[apple/javascriptcore.git] / ChangeLog-2015-07-23
JavaScriptCore-7601.1.46.3.tar.gz
2015-07-20  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r186819. rdar://problem/21729083

    2015-07-14  Matthew Mirman  <mmirman@apple.com>

            Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
            https://bugs.webkit.org/show_bug.cgi?id=146910
            rdar://problem/21729083

            Reviewed by Filip Pizlo.

            Also fixes the debug build problem where all edges are assumed to
            have UntypedUse before the fixup phase.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileArithSub):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
            * tests/stress/arith-add-with-constants.js: Added some tests for this case.
            (arithAdd42WrittenAsInteger):
            (testArithAdd42WrittenAsInteger):
            (arithSub42WrittenAsDouble):
            (testArithSub42WrittenAsDouble):
            (doubleConstant):
            (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
            (arithAdd42WrittenAsDouble): Deleted.
            (testArithAdd42WrittenAsDouble): Deleted.

2015-07-20  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r187028. rdar://problem/21869970

    2015-07-18  Filip Pizlo  <fpizlo@apple.com>

            REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
            https://bugs.webkit.org/show_bug.cgi?id=147074
            rdar://problem/21869970

            Reviewed by Michael Saboff.

            The OSR entry must-handle block/value widening introduced in r186691 would cause the
            CFA to reexecute if it caused any live local variables to change value. But this fails
            if the must-handle block has no live local variables, and the entry block otherwise
            appears to be unreachable.

            This fixes the bug by having the change detection include whether the block hadn't been
            visited in addition to whether any local variable values got widened.

            This is a ~4% speed-up on SunSpider in browser.

            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::run):

2015-07-16  Matthew Hanson  <matthew_hanson@apple.com>

        Merge r186920. rdar://problem/21764196

    2015-07-16  Mark Lam  <mark.lam@apple.com>

            RegExp::match() should set m_state to ByteCode if compilation fails.
            https://bugs.webkit.org/show_bug.cgi?id=147023

            Reviewed by Michael Saboff.

            A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
            If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
            Subsequently, if RegExp tries to compile another one of these but fails, m_state
            will be left untouched i.e. it still says JITCode. As a result, when
            RegExp::match() later tries to execute the non-existent compiled code, it will
            crash.

            The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
            This failure should be rare. We'll do the minimal work here to fix the issue and
            keep an eye on the perf bots. If perf regresses, we can do some optimization work then.

            This issue is difficult to test for since it either requires a low memory condition
            to trigger a failed RegExp compilation at the right moment, or for the RegExp to
            succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
            Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
            10 compilation attempts.

            * runtime/RegExp.cpp:
            (JSC::RegExp::compile):
            (JSC::RegExp::compileMatchOnly):

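The state-machine defect in the entry above, as an added illustrative model that is not JSC's RegExp code: one mode JIT-compiles, a second mode fails to compile, and match() then trusts a state flag that no longer reflects what compiled code exists. ModelRegExp, CompiledMatcher, kWouldCrash and the toy matchers are assumptions of this example; the real engine would jump to a null code pointer where the model returns kWouldCrash.

```cpp
#include <string>

// Illustrative model (added here; not JSC's RegExp) of the m_state bug described
// in the entry above. Names such as ModelRegExp, CompiledMatcher and the return
// codes are assumptions made for this example.

enum class MatchMode { MatchOnly, IncludeSubpatterns };
enum class RegExpState { NotCompiled, ByteCode, JITCode };

// Stand-in for a MacroAssemblerCodeRef: a null pointer means "no compiled code".
using CompiledMatcher = int (*)(const std::string&);

// Toy "compiled" and "interpreted" matchers: both report index 0 on a non-empty
// subject and -1 (no match) on an empty one. Only which path is taken matters here.
static int jitMatcher(const std::string& s) { return s.empty() ? -1 : 0; }
static int byteCodeMatcher(const std::string& s) { return s.empty() ? -1 : 0; }

// Returned instead of dereferencing a null code pointer; models the crash.
constexpr int kWouldCrash = -2;

struct ModelRegExp {
    RegExpState state = RegExpState::NotCompiled;
    CompiledMatcher matchOnlyCode = nullptr;
    CompiledMatcher subpatternCode = nullptr;
    bool downgradeOnFailure; // true = the fix from the entry; false = the old behaviour

    explicit ModelRegExp(bool fix) : downgradeOnFailure(fix) {}

    // 'succeeds' simulates whether JIT compilation for this mode succeeds.
    void compile(MatchMode mode, bool succeeds) {
        CompiledMatcher& slot = (mode == MatchMode::MatchOnly) ? matchOnlyCode : subpatternCode;
        if (succeeds) {
            slot = jitMatcher;
            state = RegExpState::JITCode;
            return;
        }
        slot = nullptr;
        if (downgradeOnFailure)
            state = RegExpState::ByteCode; // the fix: fall back to the interpreter
        // Old behaviour: state is left untouched, so it may still say JITCode.
    }

    int match(MatchMode mode, const std::string& subject) const {
        if (state == RegExpState::JITCode) {
            CompiledMatcher code = (mode == MatchMode::MatchOnly) ? matchOnlyCode : subpatternCode;
            if (!code)
                return kWouldCrash; // the real engine would execute non-existent code here
            return code(subject);
        }
        return byteCodeMatcher(subject);
    }
};

// The failure sequence from the entry: MatchOnly compiles, IncludeSubpatterns then
// fails. Returns what a subsequent IncludeSubpatterns match does.
int matchAfterPartialCompileFailure(bool downgradeOnFailure) {
    ModelRegExp re(downgradeOnFailure);
    re.compile(MatchMode::MatchOnly, true);
    re.compile(MatchMode::IncludeSubpatterns, false);
    return re.match(MatchMode::IncludeSubpatterns, "abc");
}
```

With the old behaviour the IncludeSubpatterns match reaches a null code slot while the state still says JITCode; with the downgrade it takes the interpreter path and returns a normal result.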
2015-07-15  Lucas Forschler  <lforschler@apple.com>

        Merge r186826

    2015-07-14  Anders Carlsson  <andersca@apple.com>

            Assertions.h should include ExportMacros.h
            https://bugs.webkit.org/show_bug.cgi?id=146948

            Reviewed by Tim Horton.

            Remove now unneeded WTF_EXPORT_PRIVATE define.

            * API/JSBase.h:

2015-07-13  Babak Shafiei  <bshafiei@apple.com>

        Merge r186777.

    2015-07-13  Anders Carlsson  <andersca@apple.com>

            Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
            https://bugs.webkit.org/show_bug.cgi?id=146913
            rdar://problem/21789252

            Reviewed by Dan Bernstein.

            Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
            /System/Library/Frameworks/JavaScriptCore.framework.

            * JavaScriptCore.xcodeproj/project.pbxproj:

2015-07-12  Babak Shafiei  <bshafiei@apple.com>

        Merge r186702.

    2015-07-10  Filip Pizlo  <fpizlo@apple.com>

            AI folding of IsObjectOrNull is broken for non-object types that may be null
            https://bugs.webkit.org/show_bug.cgi?id=146867

            Reviewed by Ryosuke Niwa.

            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Fix the bug and add some text describing what is going on.
            * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
            (foo):
            * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
            (foo):

2015-07-12  Babak Shafiei  <bshafiei@apple.com>

        Merge r186691.

    2015-07-04  Filip Pizlo  <fpizlo@apple.com>

            DFG fragile frozen values are fundamentally broken
            https://bugs.webkit.org/show_bug.cgi?id=146602

            Reviewed by Mark Lam.

            This change gets rid of the FragileValue value strength, because it was fundamentally
            broken.

            FragileValue was a value known to the compiler but not tracked by the GC in any way -
            it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
            must-handle values. The philosophy was that if the compiler did use the value for
            optimization, it would have been strengthened to a weak value (or maybe even a strong
            value, though we probably won't do that). But this was too much of a pipe dream. I've
            found at least one case where the compiler did use the value, but never strengthened
            it: it would happen if the value ended up in an OSR entry data expected value. Then if
            we GCed, we might have killed the value, but OSR entry would still try to use it for
            validation. That might have sort of just worked, but it's clearly shady.

            The reason why we made must-handle values fragile and not weak is that most of the time
            the values disappear from the abstract state: they are LUBed to a non-constant. If we
            kept them around as weak, we'd have too many cases of the GC killing the code because
            it thought that the value was somehow meaningful to the code when it was only used as a
            temporary artifact of optimization.

            So, it's true that it's very important for must-handle values not to automatically be
            weak or strong. It's also true that the values are necessary for AI bootstrap because
            we need to know what values OSR entry will require. But we shouldn't accomplish these
            goals by having the compiler hold onto what are essentially dangling pointers.

            This implements a better solution: instead of having InPlaceAbstractState bootstrap the
            AI with must-handle values at the beginning, we now widen the valuesAtHead of the
            must-handle block after AI converges. This widening is done in CFAPhase. This allows us
            to see if the must-handle values are necessary at all. In most cases, the widening
            takes a non-constant abstract value and simply amends something to its type based on
            the type of the must-handle value, and so the must-handle value never actually shows up
            in either the IR or any abstract value. In the unlikely event that the value at head is
            bottom, we freeze the must-handle value. This change removes FragileValue, and this
            freezing uses WeakValue as the strength. That makes sense: since the abstract value was
            bottom, the must-handle value becomes integral to the IR and so it makes no sense for
            the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
            sometimes happen for example if you have a very long-running loop whose pre-header
            allocates some object, but that pre-header appears to always exit to the optimizing JIT
            because it was only profiled once in the LLInt and that profiling appears insufficient
            to the DFG. In that case, we'll effectively constant-fold the references to the object
            inside the loop, which is both efficient (yay constant folding!) and necessary
            (otherwise we wouldn't know what the type of the variable should have been).

            Testing and debugging this is complicated. So, this adds some new capabilities:

            - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
              their strengths, so that it's easy to see what GC objects the DFG feels are necessary
              for the compilation.

            - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
              to see what GC pointers (and other things) are used for OSR entry validation. The
              printouts are quite detailed, and should also help other kinds of OSR entry
              debugging.

            - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
              data structures are also properly registered as either weak or strong pointers in the
              CodeBlock. This validation check previously failed due to fragile values ending up in
              the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
              and in some pre-existing tests (like earley-boyer and 3d-raytrace).

            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitStrongReferences):
            * bytecode/CodeOrigin.cpp:
            (JSC::InlineCallFrame::visitAggregate):
            * bytecode/Operands.h:
            (JSC::Operands::operand):
            (JSC::Operands::hasOperand):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::dump):
            (JSC::StructureSet::validateReferences):
            * bytecode/StructureSet.h:
            * bytecode/TrackedReferences.cpp: Added.
            (JSC::TrackedReferences::TrackedReferences):
            (JSC::TrackedReferences::~TrackedReferences):
            (JSC::TrackedReferences::add):
            (JSC::TrackedReferences::check):
            (JSC::TrackedReferences::dump):
            * bytecode/TrackedReferences.h: Added.
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::observeTransitions):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::fixTypeForRepresentation):
            (JSC::DFG::AbstractValue::mergeOSREntryValue):
            (JSC::DFG::AbstractValue::filter):
            (JSC::DFG::AbstractValue::dumpInContext):
            (JSC::DFG::AbstractValue::validateReferences):
            (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::fullTop):
            (JSC::DFG::AbstractValue::merge):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::run):
            * dfg/DFGCommonData.cpp:
            (JSC::DFG::CommonData::invalidate):
            (JSC::DFG::CommonData::validateReferences):
            * dfg/DFGCommonData.h:
            (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
            * dfg/DFGFrozenValue.h:
            (JSC::DFG::FrozenValue::FrozenValue):
            (JSC::DFG::FrozenValue::strengthenTo):
            (JSC::DFG::FrozenValue::pointsToHeap):
            (JSC::DFG::FrozenValue::strength):
            (JSC::DFG::FrozenValue::freeze):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::registerFrozenValues):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::freeze):
            (JSC::DFG::Graph::freezeStrong):
            (JSC::DFG::Graph::freezeFragile): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::initialize):
            * dfg/DFGJITCode.cpp:
            (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
            (JSC::DFG::JITCode::validateReferences):
            * dfg/DFGJITCode.h:
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::addressOfDoubleConstant):
            (JSC::DFG::JITCompiler::noticeOSREntry):
            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::branchStructurePtr):
            (JSC::DFG::JITCompiler::jitCode):
            (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
            * dfg/DFGMinifiedGraph.cpp: Added.
            (JSC::DFG::MinifiedGraph::prepareAndShrink):
            (JSC::DFG::MinifiedGraph::validateReferences):
            * dfg/DFGMinifiedGraph.h:
            (JSC::DFG::MinifiedGraph::append):
            (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
            * dfg/DFGOSREntry.cpp:
            (JSC::DFG::OSREntryData::dumpInContext):
            (JSC::DFG::OSREntryData::dump):
            (JSC::DFG::prepareOSREntry):
            * dfg/DFGOSREntry.h:
            (JSC::DFG::getOSREntryDataBytecodeIndex):
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::linkOSREntries):
            (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::dump):
            (JSC::DFG::StructureAbstractValue::validateReferences):
            * dfg/DFGStructureAbstractValue.h:
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGValueStrength.cpp:
            (WTF::printInternal):
            * dfg/DFGValueStrength.h:
            (JSC::DFG::merge):
            * ftl/FTLExitPropertyValue.cpp:
            (JSC::FTL::ExitPropertyValue::dump):
            (JSC::FTL::ExitPropertyValue::validateReferences):
            * ftl/FTLExitPropertyValue.h:
            * ftl/FTLExitTimeObjectMaterialization.cpp:
            (JSC::FTL::ExitTimeObjectMaterialization::dump):
            (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
            * ftl/FTLExitTimeObjectMaterialization.h:
            * ftl/FTLExitValue.cpp:
            (JSC::FTL::ExitValue::dump):
            (JSC::FTL::ExitValue::validateReferences):
            * ftl/FTLExitValue.h:
            * ftl/FTLJITCode.cpp:
            (JSC::FTL::JITCode::dfgCommon):
            (JSC::FTL::JITCode::validateReferences):
            * ftl/FTLJITCode.h:
            (JSC::FTL::JITCode::handles):
            (JSC::FTL::JITCode::dataSections):
            * ftl/FTLOSRExit.cpp:
            (JSC::FTL::OSRExit::codeLocationForRepatch):
            (JSC::FTL::OSRExit::validateReferences):
            * ftl/FTLOSRExit.h:
            (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
            * jit/JITCode.cpp:
            (JSC::JITCode::typeName):
            (JSC::JITCode::validateReferences):
            (JSC::JITCode::execute):
            * jit/JITCode.h:
            (JSC::JITCode::start):
            * tests/stress/dead-osr-entry-value.js: Added.
            (foo):

2015-07-10  Matthew Hanson  <matthew_hanson@apple.com>

        Disable non-shipping features.

        * Configurations/FeatureDefines.xcconfig:

2015-07-09  Mark Lam  <mark.lam@apple.com>

        SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
        https://bugs.webkit.org/show_bug.cgi?id=146807

        Reviewed by Filip Pizlo.

        When we capture an argument by name and we use "arguments", we put all of the
        arguments into the scope. But destructured arguments are put into the scope
        anonymously i.e. the SymbolTable knows that the scope offset is in use via
        SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
        SymbolTable::m_map.

        The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
        have a size which is based on the largest ScopeOffset in the m_map. If we have a
        scenario where the anonymous argument is at a higher ScopeOffset than all the
        named arguments, then the m_localToEntry vector will not have an entry for it
        i.e. the m_localToEntry vector will have a size that is <= the ScopeOffset of
        the anonymous argument.

        Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
        within the bounds of the m_localToEntry vector before indexing into it.

        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::entryFor):

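The size mismatch described in the entry above, as an added illustrative model that is not JSC's SymbolTable: the lookup vector is rebuilt only from named entries, so an anonymous slot above every named one lies past its end, and the checked entryFor() returns null for it instead of reading out of bounds. ModelSymbolTable, addNamed, addAnonymous, populateScenario and the two scenario helpers are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Illustrative model (added here; not JSC's SymbolTable) of the m_localToEntry
// size mismatch described in the entry above. ModelSymbolTable, addNamed,
// addAnonymous and the helper functions below are assumptions of this example.

using ScopeOffset = std::size_t;

struct Entry {
    std::string name;
    ScopeOffset offset;
};

struct ModelSymbolTable {
    std::map<std::string, Entry> map;          // m_map: only variables that have a name
    ScopeOffset maxScopeOffset = 0;            // m_maxScopeOffset: highest slot in use, named or not
    std::vector<const Entry*> localToEntry;    // m_localToEntry: synthesized from map

    void addNamed(const std::string& name, ScopeOffset offset) {
        map[name] = Entry{name, offset};
        maxScopeOffset = std::max(maxScopeOffset, offset);
    }

    // A destructured argument occupies a slot but is not recorded in map.
    void addAnonymous(ScopeOffset offset) {
        maxScopeOffset = std::max(maxScopeOffset, offset);
    }

    // Rebuild localToEntry from map. Its size depends only on the largest *named*
    // offset, so an anonymous slot above all named ones lies outside the vector.
    void rehash() {
        localToEntry.clear();
        for (const auto& kv : map)
            localToEntry.resize(std::max(localToEntry.size(), kv.second.offset + 1), nullptr);
        for (const auto& kv : map)
            localToEntry[kv.second.offset] = &kv.second;
    }

    // Fixed lookup: bounds-check before indexing. Returns null for unknown or
    // out-of-range offsets instead of reading past the end of the vector.
    const Entry* entryFor(ScopeOffset offset) const {
        if (offset >= localToEntry.size())
            return nullptr;
        return localToEntry[offset];
    }
};

// Scenario from the entry: two named arguments, then a destructured (anonymous)
// argument at a higher ScopeOffset than every named one.
static void populateScenario(ModelSymbolTable& table) {
    table.addNamed("a", 0);
    table.addNamed("b", 1);
    table.addAnonymous(2);
    table.rehash();
}

// True when a slot the table knows is in use has no localToEntry element,
// i.e. the case where an unchecked index would read out of bounds.
bool scenarioHasSlotOutsideTable() {
    ModelSymbolTable table;
    populateScenario(table);
    return table.maxScopeOffset >= table.localToEntry.size();
}

// Name found at an offset by the checked lookup, or "" if it safely returns null.
std::string scenarioEntryNameAt(ScopeOffset offset) {
    ModelSymbolTable table;
    populateScenario(table);
    const Entry* e = table.entryFor(offset);
    return e ? e->name : std::string();
}
```

The check is a comparison against the vector's actual size rather than against maxScopeOffset, because it is precisely the gap between those two that the entry describes.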
2015-07-09  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
        https://bugs.webkit.org/show_bug.cgi?id=146767

        Reviewed by Geoffrey Garen.

        If the stack check fails at the top most frame, we must use that frame to
        generate the exception. Reverted the code to always use the current frame to
        throw an out of stack exception.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2015-07-03  Filip Pizlo  <fpizlo@apple.com>

        OSR exit fuzzing should allow us to select a static exit site
        https://bugs.webkit.org/show_bug.cgi?id=146601

        Reviewed by Geoffrey Garen.

        The original implementation of the fuzzer allows us to trigger an exit based on its index
        in the dynamic sequence of exit sites encountered. But there are usually millions of
        dynamically encountered exit sites, even if the program only has thousands of static exit
        sites. That means that we would at best be able to do a random sampling of exits, and
        those would be biased to the hottest exit sites.

        This change allows us to also select exit sites based on their index in the static
        sequence of exit sites that the compiler compiled. Then, once that static exit site is
        selected, we can select which dynamic exit at that exit site we should trigger. Since the
        number of static exit sites is usually smallish (it's bounded by program size), we can do
        an exhaustive search over all exit sites in most programs.

        * dfg/DFGOSRExitFuzz.cpp:
        (JSC::numberOfStaticOSRExitFuzzChecks):
        (JSC::numberOfOSRExitFuzzChecks):
        * dfg/DFGOSRExitFuzz.h:
        (JSC::DFG::doOSRExitFuzzing):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:

2015-07-08  Joseph Pecoraro  <pecoraro@apple.com>

        Fix grammar issue in TypeError attempting to change an unconfigurable property
        https://bugs.webkit.org/show_bug.cgi?id=146774

        Reviewed by Brent Fulgham.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):

2015-07-06  Csaba Osztrogonác  <ossy@webkit.org>

        Remove the unused HeapBlock.h
        https://bugs.webkit.org/show_bug.cgi?id=146580

        Reviewed by Andreas Kling.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.h:
        * heap/CopiedSpace.h:
        * heap/CopiedSpaceInlines.h:
        * heap/HandleBlock.h:
        * heap/HeapBlock.h: Removed.
        * heap/MarkedBlock.h:

2015-07-06  Saam barati  <saambarati1@gmail.com>

        JSC's parser should follow the ES6 spec with respect to parsing Declarations
        https://bugs.webkit.org/show_bug.cgi?id=146621

        Reviewed by Mark Lam.

        There were a few locations where JSC would allow declaration statements
        in incorrect ways. JSC didn't distinguish between 'Statement' and
        'StatementListItem' grammar productions. The relevant grammar is here:
        http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements

        From the ECMAScript 6.0 spec:
        1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement)
           says that IfStatements only take Statements for the "then-else" clauses, not StatementListItems.
           (Same with 'while/for/do-while' loop bodies).
        2. Section 13 ECMAScript Language: Statements and Declarations
           (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
           defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations
           (const, let, see 13.3.1 Let and Const Declarations).
           Declarations can only be in the "then-else" clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).

        Hence, the following style of declarations are no longer allowed:
        'if/for/while (condition) const x = 40;'
        'if/for/while (condition) class C { }'

        Instead, we mandate such declaration constructs are within a StatementList
        (which is the production that JSC's Parser::parseSourceElements function parses):
        'if/for/while (condition) { const x = 40; }'
        'if/for/while (condition) { class C { } }'

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseVarDeclaration):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseExpressionStatement):
        * parser/Parser.h:
        (JSC::Parser::getLabel):

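The Statement versus StatementListItem distinction from the entry above, as an added toy recursive-descent parser that is not JSC's Parser: parseStatement() accepts blocks, if/while and expression statements but rejects a bare 'const' or 'class', while parseStatementListItem(), which is what a block body is parsed with, accepts declarations as well. The grammar is cut down to the forms the entry names (if/while, blocks, 'const' and 'class' declarations, trivial expressions); ToyParser and parses() are assumptions of this example.

```cpp
#include <cctype>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Illustrative toy parser (added here; not JSC's Parser) for the Statement vs.
// StatementListItem distinction described in the entry above. It covers only
// if/while, blocks, 'const' and 'class' declarations and trivial expressions;
// ToyParser and parses() are assumptions of this example.
class ToyParser {
    std::vector<std::string> toks;
    std::size_t pos = 0;

    // Splits on whitespace and on the single-character punctuators used below.
    static std::vector<std::string> tokenize(const std::string& src) {
        std::vector<std::string> out;
        std::string cur;
        const std::string punct = "(){};=";
        auto flush = [&] { if (!cur.empty()) { out.push_back(cur); cur.clear(); } };
        for (char c : src) {
            if (std::isspace(static_cast<unsigned char>(c))) flush();
            else if (punct.find(c) != std::string::npos) { flush(); out.push_back(std::string(1, c)); }
            else cur += c;
        }
        flush();
        return out;
    }
    const std::string& peek() const {
        static const std::string eof;
        return pos < toks.size() ? toks[pos] : eof;
    }
    std::string next() { std::string t = peek(); if (pos < toks.size()) ++pos; return t; }
    void expect(const std::string& s) { if (next() != s) throw std::runtime_error("expected " + s); }
    static bool isKeyword(const std::string& t) { return t == "if" || t == "while" || t == "const" || t == "class"; }
    static bool isIdentifier(const std::string& t) {
        return !t.empty() && !isKeyword(t) && (std::isalpha(static_cast<unsigned char>(t[0])) || t[0] == '_');
    }
    std::string parseIdentifier() {
        std::string t = next();
        if (!isIdentifier(t)) throw std::runtime_error("identifier expected");
        return t;
    }
    // Expression := (Identifier | Number) ('=' Expression)?
    void parseExpression() {
        std::string t = next();
        if (!isIdentifier(t) && !(!t.empty() && std::isdigit(static_cast<unsigned char>(t[0]))))
            throw std::runtime_error("expression expected");
        if (peek() == "=") { next(); parseExpression(); }
    }
    // Declaration := 'const' Identifier '=' Expression ';' | 'class' Identifier '{' '}'
    void parseDeclaration() {
        if (next() == "const") { parseIdentifier(); expect("="); parseExpression(); expect(";"); }
        else { parseIdentifier(); expect("{"); expect("}"); }
    }
    // StatementListItem := Declaration | Statement   (ES6 13.2)
    void parseStatementListItem() {
        if (peek() == "const" || peek() == "class") parseDeclaration();
        else parseStatement();
    }
    void parseStatementList() { while (pos < toks.size() && peek() != "}") parseStatementListItem(); }
    // Statement := Block | IfStatement | WhileStatement | ExpressionStatement   (ES6 13)
    // A Declaration is not a Statement, so it is rejected here; inside a Block it is
    // reached again through parseStatementListItem and accepted.
    void parseStatement() {
        std::string t = peek();
        if (t == "{") { next(); parseStatementList(); expect("}"); }
        else if (t == "if" || t == "while") { next(); expect("("); parseExpression(); expect(")"); parseStatement(); }
        else if (t == "const" || t == "class") throw std::runtime_error("declaration not allowed as a Statement");
        else { parseExpression(); expect(";"); }
    }
public:
    explicit ToyParser(const std::string& src) : toks(tokenize(src)) {}
    // Script := StatementList; true only when the whole input parses.
    bool parseProgram() {
        try { parseStatementList(); return pos == toks.size(); }
        catch (const std::runtime_error&) { return false; }
    }
};

bool parses(const std::string& src) { return ToyParser(src).parseProgram(); }
```

The two rejected forms and the two accepted forms from the entry map directly onto which production the declaration is reached through: directly from parseStatement() after the condition it is an error, via a block's StatementList it is fine, and at top level (itself a StatementList) it is fine too.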
2015-07-06  Alex Christensen  <achristensen@webkit.org>

        Unreviewed debug build fix after r186358.

        * runtime/JSArray.cpp:
        (JSC::JSArray::fastConcatWith):
        Pass vm parameter to fastConcatType.

2015-07-06  Ryosuke Niwa  <rniwa@webkit.org>

        Array.concat should be fast for integer or double arrays
        https://bugs.webkit.org/show_bug.cgi?id=146260

        Reviewed by Darin Adler.

        Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
        arrays, simply memcopy the arrays into a new uninitialized buffer.

        This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastConcatWith): Added.
        * runtime/JSArray.h:
        (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
        the fast path. Returns NonArray otherwise.

2015-07-06  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        [Streams API] Remove ReadableStream custom constructor
        https://bugs.webkit.org/show_bug.cgi?id=146547

        Reviewed by Darin Adler.

        Adding helper function to throw range errors.

        * runtime/Error.h:
        (JSC::throwRangeError):
        (JSC::throwVMRangeError):

2015-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement the latest Promise spec in JS
        https://bugs.webkit.org/show_bug.cgi?id=146229

        Reviewed by Sam Weinig.

        Updated the Promise implementation to meet the ES6 spec.
        This patch
        1. Implements ES6 Promise and related abstract operations in builtins JS
        2. Exposes the @enqueueJob private function to the JS world to post the microtask

        The updated implementation has a one-to-one correspondence to the ES6 spec description.
        It keeps JSPromiseDeferred because it is the interface used from WebCore.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (copyWithin):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * builtins/ArrayConstructor.js:
        (from):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * builtins/GlobalObject.js:
        (toInteger):
        (toLength):
        (isObject):
        (ToInteger): Deleted.
        (ToLength): Deleted.
        ToInteger / ToLength are renamed to toInteger and toLength.
        Add new abstract operation, isObject.
        * builtins/Operations.Promise.js: Added.
        (isPromise):
        (newPromiseReaction):
        (newPromiseDeferred):
        (newPromiseCapability.executor):
        (newPromiseCapability):
        (triggerPromiseReactions):
        (rejectPromise):
        (fulfillPromise):
        (createResolvingFunctions.resolve):
        (createResolvingFunctions.reject):
        (createResolvingFunctions):
        (promiseReactionJob):
        (promiseResolveThenableJob):
        (initializePromise):
        Added Promise related abstract operations.
        * builtins/Promise.prototype.js:
        (catch):
        (.onFulfilled):
        (.onRejected):
        (then):
        Promise#then implementation in JS.
        * builtins/PromiseConstructor.js: Added.
        (all.newResolveElement):
        (all):
        (race):
        (reject):
        (resolve):
        Promise static functions implementations in JS.
        * builtins/StringConstructor.js:
        (raw):
        ToInteger / ToLength are renamed to toInteger and toLength.
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::initializePromiseFunction):
        (JSC::JSGlobalObject::newPromiseDeferredFunction):
        * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
        (JSC::createJSJob):
        (JSC::JSJobMicrotask::run):
        * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::result):
        (JSC::JSPromise::destroy): Deleted.
        (JSC::JSPromise::visitChildren): Deleted.
        (JSC::JSPromise::reject): Deleted.
        (JSC::JSPromise::resolve): Deleted.
        (JSC::JSPromise::appendResolveReaction): Deleted.
        (JSC::JSPromise::appendRejectReaction): Deleted.
        (JSC::triggerPromiseReactions): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::status): Deleted.
        (JSC::JSPromise::result): Deleted.
        (JSC::JSPromise::constructor): Deleted.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructorFuncResolve): Deleted.
        (JSC::JSPromiseConstructorFuncReject): Deleted.
        (JSC::performPromiseRaceLoop): Deleted.
        (JSC::JSPromiseConstructorFuncRace): Deleted.
        (JSC::performPromiseAll): Deleted.
        (JSC::JSPromiseConstructorFuncAll): Deleted.
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::create):
        (JSC::createJSPromiseDeferredFromConstructor): Deleted.
        (JSC::updateDeferredFromPotentialThenable): Deleted.
        (JSC::performDeferredResolve): Deleted.
        (JSC::performDeferredReject): Deleted.
        (JSC::abruptRejection): Deleted.
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseFunctions.cpp: Removed.
        (JSC::deferredConstructionFunction): Deleted.
        (JSC::createDeferredConstructionFunction): Deleted.
        (JSC::identifyFunction): Deleted.
        (JSC::createIdentifyFunction): Deleted.
        (JSC::promiseAllCountdownFunction): Deleted.
        (JSC::createPromiseAllCountdownFunction): Deleted.
        (JSC::promiseResolutionHandlerFunction): Deleted.
        (JSC::createPromiseResolutionHandlerFunction): Deleted.
        (JSC::rejectPromiseFunction): Deleted.
        (JSC::createRejectPromiseFunction): Deleted.
        (JSC::resolvePromiseFunction): Deleted.
        (JSC::createResolvePromiseFunction): Deleted.
        (JSC::throwerFunction): Deleted.
        (JSC::createThrowerFunction): Deleted.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen): Deleted.
        * runtime/JSPromiseReaction.cpp: Removed.
        (JSC::createExecutePromiseReactionMicrotask): Deleted.
        (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
        (JSC::JSPromiseReaction::create): Deleted.
        (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
        (JSC::JSPromiseReaction::finishCreation): Deleted.
        (JSC::JSPromiseReaction::visitChildren): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

2015-07-04  Chris Dumez  <cdumez@apple.com>

        Drop RefPtr::clear() method
        https://bugs.webkit.org/show_bug.cgi?id=146556

        Reviewed by Brady Eidson.

        Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

2015-07-03  Dan Bernstein  <mitz@apple.com>

        Just give up on -Wunreachable-code in JavaScriptCore.

        * Configurations/Base.xcconfig:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2015-07-03  Dan Bernstein  <mitz@apple.com>

        Fixed the LLINT CLoop build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2015-07-03  Dan Bernstein  <mitz@apple.com>

        [Xcode] Update some build settings as recommended by Xcode 7
        https://bugs.webkit.org/show_bug.cgi?id=146597

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
        GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

        * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

        * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.

2015-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        Relax builtin JS restriction about try-catch
        https://bugs.webkit.org/show_bug.cgi?id=146555

        Reviewed by Sam Weinig.

        When retrieving the captured variables from the full activated scope,
        it swapped the given vector with the stored declared variables vector.
        This is because retrieving the captured variables is executed in the
        last sequence of the parser, so declared variables are no longer used.
        However, in the builtins functions case, after retrieving the captured
        variables, we check the variables by using the declared variables vector.
        So at that time, the declared variables vector becomes empty and it
        raises assertion failures when the builtins function contains the full
        activated scope. try-catch's catch scope requires the upper scope to be fully
        activated, so JS code in the builtins cannot use try-catch.

        This patch relaxes this restriction. When retrieving the captured
        variables from the scope, just copy to the given vector.

        * parser/Parser.h:
        (JSC::Scope::getCapturedVariables):

2015-07-02  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should have an OSR exit fuzzer
        https://bugs.webkit.org/show_bug.cgi?id=146562

        Reviewed by Benjamin Poulain.

        Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
        spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
        to harness this after I land it.

        Since it's turned off by default, it should have no effect on behavior.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExitFuzz.cpp: Added.
        (JSC::numberOfOSRExitFuzzChecks):
        * dfg/DFGOSRExitFuzz.h: Added.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:

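The two exit-selection strategies, as an added illustrative model that is not JSC's DFGOSRExitFuzz code, covering both this entry (the basic fuzzer that fires at the N-th speculation check seen at runtime) and the "OSR exit fuzzing should allow us to select a static exit site" entry above (firing at the M-th check of one chosen static site, which makes an exhaustive sweep over static sites practical). FuzzConfig, FuzzState, the per-site execution counts of the model program and all function names below are assumptions of this example.

```cpp
#include <cstdint>
#include <vector>

// Illustrative model (added here; not JSC's DFGOSRExitFuzz) of two ways to pick
// which speculation check should be forced to exit: by its index in the dynamic
// sequence of checks, or by static exit site plus a per-site dynamic index.
// FuzzConfig, FuzzState, runModelProgram and the site counts are assumptions.

struct FuzzConfig {
    // Dynamic mode: force an exit at the N-th speculation check encountered (0 = off).
    uint64_t fireAtDynamicCheck = 0;
    // Static mode: force an exit at the M-th check of static site S (M = 0 = off).
    unsigned staticSite = 0;
    uint64_t fireAtCheckOfStaticSite = 0;
};

struct FuzzState {
    uint64_t dynamicChecks = 0;                // checks seen so far across all sites
    std::vector<uint64_t> checksPerStaticSite; // one counter per static exit site
};

// Consulted at every speculation check; true means "take the exit now".
static bool doOSRExitFuzzing(const FuzzConfig& cfg, FuzzState& st, unsigned site) {
    ++st.dynamicChecks;
    ++st.checksPerStaticSite[site];
    if (cfg.fireAtDynamicCheck && st.dynamicChecks == cfg.fireAtDynamicCheck)
        return true;
    if (cfg.fireAtCheckOfStaticSite && site == cfg.staticSite
        && st.checksPerStaticSite[site] == cfg.fireAtCheckOfStaticSite)
        return true;
    return false;
}

// Model program with three static exit sites: site 0 sits in a hot loop and is
// checked a million times, site 1 a hundred times, site 2 exactly once at the end.
static const std::vector<uint64_t> kExecutionsPerSite = {1000000, 100, 1};

unsigned numberOfStaticSites() { return static_cast<unsigned>(kExecutionsPerSite.size()); }

// Runs the model program; returns the static site whose exit was forced, or -1.
int runModelProgram(const FuzzConfig& cfg) {
    FuzzState st{0, std::vector<uint64_t>(kExecutionsPerSite.size(), 0)};
    for (unsigned site = 0; site < kExecutionsPerSite.size(); ++site)
        for (uint64_t i = 0; i < kExecutionsPerSite[site]; ++i)
            if (doOSRExitFuzzing(cfg, st, site))
                return static_cast<int>(site);
    return -1;
}

// Dynamic-index mode: which site does the N-th dynamic check land on?
int siteOfDynamicCheck(uint64_t n) {
    FuzzConfig cfg;
    cfg.fireAtDynamicCheck = n;
    return runModelProgram(cfg);
}

// Static mode, exhaustive: one run per static site, firing its first check.
// Returns the sites that were reached, which should be every one of them.
std::vector<int> exhaustiveStaticSearch() {
    std::vector<int> hit;
    for (unsigned site = 0; site < numberOfStaticSites(); ++site) {
        FuzzConfig cfg;
        cfg.staticSite = site;
        cfg.fireAtCheckOfStaticSite = 1;
        int r = runModelProgram(cfg);
        if (r >= 0)
            hit.push_back(r);
    }
    return hit;
}
```

In dynamic mode almost every index between 1 and a million lands on the hot site 0, and the single check at site 2 is reachable only through one exact index out of 1000101, which is the sampling bias the second entry describes; in static mode three runs cover all three sites.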
2015-07-02  Saam barati  <saambarati1@gmail.com>

        Rename "Deconstruction" to "Destructuring" throughout JSC
        https://bugs.webkit.org/show_bug.cgi?id=146100

        Reviewed by Mark Lam.

        It is good to use the same naming conventions as the ES6
        spec because it is the de facto way of speaking about these
        language features. This also has the benefit of improving JSC's
        hackability because it improves code readability for newcomers
        to JSC or newcomers to this part of the code base.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeNextParameter):
        (JSC::BytecodeGenerator::visibleNameForParameter):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ClassExprNode::emitBytecode):
        (JSC::DestructuringAssignmentNode::emitBytecode):
        (JSC::DestructuringPatternNode::~DestructuringPatternNode):
        (JSC::ArrayPatternNode::collectBoundIdentifiers):
        (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
        (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createForOfLoop):
        (JSC::ASTBuilder::isBindingNode):
        (JSC::ASTBuilder::isResolve):
        (JSC::ASTBuilder::createDestructuringAssignment):
        (JSC::ASTBuilder::createArrayPattern):
        (JSC::ASTBuilder::appendArrayPatternSkipEntry):
        (JSC::ASTBuilder::appendArrayPatternEntry):
        (JSC::ASTBuilder::appendArrayPatternRestEntry):
        (JSC::ASTBuilder::createObjectPattern):
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
        * parser/NodeConstructors.h:
        (JSC::TryNode::TryNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForOfNode::ForOfNode):
        (JSC::DestructuringPatternNode::DestructuringPatternNode):
        (JSC::ArrayPatternNode::ArrayPatternNode):
        (JSC::ArrayPatternNode::create):
        (JSC::ObjectPatternNode::ObjectPatternNode):
        (JSC::BindingNode::create):
        (JSC::BindingNode::BindingNode):
        (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
        (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
829 (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
830 * parser/Nodes.cpp:
831 (JSC::FunctionParameters::create):
832 * parser/Nodes.h:
833 (JSC::ExpressionNode::isResolveNode):
834 (JSC::ExpressionNode::isBracketAccessorNode):
835 (JSC::ExpressionNode::isDotAccessorNode):
836 (JSC::ExpressionNode::isDestructuringNode):
837 (JSC::ExpressionNode::isFuncExprNode):
838 (JSC::ExpressionNode::isCommaNode):
839 (JSC::ExpressionNode::isSimpleArray):
840 (JSC::ParameterNode::pattern):
841 (JSC::ParameterNode::nextParam):
842 (JSC::FunctionParameters::size):
843 (JSC::FunctionParameters::at):
844 (JSC::FunctionParameters::patterns):
845 (JSC::DestructuringPatternNode::isBindingNode):
846 (JSC::DestructuringPatternNode::emitDirectBinding):
847 (JSC::ArrayPatternNode::appendIndex):
848 (JSC::ObjectPatternNode::appendEntry):
849 (JSC::BindingNode::boundProperty):
850 (JSC::DestructuringAssignmentNode::bindings):
851 (JSC::ExpressionNode::isDeconstructionNode): Deleted.
852 (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
853 (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
854 (JSC::DeconstructingAssignmentNode::bindings): Deleted.
855 * parser/Parser.cpp:
856 (JSC::Parser<LexerType>::parseVarDeclaration):
857 (JSC::Parser<LexerType>::parseWhileStatement):
858 (JSC::Parser<LexerType>::parseVarDeclarationList):
859 (JSC::Parser<LexerType>::createBindingPattern):
860 (JSC::Parser<LexerType>::tryParseDestructuringPatternExpression):
861 (JSC::Parser<LexerType>::parseDestructuringPattern):
862 (JSC::Parser<LexerType>::parseDefaultValueForDestructuringPattern):
863 (JSC::Parser<LexerType>::parseForStatement):
864 (JSC::Parser<LexerType>::parseFormalParameters):
865 (JSC::Parser<LexerType>::parseFunctionParameters):
866 (JSC::Parser<LexerType>::parseAssignmentExpression):
867 (JSC::Parser<LexerType>::tryParseDeconstructionPatternExpression): Deleted.
868 (JSC::Parser<LexerType>::parseDeconstructionPattern): Deleted.
869 (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern): Deleted.
870 * parser/Parser.h:
871 (JSC::isEvalNode):
872 * parser/SyntaxChecker.h:
873 (JSC::SyntaxChecker::createPropertyList):
874 (JSC::SyntaxChecker::createElementList):
875 (JSC::SyntaxChecker::createFormalParameterList):
876 (JSC::SyntaxChecker::createClause):
877 (JSC::SyntaxChecker::createClauseList):
878 (JSC::SyntaxChecker::operatorStackPop):
879 * tests/stress/reserved-word-with-escape.js:
880 * tests/stress/rest-elements.js:
881
2015-07-02  Mark Lam  <mark.lam@apple.com>

        Build fix for Win EWS bot.
        https://bugs.webkit.org/show_bug.cgi?id=146551

        Not reviewed.

        * tools/JSDollarVMPrototype.cpp:
        (JSC::functionCrash):

2015-07-02  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/21429613> [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
        https://bugs.webkit.org/show_bug.cgi?id=146542

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.

2015-07-01  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
        https://bugs.webkit.org/show_bug.cgi?id=146536

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:
        Change a CPUProfile from sending a required "calls" param to sending a required
        "callInfo" param which includes aggregated information about the calls.

2015-06-30  Filip Pizlo  <fpizlo@apple.com>

        DFG::freezeFragile should register the frozen value's structure
        https://bugs.webkit.org/show_bug.cgi?id=136055
        rdar://problem/21042120

        Reviewed by Mark Lam and Geoffrey Garen.

        This fixes weird concurrency bugs where the constant folding phase tries to convert
        something to a constant but then crashes because the constant's structure wasn't
        registered. The AI was registering the structure of any value it saw, but constant folding
        wasn't - and that's fine so long as there ain't no concurrency.

        The best fix is to just make it impossible to introduce a constant into the IR without
        registering its structure. That's what this change does. This is not only a great
        concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
        less case of structure registering that you have to remember about.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
        (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::freezeFragile): Register the structure.
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.

2015-07-01  Matthew Mirman  <mmirman@apple.com>

        Unreviewed, rolling out r185889
        https://bugs.webkit.org/show_bug.cgi?id=146528
        rdar://problem/21573959

        Patch breaks chromeexperiments.com

        Reverted changeset:

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSBoundSlotBaseFunction.cpp: Removed.
        * runtime/JSBoundSlotBaseFunction.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Deleted.
        (JSC::JSGlobalObject::visitChildren): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM): Deleted.
        * runtime/VM.h:

2015-07-01  Dean Jackson  <dino@apple.com>

        Disable the experimental WebGL2 implementation
        https://bugs.webkit.org/show_bug.cgi?id=146526
        <rdar://problem/21641235>

        Reviewed by Myles Maxfield.

        Add (and disable) an ENABLE_WEBGL2 flag.

        * Configurations/FeatureDefines.xcconfig:

2015-07-01  Matthew Daiter  <mdaiter@apple.com>

        Enable MEDIA_STREAM flag
        https://bugs.webkit.org/show_bug.cgi?id=145947
        <rdar://problem/21365829>

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag

2015-06-30  Andy VanWagoner  <thetalecrafter@gmail.com>

        Implement ECMAScript Internationalization API
        https://bugs.webkit.org/show_bug.cgi?id=90906

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: add IntlObject.cpp
        * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
        * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
        * runtime/CommonIdentifiers.h: add "Intl" name
        * runtime/IntlObject.cpp: Added.
        (JSC::IntlObject::IntlObject):
        (JSC::IntlObject::create):
        (JSC::IntlObject::finishCreation):
        (JSC::IntlObject::createStructure):
        * runtime/IntlObject.h: Added.
        * runtime/JSGlobalObject.cpp: Add global Intl
        (JSC::JSGlobalObject::init):

2015-06-30  Basile Clement  <basile_clement@apple.com>

        Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
        https://bugs.webkit.org/show_bug.cgi?id=146431

        Reviewed by Filip Pizlo.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::isFunctionAllocation):
        (JSC::DFG::Node::isPhantomFunctionAllocation):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):

2015-06-30  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
        https://bugs.webkit.org/show_bug.cgi?id=146168

        Reviewed by Brian Burg.

        * inspector/protocol/Timeline.json:
        New timeline record type for compositing events.

2015-06-29  Dean Jackson  <dino@apple.com>

        Temporarily disable PICTURE_SIZES
        https://bugs.webkit.org/show_bug.cgi?id=146435
        <rdar://problem/21087013>

        Reviewed by Tim Horton.

        Temporarily disable PICTURE_SIZES because it causes problems with out
        of date <picture> polyfills.

        * Configurations/FeatureDefines.xcconfig:

2015-06-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
        https://bugs.webkit.org/show_bug.cgi?id=146403

        Reviewed by Darin Adler.

        * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.

2015-06-28  Aleksandr Skachkov  <gskachkov@gmail.com>

        [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
        https://bugs.webkit.org/show_bug.cgi?id=146394

        Reviewed by Yusuke Suzuki.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):

2015-06-27  Darin Adler  <darin@apple.com>

        Make converting JSString to StringView idiomatically safe
        https://bugs.webkit.org/show_bug.cgi?id=146387

        Reviewed by Anders Carlsson.

        * jsc.cpp:
        (functionPrint): Add explicit call to SafeView::get, needed since there
        is no StringView temporary.
        (functionDebug): Ditto.

        * runtime/ArrayPrototype.cpp:
        (JSC::holesMustForwardToPrototype): Refactored into helper function.
        (JSC::join): Refactored so that StringView is a function argument, making
        the lifetime simpler.
        (JSC::arrayProtoFuncJoin): Ditto.
        (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Add explicit call to SafeView::get.

        * runtime/JSString.h: Moved declarations of functions to the top of the
        file instead of mixing them in with the function definitions. Changed
        return type of the view function to return a JSString::SafeView so that
        the JSString's lifetime will last as long as the StringView does in
        typical coding idioms.
        (JSC::JSString::getIndex): Use unsafeView so we can index into the
        view; could also have used view.get but here in this class this seems fine.
        (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
        (JSC::JSString::unsafeView): Ditto.
        (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
        and a JSString. The ExecState is needed to create the StringView, and the
        JSString needs to be kept alive as long as the StringView is.
        (JSC::JSString::SafeView::operator StringView): Call unsafeView.
        (JSC::JSString::SafeView::get): Convenience for when we want to call
        StringView member functions.
        (JSC::JSString::view): Added. Returns a SafeView.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get.

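The SafeView idiom described in the JSString.h entry above, as an added example that is not part of JavaScriptCore: a view type that shares ownership of the characters it points into, so the common pattern of taking a view of a temporary string and using it after the temporary is gone stays well defined. OwnedString, makeGreeting and the other names are hypothetical, and std::shared_ptr stands in for the garbage collector that keeps a real JSString alive while a SafeView references it; the unsafeView/view/get split mirrors the one the entry names.

```cpp
// Added illustration, not JavaScriptCore's own code. OwnedString plays the role
// of JSString; std::shared_ptr models "kept alive as long as the view exists".
#include <cstddef>
#include <memory>
#include <string>
#include <string_view>
#include <utility>

class OwnedString {
public:
    explicit OwnedString(std::string chars)
        : m_chars(std::make_shared<std::string>(std::move(chars))) { }

    // The old interface: a bare view that is valid only while this OwnedString
    // lives. `std::string_view v = makeGreeting().unsafeView();` dangles as soon
    // as the temporary dies, and nothing in the type system says so.
    std::string_view unsafeView() const { return *m_chars; }

    // The safe interface: the returned object shares ownership of the
    // characters, so `auto v = expr.view(); use(v);` cannot outlive them even
    // when `expr` is a temporary.
    class SafeView {
    public:
        explicit SafeView(std::shared_ptr<const std::string> chars)
            : m_chars(std::move(chars)) { }
        operator std::string_view() const { return *m_chars; }
        // For call sites that need string_view members directly (the explicit
        // SafeView::get calls the entry mentions).
        std::string_view get() const { return *m_chars; }
    private:
        std::shared_ptr<const std::string> m_chars;
    };

    SafeView view() const { return SafeView(m_chars); }

private:
    std::shared_ptr<const std::string> m_chars;
};

OwnedString makeGreeting() { return OwnedString("hello, world"); }

// Both functions take a view of a temporary and use it after the temporary is
// gone. With SafeView that is well defined; with unsafeView() it would be a
// use-after-free read of the destroyed OwnedString's buffer.
std::size_t lengthViaSafeView()
{
    OwnedString::SafeView v = makeGreeting().view(); // temporary destroyed here
    return v.get().size();                           // 12, characters still alive
}

std::string firstWordViaSafeView()
{
    OwnedString::SafeView v = makeGreeting().view();
    std::string_view sv = v;                         // implicit conversion
    return std::string(sv.substr(0, sv.find(',')));  // "hello"
}
```

The SafeView itself has to be a named local: `std::string_view sv = makeGreeting().view();` converts a SafeView temporary and dangles just like the unsafe version, which is why the code above binds the SafeView first and only then takes a string_view from it inside the same scope.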
2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ARMv7Assembler.cpp
        https://bugs.webkit.org/show_bug.cgi?id=146340

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.cpp: Removed.

2015-06-26  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989
        https://bugs.webkit.org/show_bug.cgi?id=146344

        Reviewed by Yusuke Suzuki.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSourceElements):

2015-06-26  Aleksandr Skachkov  <gskachkov@gmail.com>

        [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function.
        https://bugs.webkit.org/show_bug.cgi?id=144955

        Reviewed by Yusuke Suzuki.

        Added support for ES6 arrow functions. Changes were made according to the following spec:
        http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. The patch does not
        include any arrow-function-specific behavior, e.g. lexical binding of this, arguments, etc.
        This patch implements the simplest cases of arrow function declaration:
            parameters          () => 10 + 20
            parameter           x => x + 20
            parameters          (x, y) => x + y
            function with block x => { return x*10; }

        Not implemented:
            binding of this, arguments, super, etc.
            exception when trying to use 'new' with an arrow function

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createArrowFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setTokenPosition):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer::lastTokenLocation):
        (JSC::Lexer::setTerminator):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseArrowFunctionSingleExpressionBody):
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseSwitchDefaultClause):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        * parser/Parser.h:
        (JSC::Parser::locationBeforeLastToken):
        (JSC::Parser::isEndOfArrowFunction):
        (JSC::Parser::isArrowFunctionParamters):
        (JSC::Parser::setEndOfStatement):
        * parser/ParserFunctionInfo.h:
        * parser/ParserTokens.h:
        * parser/SourceCode.h:
        (JSC::SourceCode::subArrowExpression):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::endFunctionToken):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createArrowFunctionExpr):
        (JSC::SyntaxChecker::setFunctionNameStart):

2015-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Support rest element in destructuring assignments
        https://bugs.webkit.org/show_bug.cgi?id=146206

        Reviewed by Oliver Hunt.

        This patch enables rest element (...rest) in array binding patterns.
        It generates an array from the iterable.
        In variable declarations and parameters, only the `[...identifier]` form is allowed,
        while expressions can take the `[...[...rest]]` pattern.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue):
        (JSC::ArrayPatternNode::toString):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendArrayPatternSkipEntry):
        (JSC::ASTBuilder::appendArrayPatternEntry):
        (JSC::ASTBuilder::appendArrayPatternRestEntry):
        * parser/Nodes.h:
        (JSC::ArrayPatternNode::appendIndex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * tests/stress/rest-elements.js: Added.
        (shouldBe):
        (shouldThrow):

2015-06-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r185956.
        https://bugs.webkit.org/show_bug.cgi?id=146321

        Causes massive crashes on test bots (Requested by bfulgham on
        #webkit).

        Reverted changeset:

        "Enabling MEDIA_STREAM"
        https://bugs.webkit.org/show_bug.cgi?id=145947
        http://trac.webkit.org/changeset/185956

2015-06-25  Michael Saboff  <msaboff@apple.com>

        Minor fix to idx bounds check after 185954

        Rubber Stamped by Ryosuke Niwa.

        Changed "idx > 1" to "idx > 0" in two places.

        * runtime/ExceptionHelpers.cpp:
        (JSC::functionCallBase):

2015-06-25  Keith Miller  <keith_miller@apple.com>

        Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
        https://bugs.webkit.org/show_bug.cgi?id=146297

        Reviewed by Filip Pizlo.

        Since we cannot blacklist the system memcpy, we must use our own naive implementation,
        copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
        only called as part of an O(heapsize) operation. As the heap is generally much larger
        than the stack, the performance hit is minimal.

        * heap/MachineStackMarker.cpp:
        (JSC::copyMemory):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::asanUnsafeMemcpy): Deleted.

2015-06-25  Matthew Daiter  <mdaiter@apple.com>

        Enabling MEDIA_STREAM
        https://bugs.webkit.org/show_bug.cgi?id=145947
        <rdar://problem/21365829>

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2015-06-25  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689)
        https://bugs.webkit.org/show_bug.cgi?id=146298

        Reviewed by Mark Lam.

        We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right-to-left
        string index. Added checks that idx stays within the string. Also added a termination
        condition when idx is 0.

        * runtime/ExceptionHelpers.cpp:
        (JSC::functionCallBase):

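Added illustration, not JavaScriptCore's code: the bug class behind the two functionCallBase entries above (the r185954 regression fix and the follow-up "idx > 1" to "idx > 0" correction), reduced to a self-contained right-to-left scan over a std::string_view with an unsigned index. The real functionCallBase locates the callee text of a call expression for an error message; the simplified grammar here (identifier characters, '.', and balanced [] or () groups) and every function name are hypothetical. What it shows is the shape of a backward scan that cannot underflow: the idx == 0 test comes before each decrement, and every index is checked against the buffer before it is dereferenced.

```cpp
// Added example (not JavaScriptCore code). Scans leftwards from the ')' that
// closes a call to find where the callee expression starts.
#include <cctype>
#include <cstddef>
#include <string>
#include <string_view>

namespace {

constexpr std::size_t kNotFound = std::string_view::npos;

// Starting at text[idx] == close, walk left to the matching `open` and return
// its index, or kNotFound if the text runs out first. The termination test is
// placed *before* the decrement: with an unsigned index, `idx--` at 0 wraps to
// SIZE_MAX, and the next text[idx] reads far outside the buffer (or, as in the
// basspro.com report, the scan never reaches a stopping point).
std::size_t matchingOpenBackward(std::string_view text, std::size_t idx, char open, char close)
{
    int depth = 0;
    for (;;) {
        char c = text[idx];
        if (c == close)
            depth++;
        else if (c == open && --depth == 0)
            return idx;
        if (idx == 0)
            return kNotFound;
        idx--;
    }
}

bool isCalleeChar(char c)
{
    return std::isalnum(static_cast<unsigned char>(c)) || c == '_' || c == '$' || c == '.';
}

} // namespace

// Offset where the callee of the call whose ')' sits at closeParen begins, or
// std::string_view::npos. For "x = a.b[0].c(1, 2)" with closeParen at the final
// ')' the result is 4, the 'a' of "a.b[0].c".
std::size_t findCallBaseStart(std::string_view text, std::size_t closeParen)
{
    if (closeParen >= text.size() || text[closeParen] != ')')
        return kNotFound;

    // 1. Skip the argument list back to its '('.
    std::size_t open = matchingOpenBackward(text, closeParen, '(', ')');
    if (open == kNotFound || open == 0)
        return kNotFound; // unbalanced, or nothing before the '(' that could be a callee

    // 2. Walk the callee leftwards: identifier characters, '.', and balanced
    //    [] or () groups. Again: test for idx == 0 before decrementing.
    std::size_t idx = open - 1;
    for (;;) {
        char c = text[idx];
        if (c == ']' || c == ')') {
            idx = matchingOpenBackward(text, idx, c == ']' ? '[' : '(', c);
            if (idx == kNotFound)
                return kNotFound;
        } else if (!isCalleeChar(c)) {
            // c is not part of the callee, so the callee starts just after it;
            // if that is the '(' itself there was no callee at all.
            return idx + 1 == open ? kNotFound : idx + 1;
        }
        if (idx == 0)
            return 0; // the callee begins at the very start of the text
        idx--;
    }
}

// The callee text itself, or "" when there is none.
std::string callBaseText(std::string_view text, std::size_t closeParen)
{
    std::size_t start = findCallBaseStart(text, closeParen);
    if (start == kNotFound)
        return "";
    std::size_t open = matchingOpenBackward(text, closeParen, '(', ')');
    return std::string(text.substr(start, open - start));
}
```

The two checks the entry describes map onto the two early returns in each loop: the bounds check is the `closeParen >= text.size()` guard plus the fact that idx only ever moves left from a position already known to be inside the text, and the termination condition is the `idx == 0` return that runs before the decrement rather than a `while (idx > 0)` wrapped around a body that also indexes text[idx - 1].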
2015-06-24  Chris Dumez  <cdumez@apple.com>

        Unreviewed, speculative build fix after r185942.

        Add missing include for StrongInlines.h.

        * runtime/ArrayPrototype.cpp:

2015-06-24  Darin Adler  <darin@apple.com>

        Optimize Array.join and Array.reverse for high speed array types
        https://bugs.webkit.org/show_bug.cgi?id=146275

        Reviewed by Mark Lam.

        This seems to yield another 17% speed improvement in the array
        test from the Peacekeeper benchmark.

        * runtime/ArrayPrototype.cpp:
        (JSC::isHole): Added. Helper to check for holes.
        (JSC::containsHole): Ditto.
        (JSC::arrayProtoFuncJoin): Added special cases for the various types
        of arrays that could be in a butterfly.
        (JSC::arrayProtoFuncReverse): Ditto.

        * runtime/JSStringJoiner.h: Made appendEmptyString public so we can
        call it from the new parts of Array.join.

2015-06-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear
        https://bugs.webkit.org/show_bug.cgi?id=146291
        rdar://problem/21435366

        Reviewed by Michael Saboff.

        The filter() method returns Contradiction only when a value *becomes* clear. This is
        necessary for supporting the convention that non-JSValue nodes have a bottom proved
        type. (We should fix that convention eventually, but for now let's just be consistent
        about it.)

        * dfg/DFGFiltrationResult.h: Document the issue.
        * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2015-06-24  Michael Saboff  <msaboff@apple.com>

        Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
        https://bugs.webkit.org/show_bug.cgi?id=146285

        Reviewed by Filip Pizlo.

        CallLinkInfos contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
        a collection of PolymorphicCallNode. Those PolymorphicCallNodes have a reference back to the
        CallLinkInfo. When a CallLinkInfo replaces or clears "stub", the ref count of the
        PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
        GCAwareJITStubRoutine, it isn't actually deleted until GC. In the meantime, the original
        CallLinkInfo can go away. If PolymorphicCallNode::unlink() is called at that point,
        it will try to unlink a now deleted CallLinkInfo and crash as a result.

        The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when
        we set a new stub or clear an existing stub for a CallLinkInfo. This is done by
        calling PolymorphicCallNode::clearCallNodesFor() on the old stub.

        The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
        This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
        Any prior PolymorphicCallStubRoutine would still have a now-bad reference to the CallLinkInfo.

        In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
        made all the data elements private.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
        to clear the back references to this CallLinkInfo.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
        (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.

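The lifetime hazard described in the CallLinkInfo entry above, as an added example that is not JavaScriptCore code: toy stand-ins for CallLinkInfo, PolymorphicCallStubRoutine and PolymorphicCallNode, with std::shared_ptr in place of RefPtr and a `deferred` list in place of the GC-delayed destruction of GCAwareJITStubRoutine. The `clearOnReplace` flag switches between the pre-fix behaviour (detach back-references only in the destructor) and the fix (detach them on every setStub/clearStub). All names are hypothetical. The returned count is the number of nodes that would dereference a freed owner if a later unlink() walked them.

```cpp
// Added example (not JavaScriptCore code): why back-references into a
// deferred-deletion object must be cleared on every replacement, not only
// when the owner is destroyed.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

class LinkInfo;

// Like PolymorphicCallNode: lives inside a stub and keeps a raw back-pointer to
// the LinkInfo that installed the stub.
struct CallNode {
    LinkInfo* owner;
};

// Like PolymorphicCallStubRoutine: reference counted, but the collector keeps it
// alive until the next GC even after the last RefPtr to it is dropped.
class Stub {
public:
    void addNode(LinkInfo* owner) { m_nodes.push_back(CallNode { owner }); }

    // The fix's primitive: sever every back-reference to `owner`, so a later
    // unlink() sees null instead of a dangling pointer.
    void clearNodesFor(LinkInfo* owner)
    {
        for (CallNode& node : m_nodes)
            if (node.owner == owner)
                node.owner = nullptr;
    }

    const std::vector<CallNode>& nodes() const { return m_nodes; }

private:
    std::vector<CallNode> m_nodes;
};

// Like CallLinkInfo. With clearOnReplace == false only the destructor detaches
// nodes, so every stub but the last keeps pointing at a LinkInfo that may be gone.
class LinkInfo {
public:
    explicit LinkInfo(bool clearOnReplace) : m_clearOnReplace(clearOnReplace) { }
    ~LinkInfo() { clearStub(); }

    void setStub(std::shared_ptr<Stub> stub)
    {
        if (m_clearOnReplace)
            clearStub(); // detach the nodes of the stub being replaced
        m_stub = std::move(stub);
    }

    void clearStub()
    {
        if (m_stub)
            m_stub->clearNodesFor(this);
        m_stub.reset();
    }

private:
    bool m_clearOnReplace;
    std::shared_ptr<Stub> m_stub;
};

// Install two stubs on one LinkInfo, destroy the LinkInfo, then do what a GC
// sweep would do: visit every stub still alive and count nodes whose owner
// pointer is non-null. Each one is a pointer to freed memory that unlink()
// would dereference. Returns 1 without the fix and 0 with it.
std::size_t staleBackReferencesAfterOwnerDies(bool clearOnReplace)
{
    std::vector<std::shared_ptr<Stub>> deferred; // stubs awaiting GC
    {
        LinkInfo info(clearOnReplace);
        for (int i = 0; i < 2; ++i) {
            auto stub = std::make_shared<Stub>();
            stub->addNode(&info);
            deferred.push_back(stub);
            info.setStub(stub); // the second call replaces the first stub
        }
    } // info destroyed here; its destructor detaches only the current stub

    std::size_t stale = 0;
    for (const auto& stub : deferred)
        for (const CallNode& node : stub->nodes())
            if (node.owner) // compared, never dereferenced: that is the bug we are counting
                ++stale;
    return stale;
}
```

The general rule the fix applies: when an object hands out raw back-pointers to itself and the holders can outlive its ownership edge (here because deletion is deferred to GC), the back-pointers must be invalidated at the moment that edge is cut, which is every setStub and clearStub, not just the destructor.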
2015-06-24  Michael Saboff  <msaboff@apple.com>

        Refactor CallLinkInfo from a struct to a class
        https://bugs.webkit.org/show_bug.cgi?id=146292

        Rubber stamped by Filip Pizlo.

        Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
        data elements private.

        Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::clearStub):
        (JSC::CallLinkInfo::unlink):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::~CallLinkInfo):
        (JSC::CallLinkInfo::specializationKindFor):
        (JSC::CallLinkInfo::specializationKind):
        (JSC::CallLinkInfo::isLinked):
        (JSC::CallLinkInfo::setUpCall):
        (JSC::CallLinkInfo::setCallLocations):
        (JSC::CallLinkInfo::setUpCallFromFTL):
        (JSC::CallLinkInfo::callReturnLocation):
        (JSC::CallLinkInfo::hotPathBegin):
        (JSC::CallLinkInfo::hotPathOther):
        (JSC::CallLinkInfo::setCallee):
        (JSC::CallLinkInfo::clearCallee):
        (JSC::CallLinkInfo::callee):
        (JSC::CallLinkInfo::setLastSeenCallee):
        (JSC::CallLinkInfo::clearLastSeenCallee):
        (JSC::CallLinkInfo::lastSeenCallee):
        (JSC::CallLinkInfo::haveLastSeenCallee):
        (JSC::CallLinkInfo::setStub):
        (JSC::CallLinkInfo::stub):
        (JSC::CallLinkInfo::seenOnce):
        (JSC::CallLinkInfo::clearSeen):
        (JSC::CallLinkInfo::setSeen):
        (JSC::CallLinkInfo::hasSeenClosure):
        (JSC::CallLinkInfo::setHasSeenClosure):
        (JSC::CallLinkInfo::clearedByGC):
        (JSC::CallLinkInfo::setCallType):
        (JSC::CallLinkInfo::callType):
        (JSC::CallLinkInfo::addressOfMaxNumArguments):
        (JSC::CallLinkInfo::maxNumArguments):
        (JSC::CallLinkInfo::offsetOfSlowPathCount):
        (JSC::CallLinkInfo::setCalleeGPR):
        (JSC::CallLinkInfo::calleeGPR):
        (JSC::CallLinkInfo::slowPathCount):
        (JSC::CallLinkInfo::setCodeOrigin):
        (JSC::CallLinkInfo::codeOrigin):
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLJSCallBase.cpp:
        (JSC::FTL::JSCallBase::link):
        * jit/AccessorCallJITStubRoutine.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITOperations.cpp:
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallNode::unlink):
        (JSC::PolymorphicCallNode::clearCallLinkInfo):
        * jit/PolymorphicCallStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkPolymorphicCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):

2015-06-24  Doug Russell  <d_russell@apple.com>

        Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject
        when posting a selection notification when on the border between two accessibilityObjects
        https://bugs.webkit.org/show_bug.cgi?id=146177

        Add an adopt() function to simplify JSRetainPtr<JSStringRef> { Adopt, string } to adopt(string).

        Reviewed by Darin Adler.

        * API/JSRetainPtr.h:
        (adopt):

2015-06-24  Keith Miller  <keith_miller@apple.com>

        Strict Equality on objects should only check that one of the two sides is an object.
        https://bugs.webkit.org/show_bug.cgi?id=145992

        This patch adds a new optimization for checking strict equality on objects.
        If we speculate that a strict equality comparison has an object on one side
        we only need to type check that side. Equality is then determined by a pointer
        comparison between the two values (although in the 32-bit case we must also check
        that the other side is a cell). Once LICM hoists type checks out of a loop we
        can be cleverer about how we choose the operand we type check if both are
        speculated to be objects.

        For testing I added the addressOf function, which returns the address
        of a Cell to the runtime.

        Reviewed by Mark Lam.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionAddressOf):
        * tests/stress/equality-type-checking.js: Added.
        (Foo):
        (checkStrictEq):
        (checkStrictEqOther):

2015-06-24  Mark Lam  <mark.lam@apple.com>

        Fixed assertion in JSStringJoiner::join() (regression from r185899).

        Not reviewed.

        JSStringJoiner did not account for the case where the array being joined can
        have null or undefined elements. As a result, its size may be less than
        its initially reserved capacity (which was estimated based on the array length).

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):

2015-06-24  Darin Adler  <darin@apple.com>

        Fix Array.concat with RuntimeArray (regression from my last patch)

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty): Added comment about use of
        JSArray::length here that is incorrect (in a really non-obvious way).
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

        * runtime/JSArray.h: Added a comment explaining that it is not always
        safe to use JSArray::length.

2015-06-23  Mark Lam  <mark.lam@apple.com>

        Gardening: Fixing 2 bad asserts from r185889.
        https://bugs.webkit.org/show_bug.cgi?id=140575

        Not reviewed.

        * runtime/JSBoundSlotBaseFunction.cpp:
        (JSC::JSBoundSlotBaseFunction::finishCreation):

2015-06-23  Dan Bernstein  <mitz@apple.com>

        Fixed iOS production builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-06-22  Darin Adler  <darin@apple.com>

        Make Array.join work directly on substrings without reifying them
        https://bugs.webkit.org/show_bug.cgi?id=146191

        Reviewed by Andreas Kling.

        Besides the Array.join change, this has other optimizations based on
        profiling the Peacekeeper array benchmark.

        I measured a 14% speed improvement in the Peacekeeper array benchmark.

        Still a lot of low hanging fruit in that test because so many of the functions
        on the array prototype are not optimizing for simple cases. For example,
        the reverse function does individual get and put calls even when the array
        is entirely made up of integers in contiguous storage.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
        (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
        (JSC::shift): Use the getProperty helper in this file instead of using
        getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
        In both cases this can yield a faster code path.
        (JSC::unshift): Ditto.
        (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
        interface. Changed local variable name to thisArray since it's not a
        JSObject*. Changed loop index to i instead of k.
        (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
        interface. Renamed thisObj to thisObject. Added a missing exception check
        after the toLocaleString function is called, but before toString is called on
        the result of that function.
        (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJoiner interface.
        Added a missing exception check after calling toString on the separator
        but before calling get to get the first element in the array-like object
        being joined. Changed loop index to i instead of k. Added missing exception
        check after calling toString on each string from the array before calling
        get for the next element.
        (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
        getLength function.
        (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
        (JSC::arrayProtoFuncShift): Ditto.
        (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
1617 additional optimizations.
1618 (JSC::getOrHole): Deleted. Unused function.
1619 (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
1620
1621 * runtime/ExceptionHelpers.cpp:
1622 (JSC::errorDescriptionForValue): Removed the duplicate copy of the the logic
1623 from JSValue::toString.
1624
1625 * runtime/JSCJSValue.cpp:
1626 (JSC::JSValue::toStringSlowCase): Improved the performance when converting a
1627 small integer to a single character string.
1628 (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the
1629 inlineJSValueNotStringtoString function here.
1630 * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed
1631 a comment with a typo.
1632
1633 * runtime/JSObject.h:
1634 (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not
1635 getting inlined at some call sites.
1636 (JSC::JSObject::indexingData): Deleted. Unused function.
1637 (JSC::JSObject::currentIndexingData): Deleted. Unused function.
1638 (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function.
1639 (JSC::JSObject::relevantLength): Deleted. Unused function.
1640 (JSC::JSObject::currentRelevantLength): Deleted. Unused function.
1641
1642 * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and
1643 the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString
1644 and toWTFStringInline functions.
1645
1646 * runtime/JSStringJoiner.cpp:
1647 (JSC::appendStringToData): Changed this to be a template instead of writing
1648 it out, since StringView::getCharactersWithUpconvert does almsot exactly what
1649 this function was trying to do.
1650 (JSC::joinStrings): Rewrote this to use StringView.
1651 (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function.
1652 (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion
1653 that we entirely filled capacity, since we are now reserving capacity and using
1654 uncheckedAppend. Use String instead of RefPtr<StringImpl> because there was no
1655 particular value to using the impl directly.
1656
1657 * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView.
1658 Also changed this class so it now has the responsibility to convert each JSValue
1659 into a string. This let us share more code between toString and join, and also
1660 lets us use the new viewWithUnderlyingString function, which could be confusing at
1661 all the call sites, but is easier to understand here.
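
The exception checks added to arrayProtoFuncJoin above exist because the spec fixes the order in which join() converts the separator and touches each element, and an abrupt completion must stop that sequence immediately. The following is an added example, not code from the ChangeLog or from JavaScriptCore's tests: a constructed array-like with logging getters shows, from script, that the separator's toString runs before element 0 is read, that each element's toString runs before the next element is read, and that when element 0's toString throws, the getter for element 1 never runs.

```javascript
// Added example (not part of the JavaScriptCore ChangeLog or its tests/stress
// files). It records the observable order of operations performed by
// Array.prototype.join on a constructed array-like object.
function tracedJoin(elementThrows) {
  const log = [];

  // Each index is an accessor so we can see exactly when join() reads it.
  // The values are objects with a logging toString so we can also see when
  // join() converts them.
  const arrayLike = {
    length: 2,
    get 0() {
      log.push('get 0');
      return {
        toString() {
          log.push('toString 0');
          if (elementThrows) {
            // Constructed failure: a throwing element must abort the join
            // before any later element is read.
            throw new Error('constructed failure');
          }
          return 'a';
        },
      };
    },
    get 1() {
      log.push('get 1');
      return { toString() { log.push('toString 1'); return 'b'; } };
    },
  };

  // The separator is converted once, before the first element is read.
  const separator = { toString() { log.push('toString sep'); return '-'; } };

  let result = null;
  let error = null;
  try {
    result = Array.prototype.join.call(arrayLike, separator);
  } catch (e) {
    error = e.message;
  }
  return { result, error, log };
}

// Expected, per the spec's step order:
//   tracedJoin(false).log -> ['toString sep', 'get 0', 'toString 0', 'get 1', 'toString 1']
//   tracedJoin(true).log  -> ['toString sep', 'get 0', 'toString 0']
```

The second log is the case the missing exception checks were about: an engine that did not check for a pending exception after converting an element would go on to read element 1 (or run its toString) even though script-visible state already says the operation failed.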

2015-06-23 Matthew Mirman <mmirman@apple.com>

        Completes native binding descriptors with native getters and potentially setters.
        https://bugs.webkit.org/show_bug.cgi?id=140575
        rdar://problem/19506502

        Reviewed by Mark Lam.

        * CMakeLists.txt: Added JSBoundSlotBaseFunction.cpp
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter.
        * runtime/JSBoundSlotBaseFunction.cpp: Added.
        (JSC::boundSlotBaseFunctionCall):
        (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction):
        Necessary wrapper for custom getters and setters as objects.
        (JSC::JSBoundSlotBaseFunction::create):
        (JSC::JSBoundSlotBaseFunction::visitChildren):
        (JSC::JSBoundSlotBaseFunction::finishCreation):
        * runtime/JSBoundSlotBaseFunction.h: Added.
        (JSC::JSBoundSlotBaseFunction::createStructure):
        (JSC::JSBoundSlotBaseFunction::boundSlotBase):
        (JSC::JSBoundSlotBaseFunction::customGetterSetter):
        (JSC::JSBoundSlotBaseFunction::isGetter):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction
        (JSC::JSGlobalObject::visitChildren): visits that structure
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to
        actually include GetterSetter as a JSBoundSlotBaseFunction
        * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap
        * runtime/VM.h: Added cache for JSBoundSlotBaseFunction

2015-06-22 Yusuke Suzuki <utatane.tea@gmail.com>

        [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern
        https://bugs.webkit.org/show_bug.cgi?id=146192

        Reviewed by Darin Adler.

        According to the ES6 spec, a trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed.
        And empty ArrayBindingPattern and ObjectBindingPattern are also allowed.

        This patch allows trailing commas and empty binding patterns.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        * tests/stress/trailing-comma-in-patterns.js: Added.
        (shouldBe):
        (iterator):

2015-06-20 Yusuke Suzuki <utatane.tea@gmail.com>

        [ES6] Destructuring assignment needs to accept iterables
        https://bugs.webkit.org/show_bug.cgi?id=144111

        Reviewed by Darin Adler.

        This patch makes destructuring assignments to array binding patterns accept iterables.
        Previously, it just accessed the indexed properties.
        After this patch, it iterates the given value by using the ES6 iterator protocol.

        The iteration is different from the for-of case.
        1. Since there's no break/continue case, a finally scope is not necessary.
        2. When an error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that.
        3. Since array binding patterns require a limited count of iterations (if there is no rest (...rest) case), IteratorClose is called when the iteration does not consume all the values of the iterator.
        4. Since array binding patterns require a specified count of iterations, the iterator's next call is skipped when the iterator becomes closed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIteratorClose):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::finishArrayPattern):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * tests/stress/destructuring-assignment-accepts-iterables.js: Added.
        (shouldBe):
        (shouldThrow):
        (.set shouldThrow):
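
The four rules listed in the entry above are observable from script, which is how an engine's behaviour here is tested. The following is an added example, not code from the ChangeLog or from tests/stress/destructuring-assignment-accepts-iterables.js: a constructed iterable records every next() and return() call, and four small functions exercise partial consumption (rule 3: IteratorClose runs), a rest element (the iterator is exhausted, so no IteratorClose), an iterator that runs out early (rule 4: no further next() calls), and an iterator whose next() throws (rule 2: the iterator counts as closed, so return() is not called). The helper name makeTracedIterable and the option name throwAt are assumptions of this example.

```javascript
// Added example (not part of the JavaScriptCore ChangeLog or its tests/stress
// files). Builds a constructed iterable whose iterator logs every protocol call
// so the ES6 array-binding-pattern rules can be checked from script.
function makeTracedIterable(values, { throwAt = -1 } = {}) {
  const log = [];
  const iterable = {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i === throwAt) {
            // Constructed failure inside next(): per spec the iterator is then
            // treated as closed and return() must NOT be invoked.
            log.push('next:throw');
            throw new Error('constructed failure in next()');
          }
          log.push('next');
          return i < values.length
            ? { value: values[i++], done: false }
            : { value: undefined, done: true };
        },
        return() {
          // IteratorClose lands here.
          log.push('return');
          return { done: true };
        },
      };
    },
  };
  return { iterable, log };
}

// Rule 3: two targets for three values leaves the iterator unfinished, so the
// pattern calls IteratorClose (return()) after the last target is bound.
function partialConsumption() {
  const { iterable, log } = makeTracedIterable([1, 2, 3]);
  const [a, b] = iterable;
  return { a, b, log }; // log: ['next', 'next', 'return']
}

// A rest element drains the iterator until done, so there is nothing to close.
function restConsumption() {
  const { iterable, log } = makeTracedIterable([1, 2, 3]);
  const [first, ...rest] = iterable;
  return { first, rest, log }; // log: ['next', 'next', 'next', 'next']
}

// Rule 4: once next() reports done, the remaining targets get undefined and
// next() is not called again for them.
function shortIterator() {
  const { iterable, log } = makeTracedIterable([1]);
  const [a, b, c] = iterable;
  return { a, b, c, log }; // log: ['next', 'next']
}

// Rule 2: an exception from next() propagates and return() is skipped.
function throwingIterator() {
  const { iterable, log } = makeTracedIterable([1, 2], { throwAt: 1 });
  let caught = null;
  try {
    const [a, b] = iterable; // eslint-disable-line no-unused-vars
  } catch (e) {
    caught = e.message;
  }
  return { caught, log }; // log: ['next', 'next:throw']
}
```

The logs are the point: a conforming engine produces exactly these sequences, and a test like the one added in this entry can assert on them without inspecting engine internals.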

2015-06-19 Devin Rousso <drousso@apple.com>

        Web Inspector: Highlight currently edited CSS selector
        https://bugs.webkit.org/show_bug.cgi?id=145658

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes.

2015-06-19 Mark Lam <mark.lam@apple.com>

        Gardening: fix build for EWS bots.

        Not reviewed.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):

2015-06-19 Michael Saboff <msaboff@apple.com>

        Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225
        https://bugs.webkit.org/show_bug.cgi?id=146133

        Reviewed by Geoffrey Garen.

        When generating code to put in inline caching areas, if there isn't enough space,
        then create and link to an out of line area. We connect the inline code to this
        out of line code area by planting a jump from the inline area to the out of line
        code and appending a jump at the end of the out of line code back to the instruction
        following the inline area. We fill the unused inline area with nops, primarily to
        ensure the disassembler doesn't get confused.

        * ftl/FTLCompile.cpp:
        (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space
        in the inline code area for the code to link. If so, it links inline, otherwise it links the
        code out of line and plants appropriate jumps to/from the out of line code.
        (generateICFastPath):
        (generateCheckInICFastPath):
        (fixFunctionBasedOnStackMaps):
        Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space.

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo):
        Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot().

2015-06-19 Geoffrey Garen <ggaren@apple.com>

        WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
        https://bugs.webkit.org/show_bug.cgi?id=146163
        <rdar://problem/20392986>

        Reviewed by Michael Saboff.

        There's no good way to test this in our test harness because we don't
        have a way to simulate executable memory pressure, and doing so would
        cause the cases that still use JITCompilationMustSucceed to crash.

        Instead, I tested by manually forcing all regexp JIT compilation to
        fail and running the JavaScriptCore tests.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
        fall back to the regexp interpreter if we need to.

2015-06-19 Mark Lam <mark.lam@apple.com>

        Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround.
        https://bugs.webkit.org/show_bug.cgi?id=146154

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::dataLocation):
        (JSC::MacroAssemblerCodePtr::operator bool):
        (JSC::MacroAssemblerCodePtr::operator==):
        (JSC::MacroAssemblerCodeRef::tryToDisassemble):
        (JSC::MacroAssemblerCodeRef::operator bool):
        (JSC::MacroAssemblerCodeRef::dump):
        (JSC::MacroAssemblerCodePtr::operator UnspecifiedBoolType*): Deleted.
        (JSC::MacroAssemblerCodeRef::operator UnspecifiedBoolType*): Deleted.

        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::isApproximatelyEqualTo):
        - Fixed a bug here where we were expecting to compare Executable pointers, but
        ended up comparing a (UnspecifiedBoolType*)1 with another
        (UnspecifiedBoolType*)1.

        * bytecode/LLIntCallLinkInfo.h:
        (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::isLinked):
        (JSC::LLIntCallLinkInfo::unlink):
        * dfg/DFGBlockWorklist.h:
        (JSC::DFG::BlockWith::BlockWith):
        (JSC::DFG::BlockWith::operator bool):
        (JSC::DFG::BlockWithOrder::BlockWithOrder):
        (JSC::DFG::BlockWithOrder::operator bool):
        (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): Deleted.
        (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): Deleted.
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGLazyNode.h:
        (JSC::DFG::LazyNode::operator!):
        (JSC::DFG::LazyNode::operator bool):
        (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): Deleted.
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator bool):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*): Deleted.
        * heap/Handle.h:
        (JSC::HandleBase::operator!):
        (JSC::HandleBase::operator bool):
        (JSC::HandleBase::slot):
        (JSC::HandleBase::operator UnspecifiedBoolType*): Deleted.
        * heap/Strong.h:
        (JSC::Strong::operator!):
        (JSC::Strong::operator bool):
        (JSC::Strong::swap):
        (JSC::Strong::operator UnspecifiedBoolType*): Deleted.
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::operator bool):
        (JSC::JITWriteBarrierBase::operator!):
        (JSC::JITWriteBarrierBase::setFlagOnBarrier):
        (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::JSValue):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator UnspecifiedBoolType*): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasSparseMap):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::writablePresent):
        (JSC::PropertyDescriptor::enumerablePresent):
        (JSC::PropertyDescriptor::configurablePresent):
        (JSC::PropertyDescriptor::setterPresent):
        (JSC::PropertyDescriptor::getterPresent):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::slot):
        (JSC::WriteBarrierBase::operator bool):
        (JSC::WriteBarrierBase::operator!):
        (JSC::WriteBarrierBase<Unknown>::tagPointer):
        (JSC::WriteBarrierBase<Unknown>::payloadPointer):
        (JSC::WriteBarrierBase<Unknown>::operator bool):
        (JSC::WriteBarrierBase<Unknown>::operator!):
        (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted.
        (JSC::WriteBarrierBase<Unknown>::operator UnspecifiedBoolType*): Deleted.

2015-06-19 Anders Carlsson <andersca@apple.com>

        Add a JSC symlink in /System/Library/PrivateFrameworks
        https://bugs.webkit.org/show_bug.cgi?id=146158
        rdar://problem/21465968

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-06-19 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Avoid getOwnPropertyNames/Symbols on very large lists
        https://bugs.webkit.org/show_bug.cgi?id=146141

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Avoid calling getOwnPropertyNames/Symbols on very large lists. Instead
        just generate property descriptors for the first 100 indexes. Note
        this would behave poorly for sparse arrays with a length > 100, but
        general support for lists with more than 100 elements is poor. See:
        <https://webkit.org/b/143589> Web Inspector: Better handling for large collections in Object Trees

2015-06-18 Yusuke Suzuki <utatane.tea@gmail.com>

        [DFG] Avoid OSR exit in the middle of string concatenation
        https://bugs.webkit.org/show_bug.cgi?id=145820

        Reviewed by Filip Pizlo.

        DFG attempts to compile ValueAdd with String type into MakeRope(left, ToString(ToPrimitive(right))).

        So when right is speculated as SpecObject, ToPrimitive(SpecObject) is speculated as SpecString.
        It leads ToString to become Identity with a speculated type check.

        However, ToPrimitive and ToString originate from the same bytecode. And ToPrimitive may have
        an observable side effect when the given parameter is an object (calling object.{toString,valueOf}).

        So when object.toString() returns a number (it is allowed in the ES spec), ToPrimitive performs
        an observable `object.toString()` call. But ToString is converted into a speculated type check for
        SpecString and it raises an OSR exit. And we exit to the original ValueAdd's bytecode position and
        it redundantly performs an observable ToPrimitive execution.

        To fix this, this patch avoids fixing up the newly introduced ToString node.
        Since the fixup phase is not iterated repeatedly, by avoiding fixing up when generating the node,
        we can avoid conversion from ToString to Check.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * tests/stress/toprimitive-speculated-types.js: Added.
        (shouldBe):
        (raw):
        (Counter):
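
The entry above hinges on a script-observable fact: `string + object` runs the object's valueOf/toString exactly once per evaluation, and toString is allowed to return a non-string such as a number. If an optimizing tier speculated on the result type, exited after the side effect had already run, and then re-executed the whole add in a lower tier, the side effect would run twice. The following is an added example, not code from the ChangeLog or from tests/stress/toprimitive-speculated-types.js: it counts the conversion calls on a constructed object across a hot loop, so that any tier-up in the engine running it is covered, and checks that every iteration converted the object exactly once. The names makeCountedObject, concatWithObject and runHot are assumptions of this example.

```javascript
// Added example (not part of the JavaScriptCore ChangeLog or its tests/stress
// files). Counts how often ToPrimitive touches an object during `string + obj`.
function makeCountedObject(toStringResult) {
  let toStringCalls = 0;
  let valueOfCalls = 0;
  const obj = {
    // For `+` the hint is "default", which ordinary objects treat as "number":
    // valueOf is tried first. Returning a non-primitive makes the engine fall
    // through to toString, so both calls are observable and countable.
    valueOf() {
      valueOfCalls += 1;
      return {};
    },
    // toString may legally return a number; ValueAdd then applies ToString to
    // that primitive, which is what the speculation in the entry was about.
    toString() {
      toStringCalls += 1;
      return toStringResult;
    },
  };
  return { obj, counts: () => ({ toStringCalls, valueOfCalls }) };
}

// The operation under test, kept in its own function so that an optimizing
// tier has a small, hot body to compile.
function concatWithObject(left, obj) {
  return left + obj;
}

// Runs the concatenation `iterations` times and reports the final string and
// the total number of conversion calls. A conforming engine reports exactly one
// toString and one valueOf call per iteration, regardless of which tier ran.
function runHot(iterations, toStringResult) {
  const { obj, counts } = makeCountedObject(toStringResult);
  let last;
  for (let i = 0; i < iterations; i++) {
    last = concatWithObject('value: ', obj);
  }
  return { last, ...counts() };
}

// runHot(1000, 42)    -> { last: 'value: 42',  toStringCalls: 1000, valueOfCalls: 1000 }
// runHot(10, 'str')   -> { last: 'value: str', toStringCalls: 10,   valueOfCalls: 10 }
```

A doubled count on any run would be the symptom described in the entry: the conversion ran once in optimized code, the speculation failed, and the baseline re-execution ran it again.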
1960
19612015-06-18 Brian J. Burg <burg@cs.washington.edu>
1962
1963 Web Inspector: improve generated types for objects passed to backend commands
1964 https://bugs.webkit.org/show_bug.cgi?id=146091
1965
1966 Reviewed by Joseph Pecoraro.
1967
1968 The main change is that objects passed in will have a type like const T& or const T*,
1969 rather than const RefPtr<T>&&. These protocol objects are owned by the generated dispatcher
1970 methods and only exist to pass data to backend command implementations. So, there is no
1971 reason for callees to add a reference or take ownership of these inputs.
1972
1973 Some small improvements were made in the code generator to standardize how these
1974 expressions are generated for parameters. Optional in parameters are now prefixed with
1975 'opt_in_' to make the generated method signatures and implementations clearer.
1976
1977 * inspector/InspectorValues.cpp:
1978 (Inspector::InspectorArrayBase::get): Add const qualifier.
1979 * inspector/InspectorValues.h:
1980 * inspector/agents/InspectorDebuggerAgent.cpp:
1981 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1982 (Inspector::parseLocation):
1983 (Inspector::InspectorDebuggerAgent::setBreakpoint):
1984 (Inspector::InspectorDebuggerAgent::continueToLocation):
1985 * inspector/agents/InspectorDebuggerAgent.h:
1986 * inspector/agents/InspectorRuntimeAgent.cpp:
1987 (Inspector::InspectorRuntimeAgent::callFunctionOn):
1988 (Inspector::InspectorRuntimeAgent::saveResult):
1989 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1990 * inspector/agents/InspectorRuntimeAgent.h:
1991
1992 * inspector/scripts/codegen/cpp_generator.py: Always generate PrimitiveType('array').
1993 (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Alter the type signature
1994 for an unchecked input to use pointers or references.
1995
1996 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1997 (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
1998 (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
1999 Local variables for optional parameters now have the 'opt_' prefix.
2000
2001 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2002 (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2003 (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2004 Local variables for optional parameters now have the 'opt_' prefix.
2005 Split parameterName and parameterKey into two separate template variables to avoid mixups.
2006
2007 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
2008
20092015-06-18 Joseph Pecoraro <pecoraro@apple.com>
2010
2011 Unreviewed. Rollout r185670 as it caused some tests to be flakey.
2012
2013 * debugger/Debugger.cpp:
2014
20152015-06-17 Alex Christensen <achristensen@webkit.org>
2016
2017 [Content Extensions] Log blocked loads to the WebInspector console
2018 https://bugs.webkit.org/show_bug.cgi?id=146089
2019
2020 Reviewed by Joseph Pecoraro.
2021
2022 * inspector/ConsoleMessage.cpp:
2023 (Inspector::messageSourceValue):
2024 * inspector/protocol/Console.json:
2025 * runtime/ConsoleTypes.h:
2026 Add content blocker message source.
2027
20282015-06-18 Saam Barati <saambarati1@gmail.com>
2029
2030 [ES6] support default values in deconstruction parameter nodes
2031 https://bugs.webkit.org/show_bug.cgi?id=142679
2032
2033 Reviewed by Darin Adler.
2034
2035 ES6 destructuring allows destructuring properties to assign
2036 default values. A link to the spec:
2037 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-destructuring-binding-patterns
2038
2039 This patch implements default values for all places where deconstruction
2040 is allowed besides function parameters. This is because function
2041 parameters are parsed in a separate parser arena than the function
2042 body itself and ExpresionNode's which are default values for
2043 deconstruction parameters will be deallocated by the time we parse the body
2044 of the function. I have opened a bug to address this problem:
2045 https://bugs.webkit.org/show_bug.cgi?id=145995
2046
2047 * bytecompiler/NodesCodegen.cpp:
2048 (JSC::DeconstructionPatternNode::~DeconstructionPatternNode):
2049 (JSC::assignDefaultValueIfUndefined):
2050 (JSC::ArrayPatternNode::bindValue):
2051 (JSC::ArrayPatternNode::emitDirectBinding):
2052 (JSC::ArrayPatternNode::toString):
2053 (JSC::ArrayPatternNode::collectBoundIdentifiers):
2054 (JSC::ObjectPatternNode::bindValue):
2055 * parser/ASTBuilder.h:
2056 (JSC::ASTBuilder::appendArrayPatternSkipEntry):
2057 (JSC::ASTBuilder::appendArrayPatternEntry):
2058 (JSC::ASTBuilder::createObjectPattern):
2059 (JSC::ASTBuilder::appendObjectPatternEntry):
2060 (JSC::ASTBuilder::createBindingLocation):
2061 * parser/Nodes.h:
2062 (JSC::ArrayPatternNode::appendIndex):
2063 (JSC::ObjectPatternNode::appendEntry):
2064 (JSC::ObjectPatternNode::Entry::Entry): Deleted.
2065 * parser/Parser.cpp:
2066 (JSC::Parser<LexerType>::parseDeconstructionPattern):
2067 (JSC::Parser<LexerType>::parseDefaultValueForDeconstructionPattern):
2068 (JSC::Parser<LexerType>::parseConstDeclarationList):
2069 * parser/Parser.h:
2070 * parser/SyntaxChecker.h:
2071 (JSC::SyntaxChecker::operatorStackPop):
2072
20732015-06-17 Joseph Pecoraro <pecoraro@apple.com>
2074
2075 Web Inspector: Do not show JavaScriptCore builtins in inspector
2076 https://bugs.webkit.org/show_bug.cgi?id=146049
2077
2078 Reviewed by Timothy Hatcher.
2079
2080 * debugger/Debugger.cpp:
2081
20822015-06-17 Andreas Kling <akling@apple.com>
2083
2084 [JSC] jsSubstring() should have a fast path for 0..baseLength "substrings."
2085 <https://webkit.org/b/146051>
2086
2087 Reviewed by Anders Carlsson.
2088
2089 If asked to make a substring that actually spans the entire base string,
2090 have jsSubstring() just return the base instead of allocating a new JSString.
2091
2092 3% speed-up on Octane/regexp.
2093
2094 * runtime/JSString.h:
2095 (JSC::jsSubstring):
2096
20972015-06-16 Alex Christensen <achristensen@webkit.org>
2098
2099 32-bit build fix after r185640.
2100
2101 * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2102 Explicitly cast clamped int64_t to an int.
2103
21042015-06-09 Filip Pizlo <fpizlo@apple.com>
2105
2106 FTL should eliminate array bounds checks in loops
2107 https://bugs.webkit.org/show_bug.cgi?id=145768
2108
2109 Reviewed by Benjamin Poulain.
2110
2111 This adds a phase that does forward propagation of integer inequalities. This allows us
2112 to do the algebraic reasoning we need to eliminate array bounds checks in loops. It
2113 also eliminates overflow checks on ArithAdd with a constant.
2114
2115 The phase's analysis produces results that are powerful enough to do speculative bounds
2116 check hoisting, but this phase currently only does elimination. We can implement
2117 hoisting later.
2118
2119 On programs that just loop over an array like:
2120
2121 for (var i = 0; i < array.length; ++i)
2122 thingy += array[i]
2123
2124 This change is a 60% speed-up.
2125
2126 This is also a ~3% speed-up on Kraken, and it shows various speed-ups on individual
2127 tests in Octane.
2128
2129 * CMakeLists.txt:
2130 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2131 * JavaScriptCore.xcodeproj/project.pbxproj:
2132 * dfg/DFGIntegerRangeOptimizationPhase.cpp: Added.
2133 (JSC::DFG::performIntegerRangeOptimization):
2134 * dfg/DFGIntegerRangeOptimizationPhase.h: Added.
2135 * dfg/DFGPlan.cpp:
2136 (JSC::DFG::Plan::compileInThreadImpl):
2137 * tests/stress/add-overflows-after-not-equal.js: Added.
2138 * tests/stress/no-abc-skippy-loop.js: Added.
2139 * tests/stress/no-abc-skippy-paired-loop.js: Added.
2140 * tests/stress/sub-overflows-after-not-equal.js: Added.
2141
21422015-06-16 Andreas Kling <akling@apple.com>
2143
2144 Remove unused template parameter InlineCapacity from SegmentedVector.
2145 <https://webkit.org/b/146044>
2146
2147 Reviewed by Anders Carlsson.
2148
2149 * bytecode/ArrayProfile.h:
2150 * dfg/DFGCommonData.h:
2151
21522015-06-16 Michael Saboff <msaboff@apple.com>
2153
2154 Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function
2155 https://bugs.webkit.org/show_bug.cgi?id=146029
2156
2157 Reviewed by Benjamin Poulain.
2158
2159 Save and restore m_currentInstruction around call to ByteCodeParser::inlineCall() as it will
2160 use m_currentInstruction during its own parsing. This happens because inlineCall() parses the
2161 inlined callee's bytecodes by calling parseCodeBlock() which calls parseBlock() on each block.
2162 It is in parseBlock() that we set m_currentInstruction to an instruction before we parse it.
2163
2164 * dfg/DFGByteCodeParser.cpp:
2165 (JSC::DFG::ByteCodeParser::attemptToInlineCall):
2166 (JSC::DFG::ByteCodeParser::parseBlock): Added an ASSERT to catch this issue.
2167
21682015-06-16 Filip Pizlo <fpizlo@apple.com>
2169
2170 Unreviewed, roll out unintended JSC change from https://trac.webkit.org/changeset/185425.
2171
2172 * bytecode/CodeBlock.h:
2173 (JSC::CodeBlock::hasExitSite):
2174 (JSC::CodeBlock::exitProfile):
2175 (JSC::CodeBlock::numberOfExitSites): Deleted.
2176 * bytecode/DFGExitProfile.cpp:
2177 (JSC::DFG::ExitProfile::add):
2178 * bytecode/DFGExitProfile.h:
2179 (JSC::DFG::ExitProfile::hasExitSite):
2180 (JSC::DFG::ExitProfile::size): Deleted.
2181 * dfg/DFGByteCodeParser.cpp:
2182 (JSC::DFG::ByteCodeParser::inliningCost):
2183 * runtime/Options.h:
2184
21852015-06-16 Mark Lam <mark.lam@apple.com>
2186
2187 Use NakedPtr<Exception>& to return exception results.
2188 https://bugs.webkit.org/show_bug.cgi?id=145870
2189
2190 Reviewed by Anders Carlsson and Filip Pizlo.
2191
2192 Before r185259, calls into the VM takes a JSValue* exception result argument for
2193 returning any uncaught exception that may have been thrown while executing JS code.
2194 As a result, clients of the VM functions will declare a local JSValue exception
2195 result which is automatically initialized to a null value (i.e. the empty value,
2196 not the JS null value).
2197
2198 With r185259, the VM functions were changed to take an Exception*& exception result
2199 instead, and the VM functions are responsible for initializing the exception result
2200 to null if no exception is thrown.
2201
2202 This introduces 2 issues:
2203
2204 1. the VM functions are vulnerable to modifications that may add early returns
2205 before the exception result is nullified. This can result in the exception
2206 result being used without initialization.
2207
2208 2. Previously, a client could technically use the same exception result for more
2209 than one calls into the VM functions. If an earlier call sets it to a thrown
2210 value, the thrown value will stick unless a subsequent call throws a different
2211 exception.
2212
2213 With the new Exception*& exception result, the VM functions will always clear
2214 the exception result before proceeding. As a result, the client's exception
2215 result will be null after the second call even though the first call saw an
2216 exception thrown. This is a change in the expected behavior.
2217
2218 To fix these issues, we'll introduce a NakedPtr smart pointer whose sole purpose
2219 is to guarantee that the pointer is initialized. The VM functions will now take
2220 a NakedPtr<Exception>& instead of the Exception*&. This ensures that the
2221 exception result is initialized.
2222
2223 The VM functions be also reverted to only set the exception result if a new
2224 exception is thrown.
2225
2226 * API/JSBase.cpp:
2227 (JSEvaluateScript):
2228 * API/JSScriptRef.cpp:
2229 * bindings/ScriptFunctionCall.cpp:
2230 (Deprecated::ScriptFunctionCall::call):
2231 * bindings/ScriptFunctionCall.h:
2232 * debugger/Debugger.cpp:
2233 (JSC::Debugger::hasBreakpoint):
2234 * debugger/Debugger.h:
2235 * debugger/DebuggerCallFrame.cpp:
2236 (JSC::DebuggerCallFrame::thisValue):
2237 (JSC::DebuggerCallFrame::evaluate):
2238 * debugger/DebuggerCallFrame.h:
2239 (JSC::DebuggerCallFrame::isValid):
2240 * inspector/InjectedScriptManager.cpp:
2241 (Inspector::InjectedScriptManager::createInjectedScript):
2242 * inspector/InspectorEnvironment.h:
2243 * inspector/JSJavaScriptCallFrame.cpp:
2244 (Inspector::JSJavaScriptCallFrame::evaluate):
2245 * inspector/JavaScriptCallFrame.h:
2246 (Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
2247 (Inspector::JavaScriptCallFrame::thisValue):
2248 (Inspector::JavaScriptCallFrame::evaluate):
2249 * inspector/ScriptDebugServer.cpp:
2250 (Inspector::ScriptDebugServer::evaluateBreakpointAction):
2251 * jsc.cpp:
2252 (functionRun):
2253 (functionLoad):
2254 (runWithScripts):
2255 (runInteractive):
2256 * runtime/CallData.cpp:
2257 (JSC::call):
2258 * runtime/CallData.h:
2259 * runtime/Completion.cpp:
2260 (JSC::checkSyntax):
2261 (JSC::evaluate):
2262 * runtime/Completion.h:
2263 (JSC::evaluate):
2264
22652015-06-15 Filip Pizlo <fpizlo@apple.com>
2266
2267 FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case
2268 https://bugs.webkit.org/show_bug.cgi?id=146002
2269
2270 Reviewed by Darin Adler.
2271
2272 * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code.
2273 (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug.
2274 * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases.
2275 (foo):
2276
22772015-06-16 Andreas Kling <akling@apple.com>
2278
2279 [JSC] Pre-bake final Structure for RegExp matches arrays.
2280 <https://webkit.org/b/146006>
2281
2282 Reviewed by Darin Adler.
2283
2284 Since we always add the "index" and "input" fields to RegExp matches arrays,
2285 cache a finished structure on the global object so we can create these arrays without
2286 starting from scratch with a bare array every time.
2287
2288 10% progression on Octane/regexp (on my MBP.)
2289
2290 * runtime/JSArray.h:
2291 (JSC::JSArray::create):
2292 (JSC::JSArray::tryCreateUninitialized):
2293 (JSC::JSArray::createWithButterfly): Factored out JSArray construction into a helper
2294 so we can call this from RegExpMatchesArray.cpp.
2295
2296 * runtime/JSGlobalObject.cpp:
2297 (JSC::JSGlobalObject::init):
2298 (JSC::JSGlobalObject::visitChildren):
2299 * runtime/JSGlobalObject.h:
2300 (JSC::JSGlobalObject::regExpMatchesArrayStructure): Add a cached Structure for RegExp
2301 subpattern matches arrays.
2302
2303 * runtime/JSObject.h:
2304 (JSC::JSNonFinalObject::finishCreation): Tweak assertion that used to check that
2305 JSNonFinalObjects always start out with zero capacity. Since RegExp matches arrays now
2306 start out with capacity for 2 properties, that won't work. Change it to check that we
2307 don't have inline storage instead, since that should only be used by final objects.
2308
2309 * runtime/RegExpMatchesArray.h:
2310 * runtime/RegExpMatchesArray.cpp:
2311 (JSC::tryCreateUninitializedRegExpMatchesArray): Helper to construct a JSArray with
2312 the cached Structure and a Butterfly with 2 slots of property storage.
2313
2314 (JSC::createRegExpMatchesArray):
2315 (JSC::createRegExpMatchesArrayStructure): Creates the array Structure that gets cached
2316 by the JSGlobalObject.
2317
2318 2015-06-16 Saam Barati <saambarati1@gmail.com>
2319
2320 LLInt's code path for get_from_scope with case GlobalVarWithVarInjectionChecks has dead code
2321 https://bugs.webkit.org/show_bug.cgi?id=144268
2322
2323 Reviewed by Darin Adler.
2324
2325 The call to loadVariable(.) both for 32bit and 64bit is unnecessary.
2326 It grabs a value that is immediately overwritten by a call to getGlobalVar().
2327
2328 * llint/LowLevelInterpreter32_64.asm:
2329 * llint/LowLevelInterpreter64.asm:
2330
2331 2015-06-14 Yusuke Suzuki <utatane.tea@gmail.com>
2332
2333 [ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor
2334 https://bugs.webkit.org/show_bug.cgi?id=145963
2335
2336 Reviewed by Darin Adler.
2337
2338 ES6 iterators inherit %IteratorPrototype%.
2339 And these prototype objects of derived iterators don't have @@iterator methods.
2340 Instead they use the %IteratorPrototype%[@@iterator] method.
2341
2342 To encourage inlining in for-of statement, we define this method in JS builtins.
2343
2344 And these iterator prototype objects don't have any constructor function.
2345 This patch drops them (like StringIteratorConstructor).
2346
2347 * CMakeLists.txt:
2348 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2349 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2350 * JavaScriptCore.xcodeproj/project.pbxproj:
2351 * builtins/Iterator.prototype.js: Renamed from Source/JavaScriptCore/runtime/StringIteratorConstructor.cpp.
2352 (SymbolIterator):
2353 * runtime/ArrayIteratorConstructor.cpp:
2354 (JSC::ArrayIteratorConstructor::finishCreation): Deleted.
2355 * runtime/ArrayIteratorConstructor.h: Removed.
2356 (JSC::ArrayIteratorConstructor::create): Deleted.
2357 (JSC::ArrayIteratorConstructor::createStructure): Deleted.
2358 (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): Deleted.
2359 * runtime/ArrayIteratorPrototype.cpp:
2360 (JSC::ArrayIteratorPrototype::finishCreation):
2361 (JSC::arrayIteratorProtoFuncIterator): Deleted.
2362 * runtime/IteratorPrototype.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorConstructor.cpp.
2363 (JSC::IteratorPrototype::finishCreation):
2364 * runtime/IteratorPrototype.h: Renamed from Source/JavaScriptCore/runtime/SetIteratorConstructor.h.
2365 (JSC::IteratorPrototype::create):
2366 (JSC::IteratorPrototype::createStructure):
2367 (JSC::IteratorPrototype::IteratorPrototype):
2368 * runtime/JSFunction.cpp:
2369 (JSC::JSFunction::createBuiltinFunction):
2370 * runtime/JSFunction.h:
2371 * runtime/JSGlobalObject.cpp:
2372 (JSC::JSGlobalObject::init):
2373 (JSC::JSGlobalObject::visitChildren):
2374 * runtime/JSGlobalObject.h:
2375 (JSC::JSGlobalObject::iteratorPrototype):
2376 * runtime/MapIteratorConstructor.cpp: Removed.
2377 (JSC::MapIteratorConstructor::finishCreation): Deleted.
2378 * runtime/MapIteratorConstructor.h: Removed.
2379 (JSC::MapIteratorConstructor::create): Deleted.
2380 (JSC::MapIteratorConstructor::createStructure): Deleted.
2381 (JSC::MapIteratorConstructor::MapIteratorConstructor): Deleted.
2382 * runtime/MapIteratorPrototype.cpp:
2383 (JSC::MapIteratorPrototype::finishCreation): Deleted.
2384 (JSC::MapIteratorPrototypeFuncIterator): Deleted.
2385 * runtime/SetIteratorConstructor.cpp: Removed.
2386 (JSC::SetIteratorConstructor::finishCreation): Deleted.
2387 * runtime/SetIteratorConstructor.h:
2388 (JSC::SetIteratorConstructor::create): Deleted.
2389 (JSC::SetIteratorConstructor::createStructure): Deleted.
2390 (JSC::SetIteratorConstructor::SetIteratorConstructor): Deleted.
2391 * runtime/SetIteratorPrototype.cpp:
2392 (JSC::SetIteratorPrototype::finishCreation): Deleted.
2393 (JSC::SetIteratorPrototypeFuncIterator): Deleted.
2394 * runtime/StringIteratorConstructor.cpp:
2395 (JSC::StringIteratorConstructor::finishCreation): Deleted.
2396 * runtime/StringIteratorConstructor.h: Removed.
2397 (JSC::StringIteratorConstructor::create): Deleted.
2398 (JSC::StringIteratorConstructor::createStructure): Deleted.
2399 (JSC::StringIteratorConstructor::StringIteratorConstructor): Deleted.
2400 * runtime/StringIteratorPrototype.cpp:
2401 (JSC::StringIteratorPrototype::finishCreation):
2402 (JSC::stringIteratorPrototypeIterator): Deleted.
2403 * tests/stress/iterator-prototype.js: Added.
2404 (shouldBe):
2405 (inheritIteratorPrototype):
2406 (testChain):
2407
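An added example, not code from the JavaScriptCore ChangeLog or its stress tests, that checks the ES6 layout described in the entry above from script: every built-in iterator prototype inherits from the single %IteratorPrototype%, only that shared object owns @@iterator, and that method returns the receiver itself.

```javascript
// Added example (not JavaScriptCore code). %IteratorPrototype% has no global name
// in ES6, so it is reached through the prototype chain of an array iterator.
const IteratorPrototype = Object.getPrototypeOf(
  Object.getPrototypeOf([][Symbol.iterator]())
);

// The derived iterator prototypes, obtained the same way from each built-in type.
const derivedPrototypes = {
  ArrayIterator:  Object.getPrototypeOf([][Symbol.iterator]()),
  MapIterator:    Object.getPrototypeOf(new Map()[Symbol.iterator]()),
  SetIterator:    Object.getPrototypeOf(new Set()[Symbol.iterator]()),
  StringIterator: Object.getPrototypeOf(''[Symbol.iterator]()),
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// True when `proto` inherits directly from %IteratorPrototype% and does not carry
// its own @@iterator, i.e. the method it exposes is %IteratorPrototype%[@@iterator].
function inheritsIteratorPrototype(proto) {
  return Object.getPrototypeOf(proto) === IteratorPrototype
    && !hasOwn(proto, Symbol.iterator)
    && hasOwn(IteratorPrototype, Symbol.iterator);
}

// Checks every derived prototype; returns the names that violate the layout.
function checkChain() {
  return Object.keys(derivedPrototypes)
    .filter(name => !inheritsIteratorPrototype(derivedPrototypes[name]));
}

// %IteratorPrototype%[@@iterator] must return `this`.
function iteratorReturnsSelf(iterator) {
  return iterator[Symbol.iterator]() === iterator;
}

// Because of that, for-of can consume a half-drained iterator from where it
// left off: the loop calls it[Symbol.iterator]() and gets the same object back.
function resumeWithForOf(values, skip) {
  const it = values[Symbol.iterator]();
  for (let i = 0; i < skip; i++) it.next();
  const rest = [];
  for (const v of it) rest.push(v);
  return rest;
}
```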
2408 2015-06-15 Michael Saboff <msaboff@apple.com>
2409
2410 JIT bug - fails when inspector closed, works when open
2411 https://bugs.webkit.org/show_bug.cgi?id=145243
2412
2413 Reviewed by Oliver Hunt.
2414
2415 We need to provide the Arguments object as the base when creating the HeapLocation for
2416 GetFromArguments and PutToArguments. Otherwise we end up creating a HeapLocation for
2417 any arguments object, not the one we need.
2418
2419 * dfg/DFGClobberize.h:
2420 (JSC::DFG::clobberize):
2421
2422 2015-06-13 Joseph Pecoraro <pecoraro@apple.com>
2423
2424 Web Inspector: console.table() with a list of objects no longer works
2425 https://bugs.webkit.org/show_bug.cgi?id=145952
2426
2427 Reviewed by Timothy Hatcher.
2428
2429 * inspector/InjectedScriptSource.js:
2430 (InjectedScript.RemoteObject.prototype._generatePreview):
2431 Calling generatePreview again was actually starting with a preview
2432 of the current object instead of the sub-value. Go down the other
2433 path that correctly generates sub-previews. Leave filtering on the
2434 backend unimplemented, which we were already ignoring.
2435
2436 2015-06-13 Youenn Fablet <youenn.fablet@crf.canon.fr>
2437
2438 [Streams API] ReadableJSStream should handle promises returned by JS source start callback
2439 https://bugs.webkit.org/show_bug.cgi?id=145792
2440
2441 Reviewed by Darin Adler.
2442
2443 Added support for JSFunction implemented by std::function.
2444
2445 * runtime/JSFunction.cpp:
2446 (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
2447 (JSC::JSFunction::create):
2448 (JSC::runStdFunction):
2449 * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
2450 * runtime/JSPromise.h:
2451
2452 2015-06-12 Gyuyoung Kim <gyuyoung.kim@webkit.org>
2453
2454 Purge PassRefPtr in JavaScriptCore - 2
2455 https://bugs.webkit.org/show_bug.cgi?id=145834
2456
2457 Reviewed by Darin Adler.
2458
2459 As a step to remove PassRefPtr, this patch cleans up PassRefPtr as much as possible
2460 in JavaScriptCore.
2461
2462 * API/JSClassRef.cpp:
2463 (OpaqueJSClass::create):
2464 * API/JSClassRef.h:
2465 * debugger/DebuggerCallFrame.cpp:
2466 (JSC::DebuggerCallFrame::callerFrame):
2467 * debugger/DebuggerCallFrame.h:
2468 * dfg/DFGJITCompiler.h:
2469 (JSC::DFG::JITCompiler::jitCode):
2470 * inspector/ScriptCallStackFactory.cpp:
2471 (Inspector::createScriptCallStack):
2472 (Inspector::createScriptCallStackForConsole):
2473 (Inspector::createScriptCallStackFromException):
2474 (Inspector::createScriptArguments):
2475 * inspector/ScriptCallStackFactory.h:
2476 * jit/ExecutableAllocator.cpp:
2477 (JSC::ExecutableAllocator::allocate):
2478 * jit/ExecutableAllocator.h:
2479 * jit/ExecutableAllocatorFixedVMPool.cpp:
2480 (JSC::ExecutableAllocator::allocate):
2481 * profiler/LegacyProfiler.cpp:
2482 (JSC::LegacyProfiler::stopProfiling):
2483 * profiler/LegacyProfiler.h:
2484 * runtime/DateInstanceCache.h:
2485 * runtime/Executable.cpp:
2486 (JSC::ScriptExecutable::newCodeBlockFor):
2487 * runtime/Executable.h:
2488 * runtime/GenericTypedArrayView.h:
2489 * runtime/GenericTypedArrayViewInlines.h:
2490 (JSC::GenericTypedArrayView<Adaptor>::create):
2491 (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
2492
2493 2015-06-12 Darin Adler <darin@apple.com>
2494
2495 Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little
2496 https://bugs.webkit.org/show_bug.cgi?id=145935
2497
2498 Reviewed by Anders Carlsson.
2499
2500 Test: js/regexp-toString.html
2501
2502 * runtime/RegExpPrototype.cpp:
2503 (JSC::getFlags): Avoid memory allocation for the flags string by returning it in a character
2504 buffer instead of constructing a WTF::String for it.
2505 (JSC::regExpProtoFuncToString): Require only that the this value be an object; don't require
2506 that it is actually a regular expression object. This is covered in the ES6 specification.
2507 Also removed comment about the "/(?:)/" trick since that is now the responsibility of the
2508 getter for the "source" property. Updated to use getFlags so we do one less memory allocation.
2509 (JSC::regExpProtoGetterFlags): Changed to use getFlags instead of the old flagsString.
2510
2511 2015-06-12 Basile Clement <basile_clement@apple.com>
2512
2513 DFG Object Allocation Sinking should not consider GetClosureVar as escapes
2514 https://bugs.webkit.org/show_bug.cgi?id=145904
2515
2516 Reviewed by Filip Pizlo.
2517
2518 The object allocation sinking phase is currently able to sink
2519 CreateActivation nodes, but will consider any GetClosureVar node as
2520 escaping.
2521
2522 This is not problematic in general as most of the GetClosureVar nodes
2523 we would have been able to sink over will have been eliminated by CSE
2524 anyway. Still, this is an oversight that we should fix since the
2525 machinery is already in place.
2526
2527 * dfg/DFGObjectAllocationSinkingPhase.cpp:
2528 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
2529 * dfg/DFGPromoteHeapAccess.h:
2530 (JSC::DFG::promoteHeapAccess):
2531
2532 2015-06-11 Mark Lam <mark.lam@apple.com>
2533
2534 WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects.
2535 https://bugs.webkit.org/show_bug.cgi?id=145872
2536
2537 Reviewed by Michael Saboff.
2538
2539 In r185259, we changed exception handling code inside the VM to work with
2540 Exception objects instead of the thrown JSValue. The handling code will get the
2541 exception stack trace from the Exception object.
2542
2543 However, there is some code that cannot be updated to pass the Exception object.
2544 An example of this are the ObjC API functions. Those functions are specified to
2545 return any thrown exception JSValue in a JSValueRef. Since these APIs are
2546 public, we cannot arbitrarily change them to use the Exception object.
2547
2548 There is client code that calls these APIs and then passes the returned exception
2549 JSValue to WebCore::reportException() to be reported. WebCore::reportException()
2550 previously relied on the VM::exceptionStackTrace() to provide a cache of the
2551 stack trace of the last thrown exception. VM::exceptionStackTrace() no longer
2552 exists in the current code.
2553
2554 To restore this functionality, we will introduce VM::lastException() which
2555 caches the last thrown Exception object. With this, if the exception passed to
2556 WebCore::reportException() to be reported isn't an Exception object (which has its
2557 own stack trace), reportException() can again use the cached exception stack trace
2558 which is available from VM::lastException().
2559
2560 * heap/Heap.cpp:
2561 (JSC::Heap::visitException):
2562 - visit VM::m_lastException on GCs.
2563
2564 * interpreter/CallFrame.h:
2565 (JSC::ExecState::lastException):
2566 (JSC::ExecState::clearLastException):
2567 - convenience functions to get and clear the last exception.
2568
2569 * runtime/Exception.cpp:
2570 (JSC::Exception::create):
2571 (JSC::Exception::finishCreation):
2572 - add support to create an Exception object without capturing the JS stack trace.
2573 This is needed for making an Exception object to wrap a thrown value that does
2574 not have a stack trace.
2575 Currently, this is only used by WebCore::reportException() when there is no
2576 Exception object and no last exception available to provide a stack trace.
2577
2578 * runtime/Exception.h:
2579 (JSC::Exception::cast): Deleted. No longer needed.
2580
2581 * runtime/VM.h:
2582 (JSC::VM::clearLastException):
2583 (JSC::VM::setException):
2584 (JSC::VM::lastException):
2585 (JSC::VM::addressOfLastException):
2586 - Added support for VM::m_lastException.
2587 VM::m_lastException serves to cache the exception stack of the most recently
2588 thrown exception like VM::exceptionStackTrace() used to before r185259.
2589
2590 * runtime/VMEntryScope.cpp:
2591 (JSC::VMEntryScope::VMEntryScope):
2592 - Clear VM::m_lastException when we re-enter the VM. Exceptions should have been
2593 handled before we re-enter the VM anyway. So, this is a good place to release
2594 the cached last exception.
2595
2596 NOTE: this is also where the old code before r185259 clears the last exception
2597 stack trace. So, we're just restoring the previous behavior here in terms of
2598 the lifecycle of the last exception stack.
2599
2600 2015-06-11 Andreas Kling <akling@apple.com>
2601
2602 jsSubstring() should support creating substrings from substrings.
2603 <https://webkit.org/b/145427>
2604
2605 Reviewed by Geoffrey Garen.
2606
2607 Tweak jsSubstring() to support base strings that are themselves substrings.
2608 They will now share the same grandparent base. This avoids creating a new StringImpl.
2609
2610 * runtime/JSString.h:
2611 (JSC::jsSubstring): Don't force rope resolution here. Instead do that in finishCreation()
2612 if the base string is a non-substring rope. Note that resolveRope() is the very last thing
2613 called, since it may allocate and the JSRopeString needs to be ready for marking.
2614
2615 (JSC::JSString::isSubstring): Added a helper to find out if a JSString is
2616 a substring. This is just for internal use, so you don't have to cast to
2617 JSRopeString for the real substringness flag.
2618
2619 2015-06-11 Commit Queue <commit-queue@webkit.org>
2620
2621 Unreviewed, rolling out r185465.
2622 https://bugs.webkit.org/show_bug.cgi?id=145893
2623
2624 "This patch is breaking 32bit mac build" (Requested by youenn
2625 on #webkit).
2626
2627 Reverted changeset:
2628
2629 "[Streams API] ReadableJSStream should handle promises
2630 returned by JS source start callback"
2631 https://bugs.webkit.org/show_bug.cgi?id=145792
2632 http://trac.webkit.org/changeset/185465
2633
2634 2015-06-11 Youenn Fablet <youenn.fablet@crf.canon.fr>
2635
2636 [Streams API] ReadableJSStream should handle promises returned by JS source start callback
2637 https://bugs.webkit.org/show_bug.cgi?id=145792
2638
2639 Reviewed by Darin Adler.
2640
2641 Added support for JSFunction implemented by std::function.
2642
2643 * runtime/JSFunction.cpp:
2644 (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
2645 (JSC::JSFunction::create):
2646 (JSC::runStdFunction):
2647 * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
2648 * runtime/JSPromise.h:
2649
2650 2015-06-10 Yusuke Suzuki <utatane.tea@gmail.com>
2651
2652 ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html
2653 https://bugs.webkit.org/show_bug.cgi?id=145599
2654
2655 Unreviewed, simple follow up patch.
2656
2657 Use jsString instead of jsMakeNontrivialString
2658 since the flag string may be trivial (0 or 1 length).
2659
2660 * runtime/RegExpPrototype.cpp:
2661 (JSC::regExpProtoGetterFlags):
2662
2663 2015-06-10 Yusuke Suzuki <utatane.tea@gmail.com>
2664
2665 JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
2666 https://bugs.webkit.org/show_bug.cgi?id=90678
2667
2668 Reviewed by Darin Adler.
2669
2670 After ES6, escaped reserved words in identifiers are prohibited.
2671 After parsing Identifier, we should perform `m_buffer16.shrink(0)`.
2672
2673 * parser/Lexer.cpp:
2674 (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2675 * tests/mozilla/ecma_3/Unicode/uc-003.js:
2676 (test): Deleted.
2677 * tests/stress/reserved-word-with-escape.js: Added.
2678 (testSyntax):
2679 (testSyntaxError):
2680
2681 2015-06-10 Jordan Harband <ljharb@gmail.com>
2682
2683 Implement RegExp.prototype.flags
2684 https://bugs.webkit.org/show_bug.cgi?id=145599
2685
2686 Reviewed by Geoffrey Garen.
2687 Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-regexp.prototype.flags
2688
2689 * runtime/CommonIdentifiers.h:
2690 * runtime/RegExpPrototype.cpp:
2691 (JSC::flagsString):
2692 (JSC::regExpProtoFuncToString):
2693 (JSC::regExpProtoGetterFlags):
2694 * tests/stress/static-getter-in-names.js:
2695
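An added example, not code from the JavaScriptCore ChangeLog or its tests, covering the RegExp.prototype.flags entries above together with Darin Adler's 2015-06-12 RegExp.prototype.toString entry: the flags getter is generic (it reads the boolean flag properties of any object receiver and may yield an empty or one-character string), and toString only requires that `this` be an object. The reference getter below assumes the five ES6 flags in the draft's "gimuy" order.

```javascript
// Added example (not JavaScriptCore code). The built-in getter, extracted so it can
// be invoked on receivers that are not RegExp instances.
const flagsGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, 'flags').get;

// Reference implementation of the ES6 draft algorithm (assumption: only the five
// ES6 flags, in spec order; later editions add more, which these inputs never set).
function referenceFlags(obj) {
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function'))
    throw new TypeError('RegExp.prototype.flags requires an object receiver');
  let result = '';
  if (obj.global)     result += 'g';
  if (obj.ignoreCase) result += 'i';
  if (obj.multiline)  result += 'm';
  if (obj.unicode)    result += 'u';
  if (obj.sticky)     result += 'y';
  return result;
}

// Calls the engine's getter on an arbitrary receiver (RegExp or plain object).
function builtinFlags(receiver) {
  return flagsGetter.call(receiver);
}

// ES6 toString: "/" + source + "/" + flags, read from whatever object is `this`.
function genericToString(receiver) {
  return RegExp.prototype.toString.call(receiver);
}

// True when calling `fn` with a primitive `this` is rejected with a TypeError,
// which is what the spec requires for both accessors on non-object receivers.
function rejectsPrimitiveReceiver(fn, primitive) {
  try {
    fn.call(primitive);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed receivers: real RegExps plus plain objects that merely look like one.
const samples = [
  /a/gi,                               // ordinary flags
  /a/,                                 // empty flags string (length 0)
  /a/y,                                // single flag (length 1)
  { global: true, sticky: true },      // plain object: getter is still generic
  { multiline: 1, ignoreCase: '' },    // truthiness, not strict booleans
];

// Compares the engine against the reference for every sample; returns mismatches.
function mismatches() {
  return samples
    .map(s => [builtinFlags(s), referenceFlags(s)])
    .filter(([actual, expected]) => actual !== expected);
}
```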
2696 2015-06-10 Filip Pizlo <fpizlo@apple.com>
2697
2698 DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager
2699 https://bugs.webkit.org/show_bug.cgi?id=145853
2700
2701 Unreviewed, remove the assertion.
2702
2703 * dfg/DFGCSEPhase.cpp:
2704
2705 2015-06-10 Commit Queue <commit-queue@webkit.org>
2706
2707 Unreviewed, rolling out r185414.
2708 https://bugs.webkit.org/show_bug.cgi?id=145844
2709
2710 broke debug and jsc tests (Requested by alexchristensen on
2711 #webkit).
2712
2713 Reverted changeset:
2714
2715 "JavaScript: Drop the “escaped reserved words as identifiers”
2716 compatibility measure"
2717 https://bugs.webkit.org/show_bug.cgi?id=90678
2718 http://trac.webkit.org/changeset/185414
2719
2720 2015-06-10 Yusuke Suzuki <utatane.tea@gmail.com>
2721
2722 JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
2723 https://bugs.webkit.org/show_bug.cgi?id=90678
2724
2725 Reviewed by Darin Adler.
2726
2727 After ES6, escaped reserved words in identifiers are prohibited.
2728
2729 * parser/Lexer.cpp:
2730 (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2731 * tests/stress/reserved-word-with-escape.js: Added.
2732 (testSyntax):
2733 (testSyntaxError):
2734
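An added example, not code from the JavaScriptCore ChangeLog or its stress tests, that exercises the parser rule this entry (and its re-landing above) implements: a reserved word written with a Unicode escape is rejected as an identifier, while escapes remain legal in ordinary identifiers and in property names, where an IdentifierName may be a reserved word. The sources are constructed test inputs.

```javascript
// Added example (not JavaScriptCore code). Compiles `source` with the Function
// constructor and reports whether it parsed; only SyntaxError counts as a rejection.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;  // anything else means this harness, not the parser, is broken
  }
}

// Constructed cases: [source, expectedToParse]. The backslash is doubled so the
// escape reaches the parser literally instead of being decoded in this file.
const cases = [
  ['var \\u0069f = 1;',             false],  // "if" via escape: rejected after ES6
  ['var v\\u0061r = 1;',            false],  // "var" via escape, same rule
  ['var \\u0061bc = 1;',            true],   // escape inside a plain identifier
  ['var o = { \\u0069f: 1 };',      true],   // property name may be a reserved word
  ['var o = {}; o.\\u0069f = 1;',   true],   // likewise for member access
  ['if (true) {}',                  true],   // the genuine keyword, unescaped
];

// Returns the sources whose parse result differs from what the rule predicts.
function mismatches() {
  return cases
    .filter(([src, expected]) => parses(src) !== expected)
    .map(([src]) => src);
}
```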
2735 2015-06-10 Andreas Kling <akling@apple.com>
2736
2737 [JSC] InlineCallFrame::arguments should be sized-to-fit.
2738 <https://webkit.org/b/145782>
2739
2740 Reviewed by Darin Adler.
2741
2742 I spotted this Vector<ValueRecovery> looking a bit chubby in Instruments,
2743 with 354 kB of memory allocated on cnet.com.
2744
2745 Use resizeToFit() instead of resize() since we know the final size up front.
2746
2747 * dfg/DFGByteCodeParser.cpp:
2748 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2749
2750 2015-06-09 Chris Dumez <cdumez@apple.com>
2751
2752 Allow one sync GC per gcTimer interval on critical memory pressure warning
2753 https://bugs.webkit.org/show_bug.cgi?id=145773
2754
2755 Reviewed by Geoffrey Garen.
2756
2757 On critical memory pressure warning, we were calling GCController::garbageCollectSoon(),
2758 which does not offer any guarantee on when the garbage collection will actually take
2759 place.
2760
2761 On critical memory pressure, we need to free up memory as soon as possible to avoid
2762 getting killed so this is an issue. Also, the fact that we clear the PageCache on
2763 critical memory pressure means a GC would likely be useful, even if the last
2764 collection did not free much memory.
2765
2766 This patch adds a new GCController::garbageCollectNowIfNotDoneRecently() API that allows
2767 one synchronous GC per gcTimer interval on critical memory pressure warning. This makes
2768 us more responsive to critical memory pressure and avoids doing synchronous GCs too
2769 often.
2770
2771 * heap/FullGCActivityCallback.cpp:
2772 (JSC::FullGCActivityCallback::doCollection):
2773 * heap/FullGCActivityCallback.h:
2774 (JSC::GCActivityCallback::createFullTimer):
2775 * heap/GCActivityCallback.h:
2776 * heap/Heap.cpp:
2777 (JSC::Heap::collectAllGarbageIfNotDoneRecently):
2778 * heap/Heap.h:
2779
2780 * heap/IncrementalSweeper.cpp:
2781 (JSC::IncrementalSweeper::doWork): Deleted.
2782 * heap/IncrementalSweeper.h:
2783
2784 Drop fullSweep() API as it no longer seems useful. garbageCollectNow()
2785 already does a sweep after the full collection.
2786
2787 2015-06-09 Andreas Kling <akling@apple.com>
2788
2789 [JSC] CodeBlock::m_constantRegisters should be sized-to-fit.
2790 <https://webkit.org/b/145784>
2791
2792 Reviewed by Darin Adler.
2793
2794 Spotted this Vector looking chubby on cnet.com, with 1.23 MB of memory
2795 allocated below CodeBlock::setConstantRegisters().
2796
2797 Use resizeToFit() instead since we know the final size up front.
2798 Also removed some unused functions that operated on this constants vector
2799 and the corresponding one in UnlinkedCodeBlock.
2800
2801 * bytecode/CodeBlock.cpp:
2802 (JSC::CodeBlock::addOrFindConstant): Deleted.
2803 (JSC::CodeBlock::findConstant): Deleted.
2804 * bytecode/CodeBlock.h:
2805 (JSC::CodeBlock::setConstantRegisters):
2806 (JSC::CodeBlock::numberOfConstantRegisters): Deleted.
2807 * bytecode/UnlinkedCodeBlock.cpp:
2808 (JSC::UnlinkedCodeBlock::addOrFindConstant): Deleted.
2809 * bytecode/UnlinkedCodeBlock.h:
2810 (JSC::UnlinkedCodeBlock::numberOfConstantRegisters): Deleted.
2811 (JSC::UnlinkedCodeBlock::getConstant): Deleted.
2812
2813 2015-06-09 Andreas Kling <akling@apple.com>
2814
2815 [JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed.
2816 <https://webkit.org/b/145786>
2817
2818 Reviewed by Darin Adler.
2819
2820 These functions already contained comments saying they optimize for size over speed,
2821 but they were using Vector::resize() which adds the usual slack for faster append().
2822
2823 Switch them over to using Vector::resizeToFit() instead, which makes the Vector
2824 allocate a perfectly sized backing store.
2825
2826 Spotted 670 kB of the GetById ones, and 165 kB of PutById on cnet.com, so these
2827 Vectors are definitely worth shrink-wrapping.
2828
2829 * bytecode/PolymorphicGetByIdList.cpp:
2830 (JSC::PolymorphicGetByIdList::addAccess):
2831 * bytecode/PolymorphicPutByIdList.cpp:
2832 (JSC::PolymorphicPutByIdList::addAccess):
2833
2834 2015-06-09 Andreas Kling <akling@apple.com>
2835
2836 [JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit.
2837 <https://webkit.org/b/145787>
2838
2839 Reviewed by Darin Adler.
2840
2841 Saw 108 kB worth of JSPropertyNameEnumerator backing store Vectors on cnet.com.
2842 Use Vector::resizeToFit() since we know the perfect size up front.
2843
2844 * runtime/JSPropertyNameEnumerator.cpp:
2845 (JSC::JSPropertyNameEnumerator::finishCreation):
2846
2847 2015-06-09 Andreas Kling <akling@apple.com>
2848
2849 FunctionExecutable::isCompiling() is weird and wrong.
2850 <https://webkit.org/b/145689>
2851
2852 Reviewed by Geoffrey Garen.
2853
2854 Remove FunctionExecutable::isCompiling() and the clearCodeIfNotCompiling() style
2855 functions that called it before throwing away code.
2856
2857 isCompiling() would consider the executable to be "compiling" if it had a CodeBlock
2858 but no JITCode. In practice, every executable gets a JITCode at the same time as it
2859 gets a CodeBlock, by way of prepareForExecutionImpl().
2860
2861 * debugger/Debugger.cpp:
2862 * heap/Heap.cpp:
2863 (JSC::Heap::deleteAllCompiledCode):
2864 (JSC::Heap::deleteAllUnlinkedFunctionCode):
2865 * inspector/agents/InspectorRuntimeAgent.cpp:
2866 (Inspector::TypeRecompiler::visit):
2867 * runtime/Executable.cpp:
2868 (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
2869 (JSC::FunctionExecutable::clearCodeIfNotCompiling): Deleted.
2870 (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling): Deleted.
2871 * runtime/Executable.h:
2872 * runtime/VM.cpp:
2873 (JSC::StackPreservingRecompiler::visit):
2874
2875 2015-06-09 Yusuke Suzuki <utatane.tea@gmail.com>
2876
2877 Introduce getter definition into static hash tables and use it for getters in RegExp.prototype.
2878 https://bugs.webkit.org/show_bug.cgi?id=145705
2879
2880 Reviewed by Darin Adler.
2881
2882 In this patch, we introduce Accessor type into property tables.
2883 With Accessor type, create_hash_table creates a static getter property.
2884 This getter property is reified in the same way as the static functions.
2885
2886 In the meantime, we only support getter because `putEntry` and `lookupPut`
2887 only work with null setter currently. However, in the spec, there's
2888 no need to add static setter properties. So we will add it if it becomes
2889 necessary in the future.
2890
2891 And at the same time, this patch fixes the issue 145738. Before this patch,
2892 `putEntry` in `JSObject::deleteProperty` adds `undefined` property if
2893 `isValidOffset(...)` is false (deleted). As a result, deleting twice
2894 revives the property with `undefined` value.
2895
2896 If the static functions are reified and the entry is
2897 `BuiltinOrFunctionOrAccessor`, there's no need to execute `putEntry` with
2898 static hash table entry. They should be handled in the normal structure's
2899 looking up because they should be already reified. So added guard for this.
2900
2901 * CMakeLists.txt:
2902 * DerivedSources.make:
2903 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2904 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2905 * JavaScriptCore.xcodeproj/project.pbxproj:
2906 * create_hash_table:
2907 * runtime/JSObject.cpp:
2908 (JSC::getClassPropertyNames):
2909 (JSC::JSObject::put):
2910 (JSC::JSObject::deleteProperty):
2911 (JSC::JSObject::reifyStaticFunctionsForDelete):
2912 * runtime/Lookup.cpp:
2913 (JSC::reifyStaticAccessor):
2914 (JSC::setUpStaticFunctionSlot):
2915 * runtime/Lookup.h:
2916 (JSC::HashTableValue::propertyGetter):
2917 (JSC::HashTableValue::propertyPutter):
2918 (JSC::HashTableValue::accessorGetter):
2919 (JSC::HashTableValue::accessorSetter):
2920 (JSC::getStaticPropertySlot):
2921 (JSC::getStaticValueSlot):
2922 (JSC::putEntry):
2923 (JSC::reifyStaticProperties):
2924 * runtime/PropertySlot.h:
2925 * runtime/RegExpObject.cpp:
2926 (JSC::RegExpObject::getOwnPropertySlot):
2927 (JSC::regExpObjectGlobal): Deleted.
2928 (JSC::regExpObjectIgnoreCase): Deleted.
2929 (JSC::regExpObjectMultiline): Deleted.
2930 (JSC::appendLineTerminatorEscape<LChar>): Deleted.
2931 (JSC::appendLineTerminatorEscape<UChar>): Deleted.
2932 (JSC::regExpObjectSourceInternal): Deleted.
2933 (JSC::regExpObjectSource): Deleted.
2934 * runtime/RegExpPrototype.cpp:
2935 (JSC::RegExpPrototype::getOwnPropertySlot):
2936 (JSC::regExpProtoGetterGlobal):
2937 (JSC::regExpProtoGetterIgnoreCase):
2938 (JSC::regExpProtoGetterMultiline):
2939 (JSC::appendLineTerminatorEscape<LChar>):
2940 (JSC::appendLineTerminatorEscape<UChar>):
2941 (JSC::regExpProtoGetterSourceInternal):
2942 (JSC::regExpProtoGetterSource):
2943 * tests/stress/static-function-delete.js: Added.
2944 (shouldBe):
2945 * tests/stress/static-function-put.js: Added.
2946 (shouldBe):
2947 * tests/stress/static-getter-delete.js: Added.
2948 (shouldBe):
2949 (shouldThrow):
2950 * tests/stress/static-getter-descriptors.js: Added.
2951 (shouldBe):
2952 * tests/stress/static-getter-enumeration.js: Added.
2953 (shouldBe):
2954 * tests/stress/static-getter-get.js: Added.
2955 (shouldBe):
2956 * tests/stress/static-getter-in-names.js: Added.
2957 (shouldBe):
2958 * tests/stress/static-getter-names.js: Added.
2959 (shouldBe):
2960 * tests/stress/static-getter-put.js: Added.
2961 (shouldBe):
2962 (shouldThrow):
2963
2964 2015-06-09 Andreas Kling <akling@apple.com>
2965
2966 [JSC] JSString::getIndex() should avoid reifying substrings.
2967 <https://webkit.org/b/145803>
2968
2969 Reviewed by Darin Adler.
2970
2971 Implement getIndex() using JSString::view(), which cuts it down to a one-liner
2972 and also avoids reifying substrings.
2973
2974 I saw 178 kB of reified substrings below operationGetByVal -> getIndex()
2975 on cnet.com, so this should help.
2976
2977 * runtime/JSString.cpp:
2978 (JSC::JSRopeString::getIndexSlowCase): Deleted.
2979 * runtime/JSString.h:
2980 (JSC::JSString::getIndex):
2981
2982 2015-06-09 Andreas Kling <akling@apple.com>
2983
2984 [JSC] String.prototype.indexOf() should use StringView.
2985 <https://webkit.org/b/145351>
2986
2987 Reviewed by Darin Adler.
2988
2989 Use StringView::find() to implement String.prototype.indexOf().
2990 This avoids reifying the needle and haystack JSStrings in case they
2991 are substrings.
2992
2993 Reduces malloc memory by ~190 kB on cnet.com.
2994
2995 * runtime/StringPrototype.cpp:
2996 (JSC::stringProtoFuncIndexOf):
2997
2998 2015-06-09 Csaba Osztrogonác <ossy@webkit.org>
2999
3000 [cmake] Fix the style issues in cmake project files
3001 https://bugs.webkit.org/show_bug.cgi?id=145755
3002
3003 Reviewed by Darin Adler.
3004
3005 * CMakeLists.txt:
3006
3007 2015-06-08 Gyuyoung Kim <gyuyoung.kim@webkit.org>
3008
3009 Purge PassRefPtr in JavaScriptCore
3010 https://bugs.webkit.org/show_bug.cgi?id=145750
3011
3012 As a step to purge PassRefPtr, this patch replaces PassRefPtr with Ref or RefPtr.
3013
3014 Reviewed by Darin Adler.
3015
3016 * API/JSClassRef.cpp:
3017 (OpaqueJSClass::createNoAutomaticPrototype):
3018 * API/JSClassRef.h:
3019 * API/JSContextRef.cpp:
3020 * API/JSScriptRef.cpp:
3021 (OpaqueJSScript::create):
3022 * API/JSStringRef.cpp:
3023 (JSStringCreateWithCharacters):
	(JSStringCreateWithUTF8CString):
	* API/OpaqueJSString.cpp:
	(OpaqueJSString::create):
	* API/OpaqueJSString.h:
	(OpaqueJSString::create):
	* bytecompiler/StaticPropertyAnalysis.h:
	(JSC::StaticPropertyAnalysis::create):
	* debugger/DebuggerCallFrame.h:
	(JSC::DebuggerCallFrame::create):
	* dfg/DFGToFTLDeferredCompilationCallback.cpp:
	(JSC::DFG::ToFTLDeferredCompilationCallback::create):
	* dfg/DFGToFTLDeferredCompilationCallback.h:
	* dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
	(JSC::DFG::Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create):
	(JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): Deleted.
	* dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
	* dfg/DFGWorklist.cpp:
	(JSC::DFG::Worklist::create):
	(JSC::DFG::ensureGlobalDFGWorklist):
	(JSC::DFG::ensureGlobalFTLWorklist):
	* dfg/DFGWorklist.h:
	* heap/EdenGCActivityCallback.h:
	(JSC::GCActivityCallback::createEdenTimer):
	* heap/FullGCActivityCallback.h:
	(JSC::GCActivityCallback::createFullTimer):
	* heap/GCActivityCallback.h:
	* inspector/InjectedScriptHost.h:
	* inspector/JavaScriptCallFrame.h:
	(Inspector::JavaScriptCallFrame::create):
	* inspector/ScriptArguments.cpp:
	(Inspector::ScriptArguments::create):
	* inspector/ScriptArguments.h:
	* jit/JITStubRoutine.h:
	(JSC::JITStubRoutine::createSelfManagedRoutine):
	* jit/JITToDFGDeferredCompilationCallback.cpp:
	(JSC::JITToDFGDeferredCompilationCallback::create):
	* jit/JITToDFGDeferredCompilationCallback.h:
	* jsc.cpp:
	(jscmain):
	* parser/NodeConstructors.h:
	(JSC::ArrayPatternNode::create):
	(JSC::ObjectPatternNode::create):
	(JSC::BindingNode::create):
	* parser/Nodes.cpp:
	(JSC::FunctionParameters::create):
	* parser/Nodes.h:
	* parser/SourceProvider.h:
	(JSC::StringSourceProvider::create):
	* profiler/Profile.cpp:
	(JSC::Profile::create):
	* profiler/Profile.h:
	* profiler/ProfileGenerator.cpp:
	(JSC::ProfileGenerator::create):
	* profiler/ProfileGenerator.h:
	* profiler/ProfileNode.h:
	(JSC::ProfileNode::create):
	* runtime/DataView.cpp:
	(JSC::DataView::create):
	* runtime/DataView.h:
	* runtime/DateInstanceCache.h:
	(JSC::DateInstanceData::create):
	* runtime/JSPromiseReaction.cpp:
	(JSC::createExecutePromiseReactionMicrotask):
	* runtime/JSPromiseReaction.h:
	* runtime/PropertyNameArray.h:
	(JSC::PropertyNameArrayData::create):
	* runtime/TypeSet.h:
	(JSC::StructureShape::create):
	(JSC::TypeSet::create):
	* runtime/TypedArrayBase.h:
	(JSC::TypedArrayBase::create):
	(JSC::TypedArrayBase::createUninitialized):
	(JSC::TypedArrayBase::subarrayImpl):
	* runtime/VM.cpp:
	(JSC::VM::createContextGroup):
	(JSC::VM::create):
	(JSC::VM::createLeaked):
	* runtime/VM.h:
	* yarr/RegularExpression.cpp:
	(JSC::Yarr::RegularExpression::Private::create):

2015-06-08 Filip Pizlo <fpizlo@apple.com>

	It should be possible to hoist all constants in DFG SSA
	https://bugs.webkit.org/show_bug.cgi?id=145769

	Reviewed by Geoffrey Garen.

	It's sometimes somewhat more efficient, and convenient, to have all constants at the
	top of the root block. We don't require this as an IR invariant because too many phases
	want to be able to insert constants in weird places. But, this phase will be great for
	preparing for https://bugs.webkit.org/show_bug.cgi?id=145768.

	* CMakeLists.txt:
	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
	* JavaScriptCore.xcodeproj/project.pbxproj:
	* dfg/DFGConstantHoistingPhase.cpp: Added.
	(JSC::DFG::performConstantHoisting):
	* dfg/DFGConstantHoistingPhase.h: Added.
	* dfg/DFGPlan.cpp:
	(JSC::DFG::Plan::compileInThreadImpl):

2015-06-07 Filip Pizlo <fpizlo@apple.com>

	The tiny set magic in StructureSet should be available in WTF
	https://bugs.webkit.org/show_bug.cgi?id=145722

	Reviewed by Geoffrey Garen.

	I moved the generic logic of small sets of pointers and moved it into WTF. Now,
	StructureSet is a subclass of TinyPtrSet<Structure*>. There shouldn't be any functional
	change.

	* bytecode/StructureSet.cpp:
	(JSC::StructureSet::filter):
	(JSC::StructureSet::filterArrayModes):
	(JSC::StructureSet::speculationFromStructures):
	(JSC::StructureSet::arrayModesFromStructures):
	(JSC::StructureSet::dumpInContext):
	(JSC::StructureSet::dump):
	(JSC::StructureSet::clear): Deleted.
	(JSC::StructureSet::add): Deleted.
	(JSC::StructureSet::remove): Deleted.
	(JSC::StructureSet::contains): Deleted.
	(JSC::StructureSet::merge): Deleted.
	(JSC::StructureSet::exclude): Deleted.
	(JSC::StructureSet::isSubsetOf): Deleted.
	(JSC::StructureSet::overlaps): Deleted.
	(JSC::StructureSet::operator==): Deleted.
	(JSC::StructureSet::addOutOfLine): Deleted.
	(JSC::StructureSet::containsOutOfLine): Deleted.
	(JSC::StructureSet::copyFromOutOfLine): Deleted.
	(JSC::StructureSet::OutOfLineList::create): Deleted.
	(JSC::StructureSet::OutOfLineList::destroy): Deleted.
	* bytecode/StructureSet.h:
	(JSC::StructureSet::onlyStructure):
	(JSC::StructureSet::StructureSet): Deleted.
	(JSC::StructureSet::operator=): Deleted.
	(JSC::StructureSet::~StructureSet): Deleted.
	(JSC::StructureSet::isEmpty): Deleted.
	(JSC::StructureSet::genericFilter): Deleted.
	(JSC::StructureSet::isSupersetOf): Deleted.
	(JSC::StructureSet::size): Deleted.
	(JSC::StructureSet::at): Deleted.
	(JSC::StructureSet::operator[]): Deleted.
	(JSC::StructureSet::last): Deleted.
	(JSC::StructureSet::iterator::iterator): Deleted.
	(JSC::StructureSet::iterator::operator*): Deleted.
	(JSC::StructureSet::iterator::operator++): Deleted.
	(JSC::StructureSet::iterator::operator==): Deleted.
	(JSC::StructureSet::iterator::operator!=): Deleted.
	(JSC::StructureSet::begin): Deleted.
	(JSC::StructureSet::end): Deleted.
	(JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): Deleted.
	(JSC::StructureSet::ContainsOutOfLine::operator()): Deleted.
	(JSC::StructureSet::copyFrom): Deleted.
	(JSC::StructureSet::OutOfLineList::list): Deleted.
	(JSC::StructureSet::OutOfLineList::OutOfLineList): Deleted.
	(JSC::StructureSet::deleteStructureListIfNecessary): Deleted.
	(JSC::StructureSet::isThin): Deleted.
	(JSC::StructureSet::pointer): Deleted.
	(JSC::StructureSet::singleStructure): Deleted.
	(JSC::StructureSet::structureList): Deleted.
	(JSC::StructureSet::set): Deleted.
	(JSC::StructureSet::setEmpty): Deleted.
	(JSC::StructureSet::getReservedFlag): Deleted.
	(JSC::StructureSet::setReservedFlag): Deleted.
	* dfg/DFGStructureAbstractValue.cpp:
	(JSC::DFG::StructureAbstractValue::clobber):
	(JSC::DFG::StructureAbstractValue::filter):
	(JSC::DFG::StructureAbstractValue::filterSlow):
	(JSC::DFG::StructureAbstractValue::contains):
	* dfg/DFGStructureAbstractValue.h:
	(JSC::DFG::StructureAbstractValue::makeTop):

2015-06-08 Csaba Osztrogonác <ossy@webkit.org>

	[ARM] Add the missing setupArgumentsWithExecState functions after r185240
	https://bugs.webkit.org/show_bug.cgi?id=145754

	Reviewed by Benjamin Poulain.

	* jit/CCallHelpers.h:
	(JSC::CCallHelpers::setupArgumentsWithExecState):

2015-06-08 Brady Eidson <beidson@apple.com>

	Completely remove all IDB properties/constructors when it is disabled at runtime.
	rdar://problem/18429374 and https://bugs.webkit.org/show_bug.cgi?id=137034

	Reviewed by Geoffrey Garen.

	* runtime/CommonIdentifiers.h:

2015-06-06 Mark Lam <mark.lam@apple.com>

	Returned Exception* values need to be initialized to nullptr when no exceptions are thrown.
	https://bugs.webkit.org/show_bug.cgi?id=145720

	Reviewed by Dan Bernstein.

	* debugger/DebuggerCallFrame.cpp:
	(JSC::DebuggerCallFrame::evaluate):

2015-06-05 Mark Lam <mark.lam@apple.com>

	Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren().
	https://bugs.webkit.org/show_bug.cgi?id=145709

	Reviewed by Geoffrey Garen.

	* jsc.cpp:
	(functionSetElementRoot):
	- The Element class has a member of type Root which extends JSDestructibleObject.
	  It should be stored in a WriteBarrier, and visited by visitChildren().

	* runtime/ClonedArguments.cpp:
	(JSC::ClonedArguments::materializeSpecialsIfNecessary):
	(JSC::ClonedArguments::visitChildren):
	* runtime/ClonedArguments.h:
	- Add missing visitChildren().

	* tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added.
	(makeTransientFunction.transientFunc):
	(makeTransientFunction):

2015-06-05 Geoffrey Garen <ggaren@apple.com>

	DropAllLocks RELEASE_ASSERT on iOS
	https://bugs.webkit.org/show_bug.cgi?id=139654

	Reviewed by Mark Lam.

	* runtime/JSLock.cpp:
	(JSC::JSLock::dropAllLocks): Removed a comment because it duplicated
	the code beneath it. Removed a FIXME because we can't ASSERT that
	we're holding the lock. WebKit1 on iOS drops the lock before calling to
	delegates, not knowing whether it holds the lock or not.

	(JSC::JSLock::DropAllLocks::DropAllLocks): Only ASSERT that we are not
	GC'ing if we hold the lock. If we do not hold the lock, it is perfectly
	valid for some other thread, which does hold the lock, to be GC'ing.
	What is not valid is to drop the lock in the middle of GC, since GC
	must be atomic.

2015-06-05 Filip Pizlo <fpizlo@apple.com>

	speculateRealNumber() should early exit if you're already a real number, not if you're already a real double.

	Rubber stamped by Mark Lam.

	This was causing: https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r185261%20(5180)/webaudio/note-grain-on-timing-crash-log.txt

	* dfg/DFGSpeculativeJIT.cpp:
	(JSC::DFG::SpeculativeJIT::speculateRealNumber):

2015-06-05 Mark Lam <mark.lam@apple.com>

	finally blocks should not set the exception stack trace when re-throwing the exception.
	https://bugs.webkit.org/show_bug.cgi?id=145525

	Reviewed by Geoffrey Garen.

	How exceptions presently work:
	=============================
	1. op_throw can throw any JSValue.
	2. the VM tries to capture the stack at the throw point and propagate that as needed.
	3. finally blocks are implemented using op_catch to catch the thrown value, and throws it again using op_throw.

	What's wrong with how it presently works:
	========================================
	1. finally's make for bad exception throw line numbers in the Inspector console.

	    The op_throw in finally will throw the value anew i.e. it captures a stack from the re-throw point.
	    As a result, the Inspector sees the finally block as the throw point. The original stack is lost.

	2. finally's break the Inspector's "Breaks on Uncaught Exception"

	    This is because finally blocks are indistinguishable from catch blocks. As a result, a try-finally,
	    which should break in the Inspector on the throw, does not because the Inspector thought the
	    exception was "caught".

	3. finally's yield confusing break points when the Inspector "Breaks on All Exceptions"

	    a. In a try-finally scenario, the Inspector breaks 2 times: 1 at the throw, 1 at the finally.
	    b. In a for-of loop (which has synthesized finallys), the Inspector will do another break.
	       Similarly for other cases of JS code which synthesize finallys.
	    c. At VM re-entry boundaries (e.g. js throws & returns to native code, which returns to js),
	       the Inspector will do another break if there's an uncaught exception.

	How this patch fixes the issues:
	===============================
	1. We introduce an Exception object that wraps the thrown value and the exception stack.

	    When throwing an exception, the VM will check if the thrown value is an Exception
	    object or not. If it is not an Exception object, then we must be throwing a new
	    exception. The VM will create an Exception object to wrap the thrown value and
	    capture the current stack for it.

	    If the thrown value is already an Exception object, then the requested throw operation
	    must be a re-throw. The VM will not capture a new stack for it.

	2. op_catch will now populate 2 locals: 1 for the Exception, 1 for the thrown JSValue.

	    The VM is aware of the Exception object and uses it for rethrows in finally blocks.
	    JS source code is never aware of the Exception object.

	    JS code is aware of the thrown value. If it throws the caught thrown value, that
	    constitutes a new throw, and a new Exception object will be created for it.

	3. The VM no longer tracks the thrown JSValue and the exception stack. It will only
	   track a m_exception field which is an Exception*.

	4. The BytecodeGenerator has already been updated in a prior patch to distinguish
	   between Catch, Finally, and SynthesizedFinally blocks. The interpreter runtime will
	   now report to the debugger whether we have a Catch handler, not just any handlers.

	    The debugger will use this detail to determine whether to break or not. "Break on
	    uncaught exceptions" will only break if no Catch handler was found.

	    This solves the issue of the debugger breaking at finally blocks, and for-of statements.

	5. The Exception object will also have a flag to indicate whether the debugger has been
	   notified of the Exception being thrown. Once the Interpreter notifies the debugger
	   of the Exception object, it will mark this flag and not notify the debugger again
	   of the same Exception.

	    This solves the issue of the debugger breaking at VM re-entry points due to uncaught
	    exceptions.

	6. The life-cycle of the captured exception stack trace will now follow the life-cycle
	   of the Exception object.

	Other changes:
	7. Change all clients of the VM::exception() to expect an Exception* instead of JSValue.

	8. Fixed a few bugs where thrown exceptions are not cleared before exiting the VM.

	9. Also renamed some variables and classes to better describe what they are.

	* API/JSBase.cpp:
	(JSEvaluateScript):
	(JSCheckScriptSyntax):

	* API/JSObjectRef.cpp:
	(handleExceptionIfNeeded):
	- The functions below all do the same exception check. Added this helper
	  to simplify the code.
	(JSClassCreate):
	(JSObjectMakeFunction):
	(JSObjectMakeArray):
	(JSObjectMakeDate):
	(JSObjectMakeError):
	(JSObjectMakeRegExp):
	(JSObjectGetProperty):
	(JSObjectSetProperty):
	(JSObjectGetPropertyAtIndex):
	(JSObjectSetPropertyAtIndex):
	(JSObjectDeleteProperty):
	(JSObjectCallAsFunction):
	(JSObjectCallAsConstructor):

	* API/JSScriptRef.cpp:
	* API/JSValue.mm:
	(JSContainerConvertor::take):
	(reportExceptionToInspector):

	* API/JSValueRef.cpp:
	(handleExceptionIfNeeded):
	- The functions below all do the same exception check. Added this helper
	  to simplify the code.
	(evernoteHackNeeded):
	(JSValueIsEqual):
	(JSValueIsInstanceOfConstructor):
	(JSValueCreateJSONString):
	(JSValueToNumber):
	(JSValueToStringCopy):
	(JSValueToObject):

	* CMakeLists.txt:
	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
	* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
	* JavaScriptCore.xcodeproj/project.pbxproj:
	- Added new files Exception.h and Exception.cpp.

	* bindings/ScriptFunctionCall.cpp:
	(Deprecated::ScriptFunctionCall::call):
	* bindings/ScriptFunctionCall.h:

	* bytecode/BytecodeList.json:
	- op_catch now has 2 operands: the exception register, and the thrown value register.

	* bytecode/BytecodeUseDef.h:
	(JSC::computeDefsForBytecodeOffset):
	* bytecode/CodeBlock.cpp:
	(JSC::CodeBlock::dumpBytecode):
	(JSC::CodeBlock::handlerForBytecodeOffset):
	* bytecode/CodeBlock.h:
	- handlerForBytecodeOffset() now can look for just Catch handlers only.

	* bytecode/HandlerInfo.h:
	- Cleaned up some white space I accidentally added in a previous patch.

	* bytecompiler/BytecodeGenerator.cpp:
	(JSC::BytecodeGenerator::pushTry):
	(JSC::BytecodeGenerator::popTryAndEmitCatch):
	(JSC::BytecodeGenerator::emitThrowReferenceError):
	(JSC::BytecodeGenerator::emitEnumeration):
	* bytecompiler/BytecodeGenerator.h:
	(JSC::BytecodeGenerator::emitThrow):
	* bytecompiler/NodesCodegen.cpp:
	(JSC::TryNode::emitBytecode):
	- Adding support for op_catch's 2 operands.

	* debugger/Debugger.cpp:
	(JSC::Debugger::hasBreakpoint):
	(JSC::Debugger::pauseIfNeeded):
	(JSC::Debugger::exception):
	* debugger/Debugger.h:
	* debugger/DebuggerCallFrame.cpp:
	(JSC::DebuggerCallFrame::thisValue):
	(JSC::DebuggerCallFrame::evaluate):
	* debugger/DebuggerCallFrame.h:
	(JSC::DebuggerCallFrame::isValid):
	* inspector/InjectedScriptManager.cpp:
	(Inspector::InjectedScriptManager::createInjectedScript):
	* inspector/InspectorEnvironment.h:
	* inspector/JSGlobalObjectInspectorController.cpp:
	(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
	(Inspector::JSGlobalObjectInspectorController::reportAPIException):
	* inspector/JSGlobalObjectInspectorController.h:
	* inspector/JSGlobalObjectScriptDebugServer.h:
	* inspector/JSJavaScriptCallFrame.cpp:
	(Inspector::JSJavaScriptCallFrame::evaluate):
	* inspector/JavaScriptCallFrame.h:
	(Inspector::JavaScriptCallFrame::vmEntryGlobalObject):
	(Inspector::JavaScriptCallFrame::thisValue):
	(Inspector::JavaScriptCallFrame::evaluate):
	* inspector/ScriptCallStackFactory.cpp:
	(Inspector::extractSourceInformationFromException):
	(Inspector::createScriptCallStackFromException):
	* inspector/ScriptCallStackFactory.h:
	* inspector/ScriptDebugServer.cpp:
	(Inspector::ScriptDebugServer::evaluateBreakpointAction):
	(Inspector::ScriptDebugServer::handleBreakpointHit):
	(Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition):
	* inspector/ScriptDebugServer.h:
	* interpreter/CallFrame.h:
	(JSC::ExecState::clearException):
	(JSC::ExecState::exception):
	(JSC::ExecState::hadException):
	(JSC::ExecState::atomicStringTable):
	(JSC::ExecState::propertyNames):
	(JSC::ExecState::clearSupplementaryExceptionInfo): Deleted.

	* interpreter/Interpreter.cpp:
	(JSC::unwindCallFrame):
	(JSC::Interpreter::stackTraceAsString):
	(JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor):
	(JSC::GetCatchHandlerFunctor::operator()):
	(JSC::Interpreter::unwind):
	- Added a check for didNotifyInspectorOfThrow() here to prevent duplicate reports
	  of the same Exception to the debugger.

	(JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): Deleted.
	(JSC::GetExceptionHandlerFunctor::operator()): Deleted.
	- Renamed GetExceptionHandlerFunctor to GetCatchHandlerFunctor since the debugger
	  is only interested in knowing whether we have Catch handlers.

	* interpreter/Interpreter.h:
	(JSC::SuspendExceptionScope::SuspendExceptionScope):
	(JSC::SuspendExceptionScope::~SuspendExceptionScope):
	(JSC::Interpreter::sampler):
	(JSC::ClearExceptionScope::ClearExceptionScope): Deleted.
	(JSC::ClearExceptionScope::~ClearExceptionScope): Deleted.
	- Renamed ClearExceptionScope to SuspendExceptionScope because "clear" implies that
	  we're purging the exception. Instead, we're merely suspending any handling of
	  that exception for a period defined by the scope.

	* jit/AssemblyHelpers.cpp:
	(JSC::AssemblyHelpers::emitExceptionCheck):

	* jit/JITExceptions.cpp:
	(JSC::genericUnwind):
	- Removed the exception argument. It is always the value in VM::exception() anyway.
	  genericUnwind() can just get it from the VM, and save everyone some work.

	* jit/JITExceptions.h:
	* jit/JITOpcodes.cpp:
	(JSC::JIT::emit_op_catch):
	* jit/JITOpcodes32_64.cpp:
	(JSC::JIT::privateCompileCTINativeCall):
	(JSC::JIT::emit_op_catch):
	- Add support for the new op_catch operands.

	* jit/JITOperations.cpp:
	* jit/ThunkGenerators.cpp:
	(JSC::nativeForGenerator):
	* jsc.cpp:
	(functionRun):
	(functionLoad):
	(runWithScripts):
	(runInteractive):
	* llint/LLIntOffsetsExtractor.cpp:
	* llint/LLIntSlowPaths.cpp:
	(JSC::LLInt::LLINT_SLOW_PATH_DECL):

	* llint/LowLevelInterpreter32_64.asm:
	* llint/LowLevelInterpreter64.asm:
	- Add support for the new op_catch operands. Also update the code to handle
	  VM::m_exception being an Exception pointer, not a JSValue.

	* parser/NodeConstructors.h:
	(JSC::TryNode::TryNode):
	* parser/Nodes.h:
	* runtime/CallData.cpp:
	(JSC::call):
	* runtime/CallData.h:

	* runtime/Completion.cpp:
	(JSC::evaluate):
	* runtime/Completion.h:
	(JSC::evaluate):
	- Change evaluate() to take a reference to the returned exception value instead
	  of a pointer. In all but 2 or 3 cases, we want the returned exception anyway.
	  Might as well simplify the code by requiring the reference.

	* runtime/Error.h:
	(JSC::throwVMError):
	(JSC::throwVMTypeError):

	* runtime/Exception.cpp: Added.
	(JSC::Exception::create):
	(JSC::Exception::destroy):
	(JSC::Exception::createStructure):
	(JSC::Exception::visitChildren):
	(JSC::Exception::Exception):
	(JSC::Exception::~Exception):
	* runtime/Exception.h: Added.
	(JSC::Exception::valueOffset):
	(JSC::Exception::cast):
	(JSC::Exception::value):
	(JSC::Exception::stack):
	(JSC::Exception::didNotifyInspectorOfThrow):
	(JSC::Exception::setDidNotifyInspectorOfThrow):

	* runtime/ExceptionHelpers.cpp:
	(JSC::createTerminatedExecutionException):
	(JSC::isTerminatedExecutionException):
	(JSC::createStackOverflowError):
	* runtime/ExceptionHelpers.h:
	* runtime/GetterSetter.cpp:
	(JSC::callGetter):
	* runtime/IteratorOperations.cpp:
	(JSC::iteratorClose):
	* runtime/JSObject.cpp:
	* runtime/JSPromiseConstructor.cpp:
	(JSC::constructPromise):
	* runtime/JSPromiseDeferred.cpp:
	(JSC::updateDeferredFromPotentialThenable):
	(JSC::abruptRejection):
	* runtime/JSPromiseReaction.cpp:
	(JSC::ExecutePromiseReactionMicrotask::run):

	* runtime/VM.cpp:
	(JSC::VM::VM):
	(JSC::VM::releaseExecutableMemory):
	(JSC::VM::throwException):
	(JSC::VM::setStackPointerAtVMEntry):
	(JSC::VM::getExceptionInfo): Deleted.
	(JSC::VM::setExceptionInfo): Deleted.
	(JSC::VM::clearException): Deleted.
	(JSC::clearExceptionStack): Deleted.
	* runtime/VM.h:
	(JSC::VM::targetMachinePCForThrowOffset):
	(JSC::VM::clearException):
	(JSC::VM::setException):
	(JSC::VM::exception):
	(JSC::VM::addressOfException):
	(JSC::VM::exceptionStack): Deleted.
	* runtime/VMEntryScope.cpp:
	(JSC::VMEntryScope::VMEntryScope):
	(JSC::VMEntryScope::setEntryScopeDidPopListener):

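The entry above describes a VM-internal design (a throw of a bare value creates a new Exception wrapper and captures the stack; a throw of an existing Exception is a re-throw that keeps it; the debugger is told about each Exception once). The following is an added C model of that design, not JavaScriptCore code: the VM, Exception, vm_throw_value, vm_rethrow and vm_unwind names, the fixed-size pools, and the two scenarios are this example's own stand-ins for the real types. It contrasts a finally-block re-throw, where the runtime re-throws the Exception itself, with a catch block that does `throw err` on the bare value, which the entry says must count as a new throw.

```c
/* Added example, not JavaScriptCore code: a small C model of the Exception
 * wrapper described in the entry above. All names here (VM, Exception,
 * vm_throw_value, ...) are hypothetical stand-ins for the real JSC types. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 8
#define MAX_EXCEPTIONS 4

typedef struct { int payload; } JSValue;     /* stand-in for any thrown JS value */

/* The wrapper: thrown value + stack captured at the original throw point. */
typedef struct {
    JSValue value;
    const char *stack[MAX_FRAMES];
    size_t stackDepth;
    bool didNotifyInspectorOfThrow;
} Exception;

typedef struct {
    Exception *exception;                    /* like VM::m_exception: NULL when nothing is pending */
    const char *callStack[MAX_FRAMES];       /* frames currently executing */
    size_t callDepth;
    int inspectorNotifications;              /* how often the debugger was told about a throw */
    Exception pool[MAX_EXCEPTIONS];
    size_t poolUsed;
} VM;

static void push_frame(VM *vm, const char *name) { vm->callStack[vm->callDepth++] = name; }
static void pop_frame(VM *vm) { vm->callDepth--; }

/* Throwing a bare JSValue is a *new* throw: wrap it and capture the stack now. */
static Exception *vm_throw_value(VM *vm, JSValue v)
{
    Exception *e = &vm->pool[vm->poolUsed++ % MAX_EXCEPTIONS];
    e->value = v;
    e->stackDepth = vm->callDepth;
    memcpy(e->stack, vm->callStack, vm->callDepth * sizeof e->stack[0]);
    e->didNotifyInspectorOfThrow = false;
    vm->exception = e;
    return e;
}

/* Throwing an Exception that already exists is a re-throw: its stack is kept. */
static void vm_rethrow(VM *vm, Exception *e) { vm->exception = e; }

/* Unwinding reports each Exception to the debugger at most once. */
static void vm_unwind(VM *vm)
{
    Exception *e = vm->exception;
    if (!e->didNotifyInspectorOfThrow) {
        e->didNotifyInspectorOfThrow = true;
        vm->inspectorNotifications++;
    }
}

typedef struct { int stackDepth; int notifications; } Outcome;

// outer() { try { inner(); /* inner throws */ } finally { /* runtime re-throws */ } }
Outcome finally_rethrow(void)
{
    VM vm = {0};
    push_frame(&vm, "outer");
    push_frame(&vm, "inner");
    Exception *e = vm_throw_value(&vm, (JSValue){42});  /* throw point: 2 frames deep */
    vm_unwind(&vm);                                       /* reaches the finally in outer */
    pop_frame(&vm);
    vm_rethrow(&vm, e);                                   /* op_throw of the Exception itself */
    vm_unwind(&vm);                                       /* already notified: stays silent */
    return (Outcome){ (int)vm.exception->stackDepth, vm.inspectorNotifications };
}

// outer() { try { inner(); } catch (err) { throw err; } }: JS only ever sees the value.
Outcome catch_rethrow(void)
{
    VM vm = {0};
    push_frame(&vm, "outer");
    push_frame(&vm, "inner");
    Exception *e = vm_throw_value(&vm, (JSValue){42});
    vm_unwind(&vm);
    pop_frame(&vm);
    JSValue err = e->value;                               /* op_catch: the thrown value lands in a local */
    vm.exception = NULL;                                  /* ... and the pending Exception is cleared */
    vm_throw_value(&vm, err);                             /* a brand-new throw, 1 frame deep */
    vm_unwind(&vm);
    return (Outcome){ (int)vm.exception->stackDepth, vm.inspectorNotifications };
}

int main(void)
{
    Outcome f = finally_rethrow(), c = catch_rethrow();
    printf("finally: stack depth %d, debugger notifications %d\n", f.stackDepth, f.notifications);
    printf("catch:   stack depth %d, debugger notifications %d\n", c.stackDepth, c.notifications);
    return 0;
}
```

The finally path keeps the two-frame stack from the original throw and notifies the debugger once; the catch path produces a fresh one-frame stack and a second notification, which is exactly the distinction the entry draws between the runtime's re-throw and user code throwing the caught value again.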
2015-06-04 Benjamin Poulain <bpoulain@apple.com>

	[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case
	https://bugs.webkit.org/show_bug.cgi?id=145673

	Reviewed by Geoffrey Garen.

	Previously, we were deciding to use out-of-bounds speculation based on two pieces of information:
	-Explicitly detected out-of-bounds accesses tracked on ArrayProfile.
	-The number of times we took the slow cases in the baseline JIT.

	The heuristic based on slow cases was a little too fragile.

	In some cases, we were running into that limit just because the indexing type changes between
	two values (typically Int32Array and DoubleArray). Sometimes we were just unlucky on what
	we used for the inline cache.

	In Kraken, this was hurting us on "audio-beat-detection" and "audio-fft". The array types we see
	change between Int32 and Double. We run into the slow path a bit but never hit
	out-of-bounds.

	By the time we compile in DFG, we have stable Double Arrays but we speculate out-of-bounds based
	on the number of slow cases we took. Because of that, we start boxing the double on GetByVal,
	using DoubleRep, etc. adding a ton of overhead over otherwise very simple operations.

	WebXPRT was also suffering from this problem but the other way around: we were missing
	the out-of-bounds accesses due to changes in indexing types, we were below the threshold
	of slow-path access, thus we predicted in-bounds accesses for code that was doing plenty
	of out-of-bounds.

	This patch fixes the problem by tracking the out-of-bounds access explicitly any time we go
	into the slow path in baseline JIT. Since we no longer miss any out-of-bounds, we can remove
	the slow-path heuristic.

	There is a new additional special case in the C code regarding out-of-bounds: Arguments access.
	Mispredicting out-of-bounds accesses on arguments is a disaster for performance, so those are
	tracked in the way DFG expects it.

	There are a few important cases that are still not covered optimally:
	-PutByVal on Arguments.
	-Get/Put ByVal on TypedArray.
	Those are simply not used by DFG in any way. TypedArrays should probably be looked at in the future.

	* bytecode/ArrayProfile.cpp:
	(JSC::ArrayProfile::computeUpdatedPrediction):
	The inline-cache repatch cases now update the ArrayProfile information. This has no value in baseline
	JIT but it helps avoid one recompile in DFG for the missing ArrayProfile information.

	* bytecode/ArrayProfile.h:
	(JSC::ArrayProfile::setOutOfBounds):
	* dfg/DFGByteCodeParser.cpp:
	(JSC::DFG::ByteCodeParser::getArrayMode):
	(JSC::DFG::ByteCodeParser::parseBlock):
	(JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): Deleted.
	* jit/CCallHelpers.h:
	(JSC::CCallHelpers::setupArgumentsWithExecState):
	* jit/JIT.h:
	* jit/JITInlines.h:
	(JSC::JIT::callOperation):
	* jit/JITOpcodes.cpp:
	(JSC::JIT::emitSlow_op_has_indexed_property):
	* jit/JITOpcodes32_64.cpp:
	(JSC::JIT::emitSlow_op_has_indexed_property):
	* jit/JITOperations.cpp:
	(JSC::canUseFastArgumentAccess):
	This is not my favorite part of this patch.

	I tried having JSObject::canGetIndexQuickly() handle arguments which would put everything
	on the generic path. Unfortunately, that code is very performance sensitive and some benchmarks were
	impacted by over 10%.

	I left JSObject::canGetIndexQuickly() alone, and I added the canUseFastArgumentAccess() mirroring
	how DFG uses out-of-bounds for Arguments.

	(JSC::getByVal):
	* jit/JITOperations.h:
	* jit/JITPropertyAccess.cpp:
	(JSC::JIT::emitSlow_op_get_by_val):
	(JSC::JIT::emitSlow_op_put_by_val):
	* jit/JITPropertyAccess32_64.cpp:
	(JSC::JIT::emitSlow_op_get_by_val):
	(JSC::JIT::emitSlow_op_put_by_val):
	* runtime/JSPromiseFunctions.cpp:
	* tests/stress/get-by-val-out-of-bounds-basics.js: Added.
	(opaqueGetByValOnInt32ArrayEarlyOutOfBounds):
	(testInt32ArrayEarlyOutOfBounds):
	(testIndexingTypeChangesOnInt32Array):
	(opaqueGetByValOnStringArrayHotOutOfBounds):
	(testStringArrayHotOutOfBounds):
	(testIndexingTypeChangesOnStringArray):
	(opaqueGetByValOnStringAndInt32ArrayHotOutOfBounds):
	(testStringAndInt32ArrayHotOutOfBounds):
	(opaqueGetByValOnDoubleArrayHotOutOfBounds):
	* tests/stress/put-by-val-out-of-bounds-basics.js: Added.
	(opaquePutByValOnInt32ArrayEarlyOutOfBounds):
	(testInt32ArrayEarlyOutOfBounds):
	(opaquePutByValOnStringArrayHotOutOfBounds):
	(testStringArrayHotOutOfBounds):

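The entry above argues that "how often did the slow path run" is a poor proxy for "did an out-of-bounds access happen", and gives two opposite failure modes (Kraken: slow paths without any OOB; WebXPRT: OOB accesses hidden behind indexing-type repatches and below the threshold). The following is an added C model of both decision rules, not JavaScriptCore code: the ArrayProfile fields, the threshold, the single cached indexing type (the real profile records a set of observed ArrayModes) and the two constructed workloads are this example's own simplifications. It runs each workload through a baseline-JIT-style get_by_val with the old and the new tracking and shows what each rule would tell the DFG.

```c
/* Added example, not JavaScriptCore code: a C model of the old slow-path
 * heuristic versus the explicit out-of-bounds tracking described above.
 * Field names, the threshold and the workloads are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { ARRAY_INT32, ARRAY_DOUBLE } IndexingType;
typedef struct { IndexingType type; size_t length; } JSArray;

typedef struct {
    IndexingType cachedType;   /* indexing type the inline cache was generated for */
    unsigned slowPathCount;    /* old heuristic input: how often any slow path ran */
    bool outOfBounds;          /* set when an access was actually out of bounds */
} ArrayProfile;

#define SLOW_PATH_THRESHOLD 10u   /* hypothetical "too many slow cases" limit */

/* Baseline-JIT get_by_val. The fast path needs a matching indexing type and an
 * in-bounds index. With explicitTracking == false (old behaviour) a type-mismatch
 * repatch returns without ever looking at the index; with true (this patch) the
 * slow path records out-of-bounds regardless of why it was entered. */
static void baseline_get_by_val(ArrayProfile *p, const JSArray *a, size_t index, bool explicitTracking)
{
    bool typeMismatch = a->type != p->cachedType;
    bool oob = index >= a->length;
    if (!typeMismatch && !oob)
        return;                               /* inline-cached fast path */
    p->slowPathCount++;
    if (typeMismatch) {
        p->cachedType = a->type;              /* repatch the cache for the new type */
        if (!explicitTracking)
            return;                           /* old code: the OOB-ness of this access is lost */
    }
    if (oob)
        p->outOfBounds = true;
}

/* Old DFG decision: explicit flag OR "we went slow too often". */
static bool old_speculate_out_of_bounds(const ArrayProfile *p)
{
    return p->outOfBounds || p->slowPathCount >= SLOW_PATH_THRESHOLD;
}

/* New DFG decision: only what was actually observed. */
static bool new_speculate_out_of_bounds(const ArrayProfile *p)
{
    return p->outOfBounds;
}

typedef struct { const JSArray *array; size_t index; } Access;
typedef struct { bool oldDecision; bool newDecision; } Decision;

static ArrayProfile profile_workload(const Access *accesses, size_t n, bool explicitTracking)
{
    ArrayProfile p = { ARRAY_INT32, 0, false };
    for (size_t i = 0; i < n; i++)
        baseline_get_by_val(&p, accesses[i].array, accesses[i].index, explicitTracking);
    return p;
}

static Decision decide(const Access *accesses, size_t n)
{
    ArrayProfile oldProfile = profile_workload(accesses, n, false);
    ArrayProfile newProfile = profile_workload(accesses, n, true);
    return (Decision){ old_speculate_out_of_bounds(&oldProfile), new_speculate_out_of_bounds(&newProfile) };
}

static const JSArray INTS = { ARRAY_INT32, 8 }, DOUBLES = { ARRAY_DOUBLE, 8 };

/* Kraken-like: one site alternates Int32 and Double arrays, always in bounds.
 * Every access misses the cache, so the slow-path count explodes with no OOB at all. */
Decision alternating_types_in_bounds(void)
{
    Access accesses[50];
    for (int i = 0; i < 50; i++)
        accesses[i] = (Access){ (i & 1) ? &DOUBLES : &INTS, (size_t)(i % 8) };
    return decide(accesses, 50);
}

/* WebXPRT-like: a stable Int32 array except for three reads that are both on a
 * Double array and past the end. Old tracking only sees three repatches. */
Decision rare_type_change_with_oob(void)
{
    Access accesses[50];
    for (int i = 0; i < 50; i++) {
        bool rare = (i == 0 || i == 25 || i == 49);
        accesses[i] = (Access){ rare ? &DOUBLES : &INTS, rare ? INTS.length : (size_t)(i % 8) };
    }
    return decide(accesses, 50);
}

int main(void)
{
    Decision a = alternating_types_in_bounds(), r = rare_type_change_with_oob();
    printf("alternating types, in bounds:   old=%d new=%d\n", a.oldDecision, a.newDecision);
    printf("rare type change with OOB reads: old=%d new=%d\n", r.oldDecision, r.newDecision);
    return 0;
}
```

In the first workload the old rule speculates out-of-bounds on a site that never went out of bounds (the Kraken regression); in the second it predicts in-bounds for a site that did (the WebXPRT one). The explicit flag gets both right, which is why the entry can drop the count-based heuristic entirely.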
2015-06-03 Filip Pizlo <fpizlo@apple.com>

	Simplify unboxing of double JSValues known to be not NaN and not Int32
	https://bugs.webkit.org/show_bug.cgi?id=145618

	Reviewed by Geoffrey Garen.

	In many cases we know that we most likely loaded a non-NaN double value from the heap.
	Prior to this patch, we would do two branches before unboxing the double. This patch
	reduces this to one branch in the common case. Before:

	    if (is int32)
	        unbox int32 and convert to double
	    else if (is number)
	        unbox double
	    else
	        exit

	After:

	    tmp = unbox double
	    if (tmp == tmp)
	        done
	    else if (is int32)
	        unbox int32 and convert to double
	    else
	        exit

	We only use the new style if we have profiling that tells us that we are unlikely to see
	either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch.

	This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up.

	Rolling this back in after I made DFG::SpeculativeJIT call a new version of unboxDouble()
	that doesn't assert that the JSValue is a double, since we are intentionally using it
	before doing the "is a double" test. This wasn't a problem on 32-bit since unboxDouble()
	does no such assertion on 32-bit.

	* dfg/DFGAbstractInterpreterInlines.h:
	(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
	* dfg/DFGFixupPhase.cpp:
	(JSC::DFG::FixupPhase::observeUseKindOnNode):
	(JSC::DFG::FixupPhase::fixEdgeRepresentation):
	(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
	* dfg/DFGNode.h:
	(JSC::DFG::Node::shouldSpeculateDouble):
	(JSC::DFG::Node::shouldSpeculateDoubleReal):
	(JSC::DFG::Node::shouldSpeculateNumber):
	* dfg/DFGSafeToExecute.h:
	(JSC::DFG::SafeToExecuteEdge::operator()):
	* dfg/DFGSpeculativeJIT.cpp:
	(JSC::DFG::SpeculativeJIT::compileDoubleRep):
	(JSC::DFG::SpeculativeJIT::speculateNumber):
	(JSC::DFG::SpeculativeJIT::speculateRealNumber):
	(JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
	(JSC::DFG::SpeculativeJIT::speculate):
	(JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted.
	* dfg/DFGSpeculativeJIT.h:
	* dfg/DFGUseKind.cpp:
	(WTF::printInternal):
	* dfg/DFGUseKind.h:
	(JSC::DFG::typeFilterFor):
	(JSC::DFG::isNumerical):
	* ftl/FTLCapabilities.cpp:
	(JSC::FTL::canCompile):
	* ftl/FTLLowerDFGToLLVM.cpp:
	(JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
	(JSC::FTL::LowerDFGToLLVM::boxDouble):
	(JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
	(JSC::FTL::LowerDFGToLLVM::speculate):
	(JSC::FTL::LowerDFGToLLVM::speculateNumber):
	(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
	(JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal):
	(JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted.
	(JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted.
	* jit/AssemblyHelpers.h:
	(JSC::AssemblyHelpers::branchIfNotOther):
	(JSC::AssemblyHelpers::branchIfInt32):
	(JSC::AssemblyHelpers::branchIfNotInt32):
	(JSC::AssemblyHelpers::branchIfNumber):

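The "before" and "after" pseudo-code in the entry above (the same change is recorded again further down as its original landing, before the roll-out and re-land) relies on a property of JSC's 64-bit NaN-boxing: blindly undoing the double encoding on any non-double value yields a NaN, so a single `tmp == tmp` comparison certifies a real double, and a genuine NaN double is the one case that now falls through to an exit. The following is an added C model of that, not JavaScriptCore code. The tag and offset constants follow the 64-bit JSValue encoding (Int32s carry the top 16 bits set; doubles are stored as their bit pattern plus 2^48; NaNs are purified to one canonical pattern before boxing); the Path enum, the function names and the sample values are this example's own.

```c
/* Added example, not JavaScriptCore code: a C model of the one-branch double
 * unboxing described in the entry above, on the 64-bit NaN-boxing scheme.
 * Tag/offset constants follow JSValue's 64-bit encoding; names, the Path
 * enum and the sample inputs are this example's own. */
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t JSValue64;

#define NUMBER_TAG           0xffff000000000000ull   /* top 16 bits all set: an Int32 */
#define DOUBLE_ENCODE_OFFSET (1ull << 48)            /* doubles are stored as bits + 2^48 */
#define PURE_NAN_BITS        0x7ff8000000000000ull   /* the one NaN pattern that gets boxed */

static JSValue64 box_int32(int32_t i) { return NUMBER_TAG | (uint32_t)i; }

static JSValue64 box_double(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    if (d != d)
        bits = PURE_NAN_BITS;             /* purify NaN so no payload can collide with a tag */
    return bits + DOUBLE_ENCODE_OFFSET;
}

static bool is_int32(JSValue64 v)  { return (v & NUMBER_TAG) == NUMBER_TAG; }
static bool is_number(JSValue64 v) { return (v & NUMBER_TAG) != 0; }

/* Undo the double encoding without checking first. For a cell pointer, an Int32
 * or an immediate (undefined, null, booleans) the subtraction leaves the exponent
 * bits all ones with a non-zero mantissa, i.e. a NaN. */
static double unbox_double(JSValue64 v)
{
    uint64_t bits = v - DOUBLE_ENCODE_OFFSET;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

typedef enum { PATH_DOUBLE, PATH_INT32, PATH_EXIT } Path;
typedef struct { Path path; double value; } Unboxed;

/* Before: two type checks before the double is touched. */
Unboxed unbox_before(JSValue64 v)
{
    if (is_int32(v))
        return (Unboxed){ PATH_INT32, (double)(int32_t)(uint32_t)v };
    if (is_number(v))
        return (Unboxed){ PATH_DOUBLE, unbox_double(v) };
    return (Unboxed){ PATH_EXIT, 0.0 };
}

/* After: unbox first; one comparison settles the common case. */
Unboxed unbox_after(JSValue64 v)
{
    double tmp = unbox_double(v);
    if (tmp == tmp)
        return (Unboxed){ PATH_DOUBLE, tmp };                  /* not NaN: a real double */
    if (is_int32(v))
        return (Unboxed){ PATH_INT32, (double)(int32_t)(uint32_t)v };
    return (Unboxed){ PATH_EXIT, 0.0 };                        /* includes a genuine NaN double */
}

/* The property the fast path depends on: every non-double unboxes to NaN. */
bool unboxes_to_nan(JSValue64 v)
{
    double d = unbox_double(v);
    return d != d;
}

int main(void)
{
    JSValue64 samples[] = { box_double(1.5), box_int32(-7), box_double(NAN),
                            0x10000ull /* cell pointer */, 0xaull /* undefined */ };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        Unboxed b = unbox_before(samples[i]), a = unbox_after(samples[i]);
        printf("%016llx before=%d after=%d value=%g\n",
               (unsigned long long)samples[i], (int)b.path, (int)a.path, a.value);
    }
    return 0;
}
```

The two versions agree on real doubles, Int32s, cells and immediates; they differ only on a boxed NaN, which the old sequence unboxes and the new one exits on. That is the trade the entry spells out: the single branch is only used where profiling says NaN and Int32 are unlikely.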
2015-06-04 Joseph Pecoraro <pecoraro@apple.com>

	Web Inspector: Class constructor appearing as Object Tree property does not include parameters
	https://bugs.webkit.org/show_bug.cgi?id=145661

	Reviewed by Timothy Hatcher.

	* inspector/InjectedScriptSource.js:
	(InjectedScript.prototype._classPreview):
	(InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
	The string we will return for previews of class constructor functions.

	(InjectedScript.RemoteObject):
	(InjectedScript.RemoteObject.prototype._describe):
	No longer return the class name as the description string.
	Instead return the class name for the RemoteObject.className.

2015-06-04 Commit Queue <commit-queue@webkit.org>

	Unreviewed, rolling out r185216.
	https://bugs.webkit.org/show_bug.cgi?id=145666

	it caused a bunch of debug crashes (Requested by pizlo on
	#webkit).

	Reverted changeset:

	"Simplify unboxing of double JSValues known to be not NaN and
	not Int32"
	https://bugs.webkit.org/show_bug.cgi?id=145618
	http://trac.webkit.org/changeset/185216

2015-06-03 Filip Pizlo <fpizlo@apple.com>

	Simplify unboxing of double JSValues known to be not NaN and not Int32
	https://bugs.webkit.org/show_bug.cgi?id=145618

	Reviewed by Geoffrey Garen.

	In many cases we know that we most likely loaded a non-NaN double value from the heap.
	Prior to this patch, we would do two branches before unboxing the double. This patch
	reduces this to one branch in the common case. Before:

	    if (is int32)
	        unbox int32 and convert to double
	    else if (is number)
	        unbox double
	    else
	        exit

	After:

	    tmp = unbox double
	    if (tmp == tmp)
	        done
	    else if (is int32)
	        unbox int32 and convert to double
	    else
	        exit

	We only use the new style if we have profiling that tells us that we are unlikely to see
	either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch.

	This is an 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up.

	* dfg/DFGAbstractInterpreterInlines.h:
	(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
	* dfg/DFGFixupPhase.cpp:
	(JSC::DFG::FixupPhase::observeUseKindOnNode):
	(JSC::DFG::FixupPhase::fixEdgeRepresentation):
	(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
	* dfg/DFGNode.h:
	(JSC::DFG::Node::shouldSpeculateDouble):
	(JSC::DFG::Node::shouldSpeculateDoubleReal):
	(JSC::DFG::Node::shouldSpeculateNumber):
	* dfg/DFGSafeToExecute.h:
	(JSC::DFG::SafeToExecuteEdge::operator()):
	* dfg/DFGSpeculativeJIT.cpp:
	(JSC::DFG::SpeculativeJIT::compileDoubleRep):
	(JSC::DFG::SpeculativeJIT::speculateNumber):
	(JSC::DFG::SpeculativeJIT::speculateRealNumber):
	(JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
	(JSC::DFG::SpeculativeJIT::speculate):
	(JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted.
	* dfg/DFGSpeculativeJIT.h:
	* dfg/DFGUseKind.cpp:
	(WTF::printInternal):
	* dfg/DFGUseKind.h:
	(JSC::DFG::typeFilterFor):
	(JSC::DFG::isNumerical):
	* ftl/FTLCapabilities.cpp:
	(JSC::FTL::canCompile):
	* ftl/FTLLowerDFGToLLVM.cpp:
	(JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
	(JSC::FTL::LowerDFGToLLVM::boxDouble):
	(JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
	(JSC::FTL::LowerDFGToLLVM::speculate):
	(JSC::FTL::LowerDFGToLLVM::speculateNumber):
	(JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
	(JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal):
	(JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted.
	(JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted.
	* jit/AssemblyHelpers.h:
	(JSC::AssemblyHelpers::branchIfNotOther):
	(JSC::AssemblyHelpers::branchIfInt32):
	(JSC::AssemblyHelpers::branchIfNotInt32):
3896 (JSC::AssemblyHelpers::branchIfNumber):
3897
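The before/after sequences in the entry above, modelled in C++ on a 64-bit NaN-boxed value. This is an added illustration, not code from the patch or from JavaScriptCore; the tag and encode-offset constants are assumptions chosen for the example. The point it shows is why one self-compare suffices: subtracting the double-encode offset from anything that is not an encoded double (a tagged int32, a pointer-sized cell, null) leaves a bit pattern in the NaN space, so `tmp == tmp` separates the common non-NaN double from everything else, and a genuine NaN now takes the exit path, exactly the trade-off the entry notes.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Assumed NaN-boxing layout for this example (not taken from JSValue.h):
// int32  -> top 16 bits all ones, low 32 bits the integer
// double -> raw IEEE bits plus 2^48, so real doubles never collide with the tag space
// cell   -> a pointer, whose top 16 bits are zero
static const uint64_t kNumberTag = 0xffff000000000000ull;
static const uint64_t kDoubleEncodeOffset = 0x0001000000000000ull;

struct Boxed { uint64_t bits; };

static Boxed boxInt32(int32_t v) { return { kNumberTag | (uint64_t)(uint32_t)v }; }
static Boxed boxDouble(double d) {
    uint64_t b;
    std::memcpy(&b, &d, sizeof b);
    return { b + kDoubleEncodeOffset };
}
static Boxed boxCell(uint64_t fakePointer) { return { fakePointer }; }

static bool isInt32(Boxed v) { return (v.bits & kNumberTag) == kNumberTag; }
static bool isNumber(Boxed v) { return (v.bits & kNumberTag) != 0; }
static double int32ToDouble(Boxed v) { return (double)(int32_t)(uint32_t)v.bits; }

// Blindly undo the double encoding. For a non-double this yields a NaN pattern.
static double unboxDoubleBits(Boxed v) {
    uint64_t b = v.bits - kDoubleEncodeOffset;
    double d;
    std::memcpy(&d, &b, sizeof d);
    return d;
}

enum class Outcome { Done, Exit };
struct Unboxed { Outcome outcome; double value; };

// "Before": two type branches before the double is touched; a NaN double is accepted.
static Unboxed unboxBefore(Boxed v) {
    if (isInt32(v))
        return { Outcome::Done, int32ToDouble(v) };
    if (isNumber(v))
        return { Outcome::Done, unboxDoubleBits(v) };
    return { Outcome::Exit, 0.0 };
}

// "After": optimistic unbox, one branch in the common case; NaN (real or synthetic) falls through.
static Unboxed unboxAfter(Boxed v) {
    double tmp = unboxDoubleBits(v);
    if (tmp == tmp)                       // only a non-NaN double gets here
        return { Outcome::Done, tmp };
    if (isInt32(v))                       // synthetic NaN from an int32 tag
        return { Outcome::Done, int32ToDouble(v) };
    return { Outcome::Exit, 0.0 };        // cell, or a genuine NaN double
}
```

The two helpers agree on doubles, int32s and cells; they differ only on a NaN double, which the old sequence accepts and the new one exits on, which is why the entry gates the new form on profiling that says NaN is unlikely.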
2015-06-04 Filip Pizlo <fpizlo@apple.com>

SideState should be a distinct abstract heap from Heap and Stack
https://bugs.webkit.org/show_bug.cgi?id=145653

Reviewed by Geoffrey Garen.

Before, SideState fit into the hierarchy like so:

World
|
+-- Stack
|
+-- Heap
    |
    +-- SideState

Now we will have:

World
|
+-- Stack
|
+-- Heap
|
+-- SideState

This makes it easy to ask if a writing operation wrote to anything that is observable even
if we don't exit. SideState is only observable if we exit.

* dfg/DFGAbstractHeap.h:
(JSC::DFG::AbstractHeap::AbstractHeap):
(JSC::DFG::AbstractHeap::supertype):

2015-06-04 Chris Dumez <cdumez@apple.com>

[WK2] Prune more resources from the MemoryCache before process suspension
https://bugs.webkit.org/show_bug.cgi?id=145633

Reviewed by Andreas Kling.

No longer protect IncrementalSweeper::fullSweep() behind
USE(CF) so we don't need #ifdefs at call sites, similarly to what is
done for the rest of the IncrementalSweeper API.

* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::fullSweep):
* heap/IncrementalSweeper.h:

2015-06-01 Filip Pizlo <fpizlo@apple.com>

CallLinkStatus should return takesSlowPath if the GC often cleared the IC
https://bugs.webkit.org/show_bug.cgi?id=145502

Reviewed by Geoffrey Garen.

CallLinkInfo now remembers when it has been cleared by GC. This has some safeguards for when
a call gets cleared by GC only because we hadn't converted it into a closure call; in that
case the GC will just tell us that it should be a closure call. The DFG will not optimize
a call that was cleared by GC, and the DFG will always prefer a closure call if the GC told
us that the specific callee was dead but the executable wasn't.

This guards us from some scenarios that came up in Speedometer. It's neutral on the pure JS
benchmarks, most likely just because those benchmarks aren't real enough to have interesting
GC of code.

* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::visitWeak):
(JSC::CallLinkInfo::dummy):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::CallLinkInfo):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromCallLinkInfo):

2015-06-02 Filip Pizlo <fpizlo@apple.com>

GetById and PutById profiling should be more precise about whether it takes slow path
https://bugs.webkit.org/show_bug.cgi?id=145590

Reviewed by Geoffrey Garen.

If a ById access ever takes slow path, we want the DFG and FTL to know this. Previously we
were relying on slow path counts, which conflate slow paths taken due to a megamorphic
access and slow paths taken due to IC building.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::StructureStubInfo):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetById):
* jit/JITOperations.cpp:
* jit/JITOperations.h:

2015-06-03 Michael Saboff <msaboff@apple.com>

Improve test coverage for changes made in 145527
https://bugs.webkit.org/show_bug.cgi?id=145578

Reviewed by Geoffrey Garen.

Added more complexity to poly-setter-combo.js stress test to create more turmoil in the
polymorphic get-by-id / put-by-id with getters and setters to exercise the code change in
https://bugs.webkit.org/show_bug.cgi?id=145527. By changing the objects that the main test
function sees, we are able to test those paths. Verified with temporary logging code.

* tests/stress/poly-setter-combo.js:
(Cons2):
(Cons3):
(Cons4):
(foo):
(test):
(runTestWithConstructors):

2015-06-02 Mark Lam <mark.lam@apple.com>

Gardening: fix broken CLoop build.

Not reviewed.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeExitSiteData):

2015-06-02 Keith Miller <keith_miller@apple.com>

JavaScriptCore: JSExport protocol with an NSInteger property converts negative values to 18446744073709552000
https://bugs.webkit.org/show_bug.cgi?id=145563

Reviewed by Darin Adler.

The Objective-C bindings were improperly converting negative
long long/NSIntegers to 18446744073709552000 because they
were converted to unsigned numbers.

* API/ObjcRuntimeExtras.h:
(parseObjCType):
* API/tests/testapi.mm:
(testObjectiveCAPIMain):
(checkNegativeNSIntegers):
(testObjectiveCAPI):

2015-06-02 Yusuke Suzuki <utatane.tea@gmail.com>

Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496)
https://bugs.webkit.org/show_bug.cgi?id=145532

Reviewed by Geoffrey Garen.

AtomicStringImpl::lookUp returns AtomicStringImpl*;
it doesn't give any ownership to the caller.
Originally, this is ok because the ownership is taken
by AtomicStringImpl's table (& the register side).

But if we would like to use this returned AtomicStringImpl*,
we should take its ownership immediately,
because if the register side releases its ownership (ref count),
it will be destroyed.

In JSString::toExistingAtomicString, it returns AtomicStringImpl*.
But it's not appropriate.
If the owner of AtomicStringImpl* is always JSString*, it is ok.
But it looks up the table-registered AtomicStringImpl* from
the AtomicStringImpl table. So JSString* may not have the ownership
of the returned AtomicStringImpl*.

The failure situation is the following.

1. A creates AtomicStringImpl. A has its ownership.
   And A registers it to AtomicStringImpl table.
2. JSString looks up the AtomicStringImpl from the table.
   It gets AtomicStringImpl*. And JSString doesn't have its ownership.
   It returns the raw pointer immediately to the users.
3. A is released. There's no owner for AtomicStringImpl*.
   So it's also destroyed.
4. Use the looked-up AtomicStringImpl from (2). It becomes a use-after-free.

This patch fixes it by the following changes.

1. Change the signature of `AtomicStringImpl* AtomicStringImpl::lookUp(...)`
   to `RefPtr<AtomicStringImpl> AtomicStringImpl::lookUp(..)`.
   Use `RefPtr` because it may return `nullptr`.
2. Change the signature of `AtomicStringImpl* JSString::toExistingAtomicString(...)`
   to `RefPtr<AtomicStringImpl> JSString::toExistingAtomicString(...)`.
   Using `RefPtr` is for the same reason.
3. Receive the result with `RefPtr<AtomicStringImpl>` in the caller side.

* dfg/DFGOperations.cpp:
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
* runtime/JSString.h:
(JSC::JSString::toExistingAtomicString):

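The ownership bug in the entry above, reduced to an added, self-contained C++ model. This is not WTF's AtomicStringImpl or the patched code: `AtomicTable`, `AtomicStr`, `lookUpRaw` and `lookUp` are constructed names, and `std::shared_ptr`/`std::weak_ptr` stand in for `RefPtr` and the non-owning table entry. `lookUpRaw` mirrors the old signature (a raw pointer, no reference taken) and `lookUp` the fixed one (an owning pointer that may be null), and the two scenario functions replay steps 1-4 with each.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for an atomized string (not WTF::AtomicStringImpl).
struct AtomicStr {
    std::string chars;
    explicit AtomicStr(std::string s) : chars(std::move(s)) {}
};

// Constructed model of the atomic-string table. Entries are weak: the table
// does not keep a string alive, its owners do, so once the last owner drops
// its reference the entry expires, as in step 3 of the scenario.
class AtomicTable {
    std::map<std::string, std::weak_ptr<AtomicStr>> m_entries;
public:
    // Step 1: the creator registers the string and owns it.
    std::shared_ptr<AtomicStr> add(const std::string& s) {
        if (auto existing = lookUp(s))
            return existing;
        auto p = std::make_shared<AtomicStr>(s);
        m_entries[s] = p;
        return p;
    }

    // Old signature: a raw pointer that confers no ownership.
    AtomicStr* lookUpRaw(const std::string& s) { return lookUp(s).get(); }

    // Fixed signature: the caller receives, and must hold, a reference.
    // Null if absent or already destroyed, which is why a nullable owning
    // pointer type (RefPtr in the patch) is the right return type.
    std::shared_ptr<AtomicStr> lookUp(const std::string& s) {
        auto it = m_entries.find(s);
        if (it == m_entries.end())
            return nullptr;
        return it->second.lock();
    }

    bool isAlive(const std::string& s) { return lookUp(s) != nullptr; }
};

// Steps 1-4 with the old signature: the pointer outlives the object.
// The dangling pointer is only compared against null, never dereferenced.
bool rawLookupDangles() {
    AtomicTable table;
    AtomicStr* raw = nullptr;
    {
        auto a = table.add("foo");      // 1. A creates and registers; A owns.
        raw = table.lookUpRaw("foo");   // 2. a raw pointer comes back, no ref taken.
    }                                   // 3. A released; nothing owns the string, it is destroyed.
    return raw != nullptr && !table.isAlive("foo");   // 4. `raw` now dangles.
}

// The same steps with the fixed signature: taking ownership at lookup keeps it alive.
bool owningLookupKeepsAlive() {
    AtomicTable table;
    std::shared_ptr<AtomicStr> held;
    {
        auto a = table.add("foo");
        held = table.lookUp("foo");     // reference taken immediately, as the patch does.
    }                                   // A released, but `held` still owns the string.
    return held && held->chars == "foo" && table.isAlive("foo");
}
```

The fix is a type-level one: by making the lookup return an owning pointer, every caller is forced to hold a reference for as long as it uses the result, instead of relying on some other owner (the registering side) staying alive.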
2015-05-30 Filip Pizlo <fpizlo@apple.com>

Any exit from any JIT due to profiling for an inline cache should force all future compilations to be wary
https://bugs.webkit.org/show_bug.cgi?id=145496

Reviewed by Geoffrey Garen.

This pessimizes compilation a bit, but it reduces the likelihood of exiting from FTL. I
couldn't find any convincing reason not to do this, and we know from Speedometer that this
change is necessary for weirder code.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::appendVariant):
(JSC::GetByIdStatus::hasExitSite):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::hasExitSite):
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:

2015-05-31 Filip Pizlo <fpizlo@apple.com>

If a call has ever taken the virtual slow path, make sure that the DFG knows this
https://bugs.webkit.org/show_bug.cgi?id=145501

Reviewed by Geoffrey Garen.

We now return higher-fidelity information in the case of no polymorphic call stub. If the
virtual slow path was ever taken, we note this, and we note either zero or one call variant
based on the IC's last callee.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::computeFor):

2015-06-01 Michael Saboff <msaboff@apple.com>

Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24
https://bugs.webkit.org/show_bug.cgi?id=145527

Reviewed by Filip Pizlo.

If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNodes that reference it.
Added plumbing to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo
is going away.

* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::~CallLinkInfo):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::unlink):
(JSC::PolymorphicCallNode::clearCallLinkInfo):
(JSC::PolymorphicCallCase::dump):
(JSC::PolymorphicCallStubRoutine::edges):
(JSC::PolymorphicCallStubRoutine::clearCallNodesFor):
(JSC::PolymorphicCallStubRoutine::visitWeak):
* jit/PolymorphicCallStubRoutine.h:
(JSC::PolymorphicCallNode::hasCallLinkInfo):

2015-06-01 Mark Lam <mark.lam@apple.com>

Add the ability to tell between Catch and Finally blocks.
https://bugs.webkit.org/show_bug.cgi?id=145524

Reviewed by Michael Saboff.

... and also SynthesizedFinally blocks too. A SynthesizedFinally block
is a finally block that is synthesized by the bytecode generator but
does not actually correspond to any exception handling construct at the
JS source code level. An example of this is the "for ... of" statement
where it needs to do some "final" clean up before passing on the
exception.

Manually tested by inspecting the bytecode dump of functions with
try-catch-finally blocks as well as for...of statements which have
synthesized finally blocks. The bytecode dumps contain the exception
handlers table which has these blocks labelled with their newly added
types. No automatic test because this type info is not visible to JS
code.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/HandlerInfo.h:
(JSC::HandlerInfoBase::type):
(JSC::HandlerInfoBase::setType):
(JSC::HandlerInfoBase::typeName):
(JSC::HandlerInfoBase::isCatchHandler):
(JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
(JSC::HandlerInfo::initialize):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::pushTry):
(JSC::BytecodeGenerator::popTryAndEmitCatch):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitThrow):
* bytecompiler/NodesCodegen.cpp:
(JSC::TryNode::emitBytecode):

2015-05-29 Geoffrey Garen <ggaren@apple.com>

REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
https://bugs.webkit.org/show_bug.cgi?id=145412

Reviewed by Darin Adler.

Moar speedup.

Added a bucket sort for string sorting.

* builtins/Array.prototype.js:
(sort.compactSparse):
(sort.compactSlow):
(sort.compact): Split out a compaction fast path for dense arrays. Without
it, compaction can increase sort time by 2X for simple sorts.

(sort.bucketSort):
(sort.stringSort): Use a bucket sorting algorithm if we know we're sorting
strings. This makes average case string sorting O(N) with O(N) additional
memory use.

The worst case bucket sort can require O(M * N) additional
space. We avoid this by falling back to merge sort when things are
simple or overly duplicative. These are the two cases that accumulate
excessive -- and potentially pathological -- bucketing overhead.

2015-06-01 Mark Lam <mark.lam@apple.com>

HandlerInfo::initialize() should not assume that CodeLocationLabel is available.
https://bugs.webkit.org/show_bug.cgi?id=145515

Reviewed by Csaba Osztrogonác.

CodeLocationLabel is only defined for ENABLE(ASSEMBLER) builds. r185022's
attempt at simplifying code to increase readability failed to take this into
account. This patch fixes it.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/HandlerInfo.h:
(JSC::HandlerInfo::initialize):

2015-05-31 Filip Pizlo <fpizlo@apple.com>

Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=145503.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::inliningCost):

2015-05-31 Yusuke Suzuki <utatane.tea@gmail.com>

[ES6] Drop WeakMap#clear
https://bugs.webkit.org/show_bug.cgi?id=145489

Reviewed by Mark Lam.

The ES6 spec intentionally drops WeakMap#clear
to allow engines to implement WeakMap as a per-object table.

This patch drops WeakMap.prototype.clear.

* runtime/WeakMapPrototype.cpp:
(JSC::WeakMapPrototype::finishCreation): Deleted.
(JSC::protoFuncWeakMapClear): Deleted.

2015-05-31 Jordan Harband <ljharb@gmail.com>

Array#reduce and reduceRight don't follow ToLength
https://bugs.webkit.org/show_bug.cgi?id=145364
Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength

Reviewed by Yusuke Suzuki.

* builtins/Array.prototype.js:
(reduce):
(reduceRight):
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::finishCreation):
(JSC::arrayProtoFuncReduce): Deleted.
(JSC::arrayProtoFuncReduceRight): Deleted.

2015-05-29 Filip Pizlo <fpizlo@apple.com>

FTL codegen for MultiGetByOffset and MultiPutByOffset where the structure set is already proved should have an unreachable default case instead of an exit
https://bugs.webkit.org/show_bug.cgi?id=145469

Reviewed by Geoffrey Garen.

Omitting the speculation on the fail path when the speculation is guaranteed not to be
taken hints to LLVM that the default case is impossible. This enables some useful
optimizations.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):

2015-05-29 Mark Lam <mark.lam@apple.com>

Refactoring HandlerInfo and UnlinkedHandlerInfo.
https://bugs.webkit.org/show_bug.cgi?id=145480

Reviewed by Benjamin Poulain.

HandlerInfo and UnlinkedHandlerInfo have common parts, but are not currently
expressed as 2 unrelated structs that happen to have near identical fields.
We can refactor them to better express their relationship. We can also add
some convenience functions to make the code that uses them a little more
readable.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::handlerForBytecodeOffset):
* bytecode/HandlerInfo.h:
(JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
(JSC::HandlerInfo::initialize):
- I chose to include CodeLocationLabel arg even though it is unused by
non-JIT builds. This makes the call site cleaner to read.

* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedSimpleJumpTable::add):
(JSC::UnlinkedInstruction::UnlinkedInstruction):
(JSC::UnlinkedCodeBlock::numberOfExceptionHandlers):
(JSC::UnlinkedCodeBlock::addExceptionHandler):
(JSC::UnlinkedCodeBlock::exceptionHandler):
(JSC::UnlinkedCodeBlock::symbolTable):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):

2015-05-28 Filip Pizlo <fpizlo@apple.com>

Non-speculative Branch should be fast in the FTL
https://bugs.webkit.org/show_bug.cgi?id=145452

Reviewed by Andreas Kling.

Inlines the code for convertJSValueToBoolean into the FTL. This also includes some other
clean-ups that I found along the way.

I found this by looking at the hottest functions in DeltaBlue. Despite having so many
Branch specializations, apparently there was still a hot one that we missed that was going
down the untyped path. It was either Int32 or Other. Maybe we could specialize for that
combo, but it makes so much sense to just make all of this nonsense fast.

* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle): Need to watch the masquerades watchpoint on UntypedUse: forms of Branch now.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::boolify): The actual fix.
(JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::isInt32):
(JSC::FTL::LowerDFGToLLVM::isNotInt32):
(JSC::FTL::LowerDFGToLLVM::unboxInt32):
* runtime/JSCellInlines.h:
(JSC::JSCell::toBoolean): Symbol is always true.
(JSC::JSCell::pureToBoolean): Symbol is always true.
* runtime/JSString.cpp:
(JSC::JSString::getPrimitiveNumber):
(JSC::JSString::toNumber):
(JSC::JSString::toBoolean): Deleted. This is a tiny method. It doesn't need to be out-of-line.
* runtime/JSString.h:
(JSC::JSString::length):
(JSC::JSString::toBoolean): This method should be inline.
* runtime/Symbol.cpp:
(JSC::Symbol::toPrimitive):
(JSC::Symbol::getPrimitiveNumber):
(JSC::Symbol::toBoolean): Deleted. A Symbol is always true, so we don't need a method for this.
* runtime/Symbol.h:

2015-05-29 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r184860.
https://bugs.webkit.org/show_bug.cgi?id=145456

May have caused ~1% Octane regression (Requested by kling on
#webkit).

Reverted changeset:

"Try to use StringView when comparing JSStrings for equality."
https://bugs.webkit.org/show_bug.cgi?id=145379
http://trac.webkit.org/changeset/184860

2015-05-28 Michael Saboff <msaboff@apple.com>

mozilla/js1_5/Array/regress-154338.js test causes ARM 32 bit iOS devices to run out of memory
https://bugs.webkit.org/show_bug.cgi?id=145444

Reviewed by Geoffrey Garen.

Disabled mozilla/js1_5/Array/regress-154338.js when run on iOS ARM 32 bit devices and
the --memory-limited option is passed to run-jsc-stress-tests.

* tests/mozilla/mozilla-tests.yaml:

2015-05-28 Benjamin Poulain <benjamin@webkit.org>

[iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks.
https://bugs.webkit.org/show_bug.cgi?id=138038

Reviewed by Michael Saboff.

TL;DR: sometimes the baseline JIT could accidentally nuke the tag before calling
to C++, making put_by_id behave erratically.

The bug was that put_by_id would randomly not work correctly in 32bits. It happened
in the baseline JIT if we were unlucky enough:
- The code gets hot enough and the structure is stable so we get a fast path for
  put_by_id.
- We repatch the fast-path branch with a stub generated by
  emitPutTransitionStubAndGetOldStructure().
- In emitPutTransitionStubAndGetOldStructure(), we only preserve the payload of the base
  register, the tag register is ignored.
- emitPutTransitionStubAndGetOldStructure() allocates 2 to 3 registers. Any of those
  could be the one used for the base's tag before the fast path and the value is trashed.
- If we hit one of the failure cases, we fall back to the slow path, but we destroyed
  the tag pointer.
- We now have unrelated bits in the tag, the most likely value type is now "double"
  and we fail the put_by_id because we try to set a property on a number.

The most obvious solution would be to change emitPutTransitionStubAndGetOldStructure()
to preserve the tag register in addition to the value register.
I decided against that option because of the added complexity. The DFG does not need
that case, so I would have to add branches everywhere to distinguish the cases
where we need to preserve the tag or not.

Instead, I just load the tag back from memory in the slow path. The function in the slow
path is several orders of magnitude slower than a load, it is not worth eliminating it,
especially in baseline JIT.

I also discovered 4 useless loads in the fast path, so even with my extra load, this patch
makes the baseline faster :)

* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emit_op_put_by_id): Deleted.
* tests/stress/put-by-id-on-new-object-after-prototype-transition-non-strict.js: Added.
(opaqueNewObject):
(putValueOnNewObject):
* tests/stress/put-by-id-on-new-object-after-prototype-transition-strict.js: Added.
(string_appeared_here.opaqueNewObject):
(putValueOnNewObject):

2015-05-28 Benjamin Poulain <benjamin@webkit.org>

[JSC] Reduce the iteration count of the DoubleRep stress tests

Once again, I used big numbers for manual testing and I forgot to fix them before landing.

* tests/stress/double-rep-with-non-cell.js:
* tests/stress/double-rep-with-null.js:
* tests/stress/double-rep-with-undefined.js:

2015-05-28 Basile Clement <basile_clement@apple.com>

Add debug mode assertions for accessors casting JSC::DFG::Node.m_opInfo
https://bugs.webkit.org/show_bug.cgi?id=145441

Reviewed by Filip Pizlo.

Most accessor functions casting m_opInfo in JSC::DFG::Node are
performing debug checks that they are only accessed for node types that
should have them. This patch adds similar checks for the accessors that
were missing them.

* dfg/DFGNode.h:
(JSC::DFG::Node::watchpointSet):
(JSC::DFG::Node::storagePointer):
(JSC::DFG::Node::multiGetByOffsetData):
(JSC::DFG::Node::multiPutByOffsetData):
(JSC::DFG::Node::hasTypeLocation):
(JSC::DFG::Node::typeLocation):
(JSC::DFG::Node::hasBasicBlockLocation):
(JSC::DFG::Node::basicBlockLocation):

2015-05-28 Matt Rajca <mrajca@apple.com>

Add ENABLE_MEDIA_SESSION feature flag (which is off by default).
https://bugs.webkit.org/show_bug.cgi?id=145415

Reviewed by Eric Carlson.

* Configurations/FeatureDefines.xcconfig:

2015-05-27 Jordan Harband <ljharb@gmail.com>

Array.of should work with other constructors
https://bugs.webkit.org/show_bug.cgi?id=145365
Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.of
step 4

Reviewed by Yusuke Suzuki.

* builtins/ArrayConstructor.js:
(of):
* runtime/ArrayConstructor.cpp:
(JSC::arrayConstructorOf): Deleted.

2015-05-27 Benjamin Poulain <bpoulain@apple.com>

[JSC] Add undefined->double conversion to DoubleRep
https://bugs.webkit.org/show_bug.cgi?id=145293

Reviewed by Filip Pizlo.

This patch adds undefined to double conversion to the DoubleRep
node for the cases where we speculate "undefined" as part of the types
processed.

The use case is doing math with accidental out-of-bounds access. For example,
something like:
for (var i = 0; i <= length; ++i)
    output += array[i];

would cause us to OSR exit every time i === length.

When hitting one of those cases, we would already speculate double math,
but the DoubleRep node was unable to convert the undefined and would exit.

With this patch the use kind NotCellUse covers this conversion for DoubleRep.
I have been quite conservative so in general we will not find "undefined"
until a few recompiles but being optimistic seems better since this is a corner case.

This patch is an 80% progression on WebXPRT's DNA Sequencing test.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGNode.h:
(JSC::DFG::Node::sawUndefined):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
* tests/stress/double-rep-with-undefined.js: Added.
(addArgsNumberAndUndefined):
(addArgsInt32AndUndefined):
(testFallbackWithDouble):
(addArgsDoubleAndUndefined):
(testFallbackWithObject.):
(testFallbackWithObject):
(addArgsOnlyUndefined):
(testFallbackWithString):

2015-05-27 Dean Jackson <dino@apple.com>

img.currentSrc problem in strict mode with old picturefill
https://bugs.webkit.org/show_bug.cgi?id=144095
<rdar://problem/21087013>

Reviewed by Simon Fraser.

Add a PICTURE_SIZES flag.

* Configurations/FeatureDefines.xcconfig:

2015-05-27 Basile Clement <basile_clement@apple.com>

LazyNode comparison can return incorrect results when comparing an empty value
https://bugs.webkit.org/show_bug.cgi?id=145421

Reviewed by Geoffrey Garen.

When comparing a LazyNode to another, we compare the value pointers if
we have one, and otherwise compare the nodes.
We should be comparing value pointers if the other LazyNode has one as
well, otherwise we risk an incoherency when we are an empty LazyNode
being compared to a FrozenValue without node.

Note that this is not a problem in any other case because if we don't
have a FrozenValue and we are not an empty LazyNode, we are a
non-constant node, and comparing the node pointers is correct.

* dfg/DFGLazyNode.h:
(JSC::DFG::LazyNode::operator==):

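A constructed C++ sketch of the comparison rule in the entry above, added here as an illustration; it is not DFGLazyNode.h's code, and `LazyNodeModel`, `Node` and `FrozenValue` are placeholder types. It shows the incoherent (and asymmetric) answer the old rule gives for an empty LazyNode versus a FrozenValue without a node, and the corrected rule that consults the value pointers whenever either side has one.

```cpp
#include <cstddef>

// Placeholder types standing in for DFG's Node and FrozenValue (constructed).
struct Node {};
struct FrozenValue {};

struct LazyNodeModel {
    Node* node;          // non-constant node, or null
    FrozenValue* value;  // frozen constant, or null

    // Old rule: consult only our own value; otherwise compare node pointers.
    // An empty LazyNode (both null) falls into the node comparison even when
    // the other side is a constant, so null == null reports "equal".
    bool equalsOld(const LazyNodeModel& other) const {
        if (value)
            return value == other.value;
        return node == other.node;
    }

    // Fixed rule: if either side carries a value, the values decide.
    // Two sides with no value are both non-constant (or empty) nodes, and
    // comparing node pointers is then correct, as the entry notes.
    bool equalsFixed(const LazyNodeModel& other) const {
        if (value || other.value)
            return value == other.value;
        return node == other.node;
    }
};

static LazyNodeModel emptyLazyNode() { return { nullptr, nullptr }; }
static LazyNodeModel frozenWithoutNode(FrozenValue* v) { return { nullptr, v }; }

// True when the old rule calls the empty node equal to a constant, and is not even
// symmetric about it (the constant does not consider the empty node equal).
bool oldRuleIsIncoherent() {
    FrozenValue v;
    return emptyLazyNode().equalsOld(frozenWithoutNode(&v))
        && !frozenWithoutNode(&v).equalsOld(emptyLazyNode());
}

// True when the fixed rule is coherent on the problem case and still correct elsewhere.
bool fixedRuleIsCoherent() {
    FrozenValue v;
    Node n;
    LazyNodeModel a{ &n, nullptr }, b{ &n, nullptr };
    return !emptyLazyNode().equalsFixed(frozenWithoutNode(&v))
        && !frozenWithoutNode(&v).equalsFixed(emptyLazyNode())
        && a.equalsFixed(b)
        && frozenWithoutNode(&v).equalsFixed(frozenWithoutNode(&v))
        && emptyLazyNode().equalsFixed(emptyLazyNode());
}
```

The asymmetry is the tell: an equality that depends on which operand is on the left cannot be used as a key in a set or map, which is what a comparison like this typically feeds.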
45922015-05-27 Geoffrey Garen <ggaren@apple.com>
4593
4594 REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
4595 https://bugs.webkit.org/show_bug.cgi?id=145412
4596
4597 Reviewed by Benjamin Poulain.
4598
4599 Cache strings when doing a string-converting sort.
4600
4601 This is a 21% speedup.
4602
4603 * builtins/Array.prototype.js:
4604 (sort.stringComparator): Use subtraction instead of branching because
4605 it's slightly faster.
4606
4607 (sort.comparatorSort):
4608 (sort.stringSort):
4609 (sort): Add a special case for string sorting to avoid redundant string
4610 conversion.
4611
4612 * parser/Parser.cpp:
4613 (JSC::Parser<LexerType>::createBindingPattern): Names can be empty if
4614 they are private names.
4615
46162015-05-26 Filip Pizlo <fpizlo@apple.com>
4617
4618 JIT-generated store barrier code should assume the buffer pointer and capacity to be compile-time constants
4619 https://bugs.webkit.org/show_bug.cgi?id=145404
4620
4621 Reviewed by Andreas Kling.
4622
4623 We never change the capacity of a write barrier buffer. We never repoint the buffer
4624 pointer. So, the JIT shouldn't load those from memory; it should take advantage of the
4625 fact that these are compile-time constants.
4626
4627 * dfg/DFGSpeculativeJIT.cpp:
4628 (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer):
4629 * ftl/FTLLowerDFGToLLVM.cpp:
4630 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
4631 * heap/WriteBarrierBuffer.h:
4632 (JSC::WriteBarrierBuffer::currentIndexAddress):
4633 (JSC::WriteBarrierBuffer::capacity):
4634 (JSC::WriteBarrierBuffer::buffer):
4635 (JSC::WriteBarrierBuffer::currentIndexOffset): Deleted.
4636 (JSC::WriteBarrierBuffer::capacityOffset): Deleted.
4637 (JSC::WriteBarrierBuffer::bufferOffset): Deleted.
4638 * jit/Repatch.cpp:
4639 (JSC::emitPutTransitionStubAndGetOldStructure):
4640
46412015-05-27 Geoffrey Garen <ggaren@apple.com>
4642
4643 REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
4644 https://bugs.webkit.org/show_bug.cgi?id=145412
4645
4646 Reviewed by Darin Adler.
4647
4648 Use @toString instead of the String constructor because calls to the
4649 String constructor are never optimized. (See
4650 https://bugs.webkit.org/show_bug.cgi?id=144458.)
4651
4652 This is a ~2X speedup.
4653
4654 * builtins/Array.prototype.js:
4655 (sort.stringComparator):
4656
46572015-05-27 Dan Bernstein <mitz@apple.com>
4658
4659 Remove JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080
4660 https://bugs.webkit.org/show_bug.cgi?id=145403
4661
4662 Reviewed by Anders Carlsson.
4663
4664 JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 was used to enable the JavaScriptCore Objective-C API
4665 for WebKit and Safari projects building with JavaScriptCore targeting OS X 10.8. We don’t
4666 need it anymore.
4667
4668 * API/JSBase.h:
4669 * API/JSContext.h:
4670 * API/JSManagedValue.h:
4671 * API/JSValue.h:
4672 * API/JSVirtualMachine.h:
4673 * Configurations/Base.xcconfig:
4674 * postprocess-headers.sh:
4675
4676 2015-05-26 Geoffrey Garen <ggaren@apple.com>
4677
4678 Photo Booth hangs under JSC::MachineThreads::tryCopyOtherThreadStacks
4679 https://bugs.webkit.org/show_bug.cgi?id=145395
4680
4681 Reviewed by Mark Hahnenberg.
4682
4683 No test case because we already have --threaded mode, which runs lots of
4684 parallel GC, but it (and the original in-app test case) can't reproduce
4685 this bug.
4686
4687 * heap/MachineStackMarker.cpp:
4688 (JSC::MachineThreads::tryCopyOtherThreadStacks): Use a lock to prevent
4689 two threads from mutually suspending each other.
4690
4691 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
4692
4693 Add Array.prototype.copyWithin to JSC features.json
4694 https://bugs.webkit.org/show_bug.cgi?id=145387
4695
4696 Reviewed by Darin Adler.
4697
4698 * features.json:
4699
4700 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
4701
4702 Reflect nits for r184863
4703 https://bugs.webkit.org/show_bug.cgi?id=145107
4704
4705 Reviewed by Darin Adler.
4706
4707 1. Added the copyright line.
4708 2. Added an optional argument (/*, end */). To do so, fixed generate-js-builtins.
4709 3. Dropped the unnecessary variable `thisValue`.
4710 4. Fix the type error messages. This is also found in StringIterator.prototype.js.
4711 5. Added tests for 0 arguments.
4712
4713 * builtins/Array.prototype.js:
4714 (copyWithin):
4715 * builtins/StringIterator.prototype.js:
4716 (next):
4717 * generate-js-builtins:
4718 * tests/stress/array-copywithin.js:
4719 * tests/stress/string-iterators.js:
4720
4721 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
4722
4723 Inline @Array / @Object callsites
4724 https://bugs.webkit.org/show_bug.cgi?id=145382
4725
4726 Reviewed by Geoffrey Garen.
4727
4728 In the same way as Array/Object callsite inlining, @Array/@Object should
4729 also be inlined at the bytecode level.
4730 While the `new @Object` style is not encouraged in the builtins,
4731 `@Array(len)` is already used at least in the Array.from code.
4732
4733 * bytecompiler/BytecodeGenerator.cpp:
4734 (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
4735
4736 2015-05-26 Andreas Kling <akling@apple.com>
4737
4738 String.prototype.charCodeAt() should use StringView.
4739 <https://webkit.org/b/145353>
4740
4741 Reviewed by Darin Adler.
4742
4743 Use JSString::view() in charCodeAt() to avoid reifying the JSString if it's
4744 a substring. This avoids StringImpl allocation in some cases and ref churn
4745 in all cases.
4746
4747 * runtime/StringPrototype.cpp:
4748 (JSC::stringProtoFuncCharCodeAt):
4749
4750 2015-05-26 Andreas Kling <akling@apple.com>
4751
4752 String.prototype.charAt() should use StringView.
4753 <https://webkit.org/b/145352>
4754
4755 Reviewed by Darin Adler.
4756
4757 Remove the jsSingleCharacterSubstring() function since it's actually completely
4758 counter-productive: it could create a single-character string that would retain
4759 a much larger string for the duration of its lifetime.
4760
4761 This made sense before StringImpl learned to put its characters at the tail end
4762 of its own allocation. Now that it does, it's far better to just create a new
4763 single-character StringImpl.
4764
4765 With that out of the way, we can make String.prototype.charAt() use StringView
4766 to avoid reifying substring JSStrings (and avoid some ref churn too.)
4767
4768 * runtime/JSString.cpp:
4769 (JSC::JSRopeString::getIndexSlowCase):
4770 * runtime/JSString.h:
4771 (JSC::JSString::getIndex):
4772 (JSC::jsSingleCharacterSubstring): Deleted.
4773 * runtime/StringPrototype.cpp:
4774 (JSC::stringProtoFuncCharAt):
4775 (JSC::stringProtoFuncSplit):
4776
4777 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
4778
4779 [ES6] Implement Array.prototype.copyWithin
4780 https://bugs.webkit.org/show_bug.cgi?id=145107
4781
4782 Reviewed by Darin Adler.
4783
4784 This patch implements ES6 Array.prototype.copyWithin.
4785 It is intended to be used for safely copying a region of the array to
4786 another region of the same array (like memmove, not memcpy).
4787 This function is proposed in the context of WebGL.
4788
4789 * builtins/Array.prototype.js:
4790 (.maxWithPositives):
4791 (.minWithMaybeNegativeZeroAndPositive):
4792 (copyWithin):
4793 * runtime/ArrayPrototype.cpp:
4794 (JSC::ArrayPrototype::finishCreation):
4795 * tests/stress/array-copywithin.js: Added.
4796 (shouldBe):
4797 (shouldBeArray):
4798 (shouldThrow):
4799 (arrayToObject):
4800 (valueOf):
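
The memmove-style behaviour described in this entry, as an added example that is not JavaScriptCore code: a reference implementation of the ES6 Array.prototype.copyWithin steps (relative index resolution, overlap detection, backwards copy, hole propagation), run side by side with the engine's own built-in on the same inputs. The helper names (toInteger, relativeIndex, copyWithinRef, compareWithBuiltin) are this example's own, not the builtins' @-prefixed helpers.

```javascript
// Added example, not JavaScriptCore code: a reference copyWithin following
// the ES6 algorithm, compared against the engine's built-in.

// ToInteger as the spec does it: NaN becomes 0, otherwise truncate toward zero.
function toInteger(value) {
  const n = Number(value);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Resolve a relative index: negatives count from the end; clamp to [0, len].
function relativeIndex(value, len) {
  const n = toInteger(value);
  return n < 0 ? Math.max(len + n, 0) : Math.min(n, len);
}

// copyWithin(target, start[, end]) following the spec steps, in place.
function copyWithinRef(array, target, start, end) {
  const len = array.length;
  let to = relativeIndex(target, len);
  let from = relativeIndex(start, len);
  const finalIndex = end === undefined ? len : relativeIndex(end, len);
  let count = Math.min(finalIndex - from, len - to);

  // If the destination starts inside the source region, copy backwards so
  // that no source element is overwritten before it has been read. This is
  // what makes the operation memmove-like rather than memcpy-like.
  let direction = 1;
  if (from < to && to < from + count) {
    direction = -1;
    from = from + count - 1;
    to = to + count - 1;
  }
  while (count > 0) {
    if (from in array) {
      array[to] = array[from];
    } else {
      delete array[to]; // a hole in the source becomes a hole in the target
    }
    from += direction;
    to += direction;
    count -= 1;
  }
  return array;
}

// Run the reference and the built-in on copies of the same input and report
// both results plus whether they agree (holes serialise as null on both sides).
function compareWithBuiltin(input, ...args) {
  const ref = copyWithinRef(input.slice(), ...args);
  const native = input.slice().copyWithin(...args);
  return { ref, native, same: JSON.stringify(ref) === JSON.stringify(native) };
}
```

For `[1, 2, 3, 4, 5]` with `copyWithin(1, 0)` the source `[1..4]` and destination `[1..4]` overlap, so the loop runs backwards and yields `[1, 1, 2, 3, 4]`; a forward copy would have produced `[1, 1, 1, 1, 1]`. Negative arguments such as `copyWithin(-2, -3, -1)` resolve through `relativeIndex`, and a hole in the source is carried over as a hole rather than filled with `undefined`.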
4801
4802 2015-05-26 Dan Bernstein <mitz@apple.com>
4803
4804 <rdar://problem/21104551> Update build settings
4805
4806 Reviewed by Anders Carlsson.
4807
4808 * Configurations/DebugRelease.xcconfig:
4809 * Configurations/FeatureDefines.xcconfig:
4810 * Configurations/Version.xcconfig:
4811
4812 2015-05-26 Andreas Kling <akling@apple.com>
4813
4814 Try to use StringView when comparing JSStrings for equality.
4815 <https://webkit.org/b/145379>
4816
4817 Reviewed by Darin Adler.
4818
4819 Use JSString::view() when sending two JSStrings to WTF::equal()
4820 for comparison. This avoids creating new objects in the case where
4821 the strings are actually substrings.
4822
4823 * jit/JITOperations.cpp:
4824 * runtime/JSCJSValueInlines.h:
4825 (JSC::JSValue::equalSlowCaseInline):
4826 (JSC::JSValue::strictEqualSlowCaseInline):
4827
4828 2015-05-26 Yusuke Suzuki <utatane.tea@gmail.com>
4829
4830 [JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix
4831 https://bugs.webkit.org/show_bug.cgi?id=145360
4832
4833 Reviewed by Darin Adler.
4834
4835 JSObject::putDirect only accepts non-indexed properties.
4836 So when generating put_by_id (with direct postfix) for an indexed property,
4837 we should generate put_by_val_direct instead.
4838
4839 * bytecompiler/BytecodeGenerator.cpp:
4840 (JSC::BytecodeGenerator::emitDirectPutById):
4841 * bytecompiler/NodesCodegen.cpp:
4842 (JSC::PropertyListNode::emitPutConstantProperty):
4843 * tests/stress/put-by-id-direct-should-be-done-for-non-index-property.js: Added.
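
The observable contract behind this entry, as an added example that is not JavaScriptCore code: an object literal must define its properties directly on the new object, so an accessor inherited through the prototype chain is never invoked, whether the key is a name or an index such as 0. Ordinary assignment goes through [[Set]] and does hit the inherited setter. The function name and the planted accessor are this example's own; the accessor is removed before the function returns.

```javascript
// Added example, not JavaScriptCore code: property definition (object
// literal) versus property assignment when Object.prototype carries an
// accessor for the index key "0".
function literalVersusAssignment() {
  let setterCalls = 0;   // counters rather than an array: pushing onto an
  let lastSetValue;      // empty array would itself hit the inherited setter
  Object.defineProperty(Object.prototype, '0', {
    get() { return 'from prototype'; },
    set(v) { setterCalls += 1; lastSetValue = v; },
    configurable: true,
  });
  try {
    const viaLiteral = { 0: 'literal' };          // definition: own property, setter not run
    const viaComputed = { [1 - 1]: 'computed' };  // computed index key, same rule
    const viaAssign = {};
    viaAssign[0] = 'assigned';                    // [[Set]]: inherited setter runs, no own property
    return {
      literalOwn: Object.prototype.hasOwnProperty.call(viaLiteral, '0'),
      literalValue: viaLiteral[0],
      computedOwn: Object.prototype.hasOwnProperty.call(viaComputed, '0'),
      assignOwn: Object.prototype.hasOwnProperty.call(viaAssign, '0'),
      assignValue: viaAssign[0],
      setterCalls,
      lastSetValue,
    };
  } finally {
    delete Object.prototype[0]; // undo the planted accessor
  }
}
```

Had the literal been compiled to a non-direct put, `viaLiteral` would look like `viaAssign`: no own element, the inherited setter called once, and a read of index 0 answered by the prototype's getter. That is exactly the kind of prototype-chain interception a direct put is meant to bypass.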
4844
4845 2015-05-24 Jordan Harband <ljharb@gmail.com>
4846
4847 Array#findIndex/find should not skip holes
4848 https://bugs.webkit.org/show_bug.cgi?id=145361
4849 per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.findindex
4850 and https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.find
4851
4852 Reviewed by Yusuke Suzuki.
4853
4854 * builtins/Array.prototype.js:
4855 (find): Deleted.
4856 (findIndex): Deleted.
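
The semantics this entry restores, as an added example that is not JavaScriptCore code: find and findIndex read every index with [[Get]] and never skip holes, so a hole is visited as undefined and, because [[Get]] walks the prototype chain, an indexed property planted on Array.prototype is returned through a hole. indexOf, by contrast, skips holes. The helper names (findIndexRef, describeHoleHandling, holeSeesPrototype) are this example's own, and the planted prototype property is removed before the function returns.

```javascript
// Added example, not JavaScriptCore code: hole handling in find/findIndex
// versus indexOf, and what a polluted Array.prototype does to a sparse array.

// Reference findIndex per ES6: Get(O, k) for every k < len, no HasProperty test.
function findIndexRef(array, predicate) {
  const len = array.length >>> 0;
  for (let k = 0; k < len; k++) {
    if (predicate(array[k], k, array)) return k;
  }
  return -1;
}

// Compare the built-in findIndex, the reference, and indexOf on a sparse array.
function describeHoleHandling(sparse) {
  return {
    findIndexHole: sparse.findIndex((v) => v === undefined), // visits the hole
    refIndexHole: findIndexRef(sparse, (v) => v === undefined),
    indexOfUndefined: sparse.indexOf(undefined),             // skips the hole
  };
}

// Plant an indexed property on Array.prototype (prototype pollution) and show
// that find() returns it through the hole even though the array has no own
// element there. The pollution is removed before returning.
function holeSeesPrototype() {
  const sparse = [ , 'b']; // index 0 is a hole, index 1 is 'b'
  Object.defineProperty(Array.prototype, '0', { value: 'polluted', configurable: true });
  try {
    return {
      found: sparse.find((v) => v === 'polluted'),
      refIndex: findIndexRef(sparse, (v) => v === 'polluted'),
      isOwn: Object.prototype.hasOwnProperty.call(sparse, 0),
    };
  } finally {
    delete Array.prototype[0];
  }
}
```

`describeHoleHandling([ , 1])` reports index 0 from both findIndex variants and -1 from indexOf; `holeSeesPrototype()` reports the planted value with `isOwn` false, which is why code that treats find/findIndex results as "elements of this array" should not assume they are own properties.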
4857
4858 2015-05-24 Brian J. Burg <burg@cs.washington.edu>
4859
4860 Web Inspector: Uncaught exception when using Inspect tool on SVG elements
4861 https://bugs.webkit.org/show_bug.cgi?id=145363
4862
4863 Reviewed by Joseph Pecoraro.
4864
4865 The injected script failed by chaining a call to String.prototype.trim to the result of
4866 SVG*Element.className, which is an SVGAnimatedString and lacks useful methods. So, obtain
4867 the class name using Node.getAttribute, which always returns a DOMString.
4868
4869 * inspector/InjectedScriptSource.js:
4870 (InjectedScriptSource.prototype._getDescription): use getAttribute instead of className.
4871
4872 2015-05-23 Dan Bernstein <mitz@apple.com>
4873
4874 Remove unused definitions of WEBKIT_VERSION_MIN_REQUIRED
4875 https://bugs.webkit.org/show_bug.cgi?id=145345
4876
4877 Reviewed by Sam Weinig.
4878
4879 * Configurations/Base.xcconfig: Also changed to use $(inherited).
4880
4881 2015-05-23 Yusuke Suzuki <utatane.tea@gmail.com>
4882
4883 Introduce UniquedStringImpl and SymbolImpl to separate symbolic strings from AtomicStringImpl
4884 https://bugs.webkit.org/show_bug.cgi?id=144848
4885
4886 Reviewed by Darin Adler.
4887
4888 Use UniquedStringImpl, SymbolImpl and AtomicStringImpl.
4889
4890 * API/JSCallbackObject.h:
4891 * builtins/BuiltinNames.h:
4892 (JSC::BuiltinNames::isPrivateName):
4893 * bytecode/BytecodeIntrinsicRegistry.h:
4894 * bytecode/CodeBlock.cpp:
4895 (JSC::CodeBlock::CodeBlock):
4896 * bytecode/ComplexGetStatus.cpp:
4897 (JSC::ComplexGetStatus::computeFor):
4898 * bytecode/ComplexGetStatus.h:
4899 * bytecode/GetByIdStatus.cpp:
4900 (JSC::GetByIdStatus::computeFromLLInt):
4901 (JSC::GetByIdStatus::computeFor):
4902 (JSC::GetByIdStatus::computeForStubInfo):
4903 * bytecode/GetByIdStatus.h:
4904 * bytecode/Instruction.h:
4905 (JSC::Instruction::Instruction):
4906 * bytecode/PutByIdStatus.cpp:
4907 (JSC::PutByIdStatus::computeFromLLInt):
4908 (JSC::PutByIdStatus::computeFor):
4909 (JSC::PutByIdStatus::computeForStubInfo):
4910 * bytecode/PutByIdStatus.h:
4911 * bytecompiler/BytecodeGenerator.cpp:
4912 (JSC::BytecodeGenerator::BytecodeGenerator):
4913 (JSC::BytecodeGenerator::visibleNameForParameter):
4914 (JSC::BytecodeGenerator::hasConstant):
4915 (JSC::BytecodeGenerator::addConstant):
4916 * bytecompiler/BytecodeGenerator.h:
4917 * bytecompiler/NodesCodegen.cpp:
4918 (JSC::PropertyListNode::emitBytecode):
4919 * dfg/DFGByteCodeParser.cpp:
4920 (JSC::DFG::ByteCodeParser::parseBlock):
4921 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
4922 * dfg/DFGDesiredIdentifiers.cpp:
4923 (JSC::DFG::DesiredIdentifiers::addLazily):
4924 (JSC::DFG::DesiredIdentifiers::at):
4925 (JSC::DFG::DesiredIdentifiers::reallyAdd):
4926 * dfg/DFGDesiredIdentifiers.h:
4927 (JSC::DFG::DesiredIdentifiers::operator[]):
4928 * dfg/DFGFixupPhase.cpp:
4929 (JSC::DFG::FixupPhase::fixupNode):
4930 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
4931 * dfg/DFGSpeculativeJIT.cpp:
4932 (JSC::DFG::SpeculativeJIT::compileIn):
4933 * dfg/DFGSpeculativeJIT.h:
4934 (JSC::DFG::SpeculativeJIT::identifierUID):
4935 (JSC::DFG::SpeculativeJIT::callOperation):
4936 * ftl/FTLCompile.cpp:
4937 (JSC::FTL::mmAllocateDataSection):
4938 * ftl/FTLInlineCacheDescriptor.h:
4939 (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
4940 (JSC::FTL::InlineCacheDescriptor::uid):
4941 (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
4942 (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
4943 (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
4944 * ftl/FTLIntrinsicRepository.h:
4945 * ftl/FTLLowerDFGToLLVM.cpp:
4946 (JSC::FTL::LowerDFGToLLVM::compilePutById):
4947 (JSC::FTL::LowerDFGToLLVM::compileIn):
4948 (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation):
4949 (JSC::FTL::LowerDFGToLLVM::getById):
4950 * ftl/FTLOperations.cpp:
4951 (JSC::FTL::operationMaterializeObjectInOSR):
4952 * ftl/FTLSlowPathCall.cpp:
4953 (JSC::FTL::callOperation):
4954 * ftl/FTLSlowPathCall.h:
4955 * jit/JIT.h:
4956 * jit/JITInlines.h:
4957 (JSC::JIT::callOperation):
4958 * jit/JITOperations.cpp:
4959 * jit/JITOperations.h:
4960 * parser/Nodes.cpp:
4961 (JSC::ProgramNode::setClosedVariables):
4962 * parser/Nodes.h:
4963 (JSC::ScopeNode::captures):
4964 (JSC::ScopeNode::setClosedVariables):
4965 (JSC::ProgramNode::closedVariables):
4966 * parser/Parser.cpp:
4967 (JSC::Parser<LexerType>::parseInner):
4968 (JSC::Parser<LexerType>::didFinishParsing):
4969 (JSC::Parser<LexerType>::parseContinueStatement):
4970 * parser/Parser.h:
4971 (JSC::Scope::Scope):
4972 (JSC::Scope::pushLabel):
4973 (JSC::Scope::getLabel):
4974 (JSC::Scope::declareCallee):
4975 (JSC::Scope::declareVariable):
4976 (JSC::Scope::declareParameter):
4977 (JSC::Scope::declareBoundParameter):
4978 (JSC::Scope::useVariable):
4979 (JSC::Scope::copyCapturedVariablesToVector):
4980 (JSC::Parser::closedVariables):
4981 (JSC::ScopeLabelInfo::ScopeLabelInfo): Deleted.
4982 * parser/SourceProviderCacheItem.h:
4983 (JSC::SourceProviderCacheItem::usedVariables):
4984 (JSC::SourceProviderCacheItem::writtenVariables):
4985 (JSC::SourceProviderCacheItem::create):
4986 * runtime/CommonIdentifiers.cpp:
4987 (JSC::CommonIdentifiers::isPrivateName):
4988 * runtime/CommonIdentifiers.h:
4989 * runtime/Identifier.h:
4990 (JSC::Identifier::impl):
4991 (JSC::Identifier::Identifier):
4992 (JSC::parseIndex):
4993 (JSC::IdentifierRepHash::hash):
4994 * runtime/IdentifierInlines.h:
4995 (JSC::Identifier::fromUid):
4996 * runtime/IntendedStructureChain.cpp:
4997 (JSC::IntendedStructureChain::mayInterceptStoreTo):
4998 * runtime/IntendedStructureChain.h:
4999 * runtime/JSGlobalObject.cpp:
5000 (JSC::JSGlobalObject::init):
5001 * runtime/Lookup.h:
5002 (JSC::HashTable::entry):
5003 * runtime/MapData.h:
5004 * runtime/ObjectConstructor.cpp:
5005 (JSC::objectConstructorGetOwnPropertySymbols):
5006 * runtime/PrivateName.h:
5007 (JSC::PrivateName::PrivateName):
5008 (JSC::PrivateName::uid):
5009 * runtime/PropertyMapHashTable.h:
5010 * runtime/PropertyName.h:
5011 (JSC::PropertyName::PropertyName):
5012 (JSC::PropertyName::uid):
5013 (JSC::PropertyName::publicName):
5014 (JSC::parseIndex):
5015 * runtime/PropertyNameArray.h:
5016 (JSC::PropertyNameArray::addKnownUnique):
5017 (JSC::PropertyNameArray::add):
5018 * runtime/Structure.cpp:
5019 (JSC::StructureTransitionTable::contains):
5020 (JSC::StructureTransitionTable::get):
5021 (JSC::StructureTransitionTable::add):
5022 (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
5023 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
5024 (JSC::Structure::getConcurrently):
5025 (JSC::Structure::add):
5026 (JSC::Structure::remove):
5027 (JSC::Structure::toStructureShape):
5028 * runtime/Structure.h:
5029 (JSC::PropertyMapEntry::PropertyMapEntry):
5030 * runtime/StructureInlines.h:
5031 (JSC::Structure::getConcurrently):
5032 * runtime/StructureTransitionTable.h:
5033 (JSC::StructureTransitionTable::Hash::hash):
5034 * runtime/Symbol.cpp:
5035 (JSC::Symbol::Symbol):
5036 * runtime/Symbol.h:
5037 * runtime/SymbolConstructor.cpp:
5038 (JSC::symbolConstructorFor):
5039 (JSC::symbolConstructorKeyFor):
5040 * runtime/SymbolTable.cpp:
5041 (JSC::SymbolTable::uniqueIDForVariable):
5042 (JSC::SymbolTable::globalTypeSetForVariable):
5043 * runtime/SymbolTable.h:
5044 * runtime/TypeSet.cpp:
5045 (JSC::StructureShape::addProperty):
5046 (JSC::StructureShape::propertyHash):
5047 * runtime/TypeSet.h:
5048
5049 2015-05-21 Filip Pizlo <fpizlo@apple.com>
5050
5051 Arguments elimination phase mishandles arity check failure in its reduction of LoadVarargs to GetStack/PutStacks
5052 https://bugs.webkit.org/show_bug.cgi?id=145298
5053
5054 Reviewed by Geoffrey Garen.
5055
5056 * dfg/DFGArgumentsEliminationPhase.cpp: Fix the bug. I restructured the loop to make it more obvious that we're initializing everything that we're supposed to initialize.
5057 * dfg/DFGNode.h: Add a comment to clarify something I was confused about while writing this code.
5058 * dfg/DFGPutStackSinkingPhase.cpp: Hacking on PutStacks made me think deep thoughts, and I added some FIXMEs.
5059 * tests/stress/fold-load-varargs-arity-check-fail-barely.js: Added. This test crashes or fails before this patch.
5060 * tests/stress/fold-load-varargs-arity-check-fail.js: Added. This is even more sure to crash or fail.
5061 * tests/stress/simplify-varargs-mandatory-minimum-smaller-than-limit.js: Added. Not sure if we had coverage for this case before.
5062
5063 2015-05-22 Basile Clement <basile_clement@apple.com>
5064
5065 Allow DFGClobberize to return non-node constants that must be later created
5066 https://bugs.webkit.org/show_bug.cgi?id=145272
5067
5068 Reviewed by Filip Pizlo.
5069
5070 This adds a new LazyNode class in DFG that represents either a Node*,
5071 or a FrozenValue* with a way to convert it to a Node* provided a block
5072 to insert it into. DFGClobberize is converted to use LazyNode instead
5073 of Node* when def()'ing values, which allows to now define the array's
5074 length as well as the value of its various fields in NewArray and
5075 NewArrayBuffer nodes.
5076
5077 We also introduce a Vector<uint32_t> in DFG::Graph to collect all the
5078 values that can be used as index, in order to avoid def()'ing too many
5079 values at once for big NewArrayBuffers.
5080
5081 HeapLocation had to be updated to use a LazyNode as its index to be
5082 able to define array values.
5083
5084 * CMakeLists.txt:
5085 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5086 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
5087 * JavaScriptCore.xcodeproj/project.pbxproj:
5088 * dfg/DFGCSEPhase.cpp:
5089 * dfg/DFGClobberize.h:
5090 (JSC::DFG::clobberize):
5091 (JSC::DFG::DefMethodClobberize::operator()):
5092 * dfg/DFGGraph.cpp:
5093 (JSC::DFG::Graph::freezeFragile):
5094 * dfg/DFGGraph.h:
5095 * dfg/DFGHeapLocation.h:
5096 (JSC::DFG::HeapLocation::HeapLocation):
5097 (JSC::DFG::HeapLocation::index):
5098 (JSC::DFG::HeapLocation::hash):
5099 * dfg/DFGLazyNode.cpp: Added.
5100 (JSC::DFG::LazyNode::dump):
5101 * dfg/DFGLazyNode.h: Added.
5102 (JSC::DFG::LazyNode::LazyNode):
5103 (JSC::DFG::LazyNode::setNode):
5104 (JSC::DFG::LazyNode::isHashTableDeletedValue):
5105 (JSC::DFG::LazyNode::isNode):
5106 (JSC::DFG::LazyNode::op):
5107 (JSC::DFG::LazyNode::asNode):
5108 (JSC::DFG::LazyNode::asValue):
5109 (JSC::DFG::LazyNode::hash):
5110 (JSC::DFG::LazyNode::operator==):
5111 (JSC::DFG::LazyNode::operator!=):
5112 (JSC::DFG::LazyNode::ensureIsNode):
5113 (JSC::DFG::LazyNode::operator->):
5114 (JSC::DFG::LazyNode::operator*):
5115 (JSC::DFG::LazyNode::operator!):
5116 (JSC::DFG::LazyNode::operator UnspecifiedBoolType*):
5117 (JSC::DFG::LazyNode::setFrozenValue):
5118 * dfg/DFGPreciseLocalClobberize.h:
5119 (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
5120 * dfg/DFGPutStackSinkingPhase.cpp:
5121
5122 2015-05-22 Andreas Kling <akling@apple.com>
5123
5124 [JSC] Speed up new array construction in Array.prototype.splice().
5125 <https://webkit.org/b/145303>
5126
5127 Reviewed by Benjamin Poulain.
5128
5129 Give splice() a fast path just like slice(), for indexing types where the backing
5130 store can be memcpy'd. I generalized JSArray::fastSlice() a little bit so it works
5131 for this optimization as well.
5132
5133 7% progression on Kraken/stanford-crypto-pbkdf2.
5134
5135 * runtime/JSArray.h:
5136 * runtime/JSArray.cpp:
5137 (JSC::JSArray::fastSlice): Tweak this to return JSArray*, and don't bother throwing
5138 out-of-memory exceptions. Let the caller worry about that.
5139
5140 * runtime/ArrayPrototype.cpp:
5141 (JSC::arrayProtoFuncSlice): Update for fastSlice() changes.
5142 (JSC::arrayProtoFuncSplice): If the object we're splicing out of is a bona fide
5143 JSArray, use fastSlice() to create the returned array instead of doing a generic
5144 get/put loop.
5145
5146 2015-05-21 Filip Pizlo <fpizlo@apple.com>
5147
5148 CPS rethreading should really get rid of GetLocals
5149 https://bugs.webkit.org/show_bug.cgi?id=145290
5150
5151 Reviewed by Benjamin Poulain.
5152
5153 CPS rethreading is intended to get rid of redundant GetLocals. CSE can also do it, but
5154 the idea is that you should be able to disable CSE and everything would still work. This
5155 fixes a bug in CPS rethreading's GetLocal elimination: we should be calling replaceWith
5156 rather than setReplacement, since setReplacement still leaves the original node.
5157
5158 * dfg/DFGCPSRethreadingPhase.cpp:
5159 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): Fix the bug.
5160 * dfg/DFGFixupPhase.cpp:
5161 (JSC::DFG::FixupPhase::fixupNode): Eliminating GetLocals means that they turn into Check. We should handle Checks that have zero inputs.
5162 * dfg/DFGValidate.cpp:
5163 (JSC::DFG::Validate::validateCPS): Add a validation for what a GetLocal should look like in ThreadedCPS.
5164 * tests/stress/get-local-elimination.js: Added.
5165 (foo):
5166
5167 2015-05-21 Saam Barati <saambarati1@gmail.com>
5168
5169 Object allocation sinking phase should explicitly create bottom values for CreateActivation sink candidates and CreateActivation should have SymbolTable as a child node
5170 https://bugs.webkit.org/show_bug.cgi?id=145192
5171
5172 Reviewed by Filip Pizlo.
5173
5174 When we sink CreateActivation and generate MaterializeCreateActivation
5175 in the object allocation sinking phase, we now explicitly add PutHints for
5176 all variables on the activation setting those variables to their default value
5177 (undefined for Function activations and soon to be JS Empty Value for block scope activations).
5178 This allows us to remove code that fills FTL fast activation allocations with Undefined.
5179
5180 This patch also adds the constant SymbolTable as an OpInfo of CreateActivation and MaterializeCreateActivation
5181 nodes. This is in preparation for ES6 block scoping which will introduce a new
5182 op code that gets lowered to CreateActivation.
5183
5184 * dfg/DFGByteCodeParser.cpp:
5185 (JSC::DFG::ByteCodeParser::parseBlock):
5186 * dfg/DFGClobberize.h:
5187 (JSC::DFG::clobberize):
5188 * dfg/DFGNode.h:
5189 (JSC::DFG::Node::hasCellOperand):
5190 (JSC::DFG::Node::cellOperand):
5191 * dfg/DFGObjectAllocationSinkingPhase.cpp:
5192 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
5193 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
5194 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
5195 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
5196 * dfg/DFGPromotedHeapLocation.cpp:
5197 (WTF::printInternal):
5198 * dfg/DFGPromotedHeapLocation.h:
5199 * dfg/DFGSpeculativeJIT.cpp:
5200 (JSC::DFG::SpeculativeJIT::compileCreateActivation):
5201 * ftl/FTLLowerDFGToLLVM.cpp:
5202 (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
5203 (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation):
5204 * ftl/FTLOperations.cpp:
5205 (JSC::FTL::operationMaterializeObjectInOSR):
5206 * tests/stress/activation-sink-default-value.js: Added.
5207 (bar):
5208 * tests/stress/activation-sink-osrexit-default-value.js: Added.
5209 (foo.set result):
5210
5211 2015-05-21 Per Arne Vollan <peavo@outlook.com>
5212
5213 MSVC internal compiler error when compiling TemplateRegistryKey class.
5214 https://bugs.webkit.org/show_bug.cgi?id=145259
5215
5216 Reviewed by Alex Christensen.
5217
5218 MSVC is not able to handle the brace initialization of a class member in this case.
5219
5220 * runtime/TemplateRegistryKey.h:
5221
5222 2015-05-21 Csaba Osztrogonác <ossy@webkit.org>
5223
5224 Fix the !ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) build after r184337
5225 https://bugs.webkit.org/show_bug.cgi?id=145248
5226
5227 Reviewed by Yusuke Suzuki.
5228
5229 * bytecompiler/BytecodeGenerator.cpp:
5230 * bytecompiler/BytecodeGenerator.h:
5231 * parser/Parser.cpp:
5232 (JSC::Parser<LexerType>::parseMemberExpression):
5233
5234 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
5235
5236 Web Inspector: array previews should have a much smaller cap on values
5237 https://bugs.webkit.org/show_bug.cgi?id=145195
5238
5239 Reviewed by Timothy Hatcher.
5240
5241 * inspector/InjectedScriptSource.js:
5242 (InjectedScript.RemoteObject.prototype._generatePreview):
5243 Reduce the indexes threshold for previews.
5244
5245 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
5246
5247 Web Inspector: Use native Arguments detection instead of using toString
5248 https://bugs.webkit.org/show_bug.cgi?id=145235
5249
5250 Reviewed by Timothy Hatcher.
5251
5252 * inspector/InjectedScriptSource.js:
5253 (InjectedScript.prototype._subtype):
5254 Deleted the old string code.
5255
5256 * inspector/JSInjectedScriptHost.cpp:
5257 (Inspector::JSInjectedScriptHost::subtype):
5258 Replaced with a stricter, more accurate check.
5259
5260 2015-05-20 Andreas Kling <akling@apple.com>
5261
5262 Remove unused MarkedBlock::m_rememberedSet.
5263 <https://webkit.org/b/145224>
5264
5265 Reviewed by Mark Hahnenberg.
5266
5267 The MarkedBlock had a copy of the remembered bit for each of its cells,
5268 and we were maintaining that bitmap despite no one actually ever consulting it.
5269
5270 This patch removes MarkedBlock::m_rememberedSet, freeing up 128 bytes in each
5271 block and making write barriers a little faster.
5272
5273 * heap/Heap.cpp:
5274 (JSC::Heap::clearRememberedSet):
5275 (JSC::Heap::addToRememberedSet):
5276 * heap/HeapInlines.h:
5277 (JSC::Heap::isRemembered):
5278 * heap/MarkedBlock.cpp:
5279 (JSC::MarkedBlock::clearRememberedSet): Deleted.
5280 (JSC::MarkedBlock::clearMarksWithCollectionType):
5281 * heap/MarkedBlock.h:
5282 (JSC::MarkedBlock::setRemembered): Deleted.
5283 (JSC::MarkedBlock::clearRemembered): Deleted.
5284 (JSC::MarkedBlock::atomicClearRemembered): Deleted.
5285 (JSC::MarkedBlock::isRemembered): Deleted.
5286 * heap/MarkedSpace.h:
5287 (JSC::ClearRememberedSet::operator()): Deleted.
5288 (JSC::MarkedSpace::clearRememberedSet): Deleted.
5289
5290 2015-05-20 Andreas Kling <akling@apple.com>
5291
5292 Eden collections should extend the IncrementalSweeper work list, not replace it.
5293 <https://webkit.org/b/145213>
5294 <rdar://problem/21002666>
5295
5296 Reviewed by Geoffrey Garen.
5297
5298 After an eden collection, the garbage collector was adding all MarkedBlocks containing
5299 new objects to the IncrementalSweeper's work list, to make sure they didn't have to
5300 wait until the next full collection before getting swept.
5301
5302 Or at least, that's what it thought it was doing. It turns out that IncrementalSweeper's
5303 internal work list is really just a reference to Heap::m_blockSnapshot. I didn't realize
5304 this when writing the post-eden sweep code, and instead made eden collections cancel
5305 all pending sweeps and *replace* them with the list of blocks with new objects.
5306
5307 This made it so that rapidly occurring eden collections could prevent large numbers of
5308 heap blocks from ever getting swept. This would manifest as accumulation of MarkedBlocks
5309 when a system under heavy load was also allocating short lived objects at a high rate.
5310 Things would eventually get cleaned up when there was a lull and a full collection was
5311 allowed to run its heap sweep to completion.
5312
5313 Fix this by moving all management of the block snapshot to Heap. snapshotMarkedSpace()
5314 now handles eden collections by merging the list of blocks with new objects into the
5315 existing block snapshot.
5316
5317 * heap/Heap.cpp:
5318 (JSC::Heap::snapshotMarkedSpace):
5319 (JSC::Heap::notifyIncrementalSweeper):
5320 * heap/IncrementalSweeper.cpp:
5321 (JSC::IncrementalSweeper::startSweeping):
5322 (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Deleted.
5323 * heap/IncrementalSweeper.h:
5324
5325 2015-05-20 Youenn Fablet <youenn.fablet@crf.canon.fr>
5326
5327 AudioContext resume/close/suspend should reject promises with a DOM exception in lieu of throwing exceptions
5328 https://bugs.webkit.org/show_bug.cgi?id=145064
5329
5330 Reviewed by Darin Adler.
5331
5332 Added default message for TypeError.
5333
5334 * runtime/Error.cpp:
5335 (JSC::throwTypeError):
5336 * runtime/Error.h:
5337
5338 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
5339
5340 No LLInt Test Failure: jsc-layout-tests.yaml/js/script-tests/object-literal-duplicate-properties.js.layout-no-llint
5341 https://bugs.webkit.org/show_bug.cgi?id=145219
5342
5343 Reviewed by Mark Lam.
5344
5345 * jit/JITOperations.cpp:
5346 Throw the error we just got, instead of a stack overflow exception.
5347 This matches other error handling for callers of prepareForExecution.
5348
5349 2015-05-19 Filip Pizlo <fpizlo@apple.com>
5350
5351 Add some assertions about the CFG in the loop pre-header creation phase
5352 https://bugs.webkit.org/show_bug.cgi?id=145205
5353
5354 Reviewed by Geoffrey Garen.
5355
5356 * dfg/DFGByteCodeParser.cpp:
5357 (JSC::DFG::ByteCodeParser::currentNodeOrigin): Add a FIXME.
5358 * dfg/DFGLICMPhase.cpp:
5359 (JSC::DFG::LICMPhase::run): Add a FIXME.
5360 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
5361 (JSC::DFG::LoopPreHeaderCreationPhase::run): Add the assertions.
5362
5363 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
5364
5365 ES6: Implement Object.setPrototypeOf
5366 https://bugs.webkit.org/show_bug.cgi?id=145202
5367
5368 Reviewed by Darin Adler.
5369
5370 * runtime/JSGlobalObjectFunctions.h:
5371 * runtime/JSGlobalObjectFunctions.cpp:
5372 (JSC::globalFuncProtoSetter):
5373 (JSC::checkProtoSetterAccessAllowed):
5374 Extract a helper to share this code between __proto__ setter and setPrototypeOf.
5375
5376 * runtime/ObjectConstructor.cpp:
5377 (JSC::objectConstructorSetPrototypeOf):
5378 Implementation is very similar to the __proto__ setter.
5379
5380 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
5381
5382 ES6: Should not allow duplicate basic __proto__ properties in Object Literals
5383 https://bugs.webkit.org/show_bug.cgi?id=145138
5384
5385 Reviewed by Darin Adler.
5386
5387 Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__
5388 properties in object literals. This doesn't affect computed properties,
5389 shorthand properties, or getters/setters all of which avoid setting
5390 the actual prototype of the object anyway.
5391
5392 * interpreter/Interpreter.cpp:
5393 (JSC::eval):
5394 Remove out of date comment. Duplicate property names are allowed
5395 now in ES6; they were not in ES5 strict mode.
5396
5397 * parser/ASTBuilder.h:
5398 (JSC::ASTBuilder::getName):
5399 (JSC::ASTBuilder::getType):
5400 * parser/SyntaxChecker.h:
5401 (JSC::SyntaxChecker::getName):
5402 Add back getName to get the property name depending on the tree builder.
5403 Also tighten up the parameter types.
5404
5405 * runtime/LiteralParser.cpp:
5406 (JSC::LiteralParser<CharType>::parse):
5407 In quick JSON literal parsing for eval, we actually need to evaluate
5408 the __proto__ property assignment, instead of just building up a list
5409 of direct properties. Only do this when not doing a strict JSON parse.
5410
5411 * parser/Nodes.h:
5412 Add "Shorthand" to the list of PropertyNode types to allow it to
5413 be distinguished without relying on other information.
5414
5415 * parser/Parser.h:
5416 * parser/Parser.cpp:
5417 (JSC::Parser<LexerType>::parseProperty):
5418 Add the Shorthand type when parsing a shorthand property.
5419
5420 (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
5421 (JSC::Parser<LexerType>::parseObjectLiteral):
5422 (JSC::Parser<LexerType>::parseStrictObjectLiteral):
5423 Check for duplicate __proto__ properties, and throw a SyntaxError
5424 if that was the case.
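
The behaviour covered by this entry and by the Object.setPrototypeOf entry above, as an added example that is not JavaScriptCore code: which object-literal forms actually set [[Prototype]] (and therefore fall under the Annex B.3.1 duplicate check), which only create an own "__proto__" property, how eval of JSON-shaped text differs from JSON.parse, and how Object.setPrototypeOf behaves on non-extensible objects, primitives and cycles. Literal sources are compiled with the Function constructor so that the early SyntaxError can be observed at run time. The object `proto` and the helper names (probeLiteral, literalForms, jsonShapedText, setPrototypeOfForms) are this example's own.

```javascript
// Added example, not JavaScriptCore code: __proto__ in object literals,
// eval versus JSON.parse, and Object.setPrototypeOf edge cases.

const proto = { tag: 'P' }; // the prototype every case tries to install

// Compile `source` as an object literal and report: SyntaxError or not,
// whether the result inherits from `proto`, and whether it got an own
// "__proto__" property. `__proto__` is also passed in as a parameter so the
// shorthand form `{ __proto__ }` has something to refer to.
function probeLiteral(source) {
  let fn;
  try {
    fn = new Function('proto', '__proto__', 'return (' + source + ');');
  } catch (e) {
    return { syntaxError: e instanceof SyntaxError };
  }
  const obj = fn(proto, 'shorthand value');
  return {
    syntaxError: false,
    inheritsProto: Object.getPrototypeOf(obj) === proto,
    ownProto: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
  };
}

function literalForms() {
  return {
    basicTwice: probeLiteral('{ __proto__: proto, __proto__: proto }'),          // SyntaxError (Annex B.3.1)
    basicOnce: probeLiteral('{ __proto__: proto }'),                            // sets [[Prototype]]
    stringKey: probeLiteral('{ "__proto__": proto }'),                          // string key is still the basic form
    computedTwice: probeLiteral('{ ["__proto__"]: proto, ["__proto__"]: proto }'), // own property, no check
    basicPlusShorthand: probeLiteral('{ __proto__: proto, __proto__ }'),        // allowed: shorthand is an own property
    basicPlusMethod: probeLiteral('{ __proto__: proto, __proto__() {} }'),      // allowed: method is an own property
  };
}

// eval sees an object literal, so "__proto__" sets the prototype; JSON.parse
// creates an own data property and never touches [[Prototype]].
function jsonShapedText() {
  const text = '{"__proto__": {"polluted": true}}';
  const viaEval = (0, eval)('(' + text + ')');
  const viaJson = JSON.parse(text);
  return {
    evalInherits: viaEval.polluted === true
      && !Object.prototype.hasOwnProperty.call(viaEval, '__proto__'),
    jsonOwnOnly: viaJson.polluted === undefined
      && Object.prototype.hasOwnProperty.call(viaJson, '__proto__'),
  };
}

function setPrototypeOfForms() {
  const a = Object.setPrototypeOf({}, proto);
  const b = {};
  b.__proto__ = proto;                          // Annex B setter, same effect
  const sealed = Object.preventExtensions({});
  let nonExtensibleThrows = false;
  try { Object.setPrototypeOf(sealed, proto); } catch (e) { nonExtensibleThrows = e instanceof TypeError; }
  let cycleThrows = false;                      // proto -> a -> proto would be a cycle
  try { Object.setPrototypeOf(proto, a); } catch (e) { cycleThrows = e instanceof TypeError; }
  return {
    aInherits: Object.getPrototypeOf(a) === proto,
    bInherits: Object.getPrototypeOf(b) === proto,
    nonExtensibleThrows,
    cycleThrows,
    primitivePassesThrough: Object.setPrototypeOf(42, proto) === 42, // primitives are returned unchanged
  };
}
```

The practical point for anyone handling untrusted object shapes: only the non-computed `__proto__: value` form (identifier or string key) sets the prototype and is subject to the duplicate check; computed, shorthand and method forms produce an ordinary own property. The same text therefore means different things to `eval` and to `JSON.parse`, and code that merges parsed objects into others should check for an own "__proto__" key rather than rely on the parser having done so.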
5425
5426 2015-05-20 Csaba Osztrogonác <ossy@webkit.org>
5427
5428 [JSC] Add missing copyrights and licenses for some scripts
5429 https://bugs.webkit.org/show_bug.cgi?id=145044
5430
5431 Reviewed by Darin Adler.
5432
5433 * build-symbol-table-index.py:
5434 * create-llvm-ir-from-source-file.py:
5435 * create-symbol-table-index.py:
5436
5437 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
5438
5439 Web Inspector: Slightly better node previews in arrays
5440 https://bugs.webkit.org/show_bug.cgi?id=145188
5441
5442 Reviewed by Timothy Hatcher.
5443
5444 * inspector/InjectedScriptSource.js:
5445 (InjectedScript.prototype._nodeDescription):
5446 (InjectedScript.prototype._nodePreview):
5447 Different stringified representations for a basic object description or in a preview.
5448
5449 (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
5450 Use the node preview string representation inside previews.
5451
5452 2015-05-19 Commit Queue <commit-queue@webkit.org>
5453
5454 Unreviewed, rolling out r184613 and r184614.
5455 https://bugs.webkit.org/show_bug.cgi?id=145206
5456
5457 Broke 10 tests :| (Requested by kling on #webkit).
5458
5459 Reverted changesets:
5460
5461 "[JSC] Speed up URL encode/decode by using bitmaps instead of
5462 strchr()."
5463 https://bugs.webkit.org/show_bug.cgi?id=145115
5464 http://trac.webkit.org/changeset/184613
5465
5466 "[JSC] Speed up URL encode/decode by using bitmaps instead of
5467 strchr()."
5468 https://bugs.webkit.org/show_bug.cgi?id=145115
5469 http://trac.webkit.org/changeset/184614
5470
5471 2015-05-19 Andreas Kling <akling@apple.com>
5472
5473 Give StringView a utf8() API.
5474 <https://webkit.org/b/145201>
5475
5476 Reviewed by Anders Carlsson.
5477
5478 Use JSString::view() in a few places where we couldn't before due to StringView
5479 lacking a utf8() API. This is a minor speed-up on Kraken's crypto subtests,
5480 which like to call encode() with substring JSStrings.
5481
5482 * jsc.cpp:
5483 (functionPrint):
5484 (functionDebug):
5485 * runtime/JSGlobalObjectFunctions.cpp:
5486 (JSC::encode):
5487
54882015-05-19 Andreas Kling <akling@apple.com>
5489
5490 [JSC] Speed up URL encode/decode by using bitmaps instead of strchr().
5491 <https://webkit.org/b/145115>
5492
5493 Incorporate review feedback from Darin, removing some unnecessary zero checks.
5494
5495 * runtime/JSGlobalObjectFunctions.cpp:
5496 (JSC::encode):
5497 (JSC::decode):
5498 (JSC::globalFuncEscape):
5499
55002015-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
5501
5502 Move AtomicStringImpl table related operations from AtomicString to AtomicStringImpl
5503 https://bugs.webkit.org/show_bug.cgi?id=145109
5504
5505 Reviewed by Darin Adler.
5506
5507 * bytecode/CodeBlock.cpp:
5508 (JSC::CodeBlock::nameForRegister):
5509 * runtime/Identifier.cpp:
5510 (JSC::Identifier::add):
5511 (JSC::Identifier::add8):
5512 * runtime/Identifier.h:
5513 (JSC::Identifier::add):
5514 * runtime/IdentifierInlines.h:
5515 (JSC::Identifier::Identifier):
5516 (JSC::Identifier::add):
5517 * runtime/JSString.cpp:
5518 (JSC::JSRopeString::resolveRopeToExistingAtomicString):
5519 * runtime/JSString.h:
5520 (JSC::JSString::toExistingAtomicString):
5521 * runtime/SmallStrings.cpp:
5522 (JSC::SmallStringsStorage::SmallStringsStorage):
5523 * runtime/TypeSet.cpp:
5524 (JSC::StructureShape::propertyHash):
5525
55262015-05-19 Joseph Pecoraro <pecoraro@apple.com>
5527
5528 Web Inspector: Improve Preview for NodeList / array like collections
5529 https://bugs.webkit.org/show_bug.cgi?id=145177
5530
5531 Reviewed by Timothy Hatcher.
5532
5533 * inspector/InjectedScriptSource.js:
5534 (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
5535 For "array" like object previews skip over non-index properties.
5536 We are not marking the object as lossless by choice, but we
5537 may return to this decision later.
5538
55392015-05-19 Michael Saboff <msaboff@apple.com>
5540
5541 REGRESSION(183787): JIT is enabled for all builds
5542 https://bugs.webkit.org/show_bug.cgi?id=145179
5543
5544 Reviewed by Geoffrey Garen.
5545
5546 Eliminated the setting of ENABLE_JIT, as wtf/Platform.h has appropriate logic to
5547 set it depending on OS and CPU type.
5548
5549 * Configurations/FeatureDefines.xcconfig:
5550
55512015-05-19 Youenn Fablet <youenn.fablet@crf.canon.fr>
5552
5553 Rename createIterResultObject as createIteratorResultObject
5554 https://bugs.webkit.org/show_bug.cgi?id=145116
5555
5556 Reviewed by Darin Adler.
5557
5558 Renamed createIterResultObject as createIteratorResultObject.
5559 Made this function exportable for future use by streams API.
5560
5561 * runtime/IteratorOperations.cpp:
5562 (JSC::createIteratorResultObject):
5563 * runtime/IteratorOperations.h:
5564 * runtime/MapIteratorPrototype.cpp:
5565 (JSC::MapIteratorPrototypeFuncNext):
5566 * runtime/SetIteratorPrototype.cpp:
5567 (JSC::SetIteratorPrototypeFuncNext):
5568
55692015-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
5570
5571 Array.prototype methods must use ToLength
5572 https://bugs.webkit.org/show_bug.cgi?id=144128
5573
5574 Reviewed by Oliver Hunt.
5575
5576 Patch by Jordan Harband <ljharb@gmail.com> and Yusuke Suzuki <utatane.tea@gmail.com>
5577
5578 Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength
5579
5580 This patch introduces ToLength and ToInteger JS implementation to encourage the DFG/FTL's inlining.
5581 These implementations are located in GlobalObject.js.
5582 And set to the JSGlobalObject with the private symbols @ToLength and @ToInteger manually.
5583
5584 * builtins/Array.prototype.js:
5585 (every):
5586 (forEach):
5587 (filter):
5588 (map):
5589 (some):
5590 (fill):
5591 (find):
5592 (findIndex):
5593 (includes):
5594 * builtins/ArrayConstructor.js:
5595 (from):
5596 * builtins/GlobalObject.js: Copied from Source/JavaScriptCore/builtins/StringConstructor.js.
5597 (ToInteger):
5598 (ToLength):
5599 * builtins/StringConstructor.js:
5600 (raw):
5601 * runtime/JSGlobalObject.cpp:
5602 (JSC::JSGlobalObject::init):
5603 * runtime/JSGlobalObjectFunctions.h:
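
The ToLength entry above describes the abstract operations without showing them. As an added example (not the ChangeLog's or WebKit's own builtins/GlobalObject.js), the following is the ES6 ToInteger and ToLength written in plain JavaScript, plus a hypothetical array-like includes helper that shows why Array.prototype methods clamp the length this way: a negative, fractional, NaN or oversized "length" can never drive the loop outside the clamped range.

```javascript
// Added example (not JavaScriptCore's builtins/GlobalObject.js): the ES6 abstract
// operations ToInteger and ToLength, plus a hypothetical includes-style helper that
// applies ToLength to an array-like's length the way the patched builtins do.

const MAX_SAFE_LENGTH = Math.pow(2, 53) - 1; // 2^53 - 1, the ToLength upper bound

// ES6 ToInteger: NaN -> +0; +-0 and +-Infinity pass through unchanged;
// everything else is truncated toward zero.
function ToInteger(argument) {
  const number = Number(argument);
  if (Number.isNaN(number)) return 0;
  if (number === 0 || !Number.isFinite(number)) return number;
  return Math.sign(number) * Math.floor(Math.abs(number));
}

// ES6 ToLength: clamp ToInteger(argument) into the range [0, 2^53 - 1].
function ToLength(argument) {
  const len = ToInteger(argument);
  if (len <= 0) return 0;
  if (len === Infinity) return MAX_SAFE_LENGTH;
  return Math.min(len, MAX_SAFE_LENGTH);
}

// Hypothetical array-like "includes". The iteration bound is ToLength(O.length),
// so whatever the object's own "length" property says, the loop runs over at most
// 2^53 - 1 integer indices starting at 0.
function includesWithToLength(arrayLike, searchElement) {
  const O = Object(arrayLike);
  const len = ToLength(O.length);
  for (let k = 0; k < len; k++) {
    const element = O[k];
    // SameValueZero comparison, as Array.prototype.includes specifies.
    if (element === searchElement || (Number.isNaN(element) && Number.isNaN(searchElement))) {
      return true;
    }
  }
  return false;
}
```

Worth noting: ToLength("3.99") is 3 and ToLength(-1) is 0, so an array-like with length 2.9 exposes exactly indices 0 and 1 to these methods, and one with a negative length exposes nothing.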

2015-05-19 Mark Lam <mark.lam@apple.com>

Fix the build of a universal binary with ARMv7k of JavaScriptCore.
https://bugs.webkit.org/show_bug.cgi?id=145143

Reviewed by Geoffrey Garen.

The offlineasm works in 3 phases:

Phase 1:
Parse the llint asm files for config options and desired offsets.
Let's say the offlineasm discovers C unique options and O unique offsets.
The offlineasm will then generate a LLIntDesiredOffsets.h file with
C x C build configurations, each with a set of O offsets.

Each of these build configurations is given a unique configuration index number.

Phase 2:
Compile the LLIntDesiredOffsets.h file into a JSCLLIntOffsetsExtractor binary.

If we're building a fat binary with 2 configurations: armv7, and armv7k,
then the fat binary will contain 2 blobs of offsets, one for each of these
build configurations.

Phase 3:
Parse the llint asm files and emit asm code using the offsets that are
extracted from the JSCLLIntOffsetsExtractor binary for the corresponding
configuration index number.

In the pre-existing code, there are no "if ARMv7k" statements in the llint asm
source. As a result, OFFLINE_ASM_ARMv7k is not one of the config options in
the set of C unique options.

For armv7k builds, OFFLINE_ASM_ARMv7 is also true. As a result, for an armv7k
target, we will end up building armv7 source. In general, this is fine except:

1. armv7k has different alignment requirements from armv7. Hence, their offset
values (in JSCLLIntOffsetsExtractor) will be different.

2. The offlineasm was never told that it needed to make a different configuration
for armv7k builds. Hence, the armv7k build of LLIntDesiredOffsets.h will
build the armv7 configuration, and consequently, the armv7k blob of offsets in
JSCLLIntOffsetsExtractor will have the same configuration index number as
the armv7 blob of offsets.

In phase 3, when the offlineasm parses the JSCLLIntOffsetsExtractor fat binary
looking for the armv7 build's configuration index number, it discovers the
armv7k blob which has the same configuration number. As a result, it
erroneously thinks the armv7k offsets are appropriate for emitting armv7 code.
Needless to say, armv7 code using armv7k offsets will lead to incorrect behavior
and all round badness.

The fix is to add a simple "if ARMv7k" statement to the llint asm files. While
the if statement has no body, it does make the offlineasm aware of the need for
ARMv7k as a configuration option. As a result, it will generate an armv7k
variant configuration in the LLIntDesiredOffsets.h file with its own unique
configuration index number. With that, the JSCLLIntOffsetsExtractor fat binary
will no longer have duplicate configuration index numbers for the armv7 and
armv7k blobs of offsets, and the issue is resolved.

* llint/LLIntOfflineAsmConfig.h:
* llint/LowLevelInterpreter.asm:
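
The three-phase description above explains the index collision in prose. As an added example (not WebKit's offlineasm, which is a Ruby tool), the following toy model in JavaScript reproduces the mechanism: a configuration index is derived only from the options the asm source actually mentions, so a target whose distinguishing option is never mentioned gets the same index as its sibling, and adding the option to the discovered set separates them. Target and option names follow the entry; the function names are hypothetical.

```javascript
// Added example (not part of WebKit's offlineasm): a toy model of how each combination
// of "if FOO" options discovered in the asm source gets a configuration index, and why
// a target whose distinguishing option never appears in the source collides with
// another target's index. Function names are hypothetical.

// Phase 1 model: discoveredOptions lists the option names the asm source tests.
// A configuration is a subset of them; its index is the bitmask over that list.
function configIndexFor(discoveredOptions, activeOptions) {
  let index = 0;
  discoveredOptions.forEach((name, bit) => {
    if (activeOptions.has(name)) index |= 1 << bit;
  });
  return index;
}

// Phase 2/3 model: every target in the fat binary emits its offsets blob under the
// index computed from the options that are true for that target. Returns a Map from
// index to the targets that claimed it, so duplicates are visible.
function offsetsBlobOwners(discoveredOptions, targets) {
  const owners = new Map();
  for (const [targetName, activeOptions] of Object.entries(targets)) {
    const index = configIndexFor(discoveredOptions, new Set(activeOptions));
    if (!owners.has(index)) owners.set(index, []);
    owners.get(index).push(targetName);
  }
  return owners;
}

function hasDuplicateIndex(owners) {
  for (const targetNames of owners.values()) {
    if (targetNames.length > 1) return true;
  }
  return false;
}

// Constructed targets: on an armv7k build OFFLINE_ASM_ARMv7 is also true, per the entry.
const TARGETS = {
  armv7: ["OFFLINE_ASM_ARMv7"],
  armv7k: ["OFFLINE_ASM_ARMv7", "OFFLINE_ASM_ARMv7k"],
};

// Before the fix the source never says "if ARMv7k", so that option is not discovered.
const OPTIONS_BEFORE = ["OFFLINE_ASM_ARMv7"];
// After the fix an empty "if ARMv7k" block makes the option part of the discovered set.
const OPTIONS_AFTER = ["OFFLINE_ASM_ARMv7", "OFFLINE_ASM_ARMv7k"];

// Returns whether the fat binary would carry duplicate configuration indices
// before and after the fix.
function collisionReport() {
  return {
    before: hasDuplicateIndex(offsetsBlobOwners(OPTIONS_BEFORE, TARGETS)),
    after: hasDuplicateIndex(offsetsBlobOwners(OPTIONS_AFTER, TARGETS)),
  };
}
```

The model is deliberately smaller than the real tool (it ignores the offsets themselves), but the index derivation is the part that matters: phase 3 looks blobs up by index, so two targets sharing an index is enough for the wrong offsets to be picked.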

2015-05-19 Andreas Kling <akling@apple.com>

Give JSString a StringView getter and start using it.
<https://webkit.org/b/145131>

Reviewed by Anders Carlsson.

When JSString is a substring internally, calling value(ExecState*) on it
will reify the baseString/start/length tuple into a new StringImpl.

For clients that only want to look at the characters of a JSString, but
don't actually need a reffable StringImpl, adding a light-weight StringView
getter lets them avoid constructing anything.

This patch adds JSString::view(ExecState*) and uses it in a few places.
There are many more opportunities to use this API, but let's do a few things
at a time.

* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::decode):
(JSC::parseInt):
(JSC::jsToNumber):
(JSC::parseFloat):
(JSC::globalFuncParseInt):
(JSC::globalFuncParseFloat):
(JSC::globalFuncEscape):
(JSC::globalFuncUnescape):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSONObject.cpp:
(JSC::JSONProtoFuncParse):
* runtime/JSString.cpp:
(JSC::JSString::getPrimitiveNumber):
(JSC::JSString::toNumber):
* runtime/JSString.h:
(JSC::JSRopeString::view):
(JSC::JSString::view):

2015-05-18 Filip Pizlo <fpizlo@apple.com>

Better optimize 'if' with ternaries conditional tests.
https://bugs.webkit.org/show_bug.cgi?id=144136

Reviewed by Benjamin Poulain.

This is the last fix I'll do for this for now. BooleanToNumber(Untyped:) where the input
is proved to be either BoolInt32 or Boolean should be optimized to just masking the
lowest bit.

This is another 37% speed-up on JSRegress/slow-ternaries.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):

2015-05-18 Benjamin Poulain <bpoulain@apple.com>

<rdar://problem/21003555> clobberize() is wrong for ArithRound because it doesn't account for the arith mode
https://bugs.webkit.org/show_bug.cgi?id=145147

Reviewed by Filip Pizlo.

Really stupid bug: ArithRound nodes with different rounding modes
were not distinguished and CSE would happily unify with a node of
a different rounding mode.

DFG::clobberize() already supports additional data but I was not using it.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* tests/stress/math-round-arith-rounding-mode.js: Added.
(firstCareAboutZeroSecondDoesNot):
(firstDoNotCareAboutZeroSecondDoes):
(warmup):
(verifyNegativeZeroIsPreserved):

2015-05-18 Filip Pizlo <fpizlo@apple.com>

Add SpecBoolInt32 type that means "I'm an int and I'm either 0 or 1"
https://bugs.webkit.org/show_bug.cgi?id=145137

Reviewed by Benjamin Poulain.

It's super useful to know if an integer value could be either zero or one. We have an
immediate need for this because of Int32|Boolean uses, where knowing that the Int32 is
either 0 or 1 means that there is no actual polymorphism if you just look at the low bit
(1 behaves like true, 0 behaves like false, and the low bit of 1|true is 1, and the low
bit of 0|false is 0).

We do this by splitting the SpecInt32 type into SpecBoolInt32 and SpecNonBoolInt32. This
change doesn't have any effect on behavior, yet. But it does give us the ability to
predict and prove when values are SpecBoolInt32; it's just we don't leverage this yet.

This is perf-neutral.

* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):
* bytecode/SpeculatedType.h:
(JSC::isStringOrStringObjectSpeculation):
(JSC::isBoolInt32Speculation):
(JSC::isInt32Speculation):
(JSC::isInt32OrBooleanSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2015-05-18 Michael Catanzaro <mcatanzaro@igalia.com>

[CMake] Ignore warnings in system headers
https://bugs.webkit.org/show_bug.cgi?id=144747

Reviewed by Darin Adler.

Separate include directories into WebKit project includes and system includes. Suppress all
warnings from headers in system include directories using the SYSTEM argument to
the include_directories command.

* CMakeLists.txt:
* PlatformGTK.cmake:

2015-05-18 Skachkov Alexandr <gskachkov@gmail.com>

[ES6] Arrow function syntax. Feature flag for arrow function
https://bugs.webkit.org/show_bug.cgi?id=145108

Reviewed by Ryosuke Niwa.

Added feature flag ENABLE_ES6_ARROWFUNCTION_SYNTAX for arrow function

* Configurations/FeatureDefines.xcconfig:

2015-05-18 Benjamin Poulain <benjamin@webkit.org>

[JSC] When entering a CheckTierUp without OSREntry, force the CheckTierUp for the outer loops with OSR Entry
https://bugs.webkit.org/show_bug.cgi?id=145092

Reviewed by Filip Pizlo.

When we have a hot loop without OSR Entry inside a slower loop that supports OSR Entry,
we get the inside loop driving the tierUpCounter and we have very little chance of
doing a CheckTierUp on the outer loop. In turn, this gives almost no opportunity to tier
up in the outer loop and OSR Enter there.

This patch changes CheckTierUp to force its outer loops to do a CheckTierUp themselves.

To do that, CheckTierUp sets a flag "nestedTriggerIsSet" to force the outer loop to
enter their CheckTierUp regardless of the tier-up counter.

* bytecode/ExecutionCounter.cpp:
(JSC::ExecutionCounter<countingVariant>::setThreshold):
This is somewhat unrelated. This assertion is incorrect because it relies on
m_counter, which changes on another thread.

I have hit it a couple of times with this patch because we are a bit more aggressive
on CheckTierUp. What happens is:
1) ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet() first checks
hasCrossedThreshold(), and it is false.
2) On the main thread, the hot loop keeps running and the counter becomes large
enough to cross the threshold.
3) ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet() runs the next
test, setThreshold(), where the assertion is. Since the counter is now large enough,
the assertion fails.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

* dfg/DFGJITCode.h:
I used a uint8_t instead of a boolean to make the code generation clearer
in DFGSpeculativeJIT64.

* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:

* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
This is a bit annoying: we have the NaturalLoops analysis that provides us
everything we need to know about loops, but the TierUpCheck are conservative
and set on LoopHint.

To make the two work together, we first find all the CheckTierUp that cannot
OSR enter and we keep a list of all the natural loops containing them.

Then we do a second pass over the LoopHints, get their NaturalLoop, and check
if it contains a loop that cannot OSR enter.

* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
(JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint):

2015-05-18 Filip Pizlo <fpizlo@apple.com>

Add an Int-or-Boolean speculation to Branch
https://bugs.webkit.org/show_bug.cgi?id=145134

Reviewed by Benjamin Poulain.

After https://bugs.webkit.org/show_bug.cgi?id=126778 we no longer have a reason not to do the
int-or-boolean optimization that we already do everywhere else.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

2015-05-18 Andreas Kling <akling@apple.com>

[JSC] Speed up URL encode/decode by using bitmaps instead of strchr().
<https://webkit.org/b/145115>

Reviewed by Anders Carlsson.

We were calling strchr() for every character when doing URL encoding/decoding and it stood out
like a sore O(n) thumb in Instruments. Optimize this by using a Bitmap<256> instead.

5.5% progression on Kraken/stanford-crypto-sha256-iterative.

* runtime/JSGlobalObjectFunctions.cpp:
(JSC::makeCharacterBitmap):
(JSC::encode):
(JSC::decode):
(JSC::globalFuncDecodeURI):
(JSC::globalFuncDecodeURIComponent):
(JSC::globalFuncEncodeURI):
(JSC::globalFuncEncodeURIComponent):
(JSC::globalFuncEscape):
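
The bitmap entry above names the technique but the ChangeLog carries no code. As an added example (not JavaScriptCore's runtime/JSGlobalObjectFunctions.cpp), the following JavaScript builds a 256-bit membership bitmap from a "do not escape" string and consults it once per character inside a spec-style percent-encoder, so the per-character cost is a shift and a mask rather than a strchr() scan. The function names are hypothetical; the character sets are the ones ECMA-262 gives for encodeURIComponent and encodeURI, so the output can be checked against the built-ins.

```javascript
// Added example, not JavaScriptCore's runtime/JSGlobalObjectFunctions.cpp: a 256-bit
// bitmap (8 x 32-bit words) consulted per character instead of a strchr() scan over
// the "do not escape" string, driving a spec-style percent-encoder. Names are hypothetical.

// Build the 256-bit set from the characters of a string (Latin-1 range only).
function makeCharacterBitmap(characters) {
  const bits = new Uint32Array(8);
  for (let i = 0; i < characters.length; i++) {
    const c = characters.charCodeAt(i);
    if (c > 255) throw new RangeError("bitmap covers Latin-1 only");
    bits[c >>> 5] |= 1 << (c & 31);
  }
  return bits;
}

// O(1) membership test; code units above 255 are never in the set.
function bitmapHas(bits, codeUnit) {
  return codeUnit < 256 && ((bits[codeUnit >>> 5] >>> (codeUnit & 31)) & 1) === 1;
}

// The sets encodeURIComponent and encodeURI leave untouched (ECMA-262 18.2.6).
const URI_UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.!~*'()";
const COMPONENT_DO_NOT_ESCAPE = makeCharacterBitmap(URI_UNRESERVED);
const URI_DO_NOT_ESCAPE = makeCharacterBitmap(URI_UNRESERVED + ";/?:@&=+$,#");

// %XX for each byte, upper-case hex as the built-ins produce.
function percentEncodeBytes(bytes) {
  let out = "";
  for (const b of bytes) out += "%" + b.toString(16).toUpperCase().padStart(2, "0");
  return out;
}

// Encode one string: pass set members through, UTF-8 percent-encode everything else,
// and reject lone surrogates with URIError exactly as the built-ins do.
function bitmapEncode(str, doNotEscape) {
  const utf8 = new TextEncoder();
  let out = "";
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    if (bitmapHas(doNotEscape, unit)) { out += str[i]; continue; }
    let chunk = str[i];
    if (unit >= 0xD800 && unit <= 0xDBFF) {            // high surrogate: needs a low one next
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : 0;
      if (next < 0xDC00 || next > 0xDFFF) throw new URIError("URI malformed");
      chunk = str.slice(i, i + 2);
      i++;
    } else if (unit >= 0xDC00 && unit <= 0xDFFF) {     // stray low surrogate
      throw new URIError("URI malformed");
    }
    out += percentEncodeBytes(utf8.encode(chunk));
  }
  return out;
}
```

The surrogate checks are the part easy to drop when porting this: a lone surrogate must be rejected before it reaches the UTF-8 encoder, otherwise it is silently replaced with U+FFFD and the encoder no longer matches the language's built-ins.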

2015-05-17 Benjamin Poulain <benjamin@webkit.org>

Do not use fastMallocGoodSize anywhere
https://bugs.webkit.org/show_bug.cgi?id=145103

Reviewed by Michael Saboff.

* assembler/AssemblerBuffer.h:
(JSC::AssemblerData::AssemblerData):
(JSC::AssemblerData::grow):

2015-05-17 Benjamin Poulain <benjamin@webkit.org>

[JSC] Make StringRecursionChecker faster in the simple cases without any recursion
https://bugs.webkit.org/show_bug.cgi?id=145102

Reviewed by Darin Adler.

In general, the arrays targeted by Array.toString() or Array.join() are pretty
simple. In those simple cases, we spend as much time in StringRecursionChecker
as we do on the actual operation.

The reason for this is the HashSet stringRecursionCheckVisitedObjects used
to detect recursion. We are constantly adding and removing objects, which
dirties buckets and forces constant rehashing.

This patch adds a simple shortcut for those simple cases: in addition to the HashSet,
we keep a pointer to the root object of the recursion.
In the vast majority of cases, we no longer touch the HashSet at all.

This patch is a 12% progression on the overall score of ArrayWeighted.

* runtime/StringRecursionChecker.h:
(JSC::StringRecursionChecker::performCheck):
(JSC::StringRecursionChecker::~StringRecursionChecker):
* runtime/VM.h:
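
The root-object shortcut above is easy to get subtly wrong (the root must be released on exit, and a second visit of the root must still be detected). As an added example, not JavaScriptCore's runtime/StringRecursionChecker.h, the following JavaScript models the checker with a plain root field in front of a Set, together with a hypothetical safeJoin that mirrors Array.prototype.join's cycle handling (a cyclic reference contributes the empty string). The setTouches counter is an illustration-only addition that makes the "never touch the Set for flat arrays" property visible.

```javascript
// Added example, not JavaScriptCore's runtime/StringRecursionChecker.h: the root-object
// shortcut modelled in JavaScript. The first object being stringified is remembered in a
// plain field; only nested objects fall back to the Set. safeJoin and the setTouches
// counter are hypothetical additions for illustration.

class StringRecursionChecker {
  constructor() {
    this.rootObject = null;   // the object the outermost toString/join started on
    this.visited = new Set(); // only consulted once nesting goes past the root
    this.setTouches = 0;      // enter/leave calls that had to touch the Set
  }

  // Returns true if obj is already being stringified further up the stack,
  // i.e. the caller should produce "" instead of recursing.
  enter(obj) {
    if (this.rootObject === null) { this.rootObject = obj; return false; }
    if (this.rootObject === obj) return true;
    this.setTouches++;
    if (this.visited.has(obj)) return true;
    this.visited.add(obj);
    return false;
  }

  leave(obj) {
    if (this.rootObject === obj) { this.rootObject = null; return; }
    this.setTouches++;
    this.visited.delete(obj);
  }
}

// Join that mirrors Array.prototype.join's cycle handling: an array already being
// joined contributes the empty string instead of recursing forever.
function safeJoin(value, checker) {
  if (!Array.isArray(value)) return value == null ? "" : String(value);
  if (checker.enter(value)) return "";
  try {
    return value.map((element) => safeJoin(element, checker)).join(",");
  } finally {
    checker.leave(value);
  }
}

// Join with a fresh checker and report how many Set operations it cost.
function joinWithStats(array) {
  const checker = new StringRecursionChecker();
  const text = safeJoin(array, checker);
  return { text, setTouches: checker.setTouches };
}
```

The try/finally around the recursive call is what the real checker's destructor provides: if leave() were skipped on an exception, the stale root would make the next unrelated join report a false cycle.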

2015-05-17 Filip Pizlo <fpizlo@apple.com>

Insert store barriers late so that IR transformations don't have to worry about them
https://bugs.webkit.org/show_bug.cgi?id=145015

Reviewed by Geoffrey Garen.

We have had three kinds of bugs with store barriers. For the sake of discussion we say
that a store barrier is needed when we have something like:

base.field = value

- We sometimes fail to realize that we could remove a barrier when value is a non-cell.
This might happen if we prove value to be a non-cell even though in the FixupPhase it
wasn't predicted non-cell.

- We sometimes have a barrier in the wrong place after object allocation sinking. We
might sink an allocation to just above the store, but that puts it just after the
StoreBarrier that FixupPhase inserted.

- We don't remove redundant barriers across basic blocks.

This comprehensively fixes these issues by doing store barrier insertion late, and
removing the store barrier elision phase. Store barrier insertion uses an epoch-based
algorithm to determine when stores need barriers. Briefly, a barrier is not needed if
base is in the current GC epoch (i.e. was the last object that we allocated or had a
barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have
always been allocated before base). We do conservative things when merging epoch state
between basic blocks, and we only do such inter-block removal in the FTL. FTL also
queries AI to determine what type we've proved about value, and avoids barriers when
value is not a cell. FixupPhase still inserts type checks on some stores, to maximize
the likelihood that this AI-based removal is effective.

Rolling back in after fixing some debug build test failures.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBlockMap.h:
(JSC::DFG::BlockMap::at):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGEpoch.h:
(JSC::DFG::Epoch::operator<):
(JSC::DFG::Epoch::operator>):
(JSC::DFG::Epoch::operator<=):
(JSC::DFG::Epoch::operator>=):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::speculateForBarrier):
(JSC::DFG::FixupPhase::insertStoreBarrier): Deleted.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGStoreBarrierElisionPhase.cpp: Removed.
* dfg/DFGStoreBarrierElisionPhase.h: Removed.
* dfg/DFGStoreBarrierInsertionPhase.cpp: Added.
(JSC::DFG::performFastStoreBarrierInsertion):
(JSC::DFG::performGlobalStoreBarrierInsertion):
* dfg/DFGStoreBarrierInsertionPhase.h: Added.
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR): Fix an unrelated debug-only bug.
* tests/stress/load-varargs-then-inlined-call-and-exit.js: Test for that debug-only bug.
* tests/stress/load-varargs-then-inlined-call-and-exit-strict.js: Strict version of that test.

2015-05-16 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r184415.
https://bugs.webkit.org/show_bug.cgi?id=145096

Broke several tests (Requested by msaboff on #webkit).

Reverted changeset:

"Insert store barriers late so that IR transformations don't
have to worry about them"
https://bugs.webkit.org/show_bug.cgi?id=145015
http://trac.webkit.org/changeset/184415

2015-05-14 Filip Pizlo <fpizlo@apple.com>

Insert store barriers late so that IR transformations don't have to worry about them
https://bugs.webkit.org/show_bug.cgi?id=145015

Reviewed by Geoffrey Garen.

We have had three kinds of bugs with store barriers. For the sake of discussion we say
that a store barrier is needed when we have something like:

base.field = value

- We sometimes fail to realize that we could remove a barrier when value is a non-cell.
This might happen if we prove value to be a non-cell even though in the FixupPhase it
wasn't predicted non-cell.

- We sometimes have a barrier in the wrong place after object allocation sinking. We
might sink an allocation to just above the store, but that puts it just after the
StoreBarrier that FixupPhase inserted.

- We don't remove redundant barriers across basic blocks.

This comprehensively fixes these issues by doing store barrier insertion late, and
removing the store barrier elision phase. Store barrier insertion uses an epoch-based
algorithm to determine when stores need barriers. Briefly, a barrier is not needed if
base is in the current GC epoch (i.e. was the last object that we allocated or had a
barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have
always been allocated before base). We do conservative things when merging epoch state
between basic blocks, and we only do such inter-block removal in the FTL. FTL also
queries AI to determine what type we've proved about value, and avoids barriers when
value is not a cell. FixupPhase still inserts type checks on some stores, to maximize
the likelihood that this AI-based removal is effective.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBlockMap.h:
(JSC::DFG::BlockMap::at):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGEpoch.h:
(JSC::DFG::Epoch::operator<):
(JSC::DFG::Epoch::operator>):
(JSC::DFG::Epoch::operator<=):
(JSC::DFG::Epoch::operator>=):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::speculateForBarrier):
(JSC::DFG::FixupPhase::insertStoreBarrier): Deleted.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGStoreBarrierElisionPhase.cpp: Removed.
* dfg/DFGStoreBarrierElisionPhase.h: Removed.
* dfg/DFGStoreBarrierInsertionPhase.cpp: Added.
(JSC::DFG::performFastStoreBarrierInsertion):
(JSC::DFG::performGlobalStoreBarrierInsertion):
* dfg/DFGStoreBarrierInsertionPhase.h: Added.
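
The epoch rule in the two "Insert store barriers late" entries above (the 2015-05-14 original and the 2015-05-17 roll-in) is stated in one sentence and is worth seeing on a concrete store sequence. As an added example, not JavaScriptCore's DFGStoreBarrierInsertionPhase, the following JavaScript simulates the single-block version of the rule: every allocation, and every store that did receive a barrier, advances the epoch and stamps its object with it; a store base.field = value then needs a barrier only when value is a cell, base is not in the current epoch, and base is not newer than value. The class and function names, and the straight-line scenario, are hypothetical.

```javascript
// Added example (not JavaScriptCore's DFGStoreBarrierInsertionPhase): a straight-line
// simulation of the epoch rule described in the entry. Names are hypothetical.

class EpochState {
  constructor() {
    this.currentEpoch = 1;
    this.epochOf = new Map(); // cell -> epoch in which it was allocated or last barriered
  }
  // Cells this phase knows nothing about (e.g. loaded from the heap) are treated as
  // oldest possible, epoch 0, so stores into them conservatively get barriers.
  epochFor(cell) { return this.epochOf.has(cell) ? this.epochOf.get(cell) : 0; }
  // A fresh allocation is the newest thing in the world.
  allocate(cell) { this.epochOf.set(cell, ++this.currentEpoch); return cell; }
  // A GC empties the remembered set, so nothing is "current" any more.
  collect() { this.epochOf.clear(); this.currentEpoch++; }
}

function isCell(value) {
  return value !== null && (typeof value === "object" || typeof value === "function");
}

// True when a barrier must be emitted for base.field = value.
function needsBarrier(state, base, value) {
  if (!isCell(value)) return false;                     // AI proved value is not a cell
  const baseEpoch = state.epochFor(base);
  if (baseEpoch === state.currentEpoch) return false;   // base is in the current epoch
  if (baseEpoch > state.epochFor(value)) return false;  // value was allocated before base
  return true;
}

// Perform the store, emitting a barrier where needed; a barriered base becomes current
// because it is now in the remembered set until the next GC.
function store(state, base, field, value) {
  const barrier = needsBarrier(state, base, value);
  if (barrier) state.epochOf.set(base, ++state.currentEpoch);
  base[field] = value;
  return barrier;
}

// Constructed straight-line program; returns which of its stores got barriers.
function runScenario() {
  const state = new EpochState();
  const oldCell = {};                        // came from the heap: unknown, oldest epoch
  const a = state.allocate({});
  const s1 = store(state, a, "x", oldCell);  // a is current -> no barrier
  const b = state.allocate({});
  const s2 = store(state, a, "y", b);        // b is newer than a -> barrier
  const s3 = store(state, a, "z", b);        // a was just barriered -> no barrier
  const s4 = store(state, oldCell, "p", a);  // old base, young value -> barrier
  const s5 = store(state, b, "q", 42);       // non-cell value -> never a barrier
  state.collect();
  const s6 = store(state, a, "w", b);        // after GC nothing is current -> barrier
  return [s1, s2, s3, s4, s5, s6];
}
```

The entry's third bug (redundant barriers across basic blocks) is outside this model; merging epoch state at block boundaries has to be conservative, which is why the ChangeLog limits that inter-block removal to the FTL.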

2015-05-15 Benjamin Poulain <bpoulain@apple.com>

[ARM64] Do not fail branchConvertDoubleToInt32 when the result is zero and not negative zero
https://bugs.webkit.org/show_bug.cgi?id=144976

Reviewed by Michael Saboff.

Failing the conversion on zero is pretty dangerous as we discovered on x86.

This patch does not really impact performance significantly because
r184220 removed the zero checks from Kraken. This patch is just to be
on the safe side for cases not covered by existing benchmarks.

* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):

2015-05-15 Sungmann Cho <sungmann.cho@navercorp.com>

Remove unnecessary forward declarations in PropertyNameArray.h.
https://bugs.webkit.org/show_bug.cgi?id=145058

Reviewed by Andreas Kling.

No new tests, no behavior change.

* runtime/PropertyNameArray.h:

2015-05-15 Mark Lam <mark.lam@apple.com>

JSArray::setLength() should reallocate instead of zero-filling if the reallocation would be small enough.
https://bugs.webkit.org/show_bug.cgi?id=144622

Reviewed by Geoffrey Garen.

When setting the array to a new length that is shorter, we now check if it is worth
just making a new butterfly instead of clearing out the slots in the old butterfly
that reside beyond the new length. If so, we will make a new butterfly instead.

There are no perf differences in the benchmark results. However, this does benefit
the perf of pathological cases where we need to shorten the length of a very large
array, as is the case in tests/mozilla/js1_5/Array/regress-101964.js. With this
patch, we can expect that test to complete in a short time again.

* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
* runtime/JSObject.cpp:
(JSC::JSObject::reallocateAndShrinkButterfly):
- makes a new butterfly with a new shorter length.
* runtime/JSObject.h:
* tests/mozilla/js1_5/Array/regress-101964.js:
- Undo this test change since this patch will prevent us from spending a lot of time
clearing a large butterfly.

2015-05-15 Basile Clement <basile_clement@apple.com>

DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
https://bugs.webkit.org/show_bug.cgi?id=145062

Reviewed by Filip Pizlo.

We assert in various places (including NodeOrigin::isSet()) that a
NodeOrigin's semantic and forExit must be either both set, or both
unset. However, LICM'ing a node with unset NodeOrigin would only set
forExit, and leave semantic unset. This can for instance happen when a
Phi node is constant-folded into a JSConstant, which in turn gets
LICM'd.

This patch changes DFGLICMPhase to set the NodeOrigin's semantic in
addition to its forExit if semantic was previously unset.

It also adds two validators to DFGValidate.cpp:
- In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset
- In CPS form, all nodes must have a set NodeOrigin forExit (this is
the CPS counterpart to the SSA validator that checks that all nodes
must have a set NodeOrigin except possibly for a continuous chunk of
nodes at the top of a block)

* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateCPS):

2015-05-15 Filip Pizlo <fpizlo@apple.com>

Unreviewed, remove an unused declaration.

* dfg/DFGSpeculativeJIT.h:

2015-05-14 Filip Pizlo <fpizlo@apple.com>

Remove unused constant-base and constant-value store barrier code in the DFG
https://bugs.webkit.org/show_bug.cgi?id=145039

Reviewed by Andreas Kling.

Just killing dead code.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Deleted.
(JSC::DFG::SpeculativeJIT::writeBarrier): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):

2015-05-15 Alexandr Skachkov <gskachkov@gmail.com>

Fix typo in function name parseFunctionParamters -> parseFunctionParameters
https://bugs.webkit.org/show_bug.cgi?id=145040

Reviewed by Mark Lam.

* parser/Parser.h:
* parser/Parser.cpp:

2015-05-14 Filip Pizlo <fpizlo@apple.com>

Remove StoreBarrierWithNullCheck, nobody ever generates this.

Rubber stamped by Benjamin Poulain and Michael Saboff.

If we did bring something like this back in the future, we would just use UntypedUse instead
of CellUse to indicate that this is what we want.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::isStoreBarrier):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): Deleted.

2015-05-14 Filip Pizlo <fpizlo@apple.com>

PutGlobalVar should reference the global object it's storing into
https://bugs.webkit.org/show_bug.cgi?id=145036

Reviewed by Michael Saboff.

This makes it easier to reason about store barrier insertion and elimination. This changes
the format of PutGlobalVar so that child1 is the global object and child2 is the value.
Previously it just had child1, and that was the value.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):

2015-05-14 Michael Catanzaro <mcatanzaro@igalia.com>

[CMake] Error out when ruby is too old
https://bugs.webkit.org/show_bug.cgi?id=145014

Reviewed by Martin Robinson.

Don't enforce the check for the Ruby executable here; it's now enforced in the top-level
CMakeLists.txt instead.

* CMakeLists.txt:

2015-05-12 Basile Clement <basile_clement@apple.com>

Enforce options coherency
https://bugs.webkit.org/show_bug.cgi?id=144921

Reviewed by Mark Lam.

JavaScriptCore should be failing early when the options are set in such
a way that we don't have a meaningful way to execute JavaScript, rather
than failing for obscure reasons at some point during execution.

This patch adds a new function that checks whether the options are set
in a coherent way, and makes JSC::Options::initialize() crash when the
environment enforces incoherent options.
Client applications able to add or change additional options are
responsible for checking coherency again before starting to actually
execute JavaScript, if any additional options have been set. This is
implemented for the jsc executable in this patch.

* jsc.cpp:
(CommandLine::parseArguments):
* runtime/Options.cpp:
(JSC::Options::initialize):
(JSC::Options::ensureOptionsAreCoherent): Added.
* runtime/Options.h:
(JSC::Options::ensureOptionsAreCoherent): Added.

2015-05-14 Yusuke Suzuki <utatane.tea@gmail.com>

REGRESSION (r184337): [EFL] unresolved reference errors in ARM builds
https://bugs.webkit.org/show_bug.cgi?id=145019

Reviewed by Ryosuke Niwa.

Attempt to fix compile errors in EFL ARM buildbots.
Running `nm` showed that JSTemplateRegistryKey.cpp.o and TemplateRegistry.cpp.o have
an unresolved reference to Structure::get. That is an inlined function in StructureInlines.h.
6312
6313 * runtime/JSTemplateRegistryKey.cpp:
6314 * runtime/TemplateRegistry.cpp:
6315
63162015-05-14 Alexandr Skachkov <gskachkov@gmail.com>
6317
6318 Small refactoring before implementation of the ES6 arrow function.
6319 https://bugs.webkit.org/show_bug.cgi?id=144954
6320
6321 Reviewed by Ryosuke Niwa.
6322
6323 * parser/Parser.h:
6324 * parser/Parser.cpp:
6325
63262015-05-14 Yusuke Suzuki <utatane.tea@gmail.com>
6327
6328 REGRESSION (r184337): ASSERT failed in debug builds for tagged templates
6329 https://bugs.webkit.org/show_bug.cgi?id=145013
6330
6331 Reviewed by Filip Pizlo.
6332
6333 Fix the regression introduced by r184337.
6334
6335 1. JSTemporaryRegistryKey::s_info should inherit the Base::s_info,
6336 JSDestructibleObject::s_info.
6337
6338 2. The first register argument of BytecodeGenerator::emitNode
6339 should be a referenced register if it is a temporary register.
6340
6341 * bytecompiler/NodesCodegen.cpp:
6342 (JSC::TaggedTemplateNode::emitBytecode):
6343 * runtime/JSTemplateRegistryKey.cpp:
6344
63452015-05-14 Andreas Kling <akling@apple.com>
6346
6347 String.prototype.split() should create efficient substrings.
6348 <https://webkit.org/b/144985>
6349 <rdar://problem/20949344>
6350
6351 Reviewed by Geoffrey Garen.
6352
6353 Teach split() how to make substring JSStrings instead of relying on StringImpl's
6354 substring sharing mechanism. The optimization works by deferring the construction
6355 of a StringImpl until the substring's value is actually needed.
6356
6357 This knocks ~2MB off of theverge.com by avoiding the extra StringImpl allocations.
6358 Out of ~70000 substrings created by split(), only ~2000 of them get reified.
6359
6360 * runtime/StringPrototype.cpp:
6361 (JSC::jsSubstring):
6362 (JSC::splitStringByOneCharacterImpl):
6363 (JSC::stringProtoFuncSplit):
6364
63652015-05-14 Yusuke Suzuki <utatane.tea@gmail.com>
6366
6367 Change the status of ES6 tagged templates to Done in features.json
6368 https://bugs.webkit.org/show_bug.cgi?id=145003
6369
6370 Reviewed by Benjamin Poulain.
6371
6372 Now it's implemented in r184337.
6373
6374 * features.json:
6375
63762015-05-14 Yusuke Suzuki <utatane.tea@gmail.com>
6377
6378 Introduce SymbolType into SpeculativeTypes
6379 https://bugs.webkit.org/show_bug.cgi?id=142651
6380
6381 Reviewed by Filip Pizlo.
6382
6383 Introduce SpecSymbol type into speculative types.
6384 Previously symbol type is categorized into SpecCellOther.
6385 But SpecCellOther is not intended to be used for such cells.
6386
6387 This patch just introduces SpecSymbol.
6388 It represents the type of target value is definitely the symbol type.
6389 It is the part of SpecCell.
6390
6391 In this patch, we do not introduce SymbolUse tracking.
6392 It will be added in the separate patch.
6393
6394 * bytecode/SpeculatedType.cpp:
6395 (JSC::dumpSpeculation):
6396 (JSC::speculationFromStructure):
6397 * bytecode/SpeculatedType.h:
6398 (JSC::isSymbolSpeculation):
6399 * dfg/DFGAbstractInterpreterInlines.h:
6400 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6401 * dfg/DFGAbstractValue.cpp:
6402 (JSC::DFG::AbstractValue::setType):
6403 * dfg/DFGConstantFoldingPhase.cpp:
6404 (JSC::DFG::ConstantFoldingPhase::foldConstants):
6405 * tests/stress/typeof-symbol.js: Added.
6406
64072015-05-14 Yusuke Suzuki <utatane.tea@gmail.com>
6408
6409 [ES6] Implement tagged templates
6410 https://bugs.webkit.org/show_bug.cgi?id=143183
6411
6412 Reviewed by Oliver Hunt.
6413
6414 This patch implements ES6 tagged templates.
6415 In tagged templates, the function takes the template object.
6416
6417 The template object contains the raw and cooked template strings,
6418 so when parsing the tagged templates, we need to tokenize the raw and cooked strings.
6419 While tagged templates require the both strings, the template literal only requires
6420 the cooked strings. So when tokenizing under the template literal context,
6421 we only builds the cooked strings.
6422
6423 As per ES6 spec, the template objects for the same raw strings are shared in the same realm.
6424 The template objects is cached. And every time we evaluate the same tagged templates,
6425 the same (cached) template objects are used.
6426 Since the spec freezes this template objects completely,
6427 we cannot attach some properties to it.
6428 So we can say that it behaves as if the template objects are the primitive values (like JSString).
6429 Since we cannot attach properties, the only way to test the identity of the template object is comparing. (===)
6430 As the result, when there is no reference to the template object, we can garbage collect it
6431 because the user has no way to test that the newly created template object does not equal
6432 to the already collected template object.
6433
6434 So, to implement tagged templates, we implement the following components.
6435
6436 1. JSTemplateRegistryKey
6437 It holds the template registry key and it does not exposed to users.
6438 TemplateRegistryKey holds the vector of raw and cooked strings with the pre-computed hash value.
6439 When obtaining the template object for the (statically, a.k.a. at the parsing time) given raw string vectors,
6440 we use this JSTemplateRegistryKey as a key to the map and look up the template object from
6441 TemplateRegistry.
6442 JSTemplateRegistryKey is created at the bytecode compiling time and
6443 stored in the CodeBlock as like as JSString content values.
6444
6445 2. TemplateRegistry
6446 This manages the cached template objects.
6447 It holds the weak map (JSTemplateRegistryKey -> the template object).
6448 The template object is weakly referenced.
6449 So if there is no reference to the template object,
6450 the template object is automatically GC-ed.
6451 When looking up the template object, it searches the cached template object.
6452 If it is found, it is returned to the users.
6453 If there is no cached template objects, it creates the new template object and
6454 stores it with the given template registry key.
6455
6456 * CMakeLists.txt:
6457 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
6458 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
6459 * JavaScriptCore.xcodeproj/project.pbxproj:
6460 * bytecompiler/BytecodeGenerator.cpp:
6461 (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
6462 (JSC::BytecodeGenerator::emitGetTemplateObject):
6463 * bytecompiler/BytecodeGenerator.h:
6464 * bytecompiler/NodesCodegen.cpp:
6465 (JSC::TaggedTemplateNode::emitBytecode):
6466 (JSC::TemplateLiteralNode::emitBytecode): Deleted.
6467 * parser/ASTBuilder.h:
6468 (JSC::ASTBuilder::createTaggedTemplate):
6469 (JSC::ASTBuilder::createTemplateLiteral): Deleted.
6470 * parser/Lexer.cpp:
6471 (JSC::Lexer<T>::setCode):
6472 (JSC::Lexer<T>::parseTemplateLiteral):
6473 (JSC::Lexer<T>::lex):
6474 (JSC::Lexer<T>::scanTrailingTemplateString):
6475 (JSC::Lexer<T>::clear):
6476 * parser/Lexer.h:
6477 (JSC::Lexer<T>::makeEmptyIdentifier):
6478 * parser/NodeConstructors.h:
6479 (JSC::TaggedTemplateNode::TaggedTemplateNode):
6480 (JSC::TemplateLiteralNode::TemplateLiteralNode): Deleted.
6481 * parser/Nodes.h:
6482 (JSC::TemplateLiteralNode::templateStrings):
6483 (JSC::TemplateLiteralNode::templateExpressions):
6484 (JSC::TaggedTemplateNode::templateLiteral):
6485 * parser/Parser.cpp:
6486 (JSC::Parser<LexerType>::parseTemplateString):
6487 (JSC::Parser<LexerType>::parseTemplateLiteral):
6488 (JSC::Parser<LexerType>::parsePrimaryExpression):
6489 (JSC::Parser<LexerType>::parseMemberExpression):
6490 * parser/Parser.h:
6491 * parser/ParserArena.h:
6492 (JSC::IdentifierArena::makeEmptyIdentifier):
6493 * parser/SyntaxChecker.h:
6494 (JSC::SyntaxChecker::createTaggedTemplate):
6495 (JSC::SyntaxChecker::createTemplateLiteral): Deleted.
6496 * runtime/CommonIdentifiers.h:
6497 * runtime/JSGlobalObject.cpp:
6498 (JSC::getTemplateObject):
6499 (JSC::JSGlobalObject::JSGlobalObject):
6500 (JSC::JSGlobalObject::init):
6501 * runtime/JSGlobalObject.h:
6502 (JSC::JSGlobalObject::templateRegistry):
6503 * runtime/JSTemplateRegistryKey.cpp: Added.
6504 (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
6505 (JSC::JSTemplateRegistryKey::create):
6506 (JSC::JSTemplateRegistryKey::destroy):
6507 * runtime/JSTemplateRegistryKey.h: Added.
6508 * runtime/ObjectConstructor.cpp:
6509 (JSC::objectConstructorFreeze):
6510 * runtime/ObjectConstructor.h:
6511 * runtime/TemplateRegistry.cpp: Added.
6512 (JSC::TemplateRegistry::TemplateRegistry):
6513 (JSC::TemplateRegistry::getTemplateObject):
6514 * runtime/TemplateRegistry.h: Added.
6515 * runtime/TemplateRegistryKey.h: Added.
6516 (JSC::TemplateRegistryKey::isDeletedValue):
6517 (JSC::TemplateRegistryKey::isEmptyValue):
6518 (JSC::TemplateRegistryKey::hash):
6519 (JSC::TemplateRegistryKey::rawStrings):
6520 (JSC::TemplateRegistryKey::cookedStrings):
6521 (JSC::TemplateRegistryKey::operator==):
6522 (JSC::TemplateRegistryKey::operator!=):
6523 (JSC::TemplateRegistryKey::Hasher::hash):
6524 (JSC::TemplateRegistryKey::Hasher::equal):
6525 (JSC::TemplateRegistryKey::TemplateRegistryKey):
6526 * runtime/VM.cpp:
6527 (JSC::VM::VM):
6528 * runtime/VM.h:
6529 * tests/stress/tagged-templates-identity.js: Added.
6530 (shouldBe):
6531 * tests/stress/tagged-templates-raw-strings.js: Added.
6532 (shouldBe):
6533 (tag):
6534 (testEval):
6535 * tests/stress/tagged-templates-syntax.js: Added.
6536 (tag):
6537 (testSyntax):
6538 (testSyntaxError):
6539 * tests/stress/tagged-templates-template-object.js: Added.
6540 (shouldBe):
6541 (tag):
6542 * tests/stress/tagged-templates-this.js: Added.
6543 (shouldBe):
6544 (tag):
6545 * tests/stress/tagged-templates.js: Added.
6546 (shouldBe):
6547 (raw):
6548 (cooked):
6549 (Counter):
6550
2015-05-13  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION(r180595): same-callee profiling no longer works
        https://bugs.webkit.org/show_bug.cgi?id=144787

        Reviewed by Filip Pizlo.

        This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is
        always the same JSFunction. This condition doesn't hold when the byte code creates multiple
        JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y();

        To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly
        added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying
        our speculation that the callee is the same. To avoid recompiling the same code for different callee
        objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in
        LLint and baseline JIT when multiple callees are observed.

        Tests: stress/create-this-with-callee-variants.js

        * bytecode/BytecodeList.json: Increased the number of operands to 5.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache.
        (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that
        we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added
        operand.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to
        match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked
        as seenMultipleCalleeObjects() to indicate the polymorphic behavior and/or we've OSR exited here.
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this): Ditto.
        (JSC::JIT::emitSlow_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        (_llint_op_create_this): Ditto.
        * llint/LowLevelInterpreter64.asm:
        (_llint_op_create_this): Ditto.
        * runtime/CommonSlowPaths.cpp:
        (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has
        been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects().
        * runtime/JSCell.h:
        (JSC::JSCell::seenMultipleCalleeObjects): Added.
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it.
        * tests/stress/create-this-with-callee-variants.js: Added.

2015-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        Clean up some possible RefPtr to PassRefPtr churn
        https://bugs.webkit.org/show_bug.cgi?id=144779

        Reviewed by Darin Adler.

        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/TypedArrayBase.h:
        (JSC::TypedArrayBase::create):
        (JSC::TypedArrayBase::createUninitialized):
        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):
        Release the last use of a RefPtr as it is passed on.

2015-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Allow duplicate property names
        https://bugs.webkit.org/show_bug.cgi?id=142895

        Reviewed by Geoffrey Garen.

        Introduce new `op_put_getter_by_id` and `op_put_setter_by_id` opcodes
        that will define a single getter or setter property on an object.

        The existing `op_put_getter_setter` opcode is still preferred for
        putting both a getter and setter at the same time but cannot be used
        for putting an individual getter or setter which is needed in
        some cases.

        Add a new slow path when generating bytecodes for a property list
        with computed properties, as computed properties are the only time
        the list of properties cannot be determined statically.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        - fast path for all constant properties
        - slow but paired getter/setter path if there are no computed properties
        - slow path, individual put operation for every property, if there are computed properties

        * parser/Nodes.h:
        Distinguish a Computed property from a Constant property.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        Distinguish Computed and Constant properties.

        (JSC::Parser<LexerType>::parseObjectLiteral):
        When we drop into strict mode it is because we saw a getter
        or setter, so be more explicit.

        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        Eliminate duplicate property syntax error exception.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::getName):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::getName): Deleted.
        No longer used.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        When updating a property, if the Accessor attribute changed,
        update the Structure.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putGetter):
        (JSC::JSObject::putSetter):
        Called by the opcodes, just perform the same operation that
        __defineGetter__ or __defineSetter__ would do.

        (JSC::JSObject::putDirectNonIndexAccessor):
        This transition is now handled in putDirectInternal.

        * runtime/Structure.h:
        Add needed export.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutGetterById):
        (JSC::BytecodeGenerator::emitPutSetterById):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_getter_by_id):
        (JSC::JIT::emit_op_put_setter_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_getter_by_id):
        (JSC::JIT::emit_op_put_setter_by_id):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        New bytecodes. Modelled after existing op_put_getter_setter.

2015-05-13  Filip Pizlo  <fpizlo@apple.com>

        Creating a new blank document in icloud pages causes an AI error: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
        https://bugs.webkit.org/show_bug.cgi?id=144856

        Reviewed by Benjamin Poulain.

        First I made fixTypeForRepresentation() print out better diagnostics when it dies.

        Then I fixed the bug: Node::convertToIdentityOn(Node*) needs to make sure that when it
        converts to a representation-changing node, it needs to use one of the UseKinds that such
        a node expects. For example, DoubleRep(UntypedUse:) doesn't make sense; it needs to be
        something like DoubleRep(NumberUse:) since it will speculate that the input is a number.

        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentityOn):
        * tests/stress/cloned-arguments-get-by-val-double-array.js: Added.
        (foo):

2015-05-13  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r184313.
        https://bugs.webkit.org/show_bug.cgi?id=144974

        Introduced an assertion failure in class-syntax-
        declaration.js, class-syntax-expression.js, and object-
        literal-syntax.js (Requested by rniwa on #webkit).

        Reverted changeset:

        "Small refactoring before ES6 Arrow function implementation."
        https://bugs.webkit.org/show_bug.cgi?id=144954
        http://trac.webkit.org/changeset/184313

2015-05-13  Oliver Hunt  <oliver@apple.com>

        Ensure that all the smart pointer types in WTF clear their pointer before deref
        https://bugs.webkit.org/show_bug.cgi?id=143789

        Reviewed by Ryosuke Niwa.

        One of the simpler cases of this in JavaScriptCore. There
        are other cases where we need to guard the derefs but they
        are more complex cases.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::releaseImpl):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::releaseImpl):

2015-05-13  Alexandr Skachkov  <gskachkov@gmail.com>

        Small refactoring before ES6 Arrow function implementation.
        https://bugs.webkit.org/show_bug.cgi?id=144954

        Reviewed by Filip Pizlo.

        * parser/Parser.h:
        * parser/Parser.cpp:

2015-05-13  Filip Pizlo  <fpizlo@apple.com>

        The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness
        https://bugs.webkit.org/show_bug.cgi?id=144945

        Reviewed by Michael Saboff.

        We were making the mistake of using DFG liveness for object allocation sinking decisions.
        This is wrong. In fact we almost never want to use DFG liveness directly. The only place
        where that makes sense is pruning in DFG AI.

        So, I created a CombinedLiveness class that combines the DFG liveness with bytecode
        liveness.

        In the process of doing this, I realized that the DFGForAllKills definition of combined
        liveness at block tail was not strictly right; it was using the bytecode liveness at the
        block terminal instead of the union of the bytecode live-at-heads of successor blocks. So,
        I changed DFGForAllKills to work in terms of CombinedLiveness.

        This allows me to unskip the test I added in r184260. I also added a new test that tries to
        trigger this bug more directly.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGCombinedLiveness.cpp: Added.
        (JSC::DFG::liveNodesAtHead):
        (JSC::DFG::CombinedLiveness::CombinedLiveness):
        * dfg/DFGCombinedLiveness.h: Added.
        (JSC::DFG::CombinedLiveness::CombinedLiveness):
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKillsInBlock):
        (JSC::DFG::forAllLiveNodesAtTail): Deleted.
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        * tests/stress/escape-object-in-diamond-then-exit.js: Added.
        * tests/stress/sink-object-past-invalid-check-sneaky.js:

2015-05-13  Ryosuke Niwa  <rniwa@webkit.org>

        I skipped a wrong test in r184270. Fix that.
        The failure is tracked by webkit.org/b/144947.

        * tests/stress/arith-modulo-node-behaviors.js:
        * tests/stress/arith-mul-with-constants.js:

2015-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        Avoid always running some debug code in type profiling
        https://bugs.webkit.org/show_bug.cgi?id=144775

        Reviewed by Daniel Bates.

        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):

2015-05-13  Joseph Pecoraro  <pecoraro@apple.com>

        Pass String as reference in more places
        https://bugs.webkit.org/show_bug.cgi?id=144769

        Reviewed by Daniel Bates.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        * parser/Parser.h:
        (JSC::Parser::setErrorMessage):
        (JSC::Parser::updateErrorWithNameAndMessage):
        * parser/ParserError.h:
        (JSC::ParserError::ParserError):
        * runtime/RegExp.cpp:
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSourceInternal):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h:
        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):
        * inspector/scripts/codegen/generate_objc_conversion_helpers.py:
        (ObjCConversionHelpersGenerator._generate_enum_from_protocol_string):

        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        Rebaseline tests after updating the generator.

2015-05-13  Michael Saboff  <msaboff@apple.com>

        com.apple.WebKit.WebContent crashed at JavaScriptCore: JSC::CodeBlock::finalizeUnconditionally
        https://bugs.webkit.org/show_bug.cgi?id=144933

        Changed the RELEASE_ASSERT_NOT_REACHED into an ASSERT. Added some diagnostic messages to
        help determine the cause for any crash.

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2015-05-13  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase
        https://bugs.webkit.org/show_bug.cgi?id=144951

        Reviewed by Michael Saboff.

        There were two issues here:

        - In r184260 we expected a small number of possible use kinds in Check nodes, and
        UntypedUse was not one of them. That seemed like a sensible assumption because we don't
        create Check nodes unless it's to have a check. But, SSAConversionPhase was creating a
        Check that could have UntypedUse. I fixed this. It's cleaner for SSAConversionPhase to
        follow the same idiom as everyone else and not create tautological checks.

        - It's clearly not very robust to assume that Checks will not be used tautologically. So,
        this changes how we validate Checks in the escape analyses. We now use willHaveCheck,
        which catches cases that AI would have already marked as unnecessary. It then also uses
        a new helper called alreadyChecked(), which allows us to just ask if the check is
        unnecessary for objects. That's a good fall-back in case AI hadn't run yet.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGMayExit.cpp:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGUseKind.h:
        (JSC::DFG::alreadyChecked):
        * dfg/DFGVarargsForwardingPhase.cpp:

2015-05-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement String.raw
        https://bugs.webkit.org/show_bug.cgi?id=144330

        Reviewed by Filip Pizlo.

        Implement String.raw. It is intended to be used with tagged-templates syntax.
        To implement ToString abstract operation efficiently,
        we introduce @toString bytecode intrinsic. It emits op_to_string directly.

        * CMakeLists.txt:
        * builtins/StringConstructor.js: Added.
        (raw):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
        * runtime/CommonIdentifiers.h:
        * runtime/StringConstructor.cpp:
        * tests/stress/string-raw.js: Added.
        (shouldBe):
        (.get shouldBe):
        (Counter):

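The following is an added example, not code from this ChangeLog or from JavaScriptCore, illustrating the observable behaviour described by the String.raw entry above and the tagged templates entry earlier in this log: what a tag function receives (frozen template object, cooked and raw strings), that one call site yields the same template object on every evaluation, and that String.raw is just such a tag. The helper names (`inspectTemplate` and the others) are made up here; the checks assert only what holds both under the ES2015 realm-wide cache keyed by raw strings and under later editions' per-call-site cache.

```javascript
"use strict";

// Constructed tag function: records everything the engine passes in.
// `strings` is the template object (cached and frozen), `strings.raw`
// holds the raw strings, and the rest parameter holds the substitutions.
function inspectTemplate(strings, ...substitutions) {
  return {
    object: strings,
    cooked: Array.from(strings),
    raw: Array.from(strings.raw),
    substitutions,
    frozen: Object.isFrozen(strings) && Object.isFrozen(strings.raw),
  };
}

// One call site evaluated repeatedly: the same template object comes back
// each time, so a tag may use it as a cache key for per-site work
// (for example, parsing the static parts of a query once).
function templateObjectFor(value) {
  return inspectTemplate`value=${value}`.object;
}

function sameObjectAcrossEvaluations() {
  return templateObjectFor(1) === templateObjectFor(2); // true
}

// Raw and cooked views of one literal: "\n" is one character cooked and
// two characters (backslash, n) raw.
function rawVersusCooked() {
  const r = inspectTemplate`line\nbreak`;
  return {
    cookedLength: r.cooked[0].length,           // 10
    rawLength: r.raw[0].length,                 // 11
    rawHasBackslash: r.raw[0].includes("\\"),   // true
    cookedHasNewline: r.cooked[0].includes("\n"), // true
  };
}

// The template object is frozen, so a tag cannot attach properties to it:
// the assignment throws under strict mode and is silently ignored otherwise.
function templateObjectIsImmutable() {
  const r = inspectTemplate`immutable`;
  let attachFailed = false;
  try {
    r.object.marker = "x";
    attachFailed = r.object.marker === undefined;
  } catch (e) {
    attachFailed = e instanceof TypeError;
  }
  return r.frozen && attachFailed && Object.isFrozen(r.object.raw);
}

// String.raw is a tag whose result is the raw strings interleaved with the
// substitutions; a hand-written tag over `raw` produces the same string.
function stringRawKeepsBackslashes(suffix) {
  const viaStringRaw = String.raw`\d+${suffix}`;
  const r = inspectTemplate`\d+${suffix}`;
  const viaOwnTag = r.raw.reduce(
    (acc, s, i) => acc + (i ? String(r.substitutions[i - 1]) : "") + s,
    ""
  );
  return { viaStringRaw, viaOwnTag, equal: viaStringRaw === viaOwnTag };
}
```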
2015-05-12  Ryosuke Niwa  <rniwa@webkit.org>

        Temporarily disable the test on Windows. The failure is tracked in webkit.org/b/144897.

        * tests/stress/arith-mul-with-constants.js:

2015-05-12  Filip Pizlo  <fpizlo@apple.com>

        js/dom/stack-trace.html fails with eager compilation
        https://bugs.webkit.org/show_bug.cgi?id=144853

        Reviewed by Benjamin Poulain.

        All of our escape analyses were mishandling Check(). They were assuming that this is a
        non-escaping operation. But, if we do for example a Check(Int32:@x) and @x is an escape
        candidate, then we need to do something: if we eliminate or sink @x, then the check no
        longer makes any sense since a phantom allocation has no type. This will make us forget
        that this operation would have exited. This was causing us to not call a valueOf method in
        js/dom/stack-trace.html with eager compilation enabled, because it was doing something like
        +o where o had a valueOf method, and o was otherwise sinkable.

        This changes our escape analyses to basically pretend that any Check() that isn't obviously
        unnecessary is an escape. We don't have to be super careful here. Most checks will be
        completely eliminated by constant-folding. If that doesn't run in time, then the most
        common check we will see is CellUse. So, we just recognize some very obvious check kinds
        that we know would have passed, and for all of the rest we just assume that it's an escape.

        This was super tricky to test. The obvious way to test it is to use +o like
        stack-trace.html, except that doing so relies on the fact that we still haven't implemented
        the optimal behavior for op_to_number. So, I take four approaches in testing this patch:

        1) Use +o. These will test what we want it to test for now, but at some point in the future
        these tests will just be a good sanity-check that our op_to_number implementation is
        right.

        2) Do fancy control flow tricks to fool the profiling into thinking that some arithmetic
        operation always sees integers even though we eventually feed it an object and that
        object is a sink candidate.

        3) Introduce a new jsc.cpp intrinsic called isInt32() which returns true if the incoming
        value is an int32. This intrinsic is required to be implemented by DFG by
        unconditionally speculating that the input is int32. This allows us to write much more
        targeted tests of the underlying issue.

        4) I made a version of stack-trace.html that runs in run-jsc-stress-tests, so that we can
        get regression test coverage of this test in eager mode.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionIsInt32):
        * runtime/Intrinsic.h:
        * tests/stress/sink-arguments-past-invalid-check-dfg.js: Added.
        * tests/stress/sink-arguments-past-invalid-check-int32-dfg.js: Added.
        * tests/stress/sink-arguments-past-invalid-check-int32.js: Added.
        * tests/stress/sink-arguments-past-invalid-check-sneakier.js: Added.
        * tests/stress/sink-arguments-past-invalid-check.js: Added.
        * tests/stress/sink-function-past-invalid-check-sneakier.js: Added.
        * tests/stress/sink-function-past-invalid-check-sneaky.js: Added.
        * tests/stress/sink-object-past-invalid-check-int32.js: Added.
        * tests/stress/sink-object-past-invalid-check-sneakier.js: Added.
        * tests/stress/sink-object-past-invalid-check-sneaky.js: Added.
        * tests/stress/sink-object-past-invalid-check.js: Added.

2015-05-12  Benjamin Poulain  <benjamin@webkit.org>

        Fix the iteration count of arith-modulo-node-behaviors.js

        * tests/stress/arith-modulo-node-behaviors.js:
        No need for big numbers for the real testing.

2015-05-12  Mark Lam  <mark.lam@apple.com>

        Windows: Cannot use HANDLE from GetCurrentThread() to get the CONTEXT of another thread.
        https://bugs.webkit.org/show_bug.cgi?id=144924

        Reviewed by Alex Christensen.

        The present stack scanning code in the Windows port is expecting that the
7044 GetCurrentThread() API will provide a unique HANDLE for each thread. The code
7045 then saves and later uses that HANDLE with GetThreadContext() to get the
7046 runtime state of the target thread from the GC thread. According to
7047 https://msdn.microsoft.com/en-us/library/windows/desktop/ms683182(v=vs.85).aspx,
7048 GetCurrentThread() does not provide this unique HANDLE that we expect:
7049
7050 "The function cannot be used by one thread to create a handle that can
7051 be used by other threads to refer to the first thread. The handle is
7052 always interpreted as referring to the thread that is using it. A
7053 thread can create a "real" handle to itself that can be used by other
7054 threads, or inherited by other processes, by specifying the pseudo
7055 handle as the source handle in a call to the DuplicateHandle function."
7056
7057 As a result of this, GetCurrentThread() always returns the same HANDLE value, and
7058 we end up never scanning the stacks of other threads because we wrongly think that
7059 they are all equal (in identity) to the scanning thread. This, in turn, results
7060 in crashes due to objects that are incorrectly collected.
7061
7062 The fix is to call DuplicateHandle() to create a HANDLE that we can use. The
7063 MachineThreads::Thread class already accurately tracks the period of time when
7064 we need that HANDLE for the VM. Hence, the life-cycle of the HANDLE can be tied
7065 to the life-cycle of the MachineThreads::Thread object for the corresponding thread.
7066
7067 * heap/MachineStackMarker.cpp:
7068 (JSC::getCurrentPlatformThread):
7069 (JSC::MachineThreads::Thread::Thread):
7070 (JSC::MachineThreads::Thread::~Thread):
7071 (JSC::MachineThreads::Thread::suspend):
7072 (JSC::MachineThreads::Thread::resume):
7073 (JSC::MachineThreads::Thread::getRegisters):
7074
70752015-05-12 Benjamin Poulain <bpoulain@apple.com>
7076
7077 [JSC] Make the NegZero backward propagated flags of ArithMod stricter
7078 https://bugs.webkit.org/show_bug.cgi?id=144897
7079
7080 Reviewed by Geoffrey Garen.
7081
7082 The NegZero flags of ArithMod were the same as ArithDiv: both children were
7083 marked as needing to handle NegativeZero.
7084
7085 Lucky for us, ArithMod is quite a bit different than ArithDiv.
7086
7087 First, the sign of the result is completely independent from
7088 the sign of the divisor. A zero on the divisor always produces a NaN.
7089 That's great, we can remove the NodeBytecodeNeedsNegZero
7090 from the flags propagated to child2.
7091
7092 Second, the sign of the result is always the same as the sign of
7093 the dividend. A dividend of zero produces a zero of same sign
7094 unless the divisor is zero (in which case the result is NaN).
7095 This is great too: we can just pass the flags we got into
7096 ArithMod.
7097
7098 With those two out of the way, we can make a faster version of ArithRound
7099 for Kraken's oscillator. Since we no longer care about negative zero,
7100 rounding becomes cast<int32>(value + 0.5). This gives ~3% faster runtime
7101 on the benchmark.
7102
7103 Unfortunatelly, most of the time is spent in FTL and the same optimization
7104 does not apply well just yet: rdar://problem/20904149.
7105
7106 * dfg/DFGBackwardsPropagationPhase.cpp:
7107 (JSC::DFG::BackwardsPropagationPhase::propagate):
7108 Never add NodeBytecodeNeedsNegZero unless needed by the users of this node.
7109
7110 * dfg/DFGSpeculativeJIT.cpp:
7111 (JSC::DFG::SpeculativeJIT::compileArithRound):
7112 Faster Math.round() when negative zero is not important.
7113
7114 * tests/stress/arith-modulo-node-behaviors.js: Added.
7115 (moduloWithNegativeZeroDividend):
7116 (moduloWithUnusedNegativeZeroDividend):
7117 (moduloWithNegativeZeroDivisor):
7118
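The backwards propagation rule the entry describes, as an added example that is not part of the ChangeLog or of the JSC sources: a miniature NegZero flag propagation over a small expression graph (ArithMod passes the requirement to the dividend only, ArithDiv to both operands), plus a check of the underlying sign rules against real JS `%` semantics. Node shapes, op names and `BACKWARD_RULES` are this example's own, not the DFG's.

```javascript
// Added example, not from WebKit or JSC: a toy backwards propagation of a
// NeedsNegZero flag. Names and node shapes are this example's own.
const NeedsNegZero = 1 << 0;

// For each op: given the flags required of the node's own result, the flags
// each child must satisfy. Index k corresponds to children[k].
const BACKWARD_RULES = {
  Argument:   () => [],
  Constant:   () => [],
  // 1/x observes -0 (it yields -Infinity), so the operand must preserve it.
  Reciprocal: () => [NeedsNegZero],
  // x | 0 folds -0 to +0, so the operand never needs to preserve it.
  BitOr:      () => [0, 0],
  // Quotient sign depends on both operands: both inherit the requirement.
  ArithDiv:   (f) => [f & NeedsNegZero, f & NeedsNegZero],
  // Remainder sign follows the dividend only; a zero divisor yields NaN, never
  // a signed zero, so child2 never needs the flag (the entry's stricter rule).
  ArithMod:   (f) => [f & NeedsNegZero, 0],
  ArithRound: (f) => [f & NeedsNegZero],
};

// nodes must be in topological order (children before users), so a reverse
// walk sees every user of a node before the node itself.
function propagateBackwards(nodes) {
  for (let i = nodes.length - 1; i >= 0; i--) {
    const node = nodes[i];
    const childFlags = BACKWARD_RULES[node.op](node.flags);
    node.children.forEach((childIndex, k) => {
      nodes[childIndex].flags |= childFlags[k];
    });
  }
  return nodes;
}

// The cheaper rounding sequence is only valid when nothing downstream can
// observe a negative zero coming out of this node.
function canUseFastRound(node) {
  return node.op === "ArithRound" && (node.flags & NeedsNegZero) === 0;
}

// Cross-check of the ArithMod rule against actual JS semantics: the observed
// sign of dividend % divisor, with signed zeros kept distinct.
function modResultSign(dividend, divisor) {
  const r = dividend % divisor;
  if (Number.isNaN(r)) return "NaN";
  if (r > 0) return "+";
  if (r < 0) return "-";
  return Object.is(r, -0) ? "-0" : "+0";
}

function node(op, children = []) {
  return { op, children, flags: 0 };
}

// Constructed graphs: (a % b) feeding 1/x, Math.round(x) feeding x | 0,
// and Math.round(x) feeding 1/x.
function modFeedingReciprocal() {
  return propagateBackwards([
    node("Argument"), node("Argument"),
    node("ArithMod", [0, 1]), node("Reciprocal", [2]),
  ]);
}

function roundFeedingBitOr() {
  return propagateBackwards([
    node("Argument"), node("Constant"),
    node("ArithRound", [0]), node("BitOr", [2, 1]),
  ]);
}

function roundFeedingReciprocal() {
  return propagateBackwards([
    node("Argument"), node("ArithRound", [0]), node("Reciprocal", [1]),
  ]);
}
```
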
2015-05-12  Mark Lam  <mark.lam@apple.com>

        Refactor MachineStackMarker.cpp so that it's easier to reason about MachineThreads::Thread.
        https://bugs.webkit.org/show_bug.cgi?id=144925

        Reviewed by Michael Saboff.

        Currently, the code in MachineStackMarker.cpp is written as a bunch of functions that
        operate on the platformThread value in the MachineThreads::Thread struct. Instead, we
        can apply better OO encapsulation and convert all these functions into methods of the
        MachineThreads::Thread struct.

        This will also make it easier to reason about the fix for
        https://bugs.webkit.org/show_bug.cgi?id=144924 later.

        * heap/MachineStackMarker.cpp:
        (JSC::getCurrentPlatformThread):
        (JSC::MachineThreads::Thread::createForCurrentThread):
        (JSC::MachineThreads::Thread::operator!=):
        (JSC::MachineThreads::Thread::operator==):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThreadIfFound):
        (JSC::MachineThreads::Thread::suspend):
        (JSC::MachineThreads::Thread::resume):
        (JSC::MachineThreads::Thread::getRegisters):
        (JSC::MachineThreads::Thread::Registers::stackPointer):
        (JSC::MachineThreads::Thread::freeRegisters):
        (JSC::MachineThreads::Thread::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::equalThread): Deleted.
        (JSC::suspendThread): Deleted.
        (JSC::resumeThread): Deleted.
        (JSC::getPlatformThreadRegisters): Deleted.
        (JSC::otherThreadStackPointer): Deleted.
        (JSC::freePlatformThreadRegisters): Deleted.
        (JSC::otherThreadStack): Deleted.

2015-05-12  Ryosuke Niwa  <rniwa@webkit.org>

        Array.slice should have a fast path like Array.splice
        https://bugs.webkit.org/show_bug.cgi?id=144901

        Reviewed by Geoffrey Garen.

        Add a fast memcpy path to Array.prototype.slice as done for Array.prototype.splice.
        In Kraken, this appears to be a 30% win on stanford-crypto-ccm and a 10% win on stanford-crypto-pbkdf2.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSlice):
        * runtime/JSArray.cpp:
        (JSC::JSArray::fastSlice): Added.
        * runtime/JSArray.h:

2015-05-11  Filip Pizlo  <fpizlo@apple.com>

        OSR availability analysis would be more scalable (and correct) if it did more liveness pruning
        https://bugs.webkit.org/show_bug.cgi?id=143078

        Reviewed by Andreas Kling.

        In https://bugs.webkit.org/show_bug.cgi?id=144883, we found an example of where liveness
        pruning is actually necessary. Well, not quite: we just need to prune out keys from the
        heap availability map where the base node doesn't dominate the point where we are asking
        for availability. If we don't do this, then eventually the IR gets corrupt because we'll
        insert PutHints that reference the base node in places where the base node doesn't
        dominate. But if we're going to do any pruning, then it makes sense to prune by bytecode
        liveness. This is the strongest possible pruning we can do, and it should be sound. We
        shouldn't have a node available for a virtual register if that register is live and the
        node doesn't dominate.

        Making this work meant reusing the prune-to-liveness algorithm from the FTL backend. So, I
        abstracted this a bit better. You can now availabilityMap.pruneByLiveness(graph, origin).

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneHeap):
        (JSC::DFG::AvailabilityMap::pruneByLiveness):
        (JSC::DFG::AvailabilityMap::prune): Deleted.
        * dfg/DFGAvailabilityMap.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        * tests/stress/liveness-pruning-needed-for-osr-availability.js: Added. This is a proper regression test.
        * tests/stress/liveness-pruning-needed-for-osr-availability-eager.js: Added. This is the original reduced test case, requires eager-no-cjit to fail prior to this changeset.

2015-05-12  Gabor Loki  <loki@webkit.org>

        Workaround for Cortex-A53 erratum 843419
        https://bugs.webkit.org/show_bug.cgi?id=144680

        Reviewed by Michael Saboff.

        This patch gives a simple workaround for Cortex-A53 erratum 843419.
        It inserts nops after ADRP instruction to avoid wrong address accesses.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::adrp):
        (JSC::ARM64Assembler::nopCortexA53Fix843419):

2015-05-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r184009.
        https://bugs.webkit.org/show_bug.cgi?id=144900

        Caused crashes on inspector tests (Requested by ap on
        #webkit).

        Reverted changeset:

        "MapDataImpl::add() shouldn't do the same hash lookup twice."
        https://bugs.webkit.org/show_bug.cgi?id=144759
        http://trac.webkit.org/changeset/184009

2015-05-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r184123.
        https://bugs.webkit.org/show_bug.cgi?id=144899

        Seems to have introduced flaky crashes in many JS tests
        (Requested by rniwa on #webkit).

        Reverted changeset:

        "REGRESSION(r180595): same-callee profiling no longer works"
        https://bugs.webkit.org/show_bug.cgi?id=144787
        http://trac.webkit.org/changeset/184123

2015-05-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Move Windows build target to Windows 7 (or newer)
        https://bugs.webkit.org/show_bug.cgi?id=144890
        <rdar://problem/20707307>

        Reviewed by Anders Carlsson.

        Update linked SDK and minimal Windows level to be compatible with
        Windows 7 or newer.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
        * config.h:

2015-05-08  Filip Pizlo  <fpizlo@apple.com>

        CPS rethreading phase's flush detector flushes way too many SetLocals
        https://bugs.webkit.org/show_bug.cgi?id=144819

        Reviewed by Geoffrey Garen.

        After probably unrelated changes, this eventually caused some arguments elimination to stop
        working because it would cause more SetLocals to turn into PutStacks. But it was a bug for
        a long time. Basically, we don't want the children of a SetLocal to be flushed. Flushing is
        meant to only affect the SetLocal itself.

        This is a speed-up on Octane/earley.

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):

2015-05-11  Filip Pizlo  <fpizlo@apple.com>

        gmail and google maps fail to load with eager compilation: Failed to insert inline cache for varargs call (specifically, CallForwardVarargs) because we thought the size would be 250 but it ended up being 262 prior to compaction.
        https://bugs.webkit.org/show_bug.cgi?id=144854

        Reviewed by Oliver Hunt.

        This is easy: just lift the threshold. Also remove the need for some duplicate thresholds.
        It used to be that Construct required less code, but that's not the case for now.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):

2015-05-11  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION(r180595): same-callee profiling no longer works
        https://bugs.webkit.org/show_bug.cgi?id=144787

        Reviewed by Michael Saboff.

        This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is
        always the same JSFunction. This condition doesn't hold when the byte code creates multiple
        JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y();

        To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly
        added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying
        our speculation that the callee is the same. To avoid recompiling the same code for different callee
        objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in
        LLint and baseline JIT when multiple callees are observed.

        Tests: stress/create-this-with-callee-variants.js

        * bytecode/BytecodeList.json: Increased the number of operands to 5.
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): op_create_this uses 2nd (constructor) and 4th (callee cache)
        operands.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache.
        (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that
        we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added
        operand.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to
        match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked
        as seenMultipleCalleeObjects() to indicate the polymorphic behavior.
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this): Ditto.
        (JSC::JIT::emitSlow_op_create_this):
        * llint/LowLevelInterpreter32_64.asm:
        (_llint_op_create_this): Ditto.
        * llint/LowLevelInterpreter64.asm:
        (_llint_op_create_this): Ditto.
        * runtime/CommonSlowPaths.cpp:
        (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has
        been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects().
        * runtime/JSCell.h:
        (JSC::JSCell::seenMultipleCalleeObjects): Added.
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it.
        * tests/stress/create-this-with-callee-variants.js: Added.

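The callee-cache protocol that slow_path_create_this follows, as an added example that is not part of the ChangeLog or of the JSC sources: a model of one op_create_this site whose cache starts empty, records the first callee, and is poisoned to a "seen multiple callees" marker on the first mismatch, run against both the monomorphic case and the entry's `function y() { return function () {} }` case. `CreateThisSite`, `SEEN_MULTIPLE` and the driver functions are this example's own names.

```javascript
// Added example, not from WebKit or JSC: a model of the op_create_this
// callee cache. Names are this example's own.
const SEEN_MULTIPLE = Symbol("seenMultipleCalleeObjects");

class CreateThisSite {
  constructor() {
    this.cachedCallee = null; // empty cache: nothing observed yet
  }

  // Slow-path logic, as the entry describes it: set the cache on first use,
  // poison it as soon as a different callee reaches the same site. Once
  // poisoned it stays poisoned, even if the original callee shows up again.
  observe(callee) {
    if (this.cachedCallee === null) this.cachedCallee = callee;
    else if (this.cachedCallee !== callee) this.cachedCallee = SEEN_MULTIPLE;
    return this.cachedCallee;
  }

  // The DFG may only bake the cached callee's structure into a NewObject when
  // exactly one JSFunction has ever been constructed through this site.
  canSpeculateSingleCallee() {
    return this.cachedCallee !== null && this.cachedCallee !== SEEN_MULTIPLE;
  }
}

// Monomorphic: the same function object is constructed on every iteration.
// observe() stands in for the op_create_this executed inside the constructor.
function Point(x) {
  this.x = x;
}

function runMonomorphic(iterations) {
  const site = new CreateThisSite();
  for (let i = 0; i < iterations; i++) {
    site.observe(Point);
    new Point(i);
  }
  return site;
}

// Polymorphic, as in the entry: every y() call creates a fresh closure, so a
// different callee reaches the same bytecode site on each `new`.
function y() {
  return function () {};
}

function runPolymorphic(iterations) {
  const site = new CreateThisSite();
  for (let i = 0; i < iterations; i++) {
    const F = y();
    site.observe(F);
    new F();
  }
  return site;
}
```
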
2015-05-11  Andreas Kling  <akling@apple.com>

        PropertyNameArray should use a Vector when there are few entries.
        <https://webkit.org/b/144874>

        Reviewed by Geoffrey Garen.

        Bring back an optimization that was lost in the for-in refactoring.
        PropertyNameArray now holds a Vector<AtomicStringImpl*> until there are
        enough (20) entries to justify converting to a HashSet for contains().

        Also inlined the code while we're here, since it has so few clients and
        the call overhead adds up.

        ~5% progression on Kraken/json-stringify-tinderbox.

        * runtime/PropertyNameArray.cpp: Removed.
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::addKnownUnique):

2015-05-11  Matt Baker  <mattbaker@apple.com>

        Web Inspector: REGRESSION (r175203): No profile information is shown in Inspector
        https://bugs.webkit.org/show_bug.cgi?id=144808

        Reviewed by Darin Adler.

        Since a profile can be started after a timeline recording has already begun, we can't assume a zero start time.
        The start time for the root node's call entry should be based on the stopwatch used by the ProfileGenerator.

        * profiler/Profile.cpp:
        (JSC::Profile::create):
        (JSC::Profile::Profile):
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::operator()):

2015-05-11  Basile Clement  <basile_clement@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2015-05-11  Filip Pizlo  <fpizlo@apple.com>

        Make it easy to enable eager/non-concurrent JIT compilation
        https://bugs.webkit.org/show_bug.cgi?id=144877

        Reviewed by Michael Saboff.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2015-05-10  Filip Pizlo  <fpizlo@apple.com>

        We shouldn't promote LoadVarargs to a sequence of GetStacks and PutStacks if doing so would exceed the LoadVarargs' limit
        https://bugs.webkit.org/show_bug.cgi?id=144851

        Reviewed by Michael Saboff.

        LoadVarargs loads arguments from some object and puts them on the stack. The region of
        stack is controlled by a bunch of meta-data, including InlineCallFrame. InlineCallFrame
        shouldn't really be edited after ByteCodeParser, so we cannot convert LoadVarargs to
        something that uses more stack than the LoadVarargs wanted to.

        This check was missing in the ArgumentsEliminationPhase's LoadVarargs->GetStack+PutStack
        promoter. This is an important promotion rule for performance, and in cases where we are
        compiling truly hot code, the LoadVarargs limit will be at least as big as the length of
        the phantom arguments array that this phase sees. The LoadVarargs limit is based on
        profiling and the phantom arguments array is a proof; in most cases the profiling is more
        conservative.

        But, you could write some crazy code where the statically obvious arguments array value is
        bigger than what the profiling would have told you. When this happens, this promotion
        effectively removes a bounds check. This either results in us clobbering a bunch of stack,
        or it means that we never initialize a region of the stack that a later operation will read
        (the uninitialization happens because PutStackSinkingPhase removes PutStacks that appear
        unnecessary, and a GetMyArgumentByVal will claim not to use the region of the stack outside
        the original LoadVarargs limit).

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * tests/stress/load-varargs-elimination-bounds-check-barely.js: Added.
        (foo):
        (bar):
        (baz):
        * tests/stress/load-varargs-elimination-bounds-check.js: Added.
        (foo):
        (bar):
        (baz):

2015-05-11  Andreas Kling  <akling@apple.com>

        JSON.stringify shouldn't use generic get() to access Array.length
        <https://webkit.org/b/144847>

        Reviewed by Geoffrey Garen.

        If the value being serialized is a JSArray object, we can downcast and call its
        length() directly instead of doing a generic property lookup.

        0.5% progression on Kraken/json-stringify-tinderbox.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):

2015-05-10  Andreas Kling  <akling@apple.com>

        Remove unnecessary AtomicStringImpl* hash specification in PropertyNameArray.

        Follow up to r184050 suggested by Darin.

        * runtime/PropertyNameArray.h:

2015-05-10  Andreas Kling  <akling@apple.com>

        Remove unused things from PropertyNameArray.
        <https://webkit.org/b/144834>

        Reviewed by Filip Pizlo.

        PropertyNameArray had a bunch of bells and whistles added to it when for-in iteration
        was refactored and optimized last year. Then more refactoring happened and this class
        doesn't need to ring and toot anymore.

        The RefCountedIdentifierSet class disappears since the JSPropertyNameEnumerator wasn't
        actually using it for anything and we were just wasting time creating these.

        Also made the member functions take AtomicStringImpl* instead of plain StringImpl*.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties): Deleted.
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::add):
        (JSC::PropertyNameArray::addKnownUnique):
        (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
        (JSC::RefCountedIdentifierSet::contains): Deleted.
        (JSC::RefCountedIdentifierSet::size): Deleted.
        (JSC::RefCountedIdentifierSet::add): Deleted.
        (JSC::PropertyNameArray::identifierSet): Deleted.
        (JSC::PropertyNameArray::numCacheableSlots): Deleted.
        (JSC::PropertyNameArray::setNumCacheableSlotsForObject): Deleted.
        (JSC::PropertyNameArray::setBaseObject): Deleted.
        (JSC::PropertyNameArray::setPreviouslyEnumeratedLength): Deleted.

2015-05-09  Yoav Weiss  <yoav@yoav.ws>

        Remove the PICTURE_SIZES build flag
        https://bugs.webkit.org/show_bug.cgi?id=144679

        Reviewed by Benjamin Poulain.

        Removed the PICTURE_SIZES build time flag.

        * Configurations/FeatureDefines.xcconfig:

2015-05-08  Filip Pizlo  <fpizlo@apple.com>

        Extend the SaneChain optimization to Contiguous arrays
        https://bugs.webkit.org/show_bug.cgi?id=144664

        Reviewed by Mark Lam.

        Previously if you loaded from a hole, you'd either have to take slow path for the array
        load (which means C++ calls and prototype chain walks) or you'd exit (if you hadn't
        gathered the necessary profiling yet). But that's unnecessary if we know that the
        prototype chain is sane - i.e. has no indexed properties. Then we can just return
        Undefined for the hole.

        Making this change requires setting more watchpoints on the array prototype chain. But
        that hit a horrible bug: ArrayPrototype still uses the static lookup tables and builds
        itself up lazily. This means that this increased the number of recompilations we'd get
        due to the array prototype chain being built up.

        So, this change also removes the laziness and static tables from ArrayPrototype.

        But to make that change, I also had to add a helper for eagerly building up a prototype
        that has builtin functions.

        * CMakeLists.txt:
        * DerivedSources.make:
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::ArrayPrototype::getOwnPropertySlot): Deleted.
        * runtime/ArrayPrototype.h:
        * runtime/JSObject.h:

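Why the hole-to-undefined folding needs watchpoints on the whole prototype chain, as an added example that is not part of the ChangeLog or of the JSC sources: a hole read on a Contiguous-style array before, while and after an indexed property exists on Array.prototype, next to an `isSaneChain` check that states the "no indexed properties anywhere on the chain" condition the DFG guards. The helper names are this example's own, and the example also exercises a custom prototype, which the entry does not.

```javascript
// Added example, not from WebKit or JSC. Helper names are this example's own.

// Reads index 1 of an array literal whose index 1 is a hole (absent), not
// undefined. Per the language, a hole read continues up the prototype chain.
function readHole(array = [1, , 3]) {
  return array[1];
}

// True when an object's prototype chain is "sane": no object on it owns an
// array-index property. This is the condition the folding relies on.
function isSaneChain(obj) {
  const isArrayIndex = (key) =>
    String(key >>> 0) === key && (key >>> 0) !== 0xffffffff;
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.getOwnPropertyNames(p).some(isArrayIndex)) return false;
  }
  return true;
}

// Snapshot of (chain sanity, what the hole read yields) for a plain array.
function snapshot(array = [1, , 3]) {
  return { sane: isSaneChain(array), value: readHole(array) };
}

// Installs an indexed property on Array.prototype for the duration of one
// read, so the same hole read observes three states of the chain.
function holeReadUnderPrototypeChange() {
  const before = snapshot();
  let during;
  Object.defineProperty(Array.prototype, 1, {
    value: "from-prototype", configurable: true, writable: true,
  });
  try {
    during = snapshot();
  } finally {
    delete Array.prototype[1]; // restore global state whatever happens
  }
  const after = snapshot();
  return { before, during, after };
}

// The same effect through a custom prototype further up the chain, without
// touching Array.prototype: a chain is only sane if every link is.
function holeReadWithCustomPrototype() {
  const indexedProto = Object.create(Array.prototype, {
    1: { value: "from-custom-proto", enumerable: false },
  });
  const array = [1, , 3];
  Object.setPrototypeOf(array, indexedProto);
  return snapshot(array);
}
```
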
2015-05-08  Michael Saboff  <msaboff@apple.com>

        Creating a large MarkedBlock sometimes results in more than one cell in the block
        https://bugs.webkit.org/show_bug.cgi?id=144815

        Reviewed by Mark Lam.

        Large MarkedBlocks should have one and only one cell. Changed the calculation of
        m_endAtom for large blocks to use the location of the first cell + 1. This
        ensures that large blocks only have one cell.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):

2015-05-08  Oliver Hunt  <oliver@apple.com>

        MapDataImpl::add() shouldn't do the same hash lookup twice.
        https://bugs.webkit.org/show_bug.cgi?id=144759

        Reviewed by Gavin Barraclough.

        We don't actually need to do a double lookup here, all we need to
        do is update the index to point to the correct m_size.

        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::add):

2015-05-08  Andreas Kling  <akling@apple.com>

        Micro-optimize JSON serialization of string primitives.
        <https://webkit.org/b/144800>

        Reviewed by Sam Weinig.

        Don't use the out-of-line JSValue::getString() to grab at string primitives
        in serialization. Just check if it's a JSString and then downcast to grab at
        the WTF::String inside.

        2% progression on Kraken/json-stringify-tinderbox.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):

2015-05-08  Andreas Kling  <akling@apple.com>

        Optimize serialization of quoted JSON strings.
        <https://webkit.org/b/144754>

        Reviewed by Darin Adler.

        Optimized the serialization of quoted strings into JSON by moving the logic into
        StringBuilder so it can make smarter decisions about buffering.

        12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.)

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::toString): Use the new StringBuilder API.

        * runtime/JSONObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::appendStringToStringBuilder): Deleted.
        (JSC::appendQuotedJSONStringToBuilder): Deleted.
        (JSC::Stringifier::appendQuotedString): Deleted.
        (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic
        to StringBuilder and call that from here.

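The quoting step that this entry moves into StringBuilder, as an added example that is not part of the ChangeLog or of the JSC sources: a reference implementation that emits a JSON string literal for a JS string, copying unescaped runs in one piece the way a buffer-aware builder would, and a check of it against the engine's own JSON.stringify on constructed inputs. It assumes well-formed UTF-16 input (lone-surrogate escaping, added to the language years later, is out of scope); the helper names are this example's own.

```javascript
// Added example, not from WebKit or JSC. Names are this example's own.

// The characters with a short escape form in JSON; every other code unit
// below 0x20 is written as \u00XX, everything else is copied through.
const SHORT_ESCAPES = {
  '"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f",
  "\n": "\\n", "\r": "\\r", "\t": "\\t",
};

function escapeFor(str, i) {
  const ch = str[i];
  const short = SHORT_ESCAPES[ch];
  if (short !== undefined) return short;
  const code = str.charCodeAt(i);
  if (code < 0x20) return "\\u" + code.toString(16).padStart(4, "0");
  return null; // no escape needed
}

// Appends "<quoted str>" to builder (an array of chunks standing in for a
// StringBuilder). Unescaped runs are appended as single slices rather than
// one code unit at a time; escapes break the run.
function appendQuotedJSONString(builder, str) {
  builder.push('"');
  let runStart = 0;
  for (let i = 0; i < str.length; i++) {
    const esc = escapeFor(str, i);
    if (esc === null) continue;
    if (i > runStart) builder.push(str.slice(runStart, i));
    builder.push(esc);
    runStart = i + 1;
  }
  if (runStart < str.length) builder.push(str.slice(runStart));
  builder.push('"');
  return builder;
}

function quoteJSONString(str) {
  return appendQuotedJSONString([], str).join("");
}

// Constructed samples covering the quote and backslash cases (the ones that
// matter for injection into a JSON document), short escapes, raw control
// characters, and non-ASCII text that must pass through unescaped.
const SAMPLES = [
  "",
  "plain text",
  'say "hi"',
  "back\\slash and \\\" mixed",
  "tab\tnewline\nreturn\rbackspace\bformfeed\f",
  "\u0000\u0001\u001f\u007f",
  "\u2028\u2029 line separators stay raw",
  "caf\u00e9 \u{1F600}",
  "</script><!--",
];

// True when every sample serializes exactly as the engine's JSON.stringify.
function matchesNativeStringify(samples = SAMPLES) {
  return samples.every((s) => quoteJSONString(s) === JSON.stringify(s));
}
```
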
76332015-05-07 Commit Queue <commit-queue@webkit.org>
7634
7635 Unreviewed, rolling out r183961.
7636 https://bugs.webkit.org/show_bug.cgi?id=144784
7637
7638 Broke js/dom/JSON-stringify.html (Requested by kling on
7639 #webkit).
7640
7641 Reverted changeset:
7642
7643 "Optimize serialization of quoted JSON strings."
7644 https://bugs.webkit.org/show_bug.cgi?id=144754
7645 http://trac.webkit.org/changeset/183961
7646
76472015-05-07 Filip Pizlo <fpizlo@apple.com>
7648
7649 GC has trouble with pathologically large array allocations
7650 https://bugs.webkit.org/show_bug.cgi?id=144609
7651
7652 Reviewed by Geoffrey Garen.
7653
7654 The bug was that SlotVisitor::copyLater() would return early for oversize blocks (right
7655 after pinning them), and would skip the accounting. The GC calculates the size of the heap
7656 in tandem with the scan to save time, and that accounting was part of how the GC would
7657 know how big the heap was. The GC would then think that oversize copied blocks use no
7658 memory, and would then mess up its scheduling of the next GC.
7659
7660 Fixing this bug is harder than it seems. When running an eden GC, we figure out the heap
7661 size by summing the size from the last collection and the size by walking the eden heap.
7662 But this breaks when we eagerly delete objects that the last collection touched. We can do
7663 that in one corner case: copied block reallocation. The old block will be deleted from old
7664 space during the realloc and a new block will be allocated in new space. In order for the
7665 GC to know that the size of old space actually shrank, we need a field to tell us how much
7666 such shrinkage could occur. Since this is a very dirty corner case and it only works for
7667 very particular reasons arising from the special properties of copied space (single owner,
7668 and the realloc is used in places where the compiler already knows that it cannot register
7669 allocate a pointer to the old block), I opted for an equally dirty shrinkage counter
7670 devoted just to this case. It's called bytesRemovedFromOldSpaceDueToReallocation.
7671
7672 To test this, I needed to add an Option to force a particular RAM size in the GC. This
7673 allows us to write tests that assert that the GC heap size is some value X, without
7674 worrying about machine-to-machine variations due to GC heuristics changing based on RAM
7675 size.
7676
7677 * heap/CopiedSpace.cpp:
7678 (JSC::CopiedSpace::CopiedSpace): Initialize the dirty shrinkage counter.
7679 (JSC::CopiedSpace::tryReallocateOversize): Bump the dirty shrinkage counter.
7680 * heap/CopiedSpace.h:
7681 (JSC::CopiedSpace::takeBytesRemovedFromOldSpaceDueToReallocation): Swap out the counter. Used by the GC when it does its accounting.
7682 * heap/Heap.cpp:
7683 (JSC::Heap::Heap): Allow the user to force the RAM size.
7684 (JSC::Heap::updateObjectCounts): Use the dirty shrinkage counter to good effect. Also, make this code less confusing.
7685 * heap/SlotVisitorInlines.h:
7686 (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory.
7687 * jsc.cpp: Add size measuring hooks to write the largeish test.
7688 (GlobalObject::finishCreation):
7689 (functionGCAndSweep):
7690 (functionFullGC):
7691 (functionEdenGC):
7692 (functionHeapSize):
7693 * runtime/Options.h:
7694 * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test.
7695 * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory.
7696 (foo):
7697 (test):
7698
76992015-05-07 Saam Barati <saambarati1@gmail.com>
7700
7701 Global functions should be initialized as JSFunctions in byte code
7702 https://bugs.webkit.org/show_bug.cgi?id=144178
7703
7704 Reviewed by Geoffrey Garen.
7705
7706 This patch makes the initialization of global functions more explicit by
7707 moving initialization into bytecode. It also prepares JSC for having ES6
7708 style lexical scoping because initializing global functions in bytecode
7709 easily allows global functions to be initialized with the proper scope that
7710 will have access to global lexical variables. Global lexical variables
7711 should be visible to global functions but don't live on the global object.
7712
7713 * bytecode/UnlinkedCodeBlock.cpp:
7714 (JSC::UnlinkedProgramCodeBlock::visitChildren):
7715 * bytecode/UnlinkedCodeBlock.h:
7716 * bytecompiler/BytecodeGenerator.cpp:
7717 (JSC::BytecodeGenerator::generate):
7718 (JSC::BytecodeGenerator::BytecodeGenerator):
7719 * bytecompiler/BytecodeGenerator.h:
7720 * runtime/Executable.cpp:
7721 (JSC::ProgramExecutable::initializeGlobalProperties):
7722 * runtime/JSGlobalObject.cpp:
7723 (JSC::JSGlobalObject::addGlobalVar):
7724 (JSC::JSGlobalObject::addFunction):
7725 * runtime/JSGlobalObject.h:
7726
77272015-05-07 Benjamin Poulain <bpoulain@apple.com>
7728
7729 Fix the x86 32-bit build
7730
7731 * assembler/X86Assembler.h:
7732
77332015-05-07 Benjamin Poulain <bpoulain@apple.com>
7734
7735 [JSC] Add basic DFG/FTL support for Math.round
7736 https://bugs.webkit.org/show_bug.cgi?id=144725
7737
7738 Reviewed by Filip Pizlo.
7739
7740 This patch adds two optimizations targeting Math.round():
7741 -Add a DFGNode ArithRound corresponding to the intrinsic RoundIntrinsic.
7742 -Change the MacroAssembler to be stricter on how we fail to convert a double
7743 to integer. Previously, any number valued zero would fail, now we only
7744 fail for -0.
7745
7746 Since ArithRound speculates it produces int32, the MacroAssembler
7747 part became necessary because zero is a pretty common output of Math.round()
7748 and we would OSR exit a lot (and eventually recompile for doubles).
7749
7750 The implementation itself of the inline Math.round() is exactly the same
7751 as the C function that exists for Math.round(). We can very likely do better
7752 but it is a good start known to be valid and inlining alone already provides
7753 significant speedups.
7754
7755 * assembler/X86Assembler.h:
7756 (JSC::X86Assembler::movmskpd_rr):
7757 * assembler/MacroAssemblerX86Common.h:
7758 (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
7759 When we have a zero, get the sign bit out of the double and check if it is one.
7760
7761 I'll look into doing the same improvement for ARM.
7762
7763 * bytecode/SpeculatedType.cpp:
7764 (JSC::typeOfDoubleRounding):
7765 (JSC::typeOfDoubleFRound): Deleted.
7766 * bytecode/SpeculatedType.h:
7767 * dfg/DFGAbstractInterpreterInlines.h:
7768 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
7769 * dfg/DFGByteCodeParser.cpp:
7770 (JSC::DFG::ByteCodeParser::handleIntrinsic):
7771 * dfg/DFGClobberize.h:
7772 (JSC::DFG::clobberize):
7773 * dfg/DFGDoesGC.cpp:
7774 (JSC::DFG::doesGC):
7775 * dfg/DFGFixupPhase.cpp:
7776 (JSC::DFG::FixupPhase::fixupNode):
7777 * dfg/DFGGraph.h:
7778 (JSC::DFG::Graph::roundShouldSpeculateInt32):
7779 (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
7780 * dfg/DFGNode.h:
7781 (JSC::DFG::Node::arithNodeFlags):
7782 (JSC::DFG::Node::hasHeapPrediction):
7783 (JSC::DFG::Node::hasArithMode):
7784 * dfg/DFGNodeType.h:
7785 * dfg/DFGPredictionPropagationPhase.cpp:
7786 (JSC::DFG::PredictionPropagationPhase::propagate):
7787 * dfg/DFGSafeToExecute.h:
7788 (JSC::DFG::safeToExecute):
7789 * dfg/DFGSpeculativeJIT.cpp:
7790 (JSC::DFG::SpeculativeJIT::compileArithRound):
7791 * dfg/DFGSpeculativeJIT.h:
7792 * dfg/DFGSpeculativeJIT32_64.cpp:
7793 (JSC::DFG::SpeculativeJIT::compile):
7794 * dfg/DFGSpeculativeJIT64.cpp:
7795 (JSC::DFG::SpeculativeJIT::compile):
7796 * ftl/FTLCapabilities.cpp:
7797 (JSC::FTL::canCompile):
7798 * ftl/FTLIntrinsicRepository.h:
7799 * ftl/FTLLowerDFGToLLVM.cpp:
7800 (JSC::FTL::LowerDFGToLLVM::compileNode):
7801 (JSC::FTL::LowerDFGToLLVM::convertDoubleToInt32):
7802 (JSC::FTL::LowerDFGToLLVM::compileDoubleAsInt32):
7803 (JSC::FTL::LowerDFGToLLVM::compileArithRound):
7804 * ftl/FTLOutput.h:
7805 (JSC::FTL::Output::ceil64):
7806 * jit/ThunkGenerators.cpp:
7807 * runtime/MathCommon.cpp:
7808 * runtime/MathCommon.h:
7809 * runtime/MathObject.cpp:
7810 (JSC::mathProtoFuncRound):
7811 * tests/stress/math-round-basics.js: Added.
7812 (mathRoundOnIntegers):
7813 (mathRoundOnDoubles):
7814 (mathRoundOnBooleans):
7815 (uselessMathRound):
7816 (mathRoundWithOverflow):
7817 (mathRoundConsumedAsDouble):
7818 (mathRoundDoesNotCareAboutMinusZero):
7819 (mathRoundNoArguments):
7820 (mathRoundTooManyArguments):
7821 (testMathRoundOnConstants):
7822 (mathRoundStructTransition):
7823 (Math.round):
7824
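The edge cases the entry above has to preserve when Math.round() is inlined, as an added example. This is not WebKit code and not the algorithm in runtime/MathCommon.cpp; it is an independent reference implementation of ECMAScript's Math.round written for this page, with constructed sample inputs, and it runs in any ES2015+ engine (jsc, node, a browser). It shows why the sign of zero matters (results in (-0.5, 0] and Math.round(-0) are -0, which is exactly the case the MacroAssembler change has to recognise) and why the tempting floor(x + 0.5) shortcut is not a correct Math.round.

```javascript
// Added example; not code from the WebKit ChangeLog or from JSC's MathCommon.cpp.
// Demonstrates the Math.round() semantics an inlined intrinsic must preserve:
// halfway values round toward +Infinity, results in (-0.5, 0] are -0, and the
// naive floor(x + 0.5) disagrees with the engine on several inputs.

// The tempting shortcut. It is NOT a correct Math.round().
function roundNaive(x) {
  return Math.floor(x + 0.5);
}

// Reference implementation following ECMAScript's definition of Math.round.
// x - Math.floor(x) is exact for x >= 0 and x <= -1; for x in (-1, 0) any
// rounding of the subtraction cannot move it across the 0.5 boundary, whereas
// x + 0.5 does cross it (see the 0.49999999999999994 sample below).
function roundReference(x) {
  if (Number.isNaN(x) || !Number.isFinite(x)) {
    return x; // NaN and +/-Infinity are returned unchanged
  }
  var r = Math.floor(x);
  if (x - r >= 0.5) {
    r += 1; // fractional part of .5 or more rounds up, i.e. toward +Infinity
  }
  // Math.round(-0.4), Math.round(-0.5) and Math.round(-0) are all -0:
  // the sign of the input survives when the result is zero.
  if (r === 0 && (x < 0 || Object.is(x, -0))) {
    return -0;
  }
  return r;
}

// Constructed inputs covering the interesting regions of the number line.
var SAMPLE_INPUTS = [
  0, -0, 0.4, -0.4, 0.5, -0.5, 2.5, -2.5, 3.5, -3.5,
  0.49999999999999994,   // largest double below 0.5; x + 0.5 rounds up to 1.0
  9007199254740991,      // 2**53 - 1; x + 0.5 is not representable
  1e300, -1e300, Infinity, -Infinity, NaN,
];

// Returns the sample inputs for which `candidate` disagrees with the engine's
// own Math.round(), using Object.is so that -0 and +0 count as different.
function mismatchesAgainstMathRound(candidate) {
  return SAMPLE_INPUTS.filter(function (x) {
    return !Object.is(candidate(x), Math.round(x));
  });
}
```

Running mismatchesAgainstMathRound(roundNaive) lists -0, -0.4, -0.5, 0.49999999999999994 and 9007199254740991; the first three are the sign-of-zero cases (the naive version produces +0), the last two are floating-point rounding of x + 0.5. roundReference produces an empty list.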
78252015-05-07 Saam Barati <saambarati1@gmail.com>
7826
7827 exceptionFuzz tests should explicitly initialize the exceptionFuzz boolean in JavaScript code through a function in jsc.cpp
7828 https://bugs.webkit.org/show_bug.cgi?id=144753
7829
7830 Reviewed by Mark Lam.
7831
7832 This allows the BytecodeGenerator to freely emit startup code that "may"
7833 throw exceptions without worrying that this startup code will trigger
7834 the exceptionFuzz exception. The exceptionFuzz counter will only begin
7835 ticking when the 'enableExceptionFuzz' function is explicitly called in
7836 the exceptionFuzz tests.
7837
7838 * jsc.cpp:
7839 (GlobalObject::finishCreation):
7840 (functionEnableExceptionFuzz):
7841 * tests/exceptionFuzz/3d-cube.js:
7842 * tests/exceptionFuzz/date-format-xparb.js:
7843 * tests/exceptionFuzz/earley-boyer.js:
7844
78452015-05-07 Andreas Kling <akling@apple.com>
7846
7847 Optimize serialization of quoted JSON strings.
7848 <https://webkit.org/b/144754>
7849
7850 Reviewed by Darin Adler.
7851
7852 Optimized the serialization of quoted strings into JSON by moving the logic into
7853 StringBuilder so it can make smarter decisions about buffering.
7854
7855 12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.)
7856
7857 * bytecompiler/NodesCodegen.cpp:
7858 (JSC::ObjectPatternNode::toString): Use the new StringBuilder API.
7859
7860 * runtime/JSONObject.h:
7861 * runtime/JSONObject.cpp:
7862 (JSC::Stringifier::Holder::appendNextProperty):
7863 (JSC::appendStringToStringBuilder): Deleted.
7864 (JSC::appendQuotedJSONStringToBuilder): Deleted.
7865 (JSC::Stringifier::appendQuotedString): Deleted.
7866 (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic
7867 to StringBuilder and call that from here.
7868
78692015-05-07 Yusuke Suzuki <utatane.tea@gmail.com>
7870
7871 FunctionCallBracketNode should store the base value to the temporary when subscript has assignment
7872 https://bugs.webkit.org/show_bug.cgi?id=144678
7873
7874 Reviewed by Geoffrey Garen.
7875
7876 Currently, FunctionCallBracketNode directly uses the RegisterID returned by emitNode.
7877 But if the base part is a local register and the subscript part has an assignment to it, the base result is accidentally rewritten.
7878
7879 function t() { var ok = {null: function () { } }; ok[ok = null](); }
7880 t(); // Should not throw error.
7881
7882 This patch takes care of `subscriptHasAssignment`.
7883 By using `emitNodeForLeftHandSide`, when there's assignment to local variables in RHS,
7884 it correctly moves the LHS value to a temporary register.
7885
7886 * bytecompiler/NodesCodegen.cpp:
7887 (JSC::FunctionCallBracketNode::emitBytecode):
7888 * parser/ASTBuilder.h:
7889 (JSC::ASTBuilder::makeFunctionCallNode):
7890 * parser/NodeConstructors.h:
7891 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
7892 * parser/Nodes.h:
7893 * tests/stress/assignment-in-function-call-bracket-node.js: Added.
7894 (shouldBe):
7895 (shouldBe.):
7896
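The evaluation order the fix above restores, as an added example that is not part of the WebKit test or the ChangeLog. It assumes nothing beyond an ES2015+ engine: in `base[subscript](args)` the base value is read before the subscript expression runs, so an assignment to the base variable inside the subscript must change neither the callee nor the `this` it is called with. The first function is the ChangeLog's reproducer made to return a value; the other two show that the same rule governs the receiver and plain (non-call) bracket reads.

```javascript
// Added example; not WebKit code. In base[subscript](args), the base value is
// captured before the subscript expression is evaluated, so an assignment to
// the base variable inside the subscript affects neither the callee nor `this`.

// The ChangeLog's reproducer, returning the callee's result rather than
// relying only on "does not throw".
function callThroughReassignedLocal() {
  var ok = { null: function () { return 'called'; } };
  // `ok = null` evaluates to null, which stringifies to the key "null".
  // A miscompiled base would try to call null["null"] and throw a TypeError.
  return ok[ok = null]();
}

// The receiver must be the captured base too: `this` inside m is the original
// object even though the local now refers to a replacement.
function receiverIsOriginalBase() {
  var obj = { tag: 'original', m: function () { return this.tag; } };
  // The comma operator makes the subscript evaluate to 'm' after reassigning obj.
  return obj[(obj = { tag: 'replaced', m: function () { return this.tag; } }, 'm')]();
}

// The call form is just an instance of the general bracket-access rule:
// a plain element read captures the base before the subscript runs as well.
function readThroughReassignedLocal() {
  var a = [10, 20];
  return a[(a = null, 1)];
}
```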
78972015-05-07 Basile Clement <basile_clement@apple.com>
7898
7899 Unreviewed, add missing braces on a single-line if that got expanded in r183939
7900
7901 * ftl/FTLLowerDFGToLLVM.cpp:
7902 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
7903
79042015-05-05 Myles C. Maxfield <mmaxfield@apple.com>
7905
7906 Revert "Introducing the Platform Abstraction Layer (PAL)"
7907 https://bugs.webkit.org/show_bug.cgi?id=144751
7908
7909 Unreviewed.
7910
7911 PAL should be a new target inside WebCore, rather than a top-level folder.
7912
7913 * Configurations/FeatureDefines.xcconfig: Updated
7914
79152015-05-07 Basile Clement <basile_clement@apple.com>
7916
7917 Dumping OSR ExitValue should expand materializations only once
7918 https://bugs.webkit.org/show_bug.cgi?id=144694
7919
7920 Reviewed by Filip Pizlo.
7921
7922 Currently, dumping OSR exit values will print the full materialization
7923 information each time it is encountered. We change it to print only a
7924 brief description (only the materialization's address), and print the
7925 whole set of materializations later on.
7926
7927 This makes the dump less confusing (less likely to think that two
7928 instances of the same materialization are different), and will be a
7929 necessary change if/when we support materialization cycles.
7930
7931 * ftl/FTLCompile.cpp:
7932 (JSC::FTL::mmAllocateDataSection):
7933 * ftl/FTLExitValue.cpp:
7934 (JSC::FTL::ExitValue::dumpInContext):
7935 * ftl/FTLLowerDFGToLLVM.cpp:
7936 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
7937
79382015-05-07 Andreas Kling <akling@apple.com>
7939
7940 Worker threads leak WeakBlocks (as seen on leaks bot)
7941 <https://webkit.org/b/144721>
7942 <rdar://problem/20848288>
7943
7944 Reviewed by Darin Adler.
7945
7946 Nuke any remaining empty WeakBlocks when the Heap is being torn down.
7947 Trying to peek into these blocks after the VM is dead would be a bug anyway.
7948
7949 This fixes a ~750 KB leak seen on the leaks bot.
7950
7951 * heap/Heap.cpp:
7952 (JSC::Heap::~Heap):
7953
79542015-05-05 Geoffrey Garen <ggaren@apple.com>
7955
7956 Don't branch when accessing the callee
7957 https://bugs.webkit.org/show_bug.cgi?id=144645
7958
7959 Reviewed by Michael Saboff.
7960
7961 The branch was added in <http://trac.webkit.org/changeset/81040> without
7962 explanation.
7963
7964 kling found it to be a performance problem. See <https://webkit.org/b/144586>.
7965
7966 Our theory of access to Registers is that it's up to the client to access
7967 them in the right way. So, let's do that.
7968
7969 * interpreter/CallFrame.h:
7970 (JSC::ExecState::callee):
7971 (JSC::ExecState::setCallee): Call the field object instead of function
7972 because nothing guarantees that it's a function.
7973 * interpreter/ProtoCallFrame.h:
7974 (JSC::ProtoCallFrame::callee):
7975 (JSC::ProtoCallFrame::setCallee):
7976 * interpreter/Register.h:
7977 * runtime/JSObject.h:
7978 (JSC::Register::object): Just do a cast like our other accessors do.
7979 (JSC::Register::operator=):
7980 (JSC::Register::function): Deleted.
7981 (JSC::Register::withCallee): Deleted.
7982
79832015-05-07 Dan Bernstein <mitz@apple.com>
7984
7985 <rdar://problem/19317140> [Xcode] Remove usage of AspenFamily.xcconfig in Source/
7986 https://bugs.webkit.org/show_bug.cgi?id=144727
7987
7988 Reviewed by Darin Adler.
7989
7990 * Configurations/Base.xcconfig: Don’t include AspenFamily.xcconfig, and define
7991 INSTALL_PATH_PREFIX and LD_DYLIB_INSTALL_NAME for the iOS 8.x Simulator.
7992
79932015-05-07 Andreas Kling <akling@apple.com>
7994
7995 Special-case Int32 values in JSON.stringify().
7996 <https://webkit.org/b/144731>
7997
7998 Reviewed by Michael Saboff.
7999
8000 Add a fast path for serializing Int32 values to JSON. This is far faster than dragging
8001 simple integers through the full-blown dtoa() machinery.
8002
8003 ~50% speedup on Kraken/json-stringify-tinderbox.
8004
8005 * runtime/JSONObject.cpp:
8006 (JSC::Stringifier::appendStringifiedValue):
8007
80082015-05-06 Ryosuke Niwa <rniwa@webkit.org>
8009
8010 ToT WebKit crashes while loading ES6 compatibility table
8011 https://bugs.webkit.org/show_bug.cgi?id=144726
8012
8013 Reviewed by Filip Pizlo.
8014
8015 The bug was caused by parseClass superfluously avoiding building up the string after seeing {.
8016
8017 Always build the identifier here as it could be a method name.
8018
8019 * parser/Parser.cpp:
8020 (JSC::Parser<LexerType>::parseClass):
8021
80222015-05-05 Filip Pizlo <fpizlo@apple.com>
8023
8024 Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase
8025 https://bugs.webkit.org/show_bug.cgi?id=144665
8026
8027 Reviewed by Michael Saboff.
8028
8029 This is a step towards getting rid of WatchpointCollectionPhase. It's also a step towards
8030 extending SaneChain to all indexing shapes.
8031
8032 * dfg/DFGFixupPhase.cpp:
8033 (JSC::DFG::FixupPhase::fixupNode): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
8034 (JSC::DFG::FixupPhase::checkArray): Clarify the need for checking the structure. We often forget why we do this instead of always using CheckArray.
8035 * dfg/DFGSpeculativeJIT.cpp:
8036 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
8037 * dfg/DFGWatchpointCollectionPhase.cpp:
8038 (JSC::DFG::WatchpointCollectionPhase::handle): Remove some code.
8039 (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal): Deleted.
8040 * ftl/FTLLowerDFGToLLVM.cpp:
8041 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
8042
80432015-04-02 Myles C. Maxfield <mmaxfield@apple.com>
8044
8045 Introducing the Platform Abstraction Layer (PAL)
8046 https://bugs.webkit.org/show_bug.cgi?id=143358
8047
8048 Reviewed by Simon Fraser.
8049
8050 * Configurations/FeatureDefines.xcconfig: Updated
8051
80522015-05-06 Andreas Kling <akling@apple.com>
8053
8054 Don't allocate a StringImpl for every Number JSValue in JSON.stringify().
8055 <https://webkit.org/b/144676>
8056
8057 Reviewed by Darin Adler.
8058
8059 We were creating a new String for every number JSValue passing through the JSON stringifier.
8060 These StringImpl allocations were dominating one of the Kraken JSON benchmarks.
8061 Optimize this by using StringBuilder::appendECMAScriptNumber() which uses a stack buffer
8062 for the conversion instead.
8063
8064 13% progression on Kraken/json-stringify-tinderbox.
8065
8066 * runtime/JSONObject.cpp:
8067 (JSC::Stringifier::appendStringifiedValue):
8068
80692015-05-06 Commit Queue <commit-queue@webkit.org>
8070
8071 Unreviewed, rolling out r183847.
8072 https://bugs.webkit.org/show_bug.cgi?id=144691
8073
8074 Caused many assertion failures (Requested by ap on #webkit).
8075
8076 Reverted changeset:
8077
8078 "GC has trouble with pathologically large array allocations"
8079 https://bugs.webkit.org/show_bug.cgi?id=144609
8080 http://trac.webkit.org/changeset/183847
8081
80822015-05-05 Filip Pizlo <fpizlo@apple.com>
8083
8084 PutGlobalVar shouldn't have an unconditional store barrier
8085 https://bugs.webkit.org/show_bug.cgi?id=133104
8086
8087 Reviewed by Benjamin Poulain.
8088
8089 We don't need a store barrier on PutGlobalVar if the value being stored can be
8090 speculated to not be a cell.
8091
8092 * dfg/DFGFixupPhase.cpp:
8093 (JSC::DFG::FixupPhase::fixupNode):
8094
80952015-05-05 Filip Pizlo <fpizlo@apple.com>
8096
8097 CopiedBlock::reportLiveBytes() should be totally cool with oversize blocks
8098 https://bugs.webkit.org/show_bug.cgi?id=144667
8099
8100 Reviewed by Andreas Kling.
8101
8102 We are now calling this method for oversize blocks. It had an assertion that indirectly
8103 implied that the block is not oversize, because it was claiming that the number of live
8104 bytes should be smaller than the non-oversize-block size.
8105
8106 * heap/CopiedBlockInlines.h:
8107 (JSC::CopiedBlock::reportLiveBytes):
8108
81092015-05-05 Filip Pizlo <fpizlo@apple.com>
8110
8111 GC has trouble with pathologically large array allocations
8112 https://bugs.webkit.org/show_bug.cgi?id=144609
8113
8114 Reviewed by Mark Lam.
8115
8116 * heap/Heap.cpp:
8117 (JSC::Heap::updateObjectCounts): Make this code less confusing.
8118 * heap/SlotVisitorInlines.h:
8119 (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory.
8120 * jsc.cpp: Add size measuring hooks to write the largeish test.
8121 (GlobalObject::finishCreation):
8122 (functionGCAndSweep):
8123 (functionFullGC):
8124 (functionEdenGC):
8125 (functionHeapSize):
8126 * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test.
8127 * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory.
8128 (foo):
8129 (test):
8130
81312015-05-05 Filip Pizlo <fpizlo@apple.com>
8132
8133 FTL SwitchString slow case creates duplicate switch cases
8134 https://bugs.webkit.org/show_bug.cgi?id=144634
8135
8136 Reviewed by Geoffrey Garen.
8137
8138 The problem of duplicate switches is sufficiently annoying that I fixed the issue and also
8139 added mostly-debug-only asserts to catch such issues earlier.
8140
8141 * bytecode/CallVariant.cpp:
8142 (JSC::variantListWithVariant): Assertion to prevent similar bugs.
8143 * ftl/FTLLowerDFGToLLVM.cpp:
8144 (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): Assertion to prevent similar bugs.
8145 (JSC::FTL::LowerDFGToLLVM::switchStringSlow): This is the bug.
8146 * jit/BinarySwitch.cpp:
8147 (JSC::BinarySwitch::BinarySwitch): Assertion to prevent similar bugs.
8148 * jit/Repatch.cpp:
8149 (JSC::linkPolymorphicCall): Assertion to prevent similar bugs.
8150 * tests/stress/ftl-switch-string-slow-duplicate-cases.js: Added. This tests the FTL SwitchString bug. It was previously crashing every time.
8151 (foo):
8152 (cat):
8153
81542015-05-05 Basile Clement <basile_clement@apple.com>
8155
8156 Fix debug builds after r183812
8157 https://bugs.webkit.org/show_bug.cgi?id=144300
8158
8159 Rubber stamped by Andreas Kling and Filip Pizlo.
8160
8161 hasObjectMaterializationData() didn't treat MaterializeCreateActivation
8162 as having materialization data, which was causing an assertion failure when
8163 sinking CreateActivations on debug builds.
8164
8165 * dfg/DFGNode.h:
8166 (JSC::DFG::Node::hasObjectMaterializationData):
8167
81682015-05-04 Basile Clement <basile_clement@apple.com>
8169
8170 Allow CreateActivation sinking
8171 https://bugs.webkit.org/show_bug.cgi?id=144300
8172
8173 Reviewed by Filip Pizlo.
8174
8175 This pursues the work started in
8176 https://bugs.webkit.org/show_bug.cgi?id=144016 to expand the set of
8177 allocations we are able to sink by allowing sinking of CreateActivation
8178 node.
8179
8180 This is achieved by following closely the way NewObject is currently
8181 sunk: we add a new PhantomCreateActivation node to record the initial
8182 position of the CreateActivation node, new ClosureVarPLoc promoted heap
8183 locations to keep track of the variables put in the activation, and a
8184 new MaterializeCreateActivation node to allocate and populate the sunk
8185 activation.
8186
8187 * dfg/DFGAbstractInterpreterInlines.h:
8188 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
8189 * dfg/DFGClobberize.h:
8190 (JSC::DFG::clobberize):
8191 * dfg/DFGDoesGC.cpp:
8192 (JSC::DFG::doesGC):
8193 * dfg/DFGFixupPhase.cpp:
8194 (JSC::DFG::FixupPhase::fixupNode):
8195 * dfg/DFGNode.cpp:
8196 (JSC::DFG::Node::convertToPutClosureVarHint):
8197 * dfg/DFGNode.h:
8198 (JSC::DFG::Node::convertToPhantomCreateActivation):
8199 (JSC::DFG::Node::isActivationAllocation):
8200 (JSC::DFG::Node::isPhantomActivationAllocation):
8201 (JSC::DFG::Node::isPhantomAllocation):
8202 * dfg/DFGNodeType.h:
8203 * dfg/DFGObjectAllocationSinkingPhase.cpp:
8204 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
8205 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
8206 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
8207 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
8208 * dfg/DFGPredictionPropagationPhase.cpp:
8209 (JSC::DFG::PredictionPropagationPhase::propagate):
8210 * dfg/DFGPromotedHeapLocation.cpp:
8211 (WTF::printInternal):
8212 * dfg/DFGPromotedHeapLocation.h:
8213 * dfg/DFGSafeToExecute.h:
8214 (JSC::DFG::safeToExecute):
8215 * dfg/DFGSpeculativeJIT32_64.cpp:
8216 (JSC::DFG::SpeculativeJIT::compile):
8217 * dfg/DFGSpeculativeJIT64.cpp:
8218 (JSC::DFG::SpeculativeJIT::compile):
8219 * dfg/DFGValidate.cpp:
8220 (JSC::DFG::Validate::validateCPS):
8221 * ftl/FTLCapabilities.cpp:
8222 (JSC::FTL::canCompile):
8223 * ftl/FTLLowerDFGToLLVM.cpp:
8224 (JSC::FTL::LowerDFGToLLVM::compileNode):
8225 (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation):
8226 * ftl/FTLOperations.cpp:
8227 (JSC::FTL::operationMaterializeObjectInOSR):
8228 * tests/stress/activation-sink-osrexit.js: Added.
8229 (bar):
8230 (foo.set result):
8231 * tests/stress/activation-sink.js: Added.
8232 (bar):
8233
82342015-05-04 Filip Pizlo <fpizlo@apple.com>
8235
8236 Unreviewed, fix stale comment.
8237
8238 * tests/mozilla/js1_5/Array/regress-101964.js:
8239
82402015-05-04 Filip Pizlo <fpizlo@apple.com>
8241
8242 Large array shouldn't be slow
8243 https://bugs.webkit.org/show_bug.cgi?id=144617
8244
8245 Rubber stamped by Mark Lam.
8246
8247 * tests/mozilla/js1_5/Array/regress-101964.js: 500ms isn't enough in debug mode. We don't care how long this takes so long as we run it to completion. I've raised the limit much higher.
8248
82492015-05-04 Filip Pizlo <fpizlo@apple.com>
8250
8251 Large array shouldn't be slow
8252 https://bugs.webkit.org/show_bug.cgi?id=144617
8253
8254 Rubber stamped by Mark Lam.
8255
8256 * tests/mozilla/js1_5/Array/regress-101964.js: Mozilla may have cared about this being fast a decade ago (or more), but we don't care. We've consistently found that an array implementation that punishes this case to get speed on common-case array accesses is better. This should fix some test failures on the bots.
8257
82582015-05-04 Commit Queue <commit-queue@webkit.org>
8259
8260 Unreviewed, rolling out r183789.
8261 https://bugs.webkit.org/show_bug.cgi?id=144620
8262
8263 Causing flakiness on exceptionFuzz tests locally on 32-bit
8264 build (Requested by saamyjoon on #webkit).
8265
8266 Reverted changeset:
8267
8268 "Global functions should be initialized as JSFunctions in byte
8269 code"
8270 https://bugs.webkit.org/show_bug.cgi?id=144178
8271 http://trac.webkit.org/changeset/183789
8272
82732015-05-04 Saam Barati <saambarati1@gmail.com>
8274
8275 Global functions should be initialized as JSFunctions in byte code
8276 https://bugs.webkit.org/show_bug.cgi?id=144178
8277
8278 Reviewed by Geoffrey Garen.
8279
8280 This patch makes the initialization of global functions more explicit by
8281 moving initialization into bytecode. It also prepares JSC for having ES6
8282 style lexical scoping because initializing global functions in bytecode
8283 easily allows global functions to be initialized with the proper scope that
8284 will have access to global lexical variables. Global lexical variables
8285 should be visible to global functions but don't live on the global object.
8286
8287 * bytecode/UnlinkedCodeBlock.cpp:
8288 (JSC::UnlinkedProgramCodeBlock::visitChildren):
8289 * bytecode/UnlinkedCodeBlock.h:
8290 * bytecompiler/BytecodeGenerator.cpp:
8291 (JSC::BytecodeGenerator::generate):
8292 (JSC::BytecodeGenerator::BytecodeGenerator):
8293 * bytecompiler/BytecodeGenerator.h:
8294 * runtime/Executable.cpp:
8295 (JSC::ProgramExecutable::initializeGlobalProperties):
8296 * runtime/JSGlobalObject.cpp:
8297 (JSC::JSGlobalObject::addGlobalVar):
8298 (JSC::JSGlobalObject::addFunction):
8299 * runtime/JSGlobalObject.h:
8300
83012015-05-04 Filip Pizlo <fpizlo@apple.com>
8302
8303 Large array shouldn't be slow
8304 https://bugs.webkit.org/show_bug.cgi?id=144617
8305
8306 Reviewed by Geoffrey Garen.
8307
8308 Decouple MIN_SPARSE_ARRAY_INDEX, which is the threshold for storing to the sparse map when
8309 you're already using ArrayStorage mode, from the minimum array length required to use
8310 ArrayStorage in a new Array(length) allocation.
8311
8312 Lift the array allocation length threshold to something very high. If this works, we'll
8313 probably remove that threshold entirely.
8314
8315 This is a 27% speed-up on JetStream/hash-map. Because run-jsc-benchmarks still can't run
8316 JetStream as a discrete suite, this adds hash-map to LongSpider so that we run it somewhere
8317 for now.
8318
8319 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
8320 * dfg/DFGSpeculativeJIT32_64.cpp:
8321 (JSC::DFG::SpeculativeJIT::compile):
8322 * dfg/DFGSpeculativeJIT64.cpp:
8323 (JSC::DFG::SpeculativeJIT::compile):
8324 * ftl/FTLLowerDFGToLLVM.cpp:
8325 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
8326 * runtime/ArrayConventions.h:
8327 * runtime/JSArray.h:
8328 (JSC::JSArray::create):
8329 * runtime/JSGlobalObject.h:
8330 (JSC::constructEmptyArray):
8331 * tests/stress/new-array-storage-array-with-size.js: Skip this test until we fix https://bugs.webkit.org/show_bug.cgi?id=144609.
8332
83332015-05-03 Yusuke Suzuki <utatane.tea@gmail.com>
8334
8335 Add backed intrinsics to private functions exposed with private symbols in global object
8336 https://bugs.webkit.org/show_bug.cgi?id=144545
8337
8338 Reviewed by Darin Adler.
8339
8340 Math.abs and Math.floor have ASM intrinsics, and they are further accelerated in the DFG/FTL layers.
8341 This patch adds intrinsics to the private functions exposed with private symbols in the global object,
8342 @floor and @abs.
8343
8344 * runtime/JSGlobalObject.cpp:
8345 (JSC::JSGlobalObject::init):
8346 * runtime/JSGlobalObjectFunctions.cpp:
8347 (JSC::globalPrivateFuncAbs): Deleted.
8348 (JSC::globalPrivateFuncFloor): Deleted.
8349 * runtime/MathObject.cpp:
8350 * runtime/MathObject.h:
8351 * tests/stress/array-from-abs-and-floor.js: Added.
8352 (target1):
8353 (target2):
8354 (target3):
8355
83562015-05-04 Csaba Osztrogonác <ossy@webkit.org>
8357
8358 [cmake] ARM related build system cleanup
8359 https://bugs.webkit.org/show_bug.cgi?id=144566
8360
8361 Reviewed by Darin Adler.
8362
8363 * CMakeLists.txt:
8364
83652015-05-04 Andreas Kling <akling@apple.com>
8366
8367 Optimize WeakBlock's "reap" and "visit" operations.
8368 <https://webkit.org/b/144585>
8369
8370 Reviewed by Geoffrey Garen.
8371
8372 WeakBlock was using Heap::isLive(void*) to determine the liveness of weak pointees.
8373 That function was really written with conservative roots marking in mind, and will do a bunch
8374 of sanity and bounds checks.
8375
8376 For weaks, we know that the pointer will have been a valid cell pointer into a block
8377 of appropriate cell size, so we can skip a lot of the checks.
8378
8379 We now keep a pointer to the MarkedBlock in each WeakBlock. That way we no longer have to do
8380 MarkedBlock::blockFor() for every single cell when iterating.
8381
8382 Note that a WeakBlock's MarkedBlock pointer becomes null when we detach a logically empty
8383 WeakBlock from its WeakSet and transfer ownership to Heap. At that point, the block will never
8384 be pointing to any live cells, and the only operation that will run on the block is sweep().
8385
8386 Finally, MarkedBlock allows liveness queries in three states: Marked, Retired, and Allocated.
8387 In Allocated state, all cells are reported as live. This state will reset to Marked on next GC.
8388 This patch uses that knowledge to avoid branching on the MarkedBlock's state for every cell.
8389
8390 This is a ~3x speedup of visit() and a ~2x speedup of reap() on Dromaeo/dom-modify, netting
8391 what looks like a 1% speedup locally.
8392
8393 * heap/MarkedBlock.cpp:
8394 (JSC::MarkedBlock::MarkedBlock): Pass *this to the WeakSet's ctor.
8395
8396 * heap/MarkedBlock.h:
8397 (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Added, stripped-down version of isLive() when the
8398 block's state is known to be either Marked or Retired.
8399
8400 (JSC::MarkedBlock::isAllocated): Added, tells WeakBlock it's okay to skip reap/visit since isLive()
8401 would report that all cells are live anyway.
8402
8403 * heap/WeakBlock.cpp:
8404 (JSC::WeakBlock::create):
8405 (JSC::WeakBlock::WeakBlock): Stash a MarkedBlock* on each WeakBlock.
8406
8407 (JSC::WeakBlock::visit):
8408 (JSC::WeakBlock::reap): Optimized these two to avoid a bunch of pointer arithmetic and branches.
8409
8410 * heap/WeakBlock.h:
8411 (JSC::WeakBlock::disconnectMarkedBlock): Added.
8412 * heap/WeakSet.cpp:
8413 (JSC::WeakSet::sweep): Call the above when removing a WeakBlock from WeakSet and transferring
8414 ownership to Heap until it can die peacefully.
8415
8416 (JSC::WeakSet::addAllocator):
8417 * heap/WeakSet.h:
8418 (JSC::WeakSet::WeakSet): Give WeakSet a MarkedBlock& for passing on to WeakBlocks.
8419
84202015-05-04 Basile Clement <basile_clement@apple.com>
8421
8422 Allocation sinking is prohibiting the creation of phis between a Phantom object and its materialization
8423 https://bugs.webkit.org/show_bug.cgi?id=144587
8424
8425 Rubber stamped by Filip Pizlo.
8426
8427 When sinking object allocations, we ensure in
8428 determineMaterializationPoints that whenever an allocation is
8429 materialized on a path to a block, it is materialized in all such
8430 paths. Thus when running the SSA calculator to place Phis in
8431 placeMaterializationPoints, we can't encounter a situation where some
8432 Upsilons are referring to a materialization while others are referring
8433 to the phantom object.
8434
8435 This replaces the code that was adding a materialization late in
8436 placeMaterializationPoints to handle that case by an assertion that it
8437 does not happen, which will make
8438 https://bugs.webkit.org/show_bug.cgi?id=143073 easier to implement.
8439
8440 * dfg/DFGObjectAllocationSinkingPhase.cpp:
8441 (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
8442
84432015-05-04 Ryosuke Niwa <rniwa@webkit.org>
8444
8445 Extending undefined in class syntax should throw a TypeError
8446 https://bugs.webkit.org/show_bug.cgi?id=144284
8447
8448 Reviewed by Darin Adler.
8449
8450 The bug was caused by op_eq_null evaluating to true when compared to undefined.
8451 Explicitly check op_eq_undefined first to detect the case where we're extending undefined.
8452
8453 We also had bogus test cases checked in class-syntax-extends.html. This patch also fixes them.
8454
8455 * bytecompiler/NodesCodegen.cpp:
8456 (JSC::ClassExprNode::emitBytecode):
8457
84582015-05-04 Ryosuke Niwa <rniwa@webkit.org>
8459
8460 new super should be a syntax error
8461 https://bugs.webkit.org/show_bug.cgi?id=144282
8462
8463 Reviewed by Joseph Pecoraro.
8464
8465 Disallow "new super" as ES6 spec doesn't allow this.
8466
8467 * parser/Parser.cpp:
8468 (JSC::Parser<LexerType>::parseMemberExpression):
8469
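The two class-syntax rules in the entries above (extending undefined is a TypeError, `new super` is a SyntaxError), as an added example that is not part of the ChangeLog or of JSC's test suite. It assumes only an ES2015+ engine and feeds each snippet through `new Function` so that the engine's own parser and class-definition evaluation are exercised; the distinction it makes visible is that `extends null` is legal while `extends undefined` is not, and that `new super()` is rejected at parse time rather than at run time.

```javascript
// Added example; not WebKit code. Probes the ES6 class rules described above
// through the engine's own parser and class evaluation via `new Function`.

// Returns the name of the error the engine throws for `source`, or null when
// the source both parses and runs without throwing.
function errorNameFor(source) {
  try {
    new Function(source)();
    return null;
  } catch (e) {
    return e.name;
  }
}

// `class X extends undefined` must throw a TypeError when the class is
// defined, while `extends null` is legal (the parent prototype is just null).
function extendsCheck() {
  return {
    undefinedHeritage: errorNameFor('class A extends undefined {}'),
    nullHeritage: errorNameFor('class A extends null {}'),
    plainHeritage: errorNameFor('class A extends Object {}'),
  };
}

// `new super()` is not valid syntax, so the parser must reject it before any
// code runs: the error is a SyntaxError, not a runtime TypeError. A plain
// super() call in a derived constructor is fine.
function newSuperCheck() {
  return {
    newSuper: errorNameFor(
      'class B extends Object { constructor() { new super(); } }'),
    superCall: errorNameFor(
      'class B extends Object { constructor() { super(); } } new B();'),
  };
}
```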
84702015-05-04 Saam Barati <saambarati1@gmail.com>
8471
8472 JSCallbackObject does not maintain symmetry between accesses for getOwnPropertySlot and put
8473 https://bugs.webkit.org/show_bug.cgi?id=144265
8474
8475 Reviewed by Geoffrey Garen.
8476
8477 JSCallbackObject will defer to a parent's implementation of getOwnPropertySlot
8478 for a static function if the parent has that property slot. JSCallbackObject::put
8479 did not maintain this symmetry of also calling ::put on the parent if the parent
8480 has the property. We should ensure that this symmetry exists.
8481
8482 * API/JSCallbackObjectFunctions.h:
8483 (JSC::JSCallbackObject<Parent>::put):
8484 * API/tests/testapi.c:
8485 * API/tests/testapi.js:
8486 (globalStaticFunction2):
8487 (this.globalStaticFunction2):
8488 (iAmNotAStaticFunction):
8489 (this.iAmNotAStaticFunction):
8490
84912015-05-04 Andreas Kling <akling@apple.com>
8492
8493 Make ExecState::vm() branchless in release builds.
8494 <https://webkit.org/b/144586>
8495
8496 Reviewed by Geoffrey Garen.
8497
8498 Avoid null checking the ExecState's callee() before getting the
8499 VM from it. The code was already dereferencing it anyway, since we
8500 know it's not gonna be null.
8501
8502 * runtime/JSCellInlines.h:
8503 (JSC::ExecState::vm):
8504
85052015-05-04 Basile Clement <basile_clement@apple.com>
8506
8507 Object allocation not sinking properly through CheckStructure
8508 https://bugs.webkit.org/show_bug.cgi?id=144465
8509
8510 Reviewed by Filip Pizlo.
8511
8512 Currently, sinking an allocation through a CheckStructure will
8513 completely ignore all structure checking, which is obviously wrong.
8514
8515 A CheckStructureImmediate node type was present for that purpose, but
8516 the CheckStructures were not properly replaced. This ensures that
8517 CheckStructure nodes are replaced by CheckStructureImmediate nodes when
8518 sunk through, and that structure checking happens correctly.
8519
8520 * dfg/DFGNode.h:
8521 (JSC::DFG::Node::convertToCheckStructureImmediate): Added.
8522 (JSC::DFG::Node::hasStructureSet):
8523 * dfg/DFGObjectAllocationSinkingPhase.cpp:
8524 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
8525 * ftl/FTLLowerDFGToLLVM.cpp:
8526 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
8527 (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
8528 (JSC::FTL::LowerDFGToLLVM::checkStructure):
8529 * tests/stress/sink_checkstructure.js: Added.
8530 (foo):
8531
85322015-05-01 Geoffrey Garen <ggaren@apple.com>
8533
8534 REGRESSION(r183570): jslib-traverse-jquery is 22% slower
8535 https://bugs.webkit.org/show_bug.cgi?id=144476
8536
8537 Reviewed by Sam Weinig.
8538
8539 jslib-traverse-jquery is now 31% faster than its unregressed baseline.
8540
8541 The jQuery algorithm for sorting DOM nodes is so pathologically slow that,
8542 to my knowledge, the topic of how to optimize it is not covered in any
8543 literature about sorting.
8544
8545 On the slowest jQuery sorting test -- prevAll -- our new
8546 Array.prototype.sort, compared to its predecessor, performed 12% fewer
8547 comparisons and required 10X less overhead per comparison. Yet, it was
8548 slower.
8549
8550 It was slower because it inadvertently increased the average cost of the
8551 comparison function by 2X. jQuery uses compareDocumentPosition to compare
8552 DOM nodes, and compareDocumentPosition(a, b) is O(N) in the distance
8553 required to traverse backwards from b to a. In prevAll, we encounter the
8554 worst case for merge sort of compareDocumentPosition: A long list of DOM
8555 nodes in mostly reverse order. In this case, merge sort will sequentially
8556 compareDocumentPosition(a, b), where a is not reachable backwards from
8557 b, and therefore compareDocumentPosition will traverse the whole sibling
8558 list.
8559
8560 The solution is simple enough: Call compareDocumentPosition(b, a) instead.
8561
8562 This is a pretty silly thing to do, but it is harmless, and jQuery is
8563 popular, so let's do it.
8564
8565 We do not risk suffering the same problem in reverse when sorting a long
8566 list of DOM nodes in forward order. (We still have a 37% speedup on the
8567 nextAll benchmark.) The reason is that merge sort performs 2X fewer
8568 comparisons when the list is already sorted, so we can worry less about
8569 the cost of each comparison.
8570
8571 A fully principled solution to this problem would probably do something
8572 like Python's timsort, which special-cases ordered ranges to perform
8573 only O(n) comparisons. But that would contradict our original
8574 goal of just having something simple that works.
8575
8576 Another option is for elements to keep a compareDocumentPosition cache,
8577 like a node list cache, which allows you to determine the absolute
8578 position of a node using a hash lookup. I will leave this as an exercise
8579 for kling.
8580
8581 * builtins/Array.prototype.js:
8582 (sort.merge): Compare in an order that is favorable to a comparator
8583 that calls compareDocumentPosition.
8584
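The merge described in this entry, together with the three optimizations listed in the later entry "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array" (iteration instead of recursion, subscripting instead of copying, swapping src and dst), as an added example. This is not WebKit's builtins/Array.prototype.js; all names here (merge, mergeSortStable, sortWithStats, comparatorCallOrder) are this example's own.

```javascript
// Added example, not JavaScriptCore code: a bottom-up, stable merge sort that
// invokes the comparator as comparator(right, left), plus helpers that expose
// the comparison count and the argument order so the effect can be observed.

// Merge the sorted run src[srcIndex, srcIndex+width) with the run that follows it
// into dst. The right element is taken only when it compares strictly less than
// the left one: ties keep the left (earlier) element, which makes the sort stable.
function merge(dst, src, srcIndex, srcEnd, width, comparator) {
    let left = srcIndex;
    const leftEnd = Math.min(left + width, srcEnd);
    let right = leftEnd;
    const rightEnd = Math.min(right + width, srcEnd);

    for (let dstIndex = left; dstIndex < rightEnd; ++dstIndex) {
        if (right < rightEnd && (left >= leftEnd || comparator(src[right], src[left]) < 0)) {
            dst[dstIndex] = src[right++];
            continue;
        }
        dst[dstIndex] = src[left++];
    }
}

// Iterative merge sort over logical sub-lists: the run width doubles each pass,
// src and dst are swapped instead of copied, and the result is copied back into
// the subject array only if the last pass left it in the scratch buffer.
function mergeSortStable(array, comparator) {
    const length = array.length;
    let src = array;
    let dst = new Array(length);
    for (let width = 1; width < length; width *= 2) {
        for (let srcIndex = 0; srcIndex < length; srcIndex += 2 * width)
            merge(dst, src, srcIndex, length, width, comparator);
        [src, dst] = [dst, src];
    }
    if (src !== array) {
        for (let i = 0; i < length; ++i)
            array[i] = src[i];
    }
    return array;
}

// Sort a copy and report how many comparator calls it took, to check the
// "already sorted input needs fewer comparisons" claim on concrete inputs.
function sortWithStats(values, comparator) {
    let comparisons = 0;
    const counting = (a, b) => { ++comparisons; return comparator(a, b); };
    const sorted = mergeSortStable(values.slice(), counting);
    return { sorted, comparisons };
}

// Record the argument order of every comparator call: the merge asks
// comparator(right, left), the order chosen above for compareDocumentPosition.
function comparatorCallOrder(values) {
    const calls = [];
    mergeSortStable(values.slice(), (a, b) => { calls.push([a, b]); return a - b; });
    return calls;
}
```

For 16 already-sorted elements every merge exhausts its right run after exactly `width` comparisons, so the whole sort costs n/2 * log2(n) = 32 comparator calls; a scrambled input of the same size costs more, which is the asymmetry the entry relies on.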
85852015-05-04 Csaba Osztrogonác <ossy@webkit.org>
8586
8587 [cmake] Fix generate-js-builtins related incremental build issue
8588 https://bugs.webkit.org/show_bug.cgi?id=144094
8589
8590 Reviewed by Michael Saboff.
8591
8592 * CMakeLists.txt: Generated JSCBuiltins.<cpp|h> should depend on Source/JavaScriptCore/builtins directory.
8593 Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js.
8594 * DerivedSources.make:
8595 Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js.
8596 * generate-js-builtins: Accept input files and input directory too.
8597
85982015-05-03 Simon Fraser <simon.fraser@apple.com>
8599
8600 Make some static data const
8601 https://bugs.webkit.org/show_bug.cgi?id=144552
8602
8603 Reviewed by Andreas Kling.
8604
8605 Turn characterSetInfo into const data.
8606
8607 * yarr/YarrCanonicalizeUCS2.cpp:
8608 * yarr/YarrCanonicalizeUCS2.h:
8609
86102015-05-01 Filip Pizlo <fpizlo@apple.com>
8611
8612 TypeOf should be fast
8613 https://bugs.webkit.org/show_bug.cgi?id=144396
8614
8615 Reviewed by Geoffrey Garen.
8616
8617 Adds comprehensive support for fast typeof to the optimizing JITs. Calls into the runtime
8618 are only used for very exotic objects - they must have either the MasqueradesAsUndefined or
8619 TypeOfShouldCallGetCallData type flags set. All other cases are handled inline.
8620
8621 This means optimizing IsObjectOrNull, IsFunction, and TypeOf - all node types that used to
8622 rely heavily on C++ calls to fulfill their function.
8623
8624 Because TypeOf is now so fast, we no longer need to do any speculations on this node.
8625
8626 In the FTL, we take this further by querying AI for each branch in the TypeOf decision tree.
8627 This means that if the TypeOf is dominated by any type checks, we will automatically prune
8628 out cases that are redundant.
8629
8630 This patch anticipates the addition of SwitchTypeOf or something like that. So, the TypeOf
8631 code generation is designed to be reusable.
8632
8633 This is a speed-up on most typeof benchmarks. But, it is a slow-down on benchmarks that take
8634 the exotic call trap hook. That hook is now in a deeper slow path than before.
8635
8636 * CMakeLists.txt:
8637 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8638 * JavaScriptCore.xcodeproj/project.pbxproj:
8639 * dfg/DFGClobberize.h:
8640 (JSC::DFG::clobberize): TypeOf was pure all along, but we failed to realize this.
8641 * dfg/DFGFixupPhase.cpp:
8642 (JSC::DFG::FixupPhase::fixupNode):
8643 * dfg/DFGHeapLocation.cpp:
8644 (WTF::printInternal):
8645 * dfg/DFGHeapLocation.h:
8646 * dfg/DFGOperations.cpp:
8647 * dfg/DFGOperations.h:
8648 * dfg/DFGSpeculativeJIT.cpp:
8649 (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
8650 (JSC::DFG::SpeculativeJIT::compileIsFunction):
8651 (JSC::DFG::SpeculativeJIT::compileTypeOf):
8652 * dfg/DFGSpeculativeJIT.h:
8653 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
8654 (JSC::DFG::SpeculativeJIT::callOperation):
8655 * dfg/DFGSpeculativeJIT32_64.cpp:
8656 (JSC::DFG::SpeculativeJIT::compile):
8657 * dfg/DFGSpeculativeJIT64.cpp:
8658 (JSC::DFG::SpeculativeJIT::compile):
8659 * ftl/FTLCapabilities.cpp:
8660 (JSC::FTL::canCompile):
8661 * ftl/FTLIntrinsicRepository.h:
8662 * ftl/FTLLowerDFGToLLVM.cpp:
8663 (JSC::FTL::LowerDFGToLLVM::compileNode):
8664 (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
8665 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
8666 (JSC::FTL::LowerDFGToLLVM::compileTypeOf):
8667 (JSC::FTL::LowerDFGToLLVM::buildTypeOf): Reusable TypeOf building for the FTL.
8668 (JSC::FTL::LowerDFGToLLVM::isExoticForTypeof):
8669 * ftl/FTLSwitchCase.h:
8670 (JSC::FTL::SwitchCase::SwitchCase):
8671 * jit/AssemblyHelpers.h:
8672 (JSC::AssemblyHelpers::branchIfNotEqual):
8673 (JSC::AssemblyHelpers::branchIfEqual):
8674 (JSC::AssemblyHelpers::branchIfNumber):
8675 (JSC::AssemblyHelpers::branchIfNotNumber):
8676 (JSC::AssemblyHelpers::branchIfBoolean):
8677 (JSC::AssemblyHelpers::branchIfNotBoolean):
8678 (JSC::AssemblyHelpers::boxBooleanPayload):
8679 (JSC::AssemblyHelpers::boxBoolean):
8680 (JSC::AssemblyHelpers::emitTypeOf): Reusable TypeOf building for assembly JITs.
8681 * jit/JITOperations.h:
8682 * runtime/SmallStrings.h:
8683 (JSC::SmallStrings::typeString):
8684 * runtime/TypeofType.cpp: Added.
8685 (WTF::printInternal):
8686 * runtime/TypeofType.h: Added.
8687 * tests/stress/type-of-functions-and-objects.js: Modified this test to give more comprehensive feedback.
8688
86892015-05-02 Filip Pizlo <fpizlo@apple.com>
8690
8691 Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=144527.
8692
8693 * dfg/DFGLICMPhase.cpp:
8694 (JSC::DFG::LICMPhase::attemptHoist):
8695
86962015-05-02 Filip Pizlo <fpizlo@apple.com>
8697
8698 Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=144524 and
8699 https://bugs.webkit.org/show_bug.cgi?id=144525.
8700
8701 * dfg/DFGLICMPhase.cpp:
8702 (JSC::DFG::LICMPhase::attemptHoist):
8703 * dfg/DFGPhantomInsertionPhase.cpp:
8704
87052015-05-02 Yusuke Suzuki <utatane.tea@gmail.com>
8706
8707 Static property hashtable should only lookup with non-symbol key
8708 https://bugs.webkit.org/show_bug.cgi?id=144438
8709
8710 Reviewed by Darin Adler.
8711
8712 Static property hashtable compares the Identifier's uid
8713 with the normal C string without interning it.
8714 So this comparison is performed on their contents.
8715 As a result, in this comparison, symbol-ness is not considered.
8716
8717 So if accidentally a hash collision occurs between the symbol and the string
8718 and they have the same contents, the hash table entry is looked up incorrectly.
8719
8720 * runtime/Lookup.h:
8721 (JSC::HashTable::entry):
8722
87232015-05-01 Ryosuke Niwa <rniwa@webkit.org>
8724
8725 Class syntax should allow string and numeric identifiers for method names
8726 https://bugs.webkit.org/show_bug.cgi?id=144254
8727
8728 Reviewed by Darin Adler.
8729
8730 Added the support for string and numeric identifiers in class syntax.
8731
8732 * parser/Parser.cpp:
8733 (JSC::Parser<LexerType>::parseFunctionInfo): Instead of using ConstructorKind to indicate whether we're
8734 inside a class or not, use the newly added SuperBinding argument instead. ConstructorKind is now None
8735 outside a class constructor as it should be.
8736 (JSC::Parser<LexerType>::parseFunctionDeclaration):
8737 (JSC::Parser<LexerType>::parseClass): No longer expects an identifier at the beginning of every class
8738 element to allow numeric and string method names. For both of those method names, parse it here instead
8739 of parseFunctionInfo since it doesn't support either type. Also pass in SuperBinding::Needed.
8740 (JSC::Parser<LexerType>::parsePropertyMethod): Call parseFunctionInfo with SuperBinding::NotNeeded since
8741 this function is never used to parse a class method.
8742 (JSC::Parser<LexerType>::parseGetterSetter): Pass in superBinding argument to parseFunctionInfo.
8743 (JSC::Parser<LexerType>::parsePrimaryExpression): Call parseFunctionInfo with SuperBinding::NotNeeded.
8744 * parser/Parser.h:
8745 * parser/SyntaxChecker.h:
8746 (JSC::SyntaxChecker::createProperty):
8747
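The three class-syntax rules covered by these entries (extending undefined throws a TypeError, "new super" is a syntax error, and string or numeric method names are accepted), as an added conformance check. This is not WebKit's test code; the snippet harness and its names (classifySnippet, classSyntaxChecks) are this example's own, and it uses the Function constructor to separate parse-time failures from run-time ones.

```javascript
// Added example, not JavaScriptCore code: compile each snippet with the Function
// constructor, then run it, and report at which stage it fails and with which error.

// Returns "parse:<ErrorName>" for an early (syntax) error, "run:<ErrorName>" for
// an exception thrown while evaluating the snippet, or "ok".
function classifySnippet(source) {
    let fn;
    try {
        fn = new Function(source);   // parse stage only; nothing runs yet
    } catch (e) {
        return "parse:" + e.constructor.name;
    }
    try {
        fn();                        // evaluation stage
    } catch (e) {
        return "run:" + e.constructor.name;
    }
    return "ok";
}

// The cases the entries describe, plus the neighbouring forms that must keep working.
function classSyntaxChecks() {
    return {
        // `extends undefined` is not an early error; it fails at class definition
        // evaluation with a TypeError, the same as any non-constructor heritage.
        extendsUndefined: classifySnippet("class A extends undefined {}"),
        extendsNumber:    classifySnippet("class A extends 42 {}"),
        // `extends null` is allowed by the grammar and by ClassDefinitionEvaluation.
        extendsNull:      classifySnippet("class A extends null {}"),
        extendsObject:    classifySnippet("class A extends Object {}"),
        // `new super()` has no production in the grammar: it must be rejected at parse time.
        newSuper:         classifySnippet("class B { constructor() { new super(); } }"),
        // `new super.x()` is fine: SuperProperty is a MemberExpression.
        newSuperProperty: classifySnippet(
            "class B extends Object { constructor() { super(); new super.constructor(); } }"),
        // String and numeric method names in a class body.
        stringAndNumericMethodNames: classifySnippet(
            "class C { 'with space'() { return 1; } 42() { return 2; } }" +
            " if (new C()['with space']() + new C()[42]() !== 3) throw new Error('wrong method');"),
    };
}
```

Running `classSyntaxChecks()` on a conforming engine yields `run:TypeError` for the undefined and numeric heritage cases, `parse:SyntaxError` for `new super()`, and `ok` for the rest; a result of `ok` for `extendsUndefined` is exactly the bug the first entry fixes.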
87482015-05-01 Filip Pizlo <fpizlo@apple.com>
8749
8750 FTL should use AI more
8751 https://bugs.webkit.org/show_bug.cgi?id=144500
8752
8753 Reviewed by Oliver Hunt.
8754
8755 This makes our type check folding even more comprehensive by ensuring that even if the FTL
8756 decides to emit some checks, it will still do another query to the abstract interpreter to
8757 see if the check is necessary. This helps with cases where we decided early on to speculate
8758 one way, but later proved a more specific type of the value in question, and the constant
8759 folder didn't catch it.
8760
8761 This also makes it more natural to query the abstract interpreter. For example, if you just
8762 want the proven type, you can now say provenType(node) or provenType(edge).
8763
8764 * dfg/DFGArrayMode.cpp:
8765 (JSC::DFG::ArrayMode::alreadyChecked):
8766 * dfg/DFGArrayMode.h:
8767 * ftl/FTLLowerDFGToLLVM.cpp:
8768 (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
8769 (JSC::FTL::LowerDFGToLLVM::compileToThis):
8770 (JSC::FTL::LowerDFGToLLVM::compileValueAdd):
8771 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
8772 (JSC::FTL::LowerDFGToLLVM::compileArithPow):
8773 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
8774 (JSC::FTL::LowerDFGToLLVM::compileGetById):
8775 (JSC::FTL::LowerDFGToLLVM::compileCheckArray):
8776 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
8777 (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
8778 (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
8779 (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
8780 (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
8781 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
8782 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
8783 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
8784 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
8785 (JSC::FTL::LowerDFGToLLVM::compileIsString):
8786 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
8787 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
8788 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
8789 (JSC::FTL::LowerDFGToLLVM::baseIndex):
8790 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
8791 (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
8792 (JSC::FTL::LowerDFGToLLVM::boolify):
8793 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
8794 (JSC::FTL::LowerDFGToLLVM::lowInt32):
8795 (JSC::FTL::LowerDFGToLLVM::lowInt52):
8796 (JSC::FTL::LowerDFGToLLVM::lowCell):
8797 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
8798 (JSC::FTL::LowerDFGToLLVM::lowDouble):
8799 (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
8800 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
8801 (JSC::FTL::LowerDFGToLLVM::isNumber):
8802 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
8803 (JSC::FTL::LowerDFGToLLVM::isNotCell):
8804 (JSC::FTL::LowerDFGToLLVM::isCell):
8805 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
8806 (JSC::FTL::LowerDFGToLLVM::isMisc):
8807 (JSC::FTL::LowerDFGToLLVM::isNotBoolean):
8808 (JSC::FTL::LowerDFGToLLVM::isBoolean):
8809 (JSC::FTL::LowerDFGToLLVM::isNotOther):
8810 (JSC::FTL::LowerDFGToLLVM::isOther):
8811 (JSC::FTL::LowerDFGToLLVM::isProvenValue):
8812 (JSC::FTL::LowerDFGToLLVM::isObject):
8813 (JSC::FTL::LowerDFGToLLVM::isNotObject):
8814 (JSC::FTL::LowerDFGToLLVM::isNotString):
8815 (JSC::FTL::LowerDFGToLLVM::isString):
8816 (JSC::FTL::LowerDFGToLLVM::isFunction):
8817 (JSC::FTL::LowerDFGToLLVM::isNotFunction):
8818 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
8819 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
8820 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
8821 (JSC::FTL::LowerDFGToLLVM::abstractValue):
8822 (JSC::FTL::LowerDFGToLLVM::provenType):
8823 (JSC::FTL::LowerDFGToLLVM::provenValue):
8824 (JSC::FTL::LowerDFGToLLVM::abstractStructure):
8825
88262015-05-01 Martin Robinson <mrobinson@igalia.com>
8827
8828 USE(...) macro should expect unprefixed variables
8829 https://bugs.webkit.org/show_bug.cgi?id=144454
8830
8831 Reviewed by Daniel Bates.
8832
8833 * CMakeLists.txt: Replace all occurrences of WTF_USE with USE.
8834
88352015-05-01 Jordan Harband <ljharb@gmail.com>
8836
8837 String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly
8838 https://bugs.webkit.org/show_bug.cgi?id=144314
8839
8840 Reviewed by Darin Adler.
8841
8842 Fixing handling of Infinity position args, per
8843 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
8844 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
8845 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
8846
8847 * runtime/StringPrototype.cpp:
8848 (JSC::clampInt32):
8849 (JSC::stringProtoFuncStartsWith):
8850 (JSC::stringProtoFuncEndsWith):
8851 (JSC::stringProtoFuncIncludes):
8852
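The position handling this entry fixes, as an added example that follows the three ES6 draft sections it links: ToInteger the position (NaN becomes 0, an infinity stays an infinity), clamp it into [0, length], and only then do index arithmetic. This is not WebKit's StringPrototype.cpp; the names (toInteger, clampPosition, specStartsWith, specEndsWith, specIncludes, positionEdgeCases) are this example's own.

```javascript
// Added example, not JavaScriptCore code: spec-shaped startsWith / endsWith /
// includes whose position argument is clamped before use, plus a cross-check of
// the host engine against them on the edge positions (+/-Infinity, NaN, out of range).

// ES6 ToInteger: NaN -> 0, +/-Infinity preserved, otherwise truncate toward zero.
function toInteger(value) {
    const n = Number(value);
    if (Number.isNaN(n)) return 0;
    if (!Number.isFinite(n)) return n;
    return Math.trunc(n);
}

// Clamp an integer position into [0, length]. +Infinity lands on length and
// -Infinity on 0, so no non-finite value ever reaches the index arithmetic below.
function clampPosition(position, length) {
    return Math.min(Math.max(position, 0), length);
}

function specStartsWith(str, searchString, position) {
    const s = String(str), search = String(searchString);
    const start = clampPosition(position === undefined ? 0 : toInteger(position), s.length);
    if (start + search.length > s.length) return false;
    return s.substring(start, start + search.length) === search;
}

function specEndsWith(str, searchString, endPosition) {
    const s = String(str), search = String(searchString);
    const end = clampPosition(endPosition === undefined ? s.length : toInteger(endPosition), s.length);
    const start = end - search.length;
    if (start < 0) return false;
    return s.substring(start, end) === search;
}

function specIncludes(str, searchString, position) {
    const s = String(str), search = String(searchString);
    const start = clampPosition(position === undefined ? 0 : toInteger(position), s.length);
    return s.indexOf(search, start) !== -1;
}

// Compare the engine's built-ins with the spec-shaped versions on "abc" for a
// set of constructed edge positions; returns the list of disagreements.
function positionEdgeCases() {
    const positions = [undefined, -Infinity, -1, 0, 1.9, NaN, 3, 100, Infinity];
    const searches = ["a", "c", ""];
    const mismatches = [];
    for (const p of positions) {
        for (const q of searches) {
            if ("abc".startsWith(q, p) !== specStartsWith("abc", q, p)) mismatches.push(["startsWith", q, p]);
            if ("abc".endsWith(q, p) !== specEndsWith("abc", q, p)) mismatches.push(["endsWith", q, p]);
            if ("abc".includes(q, p) !== specIncludes("abc", q, p)) mismatches.push(["includes", q, p]);
        }
    }
    return mismatches;
}
```

An engine that casts an infinite position to a 32-bit integer before clamping (the defect this entry describes) shows up in `positionEdgeCases()` as disagreements on the `Infinity` and `-Infinity` rows; a conforming engine returns an empty list.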
88532015-05-01 Basile Clement <basile_clement@apple.com>
8854
8855 Math.abs() returns negative
8856 https://bugs.webkit.org/show_bug.cgi?id=137827
8857
8858 Reviewed by Michael Saboff.
8859
8860 Math.abs() on doubles was mistakenly assumed by the DFG AI to be the
8861 identity function.
8862
8863 * dfg/DFGAbstractInterpreterInlines.h:
8864 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
8865 * tests/stress/math-abs-positive.js: Added, was previously failing.
8866 (foo):
8867
88682015-05-01 Basile Clement <basile_clement@apple.com>
8869
8870 Function allocation sinking shouldn't be performed on singleton functions
8871 https://bugs.webkit.org/show_bug.cgi?id=144166
8872
8873 Reviewed by Geoffrey Garen.
8874
8875 Function allocations usually are free of any other side effects, but
8876 this is not the case for allocations performed while the underlying
8877 FunctionExecutable is still a singleton (as this allocation will fire
8878 watchpoints invalidating code that depends on it being a singleton).
8879 As the object allocation sinking phase assumes object allocation is
8880 free of side-effects, sinking these allocations is not correct.
8881
8882 This also means that when materializing a function allocation on OSR
8883 exit, that function's executable will never be a singleton, and we don't have
8884 to worry about its watchpoint, allowing us to use
8885 JSFunction::createWithInvalidatedRellocationWatchpoint instead of
8886 JSFunction::create.
8887
8888 * dfg/DFGObjectAllocationSinkingPhase.cpp:
8889 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
8890 * ftl/FTLOperations.cpp:
8891 (JSC::FTL::operationMaterializeObjectInOSR):
8892
88932015-04-30 Jon Davis <jond@apple.com>
8894
8895 Web Inspector: console should show an icon for console.info() messages
8896 https://bugs.webkit.org/show_bug.cgi?id=18530
8897
8898 Reviewed by Timothy Hatcher.
8899
8900 * inspector/ConsoleMessage.cpp:
8901 (Inspector::messageLevelValue):
8902 * inspector/protocol/Console.json:
8903 * runtime/ConsoleClient.cpp:
8904 (JSC::appendMessagePrefix):
8905 * runtime/ConsolePrototype.cpp:
8906 (JSC::ConsolePrototype::finishCreation):
8907 (JSC::consoleProtoFuncInfo):
8908 * runtime/ConsoleTypes.h:
8909
89102015-04-30 Filip Pizlo <fpizlo@apple.com>
8911
8912 Move all of the branchIs<type> helpers from SpeculativeJIT into AssemblyHelpers
8913 https://bugs.webkit.org/show_bug.cgi?id=144462
8914
8915 Reviewed by Geoffrey Garen and Mark Lam.
8916
8917 At some point we started adding representation-agnostic helpers for doing common type tests.
8918 We added some in SpeculativeJIT, and then some in AssemblyHelpers. Prior to this change,
8919 they had overlapping powers, though SpeculativeJIT was a bit better.
8920
8921 This removes SpeculativeJIT's helpers and strengthens AssemblyHelpers' helpers. This is
8922 better because now all of these helpers can be used in all of the assembly-based JITs, not
8923 just the DFG. It also settles on what I find to be a slightly better naming convention.
8924 For example where we previously would have said branchIsString, now we say
8925 branchIfString. Similarly, branchNotString becomes branchIfNotString.
8926
8927 * dfg/DFGSpeculativeJIT.cpp:
8928 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
8929 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
8930 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
8931 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
8932 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
8933 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
8934 (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
8935 (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
8936 (JSC::DFG::SpeculativeJIT::speculateObject):
8937 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
8938 (JSC::DFG::SpeculativeJIT::speculateString):
8939 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
8940 (JSC::DFG::SpeculativeJIT::speculateNotCell):
8941 (JSC::DFG::SpeculativeJIT::speculateOther):
8942 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
8943 (JSC::DFG::SpeculativeJIT::emitSwitchString):
8944 (JSC::DFG::SpeculativeJIT::branchIsObject): Deleted.
8945 (JSC::DFG::SpeculativeJIT::branchNotObject): Deleted.
8946 (JSC::DFG::SpeculativeJIT::branchIsString): Deleted.
8947 (JSC::DFG::SpeculativeJIT::branchNotString): Deleted.
8948 * dfg/DFGSpeculativeJIT.h:
8949 * dfg/DFGSpeculativeJIT32_64.cpp:
8950 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
8951 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
8952 (JSC::DFG::SpeculativeJIT::emitCall):
8953 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
8954 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
8955 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
8956 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
8957 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
8958 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
8959 (JSC::DFG::SpeculativeJIT::compile):
8960 (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted.
8961 (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted.
8962 (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted.
8963 (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted.
8964 * dfg/DFGSpeculativeJIT64.cpp:
8965 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
8966 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
8967 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
8968 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
8969 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
8970 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
8971 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
8972 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
8973 (JSC::DFG::SpeculativeJIT::compile):
8974 (JSC::DFG::SpeculativeJIT::writeBarrier):
8975 (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted.
8976 (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted.
8977 (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted.
8978 (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted.
8979 * jit/AssemblyHelpers.h:
8980 (JSC::AssemblyHelpers::branchIfCell):
8981 (JSC::AssemblyHelpers::branchIfOther):
8982 (JSC::AssemblyHelpers::branchIfNotOther):
8983 (JSC::AssemblyHelpers::branchIfObject):
8984 (JSC::AssemblyHelpers::branchIfNotObject):
8985 (JSC::AssemblyHelpers::branchIfType):
8986 (JSC::AssemblyHelpers::branchIfNotType):
8987 (JSC::AssemblyHelpers::branchIfString):
8988 (JSC::AssemblyHelpers::branchIfNotString):
8989 (JSC::AssemblyHelpers::branchIfSymbol):
8990 (JSC::AssemblyHelpers::branchIfNotSymbol):
8991 (JSC::AssemblyHelpers::branchIfFunction):
8992 (JSC::AssemblyHelpers::branchIfNotFunction):
8993 (JSC::AssemblyHelpers::branchIfEmpty):
8994 (JSC::AssemblyHelpers::branchIsEmpty): Deleted.
8995 (JSC::AssemblyHelpers::branchIfCellNotObject): Deleted.
8996 * jit/JITPropertyAccess.cpp:
8997 (JSC::JIT::emitScopedArgumentsGetByVal):
8998
89992015-04-30 Filip Pizlo <fpizlo@apple.com>
9000
9001 js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing
9002 https://bugs.webkit.org/show_bug.cgi?id=144463
9003
9004 Reviewed by Benjamin Poulain.
9005
9006 Fixup phase was super cleverly folding an IsString(@x) when @x is predicted SpecString
9007 into a Check(String:@x) followed by JSConstant(true). Then in these tests the
9008 ValueAdd(IsString(@x), @stuff) would try to turn this into an integer add by cleverly
9009 converting the boolean into an integer. But as part of doing that, it would try to
9010 short-circuit any profiling by leveraging the fact that the IsString is now a constant,
9011 and it would try to figure out if the addition might overflow. Part of that logic
9012 involved checking if the immediate is either a boolean or a sufficiently small integer.
9013 But: it would check if it's a sufficiently small integer before checking if it was a
9014 boolean, so it would try to call asNumber() on the boolean.
9015
9016 All of this cleverness was very deliberate, but apparently the @stuff + booleanConstant
9017 case was previously never hit until I wrote these tests, and so we never knew that
9018 calling asNumber() on a boolean was wrong.
9019
9020 The fix is super simple: the expression should just check for boolean first.
9021
9022 This bug was benign in release builds. JSValue::asNumber() on a boolean would return
9023 garbage, and that's OK, since we'd take the boolean case anyway.
9024
9025 * dfg/DFGGraph.h:
9026 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
9027
90282015-04-30 Filip Pizlo <fpizlo@apple.com>
9029
9030 Unreviewed, add a FIXME comment referencing https://bugs.webkit.org/show_bug.cgi?id=144458.
9031
9032 * jit/JITOperations.cpp:
9033
90342015-04-30 Filip Pizlo <fpizlo@apple.com>
9035
9036 Add a comment clarifying the behavior and semantics of getCallData/getConstructData, in
9037 particular that they cannot change their minds and may be called from compiler threads.
9038
9039 Rubber stamped by Geoffrey Garen.
9040
9041 * runtime/JSCell.h:
9042
90432015-04-29 Filip Pizlo <fpizlo@apple.com>
9044
9045 DFG Is<Blah> versions of TypeOf should fold based on proven input type
9046 https://bugs.webkit.org/show_bug.cgi?id=144409
9047
9048 Reviewed by Geoffrey Garen.
9049
9050 We were missing some obvious folding opportunities here. I don't know how this affects real
9051 code, but in general, we like to ensure that our constant folding is comprehensive. So this
9052 is more about placating my static analysis OCD than anything else.
9053
9054 I added a bunch of speed/correctness tests for this in LayoutTests/js/regress.
9055
9056 * dfg/DFGAbstractInterpreterInlines.h:
9057 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
9058
90592015-04-30 Yusuke Suzuki <utatane.tea@gmail.com>
9060
9061 Use the default hash value for Symbolized StringImpl
9062 https://bugs.webkit.org/show_bug.cgi?id=144347
9063
9064 Reviewed by Darin Adler.
9065
9066 Before this patch, symbolized StringImpl* has a special hash value
9067 to avoid the hash collision with the other normal StringImpl*.
9068 I guess that it was introduced when private symbols were introduced.
9069 However, it prevents using symbolized StringImpl* in other places.
9070 For example, using it as WTFString causes a problem because of its special hash value.
9071
9072 When only using private symbols, they are not exposed to the outside of JSC,
9073 so we can handle it carefully. But now, it's extended to symbols.
9074 So I think storing a special hash value in StringImpl* causes an error.
9075
9076 To avoid this, I propose using the usual hash value in symbolized StringImpl*.
9077 And to provide significantly different hash value when using it as symbol,
9078 store the additional hash value in symbolized StringImpl*. It is used when
9079 the hash value is required by IdentifierRepHash.
9080
9081 * runtime/Identifier.h:
9082 (JSC::IdentifierRepHash::hash):
9083 * runtime/Lookup.h:
9084 (JSC::HashTable::entry):
9085 * runtime/PropertyMapHashTable.h:
9086 (JSC::PropertyTable::find):
9087 (JSC::PropertyTable::get):
9088 * runtime/Structure.cpp:
9089 (JSC::PropertyTable::checkConsistency):
9090
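A regression-style check for the two symbol-related entries above ("Static property hashtable should only lookup with non-symbol key" and this one), as an added example that is not WebKit's test code: a Symbol whose description equals a built-in property name must never resolve to the string-keyed static entry, on read or on write. The names (symbolAliasLeaks, collisionReport, symbolWriteDoesNotShadow) are this example's own.

```javascript
// Added example, not JavaScriptCore code: probe built-in objects with symbols
// whose descriptions collide with static property names. A hit means key
// contents were compared without regard to symbol-ness, the bug class above.

// True if both the string key and a same-description symbol resolve to an own
// property of `object`, i.e. the symbol leaked into the string-keyed entry.
function symbolAliasLeaks(object, propertyName) {
    const aliased = Symbol(propertyName);
    const byString = Object.getOwnPropertyDescriptor(object, propertyName);
    const bySymbol = Object.getOwnPropertyDescriptor(object, aliased);
    return byString !== undefined && bySymbol !== undefined;
}

// Sweep a few objects whose properties come from static tables in JSC, and
// confirm that a Map treats a string and a same-description symbol as distinct keys.
function collisionReport() {
    const targets = [
        [String.prototype, "charAt"],
        [Array.prototype, "push"],
        [Math, "abs"],
        [JSON, "parse"],
    ];
    const leaks = targets
        .filter(([object, name]) => symbolAliasLeaks(object, name))
        .map(([, name]) => name);

    const keys = new Map();
    keys.set("charAt", "string-key");
    keys.set(Symbol("charAt"), "symbol-key");
    return { leaks, distinctKeys: keys.size === 2 && keys.get("charAt") === "string-key" };
}

// The write side: storing under a colliding symbol must create a separate own
// property and leave the string-keyed static function untouched.
function symbolWriteDoesNotShadow() {
    const boxed = new String("abc");
    boxed[Symbol("charAt")] = "shadow";
    return typeof boxed.charAt === "function"
        && boxed.charAt(0) === "a"
        && Object.getOwnPropertySymbols(boxed).length === 1;
}
```

On a conforming engine `collisionReport().leaks` is empty and both boolean checks hold; any name listed in `leaks` identifies a static table whose lookup ignored the key's symbol-ness.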
90912015-04-29 Benjamin Poulain <bpoulain@apple.com>
9092
9093 [JSC] Remove RageConvert array conversion
9094 https://bugs.webkit.org/show_bug.cgi?id=144433
9095
9096 Reviewed by Filip Pizlo.
9097
9098 RageConvert was causing a subtle bug that was hitting the Kraken crypto tests
9099 pretty hard:
9100 -The indexing types show that the array access varies between Int32 and DoubleArray.
9101 -ArrayMode::fromObserved() decided to use the most generic type: DoubleArray.
9102 An Arrayify node would convert the Int32 to that type.
9103 -Somewhere, a GetByVal or PutByVal would have the flag NodeBytecodeUsesAsInt. That
9104 node would use RageConvert instead of Convert.
9105 -The Arrayify for that GetByVal with RageConvert would not convert the array to
9106 Contiguous.
9107 -All the following array accesses that do not have the flag NodeBytecodeUsesAsInt would
9108 now expect a DoubleArray and always get a Contiguous Array. The CheckStructure
9109 fails systematically and we never get to run the later code.
9110
9111 Getting rid of RageConvert fixes the problem and does not seem to have any
9112 negative side effect on other benchmarks.
9113
9114 The improvements on Kraken are:
9115 -stanford-crypto-aes: definitely 1.0915x faster.
9116 -stanford-crypto-pbkdf2: definitely 1.2446x faster.
9117 -stanford-crypto-sha256-iterative: definitely 1.0544x faster.
9118
9119 * dfg/DFGAbstractInterpreterInlines.h:
9120 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
9121 * dfg/DFGArrayMode.cpp:
9122 (JSC::DFG::ArrayMode::refine):
9123 (JSC::DFG::arrayConversionToString):
9124 * dfg/DFGArrayMode.h:
9125 * dfg/DFGArrayifySlowPathGenerator.h:
9126 * dfg/DFGFixupPhase.cpp:
9127 (JSC::DFG::FixupPhase::fixupNode):
9128 * dfg/DFGOperations.cpp:
9129 * dfg/DFGOperations.h:
9130 * dfg/DFGPredictionPropagationPhase.cpp:
9131 (JSC::DFG::PredictionPropagationPhase::propagate):
9132 * dfg/DFGTypeCheckHoistingPhase.cpp:
9133 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
9134 * ftl/FTLLowerDFGToLLVM.cpp:
9135 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
9136 * runtime/JSObject.cpp:
9137 (JSC::JSObject::convertDoubleToContiguous):
9138 (JSC::JSObject::ensureContiguousSlow):
9139 (JSC::JSObject::genericConvertDoubleToContiguous): Deleted.
9140 (JSC::JSObject::rageConvertDoubleToContiguous): Deleted.
9141 (JSC::JSObject::rageEnsureContiguousSlow): Deleted.
9142 * runtime/JSObject.h:
9143 (JSC::JSObject::rageEnsureContiguous): Deleted.
9144
91452015-04-29 Joseph Pecoraro <pecoraro@apple.com>
9146
9147 Gracefully handle missing auto pause key on remote inspector setup
9148 https://bugs.webkit.org/show_bug.cgi?id=144411
9149
9150 Reviewed by Timothy Hatcher.
9151
9152 * inspector/remote/RemoteInspector.mm:
9153 (Inspector::RemoteInspector::receivedSetupMessage):
9154
91552015-04-29 Joseph Pecoraro <pecoraro@apple.com>
9156
9157 NodeList has issues with Symbol and empty string
9158 https://bugs.webkit.org/show_bug.cgi?id=144310
9159
9160 Reviewed by Darin Adler.
9161
9162 * runtime/PropertyName.h:
9163 (JSC::PropertyName::isSymbol):
9164 Helper to check if the PropertyName is a string or symbol property.
9165
91662015-04-29 Alex Christensen <achristensen@webkit.org>
9167
9168 Fix non-cygwin incremental builds on Windows.
9169 https://bugs.webkit.org/show_bug.cgi?id=143264
9170
9171 Reviewed by Brent Fulgham.
9172
9173 * generate-js-builtins:
9174 Remove stale headers before calling os.rename to replace them.
9175
91762015-04-29 Filip Pizlo <fpizlo@apple.com>
9177
9178 JSTypeInfo should have an inline type flag to indicate if getCallData() has been overridden
9179 https://bugs.webkit.org/show_bug.cgi?id=144397
9180
9181 Reviewed by Andreas Kling.
9182
9183 Add the flag to JSTypeInfo. It's an inline flag so that it's fast to query. Slap the flag on
9184 callback objects and internal functions. Modify the TypeOf operation to use this flag to avoid
9185 making a getCallData() call if it isn't necessary.
9186
9187 * API/JSCallbackObject.h:
9188 * runtime/InternalFunction.h:
9189 * runtime/JSTypeInfo.h:
9190 (JSC::TypeInfo::typeOfShouldCallGetCallData):
9191 * runtime/Operations.cpp:
9192 (JSC::jsTypeStringForValue):
9193 * tests/stress/type-of-functions-and-objects.js: Added.
9194 (foo):
9195 (bar):
9196 (baz):
9197 (fuzz):
9198 (expect):
9199 (test):
9200
2015-04-28 Geoffrey Garen <ggaren@apple.com>

It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
https://bugs.webkit.org/show_bug.cgi?id=144013

Reviewed by Mark Lam.

This patch implements Array.prototype.sort in JavaScript, removing the
C++ implementations. It is simpler and less error-prone to express our
operations in JavaScript, which provides memory safety, exception safety,
and recursion safety.

The performance result is mixed, but net positive in my opinion. It's
difficult to enumerate all the results, since we used to have so many
different sorting modes, and there are lots of different data patterns
across which you might want to measure sorting. Suffice it to say:

(*) The benchmarks we track are faster or unchanged.

(*) Sorting random input using a comparator -- which we think is
common -- is 3X faster.

(*) Sorting random input in a non-array object -- which jQuery does
-- is 4X faster.

(*) Sorting random input in a compact array of integers using a
trivial pattern-matchable comparator is 2X *slower*.

* builtins/Array.prototype.js:
(sort.min):
(sort.stringComparator):
(sort.compactSparse): Special case compaction for sparse arrays because
we don't want to hang when sorting new Array(BIG).

(sort.compact):
(sort.merge):
(sort.mergeSort): Use merge sort because it's a reasonably efficient
stable sort. We have evidence that some sites depend on stable sort,
even though the ES6 spec does not mandate it. (See
<http://trac.webkit.org/changeset/33967>.)

This is a textbook implementation of merge sort with three optimizations:

(1) Use iteration instead of recursion;

(2) Use array subscripting instead of array copying in order to
create logical sub-lists without creating physical sub-lists;

(3) Swap src and dst at each iteration instead of copying src into
dst, and only copy src into the subject array at the end if src is
not the subject array.

(sort.inflate):
(sort.comparatorSort):
(sort): Sort in JavaScript for the win.

* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
names so we can use helper functions.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::isNumericCompareFunction): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
(JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionNode::emitBytecode): We don't do this special casing based
on pattern matching anymore. This was mainly an optimization to avoid
the overhead of calling from C++ to JS, which we now avoid by
sorting in JS.

* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::pushTempSortVector): Deleted.
(JSC::Heap::popTempSortVector): Deleted.
(JSC::Heap::visitTempSortVectors): Deleted.
* heap/Heap.h: We don't have temp sort vectors anymore because we sort
in JavaScript using a normal JavaScript array for our temporary storage.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
helper functions.

* runtime/ArrayPrototype.cpp:
(JSC::isNumericCompareFunction): Deleted.
(JSC::attemptFastSort): Deleted.
(JSC::performSlowSort): Deleted.
(JSC::arrayProtoFuncSort): Deleted.

* runtime/CommonIdentifiers.h: New strings used by sort.

* runtime/JSArray.cpp:
(JSC::compareNumbersForQSortWithInt32): Deleted.
(JSC::compareNumbersForQSortWithDouble): Deleted.
(JSC::compareNumbersForQSort): Deleted.
(JSC::compareByStringPairForQSort): Deleted.
(JSC::JSArray::sortNumericVector): Deleted.
(JSC::JSArray::sortNumeric): Deleted.
(JSC::ContiguousTypeAccessor::getAsValue): Deleted.
(JSC::ContiguousTypeAccessor::setWithValue): Deleted.
(JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
(JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
(JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
(JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
(JSC::JSArray::sortCompactedVector): Deleted.
(JSC::JSArray::sort): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
(JSC::JSArray::sortVector): Deleted.
(JSC::JSArray::compactForSorting): Deleted.
* runtime/JSArray.h:

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::finishCreation): Provide some builtins used
by sort.

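The sort shape this entry describes (compaction of holes and undefined first, then an iterative, index-based, stable merge sort that swaps src and dst per pass and copies back only when needed), as an added JavaScript example rather than the builtins/Array.prototype.js code itself; the names sortLike, compact, merge and mergeSort are assumptions of this example and work on arrays only.

```javascript
// Added example, not JavaScriptCore's builtin. Default comparator: compare
// as strings, as Array.prototype.sort does without a comparator.
function stringComparator(a, b) {
  const sa = String(a), sb = String(b);
  return sa < sb ? -1 : sa > sb ? 1 : 0;
}

// Merge src[left, middle) and src[middle, right) into dst[left, right).
// Taking from the left run on ties keeps equal elements in order (stability).
function merge(dst, src, left, middle, right, comparator) {
  let i = left, j = middle, k = left;
  while (i < middle && j < right) {
    if (comparator(src[i], src[j]) <= 0) dst[k++] = src[i++];
    else dst[k++] = src[j++];
  }
  while (i < middle) dst[k++] = src[i++];
  while (j < right) dst[k++] = src[j++];
}

// The three optimizations from the entry: (1) bottom-up iteration instead of
// recursion; (2) logical sub-lists via indices, no physical copies; (3) swap
// src and dst each pass and copy back into the subject array only if the
// final result did not land there.
function mergeSort(array, length, comparator) {
  let src = array;
  let dst = new Array(length);
  for (let width = 1; width < length; width *= 2) {
    for (let left = 0; left < length; left += 2 * width) {
      const middle = Math.min(left + width, length);
      const right = Math.min(left + 2 * width, length);
      merge(dst, src, left, middle, right, comparator);
    }
    [src, dst] = [dst, src];
  }
  if (src !== array) {
    for (let i = 0; i < length; i++) array[i] = src[i];
  }
  return array;
}

// Compaction: keep the comparator away from holes and undefined. Defined
// values are packed to the front, undefined values follow them, and the
// remaining slots become holes; returns the count of defined values.
function compact(array, length) {
  let undefinedCount = 0;
  let write = 0;
  for (let i = 0; i < length; i++) {
    if (!(i in array)) continue; // hole
    const v = array[i];
    if (v === undefined) { undefinedCount++; continue; }
    array[write++] = v;
  }
  const definedCount = write;
  for (let i = 0; i < undefinedCount; i++) array[write++] = undefined;
  for (let i = write; i < length; i++) delete array[i];
  return definedCount;
}

// Hypothetical entry point standing in for the builtin sort.
function sortLike(array, comparator = stringComparator) {
  const length = array.length >>> 0;
  const definedCount = compact(array, length);
  if (definedCount > 1) mergeSort(array, definedCount, comparator);
  return array;
}
```
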
2015-04-29 Mark Lam <mark.lam@apple.com>

Safari WebKit crash when loading Google Spreadsheet.
https://bugs.webkit.org/show_bug.cgi?id=144020

Reviewed by Filip Pizlo.

The bug is that the object allocation sinking phase did not account for a case
where a property of a sunken object is only initialized on one path and not
another. As a result, on the path where the property is not initialized, we'll
encounter an Upsilon with a BottomValue (which is not allowed by definition).

The fix is to use a JSConstant(undefined) as the bottom value instead (of
BottomValue). If the property is uninitialized, it should still be accessible
and have the value undefined.

* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
* tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added.
(foo):
(foo2):

2015-04-29 Yusuke Suzuki <utatane.tea@gmail.com>

REGRESSION (r183373): ASSERT failed in wtf/SHA1.h
https://bugs.webkit.org/show_bug.cgi?id=144257

Reviewed by Darin Adler.

SHA1 is used to calculate CodeBlockHash.
To calculate the hash value, we pass the source code's UTF-8 CString to SHA1::addBytes.
However, the source code can contain a null character.
So when performing `strlen` on the source code's CString, it returns an incorrect length.
In SHA1::addBytes, there's an assertion `input.length() == strlen(string)`, and it fails.

In template-literal-syntax.js, we perform `eval` with a script that contains "\0".
As a result, `strlen(string)` is accidentally shortened by the contained "\0", and the assertion fails.

CString will be changed not to contain a null character[1]. However, inserting the assertion here
is not correct, because:

1. If CString should not contain a null character, this should be asserted on the CString side instead of in SHA1::addBytes.
2. If CString can contain a null character, this assertion becomes incorrect.

So this patch just drops the assertion.

In the current implementation, we first convert the entire source code to a newly allocated
UTF-8 string and pass it to the SHA1 processing. However, this is memory consuming.
Ideally, we should stream the decoded bytes into the SHA1 processing iteratively.
We'll implement that in a separate patch[2].

[1]: https://bugs.webkit.org/show_bug.cgi?id=144339
[2]: https://bugs.webkit.org/show_bug.cgi?id=144263

* tests/stress/eval-script-contains-null-character.js: Added.
(shouldBe):
(test):
* tests/stress/template-literal-line-terminators.js:
* tests/stress/template-literal-syntax.js:
* tests/stress/template-literal.js:

2015-04-29 Filip Pizlo <fpizlo@apple.com>

Evict IsEnvironmentRecord from inline type flags
https://bugs.webkit.org/show_bug.cgi?id=144398

Reviewed by Mark Lam and Michael Saboff.

In https://bugs.webkit.org/show_bug.cgi?id=144397, we'll need an extra bit in the inline
type flags. This change picks the least important inline type flag - IsEnvironmentRecord -
and evicts it into the out-of-line type flags. This change has no performance implications
because we never even accessed IsEnvironmentRecord via the StructureIDBlob. The only place
where we access it at all is in String.prototype.repeat, and there we already load the
structure anyway.

* runtime/JSTypeInfo.h:
(JSC::TypeInfo::implementsHasInstance):
(JSC::TypeInfo::structureIsImmortal):
(JSC::TypeInfo::isEnvironmentRecord):

2015-04-29 Darin Adler <darin@apple.com>

[ES6] Implement Unicode code point escapes
https://bugs.webkit.org/show_bug.cgi?id=144377

Reviewed by Antti Koivisto.

* parser/Lexer.cpp: Moved the UnicodeHexValue class in here from
the header. Made it a non-member class so it doesn't need to be part
of a template. Made it use UChar32 instead of int for the value to
make it clearer what goes into this class.
(JSC::ParsedUnicodeEscapeValue::isIncomplete): Added. Replaces the
old type() function.
(JSC::Lexer<CharacterType>::parseUnicodeEscape): Renamed from
parseFourDigitUnicodeHex and added support for code point escapes.
(JSC::isLatin1): Added an overload for UChar32.
(JSC::isIdentStart): Changed this to take UChar32; no caller tries
to call it with a UChar, so no need to overload for that type for now.
(JSC::isNonLatin1IdentPart): Changed argument type to UChar32 for clarity.
Also added FIXME about a subtle ES6 change that we might want to make later.
(JSC::isIdentPart): Changed this to take UChar32; no caller tries
to call it with a UChar, so no need to overload for that type for now.
(JSC::isIdentPartIncludingEscapeTemplate): Made this a template so that we
don't need to repeat the code twice. Added code to handle code point escapes.
(JSC::isIdentPartIncludingEscape): Call the template instead of having the
code in line.
(JSC::Lexer<CharacterType>::recordUnicodeCodePoint): Added.
(JSC::Lexer<CharacterType>::parseIdentifierSlowCase): Made small tweaks and
updated to call parseUnicodeEscape instead of parseFourDigitUnicodeHex.
(JSC::Lexer<CharacterType>::parseComplexEscape): Call parseUnicodeEscape
instead of parseFourDigitUnicodeHex. Move the code to handle "\u" before
the code that handles the escapes, since the code point escape code now
consumes characters while parsing rather than peeking ahead. Test case
covers this: Symptom would be that "\u{" would evaluate to "u" instead of
giving a syntax error.

* parser/Lexer.h: Updated for above changes.

* runtime/StringConstructor.cpp:
(JSC::stringFromCodePoint): Use ICU's UCHAR_MAX_VALUE instead of writing
out 0x10FFFF; clearer this way.

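The two escape forms this entry's parseUnicodeEscape handles, "\uXXXX" and "\u{X...}", with the incomplete-escape result and the 0x10FFFF ceiling, as an added JavaScript example rather than the Lexer.cpp code itself; the names parseUnicodeEscape, decodeEscapes and MAX_CODE_POINT and the `{ codePoint, next }` / `{ incomplete, next }` result shape are assumptions of this example, not JavaScriptCore's API.

```javascript
// Added example, not JavaScriptCore's lexer. Same ceiling as ICU's
// UCHAR_MAX_VALUE, which the entry uses instead of writing out 0x10FFFF.
const MAX_CODE_POINT = 0x10FFFF;

// Value of one hex digit, or -1 for anything else (including end of input).
function hexDigitValue(ch) {
  if (ch === undefined) return -1;
  const c = ch.charCodeAt(0);
  if (c >= 0x30 && c <= 0x39) return c - 0x30;
  if (c >= 0x41 && c <= 0x46) return c - 0x41 + 10;
  if (c >= 0x61 && c <= 0x66) return c - 0x61 + 10;
  return -1;
}

// Parse the text after "\u" starting at `pos`. Returns { codePoint, next }
// on success or { incomplete: true, next } when the escape is malformed or
// out of range, where `next` is the index after the characters consumed.
// The parser consumes as it goes, which is why "\u{" cannot fall back to "u".
function parseUnicodeEscape(source, pos) {
  if (source[pos] === '{') {
    // Code point escape: one or more hex digits, value <= 0x10FFFF, then '}'.
    let i = pos + 1;
    let value = 0;
    let digits = 0;
    for (;;) {
      const d = hexDigitValue(source[i]);
      if (d < 0) break;
      value = value * 16 + d;
      digits++;
      i++;
      if (value > MAX_CODE_POINT) return { incomplete: true, next: i };
    }
    if (digits === 0 || source[i] !== '}') return { incomplete: true, next: i };
    return { codePoint: value, next: i + 1 };
  }
  // Classic four-digit escape.
  let value = 0;
  for (let k = 0; k < 4; k++) {
    const d = hexDigitValue(source[pos + k]);
    if (d < 0) return { incomplete: true, next: pos + k };
    value = value * 16 + d;
  }
  return { codePoint: value, next: pos + 4 };
}

// Decode the Unicode escapes in a string literal body. An incomplete escape
// is a SyntaxError, which is what the entry's "\u{" test case expects.
function decodeEscapes(body) {
  let out = '';
  let i = 0;
  while (i < body.length) {
    if (body[i] === '\\' && body[i + 1] === 'u') {
      const r = parseUnicodeEscape(body, i + 2);
      if (r.incomplete) throw new SyntaxError(`Invalid Unicode escape at ${i}`);
      out += String.fromCodePoint(r.codePoint);
      i = r.next;
    } else {
      out += body[i++];
    }
  }
  return out;
}
```
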
2015-04-29 Martin Robinson <mrobinson@igalia.com>

[CMake] [GTK] Organize and clean up unused CMake variables
https://bugs.webkit.org/show_bug.cgi?id=144364

Reviewed by Gyuyoung Kim.

* PlatformGTK.cmake: Add variables specific to this project.

2015-04-28 Filip Pizlo <fpizlo@apple.com>

TypeOf should return SpecStringIdent and the DFG should know this
https://bugs.webkit.org/show_bug.cgi?id=144376

Reviewed by Andreas Kling.

Make TypeOf return atomic strings. That's a simple change in SmallStrings.

Make the DFG know this and use it for optimization. This makes Switch(TypeOf) a bit less
bad.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setType):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::setType):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::initialize):
* tests/stress/switch-typeof-indirect.js: Added.
(bar):
(foo):
(test):
* tests/stress/switch-typeof-slightly-indirect.js: Added.
(foo):
(test):
* tests/stress/switch-typeof.js: Added.
(foo):
(test):

2015-04-29 Joseph Pecoraro <pecoraro@apple.com>

REGRESSION(181868): Windows Live SkyDrive cannot open an excel file
https://bugs.webkit.org/show_bug.cgi?id=144373

Reviewed by Darin Adler.

Revert r181868 as it caused a failure on live.com. We can try
re-enabling this exception after we make idl attributes configurable,
which may have prevented this particular failure.

* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):

2015-04-28 Joseph Pecoraro <pecoraro@apple.com>

Deadlock on applications using JSContext on non-main thread
https://bugs.webkit.org/show_bug.cgi?id=144370

Reviewed by Timothy Hatcher.

* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::singleton):
Prevent a possible deadlock by assuming we can synchronously
run something on the main queue at this time.

2015-04-28 Filip Pizlo <fpizlo@apple.com>

FTL should fully support Switch (it currently lacks the SwitchString variant)
https://bugs.webkit.org/show_bug.cgi?id=144348

Reviewed by Benjamin Poulain.

This adds SwitchString support to the FTL. This is already tested by switch microbenchmarks
in LayoutTests/js/regress.

* dfg/DFGCommon.cpp:
(JSC::DFG::stringLessThan):
* dfg/DFGCommon.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::switchString):
(JSC::FTL::LowerDFGToLLVM::StringSwitchCase::StringSwitchCase):
(JSC::FTL::LowerDFGToLLVM::StringSwitchCase::operator<):
(JSC::FTL::LowerDFGToLLVM::CharacterCase::CharacterCase):
(JSC::FTL::LowerDFGToLLVM::CharacterCase::operator<):
(JSC::FTL::LowerDFGToLLVM::switchStringRecurse):
(JSC::FTL::LowerDFGToLLVM::switchStringSlow):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::check):
* ftl/FTLOutput.h:
* ftl/FTLWeight.h:
(JSC::FTL::Weight::inverse):
* jit/JITOperations.h:

2015-04-28 Michael Catanzaro <mcatanzaro@igalia.com>

Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT
https://bugs.webkit.org/show_bug.cgi?id=144304

Reviewed by Geoffrey Garen.

* Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of
ENABLE_LLINT_C_LOOP, disabled by default.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP.

2015-04-28 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r183514.
https://bugs.webkit.org/show_bug.cgi?id=144359

It broke cloop test bots (Requested by mcatanzaro on #webkit).

Reverted changeset:

"Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT"
https://bugs.webkit.org/show_bug.cgi?id=144304
http://trac.webkit.org/changeset/183514

2015-04-28 Michael Catanzaro <mcatanzaro@igalia.com>

Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT
https://bugs.webkit.org/show_bug.cgi?id=144304

Reviewed by Geoffrey Garen.

* Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of
ENABLE_LLINT_C_LOOP, disabled by default.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP.

2015-04-28 Joseph Pecoraro <pecoraro@apple.com>

Fix common typo "targetting" => "targeting"
https://bugs.webkit.org/show_bug.cgi?id=144349

Reviewed by Daniel Bates.

* bytecode/ExecutionCounter.h:

2015-04-28 Yusuke Suzuki <utatane.tea@gmail.com>

Update the features.json for WeakSet, WeakMap, Template literals, Tagged templates
https://bugs.webkit.org/show_bug.cgi?id=144328

Reviewed by Andreas Kling.

Update the status of ES6 features.

* features.json:

2015-04-28 Filip Pizlo <fpizlo@apple.com>

DFG should not use or preserve Phantoms during transformations
https://bugs.webkit.org/show_bug.cgi?id=143736

Reviewed by Geoffrey Garen.

Since http://trac.webkit.org/changeset/183207 and http://trac.webkit.org/changeset/183406, it is
no longer necessary to preserve Phantoms during transformations. They are still useful just
before FixupPhase to support backwards propagation analyses. They are still inserted late in the
game in the DFG backend. But transformations don't need to worry about them. Inside a basic
block, we can be sure that so long as the IR pinpoints the place where the value becomes
available in a bytecode register (using MovHint) and so long as there is a SetLocal anytime some
other block would need the value (either for OSR or for DFG execution), then we don't need any
liveness markers.

So, this removes any places where we inserted Phantoms just for liveness during transformation
and it replaces convertToPhantom() with remove(), which just converts the node to a Check. A
Check node only keeps its children so long as those children have checks.

The fact that we no longer convertToPhantom() means that we have to be more careful when
constant-folding GetLocal. Previously we would convertToPhantom() and use the fact that
Phantom(Phi) was a valid construct. It's not valid anymore. So, when constant folding encounters
a GetLocal it needs to insert a PhantomLocal directly. This allows us to simplify
Graph::convertToConstant() a bit. Luckily, none of the other users of this method would see
GetLocals.

The only Phantom-like cruft left over after this patch is:

- Phantoms before FixupPhase. I kind of like these. It means that before FixupPhase, we can do
backwards analyses and rely on the fact that the users of a node in DFG IR are a superset of
the users of the original local's live range in bytecode. This is essential for supporting our
BackwardsPropagationPhase, which is an important optimization for things like asm.js.

- PhantomLocals and GetLocals being NodeMustGenerate. See discussion in
https://bugs.webkit.org/show_bug.cgi?id=144086. It appears that this is not as evil as the
alternatives. The best long-term plan is to simply ditch the ThreadedCPS IR entirely and have
the DFG use SSA. For now, so long as any new DFG optimizations we add are block-local and
treat GetLocal/SetLocal conservatively, this should all be sound.

This change should be perf-neutral although it does reduce the total work that the compiler
does.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::justChecks):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::replaceTerminal):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::findTerminal):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
(JSC::DFG::CPSRethreadingPhase::clearVariables):
(JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGCleanUpPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp.
(JSC::DFG::CleanUpPhase::CleanUpPhase):
(JSC::DFG::CleanUpPhase::run):
(JSC::DFG::performCleanUp):
(JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase): Deleted.
(JSC::DFG::PhantomRemovalPhase::run): Deleted.
(JSC::DFG::performPhantomRemoval): Deleted.
* dfg/DFGCleanUpPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck):
(JSC::DFG::ConstantFoldingPhase::fixUpsilons):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
(JSC::DFG::DCEPhase::cleanVariables):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupBlock):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::convertStringAddUse):
(JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
(JSC::DFG::FixupPhase::checkArray):
(JSC::DFG::FixupPhase::fixIntConvertingEdge):
(JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
(JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
(JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
(JSC::DFG::FixupPhase::tryToRelaxRepresentation):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
(JSC::DFG::FixupPhase::addRequiredPhantom): Deleted.
(JSC::DFG::FixupPhase::addPhantomsIfNecessary): Deleted.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::mergeRelevantToOSR): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertCheck):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::remove):
* dfg/DFGNode.h:
(JSC::DFG::Node::replaceWith):
(JSC::DFG::Node::convertToPhantom): Deleted.
(JSC::DFG::Node::convertToCheck): Deleted.
(JSC::DFG::Node::willHaveCodeGenOrOSR): Deleted.
* dfg/DFGNodeFlags.h:
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
* dfg/DFGPhantomCanonicalizationPhase.cpp: Removed.
* dfg/DFGPhantomCanonicalizationPhase.h: Removed.
* dfg/DFGPhantomRemovalPhase.cpp: Removed.
* dfg/DFGPhantomRemovalPhase.h: Removed.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGResurrectionForValidationPhase.cpp: Removed.
* dfg/DFGResurrectionForValidationPhase.h: Removed.
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
* dfg/DFGStoreBarrierElisionPhase.cpp:
(JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateCPS):
(JSC::DFG::Validate::validateSSA):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileNoOp):
(JSC::FTL::LowerDFGToLLVM::compilePhantom): Deleted.

2015-04-28 Andreas Kling <akling@apple.com>

DFG+FTL should generate efficient code for branching on a string's boolean value.
<https://webkit.org/b/144317>

Reviewed by Geoff Garen & Filip Pizlo.

Teach Branch nodes about StringUse and have them generate an efficient zero-length string check
instead of dropping out to C++ whenever we branch on a string.

The FTL JIT already handled Branch nodes with StringUse through its use of boolify(), so only
the DFG JIT gets some new codegen logic in this patch.

Test: js/regress/branch-on-string-as-boolean.js (~4.5x speedup)

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitStringBranch):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitBranch):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitBranch):

2015-04-28 Filip Pizlo <fpizlo@apple.com>

VarargsForwardingPhase should only consider MovHints that have the candidate as a child
https://bugs.webkit.org/show_bug.cgi?id=144340

Reviewed by Michael Saboff and Mark Lam.

Since we were considering all MovHints, we'd assume that the CreateDirectArguments or
CreateClosedArguments node was live so long as any MovHinted bytecode variable was alive.
Basically, we'd keep it alive until the end of the block. This maximized the chances of
there being an interfering operation, which would prevent elimination.

The fix is to only consider MovHints that have the arguments candidate as a child. We only
care to track the liveness of those bytecode locals that would need an arguments object
recovery on OSR exit.

This is a speed-up on V8Spider/raytrace and Octane/raytrace because it undoes the regression
introduced in http://trac.webkit.org/changeset/183406.

* dfg/DFGVarargsForwardingPhase.cpp:

2015-04-28 Csaba Osztrogonác <ossy@webkit.org>

Remove WinCE cruft from cmake build system
https://bugs.webkit.org/show_bug.cgi?id=144325

Reviewed by Gyuyoung Kim.

* CMakeLists.txt:
* create_jit_stubs: Removed.

2015-04-27 Andreas Kling <akling@apple.com>

RegExp matches arrays should use contiguous indexing.
<https://webkit.org/b/144286>

Reviewed by Geoffrey Garen.

We had a custom Structure being used for RegExp matches arrays that would
put the arrays into SlowPutArrayStorageShape mode. This was just left
from when matches arrays were custom, lazily initialized objects.

This change removes that Structure and switches the matches arrays to
using the default ContiguousShape Structure. This allows the FTL JIT
to compile the inner loop of the Octane/regexp benchmark.

Also made a version of initializeIndex() [inline] that takes the indexing
type as an argument, allowing createRegExpMatchesArray() to initialize
the entire array without branching on the indexing type for each entry.

~3% progression on Octane/regexp.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::mapStructure):
(JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::initializeIndex):
* runtime/RegExpMatchesArray.cpp:
(JSC::createRegExpMatchesArray):

2015-04-27 Filip Pizlo <fpizlo@apple.com>

FTL failed to initialize arguments.callee on the slow path as well as the fast path
https://bugs.webkit.org/show_bug.cgi?id=144293

Reviewed by Mark Lam.

The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need
to initialize the callee on the common path after the fast and slow path.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
* tests/stress/arguments-callee-uninitialized.js: Added.
(foo):

2015-04-27 Benjamin Poulain <bpoulain@apple.com>

[JSC] Add support for typed arrays to the Array profiling
https://bugs.webkit.org/show_bug.cgi?id=143913

Reviewed by Filip Pizlo.

This patch adds ArrayModes for every typed array. Having that information
lets us generate better GetByVal and PutByVal when the type speculations
are not good enough.

A typical case where this is useful is any basic block for which the type
of the object is always more restrictive than the speculation (for example,
a basic block gated by a branch only taken for one type).

* bytecode/ArrayProfile.cpp:
(JSC::dumpArrayModes):
* bytecode/ArrayProfile.h:
(JSC::arrayModeFromStructure):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine):
Maintain the refine() semantic. We do not support OutOfBounds access
for GetByVal on typed arrays.

* runtime/IndexingType.h:
* tests/stress/typed-array-get-by-val-profiling.js: Added.
(testArray.testCode):
(testArray):
* tests/stress/typed-array-put-by-val-profiling.js: Added.
(testArray.testCode):
(testArray):

2015-04-27 Filip Pizlo <fpizlo@apple.com>

Unreviewed, roll out r183438 "RegExp matches arrays should use contiguous indexing". It
causes many debug test failures.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::regExpMatchesArrayStructure):
* runtime/JSObject.h:
(JSC::JSObject::initializeIndex):
* runtime/RegExpMatchesArray.cpp:
(JSC::createRegExpMatchesArray):

2015-04-27 Andreas Kling <akling@apple.com>

RegExp matches arrays should use contiguous indexing.
<https://webkit.org/b/144286>

Reviewed by Geoffrey Garen.

We had a custom Structure being used for RegExp matches arrays that would
put the arrays into SlowPutArrayStorageShape mode. This was just left
from when matches arrays were custom, lazily initialized objects.

This change removes that Structure and switches the matches arrays to
using the default ContiguousShape Structure. This allows the FTL JIT
to compile the inner loop of the Octane/regexp benchmark.

Also made a version of initializeIndex() [inline] that takes the indexing
type as an argument, allowing createRegExpMatchesArray() to initialize
the entire array without branching on the indexing type for each entry.

~3% progression on Octane/regexp.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::mapStructure):
(JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::initializeIndex):
* runtime/RegExpMatchesArray.cpp:
(JSC::createRegExpMatchesArray):

2015-04-27 Ryosuke Niwa <rniwa@webkit.org>

REGRESSION (r183373): ASSERT failed in wtf/SHA1.h
https://bugs.webkit.org/show_bug.cgi?id=144257

Temporarily skip these tests.

* tests/stress/template-literal-line-terminators.js:
* tests/stress/template-literal-syntax.js:
* tests/stress/template-literal.js:

2015-04-27 Basile Clement <basile_clement@apple.com>

Function allocations shouldn't sink through Put operations
https://bugs.webkit.org/show_bug.cgi?id=144176

Reviewed by Filip Pizlo.

By design, we don't support function allocation sinking through any
related operation; however, object allocation can sink through PutByOffset et
al.

Currently, the checks to prevent function allocation from sinking through
these are misguided and do not prevent anything; function allocation sinking
through these operations is prevented as a side effect of requiring an
AllocatePropertyStorage through which the function allocation is seen as
escaping.

This changes it so that ObjectAllocationSinkingPhase::handleNode()
checks properly that only object allocations sink through related write
operations.

* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):

2015-04-25 Filip Pizlo <fpizlo@apple.com>

VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used
https://bugs.webkit.org/show_bug.cgi?id=143843

Reviewed by Geoffrey Garen.

It will soon come to pass that Phantom isn't available at the time that
VarargsForwardingPhase runs. So, it needs to use some other mechanism for discovering when
a value dies for OSR.

This is simplified by two things:

1) The bytecode kill analysis is now reusable. This patch makes it even more reusable than
before by polishing the API.

2) This phase already operates on one node at a time and allows itself to do a full search
of the enclosing basic block for that node. This is fine because CreateDirectArguments
and friends are rarely occurring nodes. The fact that it operates on one node at a time
makes it even easier to reason about OSR liveness - we just track the list of locals in
which it is live.

This change has no effect right now but it is a necessary prerequisite to implementing
https://bugs.webkit.org/show_bug.cgi?id=143736.

* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::tryAt):
* dfg/DFGForAllKills.h:
(JSC::DFG::forAllKilledOperands):
* dfg/DFGPhantomInsertionPhase.cpp:
* dfg/DFGVarargsForwardingPhase.cpp:

2015-04-27 Jordan Harband <ljharb@gmail.com>

Map#entries and Map#keys error for non-Maps is swapped
https://bugs.webkit.org/show_bug.cgi?id=144253

Reviewed by Simon Fraser.

Correcting error messages on Set/Map methods when called on
incompatible objects.

* runtime/MapPrototype.cpp:
(JSC::mapProtoFuncEntries):
(JSC::mapProtoFuncKeys):
* runtime/SetPrototype.cpp:
(JSC::setProtoFuncEntries):

2015-04-24 Filip Pizlo <fpizlo@apple.com>

Rationalize DFG DCE handling of nodes that perform checks that propagate through AI
https://bugs.webkit.org/show_bug.cgi?id=144186

Reviewed by Geoffrey Garen.

If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns
Int32. We may later perform code simplifications based on the proof that this is Int32, and
we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at
which the ArithAdd is live. This seems like it is sufficient to then kill the ArithAdd,
except that we still need the overflow check!

Previously we mishandled this:

- In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack
to keep it alive. That's dirty and it's just indicative of a deeper issue.

- Our MovHint removal doesn't do Phantom canonicalization which essentially makes it
powerless. This was sort of hiding the bug.

- Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill
something that you are relying on for subsequent simplifications.

This fixes MovHint removal to also canonicalize Phantoms. This also adds NodeMustGenerate to
nodes that may perform checks that are used by AI to guarantee the result type. As a result,
we no longer need the weird MustGenerate node.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::tryToRelaxRepresentation):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
(JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): Deleted.
* dfg/DFGMayExit.cpp:
(JSC::DFG::mayExit):
* dfg/DFGNode.h:
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
* dfg/DFGPhantomCanonicalizationPhase.cpp:
(JSC::DFG::PhantomCanonicalizationPhase::run):
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* tests/stress/fold-based-on-int32-proof-mul-branch.js: Added.
(foo):
* tests/stress/fold-based-on-int32-proof-mul.js: Added.
(foo):
* tests/stress/fold-based-on-int32-proof-or-zero.js: Added.
(foo):
* tests/stress/fold-based-on-int32-proof.js: Added.
(foo):

2015-04-26 Ryosuke Niwa <rniwa@webkit.org>

Class body ending with a semicolon throws a SyntaxError
https://bugs.webkit.org/show_bug.cgi?id=144244

Reviewed by Darin Adler.

The bug was caused by parseClass's inner loop for method definitions not moving onto the next iteration
when it encounters a semicolon. As a result, we always expected a method to appear after a semicolon. Fixed
it by continue'ing when it encounters a semicolon.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseClass):

2015-04-26 Ryosuke Niwa <rniwa@webkit.org>

Getter or setter method named "prototype" or "constructor" should throw SyntaxError
https://bugs.webkit.org/show_bug.cgi?id=144243

Reviewed by Darin Adler.

Fixed the bug by adding explicit checks in parseGetterSetter when we're parsing class methods.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseGetterSetter):

2015-04-26 Jordan Harband <ljharb@gmail.com>

Map#forEach does not pass "map" argument to callback.
https://bugs.webkit.org/show_bug.cgi?id=144187

Reviewed by Darin Adler.

Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach
step 7.a.i., the callback should be called with three arguments.

* runtime/MapPrototype.cpp:
(JSC::mapProtoFuncForEach):

2015-04-26 Yusuke Suzuki <utatane.tea@gmail.com>

[ES6] Implement ES6 template literals
https://bugs.webkit.org/show_bug.cgi?id=142691

Reviewed by Darin Adler.

This patch implements TemplateLiteral.
Since TaggedTemplate requires some global states and
primitive operations like GetTemplateObject,
we separate the patch. It will be implemented in a subsequent patch.

Template Literal Syntax is guarded by the ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag.
By disabling it, we can disable Template Literal support.

To implement template literals, in this patch,
we newly introduce the bytecode op_to_string.
In template literals, we alternately evaluate the expression and
perform ToString on the result of the evaluation.
For example,

`${f1()} ${f2()}`

In this template literal, the execution order is the following:
1. calling f1()
2. ToString(the result of f1())
3. calling f2()
4. ToString(the result of f2())

op_strcat also performs ToString. However, performing ToString
on the expressions is batched in op_strcat, which is not the same as the
template literal spec. In the above example,
ToString(f1()) should be called before calling f2().

* Configurations/FeatureDefines.xcconfig:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToString):
(JSC::BytecodeGenerator::emitToNumber): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::TemplateStringNode::emitBytecode):
(JSC::TemplateLiteralNode::emitBytecode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_to_string):
(JSC::JIT::emitSlow_op_to_string):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_to_string):
(JSC::JIT::emitSlow_op_to_string):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createTemplateString):
(JSC::ASTBuilder::createTemplateStringList):
(JSC::ASTBuilder::createTemplateExpressionList):
(JSC::ASTBuilder::createTemplateLiteral):
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<T>::parseIdentifierSlowCase):
(JSC::Lexer<T>::parseString):
(JSC::LineNumberAdder::LineNumberAdder):
(JSC::LineNumberAdder::clear):
(JSC::LineNumberAdder::add):
(JSC::Lexer<T>::parseTemplateLiteral):
(JSC::Lexer<T>::lex):
(JSC::Lexer<T>::scanRegExp):
(JSC::Lexer<T>::scanTrailingTemplateString):
(JSC::Lexer<T>::parseStringSlowCase): Deleted.
* parser/Lexer.h:
* parser/NodeConstructors.h:
(JSC::TemplateExpressionListNode::TemplateExpressionListNode):
(JSC::TemplateStringNode::TemplateStringNode):
(JSC::TemplateStringListNode::TemplateStringListNode):
(JSC::TemplateLiteralNode::TemplateLiteralNode):
* parser/Nodes.h:
(JSC::TemplateExpressionListNode::value):
(JSC::TemplateExpressionListNode::next):
(JSC::TemplateStringNode::cooked):
(JSC::TemplateStringNode::raw):
(JSC::TemplateStringListNode::value):
(JSC::TemplateStringListNode::next):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseTemplateString):
(JSC::Parser<LexerType>::parseTemplateLiteral):
(JSC::Parser<LexerType>::parsePrimaryExpression):
* parser/Parser.h:
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createTemplateString):
(JSC::SyntaxChecker::createTemplateStringList):
(JSC::SyntaxChecker::createTemplateExpressionList):
(JSC::SyntaxChecker::createTemplateLiteral):
(JSC::SyntaxChecker::createSpreadExpression): Deleted.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* tests/stress/template-literal-line-terminators.js: Added.
(test):
(testEval):
(testEvalLineNumber):
* tests/stress/template-literal-syntax.js: Added.
(testSyntax):
(testSyntaxError):
* tests/stress/template-literal.js: Added.
(test):
(testEval):
(testEmbedded):

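The interleaved evaluation order described in the entry above, shown as an added example (not code from the WebKit patch or its stress tests): each callee returns an object whose toString records the moment ToString is applied to it, so the order f1, ToString(f1()), f2, ToString(f2()) is observable from script. A batched variant reproduces the op_strcat-style order the entry says is not spec-conformant, and a throwing-ToString variant shows why the difference matters: under the interleaved order f2 must never run.

```javascript
"use strict";

// Added example, not part of the WebKit ChangeLog or its test suite.
// Builds a callee that logs its call and, separately, the moment ToString
// is applied to its return value.
function makeTracer(log, name) {
  return function () {
    log.push(`call ${name}`);
    return {
      toString() {
        log.push(`ToString ${name}`);
        return name;
      },
    };
  };
}

// Template literal: ToString(f1()) happens before f2() is called,
// which is the order the spec (and the op_to_string patch) requires.
function templateLiteralOrder() {
  const log = [];
  const f1 = makeTracer(log, "f1");
  const f2 = makeTracer(log, "f2");
  const result = `${f1()} ${f2()}`;
  return { result, log };
}

// Batched conversion: both calls run first, then both conversions.
// This is the op_strcat-style order the entry says does not match the
// template literal spec.
function batchedOrder() {
  const log = [];
  const f1 = makeTracer(log, "f1");
  const f2 = makeTracer(log, "f2");
  const values = [f1(), f2()];
  const result = values.map(String).join(" ");
  return { result, log };
}

// The difference is observable when ToString throws: with the interleaved
// order f2 is never called.
function templateLiteralStopsOnThrow() {
  const log = [];
  const f1 = () => {
    log.push("call f1");
    return { toString() { throw new TypeError("constructed failure"); } };
  };
  const f2 = makeTracer(log, "f2");
  try {
    `${f1()} ${f2()}`;
  } catch (e) {
    log.push(`caught ${e.name}`);
  }
  return log;
}

// Usage: print the three recorded orders.
console.log(templateLiteralOrder().log.join(" -> "));
console.log(batchedOrder().log.join(" -> "));
console.log(templateLiteralStopsOnThrow().join(" -> "));
```

Both orders produce the same string "f1 f2" when nothing throws, which is why the distinction only shows up through side effects or exceptions in the converted values.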
2015-04-26 Jordan Harband <ljharb@gmail.com>

Set#forEach does not pass "key" or "set" arguments to callback.
https://bugs.webkit.org/show_bug.cgi?id=144188

Reviewed by Darin Adler.

Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach
Set#forEach should pass 3 arguments to the callback.

* runtime/SetPrototype.cpp:
(JSC::setProtoFuncForEach):

2015-04-26 Benjamin Poulain <benjamin@webkit.org>

[JSC] Implement Math.clz32(), remove Number.clz()
https://bugs.webkit.org/show_bug.cgi?id=144205

Reviewed by Michael Saboff.

This patch adds the ES6 function Math.clz32(), and removes the non-standard
Number.clz(). Number.clz() probably came from an older draft.

The new function has a corresponding intrinsic: Clz32Intrinsic,
and a corresponding DFG node: ArithClz32, optimized all the way to LLVM.

* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::countLeadingZeros32):
* assembler/X86Assembler.h:
(JSC::X86Assembler::bsr_rr):
The x86 assembler did not have countLeadingZeros32() because there is
no native CLZ instruction on that architecture.

I have added the version with bsr + branches for the case of zero.
Another popular version uses cmov to handle the case of zero. I kept
it simple since the Assembler has no support for cmov.

It is unlikely to matter much. If the code is hot enough, LLVM picks
something good based on the surrounding code.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Constant handling + effect propagation. The node only produces an integer (between 0 and 32).

* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
Thanks to the definition of toUint32(), we can ignore plenty of details
from doubles.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithClz32):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileArithClz32):
* ftl/FTLOutput.h:
(JSC::FTL::Output::ctlz32):
* jit/ThunkGenerators.cpp:
(JSC::clz32ThunkGenerator):
* jit/ThunkGenerators.h:
* runtime/Intrinsic.h:
* runtime/MathCommon.h:
(JSC::clz32):
Fun fact: InstCombine does not recognize this pattern to eliminate
the branch, which makes our FTL version better than the C version.

* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
(JSC::mathProtoFuncClz32):
* runtime/NumberPrototype.cpp:
(JSC::clz): Deleted.
(JSC::numberProtoFuncClz): Deleted.
* runtime/VM.cpp:
(JSC::thunkGeneratorForIntrinsic):
* tests/stress/math-clz32-basics.js: Added.
(mathClz32OnInteger):
(testMathClz32OnIntegers):
(verifyMathClz32OnIntegerWithOtherTypes):
(mathClz32OnDouble):
(testMathClz32OnDoubles):
(verifyMathClz32OnDoublesWithOtherTypes):
(mathClz32NoArguments):
(mathClz32TooManyArguments):
(testMathClz32OnConstants):
(mathClz32StructTransition):
(Math.clz32):

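As an added example (not code from the patch or its math-clz32-basics.js test), the following JavaScript reimplements Math.clz32 in the shape the entry describes for the x86 backend: a highest-set-bit scan standing in for bsr, plus an explicit branch for zero, on top of the ToUint32 conversion that lets the node ignore the details of doubles and non-numbers. It assumes a runtime that already provides Math.clz32 so the reference can be checked against it; the sample inputs are constructed.

```javascript
"use strict";

// Added example, not part of the WebKit patch or its tests.

// ToUint32: ToNumber, truncate toward zero, reduce modulo 2^32. `>>> 0` is
// exactly this conversion, which is why doubles, strings and non-numbers
// need no special handling here, as the BackwardsPropagation note says.
function toUint32(value) {
  return Number(value) >>> 0;
}

// Reference clz32 in the "bsr + branch for zero" shape: bsr yields the
// index of the highest set bit and is undefined for zero, so zero takes an
// explicit branch that returns 32.
function clz32Reference(value) {
  const x = toUint32(value);
  if (x === 0) return 32;
  let highest = 31;
  while (((x >>> highest) & 1) === 0) highest--;
  return 31 - highest;
}

// Constructed sample inputs: integers at the bit boundaries, negatives,
// doubles, out-of-range values and non-numbers, i.e. the kinds of cases the
// math-clz32-basics.js test names enumerate.
const SAMPLE_INPUTS = [
  0, 1, 2, 3, 0x7fffffff, 0x80000000, 0xffffffff, -1, -2147483648,
  1.5, 3.99, -0.5, 1e10, 4294967297, NaN, Infinity, -Infinity,
  "16", "0x10", "abc", true, null, undefined, {}, [], [8],
];

// Every result must be an integer in [0, 32], the range the AI node
// is allowed to assume.
function resultsInRange() {
  return SAMPLE_INPUTS.every((v) => {
    const r = clz32Reference(v);
    return Number.isInteger(r) && r >= 0 && r <= 32;
  });
}

// Inputs on which the reference disagrees with the engine's Math.clz32.
function mismatches() {
  return SAMPLE_INPUTS.filter((v) => clz32Reference(v) !== Math.clz32(v));
}

// Usage: an empty list means the reference agrees with the engine.
console.log("results in [0, 32]:", resultsInRange());
console.log("mismatches:", mismatches());
```

The loop is the only part that differs from the hardware version; on x86 the scan collapses to a single bsr, and the branch on zero is what remains.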
2015-04-26 Yusuke Suzuki <utatane.tea@gmail.com>

[ES6] Array.from needs to accept iterables
https://bugs.webkit.org/show_bug.cgi?id=141055

Reviewed by Darin Adler.

The ES6 spec requires that Array.from accepts iterable objects.
This patch introduces this functionality, Array.from accepting iterable objects.

Currently, `isConstructor` is not used. Instead of it, `typeof thisObj === "function"` is used.
However, it doesn't conform to the spec. While `isConstructor` queries whether the given object has `[[Construct]]`,
`typeof thisObj === "function"` queries whether the given object has `[[Call]]`.
This will be fixed in the subsequent patch[1].

[1]: https://bugs.webkit.org/show_bug.cgi?id=144093

* builtins/ArrayConstructor.js:
(from):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* tests/stress/array-from-with-iterable.js: Added.
(shouldBe):
(.set for):
(.set var):
(.get var):
(argumentsGenerators):
(.set shouldBe):
(.set new):
* tests/stress/array-from-with-iterator.js: Added.
(shouldBe):
(shouldThrow):
(createIterator.iterator.return):
(createIterator):
(.):

2015-04-25 Jordan Harband <ljharb@gmail.com>

Set#keys !== Set#values
https://bugs.webkit.org/show_bug.cgi?id=144190

Reviewed by Darin Adler.

Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys
Set#keys should === Set#values

* runtime/SetPrototype.cpp:
(JSC::SetPrototype::finishCreation):
(JSC::setProtoFuncValues):
(JSC::setProtoFuncEntries):
(JSC::setProtoFuncKeys): Deleted.

2015-04-25 Joseph Pecoraro <pecoraro@apple.com>

Allow for pausing a JSContext when opening a Web Inspector
<rdar://problem/20564788>

Reviewed by Timothy Hatcher.

* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::receivedSetupMessage):
* inspector/remote/RemoteInspectorConstants.h:
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setup):
On any incoming setup message, we may want to automatically
pause the debuggable. If requested, pause the debuggable
after we have set up the frontend connection.

* runtime/JSGlobalObjectDebuggable.h:
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::pause):
Pass through to the inspector controller.

* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::pause):
Enable pause on next statement.

2015-04-23 Ryosuke Niwa <rniwa@webkit.org>

class methods should be non-enumerable
https://bugs.webkit.org/show_bug.cgi?id=143181

Reviewed by Darin Adler.

Fixed the bug by using Object.defineProperty to define methods.

This patch adds the concept of link time constants and uses it to resolve Object.defineProperty
inside CodeBlock's constructor since bytecode can be linked against multiple global objects.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register
index of zero.
* bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains
exactly one entry for Object.defineProperty.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new
constant register for the link time constant we're adding.
(JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added. Like addConstantValue, allocate a new
register for the specified link time constant and notify UnlinkedCodeBlock about it.
(JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call
Object.defineProperty with it.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes
non-enumerable by using emitCallDefineProperty to define them.
(JSC::PropertyListNode::emitPutConstantProperty): Ditto for non-accessor properties.
(JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make the prototype
property on the class non-writable, non-configurable, and non-enumerable by using defineProperty.
* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Set m_definePropertyFunction.
(JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::definePropertyFunction): Added.
(JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant.
(JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and
returns a JSCell; e.g. Object.defineProperty.
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty.
* runtime/ObjectConstructor.h:

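As an added example (not code from the patch), the following JavaScript checks, from script, the property attributes the entry says class syntax now produces: methods, accessors and prototype.constructor non-enumerable, and the class's prototype property non-writable, non-configurable and non-enumerable. It contrasts a class with a constructor function whose method is assigned to its prototype, which is what an enumerable method looks like to for-in, and with the same function fixed up by a defineNonEnumerableMethod helper. That helper is an illustration of what emitCallDefineProperty does at the JavaScript level, not the engine's code.

```javascript
"use strict";

// Added example, not part of the WebKit patch.

// What a class method definition amounts to at the JavaScript level: a data
// property that is writable and configurable but not enumerable. This
// mirrors the defineProperty call the entry describes; it is an illustration,
// not the engine's code.
function defineNonEnumerableMethod(target, name, fn) {
  Object.defineProperty(target, name, {
    value: fn,
    writable: true,
    enumerable: false,
    configurable: true,
  });
  return target;
}

// Summarises, for a constructor C, the attributes the entry talks about.
function describeClassShape(C) {
  const protoDesc = Object.getOwnPropertyDescriptor(C, "prototype");
  const ctorDesc = Object.getOwnPropertyDescriptor(C.prototype, "constructor");
  const methodNames = Object.getOwnPropertyNames(C.prototype).filter((n) => n !== "constructor");
  const enumerableMethods = methodNames.filter(
    (n) => Object.getOwnPropertyDescriptor(C.prototype, n).enumerable,
  );
  const forInKeys = [];
  for (const key in new C()) forInKeys.push(key);
  return {
    prototypeWritable: protoDesc.writable,
    prototypeEnumerable: protoDesc.enumerable,
    prototypeConfigurable: protoDesc.configurable,
    constructorEnumerable: ctorDesc.enumerable,
    enumerableMethods,
    forInKeys,
  };
}

// A class: no method, accessor or constructor shows up in for-in, and the
// prototype property cannot be reassigned or redefined.
class Point {
  constructor() { this.x = 1; }
  get norm() { return Math.abs(this.x); }
  toString() { return `Point(${this.x})`; }
  static origin() { return new Point(); }
}

// The pre-ES6 pattern: plain assignment makes the method enumerable, so
// for-in over every instance sees "toString" next to the instance's own data.
function LegacyPoint() { this.x = 1; }
LegacyPoint.prototype.toString = function () { return `LegacyPoint(${this.x})`; };

// The same constructor function with the method defined the way class
// syntax now does it.
function FixedPoint() { this.x = 1; }
defineNonEnumerableMethod(FixedPoint.prototype, "toString", function () {
  return `FixedPoint(${this.x})`;
});

console.log("class:", describeClassShape(Point));
console.log("legacy:", describeClassShape(LegacyPoint));
console.log("fixed:", describeClassShape(FixedPoint));
```

A function's own prototype property is writable by default, so only the class form reports prototypeWritable as false; that is the attribute ClassExprNode::emitBytecode sets explicitly.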
2015-04-25 Yusuke Suzuki <utatane.tea@gmail.com>

[ES6] Implement String.fromCodePoint
https://bugs.webkit.org/show_bug.cgi?id=144160

Reviewed by Darin Adler.

This patch implements String.fromCodePoint.
It accepts multiple code points and generates a string that consists of the given code points.
The range [0x0000 - 0x10FFFF] is valid for code points.
If the given value is out of range, throw a range error.

When a valid code point >= 0xFFFF is given,
String.fromCodePoint generates a string that contains surrogate pairs.

* runtime/StringConstructor.cpp:
(JSC::stringFromCodePoint):
(JSC::constructWithStringConstructor):
* tests/stress/string-from-code-point.js: Added.
(shouldBe):
(shouldThrow):
(toCodePoints):
(passThrough):

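As an added example (not the patch's C++ or its string-from-code-point.js test), the following JavaScript spells out the behaviour the entry describes: each argument is converted to a number, rejected with RangeError unless it is an integer in [0x0000, 0x10FFFF], and emitted as one UTF-16 code unit or, above 0xFFFF, as a surrogate pair. A toCodePoints decoder closes the round trip, and the reference is compared against the runtime's own String.fromCodePoint on constructed inputs, including the invalid ones where both must throw.

```javascript
"use strict";

// Added example, not part of the WebKit patch or its tests.

// Reference String.fromCodePoint: every argument must be an integer in
// [0x0000, 0x10FFFF], otherwise RangeError; code points above 0xFFFF are
// emitted as a UTF-16 surrogate pair (high D800..DBFF, low DC00..DFFF).
function fromCodePointReference(...codePoints) {
  const units = [];
  for (const raw of codePoints) {
    const cp = Number(raw);
    if (!Number.isInteger(cp) || cp < 0 || cp > 0x10ffff) {
      throw new RangeError(`Invalid code point ${String(raw)}`);
    }
    if (cp <= 0xffff) {
      units.push(cp);
      continue;
    }
    const v = cp - 0x10000;
    units.push(0xd800 + (v >> 10), 0xdc00 + (v & 0x3ff));
  }
  return String.fromCharCode(...units);
}

// Decodes a string back to code points; for-of iterates by code point, so a
// surrogate pair comes back as a single value.
function toCodePoints(str) {
  return [...str].map((ch) => ch.codePointAt(0));
}

// True when the reference and the built-in produce the same string, or throw
// the same error type, for one argument list.
function agreesWithBuiltin(...args) {
  let ref;
  let builtin;
  try { ref = fromCodePointReference(...args); } catch (e) { ref = e.name; }
  try { builtin = String.fromCodePoint(...args); } catch (e) { builtin = e.name; }
  return ref === builtin;
}

// Constructed sample inputs: BMP, astral, boundary and invalid values.
const SAMPLE_CASES = [
  [], [0x41], [0x41, 0x42], [0xffff], [0x10000], [0x1f600], [0x10ffff],
  ["65"], [1.5], [-1], [0x110000], [NaN], [Infinity], [null], [undefined],
];

function allAgree() {
  return SAMPLE_CASES.every((args) => agreesWithBuiltin(...args));
}

// Usage: show the surrogate pair for U+1F600 and the round trip.
const smiley = fromCodePointReference(0x1f600);
console.log(JSON.stringify(smiley), toCodePoints(smiley));
console.log("agrees with built-in on all cases:", allAgree());
```

Note that the range check accepts strings such as "65" because ToNumber runs first, and rejects 1.5 even though it is in range, because the spec requires an integer; both behaviours match the built-in.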
2015-04-25 Martin Robinson <mrobinson@igalia.com>

Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS
https://bugs.webkit.org/show_bug.cgi?id=144182

Reviewed by Simon Fraser.

* Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS.

2015-04-25 Mark Lam <mark.lam@apple.com>

mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit.
https://bugs.webkit.org/show_bug.cgi?id=144152

Reviewed by Filip Pizlo.

Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse,
StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering
OSR exits. This was overlooked in the original code.

While only the ObjectOrOtherUse kind is relevant for manifesting this bug with
the Branch node, the other 3 may also trigger the same bug for other nodes.
To prevent this bug from manifesting with other nodes (and future ones that
are yet to be added to mayExit()'s "potential won't exit" set), we fix the
EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse).

Also added a test to exercise a code path that will trigger this bug with
the Branch node before the fix is applied.

* dfg/DFGMayExit.cpp:
* tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added.
(inlinedFunction):
(foo):

2015-04-24 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r183288.
https://bugs.webkit.org/show_bug.cgi?id=144189

Made js/sort-with-side-effecting-comparisons.html time out in
debug builds (Requested by ap on #webkit).

Reverted changeset:

"It shouldn't take 1846 lines of code and 5 FIXMEs to sort an
array."
https://bugs.webkit.org/show_bug.cgi?id=144013
http://trac.webkit.org/changeset/183288

2015-04-24 Filip Pizlo <fpizlo@apple.com>

CRASH in operationCreateDirectArgumentsDuringExit()
https://bugs.webkit.org/show_bug.cgi?id=143962

Reviewed by Geoffrey Garen.

We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
recoverable so long as they are live. Therefore, OSR exit should track liveness of
constants instead of assuming that they are always live.

* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::noticeOSRBirth):
(JSC::DFG::GenerationInfo::appendBirth):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGVariableEvent.cpp:
(JSC::DFG::VariableEvent::dump):
* dfg/DFGVariableEvent.h:
(JSC::DFG::VariableEvent::birth):
(JSC::DFG::VariableEvent::id):
(JSC::DFG::VariableEvent::dataFormat):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
(foo):
(bar):
* tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
(foo):
(bar):

2015-04-24 Benjamin Poulain <bpoulain@apple.com>

[JSC] When inserting a NaN into an Int32 array, we convert it to DoubleArray then to ContiguousArray
https://bugs.webkit.org/show_bug.cgi?id=144169

Reviewed by Geoffrey Garen.

* runtime/JSObject.cpp:
(JSC::JSObject::convertInt32ForValue):
DoubleArray does not store NaN; NaN is used for holes.
What happened was:
1) We fail to insert the NaN in the Int32 array because it is a double.
2) We were converting the array to DoubleArray.
3) We were trying to insert the value again. We would fail again because
DoubleArray does not store NaN.
4) We would convert the DoubleArray to Contiguous Array, converting the values
to boxed values.

* tests/stress/int32array-transition-on-nan.js: Added.
The behavior is not really observable. This only tests that nothing crashes in those
cases.

(insertNaNWhileFilling):
(testInsertNaNWhileFilling):
(insertNaNAfterFilling):
(testInsertNaNAfterFilling):
(pushNaNWhileFilling):
(testPushNaNWhileFilling):

2015-04-21 Geoffrey Garen <ggaren@apple.com>

It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
https://bugs.webkit.org/show_bug.cgi?id=144013

Reviewed by Mark Lam.

This patch implements Array.prototype.sort in JavaScript, removing the
C++ implementations. It is simpler and less error-prone to express our
operations in JavaScript, which provides memory safety, exception safety,
and recursion safety.

The performance result is mixed, but net positive in my opinion. It's
difficult to enumerate all the results, since we used to have so many
different sorting modes, and there are lots of different data patterns
across which you might want to measure sorting. Suffice it to say:

(*) The benchmarks we track are faster or unchanged.

(*) Sorting random input using a comparator -- which we think is
common -- is 3X faster.

(*) Sorting random input in a non-array object -- which jQuery does
-- is 4X faster.

(*) Sorting random input in a compact array of integers using a
trivial pattern-matchable comparator is 2X *slower*.

* builtins/Array.prototype.js:
(sort.min):
(sort.stringComparator):
(sort.compactSparse): Special case compaction for sparse arrays because
we don't want to hang when sorting new Array(BIG).

(sort.compact):
(sort.merge):
(sort.mergeSort): Use merge sort because it's a reasonably efficient
stable sort. We have evidence that some sites depend on stable sort,
even though the ES6 spec does not mandate it. (See
<http://trac.webkit.org/changeset/33967>.)

This is a textbook implementation of merge sort with three optimizations:

(1) Use iteration instead of recursion;

(2) Use array subscripting instead of array copying in order to
create logical sub-lists without creating physical sub-lists;

(3) Swap src and dst at each iteration instead of copying src into
dst, and only copy src into the subject array at the end if src is
not the subject array.

(sort.inflate):
(sort.comparatorSort):
(sort): Sort in JavaScript for the win.

* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
names so we can use helper functions.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::isNumericCompareFunction): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
(JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionNode::emitBytecode): We don't do this special casing based
on pattern matching anymore. This was mainly an optimization to avoid
the overhead of calling from C++ to JS, which we now avoid by
sorting in JS.

* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::pushTempSortVector): Deleted.
(JSC::Heap::popTempSortVector): Deleted.
(JSC::Heap::visitTempSortVectors): Deleted.
* heap/Heap.h: We don't have temp sort vectors anymore because we sort
in JavaScript using a normal JavaScript array for our temporary storage.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner): Allow capturing so we can use
helper functions.

* runtime/ArrayPrototype.cpp:
(JSC::isNumericCompareFunction): Deleted.
(JSC::attemptFastSort): Deleted.
(JSC::performSlowSort): Deleted.
(JSC::arrayProtoFuncSort): Deleted.

* runtime/CommonIdentifiers.h: New strings used by sort.

* runtime/JSArray.cpp:
(JSC::compareNumbersForQSortWithInt32): Deleted.
(JSC::compareNumbersForQSortWithDouble): Deleted.
(JSC::compareNumbersForQSort): Deleted.
(JSC::compareByStringPairForQSort): Deleted.
(JSC::JSArray::sortNumericVector): Deleted.
(JSC::JSArray::sortNumeric): Deleted.
(JSC::ContiguousTypeAccessor::getAsValue): Deleted.
(JSC::ContiguousTypeAccessor::setWithValue): Deleted.
(JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
(JSC::ContiguousTypeAccessor<ArrayWithDouble>::getAsValue): Deleted.
(JSC::ContiguousTypeAccessor<ArrayWithDouble>::setWithValue): Deleted.
(JSC::ContiguousTypeAccessor<ArrayWithDouble>::replaceDataReference): Deleted.
(JSC::JSArray::sortCompactedVector): Deleted.
(JSC::JSArray::sort): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
(JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
(JSC::JSArray::sortVector): Deleted.
(JSC::JSArray::compactForSorting): Deleted.
10764 * runtime/JSArray.h:
10765
10766 * runtime/JSGlobalObject.cpp:
10767 (JSC::JSGlobalObject::init):
10768 * runtime/ObjectConstructor.cpp:
10769 (JSC::ObjectConstructor::finishCreation): Provide some builtins used
10770 by sort.
10771
10772 2015-04-24 Matthew Mirman <mmirman@apple.com>
10773
10774 Made Object.prototype.__proto__ native getter and setter check that the this object is not null or undefined
10775 https://bugs.webkit.org/show_bug.cgi?id=141865
10776 rdar://problem/19927273
10777
10778 Reviewed by Filip Pizlo.
10779
10780 * runtime/JSGlobalObjectFunctions.cpp:
10781 (JSC::globalFuncProtoGetter):
10782 (JSC::globalFuncProtoSetter):
10783
10784 2015-04-23 Benjamin Poulain <bpoulain@apple.com>
10785
10786 Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt()
10787 https://bugs.webkit.org/show_bug.cgi?id=144118
10788
10789 Reviewed by Geoffrey Garen.
10790
10791 * dfg/DFGGraph.h:
10792 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
10793 Both blocks do the same thing.
10794
10795 2015-04-23 Joseph Pecoraro <pecoraro@apple.com>
10796
10797 Web Inspector: Speculative fix for non-main thread auto-attach failures
10798 https://bugs.webkit.org/show_bug.cgi?id=144134
10799
10800 Reviewed by Timothy Hatcher.
10801
10802 * inspector/remote/RemoteInspector.mm:
10803 (Inspector::RemoteInspector::singleton):
10804
10805 2015-04-23 Basile Clement <basile_clement@apple.com>
10806
10807 Allow function allocation sinking
10808 https://bugs.webkit.org/show_bug.cgi?id=144016
10809
10810 Reviewed by Filip Pizlo.
10811
10812 This adds the ability to sink function allocations in the
10813 DFGObjectAllocationSinkingPhase.
10814
10815 In order to enable this, we add a new PhantomNewFunction node that is
10816 used similarly to the PhantomNewObject node, i.e. as a placeholder to replace
10817 a sunk NewFunction and keep track of the allocations that have to be performed
10818 in case of OSR exit after the sunk allocation but before the real one.
10819 The FunctionExecutable and JSLexicalEnvironment (activation) of the function
10820 are stored onto the PhantomNewFunction through PutHints in order for them
10821 to be recovered on OSR exit.
10822
10823 Contrary to sunk object allocations, sunk function allocations do not
10824 support any kind of operations (e.g. storing into a field); any such operation
10825 will mark the function allocation as escaping and trigger materialization. As
10826 such, function allocations can only be sunk to places where it would have been
10827 correct to syntactically move them, and we don't need a special
10828 MaterializeNewFunction node to recover possible operations on the function. A
10829 sunk NewFunction node will simply create new NewFunction nodes, then replace
10830 itself with a PhantomNewFunction node.
10831
10832 In itself, this change is not expected to have a significant impact on
10833 performance other than in degenerate cases (see e.g.
10834 JSRegress/sink-function), but it is a step towards being able to sink recursive
10835 closures once we support CreateActivation sinking as well as allocation cycles
10836 sinking.
10837
10838 * dfg/DFGAbstractInterpreterInlines.h:
10839 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
10840 * dfg/DFGClobberize.h:
10841 (JSC::DFG::clobberize):
10842 * dfg/DFGDoesGC.cpp:
10843 (JSC::DFG::doesGC):
10844 * dfg/DFGFixupPhase.cpp:
10845 (JSC::DFG::FixupPhase::fixupNode):
10846 * dfg/DFGNode.h:
10847 (JSC::DFG::Node::convertToPhantomNewFunction):
10848 (JSC::DFG::Node::isPhantomAllocation):
10849 * dfg/DFGNodeType.h:
10850 * dfg/DFGObjectAllocationSinkingPhase.cpp:
10851 (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
10852 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
10853 (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
10854 (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
10855 * dfg/DFGPredictionPropagationPhase.cpp:
10856 (JSC::DFG::PredictionPropagationPhase::propagate):
10857 * dfg/DFGPromotedHeapLocation.cpp:
10858 (WTF::printInternal):
10859 * dfg/DFGPromotedHeapLocation.h:
10860 * dfg/DFGSafeToExecute.h:
10861 (JSC::DFG::safeToExecute):
10862 * dfg/DFGSpeculativeJIT32_64.cpp:
10863 (JSC::DFG::SpeculativeJIT::compile):
10864 * dfg/DFGSpeculativeJIT64.cpp:
10865 (JSC::DFG::SpeculativeJIT::compile):
10866 * dfg/DFGValidate.cpp:
10867 (JSC::DFG::Validate::validateCPS):
10868 * ftl/FTLCapabilities.cpp:
10869 (JSC::FTL::canCompile):
10870 * ftl/FTLLowerDFGToLLVM.cpp:
10871 (JSC::FTL::LowerDFGToLLVM::compileNode):
10872 * ftl/FTLOperations.cpp:
10873 (JSC::FTL::operationMaterializeObjectInOSR):
10874 * tests/stress/function-sinking-no-double-allocate.js: Added.
10875 (call):
10876 (.f):
10877 (sink):
10878 * tests/stress/function-sinking-osrexit.js: Added.
10879 (.g):
10880 (sink):
10881 * tests/stress/function-sinking-put.js: Added.
10882 (.g):
10883 (sink):
10884
10885 2015-04-23 Basile Clement <basile_clement@apple.com>
10886
10887 Make FunctionRareData allocation thread-safe
10888 https://bugs.webkit.org/show_bug.cgi?id=144001
10889
10890 Reviewed by Mark Lam.
10891
10892 The two things we want to prevent are:
10893
10894 1. A thread seeing a pointer to a not-yet-fully-created rare data from
10895 a JSFunction
10896 2. A thread seeing a pointer to a not-yet-fully-created Structure from
10897 an ObjectAllocationProfile
10898
10899 For 1., only the JS thread can be creating the rare data (in
10900 runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to
10901 worry about concurrent writes, and we don't need any fences when *reading* the
10902 rare data from the JS thread. Thus we only need a storeStoreFence between the
10903 rare data creation and assignment to m_rareData in
10904 JSFunction::createAndInitializeRareData() to ensure that when the store to
10905 m_rareData is issued, the rare data has been properly created.
10906
10907 For the DFG compilation threads, the only place they can access the
10908 rare data is through JSFunction::rareData(), and so we only need a
10909 loadLoadFence there to ensure that when we see a non-null pointer in
10910 m_rareData, the pointed object will be seen as a fully created
10911 FunctionRareData.
10912
10913
10914 For 2., the structure is created in
10915 ObjectAllocationProfile::initialize() (which appears to be called only by the
10916 JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization,
10917 which always happen in the JS thread), and read through
10918 ObjectAllocationProfile::structure() and
10919 ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we
10920 put a storeStoreFence in ObjectAllocationProfile::initialize() and a
10921 loadLoadFence in ObjectAllocationProfile::structure() (and change
10922 ObjectAllocationProfile::inlineCapacity() to go through
10923 ObjectAllocationProfile::structure()).
10924
10925 We don't need a fence in ObjectAllocationProfile::clear() because
10926 clearing the structure is already as atomic as it gets.
10927
10928 Finally, notice that we don't care about the ObjectAllocationProfile's
10929 m_allocator as that is only used by ObjectAllocationProfile::initialize() and
10930 ObjectAllocationProfile::clear() that are always run in the JS thread.
10931 ObjectAllocationProfile::isNull() could cause some trouble, but it is
10932 currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS
10933 thread. Doing isNull()-style pre-checks would be wrong in any other concurrent
10934 thread anyway.
10935
10936 * bytecode/ObjectAllocationProfile.h:
10937 (JSC::ObjectAllocationProfile::initialize):
10938 (JSC::ObjectAllocationProfile::structure):
10939 (JSC::ObjectAllocationProfile::inlineCapacity):
10940 * runtime/JSFunction.cpp:
10941 (JSC::JSFunction::allocateAndInitializeRareData):
10942 * runtime/JSFunction.h:
10943 (JSC::JSFunction::rareData):
10944 (JSC::JSFunction::allocationStructure): Deleted.
10945 This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data.
10946
10947 2015-04-22 Filip Pizlo <fpizlo@apple.com>
10948
10949 DFG should insert Phantoms late using BytecodeKills and block-local OSR availability
10950 https://bugs.webkit.org/show_bug.cgi?id=143735
10951
10952 Reviewed by Geoffrey Garen.
10953
10954 We've always had bugs arising from the fact that we would MovHint something into a local,
10955 and then fail to keep it alive. We would then try to keep things alive by putting Phantoms
10956 on those Nodes that were MovHinted. But this became increasingly tricky. Given the
10957 sophistication of the transformations we are doing today, this approach is just not sound
10958 anymore.
10959
10960 This comprehensively fixes these bugs by having the DFG backend automatically insert
10961 Phantoms just before codegen based on bytecode liveness. To make this practical, this also
10962 makes it much faster to query bytecode liveness.
10963
10964 It's about as perf-neutral as it gets for a change that increases compiler work without
10965 actually optimizing anything. Later changes will remove the old Phantom-preserving logic,
10966 which should then speed us up. I can't really report concrete slow-down numbers because
10967 they are low enough to basically be in the noise. For example, a 20-iteration run of
10968 SunSpider yields "maybe 0.8% slower", whatever that means.
10969
10970 * CMakeLists.txt:
10971 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10972 * JavaScriptCore.xcodeproj/project.pbxproj:
10973 * bytecode/BytecodeLivenessAnalysis.cpp:
10974 (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
10975 * bytecode/FullBytecodeLiveness.h:
10976 (JSC::FullBytecodeLiveness::getLiveness):
10977 * bytecode/VirtualRegister.h:
10978 (JSC::VirtualRegister::operator+):
10979 (JSC::VirtualRegister::operator-):
10980 * dfg/DFGForAllKills.h:
10981 (JSC::DFG::forAllLiveNodesAtTail):
10982 (JSC::DFG::forAllKilledOperands):
10983 (JSC::DFG::forAllKilledNodesAtNodeIndex):
10984 * dfg/DFGGraph.cpp:
10985 (JSC::DFG::Graph::isLiveInBytecode):
10986 (JSC::DFG::Graph::localsLiveInBytecode):
10987 * dfg/DFGGraph.h:
10988 (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
10989 (JSC::DFG::Graph::forAllLiveInBytecode):
10990 * dfg/DFGMayExit.cpp:
10991 (JSC::DFG::mayExit):
10992 * dfg/DFGMovHintRemovalPhase.cpp:
10993 * dfg/DFGNodeType.h:
10994 * dfg/DFGPhantomInsertionPhase.cpp: Added.
10995 (JSC::DFG::performPhantomInsertion):
10996 * dfg/DFGPhantomInsertionPhase.h: Added.
10997 * dfg/DFGPlan.cpp:
10998 (JSC::DFG::Plan::compileInThreadImpl):
10999 * dfg/DFGScoreBoard.h:
11000 (JSC::DFG::ScoreBoard::sortFree):
11001 (JSC::DFG::ScoreBoard::assertClear):
11002 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
11003 (JSC::DFG::VirtualRegisterAllocationPhase::run):
11004 * ftl/FTLLowerDFGToLLVM.cpp:
11005 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
11006 * tests/stress/phantom-inadequacy.js: Added.
11007 (bar):
11008 (baz):
11009 (foo):
11010
11011 2015-04-23 Filip Pizlo <fpizlo@apple.com>
11012
11013 Rename HardPhantom to MustGenerate.
11014
11015 Rubber stamped by Geoffrey Garen.
11016
11017 We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom
11018 is more than that; it's a utility for forcing the execution of otherwise killable nodes.
11019 NodeMustGenerate is the flag we use to indicate that something isn't killable. So this
11020 node should just be called MustGenerate.
11021
11022 * dfg/DFGAbstractInterpreterInlines.h:
11023 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11024 * dfg/DFGArgumentsEliminationPhase.cpp:
11025 * dfg/DFGClobberize.h:
11026 (JSC::DFG::clobberize):
11027 * dfg/DFGDCEPhase.cpp:
11028 (JSC::DFG::DCEPhase::run):
11029 * dfg/DFGDoesGC.cpp:
11030 (JSC::DFG::doesGC):
11031 * dfg/DFGFixupPhase.cpp:
11032 (JSC::DFG::FixupPhase::fixupNode):
11033 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
11034 * dfg/DFGIntegerCheckCombiningPhase.cpp:
11035 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
11036 * dfg/DFGMayExit.cpp:
11037 (JSC::DFG::mayExit):
11038 * dfg/DFGNode.h:
11039 (JSC::DFG::Node::willHaveCodeGenOrOSR):
11040 * dfg/DFGNodeType.h:
11041 * dfg/DFGObjectAllocationSinkingPhase.cpp:
11042 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
11043 * dfg/DFGPhantomCanonicalizationPhase.cpp:
11044 (JSC::DFG::PhantomCanonicalizationPhase::run):
11045 * dfg/DFGPhantomRemovalPhase.cpp:
11046 (JSC::DFG::PhantomRemovalPhase::run):
11047 * dfg/DFGPredictionPropagationPhase.cpp:
11048 (JSC::DFG::PredictionPropagationPhase::propagate):
11049 * dfg/DFGSafeToExecute.h:
11050 (JSC::DFG::safeToExecute):
11051 * dfg/DFGSpeculativeJIT32_64.cpp:
11052 (JSC::DFG::SpeculativeJIT::compile):
11053 * dfg/DFGSpeculativeJIT64.cpp:
11054 (JSC::DFG::SpeculativeJIT::compile):
11055 * dfg/DFGTypeCheckHoistingPhase.cpp:
11056 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
11057 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
11058 * dfg/DFGVarargsForwardingPhase.cpp:
11059 * ftl/FTLCapabilities.cpp:
11060 (JSC::FTL::canCompile):
11061 * ftl/FTLLowerDFGToLLVM.cpp:
11062 (JSC::FTL::LowerDFGToLLVM::compileNode):
11063
11064 2015-04-23 Jordan Harband <ljharb@gmail.com>
11065
11066 Implement `Object.assign`
11067 https://bugs.webkit.org/show_bug.cgi?id=143980
11068
11069 Reviewed by Filip Pizlo.
11070
11071 per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign
11072
11073 * builtins/ObjectConstructor.js: Added.
11074 (assign):
11075 * runtime/CommonIdentifiers.h:
11076 * runtime/JSGlobalObject.cpp:
11077 (JSC::JSGlobalObject::init):
11078 * runtime/ObjectConstructor.cpp:
11079 * runtime/ObjectConstructor.h:
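The spec steps the entry links to, written out as an added example in plain JavaScript. This is not the builtins/ObjectConstructor.js that the entry adds; `objectAssign` is this example's own name. It follows the draft's order: ToObject on the target, skip null and undefined sources, walk own keys (strings, then symbols), copy only enumerable own properties, and use Get and Set so accessors on source and target run and a failed write throws.

```javascript
// Added example, not JavaScriptCore's builtin: Object.assign per the ES6 draft.
function objectAssign(target) {
  'use strict'; // so that a [[Set]] that returns false (e.g. frozen target) throws
  // Step 1: ToObject(target) throws for null/undefined.
  if (target === null || target === undefined)
    throw new TypeError('Object.assign requires that input parameter not be null or undefined');
  const to = Object(target);
  // Step 2-3: with no sources there is nothing to copy.
  for (let i = 1; i < arguments.length; i++) {
    const nextSource = arguments[i];
    // Step 4.a: null/undefined sources contribute no keys.
    if (nextSource === null || nextSource === undefined) continue;
    const from = Object(nextSource);
    // [[OwnPropertyKeys]] order: string keys first, then symbol keys.
    const keys = Object.getOwnPropertyNames(from).concat(Object.getOwnPropertySymbols(from));
    for (const key of keys) {
      const desc = Object.getOwnPropertyDescriptor(from, key);
      // Only enumerable own properties are copied.
      if (desc === undefined || !desc.enumerable) continue;
      // Get(from, key) runs source getters; Set(to, key, v, true) runs target
      // setters and, in strict code, throws where the write is rejected.
      const propValue = from[key];
      to[key] = propValue;
    }
  }
  return to;
}
```

Note the difference from a naive `for...in` copy: inherited properties are never copied, non-enumerable own properties are skipped, symbol keys are included, and a primitive source such as a string is boxed so its index properties are copied.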
11080
11081 2015-04-22 Filip Pizlo <fpizlo@apple.com>
11082
11083 Unreviewed, fix debug build.
11084
11085 * dfg/DFGGraph.h:
11086 (JSC::DFG::Graph::performSubstitutionForEdge):
11087
11088 2015-04-22 Filip Pizlo <fpizlo@apple.com>
11089
11090 Nodes should have an optional epoch field
11091 https://bugs.webkit.org/show_bug.cgi?id=144084
11092
11093 Reviewed by Ryosuke Niwa and Mark Lam.
11094
11095 This makes it easier to do epoch-based analyses on nodes. I plan to do just that in
11096 https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet
11097 used.
11098
11099 * dfg/DFGCPSRethreadingPhase.cpp:
11100 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
11101 * dfg/DFGCSEPhase.cpp:
11102 * dfg/DFGEpoch.h:
11103 (JSC::DFG::Epoch::fromUnsigned):
11104 (JSC::DFG::Epoch::toUnsigned):
11105 * dfg/DFGGraph.cpp:
11106 (JSC::DFG::Graph::clearReplacements):
11107 (JSC::DFG::Graph::clearEpochs):
11108 * dfg/DFGGraph.h:
11109 (JSC::DFG::Graph::performSubstitutionForEdge):
11110 * dfg/DFGNode.h:
11111 (JSC::DFG::Node::Node):
11112 (JSC::DFG::Node::replaceWith):
11113 (JSC::DFG::Node::replacement):
11114 (JSC::DFG::Node::setReplacement):
11115 (JSC::DFG::Node::epoch):
11116 (JSC::DFG::Node::setEpoch):
11117 * dfg/DFGSSAConversionPhase.cpp:
11118 (JSC::DFG::SSAConversionPhase::run):
11119
11120 2015-04-22 Mark Lam <mark.lam@apple.com>
11121
11122 Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
11123 https://bugs.webkit.org/show_bug.cgi?id=143898
11124
11125 Reviewed by Filip Pizlo.
11126
11127 CodeBlock::dumpSource() will access SourceCode strings in a way that requires
11128 ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
11129 compilation threads because StringImpls are not thread safe. As a result, we get
11130 an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
11131 build.
11132
11133 This patch fixes the issue by only collecting the CodeBlock (and associated info)
11134 into a DeferredSourceDump record while compiling, and stashing it away in a
11135 deferredSourceDump list in the DeferredCompilationCallback object to be dumped
11136 later.
11137
11138 When compilation is done, the callback object will be notified that
11139 compilationDidComplete(). We will dump the SourceCode strings from there.
11140 Since compilationDidComplete() is guaranteed to only be called on the thread
11141 doing JS execution, it is safe to access the SourceCode strings there and ref
11142 their underlying StringImpls as needed.
11143
11144 * CMakeLists.txt:
11145 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11146 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11147 * JavaScriptCore.xcodeproj/project.pbxproj:
11148 * bytecode/DeferredCompilationCallback.cpp:
11149 (JSC::DeferredCompilationCallback::compilationDidComplete):
11150 (JSC::DeferredCompilationCallback::sourceDumpInfo):
11151 (JSC::DeferredCompilationCallback::dumpCompiledSources):
11152 * bytecode/DeferredCompilationCallback.h:
11153 * bytecode/DeferredSourceDump.cpp: Added.
11154 (JSC::DeferredSourceDump::DeferredSourceDump):
11155 (JSC::DeferredSourceDump::dump):
11156 * bytecode/DeferredSourceDump.h: Added.
11157 * dfg/DFGByteCodeParser.cpp:
11158 (JSC::DFG::ByteCodeParser::parseCodeBlock):
11159 * dfg/DFGDriver.cpp:
11160 (JSC::DFG::compileImpl):
11161
11162 2015-04-22 Benjamin Poulain <benjamin@webkit.org>
11163
11164 Implement String.codePointAt()
11165 https://bugs.webkit.org/show_bug.cgi?id=143934
11166
11167 Reviewed by Darin Adler.
11168
11169 This patch adds String.codePointAt() as defined by ES6.
11170 I opted for a C++ implementation for now.
11171
11172 * runtime/StringPrototype.cpp:
11173 (JSC::StringPrototype::finishCreation):
11174 (JSC::codePointAt):
11175 (JSC::stringProtoFuncCodePointAt):
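The ES6 semantics of codePointAt, shown as an added example in JavaScript rather than the C++ the entry lands in runtime/StringPrototype.cpp. `codePointAt(str, position)` is this example's own function that takes the string as an explicit argument instead of `this`; it covers the three cases a practitioner should test: a plain code unit, a lead/trail surrogate pair combined into one code point, and a lone or trailing lead surrogate returned as-is.

```javascript
// Added example, not JavaScriptCore's implementation: String.prototype.codePointAt per ES6.
function codePointAt(str, position) {
  // RequireObjectCoercible(this) then ToString(this).
  if (str === null || str === undefined)
    throw new TypeError('String.prototype.codePointAt called on null or undefined');
  const S = String(str);
  // ToInteger(position): NaN becomes 0, fractions are truncated toward zero.
  let pos = Number(position);
  pos = Number.isNaN(pos) ? 0 : Math.trunc(pos);
  const size = S.length;
  if (pos < 0 || pos >= size) return undefined;
  const first = S.charCodeAt(pos);
  // Not a lead surrogate, or no following unit: the code unit is the code point.
  if (first < 0xD800 || first > 0xDBFF || pos + 1 === size) return first;
  const second = S.charCodeAt(pos + 1);
  // A lead surrogate not followed by a trail surrogate is returned unchanged.
  if (second < 0xDC00 || second > 0xDFFF) return first;
  // UTF16Decode(lead, trail).
  return (first - 0xD800) * 0x400 + (second - 0xDC00) + 0x10000;
}
```

Unlike charCodeAt, the position still counts UTF-16 code units, so indexing the trail unit of a pair returns the bare trail surrogate; callers that iterate code points must advance by two after a value above 0xFFFF.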
11176
11177 2015-04-22 Mark Lam <mark.lam@apple.com>
11178
11179 SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
11180 https://bugs.webkit.org/show_bug.cgi?id=144067
11181
11182 Reviewed by Michael Saboff.
11183
11184 Currently, there are a few places where the JSObject that owns the
11185 SparseArrayValueMap is designated as the owner of the SparseArrayEntry
11186 write barrier. This is a bug and can result in the GC collecting the
11187 SparseArrayEntry even though it is being referenced by the
11188 SparseArrayValueMap. This patch fixes the bug.
11189
11190 * runtime/JSObject.cpp:
11191 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
11192 (JSC::JSObject::putIndexedDescriptor):
11193 * tests/stress/sparse-array-entry-update-144067.js: Added.
11194 (useMemoryToTriggerGCs):
11195 (foo):
11196
11197 2015-04-22 Mark Lam <mark.lam@apple.com>
11198
11199 Give the heap object iterators the ability to return early.
11200 https://bugs.webkit.org/show_bug.cgi?id=144011
11201
11202 Reviewed by Michael Saboff.
11203
11204 JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate
11205 candidate cell pointers, and, when in use, is called a lot more often than
11206 the normal way those iterators are used. As a result, I see my instrumented
11207 VM killed with a SIGXCPU (CPU time limit exceeded). This patch gives the
11208 callback functor the ability to tell the iterators to return early when the
11209 functor no longer needs to continue iterating. With this, my instrumented
11210 VM is useful again for debugging.
11211
11212 Since heap iteration is not something that we do in a typical fast path,
11213 I don't expect this to have any noticeable impact on performance.
11214
11215 I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since
11216 it checks JSCell addresses, not just JSObjects.
11217
11218 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11219 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11220 * JavaScriptCore.xcodeproj/project.pbxproj:
11221 * debugger/Debugger.cpp:
11222 * heap/GCLogging.cpp:
11223 (JSC::LoggingFunctor::operator()):
11224 * heap/Heap.cpp:
11225 (JSC::Zombify::visit):
11226 (JSC::Zombify::operator()):
11227 * heap/HeapStatistics.cpp:
11228 (JSC::StorageStatistics::visit):
11229 (JSC::StorageStatistics::operator()):
11230 * heap/HeapVerifier.cpp:
11231 (JSC::GatherLiveObjFunctor::visit):
11232 (JSC::GatherLiveObjFunctor::operator()):
11233 * heap/MarkedBlock.cpp:
11234 (JSC::SetNewlyAllocatedFunctor::operator()):
11235 * heap/MarkedBlock.h:
11236 (JSC::MarkedBlock::forEachCell):
11237 (JSC::MarkedBlock::forEachLiveCell):
11238 (JSC::MarkedBlock::forEachDeadCell):
11239 * heap/MarkedSpace.h:
11240 (JSC::MarkedSpace::forEachLiveCell):
11241 (JSC::MarkedSpace::forEachDeadCell):
11242 * inspector/agents/InspectorRuntimeAgent.cpp:
11243 (Inspector::TypeRecompiler::visit):
11244 (Inspector::TypeRecompiler::operator()):
11245 * runtime/IterationStatus.h: Added.
11246 * runtime/JSGlobalObject.cpp:
11247 * runtime/VM.cpp:
11248 (JSC::StackPreservingRecompiler::visit):
11249 (JSC::StackPreservingRecompiler::operator()):
11250 * tools/JSDollarVMPrototype.cpp:
11251 (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
11252 (JSC::CellAddressCheckFunctor::operator()):
11253 (JSC::JSDollarVMPrototype::isValidCell):
11254 (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): Deleted.
11255 (JSC::ObjectAddressCheckFunctor::operator()): Deleted.
11256
11257 2015-04-22 Yusuke Suzuki <utatane.tea@gmail.com>
11258
11259 [[Set]] should be properly executed in JS builtins
11260 https://bugs.webkit.org/show_bug.cgi?id=143996
11261
11262 Reviewed by Geoffrey Garen.
11263
11264 Currently, all assignments in builtins JS code are compiled into put_by_val_direct.
11265 However,
11266
11267 1. Some functions (like Array.from) need [[Set]] (but it is now compiled into put_by_val_direct, [[DefineOwnProperty]]).
11268 2. It's different from the default JS behavior.
11269
11270 In this patch, we implement the bytecode intrinsic emitting put_by_val_direct and use it explicitly.
11271 And drop the current hack for builtins.
11272
11273 * builtins/Array.prototype.js:
11274 (filter):
11275 (map):
11276 (find):
11277 * bytecompiler/BytecodeGenerator.cpp:
11278 (JSC::BytecodeGenerator::emitPutByVal):
11279 * tests/stress/array-fill-put-by-val.js: Added.
11280 (shouldThrow):
11281 (.set get array):
11282 * tests/stress/array-filter-put-by-val-direct.js: Added.
11283 (shouldBe):
11284 (.set get var):
11285 * tests/stress/array-find-does-not-lookup-twice.js: Added.
11286 (shouldBe):
11287 (shouldThrow):
11288 (.get shouldBe):
11289 * tests/stress/array-from-put-by-val-direct.js: Added.
11290 (shouldBe):
11291 (.set get var):
11292 * tests/stress/array-from-set-length.js: Added.
11293 (shouldBe):
11294 (ArrayLike):
11295 (ArrayLike.prototype.set length):
11296 (ArrayLike.prototype.get length):
11297 * tests/stress/array-map-put-by-val-direct.js: Added.
11298 (shouldBe):
11299 (.set get var):
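The observable difference between [[Set]] (put_by_val) and [[DefineOwnProperty]] (put_by_val_direct) that the entry's tests exercise, as an added example that is not part of the patch. `putByVal`, `putByValDirect` and `compareBuiltins` are this example's own names. The last function patches `Array.prototype` with an indexed setter for the duration of the call (and removes it again) to show that a builtin using [[Set]], here `fill`, reaches an inherited setter while one using [[DefineOwnProperty]], here `map`, does not.

```javascript
// Added example, not JavaScriptCore code: [[Set]] versus [[DefineOwnProperty]].

// [[Set]]: what `obj[key] = value` does. Walks the prototype chain and runs an
// inherited setter, or refuses the write if an inherited property is read-only.
function putByVal(obj, key, value) {
  obj[key] = value;
  return obj;
}

// [[DefineOwnProperty]]: what put_by_val_direct does. Creates or overwrites an
// own data property on the receiver without consulting the prototype chain.
function putByValDirect(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return obj;
}

// Count how often an inherited indexed setter on Array.prototype fires for a
// builtin specified with Set (fill) versus one specified with
// CreateDataPropertyOrThrow (map). The prototype is restored in `finally`.
function compareBuiltins() {
  const hits = { fill: 0, map: 0 };
  let current = null;
  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    set(v) {
      hits[current]++;
      // Shadow the accessor so the element is still readable afterwards.
      Object.defineProperty(this, '0', {
        value: v, writable: true, enumerable: true, configurable: true,
      });
    },
  });
  try {
    current = 'fill';
    new Array(1).fill(7);   // index 0 is a hole, so [[Set]] reaches the setter
    current = 'map';
    [7].map(x => x);        // result element is defined, setter bypassed
  } finally {
    delete Array.prototype[0];
  }
  return hits;
}
```

This is why a builtin compiled with the wrong operation is a correctness problem and not just a performance one: user code that installs accessors on `Array.prototype` or on an array-like's `length` can observe, and run during, the builtin's writes when the spec says [[Set]], and must not be able to when the spec says [[DefineOwnProperty]].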
11300
11301 2015-04-22 Basile Clement <basile_clement@apple.com>
11302
11303 Don't de-allocate FunctionRareData
11304 https://bugs.webkit.org/show_bug.cgi?id=144000
11305
11306 Reviewed by Michael Saboff.
11307
11308 A function's rare data (containing most notably its allocation profile) is currently
11309 freed and re-allocated each time the function's prototype is cleared.
11310 This is not optimal as it means we are invalidating the watchpoint and recompiling the
11311 scope each time the prototype is cleared.
11312
11313 This makes it so that a single rare data is reused, clearing the underlying
11314 ObjectAllocationProfile instead of throwing away the whole rare data on
11315 .prototype updates.
11316
11317 * runtime/FunctionRareData.cpp:
11318 (JSC::FunctionRareData::create):
11319 (JSC::FunctionRareData::finishCreation):
11320 * runtime/FunctionRareData.h:
11321 * runtime/JSFunction.cpp:
11322 (JSC::JSFunction::allocateAndInitializeRareData):
11323 (JSC::JSFunction::initializeRareData):
11324
11325 2015-04-21 Filip Pizlo <fpizlo@apple.com>
11326
11327 Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well.
11328
11329 * dfg/DFGSpeculativeJIT32_64.cpp:
11330 (JSC::DFG::SpeculativeJIT::compile):
11331
11332 2015-04-21 Filip Pizlo <fpizlo@apple.com>
11333
11334 DFG should allow Phantoms after terminals
11335 https://bugs.webkit.org/show_bug.cgi?id=126778
11336
11337 Reviewed by Mark Lam.
11338
11339 It's important for us to be able to place liveness-marking nodes after nodes that do
11340 things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after
11341 terminals. That made things awkward, especially for Switch and Branch, which may do
11342 things that necessitate liveness markers (for example they might want to use a converted
11343 version of a value rather than the value that was MovHinted). We previously made this
11344 work by disallowing certain optimizations on Switch and Branch, which was probably a bad
11345 thing.
11346
11347 This changes our IR to allow for the terminal to not be the last node in a block. Asking
11348 for the terminal involves a search. DFG::validate() checks that the nodes after the
11349 terminal are liveness markers that have no effects or checks.
11350
11351 This is perf-neutral but will allow more optimizations in the future. It will also make
11352 it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735.
11353
11354 * dfg/DFGBasicBlock.cpp:
11355 (JSC::DFG::BasicBlock::replaceTerminal):
11356 * dfg/DFGBasicBlock.h:
11357 (JSC::DFG::BasicBlock::findTerminal):
11358 (JSC::DFG::BasicBlock::terminal):
11359 (JSC::DFG::BasicBlock::insertBeforeTerminal):
11360 (JSC::DFG::BasicBlock::numSuccessors):
11361 (JSC::DFG::BasicBlock::successor):
11362 (JSC::DFG::BasicBlock::successorForCondition):
11363 (JSC::DFG::BasicBlock::successors):
11364 (JSC::DFG::BasicBlock::last): Deleted.
11365 (JSC::DFG::BasicBlock::takeLast): Deleted.
11366 (JSC::DFG::BasicBlock::insertBeforeLast): Deleted.
11367 (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted.
11368 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted.
11369 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted.
11370 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted.
11371 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted.
11372 (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted.
11373 (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted.
11374 (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted.
11375 * dfg/DFGBasicBlockInlines.h:
11376 (JSC::DFG::BasicBlock::appendNonTerminal):
11377 (JSC::DFG::BasicBlock::replaceTerminal):
11378 * dfg/DFGByteCodeParser.cpp:
11379 (JSC::DFG::ByteCodeParser::addToGraph):
11380 (JSC::DFG::ByteCodeParser::inlineCall):
11381 (JSC::DFG::ByteCodeParser::handleInlining):
11382 (JSC::DFG::ByteCodeParser::parseBlock):
11383 (JSC::DFG::ByteCodeParser::linkBlock):
11384 (JSC::DFG::ByteCodeParser::parseCodeBlock):
11385 * dfg/DFGCFGSimplificationPhase.cpp:
11386 (JSC::DFG::CFGSimplificationPhase::run):
11387 (JSC::DFG::CFGSimplificationPhase::convertToJump):
11388 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
11389 * dfg/DFGCPSRethreadingPhase.cpp:
11390 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
11391 * dfg/DFGCommon.h:
11392 (JSC::DFG::NodeAndIndex::NodeAndIndex):
11393 (JSC::DFG::NodeAndIndex::operator!):
11394 * dfg/DFGFixupPhase.cpp:
11395 (JSC::DFG::FixupPhase::fixupBlock):
11396 (JSC::DFG::FixupPhase::fixupNode):
11397 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
11398 (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted.
11399 * dfg/DFGForAllKills.h:
11400 (JSC::DFG::forAllLiveNodesAtTail):
11401 * dfg/DFGGraph.cpp:
11402 (JSC::DFG::Graph::terminalsAreValid):
11403 (JSC::DFG::Graph::dumpBlockHeader):
11404 * dfg/DFGGraph.h:
11405 * dfg/DFGInPlaceAbstractState.cpp:
11406 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
11407 * dfg/DFGLICMPhase.cpp:
11408 (JSC::DFG::LICMPhase::run):
11409 (JSC::DFG::LICMPhase::attemptHoist):
11410 * dfg/DFGMovHintRemovalPhase.cpp:
11411 * dfg/DFGNode.h:
11412 (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable):
11413 (JSC::DFG::Node::SuccessorsIterable::iterator::iterator):
11414 (JSC::DFG::Node::SuccessorsIterable::iterator::operator*):
11415 (JSC::DFG::Node::SuccessorsIterable::iterator::operator++):
11416 (JSC::DFG::Node::SuccessorsIterable::iterator::operator==):
11417 (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=):
11418 (JSC::DFG::Node::SuccessorsIterable::begin):
11419 (JSC::DFG::Node::SuccessorsIterable::end):
11420 (JSC::DFG::Node::successors):
11421 * dfg/DFGObjectAllocationSinkingPhase.cpp:
11422 (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
11423 (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
11424 (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
11425 * dfg/DFGPhantomRemovalPhase.cpp:
11426 (JSC::DFG::PhantomRemovalPhase::run):
11427 * dfg/DFGPutStackSinkingPhase.cpp:
11428 * dfg/DFGSSAConversionPhase.cpp:
11429 (JSC::DFG::SSAConversionPhase::run):
11430 * dfg/DFGSpeculativeJIT.h:
11431 (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
11432 * dfg/DFGSpeculativeJIT32_64.cpp:
11433 (JSC::DFG::SpeculativeJIT::compile):
11434 * dfg/DFGSpeculativeJIT64.cpp:
11435 (JSC::DFG::SpeculativeJIT::compile):
11436 * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
11437 (JSC::DFG::StaticExecutionCountEstimationPhase::run):
11438 * dfg/DFGTierUpCheckInjectionPhase.cpp:
11439 (JSC::DFG::TierUpCheckInjectionPhase::run):
11440 * dfg/DFGValidate.cpp:
11441 (JSC::DFG::Validate::validate):
11442 * ftl/FTLLowerDFGToLLVM.cpp:
11443 (JSC::FTL::LowerDFGToLLVM::compileNode):
11444 * tests/stress/closure-call-exit.js: Added.
11445 (foo):
11446
11447 2015-04-21 Basile Clement <basile_clement@apple.com>
11448
11449 PhantomNewObject should be marked NodeMustGenerate
11450 https://bugs.webkit.org/show_bug.cgi?id=143974
11451
11452 Reviewed by Filip Pizlo.
11453
11454 * dfg/DFGNode.h:
11455 (JSC::DFG::Node::convertToPhantomNewObject):
11456 Was not properly marking NodeMustGenerate when converting.
11457
11458 2015-04-21 Filip Pizlo <fpizlo@apple.com>
11459
11460 DFG Call/ConstructForwardVarargs fails to restore the stack pointer
11461 https://bugs.webkit.org/show_bug.cgi?id=144007
11462
11463 Reviewed by Mark Lam.
11464
11465 We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
11466 if isForwardVarargs.
11467
11468 * dfg/DFGSpeculativeJIT32_64.cpp:
11469 (JSC::DFG::SpeculativeJIT::emitCall):
11470 * dfg/DFGSpeculativeJIT64.cpp:
11471 (JSC::DFG::SpeculativeJIT::emitCall):
11472 * tests/stress/varargs-then-slow-call.js: Added.
11473 (foo):
11474 (bar):
11475 (fuzz):
11476 (baz):
11477
114782015-04-21 Basile Clement <basile_clement@apple.com>
11479
11480 Remove AllocationProfileWatchpoint node
11481 https://bugs.webkit.org/show_bug.cgi?id=143999
11482
11483 Reviewed by Filip Pizlo.
11484
11485 * dfg/DFGAbstractInterpreterInlines.h:
11486 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
11487 * dfg/DFGByteCodeParser.cpp:
11488 (JSC::DFG::ByteCodeParser::parseBlock):
11489 * dfg/DFGClobberize.h:
11490 (JSC::DFG::clobberize):
11491 * dfg/DFGDoesGC.cpp:
11492 (JSC::DFG::doesGC):
11493 * dfg/DFGFixupPhase.cpp:
11494 (JSC::DFG::FixupPhase::fixupNode):
11495 * dfg/DFGHeapLocation.cpp:
11496 (WTF::printInternal):
11497 * dfg/DFGHeapLocation.h:
11498 * dfg/DFGNode.h:
11499 (JSC::DFG::Node::hasCellOperand):
11500 * dfg/DFGNodeType.h:
11501 * dfg/DFGPredictionPropagationPhase.cpp:
11502 (JSC::DFG::PredictionPropagationPhase::propagate):
11503 * dfg/DFGSafeToExecute.h:
11504 (JSC::DFG::safeToExecute):
11505 * dfg/DFGSpeculativeJIT32_64.cpp:
11506 (JSC::DFG::SpeculativeJIT::compile):
11507 * dfg/DFGSpeculativeJIT64.cpp:
11508 (JSC::DFG::SpeculativeJIT::compile):
11509 * dfg/DFGWatchpointCollectionPhase.cpp:
11510 (JSC::DFG::WatchpointCollectionPhase::handle):
11511 * ftl/FTLCapabilities.cpp:
11512 (JSC::FTL::canCompile):
11513 * ftl/FTLLowerDFGToLLVM.cpp:
11514 (JSC::FTL::LowerDFGToLLVM::compileNode):
11515 * runtime/JSFunction.h:
11516 (JSC::JSFunction::rareData):
11517 (JSC::JSFunction::allocationProfileWatchpointSet): Deleted.
11518
115192015-04-19 Filip Pizlo <fpizlo@apple.com>
11520
11521 MovHint should be a strong use
11522 https://bugs.webkit.org/show_bug.cgi?id=143734
11523
11524 Reviewed by Geoffrey Garen.
11525
11526 This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing
11527 so is a major step towards allowing more fancy DFG transformations and also probably fixing
11528 some bugs.
11529
11530 Just making MovHint a strong use would also completely disable DCE. So we mitigate this by
11531 introducing a MovHint removal phase that runs in FTL.
11532
11533 This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages.
11534
11535 * CMakeLists.txt:
11536 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11537 * JavaScriptCore.xcodeproj/project.pbxproj:
11538 * bytecode/CodeOrigin.cpp:
11539 (JSC::InlineCallFrame::dumpInContext):
11540 * dfg/DFGDCEPhase.cpp:
11541 (JSC::DFG::DCEPhase::fixupBlock):
11542 * dfg/DFGDisassembler.cpp:
11543 (JSC::DFG::Disassembler::createDumpList):
11544 * dfg/DFGEpoch.cpp: Added.
11545 (JSC::DFG::Epoch::dump):
11546 * dfg/DFGEpoch.h: Added.
11547 (JSC::DFG::Epoch::Epoch):
11548 (JSC::DFG::Epoch::first):
11549 (JSC::DFG::Epoch::operator!):
11550 (JSC::DFG::Epoch::next):
11551 (JSC::DFG::Epoch::bump):
11552 (JSC::DFG::Epoch::operator==):
11553 (JSC::DFG::Epoch::operator!=):
11554 * dfg/DFGMayExit.cpp:
11555 (JSC::DFG::mayExit):
11556 * dfg/DFGMovHintRemovalPhase.cpp: Added.
11557 (JSC::DFG::performMovHintRemoval):
11558 * dfg/DFGMovHintRemovalPhase.h: Added.
11559 * dfg/DFGNodeType.h:
11560 * dfg/DFGPlan.cpp:
11561 (JSC::DFG::Plan::compileInThreadImpl):
11562 * dfg/DFGSpeculativeJIT.cpp:
11563 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
11564 * dfg/DFGSpeculativeJIT64.cpp:
11565 (JSC::DFG::SpeculativeJIT::compile):
11566 * runtime/Options.h:
11567
115682015-04-21 Basile Clement <basile_clement@apple.com>
11569
11570 REGRESSION (r182899): icloud.com crashes
11571 https://bugs.webkit.org/show_bug.cgi?id=143960
11572
11573 Reviewed by Filip Pizlo.
11574
11575 * runtime/JSFunction.h:
11576 (JSC::JSFunction::allocationStructure):
11577 * tests/stress/dfg-rare-data.js: Added.
11578 (F): Regression test
11579
115802015-04-21 Michael Saboff <msaboff@apple.com>
11581
11582 Crash in JSC::Interpreter::execute
11583 https://bugs.webkit.org/show_bug.cgi?id=142625
11584
11585 Reviewed by Filip Pizlo.
11586
11587 We need to keep the FunctionExecutables in the code block for the eval flavor of
11588 Interpreter::execute() in order to create the scope used to eval.
11589
11590 * bytecode/CodeBlock.cpp:
11591 (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted.
11592 * bytecode/CodeBlock.h:
11593 * dfg/DFGGraph.cpp:
11594 (JSC::DFG::Graph::registerFrozenValues):
11595
115962015-04-21 Chris Dumez <cdumez@apple.com>
11597
11598 Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit
11599 https://bugs.webkit.org/show_bug.cgi?id=143970
11600
11601 Reviewed by Darin Adler.
11602
11603 Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)
11604 constructor explicit as it copies the vector and it is easy to call it
11605 by mistake.
11606
11607 * bytecode/UnlinkedInstructionStream.cpp:
11608 (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
11609 * bytecode/UnlinkedInstructionStream.h:
11610 * ftl/FTLLowerDFGToLLVM.cpp:
11611 (JSC::FTL::LowerDFGToLLVM::lower):
11612
116132015-04-20 Basile Clement <basile_clement@apple.com>
11614
11615 PhantomNewObject should be marked NodeMustGenerate
11616 https://bugs.webkit.org/show_bug.cgi?id=143974
11617
11618 Reviewed by Filip Pizlo.
11619
11620 * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate
11621
116222015-04-20 Joseph Pecoraro <pecoraro@apple.com>
11623
11624 Cleanup some StringBuilder use
11625 https://bugs.webkit.org/show_bug.cgi?id=143550
11626
11627 Reviewed by Darin Adler.
11628
11629 * runtime/Symbol.cpp:
11630 (JSC::Symbol::descriptiveString):
11631 * runtime/TypeProfiler.cpp:
11632 (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
11633 * runtime/TypeSet.cpp:
11634 (JSC::TypeSet::toJSONString):
11635 (JSC::StructureShape::propertyHash):
11636 (JSC::StructureShape::stringRepresentation):
11637 (JSC::StructureShape::toJSONString):
11638
116392015-04-20 Mark Lam <mark.lam@apple.com>
11640
11641 Add debugging tools to test if a given pointer is a valid object and in the heap.
11642 https://bugs.webkit.org/show_bug.cgi?id=143910
11643
11644 Reviewed by Geoffrey Garen.
11645
11646 When doing debugging from lldb, sometimes, it is useful to be able to tell if a
11647 purported JSObject is really a valid object in the heap or not. We can add the
11648 following utility functions to help:
11649 isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap.
11650 isInHeap(heap, candidate) - returns true if the candidate is the heap's Object space or Storage space.
11651 isInObjectSpace(heap, candidate) - returns true if the candidate is the heap's Object space.
11652 isInStorageSpace(heap, candidate) - returns true if the candidate is the heap's Storage space.
11653
11654 Also moved lldb callable debug utility function prototypes from
11655 JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the
11656 JSDollarVMPrototype class. This is so that we can conveniently #include that
11657 file to get the prototypes when we need to call them programmatically from
11658 instrumentation that we add while debugging an issue.
11659
11660 * heap/Heap.h:
11661 (JSC::Heap::storageSpace):
11662 * tools/JSDollarVMPrototype.cpp:
11663 (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
11664 (JSC::ensureCurrentThreadOwnsJSLock):
11665 (JSC::JSDollarVMPrototype::gc):
11666 (JSC::functionGC):
11667 (JSC::JSDollarVMPrototype::edenGC):
11668 (JSC::functionEdenGC):
11669 (JSC::JSDollarVMPrototype::isInHeap):
11670 (JSC::JSDollarVMPrototype::isInObjectSpace):
11671 (JSC::JSDollarVMPrototype::isInStorageSpace):
11672 (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor):
11673 (JSC::ObjectAddressCheckFunctor::operator()):
11674 (JSC::JSDollarVMPrototype::isValidCell):
11675 (JSC::JSDollarVMPrototype::isValidCodeBlock):
11676 (JSC::JSDollarVMPrototype::codeBlockForFrame):
11677 (JSC::functionCodeBlockForFrame):
11678 (JSC::codeBlockFromArg):
11679 (JSC::JSDollarVMPrototype::printCallFrame):
11680 (JSC::JSDollarVMPrototype::printStack):
11681 (JSC::JSDollarVMPrototype::printValue):
11682 (JSC::currentThreadOwnsJSLock): Deleted.
11683 (JSC::gc): Deleted.
11684 (JSC::edenGC): Deleted.
11685 (JSC::isValidCodeBlock): Deleted.
11686 (JSC::codeBlockForFrame): Deleted.
11687 (JSC::printCallFrame): Deleted.
11688 (JSC::printStack): Deleted.
11689 (JSC::printValue): Deleted.
11690 * tools/JSDollarVMPrototype.h:
11691
116922015-04-20 Joseph Pecoraro <pecoraro@apple.com>
11693
11694 Web Inspector: Improve Support for WeakSet in Console
11695 https://bugs.webkit.org/show_bug.cgi?id=143951
11696
11697 Reviewed by Darin Adler.
11698
11699 * inspector/InjectedScriptSource.js:
11700 * inspector/JSInjectedScriptHost.cpp:
11701 (Inspector::JSInjectedScriptHost::subtype):
11702 (Inspector::JSInjectedScriptHost::weakSetSize):
11703 (Inspector::JSInjectedScriptHost::weakSetEntries):
11704 * inspector/JSInjectedScriptHost.h:
11705 * inspector/JSInjectedScriptHostPrototype.cpp:
11706 (Inspector::JSInjectedScriptHostPrototype::finishCreation):
11707 (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
11708 (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
11709 Treat WeakSets like special sets.
11710
11711 * inspector/protocol/Runtime.json:
11712 Add a new object subtype, "weakset".
11713
117142015-04-20 Yusuke Suzuki <utatane.tea@gmail.com>
11715
11716 HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols
11717 https://bugs.webkit.org/show_bug.cgi?id=143947
11718
11719 Reviewed by Darin Adler.
11720
11721 Type profiler has map between PropertyKey (StringImpl*) and offset.
11722 StringImpl* is also used for Symbol PropertyKey.
11723 So equality of hash tables is considered by interned StringImpl*'s pointer value.
11724 To do so, use IdentifierRepHash instead of StringHash.
11725
11726 * runtime/SymbolTable.h:
11727
117282015-04-20 Jordan Harband <ljharb@gmail.com>
11729
11730 Implement `Object.is`
11731 https://bugs.webkit.org/show_bug.cgi?id=143865
11732
11733 Reviewed by Darin Adler.
11734
11735 Expose sameValue to JS, via Object.is
11736 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is
11737
11738 * runtime/ObjectConstructor.cpp:
11739 (JSC::objectConstructorIs):
11740 * runtime/PropertyDescriptor.cpp:
11741 (JSC::sameValue):
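
The SameValue algorithm that the entry above exposes as Object.is, written out as an added example (this is not JSC's sameValue from PropertyDescriptor.cpp, and the `cases` table is constructed for illustration). It shows the two places where SameValue disagrees with `===`: NaN compares equal to itself, and +0 and -0 are distinct. The hand-written version is checked against the engine's own Object.is on every case.

```javascript
// Added example, not JSC's PropertyDescriptor.cpp: the SameValue algorithm that
// Object.is exposes, spelled out in JS. It differs from === only for NaN
// (SameValue says equal) and for +0 versus -0 (SameValue says different).
function sameValue(x, y) {
  if (typeof x !== typeof y) return false;
  if (typeof x === "number") {
    if (Number.isNaN(x) && Number.isNaN(y)) return true;
    if (x === 0 && y === 0) return 1 / x === 1 / y; // +0 vs -0: Infinity vs -Infinity
    return x === y;
  }
  return x === y; // strings, booleans, symbols, null, undefined, objects: as ===
}

// Constructed edge cases, compared under ===, this sameValue, and the engine's Object.is.
const cases = [
  ["NaN, NaN", NaN, NaN],
  ["+0, -0", 0, -0],
  ["-0, -0", -0, -0],
  ["1, 1", 1, 1],
  ["'a', 'a'", "a", "a"],
  ["null, undefined", null, undefined],
  ["{}, {}", {}, {}],
];

function compareEquality() {
  return cases.map(([label, a, b]) => ({
    label,
    strictEquals: a === b,
    sameValue: sameValue(a, b),
    objectIs: Object.is(a, b),
  }));
}

// True when the hand-written algorithm agrees with the engine on every case.
function agreesWithObjectIs() {
  return compareEquality().every((r) => r.sameValue === r.objectIs);
}

console.table(compareEquality());
```

The `1 / x === 1 / y` trick is the usual way to tell signed zeros apart from JS, since `0 === -0` is true; everything that is not a number falls through to `===`, which already has identity semantics for objects and symbols.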

2015-04-19  Darin Adler  <darin@apple.com>

        Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=143941

        Reviewed by Gyuyoung Kim.

        * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData.
        * API/JSCallbackObjectFunctions.h: Ditto.

        * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the
        create function and the constructor and for m_impl.
        * API/ObjCCallbackFunction.mm:
        (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this
        class by using RetainPtr<Class>.
        (ArgumentTypeDelegate::typeInteger): Use make_unique.
        (ArgumentTypeDelegate::typeDouble): Ditto.
        (ArgumentTypeDelegate::typeBool): Ditto.
        (ArgumentTypeDelegate::typeVoid): Ditto.
        (ArgumentTypeDelegate::typeId): Ditto.
        (ArgumentTypeDelegate::typeOfClass): Ditto.
        (ArgumentTypeDelegate::typeBlock): Ditto.
        (ArgumentTypeDelegate::typeStruct): Ditto.
        (ResultTypeDelegate::typeInteger): Ditto.
        (ResultTypeDelegate::typeDouble): Ditto.
        (ResultTypeDelegate::typeBool): Ditto.
        (ResultTypeDelegate::typeVoid): Ditto.
        (ResultTypeDelegate::typeId): Ditto.
        (ResultTypeDelegate::typeOfClass): Ditto.
        (ResultTypeDelegate::typeBlock): Ditto.
        (ResultTypeDelegate::typeStruct): Ditto.
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use
        unique_ptr for the arguments to the constructor, m_arguments, and m_result.
        Use RetainPtr<Class> for m_instanceClass.
        (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0
        for non-Objective-C object pointer null.
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for
        the arguments to the constructor and for m_impl.
        (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments.
        (skipNumber): Mark this static since it's local to this source file.
        (objCCallbackFunctionForInvocation): Call parseObjCType without doing any
        explicit adoptPtr since the types in the traits are now unique_ptr. Also use
        nullptr instead of nil for JSObjectRef values.
        (objCCallbackFunctionForMethod): Tweaked comment.
        (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef.

        * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h.

        * heap/GCThread.cpp:
        (JSC::GCThread::GCThread): Use unique_ptr.
        * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for
        m_slotVisitor and m_copyVisitor.
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): Ditto.

        * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h.

2015-04-19  Benjamin Poulain  <benjamin@webkit.org>

        Improve the feature.json files

        * features.json:

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Introduce bytecode intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=143926

        Reviewed by Filip Pizlo.

        This patch introduces bytecode level intrinsics into builtins/*.js JS code.
        When implementing functions in builtins/*.js,
        sometimes we require lower-level functionality.

        For example, in the current Array.from, we use `result[k] = value`.
        The spec requires the `[[DefineOwnProperty]]` operation here.
        However, the usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`)
        So if we implement an `Array.prototype[k]` getter/setter, the difference is observable.

        Ideally, here we would like to use the put_by_val_direct bytecode.
        However, there's no syntax to generate it directly.

        This patch introduces bytecode level intrinsics into the JSC BytecodeCompiler.
        Like @call and @apply, we introduce a new node, Intrinsic.
        These are generated when calling appropriate private symbols in privileged code.
        The AST parser detects them and generates Intrinsic nodes, and
        the BytecodeCompiler detects those and generates the required bytecodes.

        Currently, the Array.from implementation works fine without this patch.
        This is because when the target code is builtin JS,
        BytecodeGenerator emits put_by_val_direct instead of put_by_val.
        This solves the above issue. However, instead of solving this issue,
        it raises another issue: there's no way to emit the `[[Set]]` operation.
        The `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`).
        So to implement it precisely, introducing bytecode level intrinsics is necessary.

        In subsequent fixes, we'll remove that special path emitting put_by_val_direct
        for `result[k] = value` under the builtin JS environment. Instead of that special handling,
        we will use bytecode intrinsics. This solves the problem and is more intuitive,
        because JS code written in builtins works the same as usual JS code.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayConstructor.js:
        (from):
        * bytecode/BytecodeIntrinsicRegistry.cpp: Added.
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h: Added.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/NodeConstructors.h:
        (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
        * parser/Nodes.h:
        (JSC::BytecodeIntrinsicNode::identifier):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry):
        * tests/stress/array-from-with-accessors.js: Added.
        (shouldBe):

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Make Builtin functions non-constructible
        https://bugs.webkit.org/show_bug.cgi?id=143923

        Reviewed by Darin Adler.

        Builtin functions defined by builtins/*.js accidentally have [[Construct]].
        According to the spec, these functions, except those explicitly defined as constructors, do not have [[Construct]].
        This patch fixes it. When the JS function used for a construction is a builtin function, throw a "not a constructor" error.

        Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
        However, to avoid calling getConstructData (it involves an indirect call through getConstructData's function pointer), some places do not check ConstructType.
        In these places, they only check that the target function is a JSFunction, because previously a JSFunction always had [[Construct]].
        So in this patch, we check `isBuiltinFunction()` in those places.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructData):
        * tests/stress/builtin-function-is-construct-type-none.js: Added.
        (shouldThrow):
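
What the fix above looks like from JS, as an added example that is not JSC code or the patch's test: `new` on a builtin such as Array.from must raise a TypeError rather than construct. The `isConstructor` helper is a hypothetical probe written for this example; it relies on Reflect.construct checking that `newTarget` has [[Construct]] before running anything, so the function under test is never actually called. It runs under Node.js.

```javascript
// Added example, not code from JSC. Probes [[Construct]] without calling the
// function: Reflect.construct(target, args, newTarget) validates newTarget
// first, and String as the target is inert, so nothing of interest executes.
function isConstructor(fn) {
  if (typeof fn !== "function") return false;
  try {
    Reflect.construct(String, [], fn); // TypeError iff fn lacks [[Construct]]
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Survey of function kinds: ordinary functions and classes construct; spec
// builtins such as Array.from and Array.prototype.map, arrows, and concise
// methods do not, which is exactly what a correct getConstructData reports.
function constructibilityReport() {
  return {
    arrayCtor: isConstructor(Array),
    arrayFrom: isConstructor(Array.from),
    arrayMap: isConstructor(Array.prototype.map),
    plainFunction: isConstructor(function () {}),
    klass: isConstructor(class {}),
    arrow: isConstructor(() => {}),
    method: isConstructor({ m() {} }.m),
    notAFunction: isConstructor({}),
  };
}

// What a caller that skips the check observes: the engine raises a TypeError
// ("... is not a constructor") instead of silently constructing an object.
function constructAttempt(fn) {
  try {
    new fn();
    return "constructed";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other error";
  }
}

console.log(constructibilityReport());
console.log("new Array.from():", constructAttempt(Array.from));
console.log("new Array():     ", constructAttempt(Array));
```

The Reflect.construct probe is preferable to `try { new fn() }` when auditing an unknown function, because the latter runs the function body with whatever side effects it has; the probe only asks the engine whether construction would be permitted.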
11895
118962015-04-19 Yusuke Suzuki <utatane.tea@gmail.com>
11897
11898 [ES6] Implement WeakSet
11899 https://bugs.webkit.org/show_bug.cgi?id=142408
11900
11901 Reviewed by Darin Adler.
11902
11903 This patch implements ES6 WeakSet.
11904 Current implementation simply leverages WeakMapData with undefined value.
11905 This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1].
11906
11907 And in this patch, we also fix WeakMap/WeakSet behavior to conform the ES6 spec.
11908 Except for adders (WeakMap.prototype.set/WeakSet.prototype.add),
11909 methods return false (or undefined for WeakMap.prototype.get)
11910 when a key is not Object instead of throwing a type error.
11911
11912 [1]: https://bugs.webkit.org/show_bug.cgi?id=143919
11913
11914 * CMakeLists.txt:
11915 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11916 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11917 * JavaScriptCore.xcodeproj/project.pbxproj:
11918 * runtime/CommonIdentifiers.h:
11919 * runtime/JSGlobalObject.cpp:
11920 * runtime/JSGlobalObject.h:
11921 * runtime/JSWeakSet.cpp: Added.
11922 (JSC::JSWeakSet::finishCreation):
11923 (JSC::JSWeakSet::visitChildren):
11924 * runtime/JSWeakSet.h: Added.
11925 (JSC::JSWeakSet::createStructure):
11926 (JSC::JSWeakSet::create):
11927 (JSC::JSWeakSet::weakMapData):
11928 (JSC::JSWeakSet::JSWeakSet):
11929 * runtime/WeakMapPrototype.cpp:
11930 (JSC::getWeakMapData):
11931 (JSC::protoFuncWeakMapDelete):
11932 (JSC::protoFuncWeakMapGet):
11933 (JSC::protoFuncWeakMapHas):
11934 * runtime/WeakSetConstructor.cpp: Added.
11935 (JSC::WeakSetConstructor::finishCreation):
11936 (JSC::callWeakSet):
11937 (JSC::constructWeakSet):
11938 (JSC::WeakSetConstructor::getConstructData):
11939 (JSC::WeakSetConstructor::getCallData):
11940 * runtime/WeakSetConstructor.h: Added.
11941 (JSC::WeakSetConstructor::create):
11942 (JSC::WeakSetConstructor::createStructure):
11943 (JSC::WeakSetConstructor::WeakSetConstructor):
11944 * runtime/WeakSetPrototype.cpp: Added.
11945 (JSC::WeakSetPrototype::finishCreation):
11946 (JSC::getWeakMapData):
11947 (JSC::protoFuncWeakSetDelete):
11948 (JSC::protoFuncWeakSetHas):
11949 (JSC::protoFuncWeakSetAdd):
11950 * runtime/WeakSetPrototype.h: Added.
11951 (JSC::WeakSetPrototype::create):
11952 (JSC::WeakSetPrototype::createStructure):
11953 (JSC::WeakSetPrototype::WeakSetPrototype):
11954 * tests/stress/weak-set-constructor-adder.js: Added.
11955 (WeakSet.prototype.add):
11956 * tests/stress/weak-set-constructor.js: Added.
11957
119582015-04-17 Alexey Proskuryakov <ap@apple.com>
11959
11960 Remove unused BoundsCheckedPointer
11961 https://bugs.webkit.org/show_bug.cgi?id=143896
11962
11963 Reviewed by Geoffrey Garen.
11964
11965 * bytecode/SpeculatedType.cpp: The header was included here.
11966
119672015-04-17 Yusuke Suzuki <utatane.tea@gmail.com>
11968
11969 [ES6] Fix name enumeration of static functions for Symbol constructor
11970 https://bugs.webkit.org/show_bug.cgi?id=143891
11971
11972 Reviewed by Geoffrey Garen.
11973
11974 Fix missing symbolPrototypeTable registration to the js class object.
11975 This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.
11976
11977 * runtime/SymbolConstructor.cpp:
11978
119792015-04-17 Basile Clement <basile_clement@apple.com>
11980
11981 Inline JSFunction allocation in DFG
11982 https://bugs.webkit.org/show_bug.cgi?id=143858
11983
11984 Reviewed by Filip Pizlo.
11985
11986 Followup to my previous patch which inlines JSFunction allocation when
11987 using FTL, now also enabled in DFG.
11988
11989 * dfg/DFGSpeculativeJIT.cpp:
11990 (JSC::DFG::SpeculativeJIT::compileNewFunction):
11991
119922015-04-16 Jordan Harband <ljharb@gmail.com>
11993
11994 Number.parseInt is not === global parseInt in nightly r182673
11995 https://bugs.webkit.org/show_bug.cgi?id=143799
11996
11997 Reviewed by Darin Adler.
11998
11999 Ensuring parseInt === Number.parseInt, per spec
12000 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
12001
12002 * runtime/CommonIdentifiers.h:
12003 * runtime/JSGlobalObject.cpp:
12004 (JSC::JSGlobalObject::init):
12005 * runtime/JSGlobalObject.h:
12006 (JSC::JSGlobalObject::parseIntFunction):
12007 * runtime/NumberConstructor.cpp:
12008 (JSC::NumberConstructor::finishCreation):
12009
120102015-04-16 Mark Lam <mark.lam@apple.com>
12011
12012 Gardening: fix CLOOP build after r182927.
12013
12014 Not reviewed.
12015
12016 * interpreter/StackVisitor.cpp:
12017 (JSC::StackVisitor::Frame::print):
12018
120192015-04-16 Basile Clement <basile_clement@apple.com>
12020
12021 Inline JSFunction allocation in FTL
12022 https://bugs.webkit.org/show_bug.cgi?id=143851
12023
12024 Reviewed by Filip Pizlo.
12025
12026 JSFunction allocation is a simple operation that should be inlined when possible.
12027
12028 * ftl/FTLAbstractHeapRepository.h:
12029 * ftl/FTLLowerDFGToLLVM.cpp:
12030 (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
12031 * runtime/JSFunction.h:
12032 (JSC::JSFunction::allocationSize):
12033
120342015-04-16 Mark Lam <mark.lam@apple.com>
12035
12036 Add $vm debugging tool.
12037 https://bugs.webkit.org/show_bug.cgi?id=143809
12038
12039 Reviewed by Geoffrey Garen.
12040
12041 For debugging VM bugs, it would be useful to be able to dump VM data structures
12042 from JS code that we instrument. To this end, let's introduce a
12043 JS_enableDollarVM option that, if true, installs an $vm property into each JS
12044 global object at creation time. The $vm property refers to an object that
12045 provides a collection of useful utility functions. For this initial
12046 implementation, $vm will have the following:
12047
12048 crash() - trigger an intentional crash.
12049
12050 dfgTrue() - returns true if the current function is DFG compiled, else returns false.
12051 jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
12052 llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
12053
12054 gc() - runs a full GC.
12055 edenGC() - runs an eden GC.
12056
12057 codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
12058 printSourceFor(codeBlock) - prints the source code for the codeBlock.
12059 printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
12060
12061 print(str) - prints a string to dataLog output.
12062 printCallFrame() - prints the current CallFrame.
12063 printStack() - prints the JS stack.
12064 printInternal(value) - prints the JSC internal info for the specified value.
12065
12066 With JS_enableDollarVM=true, JS code can use the above functions like so:
12067
12068 $vm.print("Using $vm features\n");
12069
12070 * CMakeLists.txt:
12071 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12072 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12073 * JavaScriptCore.xcodeproj/project.pbxproj:
12074 * bytecode/CodeBlock.cpp:
12075 (JSC::CodeBlock::printCallOp):
12076 - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
12077 Hence, we skip this step if we're dumping an FTL codeBlock.
12078
12079 * heap/Heap.cpp:
12080 (JSC::Heap::collectAndSweep):
12081 (JSC::Heap::collectAllGarbage): Deleted.
12082 * heap/Heap.h:
12083 (JSC::Heap::collectAllGarbage):
12084 - Add ability to do an Eden collection and sweep.
12085
12086 * interpreter/StackVisitor.cpp:
12087 (JSC::printIndents):
12088 (JSC::log):
12089 (JSC::logF):
12090 (JSC::StackVisitor::Frame::print):
12091 (JSC::jitTypeName): Deleted.
12092 (JSC::printif): Deleted.
12093 - Modernize the implementation of StackVisitor::Frame::print(), and remove some
12094 now redundant code.
12095 - Also fix it so that it downgrades gracefully when encountering inlined DFG
12096 and compiled FTL functions.
12097
12098 (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
12099 (DebugPrintFrameFunctor::operator()): Deleted.
12100 (debugPrintCallFrame): Deleted.
12101 (debugPrintStack): Deleted.
12102 - these have been moved into JSDollarVMPrototype.cpp.
12103
12104 * interpreter/StackVisitor.h:
12105 - StackVisitor::Frame::print() is now enabled for release builds as well so that
12106 we can call it from $vm.
12107
12108 * runtime/JSGlobalObject.cpp:
12109 (JSC::JSGlobalObject::init):
12110 (JSC::JSGlobalObject::visitChildren):
12111 * runtime/JSGlobalObject.h:
12112 - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
12113 option.
12114
12115 * runtime/Options.h:
12116 - Added the JSC_enableDollarVM option.
12117
12118 * tools/JSDollarVM.cpp: Added.
12119 * tools/JSDollarVM.h: Added.
12120 (JSC::JSDollarVM::createStructure):
12121 (JSC::JSDollarVM::create):
12122 (JSC::JSDollarVM::JSDollarVM):
12123
12124 * tools/JSDollarVMPrototype.cpp: Added.
12125 - This file contains 2 sets of functions:
12126
12127 a. a C++ implementation of debugging utility functions that are callable when
12128 doing debugging from lldb. To the extent possible, these functions try to
12129 be cautious and not cause unintended crashes should the user call them with
12130 the wrong info. Hence, they are designed to be robust rather than speedy.
12131
12132 b. the native implementations of JS functions in the $vm object. Where there
12133 is overlapping functionality, these are built on top of the C++ functions
12134 above to do the work.
12135
12136 Note: it does not make sense for all of the $vm functions to have a C++
12137 counterpart for lldb debugging. For example, the $vm.dfgTrue() function is
12138 only useful for JS code, and works via the DFG intrinsics mechanism.
12139 When doing debugging via lldb, the optimization level of the currently
12140 executing JS function can be gotten by dumping the current CallFrame instead.
12141
12142 (JSC::currentThreadOwnsJSLock):
12143 (JSC::ensureCurrentThreadOwnsJSLock):
12144 (JSC::JSDollarVMPrototype::addFunction):
12145 (JSC::functionCrash): - $vm.crash()
12146 (JSC::functionDFGTrue): - $vm.dfgTrue()
12147 (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
12148 (JSC::CallerFrameJITTypeFunctor::operator()):
12149 (JSC::CallerFrameJITTypeFunctor::jitType):
12150 (JSC::functionLLintTrue): - $vm.llintTrue()
12151 (JSC::functionJITTrue): - $vm.jitTrue()
12152 (JSC::gc):
12153 (JSC::functionGC): - $vm.gc()
12154 (JSC::edenGC):
12155 (JSC::functionEdenGC): - $vm.edenGC()
12156 (JSC::isValidCodeBlock):
12157 (JSC::codeBlockForFrame):
12158 (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
12159 (JSC::codeBlockFromArg):
12160 (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
12161 (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
12162 (JSC::functionPrint): - $vm.print(str)
12163 (JSC::PrintFrameFunctor::PrintFrameFunctor):
12164 (JSC::PrintFrameFunctor::operator()):
12165 (JSC::printCallFrame):
12166 (JSC::printStack):
12167 (JSC::functionPrintCallFrame): - $vm.printCallFrame()
12168 (JSC::functionPrintStack): - $vm.printStack()
12169 (JSC::printValue):
12170 (JSC::functionPrintValue): - $vm.printValue()
12171 (JSC::JSDollarVMPrototype::finishCreation):
12172 * tools/JSDollarVMPrototype.h: Added.
12173 (JSC::JSDollarVMPrototype::create):
12174 (JSC::JSDollarVMPrototype::createStructure):
12175 (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
12176
121772015-04-16 Geoffrey Garen <ggaren@apple.com>
12178
12179 Speculative fix after r182915
12180 https://bugs.webkit.org/show_bug.cgi?id=143404
12181
12182 Reviewed by Alexey Proskuryakov.
12183
12184 * runtime/SymbolConstructor.h:
12185
121862015-04-16 Mark Lam <mark.lam@apple.com>
12187
12188 Fixed some typos in a comment.
12189
12190 Not reviewed.
12191
12192 * dfg/DFGGenerationInfo.h:
12193
121942015-04-16 Yusuke Suzuki <utatane.tea@gmail.com>
12195
12196 [ES6] Implement Symbol.for and Symbol.keyFor
12197 https://bugs.webkit.org/show_bug.cgi?id=143404
12198
12199 Reviewed by Geoffrey Garen.
12200
12201 This patch implements Symbol.for and Symbol.keyFor.
12202 SymbolRegistry maintains registered StringImpl* symbols.
12203 And to make this mapping enabled over realms,
12204 VM owns this mapping (not JSGlobalObject).
12205
12206 While there's Default AtomicStringTable per thread,
12207 SymbolRegistry should not exist over VMs.
12208 So everytime VM is created, SymbolRegistry is also created.
12209
12210 In SymbolRegistry implementation, we don't leverage WeakGCMap (or weak reference design).
12211 Theres are several reasons.
12212 1. StringImpl* which represents identity of Symbols is not GC-managed object.
12213 So we cannot use WeakGCMap directly.
12214 While Symbol* is GC-managed object, holding weak reference to Symbol* doesn't maintain JS symbols (exposed primitive values to users) liveness,
12215 because distinct Symbol* can exist.
12216 Distinct Symbol* means the Symbol* object that pointer value (Symbol*) is different from weakly referenced Symbol* but held StringImpl* is the same.
12217
12218 2. We don't use WTF::WeakPtr. If we add WeakPtrFactory into StringImpl's member, we can track StringImpl*'s liveness by WeakPtr.
12219 However there's problem about when we prune staled entries in SymbolRegistry.
12220 Since the memory allocated for the Symbol is typically occupied by allocated symbolized StringImpl*'s content,
12221 and it is not in GC-heap.
12222 While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
12223 So GC typically attempt to perform EdenCollection, and it doesn't call WeakGCMap's pruleStaleEntries callback.
12224 As a result, before pruning staled entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.
12225
12226 So instead of using a weak reference, we take a relatively easy design.
12227 When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
12228 And when destructing it, it removes its reference from SymbolRegistry, as an atomic StringImpl does with AtomicStringTable.
12229
12230 * CMakeLists.txt:
12231 * DerivedSources.make:
12232 * runtime/SymbolConstructor.cpp:
12233 (JSC::SymbolConstructor::getOwnPropertySlot):
12234 (JSC::symbolConstructorFor):
12235 (JSC::symbolConstructorKeyFor):
12236 * runtime/SymbolConstructor.h:
12237 * runtime/VM.cpp:
12238 * runtime/VM.h:
12239 (JSC::VM::symbolRegistry):
12240 * tests/stress/symbol-registry.js: Added.
12241 (test):
12242
122432015-04-16 Yusuke Suzuki <utatane.tea@gmail.com>
12244
12245 [ES6] Use specific functions for @@iterator functions
12246 https://bugs.webkit.org/show_bug.cgi?id=143838
12247
12248 Reviewed by Geoffrey Garen.
12249
12250 In ES6, some methods are defined under different names.
12251
12252 For example,
12253
12254 Map.prototype[Symbol.iterator] === Map.prototype.entries
12255 Set.prototype[Symbol.iterator] === Set.prototype.values
12256 Array.prototype[Symbol.iterator] === Array.prototype.values
12257 %Arguments%[Symbol.iterator] === Array.prototype.values
12258
12259 However, the current implementation creates a different function object per name.
12260 This patch fixes it by setting @@iterator to the same object that is used for the other method,
12261 e.g. setting Array.prototype[Symbol.iterator] to the Array.prototype.values function object.
12262
12263 And we drop the Arguments iterator implementation and replace the Arguments[@@iterator] implementation
12264 with Array.prototype.values to conform to the spec.
12265
12266 * CMakeLists.txt:
12267 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12268 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12269 * JavaScriptCore.xcodeproj/project.pbxproj:
12270 * inspector/JSInjectedScriptHost.cpp:
12271 (Inspector::JSInjectedScriptHost::subtype):
12272 (Inspector::JSInjectedScriptHost::getInternalProperties):
12273 (Inspector::JSInjectedScriptHost::iteratorEntries):
12274 * runtime/ArgumentsIteratorConstructor.cpp: Removed.
12275 * runtime/ArgumentsIteratorConstructor.h: Removed.
12276 * runtime/ArgumentsIteratorPrototype.cpp: Removed.
12277 * runtime/ArgumentsIteratorPrototype.h: Removed.
12278 * runtime/ArrayPrototype.cpp:
12279 (JSC::ArrayPrototype::finishCreation):
12280 * runtime/ArrayPrototype.h:
12281 * runtime/ClonedArguments.cpp:
12282 (JSC::ClonedArguments::getOwnPropertySlot):
12283 (JSC::ClonedArguments::put):
12284 (JSC::ClonedArguments::deleteProperty):
12285 (JSC::ClonedArguments::defineOwnProperty):
12286 (JSC::ClonedArguments::materializeSpecials):
12287 * runtime/ClonedArguments.h:
12288 * runtime/CommonIdentifiers.h:
12289 * runtime/DirectArguments.cpp:
12290 (JSC::DirectArguments::overrideThings):
12291 * runtime/GenericArgumentsInlines.h:
12292 (JSC::GenericArguments<Type>::getOwnPropertySlot):
12293 (JSC::GenericArguments<Type>::getOwnPropertyNames):
12294 (JSC::GenericArguments<Type>::put):
12295 (JSC::GenericArguments<Type>::deleteProperty):
12296 (JSC::GenericArguments<Type>::defineOwnProperty):
12297 * runtime/JSArgumentsIterator.cpp: Removed.
12298 * runtime/JSArgumentsIterator.h: Removed.
12299 * runtime/JSGlobalObject.cpp:
12300 (JSC::JSGlobalObject::init):
12301 (JSC::JSGlobalObject::visitChildren):
12302 * runtime/JSGlobalObject.h:
12303 (JSC::JSGlobalObject::arrayProtoValuesFunction):
12304 * runtime/MapPrototype.cpp:
12305 (JSC::MapPrototype::finishCreation):
12306 * runtime/ScopedArguments.cpp:
12307 (JSC::ScopedArguments::overrideThings):
12308 * runtime/SetPrototype.cpp:
12309 (JSC::SetPrototype::finishCreation):
12310 * tests/stress/arguments-iterator.js: Added.
12311 (test):
12312 (testArguments):
12313 * tests/stress/iterator-functions.js: Added.
12314 (test):
12315 (argumentsTests):
12316
123172015-04-14 Mark Lam <mark.lam@apple.com>
12318
12319 Add JSC_functionOverrides=<overrides file> debugging tool.
12320 https://bugs.webkit.org/show_bug.cgi?id=143717
12321
12322 Reviewed by Geoffrey Garen.
12323
12324 This tool allows us to do runtime replacement of function bodies with alternatives
12325 for debugging purposes. For example, this is useful when we need to debug VM bugs
12326 which manifest in scripts executing in webpages downloaded from remote servers
12327 that we don't control. The tool allows us to augment those scripts with logging
12328 or test code to help isolate the bugs.
12329
12330 This tool works by substituting the SourceCode at FunctionExecutable creation
12331 time. It identifies which SourceCode to substitute by comparing the source
12332 string against keys in a set of key value pairs.
12333
12334 The keys are function body strings defined by 'override' clauses in the overrides
12335 file specified in the JSC_functionOverrides option. The values are function
12336 body strings defined by 'with' clauses in the overrides file.
12337 See comment blob at top of FunctionOverrides.cpp on the formatting
12338 of the overrides file.
12339
12340 At FunctionExecutable creation time, if the SourceCode string matches one of the
12341 'override' keys from the overrides file, the tool will replace the SourceCode with
12342 a new one based on the corresponding 'with' value string. The FunctionExecutable
12343 will then be created with the new SourceCode instead.
12344
12345 Some design decisions:
12346 1. We opted to require that the 'with' clause appear on a separate line from the
12347 'override' clause because this makes it easier to read and write when the
12348 'override' clause's function body is single lined and long.
12349
12350 2. The user can use any sequence of characters for the delimiter (except for '{',
12351 '}' and white space characters) because this ensures that there can always be
12352 some delimiter pattern that does not appear in the function body in the clause
12353 e.g. in the body of strings in the JS code.
12354
12355 '{' and '}' are disallowed because they are used to mark the boundaries of the
12356 function body string. White space characters are disallowed because they can
12357 be error prone (the user may not be able to tell the difference between spaces and tabs).
12358
12359 3. The start and end delimiter must be an identical sequence of characters.
12360
12361 I had considered allowing the use of complementary characters like <>, [], and
12362 () for making delimiter pairs like:
12363 [[[[ ... ]]]]
12364 <[([( ... )])]>
12365
12366 But in the end, decided against it because:
12367 a. These sequences of complementary characters can exist in JS code.
12368 In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
12369 code.
12370 b. It can be error prone for the user to have to type the exact complement
12371 character for the end delimiter in reverse order.
12372 In contrast, a repeating delimiter like %%%% is much easier to type and
12373 less error prone. Even a sequence like @#$%^ is less error prone than
12374 a complementary sequence because it can be copy-pasted, and need not be
12375 typed in reverse order.
12376 c. It is easier to parse for the same delimiter string for both start and end.
12377
12378 4. The tool does a lot of checks for syntax errors in the overrides file because
12379 we don't want any overrides to fail silently. If a syntax error is detected,
12380 the tool will print an error message and call exit(). This avoids the user
12381 wasting time doing debugging only to be surprised later that their specified
12382 overrides did not take effect because of some unnoticed typo.
12383
12384 * CMakeLists.txt:
12385 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12386 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12387 * JavaScriptCore.xcodeproj/project.pbxproj:
12388 * bytecode/UnlinkedCodeBlock.cpp:
12389 (JSC::UnlinkedFunctionExecutable::link):
12390 * runtime/Executable.h:
12391 * runtime/Options.h:
12392 * tools/FunctionOverrides.cpp: Added.
12393 (JSC::FunctionOverrides::overrides):
12394 (JSC::FunctionOverrides::FunctionOverrides):
12395 (JSC::initializeOverrideInfo):
12396 (JSC::FunctionOverrides::initializeOverrideFor):
12397 (JSC::hasDisallowedCharacters):
12398 (JSC::parseClause):
12399 (JSC::FunctionOverrides::parseOverridesInFile):
12400 * tools/FunctionOverrides.h: Added.
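
As an added illustration (not the tool's own C++ parser), a small JavaScript parser that enforces the four design rules listed above on an overrides file. The concrete clause syntax is assumed here to be `override DELIM{ body }DELIM` followed, on a later line, by `with DELIM{ body }DELIM`; the real grammar is documented in FunctionOverrides.cpp, which is not reproduced in this entry, and a syntax error throws instead of calling exit().

```javascript
'use strict';
// Added example, not JSC code: parses an overrides file as described in the
// entry above. Rules enforced: 'with' on its own line (1), delimiter free of
// '{', '}' and white space (2), identical start and end delimiter (3), and
// every malformed clause is a hard error rather than a silent no-op (4).
class OverridesSyntaxError extends Error {}

function fail(msg, text, i) {
  const line = text.slice(0, i).split('\n').length;
  throw new OverridesSyntaxError(`overrides file line ${line}: ${msg}`);
}

function skipWhitespace(text, i) {
  while (i < text.length && /\s/.test(text[i])) i++;
  return i;
}

// Rule 2: the delimiter must be non-empty and contain no '{', '}' or white space.
function hasDisallowedCharacters(delimiter) {
  return delimiter.length === 0 || /[{}\s]/.test(delimiter);
}

// Parse `keyword DELIM{ body }DELIM` starting at index i.
// Returns { body, next }; the body is everything between '{' and the first
// '}' that is immediately followed by the same delimiter (rule 3).
function parseClause(text, i, keyword) {
  i = skipWhitespace(text, i);
  if (!text.startsWith(keyword, i)) fail(`expected '${keyword}' clause`, text, i);
  i = skipWhitespace(text, i + keyword.length);
  let d = i;
  while (d < text.length && text[d] !== '{' && !/\s/.test(text[d])) d++;
  const delimiter = text.slice(i, d);
  if (text[d] !== '{' || hasDisallowedCharacters(delimiter)) {
    fail(`bad delimiter before '{' in '${keyword}' clause`, text, i);
  }
  const bodyStart = d + 1;
  const closer = '}' + delimiter;
  const bodyEnd = text.indexOf(closer, bodyStart);
  if (bodyEnd < 0) fail(`missing closing '${closer}'`, text, bodyStart);
  return { body: text.slice(bodyStart, bodyEnd), next: bodyEnd + closer.length };
}

// Returns Map<overrideBody, withBody>. The tool matches the override body
// string against a FunctionExecutable's source string at creation time.
function parseOverridesInFile(text) {
  const overrides = new Map();
  let i = skipWhitespace(text, 0);
  while (i < text.length) {
    const o = parseClause(text, i, 'override');
    // Rule 1: only white space containing a newline may separate the clauses.
    const gap = text.slice(o.next, skipWhitespace(text, o.next));
    if (!gap.includes('\n')) fail("'with' clause must start on its own line", text, o.next);
    const w = parseClause(text, o.next, 'with');
    if (overrides.has(o.body)) fail('duplicate override body', text, i);
    overrides.set(o.body, w.body);
    i = skipWhitespace(text, w.next);
  }
  return overrides;
}

// Substitution step: exact string match, null when no override applies.
function overrideFor(overrides, sourceString) {
  return overrides.has(sourceString) ? overrides.get(sourceString) : null;
}

// Constructed sample file. The second pair uses a delimiter that does not
// occur in its body even though the body contains the first pair's delimiter.
const SAMPLE = [
  'override %%%{ function f(a) { return a + 1; } }%%%',
  'with %%%{ function f(a) { print("f called"); return a + 1; } }%%%',
  '',
  'override @#$%^{ function g() { return "}%%%"; } }@#$%^',
  'with @#$%^{ function g() { return "patched"; } }@#$%^',
].join('\n');
```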
12401
124022015-04-16 Basile Clement <basile_clement@apple.com>
12403
12404 Extract the allocation profile from JSFunction into a rare object
12405 https://bugs.webkit.org/show_bug.cgi?id=143807
12406
12407 Reviewed by Filip Pizlo.
12408
12409 The allocation profile is only needed for those functions that are used
12410 to create objects with [new].
12411 Extracting it into its own JSCell removes the need for JSFunction and
12412 JSCallee to be JSDestructibleObjects, which should improve performance in most
12413 cases at the cost of an extra pointer dereference when the allocation profile
12414 is actually needed.
12415
12416 * CMakeLists.txt:
12417 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12418 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12419 * JavaScriptCore.xcodeproj/project.pbxproj:
12420 * dfg/DFGOperations.cpp:
12421 * dfg/DFGSpeculativeJIT32_64.cpp:
12422 (JSC::DFG::SpeculativeJIT::compile):
12423 * dfg/DFGSpeculativeJIT64.cpp:
12424 (JSC::DFG::SpeculativeJIT::compile):
12425 * jit/JITOpcodes.cpp:
12426 (JSC::JIT::emit_op_create_this):
12427 * jit/JITOpcodes32_64.cpp:
12428 (JSC::JIT::emit_op_create_this):
12429 * llint/LowLevelInterpreter32_64.asm:
12430 * llint/LowLevelInterpreter64.asm:
12431 * runtime/CommonSlowPaths.cpp:
12432 (JSC::SLOW_PATH_DECL):
12433 * runtime/FunctionRareData.cpp: Added.
12434 (JSC::FunctionRareData::create):
12435 (JSC::FunctionRareData::destroy):
12436 (JSC::FunctionRareData::createStructure):
12437 (JSC::FunctionRareData::visitChildren):
12438 (JSC::FunctionRareData::FunctionRareData):
12439 (JSC::FunctionRareData::~FunctionRareData):
12440 (JSC::FunctionRareData::finishCreation):
12441 * runtime/FunctionRareData.h: Added.
12442 (JSC::FunctionRareData::offsetOfAllocationProfile):
12443 (JSC::FunctionRareData::allocationProfile):
12444 (JSC::FunctionRareData::allocationStructure):
12445 (JSC::FunctionRareData::allocationProfileWatchpointSet):
12446 * runtime/JSBoundFunction.cpp:
12447 (JSC::JSBoundFunction::destroy): Deleted.
12448 * runtime/JSBoundFunction.h:
12449 * runtime/JSCallee.cpp:
12450 (JSC::JSCallee::destroy): Deleted.
12451 * runtime/JSCallee.h:
12452 * runtime/JSFunction.cpp:
12453 (JSC::JSFunction::JSFunction):
12454 (JSC::JSFunction::createRareData):
12455 (JSC::JSFunction::visitChildren):
12456 (JSC::JSFunction::put):
12457 (JSC::JSFunction::defineOwnProperty):
12458 (JSC::JSFunction::destroy): Deleted.
12459 (JSC::JSFunction::createAllocationProfile): Deleted.
12460 * runtime/JSFunction.h:
12461 (JSC::JSFunction::offsetOfRareData):
12462 (JSC::JSFunction::rareData):
12463 (JSC::JSFunction::allocationStructure):
12464 (JSC::JSFunction::allocationProfileWatchpointSet):
12465 (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
12466 (JSC::JSFunction::allocationProfile): Deleted.
12467 * runtime/JSFunctionInlines.h:
12468 (JSC::JSFunction::JSFunction):
12469 * runtime/VM.cpp:
12470 (JSC::VM::VM):
12471 * runtime/VM.h:
12472
124732015-04-16 Csaba Osztrogonác <ossy@webkit.org>
12474
12475 Remove the unnecessary WTF_CHANGES define
12476 https://bugs.webkit.org/show_bug.cgi?id=143825
12477
12478 Reviewed by Andreas Kling.
12479
12480 * config.h:
12481
124822015-04-15 Andreas Kling <akling@apple.com>
12483
12484 Make MarkedBlock and WeakBlock 4x smaller.
12485 <https://webkit.org/b/143802>
12486
12487 Reviewed by Mark Hahnenberg.
12488
12489 To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
12490 and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
12491
12492 In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
12493 Some examples:
12494
12495 apple.com: 6.3MB -> 5.5MB (14.5% smaller)
12496 reddit.com: 4.5MB -> 4.1MB ( 9.7% smaller)
12497 twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
12498 cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
12499
12500 Benchmarks look mostly neutral.
12501 Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
12502
12503 * heap/MarkedBlock.h:
12504 * heap/WeakBlock.h:
12505 * llint/LLIntData.cpp:
12506 (JSC::LLInt::Data::performAssertions):
12507 * llint/LowLevelInterpreter.asm:
12508
125092015-04-15 Jordan Harband <ljharb@gmail.com>
12510
12511 String.prototype.startsWith/endsWith/includes have wrong length in r182673
12512 https://bugs.webkit.org/show_bug.cgi?id=143659
12513
12514 Reviewed by Benjamin Poulain.
12515
12516 Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
12517 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
12518 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
12519 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
12520
12521 * runtime/StringPrototype.cpp:
12522 (JSC::StringPrototype::finishCreation):
12523
125242015-04-15 Mark Lam <mark.lam@apple.com>
12525
12526 Remove obsolete VMInspector debugging tool.
12527 https://bugs.webkit.org/show_bug.cgi?id=143798
12528
12529 Reviewed by Michael Saboff.
12530
12531 I added the VMInspector tool 3 years ago to aid in VM hacking work. Some of it
12532 has bit rotted, and now the VM also has better ways to achieve its functionality.
12533 Hence this code is now obsolete and should be removed.
12534
12535 * CMakeLists.txt:
12536 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12537 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12538 * JavaScriptCore.xcodeproj/project.pbxproj:
12539 * interpreter/CallFrame.h:
12540 * interpreter/VMInspector.cpp: Removed.
12541 * interpreter/VMInspector.h: Removed.
12542 * llint/LowLevelInterpreter.cpp:
12543
125442015-04-15 Jordan Harband <ljharb@gmail.com>
12545
12546 Math.imul has wrong length in Safari 8.0.4
12547 https://bugs.webkit.org/show_bug.cgi?id=143658
12548
12549 Reviewed by Benjamin Poulain.
12550
12551 Correcting function length from 1 to 2 to match the spec
12552 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
12553
12554 * runtime/MathObject.cpp:
12555 (JSC::MathObject::finishCreation):
12556
125572015-04-15 Jordan Harband <ljharb@gmail.com>
12558
12559 Number.parseInt in nightly r182673 has wrong length
12560 https://bugs.webkit.org/show_bug.cgi?id=143657
12561
12562 Reviewed by Benjamin Poulain.
12563
12564 Correcting function length from 1 to 2 to match the spec
12565 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
12566
12567 * runtime/NumberConstructor.cpp:
12568 (JSC::NumberConstructor::finishCreation):
12569
125702015-04-15 Filip Pizlo <fpizlo@apple.com>
12571
12572 Harden DFGForAllKills
12573 https://bugs.webkit.org/show_bug.cgi?id=143792
12574
12575 Reviewed by Geoffrey Garen.
12576
12577 Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
12578 bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
12579
12580 Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
12581 that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
12582
12583 - It looks for kill sites at forExit origin boundaries. But, something might have been killed
12584 by an operation that was logically in between the forExit origins at the boundary, but was
12585 removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
12586 gaps.
12587
12588 - It overlooked the fact that a MovHint that addresses a local that is always live kills that
12589 local. For example, storing to an argument means that the prior value of the argument is
12590 killed.
12591
12592 This fixes the analysis by making it handle MovHints directly, and making it define kills in
12593 the most conservative way possible: it asks if you were live before but dead after. If we
12594 have the compile time budget to afford this more direct approach, then it's definitely a good
12595 idea since it's so fool-proof.
12596
12597 * dfg/DFGArgumentsEliminationPhase.cpp:
12598 * dfg/DFGForAllKills.h:
12599 (JSC::DFG::forAllKilledOperands):
12600 (JSC::DFG::forAllKilledNodesAtNodeIndex):
12601 (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
12602
126032015-04-15 Joseph Pecoraro <pecoraro@apple.com>
12604
12605 Provide SPI to allow changing whether JSContexts are remote debuggable by default
12606 https://bugs.webkit.org/show_bug.cgi?id=143681
12607
12608 Reviewed by Darin Adler.
12609
12610 * API/JSRemoteInspector.h:
12611 * API/JSRemoteInspector.cpp:
12612 (JSRemoteInspectorGetInspectionEnabledByDefault):
12613 (JSRemoteInspectorSetInspectionEnabledByDefault):
12614 Provide SPI to toggle the default enabled inspection state of debuggables.
12615
12616 * API/JSContextRef.cpp:
12617 (JSGlobalContextCreateInGroup):
12618 Respect the default setting.
12619
126202015-04-15 Joseph Pecoraro <pecoraro@apple.com>
12621
12622 JavaScriptCore: Use kCFAllocatorDefault where possible
12623 https://bugs.webkit.org/show_bug.cgi?id=143747
12624
12625 Reviewed by Darin Adler.
12626
12627 * heap/HeapTimer.cpp:
12628 (JSC::HeapTimer::HeapTimer):
12629 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
12630 (Inspector::RemoteInspectorInitializeGlobalQueue):
12631 (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
12632 For consistency and readability use the constant instead of
12633 different representations of null.
12634
126352015-04-14 Michael Saboff <msaboff@apple.com>
12636
12637 Remove JavaScriptCoreUseJIT default from JavaScriptCore
12638 https://bugs.webkit.org/show_bug.cgi?id=143746
12639
12640 Reviewed by Mark Lam.
12641
12642 * runtime/VM.cpp:
12643 (JSC::enableAssembler):
12644
126452015-04-14 Chris Dumez <cdumez@apple.com>
12646
12647 Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
12648 https://bugs.webkit.org/show_bug.cgi?id=143745
12649 <rdar://problem/20243916>
12650
12651 Reviewed by Joseph Pecoraro.
12652
12653 Add assertion in ContentSearchUtilities::findMagicComment() to make
12654 sure the content String is not null or we would crash in
12655 JSC::Yarr::interpret() later.
12656
12657 * inspector/ContentSearchUtilities.cpp:
12658 (Inspector::ContentSearchUtilities::findMagicComment):
12659
126602015-04-14 Michael Saboff <msaboff@apple.com>
12661
12662 DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
12663 https://bugs.webkit.org/show_bug.cgi?id=143727
12664
12665 Reviewed by Geoffrey Garen.
12666
12667 Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
12668 with the requested fill format. If filter() reports a contradiction, then we force an OSR exit.
12669 Removed individual checks made redundant by the new check.
12670
12671 * dfg/DFGSpeculativeJIT32_64.cpp:
12672 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
12673 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
12674 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
12675 * dfg/DFGSpeculativeJIT64.cpp:
12676 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
12677 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
12678 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
12679 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
12680
126812015-04-14 Joseph Pecoraro <pecoraro@apple.com>
12682
12683 Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
12684 https://bugs.webkit.org/show_bug.cgi?id=143691
12685
12686 Reviewed by Geoffrey Garen.
12687
12688 * API/JSRemoteInspector.h:
12689 * API/JSRemoteInspector.cpp:
12690 (JSRemoteInspectorSetLogToSystemConsole):
12691 Add SPI to enable/disable logging to the system console.
12692 This only affects JSContext `console` logs and warnings.
12693
12694 * inspector/JSGlobalObjectConsoleClient.h:
12695 * inspector/JSGlobalObjectConsoleClient.cpp:
12696 (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
12697 (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
12698 (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
12699 (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
12700 Simplify access to the setting now that it doesn't need to
12701 initialize its value from preferences.
12702
127032015-04-14 Joseph Pecoraro <pecoraro@apple.com>
12704
12705 Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
12706 https://bugs.webkit.org/show_bug.cgi?id=143682
12707
12708 Reviewed by Timothy Hatcher.
12709
12710 * inspector/remote/RemoteInspector.mm:
12711 (Inspector::RemoteInspector::singleton):
12712 If we are on the main thread, run the initialization immediately.
12713 Otherwise dispatch to the main thread. This way if the first JSContext
12714 was created on the main thread it can get auto-attached if applicable.
12715
127162015-04-14 Joseph Pecoraro <pecoraro@apple.com>
12717
12718 Unreviewed build fix for Mavericks.
12719
12720 Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
12721 so the Inspector namespace is not available when compiling this file.
12722
12723 * API/JSRemoteInspector.cpp:
12724
127252015-04-14 Joseph Pecoraro <pecoraro@apple.com>
12726
12727 Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
12728 https://bugs.webkit.org/show_bug.cgi?id=143729
12729
12730 Reviewed by Timothy Hatcher.
12731
12732 * API/JSRemoteInspector.h: Added.
12733 * API/JSRemoteInspector.cpp: Added.
12734 (JSRemoteInspectorDisableAutoStart):
12735 (JSRemoteInspectorStart):
12736 (JSRemoteInspectorSetParentProcessInformation):
12737 Add the new SPIs for basic remote inspection behavior.
12738
12739 * JavaScriptCore.xcodeproj/project.pbxproj:
12740 Add the new files to Mac only, since remote inspection is only
12741 enabled there anyway.
12742
127432015-04-14 Mark Lam <mark.lam@apple.com>
12744
12745 Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
12746 https://bugs.webkit.org/show_bug.cgi?id=143722
12747
12748 Reviewed by Michael Saboff.
12749
12750 Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
12751 shorter, and easier to remember (without having to look it up) and to
12752 type. JSC options now support descriptions, and one can always look up
12753 the description if the option's purpose is not already obvious.
12754
12755 * dfg/DFGFunctionWhitelist.cpp:
12756 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
12757 (JSC::DFG::FunctionWhitelist::contains):
12758 * runtime/Options.h:
12759
127602015-04-13 Filip Pizlo <fpizlo@apple.com>
12761
12762 Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
12763
12764 * runtime/InferredValue.h:
12765
127662015-04-13 Filip Pizlo <fpizlo@apple.com>
12767
12768 Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
12769
12770 * runtime/InferredValue.h:
12771
127722015-04-08 Filip Pizlo <fpizlo@apple.com>
12773
12774 JSC should detect singleton functions
12775 https://bugs.webkit.org/show_bug.cgi?id=143232
12776
12777 Reviewed by Geoffrey Garen.
12778
12779 This started out as an attempt to make constructors faster by detecting when a constructor is a
12780 singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
12781 along with an inferred value - that detects if only one JSFunction has been allocated for that
12782 executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
12783 if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
12784 we can constant-fold GetCallee.
12785
12786 Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
12787 process I realized a bunch of things:
12788
12789 - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
12790 had even in code where our singleton-closure detection worked. That's because singleton-closure
12791 inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
12792 the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
12793 disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
12794 values.
12795
12796 - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
12797 created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
12798 FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
12799
12800 - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
12801 detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
12802 about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
12803 SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
12804 First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
12805 scope. This saves compile times and it allows prediction propagation to benefit from the
12806 constant folding. Second, it means that we will detect a singleton scope even if it is
12807 referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
12808 allows us to eliminate the function reentry watchpoint.
12809
12810 - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
12811 constant values in scopes. Previously when the DFG inferred that a closure variable was
12812 constant, it wouldn't know which closure that variable was in and so it couldn't just load that
12813 value. But now we are first inferring that the function is a singleton, which means that we
12814 know exactly what scope it points to, and we can load the value from the scope. Using a
12815 WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
12816 code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
12817 I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
12818 FunctionExecutable wants.
12819
12820 This also has the effect of simplifying the implementation of block scoping. Prior to this
12821 change, block scoping would have needed to have some story for the function reentry watchpoint on
12822 any nested symbol table. That's totally weird to think about; it's not really a function reentry
12823 but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
12824 will "just work": if we prove that we know the constant value of the scope then the machinery
12825 kicks in, otherwise it doesn't.
12826
12827 This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
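
As an added illustration (not JSC code), a JavaScript model of the singleton detection described above: an InferredValue remembers the first JSFunction written to it, stays valid while later writes repeat that value, and fires its watchpoints the moment a different function is allocated, which is what keeps a constant-folded GetCallee sound. The method names mirror those listed in the entry; the state names, the FunctionExecutable/CompiledCode shapes and the demo are simplifications assumed here.

```javascript
'use strict';
// Added example, not JSC code: a simplified model of InferredValue as used by
// FunctionExecutable::singletonFunction. A watchpoint set plus an inferred
// value: ClearWatchpoint (nothing written) -> IsWatched (one value seen so
// far) -> IsInvalidated (a second, different value was seen; fired for good).
class InferredValue {
  constructor() {
    this.state = 'ClearWatchpoint';
    this.value = undefined;
    this.watchpoints = [];
  }
  inferredValue() { return this.state === 'IsWatched' ? this.value : undefined; }
  isStillValid() { return this.state !== 'IsInvalidated'; }
  hasBeenInvalidated() { return this.state === 'IsInvalidated'; }
  // Compiled code that folded the inferred value must register a watchpoint
  // so it learns when the assumption stops holding.
  add(watchpoint) { this.watchpoints.push(watchpoint); }
  notifyWrite(value) {
    if (this.state === 'IsInvalidated') return;
    if (this.state === 'ClearWatchpoint') {
      this.state = 'IsWatched';
      this.value = value;
      return;
    }
    if (this.value !== value) this.invalidate(); // same value again is a no-op
  }
  invalidate() {
    this.state = 'IsInvalidated';
    this.value = undefined;
    for (const wp of this.watchpoints) wp.fire();
    this.watchpoints = [];
  }
}

// Every JSFunction allocated for an executable is reported via notifyWrite,
// so the InferredValue knows whether exactly one function exists and which.
class FunctionExecutable {
  constructor(name) {
    this.name = name;
    this.singletonFunction = new InferredValue();
  }
  allocateFunction(scope) {
    const fn = { executable: this, scope };
    this.singletonFunction.notifyWrite(fn);
    return fn;
  }
}

// Model of compiled code deciding whether GetCallee can be constant-folded:
// it may bake in the inferred JSFunction only if it also watches for
// invalidation, so the folded constant never outlives the assumption.
class CompiledCode {
  constructor(executable) {
    this.valid = true;
    const inferred = executable.singletonFunction.inferredValue();
    this.foldedCallee = inferred;
    if (inferred !== undefined) {
      executable.singletonFunction.add({ fire: () => { this.valid = false; } });
    }
  }
}

function demo() {
  const exec = new FunctionExecutable('f');
  const first = exec.allocateFunction('scopeA');
  const code = new CompiledCode(exec);            // GetCallee folds to `first`
  const foldedToFirst = code.foldedCallee === first && code.valid;
  exec.singletonFunction.notifyWrite(first);      // same value again: still valid
  const stillValid = code.valid && exec.singletonFunction.isStillValid();
  exec.allocateFunction('scopeB');                // second JSFunction: not a singleton
  const jettisoned = !code.valid && exec.singletonFunction.hasBeenInvalidated();
  const late = new CompiledCode(exec);            // nothing left to fold
  return { foldedToFirst, stillValid, jettisoned, lateFolds: late.foldedCallee !== undefined };
}
```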
12828
12829 * CMakeLists.txt:
12830 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12831 * JavaScriptCore.xcodeproj/project.pbxproj:
12832 * bytecode/BytecodeList.json:
12833 * bytecode/BytecodeUseDef.h:
12834 (JSC::computeUsesForBytecodeOffset):
12835 (JSC::computeDefsForBytecodeOffset):
12836 * bytecode/CodeBlock.cpp:
12837 (JSC::CodeBlock::dumpBytecode):
12838 (JSC::CodeBlock::CodeBlock):
12839 (JSC::CodeBlock::finalizeUnconditionally):
12840 (JSC::CodeBlock::valueProfileForBytecodeOffset):
12841 * bytecode/CodeBlock.h:
12842 (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
12843 * bytecode/CodeOrigin.cpp:
12844 (JSC::InlineCallFrame::calleeConstant):
12845 (JSC::InlineCallFrame::visitAggregate):
12846 * bytecode/CodeOrigin.h:
12847 (JSC::InlineCallFrame::calleeConstant): Deleted.
12848 (JSC::InlineCallFrame::visitAggregate): Deleted.
12849 * bytecode/Instruction.h:
12850 * bytecode/VariableWatchpointSet.cpp: Removed.
12851 * bytecode/VariableWatchpointSet.h: Removed.
12852 * bytecode/VariableWatchpointSetInlines.h: Removed.
12853 * bytecode/VariableWriteFireDetail.cpp: Added.
12854 (JSC::VariableWriteFireDetail::dump):
12855 (JSC::VariableWriteFireDetail::touch):
12856 * bytecode/VariableWriteFireDetail.h: Added.
12857 (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
12858 * bytecode/Watchpoint.h:
12859 (JSC::WatchpointSet::stateOnJSThread):
12860 (JSC::WatchpointSet::startWatching):
12861 (JSC::WatchpointSet::fireAll):
12862 (JSC::WatchpointSet::touch):
12863 (JSC::WatchpointSet::invalidate):
12864 (JSC::InlineWatchpointSet::stateOnJSThread):
12865 (JSC::InlineWatchpointSet::state):
12866 (JSC::InlineWatchpointSet::hasBeenInvalidated):
12867 (JSC::InlineWatchpointSet::invalidate):
12868 (JSC::InlineWatchpointSet::touch):
12869 * bytecompiler/BytecodeGenerator.cpp:
12870 (JSC::BytecodeGenerator::BytecodeGenerator):
12871 * dfg/DFGAbstractInterpreterInlines.h:
12872 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12873 * dfg/DFGByteCodeParser.cpp:
12874 (JSC::DFG::ByteCodeParser::get):
12875 (JSC::DFG::ByteCodeParser::parseBlock):
12876 (JSC::DFG::ByteCodeParser::getScope): Deleted.
12877 * dfg/DFGCapabilities.cpp:
12878 (JSC::DFG::capabilityLevel):
12879 * dfg/DFGClobberize.h:
12880 (JSC::DFG::clobberize):
12881 * dfg/DFGDesiredWatchpoints.cpp:
12882 (JSC::DFG::InferredValueAdaptor::add):
12883 (JSC::DFG::DesiredWatchpoints::addLazily):
12884 (JSC::DFG::DesiredWatchpoints::reallyAdd):
12885 (JSC::DFG::DesiredWatchpoints::areStillValid):
12886 * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
        (JSC::DFG::DesiredWatchpoints::isWatched):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasWatchpointSet):
        (JSC::DFG::Node::watchpointSet):
        (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
        (JSC::DFG::Node::variableWatchpointSet): Deleted.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVarargsForwardingPhase.cpp:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::friendlySourceURL):
        (JSC::StackFrame::friendlyFunctionName):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::friendlySourceURL): Deleted.
        (JSC::StackFrame::friendlyFunctionName): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_touch_entry): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitNotifyWrite): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emitNotifyWrite): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::finishCreation):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::singletonFunction):
        * runtime/InferredValue.cpp: Added.
        (JSC::InferredValue::create):
        (JSC::InferredValue::destroy):
        (JSC::InferredValue::createStructure):
        (JSC::InferredValue::visitChildren):
        (JSC::InferredValue::InferredValue):
        (JSC::InferredValue::~InferredValue):
        (JSC::InferredValue::notifyWriteSlow):
        (JSC::InferredValue::ValueCleanup::ValueCleanup):
        (JSC::InferredValue::ValueCleanup::~ValueCleanup):
        (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
        * runtime/InferredValue.h: Added.
        (JSC::InferredValue::inferredValue):
        (JSC::InferredValue::state):
        (JSC::InferredValue::isStillValid):
        (JSC::InferredValue::hasBeenInvalidated):
        (JSC::InferredValue::add):
        (JSC::InferredValue::notifyWrite):
        (JSC::InferredValue::invalidate):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        (JSC::JSFunction::createImpl):
        (JSC::JSFunction::create): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTablePut):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::setSymbolTable):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/PutPropertySlot.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::finishCreation):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTableEntry::inferredValue): Deleted.
        (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::watchpointSet):
        (JSC::SymbolTable::singletonScope):
        (JSC::SymbolTableEntry::notifyWrite): Deleted.
        * runtime/TypeProfiler.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tests/stress/infer-uninitialized-closure-var.js: Added.
        (foo.f):
        (foo):
        * tests/stress/singleton-scope-then-overwrite.js: Added.
        (foo.f):
        (foo):
        * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
        (foo):
        * tests/stress/singleton-scope-then-realloc.js: Added.
        (foo):

2015-04-13  Andreas Kling  <akling@apple.com>

        Don't segregate heap objects based on Structure immortality.
        <https://webkit.org/b/143638>

        Reviewed by Darin Adler.

        Put all objects that need a destructor call into the same MarkedBlock.
        This reduces memory consumption in many situations, while improving locality,
        since much more of the MarkedBlock space can be shared.

        Instead of branching on the MarkedBlock type, we now check a bit in the
        JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
        to access the cell's Structure during destruction or not.

        Performance benchmarks look mostly neutral. Maybe a small regression on
        SunSpider's date objects.

        On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
        with a bunch of WeakBlocks that were hanging off of them. That's on the higher
        end of savings we can get from this, but still a very real improvement.

        Most of this patch is removing the "hasImmortalStructure" constant from JSCell
        derived classes and passing that responsibility to the StructureIsImmortal flag.
        StructureFlags is made public so that it's accessible from non-member functions.
        I made sure to declare it everywhere and make classes final to try to make it
        explicit what each class is doing to its inherited flags.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * heap/Heap.h:
        (JSC::Heap::subspaceForObjectDestructor):
        (JSC::Heap::allocatorForObjectWithDestructor):
        (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
        (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
        (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
        * heap/HeapInlines.h:
        (JSC::Heap::allocateWithDestructor):
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        (JSC::Heap::allocateWithNormalDestructor): Deleted.
        (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::needsDestruction):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::init):
        (JSC::MarkedAllocator::destructorType): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::needsDestruction):
        (JSC::MarkedBlock::destructorType): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::forEachAllocator):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::clearNewlyAllocated):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
        (JSC::MarkedSpace::destructorAllocatorFor):
        (JSC::MarkedSpace::allocateWithDestructor):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
        (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
        (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
        (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
        (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * jsc.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/BooleanPrototype.h:
        * runtime/ClonedArguments.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.h:
        * runtime/Executable.h:
        * runtime/GenericArguments.h:
        * runtime/GetterSetter.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSArgumentsIterator.h:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCallee.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDataViewPrototype.h:
        * runtime/JSEnvironmentRecord.h:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSNameScope.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/JSProxy.h:
        * runtime/JSScope.h:
        * runtime/JSString.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::structureIsImmortal):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        * runtime/StringConstructor.h:
        * runtime/StringIteratorPrototype.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureRareData.h:
        * runtime/Symbol.h:
        * runtime/SymbolPrototype.h:
        * runtime/SymbolTable.h:
        * runtime/WeakMapData.h:

2015-04-13  Mark Lam  <mark.lam@apple.com>

        DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=143407

        Reviewed by Filip Pizlo.

        DFG inlining of a varargs call / construct needs to keep the local
        containing the callee alive with a Phantom node because the LoadVarargs
        node may OSR exit. After the OSR exit, the baseline JIT executes the
        op_call_varargs with that callee in the local.

        Previously, because that callee local was not explicitly kept alive,
        the op_call_varargs case can OSR exit a DFG function and leave an
        undefined value in that local. As a result, the baseline observes the
        side effect of an op_call_varargs on an undefined value instead of the
        function it expected.

        Note: this issue does not manifest with op_construct_varargs because
        the inlined constructor will have an op_create_this which operates on
        the incoming callee value, thereby keeping it alive.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
        (foo):
        (Foo):
        (doTest):

2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement Array.prototype.values
        https://bugs.webkit.org/show_bug.cgi?id=143633

        Reviewed by Darin Adler.

        Symbol.unscopables is implemented, so we can implement Array.prototype.values
        without largely breaking the web. The following script passes.

            var array = [];
            var values = 42;
            with (array) {
                assert(values, 42);
            }

        * runtime/ArrayPrototype.cpp:
        * tests/stress/array-iterators-next.js:
        * tests/stress/map-iterators-next.js:
        * tests/stress/set-iterators-next.js:
        * tests/stress/values-unscopables.js: Added.
        (test):

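The mechanism the entry above relies on, as an added example that is not part of the ChangeLog or of the WebKit test suite: `Symbol.unscopables` is why adding `Array.prototype.values` does not break legacy `with (array)` code. The `resolveInWith` helper and the `api` object are constructed for this illustration; it runs in Node.js or any ES2015+ engine.

```javascript
// Added example (not from the WebKit ChangeLog): how @@unscopables keeps a new
// Array.prototype method from shadowing an outer variable inside `with (array)`.

// Resolve `name` inside `with (obj)` and report which binding won.
// The Function constructor always produces sloppy-mode code, so `with` is
// legal here even when the surrounding module is strict.
function resolveInWith(obj, name) {
  const probe = new Function("obj", "outer",
    "var " + name + " = outer;\n" +
    "with (obj) { return " + name + "; }");
  return probe(obj, "outer-binding");
}

// 1. The script from the ChangeLog entry: `values` inside `with (array)` must
//    still see the outer variable although Array.prototype.values exists,
//    because Array.prototype[Symbol.unscopables].values is true.
function valuesIsUnscopable() {
  const array = [];
  return {
    hasMethod: typeof array.values === "function",
    unscopable: Array.prototype[Symbol.unscopables].values === true,
    resolvesToOuter: resolveInWith(array, "values") === "outer-binding",
  };
}

// 2. A property that is NOT listed in @@unscopables (here `length`) does
//    shadow the outer binding, which is the pre-ES6 `with` behaviour.
function lengthIsScopable() {
  const array = [1, 2, 3];
  return {
    unscopable: Array.prototype[Symbol.unscopables].length === true,
    resolved: resolveInWith(array, "length"),   // 3, not "outer-binding"
  };
}

// 3. Any object can opt its own properties out of `with` the same way; this is
//    how a library can add a method without breaking callers that use `with`.
function customUnscopable() {
  const api = { helper: "api-helper", other: "api-other" };   // constructed sample
  api[Symbol.unscopables] = { helper: true };
  return {
    helper: resolveInWith(api, "helper"),   // "outer-binding": hidden from `with`
    other: resolveInWith(api, "other"),     // "api-other": still visible
  };
}
```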
2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Run flaky conservative GC related test first before polluting stack and registers
        https://bugs.webkit.org/show_bug.cgi?id=143634

        Reviewed by Ryosuke Niwa.

        After r182653, JSC API tests fail. However, it's not related to the change.
        After investigating the cause of this failure, I've found that the failed test is flaky
        because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
        due to conservative roots in the C stack and registers, this test fails.

        Since the GC marks the C stack and registers as roots conservatively,
        objects that are no longer logically referenced can be accidentally marked and kept alive.
        To avoid this situation as much as we can,
        1. run this test first before the stack is polluted,
        2. extract this test as a function to suppress stack height.

        * API/tests/testapi.mm:
        (testWeakValue):
        (testObjectiveCAPIMain):
        (testObjectiveCAPI):

2015-04-11  Matt Baker  <mattbaker@apple.com>

        Web Inspector: create content view and details sidebar for Frames timeline
        https://bugs.webkit.org/show_bug.cgi?id=143533

        Reviewed by Timothy Hatcher.

        Refactoring: RunLoop prefix changed to RenderingFrame.

        * inspector/protocol/Timeline.json:

2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Enable Symbol in web pages
        https://bugs.webkit.org/show_bug.cgi?id=143375

        Reviewed by Ryosuke Niwa.

        Expose Symbol to web pages.
        Symbol was exposed, but it was hidden since it breaks Facebook comments.
        This is because at that time Symbol was implemented,
        but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
        which broke React.js and immutable.js.

        Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
        and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed.

        So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
        and enables symbols by default.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RuntimeFlags.h:

2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        ES6: Iterator toString names should be consistent
        https://bugs.webkit.org/show_bug.cgi?id=142424

        Reviewed by Geoffrey Garen.

        Iterator Object Names in the spec right now have spaces.
        In our implementation some do and some don't.
        This patch aligns JSC to the spec.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSStringIterator.cpp:
        * tests/stress/iterator-names.js: Added.
        (test):
        (iter):
        (check):

2015-04-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
        https://bugs.webkit.org/show_bug.cgi?id=143582

        Reviewed by Mark Lam.

        For 32 bit builds, we favor spilling unboxed values. The ASSERT at the root of this bug doesn't
        fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
        For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
        The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
        if the spillFormat is DataFormatCell. Had we spilled in DataFormatJS and the value was a JSCell*,
        we would still OSR exit after the speculation check.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

2015-04-10  Milan Crha  <mcrha@redhat.com>

        Disable Linux-specific code in a Windows build
        https://bugs.webkit.org/show_bug.cgi?id=137973

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):

2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
        https://bugs.webkit.org/show_bug.cgi?id=143368

        Reviewed by Michael Saboff.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
        https://bugs.webkit.org/show_bug.cgi?id=143430

        Reviewed by Darin Adler.

        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        JSArray::sortNumeric should handle ArrayWithUndecided
        https://bugs.webkit.org/show_bug.cgi?id=143535

        Reviewed by Geoffrey Garen.

        ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumeric):
        * tests/stress/sort-array-with-undecided.js: Added.

2015-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
        https://bugs.webkit.org/show_bug.cgi?id=143532

        Reviewed by Gavin Barraclough.

        Oh the irony! We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
        But the C++ code had wrap-around, which is undef in C++. So, if the compiler was smart enough, our compiler
        would think that there never was wrap-around.

        This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):

2015-04-07  Michael Saboff  <msaboff@apple.com>

        Lazily initialize LogToSystemConsole flag to reduce memory usage
        https://bugs.webkit.org/show_bug.cgi?id=143506

        Reviewed by Mark Lam.

        Only call into CF preferences code when we need to in order to reduce memory usage.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
        (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):

2015-04-07  Benjamin Poulain  <benjamin@webkit.org>

        Get the features.json files ready for open contributions
        https://bugs.webkit.org/show_bug.cgi?id=143436

        Reviewed by Darin Adler.

        * features.json:

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Constant folding of typed array properties should be handled by AI rather than strength reduction
        https://bugs.webkit.org/show_bug.cgi?id=143496

        Reviewed by Geoffrey Garen.

        Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
        phase and whatever other phase did the folding in order to find all constants.

        This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
        directly.

        This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
        found because all of the tests for it involved the property getting constant folded. I found that
        the codegen was bad because an earlier version of the patch broke that constant folding. This
        adds a new test for that node type, which makes constant folding impossible by allocating a new
        typed array every time. The lesson here is: if you write a test for something, run the test with
        full IR dumps to make sure it's actually testing the thing you want it to test.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArray): Deleted.
        (JSC::DFG::Node::typedArray): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * tests/stress/fold-typed-array-properties.js:
        (foo):
        * tests/stress/typed-array-byte-offset.js: Added.
        (foo):

2015-04-07  Matthew Mirman  <mmirman@apple.com>

        Source and stack information should get appended only to native errors
        and should be added directly after construction rather than when thrown.
        This fixes frozen objects being unfrozen when thrown while conforming to
        the ECMAScript standard and other browser behavior.
        rdar://problem/19927293
        https://bugs.webkit.org/show_bug.cgi?id=141871

        Reviewed by Geoffrey Garen.

        Appending stack, source, line, and column information to an object whenever that object is thrown
        is incorrect because it violates the ECMAScript standard for the behavior of throw. Suppose for example
        that the object being thrown already has one of these properties or is frozen. Adding the properties
        would then violate the frozen contract or overwrite those properties. Other browsers do not do this,
        and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
        a control flow construct rather than just an error reporting mechanism.

        Because WebCore adds "native" errors which do not inherit from any JSC native error,
        appending the error properties as a separate call after construction of the error is required
        to avoid having to manually truncate the stack and gather local source information due to
        the stack being extended by a nested call to construct one of the native JSC errors.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h:
        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createNotEnoughArgumentsError):
        (JSC::createURIError):
        (JSC::createOutOfMemoryError):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset): Added.
        (JSC::addErrorInfo): Added special case for appending complete error info
        to a newly constructed error object.
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::Interpreter::callErrorConstructor):
        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError): Moved from VM.cpp.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::addErrorInfoAndGetBytecodeOffset):
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::throwOutOfMemoryError):
        (JSC::createStackOverflowError): Deleted.
        (JSC::createOutOfMemoryError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::Interpreter::callNativeErrorConstructor):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        (JSC::appendSourceToError): Moved to Error.cpp.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
        * tests/stress/freeze_leek.js: Added.

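The observable contract the entry above restores, as an added example that is not part of the ChangeLog or of the WebKit test suite: per the ECMAScript `throw` semantics, throwing a value must not add or overwrite properties on it, so a frozen object stays frozen, an object that already carries a `stack` keeps it, and a native Error gets its stack at construction time rather than when thrown. The `payload` objects are constructed here; it runs on Node.js (the JSC-specific `line`/`column`/`sourceURL` properties do not exist there, so the check is on the own-key set staying unchanged).

```javascript
// Added example (not from the WebKit ChangeLog): throwing must not mutate the
// thrown value; error metadata belongs to native Error construction.

// Throw `value` and hand back exactly what the catch block observed.
function throwAndInspect(value) {
  try {
    throw value;
  } catch (e) {
    return e;
  }
}

// 1. A frozen non-Error object: the throw must leave it frozen and unchanged.
//    An engine that appended stack/line/column here would break the frozen
//    contract, which is the bug the entry describes.
function frozenObjectSurvivesThrow() {
  const payload = Object.freeze({ code: "E_FROZEN" });   // constructed sample
  const caught = throwAndInspect(payload);
  return {
    sameObject: caught === payload,
    stillFrozen: Object.isFrozen(caught),
    keys: Object.keys(caught),   // only "code": nothing was appended
  };
}

// 2. An object that already has a `stack`: throwing must not overwrite it.
function existingStackIsPreserved() {
  const payload = { stack: "caller-supplied stack" };      // constructed sample
  return throwAndInspect(payload).stack;
}

// 3. A native Error already has its stack when constructed; the throw adds
//    no further own properties, so the own-key set is identical before/after.
function nativeErrorInfoSetAtConstruction() {
  const err = new TypeError("constructed, not yet thrown");
  const keysBefore = Reflect.ownKeys(err).map(String).sort();
  const hadStackBefore = typeof err.stack === "string" && err.stack.length > 0;
  const caught = throwAndInspect(err);
  const keysAfter = Reflect.ownKeys(caught).map(String).sort();
  return {
    hadStackBefore,
    sameKeys: JSON.stringify(keysBefore) === JSON.stringify(keysAfter),
  };
}
```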
2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ES6: Show Symbol properties on Objects
        https://bugs.webkit.org/show_bug.cgi?id=141279

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Runtime.json:
        Give PropertyDescriptor a reference to the Symbol RemoteObject
        if the property is a symbol property.

        * inspector/InjectedScriptSource.js:
        Enumerate symbol properties on objects.

2015-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to enable LLVM FastISel
        https://bugs.webkit.org/show_bug.cgi?id=143489

        Reviewed by Michael Saboff.

        The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
        against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
        if we should enable it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMLinux.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMMac.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::getLLVMInitializerFunctionPOSIX):
        (JSC::initializeLLVMPOSIX): Deleted.
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/InitializeLLVMWin.cpp:
        (JSC::getLLVMInitializerFunction):
        (JSC::initializeLLVMImpl): Deleted.
        * llvm/LLVMAPI.cpp:
        * llvm/LLVMAPI.h:
        * llvm/library/LLVMExports.cpp:
        (initCommandLine):
        (initializeAndGetJSCLLVMAPI):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct needs to check whether the property is an index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Darin Adler.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch checks whether the toString-ed Identifier is an index or not to choose between putDirect and putDirectIndex.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Identifier.h:
        (JSC::isIndex):
        (JSC::parseIndex):
        * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
        (lookupWithKey):
        (toStringThrowsError.toString):

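The index-or-not decision the entry above is about, seen from JavaScript, as an added example that is not part of the ChangeLog or of the WebKit test suite: computed keys in object literals are what put_by_val_direct stores, and whether the stringified key is an array index is observable through enumeration order (integer indices 0 .. 2^32-2 first in numeric order, then the remaining string keys in insertion order). The `isArrayIndex` function is this example's own restatement of the ECMAScript array-index rule, not JSC's `parseIndex`; `SAMPLE_PAIRS` is constructed; it runs in any ES2015+ engine.

```javascript
// Added example (not from the WebKit ChangeLog): which computed keys are array
// indices, and the key-order effect of routing them to indexed storage.

// A canonical decimal integer string in [0, 2^32 - 2] is an array index.
// This mirrors the spec definition; it is not JSC's own parseIndex().
function isArrayIndex(key) {
  const s = String(key);
  if (!/^(0|[1-9][0-9]*)$/.test(s)) return false;   // "01", "1.0", "-1" are not indices
  return Number(s) <= 4294967294;                    // 2^32 - 2 is the largest index
}

// Store each [key, value] through a computed property name `{ [key]: value }`,
// the construct put_by_val_direct compiles; the engine must pick indexed or
// named storage per key after ToString.
function buildWithComputedKeys(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.assign(obj, { [key]: value });
  }
  return obj;
}

// Enumeration order plus the classification of every input key.
function keyOrder(pairs) {
  const obj = buildWithComputedKeys(pairs);
  return {
    ownKeys: Object.keys(obj),
    classified: pairs.map(([k]) => [String(k), isArrayIndex(k)]),
  };
}

// Constructed sample: numeric-looking strings, a number, the largest valid
// index (2^32 - 2), the first non-index (2^32 - 1) and a leading-zero string.
const SAMPLE_PAIRS = [
  ["b", 1],
  ["10", 2],
  [3, 3],               // number key: ToString gives "3", an index
  ["4294967295", 4],    // 2^32 - 1: NOT an array index, stays a string key
  ["4294967294", 5],    // 2^32 - 2: largest array index
  ["01", 6],            // not canonical, so not an index
  ["0", 7],
];

// Edge case from the entry's test (toStringThrowsError): a key whose ToString
// throws must surface the exception before any store happens.
function storeWithThrowingKey() {
  const key = { toString() { throw new TypeError("toString rejected"); } };
  try {
    ({ [key]: 1 });
    return "no throw";
  } catch (e) {
    return e.message;
  }
}
```

Expected enumeration order for `SAMPLE_PAIRS` is `["0", "3", "10", "4294967294", "b", "4294967295", "01"]`: the four indices sorted numerically, then the three non-index keys in insertion order.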
136642015-04-06 Alberto Garcia <berto@igalia.com>
13665
13666 [GTK] Fix HPPA build
13667 https://bugs.webkit.org/show_bug.cgi?id=143453
13668
13669 Reviewed by Darin Adler.
13670
13671 Add HPPA to the list of supported CPUs.
13672
13673 * CMakeLists.txt:
13674
136752015-04-06 Mark Lam <mark.lam@apple.com>
13676
13677 In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
13678 <https://webkit.org/b/143396>
13679
13680 Reviewed by Filip Pizlo.
13681
13682 The DFG was neglecting to set the result boolean. The FTL was setting it with
13683 an inverted value. Both of these are now resolved.
13684
13685 * dfg/DFGSpeculativeJIT64.cpp:
13686 (JSC::DFG::SpeculativeJIT::compile):
13687 * ftl/FTLLowerDFGToLLVM.cpp:
13688 (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
13689 * tests/stress/for-in-array-mode.js: Added.
13690 (.):
13691 (test):
13692
136932015-04-06 Yusuke Suzuki <utatane.tea@gmail.com>
13694
13695 [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
13696 https://bugs.webkit.org/show_bug.cgi?id=143424
13697
13698 Reviewed by Geoffrey Garen.
13699
13700 In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
13701
13702 ToString(symbol) throws a type error.
13703 However, String(symbol) produces SymbolDescriptiveString(symbol).
13704
13705 So, in the DFG and FTL phases, they should not inline StringConstructor to ToString.
13706
13707 Now, in the template literals patch, the ToString DFG operation is planned to be used.
13708 And the current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
13709 So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
13710 In CallStringConstructor, all behavior in DFG analysis is the same.
13711 The only difference from ToString is that, when calling DFG operation functions, it calls
13712 operationCallStringConstructorOnCell and operationCallStringConstructor instead of
13713 operationToStringOnCell and operationToString.
13714
13715 * dfg/DFGAbstractInterpreterInlines.h:
13716 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13717 * dfg/DFGBackwardsPropagationPhase.cpp:
13718 (JSC::DFG::BackwardsPropagationPhase::propagate):
13719 * dfg/DFGByteCodeParser.cpp:
13720 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
13721 * dfg/DFGClobberize.h:
13722 (JSC::DFG::clobberize):
13723 * dfg/DFGDoesGC.cpp:
13724 (JSC::DFG::doesGC):
13725 * dfg/DFGFixupPhase.cpp:
13726 (JSC::DFG::FixupPhase::fixupNode):
13727 (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
13728 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
13729 (JSC::DFG::FixupPhase::fixupToString): Deleted.
13730 * dfg/DFGNodeType.h:
13731 * dfg/DFGOperations.cpp:
13732 * dfg/DFGOperations.h:
13733 * dfg/DFGPredictionPropagationPhase.cpp:
13734 (JSC::DFG::PredictionPropagationPhase::propagate):
13735 * dfg/DFGSafeToExecute.h:
13736 (JSC::DFG::safeToExecute):
13737 * dfg/DFGSpeculativeJIT.cpp:
13738 (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
13739 (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
13740 * dfg/DFGSpeculativeJIT.h:
13741 * dfg/DFGSpeculativeJIT32_64.cpp:
13742 (JSC::DFG::SpeculativeJIT::compile):
13743 * dfg/DFGSpeculativeJIT64.cpp:
13744 (JSC::DFG::SpeculativeJIT::compile):
13745 * dfg/DFGStructureRegistrationPhase.cpp:
13746 (JSC::DFG::StructureRegistrationPhase::run):
13747 * ftl/FTLCapabilities.cpp:
13748 (JSC::FTL::canCompile):
13749 * ftl/FTLLowerDFGToLLVM.cpp:
13750 (JSC::FTL::LowerDFGToLLVM::compileNode):
13751 (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
13752 (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
13753 * runtime/StringConstructor.cpp:
13754 (JSC::stringConstructor):
13755 (JSC::callStringConstructor):
13756 * runtime/StringConstructor.h:
13757 * tests/stress/symbol-and-string-constructor.js: Added.
13758 (performString):
13759
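The observable ES6 difference the entry above is built around, as an added JavaScript example (not JavaScriptCore code and not the symbol-and-string-constructor.js test it lists): String(symbol) is the one conversion that succeeds, while every implicit ToString of a Symbol throws a TypeError. The helper names `describe`, `implicitToStringError` and `probe` are this example's own.

```javascript
// Added example (not JavaScriptCore code): String(sym) versus implicit ToString.
// String(sym) returns SymbolDescriptiveString(sym), i.e. "Symbol(<description>)".
// Concatenation, template literals and anything else that runs the ToString
// abstract operation on a Symbol throw a TypeError instead.
function describe(sym) {
  return String(sym); // explicit StringConstructor call: allowed
}

// Runs fn and returns the name of the error it throws, or null if it does not throw.
function implicitToStringError(fn) {
  try {
    fn();
    return null;
  } catch (e) {
    return e.name;
  }
}

// Collects every conversion path for one symbol so the behaviours can be compared side by side.
function probe(sym) {
  return {
    explicit: describe(sym),                              // "Symbol(key)"
    concat: implicitToStringError(() => '' + sym),        // "TypeError": ToString on the right operand
    template: implicitToStringError(() => `${sym}`),      // "TypeError": ToString in the template
    method: sym.toString(),                               // Symbol.prototype.toString is explicit, like String()
  };
}
```

The practical consequence for logging and error-formatting code: a helper that builds messages with `'' + value` will throw when handed a Symbol, whereas `String(value)` will not; the probe shows exactly which paths are safe.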
13760 2015-04-06 Yusuke Suzuki <utatane.tea@gmail.com>
13761
13762 Return Optional<uint32_t> from PropertyName::asIndex
13763 https://bugs.webkit.org/show_bug.cgi?id=143422
13764
13765 Reviewed by Darin Adler.
13766
13767 PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
13768 But it's not obvious to callers.
13769
13770 This patch changes
13771 1. PropertyName::asIndex() to return Optional<uint32_t> and
13772 2. the function name `asIndex()` to `parseIndex()`.
13773 It forces callers to check explicitly whether the value is an index or not.
13774
13775 * bytecode/GetByIdStatus.cpp:
13776 (JSC::GetByIdStatus::computeFor):
13777 * bytecode/PutByIdStatus.cpp:
13778 (JSC::PutByIdStatus::computeFor):
13779 * bytecompiler/BytecodeGenerator.cpp:
13780 (JSC::BytecodeGenerator::emitDirectPutById):
13781 * jit/Repatch.cpp:
13782 (JSC::emitPutTransitionStubAndGetOldStructure):
13783 * jsc.cpp:
13784 * runtime/ArrayPrototype.cpp:
13785 (JSC::arrayProtoFuncSort):
13786 * runtime/GenericArgumentsInlines.h:
13787 (JSC::GenericArguments<Type>::getOwnPropertySlot):
13788 (JSC::GenericArguments<Type>::put):
13789 (JSC::GenericArguments<Type>::deleteProperty):
13790 (JSC::GenericArguments<Type>::defineOwnProperty):
13791 * runtime/Identifier.h:
13792 (JSC::parseIndex):
13793 (JSC::Identifier::isSymbol):
13794 * runtime/JSArray.cpp:
13795 (JSC::JSArray::defineOwnProperty):
13796 * runtime/JSCJSValue.cpp:
13797 (JSC::JSValue::putToPrimitive):
13798 * runtime/JSGenericTypedArrayViewInlines.h:
13799 (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
13800 (JSC::JSGenericTypedArrayView<Adaptor>::put):
13801 (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
13802 (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
13803 * runtime/JSObject.cpp:
13804 (JSC::JSObject::put):
13805 (JSC::JSObject::putDirectAccessor):
13806 (JSC::JSObject::putDirectCustomAccessor):
13807 (JSC::JSObject::deleteProperty):
13808 (JSC::JSObject::putDirectMayBeIndex):
13809 (JSC::JSObject::defineOwnProperty):
13810 * runtime/JSObject.h:
13811 (JSC::JSObject::getOwnPropertySlot):
13812 (JSC::JSObject::getPropertySlot):
13813 (JSC::JSObject::putDirectInternal):
13814 * runtime/JSString.cpp:
13815 (JSC::JSString::getStringPropertyDescriptor):
13816 * runtime/JSString.h:
13817 (JSC::JSString::getStringPropertySlot):
13818 * runtime/LiteralParser.cpp:
13819 (JSC::LiteralParser<CharType>::parse):
13820 * runtime/PropertyName.h:
13821 (JSC::parseIndex):
13822 (JSC::toUInt32FromCharacters): Deleted.
13823 (JSC::toUInt32FromStringImpl): Deleted.
13824 (JSC::PropertyName::asIndex): Deleted.
13825 * runtime/PropertyNameArray.cpp:
13826 (JSC::PropertyNameArray::add):
13827 * runtime/StringObject.cpp:
13828 (JSC::StringObject::deleteProperty):
13829 * runtime/Structure.cpp:
13830 (JSC::Structure::prototypeChainMayInterceptStoreTo):
13831
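Both the put_by_val_direct entry (putDirect versus putDirectIndex) and the entry above (asIndex returning Optional<uint32_t>, renamed parseIndex) hinge on one question: is a property key an array index? As an added JavaScript example (not JavaScriptCore code), the same decision is re-implemented in script and then cross-checked against the engine's own property ordering, which puts array-index keys first. The names `parseIndex`, `isIndex`, `engineTreatsAsIndex`, `checkAgainstEngine` and `SAMPLE_KEYS` are this example's own.

```javascript
// Added example (not JavaScriptCore code): the "is this key an array index?" test.
// ECMAScript defines an array index as a canonical numeric string whose value is an
// integer in [0, 2^32 - 2]. "4294967295" (2^32 - 1) is the array length limit and is
// therefore NOT an index; neither are "01", "-1", "1e3", " 1" or "".
const MAX_ARRAY_INDEX = 4294967294; // 2^32 - 2

// Returns the index as a number, or null when `key` is not an array index
// (the script analogue of returning Optional<uint32_t> instead of UINT_MAX).
function parseIndex(key) {
  if (typeof key !== 'string' || key.length === 0 || key.length > 10) return null;
  if (key === '0') return 0;
  // Canonical form: first digit 1-9, every following character 0-9.
  const first = key.charCodeAt(0);
  if (first < 0x31 || first > 0x39) return null;
  for (let i = 1; i < key.length; i++) {
    const c = key.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return null;
  }
  const n = Number(key);
  return n <= MAX_ARRAY_INDEX ? n : null;
}

// Callers must check explicitly, which is the point of the Optional-returning API.
function isIndex(key) {
  return parseIndex(key) !== null;
}

// Cross-check against the engine: OrdinaryOwnPropertyKeys lists array-index keys
// first (ascending), then string keys in insertion order. So an index key stored
// after "z" still comes out first, while a non-index key keeps its insertion slot.
function engineTreatsAsIndex(key) {
  const o = {};
  o.z = 0;      // a string-keyed property inserted first
  o[key] = 1;   // computed-key store: the put_by_val path
  return Object.keys(o)[0] === key;
}

// Returns every sample key on which the script check and the engine disagree
// (expected: none).
function checkAgainstEngine(keys) {
  const disagreements = [];
  for (const key of keys) {
    if (isIndex(key) !== engineTreatsAsIndex(key)) disagreements.push(key);
  }
  return disagreements;
}

// Constructed sample keys covering the edge cases named in the entries above.
const SAMPLE_KEYS = ['0', '1', '42', '01', '-1', '1e3', '', ' 1', '1.0',
                     '4294967294', '4294967295', '9007199254740991', 'length'];
```

The length guard (`key.length > 10`) rejects anything that cannot fit in 32 bits before the digit loop runs, and the `'0'` special case is the only key that may start with a zero; both are the edge cases a hand-rolled index parser most often gets wrong.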
13832 2015-04-05 Andreas Kling <akling@apple.com>
13833
13834 URI encoding/escaping should use efficient string building instead of calling snprintf().
13835 <https://webkit.org/b/143426>
13836
13837 Reviewed by Gavin Barraclough.
13838
13839 I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
13840 which seemed pretty silly. This change gets that down to nothing in favor of using our
13841 existing JSStringBuilder and HexNumber.h facilities.
13842
13843 These APIs are well-exercised by our existing test suite.
13844
13845 * runtime/JSGlobalObjectFunctions.cpp:
13846 (JSC::encode):
13847 (JSC::globalFuncEscape):
13848
13849 2015-04-05 Masataka Yakura <masataka.yakura@gmail.com>
13850
13851 documentation for ES Promises points to the wrong one
13852 https://bugs.webkit.org/show_bug.cgi?id=143263
13853
13854 Reviewed by Darin Adler.
13855
13856 * features.json:
13857
13858 2015-04-05 Simon Fraser <simon.fraser@apple.com>
13859
13860 Remove "go ahead and" from comments
13861 https://bugs.webkit.org/show_bug.cgi?id=143421
13862
13863 Reviewed by Darin Adler, Benjamin Poulain.
13864
13865 Remove the phrase "go ahead and" from comments where it doesn't add
13866 anything (which is almost all of them).
13867
13868 * interpreter/JSStack.cpp:
13869 (JSC::JSStack::growSlowCase):
13870
13871 2015-04-04 Andreas Kling <akling@apple.com>
13872
13873 Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
13874 <https://webkit.org/b/143210>
13875
13876 Reviewed by Geoffrey Garen.
13877
13878 Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
13879 we had a little problem where WeakBlocks with only null pointers would still keep their
13880 MarkedBlock alive.
13881
13882 This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
13883 that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
13884 to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
13885 destroying them once they're fully dead.
13886
13887 This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
13888 a mysterious issue where doing two full garbage collections back-to-back would free additional
13889 memory in the second collection.
13890
13891 Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
13892 an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
13893 calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
13894
13895 * heap/Heap.h:
13896 * heap/Heap.cpp:
13897 (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
13898 owned by Heap, after everything else has been swept.
13899
13900 (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
13901 after a full garbage collection ends. Note that we don't do this after Eden collections, since
13902 they are unlikely to cause entire WeakBlocks to go empty.
13903
13904 (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
13905 to the Heap when it's detached from a WeakSet.
13906
13907 (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
13908 of the logically empty WeakBlocks owned by Heap.
13909
13910 (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
13911 and updates the next-logically-empty-weak-block-to-sweep index.
13912
13913 (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
13914 won't be another chance after this.
13915
13916 * heap/IncrementalSweeper.h:
13917 (JSC::IncrementalSweeper::hasWork): Deleted.
13918
13919 * heap/IncrementalSweeper.cpp:
13920 (JSC::IncrementalSweeper::fullSweep):
13921 (JSC::IncrementalSweeper::doSweep):
13922 (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
13923 adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
13924 changed to return a bool (true if there's more work to be done.)
13925
13926 * heap/WeakBlock.cpp:
13927 (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
13928 contain any pointers to live objects. The answer is stored in a new SweepResult member.
13929
13930 * heap/WeakBlock.h:
13931 (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
13932 if the WeakBlock could be detached from the MarkedBlock.
13933
13934 (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
13935 when declaring them.
13936
13937 2015-04-04 Yusuke Suzuki <utatane.tea@gmail.com>
13938
13939 Implement ES6 Object.getOwnPropertySymbols
13940 https://bugs.webkit.org/show_bug.cgi?id=141106
13941
13942 Reviewed by Geoffrey Garen.
13943
13944 This patch implements `Object.getOwnPropertySymbols`.
13945 One technical issue is that, since we use private symbols (such as `@Object`) in the
13946 privileged JS code in `builtins/`, they should not be exposed.
13947 To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
13948 before adding it into PropertyNameArray.
13949
13950 To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
13951 since all private symbols are held in this map.
13952
13953 * builtins/BuiltinExecutables.cpp:
13954 (JSC::BuiltinExecutables::createExecutableInternal):
13955 * builtins/BuiltinNames.h:
13956 (JSC::BuiltinNames::isPrivateName):
13957 * runtime/CommonIdentifiers.cpp:
13958 (JSC::CommonIdentifiers::isPrivateName):
13959 * runtime/CommonIdentifiers.h:
13960 * runtime/EnumerationMode.h:
13961 (JSC::EnumerationMode::EnumerationMode):
13962 (JSC::EnumerationMode::includeSymbolProperties):
13963 * runtime/ExceptionHelpers.cpp:
13964 (JSC::createUndefinedVariableError):
13965 * runtime/JSGlobalObject.cpp:
13966 (JSC::JSGlobalObject::init):
13967 * runtime/JSLexicalEnvironment.cpp:
13968 (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
13969 * runtime/JSSymbolTableObject.cpp:
13970 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
13971 * runtime/ObjectConstructor.cpp:
13972 (JSC::ObjectConstructor::finishCreation):
13973 (JSC::objectConstructorGetOwnPropertySymbols):
13974 (JSC::defineProperties):
13975 (JSC::objectConstructorSeal):
13976 (JSC::objectConstructorFreeze):
13977 (JSC::objectConstructorIsSealed):
13978 (JSC::objectConstructorIsFrozen):
13979 * runtime/ObjectConstructor.h:
13980 (JSC::ObjectConstructor::create):
13981 * runtime/Structure.cpp:
13982 (JSC::Structure::getPropertyNamesFromStructure):
13983 * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
13984 (compare):
13985 * tests/stress/object-get-own-property-symbols.js: Added.
13986 (forIn):
13987 * tests/stress/symbol-define-property.js: Added.
13988 (testSymbol):
13989 * tests/stress/symbol-seal-and-freeze.js: Added.
13990 * tests/stress/symbol-with-json.js: Added.
13991
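What Object.getOwnPropertySymbols exposes, and what the older enumeration paths keep hiding, as an added JavaScript example (not JavaScriptCore code and not the stress tests listed above, although it exercises the same cases: for-in, JSON, defineProperty, seal/freeze, ToObject on a primitive). The names `tag`, `hidden`, `makeSample`, `enumerate`, `freezeCoversSymbols` and `symbolsOfPrimitive` are this example's own.

```javascript
// Added example (not JavaScriptCore code): symbol-keyed properties and enumeration.
const tag = Symbol('tag');
const hidden = Symbol('hidden');

// Constructed sample object: one string key, one enumerable symbol key,
// one non-enumerable symbol key added through defineProperty.
function makeSample() {
  const o = { visible: 1, [tag]: 'tagged' };
  Object.defineProperty(o, hidden, { value: 'non-enumerable', enumerable: false });
  return o;
}

// Runs every enumeration path over `o` and returns what each one sees.
function enumerate(o) {
  const forIn = [];
  for (const k in o) forIn.push(k);
  return {
    keys: Object.keys(o),                      // string keys only
    forIn,                                     // string keys only
    json: JSON.stringify(o),                   // symbol-keyed properties are skipped
    symbols: Object.getOwnPropertySymbols(o),  // enumerable AND non-enumerable symbols, insertion order
    all: Reflect.ownKeys(o),                   // string keys first, then symbol keys
  };
}

// seal/freeze must cover symbol-keyed properties too: after freeze, the
// symbol-keyed property is neither writable nor configurable.
function freezeCoversSymbols(o) {
  Object.freeze(o);
  const desc = Object.getOwnPropertyDescriptor(o, tag);
  return Object.isFrozen(o) && desc.writable === false && desc.configurable === false;
}

// getOwnPropertySymbols performs ToObject on its argument, so a primitive is
// wrapped rather than rejected (null and undefined still throw a TypeError).
function symbolsOfPrimitive(v) {
  return Object.getOwnPropertySymbols(v);
}
```

The security-relevant reading of this: code that "hides" data under a symbol key keeps it out of Object.keys, for-in and JSON.stringify, but not out of Object.getOwnPropertySymbols or Reflect.ownKeys, so symbol keys are an encapsulation convenience and not an access-control boundary.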
13992 2015-04-03 Mark Lam <mark.lam@apple.com>
13993
13994 Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
13995 <https://webkit.org/b/143385>
13996
13997 Reviewed by Geoffrey Garen.
13998
13999 For debugging purposes, sometimes, we want to be able to make compilation happen
14000 sooner to see if we can accelerate the manifestation of certain events / bugs.
14001 Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
14002 which make up the compilation policy. Let's add a single knob that can tune all
14003 the thresholds up / down in one go proportionately so that we can easily tweak
14004 how soon compilation occurs.
14005
14006 * runtime/Options.cpp:
14007 (JSC::scaleJITPolicy):
14008 (JSC::recomputeDependentOptions):
14009 * runtime/Options.h:
14010
14011 2015-04-03 Geoffrey Garen <ggaren@apple.com>
14012
14013 is* API methods should be @properties
14014 https://bugs.webkit.org/show_bug.cgi?id=143388
14015
14016 Reviewed by Mark Lam.
14017
14018 This appears to be the preferred idiom in WebKit, CA, AppKit, and
14019 Foundation.
14020
14021 * API/JSValue.h: Be @properties.
14022
14023 * API/tests/testapi.mm:
14024 (testObjectiveCAPI): Use the @properties.
14025
14026 2015-04-03 Mark Lam <mark.lam@apple.com>
14027
14028 Some JSC Options refactoring and enhancements.
14029 <https://webkit.org/b/143384>
14030
14031 Rubber stamped by Benjamin Poulain.
14032
14033 Create a better encapsulated Option class to make working with options easier. This
14034 is a building block towards a JIT policy scaling debugging option I will introduce later.
14035
14036 This work entails:
14037 1. Convert Options::Option into a public class Option (which works closely with Options).
14038 2. Convert Options::EntryType into an enum class Options::Type and make it public.
14039 3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
14040 4. Add misc methods to class Option to make it more usable.
14041
14042 * runtime/Options.cpp:
14043 (JSC::Options::dumpOption):
14044 (JSC::Option::dump):
14045 (JSC::Option::operator==):
14046 (JSC::Options::Option::dump): Deleted.
14047 (JSC::Options::Option::operator==): Deleted.
14048 * runtime/Options.h:
14049 (JSC::Option::Option):
14050 (JSC::Option::operator!=):
14051 (JSC::Option::name):
14052 (JSC::Option::description):
14053 (JSC::Option::type):
14054 (JSC::Option::isOverridden):
14055 (JSC::Option::defaultOption):
14056 (JSC::Option::boolVal):
14057 (JSC::Option::unsignedVal):
14058 (JSC::Option::doubleVal):
14059 (JSC::Option::int32Val):
14060 (JSC::Option::optionRangeVal):
14061 (JSC::Option::optionStringVal):
14062 (JSC::Option::gcLogLevelVal):
14063 (JSC::Options::Option::Option): Deleted.
14064 (JSC::Options::Option::operator!=): Deleted.
14065
14066 2015-04-03 Geoffrey Garen <ggaren@apple.com>
14067
14068 JavaScriptCore API should support type checking for Array and Date
14069 https://bugs.webkit.org/show_bug.cgi?id=143324
14070
14071 Follow-up to address a comment by Dan.
14072
14073 * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
14074 is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
14075 is equal to 101100.
14076
14077 2015-04-03 Geoffrey Garen <ggaren@apple.com>
14078
14079 JavaScriptCore API should support type checking for Array and Date
14080 https://bugs.webkit.org/show_bug.cgi?id=143324
14081
14082 Follow-up to address a comment by Dan.
14083
14084 * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
14085 Added a comment explaining why.
14086
14087 2015-04-03 Csaba Osztrogonác <ossy@webkit.org>
14088
14089 FTL JIT tests should fail if LLVM library isn't available
14090 https://bugs.webkit.org/show_bug.cgi?id=143374
14091
14092 Reviewed by Mark Lam.
14093
14094 * dfg/DFGPlan.cpp:
14095 (JSC::DFG::Plan::compileInThreadImpl):
14096 * runtime/Options.h:
14097
14098 2015-04-03 Zan Dobersek <zdobersek@igalia.com>
14099
14100 Fix the EFL and GTK build after r182243
14101 https://bugs.webkit.org/show_bug.cgi?id=143361
14102
14103 Reviewed by Csaba Osztrogonác.
14104
14105 * CMakeLists.txt: InspectorBackendCommands.js is generated in the
14106 DerivedSources/JavaScriptCore/inspector/ directory.
14107
14108 2015-04-03 Zan Dobersek <zdobersek@igalia.com>
14109
14110 Unreviewed, fixing Clang builds of the GTK port on Linux.
14111
14112 * runtime/Options.cpp:
14113 Include the <math.h> header for isnan().
14114
14115 2015-04-02 Mark Lam <mark.lam@apple.com>
14116
14117 Enhance ability to dump JSC Options.
14118 <https://webkit.org/b/143357>
14119
14120 Reviewed by Benjamin Poulain.
14121
14122 Some enhancements to how the JSC options work:
14123
14124 1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
14125 2 = All, 3 = Verbose.
14126
14127 The default is 0 (None). This dumps nothing.
14128 With the Overridden setting, at VM initialization time, we will dump all
14129 option values that have been changed from their default.
14130 With the All setting, at VM initialization time, we will dump all option values.
14131 With the Verbose setting, at VM initialization time, we will dump all option
14132 values along with their descriptions (if available).
14133
14134 2. We now store a copy of the default option values.
14135
14136 We later use this for comparison to tell if an option has been overridden, and
14137 print the default value for reference. As a result, we no longer need the
14138 didOverride flag since we can compute whether the option is overridden at any time.
14139
14140 3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
14141
14142 This will come in handy later when we want to rename some of the options to more sane
14143 names that are easier to remember. For example, we can change
14144 Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
14145 Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate(). With the availability
14146 of the description, we can afford to use shorter and less descriptive option names,
14147 but they will be easier to remember and use for day to day debugging work.
14148
14149 In this patch, I did not change the names of any of the options yet. I only added
14150 description strings for options that I know about, and where I think the option name
14151 isn't already descriptive enough.
14152
14153 4. Also deleted some unused code.
14154
14155 * jsc.cpp:
14156 (CommandLine::parseArguments):
14157 * runtime/Options.cpp:
14158 (JSC::Options::initialize):
14159 (JSC::Options::setOption):
14160 (JSC::Options::dumpAllOptions):
14161 (JSC::Options::dumpOption):
14162 (JSC::Options::Option::dump):
14163 (JSC::Options::Option::operator==):
14164 * runtime/Options.h:
14165 (JSC::OptionRange::rangeString):
14166 (JSC::Options::Option::Option):
14167 (JSC::Options::Option::operator!=):
14168
14169 2015-04-02 Geoffrey Garen <ggaren@apple.com>
14170
14171 JavaScriptCore API should support type checking for Array and Date
14172 https://bugs.webkit.org/show_bug.cgi?id=143324
14173
14174 Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
14175
14176 * API/JSValue.h:
14177 * API/JSValue.mm:
14178 (-[JSValue isArray]):
14179 (-[JSValue isDate]): Added an ObjC API.
14180
14181 * API/JSValueRef.cpp:
14182 (JSValueIsArray):
14183 (JSValueIsDate):
14184 * API/JSValueRef.h: Added a C API.
14185
14186 * API/WebKitAvailability.h: Brought our availability macros up to date
14187 and fixed a harmless bug where "10_10" translated to "10.0".
14188
14189 * API/tests/testapi.c:
14190 (main): Added a test and corrected a pre-existing leak.
14191
14192 * API/tests/testapi.mm:
14193 (testObjectiveCAPI): Added a test.
14194
14195 2015-04-02 Mark Lam <mark.lam@apple.com>
14196
14197 Add Options::dumpSourceAtDFGTime().
14198 <https://webkit.org/b/143349>
14199
14200 Reviewed by Oliver Hunt, and Michael Saboff.
14201
14202 Sometimes, we will want to see the JS source code that we're compiling, and it
14203 would be nice to be able to do this without having to jump thru a lot of hoops.
14204 So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
14205 Options::dumpBytecodeAtDFGTime() option.
14206
14207 Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
14208 that explicitly take no arguments (instead of relying on the version that takes
14209 the default argument). These versions are friendlier to use when we want to call
14210 them from an interactive debugging session.
14211
14212 * bytecode/CodeBlock.cpp:
14213 (JSC::CodeBlock::dumpSource):
14214 (JSC::CodeBlock::dumpBytecode):
14215 * bytecode/CodeBlock.h:
14216 * dfg/DFGByteCodeParser.cpp:
14217 (JSC::DFG::ByteCodeParser::parseCodeBlock):
14218 * runtime/Options.h:
14219
14220 2015-04-02 Yusuke Suzuki <utatane.tea@gmail.com>
14221
14222 Clean up EnumerationMode to easily extend
14223 https://bugs.webkit.org/show_bug.cgi?id=143276
14224
14225 Reviewed by Geoffrey Garen.
14226
14227 To make the following easy:
14228 1. adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch, and
14229 2. making ExcludeSymbols the implicit default for the existing flags,
14230 we encapsulate the EnumerationMode flags into an EnumerationMode class.
14231
14232 And this class manages 2 flags. Later it will be extended to 3.
14233 1. DontEnumPropertiesMode (default is Exclude)
14234 2. JSObjectPropertiesMode (default is Include)
14235 3. SymbolPropertiesMode (default is Exclude)
14236 SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
14237
14238 This patch replaces places using ExcludeDontEnumProperties
14239 to EnumerationMode() value which represents default mode.
14240
14241 * API/JSCallbackObjectFunctions.h:
14242 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
14243 * API/JSObjectRef.cpp:
14244 (JSObjectCopyPropertyNames):
14245 * bindings/ScriptValue.cpp:
14246 (Deprecated::jsToInspectorValue):
14247 * bytecode/ObjectAllocationProfile.h:
14248 (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
14249 * runtime/ArrayPrototype.cpp:
14250 (JSC::arrayProtoFuncSort):
14251 * runtime/EnumerationMode.h:
14252 (JSC::EnumerationMode::EnumerationMode):
14253 (JSC::EnumerationMode::includeDontEnumProperties):
14254 (JSC::EnumerationMode::includeJSObjectProperties):
14255 (JSC::shouldIncludeDontEnumProperties): Deleted.
14256 (JSC::shouldExcludeDontEnumProperties): Deleted.
14257 (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
14258 (JSC::modeThatSkipsJSObject): Deleted.
14259 * runtime/GenericArgumentsInlines.h:
14260 (JSC::GenericArguments<Type>::getOwnPropertyNames):
14261 * runtime/JSArray.cpp:
14262 (JSC::JSArray::getOwnNonIndexPropertyNames):
14263 * runtime/JSArrayBuffer.cpp:
14264 (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
14265 * runtime/JSArrayBufferView.cpp:
14266 (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
14267 * runtime/JSFunction.cpp:
14268 (JSC::JSFunction::getOwnNonIndexPropertyNames):
14269 * runtime/JSFunction.h:
14270 * runtime/JSGenericTypedArrayViewInlines.h:
14271 (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
14272 * runtime/JSLexicalEnvironment.cpp:
14273 (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
14274 * runtime/JSONObject.cpp:
14275 (JSC::Stringifier::Holder::appendNextProperty):
14276 (JSC::Walker::walk):
14277 * runtime/JSObject.cpp:
14278 (JSC::getClassPropertyNames):
14279 (JSC::JSObject::getOwnPropertyNames):
14280 (JSC::JSObject::getOwnNonIndexPropertyNames):
14281 (JSC::JSObject::getGenericPropertyNames):
14282 * runtime/JSPropertyNameEnumerator.h:
14283 (JSC::propertyNameEnumerator):
14284 * runtime/JSSymbolTableObject.cpp:
14285 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
14286 * runtime/ObjectConstructor.cpp:
14287 (JSC::objectConstructorGetOwnPropertyNames):
14288 (JSC::objectConstructorKeys):
14289 (JSC::defineProperties):
14290 (JSC::objectConstructorSeal):
14291 (JSC::objectConstructorFreeze):
14292 (JSC::objectConstructorIsSealed):
14293 (JSC::objectConstructorIsFrozen):
14294 * runtime/RegExpObject.cpp:
14295 (JSC::RegExpObject::getOwnNonIndexPropertyNames):
14296 (JSC::RegExpObject::getPropertyNames):
14297 (JSC::RegExpObject::getGenericPropertyNames):
14298 * runtime/StringObject.cpp:
14299 (JSC::StringObject::getOwnPropertyNames):
14300 * runtime/Structure.cpp:
14301 (JSC::Structure::getPropertyNamesFromStructure):
14302
14303 2015-04-01 Alex Christensen <achristensen@webkit.org>
14304
14305 Progress towards CMake on Windows and Mac.
14306 https://bugs.webkit.org/show_bug.cgi?id=143293
14307
14308 Reviewed by Filip Pizlo.
14309
14310 * CMakeLists.txt:
14311 Enabled using assembly on Windows.
14312 Replaced unix commands with CMake commands.
14313 * PlatformMac.cmake:
14314 Tell open source builders where to find unicode headers.
14315
14316 2015-04-01 Yusuke Suzuki <utatane.tea@gmail.com>
14317
14318 IteratorClose should be called when jumping over the target for-of loop
14319 https://bugs.webkit.org/show_bug.cgi?id=143140
14320
14321 Reviewed by Geoffrey Garen.
14322
14323 This patch fixes labeled break/continue behaviors with for-of and iterators.
14324
14325 1. Support IteratorClose beyond multiple loop contexts
14326 Previously, IteratorClose was only executed in for-of's breakTarget().
14327 However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
14328 For example,
14329     outer: for (var e1 of outer) {
14330         inner: for (var e2 of inner) {
14331             break outer;
14332         }
14333     }
14334 In this case, the return method of inner should be called.
14335 We leverage the existing system for `finally` to execute inner.return method correctly.
14336 Leveraging `finally` system fixes `break`, `continue` and `return` cases.
14337 `throw` case is already supported by emitting try-catch handlers in for-of.
14338
14339 2. Incorrect LabelScope creation is done in ForOfNode
14340 ForOfNode creates a duplicated LabelScope.
14341 It causes an infinite loop when executing the following program that contains
14342 an explicitly labeled for-of loop.
14343 For example,
14344     inner: for (var elm of array) {
14345         continue inner;
14346     }
14347
14348 * bytecompiler/BytecodeGenerator.cpp:
14349 (JSC::BytecodeGenerator::pushFinallyContext):
14350 (JSC::BytecodeGenerator::pushIteratorCloseContext):
14351 (JSC::BytecodeGenerator::popFinallyContext):
14352 (JSC::BytecodeGenerator::popIteratorCloseContext):
14353 (JSC::BytecodeGenerator::emitComplexPopScopes):
14354 (JSC::BytecodeGenerator::emitEnumeration):
14355 (JSC::BytecodeGenerator::emitIteratorClose):
14356 * bytecompiler/BytecodeGenerator.h:
14357 * bytecompiler/NodesCodegen.cpp:
14358 (JSC::ForOfNode::emitBytecode):
14359 * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
14360 (createIterator.iterator.return):
14361 (createIterator):
14362 * tests/stress/raise-error-in-iterator-close.js: Added.
14363 (createIterator.iterator.return):
14364 (createIterator):
14365
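The two behaviours the entry above fixes, observed from script, as an added JavaScript example (not JavaScriptCore code and not the stress tests listed above, although `createIterator` plays the same role as in those tests): an iterator that records calls to its return() method, driven through a labeled break across two for-of loops, a labeled continue, an early return and a throw. The names `createIterator`, `labeledBreak`, `labeledContinue`, `earlyReturn` and `throwInBody` are this example's own.

```javascript
// Added example (not JavaScriptCore code): when for-of calls IteratorClose.
// createIterator builds a constructed iterator over `values` that appends
// `<name>.return` to `log` whenever its return() method is called.
function createIterator(values, log, name) {
  let i = 0;
  return {
    [Symbol.iterator]() { return this; },
    next() {
      return i < values.length
        ? { value: values[i++], done: false }
        : { value: undefined, done: true };
    },
    return() {
      log.push(name + '.return');
      return { done: true };
    },
  };
}

// 1. `break outer` from the inner loop must close BOTH iterators: the inner one
//    first (its loop is being abandoned), then the outer one.
function labeledBreak() {
  const log = [];
  outer: for (const e1 of createIterator([1, 2], log, 'outer')) {
    inner: for (const e2 of createIterator([10, 20], log, 'inner')) {
      log.push(`visit ${e1},${e2}`);
      break outer;
    }
  }
  return log; // ['visit 1,10', 'inner.return', 'outer.return']
}

// 2. `continue inner` on an explicitly labeled for-of must advance normally:
//    three iterations, no infinite loop, and no return() call because the
//    iterator is exhausted through next() rather than abandoned.
function labeledContinue() {
  const log = [];
  let iterations = 0;
  inner: for (const e of createIterator([1, 2, 3], log, 'it')) {
    iterations++;
    if (iterations > 100) break; // guard: only reachable if the loop never terminates
    continue inner;
  }
  return { iterations, log }; // { iterations: 3, log: [] }
}

// 3. A `return` from inside the loop body also closes the iterator.
function earlyReturn() {
  const log = [];
  (function () {
    for (const e of createIterator([1, 2], log, 'it')) return e;
  })();
  return log; // ['it.return']
}

// 4. So does a throw: return() runs before the exception reaches the catch.
function throwInBody() {
  const log = [];
  try {
    for (const e of createIterator([1, 2], log, 'it')) throw new Error('boom ' + e);
  } catch (err) {
    log.push('caught ' + err.message);
  }
  return log; // ['it.return', 'caught boom 1']
}
```

Iterators that hold resources (file handles, locks, pending network work) rely on exactly this ordering: return() is the only cleanup hook a for-of consumer gives them, so every abrupt exit path must reach it.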
14366 2015-04-01 Yusuke Suzuki <utatane.tea@gmail.com>
14367
14368 [ES6] Implement Symbol.unscopables
14369 https://bugs.webkit.org/show_bug.cgi?id=142829
14370
14371 Reviewed by Geoffrey Garen.
14372
14373 This patch introduces Symbol.unscopables functionality.
14374 In ES6, some generic names (like keys, values) are introduced
14375 as Array method names. And this breaks the web since some web sites
14376 use code like the following.
14377
14378     var values = ...;
14379     with (array) {
14380         values; // This values is trapped by array's method "values".
14381     }
14382
14383 To fix this, Symbol.unscopables introduces a blacklist
14384 for with scope's trapping. When resolving scope,
14385 if the name is found in the target scope and the target scope is a with scope,
14386 we check the Symbol.unscopables object to filter generic names.
14387
14388 This functionality is only active for with scopes.
14389 Global scope does not have unscopables functionality.
14390
14391 And since
14392 1) op_resolve_scope for with scope always returns the Dynamic resolve type,
14393 2) in that case, JSScope::resolve is always used in JIT and LLInt,
14394 3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
14395 to implement this functionality, we just change JSScope::resolve and there is no need to change JIT code.
14396 So the performance regression is only visible in the Dynamic resolving case, and it is already very slow.
14397
14398 * runtime/ArrayPrototype.cpp:
14399 (JSC::ArrayPrototype::finishCreation):
14400 * runtime/CommonIdentifiers.h:
14401 * runtime/JSGlobalObject.h:
14402 (JSC::JSGlobalObject::runtimeFlags):
14403 * runtime/JSScope.cpp:
14404 (JSC::isUnscopable):
14405 (JSC::JSScope::resolve):
14406 * runtime/JSScope.h:
14407 (JSC::ScopeChainIterator::scope):
14408 * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
14409 (test):
14410 * tests/stress/unscopables.js: Added.
14411 (test):
14412 (.):
14413
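How a name inside a `with` block resolves with and without a Symbol.unscopables blacklist on the scope object, and why the global object is unaffected, as an added JavaScript example (not JavaScriptCore code and not the unscopables.js tests listed above). Because `with` is a SyntaxError in strict code, the lookup is compiled with the Function constructor, whose body is always sloppy-mode. The names `resolveInWith`, `arrayCase`, `customCase`, `globalCase` and the global `unscopablesProbe` are this example's own constructed values.

```javascript
// Added example (not JavaScriptCore code): with-scope resolution and Symbol.unscopables.

// Evaluates `name` inside `with (scopeObject) { ... }`. A function-local `var`
// of the same name holds `outerValue`, so if the with scope does not trap the
// name (not present, or blacklisted via Symbol.unscopables) resolution falls
// through to that outer binding.
function resolveInWith(scopeObject, name, outerValue) {
  // `name` is spliced into source text, so accept only a plain identifier.
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new TypeError('not an identifier: ' + name);
  const lookup = new Function('scopeObject', 'outer',
    `var ${name} = outer; with (scopeObject) { return ${name}; }`);
  return lookup(scopeObject, outerValue);
}

// An array exposes keys/values on its prototype, but ES6 lists them in
// Array.prototype[Symbol.unscopables], so `values` resolves past the array.
// `length` is not blacklisted and is still trapped.
function arrayCase() {
  const arr = [1, 2, 3];
  return {
    values: resolveInWith(arr, 'values', 'outer values'),   // 'outer values'
    length: resolveInWith(arr, 'length', 'outer length'),   // 3
    valuesIsBlacklisted: Array.prototype[Symbol.unscopables].values === true,
  };
}

// The same mechanism on user objects: an own property is trapped unless the
// object's Symbol.unscopables marks it true.
function customCase() {
  const plain = { keys: 'trapped' };
  const blacklisted = { keys: 'trapped', [Symbol.unscopables]: { keys: true } };
  return {
    plain: resolveInWith(plain, 'keys', 'outer keys'),              // 'trapped'
    blacklisted: resolveInWith(blacklisted, 'keys', 'outer keys'),  // 'outer keys'
  };
}

// The global object is not a with scope, so a Symbol.unscopables placed on it
// has no effect: the global binding is found regardless. The constructed
// global is removed again in `finally`.
function globalCase() {
  globalThis.unscopablesProbe = 'global value';
  globalThis[Symbol.unscopables] = { unscopablesProbe: true };
  try {
    return new Function('return unscopablesProbe;')();
  } finally {
    delete globalThis.unscopablesProbe;
    delete globalThis[Symbol.unscopables];
  }
}
```

The identifier check in `resolveInWith` is there because the helper builds source text; any code that composes `new Function` or `eval` input from a caller-supplied string needs the same guard.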
14414 2015-03-31 Ryosuke Niwa <rniwa@webkit.org>
14415
14416 ES6 class syntax should allow static setters and getters
14417 https://bugs.webkit.org/show_bug.cgi?id=143180
14418
14419 Reviewed by Filip Pizlo.
14420
14421 Apparently I misread the spec when I initially implemented parseClass.
14422 ES6 class syntax allows static getters and setters so just allow that.
14423
14424 * parser/Parser.cpp:
14425 (JSC::Parser<LexerType>::parseClass):
14426
14427 2015-03-31 Filip Pizlo <fpizlo@apple.com>
14428
14429 PutClosureVar CSE def() rule has a wrong base
14430 https://bugs.webkit.org/show_bug.cgi?id=143280
14431
14432 Reviewed by Michael Saboff.
14433
14434 I think that this code was incorrect in a benign way, since the base of a
14435 PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
14436
14437 * dfg/DFGClobberize.h:
14438 (JSC::DFG::clobberize):
14439
14440 2015-03-31 Commit Queue <commit-queue@webkit.org>
14441
14442 Unreviewed, rolling out r182200.
14443 https://bugs.webkit.org/show_bug.cgi?id=143279
14444
14445 Probably causing assertion extravaganza on bots. (Requested by
14446 kling on #webkit).
14447
14448 Reverted changeset:
14449
14450 "Logically empty WeakBlocks should not pin down their
14451 MarkedBlocks indefinitely."
14452 https://bugs.webkit.org/show_bug.cgi?id=143210
14453 http://trac.webkit.org/changeset/182200
14454
14455 2015-03-31 Yusuke Suzuki <utatane.tea@gmail.com>
14456
14457 Clean up Identifier factories to clarify the meaning of StringImpl*
14458 https://bugs.webkit.org/show_bug.cgi?id=143146
14459
14460 Reviewed by Filip Pizlo.
14461
14462 In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
14463 However, it's ambiguous because `StringImpl*` has 2 different meanings:
14464 1) a normal string, which is replaceable with `WTFString`, and
14465 2) a `uid`, which holds `isSymbol` information to represent Symbols.
14466 So we dropped the Identifier constructors for strings and instead introduced 2 factory functions.
14467 + `Identifier::fromString(VM*/ExecState*, const String&)`.
14468   Just constructs an Identifier from strings. The symbol-ness of StringImpl* is not kept.
14469 + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
14470   This function is used for 2) `uid`. So the symbol-ness of `StringImpl*` is kept.
14471
14472 And to clean up `StringImpl` which is used as a uid,
14473 we introduce `StringKind` into `StringImpl`. There are 3 kinds:
14474 1. StringNormal (non-atomic, non-symbol)
14475 2. StringAtomic (atomic, non-symbol)
14476 3. StringSymbol (non-atomic, symbol)
14477 They are mutually exclusive. And the (atomic, symbol) case should not exist.
14478
14479 * API/JSCallbackObjectFunctions.h:
14480 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
14481 * API/JSObjectRef.cpp:
14482 (JSObjectMakeFunction):
14483 * API/OpaqueJSString.cpp:
14484 (OpaqueJSString::identifier):
14485 * bindings/ScriptFunctionCall.cpp:
14486 (Deprecated::ScriptFunctionCall::call):
14487 * builtins/BuiltinExecutables.cpp:
14488 (JSC::BuiltinExecutables::createExecutableInternal):
14489 * builtins/BuiltinNames.h:
14490 (JSC::BuiltinNames::BuiltinNames):
14491 * bytecompiler/BytecodeGenerator.cpp:
14492 (JSC::BytecodeGenerator::BytecodeGenerator):
14493 (JSC::BytecodeGenerator::emitThrowReferenceError):
14494 (JSC::BytecodeGenerator::emitThrowTypeError):
14495 (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
14496 (JSC::BytecodeGenerator::emitEnumeration):
14497 * dfg/DFGDesiredIdentifiers.cpp:
14498 (JSC::DFG::DesiredIdentifiers::reallyAdd):
14499 * inspector/JSInjectedScriptHost.cpp:
14500 (Inspector::JSInjectedScriptHost::functionDetails):
14501 (Inspector::constructInternalProperty):
14502 (Inspector::JSInjectedScriptHost::weakMapEntries):
14503 (Inspector::JSInjectedScriptHost::iteratorEntries):
14504 * inspector/JSInjectedScriptHostPrototype.cpp:
14505 (Inspector::JSInjectedScriptHostPrototype::finishCreation):
14506 * inspector/JSJavaScriptCallFramePrototype.cpp:
14507 * inspector/ScriptCallStackFactory.cpp:
14508 (Inspector::extractSourceInformationFromException):
14509 * jit/JITOperations.cpp:
14510 * jsc.cpp:
14511 (GlobalObject::finishCreation):
14512 (GlobalObject::addFunction):
14513 (GlobalObject::addConstructableFunction):
14514 (functionRun):
14515 (runWithScripts):
14516 * llint/LLIntData.cpp:
14517 (JSC::LLInt::Data::performAssertions):
14518 * llint/LowLevelInterpreter.asm:
14519 * parser/ASTBuilder.h:
14520 (JSC::ASTBuilder::addVar):
14521 * parser/Parser.cpp:
14522 (JSC::Parser<LexerType>::parseInner):
14523 (JSC::Parser<LexerType>::createBindingPattern):
14524 * parser/ParserArena.h:
14525 (JSC::IdentifierArena::makeIdentifier):
14526 (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
14527 (JSC::IdentifierArena::makeNumericIdentifier):
14528 * runtime/ArgumentsIteratorPrototype.cpp:
14529 (JSC::ArgumentsIteratorPrototype::finishCreation):
14530 * runtime/ArrayIteratorPrototype.cpp:
14531 (JSC::ArrayIteratorPrototype::finishCreation):
14532 * runtime/ArrayPrototype.cpp:
14533 (JSC::ArrayPrototype::finishCreation):
14534 (JSC::arrayProtoFuncPush):
14535 * runtime/ClonedArguments.cpp:
14536 (JSC::ClonedArguments::getOwnPropertySlot):
14537 * runtime/CommonIdentifiers.cpp:
14538 (JSC::CommonIdentifiers::CommonIdentifiers):
14539 * runtime/CommonIdentifiers.h:
14540 * runtime/Error.cpp:
14541 (JSC::addErrorInfo):
14542 (JSC::hasErrorInfo):
14543 * runtime/ExceptionHelpers.cpp:
14544 (JSC::createUndefinedVariableError):
14545 * runtime/GenericArgumentsInlines.h:
14546 (JSC::GenericArguments<Type>::getOwnPropertySlot):
14547 * runtime/Identifier.h:
14548 (JSC::Identifier::isSymbol):
14549 (JSC::Identifier::Identifier):
14550 (JSC::Identifier::from): Deleted.
14551 * runtime/IdentifierInlines.h:
14552 (JSC::Identifier::Identifier):
14553 (JSC::Identifier::fromUid):
14554 (JSC::Identifier::fromString):
14555 * runtime/JSCJSValue.cpp:
14556 (JSC::JSValue::dumpInContextAssumingStructure):
14557 * runtime/JSCJSValueInlines.h:
14558 (JSC::JSValue::toPropertyKey):
14559 * runtime/JSGlobalObject.cpp:
14560 (JSC::JSGlobalObject::init):
14561 * runtime/JSLexicalEnvironment.cpp:
14562 (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
14563 * runtime/JSObject.cpp:
14564 (JSC::getClassPropertyNames):
14565 (JSC::JSObject::reifyStaticFunctionsForDelete):
14566 * runtime/JSObject.h:
14567 (JSC::makeIdentifier):
14568 * runtime/JSPromiseConstructor.cpp:
14569 (JSC::JSPromiseConstructorFuncRace):
14570 (JSC::JSPromiseConstructorFuncAll):
14571 * runtime/JSString.h:
14572 (JSC::JSString::toIdentifier):
14573 * runtime/JSSymbolTableObject.cpp:
14574 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
14575 * runtime/LiteralParser.cpp:
14576 (JSC::LiteralParser<CharType>::tryJSONPParse):
14577 (JSC::LiteralParser<CharType>::makeIdentifier):
14578 * runtime/Lookup.h:
14579 (JSC::reifyStaticProperties):
14580 * runtime/MapConstructor.cpp:
14581 (JSC::constructMap):
14582 * runtime/MapIteratorPrototype.cpp:
14583 (JSC::MapIteratorPrototype::finishCreation):
14584 * runtime/MapPrototype.cpp:
14585 (JSC::MapPrototype::finishCreation):
14586 * runtime/MathObject.cpp:
14587 (JSC::MathObject::finishCreation):
14588 * runtime/NumberConstructor.cpp:
14589 (JSC::NumberConstructor::finishCreation):
14590 * runtime/ObjectConstructor.cpp:
14591 (JSC::ObjectConstructor::finishCreation):
14592 * runtime/PrivateName.h:
14593 (JSC::PrivateName::PrivateName):
14594 * runtime/PropertyMapHashTable.h:
14595 (JSC::PropertyTable::find):
14596 (JSC::PropertyTable::get):
14597 * runtime/PropertyName.h:
14598 (JSC::PropertyName::PropertyName):
14599 (JSC::PropertyName::publicName):
14600 (JSC::PropertyName::asIndex):
14601 * runtime/PropertyNameArray.cpp:
14602 (JSC::PropertyNameArray::add):
14603 * runtime/PropertyNameArray.h:
14604 (JSC::PropertyNameArray::addKnownUnique):
14605 * runtime/RegExpConstructor.cpp:
14606 (JSC::RegExpConstructor::finishCreation):
14607 * runtime/SetConstructor.cpp:
14608 (JSC::constructSet):
14609 * runtime/SetIteratorPrototype.cpp:
14610 (JSC::SetIteratorPrototype::finishCreation):
14611 * runtime/SetPrototype.cpp:
14612 (JSC::SetPrototype::finishCreation):
14613 * runtime/StringIteratorPrototype.cpp:
14614 (JSC::StringIteratorPrototype::finishCreation):
14615 * runtime/StringPrototype.cpp:
14616 (JSC::StringPrototype::finishCreation):
14617 * runtime/Structure.cpp:
14618 (JSC::Structure::getPropertyNamesFromStructure):
14619 * runtime/SymbolConstructor.cpp:
14620 * runtime/VM.cpp:
14621 (JSC::VM::throwException):
14622 * runtime/WeakMapConstructor.cpp:
14623 (JSC::constructWeakMap):
14624
2015-03-31  Andreas Kling  <akling@apple.com>

        Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
        <https://webkit.org/b/143210>

        Reviewed by Geoffrey Garen.

        Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
        we had a little problem where WeakBlocks with only null pointers would still keep their
        MarkedBlock alive.

        This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
        that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
        to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
        destroying them once they're fully dead.

        This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
        a mysterious issue where doing two full garbage collections back-to-back would free additional
        memory in the second collection.

        Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
        an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
        calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
        owned by Heap, after everything else has been swept.

        (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
        after a full garbage collection ends. Note that we don't do this after Eden collections, since
        they are unlikely to cause entire WeakBlocks to go empty.

        (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
        to the Heap when it's detached from a WeakSet.

        (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
        of the logically empty WeakBlocks owned by Heap.

        (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
        and updates the next-logically-empty-weak-block-to-sweep index.

        (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
        won't be another chance after this.

        * heap/IncrementalSweeper.h:
        (JSC::IncrementalSweeper::hasWork): Deleted.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::fullSweep):
        (JSC::IncrementalSweeper::doSweep):
        (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
        adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
        changed to return a bool (true if there's more work to be done.)

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
        contain any pointers to live objects. The answer is stored in a new SweepResult member.

        * heap/WeakBlock.h:
        (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
        if the WeakBlock could be detached from the MarkedBlock.

        (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
        when declaring them.

2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>

        eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor
        https://bugs.webkit.org/show_bug.cgi?id=142883

        Reviewed by Filip Pizlo.

        The crash was caused by eval inside the constructor of a derived class not checking TDZ.

        Fixed the bug by adding a parser flag that forces the TDZ check to be always emitted when accessing "this"
        in eval inside a derived class's constructor.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::thisExpr):
        * parser/NodeConstructors.h:
        (JSC::ThisNode::ThisNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::thisExpr):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * tests/stress/class-syntax-no-tdz-in-eval.js: Added.
        * tests/stress/class-syntax-tdz-in-eval.js: Added.
14740
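The behaviour the entry above fixes, seen from script: a direct eval inside a derived-class constructor must hit the TDZ check on `this` until super() has run, while a base-class constructor has `this` ready on entry. This is an added example, not JavaScriptCore's own test code; the class and property names are made up, and it runs in any ES6-conformant engine.

```javascript
"use strict";
// Added example, not JavaScriptCore code: shows, from script, the behaviour the
// entry above fixes. Class names and property names here are made up.

class Base {
  constructor() { this.foo = "from Base"; }
}

// Runs eval("this.foo") inside a derived constructor both before and after
// super() and reports what happened at each point.
function probeDerivedEval() {
  const seen = { beforeSuper: null, afterSuper: null };
  class Derived extends Base {
    constructor() {
      // Before super() `this` is in its temporal dead zone: a direct eval that
      // touches it must throw a ReferenceError, not read an uninitialized slot.
      try {
        seen.beforeSuper = eval("this.foo");
      } catch (e) {
        seen.beforeSuper = e.constructor.name;
      }
      super();
      // After super() the binding is initialized and the eval sees Base's work.
      seen.afterSuper = eval("this.foo");
    }
  }
  new Derived();
  return seen;
}

// A base class (no `extends`) has `this` ready on entry, so the same eval
// needs no TDZ check at all.
function probeBaseEval() {
  class Plain {
    constructor() {
      this.foo = "from Plain";
      this.viaEval = eval("this.foo");
    }
  }
  return new Plain().viaEval;
}

console.log(probeDerivedEval());
console.log(probeBaseEval());
```

The two stress tests named in the entry cover exactly these two shapes (a derived constructor that must throw, and a base constructor that must not).
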
2015-03-31  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r182186.
        https://bugs.webkit.org/show_bug.cgi?id=143270

        it crashes all the WebGL tests on the Debug bots (Requested by
        dino on #webkit).

        Reverted changeset:

        "Web Inspector: add 2D/WebGL canvas instrumentation
        infrastructure"
        https://bugs.webkit.org/show_bug.cgi?id=137278
        http://trac.webkit.org/changeset/182186

2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed
        https://bugs.webkit.org/show_bug.cgi?id=142937

        Reviewed by Darin Adler.

        In ES6, Object type restrictions on a first parameter of several Object.* functions are relaxed.
        In ES5 or prior, when a first parameter is not of object type, these functions raise TypeError.
        But now, several functions perform ToObject on a non-object parameter.
        And others behave as if a parameter were a non-extensible ordinary object with no own properties.
        It is described in ES6 Annex E.
        The functions that differ from ES5 are the following.

        1. An attempt is made to coerce the argument using ToObject.
            Object.getOwnPropertyDescriptor
            Object.getOwnPropertyNames
            Object.getPrototypeOf
            Object.keys

        2. Treated as if it was a non-extensible ordinary object with no own properties.
            Object.freeze
            Object.isExtensible
            Object.isFrozen
            Object.isSealed
            Object.preventExtensions
            Object.seal

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        * tests/stress/object-freeze-accept-non-object.js: Added.
        * tests/stress/object-get-own-property-descriptor-perform-to-object.js: Added.
        (canary):
        * tests/stress/object-get-own-property-names-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-get-prototype-of-perform-to-object.js: Added.
        * tests/stress/object-is-extensible-accept-non-object.js: Added.
        * tests/stress/object-is-frozen-accept-non-object.js: Added.
        * tests/stress/object-is-sealed-accept-non-object.js: Added.
        * tests/stress/object-keys-perform-to-object.js: Added.
        (compare):
        * tests/stress/object-prevent-extensions-accept-non-object.js: Added.
        * tests/stress/object-seal-accept-non-object.js: Added.
14809
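The two groups in the entry above, exercised on a string, a number and null so the difference is visible: group 1 coerces with ToObject (so null and undefined still throw TypeError, but a string exposes its index properties), while group 2 never throws and treats any non-object as a frozen, non-extensible object. This is an added example, not one of the stress tests listed in the entry; the helper names are made up, and it runs in any ES6-conformant engine.

```javascript
"use strict";
// Added example, not JavaScriptCore code: exercises the ES6 Annex E relaxation
// described in the entry above on primitive and null arguments. The helper
// names are made up.

// Calls fn(arg) and reports either the return value or the thrown error's name.
function outcome(fn, arg) {
  try {
    return { ok: true, value: fn(arg) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Group 1: these run ToObject on the argument and work on the wrapper, so a
// string exposes its index properties, while null and undefined still throw.
function probeToObjectGroup(value) {
  return {
    keys: outcome(Object.keys, value),
    ownNames: outcome(Object.getOwnPropertyNames, value),
    proto: outcome(Object.getPrototypeOf, value),
    lengthDescriptor: outcome((v) => Object.getOwnPropertyDescriptor(v, "length"), value),
  };
}

// Group 2: these treat a non-object as a non-extensible object with no own
// properties: the mutators return the argument unchanged and the predicates
// answer as for a frozen object. Nothing in this group throws, even for null.
function probeNonExtensibleGroup(value) {
  return {
    freeze: outcome(Object.freeze, value),
    seal: outcome(Object.seal, value),
    preventExtensions: outcome(Object.preventExtensions, value),
    isFrozen: outcome(Object.isFrozen, value),
    isSealed: outcome(Object.isSealed, value),
    isExtensible: outcome(Object.isExtensible, value),
  };
}

console.log(probeToObjectGroup("ab"));
console.log(probeToObjectGroup(null));
console.log(probeNonExtensibleGroup(42));
console.log(probeNonExtensibleGroup(null));
```

Note the asymmetry a caller has to keep in mind: `Object.keys(null)` is still a TypeError because ToObject rejects null and undefined, whereas `Object.freeze(null)` quietly returns null.
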
2015-03-31  Matt Baker  <mattbaker@apple.com>

        Web Inspector: add 2D/WebGL canvas instrumentation infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=137278

        Reviewed by Timothy Hatcher.

        Added Canvas protocol which defines types used by InspectorCanvasAgent.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Added special handling for 2D (always uppercase) and WebGL (rename mapping) enum strings.

2015-03-30  Ryosuke Niwa  <rniwa@webkit.org>

        Extending null should set __proto__ to null
        https://bugs.webkit.org/show_bug.cgi?id=142882

        Reviewed by Geoffrey Garen and Benjamin Poulain.

        Set Derived.prototype.__proto__ to null when extending null.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):
14838
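Two class-syntax behaviours from entries on this page, checked from script: static get/set accessors (the "ES6 class syntax should allow static setters and getters" entry above) land on the constructor rather than the prototype, and `extends null` (the entry directly above) leaves Derived.prototype with a null [[Prototype]] while the constructor still inherits from Function.prototype. This is an added example, not JavaScriptCore's own code; the class and property names are made up, and it runs in any ES6-conformant engine.

```javascript
"use strict";
// Added example, not JavaScriptCore code: checks two class-syntax behaviours
// from the entries above (static get/set accessors, and `extends null`).
// The class and property names are made up.

let currentLimit = 60;

// Static accessors are installed on the constructor, not the prototype, and
// can enforce an invariant on a class-wide setting.
class RateLimit {
  static get maxPerMinute() { return currentLimit; }
  static set maxPerMinute(n) {
    if (!Number.isInteger(n) || n <= 0) {
      throw new RangeError("maxPerMinute must be a positive integer");
    }
    currentLimit = n;
  }
}

function probeStaticAccessors() {
  const onCtor = Object.getOwnPropertyDescriptor(RateLimit, "maxPerMinute");
  const onProto = Object.getOwnPropertyDescriptor(RateLimit.prototype, "maxPerMinute");
  RateLimit.maxPerMinute = 10;
  let rejected = null;
  try { RateLimit.maxPerMinute = -1; } catch (e) { rejected = e.constructor.name; }
  return {
    definedOnConstructor: typeof onCtor.get === "function" && typeof onCtor.set === "function",
    definedOnPrototype: onProto !== undefined,
    afterSet: RateLimit.maxPerMinute,
    rejected,
  };
}

// `extends null` makes Derived.prototype's [[Prototype]] null, so instances
// would not inherit from Object.prototype; the constructor itself still
// inherits from Function.prototype. The default constructor cannot build an
// instance because it calls super(), and its parent is not a constructor.
function probeExtendsNull() {
  class Bare extends null {}
  let construction = null;
  try { new Bare(); } catch (e) { construction = e.constructor.name; }
  return {
    prototypeChainEndsAtNull: Object.getPrototypeOf(Bare.prototype) === null,
    inheritsToString: "toString" in Bare.prototype,
    constructorProto: Object.getPrototypeOf(Bare) === Function.prototype,
    defaultConstruction: construction,
  };
}

console.log(probeStaticAccessors());
console.log(probeExtendsNull());
```
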
2015-03-30  Mark Lam  <mark.lam@apple.com>

        REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes.
        <https://webkit.org/b/143105>

        Reviewed by Filip Pizlo.

        With r181993, the DFG and FTL may elide the storing of the scope register. As a result,
        on OSR exits from DFG / FTL frames where this elision has taken place, we may get baseline
        JIT frames whose scope register is not set. The Debugger's current implementation,
        which relies on the scope register, is not happy about this. For example, this results in a
        crash in the layout test inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html.

        The fix is to disable inlining when the debugger is in use. Also, we add Flush nodes to
        ensure that the scope register value is flushed to the register in the stack frame.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flush):
        - Add code to flush the scope register.
        (JSC::DFG::ByteCodeParser::inliningCost):
        - Pretend that all codeBlocks are too expensive to inline if the debugger is in use, thereby
          disabling inlining whenever the debugger is in use.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasDebuggerEnabled):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        - Update the DFG codeBlock's scopeRegister since it can be moved during stack layout.
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        - Update the FTL codeBlock's scopeRegister since it can be moved during stack layout.

2015-03-30  Michael Saboff  <msaboff@apple.com>

        Fix flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138391

        Reviewed by Mark Lam.

        Re-enabling these tests as I can't get them to fail on local iOS test devices.
        There have been many changes since these tests were disabled.
        I'll watch automated test results for failures. If there are failures running automated
        testing, it might be due to the device's relative CPU performance.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2015-03-30  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Regression: Preview for [[null]] shouldn't be []
        https://bugs.webkit.org/show_bug.cgi?id=143208

        Reviewed by Mark Lam.

        * inspector/InjectedScriptSource.js:
        Handle null when generating simple object previews.

2015-03-30  Per Arne Vollan  <peavo@outlook.com>

        Avoid using hardcoded values for JSValue::Int32Tag, if possible.
        https://bugs.webkit.org/show_bug.cgi?id=143134

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2015-03-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/regress/inline-arguments-local-escape.html is flaky
        https://bugs.webkit.org/show_bug.cgi?id=143104

        Reviewed by Geoffrey Garen.

        Created a test that is a 100% repro of the flaky failure. This test is called
        get-my-argument-by-val-for-inlined-escaped-arguments.js. It fails all of the time because it
        always causes the compiler to emit a GetMyArgumentByVal of the arguments object returned by
        the inlined function. Other than that, it's the same as inline-arguments-local-escape.

        Also created three more tests for three similar, but not identical, failures.

        Then fixed the bug: PreciseLocalClobberize was assuming that if we read(Stack) then we are
        only reading those parts of the stack that are relevant to the current semantic code origin.
        That's false after ArgumentsEliminationPhase - we might have operations on phantom arguments,
        like GetMyArgumentByVal, ForwardVarargs, CallForwardVarargs, and ConstructForwardVarargs, that
        read parts of the stack associated with the inline call frame for the phantom arguments. This
        may not be subsumed by the current semantic origin's stack area in cases that the arguments
        were allowed to "locally" escape.

        The higher-order lesson here is that in DFG SSA IR, the current semantic origin's stack area
        is not really a meaningful concept anymore. It is only meaningful for nodes that will read
        the stack due to function.arguments, but there are a bunch of other ways that we could also
        read the stack and those operations may read any stack slot. I believe that this change makes
        PreciseLocalClobberize right: it will refine a read(Stack) from Clobberize correctly by casing
        on node type. In future, if we add a read(Stack) to Clobberize, we'll have to make sure that
        readTop() in PreciseLocalClobberize does the right thing.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/call-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/construct-forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/forward-varargs-for-inlined-escaped-arguments.js: Added.
        * tests/stress/get-my-argument-by-val-for-inlined-escaped-arguments.js: Added.
        * tests/stress/real-forward-varargs-for-inlined-escaped-arguments.js: Added.

2015-03-30  Benjamin Poulain  <benjamin@webkit.org>

        Start the features.json files
        https://bugs.webkit.org/show_bug.cgi?id=143207

        Reviewed by Darin Adler.

        Start the features.json files to have something to experiment
        with for the UI.

        * features.json: Added.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Addressing post-review comment after r182122
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Unreviewed.

2015-03-29  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] Allow building JavaScriptCore without Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=143189

        Reviewed by Brent Fulgham.

        Paths like /usr/bin/ don't exist on Windows.
        Hashbangs don't work on Windows. Instead we must explicitly call the executable.
        Prefixing commands with environment variables doesn't work on Windows.
        Windows doesn't have 'cmp'.
        Windows uses 'del' instead of 'rm'.
        Windows uses 'type NUL' instead of 'touch'.

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl:
        * JavaScriptCore.vcxproj/build-generated-files.pl:
        * UpdateContents.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl.

2015-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Clean up JavaScriptCore/builtins
        https://bugs.webkit.org/show_bug.cgi?id=143177

        Reviewed by Ryosuke Niwa.

        * builtins/ArrayConstructor.js:
        (from):
        - We can compare to undefined instead of using a typeof undefined check.
        - Converge on double quoted strings everywhere.

        * builtins/ArrayIterator.prototype.js:
        (next):
        * builtins/StringIterator.prototype.js:
        (next):
        - Use shorthand object construction to avoid duplication.
        - Improve grammar in error messages.

        * tests/stress/array-iterators-next-with-call.js:
        * tests/stress/string-iterators.js:
        - Update for new error message strings.

2015-03-28  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: ES6: Better support for Symbol types in Type Profiler
        https://bugs.webkit.org/show_bug.cgi?id=141257

        Reviewed by Joseph Pecoraro.

        ES6 introduces the new primitive type Symbol. This patch makes JSC's
        type profiler support this new primitive type.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * inspector/protocol/Runtime.json:
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        (JSC::runtimeTypeIsPrimitive):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::TypeSet::toJSONString):
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/symbol.js: Added.
        (wrapper.foo):
        (wrapper.bar):
        (wrapper.bar.bar.baz):
        (wrapper):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Deconstruction parameters are bound too late
        https://bugs.webkit.org/show_bug.cgi?id=143148

        Reviewed by Filip Pizlo.

        Currently, a deconstruction pattern named with the same
        name as a function will shadow the function. This is
        wrong. It should be the other way around.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
15062
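The binding order the entry above describes, made observable: a body-level function declaration shadows a parameter of the same name whether that parameter is plain or destructured, whereas a `var` redeclaration keeps the parameter's value. This is an added example, not JavaScriptCore's own test; the function and parameter names are made up, and the expected results are what the ES6 FunctionDeclarationInstantiation algorithm specifies.

```javascript
"use strict";
// Added example, not JavaScriptCore code: shows which binding wins when a
// parameter and a body-level declaration share a name. Names are made up.

// A plain parameter named `a` is shadowed by the body's function declaration,
// because function declarations are instantiated after the parameters.
function plainParam(a) {
  function a() {}
  return typeof a;
}

// A destructured parameter named `a` must be shadowed the same way; the entry
// above fixes JSC so the function declaration wins here too.
function destructuredParam({ a }) {
  function a() {}
  return typeof a;
}

// A `var` of the same name is a no-op for an existing parameter binding, so
// the parameter's value survives.
function varOfSameName({ a }) {
  var a;
  return typeof a;
}

function probeBindingOrder() {
  return {
    plain: plainParam(1),
    destructured: destructuredParam({ a: 1 }),
    varRedeclared: varOfSameName({ a: 1 }),
  };
}

console.log(probeBindingOrder());
```
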
2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind
        https://bugs.webkit.org/show_bug.cgi?id=143170

        Reviewed by Benjamin Poulain.

        Assert that we never use the 16-bit version of the parser to parse a default constructor
        since both base and derived default constructors should be using an 8-bit string.

        * parser/Parser.h:
        (JSC::parse):

2015-03-27  Ryosuke Niwa  <rniwa@webkit.org>

        ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142862

        Reviewed by Benjamin Poulain.

        Add a test that used to fail in DFG now that the bug has been fixed by r181993.

        * tests/stress/class-syntax-derived-default-constructor.js: Added.

2015-03-27  Michael Saboff  <msaboff@apple.com>

        load8Signed() and load16Signed() should be renamed to avoid confusion
        https://bugs.webkit.org/show_bug.cgi?id=143168

        Reviewed by Benjamin Poulain.

        Renamed load8Signed() to load8SignedExtendTo32() and load16Signed() to load16SignedExtendTo32().

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM::load8Signed): Deleted.
        (JSC::MacroAssemblerARM::load16Signed): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load8SignedExtendTo32):
        (JSC::MacroAssemblerARM64::load16Signed): Deleted.
        (JSC::MacroAssemblerARM64::load8Signed): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load16Signed): Deleted.
        (JSC::MacroAssemblerARMv7::load8Signed): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
        (JSC::MacroAssemblerMIPS::load8Signed): Deleted.
        (JSC::MacroAssemblerMIPS::load16Signed): Deleted.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16SignedExtendTo32):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load8Signed): Deleted.
        (JSC::MacroAssemblerSH4::load16Signed): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load16SignedExtendTo32):
        (JSC::MacroAssemblerX86Common::load8Signed): Deleted.
        (JSC::MacroAssemblerX86Common::load16Signed): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=138390

        Reviewed by Mark Lam.

        Changed load8Signed() and load16Signed() to only sign extend the loaded value to 32 bits
        instead of 64 bits. This is what X86-64 does.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8Signed):

2015-03-27  Saam Barati  <saambarati1@gmail.com>

        Add back previously broken assert from bug 141869
        https://bugs.webkit.org/show_bug.cgi?id=143005

        Reviewed by Michael Saboff.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-26  Geoffrey Garen  <ggaren@apple.com>

        Make some more objects use FastMalloc
        https://bugs.webkit.org/show_bug.cgi?id=143122

        Reviewed by Csaba Osztrogonác.

        * API/JSCallbackObject.h:
        * heap/IncrementalSweeper.h:
        * jit/JITThunks.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/RegExpCache.h:

2015-03-27  Michael Saboff  <msaboff@apple.com>

        Objects with numeric properties intermittently get a phantom 'length' property
        https://bugs.webkit.org/show_bug.cgi?id=142792

        Reviewed by Csaba Osztrogonác.

        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
        test and branch instructions. This function is used for linking tbz/tbnz branches between
        two separately JIT'ed sections of code. Sometimes we'd create a bogus tbz instruction in
        the failure case checks in the GetById array length stub created for "obj.length" access.
        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
        being set when we should have been looking for bit 0.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

151872015-03-27 Yusuke Suzuki <utatane.tea@gmail.com>
15188
15189 Insert exception check around toPropertyKey call
15190 https://bugs.webkit.org/show_bug.cgi?id=142922
15191
15192 Reviewed by Geoffrey Garen.
15193
15194 In some places, exception check is missing after/before toPropertyKey.
15195 However, since it calls toString, it's observable to users,
15196
15197 Missing exception checks in Object.prototype methods can be
15198 observed since it would be overridden with toObject(null/undefined) errors.
15199 We inserted exception checks after toPropertyKey.
15200
15201 Missing exception checks in GetById related code can be
15202 observed since it would be overridden with toObject(null/undefined) errors.
15203 In this case, we need to insert exception checks before/after toPropertyKey
15204 since RequireObjectCoercible followed by toPropertyKey can cause exceptions.
15205
15206 JSValue::get checks null/undefined and raise an exception if |this| is null or undefined.
15207 However, we need to check whether the baseValue is object coercible before executing JSValue::toPropertyKey.
15208 According to the spec, we first perform RequireObjectCoercible and check the exception.
15209 And second, we perform ToPropertyKey and check the exception.
15210 Since JSValue::toPropertyKey can cause toString call, this is observable to users.
15211 For example, if the target is not object coercible,
15212 ToPropertyKey should not be executed, and toString should not be executed by ToPropertyKey.
15213 So the order of observable actions (RequireObjectCoercible and ToPropertyKey) should be correct to the spec.
15214
15215 This patch introduces JSValue::requireObjectCoercible and use it because of the following 2 reasons.
15216
15217 1. Using toObject instead of requireObjectCoercible produces unnecessary wrapper object.
15218
15219 toObject converts primitive types into wrapper objects.
15220 But it is not efficient since wrapper objects are not necessary
15221 if we look up methods from primitive values's prototype. (using synthesizePrototype is better).
15222
15223 2. Using the result of toObject is not correct to the spec.
15224
15225 To align to the spec correctly, we cannot use JSObject::get
15226 by using the wrapper object produced by the toObject suggested in (1).
15227 If we use JSObject that is converted by toObject, getter will be called by using this JSObject as |this|.
15228 It is not correct since getter should be called with the original |this| value that may be primitive types.
15229
15230 So in this patch, we use JSValue::requireObjectCoercible
15231 to check the target is object coercible and raise an error if it's not.
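The observable ordering described above, as an added JavaScript example; it is not one of the stress tests the patch adds. A key whose `toString` throws makes ToPropertyKey visible, and which exception escapes tells you which step ran first. The function names are assumed. `checkObjectPrototypeMethods` goes beyond the entry's GetById case by covering the Object.prototype methods the patch touches, whose spec-defined order differs: hasOwnProperty and propertyIsEnumerable convert the key before ToObject(this), while __lookupGetter__ and __lookupSetter__ do ToObject(this) first.

```javascript
'use strict';

// Constructed key whose ToPropertyKey conversion is observable: toString throws a
// distinctive error, so whichever exception escapes tells us which step ran first.
function makeThrowingKey(message) {
    return { toString() { throw new Error(message); } };
}

// Run fn and hand back whatever it threw (null if nothing), for inspection by the caller.
function captureError(fn) {
    try {
        fn();
    } catch (e) {
        return e;
    }
    return null;
}

// Classify an error as the engine's own TypeError or as the key's toString error.
function classifyError(err) {
    if (err instanceof TypeError) return 'TypeError';
    return err ? err.message : 'no error';
}

// base[key] with a base that is not object coercible: RequireObjectCoercible must throw
// before ToPropertyKey runs, so the key's toString is never reached.
function errorFromGetByValOnNull() {
    const key = makeThrowingKey('toString must not run');
    return classifyError(captureError(() => null[key]));
}

// base[key] with a valid base: the exception raised inside ToPropertyKey must propagate
// unchanged, rather than being replaced by a later error.
function errorFromGetByValWithThrowingKey() {
    const key = makeThrowingKey('from toString');
    return classifyError(captureError(() => ({})[key]));
}

// The Object.prototype methods touched by the patch, each called with a null receiver. The
// spec orders the two checks differently per method: hasOwnProperty and propertyIsEnumerable
// do ToPropertyKey(V) before ToObject(this), so the key's error must win; __lookupGetter__
// and __lookupSetter__ do ToObject(this) first, so the TypeError must win.
function checkObjectPrototypeMethods() {
    const results = {};
    for (const name of ['hasOwnProperty', 'propertyIsEnumerable', '__lookupGetter__', '__lookupSetter__']) {
        const key = makeThrowingKey('from toString');
        results[name] = classifyError(captureError(() => Object.prototype[name].call(null, key)));
    }
    return results;
}
```

An engine that ran ToPropertyKey too early would return 'toString must not run' from `errorFromGetByValOnNull`, and one that dropped the pending exception after ToPropertyKey would return 'TypeError' from `checkObjectPrototypeMethods().hasOwnProperty`; either is the kind of divergence the new stress tests are there to catch.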

* dfg/DFGOperations.cpp:
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::requireObjectCoercible):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
* tests/stress/exception-in-to-property-key-should-be-handled-early-in-object-methods.js: Added.
(shouldThrow):
(if):
* tests/stress/exception-in-to-property-key-should-be-handled-early.js: Added.
(shouldThrow):
(.):

2015-03-26 Joseph Pecoraro <pecoraro@apple.com>

WebContent Crash when instantiating class with Type Profiling enabled
https://bugs.webkit.org/show_bug.cgi?id=143037

Reviewed by Ryosuke Niwa.

* bytecompiler/BytecodeGenerator.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMoveEmptyValue):
We cannot profile the type of an uninitialized empty JSValue.
Nor do we expect this to be necessary, since it is effectively
an unseen undefined value. So add a way to put the empty value
without profiling.

(JSC::BytecodeGenerator::emitMove):
Add an assert to try to catch this issue early on, and force
callers to explicitly use emitMoveEmptyValue instead.

* tests/typeProfiler/classes.js: Added.
(wrapper.Base):
(wrapper.Derived):
(wrapper):
Add test coverage both for this case and classes in general.

2015-03-26 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: ES6: Provide a better view for Classes in the console
https://bugs.webkit.org/show_bug.cgi?id=142999

Reviewed by Timothy Hatcher.

* inspector/protocol/Runtime.json:
Provide a new `subtype` enum "class". This is a subtype of `type`
"function"; all other subtypes are subtypes of `object` types.
For a class, the frontend will immediately want to get the prototype
to enumerate its methods, so include the `classPrototype`.

* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::subtype):
Denote class construction functions as "class" subtypes.

* inspector/InjectedScriptSource.js:
Handling for the new "class" type.

* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::isClassConstructorFunction):
* runtime/Executable.h:
(JSC::FunctionExecutable::isClassConstructorFunction):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::isClassConstructorFunction):
Check if this function is a class constructor function. That information
is on the UnlinkedFunctionExecutable, so plumb it through to JSFunction.

2015-03-26 Geoffrey Garen <ggaren@apple.com>

Function.prototype.toString should not decompile the AST
https://bugs.webkit.org/show_bug.cgi?id=142853

Reviewed by Darin Adler.

Following up on Darin's review comments.

* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):

2015-03-26 Geoffrey Garen <ggaren@apple.com>

"lineNo" does not match WebKit coding style guidelines
https://bugs.webkit.org/show_bug.cgi?id=143119

Reviewed by Michael Saboff.

We can afford to use whole words.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::lineNumberForBytecodeOffset):
(JSC::CodeBlock::expressionRangeForBytecodeOffset):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::link):
(JSC::UnlinkedFunctionExecutable::fromGlobalCode):
* bytecode/UnlinkedCodeBlock.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::WhileNode::emitBytecode):
* debugger/Debugger.cpp:
(JSC::Debugger::toggleBreakpoint):
* interpreter/Interpreter.cpp:
(JSC::StackFrame::computeLineAndColumn):
(JSC::GetStackTraceFunctor::operator()):
(JSC::Interpreter::execute):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::computeLineAndColumn):
* parser/Nodes.h:
(JSC::Node::firstLine):
(JSC::Node::lineNo): Deleted.
(JSC::StatementNode::firstLine): Deleted.
* parser/ParserError.h:
(JSC::ParserError::toErrorObject):
* profiler/LegacyProfiler.cpp:
(JSC::createCallIdentifierFromFunctionImp):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ScriptExecutable::newCodeBlockFor):
(JSC::FunctionExecutable::fromGlobalCode):
* runtime/Executable.h:
(JSC::ScriptExecutable::firstLine):
(JSC::ScriptExecutable::setOverrideLineNumber):
(JSC::ScriptExecutable::hasOverrideLineNumber):
(JSC::ScriptExecutable::overrideLineNumber):
(JSC::ScriptExecutable::lineNo): Deleted.
(JSC::ScriptExecutable::setOverrideLineNo): Deleted.
(JSC::ScriptExecutable::hasOverrideLineNo): Deleted.
(JSC::ScriptExecutable::overrideLineNo): Deleted.
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/FunctionConstructor.h:
* tools/CodeProfile.cpp:
(JSC::CodeProfile::report):
* tools/CodeProfile.h:
(JSC::CodeProfile::CodeProfile):

2015-03-26 Geoffrey Garen <ggaren@apple.com>

Assertion firing in JavaScriptCore/parser/parser.h for statesman.com site
https://bugs.webkit.org/show_bug.cgi?id=142974

Reviewed by Joseph Pecoraro.

This patch does two things:

(1) Restore JavaScriptCore's sanitization of line and column numbers to
one-based values.

We need this because WebCore sometimes provides huge negative column
numbers.

(2) Solve the attribute event listener line numbering problem a different
way: Rather than offsetting all line numbers by -1 in an attribute event
listener in order to arrange for a custom result, instead use an explicit
feature for saying "all errors in this code should map to this line number".

* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::link):
(JSC::UnlinkedFunctionExecutable::fromGlobalCode):
* bytecode/UnlinkedCodeBlock.h:
* interpreter/Interpreter.cpp:
(JSC::StackFrame::computeLineAndColumn):
(JSC::GetStackTraceFunctor::operator()):
* interpreter/Interpreter.h:
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::computeLineAndColumn):
* parser/ParserError.h:
(JSC::ParserError::toErrorObject): Plumb through an override line number.
When a function has an override line number, all syntax and runtime
errors in the function will map to it. This is useful for attribute event
listeners.

* parser/SourceCode.h:
(JSC::SourceCode::SourceCode): Restore the old sanitization of line and
column numbers to one-based integers. It was kind of a hack to remove this.

* runtime/Executable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::FunctionExecutable::fromGlobalCode):
* runtime/Executable.h:
(JSC::ScriptExecutable::setOverrideLineNo):
(JSC::ScriptExecutable::hasOverrideLineNo):
(JSC::ScriptExecutable::overrideLineNo):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/FunctionConstructor.h: Plumb through an override line number.

2015-03-26 Filip Pizlo <fpizlo@apple.com>

If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.

Reviewed by Michael Saboff.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.

2015-03-26 Filip Pizlo <fpizlo@apple.com>

FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
https://bugs.webkit.org/show_bug.cgi?id=143098

Reviewed by Csaba Osztrogonác.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
* tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.

2015-03-26 Csaba Osztrogonác <ossy@webkit.org>

Unreviewed gardening, skip failing tests on AArch64 Linux.

* tests/mozilla/mozilla-tests.yaml:
* tests/stress/cached-prototype-setter.js:

2015-03-26 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): I landed a fix for a VS warning. It broke this. Now I'm fixing it.
* ftl/FTLCompile.cpp:
(JSC::FTL::compile): Make sure we pass the module when dumping. This makes FTL debugging possible again.
* ftl/FTLState.cpp:
(JSC::FTL::State::dumpState): New overload that takes a module, so that we can call this after FTL::compile() clears State's module.
* ftl/FTLState.h:

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it
right, so this just makes 32-bit do the same.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Fix a typo that ggaren found but that I didn't fix before.

* runtime/DirectArgumentsOffset.h:

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, VC found a bug. This fixes the bug.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, try to fix Windows build.

* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createWithInlineFrame):

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix debug build.

* bytecompiler/NodesCodegen.cpp:
(JSC::ConstDeclNode::emitCodeSingle):

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix CLOOP build.

* dfg/DFGMinifiedID.h:

2015-03-25 Filip Pizlo <fpizlo@apple.com>

Heap variables shouldn't end up in the stack frame
https://bugs.webkit.org/show_bug.cgi?id=141174

Reviewed by Geoffrey Garen.

This is a major change to how JavaScriptCore handles declared variables (i.e. "var"). It removes
any ambiguity about whether a variable should be in the heap or on the stack. A variable will no
longer move between heap and stack during its lifetime. This enables a bunch of optimizations and
simplifications:

- Accesses to variables no longer need checks or indirections to determine where the variable is
at that moment in time. For example, loading a closure variable now takes just one load instead
of two. Loading an argument by index now takes a bounds check and a load in the fastest case
(when no arguments object allocation is required) while previously that same operation required
a "did I allocate arguments yet" check, a bounds check, and then the load.

- Reasoning about the allocation of an activation or arguments object now follows the same simple
logic as the allocation of any other kind of object. Previously, those objects were lazily
allocated - so an allocation instruction wasn't the actual allocation site, since it might not
allocate anything at all. This made the implementation of traditional escape analyses really
awkward, and ultimately it meant that we missed important cases. Now, we can reason about the
arguments object using the usual SSA tricks which allows for more comprehensive removal.

- The allocations of arguments objects, functions, and activations are now much faster. While
this patch generally expands our ability to eliminate arguments object allocations, an earlier
version of the patch - which lacked that functionality - was a progression on some arguments-
and closure-happy benchmarks because although no allocations were eliminated, all allocations
were faster.

- There is no tear-off. The runtime no longer needs to know about where on the stack a frame keeps
its arguments objects or activations. The runtime doesn't have to do things to the arguments
objects and activations that a frame allocated, when the frame is unwound. We always had horrid
bugs in that code, so it's good to see it go. This removes *a ton* of machinery from the DFG,
FTL, CodeBlock, and other places. All of the things having to do with "captured variables" are
now gone. This also enables implementing block-scoping. Without this change, block-scope
support would require telling CodeBlock and all of the rest of the runtime about all of the
variables that store currently-live scopes. That would have been so disastrously hard that it
might as well be impossible. With this change, it's fair game for the bytecode generator to
simply allocate whatever activations it wants, wherever it wants, and to keep them live for
however long it wants. This all works, because after bytecode generation, an activation is just
an object and variables that refer to it are just normal variables.

- SymbolTable can now tell you explicitly where a variable lives. The answer is in the form of a
VarOffset object, which has methods like isStack(), isScope(), etc. VirtualRegister is never
used for offsets of non-stack variables anymore. We now have shiny new objects for other kinds
of offsets - ScopeOffset for offsets into scopes, and DirectArgumentsOffset for offsets into
an arguments object.

- Functions that create activations can now tier-up into the FTL. Previously they couldn't. Also,
using activations used to prevent inlining; now functions that use activations can be inlined
just fine.

This is a >1% speed-up on Octane. This is a >2% speed-up on CompressionBench. This is a tiny
speed-up on AsmBench (~0.4% or something). This looks like it might be a speed-up on SunSpider.
It's only a slow-down on very short-running microbenchmarks we had previously written for our old
style of tear-off-based arguments optimization. Those benchmarks are not part of any major suite.

The easiest way of understanding this change is to start by looking at the changes in runtime/,
and then the changes in bytecompiler/, and then sort of work your way up the compiler tiers.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbortReason.h:
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::BaseIndex::withOffset):
* bytecode/ByValInfo.h:
(JSC::hasOptimizableIndexingForJSType):
(JSC::hasOptimizableIndexing):
(JSC::jitArrayModeForJSType):
(JSC::jitArrayModePermitsPut):
(JSC::jitArrayModeForStructure):
* bytecode/BytecodeKills.h: Added.
(JSC::BytecodeKills::BytecodeKills):
(JSC::BytecodeKills::operandIsKilled):
(JSC::BytecodeKills::forEachOperandKilledAt):
(JSC::BytecodeKills::KillSet::KillSet):
(JSC::BytecodeKills::KillSet::add):
(JSC::BytecodeKills::KillSet::forEachLocal):
(JSC::BytecodeKills::KillSet::contains):
* bytecode/BytecodeList.json:
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::isValidRegisterForLiveness):
(JSC::stepOverInstruction):
(JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
(JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
(JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
(JSC::BytecodeLivenessAnalysis::computeFullLiveness):
(JSC::BytecodeLivenessAnalysis::computeKills):
(JSC::indexForOperand): Deleted.
(JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): Deleted.
(JSC::getLivenessInfo): Deleted.
* bytecode/BytecodeLivenessAnalysis.h:
* bytecode/BytecodeLivenessAnalysisInlines.h:
(JSC::operandIsAlwaysLive):
(JSC::operandThatIsNotAlwaysLiveIsLive):
(JSC::operandIsLive):
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::nameForRegister):
(JSC::CodeBlock::validate):
(JSC::CodeBlock::isCaptured): Deleted.
(JSC::CodeBlock::framePointerOffsetToGetActivationRegisters): Deleted.
(JSC::CodeBlock::machineSlowArguments): Deleted.
* bytecode/CodeBlock.h:
(JSC::unmodifiedArgumentsRegister): Deleted.
(JSC::CodeBlock::setArgumentsRegister): Deleted.
(JSC::CodeBlock::argumentsRegister): Deleted.
(JSC::CodeBlock::uncheckedArgumentsRegister): Deleted.
(JSC::CodeBlock::usesArguments): Deleted.
(JSC::CodeBlock::captureCount): Deleted.
(JSC::CodeBlock::captureStart): Deleted.
(JSC::CodeBlock::captureEnd): Deleted.
(JSC::CodeBlock::argumentIndexAfterCapture): Deleted.
(JSC::CodeBlock::hasSlowArguments): Deleted.
(JSC::ExecState::argumentAfterCapture): Deleted.
* bytecode/CodeOrigin.h:
* bytecode/DataFormat.h:
(JSC::dataFormatToString):
* bytecode/FullBytecodeLiveness.h:
(JSC::FullBytecodeLiveness::getLiveness):
(JSC::FullBytecodeLiveness::operandIsLive):
(JSC::FullBytecodeLiveness::FullBytecodeLiveness): Deleted.
(JSC::FullBytecodeLiveness::getOut): Deleted.
* bytecode/Instruction.h:
(JSC::Instruction::Instruction):
* bytecode/Operands.h:
(JSC::Operands::virtualRegisterForIndex):
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromClassInfo):
* bytecode/SpeculatedType.h:
(JSC::isDirectArgumentsSpeculation):
(JSC::isScopedArgumentsSpeculation):
(JSC::isActionableMutableArraySpeculation):
(JSC::isActionableArraySpeculation):
(JSC::isArgumentsSpeculation): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::setArgumentsRegister): Deleted.
(JSC::UnlinkedCodeBlock::usesArguments): Deleted.
(JSC::UnlinkedCodeBlock::argumentsRegister): Deleted.
* bytecode/ValueRecovery.cpp:
(JSC::ValueRecovery::dumpInContext):
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::directArgumentsThatWereNotCreated):
(JSC::ValueRecovery::outOfBandArgumentsThatWereNotCreated):
(JSC::ValueRecovery::nodeID):
(JSC::ValueRecovery::argumentsThatWereNotCreated): Deleted.
* bytecode/VirtualRegister.h:
(JSC::VirtualRegister::operator==):
(JSC::VirtualRegister::operator!=):
(JSC::VirtualRegister::operator<):
(JSC::VirtualRegister::operator>):
(JSC::VirtualRegister::operator<=):
(JSC::VirtualRegister::operator>=):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::initializeNextParameter):
(JSC::BytecodeGenerator::visibleNameForParameter):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::variable):
(JSC::BytecodeGenerator::createVariable):
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitGetFromScope):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::initializeVariable):
(JSC::BytecodeGenerator::emitInstanceOf):
(JSC::BytecodeGenerator::emitNewFunction):
(JSC::BytecodeGenerator::emitNewFunctionInternal):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitReturn):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::isArgumentNumber):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::addVar): Deleted.
(JSC::BytecodeGenerator::emitInitLazyRegister): Deleted.
(JSC::BytecodeGenerator::initializeCapturedVariable): Deleted.
(JSC::BytecodeGenerator::resolveCallee): Deleted.
(JSC::BytecodeGenerator::addCallee): Deleted.
(JSC::BytecodeGenerator::addParameter): Deleted.
(JSC::BytecodeGenerator::willResolveToArgumentsRegister): Deleted.
(JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister): Deleted.
(JSC::BytecodeGenerator::createLazyRegisterIfNecessary): Deleted.
(JSC::BytecodeGenerator::isCaptured): Deleted.
(JSC::BytecodeGenerator::local): Deleted.
(JSC::BytecodeGenerator::constLocal): Deleted.
(JSC::BytecodeGenerator::emitResolveConstantLocal): Deleted.
(JSC::BytecodeGenerator::emitGetArgumentsLength): Deleted.
(JSC::BytecodeGenerator::emitGetArgumentByVal): Deleted.
(JSC::BytecodeGenerator::emitLazyNewFunction): Deleted.
(JSC::BytecodeGenerator::createArgumentsIfNecessary): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::Variable::Variable):
(JSC::Variable::isResolved):
(JSC::Variable::ident):
(JSC::Variable::offset):
(JSC::Variable::isLocal):
(JSC::Variable::local):
(JSC::Variable::isSpecial):
(JSC::BytecodeGenerator::argumentsRegister):
(JSC::BytecodeGenerator::emitNode):
(JSC::BytecodeGenerator::registerFor):
(JSC::Local::Local): Deleted.
(JSC::Local::operator bool): Deleted.
(JSC::Local::get): Deleted.
(JSC::Local::isSpecial): Deleted.
(JSC::ResolveScopeInfo::ResolveScopeInfo): Deleted.
(JSC::ResolveScopeInfo::isLocal): Deleted.
(JSC::ResolveScopeInfo::localIndex): Deleted.
(JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister): Deleted.
(JSC::BytecodeGenerator::captureMode): Deleted.
(JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly): Deleted.
(JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): Deleted.
(JSC::BytecodeGenerator::hasWatchableVariable): Deleted.
(JSC::BytecodeGenerator::watchableVariableIdentifier): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::isPure):
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::DeleteResolveNode::emitBytecode):
(JSC::TypeOfResolveNode::emitBytecode):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::EmptyVarExpression::emitBytecode):
(JSC::ForInNode::tryGetBoundLocal):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForOfNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
(JSC::BindingNode::bindValue):
(JSC::getArgumentByVal): Deleted.
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberWorld):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars): Deleted.
* dfg/DFGAbstractValue.h:
* dfg/DFGArgumentPosition.h:
(JSC::DFG::ArgumentPosition::addVariable):
* dfg/DFGArgumentsEliminationPhase.cpp: Added.
(JSC::DFG::performArgumentsElimination):
* dfg/DFGArgumentsEliminationPhase.h: Added.
* dfg/DFGArgumentsSimplificationPhase.cpp: Removed.
* dfg/DFGArgumentsSimplificationPhase.h: Removed.
* dfg/DFGArgumentsUtilities.cpp: Added.
(JSC::DFG::argumentsInvolveStackSlot):
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGArgumentsUtilities.h: Added.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
(JSC::DFG::ArrayMode::alreadyChecked):
(JSC::DFG::arrayTypeToString):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::canCSEStorage):
(JSC::DFG::ArrayMode::modeForPut):
* dfg/DFGAvailabilityMap.cpp:
(JSC::DFG::AvailabilityMap::prune):
* dfg/DFGAvailabilityMap.h:
(JSC::DFG::AvailabilityMap::closeOverNodes):
(JSC::DFG::AvailabilityMap::closeStartingWithLocal):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::newVariableAccessData):
(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::getArgument):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::flushDirect):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::noticeArgumentsUse):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
(JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: Added.
(JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupportedForInlining):
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::CommonData):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::cleanVariables):
* dfg/DFGDisassembler.h:
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGFlushFormat.cpp:
(WTF::printInternal):
* dfg/DFGFlushFormat.h:
(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
(JSC::DFG::dataFormatFor):
* dfg/DFGForAllKills.h: Added.
(JSC::DFG::forAllLiveNodesAtTail):
(JSC::DFG::forAllDirectlyKilledOperands):
(JSC::DFG::forAllKilledOperands):
(JSC::DFG::forAllKilledNodesAtNodeIndex):
(JSC::DFG::forAllKillsInBlock):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::substituteGetLocal):
(JSC::DFG::Graph::livenessFor):
(JSC::DFG::Graph::killsFor):
(JSC::DFG::Graph::tryGetConstantClosureVar):
(JSC::DFG::Graph::tryGetRegisters): Deleted.
* dfg/DFGGraph.h:
(JSC::DFG::Graph::symbolTableFor):
(JSC::DFG::Graph::uses):
(JSC::DFG::Graph::bytecodeRegisterForArgument): Deleted.
(JSC::DFG::Graph::capturedVarsFor): Deleted.
(JSC::DFG::Graph::usesArguments): Deleted.
(JSC::DFG::Graph::argumentsRegisterFor): Deleted.
(JSC::DFG::Graph::machineArgumentsRegisterFor): Deleted.
(JSC::DFG::Graph::uncheckedArgumentsRegisterFor): Deleted.
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGMayExit.cpp:
(JSC::DFG::mayExit):
* dfg/DFGMinifiedID.h:
* dfg/DFGMinifiedNode.cpp:
(JSC::DFG::MinifiedNode::fromNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasInlineCallFrame):
(JSC::DFG::MinifiedNode::inlineCallFrame):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToIdentityOn):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::constant):
(JSC::DFG::Node::hasScopeOffset):
(JSC::DFG::Node::scopeOffset):
(JSC::DFG::Node::hasDirectArgumentsOffset):
(JSC::DFG::Node::capturedArgumentsOffset):
(JSC::DFG::Node::variablePointer):
(JSC::DFG::Node::hasCallVarargsData):
(JSC::DFG::Node::hasLoadVarargsData):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::objectMaterializationData):
(JSC::DFG::Node::isPhantomAllocation):
(JSC::DFG::Node::willHaveCodeGenOrOSR):
(JSC::DFG::Node::shouldSpeculateDirectArguments):
(JSC::DFG::Node::shouldSpeculateScopedArguments):
(JSC::DFG::Node::isPhantomArguments): Deleted.
(JSC::DFG::Node::hasVarNumber): Deleted.
(JSC::DFG::Node::varNumber): Deleted.
(JSC::DFG::Node::registerPointer): Deleted.
(JSC::DFG::Node::shouldSpeculateArguments): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSRExitCompiler.cpp:
(JSC::DFG::OSRExitCompiler::emitRestoreArguments):
* dfg/DFGOSRExitCompiler.h:
(JSC::DFG::OSRExitCompiler::badIndex): Deleted.
(JSC::DFG::OSRExitCompiler::initializePoisoned): Deleted.
(JSC::DFG::OSRExitCompiler::poisonIndex): Deleted.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): Deleted.
(JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): Deleted.
(JSC::DFG::ArgumentsRecoveryGenerator::generateFor): Deleted.
* dfg/DFGOSRExitCompilerCommon.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::read):
(JSC::DFG::PreciseLocalClobberizeAdaptor::write):
(JSC::DFG::PreciseLocalClobberizeAdaptor::def):
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
(JSC::DFG::preciseLocalClobberize):
(JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): Deleted.
(JSC::DFG::forEachLocalReadByUnwind): Deleted.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::run):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
(JSC::DFG::PredictionPropagationPhase::propagateThroughArgumentPositions):
* dfg/DFGPromoteHeapAccess.h:
(JSC::DFG::promoteHeapAccess):
* dfg/DFGPromotedHeapLocation.cpp:
15942 (WTF::printInternal):
15943 * dfg/DFGPromotedHeapLocation.h:
15944 * dfg/DFGSSAConversionPhase.cpp:
15945 (JSC::DFG::SSAConversionPhase::run):
15946 * dfg/DFGSafeToExecute.h:
15947 (JSC::DFG::safeToExecute):
15948 * dfg/DFGSpeculativeJIT.cpp:
15949 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
15950 (JSC::DFG::SpeculativeJIT::emitGetLength):
15951 (JSC::DFG::SpeculativeJIT::emitGetCallee):
15952 (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
15953 (JSC::DFG::SpeculativeJIT::checkArray):
15954 (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
15955 (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
15956 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
15957 (JSC::DFG::SpeculativeJIT::compileNewFunction):
15958 (JSC::DFG::SpeculativeJIT::compileForwardVarargs):
15959 (JSC::DFG::SpeculativeJIT::compileCreateActivation):
15960 (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
15961 (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
15962 (JSC::DFG::SpeculativeJIT::compilePutToArguments):
15963 (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments):
15964 (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments):
15965 (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Deleted.
15966 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments): Deleted.
15967 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength): Deleted.
15968 (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck): Deleted.
15969 (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression): Deleted.
15970 * dfg/DFGSpeculativeJIT.h:
15971 (JSC::DFG::SpeculativeJIT::callOperation):
15972 (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
15973 (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
15974 (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters): Deleted.
15975 * dfg/DFGSpeculativeJIT32_64.cpp:
15976 (JSC::DFG::SpeculativeJIT::emitCall):
15977 (JSC::DFG::SpeculativeJIT::compile):
15978 * dfg/DFGSpeculativeJIT64.cpp:
15979 (JSC::DFG::SpeculativeJIT::emitCall):
15980 (JSC::DFG::SpeculativeJIT::compile):
15981 * dfg/DFGStackLayoutPhase.cpp:
15982 (JSC::DFG::StackLayoutPhase::run):
15983 * dfg/DFGStrengthReductionPhase.cpp:
15984 (JSC::DFG::StrengthReductionPhase::handleNode):
15985 * dfg/DFGStructureRegistrationPhase.cpp:
15986 (JSC::DFG::StructureRegistrationPhase::run):
15987 * dfg/DFGUnificationPhase.cpp:
15988 (JSC::DFG::UnificationPhase::run):
15989 * dfg/DFGValidate.cpp:
15990 (JSC::DFG::Validate::validateCPS):
15991 * dfg/DFGValueSource.cpp:
15992 (JSC::DFG::ValueSource::dump):
15993 * dfg/DFGValueSource.h:
15994 (JSC::DFG::dataFormatToValueSourceKind):
15995 (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVarargsForwardingPhase.cpp: Added.
        (JSC::DFG::performVarargsForwarding):
        * dfg/DFGVarargsForwardingPhase.h: Added.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flushFormat):
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::isCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): Deleted.
        (JSC::DFG::VariableAccessData::isArgumentsAlias): Deleted.
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        * dfg/DFGVariableEventStream.h:
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::dump):
        (JSC::FTL::AbstractField::dump):
        (JSC::FTL::IndexedAbstractHeap::dump):
        (JSC::FTL::NumberedAbstractHeap::dump):
        (JSC::FTL::AbsoluteAbstractHeap::dump):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitArgument.cpp:
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitPropertyValue.cpp:
        (JSC::FTL::ExitPropertyValue::withLocalsOffset):
        * ftl/FTLExitPropertyValue.h:
        * ftl/FTLExitTimeObjectMaterialization.cpp:
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::accountForLocalsOffset):
        * ftl/FTLExitTimeObjectMaterialization.h:
        (JSC::FTL::ExitTimeObjectMaterialization::origin):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::withLocalsOffset):
        (JSC::FTL::ExitValue::valueFormat):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isArgument):
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): Deleted.
        (JSC::FTL::ExitValue::valueFormat): Deleted.
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallForwardVarargs):
        (JSC::FTL::sizeOfConstructForwardVarargs):
        (JSC::FTL::sizeOfICFor):
        * ftl/FTLInlineCacheSize.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJSCallVarargs.cpp:
        (JSC::FTL::JSCallVarargs::JSCallVarargs):
        (JSC::FTL::JSCallVarargs::emit):
        * ftl/FTLJSCallVarargs.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStack):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateScopedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCreateClonedArguments):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgumentCount):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compileGetFromArguments):
        (JSC::FTL::LowerDFGToLLVM::compilePutToArguments):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileForwardVarargs):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
        (JSC::FTL::LowerDFGToLLVM::ArgumentsLength::ArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::getCurrentCallee):
        (JSC::FTL::LowerDFGToLLVM::getArgumentsStart):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateVariableSizedObject):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): Deleted.
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): Deleted.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExtPtr):
        * heap/CopyToken.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::unwindCallFrame):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments): Deleted.
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIsEmpty):
        (JSC::AssemblyHelpers::argumentsStart):
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor): Deleted.
        (JSC::AssemblyHelpers::offsetOfLocals): Deleted.
        (JSC::AssemblyHelpers::offsetOfArguments): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgument):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::withTwoAvailableRegs):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_create_direct_arguments):
        (JSC::JIT::emit_op_create_scoped_arguments):
        (JSC::JIT::emit_op_create_out_of_band_arguments):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments): Deleted.
        (JSC::JIT::emit_op_create_arguments): Deleted.
        (JSC::JIT::emit_op_init_lazy_reg): Deleted.
        (JSC::JIT::emit_op_get_arguments_length): Deleted.
        (JSC::JIT::emitSlow_op_get_arguments_length): Deleted.
        (JSC::JIT::emit_op_get_argument_by_val): Deleted.
        (JSC::JIT::emitSlow_op_get_argument_by_val): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Nodes.h:
        (JSC::ScopeNode::captures):
        * runtime/Arguments.cpp: Removed.
        * runtime/Arguments.h: Removed.
        * runtime/ArgumentsMode.h: Added.
        * runtime/DirectArgumentsOffset.cpp: Added.
        (JSC::DirectArgumentsOffset::dump):
        * runtime/DirectArgumentsOffset.h: Added.
        (JSC::DirectArgumentsOffset::DirectArgumentsOffset):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.cpp: Added.
        (WTF::printInternal):
        * runtime/ConstantMode.h:
        (JSC::modeForIsConstant):
        * runtime/DirectArguments.cpp: Added.
        (JSC::DirectArguments::DirectArguments):
        (JSC::DirectArguments::createUninitialized):
        (JSC::DirectArguments::create):
        (JSC::DirectArguments::createByCopying):
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::copyBackingStore):
        (JSC::DirectArguments::createStructure):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::overrideThingsIfNecessary):
        (JSC::DirectArguments::overrideArgument):
        (JSC::DirectArguments::copyToArguments):
        (JSC::DirectArguments::overridesSize):
        * runtime/DirectArguments.h: Added.
        (JSC::DirectArguments::internalLength):
        (JSC::DirectArguments::length):
        (JSC::DirectArguments::canAccessIndexQuickly):
        (JSC::DirectArguments::getIndexQuickly):
        (JSC::DirectArguments::setIndexQuickly):
        (JSC::DirectArguments::callee):
        (JSC::DirectArguments::argument):
        (JSC::DirectArguments::overrodeThings):
        (JSC::DirectArguments::offsetOfCallee):
        (JSC::DirectArguments::offsetOfLength):
        (JSC::DirectArguments::offsetOfMinCapacity):
        (JSC::DirectArguments::offsetOfOverrides):
        (JSC::DirectArguments::storageOffset):
        (JSC::DirectArguments::offsetOfSlot):
        (JSC::DirectArguments::allocationSize):
        (JSC::DirectArguments::storage):
        * runtime/FunctionPrototype.cpp:
        * runtime/GenericArguments.h: Added.
        (JSC::GenericArguments::GenericArguments):
        * runtime/GenericArgumentsInlines.h: Added.
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        (JSC::GenericArguments<Type>::put):
        (JSC::GenericArguments<Type>::putByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):
        (JSC::GenericArguments<Type>::defineOwnProperty):
        (JSC::GenericArguments<Type>::copyToArguments):
        * runtime/GenericOffset.h: Added.
        (JSC::GenericOffset::GenericOffset):
        (JSC::GenericOffset::operator!):
        (JSC::GenericOffset::offsetUnchecked):
        (JSC::GenericOffset::offset):
        (JSC::GenericOffset::operator==):
        (JSC::GenericOffset::operator!=):
        (JSC::GenericOffset::operator<):
        (JSC::GenericOffset::operator>):
        (JSC::GenericOffset::operator<=):
        (JSC::GenericOffset::operator>=):
        (JSC::GenericOffset::operator+):
        (JSC::GenericOffset::operator-):
        (JSC::GenericOffset::operator+=):
        (JSC::GenericOffset::operator-=):
        * runtime/JSArgumentsIterator.cpp:
        (JSC::JSArgumentsIterator::finishCreation):
        (JSC::argumentsFuncIterator):
        * runtime/JSArgumentsIterator.h:
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        * runtime/JSEnvironmentRecord.cpp:
        (JSC::JSEnvironmentRecord::visitChildren):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::variables):
        (JSC::JSEnvironmentRecord::isValid):
        (JSC::JSEnvironmentRecord::variableAt):
        (JSC::JSEnvironmentRecord::offsetOfVariables):
        (JSC::JSEnvironmentRecord::offsetOfVariable):
        (JSC::JSEnvironmentRecord::allocationSizeForScopeSize):
        (JSC::JSEnvironmentRecord::allocationSize):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        (JSC::JSEnvironmentRecord::finishCreationUninitialized):
        (JSC::JSEnvironmentRecord::finishCreation):
        (JSC::JSEnvironmentRecord::registers): Deleted.
        (JSC::JSEnvironmentRecord::registerAt): Deleted.
        (JSC::JSEnvironmentRecord::addressOfRegisters): Deleted.
        (JSC::JSEnvironmentRecord::offsetOfRegisters): Deleted.
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::directArgumentsStructure):
        (JSC::JSGlobalObject::scopedArgumentsStructure):
        (JSC::JSGlobalObject::outOfBandArgumentsStructure):
        (JSC::JSGlobalObject::argumentsStructure): Deleted.
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::visitChildren): Deleted.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset): Deleted.
        (JSC::JSLexicalEnvironment::storageOffset): Deleted.
        (JSC::JSLexicalEnvironment::storage): Deleted.
        (JSC::JSLexicalEnvironment::allocationSize): Deleted.
        (JSC::JSLexicalEnvironment::isValidIndex): Deleted.
        (JSC::JSLexicalEnvironment::isValid): Deleted.
        (JSC::JSLexicalEnvironment::registerAt): Deleted.
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren): Deleted.
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::value):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findVariableIndex):
        (JSC::JSSegmentedVariableObject::addVariables):
        (JSC::JSSegmentedVariableObject::visitChildren):
        (JSC::JSSegmentedVariableObject::findRegisterIndex): Deleted.
        (JSC::JSSegmentedVariableObject::addRegisters): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::variableAt):
        (JSC::JSSegmentedVariableObject::assertVariableIsInThisObject):
        (JSC::JSSegmentedVariableObject::registerAt): Deleted.
        (JSC::JSSegmentedVariableObject::assertRegisterIsInThisObject): Deleted.
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::offsetOfSymbolTable):
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSType.h:
        * runtime/Options.h:
        * runtime/ClonedArguments.cpp: Added.
        (JSC::ClonedArguments::ClonedArguments):
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::createStructure):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::getOwnPropertyNames):
        (JSC::ClonedArguments::put):
        (JSC::ClonedArguments::deleteProperty):
        (JSC::ClonedArguments::defineOwnProperty):
        (JSC::ClonedArguments::materializeSpecials):
        (JSC::ClonedArguments::materializeSpecialsIfNecessary):
        * runtime/ClonedArguments.h: Added.
        (JSC::ClonedArguments::specialsMaterialized):
        * runtime/ScopeOffset.cpp: Added.
        (JSC::ScopeOffset::dump):
        * runtime/ScopeOffset.h: Added.
        (JSC::ScopeOffset::ScopeOffset):
        * runtime/ScopedArguments.cpp: Added.
        (JSC::ScopedArguments::ScopedArguments):
        (JSC::ScopedArguments::finishCreation):
        (JSC::ScopedArguments::createUninitialized):
        (JSC::ScopedArguments::create):
        (JSC::ScopedArguments::createByCopying):
        (JSC::ScopedArguments::createByCopyingFrom):
        (JSC::ScopedArguments::visitChildren):
        (JSC::ScopedArguments::createStructure):
        (JSC::ScopedArguments::overrideThings):
        (JSC::ScopedArguments::overrideThingsIfNecessary):
        (JSC::ScopedArguments::overrideArgument):
        (JSC::ScopedArguments::copyToArguments):
        * runtime/ScopedArguments.h: Added.
        (JSC::ScopedArguments::internalLength):
        (JSC::ScopedArguments::length):
        (JSC::ScopedArguments::canAccessIndexQuickly):
        (JSC::ScopedArguments::getIndexQuickly):
        (JSC::ScopedArguments::setIndexQuickly):
        (JSC::ScopedArguments::callee):
        (JSC::ScopedArguments::overrodeThings):
        (JSC::ScopedArguments::offsetOfOverrodeThings):
        (JSC::ScopedArguments::offsetOfTotalLength):
        (JSC::ScopedArguments::offsetOfTable):
        (JSC::ScopedArguments::offsetOfScope):
        (JSC::ScopedArguments::overflowStorageOffset):
        (JSC::ScopedArguments::allocationSize):
        (JSC::ScopedArguments::overflowStorage):
        * runtime/ScopedArgumentsTable.cpp: Added.
        (JSC::ScopedArgumentsTable::ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::~ScopedArgumentsTable):
        (JSC::ScopedArgumentsTable::destroy):
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::clone):
        (JSC::ScopedArgumentsTable::setLength):
        (JSC::ScopedArgumentsTable::set):
        (JSC::ScopedArgumentsTable::createStructure):
        * runtime/ScopedArgumentsTable.h: Added.
        (JSC::ScopedArgumentsTable::length):
        (JSC::ScopedArgumentsTable::get):
        (JSC::ScopedArgumentsTable::lock):
        (JSC::ScopedArgumentsTable::offsetOfLength):
        (JSC::ScopedArgumentsTable::offsetOfArguments):
        (JSC::ScopedArgumentsTable::at):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::entryFor):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForOffset):
        (JSC::SymbolTable::globalTypeSetForOffset):
        (JSC::SymbolTable::cloneCapturedNames): Deleted.
        (JSC::SymbolTable::uniqueIDForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::varOffsetFromBits):
        (JSC::SymbolTableEntry::scopeOffsetFromBits):
        (JSC::SymbolTableEntry::Fast::varOffset):
        (JSC::SymbolTableEntry::Fast::scopeOffset):
        (JSC::SymbolTableEntry::Fast::isDontEnum):
        (JSC::SymbolTableEntry::Fast::getAttributes):
        (JSC::SymbolTableEntry::SymbolTableEntry):
        (JSC::SymbolTableEntry::varOffset):
        (JSC::SymbolTableEntry::isWatchable):
        (JSC::SymbolTableEntry::scopeOffset):
        (JSC::SymbolTableEntry::setAttributes):
        (JSC::SymbolTableEntry::constantMode):
        (JSC::SymbolTableEntry::isDontEnum):
        (JSC::SymbolTableEntry::disableWatching):
        (JSC::SymbolTableEntry::pack):
        (JSC::SymbolTableEntry::isValidVarOffset):
        (JSC::SymbolTable::createNameScopeTable):
        (JSC::SymbolTable::maxScopeOffset):
        (JSC::SymbolTable::didUseScopeOffset):
        (JSC::SymbolTable::didUseVarOffset):
        (JSC::SymbolTable::scopeSize):
        (JSC::SymbolTable::nextScopeOffset):
        (JSC::SymbolTable::takeNextScopeOffset):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::argumentsLength):
        (JSC::SymbolTable::setArgumentsLength):
        (JSC::SymbolTable::argumentOffset):
        (JSC::SymbolTable::setArgumentOffset):
        (JSC::SymbolTable::arguments):
        (JSC::SlowArgument::SlowArgument): Deleted.
        (JSC::SymbolTableEntry::Fast::getIndex): Deleted.
        (JSC::SymbolTableEntry::getIndex): Deleted.
        (JSC::SymbolTableEntry::isValidIndex): Deleted.
        (JSC::SymbolTable::captureStart): Deleted.
        (JSC::SymbolTable::setCaptureStart): Deleted.
        (JSC::SymbolTable::captureEnd): Deleted.
        (JSC::SymbolTable::setCaptureEnd): Deleted.
        (JSC::SymbolTable::captureCount): Deleted.
        (JSC::SymbolTable::isCaptured): Deleted.
        (JSC::SymbolTable::parameterCount): Deleted.
        (JSC::SymbolTable::parameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::setParameterCountIncludingThis): Deleted.
        (JSC::SymbolTable::slowArguments): Deleted.
        (JSC::SymbolTable::setSlowArguments): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/VarOffset.cpp: Added.
        (JSC::VarOffset::dump):
        (WTF::printInternal):
        * runtime/VarOffset.h: Added.
        (JSC::VarOffset::VarOffset):
        (JSC::VarOffset::assemble):
        (JSC::VarOffset::isValid):
        (JSC::VarOffset::operator!):
        (JSC::VarOffset::kind):
        (JSC::VarOffset::isStack):
        (JSC::VarOffset::isScope):
        (JSC::VarOffset::isDirectArgument):
        (JSC::VarOffset::stackOffsetUnchecked):
        (JSC::VarOffset::scopeOffsetUnchecked):
        (JSC::VarOffset::capturedArgumentsOffsetUnchecked):
        (JSC::VarOffset::stackOffset):
        (JSC::VarOffset::scopeOffset):
        (JSC::VarOffset::capturedArgumentsOffset):
        (JSC::VarOffset::rawOffset):
        (JSC::VarOffset::checkSanity):
        (JSC::VarOffset::operator==):
        (JSC::VarOffset::operator!=):
        (JSC::VarOffset::hash):
        (JSC::VarOffset::isHashTableDeletedValue):
        (JSC::VarOffsetHash::hash):
        (JSC::VarOffsetHash::equal):
        * tests/stress/arguments-exit-strict-mode.js: Added.
        * tests/stress/arguments-exit.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode-fixed.js: Added.
        * tests/stress/arguments-inlined-exit-strict-mode.js: Added.
        * tests/stress/arguments-inlined-exit.js: Added.
        * tests/stress/arguments-interference.js: Added.
        * tests/stress/arguments-interference-cfg.js: Added.
        * tests/stress/dead-get-closure-var.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-direct-arguments.js: Added.
        * tests/stress/get-declared-unpassed-argument-in-scoped-arguments.js: Added.
        * tests/stress/varargs-closure-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-exit.js: Added.
        * tests/stress/varargs-inlined-exit.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird-reversed-args.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing-weird.js: Added.
        * tests/stress/varargs-inlined-simple-exit-aliasing.js: Added.
        * tests/stress/varargs-inlined-simple-exit.js: Added.
        * tests/stress/varargs-too-few-arguments.js: Added.
        * tests/stress/varargs-varargs-closure-inlined-exit.js: Added.
        * tests/stress/varargs-varargs-inlined-exit-strict-mode.js: Added.
        * tests/stress/varargs-varargs-inlined-exit.js: Added.

2015-03-25 Andy Estes <aestes@apple.com>

        [Cocoa] RemoteInspectorXPCConnection::deserializeMessage() leaks a NSDictionary under Objective-C GC
        https://bugs.webkit.org/show_bug.cgi?id=143068

        Reviewed by Dan Bernstein.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage): Used RetainPtr::autorelease(), which does the right thing under GC.

2015-03-25 Filip Pizlo <fpizlo@apple.com>

        Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
        https://bugs.webkit.org/show_bug.cgi?id=142993

        Reviewed by Geoffrey Garen and Mark Lam.

        This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
        into using JITCompilationCanFail and having a legit fallback path. This mostly involves
        having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
        failure, but also involves adding the same kind of thing to the stub generators in
        Repatch.

        Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
        of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
        like host call stub generation, could handle a GC, but those get invoked very rarely. So,
        this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
        printout.

        Also add a way of inducing executable allocation failure, so that we can test this.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::link): Deleted.
        (JSC::DFG::JITCompiler::linkFunction): Deleted.
        * dfg/DFGJITCompiler.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/ExecutableAllocationFuzz.cpp: Added.
        (JSC::numberOfExecutableAllocationFuzzChecks):
        (JSC::doExecutableAllocationFuzzing):
        * jit/ExecutableAllocationFuzz.h: Added.
        (JSC::doExecutableAllocationFuzzingIfEnabled):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCompilationEffort.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStubAndGetOldStructure):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        * tests/executableAllocationFuzz: Added.
        * tests/executableAllocationFuzz.yaml: Added.
        * tests/executableAllocationFuzz/v8-raytrace.js: Added.
16603
166042015-03-25 Mark Lam <mark.lam@apple.com>
16605
16606 REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
16607 <https://webkit.org/b/135719>
16608
16609 Reviewed by Geoffrey Garen.
16610
16611 This is a regression introduced in http://trac.webkit.org/changeset/169139 which
16612 changed VM::watchdog from an embedded field into a std::unique_ptr, but did not
16613 update the LLINT to access it as such.
16614
16615 The issue has only manifested so far on the CLoop tests because those are LLINT
16616 only. In the non-CLoop cases, the JIT kicks in and does the right thing, thereby
16617 hiding the bug in the LLINT.
16618
16619 * API/JSContextRef.cpp:
16620 (createWatchdogIfNeeded):
16621 (JSContextGroupSetExecutionTimeLimit):
16622 (JSContextGroupClearExecutionTimeLimit):
16623 * llint/LowLevelInterpreter.asm:
16624
166252015-03-25 Filip Pizlo <fpizlo@apple.com>
16626
16627 Change Atomic methods from using the_wrong_naming_conventions to using theRightNamingConventions. Also make seq_cst the default.
16628
16629 Rubber stamped by Geoffrey Garen.
16630
16631 * bytecode/CodeBlock.cpp:
16632 (JSC::CodeBlock::visitAggregate):
16633
166342015-03-25 Joseph Pecoraro <pecoraro@apple.com>
16635
16636 Fix formatting in BuiltinExecutables
16637 https://bugs.webkit.org/show_bug.cgi?id=143061
16638
16639 Reviewed by Ryosuke Niwa.
16640
16641 * builtins/BuiltinExecutables.cpp:
16642 (JSC::BuiltinExecutables::createExecutableInternal):
16643
166442015-03-25 Joseph Pecoraro <pecoraro@apple.com>
16645
16646 ES6: Classes: Program level class statement throws exception in strict mode
16647 https://bugs.webkit.org/show_bug.cgi?id=143038
16648
16649 Reviewed by Ryosuke Niwa.
16650
16651 Classes expose a name to the current lexical environment. This treats
16652 "class X {}" like "var X = class X {}". Ideally it would be "let X = class X {}".
16653 Also, improve error messages for class statements where the class is missing a name.
16654
16655 * parser/Parser.h:
16656 * parser/Parser.cpp:
16657 (JSC::Parser<LexerType>::parseClass):
16658 Fill name in info parameter if needed. Better error message if name is needed and missing.
16659
16660 (JSC::Parser<LexerType>::parseClassDeclaration):
16661 Pass info parameter to get name, and expose the name as a variable name.
16662
16663 (JSC::Parser<LexerType>::parsePrimaryExpression):
16664 Pass info parameter that is ignored.
16665
16666 * parser/ParserFunctionInfo.h:
16667 Add a parser info for class, to extract the name.
16668
166692015-03-25 Yusuke Suzuki <utatane.tea@gmail.com>
16670
16671 New map and set modification tests in r181922 fails
16672 https://bugs.webkit.org/show_bug.cgi?id=143031
16673
16674 Reviewed and tweaked by Geoffrey Garen.
16675
16676 When packing Map/Set backing store, we need to decrement Map/Set iterator's m_index
16677 to adjust for the packed backing store.
16678
16679 Consider the following map data.
16680
16681 x: deleted, o: exists
16682 0 1 2 3 4
16683 x x x x o
16684
16685 And iterator with m_index 3.
16686
16687 When packing the map data, map data will become,
16688
16689 0
16690 o
16691
16692 At that time, we perfom didRemoveEntry 4 times on iterators.
16693 times => m_index/index/result
16694 1 => 3/0/dec
16695 2 => 2/1/dec
16696 3 => 1/2/nothing
16697 4 => 1/3/nothing
16698
16699 After iteration, iterator's m_index becomes 1. But we expected that becomes 0.
16700 This is because if we use decremented m_index for comparison,
16701 while provided deletedIndex is the index in old storage, m_index is the index in partially packed storage.
16702
16703 In this patch, we compare against the packed index instead.
16704 times => m_index/packedIndex/result
16705 1 => 3/0/dec
16706 2 => 2/0/dec
16707 3 => 1/0/dec
16708 4 => 0/0/nothing
16709
16710 So m_index becomes 0 as expected.
16711
16712 And according to the spec, once the iterator is closed (becomes done: true),
16713 its internal [[Map]]/[[Set]] is set to undefined.
16714 So after the iterator is finished, we don't revive the iterator (e.g. by clearing m_index = 0).
16715
16716 In this patch, we change 2 things.
16717 1.
16718 Compare an iterator's index against the packed index when removing an entry.
16719
16720 2.
16721 If the iterator is closed (isFinished()), we don't apply adjustment to the iterator.

        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::IteratorData::didRemoveEntry):
        (JSC::MapDataImpl::IteratorData::didRemoveAllEntries):
        (JSC::MapDataImpl::IteratorData::startPackBackingStore):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::replaceAndPackBackingStore):
        * tests/stress/modify-map-during-iteration.js:
        * tests/stress/modify-set-during-iteration.js:

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        Setter should have a single formal parameter, Getter no parameters
        https://bugs.webkit.org/show_bug.cgi?id=142903

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        Enforce no parameters for getters and a single parameter
        for setters, with informational error messages.

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance
        https://bugs.webkit.org/show_bug.cgi?id=143012

        Reviewed by Ryosuke Niwa.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        Fix handling of "undefined" when returned from a Derived class. It was
        returning "undefined" when it should have returned "this".

2015-03-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor
        https://bugs.webkit.org/show_bug.cgi?id=142696

        Reviewed and tweaked by Geoffrey Garen.

        Before r142556, JSSetIterator::destroy was not defined.
        So, accidentally, MapData::const_iterator in JSSet was never destroyed.
        But it had a non-trivial destructor, decrementing MapData->m_iteratorCount.

        After r142556, JSSetIterator::destroy works.
        It correctly destructs MapData::const_iterator, and m_iteratorCount partially works.
        But JSSetIterator::~JSSetIterator requires the owning JSSet, since it mutates MapData->m_iteratorCount.

        It is guaranteed that the JSSet is live since the JSSetIterator has a reference to the JSSet
        and marks it in visitChildren (WriteBarrier<Unknown>).
        However, the order of destruction is not guaranteed in a GC-ed system.

        Consider the following case:
        allocate a JSSet and subsequently allocate a JSSetIterator,
        and they reside in separate MarkedBlocks, <1> and <2>.

        JSSet<1> <- JSSetIterator<2>

        After that, when performing GC, the marker decides that the above 2 objects are not marked.
        And the marker also decides that MarkedBlocks <1> and <2> can be swept.

        First, the sweeper sweeps <1>, destructs JSSet<1> and frees MarkedBlock<1>.
        Second, the sweeper sweeps <2> and attempts to destruct JSSetIterator<2>.
        However, JSSetIterator<2>'s destructor,
        JSSetIterator::~JSSetIterator, requires a live JSSet<1>, which causes a use-after-free.

        In this patch, we introduce a WeakGCMap into JSMap/JSSet to track live iterators.
        When packing the removed elements in JSSet/JSMap, we apply the change to all live
        iterators tracked by the WeakGCMap.

        WeakGCMap can only track JSCells since they are managed by the GC.
        So we drop the JSSet/JSMap C++ style iterators. Instead of C++ style iterators, this patch
        introduces JS style iterator signatures into the C++ class IteratorData.
        If we need to iterate over JSMap/JSSet, use JSSetIterator/JSMapIterator instead of using
        IteratorData directly.

        * runtime/JSMap.cpp:
        (JSC::JSMap::destroy):
        * runtime/JSMap.h:
        (JSC::JSMap::JSMap):
        (JSC::JSMap::begin): Deleted.
        (JSC::JSMap::end): Deleted.
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::destroy):
        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::nextKeyValue):
        (JSC::JSMapIterator::iteratorData):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy):
        * runtime/JSSet.h:
        (JSC::JSSet::JSSet):
        (JSC::JSSet::begin): Deleted.
        (JSC::JSSet::end): Deleted.
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::destroy):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::iteratorData):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/MapData.h:
        (JSC::MapDataImpl::IteratorData::finish):
        (JSC::MapDataImpl::IteratorData::isFinished):
        (JSC::MapDataImpl::shouldPack):
        (JSC::JSIterator>::MapDataImpl):
        (JSC::JSIterator>::KeyType::KeyType):
        (JSC::JSIterator>::IteratorData::IteratorData):
        (JSC::JSIterator>::IteratorData::next):
        (JSC::JSIterator>::IteratorData::ensureSlot):
        (JSC::JSIterator>::IteratorData::applyMapDataPatch):
        (JSC::JSIterator>::IteratorData::refreshCursor):
        (JSC::MapDataImpl::const_iterator::key): Deleted.
        (JSC::MapDataImpl::const_iterator::value): Deleted.
        (JSC::MapDataImpl::const_iterator::operator++): Deleted.
        (JSC::MapDataImpl::const_iterator::finish): Deleted.
        (JSC::MapDataImpl::const_iterator::atEnd): Deleted.
        (JSC::MapDataImpl::begin): Deleted.
        (JSC::MapDataImpl::end): Deleted.
        (JSC::MapDataImpl<Entry>::MapDataImpl): Deleted.
        (JSC::MapDataImpl<Entry>::clear): Deleted.
        (JSC::MapDataImpl<Entry>::KeyType::KeyType): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator): Deleted.
        (JSC::MapDataImpl<Entry>::const_iterator::operator): Deleted.
        (JSC::=): Deleted.
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::clear):
        (JSC::JSIterator>::find):
        (JSC::JSIterator>::contains):
        (JSC::JSIterator>::add):
        (JSC::JSIterator>::set):
        (JSC::JSIterator>::get):
        (JSC::JSIterator>::remove):
        (JSC::JSIterator>::replaceAndPackBackingStore):
        (JSC::JSIterator>::replaceBackingStore):
        (JSC::JSIterator>::ensureSpaceForAppend):
        (JSC::JSIterator>::visitChildren):
        (JSC::JSIterator>::copyBackingStore):
        (JSC::JSIterator>::applyMapDataPatch):
        (JSC::MapDataImpl<Entry>::find): Deleted.
        (JSC::MapDataImpl<Entry>::contains): Deleted.
        (JSC::MapDataImpl<Entry>::add): Deleted.
        (JSC::MapDataImpl<Entry>::set): Deleted.
        (JSC::MapDataImpl<Entry>::get): Deleted.
        (JSC::MapDataImpl<Entry>::remove): Deleted.
        (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::replaceBackingStore): Deleted.
        (JSC::MapDataImpl<Entry>::ensureSpaceForAppend): Deleted.
        (JSC::MapDataImpl<Entry>::visitChildren): Deleted.
        (JSC::MapDataImpl<Entry>::copyBackingStore): Deleted.
        * runtime/MapPrototype.cpp:
        (JSC::mapProtoFuncForEach):
        * runtime/SetPrototype.cpp:
        (JSC::setProtoFuncForEach):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::forEach):
        * tests/stress/modify-map-during-iteration.js: Added.
        (testValue):
        (identityPairs):
        (.set if):
        (var):
        (set map):
        * tests/stress/modify-set-during-iteration.js: Added.
        (testValue):
        (set forEach):
        (set delete):
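
The packed-index entry above (2015-03-25, Yusuke Suzuki) and the use-after-free entry just above describe two halves of one mechanism: the owning Map/Set tracks its live iterators and, while packing, patches each one by comparing its cursor against the packed index rather than having iterators reach back into the owner from their destructors. The JavaScript below is an added illustration of that mechanism, not JavaScriptCore code. It borrows the ChangeLog's names (MapData, IteratorData, didRemoveEntry, replaceAndPackBackingStore); the method bodies, the plain Set standing in for the WeakGCMap, and the packingExample and finishedIteratorStaysFinished helpers are assumptions made here. The reportOldIndex flag reproduces the pre-fix comparison against the index in the old storage, so the two tables in the first entry can be checked side by side.

```javascript
// Added model of JSC's Map/Set backing-store packing and live-iterator adjustment.
// Names follow the ChangeLog entries; the bodies are an illustration, not JavaScriptCore code.

class IteratorData {
  constructor(owner) {
    this.owner = owner;     // the map that tracks this iterator while it is live
    this.index = 0;         // m_index: cursor into owner.entries
    this.finished = false;
  }
  isFinished() { return this.finished; }
  // Once done, the spec sets the iterator's [[Map]]/[[Set]] to undefined. The owner
  // stops tracking it, so later packing can neither adjust nor revive it.
  finish() {
    this.finished = true;
    this.owner.liveIterators.delete(this);
    this.owner = null;
  }
  next() {
    if (this.finished) return { done: true, value: undefined };
    const entries = this.owner.entries;
    while (this.index < entries.length && entries[this.index].deleted) this.index++;
    if (this.index >= entries.length) { this.finish(); return { done: true, value: undefined }; }
    return { done: false, value: entries[this.index++].key };
  }
  // Called by the owner once per removed slot while packing. The cursor moves back
  // only when the reported slot lies in front of it.
  didRemoveEntry(slotIndex) {
    if (this.finished) return;
    if (slotIndex < this.index) this.index--;
  }
}

class MapData {
  constructor() {
    this.entries = [];              // backing store of { key, deleted }
    this.liveIterators = new Set(); // stands in for JSC's WeakGCMap of live iterators
  }
  add(key) {
    if (!this.entries.some((e) => !e.deleted && e.key === key)) this.entries.push({ key, deleted: false });
  }
  remove(key) {
    const entry = this.entries.find((e) => !e.deleted && e.key === key);
    if (entry !== undefined) entry.deleted = true;
    return entry !== undefined;
  }
  iterator() {
    const it = new IteratorData(this);
    this.liveIterators.add(it);
    return it;
  }
  // Compact the store. For every removed slot, each live iterator is told either the
  // slot's index in the OLD storage (the pre-fix comparison) or its index in the
  // storage packed so far (the fix).
  replaceAndPackBackingStore(reportOldIndex = false) {
    const packed = [];
    this.entries.forEach((entry, oldIndex) => {
      if (!entry.deleted) { packed.push(entry); return; }
      const slotIndex = reportOldIndex ? oldIndex : packed.length;
      for (const it of this.liveIterators) it.didRemoveEntry(slotIndex);
    });
    this.entries = packed;
  }
}

// Worked case from the ChangeLog: slots 0..3 deleted, slot 4 live, cursor at 3.
// Returns the cursor after packing and the keys the iterator still yields.
function packingExample(reportOldIndex) {
  const map = new MapData();
  for (const k of ['a', 'b', 'c', 'd', 'e']) map.add(k);
  const it = map.iterator();
  it.next(); it.next(); it.next();                // visited a, b, c: cursor is 3
  for (const k of ['a', 'b', 'c', 'd']) map.remove(k);
  map.replaceAndPackBackingStore(reportOldIndex);
  const cursorAfterPack = it.index;
  const rest = [];
  for (let r = it.next(); !r.done; r = it.next()) rest.push(r.value);
  return { cursorAfterPack, rest };
}

// A finished iterator is no longer tracked, so later packing does not touch it.
function finishedIteratorStaysFinished() {
  const map = new MapData();
  map.add('x'); map.add('y');
  const it = map.iterator();
  while (!it.next().done) { /* drain */ }
  map.remove('x');
  map.replaceAndPackBackingStore();
  map.add('z');
  return it.next().done && !map.liveIterators.has(it);
}
```

packingExample(false) leaves the cursor at 0 and the iterator still yields the surviving key; packingExample(true) leaves it at 1, so the survivor is skipped, which is exactly the discrepancy the first entry's two tables walk through.
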

2015-03-24  Mark Lam  <mark.lam@apple.com>

        The ExecutionTimeLimit test should use its own JSGlobalContextRef.
        <https://webkit.org/b/143024>

        Reviewed by Geoffrey Garen.

        Currently, the ExecutionTimeLimit test is using a JSGlobalContextRef
        passed in from testapi.c. It should create its own for better
        encapsulation of the test.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (currentCPUTimeAsJSFunctionCallback):
        (testExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.h:
        * API/tests/testapi.c:
        (main):

2015-03-24  Joseph Pecoraro  <pecoraro@apple.com>

        ES6: Object Literal Methods toString is missing method name
        https://bugs.webkit.org/show_bug.cgi?id=142992

        Reviewed by Geoffrey Garen.

        Always stringify functions in the pattern:

        "function " + <function name> + <text from opening parenthesis to closing brace>.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        Update the path that was not stringifying in this pattern.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::parametersStartOffset):
        * parser/Nodes.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parametersStartOffset):
        Pass the already known function parameter opening parenthesis
        start offset through to the FunctionExecutable.

        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g):
        Add back original space in this test that was removed by r181810
        now that we have the space again in stringification.

2015-03-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated
        https://bugs.webkit.org/show_bug.cgi?id=142856

        Reviewed by Filip Pizlo.

        Refactored the way the for .. in enumeration over objects is done. We used to make three C++ calls to
        get info for three loops to iterate over indexed properties, structure properties and other properties,
        respectively. We still have the three loops, but now we make one C++ call to get all the info needed
        for all loops before we execute any enumeration.

        The JSPropertyEnumerator has a count of the indexed properties and a list of named properties.
        The named properties are one list, with structure properties in the range [0,m_endStructurePropertyIndex)
        and the generic properties in the range [m_endStructurePropertyIndex, m_endGenericPropertyIndex).

        Eliminated the bytecodes op_get_structure_property_enumerator, op_get_generic_property_enumerator and
        op_next_enumerator_pname.
        Added the bytecodes op_get_property_enumerator, op_enumerator_structure_pname and op_enumerator_generic_pname.
        The bytecodes op_enumerator_structure_pname and op_enumerator_generic_pname are similar except for what
        end value we stop iterating on.

        Made corresponding node changes to the DFG and FTL for the bytecode changes.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetPropertyEnumerator):
        (JSC::BytecodeGenerator::emitEnumeratorStructurePropertyName):
        (JSC::BytecodeGenerator::emitEnumeratorGenericPropertyName):
        (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): Deleted.
        (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetPropertyEnumerator):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorStructurePname):
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorGenericPname):
        (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_get_property_enumerator):
        (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
        (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
        (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enumerator_structure_pname):
        (JSC::JIT::emit_op_enumerator_generic_pname):
        (JSC::JIT::emit_op_next_enumerator_pname): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::finishCreation):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::indexedLength):
        (JSC::JSPropertyNameEnumerator::endStructurePropertyIndex):
        (JSC::JSPropertyNameEnumerator::endGenericPropertyIndex):
        (JSC::JSPropertyNameEnumerator::indexedLengthOffset):
        (JSC::JSPropertyNameEnumerator::endStructurePropertyIndexOffset):
        (JSC::JSPropertyNameEnumerator::endGenericPropertyIndexOffset):
        (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
        (JSC::propertyNameEnumerator):
        (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): Deleted.
        (JSC::structurePropertyNameEnumerator): Deleted.
        (JSC::genericPropertyNameEnumerator): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::setCachedPropertyNameEnumerator):
        (JSC::Structure::cachedPropertyNameEnumerator):
        (JSC::Structure::canCachePropertyNameEnumerator):
        (JSC::Structure::setCachedStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::cachedStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::setCachedGenericPropertyNameEnumerator): Deleted.
        (JSC::Structure::cachedGenericPropertyNameEnumerator): Deleted.
        (JSC::Structure::canCacheStructurePropertyNameEnumerator): Deleted.
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): Deleted.
        * runtime/Structure.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        (JSC::StructureRareData::cachedPropertyNameEnumerator):
        (JSC::StructureRareData::setCachedPropertyNameEnumerator):
        (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): Deleted.
        (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): Deleted.
        * runtime/StructureRareData.h:
        * tests/stress/for-in-delete-during-iteration.js:
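
An added JavaScript model of the enumerator layout the entry above describes; it is not JSC's implementation. One up-front call builds an indexed count plus a single names list whose [0, endStructurePropertyIndex) range holds the structure properties and whose [endStructurePropertyIndex, endGenericPropertyIndex) range holds the generic ones, and three loops then consume it without calling back into the runtime for more names. Reading "structure" as own named keys and "generic" as inherited keys is an assumption made here, as are the isIndex, propertyNameEnumerator, forIn and enumerateWithMutation helpers and the constructed object they run on. The mutating visitor shows the behaviour the title's regression had broken (a property added during the loop is not enumerated, because the snapshot predates it) next to the tests/stress/for-in-delete-during-iteration.js case (a deleted property is skipped by the per-loop presence check).

```javascript
// Added model of the single up-front property enumerator; not JavaScriptCore code.
// "structure" = own named keys and "generic" = inherited keys is my reading of the entry.

// Array-index key: canonical numeric string below 2^32 - 1.
const isIndex = (k) => /^(0|[1-9]\d*)$/.test(k) && Number(k) < 2 ** 32 - 1;

// One call gathers everything the three for-in loops need before enumeration starts:
// a count of indexed properties and one names list split into two ranges.
function propertyNameEnumerator(obj) {
  const names = [];
  let indexedLength = 0;
  for (const k of Object.keys(obj)) {
    if (isIndex(k)) indexedLength = Math.max(indexedLength, Number(k) + 1);
    else names.push(k);
  }
  const endStructurePropertyIndex = names.length;   // own named keys: [0, end)
  const seen = new Set(names);
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    for (const k of Object.keys(p)) {
      if (isIndex(k) || seen.has(k)) continue;
      seen.add(k);
      names.push(k);
    }
  }
  return {
    indexedLength,
    names,
    endStructurePropertyIndex,
    endGenericPropertyIndex: names.length,           // inherited keys: [endStructure, end)
  };
}

// for (k in obj) visit(k), driven by the snapshot above. Each loop re-checks that the
// property still exists, so keys deleted mid-loop are skipped; keys added mid-loop are
// never seen because the snapshot was taken once, before the first loop.
function forIn(obj, visit) {
  const e = propertyNameEnumerator(obj);           // op_get_property_enumerator
  for (let i = 0; i < e.indexedLength; i++) {      // indexed properties
    const k = String(i);
    if (k in obj) visit(k);
  }
  for (let i = 0; i < e.endStructurePropertyIndex; i++) {   // op_enumerator_structure_pname
    if (e.names[i] in obj) visit(e.names[i]);
  }
  for (let i = e.endStructurePropertyIndex; i < e.endGenericPropertyIndex; i++) {   // op_enumerator_generic_pname
    if (e.names[i] in obj) visit(e.names[i]);
  }
}

// Constructed input: two indexed keys, three own named keys, one inherited key.
// The visitor adds a property and deletes a not-yet-visited one during the loop.
function enumerateWithMutation() {
  const obj = Object.create({ inherited: 1 });
  obj[0] = 'zero'; obj[1] = 'one';
  obj.a = 1; obj.b = 2; obj.c = 3;
  const visited = [];
  forIn(obj, (k) => {
    visited.push(k);
    if (k === 'a') {
      obj.added = 4;   // must not be enumerated: the snapshot predates it
      delete obj.c;    // must be skipped: the presence check fails when its turn comes
    }
  });
  return visited;
}
```
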

2015-03-24  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for debug builds.

        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):

2015-03-24  Saam Barati  <saambarati1@gmail.com>

        Improve error messages in JSC
        https://bugs.webkit.org/show_bug.cgi?id=141869

        Reviewed by Geoffrey Garen.

        JavaScriptCore has some unintuitive error messages associated
        with certain common errors. This patch changes some specific
        error messages to be more understandable and also creates a
        mechanism that will allow for easy modification of error messages
        in the future. The specific errors we change are "not a function"
        errors and "invalid parameter" errors.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * jit/JITOperations.cpp:
        op_throw_static_error always has a JSString as its argument.
        There is no need to dance around this, and we should assert
        that this always holds. This JSString represents the error
        message we want to display to the user, so there is no need
        to pass it into errorDescriptionForValue which will now place
        quotes around the string.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::hasSourceAppender):
        (JSC::ErrorInstance::sourceAppender):
        (JSC::ErrorInstance::setSourceAppender):
        (JSC::ErrorInstance::clearSourceAppender):
        (JSC::ErrorInstance::setRuntimeTypeForCause):
        (JSC::ErrorInstance::runtimeTypeForCause):
        (JSC::ErrorInstance::clearRuntimeTypeForCause):
        (JSC::ErrorInstance::appendSourceToMessage): Deleted.
        (JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
        (JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        (JSC::defaultApproximateSourceError):
        (JSC::defaultSourceAppender):
        (JSC::functionCallBase):
        (JSC::notAFunctionSourceAppender):
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        (JSC::createInvalidInParameterError):
        (JSC::createInvalidInstanceofParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::createInvalidParameterError): Deleted.
        * runtime/ExceptionHelpers.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        * runtime/RuntimeType.cpp: Added.
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h: Added.
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::getRuntimeTypeForValue): Deleted.
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::appendSourceToError):
        (JSC::VM::throwException):

2015-03-23  Filip Pizlo  <fpizlo@apple.com>

        JSC should have a low-cost asynchronous disassembler
        https://bugs.webkit.org/show_bug.cgi?id=142997

        Reviewed by Mark Lam.

        This adds a JSC_asyncDisassembly option that disassembles on a thread. Disassembly
        doesn't block execution. Some code will live a little longer because of this, since the
        work tasks hold a ref to the code, but other than that there is basically no overhead.

        At present, this isn't really a replacement for JSC_showDisassembly, since it doesn't
        provide contextual IR information for Baseline and DFG disassemblies, and it doesn't do
        the separate IR dumps for FTL. Using JSC_showDisassembly and friends along with
        JSC_asyncDisassembly has bizarre behavior - so just choose one.

        A simple way of understanding how great this is, is to run a small benchmark like
        V8Spider/earley-boyer.

        Performance without any disassembly flags: 60ms
        Performance with JSC_showDisassembly=true: 477ms
        Performance with JSC_asyncDisassembly=true: 65ms

        So, the overhead of disassembly goes from 8x to 8%.

        Note that JSC_asyncDisassembly=true does make it incorrect to run "time" as a way of
        measuring benchmark performance. This is because at VM exit, we wait for all async
        disassembly requests to finish. For example, for earley-boyer, we spend an extra ~130ms
        after the benchmark completely finishes to finish the disassemblies. This small weirdness
        should be OK for the intended use-cases, since all you have to do to get around it is to
        measure the execution time of the benchmark payload rather than the end-to-end time of
        launching the VM.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::wasAlreadyDisassembled):
        (JSC::LinkBuffer::didAlreadyDisassemble):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * disassembler/Disassembler.cpp:
        (JSC::disassembleAsynchronously):
        (JSC::waitForAsynchronousDisassembly):
        * disassembler/Disassembler.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jsc.cpp:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2015-03-23  Dean Jackson  <dino@apple.com>

        ES7: Implement Array.prototype.includes
        https://b​ugs.webkit.org/show_bug.cgi?id=142707

        Reviewed by Geoffrey Garen.

        Add support for the ES7 includes method on Arrays.
        https://github.com/tc39/Array.prototype.includes

        * builtins/Array.prototype.js:
        (includes): Implementation in JS.
        * runtime/ArrayPrototype.cpp: Add 'includes' to the lookup table.
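
As an added example, not the builtin in builtins/Array.prototype.js: a spec-shaped Array.prototype.includes written in plain JavaScript, the way a self-hosted builtin is. It shows the two details such an implementation has to get right, SameValueZero (NaN matches itself, unlike indexOf's strict equality) and a negative fromIndex counted from the end, and it works on any array-like because it only reads length and indices. The names arrayIncludes, sameValueZero, toIntegerOrInfinity and nanLookup are chosen here.

```javascript
// Added example of a spec-shaped Array.prototype.includes in plain JavaScript.
// Not the JSC builtin; the names below are chosen here.

// SameValueZero: like ===, except that NaN equals NaN (+0 and -0 are equal either way).
function sameValueZero(a, b) {
  return a === b || (Number.isNaN(a) && Number.isNaN(b));
}

// ToIntegerOrInfinity: NaN becomes 0, fractions are truncated, infinities survive.
function toIntegerOrInfinity(v) {
  const n = Number(v);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Generic over array-likes: only `length` and indexed reads are used, never Array
// internals. Holes read as undefined, so includes(undefined) finds them.
function arrayIncludes(arrayLike, searchElement, fromIndex = 0) {
  const o = Object(arrayLike);
  const len = Math.min(Math.max(toIntegerOrInfinity(o.length), 0), Number.MAX_SAFE_INTEGER);
  if (len === 0) return false;
  let k = toIntegerOrInfinity(fromIndex);
  if (k < 0) k = Math.max(len + k, 0);     // negative fromIndex counts from the end
  for (; k < len; k++) {
    if (sameValueZero(o[k], searchElement)) return true;
  }
  return false;
}

// Contrast with indexOf, which uses strict equality and therefore never finds NaN.
function nanLookup() {
  const values = [1, NaN, 3];
  return { includes: arrayIncludes(values, NaN), indexOf: values.indexOf(NaN) };
}
```
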

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        __defineGetter__/__defineSetter__ should throw exceptions
        https://bugs.webkit.org/show_bug.cgi?id=142934

        Reviewed by Geoffrey Garen.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        Throw exceptions when these functions are used directly.

2015-03-23  Joseph Pecoraro  <pecoraro@apple.com>

        Fix DO_PROPERTYMAP_CONSTENCY_CHECK enabled build
        https://bugs.webkit.org/show_bug.cgi?id=142952

        Reviewed by Geoffrey Garen.

        * runtime/Structure.cpp:
        (JSC::PropertyTable::checkConsistency):
        The check offset method doesn't exist in PropertyTable; it exists in Structure.

        (JSC::Structure::checkConsistency):
        So move it here, and always put it at the start to match normal behavior.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations
        https://bugs.webkit.org/show_bug.cgi?id=142956

        Rubber stamped by Gyuyoung Kim.

        Just removing dead code.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGValueRecoveryOverride.h: Removed.

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit shouldn't assume that the frame count for exit is greater than the frame count in DFG
        https://bugs.webkit.org/show_bug.cgi?id=142948

        Reviewed by Sam Weinig.

        It's necessary to ensure that the stack pointer accounts for the extent of our stack usage
        since a signal may clobber the area below the stack pointer. When the DFG is executing,
        the stack pointer accounts for the DFG's worst-case stack usage. When we OSR exit back to
        baseline, we will use a different amount of stack. This is because baseline is a different
        compiler. It will make different decisions. So it will use a different amount of stack.

        This gets tricky when we are in the process of doing an OSR exit, because we are sort of
        incrementally transforming the stack from how it looked in the DFG to how it will look in
        baseline. The most conservative approach would be to set the stack pointer to the max of
        DFG and baseline.

        When this code was written, a reckless assumption was made: that the stack usage in
        baseline is always at least as large as the stack usage in DFG. Based on this incorrect
        assumption, the code first adjusts the stack pointer to account for the baseline stack
        usage. This sort of usually works, because usually baseline does happen to use more stack.
        But that's not an invariant. Nobody guarantees this. We will never make any changes that
        would make this be guaranteed, because that would be antithetical to how optimizing
        compilers work. The DFG should be allowed to use however much stack it decides that it
        should use in order to get good performance, and it shouldn't try to guarantee that it
        always uses less stack than baseline.

        As such, we must always assume that the frame size for DFG execution (i.e.
        frameRegisterCount) and the frame size in baseline once we exit (i.e.
        requiredRegisterCountForExit) are two independent quantities and they have no
        relationship.

        Fortunately, though, this code can be made correct by just moving the stack adjustment to
        just before we do conversions. This is because we have since changed the OSR exit
        algorithm to first lift up all state from the DFG state into a scratch buffer, and then to
        drop it out of the scratch buffer and into the stack according to the baseline layout. The
        point just before conversions is the point where we have finished reading the DFG frame
        and will not read it anymore, and we haven't started writing the baseline frame. So, at
        this point it is safe to set the stack pointer to account for the frame size at exit.

        This is benign because baseline happens to create larger frames than DFG.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        Shorten the number of iterations to 10,000 since that's enough to test all tiers.

        Rubber stamped by Sam Weinig.

        * tests/stress/equals-masquerader.js:

2015-03-22  Filip Pizlo  <fpizlo@apple.com>

        tests/stress/*tdz* tests do 10x more iterations than necessary
        https://bugs.webkit.org/show_bug.cgi?id=142946

        Reviewed by Ryosuke Niwa.

        The stress test harness runs all of these tests in various configurations. This includes
        no-cjit, which has tier-up heuristics locked in such a way that 10,000 iterations is
        enough to get to the highest tier. The only exceptions are very large functions or
        functions that have some reoptimizations. That happens rarely, and when it does happen,
        usually 20,000 iterations is enough.

        Therefore, these tests use 10x too many iterations. This is bad, since these tests
        allocate on each iteration, and so they run very slowly in debug mode.

        * tests/stress/class-syntax-no-loop-tdz.js:
        * tests/stress/class-syntax-no-tdz-in-catch.js:
        * tests/stress/class-syntax-no-tdz-in-conditional.js:
        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
        * tests/stress/class-syntax-no-tdz-in-loop.js:
        * tests/stress/class-syntax-no-tdz.js:
        * tests/stress/class-syntax-tdz-in-catch.js:
        * tests/stress/class-syntax-tdz-in-conditional.js:
        * tests/stress/class-syntax-tdz-in-loop.js:
        * tests/stress/class-syntax-tdz.js:

2015-03-21  Joseph Pecoraro  <pecoraro@apple.com>

        Fix a typo in Parser error message
        https://bugs.webkit.org/show_bug.cgi?id=142942
17361
17362 Reviewed by Alexey Proskuryakov.
17363
17364 * jit/JITPropertyAccess.cpp:
17365 (JSC::JIT::emitSlow_op_resolve_scope):
17366 * jit/JITPropertyAccess32_64.cpp:
17367 (JSC::JIT::emitSlow_op_resolve_scope):
17368 * parser/Parser.cpp:
17369 (JSC::Parser<LexerType>::parseClass):
17370 Fix a common identifier typo.
17371
173722015-03-21 Joseph Pecoraro <pecoraro@apple.com>
17373
17374 Computed Property names should allow only AssignmentExpressions not any Expression
17375 https://bugs.webkit.org/show_bug.cgi?id=142902
17376
17377 Reviewed by Ryosuke Niwa.
17378
17379 * parser/Parser.cpp:
17380 (JSC::Parser<LexerType>::parseProperty):
17381 Limit computed expressions to just assignment expressions instead of
17382 any expression (which allowed comma expressions).
17383
173842015-03-21 Andreas Kling <akling@apple.com>
17385
17386 Make UnlinkedFunctionExecutable fit in a 128-byte cell.
17387 <https://webkit.org/b/142939>
17388
17389 Reviewed by Mark Hahnenberg.
17390
17391 Re-arrange the members of UnlinkedFunctionExecutable so it can fit inside
17392 a 128-byte heap cell instead of requiring a 256-byte one.
17393
17394 Threw in a static_assert to catch anyone pushing it over the limit again.
17395
17396 * bytecode/UnlinkedCodeBlock.cpp:
17397 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
17398 * bytecode/UnlinkedCodeBlock.h:
17399 (JSC::UnlinkedFunctionExecutable::functionMode):
17400
174012015-03-20 Mark Hahnenberg <mhahnenb@gmail.com>
17402
17403 GCTimer should know keep track of nested GC phases
17404 https://bugs.webkit.org/show_bug.cgi?id=142675
17405
17406 Reviewed by Darin Adler.
17407
17408 This improves the GC phase timing output in Heap.cpp by linking
17409 phases nested inside other phases together, allowing tools
17410 to compute how much time we're spending in various nested phases.
17411
17412 * heap/Heap.cpp:
17413
174142015-03-20 Geoffrey Garen <ggaren@apple.com>
17415
17416 FunctionBodyNode should known where its parameters started
17417 https://bugs.webkit.org/show_bug.cgi?id=142926
17418
17419 Reviewed by Ryosuke Niwa.
17420
17421 This will allow us to re-parse parameters instead of keeping the
17422 parameters piece of the AST around forever.
17423
17424 I also took the opportunity to initialize most FunctionBodyNode data
17425 members at construction time, to help clarify that they are set right.
17426
17427 * parser/ASTBuilder.h:
17428 (JSC::ASTBuilder::createFunctionExpr): No need to pass
17429 functionKeywordStart here; we now provide it at FunctionBodyNode
17430 creation time.
17431
17432 (JSC::ASTBuilder::createFunctionBody): Require everything we need at
17433 construction time, including the start of our parameters.
17434
17435 (JSC::ASTBuilder::createGetterOrSetterProperty):
17436 (JSC::ASTBuilder::createFuncDeclStatement): No need to pass
17437 functionKeywordStart here; we now provide it at FunctionBodyNode
17438 creation time.
17439
17440 (JSC::ASTBuilder::setFunctionNameStart): Deleted.
17441
17442 * parser/Nodes.cpp:
17443 (JSC::FunctionBodyNode::FunctionBodyNode): Initialize everything at
17444 construction time.
17445
17446 * parser/Nodes.h: Added a field for the location of our parameters.
17447
17448 * parser/Parser.cpp:
17449 (JSC::Parser<LexerType>::parseFunctionBody):
17450 (JSC::Parser<LexerType>::parseFunctionInfo):
17451 (JSC::Parser<LexerType>::parseFunctionDeclaration):
17452 (JSC::Parser<LexerType>::parseClass):
17453 (JSC::Parser<LexerType>::parsePropertyMethod):
17454 (JSC::Parser<LexerType>::parseGetterSetter):
17455 (JSC::Parser<LexerType>::parsePrimaryExpression):
17456 * parser/Parser.h: Refactored to match above interface changes.
17457
17458 * parser/SyntaxChecker.h:
17459 (JSC::SyntaxChecker::createFunctionExpr):
17460 (JSC::SyntaxChecker::createFunctionBody):
17461 (JSC::SyntaxChecker::createFuncDeclStatement):
17462 (JSC::SyntaxChecker::createGetterOrSetterProperty): Refactored to match
17463 above interface changes.
17464
17465 (JSC::SyntaxChecker::setFunctionNameStart): Deleted.
17466
174672015-03-20 Filip Pizlo <fpizlo@apple.com>
17468
17469 Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes
17470 https://bugs.webkit.org/show_bug.cgi?id=142920
17471
17472 Reviewed by Oliver Hunt, Geoffrey Garen, and Mark Lam.
17473
17474 Observably effectful, n.: If we reexecute the bytecode instruction after this node has
17475 executed, then something other than the bytecode instruction's specified outcome will
17476 happen.
17477
17478 We almost never had observably effectful nodes except at the end of the bytecode
17479 instruction. The exception is a lowered transitioning PutById:
17480
17481 PutStructure(@o, S1 -> S2)
17482 PutByOffset(@o, @o, @v)
17483
17484 The PutStructure is observably effectful: if you try to reexecute the bytecode after
17485 doing the PutStructure, then we'll most likely crash. The generic PutById handling means
17486 first checking what the old structure of the object is; but if we reexecute, the old
17487 structure will seem to be the new structure. But the property ensured by the new
17488 structure hasn't been stored yet, so any attempt to load it or scan it will crash.
17489
17490 Intriguingly, however, none of the other operations involved in the PutById are
17491 observably effectful. Consider this example:
17492
17493 PutByOffset(@o, @o, @v)
17494 PutStructure(@o, S1 -> S2)
17495
17496 Note that the PutStructure node doesn't reallocate property storage; see further below
17497 for an example that does that. Because no property storage is happening, we know that we
17498 already had room for the new property. This means that the PutByOffset is no observable
17499 until the PutStructure executes and "reveals" the property. Hence, PutByOffset is not
17500 observably effectful.
17501
17502 Now consider this:
17503
17504 b: AllocatePropertyStorage(@o)
17505 PutByOffset(@b, @o, @v)
17506 PutStructure(@o, S1 -> S2)
17507
17508 Surprisingly, this is also safe, because the AllocatePropertyStorage is not observably
17509 effectful. It *does* reallocate the property storage and the new property storage pointer
17510 is stored into the object. But until the PutStructure occurs, the world will just think
17511 that the reallocation didn't happen, in the sense that we'll think that the property
17512 storage is using less memory than what we just allocated. That's harmless.
17513
17514 The AllocatePropertyStorage is safe in other ways, too. Even if we GC'd after the
17515 AllocatePropertyStorage but before the PutByOffset (or before the PutStructure),
17516 everything could be expected to be fine, so long as all of @o, @v and @b are on the
17517 stack. If they are all on the stack, then the GC will leave the property storage alone
17518 (so the extra memory we just allocated would be safe). The GC will not scan the part of
17519 the property storage that contains @v, but that's fine, so long as @v is on the stack.
17520
17521 The better long-term solution is probably bug 142921.
17522
17523 But for now, this:
17524
17525 - Fixes an object materialization bug, exemplified by the two tests, that previously
17526 crashed 100% of the time with FTL enabled and concurrent JIT disabled.
17527
17528 - Allows us to remove the workaround introduced in r174856.
17529
17530 * dfg/DFGByteCodeParser.cpp:
17531 (JSC::DFG::ByteCodeParser::handlePutById):
17532 * dfg/DFGConstantFoldingPhase.cpp:
17533 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
17534 * dfg/DFGFixupPhase.cpp:
17535 (JSC::DFG::FixupPhase::insertCheck):
17536 (JSC::DFG::FixupPhase::indexOfNode): Deleted.
17537 (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin): Deleted.
17538 * dfg/DFGInsertionSet.h:
17539 (JSC::DFG::InsertionSet::insertOutOfOrder): Deleted.
17540 (JSC::DFG::InsertionSet::insertOutOfOrderNode): Deleted.
17541 * tests/stress/materialize-past-butterfly-allocation.js: Added.
17542 (bar):
17543 (foo0):
17544 (foo1):
17545 (foo2):
17546 (foo3):
17547 (foo4):
17548 * tests/stress/materialize-past-put-structure.js: Added.
17549 (foo):
17550
175512015-03-20 Yusuke Suzuki <utatane.tea@gmail.com>
17552
17553 REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83
17554 https://bugs.webkit.org/show_bug.cgi?id=142410
17555
17556 Reviewed by Geoffrey Garen.
17557
17558 Before this patch, added function JSValue::toPropertyKey returns PropertyName.
17559 Since PropertyName doesn't have AtomicStringImpl ownership,
17560 if Identifier is implicitly converted to PropertyName and Identifier is destructed,
17561 PropertyName may refer freed AtomicStringImpl*.
17562
17563 This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
17564 to keep AtomicStringImpl* ownership after the toPropertyName call is done.
17565 And receive the result value as Identifier type to keep ownership in the caller side.
17566
17567 To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
17568
17569 However, now we don't need to have both Identifier and PropertyName.
17570 So we'll merge PropertyName to Identifier in the subsequent patch.
17571
17572 * dfg/DFGOperations.cpp:
17573 (JSC::DFG::operationPutByValInternal):
17574 * jit/JITOperations.cpp:
17575 (JSC::getByVal):
17576 * llint/LLIntSlowPaths.cpp:
17577 (JSC::LLInt::getByVal):
17578 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
17579 * runtime/CommonSlowPaths.cpp:
17580 (JSC::SLOW_PATH_DECL):
17581 * runtime/CommonSlowPaths.h:
17582 (JSC::CommonSlowPaths::opIn):
17583 * runtime/JSCJSValue.h:
17584 * runtime/JSCJSValueInlines.h:
17585 (JSC::JSValue::toPropertyKey):
17586 * runtime/ObjectConstructor.cpp:
17587 (JSC::objectConstructorGetOwnPropertyDescriptor):
17588 (JSC::objectConstructorDefineProperty):
17589 * runtime/ObjectPrototype.cpp:
17590 (JSC::objectProtoFuncPropertyIsEnumerable):
17591
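The dangling-view pattern described in the entry above, as an added example that is not JSC's code: a constructed Identifier/PropertyName analogue, with the pre-fix function returning the non-owning view and the post-fix function returning the owner. StringBody, Value, toPropertyKeyBefore and toPropertyKeyAfter are hypothetical names; a weak_ptr stands in for the raw pointer so the dangling state can be detected without undefined behaviour.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Constructed analogue of a refcounted string body (AtomicStringImpl in the entry above).
struct StringBody {
    std::string chars;
    explicit StringBody(std::string s) : chars(std::move(s)) {}
};

// Owning handle, standing in for JSC's Identifier: holds a strong reference to the body.
class Identifier {
public:
    explicit Identifier(std::string s) : m_body(std::make_shared<StringBody>(std::move(s))) {}
    const std::shared_ptr<StringBody>& body() const { return m_body; }
private:
    std::shared_ptr<StringBody> m_body;
};

// Non-owning view, standing in for PropertyName. The implicit converting constructor
// mirrors the Identifier -> PropertyName conversion the entry describes. A weak_ptr is
// used instead of a raw pointer only so that a dangling view can be detected safely.
class PropertyName {
public:
    PropertyName(const Identifier& ident) : m_body(ident.body()) {}
    bool isAlive() const { return !m_body.expired(); }
    std::string chars() const {
        auto strong = m_body.lock();
        return strong ? strong->chars : std::string();
    }
private:
    std::weak_ptr<StringBody> m_body;
};

// Stand-in for a JSValue that must be turned into a property key (hypothetical).
struct Value { long number; };

// Before the fix: the function returns the non-owning view. The Identifier that owns the
// body is a local, so it is destroyed on return and the returned PropertyName dangles.
PropertyName toPropertyKeyBefore(const Value& v) {
    Identifier ident(std::to_string(v.number));
    return PropertyName(ident); // ident dies here; the view outlives its owner
}

// After the fix: return the owning Identifier so the caller keeps the body alive for as
// long as it holds the result.
Identifier toPropertyKeyAfter(const Value& v) {
    return Identifier(std::to_string(v.number));
}

// Reproduces the bug: the view handed back is already dangling when the caller gets it.
bool beforeFixDangles() {
    PropertyName key = toPropertyKeyBefore(Value{42});
    return !key.isAlive();
}

// Shows the fixed shape: the caller holds the Identifier (as `auto` in the entry) and any
// PropertyName derived from it stays valid while that Identifier lives.
bool afterFixStaysAlive() {
    auto key = toPropertyKeyAfter(Value{42});
    PropertyName view = key;
    return view.isAlive() && view.chars() == "42";
}

int main() {
    std::cout << std::boolalpha
              << "before fix, view dangles: " << beforeFixDangles() << '\n'
              << "after fix, view alive:    " << afterFixStaysAlive() << '\n';
    return 0;
}
```
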
2015-03-18 Geoffrey Garen <ggaren@apple.com>

        Function.prototype.toString should not decompile the AST
        https://bugs.webkit.org/show_bug.cgi?id=142853

        Reviewed by Sam Weinig.

        To recover the function parameter string, Function.prototype.toString
        decompiles the function parameters from the AST. This is bad for a few
        reasons:

        (1) It requires us to keep pieces of the AST live forever. This is an
        awkward design and a waste of memory.

        (2) It doesn't match Firefox or Chrome (because it changes whitespace
        and ES6 destructuring expressions).

        (3) It doesn't scale to ES6 default argument parameters, which require
        arbitrarily complex decompilation.

        (4) It can counterfeit all the line numbers in a function (because
        whitespace can include newlines).

        (5) It's expensive, and we've seen cases where websites invoke
        Function.prototype.toString a lot by accident.

        The fix is to do what we do for the rest of the function: Just quote the
        original source text.

        Since this change inevitably changes some function stringification, I
        took the opportunity to make our stringification match Firefox's and
        Chrome's.

        * API/tests/testapi.c:
        (assertEqualsAsUTF8String): Be more informative when this fails.

        (main): Updated to match new stringification rules.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString): Deleted. Yay!
        * bytecode/UnlinkedCodeBlock.h:

        * parser/Nodes.h:
        (JSC::StatementNode::isFuncDeclNode): New helper for constructing
        anonymous functions.

        * parser/SourceCode.h:
        (JSC::SourceCode::SourceCode): Allow zero because WebCore wants it.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Updated for use
        of function declaration over function expression.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::paramString): Deleted. Yay!
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parameterCount):

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck): Added a newline after
        the opening brace to match Firefox and Chrome, and a space after the comma
        to match Firefox and WebKit coding style. Added the function name to
        the text of the function so it would look right when stringify-ing. Switched
        from parentheses to braces to produce a function declaration instead of
        a function expression because we are required to exclude the function's
        name from its scope, and that's what a function declaration does.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString): Removed an old workaround because the
        library it worked around doesn't really exist anymore, and the behavior
        doesn't match Firefox or Chrome. Use type profiling offsets instead of
        function body offsets because we want to include the function name and
        the parameter string, rather than stitching them in manually by
        decompiling the AST.

        (JSC::insertSemicolonIfNeeded): Deleted.

        * tests/mozilla/js1_2/function/tostring-1.js:
        * tests/mozilla/js1_5/Scope/regress-185485.js:
        (with.g): Updated these test results for formatting changes.

2015-03-20 Joseph Pecoraro <pecoraro@apple.com>

        SyntaxChecker assertion is trapped with computed property name and getter
        https://bugs.webkit.org/show_bug.cgi?id=142863

        Reviewed by Ryosuke Niwa.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::getName):
        Remove invalid assert. Computed properties will not have a name
        and the calling code is checking for null expecting it. The
        AST path (non-CheckingPath) already does this without the assert
        so it is well tested.

2015-03-19 Mark Lam <mark.lam@apple.com>

        JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called.
        <https://webkit.org/b/142846>

        Reviewed by Geoffrey Garen.

        Currently, JSCallbackObject<JSGlobalObject> registers weak finalizers via 2 mechanisms:
        1. JSCallbackObject<Parent>::init() registers a weak finalizer for all JSClassRef
           that a JSCallbackObject references.
        2. JSCallbackObject<JSGlobalObject>::create() registers a finalizer via
           vm.heap.addFinalizer() which destroys the JSCallbackObject.

        The first finalizer is implemented as a virtual function of a JSCallbackObjectData
        instance that will be destructed if the 2nd finalizer is called. Hence, if the
        2nd finalizer is called first, the later invocation of the 1st finalizer will
        result in a crash.

        This patch fixes the issue by eliminating the finalizer registration in init().
        Instead, we'll have the JSCallbackObject destructor call all the JSClassRef finalizers
        if needed. This ensures that these finalizers are called before the JSCallbackObject
        is destructed.

        Also added assertions to a few Heap functions because JSCell::classInfo() expects
        all objects that are allocated from MarkedBlock::Normal blocks to be derived from
        JSDestructibleObject. These assertions will help us catch violations of this
        expectation earlier.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize): Deleted.
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::~JSCallbackObjectData):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
        (JSC::JSCallbackObject<Parent>::init):
        * API/tests/GlobalContextWithFinalizerTest.cpp: Added.
        (finalize):
        (testGlobalContextWithFinalizer):
        * API/tests/GlobalContextWithFinalizerTest.h: Added.
        * API/tests/testapi.c:
        (main):
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HeapInlines.h:
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):

2015-03-19 Andreas Kling <akling@apple.com>

        JSCallee unnecessarily overrides a bunch of things in the method table.
        <https://webkit.org/b/142855>

        Reviewed by Geoffrey Garen.

        Remove JSCallee method table overrides that simply call to base class.
        This makes JSFunction property slot lookups slightly more efficient since
        they can take the fast path when passing over JSCallee in the base class chain.

        * runtime/JSCallee.cpp:
        (JSC::JSCallee::getOwnPropertySlot): Deleted.
        (JSC::JSCallee::getOwnNonIndexPropertyNames): Deleted.
        (JSC::JSCallee::put): Deleted.
        (JSC::JSCallee::deleteProperty): Deleted.
        (JSC::JSCallee::defineOwnProperty): Deleted.
        * runtime/JSCallee.h:

2015-03-19 Andreas Kling <akling@apple.com>

        DFGAllocator should use bmalloc's aligned allocator.
        <https://webkit.org/b/142871>

        Reviewed by Geoffrey Garen.

        Switch DFGAllocator to using bmalloc through fastAlignedMalloc().

        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::allocateSlow):
        (JSC::DFG::Allocator<T>::freeRegionsStartingAt):
        * heap/CopiedSpace.h:
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.h:

2015-03-18 Joseph Pecoraro <pecoraro@apple.com>

        ES6 Classes: Extends should accept an expression without parenthesis
        https://bugs.webkit.org/show_bug.cgi?id=142840

        Reviewed by Ryosuke Niwa.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        "extends" allows a LeftHandExpression (new expression / call expression,
        which includes a member expression), not a primary expression. Our
        parseMemberExpression does all of these.

2015-03-18 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Debugger Popovers and Probes should use FormattedValue/ObjectTreeView instead of Custom/ObjectPropertiesSection
        https://bugs.webkit.org/show_bug.cgi?id=142830

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        Give Probe Samples object previews.

2015-03-17 Ryuan Choi <ryuan.choi@navercorp.com>

        [EFL] Expose JavaScript binding interface through ewk_extension
        https://bugs.webkit.org/show_bug.cgi?id=142033

        Reviewed by Gyuyoung Kim.

        * PlatformEfl.cmake: Install Javascript APIs.

2015-03-17 Geoffrey Garen <ggaren@apple.com>

        Function bodies should always include braces
        https://bugs.webkit.org/show_bug.cgi?id=142795

        Reviewed by Michael Saboff.

        Having a mode for excluding the opening and closing braces from a function
        body was unnecessary and confusing.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Adopt the new one true linking function.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): No need to pass through
        a boolean: there is only one kind of function now.

        (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Deleted.
        (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Deleted. Let's only
        have one way to do things. This removes the old mode that would pretend
        that a function always started at column 1. That pretense was not true:
        an attribute event listener does not necessarily start at column 1.

        * bytecode/UnlinkedCodeBlock.h:
        * generate-js-builtins: Adopt the new one true linking function.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse): needsReparsingAdjustment is always true now, so I removed it.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::bodyIncludesBraces): Deleted. Removed unused stuff.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck): Always provide a
        leading space because that's what this function's comment says is required
        for web compatibility. We used to fake this up after the fact when
        stringifying, based on the bodyIncludesBraces flag, but that flag is gone now.

        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        (JSC::functionProtoFuncToString): No need to add braces and/or a space
        after the fact -- we always have them now.

2015-03-17 Mark Lam <mark.lam@apple.com>

        Refactor execution time limit tests out of testapi.c.
        <https://webkit.org/b/142798>

        Rubber stamped by Michael Saboff.

        These tests were sometimes failing to time out on C loop builds. Let's
        refactor them out of the big monolith that is testapi.c so that we can
        reason more easily about them and make adjustments if needed.

        * API/tests/ExecutionTimeLimitTest.cpp: Added.
        (currentCPUTime):
        (currentCPUTimeAsJSFunctionCallback):
        (shouldTerminateCallback):
        (cancelTerminateCallback):
        (extendTerminateCallback):
        (testExecutionTimeLimit):
        * API/tests/ExecutionTimeLimitTest.h: Added.
        * API/tests/testapi.c:
        (main):
        (currentCPUTime): Deleted.
        (currentCPUTime_callAsFunction): Deleted.
        (shouldTerminateCallback): Deleted.
        (cancelTerminateCallback): Deleted.
        (extendTerminateCallback): Deleted.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2015-03-17 Geoffrey Garen <ggaren@apple.com>

        Built-in functions should know that they use strict mode
        https://bugs.webkit.org/show_bug.cgi?id=142788

        Reviewed by Mark Lam.

        Even though all of our builtin functions use strict mode, the parser
        thinks that they don't. This is because Executable::toStrictness treats
        builtin-ness and strict-ness as mutually exclusive.

        The fix is to disambiguate builtin-ness from strict-ness.

        This bug is currently unobservable because of some other parser bugs. But
        it causes lots of test failures once those other bugs are fixed.

        * API/JSScriptRef.cpp:
        (parseScript):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable): Adopt the new API
        for a separate value to indicate builtin-ness vs strict-ness.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Ditto.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::toStrictness): Deleted. This function
        was misleading since it pretended that no builtin function was ever
        strict, which is the opposite of true.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        * parser/Parser.h:
        (JSC::parse): Adopt the new API.

        * parser/ParserModes.h: Added JSParserBuiltinMode, and tried to give
        existing modes clearer names.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Adopt the new API.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey): Be sure to treat strict-ness and
        builtin-ness as separate pieces of the code cache key. We would not want
        a user function to match a built-in function in the cache, even if they
        agreed about strictness, since builtin functions have different lexing
        rules.

        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock): Adopt the new API.

2015-03-16 Filip Pizlo <fpizlo@apple.com>

        DFG IR shouldn't have a separate node for every kind of put hint that could be described using PromotedLocationDescriptor
        https://bugs.webkit.org/show_bug.cgi?id=142769

        Reviewed by Michael Saboff.

        When we sink an object allocation, we need to have some way of tracking what stores would
        have happened had the allocation not been sunk, so that we know how to rematerialize the
        object on OSR exit. Prior to this change, trunk had two ways of describing such a "put
        hint":

        - The PutStructureHint and PutByOffsetHint node types.
        - The PromotedLocationDescriptor class, which has an enum with cases StructurePLoc and
          NamedPropertyPLoc.

        We also had ways of converting from a Node with those two node types to a
        PromotedLocationDescriptor, and we had a way of converting a PromotedLocationDescriptor to
        a Node.

        This change removes the redundancy. We now have just one node type that corresponds to a
        put hint, and it's called PutHint. It has a PromotedLocationDescriptor as metadata.
        Converting between a PutHint node and a PromotedLocationDescriptor and vice-versa is now
        trivial.

        This means that if we add new kinds of sunken objects, we'll have less pro-forma to write
        for the put hints to those objects. This is mainly to simplify the implementation of
        arguments elimination in bug 141174.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::mergeRelevantToOSR):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToPutHint):
        (JSC::DFG::Node::convertToPutStructureHint):
        (JSC::DFG::Node::convertToPutByOffsetHint):
        (JSC::DFG::Node::promotedLocationDescriptor):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasPromotedLocationDescriptor):
        (JSC::DFG::Node::convertToPutByOffsetHint): Deleted.
        (JSC::DFG::Node::convertToPutStructureHint): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::run):
        (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromoteHeapAccess.h:
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp:
        (JSC::DFG::PromotedHeapLocation::createHint):
        * dfg/DFGPromotedHeapLocation.h:
        (JSC::DFG::PromotedLocationDescriptor::imm1):
        (JSC::DFG::PromotedLocationDescriptor::imm2):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2015-03-17 Michael Saboff <msaboff@apple.com>

        Windows X86-64 should use the fixed executable allocator
        https://bugs.webkit.org/show_bug.cgi?id=142749

        Reviewed by Filip Pizlo.

        Added jit/ExecutableAllocatorFixedVMPool.cpp to Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * jit/ExecutableAllocatorFixedVMPool.cpp: Don't include unistd.h on Windows.

2015-03-17 Matt Baker <mattbaker@apple.com>

        Web Inspector: Show rendering frames (and FPS) in Layout and Rendering timeline
        https://bugs.webkit.org/show_bug.cgi?id=142029

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Timeline.json:
        Added new event type for runloop timeline records.

2015-03-16 Ryosuke Niwa <rniwa@webkit.org>

        Enable ES6 classes by default
        https://bugs.webkit.org/show_bug.cgi?id=142774

        Reviewed by Gavin Barraclough.

        Enabled the feature and unskipped tests.

        * Configurations/FeatureDefines.xcconfig:
        * tests/stress/class-syntax-no-loop-tdz.js:
        * tests/stress/class-syntax-no-tdz-in-catch.js:
        * tests/stress/class-syntax-no-tdz-in-conditional.js:
        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js:
        * tests/stress/class-syntax-no-tdz-in-loop.js:
        * tests/stress/class-syntax-no-tdz.js:
        * tests/stress/class-syntax-tdz-in-catch.js:
        * tests/stress/class-syntax-tdz-in-conditional.js:
        * tests/stress/class-syntax-tdz-in-loop.js:
        * tests/stress/class-syntax-tdz.js:

2015-03-16 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Better Console Previews for Arrays / Small Objects
        https://bugs.webkit.org/show_bug.cgi?id=142322

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Create deep valuePreviews for simple previewable objects,
        such as arrays with 5 values, or basic objects with
        3 properties.

2015-03-16 Ryosuke Niwa <rniwa@webkit.org>

        Add support for default constructor
        https://bugs.webkit.org/show_bug.cgi?id=142388

        Reviewed by Filip Pizlo.

        Added the support for default constructors. They're generated by ClassExprNode::emitBytecode
        via BuiltinExecutables::createDefaultConstructor.

        UnlinkedFunctionExecutable now has the ability to override SourceCode provided by the owner
        executable. We can't store SourceCode in UnlinkedFunctionExecutable since CodeCache can use
        the same UnlinkedFunctionExecutable to generate code blocks for multiple functions.

        Parser now has the ability to treat any function expression as a constructor of the kind specified
        by m_defaultConstructorKind member variable.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createDefaultConstructor): Added.
        (JSC::BuiltinExecutables::createExecutableInternal): Generalized from createBuiltinExecutable.
        Parse default constructors as normal non-builtin functions. Override SourceCode in the unlinked
        function executable since the Miranda function's code is definitely not in the owner executable's
        source code. That's the whole point.
        * builtins/BuiltinExecutables.h:
        (UnlinkedFunctionExecutable::createBuiltinExecutable): Added. Wraps createExecutableInternal.
18112 * bytecode/UnlinkedCodeBlock.cpp:
18113 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
18114 (JSC::UnlinkedFunctionExecutable::linkInsideExecutable):
18115 (JSC::UnlinkedFunctionExecutable::linkGlobalCode):
18116 * bytecode/UnlinkedCodeBlock.h:
18117 (JSC::UnlinkedFunctionExecutable::create):
18118 (JSC::UnlinkedFunctionExecutable::symbolTable): Deleted.
18119 * bytecompiler/BytecodeGenerator.cpp:
18120 (JSC::BytecodeGenerator::emitNewDefaultConstructor): Added.
18121 * bytecompiler/BytecodeGenerator.h:
18122 * bytecompiler/NodesCodegen.cpp:
18123 (JSC::ClassExprNode::emitBytecode): Generate the default constructor if needed.
18124 * parser/Parser.cpp:
18125 (JSC::Parser<LexerType>::Parser):
18126 (JSC::Parser<LexerType>::parseFunctionInfo): Override ownerClassKind and assume the function as
18127 a constructor if we're parsing a default constructor.
18128 (JSC::Parser<LexerType>::parseClass): Allow omission of the class constructor.
18129 * parser/Parser.h:
18130 (JSC::parse):
18131
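The entry above describes the constructor that the engine synthesizes when a class body omits one. The following is an added example, not JSC code or part of the ChangeLog, that spells out the two synthesized forms by hand (an empty constructor for a base class, an argument-forwarding `super(...args)` constructor for a derived class) and checks that the implicit and explicit versions are indistinguishable from script. The class names are made up for the example.

```javascript
// Added example (not JSC code): what the synthesized default constructor
// does, checked against hand-written equivalents. Class names are made up.

// A base class without `constructor` gets `constructor() {}`.
class Base { }
class BaseExplicit { constructor() { } }

// A base class that records its arguments so forwarding can be observed.
class Recorder {
  constructor(...args) { this.args = args; }
}

// A derived class without `constructor` gets
// `constructor(...args) { super(...args); }`.
class Derived extends Recorder { }
class DerivedExplicit extends Recorder {
  constructor(...args) { super(...args); }
}

// Compare the synthesized constructors against the explicit ones.
function defaultConstructorReport() {
  const implicit = new Derived(1, 'two', [3]);
  const explicit = new DerivedExplicit(1, 'two', [3]);
  return {
    // The generated constructor is a real own property of the prototype
    // and refers back to the class itself, exactly as for an explicit one.
    baseCtorIsClass: Base.prototype.constructor === Base,
    derivedCtorIsClass: Derived.prototype.constructor === Derived,
    // Every argument is forwarded to the parent constructor unchanged.
    forwardedArgCount: implicit.args.length,
    forwardedSameAsExplicit:
      JSON.stringify(implicit.args) === JSON.stringify(explicit.args),
    // The prototype chain is the same whether or not a constructor was written.
    chainIntact: implicit instanceof Derived && implicit instanceof Recorder,
    // All four constructors report a formal parameter count of 0:
    // a rest parameter does not count toward Function.prototype.length.
    baseLength: Base.length,
    derivedLength: Derived.length,
    explicitLengths: BaseExplicit.length + DerivedExplicit.length,
  };
}
```

The point worth carrying away is that nothing about the instance reveals whether the constructor was written or generated: same `constructor` property, same prototype chain, same arguments delivered to the parent.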
2015-03-16  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac
        https://bugs.webkit.org/show_bug.cgi?id=142747

        Reviewed by Chris Dumez.

        * CMakeLists.txt:
        Include AugmentableInspectorController.h in CMake build.

2015-03-16  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Enable generating idiv instructions if it is supported
        https://bugs.webkit.org/show_bug.cgi?id=142725

        Reviewed by Michael Saboff.

        * assembler/ARMAssembler.h: Added sdiv and udiv implementations for the ARM Traditional instruction set.
        (JSC::ARMAssembler::sdiv):
        (JSC::ARMAssembler::udiv):
        * assembler/ARMv7Assembler.h: Use HAVE(ARM_IDIV_INSTRUCTIONS) instead of CPU(APPLE_ARMV7S).
        * assembler/AbstractMacroAssembler.h:
        (JSC::isARMv7IDIVSupported):
        (JSC::optimizeForARMv7IDIVSupported):
        (JSC::isARMv7s): Renamed to isARMv7IDIVSupported().
        (JSC::optimizeForARMv7s): Renamed to optimizeForARMv7IDIVSupported().
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2015-03-15  Filip Pizlo  <fpizlo@apple.com>

        DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source, and emit GetStacks when the stack's value is needed and none is deferred
        https://bugs.webkit.org/show_bug.cgi?id=141624

        Reviewed by Geoffrey Garen.

        Not eliminating GetStacks was an obvious omission from the original PutStackSinkingPhase.
        Previously, we would treat GetStacks conservatively and assume that the stack slot
        escaped. That's pretty dumb, since a GetStack is a local load of the stack. This change
        makes GetStack a no-op from the standpoint of this phase's deferral analysis. At the end
        we either keep the GetStack (if there was no concrete deferral) or we replace it with an
        identity over the value that would have been stored by the deferred PutStack. Note that
        this might be a Phi that the phase creates, so this is strictly stronger than what GCSE
        could do.

        But this change revealed the fact that this phase never correctly handled side effects in
        the case where we had done a GetStack, then a side-effect, and then found ourselves wanting the
        value on the stack due to (for example) a Phi on a deferred PutStack and that GetStack.
        Basically, it's only correct to use the SSA converter's incoming value mapping if we have
        a concrete deferral - since anything but a concrete deferral may imply that the value has
        been clobbered.

        This has no performance change. I believe that the bug was previously benign because we
        have so few operations that clobber the stack anymore, and most of those get used in a
        very idiomatic way. The GetStack elimination will be very useful for the varargs
        simplification that is part of bug 141174.

        This includes a test for the case that Speedometer hit, plus tests for the other cases I
        thought of once I realized the deeper issue.

        * dfg/DFGPutStackSinkingPhase.cpp:
        * tests/stress/get-stack-identity-due-to-sinking.js: Added.
        (foo):
        (bar):
        * tests/stress/get-stack-mapping-with-dead-get-stack.js: Added.
        (bar):
        (foo):
        * tests/stress/get-stack-mapping.js: Added.
        (bar):
        (foo):
        * tests/stress/weird-put-stack-varargs.js: Added.
        (baz):
        (foo):
        (fuzz):
        (bar):

2015-03-16  Joseph Pecoraro  <pecoraro@apple.com>

        Update Map/Set to treat -0 and 0 as the same value
        https://bugs.webkit.org/show_bug.cgi?id=142709

        Reviewed by Csaba Osztrogonác.

        * runtime/MapData.h:
        (JSC::MapDataImpl<Entry>::KeyType::KeyType):
        No longer special-case -0. It will be treated as the same as 0.

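The entry above changes key comparison in the engine's Map/Set storage so that -0 and +0 collapse to one key. The following is an added example, not JSC code or part of the ChangeLog, showing the observable behaviour (SameValueZero equality, with the stored key normalized to +0) and a minimal key-normalization step of the kind a map implementation needs; `normalizeKey` and `sameValueZero` are illustrative helpers written for this example, not engine functions.

```javascript
// Added example (not JSC code): -0 and +0 are the same Map/Set key
// (SameValueZero), and the stored key is normalized to +0.

function zeroKeyReport() {
  const map = new Map();
  map.set(-0, 'stored under -0');
  map.set(0, 'overwritten via +0');   // same key: size stays 1

  const set = new Set([0, -0, 0.0]);   // three spellings of one key

  const storedKey = [...map.keys()][0];
  return {
    mapSize: map.size,
    setSize: set.size,
    lookupWithPlusZero: map.get(0),
    lookupWithMinusZero: map.get(-0),
    hasMinusZero: set.has(-0),
    // Map.prototype.set replaces a -0 key with +0 before storing it,
    // so iteration never yields -0 even though -0 was inserted first.
    storedKeyIsPlusZero: Object.is(storedKey, 0),
    // NaN is the other special case: it equals itself under SameValueZero,
    // unlike under `===`.
    nanIsOneKey: new Set([NaN, NaN]).size,
  };
}

// Illustrative helpers (not engine code): fold -0 into +0 before a key is
// hashed or compared, and compare with SameValueZero semantics.
function normalizeKey(key) {
  if (typeof key === 'number' && key === 0) return 0;  // `-0 === 0` is true
  return key;
}

function sameValueZero(a, b) {
  if (typeof a === 'number' && typeof b === 'number') {
    return a === b || (Number.isNaN(a) && Number.isNaN(b));
  }
  return a === b;
}
```

Normalizing at insertion time, rather than only at comparison time, is what keeps iteration consistent with lookup: once -0 has been folded, no later code path can observe which sign the caller originally used.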
2015-03-15  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better handle displaying -0
        https://bugs.webkit.org/show_bug.cgi?id=142708

        Reviewed by Timothy Hatcher.

        Modeled after a blink change:

        Patch by <aandrey@chromium.org>
        DevTools: DevTools: Show -0 for negative zero in console
        https://src.chromium.org/viewvc/blink?revision=162605&view=revision

        * inspector/InjectedScriptSource.js:
        When creating a description string, or preview value string
        for -0, be sure the string is "-0" and not "0".

2015-03-14  Ryosuke Niwa  <rniwa@webkit.org>

        parseClass should popScope after pushScope
        https://bugs.webkit.org/show_bug.cgi?id=142689

        Reviewed by Benjamin Poulain.

        Pop the parser scope as needed.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):

2015-03-14  Dean Jackson  <dino@apple.com>

        Feature flag for Animations Level 2
        https://bugs.webkit.org/show_bug.cgi?id=142699
        <rdar://problem/20165097>

        Reviewed by Brent Fulgham.

        Add ENABLE_CSS_ANIMATIONS_LEVEL_2 and a runtime flag animationTriggersEnabled.

        * Configurations/FeatureDefines.xcconfig:

2015-03-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r181487.
        https://bugs.webkit.org/show_bug.cgi?id=142695

        Caused Speedometer/Full.html to fail (Requested by smfr on
        #webkit).

        Reverted changeset:

        "DFG::PutStackSinkingPhase should eliminate GetStacks that
        have an obviously known source"
        https://bugs.webkit.org/show_bug.cgi?id=141624
        http://trac.webkit.org/changeset/181487

2015-03-14  Michael Saboff  <msaboff@apple.com>

        ES6: Add binary and octal literal support
        https://bugs.webkit.org/show_bug.cgi?id=142681

        Reviewed by Ryosuke Niwa.

        Added a binary literal parser function, parseBinary(), to Lexer patterned after the octal parser.
        Refactored parseBinary, parseOctal and parseDecimal to use a constant size for the number of
        characters to try and handle directly. Factored out the shifting past any prefix to be handled by
        the caller. Added binary and octal parsing to toDouble() via helper functions.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseHex):
        (JSC::Lexer<T>::parseBinary):
        (JSC::Lexer<T>::parseOctal):
        (JSC::Lexer<T>::parseDecimal):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        * parser/ParserTokens.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::jsBinaryIntegerLiteral):
        (JSC::jsOctalIntegerLiteral):
        (JSC::toDouble):

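The entry above adds `0b`/`0o` literals to the lexer and to `toDouble()`, with the prefix consumed by the caller and the digits accumulated by a per-radix helper. The following is an added example, not JSC code or part of the ChangeLog, that reproduces that structure in JavaScript (`parseDigits` and `parseIntegerLiteral` are illustrative functions written for this example, not the Lexer's) and cross-checks the result against the engine's own source literals and `Number()`. It also shows the two input-validation cases a parser like this has to reject, an out-of-range digit and an empty digit string, and the difference from `parseInt`, which does not know these prefixes.

```javascript
// Added example (not JSC code): how `0b`/`0o`/`0x` integer literals are
// read, written in the same shape as the Lexer's parseBinary/parseOctal/
// parseHex (prefix handled by the caller, digits accumulated into a double),
// then cross-checked against the engine.

// Parse the digits after the prefix in the given radix. Returns NaN for an
// invalid digit or an empty digit string.
function parseDigits(digits, radix) {
  if (digits.length === 0) return NaN;
  let value = 0;
  for (const ch of digits) {
    const d = parseInt(ch, 16);          // '0'..'9','a'..'f' -> 0..15, else NaN
    if (Number.isNaN(d) || d >= radix) return NaN;
    value = value * radix + d;           // a double: exact up to 2^53
  }
  return value;
}

// The caller strips the prefix, as the lexer does after this change.
function parseIntegerLiteral(text) {
  const radixForPrefix = { b: 2, B: 2, o: 8, O: 8, x: 16, X: 16 };
  if (text.length < 3 || text[0] !== '0') return NaN;
  const radix = radixForPrefix[text[1]];
  if (radix === undefined) return NaN;
  return parseDigits(text.slice(2), radix);
}

function literalReport() {
  return {
    binary: parseIntegerLiteral('0b1010'),
    octal: parseIntegerLiteral('0o17'),
    hex: parseIntegerLiteral('0XfF'),
    badBinaryDigit: parseIntegerLiteral('0b102'),   // '2' is not a binary digit
    badOctalDigit: parseIntegerLiteral('0o8'),      // '8' is not an octal digit
    noDigits: parseIntegerLiteral('0b'),            // prefix with nothing after it
    // The engine agrees, both for source literals and for Number() (toDouble()).
    sourceLiterals: [0b1010, 0o17, 0xff],
    numberConversion: [Number('0b1010'), Number('0o17'), Number('0xff')],
    // parseInt knows only the 0x prefix; it stops at the 'b' / 'o' and returns 0.
    parseIntStopsAtPrefix: [parseInt('0b1010'), parseInt('0o17')],
  };
}
```

The `parseInt` row is the practical caveat: code that validates or converts numeric strings with `parseInt` silently accepts `'0b1010'` as 0, while `Number()` and the lexer read it as 10, so a check written with one and a consumer written with the other disagree about the same input.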
2015-03-13  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=142680

        Reviewed by Gyuyoung Kim.

        * PlatformMac.cmake:
        Generate TracingDtrace.h based on project.pbxproj.

2015-03-13  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking phase shouldn't re-decorate previously sunken allocations on each fixpoint operation
        https://bugs.webkit.org/show_bug.cgi?id=142686

        Reviewed by Oliver Hunt.

        Just because promoteHeapAccess() notifies us of an effect to a heap location in a node doesn't
        mean that we should handle it as if it was for one of our sinking candidates. Instead we should
        prune based on m_sinkCandidates.

        This fixes a benign bug where we would generate a lot of repeated IR for some pathological
        tests.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):

2015-03-13  Eric Carlson  <eric.carlson@apple.com>

        [Mac] Enable WIRELESS_PLAYBACK_TARGET
        https://bugs.webkit.org/show_bug.cgi?id=142635

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2015-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        Class constructor should throw TypeError when "called"
        https://bugs.webkit.org/show_bug.cgi?id=142566

        Reviewed by Michael Saboff.

        Added ConstructorKind::None to denote code that doesn't belong to an ES6 class.
        This allows BytecodeGenerator to emit code to throw TypeError when generating the code block
        to call ES6 class constructors.

        Most of the changes are about increasing the number of bits to store ConstructorKind from one
        bit to two bits.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::ExecutableInfo::needsActivation):
        (JSC::ExecutableInfo::usesEval):
        (JSC::ExecutableInfo::isStrictMode):
        (JSC::ExecutableInfo::isConstructor):
        (JSC::ExecutableInfo::isBuiltinFunction):
        (JSC::ExecutableInfo::constructorKind):
        (JSC::UnlinkedFunctionExecutable::constructorKind):
        (JSC::UnlinkedCodeBlock::constructorKind):
        (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Deleted.
        (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate): Don't emit bytecode when we had already emitted code
        to throw TypeError.
        (JSC::BytecodeGenerator::BytecodeGenerator): Emit code to throw TypeError when generating
        code to call.
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::constructorKind):
        (JSC::BytecodeGenerator::constructorKindIsDerived): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::FunctionBodyNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo): Renamed the incoming function argument to
        ownerClassKind. Set constructorKind to Base or Derived only if we're parsing a constructor.
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass): Don't parse static methods using MethodMode since that
        would result in BytecodeGenerator erroneously treating a static method named "constructor" as
        a class constructor.
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        * parser/ParserModes.h:
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):

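The entry above makes a class constructor's call code block throw, and separately stops the parser from mistaking a static method named "constructor" for the class constructor. The following is an added example, not JSC code or part of the ChangeLog, that exercises both from script: every way of reaching the constructor through [[Call]] (a plain call, `.call`, `.apply`, `prototype.constructor`) throws TypeError, while [[Construct]] paths (`new`, `Reflect.construct`) work and the static method remains an ordinary function. The class name is made up.

```javascript
// Added example (not JSC code): an ES6 class constructor is [[Construct]]-only.
// Invoking it as a plain function must throw TypeError however the call is
// spelled, while a static method that happens to be named "constructor" is
// an ordinary function. Class names are made up.

class Point {
  constructor(x, y) { this.x = x; this.y = y; }
  // Not the class constructor: a static method with that name.
  static constructor() { return 'static method named constructor'; }
}

// Returns the name of the error thrown, or 'no throw'.
function errorNameOf(fn) {
  try { fn(); return 'no throw'; } catch (e) { return e.name; }
}

function classCallReport() {
  return {
    newWorks: new Point(1, 2).y,
    plainCall: errorNameOf(() => Point(1, 2)),
    // `.call`/`.apply` still go through [[Call]], so they throw too; a class
    // cannot be used as a function to initialize an arbitrary receiver.
    viaCall: errorNameOf(() => Point.call({}, 1, 2)),
    viaApply: errorNameOf(() => Point.apply({}, [1, 2])),
    // Reaching the same function through the prototype changes nothing.
    viaPrototype: errorNameOf(() => Point.prototype.constructor(1, 2)),
    // Reflect.construct uses [[Construct]] and is fine.
    viaReflect: Reflect.construct(Point, [3, 4]).x,
    // The static method is unrelated to construction and shadows
    // Function.prototype.constructor on the class object.
    staticMethod: Point.constructor(),
    // Ordinary functions remain callable both ways.
    functionCall: errorNameOf(() => (function F() {})()),
  };
}
```

The `viaCall` and `viaApply` rows are the ones that matter for code that used to rely on `Parent.call(this, ...)` style inheritance: once `Parent` is an ES6 class, that pattern throws rather than silently initializing the receiver.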
2015-03-13  Filip Pizlo  <fpizlo@apple.com>

        DFG::PutStackSinkingPhase should eliminate GetStacks that have an obviously known source
        https://bugs.webkit.org/show_bug.cgi?id=141624

        Reviewed by Oliver Hunt.

        This was an obvious omission from the original PutStackSinkingPhase. Previously, we would treat
        GetStacks conservatively and assume that the stack slot escaped. That's pretty dumb, since a
        GetStack is a local load of the stack. This change makes GetStack a no-op from the standpoint of
        this phase's deferral analysis. At the end we either keep the GetStack (if there was no concrete
        deferral) or we replace it with an identity over the value that would have been stored by the
        deferred PutStack. Note that this might be a Phi that the phase creates, so this is strictly
        stronger than what GCSE could do.

        This is probably not a speed-up now, but it will be very useful for the varargs simplification
        done in bug 141174.

        * dfg/DFGPutStackSinkingPhase.cpp:

2015-03-12  Geoffrey Garen  <ggaren@apple.com>

        Prohibit GC while sweeping
        https://bugs.webkit.org/show_bug.cgi?id=142638

        Reviewed by Andreas Kling.

        I noticed in https://bugs.webkit.org/show_bug.cgi?id=142636 that a GC
        could trigger a sweep which could trigger another GC. Yo Dawg.

        I tried to figure out whether this could cause problems or not and it
        made me cross-eyed.

        (Some clients like to report extra memory cost during deallocation as a
        way to indicate that the GC now owns something exclusively. It's
        arguably a bug to communicate with the GC in this way, but we shouldn't
        go crazy when this happens.)

        This patch makes explicit the fact that we don't allow GC while sweeping.

        Usually, sweeping implicitly defers GC by virtue of happening during
        allocation. But not always.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Defer GC while sweeping due to an
        explicit GC request.

        (JSC::Heap::didFinishCollection): Make sure that the zombifying sweep
        defers GC by not returning to the non-GC state until we're all done.

        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::sweepNextBlock): Defer GC while sweeping due
        to a timer.

2015-03-13  Mark Lam  <mark.lam@apple.com>

        Replace TCSpinLock with a new WTF::SpinLock based on WTF::Atomic.
        <https://webkit.org/b/142674>

        Reviewed by Filip Pizlo.

        * API/JSValue.mm:
        (handerForStructTag):
        * API/JSWrapperMap.mm:
        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing):
        (JSC::DFG::isCrashing):
        - Changed to use a StaticSpinLock since that's what this code was trying to do
          anyway.
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        * heap/CopiedSpace.h:
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        * heap/GCThreadSharedData.h:
        * heap/ListableHandler.h:
        (JSC::ListableHandler::List::List):
        * parser/SourceProvider.cpp:
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addDatabaseToAtExit):
        (JSC::Profiler::Database::removeDatabaseFromAtExit):
        (JSC::Profiler::Database::removeFirstAtExitDatabase):

2015-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        BytecodeGenerator needs to be re-entrant to support miranda functions
        https://bugs.webkit.org/show_bug.cgi?id=142627

        Reviewed by Filip Pizlo.

        Made CodeCache::getGlobalCodeBlock and CodeCache::getFunctionExecutableFromGlobalCode re-entrant
        by not keeping AddResult while invoking BytecodeGenerator::generate.

        This is needed to support Miranda functions since they need to be lazily initialized.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::findCacheAndUpdateAge): Extracted from add.
        (JSC::CodeCacheMap::addCache): Extracted from add.
        (JSC::CodeCacheMap::add): Deleted.

2015-03-13  Mark Lam  <mark.lam@apple.com>

        Introduce WTF::Atomic to wrap std::atomic for a friendlier CAS.
        <https://webkit.org/b/142661>

        Reviewed by Filip Pizlo.

        Changed CodeBlock and the DFG's crashLock to use WTF::Atomic instead of
        std::atomic.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing):

2015-03-12  Mark Lam  <mark.lam@apple.com>

        Change the DFG crashLock to use std::atomic.
        <https://webkit.org/b/142649>

        Reviewed by Filip Pizlo.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing):
        (JSC::DFG::isCrashing):

2015-03-12  Filip Pizlo  <fpizlo@apple.com>

        Bytecode liveness analysis should have more lambdas and fewer sets
        https://bugs.webkit.org/show_bug.cgi?id=142647

        Reviewed by Mark Lam.

        In bug 141174 I'll need to identify all of the bytecode kill sites. This requires hooking into
        the bytecode analysis' stepOverFunction method, except in such a way that we observe uses that
        are not in outs. This refactors stepOverFunction so that you can pass it use/def functors that
        can either be used to propagate outs (as we do right now) or to additionally detect kills or
        whatever else.

        In order to achieve this, the liveness analysis was moved off of maintaining uses/defs
        bitvectors. This wasn't helping the abstraction and was probably inefficient. The new code
        should be a bit faster since we don't have to clear uses/defs bitvectors on each instruction. On
        the other hand, being able to intercept each use means that our code for exception handlers is
        no longer a bitwise-merge; it requires finding set bits. Fortunately, this code only kicks in
        for instructions inside a try, and its performance is O(live at catch), so that's probably not
        bad.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::indexForOperand):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        (JSC::setForOperand): Deleted.
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:

2015-03-12  Ryosuke Niwa  <rniwa@webkit.org>

        "this" should be in TDZ until super is called in the constructor of a derived class
        https://bugs.webkit.org/show_bug.cgi?id=142527

        Reviewed by Mark Hahnenberg.

        DFG and FTL implementations co-authored by Filip Pizlo.

        In ES6 class syntax, the "this" register must be in the "temporal dead zone" (TDZ) and throw ReferenceError until
        super() is called inside the constructor of a derived class.

        Added op_check_tdz, a new OP code, which throws a reference error when the first operand is an empty value,
        to all tiers of JIT and LLint. The op code throws in the slow path on the basis that a TDZ error should be
        a programming error and not a part of the program's normal control flow. In DFG, this op code is represented
        by a no-op must-generate node CheckNotEmpty modeled after CheckCell.

        Also made the constructor of a derived class assign the empty value to the "this" register rather than undefined
        so that ThisNode can emit the op_check_tdz to check the initialized-ness of "this" in such a constructor.

        * bytecode/BytecodeList.json: Added op_check_tdz.
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset): Ditto.
        (JSC::computeDefsForBytecodeOffset): Ditto.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): Ditto.
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString): Added TDZFailure.
        * bytecode/ExitKind.h: Ditto.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): Assign the empty value to the "this" register to indicate it's in TDZ.
        (JSC::BytecodeGenerator::emitTDZCheck): Added.
        (JSC::BytecodeGenerator::emitReturn): Emit the TDZ check since "this" can still be in TDZ if super() was never
        called. e.g. class B extends A { constructor() { } }
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode): Always emit the TDZ check if we're inside the constructor of a derived class.
        We can't omit this check even if the result was ignored, per spec.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Previously, the empty value could never appear
        in a local variable. This is no longer true, so generalize this code. Also added the support for CheckNotEmpty.
        Like CheckCell, we phantomize this DFG node in the constant folding phase if the type of the operand is already
        found to be not empty. Otherwise filter out SpecEmpty.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Added op_check_tdz.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel): op_check_tdz can be compiled and inlined.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): CheckNotEmpty doesn't read or write values.
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): Convert CheckNotEmpty to a phantom if non-emptiness had already
        been proven for the operand prior to this node.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC): CheckNotEmpty does not trigger GC.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): CheckNotEmpty is a no-op in the fixup phase.
        * dfg/DFGNodeType.h: CheckNotEmpty cannot be removed even if the result was ignored. See ThisNode::emitBytecode.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): CheckNotEmpty doesn't return any value.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute): CheckNotEmpty doesn't load from the heap, so it's safe.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Speculate that the operand is not empty. OSR exit if the speculation fails.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): CheckNotEmpty can be compiled in FTL.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode): Calls compileCheckNotEmpty for CheckNotEmpty.
        (JSC::FTL::LowerDFGToLLVM::compileCheckNotEmpty): OSR exit with "TDZFailure" if the operand is not empty.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass): Added op_check_tdz.
        (JSC::JIT::privateCompileSlowCases): Ditto.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_tdz): Implements op_check_tdz in the Baseline JIT.
        (JSC::JIT::emitSlow_op_check_tdz): Ditto.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_tdz): Ditto.
        (JSC::JIT::emitSlow_op_check_tdz): Ditto.
        * llint/LowLevelInterpreter32_64.asm: Implements op_check_tdz in LLint.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Throws a reference error for op_check_tdz. Shared by LLint and the Baseline JIT.
        * runtime/CommonSlowPaths.h:
        * tests/stress/class-syntax-no-loop-tdz.js: Added.
        * tests/stress/class-syntax-no-tdz-in-catch.js: Added.
        * tests/stress/class-syntax-no-tdz-in-conditional.js: Added.
        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: Added.
        * tests/stress/class-syntax-no-tdz-in-loop.js: Added.
        * tests/stress/class-syntax-no-tdz.js: Added.
        * tests/stress/class-syntax-tdz-in-catch.js: Added.
        * tests/stress/class-syntax-tdz-in-conditional.js: Added.
        * tests/stress/class-syntax-tdz-in-loop.js: Added.
        * tests/stress/class-syntax-tdz.js: Added.

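The entry above represents an uninitialized `this` with the engine's internal empty value and guards every read of it, including the implicit return, with op_check_tdz. From a security standpoint the check matters because the empty value is an engine-internal sentinel that must never become observable from script, which is why the entry insists the DFG node is must-generate even when its result is unused. The following is an added example, not JSC code or part of the ChangeLog, that drives each case the entry's stress tests are named after from script: `this` before `super()`, a constructor that never calls `super()`, `super()` on only one branch of a conditional, and the one shape that legitimately never initializes `this`, a constructor that returns its own object. The class names are made up.

```javascript
// Added example (not JSC code): in a derived-class constructor `this` is in
// the temporal dead zone until super() returns. Every path that reads `this`
// before then, including the implicit `return this` at the end of the
// constructor, throws ReferenceError; a constructor that explicitly returns
// an object never reads `this` and does not throw. Class names are made up.

class Base {
  constructor() { this.fromBase = true; }
}

// `this` touched before super().
class TooEarly extends Base {
  constructor() { this.x = 1; super(); }
}

// super() never called: the implicit return reads `this`, which is still empty.
class NeverCallsSuper extends Base {
  constructor() { }
}

// super() on one path only: `this` is initialized only if that branch ran,
// so the same constructor succeeds or throws depending on its argument.
class ConditionalSuper extends Base {
  constructor(callSuper) {
    if (callSuper) super();
    this.y = 2;
  }
}

// Returning an object bypasses `this` entirely, so no TDZ check fires even
// though super() was never called.
class ReturnsObject extends Base {
  constructor() { return { substitute: true }; }
}

// Returns the constructor's result, or the name of the error it threw.
function outcome(fn) {
  try { return fn(); } catch (e) { return e.name; }
}

function tdzReport() {
  return {
    tooEarly: outcome(() => new TooEarly()),
    neverCallsSuper: outcome(() => new NeverCallsSuper()),
    conditionalWithout: outcome(() => new ConditionalSuper(false)),
    conditionalWith: outcome(() => new ConditionalSuper(true).y),
    returnsObject: outcome(() => new ReturnsObject().substitute),
    wellFormed: outcome(() =>
      new (class extends Base { constructor() { super(); } })().fromBase),
  };
}
```

The `conditionalWithout` case is the reason the check has to be a runtime test on the register rather than a static property of the constructor: whether `this` is initialized at a given point depends on which path executed, which is exactly what the empty-value sentinel records.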
186602015-03-12 Yusuke Suzuki <utatane.tea@gmail.com>
18661
18662 Integrate MapData into JSMap and JSSet
18663 https://bugs.webkit.org/show_bug.cgi?id=142556
18664
18665 Reviewed by Filip Pizlo.
18666
18667 This patch integrates MapData into JSMap and JSSet.
18668 This removes 2 object allocation per one JSMap / JSSet.
18669
18670 MapDataImpl is specialized into MapData and SetData.
18671 In the case of SetData, it does not have the dummy values
18672 previously stored in the MapDataImpl. So the storage size of SetData
18673 becomes the half of the previous implementation.
18674
18675 And now MapData and SetData are completely integrated into JSMap and JSSet,
18676 these structures are not exposed to the other code even in WebCore world.
18677
18678 And at the same time, this patch fixes missing destroy functions
18679 in JSMapIterator and JSSetIterator.
18680 They are needed because MapData::const_iterator is a non-trivial destructor.
18681
18682 * CMakeLists.txt:
18683 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
18684 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
18685 * JavaScriptCore.xcodeproj/project.pbxproj:
18686 * runtime/JSMap.cpp:
18687 (JSC::JSMap::destroy):
18688 (JSC::JSMap::visitChildren):
18689 (JSC::JSMap::copyBackingStore):
18690 (JSC::JSMap::has):
18691 (JSC::JSMap::size):
18692 (JSC::JSMap::get):
18693 (JSC::JSMap::set):
18694 (JSC::JSMap::clear):
18695 (JSC::JSMap::remove):
18696 (JSC::JSMap::finishCreation): Deleted.
18697 * runtime/JSMap.h:
18698 (JSC::JSMap::Entry::key):
18699 (JSC::JSMap::Entry::value):
18700 (JSC::JSMap::Entry::visitChildren):
18701 (JSC::JSMap::Entry::setKey):
18702 (JSC::JSMap::Entry::setKeyWithoutWriteBarrier):
18703 (JSC::JSMap::Entry::setValue):
18704 (JSC::JSMap::Entry::clear):
18705 (JSC::JSMap::begin):
18706 (JSC::JSMap::end):
18707 (JSC::JSMap::JSMap):
18708 (JSC::JSMap::mapData): Deleted.
18709 * runtime/JSMapIterator.cpp:
18710 (JSC::JSMapIterator::finishCreation):
18711 (JSC::JSMapIterator::destroy):
18712 (JSC::JSMapIterator::visitChildren):
18713 * runtime/JSMapIterator.h:
18714 (JSC::JSMapIterator::JSMapIterator):
18715 * runtime/JSSet.cpp:
18716 (JSC::JSSet::destroy):
18717 (JSC::JSSet::visitChildren):
18718 (JSC::JSSet::copyBackingStore):
18719 (JSC::JSSet::has):
18720 (JSC::JSSet::size):
18721 (JSC::JSSet::add):
18722 (JSC::JSSet::clear):
18723 (JSC::JSSet::remove):
18724 (JSC::JSSet::finishCreation): Deleted.
18725 * runtime/JSSet.h:
18726 (JSC::JSSet::Entry::key):
18727 (JSC::JSSet::Entry::value):
18728 (JSC::JSSet::Entry::visitChildren):
18729 (JSC::JSSet::Entry::setKey):
18730 (JSC::JSSet::Entry::setKeyWithoutWriteBarrier):
18731 (JSC::JSSet::Entry::setValue):
18732 (JSC::JSSet::Entry::clear):
18733 (JSC::JSSet::begin):
18734 (JSC::JSSet::end):
18735 (JSC::JSSet::JSSet):
18736 (JSC::JSSet::mapData): Deleted.
18737 * runtime/JSSetIterator.cpp:
18738 (JSC::JSSetIterator::finishCreation):
18739 (JSC::JSSetIterator::visitChildren):
18740 (JSC::JSSetIterator::destroy):
18741 * runtime/JSSetIterator.h:
18742 (JSC::JSSetIterator::JSSetIterator):
18743 * runtime/MapConstructor.cpp:
18744 (JSC::constructMap):
18745 * runtime/MapData.h:
18746 (JSC::MapDataImpl::const_iterator::key):
18747 (JSC::MapDataImpl::const_iterator::value):
18748 (JSC::MapDataImpl::size):
18749 (JSC::MapDataImpl<Entry>::MapDataImpl):
18750 (JSC::MapDataImpl<Entry>::clear):
18751 (JSC::MapDataImpl<Entry>::KeyType::KeyType):
18752 (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement):
18753 (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot):
18754 (JSC::MapDataImpl<Entry>::const_iterator::const_iterator):
18755 (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator):
18756 (JSC::MapDataImpl<Entry>::const_iterator::operator):
18757 (JSC::=):
18758 (JSC::MapData::const_iterator::key): Deleted.
18759 (JSC::MapData::const_iterator::value): Deleted.
18760 (JSC::MapData::create): Deleted.
18761 (JSC::MapData::createStructure): Deleted.
18762 (JSC::MapData::size): Deleted.
18763 (JSC::MapData::clear): Deleted.
18764 (JSC::MapData::KeyType::KeyType): Deleted.
18765 (JSC::MapData::const_iterator::internalIncrement): Deleted.
18766 (JSC::MapData::const_iterator::ensureSlot): Deleted.
18767 (JSC::MapData::const_iterator::const_iterator): Deleted.
18768 (JSC::MapData::const_iterator::~const_iterator): Deleted.
18769 (JSC::MapData::const_iterator::operator*): Deleted.
18770 (JSC::MapData::const_iterator::end): Deleted.
18771 (JSC::MapData::const_iterator::operator!=): Deleted.
18772 (JSC::MapData::const_iterator::operator==): Deleted.
18773 * runtime/MapDataInlines.h: Renamed from Source/JavaScriptCore/runtime/MapData.cpp.
18774 (JSC::MapDataImpl<Entry>::find):
18775 (JSC::MapDataImpl<Entry>::contains):
18776 (JSC::MapDataImpl<Entry>::add):
18777 (JSC::MapDataImpl<Entry>::set):
18778 (JSC::MapDataImpl<Entry>::get):
18779 (JSC::MapDataImpl<Entry>::remove):
18780 (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore):
18781 (JSC::MapDataImpl<Entry>::replaceBackingStore):
18782 (JSC::MapDataImpl<Entry>::ensureSpaceForAppend):
18783 (JSC::MapDataImpl<Entry>::visitChildren):
18784 (JSC::MapDataImpl<Entry>::copyBackingStore):
18785 * runtime/MapPrototype.cpp:
18786 (JSC::getMap):
18787 (JSC::mapProtoFuncClear):
18788 (JSC::mapProtoFuncDelete):
18789 (JSC::mapProtoFuncForEach):
18790 (JSC::mapProtoFuncGet):
18791 (JSC::mapProtoFuncHas):
18792 (JSC::mapProtoFuncSet):
18793 (JSC::mapProtoFuncSize):
18794 (JSC::getMapData): Deleted.
18795 * runtime/SetPrototype.cpp:
18796 (JSC::getSet):
18797 (JSC::setProtoFuncAdd):
18798 (JSC::setProtoFuncClear):
18799 (JSC::setProtoFuncDelete):
18800 (JSC::setProtoFuncForEach):
18801 (JSC::setProtoFuncHas):
18802 (JSC::setProtoFuncSize):
18803 (JSC::getMapData): Deleted.
18804 * runtime/VM.cpp:
18805 (JSC::VM::VM):
18806 * runtime/VM.h:
18807
18808 2015-03-12 Mark Lam <mark.lam@apple.com>
18809
18810 Use std::atomic for CodeBlock::m_visitAggregateHasBeenCalled.
18811 <https://webkit.org/b/142640>
18812
18813 Reviewed by Mark Hahnenberg.
18814
18815 We used to spin our own compare and swap on a uint8_t. Now that we can
18816 use C++11, let's use std::atomic instead.
18817
18818 * bytecode/CodeBlock.cpp:
18819 (JSC::CodeBlock::visitAggregate):
18820 - The CAS here needs std::memory_order_acquire ordering because it
18821 requires lock acquisition semantics to visit the CodeBlock.
18822
18823 * bytecode/CodeBlock.h:
18824 (JSC::CodeBlockSet::mark):
18825 * heap/CodeBlockSet.cpp:
18826 (JSC::CodeBlockSet::clearMarksForFullCollection):
18827 (JSC::CodeBlockSet::clearMarksForEdenCollection):
18828 - These can go with relaxed ordering because they are all done before
18829 the GC starts parallel marking.
18830
18831 2015-03-12 Csaba Osztrogonác <ossy@webkit.org>
18832
18833 [cmake] Fix the incremental build issue revealed by r181419
18834 https://bugs.webkit.org/show_bug.cgi?id=142613
18835
18836 Reviewed by Carlos Garcia Campos.
18837
18838 * CMakeLists.txt:
18839
18840 2015-03-11 Ryosuke Niwa <rniwa@webkit.org>
18841
18842 "static" should not be a reserved keyword in non-strict mode even when ES6 class is enabled
18843 https://bugs.webkit.org/show_bug.cgi?id=142600
18844
18845 Reviewed by Mark Lam.
18846
18847 Make "static" RESERVED_IF_STRICT and manually detect it in parseClass.
18848
18849 No new tests. This is already checked by js/reserved-words.html and js/keywords-and-reserved_words.html
18850
18851 * parser/Keywords.table:
18852 * parser/Parser.cpp:
18853 (JSC::Parser<LexerType>::parseClass):
18854 * parser/ParserTokens.h:
18855
18856 2015-03-11 Geoffrey Garen <ggaren@apple.com>
18857
18858 Many users of Heap::reportExtraMemory* are wrong, causing lots of memory growth
18859 https://bugs.webkit.org/show_bug.cgi?id=142593
18860
18861 Reviewed by Andreas Kling.
18862
18863 Adopt deprecatedReportExtraMemory as a short-term fix for runaway
18864 memory growth in these cases where we have not adopted
18865 reportExtraMemoryVisited.
18866
18867 Long-term, we should use reportExtraMemoryAllocated+reportExtraMemoryVisited.
18868 That's tracked by https://bugs.webkit.org/show_bug.cgi?id=142595.
18869
18870 * API/JSBase.cpp:
18871 (JSReportExtraMemoryCost):
18872 * runtime/SparseArrayValueMap.cpp:
18873 (JSC::SparseArrayValueMap::add):
18874
18875 2015-03-11 Geoffrey Garen <ggaren@apple.com>
18876
18877 Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious
18878 https://bugs.webkit.org/show_bug.cgi?id=142589
18879
18880 Reviewed by Andreas Kling.
18881
18882 * API/JSBase.cpp:
18883 (JSReportExtraMemoryCost): Added a FIXME to annotate a known bug.
18884
18885 * bytecode/CodeBlock.cpp:
18886 (JSC::CodeBlock::CodeBlock):
18887 (JSC::CodeBlock::visitAggregate):
18888 * bytecode/CodeBlock.h:
18889 (JSC::CodeBlock::setJITCode): Updated for rename.
18890
18891 * heap/Heap.cpp:
18892 (JSC::Heap::Heap):
18893 (JSC::Heap::reportExtraMemoryAllocatedSlowCase):
18894 (JSC::Heap::deprecatedReportExtraMemorySlowCase): Renamed our reporting
18895 APIs to clarify their relationship to each other: One must report extra
18896 memory at the time of allocation, and at the time the GC visits it.
18897
18898 (JSC::Heap::extraMemorySize):
18899 (JSC::Heap::size):
18900 (JSC::Heap::capacity):
18901 (JSC::Heap::sizeAfterCollect):
18902 (JSC::Heap::willStartCollection): Updated for renames. Added explicit
18903 API for deprecated users who can't use our best API.
18904
18905 (JSC::Heap::reportExtraMemoryCostSlowCase): Deleted.
18906 (JSC::Heap::extraSize): Deleted.
18907
18908 * heap/Heap.h:
18909 * heap/HeapInlines.h:
18910 (JSC::Heap::reportExtraMemoryAllocated):
18911 (JSC::Heap::reportExtraMemoryVisited):
18912 (JSC::Heap::deprecatedReportExtraMemory):
18913 (JSC::Heap::reportExtraMemoryCost): Deleted. Ditto.
18914
18915 * heap/SlotVisitor.h:
18916 * heap/SlotVisitorInlines.h:
18917 (JSC::SlotVisitor::reportExtraMemoryVisited):
18918 (JSC::SlotVisitor::reportExtraMemoryUsage): Deleted. Moved this
18919 functionality into the Heap since it's pretty detailed in its access
18920 to the heap.
18921
18922 * runtime/JSArrayBufferView.cpp:
18923 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
18924 * runtime/JSGenericTypedArrayViewInlines.h:
18925 (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Updated for
18926 renames.
18927
18928 * runtime/JSString.cpp:
18929 (JSC::JSString::visitChildren):
18930 (JSC::JSRopeString::resolveRopeToAtomicString):
18931 (JSC::JSRopeString::resolveRope):
18932 * runtime/JSString.h:
18933 (JSC::JSString::finishCreation): Updated for renames.
18934
18935 * runtime/SparseArrayValueMap.cpp:
18936 (JSC::SparseArrayValueMap::add): Added FIXME.
18937
18938 * runtime/WeakMapData.cpp:
18939 (JSC::WeakMapData::visitChildren): Updated for rename.
18940
18941 2015-03-11 Ryosuke Niwa <rniwa@webkit.org>
18942
18943 Calling super() in a base class results in a crash
18944 https://bugs.webkit.org/show_bug.cgi?id=142563
18945
18946 Reviewed by Filip Pizlo.
18947
18948 The bug was caused by BytecodeGenerator trying to generate a "super" expression inside the constructor of a base class.
18949 Disallow that by keeping track of whether "super" has been used in the current scope or not (needsSuperBinding flag)
18950 and then throwing a syntax error in parseFunctionInfo if it was used and the current scope wasn't the constructor of
18951 a derived class.
18952
18953 * parser/Parser.cpp:
18954 (JSC::Parser<LexerType>::parseFunctionInfo): Don't allow super() or super.foo outside the constructor of a derived class.
18955 (JSC::Parser<LexerType>::parseClass): Pass in the constructor kind to parseGetterSetter.
18956 (JSC::Parser<LexerType>::parseGetterSetter): Ditto to parseFunctionInfo.
18957 (JSC::Parser<LexerType>::parseMemberExpression): Set needsSuperBinding flag true on the containing scope.
18958 * parser/Parser.h:
18959 (JSC::Scope::Scope):
18960 (JSC::Scope::needsSuperBinding): Added.
18961 (JSC::Scope::setNeedsSuperBinding): Added.
18962
18963 2015-03-10 Darin Adler <darin@apple.com>
18964
18965 Some event handler fixes
18966 https://bugs.webkit.org/show_bug.cgi?id=142474
18967
18968 Reviewed by Anders Carlsson.
18969
18970 * inspector/InjectedScriptManager.cpp:
18971 (Inspector::InjectedScriptManager::createInjectedScript): Call clearException.
18972 I spotted the fact it was missing by auditing all the calls to JSC::call.
18973
18974 2015-03-10 Matthew Mirman <mmirman@apple.com>
18975
18976 Functions should have initialization precedence over arguments.
18977 https://bugs.webkit.org/show_bug.cgi?id=142550
18978 rdar://problem/19702564
18979
18980 Reviewed by Geoffrey Garen.
18981
18982 * bytecompiler/BytecodeGenerator.cpp:
18983 (JSC::BytecodeGenerator::BytecodeGenerator):
18984 (JSC::BytecodeGenerator::initializeCapturedVariable):
18985 * tests/stress/initialize_functions_after_arguments.js: Added.
18986
18987 2015-03-10 Andreas Kling <akling@apple.com>
18988
18989 Eden collections should trigger sweep of MarkedBlocks containing new objects.
18990 <https://webkit.org/b/142538>
18991
18992 Reviewed by Geoffrey Garen.
18993
18994 Take a snapshot of all MarkedBlocks with new objects as part of Eden collections,
18995 and append that to the IncrementalSweeper's working set.
18996
18997 This ensures that we run destructors for objects that were discovered to be garbage during
18998 Eden collections, instead of delaying their teardown until the next full collection,
18999 or the next allocation cycle for their block.
19000
19001 * heap/Heap.cpp:
19002 (JSC::Heap::snapshotMarkedSpace): For Eden collections, snapshot the list of MarkedBlocks
19003 that contain new objects, since those are the only ones we're interested in.
19004 Also use Vector::resizeToFit() to allocate the snapshot for full collections, since we know
19005 the final size we need up front.
19006
19007 (JSC::Heap::notifyIncrementalSweeper): For Eden collections, tell the IncrementalSweeper
19008 to add the block snapshot (taken earlier) to its existing set of blocks instead of replacing
19009 it entirely. This allows Eden collections and incremental sweeping to occur interleaved with
19010 each other without missing destruction opportunities.
19011
19012 * heap/IncrementalSweeper.h:
19013 * heap/IncrementalSweeper.cpp:
19014 (JSC::IncrementalSweeper::doSweep):
19015 (JSC::IncrementalSweeper::sweepNextBlock): Change the way we iterate over the sweeper's
19016 work list: instead of keeping an index for the next block, just pop from the end of the list.
19017 This allows us to add new blocks and deduplicate the list without disturbing iteration.
19018
19019 (JSC::IncrementalSweeper::startSweeping): Make this take a Vector<MarkedBlock>&& so we can
19020 pass ownership of this Vector efficiently from Heap to IncrementalSweeper.
19021
19022 (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Added. This is used by Eden
19023 collections to add a set of MarkedBlocks with new objects to the sweeper's existing
19024 working set and kick the timer.
19025
19026 * heap/MarkedSpace.h:
19027 (JSC::MarkedSpace::blocksWithNewObjects): Expose the list of MarkedBlocks with new objects.
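
The work-list change described in the entry above (pop from the end so that blocks can be appended and the list deduplicated while a sweep is in progress) can be illustrated with an added example that is not JavaScriptCore code and not part of this ChangeLog. It drains the same vector of block identifiers two ways, once with a running index and once by popping from the back, while a batch of "new" blocks arrives mid-sweep. The `BlockId` alias, `PendingAdds`, `addBlocksAndDeduplicate`, `sweepByIndex`, `sweepByPopping` and `sweptExactlyOnce` are hypothetical names; the deduplication is done with sort+unique, which reorders the vector and is exactly what makes index-based iteration unsafe.

```cpp
// Added example, not JavaScriptCore code: draining a sweeper work list that may
// receive new blocks (and be deduplicated) while the sweep is in progress.
// BlockId and all function names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

using BlockId = int;
// Step number -> blocks appended once that many blocks have been swept. This
// stands in for an Eden collection handing over its blocksWithNewObjects snapshot.
using PendingAdds = std::map<size_t, std::vector<BlockId>>;

// Append the new blocks and remove duplicates. sort+unique reorders the vector,
// which is harmless for a consumer that only ever looks at the back.
void addBlocksAndDeduplicate(std::vector<BlockId>& workList, const std::vector<BlockId>& added)
{
    workList.insert(workList.end(), added.begin(), added.end());
    std::sort(workList.begin(), workList.end());
    workList.erase(std::unique(workList.begin(), workList.end()), workList.end());
}

// Drain by popping from the end. Returns how many times each block was swept.
std::map<BlockId, int> sweepByPopping(std::vector<BlockId> workList, const PendingAdds& pending)
{
    std::map<BlockId, int> sweepCount;
    size_t swept = 0;
    while (!workList.empty()) {
        BlockId block = workList.back();
        workList.pop_back();
        ++sweepCount[block];
        auto adds = pending.find(++swept);
        if (adds != pending.end())
            addBlocksAndDeduplicate(workList, adds->second);
    }
    return sweepCount;
}

// Drain with a running index, the scheme the entry above replaces. Once a
// mid-sweep append sorts and deduplicates the vector, entries shift under the
// index: some blocks get swept twice and others are never swept.
std::map<BlockId, int> sweepByIndex(std::vector<BlockId> workList, const PendingAdds& pending)
{
    std::map<BlockId, int> sweepCount;
    for (size_t index = 0; index < workList.size(); ++index) {
        ++sweepCount[workList[index]];
        auto adds = pending.find(index + 1);
        if (adds != pending.end())
            addBlocksAndDeduplicate(workList, adds->second);
    }
    return sweepCount;
}

// True if exactly `expectedBlocks` distinct blocks were swept, each of them once.
bool sweptExactlyOnce(const std::map<BlockId, int>& counts, size_t expectedBlocks)
{
    if (counts.size() != expectedBlocks)
        return false;
    for (const auto& entry : counts) {
        if (entry.second != 1)
            return false;
    }
    return true;
}

int main()
{
    // Constructed scenario: four blocks in non-sorted order, and block 5
    // arriving after two of them have been swept.
    std::vector<BlockId> blocks = { 4, 3, 2, 1 };
    PendingAdds pending = { { 2, { 5 } } };
    bool popOk = sweptExactlyOnce(sweepByPopping(blocks, pending), 5);
    bool indexOk = sweptExactlyOnce(sweepByIndex(blocks, pending), 5);
    std::printf("pop-from-end: %s; index-based: %s\n", popOk ? "each block once" : "broken",
        indexOk ? "each block once" : "duplicates and skips");
    return popOk && !indexOk ? 0 : 1;
}
```

With the constructed input, the index walk sweeps blocks 3 and 4 twice and never reaches 1 or 2, while the pop-from-end walk sweeps all five blocks exactly once; the only structural difference is that the consumer never holds a position into a vector that someone else may reorder.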
19028
19029 2015-03-10 Alex Christensen <achristensen@webkit.org>
19030
19031 Use unsigned for HashSet size.
19032 https://bugs.webkit.org/show_bug.cgi?id=142518
19033
19034 Reviewed by Benjamin Poulain.
19035
19036 * dfg/DFGAvailabilityMap.cpp:
19037 (JSC::DFG::AvailabilityMap::prune):
19038 * ftl/FTLOSRExitCompiler.cpp:
19039 (JSC::FTL::compileStub):
19040 * heap/MarkedBlockSet.h:
19041 (JSC::MarkedBlockSet::remove):
19042 * runtime/WeakMapData.h:
19043
19044 2015-03-10 Mark Lam <mark.lam@apple.com>
19045
19046 Use std::numeric_limits<unsigned>::max() instead of (unsigned)-1.
19047 <https://webkit.org/b/142539>
19048
19049 Reviewed by Benjamin Poulain.
19050
19051 * jit/JIT.cpp:
19052 (JSC::JIT::JIT):
19053 (JSC::JIT::privateCompileMainPass):
19054 (JSC::JIT::privateCompileSlowCases):
19055 (JSC::JIT::privateCompile):
19056 (JSC::JIT::privateCompileExceptionHandlers):
19057 * jit/JITInlines.h:
19058 (JSC::JIT::emitNakedCall):
19059 (JSC::JIT::addSlowCase):
19060 (JSC::JIT::addJump):
19061 (JSC::JIT::emitJumpSlowToHot):
19062 (JSC::JIT::emitGetVirtualRegister):
19063 * jit/SlowPathCall.h:
19064 (JSC::JITSlowPathCall::call):
19065 * yarr/Yarr.h:
19066
19067 2015-03-10 Mark Lam <mark.lam@apple.com>
19068
19069 [Win] JSC Build Warnings Need to be Resolved.
19070 <https://webkit.org/b/142366>
19071
19072 Reviewed by Brent Fulgham.
19073
19074 Applied some benign changes to make the MSVC compiler happy.
19075
19076 * bytecode/CodeBlock.cpp:
19077 (JSC::CodeBlock::dumpBytecode):
19078 * dfg/DFGSpeculativeJIT32_64.cpp:
19079 (JSC::DFG::SpeculativeJIT::fillJSValue):
19080 * runtime/BasicBlockLocation.cpp:
19081 (JSC::BasicBlockLocation::getExecutedRanges):
19082 * runtime/ControlFlowProfiler.cpp:
19083 (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
19084
19085 2015-03-10 Yusuke Suzuki <utatane.tea@gmail.com>
19086
19087 Upgrade Map, Set and WeakMap constructor interface
19088 https://bugs.webkit.org/show_bug.cgi?id=142348
19089
19090 Reviewed by Filip Pizlo.
19091
19092 In the latest ES6 spec, the Map and Set constructors take their initialization data
19093 as an iterable value, iterate it, and add the values to the newly constructed object.
19094
19095 This is a breaking change because the old constructor interface is
19096 already shipped in Safari 8.
19097
19098 * runtime/MapConstructor.cpp:
19099 (JSC::callMap):
19100 (JSC::constructMap):
19101 (JSC::MapConstructor::getCallData):
19102 * runtime/SetConstructor.cpp:
19103 (JSC::callSet):
19104 (JSC::constructSet):
19105 * runtime/WeakMapConstructor.cpp:
19106 (JSC::callWeakMap):
19107 (JSC::constructWeakMap):
19108 (JSC::WeakMapConstructor::getCallData):
19109 * tests/stress/map-constructor-adder.js: Added.
19110 * tests/stress/map-constructor.js: Added.
19111 (testCallTypeError):
19112 (testTypeError):
19113 (for):
19114 * tests/stress/set-constructor-adder.js: Added.
19115 (Set.prototype.add):
19116 * tests/stress/set-constructor.js: Added.
19117 (for):
19118 * tests/stress/weak-map-constructor-adder.js: Added.
19119 * tests/stress/weak-map-constructor.js: Added.
19120 (testCallTypeError):
19121 (testTypeError):
19122 (for):
19123
19124 2015-03-10 Michael Catanzaro <mcatanzaro@igalia.com>
19125
19126 GCC: CRASH() should be annotated with NORETURN
19127 https://bugs.webkit.org/show_bug.cgi?id=142524
19128
19129 Reviewed by Anders Carlsson.
19130
19131 Don't return from a NORETURN function. This used to avoid a warning from GCC, but now it
19132 causes one.
19133
19134 * jsc.cpp:
19135
19136 2015-03-10 Mark Lam <mark.lam@apple.com>
19137
19138 Gardening: fix bleeding debug test bots.
19139 <https://webkit.org/b/142513>
19140
19141 Not reviewed.
19142
19143 The test needs to initialize WTF threading explicitly before using it.
19144
19145 * API/tests/CompareAndSwapTest.cpp:
19146 (testCompareAndSwap):
19147
19148 2015-03-10 Alex Christensen <achristensen@webkit.org>
19149
19150 [WinCairo] Unreviewed build fix.
19151
19152 * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
19153 Added directory containing config.h, like r181304.
19154
19155 2015-03-09 Mark Lam <mark.lam@apple.com>
19156
19157 Yet another build fix for Windows.
19158 <https://webkit.org/b/142513>
19159
19160 Reviewed by Alex Christensen.
19161
19162 Looks like MSVC requires the function be explicitly declared in a header file
19163 in order for it to be linkable from another file in the same project. This is
19164 strange, but it seems to make MSVC happy.
19165
19166 Also fixed a typo in testapi.vcxproj.filters.
19167
19168 * API/tests/CompareAndSwapTest.cpp:
19169 * API/tests/CompareAndSwapTest.h: Added.
19170 * API/tests/testapi.c:
19171 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
19172 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
19173 * JavaScriptCore.xcodeproj/project.pbxproj:
19174
19175 2015-03-09 Chris Dumez <cdumez@apple.com>
19176
19177 [iOS] Sweep all collected objects on critical memory pressure
19178 https://bugs.webkit.org/show_bug.cgi?id=142457
19179 <rdar://problem/20044440>
19180
19181 Reviewed by Geoffrey Garen.
19182
19183 Add fullSweep() API to IncrementalSweeper so that we can call it in the
19184 memory pressure handler.
19185
19186 * heap/IncrementalSweeper.cpp:
19187 (JSC::IncrementalSweeper::fullSweep):
19188 * heap/IncrementalSweeper.h:
19189 (JSC::IncrementalSweeper::hasWork):
19190
19191 2015-03-09 Mark Lam <mark.lam@apple.com>
19192
19193 Another build fix for Windows.
19194 <https://webkit.org/b/142513>
19195
19196 Not reviewed.
19197
19198 * API/tests/CompareAndSwapTest.cpp:
19199 - Added JS_EXPORT_PRIVATE attribute.
19200
19201 2015-03-09 Mark Lam <mark.lam@apple.com>
19202
19203 Build fix for Windows after r181305.
19204 <https://webkit.org/b/142513>
19205
19206 Reviewed by Alex Christensen.
19207
19208 Windows doesn't like pthreads anymore. Changed test to use WTF threading.
19209
19210 * API/tests/CompareAndSwapTest.cpp:
19211 (setBitThreadFunc):
19212 (testCompareAndSwap):
19213
19214 2015-03-09 Mark Lam <mark.lam@apple.com>
19215
19216 8-bit version of weakCompareAndSwap() can cause an infinite loop.
19217 <https://webkit.org/b/142513>
19218
19219 Reviewed by Filip Pizlo.
19220
19221 Added a test that exercises the 8-bit CAS from multiple threads. The threads
19222 will contend to set bits in a large array of bytes using the CAS function.
19223
19224 * API/tests/CompareAndSwapTest.cpp: Added.
19225 (Bitmap::Bitmap):
19226 (Bitmap::numBits):
19227 (Bitmap::clearAll):
19228 (Bitmap::concurrentTestAndSet):
19229 (setBitThreadFunc):
19230 (testCompareAndSwap):
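
As an added example (not JavaScriptCore code and not part of this ChangeLog), the following C++ shows the pattern that both the std::atomic change to CodeBlock::m_visitAggregateHasBeenCalled earlier on this page and this CompareAndSwapTest entry depend on: several threads contend to claim bits in a byte array through an 8-bit compare-and-swap loop whose expected value is refreshed after every failed attempt, so the loop cannot spin forever under contention. `ByteBitmap`, `concurrentTestAndSet` and `runContendedTestAndSet` are hypothetical names chosen to mirror the test description; they are not JSC's Bitmap or WTF::weakCompareAndSwap, and std::atomic<uint8_t>::compare_exchange_weak stands in for the WTF primitive.

```cpp
// Added example, not JavaScriptCore code: a byte-granular bitmap whose bits are
// claimed from several threads with an 8-bit compare-and-swap loop, in the spirit
// of the CompareAndSwapTest described in the ChangeLog. All names are hypothetical.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <thread>
#include <vector>

class ByteBitmap {
public:
    // vector(n) value-initializes each atomic<uint8_t>, so every bit starts at 0.
    explicit ByteBitmap(size_t numBits)
        : m_bytes((numBits + 7) / 8)
    {
    }

    size_t numBits() const { return m_bytes.size() * 8; }

    // Atomically sets bit `index`. Returns true if this call flipped the bit from 0
    // to 1 (the caller "won" the bit), false if another thread had already set it.
    bool concurrentTestAndSet(size_t index)
    {
        std::atomic<uint8_t>& byte = m_bytes[index / 8];
        const uint8_t mask = static_cast<uint8_t>(1u << (index % 8));
        uint8_t expected = byte.load(std::memory_order_relaxed);
        for (;;) {
            if (expected & mask)
                return false;
            // On failure compare_exchange_weak reloads `expected` with the byte's
            // current value, so each iteration either lands our write or observes
            // the bit already set. A CAS that did not refresh its expected value
            // would spin forever under contention, which is the 8-bit bug the test
            // above exercises. Success uses acquire/release ordering, mirroring the
            // lock-acquisition semantics the CodeBlock::visitAggregate CAS needs.
            if (byte.compare_exchange_weak(expected, static_cast<uint8_t>(expected | mask),
                    std::memory_order_acq_rel, std::memory_order_relaxed))
                return true;
        }
    }

    bool isSet(size_t index) const
    {
        return m_bytes[index / 8].load(std::memory_order_acquire) & (1u << (index % 8));
    }

private:
    std::vector<std::atomic<uint8_t>> m_bytes;
};

struct ContentionResult {
    size_t wins;     // successful test-and-set calls summed over all threads
    bool allBitsSet; // every bit ended up set
};

// `numThreads` threads (at least one) race to set every bit, each starting at a
// different offset so they collide on the same bytes. With a correct CAS each bit
// is won exactly once: wins == numBits rounded up to whole bytes, all bits set.
ContentionResult runContendedTestAndSet(size_t numBits, unsigned numThreads)
{
    ByteBitmap bitmap(numBits);
    std::vector<size_t> winsPerThread(numThreads, 0);
    std::vector<std::thread> threads;
    for (unsigned t = 0; t < numThreads; ++t) {
        threads.emplace_back([&bitmap, &winsPerThread, t, numThreads] {
            size_t wins = 0;
            size_t total = bitmap.numBits();
            size_t start = total * t / numThreads;
            for (size_t k = 0; k < total; ++k) {
                if (bitmap.concurrentTestAndSet((start + k) % total))
                    ++wins;
            }
            winsPerThread[t] = wins; // each thread writes only its own slot
        });
    }
    for (auto& thread : threads)
        thread.join(); // join() makes every thread's writes visible here

    size_t totalWins = 0;
    for (size_t wins : winsPerThread)
        totalWins += wins;
    bool allSet = true;
    for (size_t i = 0; i < bitmap.numBits(); ++i)
        allSet = allSet && bitmap.isSet(i);
    return { totalWins, allSet };
}

int main()
{
    ContentionResult result = runContendedTestAndSet(1u << 16, 8);
    std::printf("wins=%zu allBitsSet=%d\n", result.wins, result.allBitsSet ? 1 : 0);
    return result.wins == (1u << 16) && result.allBitsSet ? 0 : 1;
}
```

Run stand-alone it spins up eight threads over 65536 bits and exits non-zero if any bit was won twice or left unset. The ordering split follows the reasoning in the std::atomic entry: the winning CAS acts as a lock acquisition and gets acquire semantics, while a failed attempt only loops and can use relaxed ordering.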
19231 * API/tests/testapi.c:
19232 (main):
19233 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
19234 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
19235 * JavaScriptCore.xcodeproj/project.pbxproj:
19236
19237 2015-03-09 Brent Fulgham <bfulgham@apple.com>
19238
19239 [Win] testapi project is unable to find the 'config.h' file.
19240
19241 Rubberstamped by Mark Lam.
19242
19243 * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add JavaScriptCore source directory
19244 to the include path.
19245
19246 2015-03-09 Andreas Kling <akling@apple.com>
19247
19248 Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily.
19249 <https://webkit.org/b/142115>
19250 <rdar://problem/19992268>
19251
19252 Reviewed by Geoffrey Garen.
19253
19254 Prune stale entries from WeakGCMaps as part of every full garbage collection.
19255 This frees up tons of previously-stuck WeakBlocks that were only sitting around
19256 with finalized handles waiting to die.
19257
19258 Note that WeakGCMaps register/unregister themselves with the GC heap in their
19259 ctor/dtor, so creating one now requires passing the VM.
19260
19261 Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears
19262 to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms.
19263 It seems somewhat excessive to do this on every Eden collection, so it's only
19264 doing work in full collections for now.
19265
19266 Because the GC may now mutate WeakGCMap below object allocation, I've made it
19267 so that the classic HashMap::add() optimization can't be used with WeakGCMap.
19268 This caused intermittent test failures when originally landed due to having
19269 an invalid iterator on the stack after add() inserted a new entry and we
19270 proceeded to allocate the new object, triggering GC.
19271
19272 * API/JSWeakObjectMapRefInternal.h:
19273 (OpaqueJSWeakObjectMap::create):
19274 (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap):
19275 * API/JSWeakObjectMapRefPrivate.cpp:
19276 * API/JSWrapperMap.mm:
19277 (-[JSWrapperMap initWithContext:]):
19278 (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor.
19279
19280 * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make
19281 it project-private so WebCore clients can access it.
19282
19283 * heap/Heap.cpp:
19284 (JSC::Heap::collect):
19285 (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning
19286 stale entries from WeakGCMaps. This is only executed during full collections.
19287
19288 * heap/Heap.h:
19289 * heap/HeapInlines.h:
19290 (JSC::Heap::registerWeakGCMap):
19291 (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register
19292 themselves with the Heap and provide a pruning callback.
19293
19294 * runtime/PrototypeMap.h:
19295 (JSC::PrototypeMap::PrototypeMap):
19296 * runtime/Structure.cpp:
19297 (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor.
19298
19299 * runtime/JSCInlines.h: Add "WeakGCMapInlines.h"
19300
19301 * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds.
19302
19303 * runtime/JSString.cpp:
19304 (JSC::jsStringWithCacheSlowCase):
19305 * runtime/PrototypeMap.cpp:
19306 (JSC::PrototypeMap::addPrototype):
19307 (JSC::PrototypeMap::emptyObjectStructureForPrototype): Remove HashMap add()
19308 optimization since it's not safe in the GC-managed WeakGCMap world.
19309
19310 * runtime/VM.cpp:
19311 (JSC::VM::VM): Pass VM to WeakGCMap constructor.
19312
19313 * runtime/WeakGCMap.h:
19314 (JSC::WeakGCMap::set):
19315 (JSC::WeakGCMap::add):
19316 (JSC::WeakGCMap::WeakGCMap): Deleted.
19317 (JSC::WeakGCMap::gcMap): Deleted.
19318 (JSC::WeakGCMap::gcMapIfNeeded): Deleted.
19319 * runtime/WeakGCMapInlines.h: Added.
19320 (JSC::WeakGCMap::WeakGCMap):
19321 (JSC::WeakGCMap::~WeakGCMap):
19322 (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback
19323 to WeakGCMapInlines.h to fix interdependent header issues. Removed code that
19324 prunes WeakGCMap at certain growth milestones and instead rely on the GC
19325 callback for housekeeping.
19326
19327 2015-03-09 Ryosuke Niwa <rniwa@webkit.org>
19328
19329 Support extends and super keywords
19330 https://bugs.webkit.org/show_bug.cgi?id=142200
19331
19332 Reviewed by Filip Pizlo.
19333
19334 Added the support for ES6 class syntax inheritance.
19335
19336 Added ConstructorKind as well as boolean flags indicating the constructor kind to
19337 various classes in UnlinkedCodeBlock as well as AST nodes.
19338
19339 Each method stores the associated class as its homeObjectPrivateName. This value is used to
19340 make super calls.
19341
19342 * bytecode/UnlinkedCodeBlock.cpp:
19343 (JSC::generateFunctionCodeBlock):
19344 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
19345 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
19346
19347 * bytecode/UnlinkedCodeBlock.h:
19348 (JSC::ExecutableInfo::ExecutableInfo):
19349 (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Added.
19350 (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Added.
19351
19352 * bytecompiler/BytecodeGenerator.cpp:
19353 (JSC::BytecodeGenerator::BytecodeGenerator): Don't emit op_create_this in a derived class
19354 as the object is allocated by the highest base class's constructor. Also set "this" to null
19355 and store the original value in m_newTargetRegister. "this" is supposed to be in TDZ but
19356 that will be implemented in a separate patch.
19357 (JSC::BytecodeGenerator::emitReturn): Allow "undefined" to be returned from a derived class.
19358 In a derived class's constructor, not returning "undefined" or an object results in a type
19359 error instead of "this" being returned.
19360 (JSC::BytecodeGenerator::emitThrowTypeError): Added.
19361
19362 * bytecompiler/BytecodeGenerator.h:
19363 (JSC::BytecodeGenerator::constructorKindIsDerived): Added.
19364 (JSC::BytecodeGenerator::newTarget): Added.
19365
19366 * bytecompiler/NodesCodegen.cpp:
19367 (JSC::SuperNode::emitBytecode): Added. Emits the code to obtain the callee's parent class.
19368 (JSC::emitSuperBaseForCallee): Added. Emits the code to obtain the parent class's prototype.
19369 (JSC::emitPutHomeObject): Added.
19370 (JSC::PropertyListNode::emitBytecode): Stores the home object when adding methods.
19371 (JSC::PropertyListNode::emitPutConstantProperty): Ditto.
19372 (JSC::BracketAccessorNode::emitBytecode): Added the support for super['foo'].
19373 (JSC::DotAccessorNode::emitBytecode): Added the support for super.foo.
19374 (JSC::FunctionCallValueNode::emitBytecode): Added the support for super().
19375 (JSC::FunctionCallBracketNode::emitBytecode): Added the support for super['foo']().
19376 (JSC::FunctionCallDotNode::emitBytecode): Added the support for super.foo().
19377 (JSC::DeleteBracketNode::emitBytecode): Forbid "delete super.foo".
19378 (JSC::DeleteDotNode::emitBytecode): Forbid "delete super['foo']".
19379 (JSC::ClassExprNode::emitBytecode): Added the support for "classHeritage". This is the main
19380 logic for inheritance. When a class B inherits from a class A, set B.__proto__ to A and set
19381 B.prototype.__proto__ to A.prototype. Throw exceptions when either A or A.__proto__ is not
19382 an object.
19383
19384 * parser/ASTBuilder.h:
19385 (JSC::ASTBuilder::superExpr): Added.
19386
19387 * parser/NodeConstructors.h:
19388 (JSC::SuperNode::SuperNode): Added.
19389
19390 * parser/Nodes.cpp:
19391 (JSC::FunctionBodyNode::FunctionBodyNode):
19392
19393 * parser/Nodes.h:
19394 (JSC::ExpressionNode::isSuperNode):
19395 (JSC::PropertyNode::type):
19396 (JSC::PropertyNode::needsSuperBinding):
19397
19398 * parser/Parser.cpp:
19399 (JSC::Parser<LexerType>::parseFunctionBody):
19400 (JSC::Parser<LexerType>::parseFunctionInfo): Throw a parser error if super() is used outside
19401 of class constructors.
19402 (JSC::Parser<LexerType>::parseFunctionDeclaration):
19403 (JSC::Parser<LexerType>::parseClass): ConstructorKind is "derived" if and only if the parent
19404 class is specified in the declaration / expression.
19405 (JSC::Parser<LexerType>::parseGetterSetter):
19406 (JSC::Parser<LexerType>::parsePrimaryExpression):
19407 (JSC::Parser<LexerType>::parseMemberExpression): Added the support for "super()", "super.foo",
19408 and "super['foo']". Throw a semantic error if "super" appears by itself.
19409
19410 * parser/Parser.h:
19411 (JSC::Scope::Scope): Added m_hasDirectSuper. This variable keeps track of the use of "super()"
19412 so that parseFunctionInfo can spit an error if it's used outside of class constructors.
19413 (JSC::Scope::hasDirectSuper): Added.
19414 (JSC::Scope::setHasDirectSuper): Added.
19415
19416 * parser/ParserModes.h:
19417 (JSC::ConstructorKind): Added.
19418
19419 * parser/SyntaxChecker.h:
19420 (JSC::SyntaxChecker::superExpr): Added.
19421
19422 * runtime/CommonIdentifiers.h: Added homeObjectPrivateName.
19423
19424 * runtime/Executable.h:
19425 (JSC::EvalExecutable::executableInfo):
19426 (JSC::ProgramExecutable::executableInfo):
19427
19428 2015-03-08 Andreas Kling <akling@apple.com>
19429
19430 JITThunks keeps finalized Weaks around, pinning WeakBlocks.
19431 <https://webkit.org/b/142454>
19432
19433 Reviewed by Darin Adler.
19434
19435 Make JITThunks a WeakHandleOwner so it can keep its host function map free of stale entries.
19436 This fixes an issue I was seeing where a bunch of WeakBlocks stuck around with nothing but
19437 finalized Weak<NativeExecutable> entries.
19438
19439 * jit/JITThunks.h:
19440 * jit/JITThunks.cpp:
19441 (JSC::JITThunks::finalize): Make JITThunks inherit from WeakHandleOwner so it can receive
19442 a callback when the NativeExecutables get garbage collected.
19443
19444 (JSC::JITThunks::hostFunctionStub): Pass 'this' as the handle owner when creating Weaks.
19445
19446 2015-03-08 Andreas Kling <akling@apple.com>
19447
19448 BuiltinExecutables keeps finalized Weaks around, pinning WeakBlocks.
19449 <https://webkit.org/b/142460>
19450
19451 Reviewed by Geoffrey Garen.
19452
19453 Make BuiltinExecutables a WeakHandleOwner so it can clear out its respective Weak members
19454 if and when their pointees get garbage collected.
19455
19456 This fixes an issue I've seen locally where a WeakBlock is pinned down by a single one of
19457 these Weak<BuiltinExecutables>.
19458
19459 * builtins/BuiltinExecutables.h: Make BuiltinExecutables inherit from WeakHandleOwner.
19460
19461 * builtins/BuiltinExecutables.cpp:
19462 (JSC::BuiltinExecutables::finalize): Clear out the relevant member pointer when it's been
19463 garbage collected. We use the WeakImpl's "context" field to pass the address of the member.
19464
19465 2015-03-07 Geoffrey Garen <ggaren@apple.com>
19466
19467 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
19468 https://bugs.webkit.org/show_bug.cgi?id=140900
19469
19470 Reviewed by Mark Hahnenberg.
19471
19472 Re-landing just the removal of BlockAllocator, which is now unused.
19473
19474 * API/JSBase.cpp:
19475 * CMakeLists.txt:
19476 * JavaScriptCore.order:
19477 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19478 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
19479 * JavaScriptCore.xcodeproj/project.pbxproj:
19480 * heap/BlockAllocator.cpp: Removed.
19481 * heap/BlockAllocator.h: Removed.
19482 * heap/GCThreadSharedData.h:
19483 * heap/HandleBlockInlines.h:
19484 * heap/Heap.cpp:
19485 (JSC::Heap::Heap):
19486 * heap/Heap.h:
19487 * heap/HeapInlines.h:
19488 (JSC::Heap::blockAllocator): Deleted.
19489 * heap/HeapTimer.cpp:
19490 * heap/MarkedBlock.h:
19491 * heap/MarkedSpace.h:
19492 * heap/Region.h: Removed.
19493 * heap/SuperRegion.cpp: Removed.
19494 * heap/SuperRegion.h: Removed.
19495
19496 2015-03-07 Commit Queue <commit-queue@webkit.org>
19497
19498 Unreviewed, rolling out r181010.
19499 https://bugs.webkit.org/show_bug.cgi?id=142442
19500
19501 Broke media/video-src-invalid-poster.html (Requested by kling
19502 on #webkit).
19503
19504 Reverted changeset:
19505
19506 "Stale entries in WeakGCMaps are keeping tons of WeakBlocks
19507 alive unnecessarily."
19508 https://bugs.webkit.org/show_bug.cgi?id=142115
19509 http://trac.webkit.org/changeset/181010
19510
19511 2015-03-07 Ryosuke Niwa <rniwa@webkit.org>
19512
19513 The code to link FunctionExecutable is duplicated everywhere
19514 https://bugs.webkit.org/show_bug.cgi?id=142436
19515
19516 Reviewed by Darin Adler.
19517
19518 Reduced code duplication by factoring out linkInsideExecutable and linkGlobalCode.
19519
19520 * bytecode/CodeBlock.cpp:
19521 (JSC::CodeBlock::CodeBlock): Calls linkInsideExecutable.
19522
19523 * bytecode/UnlinkedCodeBlock.cpp:
19524 (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Renamed from link. Now takes care of startOffset.
19525 This change was needed to use this function in CodeBlock::CodeBlock. Also, this function no longer takes
19526 lineOffset since this information is already stored in the source code.
19527 (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Extracted from FunctionExecutable::fromGlobalCode.
19528
19529 * bytecode/UnlinkedCodeBlock.h:
19530
19531 * generate-js-builtins: Calls linkGlobalCode.
19532
19533 * runtime/Executable.cpp:
19534 (JSC::ProgramExecutable::initializeGlobalProperties): Calls linkGlobalCode.
19535 (JSC::FunctionExecutable::fromGlobalCode): Calls linkGlobalCode.
19536
19537 2015-03-06 Geoffrey Garen <ggaren@apple.com>
19538
19539 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
19540 https://bugs.webkit.org/show_bug.cgi?id=140900
19541
19542 Reviewed by Mark Hahnenberg.
19543
19544 Re-landing just the MarkedBlock piece of this patch.
19545
19546 * heap/MarkedAllocator.cpp:
19547 (JSC::MarkedAllocator::allocateBlock):
19548 * heap/MarkedBlock.cpp:
19549 (JSC::MarkedBlock::create):
19550 (JSC::MarkedBlock::destroy):
19551 (JSC::MarkedBlock::MarkedBlock):
19552 * heap/MarkedBlock.h:
19553 (JSC::MarkedBlock::capacity):
19554 * heap/MarkedSpace.cpp:
19555 (JSC::MarkedSpace::freeBlock):
19556
19557 2015-03-07 Ryosuke Niwa <rniwa@webkit.org>
19558
19559 fromGlobalCode has an unused Debugger* argument
19560 https://bugs.webkit.org/show_bug.cgi?id=142430
19561
19562 Reviewed by Darin Adler.
19563
19564 Removed the debugger argument from UnlinkedFunctionExecutable::fromGlobalCode and
19565 FunctionExecutable::fromGlobalCode since it's not used in either function.
19566
19567 Also use references for the other arguments.
19568
19569 * bytecode/UnlinkedCodeBlock.cpp:
19570 (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
19571 * bytecode/UnlinkedCodeBlock.h:
19572 * runtime/Executable.cpp:
19573 (JSC::FunctionExecutable::fromGlobalCode):
19574 * runtime/Executable.h:
19575 * runtime/FunctionConstructor.cpp:
19576 (JSC::constructFunctionSkippingEvalEnabledCheck):
19577
19578 2015-03-06 Brent Fulgham <bfulgham@apple.com>
19579
19580 [Win] Turn off a warning on Windows.
19581
19582 Reduce build logging noise on Windows.
19583
19584 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
19585
19586 2015-03-06 Joseph Pecoraro <pecoraro@apple.com>
19587
19588 Web Inspector: ES6: Improved Support for Iterator Objects
19589 https://bugs.webkit.org/show_bug.cgi?id=142420
19590
19591 Reviewed by Timothy Hatcher.
19592
19593 * inspector/protocol/Runtime.json:
19594 Add new object subtype "iterator" for built-in iterator objects.
19595
19596 * inspector/InjectedScriptSource.js:
19597 Return iterator values as Entry objects.
19598
19599 * inspector/JSInjectedScriptHost.cpp:
19600 (Inspector::JSInjectedScriptHost::subtype):
19601 Identify "iterator" typed objects.
19602
19603 (Inspector::JSInjectedScriptHost::getInternalProperties):
19604 Provide internal properties for the different Iterator objects.
19605
19606 (Inspector::JSInjectedScriptHost::iteratorEntries):
19607 Fetch the next few iterator entries of a built-in iterator object.
19608
19609 * inspector/JSInjectedScriptHost.h:
19610 * inspector/JSInjectedScriptHostPrototype.cpp:
19611 (Inspector::JSInjectedScriptHostPrototype::finishCreation):
19612 (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
19613 Call through to JSInjectedScriptHost.
19614
19615 * runtime/JSArgumentsIterator.cpp:
19616 (JSC::JSArgumentsIterator::clone):
19617 * runtime/JSArgumentsIterator.h:
19618 (JSC::JSArgumentsIterator::iteratedValue):
19619 * runtime/JSArrayIterator.cpp:
19620 (JSC::JSArrayIterator::kind):
19621 (JSC::JSArrayIterator::iteratedValue):
19622 (JSC::JSArrayIterator::clone):
19623 * runtime/JSArrayIterator.h:
19624 * runtime/JSMapIterator.cpp:
19625 (JSC::JSMapIterator::finishCreation):
19626 (JSC::JSMapIterator::clone):
19627 * runtime/JSMapIterator.h:
19628 (JSC::JSMapIterator::kind):
19629 (JSC::JSMapIterator::iteratedValue):
19630 * runtime/JSSetIterator.cpp:
19631 (JSC::JSSetIterator::finishCreation):
19632 (JSC::JSSetIterator::clone):
19633 * runtime/JSSetIterator.h:
19634 (JSC::JSSetIterator::kind):
19635 (JSC::JSSetIterator::iteratedValue):
19636 * runtime/JSStringIterator.cpp:
19637 (JSC::JSStringIterator::iteratedValue):
19638 (JSC::JSStringIterator::clone):
19639 * runtime/JSStringIterator.h:
19640 Add accessors for internal properties and provide a way to clone the
19641 iterator so we can be at the same index and peek at the next few
19642 objects without modifying the original iterator object.
19643
2015-03-06 Ryosuke Niwa <rniwa@webkit.org>

        REGRESSION(r180595): construct varargs fails in FTL
        https://bugs.webkit.org/show_bug.cgi?id=142030

        Reviewed by Michael Saboff.

        Increase sizeOfCallVarargs as done for sizeOfConstructVarargs in r180651.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCallVarargs):

2015-03-06 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Adopt Object Literal Shorthand Property Construction Syntax
        https://bugs.webkit.org/show_bug.cgi?id=142374

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:

2015-03-06 Joseph Pecoraro <pecoraro@apple.com>

        ES6: Object Literal Extensions - Methods
        https://bugs.webkit.org/show_bug.cgi?id=142390

        Reviewed by Geoffrey Garen.

        Support method syntax in object literals.

        * parser/Parser.h:
        * parser/Parser.cpp:
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseProperty):
        Methods are allowed for identifier, string, and numeric names,
        and computed property names.

        (JSC::Parser<LexerType>::parsePropertyMethod):
        Helper for parsing a property method.

2015-03-05 Joseph Pecoraro <pecoraro@apple.com>

        __proto__ shorthand property should not modify prototype in Object Literal construction
        https://bugs.webkit.org/show_bug.cgi?id=142382

        Reviewed by Geoffrey Garen.

        When parsing shorthand property syntax we know we will do a
        put direct, even if the property name is __proto__. Pass that
        information through to bytecode generation.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitPutConstantProperty):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::putType):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createProperty):

2015-03-06 Geoffrey Garen <ggaren@apple.com>

        Fix crashes seen on the 32-bit buildbots after my last patch.

        Unreviewed.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::payload):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize): Round up to the right alignment,
        since the size of the CopiedBlock class is not guaranteed to be the
        right alignment, and is in fact the wrong alignment on 32-bit.

2015-03-05 Geoffrey Garen <ggaren@apple.com>

        Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
        https://bugs.webkit.org/show_bug.cgi?id=140900

        Reviewed by Mark Hahnenberg.

        Re-landing just the CopiedBlock piece of this patch.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::destroy):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::isOversize):
        (JSC::CopiedBlock::payloadEnd):
        (JSC::CopiedBlock::capacity):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::recycleEvacuatedBlock):
        (JSC::CopiedSpace::recycleBorrowedBlock):
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        (JSC::CopiedSpace::allocateBlock):
        (JSC::CopiedSpace::startedCopying):
        * heap/CopyWorkList.h:

2015-03-06 Myles C. Maxfield <mmaxfield@apple.com>

        [iOS] SVG fonts are garbled
        https://bugs.webkit.org/show_bug.cgi?id=142377

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2015-03-05 Joseph Pecoraro <pecoraro@apple.com>

        ES6: Object Literal Extensions - Shorthand Properties (Identifiers)
        https://bugs.webkit.org/show_bug.cgi?id=142353

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        An identifier property followed by a comma or end brace is treated
        as a shorthand property: create a property that has the same
        property name as the identifier name and the value of a variable with that
        identifier. Otherwise, fall through to getter/setter parsing.

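The three object-literal parser changes above (shorthand properties, method syntax, and the `__proto__` shorthand not touching the prototype) are all observable from script. The following is an added example, not JavaScriptCore's own code; it checks which literal forms set an object's [[Prototype]] and which merely define an own property named `__proto__`, a distinction that matters whenever objects are built from externally supplied keys.

```javascript
// Added example, not JavaScriptCore's own code: exercises the object literal
// features described in the entries above from script, where they are observable.

// Shorthand property: `{ answer }` is sugar for `{ answer: answer }`.
function shorthandProperty() {
  const answer = 42;
  const o = { answer };
  return o.answer;
}

// Method syntax is allowed for identifier, string, numeric and computed names.
// Each form creates an ordinary writable, enumerable own data property whose
// value is a function.
function methodSyntax() {
  const suffix = "puted";
  const o = {
    plain() { return "plain"; },
    "quoted name"() { return "quoted"; },
    7() { return "numeric"; },
    ["com" + suffix]() { return "computed"; },
  };
  const desc = Object.getOwnPropertyDescriptor(o, "plain");
  return {
    plain: o.plain(),
    quoted: o["quoted name"](),
    numeric: o[7](),
    computed: o.computed(),
    ordinaryDataProperty: desc.writable && desc.enumerable && typeof desc.value === "function",
  };
}

// __proto__ in an object literal: only the `__proto__: value` form (identifier
// or string-literal key) sets the [[Prototype]]. The shorthand, method and
// computed-key forms define an ordinary own property named "__proto__" and
// leave the prototype untouched.
function protoForms() {
  const proto = { fromProto: true };
  const __proto__ = proto; // plain binding named __proto__, read by the shorthand form

  const colon = { __proto__: proto };
  const quoted = { "__proto__": proto };
  const shorthand = { __proto__ };
  const method = { __proto__() { return "method"; } };
  const computed = { ["__proto__"]: proto };

  const own = (o) => Object.prototype.hasOwnProperty.call(o, "__proto__");
  return {
    colonSetsPrototype: Object.getPrototypeOf(colon) === proto && !own(colon),
    quotedSetsPrototype: Object.getPrototypeOf(quoted) === proto && !own(quoted),
    shorthandIsOwnProperty: Object.getPrototypeOf(shorthand) === Object.prototype && own(shorthand),
    methodIsOwnProperty: Object.getPrototypeOf(method) === Object.prototype && own(method),
    computedIsOwnProperty: Object.getPrototypeOf(computed) === Object.prototype && own(computed),
  };
}
```
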
2015-03-05 Brent Fulgham <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        Confirmed with JSC that warning 4611 (interaction between '_setjmp' and C++ object
        destruction is non-portable) should be ignored in the JavaScriptCore project.

        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Silence warning 4611.

2015-03-05 Chris Dumez <cdumez@apple.com>

        Regression(r173761): ASSERTION FAILED: !is8Bit() in StringImpl::characters16()
        https://bugs.webkit.org/show_bug.cgi?id=142350

        Reviewed by Michael Saboff and Benjamin Poulain.

        Call WTFString::hasInfixStartingAt() / hasInfixEndingAt() now that these
        methods have been renamed for clarity.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):

2015-03-05 Yusuke Suzuki <utatane.tea@gmail.com>

        Implement ES6 StringIterator
        https://bugs.webkit.org/show_bug.cgi?id=142080

        Reviewed by Filip Pizlo.

        This patch introduces ES6 String Iterator.
        It enumerates code points instead of elements in String.
        So surrogate pairs should be handled correctly.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/StringIterator.prototype.js: Added.
        (next):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSStringIterator.cpp: Added.
        (JSC::JSStringIterator::finishCreation):
        * runtime/JSStringIterator.h: Added.
        (JSC::JSStringIterator::createStructure):
        (JSC::JSStringIterator::create):
        (JSC::JSStringIterator::JSStringIterator):
        * runtime/StringIteratorConstructor.cpp: Added.
        (JSC::StringIteratorConstructor::finishCreation):
        * runtime/StringIteratorConstructor.h: Added.
        (JSC::StringIteratorConstructor::create):
        (JSC::StringIteratorConstructor::createStructure):
        (JSC::StringIteratorConstructor::StringIteratorConstructor):
        * runtime/StringIteratorPrototype.cpp: Added.
        (JSC::StringIteratorPrototype::finishCreation):
        (JSC::StringIteratorPrototype::getOwnPropertySlot):
        (JSC::stringIteratorPrototypeIterator):
        * runtime/StringIteratorPrototype.h: Added.
        (JSC::StringIteratorPrototype::create):
        (JSC::StringIteratorPrototype::createStructure):
        (JSC::StringIteratorPrototype::StringIteratorPrototype):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncIterator):
        * tests/stress/string-iterators.js: Added.
        (testSurrogatePair):
        (increment):
        (for):

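The entry above says the String iterator walks code points, not UTF-16 elements, so a surrogate pair comes out as one value. The following added example (not the builtins/StringIterator.prototype.js code from the patch) is a script-level model of that `next` algorithm, checked against the engine's own String iterator on constructed sample strings including lone and reversed surrogates.

```javascript
// Added example, not JavaScriptCore's own code: a script-level model of the
// StringIterator `next` algorithm. It walks UTF-16 code units and yields a
// high/low surrogate pair as one element, as the built-in iterator does.
function createStringIterator(str) {
  const s = String(str);
  let position = 0; // index of the next code unit to read

  return {
    next() {
      const len = s.length;
      if (position >= len) {
        position = len; // stay exhausted on repeated calls
        return { value: undefined, done: true };
      }
      const first = s.charCodeAt(position);
      let result = s[position];
      // A high surrogate followed by a low surrogate forms one code point:
      // hand back both code units together so callers see a single element.
      if (first >= 0xD800 && first <= 0xDBFF && position + 1 < len) {
        const second = s.charCodeAt(position + 1);
        if (second >= 0xDC00 && second <= 0xDFFF) {
          result = s.substring(position, position + 2);
        }
      }
      // A lone surrogate (either half, or a reversed pair) is yielded as-is,
      // one code unit at a time.
      position += result.length;
      return { value: result, done: false };
    },
    [Symbol.iterator]() { return this; },
  };
}

// Drain the iterator into an array of elements.
function codePointElements(str) {
  const out = [];
  const it = createStringIterator(str);
  for (let r = it.next(); !r.done; r = it.next()) out.push(r.value);
  return out;
}

// Cross-check against the engine's own String iterator (spread uses it).
function matchesBuiltin(str) {
  const ours = codePointElements(str);
  const builtin = [...str];
  return ours.length === builtin.length && ours.every((v, i) => v === builtin[i]);
}

// Constructed sample: "a" + U+1F600 (a surrogate pair) + "b".
const SAMPLE = "a\uD83D\uDE00b";

// Shows the difference between element count and code unit count.
function summary(str = SAMPLE) {
  return { codeUnits: str.length, elements: codePointElements(str).length };
}
```
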
2015-03-05 Csaba Osztrogonác <ossy@webkit.org>

        [ARM] Fix the FTL build on Aarch64 Linux after r177421
        https://bugs.webkit.org/show_bug.cgi?id=142040

        Reviewed by Mark Lam.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2015-03-05 Yusuke Suzuki <utatane.tea@gmail.com>

        Upgrade ES6 Iterator interfaces
        https://bugs.webkit.org/show_bug.cgi?id=141351

        Reviewed by Filip Pizlo.

        This patch upgrades the existing ES6 iterator to align with the latest spec.
        In the latest spec,
        1. `Iterator.next` returns an object that implements the IteratorResult interface { value: value, done: boolean }.
        2. `Iterator.return` is introduced. When the iteration is terminated by an abrupt completion,
           it is called to close the iterator state.
        3. Iterator.next of Array is moved from an iterator object to `%ArrayIteratorPrototype%`.

        To upgrade it, we change the bytecode that represents for-of loops.
        And to embody the efficient iteration with an iterator object,
        we implemented %ArrayIteratorPrototype%.next in JavaScript and
        it is located in builtins/ArrayIterator.prototype.js.
        Implementing it in JavaScript encourages inlining and
        utilizes escape analysis for an iterator result object in DFG JIT.
        And we dropped the intrinsic version of %ArrayIteratorPrototype%.next.

        And we introduced IteratorOperations, which are defined in the spec.
        It aligns the iteration in the runtime to the latest spec.
        Currently, Promise.all and Promise.race use an iterable object.
        However, the Promise.all and Promise.race implementation is also based on the old spec.
        Subsequent patches will upgrade it.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayIterator.prototype.js: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.h.
        (next):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIsObject):
        (JSC::BytecodeGenerator::emitIsUndefined):
        * bytecompiler/BytecodeGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator): Deleted.
        (JSC::arrayIteratorNextKeyThunkGenerator): Deleted.
        (JSC::arrayIteratorNextValueThunkGenerator): Deleted.
        * jit/ThunkGenerators.h:
        * runtime/ArgumentsIteratorPrototype.cpp:
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        (JSC::argumentsIteratorPrototypeFuncNext):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::ArrayIteratorPrototype::getOwnPropertySlot):
        (JSC::arrayIteratorProtoFuncIterator):
        (JSC::arrayIteratorPrototypeIterate): Deleted.
        * runtime/ArrayIteratorPrototype.h:
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/IteratorOperations.cpp: Added.
        (JSC::iteratorNext):
        (JSC::iteratorValue):
        (JSC::iteratorComplete):
        (JSC::iteratorStep):
        (JSC::iteratorClose):
        (JSC::createIterResultObject):
        * runtime/IteratorOperations.h: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.cpp.
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        (JSC::JSArrayIterator::visitChildren): Deleted.
        (JSC::createIteratorResult): Deleted.
        (JSC::arrayIteratorNext): Deleted.
        (JSC::arrayIteratorNextKey): Deleted.
        (JSC::arrayIteratorNextValue): Deleted.
        (JSC::arrayIteratorNextGeneric): Deleted.
        * runtime/JSArrayIterator.h:
        (JSC::JSArrayIterator::JSArrayIterator):
        (JSC::JSArrayIterator::iterationKind): Deleted.
        (JSC::JSArrayIterator::iteratedObject): Deleted.
        (JSC::JSArrayIterator::nextIndex): Deleted.
        (JSC::JSArrayIterator::setNextIndex): Deleted.
        (JSC::JSArrayIterator::finish): Deleted.
        (JSC::JSArrayIterator::offsetOfIterationKind): Deleted.
        (JSC::JSArrayIterator::offsetOfIteratedObject): Deleted.
        (JSC::JSArrayIterator::offsetOfNextIndex): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::performPromiseRaceLoop):
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::performPromiseAll):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        * tests/stress/array-iterators-next-with-call.js: Added.
        (increment):
        (for):
        * tests/stress/array-iterators-next.js: Added.

        Revive the older Array iterator tests that manually call the 'next' method.

        * tests/stress/custom-iterators.js: Added.
        (iter.next):
        (iter.Symbol.iterator):
        (iter.return):
        (iter.get next):
        (iter.get return):
        (iteratorInterfaceErrorTest.iter.next):
        (iteratorInterfaceErrorTest.iter.Symbol.iterator):
        (iteratorInterfaceErrorTest.iter.return):
        (iteratorInterfaceErrorTest):
        (iteratorInterfaceErrorTestReturn.iter.next):
        (iteratorInterfaceErrorTestReturn.iter.Symbol.iterator):
        (iteratorInterfaceErrorTestReturn.iter.return):
        (iteratorInterfaceErrorTestReturn):
        (iteratorInterfaceBreakTestReturn.iter.next):
        (iteratorInterfaceBreakTestReturn.iter.Symbol.iterator):
        (iteratorInterfaceBreakTestReturn.iter.return):
        (iteratorInterfaceBreakTestReturn):

        This tests the behavior of custom iterators.
        'next' and 'return' of iterator work with for-of.

        * tests/stress/iterators-shape.js: Added.
        (iteratorShape):
        (sameNextMethods):
        (set var):

        This tests the shape of iterators; iterators of Array have 'next' method in %ArrayIteratorPrototype%.

        * tests/stress/map-iterators-next.js: Added.
        (set var):
        (.get if):
        (otherKey):
        * tests/stress/set-iterators-next.js: Added.
        (otherKey):

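The three spec points the entry above lists (IteratorResult objects from `next`, `return` called on abrupt completion, and `next` living on %ArrayIteratorPrototype%) can all be observed from a for-of loop. The following is an added example, not the patch's stress tests; the counting iterable is constructed here to record every protocol call, and it also shows that a primitive from `next` is rejected with a TypeError.

```javascript
// Added example, not JavaScriptCore's own code: observes the for-of behaviour
// described in the entry above through a constructed iterable that logs each
// protocol call it receives.
function countingIterable(limit, log) {
  let i = 0;
  return {
    [Symbol.iterator]() {
      return {
        next() {
          log.push("next");
          return i < limit ? { value: i++, done: false } : { value: undefined, done: true };
        },
        return() {
          log.push("return");
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// Run a for-of loop that completes normally, via break, or via throw, and
// report the protocol calls observed. `return` is only invoked for the two
// abrupt completions; a loop that runs to exhaustion never calls it.
function runForOf(mode) {
  const log = [];
  const seen = [];
  try {
    for (const v of countingIterable(3, log)) {
      seen.push(v);
      if (mode === "break" && v === 1) break;
      if (mode === "throw" && v === 1) throw new Error("abrupt");
    }
  } catch (e) {
    // IteratorClose (the `return` call) happens before the exception reaches us.
    log.push("caught:" + e.message);
  }
  return { log, seen };
}

// An IteratorResult must be an object; a primitive from `next` is a TypeError.
function primitiveResultIsTypeError() {
  const bad = { [Symbol.iterator]() { return { next() { return 1; } }; } };
  try {
    for (const v of bad) { return false; }
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Array iterators carry no own `next`; every kind (values, keys, entries)
// shares the one method on %ArrayIteratorPrototype%.
function arrayIteratorShape() {
  const it = [1, 2, 3][Symbol.iterator]();
  const proto = Object.getPrototypeOf(it);
  return {
    nextIsInherited: !Object.prototype.hasOwnProperty.call(it, "next") && typeof proto.next === "function",
    sharedAcrossKinds: proto.next === Object.getPrototypeOf([].keys()).next
      && proto.next === Object.getPrototypeOf([].entries()).next,
    firstResult: JSON.stringify(it.next()),
  };
}
```
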
2015-03-04 Yusuke Suzuki <utatane.tea@gmail.com>

        Hide Promise with runtime flags under Cocoa JSContext API
        https://bugs.webkit.org/show_bug.cgi?id=141965

        Reviewed by Filip Pizlo.

        Since there's no run loop in JavaScriptCore APIs, Promises don't work currently.
        So until they work, we hide Promise from a global object.
        Introduce new JSC runtime flag, PromiseDisabled. When `isPromiseDisabled` is true,
        the Promise constructor is not attached to JSGlobalObject.

        To make 0 the default runtime flags, we choose a PromiseDisabled flag
        instead of a PromiseEnabled flag. So by default, Promise is enabled.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::JSCallbackObject):
        * API/JSContextRef.cpp:
        (javaScriptRuntimeFlags):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/RuntimeFlags.h:
        (JSC::RuntimeFlags::createAllEnabled):

2015-03-04 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: Array/Collection Sizes should be visible and distinct
        https://bugs.webkit.org/show_bug.cgi?id=142254

        Reviewed by Timothy Hatcher.

        * runtime/WeakMapData.h:
        (JSC::WeakMapData::size):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapSize):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        Add a way to get a WeakMap's size.

        * inspector/protocol/Runtime.json:
        Include size in RemoteObject and ObjectPreview.

        * inspector/InjectedScriptSource.js:
        Set the size of RemoteObjects and previews if they
        are array/collection types.

2015-03-04 Andreas Kling <akling@apple.com>

        GC should compute stack bounds and dump registers at the earliest opportunity.
        <https://webkit.org/b/142310>
        <rdar://problem/20045624>

        Reviewed by Geoffrey Garen.

        Make Heap::collect() a wrapper function around a collectImpl() where the work is actually done.
        The wrapper function grabs a snapshot of the current stack boundaries and register values
        on entry, and sanitizes the stack on exit.

        This is a speculative fix for what appears to be overly conservative behavior in the garbage
        collector following r178364 which caused a measurable regression in memory usage on Membuster.
        The theory being that we were putting pointers to dead things on the stack before scanning it,
        and by doing that ended up marking things that we'd otherwise discover to be garbage.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::collect):
        (JSC::Heap::collectImpl):
        * heap/Heap.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:

2015-03-04 Debarshi Ray <debarshir@gnome.org>

        Silence GCC's -Wstrict-prototypes
        https://bugs.webkit.org/show_bug.cgi?id=142278

        Reviewed by Alexey Proskuryakov.

        * API/JSContextRef.h:

2015-03-04 Benjamin Poulain <bpoulain@apple.com>

        [JSC] Add a node for Math.log()
        https://bugs.webkit.org/show_bug.cgi?id=142126

        Reviewed by Geoffrey Garen.

        This patch adds the DFG node ArithLog for LogIntrinsic.

        Having a direct call to log has very little value by itself; the implementation
        in DFG and FTL is a simple function call.

        What is useful in ArithLog is that we know the operation is pure.
        This allows us to hoist it out of loops when the argument is independent
        of the loop (a loop invariant).

        Perf wise, this patch gives:
        - Kraken's imaging-darkroom: definitely 1.2372x faster.
        - AsmBench's Towers.c: definitely 1.0261x faster.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithLog):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithLog):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleLog):
        * tests/stress/math-log-basics.js: Added.
        * tests/stress/math-log-with-constants.js: Added.

2015-03-04 Filip Pizlo <fpizlo@apple.com>

        Only Heap should be in charge of deciding how to select a subspace for a type
        https://bugs.webkit.org/show_bug.cgi?id=142304

        Reviewed by Mark Lam.

        This slightly reduces the code duplication for selecting subspace based on type, and what
        duplication is left is at least localized in HeapInlines.h. The immediate effect is that
        the DFG and FTL don't have to duplicate this pattern.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):

2015-03-04 Andreas Kling <akling@apple.com>

        Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily.
        <https://webkit.org/b/142115>
        <rdar://problem/19992268>

        Reviewed by Geoffrey Garen.

        Prune stale entries from WeakGCMaps as part of every full garbage collection.
        This frees up tons of previously-stuck WeakBlocks that were only sitting around
        with finalized handles waiting to die.

        Note that WeakGCMaps register/unregister themselves with the GC heap in their
        ctor/dtor, so creating one now requires passing the VM.

        Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears
        to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms.
        It seems somewhat excessive to do this on every Eden collection, so it's only
        doing work in full collections for now.

        * API/JSWeakObjectMapRefInternal.h:
        (OpaqueJSWeakObjectMap::create):
        (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor.

        * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make
        it project-private so WebCore clients can access it.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning
        stale entries from WeakGCMaps. This is only executed during full collections.

        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::registerWeakGCMap):
        (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register
        themselves with the Heap and provide a pruning callback.

        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::PrototypeMap):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor.

        * runtime/JSCInlines.h: Add "WeakGCMapInlines.h"

        * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds.

        * runtime/VM.cpp:
        (JSC::VM::VM): Pass VM to WeakGCMap constructor.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::set):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::WeakGCMap): Deleted.
        (JSC::WeakGCMap::gcMap): Deleted.
        (JSC::WeakGCMap::gcMapIfNeeded): Deleted.
        * runtime/WeakGCMapInlines.h: Added.
        (JSC::WeakGCMap::WeakGCMap):
        (JSC::WeakGCMap::~WeakGCMap):
        (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback
        to WeakGCMapInlines.h to fix interdependent header issues. Removed code that
        prunes WeakGCMap at certain growth milestones and instead rely on the GC
        callback for housekeeping.

2015-03-03 Filip Pizlo <fpizlo@apple.com>

        DFG IR should refer to FunctionExecutables directly and not via the CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=142229

        Reviewed by Mark Lam and Benjamin Poulain.

        Anytime a DFG IR node refers to something in CodeBlock, it has three effects:

        - Cumbersome API for accessing the thing that the node refers to.

        - Not obvious how to create a new such node after bytecode parsing, especially if the
          thing it refers to isn't already in the CodeBlock. We have done this in the past, but
          it usually involves subtle changes to CodeBlock.

        - Not obvious how to inline code that ends up using such nodes. Again, when we have done
          this, it involved subtle changes to CodeBlock.

        Prior to this change, the NewFunction* node types used an index into tables in CodeBlock.
        For this reason, those operations were not inlineable. But the function tables in CodeBlock
        just point to FunctionExecutables, which are cells; this means that we can just abstract
        these operands in DFG IR as cellOperands. cellOperands use DFG::FrozenValue, which means
        that GC registration happens automagically. Even better, our dumping for cellOperand
        already did FunctionExecutable dumping - so that functionality gets to be deduplicated.

        Because this change increases the number of users of cellOperand, it also adds some
        convenience methods for using it. For example, whereas before you'd say things like:

            jsCast<Foo*>(node->cellOperand()->value())

        you can now just say:

            node->castOperand<Foo*>()

        This change also changes existing cellOperand users to use the new convenience API when
        applicable.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettisonFunctionDeclsAndExprs):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGFrozenValue.h:
        (JSC::DFG::FrozenValue::cell):
        (JSC::DFG::FrozenValue::dynamicCast):
        (JSC::DFG::FrozenValue::cast):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::castOperand):
        (JSC::DFG::Node::hasFunctionDeclIndex): Deleted.
        (JSC::DFG::Node::functionDeclIndex): Deleted.
        (JSC::DFG::Node::hasFunctionExprIndex): Deleted.
        (JSC::DFG::Node::functionExprIndex): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):

2015-03-03 Michael Saboff <msaboff@apple.com>

        DelayedReleaseScope drops locks during GC which can cause a thread switch and code reentry
        https://bugs.webkit.org/show_bug.cgi?id=141275

        Reviewed by Geoffrey Garen.

        The original issue is that the CodeCache uses an unsafe method to add new UnlinkedCodeBlocks.
        It basically adds a null UnlinkedCodeBlock if there isn't a cached entry and then later
        updates the null entry to the result of the compilation. If during that compilation and
        related processing we need to garbage collect, the DelayedReleaseScope would drop locks,
        possibly allowing another thread to try to get the same source out of the CodeCache.
        This second thread would find the null entry and crash. The fix is to move the processing of
        DelayedReleaseScope to when we drop locks and not drop locks during GC. That was done in
        the original patch with the new function releaseDelayedReleasedObjects().

        Updated releaseDelayedReleasedObjects() so that objects are released with all locks
        dropped. Now its processing follows these steps:
            Increment recursion counter and do recursion check and exit if recursing
            While there are objects to release
                ASSERT that lock is held by current thread
                Take all items from delayed release Vector and put into temporary Vector
                Release API lock
                Release and clear items from temporary vector
                Reacquire API lock
        This meets the requirement that we release while the API lock is released and it is
        safer processing of the delayed release Vector.

        Added new regression test to testapi.

        Also added comment describing how recursion into releaseDelayedReleasedObjects() is
        prevented.

        * API/tests/Regress141275.h: Added.
        * API/tests/Regress141275.mm: Added.
        (+[JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:completionHandler:]):
        (-[JSTEvaluator init]):
        (-[JSTEvaluator initWithScript:]):
        (-[JSTEvaluator _accessPendingTasksWithBlock:]):
        (-[JSTEvaluator insertSignPostWithCompletion:]):
        (-[JSTEvaluator evaluateScript:completion:]):
        (-[JSTEvaluator evaluateBlock:completion:]):
        (-[JSTEvaluator waitForTasksDoneAndReportResults]):
        (__JSTRunLoopSourceScheduleCallBack):
        (__JSTRunLoopSourcePerformCallBack):
        (__JSTRunLoopSourceCancelCallBack):
        (-[JSTEvaluator _jsThreadMain]):
        (-[JSTEvaluator _sourceScheduledOnRunLoop:]):
        (-[JSTEvaluator _setupEvaluatorThreadContextIfNeeded]):
        (-[JSTEvaluator _callCompletionHandler:ifNeededWithError:]):
        (-[JSTEvaluator _sourcePerform]):
        (-[JSTEvaluator _sourceCanceledOnRunLoop:]):
        (runRegress141275):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects):
        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):

203722015-03-03 Filip Pizlo <fpizlo@apple.com>
20373
20374 DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking
20375 https://bugs.webkit.org/show_bug.cgi?id=106202
20376
20377 Rubber stamped by Benjamin Poulain.
20378
20379 This fixes a bug discovered by working on https://bugs.webkit.org/show_bug.cgi?id=142229,
20380 which was in turn discovered by working on https://bugs.webkit.org/show_bug.cgi?id=141174.
20381 Our way of dealing with scopes known to be constant is very sketchy, and only really works
20382 when a function is inlined. When it is, we pretend that every load of the scopeRegister sees
20383 a constant. But this breaks the DFG's tracking of the liveness of the scopeRegister. The way
20384 this worked made us miss opportunities for optimizing based on a constant scope, and it also
20385 meant that in some cases - particularly like when we inline code that uses NewFunction and
20386 friends, as I do in bug 142229 - it makes OSR exit think that the scope is dead even though
20387 it's most definitely alive and it's a constant.
20388
20389 The problem here is that we were doing too many optimizations in the ByteCodeParser, and not
20390 later. Later optimization phases know how to preserve OSR exit liveness. They're actually
20391 really good at it. Also, later phases know how to infer that any variable is a constant no
20392 matter how that constant arose - rather than the inlining-specific thing in ByteCodeParser.
20393
20394 This changes the ByteCodeParser to largely avoid doing constant folding on the scope, except
20395 making the GetScope operation itself a constant. This is a compilation-time hack for small
20396 functions, and it doesn't break the loads of local variables - so OSR exit liveness still
20397 sees that the scopeRegister is in use. This then adds a vastly more powerful GetScope and
20398 GetClosureVar constant folder in the AbstractInterpreter. This handles most general cases
20399 including those that arise in complex control flow. This will catch cases where the scope
20400 is constant for any number of reasons. Basically anytime that the callee is inferred constant
20401 this will give us a constant scope. Also, we still have the parse-time constant folding of
20402 ResolveScope based on the reentry watchpoint, which luckily did the right thing with respect
20403 to OSR exit liveness (it splats a Phantom on its inputs, and it produces a constant result
20404 which is then set() normally).
20405
20406 This appears to be a broad speed-up, albeit a small one. But mainly it unblocks bug 142229,
20407 which then should unblock bug 141174.
20408
20409 * dfg/DFGAbstractInterpreterInlines.h:
20410 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
20411 * dfg/DFGByteCodeParser.cpp:
20412 (JSC::DFG::ByteCodeParser::get):
20413 (JSC::DFG::ByteCodeParser::getLocal):
20414 (JSC::DFG::ByteCodeParser::parseBlock):
20415 (JSC::DFG::ByteCodeParser::parse):
20416 * dfg/DFGClobberize.h:
20417 (JSC::DFG::clobberize):
20418 * dfg/DFGDoesGC.cpp:
20419 (JSC::DFG::doesGC):
20420 * dfg/DFGFixupPhase.cpp:
20421 (JSC::DFG::FixupPhase::fixupNode):
20422 * dfg/DFGGraph.cpp:
20423 (JSC::DFG::Graph::tryGetConstantClosureVar):
20424 (JSC::DFG::Graph::tryGetRegisters):
20425 (JSC::DFG::Graph::tryGetActivation): Deleted.
20426 * dfg/DFGGraph.h:
20427 * dfg/DFGNode.h:
20428 (JSC::DFG::Node::hasVariableWatchpointSet):
20429 (JSC::DFG::Node::hasSymbolTable): Deleted.
20430 (JSC::DFG::Node::symbolTable): Deleted.
20431 * dfg/DFGNodeType.h:
20432 * dfg/DFGPredictionPropagationPhase.cpp:
20433 (JSC::DFG::PredictionPropagationPhase::propagate):
20434 * dfg/DFGSafeToExecute.h:
20435 (JSC::DFG::safeToExecute):
20436 * dfg/DFGSpeculativeJIT32_64.cpp:
20437 (JSC::DFG::SpeculativeJIT::compile):
20438 * dfg/DFGSpeculativeJIT64.cpp:
20439 (JSC::DFG::SpeculativeJIT::compile):
20440 * dfg/DFGWatchpointCollectionPhase.cpp:
20441 (JSC::DFG::WatchpointCollectionPhase::handle):
20442 * ftl/FTLCapabilities.cpp:
20443 (JSC::FTL::canCompile):
20444 * ftl/FTLLowerDFGToLLVM.cpp:
20445 (JSC::FTL::LowerDFGToLLVM::compileNode):
20446 (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
20447 * runtime/SymbolTable.cpp:
20448 (JSC::SymbolTable::visitChildren):
20449 (JSC::SymbolTable::localToEntry):
20450 (JSC::SymbolTable::entryFor):
20451 * runtime/SymbolTable.h:
20452 (JSC::SymbolTable::add):
20453 (JSC::SymbolTable::set):
20454 * tests/stress/function-expression-exit.js: Added.
20455 * tests/stress/function-reentry-infer-on-self.js: Added.
20456 (thingy):
20457 * tests/stress/goofy-function-reentry-incorrect-inference.js: Added.
20458
20459 2015-03-03 Anders Carlsson <andersca@apple.com>
20460
20461 Remove unused compression code
20462 https://bugs.webkit.org/show_bug.cgi?id=142237
20463
20464 Reviewed by Geoffrey Garen.
20465
20466 * bytecode/UnlinkedCodeBlock.h:
20467
20468 2015-03-03 Filip Pizlo <fpizlo@apple.com>
20469
20470 JIT debugging features that selectively disable the JITs for code blocks need to stay out of the way of the critical path of JIT management
20471 https://bugs.webkit.org/show_bug.cgi?id=142234
20472
20473 Reviewed by Mark Lam and Benjamin Poulain.
20474
20475 Long ago, we used to selectively disable compilation of CodeBlocks for debugging purposes by
20476 adding hacks to DFGDriver.cpp. This was all well and good. It used the existing
20477 CompilationFailed mode of the DFG driver to signal failure of CodeBlocks that we didn't want
20478 to compile. That's great because CompilationFailed is a well-supported return value on the
20479 critical path, usually used for when we run out of JIT memory.
20480
20481 Later, this was moved into DFGCapabilities. This was basically incorrect. It introduced a bug
20482 where disabling compiling of a CodeBlock meant that we stopped inlining it as well. So if
20483 you had a compiler bug that arose if foo was inlined into bar, and you bisected down to bar,
20484 then foo would no longer get inlined and you wouldn't see the bug. That's busted.
20485
20486 So then we changed the code in DFGCapabilities to mark bar as CanCompile and foo as
20487 CanInline. Now, foo wouldn't get compiled alone but it would get inlined.
20488
20489 But then we removed CanCompile because that capability mode only existed for the purpose of
20490 our old varargs hacks. After that removal, "CanInline" became CannotCompile. This means
20491 that if you bisect down on bar in the "foo inlined into bar" case, you'll crash in the DFG
20492 because the baseline JIT wouldn't have known to insert profiling on foo.
20493
20494 We could fix this by bringing back CanInline.
20495
20496 But this is all a pile of nonsense. The debug support to selectively disable compilation of
20497 some CodeBlocks shouldn't cross-cut our entire engine and should most certainly never involve
20498 adding new capability modes. This support is a hack at best and is for use by JSC hackers
20499 only. It should be as unintrusive as possible.
20500
20501 So, as in the ancient times, the only proper place to put this hack is in DFGDriver.cpp, and
20502 return CompilationFailed. This is correct not just because it takes capability modes out of
20503 the picture (and obviates the need to introduce new ones), but also because it means that
20504 disabling compilation doesn't change the profiling mode of other CodeBlocks in the Baseline
20505 JIT. Capability mode influences profiling mode which in turn influences code generation in
20506 the Baseline JIT, sometimes in very significant ways - like, we sometimes do additional
20507 double-to-int conversions in Baseline if we know that we might tier-up into the DFG, since
20508 this buys us more precise profiling.
20509
20510 This change reduces the intrusiveness of debugging hacks by making them use the very simple
20511 CompilationFailed mechanism rather than trying to influence capability modes. Capability
20512 modes have very subtle effects on the whole engine, while CompilationFailed just makes the
20513 engine pretend like the DFG compilation will happen at timelike infinity. That makes these
20514 hacks much more likely to continue working as we make other changes to the system.
20515
20516 This brings back the ability to bisect down onto a function bar when bar inlines foo. Prior
20517 to this change, we would crash in that case.
20518
20519 * dfg/DFGCapabilities.cpp:
20520 (JSC::DFG::isSupported):
20521 (JSC::DFG::mightCompileEval):
20522 (JSC::DFG::mightCompileProgram):
20523 (JSC::DFG::mightCompileFunctionForCall):
20524 (JSC::DFG::mightCompileFunctionForConstruct):
20525 * dfg/DFGCapabilities.h:
20526 * dfg/DFGDriver.cpp:
20527 (JSC::DFG::compileImpl):
20528
20529 2015-03-03 peavo@outlook.com <peavo@outlook.com>
20530
20531 [Win64] JSC compile error.
20532 https://bugs.webkit.org/show_bug.cgi?id=142216
20533
20534 Reviewed by Mark Lam.
20535
20536 A version of setupArgumentsWithExecState is missing for when NUMBER_OF_ARGUMENT_REGISTERS == 4.
20537
20538 * jit/CCallHelpers.h:
20539 (JSC::CCallHelpers::setupArgumentsWithExecState):
20540
20541 2015-03-02 Filip Pizlo <fpizlo@apple.com>
20542
20543 DFG compile time measurements should really report milliseconds
20544 https://bugs.webkit.org/show_bug.cgi?id=142209
20545
20546 Reviewed by Benjamin Poulain.
20547
20548 Fix this to record milliseconds instead of seconds.
20549
20550 * dfg/DFGPlan.cpp:
20551 (JSC::DFG::Plan::compileInThread):
20552 (JSC::DFG::Plan::compileInThreadImpl):
20553
20554 2015-03-02 Filip Pizlo <fpizlo@apple.com>
20555
20556 Remove op_get_callee, it's unused
20557 https://bugs.webkit.org/show_bug.cgi?id=142206
20558
20559 Reviewed by Andreas Kling.
20560
20561 It's a bit of a shame that we stopped using this opcode since it gives us same-callee
20562 profiling. But, if we were to add this functionality back in, we would almost certainly do
20563 it by adding a JSFunction allocation watchpoint on FunctionExecutable.
20564
20565 * bytecode/BytecodeList.json:
20566 * bytecode/BytecodeUseDef.h:
20567 (JSC::computeUsesForBytecodeOffset):
20568 (JSC::computeDefsForBytecodeOffset):
20569 * bytecode/CodeBlock.cpp:
20570 (JSC::CodeBlock::dumpBytecode):
20571 (JSC::CodeBlock::finalizeUnconditionally):
20572 * dfg/DFGByteCodeParser.cpp:
20573 (JSC::DFG::ByteCodeParser::parseBlock):
20574 * dfg/DFGCapabilities.cpp:
20575 (JSC::DFG::capabilityLevel):
20576 * jit/JIT.cpp:
20577 (JSC::JIT::privateCompileMainPass):
20578 (JSC::JIT::privateCompileSlowCases):
20579 * jit/JIT.h:
20580 * jit/JITOpcodes.cpp:
20581 (JSC::JIT::emit_op_get_callee): Deleted.
20582 (JSC::JIT::emitSlow_op_get_callee): Deleted.
20583 * jit/JITOpcodes32_64.cpp:
20584 (JSC::JIT::emit_op_get_callee): Deleted.
20585 (JSC::JIT::emitSlow_op_get_callee): Deleted.
20586 * llint/LowLevelInterpreter32_64.asm:
20587 * llint/LowLevelInterpreter64.asm:
20588 * runtime/CommonSlowPaths.cpp:
20589 (JSC::SLOW_PATH_DECL): Deleted.
20590
20591 2015-03-02 Joseph Pecoraro <pecoraro@apple.com>
20592
20593 Web Inspector: Context Menu to Log a Particular Object
20594 https://bugs.webkit.org/show_bug.cgi?id=142198
20595
20596 Reviewed by Timothy Hatcher.
20597
20598 Add a protocol method to assign a $n index to a value. For an object
20599 use the injected script context for that object. For a value, use
20600 the execution context to know where to save the value.
20601
20602 * inspector/InjectedScript.cpp:
20603 (Inspector::InjectedScript::saveResult):
20604 * inspector/InjectedScript.h:
20605 * inspector/InjectedScriptSource.js:
20606 * inspector/agents/InspectorRuntimeAgent.cpp:
20607 (Inspector::InspectorRuntimeAgent::saveResult):
20608 * inspector/agents/InspectorRuntimeAgent.h:
20609 * inspector/protocol/Debugger.json:
20610 * inspector/protocol/Runtime.json:
20611
20612 2015-03-02 Filip Pizlo <fpizlo@apple.com>
20613
20614 SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization
20615 https://bugs.webkit.org/show_bug.cgi?id=142197
20616
20617 Reviewed by Geoffrey Garen.
20618
20619 * dfg/DFGSpeculativeJIT.cpp:
20620 (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Use shift instead of mul, since mul doesn't automatically strength-reduce to shift. Also pass the structure as a TrustedImmPtr.
20621 * dfg/DFGSpeculativeJIT.h:
20622 (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): Rationalize this a bit. The other emitAllocate... methods take a templated structure so that it can be either a TrustedImmPtr or a register. Also don't do destructor initialization, since its one client doesn't need it, and it's actually probably wrong.
20623
20624 2015-03-02 Mark Lam <mark.lam@apple.com>
20625
20626 Exception stack unwinding in JSC hangs while the Timeline Profiler is enabled.
20627 <https://webkit.org/b/142191>
20628
20629 Reviewed by Geoffrey Garen.
20630
20631 Imagine a scenario where the Inspector is paused / suspended at a breakpoint or
20632 while the user is stepping through JS code. The user then tries to evaluate an
20633 expression in the console, and that evaluation results in an exception being
20634 thrown. Currently, if the Timeline Profiler is enabled while this exception is
20635 being thrown, the WebProcess will hang while trying to handle that exception.
20636
20637 The issue is that the Timeline Profiler's ProfileGenerator::didExecute() will
20638 return early and decline to process ProfileNodes if the Inspector is paused.
20639 This is proper because it does not want to count work done for injected scripts
20640 (e.g. from the console) towards the timeline profile of the webpage being run.
20641 However, this is in conflict with ProfileGenerator::exceptionUnwind()'s
20642 expectation that didExecute() will process ProfileNodes in order to do the stack
20643 unwinding for the exception handling. As a result,
20644 ProfileGenerator::exceptionUnwind() hangs.
20645
20646 ProfileGenerator::exceptionUnwind() is in error. While the Inspector is paused,
20647 there will not be any ProfileNodes that it needs to "unwind". Hence, the fix is
20648 simply to return early also in ProfileGenerator::exceptionUnwind() if the
20649 Inspector is paused.
20650
20651 * profiler/ProfileGenerator.cpp:
20652 (JSC::ProfileGenerator::exceptionUnwind):
20653
20654 2015-03-02 Filip Pizlo <fpizlo@apple.com>
20655
20656 FTL should correctly document where it puts the argument count for inlined varargs frames
20657 https://bugs.webkit.org/show_bug.cgi?id=142187
20658
20659 Reviewed by Geoffrey Garen.
20660
20661 After LLVM tells us where the captured variables alloca landed in the frame, we need to
20662 tell all of our meta-data about it. We were forgetting to do so for the argument count
20663 register, which is used by inlined varargs calls.
20664
20665 * ftl/FTLCompile.cpp:
20666 (JSC::FTL::mmAllocateDataSection):
20667 * tests/stress/inline-varargs-get-arguments.js: Added.
20668 (foo):
20669 (bar):
20670 (baz):
20671
20672 2015-03-02 Filip Pizlo <fpizlo@apple.com>
20673
20674 Deduplicate slow path calling code in JITOpcodes.cpp/JITOpcodes32_64.cpp
20675 https://bugs.webkit.org/show_bug.cgi?id=142184
20676
20677 Reviewed by Michael Saboff.
20678
20679 * jit/JITOpcodes.cpp:
20680 (JSC::JIT::emit_op_get_enumerable_length):
20681 (JSC::JIT::emitSlow_op_has_structure_property):
20682 (JSC::JIT::emit_op_has_generic_property):
20683 (JSC::JIT::emit_op_get_structure_property_enumerator):
20684 (JSC::JIT::emit_op_get_generic_property_enumerator):
20685 (JSC::JIT::emit_op_to_index_string):
20686 * jit/JITOpcodes32_64.cpp:
20687 (JSC::JIT::emit_op_get_enumerable_length): Deleted.
20688 (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
20689 (JSC::JIT::emit_op_has_generic_property): Deleted.
20690 (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
20691 (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
20692 (JSC::JIT::emit_op_to_index_string): Deleted.
20693 (JSC::JIT::emit_op_profile_control_flow): Deleted.
20694
20695 2015-03-02 Antti Koivisto <antti@apple.com>
20696
20697 Add way to dump cache meta data to file
20698 https://bugs.webkit.org/show_bug.cgi?id=142183
20699
20700 Reviewed by Andreas Kling.
20701
20702 Export appendQuotedJSONStringToBuilder.
20703
20704 * bytecompiler/NodesCodegen.cpp:
20705 (JSC::ObjectPatternNode::toString):
20706 * runtime/JSONObject.cpp:
20707 (JSC::appendQuotedJSONStringToBuilder):
20708 (JSC::Stringifier::appendQuotedString):
20709 (JSC::escapeStringToBuilder): Deleted.
20710 * runtime/JSONObject.h:
20711
20712 2015-03-02 Joseph Pecoraro <pecoraro@apple.com>
20713
20714 Web Inspector: Add Context Menus to Object Tree properties
20715 https://bugs.webkit.org/show_bug.cgi?id=142125
20716
20717 Reviewed by Timothy Hatcher.
20718
20719 * inspector/JSInjectedScriptHost.cpp:
20720 (Inspector::JSInjectedScriptHost::functionDetails):
20721 Update to include columnNumber.
20722
20723 2015-03-01 Filip Pizlo <fpizlo@apple.com>
20724
20725 BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister
20726 https://bugs.webkit.org/show_bug.cgi?id=142153
20727
20728 Reviewed by Michael Saboff.
20729
20730 We don't need a op_resolve_scope if we know that it will simply return the scope register.
20731 This changes the BytecodeGenerator to use the scope register directly in those cases where
20732 we know statically that we would just have returned that from op_resolve_scope.
20733
20734 This doesn't appear to have a significant impact on performance.
20735
20736 * bytecode/CodeBlock.cpp:
20737 (JSC::CodeBlock::CodeBlock):
20738 * bytecompiler/BytecodeGenerator.cpp:
20739 (JSC::BytecodeGenerator::emitResolveScope):
20740 (JSC::BytecodeGenerator::emitReturn):
20741 (JSC::BytecodeGenerator::emitGetOwnScope): Deleted.
20742 * bytecompiler/BytecodeGenerator.h:
20743 * bytecompiler/NodesCodegen.cpp:
20744 (JSC::ResolveNode::emitBytecode):
20745 (JSC::EvalFunctionCallNode::emitBytecode):
20746 (JSC::FunctionCallResolveNode::emitBytecode):
20747 (JSC::PostfixNode::emitResolve):
20748 (JSC::DeleteResolveNode::emitBytecode):
20749 (JSC::TypeOfResolveNode::emitBytecode):
20750 (JSC::PrefixNode::emitResolve):
20751 (JSC::ReadModifyResolveNode::emitBytecode):
20752 (JSC::AssignResolveNode::emitBytecode):
20753 (JSC::ConstDeclNode::emitCodeSingle):
20754 (JSC::EmptyVarExpression::emitBytecode):
20755 (JSC::ForInNode::emitLoopHeader):
20756 (JSC::ForOfNode::emitBytecode):
20757 (JSC::BindingNode::bindValue):
20758
20759 2015-02-27 Benjamin Poulain <bpoulain@apple.com>
20760
20761 [JSC] Use the way number constants are written to help type speculation
20762 https://bugs.webkit.org/show_bug.cgi?id=142072
20763
20764 Reviewed by Filip Pizlo.
20765
20766 This patch changes how we interpret numeric constants based on how they appear
20767 in the source.
20768
20769 Constants that are integers but written with a decimal point now carry that information
20770 to the optimizing tiers. From there, we use that to be more aggressive about typing
20771 math operations toward double operations.
20772
20773 For example, in:
20774 var a = x + 1.0;
20775 var b = y + 1;
20776 The Add for a would be biased toward doubles, the Add for b would speculate
20777 integer as usual.
20778
20780 The gains are tiny but this is a prerequisite to make my next patch useful:
20781 -SunSpider's access-fannkuch: definitely 1.0661x faster
20782 -SunSpider's math-cordic: definitely 1.0266x slower
20783 overall: might be 1.0066x slower.
20784 -Kraken's imaging-darkroom: definitely 1.0333x faster.
20785
20786 * parser/Lexer.cpp:
20787 (JSC::tokenTypeForIntegerLikeToken):
20788 (JSC::Lexer<T>::lex):
20789 The lexer now creates two types of tokens for numbers: INTEGER and DOUBLE.
20790 Those token types only carry information about how the values were
20791 entered; an INTEGER does not have to be an integer, it is only written like one.
20792 Large integers still end up represented as double in memory.
20793
20794 One trap I fell into was typing numbers like 12e3 as double. This kind of literal
20795 is frequently used in integer-typed code, while 12.e3 would appear in double-typed
20796 code.
20797 Because of that, the only signals for double are: decimal point, negative zero,
20798 and ridiculously large values.
20799
20800 * parser/NodeConstructors.h:
20801 (JSC::DoubleNode::DoubleNode):
20802 (JSC::IntegerNode::IntegerNode):
20803 * parser/Nodes.h:
20804 (JSC::NumberNode::value):
20805 (JSC::NumberNode::setValue): Deleted.
20806 Numbers get specialized in two new kinds of nodes in the AST: IntegerNode and DoubleNode.
20807
20808 * bytecompiler/NodesCodegen.cpp:
20809 (JSC::NumberNode::emitBytecode):
20810
20811 * parser/ASTBuilder.h:
20812 (JSC::ASTBuilder::createDoubleExpr):
20813 (JSC::ASTBuilder::createIntegerExpr):
20814 (JSC::ASTBuilder::createIntegerLikeNumber):
20815 (JSC::ASTBuilder::createDoubleLikeNumber):
20816 (JSC::ASTBuilder::createNumberFromBinaryOperation):
20817 (JSC::ASTBuilder::createNumberFromUnaryOperation):
20818 (JSC::ASTBuilder::makeNegateNode):
20819 (JSC::ASTBuilder::makeBitwiseNotNode):
20820 (JSC::ASTBuilder::makeMultNode):
20821 (JSC::ASTBuilder::makeDivNode):
20822 (JSC::ASTBuilder::makeModNode):
20823 (JSC::ASTBuilder::makeAddNode):
20824 (JSC::ASTBuilder::makeSubNode):
20825 (JSC::ASTBuilder::makeLeftShiftNode):
20826 (JSC::ASTBuilder::makeRightShiftNode):
20827 (JSC::ASTBuilder::makeURightShiftNode):
20828 (JSC::ASTBuilder::makeBitOrNode):
20829 (JSC::ASTBuilder::makeBitAndNode):
20830 (JSC::ASTBuilder::makeBitXOrNode):
20831 (JSC::ASTBuilder::createNumberExpr): Deleted.
20832 (JSC::ASTBuilder::createNumber): Deleted.
20833 The AST has some optimization to resolve constants before emitting bytecode.
20834 In the new code, the integer representation is kept if both operands were
20835 also represented as integers.
20836
20837 * parser/Parser.cpp:
20838 (JSC::Parser<LexerType>::parseDeconstructionPattern):
20839 (JSC::Parser<LexerType>::parseProperty):
20840 (JSC::Parser<LexerType>::parseGetterSetter):
20841 (JSC::Parser<LexerType>::parsePrimaryExpression):
20842 (JSC::Parser<LexerType>::printUnexpectedTokenText):
20843 * parser/ParserTokens.h:
20844 * parser/SyntaxChecker.h:
20845 (JSC::SyntaxChecker::createDoubleExpr):
20846 (JSC::SyntaxChecker::createIntegerExpr):
20847 (JSC::SyntaxChecker::createNumberExpr): Deleted.
20848
20849 * bytecode/CodeBlock.cpp:
20850 (JSC::CodeBlock::registerName):
20851 (JSC::CodeBlock::constantName):
20852 Change constantName(r, getConstant(r)) -> constantName(r) to simplify
20853 the dump code.
20854
20855 (JSC::CodeBlock::dumpBytecode):
20856 Dump the source representation information we have with each constant.
20857
20858 (JSC::CodeBlock::CodeBlock):
20859 (JSC::CodeBlock::shrinkToFit):
20860 (JSC::constantName): Deleted.
20861 * bytecode/CodeBlock.h:
20862 (JSC::CodeBlock::constantsSourceCodeRepresentation):
20863 (JSC::CodeBlock::addConstant):
20864 (JSC::CodeBlock::addConstantLazily):
20865 (JSC::CodeBlock::constantSourceCodeRepresentation):
20866 (JSC::CodeBlock::setConstantRegisters):
20867
20868 * bytecode/UnlinkedCodeBlock.h:
20869 (JSC::UnlinkedCodeBlock::addConstant):
20870 (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
20871 (JSC::UnlinkedCodeBlock::shrinkToFit):
20872
20873 * bytecompiler/BytecodeGenerator.cpp:
20874 (JSC::BytecodeGenerator::addConstantValue):
20875 (JSC::BytecodeGenerator::emitLoad):
20876 * bytecompiler/BytecodeGenerator.h:
20877 We have to differentiate between constants that have the same values but are
20878 represented differently in the source. Values like 1.0 and 1 now end up
20879 as different constants.
20880
20881 * dfg/DFGByteCodeParser.cpp:
20882 (JSC::DFG::ByteCodeParser::get):
20883 (JSC::DFG::ByteCodeParser::addConstantToGraph):
20884 * dfg/DFGGraph.cpp:
20885 (JSC::DFG::Graph::registerFrozenValues):
20886 * dfg/DFGGraph.h:
20887 (JSC::DFG::Graph::addSpeculationMode):
20888 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
20889 ArithAdd is very aggressive toward using Int52, which is quite useful
20890 in many benchmarks.
20891
20892 Here we need to specialize to make sure we don't force our literals
20893 to Int52 if they were represented as double.
20894
20895 There is one exception to that rule: when the other operand is guaranteed
20896 to come from a NodeResultInt32. This is because there is some weird code
20897 doing stuff like:
20898 var b = a|0;
20899 var c = b*2.0;
20900
20901 * dfg/DFGNode.h:
20902 (JSC::DFG::Node::Node):
20903 (JSC::DFG::Node::setOpAndDefaultFlags):
20904 (JSC::DFG::Node::sourceCodeRepresentation):
20905 * dfg/DFGPredictionPropagationPhase.cpp:
20906 (JSC::DFG::PredictionPropagationPhase::propagate):
20907 * runtime/JSCJSValue.h:
20908 (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue):
20909 (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue):
20910 (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue):
20911 (JSC::EncodedJSValueWithRepresentationHash::hash):
20912 (JSC::EncodedJSValueWithRepresentationHash::equal):
20913 * tests/stress/arith-add-with-constants.js: Added.
20914 * tests/stress/arith-mul-with-constants.js: Added.
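
As an added illustration of the literal-classification rule laid out in the entry above (example code, not JSC's Lexer or ASTBuilder): it classifies a decimal literal's source text as INTEGER or DOUBLE and applies the folding rule that a folded constant stays integer-typed only when both operands were written as integers. The 2^53 magnitude cut-off for "ridiculously large" and the acceptance of a leading '-' (to model negative zero, which the real lexer only sees after unary minus) are assumptions of this example.

```cpp
#include <cmath>
#include <cstdlib>
#include <string>

// Token kinds mirroring the INTEGER / DOUBLE distinction described above.
enum class NumberTokenKind { Integer, Double };

// Classify the *source text* of a decimal numeric literal (hypothetical helper,
// not JSC code). Only three things make it DOUBLE: a decimal point, negative
// zero, or a value too large to be an exact integer (cut-off assumed as 2^53).
NumberTokenKind classifyNumericLiteral(const std::string& source)
{
    // A decimal point is the primary "I meant a double" signal: 1.0, 12.e3.
    if (source.find('.') != std::string::npos)
        return NumberTokenKind::Double;
    double value = std::strtod(source.c_str(), nullptr);
    // Negative zero has no int32 representation.
    if (value == 0 && std::signbit(value))
        return NumberTokenKind::Double;
    // Exponent forms such as 12e3 keep the INTEGER shape as long as the value is
    // still an integer of sane magnitude (assumed bound: 2^53).
    const double maxExactInteger = 9007199254740992.0;
    if (!std::isfinite(value) || std::fabs(value) > maxExactInteger || value != std::trunc(value))
        return NumberTokenKind::Double;
    return NumberTokenKind::Integer;
}

// AST-time constant folding of `lhs op rhs`: the result is written "as an
// integer" only when both operands were.
NumberTokenKind foldedRepresentation(NumberTokenKind lhs, NumberTokenKind rhs)
{
    if (lhs == NumberTokenKind::Integer && rhs == NumberTokenKind::Integer)
        return NumberTokenKind::Integer;
    return NumberTokenKind::Double;
}
```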
20915
20916 2015-02-26 Filip Pizlo <fpizlo@apple.com>
20917
20918 Unreviewed, roll out r180723. It broke a bunch of tests.
20919
20920 * bytecompiler/BytecodeGenerator.cpp:
20921 (JSC::BytecodeGenerator::constLocal):
20922 * bytecompiler/BytecodeGenerator.h:
20923 * bytecompiler/NodesCodegen.cpp:
20924 (JSC::ConstDeclNode::emitCodeSingle):
20925 * tests/stress/const-arguments.js: Removed.
20926
20927 2015-02-26 Mark Lam <mark.lam@apple.com>
20928
20929 Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed.
20930 <https://webkit.org/b/142064>
20931
20932 Reviewed by Joseph Pecoraro.
20933
20934 * bytecompiler/BytecodeGenerator.cpp:
20935 (JSC::BytecodeGenerator::addVar):
20936
20937 2015-02-26 Mark Lam <mark.lam@apple.com>
20938
20939 MachineThreads::Thread clean up has a use after free race condition.
20940 <https://webkit.org/b/141990>
20941
20942 Reviewed by Filip Pizlo.
20943
20944 MachineThreads::Thread clean up relies on the clean up mechanism
20945 implemented in _pthread_tsd_cleanup_key(), which looks like this:
20946
20947 void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
20948 {
20949 void (*destructor)(void *);
20950 if (_pthread_key_get_destructor(key, &destructor)) {
20951 void **ptr = &self->tsd[key];
20952 void *value = *ptr;
20953
20954 // === Start of window for the bug to manifest =================
20955
20956 // At this point, this thread has cached "destructor" and "value"
20957 // (which is a MachineThreads*). If the VM gets destructed (along
20958 // with its MachineThreads registry) by another thread, then this
20959 // thread will have no way of knowing that the MachineThreads* is
20960 // now pointing to freed memory. Calling the destructor below will
20961 // therefore result in a use after free scenario when it tries to
20962 // access the MachineThreads' data members.
20963
20964 if (value) {
20965 *ptr = NULL;
20966 if (destructor) {
20967
20968 // === End of window for the bug to manifest ==================
20969
20970 destructor(value);
20971 }
20972 }
20973 }
20974 }
20975
20976 The fix is to add each active MachineThreads to an ActiveMachineThreadsManager,
20977 and always check if the manager still contains that MachineThreads object
20978 before we call removeCurrentThread() on it. When MachineThreads is destructed,
20979 it will remove itself from the manager. The add, remove, and checking
20980 operations are all synchronized on the manager's lock, thereby ensuring that
20981 the MachineThreads object, if found in the manager, will remain alive for the
20982 duration of time we call removeCurrentThread() on it.
20983
20984 It's also possible for the MachineThreads object to already be destructed
20985 and another one happened to have been instantiated at the same address.
20986 Hence, we should only remove the exiting thread if it is found in the
20987 MachineThreads object.
20988
20989 There is no test for this issue because this bug requires a race condition
20990 between 2 threads where:
20991 1. Thread B, which had previously used the VM, exiting and
20992 getting to the bug window shown in _pthread_tsd_cleanup_key() above.
20993 2. Thread A destructing the VM (and its MachineThreads object)
20994 within that window of time before Thread B calls the destructor.
20995
20996 It is not possible to get a reliable test case without invasively
20997 instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread()
20998 to significantly increase that window of opportunity.
20999
21000 * heap/MachineStackMarker.cpp:
21001 (JSC::ActiveMachineThreadsManager::Locker::Locker):
21002 (JSC::ActiveMachineThreadsManager::add):
21003 (JSC::ActiveMachineThreadsManager::remove):
21004 (JSC::ActiveMachineThreadsManager::contains):
21005 (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
21006 (JSC::activeMachineThreadsManager):
21007 (JSC::MachineThreads::MachineThreads):
21008 (JSC::MachineThreads::~MachineThreads):
21009 (JSC::MachineThreads::removeThread):
21010 (JSC::MachineThreads::removeThreadIfFound):
21011 (JSC::MachineThreads::removeCurrentThread): Deleted.
21012 * heap/MachineStackMarker.h:
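
An added example (not JavaScriptCore's own code) of the pattern the entry above describes: a lock-protected manager keyed on the registry's address, consulted by the thread-exit path before the cached value is ever dereferenced, plus a removeThreadIfFound-style check for a live registry that does not know the exiting thread. The class names, the simulated TSD value and the thread ids are assumptions, and the race is replayed sequentially rather than with real threads.

```cpp
#include <cstdint>
#include <mutex>
#include <set>

// Hypothetical stand-ins for MachineThreads / ActiveMachineThreadsManager;
// added example code, not JavaScriptCore's own.
class ActiveRegistryManager;
ActiveRegistryManager& activeRegistryManager();

// Per-VM record of the threads that have used it (the MachineThreads role).
class ThreadRegistry {
public:
    ThreadRegistry();
    ~ThreadRegistry();
    void addThread(uint64_t threadId) { std::lock_guard<std::mutex> locker(m_lock); m_threads.insert(threadId); }
    // The removeThreadIfFound idea: a registry that merely reuses a freed
    // registry's address does not know this thread, so it reports "not found"
    // rather than mutating state that belongs to some other VM.
    bool removeThreadIfFound(uint64_t threadId) { std::lock_guard<std::mutex> locker(m_lock); return m_threads.erase(threadId) > 0; }

private:
    std::mutex m_lock;
    std::set<uint64_t> m_threads;
};

// Tracks which registries are alive, keyed by address so that a stale value
// is only ever compared, never dereferenced.
class ActiveRegistryManager {
public:
    void add(uintptr_t key) { std::lock_guard<std::mutex> locker(m_lock); m_active.insert(key); }
    void remove(uintptr_t key) { std::lock_guard<std::mutex> locker(m_lock); m_active.erase(key); }

    // Runs `action` on the registry behind `key` only if it is still registered.
    // Holding the manager lock across the call is what keeps the registry alive:
    // its destructor must take the same lock before it can unregister.
    template<typename Action>
    bool ifAlive(uintptr_t key, Action action)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        if (!m_active.count(key))
            return false;
        action(*reinterpret_cast<ThreadRegistry*>(key));
        return true;
    }

private:
    std::mutex m_lock;
    std::set<uintptr_t> m_active;
};

ActiveRegistryManager& activeRegistryManager()
{
    static ActiveRegistryManager manager;
    return manager;
}

ThreadRegistry::ThreadRegistry() { activeRegistryManager().add(reinterpret_cast<uintptr_t>(this)); }
ThreadRegistry::~ThreadRegistry() { activeRegistryManager().remove(reinterpret_cast<uintptr_t>(this)); }

enum class CleanupOutcome { RegistryGone, Removed, NotRegisteredHere };

// What the thread-exit (TSD destructor) path does with the value it cached before
// the race window: validate it through the manager before touching it.
CleanupOutcome threadExitCleanup(uintptr_t cachedRegistry, uint64_t threadId)
{
    CleanupOutcome outcome = CleanupOutcome::RegistryGone;
    activeRegistryManager().ifAlive(cachedRegistry, [&](ThreadRegistry& registry) {
        outcome = registry.removeThreadIfFound(threadId)
            ? CleanupOutcome::Removed : CleanupOutcome::NotRegisteredHere;
    });
    return outcome;
}

// Scenario 1: thread A tears the VM down inside the window, after thread B has
// cached the value but before B's destructor runs with it.
CleanupOutcome scenarioRegistryFreedInWindow()
{
    ThreadRegistry* registry = new ThreadRegistry;
    registry->addThread(42);
    uintptr_t cached = reinterpret_cast<uintptr_t>(registry); // B's cached TSD value
    delete registry;                                           // A destroys the VM
    return threadExitCleanup(cached, 42);                      // B: no dereference
}

// Scenario 2: a live registry that never saw this thread is left untouched.
CleanupOutcome scenarioDifferentRegistryAlive()
{
    ThreadRegistry fresh;
    return threadExitCleanup(reinterpret_cast<uintptr_t>(&fresh), 42);
}

// Scenario 3: the ordinary exit, registry alive and thread known.
CleanupOutcome scenarioNormalExit()
{
    ThreadRegistry registry;
    registry.addThread(42);
    return threadExitCleanup(reinterpret_cast<uintptr_t>(&registry), 42);
}
```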
21013
21014 2015-02-26 Joseph Pecoraro <pecoraro@apple.com>
21015
21016 Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n)
21017 https://bugs.webkit.org/show_bug.cgi?id=142061
21018
21019 Reviewed by Timothy Hatcher.
21020
21021 * inspector/protocol/Debugger.json:
21022 * inspector/protocol/Runtime.json:
21023 Input flag "saveResult" on whether we should try to save a result.
21024 Output int "savedResultIndex" to tell the frontend the saved state.
21025
21026 * inspector/InjectedScriptSource.js:
21027 Handle saving and clearing $1-$99 values.
21028 Include in BasicCommandLineAPI for JSContext inspection.
21029
21030 * inspector/InjectedScriptBase.cpp:
21031 (Inspector::InjectedScriptBase::makeEvalCall):
21032 * inspector/InjectedScriptBase.h:
21033 Allow an optional "savedResultIndex" out value on evals.
21034
21035 * inspector/InjectedScript.cpp:
21036 (Inspector::InjectedScript::evaluate):
21037 (Inspector::InjectedScript::evaluateOnCallFrame):
21038 * inspector/InjectedScript.h:
21039 * inspector/agents/InspectorDebuggerAgent.cpp:
21040 (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
21041 * inspector/agents/InspectorDebuggerAgent.h:
21042 * inspector/agents/InspectorRuntimeAgent.cpp:
21043 (Inspector::InspectorRuntimeAgent::evaluate):
21044 * inspector/agents/InspectorRuntimeAgent.h:
21045 Plumbing for new in and out parameters.
21046
21047 2015-02-26 Filip Pizlo <fpizlo@apple.com>
21048
21049 The bool returning form of BytecodeGenerator::addVar() can be removed
21050 https://bugs.webkit.org/show_bug.cgi?id=142064
21051
21052 Reviewed by Mark Lam.
21053
21054 It's easier to implement addVar() when you don't have to return whether it's a new
21055 variable or not.
21056
21057 * bytecompiler/BytecodeGenerator.cpp:
21058 (JSC::BytecodeGenerator::addVar):
21059 * bytecompiler/BytecodeGenerator.h:
21060 (JSC::BytecodeGenerator::addVar): Deleted.
21061
21062 2015-02-26 Filip Pizlo <fpizlo@apple.com>
21063
21064 Various array access corner cases should take OSR exit feedback
21065 https://bugs.webkit.org/show_bug.cgi?id=142056
21066
21067 Reviewed by Geoffrey Garen.
21068
21069 Two major changes here:
21070
21071 - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
21072 type check.
21073
21074 - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
21075 like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
21076 arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
21077 the Generic array mode.
21078
21079 * bytecode/ExitKind.cpp:
21080 (JSC::exitKindToString):
21081 * bytecode/ExitKind.h:
21082 * dfg/DFGArrayMode.cpp:
21083 (JSC::DFG::ArrayMode::refine):
21084 * dfg/DFGFixupPhase.cpp:
21085 (JSC::DFG::FixupPhase::fixupNode):
21086 * dfg/DFGSpeculativeJIT.cpp:
21087 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
21088 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
21089 * tests/stress/array-length-array-storage-plain-object.js: Added.
21090 (foo):
21091 * tests/stress/array-length-plain-object.js: Added.
21092 (foo):
21093
210942015-02-25 Filip Pizlo <fpizlo@apple.com>
21095
21096 DFG SSA stack accesses shouldn't speak of VariableAccessDatas
21097 https://bugs.webkit.org/show_bug.cgi?id=142036
21098
21099 Reviewed by Michael Saboff.
21100
21101 VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
21102 SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
21103 or store to the stack, and you know what format to use as well as the location, then prior to
21104 this patch you couldn't do it unless you found some existing VariableAccessData that matched
21105 your requirements. That can be a hard task.
21106
21107 It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
21108 that speak of the things that a stack access needs: local, machineLocal, and format. This
21109 patch changes the SSA way of accessing the stack to do just that.
21110
21111 Also add more IR validation.
21112
21113 * CMakeLists.txt:
21114 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21115 * JavaScriptCore.xcodeproj/project.pbxproj:
21116 * dfg/DFGAbstractInterpreterInlines.h:
21117 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
21118 * dfg/DFGClobberize.h:
21119 (JSC::DFG::clobberize):
21120 * dfg/DFGConstantFoldingPhase.cpp:
21121 (JSC::DFG::ConstantFoldingPhase::foldConstants):
21122 * dfg/DFGDoesGC.cpp:
21123 (JSC::DFG::doesGC):
21124 * dfg/DFGFixupPhase.cpp:
21125 (JSC::DFG::FixupPhase::fixupNode):
21126 * dfg/DFGFlushFormat.h:
21127 (JSC::DFG::isConcrete):
21128 * dfg/DFGGraph.cpp:
21129 (JSC::DFG::Graph::dump):
21130 * dfg/DFGGraph.h:
21131 * dfg/DFGMayExit.cpp:
21132 (JSC::DFG::mayExit):
21133 * dfg/DFGNode.cpp:
21134 (JSC::DFG::Node::hasVariableAccessData):
21135 * dfg/DFGNode.h:
21136 (JSC::DFG::StackAccessData::StackAccessData):
21137 (JSC::DFG::StackAccessData::flushedAt):
21138 (JSC::DFG::Node::convertToPutStack):
21139 (JSC::DFG::Node::convertToGetStack):
21140 (JSC::DFG::Node::hasUnlinkedLocal):
21141 (JSC::DFG::Node::hasStackAccessData):
21142 (JSC::DFG::Node::stackAccessData):
21143 (JSC::DFG::Node::willHaveCodeGenOrOSR):
21144 * dfg/DFGNodeType.h:
21145 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
21146 (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
21147 * dfg/DFGPlan.cpp:
21148 (JSC::DFG::Plan::compileInThreadImpl):
21149 * dfg/DFGPredictionPropagationPhase.cpp:
21150 (JSC::DFG::PredictionPropagationPhase::propagate):
21151 * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
21152 * dfg/DFGPutLocalSinkingPhase.h: Removed.
21153 * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
21154 (JSC::DFG::performPutStackSinking):
21155 (JSC::DFG::performPutLocalSinking): Deleted.
21156 * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
21157 * dfg/DFGSSAConversionPhase.cpp:
21158 (JSC::DFG::SSAConversionPhase::run):
21159 * dfg/DFGSafeToExecute.h:
21160 (JSC::DFG::safeToExecute):
21161 * dfg/DFGSpeculativeJIT32_64.cpp:
21162 (JSC::DFG::SpeculativeJIT::compile):
21163 * dfg/DFGSpeculativeJIT64.cpp:
21164 (JSC::DFG::SpeculativeJIT::compile):
21165 * dfg/DFGStackLayoutPhase.cpp:
21166 (JSC::DFG::StackLayoutPhase::run):
21167 * dfg/DFGValidate.cpp:
21168 (JSC::DFG::Validate::validate):
21169 (JSC::DFG::Validate::validateCPS):
21170 (JSC::DFG::Validate::validateSSA):
21171 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
21172 (JSC::DFG::VirtualRegisterAllocationPhase::run):
21173 * ftl/FTLCapabilities.cpp:
21174 (JSC::FTL::canCompile):
21175 * ftl/FTLLowerDFGToLLVM.cpp:
21176 (JSC::FTL::LowerDFGToLLVM::lower):
21177 (JSC::FTL::LowerDFGToLLVM::compileNode):
21178 (JSC::FTL::LowerDFGToLLVM::compileGetStack):
21179 (JSC::FTL::LowerDFGToLLVM::compilePutStack):
21180 (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
21181 (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
21182 * ftl/FTLOSRExit.h:
21183 * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
21184 (foo):
21185 (bar):
21186 (baz):
21187 (fuzz):
21188 (buzz):
21189
211902015-02-26 Mark Lam <mark.lam@apple.com>
21191
21192 Rolling out r180602, r180608, r180613, r180617, r180671.
21193 <https://webkit.org/b/141990>
21194
21195 Not reviewed.
21196
21197 The r180602 solution does result in more work for GC when worker
21198 threads are in use. Filip is uncomfortable with that.
21199 The EFL and GTK ports also seem to be unhappy with this change.
21200 Rolling out while we investigate.
21201
21202 * heap/Heap.cpp:
21203 (JSC::Heap::Heap):
21204 (JSC::Heap::gatherStackRoots):
21205 (JSC::Heap::machineThreads): Deleted.
21206 * heap/Heap.h:
21207 (JSC::Heap::machineThreads):
21208 * heap/MachineStackMarker.cpp:
21209 (JSC::MachineThreads::MachineThreads):
21210 (JSC::MachineThreads::~MachineThreads):
21211 (JSC::MachineThreads::addCurrentThread):
21212 * heap/MachineStackMarker.h:
21213 * runtime/JSLock.cpp:
21214 (JSC::JSLock::didAcquireLock):
21215
212162015-02-26 Myles C. Maxfield <mmaxfield@apple.com>
21217
21218 [Mac] [iOS] Parsing support for -apple-trailing-word
21219 https://bugs.webkit.org/show_bug.cgi?id=141939
21220
21221 Reviewed by Andreas Kling.
21222
21223 * Configurations/FeatureDefines.xcconfig:
21224
212252015-02-26 Michael Saboff <msaboff@apple.com>
21226
21227 [Win] Debug-only JavaScriptCore failures
21228 https://bugs.webkit.org/show_bug.cgi?id=142045
21229
21230 Rubber stamped by Filip Pizlo.
21231
21232 Reduced loop count to a more reasonable value of 10,000. This still gets us to tier up
21233 to the FTL, but doesn't take too long to run.
21234
21235 * tests/stress/repeated-arity-check-fail.js:
21236
212372015-02-26 Brent Fulgham <bfulgham@apple.com>
21238
21239 [Win] Make build logs more legible by reducing noise
21240 https://bugs.webkit.org/show_bug.cgi?id=142034
21241
21242 Reviewed by Alexey Proskuryakov.
21243
21244 Modify batch files, makefiles, and DOS commands to remove
21245 uninteresting/unhelpful output.
21246
21247 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
21248 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
21249 * JavaScriptCore.vcxproj/copy-files.cmd:
21250 * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
21251 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
21252 * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
21253 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
21254 * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
21255 * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
21256 * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
21257 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
21258
212592015-02-26 Csaba Osztrogonác <ossy@webkit.org>
21260
21261 Add calleeSaveRegisters() implementation for ARM Traditional
21262 https://bugs.webkit.org/show_bug.cgi?id=141903
21263
21264 Reviewed by Darin Adler.
21265
21266 * jit/RegisterSet.cpp:
21267 (JSC::RegisterSet::calleeSaveRegisters):
21268
212692015-02-25 Michael Saboff <msaboff@apple.com>
21270
21271 Web Inspector: CRASH when debugger pauses inside a Promise handler
21272 https://bugs.webkit.org/show_bug.cgi?id=141396
21273
21274 Reviewed by Mark Lam.
21275
21276 For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
21277 create the DebuggerScope for that frame.
21278
21279 * debugger/DebuggerCallFrame.cpp:
21280 (JSC::DebuggerCallFrame::scope):
21281
212822015-02-25 Filip Pizlo <fpizlo@apple.com>
21283
21284 DFG abstract heaps should respect the difference between heap and stack
21285 https://bugs.webkit.org/show_bug.cgi?id=142022
21286
21287 Reviewed by Geoffrey Garen.
21288
21289 We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
21290 clobbering" operation cannot write to our stack, but may be able to read from it. This
21291 means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
21292 subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
21293 of World and a sibling of Heap.
21294
21295 So, henceforth "clobbering the world" means reading World and writing Heap.
21296
21297 This makes a bunch of changes to make this work, including changing the implementation of
21298 disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
21299 a slow-down, but I measured the heck out of this and found no perf difference.
21300
21301 * dfg/DFGAbstractHeap.cpp:
21302 (JSC::DFG::AbstractHeap::dump):
21303 * dfg/DFGAbstractHeap.h:
21304 (JSC::DFG::AbstractHeap::supertype):
21305 (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
21306 (JSC::DFG::AbstractHeap::isSubtypeOf):
21307 (JSC::DFG::AbstractHeap::overlaps):
21308 (JSC::DFG::AbstractHeap::isDisjoint):
21309 * dfg/DFGClobberize.cpp:
21310 (JSC::DFG::clobbersHeap):
21311 (JSC::DFG::clobbersWorld): Deleted.
21312 * dfg/DFGClobberize.h:
21313 (JSC::DFG::clobberize):
21314 * dfg/DFGDoesGC.cpp:
21315 (JSC::DFG::doesGC):
21316
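The entry above describes the World > {Heap, Stack} split and the consequence that "clobbering the world" now means reading World but writing only Heap. The following is an added example, not JavaScriptCore code: a miniature abstract-heap hierarchy with the same three top-level kinds, the subtype/disjointness queries the entry names, and the two alias questions an optimizer asks of them. The kinds Butterfly and Variables are illustrative subtypes and are not taken from the page.

```javascript
// Added example (not JavaScriptCore code): a miniature abstract-heap
// hierarchy with the World > {Heap, Stack} split, and the disjointness
// test that alias queries are built on. Butterfly and Variables are
// illustrative subtypes, not names from the project.
const SUPERTYPE = {
  World: null,
  Heap: 'World',
  Stack: 'World',
  Butterfly: 'Heap',   // illustrative Heap subtype (object storage)
  Variables: 'Stack',  // illustrative Stack subtype (local variables)
};

function supertype(kind) {
  if (!(kind in SUPERTYPE)) throw new Error(`unknown abstract heap: ${kind}`);
  return SUPERTYPE[kind];
}

// a <= b in the hierarchy: walk up from a until we reach b or the root.
function isSubtypeOf(a, b) {
  for (let k = a; k !== null; k = supertype(k)) {
    if (k === b) return true;
  }
  return false;
}

function isStrictSubtypeOf(a, b) {
  return a !== b && isSubtypeOf(a, b);
}

// Two heaps overlap when one contains the other; otherwise they are disjoint.
// Siblings such as Heap and Stack are therefore disjoint even though both
// are inside World.
function overlaps(a, b) {
  return isSubtypeOf(a, b) || isSubtypeOf(b, a);
}

function isDisjoint(a, b) {
  return !overlaps(a, b);
}

// Effect summaries of a "world clobbering" node. After the change it reads
// World but writes only Heap; before it, the same node wrote all of World.
const CLOBBER_WORLD_NEW = { reads: ['World'], writes: ['Heap'] };
const CLOBBER_WORLD_OLD = { reads: ['World'], writes: ['World'] };

// May a value loaded from `kind` before `node` still be reused after it?
// Only if nothing the node writes can overlap the loaded location.
function loadSurvives(node, kind) {
  return node.writes.every((w) => isDisjoint(w, kind));
}

// Must a store to `kind` stay in place across `node`? Yes if the node may
// read it; a store the node cannot observe could be moved past it.
function storeObservedBy(node, kind) {
  return node.reads.some((r) => overlaps(r, kind));
}

// Stand-alone run: show how the two models treat a stack slot.
for (const [name, node] of [['old', CLOBBER_WORLD_OLD], ['new', CLOBBER_WORLD_NEW]]) {
  console.log(name, 'model: Variables load survives clobber?', loadSurvives(node, 'Variables'),
    '| store observed?', storeObservedBy(node, 'Variables'));
}
```

The queries are the point: with the new summary a load of a local variable survives a world-clobbering node (Stack and Heap are disjoint siblings), while a load of object storage does not (Butterfly is inside Heap); in both models the node still observes a prior store to the stack, because it reads World.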
213172015-02-25 Ryosuke Niwa <rniwa@webkit.org>
21318
21319 REGRESSION(r180595): construct varargs fails in FTL
21320 https://bugs.webkit.org/show_bug.cgi?id=142030
21321
21322 Reviewed by Geoffrey Garen.
21323
21324 The bug was caused by the IC size being too small for construct_varargs even though we've added a new argument.
21325 Fixed the bug by increasing the IC size to match call_varargs.
21326
21327 * ftl/FTLInlineCacheSize.cpp:
21328 (JSC::FTL::sizeOfConstructVarargs):
21329
213302015-02-25 Mark Lam <mark.lam@apple.com>
21331
21332 ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
21333 <https://webkit.org/b/141672>
21334
21335 Reviewed by Alexey Proskuryakov.
21336
21337 ASan does not like the fact that we memcpy the stack for GC scans. So,
21338 we're working around this by using our own memcpy (asanUnsafeMemcpy)
21339 implementation that we can tell ASan to ignore.
21340
21341 * heap/MachineStackMarker.cpp:
21342 (JSC::asanUnsafeMemcpy):
21343
213442015-02-25 Benjamin Poulain <bpoulain@apple.com>
21345
21346 CodeBlock crashes when dumping op_push_name_scope
21347 https://bugs.webkit.org/show_bug.cgi?id=141953
21348
21349 Reviewed by Filip Pizlo and Csaba Osztrogonác.
21350
21351 * bytecode/CodeBlock.cpp:
21352 (JSC::CodeBlock::dumpBytecode):
21353 * tests/stress/op-push-name-scope-crashes-profiler.js: Added.
21354
213552015-02-25 Benjamin Poulain <benjamin@webkit.org>
21356
21357 Make ParserError immutable by design
21358 https://bugs.webkit.org/show_bug.cgi?id=141955
21359
21360 Reviewed by Geoffrey Garen.
21361
21362 This patch enforces that no field of ParserError can
21363 be modified after the constructor.
21364
21365 * parser/ParserError.h:
21366 Move the attributes to pack the integer + 2 bytes together.
21367 This is irrelevant for memory impact; it is to remove a load-store
21368 when copying by value.
21369
21370 Also move the attributes to be private.
21371
21372 (JSC::ParserError::isValid):
21373 No client of the interface cared about the type of the error;
21374 the only information needed was: is there an error.
21375
21376 (JSC::ParserError::ParserError):
21377 (JSC::ParserError::syntaxErrorType):
21378 (JSC::ParserError::token):
21379 (JSC::ParserError::message):
21380 (JSC::ParserError::line):
21381 (JSC::ParserError::toErrorObject):
21382 * API/JSScriptRef.cpp:
21383 * builtins/BuiltinExecutables.cpp:
21384 (JSC::BuiltinExecutables::createBuiltinExecutable):
21385 * bytecode/UnlinkedCodeBlock.cpp:
21386 (JSC::generateFunctionCodeBlock):
21387 (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
21388 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
21389 * bytecode/UnlinkedCodeBlock.h:
21390 * inspector/agents/InspectorRuntimeAgent.cpp:
21391 (Inspector::InspectorRuntimeAgent::parse):
21392 * jsc.cpp:
21393 (runInteractive):
21394 * parser/Parser.h:
21395 (JSC::parse):
21396 * runtime/CodeCache.cpp:
21397 (JSC::CodeCache::getGlobalCodeBlock):
21398 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
21399 * runtime/CodeCache.h:
21400 * runtime/Completion.h:
21401 * runtime/Executable.cpp:
21402 (JSC::ProgramExecutable::checkSyntax):
21403 * runtime/JSGlobalObject.cpp:
21404 (JSC::JSGlobalObject::createProgramCodeBlock):
21405 (JSC::JSGlobalObject::createEvalCodeBlock):
21406
214072015-02-25 Filip Pizlo <fpizlo@apple.com>
21408
21409 Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
21410 https://bugs.webkit.org/show_bug.cgi?id=142006
21411
21412 Reviewed by Csaba Osztrogonác.
21413
21414 This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
21415 concurrent JIT enabled.
21416
21417 * llvm/InitializeLLVMPOSIX.cpp:
21418 (JSC::initializeLLVMPOSIX):
21419
214202015-02-24 Filip Pizlo <fpizlo@apple.com>
21421
21422 CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
21423 https://bugs.webkit.org/show_bug.cgi?id=141989
21424
21425 Reviewed by Gyuyoung Kim.
21426
21427 * CMakeLists.txt:
21428 * llvm/library/libllvmForJSC.version: Added.
21429
214302015-02-24 Alexey Proskuryakov <ap@apple.com>
21431
21432 More iOS build fix after r180602.
21433
21434 * heap/Heap.h: Export Heap::machineThreads().
21435
214362015-02-24 Brent Fulgham <bfulgham@apple.com>
21437
21438 Unreviewed build fix after r180602.
21439
21440 * heap/MachineStackMarker.h: Add missing 'no return'
21441 declaration for Windows.
21442
214432015-02-24 Commit Queue <commit-queue@webkit.org>
21444
21445 Unreviewed, rolling out r180599.
21446 https://bugs.webkit.org/show_bug.cgi?id=141998
21447
21448 Lots of new test failures (Requested by smfr on #webkit).
21449
21450 Reverted changeset:
21451
21452 "Parsing support for -webkit-trailing-word"
21453 https://bugs.webkit.org/show_bug.cgi?id=141939
21454 http://trac.webkit.org/changeset/180599
21455
214562015-02-24 Mark Lam <mark.lam@apple.com>
21457
21458 MachineThreads::Thread clean up has a use after free race condition.
21459 <https://webkit.org/b/141990>
21460
21461 Reviewed by Michael Saboff.
21462
21463 MachineThreads::Thread clean up relies on the clean up mechanism
21464 implemented in _pthread_tsd_cleanup_key(), which looks like this:
21465
21466 void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
21467 {
21468 void (*destructor)(void *);
21469 if (_pthread_key_get_destructor(key, &destructor)) {
21470 void **ptr = &self->tsd[key];
21471 void *value = *ptr;
21472
21473 // At this point, this thread has cached "destructor" and "value"
21474 // (which is a MachineThreads*). If the VM gets destructed (along
21475 // with its MachineThreads registry) by another thread, then this
21476 // thread will have no way of knowing that the MachineThreads* is
21477 // now pointing to freed memory. Calling the destructor below will
21478 // therefore result in a use after free scenario when it tries to
21479 // access the MachineThreads' data members.
21480
21481 if (value) {
21482 *ptr = NULL;
21483 if (destructor) {
21484 destructor(value);
21485 }
21486 }
21487 }
21488 }
21489
21490 The solution is simply to change MachineThreads from a per VM thread
21491 registry to a process global singleton thread registry i.e. the
21492 MachineThreads registry is now immortal and we cannot have a use after
21493 free scenario since we never free it.
21494
21495 The cost of this change is that all VM instances will have to scan
21496 stacks of all threads ever touched by a VM, and not just those that
21497 touched a specific VM. However, stacks tend to be shallow. Hence,
21498 those additional scans will tend to be cheap.
21499
21500 Secondly, it is not common for there to be multiple JSC VMs in use
21501 concurrently on multiple threads. Hence, this cost should rarely
21502 manifest in real world applications.
21503
21504 * heap/Heap.cpp:
21505 (JSC::Heap::Heap):
21506 (JSC::Heap::machineThreads):
21507 (JSC::Heap::gatherStackRoots):
21508 * heap/Heap.h:
21509 (JSC::Heap::machineThreads): Deleted.
21510 * heap/MachineStackMarker.cpp:
21511 (JSC::MachineThreads::MachineThreads):
21512 (JSC::MachineThreads::~MachineThreads):
21513 (JSC::MachineThreads::addCurrentThread):
21514 * heap/MachineStackMarker.h:
21515 * runtime/JSLock.cpp:
21516 (JSC::JSLock::didAcquireLock):
21517
215182015-02-24 Myles C. Maxfield <mmaxfield@apple.com>
21519
21520 [Mac] [iOS] Parsing support for -apple-trailing-word
21521 https://bugs.webkit.org/show_bug.cgi?id=141939
21522
21523 Reviewed by Andreas Kling.
21524
21525 * Configurations/FeatureDefines.xcconfig:
21526
215272015-02-24 Ryosuke Niwa <rniwa@webkit.org>
21528
21529 Use "this" instead of "callee" to get the constructor
21530 https://bugs.webkit.org/show_bug.cgi?id=141019
21531
21532 Reviewed by Filip Pizlo.
21533
21534 This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
21535 op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
21536 to pass in the most derived class' constructor through "this" argument.
21537
21538 BytecodeGenerator's emitConstruct and emitConstructVarargs now pass thisRegister like
21539 regular calls and emitCreateThis passes in this register to op_create_this as the constructor.
21540
21541 The rest of the code change removes the code for special casing "this" register not being used
21542 in call to construct.
21543
21544 * bytecode/BytecodeUseDef.h:
21545 (JSC::computeUsesForBytecodeOffset):
21546 * bytecompiler/BytecodeGenerator.cpp:
21547 (JSC::BytecodeGenerator::emitCreateThis):
21548 (JSC::BytecodeGenerator::emitConstructVarargs):
21549 (JSC::BytecodeGenerator::emitConstruct):
21550 * bytecompiler/BytecodeGenerator.h:
21551 * bytecompiler/NodesCodegen.cpp:
21552 (JSC::NewExprNode::emitBytecode):
21553 * dfg/DFGByteCodeParser.cpp:
21554 (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
21555 (JSC::DFG::ByteCodeParser::handleVarargsCall):
21556 (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
21557 (JSC::DFG::ByteCodeParser::attemptToInlineCall):
21558 (JSC::DFG::ByteCodeParser::handleInlining):
21559 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
21560 (JSC::DFG::ByteCodeParser::parseBlock):
21561 * dfg/DFGJITCode.cpp:
21562 (JSC::DFG::JITCode::reconstruct):
21563 * dfg/DFGSpeculativeJIT32_64.cpp:
21564 (JSC::DFG::SpeculativeJIT::emitCall):
21565 * dfg/DFGSpeculativeJIT64.cpp:
21566 (JSC::DFG::SpeculativeJIT::emitCall):
21567 * ftl/FTLJSCallVarargs.cpp:
21568 (JSC::FTL::JSCallVarargs::emit):
21569 * ftl/FTLLowerDFGToLLVM.cpp:
21570 (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
21571 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
21572 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
21573 * interpreter/Interpreter.cpp:
21574 (JSC::Interpreter::executeConstruct):
21575 * jit/JITOperations.cpp:
21576
215772015-02-24 Joseph Pecoraro <pecoraro@apple.com>
21578
21579 Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
21580 https://bugs.webkit.org/show_bug.cgi?id=141587
21581
21582 Reviewed by Timothy Hatcher.
21583
21584 Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
21585 Mark PropertyDescriptors that are presumed to be native getters / bindings
21586 separately so that the frontend may display them differently.
21587
21588 * inspector/InjectedScript.cpp:
21589 (Inspector::InjectedScript::getProperties):
21590 (Inspector::InjectedScript::getDisplayableProperties):
21591 * inspector/InjectedScript.h:
21592 * inspector/InjectedScriptSource.js:
21593 * inspector/agents/InspectorRuntimeAgent.cpp:
21594 (Inspector::InspectorRuntimeAgent::getProperties):
21595 (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
21596 * inspector/agents/InspectorRuntimeAgent.h:
21597 * inspector/protocol/Runtime.json:
21598
215992015-02-24 Mark Lam <mark.lam@apple.com>
21600
21601 Rolling out r179753. The fix was invalid.
21602 <https://webkit.org/b/141990>
21603
21604 Not reviewed.
21605
21606 * API/tests/testapi.mm:
21607 (threadMain):
21608 (useVMFromOtherThread): Deleted.
21609 (useVMFromOtherThreadAndOutliveVM): Deleted.
21610 * heap/Heap.cpp:
21611 (JSC::Heap::Heap):
21612 (JSC::Heap::~Heap):
21613 (JSC::Heap::gatherStackRoots):
21614 * heap/Heap.h:
21615 (JSC::Heap::machineThreads):
21616 * heap/MachineStackMarker.cpp:
21617 (JSC::MachineThreads::Thread::Thread):
21618 (JSC::MachineThreads::MachineThreads):
21619 (JSC::MachineThreads::~MachineThreads):
21620 (JSC::MachineThreads::addCurrentThread):
21621 (JSC::MachineThreads::removeThread):
21622 (JSC::MachineThreads::removeCurrentThread):
21623 * heap/MachineStackMarker.h:
21624
216252015-02-24 Yusuke Suzuki <utatane.tea@gmail.com>
21626
21627 Constructor returning null should construct an object instead of null
21628 https://bugs.webkit.org/show_bug.cgi?id=141640
21629
21630 Reviewed by Filip Pizlo.
21631
21632 When constructor code doesn't return an object, the constructor should return the `this` object instead.
21633 Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
21634 it allows `null` as an object.
21635 This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
21636 Instead, the constructor uses the simplified `is_object`.
21637
21638 As a result, `op_is_object` becomes fairly simple. So we introduce optimizations for `op_is_object`.
21639
21640 1. LLInt and the baseline JIT support `op_is_object` as a fast path.
21641 2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
21642 3. The DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
21643 4. The FTL lowers the DFG's IsObject into LLVM IR.
21644
21645 And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
21646 in LLInt, JIT, DFG and FTL.
21647 Before introducing ES6 Symbol, JSCell was only used for objects and strings in the user-observable area.
21648 So in many places, when the cell is not an object, we recognize it as a string, and vice versa.
21649 However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
21650 So this patch stops using !isString as isObject.
21651 To check whether a cell is an object, instead of checking that the structure ID of a cell is not stringStructure,
21652 we examine the typeInfo in JSCell.
21653
21654 * JavaScriptCore.order:
21655 * bytecode/BytecodeList.json:
21656 * bytecode/BytecodeUseDef.h:
21657 (JSC::computeUsesForBytecodeOffset):
21658 (JSC::computeDefsForBytecodeOffset):
21659 * bytecode/CodeBlock.cpp:
21660 (JSC::CodeBlock::dumpBytecode):
21661 * bytecode/PutByIdStatus.cpp:
21662 (JSC::PutByIdStatus::computeFor):
21663 * bytecompiler/BytecodeGenerator.cpp:
21664 (JSC::BytecodeGenerator::emitEqualityOp):
21665 (JSC::BytecodeGenerator::emitReturn):
21666 * dfg/DFGAbstractInterpreterInlines.h:
21667 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
21668 * dfg/DFGByteCodeParser.cpp:
21669 (JSC::DFG::ByteCodeParser::parseBlock):
21670 * dfg/DFGCapabilities.cpp:
21671 (JSC::DFG::capabilityLevel):
21672 * dfg/DFGClobberize.h:
21673 (JSC::DFG::clobberize):
21674
21675 The IsObject operation only touches the JSCell typeInfoType.
21676 And this value would be changed through structure transition.
21677 As a result, IsObject can report that it doesn't read any information.
21678
21679 * dfg/DFGConstantFoldingPhase.cpp:
21680 (JSC::DFG::ConstantFoldingPhase::foldConstants):
21681 * dfg/DFGDoesGC.cpp:
21682 (JSC::DFG::doesGC):
21683 * dfg/DFGFixupPhase.cpp:
21684 (JSC::DFG::FixupPhase::fixupNode):
21685
21686 Just like IsString, IsObject is also fixed up.
21687
21688 * dfg/DFGHeapLocation.cpp:
21689 (WTF::printInternal):
21690 * dfg/DFGHeapLocation.h:
21691 * dfg/DFGNodeType.h:
21692 * dfg/DFGOperations.cpp:
21693 * dfg/DFGOperations.h:
21694 * dfg/DFGPredictionPropagationPhase.cpp:
21695 (JSC::DFG::PredictionPropagationPhase::propagate):
21696 * dfg/DFGSafeToExecute.h:
21697 (JSC::DFG::safeToExecute):
21698 * dfg/DFGSpeculativeJIT.cpp:
21699 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
21700 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
21701 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
21702 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
21703 (JSC::DFG::SpeculativeJIT::speculateObject):
21704 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
21705 (JSC::DFG::SpeculativeJIT::speculateString):
21706 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
21707 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
21708 (JSC::DFG::SpeculativeJIT::emitSwitchString):
21709 (JSC::DFG::SpeculativeJIT::branchIsObject):
21710 (JSC::DFG::SpeculativeJIT::branchNotObject):
21711 (JSC::DFG::SpeculativeJIT::branchIsString):
21712 (JSC::DFG::SpeculativeJIT::branchNotString):
21713 * dfg/DFGSpeculativeJIT.h:
21714 * dfg/DFGSpeculativeJIT32_64.cpp:
21715 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
21716 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
21717 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
21718 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
21719 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
21720 (JSC::DFG::SpeculativeJIT::compile):
21721 * dfg/DFGSpeculativeJIT64.cpp:
21722 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
21723 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
21724 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
21725 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
21726 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
21727 (JSC::DFG::SpeculativeJIT::compile):
21728 * ftl/FTLCapabilities.cpp:
21729 (JSC::FTL::canCompile):
21730 * ftl/FTLLowerDFGToLLVM.cpp:
21731 (JSC::FTL::LowerDFGToLLVM::compileNode):
21732 (JSC::FTL::LowerDFGToLLVM::compileToString):
21733 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
21734 (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
21735 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
21736 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
21737 (JSC::FTL::LowerDFGToLLVM::isObject):
21738 (JSC::FTL::LowerDFGToLLVM::isNotObject):
21739 (JSC::FTL::LowerDFGToLLVM::isNotString):
21740 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
21741 * jit/JIT.cpp:
21742 (JSC::JIT::privateCompileMainPass):
21743 * jit/JIT.h:
21744 * jit/JITInlines.h:
21745 (JSC::JIT::emitJumpIfCellObject):
21746 * jit/JITOpcodes.cpp:
21747 (JSC::JIT::emit_op_is_object):
21748 (JSC::JIT::emit_op_to_primitive):
21749 * jit/JITOpcodes32_64.cpp:
21750 (JSC::JIT::emit_op_is_object):
21751 (JSC::JIT::emit_op_to_primitive):
21752 (JSC::JIT::compileOpStrictEq):
21753 * llint/LowLevelInterpreter.asm:
21754 * llint/LowLevelInterpreter32_64.asm:
21755 * llint/LowLevelInterpreter64.asm:
21756 * runtime/CommonSlowPaths.cpp:
21757 (JSC::SLOW_PATH_DECL):
21758 * runtime/CommonSlowPaths.h:
21759 * runtime/Operations.cpp:
21760 (JSC::jsIsObjectTypeOrNull):
21761 (JSC::jsIsObjectType): Deleted.
21762 * runtime/Operations.h:
21763 * tests/stress/constructor-with-return.js: Added.
21764 (Test):
21765
21766 When a constructor doesn't return an object, `this` should be returned instead.
21767 In this test, we check all primitives, and test objects, arrays and wrappers.
21768
21769 * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
21770 (toPrimitiveTarget):
21771 (doToPrimitive):
21772
21773 The op_to_primitive operation passes Symbol in the fast path.
21774
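The entry above (and its earlier landing of the same change further down this log, which was rolled out and then re-landed) describes the rule a constructor must follow: the body's return value replaces `this` only when it is an object, and `null` must not count as one even though `typeof null` is "object". The following is an added example, not JavaScriptCore code or one of its stress tests: it emulates the construct rule in plain JavaScript with the two predicates the entry distinguishes and checks the emulation against the engine's own `new` on every primitive kind, including Symbol. The names `isObject`, `isObjectOrNull`, `construct` and `Returning` are illustrative.

```javascript
// Added example (not JavaScriptCore code): the construct rule that
// op_is_object now enforces, emulated in plain JavaScript and checked
// against the engine's own `new`. All names here are illustrative.

// What the constructor return check needs: a non-null object
// (functions count as objects). This is the semantics of `op_is_object`.
function isObject(v) {
  return (typeof v === 'object' && v !== null) || typeof v === 'function';
}

// What `typeof v === 'object'` needs: the same test, but null is accepted.
// This is the semantics of the new `op_is_object_or_null`.
function isObjectOrNull(v) {
  return typeof v === 'object' || typeof v === 'function';
}

// Emulate `new C(...args)`: allocate `this`, run the body, and keep the
// body's return value only when it is an object. Using isObjectOrNull
// here instead of isObject is exactly the bug described above: a
// constructor returning null would produce null instead of `this`.
function construct(C, ...args) {
  const thisObj = Object.create(C.prototype);
  const result = C.apply(thisObj, args);
  return isObject(result) ? result : thisObj;
}

// Constructor whose body returns whatever it is given (constructed sample).
function Returning(value) {
  this.marker = 'this';
  return value;
}

// 'returned' if `new Returning(v)` yields v itself, 'this' otherwise.
function resultKind(v) {
  return new Returning(v) === v ? 'returned' : 'this';
}

// Constructed inputs: every primitive kind, plus objects and wrappers.
const SAMPLE_VALUES = [
  null, undefined, 0, 1, '', 'str', true, false, Symbol('s'),
  { marker: 'obj' }, [1, 2], function f() {}, new Number(3), new String('w'),
];

// True when the emulation and the engine agree on every sample value.
function emulationMatchesNative() {
  return SAMPLE_VALUES.every((v) => {
    const emulated = construct(Returning, v);
    const native = new Returning(v);
    if (isObject(v)) return emulated === v && native === v;
    return emulated.marker === 'this' && native.marker === 'this';
  });
}

// Stand-alone run: one line per sample value.
for (const v of SAMPLE_VALUES) {
  const label = typeof v === 'symbol' ? 'Symbol' : String(v);
  console.log(label, '->', resultKind(v));
}
```

Run it in any engine that implements the fixed behaviour and `resultKind(null)` is `'this'`, while `isObjectOrNull(null)` is still true; a Symbol return also yields `this`, which is the case the entry's `!isString` shortcut would have gotten wrong.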
217752015-02-24 Yusuke Suzuki <utatane.tea@gmail.com>
21776
21777 REGRESSION(r179429): Can't type comments in Facebook
21778 https://bugs.webkit.org/show_bug.cgi?id=141859
21779
21780 Reviewed by Brent Fulgham.
21781
21782 When window.Symbol is exposed to user-space pages,
21783 Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
21784 However, to work with Symbols completely, it also requires
21785 1) Object.getOwnPropertySymbols (for mixins including Symbols)
21786 2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
21787 Since they have not landed yet, comments in Facebook don't work.
21788
21789 This patch introduces RuntimeFlags for JavaScriptCore.
21790 It specifies the SymbolEnabled flag under the test runner and inspector to continue to work with Symbol,
21791 and drops the JavaScriptExperimentsEnabled flag
21792 because it is no longer used and its use case is duplicated by runtime flags.
21793
21794 * JavaScriptCore.order:
21795 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21796 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
21797 * JavaScriptCore.xcodeproj/project.pbxproj:
21798 * jsc.cpp:
21799 (GlobalObject::javaScriptRuntimeFlags):
21800 (GlobalObject::javaScriptExperimentsEnabled): Deleted.
21801 * runtime/JSGlobalObject.cpp:
21802 (JSC::JSGlobalObject::JSGlobalObject):
21803 (JSC::JSGlobalObject::init):
21804 * runtime/JSGlobalObject.h:
21805 (JSC::JSGlobalObject::finishCreation):
21806 (JSC::JSGlobalObject::javaScriptRuntimeFlags):
21807 (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
21808 * runtime/RuntimeFlags.h: Added.
21809 (JSC::RuntimeFlags::RuntimeFlags):
21810 (JSC::RuntimeFlags::createAllEnabled):
21811
218122015-02-23 Filip Pizlo <fpizlo@apple.com>
21813
21814 Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
21815 https://bugs.webkit.org/show_bug.cgi?id=141951
21816
21817 Reviewed by Benjamin Poulain.
21818
21819 This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
21820 still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
21821 is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
21822
21823 * runtime/Arguments.cpp:
21824 (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
21825 (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
21826 * tests/stress/arguments-bizarre-behavior.js: Added.
21827 (foo):
21828 * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
21829 (foo):
21830 * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
21831 (makeBaseArguments):
21832 (makeArray):
21833 (cons):
21834
218352015-02-23 Commit Queue <commit-queue@webkit.org>
21836
21837 Unreviewed, rolling out r180547 and r180550.
21838 https://bugs.webkit.org/show_bug.cgi?id=141957
21839
21840 Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
21841
21842 Reverted changesets:
21843
21844 "REGRESSION(r179429): Can't type comments in Facebook"
21845 https://bugs.webkit.org/show_bug.cgi?id=141859
21846 http://trac.webkit.org/changeset/180547
21847
21848 "Constructor returning null should construct an object instead
21849 of null"
21850 https://bugs.webkit.org/show_bug.cgi?id=141640
21851 http://trac.webkit.org/changeset/180550
21852
218532015-02-23 Yusuke Suzuki <utatane.tea@gmail.com>
21854
21855 Constructor returning null should construct an object instead of null
21856 https://bugs.webkit.org/show_bug.cgi?id=141640
21857
21858 Reviewed by Geoffrey Garen.
21859
21860 When constructor code doesn't return an object, the constructor should return the `this` object instead.
21861 Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
21862 it allows `null` as an object.
21863 This patch fixes it by introducing a new bytecode `op_is_object_or_null` for `typeof` use cases.
21864 Instead, the constructor uses the simplified `is_object`.
21865
21866 As a result, `op_is_object` becomes fairly simple. So we introduce an optimization for `op_is_object`.
21867
21868 1. LLInt and baseline JIT support `op_is_object` as a fast path.
21869 2. The DFG abstract interpreter supports `op_is_object`, and recognizes its speculated type and read-write effects.
21870 3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
21871 4. FTL lowers DFG's IsObject into LLVM IR.
21872
21873 And at the same time, this patch fixes the isString / isObject predicates used for `op_is_object` and others
21874 in LLInt, JIT, DFG and FTL.
21875 Before ES6 Symbol was introduced, JSCell was only used for objects and strings in the user-observable area.
21876 So in many places, when the cell was not an object, we recognized it as a string, and vice versa.
21877 However, now that ES6 Symbol is implemented as a JSCell, this assumption is broken.
21878 So this patch stops using !isString as isObject.
21879 To check whether a cell is an object, instead of seeing that the structure ID of a cell is not stringStructure,
21880 we examine the typeInfo in JSCell.
21881
21882 * JavaScriptCore.order:
21883 * bytecode/BytecodeList.json:
21884 * bytecode/BytecodeUseDef.h:
21885 (JSC::computeUsesForBytecodeOffset):
21886 (JSC::computeDefsForBytecodeOffset):
21887 * bytecode/CodeBlock.cpp:
21888 (JSC::CodeBlock::dumpBytecode):
21889 * bytecode/PutByIdStatus.cpp:
21890 (JSC::PutByIdStatus::computeFor):
21891 * bytecompiler/BytecodeGenerator.cpp:
21892 (JSC::BytecodeGenerator::emitEqualityOp):
21893 (JSC::BytecodeGenerator::emitReturn):
21894 * dfg/DFGAbstractInterpreterInlines.h:
21895 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
21896 * dfg/DFGByteCodeParser.cpp:
21897 (JSC::DFG::ByteCodeParser::parseBlock):
21898 * dfg/DFGCapabilities.cpp:
21899 (JSC::DFG::capabilityLevel):
21900 * dfg/DFGClobberize.h:
21901 (JSC::DFG::clobberize):
21902
21903 The IsObject operation only touches the JSCell typeInfoType,
21904 and this value is not changed by a structure transition.
21905 As a result, IsObject can report that it doesn't read any information.
21906
21907 * dfg/DFGDoesGC.cpp:
21908 (JSC::DFG::doesGC):
21909 * dfg/DFGFixupPhase.cpp:
21910 (JSC::DFG::FixupPhase::fixupNode):
21911
21912 Just like IsString, IsObject is also fixed up.
21913
21914 * dfg/DFGHeapLocation.cpp:
21915 (WTF::printInternal):
21916 * dfg/DFGHeapLocation.h:
21917 * dfg/DFGNodeType.h:
21918 * dfg/DFGOperations.cpp:
21919 * dfg/DFGOperations.h:
21920 * dfg/DFGPredictionPropagationPhase.cpp:
21921 (JSC::DFG::PredictionPropagationPhase::propagate):
21922 * dfg/DFGSafeToExecute.h:
21923 (JSC::DFG::safeToExecute):
21924 * dfg/DFGSpeculativeJIT.cpp:
21925 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
21926 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
21927 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
21928 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
21929 (JSC::DFG::SpeculativeJIT::speculateObject):
21930 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
21931 (JSC::DFG::SpeculativeJIT::speculateString):
21932 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
21933 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
21934 (JSC::DFG::SpeculativeJIT::emitSwitchString):
21935 (JSC::DFG::SpeculativeJIT::branchIsObject):
21936 (JSC::DFG::SpeculativeJIT::branchNotObject):
21937 (JSC::DFG::SpeculativeJIT::branchIsString):
21938 (JSC::DFG::SpeculativeJIT::branchNotString):
21939 * dfg/DFGSpeculativeJIT.h:
21940 * dfg/DFGSpeculativeJIT32_64.cpp:
21941 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
21942 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
21943 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
21944 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
21945 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
21946 (JSC::DFG::SpeculativeJIT::compile):
21947 * dfg/DFGSpeculativeJIT64.cpp:
21948 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
21949 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
21950 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
21951 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
21952 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
21953 (JSC::DFG::SpeculativeJIT::compile):
21954 * ftl/FTLCapabilities.cpp:
21955 (JSC::FTL::canCompile):
21956 * ftl/FTLLowerDFGToLLVM.cpp:
21957 (JSC::FTL::LowerDFGToLLVM::compileNode):
21958 (JSC::FTL::LowerDFGToLLVM::compileToString):
21959 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
21960 (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
21961 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
21962 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
21963 (JSC::FTL::LowerDFGToLLVM::isObject):
21964 (JSC::FTL::LowerDFGToLLVM::isNotObject):
21965 (JSC::FTL::LowerDFGToLLVM::isNotString):
21966 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
21967 * jit/JIT.cpp:
21968 (JSC::JIT::privateCompileMainPass):
21969 * jit/JIT.h:
21970 * jit/JITInlines.h:
21971 (JSC::JIT::emitJumpIfCellObject):
21972 * jit/JITOpcodes.cpp:
21973 (JSC::JIT::emit_op_is_object):
21974 (JSC::JIT::emit_op_to_primitive):
21975 * jit/JITOpcodes32_64.cpp:
21976 (JSC::JIT::emit_op_is_object):
21977 (JSC::JIT::emit_op_to_primitive):
21978 (JSC::JIT::compileOpStrictEq):
21979 * llint/LowLevelInterpreter.asm:
21980 * llint/LowLevelInterpreter32_64.asm:
21981 * llint/LowLevelInterpreter64.asm:
21982 * runtime/CommonSlowPaths.cpp:
21983 (JSC::SLOW_PATH_DECL):
21984 * runtime/CommonSlowPaths.h:
21985 * runtime/Operations.cpp:
21986 (JSC::jsIsObjectTypeOrNull):
21987 (JSC::jsIsObjectType): Deleted.
21988 * runtime/Operations.h:
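
Added example (JavaScript, not JavaScriptCore code): a reference model of the `new` rule this entry restores. The engine's own `new` is exercised next to a model that uses the strict is-object test and a model that uses the `typeof`-style test which admits null, so the pre-patch behavior is visible side by side with the fixed one. The names `isObjectOrNull`, `isObject`, `constructWith`, `constructWithBuggyCheck`, `ctorReturning`, `kind` and `observe` are this example's own, not bytecodes or functions in JSC.

```javascript
// Added example, not JavaScriptCore code. Models the ES6 [[Construct]] rule:
// the value a constructor returns replaces the freshly allocated object only
// when it is an object. null is not an object, even though typeof null is
// "object", which is the hole the entry above closes.

// typeof-style predicate: admits null because typeof null === "object".
function isObjectOrNull(v) {
  return v === null || typeof v === "object" || typeof v === "function";
}

// Strict predicate a constructor's return path needs.
function isObject(v) {
  return v !== null && (typeof v === "object" || typeof v === "function");
}

// Reference model of `new ctor(...args)` for an ordinary function, using the
// strict predicate.
function constructWith(ctor, ...args) {
  const thisObj = Object.create(ctor.prototype);
  const result = ctor.apply(thisObj, args);
  return isObject(result) ? result : thisObj;
}

// Same model with the null-admitting predicate: `return null` from the
// constructor surfaces null to the caller instead of `this`.
function constructWithBuggyCheck(ctor, ...args) {
  const thisObj = Object.create(ctor.prototype);
  const result = ctor.apply(thisObj, args);
  return isObjectOrNull(result) ? result : thisObj;
}

// Builds a constructor that tags `this` and then returns `returnValue`.
function ctorReturning(returnValue) {
  return function C() {
    this.tag = "this";
    return returnValue;
  };
}

// "this" when the caller got the tagged `this` object back, "returned" when
// it got the constructor's return value (object, function, null, ...).
function kind(obj) {
  return obj !== null && obj !== undefined && obj.tag === "this" ? "this" : "returned";
}

// Compares the engine's `new` with both models for one return value.
function observe(returnValue) {
  const C = ctorReturning(returnValue);
  return {
    engine: kind(new C()),
    model: kind(constructWith(C)),
    buggy: kind(constructWithBuggyCheck(C)),
  };
}
```

Run with node. `observe(null)` reports "this" from the engine and from the strict model, and "returned" from the null-admitting model, which is the behavior the entry describes fixing. A Symbol return value is a primitive, not a cell that is an object, so `observe(Symbol("s"))` reports "this" in all three columns, while `observe({})` reports "returned" in all three.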
21989
21990 2015-02-23 Ryosuke Niwa <rniwa@webkit.org>
21991
21992 Disable font loading events until our implementation gets updated to match the latest spec
21993 https://bugs.webkit.org/show_bug.cgi?id=141938
21994
21995 Reviewed by Andreas Kling.
21996
21997 * Configurations/FeatureDefines.xcconfig:
21998
21999 2015-02-23 Yusuke Suzuki <utatane.tea@gmail.com>
22000
22001 REGRESSION(r179429): Can't type comments in Facebook
22002 https://bugs.webkit.org/show_bug.cgi?id=141859
22003
22004 Reviewed by Geoffrey Garen.
22005
22006 When window.Symbol is exposed to user-space pages,
22007 Facebook's JavaScript uses it (maybe for immutable-js and React.js's unique key).
22008 However, to work with Symbols completely, it also requires
22009 1) Object.getOwnPropertySymbols (for mixins including Symbols)
22010 2) the latest ES6 Iterator interface that uses Iterator.next and returns { done: boolean, value: value }.
22011 Since they have not landed yet, comments in Facebook don't work.
22012
22013 This patch introduces RuntimeFlags for JavaScriptCore.
22014 It specifies the SymbolEnabled flag under the test runner and inspector so they continue to work with Symbol,
22015 and drops the JavaScriptExperimentsEnabled flag
22016 because it is no longer used and its use case is duplicated by runtime flags.
22017
22018 * JavaScriptCore.order:
22019 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
22020 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
22021 * JavaScriptCore.xcodeproj/project.pbxproj:
22022 * jsc.cpp:
22023 (GlobalObject::javaScriptRuntimeFlags):
22024 (GlobalObject::javaScriptExperimentsEnabled): Deleted.
22025 * runtime/JSGlobalObject.cpp:
22026 (JSC::JSGlobalObject::JSGlobalObject):
22027 (JSC::JSGlobalObject::init):
22028 * runtime/JSGlobalObject.h:
22029 (JSC::JSGlobalObject::finishCreation):
22030 (JSC::JSGlobalObject::javaScriptRuntimeFlags):
22031 (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
22032 * runtime/RuntimeFlags.h: Added.
22033 (JSC::RuntimeFlags::RuntimeFlags):
22034 (JSC::RuntimeFlags::createAllEnabled):
22035
22036 2015-02-23 Benjamin Poulain <bpoulain@apple.com>
22037
22038 Set the semantic origin of delayed SetLocal to the Bytecode that originated it
22039 https://bugs.webkit.org/show_bug.cgi?id=141727
22040
22041 Reviewed by Filip Pizlo.
22042
22043 Previously, delayed SetLocals would have the NodeOrigin of the next
22044 bytecode. This was because delayed SetLocal are...delayed... and
22045 currentCodeOrigin() is the one where the node is emitted.
22046
22047 This made debugging a little awkward since the OSR exits on SetLocal
22048 were reported for the next bytecode. This patch changes the semantic
22049 origin to keep the original bytecode.
22050
22051 From benchmarks, this looks like it could be a tiny bit faster
22052 but it is likely just noise.
22053
22054 * dfg/DFGByteCodeParser.cpp:
22055 (JSC::DFG::ByteCodeParser::setDirect):
22056 (JSC::DFG::ByteCodeParser::setLocal):
22057 (JSC::DFG::ByteCodeParser::setArgument):
22058 (JSC::DFG::ByteCodeParser::currentNodeOrigin):
22059 (JSC::DFG::ByteCodeParser::addToGraph):
22060 (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
22061 (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
22062
22063 2015-02-23 Benjamin Poulain <bpoulain@apple.com>
22064
22065 Remove DFGNode::predictHeap()
22066 https://bugs.webkit.org/show_bug.cgi?id=141864
22067
22068 Reviewed by Geoffrey Garen.
22069
22070 * dfg/DFGNode.h:
22071 (JSC::DFG::Node::predictHeap): Deleted.
22072 Unused code.
22073
22074 2015-02-23 Filip Pizlo <fpizlo@apple.com>
22075
22076 Get rid of JSLexicalEnvironment::argumentsGetter
22077 https://bugs.webkit.org/show_bug.cgi?id=141930
22078
22079 Reviewed by Mark Lam.
22080
22081 This function is unused, and the way it's written is bizarre - it's a return statement that
22082 dominates a bunch of dead code.
22083
22084 * runtime/JSLexicalEnvironment.cpp:
22085 (JSC::JSLexicalEnvironment::argumentsGetter): Deleted.
22086 * runtime/JSLexicalEnvironment.h:
22087
22088 2015-02-23 Filip Pizlo <fpizlo@apple.com>
22089
22090 Remove unused activationCount and allTheThingsCount variable declarations.
22091
22092 Rubber stamped by Mark Lam and Michael Saboff.
22093
22094 * runtime/JSLexicalEnvironment.h:
22095
22096 2015-02-23 Saam Barati <saambarati1@gmail.com>
22097
22098 Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive
22099 https://bugs.webkit.org/show_bug.cgi?id=141095
22100
22101 Reviewed by Mark Lam.
22102
22103 Suppose the control flow of a program forms basic block A with successor block
22104 B. A's end offset will be the *same* as B's start offset in the current architecture
22105 of the control flow profiler. This makes reasoning about the text offsets of
22106 the control flow profiler unsound. To make reasoning about offsets sound, all
22107 basic block ranges should be mutually exclusive. All calls to emitProfileControlFlow
22108 now pass in the *start* of a basic block as the text offset argument. This simplifies
22109 all calls to emitProfileControlFlow because the previous implementation had a
22110 lot of edge cases for getting the desired basic block text boundaries.
22111
22112 This patch also ensures that the basic block boundary of a block statement
22113 is exactly the block's open and close brace offsets (inclusive). For example,
22114 in if/for/while statements. This also has the consequence that for statements
22115 like "if (cond) foo();", the whitespace preceding "foo()" is not part of
22116 the "foo()" basic block, but instead is part of the "if (cond) " basic block.
22117 This is okay because these text offsets aren't meant to be human readable.
22118 Instead, they reflect the text offsets of JSC's AST nodes. The Web Inspector
22119 is the only client of this API and user of these text offsets and it is
22120 not negatively affected by this new behavior.
22121
22122 * bytecode/CodeBlock.cpp:
22123 (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
22124 When computing basic block boundaries in CodeBlock, we ensure that every
22125 block's end offset is one less than its successor's start offset to
22126 maintain that boundaries' ranges should be mutually exclusive.
22127
22128 * bytecompiler/BytecodeGenerator.cpp:
22129 (JSC::BytecodeGenerator::BytecodeGenerator):
22130 Because the control flow profiler needs to know which functions
22131 have executed, we can't lazily create functions. This was a bug
22132 from before that was hidden because the Type Profiler was always
22133 enabled when the control flow profiler was enabled when profiling
22134 was turned on from the Web Inspector. But, JSC allows for Control
22135 Flow profiling to be turned on without Type Profiling, so we need
22136 to ensure the Control Flow profiler has all the data it needs.
22137
22138 * bytecompiler/NodesCodegen.cpp:
22139 (JSC::ConditionalNode::emitBytecode):
22140 (JSC::IfElseNode::emitBytecode):
22141 (JSC::WhileNode::emitBytecode):
22142 (JSC::ForNode::emitBytecode):
22143 (JSC::ForInNode::emitMultiLoopBytecode):
22144 (JSC::ForOfNode::emitBytecode):
22145 (JSC::TryNode::emitBytecode):
22146 * jsc.cpp:
22147 (functionHasBasicBlockExecuted):
22148 We now assert that the substring argument is indeed a substring
22149 of the function argument's text because subtle bugs could be
22150 introduced otherwise.
22151
22152 * parser/ASTBuilder.h:
22153 (JSC::ASTBuilder::setStartOffset):
22154 * parser/Nodes.h:
22155 (JSC::Node::setStartOffset):
22156 * parser/Parser.cpp:
22157 (JSC::Parser<LexerType>::parseBlockStatement):
22158 (JSC::Parser<LexerType>::parseStatement):
22159 (JSC::Parser<LexerType>::parseMemberExpression):
22160 For the various function call AST nodes, their m_position member
22161 variable is now the start of the entire function call expression
22162 and not at the start of the open paren of the arguments list.
22163
22164 * runtime/BasicBlockLocation.cpp:
22165 (JSC::BasicBlockLocation::getExecutedRanges):
22166 * runtime/ControlFlowProfiler.cpp:
22167 (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
22168 Function ranges inserted as gaps should follow the same criteria
22169 that the bytecode generator uses to ensure that basic blocks
22170 start and end offsets are mutually exclusive.
22171
22172 * tests/controlFlowProfiler/brace-location.js: Added.
22173 (foo):
22174 (bar):
22175 (baz):
22176 (testIf):
22177 (testForRegular):
22178 (testForIn):
22179 (testForOf):
22180 (testWhile):
22181 (testIfNoBraces):
22182 (testForRegularNoBraces):
22183 (testForInNoBraces):
22184 (testForOfNoBraces):
22185 (testWhileNoBraces):
22186 * tests/controlFlowProfiler/conditional-expression.js: Added.
22187 (foo):
22188 (bar):
22189 (baz):
22190 (testConditionalBasic):
22191 (testConditionalFunctionCall):
22192 * tests/controlFlowProfiler/driver/driver.js:
22193 (checkBasicBlock):
22194
22195 2015-02-23 Matthew Mirman <mmirman@apple.com>
22196
22197 r9 is volatile on ARMv7 for iOS 3 and up.
22198 https://bugs.webkit.org/show_bug.cgi?id=141489
22199 rdar://problem/19432916
22200
22201 Reviewed by Michael Saboff.
22202
22203 * jit/RegisterSet.cpp:
22204 (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
22205 * tests/stress/regress-141489.js: Added.
22206 (foo):
22207
22208 2015-02-23 Csaba Osztrogonác <ossy@webkit.org>
22209
22210 [ARM] Add the necessary setupArgumentsWithExecState after bug141915
22211 https://bugs.webkit.org/show_bug.cgi?id=141921
22212
22213 Reviewed by Michael Saboff.
22214
22215 * jit/CCallHelpers.h:
22216 (JSC::CCallHelpers::setupArgumentsWithExecState):
22217
22218 2015-02-23 Filip Pizlo <fpizlo@apple.com>
22219
22220 Scopes should always be created with a previously-created symbol table rather than creating one on the fly
22221 https://bugs.webkit.org/show_bug.cgi?id=141915
22222
22223 Reviewed by Mark Lam.
22224
22225 The main effect of this change is that pushing name scopes no longer requires creating symbol
22226 tables on the fly.
22227
22228 This also makes it so that JSEnvironmentRecords must always have an a priori symbol table.
22229
22230 JSSegmentedVariableObject still does a hack where it creates a blank symbol table on-demand.
22231 This is needed because that's what JSGlobalObject and all of its many subclasses want. That's
22232 harmless; I mainly needed a priori symbol tables for JSEnvironmentRecords anyway.
22233
22234 * bytecode/BytecodeList.json:
22235 * bytecompiler/BytecodeGenerator.cpp:
22236 (JSC::BytecodeGenerator::emitPushFunctionNameScope):
22237 (JSC::BytecodeGenerator::emitPushCatchScope):
22238 * jit/CCallHelpers.h:
22239 (JSC::CCallHelpers::setupArgumentsWithExecState):
22240 * jit/JIT.h:
22241 * jit/JITInlines.h:
22242 (JSC::JIT::callOperation):
22243 * jit/JITOpcodes.cpp:
22244 (JSC::JIT::emit_op_push_name_scope):
22245 * jit/JITOpcodes32_64.cpp:
22246 (JSC::JIT::emit_op_push_name_scope):
22247 * jit/JITOperations.cpp:
22248 (JSC::pushNameScope):
22249 * jit/JITOperations.h:
22250 * llint/LLIntSlowPaths.cpp:
22251 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
22252 * llint/LowLevelInterpreter.asm:
22253 * runtime/Executable.cpp:
22254 (JSC::ScriptExecutable::newCodeBlockFor):
22255 * runtime/JSCatchScope.h:
22256 (JSC::JSCatchScope::JSCatchScope):
22257 (JSC::JSCatchScope::create):
22258 * runtime/JSEnvironmentRecord.h:
22259 (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
22260 * runtime/JSFunctionNameScope.h:
22261 (JSC::JSFunctionNameScope::JSFunctionNameScope):
22262 (JSC::JSFunctionNameScope::create):
22263 * runtime/JSNameScope.cpp:
22264 (JSC::JSNameScope::create):
22265 * runtime/JSNameScope.h:
22266 (JSC::JSNameScope::create):
22267 (JSC::JSNameScope::finishCreation):
22268 (JSC::JSNameScope::JSNameScope):
22269 * runtime/JSSegmentedVariableObject.h:
22270 (JSC::JSSegmentedVariableObject::finishCreation):
22271 * runtime/JSSymbolTableObject.h:
22272 (JSC::JSSymbolTableObject::JSSymbolTableObject):
22273 (JSC::JSSymbolTableObject::finishCreation): Deleted.
22274 * runtime/SymbolTable.h:
22275 (JSC::SymbolTable::createNameScopeTable):
22276
22277 2015-02-23 Filip Pizlo <fpizlo@apple.com>
22278
22279 Add a comment to clarify that the test was taken from the bug report, in response to
22280 feedback from Michael Saboff and Benjamin Poulain.
22281
22282 * tests/stress/regress-141883.js:
22283
22284 2015-02-22 Filip Pizlo <fpizlo@apple.com>
22285
22286 Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it
22287 https://bugs.webkit.org/show_bug.cgi?id=141881
22288
22289 Reviewed by Michael Saboff.
22290
22291 Previously we only created the function name scope in a way that made it visible to the
22292 function that triggered parsing/linking of the executable/codeBlock, and to the linker for
22293 that code block. This was sort of the bare minimum for the feature to appear to work right to
22294 synthetic tests.
22295
22296 There are two valid "times" to create the function name scope. Either it's created for each
22297 JSFunction instance that needs a name scope, or it's created for each execution of such a
22298 JSFunction. This change chooses the latter, because it happens to be the easiest to implement
22299 with what we have right now. I opened a bug for optimizing this if we ever need to:
22300 https://bugs.webkit.org/show_bug.cgi?id=141887.
22301
22302 * bytecompiler/BytecodeGenerator.cpp:
22303 (JSC::BytecodeGenerator::BytecodeGenerator):
22304 * interpreter/Interpreter.cpp:
22305 (JSC::Interpreter::execute):
22306 (JSC::Interpreter::executeCall):
22307 (JSC::Interpreter::executeConstruct):
22308 (JSC::Interpreter::prepareForRepeatCall):
22309 * jit/JITOperations.cpp:
22310 * llint/LLIntSlowPaths.cpp:
22311 (JSC::LLInt::setUpCall):
22312 * runtime/ArrayPrototype.cpp:
22313 (JSC::isNumericCompareFunction):
22314 * runtime/Executable.cpp:
22315 (JSC::ScriptExecutable::newCodeBlockFor):
22316 (JSC::ScriptExecutable::prepareForExecutionImpl):
22317 (JSC::FunctionExecutable::FunctionExecutable):
22318 * runtime/Executable.h:
22319 (JSC::ScriptExecutable::prepareForExecution):
22320 * runtime/JSFunction.cpp:
22321 (JSC::JSFunction::addNameScopeIfNeeded): Deleted.
22322 * runtime/JSFunction.h:
22323 * tests/stress/function-name-scope.js: Added.
22324 (check.verify):
22325 (check):
22326
22327 2015-02-22 Filip Pizlo <fpizlo@apple.com>
22328
22329 Crash in DFGFrozenValue
22330 https://bugs.webkit.org/show_bug.cgi?id=141883
22331
22332 Reviewed by Benjamin Poulain.
22333
22334 If a value might be a cell, then we have to have Graph freeze it rather than trying to
22335 create the FrozenValue directly. Creating it directly is just an optimization for when you
22336 know for sure that it cannot be a cell.
22337
22338 * dfg/DFGAbstractInterpreterInlines.h:
22339 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
22340 * tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.
22341
22342 2015-02-21 Joseph Pecoraro <pecoraro@apple.com>
22343
22344 Web Inspector: Generate Previews more often for RemoteObject interaction
22345 https://bugs.webkit.org/show_bug.cgi?id=141875
22346
22347 Reviewed by Timothy Hatcher.
22348
22349 * inspector/protocol/Runtime.json:
22350 Add generatePreview to getProperties.
22351
22352 * inspector/InjectedScript.cpp:
22353 (Inspector::InjectedScript::getProperties):
22354 (Inspector::InjectedScript::getInternalProperties):
22355 * inspector/InjectedScript.h:
22356 * inspector/agents/InspectorRuntimeAgent.cpp:
22357 (Inspector::InspectorRuntimeAgent::getProperties):
22358 * inspector/agents/InspectorRuntimeAgent.h:
22359 Plumb the generatePreview boolean through to the injected script.
22360
22361 * inspector/InjectedScriptSource.js:
22362 Add generatePreview for getProperties.
22363 Fix callFunctionOn to generatePreviews if asked.
22364
22365 2015-02-20 Mark Lam <mark.lam@apple.com>
22366
22367 Refactor JSWrapperMap.mm to defer creation of the ObjC JSValue until the latest possible moment.
22368 <https://webkit.org/b/141856>
22369
22370 Reviewed by Geoffrey Garen.
22371
22372 1. Make JSObjCClassInfo's -constructor and -wrapperForObject return a
22373 JSC::JSObject* just like -prototype.
22374 2. Defer the creation of the ObjC JSValue from JSC::JSObject* until
22375 the latest moment when it is needed. This allows us to not have to
22376 keep converting back to a JSC::JSObject* in intermediate code.
22377
22378 * API/JSWrapperMap.mm:
22379 (makeWrapper):
22380 (objectWithCustomBrand):
22381 (constructorWithCustomBrand):
22382 (allocateConstructorForCustomClass):
22383 (-[JSObjCClassInfo allocateConstructorAndPrototype]):
22384 (-[JSObjCClassInfo wrapperForObject:]):
22385 (-[JSObjCClassInfo constructor]):
22386 (-[JSWrapperMap jsWrapperForObject:]):
22387
22388 2015-02-20 Filip Pizlo <fpizlo@apple.com>
22389
22390 Build fix for gcc.
22391
22392 * runtime/JSNameScope.cpp:
22393 (JSC::JSNameScope::create):
22394
22395 2015-02-20 Filip Pizlo <fpizlo@apple.com>
22396
22397 Get rid of JSNameScope::m_type
22398 https://bugs.webkit.org/show_bug.cgi?id=141851
22399
22400 Reviewed by Geoffrey Garen.
22401
22402 This is a big step towards getting rid of JSEnvironmentRecord::m_registers. To do it we need
22403 to ensure that subclasses of JSEnvironmentRecord never have additional C++ fields, so that
22404 JSEnvironmentRecord can always place "registers" right after the end of itself.
22405
22406 * CMakeLists.txt:
22407 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
22408 * JavaScriptCore.xcodeproj/project.pbxproj:
22409 * debugger/DebuggerScope.cpp:
22410 (JSC::DebuggerScope::isCatchScope):
22411 (JSC::DebuggerScope::isFunctionNameScope):
22412 * interpreter/Interpreter.cpp:
22413 (JSC::Interpreter::execute):
22414 * jit/JITOperations.cpp:
22415 * llint/LLIntSlowPaths.cpp:
22416 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
22417 * runtime/JSCatchScope.cpp: Added.
22418 * runtime/JSCatchScope.h: Added.
22419 (JSC::JSCatchScope::JSCatchScope):
22420 (JSC::JSCatchScope::create):
22421 (JSC::JSCatchScope::createStructure):
22422 * runtime/JSFunction.cpp:
22423 (JSC::JSFunction::addNameScopeIfNeeded):
22424 * runtime/JSFunctionNameScope.cpp: Added.
22425 * runtime/JSFunctionNameScope.h: Added.
22426 (JSC::JSFunctionNameScope::JSFunctionNameScope):
22427 (JSC::JSFunctionNameScope::create):
22428 (JSC::JSFunctionNameScope::createStructure):
22429 * runtime/JSGlobalObject.cpp:
22430 (JSC::JSGlobalObject::init):
22431 (JSC::JSGlobalObject::visitChildren):
22432 * runtime/JSGlobalObject.h:
22433 (JSC::JSGlobalObject::catchScopeStructure):
22434 (JSC::JSGlobalObject::functionNameScopeStructure):
22435 (JSC::JSGlobalObject::nameScopeStructure): Deleted.
22436 * runtime/JSNameScope.cpp:
22437 (JSC::JSNameScope::create):
22438 * runtime/JSNameScope.h:
22439 (JSC::JSNameScope::create):
22440 (JSC::JSNameScope::JSNameScope):
22441 (JSC::JSNameScope::createStructure): Deleted.
22442 (JSC::JSNameScope::isFunctionNameScope): Deleted.
22443 (JSC::JSNameScope::isCatchScope): Deleted.
22444 * runtime/JSObject.cpp:
22445 (JSC::JSObject::isCatchScopeObject):
22446 (JSC::JSObject::isFunctionNameScopeObject):
22447 * runtime/JSObject.h:
22448
22449 2015-02-20 Mark Lam <mark.lam@apple.com>
22450
22451 [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
22452 <https://webkit.org/b/141809>
22453
22454 Reviewed by Geoffrey Garen.
22455
22456 An ObjC class that implements the JSExport protocol will have a JS prototype
22457 chain and constructor automatically synthesized for its JS wrapper object.
22458 However, if there are no more instances of that ObjC class reachable by a
22459 JS GC root scan, then its synthesized prototype chain and constructors may
22460 be released by the GC. If a new instance of that ObjC class is subsequently
22461 instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
22462 should re-construct the prototype chain and constructor (if they were
22463 previously released). However, the current implementation only
22464 re-constructs the immediate prototype, but not every other prototype
22465 object upstream in the prototype chain.
22466
22467 To fix this, we do the following:
22468 1. We no longer allocate the JSObjCClassInfo's prototype and constructor
22469 eagerly. Hence, -initWithContext:forClass: will no longer call
22470 -allocateConstructorAndPrototypeWithSuperClassInfo:.
22471 2. Instead, we'll always access the prototype and constructor through
22472 accessor methods. The accessor methods will call
22473 -allocateConstructorAndPrototype: if needed.
22474 3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
22475 from the JSWrapperMap itself. This makes it so that we no longer
22476 need to pass the superClassInfo all over.
22477 4. -allocateConstructorAndPrototype: will get the super class prototype
22478 by invoking -prototype: on the superClassInfo, thereby allowing the
22479 super class to allocate its prototype and constructor if needed and
22480 fixing the issue in this bug.
22481
22482 5. Also removed the GC warning comments, and ensured that needed JS
22483 objects are kept alive by having a local var pointing to it from the
22484 stack (which makes a GC root).
22485
22486 * API/JSWrapperMap.mm:
22487 (-[JSObjCClassInfo initWithContext:forClass:]):
22488 (-[JSObjCClassInfo allocateConstructorAndPrototype]):
22489 (-[JSObjCClassInfo wrapperForObject:]):
22490 (-[JSObjCClassInfo constructor]):
22491 (-[JSObjCClassInfo prototype]):
22492 (-[JSWrapperMap classInfoForClass:]):
22493 (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
22494 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
22495 (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
22496 * API/tests/Regress141809.h: Added.
22497 * API/tests/Regress141809.mm: Added.
22498 (-[TestClassB name]):
22499 (-[TestClassC name]):
22500 (runRegress141809):
22501 * API/tests/testapi.mm:
22502 * JavaScriptCore.xcodeproj/project.pbxproj:
22503
22504 2015-02-20 Alexey Proskuryakov <ap@apple.com>
22505
22506 Remove svn:keywords property.
22507
22508 As far as I can tell, the property had no effect on any of these files, but also,
22509 when it has effect it's likely harmful.
22510
22511 * builtins/ArrayConstructor.js: Removed property svn:keywords.
22512
22513 2015-02-20 Michael Saboff <msaboff@apple.com>
22514
22515 DFG JIT needs to check for stack overflow at the start of Program and Eval execution
22516 https://bugs.webkit.org/show_bug.cgi?id=141676
22517
22518 Reviewed by Filip Pizlo.
22519
22520 Added a stack check to the beginning of the code the DFG compiler emits for Program and Eval nodes.
22521 To aid in testing the code, I replaced the EvalCodeCache::maxCacheableSourceLength const with
22522 an option in runtime/Options.h. The test script, run-jsc-stress-tests, sets that option
22523 to a huge value when running with the "Eager" options. This allows the updated test to
22524 reliably exercise the code in question.
22525
22526 * dfg/DFGJITCompiler.cpp:
22527 (JSC::DFG::JITCompiler::compile):
22528 Added stack check.
22529
22530 * bytecode/EvalCodeCache.h:
22531 (JSC::EvalCodeCache::tryGet):
22532 (JSC::EvalCodeCache::getSlow):
22533 * runtime/Options.h:
22534 Replaced EvalCodeCache::maxCacheableSourceLength with Options::maximumEvalCacheableSourceLength
22535 so that it can be configured when running the related test.
22536
22537 2015-02-20 Eric Carlson <eric.carlson@apple.com>
22538
22539 [iOS] cleanup AirPlay code
22540 https://bugs.webkit.org/show_bug.cgi?id=141811
22541
22542 Reviewed by Jer Noble.
22543
22544 * Configurations/FeatureDefines.xcconfig: IOS_AIRPLAY -> WIRELESS_PLAYBACK_TARGET.
22545
22546 2015-02-19 Dean Jackson <dino@apple.com>
22547
22548 ES6: Implement Array.from()
22549 https://bugs.webkit.org/show_bug.cgi?id=141054
22550 <rdar://problem/19654521>
22551
22552 Reviewed by Filip Pizlo.
22553
22554 Implement the Array.from() ES6 method
22555 as defined in Section 22.1.2.1 of the specification.
22556
22557 Given that we can't rely on the built-in
22558 global functions or objects to be untainted,
22559 I had to expose a few of them directly to
22560 the function via private names. In particular:
22561 - Math.floor -> @floor
22562 - Math.abs -> @abs
22563 - Number -> @Number
22564 - Array -> @Array
22565 - isFinite -> @isFinite
22566
22567 * builtins/ArrayConstructor.js: Added.
22568 (from): Implementation of Array.from in JavaScript.
22569 * runtime/ArrayConstructor.cpp: Add "from" to the lookup
22570 table for the constructor object.
22571 * runtime/CommonIdentifiers.h: Add the private versions
22572 of the identifiers listed above.
22573 * runtime/JSGlobalObject.cpp: Add the implementations of
22574 those identifiers to the global object (using their
22575 private names).
22576 (JSC::JSGlobalObject::init):
22577 * runtime/JSGlobalObjectFunctions.cpp:
22578 (JSC::globalPrivateFuncAbs): Implementation of the abs function.
22579 (JSC::globalPrivateFuncFloor): Implementation of the floor function.
22580 * runtime/JSGlobalObjectFunctions.h:
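
Added example (JavaScript, not the builtins/ArrayConstructor.js this entry adds): why a self-hosted builtin reaches its helpers through private names rather than the global object. Any page script can reassign Math.floor; a builtin that looks it up at call time then computes a wrong length silently, while one that captured the intrinsic before untrusted code ran is unaffected. The captured `$floor`, `$abs`, `$Number`, `$Array` and `$isFinite` stand in for JSC's @floor, @abs, @Number, @Array and @isFinite; `toLength`, `arrayFromWith`, `arrayFromSafe`, `arrayFromNaive`, `withTamperedFloor` and `demo` are this example's own names, the array-like input is constructed, and the iterable branch of Array.from is left out to keep the contrast in focus.

```javascript
// Added example, not JavaScriptCore's builtins/ArrayConstructor.js. Shows why
// a self-hosted builtin must not reach Math.floor, Number, Array or isFinite
// through the global object at call time: a page script can replace them.

// Intrinsics captured while the globals are still pristine. These play the
// role of JSC's @floor, @abs, @Number, @Array and @isFinite private names.
// Assumption: this code runs before any untrusted script does.
const $floor = Math.floor;
const $abs = Math.abs;
const $Number = Number;
const $Array = Array;
const $isFinite = isFinite;
const MAX_LENGTH = 2 ** 53 - 1; // the ToLength ceiling
const SAFE_HELPERS = { floor: $floor, abs: $abs, Number: $Number, Array: $Array, isFinite: $isFinite };

// ES6 ToLength (7.1.15), parameterized over the helpers it depends on so the
// same logic can run with captured or with freshly looked-up helpers.
function toLength(value, h) {
  const n = h.Number(value);
  if (n !== n || n <= 0) return 0;          // NaN and non-positive values
  if (!h.isFinite(n)) return MAX_LENGTH;    // +Infinity clamps to the ceiling
  const len = h.floor(h.abs(n));            // ToInteger for a positive number
  return len > MAX_LENGTH ? MAX_LENGTH : len;
}

// Array.from for array-like inputs, built from whichever helper set is given.
function arrayFromWith(h, items, mapFn) {
  const len = toLength(items.length, h);
  const out = new h.Array(len);
  for (let k = 0; k < len; k++) {
    out[k] = mapFn ? mapFn(items[k], k) : items[k];
  }
  return out;
}

// Hardened variant: every helper is the reference captured at load time.
function arrayFromSafe(items, mapFn) {
  return arrayFromWith(SAFE_HELPERS, items, mapFn);
}

// Naive variant: helpers are resolved through the global object on each call,
// which is exactly what a self-hosted builtin must avoid.
function arrayFromNaive(items, mapFn) {
  return arrayFromWith(
    { floor: Math.floor, abs: Math.abs, Number: Number, Array: Array, isFinite: isFinite },
    items, mapFn);
}

// Runs fn with Math.floor replaced by an attacker's version, then restores it.
// Math.floor is a writable property, so any script on the page can do this.
function withTamperedFloor(fn) {
  const saved = Math.floor;
  Math.floor = () => 1;                     // every computed length becomes 1
  try {
    return fn();
  } finally {
    Math.floor = saved;
  }
}

// Constructed sample input: an array-like object, as Array.from accepts.
const sample = { length: 3, 0: "a", 1: "b", 2: "c" };

// Both variants run under the tampered global; only the naive one is affected.
function demo() {
  return withTamperedFloor(() => ({
    safe: arrayFromSafe(sample),
    naive: arrayFromNaive(sample),
  }));
}
```

Run with node. `demo()` returns `["a", "b", "c"]` for the captured-intrinsic variant and `["a"]` for the variant that looked Math.floor up through the global object, with no error raised in either case; that silent truncation is the failure mode the private names prevent. The same argument applies to `Number`, `Array` and `isFinite`, which is why the entry exposes all of them to the builtin under private names.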
22581
22582 2015-02-19 Benjamin Poulain <bpoulain@apple.com>
22583
22584 Refine the FTL part of ArithPow
22585 https://bugs.webkit.org/show_bug.cgi?id=141792
22586
22587 Reviewed by Filip Pizlo.
22588
22589 This patch refines the FTL lowering of ArithPow. This was left out
22590 of the original patch to keep it simpler.
22591
22592 * ftl/FTLLowerDFGToLLVM.cpp:
22593 (JSC::FTL::LowerDFGToLLVM::compileArithPow):
22594 Two improvements here:
22595 1) Do not generate the NaN check unless we know the exponent might be a NaN.
22596 2) Use one BasicBlock per check with the appropriate weight. Now that we have
22597 one branch per test, move the Infinity check before the check for 1 since
22598 it is the less common case.
22599
22600 * tests/stress/math-pow-becomes-custom-function.js: Added.
22601 Test for changing the Math.pow() function after it has been optimized.
22602
22603 * tests/stress/math-pow-nan-behaviors.js:
22604 The previous tests were only going as far as the DFGAbstractInterpreter
22605 where the operations were replaced by the equivalent constant.
22606
22607 I duplicated the test functions to also test the dynamic behavior of DFG
22608 and FTL.
22609
22610 * tests/stress/math-pow-with-constants.js:
22611 Add cases covering exponent constants. LLVM removes many value
22612 checks for those.
22613
22614 * tests/stress/math-pow-with-never-NaN-exponent.js: Added.
22615 Test for the new optimization removing the NaN check.
22616
22617 2015-02-19 Csaba Osztrogonác <ossy@webkit.org>
22618
22619 REGRESSION(r180279): It broke 20 tests on ARM Linux
22620 https://bugs.webkit.org/show_bug.cgi?id=141771
22621
22622 Reviewed by Filip Pizlo.
22623
22624 * dfg/DFGSpeculativeJIT.h:
22625 (JSC::DFG::SpeculativeJIT::callOperation): Align 64-bit values to respect ARM EABI.
22626
22627 2015-02-18 Benjamin Poulain <bpoulain@apple.com>
22628
22629 Remove BytecodeGenerator's numberMap, it is dead code
22630 https://bugs.webkit.org/show_bug.cgi?id=141779
22631
22632 Reviewed by Filip Pizlo.
22633
22634 * bytecompiler/BytecodeGenerator.cpp:
22635 (JSC::BytecodeGenerator::emitLoad): Deleted.
22636 * bytecompiler/BytecodeGenerator.h:
22637 The JSValueMap seems better in every way.
22638
22639 The emitLoad() taking a double was the only way to use numberMap
22640 and that code has no caller.
22641
22642 2015-02-18 Michael Saboff <msaboff@apple.com>
22643
22644 Rollout r180247 & r180249 from trunk
22645 https://bugs.webkit.org/show_bug.cgi?id=141773
22646
22647 Reviewed by Filip Pizlo.
22648
22649 These changes make sense to fix the crash reported in https://bugs.webkit.org/show_bug.cgi?id=141730
22650 only for branches. The change to fail the FTL compile but continue running is not comprehensive
22651 enough for general use on trunk.
22652
22653 * dfg/DFGPlan.cpp:
22654 (JSC::DFG::Plan::compileInThreadImpl):
22655 * ftl/FTLLowerDFGToLLVM.cpp:
22656 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
22657 (JSC::FTL::LowerDFGToLLVM::lower):
22658 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
22659 (JSC::FTL::LowerDFGToLLVM::compileNode):
22660 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
22661 (JSC::FTL::LowerDFGToLLVM::compilePhi):
22662 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
22663 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
22664 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
22665 (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
22666 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
22667 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
22668 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
22669 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
22670 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
22671 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
22672 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
22673 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
22674 (JSC::FTL::LowerDFGToLLVM::compileGetById):
22675 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
22676 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
22677 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
22678 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
22679 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
22680 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
22681 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
22682 (JSC::FTL::LowerDFGToLLVM::compileToString):
22683 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
22684 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
22685 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
22686 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
22687 (JSC::FTL::LowerDFGToLLVM::compare):
22688 (JSC::FTL::LowerDFGToLLVM::boolify):
22689 (JSC::FTL::LowerDFGToLLVM::opposite):
22690 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
22691 (JSC::FTL::LowerDFGToLLVM::speculate):
22692 (JSC::FTL::LowerDFGToLLVM::isArrayType):
22693 (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
22694 (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
22695 (JSC::FTL::LowerDFGToLLVM::setInt52):
22696 (JSC::FTL::lowerDFGToLLVM):
22697 (JSC::FTL::LowerDFGToLLVM::loweringFailed): Deleted.
22698 * ftl/FTLLowerDFGToLLVM.h:
22699
22700 2015-02-18 Filip Pizlo <fpizlo@apple.com>
22701
22702 DFG should really support varargs
22703 https://bugs.webkit.org/show_bug.cgi?id=141332
22704
22705 Reviewed by Oliver Hunt.
22706
22707 This adds comprehensive vararg call support to the DFG and FTL compilers. Previously, if a
22708 function had a varargs call, then it could only be compiled if that varargs call was just
22709 forwarding arguments and we were inlining the function rather than compiling it directly. Also,
22710 only varargs calls were dealt with; varargs constructs were not.
22711
22712 This lifts all of those restrictions. Every varargs call or construct can now be compiled by both
22713 the DFG and the FTL. Those calls can also be inlined, too - provided that profiling gives us a
22714 sensible bound on arguments list length. When we inline a varargs call, the act of loading the
22715 varargs is now made explicit in IR. I believe that we have enough IR machinery in place that we
22716 would be able to do the arguments forwarding optimization as an IR transformation. This patch
22717 doesn't implement that yet, and keeps the old bytecode-based varargs argument forwarding
22718 optimization for now.
22719
22720 There are three major IR features introduced in this patch:
22721
22722 CallVarargs/ConstructVarargs: these are like Call/Construct except that they take an arguments
22723 array rather than a list of arguments. Currently, they splat this arguments array onto the stack
22724 using the same basic technique as the baseline JIT has always done. Except, these nodes indicate
22725 that we are not interested in doing the non-escaping "arguments" optimization.
22726
22727 CallForwardVarargs: this is a form of CallVarargs that just does the non-escaping "arguments"
22728 optimization, aka forwarding arguments. It's somewhat lazy that this doesn't include
22729 ConstructForwardVarargs, but the reason is that once we eliminate the lazy tear-off for
22730 arguments, this whole thing will have to be tweaked - and for now forwarding on construct is just
22731 not important in benchmarks. ConstructVarargs will still do forwarding, just not inlined.
22732
22733 LoadVarargs: loads all elements out of an array onto the stack in a manner suitable for a varargs
22734 call. This is used only when a varargs call (or construct) was inlined. The bytecode parser will
22735 make room on the stack for the arguments, and will use LoadVarargs to put those arguments into
22736 place.
22737
22738 In the future, we can consider adding strength reductions like:
22739
22740 - If CallVarargs/ConstructVarargs see an array of known size with known elements, turn them into
22741 Call/Construct.
22742
22743 - If CallVarargs/ConstructVarargs are passed an unmodified, unescaped Arguments object, then
22744 turn them into CallForwardVarargs/ConstructForwardVarargs.
22745
22746 - If LoadVarargs sees an array of known size, then turn it into a sequence of GetByVals and
22747 PutLocals.
22748
22749 - If LoadVarargs sees an unmodified, unescaped Arguments object, then turn it into something like
22750 LoadForwardVarargs.
22751
22752 - If CallVarargs/ConstructVarargs/LoadVarargs see the result of a splice (or other Array
22753 prototype function), then do the splice and varargs loading in one go (maybe via a new node
22754 type).
22755
22756 * CMakeLists.txt:
22757 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
22758 * JavaScriptCore.xcodeproj/project.pbxproj:
22759 * assembler/MacroAssembler.h:
22760 (JSC::MacroAssembler::rshiftPtr):
22761 (JSC::MacroAssembler::urshiftPtr):
22762 * assembler/MacroAssemblerARM64.h:
22763 (JSC::MacroAssemblerARM64::urshift64):
22764 * assembler/MacroAssemblerX86_64.h:
22765 (JSC::MacroAssemblerX86_64::urshift64):
22766 * assembler/X86Assembler.h:
22767 (JSC::X86Assembler::shrq_i8r):
22768 * bytecode/CallLinkInfo.h:
22769 (JSC::CallLinkInfo::CallLinkInfo):
22770 * bytecode/CallLinkStatus.cpp:
22771 (JSC::CallLinkStatus::computeFor):
22772 (JSC::CallLinkStatus::setProvenConstantCallee):
22773 (JSC::CallLinkStatus::dump):
22774 * bytecode/CallLinkStatus.h:
22775 (JSC::CallLinkStatus::maxNumArguments):
22776 (JSC::CallLinkStatus::setIsProved): Deleted.
22777 * bytecode/CodeOrigin.cpp:
22778 (WTF::printInternal):
22779 * bytecode/CodeOrigin.h:
22780 (JSC::InlineCallFrame::varargsKindFor):
22781 (JSC::InlineCallFrame::specializationKindFor):
22782 (JSC::InlineCallFrame::isVarargs):
22783 (JSC::InlineCallFrame::isNormalCall): Deleted.
22784 * bytecode/ExitKind.cpp:
22785 (JSC::exitKindToString):
22786 * bytecode/ExitKind.h:
22787 * bytecode/ValueRecovery.cpp:
22788 (JSC::ValueRecovery::dumpInContext):
22789 * dfg/DFGAbstractInterpreterInlines.h:
22790 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
22791 * dfg/DFGArgumentsSimplificationPhase.cpp:
22792 (JSC::DFG::ArgumentsSimplificationPhase::run):
22793 * dfg/DFGByteCodeParser.cpp:
22794 (JSC::DFG::ByteCodeParser::flush):
22795 (JSC::DFG::ByteCodeParser::addCall):
22796 (JSC::DFG::ByteCodeParser::handleCall):
22797 (JSC::DFG::ByteCodeParser::handleVarargsCall):
22798 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
22799 (JSC::DFG::ByteCodeParser::inliningCost):
22800 (JSC::DFG::ByteCodeParser::inlineCall):
22801 (JSC::DFG::ByteCodeParser::attemptToInlineCall):
22802 (JSC::DFG::ByteCodeParser::handleInlining):
22803 (JSC::DFG::ByteCodeParser::handleMinMax):
22804 (JSC::DFG::ByteCodeParser::handleIntrinsic):
22805 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
22806 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
22807 (JSC::DFG::ByteCodeParser::parseBlock):
22808 (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): Deleted.
22809 (JSC::DFG::ByteCodeParser::undoFunctionChecks): Deleted.
22810 * dfg/DFGCapabilities.cpp:
22811 (JSC::DFG::capabilityLevel):
22812 * dfg/DFGCapabilities.h:
22813 (JSC::DFG::functionCapabilityLevel):
22814 (JSC::DFG::mightCompileFunctionFor):
22815 * dfg/DFGClobberize.h:
22816 (JSC::DFG::clobberize):
22817 * dfg/DFGCommon.cpp:
22818 (WTF::printInternal):
22819 * dfg/DFGCommon.h:
22820 (JSC::DFG::canInline):
22821 (JSC::DFG::leastUpperBound):
22822 * dfg/DFGDoesGC.cpp:
22823 (JSC::DFG::doesGC):
22824 * dfg/DFGFixupPhase.cpp:
22825 (JSC::DFG::FixupPhase::fixupNode):
22826 * dfg/DFGGraph.cpp:
22827 (JSC::DFG::Graph::dump):
22828 (JSC::DFG::Graph::dumpBlockHeader):
22829 (JSC::DFG::Graph::isLiveInBytecode):
22830 (JSC::DFG::Graph::valueProfileFor):
22831 (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
22832 * dfg/DFGGraph.h:
22833 (JSC::DFG::Graph::valueProfileFor): Deleted.
22834 (JSC::DFG::Graph::methodOfGettingAValueProfileFor): Deleted.
22835 * dfg/DFGJITCompiler.cpp:
22836 (JSC::DFG::JITCompiler::compileExceptionHandlers):
22837 (JSC::DFG::JITCompiler::link):
22838 * dfg/DFGMayExit.cpp:
22839 (JSC::DFG::mayExit):
22840 * dfg/DFGNode.h:
22841 (JSC::DFG::Node::hasCallVarargsData):
22842 (JSC::DFG::Node::callVarargsData):
22843 (JSC::DFG::Node::hasLoadVarargsData):
22844 (JSC::DFG::Node::loadVarargsData):
22845 (JSC::DFG::Node::hasHeapPrediction):
22846 * dfg/DFGNodeType.h:
22847 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
22848 (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
22849 * dfg/DFGOSRExitCompilerCommon.cpp:
22850 (JSC::DFG::reifyInlinedCallFrames):
22851 * dfg/DFGOperations.cpp:
22852 * dfg/DFGOperations.h:
22853 * dfg/DFGPlan.cpp:
22854 (JSC::DFG::dumpAndVerifyGraph):
22855 (JSC::DFG::Plan::compileInThreadImpl):
22856 * dfg/DFGPreciseLocalClobberize.h:
22857 (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
22858 (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
22859 * dfg/DFGPredictionPropagationPhase.cpp:
22860 (JSC::DFG::PredictionPropagationPhase::propagate):
22861 * dfg/DFGSSAConversionPhase.cpp:
22862 * dfg/DFGSafeToExecute.h:
22863 (JSC::DFG::safeToExecute):
22864 * dfg/DFGSpeculativeJIT.h:
22865 (JSC::DFG::SpeculativeJIT::isFlushed):
22866 (JSC::DFG::SpeculativeJIT::callOperation):
22867 * dfg/DFGSpeculativeJIT32_64.cpp:
22868 (JSC::DFG::SpeculativeJIT::emitCall):
22869 (JSC::DFG::SpeculativeJIT::compile):
22870 * dfg/DFGSpeculativeJIT64.cpp:
22871 (JSC::DFG::SpeculativeJIT::emitCall):
22872 (JSC::DFG::SpeculativeJIT::compile):
22873 * dfg/DFGStackLayoutPhase.cpp:
22874 (JSC::DFG::StackLayoutPhase::run):
22875 (JSC::DFG::StackLayoutPhase::assign):
22876 * dfg/DFGStrengthReductionPhase.cpp:
22877 (JSC::DFG::StrengthReductionPhase::handleNode):
22878 * dfg/DFGTypeCheckHoistingPhase.cpp:
22879 (JSC::DFG::TypeCheckHoistingPhase::run):
22880 * dfg/DFGValidate.cpp:
22881 (JSC::DFG::Validate::validateCPS):
22882 * ftl/FTLAbbreviations.h:
22883 (JSC::FTL::functionType):
22884 (JSC::FTL::buildCall):
22885 * ftl/FTLCapabilities.cpp:
22886 (JSC::FTL::canCompile):
22887 * ftl/FTLCompile.cpp:
22888 (JSC::FTL::mmAllocateDataSection):
22889 * ftl/FTLInlineCacheSize.cpp:
22890 (JSC::FTL::sizeOfCall):
22891 (JSC::FTL::sizeOfCallVarargs):
22892 (JSC::FTL::sizeOfCallForwardVarargs):
22893 (JSC::FTL::sizeOfConstructVarargs):
22894 (JSC::FTL::sizeOfIn):
22895 (JSC::FTL::sizeOfICFor):
22896 (JSC::FTL::sizeOfCheckIn): Deleted.
22897 * ftl/FTLInlineCacheSize.h:
22898 * ftl/FTLIntrinsicRepository.h:
22899 * ftl/FTLJSCall.cpp:
22900 (JSC::FTL::JSCall::JSCall):
22901 * ftl/FTLJSCallBase.cpp:
22902 * ftl/FTLJSCallBase.h:
22903 * ftl/FTLJSCallVarargs.cpp: Added.
22904 (JSC::FTL::JSCallVarargs::JSCallVarargs):
22905 (JSC::FTL::JSCallVarargs::numSpillSlotsNeeded):
22906 (JSC::FTL::JSCallVarargs::emit):
22907 (JSC::FTL::JSCallVarargs::link):
22908 * ftl/FTLJSCallVarargs.h: Added.
22909 (JSC::FTL::JSCallVarargs::node):
22910 (JSC::FTL::JSCallVarargs::stackmapID):
22911 (JSC::FTL::JSCallVarargs::operator<):
22912 * ftl/FTLLowerDFGToLLVM.cpp:
22913 (JSC::FTL::LowerDFGToLLVM::lower):
22914 (JSC::FTL::LowerDFGToLLVM::compileNode):
22915 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
22916 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
22917 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
22918 (JSC::FTL::LowerDFGToLLVM::compileLoadVarargs):
22919 (JSC::FTL::LowerDFGToLLVM::compileIn):
22920 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
22921 (JSC::FTL::LowerDFGToLLVM::vmCall):
22922 (JSC::FTL::LowerDFGToLLVM::vmCallNoExceptions):
22923 (JSC::FTL::LowerDFGToLLVM::callCheck):
22924 * ftl/FTLOutput.h:
22925 (JSC::FTL::Output::call):
22926 * ftl/FTLState.cpp:
22927 (JSC::FTL::State::State):
22928 * ftl/FTLState.h:
22929 * interpreter/Interpreter.cpp:
22930 (JSC::sizeOfVarargs):
22931 (JSC::sizeFrameForVarargs):
22932 * interpreter/Interpreter.h:
22933 * interpreter/StackVisitor.cpp:
22934 (JSC::StackVisitor::readInlinedFrame):
22935 * jit/AssemblyHelpers.cpp:
22936 (JSC::AssemblyHelpers::emitExceptionCheck):
22937 * jit/AssemblyHelpers.h:
22938 (JSC::AssemblyHelpers::addressFor):
22939 (JSC::AssemblyHelpers::calleeFrameSlot):
22940 (JSC::AssemblyHelpers::calleeArgumentSlot):
22941 (JSC::AssemblyHelpers::calleeFrameTagSlot):
22942 (JSC::AssemblyHelpers::calleeFramePayloadSlot):
22943 (JSC::AssemblyHelpers::calleeArgumentTagSlot):
22944 (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
22945 (JSC::AssemblyHelpers::calleeFrameCallerFrame):
22946 (JSC::AssemblyHelpers::selectScratchGPR):
22947 * jit/CCallHelpers.h:
22948 (JSC::CCallHelpers::setupArgumentsWithExecState):
22949 * jit/GPRInfo.h:
22950 * jit/JIT.cpp:
22951 (JSC::JIT::privateCompile):
22952 * jit/JIT.h:
22953 * jit/JITCall.cpp:
22954 (JSC::JIT::compileSetupVarargsFrame):
22955 (JSC::JIT::compileOpCall):
22956 * jit/JITCall32_64.cpp:
22957 (JSC::JIT::compileSetupVarargsFrame):
22958 (JSC::JIT::compileOpCall):
22959 * jit/JITOperations.h:
22960 * jit/SetupVarargsFrame.cpp:
22961 (JSC::emitSetupVarargsFrameFastCase):
22962 * jit/SetupVarargsFrame.h:
22963 * runtime/Arguments.h:
22964 (JSC::Arguments::create):
22965 (JSC::Arguments::registerArraySizeInBytes):
22966 (JSC::Arguments::finishCreation):
22967 * runtime/Options.h:
22968 * tests/stress/construct-varargs-inline-smaller-Foo.js: Added.
22969 (Foo):
22970 (bar):
22971 (checkEqual):
22972 (test):
22973 * tests/stress/construct-varargs-inline.js: Added.
22974 (Foo):
22975 (bar):
22976 (checkEqual):
22977 (test):
22978 * tests/stress/construct-varargs-no-inline.js: Added.
22979 (Foo):
22980 (bar):
22981 (checkEqual):
22982 (test):
22983 * tests/stress/get-argument-by-val-in-inlined-varargs-call-out-of-bounds.js: Added.
22984 (foo):
22985 (bar):
22986 * tests/stress/get-argument-by-val-safe-in-inlined-varargs-call-out-of-bounds.js: Added.
22987 (foo):
22988 (bar):
22989 * tests/stress/get-my-argument-by-val-creates-arguments.js: Added.
22990 (blah):
22991 (foo):
22992 (bar):
22993 (checkEqual):
22994 (test):
22995 * tests/stress/load-varargs-then-inlined-call-exit-in-foo.js: Added.
22996 (foo):
22997 (bar):
22998 (checkEqual):
22999 * tests/stress/load-varargs-then-inlined-call-inlined.js: Added.
23000 (foo):
23001 (bar):
23002 (baz):
23003 (checkEqual):
23004 (test):
23005 * tests/stress/load-varargs-then-inlined-call.js: Added.
23006 (foo):
23007 (bar):
23008 (checkEqual):
23009 (test):
23010
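Added example (not one of the stress tests listed above and not code from the patch): the JavaScript below spells out the three call shapes the entry distinguishes, in the form a stress test would use, and records the observable contract that "splatting an arguments array onto the stack" has to honour at the language level: Function.prototype.apply reads length first, then each index in order, and a missing index arrives as undefined (CreateListFromArrayLike in the specification). The function names, the Proxy-based tracer and the sample inputs are assumptions chosen for the demonstration; the tracer is a test instrument, not something the engine does.

```javascript
// Added example, not JavaScriptCore code.
function sum3(a, b, c) { return a + b + c; }
function Point(x, y) { this.x = x; this.y = y; }

// Shape 1: a varargs call on an arbitrary array (CallVarargs in the entry's terms).
function callWithArray(array) { return sum3.apply(null, array); }

// Shape 2: a varargs construct (ConstructVarargs).
function constructWithArray(array) { return new Point(...array); }

// Shape 3: forwarding the caller's own, unmodified arguments object; this is
// the pattern the entry calls CallForwardVarargs.
function forwardArguments() { return sum3.apply(this, arguments); }

// Records every property read apply() performs on the array-like while it
// loads the varargs. The Proxy only observes; it does not change the values.
function traceVarargsLoad(arrayLike) {
  const reads = [];
  const observed = new Proxy(arrayLike, {
    get(target, property, receiver) {
      reads.push(String(property));
      return Reflect.get(target, property, receiver);
    },
  });
  const result = sum3.apply(null, observed);
  return { reads, result };
}
```

For [1, 2, 3] the trace is ["length", "0", "1", "2"] with result 6; for the sparse array-like { length: 3, 0: 1, 2: 3 } the same four reads happen and the missing index 1 reaches sum3 as undefined, so the result is NaN. A test for a varargs lowering should check exactly these two things: that the load is driven by length rather than by the keys present, and that every element is read once, in order, through ordinary property access.
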
23011 2015-02-17 Michael Saboff <msaboff@apple.com>
23012
23013 Unreviewed, Restoring the C LOOP insta-crash fix in r180184.
23014
23015 Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
23016 After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
23017
23018 * llint/LowLevelInterpreter.asm: Fixed a typo.
23019
23020 2015-02-18 Csaba Osztrogonác <ossy@webkit.org>
23021
23022 URTBF after r180258 to fix Windows build.
23023
23024 * runtime/MathCommon.cpp:
23025 (JSC::mathPowInternal):
23026
23027 2015-02-18 Joseph Pecoraro <pecoraro@apple.com>
23028
23029 REGRESSION(r180235): It broke the !ENABLE(PROMISES) build
23030 https://bugs.webkit.org/show_bug.cgi?id=141746
23031
23032 Unreviewed build fix.
23033
23034 * inspector/JSInjectedScriptHost.cpp:
23035 (Inspector::JSInjectedScriptHost::getInternalProperties):
23036 Wrap JSPromise related code in ENABLE(PROMISES) guard.
23037
23038 2015-02-18 Benjamin Poulain <benjamin@webkit.org>
23039
23040 Fix the C-Loop LLInt build
23041 https://bugs.webkit.org/show_bug.cgi?id=141618
23042
23043 Reviewed by Filip Pizlo.
23044
23045 I broke C-Loop when moving the common code of pow()
23046 to JITOperations because that file is #ifdefed out
23047 when the JITs are disabled.
23048
23049 It would be weird to move it back to MathObject since
23050 the function needs to know about the calling conventions.
23051
23052 To avoid making a mess, I just gave the function its own file
23053 that is used by both the runtime and the JIT.
23054
23055 * CMakeLists.txt:
23056 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
23057 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
23058 * JavaScriptCore.xcodeproj/project.pbxproj:
23059 * dfg/DFGAbstractInterpreterInlines.h:
23060 * jit/JITOperations.cpp:
23061 * jit/JITOperations.h:
23062 * runtime/MathCommon.cpp: Added.
23063 (JSC::fdlibmScalbn):
23064 (JSC::fdlibmPow):
23065 (JSC::isDenormal):
23066 (JSC::isEdgeCase):
23067 (JSC::mathPowInternal):
23068 (JSC::operationMathPow):
23069 * runtime/MathCommon.h: Added.
23070 * runtime/MathObject.cpp:
23071
23072 2015-02-17 Benjamin Poulain <bpoulain@apple.com>
23073
23074 Clean up OSRExit's considerAddingAsFrequentExitSite()
23075 https://bugs.webkit.org/show_bug.cgi?id=141690
23076
23077 Reviewed by Anders Carlsson.
23078
23079 Looks like some code was removed from CodeBlock::tallyFrequentExitSites()
23080 and the OSRExit were left untouched.
23081
23082 This patch cleans up the two loops and removes the boolean return
23083 on considerAddingAsFrequentExitSite().
23084
23085 * bytecode/CodeBlock.cpp:
23086 (JSC::CodeBlock::tallyFrequentExitSites):
23087 * dfg/DFGOSRExit.h:
23088 (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
23089 * dfg/DFGOSRExitBase.cpp:
23090 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
23091 * dfg/DFGOSRExitBase.h:
23092 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
23093 * ftl/FTLOSRExit.h:
23094 (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
23095
23096 2015-02-17 Alexey Proskuryakov <ap@apple.com>
23097
23098 Debug build fix after r180247.
23099
23100 * ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::loweringFailed):
23101
23102 2015-02-17 Commit Queue <commit-queue@webkit.org>
23103
23104 Unreviewed, rolling out r180184.
23105 https://bugs.webkit.org/show_bug.cgi?id=141733
23106
23107 Caused infinite recursion on js/function-apply-aliased.html
23108 (Requested by ap_ on #webkit).
23109
23110 Reverted changeset:
23111
23112 "REGRESSION(r180060): C Loop crashes"
23113 https://bugs.webkit.org/show_bug.cgi?id=141671
23114 http://trac.webkit.org/changeset/180184
23115
23116 2015-02-17 Michael Saboff <msaboff@apple.com>
23117
23118 CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
23119 https://bugs.webkit.org/show_bug.cgi?id=141730
23120
23121 Reviewed by Geoffrey Garen.
23122
23123 Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
23124 while processing DFG lowering. For debug builds, the failures are logged identically
23125 to the way the DFG_CRASH() reports them. For release builds, the failures are reported
23126 and the FTL compilation is terminated, but the process is allowed to continue.
23127 Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
23128 line number are reported at the point of the inconsistency.
23129
23130 Converted instances of DFG_CRASH to LOWERING_FAILED.
23131
23132 * dfg/DFGPlan.cpp:
23133 (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
23134 will fail the FTL compile.
23135
23136 * ftl/FTLLowerDFGToLLVM.cpp:
23137 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
23138 Added new member variable, m_loweringSucceeded, to stop compilation on the first
23139 reported failure.
23140
23141 * ftl/FTLLowerDFGToLLVM.cpp:
23142 (JSC::FTL::LowerDFGToLLVM::lower):
23143 * ftl/FTLLowerDFGToLLVM.h:
23144 Added check for compilation failures and now report those failures via a boolean
23145 return value.
23146
23147 * ftl/FTLLowerDFGToLLVM.cpp:
23148 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
23149 (JSC::FTL::LowerDFGToLLVM::compileNode):
23150 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
23151 (JSC::FTL::LowerDFGToLLVM::compilePhi):
23152 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
23153 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
23154 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
23155 (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
23156 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
23157 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
23158 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
23159 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
23160 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
23161 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
23162 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
23163 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
23164 (JSC::FTL::LowerDFGToLLVM::compileGetById):
23165 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
23166 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
23167 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
23168 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
23169 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
23170 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
23171 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
23172 (JSC::FTL::LowerDFGToLLVM::compileToString):
23173 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
23174 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
23175 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
23176 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
23177 (JSC::FTL::LowerDFGToLLVM::compare):
23178 (JSC::FTL::LowerDFGToLLVM::boolify):
23179 (JSC::FTL::LowerDFGToLLVM::opposite):
23180 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
23181 (JSC::FTL::LowerDFGToLLVM::speculate):
23182 (JSC::FTL::LowerDFGToLLVM::isArrayType):
23183 (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
23184 (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
23185 (JSC::FTL::LowerDFGToLLVM::setInt52):
23186 Changed DFG_CRASH() to LOWERING_FAILED(). Updated related control flow as appropriate.
23187
23188 (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
23189
23190 2015-02-17 Filip Pizlo <fpizlo@apple.com>
23191
23192 StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
23193 https://bugs.webkit.org/show_bug.cgi?id=141721
23194 rdar://problem/17198633
23195
23196 Reviewed by Michael Saboff.
23197
23198 I've seen cases where the two are out of sync. We know we can trust the CodeBlock::usesArguments because
23199 we use it everywhere else.
23200
23201 No test because I could never reproduce the crash.
23202
23203 * dfg/DFGGraph.h:
23204 (JSC::DFG::Graph::usesArguments):
23205 * dfg/DFGStackLayoutPhase.cpp:
23206 (JSC::DFG::StackLayoutPhase::run):
23207
23208 2015-02-16 Joseph Pecoraro <pecoraro@apple.com>
23209
23210 Web Inspector: Improved Console Support for Bound Functions
23211 https://bugs.webkit.org/show_bug.cgi?id=141635
23212
23213 Reviewed by Timothy Hatcher.
23214
23215 * inspector/JSInjectedScriptHost.cpp:
23216 (Inspector::JSInjectedScriptHost::getInternalProperties):
23217 Expose internal properties of a JSBoundFunction.
23218
23219 2015-02-16 Joseph Pecoraro <pecoraro@apple.com>
23220
23221 Web Inspector: ES6: Improved Console Support for Promise Objects
23222 https://bugs.webkit.org/show_bug.cgi?id=141634
23223
23224 Reviewed by Timothy Hatcher.
23225
23226 * inspector/InjectedScript.cpp:
23227 (Inspector::InjectedScript::getInternalProperties):
23228 * inspector/InjectedScriptSource.js:
23229 Include internal properties in previews. Share code
23230 with normal internal property handling.
23231
23232 * inspector/JSInjectedScriptHost.cpp:
23233 (Inspector::constructInternalProperty):
23234 (Inspector::JSInjectedScriptHost::getInternalProperties):
23235 Provide internal state of Promises.
23236
23237 * inspector/protocol/Runtime.json:
23238 Provide an optional field to distinguish if a PropertyPreview
23239 is for an Internal property or not.
23240
23241 2015-02-17 Filip Pizlo <fpizlo@apple.com>
23242
23243 Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
23244 https://bugs.webkit.org/show_bug.cgi?id=141717
23245 rdar://problem/19863382
23246
23247 Reviewed by Geoffrey Garen.
23248
23249 The best solution is to ensure that the engine catching an exception restores tag registers.
23250
23251 Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
23252
23253 * jit/JITOpcodes.cpp:
23254 (JSC::JIT::emit_op_catch):
23255 * llint/LowLevelInterpreter.asm:
23256 * llint/LowLevelInterpreter64.asm:
23257 * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
23258 * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
23259 * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
23260
23261 2015-02-17 Csaba Osztrogonác <ossy@webkit.org>
23262
23263 [ARM] Add the necessary setupArgumentsWithExecState after bug141332
23264 https://bugs.webkit.org/show_bug.cgi?id=141714
23265
23266 Reviewed by Michael Saboff.
23267
23268 * jit/CCallHelpers.h:
23269 (JSC::CCallHelpers::setupArgumentsWithExecState):
23270
23271 2015-02-15 Sam Weinig <sam@webkit.org>
23272
23273 Add experimental <attachment> element support
23274 https://bugs.webkit.org/show_bug.cgi?id=141626
23275
23276 Reviewed by Tim Horton.
23277
23278 * Configurations/FeatureDefines.xcconfig:
23279
23280 2015-02-16 Michael Saboff <msaboff@apple.com>
23281
23282 REGRESSION(r180060): C Loop crashes
23283 https://bugs.webkit.org/show_bug.cgi?id=141671
23284
23285 Reviewed by Geoffrey Garen.
23286
23287 Fixed a typo that only affected the C Loop in the prologue() macro in LowLevelInterpreter.asm.
23288 After the stackHeightOKGetCodeBlock label, codeBlockSetter(t1) should be codeBlockGetter(t1).
23289 Fixed the processing of an out of stack exception in llint_stack_check to not get the caller's
23290 frame. This isn't needed, since this helper is only called to check the stack on entry. Any
23291 exception will be handled by a call ancestor.
23292
23293 * llint/LLIntSlowPaths.cpp:
23294 (JSC::LLInt::llint_stack_check): Changed to use the current frame for processing an exception.
23295 * llint/LowLevelInterpreter.asm: Fixed a typo.
23296
23297 2015-02-16 Joseph Pecoraro <pecoraro@apple.com>
23298
23299 Web Inspector: Scope details sidebar should label objects with constructor names
23300 https://bugs.webkit.org/show_bug.cgi?id=139449
23301
23302 Reviewed by Timothy Hatcher.
23303
23304 * inspector/JSInjectedScriptHost.cpp:
23305 (Inspector::JSInjectedScriptHost::internalConstructorName):
23306 * runtime/Structure.cpp:
23307 (JSC::Structure::toStructureShape):
23308 Share calculatedClassName.
23309
23310 * runtime/JSObject.h:
23311 * runtime/JSObject.cpp:
23312 (JSC::JSObject::calculatedClassName):
23313 Elaborate on a way to get an Object's class name.
23314
23315 2015-02-16 Filip Pizlo <fpizlo@apple.com>
23316
23317 DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed
23318 https://bugs.webkit.org/show_bug.cgi?id=141623
23319
23320 Reviewed by Oliver Hunt.
23321
23322 During development of https://bugs.webkit.org/show_bug.cgi?id=141332, I realized that I
23323 needed to use GetArgument for loading something that has magically already appeared on the
23324 stack, so currently trunk sort of allows this. But then I realized three things:
23325
23326 - A GetArgument with a non-JSValue flush format means speculating that the value on the
23327 stack obeys that format, rather than just assuming that it already has that format.
        In bug 141332, I want it to assume rather than speculate. That also happens to be more
        intuitive; I don't think I was wrong to expect that.

        - The node I really want is GetLocal. I'm just getting the value of the local and I don't
          want to do anything else.

        - Maybe it would be easier if we just used GetLocal for all of the cases where we currently
          use GetArgument.

        This changes the FTL to do argument speculations in the prologue just like the DFG does.
        This brings some consistency to our system, and allows us to get rid of the GetArgument
        node. The speculations that the FTL must do are now made explicit in the m_argumentFormats
        vector in DFG::Graph. This has natural DCE behavior: even if all uses of the argument are
        dead we will still speculate. We already have safeguards to ensure we only speculate if
        there are uses that benefit from speculation (which is a much more conservative criterion
        than DCE).

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::typeFilterFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPutLocalSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument): Deleted.
        * tests/stress/dead-speculating-argument-use.js: Added.
        (foo):
        (o.valueOf):

2015-02-15  Filip Pizlo  <fpizlo@apple.com>

        Rare case profiling should actually work
        https://bugs.webkit.org/show_bug.cgi?id=141632

        Reviewed by Michael Saboff.

        This simple adjustment appears to be a 2% speed-up on Octane. Over time, the slow case
        heuristic has essentially stopped working because the typical execution count threshold for a
        bytecode instruction is around 66 while the slow case threshold is 100: virtually
        guaranteeing that the DFG will never think that a bytecode instruction has taken the slow
        case even if it took it every single time. So, this changes the slow case threshold to 20.

        I checked if we could lower this down further, like to 10. That is worse than 20, and about
        as bad as 100.

        * runtime/Options.h:

2015-02-15  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove unused XHR replay code
        https://bugs.webkit.org/show_bug.cgi?id=141622

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Network.json: remove XHR replay methods.

2015-02-15  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
        <http://webkit.org/b/141607>

        More work towards fixing the Mavericks Debug build.

        * inspector/ScriptDebugServer.h:
        (Inspector::ScriptDebugServer::Task):
        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::Listener):
        - Remove subclass exports. They did not help.

        * runtime/JSCJSValue.h:
        (JSC::JSValue::toFloat): Do not mark inline method for export.

2015-02-09  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove some unnecessary Inspector prefixes from class names in Inspector namespace
        https://bugs.webkit.org/show_bug.cgi?id=141372

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        (Inspector::ConsoleMessage::updateRepeatCountInConsole):
        * inspector/ConsoleMessage.h:
        * inspector/InspectorAgentBase.h:
        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::AgentRegistry::AgentRegistry):
        (Inspector::AgentRegistry::append):
        (Inspector::AgentRegistry::appendExtraAgent):
        (Inspector::AgentRegistry::didCreateFrontendAndBackend):
        (Inspector::AgentRegistry::willDestroyFrontendAndBackend):
        (Inspector::AgentRegistry::discardAgents):
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry): Deleted.
        (Inspector::InspectorAgentRegistry::append): Deleted.
        (Inspector::InspectorAgentRegistry::appendExtraAgent): Deleted.
        (Inspector::InspectorAgentRegistry::didCreateFrontendAndBackend): Deleted.
        (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend): Deleted.
        (Inspector::InspectorAgentRegistry::discardAgents): Deleted.
        * inspector/InspectorAgentRegistry.h:
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::CallbackBase):
        (Inspector::BackendDispatcher::CallbackBase::isActive):
        (Inspector::BackendDispatcher::CallbackBase::sendFailure):
        (Inspector::BackendDispatcher::CallbackBase::sendIfActive):
        (Inspector::BackendDispatcher::create):
        (Inspector::BackendDispatcher::registerDispatcherForDomain):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::reportProtocolError):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::isActive): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendFailure): Deleted.
        (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive): Deleted.
        (Inspector::InspectorBackendDispatcher::create): Deleted.
        (Inspector::InspectorBackendDispatcher::registerDispatcherForDomain): Deleted.
        (Inspector::InspectorBackendDispatcher::dispatch): Deleted.
        (Inspector::InspectorBackendDispatcher::sendResponse): Deleted.
        (Inspector::InspectorBackendDispatcher::reportProtocolError): Deleted.
        (Inspector::InspectorBackendDispatcher::getInteger): Deleted.
        (Inspector::InspectorBackendDispatcher::getDouble): Deleted.
        (Inspector::InspectorBackendDispatcher::getString): Deleted.
        (Inspector::InspectorBackendDispatcher::getBoolean): Deleted.
        (Inspector::InspectorBackendDispatcher::getObject): Deleted.
        (Inspector::InspectorBackendDispatcher::getArray): Deleted.
        (Inspector::InspectorBackendDispatcher::getValue): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        (Inspector::SupplementalBackendDispatcher::SupplementalBackendDispatcher):
        (Inspector::SupplementalBackendDispatcher::~SupplementalBackendDispatcher):
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher): Deleted.
        (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher): Deleted.
        * inspector/InspectorFrontendChannel.h:
        (Inspector::FrontendChannel::~FrontendChannel):
        (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel): Deleted.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
        (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        (Inspector::InspectorDebuggerAgent::clearBreakDetails):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * inspector/augmentable/AugmentableInspectorController.h:
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_type_for_formal_out_parameter):
        (CppGenerator.cpp_type_for_stack_out_parameter):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (AlternateBackendDispatcher):
        (Alternate):
        (void):
        (AlternateInspectorBackendDispatcher): Deleted.
        (AlternateInspector): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.Alternate):
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        (CppBackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector): Deleted.
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        * runtime/JSGlobalObjectDebuggable.h:

2015-02-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols
        <http://webkit.org/b/141607>

        Work towards fixing the Mavericks Debug build.

        * inspector/ScriptDebugServer.h:
        (Inspector::ScriptDebugServer::Task): Export class.
        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::Listener): Export class.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient): Do not mark inline
        method for export.

2015-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Symbol RemoteObject should not send sub-type
        https://bugs.webkit.org/show_bug.cgi?id=141604

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Attempt to fix 32bits build after r180098

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        I copied the attribute from the MathObject version of that function when I moved
        it over. DFG has no version of a function call taking those attributes.

2015-02-13  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Do not stash console messages for non-debuggable JSContext
        https://bugs.webkit.org/show_bug.cgi?id=141589

        Reviewed by Timothy Hatcher.

        Consider developer extras disabled for JSContext inspection if the
        RemoteInspector server is not enabled (typically a non-debuggable
        process rejected by webinspectord) or if remote debugging on the
        JSContext was explicitly disabled via SPI.

        When developer extras are disabled, console messages will not be stashed.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
        * inspector/JSGlobalObjectInspectorController.h:

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Add a DFG node for the Pow Intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=141540

        Reviewed by Filip Pizlo.

        Add a DFG Node for PowIntrinsic. This patch covers the basic cases
        needed to avoid massive regression. I will iterate over the node to cover
        the missing types.

        With this patch I get the following progressions on benchmarks:
        -LongSpider's math-partial-sums: +5%.
        -Kraken's imaging-darkroom: +17%
        -AsmBench's cray.c: +6.6%
        -CompressionBench: +2.2% globally.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        Cover a couple of trivial cases:
        -If the exponent is zero, the result is always one, regardless of the base.
        -If both arguments are constants, compute the result at compile time.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        We only support 2 basic cases at this time:
        -Math.pow(double, int)
        -Math.pow(double, double).

        I'll cover Math.pow(int, int) in a follow up.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToArithSqrt):
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithPow):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doublePow):
        (JSC::FTL::Output::doublePowi):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncPow):
        (JSC::isDenormal): Deleted.
        (JSC::isEdgeCase): Deleted.
        (JSC::mathPow): Deleted.

        * tests/stress/math-pow-basics.js: Added.
        * tests/stress/math-pow-integer-exponent-fastpath.js: Added.
        * tests/stress/math-pow-nan-behaviors.js: Added.
        * tests/stress/math-pow-with-constants.js: Added.
        Start some basic testing of Math.pow().
        Due to the various transforms, the values change when the code tiers up;
        I covered this by checking for approximate values.

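The entry above describes the new ArithPow node, the two trivial cases the abstract interpreter folds, and stress tests that compare approximate values because results can change once the code tiers up. The following is an added example in the spirit of those tests; it is not code from the WebKit tree, and the function names are assumptions made for this example. It cross-checks the Math.pow(double, int) path against repeated multiplication over many iterations (enough for an optimizing tier to kick in), and pins down the edge cases an engine must preserve: a zero exponent always yields 1, and the cases where JavaScript must return NaN even though a C library pow() would not.

```javascript
// Added example (not from the WebKit tree): stress-test style checks for Math.pow().
// All function names here are assumptions made for this example.

// Reference implementation by repeated multiplication, used to cross-check the
// integer-exponent path for small non-negative exponents.
function powByMultiplication(base, exponent) {
    let result = 1;
    for (let i = 0; i < exponent; i++)
        result *= base;
    return result;
}

// Approximate comparison: the last bits may differ once the code tiers up and a
// different code path computes the same expression.
function approximatelyEqual(a, b, relativeTolerance = 1e-12) {
    if (a === b)
        return true;
    return Math.abs(a - b) <= relativeTolerance * Math.max(Math.abs(a), Math.abs(b));
}

// Wrapped so an optimizing tier sees Math.pow(double, int) with a non-constant exponent.
function powDoubleInt(base, exponent) {
    return Math.pow(base, exponent);
}

// Call the wrapper often enough for a JIT to tier it up, checking every result
// against the multiplication reference. Returns true when all results agree.
function checkIntegerExponentAcrossTiers(iterations = 20000) {
    for (let i = 0; i < iterations; i++) {
        const base = 1.5 + (i % 7) * 0.25;   // constructed sample bases: 1.5 .. 3.0
        const exponent = i % 12;             // constructed sample exponents: 0 .. 11
        if (!approximatelyEqual(powDoubleInt(base, exponent), powByMultiplication(base, exponent)))
            return false;
    }
    return true;
}

// A zero exponent yields 1 regardless of the base, including NaN and infinities,
// which is why the result can be folded without inspecting the base.
function checkZeroExponent() {
    const bases = [NaN, Infinity, -Infinity, 0, -0, 0.5, -3];
    return bases.every(base => Math.pow(base, 0) === 1);
}

// Cases where ECMAScript requires NaN even though C's pow() returns 1 for some of them.
function checkNaNBehaviours() {
    return Number.isNaN(Math.pow(1, Infinity))
        && Number.isNaN(Math.pow(1, NaN))
        && Number.isNaN(Math.pow(-1, Infinity))
        && Number.isNaN(Math.pow(NaN, 1));
}
```

The three check functions each return true on a conforming engine; running them under a shell that exposes the engine's tiers (the jsc shell with its usual option flags) is how a change like the one above would be exercised across the interpreter, baseline, DFG and FTL paths.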
2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        ArithSqrt should not be conditional on supportsFloatingPointSqrt
        https://bugs.webkit.org/show_bug.cgi?id=141546

        Reviewed by Geoffrey Garen and Filip Pizlo.

        Just fall back to the function call in the DFG codegen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSqrt):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/math-sqrt-basics.js: Added.
        Basic coverage.

        * tests/stress/math-sqrt-basics-disable-architecture-specific-optimizations.js: Added.
        Same tests but forcing the function call.

2015-02-13  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled.
        https://bugs.webkit.org/show_bug.cgi?id=141577

        Reviewed by Benjamin Poulain.

        Changed the prologue of the baseline JIT to check for stack space for all
        types of code blocks. Previously, it was only checking Function. Now
        it checks Program and Eval as well.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2015-02-13  Benjamin Poulain  <bpoulain@apple.com>

        Generate incq instead of addq when the immediate value is one
        https://bugs.webkit.org/show_bug.cgi?id=141548

        Reviewed by Gavin Barraclough.

        JSC emits "addq #1 (rXX)" *a lot*.
        This patch replaces that with incq, which is one byte shorter
        and is the advised form.

        Sunspider: +0.47%
        Octane: +0.28%
        Kraken: +0.44%
        AsmBench, CompressionBench: neutral.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::incq_m):

2015-02-13  Benjamin Poulain  <benjamin@webkit.org>

        Little clean up of Bytecode Generator's Label
        https://bugs.webkit.org/show_bug.cgi?id=141557

        Reviewed by Michael Saboff.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        Label was a friend of BytecodeGenerator in order to access
        m_instructions. There is no need for that, BytecodeGenerator
        has a public getter.

        * bytecompiler/Label.h:
        (JSC::Label::Label):
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        Make it explicit that the generator must exist.

2015-02-13  Michael Saboff  <msaboff@apple.com>

        Google doc spreadsheet reproducibly crashes when sorting
        https://bugs.webkit.org/show_bug.cgi?id=141098

        Reviewed by Oliver Hunt.

        Moved the stack check to before the callee registers are allocated in the
        prologue() by moving it from the functionInitialization() macro. This
        way we can check the stack before moving the stack pointer, avoiding a
        crash during a "call" instruction. Before this change, we weren't even
        checking the stack for program and eval execution.

        Made a couple of supporting changes.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_stack_check): We can't just go up one frame as we
        may be processing an exception to an entry frame.

        * llint/LowLevelInterpreter.asm:

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        (llint_throw_from_slow_path_trampoline): Changed method to get the vm
        from the code block to not use the codeBlock, since we may need to
        continue from an exception in a native function.

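Both the r141098 entry above and the earlier r180060 follow-up (baseline JIT prologue now checks stack space for Program and Eval code blocks, not only Function) are about the same property: exhausting the stack must surface as a catchable RangeError before any frame is pushed past the limit, never as a crash in a "call" instruction. The following is an added example that exercises that property from JavaScript; it is not code from the WebKit tree, and the function names are assumptions made for this example. It overflows the stack once through ordinary function code and once through a chain of direct evals, so that an Eval code block's prologue is the one performing the check, and then confirms the engine is still usable afterwards.

```javascript
// Added example (not from the WebKit tree): stack exhaustion must be a catchable
// RangeError in every kind of code block. Function names are assumptions made here.

// Unbounded recursion through ordinary Function code blocks.
function recursionOverflowIsCatchable() {
    function recurse(depth) {
        return recurse(depth + 1) + 1;
    }
    try {
        recurse(0);
        return false; // unreachable on a correct engine: the stack is finite
    } catch (error) {
        return error instanceof RangeError;
    }
}

// Unbounded recursion where every level re-enters through a direct eval, so an
// Eval code block frame is created at each step and its prologue must check
// the stack before touching the stack pointer.
function evalRecursionOverflowIsCatchable() {
    function recurseThroughEval() {
        return eval("recurseThroughEval()") + 1;
    }
    try {
        recurseThroughEval();
        return false;
    } catch (error) {
        return error instanceof RangeError;
    }
}

// After the overflow has been caught, the stack has been unwound and normal
// calls (here a few built-ins) must work again.
function stackIsUsableAfterOverflow() {
    if (!recursionOverflowIsCatchable())
        return false;
    if (!evalRecursionOverflowIsCatchable())
        return false;
    return [1, 2, 3].map(x => x * 2).join(",") === "2,4,6";
}
```

Run under a release build, all three functions return true; under the bug described above, the eval variant is the one that would reach the stack limit inside a call rather than in the prologue check.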
2015-02-12  Benjamin Poulain  <benjamin@webkit.org>

        Simplify the initialization of BytecodeGenerator a bit
        https://bugs.webkit.org/show_bug.cgi?id=141505

        Reviewed by Anders Carlsson.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        Set up the default initialization at the declaration level
        instead of the constructor.

        Also made m_scopeNode and m_codeType const to make it explicit
        that they are invariant after construction.

        * parser/Nodes.cpp:
        * runtime/Executable.cpp:
        Remove 2 useless #includes.

2015-02-12  Benjamin Poulain  <benjamin@webkit.org>

        Move the generators for GetScope and SkipScope to the common core in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=141506

        Reviewed by Michael Saboff.

        The generators for the nodes GetScope and SkipScope were
        completely identical between 32 and 64 bits.

        This patch moves the duplicated code to DFGSpeculativeJIT.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetScope):
        (JSC::DFG::SpeculativeJIT::compileSkipScope):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2015-02-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] [64-bit] Work around MSVC2013 Runtime Bug
        https://bugs.webkit.org/show_bug.cgi?id=141498
        <rdar://problem/19803642>

        Reviewed by Anders Carlsson.

        Disable FMA3 instruction use in the MSVC math library to
        work around a VS2013 runtime crash. We can remove this
        workaround when we switch to VS2015.

        * API/tests/testapi.c: Call _set_FMA3_enable(0) to disable
        FMA3 support.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreDLL.cpp: Added.
        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Call _set_FMA3_enable(0)
        to disable FMA3 support.
        * jsc.cpp: Ditto.
        * testRegExp.cpp: Ditto.

2015-02-11  Filip Pizlo  <fpizlo@apple.com>

        The callee frame helpers in DFG::SpeculativeJIT should be available to other JITs
        https://bugs.webkit.org/show_bug.cgi?id=141493

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot): Deleted.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::calleeFrameSlot):
        (JSC::AssemblyHelpers::calleeArgumentSlot):
        (JSC::AssemblyHelpers::calleeFrameTagSlot):
        (JSC::AssemblyHelpers::calleeFramePayloadSlot):
        (JSC::AssemblyHelpers::calleeArgumentTagSlot):
        (JSC::AssemblyHelpers::calleeArgumentPayloadSlot):
        (JSC::AssemblyHelpers::calleeFrameCallerFrame):

2015-02-11  Filip Pizlo  <fpizlo@apple.com>

        SetupVarargsFrame should not assume that an inline stack frame would have identical layout to a normal stack frame
        https://bugs.webkit.org/show_bug.cgi?id=141485

        Reviewed by Oliver Hunt.

        The inlineStackOffset argument was meant to make it easy for the DFG to use this helper for
        vararg calls from inlined code, but that doesn't work since the DFG inline call frame
        doesn't actually put the argument count at the JSStack::ArgumentCount offset. In fact there
        is really no such thing as an inlineStackOffset except when we OSR exit; while the code is
        running the stack layout is compacted so that the stackOffset is not meaningful.

        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        Split FTL::JSCall into the part that knows about call inline caching and the part that interacts with LLVM patchpoints
        https://bugs.webkit.org/show_bug.cgi?id=141455

        Reviewed by Mark Lam.

        The newly introduced FTL::JSCallBase can be used to build other things, like the FTL portion
        of https://bugs.webkit.org/show_bug.cgi?id=141332.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::specializationKindFor):
        (JSC::CallLinkInfo::specializationKind):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit): Deleted.
        (JSC::FTL::JSCall::link): Deleted.
        * ftl/FTLJSCall.h:
        * ftl/FTLJSCallBase.cpp: Added.
        (JSC::FTL::JSCallBase::JSCallBase):
        (JSC::FTL::JSCallBase::emit):
        (JSC::FTL::JSCallBase::link):
        * ftl/FTLJSCallBase.h: Added.

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        op_call_varargs should only load the length once
        https://bugs.webkit.org/show_bug.cgi?id=141440
        rdar://problem/19761683

        Reviewed by Michael Saboff.

        Refactors the pair of calls that set up the varargs frame so that the first call returns the
        length, and the second call uses the length returned by the first one. It turns out that this
        gave me an opportunity to shorten a lot of the code.

        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        (JSC::setupVarargsFrame):
        (JSC::setupVarargsFrameAndSetThis):
        * interpreter/Interpreter.h:
        (JSC::calleeFrameForVarargs):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupVarargsFrame):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetVarargsFrame):
        (JSC::emitSetupVarargsFrameFastCase):
        * jit/SetupVarargsFrame.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        * runtime/VM.h:
        * tests/stress/call-varargs-length-effects.js: Added.
        (foo):
        (bar):

2015-02-10  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
        https://bugs.webkit.org/show_bug.cgi?id=139398

        Reviewed by Filip Pizlo.

        Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
        was determined to be reachable. When we go to lower to LLVM, the edges for the CompareStrictEq
        node are UntypedUse which we can't compile. Fixed this by checking that the IR before
        lowering can still be handled by the FTL.

        Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
        a SetArgument to a GetArgument. Before this change FTL::canCompile() would never see a GetArgument
        node. With the check right before lowering, we see this node.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
        to verify that after all the transformations we still have valid IR for the FTL.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.

2015-02-10  Filip Pizlo  <fpizlo@apple.com>

        Remove unused DFG::SpeculativeJIT::calleeFrameOffset().

        Rubber stamped by Michael Saboff.

        Not only was this not used, I believe that the math was wrong. The callee frame doesn't
        actually land past m_nextMachineLocal; instead it lands just below wherever we put SP and
        that decision is made elsewhere. Also, it makes no sense to subtract 1 from
        m_nextMachineLocal when trying to deduce the number of in-use stack slots.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameOffset): Deleted.

2015-02-10  Saam Barati  <saambarati1@gmail.com>

        Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier
        https://bugs.webkit.org/show_bug.cgi?id=141272

        Reviewed by Oliver Hunt.

        This patch fixes a bug where the wrong text location would be
        assigned to a variable declaration inside a ForIn/ForOf loop.
        It also fixes a bug in the type profiler where the type profiler
        emits the wrong text offset for a ForIn loop's variable declarator
        when it's not a pattern node.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        * tests/typeProfiler/loop.js:
        (testForIn):
        (testForOf):

2015-02-09  Saam Barati  <saambarati1@gmail.com>

        JSC's Type Profiler doesn't profile the type of the looping variable in ForOf/ForIn loops
        https://bugs.webkit.org/show_bug.cgi?id=141241

        Reviewed by Filip Pizlo.

        Type information is now recorded for ForIn and ForOf statements.
        It was an oversight to not have these statements profiled before.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        * tests/typeProfiler/loop.js: Added.
        (testForIn):
        (testForOf):

240862015-02-09 Filip Pizlo <fpizlo@apple.com>
24087
24088 DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid
24089 https://bugs.webkit.org/show_bug.cgi?id=141412
24090
24091 Reviewed by Michael Saboff.
24092
24093 StackLayoutPhase was attempting to ensure that the register that
24094 CodeBlock::scopeRegister() points to is the right one for the DFG. But the DFG did nothing
24095 else to maintain the validity of the scopeRegister(). It wasn't captured as far as I can
24096 tell. StackLayoutPhase didn't explicitly mark it live. PreciseLocalClobberize didn't mark
24097 it as being live. So, by the time we got here the register referred to by
24098 CodeBlock::scopeRegister() would have been junk. Moreover, CodeBlock::scopeRegister() was
24099 not used for DFG code blocks, and was hardly ever used outside of bytecode generation.
24100
24101 So, this patch just removes the code to manipulate this field and replaces it with an
24102 unconditional setScopeRegister(VirtualRegister()). Setting it to the invalid register
24103 ensures that any attempts to read the scopeRegister in a DFG or FTL frame immediately
24104 punts.
24105
24106 * dfg/DFGStackLayoutPhase.cpp:
24107 (JSC::DFG::StackLayoutPhase::run):
24108
241092015-02-09 Filip Pizlo <fpizlo@apple.com>
24110
24111 Varargs frame set-up should be factored out for use by other JITs
24112 https://bugs.webkit.org/show_bug.cgi?id=141388
24113
24114 Reviewed by Michael Saboff.
24115
24116 Previously the code that dealt with varargs always assumed that we were setting up a varargs call
24117 frame by literally following the execution semantics of op_call_varargs. This isn't how it'll
24118 happen once the DFG and FTL do varargs calls, or when varargs calls get inlined. The DFG and FTL
24119 don't literally execute bytecode; for example their stack frame layout has absolutely nothing in
24120 common with what the bytecode says, and that will never change.
24121
24122 This patch makes two changes:
24123
24124 Setting up the varargs callee frame can be done in smaller steps: particularly in the case of a
24125 varargs call that gets inlined, we aren't going to actually want to set up a callee frame in
24126 full - we just want to put the arguments somewhere, and that place will not have much (if
24127 anything) in common with the call frame format. This patch factors that out into something called
24128 a loadVarargs. The thing we used to call loadVarargs is now called setupVarargsFrame. This patch
24129 also separates loading varargs from setting this, since the fact that those two things are done
24130 together is a detail made explicit in bytecode but it's not at all required in the higher-tier
24131 engines. In the process of factoring this code out, I found a bunch of off-by-one errors in the
24132 various calculations. I fixed them. The distance from the caller's frame pointer to the callee
24133 frame pointer is always:
24134
24135 numUsedCallerSlots + argCount + 1 + CallFrameSize
24136
24137 where numUsedCallerSlots is toLocal(firstFreeRegister) - 1, which simplifies down to just
24138 -firstFreeRegister. The code now speaks of numUsedCallerSlots rather than firstFreeRegister,
24139 since the latter is a bytecode peculiarity that doesn't apply in the DFG or FTL. In the DFG, the
24140 internally-computed frame size, minus the parameter slots, will be used for numUsedCallerSlots.
24141 In the FTL, we will essentially compute numUsedCallerSlots dynamically by subtracting SP from FP.
24142 Eventually, LLVM might give us some cleaner way of doing this, but it probably doesn't matter
24143 very much.
24144
24145 The arguments forwarding optimization is factored out of the Baseline JIT: the DFG and FTL will
24146 want to do this optimization as well, but it involves quite a bit of code. So, this code is now
24147 factored out into SetupVarargsFrame.h|cpp, so that other JITs can use it. In the process of factoring
24148 this code out I noticed that the 32-bit and 64-bit code is nearly identical, so I combined them.
24149
24150 * CMakeLists.txt:
24151 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
24152 * JavaScriptCore.xcodeproj/project.pbxproj:
24153 * bytecode/CodeBlock.h:
24154 (JSC::ExecState::r):
24155 (JSC::ExecState::uncheckedR):
24156 * bytecode/VirtualRegister.h:
24157 (JSC::VirtualRegister::operator+):
24158 (JSC::VirtualRegister::operator-):
24159 (JSC::VirtualRegister::operator+=):
24160 (JSC::VirtualRegister::operator-=):
24161 * interpreter/CallFrame.h:
24162 * interpreter/Interpreter.cpp:
24163 (JSC::sizeFrameForVarargs):
24164 (JSC::loadVarargs):
24165 (JSC::setupVarargsFrame):
24166 (JSC::setupVarargsFrameAndSetThis):
24167 * interpreter/Interpreter.h:
24168 * jit/AssemblyHelpers.h:
24169 (JSC::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
24170 (JSC::AssemblyHelpers::emitGetFromCallFrameHeader32):
24171 (JSC::AssemblyHelpers::emitGetFromCallFrameHeader64):
24172 * jit/JIT.h:
24173 * jit/JITCall.cpp:
24174 (JSC::JIT::compileSetupVarargsFrame):
24175 * jit/JITCall32_64.cpp:
24176 (JSC::JIT::compileSetupVarargsFrame):
24177 * jit/JITInlines.h:
24178 (JSC::JIT::callOperation):
24179 (JSC::JIT::emitGetFromCallFrameHeaderPtr): Deleted.
24180 (JSC::JIT::emitGetFromCallFrameHeader32): Deleted.
24181 (JSC::JIT::emitGetFromCallFrameHeader64): Deleted.
24182 * jit/JITOperations.cpp:
24183 * jit/JITOperations.h:
24184 * jit/SetupVarargsFrame.cpp: Added.
24185 (JSC::emitSetupVarargsFrameFastCase):
24186 * jit/SetupVarargsFrame.h: Added.
24187 * llint/LLIntSlowPaths.cpp:
24188 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
24189 * runtime/Arguments.cpp:
24190 (JSC::Arguments::copyToArguments):
24191 * runtime/Arguments.h:
24192 * runtime/JSArray.cpp:
24193 (JSC::JSArray::copyToArguments):
24194 * runtime/JSArray.h:
24195
241962015-02-09 Filip Pizlo <fpizlo@apple.com>
24197
24198 DFG call codegen should resolve the callee operand as late as possible
24199 https://bugs.webkit.org/show_bug.cgi?id=141398
24200
24201 Reviewed by Mark Lam.
24202
24203 This is mostly a benign restructuring to help with the implementation of
24204 https://bugs.webkit.org/show_bug.cgi?id=141332.
24205
24206 * dfg/DFGSpeculativeJIT32_64.cpp:
24207 (JSC::DFG::SpeculativeJIT::emitCall):
24208 * dfg/DFGSpeculativeJIT64.cpp:
24209 (JSC::DFG::SpeculativeJIT::emitCall):
24210
242112015-02-08 Filip Pizlo <fpizlo@apple.com>
24212
24213 DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three
24214 https://bugs.webkit.org/show_bug.cgi?id=141369
24215
24216 Reviewed by Michael Saboff.
24217
24218 We previously used the NodeMightClobber and NodeClobbersWorld NodeFlags to describe
24219 effectfulness. Starting over a year ago, we introduced a more powerful mechanism - the
24220 DFG::clobberize() function. Now we only have one remaining client of the old NodeFlags,
24221 and everyone else uses DFG::clobberize(). We should get rid of those NodeFlags and
24222 finally switch everyone over to DFG::clobberize().
24223
24224 Unfortunately there is still another place where effectfulness of nodes is described: the
24225 AbstractInterpreter. This is because the AbstractInterpreter has special tuning for
24226 compile time performance, and there are places where the AI is more precise than
24227 clobberize() because of its flow-sensitivity.
24228
24229 This means that after this change there will be only two places, rather than three, where
24230 the effectfulness of a node has to be described:
24231
24232 - DFG::clobberize()
24233 - DFG::AbstractInterpreter
24234
24235 * dfg/DFGClobberize.cpp:
24236 (JSC::DFG::clobbersWorld):
24237 * dfg/DFGClobberize.h:
24238 * dfg/DFGDoesGC.cpp:
24239 (JSC::DFG::doesGC):
24240 * dfg/DFGFixupPhase.cpp:
24241 (JSC::DFG::FixupPhase::fixupNode):
24242 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
24243 (JSC::DFG::FixupPhase::convertToGetArrayLength):
24244 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
24245 * dfg/DFGGraph.h:
24246 (JSC::DFG::Graph::isPredictedNumerical): Deleted.
24247 (JSC::DFG::Graph::byValIsPure): Deleted.
24248 (JSC::DFG::Graph::clobbersWorld): Deleted.
24249 * dfg/DFGNode.h:
24250 (JSC::DFG::Node::convertToConstant):
24251 (JSC::DFG::Node::convertToGetLocalUnlinked):
24252 (JSC::DFG::Node::convertToGetByOffset):
24253 (JSC::DFG::Node::convertToMultiGetByOffset):
24254 (JSC::DFG::Node::convertToPutByOffset):
24255 (JSC::DFG::Node::convertToMultiPutByOffset):
24256 * dfg/DFGNodeFlags.cpp:
24257 (JSC::DFG::dumpNodeFlags):
24258 * dfg/DFGNodeFlags.h:
24259 * dfg/DFGNodeType.h:
24260
242612015-02-09 Csaba Osztrogonác <ossy@webkit.org>
24262
24263 Fix the !ENABLE(DFG_JIT) build
24264 https://bugs.webkit.org/show_bug.cgi?id=141387
24265
24266 Reviewed by Darin Adler.
24267
24268 * jit/Repatch.cpp:
24269
242702015-02-08 Benjamin Poulain <benjamin@webkit.org>
24271
24272 Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase
24273 https://bugs.webkit.org/show_bug.cgi?id=141363
24274
24275 Reviewed by Darin Adler.
24276
24277 * dfg/DFGPredictionPropagationPhase.cpp:
24278 (JSC::DFG::PredictionPropagationPhase::propagate):
24279 Some blocks were duplicated; they probably evolved separately
24280 to the same state.
24281
242822015-02-08 Benjamin Poulain <benjamin@webkit.org>
24283
24284 Remove useless declarations and a stale comment from DFGByteCodeParser.h
24285 https://bugs.webkit.org/show_bug.cgi?id=141361
24286
24287 Reviewed by Darin Adler.
24288
24289 The comment refers to the original form of the ByteCodeParser:
24290 parse(Graph&, JSGlobalData*, CodeBlock*, unsigned startIndex);
24291
24292 That form is long dead, the comment is more misleading than anything.
24293
24294 * dfg/DFGByteCodeParser.cpp:
24295 * dfg/DFGByteCodeParser.h:
24296
242972015-02-08 Benjamin Poulain <benjamin@webkit.org>
24298
24299 Encapsulate DFG::Plan's beforeFTL timestamp
24300 https://bugs.webkit.org/show_bug.cgi?id=141360
24301
24302 Reviewed by Darin Adler.
24303
24304 Make the attribute private, it is an internal state.
24305
24306 Rename beforeFTL->timeBeforeFTL for readability.
24307
24308 * dfg/DFGPlan.cpp:
24309 (JSC::DFG::Plan::compileInThread):
24310 (JSC::DFG::Plan::compileInThreadImpl):
24311 * dfg/DFGPlan.h:
24312
243132015-02-08 Benjamin Poulain <bpoulain@apple.com>
24314
24315 Remove DFGNode::hasArithNodeFlags()
24316 https://bugs.webkit.org/show_bug.cgi?id=141319
24317
24318 Reviewed by Michael Saboff.
24319
24320 * dfg/DFGNode.h:
24321 (JSC::DFG::Node::hasArithNodeFlags): Deleted.
24322 Unused code is unused.
24323
243242015-02-07 Chris Dumez <cdumez@apple.com>
24325
24326 Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions
24327 https://bugs.webkit.org/show_bug.cgi?id=141321
24328
24329 Reviewed by Darin Adler.
24330
24331 Use new Vector::removeFirstMatching() / removeAllMatching() methods.
24332
243332015-02-06 Filip Pizlo <fpizlo@apple.com>
24334
24335 DFG SSA shouldn't have SetArgument nodes
24336 https://bugs.webkit.org/show_bug.cgi?id=141342
24337
24338 Reviewed by Mark Lam.
24339
24340 I was wondering why we kept the SetArgument around for captured
24341 variables. It turns out we did so because we thought we had to, even
24342 though we didn't have to. The node is meaningless in SSA.
24343
24344 * dfg/DFGSSAConversionPhase.cpp:
24345 (JSC::DFG::SSAConversionPhase::run):
24346 * ftl/FTLLowerDFGToLLVM.cpp:
24347 (JSC::FTL::LowerDFGToLLVM::compileNode):
24348
243492015-02-06 Filip Pizlo <fpizlo@apple.com>
24350
24351 It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band
24352 https://bugs.webkit.org/show_bug.cgi?id=141337
24353
24354 Reviewed by Mark Lam.
24355
24356 This mainly involved ensuring that SetArgument behaves just like SetLocal from a CPS standpoint, but with a special case for those SetArguments that
24357 are associated with the prologue.
24358
24359 * dfg/DFGCPSRethreadingPhase.cpp:
24360 (JSC::DFG::CPSRethreadingPhase::run):
24361 (JSC::DFG::CPSRethreadingPhase::canonicalizeSet):
24362 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
24363 (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
24364 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal): Deleted.
24365 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument): Deleted.
24366
243672015-02-06 Mark Lam <mark.lam@apple.com>
24368
24369 MachineThreads should be ref counted.
24370 <https://webkit.org/b/141317>
24371
24372 Reviewed by Filip Pizlo.
24373
24374 The VM's MachineThreads registry object is being referenced from other
24375 threads as a raw pointer. In a scenario where the VM is destructed on
24376 the main thread, there is no guarantee that another thread isn't still
24377 holding a reference to the registry and will eventually invoke
24378 removeThread() on it on thread exit. Hence, there's a possible use
24379 after free scenario here.
24380
24381 The fix is to make MachineThreads ThreadSafeRefCounted, and have all
24382 threads that reference it keep a RefPtr to it to ensure that it stays
24383 alive until the very last thread is done with it.
24384
24385 * API/tests/testapi.mm:
24386 (useVMFromOtherThread): - Renamed to be more descriptive.
24387 (useVMFromOtherThreadAndOutliveVM):
24388 - Added a test that has another thread which uses the VM outlive the
24389 VM to confirm that there is no crash.
24390
24391 However, I was not actually able to get the VM to crash without this
24392 patch because I wasn't always able to get the thread destructor to be
24393 called. With this patch applied, I did verify with some logging that
24394 the MachineThreads registry is only destructed after all threads
24395 have removed themselves from it.
24396
24397 (threadMain): Deleted.
24398
24399 * heap/Heap.cpp:
24400 (JSC::Heap::Heap):
24401 (JSC::Heap::~Heap):
24402 (JSC::Heap::gatherStackRoots):
24403 * heap/Heap.h:
24404 (JSC::Heap::machineThreads):
24405 * heap/MachineStackMarker.cpp:
24406 (JSC::MachineThreads::Thread::Thread):
24407 (JSC::MachineThreads::addCurrentThread):
24408 (JSC::MachineThreads::removeCurrentThread):
24409 * heap/MachineStackMarker.h:
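
The ownership change the entry above describes, as an added illustration that is not JavaScriptCore code: a thread registry that the VM owns and that every registered thread also holds a strong reference to, so that a thread which outlives the VM can still unregister itself safely on exit. `ThreadRegistry`, `Vm`, `ThreadSlot` and the destruction counter are hypothetical names invented for this example, and `std::shared_ptr` stands in for WTF's ThreadSafeRefCounted/RefPtr.

```cpp
#include <algorithm>
#include <memory>
#include <mutex>
#include <vector>

// Bumped by the registry destructor so the caller can check destruction order.
static int g_registriesDestroyed = 0;

// Stand-in for MachineThreads (hypothetical; not JSC's class): the set of
// thread ids the collector will scan, shared by the VM and by each registered thread.
class ThreadRegistry {
public:
    ~ThreadRegistry() { ++g_registriesDestroyed; }

    void addThread(int id) {
        std::lock_guard<std::mutex> g(m_lock);
        m_threads.push_back(id);
    }
    void removeThread(int id) {
        std::lock_guard<std::mutex> g(m_lock);
        m_threads.erase(std::remove(m_threads.begin(), m_threads.end(), id), m_threads.end());
    }
    size_t size() {
        std::lock_guard<std::mutex> g(m_lock);
        return m_threads.size();
    }

private:
    std::mutex m_lock;
    std::vector<int> m_threads;
};

// The VM owns one reference. Before the fix it handed other threads a raw pointer,
// which dangled as soon as the VM (and with it the registry) was destroyed.
struct Vm {
    std::shared_ptr<ThreadRegistry> registry = std::make_shared<ThreadRegistry>();
};

// What a registered thread keeps in its thread-specific slot: a strong reference,
// so removeThread() in the slot's destructor can never run against freed memory.
struct ThreadSlot {
    std::shared_ptr<ThreadRegistry> registry;
    int id = 0;
    ~ThreadSlot() {
        if (registry)
            registry->removeThread(id);
    }
};

// The sequence from the entry: a thread registers, the VM is destroyed, and only
// later does the thread exit. Returns true if the registry was still alive when
// the late thread unregistered and was freed exactly once afterwards.
bool registryOutlivesLateThread() {
    g_registriesDestroyed = 0;
    auto slot = std::make_unique<ThreadSlot>();   // models the thread's TLS slot
    {
        Vm vm;
        slot->registry = vm.registry;             // thread registers itself
        slot->id = 7;
        slot->registry->addThread(slot->id);
    }                                             // VM torn down on the main thread
    const bool aliveAfterVmGone = (g_registriesDestroyed == 0);
    const bool stillRegistered = (slot->registry->size() == 1);
    slot.reset();                                 // thread exit: unregister, drop last ref
    return aliveAfterVmGone && stillRegistered && g_registriesDestroyed == 1;
}
```

The ordering is forced sequentially here rather than with a real second thread, because the point is lifetime, not scheduling: whoever holds the last reference frees the registry, and that is the exiting thread, not the VM.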
24410
244112015-02-06 Commit Queue <commit-queue@webkit.org>
24412
24413 Unreviewed, rolling out r179743.
24414 https://bugs.webkit.org/show_bug.cgi?id=141335
24415
24416 caused missing symbols in non-WebKit clients of WTF::Vector
24417 (Requested by kling on #webkit).
24418
24419 Reverted changeset:
24420
24421 "Remove WTF::fastMallocGoodSize()."
24422 https://bugs.webkit.org/show_bug.cgi?id=141020
24423 http://trac.webkit.org/changeset/179743
24424
244252015-02-04 Filip Pizlo <fpizlo@apple.com>
24426
24427 Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers
24428 https://bugs.webkit.org/show_bug.cgi?id=141211
24429
24430 Reviewed by Mark Lam.
24431
24432 Previously, the way non-temporary registers were preserved (i.e. not reclaimed anytime
24433 we did newTemporary()) was by calling preserveLastVar() after all non-temps are created. It
24434 would raise the refcount on the last (highest-numbered) variable created, and rely on
24435 the fact that register reclamation started at higher-numbered registers and worked its
24436 way down. So any retained register would block any lower-numbered registers from being
24437 reclaimed.
24438
24439 Also, preserveLastVar() sets a thing called m_firstConstantIndex. It's unused.
24440
24441 This removes preserveLastVar() and makes addVar() retain each register it creates. This
24442 is more explicit, since addVar() is the mechanism for creating non-temporary registers.
24443
24444 To make this work I had to remove an assertion that Register::setIndex() can only be
24445 called when the refcount is zero. This method might be called after a var is created to
24446 change its index. This previously worked because preserveLastVar() would be called after
24447 we had already made all index changes, so the vars would still have refcount zero. Now
24448 they have refcount 1. I think it's OK to lose this assertion; I can't remember this
24449 assertion ever firing in a way that alerted me to a serious issue.
24450
24451 * bytecompiler/BytecodeGenerator.cpp:
24452 (JSC::BytecodeGenerator::BytecodeGenerator):
24453 (JSC::BytecodeGenerator::preserveLastVar): Deleted.
24454 * bytecompiler/BytecodeGenerator.h:
24455 (JSC::BytecodeGenerator::addVar):
24456 * bytecompiler/RegisterID.h:
24457 (JSC::RegisterID::setIndex):
24458
244592015-02-06 Andreas Kling <akling@apple.com>
24460
24461 Remove WTF::fastMallocGoodSize().
24462 <https://webkit.org/b/141020>
24463
24464 Reviewed by Anders Carlsson.
24465
24466 * assembler/AssemblerBuffer.h:
24467 (JSC::AssemblerData::AssemblerData):
24468 (JSC::AssemblerData::grow):
24469
244702015-02-05 Michael Saboff <msaboff@apple.com>
24471
24472 CodeCache is not thread safe when adding the same source from two different threads
24473 https://bugs.webkit.org/show_bug.cgi?id=141275
24474
24475 Reviewed by Mark Lam.
24476
24477 The issue for this bug is that one thread takes a cache miss in CodeCache::getGlobalCodeBlock,
24478 but in the process creates a cache entry with a nullptr UnlinkedCodeBlockType* which it
24479 will fill in later in the function. During the body of that function, it allocates
24480 objects that may garbage collect. During that garbage collection, we drop all the locks.
24481 While the locks are released by the first thread, another thread can enter the VM and might
24482 have exactly the same source and enter CodeCache::getGlobalCodeBlock() itself. When it
24483 looks up the code block, it sees it as a cache hit and uses the nullptr UnlinkedCodeBlockType*
24484 and crashes. This fixes the problem by not dropping the locks during garbage collection.
24485 There are other likely scenarios where we have a data structure like this code cache in an
24486 unsafe state for arbitrary reentrance.
24487
24488 Moved the functionality of DelayedReleaseScope directly into Heap. Changed it into
24489 a simple list that is cleared with the new function Heap::releaseDelayedReleasedObjects.
24490 Now we accumulate objects to be released and release them when all locks are dropped or
24491 when destroying the Heap. This eliminated the dropping and reaquiring of locks associated
24492 with the old scope form of this list.
24493
24494 Given that all functionality of DelayedReleaseScope is now used and referenced by Heap
24495 and the lock management no longer needs to be done, just made the list a member of Heap.
24496 We do need to guard against the case that releasing an object can create more objects
24497 by calling into JS. That is why releaseDelayedReleasedObjects() is written to remove
24498 an object to release so that we aren't recursively in Vector code. The other thing we
24499 do in releaseDelayedReleasedObjects() is to guard against recursive calls to itself using
24500 the m_delayedReleaseRecursionCount. We only release at the first entry into the function.
24501 This case is already tested by testapi.mm.
24502
24503 * heap/DelayedReleaseScope.h: Removed file
24504
24505 * API/JSAPIWrapperObject.mm:
24506 * API/ObjCCallbackFunction.mm:
24507 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
24508 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
24509 * JavaScriptCore.xcodeproj/project.pbxproj:
24510 * heap/IncrementalSweeper.cpp:
24511 (JSC::IncrementalSweeper::doSweep):
24512 * heap/MarkedAllocator.cpp:
24513 (JSC::MarkedAllocator::tryAllocateHelper):
24514 (JSC::MarkedAllocator::tryAllocate):
24515 * heap/MarkedBlock.cpp:
24516 (JSC::MarkedBlock::sweep):
24517 * heap/MarkedSpace.cpp:
24518 (JSC::MarkedSpace::MarkedSpace):
24519 (JSC::MarkedSpace::lastChanceToFinalize):
24520 (JSC::MarkedSpace::didFinishIterating):
24521 * heap/MarkedSpace.h:
24522 * heap/Heap.cpp:
24523 (JSC::Heap::collectAllGarbage):
24524 (JSC::Heap::zombifyDeadObjects):
24525 Removed references to DelayedReleaseScope and DelayedReleaseScope.h.
24526
24527 * heap/Heap.cpp:
24528 (JSC::Heap::Heap): Initialized m_delayedReleaseRecursionCount.
24529 (JSC::Heap::lastChanceToFinalize): Call releaseDelayedObjectsNow() as the VM is going away.
24530 (JSC::Heap::releaseDelayedReleasedObjects): New function that released the accumulated
24531 delayed release objects.
24532
24533 * heap/Heap.h:
24534 (JSC::Heap::m_delayedReleaseObjects): List of objects to be released later.
24535 (JSC::Heap::m_delayedReleaseRecursionCount): Counter to indicate that
24536 releaseDelayedReleasedObjects is being called recursively.
24537 * heap/HeapInlines.h:
24538 (JSC::Heap::releaseSoon): Changed location of list to add delayed release objects.
24539
24540 * runtime/JSLock.cpp:
24541 (JSC::JSLock::willReleaseLock):
24542 Call Heap::releaseDelayedObjectsNow() when releasing the lock.
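
The race in the CodeCache entry above, as an added example that is not JavaScriptCore code: a cache whose miss path publishes a nullptr placeholder before the block is built, with a switch for whether the lock is released in the middle of the build (the pre-fix behaviour, where a GC dropped all locks) or held throughout (the fix the entry describes). `CodeCache`, `CodeBlock`, the `duringBuild` hook and the source string are assumptions made for this example; the hook stands in for the allocation that may trigger a GC.

```cpp
#include <condition_variable>
#include <functional>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <thread>

// Stand-in for an unlinked code block (hypothetical type, not JSC's).
struct CodeBlock {
    std::string source;
};

// A cache in the shape the entry describes: one lock, a map from source text to
// block, and a miss path that publishes a nullptr placeholder before the block
// exists. `dropLockWhileBuilding` selects the pre-fix behaviour, where work done
// during the build (a GC in JSC) released every lock.
class CodeCache {
public:
    explicit CodeCache(bool dropLockWhileBuilding) : m_dropLock(dropLockWhileBuilding) {}

    // `duringBuild` stands in for the allocation that may trigger a GC.
    std::shared_ptr<CodeBlock> get(const std::string& source,
                                   const std::function<void()>& duringBuild) {
        std::unique_lock<std::mutex> lock(m_lock);
        auto it = m_entries.find(source);
        if (it != m_entries.end())
            return it->second;            // "hit", even if it is still the placeholder
        m_entries[source] = nullptr;      // placeholder, to be filled in below
        if (m_dropLock)
            lock.unlock();                // pre-fix: GC drops all locks here
        duringBuild();
        if (m_dropLock)
            lock.lock();
        auto block = std::make_shared<CodeBlock>();
        block->source = source;
        m_entries[source] = block;
        return block;
    }

private:
    std::mutex m_lock;
    std::map<std::string, std::shared_ptr<CodeBlock>> m_entries;
    bool m_dropLock;
};

// Two threads request the same source. Returns true if the second thread got the
// nullptr placeholder (the crash the entry describes), false if it got a real block.
bool secondThreadSeesPlaceholder(bool dropLockWhileBuilding) {
    const std::string source = "function f() { return 1; }";   // constructed input
    CodeCache cache(dropLockWhileBuilding);
    std::mutex m;
    std::condition_variable cv;
    bool firstIsBuilding = false;
    bool secondDone = false;
    bool sawPlaceholder = false;

    std::thread second([&] {
        {
            std::unique_lock<std::mutex> g(m);
            cv.wait(g, [&] { return firstIsBuilding; });   // wait for the first miss path
        }
        // Lock dropped: returns the placeholder at once. Lock held: blocks until the
        // first thread has finished, then returns the real block.
        auto block = cache.get(source, [] {});
        std::lock_guard<std::mutex> g(m);
        sawPlaceholder = (block == nullptr);
        secondDone = true;
        cv.notify_all();
    });

    cache.get(source, [&] {
        std::unique_lock<std::mutex> g(m);
        firstIsBuilding = true;
        cv.notify_all();
        // Only wait for the second lookup when the cache lock is not held; when it is
        // held, the second thread is blocked on that lock and waiting would deadlock.
        if (dropLockWhileBuilding)
            cv.wait(g, [&] { return secondDone; });
    });
    second.join();
    return sawPlaceholder;
}
```

With the lock released mid-build the second lookup is a "hit" on a nullptr; with the lock held for the whole miss path the second thread cannot observe the map until the entry is real. The same outcome can also be had by never inserting a placeholder at all and publishing only a finished block, at the cost of occasionally building the same block twice.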
24543
245442015-02-05 Youenn Fablet <youenn.fablet@crf.canon.fr> and Xabier Rodriguez Calvar <calvaris@igalia.com>
24545
24546 [Streams API] Implement a barebone ReadableStream interface
24547 https://bugs.webkit.org/show_bug.cgi?id=141045
24548
24549 Reviewed by Benjamin Poulain.
24550
24551 * Configurations/FeatureDefines.xcconfig:
24552
245532015-02-05 Saam Barati <saambarati1@gmail.com>
24554
24555 Crash in uninitialized deconstructing variable.
24556 https://bugs.webkit.org/show_bug.cgi?id=141070
24557
24558 Reviewed by Michael Saboff.
24559
24560 According to the ES6 spec, when a destructuring pattern occurs
24561 as the left hand side of an assignment inside a var declaration
24562 statement, the assignment must also have a right hand side value.
24563 "var {x} = {};" is a legal syntactic statement, but,
24564 "var {x};" is a syntactic error.
24565
24566 Section 13.2.2 of the latest draft ES6 spec specifies this requirement:
24567 https://people.mozilla.org/~jorendorff/es6-draft.html#sec-variable-statement
24568
24569 * parser/Parser.cpp:
24570 (JSC::Parser<LexerType>::parseVarDeclaration):
24571 (JSC::Parser<LexerType>::parseVarDeclarationList):
24572 (JSC::Parser<LexerType>::parseForStatement):
24573 * parser/Parser.h:
24574
245752015-02-04 Gyuyoung Kim <gyuyoung.kim@samsung.com>
24576
24577 Unreviewed, fix a build break on EFL port since r179648.
24578
24579 * heap/MachineStackMarker.cpp: EFL port doesn't use previousThread variable.
24580 (JSC::MachineThreads::tryCopyOtherThreadStacks):
24581
245822015-02-04 Joseph Pecoraro <pecoraro@apple.com>
24583
24584 Web Inspector: ES6: Improved Console Support for Symbol Objects
24585 https://bugs.webkit.org/show_bug.cgi?id=141173
24586
24587 Reviewed by Timothy Hatcher.
24588
24589 * inspector/protocol/Runtime.json:
24590 New type, "symbol".
24591
24592 * inspector/InjectedScriptSource.js:
24593 Handle Symbol objects in a few places. They don't have properties
24594 and they cannot be implicitly converted to strings.
24595
245962015-02-04 Mark Lam <mark.lam@apple.com>
24597
24598 Undo gardening: Restoring the expected ERROR message since that is not the cause of the bot unhappiness.
24599
24600 Not reviewed.
24601
24602 * heap/MachineStackMarker.cpp:
24603 (JSC::MachineThreads::tryCopyOtherThreadStacks):
24604
246052015-02-04 Mark Lam <mark.lam@apple.com>
24606
24607 Gardening: Changed expected ERROR message to WARNING to make test bots happy.
24608
24609 Rubber stamped by Simon Fraser.
24610
24611 * heap/MachineStackMarker.cpp:
24612 (JSC::MachineThreads::tryCopyOtherThreadStacks):
24613
246142015-02-04 Mark Lam <mark.lam@apple.com>
24615
24616 r179576 introduced a deadlock potential during GC thread suspension.
24617 <https://webkit.org/b/141268>
24618
24619 Reviewed by Michael Saboff.
24620
24621 http://trac.webkit.org/r179576 introduced a potential for deadlocking.
24622 In the GC thread suspension loop, we currently delete
24623 MachineThreads::Thread that we detect to be invalid. This is unsafe
24624 because we may have already suspended some threads, and one of those
24625 suspended threads may still be holding the C heap lock which we need
24626 for deleting the invalid thread.
24627
24628 The fix is to put the invalid threads in a separate toBeDeleted list,
24629 and delete them only after GC has resumed all threads.
24630
24631 * heap/MachineStackMarker.cpp:
24632 (JSC::MachineThreads::removeCurrentThread):
24633 - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
24634 removeCurrentThread() since it is no longer needed.
24635
24636 (JSC::MachineThreads::tryCopyOtherThreadStacks):
24637 - Put invalid Threads on a threadsToBeDeleted list, and delete those
24638 Threads only after all threads have been resumed.
24639
24640 (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
24641 * heap/MachineStackMarker.h:
24642
246432015-02-04 Joseph Pecoraro <pecoraro@apple.com>
24644
24645 Web Inspector: Clean up Object Property Descriptor Collection
24646 https://bugs.webkit.org/show_bug.cgi?id=141222
24647
24648 Reviewed by Timothy Hatcher.
24649
24650 * inspector/InjectedScriptSource.js:
24651 Use a list of options when determining which properties to collect
24652 instead of a few booleans with overlapping responsibilities.
24653
246542015-02-04 Joseph Pecoraro <pecoraro@apple.com>
24655
24656 Web Inspector: console.table with columnName filter for non-existent property should still show column
24657 https://bugs.webkit.org/show_bug.cgi?id=141066
24658
24659 Reviewed by Timothy Hatcher.
24660
24661 * inspector/ConsoleMessage.cpp:
24662 (Inspector::ConsoleMessage::addToFrontend):
24663 When a user provides a second argument, e.g. console.table(..., columnNames),
24664 then pass that second argument to the frontend.
24665
24666 * inspector/InjectedScriptSource.js:
24667 Add a FIXME about the old, unused path now.
24668
246692015-02-04 Saam Barati <saambarati1@gmail.com>
24670
24671 TypeSet can use 1 byte instead of 4 bytes for its m_seenTypes member variable
24672 https://bugs.webkit.org/show_bug.cgi?id=141204
24673
24674 Reviewed by Darin Adler.
24675
24676 There is no need to use 32 bits to store a TypeSet::RuntimeType set
24677 bit-vector when the largest value for a single TypeSet::RuntimeType
24678 is 0x80. 8 bits is enough to represent the set of seen types.
24679
24680 * dfg/DFGFixupPhase.cpp:
24681 (JSC::DFG::FixupPhase::fixupNode):
24682 * runtime/TypeSet.cpp:
24683 (JSC::TypeSet::doesTypeConformTo):
24684 * runtime/TypeSet.h:
24685 (JSC::TypeSet::seenTypes):
24686
246872015-02-04 Mark Lam <mark.lam@apple.com>
24688
24689 Remove concept of makeUsableFromMultipleThreads().
24690 <https://webkit.org/b/141221>
24691
24692 Reviewed by Mark Hahnenberg.
24693
24694 Currently, we rely on VM::makeUsableFromMultipleThreads() being called before we
24695 start acquiring the JSLock and entering the VM from different threads.
24696 Acquisition of the JSLock will register the acquiring thread with the VM's thread
24697 registry if not already registered. However, it will only do this if the VM's
24698 thread specific key has been initialized by makeUsableFromMultipleThreads().
24699
24700 This is fragile, and also does not read intuitively because one would expect to
24701 acquire the JSLock before calling any methods on the VM. This is exactly what
24702 JSGlobalContextCreateInGroup() did (i.e. acquire the lock before calling
24703 makeUsableFromMultipleThreads()), but is wrong. The result is that the invoking
24704 thread will not have been registered with the VM during that first entry into
24705 the VM.
24706
24707 The fix is to make it so that we initialize the VM's thread specific key on
24708 construction of the VM's MachineThreads registry instead of relying on
24709 makeUsableFromMultipleThreads() being called. With this, we can eliminate
24710 makeUsableFromMultipleThreads() altogether.
24711
24712 Performance results are neutral in aggregate.
24713
24714 * API/JSContextRef.cpp:
24715 (JSGlobalContextCreateInGroup):
24716 * heap/MachineStackMarker.cpp:
24717 (JSC::MachineThreads::MachineThreads):
24718 (JSC::MachineThreads::~MachineThreads):
24719 (JSC::MachineThreads::addCurrentThread):
24720 (JSC::MachineThreads::removeThread):
24721 (JSC::MachineThreads::gatherConservativeRoots):
24722 (JSC::MachineThreads::makeUsableFromMultipleThreads): Deleted.
24723 * heap/MachineStackMarker.h:
24724 * runtime/VM.cpp:
24725 (JSC::VM::sharedInstance):
24726 * runtime/VM.h:
24727 (JSC::VM::makeUsableFromMultipleThreads): Deleted.
24728
247292015-02-04 Chris Dumez <cdumez@apple.com>
24730
24731 Add removeFirst(value) / removeAll(value) methods to WTF::Vector
24732 https://bugs.webkit.org/show_bug.cgi?id=141192
24733
24734 Reviewed by Benjamin Poulain.
24735
24736 Use new Vector::removeFirst(value) / removeAll(value) API to simplify the
24737 code a bit.
24738
24739 * inspector/InspectorValues.cpp:
24740 (Inspector::InspectorObjectBase::remove):
24741
247422015-02-03 Mark Lam <mark.lam@apple.com>
24743
24744 Workaround a thread library bug where thread destructors may not get called.
24745 <https://webkit.org/b/141209>
24746
24747 Reviewed by Michael Saboff.
24748
24749 There's a bug where thread destructors may not get called. As far as
24750 we know, this only manifests on darwin ports. We will work around this
24751 by checking at GC time if the platform thread is still valid. If not,
24752 we'll purge it from the VM's registeredThreads list before proceeding
24753 with thread scanning activity.
24754
24755 Note: it is important that we do this invalid thread detection during
24756 suspension, because the validity (and liveness) of the other thread is
24757 only guaranteed while it is suspended.
24758
24759 * API/tests/testapi.mm:
24760 (threadMain):
24761 - Added a test to enter the VM from another thread before we GC on
24762 the main thread.
24763
24764 * heap/MachineStackMarker.cpp:
24765 (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
24766 (JSC::MachineThreads::removeCurrentThread):
24767 - refactored removeThreadWithLockAlreadyAcquired() out from
24768 removeCurrentThread() so that we can also call it for purging invalid
24769 threads.
24770 (JSC::suspendThread):
24771 - Added a return status to tell if the suspension succeeded or not.
24772 (JSC::MachineThreads::tryCopyOtherThreadStacks):
24773 - Check if the suspension failed, and purge the thread if we can't
24774 suspend it. Failure to suspend implies that the thread has
24775 terminated without calling its destructor.
24776 * heap/MachineStackMarker.h:
24777
247782015-02-03 Joseph Pecoraro <pecoraro@apple.com>
24779
24780 Web Inspector: ASSERT mainThreadPthread launching remote debuggable JSContext app with Debug JavaScriptCore
24781 https://bugs.webkit.org/show_bug.cgi?id=141189
24782
24783 Reviewed by Michael Saboff.
24784
24785 * inspector/remote/RemoteInspector.mm:
24786 (Inspector::RemoteInspector::singleton):
24787 Ensure we call WTF::initializeMainThread() on the main thread so that
24788 we can perform automatic String <-> NSString conversions.
24789
247902015-02-03 Brent Fulgham <bfulgham@apple.com>
24791
24792 [Win] Project file cleanups after r179429.
24793
24794 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
24795 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
24796
247972015-02-02 Filip Pizlo <fpizlo@apple.com>
24798
24799 arguments[-1] should have well-defined behavior
24800 https://bugs.webkit.org/show_bug.cgi?id=141183
24801
24802 Reviewed by Mark Lam.
24803
24804 According to JSC's internal argument numbering, 0 is "this" and 1 is the first argument.
24805 In the "arguments[i]" expression, "this" is not accessible and i = 0 refers to the first
24806 argument. Previously we handled the bounds check in "arguments[i]" - where "arguments" is
24807 statically known to be the current function's arguments object - as follows:
24808
24809 add 1, i
24810 branchAboveOrEqual i, callFrame.ArgumentCount, slowPath
24811
24812 The problem with this is that if i = -1, this passes the test, and we end up accessing
24813 what would be the "this" argument slot. That's wrong, since we should really be bottoming
24814 out in arguments["-1"], which is usually undefined but could be anything. It's even worse
24815 if the function is inlined or if we're in a constructor - in that case the "this" slot
24816 could be garbage.
24817
24818 It turns out that we had this bug in all of our engines.
24819
24820 This fixes the issue by changing the algorithm to:
24821
24822 load32 callFrame.ArgumentCount, tmp
24823 sub 1, tmp
24824 branchAboveOrEqual i, tmp, slowPath
24825
24826 In some engines, we would have used the modified "i" (the one that had 1 added to it) for
24827 the subsequent argument load; since we don't do this anymore I also had to change some of
24828 the offsets on the BaseIndex arguments load.
24829
24830 This also includes tests that are written in such a way as to get coverage on LLInt and
24831 Baseline JIT (get-my-argument-by-val-wrap-around-no-warm-up), DFG and FTL
24832 (get-my-argument-by-val-wrap-around), and DFG when we're being paranoid about the user
24833 overwriting the "arguments" variable (get-my-argument-by-val-safe-wrap-around). This also
24834 includes off-by-1 out-of-bounds tests for each of these cases, since in the process of
24835 writing the patch I broke the arguments[arguments.length] case in the DFG and didn't see
24836 any test failures.
24837
24838 * dfg/DFGSpeculativeJIT32_64.cpp:
24839 (JSC::DFG::SpeculativeJIT::compile):
24840 * dfg/DFGSpeculativeJIT64.cpp:
24841 (JSC::DFG::SpeculativeJIT::compile):
24842 * ftl/FTLLowerDFGToLLVM.cpp:
24843 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
24844 * jit/AssemblyHelpers.h:
24845 (JSC::AssemblyHelpers::offsetOfArguments):
24846 (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis): Deleted.
24847 * jit/JITOpcodes.cpp:
24848 (JSC::JIT::emit_op_get_argument_by_val):
24849 * jit/JITOpcodes32_64.cpp:
24850 (JSC::JIT::emit_op_get_argument_by_val):
24851 * llint/LowLevelInterpreter.asm:
24852 * llint/LowLevelInterpreter32_64.asm:
24853 * llint/LowLevelInterpreter64.asm:
24854 * tests/stress/get-my-argument-by-val-out-of-bounds-no-warm-up.js: Added.
24855 (foo):
24856 * tests/stress/get-my-argument-by-val-out-of-bounds.js: Added.
24857 (foo):
24858 * tests/stress/get-my-argument-by-val-safe-out-of-bounds.js: Added.
24859 (foo):
24860 * tests/stress/get-my-argument-by-val-safe-wrap-around.js: Added.
24861 (foo):
24862 * tests/stress/get-my-argument-by-val-wrap-around-no-warm-up.js: Added.
24863 (foo):
24864 * tests/stress/get-my-argument-by-val-wrap-around.js: Added.
24865 (foo):
24866
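The two check sequences in the entry above, as an added C model that is not JavaScriptCore code: `old_get_argument` mirrors the buggy `add 1, i` form and `new_get_argument` the fixed `ArgumentCount - 1` form, both with the unsigned `branchAboveOrEqual` semantics. The frame layout, slot values and the `lookup` helper are constructed for this example.

```c
/* Added example, not JavaScriptCore code: a C model of the "arguments[i]"
 * bounds check described above. JSC numbering: slot 0 is "this", slot 1 is
 * the first argument, and ArgumentCount includes "this". The frame contents
 * below are constructed sample values. */
#include <stdint.h>
#include <stdio.h>

#define SLOW_PATH (-1)          /* result code: fall back to the slow path */
#define MAX_SLOTS 8

typedef struct {
    uint32_t argumentCount;     /* arguments including "this" (JSC convention) */
    int slots[MAX_SLOTS];       /* slots[0] = this, slots[1..] = arguments */
} CallFrame;

/* Old sequence:  add 1, i ; branchAboveOrEqual i, ArgumentCount, slowPath
 * The compare is unsigned, so i = -1 becomes 0, passes the check, and the
 * load reads the "this" slot instead of bottoming out in arguments["-1"]. */
static int old_get_argument(const CallFrame *frame, int32_t i, int *out)
{
    uint32_t index = (uint32_t)i + 1u;           /* wraps to 0 for i = -1 */
    if (index >= frame->argumentCount)
        return SLOW_PATH;
    *out = frame->slots[index];
    return 0;
}

/* Fixed sequence:  load32 ArgumentCount, tmp ; sub 1, tmp ;
 *                  branchAboveOrEqual i, tmp, slowPath
 * i is compared unmodified, so any negative i is a huge unsigned value and
 * always takes the slow path; i = ArgumentCount - 1 (arguments[arguments.length])
 * also fails the check, which is the off-by-1 case the entry's tests cover. */
static int new_get_argument(const CallFrame *frame, int32_t i, int *out)
{
    uint32_t limit = frame->argumentCount - 1u;  /* number of real arguments */
    if ((uint32_t)i >= limit)
        return SLOW_PATH;
    *out = frame->slots[(uint32_t)i + 1u];       /* +1 skips the "this" slot */
    return 0;
}

/* Constructed sample frame: this = 100, arguments = 7 and 9, ArgumentCount = 3. */
static CallFrame sample_frame(void)
{
    CallFrame frame = { 3u, { 100, 7, 9, 0, 0, 0, 0, 0 } };
    return frame;
}

/* Runs one lookup against the sample frame with either check; returns the
 * value the fast path would load, or SLOW_PATH. */
int lookup(int use_fixed_check, int32_t i)
{
    CallFrame frame = sample_frame();
    int value = 0;
    int rc = use_fixed_check ? new_get_argument(&frame, i, &value)
                             : old_get_argument(&frame, i, &value);
    return rc == SLOW_PATH ? SLOW_PATH : value;
}

int main(void)
{
    int i;
    for (i = -1; i <= 2; i++)
        printf("arguments[%d]: old check -> %d, fixed check -> %d\n",
               i, lookup(0, i), lookup(1, i));
    return 0;
}
```

With the old check, `arguments[-1]` silently yields the "this" slot (100 here); with the fixed check it takes the slow path, as does `arguments[2]` for a two-argument call.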
24867 2015-02-02 Filip Pizlo <fpizlo@apple.com>
24868
24869 MultiGetByOffset should be marked NodeMustGenerate
24870 https://bugs.webkit.org/show_bug.cgi?id=140137
24871
24872 Reviewed by Michael Saboff.
24873
24874 * dfg/DFGNode.h:
24875 (JSC::DFG::Node::convertToGetByOffset): We were sloppy - we should also clear NodeMustGenerate once it's a GetByOffset.
24876 (JSC::DFG::Node::convertToMultiGetByOffset): Assert that we converted from something that already had NodeMustGenerate.
24877 * dfg/DFGNodeType.h: We shouldn't DCE a node that does checks and could be effectful in baseline. Marking MultiGetByOffset as NodeMustGenerate prevents DCE. FTL could still DCE the actual loads, but the checks will stay.
24878 * tests/stress/multi-get-by-offset-dce.js: Added. This previously failed because the getter wasn't called.
24879 (foo):
24880
24881 2015-02-02 Filip Pizlo <fpizlo@apple.com>
24882
24883 [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
24884 https://bugs.webkit.org/show_bug.cgi?id=141180
24885 rdar://problem/19677552
24886
24887 Reviewed by Benjamin Poulain.
24888
24889 If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
24890 bounds check already terminates execution. This means we can skip the part where we
24891 previously did an out-of-bound array access on the inlined call frame arguments vector.
24892
24893 * ftl/FTLLowerDFGToLLVM.cpp:
24894 (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
24895 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
24896 (JSC::FTL::LowerDFGToLLVM::terminate):
24897 (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
24898 (JSC::FTL::LowerDFGToLLVM::crash):
24899 * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
24900 (foo):
24901 (bar):
24902
24903 2015-02-02 Filip Pizlo <fpizlo@apple.com>
24904
24905 REGRESSION(r179477): arguments simplification no longer works
24906 https://bugs.webkit.org/show_bug.cgi?id=141169
24907
24908 Reviewed by Mark Lam.
24909
24910 The operations involved in callee/scope access don't exit and shouldn't get in the way
24911 of strength-reducing a Flush to a PhantomLocal. Then the PhantomLocal shouldn't get in
24912 the way of further such strength-reduction. We also need to canonicalize PhantomLocal
24913 before running arguments simplification.
24914
24915 * dfg/DFGMayExit.cpp:
24916 (JSC::DFG::mayExit):
24917 * dfg/DFGPlan.cpp:
24918 (JSC::DFG::Plan::compileInThreadImpl):
24919 * dfg/DFGStrengthReductionPhase.cpp:
24920 (JSC::DFG::StrengthReductionPhase::handleNode):
24921
24922 2015-02-02 Filip Pizlo <fpizlo@apple.com>
24923
24924 VirtualRegister should really know how to dump itself
24925 https://bugs.webkit.org/show_bug.cgi?id=141171
24926
24927 Reviewed by Geoffrey Garen.
24928
24929 Gives VirtualRegister a dump() method that pretty-prints the virtual register. The rest of
24930 the patch is all about using this new power.
24931
24932 * CMakeLists.txt:
24933 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
24934 * JavaScriptCore.xcodeproj/project.pbxproj:
24935 * bytecode/CodeBlock.cpp:
24936 (JSC::constantName):
24937 (JSC::CodeBlock::registerName):
24938 * bytecode/CodeBlock.h:
24939 (JSC::missingThisObjectMarker): Deleted.
24940 * bytecode/VirtualRegister.cpp: Added.
24941 (JSC::VirtualRegister::dump):
24942 * bytecode/VirtualRegister.h:
24943 (WTF::printInternal): Deleted.
24944 * dfg/DFGArgumentPosition.h:
24945 (JSC::DFG::ArgumentPosition::dump):
24946 * dfg/DFGFlushedAt.cpp:
24947 (JSC::DFG::FlushedAt::dump):
24948 * dfg/DFGGraph.cpp:
24949 (JSC::DFG::Graph::dump):
24950 * dfg/DFGPutLocalSinkingPhase.cpp:
24951 * dfg/DFGSSAConversionPhase.cpp:
24952 (JSC::DFG::SSAConversionPhase::run):
24953 * dfg/DFGValidate.cpp:
24954 (JSC::DFG::Validate::reportValidationContext):
24955 * dfg/DFGValueSource.cpp:
24956 (JSC::DFG::ValueSource::dump):
24957 * dfg/DFGVariableEvent.cpp:
24958 (JSC::DFG::VariableEvent::dump):
24959 (JSC::DFG::VariableEvent::dumpSpillInfo):
24960 * ftl/FTLExitArgumentForOperand.cpp:
24961 (JSC::FTL::ExitArgumentForOperand::dump):
24962 * ftl/FTLExitValue.cpp:
24963 (JSC::FTL::ExitValue::dumpInContext):
24964 * profiler/ProfilerBytecodeSequence.cpp:
24965 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
24966
24967 2015-02-02 Geoffrey Garen <ggaren@apple.com>
24968
24969 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
24970 https://bugs.webkit.org/show_bug.cgi?id=140900
24971
24972 Reviewed by Mark Hahnenberg.
24973
24974 Re-landing just the HandleBlock piece of this patch.
24975
24976 * heap/HandleBlock.h:
24977 * heap/HandleBlockInlines.h:
24978 (JSC::HandleBlock::create):
24979 (JSC::HandleBlock::destroy):
24980 (JSC::HandleBlock::HandleBlock):
24981 (JSC::HandleBlock::payloadEnd):
24982 * heap/HandleSet.cpp:
24983 (JSC::HandleSet::~HandleSet):
24984 (JSC::HandleSet::grow):
24985
24986 2015-02-02 Joseph Pecoraro <pecoraro@apple.com>
24987
24988 Web Inspector: Support console.table
24989 https://bugs.webkit.org/show_bug.cgi?id=141058
24990
24991 Reviewed by Timothy Hatcher.
24992
24993 * inspector/InjectedScriptSource.js:
24994 Include the firstLevelKeys filter when generating previews.
24995
24996 * runtime/ConsoleClient.cpp:
24997 (JSC::appendMessagePrefix):
24998 Differentiate console.table logs to system log.
24999
25000 2015-01-31 Filip Pizlo <fpizlo@apple.com>
25001
25002 BinarySwitch should be faster on average
25003 https://bugs.webkit.org/show_bug.cgi?id=141046
25004
25005 Reviewed by Anders Carlsson.
25006
25007 This optimizes our binary switch using math. It's strictly better than what we had before
25008 assuming we bottom out in some case (rather than fall through), assuming all cases get
25009 hit with equal probability. The difference is particularly large for large switch
25010 statements. For example, a switch statement with 1000 cases would previously require on
25011 average 13.207 branches to get to some case, while now it just requires 10.464.
25012
25013 This is also a progression for the fall-through case, though we could shave off another
25014 1/6 branch on average if we wanted to - though it would regress taking a case (not falling
25015 through) by 1/6 branch. I believe it's better to bias the BinarySwitch for not falling
25016 through.
25017
25018 This also adds some randomness to the algorithm to minimize the likelihood of us
25019 generating a switch statement that is always particularly bad for some input. Note that
25020 the randomness has no effect on average-case performance assuming all cases are equally
25021 likely.
25022
25023 This ought to have no actual performance change because we don't rely on binary switches
25024 that much. The main reason why this change is interesting is that I'm finding myself
25025 increasingly relying on BinarySwitch, and I'd like to know that it's optimal.
25026
25027 * jit/BinarySwitch.cpp:
25028 (JSC::BinarySwitch::BinarySwitch):
25029 (JSC::BinarySwitch::~BinarySwitch):
25030 (JSC::BinarySwitch::build):
25031 * jit/BinarySwitch.h:
25032
25033 2015-02-02 Joseph Pecoraro <pecoraro@apple.com>
25034
25035 Web Inspector: Extend CSS.getSupportedCSSProperties to provide values for properties for CSS Augmented JSContext
25036 https://bugs.webkit.org/show_bug.cgi?id=141064
25037
25038 Reviewed by Timothy Hatcher.
25039
25040 * inspector/protocol/CSS.json:
25041
25042 2015-02-02 Daniel Bates <dabates@apple.com>
25043
25044 [iOS] ASSERTION FAILED: m_scriptExecutionContext->isContextThread() in ContextDestructionObserver::observeContext
25045 https://bugs.webkit.org/show_bug.cgi?id=141057
25046 <rdar://problem/19068790>
25047
25048 Reviewed by Alexey Proskuryakov.
25049
25050 * inspector/remote/RemoteInspector.mm:
25051 (Inspector::RemoteInspector::receivedIndicateMessage): Modified to call WTF::callOnWebThreadOrDispatchAsyncOnMainThread().
25052 (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable): Deleted; moved logic to common helper function,
25053 WTF::callOnWebThreadOrDispatchAsyncOnMainThread() so that it can be called from both RemoteInspector::receivedIndicateMessage()
25054 and CryptoKeyRSA::generatePair().
25055
25056 2015-02-02 Saam Barati <saambarati1@gmail.com>
25057
25058 Create tests for JSC's Control Flow Profiler
25059 https://bugs.webkit.org/show_bug.cgi?id=141123
25060
25061 Reviewed by Filip Pizlo.
25062
25063 This patch creates a control flow profiler testing API in jsc.cpp
25064 that accepts a function and a string as arguments. The string must
25065 be a substring of the text of the function argument. The API returns
25066 a boolean indicating whether or not the basic block that encloses the
25067 substring has executed.
25068
25069 This patch uses this API to test that the control flow profiler
25070 behaves as expected on basic block boundaries. These tests do not
25071 provide full coverage for all JavaScript statements that can create
25072 basic blocks boundaries. Full coverage will come in a later patch.
25073
25074 * jsc.cpp:
25075 (GlobalObject::finishCreation):
25076 (functionHasBasicBlockExecuted):
25077 * runtime/ControlFlowProfiler.cpp:
25078 (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
25079 * runtime/ControlFlowProfiler.h:
25080 * tests/controlFlowProfiler: Added.
25081 * tests/controlFlowProfiler.yaml: Added.
25082 * tests/controlFlowProfiler/driver: Added.
25083 * tests/controlFlowProfiler/driver/driver.js: Added.
25084 (assert):
25085 * tests/controlFlowProfiler/if-statement.js: Added.
25086 (testIf):
25087 (noMatches):
25088 * tests/controlFlowProfiler/loop-statements.js: Added.
25089 (forRegular):
25090 (forIn):
25091 (forOf):
25092 (whileLoop):
25093 * tests/controlFlowProfiler/switch-statements.js: Added.
25094 (testSwitch):
25095 * tests/controlFlowProfiler/test-jit.js: Added.
25096 (tierUpToBaseline):
25097 (tierUpToDFG):
25098 (baselineTest):
25099 (dfgTest):
25100
25101 2015-01-28 Filip Pizlo <fpizlo@apple.com>
25102
25103 Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
25104 https://bugs.webkit.org/show_bug.cgi?id=140660
25105
25106 Reviewed by Geoffrey Garen.
25107
25108 When we first implemented polymorphic call inlining, we did the profiling based on a call
25109 edge log. The idea was to store each call edge (a tuple of call site and callee) into a
25110 global log that was processed lazily. Processing the log would give precise counts of call
25111 edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
25112 This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
25113 nonetheless.
25114
25115 Experience with this code shows three things. First, the call edge profiler is buggy and
25116 complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
25117 overhead for latency code that we care deeply about. Third, it's not at all clear that
25118 having call edge counts for every possible callee is any better than just having call edge
25119 counts for the limited number of callees that an inline cache would catch.
25120
25121 So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
25122 cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
25123 out-of-line stub that cases on the previously known callees. If that misses again, then we
25124 rewrite that stub to include the new callee. We do this up to some number of callees. If we
25125 hit the limit then we switch to using a plain virtual call.
25126
25127 Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
25128 caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
25129
25130 Rolling this back in after fixing https://bugs.webkit.org/show_bug.cgi?id=141107.
25131
25132 * CMakeLists.txt:
25133 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
25134 * JavaScriptCore.xcodeproj/project.pbxproj:
25135 * bytecode/CallEdge.h:
25136 (JSC::CallEdge::count):
25137 (JSC::CallEdge::CallEdge):
25138 * bytecode/CallEdgeProfile.cpp: Removed.
25139 * bytecode/CallEdgeProfile.h: Removed.
25140 * bytecode/CallEdgeProfileInlines.h: Removed.
25141 * bytecode/CallLinkInfo.cpp:
25142 (JSC::CallLinkInfo::unlink):
25143 (JSC::CallLinkInfo::visitWeak):
25144 * bytecode/CallLinkInfo.h:
25145 * bytecode/CallLinkStatus.cpp:
25146 (JSC::CallLinkStatus::CallLinkStatus):
25147 (JSC::CallLinkStatus::computeFor):
25148 (JSC::CallLinkStatus::computeFromCallLinkInfo):
25149 (JSC::CallLinkStatus::isClosureCall):
25150 (JSC::CallLinkStatus::makeClosureCall):
25151 (JSC::CallLinkStatus::dump):
25152 (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
25153 * bytecode/CallLinkStatus.h:
25154 (JSC::CallLinkStatus::CallLinkStatus):
25155 (JSC::CallLinkStatus::isSet):
25156 (JSC::CallLinkStatus::variants):
25157 (JSC::CallLinkStatus::size):
25158 (JSC::CallLinkStatus::at):
25159 (JSC::CallLinkStatus::operator[]):
25160 (JSC::CallLinkStatus::canOptimize):
25161 (JSC::CallLinkStatus::edges): Deleted.
25162 (JSC::CallLinkStatus::canTrustCounts): Deleted.
25163 * bytecode/CallVariant.cpp:
25164 (JSC::variantListWithVariant):
25165 (JSC::despecifiedVariantList):
25166 * bytecode/CallVariant.h:
25167 * bytecode/CodeBlock.cpp:
25168 (JSC::CodeBlock::~CodeBlock):
25169 (JSC::CodeBlock::linkIncomingPolymorphicCall):
25170 (JSC::CodeBlock::unlinkIncomingCalls):
25171 (JSC::CodeBlock::noticeIncomingCall):
25172 * bytecode/CodeBlock.h:
25173 (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
25174 * dfg/DFGAbstractInterpreterInlines.h:
25175 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
25176 * dfg/DFGByteCodeParser.cpp:
25177 (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
25178 (JSC::DFG::ByteCodeParser::handleCall):
25179 (JSC::DFG::ByteCodeParser::handleInlining):
25180 * dfg/DFGClobberize.h:
25181 (JSC::DFG::clobberize):
25182 * dfg/DFGConstantFoldingPhase.cpp:
25183 (JSC::DFG::ConstantFoldingPhase::foldConstants):
25184 * dfg/DFGDoesGC.cpp:
25185 (JSC::DFG::doesGC):
25186 * dfg/DFGDriver.cpp:
25187 (JSC::DFG::compileImpl):
25188 * dfg/DFGFixupPhase.cpp:
25189 (JSC::DFG::FixupPhase::fixupNode):
25190 * dfg/DFGNode.h:
25191 (JSC::DFG::Node::hasHeapPrediction):
25192 * dfg/DFGNodeType.h:
25193 * dfg/DFGOperations.cpp:
25194 * dfg/DFGPredictionPropagationPhase.cpp:
25195 (JSC::DFG::PredictionPropagationPhase::propagate):
25196 * dfg/DFGSafeToExecute.h:
25197 (JSC::DFG::safeToExecute):
25198 * dfg/DFGSpeculativeJIT32_64.cpp:
25199 (JSC::DFG::SpeculativeJIT::emitCall):
25200 (JSC::DFG::SpeculativeJIT::compile):
25201 * dfg/DFGSpeculativeJIT64.cpp:
25202 (JSC::DFG::SpeculativeJIT::emitCall):
25203 (JSC::DFG::SpeculativeJIT::compile):
25204 * dfg/DFGTierUpCheckInjectionPhase.cpp:
25205 (JSC::DFG::TierUpCheckInjectionPhase::run):
25206 (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
25207 * ftl/FTLCapabilities.cpp:
25208 (JSC::FTL::canCompile):
25209 * heap/Heap.cpp:
25210 (JSC::Heap::collect):
25211 * jit/BinarySwitch.h:
25212 * jit/ClosureCallStubRoutine.cpp: Removed.
25213 * jit/ClosureCallStubRoutine.h: Removed.
25214 * jit/JITCall.cpp:
25215 (JSC::JIT::compileOpCall):
25216 * jit/JITCall32_64.cpp:
25217 (JSC::JIT::compileOpCall):
25218 * jit/JITOperations.cpp:
25219 * jit/JITOperations.h:
25220 (JSC::operationLinkPolymorphicCallFor):
25221 (JSC::operationLinkClosureCallFor): Deleted.
25222 * jit/JITStubRoutine.h:
25223 * jit/JITWriteBarrier.h:
25224 * jit/PolymorphicCallStubRoutine.cpp: Added.
25225 (JSC::PolymorphicCallNode::~PolymorphicCallNode):
25226 (JSC::PolymorphicCallNode::unlink):
25227 (JSC::PolymorphicCallCase::dump):
25228 (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
25229 (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
25230 (JSC::PolymorphicCallStubRoutine::variants):
25231 (JSC::PolymorphicCallStubRoutine::edges):
25232 (JSC::PolymorphicCallStubRoutine::visitWeak):
25233 (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
25234 * jit/PolymorphicCallStubRoutine.h: Added.
25235 (JSC::PolymorphicCallNode::PolymorphicCallNode):
25236 (JSC::PolymorphicCallCase::PolymorphicCallCase):
25237 (JSC::PolymorphicCallCase::variant):
25238 (JSC::PolymorphicCallCase::codeBlock):
25239 * jit/Repatch.cpp:
25240 (JSC::linkSlowFor):
25241 (JSC::linkFor):
25242 (JSC::revertCall):
25243 (JSC::unlinkFor):
25244 (JSC::linkVirtualFor):
25245 (JSC::linkPolymorphicCall):
25246 (JSC::linkClosureCall): Deleted.
25247 * jit/Repatch.h:
25248 * jit/ThunkGenerators.cpp:
25249 (JSC::linkPolymorphicCallForThunkGenerator):
25250 (JSC::linkPolymorphicCallThunkGenerator):
25251 (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
25252 (JSC::linkClosureCallForThunkGenerator): Deleted.
25253 (JSC::linkClosureCallThunkGenerator): Deleted.
25254 (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
25255 * jit/ThunkGenerators.h:
25256 (JSC::linkPolymorphicCallThunkGeneratorFor):
25257 (JSC::linkClosureCallThunkGeneratorFor): Deleted.
25258 * llint/LLIntSlowPaths.cpp:
25259 (JSC::LLInt::jitCompileAndSetHeuristics):
25260 * runtime/Options.h:
25261 * runtime/VM.cpp:
25262 (JSC::VM::prepareToDiscardCode):
25263 (JSC::VM::ensureCallEdgeLog): Deleted.
25264 * runtime/VM.h:
25265
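The cache transitions described in the entry above (basic inline cache, inflation to an out-of-line stub that cases on known callees, stub rewrite on a further miss, virtual call past the limit), as an added C simulation that is not JavaScriptCore code. The callee limit of 4, the state and path names, and the call sequence are constructed assumptions; JSC's real limit is an Options.h tunable the entry does not quote.

```c
/* Added example, not JavaScriptCore code: a C model of the polymorphic call
 * inline cache transitions described above. The callee limit, the state and
 * path names, and the sample call sequence are constructed assumptions. */
#include <stdio.h>

#define MAX_POLYMORPHIC_CALLEES 4   /* assumed limit before falling back to a virtual call */

typedef enum { CALL_UNLINKED, CALL_MONOMORPHIC, CALL_POLYMORPHIC, CALL_VIRTUAL } CallLinkState;

typedef enum {
    PATH_LINK,          /* first call: link the basic inline cache to this callee */
    PATH_FAST_HIT,      /* basic inline cache hit */
    PATH_STUB_HIT,      /* out-of-line stub hit one of its known callees */
    PATH_STUB_REWRITE,  /* stub (re)generated to include a new callee */
    PATH_VIRTUAL        /* limit reached: plain virtual call */
} CallPath;

typedef struct {
    CallLinkState state;
    int callees[MAX_POLYMORPHIC_CALLEES];  /* callees the stub cases on */
    int count;
} CallLinkInfo;

static int stub_knows(const CallLinkInfo *info, int callee)
{
    int k;
    for (k = 0; k < info->count; k++)
        if (info->callees[k] == callee)
            return 1;
    return 0;
}

/* One call through the site: returns the path taken and updates the cache. */
CallPath call_through_site(CallLinkInfo *info, int callee)
{
    switch (info->state) {
    case CALL_UNLINKED:
        info->callees[0] = callee;
        info->count = 1;
        info->state = CALL_MONOMORPHIC;
        return PATH_LINK;
    case CALL_MONOMORPHIC:
        if (info->callees[0] == callee)
            return PATH_FAST_HIT;
        /* miss: inflate the cache into an out-of-line stub with both callees */
        info->callees[info->count++] = callee;
        info->state = CALL_POLYMORPHIC;
        return PATH_STUB_REWRITE;
    case CALL_POLYMORPHIC:
        if (stub_knows(info, callee))
            return PATH_STUB_HIT;
        if (info->count < MAX_POLYMORPHIC_CALLEES) {
            info->callees[info->count++] = callee;   /* rewrite stub with new callee */
            return PATH_STUB_REWRITE;
        }
        info->state = CALL_VIRTUAL;                  /* too many callees: give up */
        return PATH_VIRTUAL;
    default:
        return PATH_VIRTUAL;
    }
}

/* Constructed call sequence: callee ids seen at one call site, in order. */
static const int kSampleCallees[] = { 1, 1, 2, 2, 3, 4, 5, 6, 1 };
#define SAMPLE_LEN ((int)(sizeof kSampleCallees / sizeof kSampleCallees[0]))

/* Replays the sample sequence through a fresh site up to and including
 * `step` and returns the path taken at that step. */
CallPath demo_path(int step)
{
    CallLinkInfo info = { CALL_UNLINKED, { 0 }, 0 };
    CallPath path = PATH_VIRTUAL;
    int k;
    for (k = 0; k <= step && k < SAMPLE_LEN; k++)
        path = call_through_site(&info, kSampleCallees[k]);
    return path;
}

/* Same replay, returning the cache state after `step`. */
CallLinkState demo_state_after(int step)
{
    CallLinkInfo info = { CALL_UNLINKED, { 0 }, 0 };
    int k;
    for (k = 0; k <= step && k < SAMPLE_LEN; k++)
        call_through_site(&info, kSampleCallees[k]);
    return info.state;
}

int main(void)
{
    static const char *names[] = { "link", "fast hit", "stub hit", "stub rewrite", "virtual" };
    int k;
    for (k = 0; k < SAMPLE_LEN; k++)
        printf("call %d -> callee %d: %s\n", k, kSampleCallees[k], names[demo_path(k)]);
    return 0;
}
```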
25266 2015-01-30 Filip Pizlo <fpizlo@apple.com>
25267
25268 Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
25269 https://bugs.webkit.org/show_bug.cgi?id=141107
25270
25271 Reviewed by Michael Saboff.
25272
25273 See the bugzilla for a discussion of the problem. This addresses the problem by ensuring
25274 that Flushes are always strength-reduced to PhantomLocals, and CPS rethreading does a mini
25275 OSR availability analysis to determine the right MovHint value to use for the Phantom.
25276
25277 * dfg/DFGCPSRethreadingPhase.cpp:
25278 (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
25279 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
25280 (JSC::DFG::CPSRethreadingPhase::clearVariables):
25281 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
25282 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
25283 (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail): Deleted.
25284 * dfg/DFGNode.h:
25285 (JSC::DFG::Node::convertPhantomToPhantomLocal):
25286 (JSC::DFG::Node::convertFlushToPhantomLocal):
25287 (JSC::DFG::Node::convertToPhantomLocal): Deleted.
25288 * dfg/DFGStrengthReductionPhase.cpp:
25289 (JSC::DFG::StrengthReductionPhase::handleNode):
25290 * tests/stress/inline-call-that-doesnt-use-all-args.js: Added.
25291 (foo):
25292 (bar):
25293 (baz):
25294
25295 2015-01-31 Michael Saboff <msaboff@apple.com>
25296
25297 Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
25298 https://bugs.webkit.org/show_bug.cgi?id=141111
25299
25300 Reviewed by Filip Pizlo.
25301
25302 In LowerDFGToLLVM::compileNode(), if we determine while compiling a node that we would have
25303 exited, we don't need to process the OSR availability or abstract interpreter.
25304
25305 * ftl/FTLLowerDFGToLLVM.cpp:
25306 (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): Broke this out as a separate
25307 method since we need to call it at the top and near the bottom of compileNode().
25308 (JSC::FTL::LowerDFGToLLVM::compileNode):
25309
25310 2015-01-31 Sam Weinig <sam@webkit.org>
25311
25312 Remove even more Mountain Lion support
25313 https://bugs.webkit.org/show_bug.cgi?id=141124
25314
25315 Reviewed by Alexey Proskuryakov.
25316
25317 * API/tests/DateTests.mm:
25318 * Configurations/Base.xcconfig:
25319 * Configurations/DebugRelease.xcconfig:
25320 * Configurations/FeatureDefines.xcconfig:
25321 * Configurations/Version.xcconfig:
25322 * jit/ExecutableAllocatorFixedVMPool.cpp:
25323
25324 2015-01-31 Commit Queue <commit-queue@webkit.org>
25325
25326 Unreviewed, rolling out r179426.
25327 https://bugs.webkit.org/show_bug.cgi?id=141119
25328
25329 "caused a memory use regression" (Requested by Guest45 on
25330 #webkit).
25331
25332 Reverted changeset:
25333
25334 "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
25335 pages"
25336 https://bugs.webkit.org/show_bug.cgi?id=140900
25337 http://trac.webkit.org/changeset/179426
25338
25339 2015-01-30 Daniel Bates <dabates@apple.com>
25340
25341 Clean up: Remove unnecessary <dispatch/dispatch.h> header from RemoteInspectorDebuggableConnection.h
25342 https://bugs.webkit.org/show_bug.cgi?id=141067
25343
25344 Reviewed by Timothy Hatcher.
25345
25346 Remove the header <dispatch/dispatch.h> from RemoteInspectorDebuggableConnection.h as we
25347 do not make use of its functionality. Instead, include this header in RemoteInspectorDebuggableConnection.mm
25348 and RemoteInspector.mm. The latter depended on <dispatch/dispatch.h> being included via
25349 header RemoteInspectorDebuggableConnection.h.
25350
25351 * inspector/remote/RemoteInspector.mm: Include header <dispatch/dispatch.h>.
25352 * inspector/remote/RemoteInspectorDebuggableConnection.h: Remove header <dispatch/dispatch.h>.
25353 * inspector/remote/RemoteInspectorDebuggableConnection.mm: Include header <dispatch/dispatch.h>.
25354
25355 2015-01-30 Yusuke Suzuki <utatane.tea@gmail.com>
25356
25357 Implement ES6 Symbol
25358 https://bugs.webkit.org/show_bug.cgi?id=140435
25359
25360 Reviewed by Geoffrey Garen.
25361
25362 This patch implements ES6 Symbol. In this patch, we don't support
25363 Symbol.keyFor, Symbol.for, Object.getOwnPropertySymbols. They will be
25364 supported in the subsequent patches.
25365
25366 Since ES6 Symbol is introduced as a new primitive value, we implement
25367 Symbol as a derived class from JSCell. And now JSValue accepts Symbol*
25368 as a new primitive value.
25369
25370 Symbol has a *unique* flagged StringImpl* as a `uid`, whose pointer
25371 value represents the Symbol's identity. So don't use the Symbol's
25372 JSCell pointer value for comparison.
25373 This enables re-producing a Symbol primitive value from a StringImpl* uid
25374 by executing `Symbol::create(vm, uid)`. This is needed to produce
25375 Symbol primitive values from stored StringImpl* in `Object.getOwnPropertySymbols`.
25376
25377 And Symbol.[[Description]] is folded into the string value of the Symbol's uid.
25378 By doing so, we can represent ES6 Symbol without extending the current PropertyTable key, StringImpl*.
25379
25380 * CMakeLists.txt:
25381 * DerivedSources.make:
25382 * JavaScriptCore.order:
25383 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
25384 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
25385 * JavaScriptCore.xcodeproj/project.pbxproj:
25386 * builtins/BuiltinExecutables.cpp:
25387 (JSC::BuiltinExecutables::createBuiltinExecutable):
25388 * builtins/BuiltinNames.h:
25389 * dfg/DFGOperations.cpp:
25390 (JSC::DFG::operationPutByValInternal):
25391 * inspector/JSInjectedScriptHost.cpp:
25392 (Inspector::JSInjectedScriptHost::subtype):
25393 * interpreter/Interpreter.cpp:
25394 * jit/JITOperations.cpp:
25395 (JSC::getByVal):
25396 * llint/LLIntData.cpp:
25397 (JSC::LLInt::Data::performAssertions):
25398 * llint/LLIntSlowPaths.cpp:
25399 (JSC::LLInt::getByVal):
25400 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25401 * llint/LowLevelInterpreter.asm:
25402 * runtime/CommonIdentifiers.h:
25403 * runtime/CommonSlowPaths.cpp:
25404 (JSC::SLOW_PATH_DECL):
25405 * runtime/CommonSlowPaths.h:
25406 (JSC::CommonSlowPaths::opIn):
25407 * runtime/ExceptionHelpers.cpp:
25408 (JSC::createUndefinedVariableError):
25409 * runtime/JSCJSValue.cpp:
25410 (JSC::JSValue::synthesizePrototype):
25411 (JSC::JSValue::dumpInContextAssumingStructure):
25412 (JSC::JSValue::toStringSlowCase):
25413 * runtime/JSCJSValue.h:
25414 * runtime/JSCJSValueInlines.h:
25415 (JSC::JSValue::isSymbol):
25416 (JSC::JSValue::isPrimitive):
25417 (JSC::JSValue::toPropertyKey):
25418
25419 It represents ToPropertyKey abstract operation in the ES6 spec.
25420 It cleans up the old implementation's `isName` checks.
25421 And to prevent performance regressions in
25422 js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html
25423 js/regress/fold-get-by-id-to-multi-get-by-offset.html
25424 we annotate this function as ALWAYS_INLINE.
25425
25426 (JSC::JSValue::getPropertySlot):
25427 (JSC::JSValue::get):
25428 (JSC::JSValue::equalSlowCaseInline):
25429 (JSC::JSValue::strictEqualSlowCaseInline):
25430 * runtime/JSCell.cpp:
25431 (JSC::JSCell::put):
25432 (JSC::JSCell::putByIndex):
25433 (JSC::JSCell::toPrimitive):
25434 (JSC::JSCell::getPrimitiveNumber):
25435 (JSC::JSCell::toNumber):
25436 (JSC::JSCell::toObject):
25437 * runtime/JSCell.h:
25438 * runtime/JSCellInlines.h:
25439 (JSC::JSCell::isSymbol):
25440 (JSC::JSCell::toBoolean):
25441 (JSC::JSCell::pureToBoolean):
25442 * runtime/JSGlobalObject.cpp:
25443 (JSC::JSGlobalObject::init):
25444 (JSC::JSGlobalObject::visitChildren):
25445 * runtime/JSGlobalObject.h:
25446 (JSC::JSGlobalObject::symbolPrototype):
25447 (JSC::JSGlobalObject::symbolObjectStructure):
25448 * runtime/JSONObject.cpp:
25449 (JSC::Stringifier::Stringifier):
25450 * runtime/JSSymbolTableObject.cpp:
25451 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
25452 * runtime/JSType.h:
25453 * runtime/JSTypeInfo.h:
25454 (JSC::TypeInfo::isName): Deleted.
25455 * runtime/MapData.cpp:
25456 (JSC::MapData::find):
25457 (JSC::MapData::add):
25458 (JSC::MapData::remove):
25459 (JSC::MapData::replaceAndPackBackingStore):
25460 * runtime/MapData.h:
25461 (JSC::MapData::clear):
25462 * runtime/NameInstance.h: Removed.
25463 * runtime/NamePrototype.cpp: Removed.
25464 * runtime/ObjectConstructor.cpp:
25465 (JSC::objectConstructorGetOwnPropertyDescriptor):
25466 (JSC::objectConstructorDefineProperty):
25467 * runtime/ObjectPrototype.cpp:
25468 (JSC::objectProtoFuncHasOwnProperty):
25469 (JSC::objectProtoFuncDefineGetter):
25470 (JSC::objectProtoFuncDefineSetter):
25471 (JSC::objectProtoFuncLookupGetter):
25472 (JSC::objectProtoFuncLookupSetter):
25473 (JSC::objectProtoFuncPropertyIsEnumerable):
25474 * runtime/Operations.cpp:
25475 (JSC::jsTypeStringForValue):
25476 (JSC::jsIsObjectType):
25477 * runtime/PrivateName.h:
25478 (JSC::PrivateName::PrivateName):
25479 (JSC::PrivateName::operator==):
25480 (JSC::PrivateName::operator!=):
25481 * runtime/PropertyMapHashTable.h:
25482 (JSC::PropertyTable::find):
25483 (JSC::PropertyTable::get):
25484 * runtime/PropertyName.h:
25485 (JSC::PropertyName::PropertyName):
25486 (JSC::PropertyName::publicName):
25487 * runtime/SmallStrings.h:
25488 * runtime/StringConstructor.cpp:
25489 (JSC::callStringConstructor):
25490
25491 In ES6, String constructor accepts Symbol to execute `String(symbol)`.
25492
25493 * runtime/Structure.cpp:
25494 (JSC::Structure::getPropertyNamesFromStructure):
25495 * runtime/StructureInlines.h:
25496 (JSC::Structure::prototypeForLookup):
25497 * runtime/Symbol.cpp: Added.
25498 (JSC::Symbol::Symbol):
25499 (JSC::SymbolObject::create):
25500 (JSC::Symbol::toPrimitive):
25501 (JSC::Symbol::toBoolean):
25502 (JSC::Symbol::getPrimitiveNumber):
25503 (JSC::Symbol::toObject):
25504 (JSC::Symbol::toNumber):
25505 (JSC::Symbol::destroy):
25506 (JSC::Symbol::descriptiveString):
25507 * runtime/Symbol.h: Added.
25508 (JSC::Symbol::createStructure):
25509 (JSC::Symbol::create):
25510 (JSC::Symbol::privateName):
25511 (JSC::Symbol::finishCreation):
25512 (JSC::asSymbol):
25513 * runtime/SymbolConstructor.cpp: Renamed from Source/JavaScriptCore/runtime/NameConstructor.cpp.
25514 (JSC::SymbolConstructor::SymbolConstructor):
25515 (JSC::SymbolConstructor::finishCreation):
25516 (JSC::callSymbol):
25517 (JSC::SymbolConstructor::getConstructData):
25518 (JSC::SymbolConstructor::getCallData):
25519 * runtime/SymbolConstructor.h: Renamed from Source/JavaScriptCore/runtime/NameConstructor.h.
25520 (JSC::SymbolConstructor::create):
25521 (JSC::SymbolConstructor::createStructure):
25522 * runtime/SymbolObject.cpp: Renamed from Source/JavaScriptCore/runtime/NameInstance.cpp.
25523 (JSC::SymbolObject::SymbolObject):
25524 (JSC::SymbolObject::finishCreation):
25525 (JSC::SymbolObject::defaultValue):
25526
25527 Now JSC doesn't support @@toPrimitive. So instead of it, we implement
25528 Symbol.prototype[@@toPrimitive] as ES5 Symbol.[[DefaultValue]].
25529
25530 * runtime/SymbolObject.h: Added.
25531 (JSC::SymbolObject::create):
25532 (JSC::SymbolObject::internalValue):
25533 (JSC::SymbolObject::createStructure):
25534 * runtime/SymbolPrototype.cpp: Added.
25535 (JSC::SymbolPrototype::SymbolPrototype):
25536 (JSC::SymbolPrototype::finishCreation):
25537 (JSC::SymbolPrototype::getOwnPropertySlot):
25538 (JSC::symbolProtoFuncToString):
25539 (JSC::symbolProtoFuncValueOf):
25540 * runtime/SymbolPrototype.h: Renamed from Source/JavaScriptCore/runtime/NamePrototype.h.
25541 (JSC::SymbolPrototype::create):
25542 (JSC::SymbolPrototype::createStructure):
25543
25544 The SymbolPrototype object is an ordinary JS object, not a wrapper object of Symbol.
25545 It is tested in js/symbol-prototype-is-ordinary-object.html.
25546
25547 * runtime/VM.cpp:
25548 (JSC::VM::VM):
25549 * runtime/VM.h:
25550
25551 2015-01-30 Geoffrey Garen <ggaren@apple.com>
25552
25553 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
25554 https://bugs.webkit.org/show_bug.cgi?id=140900
25555
25556 Reviewed by Mark Hahnenberg.
25557
25558 Re-landing just the HandleBlock piece of this patch.
25559
25560 * heap/HandleBlock.h:
25561 * heap/HandleBlockInlines.h:
25562 (JSC::HandleBlock::create):
25563 (JSC::HandleBlock::destroy):
25564 (JSC::HandleBlock::HandleBlock):
25565 (JSC::HandleBlock::payloadEnd):
25566 * heap/HandleSet.cpp:
25567 (JSC::HandleSet::~HandleSet):
25568 (JSC::HandleSet::grow):
25569
255702015-01-30 Geoffrey Garen <ggaren@apple.com>
25571
25572 GC marking threads should clear malloc caches
25573 https://bugs.webkit.org/show_bug.cgi?id=141097
25574
25575 Reviewed by Sam Weinig.
25576
25577 Follow-up based on Mark Hahnenberg's review: Release after the copy
25578 phase, rather than after any phase, since we'd rather not release
25579 between marking and copying.
25580
25581 * heap/GCThread.cpp:
25582 (JSC::GCThread::waitForNextPhase):
25583 (JSC::GCThread::gcThreadMain):
25584
255852015-01-30 Geoffrey Garen <ggaren@apple.com>
25586
25587 GC marking threads should clear malloc caches
25588 https://bugs.webkit.org/show_bug.cgi?id=141097
25589
25590 Reviewed by Andreas Kling.
25591
25592 This is an attempt to ameliorate a potential memory use regression
25593 caused by https://bugs.webkit.org/show_bug.cgi?id=140900
25594 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages.
25595
25596 FastMalloc may accumulate a per-thread cache on each of the 8-ish
25597 GC marking threads, which can be expensive.
25598
25599 * heap/GCThread.cpp:
25600 (JSC::GCThread::waitForNextPhase): Scavenge the current thread before
25601 going to sleep. There's probably not too much value to keeping our
25602 per-thread cache between GCs, and it has some memory footprint.
25603
256042015-01-30 Chris Dumez <cdumez@apple.com>
25605
25606 Rename shared() static member functions to singleton() for singleton classes.
25607 https://bugs.webkit.org/show_bug.cgi?id=141088
25608
25609 Reviewed by Ryosuke Niwa and Benjamin Poulain.
25610
25611 Rename shared() static member functions to singleton() for singleton
25612 classes as per the recent coding style change.
25613
25614 * inspector/remote/RemoteInspector.h:
25615 * inspector/remote/RemoteInspector.mm:
25616 (Inspector::RemoteInspector::singleton):
25617 (Inspector::RemoteInspector::start):
25618 (Inspector::RemoteInspector::shared): Deleted.
25619 * inspector/remote/RemoteInspectorDebuggable.cpp:
25620 (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
25621 (Inspector::RemoteInspectorDebuggable::init):
25622 (Inspector::RemoteInspectorDebuggable::update):
25623 (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
25624 (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
25625 (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
25626 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
25627 (Inspector::RemoteInspectorDebuggableConnection::setup):
25628 (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
25629
256302015-01-30 Geoffrey Garen <ggaren@apple.com>
25631
25632 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
25633 https://bugs.webkit.org/show_bug.cgi?id=140900
25634
25635 Reviewed by Mark Hahnenberg.
25636
25637 Re-landing just the CopyWorkListSegment piece of this patch.
25638
25639 * heap/CopiedBlockInlines.h:
25640 (JSC::CopiedBlock::reportLiveBytes):
25641 * heap/CopyWorkList.h:
25642 (JSC::CopyWorkListSegment::create):
25643 (JSC::CopyWorkListSegment::destroy):
25644 (JSC::CopyWorkListSegment::CopyWorkListSegment):
25645 (JSC::CopyWorkList::CopyWorkList):
25646 (JSC::CopyWorkList::~CopyWorkList):
25647 (JSC::CopyWorkList::append):
25648
256492015-01-29 Commit Queue <commit-queue@webkit.org>
25650
25651 Unreviewed, rolling out r179357 and r179358.
25652 https://bugs.webkit.org/show_bug.cgi?id=141062
25653
25654 Suspect this caused WebGL tests to start flaking (Requested by
25655 kling on #webkit).
25656
25657 Reverted changesets:
25658
25659 "Polymorphic call inlining should be based on polymorphic call
25660 inline caching rather than logging"
25661 https://bugs.webkit.org/show_bug.cgi?id=140660
25662 http://trac.webkit.org/changeset/179357
25663
25664 "Unreviewed, fix no-JIT build."
25665 http://trac.webkit.org/changeset/179358
25666
256672015-01-29 Geoffrey Garen <ggaren@apple.com>
25668
25669 Removed op_ret_object_or_this
25670 https://bugs.webkit.org/show_bug.cgi?id=141048
25671
25672 Reviewed by Michael Saboff.
25673
25674 op_ret_object_or_this was one opcode that would keep us out of the
25675 optimizing compilers.
25676
25677 We don't need a special-purpose opcode; we can just use a branch.
25678
25679 * bytecode/BytecodeBasicBlock.cpp:
25680 (JSC::isTerminal): Removed.
25681 * bytecode/BytecodeList.json:
25682 * bytecode/BytecodeUseDef.h:
25683 (JSC::computeUsesForBytecodeOffset):
25684 (JSC::computeDefsForBytecodeOffset): Removed.
25685
25686 * bytecode/CodeBlock.cpp:
25687 (JSC::CodeBlock::dumpBytecode): Removed.
25688
25689 * bytecompiler/BytecodeGenerator.cpp:
25690 (JSC::BytecodeGenerator::emitReturn): Use an explicit branch to determine
25691 if we need to substitute 'this' for the return value. Our engine no longer
25692 benefits from fused opcodes that dispatch less in the interpreter.
25693
25694 * jit/JIT.cpp:
25695 (JSC::JIT::privateCompileMainPass):
25696 * jit/JIT.h:
25697 * jit/JITCall32_64.cpp:
25698 (JSC::JIT::emit_op_ret_object_or_this): Deleted.
25699 * jit/JITOpcodes.cpp:
25700 (JSC::JIT::emit_op_ret_object_or_this): Deleted.
25701 * llint/LowLevelInterpreter32_64.asm:
25702 * llint/LowLevelInterpreter64.asm: Removed.
25703
257042015-01-29 Ryosuke Niwa <rniwa@webkit.org>
25705
25706 Implement ES6 class syntax without inheritance support
25707 https://bugs.webkit.org/show_bug.cgi?id=140918
25708
25709 Reviewed by Geoffrey Garen.
25710
25711 Added the most basic support for ES6 class syntax. After this patch, we support basic class definition like:
25712 class A {
25713 constructor() { }
25714 someMethod() { }
25715 }
25716
25717 We'll add the support for "extends" keyword and automatically generating a constructor in follow up patches.
25718 We also don't support block scoping of a class declaration.
25719
25720 We support both class declaration and class expression. A class expression is implemented by the newly added
25721 ClassExprNode AST node. A class declaration is implemented by ClassDeclNode, which is a thin wrapper around
25722 AssignResolveNode.
25723
25724 Tests: js/class-syntax-declaration.html
25725 js/class-syntax-expression.html
25726
25727 * bytecompiler/NodesCodegen.cpp:
25728 (JSC::ObjectLiteralNode::emitBytecode): Create a new object instead of delegating the work to PropertyListNode.
25729 Also fixed the 5-space indentation.
25730 (JSC::PropertyListNode::emitBytecode): Don't create a new object now that ObjectLiteralNode does this.
25731 (JSC::ClassDeclNode::emitBytecode): Added. Just let the AssignResolveNode node emit the byte code.
25732 (JSC::ClassExprNode::emitBytecode): Create the class constructor and add static methods to the constructor by
25733 emitting the byte code for PropertyListNode. Add instance methods to the class's prototype object the same way.
25734
25735 * parser/ASTBuilder.h:
25736 (JSC::ASTBuilder::createClassExpr): Added. Creates a ClassExprNode.
25737 (JSC::ASTBuilder::createClassDeclStatement): Added. Creates a AssignResolveNode and wraps it by a ClassDeclNode.
25738
25739 * parser/NodeConstructors.h:
25740 (JSC::ClassDeclNode::ClassDeclNode): Added.
25741 (JSC::ClassExprNode::ClassExprNode): Added.
25742
25743 * parser/Nodes.h:
25744 (JSC::ClassExprNode): Added.
25745 (JSC::ClassDeclNode): Added.
25746
25747 * parser/Parser.cpp:
25748 (JSC::Parser<LexerType>::parseStatement): Added the support for class declaration.
25749 (JSC::stringForFunctionMode): Return "method" for MethodMode.
25750 (JSC::Parser<LexerType>::parseClassDeclaration): Added. Uses parseClass to create a class expression and wraps
25751 it with ClassDeclNode as described above.
25752 (JSC::Parser<LexerType>::parseClass): Parses a class expression.
25753 (JSC::Parser<LexerType>::parseProperty):
25754 (JSC::Parser<LexerType>::parseGetterSetter): Extracted from parseProperty to share the code between parseProperty
25755 and parseClass.
25756 (JSC::Parser<LexerType>::parsePrimaryExpression): Added the support for class expression.
25757
25758 * parser/Parser.h:
25759 (FunctionParseMode): Added MethodMode.
25760
25761 * parser/SyntaxChecker.h:
25762 (JSC::SyntaxChecker::createClassExpr): Added.
25763 (JSC::SyntaxChecker::createClassDeclStatement): Added.
25764
257652015-01-29 Geoffrey Garen <ggaren@apple.com>
25766
25767 Try to fix the Windows build.
25768
25769 Not reviewed.
25770
25771 * heap/WeakBlock.h: Use the fully qualified name when declaring our friend.
25772
257732015-01-29 Geoffrey Garen <ggaren@apple.com>
25774
25775 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
25776 https://bugs.webkit.org/show_bug.cgi?id=140900
25777
25778 Reviewed by Mark Hahnenberg.
25779
25780 Re-landing just the WeakBlock piece of this patch.
25781
25782 * heap/WeakBlock.cpp:
25783 (JSC::WeakBlock::create):
25784 (JSC::WeakBlock::destroy):
25785 (JSC::WeakBlock::WeakBlock):
25786 * heap/WeakBlock.h:
25787 * heap/WeakSet.cpp:
25788 (JSC::WeakSet::~WeakSet):
25789 (JSC::WeakSet::addAllocator):
25790 (JSC::WeakSet::removeAllocator):
25791
257922015-01-29 Geoffrey Garen <ggaren@apple.com>
25793
25794 Use Vector instead of GCSegmentedArray in CodeBlockSet
25795 https://bugs.webkit.org/show_bug.cgi?id=141044
25796
25797 Reviewed by Ryosuke Niwa.
25798
25799 This is allowed now that we've gotten rid of fastMallocForbid.
25800
25801 4kB was a bit overkill for just storing a few pointers.
25802
25803 * heap/CodeBlockSet.cpp:
25804 (JSC::CodeBlockSet::CodeBlockSet):
25805 * heap/CodeBlockSet.h:
25806 * heap/Heap.cpp:
25807 (JSC::Heap::Heap):
25808
258092015-01-29 Filip Pizlo <fpizlo@apple.com>
25810
25811 Unreviewed, fix no-JIT build.
25812
25813 * jit/PolymorphicCallStubRoutine.cpp:
25814
258152015-01-28 Filip Pizlo <fpizlo@apple.com>
25816
25817 Polymorphic call inlining should be based on polymorphic call inline caching rather than logging
25818 https://bugs.webkit.org/show_bug.cgi?id=140660
25819
25820 Reviewed by Geoffrey Garen.
25821
25822 When we first implemented polymorphic call inlining, we did the profiling based on a call
25823 edge log. The idea was to store each call edge (a tuple of call site and callee) into a
25824 global log that was processed lazily. Processing the log would give precise counts of call
25825 edges, and could be used to drive well-informed inlining decisions - polymorphic or not.
25826 This was a speed-up on throughput tests but a slow-down for latency tests. It was a net win
25827 nonetheless.
25828
25829 Experience with this code shows three things. First, the call edge profiler is buggy and
25830 complex. It would take work to fix the bugs. Second, the call edge profiler incurs lots of
25831 overhead for latency code that we care deeply about. Third, it's not at all clear that
25832 having call edge counts for every possible callee is any better than just having call edge
25833 counts for the limited number of callees that an inline cache would catch.
25834
25835 So, this patch removes the call edge profiler and replaces it with a polymorphic call inline
25836 cache. If we miss the basic call inline cache, we inflate the cache to be a jump to an
25837 out-of-line stub that cases on the previously known callees. If that misses again, then we
25838 rewrite that stub to include the new callee. We do this up to some number of callees. If we
25839 hit the limit then we switch to using a plain virtual call.
25840
25841 Substantial speed-up on V8Spider; undoes the slow-down that the original call edge profiler
25842 caused. Might be a SunSpider speed-up (below 1%), depending on hardware.
25843
25844 * CMakeLists.txt:
25845 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
25846 * JavaScriptCore.xcodeproj/project.pbxproj:
25847 * bytecode/CallEdge.h:
25848 (JSC::CallEdge::count):
25849 (JSC::CallEdge::CallEdge):
25850 * bytecode/CallEdgeProfile.cpp: Removed.
25851 * bytecode/CallEdgeProfile.h: Removed.
25852 * bytecode/CallEdgeProfileInlines.h: Removed.
25853 * bytecode/CallLinkInfo.cpp:
25854 (JSC::CallLinkInfo::unlink):
25855 (JSC::CallLinkInfo::visitWeak):
25856 * bytecode/CallLinkInfo.h:
25857 * bytecode/CallLinkStatus.cpp:
25858 (JSC::CallLinkStatus::CallLinkStatus):
25859 (JSC::CallLinkStatus::computeFor):
25860 (JSC::CallLinkStatus::computeFromCallLinkInfo):
25861 (JSC::CallLinkStatus::isClosureCall):
25862 (JSC::CallLinkStatus::makeClosureCall):
25863 (JSC::CallLinkStatus::dump):
25864 (JSC::CallLinkStatus::computeFromCallEdgeProfile): Deleted.
25865 * bytecode/CallLinkStatus.h:
25866 (JSC::CallLinkStatus::CallLinkStatus):
25867 (JSC::CallLinkStatus::isSet):
25868 (JSC::CallLinkStatus::variants):
25869 (JSC::CallLinkStatus::size):
25870 (JSC::CallLinkStatus::at):
25871 (JSC::CallLinkStatus::operator[]):
25872 (JSC::CallLinkStatus::canOptimize):
25873 (JSC::CallLinkStatus::edges): Deleted.
25874 (JSC::CallLinkStatus::canTrustCounts): Deleted.
25875 * bytecode/CallVariant.cpp:
25876 (JSC::variantListWithVariant):
25877 (JSC::despecifiedVariantList):
25878 * bytecode/CallVariant.h:
25879 * bytecode/CodeBlock.cpp:
25880 (JSC::CodeBlock::~CodeBlock):
25881 (JSC::CodeBlock::linkIncomingPolymorphicCall):
25882 (JSC::CodeBlock::unlinkIncomingCalls):
25883 (JSC::CodeBlock::noticeIncomingCall):
25884 * bytecode/CodeBlock.h:
25885 (JSC::CodeBlock::isIncomingCallAlreadyLinked): Deleted.
25886 * dfg/DFGAbstractInterpreterInlines.h:
25887 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
25888 * dfg/DFGByteCodeParser.cpp:
25889 (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
25890 (JSC::DFG::ByteCodeParser::handleCall):
25891 (JSC::DFG::ByteCodeParser::handleInlining):
25892 * dfg/DFGClobberize.h:
25893 (JSC::DFG::clobberize):
25894 * dfg/DFGConstantFoldingPhase.cpp:
25895 (JSC::DFG::ConstantFoldingPhase::foldConstants):
25896 * dfg/DFGDoesGC.cpp:
25897 (JSC::DFG::doesGC):
25898 * dfg/DFGDriver.cpp:
25899 (JSC::DFG::compileImpl):
25900 * dfg/DFGFixupPhase.cpp:
25901 (JSC::DFG::FixupPhase::fixupNode):
25902 * dfg/DFGNode.h:
25903 (JSC::DFG::Node::hasHeapPrediction):
25904 * dfg/DFGNodeType.h:
25905 * dfg/DFGOperations.cpp:
25906 * dfg/DFGPredictionPropagationPhase.cpp:
25907 (JSC::DFG::PredictionPropagationPhase::propagate):
25908 * dfg/DFGSafeToExecute.h:
25909 (JSC::DFG::safeToExecute):
25910 * dfg/DFGSpeculativeJIT32_64.cpp:
25911 (JSC::DFG::SpeculativeJIT::emitCall):
25912 (JSC::DFG::SpeculativeJIT::compile):
25913 * dfg/DFGSpeculativeJIT64.cpp:
25914 (JSC::DFG::SpeculativeJIT::emitCall):
25915 (JSC::DFG::SpeculativeJIT::compile):
25916 * dfg/DFGTierUpCheckInjectionPhase.cpp:
25917 (JSC::DFG::TierUpCheckInjectionPhase::run):
25918 (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): Deleted.
25919 * ftl/FTLCapabilities.cpp:
25920 (JSC::FTL::canCompile):
25921 * heap/Heap.cpp:
25922 (JSC::Heap::collect):
25923 * jit/BinarySwitch.h:
25924 * jit/ClosureCallStubRoutine.cpp: Removed.
25925 * jit/ClosureCallStubRoutine.h: Removed.
25926 * jit/JITCall.cpp:
25927 (JSC::JIT::compileOpCall):
25928 * jit/JITCall32_64.cpp:
25929 (JSC::JIT::compileOpCall):
25930 * jit/JITOperations.cpp:
25931 * jit/JITOperations.h:
25932 (JSC::operationLinkPolymorphicCallFor):
25933 (JSC::operationLinkClosureCallFor): Deleted.
25934 * jit/JITStubRoutine.h:
25935 * jit/JITWriteBarrier.h:
25936 * jit/PolymorphicCallStubRoutine.cpp: Added.
25937 (JSC::PolymorphicCallNode::~PolymorphicCallNode):
25938 (JSC::PolymorphicCallNode::unlink):
25939 (JSC::PolymorphicCallCase::dump):
25940 (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
25941 (JSC::PolymorphicCallStubRoutine::~PolymorphicCallStubRoutine):
25942 (JSC::PolymorphicCallStubRoutine::variants):
25943 (JSC::PolymorphicCallStubRoutine::edges):
25944 (JSC::PolymorphicCallStubRoutine::visitWeak):
25945 (JSC::PolymorphicCallStubRoutine::markRequiredObjectsInternal):
25946 * jit/PolymorphicCallStubRoutine.h: Added.
25947 (JSC::PolymorphicCallNode::PolymorphicCallNode):
25948 (JSC::PolymorphicCallCase::PolymorphicCallCase):
25949 (JSC::PolymorphicCallCase::variant):
25950 (JSC::PolymorphicCallCase::codeBlock):
25951 * jit/Repatch.cpp:
25952 (JSC::linkSlowFor):
25953 (JSC::linkFor):
25954 (JSC::revertCall):
25955 (JSC::unlinkFor):
25956 (JSC::linkVirtualFor):
25957 (JSC::linkPolymorphicCall):
25958 (JSC::linkClosureCall): Deleted.
25959 * jit/Repatch.h:
25960 * jit/ThunkGenerators.cpp:
25961 (JSC::linkPolymorphicCallForThunkGenerator):
25962 (JSC::linkPolymorphicCallThunkGenerator):
25963 (JSC::linkPolymorphicCallThatPreservesRegsThunkGenerator):
25964 (JSC::linkClosureCallForThunkGenerator): Deleted.
25965 (JSC::linkClosureCallThunkGenerator): Deleted.
25966 (JSC::linkClosureCallThatPreservesRegsThunkGenerator): Deleted.
25967 * jit/ThunkGenerators.h:
25968 (JSC::linkPolymorphicCallThunkGeneratorFor):
25969 (JSC::linkClosureCallThunkGeneratorFor): Deleted.
25970 * llint/LLIntSlowPaths.cpp:
25971 (JSC::LLInt::jitCompileAndSetHeuristics):
25972 * runtime/Options.h:
25973 * runtime/VM.cpp:
25974 (JSC::VM::prepareToDiscardCode):
25975 (JSC::VM::ensureCallEdgeLog): Deleted.
25976 * runtime/VM.h:
25977
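As an added illustration of the call-site cache state machine the r179357 entry above describes (this is not JSC code; CallSiteCache, dispatch, inlineCandidates and the callee limit are hypothetical stand-ins), the following C++ model walks one call site from unlinked, to monomorphic, to a polymorphic stub that is rewritten for each new callee, and finally to a plain virtual call once the limit is hit:

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical model (added example, not JSC code) of the per-call-site
// inline cache described in the ChangeLog entry for bug 140660.
enum class CallCacheState { Unlinked, Monomorphic, Polymorphic, Virtual };

using Callee = int;  // stand-in for a callee's identity (e.g. a CodeBlock)

struct CallSiteCache {
    CallCacheState state = CallCacheState::Unlinked;
    std::vector<Callee> knownCallees;  // the cases the out-of-line stub tests
    size_t stubRewrites = 0;            // how many times the stub was regenerated
    size_t maxCallees;                  // limit before falling back to a virtual call

    explicit CallSiteCache(size_t limit) : maxCallees(limit) {}
};

// Simulate one call through the site. Returns true when the call hits a cached
// case (fast path) and false when it takes the slow path that relinks the cache,
// mirroring the linkFor / linkPolymorphicCall / linkVirtualFor split above.
bool dispatch(CallSiteCache& cache, Callee callee)
{
    if (cache.state == CallCacheState::Virtual)
        return true;  // plain virtual call: always dispatches, never inlines

    bool known = std::find(cache.knownCallees.begin(), cache.knownCallees.end(), callee)
        != cache.knownCallees.end();
    if (known)
        return true;

    // Miss. An unlinked site links monomorphically; otherwise the stub is
    // rewritten to include the new callee, or the site goes virtual at the limit.
    if (cache.state == CallCacheState::Unlinked) {
        cache.knownCallees.push_back(callee);
        cache.state = CallCacheState::Monomorphic;
        return false;
    }
    if (cache.knownCallees.size() >= cache.maxCallees) {
        cache.knownCallees.clear();  // the virtual call keeps no per-callee cases
        cache.state = CallCacheState::Virtual;
        return false;
    }
    cache.knownCallees.push_back(callee);
    cache.state = CallCacheState::Polymorphic;
    ++cache.stubRewrites;
    return false;
}

// What a CallLinkStatus-style query would offer the DFG for inlining: every
// callee the cache has seen, or nothing once the site has gone virtual.
std::vector<Callee> inlineCandidates(const CallSiteCache& cache)
{
    if (cache.state == CallCacheState::Virtual)
        return {};
    return cache.knownCallees;
}

// Drive a site through a sequence of callees and report its final state.
CallCacheState runSequence(CallSiteCache& cache, const std::vector<Callee>& callees)
{
    for (Callee c : callees)
        dispatch(cache, c);
    return cache.state;
}
```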
259782015-01-29 Joseph Pecoraro <pecoraro@apple.com>
25979
25980 Web Inspector: ES6: Improved Console Format for Set and Map Objects (like Arrays)
25981 https://bugs.webkit.org/show_bug.cgi?id=122867
25982
25983 Reviewed by Timothy Hatcher.
25984
25985 Add new Runtime.RemoteObject object subtypes for "map", "set", and "weakmap".
25986
25987 Upgrade Runtime.ObjectPreview to include type/subtype information. Now,
25988 an ObjectPreview can be used for any value, in place of a RemoteObject,
25989 and not capture / hold a reference to the value. The value will be in
25990 the string description.
25991
25992 Adding this information to ObjectPreview can duplicate some information
25993 in the protocol messages if a preview is provided, but simplifies
25994 previews, so that all the information you need for any RemoteObject
25995 preview is available. To slim messages further, make "overflow" and
25996 "properties" only available on previews that may contain properties.
25997 So, not primitives or null.
25998
25999 Finally, for "Map/Set/WeakMap" add an "entries" list to the preview
26000 that will return previews with "key" and "value" properties depending
26001 on the collection type. To get live, non-preview objects from a
26002 collection, use Runtime.getCollectionEntries.
26003
26004 In order to keep the WeakMap's values Weak the frontend may provide
26005 a unique object group name when getting collection entries. It may
26006 then release that object group, e.g. when not showing the WeakMap's
26007 values to the user, and thus remove the strong reference to the keys
26008 so they may be garbage collected.
26009
26010 * runtime/WeakMapData.h:
26011 (JSC::WeakMapData::begin):
26012 (JSC::WeakMapData::end):
26013 Expose iterators so the Inspector may access WeakMap keys/values.
26014
26015 * inspector/JSInjectedScriptHostPrototype.cpp:
26016 (Inspector::JSInjectedScriptHostPrototype::finishCreation):
26017 (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
26018 * inspector/JSInjectedScriptHost.h:
26019 * inspector/JSInjectedScriptHost.cpp:
26020 (Inspector::JSInjectedScriptHost::subtype):
26021 Discern "map", "set", and "weakmap" object subtypes.
26022
26023 (Inspector::JSInjectedScriptHost::weakMapEntries):
26024 Return a list of WeakMap entries. These are strong references
26025 that the Inspector code is responsible for releasing.
26026
26027 * inspector/protocol/Runtime.json:
26028 Update types and expose the new getCollectionEntries command.
26029
26030 * inspector/agents/InspectorRuntimeAgent.h:
26031 * inspector/agents/InspectorRuntimeAgent.cpp:
26032 (Inspector::InspectorRuntimeAgent::getCollectionEntries):
26033 * inspector/InjectedScript.h:
26034 * inspector/InjectedScript.cpp:
26035 (Inspector::InjectedScript::getInternalProperties):
26036 (Inspector::InjectedScript::getCollectionEntries):
26037 Pass through to the InjectedScript and call getCollectionEntries.
26038
26039 * inspector/scripts/codegen/generator.py:
26040 Add another type with runtime casting.
26041
26042 * inspector/InjectedScriptSource.js:
26043 - Implement getCollectionEntries to get a range of values from a
26044 collection. The non-Weak collections have an order to their keys (in
26045 order of added) so range'd gets are okay. WeakMap does not have an
26046 order, so only allow fetching a number of values.
26047 - Update preview generation to address the Runtime.ObjectPreview
26048 type changes.
26049
260502015-01-28 Geoffrey Garen <ggaren@apple.com>
26051
26052 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
26053 https://bugs.webkit.org/show_bug.cgi?id=140900
26054
26055 Reviewed by Mark Hahnenberg.
26056
26057 Re-landing just the GCArraySegment piece of this patch.
26058
26059 * heap/CodeBlockSet.cpp:
26060 (JSC::CodeBlockSet::CodeBlockSet):
26061 * heap/CodeBlockSet.h:
26062 * heap/GCSegmentedArray.h:
26063 (JSC::GCArraySegment::GCArraySegment):
26064 * heap/GCSegmentedArrayInlines.h:
26065 (JSC::GCSegmentedArray<T>::GCSegmentedArray):
26066 (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
26067 (JSC::GCSegmentedArray<T>::clear):
26068 (JSC::GCSegmentedArray<T>::expand):
26069 (JSC::GCSegmentedArray<T>::refill):
26070 (JSC::GCArraySegment<T>::create):
26071 (JSC::GCArraySegment<T>::destroy):
26072 * heap/GCThreadSharedData.cpp:
26073 (JSC::GCThreadSharedData::GCThreadSharedData):
26074 * heap/Heap.cpp:
26075 (JSC::Heap::Heap):
26076 * heap/MarkStack.cpp:
26077 (JSC::MarkStackArray::MarkStackArray):
26078 * heap/MarkStack.h:
26079 * heap/SlotVisitor.cpp:
26080 (JSC::SlotVisitor::SlotVisitor):
26081
260822015-01-29 Csaba Osztrogonác <ossy@webkit.org>
26083
26084 Move HAVE_DTRACE definition back to Platform.h
26085 https://bugs.webkit.org/show_bug.cgi?id=141033
26086
26087 Reviewed by Dan Bernstein.
26088
26089 * Configurations/Base.xcconfig:
26090 * JavaScriptCore.xcodeproj/project.pbxproj:
26091
260922015-01-28 Geoffrey Garen <ggaren@apple.com>
26093
26094 Removed fastMallocForbid / fastMallocAllow
26095 https://bugs.webkit.org/show_bug.cgi?id=141012
26096
26097 Reviewed by Mark Hahnenberg.
26098
26099 Copy non-current thread stacks before scanning them instead of scanning
26100 them in-place.
26101
26102 This operation is uncommon (i.e., never in the web content process),
26103 and even in a stress test with 4 threads it only copies about 27kB,
26104 so I think the performance cost is OK.
26105
26106 Scanning in-place requires a complex dance where we constrain our GC
26107 data structures not to use malloc, free, or any other interesting functions
26108 that might acquire locks. We've gotten this wrong many times in the past,
26109 and I just got it wrong again yesterday. Since this code path is rarely
26110 tested, I want it to just make sense, and not depend on or constrain the
26111 details of the rest of the GC heap's design.
26112
26113 * heap/MachineStackMarker.cpp:
26114 (JSC::otherThreadStack): Factored out a helper function for dealing with
26115 unaligned and/or backwards pointers.
26116
26117 (JSC::MachineThreads::tryCopyOtherThreadStack): This is now the only
26118 constrained function, and it only calls memcpy and low-level thread APIs.
26119
26120 (JSC::MachineThreads::tryCopyOtherThreadStacks): The design here is that
26121 you do one pass over all the threads to compute their combined size,
26122 and then a second pass to do all the copying. In theory, the threads may
26123 grow in between passes, in which case you'll continue until the threads
26124 stop growing. In practice, you never continue.
26125
26126 (JSC::growBuffer): Helper function for growing.
26127
26128 (JSC::MachineThreads::gatherConservativeRoots):
26129 (JSC::MachineThreads::gatherFromOtherThread): Deleted.
26130 * heap/MachineStackMarker.h: Updated for interface changes.
26131
261322015-01-28 Brian J. Burg <burg@cs.washington.edu>
26133
26134 Web Inspector: remove CSS.setPropertyText, CSS.toggleProperty and related dead code
26135 https://bugs.webkit.org/show_bug.cgi?id=140961
26136
26137 Reviewed by Timothy Hatcher.
26138
26139 * inspector/protocol/CSS.json: Remove unused protocol methods.
26140
261412015-01-28 Dana Burkart <dburkart@apple.com>
26142
26143 Move ASan flag settings from DebugRelease.xcconfig to Base.xcconfig
26144 https://bugs.webkit.org/show_bug.cgi?id=136765
26145
26146 Reviewed by Alexey Proskuryakov.
26147
26148 * Configurations/Base.xcconfig:
26149 * Configurations/DebugRelease.xcconfig:
26150
261512015-01-27 Filip Pizlo <fpizlo@apple.com>
26152
26153 ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath, which is more precise
26154 https://bugs.webkit.org/show_bug.cgi?id=140980
26155
26156 Reviewed by Oliver Hunt.
26157
26158 * bytecode/CallLinkStatus.cpp:
26159 (JSC::CallLinkStatus::computeFor):
26160
261612015-01-27 Filip Pizlo <fpizlo@apple.com>
26162
26163 Move DFGBinarySwitch out of the DFG so that all of the JITs can use it
26164 https://bugs.webkit.org/show_bug.cgi?id=140959
26165
26166 Rubber stamped by Geoffrey Garen.
26167
26168 I want to use this for polymorphic stubs for https://bugs.webkit.org/show_bug.cgi?id=140660.
26169 This code no longer has DFG dependencies so this is a very clean move.
26170
26171 * CMakeLists.txt:
26172 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
26173 * JavaScriptCore.xcodeproj/project.pbxproj:
26174 * dfg/DFGBinarySwitch.cpp: Removed.
26175 * dfg/DFGBinarySwitch.h: Removed.
26176 * dfg/DFGSpeculativeJIT.cpp:
26177 * jit/BinarySwitch.cpp: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.cpp.
26178 * jit/BinarySwitch.h: Copied from Source/JavaScriptCore/dfg/DFGBinarySwitch.h.
26179
261802015-01-27 Commit Queue <commit-queue@webkit.org>
26181
26182 Unreviewed, rolling out r179192.
26183 https://bugs.webkit.org/show_bug.cgi?id=140953
26184
26185 Caused numerous layout test failures (Requested by mattbaker_
26186 on #webkit).
26187
26188 Reverted changeset:
26189
26190 "Use FastMalloc (bmalloc) instead of BlockAllocator for GC
26191 pages"
26192 https://bugs.webkit.org/show_bug.cgi?id=140900
26193 http://trac.webkit.org/changeset/179192
26194
261952015-01-27 Michael Saboff <msaboff@apple.com>
26196
26197 REGRESSION(r178591): 20% regression in Octane box2d
26198 https://bugs.webkit.org/show_bug.cgi?id=140948
26199
26200 Reviewed by Geoffrey Garen.
26201
26202 Added check that we have a lexical environment to the arguments is captured check.
26203 It doesn't make sense to resolve "arguments" when it really isn't captured.
26204
26205 * bytecompiler/BytecodeGenerator.cpp:
26206 (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
26207
262082015-01-26 Geoffrey Garen <ggaren@apple.com>
26209
26210 Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
26211 https://bugs.webkit.org/show_bug.cgi?id=140900
26212
26213 Reviewed by Mark Hahnenberg.
26214
26215 Removes some more custom allocation code.
26216
26217 Looks like a speedup. (See results attached to bugzilla.)
26218
26219 Will hopefully reduce memory use by improving sharing between the GC and
26220 malloc heaps.
26221
26222 * API/JSBase.cpp:
26223 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
26224 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
26225 * JavaScriptCore.xcodeproj/project.pbxproj: Feed the compiler.
26226
26227 * heap/BlockAllocator.cpp: Removed.
26228 * heap/BlockAllocator.h: Removed. No need for a custom allocator anymore.
26229
26230 * heap/CodeBlockSet.cpp:
26231 (JSC::CodeBlockSet::CodeBlockSet):
26232 * heap/CodeBlockSet.h: Feed the compiler.
26233
26234 * heap/CopiedBlock.h:
26235 (JSC::CopiedBlock::createNoZeroFill):
26236 (JSC::CopiedBlock::create):
26237 (JSC::CopiedBlock::CopiedBlock):
26238 (JSC::CopiedBlock::isOversize):
26239 (JSC::CopiedBlock::payloadEnd):
26240 (JSC::CopiedBlock::capacity):
26241 * heap/CopiedBlockInlines.h:
26242 (JSC::CopiedBlock::reportLiveBytes): Each copied block now tracks its
26243 own size, since we can't rely on Region to tell us our size anymore.
26244
26245 * heap/CopiedSpace.cpp:
26246 (JSC::CopiedSpace::~CopiedSpace):
26247 (JSC::CopiedSpace::tryAllocateOversize):
26248 (JSC::CopiedSpace::tryReallocateOversize):
26249 * heap/CopiedSpaceInlines.h:
26250 (JSC::CopiedSpace::recycleEvacuatedBlock):
26251 (JSC::CopiedSpace::recycleBorrowedBlock):
26252 (JSC::CopiedSpace::allocateBlockForCopyingPhase):
26253 (JSC::CopiedSpace::allocateBlock):
26254 (JSC::CopiedSpace::startedCopying): Deallocate blocks directly, rather
26255 than pushing them onto the block allocator's free list; the block
26256 allocator doesn't exist anymore.
26257
26258 * heap/CopyWorkList.h:
26259 (JSC::CopyWorkListSegment::create):
26260 (JSC::CopyWorkListSegment::CopyWorkListSegment):
26261 (JSC::CopyWorkList::~CopyWorkList):
26262 (JSC::CopyWorkList::append):
26263 (JSC::CopyWorkList::CopyWorkList): Deleted.
26264 * heap/GCSegmentedArray.h:
26265 (JSC::GCArraySegment::GCArraySegment):
26266 * heap/GCSegmentedArrayInlines.h:
26267 (JSC::GCSegmentedArray<T>::GCSegmentedArray):
26268 (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
26269 (JSC::GCSegmentedArray<T>::clear):
26270 (JSC::GCSegmentedArray<T>::expand):
26271 (JSC::GCSegmentedArray<T>::refill):
26272 (JSC::GCArraySegment<T>::create):
26273 * heap/GCThreadSharedData.cpp:
26274 (JSC::GCThreadSharedData::GCThreadSharedData):
26275 * heap/GCThreadSharedData.h: Feed the compiler.
26276
26277 * heap/HandleBlock.h:
26278 * heap/HandleBlockInlines.h:
26279 (JSC::HandleBlock::create):
26280 (JSC::HandleBlock::HandleBlock):
26281 (JSC::HandleBlock::payloadEnd):
26282 * heap/HandleSet.cpp:
26283 (JSC::HandleSet::~HandleSet):
26284 (JSC::HandleSet::grow): Same as above.
26285
26286 * heap/Heap.cpp:
26287 (JSC::Heap::Heap):
26288 * heap/Heap.h: Removed the block allocator since it is unused now.
26289
26290 * heap/HeapBlock.h:
26291 (JSC::HeapBlock::destroy):
26292 (JSC::HeapBlock::HeapBlock):
26293 (JSC::HeapBlock::region): Deleted. Removed the Region pointer from each
26294 HeapBlock since a HeapBlock is just a normal allocation now.
26295
26296 * heap/HeapInlines.h:
26297 (JSC::Heap::blockAllocator): Deleted.
26298
26299 * heap/HeapTimer.cpp:
26300 * heap/MarkStack.cpp:
26301 (JSC::MarkStackArray::MarkStackArray):
26302 * heap/MarkStack.h: Feed the compiler.
26303
26304 * heap/MarkedAllocator.cpp:
26305 (JSC::MarkedAllocator::allocateBlock): No need to use a custom code path
26306 based on size, since we use a general purpose allocator now.
26307
26308 * heap/MarkedBlock.cpp:
26309 (JSC::MarkedBlock::create):
26310 (JSC::MarkedBlock::destroy):
26311 (JSC::MarkedBlock::MarkedBlock):
26312 * heap/MarkedBlock.h:
26313 (JSC::MarkedBlock::capacity): Track block size explicitly, like CopiedBlock.
26314
26315 * heap/MarkedSpace.cpp:
26316 (JSC::MarkedSpace::freeBlock):
26317 * heap/MarkedSpace.h:
26318
26319 * heap/Region.h: Removed.
26320
26321 * heap/SlotVisitor.cpp:
26322 (JSC::SlotVisitor::SlotVisitor): Removed reference to block allocator.
26323
26324 * heap/SuperRegion.cpp: Removed.
26325 * heap/SuperRegion.h: Removed.
26326
26327 * heap/WeakBlock.cpp:
26328 (JSC::WeakBlock::create):
26329 (JSC::WeakBlock::WeakBlock):
26330 * heap/WeakBlock.h:
26331 * heap/WeakSet.cpp:
26332 (JSC::WeakSet::~WeakSet):
26333 (JSC::WeakSet::addAllocator):
26334 (JSC::WeakSet::removeAllocator): Removed reference to block allocator.
26335
263362015-01-27 Csaba Osztrogonác <ossy@webkit.org>
26337
26338 [ARM] Typo fix after r176083
26339 https://bugs.webkit.org/show_bug.cgi?id=140937
26340
26341 Reviewed by Anders Carlsson.
26342
26343 * assembler/ARMv7Assembler.h:
26344 (JSC::ARMv7Assembler::ldrh):
26345
263462015-01-27 Csaba Osztrogonác <ossy@webkit.org>
26347
26348 [Win] Unreviewed gardening, skip failing tests.
26349
26350 * tests/exceptionFuzz.yaml: Skip exception fuzz tests due to bug140928.
26351 * tests/mozilla/mozilla-tests.yaml: Skip ecma/Date/15.9.5.28-1.js due to bug140927.
26352
2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Win] Enable JSC stress tests by default
        https://bugs.webkit.org/show_bug.cgi?id=128307

        Unreviewed typo fix after r179165.

        * tests/mozilla/mozilla-tests.yaml:

2015-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Win] Enable JSC stress tests by default
        https://bugs.webkit.org/show_bug.cgi?id=128307

        Reviewed by Brent Fulgham.

        * tests/mozilla/mozilla-tests.yaml: Skipped on Windows.
        * tests/stress/ftl-arithcos.js: Skipped on Windows.

2015-01-26  Ryosuke Niwa  <rniwa@webkit.org>

        Parse a function expression as a primary expression
        https://bugs.webkit.org/show_bug.cgi?id=140908

        Reviewed by Mark Lam.

        Moved the code to generate an AST node for a function expression from parseMemberExpression
        to parsePrimaryExpression to match the ES6 specification terminology:
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-primary-expression

        There should be no behavior change from this change since parsePrimaryExpression is only
        called in parseMemberExpression, other than the fact that failIfStackOverflow() is called.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):

2015-01-26  Myles C. Maxfield  <mmaxfield@apple.com>

        [iOS] [SVG -> OTF Converter] Flip the switch off on iOS
        https://bugs.webkit.org/show_bug.cgi?id=140860

        Reviewed by Darin Adler.

        The fonts it makes are grotesque. (See what I did there? Typographic
        humor is the best humor.)

        * Configurations/FeatureDefines.xcconfig:

2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Rename InjectedScriptHost::type to subtype
        https://bugs.webkit.org/show_bug.cgi?id=140841

        Reviewed by Timothy Hatcher.

        We were using this to set the subtype of an "object" type RemoteObject
        so we should clean up the name and call it subtype.

        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptSource.js:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::type): Deleted.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionType): Deleted.

2015-01-23  Michael Saboff  <msaboff@apple.com>

        LayoutTests/js/script-tests/reentrant-caching.js crashing on 32 bit builds
        https://bugs.webkit.org/show_bug.cgi?id=140843

        Reviewed by Oliver Hunt.

        When we are in vmEntryToJavaScript, we keep the stack pointer at an
        alignment suitable for pointing to a call frame header, which is the
        alignment post making a call. We adjust the sp when calling to JS code,
        but don't adjust it before calling the out of stack handler.

        * llint/LowLevelInterpreter32_64.asm:
        Moved stack pointer down 8 bytes to get it aligned.

2015-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Object Previews in the Console
        https://bugs.webkit.org/show_bug.cgi?id=129204

        Reviewed by Timothy Hatcher.

        Update the very old, unused object preview code. Part of this comes from
        the earlier WebKit legacy implementation, and the Blink implementation.

        A RemoteObject may include a preview, if it is asked for, and if the
        RemoteObject is an object. Previews are a shallow (single level) list
        of a limited number of properties on the object. The previewed
        properties are always stringified (even if primitives). Previews are
        limited to just 5 properties or 100 indices. Previews are marked
        as lossless if they are a complete snapshot of the object.

        There is a path to make previews two levels deep, that is currently
        unused but should soon be used for tables (e.g. IndexedDB).

        * inspector/InjectedScriptSource.js:
        - Move some code off of InjectedScript to be generic functions
          usable by RemoteObject as well.
        - Update preview generation to use

        * inspector/protocol/Runtime.json:
        - Add a new type, "accessor" for preview objects. This represents
          a getter / setter. We currently don't get the value.

2015-01-23  Michael Saboff  <msaboff@apple.com>

        Immediate crash when setting JS breakpoint
        https://bugs.webkit.org/show_bug.cgi?id=140811

        Reviewed by Mark Lam.

        When the DFG stack layout phase doesn't allocate a register for the scope register,
        it incorrectly sets the scope register in the code block to a bad value, one with
        an offset of 0. Changed it so that we set the code block's scope register to the
        invalid VirtualRegister instead.

        No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
        We crash with that ASSERT in testapi and likely many other tests as well.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setScopeRegister):
        (JSC::CodeBlock::scopeRegister):
        Added ASSERTs to catch any future improper setting of the code block's scope register.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>

        EdenCollections unnecessarily visit SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=140762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores): Also added a GCPhase for copying
        backing stores, which is a significant portion of garbage collection.
        (JSC::Heap::visitSmallStrings): Check to see if we need to visit
        SmallStrings based on the collection type.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::visitStrongReferences): Set the fact that we have
        visited the SmallStrings since the last modification.
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::needsToBeVisited): If we're doing a
        FullCollection, we need to visit. Otherwise, it depends on whether
        we've been visited since the last modification/allocation.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        Add a build flag for ES6 class syntax
        https://bugs.webkit.org/show_bug.cgi?id=140760

        Reviewed by Michael Saboff.

        Added ES6_CLASS_SYNTAX build flag and used it in tokenizer to recognize
        "class", "extends", "static" and "super" keywords.

        * Configurations/FeatureDefines.xcconfig:
        * parser/Keywords.table:
        * parser/ParserTokens.h:

2015-01-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178894.
        https://bugs.webkit.org/show_bug.cgi?id=140775

        Broke JSC and bindings tests (Requested by ap_ on #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178894

2015-01-22  Mark Lam  <mark.lam@apple.com>

        BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
        <https://webkit.org/b/140743>

        Reviewed by Oliver Hunt.

        BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
        op_put_to_scope to an inappropriate value (i.e. 0). As a result, the execution
        of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
        for whichever captured variable is at local index 0. In practice, this turns
        out to be the local for the Arguments object. In the reproduction case in the
        bug, the wrong inferred value written there is the boolean true.

        Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
        a check of the local for the Arguments object. But because that local has a
        wrong inferred value, the check always discovers a non-null value and we never
        actually create the Arguments object. Immediately after this, an OSR exit
        occurs leaving the Arguments object local uninitialized. Later on at arguments
        tear off, we run into a boolean true where we had expected to find an Arguments
        object, which in turn leads to the crash.

        The fix is to:
        1. In the case where the resolveModeType is LocalClosureVar, change the
           5th operand of op_put_to_scope to be a boolean. True means that the
           local var is watchable. False means it is not watchable. We no longer
           pass the local index (instead of true) and UINT_MAX (instead of false).

           This allows us to express more clearly in the code what that value means,
           as well as remove the redundant way of getting the local's identifier.
           The identifier is always the one passed in the 2nd operand.

        2. Previously, though we intuitively knew that the watchable variable
           identifier should be the same as the one that is passed in operand 2, this
           relationship was not clear in the code. By code analysis, I confirmed that
           the callers of BytecodeGenerator::emitPutToScope() always use the same
           identifier for operand 2 and for filling out the ResolveScopeInfo from
           which we get the watchable variable identifier later. I've changed the
           code to make this clear now by always using the identifier passed in
           operand 2.

        3. In the case where the resolveModeType is LocalClosureVar,
           initializeCapturedVariable() and emitPutToScope() will now query
           hasWatchableVariable() to determine if the local is watchable or not.
           Accordingly, we pass the boolean result of hasWatchableVariable() as
           operand 5 of op_put_to_scope.

        Also added some assertions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::initializeCapturedVariable):
        (JSC::BytecodeGenerator::hasConstant):
        (JSC::BytecodeGenerator::emitPutToScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasWatchableVariable):
        (JSC::BytecodeGenerator::watchableVariableIdentifier):
        (JSC::BytecodeGenerator::watchableVariable): Deleted.

2015-01-22  Ryosuke Niwa  <rniwa@webkit.org>

        PropertyListNode::emitNode duplicates the code to put a constant property
        https://bugs.webkit.org/show_bug.cgi?id=140761

        Reviewed by Geoffrey Garen.

        Extracted PropertyListNode::emitPutConstantProperty to share the code.

        Also made PropertyListNode::emitBytecode private since nobody is calling this function directly.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::PropertyListNode::emitPutConstantProperty): Added.
        * parser/Nodes.h:

2015-01-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Geoffrey Garen.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
        It forces callers to check explicitly whether the value is an index or not.
        Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
        (JSC::toUInt32FromStringImpl):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):

2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>

        Consolidate out arguments of parseFunctionInfo into a struct
        https://bugs.webkit.org/show_bug.cgi?id=140754

        Reviewed by Oliver Hunt.

        Introduced ParserFunctionInfo for storing out arguments of parseFunctionInfo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty): This one takes a property name in addition to
        ParserFunctionInfo since the property name and the function name could differ.
        (JSC::ASTBuilder::createFuncDeclStatement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/Parser.h:
        * parser/ParserFunctionInfo.h: Added.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createClassDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2015-01-21  Mark Hahnenberg  <mhahnenb@gmail.com>

        Change Heap::m_compiledCode to use a Vector
        https://bugs.webkit.org/show_bug.cgi?id=140717

        Reviewed by Andreas Kling.

        Right now it's a DoublyLinkedList, which is iterated during each
        collection. This contributes to some of the longish Eden pause times.
        A Vector would be more appropriate and would also allow ExecutableBase
        to be 2 pointers smaller.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        (JSC::Heap::clearUnmarkedExecutables):
        * heap/Heap.h:
        * runtime/Executable.h: No longer need to inherit from DoublyLinkedListNode.

2015-01-21  Ryosuke Niwa  <rniwa@webkit.org>

        BytecodeGenerator shouldn't expose all of its member variables
        https://bugs.webkit.org/show_bug.cgi?id=140752

        Reviewed by Mark Lam.

        Added "private:" and removed unused data members as detected by clang.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::lastOpcodeID): Added. Used in BinaryOpNode::emitBytecode.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):

2015-01-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
        https://bugs.webkit.org/show_bug.cgi?id=140746

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        Do not add impure properties to the descriptor object that will
        eventually be sent to the frontend.

2015-01-21  Matthew Mirman  <mmirman@apple.com>

        Updated split such that it does not include the empty end of input string match.
        https://bugs.webkit.org/show_bug.cgi?id=138129
        <rdar://problem/18807403>

        Reviewed by Filip Pizlo.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):
        * tests/stress/empty_eos_regex_split.js: Added.

2015-01-21  Michael Saboff  <msaboff@apple.com>

        Eliminate Scope slot from JavaScript CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=136724

        Reviewed by Geoffrey Garen.

        This finishes the removal of the scope chain slot from the call frame header.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::emit):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * interpreter/JSStack.h:
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::dumpFrame):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        Deleted ScopeChain slot from JSStack. Removed all code where ScopeChain was being
        read or set. In most cases this was where we make JS calls.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::scope): Deleted.
        (JSC::ProtoCallFrame::setScope): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        Removed the related scopeChainValue member from ProtoCallFrame. Reduced the number of
        registers that needed to be copied from the ProtoCallFrame to a callee's frame
        from 5 to 4.

        * llint/LowLevelInterpreter32_64.asm:
        In addition to the prior changes, also deleted the unused macro getDeBruijnScope.

2015-01-21  Michael Saboff  <msaboff@apple.com>

        Eliminate construct methods from NullGetterFunction and NullSetterFunction classes
        https://bugs.webkit.org/show_bug.cgi?id=140708

        Reviewed by Mark Lam.

        Eliminated construct methods and changed getConstructData() for both classes to return
        ConstructTypeNone as they can never be called.

        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunction::getConstructData):
        (JSC::constructReturnUndefined): Deleted.
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunction::getConstructData):
        (JSC::constructReturnUndefined): Deleted.

2015-01-21  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(INSPECTOR) ifdef guards
        https://bugs.webkit.org/show_bug.cgi?id=140668

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:
        * bindings/ScriptValue.cpp:
        (Deprecated::ScriptValue::toInspectorValue):
        * bindings/ScriptValue.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/ContentSearchUtilities.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScript.cpp:
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptModule.cpp:
        * inspector/InjectedScriptModule.h:
        * inspector/InspectorAgentRegistry.cpp:
        * inspector/InspectorBackendDispatcher.cpp:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/JavaScriptCallFrame.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (CppGeneratorTemplates):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::inspectorRepresentation):

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Clean up InjectedScriptSource.js
        https://bugs.webkit.org/show_bug.cgi?id=140709

        Reviewed by Timothy Hatcher.

        This patch includes some relevant Blink patches and small changes.

        Patch by <aandrey@chromium.org>
        DevTools: Remove console last result $_ on console clear.
        https://src.chromium.org/viewvc/blink?revision=179179&view=revision

        Patch by <eustas@chromium.org>
        [Inspect DOM properties] incorrect CSS Selector Syntax
        https://src.chromium.org/viewvc/blink?revision=156903&view=revision

        * inspector/InjectedScriptSource.js:

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup RuntimeAgent a bit
        https://bugs.webkit.org/show_bug.cgi?id=140706

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScript.h:
        * inspector/InspectorBackendDispatcher.h:
        * inspector/ScriptCallFrame.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::run):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):

2015-01-20  Matthew Mirman  <mmirman@apple.com>

        Made Identity in the DFG allocate a new temp register and move
        the old data to it.
        https://bugs.webkit.org/show_bug.cgi?id=140700
        <rdar://problem/19339106>

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        Added scratch registers for Identity.
        * tests/mozilla/mozilla-tests.yaml: enabled previously failing test

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
        https://bugs.webkit.org/show_bug.cgi?id=137306

        Reviewed by Timothy Hatcher.

        Provide another optional parameter to getProperties, to gather a list
        of all own and getter properties.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptSource.js:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2015-01-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should show dynamic specificity values
        https://bugs.webkit.org/show_bug.cgi?id=140647

        Reviewed by Benjamin Poulain.

        * inspector/protocol/CSS.json:
        Clarify CSSSelector optional values and add "dynamic" property indicating
        if the selector can be dynamic based on the element it is matched against.

2015-01-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r178751.
        https://bugs.webkit.org/show_bug.cgi?id=140694

        Caused 32-bit JSC test failures (Requested by JoePeck on
        #webkit).

        Reverted changeset:

        "put_by_val_direct need to check the property is index or not
        for using putDirect / putDirectIndex"
        https://bugs.webkit.org/show_bug.cgi?id=140426
        http://trac.webkit.org/changeset/178751

2015-01-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
        https://bugs.webkit.org/show_bug.cgi?id=140426

        Reviewed by Geoffrey Garen.

        In the put_by_val_direct operation, we use JSObject::putDirect.
        However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
        It forces callers to check explicitly whether the value is an index or not.
        Additionally, it checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStubAndGetOldStructure):
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
        (JSC::JSGenericTypedArrayView<Adaptor>::put):
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        * runtime/JSString.cpp:
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
        (JSC::toUInt32FromStringImpl):
        (JSC::PropertyName::asIndex):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
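
The index-versus-named-property split that both put_by_val_direct entries (this one and the 2015-01-22 re-landing) describe, as an added example that is not JavaScriptCore's own code: a hypothetical stand-in for Identifier::asIndex() named asIndex, using the canonical-decimal rule and the 0xFFFFFFFE upper bound that JSC applies, plus a toy object (ToyObject, putDirectMayBeIndex, get, buggyPutIsVisibleToIndexedRead are all constructed for this example) whose store dispatches to indexed or named storage the way the fixed operation does, beside the unconditional named store the entry replaces.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <string>

// JSC reserves 0xFFFFFFFF, so the largest property name that is an array index
// is 4294967294. Anything larger is an ordinary named property.
constexpr uint32_t kMaxArrayIndex = 0xFFFFFFFEu;

// Hypothetical stand-in for Identifier::asIndex(): the key is an index only if
// it is the canonical decimal spelling of an integer in [0, kMaxArrayIndex].
// Returning std::optional forces every caller to handle the "not an index" case.
std::optional<uint32_t> asIndex(const std::string& name)
{
    // Empty, or longer than the 10 digits of 4294967294, can never be an index.
    if (name.empty() || name.size() > 10)
        return std::nullopt;
    // A leading zero is only canonical for "0" itself: "01" is a named property.
    if (name.size() > 1 && name[0] == '0')
        return std::nullopt;
    uint64_t value = 0;
    for (char c : name) {
        if (c < '0' || c > '9')          // "-1", "1e3", "1.0" are all named properties
            return std::nullopt;
        value = value * 10 + static_cast<uint64_t>(c - '0');
    }
    if (value > kMaxArrayIndex)          // "4294967295" and above are named properties
        return std::nullopt;
    return static_cast<uint32_t>(value);
}

// Toy object with the two storages the real JSObject keeps apart:
// putDirect writes to the named slots, putDirectIndex to the indexed ones.
struct ToyObject {
    std::map<std::string, std::string> named;
    std::map<uint32_t, std::string> indexed;
};

// Mirrors the fixed put_by_val_direct: stringify the key, then pick the storage
// by asking asIndex() rather than assuming every key is a named property.
void putDirectMayBeIndex(ToyObject& object, const std::string& key, const std::string& value)
{
    if (auto index = asIndex(key))
        object.indexed[*index] = value;
    else
        object.named[key] = value;
}

// Lookup that makes the same decision, so "0" stored as an index is found as "0".
std::optional<std::string> get(const ToyObject& object, const std::string& key)
{
    if (auto index = asIndex(key)) {
        auto it = object.indexed.find(*index);
        if (it == object.indexed.end())
            return std::nullopt;
        return it->second;
    }
    auto it = object.named.find(key);
    if (it == object.named.end())
        return std::nullopt;
    return it->second;
}

// The defect the entry describes: a store that always uses the named storage
// leaves the indexed storage empty, so an index-aware reader never sees the value.
bool buggyPutIsVisibleToIndexedRead(const std::string& key)
{
    ToyObject object;
    object.named[key] = "value";   // unconditional putDirect, as before the fix
    return get(object, key).has_value();
}

int main()
{
    ToyObject object;
    putDirectMayBeIndex(object, "0", "first");
    putDirectMayBeIndex(object, "01", "not an index");
    putDirectMayBeIndex(object, "4294967295", "too large");
    std::cout << "indexed slots: " << object.indexed.size()
              << ", named slots: " << object.named.size() << '\n';   // 1 and 2
    std::cout << "buggy store of \"0\" visible to index read: "
              << buggyPutIsVisibleToIndexedRead("0") << '\n';          // 0
    return 0;
}
```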
27107
271082015-01-20 Michael Saboff <msaboff@apple.com>
27109
27110 REGRESSION(178696): Sporadic crashes while garbage collecting
27111 https://bugs.webkit.org/show_bug.cgi?id=140688
27112
27113 Reviewed by Geoffrey Garen.
27114
27115 Added missing visitor.append(&thisObject->m_nullSetterFunction).
27116
27117 * runtime/JSGlobalObject.cpp:
27118 (JSC::JSGlobalObject::visitChildren):
27119
271202015-01-19 Brian J. Burg <burg@cs.washington.edu>
27121
27122 Web Replay: code generator should take supplemental specifications and allow cross-framework references
27123 https://bugs.webkit.org/show_bug.cgi?id=136312
27124
27125 Reviewed by Joseph Pecoraro.
27126
27127 Some types are shared between replay inputs from different frameworks.
27128 Previously, these type declarations were duplicated in every input
27129 specification file in which they were used. This caused some type encoding
27130 traits to be emitted twice if used from WebCore inputs and WebKit2 inputs.
27131
27132 This patch teaches the replay inputs code generator to accept multiple
27133 input specification files. Inputs can freely reference types from other
27134 frameworks without duplicating declarations.
27135
27136 On the code generation side, the model could contain types and inputs from
27137 frameworks that are not the target framework. Only generate code for the
27138 target framework.
27139
27140 To properly generate cross-framework type encoding traits, use
27141 Type.encoding_type_argument in more places, and add the export macro for WebCore
27142 and the Test framework.
27143
27144 Adjust some tests so that enum coverage is preserved by moving the enum types
27145 into "Test" (the target framework for tests).
27146
27147 * JavaScriptCore.vcxproj/copy-files.cmd:
27148 For Windows, copy over JSInputs.json as if it were a private header.
27149
27150 * JavaScriptCore.xcodeproj/project.pbxproj: Make JSInputs.json a private header.
27151 * replay/JSInputs.json:
27152 Put all primitive types and WTF types in this specification file.
27153
27154 * replay/scripts/CodeGeneratorReplayInputs.py:
27155 (Input.__init__):
27156 (InputsModel.__init__): Keep track of the input's framework.
27157 (InputsModel.parse_specification): Parse the framework here. Adjust to new format,
27158 and allow either types or inputs to be missing from a single file.
27159
27160 (InputsModel.parse_type_with_framework):
27161 (InputsModel.parse_input_with_framework):
27162 (Generator.should_generate_item): Added helper method.
27163 (Generator.generate_header): Filter inputs to generate.
27164 (Generator.generate_implementation): Filter inputs to generate.
27165 (Generator.generate_enum_trait_declaration): Filter enums to generate.
27166 Add WEBCORE_EXPORT macro to enum encoding traits.
27167
27168 (Generator.generate_for_each_macro): Filter inputs to generate.
27169 (Generator.generate_enum_trait_implementation): Filter enums to generate.
27170 (generate_from_specifications): Added.
27171 (generate_from_specifications.parse_json_from_file):
27172 (InputsModel.parse_toplevel): Deleted.
27173 (InputsModel.parse_type_with_framework_name): Deleted.
27174 (InputsModel.parse_input): Deleted.
27175 (generate_from_specification): Deleted.
27176 * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
27177 * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Removed.
27178 * replay/scripts/tests/expected/fail-on-no-types.json-error: Removed.
27179 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
27180 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
27181 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
27182 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
27183 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
27184 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
27185 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
27186 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
27187 * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
27188 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
27189 * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
27190 * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
27191 * replay/scripts/tests/fail-on-c-style-enum-no-storage.json:
27192 * replay/scripts/tests/fail-on-duplicate-enum-type.json:
27193 * replay/scripts/tests/fail-on-duplicate-input-names.json:
27194 * replay/scripts/tests/fail-on-duplicate-type-names.json:
27195 * replay/scripts/tests/fail-on-enum-type-missing-values.json:
27196 * replay/scripts/tests/fail-on-missing-input-member-name.json:
27197 * replay/scripts/tests/fail-on-missing-input-name.json:
27198 * replay/scripts/tests/fail-on-missing-input-queue.json:
27199 * replay/scripts/tests/fail-on-missing-type-mode.json:
27200 * replay/scripts/tests/fail-on-missing-type-name.json:
27201 * replay/scripts/tests/fail-on-no-inputs.json:
27202 Removed, no longer required to be in a single file.
27203
27204 * replay/scripts/tests/fail-on-no-types.json:
27205 Removed, no longer required to be in a single file.
27206
27207 * replay/scripts/tests/fail-on-unknown-input-queue.json:
27208 * replay/scripts/tests/fail-on-unknown-member-type.json:
27209 * replay/scripts/tests/fail-on-unknown-type-mode.json:
27210 * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json:
27211 * replay/scripts/tests/generate-enum-encoding-helpers.json:
27212 * replay/scripts/tests/generate-enum-with-guard.json:
27213 Include enums that are and are not generated.
27214
27215 * replay/scripts/tests/generate-enums-with-same-base-name.json:
27216 * replay/scripts/tests/generate-event-loop-shape-types.json:
27217 * replay/scripts/tests/generate-input-with-guard.json:
27218 * replay/scripts/tests/generate-input-with-vector-members.json:
27219 * replay/scripts/tests/generate-inputs-with-flags.json:
27220 * replay/scripts/tests/generate-memoized-type-modes.json:
27221
272222015-01-20 Tomas Popela <tpopela@redhat.com>
27223
27224 [GTK] Cannot compile 2.7.3 on PowerPC machines
27225 https://bugs.webkit.org/show_bug.cgi?id=140616
27226
27227 Include climits for INT_MAX and wtf/DataLog.h for dataLogF
27228
27229 Reviewed by Csaba Osztrogonác.
27230
27231 * runtime/BasicBlockLocation.cpp:
27232
272332015-01-19 Michael Saboff <msaboff@apple.com>
27234
27235 A "cached" null setter should throw a TypeException when called in strict mode and doesn't
27236 https://bugs.webkit.org/show_bug.cgi?id=139418
27237
27238 Reviewed by Filip Pizlo.
27239
27240 Made a new NullSetterFunction class similar to NullGetterFunction. The difference is that
27241 NullSetterFunction will throw a TypeError per the ECMA262 spec for a strict mode caller.
27242
27243 * CMakeLists.txt:
27244 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
27245 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
27246 * JavaScriptCore.xcodeproj/project.pbxproj:
27247 Added new files NullSetterFunction.cpp and NullSetterFunction.h.
27248
27249 * runtime/GetterSetter.h:
27250 (JSC::GetterSetter::GetterSetter):
27251 (JSC::GetterSetter::isSetterNull):
27252 (JSC::GetterSetter::setSetter):
27253 Change setter instances from using NullGetterFunction to using NullSetterFunction.
27254
27255 * runtime/JSGlobalObject.cpp:
27256 (JSC::JSGlobalObject::init):
27257 * runtime/JSGlobalObject.h:
27258 (JSC::JSGlobalObject::nullSetterFunction):
27259 Added m_nullSetterFunction and accessor.
27260
27261 * runtime/NullSetterFunction.cpp: Added.
27262 (JSC::GetCallerStrictnessFunctor::GetCallerStrictnessFunctor):
27263 (JSC::GetCallerStrictnessFunctor::operator()):
27264 (JSC::GetCallerStrictnessFunctor::callerIsStrict):
27265 (JSC::callerIsStrict):
27266 Method to determine if the caller is in strict mode.
27267
27268 (JSC::callReturnUndefined):
27269 (JSC::constructReturnUndefined):
27270 (JSC::NullSetterFunction::getCallData):
27271 (JSC::NullSetterFunction::getConstructData):
27272 * runtime/NullSetterFunction.h: Added.
27273 (JSC::NullSetterFunction::create):
27274 (JSC::NullSetterFunction::createStructure):
27275 (JSC::NullSetterFunction::NullSetterFunction):
27276 Class with handlers for a null setter.
27277
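The strict-mode behaviour the entry above restores, as an added example that is not part of the ChangeLog or of JSC's own code: an accessor property with a getter but no setter is assigned to many times on objects of the same shape, so that an engine's put inline cache is exercised (the "cached" case of the bug title), and every strict-mode put must throw a TypeError while no sloppy-mode put may throw. The helper names are this example's own.

```javascript
// Added example, not from the WebKit ChangeLog or JSC. It checks the
// ECMA-262 behaviour that JSC's NullSetterFunction implements: [[Set]] on
// an accessor property that has no setter throws a TypeError in strict
// code and is silently ignored in sloppy code, on every call.

// One object shape used for every iteration: a getter-only accessor "x".
function makeGetterOnlyObject() {
  return Object.defineProperty({}, "x", {
    get() { return 1; },
    // no "set" here: the engine supplies its null setter for this slot
    configurable: true,
  });
}

// Strict-mode caller: the failed [[Set]] must surface as a TypeError.
function assignInStrictMode(obj) {
  "use strict";
  obj.x = 2;
}

// Sloppy-mode caller. Built with the Function constructor so it stays
// sloppy even when this file itself is loaded as a (strict) ES module.
const assignInSloppyMode = new Function("obj", "obj.x = 2;");

// Performs the same put `iterations` times on fresh objects of the same
// shape, so a JIT's property-access cache is hit after the first few
// calls, and returns how many of those puts threw a TypeError.
function countTypeErrors(assign, iterations) {
  let thrown = 0;
  for (let i = 0; i < iterations; i++) {
    const obj = makeGetterOnlyObject();
    try {
      assign(obj);
    } catch (e) {
      if (!(e instanceof TypeError)) throw e; // anything else is a real bug
      thrown++;
    }
    // Whatever the mode, the getter must still win: no value was stored.
    if (obj.x !== 1) throw new Error("getter-only property was overwritten");
  }
  return thrown;
}

// Expected: every strict put throws, no sloppy put does.
console.log(countTypeErrors(assignInStrictMode, 10000)); // 10000
console.log(countTypeErrors(assignInSloppyMode, 10000)); // 0
```
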
2015-01-19 Saam Barati <saambarati1@gmail.com>

        Web Inspector: Provide a front end for JSC's Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=138454

        Reviewed by Timothy Hatcher.

        This patch puts the final touches on what JSC needs to provide
        for the Web Inspector to show a UI for the control flow profiler.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
        * runtime/FunctionHasExecutedCache.cpp:
        (JSC::FunctionHasExecutedCache::getFunctionRanges):
        (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges): Deleted.
        * runtime/FunctionHasExecutedCache.h:

2015-01-19 David Kilzer <ddkilzer@apple.com>

        [iOS] Only use LLVM static library arguments on 64-bit builds of libllvmForJSC.dylib
        <http://webkit.org/b/140658>

        Reviewed by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig: Set OTHER_LDFLAGS_LLVM
        only when building for 64-bit architectures.

2015-01-19 Filip Pizlo <fpizlo@apple.com>

        ClosureCallStubRoutine no longer needs codeOrigin
        https://bugs.webkit.org/show_bug.cgi?id=140659

        Reviewed by Michael Saboff.

        Once upon a time, we would look for the CodeOrigin associated with a return PC. This search
        would start with the CodeBlock according to the caller frame's call frame header. But if the
        call was a closure call, the return PC would be inside some closure call stub. So if the
        CodeBlock search failed, we would search *all* closure call stub routines to see which one
        encompasses the return PC. Then, we would use the CodeOrigin stored in the stub routine
        object. This was all a bunch of madness, and we actually got rid of it - we now determine
        the CodeOrigin for a call frame using the encoded code origin bits inside the tag of the
        argument count.

        This patch removes the final vestiges of the madness:

        - Remove the totally unused method declaration for the thing that did the closure call stub
          search.

        - Remove the CodeOrigin field from the ClosureCallStubRoutine. Except for that crazy search
          that we no longer do, everyone else who finds a ClosureCallStubRoutine will find it via
          the CallLinkInfo. The CallLinkInfo also has the CodeOrigin, so we don't need this field
          anymore.

        * bytecode/CodeBlock.h:
        * jit/ClosureCallStubRoutine.cpp:
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/ClosureCallStubRoutine.h:
        (JSC::ClosureCallStubRoutine::executable):
        (JSC::ClosureCallStubRoutine::codeOrigin): Deleted.
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):

2015-01-19 Saam Barati <saambarati1@gmail.com>

        Basic block start offsets should never be larger than end offsets in the control flow profiler
        https://bugs.webkit.org/show_bug.cgi?id=140377

        Reviewed by Filip Pizlo.

        The bytecode generator will emit code more than once for some AST nodes. For instance,
        the finally block of TryNode will emit two code paths for its finally block: one for
        the normal path, and another for the path where an exception is thrown in the catch block.

        This repeated code emission of the same AST node previously broke how the control
        flow profiler computed text ranges of basic blocks because when the same AST node
        is emitted multiple times, there is a good chance that there are ranges that span
        from the end offset of one of these duplicated nodes back to the start offset of
        the same duplicated node. This caused a basic block range to report a larger start
        offset than end offset. This was incorrect. Now, when this situation is encountered
        while linking a CodeBlock, the faulty range in question is ignored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/CodeBlock.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseConditionalExpression):
        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::ControlFlowProfiler):
        * runtime/ControlFlowProfiler.h:
        (JSC::ControlFlowProfiler::dummyBasicBlock):

2015-01-19 Myles C. Maxfield <mmaxfield@apple.com>

        [SVG -> OTF Converter] Flip the switch on
        https://bugs.webkit.org/show_bug.cgi?id=140592

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2015-01-19 Brian J. Burg <burg@cs.washington.edu>

        Web Replay: convert to is<T> and downcast<T> for decoding replay inputs
        https://bugs.webkit.org/show_bug.cgi?id=140512

        Reviewed by Chris Dumez.

        Generate a SPECIALIZE_TYPE_TRAITS_* chunk of code for each input. This cannot
        be done using the REPLAY_INPUT_NAMES_FOR_EACH macro since that doesn't fully qualify
        input types, and the type traits macro is defined in namespace WTF.

        * replay/NondeterministicInput.h: Make overridden methods public.
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_header):
        (Generator.qualified_input_name): Allow forcing qualification. WTF is never a target framework.
        (Generator.generate_input_type_trait_declaration): Added.
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Add a template.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:

2015-01-19 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r178653.
        https://bugs.webkit.org/show_bug.cgi?id=140634

        Broke multiple SVG tests on Mountain Lion (Requested by ap on
        #webkit).

        Reverted changeset:

        "[SVG -> OTF Converter] Flip the switch on"
        https://bugs.webkit.org/show_bug.cgi?id=140592
        http://trac.webkit.org/changeset/178653

2015-01-18 Dean Jackson <dino@apple.com>

        ES6: Support Array.of construction
        https://bugs.webkit.org/show_bug.cgi?id=140605
        <rdar://problem/19513655>

        Reviewed by Geoffrey Garen.

        Add an implementation of Array.of, described in 22.1.2.3 of the ES6
        specification (15 Jan 2015). The Array.of() method creates a new Array
        instance with a variable number of arguments, regardless of number or type
        of the arguments.

        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorOf): Create a new empty Array, then iterate
        over the arguments, setting them to the appropriate index.

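The ES6 Array.of algorithm (section 22.1.2.3) written out in plain JavaScript, as an added example that is neither the ChangeLog's nor JSC's code: it shows why Array.of(7) differs from Array(7), that argument types do not matter, and how a constructor passed as the receiver is used to build the result. The names arrayOf, Bag and the helper functions are this example's own, and `typeof === "function"` is used as a stand-in for the spec's IsConstructor check.

```javascript
// Added example, not from the WebKit ChangeLog or JSC: a plain-JavaScript
// rendering of ES6 Array.of. The steps are: take the argument count as len,
// construct the result via the receiver when it is a constructor (else
// via Array), store each argument at its index with
// CreateDataPropertyOrThrow, then set "length" and return the result.
function arrayOf(...items) {
  const len = items.length;
  const C = this;
  // Assumption: typeof === "function" stands in for the spec's IsConstructor.
  const A = typeof C === "function" ? new C(len) : new Array(len);
  for (let k = 0; k < len; k++) {
    // CreateDataPropertyOrThrow(A, ToString(k), items[k]); fails on
    // non-extensible or frozen receivers instead of silently dropping data.
    const ok = Reflect.defineProperty(A, String(k), {
      value: items[k], writable: true, enumerable: true, configurable: true,
    });
    if (!ok) throw new TypeError("cannot define index " + k + " on result");
  }
  // Set(A, "length", len, true): the throw flag makes a failed set a TypeError.
  if (!Reflect.set(A, "length", len)) throw new TypeError("cannot set length");
  return A;
}

// The difference the entry's "regardless of number or type" refers to:
// Array(7) is a sparse array of length 7, Array.of(7) is the one-element [7].
function compareWithArrayConstructor() {
  return {
    viaConstructor: Array(7).length, // 7, and no element at any index
    viaOf: arrayOf(7),               // [7]
    mixed: arrayOf(1, "two", null),  // three elements of different types
  };
}

// Receiver handling: a constructor passed as `this` builds the result,
// which is how Array subclasses get instances of themselves from Array.of.
function Bag(n) { this.capacity = n; }
function ofWithCustomConstructor() {
  return arrayOf.call(Bag, "a", "b"); // Bag { capacity: 2, 0: "a", 1: "b", length: 2 }
}
```
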
274422015-01-19 Myles C. Maxfield <mmaxfield@apple.com>
27443
27444 [SVG -> OTF Converter] Flip the switch on
27445 https://bugs.webkit.org/show_bug.cgi?id=140592
27446
27447 Reviewed by Antti Koivisto.
27448
27449 * Configurations/FeatureDefines.xcconfig:
27450
274512015-01-17 Brian J. Burg <burg@cs.washington.edu>
27452
27453 Web Inspector: highlight data for overlay should use protocol type builders
27454 https://bugs.webkit.org/show_bug.cgi?id=129441
27455
27456 Reviewed by Timothy Hatcher.
27457
27458 Add a new domain for overlay types.
27459
27460 * CMakeLists.txt:
27461 * DerivedSources.make:
27462 * inspector/protocol/OverlayTypes.json: Added.
27463
274642015-01-17 Michael Saboff <msaboff@apple.com>
27465
27466 Crash in JSScope::resolve() on tools.ups.com
27467 https://bugs.webkit.org/show_bug.cgi?id=140579
27468
27469 Reviewed by Geoffrey Garen.
27470
27471 For op_resolve_scope of a global property or variable that needs to check for the var
27472 injection check watchpoint, we need to keep the scope around with a Phantom. The
27473 baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
27474 fired.
27475
27476 * dfg/DFGByteCodeParser.cpp:
27477 (JSC::DFG::ByteCodeParser::parseBlock):
27478
274792015-01-16 Brian J. Burg <burg@cs.washington.edu>
27480
27481 Web Inspector: code generator should introduce typedefs for protocol types that are arrays
27482 https://bugs.webkit.org/show_bug.cgi?id=140557
27483
27484 Reviewed by Joseph Pecoraro.
27485
27486 Currently, there is no generated type name for "array" type declarations such as Console.CallStack.
27487 This makes it longwinded and confusing to use the type in C++ code.
27488
27489 This patch adds a typedef for array type declarations, so types such as Console::CallStack
27490 can be referred to directly, rather than using Inspector::Protocol::Array<Console::CallFrame>.
27491
27492 Some tests were updated to cover array type declarations used as parameters and type members.
27493
27494 * inspector/ScriptCallStack.cpp: Use the new typedef.
27495 (Inspector::ScriptCallStack::buildInspectorArray):
27496 * inspector/ScriptCallStack.h:
27497 * inspector/scripts/codegen/cpp_generator.py:
27498 (CppGenerator.cpp_protocol_type_for_type): If an ArrayType is nominal, use the typedef'd name instead.
27499 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
27500 (_generate_typedefs_for_domain): Also generate typedefs for array type declarations.
27501 (_generate_typedefs_for_domain.Inspector):
27502 * inspector/scripts/codegen/models.py: Save the name of an ArrayType when it is a type declaration.
27503 (ArrayType.__init__):
27504 (Protocol.resolve_types):
27505 (Protocol.lookup_type_reference):
27506 * inspector/scripts/tests/commands-with-async-attribute.json:
27507 * inspector/scripts/tests/commands-with-optional-call-return-parameters.json:
27508 * inspector/scripts/tests/events-with-optional-parameters.json:
27509 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
27510 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
27511 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
27512 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
27513 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
27514 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
27515 * inspector/scripts/tests/type-declaration-object-type.json:
27516
275172015-01-16 Brian J. Burg <burg@cs.washington.edu>
27518
27519 Web Replay: purge remaining PassRefPtr uses and minor cleanup
27520 https://bugs.webkit.org/show_bug.cgi?id=140456
27521
27522 Reviewed by Andreas Kling.
27523
27524 Get rid of PassRefPtr. Introduce default initializers where it makes sense.
27525 Remove mistaken uses of AtomicString that were not removed as part of r174113.
27526
27527 * replay/EmptyInputCursor.h:
27528 * replay/InputCursor.h:
27529 (JSC::InputCursor::InputCursor):
27530
275312015-01-16 Brian J. Burg <burg@cs.washington.edu>
27532
27533 Web Inspector: code generator should fail on duplicate parameter and member names
27534 https://bugs.webkit.org/show_bug.cgi?id=140555
27535
27536 Reviewed by Timothy Hatcher.
27537
27538 * inspector/scripts/codegen/models.py:
27539 (find_duplicates): Add a helper function to find duplicates in a list.
27540 (Protocol.parse_type_declaration):
27541 (Protocol.parse_command):
27542 (Protocol.parse_event):
27543 * inspector/scripts/tests/expected/fail-on-duplicate-command-call-parameter-names.json-error: Added.
27544 * inspector/scripts/tests/expected/fail-on-duplicate-command-return-parameter-names.json-error: Added.
27545 * inspector/scripts/tests/expected/fail-on-duplicate-event-parameter-names.json-error: Added.
27546 * inspector/scripts/tests/expected/fail-on-duplicate-type-member-names.json-error: Added.
27547 * inspector/scripts/tests/fail-on-duplicate-command-call-parameter-names.json: Added.
27548 * inspector/scripts/tests/fail-on-duplicate-command-return-parameter-names.json: Added.
27549 * inspector/scripts/tests/fail-on-duplicate-event-parameter-names.json: Added.
27550 * inspector/scripts/tests/fail-on-duplicate-type-member-names.json: Added.
27551
275522015-01-16 Michael Saboff <msaboff@apple.com>
27553
27554 REGRESSION (r174226): Header on huffingtonpost.com is too large
27555 https://bugs.webkit.org/show_bug.cgi?id=140306
27556
27557 Reviewed by Filip Pizlo.
27558
27559 BytecodeGenerator::willResolveToArguments() is used to check to see if we can use the
27560 arguments register or whether we need to resolve "arguments". If the arguments have
27561 been captured, then they are stored in the lexical environment and the arguments
27562 register is not used.
27563
27564 Changed BytecodeGenerator::willResolveToArguments() to also check to see if the arguments
27565 register is captured. Renamed the function to willResolveToArgumentsRegister() to
27566 better indicate what we are checking.
27567
27568 Aligned 32 and 64 bit paths in ArgumentsRecoveryGenerator::generateFor() for creating
27569 an arguments object that was optimized out of an inlined callFrame. The 32 bit path
27570 incorrectly calculated the location of the reified callee frame. This alignment resulted
27571 in the removal of operationCreateInlinedArgumentsDuringOSRExit()
27572
27573 * bytecompiler/BytecodeGenerator.cpp:
27574 (JSC::BytecodeGenerator::willResolveToArgumentsRegister):
27575 (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
27576 (JSC::BytecodeGenerator::emitCall):
27577 (JSC::BytecodeGenerator::emitConstruct):
27578 (JSC::BytecodeGenerator::emitEnumeration):
27579 (JSC::BytecodeGenerator::willResolveToArguments): Deleted.
27580 * bytecompiler/BytecodeGenerator.h:
27581 * bytecompiler/NodesCodegen.cpp:
27582 (JSC::BracketAccessorNode::emitBytecode):
27583 (JSC::DotAccessorNode::emitBytecode):
27584 (JSC::getArgumentByVal):
27585 (JSC::ApplyFunctionCallDotNode::emitBytecode):
27586 (JSC::ArrayPatternNode::emitDirectBinding):
27587 * dfg/DFGOSRExitCompilerCommon.cpp:
27588 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
27589 * dfg/DFGOperations.cpp:
27590 (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
27591 * dfg/DFGOperations.h:
27592 (JSC::operationCreateInlinedArgumentsDuringOSRExit): Deleted.
27593
275942015-01-15 Csaba Osztrogonác <ossy@webkit.org>
27595
27596 Remove ENABLE(SQL_DATABASE) guards
27597 https://bugs.webkit.org/show_bug.cgi?id=140434
27598
27599 Reviewed by Darin Adler.
27600
27601 * CMakeLists.txt:
27602 * Configurations/FeatureDefines.xcconfig:
27603 * DerivedSources.make:
27604 * inspector/protocol/Database.json:
27605
276062015-01-14 Alexey Proskuryakov <ap@apple.com>
27607
27608 Web Inspector and regular console use different source code locations for messages
27609 https://bugs.webkit.org/show_bug.cgi?id=140478
27610
27611 Reviewed by Brian Burg.
27612
27613 * inspector/ConsoleMessage.h: Expose computed source location.
27614
27615 * inspector/agents/InspectorConsoleAgent.cpp:
27616 (Inspector::InspectorConsoleAgent::addMessageToConsole):
27617 (Inspector::InspectorConsoleAgent::stopTiming):
27618 (Inspector::InspectorConsoleAgent::count):
27619 * inspector/agents/InspectorConsoleAgent.h:
27620 addMessageToConsole() now takes a pre-made ConsoleMessage object.
27621
27622 * inspector/JSGlobalObjectConsoleClient.cpp:
27623 (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
27624 (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
27625 * inspector/JSGlobalObjectInspectorController.cpp:
27626 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
27627 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
27628 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
27629 Updated for the above changes.
27630
276312015-01-15 Mark Lam <mark.lam@apple.com>
27632
27633 [Part 2] Argument object created by "Function dot arguments" should use a clone of argument values.
27634 <https://webkit.org/b/140093>
27635
27636 Reviewed by Geoffrey Garen.
27637
27638 * interpreter/StackVisitor.cpp:
27639 (JSC::StackVisitor::Frame::createArguments):
27640 - We should not fetching the lexicalEnvironment here. The reason we've
27641 introduced the ClonedArgumentsCreationMode is because the lexicalEnvironment
27642 may not be available to us at this point. Instead, we'll just pass a nullptr.
27643
27644 * runtime/Arguments.cpp:
27645 (JSC::Arguments::tearOffForCloning):
27646 * runtime/Arguments.h:
27647 (JSC::Arguments::finishCreation):
27648 - Use the new tearOffForCloning() to tear off arguments right out of the values
27649 passed on the stack. tearOff() is not appropriate for this purpose because
27650 it takes slowArgumentsData into account.
27651
276522015-01-14 Matthew Mirman <mmirman@apple.com>
27653
27654 Removed accidental commit of "invalid_array.js"
27655 http://trac.webkit.org/changeset/178439
27656
27657 * tests/stress/invalid_array.js: Removed.
27658
276592015-01-14 Matthew Mirman <mmirman@apple.com>
27660
27661 Fixes operationPutByIdOptimizes such that they check that the put didn't
27662 change the structure of the object who's property access is being
27663 cached. Also removes uses of the new base value from the cache generation code.
27664 https://bugs.webkit.org/show_bug.cgi?id=139500
27665
27666 Reviewed by Filip Pizlo.
27667
27668 * jit/JITOperations.cpp:
27669 (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
27670 (JSC::operationPutByIdNonStrictOptimize): ditto.
27671 (JSC::operationPutByIdDirectStrictOptimize): ditto.
27672 (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
27673 * jit/Repatch.cpp:
27674 (JSC::generateByIdStub):
27675 (JSC::tryCacheGetByID):
27676 (JSC::tryBuildGetByIDList):
27677 (JSC::emitPutReplaceStub):
27678 (JSC::emitPutTransitionStubAndGetOldStructure): Added.
27679 (JSC::tryCachePutByID):
27680 (JSC::repatchPutByID):
27681 (JSC::tryBuildPutByIdList):
27682 (JSC::tryRepatchIn):
27683 (JSC::emitPutTransitionStub): Deleted.
27684 * jit/Repatch.h:
27685 * llint/LLIntSlowPaths.cpp:
27686 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
27687 * runtime/JSPropertyNameEnumerator.h:
27688 (JSC::genericPropertyNameEnumerator):
27689 * runtime/Operations.h:
27690 (JSC::normalizePrototypeChainForChainAccess): restructured to not use the base value.
27691 (JSC::normalizePrototypeChain): restructured to not use the base value.
27692 * tests/mozilla/mozilla-tests.yaml:
27693 * tests/stress/proto-setter.js: Added.
27694 * tests/stress/put-by-id-build-list-order-recurse.js: Added.
27695 Added test that fails without this patch.
27696
276972015-01-13 Joseph Pecoraro <pecoraro@apple.com>
27698
27699 Web Inspector: Remove unused ResizeImage and DecodeImageData timeline events
27700 https://bugs.webkit.org/show_bug.cgi?id=140404
27701
27702 Reviewed by Timothy Hatcher.
27703
27704 * inspector/protocol/Timeline.json:
27705
277062015-01-13 Yusuke Suzuki <utatane.tea@gmail.com>
27707
27708 DFG can call PutByValDirect for generic arrays
27709 https://bugs.webkit.org/show_bug.cgi?id=140389
27710
27711 Reviewed by Geoffrey Garen.
27712
27713 Computed properties in object initializers (ES6) use the put_by_val_direct operation.
27714 However, current DFG asserts that put_by_val_direct is not used for the generic array,
27715 the assertion failure is raised.
27716 This patch allow DFG to use put_by_val_direct to generic arrays.
27717
27718 And fix the DFG put_by_val_direct implementation for string properties.
27719 At first, put_by_val_direct is inteded to be used for spread elements.
27720 So the property keys were limited to numbers (indexes).
27721 But now, it's also used for computed properties in object initializers.
27722
27723 * dfg/DFGOperations.cpp:
27724 (JSC::DFG::operationPutByValInternal):
27725 * dfg/DFGSpeculativeJIT64.cpp:
27726 (JSC::DFG::SpeculativeJIT::compile):
27727
277282015-01-13 Geoffrey Garen <ggaren@apple.com>
27729
27730 Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
27731 https://bugs.webkit.org/show_bug.cgi?id=140397
27732
27733 Reviewed by Geoffrey Garen.
27734
27735 Patch by Alexey Proskuryakov.
27736
27737 Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
27738
27739 No performance change.
27740
27741 No test, since this is a small past-the-end read, which is very
27742 difficult to turn into a reproducible failing test -- and existing tests
27743 crash reliably using ASan.
27744
27745 * bytecompiler/NodesCodegen.cpp:
27746 (JSC::BracketAccessorNode::emitBytecode):
27747 (JSC::DotAccessorNode::emitBytecode):
27748 (JSC::FunctionCallBracketNode::emitBytecode):
27749 (JSC::PostfixNode::emitResolve):
27750 (JSC::DeleteBracketNode::emitBytecode):
27751 (JSC::DeleteDotNode::emitBytecode):
27752 (JSC::PrefixNode::emitResolve):
27753 (JSC::UnaryOpNode::emitBytecode):
27754 (JSC::BitwiseNotNode::emitBytecode):
27755 (JSC::BinaryOpNode::emitBytecode):
27756 (JSC::EqualNode::emitBytecode):
27757 (JSC::StrictEqualNode::emitBytecode):
27758 (JSC::ThrowableBinaryOpNode::emitBytecode):
27759 (JSC::AssignDotNode::emitBytecode):
27760 (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
27761 register used across a call to a function that might allocate a new
27762 temporary register must be held in a RefPtr.
27763
277642015-01-12 Michael Saboff <msaboff@apple.com>
27765
27766 Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
27767 https://bugs.webkit.org/show_bug.cgi?id=140348
27768
27769 Reviewed by Mark Lam.
27770
27771 We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
27772 because those registers may have been spilled on the stack and replaced with other values by
27773 the time we call down to gatherFromCurrentThread().
27774
27775 Now we get the register contents at the same place that we demarcate the current top of
27776 stack using the address of a local variable, in Heap::markRoots(). The register contents
27777 buffer is passed along with the demarcation pointer. These need to be done at this level
27778 in the call tree and no lower, as markRoots() calls various functions that visit object
27779 pointers that may be latter proven dead. Any of those pointers that are left on the
27780 stack or in registers could be incorrectly marked as live if we scan the stack contents
27781 from a called function or one of its callees. The stack demarcation pointer and register
27782 saving need to be done in the same function so that we have a consistent stack, active
27783 and spilled registers.
27784
27785 Because we don't want to make unnecessary calls to get the register contents, we use
27786 a macro to allocate, and possibly align, the register structure and get the actual
27787 register contents.
27788
27789
27790 * heap/Heap.cpp:
27791 (JSC::Heap::markRoots):
27792 (JSC::Heap::gatherStackRoots):
27793 * heap/Heap.h:
27794 * heap/MachineStackMarker.cpp:
27795 (JSC::MachineThreads::gatherFromCurrentThread):
27796 (JSC::MachineThreads::gatherConservativeRoots):
27797 * heap/MachineStackMarker.h:
27798
27799 2015-01-12 Benjamin Poulain <benjamin@webkit.org>
27800
27801 Add basic pattern matching support to the url filters
27802 https://bugs.webkit.org/show_bug.cgi?id=140283
27803
27804 Reviewed by Andreas Kling.
27805
27806 * JavaScriptCore.xcodeproj/project.pbxproj:
27807 Make YarrParser.h private in order to use it from WebCore.
27808
27809 2015-01-12 Geoffrey Garen <ggaren@apple.com>
27810
27811 Out of bounds read in IdentifierArena::makeIdentifier
27812 https://bugs.webkit.org/show_bug.cgi?id=140376
27813
27814 Patch by Alexey Proskuryakov.
27815
27816 Reviewed and ChangeLogged by Geoffrey Garen.
27817
27818 No test, since this is a small past-the-end read, which is very
27819 difficult to turn into a reproducible failing test -- and existing tests
27820 crash reliably using ASan.
27821
27822 * parser/ParserArena.h:
27823 (JSC::IdentifierArena::makeIdentifier):
27824 (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
27825 zero-length string input, like we do in the literal parser, since it is
27826 not valid to dereference characters in a zero-length string.
27827
27828 A zero-length string is allowed in JavaScript -- for example, "".
27829
27830 2015-01-11 Sam Weinig <sam@webkit.org>
27831
27832 Remove support for SharedWorkers
27833 https://bugs.webkit.org/show_bug.cgi?id=140344
27834
27835 Reviewed by Anders Carlsson.
27836
27837 * Configurations/FeatureDefines.xcconfig:
27838
27839 2015-01-12 Myles C. Maxfield <mmaxfield@apple.com>
27840
27841 Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER)
27842 https://bugs.webkit.org/show_bug.cgi?id=136769
27843
27844 Reviewed by Antti Koivisto.
27845
27846 * Configurations/FeatureDefines.xcconfig:
27847
27848 2015-01-12 Commit Queue <commit-queue@webkit.org>
27849
27850 Unreviewed, rolling out r178266.
27851 https://bugs.webkit.org/show_bug.cgi?id=140363
27852
27853 Broke a JSC test (Requested by ap on #webkit).
27854
27855 Reverted changeset:
27856
27857 "Local JSArray* "keys" in objectConstructorKeys() is not
27858 marked during garbage collection"
27859 https://bugs.webkit.org/show_bug.cgi?id=140348
27860 http://trac.webkit.org/changeset/178266
27861
27862 2015-01-12 Michael Saboff <msaboff@apple.com>
27863
27864 Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
27865 https://bugs.webkit.org/show_bug.cgi?id=140348
27866
27867 Reviewed by Mark Lam.
27868
27869 Move the address of the local variable that is used to demarcate the top of the stack for
27870 conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
27871 the register values using setjmp(). That way we don't lose any callee save register
27872 contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
27873 If we lose any JSObject* that are only in callee save registers, they will be GC'ed
27874 erroneously.
27875
27876 * heap/Heap.cpp:
27877 (JSC::Heap::markRoots):
27878 (JSC::Heap::gatherStackRoots):
27879 * heap/Heap.h:
27880 * heap/MachineStackMarker.cpp:
27881 (JSC::MachineThreads::gatherFromCurrentThread):
27882 (JSC::MachineThreads::gatherConservativeRoots):
27883 * heap/MachineStackMarker.h:
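
The same-frame invariant that both of the "keys is not marked" entries above turn on (the first attempt moved the stack marker down next to setjmp(); the reland takes both in Heap::markRoots()), as an added example that is not JavaScriptCore code: a toy conservative root gatherer in C that snapshots the registers with setjmp and records the stack-top marker in the same function, then scans the register buffer and the stack between that marker and a base address recorded by the outermost frame. The cell table, the GATHER_REGISTERS_AND_STACK_TOP macro and all function names are constructed for this demo.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy "heap" (constructed for the demo): a fixed table of cells. A
   conservative scan marks a cell whenever it sees a word whose value
   equals that cell's address, whether the word is a real pointer or not. */
#define NCELLS 8
typedef struct { int marked; int payload; } Cell;
static Cell heap[NCELLS];

static void mark_if_cell_address(uintptr_t word)
{
    for (int i = 0; i < NCELLS; i++)
        if (word == (uintptr_t)&heap[i])
            heap[i].marked = 1;
}

/* Scan every pointer-aligned word between lo and hi, in either order, so
   the code does not care which way the stack grows. memcpy reads the raw
   bytes without aliasing assumptions about what lives on the stack. */
static void scan_words(const void *lo, const void *hi)
{
    uintptr_t lo_addr = (uintptr_t)lo, hi_addr = (uintptr_t)hi;
    if (lo_addr > hi_addr) { uintptr_t t = lo_addr; lo_addr = hi_addr; hi_addr = t; }
    lo_addr = (lo_addr + sizeof(uintptr_t) - 1) & ~(uintptr_t)(sizeof(uintptr_t) - 1);
    for (uintptr_t a = lo_addr; a + sizeof(uintptr_t) <= hi_addr; a += sizeof(uintptr_t)) {
        uintptr_t word;
        memcpy(&word, (const void *)a, sizeof word);
        mark_if_cell_address(word);
    }
}

/* The invariant from the ChangeLog entry: the register snapshot and the
   stack-top marker are taken in the SAME frame. A callee-saved register
   holding the only reference to a cell is captured in `regs` here; had a
   deeper callee done the setjmp, the caller's saved registers could already
   have been spilled below the marker, where the scan never looks. */
#define GATHER_REGISTERS_AND_STACK_TOP(regs, top) \
    do { setjmp(regs); (top) = (const void *)&(regs); } while (0)

static void gather_conservative_roots(const void *stack_base)
{
    jmp_buf regs;
    const void *stack_top;
    GATHER_REGISTERS_AND_STACK_TOP(regs, stack_top);
    for (int i = 0; i < NCELLS; i++)
        heap[i].marked = 0;
    scan_words(&regs, (const char *)&regs + sizeof regs);  /* register contents */
    scan_words(stack_top, stack_base);                     /* active stack above us */
}

/* Mutator frame: holds the only reference to heap[3]. `volatile` pins the
   slot to memory so the demo does not depend on the compiler's register
   allocation; reading it after the scan keeps the reference live. */
static int mutator(const void *stack_base)
{
    Cell *volatile root = &heap[3];
    root->payload = 42;
    gather_conservative_roots(stack_base);
    return root->payload;
}

/* Outermost frame records the stack base, as a VM does on entry. Calling
   through a volatile function pointer keeps mutator() in its own frame
   (not inlined), so its slot lies between the marker and the base. */
int live_root_is_marked(void)
{
    volatile int base_marker = 0;
    int (*volatile call)(const void *) = mutator;
    int payload = call((const void *)&base_marker);
    return payload == 42 && heap[3].marked;   /* returns 1 */
}
```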
27884
27885 2015-01-11 Eric Carlson <eric.carlson@apple.com>
27886
27887 Fix typo in testate.c error messages
27888 https://bugs.webkit.org/show_bug.cgi?id=140305
27889
27890 Reviewed by Geoffrey Garen.
27891
27892 * API/tests/testapi.c:
27893 (main): "... script did not timed out ..." -> "... script did not time out ..."
27894
27895 2015-01-09 Michael Saboff <msaboff@apple.com>
27896
27897 Breakpoint doesn't fire in this HTML5 game
27898 https://bugs.webkit.org/show_bug.cgi?id=140269
27899
27900 Reviewed by Mark Lam.
27901
27902 When parsing a single line cached function, use the lineStartOffset of the
27903 location where we found the cached function instead of the cached lineStartOffset.
27904 The cache location's lineStartOffset has not been adjusted for any possible
27905 containing functions.
27906
27907 This change is not needed for multi-line cached functions. Consider the
27908 single line source:
27909
27910 function outer(){function inner1(){doStuff();}; (function inner2() {doMoreStuff()})()}
27911
27912 The first parser pass, we parse and cache inner1() and inner2() with a lineStartOffset
27913 of 0. Later when we parse outer() and find inner1() in the cache, SourceCode start
27914 character is at outer()'s outermost open brace. That is what we should use for
27915 lineStartOffset for inner1(). When done parsing inner1() we set the parsing token
27916 to the saved location for inner1(), including the lineStartOffset of 0. We need
27917 to use the value of lineStartOffset before we started parsing inner1(). That is
27918 what the fix does. When we parse inner2() the lineStartOffset will be correct.
27919
27920 For a multi-line function, the close brace is guaranteed to be on a different line
27921 than the open brace. Hence, its lineStartOffset will not change with the change of
27922 the SourceCode start character.
27923
27924 * parser/Parser.cpp:
27925 (JSC::Parser<LexerType>::parseFunctionInfo):
27926
27927 2015-01-09 Joseph Pecoraro <pecoraro@apple.com>
27928
27929 Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
27930 https://bugs.webkit.org/show_bug.cgi?id=140279
27931 rdar://problem/19422299
27932
27933 Reviewed by Oliver Hunt.
27934
27935 * runtime/MapData.cpp:
27936 (JSC::MapData::replaceAndPackBackingStore):
27937 The cell table also needs to have its values fixed.
27938
27939 2015-01-09 Joseph Pecoraro <pecoraro@apple.com>
27940
27941 Web Inspector: Remove or use TimelineAgent Resource related event types
27942 https://bugs.webkit.org/show_bug.cgi?id=140155
27943
27944 Reviewed by Timothy Hatcher.
27945
27946 Remove unused / stale Timeline event types.
27947
27948 * inspector/protocol/Timeline.json:
27949
27950 2015-01-09 Csaba Osztrogonác <ossy@webkit.org>
27951
27952 REGRESSION(r177925): It broke the !ENABLE(INSPECTOR) build
27953 https://bugs.webkit.org/show_bug.cgi?id=140098
27954
27955 Reviewed by Brian Burg.
27956
27957 * inspector/InspectorBackendDispatcher.h: Missing ENABLE(INSPECTOR) guard added.
27958
27959 2015-01-08 Mark Lam <mark.lam@apple.com>
27960
27961 Argument object created by "Function dot arguments" should use a clone of the argument values.
27962 <https://webkit.org/b/140093>
27963
27964 Reviewed by Geoffrey Garen.
27965
27966 After the change in <https://webkit.org/b/139827>, the dfg-tear-off-arguments-not-activation.js
27967 test will crash. The relevant code which manifests the issue is as follows:
27968
27969 function bar() {
27970 return foo.arguments;
27971 }
27972
27973 function foo(p) {
27974 var x = 42;
27975 if (p)
27976 return (function() { return x; });
27977 else
27978 return bar();
27979 }
27980
27981 In this case, foo() has no knowledge of bar() needing its LexicalEnvironment and
27982 has dead code eliminated the SetLocal that stores it into its designated local.
27983 In bar(), the factory for the Arguments object (for creating foo.arguments) tries
27984 to read foo's LexicalEnvironment from its designated lexicalEnvironment local,
27985 but instead, finds it to be uninitialized. This results in a null pointer access
27986 which causes a crash.
27987
27988 This can be resolved by having bar() instantiate a clone of the Arguments object
27989 instead, and populate its elements with values fetched directly from foo's frame.
27990 There's no need to reference foo's LexicalEnvironment (whether present or not).
27991
27992 * interpreter/StackVisitor.cpp:
27993 (JSC::StackVisitor::Frame::createArguments):
27994 * runtime/Arguments.h:
27995 (JSC::Arguments::finishCreation):
27996
27997 2015-01-08 Mark Lam <mark.lam@apple.com>
27998
27999 Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand.
28000 <https://webkit.org/b/140236>
28001
28002 Reviewed by Geoffrey Garen.
28003
28004 Will change the DFG to use the operand on a subsequent pass. For now,
28005 the DFG uses a temporary thunk (operationCreateArgumentsForDFG()) to
28006 retain the old behavior of getting the lexicalEnvironment from the
28007 ExecState.
28008
28009 * bytecompiler/BytecodeGenerator.cpp:
28010 (JSC::BytecodeGenerator::BytecodeGenerator):
28011 (JSC::BytecodeGenerator::emitGetArgumentByVal):
28012 (JSC::BytecodeGenerator::createArgumentsIfNecessary):
28013 - When the lexicalEnvironment is not available, pass the invalid VirtualRegister
28014 instead of an empty JSValue as the lexicalEnvironment operand.
28015
28016 * dfg/DFGOperations.cpp:
28017 - Use the lexicalEnvironment from the ExecState for now.
28018
28019 * dfg/DFGSpeculativeJIT32_64.cpp:
28020 (JSC::DFG::SpeculativeJIT::compile):
28021 * dfg/DFGSpeculativeJIT64.cpp:
28022 (JSC::DFG::SpeculativeJIT::compile):
28023 - Use the operationCreateArgumentsForDFG() thunk for now.
28024
28025 * interpreter/CallFrame.cpp:
28026 (JSC::CallFrame::lexicalEnvironmentOrNullptr):
28027 * interpreter/CallFrame.h:
28028 - Added this convenience function to return either the
28029 lexicalEnvironment or a nullptr so that we don't need to do a
28030 conditional check on codeBlock->needsActivation() at multiple sites.
28031
28032 * interpreter/StackVisitor.cpp:
28033 (JSC::StackVisitor::Frame::createArguments):
28034 * jit/JIT.h:
28035 * jit/JITInlines.h:
28036 (JSC::JIT::callOperation):
28037 * jit/JITOpcodes.cpp:
28038 (JSC::JIT::emit_op_create_arguments):
28039 (JSC::JIT::emitSlow_op_get_argument_by_val):
28040 * jit/JITOpcodes32_64.cpp:
28041 (JSC::JIT::emit_op_create_arguments):
28042 (JSC::JIT::emitSlow_op_get_argument_by_val):
28043 * jit/JITOperations.cpp:
28044 * jit/JITOperations.h:
28045 * llint/LLIntSlowPaths.cpp:
28046 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
28047 * runtime/Arguments.h:
28048 (JSC::Arguments::create):
28049 (JSC::Arguments::finishCreation):
28050 * runtime/CommonSlowPaths.cpp:
28051 (JSC::SLOW_PATH_DECL):
28052 * runtime/JSLexicalEnvironment.cpp:
28053 (JSC::JSLexicalEnvironment::argumentsGetter):
28054
28055 2015-01-08 Joseph Pecoraro <pecoraro@apple.com>
28056
28057 Web Inspector: Pause Reason Improvements (Breakpoint, Debugger Statement, Pause on Next Statement)
28058 https://bugs.webkit.org/show_bug.cgi?id=138991
28059
28060 Reviewed by Timothy Hatcher.
28061
28062 * debugger/Debugger.cpp:
28063 (JSC::Debugger::Debugger):
28064 (JSC::Debugger::pauseIfNeeded):
28065 (JSC::Debugger::didReachBreakpoint):
28066 When actually pausing, if we hit a breakpoint ensure the reason
28067 is PausedForBreakpoint, otherwise use the current reason.
28068
28069 * debugger/Debugger.h:
28070 Make pause reason and pausing breakpoint ID public.
28071
28072 * inspector/agents/InspectorDebuggerAgent.h:
28073 * inspector/agents/InspectorDebuggerAgent.cpp:
28074 (Inspector::buildAssertPauseReason):
28075 (Inspector::buildCSPViolationPauseReason):
28076 (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
28077 (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
28078 (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
28079 (Inspector::buildObjectForBreakpointCookie):
28080 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
28081 (Inspector::InspectorDebuggerAgent::removeBreakpoint):
28082 (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
28083 (Inspector::InspectorDebuggerAgent::pause):
28084 (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
28085 (Inspector::InspectorDebuggerAgent::currentCallFrames):
28086 (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
28087 Clean up creation of pause reason objects and other cleanup
28088 of PassRefPtr use and InjectedScript use.
28089
28090 (Inspector::InspectorDebuggerAgent::didPause):
28091 Clean up so that we first check for an Exception, and then fall
28092 back to including a Pause Reason derived from the Debugger.
28093
28094 * inspector/protocol/Debugger.json:
28095 Add new DebuggerStatement, Breakpoint, and PauseOnNextStatement reasons.
28096
28097 2015-01-08 Joseph Pecoraro <pecoraro@apple.com>
28098
28099 Web Inspector: Type check NSArray's in ObjC Interfaces have the right object types
28100 https://bugs.webkit.org/show_bug.cgi?id=140209
28101
28102 Reviewed by Timothy Hatcher.
28103
28104 Check the types of objects in NSArrays for all interfaces (commands, events, types)
28105 when the user can set an array of objects. Previously we were only type checking
28106 they were RWIJSONObjects, now we add an explicit check for the exact object type.
28107
28108 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
28109 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
28110 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
28111 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
28112 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
28113 (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
28114 (ObjCProtocolTypesImplementationGenerator._generate_setter_for_member):
28115 * inspector/scripts/codegen/objc_generator.py:
28116 (ObjCGenerator.objc_class_for_array_type):
28117 (ObjCGenerator):
28118
28119 2015-01-07 Mark Lam <mark.lam@apple.com>
28120
28121 Add the lexicalEnvironment as an operand to op_get_argument_by_val.
28122 <https://webkit.org/b/140233>
28123
28124 Reviewed by Filip Pizlo.
28125
28126 This patch only adds the operand to the bytecode. It is not in use yet.
28127
28128 * bytecode/BytecodeList.json:
28129 * bytecode/BytecodeUseDef.h:
28130 (JSC::computeUsesForBytecodeOffset):
28131 * bytecode/CodeBlock.cpp:
28132 (JSC::CodeBlock::dumpBytecode):
28133 * bytecompiler/BytecodeGenerator.cpp:
28134 (JSC::BytecodeGenerator::emitGetArgumentByVal):
28135 * llint/LowLevelInterpreter32_64.asm:
28136 * llint/LowLevelInterpreter64.asm:
28137
28138 2015-01-07 Yusuke Suzuki <utatane.tea@gmail.com>
28139
28140 Investigate the character type of repeated string instead of checking is8Bit flag
28141 https://bugs.webkit.org/show_bug.cgi?id=140139
28142
28143 Reviewed by Darin Adler.
28144
28145 Instead of checking is8Bit flag of the repeated string, investigate
28146 the actual value of the repeated character, since the is8Bit flag gives a false negative case.
28147
28148 * runtime/StringPrototype.cpp:
28149 (JSC::repeatCharacter):
28150 (JSC::stringProtoFuncRepeat):
28151 (JSC::repeatSmallString): Deleted.
28152
28153 2015-01-07 Joseph Pecoraro <pecoraro@apple.com>
28154
28155 Web Inspector: ObjC Generate types from the GenericTypes domain
28156 https://bugs.webkit.org/show_bug.cgi?id=140229
28157
28158 Reviewed by Timothy Hatcher.
28159
28160 Generate types from the GenericTypes domain, as they are expected
28161 by other domains (like Page domain). Also, don't include the @protocol
28162 forward declaration for a domain if it doesn't have any commands.
28163
28164 * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
28165 (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
28166 (ObjCBackendDispatcherHeaderGenerator): Deleted.
28167 (ObjCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains): Deleted.
28168 * inspector/scripts/codegen/objc_generator.py:
28169 (ObjCGenerator):
28170 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
28171 * inspector/scripts/tests/expected/enum-values.json-result:
28172 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
28173 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
28174 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
28175 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
28176 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
28177 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
28178 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
28179 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
28180 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
28181
28182 2015-01-07 Joseph Pecoraro <pecoraro@apple.com>
28183
28184 Web Inspector: Remove unnecessary copyRef for paramsObject in generated dispatchers
28185 https://bugs.webkit.org/show_bug.cgi?id=140228
28186
28187 Reviewed by Timothy Hatcher.
28188
28189 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
28190 (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
28191 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
28192 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
28193 * inspector/scripts/tests/expected/enum-values.json-result:
28194 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
28195
28196 2015-01-07 Saam Barati <saambarati1@gmail.com>
28197
28198 interpret op_profile_type in the LLInt instead of unconditionally calling into the slow path
28199 https://bugs.webkit.org/show_bug.cgi?id=140165
28200
28201 Reviewed by Michael Saboff.
28202
28203 Inlining the functionality of TypeProfilerLog::recordTypeInformationForLocation
28204 into the LLInt speeds up type profiling.
28205
28206 * llint/LLIntOffsetsExtractor.cpp:
28207 * llint/LowLevelInterpreter.asm:
28208 * llint/LowLevelInterpreter32_64.asm:
28209 * llint/LowLevelInterpreter64.asm:
28210 * runtime/CommonSlowPaths.cpp:
28211 (JSC::SLOW_PATH_DECL):
28212 * runtime/CommonSlowPaths.h:
28213 * runtime/TypeProfilerLog.h:
28214 (JSC::TypeProfilerLog::recordTypeInformationForLocation): Deleted.
28215
28216 2015-01-07 Brian J. Burg <burg@cs.washington.edu>
28217
28218 Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
28219 https://bugs.webkit.org/show_bug.cgi?id=140053
28220
28221 Reviewed by Andreas Kling.
28222
28223 This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
28224 related to Web Inspector. It also converts many uses of RefPtr to Ref where
28225 references are always non-null. These two refactorings have been combined since
28226 they tend to require similar changes to the code.
28227
28228 Creation methods for subclasses of InspectorValue now return a Ref, and callsites
28229 have been updated to take a Ref instead of RefPtr.
28230
28231 Builders for typed protocol objects now return a Ref. Since there is no implicit
28232 call to operator&, callsites now must explicitly call .release() to convert a
28233 builder object into the corresponding protocol object once required fields are set.
28234 Update callsites and use auto to eliminate repetition of longwinded protocol types.
28235
28236 Tests for inspector protocol and replay inputs have been rebaselined.
28237
28238 * bindings/ScriptValue.cpp:
28239 (Deprecated::jsToInspectorValue):
28240 (Deprecated::ScriptValue::toInspectorValue):
28241 * bindings/ScriptValue.h:
28242 * inspector/ConsoleMessage.cpp:
28243 (Inspector::ConsoleMessage::addToFrontend):
28244 * inspector/ContentSearchUtilities.cpp:
28245 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
28246 (Inspector::ContentSearchUtilities::searchInTextByLines):
28247 * inspector/ContentSearchUtilities.h:
28248 * inspector/InjectedScript.cpp:
28249 (Inspector::InjectedScript::getFunctionDetails):
28250 (Inspector::InjectedScript::getProperties):
28251 (Inspector::InjectedScript::getInternalProperties):
28252 (Inspector::InjectedScript::wrapCallFrames):
28253 (Inspector::InjectedScript::wrapObject):
28254 (Inspector::InjectedScript::wrapTable):
28255 * inspector/InjectedScript.h:
28256 * inspector/InjectedScriptBase.cpp:
28257 (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
28258 * inspector/InspectorBackendDispatcher.cpp:
28259 (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
28260 (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
28261 (Inspector::InspectorBackendDispatcher::create):
28262 (Inspector::InspectorBackendDispatcher::dispatch):
28263 (Inspector::InspectorBackendDispatcher::sendResponse):
28264 (Inspector::InspectorBackendDispatcher::reportProtocolError):
28265 (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
28266 (Inspector::InspectorBackendDispatcher::getInteger):
28267 (Inspector::InspectorBackendDispatcher::getDouble):
28268 (Inspector::InspectorBackendDispatcher::getString):
28269 (Inspector::InspectorBackendDispatcher::getBoolean):
28270 (Inspector::InspectorBackendDispatcher::getObject):
28271 (Inspector::InspectorBackendDispatcher::getArray):
28272 (Inspector::InspectorBackendDispatcher::getValue):
28273 * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
28274 protocol error strings.
28275 (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
28276 Convert the supplemental dispatcher's reference to Ref since it is never null.
28277 * inspector/InspectorEnvironment.h:
28278 * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
28279 StructItemTraits. Add more versions of addItem to handle pushing various types.
28280 (Inspector::Protocol::Array::openAccessors):
28281 (Inspector::Protocol::Array::addItem):
28282 (Inspector::Protocol::Array::create):
28283 (Inspector::Protocol::StructItemTraits::push):
28284 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
28285 (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
28286 (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
28287 (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
28288 (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
28289 (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
28290 (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
28291 (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
28292 (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
28293 (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
28294 * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
28295 the same call signature as other getters. Use Ref where possible.
28296 (Inspector::InspectorObjectBase::getBoolean):
28297 (Inspector::InspectorObjectBase::getString):
28298 (Inspector::InspectorObjectBase::getObject):
28299 (Inspector::InspectorObjectBase::getArray):
28300 (Inspector::InspectorObjectBase::getValue):
28301 (Inspector::InspectorObjectBase::writeJSON):
28302 (Inspector::InspectorArrayBase::get):
28303 (Inspector::InspectorObject::create):
28304 (Inspector::InspectorArray::create):
28305 (Inspector::InspectorValue::null):
28306 (Inspector::InspectorString::create):
28307 (Inspector::InspectorBasicValue::create):
28308 (Inspector::InspectorObjectBase::get): Deleted.
28309 * inspector/InspectorValues.h:
28310 (Inspector::InspectorObjectBase::setValue):
28311 (Inspector::InspectorObjectBase::setObject):
28312 (Inspector::InspectorObjectBase::setArray):
28313 (Inspector::InspectorArrayBase::pushValue):
28314 (Inspector::InspectorArrayBase::pushObject):
28315 (Inspector::InspectorArrayBase::pushArray):
28316 * inspector/JSGlobalObjectConsoleClient.cpp:
28317 (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
28318 (Inspector::JSGlobalObjectConsoleClient::count):
28319 (Inspector::JSGlobalObjectConsoleClient::timeEnd):
28320 (Inspector::JSGlobalObjectConsoleClient::timeStamp):
28321 * inspector/JSGlobalObjectConsoleClient.h:
28322 * inspector/JSGlobalObjectInspectorController.cpp:
28323 (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
28324 * inspector/JSGlobalObjectInspectorController.h:
28325 * inspector/ScriptCallFrame.cpp:
28326 (Inspector::ScriptCallFrame::buildInspectorObject):
28327 * inspector/ScriptCallFrame.h:
28328 * inspector/ScriptCallStack.cpp:
28329 (Inspector::ScriptCallStack::create):
28330 (Inspector::ScriptCallStack::buildInspectorArray):
28331 * inspector/ScriptCallStack.h:
28332 * inspector/agents/InspectorAgent.cpp:
28333 (Inspector::InspectorAgent::enable):
28334 (Inspector::InspectorAgent::inspect):
28335 (Inspector::InspectorAgent::activateExtraDomain):
28336 * inspector/agents/InspectorAgent.h:
28337 * inspector/agents/InspectorDebuggerAgent.cpp:
28338 (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
28339 (Inspector::buildObjectForBreakpointCookie):
28340 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
28341 (Inspector::InspectorDebuggerAgent::setBreakpoint):
28342 (Inspector::InspectorDebuggerAgent::continueToLocation):
28343 (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
28344 (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
28345 (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
28346 (Inspector::InspectorDebuggerAgent::currentCallFrames):
28347 (Inspector::InspectorDebuggerAgent::didParseSource):
28348 (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
28349 (Inspector::InspectorDebuggerAgent::breakProgram):
28350 * inspector/agents/InspectorDebuggerAgent.h:
28351 * inspector/agents/InspectorRuntimeAgent.cpp:
28352 (Inspector::buildErrorRangeObject):
28353 (Inspector::InspectorRuntimeAgent::callFunctionOn):
28354 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
28355 (Inspector::InspectorRuntimeAgent::getBasicBlocks):
28356 * inspector/agents/InspectorRuntimeAgent.h:
28357 * inspector/scripts/codegen/cpp_generator.py:
28358 (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
28359 (CppGenerator.cpp_type_for_type_with_name):
28360 (CppGenerator.cpp_type_for_formal_async_parameter):
28361 (CppGenerator.should_use_references_for_type):
28362 (CppGenerator):
28363 * inspector/scripts/codegen/cpp_generator_templates.py:
28364 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
28365 (CppBackendDispatcherHeaderGenerator.generate_output):
28366 (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
28367 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
28368 (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
28369 (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
28370 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
28371 (CppFrontendDispatcherHeaderGenerator.generate_output):
28372 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
28373 (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
28374 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
28375 (CppProtocolTypesHeaderGenerator.generate_output):
28376 (_generate_class_for_object_declaration):
28377 (_generate_unchecked_setter_for_member):
28378 (_generate_forward_declarations_for_binding_traits):
28379 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
28380 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
28381 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
28382 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
28383 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
28384 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
28385 (ObjCProtocolTypesImplementationGenerator.generate_output):
28386 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
28387 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
28388 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
28389 * inspector/scripts/tests/expected/enum-values.json-result:
28390 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
28391 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
28392 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
28393 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
28394 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
28395 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
28396 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
28397 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
28398 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
28399 * replay/EncodedValue.cpp:
28400 (JSC::EncodedValue::asObject):
28401 (JSC::EncodedValue::asArray):
28402 (JSC::EncodedValue::put<EncodedValue>):
28403 (JSC::EncodedValue::append<EncodedValue>):
28404 (JSC::EncodedValue::get<EncodedValue>):
28405 * replay/EncodedValue.h:
28406 * replay/scripts/CodeGeneratorReplayInputs.py:
28407 (Type.borrow_type):
28408 (Type.argument_type):
28409 (Generator.generate_member_move_expression):
28410 * runtime/ConsoleClient.cpp:
28411 (JSC::ConsoleClient::printConsoleMessageWithArguments):
28412 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
28413 (JSC::ConsoleClient::logWithLevel):
28414 (JSC::ConsoleClient::clear):
28415 (JSC::ConsoleClient::dir):
28416 (JSC::ConsoleClient::dirXML):
28417 (JSC::ConsoleClient::table):
28418 (JSC::ConsoleClient::trace):
28419 (JSC::ConsoleClient::assertCondition):
28420 (JSC::ConsoleClient::group):
28421 (JSC::ConsoleClient::groupCollapsed):
28422 (JSC::ConsoleClient::groupEnd):
28423 * runtime/ConsoleClient.h:
28424 * runtime/TypeSet.cpp:
28425 (JSC::TypeSet::allStructureRepresentations):
28426 (JSC::TypeSet::inspectorTypeSet):
28427 (JSC::StructureShape::inspectorRepresentation):
28428 * runtime/TypeSet.h:
28429
28430 2015-01-07 Commit Queue <commit-queue@webkit.org>
28431
28432 Unreviewed, rolling out r178039.
28433 https://bugs.webkit.org/show_bug.cgi?id=140187
28434
28435 Breaks ObjC Inspector Protocol (Requested by JoePeck on
28436 #webkit).
28437
28438 Reverted changeset:
28439
28440 "Web Inspector: purge PassRefPtr from Inspector code and use
28441 Ref for typed and untyped protocol objects"
28442 https://bugs.webkit.org/show_bug.cgi?id=140053
28443 http://trac.webkit.org/changeset/178039
28444
28445 2015-01-06 Brian J. Burg <burg@cs.washington.edu>
28446
28447 Web Inspector: purge PassRefPtr from Inspector code and use Ref for typed and untyped protocol objects
28448 https://bugs.webkit.org/show_bug.cgi?id=140053
28449
28450 Reviewed by Andreas Kling.
28451
28452 This patch replaces uses of PassRefPtr with uses of RefPtr&& and WTF::move() in code
28453 related to Web Inspector. It also converts many uses of RefPtr to Ref where
28454 references are always non-null. These two refactorings have been combined since
28455 they tend to require similar changes to the code.
28456
28457 Creation methods for subclasses of InspectorValue now return a Ref, and callsites
28458 have been updated to take a Ref instead of RefPtr.
28459
28460 Builders for typed protocol objects now return a Ref. Since there is no implicit
28461 call to operator&, callsites now must explicitly call .release() to convert a
28462 builder object into the corresponding protocol object once required fields are set.
28463 Update callsites and use auto to eliminate repetition of longwinded protocol types.
28464
28465 Tests for inspector protocol and replay inputs have been rebaselined.
28466
28467 * bindings/ScriptValue.cpp:
28468 (Deprecated::jsToInspectorValue):
28469 (Deprecated::ScriptValue::toInspectorValue):
28470 * bindings/ScriptValue.h:
28471 * inspector/ConsoleMessage.cpp:
28472 (Inspector::ConsoleMessage::addToFrontend):
28473 * inspector/ContentSearchUtilities.cpp:
28474 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
28475 (Inspector::ContentSearchUtilities::searchInTextByLines):
28476 * inspector/ContentSearchUtilities.h:
28477 * inspector/InjectedScript.cpp:
28478 (Inspector::InjectedScript::getFunctionDetails):
28479 (Inspector::InjectedScript::getProperties):
28480 (Inspector::InjectedScript::getInternalProperties):
28481 (Inspector::InjectedScript::wrapCallFrames):
28482 (Inspector::InjectedScript::wrapObject):
28483 (Inspector::InjectedScript::wrapTable):
28484 * inspector/InjectedScript.h:
28485 * inspector/InjectedScriptBase.cpp:
28486 (Inspector::InjectedScriptBase::makeEvalCall): Split the early exits.
28487 * inspector/InspectorBackendDispatcher.cpp:
28488 (Inspector::InspectorBackendDispatcher::CallbackBase::CallbackBase):
28489 (Inspector::InspectorBackendDispatcher::CallbackBase::sendIfActive):
28490 (Inspector::InspectorBackendDispatcher::create):
28491 (Inspector::InspectorBackendDispatcher::dispatch):
28492 (Inspector::InspectorBackendDispatcher::sendResponse):
28493 (Inspector::InspectorBackendDispatcher::reportProtocolError):
28494 (Inspector::getPropertyValue): Add a comment to clarify what this clever code does.
28495 (Inspector::InspectorBackendDispatcher::getInteger):
28496 (Inspector::InspectorBackendDispatcher::getDouble):
28497 (Inspector::InspectorBackendDispatcher::getString):
28498 (Inspector::InspectorBackendDispatcher::getBoolean):
28499 (Inspector::InspectorBackendDispatcher::getObject):
28500 (Inspector::InspectorBackendDispatcher::getArray):
28501 (Inspector::InspectorBackendDispatcher::getValue):
28502 * inspector/InspectorBackendDispatcher.h: Use a typed protocol object to collect
28503 protocol error strings.
28504 (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
28505 Convert the supplemental dispatcher's reference to Ref since it is never null.
28506 * inspector/InspectorEnvironment.h:
28507 * inspector/InspectorProtocolTypes.h: Get rid of ArrayItemHelper and
28508 StructItemTraits. Add more versions of addItem to handle pushing various types.
28509 (Inspector::Protocol::Array::openAccessors):
28510 (Inspector::Protocol::Array::addItem):
28511 (Inspector::Protocol::Array::create):
28512 (Inspector::Protocol::StructItemTraits::push):
28513 (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Assert argument.
28514 (Inspector::Protocol::StructItemTraits::pushRefPtr): Deleted.
28515 (Inspector::Protocol::ArrayItemHelper<String>::Traits::pushRaw): Deleted.
28516 (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw): Deleted.
28517 (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw): Deleted.
28518 (Inspector::Protocol::ArrayItemHelper<bool>::Traits::pushRaw): Deleted.
28519 (Inspector::Protocol::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr): Deleted.
28520 (Inspector::Protocol::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr): Deleted.
28521 (Inspector::Protocol::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr): Deleted.
28522 (Inspector::Protocol::ArrayItemHelper<Protocol::Array<T>>::Traits::pushRefPtr): Deleted.
28523 * inspector/InspectorValues.cpp: Straighten out getArray and getObject to have
28524 the same call signature as other getters. Use Ref where possible.
28525 (Inspector::InspectorObjectBase::getBoolean):
28526 (Inspector::InspectorObjectBase::getString):
28527 (Inspector::InspectorObjectBase::getObject):
28528 (Inspector::InspectorObjectBase::getArray):
28529 (Inspector::InspectorObjectBase::getValue):
28530 (Inspector::InspectorObjectBase::writeJSON):
28531 (Inspector::InspectorArrayBase::get):
28532 (Inspector::InspectorObject::create):
28533 (Inspector::InspectorArray::create):
28534 (Inspector::InspectorValue::null):
28535 (Inspector::InspectorString::create):
28536 (Inspector::InspectorBasicValue::create):
28537 (Inspector::InspectorObjectBase::get): Deleted.
28538 * inspector/InspectorValues.h:
28539 (Inspector::InspectorObjectBase::setValue):
28540 (Inspector::InspectorObjectBase::setObject):
28541 (Inspector::InspectorObjectBase::setArray):
28542 (Inspector::InspectorArrayBase::pushValue):
28543 (Inspector::InspectorArrayBase::pushObject):
28544 (Inspector::InspectorArrayBase::pushArray):
28545 * inspector/JSGlobalObjectConsoleClient.cpp:
28546 (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
28547 (Inspector::JSGlobalObjectConsoleClient::count):
28548 (Inspector::JSGlobalObjectConsoleClient::timeEnd):
28549 (Inspector::JSGlobalObjectConsoleClient::timeStamp):
28550 * inspector/JSGlobalObjectConsoleClient.h:
28551 * inspector/JSGlobalObjectInspectorController.cpp:
28552 (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
28553 * inspector/JSGlobalObjectInspectorController.h:
28554 * inspector/ScriptCallFrame.cpp:
28555 (Inspector::ScriptCallFrame::buildInspectorObject):
28556 * inspector/ScriptCallFrame.h:
28557 * inspector/ScriptCallStack.cpp:
28558 (Inspector::ScriptCallStack::create):
28559 (Inspector::ScriptCallStack::buildInspectorArray):
28560 * inspector/ScriptCallStack.h:
28561 * inspector/agents/InspectorAgent.cpp:
28562 (Inspector::InspectorAgent::enable):
28563 (Inspector::InspectorAgent::inspect):
28564 (Inspector::InspectorAgent::activateExtraDomain):
28565 * inspector/agents/InspectorAgent.h:
28566 * inspector/agents/InspectorDebuggerAgent.cpp:
28567 (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
28568 (Inspector::buildObjectForBreakpointCookie):
28569 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
28570 (Inspector::InspectorDebuggerAgent::setBreakpoint):
28571 (Inspector::InspectorDebuggerAgent::continueToLocation):
28572 (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
28573 (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
28574 (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
28575 (Inspector::InspectorDebuggerAgent::currentCallFrames):
28576 (Inspector::InspectorDebuggerAgent::didParseSource):
28577 (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
28578 (Inspector::InspectorDebuggerAgent::breakProgram):
28579 * inspector/agents/InspectorDebuggerAgent.h:
28580 * inspector/agents/InspectorRuntimeAgent.cpp:
28581 (Inspector::buildErrorRangeObject):
28582 (Inspector::InspectorRuntimeAgent::callFunctionOn):
28583 (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
28584 (Inspector::InspectorRuntimeAgent::getBasicBlocks):
28585 * inspector/agents/InspectorRuntimeAgent.h:
28586 * inspector/scripts/codegen/cpp_generator.py:
28587 (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
28588 (CppGenerator.cpp_type_for_type_with_name):
28589 (CppGenerator.cpp_type_for_formal_async_parameter):
28590 (CppGenerator.should_use_references_for_type):
28591 (CppGenerator):
28592 * inspector/scripts/codegen/cpp_generator_templates.py:
28593 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
28594 (CppBackendDispatcherHeaderGenerator.generate_output):
28595 (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
28596 * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
28597 (CppBackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
28598 (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
28599 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
28600 (CppFrontendDispatcherHeaderGenerator.generate_output):
28601 * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
28602 (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
28603 * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
28604 (CppProtocolTypesHeaderGenerator.generate_output):
28605 (_generate_class_for_object_declaration):
28606 (_generate_unchecked_setter_for_member):
28607 (_generate_forward_declarations_for_binding_traits):
28608 * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
28609 (ObjCConfigurationImplementationGenerator._generate_success_block_for_command):
28610 * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
28611 (ObjCFrontendDispatcherImplementationGenerator._generate_event):
28612 (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
28613 * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
28614 (ObjCProtocolTypesImplementationGenerator.generate_output):
28615 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
28616 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
28617 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
28618 * inspector/scripts/tests/expected/enum-values.json-result:
28619 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
28620 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
28621 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
28622 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
28623 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
28624 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
28625 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
28626 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
28627 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
28628 * replay/EncodedValue.cpp:
28629 (JSC::EncodedValue::asObject):
28630 (JSC::EncodedValue::asArray):
28631 (JSC::EncodedValue::put<EncodedValue>):
28632 (JSC::EncodedValue::append<EncodedValue>):
28633 (JSC::EncodedValue::get<EncodedValue>):
28634 * replay/EncodedValue.h:
28635 * replay/scripts/CodeGeneratorReplayInputs.py:
28636 (Type.borrow_type):
28637 (Type.argument_type):
28638 (Generator.generate_member_move_expression):
28639 * runtime/ConsoleClient.cpp:
28640 (JSC::ConsoleClient::printConsoleMessageWithArguments):
28641 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
28642 (JSC::ConsoleClient::logWithLevel):
28643 (JSC::ConsoleClient::clear):
28644 (JSC::ConsoleClient::dir):
28645 (JSC::ConsoleClient::dirXML):
28646 (JSC::ConsoleClient::table):
28647 (JSC::ConsoleClient::trace):
28648 (JSC::ConsoleClient::assertCondition):
28649 (JSC::ConsoleClient::group):
28650 (JSC::ConsoleClient::groupCollapsed):
28651 (JSC::ConsoleClient::groupEnd):
28652 * runtime/ConsoleClient.h:
28653 * runtime/TypeSet.cpp:
28654 (JSC::TypeSet::allStructureRepresentations):
28655 (JSC::TypeSet::inspectorTypeSet):
28656 (JSC::StructureShape::inspectorRepresentation):
28657 * runtime/TypeSet.h:
28658
2015-01-06 Chris Dumez <cdumez@apple.com>

        Drop ResourceResponseBase::connectionID and connectionReused members
        https://bugs.webkit.org/show_bug.cgi?id=140158

        Reviewed by Sam Weinig.

        Drop ResourceResponseBase::connectionID and connectionReused members.
        Those were needed by the Chromium port but are no longer used.

        * inspector/protocol/Network.json:

2015-01-06 Mark Lam <mark.lam@apple.com>

        Add the lexicalEnvironment as an operand to op_create_arguments.
        <https://webkit.org/b/140148>

        Reviewed by Geoffrey Garen.

        This patch only adds the operand to the bytecode. It is not in use yet.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        - Adds the lexicalEnvironment register (if present) as an operand to
          op_create_arguments. Else, adds a constant empty JSValue.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2015-01-06 Alexey Proskuryakov <ap@apple.com>

        ADDRESS_SANITIZER macro is overloaded
        https://bugs.webkit.org/show_bug.cgi?id=140130

        Reviewed by Anders Carlsson.

        * interpreter/JSStack.cpp: (JSC::JSStack::sanitizeStack): Use the new macro.
        This code is nearly unused (only compiled in when JIT is disabled at build time),
        however I've been told that it's best to keep it.

2015-01-06 Mark Lam <mark.lam@apple.com>

        Fix Use details for op_create_arguments.
        <https://webkit.org/b/140110>

        Rubber stamped by Filip Pizlo.

        The previous patch was wrong about op_create_arguments not using its 1st operand.
        It does read from it (hence, used) to check if the Arguments object has already
        been created or not. This patch reverts the change for op_create_arguments.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2015-01-06 Mark Lam <mark.lam@apple.com>

        Fix Use details for op_create_lexical_environment and op_create_arguments.
        <https://webkit.org/b/140110>

        Reviewed by Filip Pizlo.

        The current "Use" details for op_create_lexical_environment and
        op_create_arguments are wrong. op_create_argument uses nothing instead of the
        1st operand (the output local). op_create_lexical_environment uses its 2nd
        operand (the scope chain) instead of the 1st (the output local).
        This patch fixes them to specify the proper uses.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):

2015-01-06 Yusuke Suzuki <utatane.tea@gmail.com>

        Implement ES6 String.prototype.repeat(count)
        https://bugs.webkit.org/show_bug.cgi?id=140047

        Reviewed by Darin Adler.

        Introducing ES6 String.prototype.repeat(count) function.

        * runtime/JSString.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::repeatSmallString):
        (JSC::stringProtoFuncRepeat):

2015-01-03 Michael Saboff <msaboff@apple.com>

        Crash in operationNewFunction when scrolling on Google+
        https://bugs.webkit.org/show_bug.cgi?id=140033

        Reviewed by Oliver Hunt.

        In DFG code, the scope register can be eliminated because all uses have been
        dead code eliminated. In the case where one of the uses was creating a function
        that is never used, the baseline code will still create the function. If we OSR
        exit to a path where that function gets created, check the scope register value
        and set the new, but dead, function to undefined instead of creating a new function.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func_exp):

2015-01-01 Yusuke Suzuki <utatane.tea@gmail.com>

        String includes methods perform toString on searchString before toInt32 on an offset
        https://bugs.webkit.org/show_bug.cgi?id=140031

        Reviewed by Darin Adler.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):

2015-01-01 Gyuyoung Kim <gyuyoung.kim@samsung.com>

        Change to return std::unique_ptr<> in fooCreate()
        https://bugs.webkit.org/show_bug.cgi?id=139983

        Reviewed by Darin Adler.

        To avoid unnecessary std::unique_ptr<> casting, fooCreate() returns std::unique_ptr<> directly.

        * create_regex_tables:
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::newlineCharacterClass):
        (JSC::Yarr::YarrPattern::digitsCharacterClass):
        (JSC::Yarr::YarrPattern::spacesCharacterClass):
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
        (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):

2015-01-01 Jeff Miller <jeffm@apple.com>

        Update user-visible copyright strings to include 2015
        https://bugs.webkit.org/show_bug.cgi?id=139880

        Reviewed by Darin Adler.

        * Info.plist:

2015-01-01 Darin Adler <darin@apple.com>

        We often misspell identifier as "identifer"
        https://bugs.webkit.org/show_bug.cgi?id=140025

        Reviewed by Michael Saboff.

        * runtime/ArrayConventions.h: Fix it.

2014-12-29 Gyuyoung Kim <gyuyoung.kim@samsung.com>

        Move JavaScriptCore/yarr to std::unique_ptr
        https://bugs.webkit.org/show_bug.cgi?id=139621

        Reviewed by Anders Carlsson.

        Final clean up OwnPtr|PassOwnPtr in JavaScriptCore/yarr.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::reset):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
        (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternDisjunction::addNewAlternative):
        (JSC::Yarr::YarrPattern::newlineCharacterClass):
        (JSC::Yarr::YarrPattern::digitsCharacterClass):
        (JSC::Yarr::YarrPattern::spacesCharacterClass):
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
        (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):

2014-12-26 Dan Bernstein <mitz@apple.com>

        <rdar://problem/19348208> REGRESSION (r177027): iOS builds use the wrong toolchain
        https://bugs.webkit.org/show_bug.cgi?id=139950

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig: Only define TOOLCHAINS when building for OS X, doing so
        in a manner that works with Xcode 5.1.1.

2014-12-22 Mark Lam <mark.lam@apple.com>

        Use ctiPatchCallByReturnAddress() in JITOperations.cpp.
        <https://webkit.org/b/139892>

        Reviewed by Michael Saboff.

        The code in JITOperations.cpp sometimes calls RepatchBuffer::relinkCallerToFunction()
        directly, and sometimes uses a helper function, ctiPatchCallByReturnAddress().
        This patch changes it to use the helper function consistently.

        * jit/JITOperations.cpp:

2014-12-22 Mark Lam <mark.lam@apple.com>

        Fix some typos in a comment.
        <https://webkit.org/b/139882>

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):

2014-12-22 Mark Lam <mark.lam@apple.com>

        Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes.
        <https://webkit.org/b/138118>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):

2014-12-20 Eric Carlson <eric.carlson@apple.com>

        [iOS] add optimized fullscreen API
        https://bugs.webkit.org/show_bug.cgi?id=139833
        <rdar://problem/18844486>

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_VIDEO_PRESENTATION_MODE.

2014-12-20 David Kilzer <ddkilzer@apple.com>

        Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
        <http://webkit.org/b/139463>

        Reviewed by Mark Rowe.

        * Configurations/JavaScriptCore.xcconfig:
        - Simplify SECTORDER_FLAGS.

2014-12-19 Andreas Kling <akling@apple.com>

        Plug leak below LLVMCopyStringRepOfTargetData().
        <https://webkit.org/b/139832>

        Reviewed by Michael Saboff.

        LLVMCopyStringRepOfTargetData() returns a strdup()'ed string, so make sure
        to free() it after we're done using it.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):

2014-12-19 Joseph Pecoraro <pecoraro@apple.com>

        Web Inspector: CRASH inspector-protocol/debugger/breakpoint-action-detach.html
        https://bugs.webkit.org/show_bug.cgi?id=139797

        Reviewed by Mark Lam.

        * debugger/Debugger.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::isAttached):
        Check if we are the debugger for a particular global object.
        (JSC::Debugger::pauseIfNeeded):
        Pass the global object on when hitting a breakpoint.

        * inspector/ScriptDebugServer.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handleBreakpointHit):
        Stop evaluating breakpoint actions if a previous action caused the
        debugger to detach from this global object.
        (Inspector::ScriptDebugServer::handlePause):
        Standardize on passing JSGlobalObject parameter first.

2014-12-19 Mark Lam <mark.lam@apple.com>

        [Win] Endless compiler warnings created by DFGEdge.h.
        <https://webkit.org/b/139801>

        Reviewed by Brent Fulgham.

        Add a cast to fix the type just the way the 64-bit version does.

        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):

2014-12-19 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r177574.
        https://bugs.webkit.org/show_bug.cgi?id=139821

        "Broke Production builds by installing
        libWebCoreTestSupport.dylib in the wrong directory" (Requested
        by ddkilzer on #webkit).

        Reverted changeset:

        "Switch from using PLATFORM_NAME to SDK selectors in WebCore,
        WebInspectorUI, WebKit, WebKit2"
        https://bugs.webkit.org/show_bug.cgi?id=139463
        http://trac.webkit.org/changeset/177574

2014-12-19 Michael Saboff <msaboff@apple.com>

        REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked
        https://bugs.webkit.org/show_bug.cgi?id=139808

        Reviewed by Oliver Hunt.

        There are three changes here.
        1) Create a VariableWatchpointSet for captured arguments variables.
        2) Properly use the VariableWatchpointSet* found in op_put_to_scope in the 64 bit LLInt code.
        3) Add the same putLocalClosureVar path to the 32 bit LLInt code that exists in the 64 bit version.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-12-19 David Kilzer <ddkilzer@apple.com>

        Switch from using PLATFORM_NAME to SDK selectors in WebCore, WebInspectorUI, WebKit, WebKit2
        <http://webkit.org/b/139463>

        Reviewed by Mark Rowe.

        * Configurations/JavaScriptCore.xcconfig:
        - Simplify SECTORDER_FLAGS.

2014-12-18 Brent Fulgham <bfulgham@apple.com>

        Unreviewed build fix.

        * jsc.cpp: Remove typo.

2014-12-17 Michael Saboff <msaboff@apple.com>

        Tests with infinite recursion frequently crash
        https://bugs.webkit.org/show_bug.cgi?id=139548

        Reviewed by Geoffrey Garen.

        While unwinding, if the call frame doesn't have a codeblock, then we
        are in native code, handle appropriately.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::UnwindFunctor::operator()):
        Added checks for null CodeBlock.

        (JSC::Interpreter::unwind): Removed wrong ASSERT.

2014-12-17 Chris Dumez <cdumez@apple.com>

        [iOS] Make it possible to toggle FeatureCounter support at runtime
        https://bugs.webkit.org/show_bug.cgi?id=139688
        <rdar://problem/19266254>

        Reviewed by Andreas Kling.

        Stop linking against AppSupport framework as the functionality is no
        longer in WTF (it was moved to WebCore).

        * Configurations/JavaScriptCore.xcconfig:

2014-12-17 Brent Fulgham <bfulgham@apple.com>

        [Win] Correct DebugSuffix builds under MSBuild
        https://bugs.webkit.org/show_bug.cgi?id=139733
        <rdar://problem/19276880>

        Reviewed by Simon Fraser.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Make sure to use the
        '_debug' suffix when building the DebugSuffix target.

2014-12-16 Enrica Casucci <enrica@apple.com>

        Fix iOS builders for 8.0
        https://bugs.webkit.org/show_bug.cgi?id=139495

        Reviewed by Michael Saboff.

        * Configurations/LLVMForJSC.xcconfig:
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-12-16 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r177380.
        https://bugs.webkit.org/show_bug.cgi?id=139707

        "Breaks js/regres/elidable-new-object-* tests" (Requested by
        msaboff_ on #webkit).

        Reverted changeset:

        "Fixes operationPutByIdOptimizes such that they check that the
        put didn't"
        https://bugs.webkit.org/show_bug.cgi?id=139500
        http://trac.webkit.org/changeset/177380

2014-12-16 Matthew Mirman <mmirman@apple.com>

        Fixes operationPutByIdOptimizes such that they check that the put didn't
        change the structure of the object whose property access is being
        cached.
        https://bugs.webkit.org/show_bug.cgi?id=139500

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp:
        (JSC::operationPutByIdStrictOptimize): saved the structure before the put.
        (JSC::operationPutByIdNonStrictOptimize): ditto.
        (JSC::operationPutByIdDirectStrictOptimize): ditto.
        (JSC::operationPutByIdDirectNonStrictOptimize): ditto.
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID): Added argument for the old structure
        (JSC::repatchPutByID): Added argument for the old structure
        * jit/Repatch.h:
        * tests/stress/put-by-id-build-list-order-recurse.js:
        Added test that fails without this patch.

2014-12-15 Chris Dumez <cdumez@apple.com>

        [iOS] Add feature counting support
        https://bugs.webkit.org/show_bug.cgi?id=139652
        <rdar://problem/19255690>

        Reviewed by Gavin Barraclough.

        Link against AppSupport framework on iOS as we need it to implement
        the new FeatureCounter API in WTF.

        * Configurations/JavaScriptCore.xcconfig:

2014-12-15 Commit Queue <commit-queue@webkit.org>

        Unreviewed, rolling out r177284.
        https://bugs.webkit.org/show_bug.cgi?id=139658

        "Breaks API tests and LayoutTests on Yosemite Debug"
        (Requested by msaboff on #webkit).

        Reverted changeset:

        "Make sure range based iteration of Vector<> still receives
        bounds checking"
        https://bugs.webkit.org/show_bug.cgi?id=138821
        http://trac.webkit.org/changeset/177284

291302014-12-15 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
29131
29132 [EFL] FTL JIT not working on ARM64
29133 https://bugs.webkit.org/show_bug.cgi?id=139295
29134
29135 Reviewed by Michael Saboff.
29136
29137 Added the missing code for stack unwinding and some additional small fixes
29138 to get FTL working correctly.
29139
29140 * ftl/FTLCompile.cpp:
29141 (JSC::FTL::mmAllocateDataSection):
29142 * ftl/FTLUnwindInfo.cpp:
29143 (JSC::FTL::UnwindInfo::parse):
29144
291452014-12-15 Oliver Hunt <oliver@apple.com>
29146
29147 Make sure range based iteration of Vector<> still receives bounds checking
29148 https://bugs.webkit.org/show_bug.cgi?id=138821
29149
29150 Reviewed by Mark Lam.
29151
29152 Update code to deal with slightly changed iterator semantics.
29153
29154 * bytecode/UnlinkedCodeBlock.cpp:
29155 (JSC::UnlinkedCodeBlock::visitChildren):
29156 * bytecompiler/BytecodeGenerator.cpp:
29157 (JSC::BytecodeGenerator::emitComplexPopScopes):
29158 * dfg/DFGSpeculativeJIT.cpp:
29159 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
29160 * ftl/FTLAbbreviations.h:
29161 (JSC::FTL::mdNode):
29162 (JSC::FTL::buildCall):
29163 * llint/LLIntData.cpp:
29164 (JSC::LLInt::Data::performAssertions):
29165 * parser/Parser.h:
29166 (JSC::Scope::Scope):
29167 * runtime/JSArray.cpp:
29168 (JSC::JSArray::setLengthWithArrayStorage):
29169 (JSC::JSArray::sortCompactedVector):
29170 * tools/ProfileTreeNode.h:
29171 (JSC::ProfileTreeNode::dumpInternal):
29172 * yarr/YarrJIT.cpp:
29173 (JSC::Yarr::YarrGenerator::matchCharacterClass):
29174
291752014-12-14 Filip Pizlo <fpizlo@apple.com>
29176
29177 PutLocalSinkingPhase has an invalid assertion about incoming values, because both liveness and deferral analyses are conservative
29178 https://bugs.webkit.org/show_bug.cgi?id=139630
29179
29180 Reviewed by Oliver Hunt.
29181
29182 Replaces a faulty assertion with code to handle an awesome special case. Also adds a lot of
29183 comments that reconstruct my reasoning about this code. I had to work hard to remember how
29184 deferral worked so I wrote my discoveries down.
29185
29186 * dfg/DFGInsertionSet.h:
29187 (JSC::DFG::InsertionSet::insertBottomConstantForUse):
29188 * dfg/DFGPutLocalSinkingPhase.cpp:
29189 * tests/stress/put-local-conservative.js: Added.
29190 (foo):
29191 (.result):
29192 (bar):
29193
291942014-12-14 Andreas Kling <akling@apple.com>
29195
29196 Replace PassRef with Ref/Ref&& across the board.
29197 <https://webkit.org/b/139587>
29198
29199 Reviewed by Darin Adler.
29200
29201 * runtime/Identifier.cpp:
29202 (JSC::Identifier::add):
29203 (JSC::Identifier::add8):
29204 * runtime/Identifier.h:
29205 (JSC::Identifier::add):
29206 * runtime/IdentifierInlines.h:
29207 (JSC::Identifier::add):
29208
292092014-12-12 Matthew Mirman <mmirman@apple.com>
29210
29211 shiftCountWithArrayStorage should exit to slow path if the object has a sparse map.
29212 https://bugs.webkit.org/show_bug.cgi?id=139598
29213 <rdar://problem/18779367>
29214
29215 Reviewed by Filip Pizlo.
29216
29217 * runtime/JSArray.cpp:
29218 (JSC::JSArray::shiftCountWithArrayStorage): Added check for object having a sparse map.
29219 * tests/stress/sparse_splice.js: Added.
29220
2014-12-12  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Final clean up OwnPtr in JSC - runtime, ftl, and tool directories
        https://bugs.webkit.org/show_bug.cgi?id=139532

        Reviewed by Mark Lam.

        Final remove OwnPtr, PassOwnPtr in runtime, ftl, and tools directories of JSC.

        * builtins/BuiltinExecutables.h:
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLJITFinalizer.h:
        * jsc.cpp:
        (jscmain):
        * parser/Lexer.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::clearDeletedOffsets):
        (JSC::PropertyTable::addDeletedOffset):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/RegExpObject.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        * runtime/StructureIDTable.h:
        * runtime/StructureTransitionTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * tools/CodeProfile.h:
        (JSC::CodeProfile::CodeProfile):
        (JSC::CodeProfile::addChild):

2014-12-11  Dan Bernstein  <mitz@apple.com>

        iOS Simulator production build fix.

        * Configurations/JavaScriptCore.xcconfig: Don’t use an order file when building for the iOS
        Simulator, as we did prior to 177027.

2014-12-11  Joseph Pecoraro  <pecoraro@apple.com>

        Explicitly export some more RWIProtocol classes.
        rdar://problem/19220408

        Unreviewed build fix.

        * inspector/scripts/codegen/generate_objc_configuration_header.py:
        (ObjCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_event_interfaces):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/enum-values.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2014-12-11  Alexey Proskuryakov  <ap@apple.com>

        Explicitly export some RWIProtocol classes
        rdar://problem/19220408

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2014-12-11  Mark Lam  <mark.lam@apple.com>

        Fix broken build after r177146.
        https://bugs.webkit.org/show_bug.cgi?id=139533

        Not reviewed.

        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        - Restored CallFrame::init() minus the unused JSScope* arg.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        - Remove JSScope* arg when calling CallFrame::init().

2014-12-11  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Use of undefined CallFrame::ScopeChain value
        https://bugs.webkit.org/show_bug.cgi?id=139533

        Reviewed by Mark Lam.

        Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed
        all usages of these functions. In some cases the scope is passed in or determined
        another way. In some cases the scope is used to calculate other values. Lastly,
        there were places where these functions were used that are no longer needed. For
        example when making a call, the caller's ScopeChain was copied to the callee's
        ScopeChain. This change no longer uses the ScopeChain call frame header slot.
        That slot will be removed in a future patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_lexical_environment):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        Pass the current scope value to the helper operationCreateActivation() and
        the call to JSLexicalEnvironment::create() instead of using the stack frame
        scope chain value.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        CreateActivation now has a second child, the scope.

        * interpreter/CallFrame.h:
        (JSC::ExecState::init): Deleted. This is dead code.
        (JSC::ExecState::scope): Deleted.
        (JSC::ExecState::setScope): Deleted.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters): Changed so we didn't access the scope
        chain slot.

        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        Changed process to find JSScope values on the stack or by some other means.

        * runtime/JSWithScope.h:
        (JSC::JSWithScope::JSWithScope): Deleted.
        Eliminated unused constructor.

        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        Changed to pass in the current scope.

2014-12-10  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Use std::unique_ptr instead of OwnPtr in JSC - heap, jit, runtime, and parser directories
        https://bugs.webkit.org/show_bug.cgi?id=139351

        Reviewed by Filip Pizlo.

        As a step to use std::unique_ptr<>, this cleans up OwnPtr and PassOwnPtr.

        * bytecode/SamplingTool.h:
        (JSC::SamplingTool::SamplingTool):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::pin):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/GCActivityCallback.h:
        * heap/GCThread.cpp:
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::markListSet):
        * jit/ExecutableAllocator.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::JITThunks::clearHostFunctionStubs):
        * jit/JITThunks.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        * parser/Parser.h:
        (JSC::Scope::Scope):
        (JSC::Scope::pushLabel):
        * parser/ParserArena.cpp:
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena):
        * parser/SourceProviderCache.h:
        * runtime/CodeCache.h:
        * runtime/Executable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        * runtime/JSGlobalObject.h:

2014-12-10  Geoffrey Garen  <ggaren@apple.com>

        Please disable the webkitFirstVersionWithInitConstructorSupport check on Apple TV
        https://bugs.webkit.org/show_bug.cgi?id=139501

        Reviewed by Gavin Barraclough.

        NSVersionOfLinkTimeLibrary only works if you link directly against
        JavaScriptCore, which is a bit awkward for our Apple TV client to do.

        It's easy enough just to disable this check on Apple TV, since it has no
        backwards compatibility requirement.

        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):

2014-12-10  Matthew Mirman  <mmirman@apple.com>

        Fixes operationPutByIds such that they check that the put didn't
        change the structure of the object whose property access is being
        cached.
        https://bugs.webkit.org/show_bug.cgi?id=139196

        Reviewed by Filip Pizlo.

        * jit/JITOperations.cpp:
        (JSC::operationGetByIdOptimize): changed get to getPropertySlot
        (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
        (JSC::operationPutByIdNonStrictBuildList): ditto.
        (JSC::operationPutByIdDirectStrictBuildList): ditto.
        (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID): fixed structure() to use the existing vm.
        (JSC::tryBuildPutByIdList): Added a check that the old structure's id
        is the same as the new.
        (JSC::buildPutByIdList): Added an argument
        * jit/Repatch.h:
        (JSC::buildPutByIdList): Added an argument
        * tests/stress/put-by-id-strict-build-list-order.js: Added.

2014-12-10  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r177030.

        Fix linking failure occurred on ARM buildbots:
        lib/libjavascriptcore_efl.so.1.11.0: undefined reference to `JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&)'

        * runtime/NullGetterFunction.cpp:

2014-12-09  Michael Saboff  <msaboff@apple.com>

        DFG Tries using an inner object's getter/setter when one hasn't been defined
        https://bugs.webkit.org/show_bug.cgi?id=139229

        Reviewed by Filip Pizlo.

        Added a new NullGetterFunction singleton class to use for getters and setters that
        haven't been set to a user defined value. The NullGetterFunction callReturnUndefined()
        and createReturnUndefined() methods return undefined. Changed all null checks of the
        getter and setter pointers to the newly added isGetterNull() and isSetterNull()
        helper methods.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added NullGetterFunction.cpp & .h to build files.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        Changed checking getter and setter to null to use new isGetterNull() and isSetterNull()
        helpers.

        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        Updated calls to GetterSetter::create(), setGetter(), setSetter(), withGetter()
        and withSetter() to provide a global object.

        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::withGetter):
        (JSC::GetterSetter::withSetter):
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::create):
        (JSC::GetterSetter::isGetterNull):
        (JSC::GetterSetter::isSetterNull):
        (JSC::GetterSetter::setGetter):
        (JSC::GetterSetter::setSetter):
        Changed to use NullGetterFunction for unspecified getters / setters.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullGetterFunction):
        (JSC::JSGlobalObject::evalFunction):
        Added m_nullGetterFunction singleton. Updated calls to GetterSetter::create(),
        setGetter() and setSetter() to provide a global object.

        * runtime/NullGetterFunction.cpp: Added.
        (JSC::callReturnUndefined):
        (JSC::constructReturnUndefined):
        (JSC::NullGetterFunction::getCallData):
        (JSC::NullGetterFunction::getConstructData):
        * runtime/NullGetterFunction.h: Added.
        (JSC::NullGetterFunction::create):
        (JSC::NullGetterFunction::createStructure):
        (JSC::NullGetterFunction::NullGetterFunction):
        New singleton class that returns undefined when called.

2014-12-09  Geoffrey Garen  <ggaren@apple.com>

        Re-enable function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=139452
        <rdar://problem/18848149>

        Reviewed by Sam Weinig.

        Disabling function.arguments broke a few websites, and we don't have
        time right now to work through the details.

        I'm re-enabling function.arguments but leaving in the infrastructure
        to re-disable it, so we can try this experiment again in the future.

        * runtime/Options.h:

2014-12-09  David Kilzer  <ddkilzer@apple.com>

        Switch from using PLATFORM_NAME to SDK selectors in ANGLE, bmalloc, gtest, JavaScriptCore, WTF
        <http://webkit.org/b/139212>

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig:
        - Only set GCC_ENABLE_OBJC_GC, GCC_MODEL_TUNING and TOOLCHAINS
        on OS X.
        - Only set LLVM_LOCAL_HEADER_PATH and LLVM_SYSTEM_HEADER_PATH on
        OS X.
        - Set JAVASCRIPTCORE_CONTENTS_DIR and
        JAVASCRIPTCORE_FRAMEWORKS_DIR separately for iOS and OS X.

        * Configurations/DebugRelease.xcconfig:
        - Only set MACOSX_DEPLOYMENT_TARGET and SDKROOT on OS X.

        * Configurations/JSC.xcconfig:
        - Only set CODE_SIGN_ENTITLEMENTS for iOS hardware builds.

        * Configurations/JavaScriptCore.xcconfig:
        - Set OTHER_LDFLAGS separately for iOS and OS X.
        - Set SECTORDER_FLAGS separately for iOS and OS X, but only for
        Production builds.
        - Only set EXCLUDED_SOURCE_FILE_NAMES for iOS.

        * Configurations/LLVMForJSC.xcconfig:
        - Rename LLVM_LIBS_iphoneos to LLVM_LIBS_ios.
        - Set LLVM_LIBRARY_PATHS and OTHER_LDFLAGS_LLVM_ENABLE_FTL_JIT
        separately for iOS hardware and OS X.
        - Fix curly braces in LIBRARY_SEARCH_PATHS.
        - Merge OTHER_LDFLAGS_BASE into OTHER_LDFLAGS. (Could have been
        done before this patch.)

        * Configurations/ToolExecutable.xcconfig:
        - Only set CODE_SIGN_ENTITLEMENTS for iOS, per target.
        - Only set CLANG_ENABLE_OBJC_ARC for i386 on the iOS Simulator.
        - Add missing newline.

        * Configurations/Version.xcconfig:
        - Set SYSTEM_VERSION_PREFIX separately for iOS and OS X.

2014-12-08  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Fix EFL build fix since r177001
        https://bugs.webkit.org/show_bug.cgi?id=139428

        Unreviewed, EFL build fix.

        Do not inherit duplicated class. ExpressionNode is already
        child of ParserArenaFreeable class.

        * parser/Nodes.h:

2014-12-08  Shivakumar JM  <shiva.jm@samsung.com>

        Fix Build Warning in JavaScriptCore ControlFlowProfiler::dumpData() api.
        https://bugs.webkit.org/show_bug.cgi?id=139384

        Reviewed by Mark Lam.

        Fix Build Warning by using dataLog() function instead of dataLogF() function.

        * runtime/ControlFlowProfiler.cpp:
        (JSC::ControlFlowProfiler::dumpData):

2014-12-08  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Enable runtime API for JSC's control flow profiler
        https://bugs.webkit.org/show_bug.cgi?id=139346

        Reviewed by Joseph Pecoraro.

        This patch creates an API that the Web Inspector can use
        to get information about which basic blocks have executed
        from JSC's control flow profiler.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2014-12-08  Geoffrey Garen  <ggaren@apple.com>

        Removed some allocation and cruft from the parser
        https://bugs.webkit.org/show_bug.cgi?id=139416

        Reviewed by Mark Lam.

        Now, the only AST nodes that require a destructor are the ones that
        relate to pickling a function's arguments -- which will require some
        deeper thinking to resolve.

        This is a < 1% parser speedup.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed NodeInfo because it
        was unused.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CommaNode::emitBytecode):
        (JSC::SourceElements::lastStatement):
        (JSC::SourceElements::emitBytecode): Updated for interface change to linked list.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::varDeclarations):
        (JSC::ASTBuilder::funcDeclarations):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::addVar): Removed the ParserArenaData abstraction because
        it wasn't buying us anything. We can just use Vector directly.

        (JSC::ASTBuilder::createCommaExpr):
        (JSC::ASTBuilder::appendToCommaExpr): Changed to use a linked list instead
        of a vector, to avoid allocating a vector with inline capacity in the
        common case in which an expression is not followed by a vector.

        (JSC::ASTBuilder::Scope::Scope): Use Vector directly to avoid new'ing
        up a Vector*.

        (JSC::ASTBuilder::appendToComma): Deleted.
        (JSC::ASTBuilder::combineCommaNodes): Deleted.

        * parser/Lexer.cpp:

        * parser/NodeConstructors.h:
        (JSC::StatementNode::StatementNode):
        (JSC::CommaNode::CommaNode):
        (JSC::SourceElements::SourceElements): Updated for interface change to linked list.

        * parser/NodeInfo.h: Removed.

        * parser/Nodes.cpp:
        (JSC::SourceElements::append):
        (JSC::SourceElements::singleStatement): Use a linked list instead of a
        vector to track the statements in a list. This removes some allocation
        and it means that we don't need a destructor anymore.

        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::EvalNode::EvalNode):
        (JSC::FunctionNode::FunctionNode): Updated for interface change to reference,
        since these values are never null.

        * parser/Nodes.h:
        (JSC::StatementNode::next):
        (JSC::StatementNode::setNext):
        (JSC::CommaNode::append): Deleted. Updated for interface change to linked list.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::didFinishParsing): Updated for interface change to reference.

        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseExpression): Track comma expressions as
        an explicit list of CommaNodes, removing a use of vector and a destructor.

        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createCommaExpr):
        (JSC::SyntaxChecker::appendToCommaExpr):
        (JSC::SyntaxChecker::appendToComma): Deleted. Updated for interface changes.

2014-12-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r176979.
        https://bugs.webkit.org/show_bug.cgi?id=139424

        "New JSC test in this patch is failing" (Requested by mlam on
        #webkit).

        Reverted changeset:

        "Fixes operationPutByIds such that they check that the put
        didn't"
        https://bugs.webkit.org/show_bug.cgi?id=139196
        http://trac.webkit.org/changeset/176979

2014-12-08  Matthew Mirman  <mmirman@apple.com>

        Fixes operationPutByIds such that they check that the put didn't
        change the structure of the object whose property access is being
        cached.
        https://bugs.webkit.org/show_bug.cgi?id=139196

        Reviewed by Filip Pizlo.

        * jit/JITOperations.cpp:
        (JSC::operationGetByIdOptimize): changed get to getPropertySlot
        (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
        (JSC::operationPutByIdNonStrictBuildList): ditto.
        (JSC::operationPutByIdDirectStrictBuildList): ditto.
        (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
        * jit/Repatch.cpp:
        (JSC::tryCachePutByID): fixed structure() to use the existing vm.
        (JSC::tryBuildPutByIdList): Added a check that the old structure's id
        is the same as the new.
        (JSC::buildPutByIdList): Added an argument
        * jit/Repatch.h:
        (JSC::buildPutByIdList): Added an argument
        * tests/stress/put-by-id-build-list-order-recurse.js: Test that failed before the change
        * tests/stress/put-by-id-strict-build-list-order.js: Added.

2014-12-08  Anders Carlsson  <andersca@apple.com>

        Change WTF::currentCPUTime to return std::chrono::microseconds and get rid of currentCPUTimeMS
        https://bugs.webkit.org/show_bug.cgi?id=139410

        Reviewed by Andreas Kling.

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::startCountdownIfNeeded):
        (JSC::Watchdog::startCountdown):
        * runtime/Watchdog.h:
        * runtime/WatchdogMac.cpp:
        (JSC::Watchdog::startTimer):

2014-12-08  Mark Lam  <mark.lam@apple.com>

        CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
        <https://webkit.org/b/139327>

        Reviewed by Michael Saboff.

        The code generator and runtime slow paths expect otherwise. This patch fixes
        CFA to match the code generator's expectation.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):

2014-12-08  Chris Dumez  <cdumez@apple.com>

        Revert r176293 & r176275

        Unreviewed, revert r176293 & r176275 changing the Vector API to use unsigned type
        instead of size_t. There is some disagreement regarding the long-term direction
        of the API and we shouldn’t leave the API partly transitioned to unsigned type
        while making a decision.

        * bytecode/PreciseJumpTargets.cpp:
        * replay/EncodedValue.h:

2014-12-07  Csaba Osztrogonác  <ossy@webkit.org>

        Remove the unused WTF_USE_GCC_COMPUTED_GOTO_WORKAROUND after r129453.
        https://bugs.webkit.org/show_bug.cgi?id=139373

        Reviewed by Sam Weinig.

        * interpreter/Interpreter.cpp:

2014-12-06  Anders Carlsson  <andersca@apple.com>

        Fix build with newer versions of clang.
        rdar://problem/18978716

        * ftl/FTLJITCode.h:
        Add missing overrides.

2014-12-05  Roger Fong  <roger_fong@apple.com>

        [Win] proj files copying over too many resources.
        https://bugs.webkit.org/show_bug.cgi?id=139315
        <rdar://problem/19148278>

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Only copy resource folders and JavaScriptCore.dll.

2014-12-05  Juergen Ributzka  <juergen@apple.com>

        [JSC][FTL] Add the data layout to the module and fix the pass order.
        https://bugs.webkit.org/show_bug.cgi?id=138748

        Reviewed by Oliver Hunt.

        This adds the data layout to the module, so it can be used by all
        optimization passes in the LLVM optimizer pipeline. This also allows
        FastISel to select more instructions, because fewer non-legal types are
        generated.

        Also fix the order of the alias analysis passes in the optimization
        pipeline.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):

2014-12-05  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused function.

        Reviewed by Michael Saboff.

        Broken out from https://bugs.webkit.org/show_bug.cgi?id=139305.

        * parser/ParserArena.h:

2014-12-05  David Kilzer  <ddkilzer@apple.com>

        FeatureDefines.xcconfig: Workaround bug in Xcode 5.1.1 when defining ENABLE_WEB_REPLAY
        <http://webkit.org/b/139286>

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig: Switch back to using
        PLATFORM_NAME to work around a bug in Xcode 5.1.1 on 10.8.

2014-12-04  Mark Rowe  <mrowe@apple.com>

        Build fix after r176836.

        Reviewed by Mark Lam.

        * runtime/VM.h:
        (JSC::VM::controlFlowProfiler): Don't try to export an inline function.
        Doing so results in a weak external symbol being generated.

2014-12-04  Saam Barati  <saambarati1@gmail.com>

        JavaScript Control Flow Profiler
        https://bugs.webkit.org/show_bug.cgi?id=137785

        Reviewed by Filip Pizlo.

        This patch introduces a mechanism for JavaScriptCore to profile
        which basic blocks have executed. This mechanism will then be
        used by the Web Inspector to indicate which basic blocks
        have and have not executed.

        The profiling works by compiling in an op_profile_control_flow
        at the start of every basic block. Then, whenever this op code
        executes, we know that a particular basic block has executed.

        When we tier up a CodeBlock that contains an op_profile_control_flow
        that corresponds to an already executed basic block, we don't
        have to emit code for that particular op_profile_control_flow
        because the internal data structures used to keep track of
        basic block locations have already recorded that the corresponding
        op_profile_control_flow has executed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Instruction.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfileControlFlow):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConditionalNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::CaseClauseNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::basicBlockLocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_control_flow):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_control_flow):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        (functionDumpBasicBlockExecutionRanges):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::endOffset):
        (JSC::ASTBuilder::setStartOffset):
        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        * parser/Nodes.h:
        (JSC::CaseClauseNode::setStartOffset):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseSwitchClauses):
        (JSC::Parser<LexerType>::parseSwitchDefaultClause):
        (JSC::Parser<LexerType>::parseBlockStatement):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseIfStatement):
        (JSC::Parser<LexerType>::parseExpression):
        (JSC::Parser<LexerType>::parseConditionalExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/BasicBlockLocation.cpp: Added.
        (JSC::BasicBlockLocation::BasicBlockLocation):
        (JSC::BasicBlockLocation::insertGap):
        (JSC::BasicBlockLocation::getExecutedRanges):
        (JSC::BasicBlockLocation::dumpData):
        (JSC::BasicBlockLocation::emitExecuteCode):
        * runtime/BasicBlockLocation.h: Added.
        (JSC::BasicBlockLocation::startOffset):
        (JSC::BasicBlockLocation::endOffset):
        (JSC::BasicBlockLocation::setStartOffset):
        (JSC::BasicBlockLocation::setEndOffset):
        (JSC::BasicBlockLocation::hasExecuted):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/ControlFlowProfiler.cpp: Added.
        (JSC::ControlFlowProfiler::~ControlFlowProfiler):
        (JSC::ControlFlowProfiler::getBasicBlockLocation):
        (JSC::ControlFlowProfiler::dumpData):
        (JSC::ControlFlowProfiler::getBasicBlocksForSourceID):
        * runtime/ControlFlowProfiler.h: Added. This class is in
        charge of generating BasicBlockLocations and also
        providing an interface that the Web Inspector can use to ping
        which basic blocks have executed based on the source id of a script.

        (JSC::BasicBlockKey::BasicBlockKey):
        (JSC::BasicBlockKey::isHashTableDeletedValue):
        (JSC::BasicBlockKey::operator==):
        (JSC::BasicBlockKey::hash):
        (JSC::BasicBlockKeyHash::hash):
        (JSC::BasicBlockKeyHash::equal):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/FunctionHasExecutedCache.cpp:
        (JSC::FunctionHasExecutedCache::getUnexecutedFunctionRanges):
        * runtime/FunctionHasExecutedCache.h:
        * runtime/Options.h:
        * runtime/TypeProfiler.cpp:
30073 (JSC::TypeProfiler::logTypesForTypeLocation):
30074 (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
30075 (JSC::TypeProfiler::findLocation):
30076 (JSC::TypeProfiler::dumpTypeProfilerData):
30077 * runtime/TypeProfiler.h:
30078 (JSC::TypeProfiler::functionHasExecutedCache): Deleted.
30079 * runtime/VM.cpp:
30080 (JSC::VM::VM):
30081 (JSC::enableProfilerWithRespectToCount):
30082 (JSC::disableProfilerWithRespectToCount):
30083 (JSC::VM::enableTypeProfiler):
30084 (JSC::VM::disableTypeProfiler):
30085 (JSC::VM::enableControlFlowProfiler):
30086 (JSC::VM::disableControlFlowProfiler):
30087 (JSC::VM::dumpTypeProfilerData):
30088 * runtime/VM.h:
30089 (JSC::VM::functionHasExecutedCache):
30090 (JSC::VM::controlFlowProfiler):
30091
300922014-12-04 Filip Pizlo <fpizlo@apple.com>
30093
30094 printInternal(PrintStream& out, JSC::JITCode::JITType type) ends up dumping a literal %s
30095 https://bugs.webkit.org/show_bug.cgi?id=139274
30096
30097 Reviewed by Geoffrey Garen.
30098
30099 * jit/JITCode.cpp:
30100 (WTF::printInternal):
30101
301022014-12-04 Geoffrey Garen <ggaren@apple.com>
30103
30104 Removed the concept of ParserArenaRefCounted
30105 https://bugs.webkit.org/show_bug.cgi?id=139277
30106
30107 Reviewed by Oliver Hunt.
30108
30109 This is a step toward a parser speedup.
30110
30111 Now that we have a clear root node type for each parse tree, there's no
30112 need to have a concept for "I might be refcounted or arena allocated".
30113 Instead, we can just use unique_ptr to manage the tree as a whole.
30114
30115 * API/JSScriptRef.cpp:
30116 (parseScript):
30117 * builtins/BuiltinExecutables.cpp:
30118 (JSC::BuiltinExecutables::createBuiltinExecutable): Updated for type change.
30119
30120 * bytecode/UnlinkedCodeBlock.cpp:
30121 (JSC::generateFunctionCodeBlock): Use unique_ptr. No need to call
30122 destroyData() explicitly: the unique_ptr destructor will do everything
30123 we need, as Bjarne intended.
30124
30125 * parser/NodeConstructors.h:
30126 (JSC::ParserArenaRoot::ParserArenaRoot):
30127 (JSC::ParserArenaRefCounted::ParserArenaRefCounted): Deleted.
30128
30129 * parser/Nodes.cpp:
30130 (JSC::ScopeNode::ScopeNode):
30131 (JSC::ProgramNode::ProgramNode):
30132 (JSC::EvalNode::EvalNode):
30133 (JSC::FunctionNode::FunctionNode):
30134 (JSC::ProgramNode::create): Deleted.
30135 (JSC::EvalNode::create): Deleted.
30136 (JSC::FunctionNode::create): Deleted. All special create semantics can
30137 just go away now that we play by C++ constructor / destructor rules.
30138
30139 * parser/Nodes.h:
30140 (JSC::ParserArenaRoot::parserArena):
30141 (JSC::ParserArenaRoot::~ParserArenaRoot): Just a normal class now, which
30142 holds onto the whole parse tree by virtue of owning the arena in which
30143 all the parsed nodes (except for itself) were allocated.
30144
30145 (JSC::ProgramNode::closedVariables):
30146 (JSC::ParserArenaRefCounted::~ParserArenaRefCounted): Deleted.
30147
30148 (JSC::ScopeNode::destroyData): Deleted. No need to destroy anything
30149 explicitly anymore -- we can just rely on destructors.
30150
30151 (JSC::ScopeNode::parserArena): Deleted.
30152
30153 * parser/Parser.h:
30154 (JSC::Parser<LexerType>::parse):
30155 (JSC::parse): unique_ptr all the things.
30156
30157 * parser/ParserArena.cpp:
30158 (JSC::ParserArena::reset):
30159 (JSC::ParserArena::isEmpty):
30160 (JSC::ParserArena::contains): Deleted.
30161 (JSC::ParserArena::last): Deleted.
30162 (JSC::ParserArena::removeLast): Deleted.
30163 (JSC::ParserArena::derefWithArena): Deleted.
30164 * parser/ParserArena.h:
30165 (JSC::ParserArena::swap): Much delete. Such wow.
30166
30167 * runtime/CodeCache.cpp:
30168 (JSC::CodeCache::getGlobalCodeBlock):
30169 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
30170 * runtime/Completion.cpp:
30171 (JSC::checkSyntax):
30172 * runtime/Executable.cpp:
30173 (JSC::ProgramExecutable::checkSyntax): unique_ptr all the things.
30174
301752014-12-04 Andreas Kling <akling@apple.com>
30176
30177 REGRESSION(r173188): Text inserted when trying to delete a word from the Twitter message box.
30178 <https://webkit.org/b/139076>
30179
30180 Reviewed by Geoffrey Garen.
30181
30182 The StringImpl* -> Weak<JSString> cache used by the DOM bindings
30183 had a bug where the key could become a stale pointer if the cached
30184 JSString had its internal StringImpl atomicized.
30185
30186 If a new StringImpl was then later constructed at the exact same
30187 address as the stale key, before the Weak<JSString> got booted out
30188 of the string cache, we'd now have a situation where asking the
30189 string cache for that key would return the old JSString.
30190
30191 Solve this by not allowing JSString::toExistingAtomicString() to
30192 change the JSString's internal StringImpl unless it's resolving a
30193 rope string. (The StringImpl nullity determines rope state.)
30194
30195 This means that calling toExistingAtomicString() may now have to
30196 query the AtomicString table on each call rather than just once.
30197 All clients of this API would be forced to do this regardless,
30198 since the return value will be used to key into containers with
30199 AtomicStringImpl* keys.
30200
30201 No test because this relies on malloc putting two StringImpls
30202 at the same address at different points in time and we have no
30203 mechanism to reliably test that.
30204
30205 * runtime/JSString.h:
30206 (JSC::JSString::toExistingAtomicString):
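
The following is an added illustration, not JavaScriptCore code, of the stale-key sequence this entry describes. StringImpl, JSString, AtomicTable and the cache are simplified stand-ins for the real classes; the fixed-slot pool stands in for malloc so that address reuse is deterministic, which is what the entry says cannot be arranged reliably in the real tree. The two toExistingAtomicString variants model the pre-fix (swaps the JSString's impl) and post-fix (leaves it alone) behaviour.

```cpp
// Added example, not JavaScriptCore code: model of the stale cache key bug.
// All names here are simplified stand-ins; SlotPool replaces malloc so that a
// freed address is handed out again deterministically.
#include <cstddef>
#include <map>
#include <string>
#include <unordered_map>

struct StringImpl {
    std::string chars;
    bool isAtomic = false;
    int refCount = 0;   // 0 means the slot is free
};

// Four fixed slots. A slot is freed when its refCount drops to zero, and the
// next allocation reuses the lowest free slot, so a freed address comes back.
class SlotPool {
public:
    StringImpl* allocate(const std::string& s) {
        for (StringImpl& slot : m_slots) {
            if (slot.refCount != 0) continue;
            slot.chars = s; slot.isAtomic = false; slot.refCount = 1;
            return &slot;
        }
        return nullptr; // exhausted; never reached below
    }
    static void ref(StringImpl* impl) { ++impl->refCount; }
    static void deref(StringImpl* impl) { --impl->refCount; } // zero frees the slot
private:
    StringImpl m_slots[4];
};

// The AtomicString table owns its entries; std::map nodes never move.
class AtomicTable {
public:
    StringImpl* intern(const std::string& s) {
        StringImpl& impl = m_table[s];
        impl.chars = s; impl.isAtomic = true; impl.refCount = 1; // table's own ref
        return &impl;
    }
    StringImpl* lookup(const std::string& s) {
        auto it = m_table.find(s);
        return it == m_table.end() ? nullptr : &it->second;
    }
private:
    std::map<std::string, StringImpl> m_table;
};

// A JSString holds one ref on its StringImpl (a null impl would mean a rope;
// ropes are left out of this model).
struct JSString {
    StringImpl* impl;
};

// The bindings cache: raw StringImpl* -> JSString*, standing in for the
// StringImpl* -> Weak<JSString> map the entry talks about.
using StringCache = std::unordered_map<const StringImpl*, JSString*>;

// Pre-fix shape: atomicizing swaps the JSString over to the table's copy and
// drops the ref on the original impl, so the cache key may now dangle.
StringImpl* toExistingAtomicStringMutating(JSString& js, AtomicTable& table) {
    if (js.impl->isAtomic)
        return js.impl;
    StringImpl* atomic = table.lookup(js.impl->chars);
    if (atomic) {
        SlotPool::ref(atomic);
        SlotPool::deref(js.impl); // the JSString lets go of the cache key's target
        js.impl = atomic;
    }
    return atomic;
}

// Post-fix shape: answer the query and leave the JSString's impl alone.
StringImpl* toExistingAtomicStringNonMutating(const JSString& js, AtomicTable& table) {
    if (js.impl->isAtomic)
        return js.impl;
    return table.lookup(js.impl->chars);
}

// Replays the sequence from the entry. Returns true when asking the cache for
// the new, unrelated StringImpl hands back the old JSString.
bool cacheReturnsStaleJSString(bool useMutatingVariant) {
    SlotPool pool;
    AtomicTable table;
    StringCache cache;
    table.intern("click");                          // an atomic "click" already exists

    StringImpl* domString = pool.allocate("click"); // non-atomic "click" from the DOM
    JSString jsString{domString};
    SlotPool::ref(domString);                       // the JSString's own ref
    cache[domString] = &jsString;

    if (useMutatingVariant)
        toExistingAtomicStringMutating(jsString, table);
    else
        toExistingAtomicStringNonMutating(jsString, table);

    SlotPool::deref(domString);                     // DOM side is done with it
    StringImpl* other = pool.allocate("scroll");    // unrelated string; reuses the slot if it was freed

    auto it = cache.find(other);
    if (it == cache.end())
        return false;                               // a miss is the correct answer
    return it->second->impl->chars != other->chars; // a hit, but for a different string
}
```

With the mutating variant the JSString's ref on the original impl is gone, the DOM's deref frees the slot, "scroll" lands at the same address, and the cache confidently returns the "click" JSString for it. With the non-mutating variant the JSString still pins the impl, the slot is never freed, and the lookup misses as it should.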
30207
302082014-12-04 Geoffrey Garen <ggaren@apple.com>
30209
30210 Marked some final things final.
30211
30212 Reviewed by Andreas Kling.
30213
30214 * parser/Nodes.h:
30215
302162014-12-04 Geoffrey Garen <ggaren@apple.com>
30217
30218 Split out FunctionNode from FunctionBodyNode
30219 https://bugs.webkit.org/show_bug.cgi?id=139273
30220
30221 Reviewed by Andreas Kling.
30222
30223 This is a step toward a parser speedup.
30224
30225 We used to use FunctionBodyNode for two different purposes:
30226
30227 (1) "I am the root function you are currently parsing";
30228
30229 (2) "I am a lazy record of a nested function, which you will parse later".
30230
30231 This made for awkward lifetime semantics and interfaces.
30232
30233 Now, case (1) is handled by FunctionBodyNode, and case (2) is handled by
30234 a new node named FunctionNode.
30235
30236 Since case (1) no longer needs to handle being the root of the parse
30237 tree, FunctionBodyNode can be a normal arena-allocated node.
30238
30239 * bytecode/UnlinkedCodeBlock.cpp:
30240 (JSC::generateFunctionCodeBlock): Use FunctionNode instead of
30241 FunctionBodyNode, since we are producing the root of the function parse
30242 tree.
30243
30244 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): Removed
30245 some unused data, and default-initialized other data, which isn't filled
30246 in meaningfully until recordParse() is called. (The previous values were
30247 incorrect / meaningless, since the FunctionBodyNode didn't have
30248 meaningful values in this case.)
30249
30250 * bytecode/UnlinkedCodeBlock.h: Ditto.
30251
30252 (JSC::UnlinkedFunctionExecutable::forceUsesArguments): Deleted.
30253
30254 * bytecompiler/BytecodeGenerator.cpp:
30255 (JSC::BytecodeGenerator::BytecodeGenerator): Use FunctionNode instead of
30256 FunctionBodyNode, since we are generating code starting at the root of
30257 the parse tree.
30258
30259 (JSC::BytecodeGenerator::resolveCallee):
30260 (JSC::BytecodeGenerator::addCallee):
30261 * bytecompiler/BytecodeGenerator.h: Ditto.
30262
30263 * bytecompiler/NodesCodegen.cpp:
30264 (JSC::FunctionBodyNode::emitBytecode):
30265 (JSC::FunctionNode::emitBytecode): Moved the emitBytecode implementation
30266 to FunctionNode, since we never generate code for FunctionBodyNode,
30267 since it's just a placeholder in the AST.
30268
30269 * parser/ASTBuilder.h:
30270 (JSC::ASTBuilder::createFunctionBody):
30271 (JSC::ASTBuilder::setUsesArguments): Deleted. Updated for interface
30272 changes.
30273
30274 * parser/Nodes.cpp:
30275 (JSC::FunctionBodyNode::FunctionBodyNode):
30276 (JSC::FunctionBodyNode::finishParsing):
30277 (JSC::FunctionBodyNode::setEndPosition):
30278 (JSC::FunctionNode::FunctionNode):
30279 (JSC::FunctionNode::create):
30280 (JSC::FunctionNode::finishParsing):
30281 (JSC::FunctionBodyNode::create): Deleted.
30282
30283 * parser/Nodes.h:
30284 (JSC::FunctionBodyNode::parameters):
30285 (JSC::FunctionBodyNode::source):
30286 (JSC::FunctionBodyNode::startStartOffset):
30287 (JSC::FunctionBodyNode::isInStrictContext):
30288 (JSC::FunctionNode::parameters):
30289 (JSC::FunctionNode::ident):
30290 (JSC::FunctionNode::functionMode):
30291 (JSC::FunctionNode::startColumn):
30292 (JSC::FunctionNode::endColumn):
30293 (JSC::ScopeNode::setSource): Deleted.
30294 (JSC::FunctionBodyNode::parameterCount): Deleted. Split out the differences
30295 between FunctionNode and FunctionBodyNode.
30296
30297 * parser/SyntaxChecker.h:
30298 (JSC::SyntaxChecker::createClauseList):
30299 (JSC::SyntaxChecker::setUsesArguments): Deleted. Removed setUsesArguments
30300 since it wasn't used.
30301
30302 * runtime/Executable.cpp:
30303 (JSC::ProgramExecutable::checkSyntax): Removed a branch that was always
30304 false.
30305
303062014-12-02 Brian J. Burg <burg@cs.washington.edu>
30307
30308 Web Inspector: timeline probe records have inaccurate per-probe hit counts
30309 https://bugs.webkit.org/show_bug.cgi?id=138976
30310
30311 Reviewed by Joseph Pecoraro.
30312
30313 Previously, the DebuggerAgent was responsible for assigning unique ids to samples.
30314 However, this makes it impossible for the frontend's Timeline manager to associate
30315 a Probe Sample timeline record with the corresponding probe sample data. The record
30316 only included the probe batchId (misnamed as hitCount in ScriptDebugServer).
30317
30318 This patch moves both the batchId and sampleId counters into ScriptDebugServer, so
30319 any client of ScriptDebugListener will get the correct sampleId for each sample.
30320
30321 * inspector/ScriptDebugListener.h:
30322 * inspector/ScriptDebugServer.cpp:
30323 (Inspector::ScriptDebugServer::ScriptDebugServer):
30324 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
30325 (Inspector::ScriptDebugServer::handleBreakpointHit):
30326 * inspector/ScriptDebugServer.h:
30327 * inspector/agents/InspectorDebuggerAgent.cpp:
30328 (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
30329 (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
30330 * inspector/agents/InspectorDebuggerAgent.h:
30331
303322014-12-04 Oliver Hunt <oliver@apple.com>
30333
30334 Serialization of MapData object provides unsafe access to internal types
30335 https://bugs.webkit.org/show_bug.cgi?id=138653
30336
30337 Reviewed by Geoffrey Garen.
30338
30339 Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
30340 that despite trying hard to be safe in all cases it's simply too easy
30341 to use an iterator in an unsafe state.
30342
30343 * runtime/MapData.h:
30344 (JSC::MapData::const_iterator::key):
30345 (JSC::MapData::const_iterator::value):
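
The following is an added illustration, not JavaScriptCore code, of why the ASSERT to RELEASE_ASSERT change above matters. MapData's real layout is not reproduced; the toy keeps entries in a vector with tombstones, which is enough to park an iterator on an entry and then delete it underneath. The debug-only assertion is modelled with a compile-time flag standing in for NDEBUG, and both assertion flavours are modelled as throwing so a test can observe them; WebKit's real RELEASE_ASSERT crashes the process instead.

```cpp
// Added example, not JavaScriptCore code: a toy MapData with one iterator
// guarded by a debug-only assert and one guarded by an always-on assert.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Stands in for !defined(NDEBUG). False models a release build, where a plain
// ASSERT is compiled out and protects nobody.
constexpr bool kDebugAssertsCompiledIn = false;

inline void toyAssert(bool condition, const char* what) {
    if (kDebugAssertsCompiledIn && !condition)
        throw std::logic_error(what);
}

inline void toyReleaseAssert(bool condition, const char* what) {
    if (!condition)
        throw std::logic_error(what);
}

struct Entry {
    std::string key;
    int value;
    bool deleted;
};

class ToyMapData {
public:
    size_t add(const std::string& key, int value) {
        m_entries.push_back({key, value, false});
        return m_entries.size() - 1;
    }
    void remove(size_t index) { m_entries[index].deleted = true; }

    // Iterator guarded the old way: the check vanishes in a release build.
    class DebugGuardedIterator {
    public:
        DebugGuardedIterator(const ToyMapData& map, size_t index) : m_map(map), m_index(index) {}
        int value() const {
            toyAssert(m_map.isLive(m_index), "iterator points at a deleted or out-of-range entry");
            return m_map.m_entries[m_index].value; // release build: serves the tombstone
        }
    private:
        const ToyMapData& m_map;
        size_t m_index;
    };

    // Iterator guarded the new way: the same check, kept in every build.
    class ReleaseGuardedIterator {
    public:
        ReleaseGuardedIterator(const ToyMapData& map, size_t index) : m_map(map), m_index(index) {}
        int value() const {
            toyReleaseAssert(m_map.isLive(m_index), "iterator points at a deleted or out-of-range entry");
            return m_map.m_entries[m_index].value;
        }
    private:
        const ToyMapData& m_map;
        size_t m_index;
    };

private:
    bool isLive(size_t index) const {
        return index < m_entries.size() && !m_entries[index].deleted;
    }
    std::vector<Entry> m_entries;
};

// Park an iterator on an entry, delete that entry, then read through the
// iterator. Returns the stale value the release build silently hands out.
int readDeletedEntryThroughDebugGuard() {
    ToyMapData map;
    size_t index = map.add("token", 7);
    ToyMapData::DebugGuardedIterator it(map, index);
    map.remove(index);
    return it.value();
}

// Same sequence through the release-guarded iterator. Returns true when the
// access is refused instead of served.
bool releaseGuardRefusesDeletedEntry() {
    ToyMapData map;
    size_t index = map.add("token", 7);
    ToyMapData::ReleaseGuardedIterator it(map, index);
    map.remove(index);
    try {
        (void)it.value();
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}
```

The point of the toy is the asymmetry: the same precondition, checked by the debug-only guard, lets a release build read a deleted entry with no signal at all, while the always-on guard turns the misuse into a deterministic, debuggable failure at the access site.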
30346
303472014-12-03 Gyuyoung Kim <gyuyoung.kim@samsung.com>
30348
30349 Move JavaScriptCore/dfg to std::unique_ptr
30350 https://bugs.webkit.org/show_bug.cgi?id=139169
30351
30352 Reviewed by Filip Pizlo.
30353
30354 Use std::unique_ptr<>|std::make_unique<> in JavaScriptCore/dfg directory.
30355
30356 * dfg/DFGBasicBlock.h:
30357 * dfg/DFGJITCompiler.cpp:
30358 (JSC::DFG::JITCompiler::JITCompiler):
30359 (JSC::DFG::JITCompiler::compile):
30360 (JSC::DFG::JITCompiler::link):
30361 (JSC::DFG::JITCompiler::compileFunction):
30362 (JSC::DFG::JITCompiler::linkFunction):
30363 * dfg/DFGJITCompiler.h:
30364 * dfg/DFGPlan.cpp:
30365 (JSC::DFG::Plan::compileInThreadImpl):
30366 (JSC::DFG::Plan::cancel):
30367 * dfg/DFGPlan.h:
30368 * dfg/DFGSlowPathGenerator.h:
30369 * dfg/DFGWorklist.h:
30370 * ftl/FTLFail.cpp:
30371 (JSC::FTL::fail):
30372 * ftl/FTLState.cpp:
30373 (JSC::FTL::State::State):
30374
303752014-12-03 Michael Saboff <msaboff@apple.com>
30376
30377 REGRESSION (r176479): DFG ASSERTION beneath emitOSRExitCall running Kraken/imaging-gaussian-blur.js.ftl-no-cjit-osr-validation and other tests
30378 https://bugs.webkit.org/show_bug.cgi?id=139246
30379
30380 Reviewed by Geoffrey Garen.
30381
30382 * ftl/FTLLowerDFGToLLVM.cpp:
30383 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
30384 The DFG_ASSERT that checks liveness at exit time doesn't properly
30385 handle the case where the local is not available at OSR exit time,
30386 but the local is live in the bytecode. This now happens with the
30387 allocated scope register when we are compiling for FTLForOSREntryMode
30388 due to DCE done when the control flow was changed and a new entrypoint
30389 was added in the OSR entrypoint creation phase. Therefore we silence
30390 the assert when compiling for FTLForOSREntryMode.
30391
303922014-12-03 Geoffrey Garen <ggaren@apple.com>
30393
30394 Removed the global parser arena
30395 https://bugs.webkit.org/show_bug.cgi?id=139236
30396
30397 Reviewed by Sam Weinig.
30398
30399 Simplifies parser lifetime logic.
30400
30401 There's no need to keep a global arena. We can create a new arena
30402 each time we parse.
30403
30404 * bytecompiler/BytecodeGenerator.h: Global replace to pass around a
30405 ParserArena instead of VM*, since the VM no longer owns the arena.
30406 (JSC::BytecodeGenerator::parserArena):
30407
30408 * bytecompiler/NodesCodegen.cpp: Ditto.
30409 (JSC::ArrayNode::toArgumentList):
30410 (JSC::ApplyFunctionCallDotNode::emitBytecode):
30411 * parser/ASTBuilder.h: Ditto.
30412 (JSC::ASTBuilder::ASTBuilder):
30413 (JSC::ASTBuilder::createSourceElements):
30414 (JSC::ASTBuilder::createCommaExpr):
30415 (JSC::ASTBuilder::createLogicalNot):
30416 (JSC::ASTBuilder::createUnaryPlus):
30417 (JSC::ASTBuilder::createVoid):
30418 (JSC::ASTBuilder::thisExpr):
30419 (JSC::ASTBuilder::createResolve):
30420 (JSC::ASTBuilder::createObjectLiteral):
30421 (JSC::ASTBuilder::createArray):
30422 (JSC::ASTBuilder::createNumberExpr):
30423 (JSC::ASTBuilder::createString):
30424 (JSC::ASTBuilder::createBoolean):
30425 (JSC::ASTBuilder::createNull):
30426 (JSC::ASTBuilder::createBracketAccess):
30427 (JSC::ASTBuilder::createDotAccess):
30428 (JSC::ASTBuilder::createSpreadExpression):
30429 (JSC::ASTBuilder::createRegExp):
30430 (JSC::ASTBuilder::createNewExpr):
30431 (JSC::ASTBuilder::createConditionalExpr):
30432 (JSC::ASTBuilder::createAssignResolve):
30433 (JSC::ASTBuilder::createFunctionExpr):
30434 (JSC::ASTBuilder::createFunctionBody):
30435 (JSC::ASTBuilder::createGetterOrSetterProperty):
30436 (JSC::ASTBuilder::createArguments):
30437 (JSC::ASTBuilder::createArgumentsList):
30438 (JSC::ASTBuilder::createProperty):
30439 (JSC::ASTBuilder::createPropertyList):
30440 (JSC::ASTBuilder::createElementList):
30441 (JSC::ASTBuilder::createFormalParameterList):
30442 (JSC::ASTBuilder::createClause):
30443 (JSC::ASTBuilder::createClauseList):
30444 (JSC::ASTBuilder::createFuncDeclStatement):
30445 (JSC::ASTBuilder::createBlockStatement):
30446 (JSC::ASTBuilder::createExprStatement):
30447 (JSC::ASTBuilder::createIfStatement):
30448 (JSC::ASTBuilder::createForLoop):
30449 (JSC::ASTBuilder::createForInLoop):
30450 (JSC::ASTBuilder::createForOfLoop):
30451 (JSC::ASTBuilder::createEmptyStatement):
30452 (JSC::ASTBuilder::createVarStatement):
30453 (JSC::ASTBuilder::createEmptyVarExpression):
30454 (JSC::ASTBuilder::createReturnStatement):
30455 (JSC::ASTBuilder::createBreakStatement):
30456 (JSC::ASTBuilder::createContinueStatement):
30457 (JSC::ASTBuilder::createTryStatement):
30458 (JSC::ASTBuilder::createSwitchStatement):
30459 (JSC::ASTBuilder::createWhileStatement):
30460 (JSC::ASTBuilder::createDoWhileStatement):
30461 (JSC::ASTBuilder::createLabelStatement):
30462 (JSC::ASTBuilder::createWithStatement):
30463 (JSC::ASTBuilder::createThrowStatement):
30464 (JSC::ASTBuilder::createDebugger):
30465 (JSC::ASTBuilder::createConstStatement):
30466 (JSC::ASTBuilder::appendConstDecl):
30467 (JSC::ASTBuilder::combineCommaNodes):
30468 (JSC::ASTBuilder::createDeconstructingAssignment):
30469 (JSC::ASTBuilder::Scope::Scope):
30470 (JSC::ASTBuilder::createNumber):
30471 (JSC::ASTBuilder::makeTypeOfNode):
30472 (JSC::ASTBuilder::makeDeleteNode):
30473 (JSC::ASTBuilder::makeNegateNode):
30474 (JSC::ASTBuilder::makeBitwiseNotNode):
30475 (JSC::ASTBuilder::makeMultNode):
30476 (JSC::ASTBuilder::makeDivNode):
30477 (JSC::ASTBuilder::makeModNode):
30478 (JSC::ASTBuilder::makeAddNode):
30479 (JSC::ASTBuilder::makeSubNode):
30480 (JSC::ASTBuilder::makeLeftShiftNode):
30481 (JSC::ASTBuilder::makeRightShiftNode):
30482 (JSC::ASTBuilder::makeURightShiftNode):
30483 (JSC::ASTBuilder::makeBitOrNode):
30484 (JSC::ASTBuilder::makeBitAndNode):
30485 (JSC::ASTBuilder::makeBitXOrNode):
30486 (JSC::ASTBuilder::makeFunctionCallNode):
30487 (JSC::ASTBuilder::makeBinaryNode):
30488 (JSC::ASTBuilder::makeAssignNode):
30489 (JSC::ASTBuilder::makePrefixNode):
30490 (JSC::ASTBuilder::makePostfixNode):
30491
30492 * parser/NodeConstructors.h: Ditto.
30493 (JSC::ParserArenaFreeable::operator new):
30494 (JSC::ParserArenaDeletable::operator new):
30495 (JSC::ParserArenaRefCounted::ParserArenaRefCounted):
30496
30497 * parser/Nodes.cpp: Ditto.
30498 (JSC::ScopeNode::ScopeNode):
30499 (JSC::ProgramNode::ProgramNode):
30500 (JSC::ProgramNode::create):
30501 (JSC::EvalNode::EvalNode):
30502 (JSC::EvalNode::create):
30503 (JSC::FunctionBodyNode::FunctionBodyNode):
30504 (JSC::FunctionBodyNode::create):
30505
30506 * parser/Nodes.h: Ditto.
30507 (JSC::ScopeNode::parserArena):
30508
30509 * parser/Parser.cpp:
30510 (JSC::Parser<LexerType>::Parser):
30511 (JSC::Parser<LexerType>::parseInner):
30512 (JSC::Parser<LexerType>::parseProperty): The parser now owns its own
30513 arena, and transfers ownership of its contents when invoking the ScopeNode
30514 constructor.
30515
30516 * parser/Parser.h:
30517 (JSC::Parser<LexerType>::parse): No need to explicitly reset the arena,
30518 since its lifetime is tied to the parser's lifetime now.
30519
30520 * parser/SyntaxChecker.h:
30521 (JSC::SyntaxChecker::createProperty):
30522 (JSC::SyntaxChecker::createGetterOrSetterProperty):
30523
30524 * runtime/VM.cpp:
30525 (JSC::VM::VM):
30526 * runtime/VM.h: The point of the patch: no more global.
30527
305282014-12-03 Geoffrey Garen <ggaren@apple.com>
30529
30530 The parser should allocate all pieces of the AST
30531 https://bugs.webkit.org/show_bug.cgi?id=139230
30532
30533 Reviewed by Oliver Hunt.
30534
30535 This is a step toward a 14% parsing speedup.
30536
30537 Previously, allocation was split between the parser and certain node
30538 constructor functions. This made for some duplicated code and circular
30539 dependencies.
30540
30541 * parser/ASTBuilder.h:
30542 (JSC::ASTBuilder::createGetterOrSetterProperty): No need to pass through
30543 the VM, since our callee no longer needs to allocate anything.
30544
30545 (JSC::ASTBuilder::createProperty): Allocate the identifier for our
30546 callee, since that is simpler than requiring our callee to notice that
30547 we didn't do so, and do it for us.
30548
30549 (JSC::ASTBuilder::createForInLoop): Allocate the DeconstructingAssignmentNode
30550 for our callee, since that is simpler than requiring our callee to notice
30551 that we didn't do so, and do it for us.
30552
30553 Also, reuse some code instead of duplicating it.
30554
30555 (JSC::ASTBuilder::createForOfLoop): Ditto.
30556
30557 (JSC::ASTBuilder::createArrayPattern):
30558 (JSC::ASTBuilder::createObjectPattern):
30559 (JSC::ASTBuilder::createBindingLocation): No need to pass through a VM
30560 pointer, since our callee no longer needs to allocate anything.
30561
30562 (JSC::ASTBuilder::createBreakStatement): Deleted.
30563 (JSC::ASTBuilder::createContinueStatement): Deleted.
30564
30565 * parser/NodeConstructors.h:
30566 (JSC::PropertyNode::PropertyNode):
30567 (JSC::DeconstructionPatternNode::DeconstructionPatternNode):
30568 (JSC::ArrayPatternNode::ArrayPatternNode):
30569 (JSC::ArrayPatternNode::create):
30570 (JSC::ObjectPatternNode::ObjectPatternNode):
30571 (JSC::ObjectPatternNode::create):
30572 (JSC::BindingNode::create):
30573 (JSC::BindingNode::BindingNode):
30574 (JSC::ContinueNode::ContinueNode): Deleted.
30575 (JSC::BreakNode::BreakNode): Deleted.
30576 (JSC::EnumerationNode::EnumerationNode): Deleted.
30577 (JSC::ForInNode::ForInNode): Deleted.
30578 (JSC::ForOfNode::ForOfNode): Deleted. Deleted a bunch of special cases
30579 that don't exist anymore, now that the parser allocates all pieces of
30580 the AST unconditionally.
30581
30582 * parser/Nodes.h: Ditto.
30583
30584 * parser/Parser.cpp:
30585 (JSC::Parser<LexerType>::parseBreakStatement):
30586 (JSC::Parser<LexerType>::parseContinueStatement): Allocate the null
30587 identifier for our callee, since that is simpler than requiring our
30588 callee to notice that we didn't do so, and do it for us.
30589
30590 (JSC::Parser<LexerType>::parseProperty):
30591 * parser/SyntaxChecker.h:
30592 (JSC::SyntaxChecker::createProperty): No need to pass through a VM
30593 pointer, since our callee no longer needs to allocate anything.
30594
305952014-12-03 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
30596
30597 Remove unused JSC runtime options
30598 https://bugs.webkit.org/show_bug.cgi?id=133070
30599
30600 Reviewed by Csaba Osztrogonác.
30601
30602 * runtime/Options.h:
30603
306042014-12-02 Mark Lam <mark.lam@apple.com>
30605
30606 Rolling out r176592, r176603, r176616, and r176705 until build and perf issues are resolved.
30607 https://bugs.webkit.org/show_bug.cgi?id=138821
30608
30609 Not reviewed.
30610
30611 * bytecode/UnlinkedCodeBlock.cpp:
30612 (JSC::UnlinkedCodeBlock::visitChildren):
30613 * bytecompiler/BytecodeGenerator.cpp:
30614 (JSC::BytecodeGenerator::emitComplexPopScopes):
30615 * dfg/DFGSpeculativeJIT.cpp:
30616 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
30617 * ftl/FTLAbbreviations.h:
30618 (JSC::FTL::mdNode):
30619 (JSC::FTL::buildCall):
30620 * llint/LLIntData.cpp:
30621 (JSC::LLInt::Data::performAssertions):
30622 * parser/Parser.h:
30623 (JSC::Scope::Scope):
30624 * runtime/JSArray.cpp:
30625 (JSC::JSArray::setLengthWithArrayStorage):
30626 (JSC::JSArray::sortCompactedVector):
30627 * tools/ProfileTreeNode.h:
30628 (JSC::ProfileTreeNode::dumpInternal):
30629 * yarr/YarrJIT.cpp:
30630 (JSC::Yarr::YarrGenerator::matchCharacterClass):
30631
306322014-12-02 Michael Saboff <msaboff@apple.com>
30633
30634 Change CallFrame::globalThisValue() to not use CallFrame::scope()
30635 https://bugs.webkit.org/show_bug.cgi?id=139202
30636
30637 Reviewed by Mark Lam.
30638
30639 Changed to use the globalThis() on the globalObject associated with the
30640 callee. Moved the inline definition to JSGlobalObject.h instead of
30641 including JSGlobalObject.h in JSScope.h. Also moved it as JSScope
30642 objects are no longer involved in getting the value.
30643
30644 * runtime/JSGlobalObject.h:
30645 (JSC::ExecState::globalThisValue):
30646 * runtime/JSScope.h:
30647 (JSC::ExecState::globalThisValue): Deleted.
30648
306492014-12-02 Matthew Mirman <mmirman@apple.com>
30650
30651 Fixes inline cache fast path accessing nonexistent getters.
30652 <rdar://problem/18416918>
30653 https://bugs.webkit.org/show_bug.cgi?id=136961
30654
30655 Reviewed by Filip Pizlo.
30656
30657 Fixes a bug in inline caching where getters would have been able to
30658 modify the property they are getting while the inline cache was
30659 being built, and then access that property through the inline
30660 cache site, causing recursive inline cache building and allowing
30661 the fast path of the cache to try to load a getter for a property
30662 that no longer exists.
30663
30664 * jit/JITOperations.cpp: Switched use of get to getPropertySlot.
30665 * runtime/JSCJSValue.h:
30666 added getPropertySlot for when you don't want to perform the get quite yet but want
30667 to fill out the slot.
30668 * runtime/JSCJSValueInlines.h: Added implementation for getPropertySlot
30669 (JSC::JSValue::get): changed to simply call getPropertySlot
30670 (JSC::JSValue::getPropertySlot): added.
30671 * tests/stress/recursive_property_redefine_during_inline_caching.js: Added test case for bug.
30672 (test):
30673
306742014-12-01 Michael Saboff <msaboff@apple.com>
30675
30676 Remove GetMyScope node from DFG
30677 https://bugs.webkit.org/show_bug.cgi?id=139166
30678
30679 Reviewed by Oliver Hunt.
30680
30681 Eliminated GetMyScope DFG node type.
30682
30683 * dfg/DFGAbstractInterpreterInlines.h:
30684 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
30685 * dfg/DFGClobberize.h:
30686 (JSC::DFG::clobberize):
30687 * dfg/DFGDoesGC.cpp:
30688 (JSC::DFG::doesGC):
30689 * dfg/DFGFixupPhase.cpp:
30690 (JSC::DFG::FixupPhase::fixupNode):
30691 * dfg/DFGGraph.cpp:
30692 (JSC::DFG::Graph::isLiveInBytecode):
30693 * dfg/DFGNodeType.h:
30694 * dfg/DFGPredictionPropagationPhase.cpp:
30695 (JSC::DFG::PredictionPropagationPhase::propagate):
30696 * dfg/DFGSafeToExecute.h:
30697 (JSC::DFG::safeToExecute):
30698 * dfg/DFGSpeculativeJIT32_64.cpp:
30699 (JSC::DFG::SpeculativeJIT::compile):
30700 * dfg/DFGSpeculativeJIT64.cpp:
30701 (JSC::DFG::SpeculativeJIT::compile):
30702 * ftl/FTLCapabilities.cpp:
30703 (JSC::FTL::canCompile):
30704 * ftl/FTLLowerDFGToLLVM.cpp:
30705 (JSC::FTL::LowerDFGToLLVM::compileNode):
30706 (JSC::FTL::LowerDFGToLLVM::compileGetMyScope): Deleted.
30707
307082014-12-01 Michael Saboff <msaboff@apple.com>
30709
30710 Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
30711 https://bugs.webkit.org/show_bug.cgi?id=139165
30712
30713 Reviewed by Oliver Hunt.
30714
30715 If we don't have any getById or putById variants, emit non-cached versions of these operations.
30716
30717 * dfg/DFGByteCodeParser.cpp:
30718 (JSC::DFG::ByteCodeParser::handleGetById):
30719 (JSC::DFG::ByteCodeParser::handlePutById):
30720
307212014-12-01 Andreas Kling <akling@apple.com>
30722
30723 Optimize constructing JSC::Identifier from AtomicString.
30724 <https://webkit.org/b/139157>
30725
30726 Reviewed by Michael Saboff.
30727
30728 Add constructors for Identifier taking AtomicString and AtomicStringImpl.
30729 This avoids branching on the string's isAtomic flag, which is obviously
30730 always true for AtomicString & AtomicStringImpl.
30731
30732 Had to add an Identifier(const char*) constructor to resolve implicit
30733 ambiguity between String / AtomicString.
30734
30735 Also made PrivateName::uid() return AtomicStringImpl* to take advantage
30736 of the new constructor in a few places.
30737
30738 * runtime/Identifier.h:
30739 (JSC::Identifier::Identifier):
30740 * runtime/IdentifierInlines.h:
30741 (JSC::Identifier::Identifier):
30742 * runtime/PrivateName.h:
30743 (JSC::PrivateName::uid):
30744
307452014-12-01 Alexey Proskuryakov <ap@apple.com>
30746
30747 Several JavaScriptCore date tests are flaky, because they expect time to be frozen during execution
30748 https://bugs.webkit.org/show_bug.cgi?id=139138
30749
30750 Reviewed by Mark Lam.
30751
30752 Merged a fix by Bob Clary.
30753
30754 * tests/mozilla/ecma/Date/15.9.1.1-1.js:
30755 * tests/mozilla/ecma/Date/15.9.1.1-2.js:
30756 * tests/mozilla/ecma/Date/15.9.2.1.js:
30757 * tests/mozilla/ecma/Date/15.9.2.2-1.js:
30758 * tests/mozilla/ecma/Date/15.9.2.2-2.js:
30759 * tests/mozilla/ecma/Date/15.9.2.2-3.js:
30760 * tests/mozilla/ecma/Date/15.9.2.2-4.js:
30761 * tests/mozilla/ecma/Date/15.9.2.2-5.js:
30762 * tests/mozilla/ecma/Date/15.9.2.2-6.js:
30763
307642014-11-17 Oliver Hunt <oliver@apple.com>
30765
30766 Make sure range based iteration of Vector<> still receives bounds checking
30767 https://bugs.webkit.org/show_bug.cgi?id=138821
30768
30769 Reviewed by Mark Lam.
30770
30771 There are a few uses of begin()/end() that explicitly require pointers,
30772 so we use getPtr() to extract the underlying pointer generically.
30773
30774 * bytecode/UnlinkedCodeBlock.cpp:
30775 (JSC::UnlinkedCodeBlock::visitChildren):
30776 * bytecompiler/BytecodeGenerator.cpp:
30777 (JSC::BytecodeGenerator::emitComplexPopScopes):
30778 * dfg/DFGSpeculativeJIT.cpp:
30779 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
30780 * ftl/FTLAbbreviations.h:
30781 (JSC::FTL::mdNode):
30782 (JSC::FTL::buildCall):
30783 * llint/LLIntData.cpp:
30784 (JSC::LLInt::Data::performAssertions):
30785 * parser/Parser.h:
30786 (JSC::Scope::Scope):
30787 * profiler/ProfileNode.cpp:
30788 (JSC::ProfileNode::debugPrintRecursively):
30789 * runtime/JSArray.cpp:
30790 (JSC::JSArray::setLengthWithArrayStorage):
30791 (JSC::JSArray::sortCompactedVector):
30792 * tools/ProfileTreeNode.h:
30793 (JSC::ProfileTreeNode::dumpInternal):
30794 * yarr/YarrJIT.cpp:
30795 (JSC::Yarr::YarrGenerator::matchCharacterClass):
30796
2014-11-29 Andreas Kling <akling@apple.com>

PropertyTable keys should be AtomicStringImpl.
<https://webkit.org/b/139096>

Reviewed by Sam Weinig.

Since PropertyTable keys are really always Identifiers, switch the key
type from StringImpl* to AtomicStringImpl*.

We have code in the GetByVal opcode implementations that assumes things
about this, so this change adds confidence to those algorithms.

* bytecode/ComplexGetStatus.cpp:
(JSC::ComplexGetStatus::computeFor):
* bytecode/ComplexGetStatus.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGDesiredIdentifiers.cpp:
(JSC::DFG::DesiredIdentifiers::addLazily):
(JSC::DFG::DesiredIdentifiers::at):
* dfg/DFGDesiredIdentifiers.h:
(JSC::DFG::DesiredIdentifiers::operator[]):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
* runtime/Identifier.h:
(JSC::Identifier::impl):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::mayInterceptStoreTo):
* runtime/IntendedStructureChain.h:
* runtime/PropertyMapHashTable.h:
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::Structure::addPropertyTransitionToExistingStructureImpl):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::Structure::getConcurrently):
(JSC::Structure::add):
(JSC::Structure::remove):
* runtime/Structure.h:
(JSC::PropertyMapEntry::PropertyMapEntry):
* runtime/StructureInlines.h:
(JSC::Structure::getConcurrently):
* runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::Hash::hash):

2014-11-28 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Use std::unique_ptr<>|make_unique<> in ftl, bytecode of JSC
https://bugs.webkit.org/show_bug.cgi?id=139063

Reviewed by Andreas Kling.

Clean up OwnPtr and PassOwnPtr in JSC.

* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::push):
* bytecode/StructureStubClearingWatchpoint.h:
(JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateDataSection):
* ftl/FTLJITFinalizer.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* parser/SourceProviderCacheItem.h:

2014-11-27 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Use std::unique_ptr instead of OwnPtr in JSC classes
https://bugs.webkit.org/show_bug.cgi?id=139009

Reviewed by Filip Pizlo.

As a step of using std::unique_ptr<>, this patch replaces OwnPtr with
std::unique_ptr<>|std::make_unique<>.

* bytecode/DFGExitProfile.cpp:
(JSC::DFG::ExitProfile::add):
* bytecode/DFGExitProfile.h:
* bytecode/LazyOperandValueProfile.cpp:
(JSC::CompressedLazyOperandValueProfileHolder::add):
* bytecode/LazyOperandValueProfile.h:
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::specializedSweep):
(JSC::MarkedBlock::stopAllocating):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::clearNewlyAllocated):
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):
* runtime/RegExp.cpp:
(JSC::RegExp::invalidateCode):
* runtime/RegExp.h:
* yarr/RegularExpression.cpp:
(JSC::Yarr::RegularExpression::Private::compile):
(JSC::Yarr::RegularExpression::isValid):
* yarr/YarrInterpreter.cpp:
(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::regexBegin):
(JSC::Yarr::byteCompile):
* yarr/YarrInterpreter.h:
(JSC::Yarr::BytecodePattern::BytecodePattern):

2014-11-24 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Clean up OwnPtr and PassOwnPtr in JSC - bytecode, jit, inspector, and interpreter
https://bugs.webkit.org/show_bug.cgi?id=139022

Reviewed by Filip Pizlo.

As a step of using std::unique_ptr<>, this patch replaces OwnPtr with
std::unique_ptr<>|std::make_unique<>.

* bytecode/DFGExitProfile.cpp:
(JSC::DFG::ExitProfile::add):
* bytecode/DFGExitProfile.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::JITFinalizer):
* dfg/DFGJITFinalizer.h:
* heap/IncrementalSweeper.h:
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/JSGlobalObjectRuntimeAgent.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::enableSampler):
* interpreter/Interpreter.h:
* jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::ExecutableAllocator):
* jit/ExecutableAllocator.h:

2014-11-22 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Clean up OwnPtr and PassOwnPtr in some of JS classes
https://bugs.webkit.org/show_bug.cgi?id=138724

Reviewed by Filip Pizlo.

As a step to use std::unique_ptr<> and std::make_unique<>, this patch replaces
OwnPtr with std::unique_ptr<>. Besides, the create() factory function is removed as well.

* builtins/BuiltinExecutables.h:
(JSC::BuiltinExecutables::create): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::createRareDataIfNecessary):
* bytecode/StructureStubInfo.h:
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::hasRareData):
(JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
* runtime/CodeCache.h:
(JSC::CodeCache::create): Deleted.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::clearRareData):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::createRareDataIfNeeded):
* runtime/RegExpConstructor.h:
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::createSingleCharacterString):
(JSC::SmallStrings::singleCharacterStringRep):
* runtime/SmallStrings.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

2014-11-21 Michael Saboff <msaboff@apple.com>

r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143)
https://bugs.webkit.org/show_bug.cgi?id=139000

Reviewed by Darin Adler.

Check that the chainCount is non-zero before using a StructureChain.

* bytecode/ComplexGetStatus.cpp:
(JSC::ComplexGetStatus::computeFor):

2014-11-21 Michael Saboff <msaboff@apple.com>

Allocate local ScopeChain register
https://bugs.webkit.org/show_bug.cgi?id=138793

Reviewed by Geoffrey Garen.

Now we allocate the scope register as a local. The allocated register is stored in the
CodeBlock for use by other components. Update the DFG to work with a local scope register.
Changed usage of JSStack::ScopeChain access to the CallFrame header to use the allocated
local register.

* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
Updated to properly represent the operand inputs and bytecode result.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setScopeRegister):
(JSC::CodeBlock::scopeRegister):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::setScopeRegister):
(JSC::UnlinkedCodeBlock::scopeRegister):
Added scope register member and accessors.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::allocateAndEmitScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::scopeRegister):
Change m_scopeRegister to an allocated register. Added allocateAndEmitScope helper to
allocate the scope register, set the CodeBlock with its value and emit op_get_scope.

* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope): Changed to access the scope using the new convention.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::parseBlock):
Changed op_create_lexical_environment to set the scope VirtualRegister operand.
Filled out op_get_scope processing to emit a GetScope node putting the result in
the scope VirtualRegister result operand.
Added Phantoms where appropriate to keep the Scope register alive in places where
its use is optimized away, but where the baseline JIT would need to use its value.
Eliminated uses of JSStack::ScopeChain.

* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
Make sure that the scope register stack location is allocated using the same place
that the codeBlock expects.

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Allow strength reduction of Flush to skip over GetScope nodes looking for a prior
corresponding SetLocal.

* interpreter/CallFrame.h:
(JSC::ExecState::scope):
(JSC::ExecState::setScope):
Added new scope() and setScope() helpers that take a VirtualRegister offset.

* interpreter/Interpreter.cpp:
(JSC::eval):
Changed eval() to get the scope from the caller's scope register instead of from the
temporary frame created for eval.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
Changed unwind() to manipulate the scope in the allocated register instead of from the
call frame slot.

* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::callee):
(JSC::StackVisitor::Frame::scope): Deleted.
Eliminated the scope member as it needed to change and no StackVisitor users use it.

* jit/JITOperations.cpp:
(JSC::operationPushNameScope):
(JSC::operationPushWithScope):
* runtime/JSNameScope.h:
(JSC::JSNameScope::create):
* runtime/JSWithScope.h:
(JSC::JSWithScope::create): Deleted.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
Deleted JSNameScope::create() and JSWithScope::create() flavors that used the ScopeChain slot
in the CallFrame header. Changed the only users of these functions, the op_push_name_scope and
op_push_with_scope helpers, to use the remaining create variants that require an explicit scope.
Those operations get the scope from the register pointed to by their scope operands.

* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Changed resolveScope to use the allocated register.

2014-11-21 Csaba Osztrogonác <ossy@webkit.org>

[JSC] Disable verifyHeap
https://bugs.webkit.org/show_bug.cgi?id=138962

Reviewed by Mark Lam.

* runtime/Options.h:

2014-11-20 Mark Lam <mark.lam@apple.com>

Add some comments to describe the DFG UseKind representations.
<https://webkit.org/b/138934>

Reviewed by Filip Pizlo.

* dfg/DFGUseKind.h:
- Also regrouped the UseKind enums by representation to be more readable.

2014-11-20 Mark Lam <mark.lam@apple.com>

Add Heap verification infrastructure.
<https://webkit.org/b/138851>

Reviewed by Geoffrey Garen.

The verification infrastructure code is always built in but disabled by
default. When disabled, the cost is minimal:
1. Heap has a m_verifier field.
2. GC does a few "if (m_verifier)" checks that should fail.
3. HeapVerifier takes up code space though not used.

When enabled:
1. The HeapVerifier will keep N number of GC cycle data.
Each GC cycle will contain a "before marking" and "after marking" live
object list.
The GC cycles form a circular buffer. Only data for the last N GC cycles
will be retained.
2. During GC, the current GC cycle's live objects lists will be populated
before and after marking.
3. The current GC cycle's live object lists will be validated before GC,
after marking, and after GC.

Currently, the only validation being done is to verify that object
butterflies are allocated from valid blocks in the Storage (aka Copied)
space.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::collect):
* heap/Heap.h:
* heap/HeapVerifier.cpp: Added.
(JSC::LiveObjectList::findObject):
(JSC::HeapVerifier::HeapVerifier):
(JSC::HeapVerifier::collectionTypeName):
(JSC::HeapVerifier::phaseName):
(JSC::getButterflyDetails):
(JSC::HeapVerifier::initializeGCCycle):
(JSC::GatherLiveObjFunctor::GatherLiveObjFunctor):
(JSC::GatherLiveObjFunctor::operator()):
(JSC::HeapVerifier::gatherLiveObjects):
(JSC::HeapVerifier::liveObjectListForGathering):
(JSC::trimDeadObjectsFromList):
(JSC::HeapVerifier::trimDeadObjects):
(JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
(JSC::HeapVerifier::verify):
(JSC::HeapVerifier::reportObject):
(JSC::HeapVerifier::checkIfRecorded):
* heap/HeapVerifier.h: Added.
(JSC::LiveObjectData::LiveObjectData):
(JSC::LiveObjectList::LiveObjectList):
(JSC::LiveObjectList::reset):
(JSC::HeapVerifier::GCCycle::GCCycle):
(JSC::HeapVerifier::GCCycle::collectionTypeName):
(JSC::HeapVerifier::incrementCycle):
(JSC::HeapVerifier::currentCycle):
(JSC::HeapVerifier::cycleForIndex):
* runtime/Options.h:

2014-11-20 Yusuke Suzuki <utatane.tea@gmail.com>

Rename String.prototype.contains to String.prototype.includes
https://bugs.webkit.org/show_bug.cgi?id=138923

As per the latest TC39 meeting[1, 2], String.prototype.contains is
renamed to String.prototype.includes. This is because the name
`contains` breaks the web since it conflicts with existing `contains`
implementations in major libraries.

[1]: https://github.com/mathiasbynens/String.prototype.includes
[2]: https://github.com/tc39/test262/pull/119

Reviewed by Geoffrey Garen.

* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::stringProtoFuncIncludes):
(JSC::stringProtoFuncContains): Deleted.

2014-11-19 Mark Lam <mark.lam@apple.com>

WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com.
<https://webkit.org/b/137642>

Reviewed by Filip Pizlo.

In the DFG, we have a ConstantFolding phase that occurs after all LocalCSE
phases have already transpired. Hence, Identity nodes introduced in the
ConstantFolding phase will be left in the node graph. Subsequently, the
DFG code generator asserts that CSE phases have consumed all Identity nodes.
This turns out to not be true. Hence, the crash. We fix this by teaching
the DFG code generator to emit code for Identity nodes.

Unlike the DFG, the FTL does not have this issue. That is because the FTL
plan has GlobalCSE phases that come after ConstantFolding and any other
phases that can generate Identity nodes. Hence, for the FTL, it is true that
CSE will consume all Identity nodes, and the code generator should not see any
Identity nodes.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

2014-11-19 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: JSContext inspection Resource search does not work
https://bugs.webkit.org/show_bug.cgi?id=131252

Reviewed by Timothy Hatcher.

* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::searchInContent):
* inspector/protocol/Debugger.json:
Do some cleanup of the description and implementation of content searching.

2014-11-19 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Provide $exception in the console for the thrown exception value
https://bugs.webkit.org/show_bug.cgi?id=138726

Reviewed by Timothy Hatcher.

* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::caughtValue):
* debugger/DebuggerScope.h:
Access the caught value if this scope is a catch scope.

* runtime/JSNameScope.h:
(JSC::JSNameScope::isFunctionNameScope):
(JSC::JSNameScope::isCatchScope):
(JSC::JSNameScope::value):
Provide an accessor for the single value in the JSNameScope (with / catch block).

* inspector/InjectedScriptSource.js:
Save the exception value and expose it via $exception. Since the command line api
is recreated on each evaluation, $exception is essentially readonly.

* inspector/ScriptDebugServer.h:
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::dispatchDidPause):
(Inspector::ScriptDebugServer::exceptionOrCaughtValue):
When pausing, get the exception or caught value. The exception will be provided
if we are breaking on an explicit exception. When inside of a catch block, we
can get the caught value by walking up the scope chain.

* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
(Inspector::InspectorDebuggerAgent::resume):
(Inspector::InspectorDebuggerAgent::stepOver):
(Inspector::InspectorDebuggerAgent::stepInto):
(Inspector::InspectorDebuggerAgent::stepOut):
Clearing state can be done in didContinue.

(Inspector::InspectorDebuggerAgent::didPause):
Set the exception value explicitly in the injected script when we have it.

(Inspector::InspectorDebuggerAgent::didContinue):
Clear state saved when we had paused, including clearing an exception value if needed.

(Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
(Inspector::InspectorDebuggerAgent::clearExceptionValue):
Call into the injected script only when needed.

* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::setExceptionValue):
(Inspector::InjectedScript::clearExceptionValue):
* inspector/InjectedScript.h:
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::clearExceptionValue):
* inspector/InjectedScriptManager.h:
Clear on all injected scripts.

2014-11-19 Joseph Pecoraro <pecoraro@apple.com>

Unreviewed build fixes after r176329.

- export all of the codegen python files as they are included by the main generator
- update the imports of the main generator to match __init__.py
- remove bundling the python scripts as framework resources, just have them PrivateHeaders

* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/scripts/generate-inspector-protocol-bindings.py:

2014-11-18 Brian J. Burg <burg@cs.washington.edu>

Web Inspector: standardize language-specific protocol generator file, class, and method prefixes
https://bugs.webkit.org/show_bug.cgi?id=138237

Reviewed by Joseph Pecoraro.

Settle on cpp/objc/js file prefixes and Cpp/ObjC/JS class prefixes for generators.
Move C++-specific static methods into CppGenerator and add cpp_ prefixes where relevant.
Split the templates file into language-specific template files.

* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/scripts/codegen/__init__.py:
* inspector/scripts/codegen/cpp_generator.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generator.py.
* inspector/scripts/codegen/cpp_generator_templates.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generator_templates.py.
(CppGeneratorTemplates):
* inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_backend_dispatcher_header.py.
* inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_backend_dispatcher_implementation.py.
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_frontend_dispatcher_header.py.
* inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py.
* inspector/scripts/codegen/generate_cpp_protocol_types_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_protocol_types_header.py.
* inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_protocol_types_implementation.py.
* inspector/scripts/codegen/generate_js_backend_commands.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_backend_commands.py.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_backend_dispatcher_header.py.
* inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_backend_dispatcher_implementation.py.
* inspector/scripts/codegen/generate_objc_configuration_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_configuration_header.py.
* inspector/scripts/codegen/generate_objc_configuration_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_configuration_implementation.py.
* inspector/scripts/codegen/generate_objc_conversion_helpers.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_conversion_helpers.py.
* inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_frontend_dispatcher_implementation.py.
* inspector/scripts/codegen/generate_objc_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_header.py.
* inspector/scripts/codegen/generate_objc_internal_header.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_internal_header.py.
* inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c_types_implementation.py.
* inspector/scripts/codegen/generator.py:
* inspector/scripts/codegen/generator_templates.py:
* inspector/scripts/codegen/objc_generator.py: Renamed from Source/JavaScriptCore/inspector/scripts/codegen/generate_objective_c.py.
* inspector/scripts/codegen/objc_generator_templates.py: Added.
* inspector/scripts/generate-inspector-protocol-bindings.py:

2014-11-19 Juergen Ributzka <juergen@apple.com>

Update WebKit to build with LLVM TOT
https://bugs.webkit.org/show_bug.cgi?id=138519

Reviewed by Alexey Proskuryakov.

* Configurations/LLVMForJSC.xcconfig:
* llvm/LLVMAPIFunctions.h:
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):

2014-11-18 David Kilzer <ddkilzer@apple.com>

FeatureDefines.xcconfig: Switch from using PLATFORM_NAME to SDK selectors
<http://webkit.org/b/138813>

Reviewed by Mark Rowe.

* Configurations/FeatureDefines.xcconfig: Switch to using SDK
selectors.

2014-11-18 Chris Dumez <cdumez@apple.com>

Update the Vector API to deal with unsigned types instead of size_t
https://bugs.webkit.org/show_bug.cgi?id=138824

Reviewed by Andreas Kling.

Update code base to fix build errors related to the typing changes
in the Vector API (size_t -> unsigned).

* bytecode/PreciseJumpTargets.cpp:
* replay/EncodedValue.h:

2014-11-18 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r176207.
https://bugs.webkit.org/show_bug.cgi?id=138836

Not ready yet (Requested by ap on #webkit).

Reverted changeset:

"Update WebKit to build with LLVM TOT"
https://bugs.webkit.org/show_bug.cgi?id=138519
http://trac.webkit.org/changeset/176207

2014-11-17 Mark Lam <mark.lam@apple.com>

Add printing functionality in JITted code for debugging purposes.
<https://webkit.org/b/138660>

Reviewed by Geoffrey Garen.

Sometimes, for debugging, it'd be nice to be able to just print the
values of constants or registers used in JITted code, or even just
a string to log that certain pieces of JITted code have been executed.
Using the JIT probe mechanism, we can make this happen.

* assembler/ARMv7Assembler.h:
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::CPUState::registerName):
(JSC::AbstractMacroAssembler::CPUState::registerValue):
(JSC::AbstractMacroAssembler::print):
(JSC::AbstractMacroAssembler::PrintArg::PrintArg):
(JSC::AbstractMacroAssembler::appendPrintArg):
(JSC::AbstractMacroAssembler::printInternal):
(JSC::AbstractMacroAssembler::printCallback):
* assembler/MacroAssemblerARM.cpp:
(JSC::MacroAssemblerARM::printCPURegisters):
(JSC::MacroAssemblerARM::printRegister):
* assembler/MacroAssemblerARM.h:
* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssemblerARMv7::printCPURegisters):
(JSC::MacroAssemblerARMv7::printRegister):
* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssemblerX86Common::printRegister):
* assembler/MacroAssemblerX86Common.h:

2014-11-17 Anders Carlsson <andersca@apple.com>

Fix JavaScriptCore build with newer versions of clang.
<rdar://problem/18978716>

* heap/Heap.cpp:
(JSC::Heap::visitTempSortVectors):
(JSC::Heap::deleteAllCompiledCode): Deleted.
* inspector/agents/InspectorConsoleAgent.h:

2014-11-17 Juergen Ributzka <juergen@apple.com>

Update WebKit to build with LLVM TOT
https://bugs.webkit.org/show_bug.cgi?id=138519

Reviewed by Alexey Proskuryakov.

* Configurations/LLVMForJSC.xcconfig:
* llvm/LLVMAPIFunctions.h:
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):

2014-11-14 Benjamin Poulain <bpoulain@apple.com>

STRH can store values with the wrong offset
https://bugs.webkit.org/show_bug.cgi?id=138723

Reviewed by Michael Saboff.

This is the counterpart of r176083 for the str instruction.

I believe this code is currently unreachable because there is only one client of strh()
in the MacroAssembler and it always sets up the scale explicitly.

* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::strh):

2014-11-13 Mark Lam <mark.lam@apple.com>

Reduce amount of cut-and-paste needed for probe mechanism implementations.
<https://webkit.org/b/138671>

Reviewed by Geoffrey Garen.

The existing code requires that each MacroAssembler implementation provide
their own copy of all of the probe implementations even when most of it is
identical. This patch hoists the common parts into AbstractMacroAssembler
(with some minor renaming). Each target specific MacroAssembler now only
needs to implement a few target specific methods that are expected by and
documented in AbstractMacroAssembler.h in the ENABLE(MASM_PROBE) section.

In this patch, I also simplified the X86 and X86_64 ports to use the same
port implementation. The ARMv7 probe implementation should not conditionally
exclude the higher FP registers (since the JIT doesn't). Fixed the ARMv7
probe code to include the higher FP registers always.

This is all done in preparation to add printing functionality in JITted code
for debugging.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::Label::Label):
(JSC::AbstractMacroAssembler::ConvertibleLoadLabel::ConvertibleLoadLabel):
(JSC::AbstractMacroAssembler::DataLabelPtr::DataLabelPtr):
(JSC::AbstractMacroAssembler::DataLabel32::DataLabel32):
(JSC::AbstractMacroAssembler::DataLabelCompact::DataLabelCompact):
(JSC::AbstractMacroAssembler::Jump::link):
(JSC::AbstractMacroAssembler::Jump::linkTo):
(JSC::AbstractMacroAssembler::JumpList::link):
(JSC::AbstractMacroAssembler::JumpList::linkTo):
(JSC::AbstractMacroAssembler::ProbeContext::print):
(JSC::AbstractMacroAssembler::printIndent):
(JSC::AbstractMacroAssembler::printCPU):
(JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
- Except for the 3 printing methods (which are for the probe), the rest
are touched simply because we need to add the MacroAssemblerType to the
template args.
The MacroAssemblerType is used by the abstract probe code to call the
few probe methods that need to have CPU specific implementations.

* assembler/MacroAssemblerARM.cpp:
(JSC::MacroAssemblerARM::printCPURegisters):
- This was refactored from ProbeContext::dumpCPURegisters() which no
longer exists.
(JSC::MacroAssemblerARM::ProbeContext::dumpCPURegisters): Deleted.
(JSC::MacroAssemblerARM::ProbeContext::dump): Deleted.

* assembler/MacroAssemblerARM.h:
* assembler/MacroAssemblerARM64.h:

* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssemblerARMv7::printCPURegisters):
- This was refactored from ProbeContext::dumpCPURegisters() which no
longer exists.
(JSC::MacroAssemblerARMv7::ProbeContext::dumpCPURegisters): Deleted.
(JSC::MacroAssemblerARMv7::ProbeContext::dump): Deleted.

* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerMIPS.h:
* assembler/MacroAssemblerSH4.h:
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::trustedImm32FromPtr): Deleted.
(JSC::MacroAssemblerX86::probe): Deleted.

* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssemblerX86Common::printCPURegisters):
- This was refactored from ProbeContext::dumpCPURegisters() which no
longer exists.
(JSC::MacroAssemblerX86Common::probe):
- This implementation of probe() is based on the one originally in
MacroAssemblerX86_64.h. It is generic and should work for both
32-bit and 64-bit.
(JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters): Deleted.
(JSC::MacroAssemblerX86Common::ProbeContext::dump): Deleted.

* assembler/MacroAssemblerX86Common.h:
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::trustedImm64FromPtr): Deleted.
(JSC::MacroAssemblerX86_64::probe): Deleted.
* jit/JITStubsARMv7.h:

31542 2014-11-13 Michael Saboff <msaboff@apple.com>
31543
31544 Add scope operand to op_new_func* byte codes
31545 https://bugs.webkit.org/show_bug.cgi?id=138707
31546
31547 Reviewed by Mark Lam.
31548
31549 Added scope operand to op_new_func and op_new_func_expr to replace the implicit use
31550 of exec->scope().
31551
31552 * bytecode/BytecodeList.json: Increased size of op_new_func & op_new_func_expr bytecodes.
31553
31554 * bytecode/CodeBlock.cpp:
31555 (JSC::CodeBlock::dumpBytecode): Added scope operand to dump output.
31556
31557 * bytecompiler/BytecodeGenerator.cpp:
31558 (JSC::BytecodeGenerator::emitNewFunctionInternal):
31559 (JSC::BytecodeGenerator::emitNewFunctionExpression):
31560 Emit scope operand.
31561
31562 * dfg/DFGByteCodeParser.cpp:
31563 (JSC::DFG::ByteCodeParser::parseBlock):
31564 * dfg/DFGFixupPhase.cpp:
31565 (JSC::DFG::FixupPhase::fixupNode):
31566 Added new scope source nodes to NewFunction, NewFunctionExpression & NewFunctionNoCheck.
31567
31568 * dfg/DFGSpeculativeJIT.cpp:
31569 (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
31570 (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
31571 * dfg/DFGSpeculativeJIT32_64.cpp:
31572 (JSC::DFG::SpeculativeJIT::compile):
31573 * dfg/DFGSpeculativeJIT64.cpp:
31574 (JSC::DFG::SpeculativeJIT::compile):
31575 Use scope children when making new function JIT_Operation calls. Use JSScope* value instead of
31576 exec->scope().
31577
31578 * dfg/DFGOperations.h:
31579 * dfg/DFGOperations.cpp:
31580 * dfg/DFGSpeculativeJIT.h:
31581 (JSC::DFG::SpeculativeJIT::callOperation):
31582 * jit/JIT.h:
31583 * jit/JITInlines.h:
31584 (JSC::JIT::callOperation):
31585 * jit/JITOpcodes.cpp:
31586 (JSC::JIT::emit_op_new_func):
31587 (JSC::JIT::emit_op_new_func_exp):
31588 * jit/JITOperations.cpp:
31589 * jit/JITOperations.h:
31590 Added new Jsc JIT_Operation parameter type for JSScope* values. Created declarations and
31591 definitions for new JIT_Operations with Jsc parameters. Use the JSScope* parameters in lieu
31592 of exec->scope() in operationNewFunction().
31593 Removed comment for unused Jsa (JSLexicalEnvironment*) JIT_Operation parameter type.
31594
31595 * llint/LLIntSlowPaths.cpp:
31596 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
31597 Use the scope operand instead of exec->scope().
31598
31599 * llint/LowLevelInterpreter.asm:
31600 * llint/LowLevelInterpreter32_64.asm:
31601 * llint/LowLevelInterpreter64.asm:
31602 Changed the operand indices for the added scope operand.
31603
31604 2014-11-13 Mark Lam <mark.lam@apple.com>
31605
31606 Change X86/64 JIT probes to save/restore xmm regs as double instead of __m128. [Follow up]
31607 <https://webkit.org/b/138708>
31608
31609 Reviewed by Michael Saboff.
31610
31611 Removed a stale comment and a now unnecessary #include.
31612
31613 * assembler/X86Assembler.h:
31614
31615 2014-11-13 Commit Queue <commit-queue@webkit.org>
31616
31617 Unreviewed, rolling out r176087.
31618 https://bugs.webkit.org/show_bug.cgi?id=138714
31619
31620 Broke the build (Requested by ap on #webkit).
31621
31622 Reverted changeset:
31623
31624 "Update WebKit to build with LLVM TOT"
31625 https://bugs.webkit.org/show_bug.cgi?id=138519
31626 http://trac.webkit.org/changeset/176087
31627
31628 2014-11-13 Mark Lam <mark.lam@apple.com>
31629
31630 Change X86/64 JIT probes to save/restore xmm regs as double instead of __m128.
31631 <https://webkit.org/b/138708>
31632
31633 Reviewed by Michael Saboff.
31634
31635 The JIT code only uses the xmm regs as double registers. This patch changes
31636 the storage types of the FP registers in X86Assembler.h to double instead of
31637 __m128, and updates the X86 and X86_64 JIT probe implementations accordingly.
31638
31639 Also made some minor cosmetic changes in the output of the probe dump functions.
31640
31641 * assembler/MacroAssemblerX86Common.cpp:
31642 (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
31643 * assembler/X86Assembler.h:
31644 * jit/JITStubsX86.h:
31645 * jit/JITStubsX86Common.h:
31646 * jit/JITStubsX86_64.h:
31647
31648 2014-11-13 Juergen Ributzka <juergen@apple.com>
31649
31650 Update WebKit to build with LLVM TOT
31651 https://bugs.webkit.org/show_bug.cgi?id=138519
31652
31653 Reviewed by Geoffrey Garen.
31654
31655 * Configurations/LLVMForJSC.xcconfig:
31656 * llvm/LLVMAPIFunctions.h:
31657 * llvm/library/LLVMExports.cpp:
31658 (initializeAndGetJSCLLVMAPI):
31659
31660 2014-11-13 Benjamin Poulain <benjamin@webkit.org>
31661
31662 ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset
31663 https://bugs.webkit.org/show_bug.cgi?id=136914
31664
31665 Reviewed by Michael Saboff.
31666
31667 TLDR: the immediate offset of half-word load was divided by 2.
31668
31669 Story time: So I started getting those weird reports of :nth-child() behaving bizarrely
31670 on ARMv7 and ARMv7s. To make things worse, the behavior changes depending on style updates.
31671
31672 I started looking at the disassembly of the test cases...
31673
31674 The first thing I noticed was that the computation of An+B looked wrong. For example,
31675 in the case of n+6, the instruction should have been:
31676 subs r1, r1, #6
31677 but was
31678 subs r1, r1, #2
31679
31680 After spending a lot of time trying to find the error in the assembler, I discovered
31681 the problem was not real, but just a bug in the disassembler.
31682 This is the first fix: ARMv7DOpcodeAddSubtractImmediate3's immediate3() was truncating
31683 the value to 2 bits instead of 3 bits.
31684
31685 The disassembler being fixed, I still have no lead on the weird bug. Some disassembly later,
31686 I realize the LDRH instruction is not decoded at all. The reason is that both LDRH and STRH
31687 were under the umbrella ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord but the pattern
31688 only matched STRH.
31689
31690 I fix that next, ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord is split into
31691 ARMv7DOpcodeStoreRegisterImmediateHalfWord and ARMv7DOpcodeLoadRegisterImmediateHalfWord,
31692 each with their own pattern and their instruction group.
31693
31694 Now that I can see the LDRHs correctly, there is something fishy about them, their offset
31695 is way too small for the data I load.
31696
31697 This time, looking at the binary, the generated code is indeed incorrect. It turns out that
31698 the ARMv7 assembler shifted the offset of half-word loads as if they were byte loads: divided by 4.
31699 As a result, all the loads of half-words with more than zero offset were loading
31700 values with a smaller offset than what they should have.
31701
31702 That being fixed, I dump the assembly: still wrong. I am ready to throw my keyboard through
31703 my screen at that point.
31704
31705 Looking at the disassembler, there is yet again a bug. The computation of the scale() adjustment
31706 of the offset was incorrect for anything but word loads.
31707 I replaced it by a switch-case to make it explicit.
31708
31709 STRH is likely incorrect too. I'll fix that in a follow-up; I want to survey all the 16-bit cases
31710 that are not directly used by the CSS JIT.
31711
31712 * assembler/ARMv7Assembler.h:
31713 (JSC::ARMv7Assembler::ldrh):
31714 Fix the immediate scaling. Add an assertion to make sure the alignment of the input is correct.
31715
31716 * disassembler/ARMv7/ARMv7DOpcode.cpp:
31717 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale):
31718 Fix the scaling code. Just hardcode instruction-to-scale table.
31719
31720 * disassembler/ARMv7/ARMv7DOpcode.h:
31721 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3):
31722 The mask for a 3-bit immediate is not 3 :)
31723
31724 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): Deleted.
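
The scaling mismatch this entry describes, as an added example that is not JavaScriptCore's own assembler or disassembler code: a small encoder and decoder for the 16-bit Thumb load-with-immediate forms (T1 encodings of LDR, LDRH and LDRB, whose imm5 field is scaled by 4, 2 and 1 respectively) together with the 3-bit immediate of SUBS. It generalises the entry's half-word case to all three widths so the per-instruction scale table is visible on both sides. Names such as encodeLoadImm, decodeLoadImm, encodeRejects and decodeImm3WithBuggyMask are this example's own.

```cpp
#include <cstdint>
#include <stdexcept>

// Added example, not JavaScriptCore code. Models the 16-bit Thumb
// "load register, immediate offset" encodings (T1) whose immediate is scaled
// by the access width, plus the 3-bit immediate of SUB (immediate) T1:
//   LDR  Rt,[Rn,#imm5*4]   bits[15:11] = 0b01101 (0x0D)
//   LDRH Rt,[Rn,#imm5*2]   bits[15:11] = 0b10001 (0x11)
//   LDRB Rt,[Rn,#imm5]     bits[15:11] = 0b01111 (0x0F)
//   SUBS Rd,Rn,#imm3       bits[15:9]  = 0b0001111 (0x0F), imm3 at bits[8:6]
enum class LoadWidth { Word, HalfWord, Byte };

// Byte scale per width as an explicit table (the approach the entry adopts
// for the disassembler's scale()) instead of arithmetic on opcode bits.
static unsigned scaleFor(LoadWidth w)
{
    switch (w) {
    case LoadWidth::Word:     return 4;
    case LoadWidth::HalfWord: return 2;
    case LoadWidth::Byte:     return 1;
    }
    return 0;
}

static uint16_t opcodeFor(LoadWidth w)
{
    switch (w) {
    case LoadWidth::Word:     return 0x0D;
    case LoadWidth::HalfWord: return 0x11;
    case LoadWidth::Byte:     return 0x0F;
    }
    return 0;
}

// Assembler side: takes a byte offset and scales it for the width. The
// alignment check plays the role of the assertion added to ldrh(): an
// offset that is not a multiple of the width cannot be encoded and must not
// be silently divided.
uint16_t encodeLoadImm(LoadWidth w, unsigned rt, unsigned rn, unsigned byteOffset)
{
    const unsigned scale = scaleFor(w);
    if (rt > 7 || rn > 7)
        throw std::invalid_argument("T1 encodings take low registers only");
    if (byteOffset % scale)
        throw std::invalid_argument("offset not aligned to the access width");
    const unsigned imm5 = byteOffset / scale;
    if (imm5 > 31)
        throw std::out_of_range("offset does not fit in imm5");
    return static_cast<uint16_t>((opcodeFor(w) << 11) | (imm5 << 6) | (rn << 3) | rt);
}

// True when the assembler refuses the offset.
bool encodeRejects(LoadWidth w, unsigned byteOffset)
{
    try { encodeLoadImm(w, 0, 0, byteOffset); return false; }
    catch (const std::exception&) { return true; }
}

struct LoadImm { LoadWidth width; unsigned rt, rn, byteOffset; };

// Disassembler side: the scale is chosen per instruction. Applying the word
// scale to every load is the disassembler bug the entry describes.
LoadImm decodeLoadImm(uint16_t insn)
{
    LoadImm out{};
    switch (insn >> 11) {
    case 0x0D: out.width = LoadWidth::Word; break;
    case 0x11: out.width = LoadWidth::HalfWord; break;
    case 0x0F: out.width = LoadWidth::Byte; break;
    default: throw std::invalid_argument("not a T1 load with immediate offset");
    }
    out.rt = insn & 7;
    out.rn = (insn >> 3) & 7;
    out.byteOffset = ((insn >> 6) & 0x1F) * scaleFor(out.width);
    return out;
}

uint16_t encodeSubsImm3(unsigned rd, unsigned rn, unsigned imm3)
{
    return static_cast<uint16_t>((0x0F << 9) | ((imm3 & 7) << 6) | (rn << 3) | rd);
}

// A 3-bit field needs mask 0x7. Masking with 0x3, as the old immediate3()
// did, reports "subs r1, r1, #6" as "#2".
unsigned decodeImm3(uint16_t insn) { return (insn >> 6) & 0x7; }
unsigned decodeImm3WithBuggyMask(uint16_t insn) { return (insn >> 6) & 0x3; }
```

Round-tripping every width through encodeLoadImm and decodeLoadImm is the check that catches both halves of the bug at once: an assembler that scales LDRH by 4 and a disassembler that unscales it by 4 agree with each other and only disagree with the CPU, so the test has to compare against a known-good encoding (0x88D1 for `ldrh r1, [r2, #6]`) rather than only against itself.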
31725
31726 2014-11-13 Andreas Kling <akling@apple.com>
31727
31728 Generate put_by_id for bracket assignment with constant string subscript.
31729 <https://webkit.org/b/138702>
31730
31731 Reviewed by Geoffrey Garen.
31732
31733 Transform o["f"]=x to o.f=x when generating bytecode. This allows our JIT
31734 to inline-cache those accesses instead of always dropping out to C++.
31735
31736 Just like the get_by_id transformations, this gets a bunch of use on
31737 real-web content (and Speedometer) but little/none on raw JS benchmarks.
31738
31739 * bytecompiler/NodesCodegen.cpp:
31740 (JSC::AssignBracketNode::emitBytecode):
31741
31742 2014-11-12 Mark Lam <mark.lam@apple.com>
31743
31744 Create canonical lists of registers used by both the Assemblers and the JIT probes.
31745 <https://webkit.org/b/138681>
31746
31747 Reviewed by Filip Pizlo.
31748
31749 * assembler/ARMAssembler.h:
31750 * assembler/ARMv7Assembler.h:
31751 * assembler/X86Assembler.h:
31752 - The FP register storage type is still defined as __m128 because the JIT
31753 probe code still expects that amount of storage to be available. Will
31754 change this to double when the JIT probe code is updated accordingly in a
31755 later patch.
31756
31757 2014-11-12 Andreas Kling <akling@apple.com>
31758
31759 Generate get_by_id for bracket access with constant string subscript.
31760 <https://webkit.org/b/138663>
31761
31762 Reviewed by Michael Saboff.
31763
31764 Transform o["f"] into o.f when generating bytecode. This allows our JIT
31765 to inline-cache those accesses instead of always dropping out to C++.
31766
31767 This is surprisingly common in real-web content, less so in benchmarks.
31768 Interestingly, Speedometer does hit the optimization quite a bit.
31769
31770 * bytecompiler/NodesCodegen.cpp:
31771 (JSC::BracketAccessorNode::emitBytecode):
31772
31773 2014-11-12 Mark Lam <mark.lam@apple.com>
31774
31775 Rename USE(MASM_PROBE) to ENABLE(MASM_PROBE).
31776 <https://webkit.org/b/138661>
31777
31778 Reviewed by Michael Saboff.
31779
31780 Also move the switch for enabling the use of MASM_PROBE from JavaScriptCore's
31781 config.h to WTF's Platform.h. This ensures that the setting is consistently
31782 applied even when building WebCore parts as well.
31783
31784 * assembler/ARMAssembler.h:
31785 * assembler/ARMv7Assembler.h:
31786 * assembler/MacroAssemblerARM.cpp:
31787 * assembler/MacroAssemblerARM.h:
31788 * assembler/MacroAssemblerARMv7.cpp:
31789 * assembler/MacroAssemblerARMv7.h:
31790 * assembler/MacroAssemblerX86.h:
31791 * assembler/MacroAssemblerX86Common.cpp:
31792 * assembler/MacroAssemblerX86Common.h:
31793 * assembler/MacroAssemblerX86_64.h:
31794 * assembler/X86Assembler.h:
31795 * config.h:
31796 * jit/JITStubs.h:
31797 * jit/JITStubsARM.h:
31798 * jit/JITStubsARMv7.h:
31799 * jit/JITStubsX86.h:
31800 * jit/JITStubsX86Common.h:
31801 * jit/JITStubsX86_64.h:
31802
31803 2014-11-12 peavo@outlook.com <peavo@outlook.com>
31804
31805 [WinCairo] Incorrect names for test executables in debug mode.
31806 https://bugs.webkit.org/show_bug.cgi?id=138659
31807
31808 Reviewed by Alex Christensen.
31809
31810 In debug mode, jsc.exe, and testapi.exe are not created, causing JSC test failures.
31811
31812 * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
31813 * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
31814
31815 2014-11-11 Michael Saboff <msaboff@apple.com>
31816
31817 Change DFG to use scope operand for op_resolve_scope
31818 https://bugs.webkit.org/show_bug.cgi?id=138651
31819
31820 Reviewed by Geoffrey Garen.
31821
31822 Changed to use the provided scope VirtualRegister.
31823
31824 * dfg/DFGByteCodeParser.cpp:
31825 (JSC::DFG::ByteCodeParser::getScope): Changed to use an argument scope register.
31826 (JSC::DFG::ByteCodeParser::parseBlock): Created VirtualRegister from scope operand.
31827
31828 2014-11-11 Gyuyoung Kim <gyuyoung.kim@samsung.com>
31829
31830 Remove IncrementalSweeper::create()
31831 https://bugs.webkit.org/show_bug.cgi?id=138243
31832
31833 Reviewed by Filip Pizlo.
31834
31835 As a step to use std::unique_ptr<> and std::make_unique<>, this patch removes
31836 IncrementalSweeper::create(), then sets the constructor of IncrementalSweeper to public.
31837 Now we begin to use std::make_unique<> to create IncrementalSweeper instances.
31838
31839 * heap/Heap.cpp:
31840 (JSC::Heap::Heap):
31841 (JSC::Heap::setIncrementalSweeper):
31842 * heap/Heap.h:
31843 * heap/IncrementalSweeper.cpp:
31844 (JSC::IncrementalSweeper::create): Deleted.
31845 * heap/IncrementalSweeper.h:
31846
31847 2014-11-11 Joseph Pecoraro <pecoraro@apple.com>
31848
31849 Web Inspector: Handle activating extra agents properly after inspector has connected
31850 https://bugs.webkit.org/show_bug.cgi?id=138639
31851
31852 Reviewed by Timothy Hatcher.
31853
31854 Instead of having the protocol configuration directly add the extra agent
31855 to the inspector registry, instead go through the augmentable controller.
31856 The controller will initialize as required if we are already connected or not,
31857 and will add to the registry.
31858
31859 The functional change here is that the frontend can be notified to activate
31860 extra agents multiple times as agents eventually become available.
31861
31862 * inspector/JSGlobalObjectInspectorController.cpp:
31863 (Inspector::JSGlobalObjectInspectorController::appendExtraAgent):
31864 * inspector/JSGlobalObjectInspectorController.h:
31865 * inspector/agents/InspectorAgent.cpp:
31866 (Inspector::InspectorAgent::activateExtraDomain):
31867 * inspector/agents/InspectorAgent.h:
31868 * inspector/augmentable/AugmentableInspectorController.h:
31869 * inspector/scripts/codegen/generator_templates.py:
31870 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
31871 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
31872 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
31873 * inspector/scripts/tests/expected/enum-values.json-result:
31874 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
31875 Rebased results.
31876
31877 2014-11-11 Michael Saboff <msaboff@apple.com>
31878
31879 Use scope register when processing op_resolve_scope in LLInt and Baseline JIT
31880 https://bugs.webkit.org/show_bug.cgi?id=138637
31881
31882 Reviewed by Mark Lam.
31883
31884 Filled out op_resolve_scope processing to use the scope operand to access the current
31885 scope chain.
31886
31887 * jit/JIT.h:
31888 * jit/JITInlines.h:
31889 (JSC::JIT::callOperation):
31890 * jit/JITOperations.cpp:
31891 * jit/JITOperations.h:
31892 Added scope virtual register parameter to emitResolveClosure(). Added new callOperation() to
31893 support the additional argument.
31894
31895 * jit/JITPropertyAccess.cpp:
31896 (JSC::JIT::emitResolveClosure):
31897 (JSC::JIT::emit_op_resolve_scope):
31898 (JSC::JIT::emitSlow_op_resolve_scope):
31899 * jit/JITPropertyAccess32_64.cpp:
31900 (JSC::JIT::emitResolveClosure):
31901 (JSC::JIT::emit_op_resolve_scope):
31902 (JSC::JIT::emitSlow_op_resolve_scope):
31903 * llint/LLIntSlowPaths.cpp:
31904 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
31905 Added "scope" parameter to emitResolveClosure(). Passed scope register index to slow path.
31906 Used scope virtual register instead of JSStack::ScopeChain.
31907
31908 2014-11-11 Joseph Pecoraro <pecoraro@apple.com>
31909
31910 Web Inspector: Don't require a debugger be attached for inspector auto attach
31911 https://bugs.webkit.org/show_bug.cgi?id=138638
31912
31913 Reviewed by Timothy Hatcher.
31914
31915 * inspector/remote/RemoteInspector.mm:
31916 (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
31917
31918 2014-11-11 Akos Kiss <akiss@inf.u-szeged.hu>
31919
31920 Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet
31921 https://bugs.webkit.org/show_bug.cgi?id=138543
31922
31923 Reviewed by Geoffrey Garen.
31924
31925 Exception fuzzing may raise exceptions in places where they would be
31926 otherwise impossible. Therefore, a callFrame may lack activation even if
31927 the codeBlock signals need of activation. Also, even if codeBlock
31928 signals the use of arguments, the unmodifiedArgumentsRegister may not be
31929 initialized yet (neither locally nor in lexicalEnvironment).
31930
31931 If codeBlock()->needsActivation() is false, unmodifiedArgumentsRegister
31932 is already checked for Undefined. This patch applies the same check when
31933 the condition is true (and also checks whether
31934 callFrame()->hasActivation()).
31935
31936 * interpreter/CallFrame.h:
31937 (JSC::ExecState::hasActivation):
31938 Moved to interpreter/CallFrameInlines.h.
31939 * interpreter/CallFrameInlines.h:
31940 (JSC::CallFrame::hasActivation):
31941 Fixed to verify that the JSValue returned by uncheckedActivation() is a
31942 cell.
31943 * interpreter/StackVisitor.cpp:
31944 (JSC::StackVisitor::Frame::existingArguments):
31945
31946 2014-11-11 Andreas Kling <akling@apple.com>
31947
31948 Another assertion fix for debug builds after r175846.
31949
31950 generateByIdStub() can now be called with an empty prototype chain
31951 if kind == GetUndefined, so tweak the assertion to cover that.
31952
31953 * jit/Repatch.cpp:
31954 (JSC::generateByIdStub):
31955
31956 2014-11-10 Andreas Kling <akling@apple.com>
31957
31958 Assertion fix for debug builds after r175846.
31959
31960 PropertySlot::slotBase() will assert if the slot is unset, so reorder
31961 the tests to check for isCacheableValue() first.
31962
31963 * jit/Repatch.cpp:
31964 (JSC::tryCacheGetByID):
31965
31966 2014-11-10 Andreas Kling <akling@apple.com>
31967
31968 The JIT should cache property lookup misses.
31969 <https://webkit.org/b/135578>
31970
31971 Add support for inline caching of missed property lookups.
31972 Previously this would banish us to C++ slow path.
31973
31974 It's implemented as a simple GetById cache that returns jsUndefined()
31975 as long as the Structure chain check passes. There's no DFG exploitation
31976 of this knowledge in this patch.
31977
31978 Test: js/regress/undefined-property-access.js (~5.5x speedup)
31979
31980 Reviewed by Filip Pizlo.
31981
31982 * bytecode/PolymorphicGetByIdList.h:
31983 * bytecode/GetByIdStatus.cpp:
31984 (JSC::GetByIdStatus::computeForStubInfo):
31985
31986 Add GetByIdAccess::SimpleMiss so we can communicate to the DFG that
31987 the access has been cached.
31988
31989 * jit/Repatch.cpp:
31990 (JSC::toString):
31991 (JSC::kindFor):
31992 (JSC::generateByIdStub):
31993 (JSC::tryCacheGetByID):
31994 (JSC::tryBuildGetByIDList):
31995
31996 Added a GetUndefined stub kind, just a simple "store jsUndefined()" snippet.
31997 Use this to cache missed lookups, piggybacking mostly on the GetValue kind.
31998
31999 * runtime/PropertySlot.h:
32000 (JSC::PropertySlot::isUnset):
32001
32002 Exposed the unset state so PropertySlot can communicate that lookup failed.
32003
32004 2014-11-10 Michael Saboff <msaboff@apple.com>
32005
32006 Add scope operand to op_create_lexical_environment
32007 https://bugs.webkit.org/show_bug.cgi?id=138588
32008
32009 Reviewed by Geoffrey Garen.
32010
32011 Added a second operand to op_create_lexical_environment that contains the scope register
32012 to update. Note that the DFG relies on operationCreateActivation() to update the
32013 scope register since we can't issue a set() with a non-local, non-argument register.
32014 This is temporary until the scope register is allocated as a local.
32015
32016 * bytecode/BytecodeList.json:
32017 * bytecode/CodeBlock.cpp:
32018 (JSC::CodeBlock::dumpBytecode):
32019 Added the scope register operand.
32020
32021 * bytecompiler/BytecodeGenerator.cpp:
32022 (JSC::BytecodeGenerator::BytecodeGenerator):
32023 Filled in the scope register operand.
32024
32025 * jit/JITOpcodes.cpp:
32026 (JSC::JIT::emit_op_create_lexical_environment):
32027 * jit/JITOpcodes32_64.cpp:
32028 (JSC::JIT::emit_op_create_lexical_environment):
32029 * llint/LLIntSlowPaths.cpp:
32030 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
32031 * llint/LowLevelInterpreter32_64.asm:
32032 * llint/LowLevelInterpreter64.asm:
32033 Set the scope register with the result of the appropriate create activation slow call.
32034
32035 2014-11-09 Akos Kiss <akiss@inf.u-szeged.hu>
32036
32037 Fix 'noreturn' function does return warning in LLVMOverrides.cpp
32038 https://bugs.webkit.org/show_bug.cgi?id=138306
32039
32040 Reviewed by Filip Pizlo.
32041
32042 Adding NO_RETURN where needed.
32043
32044 * llvm/library/LLVMExports.cpp:
32045 (initializeAndGetJSCLLVMAPI):
32046 * llvm/library/LLVMOverrides.cpp:
32047 * llvm/library/LLVMTrapCallback.h:
32048
32049 2014-11-07 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
32050
32051 Fix an alignment issue with operationPushCatchScope on ARMv7
32052 https://bugs.webkit.org/show_bug.cgi?id=138510
32053
32054 Reviewed by Csaba Osztrogonác.
32055
32056 * jit/CCallHelpers.h:
32057 (JSC::CCallHelpers::setupArgumentsWithExecState):
32058 * jit/JITInlines.h:
32059 (JSC::JIT::callOperation):
32060
32061 2014-11-07 Michael Saboff <msaboff@apple.com>
32062
32063 Update scope related slow path code to use scope register added to opcodes
32064 https://bugs.webkit.org/show_bug.cgi?id=138254
32065
32066 Reviewed by Mark Lam.
32067
32068 Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope.
32069 Added scope register index parameter to the front of the relevant argument lists of the
32070 slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough
32071 registers to accommodate all the parameters. Therefore, added two new JSVALUE32_64 slow
32072 paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate
32073 the last "type" argument.
32074
32075
32076 * assembler/MacroAssemblerCodeRef.h:
32077 (JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments.
32078
32079 * jit/CCallHelpers.h:
32080 (JSC::CCallHelpers::setupArgumentsWithExecState):
32081 * jit/JIT.h:
32082 * jit/JITInlines.h:
32083 (JSC::JIT::callOperation):
32084 New variants of setupArgumentsWithExecState() and callOperation() to handle the new
32085 combinations of argument types and counts.
32086
32087 * jit/JITOpcodes.cpp:
32088 (JSC::JIT::emit_op_push_with_scope):
32089 (JSC::JIT::emit_op_pop_scope):
32090 (JSC::JIT::emit_op_push_name_scope):
32091 * jit/JITOpcodes32_64.cpp:
32092 (JSC::JIT::emit_op_push_with_scope):
32093 (JSC::JIT::emit_op_pop_scope):
32094 (JSC::JIT::emit_op_push_name_scope):
32095 Use the new slow paths.
32096
32097 * jit/JITOperations.cpp:
32098 * jit/JITOperations.h:
32099 Updates to set the scope result using the scope register index. Added operationPushCatchScope()
32100 and operationPushFunctionNameScope().
32101
32102 * llint/LLIntSlowPaths.cpp:
32103 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
32104 Updated the scope slow paths to use the scope register index in the instruction to read and
32105 write the register instead of using CallFrame::scope() and CallFrame::setScope().
32106
32107 2014-11-07 Gyuyoung Kim <gyuyoung.kim@samsung.com>
32108
32109 Apply std::unique_ptr to slowPathCall()
32110 https://bugs.webkit.org/show_bug.cgi?id=138489
32111
32112 Reviewed by Mark Lam.
32113
32114 As a step to use std::unique_ptr<>, this patch makes slowPathCall() use std::unique_ptr<>,
32115 std::make_unique<>, and WTF::move().
32116
32117 * dfg/DFGSlowPathGenerator.h:
32118 (JSC::DFG::slowPathCall):
32119 (JSC::DFG::slowPathMove):
32120 * dfg/DFGSpeculativeJIT.cpp:
32121 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
32122 (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
32123 (JSC::DFG::SpeculativeJIT::arrayify):
32124 (JSC::DFG::SpeculativeJIT::compileIn):
32125 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
32126 * dfg/DFGSpeculativeJIT.h:
32127 * dfg/DFGSpeculativeJIT32_64.cpp:
32128 (JSC::DFG::SpeculativeJIT::cachedGetById):
32129 (JSC::DFG::SpeculativeJIT::cachedPutById):
32130 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
32131 (JSC::DFG::SpeculativeJIT::compile):
32132 * dfg/DFGSpeculativeJIT64.cpp:
32133 (JSC::DFG::SpeculativeJIT::cachedGetById):
32134 (JSC::DFG::SpeculativeJIT::cachedPutById):
32135 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
32136 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
32137 (JSC::DFG::SpeculativeJIT::compile):
32138
32139 2014-11-06 Mark Lam <mark.lam@apple.com>
32140
32141 slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
32142 <https://webkit.org/b/138476>
32143
32144 Reviewed by Michael Saboff.
32145
32146 slow_path_get_direct_pname() currently assumes that the baseValue is always a
32147 non-constant virtual register. However, this is not always the case like in the
32148 following:
32149
32150 function foo() {
32151 var o = { a:1 };
32152 for (var n in o)
32153 0[n];
32154 }
32155 foo();
32156
32157 This patch fixes it to also check for constant virtual register indexes.
32158
32159 * runtime/CommonSlowPaths.cpp:
32160 (JSC::SLOW_PATH_DECL):
32161
32162 2014-11-06 Michael Saboff <msaboff@apple.com>
32163
32164 REGRESSION (r174985-174986): Site display disappears
32165 https://bugs.webkit.org/show_bug.cgi?id=138082
32166
32167 Reviewed by Geoffrey Garen.
32168
32169 In support of the change in WebCore, this adds a new functor class to unwind to our
32170 caller's frame, possibly skipping intermediate C++ frames.
32171
32172 * interpreter/StackVisitor.h:
32173 (JSC::CallerFunctor::CallerFunctor):
32174 (JSC::CallerFunctor::callerFrame):
32175 (JSC::CallerFunctor::operator()):
32176
32177 2014-11-06 Gyuyoung Kim <gyuyoung.kim@samsung.com>
32178
32179 Use std::unique_ptr in CodeBlock class
32180 https://bugs.webkit.org/show_bug.cgi?id=138395
32181
32182 Reviewed by Darin Adler.
32183
32184 * bytecode/CodeBlock.h: Use std::unique_ptr.
32185 (JSC::CodeBlock::setJITCodeMap):
32186 * jit/CompactJITCodeMap.h: Use std::unique_ptr instead of OwnPtr|PassOwnPtr.
32187 (JSC::CompactJITCodeMap::CompactJITCodeMap):
32188 (JSC::CompactJITCodeMap::Encoder::finish): Use std::unique_ptr instead of PassOwnPtr.
32189
32190 2014-11-05 Mark Lam <mark.lam@apple.com>
32191
32192 PutById inline caches should have a store barrier when it triggers a structure transition.
32193 <https://webkit.org/b/138441>
32194
32195 Reviewed by Geoffrey Garen.
32196
32197 After r174025, we no longer insert DFG store barriers when the payload of a
32198 PutById operation is not a cell. However, this can lead to a crash when we have
32199 PutById inline cache code transitioning the structure and re-allocating the
32200 butterfly of an old gen object. The lack of a store barrier in that inline
32201 cache results in the old gen object not being noticed during an eden GC scan.
32202 As a result, its newly allocated butterfly will not be kept alive, which leads
32203 to a stale butterfly pointer and, eventually, a crash.
32204
32205 It is also possible that the new structure can be collected by the eden GC if
32206 (at GC time):
32207 1. It is in the eden gen.
32208 2. The inline cache that installed it has been evicted.
32209 3. There are no live eden gen objects referring to it.
32210
32211 The chances of this should be more rare than the butterfly re-allocation, but
32212 it is still possible. Hence, the fix is to always add a store barrier if the
32213 inline cache performs a structure transition.
32214
32215 * jit/Repatch.cpp:
32216 (JSC::emitPutTransitionStub):
32217 - Added store barrier code based on SpeculativeJIT::storeToWriteBarrierBuffer()'s
32218 implementation.
32219
32220 2014-11-05 Gyuyoung Kim <gyuyoung.kim@samsung.com>
32221
32222 Use std::unique_ptr in JSClassRef and JSCallbackObject
32223 https://bugs.webkit.org/show_bug.cgi?id=138402
32224
32225 Reviewed by Geoffrey Garen.
32226
32227 * API/JSCallbackObject.h: Use std::unique_ptr instead of OwnPtr|PassOwnPtr.
32228 (JSC::JSCallbackObjectData::setPrivateProperty): ditto.
32229 * API/JSClassRef.cpp: ditto.
32230 * API/JSClassRef.h: ditto.
32231
32232 2014-11-05 Michael Saboff <msaboff@apple.com>
32233
32234 Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
32235 https://bugs.webkit.org/show_bug.cgi?id=138381
32236
32237 Reviewed by Mark Lam.
32238
32239 Disabled these tests for ARM64. Will address the failures and then re-enable.
32240
32241 * tests/stress/float32-repeat-out-of-bounds.js:
32242 * tests/stress/int8-repeat-out-of-bounds.js:
32243
32244 2014-11-05 Alexey Proskuryakov <ap@apple.com>
32245
32246 Incorrect sandbox_check in RemoteInspector.mm
32247 https://bugs.webkit.org/show_bug.cgi?id=138408
32248
32249 Reviewed by Joseph Pecoraro.
32250
32251 * inspector/remote/RemoteInspector.mm:
32252 (Inspector::canAccessWebInspectorMachPort):
32253
32254 2014-11-03 Dean Jackson <dino@apple.com>
32255
32256 Add ENABLE_FILTERS_LEVEL_2 feature guard.
32257 https://bugs.webkit.org/show_bug.cgi?id=138362
32258
32259 Reviewed by Tim Horton.
32260
32261 Add a new feature define for Level 2 of CSS Filters.
32262 http://dev.w3.org/fxtf/filters-2/
32263
32264 * Configurations/FeatureDefines.xcconfig:
32265
32266 2014-11-04 Mark Lam <mark.lam@apple.com>
32267
32268 Rename checkMarkByte() to jumpIfIsRememberedOrInEden().
32269 <https://webkit.org/b/138369>
32270
32271 Reviewed by Geoffrey Garen.
32272
32273 Write barriers are needed for GC Eden collections so that we can scan pointers
32274 pointing from old generation objects to eden generation objects. The barrier
32275 currently checks the mark byte in a cell to see if we should skip adding the
32276 cell to the GC remembered set. The addition should be skipped if:
32277
32278 1. The cell is in the young generation. It has no old to eden pointers by
32279 definition.
32280 2. The cell is already in the remembered set. While it is ok to add the cell
32281 to the GC remembered set more than once, it would be redundant. Hence,
32282 we skip this as an optimization to avoid doing unnecessary work.
32283
32284 The barrier currently names this check as checkMarkByte(). We should rename it
32285 to jumpIfIsRememberedOrInEden() to be clearer about its intent.
32286
32287 Similarly, Jump results of this check are currently named
32288 ownerNotMarkedOrAlreadyRemembered. This can be misinterpreted as the owner is
32289 not marked or not already remembered. We should rename it to
32290 ownerIsRememberedOrInEden which is clearer about the intent of the
32291 check. What we are really checking for is that the cell is in the eden gen,
32292 which is implied by it being "not marked".
32293
32294 * dfg/DFGOSRExitCompilerCommon.cpp:
32295 (JSC::DFG::osrWriteBarrier):
32296 * dfg/DFGSpeculativeJIT.cpp:
32297 (JSC::DFG::SpeculativeJIT::writeBarrier):
32298 * dfg/DFGSpeculativeJIT32_64.cpp:
32299 (JSC::DFG::SpeculativeJIT::writeBarrier):
32300 * dfg/DFGSpeculativeJIT64.cpp:
32301 (JSC::DFG::SpeculativeJIT::writeBarrier):
32302 * jit/AssemblyHelpers.h:
32303 (JSC::AssemblyHelpers::jumpIfIsRememberedOrInEden):
32304 (JSC::AssemblyHelpers::checkMarkByte): Deleted.
32305 * jit/JITPropertyAccess.cpp:
32306 (JSC::JIT::emitWriteBarrier):
32307 * llint/LowLevelInterpreter.asm:
32308 * llint/LowLevelInterpreter32_64.asm:
32309 * llint/LowLevelInterpreter64.asm:
32310 * runtime/JSCell.h:
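
The barrier logic this entry and the 2014-11-05 "PutById inline caches should have a store barrier" entry describe, as an added toy model that is not JavaScriptCore's heap code: a two-condition skip check (owner in eden, or already remembered), a store with and without the barrier, and a simplified eden collection that traces only from eden roots and from remembered old cells. Cell, Heap, storeWithBarrier, edenCollect, edenValueSurvives and rememberedEntriesAfterStores are this example's own names; "marked" stands in for "survived a collection, therefore old".

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <unordered_set>
#include <vector>

// Added example, not JavaScriptCore code: a toy generational write barrier.
// marked     = survived a collection, so the cell lives in the old generation
// remembered = already in the remembered set
struct Cell {
    bool marked = false;
    bool remembered = false;
    std::vector<Cell*> fields; // outgoing pointers, e.g. butterfly contents
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;
    std::vector<Cell*> rememberedSet;

    Cell* allocate()
    {
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }

    // The check the entry renames to jumpIfIsRememberedOrInEden(): true means
    // the barrier may skip this owner. Not marked implies eden, which cannot
    // hold an old-to-eden pointer; remembered means it is already queued.
    static bool isRememberedOrInEden(const Cell* owner)
    {
        return !owner->marked || owner->remembered;
    }

    // Store with the barrier: only old, not-yet-remembered owners are queued.
    void storeWithBarrier(Cell* owner, Cell* value)
    {
        owner->fields.push_back(value);
        if (isRememberedOrInEden(owner))
            return;
        owner->remembered = true;
        rememberedSet.push_back(owner);
    }

    // Store without a barrier: the gap the PutById inline-cache entry closes.
    void storeWithoutBarrier(Cell* owner, Cell* value)
    {
        owner->fields.push_back(value);
    }

    // Eden collection: trace from eden roots and from the fields of remembered
    // old cells, never into old cells. Survivors are promoted, the remembered
    // set is reset and dead eden cells are freed. Returns the survivors.
    std::unordered_set<Cell*> edenCollect()
    {
        std::unordered_set<Cell*> live;
        std::vector<Cell*> work;
        for (Cell* r : roots)
            if (!r->marked) work.push_back(r);
        for (Cell* owner : rememberedSet)
            for (Cell* f : owner->fields)
                if (!f->marked) work.push_back(f);
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!live.insert(c).second)
                continue;
            for (Cell* f : c->fields)
                if (!f->marked) work.push_back(f);
        }
        for (Cell* c : live) c->marked = true;
        for (Cell* owner : rememberedSet) owner->remembered = false;
        rememberedSet.clear();
        cells.erase(std::remove_if(cells.begin(), cells.end(),
            [](const std::unique_ptr<Cell>& c) { return !c->marked; }), cells.end());
        return live;
    }
};

// Scenario from the PutById entry: an old object receives a pointer to a
// freshly allocated eden cell (its new butterfly). Returns whether that cell
// survives the next eden collection.
bool edenValueSurvives(bool useBarrier)
{
    Heap heap;
    Cell* owner = heap.allocate();
    heap.roots.push_back(owner);
    heap.edenCollect(); // owner is promoted to the old generation
    Cell* butterfly = heap.allocate();
    if (useBarrier)
        heap.storeWithBarrier(owner, butterfly);
    else
        heap.storeWithoutBarrier(owner, butterfly);
    return heap.edenCollect().count(butterfly) != 0;
}

// Both skip conditions: an eden owner is never queued, and an old owner is
// queued once however many stores it receives.
std::size_t rememberedEntriesAfterStores(bool ownerIsOld, int stores)
{
    Heap heap;
    Cell* owner = heap.allocate();
    heap.roots.push_back(owner);
    if (ownerIsOld)
        heap.edenCollect();
    for (int i = 0; i < stores; ++i)
        heap.storeWithBarrier(owner, heap.allocate());
    return heap.rememberedSet.size();
}
```

The model keeps the two conditions of the renamed check visibly separate because they fail in different ways: dropping the "in eden" half only costs redundant remembered-set entries, while dropping the barrier on an old owner (edenValueSurvives(false)) leaves the owner holding a pointer to a freed butterfly, which is the crash the PutById entry traces.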
32311
32312 2014-11-04 Joseph Pecoraro <pecoraro@apple.com>
32313
32314 Web Inspector: Pause on exceptions should show the actual exception
32315 https://bugs.webkit.org/show_bug.cgi?id=63096
32316
32317 Reviewed by Timothy Hatcher.
32318
32319 * debugger/Debugger.h:
32320 Expose accessor for the pause reason to subclasses.
32321
32322 * inspector/JSInjectedScriptHost.cpp:
32323 (Inspector::JSInjectedScriptHost::type):
32324 New "error" subtype for error objects.
32325
32326 * inspector/InjectedScriptSource.js:
32327 When an object is an error object, use toString to provide a richer description.
32328
32329 * inspector/protocol/Runtime.json:
32330 Expose a new "error" subtype for Error types (TypeError, ReferenceError, EvalError, etc).
32331
32332 * inspector/protocol/Debugger.json:
32333 Provide type checked objects for different Debugger.pause pause reasons.
32334 An exception provides the thrown object, but assert / CSP pauses provide
32335 a richer typed object as the auxiliary data.
32336
32337 * inspector/ScriptDebugServer.cpp:
32338 (Inspector::ScriptDebugServer::dispatchDidPause):
32339 When paused because of an exception, pass the exception on.
32340
32341 * inspector/agents/InspectorDebuggerAgent.h:
32342 * inspector/agents/InspectorDebuggerAgent.cpp:
32343 (Inspector::InspectorDebuggerAgent::handleConsoleAssert):
32344 (Inspector::InspectorDebuggerAgent::scriptExecutionBlockedByCSP):
32345 Provide richer data in pause events.
32346
32347 * inspector/scripts/codegen/generate_backend_commands.py:
32348 (BackendCommandsGenerator.generate_domain.is_anonymous_enum_param):
32349 (BackendCommandsGenerator.generate_domain):
32350 * inspector/scripts/tests/expected/enum-values.json-result:
32351 Generate frontend enums for anonymous enum event parameters.
32352
323532014-11-04 Michael Saboff <msaboff@apple.com>
32354
32355 Disable flakey float32-repeat-out-of-bounds.js and int8-repeat-out-of-bounds.js tests for ARM64
32356 https://bugs.webkit.org/show_bug.cgi?id=138381
32357
32358 Reviewed by Mark Lam.
32359
32360 Disabled these test for ARM64. Will address the failures and then re-enable.
32361
32362 * tests/stress/float32-repeat-out-of-bounds.js:
32363 * tests/stress/int8-repeat-out-of-bounds.js:
32364
323652014-11-04 Joseph Pecoraro <pecoraro@apple.com>
32366
32367 Web Inspector: Enum value collisions between different generators
32368 https://bugs.webkit.org/show_bug.cgi?id=138343
32369
32370 Reviewed by Brian Burg.
32371
32372 Each generator was using its own filtered list of domains_to_generate
32373 to build the shared unique list of enum value encodings. This list
32374 was slightly different across different generators. Instead always
32375 use the list of all non-supplemental domains to generate the shared
32376 list of enum values.
32377
32378 * inspector/scripts/codegen/generator.py:
32379 (Generator.non_supplemental_domains):
32380 (Generator.domains_to_generate):
32381 (Generator._traverse_and_assign_enum_values):
32382 * inspector/scripts/tests/enum-values.json: Added.
32383 * inspector/scripts/tests/expected/enum-values.json-result: Added.
32384
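The numbering mismatch this entry describes, shown as an added example (this is not the WebKit inspector generator's code): a toy protocol in which the same enum string appears in two domains, a per-generator domain filter that drops one domain, and the shared non-supplemental list used after the fix. The domain names, the "skip CSS" backend filter and every function name here are constructed assumptions; what is real is the mechanism, that a shared encoding computed from different input lists yields different numbers for the same string.

```python
# Added example modelling the enum-encoding mismatch described above.
# Constructed: not the WebKit inspector generator code; the domain data,
# the per-generator filter and all function names are assumptions.
from collections import namedtuple

Domain = namedtuple("Domain", ["name", "supplemental", "enum_values"])

# Constructed protocol: "error" appears in two domains, and one domain is
# supplemental (it augments another domain and is excluded from the shared list).
PROTOCOL = [
    Domain("Runtime",  False, ["object", "function", "error"]),
    Domain("CSS",      False, ["author", "user", "user-agent"]),
    Domain("Debugger", False, ["error", "assert", "CSP"]),
    Domain("Page",     True,  ["script"]),
]


def assign_enum_values(domains):
    """Number each distinct enum string in first-seen order.

    This is the shared encoding: every generated file (backend and frontend)
    must agree on it, so it has to be computed from the same domain list."""
    encoding = {}
    for domain in domains:
        for value in domain.enum_values:
            encoding.setdefault(value, len(encoding))
    return encoding


def non_supplemental_domains(protocol):
    return [d for d in protocol if not d.supplemental]


# Before the fix: each generator numbered enums from its own filtered
# domains_to_generate list. The filter below (a backend generator that has
# nothing to emit for CSS) is constructed to show the effect.
def backend_domains_to_generate(protocol):
    return [d for d in non_supplemental_domains(protocol) if d.name != "CSS"]


def frontend_domains_to_generate(protocol):
    return non_supplemental_domains(protocol)


def encodings_before_fix(protocol):
    backend = assign_enum_values(backend_domains_to_generate(protocol))
    frontend = assign_enum_values(frontend_domains_to_generate(protocol))
    return backend, frontend


# After the fix: each generator still filters what it emits, but the shared
# encoding is always computed from all non-supplemental domains.
def encodings_after_fix(protocol):
    shared = assign_enum_values(non_supplemental_domains(protocol))
    return shared, dict(shared)


def mismatched_values(backend, frontend):
    """Enum strings the two sides encode with different numbers."""
    return sorted(v for v in backend if v in frontend and backend[v] != frontend[v])


if __name__ == "__main__":
    print("before fix, disagreeing values:", mismatched_values(*encodings_before_fix(PROTOCOL)))
    print("after fix, disagreeing values:", mismatched_values(*encodings_after_fix(PROTOCOL)))
```

With the constructed protocol, the backend side numbers "assert" as 3 while the frontend side, which also saw the CSS domain, numbers it 6; 3 on the frontend side means "author", so a value sent by one side is decoded as a different enum by the other. Computing the table from one list makes the two dictionaries identical.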
2014-11-03 Akos Kiss <akiss@inf.u-szeged.hu>

Workaround for Cortex-A53 erratum 835769
https://bugs.webkit.org/show_bug.cgi?id=138315

Reviewed by Filip Pizlo.

This patch introduces CMake variable and preprocessor macro
WTF_CPU_ARM64_CORTEXA53 with the aim of enabling Cortex-A53-specific
code paths, if set true. The patch also implements one case where such
code paths are needed: the workaround for Cortex-A53 erratum 835769. If
WTF_CPU_ARM64_CORTEXA53 is set then:
- CMake checks whether the compiler already has support for a workaround
and adds -mfix-cortex-a53-835769 to the compiler flags if so,
- the ARM64 backend of offlineasm inserts a nop between memory and
multiply-accumulate instructions, and
- the ARM64 assembler also inserts a nop between memory and (64-bit)
multiply-accumulate instructions.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::madd):
Call nopCortexA53Fix835769() to insert a nop if CPU(ARM64_CORTEXA53) and
if necessary.
(JSC::ARM64Assembler::msub): Likewise.
(JSC::ARM64Assembler::smaddl): Likewise.
(JSC::ARM64Assembler::smsubl): Likewise.
(JSC::ARM64Assembler::umaddl): Likewise.
(JSC::ARM64Assembler::umsubl): Likewise.
(JSC::ARM64Assembler::nopCortexA53Fix835769):
Added. Insert a nop if the previously emitted instruction was a load, a
store, or a prefetch, and if the current instruction is 64-bit.
* offlineasm/arm64.rb:
Add the arm64CortexA53Fix835769 phase and call it from
getModifiedListARM64 to insert nopCortexA53Fix835769 between appropriate
macro instructions. Also, lower nopCortexA53Fix835769 to nop if
CPU(ARM64_CORTEXA53), to nothing otherwise.
* offlineasm/instructions.rb:
Define macro instruction nopFixCortexA53Err835769.

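The instruction-stream rule this entry states (a nop between a load, store or prefetch and an immediately following 64-bit multiply-accumulate), written out as an added Python model; it is not JavaScriptCore's ARM64Assembler or offlineasm code. The Insn type, the mnemonic sets and the function names are constructed assumptions, and the pass models only the condition described in the entry, not the full erratum text. The point for anyone emitting machine code: an erratum like this yields silently wrong arithmetic, so the padding has to be applied by every emitter in the engine, the JIT assembler and the hand-written interpreter alike.

```python
# Added example: a model of the erratum 835769 nop-insertion pass described
# above. Constructed, not JavaScriptCore code: the Insn type, the mnemonic
# sets and insert_cortex_a53_fix_835769() are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

# Memory instructions after which the erratum can trigger (constructed subset).
MEMORY_OPS = {"ldr", "ldp", "str", "stp", "prfm"}
# The multiply-accumulate family the entry lists.
MULTIPLY_ACCUMULATE = {"madd", "msub", "smaddl", "smsubl", "umaddl", "umsubl"}


@dataclass(frozen=True)
class Insn:
    mnemonic: str
    operands: Tuple[str, ...] = ()

    def is_memory_op(self) -> bool:
        return self.mnemonic in MEMORY_OPS

    def is_64bit_multiply_accumulate(self) -> bool:
        """True for the multiply-accumulates that write a 64-bit register.

        The *l forms always produce a 64-bit result; madd/msub are 64-bit only
        when their destination is an x register rather than a w register."""
        if self.mnemonic not in MULTIPLY_ACCUMULATE:
            return False
        if self.mnemonic.endswith("l"):
            return True
        return bool(self.operands) and self.operands[0].startswith("x")


NOP = Insn("nop")


def insert_cortex_a53_fix_835769(insns: List[Insn]) -> List[Insn]:
    """Return a copy of the stream with a nop placed between every memory
    instruction and an immediately following 64-bit multiply-accumulate.

    Mirrors the condition the entry states for nopCortexA53Fix835769(): look at
    the previously emitted instruction, and pad only when the current one is a
    64-bit multiply-accumulate."""
    out: List[Insn] = []
    for insn in insns:
        if out and out[-1].is_memory_op() and insn.is_64bit_multiply_accumulate():
            out.append(NOP)
        out.append(insn)
    return out


def mnemonics(insns: List[Insn]) -> List[str]:
    return [i.mnemonic for i in insns]


# Constructed sample stream: a 64-bit madd right after a load (needs a nop),
# a 32-bit madd after a load (does not), a smaddl after an add (does not),
# and an umsubl after a prefetch (needs a nop).
SAMPLE = [
    Insn("ldr", ("x0", "[x1]")),
    Insn("madd", ("x2", "x3", "x4", "x0")),
    Insn("ldr", ("w5", "[x1, #8]")),
    Insn("madd", ("w6", "w7", "w8", "w5")),
    Insn("add", ("x9", "x2", "x6")),
    Insn("smaddl", ("x10", "w7", "w8", "x9")),
    Insn("prfm", ("pldl1keep", "[x1, #64]")),
    Insn("umsubl", ("x11", "w7", "w8", "x10")),
]


def fixed_sample_mnemonics() -> List[str]:
    return mnemonics(insert_cortex_a53_fix_835769(SAMPLE))


if __name__ == "__main__":
    print(" ".join(fixed_sample_mnemonics()))
```

The pass only ever looks at the instruction just emitted, which is why it can run incrementally inside an assembler (as the entry describes for madd and friends) as well as as a whole-list phase in offlineasm; the inserted nop itself is not a memory op, so a run of multiply-accumulates after one load gets a single nop.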
2014-11-03 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r175509.
https://bugs.webkit.org/show_bug.cgi?id=138349

broke some builds (Requested by msaboff on #webkit).

Reverted changeset:

"Update scope related slow path code to use scope register
added to opcodes"
https://bugs.webkit.org/show_bug.cgi?id=138254
http://trac.webkit.org/changeset/175509

2014-11-03 Michael Saboff <msaboff@apple.com>

Update scope related slow path code to use scope register added to opcodes
https://bugs.webkit.org/show_bug.cgi?id=138254

Reviewed by Mark Lam.

Updated slow paths for op_pop_scope, op_push_name_scope and op_push_with_scope.
Added scope register index parameter to the front of the relevant argument lists of the
slow functions. In the case of op_push_name_scope for x86 (32 bit), there aren't enough
registers to accommodate all the parameters. Therefore, added two new JSVALUE32_64 slow
paths called operationPushCatchScope() and operationPushFunctionNameScope() to eliminate
the last "type" argument.

* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr): Added a new template to take 6 arguments.

* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
New variants of setupArgumentsWithExecState() and callOperation() to handle the new
combinations of argument types and counts.

* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
Use the new slow paths.

* jit/JITOperations.cpp:
* jit/JITOperations.h:
Updates to set the scope result using the scope register index. Added operationPushCatchScope()
and operationPushFunctionNameScope().

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
Updated the scope slow paths to use the scope register index in the instruction to read and
write the register instead of using CallFrame::scope() and CallFrame::setScope().

2014-11-03 Michael Saboff <msaboff@apple.com>

Add "get scope" byte code
https://bugs.webkit.org/show_bug.cgi?id=138326

Reviewed by Mark Lam.

Added op_get_scope. Added implementations for the LLInt and baseline JIT.
Provided nop implementation for DFG and FTL. The new byte code is emitted
after op_enter for any function, program or eval. It is expected that the
DFG will be implemented such that unneeded op_get_scope would be eliminated
during DFG compilation.

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
Added new op_get_scope bytecode.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitGetScope):
* bytecompiler/BytecodeGenerator.h:
Emit new op_get_scope bytecode.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
Added framework for new op_get_scope bytecode.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_scope):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Implementation of op_get_scope bytecode.

2014-11-03 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Fix RWIProtocol 64-to-32 bit conversion warnings
https://bugs.webkit.org/show_bug.cgi?id=138325

Reviewed by Timothy Hatcher.

* inspector/InspectorValues.h:
Vector's length really is an unsigned, so a static_cast here is fine.

* inspector/scripts/codegen/generate_objective_c.py:
(ObjCGenerator.objc_type_for_raw_name):
Use int instead of NSInteger for APIs that eventually map to
InspectorObject's setInteger, which takes an int.

* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
Rebaselined results with the type change.

2014-11-03 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Show Selector's Specificity
https://bugs.webkit.org/show_bug.cgi?id=138189

Reviewed by Timothy Hatcher.

* inspector/protocol/CSS.json:
Create a new named type CSSSelector to include a selector's text and specificity.
The specificity tuple is optional as it may soon be made dynamic in some cases.

2014-11-03 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: ObjC Protocol Interfaces should throw exceptions for nil arguments
https://bugs.webkit.org/show_bug.cgi?id=138221

Reviewed by Timothy Hatcher.

The RWIProtocol APIs will now raise exceptions when:

- any properties are set on a type with a nil value or key (handled by RWIProtocolJSONObject)
- required parameters in type constructors have nil value
- required or optional command return parameters have nil values
- required or optional event parameters have nil values

The exceptions include the name of the field when possible.

* inspector/scripts/codegen/generate_objective_c.py:
(ObjCGenerator.is_type_objc_pointer_type):
Provide a quick check to see if type would be a pointer or not
in the ObjC API. Enums for example are not pointers in the API
because we manage converting them to/from strings.

* inspector/scripts/codegen/generate_objective_c_backend_dispatcher_implementation.py:
(ObjectiveCConfigurationImplementationGenerator._generate_success_block_for_command):
* inspector/scripts/codegen/generate_objective_c_frontend_dispatcher_implementation.py:
(ObjectiveCFrontendDispatcherImplementationGenerator._generate_event):
* inspector/scripts/codegen/generate_objective_c_types_implementation.py:
(ObjectiveCTypesImplementationGenerator._generate_init_method_for_required_members):
(ObjectiveCTypesImplementationGenerator._generate_setter_for_member):
Throw exceptions when nil values are disallowed.

* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
Rebaseline tests which include the exception raise calls.

2014-11-03 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: ALTERNATE_DISPATCHERS Let the frontend know about extra agents
https://bugs.webkit.org/show_bug.cgi?id=138236

Reviewed by Brian Burg.

Inform the frontend about any extra domains the backend may have
above and beyond the default list of domains for the debuggable type.
This approach means there is almost no cost to normal debugging.
When a JSContext is debugged with extra agents, a message is sent
to the frontend letting it know which domains to then activate,
and perform any initialization work that may be required.

* inspector/InspectorAgentBase.h:
(Inspector::InspectorAgentBase::domainName):
* inspector/InspectorAgentRegistry.cpp:
(Inspector::InspectorAgentRegistry::appendExtraAgent):
* inspector/InspectorAgentRegistry.h:
* inspector/scripts/codegen/generator_templates.py:
Provide a way to get a list of just the extra domains.
To aggregate this list provide a different "append"
specifically for extra agents.

* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::connectFrontend):
When a frontend connects, inform it of the extra domains.

* inspector/protocol/Inspector.json:
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::enable):
(Inspector::InspectorAgent::activateExtraDomains):
Send an event with the extra domains to activate.

2014-11-01 Michael Saboff <msaboff@apple.com>

Add scope operand to op_resolve_scope
https://bugs.webkit.org/show_bug.cgi?id=138253

Reviewed by Mark Lam.

Added scope operand to op_resolve_scope. Although the scope register is filled in with
the ScopeChain register, this operand is not used in the processing of the bytecode.
That will be addressed in a future patch.

* bytecode/BytecodeList.json: Lengthened the three bytecodes.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand.

(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
Updated the operand indices for the processing of op_resolve_scope.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitGetOwnScope):
(JSC::BytecodeGenerator::emitReturn):
Added scope register to these emit functions and the bytecodes they emit.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emitSlow_op_resolve_scope):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Updated the operand indices for the processing of op_resolve_scope.

2014-11-01 Carlos Garcia Campos <cgarcia@igalia.com>

REGRESSION(CMake): Make it possible to build without introspection
https://bugs.webkit.org/show_bug.cgi?id=138006

Reviewed by Philippe Normand.

Do not install introspection files when introspection is disabled.

* PlatformGTK.cmake:

2014-10-31 Gyuyoung Kim <gyuyoung.kim@samsung.com>

Use std::unique_ptr for TypeCountSet
https://bugs.webkit.org/show_bug.cgi?id=138242

Reviewed by Andreas Kling.

* heap/Heap.cpp:
(JSC::Heap::protectedObjectTypeCounts):
Use std::unique_ptr<> instead of PassOwnPtr|OwnPtr.
(JSC::Heap::objectTypeCounts): ditto.
* heap/Heap.h:

2014-10-31 Michael Saboff <msaboff@apple.com>

Add scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope
https://bugs.webkit.org/show_bug.cgi?id=138252

Reviewed by Geoffrey Garen.

Added scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope.
Although the scope register is filled in with the ScopeChain register for all
three bytecodes, this operand is not used in the processing of the bytecodes.
That will be addressed in a future patch.

* bytecode/BytecodeList.json: Lengthened the three bytecodes.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode): Added code to dump the scope operand.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPopScope):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::emitPopScopes):
(JSC::BytecodeGenerator::emitPushFunctionNameScope):
(JSC::BytecodeGenerator::emitPushCatchScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::scopeRegister):
Added scope register to these emit functions and the bytecodes they emit.
New m_scopeRegister and accessor.

* bytecompiler/NodesCodegen.cpp:
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::WithNode::emitBytecode):
(JSC::TryNode::emitBytecode):
Created a RegisterID for the ScopeChain register and used it to emit the updated
bytecodes.

* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_push_name_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_push_name_scope):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.asm:
Updated the operand indices for the processing of the updated bytecodes.

2014-10-31 Andreas Kling <akling@apple.com>

Make writes to RegExpObject.lastIndex cacheable.
<https://webkit.org/b/138255>

Reviewed by Geoffrey Garen.

We were neglecting to IC the puts to RegExpObject.lastIndex on Octane/regexp,
and ended up spending 4.5% of a time profile in operationPutByIdNonStrict.

~3% progression on Octane/regexp.

* runtime/RegExpObject.cpp:
(JSC::regExpObjectSetLastIndexStrict):
(JSC::regExpObjectSetLastIndexNonStrict):
(JSC::RegExpObject::put):

2014-10-31 Chris Dumez <cdumez@apple.com>

Fix a couple of warnings in JSC reported by clang static analyzer
https://bugs.webkit.org/show_bug.cgi?id=138240

Reviewed by Geoffrey Garen.

Fix a couple of warnings in JSC reported by clang static analyzer about
value stored in variables never being read. This is addressed by
reducing the scope of the variable or removing the variable entirely.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
* runtime/VM.cpp:
(JSC::VM::throwException):

2014-10-30 Dana Burkart <dburkart@apple.com>

<rdar://problem/18821260> Prepare for the mysterious future

Reviewed by Lucas Forschler.

* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/FeatureDefines.xcconfig:
* Configurations/Version.xcconfig:

2014-10-30 Saam Barati <saambarati1@gmail.com>

AST Nodes should keep track of their end offset
https://bugs.webkit.org/show_bug.cgi?id=138143

Reviewed by Filip Pizlo.

AST nodes now have an int property for their end text
offsets. This change lays some foundational work that will be
needed in profiling which basic blocks have executed.

* parser/ASTBuilder.h:
(JSC::ASTBuilder::setEndOffset):
* parser/Nodes.h:
(JSC::Node::endOffset):
(JSC::Node::setEndOffset):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseStatement):
(JSC::Parser<LexerType>::parseFunctionInfo):
(JSC::Parser<LexerType>::parseExpression):
(JSC::Parser<LexerType>::parseProperty):
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::operatorStackPop):

2014-10-30 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Generate ObjC inspector protocol types and alternate dispatcher interfaces
https://bugs.webkit.org/show_bug.cgi?id=138048

Reviewed by Brian Burg.

Generate Objective-C interfaces for inspector protocol types, command, and event dispatchers.
This is very much like the InspectorProtocolTypes, BackendDispatchers, and FrontendDispatchers,
but with an ObjC spin on things.

The private API that clients would use is all encapsulated in RWIProtocol.h. It includes the
type interfaces, command handler protocol, and event dispatcher interface. Where possible the
API uses real enums, which hides the raw protocol enum strings from clients.

Inspector protocol types are, like InspectorProtocolObjects, built on top of an InspectorObject.
This offers the flexibility of adding arbitrary key/values using the RWIProtocolJSONObject
interface, which may be required for certain protocol objects like "Network.Headers" which
have no fields, but expect arbitrary properties to be added.

Command handler protocols always have two callbacks. An error callback and a success callback.
The signature is very much like BackendDispatchers. In parameters are passed directly to
the selectors, and out parameters are defined by the success callback. It will be the client's
responsibility to call either of these callbacks to complete handling of a request.

Event dispatcher interfaces are straightforward, just packaging up the arguments and sending
the message to the frontend.

ObjC <-> Protocol conversion happens in each of the generated files. In type getters / setters,
in command parameters and event parameters. For this to work we generate conversion helpers
for all enums, ObjC enum <-> protocol strings. For NSArray <-> InspectorArray there are some
static helpers to do the conversions. We do lose some type safety in these conversions.

* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/scripts/codegen/__init__.py:
* inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py:
(AlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
* inspector/scripts/codegen/generate_backend_dispatcher_header.py:
(BackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector):
(BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
(BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
* inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
(BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
(BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
* inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
(FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
* inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
* inspector/scripts/codegen/generate_objective_c.py: Added.
(join_type_and_name):
(strip_comment_markers):
(remove_duplicate_from_str):
(ObjCTypeCategory):
(ObjCTypeCategory.category_of_type):
(ObjCGenerator):
(ObjCGenerator.identifier_to_objc_identifier):
(ObjCGenerator.objc_identifier_to_identifier):
(ObjCGenerator.should_generate_domain_types_filter):
(ObjCGenerator.should_generate_domain_types_filter.should_generate_domain_types):
(ObjCGenerator.should_generate_domain_command_handler_filter):
(ObjCGenerator.should_generate_domain_command_handler_filter.should_generate_domain_command_handler):
(ObjCGenerator.should_generate_domain_event_dispatcher_filter):
(ObjCGenerator.should_generate_domain_event_dispatcher_filter.should_generate_domain_event_dispatcher):
(ObjCGenerator.objc_name_for_type):
(ObjCGenerator.objc_enum_name_for_anonymous_enum_declaration):
(ObjCGenerator.objc_enum_name_for_anonymous_enum_member):
(ObjCGenerator.objc_enum_name_for_anonymous_enum_parameter):
(ObjCGenerator.objc_enum_name_for_non_anonymous_enum):
(ObjCGenerator.variable_name_prefix_for_domain):
(ObjCGenerator.objc_accessor_type_for_raw_name):
(ObjCGenerator.objc_type_for_raw_name):
(ObjCGenerator.objc_class_for_raw_name):
(ObjCGenerator.protocol_type_for_raw_name):
(ObjCGenerator.protocol_type_for_type):
(ObjCGenerator.objc_class_for_type):
(ObjCGenerator.objc_accessor_type_for_member):
(ObjCGenerator.objc_accessor_type_for_member_internal):
(ObjCGenerator.objc_type_for_member):
(ObjCGenerator.objc_type_for_member_internal):
(ObjCGenerator.objc_type_for_param):
(ObjCGenerator.objc_type_for_param_internal):
(ObjCGenerator.objc_protocol_export_expression_for_variable):
(ObjCGenerator.objc_protocol_import_expression_for_member):
(ObjCGenerator.objc_protocol_import_expression_for_parameter):
(ObjCGenerator.objc_protocol_import_expression_for_variable):
(ObjCGenerator.objc_to_protocol_expression_for_member):
(ObjCGenerator.protocol_to_objc_expression_for_member):
(ObjCGenerator.objc_setter_method_for_member):
(ObjCGenerator.objc_setter_method_for_member_internal):
(ObjCGenerator.objc_getter_method_for_member):
(ObjCGenerator.objc_getter_method_for_member_internal):
* inspector/scripts/codegen/generate_objective_c_backend_dispatcher_header.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
(ObjectiveCBackendDispatcherHeaderGenerator):
(ObjectiveCBackendDispatcherHeaderGenerator.output_filename):
(ObjectiveCBackendDispatcherHeaderGenerator.domains_to_generate):
(ObjectiveCBackendDispatcherHeaderGenerator.generate_output):
(ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations):
(ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_forward_declarations_for_domains):
(ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_handler_declarations_for_domain):
(ObjectiveCBackendDispatcherHeaderGenerator._generate_objc_handler_declaration_for_command):
* inspector/scripts/codegen/generate_objective_c_backend_dispatcher_implementation.py: Added.
(ObjectiveCConfigurationImplementationGenerator):
(ObjectiveCConfigurationImplementationGenerator.__init__):
(ObjectiveCConfigurationImplementationGenerator.output_filename):
(ObjectiveCConfigurationImplementationGenerator.domains_to_generate):
(ObjectiveCConfigurationImplementationGenerator.generate_output):
(ObjectiveCConfigurationImplementationGenerator._generate_handler_implementation_for_domain):
(ObjectiveCConfigurationImplementationGenerator._generate_handler_implementation_for_command):
(ObjectiveCConfigurationImplementationGenerator._generate_success_block_for_command):
(ObjectiveCConfigurationImplementationGenerator._generate_conversions_for_command):
(ObjectiveCConfigurationImplementationGenerator._generate_invocation_for_command):
* inspector/scripts/codegen/generate_objective_c_configuration_header.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
(ObjectiveCConfigurationHeaderGenerator):
(ObjectiveCConfigurationHeaderGenerator.output_filename):
(ObjectiveCConfigurationHeaderGenerator.generate_output):
(ObjectiveCConfigurationHeaderGenerator._generate_configuration_interface_for_domains):
(ObjectiveCConfigurationHeaderGenerator._generate_properties_for_domain):
* inspector/scripts/codegen/generate_objective_c_configuration_implementation.py: Added.
(ObjectiveCBackendDispatcherImplementationGenerator):
(ObjectiveCBackendDispatcherImplementationGenerator.__init__):
(ObjectiveCBackendDispatcherImplementationGenerator.output_filename):
(ObjectiveCBackendDispatcherImplementationGenerator.generate_output):
(ObjectiveCBackendDispatcherImplementationGenerator._generate_configuration_implementation_for_domains):
(ObjectiveCBackendDispatcherImplementationGenerator._generate_ivars):
(ObjectiveCBackendDispatcherImplementationGenerator._generate_dealloc):
(ObjectiveCBackendDispatcherImplementationGenerator._generate_handler_setter_for_domain):
(ObjectiveCBackendDispatcherImplementationGenerator._generate_event_dispatcher_getter_for_domain):
* inspector/scripts/codegen/generate_objective_c_conversion_helpers.py: Added.
(add_whitespace_separator):
(ObjectiveCConversionHelpersGenerator):
(ObjectiveCConversionHelpersGenerator.__init__):
(ObjectiveCConversionHelpersGenerator.output_filename):
(ObjectiveCConversionHelpersGenerator.domains_to_generate):
(ObjectiveCConversionHelpersGenerator.generate_output):
(ObjectiveCConversionHelpersGenerator._generate_enum_conversion_functions):
(ObjectiveCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_declaration):
(ObjectiveCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_member):
(ObjectiveCConversionHelpersGenerator._generate_anonymous_enum_conversion_for_parameter):
(ObjectiveCConversionHelpersGenerator._generate_enum_objc_to_protocol_string):
(ObjectiveCConversionHelpersGenerator._generate_enum_from_protocol_string):
* inspector/scripts/codegen/generate_objective_c_frontend_dispatcher_implementation.py: Added.
(ObjectiveCFrontendDispatcherImplementationGenerator):
(ObjectiveCFrontendDispatcherImplementationGenerator.__init__):
(ObjectiveCFrontendDispatcherImplementationGenerator.output_filename):
(ObjectiveCFrontendDispatcherImplementationGenerator.domains_to_generate):
(ObjectiveCFrontendDispatcherImplementationGenerator.generate_output):
(ObjectiveCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
(ObjectiveCFrontendDispatcherImplementationGenerator._generate_event):
(ObjectiveCFrontendDispatcherImplementationGenerator._generate_event_signature):
(ObjectiveCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
* inspector/scripts/codegen/generate_objective_c_header.py: Added.
(add_whitespace_separator):
(ObjectiveCHeaderGenerator):
(ObjectiveCHeaderGenerator.__init__):
(ObjectiveCHeaderGenerator.output_filename):
(ObjectiveCHeaderGenerator.generate_output):
(ObjectiveCHeaderGenerator._generate_forward_declarations):
(ObjectiveCHeaderGenerator._generate_enums):
(ObjectiveCHeaderGenerator._generate_types):
(ObjectiveCHeaderGenerator._generate_anonymous_enum_for_declaration):
(ObjectiveCHeaderGenerator._generate_anonymous_enum_for_member):
(ObjectiveCHeaderGenerator._generate_anonymous_enum_for_parameter):
(ObjectiveCHeaderGenerator._generate_enum):
(ObjectiveCHeaderGenerator._generate_enum.NS_ENUM):
(ObjectiveCHeaderGenerator._generate_type_interface):
(ObjectiveCHeaderGenerator._generate_init_method_for_required_members):
(ObjectiveCHeaderGenerator._generate_member_property):
(ObjectiveCHeaderGenerator._generate_command_protocols):
(ObjectiveCHeaderGenerator._generate_single_command_protocol):
(ObjectiveCHeaderGenerator._callback_block_for_command):
(ObjectiveCHeaderGenerator._generate_event_interfaces):
(ObjectiveCHeaderGenerator._generate_single_event_interface):
* inspector/scripts/codegen/generate_objective_c_internal_header.py: Copied from Source/JavaScriptCore/inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py.
(ObjectiveCTypesInternalHeaderGenerator):
(ObjectiveCTypesInternalHeaderGenerator.output_filename):
(ObjectiveCTypesInternalHeaderGenerator.generate_output):
(ObjectiveCTypesInternalHeaderGenerator._generate_event_dispatcher_private_interfaces):
* inspector/scripts/codegen/generate_objective_c_types_implementation.py: Added.
(add_whitespace_separator):
(ObjectiveCTypesImplementationGenerator):
(ObjectiveCTypesImplementationGenerator.__init__):
(ObjectiveCTypesImplementationGenerator.output_filename):
(ObjectiveCTypesImplementationGenerator.domains_to_generate):
(ObjectiveCTypesImplementationGenerator.generate_output):
(ObjectiveCTypesImplementationGenerator.generate_type_implementations):
33006 (ObjectiveCTypesImplementationGenerator.generate_type_implementation):
33007 (ObjectiveCTypesImplementationGenerator._generate_init_method_for_required_members):
33008 (ObjectiveCTypesImplementationGenerator._generate_setter_for_member):
33009 (ObjectiveCTypesImplementationGenerator._generate_getter_for_member):
33010 * inspector/scripts/codegen/generate_protocol_types_header.py:
33011 (ProtocolTypesHeaderGenerator._generate_forward_declarations):
33012 (_generate_typedefs_for_domain):
33013 (_generate_builders_for_domain):
33014 * inspector/scripts/codegen/generator.py:
33015 (Generator.wrap_with_guard_for_domain):
33016 (Generator):
33017 (Generator.wrap_with_guard):
33018 * inspector/scripts/codegen/generator_templates.py:
33019 (AlternateInspector):
33020 (ObjCInspector):
33021 * inspector/scripts/codegen/models.py:
33022 (Framework.fromString):
33023 (Frameworks):
33024 * inspector/scripts/generate-inspector-protocol-bindings.py:
33025 (generate_from_specification):
33026 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
33027 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
33028 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
33029 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
33030 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
33031 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
33032 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
33033 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
33034 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
33035 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
33036 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
33037 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
33038
2014-10-30  Andreas Kling  <akling@apple.com>

        Unreviewed assertion fix.

        RegExpCachedResult::m_reified is now the dedicated member that knows whether
        the result was reified into an array or not. Check that instead of m_result
        which is now single-purpose.

        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::setInput):

2014-10-29  Andreas Kling  <akling@apple.com>

        Use plain JSArray for RegExp matches instead of a lazily populated custom object.
        <https://webkit.org/b/138191>

        Reviewed by Geoffrey Garen.

        We're already offering two RegExp matching APIs, one that collects subpattern
        matches (exec), and one that simply tests for a match (test).
        Given that, it was pretty overkill to lazily populate the resulting array of
        matches, since the user could simply use test() if they didn't need them.

        This allows the JIT to generate better code for RegExp match arrays, and also
        enables some fast paths in the JSC runtime that check if an object isJSArray().

        Looks like ~1.5% improvement on Octane/regexp according to run-jsc-benchmarks.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/JSArray.h:
        (JSC::createArrayButterflyWithExactLength): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::visitChildren):
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::leftContext):
        (JSC::RegExpCachedResult::rightContext):
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        (JSC::RegExpCachedResult::input):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createRegExpMatchesArray):
        (JSC::RegExpMatchesArray::RegExpMatchesArray): Deleted.
        (JSC::RegExpMatchesArray::create): Deleted.
        (JSC::RegExpMatchesArray::finishCreation): Deleted.
        (JSC::RegExpMatchesArray::visitChildren): Deleted.
        (JSC::RegExpMatchesArray::reifyAllProperties): Deleted.
        (JSC::RegExpMatchesArray::reifyMatchProperty): Deleted.
        (JSC::RegExpMatchesArray::leftContext): Deleted.
        (JSC::RegExpMatchesArray::rightContext): Deleted.
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Deleted.
        (JSC::RegExpMatchesArray::reifyAllPropertiesIfNecessary): Deleted.
        (JSC::RegExpMatchesArray::reifyMatchPropertyIfNecessary): Deleted.
        (JSC::RegExpMatchesArray::getOwnPropertySlot): Deleted.
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex): Deleted.
        (JSC::RegExpMatchesArray::put): Deleted.
        (JSC::RegExpMatchesArray::putByIndex): Deleted.
        (JSC::RegExpMatchesArray::deleteProperty): Deleted.
        (JSC::RegExpMatchesArray::deletePropertyByIndex): Deleted.
        (JSC::RegExpMatchesArray::getOwnPropertyNames): Deleted.
        (JSC::RegExpMatchesArray::defineOwnProperty): Deleted.
        (JSC::isRegExpMatchesArray): Deleted.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):

2014-10-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Fix Type Dependency Issues
        https://bugs.webkit.org/show_bug.cgi?id=125664

        Reviewed by Brian Burg.

        Now that all JSON protocol files are processed together again
        in r174892, we can remove the duplicated types which were only
        needed when the domains were split.

        * inspector/protocol/Console.json:
        * inspector/protocol/Runtime.json:

2014-10-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r175249.
        https://bugs.webkit.org/show_bug.cgi?id=138138

        Appears to be failing some JS tests (Requested by mlam_ on
        #webkit).

        Reverted changeset:

        "Holes are not copied properly when Arrays change shape to
        ArrayStorage type."
        https://bugs.webkit.org/show_bug.cgi?id=138118
        http://trac.webkit.org/changeset/175249

2014-10-27  Mark Lam  <mark.lam@apple.com>

        Holes are not copied properly when Arrays change shape to ArrayStorage type.
        <https://webkit.org/b/138118>

        Reviewed by Mark Hahnenberg.

        When we convert non-ArrayStorage typed arrays into ArrayStorage typed arrays,
        we skipped the holes. As a result, the slots in the ArrayStorage vector that
        correspond to those holes are uninitialized. This is now fixed.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
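
The defect class in the entry above (a shape conversion that skips holes and so leaves destination slots holding whatever the allocator handed out) is illustrated by the following added example. It is a hypothetical model written for this page, not JavaScriptCore's convert*ToArrayStorage code: kHole stands in for JSC's empty JSValue, kUninitializedPattern stands in for arbitrary leftover memory so the bug is observable without undefined behaviour, and the ArrayStorage struct and all function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model (not JSC code) of converting a Contiguous-shaped vector
// into an ArrayStorage-shaped vector. A hole is a slot holding kHole, which
// stands in for JSC's empty JSValue.
constexpr int32_t kHole = INT32_MIN;

// Stands in for whatever bytes a freshly allocated, unzeroed vector contains.
// A real allocation would hold arbitrary data; the fixed pattern only makes
// slots that the conversion never wrote detectable in this model.
constexpr int32_t kUninitializedPattern = 0x41414141;

// Assumed ArrayStorage-like container: a vector of slots that the "allocator"
// hands out without initializing them.
struct ArrayStorage {
    std::vector<int32_t> slots;
    explicit ArrayStorage(size_t vectorLength)
        : slots(vectorLength, kUninitializedPattern) {}
};

// Pre-fix behaviour: copy only the populated slots and skip holes, so the
// destination slot for each hole keeps its allocator contents.
ArrayStorage convertContiguousSkippingHoles(const std::vector<int32_t>& contiguous)
{
    ArrayStorage storage(contiguous.size());
    for (size_t i = 0; i < contiguous.size(); ++i) {
        if (contiguous[i] == kHole)
            continue; // bug: destination slot i is never written
        storage.slots[i] = contiguous[i];
    }
    return storage;
}

// Fixed behaviour: every destination slot is written, and a hole in the
// source becomes an explicit hole in the destination.
ArrayStorage convertContiguousPreservingHoles(const std::vector<int32_t>& contiguous)
{
    ArrayStorage storage(contiguous.size());
    for (size_t i = 0; i < contiguous.size(); ++i)
        storage.slots[i] = contiguous[i]; // kHole is copied through as a hole
    return storage;
}

// Check a regression test would make: how many slots still hold the
// allocator pattern, i.e. were never initialized by the conversion.
size_t countUninitializedSlots(const ArrayStorage& storage)
{
    size_t count = 0;
    for (int32_t v : storage.slots) {
        if (v == kUninitializedPattern)
            ++count;
    }
    return count;
}

// Constructed sample input: [1, <hole>, 3, <hole>, 5]
std::vector<int32_t> sampleWithHoles()
{
    return { 1, kHole, 3, kHole, 5 };
}
```

Running both converters over sampleWithHoles() shows the difference directly: the hole-skipping version leaves two slots holding the allocator pattern, while the hole-preserving version leaves none and reports kHole at indices 1 and 3.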
33160
2014-10-27  Mark Lam  <mark.lam@apple.com>

        Crash when attempting to perform array iteration on a non-array with numeric keys not initialized.
        <https://webkit.org/b/137814>

        Reviewed by Geoffrey Garen.

        The arrayIteratorNextThunkGenerator() thunk was not checking for the case where
        the butterfly may be NULL. This was the source of the crash, and is now fixed.

        In addition, it is also not checking for the case where a property named "length"
        may have been set on the iterated object. The thunk only checks the butterfly's
        publicLength for its iteration operation. Array objects will work fine with this
        because it always updates its butterfly's publicLength when its length changes.
        In the case of iterable non-Array objects, the "length" property will require a
        look up outside of the scope of this thunk. The fix is simply to limit the fast
        case checks in this thunk to Array objects.

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):

2014-10-27  Mark Lam  <mark.lam@apple.com>

        Simplified some JSObject methods for converting arrays to ArrayStorage shape.
        <https://webkit.org/b/138119>

        Reviewed by Filip Pizlo.

        Currently, for each Undecided, Int32, Double, and Contiguous array shapes,
        there are 3 JSObject methods to convert them to ArrayStorage shape:
            ArrayStorage* convert<shape>ToArrayStorage(VM&, NonPropertyTransition, unsigned neededLength);
            ArrayStorage* convert<shape>ToArrayStorage(VM&, NonPropertyTransition);
            ArrayStorage* convert<shape>ToArrayStorage(VM&);

        However, the neededLength that is passed is always m_butterfly->vectorLength().
        Hence, the method that takes a neededLength is really not needed. This patch
        removes this unneeded verbosity.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        - Also reordered the placement of the DeferGC statement so this Int32 function
          will look more similar to the others.
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        * runtime/JSObject.h:

2014-10-25  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: timelines should not count time elapsed while paused in the debugger
        https://bugs.webkit.org/show_bug.cgi?id=136351

        Unreviewed, follow-up fix after r175203. The debugger agent should not assume
        that the inspector environment's stopwatch has already been started.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didPause): Check if the stopwatch isActive() before stopping.

2014-10-18  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: timelines should not count time elapsed while paused in the debugger
        https://bugs.webkit.org/show_bug.cgi?id=136351

        Reviewed by Timothy Hatcher.

        Now that we have a stopwatch to provide pause-aware timing data, we can remove the
        profiler's handling of debugger pause/continue callbacks. The debugger agent accounts
        for suspended execution by pausing and resuming the stopwatch.

        * API/JSProfilerPrivate.cpp:
        (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API.
        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::executionStopwatch):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        (Inspector::InspectorDebuggerAgent::didContinue):
        * inspector/agents/InspectorDebuggerAgent.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::profiler): Use nullptr.
        (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator.
        (JSC::LegacyProfiler::stopProfiling): Use nullptr.
        (JSC::LegacyProfiler::didPause): Deleted.
        (JSC::LegacyProfiler::didContinue): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/Profile.cpp: The root node should always have a start time of 0.0.
        (JSC::Profile::Profile):
        * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the
        timestamp member that was used to track time elapsed by the debugger. Just use the
        stopwatch's elapsed times to generate start/elapsed times for function calls.

        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::operator()): The parent node of |console.profile|
        should have a start time of 0.0, since it represents the starting node of profiling.

        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileGenerator.h:

2014-10-24  Mark Lam  <mark.lam@apple.com>

        Simplified IndexingType's hasAnyArrayStorage().
        <https://webkit.org/b/138051>

        Reviewed by Michael Saboff.

        IndexingType's hasAnyArrayStorage() currently does subtraction of ArrayStorageShape
        with the purpose of making non-ArrayStorage types underflow (with that subtraction)
        and have a result that exceeds SlowPutArrayStorageShape. What it is doing is
        basically checking for a shape value that is greater than or equal to ArrayStorageShape.
        We can just simplify the code as such.

        Also added a comment to describe the structure of the bits in IndexingType.

        * runtime/IndexingType.h:
        (JSC::hasAnyArrayStorage):

2014-10-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide a way to have alternate inspector agents
        https://bugs.webkit.org/show_bug.cgi?id=137901

        Reviewed by Brian Burg.

        Provide a way to use alternate inspector agents debugging a JSContext.
        Expose a very slim private API that a client could use to know when
        an inspector has connected/disconnected, and a way to register its
        augmentative agents.

        * Configurations/FeatureDefines.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        New feature guard. New files.

        * API/JSContextRef.cpp:
        (JSGlobalContextGetAugmentableInspectorController):
        * API/JSContextRefInspectorSupport.h: Added.
        Access to the private interface from a JSContext.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/augmentable/AugmentableInspectorController.h: Added.
        (Inspector::AugmentableInspectorController::~AugmentableInspectorController):
        (Inspector::AugmentableInspectorController::connected):
        * inspector/augmentable/AugmentableInspectorControllerClient.h: Added.
        (Inspector::AugmentableInspectorControllerClient::~AugmentableInspectorControllerClient):
        * inspector/augmentable/AlternateDispatchableAgent.h: Added.
        (Inspector::AlternateDispatchableAgent::AlternateDispatchableAgent):
        Provide the private APIs a client could use to add alternate agents using alternate backend dispatchers.

        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        New includes, and use the new generator.

        * inspector/scripts/codegen/generate_alternate_backend_dispatcher_header.py: Added.
        (AlternateBackendDispatcherHeaderGenerator):
        (AlternateBackendDispatcherHeaderGenerator.__init__):
        (AlternateBackendDispatcherHeaderGenerator.output_filename):
        (AlternateBackendDispatcherHeaderGenerator.generate_output):
        (AlternateBackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        (AlternateBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        Generate the abstract AlternateInspectorBackendDispatcher interfaces.

        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator.generate_output):
        (BackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains):
        (BackendDispatcherHeaderGenerator._generate_alternate_handler_forward_declarations_for_domains.AlternateInspector):
        Forward declare alternate dispatchers, and allow setting an alternate dispatcher on a domain dispatcher.

        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator.generate_output):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        Check for and dispatch on an AlternateInspectorBackendDispatcher if there is one for this domain.

        * inspector/scripts/codegen/generator_templates.py:
        (AlternateInspectorBackendDispatcher):
        (AlternateInspector):
        Template boilerplate for prelude and postlude.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        Rebaseline tests.

2014-10-23  Michael Saboff  <msaboff@apple.com>

        offsets.rb:183:in `buildOffsetsMap': unhandled exception - is offlineasm dependency tracking broken? (132668)
        https://bugs.webkit.org/show_bug.cgi?id=138017

        Reviewed by Mark Lam.

        Removed from the input file $(SRCROOT)/llint/LowLevelAssembler.asm and output file
        $(BUILT_PRODUCTS_DIR)/LLIntOffsets/LLIntDesiredOffsets.h from the Generate Derived Sources
        build phase in the LLInt Offset target. There is no need for Xcode to do any dependency
        checking with these files as the ruby script offlineasm/generate_offset_extractor.rb will
        do that for us.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-10-23  Michael Saboff  <msaboff@apple.com>

        Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope
        https://bugs.webkit.org/show_bug.cgi?id=136901

        Reviewed by Mark Lam.

        Implement ExecState::lexicalGlobalObject() using Callee.

        * runtime/JSScope.h:
        (JSC::ExecState::lexicalGlobalObject):

2014-10-22  Milan Crha  <mcrha@redhat.com>

        Prefix isnan() with std::.
        <https://webkit.org/b/137966>.

        Reviewed by Carlos Garcia Campos.

        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::setElapsedTime):

2014-10-22  Mark Lam  <mark.lam@apple.com>

        Refactoring to simplify some code in DatePrototype.cpp.
        <https://webkit.org/b/137997>

        Reviewed by Filip Pizlo.

        A bunch of functions in DatePrototype.cpp have the pattern of loading a
        constant into a local variable only to pass it to a callee function
        immediately after. There is no other use for that variable. This adds
        additional verbosity with no added benefit.

        This patch refactors those functions to just pass the constant arg directly.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncSetMilliSeconds):
        (JSC::dateProtoFuncSetUTCMilliseconds):
        (JSC::dateProtoFuncSetSeconds):
        (JSC::dateProtoFuncSetUTCSeconds):
        (JSC::dateProtoFuncSetMinutes):
        (JSC::dateProtoFuncSetUTCMinutes):
        (JSC::dateProtoFuncSetHours):
        (JSC::dateProtoFuncSetUTCHours):
        (JSC::dateProtoFuncSetDate):
        (JSC::dateProtoFuncSetUTCDate):
        (JSC::dateProtoFuncSetMonth):
        (JSC::dateProtoFuncSetUTCMonth):
        (JSC::dateProtoFuncSetFullYear):
        (JSC::dateProtoFuncSetUTCFullYear):

2014-10-22  Byungseon Shin  <sun.shin@lge.com>

        String(new Date(Mar 30 2014 01:00:00)) is wrong in CET
        https://bugs.webkit.org/show_bug.cgi?id=130967

        Reviewed by Mark Lam.

        By definition of calculateLocalTimeOffset, input time should be UTC time.
        But there are many cases when input time is based on local time.
        So, it gives erroneous results while calculating offset of DST boundary time.
        By adding an argument to distinguish UTC and local time, we can get the correct offset.

        * JavaScriptCore.order:
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::callDate):
        (JSC::dateUTC):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::calculateGregorianDateTime):
        (JSC::DateInstance::calculateGregorianDateTimeUTC):
        * runtime/DatePrototype.cpp:
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetMilliSeconds):
        (JSC::dateProtoFuncSetUTCMilliseconds):
        (JSC::dateProtoFuncSetSeconds):
        (JSC::dateProtoFuncSetUTCSeconds):
        (JSC::dateProtoFuncSetMinutes):
        (JSC::dateProtoFuncSetUTCMinutes):
        (JSC::dateProtoFuncSetHours):
        (JSC::dateProtoFuncSetUTCHours):
        (JSC::dateProtoFuncSetDate):
        (JSC::dateProtoFuncSetUTCDate):
        (JSC::dateProtoFuncSetMonth):
        (JSC::dateProtoFuncSetUTCMonth):
        (JSC::dateProtoFuncSetFullYear):
        (JSC::dateProtoFuncSetUTCFullYear):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSDateMath.cpp:
        (JSC::localTimeOffset):
        (JSC::gregorianDateTimeToMS):
        (JSC::msToGregorianDateTime):
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/JSDateMath.h:
        * runtime/VM.h:
        (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache):
        (JSC::LocalTimeOffsetCache::reset):
        Passing TimeType argument to distinguish UTC time and local time.

2014-10-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Fix generator importing of protocol type "any", treat as value
        https://bugs.webkit.org/show_bug.cgi?id=137931

        Reviewed by Timothy Hatcher.

        Treat incoming "any" objects as InspectorValues, which can be any type.
        Add the necessary boilerplate to import.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::AsMethodBridges::asValue):
        (Inspector::InspectorBackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/scripts/codegen/generator.py:
        (Generator.keyed_get_method_for_type):
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:

2014-10-22  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r174996): Broke C_LOOP
        https://bugs.webkit.org/show_bug.cgi?id=137971

        Reviewed by Mark Lam.

        Removed incorrect move to cfr (CallFrameRegister) before we make the call to a native function.
        After r174996, the source register for the move contained garbage causing the crash. The move
        to cfr before making the call to the native function is wrong and should have been removed
        some time ago. This brings the ARM64 / C_LOOP code path inline with the other CPU paths.
        Tested on ARM64 as well as a C_LOOP build.

        * llint/LowLevelInterpreter64.asm:

2014-10-21  Mark Lam  <mark.lam@apple.com>

        Remove erroneous canUseJIT() in the intrinsics version of JITThunks::hostFunctionStub().
        <https://webkit.org/b/137937>

        Reviewed by Michael Saboff.

        This version of JITThunks::hostFunctionStub() can only be called from the intrinsics
        version of VM::getHostFunction() which asserts canUseJIT(). Hence, we can eliminate
        the canUseJIT() check in JITThunks::hostFunctionStub(). We don't handle the
        !canUseJIT() case properly there anyway.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):

2014-10-21  Michael Saboff  <msaboff@apple.com>

        Add operator==(PropertyName, const char*)
        https://bugs.webkit.org/show_bug.cgi?id=137925

        Reviewed by Mark Lam.

        * runtime/PropertyName.h:
        (JSC::operator==): Added to simplify comparison with string literals.

2014-10-21  Michael Saboff  <msaboff@apple.com>

        Change native call frames to use the scope from their Callee instead of their caller's scope
        https://bugs.webkit.org/show_bug.cgi?id=137907

        Reviewed by Mark Lam.

        Changed setting of scope for native CallFrames to use the scope associated with the
        Callee instead of the caller's scope.

        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-10-21  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(FTL_NATIVE_CALL_INLINING) guard to BundlePath.cpp after r174940
        https://bugs.webkit.org/show_bug.cgi?id=137924

        Reviewed by Csaba Osztrogonác.

        * runtime/BundlePath.cpp:

2014-10-21  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix FTL Native Inlining for EFL
        https://bugs.webkit.org/show_bug.cgi?id=137774

        Reviewed by Michael Saboff.

        Added required functionality for Native Inlining to EFL, and fixed a bug/typo in the original code,
        which caused incorrect memory allocation.

        * CMakeLists.txt:
        * create-llvm-ir-from-source-file.py: Added.
        * create-symbol-table-index.py: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        * runtime/BundlePath.cpp: Added.
        (JSC::bundlePath):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/MathObject.cpp:

2014-10-21  Milan Crha  <mcrha@redhat.com>

        Move JSC::MacroAssemblerX86Common::s_sse2CheckState definition to MacroAssemblerX86Common.cpp.
        <https://webkit.org/b/137807>

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerX86Common.cpp:
        * jit/JIT.cpp:

2014-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed, add back copyright line that was accidentally removed.

        * inspector/scripts/codegen/generator_templates.py:
        (GeneratorTemplates):

2014-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: InspectorBackendCommands should include when to activate particular domains
        https://bugs.webkit.org/show_bug.cgi?id=137753

        Reviewed by Timothy Hatcher.

        Add an availability property to domains that only activate for
        particular debuggable types. If missing, the domain is always
        activated. Otherwise it must be a debuggable type string.
        When a frontend is opened for that debuggable type, the domain
        will be activated.

        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domains):
        Parse and validate the Domain's "availability" property.

        * inspector/scripts/codegen/generate_backend_commands.py:
        (BackendCommandsGenerator.generate_domain):
        Emit InspectorBackend.activateDomain with debuggable type filter.

        * inspector/protocol/ApplicationCache.json:
        * inspector/protocol/CSS.json:
        * inspector/protocol/DOM.json:
        * inspector/protocol/DOMDebugger.json:
        * inspector/protocol/DOMStorage.json:
        * inspector/protocol/Database.json:
        * inspector/protocol/IndexedDB.json:
        * inspector/protocol/LayerTree.json:
        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        * inspector/protocol/Replay.json:
        * inspector/protocol/Timeline.json:
        * inspector/protocol/Worker.json:
        These domains only activate for Web debuggables.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        Update existing tests that now have activate output.

        * inspector/scripts/tests/expected/fail-on-domain-availability.json-error: Added.
        * inspector/scripts/tests/fail-on-domain-availability.json: Added.
        Add a test for "availability" validation.

2014-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        [Win] Build fix for generated inspector files.

        Rubberstamped by Brent Fulgham.

        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generator_templates.py:
        (GeneratorTemplates):

2014-10-20  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        We need to (1) pass the 'windows' argument to our script for checking feature definitions,
        and (2) we must use Cwd::realpath on our path input arguments to avoid Cygwin and Windows
        getting confused about path separators versus escape characters.

        * JavaScriptCore.vcxproj/build-generated-files.pl:

2014-10-20  Mark Lam  <mark.lam@apple.com>

        [Follow up] Web Process crash when starting the web inspector after r174025.
        <https://webkit.org/b/137340>

        Reviewed by Geoffrey Garen.

        Applied Geoff's feedback to clean up some code for better clarity after
        r174856.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::insertCheck):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertOutOfOrder):

2014-10-20  Mark Lam  <mark.lam@apple.com>

        Factor out JITCode::typeName() for debugging use.
        <https://webkit.org/b/137888>

        Reviewed by Geoffrey Garen.

        JITCode's printInternal() currently decodes the JITType into a string and
        prints it. This change factors out the part that decodes the JITType into
        JITCode::typeName() so that we can call it from lldb while debugging to
        quickly decode a JITType value.

        * jit/JITCode.cpp:
        (JSC::JITCode::typeName):
        (WTF::printInternal):
        * jit/JITCode.h:

2014-10-20  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed Windows Build Fix #2 after r174892.

        * JavaScriptCore.vcxproj/build-generated-files.pl:
        Define FEATURE_DEFINES for JavaScriptCore's DerivedSources.make.
        This uses the same technique as WebCore.

2014-10-20  Mark Lam  <mark.lam@apple.com>

        Fix placement of a few items in vcxproj ItemGroups.
        <https://webkit.org/b/137886>

        Reviewed by Geoffrey Garen.

        https://webkit.org/b/137873 is likely a cut-and-paste error that manifested
33726 because we had ClCompile and ClInclude entries mixed up in the wrong ItemGroups.
33727 We should fix these so that ClCompile entries are in the ClCompile ItemGroup,
33728 and ClInclude entries in the ClInclude ItemGroup. This will help reduce the
33729 chance of future cut-and-paste errors of this nature.
33730
33731 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
33732 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
33733
337342014-10-20 Joseph Pecoraro <pecoraro@apple.com>
33735
33736 Unreviewed Windows Build Fix after r174892.
33737
33738 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
33739 Update file name to the new generated file name.
33740
337412014-10-20 Joseph Pecoraro <pecoraro@apple.com>
33742
33743 Web Inspector: Rename generated Inspector.json to CombinedDomains.json to prevent name collisions
33744 https://bugs.webkit.org/show_bug.cgi?id=137825
33745
33746 Reviewed by Timothy Hatcher.
33747
33748 * CMakeLists.txt:
33749 * DerivedSources.make:
33750 * JavaScriptCore.vcxproj/copy-files.cmd:
33751 * JavaScriptCore.xcodeproj/project.pbxproj:
33752 * inspector/protocol/Inspector.json: Renamed from Source/JavaScriptCore/inspector/protocol/InspectorDomain.json.
33753
337542014-10-20 Joseph Pecoraro <pecoraro@apple.com>
33755
33756 Web Inspector: Generate all Inspector domains together in JavaScriptCore
33757 https://bugs.webkit.org/show_bug.cgi?id=137748
33758
33759 Reviewed by Brian Burg.
33760
33761 * inspector/protocol/ApplicationCache.json: Renamed from Source/WebCore/inspector/protocol/ApplicationCache.json.
33762 * inspector/protocol/CSS.json: Renamed from Source/WebCore/inspector/protocol/CSS.json.
33763 * inspector/protocol/DOM.json: Renamed from Source/WebCore/inspector/protocol/DOM.json.
33764 * inspector/protocol/DOMDebugger.json: Renamed from Source/WebCore/inspector/protocol/DOMDebugger.json.
33765 * inspector/protocol/DOMStorage.json: Renamed from Source/WebCore/inspector/protocol/DOMStorage.json.
33766 * inspector/protocol/Database.json: Renamed from Source/WebCore/inspector/protocol/Database.json.
33767 * inspector/protocol/IndexedDB.json: Renamed from Source/WebCore/inspector/protocol/IndexedDB.json.
33768 * inspector/protocol/LayerTree.json: Renamed from Source/WebCore/inspector/protocol/LayerTree.json.
33769 * inspector/protocol/Network.json: Renamed from Source/WebCore/inspector/protocol/Network.json.
33770 * inspector/protocol/Page.json: Renamed from Source/WebCore/inspector/protocol/Page.json.
33771 * inspector/protocol/Replay.json: Renamed from Source/WebCore/inspector/protocol/Replay.json.
33772 * inspector/protocol/Timeline.json: Renamed from Source/WebCore/inspector/protocol/Timeline.json.
33773 * inspector/protocol/Worker.json: Renamed from Source/WebCore/inspector/protocol/Worker.json.
33774 Move all protocol files into this directory.
33775
33776 * inspector/InspectorProtocolTypesBase.h: Renamed from Source/JavaScriptCore/inspector/InspectorProtocolTypes.h.
33777 Renamed the base types file to not clash with the generated types file.
33778
33779 * CMakeLists.txt:
33780 * DerivedSources.make:
33781 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
33782 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
33783 * JavaScriptCore.vcxproj/copy-files.cmd:
33784 * JavaScriptCore.xcodeproj/project.pbxproj:
33785 Update build phases for new JSON files and new filenames.
33786
33787 * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
33788 * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
33789 * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
33790 * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
33791 * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
33792 * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
33793 * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
33794 * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
33795 * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
33796 * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
33797 * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
33798 * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
33799 Updated names of things now that prefixes are no longer needed.
33800
33801 * inspector/ConsoleMessage.h:
33802 * inspector/ContentSearchUtilities.cpp:
33803 * inspector/ContentSearchUtilities.h:
33804 * inspector/InjectedScript.h:
33805 * inspector/InjectedScriptBase.h:
33806 * inspector/ScriptCallFrame.h:
33807 * inspector/ScriptCallStack.h:
33808 * inspector/agents/InspectorAgent.h:
33809 * inspector/agents/InspectorConsoleAgent.h:
33810 * inspector/agents/InspectorDebuggerAgent.cpp:
33811 (Inspector::breakpointActionTypeForString):
33812 * inspector/agents/InspectorDebuggerAgent.h:
33813 * inspector/agents/InspectorRuntimeAgent.h:
33814 * runtime/TypeProfiler.cpp:
33815 * runtime/TypeSet.cpp:
33816 Update includes and update a few function names that are generated.
33817
33818 * inspector/scripts/codegen/generate_protocol_types_header.py:
33819 (ProtocolTypesHeaderGenerator.output_filename):
33820 (ProtocolTypesHeaderGenerator.generate_output):
33821 Include an export macro for type string constants defined in the implementation file.
33822
33823 * inspector/scripts/codegen/generate_backend_commands.py:
33824 (BackendCommandsGenerator.output_filename):
33825 * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
33826 (BackendDispatcherHeaderGenerator.output_filename):
33827 (BackendDispatcherHeaderGenerator.generate_output):
33828 * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
33829 (BackendDispatcherImplementationGenerator.output_filename):
33830 (BackendDispatcherImplementationGenerator.generate_output):
33831 (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
33832 (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
33833 * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
33834 (FrontendDispatcherHeaderGenerator.output_filename):
33835 (FrontendDispatcherHeaderGenerator.generate_output):
33836 * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
33837 (FrontendDispatcherImplementationGenerator.output_filename):
33838 (FrontendDispatcherImplementationGenerator.generate_output):
33839 (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
33840 (_generate_class_for_object_declaration):
33841 (_generate_builder_setter_for_member):
33842 (_generate_unchecked_setter_for_member):
33843 * inspector/scripts/codegen/generate_protocol_types_implementation.py:
33844 (ProtocolTypesImplementationGenerator.output_filename):
33845 (ProtocolTypesImplementationGenerator.generate_output):
33846 (ProtocolTypesImplementationGenerator._generate_enum_mapping):
33847 * inspector/scripts/codegen/models.py:
33848 (Framework.fromString):
33849 (Frameworks):
33850 * inspector/scripts/generate-inspector-protocol-bindings.py:
33851 Simplify generator now that prefixes are no longer needed. This updates
33852 filenames, includes, and the list of supported directories.
33853
338542014-10-20 Csaba Osztrogonác <ossy@webkit.org>
33855
33856 Remove obsolete comments after r99798
33857 https://bugs.webkit.org/show_bug.cgi?id=137871
33858
33859 Reviewed by Darin Adler.
33860
33861 r99798 removed the comment in MacroAssemblerARMv7::supportsFloatingPointTruncate(),
33862 so we should remove the stale references to this removed comment.
33863
33864 * assembler/MacroAssemblerX86.h:
33865 * assembler/MacroAssemblerX86_64.h:
33866
338672014-10-20 Csaba Osztrogonác <ossy@webkit.org>
33868
33869 MacroAssemblerX86Common.cpp should be built on Windows too
33870 https://bugs.webkit.org/show_bug.cgi?id=137873
33871
33872 Reviewed by Brent Fulgham.
33873
33874 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
33875 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
33876
338772014-10-20 Csaba Osztrogonác <ossy@webkit.org>
33878
33879 [cmake] Remove duplicated source files
33880 https://bugs.webkit.org/show_bug.cgi?id=137875
33881
33882 Reviewed by Gyuyoung Kim.
33883
33884 * CMakeLists.txt:
33885
338862014-10-18 Brian J. Burg <burg@cs.washington.edu>
33887
33888 Web Replay: code generator shouldn't complain about enums without a storage type if they are in an enclosing scope
33889 https://bugs.webkit.org/show_bug.cgi?id=137084
33890
33891 Reviewed by Joseph Pecoraro.
33892
33893 In order to generate encode/decode method declarations without pulling in lots of headers,
33894 the generator must forward declare enums (for enum classes or enums with explicit sizes).
33895
33896 Change the generator to not require an explicit size if an enum is declared inside a struct
33897 or class definition. In that case, it must pull in headers since scoped enums can't be
33898 forward declared.
33899
33900 This patch also fixes some chained if-statements that should be if-else statements.
33901
33902 Test: updated replay/scripts/tests/generate-enum-encoding-helpers.json to cover the new case.
33903
33904 * replay/scripts/CodeGeneratorReplayInputs.py:
33905 (InputsModel.parse_type_with_framework_name.is):
33906 (InputsModel.parse_type_with_framework_name.is.must):
33907 (Generator.generate_enum_trait_implementation):
33908 (InputsModel.parse_type_with_framework_name): Deleted.
33909 * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
33910 * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error:
33911 * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
33912 (JSC::EncodingTraits<WebCore::MouseButton>::decodeValue):
33913 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
33914 (JSC::EncodingTraits<WebCore::MouseButton>::decodeValue):
33915 (JSC::EncodingTraits<WebCore::PlatformEvent::Type>::encodeValue):
33916 (JSC::EncodingTraits<WebCore::PlatformEvent::Type>::decodeValue):
33917 * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
33918 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
33919 (JSC::EncodingTraits<WebCore::FormData1::Type>::decodeValue):
33920 (JSC::EncodingTraits<PlatformEvent1::Type>::decodeValue):
33921 * replay/scripts/tests/generate-enum-encoding-helpers.json: Added a new input to cover this case.
33922
339232014-10-17 Mark Lam <mark.lam@apple.com>
33924
33925 Web Process crash when starting the web inspector after r174025.
33926 <https://webkit.org/b/137340>
33927
33928 Reviewed by Filip Pizlo.
33929
33930 After r174025, we can generate a bad graph in the DFG fixup phase like so:
33931
33932 102:<!0:-> StoreBarrier(Check:KnownCell:@19, ..., bc#44)
33933 60:<!0:-> PutStructure(Check:KnownCell:@19, ..., bc#44)
33934 103:<!0:-> Check(Check:NotCell:@54, ..., bc#44)
33935 // ^-- PutByOffset's StoreBarrier has been elided and replaced
33936 // with a speculation check which can OSR exit.
33937 61:<!0:-> PutByOffset(Check:KnownCell:@19, ..., bc#44)
33938
33939 As a result, the structure change will get executed even if we end up OSR
33940 exiting before the PutByOffset. In the baseline JIT code, the structure now
33941 erroneously tells the put operation that there is a value in that property
33942 slot when it is actually uninitialized (hence, the crash).
33943
33944 The fix is to insert the Check at the earliest point possible:
33945
33946 1. If the checked node is in the same bytecode as the PutByOffset, then
33947 the earliest point where we can insert the Check is right after the
33948 checked node.
33949
33950 2. If the checked node is from a preceding bytecode (before the PutByOffset),
33951 then the earliest point where we can insert the Check is at the start
33952 of the current bytecode.
33953
33954 Also reverted the workaround from r174749: https://webkit.org/b/137758.
33955
33956 Benchmark results appear to be a wash on aggregate.
33957
33958 * dfg/DFGFixupPhase.cpp:
33959 (JSC::DFG::FixupPhase::indexOfNode):
33960 (JSC::DFG::FixupPhase::indexOfFirstNodeOfExitOrigin):
33961 (JSC::DFG::FixupPhase::fixupNode):
33962 (JSC::DFG::FixupPhase::insertCheck):
33963 * dfg/DFGInsertionSet.h:
33964 (JSC::DFG::InsertionSet::insertOutOfOrder):
33965 (JSC::DFG::InsertionSet::insertOutOfOrderNode):
33966
339672014-10-10 Oliver Hunt <oliver@apple.com>
33968
33969 Various arguments optimisations in codegen fail to account for arguments being in lexical record
33970 https://bugs.webkit.org/show_bug.cgi?id=137617
33971
33972 Reviewed by Michael Saboff.
33973
33974 Rework the way we track |arguments| references so that we don't try
33975 to use the |arguments| reference on the stack if it's not safe.
33976
33977 To do this without nuking performance it was necessary to update
33978 the parser to track modification of the |arguments| reference
33979 itself.
33980
33981 * bytecode/CodeBlock.cpp:
33982 * bytecompiler/BytecodeGenerator.cpp:
33983 (JSC::BytecodeGenerator::BytecodeGenerator):
33984 (JSC::BytecodeGenerator::willResolveToArguments):
33985 (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
33986 (JSC::BytecodeGenerator::emitCall):
33987 (JSC::BytecodeGenerator::emitConstruct):
33988 (JSC::BytecodeGenerator::emitEnumeration):
33989 (JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
33990 * bytecompiler/BytecodeGenerator.h:
33991 (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
33992 * bytecompiler/NodesCodegen.cpp:
33993 (JSC::BracketAccessorNode::emitBytecode):
33994 (JSC::DotAccessorNode::emitBytecode):
33995 (JSC::getArgumentByVal):
33996 (JSC::CallFunctionCallDotNode::emitBytecode):
33997 (JSC::ApplyFunctionCallDotNode::emitBytecode):
33998 (JSC::ArrayPatternNode::emitDirectBinding):
33999 * interpreter/StackVisitor.cpp:
34000 (JSC::StackVisitor::Frame::existingArguments):
34001 * parser/Nodes.h:
34002 (JSC::ScopeNode::modifiesArguments):
34003 * parser/Parser.cpp:
34004 (JSC::Parser<LexerType>::parseInner):
34005 * parser/Parser.h:
34006 (JSC::Scope::getCapturedVariables):
34007 * parser/ParserModes.h:
34008
340092014-10-17 Gyuyoung Kim <gyuyoung.kim@samsung.com>
34010
34011 Use WTF::move() instead of std::move() to help ensure move semantics in JavaScriptCore
34012 https://bugs.webkit.org/show_bug.cgi?id=137809
34013
34014 Reviewed by Csaba Osztrogonác.
34015
34016 Substitution of WTF::move() for std::move(). Clean up std::move() in JavaScriptCore.
34017
34018 * bytecode/GetByIdStatus.cpp:
34019 (JSC::GetByIdStatus::computeForStubInfo):
34020 * bytecode/PutByIdStatus.cpp:
34021 (JSC::PutByIdStatus::computeForStubInfo):
34022 * bytecode/PutByIdVariant.cpp:
34023 (JSC::PutByIdVariant::setter):
34024
340252014-10-15 Oliver Hunt <oliver@apple.com>
34026
34027 Use a single allocation for the Arguments object
34028 https://bugs.webkit.org/show_bug.cgi?id=137751
34029
34030 Reviewed by Filip Pizlo.
34031
34032 This patch removes the secondary allocation for parameters in the Arguments
34033 object. This is fairly simple, but we needed to make it possible for the JIT
34034 to allocate a variable GC object. To do this I've added a new
34035 emitAllocateVariableSizedJSObject function to the JIT that does the work to
34036 find the correct heap for a variable sized allocation and then bump that
34037 allocator.
34038
34039 * dfg/DFGSpeculativeJIT.cpp:
34040 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
34041 * dfg/DFGSpeculativeJIT.h:
34042 (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
34043 * heap/CopyToken.h:
34044 * heap/Heap.h:
34045 (JSC::Heap::subspaceForObjectWithoutDestructor):
34046 (JSC::Heap::subspaceForObjectNormalDestructor):
34047 (JSC::Heap::subspaceForObjectsWithImmortalStructure):
34048 * heap/MarkedSpace.h:
34049 (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor):
34050 (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure):
34051 (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
34052 * interpreter/StackVisitor.cpp:
34053 (JSC::StackVisitor::Frame::createArguments):
34054 * runtime/Arguments.cpp:
34055 (JSC::Arguments::visitChildren):
34056 (JSC::Arguments::copyBackingStore):
34057 (JSC::Arguments::tearOff):
34058 (JSC::Arguments::allocateRegisterArray): Deleted.
34059 * runtime/Arguments.h:
34060 (JSC::Arguments::create):
34061 (JSC::Arguments::isTornOff):
34062 (JSC::Arguments::offsetOfRegisterArray):
34063 (JSC::Arguments::registerArraySizeInBytes):
34064 (JSC::Arguments::registerArray):
34065 (JSC::Arguments::allocationSize): Deleted.
34066
340672014-10-15 Filip Pizlo <fpizlo@apple.com>
34068
34069 Apparently we've had a hole in arguments capture all along
34070 https://bugs.webkit.org/show_bug.cgi?id=137767
34071
34072 Reviewed by Oliver Hunt.
34073
34074 * dfg/DFGByteCodeParser.cpp:
34075 (JSC::DFG::ByteCodeParser::getArgument):
34076 * tests/stress/arguments-captured.js: Added.
34077 (foo):
34078 (bar):
34079
340802014-10-16 Saam Barati <saambarati1@gmail.com>
34081
34082 Have the ProfileType node in the DFG convert to a structure check where it can
34083 https://bugs.webkit.org/show_bug.cgi?id=137596
34084
34085 Reviewed by Filip Pizlo.
34086
34087 TypeSet now keeps track of the live set of Structures it has seen.
34088 It no longer nukes everything during GC. It now only removes unmarked
34089 structures during GC. This modification allows the ProfileType node
34090 to convert into a CheckStructure node safely in the DFG.
34091
34092 This change brings up the conversion rate from ProfileType to Check
34093 or CheckStructure from ~45% to ~65%. This change also speeds the
34094 type profiler up significantly: consistently between 2x-20x faster.
34095
34096 This patch also does some slight refactoring: a few type profiler
34097 related fields are moved from VM to TypeProfiler.
34098
34099 * bytecode/CodeBlock.cpp:
34100 (JSC::CodeBlock::CodeBlock):
34101 * dfg/DFGFixupPhase.cpp:
34102 (JSC::DFG::FixupPhase::fixupNode):
34103 * dfg/DFGNode.h:
34104 (JSC::DFG::Node::convertToCheckStructure):
34105 * heap/Heap.cpp:
34106 (JSC::Heap::collect):
34107 * runtime/SymbolTable.cpp:
34108 (JSC::SymbolTable::uniqueIDForVariable):
34109 * runtime/SymbolTable.h:
34110 * runtime/TypeLocationCache.cpp:
34111 (JSC::TypeLocationCache::getTypeLocation):
34112 * runtime/TypeProfiler.cpp:
34113 (JSC::TypeProfiler::TypeProfiler):
34114 (JSC::TypeProfiler::nextTypeLocation):
34115 (JSC::TypeProfiler::invalidateTypeSetCache):
34116 (JSC::TypeProfiler::dumpTypeProfilerData):
34117 * runtime/TypeProfiler.h:
34118 (JSC::TypeProfiler::getNextUniqueVariableID):
34119 * runtime/TypeProfilerLog.cpp:
34120 (JSC::TypeProfilerLog::processLogEntries):
34121 * runtime/TypeSet.cpp:
34122 (JSC::TypeSet::addTypeInformation):
34123 (JSC::TypeSet::invalidateCache):
34124 * runtime/TypeSet.h:
34125 (JSC::TypeSet::structureSet):
34126 * runtime/VM.cpp:
34127 (JSC::VM::VM):
34128 (JSC::VM::enableTypeProfiler):
34129 (JSC::VM::disableTypeProfiler):
34130 (JSC::VM::dumpTypeProfilerData):
34131 (JSC::VM::nextTypeLocation): Deleted.
34132 (JSC::VM::invalidateTypeSetCache): Deleted.
34133 * runtime/VM.h:
34134 (JSC::VM::typeProfiler):
34135 (JSC::VM::getNextUniqueVariableID): Deleted.
34136 * tests/typeProfiler/dfg-jit-optimizations.js:
34137
341382014-10-16 Adrien Destugues <pulkomandy@gmail.com>
34139
34140 Use isnan from std namespace in ProfileGenerator.cpp
34141 https://bugs.webkit.org/show_bug.cgi?id=137653
34142
34143 Reviewed by Darin Adler.
34144
34145 The C++ isnan() function is in the std namespace. The unprefixed isnan
34146 may be available because of C99 headers leakage in C++, but should not
34147 be used.
34148
34149 No new tests: no functional change, build fix on platforms which don't
34150 export C99 functions in C++.
34151
34152 * profiler/ProfileGenerator.cpp:
34153 (JSC::ProfileGenerator::beginCallEntry):
34154 (JSC::ProfileGenerator::endCallEntry):
34155 (JSC::ProfileGenerator::didPause):
34156 (JSC::ProfileGenerator::didContinue):
34157
341582014-10-15 Michael Saboff <msaboff@apple.com>
34159
34160 REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's JavaScript
34161 https://bugs.webkit.org/show_bug.cgi?id=137758
34162
34163 Rubber stamped by Filip Pizlo.
34164
34165 Reverted r174025 for just PutByOffset Nodes.
34166
34167 * dfg/DFGFixupPhase.cpp:
34168 (JSC::DFG::FixupPhase::fixupNode):
34169
341702014-10-14 Gyuyoung Kim <gyuyoung.kim@samsung.com>
34171
34172 Clean up unnecessary PassOwnPtr.h inclusion
34173 https://bugs.webkit.org/show_bug.cgi?id=137726
34174
34175 Reviewed by Chris Dumez.
34176
34177 * API/JSCallbackObject.h: Remove PassOwnPtr.h inclusion.
34178 * bytecode/DFGExitProfile.cpp: ditto.
34179
341802014-10-14 Brent Fulgham <bfulgham@apple.com>
34181
34182 [Win] Unreviewed gardening. Ignore Visual Studio *.sdf files.
34183
34184 * JavaScriptCore.vcxproj: Modified properties svn:ignore and svn:ignore.
34185 * JavaScriptCore.vcxproj/jsc: Modified property svn:ignore.
34186
341872014-10-14 Matthew Mirman <mmirman@apple.com>
34188
34189 Removes references to LLVMJIT which is no longer part of LLVM
34190 https://bugs.webkit.org/show_bug.cgi?id=137708
34191
34192 Reviewed by Filip Pizlo.
34193
34194 * Configurations/LLVMForJSC.xcconfig: removed -lLLVMJIT
34195 * llvm/LLVMAPIFunctions.h: removed LinkInJIT
34196
341972014-10-14 peavo@outlook.com <peavo@outlook.com>
34198
34199 [Win32] Thunk is not implemented.
34200 https://bugs.webkit.org/show_bug.cgi?id=137691
34201
34202 Reviewed by Mark Lam.
34203
34204 Thunks for functions with double operands (floor, etc.) are not implemented on Win32.
34205
34206 * jit/ThunkGenerators.cpp:
34207
342082014-10-12 Alexey Proskuryakov <ap@apple.com>
34209
34210 Adding svn:ignore so that .pyc files don't show up as new.
34211
34212 * inspector/scripts/codegen: Added property svn:ignore.
34213
342142014-10-10 Commit Queue <commit-queue@webkit.org>
34215
34216 Unreviewed, rolling out r174606.
34217 https://bugs.webkit.org/show_bug.cgi?id=137621
34218
34219 broke a JSC test (Requested by estes on #webkit).
34220
34221 Reverted changeset:
34222
34223 "Various arguments optimisations in codegen fail to account
34224 for arguments being in lexical record"
34225 https://bugs.webkit.org/show_bug.cgi?id=137617
34226 http://trac.webkit.org/changeset/174606
34227
342282014-10-10 Oliver Hunt <oliver@apple.com>
34229
34230 Various arguments optimisations in codegen fail to account for arguments being in lexical record
34231 https://bugs.webkit.org/show_bug.cgi?id=137617
34232
34233 Reviewed by Michael Saboff.
34234
34235 Rework the way we track |arguments| references so that we don't try
34236 to use the |arguments| reference on the stack if it's not safe.
34237
34238 To do this without nuking performance it was necessary to update
34239 the parser to track modification of the |arguments| reference
34240 itself.
34241
34242 * bytecode/CodeBlock.cpp:
34243 * bytecompiler/BytecodeGenerator.cpp:
34244 (JSC::BytecodeGenerator::BytecodeGenerator):
34245 (JSC::BytecodeGenerator::willResolveToArguments):
34246 (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
34247 (JSC::BytecodeGenerator::emitCall):
34248 (JSC::BytecodeGenerator::emitConstruct):
34249 (JSC::BytecodeGenerator::emitEnumeration):
34250 (JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
34251 * bytecompiler/BytecodeGenerator.h:
34252 (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
34253 * bytecompiler/NodesCodegen.cpp:
34254 (JSC::BracketAccessorNode::emitBytecode):
34255 (JSC::DotAccessorNode::emitBytecode):
34256 (JSC::getArgumentByVal):
34257 (JSC::CallFunctionCallDotNode::emitBytecode):
34258 (JSC::ApplyFunctionCallDotNode::emitBytecode):
34259 (JSC::ArrayPatternNode::emitDirectBinding):
34260 * interpreter/StackVisitor.cpp:
34261 (JSC::StackVisitor::Frame::existingArguments):
34262 * parser/Nodes.h:
34263 (JSC::ScopeNode::modifiesArguments):
34264 * parser/Parser.cpp:
34265 (JSC::Parser<LexerType>::parseInner):
34266 * parser/Parser.h:
34267 (JSC::Scope::getCapturedVariables):
34268 * parser/ParserModes.h:
34269
342702014-10-09 Joseph Pecoraro <pecoraro@apple.com>
34271
34272 Web Inspector: Remove unused generator code
34273 https://bugs.webkit.org/show_bug.cgi?id=137564
34274
34275 Reviewed by Brian Burg.
34276
34277 * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
34278 (BackendDispatcherHeaderGenerator.generate_output): Deleted.
34279 * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
34280 (BackendDispatcherImplementationGenerator.generate_output):
34281 * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
34282 (FrontendDispatcherHeaderGenerator.generate_output):
34283 * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
34284 (FrontendDispatcherImplementationGenerator.generate_output):
34285 * inspector/scripts/codegen/generate_protocol_types_header.py:
34286 (ProtocolTypesHeaderGenerator.generate_output):
34287 * inspector/scripts/codegen/generate_protocol_types_implementation.py:
34288 (ProtocolTypesImplementationGenerator.generate_output):
34289 inputFilename is now handled by the generic generator base class.
34290
34291 * inspector/scripts/codegen/models.py:
34292 (Framework.fromString):
34293 (Frameworks):
34294 * inspector/scripts/generate-inspector-protocol-bindings.py:
34295 The WTF framework is unused. Remove unexpected frameworks.
34296
342972014-10-09 Dean Jackson <dino@apple.com>
34298
34299 Remove ENABLE_CSS3_CONDITIONAL_RULES
34300 https://bugs.webkit.org/show_bug.cgi?id=137571
34301
34302 Reviewed by Simon Fraser.
34303
34304 * Configurations/FeatureDefines.xcconfig:
34305
343062014-10-09 Adrien Destugues <pulkomandy@gmail.com>
34307
34308 Fix compiler warning on noreturn function
34309 https://bugs.webkit.org/show_bug.cgi?id=137558
34310
34311 Reviewed by Darin Adler.
34312
34313 The function is marked "noreturn", but the stub implementation does
34314 return. No new tests: function is never called. Only fixes a warning.
34315
34316 * heap/HeapStatistics.cpp:
34317 (JSC::HeapStatistics::exitWithFailure):
34318
343192014-10-09 Akos Kiss <akiss@inf.u-szeged.hu>
34320
34321 Ensure that inline assembly Thunk functions don't conflict with the section designations of the compiler
34322 https://bugs.webkit.org/show_bug.cgi?id=137434
34323
34324 Reviewed by Michael Saboff.
34325
34326 The ARM64 version of the defineUnaryDoubleOpWrapper macro in
34327 ThunkGenerators.cpp contains inline assembly with .text assembler
34328 directive followed by a static variable declaration. This macro gets
34329 expanded several times afterwards, however, only during the compilation
34330 of the first expansion does gcc insert a .data assembler directive
34331 before the assembled version of the static variable. Thus, only the
34332 first variable gets allocated in the .data section, all the others
34333 remain in .text. If JavaScriptCore is built as a shared library then
34334 this causes a segmentation fault during dynamic linking.
34335
34336 This patch puts a .previous directive at the end of the inline assembly
34337 to ensure that the assumptions of the compiler about the sections are
34338 not broken and the following variable goes to the right place.
34339
34340 * jit/ThunkGenerators.cpp:
34341
343422014-10-08 Oliver Hunt <oliver@apple.com>
34343
34344 Make sure arguments tearoff is performed through the environment record if necessary
34345 https://bugs.webkit.org/show_bug.cgi?id=137538
34346
34347 Reviewed by Michael Saboff.
34348
34349 Fairly simple change. If we have a lexical record we need to pull the unmodified
34350 arguments object from the record and then use the standard op_tear_off_arguments
34351 instruction on the temporary.
34352
34353 * bytecompiler/BytecodeGenerator.cpp:
34354 (JSC::BytecodeGenerator::emitGetOwnScope):
34355 (JSC::BytecodeGenerator::emitReturn):
34356 * bytecompiler/BytecodeGenerator.h:
34357
343582014-10-08 peavo@outlook.com <peavo@outlook.com>
34359
34360 [WinCairo] Enable JIT on 32-bit.
34361 https://bugs.webkit.org/show_bug.cgi?id=137521
34362
34363 Reviewed by Mark Lam.
34364
34365 Enable JIT on Windows 32-bit, but disable it at runtime if SSE2 is not present.
34366
34367 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
34368 * runtime/Options.cpp:
34369 (JSC::recomputeDependentOptions):
34370
343712014-10-08 Brent Fulgham <bfulgham@apple.com>
34372
34373 [Win] Resolve some static analysis warnings in JavaScriptCore
34374 https://bugs.webkit.org/show_bug.cgi?id=137508
34375
34376 Reviewed by Geoffrey Garen.
34377
34378 * API/tests/testapi.c:
34379 (assertEqualsAsCharactersPtr): MSVC insists on using %Iu as its format specifier
34380 for size_t. Make the format string conditional on Windows.
34381 * bytecode/Watchpoint.h:
34382 (JSC::InlineWatchpointSet::encodeState): Silence warning about left-shifting 'state'
34383 as a 32-bit value before OR-ing it with a 64-bit value.
34384 * dfg/DFGFixupPhase.cpp:
34385 (JSC::DFG::FixupPhase::fixupNode): Silence warning about operator precedence
34386 causing the || operation to take place before the >= test.
34387 * dfg/DFGInPlaceAbstractState.cpp:
34388 (JSC::DFG::InPlaceAbstractState::endBasicBlock): Ditto (|| before !=)
34389 * testRegExp.cpp:
34390 (testOneRegExp): Ditto %Iu format specifier.
34391 * yarr/YarrInterpreter.cpp:
34392 (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): Silence warning about
34393 using a 32-bit value as part of a 64-bit calculation.
34394
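The Watchpoint.h warning in the entry above (a 32-bit 'state' left-shifted before being OR-ed into a 64-bit value) is a defect class worth seeing in code. The block below is an added example, not JavaScriptCore's InlineWatchpointSet::encodeState and not part of this ChangeLog; its packed layout (a 4-bit state tag at bit 30 of a 64-bit word), constants and function names are invented for illustration. It puts the defective form next to the corrected one: shifting the 32-bit operand and only then widening truncates the tag, while widening before the shift keeps it intact.

```cpp
#include <cstdint>
#include <cstdio>

// Added example with invented names; not JavaScriptCore code.
// Hypothetical packed layout: a 4-bit state tag lives in bits 30..33 of a
// 64-bit word and the 30 bits below it hold a payload.
constexpr unsigned kStateShift = 30;
constexpr uint64_t kStateMask = 0xFull << kStateShift;
constexpr uint64_t kPayloadMask = (1ull << kStateShift) - 1;

// Defective form, the pattern the static analyzer flags: `state` is a 32-bit
// unsigned, so `state << kStateShift` is evaluated in 32-bit arithmetic and
// wraps modulo 2^32. Only that already-truncated result is widened and OR-ed
// into the 64-bit word, so the top two bits of the tag are silently dropped.
uint64_t encodeNarrow(uint32_t state, uint64_t payload)
{
    return (state << kStateShift) | (payload & kPayloadMask);
}

// Corrected form: widen first, then shift, so the shift runs in 64 bits.
uint64_t encodeWide(uint32_t state, uint64_t payload)
{
    return (static_cast<uint64_t>(state) << kStateShift) | (payload & kPayloadMask);
}

uint32_t decodeState(uint64_t word)
{
    return static_cast<uint32_t>((word & kStateMask) >> kStateShift);
}

uint64_t decodePayload(uint64_t word)
{
    return word & kPayloadMask;
}

// True when every 4-bit state survives an encode/decode round trip through
// the given encoder. encodeNarrow fails this for any state with bit 2 or
// bit 3 set, because those bits are shifted past bit 31 and lost.
bool roundTripsAllStates(uint64_t (*encode)(uint32_t, uint64_t), uint64_t payload)
{
    for (uint32_t state = 0; state < 16; ++state) {
        uint64_t word = encode(state, payload);
        if (decodeState(word) != state || decodePayload(word) != (payload & kPayloadMask))
            return false;
    }
    return true;
}

int main()
{
    const uint64_t payload = 0x12345; // constructed sample payload
    std::printf("narrow: 0x%llx -> state %u\n",
        static_cast<unsigned long long>(encodeNarrow(0xF, payload)),
        decodeState(encodeNarrow(0xF, payload)));
    std::printf("wide:   0x%llx -> state %u\n",
        static_cast<unsigned long long>(encodeWide(0xF, payload)),
        decodeState(encodeWide(0xF, payload)));
    std::printf("narrow round-trips all states: %s\n",
        roundTripsAllStates(encodeNarrow, payload) ? "yes" : "no");
    return roundTripsAllStates(encodeWide, payload) ? 0 : 1;
}
```

The rule generalizes to any shift whose result is meant to land in a wider type: widen the operand before the shift, not the result after it. With a uint32_t operand the overflow is a defined wrap and therefore only silently wrong; with a narrower operand (uint16_t, uint8_t) the shift promotes to int and overflow there is undefined behaviour, so the compiler is free to do anything.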
343952014-10-07 Simon Fraser <simon.fraser@apple.com>
34396
34397 Roll-over Changelogs.
34398
34399 * ChangeLog-2014-10-07: Copied from Source/JavaScriptCore/ChangeLog.
34400
34401== Rolled over to ChangeLog-2014-10-07 ==