AssemblyHelpers.cpp: | |
22936 | (JSC::AssemblyHelpers::emitExceptionCheck): | |
22937 | * jit/AssemblyHelpers.h: | |
22938 | (JSC::AssemblyHelpers::addressFor): | |
22939 | (JSC::AssemblyHelpers::calleeFrameSlot): | |
22940 | (JSC::AssemblyHelpers::calleeArgumentSlot): | |
22941 | (JSC::AssemblyHelpers::calleeFrameTagSlot): | |
22942 | (JSC::AssemblyHelpers::calleeFramePayloadSlot): | |
22943 | (JSC::AssemblyHelpers::calleeArgumentTagSlot): | |
22944 | (JSC::AssemblyHelpers::calleeArgumentPayloadSlot): | |
22945 | (JSC::AssemblyHelpers::calleeFrameCallerFrame): | |
22946 | (JSC::AssemblyHelpers::selectScratchGPR): | |
22947 | * jit/CCallHelpers.h: | |
22948 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
22949 | * jit/GPRInfo.h: | |
22950 | * jit/JIT.cpp: | |
22951 | (JSC::JIT::privateCompile): | |
22952 | * jit/JIT.h: | |
22953 | * jit/JITCall.cpp: | |
22954 | (JSC::JIT::compileSetupVarargsFrame): | |
22955 | (JSC::JIT::compileOpCall): | |
22956 | * jit/JITCall32_64.cpp: | |
22957 | (JSC::JIT::compileSetupVarargsFrame): | |
22958 | (JSC::JIT::compileOpCall): | |
22959 | * jit/JITOperations.h: | |
22960 | * jit/SetupVarargsFrame.cpp: | |
22961 | (JSC::emitSetupVarargsFrameFastCase): | |
22962 | * jit/SetupVarargsFrame.h: | |
22963 | * runtime/Arguments.h: | |
22964 | (JSC::Arguments::create): | |
22965 | (JSC::Arguments::registerArraySizeInBytes): | |
22966 | (JSC::Arguments::finishCreation): | |
22967 | * runtime/Options.h: | |
22968 | * tests/stress/construct-varargs-inline-smaller-Foo.js: Added. | |
22969 | (Foo): | |
22970 | (bar): | |
22971 | (checkEqual): | |
22972 | (test): | |
22973 | * tests/stress/construct-varargs-inline.js: Added. | |
22974 | (Foo): | |
22975 | (bar): | |
22976 | (checkEqual): | |
22977 | (test): | |
22978 | * tests/stress/construct-varargs-no-inline.js: Added. | |
22979 | (Foo): | |
22980 | (bar): | |
22981 | (checkEqual): | |
22982 | (test): | |
22983 | * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added. | |
22984 | (foo): | |
22985 | (bar): | |
22986 | * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added. | |
22987 | (foo): | |
22988 | (bar): | |
22989 | * tests/stress/get-my-argument-by-val-creates-arguments.js: Added. | |
22990 | (blah): | |
22991 | (foo): | |
22992 | (bar): | |
22993 | (checkEqual): | |
22994 | (test): | |
22995 | * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added. | |
22996 | (foo): | |
22997 | (bar): | |
22998 | (checkEqual): | |
22999 | * tests/stress/load-varargs-then-inlined-call-inlined.js: Added. | |
23000 | (foo): | |
23001 | (bar): | |
23002 | (baz): | |
23003 | (checkEqual): | |
23004 | (test): | |
23005 | * tests/stress/load-varargs-then-inlined-call.js: Added. | |
23006 | (foo): | |
23007 | (bar): | |
23008 | (checkEqual): | |
23009 | (test): | |
23010 | ||
23011 | 2015-02-17 Michael Saboff <msaboff@apple.com> | |
23012 | ||
23013 | Unreviewed, Restoring the C LOOP insta-crash fix in r180184. | |
23014 | ||
23015 | Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm. | |
23016 | After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1). | |
23017 | ||
23018 | * llint/LowLevelInterpreter.asm: Fixed a typo. | |
23019 | ||
23020 | 2015-02-18 Csaba Osztrogonác <ossy@webkit.org> | |
23021 | ||
23022 | URTBF after r180258 to fix Windows build. | |
23023 | ||
23024 | * runtime/MathCommon.cpp: | |
23025 | (JSC::mathPowInternal): | |
23026 | ||
23027 | 2015-02-18 Joseph Pecoraro <pecoraro@apple.com> | |
23028 | ||
23029 | REGRESSION(r180235): It broke the !ENABLE(PROMISES) build | |
23030 | https://bugs.webkit.org/show_bug.cgi?id=141746 | |
23031 | ||
23032 | Unreviewed build fix. | |
23033 | ||
23034 | * inspector/JSInjectedScriptHost.cpp: | |
23035 | (Inspector::JSInjectedScriptHost::getInternalProperties): | |
23036 | Wrap JSPromise related code in ENABLE(PROMISES) guard. | |
23037 | ||
23038 | 2015-02-18 Benjamin Poulain <benjamin@webkit.org> | |
23039 | ||
23040 | Fix the C-Loop LLInt build | |
23041 | https://bugs.webkit.org/show_bug.cgi?id=141618 | |
23042 | ||
23043 | Reviewed by Filip Pizlo. | |
23044 | ||
23045 | I broke C-Loop when moving the common code of pow() | |
23046 | to JITOperations because that file is #ifdefed out | |
23047 | when the JITs are disabled. | |
23048 | ||
23049 | It would be weird to move it back to MathObject since | |
23050 | the function needs to know about the calling conventions. | |
23051 | ||
23052 | To avoid making a mess, I just gave the function its own file | |
23053 | that is used by both the runtime and the JIT. | |
23054 | ||
23055 | * CMakeLists.txt: | |
23056 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
23057 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
23058 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
23059 | * dfg/DFGAbstractInterpreterInlines.h: | |
23060 | * jit/JITOperations.cpp: | |
23061 | * jit/JITOperations.h: | |
23062 | * runtime/MathCommon.cpp: Added. | |
23063 | (JSC::fdlibmScalbn): | |
23064 | (JSC::fdlibmPow): | |
23065 | (JSC::isDenormal): | |
23066 | (JSC::isEdgeCase): | |
23067 | (JSC::mathPowInternal): | |
23068 | (JSC::operationMathPow): | |
23069 | * runtime/MathCommon.h: Added. | |
23070 | * runtime/MathObject.cpp: | |
23071 | ||
23072 | 2015-02-17 Benjamin Poulain <bpoulain@apple.com> | |
23073 | ||
23074 | Clean up OSRExit's considerAddingAsFrequentExitSite() | |
23075 | https://bugs.webkit.org/show_bug.cgi?id=141690 | |
23076 | ||
23077 | Reviewed by Anders Carlsson. | |
23078 | ||
23079 | Looks like some code was removed from CodeBlock::tallyFrequentExitSites() | |
23080 | and the OSRExit were left untouched. | |
23081 | ||
23082 | This patch cleans up the two loops and remove the boolean return | |
23083 | on considerAddingAsFrequentExitSite(). | |
23084 | ||
23085 | * bytecode/CodeBlock.cpp: | |
23086 | (JSC::CodeBlock::tallyFrequentExitSites): | |
23087 | * dfg/DFGOSRExit.h: | |
23088 | (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite): | |
23089 | * dfg/DFGOSRExitBase.cpp: | |
23090 | (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): | |
23091 | * dfg/DFGOSRExitBase.h: | |
23092 | (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite): | |
23093 | * ftl/FTLOSRExit.h: | |
23094 | (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite): | |
23095 | ||
23096 | 2015-02-17 Alexey Proskuryakov <ap@apple.com> | |
23097 | ||
23098 | Debug build fix after r180247. | |
23099 | ||
23100 | * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed): | |
23101 | ||
23102 | 2015-02-17 Commit Queue <commit-queue@webkit.org> | |
23103 | ||
23104 | Unreviewed, rolling out r180184. | |
23105 | https://bugs.webkit.org/show_bug.cgi?id=141733 | |
23106 | ||
23107 | Caused infinite recursion on js/function-apply-aliased.html | |
23108 | (Requested by ap_ on #webkit). | |
23109 | ||
23110 | Reverted changeset: | |
23111 | ||
23112 | "REGRESSION(r180060): C Loop crashes" | |
23113 | https://bugs.webkit.org/show_bug.cgi?id=141671 | |
23114 | http://trac.webkit.org/changeset/180184 | |
23115 | ||
23116 | 2015-02-17 Michael Saboff <msaboff@apple.com> | |
23117 | ||
23118 | CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode | |
23119 | https://bugs.webkit.org/show_bug.cgi?id=141730 | |
23120 | ||
23121 | Reviewed by Geoffrey Garen. | |
23122 | ||
23123 | Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures | |
23124 | while processing DFG lowering. For debug builds, the failures are logged identical | |
23125 | to the way the DFG_CRASH() reports them. For release builds, the failures are reported | |
23126 | and that FTL compilation is terminated, but the process is allowed to continue. | |
23127 | Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and | |
23128 | line number are reported at the point of the inconsistency. | |
23129 | ||
23130 | Converted instances of DFG_CRASH to LOWERING_FAILED. | |
23131 | ||
23132 | * dfg/DFGPlan.cpp: | |
23133 | (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that | |
23134 | will fail the FTL compile. | |
23135 | ||
23136 | * ftl/FTLLowerDFGToLLVM.cpp: | |
23137 | (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): | |
23138 | Added new member variable, m_loweringSucceeded, to stop compilation on the first | |
23139 | reported failure. | |
23140 | ||
23141 | * ftl/FTLLowerDFGToLLVM.cpp: | |
23142 | (JSC::FTL::LowerDFGToLLVM::lower): | |
23143 | * ftl/FTLLowerDFGToLLVM.h: | |
23144 | Added check for compilation failures and now report those failures via a boolean | |
23145 | return value. | |
23146 | ||
23147 | * ftl/FTLLowerDFGToLLVM.cpp: | |
23148 | (JSC::FTL::LowerDFGToLLVM::createPhiVariables): | |
23149 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
23150 | (JSC::FTL::LowerDFGToLLVM::compileUpsilon): | |
23151 | (JSC::FTL::LowerDFGToLLVM::compilePhi): | |
23152 | (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): | |
23153 | (JSC::FTL::LowerDFGToLLVM::compileValueRep): | |
23154 | (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): | |
23155 | (JSC::FTL::LowerDFGToLLVM::compilePutLocal): | |
23156 | (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): | |
23157 | (JSC::FTL::LowerDFGToLLVM::compileArithMul): | |
23158 | (JSC::FTL::LowerDFGToLLVM::compileArithDiv): | |
23159 | (JSC::FTL::LowerDFGToLLVM::compileArithMod): | |
23160 | (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): | |
23161 | (JSC::FTL::LowerDFGToLLVM::compileArithAbs): | |
23162 | (JSC::FTL::LowerDFGToLLVM::compileArithNegate): | |
23163 | (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): | |
23164 | (JSC::FTL::LowerDFGToLLVM::compileGetById): | |
23165 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): | |
23166 | (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): | |
23167 | (JSC::FTL::LowerDFGToLLVM::compileGetByVal): | |
23168 | (JSC::FTL::LowerDFGToLLVM::compilePutByVal): | |
23169 | (JSC::FTL::LowerDFGToLLVM::compileArrayPush): | |
23170 | (JSC::FTL::LowerDFGToLLVM::compileArrayPop): | |
23171 | (JSC::FTL::LowerDFGToLLVM::compileNewArray): | |
23172 | (JSC::FTL::LowerDFGToLLVM::compileToString): | |
23173 | (JSC::FTL::LowerDFGToLLVM::compileMakeRope): | |
23174 | (JSC::FTL::LowerDFGToLLVM::compileCompareEq): | |
23175 | (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): | |
23176 | (JSC::FTL::LowerDFGToLLVM::compileSwitch): | |
23177 | (JSC::FTL::LowerDFGToLLVM::compare): | |
23178 | (JSC::FTL::LowerDFGToLLVM::boolify): | |
23179 | (JSC::FTL::LowerDFGToLLVM::opposite): | |
23180 | (JSC::FTL::LowerDFGToLLVM::lowJSValue): | |
23181 | (JSC::FTL::LowerDFGToLLVM::speculate): | |
23182 | (JSC::FTL::LowerDFGToLLVM::isArrayType): | |
23183 | (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): | |
23184 | (JSC::FTL::LowerDFGToLLVM::exitValueForNode): | |
23185 | (JSC::FTL::LowerDFGToLLVM::setInt52): | |
23186 | Changed DFG_CRASH() to LOWERING_FAILED(). Updated related control flow as appropriate. | |
23187 | ||
23188 | (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function. | |
23189 | ||
23190 | 2015-02-17 Filip Pizlo <fpizlo@apple.com> | |
23191 | ||
23192 | StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments | |
23193 | https://bugs.webkit.org/show_bug.cgi?id=141721 | |
23194 | rdar://problem/17198633 | |
23195 | ||
23196 | Reviewed by Michael Saboff. | |
23197 | ||
23198 | I've seen cases where the two are out of sync. We know we can trust the CodeBlock::usesArguments because | |
23199 | we use it everywhere else. | |
23200 | ||
23201 | No test because I could never reproduce the crash. | |
23202 | ||
23203 | * dfg/DFGGraph.h: | |
23204 | (JSC::DFG::Graph::usesArguments): | |
23205 | * dfg/DFGStackLayoutPhase.cpp: | |
23206 | (JSC::DFG::StackLayoutPhase::run): | |
23207 | ||
23208 | 2015-02-16 Joseph Pecoraro <pecoraro@apple.com> | |
23209 | ||
23210 | Web Inspector: Improved Console Support for Bound Functions | |
23211 | https://bugs.webkit.org/show_bug.cgi?id=141635 | |
23212 | ||
23213 | Reviewed by Timothy Hatcher. | |
23214 | ||
23215 | * inspector/JSInjectedScriptHost.cpp: | |
23216 | (Inspector::JSInjectedScriptHost::getInternalProperties): | |
23217 | Expose internal properties of a JSBoundFunction. | |
23218 | ||
23219 | 2015-02-16 Joseph Pecoraro <pecoraro@apple.com> | |
23220 | ||
23221 | Web Inspector: ES6: Improved Console Support for Promise Objects | |
23222 | https://bugs.webkit.org/show_bug.cgi?id=141634 | |
23223 | ||
23224 | Reviewed by Timothy Hatcher. | |
23225 | ||
23226 | * inspector/InjectedScript.cpp: | |
23227 | (Inspector::InjectedScript::getInternalProperties): | |
23228 | * inspector/InjectedScriptSource.js: | |
23229 | Include internal properties in previews. Share code | |
23230 | with normal internal property handling. | |
23231 | ||
23232 | * inspector/JSInjectedScriptHost.cpp: | |
23233 | (Inspector::constructInternalProperty): | |
23234 | (Inspector::JSInjectedScriptHost::getInternalProperties): | |
23235 | Provide internal state of Promises. | |
23236 | ||
23237 | * inspector/protocol/Runtime.json: | |
23238 | Provide an optional field to distinguish if a PropertyPreview | |
23239 | is for an Internal property or not. | |
23240 | ||
23241 | 2015-02-17 Filip Pizlo <fpizlo@apple.com> | |
23242 | ||
23243 | Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs | |
23244 | https://bugs.webkit.org/show_bug.cgi?id=141717 | |
23245 | rdar://problem/19863382 | |
23246 | ||
23247 | Reviewed by Geoffrey Garen. | |
23248 | ||
23249 | The best solution is to ensure that the engine catching an exception restores tag registers. | |
23250 | ||
23251 | Each of these new test cases reliably crashed prior to this patch and they don't crash at all now. | |
23252 | ||
23253 | * jit/JITOpcodes.cpp: | |
23254 | (JSC::JIT::emit_op_catch): | |
23255 | * llint/LowLevelInterpreter.asm: | |
23256 | * llint/LowLevelInterpreter64.asm: | |
23257 | * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added. | |
23258 | * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added. | |
23259 | * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added. | |
23260 | ||
23261 | 2015-02-17 Csaba Osztrogonác <ossy@webkit.org> | |
23262 | ||
23263 | [ARM] Add the necessary setupArgumentsWithExecState after bug141332 | |
23264 | https://bugs.webkit.org/show_bug.cgi?id=141714 | |
23265 | ||
23266 | Reviewed by Michael Saboff. | |
23267 | ||
23268 | * jit/CCallHelpers.h: | |
23269 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
23270 | ||
23271 | 2015-02-15 Sam Weinig <sam@webkit.org> | |
23272 | ||
23273 | Add experimental <attachment> element support | |
23274 | https://bugs.webkit.org/show_bug.cgi?id=141626 | |
23275 | ||
23276 | Reviewed by Tim Horton. | |
23277 | ||
23278 | * Configurations/FeatureDefines.xcconfig: | |
23279 | ||
23280 | 2015-02-16 Michael Saboff <msaboff@apple.com> | |
23281 | ||
23282 | REGRESSION(r180060): C Loop crashes | |
23283 | https://bugs.webkit.org/show_bug.cgi?id=141671 | |
23284 | ||
23285 | Reviewed by Geoffrey Garen. | |
23286 | ||
23287 | Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm. | |
23288 | After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1). | |
23289 | Fixed the processing of an out-of-stack exception in llint_stack_check to not get the caller's | |
23290 | frame. This isn't needed, since this helper is only called to check the stack on entry. Any | |
23291 | exception will be handled by a call ancestor. | |
23292 | ||
23293 | * llint/LLIntSlowPaths.cpp: | |
23294 | (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception. | |
23295 | * llint/LowLevelInterpreter.asm: Fixed a typo. | |
23296 | ||
23297 | 2015-02-16 Joseph Pecoraro <pecoraro@apple.com> | |
23298 | ||
23299 | Web Inspector: Scope details sidebar should label objects with constructor names | |
23300 | https://bugs.webkit.org/show_bug.cgi?id=139449 | |
23301 | ||
23302 | Reviewed by Timothy Hatcher. | |
23303 | ||
23304 | * inspector/JSInjectedScriptHost.cpp: | |
23305 | (Inspector::JSInjectedScriptHost::internalConstructorName): | |
23306 | * runtime/Structure.cpp: | |
23307 | (JSC::Structure::toStructureShape): | |
23308 | Share calculatedClassName. | |
23309 | ||
23310 | * runtime/JSObject.h: | |
23311 | * runtime/JSObject.cpp: | |
23312 | (JSC::JSObject::calculatedClassName): | |
23313 | Elaborate on a way to get an Object's class name. | |
23314 | ||
23315 | 2015-02-16 Filip Pizlo <fpizlo@apple.com> | |
23316 | ||
23317 | DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed | |
23318 | https://bugs.webkit.org/show_bug.cgi?id=141623 | |
23319 | ||
23320 | Reviewed by Oliver Hunt. | |
23321 | ||
23322 | During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I | |
23323 | needed to use GetArgument for loading something that has magically already appeared on the | |
23324 | stack, so currently trunk sort of allows this. But then I realized three things: | |
23325 | ||
23326 | - A GetArgument with a non-JSValue flush format means speculating that the value on the | |
23327 | stack obeys that format, rather than just assuming that it already has that format. | |
23328 | In bug 141332, I want it to assume rather than speculate. That also happens to be more | |
23329 | intuitive; I don't think I was wrong to expect that. | |
23330 | ||
23331 | - The node I really want is GetLocal. I'm just getting the value of the local and I don't | |
23332 | want to do anything else. | |
23333 | ||
23334 | - Maybe it would be easier if we just used GetLocal for all of the cases where we currently | |
23335 | use GetArgument. | |
23336 | ||
23337 | This changes the FTL to do argument speculations in the prologue just like the DFG does. | |
23338 | This brings some consistency to our system, and allows us to get rid of the GetArgument | |
23339 | node. The speculations that the FTL must do are now made explicit in the m_argumentFormats | |
23340 | vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are | |
23341 | dead we will still speculate. We already have safeguards to ensure we only speculate if | |
23342 | there are uses that benefit from speculation (which is a much more conservative criterion | |
23343 | than DCE). | |
23344 | ||
23345 | * dfg/DFGAbstractInterpreterInlines.h: | |
23346 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
23347 | * dfg/DFGClobberize.h: | |
23348 | (JSC::DFG::clobberize): | |
23349 | * dfg/DFGDCEPhase.cpp: | |
23350 | (JSC::DFG::DCEPhase::run): | |
23351 | * dfg/DFGDoesGC.cpp: | |
23352 | (JSC::DFG::doesGC): | |
23353 | * dfg/DFGFixupPhase.cpp: | |
23354 | (JSC::DFG::FixupPhase::fixupNode): | |
23355 | * dfg/DFGFlushFormat.h: | |
23356 | (JSC::DFG::typeFilterFor): | |
23357 | * dfg/DFGGraph.cpp: | |
23358 | (JSC::DFG::Graph::dump): | |
23359 | * dfg/DFGGraph.h: | |
23360 | (JSC::DFG::Graph::valueProfileFor): | |
23361 | (JSC::DFG::Graph::methodOfGettingAValueProfileFor): | |
23362 | * dfg/DFGInPlaceAbstractState.cpp: | |
23363 | (JSC::DFG::InPlaceAbstractState::initialize): | |
23364 | * dfg/DFGNode.cpp: | |
23365 | (JSC::DFG::Node::hasVariableAccessData): | |
23366 | * dfg/DFGNodeType.h: | |
23367 | * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: | |
23368 | (JSC::DFG::OSRAvailabilityAnalysisPhase::run): | |
23369 | (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): | |
23370 | * dfg/DFGPredictionPropagationPhase.cpp: | |
23371 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
23372 | * dfg/DFGPutLocalSinkingPhase.cpp: | |
23373 | * dfg/DFGSSAConversionPhase.cpp: | |
23374 | (JSC::DFG::SSAConversionPhase::run): | |
23375 | * dfg/DFGSafeToExecute.h: | |
23376 | (JSC::DFG::safeToExecute): | |
23377 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
23378 | (JSC::DFG::SpeculativeJIT::compile): | |
23379 | * dfg/DFGSpeculativeJIT64.cpp: | |
23380 | (JSC::DFG::SpeculativeJIT::compile): | |
23381 | * ftl/FTLCapabilities.cpp: | |
23382 | (JSC::FTL::canCompile): | |
23383 | * ftl/FTLLowerDFGToLLVM.cpp: | |
23384 | (JSC::FTL::LowerDFGToLLVM::lower): | |
23385 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
23386 | (JSC::FTL::LowerDFGToLLVM::compileGetLocal): | |
23387 | (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted. | |
23388 | * tests/stress/dead-speculating-argument-use.js: Added. | |
23389 | (foo): | |
23390 | (o.valueOf): | |
23391 | ||
23392 | 2015-02-15 Filip Pizlo <fpizlo@apple.com> | |
23393 | ||
23394 | Rare case profiling should actually work | |
23395 | https://bugs.webkit.org/show_bug.cgi?id=141632 | |
23396 | ||
23397 | Reviewed by Michael Saboff. | |
23398 | ||
23399 | This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case | |
23400 | heuristic has essentially stopped working because the typical execution count threshold for a | |
23401 | bytecode instruction is around 66 while the slow case threshold is 100: virtually | |
23402 | guaranteeing that the DFG will never think that a bytecode instruction has taken the slow | |
23403 | case even if it took it every single time. So, this changes the slow case threshold to 20. | |
23404 | ||
23405 | I checked if we could lower this down further, like to 10. That is worse than 20, and about | |
23406 | as bad as 100. | |
23407 | ||
23408 | * runtime/Options.h: | |
23409 | ||
23410 | 2015-02-15 Brian J. Burg <burg@cs.washington.edu> | |
23411 | ||
23412 | Web Inspector: remove unused XHR replay code | |
23413 | https://bugs.webkit.org/show_bug.cgi?id=141622 | |
23414 | ||
23415 | Reviewed by Timothy Hatcher. | |
23416 | ||
23417 | * inspector/protocol/Network.json: remove XHR replay methods. | |
23418 | ||
23419 | 2015-02-15 David Kilzer <ddkilzer@apple.com> | |
23420 | ||
23421 | REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols | |
23422 | <http://webkit.org/b/141607> | |
23423 | ||
23424 | More work towards fixing the Mavericks Debug build. | |
23425 | ||
23426 | * inspector/ScriptDebugServer.h: | |
23427 | (Inspector::ScriptDebugServer::Task): | |
23428 | * inspector/agents/InspectorDebuggerAgent.h: | |
23429 | (Inspector::InspectorDebuggerAgent::Listener): | |
23430 | - Remove subclass exports. They did not help. | |
23431 | ||
23432 | * runtime/JSCJSValue.h: | |
23433 | (JSC::JSValue::toFloat): Do not mark inline method for export. | |
23434 | ||
23435 | 2015-02-09 Brian J. Burg <burg@cs.washington.edu> | |
23436 | ||
23437 | Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace | |
23438 | https://bugs.webkit.org/show_bug.cgi?id=141372 | |
23439 | ||
23440 | Reviewed by Joseph Pecoraro. | |
23441 | ||
23442 | * inspector/ConsoleMessage.cpp: | |
23443 | (Inspector::ConsoleMessage::addToFrontend): | |
23444 | (Inspector::ConsoleMessage::updateRepeatCountInConsole): | |
23445 | * inspector/ConsoleMessage.h: | |
23446 | * inspector/InspectorAgentBase.h: | |
23447 | * inspector/InspectorAgentRegistry.cpp: | |
23448 | (Inspector::AgentRegistry::AgentRegistry): | |
23449 | (Inspector::AgentRegistry::append): | |
23450 | (Inspector::AgentRegistry::appendExtraAgent): | |
23451 | (Inspector::AgentRegistry::didCreateFrontendAndBackend): | |
23452 | (Inspector::AgentRegistry::willDestroyFrontendAndBackend): | |
23453 | (Inspector::AgentRegistry::discardAgents): | |
23454 | (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted. | |
23455 | (Inspector::InspectorAgentRegistry::append): Deleted. | |
23456 | (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted. | |
23457 | (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted. | |
23458 | (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted. | |
23459 | (Inspector::InspectorAgentRegistry::discardAgents): Deleted. | |
23460 | * inspector/InspectorAgentRegistry.h: | |
23461 | * inspector/InspectorBackendDispatcher.cpp: | |
23462 | (Inspector::BackendDispatcher::CallbackBase::CallbackBase): | |
23463 | (Inspector::BackendDispatcher::CallbackBase::isActive): | |
23464 | (Inspector::BackendDispatcher::CallbackBase::sendFailure): | |
23465 | (Inspector::BackendDispatcher::CallbackBase::sendIfActive): | |
23466 | (Inspector::BackendDispatcher::create): | |
23467 | (Inspector::BackendDispatcher::registerDispatcherForDomain): | |
23468 | (Inspector::BackendDispatcher::dispatch): | |
23469 | (Inspector::BackendDispatcher::sendResponse): | |
23470 | (Inspector::BackendDispatcher::reportProtocolError): | |
23471 | (Inspector::BackendDispatcher::getInteger): | |
23472 | (Inspector::BackendDispatcher::getDouble): | |
23473 | (Inspector::BackendDispatcher::getString): | |
23474 | (Inspector::BackendDispatcher::getBoolean): | |
23475 | (Inspector::BackendDispatcher::getObject): | |
23476 | (Inspector::BackendDispatcher::getArray): | |
23477 | (Inspector::BackendDispatcher::getValue): | |
23478 | (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted. | |
23479 | (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted. | |
23480 | (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted. | |
23481 | (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted. | |
23482 | (Inspector::InspectorBackendDispatcher::create): Deleted. | |
23483 | (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted. | |
23484 | (Inspector::InspectorBackendDispatcher::dispatch): Deleted. | |
23485 | (Inspector::InspectorBackendDispatcher::sendResponse): Deleted. | |
23486 | (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted. | |
23487 | (Inspector::InspectorBackendDispatcher::getInteger): Deleted. | |
23488 | (Inspector::InspectorBackendDispatcher::getDouble): Deleted. | |
23489 | (Inspector::InspectorBackendDispatcher::getString): Deleted. | |
23490 | (Inspector::InspectorBackendDispatcher::getBoolean): Deleted. | |
23491 | (Inspector::InspectorBackendDispatcher::getObject): Deleted. | |
23492 | (Inspector::InspectorBackendDispatcher::getArray): Deleted. | |
23493 | (Inspector::InspectorBackendDispatcher::getValue): Deleted. | |
23494 | * inspector/InspectorBackendDispatcher.h: | |
23495 | (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher): | |
23496 | (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher): | |
23497 | (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted. | |
23498 | (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted. | |
23499 | * inspector/InspectorFrontendChannel.h: | |
23500 | (Inspector::FrontendChannel::~FrontendChannel): | |
23501 | (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted. | |
23502 | * inspector/JSGlobalObjectInspectorController.cpp: | |
23503 | (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): | |
23504 | (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed): | |
23505 | (Inspector::JSGlobalObjectInspectorController::connectFrontend): | |
23506 | (Inspector::JSGlobalObjectInspectorController::disconnectFrontend): | |
23507 | (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend): | |
23508 | (Inspector::JSGlobalObjectInspectorController::appendExtraAgent): | |
23509 | * inspector/JSGlobalObjectInspectorController.h: | |
23510 | * inspector/agents/InspectorAgent.cpp: | |
23511 | (Inspector::InspectorAgent::didCreateFrontendAndBackend): | |
23512 | (Inspector::InspectorAgent::willDestroyFrontendAndBackend): | |
23513 | * inspector/agents/InspectorAgent.h: | |
23514 | * inspector/agents/InspectorConsoleAgent.cpp: | |
23515 | (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend): | |
23516 | (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend): | |
23517 | * inspector/agents/InspectorConsoleAgent.h: | |
23518 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
23519 | (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend): | |
23520 | (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend): | |
23521 | (Inspector::InspectorDebuggerAgent::handleConsoleAssert): | |
23522 | (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): | |
23523 | (Inspector::InspectorDebuggerAgent::pause): | |
23524 | (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP): | |
23525 | (Inspector::InspectorDebuggerAgent::didPause): | |
23526 | (Inspector::InspectorDebuggerAgent::breakProgram): | |
23527 | (Inspector::InspectorDebuggerAgent::clearBreakDetails): | |
23528 | * inspector/agents/InspectorDebuggerAgent.h: | |
23529 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
23530 | (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend): | |
23531 | * inspector/agents/InspectorRuntimeAgent.h: | |
23532 | * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: | |
23533 | (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend): | |
23534 | (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend): | |
23535 | * inspector/agents/JSGlobalObjectRuntimeAgent.h: | |
23536 | * inspector/augmentable/AlternateDispatchableAgent.h: | |
23537 | * inspector/augmentable/AugmentableInspectorController.h: | |
23538 | * inspector/remote/RemoteInspectorDebuggable.h: | |
23539 | * inspector/remote/RemoteInspectorDebuggableConnection.h: | |
23540 | * inspector/scripts/codegen/cpp_generator.py: | |
23541 | (CppGenerator.cpp_type_for_formal_out_parameter): | |
23542 | (CppGenerator.cpp_type_for_stack_out_parameter): | |
23543 | * inspector/scripts/codegen/cpp_generator_templates.py: | |
23544 | (AlternateBackendDispatcher): | |
23545 | (Alternate): | |
23546 | (void): | |
23547 | (AlternateInspectorBackendDispatcher): Deleted. | |
23548 | (AlternateInspector): Deleted. | |
23549 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: | |
23550 | (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate): | |
23551 | (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command): | |
23552 | (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted. | |
23553 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: | |
23554 | (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain): | |
23555 | (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain): | |
23556 | (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): | |
23557 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: | |
23558 | (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): | |
23559 | * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: | |
23560 | (ObjCFrontendDispatcherImplementationGenerator._generate_event): | |
23561 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
23562 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
23563 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
23564 | * inspector/scripts/tests/expected/enum-values.json-result: | |
23565 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
23566 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
23567 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
23568 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
23569 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
23570 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
23571 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
23572 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
23573 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
23574 | * runtime/JSGlobalObjectDebuggable.cpp: | |
23575 | (JSC::JSGlobalObjectDebuggable::connect): | |
23576 | (JSC::JSGlobalObjectDebuggable::disconnect): | |
23577 | * runtime/JSGlobalObjectDebuggable.h: | |
23578 | ||
23579 | 2015-02-14 David Kilzer <ddkilzer@apple.com> | |
23580 | ||
23581 | REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols | |
23582 | <http://webkit.org/b/141607> | |
23583 | ||
23584 | Work towards fixing the Mavericks Debug build. | |
23585 | ||
23586 | * inspector/ScriptDebugServer.h: | |
23587 | (Inspector::ScriptDebugServer::Task): Export class. | |
23588 | * inspector/agents/InspectorDebuggerAgent.h: | |
23589 | (Inspector::InspectorDebuggerAgent::Listener): Export class. | |
23590 | * runtime/JSGlobalObject.h: | |
23591 | (JSC::JSGlobalObject::setConsoleClient): Do not mark inline | |
23592 | method for export. | |
23593 | ||
23594 | 2015-02-14 Joseph Pecoraro <pecoraro@apple.com> | |
23595 | ||
23596 | Web Inspector: Symbol RemoteObject should not send sub-type | |
23597 | https://bugs.webkit.org/show_bug.cgi?id=141604 | |
23598 | ||
23599 | Reviewed by Brian Burg. | |
23600 | ||
23601 | * inspector/InjectedScriptSource.js: | |
23602 | ||
23603 | 2015-02-13 Benjamin Poulain <bpoulain@apple.com> | |
23604 | ||
23605 | Attempt to fix 32-bit build after r180098 | |
23606 | ||
23607 | * jit/JITOperations.cpp: | |
23608 | * jit/JITOperations.h: | |
23609 | I copied the attribute from the MathObject version of that function when I moved | |
23610 | it over. DFG has no version of a function call taking those attributes. | |
23611 | ||
23612 | 2015-02-13 Joseph Pecoraro <pecoraro@apple.com> | |
23613 | ||
23614 | JSContext Inspector: Do not stash console messages for non-debuggable JSContext | |
23615 | https://bugs.webkit.org/show_bug.cgi?id=141589 | |
23616 | ||
23617 | Reviewed by Timothy Hatcher. | |
23618 | ||
23619 | Consider developer extras disabled for JSContext inspection if the | |
23620 | RemoteInspector server is not enabled (typically a non-debuggable | |
23621 | process rejected by webinspectord) or if remote debugging on the | |
23622 | JSContext was explicitly disabled via SPI. | |
23623 | ||
23624 | When developer extras are disabled, console messages will not be stashed. | |
23625 | ||
23626 | * inspector/JSGlobalObjectInspectorController.cpp: | |
23627 | (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled): | |
23628 | * inspector/JSGlobalObjectInspectorController.h: | |
23629 | ||
23630 | 2015-02-13 Benjamin Poulain <bpoulain@apple.com> | |
23631 | ||
23632 | Add a DFG node for the Pow Intrinsics | |
23633 | https://bugs.webkit.org/show_bug.cgi?id=141540 | |
23634 | ||
23635 | Reviewed by Filip Pizlo. | |
23636 | ||
23637 | Add a DFG Node for PowIntrinsic. This patch covers the basic cases | |
23638 | needed to avoid a massive regression. I will iterate over the node to cover | |
23639 | the missing types. | |
23640 | ||
23641 | With this patch I get the following progressions on benchmarks: | |
23642 | - LongSpider's math-partial-sums: +5%. | |
23643 | - Kraken's imaging-darkroom: +17% | |
23644 | - AsmBench's cray.c: +6.6% | |
23645 | - CompressionBench: +2.2% globally. | |
23646 | ||
23647 | * dfg/DFGAbstractInterpreterInlines.h: | |
23648 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
23649 | Cover a couple of trivial cases: | |
23650 | - If the exponent is zero, the result is always one, regardless of the base. | |
23651 | - If both arguments are constants, compute the result at compile time. | |
23652 | ||
23653 | * dfg/DFGByteCodeParser.cpp: | |
23654 | (JSC::DFG::ByteCodeParser::handleIntrinsic): | |
23655 | * dfg/DFGClobberize.h: | |
23656 | (JSC::DFG::clobberize): | |
23657 | * dfg/DFGDoesGC.cpp: | |
23658 | (JSC::DFG::doesGC): | |
23659 | ||
23660 | * dfg/DFGFixupPhase.cpp: | |
23661 | (JSC::DFG::FixupPhase::fixupNode): | |
23662 | We only support 2 basic cases at this time: | |
23663 | - Math.pow(double, int) | |
23664 | - Math.pow(double, double). | |
23665 | ||
23666 | I'll cover Math.pow(int, int) in a follow up. | |
23667 | ||
23668 | * dfg/DFGNode.h: | |
23669 | (JSC::DFG::Node::convertToArithSqrt): | |
23670 | (JSC::DFG::Node::arithNodeFlags): | |
23671 | * dfg/DFGNodeType.h: | |
23672 | * dfg/DFGPredictionPropagationPhase.cpp: | |
23673 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
23674 | (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): | |
23675 | * dfg/DFGSafeToExecute.h: | |
23676 | (JSC::DFG::safeToExecute): | |
23677 | * dfg/DFGSpeculativeJIT.cpp: | |
23678 | (JSC::DFG::compileArithPowIntegerFastPath): | |
23679 | (JSC::DFG::SpeculativeJIT::compileArithPow): | |
23680 | * dfg/DFGSpeculativeJIT.h: | |
23681 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
23682 | (JSC::DFG::SpeculativeJIT::compile): | |
23683 | * dfg/DFGSpeculativeJIT64.cpp: | |
23684 | (JSC::DFG::SpeculativeJIT::compile): | |
23685 | * dfg/DFGStrengthReductionPhase.cpp: | |
23686 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
23687 | * dfg/DFGValidate.cpp: | |
23688 | (JSC::DFG::Validate::validate): | |
23689 | * ftl/FTLCapabilities.cpp: | |
23690 | (JSC::FTL::canCompile): | |
23691 | * ftl/FTLIntrinsicRepository.h: | |
23692 | * ftl/FTLLowerDFGToLLVM.cpp: | |
23693 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
23694 | (JSC::FTL::LowerDFGToLLVM::compileArithPow): | |
23695 | * ftl/FTLOutput.h: | |
23696 | (JSC::FTL::Output::doublePow): | |
23697 | (JSC::FTL::Output::doublePowi): | |
23698 | * jit/JITOperations.cpp: | |
23699 | * jit/JITOperations.h: | |
23700 | * runtime/MathObject.cpp: | |
23701 | (JSC::mathProtoFuncPow): | |
23702 | (JSC::isDenormal): Deleted. | |
23703 | (JSC::isEdgeCase): Deleted. | |
23704 | (JSC::mathPow): Deleted. | |
23705 | ||
23706 | * tests/stress/math-pow-basics.js: Added. | |
23707 | * tests/stress/math-pow-integer-exponent-fastpath.js: Added. | |
23708 | * tests/stress/math-pow-nan-behaviors.js: Added. | |
23709 | * tests/stress/math-pow-with-constants.js: Added. | |
23710 | Start some basic testing of Math.pow(). | |
23711 | Due to the various transforms, the values change when the code tiers up, | |
23712 | so I covered this by checking for approximate values. | |
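As an added example (my own JavaScript, not the patch's test files or JSC code), the two compile-time folds listed above and a model of the integer-exponent fast path, together with the approximate comparison the entry's tests rely on. That the fast path reduces to exponentiation by squaring is an assumption of this example, and all function names are mine.

```javascript
// Added example, not code from WebKit. It models two things the entry
// describes: the constant folding the abstract interpreter does for ArithPow
// (exponent 0 folds to 1 regardless of the base) and the integer-exponent
// fast path, assumed here to be exponentiation by squaring, compared with
// Math.pow using the tolerance-based check the stress tests need.
// Function names are this example's own, not JSC's.

// Compile-time view: each operand is either a known constant (a number) or
// unknown (undefined). Returns { folded, value }.
function foldArithPow(baseConst, exponentConst) {
  // ECMAScript: x ** 0 is 1 for every x, including NaN and Infinity,
  // so a constant-zero exponent folds even when the base is unknown.
  if (exponentConst === 0) return { folded: true, value: 1 };
  if (baseConst !== undefined && exponentConst !== undefined) {
    return { folded: true, value: Math.pow(baseConst, exponentConst) };
  }
  return { folded: false };
}

// Runtime view: Math.pow(double, int32) by repeated squaring. Negative
// exponents are handled by inverting the positive-power result.
function powi(base, exponent) {
  if (exponent !== (exponent | 0)) {
    throw new RangeError("powi: exponent must be an int32");
  }
  let n = Math.abs(exponent);
  let result = 1;
  let x = base;
  while (n > 0) {
    if (n % 2 === 1) result *= x;
    x *= x;
    n = Math.floor(n / 2);
  }
  return exponent < 0 ? 1 / result : result;
}

// Repeated squaring rounds differently from libm's pow, and one function can
// run in the interpreter, the baseline JIT, the DFG and the FTL during a single
// test, so results are compared with a relative tolerance, not exact equality.
function approxEqual(a, b, relTol) {
  if (Number.isNaN(a) && Number.isNaN(b)) return true;
  if (a === b) return true;
  return Math.abs(a - b) <= relTol * Math.max(Math.abs(a), Math.abs(b));
}

// ECMAScript results that differ from C99 pow(); any replacement
// implementation has to preserve these.
function specEdgeCases() {
  return {
    nanBaseZeroExponent: Math.pow(NaN, 0),            // 1
    oneToInfinity: Math.pow(1, Infinity),              // NaN (C99 pow returns 1)
    minusOneToMinusInfinity: Math.pow(-1, -Infinity),  // NaN
    anythingToNaN: Math.pow(2, NaN),                   // NaN
  };
}
```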
23713 | ||
23714 | 2015-02-13 Benjamin Poulain <bpoulain@apple.com> | |
23715 | ||
23716 | ArithSqrt should not be conditional on supportsFloatingPointSqrt | |
23717 | https://bugs.webkit.org/show_bug.cgi?id=141546 | |
23718 | ||
23719 | Reviewed by Geoffrey Garen and Filip Pizlo. | |
23720 | ||
23721 | Just fall back to the function call in the DFG codegen. | |
23722 | ||
23723 | * dfg/DFGByteCodeParser.cpp: | |
23724 | (JSC::DFG::ByteCodeParser::handleIntrinsic): | |
23725 | * dfg/DFGSpeculativeJIT.cpp: | |
23726 | (JSC::DFG::SpeculativeJIT::compileArithSqrt): | |
23727 | * dfg/DFGSpeculativeJIT.h: | |
23728 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
23729 | (JSC::DFG::SpeculativeJIT::compile): | |
23730 | * dfg/DFGSpeculativeJIT64.cpp: | |
23731 | (JSC::DFG::SpeculativeJIT::compile): | |
23732 | * tests/stress/math-sqrt-basics.js: Added. | |
23733 | Basic coverage. | |
23734 | ||
23735 | * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added. | |
23736 | Same tests but forcing the function call. | |
23737 | ||
23738 | 2015-02-13 Michael Saboff <msaboff@apple.com> | |
23739 | ||
23740 | REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. | |
23741 | https://bugs.webkit.org/show_bug.cgi?id=141577 | |
23742 | ||
23743 | Reviewed by Benjamin Poulain. | |
23744 | ||
23745 | Changed the prologue of the baseline JIT to check for stack space for all | |
23746 | types of code blocks. Previously, it was only checking Function. Now | |
23747 | it checks Program and Eval as well. | |
23748 | ||
23749 | * jit/JIT.cpp: | |
23750 | (JSC::JIT::privateCompile): | |
23751 | ||
23752 | 2015-02-13 Benjamin Poulain <bpoulain@apple.com> | |
23753 | ||
23754 | Generate incq instead of addq when the immediate value is one | |
23755 | https://bugs.webkit.org/show_bug.cgi?id=141548 | |
23756 | ||
23757 | Reviewed by Gavin Barraclough. | |
23758 | ||
23759 | JSC emits "addq #1 (rXX)" *a lot*. | |
23760 | This patch replaces that with incq, which is one byte shorter | |
23761 | and is the advised form. | |
23762 | ||
23763 | Sunspider: +0.47% | |
23764 | Octane: +0.28% | |
23765 | Kraken: +0.44% | |
23766 | AsmBench, CompressionBench: neutral. | |
23767 | ||
23768 | * assembler/MacroAssemblerX86_64.h: | |
23769 | (JSC::MacroAssemblerX86_64::add64): | |
23770 | * assembler/X86Assembler.h: | |
23771 | (JSC::X86Assembler::incq_m): | |
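As an added example (my own JavaScript, not WebKit's X86Assembler), a minimal encoder for the two instruction forms compared above, so the one-byte difference can be read off the emitted bytes; the register table and function names are this example's own.

```javascript
// Added example, not WebKit's X86Assembler: a minimal x86-64 encoder for the
// two forms compared in this entry, "addq $imm, (base)" and "incq (base)".
// Register numbers are the hardware encodings (rax=0 ... rdi=7, r8=8 ... r15=15).

const REG = {
  rax: 0, rcx: 1, rdx: 2, rbx: 3, rsp: 4, rbp: 5, rsi: 6, rdi: 7,
  r8: 8, r9: 9, r10: 10, r11: 11, r12: 12, r13: 13, r14: 14, r15: 15,
};

// REX prefix with W set (64-bit operand size); REX.B extends the base to r8-r15.
function rexW(base) {
  return 0x48 | (base >= 8 ? 0x01 : 0x00);
}

// ModRM (plus SIB or disp8 where the base register requires it) for a
// memory operand [base] with no displacement. regField is the opcode's /digit.
function memOperand(base, regField) {
  const rm = base & 7;
  if (rm === 4) {
    // rsp/r12: rm=100 means "SIB follows"; SIB 0x24 = no index, base taken from rm.
    return [(0b00 << 6) | (regField << 3) | 4, 0x24];
  }
  if (rm === 5) {
    // rbp/r13: mod=00 rm=101 would mean RIP-relative, so use mod=01 with disp8 = 0.
    return [(0b01 << 6) | (regField << 3) | 5, 0x00];
  }
  return [(0b00 << 6) | (regField << 3) | rm];
}

function imm32LittleEndian(imm) {
  return [0, 1, 2, 3].map((i) => (imm >>> (8 * i)) & 0xff);
}

// addq $imm, (base): REX.W 83 /0 ib when imm fits a sign-extended byte,
// otherwise REX.W 81 /0 id.
function encodeAddqImmMem(base, imm) {
  if (imm < -(2 ** 31) || imm > 2 ** 31 - 1) {
    throw new RangeError("addq immediate must fit in a sign-extended imm32");
  }
  if (imm >= -128 && imm <= 127) {
    return [rexW(base), 0x83, ...memOperand(base, 0), imm & 0xff];
  }
  return [rexW(base), 0x81, ...memOperand(base, 0), ...imm32LittleEndian(imm)];
}

// incq (base): REX.W FF /0. There is no immediate byte, hence one byte shorter
// than the 83 /0 ib form. Note that inc leaves CF untouched while add writes it,
// so the substitution is only sound where nothing downstream reads CF from it.
function encodeIncqMem(base) {
  return [rexW(base), 0xff, ...memOperand(base, 0)];
}

// The selection the patch adds to add64(imm, address): emit incq when imm is 1.
function encodeAdd64ImmMem(base, imm) {
  return imm === 1 ? encodeIncqMem(base) : encodeAddqImmMem(base, imm);
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join(" ");
}
```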
23772 | ||
23773 | 2015-02-13 Benjamin Poulain <benjamin@webkit.org> | |
23774 | ||
23775 | Little clean up of Bytecode Generator's Label | |
23776 | https://bugs.webkit.org/show_bug.cgi?id=141557 | |
23777 | ||
23778 | Reviewed by Michael Saboff. | |
23779 | ||
23780 | * bytecompiler/BytecodeGenerator.h: | |
23781 | * bytecompiler/BytecodeGenerator.cpp: | |
23782 | Label was a friend of BytecodeGenerator in order to access | |
23783 | m_instructions. There is no need for that, BytecodeGenerator | |
23784 | has a public getter. | |
23785 | ||
23786 | * bytecompiler/Label.h: | |
23787 | (JSC::Label::Label): | |
23788 | (JSC::Label::setLocation): | |
23789 | (JSC::BytecodeGenerator::newLabel): | |
23790 | Make it explicit that the generator must exist. | |
23791 | ||
23792 | 2015-02-13 Michael Saboff <msaboff@apple.com> | |
23793 | ||
23794 | Google doc spreadsheet reproducibly crashes when sorting | |
23795 | https://bugs.webkit.org/show_bug.cgi?id=141098 | |
23796 | ||
23797 | Reviewed by Oliver Hunt. | |
23798 | ||
23799 | Moved the stack check to before the callee registers are allocated in the | |
23800 | prologue() by moving it from the functionInitialization() macro. This | |
23801 | way we can check the stack before moving the stack pointer, avoiding a | |
23802 | crash during a "call" instruction. Before this change, we weren't even | |
23803 | checking the stack for program and eval execution. | |
23804 | ||
23805 | Made a couple of supporting changes. | |
23806 | ||
23807 | * llint/LLIntSlowPaths.cpp: | |
23808 | (JSC::LLInt::llint_stack_check): We can't just go up one frame as we | |
23809 | may be processing an exception to an entry frame. | |
23810 | ||
23811 | * llint/LowLevelInterpreter.asm: | |
23812 | ||
23813 | * llint/LowLevelInterpreter32_64.asm: | |
23814 | * llint/LowLevelInterpreter64.asm: | |
23815 | (llint_throw_from_slow_path_trampoline): Changed method to get the vm | |
23816 | from the code block to not use the codeBlock, since we may need to | |
23817 | continue from an exception in a native function. | |
23818 | ||
23819 | 2015-02-12 Benjamin Poulain <benjamin@webkit.org> | |
23820 | ||
23821 | Simplify the initialization of BytecodeGenerator a bit | |
23822 | https://bugs.webkit.org/show_bug.cgi?id=141505 | |
23823 | ||
23824 | Reviewed by Anders Carlsson. | |
23825 | ||
23826 | * bytecompiler/BytecodeGenerator.cpp: | |
23827 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
23828 | * bytecompiler/BytecodeGenerator.h: | |
23829 | Setup the default initialization at the declaration level | |
23830 | instead of the constructor. | |
23831 | ||
23832 | Also made m_scopeNode and m_codeType const to make it explicit | |
23833 | that they are invariant after construction. | |
23834 | ||
23835 | * parser/Nodes.cpp: | |
23836 | * runtime/Executable.cpp: | |
23837 | Remove 2 useless #includes. | |
23838 | ||
23839 | 2015-02-12 Benjamin Poulain <benjamin@webkit.org> | |
23840 | ||
23841 | Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT | |
23842 | https://bugs.webkit.org/show_bug.cgi?id=141506 | |
23843 | ||
23844 | Reviewed by Michael Saboff. | |
23845 | ||
23846 | The generators for the nodes GetScope and SkipScope were | |
23847 | completely identical between 32 and 64 bits. | |
23848 | ||
23849 | This patch moves the duplicated code to DFGSpeculativeJIT. | |
23850 | ||
23851 | * dfg/DFGSpeculativeJIT.cpp: | |
23852 | (JSC::DFG::SpeculativeJIT::compileGetScope): | |
23853 | (JSC::DFG::SpeculativeJIT::compileSkipScope): | |
23854 | * dfg/DFGSpeculativeJIT.h: | |
23855 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
23856 | (JSC::DFG::SpeculativeJIT::compile): | |
23857 | * dfg/DFGSpeculativeJIT64.cpp: | |
23858 | (JSC::DFG::SpeculativeJIT::compile): | |
23859 | ||
23860 | 2015-02-11 Brent Fulgham <bfulgham@apple.com> | |
23861 | ||
23862 | [Win] [64-bit] Work around MSVC2013 Runtime Bug | |
23863 | https://bugs.webkit.org/show_bug.cgi?id=141498 | |
23864 | <rdar://problem/19803642> | |
23865 | ||
23866 | Reviewed by Anders Carlsson. | |
23867 | ||
23868 | Disable FMA3 instruction use in the MSVC math library to | |
23869 | work around a VS2013 runtime crash. We can remove this | |
23870 | workaround when we switch to VS2015. | |
23871 | ||
23872 | * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable | |
23873 | FMA3 support. | |
23874 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files. | |
23875 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. | |
23876 | * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added. | |
23877 | * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0) | |
23878 | to disable FMA3 support. | |
23879 | * jsc.cpp: Ditto. | |
23880 | * testRegExp.cpp: Ditto. | |
23881 | ||
23882 | 2015-02-11 Filip Pizlo <fpizlo@apple.com> | |
23883 | ||
23884 | The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs | |
23885 | https://bugs.webkit.org/show_bug.cgi?id=141493 | |
23886 | ||
23887 | Reviewed by Michael Saboff. | |
23888 | ||
23889 | * dfg/DFGSpeculativeJIT.h: | |
23890 | (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted. | |
23891 | (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted. | |
23892 | (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted. | |
23893 | (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted. | |
23894 | (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted. | |
23895 | (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted. | |
23896 | (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted. | |
23897 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
23898 | (JSC::DFG::SpeculativeJIT::emitCall): | |
23899 | * dfg/DFGSpeculativeJIT64.cpp: | |
23900 | (JSC::DFG::SpeculativeJIT::emitCall): | |
23901 | * jit/AssemblyHelpers.h: | |
23902 | (JSC::AssemblyHelpers::calleeFrameSlot): | |
23903 | (JSC::AssemblyHelpers::calleeArgumentSlot): | |
23904 | (JSC::AssemblyHelpers::calleeFrameTagSlot): | |
23905 | (JSC::AssemblyHelpers::calleeFramePayloadSlot): | |
23906 | (JSC::AssemblyHelpers::calleeArgumentTagSlot): | |
23907 | (JSC::AssemblyHelpers::calleeArgumentPayloadSlot): | |
23908 | (JSC::AssemblyHelpers::calleeFrameCallerFrame): | |
23909 | ||
23910 | 2015-02-11 Filip Pizlo <fpizlo@apple.com> | |
23911 | ||
23912 | SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame | |
23913 | https://bugs.webkit.org/show_bug.cgi?id=141485 | |
23914 | ||
23915 | Reviewed by Oliver Hunt. | |
23916 | ||
23917 | The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for | |
23918 | vararg calls from inlined code, but that doesn't work since the DFG inline call frame | |
23919 | doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there | |
23920 | is really no such thing as an inlineStackOffset except when we OSR exit; while the code is | |
23921 | running the stack layout is compacted so that the stackOffset is not meaningful. | |
23922 | ||
23923 | * jit/JITCall.cpp: | |
23924 | (JSC::JIT::compileSetupVarargsFrame): | |
23925 | * jit/JITCall32_64.cpp: | |
23926 | (JSC::JIT::compileSetupVarargsFrame): | |
23927 | * jit/SetupVarargsFrame.cpp: | |
23928 | (JSC::emitSetupVarargsFrameFastCase): | |
23929 | * jit/SetupVarargsFrame.h: | |
23930 | ||
23931 | 2015-02-10 Filip Pizlo <fpizlo@apple.com> | |
23932 | ||
23933 | Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints | |
23934 | https://bugs.webkit.org/show_bug.cgi?id=141455 | |
23935 | ||
23936 | Reviewed by Mark Lam. | |
23937 | ||
23938 | The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion | |
23939 | of https://bugs.webkit.org/show_bug.cgi?id=141332. | |
23940 | ||
23941 | * CMakeLists.txt: | |
23942 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
23943 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
23944 | * bytecode/CallLinkInfo.h: | |
23945 | (JSC::CallLinkInfo::specializationKindFor): | |
23946 | (JSC::CallLinkInfo::specializationKind): | |
23947 | * ftl/FTLJSCall.cpp: | |
23948 | (JSC::FTL::JSCall::JSCall): | |
23949 | (JSC::FTL::JSCall::emit): Deleted. | |
23950 | (JSC::FTL::JSCall::link): Deleted. | |
23951 | * ftl/FTLJSCall.h: | |
23952 | * ftl/FTLJSCallBase.cpp: Added. | |
23953 | (JSC::FTL::JSCallBase::JSCallBase): | |
23954 | (JSC::FTL::JSCallBase::emit): | |
23955 | (JSC::FTL::JSCallBase::link): | |
23956 | * ftl/FTLJSCallBase.h: Added. | |
23957 | ||
23958 | 2015-02-10 Filip Pizlo <fpizlo@apple.com> | |
23959 | ||
23960 | Unreviewed, fix build. | |
23961 | ||
23962 | * jit/CCallHelpers.h: | |
23963 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
23964 | ||
23965 | 2015-02-10 Filip Pizlo <fpizlo@apple.com> | |
23966 | ||
23967 | op_call_varargs should only load the length once | |
23968 | https://bugs.webkit.org/show_bug.cgi?id=141440 | |
23969 | rdar://problem/19761683 | |
23970 | ||
23971 | Reviewed by Michael Saboff. | |
23972 | ||
23973 | Refactors the pair of calls that set up the varargs frame so that the first call returns the | |
23974 | length, and the second call uses the length returned by the first one. It turns out that this | |
23975 | gave me an opportunity to shorten a lot of the code. | |
23976 | ||
23977 | * interpreter/Interpreter.cpp: | |
23978 | (JSC::sizeFrameForVarargs): | |
23979 | (JSC::loadVarargs): | |
23980 | (JSC::setupVarargsFrame): | |
23981 | (JSC::setupVarargsFrameAndSetThis): | |
23982 | * interpreter/Interpreter.h: | |
23983 | (JSC::calleeFrameForVarargs): | |
23984 | * jit/CCallHelpers.h: | |
23985 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
23986 | * jit/JIT.h: | |
23987 | * jit/JITCall.cpp: | |
23988 | (JSC::JIT::compileSetupVarargsFrame): | |
23989 | * jit/JITCall32_64.cpp: | |
23990 | (JSC::JIT::compileSetupVarargsFrame): | |
23991 | * jit/JITInlines.h: | |
23992 | (JSC::JIT::callOperation): | |
23993 | * jit/JITOperations.cpp: | |
23994 | * jit/JITOperations.h: | |
23995 | * jit/SetupVarargsFrame.cpp: | |
23996 | (JSC::emitSetVarargsFrame): | |
23997 | (JSC::emitSetupVarargsFrameFastCase): | |
23998 | * jit/SetupVarargsFrame.h: | |
23999 | * llint/LLIntSlowPaths.cpp: | |
24000 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
24001 | * runtime/Arguments.cpp: | |
24002 | (JSC::Arguments::copyToArguments): | |
24003 | * runtime/Arguments.h: | |
24004 | * runtime/JSArray.cpp: | |
24005 | (JSC::JSArray::copyToArguments): | |
24006 | * runtime/JSArray.h: | |
24007 | * runtime/VM.h: | |
24008 | * tests/stress/call-varargs-length-effects.js: Added. | |
24009 | (foo): | |
24010 | (bar): | |
24011 | ||
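The hazard behind the entry above (the frame is sized from one read of length and filled from a second read, so a length that changes in between lets the copy run past the argument area) is easy to reproduce in isolation. The following is an added example, not JavaScriptCore code: `SideEffectingArgs`, `VarargsFrame`, `copyArguments` and the two `setupVarargsFrame*` functions are constructed stand-ins, with a bounds-checked vector in place of the machine stack so the overflow is reported instead of corrupting memory. The fixed shape mirrors the refactoring described, in which the sizing call returns the length and the loading call consumes that value.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for a JavaScript arguments-like object whose
// "length" property has a side effect: every read appends one element,
// the way a getter or Proxy trap could grow the object between reads.
struct SideEffectingArgs {
    std::vector<int64_t> values;
    size_t lengthReads = 0;

    size_t length() {
        ++lengthReads;
        values.push_back(static_cast<int64_t>(values.size()));
        return values.size();
    }
};

// Stand-in for the callee frame: an argument area sized once, plus the
// argument count that would be stored in the frame header.
struct VarargsFrame {
    std::vector<int64_t> argumentSlots;
    size_t argumentCount = 0;
};

// Copies src[0..count) into the frame. Returns false instead of writing past
// the end of the argument area; in a real JIT that write lands on the stack.
static bool copyArguments(const std::vector<int64_t>& src, size_t count, VarargsFrame& frame) {
    if (count > frame.argumentSlots.size())
        return false;
    for (size_t i = 0; i < count; ++i)
        frame.argumentSlots[i] = src[i];
    frame.argumentCount = count;
    return true;
}

// Buggy shape: sizing and loading each read length. If length grew in
// between, the frame was sized for fewer arguments than get copied.
bool setupVarargsFrameTwoReads(SideEffectingArgs& args, VarargsFrame& frame) {
    size_t sizedFor = args.length();   // first read, used only for sizing
    frame.argumentSlots.assign(sizedFor, 0);
    size_t toCopy = args.length();     // second read, used for copying
    return copyArguments(args.values, toCopy, frame);
}

// Fixed shape: the sizing step returns the length it observed and the
// loading step is handed that value instead of re-reading it.
static size_t sizeFrameForVarargs(SideEffectingArgs& args, VarargsFrame& frame) {
    size_t length = args.length();
    frame.argumentSlots.assign(length, 0);
    return length;
}

static bool loadVarargs(const SideEffectingArgs& args, size_t length, VarargsFrame& frame) {
    return copyArguments(args.values, length, frame);
}

bool setupVarargsFrameOneRead(SideEffectingArgs& args, VarargsFrame& frame) {
    size_t length = sizeFrameForVarargs(args, frame);
    return loadVarargs(args, length, frame);
}
```

Run both setups against a fresh `SideEffectingArgs`: the two-read version sizes for one argument, observes two on the second read and is refused by the bounds check; the one-read version reads length exactly once and copies the same count it sized for.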
24012 | 2015-02-10 Michael Saboff <msaboff@apple.com> | |
24013 | ||
24014 | Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq | |
24015 | https://bugs.webkit.org/show_bug.cgi?id=139398 | |
24016 | ||
24017 | Reviewed by Filip Pizlo. | |
24018 | ||
24019 | Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later | |
24020 | was determined to be reachable. When we go to lower to LLVM, the edges for the CompareStrictEq | |
24021 | node are UntypedUse which we can't compile. Fixed this by checking that the IR before | |
24022 | lowering can still be handled by the FTL. | |
24023 | ||
24024 | Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts | |
24025 | a SetArgument to a GetArgument. Before this change FTL::canCompile() would never see a GetArgument | |
24026 | node. With the check right before lowering, we see this node. | |
24027 | ||
24028 | * dfg/DFGPlan.cpp: | |
24029 | (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering | |
24030 | to verify that after all the transformations we still have valid IR for the FTL. | |
24031 | * ftl/FTLCapabilities.cpp: | |
24032 | (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile. | |
24033 | ||
24034 | 2015-02-10 Filip Pizlo <fpizlo@apple.com> | |
24035 | ||
24036 | Remove unused DFG::SpeculativeJIT::calleeFrameOffset(). | |
24037 | ||
24038 | Rubber stamped by Michael Saboff. | |
24039 | ||
24040 | Not only was this not used, I believe that the math was wrong. The callee frame doesn't | |
24041 | actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and | |
24042 | that decision is made elsewhere. Also, it makes no sense to subtract 1 from | |
24043 | m_nextMachineLocal when trying to deduce the number of in-use stack slots. | |
24044 | ||
24045 | * dfg/DFGSpeculativeJIT.h: | |
24046 | (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted. | |
24047 | ||
24048 | 2015-02-10 Saam Barati <saambarati1@gmail.com> | |
24049 | ||
24050 | Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier | |
24051 | https://bugs.webkit.org/show_bug.cgi?id=141272 | |
24052 | ||
24053 | Reviewed by Oliver Hunt. | |
24054 | ||
24055 | This patch fixes a bug where the wrong text location would be | |
24056 | assigned to a variable declaration inside a ForIn/ForOf loop. | |
24057 | It also fixes a bug in the type profiler where the type profiler | |
24058 | emits the wrong text offset for a ForIn loop's variable declarator | |
24059 | when it's not a pattern node. | |
24060 | ||
24061 | * bytecompiler/NodesCodegen.cpp: | |
24062 | (JSC::ForInNode::emitLoopHeader): | |
24063 | * parser/Parser.cpp: | |
24064 | (JSC::Parser<LexerType>::parseVarDeclarationList): | |
24065 | * tests/typeProfiler/loop.js: | |
24066 | (testForIn): | |
24067 | (testForOf): | |
24068 | ||
24069 | 2015-02-09 Saam Barati <saambarati1@gmail.com> | |
24070 | ||
24071 | JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops | |
24072 | https://bugs.webkit.org/show_bug.cgi?id=141241 | |
24073 | ||
24074 | Reviewed by Filip Pizlo. | |
24075 | ||
24076 | Type information is now recorded for ForIn and ForOf statements. | |
24077 | It was an oversight to not have these statements profiled before. | |
24078 | ||
24079 | * bytecompiler/NodesCodegen.cpp: | |
24080 | (JSC::ForInNode::emitLoopHeader): | |
24081 | (JSC::ForOfNode::emitBytecode): | |
24082 | * tests/typeProfiler/loop.js: Added. | |
24083 | (testForIn): | |
24084 | (testForOf): | |
24085 | ||
24086 | 2015-02-09 Filip Pizlo <fpizlo@apple.com> | |
24087 | ||
24088 | DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid | |
24089 | https://bugs.webkit.org/show_bug.cgi?id=141412 | |
24090 | ||
24091 | Reviewed by Michael Saboff. | |
24092 | ||
24093 | StackLayoutPhase was attempting to ensure that the register that | |
24094 | CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing | |
24095 | else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can | |
24096 | tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark | |
24097 | it as being live. So, by the time we got here the register referred to by | |
24098 | CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was | |
24099 | not used for DFG code blocks, and was hardly ever used outside of bytecode generation. | |
24100 | ||
24101 | So, this patch just removes the code to manipulate this field and replaces it with an | |
24102 | unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register | |
24103 | ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately | |
24104 | punts. | |
24105 | ||
24106 | * dfg/DFGStackLayoutPhase.cpp: | |
24107 | (JSC::DFG::StackLayoutPhase::run): | |
24108 | ||
24109 | 2015-02-09 Filip Pizlo <fpizlo@apple.com> | |
24110 | ||
24111 | Varargs frame set-up should be factored out for use by other JITs | |
24112 | https://bugs.webkit.org/show_bug.cgi?id=141388 | |
24113 | ||
24114 | Reviewed by Michael Saboff. | |
24115 | ||
24116 | Previously the code that dealt with varargs always assumed that we were setting up a varargs call | |
24117 | frame by literally following the execution semantics of op_call_varargs. This isn't how it'll | |
24118 | happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL | |
24119 | don't literally execute bytecode; for example their stack frame layout has absolutely nothing in | |
24120 | common with what the bytecode says, and that will never change. | |
24121 | ||
24122 | This patch makes two changes: | |
24123 | ||
24124 | Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a | |
24125 | varargs call that gets inlined, we aren't going to actually want to set up a callee frame in | |
24126 | full - we just want to put the arguments somewhere, and that place will not have much (if | |
24127 | anything) in common with the call frame format. This patch factors that out into something called | |
24128 | a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch | |
24129 | also separates loading varargs from setting this, since the fact that those two things are done | |
24130 | together is a detail made explicit in bytecode but it's not at all required in the higher-tier | |
24131 | engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the | |
24132 | various calculations. I fixed them. The distance from the caller's frame pointer to the callee | |
24133 | frame pointer is always: | |
24134 | ||
24135 | numUsedCallerSlots + argCount + 1 + CallFrameSize | |
24136 | ||
24137 | where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just | |
24138 | -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister, | |
24139 | since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the | |
24140 | internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots. | |
24141 | In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP. | |
24142 | Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter | |
24143 | very much. | |
24144 | ||
24145 | The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will | |
24146 | want to do this optimization as well, but it involves quite a bit of code. So, this code is now | |
24147 | factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring | |
24148 | this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them. | |
24149 | ||
24150 | * CMakeLists.txt: | |
24151 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
24152 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
24153 | * bytecode/CodeBlock.h: | |
24154 | (JSC::ExecState::r): | |
24155 | (JSC::ExecState::uncheckedR): | |
24156 | * bytecode/VirtualRegister.h: | |
24157 | (JSC::VirtualRegister::operator+): | |
24158 | (JSC::VirtualRegister::operator-): | |
24159 | (JSC::VirtualRegister::operator+=): | |
24160 | (JSC::VirtualRegister::operator-=): | |
24161 | * interpreter/CallFrame.h: | |
24162 | * interpreter/Interpreter.cpp: | |
24163 | (JSC::sizeFrameForVarargs): | |
24164 | (JSC::loadVarargs): | |
24165 | (JSC::setupVarargsFrame): | |
24166 | (JSC::setupVarargsFrameAndSetThis): | |
24167 | * interpreter/Interpreter.h: | |
24168 | * jit/AssemblyHelpers.h: | |
24169 | (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr): | |
24170 | (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32): | |
24171 | (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64): | |
24172 | * jit/JIT.h: | |
24173 | * jit/JITCall.cpp: | |
24174 | (JSC::JIT::compileSetupVarargsFrame): | |
24175 | * jit/JITCall32_64.cpp: | |
24176 | (JSC::JIT::compileSetupVarargsFrame): | |
24177 | * jit/JITInlines.h: | |
24178 | (JSC::JIT::callOperation): | |
24179 | (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted. | |
24180 | (JSC::JIT::emitGetFromCallFrameHeader32): Deleted. | |
24181 | (JSC::JIT::emitGetFromCallFrameHeader64): Deleted. | |
24182 | * jit/JITOperations.cpp: | |
24183 | * jit/JITOperations.h: | |
24184 | * jit/SetupVarargsFrame.cpp: Added. | |
24185 | (JSC::emitSetupVarargsFrameFastCase): | |
24186 | * jit/SetupVarargsFrame.h: Added. | |
24187 | * llint/LLIntSlowPaths.cpp: | |
24188 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
24189 | * runtime/Arguments.cpp: | |
24190 | (JSC::Arguments::copyToArguments): | |
24191 | * runtime/Arguments.h: | |
24192 | * runtime/JSArray.cpp: | |
24193 | (JSC::JSArray::copyToArguments): | |
24194 | * runtime/JSArray.h: | |
24195 | ||
24196 | 2015-02-09 Filip Pizlo <fpizlo@apple.com> | |
24197 | ||
24198 | DFG call codegen should resolve the callee operand as late as possible | |
24199 | https://bugs.webkit.org/show_bug.cgi?id=141398 | |
24200 | ||
24201 | Reviewed by Mark Lam. | |
24202 | ||
24203 | This is mostly a benign restructuring to help with the implementation of | |
24204 | https://bugs.webkit.org/show_bug.cgi?id=141332. | |
24205 | ||
24206 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
24207 | (JSC::DFG::SpeculativeJIT::emitCall): | |
24208 | * dfg/DFGSpeculativeJIT64.cpp: | |
24209 | (JSC::DFG::SpeculativeJIT::emitCall): | |
24210 | ||
24211 | 2015-02-08 Filip Pizlo <fpizlo@apple.com> | |
24212 | ||
24213 | DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three | |
24214 | https://bugs.webkit.org/show_bug.cgi?id=141369 | |
24215 | ||
24216 | Reviewed by Michael Saboff. | |
24217 | ||
24218 | We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe | |
24219 | effectfulness. Starting over a year ago, we introduced a more powerful mechanism - the | |
24220 | DFG::clobberize() function. Now we only have one remaining client of the old NodeFlags, | |
24221 | and everyone else uses DFG::clobberize(). We should get rid of those NodeFlags and | |
24222 | finally switch everyone over to DFG::clobberize(). | |
24223 | ||
24224 | Unfortunately there is still another place where effectfulness of nodes is described: the | |
24225 | AbstractInterpreter. This is because the AbstractInterpreter has special tuning both for | |
24226 | compile time performance and there are places where the AI is more precise than | |
24227 | clobberize() because of its flow-sensitivity. | |
24228 | ||
24229 | This means that after this change there will be only two places, rather than three, where | |
24230 | the effectfulness of a node has to be described: | |
24231 | ||
24232 | - DFG::clobberize() | |
24233 | - DFG::AbstractInterpreter | |
24234 | ||
24235 | * dfg/DFGClobberize.cpp: | |
24236 | (JSC::DFG::clobbersWorld): | |
24237 | * dfg/DFGClobberize.h: | |
24238 | * dfg/DFGDoesGC.cpp: | |
24239 | (JSC::DFG::doesGC): | |
24240 | * dfg/DFGFixupPhase.cpp: | |
24241 | (JSC::DFG::FixupPhase::fixupNode): | |
24242 | (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength): | |
24243 | (JSC::DFG::FixupPhase::convertToGetArrayLength): | |
24244 | (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset): | |
24245 | * dfg/DFGGraph.h: | |
24246 | (JSC::DFG::Graph::isPredictedNumerical): Deleted. | |
24247 | (JSC::DFG::Graph::byValIsPure): Deleted. | |
24248 | (JSC::DFG::Graph::clobbersWorld): Deleted. | |
24249 | * dfg/DFGNode.h: | |
24250 | (JSC::DFG::Node::convertToConstant): | |
24251 | (JSC::DFG::Node::convertToGetLocalUnlinked): | |
24252 | (JSC::DFG::Node::convertToGetByOffset): | |
24253 | (JSC::DFG::Node::convertToMultiGetByOffset): | |
24254 | (JSC::DFG::Node::convertToPutByOffset): | |
24255 | (JSC::DFG::Node::convertToMultiPutByOffset): | |
24256 | * dfg/DFGNodeFlags.cpp: | |
24257 | (JSC::DFG::dumpNodeFlags): | |
24258 | * dfg/DFGNodeFlags.h: | |
24259 | * dfg/DFGNodeType.h: | |
24260 | ||
24261 | 2015-02-09 Csaba Osztrogonác <ossy@webkit.org> | |
24262 | ||
24263 | Fix the !ENABLE(DFG_JIT) build | |
24264 | https://bugs.webkit.org/show_bug.cgi?id=141387 | |
24265 | ||
24266 | Reviewed by Darin Adler. | |
24267 | ||
24268 | * jit/Repatch.cpp: | |
24269 | ||
24270 | 2015-02-08 Benjamin Poulain <benjamin@webkit.org> | |
24271 | ||
24272 | Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase | |
24273 | https://bugs.webkit.org/show_bug.cgi?id=141363 | |
24274 | ||
24275 | Reviewed by Darin Adler. | |
24276 | ||
24277 | * dfg/DFGPredictionPropagationPhase.cpp: | |
24278 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
24279 | Some blocks were duplicated, they probably evolved separately | |
24280 | to the same state. | |
24281 | ||
24282 | 2015-02-08 Benjamin Poulain <benjamin@webkit.org> | |
24283 | ||
24284 | Remove useless declarations and a stale comment from DFGByteCodeParser.h | |
24285 | https://bugs.webkit.org/show_bug.cgi?id=141361 | |
24286 | ||
24287 | Reviewed by Darin Adler. | |
24288 | ||
24289 | The comment refers to the original form of the ByteCodeParser: | |
24290 | parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex); | |
24291 | ||
24292 | That form is long dead, the comment is more misleading than anything. | |
24293 | ||
24294 | * dfg/DFGByteCodeParser.cpp: | |
24295 | * dfg/DFGByteCodeParser.h: | |
24296 | ||
24297 | 2015-02-08 Benjamin Poulain <benjamin@webkit.org> | |
24298 | ||
24299 | Encapsulate DFG::Plan's beforeFTL timestamp | |
24300 | https://bugs.webkit.org/show_bug.cgi?id=141360 | |
24301 | ||
24302 | Reviewed by Darin Adler. | |
24303 | ||
24304 | Make the attribute private, it is an internal state. | |
24305 | ||
24306 | Rename beforeFTL->timeBeforeFTL for readability. | |
24307 | ||
24308 | * dfg/DFGPlan.cpp: | |
24309 | (JSC::DFG::Plan::compileInThread): | |
24310 | (JSC::DFG::Plan::compileInThreadImpl): | |
24311 | * dfg/DFGPlan.h: | |
24312 | ||
24313 | 2015-02-08 Benjamin Poulain <bpoulain@apple.com> | |
24314 | ||
24315 | Remove DFGNode::hasArithNodeFlags() | |
24316 | https://bugs.webkit.org/show_bug.cgi?id=141319 | |
24317 | ||
24318 | Reviewed by Michael Saboff. | |
24319 | ||
24320 | * dfg/DFGNode.h: | |
24321 | (JSC::DFG::Node::hasArithNodeFlags): Deleted. | |
24322 | Unused code is unused. | |
24323 | ||
24324 | 2015-02-07 Chris Dumez <cdumez@apple.com> | |
24325 | ||
24326 | Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions | |
24327 | https://bugs.webkit.org/show_bug.cgi?id=141321 | |
24328 | ||
24329 | Reviewed by Darin Adler. | |
24330 | ||
24331 | Use new Vector::removeFirstMatching() / removeAllMatching() methods. | |
24332 | ||
24333 | 2015-02-06 Filip Pizlo <fpizlo@apple.com> | |
24334 | ||
24335 | DFG SSA shouldn't have SetArgument nodes | |
24336 | https://bugs.webkit.org/show_bug.cgi?id=141342 | |
24337 | ||
24338 | Reviewed by Mark Lam. | |
24339 | ||
24340 | I was wondering why we kept the SetArgument around for captured | |
24341 | variables. It turns out we did so because we thought we had to, even | |
24342 | though we didn't have to. The node is meaningless in SSA. | |
24343 | ||
24344 | * dfg/DFGSSAConversionPhase.cpp: | |
24345 | (JSC::DFG::SSAConversionPhase::run): | |
24346 | * ftl/FTLLowerDFGToLLVM.cpp: | |
24347 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
24348 | ||
24349 | 2015-02-06 Filip Pizlo <fpizlo@apple.com> | |
24350 | ||
24351 | It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band | |
24352 | https://bugs.webkit.org/show_bug.cgi?id=141337 | |
24353 | ||
24354 | Reviewed by Mark Lam. | |
24355 | ||
24356 | This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that | |
24357 | are associated with the prologue. | |
24358 | ||
24359 | * dfg/DFGCPSRethreadingPhase.cpp: | |
24360 | (JSC::DFG::CPSRethreadingPhase::run): | |
24361 | (JSC::DFG::CPSRethreadingPhase::canonicalizeSet): | |
24362 | (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): | |
24363 | (JSC::DFG::CPSRethreadingPhase::specialCaseArguments): | |
24364 | (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted. | |
24365 | (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted. | |
24366 | ||
24367 | 2015-02-06 Mark Lam <mark.lam@apple.com> | |
24368 | ||
24369 | MachineThreads should be ref counted. | |
24370 | <https://webkit.org/b/141317> | |
24371 | ||
24372 | Reviewed by Filip Pizlo. | |
24373 | ||
24374 | The VM's MachineThreads registry object is being referenced from other | |
24375 | threads as a raw pointer. In a scenario where the VM is destructed on | |
24376 | the main thread, there is no guarantee that another thread isn't still | |
24377 | holding a reference to the registry and will eventually invoke | |
24378 | removeThread() on it on thread exit. Hence, there's a possible use | |
24379 | after free scenario here. | |
24380 | ||
24381 | The fix is to make MachineThreads ThreadSafeRefCounted, and have all | |
24382 | threads that reference it keep a RefPtr to it to ensure that it stays | |
24383 | alive until the very last thread is done with it. | |
24384 | ||
24385 | * API/tests/testapi.mm: | |
24386 | (useVMFromOtherThread): - Renamed to be more descriptive. | |
24387 | (useVMFromOtherThreadAndOutliveVM): | |
24388 | - Added a test that has another thread which uses the VM outlive the | |
24389 | VM to confirm that there is no crash. | |
24390 | ||
24391 | However, I was not actually able to get the VM to crash without this | |
24392 | patch because I wasn't always able to get the thread destructor to be | |
24393 | called. With this patch applied, I did verify with some logging that | |
24394 | the MachineThreads registry is only destructed after all threads | |
24395 | have removed themselves from it. | |
24396 | ||
24397 | (threadMain): Deleted. | |
24398 | ||
24399 | * heap/Heap.cpp: | |
24400 | (JSC::Heap::Heap): | |
24401 | (JSC::Heap::~Heap): | |
24402 | (JSC::Heap::gatherStackRoots): | |
24403 | * heap/Heap.h: | |
24404 | (JSC::Heap::machineThreads): | |
24405 | * heap/MachineStackMarker.cpp: | |
24406 | (JSC::MachineThreads::Thread::Thread): | |
24407 | (JSC::MachineThreads::addCurrentThread): | |
24408 | (JSC::MachineThreads::removeCurrentThread): | |
24409 | * heap/MachineStackMarker.h: | |
24410 | ||
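The lifetime problem described in the entry above can be replayed deterministically without real threads. The following is an added example, not JavaScriptCore code: `ThreadRegistry`, `VM`, `ThreadRecord` and `replayThreadOutlivesVM` are constructed stand-ins for MachineThreads, the Heap that owns it, the per-thread record whose destructor calls removeThread(), and the interleaving "thread registers, VM is destroyed, thread exits". `std::shared_ptr` plays the role of ThreadSafeRefCounted plus RefPtr. On the raw-pointer path the dereference of the freed registry is detected and reported rather than executed, so the example stays well defined.

```cpp
#include <memory>

// Constructed stand-in for the per-VM thread registry. It counts registered
// threads and notes whether it was destroyed while a thread was still
// registered, which is the precondition for the use-after-free.
struct ThreadRegistry {
    int registeredThreads = 0;
    static int liveRegistries;
    static bool destroyedWhileInUse;

    ThreadRegistry() { ++liveRegistries; }
    ~ThreadRegistry() {
        if (registeredThreads != 0)
            destroyedWhileInUse = true;
        --liveRegistries;
    }
    void addCurrentThread() { ++registeredThreads; }
    void removeCurrentThread() { --registeredThreads; }
};
int ThreadRegistry::liveRegistries = 0;
bool ThreadRegistry::destroyedWhileInUse = false;

// Stand-in for the VM/Heap, originally the registry's sole owner.
struct VM {
    std::shared_ptr<ThreadRegistry> registry = std::make_shared<ThreadRegistry>();
};

// Stand-in for the per-thread record that unregisters the thread at exit.
// With keepsRef it holds its own reference (the RefPtr fix); otherwise it
// holds only the raw pointer the original code used.
struct ThreadRecord {
    ThreadRegistry* raw;
    std::shared_ptr<ThreadRegistry> ref;

    ThreadRecord(const std::shared_ptr<ThreadRegistry>& registry, bool keepsRef)
        : raw(registry.get()), ref(keepsRef ? registry : nullptr) {
        raw->addCurrentThread();
    }

    // Returns true if exiting would have touched a freed registry.
    bool exitThread() {
        if (ref) {
            ref->removeCurrentThread();  // safe: our reference keeps it alive
            ref.reset();                 // the last reference frees it, after removal
            return false;
        }
        // Raw-pointer path: if the registry is already gone, the original code
        // would dereference freed memory here. Deliberately skipped and reported.
        if (ThreadRegistry::liveRegistries == 0)
            return true;
        raw->removeCurrentThread();
        return false;
    }
};

struct Outcome {
    bool registryOutlivedVM;      // a thread's reference kept the registry alive
    bool destroyedWhileInUse;     // registry freed with a thread still registered
    bool exitTouchedFreedMemory;  // thread exit would have been a use-after-free
};

// Replays the interleaving from the ChangeLog in a fixed order: a thread
// registers, the VM is destroyed on the main thread, then the thread exits.
Outcome replayThreadOutlivesVM(bool threadKeepsRef) {
    ThreadRegistry::destroyedWhileInUse = false;
    std::unique_ptr<VM> vm(new VM);
    ThreadRecord worker(vm->registry, threadKeepsRef);
    vm.reset();                                     // VM torn down while worker is alive
    bool outlived = ThreadRegistry::liveRegistries == 1;
    bool uaf = worker.exitThread();                 // worker exits afterwards
    return { outlived, ThreadRegistry::destroyedWhileInUse, uaf };
}
```

With the reference held, the registry survives the VM and is freed only after the thread has removed itself; with the raw pointer, the registry is freed with the thread still registered and the exit path would have dereferenced it.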
24411 | 2015-02-06 Commit Queue <commit-queue@webkit.org> | |
24412 | ||
24413 | Unreviewed, rolling out r179743. | |
24414 | https://bugs.webkit.org/show_bug.cgi?id=141335 | |
24415 | ||
24416 | caused missing symbols in non-WebKit clients of WTF::Vector | |
24417 | (Requested by kling on #webkit). | |
24418 | ||
24419 | Reverted changeset: | |
24420 | ||
24421 | "Remove WTF::fastMallocGoodSize()." | |
24422 | https://bugs.webkit.org/show_bug.cgi?id=141020 | |
24423 | http://trac.webkit.org/changeset/179743 | |
24424 | ||
24425 | 2015-02-04 Filip Pizlo <fpizlo@apple.com> | |
24426 | ||
24427 | Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers | |
24428 | https://bugs.webkit.org/show_bug.cgi?id=141211 | |
24429 | ||
24430 | Reviewed by Mark Lam. | |
24431 | ||
24432 | Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime | |
24433 | we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It | |
24434 | would raise the refcount on the last (highest-numbered) variable created, and rely on | |
24435 | the fact that register reclamation started at higher-numbered registers and worked its | |
24436 | way down. So any retained register would block any lower-numbered registers from being | |
24437 | reclaimed. | |
24438 | ||
24439 | Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused. | |
24440 | ||
24441 | This removes preserveLastVar() and makes addVar() retain each register it creates. This | |
24442 | is more explicit, since addVar() is the mechanism for creating non-temporary registers. | |
24443 | ||
24444 | To make this work I had to remove an assertion that Register::setIndex() can only be | |
24445 | called when the refcount is zero. This method might be called after a var is created to | |
24446 | change its index. This previously worked because preserveLastVar() would be called after | |
24447 | we had already made all index changes, so the vars would still have refcount zero. Now | |
24448 | they have refcount 1. I think it's OK to lose this assertion; I can't remember this | |
24449 | assertion ever firing in a way that alerted me to a serious issue. | |
24450 | ||
24451 | * bytecompiler/BytecodeGenerator.cpp: | |
24452 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
24453 | (JSC::BytecodeGenerator::preserveLastVar): Deleted. | |
24454 | * bytecompiler/BytecodeGenerator.h: | |
24455 | (JSC::BytecodeGenerator::addVar): | |
24456 | * bytecompiler/RegisterID.h: | |
24457 | (JSC::RegisterID::setIndex): | |
24458 | ||
24459 | 2015-02-06 Andreas Kling <akling@apple.com> | |
24460 | ||
24461 | Remove WTF::fastMallocGoodSize(). | |
24462 | <https://webkit.org/b/141020> | |
24463 | ||
24464 | Reviewed by Anders Carlsson. | |
24465 | ||
24466 | * assembler/AssemblerBuffer.h: | |
24467 | (JSC::AssemblerData::AssemblerData): | |
24468 | (JSC::AssemblerData::grow): | |
24469 | ||
24470 | 2015-02-05 Michael Saboff <msaboff@apple.com> | |
24471 | ||
24472 | CodeCache is not thread safe when adding the same source from two different threads | |
24473 | https://bugs.webkit.org/show_bug.cgi?id=141275 | |
24474 | ||
24475 | Reviewed by Mark Lam. | |
24476 | ||
24477 | The issue for this bug is that one thread, takes a cache miss in CodeCache::getGlobalCodeBlock, | |
24478 | but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it | |
24479 | will fill in later in the function. During the body of that function, it allocates | |
24480 | objects that may garbage collect. During that garbage collection, we drop all the locks. | |
24481 | While the locks are released by the first thread, another thread can enter the VM and might | |
24482 | have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself. When it | |
24483 | looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType* | |
24484 | and crashes. This fixes the problem by not dropping the locks during garbage collection. | |
24485 | There are other likely scenarios where we have a data structure like this code cache in an | |
24486 | unsafe state for arbitrary reentrance. | |
24487 | ||
24488 | Moved the functionality of DelayedReleaseScope directly into Heap. Changed it into | |
24489 | a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects. | |
24490 | Now we accumulate objects to be released and release them when all locks are dropped or | |
24491 | when destroying the Heap. This eliminated the dropping and reacquiring of locks associated | |
24492 | with the old scope form of this list. | |
24493 | ||
24494 | Given that all functionality of DelayedReleaseScope is now used and referenced by Heap | |
24495 | and the lock management no longer needs to be done, just made the list a member of Heap. | |
24496 | We do need to guard against the case that releasing an object can create more objects | |
24497 | by calling into JS. That is why releaseDelayedReleasedObjects() is written to remove | |
24498 | an object to release so that we aren't recursively in Vector code. The other thing we | |
24499 | do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using | |
24500 | the m_delayedReleaseRecursionCount. We only release at the first entry into the function. | |
24501 | This case is already tested by testapi.mm. | |
24502 | ||
24503 | * heap/DelayedReleaseScope.h: Removed file | |
24504 | ||
24505 | * API/JSAPIWrapperObject.mm: | |
24506 | * API/ObjCCallbackFunction.mm: | |
24507 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
24508 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
24509 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
24510 | * heap/IncrementalSweeper.cpp: | |
24511 | (JSC::IncrementalSweeper::doSweep): | |
24512 | * heap/MarkedAllocator.cpp: | |
24513 | (JSC::MarkedAllocator::tryAllocateHelper): | |
24514 | (JSC::MarkedAllocator::tryAllocate): | |
24515 | * heap/MarkedBlock.cpp: | |
24516 | (JSC::MarkedBlock::sweep): | |
24517 | * heap/MarkedSpace.cpp: | |
24518 | (JSC::MarkedSpace::MarkedSpace): | |
24519 | (JSC::MarkedSpace::lastChanceToFinalize): | |
24520 | (JSC::MarkedSpace::didFinishIterating): | |
24521 | * heap/MarkedSpace.h: | |
24522 | * heap/Heap.cpp: | |
24523 | (JSC::Heap::collectAllGarbage): | |
24524 | (JSC::Heap::zombifyDeadObjects): | |
24525 | Removed references to DelayedReleaseScope and DelayedReleaseScope.h. | |
24526 | ||
24527 | * heap/Heap.cpp: | |
24528 | (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount. | |
24529 | (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away. | |
24530 | (JSC::Heap::releaseDelayedReleasedObjects): New function that releases the accumulated | |
24531 | delayed release objects. | |
24532 | ||
24533 | * heap/Heap.h: | |
24534 | (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later. | |
24535 | (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that | |
24536 | releaseDelayedReleasedObjects is being called recursively. | |
24537 | * heap/HeapInlines.h: | |
24538 | (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects. | |
24539 | ||
24540 | * runtime/JSLock.cpp: | |
24541 | (JSC::JSLock::willReleaseLock): | |
24542 | Call Heap::releaseDelayedObjectsNow() when releasing the lock. | |
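
An added C model (not WebKit's code; all names are hypothetical) of the Heap-owned delayed-release list described in the entry above. It shows the two guards the entry mentions: the object is taken off the list before its release callback runs, and a recursion count stops a nested call from draining the list; the re-entering callback is constructed to mimic a destructor that calls back into JS.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_DELAYED 32

typedef struct Heap Heap;
typedef void (*ReleaseFn)(Heap *heap, int id);

/* Constructed stand-in for the Heap and its delayed-release Vector. */
struct Heap {
    int delayed[MAX_DELAYED];      /* ids queued by releaseSoon() */
    size_t delayedCount;
    unsigned recursionCount;       /* analogue of m_delayedReleaseRecursionCount */
    ReleaseFn release;             /* release callback; it may call back into the heap */
    int released[MAX_DELAYED];     /* order in which objects were actually released */
    size_t releasedCount;
};

static Heap g_heap;                /* constructed global so probes need no arguments */

static void releaseSoon(Heap *h, int id)
{
    if (h->delayedCount < MAX_DELAYED)
        h->delayed[h->delayedCount++] = id;
}

static void releaseDelayedReleasedObjects(Heap *h)
{
    /* Only the outermost entry drains the list. A nested entry (the release
     * callback re-entering, as JS code could) returns at once and leaves
     * whatever it queued for the outer loop to pick up. */
    if (h->recursionCount > 0)
        return;
    h->recursionCount++;
    while (h->delayedCount > 0) {
        /* Remove the object from the list *before* releasing it, so the
         * callback never runs while we are inside the list's own code. */
        int id = h->delayed[--h->delayedCount];
        h->release(h, id);
    }
    h->recursionCount--;
}

/* Constructed callback: releasing object 1 queues object 99 and re-enters,
 * mimicking a destructor that calls into JS and creates more objects. */
static void recordingRelease(Heap *h, int id)
{
    h->released[h->releasedCount++] = id;
    if (id == 1) {
        releaseSoon(h, 99);
        releaseDelayedReleasedObjects(h);  /* nested call: must not drain */
    }
}

/* Queues objects 1 and 2, drains, and returns how many were released.
 * Expected: 3 (2, then 1, then the 99 queued during 1's release). */
static size_t runDelayedReleaseScenario(void)
{
    Heap *h = &g_heap;
    h->delayedCount = 0; h->recursionCount = 0; h->releasedCount = 0;
    h->release = recordingRelease;
    releaseSoon(h, 1);
    releaseSoon(h, 2);
    releaseDelayedReleasedObjects(h);
    return h->releasedCount;
}

static int releasedAt(size_t i)   { return g_heap.released[i]; }
static size_t pendingCount(void)  { return g_heap.delayedCount; }
static unsigned recursionDepth(void) { return g_heap.recursionCount; }

int main(void)
{
    size_t n = runDelayedReleaseScenario();
    for (size_t i = 0; i < n; i++)
        printf("released %d\n", releasedAt(i));
    printf("pending=%zu recursion=%u\n", pendingCount(), recursionDepth());
    return 0;
}
```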
24543 | ||
24544 | 2015-02-05 Youenn Fablet <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com> | |
24545 | ||
24546 | [Streams API] Implement a barebone ReadableStream interface | |
24547 | https://bugs.webkit.org/show_bug.cgi?id=141045 | |
24548 | ||
24549 | Reviewed by Benjamin Poulain. | |
24550 | ||
24551 | * Configurations/FeatureDefines.xcconfig: | |
24552 | ||
24553 | 2015-02-05 Saam Barati <saambarati1@gmail.com> | |
24554 | ||
24555 | Crash in uninitialized deconstructing variable. | |
24556 | https://bugs.webkit.org/show_bug.cgi?id=141070 | |
24557 | ||
24558 | Reviewed by Michael Saboff. | |
24559 | ||
24560 | According to the ES6 spec, when a destructuring pattern occurs | |
24561 | as the left hand side of an assignment inside a var declaration | |
24562 | statement, the assignment must also have a right hand side value. | |
24563 | "var {x} = {};" is a legal syntactic statement, but | |
24564 | "var {x};" is a syntactic error. | |
24565 | ||
24566 | Section 13.2.2 of the latest draft ES6 spec specifies this requirement: | |
24567 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement | |
24568 | ||
24569 | * parser/Parser.cpp: | |
24570 | (JSC::Parser<LexerType>::parseVarDeclaration): | |
24571 | (JSC::Parser<LexerType>::parseVarDeclarationList): | |
24572 | (JSC::Parser<LexerType>::parseForStatement): | |
24573 | * parser/Parser.h: | |
24574 | ||
24575 | 2015-02-04 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
24576 | ||
24577 | Unreviewed, fix a build break on EFL port since r179648. | |
24578 | ||
24579 | * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable. | |
24580 | (JSC::MachineThreads::tryCopyOtherThreadStacks): | |
24581 | ||
24582 | 2015-02-04 Joseph Pecoraro <pecoraro@apple.com> | |
24583 | ||
24584 | Web Inspector: ES6: Improved Console Support for Symbol Objects | |
24585 | https://bugs.webkit.org/show_bug.cgi?id=141173 | |
24586 | ||
24587 | Reviewed by Timothy Hatcher. | |
24588 | ||
24589 | * inspector/protocol/Runtime.json: | |
24590 | New type, "symbol". | |
24591 | ||
24592 | * inspector/InjectedScriptSource.js: | |
24593 | Handle Symbol objects in a few places. They don't have properties | |
24594 | and they cannot be implicitly converted to strings. | |
24595 | ||
24596 | 2015-02-04 Mark Lam <mark.lam@apple.com> | |
24597 | ||
24598 | Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness. | |
24599 | ||
24600 | Not reviewed. | |
24601 | ||
24602 | * heap/MachineStackMarker.cpp: | |
24603 | (JSC::MachineThreads::tryCopyOtherThreadStacks): | |
24604 | ||
24605 | 2015-02-04 Mark Lam <mark.lam@apple.com> | |
24606 | ||
24607 | Gardening: Changed expected ERROR message to WARNING to make test bots happy. | |
24608 | ||
24609 | Rubber stamped by Simon Fraser. | |
24610 | ||
24611 | * heap/MachineStackMarker.cpp: | |
24612 | (JSC::MachineThreads::tryCopyOtherThreadStacks): | |
24613 | ||
24614 | 2015-02-04 Mark Lam <mark.lam@apple.com> | |
24615 | ||
24616 | r179576 introduced a deadlock potential during GC thread suspension. | |
24617 | <https://webkit.org/b/141268> | |
24618 | ||
24619 | Reviewed by Michael Saboff. | |
24620 | ||
24621 | http://trac.webkit.org/r179576 introduced a potential for deadlocking. | |
24622 | In the GC thread suspension loop, we currently delete | |
24623 | MachineThreads::Thread that we detect to be invalid. This is unsafe | |
24624 | because we may have already suspended some threads, and one of those | |
24625 | suspended threads may still be holding the C heap lock which we need | |
24626 | for deleting the invalid thread. | |
24627 | ||
24628 | The fix is to put the invalid threads in a separate toBeDeleted list, | |
24629 | and delete them only after GC has resumed all threads. | |
24630 | ||
24631 | * heap/MachineStackMarker.cpp: | |
24632 | (JSC::MachineThreads::removeCurrentThread): | |
24633 | - Undo refactoring removeThreadWithLockAlreadyAcquired() out of | |
24634 | removeCurrentThread() since it is no longer needed. | |
24635 | ||
24636 | (JSC::MachineThreads::tryCopyOtherThreadStacks): | |
24637 | - Put invalid Threads on a threadsToBeDeleted list, and delete those | |
24638 | Threads only after all threads have been resumed. | |
24639 | ||
24640 | (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted. | |
24641 | * heap/MachineStackMarker.h: | |
24642 | ||
24643 | 2015-02-04 Joseph Pecoraro <pecoraro@apple.com> | |
24644 | ||
24645 | Web Inspector: Clean up Object Property Descriptor Collection | |
24646 | https://bugs.webkit.org/show_bug.cgi?id=141222 | |
24647 | ||
24648 | Reviewed by Timothy Hatcher. | |
24649 | ||
24650 | * inspector/InjectedScriptSource.js: | |
24651 | Use a list of options when determining which properties to collect | |
24652 | instead of a few booleans with overlapping responsibilities. | |
24653 | ||
24654 | 2015-02-04 Joseph Pecoraro <pecoraro@apple.com> | |
24655 | ||
24656 | Web Inspector: console.table with columnName filter for non-existent property should still show column | |
24657 | https://bugs.webkit.org/show_bug.cgi?id=141066 | |
24658 | ||
24659 | Reviewed by Timothy Hatcher. | |
24660 | ||
24661 | * inspector/ConsoleMessage.cpp: | |
24662 | (Inspector::ConsoleMessage::addToFrontend): | |
24663 | When a user provides a second argument, e.g. console.table(..., columnNames), | |
24664 | then pass that second argument to the frontend. | |
24665 | ||
24666 | * inspector/InjectedScriptSource.js: | |
24667 | Add a FIXME about the old, unused path now. | |
24668 | ||
24669 | 2015-02-04 Saam Barati <saambarati1@gmail.com> | |
24670 | ||
24671 | TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable | |
24672 | https://bugs.webkit.org/show_bug.cgi?id=141204 | |
24673 | ||
24674 | Reviewed by Darin Adler. | |
24675 | ||
24676 | There is no need to use 32 bits to store a TypeSet::RuntimeType set | |
24677 | bit-vector when the largest value for a single TypeSet::RuntimeType | |
24678 | is 0x80. 8 bits is enough to represent the set of seen types. | |
24679 | ||
24680 | * dfg/DFGFixupPhase.cpp: | |
24681 | (JSC::DFG::FixupPhase::fixupNode): | |
24682 | * runtime/TypeSet.cpp: | |
24683 | (JSC::TypeSet::doesTypeConformTo): | |
24684 | * runtime/TypeSet.h: | |
24685 | (JSC::TypeSet::seenTypes): | |
24686 | ||
24687 | 2015-02-04 Mark Lam <mark.lam@apple.com> | |
24688 | ||
24689 | Remove concept of makeUsableFromMultipleThreads(). | |
24690 | <https://webkit.org/b/141221> | |
24691 | ||
24692 | Reviewed by Mark Hahnenberg. | |
24693 | ||
24694 | Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we | |
24695 | start acquiring the JSLock and entering the VM from different threads. | |
24696 | Acquisition of the JSLock will register the acquiring thread with the VM's thread | |
24697 | registry if not already registered. However, it will only do this if the VM's | |
24698 | thread specific key has been initialized by makeUsableFromMultipleThreads(). | |
24699 | ||
24700 | This is fragile, and also does not read intuitively because one would expect to | |
24701 | acquire the JSLock before calling any methods on the VM. This is exactly what | |
24702 | JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling | |
24703 | makeUsableFromMultipleThreads()), but is wrong. The result is that the invoking | |
24704 | thread will not have been registered with the VM during that first entry into | |
24705 | the VM. | |
24706 | ||
24707 | The fix is to make it so that we initialize the VM's thread specific key on | |
24708 | construction of the VM's MachineThreads registry instead of relying on | |
24709 | makeUsableFromMultipleThreads() being called. With this, we can eliminate | |
24710 | makeUsableFromMultipleThreads() altogether. | |
24711 | ||
24712 | Performance results are neutral in aggregate. | |
24713 | ||
24714 | * API/JSContextRef.cpp: | |
24715 | (JSGlobalContextCreateInGroup): | |
24716 | * heap/MachineStackMarker.cpp: | |
24717 | (JSC::MachineThreads::MachineThreads): | |
24718 | (JSC::MachineThreads::~MachineThreads): | |
24719 | (JSC::MachineThreads::addCurrentThread): | |
24720 | (JSC::MachineThreads::removeThread): | |
24721 | (JSC::MachineThreads::gatherConservativeRoots): | |
24722 | (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted. | |
24723 | * heap/MachineStackMarker.h: | |
24724 | * runtime/VM.cpp: | |
24725 | (JSC::VM::sharedInstance): | |
24726 | * runtime/VM.h: | |
24727 | (JSC::VM::makeUsableFromMultipleThreads): Deleted. | |
24728 | ||
24729 | 2015-02-04 Chris Dumez <cdumez@apple.com> | |
24730 | ||
24731 | Add removeFirst(value) / removeAll(value) methods to WTF::Vector | |
24732 | https://bugs.webkit.org/show_bug.cgi?id=141192 | |
24733 | ||
24734 | Reviewed by Benjamin Poulain. | |
24735 | ||
24736 | Use new Vector::removeFirst(value) / removeAll(value) API to simplify the | |
24737 | code a bit. | |
24738 | ||
24739 | * inspector/InspectorValues.cpp: | |
24740 | (Inspector::InspectorObjectBase::remove): | |
24741 | ||
24742 | 2015-02-03 Mark Lam <mark.lam@apple.com> | |
24743 | ||
24744 | Workaround a thread library bug where thread destructors may not get called. | |
24745 | <https://webkit.org/b/141209> | |
24746 | ||
24747 | Reviewed by Michael Saboff. | |
24748 | ||
24749 | There's a bug where thread destructors may not get called. As far as | |
24750 | we know, this only manifests on darwin ports. We will work around this | |
24751 | by checking at GC time if the platform thread is still valid. If not, | |
24752 | we'll purge it from the VM's registeredThreads list before proceeding | |
24753 | with thread scanning activity. | |
24754 | ||
24755 | Note: it is important that we do this invalid thread detection during | |
24756 | suspension, because the validity (and liveness) of the other thread is | |
24757 | only guaranteed while it is suspended. | |
24758 | ||
24759 | * API/tests/testapi.mm: | |
24760 | (threadMain): | |
24761 | - Added a test to enter the VM from another thread before we GC on | |
24762 | the main thread. | |
24763 | ||
24764 | * heap/MachineStackMarker.cpp: | |
24765 | (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): | |
24766 | (JSC::MachineThreads::removeCurrentThread): | |
24767 | - refactored removeThreadWithLockAlreadyAcquired() out from | |
24768 | removeCurrentThread() so that we can also call it for purging invalid | |
24769 | threads. | |
24770 | (JSC::suspendThread): | |
24771 | - Added a return status to tell if the suspension succeeded or not. | |
24772 | (JSC::MachineThreads::tryCopyOtherThreadStacks): | |
24773 | - Check if the suspension failed, and purge the thread if we can't | |
24774 | suspend it. Failure to suspend implies that the thread has | |
24775 | terminated without calling its destructor. | |
24776 | * heap/MachineStackMarker.h: | |
24777 | ||
24778 | 2015-02-03 Joseph Pecoraro <pecoraro@apple.com> | |
24779 | ||
24780 | Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore | |
24781 | https://bugs.webkit.org/show_bug.cgi?id=141189 | |
24782 | ||
24783 | Reviewed by Michael Saboff. | |
24784 | ||
24785 | * inspector/remote/RemoteInspector.mm: | |
24786 | (Inspector::RemoteInspector::singleton): | |
24787 | Ensure we call WTF::initializeMainThread() on the main thread so that | |
24788 | we can perform automatic String <-> NSString conversions. | |
24789 | ||
24790 | 2015-02-03 Brent Fulgham <bfulgham@apple.com> | |
24791 | ||
24792 | [Win] Project file cleanups after r179429. | |
24793 | ||
24794 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
24795 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
24796 | ||
24797 | 2015-02-02 Filip Pizlo <fpizlo@apple.com> | |
24798 | ||
24799 | arguments[-1] should have well-defined behavior | |
24800 | https://bugs.webkit.org/show_bug.cgi?id=141183 | |
24801 | ||
24802 | Reviewed by Mark Lam. | |
24803 | ||
24804 | According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument. | |
24805 | In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first | |
24806 | argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is | |
24807 | statically known to be the current function's arguments object - as follows: | |
24808 | ||
24809 | add 1, i | |
24810 | branchAboveOrEqual i, callFrame.ArgumentCount, slowPath | |
24811 | ||
24812 | The problem with this is that if i = -1, this passes the test, and we end up accessing | |
24813 | what would be the "this" argument slot. That's wrong, since we should really be bottoming | |
24814 | out in arguments["-1"], which is usually undefined but could be anything. It's even worse | |
24815 | if the function is inlined or if we're in a constructor - in that case the "this" slot | |
24816 | could be garbage. | |
24817 | ||
24818 | It turns out that we had this bug in all of our engines. | |
24819 | ||
24820 | This fixes the issue by changing the algorithm to: | |
24821 | ||
24822 | load32 callFrame.ArgumentCount, tmp | |
24823 | sub 1, tmp | |
24824 | branchAboveOrEqual i, tmp, slowPath | |
24825 | ||
24826 | In some engines, we would have used the modified "i" (the one that had 1 added to it) for | |
24827 | the subsequent argument load; since we don't do this anymore I also had to change some of | |
24828 | the offsets on the BaseIndex arguments load. | |
24829 | ||
24830 | This also includes tests that are written in such a way as to get coverage on LLInt and | |
24831 | Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL | |
24832 | (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user | |
24833 | overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also | |
24834 | includes off-by-1 out-of-bounds tests for each of these cases, since in the process of | |
24835 | writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see | |
24836 | any test failures. | |
24837 | ||
24838 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
24839 | (JSC::DFG::SpeculativeJIT::compile): | |
24840 | * dfg/DFGSpeculativeJIT64.cpp: | |
24841 | (JSC::DFG::SpeculativeJIT::compile): | |
24842 | * ftl/FTLLowerDFGToLLVM.cpp: | |
24843 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): | |
24844 | * jit/AssemblyHelpers.h: | |
24845 | (JSC::AssemblyHelpers::offsetOfArguments): | |
24846 | (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted. | |
24847 | * jit/JITOpcodes.cpp: | |
24848 | (JSC::JIT::emit_op_get_argument_by_val): | |
24849 | * jit/JITOpcodes32_64.cpp: | |
24850 | (JSC::JIT::emit_op_get_argument_by_val): | |
24851 | * llint/LowLevelInterpreter.asm: | |
24852 | * llint/LowLevelInterpreter32_64.asm: | |
24853 | * llint/LowLevelInterpreter64.asm: | |
24854 | * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added. | |
24855 | (foo): | |
24856 | * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added. | |
24857 | (foo): | |
24858 | * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added. | |
24859 | (foo): | |
24860 | * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added. | |
24861 | (foo): | |
24862 | * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added. | |
24863 | (foo): | |
24864 | * tests/stress/get-my-argument-by-val-wrap-around.js: Added. | |
24865 | (foo): | |
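
An added C model of the two bounds checks quoted in the entry above (not JSC's own code; the frame layout, slot values and function names are constructed). It shows the old check letting the wrapped i == -1 reach the "this" slot, the fixed check sending every negative index to the slow path, and both checks rejecting the off-by-one arguments[arguments.length] case. branchAboveOrEqual is modelled as an unsigned compare.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed call frame: slot 0 is "this", slots 1..n hold the arguments,
 * and argumentCount counts "this" too, as the entry describes. Payloads are
 * plain integers standing in for JSValues. */
#define MAX_SLOTS 8
typedef struct {
    uint32_t argumentCount;   /* includes the "this" slot, so always >= 1 */
    int64_t slots[MAX_SLOTS];
} CallFrame;

#define SLOW_PATH (-1)        /* sentinel: take the generic lookup instead */

/* Pre-fix check: "add 1, i" then "branchAboveOrEqual i, ArgumentCount".
 * The add wraps i == -1 to 0, which passes the unsigned compare and reads
 * the "this" slot. */
static int64_t loadArgumentOld(const CallFrame *frame, int32_t i)
{
    uint32_t index = (uint32_t)i + 1u;
    if (index >= frame->argumentCount)
        return SLOW_PATH;
    return frame->slots[index];
}

/* Fixed check: "load32 ArgumentCount, tmp; sub 1, tmp;
 * branchAboveOrEqual i, tmp". The unmodified i is compared, so any
 * negative i is a huge unsigned value and goes to the slow path. */
static int64_t loadArgumentNew(const CallFrame *frame, int32_t i)
{
    uint32_t tmp = frame->argumentCount - 1u;
    if ((uint32_t)i >= tmp)
        return SLOW_PATH;
    return frame->slots[(uint32_t)i + 1u];  /* +1 skips "this", after the check */
}

/* Constructed frame: "this" plus two arguments, so arguments.length == 2.
 * 0xDEAD marks the "this" slot that arguments[i] must never reach. */
static CallFrame sampleFrame(void)
{
    CallFrame f = { 3, { 0xDEAD, 10, 20 } };
    return f;
}

static int64_t probeOld(int32_t i) { CallFrame f = sampleFrame(); return loadArgumentOld(&f, i); }
static int64_t probeNew(int32_t i) { CallFrame f = sampleFrame(); return loadArgumentNew(&f, i); }

int main(void)
{
    int32_t indices[] = { -1, 0, 1, 2 };   /* 2 == arguments.length: the off-by-one case */
    for (size_t k = 0; k < sizeof indices / sizeof indices[0]; k++)
        printf("arguments[%d]: old=%lld new=%lld\n", (int)indices[k],
               (long long)probeOld(indices[k]), (long long)probeNew(indices[k]));
    return 0;
}
```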
24866 | ||
24867 | 2015-02-02 Filip Pizlo <fpizlo@apple.com> | |
24868 | ||
24869 | MultiGetByOffset should be marked NodeMustGenerate | |
24870 | https://bugs.webkit.org/show_bug.cgi?id=140137 | |
24871 | ||
24872 | Reviewed by Michael Saboff. | |
24873 | ||
24874 | * dfg/DFGNode.h: | |
24875 | (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset. | |
24876 | (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate. | |
24877 | * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Marking MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay. | |
24878 | * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called. | |
24879 | (foo): | |
24880 | ||
24881 | 2015-02-02 Filip Pizlo <fpizlo@apple.com> | |
24882 | ||
24883 | [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash | |
24884 | https://bugs.webkit.org/show_bug.cgi?id=141180 | |
24885 | rdar://problem/19677552 | |
24886 | ||
24887 | Reviewed by Benjamin Poulain. | |
24888 | ||
24889 | If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the | |
24890 | bounds check already terminates execution. This means we can skip the part where we | |
24891 | previously did an out-of-bound array access on the inlined call frame arguments vector. | |
24892 | ||
24893 | * ftl/FTLLowerDFGToLLVM.cpp: | |
24894 | (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): | |
24895 | (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): | |
24896 | (JSC::FTL::LowerDFGToLLVM::terminate): | |
24897 | (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate): | |
24898 | (JSC::FTL::LowerDFGToLLVM::crash): | |
24899 | * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added. | |
24900 | (foo): | |
24901 | (bar): | |
24902 | ||
24903 | 2015-02-02 Filip Pizlo <fpizlo@apple.com> | |
24904 | ||
24905 | REGRESSION(r179477): arguments simplification no longer works | |
24906 | https://bugs.webkit.org/show_bug.cgi?id=141169 | |
24907 | ||
24908 | Reviewed by Mark Lam. | |
24909 | ||
24910 | The operations involved in callee/scope access don't exit and shouldn't get in the way | |
24911 | of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in | |
24912 | the way of further such strength-reduction. We also need to canonicalize PhantomLocal | |
24913 | before running arguments simplification. | |
24914 | ||
24915 | * dfg/DFGMayExit.cpp: | |
24916 | (JSC::DFG::mayExit): | |
24917 | * dfg/DFGPlan.cpp: | |
24918 | (JSC::DFG::Plan::compileInThreadImpl): | |
24919 | * dfg/DFGStrengthReductionPhase.cpp: | |
24920 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
24921 | ||
24922 | 2015-02-02 Filip Pizlo <fpizlo@apple.com> | |
24923 | ||
24924 | VirtualRegister should really know how to dump itself | |
24925 | https://bugs.webkit.org/show_bug.cgi?id=141171 | |
24926 | ||
24927 | Reviewed by Geoffrey Garen. | |
24928 | ||
24929 | Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of | |
24930 | the patch is all about using this new power. | |
24931 | ||
24932 | * CMakeLists.txt: | |
24933 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
24934 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
24935 | * bytecode/CodeBlock.cpp: | |
24936 | (JSC::constantName): | |
24937 | (JSC::CodeBlock::registerName): | |
24938 | * bytecode/CodeBlock.h: | |
24939 | (JSC::missingThisObjectMarker): Deleted. | |
24940 | * bytecode/VirtualRegister.cpp: Added. | |
24941 | (JSC::VirtualRegister::dump): | |
24942 | * bytecode/VirtualRegister.h: | |
24943 | (WTF::printInternal): Deleted. | |
24944 | * dfg/DFGArgumentPosition.h: | |
24945 | (JSC::DFG::ArgumentPosition::dump): | |
24946 | * dfg/DFGFlushedAt.cpp: | |
24947 | (JSC::DFG::FlushedAt::dump): | |
24948 | * dfg/DFGGraph.cpp: | |
24949 | (JSC::DFG::Graph::dump): | |
24950 | * dfg/DFGPutLocalSinkingPhase.cpp: | |
24951 | * dfg/DFGSSAConversionPhase.cpp: | |
24952 | (JSC::DFG::SSAConversionPhase::run): | |
24953 | * dfg/DFGValidate.cpp: | |
24954 | (JSC::DFG::Validate::reportValidationContext): | |
24955 | * dfg/DFGValueSource.cpp: | |
24956 | (JSC::DFG::ValueSource::dump): | |
24957 | * dfg/DFGVariableEvent.cpp: | |
24958 | (JSC::DFG::VariableEvent::dump): | |
24959 | (JSC::DFG::VariableEvent::dumpSpillInfo): | |
24960 | * ftl/FTLExitArgumentForOperand.cpp: | |
24961 | (JSC::FTL::ExitArgumentForOperand::dump): | |
24962 | * ftl/FTLExitValue.cpp: | |
24963 | (JSC::FTL::ExitValue::dumpInContext): | |
24964 | * profiler/ProfilerBytecodeSequence.cpp: | |
24965 | (JSC::Profiler::BytecodeSequence::BytecodeSequence): | |
24966 | ||
24967 | 2015-02-02 Geoffrey Garen <ggaren@apple.com> | |
24968 | ||
24969 | Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages | |
24970 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
24971 | ||
24972 | Reviewed by Mark Hahnenberg. | |
24973 | ||
24974 | Re-landing just the HandleBlock piece of this patch. | |
24975 | ||
24976 | * heap/HandleBlock.h: | |
24977 | * heap/HandleBlockInlines.h: | |
24978 | (JSC::HandleBlock::create): | |
24979 | (JSC::HandleBlock::destroy): | |
24980 | (JSC::HandleBlock::HandleBlock): | |
24981 | (JSC::HandleBlock::payloadEnd): | |
24982 | * heap/HandleSet.cpp: | |
24983 | (JSC::HandleSet::~HandleSet): | |
24984 | (JSC::HandleSet::grow): | |
24985 | ||
24986 | 2015-02-02 Joseph Pecoraro <pecoraro@apple.com> | |
24987 | ||
24988 | Web Inspector: Support console.table | |
24989 | https://bugs.webkit.org/show_bug.cgi?id=141058 | |
24990 | ||
24991 | Reviewed by Timothy Hatcher. | |
24992 | ||
24993 | * inspector/InjectedScriptSource.js: | |
24994 | Include the firstLevelKeys filter when generating previews. | |
24995 | ||
24996 | * runtime/ConsoleClient.cpp: | |
24997 | (JSC::appendMessagePrefix): | |
24998 | Differentiate console.table logs to system log. | |
24999 | ||
25000 | 2015-01-31 Filip Pizlo <fpizlo@apple.com> | |
25001 | ||
25002 | BinarySwitch should be faster on average | |
25003 | https://bugs.webkit.org/show_bug.cgi?id=141046 | |
25004 | ||
25005 | Reviewed by Anders Carlsson. | |
25006 | ||
25007 | This optimizes our binary switch using math. It's strictly better than what we had before | |
25008 | assuming we bottom out in some case (rather than fall through), assuming all cases get | |
25009 | hit with equal probability. The difference is particularly large for large switch | |
25010 | statements. For example, a switch statement with 1000 cases would previously require on | |
25011 | average 13.207 branches to get to some case, while now it just requires 10.464. | |
25012 | ||
25013 | This is also a progression for the fall-through case, though we could shave off another | |
25014 | 1/6 branch on average if we wanted to - though it would regress taking a case (not falling | |
25015 | through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling | |
25016 | through. | |
25017 | ||
25018 | This also adds some randomness to the algorithm to minimize the likelihood of us | |
25019 | generating a switch statement that is always particularly bad for some input. Note that | |
25020 | the randomness has no effect on average-case performance assuming all cases are equally | |
25021 | likely. | |
25022 | ||
25023 | This ought to have no actual performance change because we don't rely on binary switches | |
25024 | that much. The main reason why this change is interesting is that I'm finding myself | |
25025 | increasingly relying on BinarySwitch, and I'd like to know that it's optimal. | |
25026 | ||
25027 | * jit/BinarySwitch.cpp: | |
25028 | (JSC::BinarySwitch::BinarySwitch): | |
25029 | (JSC::BinarySwitch::~BinarySwitch): | |
25030 | (JSC::BinarySwitch::build): | |
25031 | * jit/BinarySwitch.h: | |
25032 | ||
25033 | 2015-02-02 Joseph Pecoraro <pecoraro@apple.com> | |
25034 | ||
25035 | Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext | |
25036 | https://bugs.webkit.org/show_bug.cgi?id=141064 | |
25037 | ||
25038 | Reviewed by Timothy Hatcher. | |
25039 | ||
25040 | * inspector/protocol/CSS.json: | |
25041 | ||
25042 | 2015-02-02 Daniel Bates <dabates@apple.com> | |
25043 | ||
25044 | [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext | |
25045 | https://bugs.webkit.org/show_bug.cgi?id=141057 | |
25046 | <rdar://problem/19068790> | |
25047 | ||
25048 | Reviewed by Alexey Proskuryakov. | |
25049 | ||
25050 | * inspector/remote/RemoteInspector.mm: | |
25051 | (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread(). | |
25052 | (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function, | |
25053 | WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage() | |
25054 | and CryptoKeyRSA::generatePair(). | |
25055 | ||
25056 | 2015-02-02 Saam Barati <saambarati1@gmail.com> | |
25057 | ||
25058 | Create tests for JSC's Control Flow Profiler | |
25059 | https://bugs.webkit.org/show_bug.cgi?id=141123 | |
25060 | ||
25061 | Reviewed by Filip Pizlo. | |
25062 | ||
25063 | This patch creates a control flow profiler testing API in jsc.cpp | |
25064 | that accepts a function and a string as arguments. The string must | |
25065 | be a substring of the text of the function argument. The API returns | |
25066 | a boolean indicating whether or not the basic block that encloses the | |
25067 | substring has executed. | |
25068 | ||
25069 | This patch uses this API to test that the control flow profiler | |
25070 | behaves as expected on basic block boundaries. These tests do not | |
25071 | provide full coverage for all JavaScript statements that can create | |
25072 | basic block boundaries. Full coverage will come in a later patch. | |
25073 | ||
25074 | * jsc.cpp: | |
25075 | (GlobalObject::finishCreation): | |
25076 | (functionHasBasicBlockExecuted): | |
25077 | * runtime/ControlFlowProfiler.cpp: | |
25078 | (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted): | |
25079 | * runtime/ControlFlowProfiler.h: | |
25080 | * tests/controlFlowProfiler: Added. | |
25081 | * tests/controlFlowProfiler.yaml: Added. | |
25082 | * tests/controlFlowProfiler/driver: Added. | |
25083 | * tests/controlFlowProfiler/driver/driver.js: Added. | |
25084 | (assert): | |
25085 | * tests/controlFlowProfiler/if-statement.js: Added. | |
25086 | (testIf): | |
25087 | (noMatches): | |
25088 | * tests/controlFlowProfiler/loop-statements.js: Added. | |
25089 | (forRegular): | |
25090 | (forIn): | |
25091 | (forOf): | |
25092 | (whileLoop): | |
        * tests/controlFlowProfiler/switch-statements.js: Added.
        (testSwitch):
        * tests/controlFlowProfiler/test-jit.js: Added.
        (tierUpToBaseline):
        (tierUpToDFG):
        (baselineTest):
        (dfgTest):

2015-01-28 Filip Pizlo <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.

        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.

        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.

        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.

        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.

        Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.h:
        (JSC::CallEdge::count):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Removed.
        * bytecode/CallEdgeProfile.h: Removed.
        * bytecode/CallEdgeProfileInlines.h: Removed.
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::variants):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::edges): Deleted.
        (JSC::CallLinkStatus::canTrustCounts): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::variantListWithVariant):
        (JSC::despecifiedVariantList):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/BinarySwitch.h:
        * jit/ClosureCallStubRoutine.cpp: Removed.
        * jit/ClosureCallStubRoutine.h: Removed.
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkPolymorphicCallFor):
        (JSC::operationLinkClosureCallFor): Deleted.
        * jit/JITStubRoutine.h:
        * jit/JITWriteBarrier.h:
        * jit/PolymorphicCallStubRoutine.cpp: Added.
        (JSC::PolymorphicCallNode::~PolymorphicCallNode):
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallCase::dump):
        (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
        (JSC::PolymorphicCallStubRoutine::variants):
        (JSC::PolymorphicCallStubRoutine::edges):
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
        * jit/PolymorphicCallStubRoutine.h: Added.
        (JSC::PolymorphicCallNode::PolymorphicCallNode):
        (JSC::PolymorphicCallCase::PolymorphicCallCase):
        (JSC::PolymorphicCallCase::variant):
        (JSC::PolymorphicCallCase::codeBlock):
        * jit/Repatch.cpp:
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        (JSC::linkClosureCall): Deleted.
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkPolymorphicCallForThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator): Deleted.
        (JSC::linkClosureCallThunkGenerator): Deleted.
        (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        (JSC::linkPolymorphicCallThunkGeneratorFor):
        (JSC::linkClosureCallThunkGeneratorFor): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode):
        (JSC::VM::ensureCallEdgeLog): Deleted.
        * runtime/VM.h:
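As an added illustration (not JavaScriptCore's code, and not part of this ChangeLog), the C++ below models the inline-cache transitions that this entry and its original landing further down describe: a miss on the plain call inline cache inflates it into a stub over the known callees, a further miss rewrites the stub with the new callee, and past a callee limit the site falls back to a plain virtual call; the sweep models what the visitWeak methods in the file list do when callees die. CallSiteIC, Outcome, Trace and the callee limit are hypothetical stand-ins for CallLinkInfo, PolymorphicCallStubRoutine and CallLinkStatus, and the call sequences are constructed.

```cpp
// Added example (not JavaScriptCore code): a model of the polymorphic call
// inline-cache state machine. All names here are hypothetical stand-ins.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

using Callee = int;  // constructed stand-in for a callee identity (in JSC, a function/executable)

enum class ICState { Unlinked, Monomorphic, Polymorphic, Virtual };
enum class Outcome { CacheHit, Relinked, VirtualCall };

struct CallSiteIC {
    ICState state = ICState::Unlinked;
    std::vector<Callee> knownCallees;  // the cases the out-of-line stub switches on
    std::size_t maxCallees;            // limit before giving up and using a virtual call
    unsigned stubRewrites = 0;         // how many times the stub was regenerated

    explicit CallSiteIC(std::size_t limit) : maxCallees(limit) {}

    // Dispatch one call through the cache and update it the way the entry describes:
    // miss -> inflate to a stub over the known callees; miss again -> rewrite the stub
    // with the new callee; past the limit -> switch to a plain virtual call.
    Outcome call(Callee callee) {
        switch (state) {
        case ICState::Virtual:
            return Outcome::VirtualCall;  // indirect call; no per-callee information is kept
        case ICState::Unlinked:
            knownCallees.push_back(callee);
            state = ICState::Monomorphic;
            return Outcome::Relinked;
        case ICState::Monomorphic:
        case ICState::Polymorphic:
            if (std::find(knownCallees.begin(), knownCallees.end(), callee) != knownCallees.end())
                return Outcome::CacheHit;
            if (knownCallees.size() >= maxCallees) {
                knownCallees.clear();
                state = ICState::Virtual;
                return Outcome::VirtualCall;
            }
            knownCallees.push_back(callee);
            state = ICState::Polymorphic;
            ++stubRewrites;
            return Outcome::Relinked;
        }
        return Outcome::VirtualCall;  // unreachable; keeps compilers quiet
    }

    // What an optimizing tier reads off the site (cf. CallLinkStatus::variants and
    // canOptimize in the file list): the callees it may consider for inlining.
    const std::vector<Callee>& variants() const { return knownCallees; }
    bool canOptimize() const { return state != ICState::Virtual && !knownCallees.empty(); }

    // Model of the weak sweep: callees the GC reports dead are dropped from the stub;
    // a stub with no live cases goes back to unlinked.
    template <typename IsLive>
    void visitWeak(IsLive isLive) {
        if (state == ICState::Virtual)
            return;
        knownCallees.erase(std::remove_if(knownCallees.begin(), knownCallees.end(),
                                          [&](Callee c) { return !isLive(c); }),
                           knownCallees.end());
        if (knownCallees.empty())
            state = ICState::Unlinked;
        else if (knownCallees.size() == 1)
            state = ICState::Monomorphic;
    }
};

struct Trace {
    std::vector<Outcome> outcomes;
    CallSiteIC site;
};

// Run a constructed call sequence through one site and record every outcome.
Trace runSequence(const std::vector<Callee>& calls, std::size_t limit) {
    Trace t{{}, CallSiteIC(limit)};
    for (Callee c : calls)
        t.outcomes.push_back(t.site.call(c));
    return t;
}

// State of the site after the sequence and a sweep in which `dead` were collected.
ICState stateAfterSweep(const std::vector<Callee>& calls, std::size_t limit,
                        const std::vector<Callee>& dead) {
    Trace t = runSequence(calls, limit);
    t.site.visitWeak([&](Callee c) { return std::find(dead.begin(), dead.end(), c) == dead.end(); });
    return t.site.state;
}

int main() {
    Trace t = runSequence({1, 1, 2, 2, 3, 1}, 2);  // constructed sequence, limit of two callees
    for (std::size_t i = 0; i < t.outcomes.size(); ++i)
        std::printf("call %zu -> outcome %d\n", i, static_cast<int>(t.outcomes[i]));
    std::printf("final state %d, stub rewrites %u\n", static_cast<int>(t.site.state), t.site.stubRewrites);
    return 0;
}
```

With a limit of two the third distinct callee pushes the site to a virtual call and the optimizer learns nothing from it; with a limit of three the stub keeps all three callees as inlining candidates.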

2015-01-30 Filip Pizlo <fpizlo@apple.com>

        Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
        https://bugs.webkit.org/show_bug.cgi?id=141107

        Reviewed by Michael Saboff.

        See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
        that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
        OSR availability analysis to determine the right MovHint value to use for the Phantom.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariables):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertPhantomToPhantomLocal):
        (JSC::DFG::Node::convertFlushToPhantomLocal):
        (JSC::DFG::Node::convertToPhantomLocal): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
        (foo):
        (bar):
        (baz):

2015-01-31 Michael Saboff <msaboff@apple.com>

        Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
        https://bugs.webkit.org/show_bug.cgi?id=141111

        Reviewed by Filip Pizlo.

        In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
        exited, we don't need to process the OSR availability or abstract interpreter.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
        method since we need to call it at the top and near the bottom of compileNode().
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-01-31 Sam Weinig <sam@webkit.org>

        Remove even more Mountain Lion support
        https://bugs.webkit.org/show_bug.cgi?id=141124

        Reviewed by Alexey Proskuryakov.

        * API/tests/DateTests.mm:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2015-01-31 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r179426.
        https://bugs.webkit.org/show_bug.cgi?id=141119

        "caused a memory use regression" (Requested by Guest45 on
        #webkit).

        Reverted changeset:

        "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
        pages"
        https://bugs.webkit.org/show_bug.cgi?id=140900
        http://trac.webkit.org/changeset/179426

2015-01-30 Daniel Bates <dabates@apple.com>

        Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
        https://bugs.webkit.org/show_bug.cgi?id=141067

        Reviewed by Timothy Hatcher.

        Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
        do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
        and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
        header RemoteInspectorDebuggableConnection.h.

        * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.

2015-01-30 Yusuke Suzuki <utatane.tea@gmail.com>

        Implement ES6 Symbol
        https://bugs.webkit.org/show_bug.cgi?id=140435

        Reviewed by Geoffrey Garen.

        This patch implements ES6 Symbol. In this patch, we don't support
        Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
        supported in the subsequent patches.

        Since ES6 Symbol is introduced as a new primitive value, we implement
        Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
        as a new primitive value.

        Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
        value represents the Symbol's identity. So don't use the Symbol's
        JSCell pointer value for comparison.
        This enables re-producing a Symbol primitive value from a StringImpl* uid
        by executing `Symbol::create(vm, uid)`. This is needed to produce
        Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.

        And Symbol.[[Description]] is folded into the string value of Symbol's uid.
        By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinNames.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        * interpreter/Interpreter.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::dumpInContextAssumingStructure):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isSymbol):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::toPropertyKey):

        It represents the ToPropertyKey abstract operation in the ES6 spec.
        It cleans up the old implementation's `isName` checks.
        And to prevent performance regressions in
        js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
        js/regress/fold-get-by-id-to-multi-get-by-offset.html
        we annotate this function as ALWAYS_INLINE.

        (JSC::JSValue::getPropertySlot):
        (JSC::JSValue::get):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive):
        (JSC::JSCell::getPrimitiveNumber):
        (JSC::JSCell::toNumber):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isSymbol):
        (JSC::JSCell::toBoolean):
        (JSC::JSCell::pureToBoolean):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolPrototype):
        (JSC::JSGlobalObject::symbolObjectStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName): Deleted.
        * runtime/MapData.cpp:
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        (JSC::MapData::replaceAndPackBackingStore):
        * runtime/MapData.h:
        (JSC::MapData::clear):
        * runtime/NameInstance.h: Removed.
        * runtime/NamePrototype.cpp: Removed.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::operator==):
        (JSC::PrivateName::operator!=):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::publicName):
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        (JSC::callStringConstructor):

        In ES6, the String constructor accepts a Symbol to execute `String(symbol)`.

        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/Symbol.cpp: Added.
        (JSC::Symbol::Symbol):
        (JSC::SymbolObject::create):
        (JSC::Symbol::toPrimitive):
        (JSC::Symbol::toBoolean):
        (JSC::Symbol::getPrimitiveNumber):
        (JSC::Symbol::toObject):
        (JSC::Symbol::toNumber):
        (JSC::Symbol::destroy):
        (JSC::Symbol::descriptiveString):
        * runtime/Symbol.h: Added.
        (JSC::Symbol::createStructure):
        (JSC::Symbol::create):
        (JSC::Symbol::privateName):
        (JSC::Symbol::finishCreation):
        (JSC::asSymbol):
        * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::finishCreation):
        (JSC::callSymbol):
        (JSC::SymbolConstructor::getConstructData):
        (JSC::SymbolConstructor::getCallData):
        * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
        (JSC::SymbolConstructor::create):
        (JSC::SymbolConstructor::createStructure):
        * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
        (JSC::SymbolObject::SymbolObject):
        (JSC::SymbolObject::finishCreation):
        (JSC::SymbolObject::defaultValue):

        Now JSC doesn't support @@toPrimitive. So instead of it, we implement
        Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].

        * runtime/SymbolObject.h: Added.
        (JSC::SymbolObject::create):
        (JSC::SymbolObject::internalValue):
        (JSC::SymbolObject::createStructure):
        * runtime/SymbolPrototype.cpp: Added.
        (JSC::SymbolPrototype::SymbolPrototype):
        (JSC::SymbolPrototype::finishCreation):
        (JSC::SymbolPrototype::getOwnPropertySlot):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
        (JSC::SymbolPrototype::create):
        (JSC::SymbolPrototype::createStructure):

        The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
        It is tested in js/symbol-prototype-is-ordinary-object.html.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2015-01-30 Geoffrey Garen <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the HandleBlock piece of this patch.

        * heap/HandleBlock.h:
        * heap/HandleBlockInlines.h:
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::destroy):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):

2015-01-30 Geoffrey Garen <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Sam Weinig.

        Follow-up based on Mark Hahnenberg's review: Release after the copy
        phase, rather than after any phase, since we'd rather not release
        between marking and copying.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):

2015-01-30 Geoffrey Garen <ggaren@apple.com>

        GC marking threads should clear malloc caches
        https://bugs.webkit.org/show_bug.cgi?id=141097

        Reviewed by Andreas Kling.

        This is an attempt to ameliorate a potential memory use regression
        caused by https://bugs.webkit.org/show_bug.cgi?id=140900
        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.

        FastMalloc may accumulate a per-thread cache on each of the 8-ish
        GC marking threads, which can be expensive.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
        going to sleep. There's probably not too much value to keeping our
        per-thread cache between GCs, and it has some memory footprint.

2015-01-30 Chris Dumez <cdumez@apple.com>

        Rename shared() static member functions to singleton() for singleton classes.
        https://bugs.webkit.org/show_bug.cgi?id=141088

        Reviewed by Ryosuke Niwa and Benjamin Poulain.

        Rename shared() static member functions to singleton() for singleton
        classes as per the recent coding style change.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::singleton):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::shared): Deleted.
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::init):
        (Inspector::RemoteInspectorDebuggable::update):
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):

2015-01-30 Geoffrey Garen <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the CopyWorkListSegment piece of this patch.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopyWorkList.h:
        (JSC::CopyWorkListSegment::create):
        (JSC::CopyWorkListSegment::destroy):
        (JSC::CopyWorkListSegment::CopyWorkListSegment):
        (JSC::CopyWorkList::CopyWorkList):
        (JSC::CopyWorkList::~CopyWorkList):
        (JSC::CopyWorkList::append):

2015-01-29 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r179357 and r179358.
        https://bugs.webkit.org/show_bug.cgi?id=141062

        Suspect this caused WebGL tests to start flaking (Requested by
        kling on #webkit).

        Reverted changesets:

        "Polymorphic call inlining should be based on polymorphic call
        inline caching rather than logging"
        https://bugs.webkit.org/show_bug.cgi?id=140660
        http://trac.webkit.org/changeset/179357

        "Unreviewed, fix no-JIT build."
        http://trac.webkit.org/changeset/179358

2015-01-29 Geoffrey Garen <ggaren@apple.com>

        Removed op_ret_object_or_this
        https://bugs.webkit.org/show_bug.cgi?id=141048

        Reviewed by Michael Saboff.

        op_ret_object_or_this was one opcode that would keep us out of the
        optimizing compilers.

        We don't need a special-purpose opcode; we can just use a branch.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::isTerminal): Removed.
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset): Removed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Removed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
        if we need to substitute 'this' for the return value. Our engine no longer
        benefits from fused opcodes that dispatch less in the interpreter.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_ret_object_or_this): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Removed.

2015-01-29 Ryosuke Niwa <rniwa@webkit.org>

        Implement ES6 class syntax without inheritance support
        https://bugs.webkit.org/show_bug.cgi?id=140918

        Reviewed by Geoffrey Garen.

        Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
            class A {
                constructor() { }
                someMethod() { }
            }

        We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
        We also don't support block scoping of a class declaration.

        We support both class declaration and class expression. A class expression is implemented by the newly added
        ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
        AssignResolveNode.

        Tests: js/class-syntax-declaration.html
               js/class-syntax-expression.html

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
        Also fixed the 5-space indentation.
        (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
        (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
        (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
        emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
        (JSC::ASTBuilder::createClassDeclStatement): Added. Creates an AssignResolveNode and wraps it in a ClassDeclNode.

        * parser/NodeConstructors.h:
        (JSC::ClassDeclNode::ClassDeclNode): Added.
        (JSC::ClassExprNode::ClassExprNode): Added.

        * parser/Nodes.h:
        (JSC::ClassExprNode): Added.
        (JSC::ClassDeclNode): Added.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
        (JSC::stringForFunctionMode): Return "method" for MethodMode.
        (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
        it with ClassDeclNode as described above.
        (JSC::Parser<LexerType>::parseClass): Parses a class expression.
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
        and parseClass.
        (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.

        * parser/Parser.h:
        (FunctionParseMode): Added MethodMode.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createClassExpr): Added.
        (JSC::SyntaxChecker::createClassDeclStatement): Added.

2015-01-29 Geoffrey Garen <ggaren@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.

2015-01-29 Geoffrey Garen <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the WeakBlock piece of this patch.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::destroy):
        (JSC::WeakBlock::WeakBlock):
        * heap/WeakBlock.h:
        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::addAllocator):
        (JSC::WeakSet::removeAllocator):

2015-01-29 Geoffrey Garen <ggaren@apple.com>

        Use Vector instead of GCSegmentedArray in CodeBlockSet
        https://bugs.webkit.org/show_bug.cgi?id=141044

        Reviewed by Ryosuke Niwa.

        This is allowed now that we've gotten rid of fastMallocForbid.

        4kB was a bit overkill for just storing a few pointers.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::CodeBlockSet):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2015-01-29 Filip Pizlo <fpizlo@apple.com>

        Unreviewed, fix no-JIT build.

        * jit/PolymorphicCallStubRoutine.cpp:

2015-01-28 Filip Pizlo <fpizlo@apple.com>

        Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
        https://bugs.webkit.org/show_bug.cgi?id=140660

        Reviewed by Geoffrey Garen.

        When we first implemented polymorphic call inlining, we did the profiling based on a call
        edge log. The idea was to store each call edge (a tuple of call site and callee) into a
        global log that was processed lazily. Processing the log would give precise counts of call
        edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
        This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
        nonetheless.

        Experience with this code shows three things. First, the call edge profiler is buggy and
        complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
        overhead for latency code that we care deeply about. Third, it's not at all clear that
        having call edge counts for every possible callee is any better than just having call edge
        counts for the limited number of callees that an inline cache would catch.

        So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
        cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
        out-of-line stub that cases on the previously known callees. If that misses again, then we
        rewrite that stub to include the new callee. We do this up to some number of callees. If we
        hit the limit then we switch to using a plain virtual call.

        Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
        caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
25843 | ||
25844 | * CMakeLists.txt: | |
25845 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
25846 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
25847 | * bytecode/CallEdge.h: | |
25848 | (JSC::CallEdge::count): | |
25849 | (JSC::CallEdge::CallEdge): | |
25850 | * bytecode/CallEdgeProfile.cpp: Removed. | |
25851 | * bytecode/CallEdgeProfile.h: Removed. | |
25852 | * bytecode/CallEdgeProfileInlines.h: Removed. | |
25853 | * bytecode/CallLinkInfo.cpp: | |
25854 | (JSC::CallLinkInfo::unlink): | |
25855 | (JSC::CallLinkInfo::visitWeak): | |
25856 | * bytecode/CallLinkInfo.h: | |
25857 | * bytecode/CallLinkStatus.cpp: | |
25858 | (JSC::CallLinkStatus::CallLinkStatus): | |
25859 | (JSC::CallLinkStatus::computeFor): | |
25860 | (JSC::CallLinkStatus::computeFromCallLinkInfo): | |
25861 | (JSC::CallLinkStatus::isClosureCall): | |
25862 | (JSC::CallLinkStatus::makeClosureCall): | |
25863 | (JSC::CallLinkStatus::dump): | |
25864 | (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted. | |
25865 | * bytecode/CallLinkStatus.h: | |
25866 | (JSC::CallLinkStatus::CallLinkStatus): | |
25867 | (JSC::CallLinkStatus::isSet): | |
25868 | (JSC::CallLinkStatus::variants): | |
25869 | (JSC::CallLinkStatus::size): | |
25870 | (JSC::CallLinkStatus::at): | |
25871 | (JSC::CallLinkStatus::operator[]): | |
25872 | (JSC::CallLinkStatus::canOptimize): | |
25873 | (JSC::CallLinkStatus::edges): Deleted. | |
25874 | (JSC::CallLinkStatus::canTrustCounts): Deleted. | |
25875 | * bytecode/CallVariant.cpp: | |
25876 | (JSC::variantListWithVariant): | |
25877 | (JSC::despecifiedVariantList): | |
25878 | * bytecode/CallVariant.h: | |
25879 | * bytecode/CodeBlock.cpp: | |
25880 | (JSC::CodeBlock::~CodeBlock): | |
25881 | (JSC::CodeBlock::linkIncomingPolymorphicCall): | |
25882 | (JSC::CodeBlock::unlinkIncomingCalls): | |
25883 | (JSC::CodeBlock::noticeIncomingCall): | |
25884 | * bytecode/CodeBlock.h: | |
25885 | (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted. | |
25886 | * dfg/DFGAbstractInterpreterInlines.h: | |
25887 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
25888 | * dfg/DFGByteCodeParser.cpp: | |
25889 | (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult): | |
25890 | (JSC::DFG::ByteCodeParser::handleCall): | |
25891 | (JSC::DFG::ByteCodeParser::handleInlining): | |
25892 | * dfg/DFGClobberize.h: | |
25893 | (JSC::DFG::clobberize): | |
25894 | * dfg/DFGConstantFoldingPhase.cpp: | |
25895 | (JSC::DFG::ConstantFoldingPhase::foldConstants): | |
25896 | * dfg/DFGDoesGC.cpp: | |
25897 | (JSC::DFG::doesGC): | |
25898 | * dfg/DFGDriver.cpp: | |
25899 | (JSC::DFG::compileImpl): | |
25900 | * dfg/DFGFixupPhase.cpp: | |
25901 | (JSC::DFG::FixupPhase::fixupNode): | |
25902 | * dfg/DFGNode.h: | |
25903 | (JSC::DFG::Node::hasHeapPrediction): | |
25904 | * dfg/DFGNodeType.h: | |
25905 | * dfg/DFGOperations.cpp: | |
25906 | * dfg/DFGPredictionPropagationPhase.cpp: | |
25907 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
25908 | * dfg/DFGSafeToExecute.h: | |
25909 | (JSC::DFG::safeToExecute): | |
25910 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
25911 | (JSC::DFG::SpeculativeJIT::emitCall): | |
25912 | (JSC::DFG::SpeculativeJIT::compile): | |
25913 | * dfg/DFGSpeculativeJIT64.cpp: | |
25914 | (JSC::DFG::SpeculativeJIT::emitCall): | |
25915 | (JSC::DFG::SpeculativeJIT::compile): | |
25916 | * dfg/DFGTierUpCheckInjectionPhase.cpp: | |
25917 | (JSC::DFG::TierUpCheckInjectionPhase::run): | |
25918 | (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted. | |
25919 | * ftl/FTLCapabilities.cpp: | |
25920 | (JSC::FTL::canCompile): | |
25921 | * heap/Heap.cpp: | |
25922 | (JSC::Heap::collect): | |
25923 | * jit/BinarySwitch.h: | |
25924 | * jit/ClosureCallStubRoutine.cpp: Removed. | |
25925 | * jit/ClosureCallStubRoutine.h: Removed. | |
25926 | * jit/JITCall.cpp: | |
25927 | (JSC::JIT::compileOpCall): | |
25928 | * jit/JITCall32_64.cpp: | |
25929 | (JSC::JIT::compileOpCall): | |
25930 | * jit/JITOperations.cpp: | |
25931 | * jit/JITOperations.h: | |
25932 | (JSC::operationLinkPolymorphicCallFor): | |
25933 | (JSC::operationLinkClosureCallFor): Deleted. | |
25934 | * jit/JITStubRoutine.h: | |
25935 | * jit/JITWriteBarrier.h: | |
25936 | * jit/PolymorphicCallStubRoutine.cpp: Added. | |
25937 | (JSC::PolymorphicCallNode::~PolymorphicCallNode): | |
25938 | (JSC::PolymorphicCallNode::unlink): | |
25939 | (JSC::PolymorphicCallCase::dump): | |
25940 | (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): | |
25941 | (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine): | |
25942 | (JSC::PolymorphicCallStubRoutine::variants): | |
25943 | (JSC::PolymorphicCallStubRoutine::edges): | |
25944 | (JSC::PolymorphicCallStubRoutine::visitWeak): | |
25945 | (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal): | |
25946 | * jit/PolymorphicCallStubRoutine.h: Added. | |
25947 | (JSC::PolymorphicCallNode::PolymorphicCallNode): | |
25948 | (JSC::PolymorphicCallCase::PolymorphicCallCase): | |
25949 | (JSC::PolymorphicCallCase::variant): | |
25950 | (JSC::PolymorphicCallCase::codeBlock): | |
25951 | * jit/Repatch.cpp: | |
25952 | (JSC::linkSlowFor): | |
25953 | (JSC::linkFor): | |
25954 | (JSC::revertCall): | |
25955 | (JSC::unlinkFor): | |
25956 | (JSC::linkVirtualFor): | |
25957 | (JSC::linkPolymorphicCall): | |
25958 | (JSC::linkClosureCall): Deleted. | |
25959 | * jit/Repatch.h: | |
25960 | * jit/ThunkGenerators.cpp: | |
25961 | (JSC::linkPolymorphicCallForThunkGenerator): | |
25962 | (JSC::linkPolymorphicCallThunkGenerator): | |
25963 | (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator): | |
25964 | (JSC::linkClosureCallForThunkGenerator): Deleted. | |
25965 | (JSC::linkClosureCallThunkGenerator): Deleted. | |
25966 | (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted. | |
25967 | * jit/ThunkGenerators.h: | |
25968 | (JSC::linkPolymorphicCallThunkGeneratorFor): | |
25969 | (JSC::linkClosureCallThunkGeneratorFor): Deleted. | |
25970 | * llint/LLIntSlowPaths.cpp: | |
25971 | (JSC::LLInt::jitCompileAndSetHeuristics): | |
25972 | * runtime/Options.h: | |
25973 | * runtime/VM.cpp: | |
25974 | (JSC::VM::prepareToDiscardCode): | |
25975 | (JSC::VM::ensureCallEdgeLog): Deleted. | |
25976 | * runtime/VM.h: | |
25977 | ||
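The call-site state machine this entry describes (basic cache, inflate to a stub that cases on known callees, rewrite on further misses, fall back to a virtual call at the limit), as an added model that is not JavaScriptCore's own code; the integer callee ids, the kMaxPolymorphicCallees limit of 4 and the unlink() reset are assumptions:

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Added model of the polymorphic call inline cache described above. Not JSC
// code: callees are plain integers and the callee limit is a constructed
// constant (the entry only says "up to some number of callees").
using CalleeId = int;
constexpr std::size_t kMaxPolymorphicCallees = 4; // assumption

enum class CallSiteState { Unlinked, Monomorphic, Polymorphic, Virtual };

// What a single call at this site had to do.
enum class Dispatch {
    Relinked,       // slow path ran and regenerated the cache or stub
    LinkedFastPath, // basic (monomorphic) inline cache hit
    StubHit,        // out-of-line stub matched one of its cases
    VirtualCall     // caching given up; plain virtual call
};

struct CallSite {
    CallSiteState state = CallSiteState::Unlinked;
    std::vector<CalleeId> knownCallees; // the cases of the out-of-line stub
    std::size_t relinkCount = 0;        // how often the slow path regenerated code

    Dispatch call(CalleeId callee) {
        switch (state) {
        case CallSiteState::Unlinked:
            // First call: link the basic inline cache to this callee.
            knownCallees.assign(1, callee);
            state = CallSiteState::Monomorphic;
            ++relinkCount;
            return Dispatch::Relinked;

        case CallSiteState::Monomorphic:
            if (knownCallees.front() == callee)
                return Dispatch::LinkedFastPath;
            // Miss: inflate the cache into an out-of-line stub that cases on
            // the previously known callee plus the new one.
            knownCallees.push_back(callee);
            state = CallSiteState::Polymorphic;
            ++relinkCount;
            return Dispatch::Relinked;

        case CallSiteState::Polymorphic:
            if (std::find(knownCallees.begin(), knownCallees.end(), callee) != knownCallees.end())
                return Dispatch::StubHit;
            if (knownCallees.size() >= kMaxPolymorphicCallees) {
                // Hit the limit: stop caching and switch to a plain virtual call.
                knownCallees.clear();
                state = CallSiteState::Virtual;
                ++relinkCount;
                return Dispatch::VirtualCall;
            }
            // Miss again: rewrite the stub to include the new callee.
            knownCallees.push_back(callee);
            ++relinkCount;
            return Dispatch::Relinked;

        case CallSiteState::Virtual:
            return Dispatch::VirtualCall;
        }
        return Dispatch::VirtualCall; // unreachable; keeps compilers quiet
    }

    // Simplified stand-in for CallLinkInfo::unlink: when a cached callee dies,
    // the site is reset and must relink from scratch (assumption).
    void unlink() {
        knownCallees.clear();
        state = CallSiteState::Unlinked;
    }
};

struct Trace {
    CallSite site;
    std::vector<Dispatch> dispatches;
};

// Drives one call site through a sequence of observed callees.
Trace driveCallSite(const std::vector<CalleeId>& callees) {
    Trace t;
    for (CalleeId c : callees)
        t.dispatches.push_back(t.site.call(c));
    return t;
}
```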
25978 | 2015-01-29 Joseph Pecoraro <pecoraro@apple.com> | |
25979 | ||
25980 | Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays) | |
25981 | https://bugs.webkit.org/show_bug.cgi?id=122867 | |
25982 | ||
25983 | Reviewed by Timothy Hatcher. | |
25984 | ||
25985 | Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap". | |
25986 | ||
25987 | Upgrade Runtime.ObjectPreview to include type/subtype information. Now, | |
25988 | an ObjectPreview can be used for any value, in place of a RemoteObject, | |
25989 | and not capture / hold a reference to the value. The value will be in | |
25990 | the string description. | |
25991 | ||
25992 | Adding this information to ObjectPreview can duplicate some information | |
25993 | in the protocol messages if a preview is provided, but simplifies | |
25994 | previews, so that all the information you need for any RemoteObject | |
25995 | preview is available. To slim messages further, make "overflow" and | |
25996 | "properties" only available on previews that may contain properties. | |
25997 | So, not primitives or null. | |
25998 | ||
25999 | Finally, for "Map/Set/WeakMap" add an "entries" list to the preview | |
26000 | that will return previews with "key" and "value" properties depending | |
26001 | on the collection type. To get live, non-preview objects from a | |
26002 | collection, use Runtime.getCollectionEntries. | |
26003 | ||
26004 | In order to keep the WeakMap's values Weak the frontend may provide | |
26005 | a unique object group name when getting collection entries. It may | |
26006 | then release that object group, e.g. when not showing the WeakMap's | |
26007 | values to the user, and thus remove the strong reference to the keys | |
26008 | so they may be garbage collected. | |
26009 | ||
26010 | * runtime/WeakMapData.h: | |
26011 | (JSC::WeakMapData::begin): | |
26012 | (JSC::WeakMapData::end): | |
26013 | Expose iterators so the Inspector may access WeakMap keys/values. | |
26014 | ||
26015 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
26016 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
26017 | (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries): | |
26018 | * inspector/JSInjectedScriptHost.h: | |
26019 | * inspector/JSInjectedScriptHost.cpp: | |
26020 | (Inspector::JSInjectedScriptHost::subtype): | |
26021 | Discern "map", "set", and "weakmap" object subtypes. | |
26022 | ||
26023 | (Inspector::JSInjectedScriptHost::weakMapEntries): | |
26024 | Return a list of WeakMap entries. These are strong references | |
26025 | that the Inspector code is responsible for releasing. | |
26026 | ||
26027 | * inspector/protocol/Runtime.json: | |
26028 | Update types and expose the new getCollectionEntries command. | |
26029 | ||
26030 | * inspector/agents/InspectorRuntimeAgent.h: | |
26031 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
26032 | (Inspector::InspectorRuntimeAgent::getCollectionEntries): | |
26033 | * inspector/InjectedScript.h: | |
26034 | * inspector/InjectedScript.cpp: | |
26035 | (Inspector::InjectedScript::getInternalProperties): | |
26036 | (Inspector::InjectedScript::getCollectionEntries): | |
26037 | Pass through to the InjectedScript and call getCollectionEntries. | |
26038 | ||
26039 | * inspector/scripts/codegen/generator.py: | |
26040 | Add another type with runtime casting. | |
26041 | ||
26042 | * inspector/InjectedScriptSource.js: | |
26043 | - Implement getCollectionEntries to get a range of values from a | |
26044 | collection. The non-Weak collections have an order to their keys (in | |
26045 | order of added) so range'd gets are okay. WeakMap does not have an | |
26046 | order, so only allow fetching a number of values. | |
26047 | - Update preview generation to address the Runtime.ObjectPreview | |
26048 | type changes. | |
26049 | ||
26050 | 2015-01-28 Geoffrey Garen <ggaren@apple.com> | |
26051 | ||
26052 | Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages | |
26053 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
26054 | ||
26055 | Reviewed by Mark Hahnenberg. | |
26056 | ||
26057 | Re-landing just the GCArraySegment piece of this patch. | |
26058 | ||
26059 | * heap/CodeBlockSet.cpp: | |
26060 | (JSC::CodeBlockSet::CodeBlockSet): | |
26061 | * heap/CodeBlockSet.h: | |
26062 | * heap/GCSegmentedArray.h: | |
26063 | (JSC::GCArraySegment::GCArraySegment): | |
26064 | * heap/GCSegmentedArrayInlines.h: | |
26065 | (JSC::GCSegmentedArray<T>::GCSegmentedArray): | |
26066 | (JSC::GCSegmentedArray<T>::~GCSegmentedArray): | |
26067 | (JSC::GCSegmentedArray<T>::clear): | |
26068 | (JSC::GCSegmentedArray<T>::expand): | |
26069 | (JSC::GCSegmentedArray<T>::refill): | |
26070 | (JSC::GCArraySegment<T>::create): | |
26071 | (JSC::GCArraySegment<T>::destroy): | |
26072 | * heap/GCThreadSharedData.cpp: | |
26073 | (JSC::GCThreadSharedData::GCThreadSharedData): | |
26074 | * heap/Heap.cpp: | |
26075 | (JSC::Heap::Heap): | |
26076 | * heap/MarkStack.cpp: | |
26077 | (JSC::MarkStackArray::MarkStackArray): | |
26078 | * heap/MarkStack.h: | |
26079 | * heap/SlotVisitor.cpp: | |
26080 | (JSC::SlotVisitor::SlotVisitor): | |
26081 | ||
26082 | 2015-01-29 Csaba Osztrogonác <ossy@webkit.org> | |
26083 | ||
26084 | Move HAVE_DTRACE definition back to Platform.h | |
26085 | https://bugs.webkit.org/show_bug.cgi?id=141033 | |
26086 | ||
26087 | Reviewed by Dan Bernstein. | |
26088 | ||
26089 | * Configurations/Base.xcconfig: | |
26090 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
26091 | ||
26092 | 2015-01-28 Geoffrey Garen <ggaren@apple.com> | |
26093 | ||
26094 | Removed fastMallocForbid / fastMallocAllow | |
26095 | https://bugs.webkit.org/show_bug.cgi?id=141012 | |
26096 | ||
26097 | Reviewed by Mark Hahnenberg. | |
26098 | ||
26099 | Copy non-current thread stacks before scanning them instead of scanning | |
26100 | them in-place. | |
26101 | ||
26102 | This operation is uncommon (i.e., never in the web content process), | |
26103 | and even in a stress test with 4 threads it only copies about 27kB, | |
26104 | so I think the performance cost is OK. | |
26105 | ||
26106 | Scanning in-place requires a complex dance where we constrain our GC | |
26107 | data structures not to use malloc, free, or any other interesting functions | |
26108 | that might acquire locks. We've gotten this wrong many times in the past, | |
26109 | and I just got it wrong again yesterday. Since this code path is rarely | |
26110 | tested, I want it to just make sense, and not depend on or constrain the | |
26111 | details of the rest of the GC heap's design. | |
26112 | ||
26113 | * heap/MachineStackMarker.cpp: | |
26114 | (JSC::otherThreadStack): Factored out a helper function for dealing with | |
26115 | unaligned and/or backwards pointers. | |
26116 | ||
26117 | (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only | |
26118 | constrained function, and it only calls memcpy and low-level thread APIs. | |
26119 | ||
26120 | (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that | |
26121 | you do one pass over all the threads to compute their combined size, | |
26122 | and then a second pass to do all the copying. In theory, the threads may | |
26123 | grow in between passes, in which case you'll continue until the threads | |
26124 | stop growing. In practice, you never continue. | |
26125 | ||
26126 | (JSC::growBuffer): Helper function for growing. | |
26127 | ||
26128 | (JSC::MachineThreads::gatherConservativeRoots): | |
26129 | (JSC::MachineThreads::gatherFromOtherThread): Deleted. | |
26130 | * heap/MachineStackMarker.h: Updated for interface changes. | |
26131 | ||
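The two-pass copy described for tryCopyOtherThreadStacks above (measure all stacks, copy, repeat if a stack grew in between), as an added model that is not JavaScriptCore's code; FakeThread, its pendingGrowth field and the byte patterns are constructed so that the retry path is exercised:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added model, not JSC code: a "thread" is a byte vector standing in for a
// suspended thread's stack; growth between passes is simulated explicitly.
struct FakeThread {
    std::vector<uint8_t> stack;
    std::size_t pendingGrowth = 0; // bytes added after measuring (constructed race)
};

// Models JSC::growBuffer: ensure the scratch buffer holds at least `needed` bytes.
void growBuffer(std::vector<uint8_t>& buffer, std::size_t needed) {
    if (buffer.size() < needed)
        buffer.resize(needed);
}

// Models tryCopyOtherThreadStack, the single constrained function: it only
// calls memcpy. It returns the stack's current size and copies only when the
// stack fits, so the caller can detect that a stack grew.
std::size_t tryCopyOtherThreadStack(const FakeThread& thread, uint8_t* dst, std::size_t capacity) {
    std::size_t size = thread.stack.size();
    if (size > 0 && size <= capacity)
        std::memcpy(dst, thread.stack.data(), size);
    return size;
}

struct CopiedStacks {
    std::vector<uint8_t> buffer; // concatenated copies of every stack
    std::size_t bytesUsed = 0;
    std::size_t passes = 0;      // measure+copy rounds that were needed
};

// Models tryCopyOtherThreadStacks: pass 1 sums the stack sizes, pass 2 copies.
// If a stack grew in between, the copy overflows and both passes run again.
CopiedStacks copyOtherThreadStacks(std::vector<FakeThread>& threads) {
    CopiedStacks result;
    for (;;) {
        ++result.passes;
        std::size_t total = 0;
        for (const FakeThread& t : threads)
            total += t.stack.size();
        growBuffer(result.buffer, total);

        // Simulated race: pending growth lands after measuring, before copying.
        for (FakeThread& t : threads) {
            t.stack.resize(t.stack.size() + t.pendingGrowth, 0xEE);
            t.pendingGrowth = 0;
        }

        std::size_t used = 0;
        bool overflow = false;
        for (const FakeThread& t : threads) {
            std::size_t capacity = result.buffer.size() - used;
            std::size_t needed = tryCopyOtherThreadStack(t, result.buffer.data() + used, capacity);
            if (needed > capacity) { overflow = true; break; }
            used += needed;
        }
        if (!overflow) {
            result.bytesUsed = used;
            return result;
        }
        // A stack grew between the passes: go around again with a bigger buffer.
    }
}

// True when the buffer is byte-for-byte the concatenation of the stacks as
// they are now, i.e. the copy saw the grown stacks rather than the measured ones.
bool copyMatches(const std::vector<FakeThread>& threads, const CopiedStacks& copy) {
    std::size_t offset = 0;
    for (const FakeThread& t : threads) {
        if (offset + t.stack.size() > copy.bytesUsed) return false;
        if (std::memcmp(copy.buffer.data() + offset, t.stack.data(), t.stack.size()) != 0) return false;
        offset += t.stack.size();
    }
    return offset == copy.bytesUsed;
}

struct Scenario { std::vector<FakeThread> threads; CopiedStacks copy; bool matches = false; };

// Constructed scenario: two threads; the second grows by 50 bytes mid-copy.
Scenario runScenario(std::size_t secondThreadGrowth) {
    Scenario s;
    FakeThread a; a.stack.assign(100, 0x11);
    FakeThread b; b.stack.assign(200, 0x22); b.pendingGrowth = secondThreadGrowth;
    s.threads.push_back(a);
    s.threads.push_back(b);
    s.copy = copyOtherThreadStacks(s.threads);
    s.matches = copyMatches(s.threads, s.copy);
    return s;
}
Scenario runGrowthScenario() { return runScenario(50); }
Scenario runNoGrowthScenario() { return runScenario(0); }
```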
26132 | 2015-01-28 Brian J. Burg <burg@cs.washington.edu> | |
26133 | ||
26134 | Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code | |
26135 | https://bugs.webkit.org/show_bug.cgi?id=140961 | |
26136 | ||
26137 | Reviewed by Timothy Hatcher. | |
26138 | ||
26139 | * inspector/protocol/CSS.json: Remove unused protocol methods. | |
26140 | ||
26141 | 2015-01-28 Dana Burkart <dburkart@apple.com> | |
26142 | ||
26143 | Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig | |
26144 | https://bugs.webkit.org/show_bug.cgi?id=136765 | |
26145 | ||
26146 | Reviewed by Alexey Proskuryakov. | |
26147 | ||
26148 | * Configurations/Base.xcconfig: | |
26149 | * Configurations/DebugRelease.xcconfig: | |
26150 | ||
26151 | 2015-01-27 Filip Pizlo <fpizlo@apple.com> | |
26152 | ||
26153 | ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise | |
26154 | https://bugs.webkit.org/show_bug.cgi?id=140980 | |
26155 | ||
26156 | Reviewed by Oliver Hunt. | |
26157 | ||
26158 | * bytecode/CallLinkStatus.cpp: | |
26159 | (JSC::CallLinkStatus::computeFor): | |
26160 | ||
26161 | 2015-01-27 Filip Pizlo <fpizlo@apple.com> | |
26162 | ||
26163 | Move DFGBinarySwitch out of the DFG so that all of the JITs can use it | |
26164 | https://bugs.webkit.org/show_bug.cgi?id=140959 | |
26165 | ||
26166 | Rubber stamped by Geoffrey Garen. | |
26167 | ||
26168 | I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660. | |
26169 | This code no longer has DFG dependencies so this is a very clean move. | |
26170 | ||
26171 | * CMakeLists.txt: | |
26172 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
26173 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
26174 | * dfg/DFGBinarySwitch.cpp: Removed. | |
26175 | * dfg/DFGBinarySwitch.h: Removed. | |
26176 | * dfg/DFGSpeculativeJIT.cpp: | |
26177 | * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp. | |
26178 | * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h. | |
26179 | ||
26180 | 2015-01-27 Commit Queue <commit-queue@webkit.org> | |
26181 | ||
26182 | Unreviewed, rolling out r179192. | |
26183 | https://bugs.webkit.org/show_bug.cgi?id=140953 | |
26184 | ||
26185 | Caused numerous layout test failures (Requested by mattbaker_ | |
26186 | on #webkit). | |
26187 | ||
26188 | Reverted changeset: | |
26189 | ||
26190 | "Use FastMalloc (bmalloc) instead of BlockAllocator for GC | |
26191 | pages" | |
26192 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
26193 | http://trac.webkit.org/changeset/179192 | |
26194 | ||
26195 | 2015-01-27 Michael Saboff <msaboff@apple.com> | |
26196 | ||
26197 | REGRESSION(r178591): 20% regression in Octane box2d | |
26198 | https://bugs.webkit.org/show_bug.cgi?id=140948 | |
26199 | ||
26200 | Reviewed by Geoffrey Garen. | |
26201 | ||
26202 | Added a check that we have a lexical environment to the arguments-is-captured check. | |
26203 | It doesn't make sense to resolve "arguments" when it really isn't captured. | |
26204 | ||
26205 | * bytecompiler/BytecodeGenerator.cpp: | |
26206 | (JSC::BytecodeGenerator::willResolveToArgumentsRegister): | |
26207 | ||
26208 | 2015-01-26 Geoffrey Garen <ggaren@apple.com> | |
26209 | ||
26210 | Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages | |
26211 | https://bugs.webkit.org/show_bug.cgi?id=140900 | |
26212 | ||
26213 | Reviewed by Mark Hahnenberg. | |
26214 | ||
26215 | Removes some more custom allocation code. | |
26216 | ||
26217 | Looks like a speedup. (See results attached to bugzilla.) | |
26218 | ||
26219 | Will hopefully reduce memory use by improving sharing between the GC and | |
26220 | malloc heaps. | |
26221 | ||
26222 | * API/JSBase.cpp: | |
26223 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
26224 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
26225 | * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler. | |
26226 | ||
26227 | * heap/BlockAllocator.cpp: Removed. | |
26228 | * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore. | |
26229 | ||
26230 | * heap/CodeBlockSet.cpp: | |
26231 | (JSC::CodeBlockSet::CodeBlockSet): | |
26232 | * heap/CodeBlockSet.h: Feed the compiler. | |
26233 | ||
26234 | * heap/CopiedBlock.h: | |
26235 | (JSC::CopiedBlock::createNoZeroFill): | |
26236 | (JSC::CopiedBlock::create): | |
26237 | (JSC::CopiedBlock::CopiedBlock): | |
26238 | (JSC::CopiedBlock::isOversize): | |
26239 | (JSC::CopiedBlock::payloadEnd): | |
26240 | (JSC::CopiedBlock::capacity): | |
26241 | * heap/CopiedBlockInlines.h: | |
26242 | (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its | |
26243 | own size, since we can't rely on Region to tell us our size anymore. | |
26244 | ||
26245 | * heap/CopiedSpace.cpp: | |
26246 | (JSC::CopiedSpace::~CopiedSpace): | |
26247 | (JSC::CopiedSpace::tryAllocateOversize): | |
26248 | (JSC::CopiedSpace::tryReallocateOversize): | |
26249 | * heap/CopiedSpaceInlines.h: | |
26250 | (JSC::CopiedSpace::recycleEvacuatedBlock): | |
26251 | (JSC::CopiedSpace::recycleBorrowedBlock): | |
26252 | (JSC::CopiedSpace::allocateBlockForCopyingPhase): | |
26253 | (JSC::CopiedSpace::allocateBlock): | |
26254 | (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather | |
26255 | than pushing them onto the block allocator's free list; the block | |
26256 | allocator doesn't exist anymore. | |
26257 | ||
26258 | * heap/CopyWorkList.h: | |
26259 | (JSC::CopyWorkListSegment::create): | |
26260 | (JSC::CopyWorkListSegment::CopyWorkListSegment): | |
26261 | (JSC::CopyWorkList::~CopyWorkList): | |
26262 | (JSC::CopyWorkList::append): | |
26263 | (JSC::CopyWorkList::CopyWorkList): Deleted. | |
26264 | * heap/GCSegmentedArray.h: | |
26265 | (JSC::GCArraySegment::GCArraySegment): | |
26266 | * heap/GCSegmentedArrayInlines.h: | |
26267 | (JSC::GCSegmentedArray<T>::GCSegmentedArray): | |
26268 | (JSC::GCSegmentedArray<T>::~GCSegmentedArray): | |
26269 | (JSC::GCSegmentedArray<T>::clear): | |
26270 | (JSC::GCSegmentedArray<T>::expand): | |
26271 | (JSC::GCSegmentedArray<T>::refill): | |
26272 | (JSC::GCArraySegment<T>::create): | |
26273 | * heap/GCThreadSharedData.cpp: | |
26274 | (JSC::GCThreadSharedData::GCThreadSharedData): | |
26275 | * heap/GCThreadSharedData.h: Feed the compiler. | |
26276 | ||
26277 | * heap/HandleBlock.h: | |
26278 | * heap/HandleBlockInlines.h: | |
26279 | (JSC::HandleBlock::create): | |
26280 | (JSC::HandleBlock::HandleBlock): | |
26281 | (JSC::HandleBlock::payloadEnd): | |
26282 | * heap/HandleSet.cpp: | |
26283 | (JSC::HandleSet::~HandleSet): | |
26284 | (JSC::HandleSet::grow): Same as above. | |
26285 | ||
26286 | * heap/Heap.cpp: | |
26287 | (JSC::Heap::Heap): | |
26288 | * heap/Heap.h: Removed the block allocator since it is unused now. | |
26289 | ||
26290 | * heap/HeapBlock.h: | |
26291 | (JSC::HeapBlock::destroy): | |
26292 | (JSC::HeapBlock::HeapBlock): | |
26293 | (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each | |
26294 | HeapBlock since a HeapBlock is just a normal allocation now. | |
26295 | ||
26296 | * heap/HeapInlines.h: | |
26297 | (JSC::Heap::blockAllocator): Deleted. | |
26298 | ||
26299 | * heap/HeapTimer.cpp: | |
26300 | * heap/MarkStack.cpp: | |
26301 | (JSC::MarkStackArray::MarkStackArray): | |
26302 | * heap/MarkStack.h: Feed the compiler. | |
26303 | ||
26304 | * heap/MarkedAllocator.cpp: | |
26305 | (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path | |
26306 | based on size, since we use a general purpose allocator now. | |
26307 | ||
26308 | * heap/MarkedBlock.cpp: | |
26309 | (JSC::MarkedBlock::create): | |
26310 | (JSC::MarkedBlock::destroy): | |
26311 | (JSC::MarkedBlock::MarkedBlock): | |
26312 | * heap/MarkedBlock.h: | |
26313 | (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock. | |
26314 | ||
26315 | * heap/MarkedSpace.cpp: | |
26316 | (JSC::MarkedSpace::freeBlock): | |
26317 | * heap/MarkedSpace.h: | |
26318 | ||
26319 | * heap/Region.h: Removed. | |
26320 | ||
26321 | * heap/SlotVisitor.cpp: | |
26322 | (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator. | |
26323 | ||
26324 | * heap/SuperRegion.cpp: Removed. | |
26325 | * heap/SuperRegion.h: Removed. | |
26326 | ||
26327 | * heap/WeakBlock.cpp: | |
26328 | (JSC::WeakBlock::create): | |
26329 | (JSC::WeakBlock::WeakBlock): | |
26330 | * heap/WeakBlock.h: | |
26331 | * heap/WeakSet.cpp: | |
26332 | (JSC::WeakSet::~WeakSet): | |
26333 | (JSC::WeakSet::addAllocator): | |
26334 | (JSC::WeakSet::removeAllocator): Removed reference to block allocator. | |
26335 | ||
26336 | 2015-01-27 Csaba Osztrogonác <ossy@webkit.org> | |
26337 | ||
26338 | [ARM] Typo fix after r176083 | |
26339 | https://bugs.webkit.org/show_bug.cgi?id=140937 | |
26340 | ||
26341 | Reviewed by Anders Carlsson. | |
26342 | ||
26343 | * assembler/ARMv7Assembler.h: | |
26344 | (JSC::ARMv7Assembler::ldrh): | |
26345 | ||
26346 | 2015-01-27 Csaba Osztrogonác <ossy@webkit.org> | |
26347 | ||
26348 | [Win] Unreviewed gardening, skip failing tests. | |
26349 | ||
26350 | * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928. | |
26351 | * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927. | |
26352 | ||
26353 | 2015-01-26 Csaba Osztrogonác <ossy@webkit.org> | |
26354 | ||
26355 | [Win] Enable JSC stress tests by default | |
26356 | https://bugs.webkit.org/show_bug.cgi?id=128307 | |
26357 | ||
26358 | Unreviewed typo fix after r179165. | |
26359 | ||
26360 | * tests/mozilla/mozilla-tests.yaml: | |
26361 | ||
26362 | 2015-01-26 Csaba Osztrogonác <ossy@webkit.org> | |
26363 | ||
26364 | [Win] Enable JSC stress tests by default | |
26365 | https://bugs.webkit.org/show_bug.cgi?id=128307 | |
26366 | ||
26367 | Reviewed by Brent Fulgham. | |
26368 | ||
26369 | * tests/mozilla/mozilla-tests.yaml: Skipped on Windows. | |
26370 | * tests/stress/ftl-arithcos.js: Skipped on Windows. | |
26371 | ||
26372 | 2015-01-26 Ryosuke Niwa <rniwa@webkit.org> | |
26373 | ||
26374 | Parse a function expression as a primary expression | |
26375 | https://bugs.webkit.org/show_bug.cgi?id=140908 | |
26376 | ||
26377 | Reviewed by Mark Lam. | |
26378 | ||
26379 | Moved the code to generate an AST node for a function expression from parseMemberExpression | |
26380 | to parsePrimaryExpression to match the ES6 specification terminology: | |
26381 | https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression | |
26382 | ||
26383 | There should be no behavior change from this change since parsePrimaryExpression is only | |
26384 | called in parseMemberExpression other than the fact that failIfStackOverflow() is called. | |
26385 | ||
26386 | * parser/Parser.cpp: | |
26387 | (JSC::Parser<LexerType>::parsePrimaryExpression): | |
26388 | (JSC::Parser<LexerType>::parseMemberExpression): | |
26389 | ||
26390 | 2015-01-26 Myles C. Maxfield <mmaxfield@apple.com> | |
26391 | ||
26392 | [iOS] [SVG -> OTF Converter] Flip the switch off on iOS | |
26393 | https://bugs.webkit.org/show_bug.cgi?id=140860 | |
26394 | ||
26395 | Reviewed by Darin Adler. | |
26396 | ||
26397 | The fonts it makes are grotesque. (See what I did there? Typographic | |
26398 | humor is the best humor.) | |
26399 | ||
26400 | * Configurations/FeatureDefines.xcconfig: | |
26401 | ||
26402 | 2015-01-23 Joseph Pecoraro <pecoraro@apple.com> | |
26403 | ||
26404 | Web Inspector: Rename InjectedScriptHost::type to subtype | |
26405 | https://bugs.webkit.org/show_bug.cgi?id=140841 | |
26406 | ||
26407 | Reviewed by Timothy Hatcher. | |
26408 | ||
26409 | We were using this to set the subtype of an "object" type RemoteObject | |
26410 | so we should clean up the name and call it subtype. | |
26411 | ||
26412 | * inspector/InjectedScriptHost.h: | |
26413 | * inspector/InjectedScriptSource.js: | |
26414 | * inspector/JSInjectedScriptHost.cpp: | |
26415 | (Inspector::JSInjectedScriptHost::subtype): | |
26416 | (Inspector::JSInjectedScriptHost::type): Deleted. | |
26417 | * inspector/JSInjectedScriptHost.h: | |
26418 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
26419 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
26420 | (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype): | |
26421 | (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted. | |
26422 | ||
26423 | 2015-01-23 Michael Saboff <msaboff@apple.com> | |
26424 | ||
26425 | LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds | |
26426 | https://bugs.webkit.org/show_bug.cgi?id=140843 | |
26427 | ||
26428 | Reviewed by Oliver Hunt. | |
26429 | ||
26430 | When we are in vmEntryToJavaScript, we keep the stack pointer at an | |
26431 | alignment suitable for pointing to a call frame header, which is the | |
26432 | alignment post making a call. We adjust the sp when calling to JS code, | |
26433 | but don't adjust it before calling the out of stack handler. | |
26434 | ||
26435 | * llint/LowLevelInterpreter32_64.asm: | |
26436 | Moved stack pointer down 8 bytes to get it aligned. | |
26437 | ||
26438 | 2015-01-23 Joseph Pecoraro <pecoraro@apple.com> | |
26439 | ||
26440 | Web Inspector: Object Previews in the Console | |
26441 | https://bugs.webkit.org/show_bug.cgi?id=129204 | |
26442 | ||
26443 | Reviewed by Timothy Hatcher. | |
26444 | ||
26445 | Update the very old, unused object preview code. Part of this comes from | |
26446 | the earlier WebKit legacy implementation, and the Blink implementation. | |
26447 | ||
26448 | A RemoteObject may include a preview, if it is asked for, and if the | |
26449 | RemoteObject is an object. Previews are a shallow (single level) list | |
26450 | of a limited number of properties on the object. The previewed | |
26451 | properties are always stringified (even if primitives). Previews are | |
26452 | limited to just 5 properties or 100 indices. Previews are marked | |
26453 | as lossless if they are a complete snapshot of the object. | |
26454 | ||
26455 | There is a path to make previews two levels deep, that is currently | |
26456 | unused but should soon be used for tables (e.g. IndexedDB). | |
26457 | ||
26458 | * inspector/InjectedScriptSource.js: | |
26459 | - Move some code off of InjectedScript to be generic functions | |
26460 | usable by RemoteObject as well. | |
26461 | - Update preview generation to use | |
26462 | ||
26463 | * inspector/protocol/Runtime.json: | |
26464 | - Add a new type, "accessor" for preview objects. This represents | |
26465 | a getter / setter. We currently don't get the value. | |
26466 | ||
26467 | 2015-01-23 Michael Saboff <msaboff@apple.com> | |
26468 | ||
26469 | Immediate crash when setting JS breakpoint | |
26470 | https://bugs.webkit.org/show_bug.cgi?id=140811 | |
26471 | ||
26472 | Reviewed by Mark Lam. | |
26473 | ||
26474 | When the DFG stack layout phase doesn't allocate a register for the scope register, | |
26475 | it incorrectly sets the scope register in the code block to a bad value, one with | |
26476 | an offset of 0. Changed it so that we set the code block's scope register to the | |
26477 | invalid VirtualRegister instead. | |
26478 | ||
26479 | No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug. | |
26480 | We crash with that ASSERT in testapi and likely many other tests as well. | |
26481 | ||
26482 | * bytecode/CodeBlock.cpp: | |
26483 | (JSC::CodeBlock::CodeBlock): | |
26484 | * bytecode/CodeBlock.h: | |
26485 | (JSC::CodeBlock::setScopeRegister): | |
26486 | (JSC::CodeBlock::scopeRegister): | |
26487 | Added ASSERTs to catch any future improper setting of the code block's scope register. | |
26488 | ||
26489 | * dfg/DFGStackLayoutPhase.cpp: | |
26490 | (JSC::DFG::StackLayoutPhase::run): | |
26491 | ||
26492 | 2015-01-22 Mark Hahnenberg <mhahnenb@gmail.com> | |
26493 | ||
26494 | EdenCollections unnecessarily visit SmallStrings | |
26495 | https://bugs.webkit.org/show_bug.cgi?id=140762 | |
26496 | ||
26497 | Reviewed by Geoffrey Garen. | |
26498 | ||
26499 | * heap/Heap.cpp: | |
26500 | (JSC::Heap::copyBackingStores): Also added a GCPhase for copying | |
26501 | backing stores, which is a significant portion of garbage collection. | |
26502 | (JSC::Heap::visitSmallStrings): Check to see if we need to visit | |
26503 | SmallStrings based on the collection type. | |
26504 | * runtime/SmallStrings.cpp: | |
26505 | (JSC::SmallStrings::SmallStrings): | |
26506 | (JSC::SmallStrings::visitStrongReferences): Set the fact that we have | |
26507 | visited the SmallStrings since the last modification. | |
26508 | * runtime/SmallStrings.h: | |
26509 | (JSC::SmallStrings::needsToBeVisited): If we're doing a | |
26510 | FullCollection, we need to visit. Otherwise, it depends on whether | |
26511 | we've been visited since the last modification/allocation. | |
26512 | ||
26513 | 2015-01-22 Ryosuke Niwa <rniwa@webkit.org> | |
26514 | ||
26515 | Add a build flag for ES6 class syntax | |
26516 | https://bugs.webkit.org/show_bug.cgi?id=140760 | |
26517 | ||
26518 | Reviewed by Michael Saboff. | |
26519 | ||
26520 | Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize | |
26521 | "class", "extends", "static" and "super" keywords. | |
26522 | ||
26523 | * Configurations/FeatureDefines.xcconfig: | |
26524 | * parser/Keywords.table: | |
26525 | * parser/ParserTokens.h: | |
26526 | ||
26527 | 2015-01-22 Commit Queue <commit-queue@webkit.org> | |
26528 | ||
26529 | Unreviewed, rolling out r178894. | |
26530 | https://bugs.webkit.org/show_bug.cgi?id=140775 | |
26531 | ||
26532 | Broke JSC and bindings tests (Requested by ap_ on #webkit). | |
26533 | ||
26534 | Reverted changeset: | |
26535 | ||
26536 | "put_by_val_direct need to check the property is index or not | |
26537 | for using putDirect / putDirectIndex" | |
26538 | https://bugs.webkit.org/show_bug.cgi?id=140426 | |
26539 | http://trac.webkit.org/changeset/178894 | |
26540 | ||
26541 | 2015-01-22 Mark Lam <mark.lam@apple.com> | |
26542 | ||
26543 | BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope. | |
26544 | <https://webkit.org/b/140743> | |
26545 | ||
26546 | Reviewed by Oliver Hunt. | |
26547 | ||
26548 | BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to | |
26549 | op_put_to_scope to an inappropriate value (i.e. 0). As a result, the execution | |
26550 | of put_to_scope could store a wrong inferred value into the VariableWatchpointSet | |
26551 | for whichever captured variable is at local index 0. In practice, this turns | |
26552 | out to be the local for the Arguments object. In this reproduction case in the | |
26553 | bug, the wrong inferred value written there is the boolean true. | |
26554 | ||
26555 | Subsequently, DFG compilation occurs and CreateArguments is emitted to first do | |
26556 | a check of the local for the Arguments object. But because that local has a | |
26557 | wrong inferred value, the check always discovers a non-null value and we never | |
26558 | actually create the Arguments object. Immediately after this, an OSR exit | |
26559 | occurs leaving the Arguments object local uninitialized. Later on at arguments | |
26560 | tear off, we run into a boolean true where we had expected to find an Arguments | |
26561 | object, which in turn, leads to the crash. | |
26562 | ||
26563 | The fix is to: | |
26564 | 1. In the case where the resolveModeType is LocalClosureVar, change the | |
26565 | 5th operand of op_put_to_scope to be a boolean. True means that the | |
26566 | local var is watchable. False means it is not watchable. We no longer | |
26567 | pass the local index (instead of true) and UINT_MAX (instead of false). | |
26568 | ||
26569 | This allows us to express more clearly in the code what that value means, | |
26570 | as well as remove the redundant way of getting the local's identifier. | |
26571 | The identifier is always the one passed in the 2nd operand. | |
26572 | ||
26573 | 2. Previously, though intuitively, we know that the watchable variable | |
26574 | identifier should be the same as the one that is passed in operand 2, this | |
26575 | relationship was not clear in the code. By code analysis, I confirmed that | |
26576 | the callers of BytecodeGenerator::emitPutToScope() always use the same | |
26577 | identifier for operand 2 and for filling out the ResolveScopeInfo from | |
26578 | which we get the watchable variable identifier later. I've changed the | |
26579 | code to make this clear now by always using the identifier passed in | |
26580 | operand 2. | |
26581 | ||
26582 | 3. In the case where the resolveModeType is LocalClosureVar, | |
26583 | initializeCapturedVariable() and emitPutToScope() will now query | |
26584 | hasWatchableVariable() to determine if the local is watchable or not. | |
26585 | Accordingly, we pass the boolean result of hasWatchableVariable() as | |
26586 | operand 5 of op_put_to_scope. | |
26587 | ||
26588 | Also added some assertions. | |
26589 | ||
26590 | * bytecode/CodeBlock.cpp: | |
26591 | (JSC::CodeBlock::CodeBlock): | |
26592 | * bytecompiler/BytecodeGenerator.cpp: | |
26593 | (JSC::BytecodeGenerator::initializeCapturedVariable): | |
26594 | (JSC::BytecodeGenerator::hasConstant): | |
26595 | (JSC::BytecodeGenerator::emitPutToScope): | |
26596 | * bytecompiler/BytecodeGenerator.h: | |
26597 | (JSC::BytecodeGenerator::hasWatchableVariable): | |
26598 | (JSC::BytecodeGenerator::watchableVariableIdentifier): | |
26599 | (JSC::BytecodeGenerator::watchableVariable): Deleted. | |
26600 | ||
26601 | 2015-01-22 Ryosuke Niwa <rniwa@webkit.org> | |
26602 | ||
26603 | PropertyListNode::emitNode duplicates the code to put a constant property | |
26604 | https://bugs.webkit.org/show_bug.cgi?id=140761 | |
26605 | ||
26606 | Reviewed by Geoffrey Garen. | |
26607 | ||
26608 | Extracted PropertyListNode::emitPutConstantProperty to share the code. | |
26609 | ||
26610 | Also made PropertyListNode::emitBytecode private since nobody is calling this function directly. | |
26611 | ||
26612 | * bytecompiler/NodesCodegen.cpp: | |
26613 | (JSC::PropertyListNode::emitBytecode): | |
26614 | (JSC::PropertyListNode::emitPutConstantProperty): Added. | |
26615 | * parser/Nodes.h: | |
26616 | ||
26617 | 2015-01-22 Yusuke Suzuki <utatane.tea@gmail.com> | |
26618 | ||
26619 | put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex | |
26620 | https://bugs.webkit.org/show_bug.cgi?id=140426 | |
26621 | ||
26622 | Reviewed by Geoffrey Garen. | |
26623 | ||
26624 | In the put_by_val_direct operation, we use JSObject::putDirect. | |
26625 | However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex. | |
26626 | This patch changes Identifier::asIndex() to return Optional<uint32_t>. | |
26627 | It forces callers to check explicitly whether the value is an index. | |
26628 | Additionally, it checks whether the toString-ed Identifier is an index to choose putDirect / putDirectIndex. | |
26629 | ||
26630 | * bytecode/GetByIdStatus.cpp: | |
26631 | (JSC::GetByIdStatus::computeFor): | |
26632 | * bytecode/PutByIdStatus.cpp: | |
26633 | (JSC::PutByIdStatus::computeFor): | |
26634 | * bytecompiler/BytecodeGenerator.cpp: | |
26635 | (JSC::BytecodeGenerator::emitDirectPutById): | |
26636 | * dfg/DFGOperations.cpp: | |
26637 | (JSC::DFG::operationPutByValInternal): | |
26638 | * jit/JITOperations.cpp: | |
26639 | * jit/Repatch.cpp: | |
26640 | (JSC::emitPutTransitionStubAndGetOldStructure): | |
26641 | * jsc.cpp: | |
26642 | * llint/LLIntSlowPaths.cpp: | |
26643 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
26644 | * runtime/Arguments.cpp: | |
26645 | (JSC::Arguments::getOwnPropertySlot): | |
26646 | (JSC::Arguments::put): | |
26647 | (JSC::Arguments::deleteProperty): | |
26648 | (JSC::Arguments::defineOwnProperty): | |
26649 | * runtime/ArrayPrototype.cpp: | |
26650 | (JSC::arrayProtoFuncSort): | |
26651 | * runtime/JSArray.cpp: | |
26652 | (JSC::JSArray::defineOwnProperty): | |
26653 | * runtime/JSCJSValue.cpp: | |
26654 | (JSC::JSValue::putToPrimitive): | |
26655 | * runtime/JSGenericTypedArrayViewInlines.h: | |
26656 | (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot): | |
26657 | (JSC::JSGenericTypedArrayView<Adaptor>::put): | |
26658 | (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): | |
26659 | (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty): | |
26660 | * runtime/JSObject.cpp: | |
26661 | (JSC::JSObject::put): | |
26662 | (JSC::JSObject::putDirectAccessor): | |
26663 | (JSC::JSObject::putDirectCustomAccessor): | |
26664 | (JSC::JSObject::deleteProperty): | |
26665 | (JSC::JSObject::putDirectMayBeIndex): | |
26666 | (JSC::JSObject::defineOwnProperty): | |
26667 | * runtime/JSObject.h: | |
26668 | (JSC::JSObject::getOwnPropertySlot): | |
26669 | (JSC::JSObject::getPropertySlot): | |
26670 | (JSC::JSObject::putDirectInternal): | |
26671 | * runtime/JSString.cpp: | |
26672 | (JSC::JSString::getStringPropertyDescriptor): | |
26673 | * runtime/JSString.h: | |
26674 | (JSC::JSString::getStringPropertySlot): | |
26675 | * runtime/LiteralParser.cpp: | |
26676 | (JSC::LiteralParser<CharType>::parse): | |
26677 | * runtime/PropertyName.h: | |
26678 | (JSC::toUInt32FromCharacters): | |
26679 | (JSC::toUInt32FromStringImpl): | |
26680 | (JSC::PropertyName::asIndex): | |
26681 | * runtime/PropertyNameArray.cpp: | |
26682 | (JSC::PropertyNameArray::add): | |
26683 | * runtime/StringObject.cpp: | |
26684 | (JSC::StringObject::deleteProperty): | |
26685 | * runtime/Structure.cpp: | |
26686 | (JSC::Structure::prototypeChainMayInterceptStoreTo): | |
26687 | ||
26688 | 2015-01-21 Ryosuke Niwa <rniwa@webkit.org> | |
26689 | ||
26690 | Consolidate out arguments of parseFunctionInfo into a struct | |
26691 | https://bugs.webkit.org/show_bug.cgi?id=140754 | |
26692 | ||
26693 | Reviewed by Oliver Hunt. | |
26694 | ||
26695 | Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo. | |
26696 | ||
26697 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
26698 | * parser/ASTBuilder.h: | |
26699 | (JSC::ASTBuilder::createFunctionExpr): | |
26700 | (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to | |
26701 | ParserFunctionInfo since the property name and the function name could differ. | |
26702 | (JSC::ASTBuilder::createFuncDeclStatement): | |
26703 | * parser/Parser.cpp: | |
26704 | (JSC::Parser<LexerType>::parseFunctionInfo): | |
26705 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
26706 | (JSC::Parser<LexerType>::parseProperty): | |
26707 | (JSC::Parser<LexerType>::parseMemberExpression): | |
26708 | * parser/Parser.h: | |
26709 | * parser/ParserFunctionInfo.h: Added. | |
26710 | * parser/SyntaxChecker.h: | |
26711 | (JSC::SyntaxChecker::createFunctionExpr): | |
26712 | (JSC::SyntaxChecker::createFuncDeclStatement): | |
26713 | (JSC::SyntaxChecker::createClassDeclStatement): | |
26714 | (JSC::SyntaxChecker::createGetterOrSetterProperty): | |
26715 | ||
26716 | 2015-01-21 Mark Hahnenberg <mhahnenb@gmail.com> | |
26717 | ||
26718 | Change Heap::m_compiledCode to use a Vector | |
26719 | https://bugs.webkit.org/show_bug.cgi?id=140717 | |
26720 | ||
26721 | Reviewed by Andreas Kling. | |
26722 | ||
26723 | Right now it's a DoublyLinkedList, which is iterated during each | |
26724 | collection. This contributes to some of the longish Eden pause times. | |
26725 | A Vector would be more appropriate and would also allow ExecutableBase | |
26726 | to be 2 pointers smaller. | |
26727 | ||
26728 | * heap/Heap.cpp: | |
26729 | (JSC::Heap::deleteAllCompiledCode): | |
26730 | (JSC::Heap::deleteAllUnlinkedFunctionCode): | |
26731 | (JSC::Heap::clearUnmarkedExecutables): | |
26732 | * heap/Heap.h: | |
26733 | * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode. | |
26734 | ||
26735 | 2015-01-21 Ryosuke Niwa <rniwa@webkit.org> | |
26736 | ||
26737 | BytecodeGenerator shouldn't expose all of its member variables | |
26738 | https://bugs.webkit.org/show_bug.cgi?id=140752 | |
26739 | ||
26740 | Reviewed by Mark Lam. | |
26741 | ||
26742 | Added "private:" and removed unused data members as detected by clang. | |
26743 | ||
26744 | * bytecompiler/BytecodeGenerator.cpp: | |
26745 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
26746 | * bytecompiler/BytecodeGenerator.h: | |
26747 | (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode. | |
26748 | * bytecompiler/NodesCodegen.cpp: | |
26749 | (JSC::BinaryOpNode::emitBytecode): | |
26750 | ||
26751 | 2015-01-21 Joseph Pecoraro <pecoraro@apple.com> | |
26752 | ||
26753 | Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType | |
26754 | https://bugs.webkit.org/show_bug.cgi?id=140746 | |
26755 | ||
26756 | Reviewed by Timothy Hatcher. | |
26757 | ||
26758 | * inspector/InjectedScriptSource.js: | |
26759 | Do not add impure properties to the descriptor object that will | |
26760 | eventually be sent to the frontend. | |
26761 | ||
26762 | 2015-01-21 Matthew Mirman <mmirman@apple.com> | |
26763 | ||
26764 | Updated split such that it does not include the empty end of input string match. | |
26765 | https://bugs.webkit.org/show_bug.cgi?id=138129 | |
26766 | <rdar://problem/18807403> | |
26767 | ||
26768 | Reviewed by Filip Pizlo. | |
26769 | ||
26770 | * runtime/StringPrototype.cpp: | |
26771 | (JSC::stringProtoFuncSplit): | |
26772 | * tests/stress/empty_eos_regex_split.js: Added. | |
26773 | ||
26774 | 2015-01-21 Michael Saboff <msaboff@apple.com> | |
26775 | ||
26776 | Eliminate Scope slot from JavaScript CallFrame | |
26777 | https://bugs.webkit.org/show_bug.cgi?id=136724 | |
26778 | ||
26779 | Reviewed by Geoffrey Garen. | |
26780 | ||
26781 | This finishes the removal of the scope chain slot from the call frame header. | |
26782 | ||
26783 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
26784 | (JSC::DFG::reifyInlinedCallFrames): | |
26785 | * dfg/DFGPreciseLocalClobberize.h: | |
26786 | (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): | |
26787 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
26788 | (JSC::DFG::SpeculativeJIT::emitCall): | |
26789 | * dfg/DFGSpeculativeJIT64.cpp: | |
26790 | (JSC::DFG::SpeculativeJIT::emitCall): | |
26791 | * ftl/FTLJSCall.cpp: | |
26792 | (JSC::FTL::JSCall::emit): | |
26793 | * ftl/FTLLowerDFGToLLVM.cpp: | |
26794 | (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): | |
26795 | (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): | |
26796 | * interpreter/JSStack.h: | |
26797 | * interpreter/VMInspector.cpp: | |
26798 | (JSC::VMInspector::dumpFrame): | |
26799 | * jit/JITCall.cpp: | |
26800 | (JSC::JIT::compileOpCall): | |
26801 | * jit/JITCall32_64.cpp: | |
26802 | (JSC::JIT::compileOpCall): | |
26803 | * jit/JITOpcodes32_64.cpp: | |
26804 | (JSC::JIT::privateCompileCTINativeCall): | |
26805 | * jit/Repatch.cpp: | |
26806 | (JSC::generateByIdStub): | |
26807 | (JSC::linkClosureCall): | |
26808 | * jit/ThunkGenerators.cpp: | |
26809 | (JSC::virtualForThunkGenerator): | |
26810 | (JSC::nativeForGenerator): | |
26811 | Deleted ScopeChain slot from JSStack. Removed all code where ScopeChain was being | |
26812 | read or set. In most cases this was where we make JS calls. | |
26813 | ||
26814 | * interpreter/CallFrameClosure.h: | |
26815 | (JSC::CallFrameClosure::setArgument): | |
26816 | (JSC::CallFrameClosure::resetCallFrame): Deleted. | |
26817 | * interpreter/Interpreter.cpp: | |
26818 | (JSC::Interpreter::execute): | |
26819 | (JSC::Interpreter::executeCall): | |
26820 | (JSC::Interpreter::executeConstruct): | |
26821 | (JSC::Interpreter::prepareForRepeatCall): | |
26822 | * interpreter/ProtoCallFrame.cpp: | |
26823 | (JSC::ProtoCallFrame::init): | |
26824 | * interpreter/ProtoCallFrame.h: | |
26825 | (JSC::ProtoCallFrame::scope): Deleted. | |
26826 | (JSC::ProtoCallFrame::setScope): Deleted. | |
26827 | * llint/LLIntData.cpp: | |
26828 | (JSC::LLInt::Data::performAssertions): | |
26829 | * llint/LowLevelInterpreter.asm: | |
26830 | * llint/LowLevelInterpreter64.asm: | |
26831 | Removed the related scopeChainValue member from ProtoCallFrame. Reduced the number of | |
26832 | registers that needed to be copied from the ProtoCallFrame to a callee's frame | |
26833 | from 5 to 4. | |
26834 | ||
26835 | * llint/LowLevelInterpreter32_64.asm: | |
26836 | In addition to the prior changes, also deleted the unused macro getDeBruijnScope. | |
26837 | ||
26838 | 2015-01-21 Michael Saboff <msaboff@apple.com> | |
26839 | ||
26840 | Eliminate construct methods from NullGetterFunction and NullSetterFunction classes | |
26841 | https://bugs.webkit.org/show_bug.cgi?id=140708 | |
26842 | ||
26843 | Reviewed by Mark Lam. | |
26844 | ||
26845 | Eliminated construct methods and changed getConstructData() for both classes to return | |
26846 | ConstructTypeNone as they can never be called. | |
26847 | ||
26848 | * runtime/NullGetterFunction.cpp: | |
26849 | (JSC::NullGetterFunction::getConstructData): | |
26850 | (JSC::constructReturnUndefined): Deleted. | |
26851 | * runtime/NullSetterFunction.cpp: | |
26852 | (JSC::NullSetterFunction::getConstructData): | |
26853 | (JSC::constructReturnUndefined): Deleted. | |
26854 | ||
26855 | 2015-01-21 Csaba Osztrogonác <ossy@webkit.org> | |
26856 | ||
26857 | Remove ENABLE(INSPECTOR) ifdef guards | |
26858 | https://bugs.webkit.org/show_bug.cgi?id=140668 | |
26859 | ||
26860 | Reviewed by Darin Adler. | |
26861 | ||
26862 | * Configurations/FeatureDefines.xcconfig: | |
26863 | * bindings/ScriptValue.cpp: | |
26864 | (Deprecated::ScriptValue::toInspectorValue): | |
26865 | * bindings/ScriptValue.h: | |
26866 | * inspector/ConsoleMessage.cpp: | |
26867 | * inspector/ConsoleMessage.h: | |
26868 | * inspector/ContentSearchUtilities.cpp: | |
26869 | * inspector/ContentSearchUtilities.h: | |
26870 | * inspector/IdentifiersFactory.cpp: | |
26871 | * inspector/IdentifiersFactory.h: | |
26872 | * inspector/InjectedScript.cpp: | |
26873 | * inspector/InjectedScript.h: | |
26874 | * inspector/InjectedScriptBase.cpp: | |
26875 | * inspector/InjectedScriptBase.h: | |
26876 | * inspector/InjectedScriptHost.cpp: | |
26877 | * inspector/InjectedScriptHost.h: | |
26878 | * inspector/InjectedScriptManager.cpp: | |
26879 | * inspector/InjectedScriptManager.h: | |
26880 | * inspector/InjectedScriptModule.cpp: | |
26881 | * inspector/InjectedScriptModule.h: | |
26882 | * inspector/InspectorAgentRegistry.cpp: | |
26883 | * inspector/InspectorBackendDispatcher.cpp: | |
26884 | * inspector/InspectorBackendDispatcher.h: | |
26885 | * inspector/InspectorProtocolTypes.h: | |
26886 | * inspector/JSGlobalObjectConsoleClient.cpp: | |
26887 | * inspector/JSGlobalObjectInspectorController.cpp: | |
26888 | * inspector/JSGlobalObjectInspectorController.h: | |
26889 | * inspector/JSGlobalObjectScriptDebugServer.cpp: | |
26890 | * inspector/JSGlobalObjectScriptDebugServer.h: | |
26891 | * inspector/JSInjectedScriptHost.cpp: | |
26892 | * inspector/JSInjectedScriptHost.h: | |
26893 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
26894 | * inspector/JSInjectedScriptHostPrototype.h: | |
26895 | * inspector/JSJavaScriptCallFrame.cpp: | |
26896 | * inspector/JSJavaScriptCallFrame.h: | |
26897 | * inspector/JSJavaScriptCallFramePrototype.cpp: | |
26898 | * inspector/JSJavaScriptCallFramePrototype.h: | |
26899 | * inspector/JavaScriptCallFrame.cpp: | |
26900 | * inspector/JavaScriptCallFrame.h: | |
26901 | * inspector/ScriptCallFrame.cpp: | |
26902 | (Inspector::ScriptCallFrame::buildInspectorObject): | |
26903 | * inspector/ScriptCallFrame.h: | |
26904 | * inspector/ScriptCallStack.cpp: | |
26905 | (Inspector::ScriptCallStack::buildInspectorArray): | |
26906 | * inspector/ScriptCallStack.h: | |
26907 | * inspector/ScriptDebugServer.cpp: | |
26908 | * inspector/agents/InspectorAgent.cpp: | |
26909 | * inspector/agents/InspectorAgent.h: | |
26910 | * inspector/agents/InspectorConsoleAgent.cpp: | |
26911 | * inspector/agents/InspectorConsoleAgent.h: | |
26912 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
26913 | * inspector/agents/InspectorDebuggerAgent.h: | |
26914 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
26915 | * inspector/agents/InspectorRuntimeAgent.h: | |
26916 | * inspector/agents/JSGlobalObjectConsoleAgent.cpp: | |
26917 | * inspector/agents/JSGlobalObjectConsoleAgent.h: | |
26918 | * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: | |
26919 | * inspector/agents/JSGlobalObjectDebuggerAgent.h: | |
26920 | * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: | |
26921 | * inspector/agents/JSGlobalObjectRuntimeAgent.h: | |
26922 | * inspector/scripts/codegen/cpp_generator_templates.py: | |
26923 | (CppGeneratorTemplates): | |
26924 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
26925 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
26926 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
26927 | * inspector/scripts/tests/expected/enum-values.json-result: | |
26928 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
26929 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
26930 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
26931 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
26932 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
26933 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
26934 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
26935 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
26936 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
26937 | * runtime/TypeSet.cpp: | |
26938 | (JSC::TypeSet::inspectorTypeSet): | |
26939 | (JSC::StructureShape::inspectorRepresentation): | |
26940 | ||
26941 | 2015-01-20 Joseph Pecoraro <pecoraro@apple.com> | |
26942 | ||
26943 | Web Inspector: Clean up InjectedScriptSource.js | |
26944 | https://bugs.webkit.org/show_bug.cgi?id=140709 | |
26945 | ||
26946 | Reviewed by Timothy Hatcher. | |
26947 | ||
26948 | This patch includes some relevant Blink patches and small changes. | |
26949 | ||
26950 | Patch by <aandrey@chromium.org> | |
26951 | DevTools: Remove console last result $_ on console clear. | |
26952 | https://src.chromium.org/viewvc/blink?revision=179179&view=revision | |
26953 | ||
26954 | Patch by <eustas@chromium.org> | |
26955 | [Inspect DOM properties] incorrect CSS Selector Syntax | |
26956 | https://src.chromium.org/viewvc/blink?revision=156903&view=revision | |
26957 | ||
26958 | * inspector/InjectedScriptSource.js: | |
26959 | ||
26960 | 2015-01-20 Joseph Pecoraro <pecoraro@apple.com> | |
26961 | ||
26962 | Web Inspector: Cleanup RuntimeAgent a bit | |
26963 | https://bugs.webkit.org/show_bug.cgi?id=140706 | |
26964 | ||
26965 | Reviewed by Timothy Hatcher. | |
26966 | ||
26967 | * inspector/InjectedScript.h: | |
26968 | * inspector/InspectorBackendDispatcher.h: | |
26969 | * inspector/ScriptCallFrame.cpp: | |
26970 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
26971 | (Inspector::InspectorRuntimeAgent::evaluate): | |
26972 | (Inspector::InspectorRuntimeAgent::getProperties): | |
26973 | (Inspector::InspectorRuntimeAgent::run): | |
26974 | (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): | |
26975 | (Inspector::recompileAllJSFunctionsForTypeProfiling): | |
26976 | (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState): | |
26977 | ||
26978 | 2015-01-20 Matthew Mirman <mmirman@apple.com> | |
26979 | ||
26980 | Made Identity in the DFG allocate a new temp register and move | |
26981 | the old data to it. | |
26982 | https://bugs.webkit.org/show_bug.cgi?id=140700 | |
26983 | <rdar://problem/19339106> | |
26984 | ||
26985 | Reviewed by Filip Pizlo. | |
26986 | ||
26987 | * dfg/DFGSpeculativeJIT64.cpp: | |
26988 | (JSC::DFG::SpeculativeJIT::compile): | |
26989 | Added scratch registers for Identity. | |
26990 | * tests/mozilla/mozilla-tests.yaml: enabled previously failing test | |
26991 | ||
26992 | 2015-01-20 Joseph Pecoraro <pecoraro@apple.com> | |
26993 | ||
26994 | Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values | |
26995 | https://bugs.webkit.org/show_bug.cgi?id=137306 | |
26996 | ||
26997 | Reviewed by Timothy Hatcher. | |
26998 | ||
26999 | Provide another optional parameter to getProperties, to gather a list | |
27000 | of all own and getter properties. | |
27001 | ||
27002 | * inspector/InjectedScript.cpp: | |
27003 | (Inspector::InjectedScript::getProperties): | |
27004 | * inspector/InjectedScript.h: | |
27005 | * inspector/InjectedScriptSource.js: | |
27006 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
27007 | (Inspector::InspectorRuntimeAgent::getProperties): | |
27008 | * inspector/agents/InspectorRuntimeAgent.h: | |
27009 | * inspector/protocol/Runtime.json: | |
27010 | ||
27011 | 2015-01-20 Joseph Pecoraro <pecoraro@apple.com> | |
27012 | ||
27013 | Web Inspector: Should show dynamic specificity values | |
27014 | https://bugs.webkit.org/show_bug.cgi?id=140647 | |
27015 | ||
27016 | Reviewed by Benjamin Poulain. | |
27017 | ||
27018 | * inspector/protocol/CSS.json: | |
27019 | Clarify CSSSelector optional values and add "dynamic" property indicating | |
27020 | if the selector can be dynamic based on the element it is matched against. | |
27021 | ||
27022 | 2015-01-20 Commit Queue <commit-queue@webkit.org> | |
27023 | ||
27024 | Unreviewed, rolling out r178751. | |
27025 | https://bugs.webkit.org/show_bug.cgi?id=140694 | |
27026 | ||
27027 | Caused 32-bit JSC test failures (Requested by JoePeck on | |
27028 | #webkit). | |
27029 | ||
27030 | Reverted changeset: | |
27031 | ||
27032 | "put_by_val_direct need to check the property is index or not | |
27033 | for using putDirect / putDirectIndex" | |
27034 | https://bugs.webkit.org/show_bug.cgi?id=140426 | |
27035 | http://trac.webkit.org/changeset/178751 | |
27036 | ||
27037 | 2015-01-20 Yusuke Suzuki <utatane.tea@gmail.com> | |
27038 | ||
27039 | put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex | |
27040 | https://bugs.webkit.org/show_bug.cgi?id=140426 | |
27041 | ||
27042 | Reviewed by Geoffrey Garen. | |
27043 | ||
27044 | In the put_by_val_direct operation, we use JSObject::putDirect. | |
27045 | However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex. | |
27046 | This patch changes Identifier::asIndex() to return Optional<uint32_t>. | |
27047 | It forces callers to check explicitly whether the value is an index. | |
27048 | Additionally, it checks whether the toString-ed Identifier is an index to choose putDirect / putDirectIndex. | |
27049 | ||
27050 | * bytecode/GetByIdStatus.cpp: | |
27051 | (JSC::GetByIdStatus::computeFor): | |
27052 | * bytecode/PutByIdStatus.cpp: | |
27053 | (JSC::PutByIdStatus::computeFor): | |
27054 | * bytecompiler/BytecodeGenerator.cpp: | |
27055 | (JSC::BytecodeGenerator::emitDirectPutById): | |
27056 | * dfg/DFGOperations.cpp: | |
27057 | (JSC::DFG::operationPutByValInternal): | |
27058 | * jit/JITOperations.cpp: | |
27059 | * jit/Repatch.cpp: | |
27060 | (JSC::emitPutTransitionStubAndGetOldStructure): | |
27061 | * jsc.cpp: | |
27062 | * llint/LLIntSlowPaths.cpp: | |
27063 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
27064 | * runtime/Arguments.cpp: | |
27065 | (JSC::Arguments::getOwnPropertySlot): | |
27066 | (JSC::Arguments::put): | |
27067 | (JSC::Arguments::deleteProperty): | |
27068 | (JSC::Arguments::defineOwnProperty): | |
27069 | * runtime/ArrayPrototype.cpp: | |
27070 | (JSC::arrayProtoFuncSort): | |
27071 | * runtime/JSArray.cpp: | |
27072 | (JSC::JSArray::defineOwnProperty): | |
27073 | * runtime/JSCJSValue.cpp: | |
27074 | (JSC::JSValue::putToPrimitive): | |
27075 | * runtime/JSGenericTypedArrayViewInlines.h: | |
27076 | (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot): | |
27077 | (JSC::JSGenericTypedArrayView<Adaptor>::put): | |
27078 | (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): | |
27079 | (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty): | |
27080 | * runtime/JSObject.cpp: | |
27081 | (JSC::JSObject::put): | |
27082 | (JSC::JSObject::putDirectAccessor): | |
27083 | (JSC::JSObject::putDirectCustomAccessor): | |
27084 | (JSC::JSObject::deleteProperty): | |
27085 | (JSC::JSObject::putDirectMayBeIndex): | |
27086 | (JSC::JSObject::defineOwnProperty): | |
27087 | * runtime/JSObject.h: | |
27088 | (JSC::JSObject::getOwnPropertySlot): | |
27089 | (JSC::JSObject::getPropertySlot): | |
27090 | (JSC::JSObject::putDirectInternal): | |
27091 | * runtime/JSString.cpp: | |
27092 | (JSC::JSString::getStringPropertyDescriptor): | |
27093 | * runtime/JSString.h: | |
27094 | (JSC::JSString::getStringPropertySlot): | |
27095 | * runtime/LiteralParser.cpp: | |
27096 | (JSC::LiteralParser<CharType>::parse): | |
27097 | * runtime/PropertyName.h: | |
27098 | (JSC::toUInt32FromCharacters): | |
27099 | (JSC::toUInt32FromStringImpl): | |
27100 | (JSC::PropertyName::asIndex): | |
27101 | * runtime/PropertyNameArray.cpp: | |
27102 | (JSC::PropertyNameArray::add): | |
27103 | * runtime/StringObject.cpp: | |
27104 | (JSC::StringObject::deleteProperty): | |
27105 | * runtime/Structure.cpp: | |
27106 | (JSC::Structure::prototypeChainMayInterceptStoreTo): | |
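
An added illustration of the index check this entry (and its identical 2015-01-22 relanding above) describes; it is not JavaScriptCore's own code. The `asIndex` function, `ToyObject`, `kMaxArrayIndex` and the sample keys are constructed for this example. What it shows is why the check matters: a key such as "5" must be routed to indexed storage while "05", "foo" and "4294967295" are ordinary named properties, otherwise `o["5"]` and `o[5]` would disagree about the same element.

```cpp
// Added illustration (not JavaScriptCore code): how an index check like
// Identifier::asIndex() / PropertyName::asIndex() can drive the choice
// between named-property and indexed-property storage.
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <string_view>

// Largest value treated as an array index (2^32 - 2); "4294967295" is a
// plain named property, not an index. This bound is an assumption of the
// example (it mirrors the ECMAScript array-index definition), not a value
// taken from the ChangeLog entry.
constexpr uint32_t kMaxArrayIndex = 0xFFFFFFFEu;

// Return the index if `key` is the canonical decimal form of an array index,
// otherwise std::nullopt. Canonical means: non-empty, digits only, no leading
// zero unless the whole string is "0", and value <= kMaxArrayIndex.
std::optional<uint32_t> asIndex(std::string_view key) {
    if (key.empty() || key.size() > 10)  // a uint32 has at most 10 digits
        return std::nullopt;
    if (key.size() > 1 && key[0] == '0')
        return std::nullopt;  // "05" is a named property, not index 5
    uint64_t value = 0;
    for (char c : key) {
        if (c < '0' || c > '9')
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > kMaxArrayIndex)
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Toy object with the two storage shapes an engine keeps separate. Writing an
// index-like key into the named map (the bug the entry describes) would make
// o["5"] and o[5] refer to different slots.
struct ToyObject {
    std::map<std::string, int> named;   // stands in for putDirect storage
    std::map<uint32_t, int> indexed;    // stands in for putDirectIndex storage

    // Dispatch the way the entry says put_by_val_direct must: decide
    // index-ness of the key first, then pick the matching store.
    void putDirectMayBeIndex(std::string_view key, int value) {
        if (auto index = asIndex(key))
            indexed[*index] = value;
        else
            named[std::string(key)] = value;
    }

    // Reads use the same dispatch so both spellings of an index agree.
    std::optional<int> get(std::string_view key) const {
        if (auto index = asIndex(key)) {
            auto it = indexed.find(*index);
            return it == indexed.end() ? std::nullopt : std::optional<int>(it->second);
        }
        auto it = named.find(std::string(key));
        return it == named.end() ? std::nullopt : std::optional<int>(it->second);
    }
};

// Exercise the dispatch on a few constructed keys; returns true if every key
// landed in the storage the index check says it should.
bool demo() {
    ToyObject o;
    o.putDirectMayBeIndex("5", 1);           // index
    o.putDirectMayBeIndex("05", 2);          // named: leading zero
    o.putDirectMayBeIndex("foo", 3);         // named
    o.putDirectMayBeIndex("4294967295", 4);  // named: one past the index bound
    o.putDirectMayBeIndex("4294967294", 5);  // index: exactly the bound
    return o.indexed.size() == 2 && o.named.size() == 3
        && o.get("5") == 1 && o.get("05") == 2 && o.get("foo") == 3;
}
```

The point of returning an optional rather than a sentinel integer is the one the entry makes: every caller is forced to handle the "not an index" case explicitly instead of silently storing under a bogus index.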
27107 | ||
27108 | 2015-01-20 Michael Saboff <msaboff@apple.com> | |
27109 | ||
27110 | REGRESSION(178696): Sporadic crashes while garbage collecting | |
27111 | https://bugs.webkit.org/show_bug.cgi?id=140688 | |
27112 | ||
27113 | Reviewed by Geoffrey Garen. | |
27114 | ||
27115 | Added missing visitor.append(&thisObject->m_nullSetterFunction). | |
27116 | ||
27117 | * runtime/JSGlobalObject.cpp: | |
27118 | (JSC::JSGlobalObject::visitChildren): | |
27119 | ||
27120 | 2015-01-19 Brian J. Burg <burg@cs.washington.edu> | |
27121 | ||
27122 | Web Replay: code generator should take supplemental specifications and allow cross-framework references | |
27123 | https://bugs.webkit.org/show_bug.cgi?id=136312 | |
27124 | ||
27125 | Reviewed by Joseph Pecoraro. | |
27126 | ||
27127 | Some types are shared between replay inputs from different frameworks. | |
27128 | Previously, these type declarations were duplicated in every input | |
27129 | specification file in which they were used. This caused some type encoding | |
27130 | traits to be emitted twice if used from WebCore inputs and WebKit2 inputs. | |
27131 | ||
27132 | This patch teaches the replay inputs code generator to accept multiple | |
27133 | input specification files. Inputs can freely reference types from other | |
27134 | frameworks without duplicating declarations. | |
27135 | ||
27136 | On the code generation side, the model could contain types and inputs from | |
27137 | frameworks that are not the target framework. Only generate code for the | |
27138 | target framework. | |
27139 | ||
27140 | To properly generate cross-framework type encoding traits, use | |
27141 | Type.encoding_type_argument in more places, and add the export macro for WebCore | |
27142 | and the Test framework. | |
27143 | ||
27144 | Adjust some tests so that enum coverage is preserved by moving the enum types | |
27145 | into "Test" (the target framework for tests). | |
27146 | ||
27147 | * JavaScriptCore.vcxproj/copy-files.cmd: | |
27148 | For Windows, copy over JSInputs.json as if it were a private header. | |
27149 | ||
27150 | * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header. | |
27151 | * replay/JSInputs.json: | |
27152 | Put all primitive types and WTF types in this specification file. | |
27153 | ||
27154 | * replay/scripts/CodeGeneratorReplayInputs.py: | |
27155 | (Input.__init__): | |
27156 | (InputsModel.__init__): Keep track of the input's framework. | |
27157 | (InputsModel.parse_specification): Parse the framework here. Adjust to new format, | |
27158 | and allow either types or inputs to be missing from a single file. | |
27159 | ||
27160 | (InputsModel.parse_type_with_framework): | |
27161 | (InputsModel.parse_input_with_framework): | |
27162 | (Generator.should_generate_item): Added helper method. | |
27163 | (Generator.generate_header): Filter inputs to generate. | |
27164 | (Generator.generate_implementation): Filter inputs to generate. | |
27165 | (Generator.generate_enum_trait_declaration): Filter enums to generate. | |
27166 | Add WEBCORE_EXPORT macro to enum encoding traits. | |
27167 | ||
27168 | (Generator.generate_for_each_macro): Filter inputs to generate. | |
27169 | (Generator.generate_enum_trait_implementation): Filter enums to generate. | |
27170 | (generate_from_specifications): Added. | |
27171 | (generate_from_specifications.parse_json_from_file): | |
27172 | (InputsModel.parse_toplevel): Deleted. | |
27173 | (InputsModel.parse_type_with_framework_name): Deleted. | |
27174 | (InputsModel.parse_input): Deleted. | |
27175 | (generate_from_specification): Deleted. | |
27176 | * replay/scripts/CodeGeneratorReplayInputsTemplates.py: | |
27177 | * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed. | |
27178 | * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed. | |
27179 | * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: | |
27180 | * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: | |
27181 | * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: | |
27182 | * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: | |
27183 | * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: | |
27184 | * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: | |
27185 | * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: | |
27186 | * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: | |
27187 | * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: | |
27188 | * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: | |
27189 | * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: | |
27190 | * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: | |
27191 | * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: | |
27192 | * replay/scripts/tests/fail-on-duplicate-enum-type.json: | |
27193 | * replay/scripts/tests/fail-on-duplicate-input-names.json: | |
27194 | * replay/scripts/tests/fail-on-duplicate-type-names.json: | |
27195 | * replay/scripts/tests/fail-on-enum-type-missing-values.json: | |
27196 | * replay/scripts/tests/fail-on-missing-input-member-name.json: | |
27197 | * replay/scripts/tests/fail-on-missing-input-name.json: | |
27198 | * replay/scripts/tests/fail-on-missing-input-queue.json: | |
27199 | * replay/scripts/tests/fail-on-missing-type-mode.json: | |
27200 | * replay/scripts/tests/fail-on-missing-type-name.json: | |
27201 | * replay/scripts/tests/fail-on-no-inputs.json: | |
27202 | Removed, no longer required to be in a single file. | |
27203 | ||
27204 | * replay/scripts/tests/fail-on-no-types.json: | |
27205 | Removed, no longer required to be in a single file. | |
27206 | ||
27207 | * replay/scripts/tests/fail-on-unknown-input-queue.json: | |
27208 | * replay/scripts/tests/fail-on-unknown-member-type.json: | |
27209 | * replay/scripts/tests/fail-on-unknown-type-mode.json: | |
27210 | * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: | |
27211 | * replay/scripts/tests/generate-enum-encoding-helpers.json: | |
27212 | * replay/scripts/tests/generate-enum-with-guard.json: | |
27213 | Include enums that are and are not generated. | |
27214 | ||
27215 | * replay/scripts/tests/generate-enums-with-same-base-name.json: | |
27216 | * replay/scripts/tests/generate-event-loop-shape-types.json: | |
27217 | * replay/scripts/tests/generate-input-with-guard.json: | |
27218 | * replay/scripts/tests/generate-input-with-vector-members.json: | |
27219 | * replay/scripts/tests/generate-inputs-with-flags.json: | |
27220 | * replay/scripts/tests/generate-memoized-type-modes.json: | |
27221 | ||
27222 | 2015-01-20 Tomas Popela <tpopela@redhat.com> | |
27223 | ||
27224 | [GTK] Cannot compile 2.7.3 on PowerPC machines | |
27225 | https://bugs.webkit.org/show_bug.cgi?id=140616 | |
27226 | ||
27227 | Include climits for INT_MAX and wtf/DataLog.h for dataLogF | |
27228 | ||
27229 | Reviewed by Csaba Osztrogonác. | |
27230 | ||
27231 | * runtime/BasicBlockLocation.cpp: | |
27232 | ||
27233 | 2015-01-19 Michael Saboff <msaboff@apple.com> | |
27234 | ||
27235 | A "cached" null setter should throw a TypeException when called in strict mode and doesn't | |
27236 | https://bugs.webkit.org/show_bug.cgi?id=139418 | |
27237 | ||
27238 | Reviewed by Filip Pizlo. | |
27239 | ||
27240 | Made a new NullSetterFunction class similar to NullGetterFunction. The difference is that | |
27241 | NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller. | |
27242 | ||
27243 | * CMakeLists.txt: | |
27244 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
27245 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
27246 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
27247 | Added new files NullSetterFunction.cpp and NullSetterFunction.h. | |
27248 | ||
27249 | * runtime/GetterSetter.h: | |
27250 | (JSC::GetterSetter::GetterSetter): | |
27251 | (JSC::GetterSetter::isSetterNull): | |
27252 | (JSC::GetterSetter::setSetter): | |
27253 | Change setter instances from using NullGetterFunction to using NullSetterFunction. | |
27254 | ||
27255 | * runtime/JSGlobalObject.cpp: | |
27256 | (JSC::JSGlobalObject::init): | |
27257 | * runtime/JSGlobalObject.h: | |
27258 | (JSC::JSGlobalObject::nullSetterFunction): | |
27259 | Added m_nullSetterFunction and accessor. | |
27260 | ||
27261 | * runtime/NullSetterFunction.cpp: Added. | |
27262 | (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor): | |
27263 | (JSC::GetCallerStrictnessFunctor::operator()): | |
27264 | (JSC::GetCallerStrictnessFunctor::callerIsStrict): | |
27265 | (JSC::callerIsStrict): | |
27266 | Method to determine if the caller is in strict mode. | |
27267 | ||
27268 | (JSC::callReturnUndefined): | |
27269 | (JSC::constructReturnUndefined): | |
27270 | (JSC::NullSetterFunction::getCallData): | |
27271 | (JSC::NullSetterFunction::getConstructData): | |
27272 | * runtime/NullSetterFunction.h: Added. | |
27273 | (JSC::NullSetterFunction::create): | |
27274 | (JSC::NullSetterFunction::createStructure): | |
27275 | (JSC::NullSetterFunction::NullSetterFunction): | |
27276 | Class with handlers for a null setter. | |
27277 | ||
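The observable behaviour behind this entry, as an added JavaScript example (not JSC's NullSetterFunction code): a getter-only accessor has no setter to call, so assignment fails silently from sloppy-mode code and throws a TypeError when the caller is strict-mode code. The object and helper names are constructed for the example.

```javascript
// Added example, not JSC code: the ECMA-262 behaviour the NullSetterFunction
// change implements. A property with a getter but no setter has no [[Set]]
// target; assignment to it fails silently in sloppy mode and throws a
// TypeError when the *caller* is strict mode code.

// Constructed object with a getter-only accessor property.
function makeGetterOnly() {
  const obj = {};
  Object.defineProperty(obj, 'value', {
    get() { return 42; },
    configurable: true,
  });
  return obj;
}

// Strict-mode caller: the assignment must throw a TypeError.
function assignInStrict(obj) {
  'use strict';
  try {
    obj.value = 1;
    return 'no-throw';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Sloppy-mode caller. Code built with the Function constructor is never
// strict unless it carries its own directive, so this stays sloppy even
// when the surrounding file is a strict module. The failed put leaves the
// getter's value untouched, so the read still yields 42.
const assignInSloppy = new Function('obj', 'obj.value = 1; return obj.value;');

// Reflect.set exposes the raw [[Set]] result without throwing: false in
// either mode, which is exactly what the strict-mode TypeError reports.
function setViaReflect(obj) {
  return Reflect.set(obj, 'value', 1);
}
```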
27278 | 2015-01-19 Saam Barati <saambarati1@gmail.com> | |
27279 | ||
27280 | Web Inspector: Provide a front end for JSC's Control Flow Profiler | |
27281 | https://bugs.webkit.org/show_bug.cgi?id=138454 | |
27282 | ||
27283 | Reviewed by Timothy Hatcher. | |
27284 | ||
27285 | This patch puts the final touches on what JSC needs to provide | |
27286 | for the Web Inspector to show a UI for the control flow profiler. | |
27287 | ||
27288 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
27289 | (Inspector::recompileAllJSFunctionsForTypeProfiling): | |
27290 | * runtime/ControlFlowProfiler.cpp: | |
27291 | (JSC::ControlFlowProfiler::getBasicBlocksForSourceID): | |
27292 | * runtime/FunctionHasExecutedCache.cpp: | |
27293 | (JSC::FunctionHasExecutedCache::getFunctionRanges): | |
27294 | (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted. | |
27295 | * runtime/FunctionHasExecutedCache.h: | |
27296 | ||
27297 | 2015-01-19 David Kilzer <ddkilzer@apple.com> | |
27298 | ||
27299 | [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib | |
27300 | <http://webkit.org/b/140658> | |
27301 | ||
27302 | Reviewed by Filip Pizlo. | |
27303 | ||
27304 | * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM | |
27305 | only when building for 64-bit architectures. | |
27306 | ||
27307 | 2015-01-19 Filip Pizlo <fpizlo@apple.com> | |
27308 | ||
27309 | ClosureCallStubRoutine no longer needs codeOrigin | |
27310 | https://bugs.webkit.org/show_bug.cgi?id=140659 | |
27311 | ||
27312 | Reviewed by Michael Saboff. | |
27313 | ||
27314 | Once upon a time, we would look for the CodeOrigin associated with a return PC. This search | |
27315 | would start with the CodeBlock according to the caller frame's call frame header. But if the | |
27316 | call was a closure call, the return PC would be inside some closure call stub. So if the | |
27317 | CodeBlock search failed, we would search *all* closure call stub routines to see which one | |
27318 | encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine | |
27319 | object. This was all a bunch of madness, and we actually got rid of it - we now determine | |
27320 | the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the | |
27321 | argument count. | |
27322 | ||
27323 | This patch removes the final vestiges of the madness: | |
27324 | ||
27325 | - Remove the totally unused method declaration for the thing that did the closure call stub | |
27326 | search. | |
27327 | ||
27328 | - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search | |
27329 | that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via | |
27330 | the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field | |
27331 | anymore. | |
27332 | ||
27333 | * bytecode/CodeBlock.h: | |
27334 | * jit/ClosureCallStubRoutine.cpp: | |
27335 | (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): | |
27336 | * jit/ClosureCallStubRoutine.h: | |
27337 | (JSC::ClosureCallStubRoutine::executable): | |
27338 | (JSC::ClosureCallStubRoutine::codeOrigin): Deleted. | |
27339 | * jit/Repatch.cpp: | |
27340 | (JSC::linkClosureCall): | |
27341 | ||
27342 | 2015-01-19 Saam Barati <saambarati1@gmail.com> | |
27343 | ||
27344 | Basic block start offsets should never be larger than end offsets in the control flow profiler | |
27345 | https://bugs.webkit.org/show_bug.cgi?id=140377 | |
27346 | ||
27347 | Reviewed by Filip Pizlo. | |
27348 | ||
27349 | The bytecode generator will emit code more than once for some AST nodes. For instance, | |
27350 | the finally block of TryNode will emit two code paths for its finally block: one for | |
27351 | the normal path, and another for the path where an exception is thrown in the catch block. | |
27352 | ||
27353 | This repeated code emission of the same AST node previously broke how the control | |
27354 | flow profiler computed text ranges of basic blocks because when the same AST node | |
27355 | is emitted multiple times, there is a good chance that there are ranges that span | |
27356 | from the end offset of one of these duplicated nodes back to the start offset of | |
27357 | the same duplicated node. This caused a basic block range to report a larger start | |
27358 | offset than end offset. This was incorrect. Now, when this situation is encountered | |
27359 | while linking a CodeBlock, the faulty range in question is ignored. | |
27360 | ||
27361 | * bytecode/CodeBlock.cpp: | |
27362 | (JSC::CodeBlock::CodeBlock): | |
27363 | (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): | |
27364 | * bytecode/CodeBlock.h: | |
27365 | * bytecompiler/NodesCodegen.cpp: | |
27366 | (JSC::ForInNode::emitMultiLoopBytecode): | |
27367 | (JSC::ForOfNode::emitBytecode): | |
27368 | (JSC::TryNode::emitBytecode): | |
27369 | * parser/Parser.cpp: | |
27370 | (JSC::Parser<LexerType>::parseConditionalExpression): | |
27371 | * runtime/ControlFlowProfiler.cpp: | |
27372 | (JSC::ControlFlowProfiler::ControlFlowProfiler): | |
27373 | * runtime/ControlFlowProfiler.h: | |
27374 | (JSC::ControlFlowProfiler::dummyBasicBlock): | |
27375 | ||
27376 | 2015-01-19 Myles C. Maxfield <mmaxfield@apple.com> | |
27377 | ||
27378 | [SVG -> OTF Converter] Flip the switch on | |
27379 | https://bugs.webkit.org/show_bug.cgi?id=140592 | |
27380 | ||
27381 | Reviewed by Antti Koivisto. | |
27382 | ||
27383 | * Configurations/FeatureDefines.xcconfig: | |
27384 | ||
27385 | 2015-01-19 Brian J. Burg <burg@cs.washington.edu> | |
27386 | ||
27387 | Web Replay: convert to is<T> and downcast<T> for decoding replay inputs | |
27388 | https://bugs.webkit.org/show_bug.cgi?id=140512 | |
27389 | ||
27390 | Reviewed by Chris Dumez. | |
27391 | ||
27392 | Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot | |
27393 | be done using REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify | |
27394 | input types, and the type traits macro is defined in namespace WTF. | |
27395 | ||
27396 | * replay/NondeterministicInput.h: Make overridden methods public. | |
27397 | * replay/scripts/CodeGeneratorReplayInputs.py: | |
27398 | (Generator.generate_header): | |
27399 | (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework. | |
27400 | (Generator.generate_input_type_trait_declaration): Added. | |
27401 | * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template. | |
27402 | * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: | |
27403 | * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: | |
27404 | * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: | |
27405 | * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: | |
27406 | * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: | |
27407 | * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: | |
27408 | * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: | |
27409 | * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: | |
27410 | ||
27411 | 2015-01-19 Commit Queue <commit-queue@webkit.org> | |
27412 | ||
27413 | Unreviewed, rolling out r178653. | |
27414 | https://bugs.webkit.org/show_bug.cgi?id=140634 | |
27415 | ||
27416 | Broke multiple SVG tests on Mountain Lion (Requested by ap on | |
27417 | #webkit). | |
27418 | ||
27419 | Reverted changeset: | |
27420 | ||
27421 | "[SVG -> OTF Converter] Flip the switch on" | |
27422 | https://bugs.webkit.org/show_bug.cgi?id=140592 | |
27423 | http://trac.webkit.org/changeset/178653 | |
27424 | ||
27425 | 2015-01-18 Dean Jackson <dino@apple.com> | |
27426 | ||
27427 | ES6: Support Array.of construction | |
27428 | https://bugs.webkit.org/show_bug.cgi?id=140605 | |
27429 | <rdar://problem/19513655> | |
27430 | ||
27431 | Reviewed by Geoffrey Garen. | |
27432 | ||
27433 | Add an implementation of Array.of, described in 22.1.2.3 of the ES6 | |
27434 | specification (15 Jan 2015). The Array.of() method creates a new Array | |
27435 | instance with a variable number of arguments, regardless of number or type | |
27436 | of the arguments. | |
27437 | ||
27438 | * runtime/ArrayConstructor.cpp: | |
27439 | (JSC::arrayConstructorOf): Create a new empty Array, then iterate | |
27440 | over the arguments, setting them to the appropriate index. | |
27441 | ||
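A spec-shaped JavaScript version of Array.of (ES6 22.1.2.3) beside the built-in, added here as an example and not JSC's arrayConstructorOf; it shows the "create, then set each argument at its index" steps the entry describes and why Array.of(7) differs from Array(7). The Sub class and helper names are constructed for the example.

```javascript
// Added example, not JSC code: reference implementation of Array.of following
// the ES6 22.1.2.3 steps, next to the built-in for comparison.
function arrayOf(...items) {
  const len = items.length;
  // If `this` is a constructor, use it (so subclasses get an instance of
  // themselves); otherwise fall back to a plain Array of the right length.
  const C = this;
  const A = typeof C === 'function' ? new C(len) : new Array(len);
  // CreateDataPropertyOrThrow(A, k, items[k]) for every argument.
  for (let k = 0; k < len; k++) {
    Object.defineProperty(A, k, {
      value: items[k], writable: true, enumerable: true, configurable: true,
    });
  }
  // Set(A, "length", len, true)
  A.length = len;
  return A;
}

// Contrast with the legacy Array constructor, whose single numeric argument
// is a length rather than an element.
function compareWithArrayConstructor(n) {
  const viaOf = Array.of(n);   // one element, n
  const viaCtor = Array(n);    // n empty slots, no elements
  return {
    ofLength: viaOf.length,
    ofHasElement0: 0 in viaOf,
    ctorLength: viaCtor.length,
    ctorHasElement0: 0 in viaCtor,
  };
}

// Subclass support: `this` is the subclass, so the result is a Sub.
class Sub extends Array {}
function subclassResult() {
  const s = arrayOf.call(Sub, 'a', 'b');
  return { isSub: s instanceof Sub, len: s.length, first: s[0] };
}
```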
27442 | 2015-01-19 Myles C. Maxfield <mmaxfield@apple.com> | |
27443 | ||
27444 | [SVG -> OTF Converter] Flip the switch on | |
27445 | https://bugs.webkit.org/show_bug.cgi?id=140592 | |
27446 | ||
27447 | Reviewed by Antti Koivisto. | |
27448 | ||
27449 | * Configurations/FeatureDefines.xcconfig: | |
27450 | ||
27451 | 2015-01-17 Brian J. Burg <burg@cs.washington.edu> | |
27452 | ||
27453 | Web Inspector: highlight data for overlay should use protocol type builders | |
27454 | https://bugs.webkit.org/show_bug.cgi?id=129441 | |
27455 | ||
27456 | Reviewed by Timothy Hatcher. | |
27457 | ||
27458 | Add a new domain for overlay types. | |
27459 | ||
27460 | * CMakeLists.txt: | |
27461 | * DerivedSources.make: | |
27462 | * inspector/protocol/OverlayTypes.json: Added. | |
27463 | ||
27464 | 2015-01-17 Michael Saboff <msaboff@apple.com> | |
27465 | ||
27466 | Crash in JSScope::resolve() on tools.ups.com | |
27467 | https://bugs.webkit.org/show_bug.cgi?id=140579 | |
27468 | ||
27469 | Reviewed by Geoffrey Garen. | |
27470 | ||
27471 | For op_resolve_scope of a global property or variable that needs to check for the var | |
27472 | injection check watchpoint, we need to keep the scope around with a Phantom. The | |
27473 | baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint | |
27474 | fired. | |
27475 | ||
27476 | * dfg/DFGByteCodeParser.cpp: | |
27477 | (JSC::DFG::ByteCodeParser::parseBlock): | |
27478 | ||
27479 | 2015-01-16 Brian J. Burg <burg@cs.washington.edu> | |
27480 | ||
27481 | Web Inspector: code generator should introduce typedefs for protocol types that are arrays | |
27482 | https://bugs.webkit.org/show_bug.cgi?id=140557 | |
27483 | ||
27484 | Reviewed by Joseph Pecoraro. | |
27485 | ||
27486 | Currently, there is no generated type name for "array" type declarations such as Console.CallStack. | |
27487 | This makes it long-winded and confusing to use the type in C++ code. | |
27488 | ||
27489 | This patch adds a typedef for array type declarations, so types such as Console::CallStack | |
27490 | can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>. | |
27491 | ||
27492 | Some tests were updated to cover array type declarations used as parameters and type members. | |
27493 | ||
27494 | * inspector/ScriptCallStack.cpp: Use the new typedef. | |
27495 | (Inspector::ScriptCallStack::buildInspectorArray): | |
27496 | * inspector/ScriptCallStack.h: | |
27497 | * inspector/scripts/codegen/cpp_generator.py: | |
27498 | (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead. | |
27499 | * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: | |
27500 | (_generate_typedefs_for_domain): Also generate typedefs for array type declarations. | |
27501 | (_generate_typedefs_for_domain.Inspector): | |
27502 | * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration. | |
27503 | (ArrayType.__init__): | |
27504 | (Protocol.resolve_types): | |
27505 | (Protocol.lookup_type_reference): | |
27506 | * inspector/scripts/tests/commands-with-async-attribute.json: | |
27507 | * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: | |
27508 | * inspector/scripts/tests/events-with-optional-parameters.json: | |
27509 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
27510 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
27511 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
27512 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
27513 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
27514 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
27515 | * inspector/scripts/tests/type-declaration-object-type.json: | |
27516 | ||
27517 | 2015-01-16 Brian J. Burg <burg@cs.washington.edu> | |
27518 | ||
27519 | Web Replay: purge remaining PassRefPtr uses and minor cleanup | |
27520 | https://bugs.webkit.org/show_bug.cgi?id=140456 | |
27521 | ||
27522 | Reviewed by Andreas Kling. | |
27523 | ||
27524 | Get rid of PassRefPtr. Introduce default initializers where it makes sense. | |
27525 | Remove mistaken uses of AtomicString that were not removed as part of r174113. | |
27526 | ||
27527 | * replay/EmptyInputCursor.h: | |
27528 | * replay/InputCursor.h: | |
27529 | (JSC::InputCursor::InputCursor): | |
27530 | ||
27531 | 2015-01-16 Brian J. Burg <burg@cs.washington.edu> | |
27532 | ||
27533 | Web Inspector: code generator should fail on duplicate parameter and member names | |
27534 | https://bugs.webkit.org/show_bug.cgi?id=140555 | |
27535 | ||
27536 | Reviewed by Timothy Hatcher. | |
27537 | ||
27538 | * inspector/scripts/codegen/models.py: | |
27539 | (find_duplicates): Add a helper function to find duplicates in a list. | |
27540 | (Protocol.parse_type_declaration): | |
27541 | (Protocol.parse_command): | |
27542 | (Protocol.parse_event): | |
27543 | * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added. | |
27544 | * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added. | |
27545 | * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added. | |
27546 | * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added. | |
27547 | * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added. | |
27548 | * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added. | |
27549 | * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added. | |
27550 | * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added. | |
27551 | ||
27552 | 2015-01-16 Michael Saboff <msaboff@apple.com> | |
27553 | ||
27554 | REGRESSION (r174226): Header on huffingtonpost.com is too large | |
27555 | https://bugs.webkit.org/show_bug.cgi?id=140306 | |
27556 | ||
27557 | Reviewed by Filip Pizlo. | |
27558 | ||
27559 | BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the | |
27560 | arguments register or whether we need to resolve "arguments". If the arguments have | |
27561 | been captured, then they are stored in the lexical environment and the arguments | |
27562 | register is not used. | |
27563 | ||
27564 | Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments | |
27565 | register is captured. Renamed the function to willResolveToArgumentsRegister() to | |
27566 | better indicate what we are checking. | |
27567 | ||
27568 | Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating | |
27569 | an arguments object that was optimized out of an inlined callFrame. The 32 bit path | |
27570 | incorrectly calculated the location of the reified callee frame. This alignment resulted | |
27571 | in the removal of operationCreateInlinedArgumentsDuringOSRExit(). | |
27572 | ||
27573 | * bytecompiler/BytecodeGenerator.cpp: | |
27574 | (JSC::BytecodeGenerator::willResolveToArgumentsRegister): | |
27575 | (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): | |
27576 | (JSC::BytecodeGenerator::emitCall): | |
27577 | (JSC::BytecodeGenerator::emitConstruct): | |
27578 | (JSC::BytecodeGenerator::emitEnumeration): | |
27579 | (JSC::BytecodeGenerator::willResolveToArguments): Deleted. | |
27580 | * bytecompiler/BytecodeGenerator.h: | |
27581 | * bytecompiler/NodesCodegen.cpp: | |
27582 | (JSC::BracketAccessorNode::emitBytecode): | |
27583 | (JSC::DotAccessorNode::emitBytecode): | |
27584 | (JSC::getArgumentByVal): | |
27585 | (JSC::ApplyFunctionCallDotNode::emitBytecode): | |
27586 | (JSC::ArrayPatternNode::emitDirectBinding): | |
27587 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
27588 | (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): | |
27589 | * dfg/DFGOperations.cpp: | |
27590 | (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted. | |
27591 | * dfg/DFGOperations.h: | |
27592 | (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted. | |
27593 | ||
27594 | 2015-01-15 Csaba Osztrogonác <ossy@webkit.org> | |
27595 | ||
27596 | Remove ENABLE(SQL_DATABASE) guards | |
27597 | https://bugs.webkit.org/show_bug.cgi?id=140434 | |
27598 | ||
27599 | Reviewed by Darin Adler. | |
27600 | ||
27601 | * CMakeLists.txt: | |
27602 | * Configurations/FeatureDefines.xcconfig: | |
27603 | * DerivedSources.make: | |
27604 | * inspector/protocol/Database.json: | |
27605 | ||
27606 | 2015-01-14 Alexey Proskuryakov <ap@apple.com> | |
27607 | ||
27608 | Web Inspector and regular console use different source code locations for messages | |
27609 | https://bugs.webkit.org/show_bug.cgi?id=140478 | |
27610 | ||
27611 | Reviewed by Brian Burg. | |
27612 | ||
27613 | * inspector/ConsoleMessage.h: Expose computed source location. | |
27614 | ||
27615 | * inspector/agents/InspectorConsoleAgent.cpp: | |
27616 | (Inspector::InspectorConsoleAgent::addMessageToConsole): | |
27617 | (Inspector::InspectorConsoleAgent::stopTiming): | |
27618 | (Inspector::InspectorConsoleAgent::count): | |
27619 | * inspector/agents/InspectorConsoleAgent.h: | |
27620 | addMessageToConsole() now takes a pre-made ConsoleMessage object. | |
27621 | ||
27622 | * inspector/JSGlobalObjectConsoleClient.cpp: | |
27623 | (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): | |
27624 | (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented): | |
27625 | * inspector/JSGlobalObjectInspectorController.cpp: | |
27626 | (Inspector::JSGlobalObjectInspectorController::reportAPIException): | |
27627 | * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: | |
27628 | (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): | |
27629 | Updated for the above changes. | |
27630 | ||
27631 | 2015-01-15 Mark Lam <mark.lam@apple.com> | |
27632 | ||
27633 | [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values. | |
27634 | <https://webkit.org/b/140093> | |
27635 | ||
27636 | Reviewed by Geoffrey Garen. | |
27637 | ||
27638 | * interpreter/StackVisitor.cpp: | |
27639 | (JSC::StackVisitor::Frame::createArguments): | |
27640 | - We should not be fetching the lexicalEnvironment here. The reason we've | |
27641 | introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment | |
27642 | may not be available to us at this point. Instead, we'll just pass a nullptr. | |
27643 | ||
27644 | * runtime/Arguments.cpp: | |
27645 | (JSC::Arguments::tearOffForCloning): | |
27646 | * runtime/Arguments.h: | |
27647 | (JSC::Arguments::finishCreation): | |
27648 | - Use the new tearOffForCloning() to tear off arguments right out of the values | |
27649 | passed on the stack. tearOff() is not appropriate for this purpose because | |
27650 | it takes slowArgumentsData into account. | |
27651 | ||
27652 | 2015-01-14 Matthew Mirman <mmirman@apple.com> | |
27653 | ||
27654 | Removed accidental commit of "invalid_array.js" | |
27655 | http://trac.webkit.org/changeset/178439 | |
27656 | ||
27657 | * tests/stress/invalid_array.js: Removed. | |
27658 | ||
27659 | 2015-01-14 Matthew Mirman <mmirman@apple.com> | |
27660 | ||
27661 | Fixes operationPutByIdOptimizes such that they check that the put didn't | |
27662 | change the structure of the object whose property access is being | |
27663 | cached. Also removes uses of the new base value from the cache generation code. | |
27664 | https://bugs.webkit.org/show_bug.cgi?id=139500 | |
27665 | ||
27666 | Reviewed by Filip Pizlo. | |
27667 | ||
27668 | * jit/JITOperations.cpp: | |
27669 | (JSC::operationPutByIdStrictOptimize): saved the structure before the put. | |
27670 | (JSC::operationPutByIdNonStrictOptimize): ditto. | |
27671 | (JSC::operationPutByIdDirectStrictOptimize): ditto. | |
27672 | (JSC::operationPutByIdDirectNonStrictOptimize): ditto. | |
27673 | * jit/Repatch.cpp: | |
27674 | (JSC::generateByIdStub): | |
27675 | (JSC::tryCacheGetByID): | |
27676 | (JSC::tryBuildGetByIDList): | |
27677 | (JSC::emitPutReplaceStub): | |
27678 | (JSC::emitPutTransitionStubAndGetOldStructure): Added. | |
27679 | (JSC::tryCachePutByID): | |
27680 | (JSC::repatchPutByID): | |
27681 | (JSC::tryBuildPutByIdList): | |
27682 | (JSC::tryRepatchIn): | |
27683 | (JSC::emitPutTransitionStub): Deleted. | |
27684 | * jit/Repatch.h: | |
27685 | * llint/LLIntSlowPaths.cpp: | |
27686 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
27687 | * runtime/JSPropertyNameEnumerator.h: | |
27688 | (JSC::genericPropertyNameEnumerator): | |
27689 | * runtime/Operations.h: | |
27690 | (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value. | |
27691 | (JSC::normalizePrototypeChain): restructured to not use the base value. | |
27692 | * tests/mozilla/mozilla-tests.yaml: | |
27693 | * tests/stress/proto-setter.js: Added. | |
27694 | * tests/stress/put-by-id-build-list-order-recurse.js: Added. | |
27695 | Added test that fails without this patch. | |
27696 | ||
27697 | 2015-01-13 Joseph Pecoraro <pecoraro@apple.com> | |
27698 | ||
27699 | Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events | |
27700 | https://bugs.webkit.org/show_bug.cgi?id=140404 | |
27701 | ||
27702 | Reviewed by Timothy Hatcher. | |
27703 | ||
27704 | * inspector/protocol/Timeline.json: | |
27705 | ||
27706 | 2015-01-13 Yusuke Suzuki <utatane.tea@gmail.com> | |
27707 | ||
27708 | DFG can call PutByValDirect for generic arrays | |
27709 | https://bugs.webkit.org/show_bug.cgi?id=140389 | |
27710 | ||
27711 | Reviewed by Geoffrey Garen. | |
27712 | ||
27713 | Computed properties in object initializers (ES6) use the put_by_val_direct operation. | |
27714 | However, the current DFG asserts that put_by_val_direct is not used for generic arrays, | |
27715 | so the assertion failure is raised. | |
27716 | This patch allows DFG to use put_by_val_direct on generic arrays. | |
27717 | ||
27718 | It also fixes the DFG put_by_val_direct implementation for string properties. | |
27719 | At first, put_by_val_direct was intended to be used for spread elements, | |
27720 | so the property keys were limited to numbers (indexes). | |
27721 | But now it is also used for computed properties in object initializers. | |
27722 | ||
27723 | * dfg/DFGOperations.cpp: | |
27724 | (JSC::DFG::operationPutByValInternal): | |
27725 | * dfg/DFGSpeculativeJIT64.cpp: | |
27726 | (JSC::DFG::SpeculativeJIT::compile): | |
27727 | ||
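What "direct" means for the put_by_val_direct operation behind computed property names, as an added JavaScript example (not JSC code): an object literal defines an own property and bypasses any setter on the prototype, whereas an ordinary assignment puts through the chain and runs it. It covers both an index key and a string key, since the entry extends the operation to string properties; the recording prototype and helper names are constructed for the example.

```javascript
// Added example, not JSC code: define-vs-put semantics of ES6 computed
// property names. { [key]: value } performs CreateDataPropertyOrThrow on the
// new object (what put_by_val_direct implements); obj[key] = value performs
// an ordinary [[Set]] that walks the prototype chain and invokes a setter.

// Constructed prototype whose accessor on `key` records every put that
// reaches it and answers reads with a marker value.
function makeRecordingProto(key) {
  const log = [];
  const proto = {};
  Object.defineProperty(proto, key, {
    set(v) { log.push(v); },
    get() { return 'from-setter'; },
  });
  return { proto, log };
}

// Computed property in an object literal: defines an own data property
// directly on the new object. The __proto__ literal key sets the prototype
// so the setter is in the chain but is never consulted.
function viaComputedProperty(proto, key, value) {
  const obj = { __proto__: proto, [key]: value };
  return {
    own: Object.prototype.hasOwnProperty.call(obj, key),
    read: obj[key],
  };
}

// Ordinary assignment: the put finds the inherited accessor and runs its
// setter; no own property is created and the read hits the getter.
function viaAssignment(proto, key, value) {
  const obj = { __proto__: proto };
  obj[key] = value;
  return {
    own: Object.prototype.hasOwnProperty.call(obj, key),
    read: obj[key],
  };
}
```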
27728 | 2015-01-13 Geoffrey Garen <ggaren@apple.com> | |
27729 | ||
27730 | Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode | |
27731 | https://bugs.webkit.org/show_bug.cgi?id=140397 | |
27732 | ||
27733 | Reviewed by Geoffrey Garen. | |
27734 | ||
27735 | Patch by Alexey Proskuryakov. | |
27736 | ||
27737 | Reviewed, performance tested, and ChangeLogged by Geoffrey Garen. | |
27738 | ||
27739 | No performance change. | |
27740 | ||
27741 | No test, since this is a small past-the-end read, which is very | |
27742 | difficult to turn into a reproducible failing test -- and existing tests | |
27743 | crash reliably using ASan. | |
27744 | ||
27745 | * bytecompiler/NodesCodegen.cpp: | |
27746 | (JSC::BracketAccessorNode::emitBytecode): | |
27747 | (JSC::DotAccessorNode::emitBytecode): | |
27748 | (JSC::FunctionCallBracketNode::emitBytecode): | |
27749 | (JSC::PostfixNode::emitResolve): | |
27750 | (JSC::DeleteBracketNode::emitBytecode): | |
27751 | (JSC::DeleteDotNode::emitBytecode): | |
27752 | (JSC::PrefixNode::emitResolve): | |
27753 | (JSC::UnaryOpNode::emitBytecode): | |
27754 | (JSC::BitwiseNotNode::emitBytecode): | |
27755 | (JSC::BinaryOpNode::emitBytecode): | |
27756 | (JSC::EqualNode::emitBytecode): | |
27757 | (JSC::StrictEqualNode::emitBytecode): | |
27758 | (JSC::ThrowableBinaryOpNode::emitBytecode): | |
27759 | (JSC::AssignDotNode::emitBytecode): | |
27760 | (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any | |
27761 | register used across a call to a function that might allocate a new | |
27762 | temporary register must be held in a RefPtr. | |
27763 | ||
27764 | 2015-01-12 Michael Saboff <msaboff@apple.com> | |
27765 | ||
27766 | Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection | |
27767 | https://bugs.webkit.org/show_bug.cgi?id=140348 | |
27768 | ||
27769 | Reviewed by Mark Lam. | |
27770 | ||
27771 | We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late | |
27772 | because those registers may have been spilled on the stack and replaced with other values by | |
27773 | the time we call down to gatherFromCurrentThread(). | |
27774 | ||
27775 | Now we get the register contents at the same place that we demarcate the current top of | |
27776 | stack using the address of a local variable, in Heap::markRoots(). The register contents | |
27777 | buffer is passed along with the demarcation pointer. These need to be done at this level | |
27778 | in the call tree and no lower, as markRoots() calls various functions that visit object | |
27779 | pointers that may be later proven dead. Any of those pointers that are left on the | |
27780 | stack or in registers could be incorrectly marked as live if we scan the stack contents | |
27781 | from a called function or one of its callees. The stack demarcation pointer and register | |
27782 | saving need to be done in the same function so that we have a consistent stack, active | |
27783 | and spilled registers. | |
27784 | ||
27785 | Because we don't want to make unnecessary calls to get the register contents, we use | |
27786 | a macro to allocate, and possibly align, the register structure and get the actual | |
27787 | register contents. | |
27788 | ||
27789 | ||
27790 | * heap/Heap.cpp: | |
27791 | (JSC::Heap::markRoots): | |
27792 | (JSC::Heap::gatherStackRoots): | |
27793 | * heap/Heap.h: | |
27794 | * heap/MachineStackMarker.cpp: | |
27795 | (JSC::MachineThreads::gatherFromCurrentThread): | |
27796 | (JSC::MachineThreads::gatherConservativeRoots): | |
27797 | * heap/MachineStackMarker.h: | |
27798 | ||
27799 | 2015-01-12 Benjamin Poulain <benjamin@webkit.org> | |
27800 | ||
27801 | Add basic pattern matching support to the url filters | |
27802 | https://bugs.webkit.org/show_bug.cgi?id=140283 | |
27803 | ||
27804 | Reviewed by Andreas Kling. | |
27805 | ||
27806 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
27807 | Make YarrParser.h private in order to use it from WebCore. | |
27808 | ||
27809 | 2015-01-12 Geoffrey Garen <ggaren@apple.com> | |
27810 | ||
27811 | Out of bounds read in IdentifierArena::makeIdentifier | |
27812 | https://bugs.webkit.org/show_bug.cgi?id=140376 | |
27813 | ||
27814 | Patch by Alexey Proskuryakov. | |
27815 | ||
27816 | Reviewed and ChangeLogged by Geoffrey Garen. | |
27817 | ||
27818 | No test, since this is a small past-the-end read, which is very | |
27819 | difficult to turn into a reproducible failing test -- and existing tests | |
27820 | crash reliably using ASan. | |
27821 | ||
27822 | * parser/ParserArena.h: | |
27823 | (JSC::IdentifierArena::makeIdentifier): | |
27824 | (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a | |
27825 | zero-length string input, like we do in the literal parser, since it is | |
27826 | not valid to dereference characters in a zero-length string. | |
27827 | ||
27828 | A zero-length string is allowed in JavaScript -- for example, "". | |
27829 | ||
27830 | 2015-01-11 Sam Weinig <sam@webkit.org> | |
27831 | ||
27832 | Remove support for SharedWorkers | |
27833 | https://bugs.webkit.org/show_bug.cgi?id=140344 | |
27834 | ||
27835 | Reviewed by Anders Carlsson. | |
27836 | ||
27837 | * Configurations/FeatureDefines.xcconfig: | |
27838 | ||
27839 | 2015-01-12 Myles C. Maxfield <mmaxfield@apple.com> | |
27840 | ||
27841 | Allow targeting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER) | |
27842 | https://bugs.webkit.org/show_bug.cgi?id=136769 | |
27843 | ||
27844 | Reviewed by Antti Koivisto. | |
27845 | ||
27846 | * Configurations/FeatureDefines.xcconfig: | |
27847 | ||
27848 | 2015-01-12 Commit Queue <commit-queue@webkit.org> | |
27849 | ||
27850 | Unreviewed, rolling out r178266. | |
27851 | https://bugs.webkit.org/show_bug.cgi?id=140363 | |
27852 | ||
27853 | Broke a JSC test (Requested by ap on #webkit). | |
27854 | ||
27855 | Reverted changeset: | |
27856 | ||
27857 | "Local JSArray* "keys" in objectConstructorKeys() is not | |
27858 | marked during garbage collection" | |
27859 | https://bugs.webkit.org/show_bug.cgi?id=140348 | |
27860 | http://trac.webkit.org/changeset/178266 | |
27861 | ||
27862 | 2015-01-12 Michael Saboff <msaboff@apple.com> | |
27863 | ||
27864 | Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection | |
27865 | https://bugs.webkit.org/show_bug.cgi?id=140348 | |
27866 | ||
27867 | Reviewed by Mark Lam. | |
27868 | ||
27869 | Move the address of the local variable that is used to demarcate the top of the stack for | |
27870 | conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets | |
27871 | the register values using setjmp(). That way we don't lose any callee save register | |
27872 | contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread(). | |
27873 | If we lose any JSObject* that are only in callee save registers, they will be GC'ed | |
27874 | erroneously. | |
27875 | ||
27876 | * heap/Heap.cpp: | |
27877 | (JSC::Heap::markRoots): | |
27878 | (JSC::Heap::gatherStackRoots): | |
27879 | * heap/Heap.h: | |
27880 | * heap/MachineStackMarker.cpp: | |
27881 | (JSC::MachineThreads::gatherFromCurrentThread): | |
27882 | (JSC::MachineThreads::gatherConservativeRoots): | |
27883 | * heap/MachineStackMarker.h: | |
27884 | ||
27885 | 2015-01-11 Eric Carlson <eric.carlson@apple.com> | |
27886 | ||
27887 | Fix typo in testapi.c error messages | |
27888 | https://bugs.webkit.org/show_bug.cgi?id=140305 | |
27889 | ||
27890 | Reviewed by Geoffrey Garen. | |
27891 | ||
27892 | * API/tests/testapi.c: | |
27893 | (main): "... script did not timed out ..." -> "... script did not time out ..." | |
27894 | ||
27895 | 2015-01-09 Michael Saboff <msaboff@apple.com> | |
27896 | ||
27897 | Breakpoint doesn't fire in this HTML5 game | |
27898 | https://bugs.webkit.org/show_bug.cgi?id=140269 | |
27899 | ||
27900 | Reviewed by Mark Lam. | |
27901 | ||
27902 | When parsing a single line cached function, use the lineStartOffset of the | |
27903 | location where we found the cached function instead of the cached lineStartOffset. | |
27904 | The cache location's lineStartOffset has not been adjusted for any possible | |
27905 | containing functions. | |
27906 | ||
27907 | This change is not needed for multi-line cached functions. Consider the | |
27908 | single line source: | |
27909 | ||
27910 | function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()} | |
27911 | ||
27912 | The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset | |
27913 | of 0. Later when we parse outer() and find inner1() in the cache, the SourceCode start | |
27914 | character is at outer()'s outermost open brace. That is what we should use for | |
27915 | lineStartOffset for inner1(). When done parsing inner1() we set the parsing token | |
27916 | to the saved location for inner1(), including the lineStartOffset of 0. We need | |
27917 | to use the value of lineStartOffset before we started parsing inner1(). That is | |
27918 | what the fix does. When we parse inner2() the lineStartOffset will be correct. | |
27919 | ||
27920 | For a multi-line function, the close brace is guaranteed to be on a different line | |
27921 | than the open brace. Hence, its lineStartOffset will not change with the change of | |
27922 | the SourceCode start character. | |
27923 | ||
27924 | * parser/Parser.cpp: | |
27925 | (JSC::Parser<LexerType>::parseFunctionInfo): | |
27926 | ||
27927 | 2015-01-09 Joseph Pecoraro <pecoraro@apple.com> | |
27928 | ||
27929 | Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint | |
27930 | https://bugs.webkit.org/show_bug.cgi?id=140279 | |
27931 | rdar://problem/19422299 | |
27932 | ||
27933 | Reviewed by Oliver Hunt. | |
27934 | ||
27935 | * runtime/MapData.cpp: | |
27936 | (JSC::MapData::replaceAndPackBackingStore): | |
27937 | The cell table also needs to have its values fixed. | |
27938 | ||
27939 | 2015-01-09 Joseph Pecoraro <pecoraro@apple.com> | |
27940 | ||
27941 | Web Inspector: Remove or use TimelineAgent Resource related event types | |
27942 | https://bugs.webkit.org/show_bug.cgi?id=140155 | |
27943 | ||
27944 | Reviewed by Timothy Hatcher. | |
27945 | ||
27946 | Remove unused / stale Timeline event types. | |
27947 | ||
27948 | * inspector/protocol/Timeline.json: | |
27949 | ||
27950 | 2015-01-09 Csaba Osztrogonác <ossy@webkit.org> | |
27951 | ||
27952 | REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build | |
27953 | https://bugs.webkit.org/show_bug.cgi?id=140098 | |
27954 | ||
27955 | Reviewed by Brian Burg. | |
27956 | ||
27957 | * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added. | |
27958 | ||
27959 | 2015-01-08 Mark Lam <mark.lam@apple.com> | |
27960 | ||
27961 | Argument object created by "Function dot arguments" should use a clone of the argument values. | |
27962 | <https://webkit.org/b/140093> | |
27963 | ||
27964 | Reviewed by Geoffrey Garen. | |
27965 | ||
27966 | After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js | |
27967 | test will crash. The relevant code which manifests the issue is as follows: | |
27968 | ||
27969 | function bar() { | |
27970 | return foo.arguments; | |
27971 | } | |
27972 | ||
27973 | function foo(p) { | |
27974 | var x = 42; | |
27975 | if (p) | |
27976 | return (function() { return x; }); | |
27977 | else | |
27978 | return bar(); | |
27979 | } | |
27980 | ||
27981 | In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and | |
27982 | has dead-code-eliminated the SetLocal that stores it into its designated local. | |
27983 | In bar(), the factory for the Arguments object (for creating foo.arguments) tries | |
27984 | to read foo's LexicalEnvironment from its designated lexicalEnvironment local, | |
27985 | but instead, finds it to be uninitialized. This results in a null pointer access | |
27986 | which causes a crash. | |
27987 | ||
27988 | This can be resolved by having bar() instantiate a clone of the Arguments object | |
27989 | instead, and populate its elements with values fetched directly from foo's frame. | |
27990 | There's no need to reference foo's LexicalEnvironment (whether present or not). | |
27991 | ||
27992 | * interpreter/StackVisitor.cpp: | |
27993 | (JSC::StackVisitor::Frame::createArguments): | |
27994 | * runtime/Arguments.h: | |
27995 | (JSC::Arguments::finishCreation): | |
27996 | ||
27997 | 2015-01-08 Mark Lam <mark.lam@apple.com> | |
27998 | ||
27999 | Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand. | |
28000 | <https://webkit.org/b/140236> | |
28001 | ||
28002 | Reviewed by Geoffrey Garen. | |
28003 | ||
28004 | Will change the DFG to use the operand on a subsequent pass. For now, | |
28005 | the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to | |
28006 | retain the old behavior of getting the lexicalEnvironment from the | |
28007 | ExecState. | |
28008 | ||
28009 | * bytecompiler/BytecodeGenerator.cpp: | |
28010 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
28011 | (JSC::BytecodeGenerator::emitGetArgumentByVal): | |
28012 | (JSC::BytecodeGenerator::createArgumentsIfNecessary): | |
28013 | - When the lexicalEnvironment is not available, pass the invalid VirtualRegister | |
28014 | instead of an empty JSValue as the lexicalEnvironment operand. | |
28015 | ||
28016 | * dfg/DFGOperations.cpp: | |
28017 | - Use the lexicalEnvironment from the ExecState for now. | |
28018 | ||
28019 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
28020 | (JSC::DFG::SpeculativeJIT::compile): | |
28021 | * dfg/DFGSpeculativeJIT64.cpp: | |
28022 | (JSC::DFG::SpeculativeJIT::compile): | |
28023 | - Use the operationCreateArgumentsForDFG() thunk for now. | |
28024 | ||
28025 | * interpreter/CallFrame.cpp: | |
28026 | (JSC::CallFrame::lexicalEnvironmentOrNullptr): | |
28027 | * interpreter/CallFrame.h: | |
28028 | - Added this convenience function to return either the | |
28029 | lexicalEnvironment or a nullptr so that we don't need to do a | |
28030 | conditional check on codeBlock->needsActivation() at multiple sites. | |
28031 | ||
28032 | * interpreter/StackVisitor.cpp: | |
28033 | (JSC::StackVisitor::Frame::createArguments): | |
28034 | * jit/JIT.h: | |
28035 | * jit/JITInlines.h: | |
28036 | (JSC::JIT::callOperation): | |
28037 | * jit/JITOpcodes.cpp: | |
28038 | (JSC::JIT::emit_op_create_arguments): | |
28039 | (JSC::JIT::emitSlow_op_get_argument_by_val): | |
28040 | * jit/JITOpcodes32_64.cpp: | |
28041 | (JSC::JIT::emit_op_create_arguments): | |
28042 | (JSC::JIT::emitSlow_op_get_argument_by_val): | |
28043 | * jit/JITOperations.cpp: | |
28044 | * jit/JITOperations.h: | |
28045 | * llint/LLIntSlowPaths.cpp: | |
28046 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
28047 | * runtime/Arguments.h: | |
28048 | (JSC::Arguments::create): | |
28049 | (JSC::Arguments::finishCreation): | |
28050 | * runtime/CommonSlowPaths.cpp: | |
28051 | (JSC::SLOW_PATH_DECL): | |
28052 | * runtime/JSLexicalEnvironment.cpp: | |
28053 | (JSC::JSLexicalEnvironment::argumentsGetter): | |
28054 | ||
28055 | 2015-01-08 Joseph Pecoraro <pecoraro@apple.com> | |
28056 | ||
28057 | Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement) | |
28058 | https://bugs.webkit.org/show_bug.cgi?id=138991 | |
28059 | ||
28060 | Reviewed by Timothy Hatcher. | |
28061 | ||
28062 | * debugger/Debugger.cpp: | |
28063 | (JSC::Debugger::Debugger): | |
28064 | (JSC::Debugger::pauseIfNeeded): | |
28065 | (JSC::Debugger::didReachBreakpoint): | |
28066 | When actually pausing, if we hit a breakpoint ensure the reason | |
28067 | is PausedForBreakpoint, otherwise use the current reason. | |
28068 | ||
28069 | * debugger/Debugger.h: | |
28070 | Make pause reason and pausing breakpoint ID public. | |
28071 | ||
28072 | * inspector/agents/InspectorDebuggerAgent.h: | |
28073 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
28074 | (Inspector::buildAssertPauseReason): | |
28075 | (Inspector::buildCSPViolationPauseReason): | |
28076 | (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason): | |
28077 | (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): | |
28078 | (Inspector::InspectorDebuggerAgent::handleConsoleAssert): | |
28079 | (Inspector::buildObjectForBreakpointCookie): | |
28080 | (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): | |
28081 | (Inspector::InspectorDebuggerAgent::removeBreakpoint): | |
28082 | (Inspector::InspectorDebuggerAgent::resolveBreakpoint): | |
28083 | (Inspector::InspectorDebuggerAgent::pause): | |
28084 | (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP): | |
28085 | (Inspector::InspectorDebuggerAgent::currentCallFrames): | |
28086 | (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): | |
28087 | Clean up creation of pause reason objects and other cleanup | |
28088 | of PassRefPtr use and InjectedScript use. | |
28089 | ||
28090 | (Inspector::InspectorDebuggerAgent::didPause): | |
28091 | Clean up so that we first check for an Exception, and then fall | |
28092 | back to including a Pause Reason derived from the Debugger. | |
28093 | ||
28094 | * inspector/protocol/Debugger.json: | |
28095 | Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons. | |
28096 | ||
28097 | 2015-01-08 Joseph Pecoraro <pecoraro@apple.com> | |
28098 | ||
28099 | Web Inspector: Type check that NSArrays in ObjC Interfaces have the right object types | |
28100 | https://bugs.webkit.org/show_bug.cgi?id=140209 | |
28101 | ||
28102 | Reviewed by Timothy Hatcher. | |
28103 | ||
28104 | Check the types of objects in NSArrays for all interfaces (commands, events, types) | |
28105 | when the user can set an array of objects. Previously we were only type checking | |
28106 | they were RWIJSONObjects, now we add an explicit check for the exact object type. | |
28107 | ||
28108 | * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: | |
28109 | (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): | |
28110 | * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: | |
28111 | (ObjCFrontendDispatcherImplementationGenerator._generate_event): | |
28112 | * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: | |
28113 | (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members): | |
28114 | (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member): | |
28115 | * inspector/scripts/codegen/objc_generator.py: | |
28116 | (ObjCGenerator.objc_class_for_array_type): | |
28117 | (ObjCGenerator): | |
28118 | ||
28119 | 2015-01-07 Mark Lam <mark.lam@apple.com> | |
28120 | ||
28121 | Add the lexicalEnvironment as an operand to op_get_argument_by_val. | |
28122 | <https://webkit.org/b/140233> | |
28123 | ||
28124 | Reviewed by Filip Pizlo. | |
28125 | ||
28126 | This patch only adds the operand to the bytecode. It is not in use yet. | |
28127 | ||
28128 | * bytecode/BytecodeList.json: | |
28129 | * bytecode/BytecodeUseDef.h: | |
28130 | (JSC::computeUsesForBytecodeOffset): | |
28131 | * bytecode/CodeBlock.cpp: | |
28132 | (JSC::CodeBlock::dumpBytecode): | |
28133 | * bytecompiler/BytecodeGenerator.cpp: | |
28134 | (JSC::BytecodeGenerator::emitGetArgumentByVal): | |
28135 | * llint/LowLevelInterpreter32_64.asm: | |
28136 | * llint/LowLevelInterpreter64.asm: | |
28137 | ||
28138 | 2015-01-07 Yusuke Suzuki <utatane.tea@gmail.com> | |
28139 | ||
28140 | Investigate the character type of repeated string instead of checking is8Bit flag | |
28141 | https://bugs.webkit.org/show_bug.cgi?id=140139 | |
28142 | ||
28143 | Reviewed by Darin Adler. | |
28144 | ||
28145 | Instead of checking the is8Bit flag of the repeated string, investigate | |
28146 | the actual value of the repeated character, since the is8Bit flag gives a false negative case. | |
28147 | ||
28148 | * runtime/StringPrototype.cpp: | |
28149 | (JSC::repeatCharacter): | |
28150 | (JSC::stringProtoFuncRepeat): | |
28151 | (JSC::repeatSmallString): Deleted. | |
28152 | ||
28153 | 2015-01-07 Joseph Pecoraro <pecoraro@apple.com> | |
28154 | ||
28155 | Web Inspector: ObjC Generate types from the GenericTypes domain | |
28156 | https://bugs.webkit.org/show_bug.cgi?id=140229 | |
28157 | ||
28158 | Reviewed by Timothy Hatcher. | |
28159 | ||
28160 | Generate types from the GenericTypes domain, as they are expected | |
28161 | by other domains (like Page domain). Also, don't include the @protocol | |
28162 | forward declaration for a domain if it doesn't have any commands. | |
28163 | ||
28164 | * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: | |
28165 | (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations): | |
28166 | (ObjCBackendDispatcherHeaderGenerator): Deleted. | |
28167 | (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted. | |
28168 | * inspector/scripts/codegen/objc_generator.py: | |
28169 | (ObjCGenerator): | |
28170 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
28171 | * inspector/scripts/tests/expected/enum-values.json-result: | |
28172 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
28173 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
28174 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
28175 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
28176 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
28177 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
28178 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
28179 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
28180 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
28181 | ||
28182 | 2015-01-07 Joseph Pecoraro <pecoraro@apple.com> | |
28183 | ||
28184 | Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers | |
28185 | https://bugs.webkit.org/show_bug.cgi?id=140228 | |
28186 | ||
28187 | Reviewed by Timothy Hatcher. | |
28188 | ||
28189 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: | |
28190 | (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): | |
28191 | * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: | |
28192 | (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters): | |
28193 | * inspector/scripts/tests/expected/enum-values.json-result: | |
28194 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
28195 | ||
28196 | 2015-01-07 Saam Barati <saambarati1@gmail.com> | |
28197 | ||
28198 | interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path | |
28199 | https://bugs.webkit.org/show_bug.cgi?id=140165 | |
28200 | ||
28201 | Reviewed by Michael Saboff. | |
28202 | ||
28203 | Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation | |
28204 | into the LLInt speeds up type profiling. | |
28205 | ||
28206 | * llint/LLIntOffsetsExtractor.cpp: | |
28207 | * llint/LowLevelInterpreter.asm: | |
28208 | * llint/LowLevelInterpreter32_64.asm: | |
28209 | * llint/LowLevelInterpreter64.asm: | |
28210 | * runtime/CommonSlowPaths.cpp: | |
28211 | (JSC::SLOW_PATH_DECL): | |
28212 | * runtime/CommonSlowPaths.h: | |
28213 | * runtime/TypeProfilerLog.h: | |
28214 | (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted. | |
28215 | ||
28216 | 2015-01-07 Brian J. Burg <burg@cs.washington.edu> | |
28217 | ||
28218 | Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects | |
28219 | https://bugs.webkit.org/show_bug.cgi?id=140053 | |
28220 | ||
28221 | Reviewed by Andreas Kling. | |
28222 | ||
28223 | This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code | |
28224 | related to Web Inspector. It also converts many uses of RefPtr to Ref where | |
28225 | references are always non-null. These two refactorings have been combined since | |
28226 | they tend to require similar changes to the code. | |
28227 | ||
28228 | Creation methods for subclasses of InspectorValue now return a Ref, and callsites | |
28229 | have been updated to take a Ref instead of RefPtr. | |
28230 | ||
28231 | Builders for typed protocol objects now return a Ref. Since there is no implicit | |
28232 | call to operator&, callsites now must explicitly call .release() to convert a | |
28233 | builder object into the corresponding protocol object once required fields are set. | |
28234 | Update callsites and use auto to eliminate repetition of long-winded protocol types. | |
28235 | ||
28236 | Tests for inspector protocol and replay inputs have been rebaselined. | |
28237 | ||
28238 | * bindings/ScriptValue.cpp: | |
28239 | (Deprecated::jsToInspectorValue): | |
28240 | (Deprecated::ScriptValue::toInspectorValue): | |
28241 | * bindings/ScriptValue.h: | |
28242 | * inspector/ConsoleMessage.cpp: | |
28243 | (Inspector::ConsoleMessage::addToFrontend): | |
28244 | * inspector/ContentSearchUtilities.cpp: | |
28245 | (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): | |
28246 | (Inspector::ContentSearchUtilities::searchInTextByLines): | |
28247 | * inspector/ContentSearchUtilities.h: | |
28248 | * inspector/InjectedScript.cpp: | |
28249 | (Inspector::InjectedScript::getFunctionDetails): | |
28250 | (Inspector::InjectedScript::getProperties): | |
28251 | (Inspector::InjectedScript::getInternalProperties): | |
28252 | (Inspector::InjectedScript::wrapCallFrames): | |
28253 | (Inspector::InjectedScript::wrapObject): | |
28254 | (Inspector::InjectedScript::wrapTable): | |
28255 | * inspector/InjectedScript.h: | |
28256 | * inspector/InjectedScriptBase.cpp: | |
28257 | (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits. | |
28258 | * inspector/InspectorBackendDispatcher.cpp: | |
28259 | (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): | |
28260 | (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): | |
28261 | (Inspector::InspectorBackendDispatcher::create): | |
28262 | (Inspector::InspectorBackendDispatcher::dispatch): | |
28263 | (Inspector::InspectorBackendDispatcher::sendResponse): | |
28264 | (Inspector::InspectorBackendDispatcher::reportProtocolError): | |
28265 | (Inspector::getPropertyValue): Add a comment to clarify what this clever code does. | |
28266 | (Inspector::InspectorBackendDispatcher::getInteger): | |
28267 | (Inspector::InspectorBackendDispatcher::getDouble): | |
28268 | (Inspector::InspectorBackendDispatcher::getString): | |
28269 | (Inspector::InspectorBackendDispatcher::getBoolean): | |
28270 | (Inspector::InspectorBackendDispatcher::getObject): | |
28271 | (Inspector::InspectorBackendDispatcher::getArray): | |
28272 | (Inspector::InspectorBackendDispatcher::getValue): | |
28273 | * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect | |
28274 | protocol error strings. | |
28275 | (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): | |
28276 | Convert the supplemental dispatcher's reference to Ref since it is never null. | |
28277 | * inspector/InspectorEnvironment.h: | |
28278 | * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and | |
28279 | StructItemTraits. Add more versions of addItem to handle pushing various types. | |
28280 | (Inspector::Protocol::Array::openAccessors): | |
28281 | (Inspector::Protocol::Array::addItem): | |
28282 | (Inspector::Protocol::Array::create): | |
28283 | (Inspector::Protocol::StructItemTraits::push): | |
28284 | (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument. | |
28285 | (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted. | |
28286 | (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted. | |
28287 | (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted. | |
28288 | (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted. | |
28289 | (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted. | |
28290 | (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted. | |
28291 | (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted. | |
28292 | (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted. | |
28293 | (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted. | |
28294 | * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have | |
28295 | the same call signature as other getters. Use Ref where possible. | |
28296 | (Inspector::InspectorObjectBase::getBoolean): | |
28297 | (Inspector::InspectorObjectBase::getString): | |
28298 | (Inspector::InspectorObjectBase::getObject): | |
28299 | (Inspector::InspectorObjectBase::getArray): | |
28300 | (Inspector::InspectorObjectBase::getValue): | |
28301 | (Inspector::InspectorObjectBase::writeJSON): | |
28302 | (Inspector::InspectorArrayBase::get): | |
28303 | (Inspector::InspectorObject::create): | |
28304 | (Inspector::InspectorArray::create): | |
28305 | (Inspector::InspectorValue::null): | |
28306 | (Inspector::InspectorString::create): | |
28307 | (Inspector::InspectorBasicValue::create): | |
28308 | (Inspector::InspectorObjectBase::get): Deleted. | |
28309 | * inspector/InspectorValues.h: | |
28310 | (Inspector::InspectorObjectBase::setValue): | |
28311 | (Inspector::InspectorObjectBase::setObject): | |
28312 | (Inspector::InspectorObjectBase::setArray): | |
28313 | (Inspector::InspectorArrayBase::pushValue): | |
28314 | (Inspector::InspectorArrayBase::pushObject): | |
28315 | (Inspector::InspectorArrayBase::pushArray): | |
28316 | * inspector/JSGlobalObjectConsoleClient.cpp: | |
28317 | (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): | |
28318 | (Inspector::JSGlobalObjectConsoleClient::count): | |
28319 | (Inspector::JSGlobalObjectConsoleClient::timeEnd): | |
28320 | (Inspector::JSGlobalObjectConsoleClient::timeStamp): | |
28321 | * inspector/JSGlobalObjectConsoleClient.h: | |
28322 | * inspector/JSGlobalObjectInspectorController.cpp: | |
28323 | (Inspector::JSGlobalObjectInspectorController::executionStopwatch): | |
28324 | * inspector/JSGlobalObjectInspectorController.h: | |
28325 | * inspector/ScriptCallFrame.cpp: | |
28326 | (Inspector::ScriptCallFrame::buildInspectorObject): | |
28327 | * inspector/ScriptCallFrame.h: | |
28328 | * inspector/ScriptCallStack.cpp: | |
28329 | (Inspector::ScriptCallStack::create): | |
28330 | (Inspector::ScriptCallStack::buildInspectorArray): | |
28331 | * inspector/ScriptCallStack.h: | |
28332 | * inspector/agents/InspectorAgent.cpp: | |
28333 | (Inspector::InspectorAgent::enable): | |
28334 | (Inspector::InspectorAgent::inspect): | |
28335 | (Inspector::InspectorAgent::activateExtraDomain): | |
28336 | * inspector/agents/InspectorAgent.h: | |
28337 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
28338 | (Inspector::InspectorDebuggerAgent::handleConsoleAssert): | |
28339 | (Inspector::buildObjectForBreakpointCookie): | |
28340 | (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): | |
28341 | (Inspector::InspectorDebuggerAgent::setBreakpoint): | |
28342 | (Inspector::InspectorDebuggerAgent::continueToLocation): | |
28343 | (Inspector::InspectorDebuggerAgent::resolveBreakpoint): | |
28344 | (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): | |
28345 | (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP): | |
28346 | (Inspector::InspectorDebuggerAgent::currentCallFrames): | |
28347 | (Inspector::InspectorDebuggerAgent::didParseSource): | |
28348 | (Inspector::InspectorDebuggerAgent::breakpointActionProbe): | |
28349 | (Inspector::InspectorDebuggerAgent::breakProgram): | |
28350 | * inspector/agents/InspectorDebuggerAgent.h: | |
28351 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
28352 | (Inspector::buildErrorRangeObject): | |
28353 | (Inspector::InspectorRuntimeAgent::callFunctionOn): | |
28354 | (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): | |
28355 | (Inspector::InspectorRuntimeAgent::getBasicBlocks): | |
28356 | * inspector/agents/InspectorRuntimeAgent.h: | |
28357 | * inspector/scripts/codegen/cpp_generator.py: | |
28358 | (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): | |
28359 | (CppGenerator.cpp_type_for_type_with_name): | |
28360 | (CppGenerator.cpp_type_for_formal_async_parameter): | |
28361 | (CppGenerator.should_use_references_for_type): | |
28362 | (CppGenerator): | |
28363 | * inspector/scripts/codegen/cpp_generator_templates.py: | |
28364 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: | |
28365 | (CppBackendDispatcherHeaderGenerator.generate_output): | |
28366 | (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): | |
28367 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: | |
28368 | (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain): | |
28369 | (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): | |
28370 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: | |
28371 | (CppFrontendDispatcherHeaderGenerator.generate_output): | |
28372 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: | |
28373 | (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): | |
28374 | * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: | |
28375 | (CppProtocolTypesHeaderGenerator.generate_output): | |
28376 | (_generate_class_for_object_declaration): | |
28377 | (_generate_unchecked_setter_for_member): | |
28378 | (_generate_forward_declarations_for_binding_traits): | |
28379 | * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: | |
28380 | (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): | |
28381 | * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: | |
28382 | (ObjCFrontendDispatcherImplementationGenerator._generate_event): | |
28383 | (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters): | |
28384 | * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: | |
28385 | (ObjCProtocolTypesImplementationGenerator.generate_output): | |
28386 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
28387 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
28388 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
28389 | * inspector/scripts/tests/expected/enum-values.json-result: | |
28390 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
28391 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
28392 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
28393 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
28394 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
28395 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
28396 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
28397 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
28398 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
28399 | * replay/EncodedValue.cpp: | |
28400 | (JSC::EncodedValue::asObject): | |
28401 | (JSC::EncodedValue::asArray): | |
28402 | (JSC::EncodedValue::put<EncodedValue>): | |
28403 | (JSC::EncodedValue::append<EncodedValue>): | |
28404 | (JSC::EncodedValue::get<EncodedValue>): | |
28405 | * replay/EncodedValue.h: | |
28406 | * replay/scripts/CodeGeneratorReplayInputs.py: | |
28407 | (Type.borrow_type): | |
28408 | (Type.argument_type): | |
28409 | (Generator.generate_member_move_expression): | |
28410 | * runtime/ConsoleClient.cpp: | |
28411 | (JSC::ConsoleClient::printConsoleMessageWithArguments): | |
28412 | (JSC::ConsoleClient::internalMessageWithTypeAndLevel): | |
28413 | (JSC::ConsoleClient::logWithLevel): | |
28414 | (JSC::ConsoleClient::clear): | |
28415 | (JSC::ConsoleClient::dir): | |
28416 | (JSC::ConsoleClient::dirXML): | |
28417 | (JSC::ConsoleClient::table): | |
28418 | (JSC::ConsoleClient::trace): | |
28419 | (JSC::ConsoleClient::assertCondition): | |
28420 | (JSC::ConsoleClient::group): | |
28421 | (JSC::ConsoleClient::groupCollapsed): | |
28422 | (JSC::ConsoleClient::groupEnd): | |
28423 | * runtime/ConsoleClient.h: | |
28424 | * runtime/TypeSet.cpp: | |
28425 | (JSC::TypeSet::allStructureRepresentations): | |
28426 | (JSC::TypeSet::inspectorTypeSet): | |
28427 | (JSC::StructureShape::inspectorRepresentation): | |
28428 | * runtime/TypeSet.h: | |
28429 | ||
28430 | 2015-01-07 Commit Queue <commit-queue@webkit.org> | |
28431 | ||
28432 | Unreviewed, rolling out r178039. | |
28433 | https://bugs.webkit.org/show_bug.cgi?id=140187 | |
28434 | ||
28435 | Breaks ObjC Inspector Protocol (Requested by JoePeck on | |
28436 | #webkit). | |
28437 | ||
28438 | Reverted changeset: | |
28439 | ||
28440 | "Web Inspector: purge PassRefPtr from Inspector code and use | |
28441 | Ref for typed and untyped protocol objects" | |
28442 | https://bugs.webkit.org/show_bug.cgi?id=140053 | |
28443 | http://trac.webkit.org/changeset/178039 | |
28444 | ||
28445 | 2015-01-06 Brian J. Burg <burg@cs.washington.edu> | |
28446 | ||
28447 | Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects | |
28448 | https://bugs.webkit.org/show_bug.cgi?id=140053 | |
28449 | ||
28450 | Reviewed by Andreas Kling. | |
28451 | ||
28452 | This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code | |
28453 | related to Web Inspector. It also converts many uses of RefPtr to Ref where | |
28454 | references are always non-null. These two refactorings have been combined since | |
28455 | they tend to require similar changes to the code. | |
28456 | ||
28457 | Creation methods for subclasses of InspectorValue now return a Ref, and callsites | |
28458 | have been updated to take a Ref instead of RefPtr. | |
28459 | ||
28460 | Builders for typed protocol objects now return a Ref. Since there is no implicit | |
28461 | call to operator&, callsites now must explicitly call .release() to convert a | |
28462 | builder object into the corresponding protocol object once required fields are set. | |
28463 | Update callsites and use auto to eliminate repetition of long-winded protocol types. | |
28464 | ||
28465 | Tests for inspector protocol and replay inputs have been rebaselined. | |
28466 | ||
28467 | * bindings/ScriptValue.cpp: | |
28468 | (Deprecated::jsToInspectorValue): | |
28469 | (Deprecated::ScriptValue::toInspectorValue): | |
28470 | * bindings/ScriptValue.h: | |
28471 | * inspector/ConsoleMessage.cpp: | |
28472 | (Inspector::ConsoleMessage::addToFrontend): | |
28473 | * inspector/ContentSearchUtilities.cpp: | |
28474 | (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): | |
28475 | (Inspector::ContentSearchUtilities::searchInTextByLines): | |
28476 | * inspector/ContentSearchUtilities.h: | |
28477 | * inspector/InjectedScript.cpp: | |
28478 | (Inspector::InjectedScript::getFunctionDetails): | |
28479 | (Inspector::InjectedScript::getProperties): | |
28480 | (Inspector::InjectedScript::getInternalProperties): | |
28481 | (Inspector::InjectedScript::wrapCallFrames): | |
28482 | (Inspector::InjectedScript::wrapObject): | |
28483 | (Inspector::InjectedScript::wrapTable): | |
28484 | * inspector/InjectedScript.h: | |
28485 | * inspector/InjectedScriptBase.cpp: | |
28486 | (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits. | |
28487 | * inspector/InspectorBackendDispatcher.cpp: | |
28488 | (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): | |
28489 | (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): | |
28490 | (Inspector::InspectorBackendDispatcher::create): | |
28491 | (Inspector::InspectorBackendDispatcher::dispatch): | |
28492 | (Inspector::InspectorBackendDispatcher::sendResponse): | |
28493 | (Inspector::InspectorBackendDispatcher::reportProtocolError): | |
28494 | (Inspector::getPropertyValue): Add a comment to clarify what this clever code does. | |
28495 | (Inspector::InspectorBackendDispatcher::getInteger): | |
28496 | (Inspector::InspectorBackendDispatcher::getDouble): | |
28497 | (Inspector::InspectorBackendDispatcher::getString): | |
28498 | (Inspector::InspectorBackendDispatcher::getBoolean): | |
28499 | (Inspector::InspectorBackendDispatcher::getObject): | |
28500 | (Inspector::InspectorBackendDispatcher::getArray): | |
28501 | (Inspector::InspectorBackendDispatcher::getValue): | |
28502 | * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect | |
28503 | protocol error strings. | |
28504 | (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): | |
28505 | Convert the supplemental dispatcher's reference to Ref since it is never null. | |
28506 | * inspector/InspectorEnvironment.h: | |
28507 | * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and | |
28508 | StructItemTraits. Add more versions of addItem to handle pushing various types. | |
28509 | (Inspector::Protocol::Array::openAccessors): | |
28510 | (Inspector::Protocol::Array::addItem): | |
28511 | (Inspector::Protocol::Array::create): | |
28512 | (Inspector::Protocol::StructItemTraits::push): | |
28513 | (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument. | |
28514 | (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted. | |
28515 | (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted. | |
28516 | (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted. | |
28517 | (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted. | |
28518 | (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted. | |
28519 | (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted. | |
28520 | (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted. | |
28521 | (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted. | |
28522 | (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted. | |
28523 | * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have | |
28524 | the same call signature as other getters. Use Ref where possible. | |
28525 | (Inspector::InspectorObjectBase::getBoolean): | |
28526 | (Inspector::InspectorObjectBase::getString): | |
28527 | (Inspector::InspectorObjectBase::getObject): | |
28528 | (Inspector::InspectorObjectBase::getArray): | |
28529 | (Inspector::InspectorObjectBase::getValue): | |
28530 | (Inspector::InspectorObjectBase::writeJSON): | |
28531 | (Inspector::InspectorArrayBase::get): | |
28532 | (Inspector::InspectorObject::create): | |
28533 | (Inspector::InspectorArray::create): | |
28534 | (Inspector::InspectorValue::null): | |
28535 | (Inspector::InspectorString::create): | |
28536 | (Inspector::InspectorBasicValue::create): | |
28537 | (Inspector::InspectorObjectBase::get): Deleted. | |
28538 | * inspector/InspectorValues.h: | |
28539 | (Inspector::InspectorObjectBase::setValue): | |
28540 | (Inspector::InspectorObjectBase::setObject): | |
28541 | (Inspector::InspectorObjectBase::setArray): | |
28542 | (Inspector::InspectorArrayBase::pushValue): | |
28543 | (Inspector::InspectorArrayBase::pushObject): | |
28544 | (Inspector::InspectorArrayBase::pushArray): | |
28545 | * inspector/JSGlobalObjectConsoleClient.cpp: | |
28546 | (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel): | |
28547 | (Inspector::JSGlobalObjectConsoleClient::count): | |
28548 | (Inspector::JSGlobalObjectConsoleClient::timeEnd): | |
28549 | (Inspector::JSGlobalObjectConsoleClient::timeStamp): | |
28550 | * inspector/JSGlobalObjectConsoleClient.h: | |
28551 | * inspector/JSGlobalObjectInspectorController.cpp: | |
28552 | (Inspector::JSGlobalObjectInspectorController::executionStopwatch): | |
28553 | * inspector/JSGlobalObjectInspectorController.h: | |
28554 | * inspector/ScriptCallFrame.cpp: | |
28555 | (Inspector::ScriptCallFrame::buildInspectorObject): | |
28556 | * inspector/ScriptCallFrame.h: | |
28557 | * inspector/ScriptCallStack.cpp: | |
28558 | (Inspector::ScriptCallStack::create): | |
28559 | (Inspector::ScriptCallStack::buildInspectorArray): | |
28560 | * inspector/ScriptCallStack.h: | |
28561 | * inspector/agents/InspectorAgent.cpp: | |
28562 | (Inspector::InspectorAgent::enable): | |
28563 | (Inspector::InspectorAgent::inspect): | |
28564 | (Inspector::InspectorAgent::activateExtraDomain): | |
28565 | * inspector/agents/InspectorAgent.h: | |
28566 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
28567 | (Inspector::InspectorDebuggerAgent::handleConsoleAssert): | |
28568 | (Inspector::buildObjectForBreakpointCookie): | |
28569 | (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): | |
28570 | (Inspector::InspectorDebuggerAgent::setBreakpoint): | |
28571 | (Inspector::InspectorDebuggerAgent::continueToLocation): | |
28572 | (Inspector::InspectorDebuggerAgent::resolveBreakpoint): | |
28573 | (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): | |
28574 | (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP): | |
28575 | (Inspector::InspectorDebuggerAgent::currentCallFrames): | |
28576 | (Inspector::InspectorDebuggerAgent::didParseSource): | |
28577 | (Inspector::InspectorDebuggerAgent::breakpointActionProbe): | |
28578 | (Inspector::InspectorDebuggerAgent::breakProgram): | |
28579 | * inspector/agents/InspectorDebuggerAgent.h: | |
28580 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
28581 | (Inspector::buildErrorRangeObject): | |
28582 | (Inspector::InspectorRuntimeAgent::callFunctionOn): | |
28583 | (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): | |
28584 | (Inspector::InspectorRuntimeAgent::getBasicBlocks): | |
28585 | * inspector/agents/InspectorRuntimeAgent.h: | |
28586 | * inspector/scripts/codegen/cpp_generator.py: | |
28587 | (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): | |
28588 | (CppGenerator.cpp_type_for_type_with_name): | |
28589 | (CppGenerator.cpp_type_for_formal_async_parameter): | |
28590 | (CppGenerator.should_use_references_for_type): | |
28591 | (CppGenerator): | |
28592 | * inspector/scripts/codegen/cpp_generator_templates.py: | |
28593 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: | |
28594 | (CppBackendDispatcherHeaderGenerator.generate_output): | |
28595 | (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): | |
28596 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: | |
28597 | (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain): | |
28598 | (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): | |
28599 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: | |
28600 | (CppFrontendDispatcherHeaderGenerator.generate_output): | |
28601 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: | |
28602 | (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): | |
28603 | * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: | |
28604 | (CppProtocolTypesHeaderGenerator.generate_output): | |
28605 | (_generate_class_for_object_declaration): | |
28606 | (_generate_unchecked_setter_for_member): | |
28607 | (_generate_forward_declarations_for_binding_traits): | |
28608 | * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: | |
28609 | (ObjCConfigurationImplementationGenerator._generate_success_block_for_command): | |
28610 | * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: | |
28611 | (ObjCFrontendDispatcherImplementationGenerator._generate_event): | |
28612 | (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters): | |
28613 | * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: | |
28614 | (ObjCProtocolTypesImplementationGenerator.generate_output): | |
28615 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
28616 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
28617 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
28618 | * inspector/scripts/tests/expected/enum-values.json-result: | |
28619 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
28620 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
28621 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
28622 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
28623 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
28624 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
28625 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
28626 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
28627 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
28628 | * replay/EncodedValue.cpp: | |
28629 | (JSC::EncodedValue::asObject): | |
28630 | (JSC::EncodedValue::asArray): | |
28631 | (JSC::EncodedValue::put<EncodedValue>): | |
28632 | (JSC::EncodedValue::append<EncodedValue>): | |
28633 | (JSC::EncodedValue::get<EncodedValue>): | |
28634 | * replay/EncodedValue.h: | |
28635 | * replay/scripts/CodeGeneratorReplayInputs.py: | |
28636 | (Type.borrow_type): | |
28637 | (Type.argument_type): | |
28638 | (Generator.generate_member_move_expression): | |
28639 | * runtime/ConsoleClient.cpp: | |
28640 | (JSC::ConsoleClient::printConsoleMessageWithArguments): | |
28641 | (JSC::ConsoleClient::internalMessageWithTypeAndLevel): | |
28642 | (JSC::ConsoleClient::logWithLevel): | |
28643 | (JSC::ConsoleClient::clear): | |
28644 | (JSC::ConsoleClient::dir): | |
28645 | (JSC::ConsoleClient::dirXML): | |
28646 | (JSC::ConsoleClient::table): | |
28647 | (JSC::ConsoleClient::trace): | |
28648 | (JSC::ConsoleClient::assertCondition): | |
28649 | (JSC::ConsoleClient::group): | |
28650 | (JSC::ConsoleClient::groupCollapsed): | |
28651 | (JSC::ConsoleClient::groupEnd): | |
28652 | * runtime/ConsoleClient.h: | |
28653 | * runtime/TypeSet.cpp: | |
28654 | (JSC::TypeSet::allStructureRepresentations): | |
28655 | (JSC::TypeSet::inspectorTypeSet): | |
28656 | (JSC::StructureShape::inspectorRepresentation): | |
28657 | * runtime/TypeSet.h: | |
28658 | ||
28659 | 2015-01-06 Chris Dumez <cdumez@apple.com> | |
28660 | ||
28661 | Drop ResourceResponseBase::connectionID and connectionReused members | |
28662 | https://bugs.webkit.org/show_bug.cgi?id=140158 | |
28663 | ||
28664 | Reviewed by Sam Weinig. | |
28665 | ||
28666 | Drop ResourceResponseBase::connectionID and connectionReused members. | |
28667 | Those were needed by the Chromium port but are no longer used. | |
28668 | ||
28669 | * inspector/protocol/Network.json: | |
28670 | ||
28671 | 2015-01-06 Mark Lam <mark.lam@apple.com> | |
28672 | ||
28673 | Add the lexicalEnvironment as an operand to op_create_arguments. | |
28674 | <https://webkit.org/b/140148> | |
28675 | ||
28676 | Reviewed by Geoffrey Garen. | |
28677 | ||
28678 | This patch only adds the operand to the bytecode. It is not in use yet. | |
28679 | ||
28680 | * bytecode/BytecodeList.json: | |
28681 | * bytecode/BytecodeUseDef.h: | |
28682 | (JSC::computeUsesForBytecodeOffset): | |
28683 | * bytecode/CodeBlock.cpp: | |
28684 | (JSC::CodeBlock::dumpBytecode): | |
28685 | * bytecompiler/BytecodeGenerator.cpp: | |
28686 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
28687 | (JSC::BytecodeGenerator::createArgumentsIfNecessary): | |
28688 | - Adds the lexicalEnvironment register (if present) as an operand to | |
28689 | op_create_arguments. Else, adds a constant empty JSValue. | |
28690 | * llint/LowLevelInterpreter32_64.asm: | |
28691 | * llint/LowLevelInterpreter64.asm: | |
28692 | ||
28693 | 2015-01-06 Alexey Proskuryakov <ap@apple.com> | |
28694 | ||
28695 | ADDRESS_SANITIZER macro is overloaded | |
28696 | https://bugs.webkit.org/show_bug.cgi?id=140130 | |
28697 | ||
28698 | Reviewed by Anders Carlsson. | |
28699 | ||
28700 | * interpreter/JSStack.cpp: (JSC::JSStack::sanitizeStack): Use the new macro. | |
28701 | This code is nearly unused (only compiled in when JIT is disabled at build time), | |
28702 | however I've been told that it's best to keep it. | |
28703 | ||
28704 | 2015-01-06 Mark Lam <mark.lam@apple.com> | |
28705 | ||
28706 | Fix Use details for op_create_arguments. | |
28707 | <https://webkit.org/b/140110> | |
28708 | ||
28709 | Rubber stamped by Filip Pizlo. | |
28710 | ||
28711 | The previous patch was wrong about op_create_arguments not using its 1st operand. | |
28712 | It does read from it (hence, used) to check if the Arguments object has already | |
28713 | been created or not. This patch reverts the change for op_create_arguments. | |
28714 | ||
28715 | * bytecode/BytecodeUseDef.h: | |
28716 | (JSC::computeUsesForBytecodeOffset): | |
28717 | ||
28718 | 2015-01-06 Mark Lam <mark.lam@apple.com> | |
28719 | ||
28720 | Fix Use details for op_create_lexical_environment and op_create_arguments. | |
28721 | <https://webkit.org/b/140110> | |
28722 | ||
28723 | Reviewed by Filip Pizlo. | |
28724 | ||
28725 | The current "Use" details for op_create_lexical_environment and | |
28726 | op_create_arguments are wrong. op_create_arguments uses nothing instead of the | |
28727 | 1st operand (the output local). op_create_lexical_environment uses its 2nd | |
28728 | operand (the scope chain) instead of the 1st (the output local). | |
28729 | This patch fixes them to specify the proper uses. | |
28730 | ||
28731 | * bytecode/BytecodeUseDef.h: | |
28732 | (JSC::computeUsesForBytecodeOffset): | |
28733 | ||
28734 | 2015-01-06 Yusuke Suzuki <utatane.tea@gmail.com> | |
28735 | ||
28736 | Implement ES6 String.prototype.repeat(count) | |
28737 | https://bugs.webkit.org/show_bug.cgi?id=140047 | |
28738 | ||
28739 | Reviewed by Darin Adler. | |
28740 | ||
28741 | Introducing the ES6 String.prototype.repeat(count) function. | |
28742 | ||
28743 | * runtime/JSString.h: | |
28744 | * runtime/StringPrototype.cpp: | |
28745 | (JSC::StringPrototype::finishCreation): | |
28746 | (JSC::repeatSmallString): | |
28747 | (JSC::stringProtoFuncRepeat): | |
28748 | ||
28749 | 2015-01-03 Michael Saboff <msaboff@apple.com> | |
28750 | ||
28751 | Crash in operationNewFunction when scrolling on Google+ | |
28752 | https://bugs.webkit.org/show_bug.cgi?id=140033 | |
28753 | ||
28754 | Reviewed by Oliver Hunt. | |
28755 | ||
28756 | In DFG code, the scope register can be eliminated because all uses have been | |
28757 | dead code eliminated. In the case where one of the uses was creating a function | |
28758 | that is never used, the baseline code will still create the function. If we OSR | |
28759 | exit to a path where that function gets created, check the scope register value | |
28760 | and set the new, but dead, function to undefined instead of creating a new function. | |
28761 | ||
28762 | * jit/JITOpcodes.cpp: | |
28763 | (JSC::JIT::emit_op_new_func_exp): | |
28764 | ||
28765 | 2015-01-01 Yusuke Suzuki <utatane.tea@gmail.com> | |
28766 | ||
28767 | String includes methods perform toString on searchString before toInt32 on an offset | |
28768 | https://bugs.webkit.org/show_bug.cgi?id=140031 | |
28769 | ||
28770 | Reviewed by Darin Adler. | |
28771 | ||
28772 | * runtime/StringPrototype.cpp: | |
28773 | (JSC::stringProtoFuncStartsWith): | |
28774 | (JSC::stringProtoFuncEndsWith): | |
28775 | (JSC::stringProtoFuncIncludes): | |
28776 | ||
28777 | 2015-01-01 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
28778 | ||
28779 | Change to return std::unique_ptr<> in fooCreate() | |
28780 | https://bugs.webkit.org/show_bug.cgi?id=139983 | |
28781 | ||
28782 | Reviewed by Darin Adler. | |
28783 | ||
28784 | To avoid unnecessary std::unique_ptr<> casting, fooCreate() returns std::unique_ptr<> directly. | |
28785 | ||
28786 | * create_regex_tables: | |
28787 | * yarr/YarrPattern.h: | |
28788 | (JSC::Yarr::YarrPattern::reset): | |
28789 | (JSC::Yarr::YarrPattern::newlineCharacterClass): | |
28790 | (JSC::Yarr::YarrPattern::digitsCharacterClass): | |
28791 | (JSC::Yarr::YarrPattern::spacesCharacterClass): | |
28792 | (JSC::Yarr::YarrPattern::wordcharCharacterClass): | |
28793 | (JSC::Yarr::YarrPattern::nondigitsCharacterClass): | |
28794 | (JSC::Yarr::YarrPattern::nonspacesCharacterClass): | |
28795 | (JSC::Yarr::YarrPattern::nonwordcharCharacterClass): | |
28796 | ||
28797 | 2015-01-01 Jeff Miller <jeffm@apple.com> | |
28798 | ||
28799 | Update user-visible copyright strings to include 2015 | |
28800 | https://bugs.webkit.org/show_bug.cgi?id=139880 | |
28801 | ||
28802 | Reviewed by Darin Adler. | |
28803 | ||
28804 | * Info.plist: | |
28805 | ||
28806 | 2015-01-01 Darin Adler <darin@apple.com> | |
28807 | ||
28808 | We often misspell identifier as "identifer" | |
28809 | https://bugs.webkit.org/show_bug.cgi?id=140025 | |
28810 | ||
28811 | Reviewed by Michael Saboff. | |
28812 | ||
28813 | * runtime/ArrayConventions.h: Fix it. | |
28814 | ||
28815 | 2014-12-29 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
28816 | ||
28817 | Move JavaScriptCore/yarr to std::unique_ptr | |
28818 | https://bugs.webkit.org/show_bug.cgi?id=139621 | |
28819 | ||
28820 | Reviewed by Anders Carlsson. | |
28821 | ||
28822 | Final clean-up of OwnPtr|PassOwnPtr in JavaScriptCore/yarr. | |
28823 | ||
28824 | * yarr/YarrInterpreter.cpp: | |
28825 | (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd): | |
28826 | * yarr/YarrInterpreter.h: | |
28827 | (JSC::Yarr::BytecodePattern::BytecodePattern): | |
28828 | * yarr/YarrJIT.cpp: | |
28829 | (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): | |
28830 | (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion): | |
28831 | (JSC::Yarr::YarrGenerator::opCompileBody): | |
28832 | * yarr/YarrPattern.cpp: | |
28833 | (JSC::Yarr::CharacterClassConstructor::charClass): | |
28834 | (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor): | |
28835 | (JSC::Yarr::YarrPatternConstructor::reset): | |
28836 | (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter): | |
28837 | (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd): | |
28838 | (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin): | |
28839 | (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin): | |
28840 | (JSC::Yarr::YarrPatternConstructor::copyDisjunction): | |
28841 | (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses): | |
28842 | (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions): | |
28843 | * yarr/YarrPattern.h: | |
28844 | (JSC::Yarr::PatternDisjunction::addNewAlternative): | |
28845 | (JSC::Yarr::YarrPattern::newlineCharacterClass): | |
28846 | (JSC::Yarr::YarrPattern::digitsCharacterClass): | |
28847 | (JSC::Yarr::YarrPattern::spacesCharacterClass): | |
28848 | (JSC::Yarr::YarrPattern::wordcharCharacterClass): | |
28849 | (JSC::Yarr::YarrPattern::nondigitsCharacterClass): | |
28850 | (JSC::Yarr::YarrPattern::nonspacesCharacterClass): | |
28851 | (JSC::Yarr::YarrPattern::nonwordcharCharacterClass): | |
28852 | ||
28853 | 2014-12-26 Dan Bernstein <mitz@apple.com> | |
28854 | ||
28855 | <rdar://problem/19348208> REGRESSION (r177027): iOS builds use the wrong toolchain | |
28856 | https://bugs.webkit.org/show_bug.cgi?id=139950 | |
28857 | ||
28858 | Reviewed by David Kilzer. | |
28859 | ||
28860 | * Configurations/Base.xcconfig: Only define TOOLCHAINS when building for OS X, doing so | |
28861 | in a manner that works with Xcode 5.1.1. | |
28862 | ||
28863 | 2014-12-22 Mark Lam <mark.lam@apple.com> | |
28864 | ||
28865 | Use ctiPatchCallByReturnAddress() in JITOperations.cpp. | |
28866 | <https://webkit.org/b/139892> | |
28867 | ||
28868 | Reviewed by Michael Saboff. | |
28869 | ||
28870 | The code in JITOperations.cpp sometimes calls RepatchBuffer::relinkCallerToFunction() | |
28871 | directly, and sometimes uses a helper function, ctiPatchCallByReturnAddress(). | |
28872 | This patch changes it to use the helper function consistently. | |
28873 | ||
28874 | * jit/JITOperations.cpp: | |
28875 | ||
28876 | 2014-12-22 Mark Lam <mark.lam@apple.com> | |
28877 | ||
28878 | Fix some typos in a comment. | |
28879 | <https://webkit.org/b/139882> | |
28880 | ||
28881 | Reviewed by Michael Saboff. | |
28882 | ||
28883 | * jit/JITPropertyAccess.cpp: | |
28884 | (JSC::JIT::emit_op_get_by_val): | |
28885 | ||
28886 | 2014-12-22 Mark Lam <mark.lam@apple.com> | |
28887 | ||
28888 | Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes. | |
28889 | <https://webkit.org/b/138118> | |
28890 | ||
28891 | Reviewed by Michael Saboff. | |
28892 | ||
28893 | * runtime/JSObject.cpp: | |
28894 | (JSC::JSObject::convertInt32ToArrayStorage): | |
28895 | (JSC::JSObject::convertDoubleToArrayStorage): | |
28896 | (JSC::JSObject::convertContiguousToArrayStorage): | |
28897 | ||
28898 | 2014-12-20 Eric Carlson <eric.carlson@apple.com> | |
28899 | ||
28900 | [iOS] add optimized fullscreen API | |
28901 | https://bugs.webkit.org/show_bug.cgi?id=139833 | |
28902 | <rdar://problem/18844486> | |
28903 | ||
28904 | Reviewed by Simon Fraser. | |
28905 | ||
28906 | * Configurations/FeatureDefines.xcconfig: Add ENABLE_VIDEO_PRESENTATION_MODE. | |
28907 | ||
28908 | 2014-12-20 David Kilzer <ddkilzer@apple.com> | |
28909 | ||
28910 | Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2 | |
28911 | <http://webkit.org/b/139463> | |
28912 | ||
28913 | Reviewed by Mark Rowe. | |
28914 | ||
28915 | * Configurations/JavaScriptCore.xcconfig: | |
28916 | - Simplify SECTORDER_FLAGS. | |
28917 | ||
28918 | 2014-12-19 Andreas Kling <akling@apple.com> | |
28919 | ||
28920 | Plug leak below LLVMCopyStringRepOfTargetData(). | |
28921 | <https://webkit.org/b/139832> | |
28922 | ||
28923 | Reviewed by Michael Saboff. | |
28924 | ||
28925 | LLVMCopyStringRepOfTargetData() returns a strdup()'ed string, so make sure | |
28926 | to free() it after we're done using it. | |
28927 | ||
28928 | * ftl/FTLCompile.cpp: | |
28929 | (JSC::FTL::mmAllocateDataSection): | |
28930 | ||
28931 | 2014-12-19 Joseph Pecoraro <pecoraro@apple.com> | |
28932 | ||
28933 | Web Inspector: CRASH inspector-protocol/debugger/breakpoint-action-detach.html | |
28934 | https://bugs.webkit.org/show_bug.cgi?id=139797 | |
28935 | ||
28936 | Reviewed by Mark Lam. | |
28937 | ||
28938 | * debugger/Debugger.h: | |
28939 | * debugger/Debugger.cpp: | |
28940 | (JSC::Debugger::isAttached): | |
28941 | Check if we are the debugger for a particular global object. | |
28942 | (JSC::Debugger::pauseIfNeeded): | |
28943 | Pass the global object on when hitting a breakpoint. | |
28944 | ||
28945 | * inspector/ScriptDebugServer.h: | |
28946 | * inspector/ScriptDebugServer.cpp: | |
28947 | (Inspector::ScriptDebugServer::handleBreakpointHit): | |
28948 | Stop evaluating breakpoint actions if a previous action caused the | |
28949 | debugger to detach from this global object. | |
28950 | (Inspector::ScriptDebugServer::handlePause): | |
28951 | Standardize on passing JSGlobalObject parameter first. | |
28952 | ||
28953 | 2014-12-19 Mark Lam <mark.lam@apple.com> | |
28954 | ||
28955 | [Win] Endless compiler warnings created by DFGEdge.h. | |
28956 | <https://webkit.org/b/139801> | |
28957 | ||
28958 | Reviewed by Brent Fulgham. | |
28959 | ||
28960 | Add a cast to fix the type just the way the 64-bit version does. | |
28961 | ||
28962 | * dfg/DFGEdge.h: | |
28963 | (JSC::DFG::Edge::makeWord): | |
28964 | ||
28965 | 2014-12-19 Commit Queue <commit-queue@webkit.org> | |
28966 | ||
28967 | Unreviewed, rolling out r177574. | |
28968 | https://bugs.webkit.org/show_bug.cgi?id=139821 | |
28969 | ||
28970 | "Broke Production builds by installing | |
28971 | libWebCoreTestSupport.dylib in the wrong directory" (Requested | |
28972 | by ddkilzer on #webkit). | |
28973 | ||
28974 | Reverted changeset: | |
28975 | ||
28976 | "Switch from using PLATFORM_NAME to SDK selectors in WebCore, | |
28977 | WebInspectorUI, WebKit, WebKit2" | |
28978 | https://bugs.webkit.org/show_bug.cgi?id=139463 | |
28979 | http://trac.webkit.org/changeset/177574 | |
28980 | ||
28981 | 2014-12-19 Michael Saboff <msaboff@apple.com> | |
28982 | ||
28983 | REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked | |
28984 | https://bugs.webkit.org/show_bug.cgi?id=139808 | |
28985 | ||
28986 | Reviewed by Oliver Hunt. | |
28987 | ||
28988 | There are three changes here. | |
28989 | 1) Create a VariableWatchpointSet for captured arguments variables. | |
28990 | 2) Properly use the VariableWatchpointSet* found in op_put_to_scope in the 64 bit LLInt code. | |
28991 | 3) Add the same putLocalClosureVar path to the 32 bit LLInt code that exists in the 64 bit version. | |
28992 | ||
28993 | * bytecompiler/BytecodeGenerator.cpp: | |
28994 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
28995 | * llint/LowLevelInterpreter32_64.asm: | |
28996 | * llint/LowLevelInterpreter64.asm: | |
28997 | ||
28998 | 2014-12-19 David Kilzer <ddkilzer@apple.com> | |
28999 | ||
29000 | Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2 | |
29001 | <http://webkit.org/b/139463> | |
29002 | ||
29003 | Reviewed by Mark Rowe. | |
29004 | ||
29005 | * Configurations/JavaScriptCore.xcconfig: | |
29006 | - Simplify SECTORDER_FLAGS. | |
29007 | ||
29008 | 2014-12-18 Brent Fulgham <bfulgham@apple.com> | |
29009 | ||
29010 | Unreviewed build fix. | |
29011 | ||
29012 | * jsc.cpp: Remove typo. | |
29013 | ||
29014 | 2014-12-17 Michael Saboff <msaboff@apple.com> | |
29015 | ||
29016 | Tests with infinite recursion frequently crash | |
29017 | https://bugs.webkit.org/show_bug.cgi?id=139548 | |
29018 | ||
29019 | Reviewed by Geoffrey Garen. | |
29020 | ||
29021 | While unwinding, if the call frame doesn't have a codeblock, then we | |
29022 | are in native code, handle appropriately. | |
29023 | ||
29024 | * interpreter/Interpreter.cpp: | |
29025 | (JSC::unwindCallFrame): | |
29026 | (JSC::UnwindFunctor::operator()): | |
29027 | Added checks for null CodeBlock. | |
29028 | ||
29029 | (JSC::Interpreter::unwind): Removed wrong ASSERT. | |
29030 | ||
29031 | 2014-12-17 Chris Dumez <cdumez@apple.com> | |
29032 | ||
29033 | [iOS] Make it possible to toggle FeatureCounter support at runtime | |
29034 | https://bugs.webkit.org/show_bug.cgi?id=139688 | |
29035 | <rdar://problem/19266254> | |
29036 | ||
29037 | Reviewed by Andreas Kling. | |
29038 | ||
29039 | Stop linking against AppSupport framework as the functionality is no | |
29040 | longer in WTF (it was moved to WebCore). | |
29041 | ||
29042 | * Configurations/JavaScriptCore.xcconfig: | |
29043 | ||
29044 | 2014-12-17 Brent Fulgham <bfulgham@apple.com> | |
29045 | ||
29046 | [Win] Correct DebugSuffix builds under MSBuild | |
29047 | https://bugs.webkit.org/show_bug.cgi?id=139733 | |
29048 | <rdar://problem/19276880> | |
29049 | ||
29050 | Reviewed by Simon Fraser. | |
29051 | ||
29052 | * JavaScriptCore.vcxproj/JavaScriptCore.proj: Make sure to use the | |
29053 | '_debug' suffix when building the DebugSuffix target. | |
29054 | ||
29055 | 2014-12-16 Enrica Casucci <enrica@apple.com> | |
29056 | ||
29057 | Fix iOS builders for 8.0 | |
29058 | https://bugs.webkit.org/show_bug.cgi?id=139495 | |
29059 | ||
29060 | Reviewed by Michael Saboff. | |
29061 | ||
29062 | * Configurations/LLVMForJSC.xcconfig: | |
29063 | * llvm/library/LLVMExports.cpp: | |
29064 | (initializeAndGetJSCLLVMAPI): | |
29065 | ||
29066 | 2014-12-16 Commit Queue <commit-queue@webkit.org> | |
29067 | ||
29068 | Unreviewed, rolling out r177380. | |
29069 | https://bugs.webkit.org/show_bug.cgi?id=139707 | |
29070 | ||
29071 | "Breaks js/regres/elidable-new-object-* tests" (Requested by | |
29072 | msaboff_ on #webkit). | |
29073 | ||
29074 | Reverted changeset: | |
29075 | ||
29076 | "Fixes operationPutByIdOptimizes such that they check that the | |
29077 | put didn't" | |
29078 | https://bugs.webkit.org/show_bug.cgi?id=139500 | |
29079 | http://trac.webkit.org/changeset/177380 | |
29080 | ||
29081 | 2014-12-16 Matthew Mirman <mmirman@apple.com> | |
29082 | ||
29083 | Fixes operationPutByIdOptimizes such that they check that the put didn't | |
29084 | change the structure of the object whose property access is being | |
29085 | cached. | |
29086 | https://bugs.webkit.org/show_bug.cgi?id=139500 | |
29087 | ||
29088 | Reviewed by Geoffrey Garen. | |
29089 | ||
29090 | * jit/JITOperations.cpp: | |
29091 | (JSC::operationPutByIdStrictOptimize): saved the structure before the put. | |
29092 | (JSC::operationPutByIdNonStrictOptimize): ditto. | |
29093 | (JSC::operationPutByIdDirectStrictOptimize): ditto. | |
29094 | (JSC::operationPutByIdDirectNonStrictOptimize): ditto. | |
29095 | * jit/Repatch.cpp: | |
29096 | (JSC::tryCachePutByID): Added argument for the old structure | |
29097 | (JSC::repatchPutByID): Added argument for the old structure | |
29098 | * jit/Repatch.h: | |
29099 | * tests/stress/put-by-id-build-list-order-recurse.js: | |
29100 | Added test that fails without this patch. | |
29101 | ||
29102 | 2014-12-15 Chris Dumez <cdumez@apple.com> | |
29103 | ||
29104 | [iOS] Add feature counting support | |
29105 | https://bugs.webkit.org/show_bug.cgi?id=139652 | |
29106 | <rdar://problem/19255690> | |
29107 | ||
29108 | Reviewed by Gavin Barraclough. | |
29109 | ||
29110 | Link against AppSupport framework on iOS as we need it to implement | |
29111 | the new FeatureCounter API in WTF. | |
29112 | ||
29113 | * Configurations/JavaScriptCore.xcconfig: | |
29114 | ||
29115 | 2014-12-15 Commit Queue <commit-queue@webkit.org> | |
29116 | ||
29117 | Unreviewed, rolling out r177284. | |
29118 | https://bugs.webkit.org/show_bug.cgi?id=139658 | |
29119 | ||
29120 | "Breaks API tests and LayoutTests on Yosemite Debug" | |
29121 | (Requested by msaboff on #webkit). | |
29122 | ||
29123 | Reverted changeset: | |
29124 | ||
29125 | "Make sure range based iteration of Vector<> still receives | |
29126 | bounds checking" | |
29127 | https://bugs.webkit.org/show_bug.cgi?id=138821 | |
29128 | http://trac.webkit.org/changeset/177284 | |
29129 | ||
29130 | 2014-12-15 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com> | |
29131 | ||
29132 | [EFL] FTL JIT not working on ARM64 | |
29133 | https://bugs.webkit.org/show_bug.cgi?id=139295 | |
29134 | ||
29135 | Reviewed by Michael Saboff. | |
29136 | ||
29137 | Added the missing code for stack unwinding and some additional small fixes | |
29138 | to get FTL working correctly. | |
29139 | ||
29140 | * ftl/FTLCompile.cpp: | |
29141 | (JSC::FTL::mmAllocateDataSection): | |
29142 | * ftl/FTLUnwindInfo.cpp: | |
29143 | (JSC::FTL::UnwindInfo::parse): | |
29144 | ||
29145 | 2014-12-15 Oliver Hunt <oliver@apple.com> | |
29146 | ||
29147 | Make sure range based iteration of Vector<> still receives bounds checking | |
29148 | https://bugs.webkit.org/show_bug.cgi?id=138821 | |
29149 | ||
29150 | Reviewed by Mark Lam. | |
29151 | ||
29152 | Update code to deal with slightly changed iterator semantics. | |
29153 | ||
29154 | * bytecode/UnlinkedCodeBlock.cpp: | |
29155 | (JSC::UnlinkedCodeBlock::visitChildren): | |
29156 | * bytecompiler/BytecodeGenerator.cpp: | |
29157 | (JSC::BytecodeGenerator::emitComplexPopScopes): | |
29158 | * dfg/DFGSpeculativeJIT.cpp: | |
29159 | (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): | |
29160 | * ftl/FTLAbbreviations.h: | |
29161 | (JSC::FTL::mdNode): | |
29162 | (JSC::FTL::buildCall): | |
29163 | * llint/LLIntData.cpp: | |
29164 | (JSC::LLInt::Data::performAssertions): | |
29165 | * parser/Parser.h: | |
29166 | (JSC::Scope::Scope): | |
29167 | * runtime/JSArray.cpp: | |
29168 | (JSC::JSArray::setLengthWithArrayStorage): | |
29169 | (JSC::JSArray::sortCompactedVector): | |
29170 | * tools/ProfileTreeNode.h: | |
29171 | (JSC::ProfileTreeNode::dumpInternal): | |
29172 | * yarr/YarrJIT.cpp: | |
29173 | (JSC::Yarr::YarrGenerator::matchCharacterClass): | |
29174 | ||
29175 | 2014-12-14 Filip Pizlo <fpizlo@apple.com> | |
29176 | ||
29177 | PutLocalSinkingPhase has an invalid assertion about incoming values, because both liveness and deferral analyses are conservative | |
29178 | https://bugs.webkit.org/show_bug.cgi?id=139630 | |
29179 | ||
29180 | Reviewed by Oliver Hunt. | |
29181 | ||
29182 | Replaces a faulty assertion with code to handle an awesome special case. Also adds a lot of | |
29183 | comments that reconstruct my reasoning about this code. I had to work hard to remember how | |
29184 | deferral worked so I wrote my discoveries down. | |
29185 | ||
29186 | * dfg/DFGInsertionSet.h: | |
29187 | (JSC::DFG::InsertionSet::insertBottomConstantForUse): | |
29188 | * dfg/DFGPutLocalSinkingPhase.cpp: | |
29189 | * tests/stress/put-local-conservative.js: Added. | |
29190 | (foo): | |
29191 | (.result): | |
29192 | (bar): | |
29193 | ||
29194 | 2014-12-14 Andreas Kling <akling@apple.com> | |
29195 | ||
29196 | Replace PassRef with Ref/Ref&& across the board. | |
29197 | <https://webkit.org/b/139587> | |
29198 | ||
29199 | Reviewed by Darin Adler. | |
29200 | ||
29201 | * runtime/Identifier.cpp: | |
29202 | (JSC::Identifier::add): | |
29203 | (JSC::Identifier::add8): | |
29204 | * runtime/Identifier.h: | |
29205 | (JSC::Identifier::add): | |
29206 | * runtime/IdentifierInlines.h: | |
29207 | (JSC::Identifier::add): | |
29208 | ||
29209 | 2014-12-12 Matthew Mirman <mmirman@apple.com> | |
29210 | ||
29211 | shiftCountWithArrayStorage should exit to slow path if the object has a sparse map. | |
29212 | https://bugs.webkit.org/show_bug.cgi?id=139598 | |
29213 | <rdar://problem/18779367> | |
29214 | ||
29215 | Reviewed by Filip Pizlo. | |
29216 | ||
29217 | * runtime/JSArray.cpp: | |
29218 | (JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map. | |
29219 | * tests/stress/sparse_splice.js: Added. | |
29220 | ||
29221 | 2014-12-12 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
29222 | ||
29223 | Final clean up OwnPtr in JSC - runtime, ftl, and tool directories | |
29224 | https://bugs.webkit.org/show_bug.cgi?id=139532 | |
29225 | ||
29226 | Reviewed by Mark Lam. | |
29227 | ||
29228 | Final remove OwnPtr, PassOwnPtr in runtime, ftl, and tools directories of JSC. | |
29229 | ||
29230 | * builtins/BuiltinExecutables.h: | |
29231 | * bytecode/CodeBlock.h: | |
29232 | * bytecode/UnlinkedCodeBlock.cpp: | |
29233 | (JSC::generateFunctionCodeBlock): | |
29234 | * ftl/FTLAbstractHeap.cpp: | |
29235 | (JSC::FTL::IndexedAbstractHeap::atSlow): | |
29236 | * ftl/FTLAbstractHeap.h: | |
29237 | * ftl/FTLCompile.cpp: | |
29238 | (JSC::FTL::mmAllocateDataSection): | |
29239 | * ftl/FTLJITFinalizer.h: | |
29240 | * jsc.cpp: | |
29241 | (jscmain): | |
29242 | * parser/Lexer.h: | |
29243 | * runtime/PropertyMapHashTable.h: | |
29244 | (JSC::PropertyTable::clearDeletedOffsets): | |
29245 | (JSC::PropertyTable::addDeletedOffset): | |
29246 | * runtime/PropertyTable.cpp: | |
29247 | (JSC::PropertyTable::PropertyTable): | |
29248 | * runtime/RegExpObject.cpp: | |
29249 | * runtime/SmallStrings.cpp: | |
29250 | * runtime/Structure.cpp: | |
29251 | * runtime/StructureIDTable.cpp: | |
29252 | (JSC::StructureIDTable::StructureIDTable): | |
29253 | (JSC::StructureIDTable::resize): | |
29254 | * runtime/StructureIDTable.h: | |
29255 | * runtime/StructureTransitionTable.h: | |
29256 | * runtime/VM.cpp: | |
29257 | (JSC::VM::VM): | |
29258 | (JSC::VM::~VM): | |
29259 | * runtime/VM.h: | |
29260 | * tools/CodeProfile.h: | |
29261 | (JSC::CodeProfile::CodeProfile): | |
29262 | (JSC::CodeProfile::addChild): | |
29263 | ||
29264 | 2014-12-11 Dan Bernstein <mitz@apple.com> | |
29265 | ||
29266 | iOS Simulator production build fix. | |
29267 | ||
29268 | * Configurations/JavaScriptCore.xcconfig: Don’t use an order file when building for the iOS | |
29269 | Simulator, as we did prior to 177027. | |
29270 | ||
29271 | 2014-12-11 Joseph Pecoraro <pecoraro@apple.com> | |
29272 | ||
29273 | Explicitly export some more RWIProtocol classes. | |
29274 | rdar://problem/19220408 | |
29275 | ||
29276 | Unreviewed build fix. | |
29277 | ||
29278 | * inspector/scripts/codegen/generate_objc_configuration_header.py: | |
29279 | (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains): | |
29280 | * inspector/scripts/codegen/generate_objc_header.py: | |
29281 | (ObjCHeaderGenerator._generate_event_interfaces): | |
29282 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
29283 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
29284 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
29285 | * inspector/scripts/tests/expected/enum-values.json-result: | |
29286 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
29287 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
29288 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
29289 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
29290 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
29291 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
29292 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
29293 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
29294 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
29295 | ||
29296 | 2014-12-11 Alexey Proskuryakov <ap@apple.com> | |
29297 | ||
29298 | Explicitly export some RWIProtocol classes | |
29299 | rdar://problem/19220408 | |
29300 | ||
29301 | * inspector/scripts/codegen/generate_objc_header.py: | |
29302 | (ObjCHeaderGenerator._generate_type_interface): | |
29303 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
29304 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
29305 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
29306 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
29307 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
29308 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
29309 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
29310 | ||
29311 | 2014-12-11 Mark Lam <mark.lam@apple.com> | |
29312 | ||
29313 | Fix broken build after r177146. | |
29314 | https://bugs.webkit.org/show_bug.cgi?id=139533 | |
29315 | ||
29316 | Not reviewed. | |
29317 | ||
29318 | * interpreter/CallFrame.h: | |
29319 | (JSC::ExecState::init): | |
29320 | - Restored CallFrame::init() minus the unused JSScope* arg. | |
29321 | * runtime/JSGlobalObject.cpp: | |
29322 | (JSC::JSGlobalObject::init): | |
29323 | - Remove JSScope* arg when calling CallFrame::init(). | |
29324 | ||
29325 | 2014-12-11 Michael Saboff <msaboff@apple.com> | |
29326 | ||
29327 | REGRESSION: Use of undefined CallFrame::ScopeChain value | |
29328 | https://bugs.webkit.org/show_bug.cgi?id=139533 | |
29329 | ||
29330 | Reviewed by Mark Lam. | |
29331 | ||
29332 | Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed | |
29333 | all usages of these functions. In some cases the scope is passed in or determined | |
29334 | another way. In some cases the scope is used to calculate other values. Lastly, | |
29335 | there were places where these functions were used that are no longer needed. For | |
29336 | example when making a call, the caller's ScopeChain was copied to the callee's | |
29337 | ScopeChain. This change no longer uses the ScopeChain call frame header slot. | |
29338 | That slot will be removed in a future patch. | |
29339 | ||
29340 | * dfg/DFGByteCodeParser.cpp: | |
29341 | (JSC::DFG::ByteCodeParser::parseBlock): | |
29342 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
29343 | (JSC::DFG::SpeculativeJIT::compile): | |
29344 | * dfg/DFGSpeculativeJIT64.cpp: | |
29345 | (JSC::DFG::SpeculativeJIT::compile): | |
29346 | * dfg/DFGSpeculativeJIT.h: | |
29347 | (JSC::DFG::SpeculativeJIT::callOperation): | |
29348 | * jit/JIT.h: | |
29349 | * jit/JITInlines.h: | |
29350 | (JSC::JIT::callOperation): | |
29351 | * runtime/JSLexicalEnvironment.h: | |
29352 | (JSC::JSLexicalEnvironment::create): | |
29353 | (JSC::JSLexicalEnvironment::JSLexicalEnvironment): | |
29354 | * jit/JITOpcodes.cpp: | |
29355 | (JSC::JIT::emit_op_create_lexical_environment): | |
29356 | * jit/JITOpcodes32_64.cpp: | |
29357 | (JSC::JIT::emit_op_create_lexical_environment): | |
29358 | * jit/JITOperations.cpp: | |
29359 | * jit/JITOperations.h: | |
29360 | * llint/LLIntSlowPaths.cpp: | |
29361 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
29362 | (JSC::LLInt::handleHostCall): | |
29363 | (JSC::LLInt::setUpCall): | |
29364 | (JSC::LLInt::llint_throw_stack_overflow_error): | |
29365 | Pass the current scope value to the helper operationCreateActivation() and | |
29366 | the call to JSLexicalEnvironment::create() instead of using the stack frame | |
29367 | scope chain value. | |
29368 | ||
29369 | * dfg/DFGFixupPhase.cpp: | |
29370 | (JSC::DFG::FixupPhase::fixupNode): | |
29371 | CreateActivation now has a second child, the scope. | |
29372 | ||
29373 | * interpreter/CallFrame.h: | |
29374 | (JSC::ExecState::init): Deleted. This is dead code. | |
29375 | (JSC::ExecState::scope): Deleted. | |
29376 | (JSC::ExecState::setScope): Deleted. | |
29377 | ||
29378 | * interpreter/Interpreter.cpp: | |
29379 | (JSC::Interpreter::dumpRegisters): Changed so we didn't access the scope | |
29380 | chain slot. | |
29381 | ||
29382 | (JSC::Interpreter::execute): | |
29383 | (JSC::Interpreter::executeCall): | |
29384 | (JSC::Interpreter::executeConstruct): | |
29385 | Changed process to find JSScope values on the stack or by some other means. | |
29386 | ||
29387 | * runtime/JSWithScope.h: | |
29388 | (JSC::JSWithScope::JSWithScope): Deleted. | |
29389 | Eliminated unused constructor. | |
29390 | ||
29391 | * runtime/StrictEvalActivation.cpp: | |
29392 | (JSC::StrictEvalActivation::StrictEvalActivation): | |
29393 | * runtime/StrictEvalActivation.h: | |
29394 | (JSC::StrictEvalActivation::create): | |
29395 | Changed to pass in the current scope. | |
29396 | ||
29397 | 2014-12-10 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
29398 | ||
29399 | Use std::unique_ptr instead of OwnPtr in JSC - heap, jit, runtime, and parser directories | |
29400 | https://bugs.webkit.org/show_bug.cgi?id=139351 | |
29401 | ||
29402 | Reviewed by Filip Pizlo. | |
29403 | ||
29404 | As a step to use std::unique_ptr<>, this cleans up OwnPtr and PassOwnPtr. | |
29405 | ||
29406 | * bytecode/SamplingTool.h: | |
29407 | (JSC::SamplingTool::SamplingTool): | |
29408 | * heap/CopiedBlock.h: | |
29409 | (JSC::CopiedBlock::didSurviveGC): | |
29410 | (JSC::CopiedBlock::pin): | |
29411 | * heap/CopiedBlockInlines.h: | |
29412 | (JSC::CopiedBlock::reportLiveBytes): | |
29413 | * heap/GCActivityCallback.h: | |
29414 | * heap/GCThread.cpp: | |
29415 | * heap/Heap.h: | |
29416 | * heap/HeapInlines.h: | |
29417 | (JSC::Heap::markListSet): | |
29418 | * jit/ExecutableAllocator.cpp: | |
29419 | * jit/JIT.cpp: | |
29420 | (JSC::JIT::privateCompile): | |
29421 | * jit/JIT.h: | |
29422 | * jit/JITThunks.cpp: | |
29423 | (JSC::JITThunks::JITThunks): | |
29424 | (JSC::JITThunks::clearHostFunctionStubs): | |
29425 | * jit/JITThunks.h: | |
29426 | * parser/Parser.cpp: | |
29427 | (JSC::Parser<LexerType>::Parser): | |
29428 | * parser/Parser.h: | |
29429 | (JSC::Scope::Scope): | |
29430 | (JSC::Scope::pushLabel): | |
29431 | * parser/ParserArena.cpp: | |
29432 | * parser/ParserArena.h: | |
29433 | (JSC::ParserArena::identifierArena): | |
29434 | * parser/SourceProviderCache.h: | |
29435 | * runtime/CodeCache.h: | |
29436 | * runtime/Executable.h: | |
29437 | * runtime/JSArray.cpp: | |
29438 | (JSC::JSArray::sortVector): | |
29439 | * runtime/JSGlobalObject.h: | |
29440 | ||
29441 | 2014-12-10 Geoffrey Garen <ggaren@apple.com> | |
29442 | ||
29443 | Please disable the webkitFirstVersionWithInitConstructorSupport check on Apple TV | |
29444 | https://bugs.webkit.org/show_bug.cgi?id=139501 | |
29445 | ||
29446 | Reviewed by Gavin Barraclough. | |
29447 | ||
29448 | NSVersionOfLinkTimeLibrary only works if you link directly against | |
29449 | JavaScriptCore, which is a bit awkward for our Apple TV client to do. | |
29450 | ||
29451 | It's easy enough just to disable this check on Apple TV, since it has no | |
29452 | backwards compatibility requirement. | |
29453 | ||
29454 | * API/JSWrapperMap.mm: | |
29455 | (supportsInitMethodConstructors): | |
29456 | ||
29457 | 2014-12-10 Matthew Mirman <mmirman@apple.com> | |
29458 | ||
29459 | Fixes operationPutByIds such that they check that the put didn't | |
29460 | change the structure of the object whose property access is being | |
29461 | cached. | |
29462 | https://bugs.webkit.org/show_bug.cgi?id=139196 | |
29463 | ||
29464 | Reviewed by Filip Pizlo. | |
29465 | ||
29466 | * jit/JITOperations.cpp: | |
29467 | (JSC::operationGetByIdOptimize): changed get to getPropertySlot | |
29468 | (JSC::operationPutByIdStrictBuildList): saved the structure before the put. | |
29469 | (JSC::operationPutByIdNonStrictBuildList): ditto. | |
29470 | (JSC::operationPutByIdDirectStrictBuildList): ditto. | |
29471 | (JSC::operationPutByIdDirectNonStrictBuildList): ditto. | |
29472 | * jit/Repatch.cpp: | |
29473 | (JSC::tryCachePutByID): fixed structure() to use the existent vm. | |
29474 | (JSC::tryBuildPutByIdList): Added a check that the old structure's id | |
29475 | is the same as the new. | |
29476 | (JSC::buildPutByIdList): Added an argument | |
29477 | * jit/Repatch.h: | |
29478 | (JSC::buildPutByIdList): Added an argument | |
29479 | * tests/stress/put-by-id-strict-build-list-order.js: Added. | |
29480 | ||
29481 | 2014-12-10 Csaba Osztrogonác <ossy@webkit.org> | |
29482 | ||
29483 | URTBF after r177030. | |
29484 | ||
29485 | Fix linking failure that occurred on ARM buildbots: | |
29486 | lib/libjavascriptcore_efl.so.1.11.0: undefined reference to `JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&)' | |
29487 | ||
29488 | * runtime/NullGetterFunction.cpp: | |
29489 | ||
29490 | 2014-12-09 Michael Saboff <msaboff@apple.com> | |
29491 | ||
29492 | DFG Tries using an inner object's getter/setter when one hasn't been defined | |
29493 | https://bugs.webkit.org/show_bug.cgi?id=139229 | |
29494 | ||
29495 | Reviewed by Filip Pizlo. | |
29496 | ||
29497 | Added a new NullGetterFunction singleton class to use for getters and setters that | |
29498 | haven't been set to a user defined value. The NullGetterFunction callReturnUndefined() | |
29499 | and createReturnUndefined() methods return undefined. Changed all null checks of the | |
29500 | getter and setter pointers to the newly added isGetterNull() and isSetterNull() | |
29501 | helper methods. | |
29502 | ||
29503 | * CMakeLists.txt: | |
29504 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
29505 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
29506 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
29507 | Added NullGetterFunction.cpp & .h to build files. | |
29508 | ||
29509 | * dfg/DFGAbstractInterpreterInlines.h: | |
29510 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
29511 | * runtime/ObjectPrototype.cpp: | |
29512 | (JSC::objectProtoFuncLookupGetter): | |
29513 | (JSC::objectProtoFuncLookupSetter): | |
29514 | * runtime/PropertyDescriptor.cpp: | |
29515 | (JSC::PropertyDescriptor::setDescriptor): | |
29516 | (JSC::PropertyDescriptor::setAccessorDescriptor): | |
29517 | Changed checking getter and setter to null to use new isGetterNull() and isSetterNull() | |
29518 | helpers. | |
29519 | ||
29520 | * inspector/JSInjectedScriptHostPrototype.cpp: | |
29521 | (Inspector::JSInjectedScriptHostPrototype::finishCreation): | |
29522 | * inspector/JSJavaScriptCallFramePrototype.cpp: | |
29523 | * jit/JITOperations.cpp: | |
29524 | * llint/LLIntSlowPaths.cpp: | |
29525 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
29526 | * runtime/JSObject.cpp: | |
29527 | (JSC::JSObject::putIndexedDescriptor): | |
29528 | (JSC::putDescriptor): | |
29529 | (JSC::JSObject::defineOwnNonIndexProperty): | |
29530 | * runtime/MapPrototype.cpp: | |
29531 | (JSC::MapPrototype::finishCreation): | |
29532 | * runtime/SetPrototype.cpp: | |
29533 | (JSC::SetPrototype::finishCreation): | |
29534 | Updated calls to GetterSetter::create(), setGetter(), setSetter(), withGetter() | |
29535 | and withSetter() to provide a global object. | |
29536 | ||
29537 | * runtime/GetterSetter.cpp: | |
29538 | (JSC::GetterSetter::withGetter): | |
29539 | (JSC::GetterSetter::withSetter): | |
29540 | (JSC::callGetter): | |
29541 | (JSC::callSetter): | |
29542 | * runtime/GetterSetter.h: | |
29543 | (JSC::GetterSetter::GetterSetter): | |
29544 | (JSC::GetterSetter::create): | |
29545 | (JSC::GetterSetter::isGetterNull): | |
29546 | (JSC::GetterSetter::isSetterNull): | |
29547 | (JSC::GetterSetter::setGetter): | |
29548 | (JSC::GetterSetter::setSetter): | |
29549 | Changed to use NullGetterFunction for unspecified getters / setters. | |
29550 | ||
29551 | * runtime/JSGlobalObject.cpp: | |
29552 | (JSC::JSGlobalObject::init): | |
29553 | (JSC::JSGlobalObject::createThrowTypeError): | |
29554 | (JSC::JSGlobalObject::visitChildren): | |
29555 | * runtime/JSGlobalObject.h: | |
29556 | (JSC::JSGlobalObject::nullGetterFunction): | |
29557 | (JSC::JSGlobalObject::evalFunction): | |
29558 | Added m_nullGetterFunction singleton. Updated calls to GetterSetter::create(), | |
29559 | setGetter() and setSetter() to provide a global object. | |
29560 | ||
29561 | * runtime/NullGetterFunction.cpp: Added. | |
29562 | (JSC::callReturnUndefined): | |
29563 | (JSC::constructReturnUndefined): | |
29564 | (JSC::NullGetterFunction::getCallData): | |
29565 | (JSC::NullGetterFunction::getConstructData): | |
29566 | * runtime/NullGetterFunction.h: Added. | |
29567 | (JSC::NullGetterFunction::create): | |
29568 | (JSC::NullGetterFunction::createStructure): | |
29569 | (JSC::NullGetterFunction::NullGetterFunction): | |
29570 | New singleton class that returns undefined when called. | |
29571 | ||
29572 | 2014-12-09 Geoffrey Garen <ggaren@apple.com> | |
29573 | ||
29574 | Re-enable function.arguments | |
29575 | https://bugs.webkit.org/show_bug.cgi?id=139452 | |
29576 | <rdar://problem/18848149> | |
29577 | ||
29578 | Reviewed by Sam Weinig. | |
29579 | ||
29580 | Disabling function.arguments broke a few websites, and we don't have | |
29581 | time right now to work through the details. | |
29582 | ||
29583 | I'm re-enabling function.arguments but leaving in the infrastructure | |
29584 | to re-disable it, so we can try this experiment again in the future. | |
29585 | ||
29586 | * runtime/Options.h: | |
29587 | ||
29588 | 2014-12-09 David Kilzer <ddkilzer@apple.com> | |
29589 | ||
29590 | Switch from using PLATFORM_NAME to SDK selectors in ANGLE, bmalloc, gtest, JavaScriptCore, WTF | |
29591 | <http://webkit.org/b/139212> | |
29592 | ||
29593 | Reviewed by Joseph Pecoraro. | |
29594 | ||
29595 | * Configurations/Base.xcconfig: | |
29596 | - Only set GCC_ENABLE_OBJC_GC, GCC_MODEL_TUNING and TOOLCHAINS | |
29597 | on OS X. | |
29598 | - Only set LLVM_LOCAL_HEADER_PATH and LLVM_SYSTEM_HEADER_PATH on | |
29599 | OS X. | |
29600 | - Set JAVASCRIPTCORE_CONTENTS_DIR and | |
29601 | JAVASCRIPTCORE_FRAMEWORKS_DIR separately for iOS and OS X. | |
29602 | ||
29603 | * Configurations/DebugRelease.xcconfig: | |
29604 | - Only set MACOSX_DEPLOYMENT_TARGET and SDKROOT on OS X. | |
29605 | ||
29606 | * Configurations/JSC.xcconfig: | |
29607 | - Only set CODE_SIGN_ENTITLEMENTS for iOS hardware builds. | |
29608 | ||
29609 | * Configurations/JavaScriptCore.xcconfig: | |
29610 | - Set OTHER_LDFLAGS separately for iOS and OS X. | |
29611 | - Set SECTORDER_FLAGS separately for iOS and OS X, but only for | |
29612 | Production builds. | |
29613 | - Only set EXCLUDED_SOURCE_FILE_NAMES for iOS. | |
29614 | ||
29615 | * Configurations/LLVMForJSC.xcconfig: | |
29616 | - Rename LLVM_LIBS_iphoneos to LLVM_LIBS_ios. | |
29617 | - Set LLVM_LIBRARY_PATHS and OTHER_LDFLAGS_LLVM_ENABLE_FTL_JIT | |
29618 | separately for iOS hardware and OS X. | |
29619 | - Fix curly braces in LIBRARY_SEARCH_PATHS. | |
29620 | - Merge OTHER_LDFLAGS_BASE into OTHER_LDFLAGS. (Could have been | |
29621 | done before this patch.) | |
29622 | ||
29623 | * Configurations/ToolExecutable.xcconfig: | |
29624 | - Only set CODE_SIGN_ENTITLEMENTS for iOS, per target. | |
29625 | - Only set CLANG_ENABLE_OBJC_ARC for i386 on the iOS Simulator. | |
29626 | - Add missing newline. | |
29627 | ||
29628 | * Configurations/Version.xcconfig: | |
29629 | - Set SYSTEM_VERSION_PREFIX separately for iOS and OS X. | |
29630 | ||
29631 | 2014-12-08 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
29632 | ||
29633 | Fix EFL build since r177001 | |
29634 | https://bugs.webkit.org/show_bug.cgi?id=139428 | |
29635 | ||
29636 | Unreviewed, EFL build fix. | |
29637 | ||
29638 | Do not inherit from a duplicated class. ExpressionNode is already a | |
29639 | child of the ParserArenaFreeable class. | |
29640 | ||
29641 | * parser/Nodes.h: | |
29642 | ||
29643 | 2014-12-08 Shivakumar JM <shiva.jm@samsung.com> | |
29644 | ||
29645 | Fix Build Warning in JavaScriptCore ControlFlowProfiler::dumpData() API. | |
29646 | https://bugs.webkit.org/show_bug.cgi?id=139384 | |
29647 | ||
29648 | Reviewed by Mark Lam. | |
29649 | ||
29650 | Fix Build Warning by using dataLog() function instead of dataLogF() function. | |
29651 | ||
29652 | * runtime/ControlFlowProfiler.cpp: | |
29653 | (JSC::ControlFlowProfiler::dumpData): | |
29654 | ||
29655 | 2014-12-08 Saam Barati <saambarati1@gmail.com> | |
29656 | ||
29657 | Web Inspector: Enable runtime API for JSC's control flow profiler | |
29658 | https://bugs.webkit.org/show_bug.cgi?id=139346 | |
29659 | ||
29660 | Reviewed by Joseph Pecoraro. | |
29661 | ||
29662 | This patch creates an API that the Web Inspector can use | |
29663 | to get information about which basic blocks have executed | |
29664 | from JSC's control flow profiler. | |
29665 | ||
29666 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
29667 | (Inspector::InspectorRuntimeAgent::getBasicBlocks): | |
29668 | * inspector/agents/InspectorRuntimeAgent.h: | |
29669 | * inspector/protocol/Runtime.json: | |
29670 | ||
29671 | 2014-12-08 Geoffrey Garen <ggaren@apple.com> | |
29672 | ||
29673 | Removed some allocation and cruft from the parser | |
29674 | https://bugs.webkit.org/show_bug.cgi?id=139416 | |
29675 | ||
29676 | Reviewed by Mark Lam. | |
29677 | ||
29678 | Now, the only AST nodes that require a destructor are the ones that | |
29679 | relate to pickling a function's arguments -- which will require some | |
29680 | deeper thinking to resolve. | |
29681 | ||
29682 | This is a < 1% parser speedup. | |
29683 | ||
29684 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
29685 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
29686 | * JavaScriptCore.xcodeproj/project.pbxproj: Removed NodeInfo because it | |
29687 | was unused. | |
29688 | ||
29689 | * bytecompiler/NodesCodegen.cpp: | |
29690 | (JSC::CommaNode::emitBytecode): | |
29691 | (JSC::SourceElements::lastStatement): | |
29692 | (JSC::SourceElements::emitBytecode): Updated for interface change to linked list. | |
29693 | ||
29694 | * parser/ASTBuilder.h: | |
29695 | (JSC::ASTBuilder::ASTBuilder): | |
29696 | (JSC::ASTBuilder::varDeclarations): | |
29697 | (JSC::ASTBuilder::funcDeclarations): | |
29698 | (JSC::ASTBuilder::createFuncDeclStatement): | |
29699 | (JSC::ASTBuilder::addVar): Removed the ParserArenaData abstraction because | |
29700 | it wasn't buying us anything. We can just use Vector directly. | |
29701 | ||
29702 | (JSC::ASTBuilder::createCommaExpr): | |
29703 | (JSC::ASTBuilder::appendToCommaExpr): Changed to use a linked list instead | |
29704 | of a vector, to avoid allocating a vector with inline capacity in the | |
29705 | common case in which an expression is not followed by a vector. | |
29706 | ||
29707 | (JSC::ASTBuilder::Scope::Scope): Use Vector directly to avoid new'ing | |
29708 | up a Vector*. | |
29709 | ||
29710 | (JSC::ASTBuilder::appendToComma): Deleted. | |
29711 | (JSC::ASTBuilder::combineCommaNodes): Deleted. | |
29712 | ||
29713 | * parser/Lexer.cpp: | |
29714 | ||
29715 | * parser/NodeConstructors.h: | |
29716 | (JSC::StatementNode::StatementNode): | |
29717 | (JSC::CommaNode::CommaNode): | |
29718 | (JSC::SourceElements::SourceElements): Updated for interface change to linked list. | |
29719 | ||
29720 | * parser/NodeInfo.h: Removed. | |
29721 | ||
29722 | * parser/Nodes.cpp: | |
29723 | (JSC::SourceElements::append): | |
29724 | (JSC::SourceElements::singleStatement): Use a linked list instead of a | |
29725 | vector to track the statements in a list. This removes some allocation | |
29726 | and it means that we don't need a destructor anymore. | |
29727 | ||
29728 | (JSC::ScopeNode::ScopeNode): | |
29729 | (JSC::ProgramNode::ProgramNode): | |
29730 | (JSC::EvalNode::EvalNode): | |
29731 | (JSC::FunctionNode::FunctionNode): Updated for interface change to reference, | |
29732 | since these values are never null. | |
29733 | ||
29734 | * parser/Nodes.h: | |
29735 | (JSC::StatementNode::next): | |
29736 | (JSC::StatementNode::setNext): | |
29737 | (JSC::CommaNode::append): Deleted. Updated for interface change to linked list. | |
29738 | ||
29739 | * parser/Parser.cpp: | |
29740 | (JSC::Parser<LexerType>::didFinishParsing): Updated for interface change to reference. | |
29741 | ||
29742 | (JSC::Parser<LexerType>::parseVarDeclarationList): | |
29743 | (JSC::Parser<LexerType>::parseExpression): Track comma expressions as | |
29744 | an explicit list of CommaNodes, removing a use of vector and a destructor. | |
29745 | ||
29746 | * parser/Parser.h: | |
29747 | (JSC::Parser<LexerType>::parse): | |
29748 | * parser/SyntaxChecker.h: | |
29749 | (JSC::SyntaxChecker::createCommaExpr): | |
29750 | (JSC::SyntaxChecker::appendToCommaExpr): | |
29751 | (JSC::SyntaxChecker::appendToComma): Deleted. Updated for interface changes. | |
29752 | ||
29753 | 2014-12-08 Commit Queue <commit-queue@webkit.org> | |
29754 | ||
29755 | Unreviewed, rolling out r176979. | |
29756 | https://bugs.webkit.org/show_bug.cgi?id=139424 | |
29757 | ||
29758 | "New JSC test in this patch is failing" (Requested by mlam on | |
29759 | #webkit). | |
29760 | ||
29761 | Reverted changeset: | |
29762 | ||
29763 | "Fixes operationPutByIds such that they check that the put | |
29764 | didn't" | |
29765 | https://bugs.webkit.org/show_bug.cgi?id=139196 | |
29766 | http://trac.webkit.org/changeset/176979 | |
29767 | ||
29768 | 2014-12-08 Matthew Mirman <mmirman@apple.com> | |
29769 | ||
29770 | Fixes operationPutByIds such that they check that the put didn't | |
29771 | change the structure of the object whose property access is being | |
29772 | cached. | |
29773 | https://bugs.webkit.org/show_bug.cgi?id=139196 | |
29774 | ||
29775 | Reviewed by Filip Pizlo. | |
29776 | ||
29777 | * jit/JITOperations.cpp: | |
29778 | (JSC::operationGetByIdOptimize): changed get to getPropertySlot | |
29779 | (JSC::operationPutByIdStrictBuildList): saved the structure before the put. | |
29780 | (JSC::operationPutByIdNonStrictBuildList): ditto. | |
29781 | (JSC::operationPutByIdDirectStrictBuildList): ditto. | |
29782 | (JSC::operationPutByIdDirectNonStrictBuildList): ditto. | |
29783 | * jit/Repatch.cpp: | |
29784 | (JSC::tryCachePutByID): fixed structure() to use the existing vm. | |
29785 | (JSC::tryBuildPutByIdList): Added a check that the old structure's id | |
29786 | is the same as the new. | |
29787 | (JSC::buildPutByIdList): Added an argument | |
29788 | * jit/Repatch.h: | |
29789 | (JSC::buildPutByIdList): Added an argument | |
29790 | * tests/stress/put-by-id-build-list-order-recurse.js: Test that failed before the change | |
29791 | * tests/stress/put-by-id-strict-build-list-order.js: Added. | |
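The structure check the entry above describes, as an added example that is not JavaScriptCore's code: a toy C++ model of a put-by-id inline cache in which the slow-path put can run a setter that transitions the object's structure. The unchecked builder records the transition from the structure it saved before the put to whatever structure the object ends up with, so a later fast-path replay stamps a fresh object with a structure that claims a property no put ever wrote. The checked builder refuses to cache unless the final structure is exactly one transition, adding the cached property, away from the saved one. The names (toy::Structure, toy::Object, the setter hook) and the slot layout are assumptions made for the example.

```cpp
// Added example, not JavaScriptCore code: a toy model of the inline-cache hazard.
// A slow-path put may run arbitrary code (a setter) that transitions the object's
// structure, so a cache built afterwards must check that the structure it saved
// before the put is really the parent of the structure it is about to cache.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

namespace toy {

struct Structure {
    uint32_t id;
    std::shared_ptr<Structure> previous;    // transition parent; null for the root
    std::string addedProperty;              // property this transition added
    std::map<std::string, size_t> slots;    // property name -> slot index
};

struct Object {
    std::shared_ptr<Structure> structure;
    std::vector<int> slots;                  // -1 marks a slot that was never written
    std::function<void(Object&)> setterHook; // runs during put; stands in for a JS setter
};

inline uint32_t& nextStructureID() { static uint32_t id = 1; return id; }

inline std::shared_ptr<Structure> rootStructure() {
    auto s = std::make_shared<Structure>();
    s->id = nextStructureID()++;
    return s;
}

// A transition: `base` plus one property appended at the next slot.
inline std::shared_ptr<Structure> addProperty(const std::shared_ptr<Structure>& base,
                                              const std::string& name) {
    auto s = std::make_shared<Structure>(*base);
    s->id = nextStructureID()++;
    s->previous = base;
    s->addedProperty = name;
    s->slots[name] = base->slots.size();
    return s;
}

// Slow-path put: the setter hook (arbitrary code) runs before the property is added.
inline void put(Object& obj, const std::string& name, int value) {
    if (obj.setterHook) obj.setterHook(obj);
    if (!obj.structure->slots.count(name))
        obj.structure = addProperty(obj.structure, name);
    obj.slots.resize(obj.structure->slots.size(), -1);
    obj.slots[obj.structure->slots.at(name)] = value;
}

struct CachedTransition {
    bool valid;
    uint32_t oldStructureID;
    std::shared_ptr<Structure> newStructure;
    size_t slot;
};

// Unchecked builder: records "saved structure -> final structure" even when the
// setter changed the structure in between, so the cached transition skips a property.
inline CachedTransition buildCacheUnchecked(Object& obj, const std::string& name, int value) {
    auto oldStructure = obj.structure;
    put(obj, name, value);
    return {true, oldStructure->id, obj.structure, obj.structure->slots.at(name)};
}

// Checked builder: cache only when the final structure is exactly one transition
// (adding `name`) away from the structure saved before the put.
inline CachedTransition buildCacheChecked(Object& obj, const std::string& name, int value) {
    auto oldStructure = obj.structure;
    put(obj, name, value);
    auto finalStructure = obj.structure;
    if (!finalStructure->previous || finalStructure->previous->id != oldStructure->id
        || finalStructure->addedProperty != name)
        return {};  // structure changed underneath us: refuse to cache
    return {true, oldStructure->id, finalStructure, finalStructure->slots.at(name)};
}

// Fast-path replay that trusts the cached transition.
inline bool replay(Object& obj, const CachedTransition& c, int value) {
    if (!c.valid || obj.structure->id != c.oldStructureID) return false;
    obj.structure = c.newStructure;
    obj.slots.resize(obj.structure->slots.size(), -1);
    obj.slots[c.slot] = value;
    return true;
}

// Slots the object's structure claims exist but that no put ever initialized.
inline size_t uninitializedSlots(const Object& obj) {
    size_t n = 0;
    for (int v : obj.slots) if (v == -1) ++n;
    return n;
}

} // namespace toy
```

With a setter that adds a "hidden" property during the put, the unchecked cache replays onto a fresh object as a two-slot structure with slot 0 never written; the checked builder returns an invalid entry for that case and still caches the plain, setter-free put.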
29792 | ||
29794 | 2014-12-08 Anders Carlsson <andersca@apple.com> | |
29795 | ||
29796 | Change WTF::currentCPUTime to return std::chrono::microseconds and get rid of currentCPUTimeMS | |
29797 | https://bugs.webkit.org/show_bug.cgi?id=139410 | |
29798 | ||
29799 | Reviewed by Andreas Kling. | |
29800 | ||
29801 | * API/JSContextRef.cpp: | |
29802 | (JSContextGroupSetExecutionTimeLimit): | |
29803 | (JSContextGroupClearExecutionTimeLimit): | |
29804 | * runtime/Watchdog.cpp: | |
29805 | (JSC::Watchdog::setTimeLimit): | |
29806 | (JSC::Watchdog::didFire): | |
29807 | (JSC::Watchdog::startCountdownIfNeeded): | |
29808 | (JSC::Watchdog::startCountdown): | |
29809 | * runtime/Watchdog.h: | |
29810 | * runtime/WatchdogMac.cpp: | |
29811 | (JSC::Watchdog::startTimer): | |
29812 | ||
29813 | 2014-12-08 Mark Lam <mark.lam@apple.com> | |
29814 | ||
29815 | CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays. | |
29816 | <https://webkit.org/b/139327> | |
29817 | ||
29818 | Reviewed by Michael Saboff. | |
29819 | ||
29820 | The code generator and runtime slow paths expect otherwise. This patch fixes | |
29821 | CFA to match the code generator's expectation. | |
29822 | ||
29823 | * dfg/DFGArrayMode.h: | |
29824 | (JSC::DFG::ArrayMode::arrayModesThatPassFiltering): | |
29825 | (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes): | |
29826 | ||
29827 | 2014-12-08 Chris Dumez <cdumez@apple.com> | |
29828 | ||
29829 | Revert r176293 & r176275 | |
29830 | ||
29831 | Unreviewed, revert r176293 & r176275 changing the Vector API to use unsigned type | |
29832 | instead of size_t. There is some disagreement regarding the long-term direction | |
29833 | of the API and we shouldn’t leave the API partly transitioned to unsigned type | |
29834 | while making a decision. | |
29835 | ||
29836 | * bytecode/PreciseJumpTargets.cpp: | |
29837 | * replay/EncodedValue.h: | |
29838 | ||
29839 | 2014-12-07 Csaba Osztrogonác <ossy@webkit.org> | |
29840 | ||
29841 | Remove the unused WTF_USE_GCC_COMPUTED_GOTO_WORKAROUND after r129453. | |
29842 | https://bugs.webkit.org/show_bug.cgi?id=139373 | |
29843 | ||
29844 | Reviewed by Sam Weinig. | |
29845 | ||
29846 | * interpreter/Interpreter.cpp: | |
29847 | ||
29848 | 2014-12-06 Anders Carlsson <andersca@apple.com> | |
29849 | ||
29850 | Fix build with newer versions of clang. | |
29851 | rdar://problem/18978716 | |
29852 | ||
29853 | * ftl/FTLJITCode.h: | |
29854 | Add missing overrides. | |
29855 | ||
29856 | 2014-12-05 Roger Fong <roger_fong@apple.com> | |
29857 | ||
29858 | [Win] proj files copying over too many resources. | |
29859 | https://bugs.webkit.org/show_bug.cgi?id=139315 | |
29860 | <rdar://problem/19148278> | |
29861 | ||
29862 | Reviewed by Brent Fulgham. | |
29863 | ||
29864 | * JavaScriptCore.vcxproj/JavaScriptCore.proj: Only copy resource folders and JavaScriptCore.dll. | |
29865 | ||
29866 | 2014-12-05 Juergen Ributzka <juergen@apple.com> | |
29867 | ||
29868 | [JSC][FTL] Add the data layout to the module and fix the pass order. | |
29869 | https://bugs.webkit.org/show_bug.cgi?id=138748 | |
29870 | ||
29871 | Reviewed by Oliver Hunt. | |
29872 | ||
29873 | This adds the data layout to the module, so it can be used by all | |
29874 | optimization passes in the LLVM optimizer pipeline. This also allows | |
29875 | FastISel to select more instructions, because fewer non-legal types are | |
29876 | generated. | |
29877 | ||
29878 | Also fix the order of the alias analysis passes in the optimization | |
29879 | pipeline. | |
29880 | ||
29881 | * ftl/FTLCompile.cpp: | |
29882 | (JSC::FTL::mmAllocateDataSection): | |
29883 | ||
29884 | 2014-12-05 Geoffrey Garen <ggaren@apple.com> | |
29885 | ||
29886 | Removed an unused function. | |
29887 | ||
29888 | Reviewed by Michael Saboff. | |
29889 | ||
29890 | Broken out from https://bugs.webkit.org/show_bug.cgi?id=139305. | |
29891 | ||
29892 | * parser/ParserArena.h: | |
29893 | ||
29894 | 2014-12-05 David Kilzer <ddkilzer@apple.com> | |
29895 | ||
29896 | FeatureDefines.xcconfig: Workaround bug in Xcode 5.1.1 when defining ENABLE_WEB_REPLAY | |
29897 | <http://webkit.org/b/139286> | |
29898 | ||
29899 | Reviewed by Daniel Bates. | |
29900 | ||
29901 | * Configurations/FeatureDefines.xcconfig: Switch back to using | |
29902 | PLATFORM_NAME to workaround a bug in Xcode 5.1.1 on 10.8. | |
29903 | ||
29904 | 2014-12-04 Mark Rowe <mrowe@apple.com> | |
29905 | ||
29906 | Build fix after r176836. | |
29907 | ||
29908 | Reviewed by Mark Lam. | |
29909 | ||
29910 | * runtime/VM.h: | |
29911 | (JSC::VM::controlFlowProfiler): Don't try to export an inline function. | |
29912 | Doing so results in a weak external symbol being generated. | |
29913 | ||
29914 | 2014-12-04 Saam Barati <saambarati1@gmail.com> | |
29915 | ||
29916 | JavaScript Control Flow Profiler | |
29917 | https://bugs.webkit.org/show_bug.cgi?id=137785 | |
29918 | ||
29919 | Reviewed by Filip Pizlo. | |
29920 | ||
29921 | This patch introduces a mechanism for JavaScriptCore to profile | |
29922 | which basic blocks have executed. This mechanism will then be | |
29923 | used by the Web Inspector to indicate which basic blocks | |
29924 | have and have not executed. | |
29925 | ||
29926 | The profiling works by compiling in an op_profile_control_flow | |
29927 | at the start of every basic block. Then, whenever this op code | |
29928 | executes, we know that a particular basic block has executed. | |
29929 | ||
29930 | When we tier up a CodeBlock that contains an op_profile_control_flow | |
29931 | that corresponds to an already executed basic block, we don't | |
29932 | have to emit code for that particular op_profile_control_flow | |
29933 | because the internal data structures used to keep track of | |
29934 | basic block locations have already recorded that the corresponding | |
29935 | op_profile_control_flow has executed. | |
29936 | ||
29937 | * CMakeLists.txt: | |
29938 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
29939 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
29940 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
29941 | * bytecode/BytecodeList.json: | |
29942 | * bytecode/BytecodeUseDef.h: | |
29943 | (JSC::computeUsesForBytecodeOffset): | |
29944 | (JSC::computeDefsForBytecodeOffset): | |
29945 | * bytecode/CodeBlock.cpp: | |
29946 | (JSC::CodeBlock::dumpBytecode): | |
29947 | (JSC::CodeBlock::CodeBlock): | |
29948 | * bytecode/Instruction.h: | |
29949 | * bytecode/UnlinkedCodeBlock.cpp: | |
29950 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): | |
29951 | * bytecode/UnlinkedCodeBlock.h: | |
29952 | (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset): | |
29953 | (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets): | |
29954 | * bytecompiler/BytecodeGenerator.cpp: | |
29955 | (JSC::BytecodeGenerator::emitProfileControlFlow): | |
29956 | * bytecompiler/BytecodeGenerator.h: | |
29957 | * bytecompiler/NodesCodegen.cpp: | |
29958 | (JSC::ConditionalNode::emitBytecode): | |
29959 | (JSC::IfElseNode::emitBytecode): | |
29960 | (JSC::WhileNode::emitBytecode): | |
29961 | (JSC::ForNode::emitBytecode): | |
29962 | (JSC::ContinueNode::emitBytecode): | |
29963 | (JSC::BreakNode::emitBytecode): | |
29964 | (JSC::ReturnNode::emitBytecode): | |
29965 | (JSC::CaseClauseNode::emitBytecode): | |
29966 | (JSC::SwitchNode::emitBytecode): | |
29967 | (JSC::ThrowNode::emitBytecode): | |
29968 | (JSC::TryNode::emitBytecode): | |
29969 | (JSC::ProgramNode::emitBytecode): | |
29970 | (JSC::FunctionNode::emitBytecode): | |
29971 | * dfg/DFGAbstractInterpreterInlines.h: | |
29972 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
29973 | * dfg/DFGByteCodeParser.cpp: | |
29974 | (JSC::DFG::ByteCodeParser::parseBlock): | |
29975 | * dfg/DFGCapabilities.cpp: | |
29976 | (JSC::DFG::capabilityLevel): | |
29977 | * dfg/DFGClobberize.h: | |
29978 | (JSC::DFG::clobberize): | |
29979 | * dfg/DFGDoesGC.cpp: | |
29980 | (JSC::DFG::doesGC): | |
29981 | * dfg/DFGFixupPhase.cpp: | |
29982 | (JSC::DFG::FixupPhase::fixupNode): | |
29983 | * dfg/DFGNode.h: | |
29984 | (JSC::DFG::Node::basicBlockLocation): | |
29985 | * dfg/DFGNodeType.h: | |
29986 | * dfg/DFGPredictionPropagationPhase.cpp: | |
29987 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
29988 | * dfg/DFGSafeToExecute.h: | |
29989 | (JSC::DFG::safeToExecute): | |
29990 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
29991 | (JSC::DFG::SpeculativeJIT::compile): | |
29992 | * dfg/DFGSpeculativeJIT64.cpp: | |
29993 | (JSC::DFG::SpeculativeJIT::compile): | |
29994 | * inspector/agents/InspectorRuntimeAgent.cpp: | |
29995 | (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): | |
29996 | * jit/JIT.cpp: | |
29997 | (JSC::JIT::privateCompileMainPass): | |
29998 | * jit/JIT.h: | |
29999 | * jit/JITOpcodes.cpp: | |
30000 | (JSC::JIT::emit_op_profile_control_flow): | |
30001 | * jit/JITOpcodes32_64.cpp: | |
30002 | (JSC::JIT::emit_op_profile_control_flow): | |
30003 | * jsc.cpp: | |
30004 | (GlobalObject::finishCreation): | |
30005 | (functionFindTypeForExpression): | |
30006 | (functionReturnTypeFor): | |
30007 | (functionDumpBasicBlockExecutionRanges): | |
30008 | * llint/LowLevelInterpreter.asm: | |
30009 | * parser/ASTBuilder.h: | |
30010 | (JSC::ASTBuilder::createFunctionExpr): | |
30011 | (JSC::ASTBuilder::createGetterOrSetterProperty): | |
30012 | (JSC::ASTBuilder::createFuncDeclStatement): | |
30013 | (JSC::ASTBuilder::endOffset): | |
30014 | (JSC::ASTBuilder::setStartOffset): | |
30015 | * parser/NodeConstructors.h: | |
30016 | (JSC::Node::Node): | |
30017 | * parser/Nodes.h: | |
30018 | (JSC::CaseClauseNode::setStartOffset): | |
30019 | * parser/Parser.cpp: | |
30020 | (JSC::Parser<LexerType>::parseSwitchClauses): | |
30021 | (JSC::Parser<LexerType>::parseSwitchDefaultClause): | |
30022 | (JSC::Parser<LexerType>::parseBlockStatement): | |
30023 | (JSC::Parser<LexerType>::parseStatement): | |
30024 | (JSC::Parser<LexerType>::parseFunctionDeclaration): | |
30025 | (JSC::Parser<LexerType>::parseIfStatement): | |
30026 | (JSC::Parser<LexerType>::parseExpression): | |
30027 | (JSC::Parser<LexerType>::parseConditionalExpression): | |
30028 | (JSC::Parser<LexerType>::parseProperty): | |
30029 | (JSC::Parser<LexerType>::parseMemberExpression): | |
30030 | * parser/SyntaxChecker.h: | |
30031 | (JSC::SyntaxChecker::createFunctionExpr): | |
30032 | (JSC::SyntaxChecker::createFuncDeclStatement): | |
30033 | (JSC::SyntaxChecker::createGetterOrSetterProperty): | |
30034 | (JSC::SyntaxChecker::operatorStackPop): | |
30035 | * runtime/BasicBlockLocation.cpp: Added. | |
30036 | (JSC::BasicBlockLocation::BasicBlockLocation): | |
30037 | (JSC::BasicBlockLocation::insertGap): | |
30038 | (JSC::BasicBlockLocation::getExecutedRanges): | |
30039 | (JSC::BasicBlockLocation::dumpData): | |
30040 | (JSC::BasicBlockLocation::emitExecuteCode): | |
30041 | * runtime/BasicBlockLocation.h: Added. | |
30042 | (JSC::BasicBlockLocation::startOffset): | |
30043 | (JSC::BasicBlockLocation::endOffset): | |
30044 | (JSC::BasicBlockLocation::setStartOffset): | |
30045 | (JSC::BasicBlockLocation::setEndOffset): | |
30046 | (JSC::BasicBlockLocation::hasExecuted): | |
30047 | * runtime/CodeCache.cpp: | |
30048 | (JSC::CodeCache::getGlobalCodeBlock): | |
30049 | * runtime/ControlFlowProfiler.cpp: Added. | |
30050 | (JSC::ControlFlowProfiler::~ControlFlowProfiler): | |
30051 | (JSC::ControlFlowProfiler::getBasicBlockLocation): | |
30052 | (JSC::ControlFlowProfiler::dumpData): | |
30053 | (JSC::ControlFlowProfiler::getBasicBlocksForSourceID): | |
30054 | * runtime/ControlFlowProfiler.h: Added. This class is in | |
30055 | charge of generating BasicBlockLocations and also | |
30056 | providing an interface that the Web Inspector can use to ping | |
30057 | which basic blocks have executed based on the source id of a script. | |
30058 | ||
30059 | (JSC::BasicBlockKey::BasicBlockKey): | |
30060 | (JSC::BasicBlockKey::isHashTableDeletedValue): | |
30061 | (JSC::BasicBlockKey::operator==): | |
30062 | (JSC::BasicBlockKey::hash): | |
30063 | (JSC::BasicBlockKeyHash::hash): | |
30064 | (JSC::BasicBlockKeyHash::equal): | |
30065 | * runtime/Executable.cpp: | |
30066 | (JSC::ProgramExecutable::ProgramExecutable): | |
30067 | (JSC::ProgramExecutable::initializeGlobalProperties): | |
30068 | * runtime/FunctionHasExecutedCache.cpp: | |
30069 | (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): | |
30070 | * runtime/FunctionHasExecutedCache.h: | |
30071 | * runtime/Options.h: | |
30072 | * runtime/TypeProfiler.cpp: | |
30073 | (JSC::TypeProfiler::logTypesForTypeLocation): | |
30074 | (JSC::TypeProfiler::typeInformationForExpressionAtOffset): | |
30075 | (JSC::TypeProfiler::findLocation): | |
30076 | (JSC::TypeProfiler::dumpTypeProfilerData): | |
30077 | * runtime/TypeProfiler.h: | |
30078 | (JSC::TypeProfiler::functionHasExecutedCache): Deleted. | |
30079 | * runtime/VM.cpp: | |
30080 | (JSC::VM::VM): | |
30081 | (JSC::enableProfilerWithRespectToCount): | |
30082 | (JSC::disableProfilerWithRespectToCount): | |
30083 | (JSC::VM::enableTypeProfiler): | |
30084 | (JSC::VM::disableTypeProfiler): | |
30085 | (JSC::VM::enableControlFlowProfiler): | |
30086 | (JSC::VM::disableControlFlowProfiler): | |
30087 | (JSC::VM::dumpTypeProfilerData): | |
30088 | * runtime/VM.h: | |
30089 | (JSC::VM::functionHasExecutedCache): | |
30090 | (JSC::VM::controlFlowProfiler): | |
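The mechanism the entry above describes, as an added example that is not JavaScriptCore's code: a toy bytecode-level model of the control flow profiler. Each basic block starts with a profile instruction that marks its BasicBlockLocation as executed; a block's own source range is its [start, end] span minus the gaps owned by nested blocks; and a tier-up pass stops emitting the probe for blocks that already executed. The bytecode, the source offsets and every name (toy::BasicBlockLocation, toy::Op, toy::interpret) are constructed for the example.

```cpp
// Added example, not JavaScriptCore code: a toy model of basic-block execution
// profiling with a probe at the start of every block and probe elision on tier-up.
#include <algorithm>
#include <cstddef>
#include <vector>

namespace toy {

struct Range {
    int start, end;   // inclusive source offsets
    bool operator==(const Range& o) const { return start == o.start && end == o.end; }
};

struct BasicBlockLocation {
    int startOffset, endOffset;
    bool hasExecuted;
    std::vector<Range> gaps;   // sub-ranges accounted for by nested blocks

    void insertGap(int s, int e) { gaps.push_back({s, e}); }

    // Source this block itself accounts for: [startOffset, endOffset] minus gaps.
    std::vector<Range> ranges() const {
        std::vector<Range> sorted = gaps;
        std::sort(sorted.begin(), sorted.end(),
                  [](const Range& a, const Range& b) { return a.start < b.start; });
        std::vector<Range> out;
        int cursor = startOffset;
        for (const Range& g : sorted) {
            if (g.start > cursor) out.push_back({cursor, g.start - 1});
            cursor = std::max(cursor, g.end + 1);
        }
        if (cursor <= endOffset) out.push_back({cursor, endOffset});
        return out;
    }
};

enum class Op { ProfileControlFlow, Nop, JumpIfFalse, Jump, Ret };

struct Instruction {
    Op op;
    int operand;   // block index for ProfileControlFlow, target pc for jumps
};

// Runs the bytecode once; `cond` stands in for the value the branch tests.
inline void interpret(const std::vector<Instruction>& code,
                      std::vector<BasicBlockLocation>& blocks, bool cond) {
    size_t pc = 0;
    while (pc < code.size()) {
        const Instruction& ins = code[pc];
        switch (ins.op) {
        case Op::ProfileControlFlow: blocks[ins.operand].hasExecuted = true; ++pc; break;
        case Op::JumpIfFalse: pc = cond ? pc + 1 : static_cast<size_t>(ins.operand); break;
        case Op::Jump: pc = static_cast<size_t>(ins.operand); break;
        case Op::Nop: ++pc; break;
        case Op::Ret: return;
        }
    }
}

// Tier-up: a probe for a block that already executed carries no new information,
// so it is not emitted (modelled as a Nop so that jump targets stay valid).
inline std::vector<Instruction> tierUp(const std::vector<Instruction>& code,
                                       const std::vector<BasicBlockLocation>& blocks) {
    std::vector<Instruction> out = code;
    for (Instruction& ins : out)
        if (ins.op == Op::ProfileControlFlow && blocks[ins.operand].hasExecuted)
            ins = {Op::Nop, 0};
    return out;
}

inline size_t probeCount(const std::vector<Instruction>& code) {
    return static_cast<size_t>(std::count_if(code.begin(), code.end(),
        [](const Instruction& i) { return i.op == Op::ProfileControlFlow; }));
}

// What an inspector would highlight as "never ran": the ranges of unexecuted blocks.
inline std::vector<Range> unexecutedRanges(const std::vector<BasicBlockLocation>& blocks) {
    std::vector<Range> out;
    for (const BasicBlockLocation& b : blocks) {
        if (b.hasExecuted) continue;
        std::vector<Range> r = b.ranges();
        out.insert(out.end(), r.begin(), r.end());
    }
    return out;
}

} // namespace toy
```

The constructed program below is an if/else whose enclosing block spans offsets 0 to 30 with gaps for the then-block (8 to 12) and else-block (20 to 24); after one run with the condition true, only the else-block is reported unexecuted and the tiered code keeps just that block's probe.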
30091 | ||
30092 | 2014-12-04 Filip Pizlo <fpizlo@apple.com> | |
30093 | ||
30094 | printInternal(PrintStream& out, JSC::JITCode::JITType type) ends up dumping a literal %s | |
30095 | https://bugs.webkit.org/show_bug.cgi?id=139274 | |
30096 | ||
30097 | Reviewed by Geoffrey Garen. | |
30098 | ||
30099 | * jit/JITCode.cpp: | |
30100 | (WTF::printInternal): | |
30101 | ||
30102 | 2014-12-04 Geoffrey Garen <ggaren@apple.com> | |
30103 | ||
30104 | Removed the concept of ParserArenaRefCounted | |
30105 | https://bugs.webkit.org/show_bug.cgi?id=139277 | |
30106 | ||
30107 | Reviewed by Oliver Hunt. | |
30108 | ||
30109 | This is a step toward a parser speedup. | |
30110 | ||
30111 | Now that we have a clear root node type for each parse tree, there's no | |
30112 | need to have a concept for "I might be refcounted or arena allocated". | |
30113 | Instead, we can just use unique_ptr to manage the tree as a whole. | |
30114 | ||
30115 | * API/JSScriptRef.cpp: | |
30116 | (parseScript): | |
30117 | * builtins/BuiltinExecutables.cpp: | |
30118 | (JSC::BuiltinExecutables::createBuiltinExecutable): Updated for type change. | |
30119 | ||
30120 | * bytecode/UnlinkedCodeBlock.cpp: | |
30121 | (JSC::generateFunctionCodeBlock): Use unique_ptr. No need to call | |
30122 | destroyData() explicitly: the unique_ptr destructor will do everything | |
30123 | we need, as Bjarne intended. | |
30124 | ||
30125 | * parser/NodeConstructors.h: | |
30126 | (JSC::ParserArenaRoot::ParserArenaRoot): | |
30127 | (JSC::ParserArenaRefCounted::ParserArenaRefCounted): Deleted. | |
30128 | ||
30129 | * parser/Nodes.cpp: | |
30130 | (JSC::ScopeNode::ScopeNode): | |
30131 | (JSC::ProgramNode::ProgramNode): | |
30132 | (JSC::EvalNode::EvalNode): | |
30133 | (JSC::FunctionNode::FunctionNode): | |
30134 | (JSC::ProgramNode::create): Deleted. | |
30135 | (JSC::EvalNode::create): Deleted. | |
30136 | (JSC::FunctionNode::create): Deleted. All special create semantics can | |
30137 | just go away now that we play by C++ constructor / destructor rules. | |
30138 | ||
30139 | * parser/Nodes.h: | |
30140 | (JSC::ParserArenaRoot::parserArena): | |
30141 | (JSC::ParserArenaRoot::~ParserArenaRoot): Just a normal class now, which | |
30142 | holds onto the whole parse tree by virtue of owning the arena in which | |
30143 | all the parsed nodes (except for itself) were allocated. | |
30144 | ||
30145 | (JSC::ProgramNode::closedVariables): | |
30146 | (JSC::ParserArenaRefCounted::~ParserArenaRefCounted): Deleted. | |
30147 | ||
30148 | (JSC::ScopeNode::destroyData): Deleted. No need to destroy anything | |
30149 | explicitly anymore -- we can just rely on destructors. | |
30150 | ||
30151 | (JSC::ScopeNode::parserArena): Deleted. | |
30152 | ||
30153 | * parser/Parser.h: | |
30154 | (JSC::Parser<LexerType>::parse): | |
30155 | (JSC::parse): unique_ptr all the things. | |
30156 | ||
30157 | * parser/ParserArena.cpp: | |
30158 | (JSC::ParserArena::reset): | |
30159 | (JSC::ParserArena::isEmpty): | |
30160 | (JSC::ParserArena::contains): Deleted. | |
30161 | (JSC::ParserArena::last): Deleted. | |
30162 | (JSC::ParserArena::removeLast): Deleted. | |
30163 | (JSC::ParserArena::derefWithArena): Deleted. | |
30164 | * parser/ParserArena.h: | |
30165 | (JSC::ParserArena::swap): Much delete. Such wow. | |
30166 | ||
30167 | * runtime/CodeCache.cpp: | |
30168 | (JSC::CodeCache::getGlobalCodeBlock): | |
30169 | (JSC::CodeCache::getFunctionExecutableFromGlobalCode): | |
30170 | * runtime/Completion.cpp: | |
30171 | (JSC::checkSyntax): | |
30172 | * runtime/Executable.cpp: | |
30173 | (JSC::ProgramExecutable::checkSyntax): unique_ptr all the things. | |
30174 | ||
30175 | 2014-12-04 Andreas Kling <akling@apple.com> | |
30176 | ||
30177 | REGRESSION(r173188): Text inserted when trying to delete a word from the Twitter message box. | |
30178 | <https://webkit.org/b/139076> | |
30179 | ||
30180 | Reviewed by Geoffrey Garen. | |
30181 | ||
30182 | The StringImpl* -> Weak<JSString> cache used by the DOM bindings | |
30183 | had a bug where the key could become a stale pointer if the cached | |
30184 | JSString had its internal StringImpl atomicized. | |
30185 | ||
30186 | If a new StringImpl was then later constructed at the exact same | |
30187 | address as the stale key, before the Weak<JSString> got booted out | |
30188 | of the string cache, we'd now have a situation where asking the | |
30189 | string cache for that key would return the old JSString. | |
30190 | ||
30191 | Solve this by not allowing JSString::toExistingAtomicString() to | |
30192 | change the JSString's internal StringImpl unless it's resolving a | |
30193 | rope string. (The StringImpl nullity determines rope state.) | |
30194 | ||
30195 | This means that calling toExistingAtomicString() may now have to | |
30196 | query the AtomicString table on each call rather than just once. | |
30197 | All clients of this API would be forced to do this regardless, | |
30198 | since the return value will be used to key into containers with | |
30199 | AtomicStringImpl* keys. | |
30200 | ||
30201 | No test because this relies on malloc putting two StringImpls | |
30202 | at the same address at different points in time and we have no | |
30203 | mechanism to reliably test that. | |
30204 | ||
30205 | * runtime/JSString.h: | |
30206 | (JSC::JSString::toExistingAtomicString): | |
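The stale-key hazard the entry above describes, as an added example that is not WebKit's code: a toy C++ reproduction of a cache keyed by a raw StringImpl* whose key goes dangling when the JSString swaps its impl for the atomic one and the old allocation is reused. A fixed-size slab stands in for malloc so that the address reuse the entry says cannot be reliably tested is deterministic here. The buggy variant replaces the impl and frees the old one; the fixed variant, as in the entry, only sets the impl when resolving a rope and otherwise just consults the atomic table. All names (toy::Slab, toy::JSString, toy::run) are assumptions for the example.

```cpp
// Added example, not WebKit code: a dangling pointer-keyed cache entry matching a
// brand-new, unrelated string once its address is reused.
#include <array>
#include <map>
#include <string>

namespace toy {

struct StringImpl {
    std::string chars;
    bool isAtomic;
};

// Four slots; allocation takes the first free slot, so a freed address is
// handed out again on the next allocation (what malloc may do in practice).
class Slab {
public:
    Slab() { for (auto& s : slots_) s.inUse = false; }
    StringImpl* allocate(const std::string& chars) {
        for (auto& s : slots_) {
            if (s.inUse) continue;
            s.inUse = true;
            s.impl = StringImpl{chars, false};
            return &s.impl;
        }
        return nullptr;
    }
    void release(StringImpl* p) {
        for (auto& s : slots_) if (&s.impl == p) s.inUse = false;
    }
private:
    struct Slot { bool inUse; StringImpl impl; };
    std::array<Slot, 4> slots_;
};

struct JSString {
    StringImpl* impl;       // null models an unresolved rope
    std::string ropeValue;  // contents to materialize when impl is null
    int id;                 // lets the caller tell JSStrings apart
};

using AtomicTable = std::map<std::string, StringImpl*>;  // content -> canonical impl
using StringCache = std::map<StringImpl*, JSString*>;    // the binding cache (non-owning)

// Before the fix: swap in the atomic impl and drop the old one, even though a
// StringCache entry may still be keyed by the old impl's address.
inline StringImpl* toExistingAtomicStringBuggy(JSString& s, AtomicTable& table, Slab& slab) {
    if (!s.impl) s.impl = slab.allocate(s.ropeValue);  // resolving a rope: the legitimate swap
    if (s.impl->isAtomic) return s.impl;
    auto it = table.find(s.impl->chars);
    if (it == table.end()) return nullptr;
    slab.release(s.impl);
    s.impl = it->second;
    return s.impl;
}

// After the fix: only set impl when resolving a rope; otherwise answer from the
// table and leave the JSString's impl (and therefore any cache key) untouched.
inline StringImpl* toExistingAtomicStringFixed(JSString& s, AtomicTable& table, Slab& slab) {
    if (!s.impl) s.impl = slab.allocate(s.ropeValue);
    if (s.impl->isAtomic) return s.impl;
    auto it = table.find(s.impl->chars);
    return it == table.end() ? nullptr : it->second;
}

struct Outcome {
    bool addressReused;  // did the new impl land on the old key's address?
    int cachedId;        // id of the JSString the cache returns for it, or -1
};

// Constructed scenario: cache a non-atomic "foo" by its impl address, atomicize
// it, then allocate an unrelated "bar" and ask the cache about the new impl.
inline Outcome run(bool fixed) {
    Slab slab;
    AtomicTable table;
    StringCache cache;
    StringImpl* atomicFoo = slab.allocate("foo");
    atomicFoo->isAtomic = true;
    table["foo"] = atomicFoo;

    StringImpl* impl1 = slab.allocate("foo");  // a second, non-atomic "foo"
    JSString js1{impl1, "", 1};
    cache[impl1] = &js1;

    if (fixed) toExistingAtomicStringFixed(js1, table, slab);
    else toExistingAtomicStringBuggy(js1, table, slab);

    StringImpl* impl2 = slab.allocate("bar");  // a new JSString would wrap this impl
    auto hit = cache.find(impl2);
    return {impl2 == impl1, hit == cache.end() ? -1 : hit->second->id};
}

} // namespace toy
```

With the buggy variant the "bar" impl reuses the freed address and the cache hands back the "foo" JSString for it; with the fixed variant the key stays alive, the address is not reused and the lookup misses as it should.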
30207 | ||
30208 | 2014-12-04 Geoffrey Garen <ggaren@apple.com> | |
30209 | ||
30210 | Marked some final things final. | |
30211 | ||
30212 | Reviewed by Andreas Kling. | |
30213 | ||
30214 | * parser/Nodes.h: | |
30215 | ||
30216 | 2014-12-04 Geoffrey Garen <ggaren@apple.com> | |
30217 | ||
30218 | Split out FunctionNode from FunctionBodyNode | |
30219 | https://bugs.webkit.org/show_bug.cgi?id=139273 | |
30220 | ||
30221 | Reviewed by Andreas Kling. | |
30222 | ||
30223 | This is a step toward a parser speedup. | |
30224 | ||
30225 | We used to use FunctionBodyNode for two different purposes: | |
30226 | ||
30227 | (1) "I am the root function you are currently parsing"; | |
30228 | ||
30229 | (2) "I am a lazy record of a nested function, which you will parse later". | |
30230 | ||
30231 | This made for awkward lifetime semantics and interfaces. | |
30232 | ||
30233 | Now, case (1) is handled by FunctionBodyNode, and case (2) is handled by | |
30234 | a new node named FunctionNode. | |
30235 | ||
30236 | Since case (1) no longer needs to handle being the root of the parse | |
30237 | tree, FunctionBodyNode can be a normal arena-allocated node. | |
30238 | ||
30239 | * bytecode/UnlinkedCodeBlock.cpp: | |
30240 | (JSC::generateFunctionCodeBlock): Use FunctionNode instead of | |
30241 | FunctionBodyNode, since we are producing the root of the function parse | |
30242 | tree. | |
30243 | ||
30244 | (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Removed | |
30245 | some unused data, and default-initialized other data, which isn't filled | |
30246 | in meaningfully until recordParse() is called. (The previous values were | |
30247 | incorrect / meaningless, since the FunctionBodyNode didn't have | |
30248 | meaningful values in this case.) | |
30249 | ||
30250 | * bytecode/UnlinkedCodeBlock.h: Ditto. | |
30251 | ||
30252 | (JSC::UnlinkedFunctionExecutable::forceUsesArguments): Deleted. | |
30253 | ||
30254 | * bytecompiler/BytecodeGenerator.cpp: | |
30255 | (JSC::BytecodeGenerator::BytecodeGenerator): Use FunctionNode instead of | |
30256 | FunctionBodyNode, since we are generating code starting at the root of | |
30257 | the parse tree. | |
30258 | ||
30259 | (JSC::BytecodeGenerator::resolveCallee): | |
30260 | (JSC::BytecodeGenerator::addCallee): | |
30261 | * bytecompiler/BytecodeGenerator.h: Ditto. | |
30262 | ||
30263 | * bytecompiler/NodesCodegen.cpp: | |
30264 | (JSC::FunctionBodyNode::emitBytecode): | |
30265 | (JSC::FunctionNode::emitBytecode): Moved the emitBytecode implementation | |
30266 | to FunctionNode, since we never generate code for FunctionBodyNode, | |
30267 | since it's just a placeholder in the AST. | |
30268 | ||
30269 | * parser/ASTBuilder.h: | |
30270 | (JSC::ASTBuilder::createFunctionBody): | |
30271 | (JSC::ASTBuilder::setUsesArguments): Deleted. Updated for interface | |
30272 | changes. | |
30273 | ||
30274 | * parser/Nodes.cpp: | |
30275 | (JSC::FunctionBodyNode::FunctionBodyNode): | |
30276 | (JSC::FunctionBodyNode::finishParsing): | |
30277 | (JSC::FunctionBodyNode::setEndPosition): | |
30278 | (JSC::FunctionNode::FunctionNode): | |
30279 | (JSC::FunctionNode::create): | |
30280 | (JSC::FunctionNode::finishParsing): | |
30281 | (JSC::FunctionBodyNode::create): Deleted. | |
30282 | ||
30283 | * parser/Nodes.h: | |
30284 | (JSC::FunctionBodyNode::parameters): | |
30285 | (JSC::FunctionBodyNode::source): | |
30286 | (JSC::FunctionBodyNode::startStartOffset): | |
30287 | (JSC::FunctionBodyNode::isInStrictContext): | |
30288 | (JSC::FunctionNode::parameters): | |
30289 | (JSC::FunctionNode::ident): | |
30290 | (JSC::FunctionNode::functionMode): | |
30291 | (JSC::FunctionNode::startColumn): | |
30292 | (JSC::FunctionNode::endColumn): | |
30293 | (JSC::ScopeNode::setSource): Deleted. | |
30294 | (JSC::FunctionBodyNode::parameterCount): Deleted. Split out the differences | |
30295 | between FunctionNode and FunctionBodyNode. | |
30296 | ||
30297 | * parser/SyntaxChecker.h: | |
30298 | (JSC::SyntaxChecker::createClauseList): | |
30299 | (JSC::SyntaxChecker::setUsesArguments): Deleted. Removed setUsesArguments | |
30300 | since it wasn't used. | |
30301 | ||
30302 | * runtime/Executable.cpp: | |
30303 | (JSC::ProgramExecutable::checkSyntax): Removed a branch that was always | |
30304 | false. | |
30305 | ||
30306 | 2014-12-02 Brian J. Burg <burg@cs.washington.edu> | |
30307 | ||
30308 | Web Inspector: timeline probe records have inaccurate per-probe hit counts | |
30309 | https://bugs.webkit.org/show_bug.cgi?id=138976 | |
30310 | ||
30311 | Reviewed by Joseph Pecoraro. | |
30312 | ||
30313 | Previously, the DebuggerAgent was responsible for assigning unique ids to samples. | |
30314 | However, this makes it impossible for the frontend's Timeline manager to associate | |
30315 | a Probe Sample timeline record with the corresponding probe sample data. The record | |
30316 | only included the probe batchId (misnamed as hitCount in ScriptDebugServer). | |
30317 | ||
30318 | This patch moves both the batchId and sampleId counters into ScriptDebugServer, so | |
30319 | any client of ScriptDebugListener will get the correct sampleId for each sample. | |
30320 | ||
30321 | * inspector/ScriptDebugListener.h: | |
30322 | * inspector/ScriptDebugServer.cpp: | |
30323 | (Inspector::ScriptDebugServer::ScriptDebugServer): | |
30324 | (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): | |
30325 | (Inspector::ScriptDebugServer::handleBreakpointHit): | |
30326 | * inspector/ScriptDebugServer.h: | |
30327 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
30328 | (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent): | |
30329 | (Inspector::InspectorDebuggerAgent::breakpointActionProbe): | |
30330 | * inspector/agents/InspectorDebuggerAgent.h: | |
30331 | ||
30332 | 2014-12-04 Oliver Hunt <oliver@apple.com> | |
30333 | ||
30334 | Serialization of MapData object provides unsafe access to internal types | |
30335 | https://bugs.webkit.org/show_bug.cgi?id=138653 | |
30336 | ||
30337 | Reviewed by Geoffrey Garen. | |
30338 | ||
30339 | Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious | |
30340 | that despite trying hard to be safe in all cases it's simply too easy | |
30341 | to use an iterator in an unsafe state. | |
30342 | ||
30343 | * runtime/MapData.h: | |
30344 | (JSC::MapData::const_iterator::key): | |
30345 | (JSC::MapData::const_iterator::value): | |
30346 | ||
30347 | 2014-12-03 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
30348 | ||
30349 | Move JavaScriptCore/dfg to std::unique_ptr | |
30350 | https://bugs.webkit.org/show_bug.cgi?id=139169 | |
30351 | ||
30352 | Reviewed by Filip Pizlo. | |
30353 | ||
30354 | Use std::unique_ptr<>|std::make_unique<> in JavaScriptCore/dfg directory. | |
30355 | ||
30356 | * dfg/DFGBasicBlock.h: | |
30357 | * dfg/DFGJITCompiler.cpp: | |
30358 | (JSC::DFG::JITCompiler::JITCompiler): | |
30359 | (JSC::DFG::JITCompiler::compile): | |
30360 | (JSC::DFG::JITCompiler::link): | |
30361 | (JSC::DFG::JITCompiler::compileFunction): | |
30362 | (JSC::DFG::JITCompiler::linkFunction): | |
30363 | * dfg/DFGJITCompiler.h: | |
30364 | * dfg/DFGPlan.cpp: | |
30365 | (JSC::DFG::Plan::compileInThreadImpl): | |
30366 | (JSC::DFG::Plan::cancel): | |
30367 | * dfg/DFGPlan.h: | |
30368 | * dfg/DFGSlowPathGenerator.h: | |
30369 | * dfg/DFGWorklist.h: | |
30370 | * ftl/FTLFail.cpp: | |
30371 | (JSC::FTL::fail): | |
30372 | * ftl/FTLState.cpp: | |
30373 | (JSC::FTL::State::State): | |
30374 | ||
30375 | 2014-12-03 Michael Saboff <msaboff@apple.com> | |
30376 | ||
30377 | REGRESSION (r176479): DFG ASSERTION beneath emitOSRExitCall running Kraken/imaging-gaussian-blur.js.ftl-no-cjit-osr-validation and other tests | |
30378 | https://bugs.webkit.org/show_bug.cgi?id=139246 | |
30379 | ||
30380 | Reviewed by Geoffrey Garen. | |
30381 | ||
30382 | * ftl/FTLLowerDFGToLLVM.cpp: | |
30383 | (JSC::FTL::LowerDFGToLLVM::buildExitArguments): | |
30384 | The DFG_ASSERT that checks liveness at exit time doesn't properly | |
30385 | handle the case where the local is not available at OSR exit time, | |
30386 | but the local is live in the bytecode. This now happens with the | |
30387 | allocated scope register when we are compiling for FTLForOSREntryMode | |
30388 | due to DCE done when the control flow was changed and a new entrypoint | |
30389 | was added in the OSR entrypoint creation phase. Therefore we silence | |
30390 | the assert when compiling for FTLForOSREntryMode. | |
30391 | ||
30392 | 2014-12-03 Geoffrey Garen <ggaren@apple.com> | |
30393 | ||
30394 | Removed the global parser arena | |
30395 | https://bugs.webkit.org/show_bug.cgi?id=139236 | |
30396 | ||
30397 | Reviewed by Sam Weinig. | |
30398 | ||
30399 | Simplifies parser lifetime logic. | |
30400 | ||
30401 | There's no need to keep a global arena. We can create a new arena | |
30402 | each time we parse. | |
30403 | ||
30404 | * bytecompiler/BytecodeGenerator.h: Global replace to pass around a | |
30405 | ParserArena instead of VM*, since the VM no longer owns the arena. | |
30406 | (JSC::BytecodeGenerator::parserArena): | |
30407 | ||
30408 | * bytecompiler/NodesCodegen.cpp: Ditto. | |
30409 | (JSC::ArrayNode::toArgumentList): | |
30410 | (JSC::ApplyFunctionCallDotNode::emitBytecode): | |
30411 | * parser/ASTBuilder.h: Ditto. | |
30412 | (JSC::ASTBuilder::ASTBuilder): | |
30413 | (JSC::ASTBuilder::createSourceElements): | |
30414 | (JSC::ASTBuilder::createCommaExpr): | |
30415 | (JSC::ASTBuilder::createLogicalNot): | |
30416 | (JSC::ASTBuilder::createUnaryPlus): | |
30417 | (JSC::ASTBuilder::createVoid): | |
30418 | (JSC::ASTBuilder::thisExpr): | |
30419 | (JSC::ASTBuilder::createResolve): | |
30420 | (JSC::ASTBuilder::createObjectLiteral): | |
30421 | (JSC::ASTBuilder::createArray): | |
30422 | (JSC::ASTBuilder::createNumberExpr): | |
30423 | (JSC::ASTBuilder::createString): | |
30424 | (JSC::ASTBuilder::createBoolean): | |
30425 | (JSC::ASTBuilder::createNull): | |
30426 | (JSC::ASTBuilder::createBracketAccess): | |
30427 | (JSC::ASTBuilder::createDotAccess): | |
30428 | (JSC::ASTBuilder::createSpreadExpression): | |
30429 | (JSC::ASTBuilder::createRegExp): | |
30430 | (JSC::ASTBuilder::createNewExpr): | |
30431 | (JSC::ASTBuilder::createConditionalExpr): | |
30432 | (JSC::ASTBuilder::createAssignResolve): | |
30433 | (JSC::ASTBuilder::createFunctionExpr): | |
30434 | (JSC::ASTBuilder::createFunctionBody): | |
30435 | (JSC::ASTBuilder::createGetterOrSetterProperty): | |
30436 | (JSC::ASTBuilder::createArguments): | |
30437 | (JSC::ASTBuilder::createArgumentsList): | |
30438 | (JSC::ASTBuilder::createProperty): | |
30439 | (JSC::ASTBuilder::createPropertyList): | |
30440 | (JSC::ASTBuilder::createElementList): | |
30441 | (JSC::ASTBuilder::createFormalParameterList): | |
30442 | (JSC::ASTBuilder::createClause): | |
30443 | (JSC::ASTBuilder::createClauseList): | |
30444 | (JSC::ASTBuilder::createFuncDeclStatement): | |
30445 | (JSC::ASTBuilder::createBlockStatement): | |
30446 | (JSC::ASTBuilder::createExprStatement): | |
30447 | (JSC::ASTBuilder::createIfStatement): | |
30448 | (JSC::ASTBuilder::createForLoop): | |
30449 | (JSC::ASTBuilder::createForInLoop): | |
30450 | (JSC::ASTBuilder::createForOfLoop): | |
30451 | (JSC::ASTBuilder::createEmptyStatement): | |
30452 | (JSC::ASTBuilder::createVarStatement): | |
30453 | (JSC::ASTBuilder::createEmptyVarExpression): | |
30454 | (JSC::ASTBuilder::createReturnStatement): | |
30455 | (JSC::ASTBuilder::createBreakStatement): | |
30456 | (JSC::ASTBuilder::createContinueStatement): | |
30457 | (JSC::ASTBuilder::createTryStatement): | |
30458 | (JSC::ASTBuilder::createSwitchStatement): | |
30459 | (JSC::ASTBuilder::createWhileStatement): | |
30460 | (JSC::ASTBuilder::createDoWhileStatement): | |
30461 | (JSC::ASTBuilder::createLabelStatement): | |
30462 | (JSC::ASTBuilder::createWithStatement): | |
30463 | (JSC::ASTBuilder::createThrowStatement): | |
30464 | (JSC::ASTBuilder::createDebugger): | |
30465 | (JSC::ASTBuilder::createConstStatement): | |
30466 | (JSC::ASTBuilder::appendConstDecl): | |
30467 | (JSC::ASTBuilder::combineCommaNodes): | |
30468 | (JSC::ASTBuilder::createDeconstructingAssignment): | |
30469 | (JSC::ASTBuilder::Scope::Scope): | |
30470 | (JSC::ASTBuilder::createNumber): | |
30471 | (JSC::ASTBuilder::makeTypeOfNode): | |
30472 | (JSC::ASTBuilder::makeDeleteNode): | |
30473 | (JSC::ASTBuilder::makeNegateNode): | |
30474 | (JSC::ASTBuilder::makeBitwiseNotNode): | |
30475 | (JSC::ASTBuilder::makeMultNode): | |
30476 | (JSC::ASTBuilder::makeDivNode): | |
30477 | (JSC::ASTBuilder::makeModNode): | |
30478 | (JSC::ASTBuilder::makeAddNode): | |
30479 | (JSC::ASTBuilder::makeSubNode): | |
30480 | (JSC::ASTBuilder::makeLeftShiftNode): | |
30481 | (JSC::ASTBuilder::makeRightShiftNode): | |
30482 | (JSC::ASTBuilder::makeURightShiftNode): | |
30483 | (JSC::ASTBuilder::makeBitOrNode): | |
30484 | (JSC::ASTBuilder::makeBitAndNode): | |
30485 | (JSC::ASTBuilder::makeBitXOrNode): | |
30486 | (JSC::ASTBuilder::makeFunctionCallNode): | |
30487 | (JSC::ASTBuilder::makeBinaryNode): | |
30488 | (JSC::ASTBuilder::makeAssignNode): | |
30489 | (JSC::ASTBuilder::makePrefixNode): | |
30490 | (JSC::ASTBuilder::makePostfixNode): | |
30491 | ||
30492 | * parser/NodeConstructors.h: Ditto. | |
30493 | (JSC::ParserArenaFreeable::operator new): | |
30494 | (JSC::ParserArenaDeletable::operator new): | |
30495 | (JSC::ParserArenaRefCounted::ParserArenaRefCounted): | |
30496 | ||
30497 | * parser/Nodes.cpp: Ditto. | |
30498 | (JSC::ScopeNode::ScopeNode): | |
30499 | (JSC::ProgramNode::ProgramNode): | |
30500 | (JSC::ProgramNode::create): | |
30501 | (JSC::EvalNode::EvalNode): | |
30502 | (JSC::EvalNode::create): | |
30503 | (JSC::FunctionBodyNode::FunctionBodyNode): | |
30504 | (JSC::FunctionBodyNode::create): | |
30505 | ||
30506 | * parser/Nodes.h: Ditto. | |
30507 | (JSC::ScopeNode::parserArena): | |
30508 | ||
30509 | * parser/Parser.cpp: | |
30510 | (JSC::Parser<LexerType>::Parser): | |
30511 | (JSC::Parser<LexerType>::parseInner): | |
30512 | (JSC::Parser<LexerType>::parseProperty): The parser now owns its own | |
30513 | arena, and transfers ownership of its contents when invoking the ScopeNode | |
30514 | constructor. | |
30515 | ||
30516 | * parser/Parser.h: | |
30517 | (JSC::Parser<LexerType>::parse): No need to explicitly reset the arena, | |
30518 | since its lifetime is tied to the parser's lifetime now. | |
30519 | ||
30520 | * parser/SyntaxChecker.h: | |
30521 | (JSC::SyntaxChecker::createProperty): | |
30522 | (JSC::SyntaxChecker::createGetterOrSetterProperty): | |
30523 | ||
30524 | * runtime/VM.cpp: | |
30525 | (JSC::VM::VM): | |
30526 | * runtime/VM.h: The point of the patch: no more global. | |
30527 | ||
30528 | 2014-12-03 Geoffrey Garen <ggaren@apple.com> | |
30529 | ||
30530 | The parser should allocate all pieces of the AST | |
30531 | https://bugs.webkit.org/show_bug.cgi?id=139230 | |
30532 | ||
30533 | Reviewed by Oliver Hunt. | |
30534 | ||
30535 | This is a step toward a 14% parsing speedup. | |
30536 | ||
30537 | Previously, allocation was split between the parser and certain node | |
30538 | constructor functions. This made for some duplicated code and circular | |
30539 | dependencies. | |
30540 | ||
30541 | * parser/ASTBuilder.h: | |
30542 | (JSC::ASTBuilder::createGetterOrSetterProperty): No need to pass through | |
30543 | the VM, since our callee no longer needs to allocate anything. | |
30544 | ||
30545 | (JSC::ASTBuilder::createProperty): Allocate the identifier for our | |
30546 | callee, since that is simpler than requiring our callee to notice that | |
30547 | we didn't do so, and do it for us. | |
30548 | ||
30549 | (JSC::ASTBuilder::createForInLoop): Allocate the DeconstructingAssignmentNode | |
30550 | for our callee, since that is simpler than requiring our callee to notice | |
30551 | that we didn't do so, and do it for us. | |
30552 | ||
30553 | Also, reuse some code instead of duplicating it. | |
30554 | ||
30555 | (JSC::ASTBuilder::createForOfLoop): Ditto. | |
30556 | ||
30557 | (JSC::ASTBuilder::createArrayPattern): | |
30558 | (JSC::ASTBuilder::createObjectPattern): | |
30559 | (JSC::ASTBuilder::createBindingLocation): No need to pass through a VM | |
30560 | pointer, since our callee no longer needs to allocate anything. | |
30561 | ||
30562 | (JSC::ASTBuilder::createBreakStatement): Deleted. | |
30563 | (JSC::ASTBuilder::createContinueStatement): Deleted. | |
30564 | ||
30565 | * parser/NodeConstructors.h: | |
30566 | (JSC::PropertyNode::PropertyNode): | |
30567 | (JSC::DeconstructionPatternNode::DeconstructionPatternNode): | |
30568 | (JSC::ArrayPatternNode::ArrayPatternNode): | |
30569 | (JSC::ArrayPatternNode::create): | |
30570 | (JSC::ObjectPatternNode::ObjectPatternNode): | |
30571 | (JSC::ObjectPatternNode::create): | |
30572 | (JSC::BindingNode::create): | |
30573 | (JSC::BindingNode::BindingNode): | |
30574 | (JSC::ContinueNode::ContinueNode): Deleted. | |
30575 | (JSC::BreakNode::BreakNode): Deleted. | |
30576 | (JSC::EnumerationNode::EnumerationNode): Deleted. | |
30577 | (JSC::ForInNode::ForInNode): Deleted. | |
30578 | (JSC::ForOfNode::ForOfNode): Deleted. Deleted a bunch of special cases | |
30579 | that don't exist anymore, now that the parser allocates all pieces of | |
30580 | the AST unconditionally. | |
30581 | ||
30582 | * parser/Nodes.h: Ditto. | |
30583 | ||
30584 | * parser/Parser.cpp: | |
30585 | (JSC::Parser<LexerType>::parseBreakStatement): | |
30586 | (JSC::Parser<LexerType>::parseContinueStatement): Allocate the null | |
30587 | identifier for our callee, since that is simpler than requiring our | |
30588 | callee to notice that we didn't do so, and do it for us. | |
30589 | ||
30590 | (JSC::Parser<LexerType>::parseProperty): | |
30591 | * parser/SyntaxChecker.h: | |
30592 | (JSC::SyntaxChecker::createProperty): No need to pass through a VM | |
30593 | pointer, since our callee no longer needs to allocate anything. | |
30594 | ||
30595 | 2014-12-03 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com> | |
30596 | ||
30597 | Remove unused JSC runtime options | |
30598 | https://bugs.webkit.org/show_bug.cgi?id=133070 | |
30599 | ||
30600 | Reviewed by Csaba Osztrogonác. | |
30601 | ||
30602 | * runtime/Options.h: | |
30603 | ||
30604 | 2014-12-02 Mark Lam <mark.lam@apple.com> | |
30605 | ||
30606 | Rolling out r176592, r176603, r176616, and r176705 until build and perf issues are resolved. | |
30607 | https://bugs.webkit.org/show_bug.cgi?id=138821 | |
30608 | ||
30609 | Not reviewed. | |
30610 | ||
30611 | * bytecode/UnlinkedCodeBlock.cpp: | |
30612 | (JSC::UnlinkedCodeBlock::visitChildren): | |
30613 | * bytecompiler/BytecodeGenerator.cpp: | |
30614 | (JSC::BytecodeGenerator::emitComplexPopScopes): | |
30615 | * dfg/DFGSpeculativeJIT.cpp: | |
30616 | (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): | |
30617 | * ftl/FTLAbbreviations.h: | |
30618 | (JSC::FTL::mdNode): | |
30619 | (JSC::FTL::buildCall): | |
30620 | * llint/LLIntData.cpp: | |
30621 | (JSC::LLInt::Data::performAssertions): | |
30622 | * parser/Parser.h: | |
30623 | (JSC::Scope::Scope): | |
30624 | * runtime/JSArray.cpp: | |
30625 | (JSC::JSArray::setLengthWithArrayStorage): | |
30626 | (JSC::JSArray::sortCompactedVector): | |
30627 | * tools/ProfileTreeNode.h: | |
30628 | (JSC::ProfileTreeNode::dumpInternal): | |
30629 | * yarr/YarrJIT.cpp: | |
30630 | (JSC::Yarr::YarrGenerator::matchCharacterClass): | |
30631 | ||
30632 | 2014-12-02 Michael Saboff <msaboff@apple.com> | |
30633 | ||
30634 | Change CallFrame::globalThisValue() to not use CallFrame::scope() | |
30635 | https://bugs.webkit.org/show_bug.cgi?id=139202 | |
30636 | ||
30637 | Reviewed by Mark Lam. | |
30638 | ||
30639 | Changed to use the globalThis() on the globalObject associated with the | |
30640 | callee. Moved the inline definition to JSGlobalObject.h instead of | |
30641 | including JSGlobalObject.h in JSScope.h. Also moved it as JSScope | |
30642 | objects are no longer involved in getting the value. | |
30643 | ||
30644 | * runtime/JSGlobalObject.h: | |
30645 | (JSC::ExecState::globalThisValue): | |
30646 | * runtime/JSScope.h: | |
30647 | (JSC::ExecState::globalThisValue): Deleted. | |
30648 | ||
30649 | 2014-12-02 Matthew Mirman <mmirman@apple.com> | |
30650 | ||
30651 | Fixes inline cache fast path accessing nonexistent getters. | |
30652 | <rdar://problem/18416918> | |
30653 | https://bugs.webkit.org/show_bug.cgi?id=136961 | |
30654 | ||
30655 | Reviewed by Filip Pizlo. | |
30656 | ||
30657 | Fixes a bug in inline caching where getters would have been able to | |
30658 | modify the property they are getting during building of the inline | |
30659 | cache, and then access that property through the inline cache site, | |
30660 | causing recursive inline cache building and allowing the fast path | |
30661 | of the cache to try to load a getter for the property that no longer | |
30662 | exists. | |
30663 | ||
30664 | * jit/JITOperations.cpp: Switched use of get to getPropertySlot. | |
30665 | * runtime/JSCJSValue.h: | |
30666 | Added getPropertySlot for when you don't want to perform the get quite yet but want | |
30667 | to fill out the slot. | |
30668 | * runtime/JSCJSValueInlines.h: Added implementation for getPropertySlot | |
30669 | (JSC::JSValue::get): changed to simply call getPropertySlot | |
30670 | (JSC::JSValue::getPropertySlot): added. | |
30671 | * tests/stress/recursive_property_redefine_during_inline_caching.js: Added test case for bug. | |
30672 | (test): | |
30673 | ||
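As an added example, not the test case from this patch: the access pattern the entry above describes, written as a small JavaScript check whose expectations hold whatever the engine does at the access site. The names makeSelfRedefiningObject, readRepeatedly and runScenario are constructed here.

```javascript
// Constructed example (not the patch's test file): a getter replaces its own
// property with a plain data property while it is being read, then re-reads
// the property by the same name. JavaScript semantics must be preserved no
// matter what inline caching the engine builds for the access site.
function makeSelfRedefiningObject() {
  const o = {};
  let getterCalls = 0;
  Object.defineProperty(o, "prop", {
    configurable: true,
    enumerable: true,
    get() {
      getterCalls += 1;
      // Redefine the property during the access: from here on "prop" is an
      // ordinary value, so no getter exists for it any more.
      Object.defineProperty(o, "prop", {
        value: 42,
        writable: true,
        enumerable: true,
        configurable: true,
      });
      // Re-entrant read of the same property; must observe the new value.
      return o.prop;
    },
  });
  return { o, getterCalls: () => getterCalls };
}

// Read the property many times from a single access site so that any cache
// the engine builds for this site is exercised after the redefinition.
function readRepeatedly(o, n) {
  let last;
  for (let i = 0; i < n; i++) {
    last = o.prop;
  }
  return last;
}

// Returns a summary that a test can assert on.
function runScenario(iterations) {
  const { o, getterCalls } = makeSelfRedefiningObject();
  const result = readRepeatedly(o, iterations);
  const desc = Object.getOwnPropertyDescriptor(o, "prop");
  return {
    result,                                   // 42 on every read
    getterCalls: getterCalls(),               // the getter ran exactly once
    hasGetter: typeof desc.get === "function", // false: it is a data property now
    value: desc.value,                        // 42
  };
}
```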
30674 | 2014-12-01 Michael Saboff <msaboff@apple.com> | |
30675 | ||
30676 | Remove GetMyScope node from DFG | |
30677 | https://bugs.webkit.org/show_bug.cgi?id=139166 | |
30678 | ||
30679 | Reviewed by Oliver Hunt. | |
30680 | ||
30681 | Eliminated GetMyScope DFG node type. | |
30682 | ||
30683 | * dfg/DFGAbstractInterpreterInlines.h: | |
30684 | (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): | |
30685 | * dfg/DFGClobberize.h: | |
30686 | (JSC::DFG::clobberize): | |
30687 | * dfg/DFGDoesGC.cpp: | |
30688 | (JSC::DFG::doesGC): | |
30689 | * dfg/DFGFixupPhase.cpp: | |
30690 | (JSC::DFG::FixupPhase::fixupNode): | |
30691 | * dfg/DFGGraph.cpp: | |
30692 | (JSC::DFG::Graph::isLiveInBytecode): | |
30693 | * dfg/DFGNodeType.h: | |
30694 | * dfg/DFGPredictionPropagationPhase.cpp: | |
30695 | (JSC::DFG::PredictionPropagationPhase::propagate): | |
30696 | * dfg/DFGSafeToExecute.h: | |
30697 | (JSC::DFG::safeToExecute): | |
30698 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
30699 | (JSC::DFG::SpeculativeJIT::compile): | |
30700 | * dfg/DFGSpeculativeJIT64.cpp: | |
30701 | (JSC::DFG::SpeculativeJIT::compile): | |
30702 | * ftl/FTLCapabilities.cpp: | |
30703 | (JSC::FTL::canCompile): | |
30704 | * ftl/FTLLowerDFGToLLVM.cpp: | |
30705 | (JSC::FTL::LowerDFGToLLVM::compileNode): | |
30706 | (JSC::FTL::LowerDFGToLLVM::compileGetMyScope): Deleted. | |
30707 | ||
30708 | 2014-12-01 Michael Saboff <msaboff@apple.com> | |
30709 | ||
30710 | Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com | |
30711 | https://bugs.webkit.org/show_bug.cgi?id=139165 | |
30712 | ||
30713 | Reviewed by Oliver Hunt. | |
30714 | ||
30715 | If we don't have any getById or putById variants, emit non-cached versions of these operations. | |
30716 | ||
30717 | * dfg/DFGByteCodeParser.cpp: | |
30718 | (JSC::DFG::ByteCodeParser::handleGetById): | |
30719 | (JSC::DFG::ByteCodeParser::handlePutById): | |
30720 | ||
30721 | 2014-12-01 Andreas Kling <akling@apple.com> | |
30722 | ||
30723 | Optimize constructing JSC::Identifier from AtomicString. | |
30724 | <https://webkit.org/b/139157> | |
30725 | ||
30726 | Reviewed by Michael Saboff. | |
30727 | ||
30728 | Add constructors for Identifier taking AtomicString and AtomicStringImpl. | |
30729 | This avoids branching on the string's isAtomic flag, which is obviously | |
30730 | always true for AtomicString & AtomicStringImpl. | |
30731 | ||
30732 | Had to add an Identifier(const char*) constructor to resolve implicit | |
30733 | ambiguity between String / AtomicString. | |
30734 | ||
30735 | Also made PrivateName::uid() return AtomicStringImpl* to take advantage | |
30736 | of the new constructor in a few places. | |
30737 | ||
30738 | * runtime/Identifier.h: | |
30739 | (JSC::Identifier::Identifier): | |
30740 | * runtime/IdentifierInlines.h: | |
30741 | (JSC::Identifier::Identifier): | |
30742 | * runtime/PrivateName.h: | |
30743 | (JSC::PrivateName::uid): | |
30744 | ||
30745 | 2014-12-01 Alexey Proskuryakov <ap@apple.com> | |
30746 | ||
30747 | Several JavaScriptCore date tests are flaky, because they expect time to be frozen during execution | |
30748 | https://bugs.webkit.org/show_bug.cgi?id=139138 | |
30749 | ||
30750 | Reviewed by Mark Lam. | |
30751 | ||
30752 | Merged a fix by Bob Clary. | |
30753 | ||
30754 | * tests/mozilla/ecma/Date/15.9.1.1-1.js: | |
30755 | * tests/mozilla/ecma/Date/15.9.1.1-2.js: | |
30756 | * tests/mozilla/ecma/Date/15.9.2.1.js: | |
30757 | * tests/mozilla/ecma/Date/15.9.2.2-1.js: | |
30758 | * tests/mozilla/ecma/Date/15.9.2.2-2.js: | |
30759 | * tests/mozilla/ecma/Date/15.9.2.2-3.js: | |
30760 | * tests/mozilla/ecma/Date/15.9.2.2-4.js: | |
30761 | * tests/mozilla/ecma/Date/15.9.2.2-5.js: | |
30762 | * tests/mozilla/ecma/Date/15.9.2.2-6.js: | |
30763 | ||
30764 | 2014-11-17 Oliver Hunt <oliver@apple.com> | |
30765 | ||
30766 | Make sure range based iteration of Vector<> still receives bounds checking | |
30767 | https://bugs.webkit.org/show_bug.cgi?id=138821 | |
30768 | ||
30769 | Reviewed by Mark Lam. | |
30770 | ||
30771 | There are a few uses of begin()/end() that explicitly require pointers, | |
30772 | so we use getPtr() to extract the underlying pointer generically. | |
30773 | ||
30774 | * bytecode/UnlinkedCodeBlock.cpp: | |
30775 | (JSC::UnlinkedCodeBlock::visitChildren): | |
30776 | * bytecompiler/BytecodeGenerator.cpp: | |
30777 | (JSC::BytecodeGenerator::emitComplexPopScopes): | |
30778 | * dfg/DFGSpeculativeJIT.cpp: | |
30779 | (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): | |
30780 | * ftl/FTLAbbreviations.h: | |
30781 | (JSC::FTL::mdNode): | |
30782 | (JSC::FTL::buildCall): | |
30783 | * llint/LLIntData.cpp: | |
30784 | (JSC::LLInt::Data::performAssertions): | |
30785 | * parser/Parser.h: | |
30786 | (JSC::Scope::Scope): | |
30787 | * profiler/ProfileNode.cpp: | |
30788 | (JSC::ProfileNode::debugPrintRecursively): | |
30789 | * runtime/JSArray.cpp: | |
30790 | (JSC::JSArray::setLengthWithArrayStorage): | |
30791 | (JSC::JSArray::sortCompactedVector): | |
30792 | * tools/ProfileTreeNode.h: | |
30793 | (JSC::ProfileTreeNode::dumpInternal): | |
30794 | * yarr/YarrJIT.cpp: | |
30795 | (JSC::Yarr::YarrGenerator::matchCharacterClass): | |
30796 | ||
30797 | 2014-11-29 Andreas Kling <akling@apple.com> | |
30798 | ||
30799 | PropertyTable keys should be AtomicStringImpl. | |
30800 | <https://webkit.org/b/139096> | |
30801 | ||
30802 | Reviewed by Sam Weinig. | |
30803 | ||
30804 | Since PropertyTable keys are really always Identifiers, switch the key | |
30805 | type from StringImpl* to AtomicStringImpl*. | |
30806 | ||
30807 | We have code in the GetByVal opcode implementations that assumes things | |
30808 | about this, so this change adds confidence to those algorithms. | |
30809 | ||
30810 | * bytecode/ComplexGetStatus.cpp: | |
30811 | (JSC::ComplexGetStatus::computeFor): | |
30812 | * bytecode/ComplexGetStatus.h: | |
30813 | * bytecode/GetByIdStatus.cpp: | |
30814 | (JSC::GetByIdStatus::computeFromLLInt): | |
30815 | (JSC::GetByIdStatus::computeFor): | |
30816 | (JSC::GetByIdStatus::computeForStubInfo): | |
30817 | * bytecode/GetByIdStatus.h: | |
30818 | * bytecode/PutByIdStatus.cpp: | |
30819 | (JSC::PutByIdStatus::computeFromLLInt): | |
30820 | (JSC::PutByIdStatus::computeFor): | |
30821 | (JSC::PutByIdStatus::computeForStubInfo): | |
30822 | * bytecode/PutByIdStatus.h: | |
30823 | * dfg/DFGByteCodeParser.cpp: | |
30824 | (JSC::DFG::ByteCodeParser::parseBlock): | |
30825 | (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): | |
30826 | * dfg/DFGDesiredIdentifiers.cpp: | |
30827 | (JSC::DFG::DesiredIdentifiers::addLazily): | |
30828 | (JSC::DFG::DesiredIdentifiers::at): | |
30829 | * dfg/DFGDesiredIdentifiers.h: | |
30830 | (JSC::DFG::DesiredIdentifiers::operator[]): | |
30831 | * dfg/DFGFixupPhase.cpp: | |
30832 | (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): | |
30833 | * runtime/Identifier.h: | |
30834 | (JSC::Identifier::impl): | |
30835 | * runtime/IntendedStructureChain.cpp: | |
30836 | (JSC::IntendedStructureChain::mayInterceptStoreTo): | |
30837 | * runtime/IntendedStructureChain.h: | |
30838 | * runtime/PropertyMapHashTable.h: | |
30839 | * runtime/Structure.cpp: | |
30840 | (JSC::StructureTransitionTable::contains): | |
30841 | (JSC::StructureTransitionTable::get): | |
30842 | (JSC::Structure::addPropertyTransitionToExistingStructureImpl): | |
30843 | (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): | |
30844 | (JSC::Structure::getConcurrently): | |
30845 | (JSC::Structure::add): | |
30846 | (JSC::Structure::remove): | |
30847 | * runtime/Structure.h: | |
30848 | (JSC::PropertyMapEntry::PropertyMapEntry): | |
30849 | * runtime/StructureInlines.h: | |
30850 | (JSC::Structure::getConcurrently): | |
30851 | * runtime/StructureTransitionTable.h: | |
30852 | (JSC::StructureTransitionTable::Hash::hash): | |
30853 | ||
30854 | 2014-11-28 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
30855 | ||
30856 | Use std::unique_ptr<>|make_unique<> in ftl, bytecode of JSC | |
30857 | https://bugs.webkit.org/show_bug.cgi?id=139063 | |
30858 | ||
30859 | Reviewed by Andreas Kling. | |
30860 | ||
30861 | Clean up OwnPtr and PassOwnPtr in JSC. | |
30862 | ||
30863 | * bytecode/StructureStubClearingWatchpoint.cpp: | |
30864 | (JSC::StructureStubClearingWatchpoint::push): | |
30865 | * bytecode/StructureStubClearingWatchpoint.h: | |
30866 | (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): | |
30867 | * ftl/FTLCompile.cpp: | |
30868 | (JSC::FTL::mmAllocateDataSection): | |
30869 | * ftl/FTLJITFinalizer.h: | |
30870 | * ftl/FTLLink.cpp: | |
30871 | (JSC::FTL::link): | |
30872 | * parser/SourceProviderCacheItem.h: | |
30873 | ||
30874 | 2014-11-27 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
30875 | ||
30876 | Use std::unique_ptr instead of OwnPtr in JSC classes | |
30877 | https://bugs.webkit.org/show_bug.cgi?id=139009 | |
30878 | ||
30879 | Reviewed by Filip Pizlo. | |
30880 | ||
30881 | As a step of using std::unique_ptr<>, this patch replaces OwnPtr with | |
30882 | std::unique_ptr<>|std::make_unique<>. | |
30883 | ||
30884 | * bytecode/DFGExitProfile.cpp: | |
30885 | (JSC::DFG::ExitProfile::add): | |
30886 | * bytecode/DFGExitProfile.h: | |
30887 | * bytecode/LazyOperandValueProfile.cpp: | |
30888 | (JSC::CompressedLazyOperandValueProfileHolder::add): | |
30889 | * bytecode/LazyOperandValueProfile.h: | |
30890 | * heap/MarkedBlock.cpp: | |
30891 | (JSC::MarkedBlock::specializedSweep): | |
30892 | (JSC::MarkedBlock::stopAllocating): | |
30893 | * heap/MarkedBlock.h: | |
30894 | (JSC::MarkedBlock::clearNewlyAllocated): | |
30895 | * inspector/ContentSearchUtilities.cpp: | |
30896 | (Inspector::ContentSearchUtilities::findMagicComment): | |
30897 | * runtime/RegExp.cpp: | |
30898 | (JSC::RegExp::invalidateCode): | |
30899 | * runtime/RegExp.h: | |
30900 | * yarr/RegularExpression.cpp: | |
30901 | (JSC::Yarr::RegularExpression::Private::compile): | |
30902 | (JSC::Yarr::RegularExpression::isValid): | |
30903 | * yarr/YarrInterpreter.cpp: | |
30904 | (JSC::Yarr::ByteCompiler::compile): | |
30905 | (JSC::Yarr::ByteCompiler::regexBegin): | |
30906 | (JSC::Yarr::byteCompile): | |
30907 | * yarr/YarrInterpreter.h: | |
30908 | (JSC::Yarr::BytecodePattern::BytecodePattern): | |
30909 | ||
30910 | 2014-11-24 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
30911 | ||
30912 | Clean up OwnPtr and PassOwnPtr in JSC - bytecode, jit, inspector, and interpreter | |
30913 | https://bugs.webkit.org/show_bug.cgi?id=139022 | |
30914 | ||
30915 | Reviewed by Filip Pizlo. | |
30916 | ||
30917 | As a step of using std::unique_ptr<>, this patch replaces OwnPtr with | |
30918 | std::unique_ptr<>|std::make_unique<>. | |
30919 | ||
30920 | * bytecode/DFGExitProfile.cpp: | |
30921 | (JSC::DFG::ExitProfile::add): | |
30922 | * bytecode/DFGExitProfile.h: | |
30923 | * dfg/DFGJITCompiler.cpp: | |
30924 | (JSC::DFG::JITCompiler::link): | |
30925 | (JSC::DFG::JITCompiler::linkFunction): | |
30926 | * dfg/DFGJITFinalizer.cpp: | |
30927 | (JSC::DFG::JITFinalizer::JITFinalizer): | |
30928 | * dfg/DFGJITFinalizer.h: | |
30929 | * heap/IncrementalSweeper.h: | |
30930 | * inspector/ContentSearchUtilities.cpp: | |
30931 | (Inspector::ContentSearchUtilities::findMagicComment): | |
30932 | * inspector/agents/InspectorDebuggerAgent.h: | |
30933 | * inspector/agents/JSGlobalObjectRuntimeAgent.h: | |
30934 | * interpreter/Interpreter.cpp: | |
30935 | (JSC::Interpreter::enableSampler): | |
30936 | * interpreter/Interpreter.h: | |
30937 | * jit/ExecutableAllocator.cpp: | |
30938 | (JSC::ExecutableAllocator::ExecutableAllocator): | |
30939 | * jit/ExecutableAllocator.h: | |
30940 | ||
30941 | 2014-11-22 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
30942 | ||
30943 | Clean up OwnPtr and PassOwnPtr in some of JS classes | |
30944 | https://bugs.webkit.org/show_bug.cgi?id=138724 | |
30945 | ||
30946 | Reviewed by Filip Pizlo. | |
30947 | ||
30948 | As a step to use std::unique_ptr<> and std::make_unique<>, this patch replaces | |
30949 | OwnPtr with std::unique_ptr<>. Besides, the create() factory function is removed as well. | |
30950 | ||
30951 | * builtins/BuiltinExecutables.h: | |
30952 | (JSC::BuiltinExecutables::create): Deleted. | |
30953 | * bytecode/CodeBlock.h: | |
30954 | (JSC::CodeBlock::createRareDataIfNecessary): | |
30955 | * bytecode/StructureStubInfo.h: | |
30956 | * bytecode/UnlinkedCodeBlock.h: | |
30957 | (JSC::UnlinkedCodeBlock::hasRareData): | |
30958 | (JSC::UnlinkedCodeBlock::createRareDataIfNecessary): | |
30959 | * runtime/CodeCache.cpp: | |
30960 | (JSC::CodeCache::getGlobalCodeBlock): | |
30961 | * runtime/CodeCache.h: | |
30962 | (JSC::CodeCache::create): Deleted. | |
30963 | * runtime/JSGlobalObject.cpp: | |
30964 | (JSC::JSGlobalObject::clearRareData): | |
30965 | * runtime/JSGlobalObject.h: | |
30966 | (JSC::JSGlobalObject::createRareDataIfNeeded): | |
30967 | * runtime/RegExpConstructor.h: | |
30968 | * runtime/SmallStrings.cpp: | |
30969 | (JSC::SmallStrings::createSingleCharacterString): | |
30970 | (JSC::SmallStrings::singleCharacterStringRep): | |
30971 | * runtime/SmallStrings.h: | |
30972 | * runtime/VM.cpp: | |
30973 | (JSC::VM::VM): | |
30974 | * runtime/VM.h: | |
30975 | ||
30976 | 2014-11-21 Michael Saboff <msaboff@apple.com> | |
30977 | ||
30978 | r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143) | |
30979 | https://bugs.webkit.org/show_bug.cgi?id=139000 | |
30980 | ||
30981 | Reviewed by Darin Adler. | |
30982 | ||
30983 | Check that the chainCount is non-zero before using a StructureChain. | |
30984 | ||
30985 | * bytecode/ComplexGetStatus.cpp: | |
30986 | (JSC::ComplexGetStatus::computeFor): | |
30987 | ||
30988 | 2014-11-21 Michael Saboff <msaboff@apple.com> | |
30989 | ||
30990 | Allocate local ScopeChain register | |
30991 | https://bugs.webkit.org/show_bug.cgi?id=138793 | |
30992 | ||
30993 | Reviewed by Geoffrey Garen. | |
30994 | ||
30995 | Now we allocate the scope register as a local. The allocated register is stored in the | |
30996 | CodeBlock for use by other components. Update the DFG to work with a local scope register. | |
30997 | Changed usage of JSStack::ScopeChain access to the CallFrame header to use the allocated | |
30998 | local register. | |
30999 | ||
31000 | * bytecode/BytecodeUseDef.h: | |
31001 | (JSC::computeUsesForBytecodeOffset): | |
31002 | (JSC::computeDefsForBytecodeOffset): | |
31003 | Updated to properly represent the operand inputs and bytecode result. | |
31004 | ||
31005 | * bytecode/CodeBlock.cpp: | |
31006 | (JSC::CodeBlock::CodeBlock): | |
31007 | * bytecode/CodeBlock.h: | |
31008 | (JSC::CodeBlock::setScopeRegister): | |
31009 | (JSC::CodeBlock::scopeRegister): | |
31010 | * bytecode/UnlinkedCodeBlock.h: | |
31011 | (JSC::UnlinkedCodeBlock::setScopeRegister): | |
31012 | (JSC::UnlinkedCodeBlock::scopeRegister): | |
31013 | Added scope register member and accessors. | |
31014 | ||
31015 | * bytecompiler/BytecodeGenerator.cpp: | |
31016 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
31017 | (JSC::BytecodeGenerator::allocateAndEmitScope): | |
31018 | * bytecompiler/BytecodeGenerator.h: | |
31019 | (JSC::BytecodeGenerator::scopeRegister): | |
31020 | Change m_scopeRegister to an allocated register. Added allocateAndEmitScope helper to | |
31021 | allocate the scope register, set the CodeBlock with its value and emit op_get_scope. | |
31022 | ||
31023 | * debugger/DebuggerCallFrame.cpp: | |
31024 | (JSC::DebuggerCallFrame::scope): Changed to access the scope using the new convention. | |
31025 | ||
31026 | * dfg/DFGByteCodeParser.cpp: | |
31027 | (JSC::DFG::ByteCodeParser::get): | |
31028 | (JSC::DFG::ByteCodeParser::flush): | |
31029 | (JSC::DFG::ByteCodeParser::inlineCall): | |
31030 | (JSC::DFG::ByteCodeParser::parseBlock): | |
31031 | Changed op_create_lexical_environment to set the scope VirtualRegister operand. | |
31032 | Filled out op_get_scope processing to emit a GetScope node putting the result in | |
31033 | the scope VirtualRegister result operand. | |
31034 | Added Phantoms where appropriate to keep the Scope register alive in places where | |
31035 | its use is optimized away, but where the baseline JIT would need to use its value. | |
31036 | Eliminated uses of JSStack::ScopeChain. | |
31037 | ||
31038 | * dfg/DFGStackLayoutPhase.cpp: | |
31039 | (JSC::DFG::StackLayoutPhase::run): | |
31040 | Make sure that the scope register stack location is allocated using the same place | |
31041 | that the codeBlock expects. | |
31042 | ||
31043 | * dfg/DFGStrengthReductionPhase.cpp: | |
31044 | (JSC::DFG::StrengthReductionPhase::handleNode): | |
31045 | Allow strength reduction of Flush to skip over GetScope nodes looking for a prior | |
31046 | corresponding SetLocal. | |
31047 | ||
31048 | * interpreter/CallFrame.h: | |
31049 | (JSC::ExecState::scope): | |
31050 | (JSC::ExecState::setScope): | |
31051 | Added new scope() and setScope() helpers that take a VirtualRegister offset. | |
31052 | ||
31053 | * interpreter/Interpreter.cpp: | |
31054 | (JSC::eval): | |
31055 | Changed eval() to get the scope from the caller's scope register instead of from the | |
31056 | temporary frame created for eval. | |
31057 | ||
31058 | * interpreter/Interpreter.cpp: | |
31059 | (JSC::Interpreter::unwind): | |
31060 | Changed unwind() to manipulate the scope in the allocated register instead of from the | |
31061 | call frame slot. | |
31062 | ||
31063 | * interpreter/StackVisitor.cpp: | |
31064 | (JSC::StackVisitor::readNonInlinedFrame): | |
31065 | (JSC::StackVisitor::readInlinedFrame): | |
31066 | * interpreter/StackVisitor.h: | |
31067 | (JSC::StackVisitor::Frame::callee): | |
31068 | (JSC::StackVisitor::Frame::scope): Deleted. | |
31069 | Eliminated the scope member as it needed to change and no StackVisitor users use it. | |
31070 | ||
31071 | * jit/JITOperations.cpp: | |
31072 | (JSC::operationPushNameScope): | |
31073 | (JSC::operationPushWithScope): | |
31074 | * runtime/JSNameScope.h: | |
31075 | (JSC::JSNameScope::create): | |
31076 | * runtime/JSWithScope.h: | |
31077 | (JSC::JSWithScope::create): Deleted. | |
31078 | * llint/LLIntSlowPaths.cpp: | |
31079 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
31080 | Deleted JSNameScope::create() and JSWithScope::create() flavors that used the ScopeChain slot | |
31081 | in the CallFrame header. Changed the only users of these functions, the op_push_name_scope and | |
31082 | op_push_with_scope helpers, to use the remaining create variants that require explicit scope. | |
31083 | Those operations get the scope from the register pointed to by their scope operands. | |
31084 | ||
31085 | * llint/LowLevelInterpreter32_64.asm: | |
31086 | * llint/LowLevelInterpreter64.asm: | |
31087 | Changed resolveScope to use the allocated register. | |
31088 | ||
31089 | 2014-11-21 Csaba Osztrogonác <ossy@webkit.org> | |
31090 | ||
31091 | [JSC] Disable verifyHeap | |
31092 | https://bugs.webkit.org/show_bug.cgi?id=138962 | |
31093 | ||
31094 | Reviewed by Mark Lam. | |
31095 | ||
31096 | * runtime/Options.h: | |
31097 | ||
31098 | 2014-11-20 Mark Lam <mark.lam@apple.com> | |
31099 | ||
31100 | Add some comments to describe the DFG UseKind representations. | |
31101 | <https://webkit.org/b/138934> | |
31102 | ||
31103 | Reviewed by Filip Pizlo. | |
31104 | ||
31105 | * dfg/DFGUseKind.h: | |
31106 | - Also regrouped the UseKind enums by representation to be more readable. | |
31107 | ||
31108 | 2014-11-20 Mark Lam <mark.lam@apple.com> | |
31109 | ||
31110 | Add Heap verification infrastructure. | |
31111 | <https://webkit.org/b/138851> | |
31112 | ||
31113 | Reviewed by Geoffrey Garen. | |
31114 | ||
31115 | The verification infrastructure code is always built in but disabled by | |
31116 | default. When disabled, the cost is minimal: | |
31117 | 1. Heap has a m_verifier field. | |
31118 | 2. GC does a few "if (m_verifier)" checks that should fail. | |
31119 | 3. HeapVerifier takes up code space though not used. | |
31120 | ||
31121 | When enabled: | |
31122 | 1. The HeapVerifier will keep data for N GC cycles. | |
31123 | Each GC cycle will contain a "before marking" and "after marking" live | |
31124 | object list. | |
31125 | The GC cycles form a circular buffer. Only data for the last N GC cycles | |
31126 | will be retained. | |
31127 | 2. During GC, the current GC cycle's live objects lists will be populated | |
31128 | before and after marking. | |
31129 | 3. The current GC cycle's live object lists will be validated before GC, | |
31130 | after marking, and after GC. | |
31131 | ||
31132 | Currently, the only validation being done is to verify that object | |
31133 | butterflies are allocated from valid blocks in the Storage (aka Copied) | |
31134 | space. | |
31135 | ||
31136 | * CMakeLists.txt: | |
31137 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
31138 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
31139 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
31140 | * heap/Heap.cpp: | |
31141 | (JSC::Heap::Heap): | |
31142 | (JSC::Heap::collect): | |
31143 | * heap/Heap.h: | |
31144 | * heap/HeapVerifier.cpp: Added. | |
31145 | (JSC::LiveObjectList::findObject): | |
31146 | (JSC::HeapVerifier::HeapVerifier): | |
31147 | (JSC::HeapVerifier::collectionTypeName): | |
31148 | (JSC::HeapVerifier::phaseName): | |
31149 | (JSC::getButterflyDetails): | |
31150 | (JSC::HeapVerifier::initializeGCCycle): | |
31151 | (JSC::GatherLiveObjFunctor::GatherLiveObjFunctor): | |
31152 | (JSC::GatherLiveObjFunctor::operator()): | |
31153 | (JSC::HeapVerifier::gatherLiveObjects): | |
31154 | (JSC::HeapVerifier::liveObjectListForGathering): | |
31155 | (JSC::trimDeadObjectsFromList): | |
31156 | (JSC::HeapVerifier::trimDeadObjects): | |
31157 | (JSC::HeapVerifier::verifyButterflyIsInStorageSpace): | |
31158 | (JSC::HeapVerifier::verify): | |
31159 | (JSC::HeapVerifier::reportObject): | |
31160 | (JSC::HeapVerifier::checkIfRecorded): | |
31161 | * heap/HeapVerifier.h: Added. | |
31162 | (JSC::LiveObjectData::LiveObjectData): | |
31163 | (JSC::LiveObjectList::LiveObjectList): | |
31164 | (JSC::LiveObjectList::reset): | |
31165 | (JSC::HeapVerifier::GCCycle::GCCycle): | |
31166 | (JSC::HeapVerifier::GCCycle::collectionTypeName): | |
31167 | (JSC::HeapVerifier::incrementCycle): | |
31168 | (JSC::HeapVerifier::currentCycle): | |
31169 | (JSC::HeapVerifier::cycleForIndex): | |
31170 | * runtime/Options.h: | |
31171 | ||
31172 | 2014-11-20 Yusuke Suzuki <utatane.tea@gmail.com> | |
31173 | ||
31174 | Rename String.prototype.contains to String.prototype.includes | |
31175 | https://bugs.webkit.org/show_bug.cgi?id=138923 | |
31176 | ||
31177 | As per the latest TC39 meeting[1, 2], String.prototype.contains is | |
31178 | renamed to String.prototype.includes. This is because the name | |
31179 | `contains` breaks the web since it conflicts with existing `contains` | |
31180 | implementations in major libraries. | |
31181 | ||
31182 | [1]: https://github.com/mathiasbynens/String.prototype.includes | |
31183 | [2]: https://github.com/tc39/test262/pull/119 | |
31184 | ||
31185 | Reviewed by Geoffrey Garen. | |
31186 | ||
31187 | * runtime/StringPrototype.cpp: | |
31188 | (JSC::StringPrototype::finishCreation): | |
31189 | (JSC::stringProtoFuncIncludes): | |
31190 | (JSC::stringProtoFuncContains): Deleted. | |
31191 | ||
31192 | 2014-11-19 Mark Lam <mark.lam@apple.com> | |
31193 | ||
31194 | WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com. | |
31195 | <https://webkit.org/b/137642> | |
31196 | ||
31197 | Reviewed by Filip Pizlo. | |
31198 | ||
31199 | In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE | |
31200 | phases have already transpired. Hence, Identity nodes introduced in the | |
31201 | ConstantFolding phase will be left in the node graph. Subsequently, the | |
31202 | DFG code generator asserts that CSE phases have consumed all Identity nodes. | |
31203 | This turns out to not be true. Hence, the crash. We fix this by teaching | |
31204 | the DFG code generator to emit code for Identity nodes. | |
31205 | ||
31206 | Unlike the DFG, the FTL does not have this issue. That is because the FTL | |
31207 | plan has GlobalCSE phases that come after ConstantFolding and any other | |
31208 | phases that can generate Identity nodes. Hence, for the FTL, it is true that | |
31209 | CSE will consume all Identity nodes, and the code generator should not see any | |
31210 | Identity nodes. | |
31211 | ||
31212 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
31213 | (JSC::DFG::SpeculativeJIT::compile): | |
31214 | * dfg/DFGSpeculativeJIT64.cpp: | |
31215 | (JSC::DFG::SpeculativeJIT::compile): | |
31216 | ||
31217 | 2014-11-19 Joseph Pecoraro <pecoraro@apple.com> | |
31218 | ||
31219 | Web Inspector: JSContext inspection Resource search does not work | |
31220 | https://bugs.webkit.org/show_bug.cgi?id=131252 | |
31221 | ||
31222 | Reviewed by Timothy Hatcher. | |
31223 | ||
31224 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
31225 | (Inspector::InspectorDebuggerAgent::searchInContent): | |
31226 | * inspector/protocol/Debugger.json: | |
31227 | Do some cleanup of the description and implementation of content searching. | |
31228 | ||
31229 | 2014-11-19 Joseph Pecoraro <pecoraro@apple.com> | |
31230 | ||
31231 | Web Inspector: Provide $exception in the console for the thrown exception value | |
31232 | https://bugs.webkit.org/show_bug.cgi?id=138726 | |
31233 | ||
31234 | Reviewed by Timothy Hatcher. | |
31235 | ||
31236 | * debugger/DebuggerScope.cpp: | |
31237 | (JSC::DebuggerScope::caughtValue): | |
31238 | * debugger/DebuggerScope.h: | |
31239 | Access the caught value if this scope is a catch scope. | |
31240 | ||
31241 | * runtime/JSNameScope.h: | |
31242 | (JSC::JSNameScope::isFunctionNameScope): | |
31243 | (JSC::JSNameScope::isCatchScope): | |
31244 | (JSC::JSNameScope::value): | |
31245 | Provide an accessor for the single value in the JSNameScope (with / catch block). | |
31246 | ||
31247 | * inspector/InjectedScriptSource.js: | |
31248 | Save the exception value and expose it via $exception. Since the command line api | |
31249 | is recreated on each evaluation, $exception is essentially readonly. | |
31250 | ||
31251 | * inspector/ScriptDebugServer.h: | |
31252 | * inspector/ScriptDebugServer.cpp: | |
31253 | (Inspector::ScriptDebugServer::dispatchDidPause): | |
31254 | (Inspector::ScriptDebugServer::exceptionOrCaughtValue): | |
31255 | When pausing, get the exception or caught value. The exception will be provided | |
31256 | if we are breaking on an explicit exception. When inside of a catch block, we | |
31257 | can get the caught value by walking up the scope chain. | |
31258 | ||
31259 | * inspector/agents/InspectorDebuggerAgent.h: | |
31260 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
31261 | (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent): | |
31262 | (Inspector::InspectorDebuggerAgent::resume): | |
31263 | (Inspector::InspectorDebuggerAgent::stepOver): | |
31264 | (Inspector::InspectorDebuggerAgent::stepInto): | |
31265 | (Inspector::InspectorDebuggerAgent::stepOut): | |
31266 | Clearing state can be done in didContinue. | |
31267 | ||
31268 | (Inspector::InspectorDebuggerAgent::didPause): | |
31269 | Set the exception value explicitly in the injected script when we have it. | |
31270 | ||
31271 | (Inspector::InspectorDebuggerAgent::didContinue): | |
31272 | Clear state saved when we had paused, including clearing an exception value if needed. | |
31273 | ||
31274 | (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): | |
31275 | (Inspector::InspectorDebuggerAgent::clearExceptionValue): | |
31276 | Call into the injected script only when needed. | |
31277 | ||
31278 | * inspector/InjectedScript.cpp: | |
31279 | (Inspector::InjectedScript::setExceptionValue): | |
31280 | (Inspector::InjectedScript::clearExceptionValue): | |
31281 | * inspector/InjectedScript.h: | |
31282 | * inspector/InjectedScriptManager.cpp: | |
31283 | (Inspector::InjectedScriptManager::clearExceptionValue): | |
31284 | * inspector/InjectedScriptManager.h: | |
31285 | Clear on all injected scripts. | |
31286 | ||
31287 | 2014-11-19 Joseph Pecoraro <pecoraro@apple.com> | |
31288 | ||
31289 | Unreviewed build fixes after r176329. | |
31290 | ||
31291 | - export all of the codegen python files as they are included by the main generator | |
31292 | - update the imports of the main generator to match __init__.py | |
31293 | - remove bundling the python scripts as framework resources, just have them PrivateHeaders | |
31294 | ||
31295 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
31296 | * inspector/scripts/generate-inspector-protocol-bindings.py: | |
31297 | ||
31298 | 2014-11-18 Brian J. Burg <burg@cs.washington.edu> | |
31299 | ||
31300 | Web Inspector: standardize language-specific protocol generator file, class, and method prefixes | |
31301 | https://bugs.webkit.org/show_bug.cgi?id=138237 | |
31302 | ||
31303 | Reviewed by Joseph Pecoraro. | |
31304 | ||
31305 | Settle on cpp/objc/js file prefixes and Cpp/ObjC/JS class prefixes for generators. | |
31306 | Move C++-specific static methods into CppGenerator and add cpp_ prefixes where relevant. | |
31307 | Split the templates file into language-specific template files. | |
31308 | ||
31309 | * CMakeLists.txt: | |
31310 | * DerivedSources.make: | |
31311 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: | |
31312 | * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: | |
31313 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
31314 | * inspector/scripts/codegen/__init__.py: | |
31315 | * inspector/scripts/codegen/cpp_generator.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generator.py. | |
31316 | * inspector/scripts/codegen/cpp_generator_templates.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generator_templates.py. | |
31317 | (CppGeneratorTemplates): | |
31318 | * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py. | |
31319 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_backend_dispatcher_header.py. | |
31320 | * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_backend_dispatcher_implementation.py. | |
31321 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_frontend_dispatcher_header.py. | |
31322 | * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py. | |
31323 | * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_protocol_types_header.py. | |
31324 | * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_protocol_types_implementation.py. | |
31325 | * inspector/scripts/codegen/generate_js_backend_commands.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_backend_commands.py. | |
31326 | * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_backend_dispatcher_header.py. | |
31327 | * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_backend_dispatcher_implementation.py. | |
31328 | * inspector/scripts/codegen/generate_objc_configuration_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_configuration_header.py. | |
31329 | * inspector/scripts/codegen/generate_objc_configuration_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_configuration_implementation.py. | |
31330 | * inspector/scripts/codegen/generate_objc_conversion_helpers.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_conversion_helpers.py. | |
31331 | * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_frontend_dispatcher_implementation.py. | |
31332 | * inspector/scripts/codegen/generate_objc_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_header.py. | |
31333 | * inspector/scripts/codegen/generate_objc_internal_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_internal_header.py. | |
31334 | * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_types_implementation.py. | |
31335 | * inspector/scripts/codegen/generator.py: | |
31336 | * inspector/scripts/codegen/generator_templates.py: | |
31337 | * inspector/scripts/codegen/objc_generator.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c.py. | |
31338 | * inspector/scripts/codegen/objc_generator_templates.py: Added. | |
31339 | * inspector/scripts/generate-inspector-protocol-bindings.py: | |
31340 | ||
31341 | 2014-11-19 Juergen Ributzka <juergen@apple.com> | |
31342 | ||
31343 | Update WebKit to build with LLVM TOT | |
31344 | https://bugs.webkit.org/show_bug.cgi?id=138519 | |
31345 | ||
31346 | Reviewed by Alexey Proskuryakov. | |
31347 | ||
31348 | * Configurations/LLVMForJSC.xcconfig: | |
31349 | * llvm/LLVMAPIFunctions.h: | |
31350 | * llvm/library/LLVMExports.cpp: | |
31351 | (initializeAndGetJSCLLVMAPI): | |
31352 | ||
31353 | 2014-11-18 David Kilzer <ddkilzer@apple.com> | |
31354 | ||
31355 | FeatureDefines.xcconfig: Switch from using PLATFORM_NAME to SDK selectors | |
31356 | <http://webkit.org/b/138813> | |
31357 | ||
31358 | Reviewed by Mark Rowe. | |
31359 | ||
31360 | * Configurations/FeatureDefines.xcconfig: Switch to using SDK | |
31361 | selectors. | |
31362 | ||
31363 | 2014-11-18 Chris Dumez <cdumez@apple.com> | |
31364 | ||
31365 | Update the Vector API to deal with unsigned types instead of size_t | |
31366 | https://bugs.webkit.org/show_bug.cgi?id=138824 | |
31367 | ||
31368 | Reviewed by Andreas Kling. | |
31369 | ||
31370 | Update code base to fix build errors related to the typing changes | |
31371 | in the Vector API (size_t -> unsigned). | |
31372 | ||
31373 | * bytecode/PreciseJumpTargets.cpp: | |
31374 | * replay/EncodedValue.h: | |
31375 | ||
31376 | 2014-11-18 Commit Queue <commit-queue@webkit.org> | |
31377 | ||
31378 | Unreviewed, rolling out r176207. | |
31379 | https://bugs.webkit.org/show_bug.cgi?id=138836 | |
31380 | ||
31381 | Not ready yet (Requested by ap on #webkit). | |
31382 | ||
31383 | Reverted changeset: | |
31384 | ||
31385 | "Update WebKit to build with LLVM TOT" | |
31386 | https://bugs.webkit.org/show_bug.cgi?id=138519 | |
31387 | http://trac.webkit.org/changeset/176207 | |
31388 | ||
31389 | 2014-11-17 Mark Lam <mark.lam@apple.com> | |
31390 | ||
31391 | Add printing functionality in JITted code for debugging purposes. | |
31392 | <https://webkit.org/b/138660> | |
31393 | ||
31394 | Reviewed by Geoffrey Garen. | |
31395 | ||
31396 | Sometimes, for debugging, it'd be nice to be able to just print the | |
31397 | values of constants or registers used in JITted code, or even just | |
31398 | a string to log that certain pieces of JITted code have been executed. | |
31399 | Using the JIT probe mechanism, we can make this happen. | |
31400 | ||
31401 | * assembler/ARMv7Assembler.h: | |
31402 | * assembler/AbstractMacroAssembler.h: | |
31403 | (JSC::AbstractMacroAssembler::CPUState::registerName): | |
31404 | (JSC::AbstractMacroAssembler::CPUState::registerValue): | |
31405 | (JSC::AbstractMacroAssembler::print): | |
31406 | (JSC::AbstractMacroAssembler::PrintArg::PrintArg): | |
31407 | (JSC::AbstractMacroAssembler::appendPrintArg): | |
31408 | (JSC::AbstractMacroAssembler::printInternal): | |
31409 | (JSC::AbstractMacroAssembler::printCallback): | |
31410 | * assembler/MacroAssemblerARM.cpp: | |
31411 | (JSC::MacroAssemblerARM::printCPURegisters): | |
31412 | (JSC::MacroAssemblerARM::printRegister): | |
31413 | * assembler/MacroAssemblerARM.h: | |
31414 | * assembler/MacroAssemblerARMv7.cpp: | |
31415 | (JSC::MacroAssemblerARMv7::printCPURegisters): | |
31416 | (JSC::MacroAssemblerARMv7::printRegister): | |
31417 | * assembler/MacroAssemblerARMv7.h: | |
31418 | * assembler/MacroAssemblerX86Common.cpp: | |
31419 | (JSC::MacroAssemblerX86Common::printRegister): | |
31420 | * assembler/MacroAssemblerX86Common.h: | |
31421 | ||
31422 | 2014-11-17 Anders Carlsson <andersca@apple.com> | |
31423 | ||
31424 | Fix JavaScriptCore build with newer versions of clang. | |
31425 | <rdar://problem/18978716> | |
31426 | ||
31427 | * heap/Heap.cpp: | |
31428 | (JSC::Heap::visitTempSortVectors): | |
31429 | (JSC::Heap::deleteAllCompiledCode): Deleted. | |
31430 | * inspector/agents/InspectorConsoleAgent.h: | |
31431 | ||
31432 | 2014-11-17 Juergen Ributzka <juergen@apple.com> | |
31433 | ||
31434 | Update WebKit to build with LLVM TOT | |
31435 | https://bugs.webkit.org/show_bug.cgi?id=138519 | |
31436 | ||
31437 | Reviewed by Alexey Proskuryakov. | |
31438 | ||
31439 | * Configurations/LLVMForJSC.xcconfig: | |
31440 | * llvm/LLVMAPIFunctions.h: | |
31441 | * llvm/library/LLVMExports.cpp: | |
31442 | (initializeAndGetJSCLLVMAPI): | |
31443 | ||
31444 | 2014-11-14 Benjamin Poulain <bpoulain@apple.com> | |
31445 | ||
31446 | STRH can store values with the wrong offset | |
31447 | https://bugs.webkit.org/show_bug.cgi?id=138723 | |
31448 | ||
31449 | Reviewed by Michael Saboff. | |
31450 | ||
31451 | This is the counterpart of r176083 for the str instruction. | |
31452 | ||
31453 | I believe this code is currently unreachable because there is only one client of strh() | |
31454 | in the MacroAssembler and it always sets up the scale explicitly. | |
31455 | ||
31456 | * assembler/ARMv7Assembler.h: | |
31457 | (JSC::ARMv7Assembler::strh): | |
31458 | ||
31459 | 2014-11-13 Mark Lam <mark.lam@apple.com> | |
31460 | ||
31461 | Reduce amount of cut-and-paste needed for probe mechanism implementations. | |
31462 | <https://webkit.org/b/138671> | |
31463 | ||
31464 | Reviewed by Geoffrey Garen. | |
31465 | ||
31466 | The existing code requires that each MacroAssembler implementation provide | |
31467 | their own copy of all of the probe implementations even when most of it is | |
31468 | identical. This patch hoists the common parts into AbstractMacroAssembler | |
31469 | (with some minor renaming). Each target specific MacroAssembler now only | |
31470 | needs to implement a few target-specific methods that are expected by and | |
31471 | documented in AbstractMacroAssembler.h in the ENABLE(MASM_PROBE) section. | |
31472 | ||
31473 | In this patch, I also simplified the X86 and X86_64 ports to use the same | |
31474 | port implementation. The ARMv7 probe implementation should not conditionally | |
31475 | exclude the higher FP registers (since the JIT doesn't). Fixed the ARMv7 | |
31476 | probe code to include the higher FP registers always. | |
31477 | ||
31478 | This is all done in preparation to add printing functionality in JITted code | |
31479 | for debugging. | |
31480 | ||
31481 | * assembler/AbstractMacroAssembler.h: | |
31482 | (JSC::AbstractMacroAssembler::Label::Label): | |
31483 | (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::ConvertibleLoadLabel): | |
31484 | (JSC::AbstractMacroAssembler::DataLabelPtr::DataLabelPtr): | |
31485 | (JSC::AbstractMacroAssembler::DataLabel32::DataLabel32): | |
31486 | (JSC::AbstractMacroAssembler::DataLabelCompact::DataLabelCompact): | |
31487 | (JSC::AbstractMacroAssembler::Jump::link): | |
31488 | (JSC::AbstractMacroAssembler::Jump::linkTo): | |
31489 | (JSC::AbstractMacroAssembler::JumpList::link): | |
31490 | (JSC::AbstractMacroAssembler::JumpList::linkTo): | |
31491 | (JSC::AbstractMacroAssembler::ProbeContext::print): | |
31492 | (JSC::AbstractMacroAssembler::printIndent): | |
31493 | (JSC::AbstractMacroAssembler::printCPU): | |
31494 | (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister): | |
31495 | - Except for the 3 printing methods (which are for the probe), the rest | |
31496 | are touched simply because we need to add the MacroAssemblerType to the | |
31497 | template args. | |
31498 | The MacroAssemblerType is used by the abstract probe code to call the | |
31499 | few probe methods that need to have CPU specific implementations. | |
31500 | ||
31501 | * assembler/MacroAssemblerARM.cpp: | |
31502 | (JSC::MacroAssemblerARM::printCPURegisters): | |
31503 | - This was refactored from ProbeContext::dumpCPURegisters() which no | |
31504 | longer exists. | |
31505 | (JSC::MacroAssemblerARM::ProbeContext::dumpCPURegisters): Deleted. | |
31506 | (JSC::MacroAssemblerARM::ProbeContext::dump): Deleted. | |
31507 | ||
31508 | * assembler/MacroAssemblerARM.h: | |
31509 | * assembler/MacroAssemblerARM64.h: | |
31510 | ||
31511 | * assembler/MacroAssemblerARMv7.cpp: | |
31512 | (JSC::MacroAssemblerARMv7::printCPURegisters): | |
31513 | - This was refactored from ProbeContext::dumpCPURegisters() which no | |
31514 | longer exists. | |
31515 | (JSC::MacroAssemblerARMv7::ProbeContext::dumpCPURegisters): Deleted. | |
31516 | (JSC::MacroAssemblerARMv7::ProbeContext::dump): Deleted. | |
31517 | ||
31518 | * assembler/MacroAssemblerARMv7.h: | |
31519 | * assembler/MacroAssemblerMIPS.h: | |
31520 | * assembler/MacroAssemblerSH4.h: | |
31521 | * assembler/MacroAssemblerX86.h: | |
31522 | (JSC::MacroAssemblerX86::trustedImm32FromPtr): Deleted. | |
31523 | (JSC::MacroAssemblerX86::probe): Deleted. | |
31524 | ||
31525 | * assembler/MacroAssemblerX86Common.cpp: | |
31526 | (JSC::MacroAssemblerX86Common::printCPURegisters): | |
31527 | - This was refactored from ProbeContext::dumpCPURegisters() which no | |
31528 | longer exists. | |
31529 | (JSC::MacroAssemblerX86Common::probe): | |
31530 | - This implementation of probe() is based on the one originally in | |
31531 | MacroAssemblerX86_64.h. It is generic and should work for both | |
31532 | 32-bit and 64-bit. | |
31533 | (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters): Deleted. | |
31534 | (JSC::MacroAssemblerX86Common::ProbeContext::dump): Deleted. | |
31535 | ||
31536 | * assembler/MacroAssemblerX86Common.h: | |
31537 | * assembler/MacroAssemblerX86_64.h: | |
31538 | (JSC::MacroAssemblerX86_64::trustedImm64FromPtr): Deleted. | |
31539 | (JSC::MacroAssemblerX86_64::probe): Deleted. | |
31540 | * jit/JITStubsARMv7.h: | |
31541 | ||
31542 | 2014-11-13 Michael Saboff <msaboff@apple.com> | |
31543 | ||
31544 | Add scope operand to op_new_func* byte codes | |
31545 | https://bugs.webkit.org/show_bug.cgi?id=138707 | |
31546 | ||
31547 | Reviewed by Mark Lam. | |
31548 | ||
31549 | Added scope operand to op_new_func and op_new_func_expr to replace the implicit use | |
31550 | of exec->scope(). | |
31551 | ||
31552 | * bytecode/BytecodeList.json: Increased size of op_new_func & op_new_func_expr bytecodes. | |
31553 | ||
31554 | * bytecode/CodeBlock.cpp: | |
31555 | (JSC::CodeBlock::dumpBytecode): Added scope operand to dump output. | |
31556 | ||
31557 | * bytecompiler/BytecodeGenerator.cpp: | |
31558 | (JSC::BytecodeGenerator::emitNewFunctionInternal): | |
31559 | (JSC::BytecodeGenerator::emitNewFunctionExpression): | |
31560 | Emit scope operand. | |
31561 | ||
31562 | * dfg/DFGByteCodeParser.cpp: | |
31563 | (JSC::DFG::ByteCodeParser::parseBlock): | |
31564 | * dfg/DFGFixupPhase.cpp: | |
31565 | (JSC::DFG::FixupPhase::fixupNode): | |
31566 | Added new scope source nodes to NewFunction, NewFunctionExpression & NewFunctionNoCheck. | |
31567 | ||
31568 | * dfg/DFGSpeculativeJIT.cpp: | |
31569 | (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): | |
31570 | (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): | |
31571 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
31572 | (JSC::DFG::SpeculativeJIT::compile): | |
31573 | * dfg/DFGSpeculativeJIT64.cpp: | |
31574 | (JSC::DFG::SpeculativeJIT::compile): | |
31575 | Use scope children when making new function JIT_Operation calls. Use JSScope* value instead of | |
31576 | exec->scope(). | |
31577 | ||
31578 | * dfg/DFGOperations.h: | |
31579 | * dfg/DFGOperations.cpp: | |
31580 | * dfg/DFGSpeculativeJIT.h: | |
31581 | (JSC::DFG::SpeculativeJIT::callOperation): | |
31582 | * jit/JIT.h: | |
31583 | * jit/JITInlines.h: | |
31584 | (JSC::JIT::callOperation): | |
31585 | * jit/JITOpcodes.cpp: | |
31586 | (JSC::JIT::emit_op_new_func): | |
31587 | (JSC::JIT::emit_op_new_func_exp): | |
31588 | * jit/JITOperations.cpp: | |
31589 | * jit/JITOperations.h: | |
31590 | Added new Jsc JIT_Operation parameter type for JSScope* values. Created declarations and | |
31591 | definitions for new JIT_Operations with Jsc parameters. Use the JSScope* parameters in lieu | |
31592 | of exec->scope() in operationNewFunction(). | |
31593 | Removed comment for unused Jsa (JSLexicalEnvironment*) JIT_Operation parameter type. | |
31594 | ||
31595 | * llint/LLIntSlowPaths.cpp: | |
31596 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
31597 | Use the scope operand instead of exec->scope(). | |
31598 | ||
31599 | * llint/LowLevelInterpreter.asm: | |
31600 | * llint/LowLevelInterpreter32_64.asm: | |
31601 | * llint/LowLevelInterpreter64.asm: | |
31602 | Changed the operand indices for the added scope operand. | |
31603 | ||
31604 | 2014-11-13 Mark Lam <mark.lam@apple.com> | |
31605 | ||
31606 | Change X86/64 JIT probes to save/restore xmm regs as double instead of __m128. [Follow up] | |
31607 | <https://webkit.org/b/138708> | |
31608 | ||
31609 | Reviewed by Michael Saboff. | |
31610 | ||
31611 | Removed a stale comment and a now unnecessary #include. | |
31612 | ||
31613 | * assembler/X86Assembler.h: | |
31614 | ||
31615 | 2014-11-13 Commit Queue <commit-queue@webkit.org> | |
31616 | ||
31617 | Unreviewed, rolling out r176087. | |
31618 | https://bugs.webkit.org/show_bug.cgi?id=138714 | |
31619 | ||
31620 | Broke the build (Requested by ap on #webkit). | |
31621 | ||
31622 | Reverted changeset: | |
31623 | ||
31624 | "Update WebKit to build with LLVM TOT" | |
31625 | https://bugs.webkit.org/show_bug.cgi?id=138519 | |
31626 | http://trac.webkit.org/changeset/176087 | |
31627 | ||
31628 | 2014-11-13 Mark Lam <mark.lam@apple.com> | |
31629 | ||
31630 | Change X86/64 JIT probes to save/restore xmm regs as double instead of __m128. | |
31631 | <https://webkit.org/b/138708> | |
31632 | ||
31633 | Reviewed by Michael Saboff. | |
31634 | ||
31635 | The JIT code only uses the xmm regs as double registers. This patch changes | |
31636 | the storage types of the FP registers in X86Assembler.h to double instead of | |
31637 | __m128, and updates the X86 and X86_64 JIT probe implementations accordingly. | |
31638 | ||
31639 | Also made some minor cosmetic changes in the output of the probe dump functions. | |
31640 | ||
31641 | * assembler/MacroAssemblerX86Common.cpp: | |
31642 | (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters): | |
31643 | * assembler/X86Assembler.h: | |
31644 | * jit/JITStubsX86.h: | |
31645 | * jit/JITStubsX86Common.h: | |
31646 | * jit/JITStubsX86_64.h: | |
31647 | ||
31648 | 2014-11-13 Juergen Ributzka <juergen@apple.com> | |
31649 | ||
31650 | Update WebKit to build with LLVM TOT | |
31651 | https://bugs.webkit.org/show_bug.cgi?id=138519 | |
31652 | ||
31653 | Reviewed by Geoffrey Garen. | |
31654 | ||
31655 | * Configurations/LLVMForJSC.xcconfig: | |
31656 | * llvm/LLVMAPIFunctions.h: | |
31657 | * llvm/library/LLVMExports.cpp: | |
31658 | (initializeAndGetJSCLLVMAPI): | |
31659 | ||
31660 | 2014-11-13 Benjamin Poulain <benjamin@webkit.org> | |
31661 | ||
31662 | ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset | |
31663 | https://bugs.webkit.org/show_bug.cgi?id=136914 | |
31664 | ||
31665 | Reviewed by Michael Saboff. | |
31666 | ||
31667 | TLDR: the immediate offset of half-word load was divided by 2. | |
31668 | ||
31669 | Story time: So I started getting those weird reports of :nth-child() behaving bizarrely | |
31670 | on ARMv7 and ARMv7s. To make things worse, the behavior changes depending on style updates. | |
31671 | ||
31672 | I started looking at the disassembly of the test cases... | |
31673 | ||
31674 | The first thing I noticed was that the computation of An+B looked wrong. For example, | |
31675 | in the case of n+6, the instruction should have been: | |
31676 | subs r1, r1, #6 | |
31677 | but was | |
31678 | subs r1, r1, #2 | |
31679 | ||
31680 | After spending a lot of time trying to find the error in the assembler, I discovered | |
31681 | the problem was not real, but just a bug in the disassembler. | |
31682 | This is the first fix: ARMv7DOpcodeAddSubtractImmediate3's immediate3() was truncating | |
31683 | the value to 2 bits instead of 3 bits. | |
31684 | ||
31685 | The disassembler being fixed, I still have no lead on the weird bug. Some disassembly later, | |
31686 | I realize the LDRH instruction is not decoded at all. The reason is that both LDRH and STRH | |
31687 | were under the umbrella ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord but the pattern | |
31688 | only matched STRH. | |
31689 | ||
31690 | I fix that next, ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord is split into | |
31691 | ARMv7DOpcodeStoreRegisterImmediateHalfWord and ARMv7DOpcodeLoadRegisterImmediateHalfWord, | |
31692 | each with their own pattern and their instruction group. | |
31693 | ||
31694 | Now that I can see the LDRHs correctly, there is something fishy about them, their offset | |
31695 | is way too small for the data I load. | |
31696 | ||
31697 | This time, looking at the binary, the generated code is indeed incorrect. It turns out that | |
31698 | the ARMv7 assembler shifted the offset of half-word loads as if they were byte loads: divided by 4. | |
31699 | As a result, all the loads of half-words with a non-zero offset were loading | |
31700 | values with a smaller offset than what they should have. | |
31701 | ||
31702 | That being fixed, I dump the assembly: still wrong. I am ready to throw my keyboard through | |
31703 | my screen at that point. | |
31704 | ||
31705 | Looking at the disassembler, there is yet again a bug. The computation of the scale() adjustment | |
31706 | of the offset was incorrect for anything but word loads. | |
31707 | I replaced it by a switch-case to make it explicit. | |
31708 | ||
31709 | STRH is likely incorrect too. I'll fix that in a follow-up; I want to survey all the 16-bit cases | |
31710 | that are not directly used by the CSS JIT. | |
31711 | ||
31712 | * assembler/ARMv7Assembler.h: | |
31713 | (JSC::ARMv7Assembler::ldrh): | |
31714 | Fix the immediate scaling. Add an assertion to make sure the alignment of the input is correct. | |
31715 | ||
31716 | * disassembler/ARMv7/ARMv7DOpcode.cpp: | |
31717 | (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): | |
31718 | Fix the scaling code. Just hardcode instruction-to-scale table. | |
31719 | ||
31720 | * disassembler/ARMv7/ARMv7DOpcode.h: | |
31721 | (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3): | |
31722 | The mask for a 3-bit immediate is not 3 :) | |
31723 | ||
31724 | (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): Deleted. | |
31725 | ||
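The entry above describes three encoding mistakes in the 16-bit Thumb forms: a 3-bit immediate masked to two bits, a half-word offset scaled as if it were a word offset, and a disassembler scale that was only right for word accesses. The following stand-alone C++ is an added illustration written for this page, not JavaScriptCore's ARMv7Assembler or ARMv7DOpcode code; the function names are invented. It encodes and decodes the T1 load/store immediate forms with the per-width scale spelled out as a table, rejects misaligned offsets the way the assertion added to ldrh() does, and decodes the imm3 field of ADD/SUB with the correct 0x7 mask.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Illustrative re-implementation of the 16-bit Thumb encodings discussed in
// the ChangeLog entry above. Not JavaScriptCore code.

enum class Width { Byte, HalfWord, Word };

// The 5-bit immediate is scaled by the access width. Hardcoding the table
// (as the fix did) avoids a derived scale that is only right for word accesses.
static unsigned scaleFor(Width w) {
    switch (w) {
    case Width::Byte:     return 1;
    case Width::HalfWord: return 2;
    case Width::Word:     return 4;
    }
    return 0; // not reached
}

// Fixed opcode bits of the T1 "load/store register, immediate offset" forms.
static uint16_t opcodeFor(Width w, bool isLoad) {
    switch (w) {
    case Width::Word:     return isLoad ? 0x6800 : 0x6000; // LDR  / STR
    case Width::Byte:     return isLoad ? 0x7800 : 0x7000; // LDRB / STRB
    case Width::HalfWord: return isLoad ? 0x8800 : 0x8000; // LDRH / STRH
    }
    return 0;
}

// Assembler side: encode Rt, [Rn, #byteOffset]. The alignment check plays the
// role of the assertion added to ldrh(): a half-word offset must be even, so an
// offset wrongly divided by 4 can no longer be encoded silently.
uint16_t encodeLoadStoreImm(Width w, bool isLoad, unsigned rt, unsigned rn, unsigned byteOffset) {
    unsigned scale = scaleFor(w);
    if (rt > 7 || rn > 7)
        throw std::invalid_argument("T1 encoding takes low registers only");
    if (byteOffset % scale != 0)
        throw std::invalid_argument("offset not a multiple of the access width");
    unsigned imm5 = byteOffset / scale;
    if (imm5 > 31)
        throw std::invalid_argument("offset out of range for imm5");
    return static_cast<uint16_t>(opcodeFor(w, isLoad) | (imm5 << 6) | (rn << 3) | rt);
}

// Disassembler side: bits 15..12 select the width, bit 11 load vs. store.
// Returns the byte offset, or UINT32_MAX if insn is not one of these forms.
uint32_t decodedByteOffset(uint16_t insn) {
    Width w;
    switch (insn & 0xF000) {
    case 0x6000: w = Width::Word;     break;
    case 0x7000: w = Width::Byte;     break;
    case 0x8000: w = Width::HalfWord; break;
    default:     return UINT32_MAX;
    }
    return ((insn >> 6) & 0x1F) * scaleFor(w);
}

bool decodedIsLoad(uint16_t insn) { return (insn & 0x0800) != 0; }

// ADD/SUB Rd, Rn, #imm3 (T1): imm3 sits in bits 8..6. A 3-bit field needs
// mask 0x7; masking with 0x3 (the disassembler bug) drops the top bit.
uint16_t encodeAddImm3(unsigned rd, unsigned rn, unsigned imm3) {
    if (rd > 7 || rn > 7 || imm3 > 7)
        throw std::invalid_argument("operand out of range");
    return static_cast<uint16_t>(0x1C00 | (imm3 << 6) | (rn << 3) | rd);
}
unsigned decodeImmediate3(uint16_t insn) { return (insn >> 6) & 0x7; }

// True when the encoder refuses the operands (exercises the alignment check).
bool encodeRejects(Width w, bool isLoad, unsigned rt, unsigned rn, unsigned byteOffset) {
    try { encodeLoadStoreImm(w, isLoad, rt, rn, byteOffset); return false; }
    catch (const std::invalid_argument&) { return true; }
}

int main() {
    uint16_t ldrh = encodeLoadStoreImm(Width::HalfWord, true, 0, 1, 6);
    std::printf("ldrh r0, [r1, #6] -> 0x%04x, decoded offset %u\n",
                ldrh, static_cast<unsigned>(decodedByteOffset(ldrh)));
    std::printf("add r0, r1, #7 -> imm3 %u\n", decodeImmediate3(encodeAddImm3(0, 1, 7)));
    return 0;
}
```

Round-tripping an encoding through both halves is the cheapest check against the failure mode in the entry, where an assembler bug and a disassembler bug masked each other: if the decoded offset does not equal the requested one for every width, one of the two sides is wrong.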
31726 | 2014-11-13 Andreas Kling <akling@apple.com> | |
31727 | ||
31728 | Generate put_by_id for bracket assignment with constant string subscript. | |
31729 | <https://webkit.org/b/138702> | |
31730 | ||
31731 | Reviewed by Geoffrey Garen. | |
31732 | ||
31733 | Transform o["f"]=x to o.f=x when generating bytecode. This allows our JIT | |
31734 | to inline-cache those accesses instead of always dropping out to C++. | |
31735 | ||
31736 | Just like the get_by_id transformations, this gets a bunch of use on | |
31737 | real-web content (and Speedometer) but little/none on raw JS benchmarks. | |
31738 | ||
31739 | * bytecompiler/NodesCodegen.cpp: | |
31740 | (JSC::AssignBracketNode::emitBytecode): | |
31741 | ||
31742 | 2014-11-12 Mark Lam <mark.lam@apple.com> | |
31743 | ||
31744 | Create canonical lists of registers used by both the Assemblers and the JIT probes. | |
31745 | <https://webkit.org/b/138681> | |
31746 | ||
31747 | Reviewed by Filip Pizlo. | |
31748 | ||
31749 | * assembler/ARMAssembler.h: | |
31750 | * assembler/ARMv7Assembler.h: | |
31751 | * assembler/X86Assembler.h: | |
31752 | - The FP register storage type is still defined as __m128 because the JIT | |
31753 | probe code still expects that amount of storage to be available. Will | |
31754 | change this to double when the JIT probe code is updated accordingly in a | |
31755 | later patch. | |
31756 | ||
31757 | 2014-11-12 Andreas Kling <akling@apple.com> | |
31758 | ||
31759 | Generate get_by_id for bracket access with constant string subscript. | |
31760 | <https://webkit.org/b/138663> | |
31761 | ||
31762 | Reviewed by Michael Saboff. | |
31763 | ||
31764 | Transform o["f"] into o.f when generating bytecode. This allows our JIT | |
31765 | to inline-cache those accesses instead of always dropping out to C++. | |
31766 | ||
31767 | This is surprisingly common in real-web content, less so in benchmarks. | |
31768 | Interestingly, Speedometer does hit the optimization quite a bit. | |
31769 | ||
31770 | * bytecompiler/NodesCodegen.cpp: | |
31771 | (JSC::BracketAccessorNode::emitBytecode): | |
31772 | ||
31773 | 2014-11-12 Mark Lam <mark.lam@apple.com> | |
31774 | ||
31775 | Rename USE(MASM_PROBE) to ENABLE(MASM_PROBE). | |
31776 | <https://webkit.org/b/138661> | |
31777 | ||
31778 | Reviewed by Michael Saboff. | |
31779 | ||
31780 | Also move the switch for enabling the use of MASM_PROBE from JavaScriptCore's | |
31781 | config.h to WTF's Platform.h. This ensures that the setting is consistently | |
31782 | applied even when building WebCore parts as well. | |
31783 | ||
31784 | * assembler/ARMAssembler.h: | |
31785 | * assembler/ARMv7Assembler.h: | |
31786 | * assembler/MacroAssemblerARM.cpp: | |
31787 | * assembler/MacroAssemblerARM.h: | |
31788 | * assembler/MacroAssemblerARMv7.cpp: | |
31789 | * assembler/MacroAssemblerARMv7.h: | |
31790 | * assembler/MacroAssemblerX86.h: | |
31791 | * assembler/MacroAssemblerX86Common.cpp: | |
31792 | * assembler/MacroAssemblerX86Common.h: | |
31793 | * assembler/MacroAssemblerX86_64.h: | |
31794 | * assembler/X86Assembler.h: | |
31795 | * config.h: | |
31796 | * jit/JITStubs.h: | |
31797 | * jit/JITStubsARM.h: | |
31798 | * jit/JITStubsARMv7.h: | |
31799 | * jit/JITStubsX86.h: | |
31800 | * jit/JITStubsX86Common.h: | |
31801 | * jit/JITStubsX86_64.h: | |
31802 | ||
31803 | 2014-11-12 peavo@outlook.com <peavo@outlook.com> | |
31804 | ||
31805 | [WinCairo] Incorrect names for test executables in debug mode. | |
31806 | https://bugs.webkit.org/show_bug.cgi?id=138659 | |
31807 | ||
31808 | Reviewed by Alex Christensen. | |
31809 | ||
31810 | In debug mode, jsc.exe and testapi.exe are not created, causing JSC test failures. | |
31811 | ||
31812 | * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: | |
31813 | * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: | |
31814 | ||
31815 | 2014-11-11 Michael Saboff <msaboff@apple.com> | |
31816 | ||
31817 | Change DFG to use scope operand for op_resolve_scope | |
31818 | https://bugs.webkit.org/show_bug.cgi?id=138651 | |
31819 | ||
31820 | Reviewed by Geoffrey Garen. | |
31821 | ||
31822 | Changed to use the provided scope VirtualRegister. | |
31823 | ||
31824 | * dfg/DFGByteCodeParser.cpp: | |
31825 | (JSC::DFG::ByteCodeParser::getScope): Changed to use an argument scope register. | |
31826 | (JSC::DFG::ByteCodeParser::parseBlock): Created VirtualRegister from scope operand. | |
31827 | ||
31828 | 2014-11-11 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
31829 | ||
31830 | Remove IncrementalSweeper::create() | |
31831 | https://bugs.webkit.org/show_bug.cgi?id=138243 | |
31832 | ||
31833 | Reviewed by Filip Pizlo. | |
31834 | ||
31835 | As a step to use std::unique_ptr<> and std::make_unique<>, this patch removes | |
31836 | IncrementalSweeper::create(), then makes the constructor of IncrementalSweeper public. | |
31837 | Now we begin to use std::make_unique<> to create IncrementalSweeper instances. | |
31838 | ||
31839 | * heap/Heap.cpp: | |
31840 | (JSC::Heap::Heap): | |
31841 | (JSC::Heap::setIncrementalSweeper): | |
31842 | * heap/Heap.h: | |
31843 | * heap/IncrementalSweeper.cpp: | |
31844 | (JSC::IncrementalSweeper::create): Deleted. | |
31845 | * heap/IncrementalSweeper.h: | |
31846 | ||
31847 | 2014-11-11 Joseph Pecoraro <pecoraro@apple.com> | |
31848 | ||
31849 | Web Inspector: Handle activating extra agents properly after inspector has connected | |
31850 | https://bugs.webkit.org/show_bug.cgi?id=138639 | |
31851 | ||
31852 | Reviewed by Timothy Hatcher. | |
31853 | ||
31854 | Instead of having the protocol configuration directly add the extra agent | |
31855 | to the inspector registry, instead go through the augmentable controller. | |
31856 | The controller will initialize as required if we are already connected or not, | |
31857 | and will add to the registry. | |
31858 | ||
31859 | The functional change here is that the frontend can be notified to activate | |
31860 | extra agents multiple times as agents eventually become available. | |
31861 | ||
31862 | * inspector/JSGlobalObjectInspectorController.cpp: | |
31863 | (Inspector::JSGlobalObjectInspectorController::appendExtraAgent): | |
31864 | * inspector/JSGlobalObjectInspectorController.h: | |
31865 | * inspector/agents/InspectorAgent.cpp: | |
31866 | (Inspector::InspectorAgent::activateExtraDomain): | |
31867 | * inspector/agents/InspectorAgent.h: | |
31868 | * inspector/augmentable/AugmentableInspectorController.h: | |
31869 | * inspector/scripts/codegen/generator_templates.py: | |
31870 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
31871 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
31872 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
31873 | * inspector/scripts/tests/expected/enum-values.json-result: | |
31874 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
31875 | Rebased results. | |
31876 | ||
31877 | 2014-11-11 Michael Saboff <msaboff@apple.com> | |
31878 | ||
31879 | Use scope register when processing op_resolve_scope in LLInt and Baseline JIT | |
31880 | https://bugs.webkit.org/show_bug.cgi?id=138637 | |
31881 | ||
31882 | Reviewed by Mark Lam. | |
31883 | ||
31884 | Filled out op_resolve_scope processing to use the scope operand to access the current | |
31885 | scope chain. | |
31886 | ||
31887 | * jit/JIT.h: | |
31888 | * jit/JITInlines.h: | |
31889 | (JSC::JIT::callOperation): | |
31890 | * jit/JITOperations.cpp: | |
31891 | * jit/JITOperations.h: | |
31892 | Added scope virtual register parameter to emitResolveClosure(). Added new callOperation() to | |
31893 | support the additional argument. | |
31894 | ||
31895 | * jit/JITPropertyAccess.cpp: | |
31896 | (JSC::JIT::emitResolveClosure): | |
31897 | (JSC::JIT::emit_op_resolve_scope): | |
31898 | (JSC::JIT::emitSlow_op_resolve_scope): | |
31899 | * jit/JITPropertyAccess32_64.cpp: | |
31900 | (JSC::JIT::emitResolveClosure): | |
31901 | (JSC::JIT::emit_op_resolve_scope): | |
31902 | (JSC::JIT::emitSlow_op_resolve_scope): | |
31903 | * llint/LLIntSlowPaths.cpp: | |
31904 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
31905 | Added "scope" parameter to emitResolveClosure(). Passed scope register index to slow path. | |
31906 | Used scope virtual register instead of JSStack::ScopeChain. | |
31907 | ||
31908 | 2014-11-11 Joseph Pecoraro <pecoraro@apple.com> | |
31909 | ||
31910 | Web Inspector: Don't require a debugger be attached for inspector auto attach | |
31911 | https://bugs.webkit.org/show_bug.cgi?id=138638 | |
31912 | ||
31913 | Reviewed by Timothy Hatcher. | |
31914 | ||
31915 | * inspector/remote/RemoteInspector.mm: | |
31916 | (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): | |
31917 | ||
31918 | 2014-11-11 Akos Kiss <akiss@inf.u-szeged.hu> | |
31919 | ||
31920 | Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet | |
31921 | https://bugs.webkit.org/show_bug.cgi?id=138543 | |
31922 | ||
31923 | Reviewed by Geoffrey Garen. | |
31924 | ||
31925 | Exception fuzzing may raise exceptions in places where they would be | |
31926 | otherwise impossible. Therefore, a callFrame may lack activation even if | |
31927 | the codeBlock signals need of activation. Also, even if codeBlock | |
31928 | signals the use of arguments, the unmodifiedArgumentsRegister may not be | |
31929 | initialized yet (neither locally nor in lexicalEnvironment). | |
31930 | ||
31931 | If codeBlock()->needsActivation() is false, unmodifiedArgumentsRegister | |
31932 | is already checked for Undefined. This patch applies the same check when | |
31933 | the condition is true (and also checks whether | |
31934 | callFrame()->hasActivation()). | |
31935 | ||
31936 | * interpreter/CallFrame.h: | |
31937 | (JSC::ExecState::hasActivation): | |
31938 | Moved to interpreter/CallFrameInlines.h. | |
31939 | * interpreter/CallFrameInlines.h: | |
31940 | (JSC::CallFrame::hasActivation): | |
31941 | Fixed to verify that the JSValue returned by uncheckedActivation() is a | |
31942 | cell. | |
31943 | * interpreter/StackVisitor.cpp: | |
31944 | (JSC::StackVisitor::Frame::existingArguments): | |
31945 | ||
31946 | 2014-11-11 Andreas Kling <akling@apple.com> | |
31947 | ||
31948 | Another assertion fix for debug builds after r175846. | |
31949 | ||
31950 | generateByIdStub() can now be called with an empty prototype chain | |
31951 | if kind == GetUndefined, so tweak the assertion to cover that. | |
31952 | ||
31953 | * jit/Repatch.cpp: | |
31954 | (JSC::generateByIdStub): | |
31955 | ||
31956 | 2014-11-10 Andreas Kling <akling@apple.com> | |
31957 | ||
31958 | Assertion fix for debug builds after r175846. | |
31959 | ||
31960 | PropertySlot::slotBase() will assert if the slot is unset, so reorder | |
31961 | the tests to check for isCacheableValue() first. | |
31962 | ||
31963 | * jit/Repatch.cpp: | |
31964 | (JSC::tryCacheGetByID): | |
31965 | ||
31966 | 2014-11-10 Andreas Kling <akling@apple.com> | |
31967 | ||
31968 | The JIT should cache property lookup misses. | |
31969 | <https://webkit.org/b/135578> | |
31970 | ||
31971 | Add support for inline caching of missed property lookups. | |
31972 | Previously this would banish us to C++ slow path. | |
31973 | ||
31974 | It's implemented as a simple GetById cache that returns jsUndefined() | |
31975 | as long as the Structure chain check passes. There's no DFG exploitation | |
31976 | of this knowledge in this patch. | |
31977 | ||
31978 | Test: js/regress/undefined-property-access.js (~5.5x speedup) | |
31979 | ||
31980 | Reviewed by Filip Pizlo. | |
31981 | ||
31982 | * bytecode/PolymorphicGetByIdList.h: | |
31983 | * bytecode/GetByIdStatus.cpp: | |
31984 | (JSC::GetByIdStatus::computeForStubInfo): | |
31985 | ||
31986 | Add GetByIdAccess::SimpleMiss so we can communicate to the DFG that | |
31987 | the access has been cached. | |
31988 | ||
31989 | * jit/Repatch.cpp: | |
31990 | (JSC::toString): | |
31991 | (JSC::kindFor): | |
31992 | (JSC::generateByIdStub): | |
31993 | (JSC::tryCacheGetByID): | |
31994 | (JSC::tryBuildGetByIDList): | |
31995 | ||
31996 | Added a GetUndefined stub kind, just a simple "store jsUndefined()" snippet. | |
31997 | Use this to cache missed lookups, piggybacking mostly on the GetValue kind. | |
31998 | ||
31999 | * runtime/PropertySlot.h: | |
32000 | (JSC::PropertySlot::isUnset): | |
32001 | ||
32002 | Exposed the unset state so PropertySlot can communicate that lookup failed. | |
32003 | ||
32004 | 2014-11-10 Michael Saboff <msaboff@apple.com> | |
32005 | ||
32006 | Add scope operand to op_create_lexical_environment | |
32007 | https://bugs.webkit.org/show_bug.cgi?id=138588 | |
32008 | ||
32009 | Reviewed by Geoffrey Garen. | |
32010 | ||
32011 | Added a second operand to op_create_lexical_environment that contains the scope register | |
32012 | to update. Note that the DFG relies on operationCreateActivation() to update the | |
32013 | scope register since we can't issue a set() with a non-local, non-argument register. | |
32014 | This is temporary until the scope register is allocated as a local. | |
32015 | ||
32016 | * bytecode/BytecodeList.json: | |
32017 | * bytecode/CodeBlock.cpp: | |
32018 | (JSC::CodeBlock::dumpBytecode): | |
32019 | Added the scope register operand. | |
32020 | ||
32021 | * bytecompiler/BytecodeGenerator.cpp: | |
32022 | (JSC::BytecodeGenerator::BytecodeGenerator): | |
32023 | Filled in the scope register operand. | |
32024 | ||
32025 | * jit/JITOpcodes.cpp: | |
32026 | (JSC::JIT::emit_op_create_lexical_environment): | |
32027 | * jit/JITOpcodes32_64.cpp: | |
32028 | (JSC::JIT::emit_op_create_lexical_environment): | |
32029 | * llint/LLIntSlowPaths.cpp: | |
32030 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
32031 | * llint/LowLevelInterpreter32_64.asm: | |
32032 | * llint/LowLevelInterpreter64.asm: | |
32033 | Set the scope register with the result of the appropriate create activation slow call. | |
32034 | ||
32035 | 2014-11-09 Akos Kiss <akiss@inf.u-szeged.hu> | |
32036 | ||
32037 | Fix 'noreturn' function does return warning in LLVMOverrides.cpp | |
32038 | https://bugs.webkit.org/show_bug.cgi?id=138306 | |
32039 | ||
32040 | Reviewed by Filip Pizlo. | |
32041 | ||
32042 | Adding NO_RETURN where needed. | |
32043 | ||
32044 | * llvm/library/LLVMExports.cpp: | |
32045 | (initializeAndGetJSCLLVMAPI): | |
32046 | * llvm/library/LLVMOverrides.cpp: | |
32047 | * llvm/library/LLVMTrapCallback.h: | |
32048 | ||
32049 | 2014-11-07 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com> | |
32050 | ||
32051 | Fix an alignment issue with operationPushCatchScope on ARMv7 | |
32052 | https://bugs.webkit.org/show_bug.cgi?id=138510 | |
32053 | ||
32054 | Reviewed by Csaba Osztrogonác. | |
32055 | ||
32056 | * jit/CCallHelpers.h: | |
32057 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
32058 | * jit/JITInlines.h: | |
32059 | (JSC::JIT::callOperation): | |
32060 | ||
32061 | 2014-11-07 Michael Saboff <msaboff@apple.com> | |
32062 | ||
32063 | Update scope related slow path code to use scope register added to opcodes | |
32064 | https://bugs.webkit.org/show_bug.cgi?id=138254 | |
32065 | ||
32066 | Reviewed by Mark Lam. | |
32067 | ||
32068 | Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope. | |
32069 | Added scope register index parameter to the front of the relevant argument lists of the | |
32070 | slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough | |
32071 | registers to accommodate all the parameters. Therefore, added two new JSVALUE32_64 slow | |
32072 | paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate | |
32073 | the last "type" argument. | |
32074 | ||
32075 | ||
32076 | * assembler/MacroAssemblerCodeRef.h: | |
32077 | (JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments. | |
32078 | ||
32079 | * jit/CCallHelpers.h: | |
32080 | (JSC::CCallHelpers::setupArgumentsWithExecState): | |
32081 | * jit/JIT.h: | |
32082 | * jit/JITInlines.h: | |
32083 | (JSC::JIT::callOperation): | |
32084 | New variants of setupArgumentsWithExecState() and callOperation() to handle the new | |
32085 | combinations of argument types and counts. | |
32086 | ||
32087 | * jit/JITOpcodes.cpp: | |
32088 | (JSC::JIT::emit_op_push_with_scope): | |
32089 | (JSC::JIT::emit_op_pop_scope): | |
32090 | (JSC::JIT::emit_op_push_name_scope): | |
32091 | * jit/JITOpcodes32_64.cpp: | |
32092 | (JSC::JIT::emit_op_push_with_scope): | |
32093 | (JSC::JIT::emit_op_pop_scope): | |
32094 | (JSC::JIT::emit_op_push_name_scope): | |
32095 | Use the new slow paths. | |
32096 | ||
32097 | * jit/JITOperations.cpp: | |
32098 | * jit/JITOperations.h: | |
32099 | Updates to set the scope result using the scope register index. Added operationPushCatchScope() | |
32100 | and operationPushFunctionNameScope(). | |
32101 | ||
32102 | * llint/LLIntSlowPaths.cpp: | |
32103 | (JSC::LLInt::LLINT_SLOW_PATH_DECL): | |
32104 | Updated the scope slow paths to use the scope register index in the instruction to read and | |
32105 | write the register instead of using CallFrame::scope() and CallFrame::setScope(). | |
32106 | ||
32107 | 2014-11-07 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
32108 | ||
32109 | Apply std::unique_ptr to slowPathCall() | |
32110 | https://bugs.webkit.org/show_bug.cgi?id=138489 | |
32111 | ||
32112 | Reviewed by Mark Lam. | |
32113 | ||
32114 | As a step to use std::unique_ptr<>, this patch makes slowPathCall() use std::unique_ptr<>, | |
32115 | std::make_unique<>, and WTF::move(). | |
32116 | ||
32117 | * dfg/DFGSlowPathGenerator.h: | |
32118 | (JSC::DFG::slowPathCall): | |
32119 | (JSC::DFG::slowPathMove): | |
32120 | * dfg/DFGSpeculativeJIT.cpp: | |
32121 | (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): | |
32122 | (JSC::DFG::SpeculativeJIT::addSlowPathGenerator): | |
32123 | (JSC::DFG::SpeculativeJIT::arrayify): | |
32124 | (JSC::DFG::SpeculativeJIT::compileIn): | |
32125 | (JSC::DFG::SpeculativeJIT::compileGetByValOnString): | |
32126 | * dfg/DFGSpeculativeJIT.h: | |
32127 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
32128 | (JSC::DFG::SpeculativeJIT::cachedGetById): | |
32129 | (JSC::DFG::SpeculativeJIT::cachedPutById): | |
32130 | (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): | |
32131 | (JSC::DFG::SpeculativeJIT::compile): | |
32132 | * dfg/DFGSpeculativeJIT64.cpp: | |
32133 | (JSC::DFG::SpeculativeJIT::cachedGetById): | |
32134 | (JSC::DFG::SpeculativeJIT::cachedPutById): | |
32135 | (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): | |
32136 | (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): | |
32137 | (JSC::DFG::SpeculativeJIT::compile): | |
32138 | ||
32139 | 2014-11-06 Mark Lam <mark.lam@apple.com> | |
32140 | ||
32141 | slow_path_get_direct_pname() needs to be hardened against a constant baseValue. | |
32142 | <https://webkit.org/b/138476> | |
32143 | ||
32144 | Reviewed by Michael Saboff. | |
32145 | ||
32146 | slow_path_get_direct_pname() currently assumes that the baseValue is always a | |
32147 | non-constant virtual register. However, this is not always the case like in the | |
32148 | following: | |
32149 | ||
32150 | function foo() { | |
32151 | var o = { a:1 }; | |
32152 | for (var n in o) | |
32153 | 0[n]; | |
32154 | } | |
32155 | foo(); | |
32156 | ||
32157 | This patch fixes it to also check for constant virtual register indexes. | |
32158 | ||
32159 | * runtime/CommonSlowPaths.cpp: | |
32160 | (JSC::SLOW_PATH_DECL): | |
32161 | ||
32162 | 2014-11-06 Michael Saboff <msaboff@apple.com> | |
32163 | ||
32164 | REGRESSION (r174985-174986): Site display disappears | |
32165 | https://bugs.webkit.org/show_bug.cgi?id=138082 | |
32166 | ||
32167 | Reviewed by Geoffrey Garen. | |
32168 | ||
32169 | In support of the change in WebCore, this adds a new functor class to unwind to our | |
32170 | caller's frame, possibly skipping intermediate C++ frames. | |
32171 | ||
32172 | * interpreter/StackVisitor.h: | |
32173 | (JSC::CallerFunctor::CallerFunctor): | |
32174 | (JSC::CallerFunctor::callerFrame): | |
32175 | (JSC::CallerFunctor::operator()): | |
32176 | ||
32177 | 2014-11-06 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
32178 | ||
32179 | Use std::unique_ptr in CodeBlock class | |
32180 | https://bugs.webkit.org/show_bug.cgi?id=138395 | |
32181 | ||
32182 | Reviewed by Darin Adler. | |
32183 | ||
32184 | * bytecode/CodeBlock.h: Use std::unique_ptr. | |
32185 | (JSC::CodeBlock::setJITCodeMap): | |
32186 | * jit/CompactJITCodeMap.h: Use std::unique_ptr instead of OwnPtr|PassOwnPtr. | |
32187 | (JSC::CompactJITCodeMap::CompactJITCodeMap): | |
32188 | (JSC::CompactJITCodeMap::Encoder::finish): Use std::unique_ptr instead of PassOwnPtr. | |
32189 | ||
32190 | 2014-11-05 Mark Lam <mark.lam@apple.com> | |
32191 | ||
32192 | PutById inline caches should have a store barrier when it triggers a structure transition. | |
32193 | <https://webkit.org/b/138441> | |
32194 | ||
32195 | Reviewed by Geoffrey Garen. | |
32196 | ||
32197 | After r174025, we no longer insert DFG store barriers when the payload of a | |
32198 | PutById operation is not a cell. However, this can lead to a crash when we have | |
32199 | PutById inline cache code transitioning the structure and re-allocating the | |
32200 | butterfly of an old gen object. The lack of a store barrier in that inline | |
32201 | cache results in the old gen object not being noticed during an eden GC scan. | |
32202 | As a result, its newly allocated butterfly will not be kept alive, which leads | |
32203 | to a stale butterfly pointer and, eventually, a crash. | |
32204 | ||
32205 | It is also possible that the new structure can be collected by the eden GC if | |
32206 | (at GC time): | |
32207 | 1. It is in the eden gen. | |
32208 | 2. The inline cache that installed it has been evicted. | |
32209 | 3. There are no live eden gen objects referring to it. | |
32210 | ||
32211 | The chances of this should be more rare than the butterfly re-allocation, but | |
32212 | it is still possible. Hence, the fix is to always add a store barrier if the | |
32213 | inline cache performs a structure transition. | |
32214 | ||
32215 | * jit/Repatch.cpp: | |
32216 | (JSC::emitPutTransitionStub): | |
32217 | - Added store barrier code based on SpeculativeJIT::storeToWriteBarrierBuffer()'s | |
32218 | implementation. | |
32219 | ||
32220 | 2014-11-05 Gyuyoung Kim <gyuyoung.kim@samsung.com> | |
32221 | ||
32222 | Use std::unique_ptr in JSClassRef and JSCallbackObject | |
32223 | https://bugs.webkit.org/show_bug.cgi?id=138402 | |
32224 | ||
32225 | Reviewed by Geoffrey Garen. | |
32226 | ||
32227 | * API/JSCallbackObject.h: Use std::unique_ptr instead of OwnPtr|PassOwnPtr. | |
32228 | (JSC::JSCallbackObjectData::setPrivateProperty): ditto. | |
32229 | * API/JSClassRef.cpp: ditto. | |
32230 | * API/JSClassRef.h: ditto. | |
32231 | ||
32232 | 2014-11-05 Michael Saboff <msaboff@apple.com> | |
32233 | ||
32234 | Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 | |
32235 | https://bugs.webkit.org/show_bug.cgi?id=138381 | |
32236 | ||
32237 | Reviewed by Mark Lam. | |
32238 | ||
32239 | Disabled these tests for ARM64. Will address the failures and then re-enable. | |
32240 | ||
32241 | * tests/stress/float32-repeat-out-of-bounds.js: | |
32242 | * tests/stress/int8-repeat-out-of-bounds.js: | |
32243 | ||
32244 | 2014-11-05 Alexey Proskuryakov <ap@apple.com> | |
32245 | ||
32246 | Incorrect sandbox_check in RemoteInspector.mm | |
32247 | https://bugs.webkit.org/show_bug.cgi?id=138408 | |
32248 | ||
32249 | Reviewed by Joseph Pecoraro. | |
32250 | ||
32251 | * inspector/remote/RemoteInspector.mm: | |
32252 | (Inspector::canAccessWebInspectorMachPort): | |
32253 | ||
32254 | 2014-11-03 Dean Jackson <dino@apple.com> | |
32255 | ||
32256 | Add ENABLE_FILTERS_LEVEL_2 feature guard. | |
32257 | https://bugs.webkit.org/show_bug.cgi?id=138362 | |
32258 | ||
32259 | Reviewed by Tim Horton. | |
32260 | ||
32261 | Add a new feature define for Level 2 of CSS Filters. | |
32262 | http://dev.w3.org/fxtf/filters-2/ | |
32263 | ||
32264 | * Configurations/FeatureDefines.xcconfig: | |
32265 | ||
32266 | 2014-11-04 Mark Lam <mark.lam@apple.com> | |
32267 | ||
32268 | Rename checkMarkByte() to jumpIfIsRememberedOrInEden(). | |
32269 | <https://webkit.org/b/138369> | |
32270 | ||
32271 | Reviewed by Geoffrey Garen. | |
32272 | ||
32273 | Write barriers are needed for GC Eden collections so that we can scan pointers | |
32274 | pointing from old generation objects to eden generation objects. The barrier | |
32275 | currently checks the mark byte in a cell to see if we should skip adding the | |
32276 | cell to the GC remembered set. The addition should be skipped if: | |
32277 | ||
32278 | 1. The cell is in the young generation. It has no old to eden pointers by | |
32279 | definition. | |
32280 | 2. The cell is already in the remembered set. While it is ok to add the cell | |
32281 | to the GC remembered set more than once, it would be redundant. Hence, | |
32282 | we skip this as an optimization to avoid doing unnecessary work. | |
32283 | ||
32284 | The barrier currently names this check as checkMarkByte(). We should rename it | |
32285 | to jumpIfIsRememberedOrInEden() to be clearer about its intent. | |
32286 | ||
32287 | Similarly, Jump results of this check are currently named | |
32288 | ownerNotMarkedOrAlreadyRemembered. This can be misinterpreted as the owner is | |
32289 | not marked or not already remembered. We should rename it to | |
32290 | ownerIsRememberedOrInEden which is clearer about the intent of the | |
32291 | check. What we are really checking for is that the cell is in the eden gen, | |
32292 | which is implied by it being "not marked". | |
32293 | ||
32294 | * dfg/DFGOSRExitCompilerCommon.cpp: | |
32295 | (JSC::DFG::osrWriteBarrier): | |
32296 | * dfg/DFGSpeculativeJIT.cpp: | |
32297 | (JSC::DFG::SpeculativeJIT::writeBarrier): | |
32298 | * dfg/DFGSpeculativeJIT32_64.cpp: | |
32299 | (JSC::DFG::SpeculativeJIT::writeBarrier): | |
32300 | * dfg/DFGSpeculativeJIT64.cpp: | |
32301 | (JSC::DFG::SpeculativeJIT::writeBarrier): | |
32302 | * jit/AssemblyHelpers.h: | |
32303 | (JSC::AssemblyHelpers::jumpIfIsRememberedOrInEden): | |
32304 | (JSC::AssemblyHelpers::checkMarkByte): Deleted. | |
32305 | * jit/JITPropertyAccess.cpp: | |
32306 | (JSC::JIT::emitWriteBarrier): | |
32307 | * llint/LowLevelInterpreter.asm: | |
32308 | * llint/LowLevelInterpreter32_64.asm: | |
32309 | * llint/LowLevelInterpreter64.asm: | |
32310 | * runtime/JSCell.h: | |
32311 | ||
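Two entries above concern the same invariant of the generational collector: the store barrier entry (PutById inline caches, b/138441) shows what goes wrong when an old object's butterfly is re-allocated in eden with no barrier, and the rename entry (jumpIfIsRememberedOrInEden, b/138369) spells out the two cases in which the barrier may be skipped. The following C++ is an added toy model written for this page to make both points checkable; it is not JavaScriptCore's Heap or Repatch code, and every name in it (ToyHeap, Butterfly, storeBarrier, collectEden) is invented. Liveness of eden allocations is decided only from the remembered set and the young roots, exactly the assumption that makes the missing barrier a dangling-pointer bug.

```cpp
#include <memory>
#include <set>
#include <vector>

// Toy generational heap modelling the hazard in the entries above.
// Written for this page; not JavaScriptCore code.

struct Butterfly {
    bool inEden = true;      // allocated since the last collection
    bool reclaimed = false;  // set when an eden collection frees it
};

struct Object {
    bool isOld = false;      // survived at least one collection (mark byte set)
    Butterfly* butterfly = nullptr;
};

class ToyHeap {
public:
    Butterfly* allocate(bool inEden) {
        all_.push_back(std::make_unique<Butterfly>());
        all_.back()->inEden = inEden;
        return all_.back().get();
    }

    // Store barrier as emitted by the JIT. Returns true when the slow path
    // (adding the owner to the remembered set) runs; the two cases that
    // jumpIfIsRememberedOrInEden skips return false.
    bool storeBarrier(Object* owner) {
        if (!owner->isOld) return false;             // owner is in eden: scanned anyway
        if (remembered_.count(owner)) return false;  // already remembered: redundant
        remembered_.insert(owner);
        return true;
    }

    // Eden collection: roots are the remembered old objects plus the young
    // objects still reachable. Eden butterflies nobody reaches are reclaimed.
    void collectEden(const std::vector<Object*>& youngRoots) {
        std::set<Butterfly*> marked;
        for (Object* o : remembered_) if (o->butterfly) marked.insert(o->butterfly);
        for (Object* o : youngRoots)  if (o->butterfly) marked.insert(o->butterfly);
        for (auto& b : all_) {
            if (!b->inEden) continue;                     // old storage is not a candidate
            if (marked.count(b.get())) b->inEden = false; // promoted
            else b->reclaimed = true;                     // freed while possibly still referenced
        }
        remembered_.clear();
    }

private:
    std::vector<std::unique_ptr<Butterfly>> all_;
    std::set<Object*> remembered_;
};

// One inline-cached put on an old object that transitions its structure and
// re-allocates the butterfly in eden. Returns true if the new butterfly is
// still valid after the next eden collection.
bool butterflySurvivesEdenGC(bool emitStoreBarrier) {
    ToyHeap heap;
    Object obj;
    obj.isOld = true;
    obj.butterfly = heap.allocate(/*inEden=*/false);
    // Transition stub: copy the butterfly into a fresh eden allocation.
    obj.butterfly = heap.allocate(/*inEden=*/true);
    if (emitStoreBarrier) heap.storeBarrier(&obj);
    heap.collectEden({});    // obj is old, so it is not among the young roots
    return !obj.butterfly->reclaimed;
}

// The barrier's fast-path cases: a young owner and an already remembered
// owner both skip the slow path; an old, not yet remembered owner takes it.
bool barrierSlowPathTaken(bool ownerIsOld, bool alreadyRemembered) {
    ToyHeap heap;
    Object obj;
    obj.isOld = ownerIsOld;
    obj.butterfly = heap.allocate(/*inEden=*/true);
    if (alreadyRemembered) heap.storeBarrier(&obj);
    return heap.storeBarrier(&obj);
}
```

The model deliberately reclaims without freeing memory, so the stale pointer can be inspected instead of dereferenced; in the real heap the same sequence leaves the old object pointing at freed butterfly storage, which is what the crash in the entry describes.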
32312 | 2014-11-04 Joseph Pecoraro <pecoraro@apple.com> | |
32313 | ||
32314 | Web Inspector: Pause on exceptions should show the actual exception | |
32315 | https://bugs.webkit.org/show_bug.cgi?id=63096 | |
32316 | ||
32317 | Reviewed by Timothy Hatcher. | |
32318 | ||
32319 | * debugger/Debugger.h: | |
32320 | Expose accessor for the pause reason to subclasses. | |
32321 | ||
32322 | * inspector/JSInjectedScriptHost.cpp: | |
32323 | (Inspector::JSInjectedScriptHost::type): | |
32324 | New "error" subtype for error objects. | |
32325 | ||
32326 | * inspector/InjectedScriptSource.js: | |
32327 | When an object is an error object, use toString to provide a richer description. | |
32328 | ||
32329 | * inspector/protocol/Runtime.json: | |
32330 | Expose a new "error" subtype for Error types (TypeError, ReferenceError, EvalError, etc). | |
32331 | ||
32332 | * inspector/protocol/Debugger.json: | |
32333 | Provide type checked objects for different Debugger.pause pause reasons. | |
32334 | An exception provides the thrown object, but assert / CSP pauses provide | |
32335 | a richer typed object as the auxiliary data. | |
32336 | ||
32337 | * inspector/ScriptDebugServer.cpp: | |
32338 | (Inspector::ScriptDebugServer::dispatchDidPause): | |
32339 | When paused because of an exception, pass the exception on. | |
32340 | ||
32341 | * inspector/agents/InspectorDebuggerAgent.h: | |
32342 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
32343 | (Inspector::InspectorDebuggerAgent::handleConsoleAssert): | |
32344 | (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP): | |
32345 | Provide richer data in pause events. | |
32346 | ||
32347 | * inspector/scripts/codegen/generate_backend_commands.py: | |
32348 | (BackendCommandsGenerator.generate_domain.is_anonymous_enum_param): | |
32349 | (BackendCommandsGenerator.generate_domain): | |
32350 | * inspector/scripts/tests/expected/enum-values.json-result: | |
32351 | Generate frontend enums for anonymous enum event parameters. | |
32352 | ||
32353 | 2014-11-04 Michael Saboff <msaboff@apple.com> | |
32354 | ||
32355 | Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64 | |
32356 | https://bugs.webkit.org/show_bug.cgi?id=138381 | |
32357 | ||
32358 | Reviewed by Mark Lam. | |
32359 | ||
32360 | Disabled these tests for ARM64. Will address the failures and then re-enable. | |
32361 | ||
32362 | * tests/stress/float32-repeat-out-of-bounds.js: | |
32363 | * tests/stress/int8-repeat-out-of-bounds.js: | |
32364 | ||
32365 | 2014-11-04 Joseph Pecoraro <pecoraro@apple.com> | |
32366 | ||
32367 | Web Inspector: Enum value collisions between different generators | |
32368 | https://bugs.webkit.org/show_bug.cgi?id=138343 | |
32369 | ||
32370 | Reviewed by Brian Burg. | |
32371 | ||
32372 | Each generator was using its own filtered list of domains_to_generate | |
32373 | to build the shared unique list of enum value encodings. This list | |
32374 | was slightly different across different generators. Instead always | |
32375 | use the list of all non-supplemental domains to generate the shared | |
32376 | list of enum values. | |
32377 | ||
32378 | * inspector/scripts/codegen/generator.py: | |
32379 | (Generator.non_supplemental_domains): | |
32380 | (Generator.domains_to_generate): | |
32381 | (Generator._traverse_and_assign_enum_values): | |
32382 | * inspector/scripts/tests/enum-values.json: Added. | |
32383 | * inspector/scripts/tests/expected/enum-values.json-result: Added. | |
32384 | ||
2014-11-03  Akos Kiss  <akiss@inf.u-szeged.hu>

        Workaround for Cortex-A53 erratum 835769
        https://bugs.webkit.org/show_bug.cgi?id=138315

        Reviewed by Filip Pizlo.

        This patch introduces CMake variable and preprocessor macro
        WTF_CPU_ARM64_CORTEXA53 with the aim of enabling Cortex-A53-specific
        code paths, if set true. The patch also implements one case where such
        code paths are needed: the workaround for Cortex-A53 erratum 835769. If
        WTF_CPU_ARM64_CORTEXA53 is set then:
        - CMake checks whether the compiler already has support for a workaround
          and adds -mfix-cortex-a53-835769 to the compiler flags if so,
        - the ARM64 backend of offlineasm inserts a nop between memory and
          multiply-accumulate instructions, and
        - the ARM64 assembler also inserts a nop between memory and (64-bit)
          multiply-accumulate instructions.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::madd):
        Call nopCortexA53Fix835769() to insert a nop if CPU(ARM64_CORTEXA53) and
        if necessary.
        (JSC::ARM64Assembler::msub): Likewise.
        (JSC::ARM64Assembler::smaddl): Likewise.
        (JSC::ARM64Assembler::smsubl): Likewise.
        (JSC::ARM64Assembler::umaddl): Likewise.
        (JSC::ARM64Assembler::umsubl): Likewise.
        (JSC::ARM64Assembler::nopCortexA53Fix835769):
        Added. Insert a nop if the previously emitted instruction was a load, a
        store, or a prefetch, and if the current instruction is 64-bit.
        * offlineasm/arm64.rb:
        Add the arm64CortexA53Fix835769 phase and call it from
        getModifiedListARM64 to insert nopCortexA53Fix835769 between appropriate
        macro instructions. Also, lower nopCortexA53Fix835769 to nop if
        CPU(ARM64_CORTEXA53), to nothing otherwise.
        * offlineasm/instructions.rb:
        Define macro instruction nopFixCortexA53Err835769.

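The assembler half of the workaround, as an added Python model (not WebKit's C++ ARM64Assembler nor the offlineasm Ruby): a small emitter keeps the last instruction word it produced, classifies it as a load, store or prefetch from the A64 top-level encoding (bits [28:25] = x1x0), and pads with a NOP only when a 64-bit multiply-accumulate is about to follow such an instruction. The instruction encodings are the architectural A64 ones; the emitter class, its method names, the register numbers and the sample sequences are assumptions made for the example.

```python
# Added example: model of the Cortex-A53 erratum 835769 workaround as a JIT
# assembler would apply it. The emitter tracks the previously emitted A64
# instruction word and inserts a NOP before a 64-bit multiply-accumulate that
# would otherwise directly follow a load, store or prefetch. The emitter and
# its API are assumptions for this example; the encodings are real A64 ones.

NOP = 0xD503201F

def is_load_store_or_prefetch(insn):
    """A64 top-level encoding: loads, stores and PRFM all have bits[28:25]
    equal to x1x0, i.e. bit 27 set and bit 25 clear."""
    return (insn & 0x0A000000) == 0x08000000

# 64-bit multiply-accumulate opcodes (sf = 1); bit 15 (o0) selects subtract.
MADD, MSUB = 0x9B000000, 0x9B008000
SMADDL, SMSUBL = 0x9B200000, 0x9B208000
UMADDL, UMSUBL = 0x9BA00000, 0x9BA08000

class Emitter:
    def __init__(self, fix_835769=True):
        self.fix_835769 = fix_835769   # stands in for CPU(ARM64_CORTEXA53)
        self.words = []

    def _emit(self, word):
        self.words.append(word & 0xFFFFFFFF)

    # Memory instructions, 64-bit unsigned scaled-offset forms.
    def ldr(self, rt, rn, imm12=0):
        self._emit(0xF9400000 | (imm12 << 10) | (rn << 5) | rt)

    def str_(self, rt, rn, imm12=0):
        self._emit(0xF9000000 | (imm12 << 10) | (rn << 5) | rt)

    def prfm(self, prfop, rn, imm12=0):
        self._emit(0xF9800000 | (imm12 << 10) | (rn << 5) | prfop)

    def nop_cortex_a53_fix_835769(self, is_64bit):
        """Insert a NOP if the previous instruction was a load/store/prefetch
        and the instruction about to be emitted is a 64-bit multiply-accumulate.
        32-bit (W-register) forms are not affected by the erratum."""
        if not self.fix_835769 or not is_64bit or not self.words:
            return
        if is_load_store_or_prefetch(self.words[-1]):
            self._emit(NOP)

    def _mul_acc(self, opcode, rd, rn, rm, ra, is_64bit):
        self.nop_cortex_a53_fix_835769(is_64bit)
        if not is_64bit:
            opcode &= ~(1 << 31)   # clear sf for the 32-bit form
        self._emit(opcode | (rm << 16) | (ra << 10) | (rn << 5) | rd)

    def madd(self, rd, rn, rm, ra, is_64bit=True):
        self._mul_acc(MADD, rd, rn, rm, ra, is_64bit)

    def msub(self, rd, rn, rm, ra, is_64bit=True):
        self._mul_acc(MSUB, rd, rn, rm, ra, is_64bit)

    def smaddl(self, rd, rn, rm, ra):    # widening forms are always 64-bit
        self._mul_acc(SMADDL, rd, rn, rm, ra, True)

    def umsubl(self, rd, rn, rm, ra):
        self._mul_acc(UMSUBL, rd, rn, rm, ra, True)

def load_then_madd(fix=True, is_64bit=True):
    """ldr x1, [x2]; madd x0, x1, x3, x4: the erratum-triggering pair."""
    e = Emitter(fix_835769=fix)
    e.ldr(1, 2)
    e.madd(0, 1, 3, 4, is_64bit=is_64bit)
    return e.words

def madd_then_msub():
    """Two multiply-accumulates back to back need no padding."""
    e = Emitter()
    e.madd(0, 1, 3, 4)
    e.msub(5, 0, 3, 4)
    return e.words

def prefetch_then_umsubl():
    """PRFM is a load/store-class encoding, so it must be padded as well."""
    e = Emitter()
    e.prfm(0, 2)
    e.umsubl(0, 1, 3, 4)
    return e.words

if __name__ == "__main__":
    for word in load_then_madd():
        print(f"{word:08x}")
```

The check is deliberately done on the last emitted word rather than on the high-level operation, which is why a NOP that was itself inserted (0xD503201F decodes as branch/system, not load/store) never causes a second NOP, and why a 32-bit madd after a load is left alone.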
2014-11-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r175509.
        https://bugs.webkit.org/show_bug.cgi?id=138349

        broke some builds (Requested by msaboff on #webkit).

        Reverted changeset:

        "Update scope related slow path code to use scope register
        added to opcodes"
        https://bugs.webkit.org/show_bug.cgi?id=138254
        http://trac.webkit.org/changeset/175509

2014-11-03  Michael Saboff  <msaboff@apple.com>

        Update scope related slow path code to use scope register added to opcodes
        https://bugs.webkit.org/show_bug.cgi?id=138254

        Reviewed by Mark Lam.

        Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope.
        Added scope register index parameter to the front of the relevant argument lists of the
        slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough
        registers to accommodate all the parameters. Therefore, added two new JSVALUE32_64 slow
        paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate
        the last "type" argument.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        New variants of setupArgumentsWithExecState() and callOperation() to handle the new
        combinations of argument types and counts.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_pop_scope):
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_pop_scope):
        (JSC::JIT::emit_op_push_name_scope):
        Use the new slow paths.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        Updates to set the scope result using the scope register index. Added operationPushCatchScope()
        and operationPushFunctionNameScope().

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        Updated the scope slow paths to use the scope register index in the instruction to read and
        write the register instead of using CallFrame::scope() and CallFrame::setScope().

2014-11-03  Michael Saboff  <msaboff@apple.com>

        Add "get scope" byte code
        https://bugs.webkit.org/show_bug.cgi?id=138326

        Reviewed by Mark Lam.

        Added op_get_scope. Added implementations for the LLInt and baseline JIT.
        Provided nop implementation for DFG and FTL. The new byte code is emitted
        after op_enter for any function, program or eval. It is expected that the
        DFG will be implemented such that unneeded op_get_scope would be eliminated
        during DFG compilation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        Added new op_get_scope bytecode.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetScope):
        * bytecompiler/BytecodeGenerator.h:
        Emit new op_get_scope bytecode.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        Added framework for new op_get_scope bytecode.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_scope):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Implementation of op_get_scope bytecode.

2014-11-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Fix RWIProtocol 64-to-32 bit conversion warnings
        https://bugs.webkit.org/show_bug.cgi?id=138325

        Reviewed by Timothy Hatcher.

        * inspector/InspectorValues.h:
        Vector's length really is an unsigned, so a static_cast here is fine.

        * inspector/scripts/codegen/generate_objective_c.py:
        (ObjCGenerator.objc_type_for_raw_name):
        Use int instead of NSInteger for APIs that eventually map to
        InspectorObject's setInteger, which takes an int.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        Rebaselined results with the type change.

2014-11-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Show Selector's Specificity
        https://bugs.webkit.org/show_bug.cgi?id=138189

        Reviewed by Timothy Hatcher.

        * inspector/protocol/CSS.json:
        Create a new named type CSSSelector to include a selector's text and specificity.
        The specificity tuple is optional as it may soon be made dynamic in some cases.

2014-11-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ObjC Protocol Interfaces should throw exceptions for nil arguments
        https://bugs.webkit.org/show_bug.cgi?id=138221

        Reviewed by Timothy Hatcher.

        The RWIProtocol APIs will now raise exceptions when:

        - any properties are set on a type with a nil value or key (handled by RWIProtocolJSONObject)
        - required parameters in type constructors have nil value
        - required or optional command return parameters have nil values
        - required or optional event parameters have nil values

        The exceptions include the name of the field when possible.

        * inspector/scripts/codegen/generate_objective_c.py:
        (ObjCGenerator.is_type_objc_pointer_type):
        Provide a quick check to see if type would be a pointer or not
        in the ObjC API. Enums for example are not pointers in the API
        because we manage converting them to/from strings.

        * inspector/scripts/codegen/generate_objective_c_backend_dispatcher_implementation.py:
        (ObjectiveCConfigurationImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objective_c_frontend_dispatcher_implementation.py:
        (ObjectiveCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/codegen/generate_objective_c_types_implementation.py:
        (ObjectiveCTypesImplementationGenerator._generate_init_method_for_required_members):
        (ObjectiveCTypesImplementationGenerator._generate_setter_for_member):
        Throw exceptions when nil values are disallowed.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        Rebaseline tests which include the exception raise calls.

2014-11-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ALTERNATE_DISPATCHERS Let the frontend know about extra agents
        https://bugs.webkit.org/show_bug.cgi?id=138236

        Reviewed by Brian Burg.

        Inform the frontend about any extra domains the backend may have
        above and beyond the default list of domains for the debuggable type.
        This approach means there is almost no cost to normal debugging.
        When a JSContext is debugged with extra agents, a message is sent
        to the frontend letting it know which domains to then activate,
        and perform any initialization work that may be required.

        * inspector/InspectorAgentBase.h:
        (Inspector::InspectorAgentBase::domainName):
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::appendExtraAgent):
        * inspector/InspectorAgentRegistry.h:
        * inspector/scripts/codegen/generator_templates.py:
        Provide a way to get a list of just the extra domains.
        To aggregate this list provide a different "append"
        specifically for extra agents.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When a frontend connects, inform it of the extra domains.

        * inspector/protocol/Inspector.json:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::activateExtraDomains):
        Send an event with the extra domains to activate.

2014-11-01  Michael Saboff  <msaboff@apple.com>

        Add scope operand to op_resolve_scope
        https://bugs.webkit.org/show_bug.cgi?id=138253

        Reviewed by Mark Lam.

        Added scope operand to op_resolve_scope. Although the scope register is filled in with
        the ScopeChain register, this operand is not used in the processing of the bytecode.
        That will be addressed in a future patch.

        * bytecode/BytecodeList.json: Lengthened the three bytecodes.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand.

        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        Updated the operand indices for the processing of op_resolve_scope.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetOwnScope):
        (JSC::BytecodeGenerator::emitReturn):
        Added scope register to these emit functions and the bytecodes they emit.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emitSlow_op_resolve_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emitSlow_op_resolve_scope):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Updated the operand indices for the processing of op_resolve_scope.

2014-11-01  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(CMake): Make it possible to build without introspection
        https://bugs.webkit.org/show_bug.cgi?id=138006

        Reviewed by Philippe Normand.

        Do not install introspection files when introspection is disabled.

        * PlatformGTK.cmake:

2014-10-31  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Use std::unique_ptr for TypeCountSet
        https://bugs.webkit.org/show_bug.cgi?id=138242

        Reviewed by Andreas Kling.

        * heap/Heap.cpp:
        (JSC::Heap::protectedObjectTypeCounts):
        Use std::unique_ptr<> instead of PassOwnPtr|OwnPtr.
        (JSC::Heap::objectTypeCounts): ditto.
        * heap/Heap.h:

2014-10-31  Michael Saboff  <msaboff@apple.com>

        Add scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope
        https://bugs.webkit.org/show_bug.cgi?id=138252

        Reviewed by Geoffrey Garen.

        Added scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope.
        Although the scope register is filled in with the ScopeChain register for all
        three bytecodes, this operand is not used in the processing of the bytecodes.
        That will be addressed in a future patch.

        * bytecode/BytecodeList.json: Lengthened the three bytecodes.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPopScope):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitPopScopes):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::scopeRegister):
        Added scope register to these emit functions and the bytecodes they emit.
        New m_scopeRegister and accessor.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        Created a RegisterID for the ScopeChain register and used it to emit the updated
        bytecodes.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_push_name_scope):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        Updated the operand indices for the processing of the updated bytecodes.

2014-10-31  Andreas Kling  <akling@apple.com>

        Make writes to RegExpObject.lastIndex cacheable.
        <https://webkit.org/b/138255>

        Reviewed by Geoffrey Garen.

        We were neglecting to IC the puts to RegExpObject.lastIndex on Octane/regexp,
        and ended up spending 4.5% of a time profile in operationPutByIdNonStrict.

        ~3% progression on Octane/regexp.

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSetLastIndexStrict):
        (JSC::regExpObjectSetLastIndexNonStrict):
        (JSC::RegExpObject::put):

2014-10-31  Chris Dumez  <cdumez@apple.com>

        Fix a couple of warnings in JSC reported by clang static analyzer
        https://bugs.webkit.org/show_bug.cgi?id=138240

        Reviewed by Geoffrey Garen.

        Fix a couple of warnings in JSC reported by clang static analyzer about
        value stored in variables never being read. This is addressed by
        reducing the scope of the variable or removing the variable entirely.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2014-10-30  Dana Burkart  <dburkart@apple.com>

        <rdar://problem/18821260> Prepare for the mysterious future

        Reviewed by Lucas Forschler.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2014-10-30  Saam Barati  <saambarati1@gmail.com>

        AST Nodes should keep track of their end offset
        https://bugs.webkit.org/show_bug.cgi?id=138143

        Reviewed by Filip Pizlo.

        AST nodes now have an int property for their end text
        offsets. This change lays some foundational work that will be
        needed in profiling which basic blocks have executed.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::setEndOffset):
        * parser/Nodes.h:
        (JSC::Node::endOffset):
        (JSC::Node::setEndOffset):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseExpression):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-10-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Generate ObjC inspector protocol types and alternate dispatcher interfaces
        https://bugs.webkit.org/show_bug.cgi?id=138048

        Reviewed by Brian Burg.

        Generate Objective-C interfaces for inspector protocol types, command, and event dispatchers.
        This is very much like the InspectorProtocolTypes, BackendDispatchers, and FrontendDispatchers,
        but with an ObjC spin on things.

        The private API that clients would use is all encapsulated in RWIProtocol.h. It includes the
        types interfaces, command handler protocol, and event dispatcher interface. Where possible the
        API uses real enums, which hides the raw protocol enum strings from clients.

        Inspector protocol types are, like InspectorProtocolObjects, built on top of an InspectorObject.
        This offers the flexibility of adding arbitrary key/values using the RWIProtocolJSONObject
        interface, which may be required for certain protocol objects like "Network.Headers" which
        have no fields, but expect arbitrary properties to be added.

        Command handler protocols always have two callbacks. An error callback and a success callback.
        The signature is very much like BackendDispatchers. In parameters are passed directly to
        the selectors, and out parameters are defined by the success callback. It will be the client's
        responsibility to call either of these callbacks to complete handling of a request.

        Event dispatcher interfaces are straightforward, just packaging up the arguments and sending
        the message to the frontend.

        ObjC <-> Protocol conversion happens in each of the generated files. In type getters / setters,
        in commands parameters and event parameters. For this to work we generate conversion helpers
        for all enums, ObjC enum <-> protocol strings. For NSArray <-> InspectorArray there are some
        static helpers to do the conversions. We do lose some type safety in these conversions.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py:
        (AlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector):
        (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
        (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
        (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        * inspector/scripts/codegen/generate_objective_c.py: Added.
        (join_type_and_name):
        (strip_comment_markers):
        (remove_duplicate_from_str):
        (ObjCTypeCategory):
        (ObjCTypeCategory.category_of_type):
        (ObjCGenerator):
        (ObjCGenerator.identifier_to_objc_identifier):
        (ObjCGenerator.objc_identifier_to_identifier):
        (ObjCGenerator.should_generate_domain_types_filter):
        (ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types):
        (ObjCGenerator.should_generate_domain_command_handler_filter):
        (ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler):
        (ObjCGenerator.should_generate_domain_event_dispatcher_filter):
        (ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher):
        (ObjCGenerator.objc_name_for_type):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
        (ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
        (ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
        (ObjCGenerator.variable_name_prefix_for_domain):
        (ObjCGenerator.objc_accessor_type_for_raw_name):
        (ObjCGenerator.objc_type_for_raw_name):
        (ObjCGenerator.objc_class_for_raw_name):
        (ObjCGenerator.protocol_type_for_raw_name):
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_class_for_type):
        (ObjCGenerator.objc_accessor_type_for_member):
        (ObjCGenerator.objc_accessor_type_for_member_internal):
        (ObjCGenerator.objc_type_for_member):
        (ObjCGenerator.objc_type_for_member_internal):
        (ObjCGenerator.objc_type_for_param):
        (ObjCGenerator.objc_type_for_param_internal):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_member):
        (ObjCGenerator.objc_protocol_import_expression_for_parameter):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.objc_setter_method_for_member):
        (ObjCGenerator.objc_setter_method_for_member_internal):
        (ObjCGenerator.objc_getter_method_for_member):
        (ObjCGenerator.objc_getter_method_for_member_internal):
        * inspector/scripts/codegen/generate_objective_c_backend_dispatcher_header.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
        (ObjectiveCBackendDispatcherHeaderGenerator):
        (ObjectiveCBackendDispatcherHeaderGenerator.output_filename):
        (ObjectiveCBackendDispatcherHeaderGenerator.domains_to_generate):
        (ObjectiveCBackendDispatcherHeaderGenerator.generate_output):
        (ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
        (ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains):
        (ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
        (ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_objective_c_backend_dispatcher_implementation.py: Added.
        (ObjectiveCConfigurationImplementationGenerator):
        (ObjectiveCConfigurationImplementationGenerator.__init__):
        (ObjectiveCConfigurationImplementationGenerator.output_filename):
        (ObjectiveCConfigurationImplementationGenerator.domains_to_generate):
        (ObjectiveCConfigurationImplementationGenerator.generate_output):
        (ObjectiveCConfigurationImplementationGenerator._generate_handler_implementation_for_domain):
        (ObjectiveCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
        (ObjectiveCConfigurationImplementationGenerator._generate_success_block_for_command):
        (ObjectiveCConfigurationImplementationGenerator._generate_conversions_for_command):
        (ObjectiveCConfigurationImplementationGenerator._generate_invocation_for_command):
        * inspector/scripts/codegen/generate_objective_c_configuration_header.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
        (ObjectiveCConfigurationHeaderGenerator):
        (ObjectiveCConfigurationHeaderGenerator.output_filename):
        (ObjectiveCConfigurationHeaderGenerator.generate_output):
        (ObjectiveCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        (ObjectiveCConfigurationHeaderGenerator._generate_properties_for_domain):
        * inspector/scripts/codegen/generate_objective_c_configuration_implementation.py: Added.
        (ObjectiveCBackendDispatcherImplementationGenerator):
        (ObjectiveCBackendDispatcherImplementationGenerator.__init__):
        (ObjectiveCBackendDispatcherImplementationGenerator.output_filename):
        (ObjectiveCBackendDispatcherImplementationGenerator.generate_output):
        (ObjectiveCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
        (ObjectiveCBackendDispatcherImplementationGenerator._generate_ivars):
        (ObjectiveCBackendDispatcherImplementationGenerator._generate_dealloc):
        (ObjectiveCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
        (ObjectiveCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
        * inspector/scripts/codegen/generate_objective_c_conversion_helpers.py: Added.
        (add_whitespace_separator):
        (ObjectiveCConversionHelpersGenerator):
        (ObjectiveCConversionHelpersGenerator.__init__):
        (ObjectiveCConversionHelpersGenerator.output_filename):
        (ObjectiveCConversionHelpersGenerator.domains_to_generate):
        (ObjectiveCConversionHelpersGenerator.generate_output):
        (ObjectiveCConversionHelpersGenerator._generate_enum_conversion_functions):
        (ObjectiveCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
        (ObjectiveCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
        (ObjectiveCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
        (ObjectiveCConversionHelpersGenerator._generate_enum_objc_to_protocol_string):
        (ObjectiveCConversionHelpersGenerator._generate_enum_from_protocol_string):
        * inspector/scripts/codegen/generate_objective_c_frontend_dispatcher_implementation.py: Added.
        (ObjectiveCFrontendDispatcherImplementationGenerator):
        (ObjectiveCFrontendDispatcherImplementationGenerator.__init__):
        (ObjectiveCFrontendDispatcherImplementationGenerator.output_filename):
        (ObjectiveCFrontendDispatcherImplementationGenerator.domains_to_generate):
        (ObjectiveCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjectiveCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        (ObjectiveCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjectiveCFrontendDispatcherImplementationGenerator._generate_event_signature):
        (ObjectiveCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objective_c_header.py: Added.
        (add_whitespace_separator):
        (ObjectiveCHeaderGenerator):
        (ObjectiveCHeaderGenerator.__init__):
        (ObjectiveCHeaderGenerator.output_filename):
        (ObjectiveCHeaderGenerator.generate_output):
        (ObjectiveCHeaderGenerator._generate_forward_declarations):
        (ObjectiveCHeaderGenerator._generate_enums):
        (ObjectiveCHeaderGenerator._generate_types):
        (ObjectiveCHeaderGenerator._generate_anonymous_enum_for_declaration):
        (ObjectiveCHeaderGenerator._generate_anonymous_enum_for_member):
        (ObjectiveCHeaderGenerator._generate_anonymous_enum_for_parameter):
        (ObjectiveCHeaderGenerator._generate_enum):
        (ObjectiveCHeaderGenerator._generate_enum.NS_ENUM):
        (ObjectiveCHeaderGenerator._generate_type_interface):
        (ObjectiveCHeaderGenerator._generate_init_method_for_required_members):
        (ObjectiveCHeaderGenerator._generate_member_property):
        (ObjectiveCHeaderGenerator._generate_command_protocols):
        (ObjectiveCHeaderGenerator._generate_single_command_protocol):
        (ObjectiveCHeaderGenerator._callback_block_for_command):
        (ObjectiveCHeaderGenerator._generate_event_interfaces):
        (ObjectiveCHeaderGenerator._generate_single_event_interface):
        * inspector/scripts/codegen/generate_objective_c_internal_header.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
        (ObjectiveCTypesInternalHeaderGenerator):
        (ObjectiveCTypesInternalHeaderGenerator.output_filename):
        (ObjectiveCTypesInternalHeaderGenerator.generate_output):
        (ObjectiveCTypesInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
        * inspector/scripts/codegen/generate_objective_c_types_implementation.py: Added.
        (add_whitespace_separator):
        (ObjectiveCTypesImplementationGenerator):
        (ObjectiveCTypesImplementationGenerator.__init__):
        (ObjectiveCTypesImplementationGenerator.output_filename):
        (ObjectiveCTypesImplementationGenerator.domains_to_generate):
33004 | (ObjectiveCTypesImplementationGenerator.generate_output): | |
33005 | (ObjectiveCTypesImplementationGenerator.generate_type_implementations): | |
33006 | (ObjectiveCTypesImplementationGenerator.generate_type_implementation): | |
33007 | (ObjectiveCTypesImplementationGenerator._generate_init_method_for_required_members): | |
33008 | (ObjectiveCTypesImplementationGenerator._generate_setter_for_member): | |
33009 | (ObjectiveCTypesImplementationGenerator._generate_getter_for_member): | |
33010 | * inspector/scripts/codegen/generate_protocol_types_header.py: | |
33011 | (ProtocolTypesHeaderGenerator._generate_forward_declarations): | |
33012 | (_generate_typedefs_for_domain): | |
33013 | (_generate_builders_for_domain): | |
33014 | * inspector/scripts/codegen/generator.py: | |
33015 | (Generator.wrap_with_guard_for_domain): | |
33016 | (Generator): | |
33017 | (Generator.wrap_with_guard): | |
33018 | * inspector/scripts/codegen/generator_templates.py: | |
33019 | (AlternateInspector): | |
33020 | (ObjCInspector): | |
33021 | * inspector/scripts/codegen/models.py: | |
33022 | (Framework.fromString): | |
33023 | (Frameworks): | |
33024 | * inspector/scripts/generate-inspector-protocol-bindings.py: | |
33025 | (generate_from_specification): | |
33026 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
33027 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
33028 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
33029 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
33030 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
33031 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
33032 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
33033 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
33034 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
33035 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
33036 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
33037 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
33038 | ||
33039 | 2014-10-30 Andreas Kling <akling@apple.com> | |
33040 | ||
33041 | Unreviewed assertion fix. | |
33042 | ||
33043 | RegExpCachedResult::m_reified is now the dedicated member that knows whether | |
33044 | the result was reified into an array or not. Check that instead of m_result | |
33045 | which is now single-purpose. | |
33046 | ||
33047 | * runtime/RegExpCachedResult.cpp: | |
33048 | (JSC::RegExpCachedResult::setInput): | |
33049 | ||
33050 | 2014-10-29 Andreas Kling <akling@apple.com> | |
33051 | ||
33052 | Use plain JSArray for RegExp matches instead of a lazily populated custom object. | |
33053 | <https://webkit.org/b/138191> | |
33054 | ||
33055 | Reviewed by Geoffrey Garen. | |
33056 | ||
33057 | We're already offering two RegExp matching APIs, one that collects subpattern | |
33058 | matches (exec), and one that simply tests for a match (test). | |
33059 | Given that, it was pretty overkill to lazily populate the resulting array of | |
33060 | matches, since the user could simply use test() if they didn't need them. | |
33061 | ||
33062 | This allows the JIT to generate better code for RegExp match arrays, and also | |
33063 | enables some fast paths in the JSC runtime that check if an object isJSArray(). | |
33064 | ||
33065 | Looks like ~1.5% improvement on Octane/regexp according to run-jsc-benchmarks. | |
33066 | ||
33067 | * jit/Repatch.cpp: | |
33068 | (JSC::tryCacheGetByID): | |
33069 | * runtime/JSArray.h: | |
33070 | (JSC::createArrayButterflyWithExactLength): Deleted. | |
33071 | * runtime/JSGlobalObject.cpp: | |
33072 | (JSC::JSGlobalObject::init): | |
33073 | * runtime/RegExpCachedResult.cpp: | |
33074 | (JSC::RegExpCachedResult::visitChildren): | |
33075 | (JSC::RegExpCachedResult::lastResult): | |
33076 | (JSC::RegExpCachedResult::leftContext): | |
33077 | (JSC::RegExpCachedResult::rightContext): | |
33078 | * runtime/RegExpCachedResult.h: | |
33079 | (JSC::RegExpCachedResult::RegExpCachedResult): | |
33080 | (JSC::RegExpCachedResult::record): | |
33081 | (JSC::RegExpCachedResult::input): | |
33082 | * runtime/RegExpConstructor.cpp: | |
33083 | (JSC::RegExpConstructor::getBackref): | |
33084 | (JSC::RegExpConstructor::getLastParen): | |
33085 | (JSC::RegExpConstructor::getLeftContext): | |
33086 | (JSC::RegExpConstructor::getRightContext): | |
33087 | * runtime/RegExpMatchesArray.cpp: | |
33088 | (JSC::createRegExpMatchesArray): | |
33089 | (JSC::RegExpMatchesArray::RegExpMatchesArray): Deleted. | |
33090 | (JSC::RegExpMatchesArray::create): Deleted. | |
33091 | (JSC::RegExpMatchesArray::finishCreation): Deleted. | |
33092 | (JSC::RegExpMatchesArray::visitChildren): Deleted. | |
33093 | (JSC::RegExpMatchesArray::reifyAllProperties): Deleted. | |
33094 | (JSC::RegExpMatchesArray::reifyMatchProperty): Deleted. | |
33095 | (JSC::RegExpMatchesArray::leftContext): Deleted. | |
33096 | (JSC::RegExpMatchesArray::rightContext): Deleted. | |
33097 | * runtime/RegExpMatchesArray.h: | |
33098 | (JSC::RegExpMatchesArray::createStructure): Deleted. | |
33099 | (JSC::RegExpMatchesArray::reifyAllPropertiesIfNecessary): Deleted. | |
33100 | (JSC::RegExpMatchesArray::reifyMatchPropertyIfNecessary): Deleted. | |
33101 | (JSC::RegExpMatchesArray::getOwnPropertySlot): Deleted. | |
33102 | (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex): Deleted. | |
33103 | (JSC::RegExpMatchesArray::put): Deleted. | |
33104 | (JSC::RegExpMatchesArray::putByIndex): Deleted. | |
33105 | (JSC::RegExpMatchesArray::deleteProperty): Deleted. | |
33106 | (JSC::RegExpMatchesArray::deletePropertyByIndex): Deleted. | |
33107 | (JSC::RegExpMatchesArray::getOwnPropertyNames): Deleted. | |
33108 | (JSC::RegExpMatchesArray::defineOwnProperty): Deleted. | |
33109 | (JSC::isRegExpMatchesArray): Deleted. | |
33110 | * runtime/RegExpObject.cpp: | |
33111 | (JSC::RegExpObject::exec): | |
33112 | * runtime/StringPrototype.cpp: | |
33113 | (JSC::stringProtoFuncMatch): | |
33114 | ||
33115 | 2014-10-29 Joseph Pecoraro <pecoraro@apple.com> | |
33116 | ||
33117 | Web Inspector: Fix Type Dependency Issues | |
33118 | https://bugs.webkit.org/show_bug.cgi?id=125664 | |
33119 | ||
33120 | Reviewed by Brian Burg. | |
33121 | ||
33122 | Now that all JSON protocol files are processed together again | |
33123 | in r174892, we can remove the duplicated types which were only | |
33124 | needed when the domains were split. | |
33125 | ||
33126 | * inspector/protocol/Console.json: | |
33127 | * inspector/protocol/Runtime.json: | |
33128 | ||
33129 | 2014-10-28 Commit Queue <commit-queue@webkit.org> | |
33130 | ||
33131 | Unreviewed, rolling out r175249. | |
33132 | https://bugs.webkit.org/show_bug.cgi?id=138138 | |
33133 | ||
33134 | Appears to be failing some JS tests (Requested by mlam_ on | |
33135 | #webkit). | |
33136 | ||
33137 | Reverted changeset: | |
33138 | ||
33139 | "Holes are not copied properly when Arrays change shape to | |
33140 | ArrayStorage type." | |
33141 | https://bugs.webkit.org/show_bug.cgi?id=138118 | |
33142 | http://trac.webkit.org/changeset/175249 | |
33143 | ||
33144 | 2014-10-27 Mark Lam <mark.lam@apple.com> | |
33145 | ||
33146 | Holes are not copied properly when Arrays change shape to ArrayStorage type. | |
33147 | <https://webkit.org/b/138118> | |
33148 | ||
33149 | Reviewed by Mark Hahnenberg. | |
33150 | ||
33151 | When we convert non-ArrayStorage typed arrays into ArrayStorage typed arrays, | |
33152 | we skipped the holes. As a result, the slots in the ArrayStorage vector that | |
33153 | correspond to those holes are uninitialized. This is now fixed. | |
33154 | ||
33155 | * runtime/JSObject.cpp: | |
33156 | (JSC::JSObject::convertUndecidedToArrayStorage): | |
33157 | (JSC::JSObject::convertInt32ToArrayStorage): | |
33158 | (JSC::JSObject::convertDoubleToArrayStorage): | |
33159 | (JSC::JSObject::convertContiguousToArrayStorage): | |
33160 | ||
33161 | 2014-10-27 Mark Lam <mark.lam@apple.com> | |
33162 | ||
33163 | Crash when attempting to perform array iteration on a non-array with numeric keys not initialized. | |
33164 | <https://webkit.org/b/137814> | |
33165 | ||
33166 | Reviewed by Geoffrey Garen. | |
33167 | ||
33168 | The arrayIteratorNextThunkGenerator() thunk was not checking for the case where | |
33169 | the butterfly may be NULL. This was the source of the crash, and is now fixed. | |
33170 | ||
33171 | In addition, it is also not checking for the case where a property named "length" | |
33172 | may have been set on the iterated object. The thunk only checks the butterfly's | |
33173 | publicLength for its iteration operation. Array objects will work fine with this | |
33174 | because it always updates its butterfly's publicLength when its length changes. | |
33175 | In the case of iterable non-Array objects, the "length" property will require a | |
33176 | look up outside of the scope of this thunk. The fix is simply to limit the fast | |
33177 | case checks in this thunk to Array objects. | |
33178 | ||
33179 | * jit/ThunkGenerators.cpp: | |
33180 | (JSC::arrayIteratorNextThunkGenerator): | |
33181 | ||
33182 | 2014-10-27 Mark Lam <mark.lam@apple.com> | |
33183 | ||
33184 | Simplified some JSObject methods for converting arrays to ArrayStorage shape. | |
33185 | <https://webkit.org/b/138119> | |
33186 | ||
33187 | Reviewed by Filip Pizlo. | |
33188 | ||
33189 | Currently, for each Undecided, Int32, Double, and Contiguous array shapes, | |
33190 | there are 3 JSObject methods to convert them to ArrayStorage shape: | |
33191 | ArrayStorage* convert<shape>ToArrayStorage(VM&, NonPropertyTransition, unsigned neededLength); | |
33192 | ArrayStorage* convert<shape>ToArrayStorage(VM&, NonPropertyTransition); | |
33193 | ArrayStorage* convert<shape>ToArrayStorage(VM&); | |
33194 | ||
33195 | However, the neededLength that is passed is always m_butterfly->vectorLength(). | |
33196 | Hence, the method that takes a neededLength is really not needed. This patch | |
33197 | removes this unneeded verbosity. | |
33198 | ||
33199 | * runtime/JSObject.cpp: | |
33200 | (JSC::JSObject::convertUndecidedToArrayStorage): | |
33201 | (JSC::JSObject::convertInt32ToArrayStorage): | |
33202 | - Also reordered the placement of the DeferGC statement so this Int32 function | |
33203 | will look more similar to the others. | |
33204 | (JSC::JSObject::convertDoubleToArrayStorage): | |
33205 | (JSC::JSObject::convertContiguousToArrayStorage): | |
33206 | * runtime/JSObject.h: | |
33207 | ||
33208 | 2014-10-25 Brian J. Burg <burg@cs.washington.edu> | |
33209 | ||
33210 | Web Inspector: timelines should not count time elapsed while paused in the debugger | |
33211 | https://bugs.webkit.org/show_bug.cgi?id=136351 | |
33212 | ||
33213 | Unreviewed, follow-up fix after r175203. The debugger agent should not assume | |
33214 | that the inspector environment's stopwatch has already been started. | |
33215 | ||
33216 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
33217 | (Inspector::InspectorDebuggerAgent::didPause): Check if the stopwatch isActive() before stopping. | |
33218 | ||
33219 | 2014-10-18 Brian J. Burg <burg@cs.washington.edu> | |
33220 | ||
33221 | Web Inspector: timelines should not count time elapsed while paused in the debugger | |
33222 | https://bugs.webkit.org/show_bug.cgi?id=136351 | |
33223 | ||
33224 | Reviewed by Timothy Hatcher. | |
33225 | ||
33226 | Now that we have a stopwatch to provide pause-aware timing data, we can remove the | |
33227 | profiler's handling of debugger pause/continue callbacks. The debugger agent accounts | |
33228 | for suspended execution by pausing and resuming the stopwatch. | |
33229 | ||
33230 | * API/JSProfilerPrivate.cpp: | |
33231 | (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API. | |
33232 | * inspector/InspectorEnvironment.h: | |
33233 | * inspector/JSGlobalObjectInspectorController.cpp: | |
33234 | (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): | |
33235 | (Inspector::JSGlobalObjectInspectorController::executionStopwatch): | |
33236 | * inspector/JSGlobalObjectInspectorController.h: | |
33237 | * inspector/ScriptDebugServer.cpp: | |
33238 | (Inspector::ScriptDebugServer::handlePause): | |
33239 | * inspector/agents/InspectorDebuggerAgent.cpp: | |
33240 | (Inspector::InspectorDebuggerAgent::didPause): | |
33241 | (Inspector::InspectorDebuggerAgent::breakpointActionProbe): | |
33242 | (Inspector::InspectorDebuggerAgent::didContinue): | |
33243 | * inspector/agents/InspectorDebuggerAgent.h: | |
33244 | * profiler/LegacyProfiler.cpp: | |
33245 | (JSC::LegacyProfiler::profiler): Use nullptr. | |
33246 | (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator. | |
33247 | (JSC::LegacyProfiler::stopProfiling): Use nullptr. | |
33248 | (JSC::LegacyProfiler::didPause): Deleted. | |
33249 | (JSC::LegacyProfiler::didContinue): Deleted. | |
33250 | * profiler/LegacyProfiler.h: | |
33251 | * profiler/Profile.cpp: The root node should always have a start time of 0.0. | |
33252 | (JSC::Profile::Profile): | |
33253 | * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the | |
33254 | timestamp member that was used to track time elapsed by the debugger. Just use the | |
33255 | stopwatch's elapsed times to generate start/elapsed times for function calls. | |
33256 | ||
33257 | (JSC::ProfileGenerator::create): | |
33258 | (JSC::ProfileGenerator::ProfileGenerator): | |
33259 | (JSC::AddParentForConsoleStartFunctor::operator()): The parent node of |console.profile| | |
33260 | should have a start time of 0.0, since it represents the starting node of profiling. | |
33261 | ||
33262 | (JSC::ProfileGenerator::beginCallEntry): | |
33263 | (JSC::ProfileGenerator::endCallEntry): | |
33264 | (JSC::ProfileGenerator::didPause): Deleted. | |
33265 | (JSC::ProfileGenerator::didContinue): Deleted. | |
33266 | * profiler/ProfileGenerator.h: | |
33267 | ||
33268 | 2014-10-24 Mark Lam <mark.lam@apple.com> | |
33269 | ||
33270 | Simplified IndexingType's hasAnyArrayStorage(). | |
33271 | <https://webkit.org/b/138051> | |
33272 | ||
33273 | Reviewed by Michael Saboff. | |
33274 | ||
33275 | IndexingType's hasAnyArrayStorage() currently does subtraction of ArrayStorageShape | |
33276 | with the purpose of making non-ArrayStorage types underflow (with that subtraction) | |
33277 | and have a result that exceeds SlowPutArrayStorageShape. What it is doing is | |
33278 | basically checking for a shape value that is greater than or equal to ArrayStorageShape. | |
33279 | We can just simplify the code as such. | |
33280 | ||
33281 | Also added a comment to describe the structure of the bits in IndexingType. | |
33282 | ||
33283 | * runtime/IndexingType.h: | |
33284 | (JSC::hasAnyArrayStorage): | |
33285 | ||
33286 | 2014-10-23 Joseph Pecoraro <pecoraro@apple.com> | |
33287 | ||
33288 | Web Inspector: Provide a way to have alternate inspector agents | |
33289 | https://bugs.webkit.org/show_bug.cgi?id=137901 | |
33290 | ||
33291 | Reviewed by Brian Burg. | |
33292 | ||
33293 | Provide a way to use alternate inspector agents debugging a JSContext. | |
33294 | Expose a very slim private API that a client could use to know when | |
33295 | an inspector has connected/disconnected, and a way to register its | |
33296 | augmentative agents. | |
33297 | ||
33298 | * Configurations/FeatureDefines.xcconfig: | |
33299 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
33300 | New feature guard. New files. | |
33301 | ||
33302 | * API/JSContextRef.cpp: | |
33303 | (JSGlobalContextGetAugmentableInspectorController): | |
33304 | * API/JSContextRefInspectorSupport.h: Added. | |
33305 | Access to the private interface from a JSContext. | |
33306 | ||
33307 | * inspector/JSGlobalObjectInspectorController.cpp: | |
33308 | (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): | |
33309 | (Inspector::JSGlobalObjectInspectorController::connectFrontend): | |
33310 | (Inspector::JSGlobalObjectInspectorController::disconnectFrontend): | |
33311 | * inspector/JSGlobalObjectInspectorController.h: | |
33312 | * inspector/augmentable/AugmentableInspectorController.h: Added. | |
33313 | (Inspector::AugmentableInspectorController::~AugmentableInspectorController): | |
33314 | (Inspector::AugmentableInspectorController::connected): | |
33315 | * inspector/augmentable/AugmentableInspectorControllerClient.h: Added. | |
33316 | (Inspector::AugmentableInspectorControllerClient::~AugmentableInspectorControllerClient): | |
33317 | * inspector/augmentable/AlternateDispatchableAgent.h: Added. | |
33318 | (Inspector::AlternateDispatchableAgent::AlternateDispatchableAgent): | |
33319 | Provide the private APIs a client could use to add alternate agents using alternate backend dispatchers. | |
33320 | ||
33321 | * inspector/scripts/codegen/__init__.py: | |
33322 | * inspector/scripts/generate-inspector-protocol-bindings.py: | |
33323 | (generate_from_specification): | |
33324 | New includes, and use the new generator. | |
33325 | ||
33326 | * inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py: Added. | |
33327 | (AlternateBackendDispatcherHeaderGenerator): | |
33328 | (AlternateBackendDispatcherHeaderGenerator.__init__): | |
33329 | (AlternateBackendDispatcherHeaderGenerator.output_filename): | |
33330 | (AlternateBackendDispatcherHeaderGenerator.generate_output): | |
33331 | (AlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain): | |
33332 | (AlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): | |
33333 | Generate the abstract AlternateInspectorBackendDispatcher interfaces. | |
33334 | ||
33335 | * inspector/scripts/codegen/generate_backend_dispatcher_header.py: | |
33336 | (BackendDispatcherHeaderGenerator.generate_output): | |
33337 | (BackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains): | |
33338 | (BackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): | |
33339 | Forward declare alternate dispatchers, and allow setting an alternate dispatcher on a domain dispatcher. | |
33340 | ||
33341 | * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: | |
33342 | (BackendDispatcherImplementationGenerator.generate_output): | |
33343 | (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): | |
33344 | Check for and dispatch on an AlternateInspectorBackendDispatcher if there is one for this domain. | |
33345 | ||
33346 | * inspector/scripts/codegen/generator_templates.py: | |
33347 | (AlternateInspectorBackendDispatcher): | |
33348 | (AlternateInspector): | |
33349 | Template boilerplate for prelude and postlude. | |
33350 | ||
33351 | * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: | |
33352 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
33353 | * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: | |
33354 | * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: | |
33355 | * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: | |
33356 | * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: | |
33357 | * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: | |
33358 | * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: | |
33359 | * inspector/scripts/tests/expected/type-declaration-array-type.json-result: | |
33360 | * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: | |
33361 | * inspector/scripts/tests/expected/type-declaration-object-type.json-result: | |
33362 | * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: | |
33363 | Rebaseline tests. | |
33364 | ||
33365 | 2014-10-23 Michael Saboff <msaboff@apple.com> | |
33366 | ||
33367 | offsets.rb:183:in `buildOffsetsMap': unhandled exception - is offlineasm dependency tracking broken? (132668) | |
33368 | https://bugs.webkit.org/show_bug.cgi?id=138017 | |
33369 | ||
33370 | Reviewed by Mark Lam. | |
33371 | ||
33372 | Removed from the input file $(SRCROOT)/llint/LowLevelAssembler.asm and output file | |
33373 | $(BUILT_PRODUCTS_DIR)/LLIntOffsets/LLIntDesiredOffsets.h from the Generate Derived Sources | |
33374 | build phase in the LLInt Offset target. There is no need for Xcode to do any dependency | |
33375 | checking with these files as the ruby script offlineasm/generate_offset_extractor.rb will | |
33376 | do that for us. | |
33377 | ||
33378 | * JavaScriptCore.xcodeproj/project.pbxproj: | |
33379 | ||
33380 | 2014-10-23 Michael Saboff <msaboff@apple.com> | |
33381 | ||
33382 | Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope | |
33383 | https://bugs.webkit.org/show_bug.cgi?id=136901 | |
33384 | ||
33385 | Reviewed by Mark Lam. | |
33386 | ||
33387 | Implement ExecState::lexicalGlobalObject() using Callee. | |
33388 | ||
33389 | * runtime/JSScope.h: | |
33390 | (JSC::ExecState::lexicalGlobalObject): | |
33391 | ||
33392 | 2014-10-22 Milan Crha <mcrha@redhat.com> | |
33393 | ||
33394 | Prefix isnan() with std::. | |
33395 | <https://webkit.org/b/137966>. | |
33396 | ||
33397 | Reviewed by Carlos Garcia Campos. | |
33398 | ||
33399 | * profiler/ProfileNode.h: | |
33400 | (JSC::ProfileNode::Call::setStartTime): | |
33401 | (JSC::ProfileNode::Call::setElapsedTime): | |
33402 | ||
33403 | 2014-10-22 Mark Lam <mark.lam@apple.com> | |
33404 | ||
33405 | Refactoring to simplify some code in DatePrototype.cpp. | |
33406 | <https://webkit.org/b/137997> | |
33407 | ||
33408 | Reviewed by Filip Pizlo. | |
33409 | ||
33410 | A bunch of functions in DatePrototype.cpp have the pattern of loading a | |
33411 | constant into a local variable only to pass it to a callee function | |
33412 | immediately after. There is no other use for that variable. This adds | |
33413 | additional verbosity with no added benefit. | |
33414 | ||
33415 | This patch refactors those functions to just pass the constant arg directly. | |
33416 | ||
33417 | * runtime/DatePrototype.cpp: | |
33418 | (JSC::dateProtoFuncSetMilliSeconds): | |
33419 | (JSC::dateProtoFuncSetUTCMilliseconds): | |
33420 | (JSC::dateProtoFuncSetSeconds): | |
33421 | (JSC::dateProtoFuncSetUTCSeconds): | |
33422 | (JSC::dateProtoFuncSetMinutes): | |
33423 | (JSC::dateProtoFuncSetUTCMinutes): | |
33424 | (JSC::dateProtoFuncSetHours): | |
33425 | (JSC::dateProtoFuncSetUTCHours): | |
33426 | (JSC::dateProtoFuncSetDate): | |
33427 | (JSC::dateProtoFuncSetUTCDate): | |
33428 | (JSC::dateProtoFuncSetMonth): | |
33429 | (JSC::dateProtoFuncSetUTCMonth): | |
33430 | (JSC::dateProtoFuncSetFullYear): | |
33431 | (JSC::dateProtoFuncSetUTCFullYear): | |
33432 | ||
33433 | 2014-10-22 Byungseon Shin <sun.shin@lge.com> | |
33434 | ||
33435 | String(new Date(Mar 30 2014 01:00:00)) is wrong in CET | |
33436 | https://bugs.webkit.org/show_bug.cgi?id=130967 | |
33437 | ||
33438 | Reviewed by Mark Lam. | |
33439 | ||
33440 | By definition of calculateLocalTimeOffset, input time should be UTC time. | |
33441 | But there are many cases when input time is based on local time. | |
33442 | So, it gives erroneous results while calculating offset of DST boundary time. | |
33443 | By adding an argument to distinguish UTC and local time, we can get the correct offset. | |
33444 | ||
33445 | * JavaScriptCore.order: | |
33446 | * runtime/DateConstructor.cpp: | |
33447 | (JSC::constructDate): | |
33448 | (JSC::callDate): | |
33449 | (JSC::dateUTC): | |
33450 | * runtime/DateInstance.cpp: | |
33451 | (JSC::DateInstance::calculateGregorianDateTime): | |
33452 | (JSC::DateInstance::calculateGregorianDateTimeUTC): | |
33453 | * runtime/DatePrototype.cpp: | |
33454 | (JSC::setNewValueFromTimeArgs): | |
33455 | (JSC::setNewValueFromDateArgs): | |
33456 | (JSC::dateProtoFuncSetMilliSeconds): | |
33457 | (JSC::dateProtoFuncSetUTCMilliseconds): | |
33458 | (JSC::dateProtoFuncSetSeconds): | |
33459 | (JSC::dateProtoFuncSetUTCSeconds): | |
33460 | (JSC::dateProtoFuncSetMinutes): | |
33461 | (JSC::dateProtoFuncSetUTCMinutes): | |
33462 | (JSC::dateProtoFuncSetHours): | |
33463 | (JSC::dateProtoFuncSetUTCHours): | |
33464 | (JSC::dateProtoFuncSetDate): | |
33465 | (JSC::dateProtoFuncSetUTCDate): | |
33466 | (JSC::dateProtoFuncSetMonth): | |
33467 | (JSC::dateProtoFuncSetUTCMonth): | |
33468 | (JSC::dateProtoFuncSetFullYear): | |
33469 | (JSC::dateProtoFuncSetUTCFullYear): | |
33470 | (JSC::dateProtoFuncSetYear): | |
33471 | * runtime/JSDateMath.cpp: | |
33472 | (JSC::localTimeOffset): | |
33473 | (JSC::gregorianDateTimeToMS): | |
33474 | (JSC::msToGregorianDateTime): | |
33475 | (JSC::parseDateFromNullTerminatedCharacters): | |
33476 | * runtime/JSDateMath.h: | |
33477 | * runtime/VM.h: | |
33478 | (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache): | |
33479 | (JSC::LocalTimeOffsetCache::reset): | |
33480 | Passing TimeType argument to distinguish UTC time and local time. | |
33481 | ||
33482 | 2014-10-22 Joseph Pecoraro <pecoraro@apple.com> | |
33483 | ||
33484 | Web Inspector: Fix generator importing of protocol type "any", treat as value | |
33485 | https://bugs.webkit.org/show_bug.cgi?id=137931 | |
33486 | ||
33487 | Reviewed by Timothy Hatcher. | |
33488 | ||
33489 | Treat incoming "any" objects as InspectorValues, which can be any type. | |
33490 | Add the necessary boilerplate to import. | |
33491 | ||
33492 | * inspector/InspectorBackendDispatcher.cpp: | |
33493 | (Inspector::AsMethodBridges::asValue): | |
33494 | (Inspector::InspectorBackendDispatcher::getValue): | |
33495 | * inspector/InspectorBackendDispatcher.h: | |
33496 | * inspector/scripts/codegen/generator.py: | |
33497 | (Generator.keyed_get_method_for_type): | |
33498 | * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: | |
33499 | ||
33500 | 2014-10-22 Michael Saboff <msaboff@apple.com> | |
33501 | ||
33502 | REGRESSION(r174996): Broke C_LOOP | |
33503 | https://bugs.webkit.org/show_bug.cgi?id=137971 | |
33504 | ||
33505 | Reviewed by Mark Lam. | |
33506 | ||
33507 | Removed incorrect move to cfr (CallFrameRegister) before we make the call to a native function. | |
33508 | After r174996, the source register for the move contained garbage causing the crash. The move | |
33509 | to cfr before making the call to the native function is wrong and should have been removed | |
33510 | some time ago. This brings the ARM64 / C_LOOP code path in line with the other CPU paths. | |
33511 | Tested on ARM64 as well as a C_LOOP build. | |
33512 | ||
33513 | * llint/LowLevelInterpreter64.asm: | |
33514 | ||
33515 | 2014-10-21 Mark Lam <mark.lam@apple.com> | |
33516 | ||
33517 | Remove erroneous canUseJIT() in the intrinsics version of JITThunks::hostFunctionStub(). | |
33518 | <https://webkit.org/b/137937> | |
33519 | ||
33520 | Reviewed by Michael Saboff. | |
33521 | ||
33522 | This version of JITThunks::hostFunctionStub() can only be called from the intrinsics | |
33523 | version of VM::getHostFunction() which asserts canUseJIT(). Hence, we can eliminate | |
33524 | the canUseJIT() check in JITThunks::hostFunctionStub(). We don't handle the | |
33525 | !canUseJIT() case properly there anyway. | |
33526 | ||
33527 | * jit/JITThunks.cpp: | |
33528 | (JSC::JITThunks::hostFunctionStub): | |
33529 | ||
33530 | 2014-10-21 Michael Saboff <msaboff@apple.com> | |
33531 | ||
Add operator==(PropertyName, const char*)
https://bugs.webkit.org/show_bug.cgi?id=137925

Reviewed by Mark Lam.

* runtime/PropertyName.h:
(JSC::operator==): Added to simplify comparison with string literals.


2014-10-21 Michael Saboff <msaboff@apple.com>

Change native call frames to use the scope from their Callee instead of their caller's scope
https://bugs.webkit.org/show_bug.cgi?id=137907

Reviewed by Mark Lam.

Changed setting of scope for native CallFrames to use the scope associated with the
Callee instead of the caller's scope.

* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

2014-10-21 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>

Add missing ENABLE(FTL_NATIVE_CALL_INLINING) guard to BundlePath.cpp after r174940
https://bugs.webkit.org/show_bug.cgi?id=137924

Reviewed by Csaba Osztrogonác.

* runtime/BundlePath.cpp:

2014-10-21 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

Fix FTL Native Inlining for EFL
https://bugs.webkit.org/show_bug.cgi?id=137774

Reviewed by Michael Saboff.

Added required functionality for Native Inlining to EFL, and fixed a bug/typo in the original code,
which caused incorrect memory allocation.

* CMakeLists.txt:
* create-llvm-ir-from-source-file.py: Added.
* create-symbol-table-index.py: Added.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
(JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
(JSC::FTL::LowerDFGToLLVM::exitValueForNode):
* runtime/BundlePath.cpp: Added.
(JSC::bundlePath):
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
* runtime/MathObject.cpp:

2014-10-21 Milan Crha <mcrha@redhat.com>

Move JSC::MacroAssemblerX86Common::s_sse2CheckState definition to MacroAssemblerX86Common.cpp.
<https://webkit.org/b/137807>

Reviewed by Csaba Osztrogonác.

* assembler/MacroAssemblerX86Common.cpp:
* jit/JIT.cpp:

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

Unreviewed, add back copyright line that was accidentally removed.

* inspector/scripts/codegen/generator_templates.py:
(GeneratorTemplates):

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: InspectorBackendCommands should include when to activate particular domains
https://bugs.webkit.org/show_bug.cgi?id=137753

Reviewed by Timothy Hatcher.

Add an availability property to domains that only activate for
particular debuggable types. If missing, the domain is always
activated. Otherwise it must be a debuggable type string.
When a frontend is opened for that debuggable type, the domain
will be activated.

* inspector/scripts/codegen/models.py:
(Protocol.parse_domain):
(Domain.__init__):
(Domains):
Parse and validate the Domain's "availability" property.

* inspector/scripts/codegen/generate_backend_commands.py:
(BackendCommandsGenerator.generate_domain):
Emit InspectorBackend.activateDomain with debuggable type filter.

* inspector/protocol/ApplicationCache.json:
* inspector/protocol/CSS.json:
* inspector/protocol/DOM.json:
* inspector/protocol/DOMDebugger.json:
* inspector/protocol/DOMStorage.json:
* inspector/protocol/Database.json:
* inspector/protocol/IndexedDB.json:
* inspector/protocol/LayerTree.json:
* inspector/protocol/Network.json:
* inspector/protocol/Page.json:
* inspector/protocol/Replay.json:
* inspector/protocol/Timeline.json:
* inspector/protocol/Worker.json:
These domains only activate for Web debuggables.

* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
Update existing tests that now have activate output.

* inspector/scripts/tests/expected/fail-on-domain-availability.json-error: Added.
* inspector/scripts/tests/fail-on-domain-availability.json: Added.
Add a test for "availability" validation.

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

[Win] Build fix for generated inspector files.

Rubberstamped by Brent Fulgham.

* inspector/scripts/codegen/generate_backend_dispatcher_header.py:
(BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
* inspector/scripts/codegen/generator_templates.py:
(GeneratorTemplates):

2014-10-20 Brent Fulgham <bfulgham@apple.com>

[Win] Unreviewed build fix.

We need to (1) pass the 'windows' argument to our script for checking feature definitions,
and (2) we must use Cwd::realpath on our path input arguments to avoid Cygwin and Windows
getting confused about path separators versus escape characters.


* JavaScriptCore.vcxproj/build-generated-files.pl:

2014-10-20 Mark Lam <mark.lam@apple.com>

[Follow up] Web Process crash when starting the web inspector after r174025.
<https://webkit.org/b/137340>

Reviewed by Geoffrey Garen.

Applied Geoff's feedback to clean up some code for better clarity after
r174856.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::insertCheck):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertOutOfOrder):

2014-10-20 Mark Lam <mark.lam@apple.com>

Factor out JITCode::typeName() for debugging use.
<https://webkit.org/b/137888>

Reviewed by Geoffrey Garen.

JITCode's printInternal() currently decodes the JITType into a string and
prints it. This change factors out the part that decodes the JITType into
JITCode::typeName() so that we can call it from lldb while debugging to
quickly decode a JITType value.

* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(WTF::printInternal):
* jit/JITCode.h:

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

Unreviewed Windows Build Fix #2 after r174892.

* JavaScriptCore.vcxproj/build-generated-files.pl:
Define FEATURE_DEFINES for JavaScriptCore's DerivedSources.make.
This uses the same technique as WebCore.

2014-10-20 Mark Lam <mark.lam@apple.com>

Fix placement of a few items in vcxproj ItemGroups.
<https://webkit.org/b/137886>

Reviewed by Geoffrey Garen.

https://webkit.org/b/137873 is likely a cut-and-paste error that manifested
because we had ClCompile and ClInclude entries mixed up in the wrong ItemGroups.
We should fix these so that ClCompile entries are in the ClCompile ItemGroup,
and ClInclude entries in the ClInclude ItemGroup. This will help reduce the
chance of future cut-and-paste errors of this nature.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

Unreviewed Windows Build Fix after r174892.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
Update file name to the new generated file name.

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Rename generated Inspector.json to CombinedDomains.json to prevent name collisions
https://bugs.webkit.org/show_bug.cgi?id=137825

Reviewed by Timothy Hatcher.

* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/copy-files.cmd:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/protocol/Inspector.json: Renamed from Source/JavaScriptCore/inspector/protocol/InspectorDomain.json.

2014-10-20 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Generate all Inspector domains together in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=137748

Reviewed by Brian Burg.

* inspector/protocol/ApplicationCache.json: Renamed from Source/WebCore/inspector/protocol/ApplicationCache.json.
* inspector/protocol/CSS.json: Renamed from Source/WebCore/inspector/protocol/CSS.json.
* inspector/protocol/DOM.json: Renamed from Source/WebCore/inspector/protocol/DOM.json.
* inspector/protocol/DOMDebugger.json: Renamed from Source/WebCore/inspector/protocol/DOMDebugger.json.
* inspector/protocol/DOMStorage.json: Renamed from Source/WebCore/inspector/protocol/DOMStorage.json.
* inspector/protocol/Database.json: Renamed from Source/WebCore/inspector/protocol/Database.json.
* inspector/protocol/IndexedDB.json: Renamed from Source/WebCore/inspector/protocol/IndexedDB.json.
* inspector/protocol/LayerTree.json: Renamed from Source/WebCore/inspector/protocol/LayerTree.json.
* inspector/protocol/Network.json: Renamed from Source/WebCore/inspector/protocol/Network.json.
* inspector/protocol/Page.json: Renamed from Source/WebCore/inspector/protocol/Page.json.
* inspector/protocol/Replay.json: Renamed from Source/WebCore/inspector/protocol/Replay.json.
* inspector/protocol/Timeline.json: Renamed from Source/WebCore/inspector/protocol/Timeline.json.
* inspector/protocol/Worker.json: Renamed from Source/WebCore/inspector/protocol/Worker.json.
Move all protocol files into this directory.

* inspector/InspectorProtocolTypesBase.h: Renamed from Source/JavaScriptCore/inspector/InspectorProtocolTypes.h.
Renamed the base types file to not clash with the generated types file.

* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.vcxproj/copy-files.cmd:
* JavaScriptCore.xcodeproj/project.pbxproj:
Update build phases for new JSON files and new filenames.

* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
Updated names of things now that prefixes are no longer needed.

* inspector/ConsoleMessage.h:
* inspector/ContentSearchUtilities.cpp:
* inspector/ContentSearchUtilities.h:
* inspector/InjectedScript.h:
* inspector/InjectedScriptBase.h:
* inspector/ScriptCallFrame.h:
* inspector/ScriptCallStack.h:
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::breakpointActionTypeForString):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorRuntimeAgent.h:
* runtime/TypeProfiler.cpp:
* runtime/TypeSet.cpp:
Update includes and update a few function names that are generated.

* inspector/scripts/codegen/generate_protocol_types_header.py:
(ProtocolTypesHeaderGenerator.output_filename):
(ProtocolTypesHeaderGenerator.generate_output):
Include an export macro for type string constants defined in the implementation file.

* inspector/scripts/codegen/generate_backend_commands.py:
(BackendCommandsGenerator.output_filename):
* inspector/scripts/codegen/generate_backend_dispatcher_header.py:
(BackendDispatcherHeaderGenerator.output_filename):
(BackendDispatcherHeaderGenerator.generate_output):
* inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
(BackendDispatcherImplementationGenerator.output_filename):
(BackendDispatcherImplementationGenerator.generate_output):
(BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
(BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
(FrontendDispatcherHeaderGenerator.output_filename):
(FrontendDispatcherHeaderGenerator.generate_output):
* inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
(FrontendDispatcherImplementationGenerator.output_filename):
(FrontendDispatcherImplementationGenerator.generate_output):
(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
(_generate_class_for_object_declaration):
(_generate_builder_setter_for_member):
(_generate_unchecked_setter_for_member):
* inspector/scripts/codegen/generate_protocol_types_implementation.py:
(ProtocolTypesImplementationGenerator.output_filename):
(ProtocolTypesImplementationGenerator.generate_output):
(ProtocolTypesImplementationGenerator._generate_enum_mapping):
* inspector/scripts/codegen/models.py:
(Framework.fromString):
(Frameworks):
* inspector/scripts/generate-inspector-protocol-bindings.py:
Simplify generator now that prefixes are no longer needed. This updates
filenames, includes, and the list of supported directories.

2014-10-20 Csaba Osztrogonác <ossy@webkit.org>

Remove obsolete comments after r99798
https://bugs.webkit.org/show_bug.cgi?id=137871

Reviewed by Darin Adler.

r99798 removed the comment in MacroAssemblerARMv7::supportsFloatingPointTruncate(),
so we should remove the stale references to this removed comment.

* assembler/MacroAssemblerX86.h:
* assembler/MacroAssemblerX86_64.h:

2014-10-20 Csaba Osztrogonác <ossy@webkit.org>

MacroAssemblerX86Common.cpp should be built on Windows too
https://bugs.webkit.org/show_bug.cgi?id=137873

Reviewed by Brent Fulgham.

* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-10-20 Csaba Osztrogonác <ossy@webkit.org>

[cmake] Remove duplicated source files
https://bugs.webkit.org/show_bug.cgi?id=137875

Reviewed by Gyuyoung Kim.

* CMakeLists.txt:

2014-10-18 Brian J. Burg <burg@cs.washington.edu>

Web Replay: code generator shouldn't complain about enums without a storage type if they are in an enclosing scope
https://bugs.webkit.org/show_bug.cgi?id=137084

Reviewed by Joseph Pecoraro.

In order to generate encode/decode method declarations without pulling in lots of headers,
the generator must forward declare enums (for enum classes or enums with explicit sizes).

Change the generator to not require an explicit size if an enum is declared inside a struct
or class definition. In that case, it must pull in headers since scoped enums can't be
forward declared.

This patch also fixes some chained if-statements that should be if-else statements.

Test: updated replay/scripts/tests/generate-enum-encoding-helpers.json to cover the new case.

* replay/scripts/CodeGeneratorReplayInputs.py:
(InputsModel.parse_type_with_framework_name.is):
(InputsModel.parse_type_with_framework_name.is.must):
(Generator.generate_enum_trait_implementation):
(InputsModel.parse_type_with_framework_name): Deleted.
* replay/scripts/CodeGeneratorReplayInputsTemplates.py:
* replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error:
* replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
(JSC::EncodingTraits<WebCore::MouseButton>::decodeValue):
* replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
(JSC::EncodingTraits<WebCore::MouseButton>::decodeValue):
(JSC::EncodingTraits<WebCore::PlatformEvent::Type>::encodeValue):
(JSC::EncodingTraits<WebCore::PlatformEvent::Type>::decodeValue):
* replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
(JSC::EncodingTraits<WebCore::FormData1::Type>::decodeValue):
(JSC::EncodingTraits<PlatformEvent1::Type>::decodeValue):
* replay/scripts/tests/generate-enum-encoding-helpers.json: Added a new input to cover this case.

2014-10-17 Mark Lam <mark.lam@apple.com>

Web Process crash when starting the web inspector after r174025.
<https://webkit.org/b/137340>

Reviewed by Filip Pizlo.

After r174025, we can generate a bad graph in the DFG fixup phase like so:

102:<!0:-> StoreBarrier(Check:KnownCell:@19, ..., bc#44)
60:<!0:-> PutStructure(Check:KnownCell:@19, ..., bc#44)
103:<!0:-> Check(Check:NotCell:@54, ..., bc#44)
// ^-- PutByOffset's StoreBarrier has been elided and replaced
// with a speculation check which can OSR exit.
61:<!0:-> PutByOffset(Check:KnownCell:@19, ..., bc#44)

As a result, the structure change will get executed even if we end up OSR
exiting before the PutByOffset. In the baseline JIT code, the structure now
erroneously tells the put operation that there is a value in that property
slot when it is actually uninitialized (hence, the crash).

The fix is to insert the Check at the earliest point possible:

1. If the checked node is in the same bytecode as the PutByOffset, then
the earliest point where we can insert the Check is right after the
checked node.

2. If the checked node is from a preceding bytecode (before the PutByOffset),
then the earliest point where we can insert the Check is at the start
of the current bytecode.

Also reverted the workaround from r174749: https://webkit.org/b/137758.

Benchmark results appear to be a wash on aggregate.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::indexOfNode):
(JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertCheck):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertOutOfOrder):
(JSC::DFG::InsertionSet::insertOutOfOrderNode):
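The two placement rules in the entry above, as an added Python model written for this page; it is not JSC's DFG code. The Node class, the opcode strings, the bytecode offsets of @19 and @54, and the helper names are assumptions chosen to mirror the graph dump in the entry, and the block it builds is constructed. It contrasts the placement that puts the Check directly before its user (the bad graph shown above) with the earliest-point placement, and reports which structure-mutating nodes would already have run when the Check OSR-exits.

```python
"""Constructed model of the Check placement rule from the ChangeLog entry above.

Not JSC code: Node, the opcode strings, the bytecode offsets and the helper
names are assumptions made for this example, chosen to mirror the dump in
the entry (@19 object, @54 stored value, @102/@60/@61 at bc#44).
"""
from dataclasses import dataclass
from typing import List, Optional

# Ops whose effect is observable after an OSR exit. If one runs before the
# Check guarding the PutByOffset, baseline code sees a structure that claims
# a property slot which was never written.
STRUCTURE_MUTATING_OPS = {"PutStructure"}


@dataclass
class Node:
    id: int
    op: str
    bytecode: int                  # exit origin, the "bc#NN" in the dump
    checked: Optional[int] = None  # Check nodes: id of the node being checked


def index_of_node(block: List[Node], node_id: int) -> int:
    """Position of node @node_id in the block."""
    for i, n in enumerate(block):
        if n.id == node_id:
            return i
    raise KeyError(f"@{node_id} is not in this block")


def index_of_first_node_of_exit_origin(block: List[Node], bytecode: int) -> int:
    """Position of the first node that belongs to bytecode bc#<bytecode>."""
    for i, n in enumerate(block):
        if n.bytecode == bytecode:
            return i
    raise KeyError(f"no node with exit origin bc#{bytecode}")


def insert_check_before_use(block: List[Node], use_index: int,
                            checked_id: int, check_id: int) -> List[Node]:
    """Problematic placement: the Check lands immediately before its user."""
    use = block[use_index]
    check = Node(check_id, "Check", use.bytecode, checked_id)
    return block[:use_index] + [check] + block[use_index:]


def insert_check_earliest(block: List[Node], use_index: int,
                          checked_id: int, check_id: int) -> List[Node]:
    """Fixed placement: the earliest point at which the Check can sit."""
    use = block[use_index]
    checked_index = index_of_node(block, checked_id)
    if block[checked_index].bytecode == use.bytecode:
        # Rule 1: same bytecode, so right after the checked node.
        insert_at = checked_index + 1
    else:
        # Rule 2: checked node comes from an earlier bytecode, so at the start
        # of the current bytecode, ahead of any of its side effects.
        insert_at = index_of_first_node_of_exit_origin(block, use.bytecode)
    check = Node(check_id, "Check", use.bytecode, checked_id)
    return block[:insert_at] + [check] + block[insert_at:]


def mutations_before_first_check(block: List[Node]) -> List[int]:
    """Ids of structure-mutating nodes that already ran if the first Check exits."""
    hazards = []
    for n in block:
        if n.op == "Check":
            break
        if n.op in STRUCTURE_MUTATING_OPS:
            hazards.append(n.id)
    return hazards


def node_ids(block: List[Node]) -> List[int]:
    return [n.id for n in block]


def example_block() -> List[Node]:
    """Constructed: @19 and @54 come from earlier bytecodes (rule 2 case)."""
    return [Node(19, "GetLocal", 40), Node(54, "GetLocal", 42),
            Node(102, "StoreBarrier", 44), Node(60, "PutStructure", 44),
            Node(61, "PutByOffset", 44)]


def example_block_same_bytecode() -> List[Node]:
    """Constructed: @54 is produced inside bc#44 itself (rule 1 case)."""
    return [Node(19, "GetLocal", 40), Node(102, "StoreBarrier", 44),
            Node(54, "GetLocal", 44), Node(60, "PutStructure", 44),
            Node(61, "PutByOffset", 44)]


def compare_placements():
    """Hazard lists for both placements of Check(@54) guarding PutByOffset @61."""
    block = example_block()
    put_index = index_of_node(block, 61)
    before_use = insert_check_before_use(block, put_index, 54, 103)
    earliest = insert_check_earliest(block, put_index, 54, 103)
    return (mutations_before_first_check(before_use),
            mutations_before_first_check(earliest))


if __name__ == "__main__":
    # ([60], []): only the old placement lets PutStructure @60 run before the Check.
    print(compare_placements())
```

Running `compare_placements()` shows the asymmetry the entry describes: with the Check placed just before the PutByOffset, PutStructure @60 has already executed when the Check exits, whereas the earliest-point placement moves the Check ahead of the whole bc#44 group. The same-bytecode block exercises rule 1, where the Check goes directly after @54 but still ahead of PutStructure.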

2014-10-10 Oliver Hunt <oliver@apple.com>

Various arguments optimisations in codegen fail to account for arguments being in lexical record
https://bugs.webkit.org/show_bug.cgi?id=137617

Reviewed by Michael Saboff.

Rework the way we track |arguments| references so that we don't try
to use the |arguments| reference on the stack if it's not safe.

To do this without nuking performance it was necessary to update
the parser to track modification of the |arguments| reference
itself.

* bytecode/CodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::willResolveToArguments):
(JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
* bytecompiler/NodesCodegen.cpp:
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::getArgumentByVal):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::existingArguments):
* parser/Nodes.h:
(JSC::ScopeNode::modifiesArguments):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::Scope::getCapturedVariables):
* parser/ParserModes.h:

2014-10-17 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Use WTF::move() instead of std::move() to help ensure move semantics in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=137809

Reviewed by Csaba Osztrogonác.

Substitution of WTF::move() for std::move(). Clean up std::move() in JavaScriptCore.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::setter):

2014-10-15 Oliver Hunt <oliver@apple.com>

Use a single allocation for the Arguments object
https://bugs.webkit.org/show_bug.cgi?id=137751

Reviewed by Filip Pizlo.

This patch removes the secondary allocation for parameters in the Arguments
object. This is fairly simple, but we needed to make it possible for the JIT
to allocate a variable GC object. To do this I've added a new
emitAllocateVariableSizedJSObject function to the JIT that does the work to
find the correct heap for a variable sized allocation and then bump that
allocator.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateArguments):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
* heap/CopyToken.h:
* heap/Heap.h:
(JSC::Heap::subspaceForObjectWithoutDestructor):
(JSC::Heap::subspaceForObjectNormalDestructor):
(JSC::Heap::subspaceForObjectsWithImmortalStructure):
* heap/MarkedSpace.h:
(JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor):
(JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure):
(JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::createArguments):
* runtime/Arguments.cpp:
(JSC::Arguments::visitChildren):
(JSC::Arguments::copyBackingStore):
(JSC::Arguments::tearOff):
(JSC::Arguments::allocateRegisterArray): Deleted.
* runtime/Arguments.h:
(JSC::Arguments::create):
(JSC::Arguments::isTornOff):
(JSC::Arguments::offsetOfRegisterArray):
(JSC::Arguments::registerArraySizeInBytes):
(JSC::Arguments::registerArray):
(JSC::Arguments::allocationSize): Deleted.

2014-10-15 Filip Pizlo <fpizlo@apple.com>

Apparently we've had a hole in arguments capture all along
https://bugs.webkit.org/show_bug.cgi?id=137767

Reviewed by Oliver Hunt.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArgument):
* tests/stress/arguments-captured.js: Added.
(foo):
(bar):

2014-10-16 Saam Barati <saambarati1@gmail.com>

Have the ProfileType node in the DFG convert to a structure check where it can
https://bugs.webkit.org/show_bug.cgi?id=137596

Reviewed by Filip Pizlo.

TypeSet now keeps track of the live set of Structures it has seen.
It no longer nukes everything during GC. It now only removes unmarked
structures during GC. This modification allows the ProfileType node
to convert into a CheckStructure node safely in the DFG.

This change brings up the conversion rate from ProfileType to Check
or CheckStructure from ~45% to ~65%. This change also speeds the
type profiler up significantly: consistently between 2x-20x faster.

This patch also does some slight refactoring: a few type profiler
related fields are moved from VM to TypeProfiler.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheckStructure):
* heap/Heap.cpp:
(JSC::Heap::collect):
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::uniqueIDForVariable):
* runtime/SymbolTable.h:
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::TypeProfiler):
(JSC::TypeProfiler::nextTypeLocation):
(JSC::TypeProfiler::invalidateTypeSetCache):
(JSC::TypeProfiler::dumpTypeProfilerData):
* runtime/TypeProfiler.h:
(JSC::TypeProfiler::getNextUniqueVariableID):
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::processLogEntries):
* runtime/TypeSet.cpp:
(JSC::TypeSet::addTypeInformation):
(JSC::TypeSet::invalidateCache):
* runtime/TypeSet.h:
(JSC::TypeSet::structureSet):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::enableTypeProfiler):
(JSC::VM::disableTypeProfiler):
(JSC::VM::dumpTypeProfilerData):
(JSC::VM::nextTypeLocation): Deleted.
(JSC::VM::invalidateTypeSetCache): Deleted.
* runtime/VM.h:
(JSC::VM::typeProfiler):
(JSC::VM::getNextUniqueVariableID): Deleted.
* tests/typeProfiler/dfg-jit-optimizations.js:

2014-10-16 Adrien Destugues <pulkomandy@gmail.com>

Use isnan from std namespace in ProfileGenerator.cpp
https://bugs.webkit.org/show_bug.cgi?id=137653

Reviewed by Darin Adler.

The C++ isnan() function is in the std namespace. The unprefixed isnan
may be available because of C99 headers leakage in C++, but should not
be used.

No new tests: no functional change, build fix on platforms which don't
export C99 functions in C++.

* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::beginCallEntry):
(JSC::ProfileGenerator::endCallEntry):
(JSC::ProfileGenerator::didPause):
(JSC::ProfileGenerator::didContinue):

2014-10-15 Michael Saboff <msaboff@apple.com>

REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's JavaScript
https://bugs.webkit.org/show_bug.cgi?id=137758

Rubber stamped by Filip Pizlo.

Reverted r174025 for just PutByOffset Nodes.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

2014-10-14 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Clean up unnecessary PassOwnPtr.h inclusion
https://bugs.webkit.org/show_bug.cgi?id=137726

Reviewed by Chris Dumez.

* API/JSCallbackObject.h: Remove PassOwnPtr.h inclusion.
* bytecode/DFGExitProfile.cpp: ditto.

2014-10-14 Brent Fulgham <bfulgham@apple.com>

[Win] Unreviewed gardening. Ignore Visual Studio *.sdf files.

* JavaScriptCore.vcxproj: Modified properties svn:ignore and svn:ignore.
* JavaScriptCore.vcxproj/jsc: Modified property svn:ignore.

2014-10-14 Matthew Mirman <mmirman@apple.com>

Removes references to LLVMJIT which is no longer part of LLVM
https://bugs.webkit.org/show_bug.cgi?id=137708

Reviewed by Filip Pizlo.

* Configurations/LLVMForJSC.xcconfig: removed -lLLVMJIT
* llvm/LLVMAPIFunctions.h: removed LinkInJIT

2014-10-14 peavo@outlook.com <peavo@outlook.com>

[Win32] Thunk is not implemented.
https://bugs.webkit.org/show_bug.cgi?id=137691

Reviewed by Mark Lam.

Thunks for functions with double operands (floor, etc.) are not implemented on Win32.

* jit/ThunkGenerators.cpp:

2014-10-12 Alexey Proskuryakov <ap@apple.com>

Adding svn:ignore so that .pyc files don't show up as new.

* inspector/scripts/codegen: Added property svn:ignore.

2014-10-10 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r174606.
https://bugs.webkit.org/show_bug.cgi?id=137621

broke a JSC test (Requested by estes on #webkit).

Reverted changeset:

"Various arguments optimisations in codegen fail to account
for arguments being in lexical record"
https://bugs.webkit.org/show_bug.cgi?id=137617
http://trac.webkit.org/changeset/174606

2014-10-10 Oliver Hunt <oliver@apple.com>

Various arguments optimisations in codegen fail to account for arguments being in lexical record
https://bugs.webkit.org/show_bug.cgi?id=137617

Reviewed by Michael Saboff.

Rework the way we track |arguments| references so that we don't try
to use the |arguments| reference on the stack if it's not safe.

To do this without nuking performance it was necessary to update
the parser to track modification of the |arguments| reference
itself.

* bytecode/CodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::willResolveToArguments):
(JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
* bytecompiler/NodesCodegen.cpp:
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::getArgumentByVal):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::existingArguments):
* parser/Nodes.h:
(JSC::ScopeNode::modifiesArguments):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::Scope::getCapturedVariables):
* parser/ParserModes.h:

2014-10-09 Joseph Pecoraro <pecoraro@apple.com>
34271 | ||
34272 | Web Inspector: Remove unused generator code | |
34273 | https://bugs.webkit.org/show_bug.cgi?id=137564 | |
34274 | ||
34275 | Reviewed by Brian Burg. | |
34276 | ||
34277 | * inspector/scripts/codegen/generate_backend_dispatcher_header.py: | |
34278 | (BackendDispatcherHeaderGenerator.generate_output): Deleted. | |
34279 | * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: | |
34280 | (BackendDispatcherImplementationGenerator.generate_output): | |
34281 | * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: | |
34282 | (FrontendDispatcherHeaderGenerator.generate_output): | |
34283 | * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: | |
34284 | (FrontendDispatcherImplementationGenerator.generate_output): | |
34285 | * inspector/scripts/codegen/generate_protocol_types_header.py: | |
34286 | (ProtocolTypesHeaderGenerator.generate_output): | |
34287 | * inspector/scripts/codegen/generate_protocol_types_implementation.py: | |
34288 | (ProtocolTypesImplementationGenerator.generate_output): | |
34289 | inputFilename is now handled by the generic generator base class. | |
34290 | ||
34291 | * inspector/scripts/codegen/models.py: | |
34292 | (Framework.fromString): | |
34293 | (Frameworks): | |
34294 | * inspector/scripts/generate-inspector-protocol-bindings.py: | |
34295 | The WTF framework is unused. Remove unexpected frameworks. | |
34296 | ||
34297 | 2014-10-09 Dean Jackson <dino@apple.com> | |
34298 | ||
34299 | Remove ENABLE_CSS3_CONDITIONAL_RULES | |
34300 | https://bugs.webkit.org/show_bug.cgi?id=137571 | |
34301 | ||
34302 | Reviewed by Simon Fraser. | |
34303 | ||
34304 | * Configurations/FeatureDefines.xcconfig: | |
34305 | ||
34306 | 2014-10-09 Adrien Destugues <pulkomandy@gmail.com> | |
34307 | ||
34308 | Fix compiler warning on noreturn function | |
34309 | https://bugs.webkit.org/show_bug.cgi?id=137558 | |
34310 | ||
34311 | Reviewed by Darin Adler. | |
34312 | ||
34313 | The function is marked "noreturn", but the stub implementation does | |
34314 | return. No new tests: function is never called. Only fixes a warning. | |
34315 | ||
34316 | * heap/HeapStatistics.cpp: | |
34317 | (JSC::HeapStatistics::exitWithFailure): | |
34318 | ||
34319 | 2014-10-09 Akos Kiss <akiss@inf.u-szeged.hu> | |
34320 | ||
34321 | Ensure that inline assembly Thunk functions don't conflict with the section designations of the compiler | |
34322 | https://bugs.webkit.org/show_bug.cgi?id=137434 | |
34323 | ||
34324 | Reviewed by Michael Saboff. | |
34325 | ||
34326 | The ARM64 version of the defineUnaryDoubleOpWrapper macro in | |
34327 | ThunkGenerators.cpp contains inline assembly with .text assembler | |
34328 | directive followed by a static variable declaration. This macro gets | |
34329 | expanded several times afterwards, however, only during the compilation | |
34330 | of the first expansion does gcc insert a .data assembler directive | |
34331 | before the assembled version of the static variable. Thus, only the | |
34332 | first variable gets allocated in the .data section, all the others | |
34333 | remain in .text. If JavaScriptCore is built as a shared library then | |
34334 | this causes a segmentation fault during dynamic linking. | |
34335 | ||
34336 | This patch puts a .previous directive at the end of the inline assembly | |
34337 | to ensure that the assumptions of the compiler about the sections are | |
34338 | not broken and the following variable goes to the right place. | |
34339 | ||
34340 | * jit/ThunkGenerators.cpp: | |
34341 | ||
34342 | 2014-10-08 Oliver Hunt <oliver@apple.com> | |
34343 | ||
34344 | Make sure arguments tearoff is performed through the environment record if necessary | |
34345 | https://bugs.webkit.org/show_bug.cgi?id=137538 | |
34346 | ||
34347 | Reviewed by Michael Saboff. | |
34348 | ||
34349 | Fairly simple change. If we have a lexical record we need to pull the unmodified | |
34350 | arguments object from the record and then use the standard op_tear_off_arguments | |
34351 | instruction on the temporary. | |
34352 | ||
34353 | * bytecompiler/BytecodeGenerator.cpp: | |
34354 | (JSC::BytecodeGenerator::emitGetOwnScope): | |
34355 | (JSC::BytecodeGenerator::emitReturn): | |
34356 | * bytecompiler/BytecodeGenerator.h: | |
34357 | ||
34358 | 2014-10-08 peavo@outlook.com <peavo@outlook.com> | |
34359 | ||
34360 | [WinCairo] Enable JIT on 32-bit. | |
34361 | https://bugs.webkit.org/show_bug.cgi?id=137521 | |
34362 | ||
34363 | Reviewed by Mark Lam. | |
34364 | ||
34365 | Enable JIT on Windows 32-bit, but disable it at runtime if SSE2 is not present. | |
34366 | ||
34367 | * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: | |
34368 | * runtime/Options.cpp: | |
34369 | (JSC::recomputeDependentOptions): | |
34370 | ||
34371 | 2014-10-08 Brent Fulgham <bfulgham@apple.com> | |
34372 | ||
34373 | [Win] Resolve some static analysis warnings in JavaScriptCore | |
34374 | https://bugs.webkit.org/show_bug.cgi?id=137508 | |
34375 | ||
34376 | Reviewed by Geoffrey Garen. | |
34377 | ||
34378 | * API/tests/testapi.c: | |
34379 | (assertEqualsAsCharactersPtr): MSVC insists on using %Iu as its format specifier | |
34380 | for size_t. Make the format string conditional on Windows. | |
34381 | * bytecode/Watchpoint.h: | |
34382 | (JSC::InlineWatchpointSet::encodeState): Silence warning about left-shifting 'state' | |
34383 | as a 32-bit value before OR-ing it with a 64-bit value. | |
34384 | * dfg/DFGFixupPhase.cpp: | |
        (JSC::DFG::FixupPhase::fixupNode): Silence warning about operator precedence
        causing the || operation to take place before the >= test.
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::endBasicBlock): Ditto (|| before !=)
        * testRegExp.cpp:
        (testOneRegExp): Ditto %Iu format specifier.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): Silence warning about
        using a 32-bit value as part of a 64-bit calculation.

2014-10-07  Simon Fraser  <simon.fraser@apple.com>

        Roll-over Changelogs.

        * ChangeLog-2014-10-07: Copied from Source/JavaScriptCore/ChangeLog.

== Rolled over to ChangeLog-2014-10-07 ==