apple/javascriptcore.git ChangeLog (tag JavaScriptCore-7600.1.4.15.12, mirrored at git.saurik.com)
1 2015-03-06 Lucas Forschler <lforschler@apple.com>
2
3 Merge r180234
4
5 2015-02-17 Filip Pizlo <fpizlo@apple.com>
6
7 Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs
8 https://bugs.webkit.org/show_bug.cgi?id=141717
9 rdar://problem/19863382
10
11 Reviewed by Geoffrey Garen.
12
13 The best solution is to ensure that the engine catching an exception restores tag registers.
14
15 Each of these new test cases reliably crashed prior to this patch and they don't crash at all now.
16
17 * jit/JITOpcodes.cpp:
18 (JSC::JIT::emit_op_catch):
19 * llint/LowLevelInterpreter.asm:
20 * llint/LowLevelInterpreter64.asm:
21 * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added.
22 * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added.
23 * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added.
24
25 2015-03-06 Lucas Forschler <lforschler@apple.com>
26
27 Merge r181030
28
29 2015-03-04 Filip Pizlo <fpizlo@apple.com>
30
31 [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
32 https://bugs.webkit.org/show_bug.cgi?id=141180
33 rdar://problem/19677552
34
35 Reviewed by Benjamin Poulain.
36
37 If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
38 bounds check already terminates execution. This means we can skip the part where we
39 previously did an out-of-bound array access on the inlined call frame arguments vector.
40
41 * ftl/FTLLowerDFGToLLVM.cpp:
42 (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
43 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
44 (JSC::FTL::LowerDFGToLLVM::terminate):
45 (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
46 (JSC::FTL::LowerDFGToLLVM::crash):
47 * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
48 (foo):
49 (bar):
50
51 2015-03-04 Matthew Hanson <matthew_hanson@apple.com>
52
53 Merge r180101. rdar://problem/19913017
54
55 2015-02-13 Joseph Pecoraro <pecoraro@apple.com>
56
57 JSContext Inspector: Do not stash console messages for non-debuggable JSContext
58 https://bugs.webkit.org/show_bug.cgi?id=141589
59
60 Reviewed by Timothy Hatcher.
61
62 Consider developer extras disabled for JSContext inspection if the
63 RemoteInspector server is not enabled (typically a non-debuggable
64 process rejected by webinspectord) or if remote debugging on the
65 JSContext was explicitly disabled via SPI.
66
67 When developer extras are disabled, console message will not be stashed.
68
69 * inspector/JSGlobalObjectInspectorController.cpp:
70 (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled):
71 * inspector/JSGlobalObjectInspectorController.h:
72
73 2015-02-26 Lucas Forschler <lforschler@apple.com>
74
75 Merge r180452
76
77 2015-02-20 Mark Lam <mark.lam@apple.com>
78
79 [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain.
80 <https://webkit.org/b/141809>
81
82 Reviewed by Geoffrey Garen.
83
84 An ObjC class that implements the JSExport protocol will have a JS prototype
85 chain and constructor automatically synthesized for its JS wrapper object.
86 However, if there are no more instances of that ObjC class reachable by a
87 JS GC root scan, then its synthesized prototype chain and constructors may
88 be released by the GC. If a new instance of that ObjC class is subsequently
89 instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype]
90 should re-construct the prototype chain and constructor (if they were
91 previously released). However, the current implementation only
92 re-constructs the immediate prototype, but not every other prototype
93 object upstream in the prototype chain.
94
95 To fix this, we do the following:
96 1. We no longer allocate the JSObjCClassInfo's prototype and constructor
97 eagerly. Hence, -initWithContext:forClass: will no longer call
98 -allocateConstructorAndPrototypeWithSuperClassInfo:.
99 2. Instead, we'll always access the prototype and constructor through
100 accessor methods. The accessor methods will call
101 -allocateConstructorAndPrototype: if needed.
102 3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo
103 from the JSWrapperMap itself. This makes it so that we no longer
104 need to pass the superClassInfo all over.
105 4. -allocateConstructorAndPrototype: will get the super class prototype
106 by invoking -prototype: on the superClassInfo, thereby allowing the
107 super class to allocate its prototype and constructor if needed and
108 fixing the issue in this bug.
109
110 5. Also removed the GC warning comments, and ensured that needed JS
111 objects are kept alive by having a local var pointing to them from the
112 stack (which makes a GC root).
113
114 * API/JSWrapperMap.mm:
115 (-[JSObjCClassInfo initWithContext:forClass:]):
116 (-[JSObjCClassInfo allocateConstructorAndPrototype]):
117 (-[JSObjCClassInfo wrapperForObject:]):
118 (-[JSObjCClassInfo constructor]):
119 (-[JSObjCClassInfo prototype]):
120 (-[JSWrapperMap classInfoForClass:]):
121 (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted.
122 (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted.
123 (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted.
124 * API/tests/Regress141809.h: Added.
125 * API/tests/Regress141809.mm: Added.
126 (-[TestClassB name]):
127 (-[TestClassC name]):
128 (runRegress141809):
129 * API/tests/testapi.mm:
130 * JavaScriptCore.xcodeproj/project.pbxproj:
131
132 2015-02-25 Babak Shafiei <bshafiei@apple.com>
133
134 Merge patch for r180247 and r180249.
135
136 2015-02-20 Michael Saboff <msaboff@apple.com>
137
138 CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode
139 https://bugs.webkit.org/show_bug.cgi?id=141730
140
141 Reviewed by Geoffrey Garen.
142
143 Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures
144 while processing DFG lowering. For debug builds, the failures are logged identically
145 to the way DFG_CRASH() reports them. For release builds, the failures are reported
146 and the FTL compilation is terminated, but the process is allowed to continue.
147 Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and
148 line number are reported at the point of the inconsistency.
149
150 Converted instances of DFG_CRASH to LOWERING_FAILED.
151
152 * dfg/DFGPlan.cpp:
153 (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that
154 will fail the FTL compile.
155
156 * ftl/FTLLowerDFGToLLVM.cpp:
157 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
158 Added new member variable, m_loweringSucceeded, to stop compilation on the first
159 reported failure.
160
161 * ftl/FTLLowerDFGToLLVM.cpp:
162 (JSC::FTL::LowerDFGToLLVM::lower):
163 * ftl/FTLLowerDFGToLLVM.h:
164 Added check for compilation failures and now report those failures via a boolean
165 return value.
166
167 * ftl/FTLLowerDFGToLLVM.cpp:
168 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
169 (JSC::FTL::LowerDFGToLLVM::compileNode):
170 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
171 (JSC::FTL::LowerDFGToLLVM::compilePhi):
172 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
173 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
174 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
175 (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
176 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
177 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
178 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
179 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
180 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
181 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
182 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
183 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
184 (JSC::FTL::LowerDFGToLLVM::compileGetById):
185 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
186 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
187 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
188 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
189 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
190 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
191 (JSC::FTL::LowerDFGToLLVM::compileNewArray):
192 (JSC::FTL::LowerDFGToLLVM::compileToString):
193 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
194 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
195 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
196 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
197 (JSC::FTL::LowerDFGToLLVM::compare):
198 (JSC::FTL::LowerDFGToLLVM::boolify):
199 (JSC::FTL::LowerDFGToLLVM::opposite):
200 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
201 (JSC::FTL::LowerDFGToLLVM::speculate):
202 (JSC::FTL::LowerDFGToLLVM::isArrayType):
203 (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
204 (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
205 (JSC::FTL::LowerDFGToLLVM::setInt52):
206 Changed DFG_CRASH() to LOWERING_FAILED(). Updated related control flow as appropriate.
207
208 (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function.
209
210 2015-02-25 Babak Shafiei <bshafiei@apple.com>
211
212 Merge r180516.
213
214 2015-02-23 Matthew Mirman <mmirman@apple.com>
215
216 r9 is volatile on ARMv7 for iOS 3 and up.
217 https://bugs.webkit.org/show_bug.cgi?id=141489
218 rdar://problem/19432916
219
220 Reviewed by Michael Saboff.
221
222 * jit/RegisterSet.cpp:
223 (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers.
224 * tests/stress/regress-141489.js: Added.
225 (foo):
226
227 2015-02-20 Lucas Forschler <lforschler@apple.com>
228
229 Merge r180237
230
231 2015-02-17 Filip Pizlo <fpizlo@apple.com>
232
233 StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
234 https://bugs.webkit.org/show_bug.cgi?id=141721
235 rdar://problem/17198633
236
237 Reviewed by Michael Saboff.
238
239 I've seen cases where the two are out of sync. We know we can trust the CodeBlock::usesArguments because
240 we use it everywhere else.
241
242 No test because I could never reproduce the crash.
243
244 * dfg/DFGGraph.h:
245 (JSC::DFG::Graph::usesArguments):
246 * dfg/DFGStackLayoutPhase.cpp:
247 (JSC::DFG::StackLayoutPhase::run):
248
249 2015-02-20 Babak Shafiei <bshafiei@apple.com>
250
251 Merge r178224.
252
253 2015-01-09 Joseph Pecoraro <pecoraro@apple.com>
254
255 Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint
256 https://bugs.webkit.org/show_bug.cgi?id=140279
257 rdar://problem/19422299
258
259 Reviewed by Oliver Hunt.
260
261 * runtime/MapData.cpp:
262 (JSC::MapData::replaceAndPackBackingStore):
263 The cell table also needs to have its values fixed.
264
265 2015-02-20 Babak Shafiei <bshafiei@apple.com>
266
267 Merge patch for rdar://problem/19828630.
268
269 2015-02-13 Filip Pizlo <fpizlo@apple.com>
270
271 Effectful calls to length should only happen once on the varargs path.
272 rdar://problem/19828518
273
274 Reviewed by Michael Saboff.
275
276 * interpreter/Interpreter.cpp:
277 (JSC::sizeFrameForVarargs):
278 (JSC::loadVarargs):
279 * runtime/VM.cpp:
280 (JSC::VM::VM):
281 * runtime/VM.h:
282
283 2015-02-10 Babak Shafiei <bshafiei@apple.com>
284
285 Merge r179576, r179648.
286
287 2015-02-04 Mark Lam <mark.lam@apple.com>
288
289 r179576 introduced a deadlock potential during GC thread suspension.
290 <https://webkit.org/b/141268>
291
292 Reviewed by Michael Saboff.
293
294 http://trac.webkit.org/r179576 introduced a potential for deadlocking.
295 In the GC thread suspension loop, we currently delete
296 MachineThreads::Thread that we detect to be invalid. This is unsafe
297 because we may have already suspended some threads, and one of those
298 suspended threads may still be holding the C heap lock which we need
299 for deleting the invalid thread.
300
301 The fix is to put the invalid threads in a separate toBeDeleted list,
302 and delete them only after GC has resumed all threads.
303
304 * heap/MachineStackMarker.cpp:
305 (JSC::MachineThreads::removeCurrentThread):
306 - Undo refactoring removeThreadWithLockAlreadyAcquired() out of
307 removeCurrentThread() since it is no longer needed.
308
309 (JSC::MachineThreads::tryCopyOtherThreadStacks):
310 - Put invalid Threads on a threadsToBeDeleted list, and delete those
311 Threads only after all threads have been resumed.
312
313 (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted.
314 * heap/MachineStackMarker.h:
315
316 2015-02-03 Mark Lam <mark.lam@apple.com>
317
318 Workaround a thread library bug where thread destructors may not get called.
319 <https://webkit.org/b/141209>
320
321 Reviewed by Michael Saboff.
322
323 There's a bug where thread destructors may not get called. As far as
324 we know, this only manifests on darwin ports. We will work around this
325 by checking at GC time if the platform thread is still valid. If not,
326 we'll purge it from the VM's registeredThreads list before proceeding
327 with thread scanning activity.
328
329 Note: it is important that we do this invalid thread detection during
330 suspension, because the validity (and liveness) of the other thread is
331 only guaranteed while it is suspended.
332
333 * API/tests/testapi.mm:
334 (threadMain):
335 - Added a test to enter the VM from another thread before we GC on
336 the main thread.
337
338 * heap/MachineStackMarker.cpp:
339 (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired):
340 (JSC::MachineThreads::removeCurrentThread):
341 - refactored removeThreadWithLockAlreadyAcquired() out from
342 removeCurrentThread() so that we can also call it for purging invalid
343 threads.
344 (JSC::suspendThread):
345 - Added a return status to tell if the suspension succeeded or not.
346 (JSC::MachineThreads::tryCopyOtherThreadStacks):
347 - Check if the suspension failed, and purge the thread if we can't
348 suspend it. Failure to suspend implies that the thread has
349 terminated without calling its destructor.
350 * heap/MachineStackMarker.h:
351
352 2015-02-10 Babak Shafiei <bshafiei@apple.com>
353
354 Merge r179187.
355
356 2015-01-27 Csaba Osztrogonác <ossy@webkit.org>
357
358 [ARM] Typo fix after r176083
359 https://bugs.webkit.org/show_bug.cgi?id=140937
360
361 Reviewed by Anders Carlsson.
362
363 * assembler/ARMv7Assembler.h:
364 (JSC::ARMv7Assembler::ldrh):
365
366 2015-02-10 Babak Shafiei <bshafiei@apple.com>
367
368 Merge r176083.
369
370 2014-11-13 Benjamin Poulain <benjamin@webkit.org>
371
372 ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset
373 https://bugs.webkit.org/show_bug.cgi?id=136914
374
375 Reviewed by Michael Saboff.
376
377 TLDR: the immediate offset of half-word load was divided by 2.
378
379 Story time: So I started getting those weird reports of :nth-child() behaving bizarrely
380 on ARMv7 and ARMv7s. To make things worse, the behavior changes depending on style updates.
381
382 I started looking at the disassembly of the test cases...
383
384 The first thing I noticed was that the computation of An+B looked wrong. For example,
385 in the case of n+6, the instruction should have been:
386 subs r1, r1, #6
387 but was
388 subs r1, r1, #2
389
390 After spending a lot of time trying to find the error in the assembler, I discovered
391 the problem was not real, but just a bug in the disassembler.
392 This is the first fix: ARMv7DOpcodeAddSubtractImmediate3's immediate3() was truncating
393 the value to 2 bits instead of 3 bits.
394
395 The disassembler being fixed, I still have no lead on the weird bug. Some disassembly later,
396 I realize the LDRH instruction is not decoded at all. The reason is that both LDRH and STRH
397 were under the umbrella ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord but the pattern
398 only matched STRH.
399
400 I fix that next, ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord is split into
401 ARMv7DOpcodeStoreRegisterImmediateHalfWord and ARMv7DOpcodeLoadRegisterImmediateHalfWord,
402 each with their own pattern and their instruction group.
403
404 Now that I can see the LDRHs correctly, there is something fishy about them, their offset
405 is way too small for the data I load.
406
407 This time, looking at the binary, the generated code is indeed incorrect. It turns out that
408 the ARMv7 assembler shifted the offset of half-word load as if they were byte load: divided by 4.
409 As a result, all the loads of half-words with more than zero offset were loading
410 values with a smaller offset than what they should have.
411
412 That being fixed, I dump the assembly: still wrong. I am ready to throw my keyboard through
413 my screen at that point.
414
415 Looking at the disassembler, there is yet again a bug. The computation of the scale() adjustment
416 of the offset was incorrect for anything but word loads.
417 I replaced it by a switch-case to make it explicit.
418
419 STRH is likely incorrect too. I'll fix that in a follow up, I want to survey all the 16-bit cases
420 that are not directly used by the CSS JIT.
421
422 * assembler/ARMv7Assembler.h:
423 (JSC::ARMv7Assembler::ldrh):
424 Fix the immediate scaling. Add an assertion to make sure the alignment of the input is correct.
425
426 * disassembler/ARMv7/ARMv7DOpcode.cpp:
427 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale):
428 Fix the scaling code. Just hardcode instruction-to-scale table.
429
430 * disassembler/ARMv7/ARMv7DOpcode.h:
431 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3):
432 The mask for a 3-bit immediate is not 3 :)
433
434 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): Deleted.
435
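The block below is an added example, not code from the WebKit/JavaScriptCore sources or from the entry above. It encodes and decodes the 16-bit Thumb load/store-with-immediate forms (LDR, LDRB, LDRH and their store counterparts) and the ADD/SUB immediate3 form, keeping the per-width offset scale explicit, and places next to them a deliberately wrong LDRH encoder that scales the half-word offset by 4 and a deliberately wrong immediate3 decoder that masks with 3, so that the two symptoms the entry reports (`subs r1, r1, #6` read back as `#2`, and an LDRH landing at a smaller offset than written) can be reproduced on known-good input. All type and function names are this example's own, not the assembler's or disassembler's.

```cpp
// Added example (not JavaScriptCore code): Thumb 16-bit load/store immediate
// encoding and the ADD/SUB immediate3 field, correct forms beside buggy ones.
#include <cassert>
#include <cstdint>
#include <stdexcept>

// The access width is also the scale applied to the 5-bit immediate field.
enum class Width { Byte = 1, Half = 2, Word = 4 };

// T1 encodings ("load/store with immediate offset"), bits 15..11:
//   01100 STR  / 01101 LDR   imm = imm5 * 4
//   01110 STRB / 01111 LDRB  imm = imm5 * 1
//   10000 STRH / 10001 LDRH  imm = imm5 * 2
// Layout of the low bits in each case: imm5 at [10:6], Rn at [5:3], Rt at [2:0].
uint16_t opcodeBase(Width w, bool isLoad)
{
    uint16_t base = 0;
    switch (w) {
    case Width::Word: base = 0x6000; break;
    case Width::Byte: base = 0x7000; break;
    case Width::Half: base = 0x8000; break;
    }
    return isLoad ? static_cast<uint16_t>(base | 0x0800) : base;
}

unsigned scaleFor(Width w) { return static_cast<unsigned>(w); }

// Correct encoder: the field holds imm / width, and imm must be width-aligned.
uint16_t encodeLoadStoreImm(Width w, bool isLoad, unsigned rt, unsigned rn, unsigned imm)
{
    unsigned scale = scaleFor(w);
    if (rt > 7 || rn > 7 || imm % scale != 0 || imm / scale > 31)
        throw std::invalid_argument("operand out of range for T1 encoding");
    return static_cast<uint16_t>(opcodeBase(w, isLoad) | ((imm / scale) << 6) | (rn << 3) | rt);
}

// Buggy LDRH encoder: scales the half-word offset as if it were a word offset.
uint16_t encodeLdrhBuggy(unsigned rt, unsigned rn, unsigned imm)
{
    return static_cast<uint16_t>(opcodeBase(Width::Half, true) | ((imm / 4) << 6) | (rn << 3) | rt);
}

struct Decoded { Width width; bool isLoad; unsigned rt; unsigned rn; unsigned imm; };

// Decoder with an explicit per-width scale table (the fix the entry describes
// for the disassembler's scale() computation).
Decoded decodeLoadStoreImm(uint16_t insn)
{
    Decoded d;
    switch (insn >> 12) {
    case 0x6: d.width = Width::Word; break;
    case 0x7: d.width = Width::Byte; break;
    case 0x8: d.width = Width::Half; break;
    default: throw std::invalid_argument("not a T1 load/store immediate");
    }
    d.isLoad = ((insn >> 11) & 1) != 0;
    d.rt = insn & 7;
    d.rn = (insn >> 3) & 7;
    d.imm = ((insn >> 6) & 0x1f) * scaleFor(d.width);
    return d;
}

// ADD/SUB (immediate, T1): 0001110 imm3 Rn Rd is ADD, 0001111 imm3 Rn Rd is SUB;
// imm3 sits at bits [8:6].
uint16_t encodeSubsImm3(unsigned rd, unsigned rn, unsigned imm3)
{
    if (rd > 7 || rn > 7 || imm3 > 7)
        throw std::invalid_argument("operand out of range for ADD/SUB imm3");
    return static_cast<uint16_t>(0x1E00 | (imm3 << 6) | (rn << 3) | rd);
}

unsigned immediate3(uint16_t insn)      { return (insn >> 6) & 0x7; } // 3-bit field, mask 7
unsigned immediate3Buggy(uint16_t insn) { return (insn >> 6) & 0x3; } // truncates to 2 bits
```

Running the buggy encoder on `ldrh r0, [r1, #6]` produces a word whose field decodes to an offset of 2, and the buggy immediate3 reads `subs r1, r1, #6` as `#2`, which is exactly the pair of observations that made the original bug hunt confusing: a correct assembler output that the disassembler misreported, and an incorrect assembler output that a correct disassembler exposes.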
436 2015-02-05 Lucas Forschler <lforschler@apple.com>
437
438 Merge r178953
439
440 2015-01-21 Joseph Pecoraro <pecoraro@apple.com>
441
442 Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits<T>::assertValueHasExpectedType
443 https://bugs.webkit.org/show_bug.cgi?id=140746
444
445 Reviewed by Timothy Hatcher.
446
447 * inspector/InjectedScriptSource.js:
448 Do not add impure properties to the descriptor object that will
449 eventually be sent to the frontend.
450
451 2015-02-05 Lucas Forschler <lforschler@apple.com>
452
453 Merge r178768
454
455 2015-01-20 Joseph Pecoraro <pecoraro@apple.com>
456
457 Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values
458 https://bugs.webkit.org/show_bug.cgi?id=137306
459
460 Reviewed by Timothy Hatcher.
461
462 Provide another optional parameter to getProperties, to gather a list
463 of all own and getter properties.
464
465 * inspector/InjectedScript.cpp:
466 (Inspector::InjectedScript::getProperties):
467 * inspector/InjectedScript.h:
468 * inspector/InjectedScriptSource.js:
469 * inspector/agents/InspectorRuntimeAgent.cpp:
470 (Inspector::InspectorRuntimeAgent::getProperties):
471 * inspector/agents/InspectorRuntimeAgent.h:
472 * inspector/protocol/Runtime.json:
473
474 2015-02-04 Lucas Forschler <lforschler@apple.com>
475
476 Merge r179329
477
478 2015-01-13 Geoffrey Garen <ggaren@apple.com>
479
480 Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
481 https://bugs.webkit.org/show_bug.cgi?id=140397
482
483 Reviewed by Geoffrey Garen.
484
485 Patch by Alexey Proskuryakov.
486
487 Reviewed, performance tested, and ChangeLogged by Geoffrey Garen.
488
489 No performance change.
490
491 No test, since this is a small past-the-end read, which is very
492 difficult to turn into a reproducible failing test -- and existing tests
493 crash reliably using ASan.
494
495 * bytecompiler/NodesCodegen.cpp:
496 (JSC::BracketAccessorNode::emitBytecode):
497 (JSC::DotAccessorNode::emitBytecode):
498 (JSC::FunctionCallBracketNode::emitBytecode):
499 (JSC::PostfixNode::emitResolve):
500 (JSC::DeleteBracketNode::emitBytecode):
501 (JSC::DeleteDotNode::emitBytecode):
502 (JSC::PrefixNode::emitResolve):
503 (JSC::UnaryOpNode::emitBytecode):
504 (JSC::BitwiseNotNode::emitBytecode):
505 (JSC::BinaryOpNode::emitBytecode):
506 (JSC::EqualNode::emitBytecode):
507 (JSC::StrictEqualNode::emitBytecode):
508 (JSC::ThrowableBinaryOpNode::emitBytecode):
509 (JSC::AssignDotNode::emitBytecode):
510 (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any
511 register used across a call to a function that might allocate a new
512 temporary register must be held in a RefPtr.
513
514 2015-02-04 Lucas Forschler <lforschler@apple.com>
515
516 Merge r178311
517
518 2015-01-12 Geoffrey Garen <ggaren@apple.com>
519
520 Out of bounds read in IdentifierArena::makeIdentifier
521 https://bugs.webkit.org/show_bug.cgi?id=140376
522
523 Patch by Alexey Proskuryakov.
524
525 Reviewed and ChangeLogged by Geoffrey Garen.
526
527 No test, since this is a small past-the-end read, which is very
528 difficult to turn into a reproducible failing test -- and existing tests
529 crash reliably using ASan.
530
531 * parser/ParserArena.h:
532 (JSC::IdentifierArena::makeIdentifier):
533 (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a
534 zero-length string input, like we do in the literal parser, since it is
535 not valid to dereference characters in a zero-length string.
536
537 A zero-length string is allowed in JavaScript -- for example, "".
538
539 2015-01-28 Lucas Forschler <lforschler@apple.com>
540
541 Merge r178364
542
543 2015-01-12 Michael Saboff <msaboff@apple.com>
544
545 Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
546 https://bugs.webkit.org/show_bug.cgi?id=140348
547
548 Reviewed by Mark Lam.
549
550 We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late
551 because those registers may have been spilled on the stack and replaced with other values by
552 the time we call down to gatherFromCurrentThread().
553
554 Now we get the register contents at the same place that we demarcate the current top of
555 stack using the address of a local variable, in Heap::markRoots(). The register contents
556 buffer is passed along with the demarcation pointer. These need to be done at this level
557 in the call tree and no lower, as markRoots() calls various functions that visit object
558 pointers that may be later proven dead. Any of those pointers that are left on the
559 stack or in registers could be incorrectly marked as live if we scan the stack contents
560 from a called function or one of its callees. The stack demarcation pointer and register
561 saving need to be done in the same function so that we have a consistent stack, active
562 and spilled registers.
563
564 Because we don't want to make unnecessary calls to get the register contents, we use
565 a macro to allocate, and possibly align, the register structure and get the actual
566 register contents.
567
568
569 * heap/Heap.cpp:
570 (JSC::Heap::markRoots):
571 (JSC::Heap::gatherStackRoots):
572 * heap/Heap.h:
573 * heap/MachineStackMarker.cpp:
574 (JSC::MachineThreads::gatherFromCurrentThread):
575 (JSC::MachineThreads::gatherConservativeRoots):
576 * heap/MachineStackMarker.h:
577
578 2015-01-27 Lucas Forschler <lforschler@apple.com>
579
580 Merge r177455
581
582 2014-12-17 Chris Dumez <cdumez@apple.com>
583
584 [iOS] Make it possible to toggle FeatureCounter support at runtime
585 https://bugs.webkit.org/show_bug.cgi?id=139688
586 <rdar://problem/19266254>
587
588 Reviewed by Andreas Kling.
589
590 Stop linking against AppSupport framework as the functionality is no
591 longer in WTF (it was moved to WebCore).
592
593 * Configurations/JavaScriptCore.xcconfig:
594
595 2015-01-26 Lucas Forschler <lforschler@apple.com>
596
597 Merge r177328
598
599 2014-12-15 Chris Dumez <cdumez@apple.com>
600
601 [iOS] Add feature counting support
602 https://bugs.webkit.org/show_bug.cgi?id=139652
603 <rdar://problem/19255690>
604
605 Reviewed by Gavin Barraclough.
606
607 Link against AppSupport framework on iOS as we need it to implement
608 the new FeatureCounter API in WTF.
609
610 * Configurations/JavaScriptCore.xcconfig:
611
612 2015-01-21 Babak Shafiei <bshafiei@apple.com>
613
614 Merge r176972.
615
616 2014-12-08 Mark Lam <mark.lam@apple.com>
617
618 CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
619 <https://webkit.org/b/139327>
620
621 Reviewed by Michael Saboff.
622
623 The code generator and runtime slow paths expect otherwise. This patch fixes
624 CFA to match the code generator's expectation.
625
626 * dfg/DFGArrayMode.h:
627 (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
628 (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):
629
630 2015-01-20 Babak Shafiei <bshafiei@apple.com>
631
632 Merge r171691.
633
634 2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>
635
636 REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
637 https://bugs.webkit.org/show_bug.cgi?id=135322
638
639 Reviewed by Oliver Hunt.
640
641 The prototype chain of the JSProxy object should match that of the JSGlobalObject.
642
643 This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
644 account for JSProxies. I also audited the rest of the C API to check that we correctly
645 handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
646 and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
647 passed a JSProxy.
648
649 I also added some new tests for these cases.
650
651 * API/JSObjectRef.cpp:
652 (JSObjectSetPrototype):
653 (JSObjectGetPrivateProperty):
654 (JSObjectSetPrivateProperty):
655 (JSObjectDeletePrivateProperty):
656 * API/JSWeakObjectMapRefPrivate.cpp:
657 * API/tests/CustomGlobalObjectClassTest.c:
658 (globalObjectSetPrototypeTest):
659 (globalObjectPrivatePropertyTest):
660 * API/tests/CustomGlobalObjectClassTest.h:
661 * API/tests/testapi.c:
662 (main):
663
664 2015-01-11 Mark Lam <mark.lam@apple.com>
665
666 Update WebKit branch to build with newer LLVM.
667 <https://webkit.org/b/140341>
668
669 Reviewed by Filip Pizlo.
670
671 * Configurations/LLVMForJSC.xcconfig:
672 - Add the ability to pick up LLVM_LIBS_iphoneos from AspenLLVM.xcconfig.
673 * llvm/LLVMAPIFunctions.h:
674 - Removed some erroneous and unused APIs.
675 * llvm/library/LLVMExports.cpp:
676 (initializeAndGetJSCLLVMAPI):
677 - Removed an unneeded option that is also not supported by the new LLVM.
678
679 2014-12-10 Babak Shafiei <bshafiei@apple.com>
680
681 Merge r176803.
682
683 2014-12-04 Oliver Hunt <oliver@apple.com>
684
685 Serialization of MapData object provides unsafe access to internal types
686 https://bugs.webkit.org/show_bug.cgi?id=138653
687
688 Reviewed by Geoffrey Garen.
689
690 Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious
691 that despite trying hard to be safe in all cases it's simply too easy
692 to use an iterator in an unsafe state.
693
694 * runtime/MapData.h:
695 (JSC::MapData::const_iterator::key):
696 (JSC::MapData::const_iterator::value):
697
698 2014-09-15 Babak Shafiei <bshafiei@apple.com>
699
700 <rdar://problem/18327341> Disable Web Timing on this branch.
701
702 Reviewed originally by Sam Weinig.
703
704 Disable:
705 - WEB_TIMING
706
707 * Configurations/FeatureDefines.xcconfig:
708
709 2014-08-03 Babak Shafiei <bshafiei@apple.com>
710
711 Merge patch for <rdar://problem/17887398>.
712
713 2014-07-30 Filip Pizlo <fpizlo@apple.com>
714
715 NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
716 https://bugs.webkit.org/show_bug.cgi?id=135430
717
718 Reviewed by Mark Hahnenberg.
719
720 * dfg/DFGAbstractInterpreterInlines.h:
721 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
722 * tests/stress/new-function-expression-has-structures.js: Added.
723 (foo.f):
724 (foo.f.prototype.f):
725 (foo):
726
727 2014-08-03 Babak Shafiei <bshafiei@apple.com>
728
729 Merge r171949.
730
731 2014-08-01 Csaba Osztrogonác <ossy@webkit.org>
732
733 URTBF after r171946 to fix non-Apple builds.
734
735 * bytecode/InlineCallFrameSet.cpp:
736
737 2014-08-03 Babak Shafiei <bshafiei@apple.com>
738
739 Merge r171946.
740
741 2014-08-01 Mark Hahnenberg <mhahnenberg@apple.com>
742
743 CodeBlock fails to visit the Executables of its InlineCallFrames
744 https://bugs.webkit.org/show_bug.cgi?id=135471
745
746 Reviewed by Geoffrey Garen.
747
748 CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
749 can be prematurely collected and cause crashes.
750
751 * bytecode/CodeBlock.cpp:
752 (JSC::CodeBlock::stronglyVisitStrongReferences):
753 * bytecode/CodeOrigin.h:
754 (JSC::InlineCallFrame::visitAggregate):
755 * bytecode/InlineCallFrameSet.cpp:
756 (JSC::InlineCallFrameSet::visitAggregate):
757 * bytecode/InlineCallFrameSet.h:
758
759 2014-07-29 Matthew Hanson <matthew_hanson@apple.com>
760
761 Merge r171689. <rdar://problem/17844890>
762
763 2014-07-28 Filip Pizlo <fpizlo@apple.com>
764
765 Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
766 https://bugs.webkit.org/show_bug.cgi?id=135350
767 <rdar://problem/17509889>
768
769 Reviewed by Mark Hahnenberg and Oliver Hunt.
770
771 If we have an exiting node that uses a conversion node, then that exiting node
772 needs to have a Phantom after it for the original node. But we can't do that
773 for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
774
775 * dfg/DFGFixupPhase.cpp:
776 (JSC::DFG::FixupPhase::fixupNode):
777 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
778 * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
779 (foo):
780 (test):
781 * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
782 (foo):
783 (test):
784
785 2014-07-29 Matthew Hanson <matthew_hanson@apple.com>
786
787 Merge r171688. <rdar://problem/17364180>
788
2014-07-28 Joseph Pecoraro <pecoraro@apple.com>

JSContext Inspector: crash when using step-into
https://bugs.webkit.org/show_bug.cgi?id=135345

Reviewed by Timothy Hatcher.

* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::stepInto):
Null check m_listener since it may not be set.

2014-07-25 Lucas Forschler <lforschler@apple.com>

Merge r171578

2014-07-24 Brent Fulgham <bfulgham@apple.com>

[Win] Correct build order in JavaScriptCore.submit.sln
https://bugs.webkit.org/show_bug.cgi?id=135282
<rdar://problem/17805592>

Unreviewed build fix.

* JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
such that LLIntDesiredOffset is built prior to the rest of JSC.

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171564

2014-07-24 Mark Lam <mark.lam@apple.com>

JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
<https://webkit.org/b/135258>

Reviewed by Mark Hahnenberg.

Where needed, we cache the prototype object pointer in a stack local var.
This allows it to be scanned by the GC, and hence be kept alive until
we use it. The constructor object will in turn be kept alive by the
prototype object.

Also added some comments to warn against future code additions that could
regress this issue.

* API/JSWrapperMap.mm:
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171558

2014-07-24 Joseph Pecoraro <pecoraro@apple.com>

JSLock release should only modify the AtomicStringTable if it modified in acquire
https://bugs.webkit.org/show_bug.cgi?id=135143

Reviewed by Darin Adler.

* runtime/JSLock.cpp:
(JSC::JSLock::JSLock):
Initialize the member variable to nullptr.

(JSC::JSLock::willDestroyVM):
Update style to use nullptr instead of 0.

(JSC::JSLock::willReleaseLock):
We should only reset the thread data's atomic string table if
didAcquireLock changed it. m_entryAtomicStringTable will have
been set by didAcquireLock if it changed, or nullptr if it didn't.
This way we are sure we are balanced, regardless of m_vm changes.

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171543

2014-07-24 Mark Hahnenberg <mhahnenberg@apple.com>

Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
https://bugs.webkit.org/show_bug.cgi?id=135250

Reviewed by Geoffrey Garen.

JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
the JSProxy's prototype fixes the issue.

* API/JSValueRef.cpp:
(JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
would claim it wasn't of the specified class, even if the target was of the specified class.
* API/tests/CustomGlobalObjectClassTest.c: Added.
(jsDoSomething):
(customGlobalObjectClassTest):
* API/tests/CustomGlobalObjectClassTest.h: Added.
* API/tests/testapi.c:
(assertTrue):
(main):
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::resetPrototype):

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171395

2014-07-22 Brent Fulgham <bfulgham@apple.com>

Build fix for non-clang compile.

* jsc.cpp:
(WTF::RuntimeArray::put): Remove incorrect return statement
I added.

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171393

2014-07-22 Brent Fulgham <bfulgham@apple.com>

Build fix for non-clang compile.

* jsc.cpp:
(WTF::RuntimeArray::deleteProperty): Need (fake) return
value when NO_RETURN_DUE_TO_CRASH is not defined.

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171390

2014-07-22 Mark Lam <mark.lam@apple.com>

Array.concat() should work on runtime arrays too.
<https://webkit.org/b/135179>

Reviewed by Geoffrey Garen.

* jsc.cpp:
(WTF::RuntimeArray::create):
(WTF::RuntimeArray::~RuntimeArray):
(WTF::RuntimeArray::destroy):
(WTF::RuntimeArray::getOwnPropertySlot):
(WTF::RuntimeArray::getOwnPropertySlotByIndex):
(WTF::RuntimeArray::put):
(WTF::RuntimeArray::deleteProperty):
(WTF::RuntimeArray::getLength):
(WTF::RuntimeArray::createPrototype):
(WTF::RuntimeArray::createStructure):
(WTF::RuntimeArray::finishCreation):
(WTF::RuntimeArray::RuntimeArray):
(WTF::RuntimeArray::lengthGetter):
(GlobalObject::finishCreation):
(functionCreateRuntimeArray):
- Added support to create a runtime array for testing purposes.
* runtime/ArrayPrototype.cpp:
(JSC::getLength):
- Added fast case for when the array object is a JSArray.
(JSC::arrayProtoFuncJoin):
- Added a needed but missing exception check.
(JSC::arrayProtoFuncConcat):
- Use getLength() to compute the array length instead of assuming that
the array is a JSArray instance.
* tests/stress/regexp-matches-array.js: Added.
(testArrayConcat):
* tests/stress/runtime-array.js: Added.
(testArrayConcat):

2014-07-24 Lucas Forschler <lforschler@apple.com>

Merge r171328

2014-07-21 Mark Lam <mark.lam@apple.com>

Refactor ArrayPrototype to use getLength() and putLength() utility functions.
https://bugs.webkit.org/show_bug.cgi?id=135139.

Reviewed by Oliver Hunt.

- Specialize putProperty() to putLength() because it is only used for setting
the length property.
- Added a getLength() utility function to get the value of the length property.
- Use these getLength() and putLength() functions instead of the existing code
to get and put the length property. Less code to read, easier to understand.

* runtime/ArrayPrototype.cpp:
(JSC::getLength):
(JSC::putLength):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::putProperty): Deleted.

2014-07-23 Matthew Hanson <matthew_hanson@apple.com>

Merge r171474 (rollout r171367 from trunk)

2014-07-23 Lucas Forschler <lforschler@apple.com>

Merge r171367

2014-07-22 Joseph Pecoraro <pecoraro@apple.com>

JSLock release should only modify the AtomicStringTable if it modified in acquire
https://bugs.webkit.org/show_bug.cgi?id=135143

Reviewed by Pratik Solanki.

* runtime/JSLock.cpp:
(JSC::JSLock::willDestroyVM):
(JSC::JSLock::willReleaseLock):
Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.

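The two JSLock entries above (the r171367 version, which keyed the restore on whether there was a VM, and the r171578 version, which keys it on m_entryAtomicStringTable) describe the same balancing rule. The following is an added illustration written for this page, not WebKit's JSLock: the AtomicStringTable, ThreadData and VM types are constructed stand-ins, and the lock assumes every thread already has a table (so a non-null saved entry table means "we swapped"). It shows why the release side has to decide from what acquire recorded rather than from m_vm, which willDestroyVM can clear while the lock is held.

```cpp
// Constructed stand-ins for WTF's per-thread AtomicStringTable, the thread data
// that points at the current table, and a VM that owns its own table.
struct AtomicStringTable { int id; };
struct ThreadData { AtomicStringTable* atomicStringTable; };
struct VM { AtomicStringTable* atomicStringTable; };

// Hypothetical lock modelled on the two JSLock entries: the release side restores the
// thread's table only if the acquire side replaced it, and decides that from the saved
// entry table, not from m_vm (which willDestroyVM may clear in between).
class JSLock {
public:
    explicit JSLock(VM* vm) : m_vm(vm), m_entryAtomicStringTable(nullptr) { }

    void didAcquireLock(ThreadData& thread)
    {
        if (!m_vm)
            return;                                          // no VM: nothing swapped, nothing to restore
        m_entryAtomicStringTable = thread.atomicStringTable; // remember what we displaced
        thread.atomicStringTable = m_vm->atomicStringTable;
    }

    void willDestroyVM(VM* vm)
    {
        if (m_vm == vm)
            m_vm = nullptr;
    }

    void willReleaseLock(ThreadData& thread)
    {
        // Keyed on the saved table, so acquire and release stay balanced even if m_vm changed.
        if (m_entryAtomicStringTable) {
            thread.atomicStringTable = m_entryAtomicStringTable;
            m_entryAtomicStringTable = nullptr;
        }
    }

private:
    VM* m_vm;
    AtomicStringTable* m_entryAtomicStringTable;
};

// Scenario the r171578 wording covers: the VM goes away while the lock is still held.
// Returns true if the thread ends up pointing at its own table again.
static bool releaseRestoresTableAfterVMDestruction()
{
    AtomicStringTable threadTable = { 1 };
    AtomicStringTable vmTable = { 2 };
    ThreadData thread = { &threadTable };
    VM vm = { &vmTable };

    JSLock lock(&vm);
    lock.didAcquireLock(thread);
    bool swappedIn = thread.atomicStringTable == &vmTable;
    lock.willDestroyVM(&vm);       // m_vm is now null; a release keyed on m_vm would skip the restore
    lock.willReleaseLock(thread);
    return swappedIn && thread.atomicStringTable == &threadTable;
}

// Scenario with no VM: acquire must not swap, so release must not touch the table either.
static bool releaseLeavesTableAloneWithoutVM()
{
    AtomicStringTable threadTable = { 1 };
    ThreadData thread = { &threadTable };

    JSLock lock(nullptr);
    lock.didAcquireLock(thread);
    lock.willReleaseLock(thread);
    return thread.atomicStringTable == &threadTable;
}
```

The first scenario is the one a check on m_vm gets wrong: after willDestroyVM the VM is gone but the thread still points at the VM's table, so skipping the restore leaves a dangling table pointer in thread data. Recording the displaced value at acquire time and restoring exactly that is the general pattern for any swap-in/swap-out of thread-local state.
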
2014-07-23 Lucas Forschler <lforschler@apple.com>

Merge r171355

2014-07-21 Sam Weinig <sam@webkit.org>

[Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
https://bugs.webkit.org/show_bug.cgi?id=135148

Reviewed by Geoffrey Garen.

* runtime/CommonIdentifiers.h:
Add a common identifier for the string "webkit".

2014-07-23 Lucas Forschler <lforschler@apple.com>

Merge r171354

2014-07-22 Filip Pizlo <fpizlo@apple.com>

ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
https://bugs.webkit.org/show_bug.cgi?id=135155
<rdar://problem/17763909>

Reviewed by Oliver Hunt.

The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
contradiction, and that this is OK. In this case, we were speculating cell on an int.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
* tests/stress/regress-135155.js: Added.
(run.t.length):
(run):

2014-07-22 Dana Burkart <dburkart@apple.com>

Merge r171228.

2014-07-18 Filip Pizlo <fpizlo@apple.com>

Fix cloop build.

* jsc.cpp:
(jscmain):

2014-07-22 Dana Burkart <dburkart@apple.com>

Merge r171213.

2014-07-15 Filip Pizlo <fpizlo@apple.com>

Need ability to fuzz exception throwing
https://bugs.webkit.org/show_bug.cgi?id=134945
<rdar://problem/17722027>

Reviewed by Sam Weinig.

Adds the ability to instrument exception checks, and to force some random
exception check to artificially throw an exception. Also adds new tests that
are suitable for testing this. Note that this is closely tied to the Tools
directory changes that are also part of this changeset.

This also fixes an activation tear-off bug that arises if we ever throw an
exception from operationOptimize, or if due to some other bug it's only due
to the operationOptimize exception check that we realize that there is an
exception to be thrown.

* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::fastExceptionCheck):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::callCheck):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitExceptionCheck):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITOperations.cpp:
(JSC::numberOfExceptionFuzzChecks):
* jit/JITOperations.h:
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:
* tests/exceptionFuzz.yaml: Added.
* tests/exceptionFuzz: Added.
* tests/exceptionFuzz/3d-cube.js: Added.
* tests/exceptionFuzz/date-format-xparb.js: Added.
* tests/exceptionFuzz/earley-boyer.js: Added.

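The exception-fuzzing technique the 2014-07-15 entry above describes (count the exception checks on one run, then force each one in turn to behave as if an exception were pending) is illustrated below in an added example written for this page; it is not JSC's AssemblyHelpers::callExceptionFuzz or numberOfExceptionFuzzChecks. The toy runtime, the fuzz state and the RAII Activation standing in for the activation tear-off the entry mentions are all constructed here.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

// Hypothetical fuzz state (constructed for this example): the runtime counts exception
// checks, and can be told to make check number `fireAt` behave as if an exception were pending.
struct ExceptionFuzz {
    uint64_t checksSeen = 0;
    uint64_t fireAt = 0;     // 0 disables fuzzing
};
static ExceptionFuzz g_fuzz;

// Every "did the callee throw?" test in the toy runtime goes through here.
static void exceptionCheck()
{
    ++g_fuzz.checksSeen;
    if (g_fuzz.fireAt && g_fuzz.checksSeen == g_fuzz.fireAt)
        throw std::runtime_error("fuzzed exception at check " + std::to_string(g_fuzz.checksSeen));
}

// Stand-in for an activation that must be torn off on every exit path, including unwinding.
struct Activation {
    int& live;
    explicit Activation(int& counter) : live(counter) { ++live; }
    ~Activation() { --live; }
};

// Toy compiled function: three "calls", each followed by an exception check, then one more
// check standing in for the operationOptimize check the entry mentions.
static int runProgram(int& liveActivations)
{
    Activation frame(liveActivations);
    int acc = 0;
    for (int i = 1; i <= 3; ++i) {
        acc += i;
        exceptionCheck();
    }
    exceptionCheck();
    return acc;
}

struct FuzzReport {
    uint64_t totalChecks;        // checks counted on the unfuzzed run
    uint64_t throwsObserved;     // forced throws that reached the driver
    bool allActivationsTornDown; // invariant: no activation left live after any throw
};

// Pass 1 counts the checks; passes 2..N+1 force each check in turn to throw and verify that
// unwinding left no activation live. A leak here is the class of bug the entry fixed.
static FuzzReport fuzzExceptionChecks()
{
    FuzzReport report = { 0, 0, true };
    int live = 0;

    g_fuzz.checksSeen = 0;
    g_fuzz.fireAt = 0;
    runProgram(live);
    report.totalChecks = g_fuzz.checksSeen;

    for (uint64_t k = 1; k <= report.totalChecks; ++k) {
        g_fuzz.checksSeen = 0;
        g_fuzz.fireAt = k;
        live = 0;
        try {
            runProgram(live);
        } catch (const std::runtime_error&) {
            ++report.throwsObserved;
        }
        if (live != 0)
            report.allActivationsTornDown = false;
    }
    g_fuzz.fireAt = 0;
    return report;
}
```

Exhaustively firing each check is what makes this a test rather than random fault injection: every exception check in the program becomes a point where unwinding is exercised, so a path that forgets to tear off its activation (or any other resource tied to the frame) is found deterministically instead of depending on a real exception happening to occur there.
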
2014-07-22 Dana Burkart <dburkart@apple.com>

Merge r171204.

2014-07-17 Joseph Pecoraro <pecoraro@apple.com>

Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html

Rubber-stamped by Alexey Proskuryakov.

Null / empty titles should be fine. Tests pass in release builds
which allowed empty titles, and it looks like the LegacyProfiler
stopProfiling handles empty titles as expected already.

* profiler/LegacyProfiler.cpp:
(JSC::LegacyProfiler::startProfiling):

2014-07-22 Dana Burkart <dburkart@apple.com>

Merge r171190.

2014-07-16 Filip Pizlo <fpizlo@apple.com>

DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
https://bugs.webkit.org/show_bug.cgi?id=134988
<rdar://problem/17706349>

Reviewed by Oliver Hunt.

Luckily, we also don't need this optimization to be super powerful: the only place
where it really matters is for getting rid of the redundancy between op_enter and
op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
two things. This change updates the store eliminator to know about only that small,
obviously safe, set of nodes over which we can store-eliminate.

This shouldn't have any performance impact in the DFG because this optimization kicks
in relatively rarely already. And once we tier up into the FTL, we get a much better
store elimination over LLVM IR, so this really shouldn't matter at all.

The tricky part of this patch is that there is a close relative of this optimization,
for uncaptured variables that got flushed. This happens for arguments to inlined calls.
I make this work by splitting it into two different store eliminators.

Note that in the process of crafting the tests, I realized that we were incorrectly
DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
to a check node followed by the actual allocation.

* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
(JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
* dfg/DFGNodeType.h:
* tests/stress/capture-escape-and-throw.js: Added.
(foo.f):
(foo):
* tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
(foo):
(bar):

2014-07-17 Dean Jackson <dino@apple.com>

<rdar://problem/17675068> Disable some features on this branch.

Reviewed originally by Simon Fraser.

Disable:
- CSS_EXCLUSIONS
- CSS_GRID_LAYOUT
- INPUT_TYPE_COLOR
- INPUT_TYPE_COLOR_POPUP
- CANVAS_PATH
- CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
- INDIE_UI
- SHARED_WORKERS
- NAVIGATOR_HWCONCURRENCY
- GAMEPAD
- PICTURE_SIZES
- CSS3_CONDITIONAL_RULES
- WILL_REVEAL_EDGE_EVENTS

* Configurations/FeatureDefines.xcconfig:

2014-07-15 Benjamin Poulain <benjamin@webkit.org>

Reduce the overhead of updating the AssemblerBuffer
https://bugs.webkit.org/show_bug.cgi?id=134659

Reviewed by Gavin Barraclough.

In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
there.

On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
to get the real address of a label. That is done by reusing the memory of AssemblerData.

To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
to make clang give up a bunch of optimizations.

This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.

Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
specific way that would make it unusable for the Assembler.

-- Technical details --

From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
exactly what code accesses the Assembler instance. The code that does access the instance is then moved
to the beginning, before we modify anything.

The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).

-- Perf impact --

This does not put us back exactly where we were before r164548 due to the missing inline buffer. Still, it is very close.
On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
time by ~20%.

I could not measure any difference on x86_64.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::jumpSizeDelta):
(JSC::ARM64Assembler::canCompact):
(JSC::ARM64Assembler::computeJumpType):
(JSC::ARM64Assembler::link):
(JSC::ARM64Assembler::recordLinkOffsets): Deleted.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::ifThenElseConditionBit):
(JSC::ARMv7Assembler::ifThenElse):
(JSC::ARMv7Assembler::jumpSizeDelta):
(JSC::ARMv7Assembler::canCompact):
(JSC::ARMv7Assembler::computeJumpType):
(JSC::ARMv7Assembler::link):
(JSC::ARMv7Assembler::linkJumpT1):
(JSC::ARMv7Assembler::linkJumpT3):
(JSC::ARMv7Assembler::linkConditionalJumpT4):
(JSC::ARMv7Assembler::linkConditionalBX):
(JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerData::AssemblerData):
(JSC::AssemblerData::operator=):
(JSC::AssemblerData::~AssemblerData):
(JSC::AssemblerData::buffer):
(JSC::AssemblerData::capacity):
(JSC::AssemblerData::grow):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::isAvailable):
(JSC::AssemblerBuffer::data):
(JSC::AssemblerBuffer::releaseAssemblerData):
(JSC::AssemblerBuffer::putIntegral):
(JSC::AssemblerBuffer::putIntegralUnchecked):
(JSC::AssemblerBuffer::append):
(JSC::AssemblerBuffer::grow):
(JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
(JSC::AssemblerBuffer::storage): Deleted.
* assembler/LinkBuffer.cpp:
(JSC::recordLinkOffsets):
(JSC::LinkBuffer::copyCompactAndLinkCode):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::executableOffsetFor):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::canCompact):
(JSC::MacroAssemblerARM64::computeJumpType):
(JSC::MacroAssemblerARM64::jumpSizeDelta):
(JSC::MacroAssemblerARM64::link):
(JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::canCompact):
(JSC::MacroAssemblerARMv7::computeJumpType):
(JSC::MacroAssemblerARMv7::jumpSizeDelta):
(JSC::MacroAssemblerARMv7::link):
(JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.

2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>

Stores to PropertyTable use the Structure as the owner
https://bugs.webkit.org/show_bug.cgi?id=134595

Reviewed by Darin Adler.

Since PropertyTable is the object that does the marking of these references, it should be the owner.

Also removed some unused parameters to other methods that historically used the Structure as the owner.

* runtime/JSPropertyNameIterator.h:
(JSC::StructureRareData::setEnumerationCache):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::putSpecificValue):
* runtime/Structure.h:
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
* runtime/StructureRareData.h:
* runtime/StructureRareDataInlines.h:
(JSC::StructureRareData::setPreviousID):
(JSC::StructureRareData::setObjectToStringValue):

2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>

ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
https://bugs.webkit.org/show_bug.cgi?id=134928

Reviewed by Andreas Kling.

* bytecode/CodeBlock.h:
(JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.

2014-07-15 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>

Buildfix if LLINT_SLOW_PATH_TRACING is enabled
https://bugs.webkit.org/show_bug.cgi?id=133790

Reviewed by Mark Lam.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-07-14 Filip Pizlo <fpizlo@apple.com>

Allow for Int52Rep to see things other than Int32, and make this testable
https://bugs.webkit.org/show_bug.cgi?id=134873
<rdar://problem/17641915>

Reviewed by Geoffrey Garen and Mark Hahnenberg.

A major premise of our type inference is that prediction propagation can say whatever it
wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
We required some kind of agreement between prediction propagation and fixup over which
data flow paths were Int52 and which weren't.

It turns out that we basically had such an agreement, with the exception of code that was
unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
be a bug! Normally, we allow sloppiness in prediction propagation.

This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
empowered Int52Rep is actually correct - in case we end up using it on paths other than
ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
this intrinsic. This means that we're now stressing Int52Rep more so than ever before!

Note that it would still be a bug for prediction propagation to ever cause us to create an
Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
a crash bug.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::isMachineIntConstant):
* dfg/DFGNode.h:
(JSC::DFG::Node::isMachineIntConstant):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertMachineInt):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
(JSC::DFG::isDouble):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
(JSC::FTL::LowerDFGToLLVM::doubleToInt32):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
(JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
(JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
* jit/JITOperations.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionIdentity):
* runtime/Intrinsic.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::tryConvertToInt52):
(JSC::isInt52):
(JSC::JSValue::isMachineInt):
* tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/dead-fiat-double-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52.js: Added.
(foo):
* tests/stress/fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/int52-force-osr-exit-path.js: Added.
(foo):

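The Int52Rep entry above lists tryConvertToInt52 and isInt52 among the changed functions. What follows is an added example written for this page, not the code from JSCJSValueInlines.h: a from-scratch double-to-Int52 conversion with the edge cases such a conversion must reject, plus a constructed Value model of the inputs an Int52Rep node now has to accept (Int32, Double, or something else that fails speculation). The range [-2^51, 2^51) is simply what a 52-bit signed integer covers; the sentinel value, the Value type and the function names are this example's own.

```cpp
#include <cmath>
#include <cstdint>

// A 52-bit signed integer covers [-2^51, 2^51). The sentinel sits just outside it.
static const int64_t kInt52Min = -(static_cast<int64_t>(1) << 51);
static const int64_t kInt52Max = (static_cast<int64_t>(1) << 51) - 1;
static const int64_t kNotInt52 = static_cast<int64_t>(1) << 52;

// Double -> Int52, or kNotInt52 when the double is not exactly an integer in range.
// NaN, infinities, fractions, -0 and out-of-range values are all rejected; the range test
// happens in double space so the cast to int64_t is never applied to an unrepresentable value.
static int64_t tryConvertDoubleToInt52(double number)
{
    if (std::isnan(number) || std::isinf(number))
        return kNotInt52;
    if (number < static_cast<double>(kInt52Min) || number > static_cast<double>(kInt52Max))
        return kNotInt52;
    int64_t asInt = static_cast<int64_t>(number);
    if (static_cast<double>(asInt) != number)
        return kNotInt52;                       // fractional part present
    if (asInt == 0 && std::signbit(number))
        return kNotInt52;                       // -0 has no integer form
    return asInt;
}

static bool isInt52Double(double number)
{
    return tryConvertDoubleToInt52(number) != kNotInt52;
}

// Constructed model of the inputs an Int52Rep node can now receive. Before the change the
// node only had to handle Int32; now a Double is converted when it fits, and anything else
// (strings, objects, ...) is a failed speculation, reported here as kNotInt52.
enum class ValueKind { Int32, Double, Other };
struct Value {
    ValueKind kind;
    int32_t int32;
    double doubleValue;
};

static int64_t valueToInt52(const Value& v)
{
    switch (v.kind) {
    case ValueKind::Int32:
        return v.int32;                                 // every Int32 is an Int52
    case ValueKind::Double:
        return tryConvertDoubleToInt52(v.doubleValue);  // only exact in-range integers
    case ValueKind::Other:
    default:
        return kNotInt52;                               // speculation failure: an OSR exit in the DFG
    }
}
```

The order of the checks matters for memory safety as much as for correctness: casting an out-of-range or non-finite double to int64_t is undefined behaviour in C++, so the range comparison has to run on the double before the cast, and the exactness test (cast back and compare) is what keeps 2^51 and 1.5 out while letting every integer below 2^51 through.
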
1506 2014-07-14 Mark Hahnenberg <mhahnenberg@apple.com>
1507
1508 Flattening dictionaries with oversize backing stores can cause crashes
1509 https://bugs.webkit.org/show_bug.cgi?id=134906
1510
1511 Reviewed by Filip Pizlo.
1512
1513 The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
1514 of the CopiedBlock header. This was always the case except for when flattening a dictionary
1515 caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
1516 Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
1517 would no longer be within the first 32 KB of the CopiedBlock and the next collection would
1518 choke on the Butterfly pointer.
1519
1520 This patch fixes this issue by detect this situation during flattening and memmove-ing
1521 the Butterfly down to where the old base was.
1522
1523 * runtime/JSObject.cpp:
1524 (JSC::JSObject::shiftButterflyAfterFlattening):
1525 * runtime/JSObject.h:
1526 (JSC::JSObject::butterflyPreCapacity):
1527 (JSC::JSObject::butterflyTotalSize):
1528 * runtime/Structure.cpp:
1529 (JSC::Structure::flattenDictionaryStructure):
1530 * tests/stress/flatten-oversize-dictionary-object.js: Added.
1531 (foo):
1532
1533 2014-07-14 Benjamin Poulain <benjamin@webkit.org>
1534
1535 Remove some dead code from FTLJITFinalizer
1536 https://bugs.webkit.org/show_bug.cgi?id=134874
1537
1538 Reviewed by Geoffrey Garen.
1539
1540 Not sure what that code was for...but it does not do anything :)
1541
1542 * ftl/FTLJITFinalizer.cpp:
1543 (JSC::FTL::JITFinalizer::finalizeFunction):
1544 The pointer of the label is computed but never used.
1545
1546 * ftl/FTLJITFinalizer.h:
1547 * ftl/FTLLink.cpp:
1548 (JSC::FTL::link):
1549 The label is never set to anything.
1550
1551 2014-07-14 Bear Travis <betravis@adobe.com>
1552
1553 [Feature Queries] Enable Feature Queries on Mac
1554 https://bugs.webkit.org/show_bug.cgi?id=134404
1555
1556 Reviewed by Antti Koivisto.
1557
1558 Enable Feature Queries on Mac and resume running the
1559 feature tests.
1560
1561 * Configurations/FeatureDefines.xcconfig: Turn on
1562 ENABLE_CSS3_CONDITIONAL_RULES.
1563
1564 2014-07-11 Joseph Pecoraro <pecoraro@apple.com>
1565
1566 Web Inspector: Debugger Pause button does not work
1567 https://bugs.webkit.org/show_bug.cgi?id=134785
1568
1569 Reviewed by Timothy Hatcher.
1570
1571 * CMakeLists.txt:
1572 * DerivedSources.make:
1573 Minification strips the sourceURL command. Add it back with minification.
1574
1575 2014-07-11 peavo@outlook.com <peavo@outlook.com>
1576
1577 [Win] Enable DFG JIT.
1578 https://bugs.webkit.org/show_bug.cgi?id=123615
1579
1580 Reviewed by Mark Lam.
1581
1582 When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
1583 the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
1584 Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
1585 since the register allocation differs on 64-bit Windows.
1586
1587 * assembler/MacroAssemblerX86_64.h:
1588 (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
1589 * jit/CCallHelpers.h:
1590 (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
1591 (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
1592 * jit/JIT.h:
1593 (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
1594 * jit/JITInlines.h:
1595 (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
1596 (JSC::JIT::callOperation): Call new method.
1597
1598 2014-07-09 Benjamin Poulain <benjamin@webkit.org>
1599
1600 Use 16bits instructions for push/pop on ARMv7 when possible
1601 https://bugs.webkit.org/show_bug.cgi?id=134753
1602
1603 Reviewed by Geoffrey Garen.
1604
1605 The patch r170839 mixed the code for push/pop pair and single push/pop.
1606 That part was reverted in r170909.
1607
1608 This patch puts the code back but specialized for single push/pop.
1609
1610 * assembler/ARMv7Assembler.h:
1611 (JSC::ARMv7Assembler::pop):
1612 (JSC::ARMv7Assembler::push):
1613 * assembler/MacroAssemblerARMv7.h:
1614 (JSC::MacroAssemblerARMv7::pop):
1615 (JSC::MacroAssemblerARMv7::push):
1616
1617 2014-07-09 Brent Fulgham <bfulgham@apple.com>
1618
1619 [Win] Remove uses of 'bash' in build system
1620 https://bugs.webkit.org/show_bug.cgi?id=134782
1621 <rdar://problem/17615533>
1622
1623 Reviewed by Dean Jackson.
1624
1625 Remove uses of 'bash' by replacing Windows-specific bash scripts
1626 with Perl equivalents.
1627
1628 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
1629 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
1630 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
1631 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1632 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
1633 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
1634 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
1635 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
1636 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
1637 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
1638 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
1639 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
1640 * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
1641 * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
1642 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1643 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1644 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1645
1646 2014-07-09 Brent Fulgham <bfulgham@apple.com>
1647
1648 [Win] Remove use of 'grep' in build steps
1649 https://bugs.webkit.org/show_bug.cgi?id=134770
1650 <rdar://problem/17608783>
1651
1652 Reviewed by Tim Horton.
1653
1654 Replace uses of the grep command in Windows builds with the equivalent
1655 Perl program.
1656
1657 * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
1658 * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
1659 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
1660 * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
1661
1662 2014-07-08 Benjamin Poulain <benjamin@webkit.org>
1663
1664 Restore the assertion changed with 170839
1665
1666 * assembler/ARMv7Assembler.h:
1667 (JSC::ARMv7Assembler::pop):
1668 (JSC::ARMv7Assembler::push):
1669 Revert the Assembler part of 170839. The assertions do not match both encodings.
1670
1671 I'll add specific versions of push and pop instead.
1672
1673 2014-07-08 Jon Honeycutt <jhoneycutt@apple.com>
1674
1675 RemoteInspector::shared() should not call WTF::initializeMainThread()
1676 <https://bugs.webkit.org/show_bug.cgi?id=134747>
1677 <rdar://problem/17161482>
1678
1679 Reviewed by Joseph Pecoraro.
1680
1681 * inspector/remote/RemoteInspector.mm:
1682 (Inspector::RemoteInspector::shared):
1683 Don't call WTF::initializeMainThread(). WTF threading is initialized by
1684 JSC::initializeThreading().
1685
1686 2014-07-08 Andreas Kling <akling@apple.com>
1687
1688 VM::lastCachedString should be a Strong, not a Weak.
1689 <https://webkit.org/b/134746>
1690
1691 Using Weak<JSString> for this regressed some of our bindings perf tests
1692 due to Weak having to allocate a new WeakImpl every time the last cached
1693 string changed. Making it a Strong instead should make that problem go away.
1694
1695 Reviewed by Geoffrey Garen.
1696
1697 * runtime/JSString.cpp:
1698 (JSC::jsStringWithCacheSlowCase):
1699 * runtime/VM.h:
1700
1701 2014-07-07 Benjamin Poulain <bpoulain@apple.com>
1702
1703 Fix the build after r170876
1704
1705 * assembler/LinkBuffer.cpp:
1706 (JSC::LinkBuffer::linkCode):
1707
1708 2014-07-07 Benjamin Poulain <benjamin@webkit.org>
1709
1710 LinkBuffer should not keep a reference to the MacroAssembler
1711 https://bugs.webkit.org/show_bug.cgi?id=134668
1712
1713 Reviewed by Geoffrey Garen.
1714
1715 In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
1716 When that happens, the pointer m_assembler points to released memory. That was not causing
1717 issues because the attribute is not used after linking, but that was not particularly
1718 future proof.
1719
1720 This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
1721 as a reference; it is used for linking, but no reference is ever stored with the LinkBuffer.
1722
1723 While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
1724 everywhere. I refactored some #include to avoid that.
1725
1726 * assembler/LinkBuffer.cpp:
1727 (JSC::LinkBuffer::copyCompactAndLinkCode):
1728 (JSC::LinkBuffer::linkCode):
1729 * assembler/LinkBuffer.h:
1730 (JSC::LinkBuffer::LinkBuffer):
1731 * bytecode/Watchpoint.cpp:
1732 * dfg/DFGDisassembler.cpp:
1733 * dfg/DFGDisassembler.h:
1734 * dfg/DFGJITCompiler.cpp:
1735 (JSC::DFG::JITCompiler::link):
1736 (JSC::DFG::JITCompiler::linkFunction):
1737 * dfg/DFGOSRExitCompiler.cpp:
1738 * dfg/DFGPlan.cpp:
1739 * dfg/DFGThunks.cpp:
1740 (JSC::DFG::osrExitGenerationThunkGenerator):
1741 (JSC::DFG::osrEntryThunkGenerator):
1742 * ftl/FTLCompile.cpp:
1743 (JSC::FTL::generateICFastPath):
1744 (JSC::FTL::fixFunctionBasedOnStackMaps):
1745 * ftl/FTLJSCall.cpp:
1746 * ftl/FTLJSCall.h:
1747 * ftl/FTLLink.cpp:
1748 (JSC::FTL::link):
1749 * ftl/FTLLowerDFGToLLVM.cpp:
1750 * ftl/FTLOSRExitCompiler.cpp:
1751 (JSC::FTL::compileStub):
1752 * ftl/FTLThunks.cpp:
1753 (JSC::FTL::osrExitGenerationThunkGenerator):
1754 (JSC::FTL::slowPathCallThunkGenerator):
1755 * jit/ArityCheckFailReturnThunks.cpp:
1756 (JSC::ArityCheckFailReturnThunks::returnPCsFor):
1757 * jit/JIT.cpp:
1758 (JSC::JIT::privateCompile):
1759 * jit/JITCall.cpp:
1760 (JSC::JIT::privateCompileClosureCall):
1761 * jit/JITCall32_64.cpp:
1762 (JSC::JIT::privateCompileClosureCall):
1763 * jit/JITDisassembler.cpp:
1764 * jit/JITDisassembler.h:
1765 * jit/JITOpcodes.cpp:
1766 * jit/JITPropertyAccess.cpp:
1767 (JSC::JIT::stringGetByValStubGenerator):
1768 (JSC::JIT::privateCompileGetByVal):
1769 (JSC::JIT::privateCompilePutByVal):
1770 * jit/JITPropertyAccess32_64.cpp:
1771 (JSC::JIT::stringGetByValStubGenerator):
1772 * jit/RegisterPreservationWrapperGenerator.cpp:
1773 (JSC::generateRegisterPreservationWrapper):
1774 (JSC::registerRestorationThunkGenerator):
1775 * jit/Repatch.cpp:
1776 (JSC::generateByIdStub):
1777 (JSC::tryCacheGetByID):
1778 (JSC::emitPutReplaceStub):
1779 (JSC::emitPutTransitionStub):
1780 (JSC::tryRepatchIn):
1781 (JSC::linkClosureCall):
1782 * jit/SpecializedThunkJIT.h:
1783 (JSC::SpecializedThunkJIT::finalize):
1784 * jit/ThunkGenerators.cpp:
1785 (JSC::throwExceptionFromCallSlowPathGenerator):
1786 (JSC::linkForThunkGenerator):
1787 (JSC::linkClosureCallForThunkGenerator):
1788 (JSC::virtualForThunkGenerator):
1789 (JSC::nativeForGenerator):
1790 (JSC::arityFixup):
1791 * llint/LLIntThunks.cpp:
1792 (JSC::LLInt::generateThunkWithJumpTo):
1793 * yarr/YarrJIT.cpp:
1794 (JSC::Yarr::YarrGenerator::compile):
1795
1796 2014-07-07 Andreas Kling <akling@apple.com>
1797
1798 Fast path for jsStringWithCache() when asked for the same string repeatedly.
1799 <https://webkit.org/b/134635>
1800
1801 Reviewed by Darin Adler.
1802
1803 Follow-up to r170818 addressing a review comment by Geoff Garen.
1804
1805 * runtime/JSString.cpp:
1806 (JSC::jsStringWithCacheSlowCase):
1807
1808 2014-07-07 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
1809
1810 Add missing ENABLE(FTL_JIT) guards
1811 https://bugs.webkit.org/show_bug.cgi?id=134680
1812
1813 Reviewed by Darin Adler.
1814
1815 * ftl/FTLDWARFDebugLineInfo.cpp:
1816 * ftl/FTLDWARFDebugLineInfo.h:
1817 * ftl/FTLGeneratedFunction.h:
1818
1819 2014-07-07 Zan Dobersek <zdobersek@igalia.com>
1820
1821 Enable ARMv7 disassembler for the GTK port
1822 https://bugs.webkit.org/show_bug.cgi?id=134676
1823
1824 Reviewed by Benjamin Poulain.
1825
1826 * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
1827 * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
1828
1829 2014-07-06 Benjamin Poulain <benjamin@webkit.org>
1830
1831 [ARMv7] Use 16-bit instructions for push/pop when possible
1832 https://bugs.webkit.org/show_bug.cgi?id=134656
1833
1834 Reviewed by Andreas Kling.
1835
1836 * assembler/ARMv7Assembler.h:
1837 (JSC::ARMv7Assembler::pop):
1838 (JSC::ARMv7Assembler::push):
1839 (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
1840 Add the 16-bit version of push and pop.
1841
1842 * assembler/MacroAssemblerARMv7.h:
1843 (JSC::MacroAssemblerARMv7::pop):
1844 (JSC::MacroAssemblerARMv7::push):
1845 Use the new push/pop instead of a regular load/store.
1846
1847 * disassembler/ARMv7/ARMv7DOpcode.cpp:
1848 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
1849 * disassembler/ARMv7/ARMv7DOpcode.h:
1850 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
1851 Fix the disassembler for push/pop:
1852 - The register mask was on 7 bits for some reason.
1853 - The code printing the registers was comparing a register ID with a register
1854 mask.
1855
1856 2014-07-06 Yoav Weiss <yoav@yoav.ws>
1857
1858 Turn on img@sizes compile flag
1859 https://bugs.webkit.org/show_bug.cgi?id=134634
1860
1861 Reviewed by Benjamin Poulain.
1862
1863 * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
1864
1865 2014-07-06 Daewoong Jang <daewoong.jang@navercorp.com>
1866
1867 Flags value of SourceCodeKey should be unique for each case.
1868 https://bugs.webkit.org/show_bug.cgi?id=134435
1869
1870 Reviewed by Darin Adler.
1871
1872 Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
1873 the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
1874 Shift the value of CodeType one bit farther to the left so those values don't overlap.
1875
1876 * runtime/CodeCache.h:
1877 (JSC::SourceCodeKey::SourceCodeKey):
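
The bit overlap described in this entry, as an added example rather than JavaScriptCore's own code: a simplified stand-in for the m_flags packing in which the enum values, the two-bit widths and the shift amounts (1 before, 2 after) are assumptions chosen to mirror the description, not the real SourceCodeKey layout.

```cpp
// Added example (not JavaScriptCore code): a simplified stand-in for the
// SourceCodeKey m_flags packing. Enum values and shift widths are assumptions;
// only the shift-by-one vs. shift-by-two difference mirrors the fix.
#include <cstddef>
#include <set>

enum CodeType { GlobalCode = 0, EvalCode = 1, FunctionCode = 2 };
enum JSParserStrictness { JSParseNormal = 0, JSParseBuiltin = 1, JSParseStrict = 2 };

// Both enums need two bits (values 0..2). Packing CodeType at shift 1 leaves
// bit 1 shared with JSParserStrictness; shift 2 separates the two fields.
static unsigned packFlags(CodeType type, JSParserStrictness strictness, unsigned codeTypeShift)
{
    return (static_cast<unsigned>(type) << codeTypeShift) | static_cast<unsigned>(strictness);
}

// Number of distinct m_flags values the nine (CodeType, strictness) pairs produce.
// A non-overlapping packing yields 9; the overlapping one collapses some pairs.
static std::size_t distinctFlagValues(unsigned codeTypeShift)
{
    std::set<unsigned> seen;
    for (int type = GlobalCode; type <= FunctionCode; ++type)
        for (int strictness = JSParseNormal; strictness <= JSParseStrict; ++strictness)
            seen.insert(packFlags(static_cast<CodeType>(type),
                                  static_cast<JSParserStrictness>(strictness), codeTypeShift));
    return seen.size();
}

// One concrete collision caused by the overlap: strict global code and non-strict
// eval code. With shift 1 both pack to 0b10; with shift 2 they are 0b0010 and 0b0100.
static bool strictGlobalCollidesWithEval(unsigned codeTypeShift)
{
    return packFlags(GlobalCode, JSParseStrict, codeTypeShift)
        == packFlags(EvalCode, JSParseNormal, codeTypeShift);
}

int main()
{
    // A code cache keyed on colliding flags could hand back an entry compiled for a
    // different (type, strictness) combination, so every pair must map to its own value.
    return distinctFlagValues(2) == 9 && !strictGlobalCollidesWithEval(2) ? 0 : 1;
}
```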
1878
1879 2014-07-04 Andreas Kling <akling@apple.com>
1880
1881 Fast path for jsStringWithCache() when asked for the same string repeatedly.
1882 <https://webkit.org/b/134635>
1883
1884 Also moved the whole thing from WebCore to JavaScriptCore since it
1885 makes more sense here, and inlined the lightweight checks, leaving only
1886 the hashmap stuff out of line.
1887
1888 Reviewed by Darin Adler.
1889
1890 * runtime/JSString.cpp:
1891 (JSC::jsStringWithCacheSlowCase):
1892 * runtime/JSString.h:
1893 (JSC::jsStringWithCache):
1894 * runtime/VM.h:
1895
1896 2014-07-03 Daniel Bates <dabates@apple.com>
1897
1898 Add WTF::move()
1899 https://bugs.webkit.org/show_bug.cgi?id=134500
1900
1901 Rubber-stamped by Anders Carlsson.
1902
1903 Substitute WTF::move() for std::move().
1904
1905 * bytecode/CodeBlock.h:
1906 * bytecode/UnlinkedCodeBlock.cpp:
1907 * bytecompiler/BytecodeGenerator.cpp:
1908 * dfg/DFGGraph.cpp:
1909 * dfg/DFGJITCompiler.cpp:
1910 * dfg/DFGStackLayoutPhase.cpp:
1911 * dfg/DFGWorklist.cpp:
1912 * heap/DelayedReleaseScope.h:
1913 * heap/HeapInlines.h:
1914 [...]
1915
1916 2014-07-03 Filip Pizlo <fpizlo@apple.com>
1917
1918 SSA DCE should process blocks in forward order
1919 https://bugs.webkit.org/show_bug.cgi?id=134611
1920
1921 Reviewed by Andreas Kling.
1922
1923 * dfg/DFGDCEPhase.cpp:
1924 (JSC::DFG::DCEPhase::run):
1925 * ftl/FTLLowerDFGToLLVM.cpp:
1926 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1927 * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
1928 (foo):
1929
1930 2014-07-03 Filip Pizlo <fpizlo@apple.com>
1931
1932 JSActivation::symbolTablePut() should invalidate variable watchpoints
1933 https://bugs.webkit.org/show_bug.cgi?id=134602
1934
1935 Reviewed by Oliver Hunt.
1936
1937 Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
1938 during linking - we essentially assume that if it's at all possible for an inner function to store to a
1939 variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
1940 JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
1941 JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
1942 duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
1943
1944 * runtime/JSActivation.cpp:
1945 (JSC::JSActivation::symbolTablePut):
1946 * runtime/JSSymbolTableObject.h:
1947 (JSC::symbolTablePut):
1948 * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
1949 (.):
1950
1951 2014-07-01 Mark Lam <mark.lam@apple.com>
1952
1953 Debugger's breakpoint list should not be a Vector.
1954 <https://webkit.org/b/134514>
1955
1956 Reviewed by Geoffrey Garen.
1957
1958 The debugger currently stores breakpoint data as entries in a Vector (see
1959 BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
1960 the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
1961 compact or reallocate its backing store, this can cause all sorts of havoc.
1962 The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
1963 move in memory.
1964
1965 The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
1966 doubly linked list.
1967
1968 * debugger/Breakpoint.h:
1969 (JSC::Breakpoint::Breakpoint):
1970 (JSC::BreakpointsList::~BreakpointsList):
1971 * debugger/Debugger.cpp:
1972 (JSC::Debugger::setBreakpoint):
1973 (JSC::Debugger::removeBreakpoint):
1974 (JSC::Debugger::hasBreakpoint):
1975 * debugger/Debugger.h:
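
The pointer-stability problem this entry fixes, as an added example that is not JavaScriptCore's code: a Vector reallocates and moves its elements, so raw pointers held in a side map go stale, while nodes of a doubly linked list (std::list here, standing in for WTF's BreakpointsList) never move. The Breakpoint fields and the class API are assumptions modelled on the setBreakpoint/removeBreakpoint/hasBreakpoint names listed above.

```cpp
// Added example (not JavaScriptCore code). Breakpoint fields and the class API
// are assumptions modelled on the names in the ChangeLog entry.
#include <cstddef>
#include <list>
#include <unordered_map>
#include <vector>

struct Breakpoint {
    unsigned id;
    unsigned line;
};

// Vector backing store: counts how often push_back moved every element to a new
// allocation. Each reallocation leaves any Breakpoint* taken earlier dangling,
// which is exactly the state an id -> Breakpoint* map would be left in.
static unsigned vectorReallocations(unsigned breakpointCount)
{
    std::vector<Breakpoint> breakpoints;
    std::size_t capacity = breakpoints.capacity();
    unsigned reallocations = 0;
    for (unsigned i = 0; i < breakpointCount; ++i) {
        breakpoints.push_back({i, 10 * i});
        if (breakpoints.capacity() != capacity) {
            ++reallocations;
            capacity = breakpoints.capacity();
        }
    }
    return reallocations;
}

// Linked-list backing store: nodes never move, so the id -> Breakpoint* map
// stays valid across inserts and removals.
class BreakpointList {
public:
    unsigned setBreakpoint(unsigned line)
    {
        unsigned id = m_nextID++;
        m_breakpoints.push_back({id, line});
        m_idToBreakpoint[id] = &m_breakpoints.back();
        return id;
    }

    bool removeBreakpoint(unsigned id)
    {
        auto found = m_idToBreakpoint.find(id);
        if (found == m_idToBreakpoint.end())
            return false;
        const Breakpoint* target = found->second;
        m_idToBreakpoint.erase(found);
        // Locate the node by address; an intrusive list (as WTF uses) would unlink it directly.
        for (auto it = m_breakpoints.begin(); it != m_breakpoints.end(); ++it) {
            if (&*it == target) {
                m_breakpoints.erase(it);
                return true;
            }
        }
        return false;
    }

    bool hasBreakpoint(unsigned line) const
    {
        for (const Breakpoint& breakpoint : m_breakpoints)
            if (breakpoint.line == line)
                return true;
        return false;
    }

    // Every map entry must still point at a live node carrying its id.
    bool mapIsConsistent() const
    {
        if (m_idToBreakpoint.size() != m_breakpoints.size())
            return false;
        for (const auto& entry : m_idToBreakpoint)
            if (entry.second->id != entry.first)
                return false;
        return true;
    }

private:
    std::list<Breakpoint> m_breakpoints;
    std::unordered_map<unsigned, Breakpoint*> m_idToBreakpoint;
    unsigned m_nextID = 1;
};

// Insert many breakpoints, remove every other one, and report whether the map survived.
static bool listMapSurvivesChurn(unsigned breakpointCount)
{
    BreakpointList list;
    std::vector<unsigned> ids;
    for (unsigned i = 0; i < breakpointCount; ++i)
        ids.push_back(list.setBreakpoint(100 + i));
    for (std::size_t i = 0; i < ids.size(); i += 2)
        list.removeBreakpoint(ids[i]);
    return list.mapIsConsistent() && !list.hasBreakpoint(100) && list.hasBreakpoint(101);
}
```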
1976
1977 2014-06-30 Michael Saboff <msaboff@apple.com>
1978
1979 Add option to run-jsc-stress-tests to filter out tests that use large heaps
1980 https://bugs.webkit.org/show_bug.cgi?id=134458
1981
1982 Reviewed by Filip Pizlo.
1983
1984 Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
1985
1986 * tests/mozilla/mozilla-tests.yaml:
1987
1988 2014-06-30 Daniel Bates <dabates@apple.com>
1989
1990 Avoid copying closed variables vector; actually use move semantics
1991
1992 Rubber-stamped by Oliver Hunt.
1993
1994 Currently we always copy the closed variables vector passed by Parser::closedVariables()
1995 to ProgramNode::setClosedVariables() because these member functions return and take a const
1996 rvalue reference, respectively. Instead, these member functions should take and return a
1997 non-constant rvalue reference so that we actually move the closed variables vector from the Parser
1998 object to the Node object.
1999
2000 * parser/Nodes.cpp:
2001 (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
2002 * parser/Nodes.h:
2003 (JSC::ScopeNode::setClosedVariables): Ditto.
2004 * parser/Parser.h:
2005 (JSC::Parser::closedVariables): Remove const qualifier on return type.
2006 (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
2007 because Parser::closedVariables() returns an rvalue reference.
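
Why the const qualifier defeated the move, shown as an added example that is not JavaScriptCore's code: ParserBefore/NodeBefore mirror the const rvalue-reference signatures this entry describes, ParserAfter/NodeAfter the fixed ones, and Tracked is an assumed stand-in for the closed-variables Vector that only counts copies and moves.

```cpp
// Added example (not JavaScriptCore code). Tracked stands in for the
// closed-variables Vector; the Parser*/Node* types mirror only the signatures
// described in the entry, not the real classes.
#include <string>
#include <utility>
#include <vector>

struct Tracked {
    static int copies;
    static int moves;
    std::vector<std::string> names;

    Tracked() = default;
    Tracked(const Tracked& other) : names(other.names) { ++copies; }
    Tracked(Tracked&& other) noexcept : names(std::move(other.names)) { ++moves; }
};
int Tracked::copies = 0;
int Tracked::moves = 0;

struct Result {
    int copies;
    int moves;
    int transferred; // number of names that reached the Node
};

// Before: closedVariables() returns const T&& and setClosedVariables takes const T&&.
// A const rvalue can only bind to the copy constructor, so the payload is copied.
struct ParserBefore {
    Tracked closed;
    const Tracked&& closedVariables() { return std::move(closed); }
};
struct NodeBefore {
    Tracked closed;
    explicit NodeBefore(const Tracked&& variables) : closed(variables) { }
};

// After: both sides use a non-const rvalue reference, so the Vector is moved.
struct ParserAfter {
    Tracked closed;
    Tracked&& closedVariables() { return std::move(closed); }
};
struct NodeAfter {
    Tracked closed;
    explicit NodeAfter(Tracked&& variables) : closed(std::move(variables)) { }
};

static Result transferBefore()
{
    Tracked::copies = Tracked::moves = 0;
    ParserBefore parser;
    parser.closed.names = {"x", "y", "z"};
    // Wrapping the call in std::move() does not help: std::move of a const object
    // yields const T&&, which still selects the copy constructor.
    NodeBefore node(std::move(parser.closedVariables()));
    return {Tracked::copies, Tracked::moves, static_cast<int>(node.closed.names.size())};
}

static Result transferAfter()
{
    Tracked::copies = Tracked::moves = 0;
    ParserAfter parser;
    parser.closed.names = {"x", "y", "z"};
    // closedVariables() already returns an rvalue reference, so no std::move() is needed.
    NodeAfter node(parser.closedVariables());
    return {Tracked::copies, Tracked::moves, static_cast<int>(node.closed.names.size())};
}
```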
2008
2009 2014-06-30 Joseph Pecoraro <pecoraro@apple.com>
2010
2011 JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
2012 https://bugs.webkit.org/show_bug.cgi?id=134371
2013
2014 Reviewed by Timothy Hatcher.
2015
2016 * API/JSContextPrivate.h:
2017 * API/JSContext.mm:
2018 (-[JSContext _debuggerRunLoop]):
2019 (-[JSContext _setDebuggerRunLoop:]):
2020 Private API for setting the CFRunLoop for a debugger to evaluate in.
2021
2022 * API/JSContextRefInternal.h: Added.
2023 * API/JSContextRef.cpp:
2024 (JSGlobalContextGetDebuggerRunLoop):
2025 (JSGlobalContextSetDebuggerRunLoop):
2026 Internal API for setting a CFRunLoop on a JSContextRef.
2027 Set this on the debuggable.
2028
2029 * inspector/remote/RemoteInspectorDebuggable.h:
2030 * inspector/remote/RemoteInspectorDebuggableConnection.h:
2031 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
2032 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
2033 (Inspector::RemoteInspectorBlock::operator=):
2034 (Inspector::RemoteInspectorBlock::operator()):
2035 Moved into the header.
2036
2037 * runtime/JSGlobalObject.h:
2038 (JSC::JSGlobalObject::inspectorDebuggable):
2039 Let's store the RunLoop on the debuggable instead of this core
2040 platform agnostic class, so expose the debuggable.
2041
2042 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
2043 (Inspector::RemoteInspectorHandleRunSourceGlobal):
2044 (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
2045 (Inspector::RemoteInspectorInitializeGlobalQueue):
2046 Rename the global functions for clarity.
2047
2048 (Inspector::RemoteInspectorHandleRunSourceWithInfo):
2049 Handler for private run loops.
2050
2051 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2052 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
2053 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
2054 (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2055 (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
2056 (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
2057 Set up, tear down and use private run loop sources if the debuggable needs them.
2058
2059 2014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
2060
2061 Add missing ENABLE(DFG_JIT) guards
2062 https://bugs.webkit.org/show_bug.cgi?id=134444
2063
2064 Reviewed by Darin Adler.
2065
2066 * dfg/DFGFunctionWhitelist.cpp:
2067 * dfg/DFGFunctionWhitelist.h:
2068
2069 2014-06-29 Yoav Weiss <yoav@yoav.ws>
2070
2071 Add support for HTMLImageElement's sizes attribute
2072 https://bugs.webkit.org/show_bug.cgi?id=133620
2073
2074 Reviewed by Dean Jackson.
2075
2076 Added an ENABLE_PICTURE_SIZES compile flag.
2077
2078 * Configurations/FeatureDefines.xcconfig:
2079
2080 2014-06-27 Filip Pizlo <fpizlo@apple.com>
2081
2082 Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
2083 https://bugs.webkit.org/show_bug.cgi?id=134412
2084
2085 Reviewed by Mark Hahnenberg.
2086
2087 * dfg/DFGCSEPhase.cpp:
2088 (JSC::DFG::CSEPhase::setReplacement):
2089 * dfg/DFGStrengthReductionPhase.cpp:
2090 (JSC::DFG::StrengthReductionPhase::handleNode):
2091 * dfg/DFGValidate.cpp:
2092 (JSC::DFG::Validate::validate):
2093 * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
2094 (foo):
2095 (bar):
2096 (baz):
2097
2098 2014-06-27 Peyton Randolph <prandolph@apple.com>
2099
2100 Add feature flag for link long-press gesture.
2101 https://bugs.webkit.org/show_bug.cgi?id=134262
2102
2103 Reviewed by Enrica Casucci.
2104
2105 * Configurations/FeatureDefines.xcconfig:
2106 Add ENABLE_LINK_LONG_PRESS.
2107
2108 2014-06-27 László Langó <llango.u-szeged@partner.samsung.com>
2109
2110 [JavaScriptCore] FTL buildfix for EFL platform.
2111 https://bugs.webkit.org/show_bug.cgi?id=133546
2112
2113 Reviewed by Darin Adler.
2114
2115 * ftl/FTLAbstractHeap.cpp:
2116 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
2117 * ftl/FTLLocation.cpp:
2118 (JSC::FTL::Location::forStackmaps):
2119 * ftl/FTLLowerDFGToLLVM.cpp:
2120 (JSC::FTL::LowerDFGToLLVM::opposite):
2121 * ftl/FTLOSRExitCompiler.cpp:
2122 (JSC::FTL::compileStub):
2123 * ftl/FTLStackMaps.cpp:
2124 (JSC::FTL::StackMaps::Constant::dump):
2125 * llvm/InitializeLLVMPOSIX.cpp:
2126 (JSC::initializeLLVMPOSIX):
2127
2128 2014-06-26 Benjamin Poulain <benjamin@webkit.org>
2129
2130 iOS 8 beta 2 ES6 'Set' clear() broken
2131 https://bugs.webkit.org/show_bug.cgi?id=134346
2132
2133 Reviewed by Oliver Hunt.
2134
2135 The object map was not cleared :(.
2136
2137 Kudos to Ashley Gullen for tracking this and making a regression test.
2138 Credit to Oliver for finding the missing code.
2139
2140 * runtime/MapData.h:
2141 (JSC::MapData::clear):
2142
2143 2014-06-25 Brent Fulgham <bfulgham@apple.com>
2144
2145 [Win] Expose Cache Information to WinLauncher
2146 https://bugs.webkit.org/show_bug.cgi?id=134318
2147
2148 Reviewed by Dean Jackson.
2149
2150 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
2151 MemoryStatistics files to the Windows build.
2152 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2153
2154 2014-06-26 David Kilzer <ddkilzer@apple.com>
2155
2156 DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
2157 <http://webkit.org/b/134343>
2158 <rdar://problem/17459487>
2159
2160 Reviewed by Michael Saboff.
2161
2162 * dfg/DFGFunctionWhitelist.cpp:
2163 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
2164 Close the file handle, and log an error on failure.
2165
2166 2014-06-25 Dana Burkart <dburkart@apple.com>
2167
2168 Add support for 5-tuple versioning.
2169
2170 Reviewed by David Farler.
2171
2172 * Configurations/Version.xcconfig:
2173
2174 2014-06-25 Geoffrey Garen <ggaren@apple.com>
2175
2176 Build fix.
2177
2178 Unreviewed.
2179
2180 * runtime/JSDateMath.cpp:
2181 (JSC::parseDateFromNullTerminatedCharacters):
2182 * runtime/VM.cpp:
2183 (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
2184 constant since that constant doesn't exist anymore.
2185
2186 2014-06-25 Geoffrey Garen <ggaren@apple.com>
2187
2188 Unreviewed, rolling out r166876.
2189
2190 Caused some ECMA test262 failures
2191
2192 Reverted changeset:
2193
2194 "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
2195 https://bugs.webkit.org/show_bug.cgi?id=131248
2196 http://trac.webkit.org/changeset/166876
2197
2198 2014-06-25 Brent Fulgham <bfulgham@apple.com>
2199
2200 [Win] Unreviewed gardening.
2201
2202 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
2203 put various files in proper IDE categories.
2204
2205 2014-06-25 peavo@outlook.com <peavo@outlook.com>
2206
2207 [Win64] ASM LLINT is not enabled.
2208 https://bugs.webkit.org/show_bug.cgi?id=130638
2209
2210 This patch adds a new LLINT assembler backend for Win64, and implements it.
2211 It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
2212 Also, LLINT and JIT are enabled for Win64.
2213
2214 Reviewed by Mark Lam.
2215
2216 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
2217 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2218 * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
2219 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
2220 * assembler/MacroAssemblerX86_64.h:
2221 (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
2222 * jit/JITStubsMSVC64.asm: Added.
2223 * jit/Repatch.cpp:
2224 (JSC::emitPutTransitionStub): Compile fix.
2225 * jit/ThunkGenerators.cpp:
2226 (JSC::nativeForGenerator): Follow Win64 ABI spec.
2227 * llint/LLIntData.cpp:
2228 (JSC::LLInt::Data::performAssertions): Ditto.
2229 * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
2230 * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
2231 * llint/LowLevelInterpreter64.asm: Ditto.
2232 * offlineasm/asm.rb: Compile fix.
2233 * offlineasm/backends.rb: Add new llint backend for Win64.
2234 * offlineasm/settings.rb: Compile fix.
2235 * offlineasm/x86.rb: Implement new llint Win64 backend.
2236
2237 2014-06-25 Laszlo Gombos <l.gombos@samsung.com>
2238
2239 Remove build guard for progress element
2240 https://bugs.webkit.org/show_bug.cgi?id=134292
2241
2242 Reviewed by Benjamin Poulain.
2243
2244 * Configurations/FeatureDefines.xcconfig:
2245
2246 2014-06-24 Michael Saboff <msaboff@apple.com>
2247
2248 Add support routines to provide descriptive JavaScript backtraces
2249 https://bugs.webkit.org/show_bug.cgi?id=134278
2250
2251 Reviewed by Mark Lam.
2252
2253 * interpreter/CallFrame.cpp:
2254 (JSC::CallFrame::dump):
2255 (JSC::CallFrame::describeFrame):
2256 * interpreter/CallFrame.h:
2257 * runtime/JSCJSValue.cpp:
2258 (JSC::JSValue::dumpForBacktrace):
2259 * runtime/JSCJSValue.h:
2260
2261 2014-06-24 Brady Eidson <beidson@apple.com>
2262
2263 Enable GAMEPAD in the Mac build, but keep it disabled at runtime.
2264 https://bugs.webkit.org/show_bug.cgi?id=134255
2265
2266 Reviewed by Dean Jackson.
2267
2268 * Configurations/FeatureDefines.xcconfig:
2269
2270 * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
2271 functions at runtime.
2272
2273 2014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>
2274
2275 REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
2276 https://bugs.webkit.org/show_bug.cgi?id=134046
2277
2278 Reviewed by Filip Pizlo.
2279
2280 * runtime/GetterSetter.h:
2281 (JSC::asGetterSetter):
2282 * runtime/JSObject.cpp:
2283 (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
2284 a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
2285 and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2286
2287 2014-06-24 Brent Fulgham <bfulgham@apple.com>
2288
2289 [Win] MSVC mishandles enums in bitfields
2290 https://bugs.webkit.org/show_bug.cgi?id=134237
2291
2292 Reviewed by Michael Saboff.
2293
2294 Replace uses of enum types in bit fields with unsigned to
2295 avoid losing a bit to hold the sign value. This can result
2296 in Windows interpreting the value of the field improperly.
2297
2298 * bytecode/StructureStubInfo.h:
2299 * parser/Nodes.h:
2300
2301 2014-06-23 Andreas Kling <akling@apple.com>
2302
2303 Inline the UnlinkedInstructionStream::Reader logic.
2304 <https://webkit.org/b/134203>
2305
2306 This class is only used by CodeBlock to unpack the unlinked instructions,
2307 and we were spending 0.5% of total time on PLT calling Reader::next().
2308 Move the logic to the header file and mark it ALWAYS_INLINE.
2309
2310 Reviewed by Geoffrey Garen.
2311
2312 * bytecode/UnlinkedInstructionStream.cpp:
2313 * bytecode/UnlinkedInstructionStream.h:
2314 (JSC::UnlinkedInstructionStream::Reader::Reader):
2315 (JSC::UnlinkedInstructionStream::Reader::read8):
2316 (JSC::UnlinkedInstructionStream::Reader::read32):
2317 (JSC::UnlinkedInstructionStream::Reader::next):
2318
2319 2014-06-20 Sam Weinig <sam@webkit.org>
2320
2321 Remove static tables for bindings that use eager reification
2322 https://bugs.webkit.org/show_bug.cgi?id=134126
2323
2324 Reviewed by Oliver Hunt.
2325
2326 * runtime/JSObject.cpp:
2327 (JSC::JSObject::putDirectCustomAccessor):
2328 * runtime/Structure.h:
2329 (JSC::Structure::setHasCustomGetterSetterProperties):
2330 Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
2331 the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
2332 Without this, JSObject::put() won't think there are any setters on the prototype chain of an
2333 object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2334
2335 2014-06-21 Brady Eidson <beidson@apple.com>
2336
2337 Gamepad API - Deprecate the existing implementation
2338 https://bugs.webkit.org/show_bug.cgi?id=134108
2339
2340 Reviewed by Timothy Hatcher.
2341
2342 - Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2343 - Move some implementation files into a "deprecated" subdirectory.
2344
2345 * Configurations/FeatureDefines.xcconfig:
2346
2347 2014-06-21 Commit Queue <commit-queue@webkit.org>
2348
2349 Unreviewed, rolling out r170244.
2350 https://bugs.webkit.org/show_bug.cgi?id=134157
2351
2352 GTK/EFL bindings generator works differently, making this
2353 patch not work there. Will fix entire patch after a rollout.
2354 (Requested by bradee-oh on #webkit).
2355
2356 Reverted changeset:
2357
2358 "Gamepad API - Deprecate the existing implementation"
2359 https://bugs.webkit.org/show_bug.cgi?id=134108
2360 http://trac.webkit.org/changeset/170244
2361
2362 2014-06-21 Brady Eidson <beidson@apple.com>
2363
2364 Gamepad API - Deprecate the existing implementation
2365 https://bugs.webkit.org/show_bug.cgi?id=134108
2366
2367 Reviewed by Timothy Hatcher.
2368
2369 - Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
2370 - Add the "Deprecated" suffix to some implementation files
2371
2372 * Configurations/FeatureDefines.xcconfig:
2373
2374 2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2375
2376 Removing PAGE_VISIBILITY_API compile guard.
2377 https://bugs.webkit.org/show_bug.cgi?id=133844
2378
2379 Reviewed by Gavin Barraclough.
2380
2381 * Configurations/FeatureDefines.xcconfig:
2382
2383 2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
2384
2385 ARM traditional buildfix after r169942.
2386 https://bugs.webkit.org/show_bug.cgi?id=134100
2387
2388 Reviewed by Zoltan Herczeg.
2389
2390 * assembler/MacroAssemblerARM.h:
2391 (JSC::MacroAssemblerARM::abortWithReason): Added.
2392
2393 2014-06-20 Andreas Kling <akling@apple.com>
2394
2395 [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
2396 <https://webkit.org/b/134112>
2397
2398 Reviewed by Mark Hahnenberg.
2399
2400 * heap/BlockAllocator.h:
2401
2402 2014-06-19 Alex Christensen <achristensen@webkit.org>
2403
2404 Unreviewed fix after r170130.
2405
2406 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
2407 Corrected directory so it can find common.props when opening Visual Studio.
2408
2409 2014-06-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
2410
2411 Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
2412 https://bugs.webkit.org/show_bug.cgi?id=130389
2413
2414 Reviewed by Mark Lam.
2415
2416 Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
2417 into !ENABLE(JIT) since they are mutually exclusive.
2418
2419 * CMakeLists.txt:
2420 * assembler/MacroAssemblerCodeRef.h:
2421 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2422 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2423 * assembler/MaxFrameExtentForSlowPathCall.h:
2424 * bytecode/CallLinkStatus.cpp:
2425 (JSC::CallLinkStatus::computeFromLLInt):
2426 * bytecode/CodeBlock.cpp:
2427 (JSC::dumpStructure):
2428 (JSC::CodeBlock::printGetByIdCacheStatus):
2429 (JSC::CodeBlock::printCallOp):
2430 (JSC::CodeBlock::CodeBlock):
2431 (JSC::CodeBlock::~CodeBlock):
2432 (JSC::CodeBlock::propagateTransitions):
2433 (JSC::CodeBlock::finalizeUnconditionally):
2434 (JSC::CodeBlock::unlinkCalls):
2435 (JSC::CodeBlock::unlinkIncomingCalls):
2436 (JSC::CodeBlock::linkIncomingCall):
2437 (JSC::CodeBlock::frameRegisterCount):
2438 * bytecode/CodeBlock.h:
2439 * bytecode/GetByIdStatus.cpp:
2440 (JSC::GetByIdStatus::computeFromLLInt):
2441 * bytecode/Opcode.h:
2442 (JSC::padOpcodeName):
2443 * bytecode/PutByIdStatus.cpp:
2444 (JSC::PutByIdStatus::computeFromLLInt):
2445 * bytecompiler/BytecodeGenerator.cpp:
2446 (JSC::BytecodeGenerator::emitCall):
2447 (JSC::BytecodeGenerator::emitConstruct):
2448 * heap/Heap.cpp:
2449 (JSC::Heap::gatherJSStackRoots):
2450 * interpreter/Interpreter.cpp:
2451 (JSC::Interpreter::initialize):
2452 (JSC::Interpreter::isOpcode):
2453 * interpreter/Interpreter.h:
2454 (JSC::Interpreter::getOpcodeID):
2455 * interpreter/JSStack.cpp:
2456 (JSC::JSStack::JSStack):
2457 (JSC::JSStack::committedByteCount):
2458 * interpreter/JSStack.h:
2459 * interpreter/JSStackInlines.h:
2460 (JSC::JSStack::ensureCapacityFor):
2461 (JSC::JSStack::topOfFrameFor):
2462 (JSC::JSStack::setStackLimit):
2463 * jit/ExecutableAllocatorFixedVMPool.cpp:
2464 (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2465 * jit/JIT.h:
2466 (JSC::JIT::compileCTINativeCall):
2467 * jit/JITExceptions.h:
2468 * jit/JITThunks.cpp:
2469 (JSC::JITThunks::ctiNativeCall):
2470 (JSC::JITThunks::ctiNativeConstruct):
2471 * llint/LLIntCLoop.cpp:
2472 * llint/LLIntCLoop.h:
2473 * llint/LLIntData.cpp:
2474 (JSC::LLInt::initialize):
2475 (JSC::LLInt::Data::performAssertions):
2476 * llint/LLIntData.h:
2477 (JSC::LLInt::Data::performAssertions): Deleted.
2478 * llint/LLIntEntrypoint.cpp:
2479 * llint/LLIntEntrypoint.h:
2480 * llint/LLIntExceptions.cpp:
2481 * llint/LLIntExceptions.h:
2482 * llint/LLIntOfflineAsmConfig.h:
2483 * llint/LLIntOffsetsExtractor.cpp:
2484 (JSC::LLIntOffsetsExtractor::dummy):
2485 * llint/LLIntOpcode.h:
2486 * llint/LLIntSlowPaths.cpp:
2487 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2488 * llint/LLIntSlowPaths.h:
2489 * llint/LLIntThunks.cpp:
2490 * llint/LLIntThunks.h:
2491 * llint/LowLevelInterpreter.cpp:
2492 * llint/LowLevelInterpreter.h:
2493 * runtime/CommonSlowPaths.cpp:
2494 * runtime/CommonSlowPaths.h:
2495 * runtime/ErrorHandlingScope.cpp:
2496 (JSC::ErrorHandlingScope::ErrorHandlingScope):
2497 (JSC::ErrorHandlingScope::~ErrorHandlingScope):
2498 * runtime/Executable.cpp:
2499 (JSC::setupLLInt):
2500 * runtime/InitializeThreading.cpp:
2501 (JSC::initializeThreading):
2502 * runtime/JSCJSValue.h:
2503 * runtime/JSCJSValueInlines.h:
2504 * runtime/Options.cpp:
2505 (JSC::recomputeDependentOptions):
2506 * runtime/VM.cpp:
2507 (JSC::VM::VM):
2508 (JSC::sanitizeStackForVM):
2509 * runtime/VM.h:
2510 (JSC::VM::canUseJIT): Deleted.
2511
2512 2014-06-18 Alex Christensen <achristensen@webkit.org>
2513
2514 Add FTL to Windows build.
2515 https://bugs.webkit.org/show_bug.cgi?id=134015
2516
2517 Reviewed by Filip Pizlo.
2518
2519 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2520 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2521 Added ftl source files.
2522 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
2523 Added ftl and llvm directories to include path.
2524 * JavaScriptCore.vcxproj/libllvmForJSC: Added.
2525 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
2526 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
2527 * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
2528 * ftl/FTLLowerDFGToLLVM.cpp:
2529 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
2530 MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
2531 * llvm/InitializeLLVMWin.cpp: Added.
2532 (JSC::initializeLLVMImpl):
2533 Implemented dynamic loading and linking for Windows.
2534
2535 2014-06-18 Alex Christensen <achristensen@webkit.org>
2536
2537 Unreviewed build fix after r170107.
2538
2539 * dfg/DFGSpeculativeJIT.cpp:
2540 (JSC::DFG::SpeculativeJIT::compileArithMod):
2541 Use non-template sub for armv7s.
2542
2543 2014-06-18 David Kilzer <ddkilzer@apple.com>
2544
2545 -[JSContext setName:] leaks NSString
2546 <http://webkit.org/b/134038>
2547
2548 Reviewed by Joseph Pecoraro.
2549
2550 Fixes the following static analyzer warning:
2551
2552 JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
2553 JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
2554 ^
2555
2556 * API/JSContext.mm:
2557 (-[JSContext setName:]): Autorelease the copy of |name|.
2558
2559 2014-06-18 Mark Lam <mark.lam@apple.com>
2560
2561 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
2562 <https://webkit.org/b/133994>
2563
2564 Reviewed by Geoffrey Garen.
2565
2566 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
2567 because it means two unfortunate things:
2568 - It will probably break for zero.
2569 - It will think that -0 is the same as +0 under some circumstances, since
2570 -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
2571
2572 The fix is to use std::unordered_map which does not require special empty
2573 and deleted values, and to use the raw bits instead of the double value as
2574 the key.
2575
2576 * dfg/DFGGraph.h:
2577 * dfg/DFGJITCompiler.cpp:
2578 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2579
2580 2014-06-18 Alex Christensen <achristensen@webkit.org>
2581
2582 Remove duplicate code using sdiv.
2583 https://bugs.webkit.org/show_bug.cgi?id=133764
2584
2585 Reviewed by Daniel Bates.
2586
2587 * assembler/ARMv7Assembler.h:
2588 (JSC::ARMv7Assembler::sdiv):
2589 Make sdiv a template to match arm64.
2590 * dfg/DFGSpeculativeJIT.cpp:
2591 (JSC::DFG::SpeculativeJIT::compileArithDiv):
2592 (JSC::DFG::SpeculativeJIT::compileArithMod):
2593 Remove duplicate code that was identical except for sdiv not being a template.
2594
2595 2014-06-17 Commit Queue <commit-queue@webkit.org>
2596
2597 Unreviewed, rolling out r170082.
2598 https://bugs.webkit.org/show_bug.cgi?id=134006
2599
2600 Breaks build. (Requested by mlam on #webkit).
2601
2602 Reverted changeset:
2603
2604 "DFGGraph::m_doubleConstantMap will not map 0 values
2605 correctly."
2606 https://bugs.webkit.org/show_bug.cgi?id=133994
2607 http://trac.webkit.org/changeset/170082
2608
2609 2014-06-17 Mark Lam <mark.lam@apple.com>
2610
2611 DFGGraph::m_doubleConstantMap will not map 0 values correctly.
2612 <https://webkit.org/b/133994>
2613
2614 Reviewed by Geoffrey Garen.
2615
2616 DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
2617 because it means two unfortunate things:
2618 - It will probably break for zero.
2619 - It will think that -0 is the same as +0 under some circumstances, since
2620 -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
2621
2622 The fix is to use std::unordered_map which does not require special empty
2623 and deleted values, and to use the raw bits instead of the double value as
2624 the key.
2625
2626 * dfg/DFGGraph.h:
2627 * dfg/DFGJITCompiler.cpp:
2628 (JSC::DFG::JITCompiler::addressOfDoubleConstant):
2629
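As an added illustration of the two entries above (example code, not WebKit/JavaScriptCore code), here is a miniature constant pool in the shape of DFGGraph::m_doubleConstantsMap built on std::unordered_map, keyed once on the double itself and once on its raw IEEE-754 bits; the class and function names are invented for the example. It reproduces the -0/+0 collision and the NaN non-equality problem; the separate point about zero clashing with WTF::HashMap's reserved empty value does not arise here because std::unordered_map reserves no sentinel key.

```cpp
// Added illustration, not JavaScriptCore code: a tiny double-constant pool keyed
// first on the double value and then on its raw IEEE-754 bits, to show why the
// ChangeLog entry above switches the map key to the raw bits.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <limits>
#include <unordered_map>
#include <vector>

// Reinterpret a double as its 64-bit pattern (memcpy avoids aliasing UB).
uint64_t bitsOf(double value)
{
    static_assert(sizeof(uint64_t) == sizeof(double), "double must be 64 bits");
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof(bits));
    return bits;
}

// Key function for the buggy variant: the double is used as the key directly.
double doubleAsKey(double value) { return value; }

// Constant pool: maps a key derived from the constant to its slot and keeps the
// constant values so simulated JIT code can fetch them back by slot.
template <typename Key, Key (*toKey)(double)>
class ConstantTable {
public:
    // Returns the slot holding `value`, registering it first if it is new.
    size_t slotFor(double value)
    {
        Key key = toKey(value);
        auto it = m_slots.find(key);
        if (it != m_slots.end())
            return it->second;
        size_t slot = m_constants.size();
        m_constants.push_back(value);
        m_slots.emplace(key, slot);
        return slot;
    }
    double constantAt(size_t slot) const { return m_constants.at(slot); }
    size_t size() const { return m_constants.size(); }

private:
    std::unordered_map<Key, size_t> m_slots;
    std::vector<double> m_constants;
};

// Buggy shape: lookups use IEEE-754 ==, under which -0.0 == +0.0 and NaN != NaN.
using DoubleKeyedConstants = ConstantTable<double, doubleAsKey>;
// Fixed shape: lookups compare bit patterns, so -0.0 (sign bit set) is its own key.
using BitsKeyedConstants = ConstantTable<uint64_t, bitsOf>;

// A code block first registers +0.0, later asks for -0.0, then computes 1/constant.
// The double-keyed pool hands back the +0.0 slot, flipping the result from -inf to +inf.
template <typename Table>
double reciprocalOfRegisteredNegativeZero()
{
    Table table;
    table.slotFor(0.0);
    size_t slot = table.slotFor(-0.0);
    return 1.0 / table.constantAt(slot);
}

// NaN never compares equal to itself, so a double-keyed pool cannot find an
// existing NaN entry and allocates a fresh slot per request; the bits key dedupes it.
template <typename Table>
size_t slotsUsedForRepeatedNaN(int requests)
{
    Table table;
    double nan = std::numeric_limits<double>::quiet_NaN();
    for (int i = 0; i < requests; ++i)
        table.slotFor(nan);
    return table.size();
}

int main()
{
    std::cout << "double key: 1/-0 -> " << reciprocalOfRegisteredNegativeZero<DoubleKeyedConstants>() << '\n';
    std::cout << "bits key:   1/-0 -> " << reciprocalOfRegisteredNegativeZero<BitsKeyedConstants>() << '\n';
    std::cout << "double key: NaN x3 uses " << slotsUsedForRepeatedNaN<DoubleKeyedConstants>(3) << " slots\n";
    std::cout << "bits key:   NaN x3 uses " << slotsUsedForRepeatedNaN<BitsKeyedConstants>(3) << " slots\n";
    return 0;
}
```
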
2630 2014-06-17 Oliver Hunt <oliver@apple.com>
2631
2632 Fix error messages for incorrect hex literals
2633 https://bugs.webkit.org/show_bug.cgi?id=133998
2634
2635 Reviewed by Mark Lam.
2636
2637 Ensure that the error messages for bogus hex literals actually
2638 make sense.
2639
2640 * parser/Lexer.cpp:
2641 (JSC::Lexer<T>::lex):
2642 * parser/ParserTokens.h:
2643
2644 2014-06-17 Matthew Mirman <mmirman@apple.com>
2645
2646 Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
2647 https://bugs.webkit.org/show_bug.cgi?id=133814
2648
2649 Reviewed by Filip Pizlo.
2650
2651 Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
2652 script from using "*.o" as a file when no other files in the directory exist.
2653
2654 * build-symbol-table-index.sh: Added license.
2655 * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2656
2657 2014-06-16 Sam Weinig <sam@webkit.org>
2658
2659 Move forward declaration of bindings static functions into their implementation files
2660 https://bugs.webkit.org/show_bug.cgi?id=133943
2661
2662 Reviewed by Geoffrey Garen.
2663
2664 * runtime/CommonIdentifiers.h:
2665 Add a few identifiers that are needed by the DOM.
2666
2667 2014-06-16 Mark Lam <mark.lam@apple.com>
2668
2669 Parser statementDepth accounting needs to account for when a function body excludes its braces.
2670 <https://webkit.org/b/133832>
2671
2672 Reviewed by Oliver Hunt.
2673
2674 In some cases (e.g. when a Function object is instantiated from a string), the
2675 function body source may not include its braces. The parser needs to account
2676 for this when calculating its statementDepth.
2677
2678 * bytecode/UnlinkedCodeBlock.cpp:
2679 (JSC::generateFunctionCodeBlock):
2680 (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2681 * bytecode/UnlinkedCodeBlock.h:
2682 * parser/Parser.cpp:
2683 (JSC::Parser<LexerType>::parseStatement):
2684 - Also fixed the error message for declaring nested functions in strict mode
2685 to be more accurate.
2686 * parser/Parser.h:
2687 (JSC::Parser<LexerType>::parse):
2688 (JSC::parse):
2689 * runtime/Executable.cpp:
2690 (JSC::ScriptExecutable::newCodeBlockFor):
2691
2692 2014-06-16 Juergen Ributzka <juergen@apple.com>
2693
2694 Change the order of the alias analysis passes to align with the opt pipeline of LLVM
2695 https://bugs.webkit.org/show_bug.cgi?id=133753
2696
2697 Reviewed by Geoffrey Garen.
2698
2699 The order in which the alias analysis passes are added also affects the
2700 order in which they are utilized. Change the order to align with the
2701 one used by LLVM itself. The last alias analysis pass added will be
2702 evaluated first. With this change we first perform a basic alias
2703 analysis and then use the type-based alias analysis (if required).
2704
2705 * ftl/FTLCompile.cpp:
2706 (JSC::FTL::compile):
2707
2708 2014-06-16 Juergen Ributzka <juergen@apple.com>
2709
2710 Fix the arguments passed to the LLVM dylib
2711 https://bugs.webkit.org/show_bug.cgi?id=133757
2712
2713 Reviewed by Geoffrey Garen.
2714
2715 The LLVM command line argument parser assumes that the first argument
2716 is the program name. We need to add a fake program name, otherwise the
2717 first argument will be parsed as program name and ignored.
2718
2719 * llvm/library/LLVMExports.cpp:
2720 (initializeAndGetJSCLLVMAPI):
2721
2722 2014-06-16 Michael Saboff <msaboff@apple.com>
2723
2724 Convert ASSERT in inlineFunctionForCapabilityLevel to early return
2725 https://bugs.webkit.org/show_bug.cgi?id=133903
2726
2727 Reviewed by Mark Hahnenberg.
2728
2729 Hardened code by converting ASSERT to return CannotCompile.
2730
2731 * dfg/DFGCapabilities.h:
2732 (JSC::DFG::inlineFunctionForCapabilityLevel):
2733
2734 2014-06-13 Sam Weinig <sam@webkit.org>
2735
2736 Store DOM constants directly in the JS object rather than jumping through a custom accessor
2737 https://bugs.webkit.org/show_bug.cgi?id=133898
2738
2739 Reviewed by Oliver Hunt.
2740
2741 * runtime/Lookup.h:
2742 (JSC::HashTableValue::attributes):
2743 Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
2744 and it will make adding more flags possible.
2745
2746 (JSC::HashTableValue::propertyGetter):
2747 (JSC::HashTableValue::propertyPutter):
2748 Change assertion to use BuiltinOrFunctionOrConstant.
2749
2750 (JSC::HashTableValue::constantInteger):
2751 Added.
2752
2753 (JSC::getStaticPropertySlot):
2754 (JSC::getStaticValueSlot):
2755 Use PropertySlot::setValue() for constants during static lookup.
2756
2757 (JSC::reifyStaticProperties):
2758 Put the constant directly on the object when eagerly reifying.
2759
2760 * runtime/PropertySlot.h:
2761 Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2762
2763 2014-06-14 Michael Saboff <msaboff@apple.com>
2764
2765 operationCreateArguments could cause a GC during OSR exit
2766 https://bugs.webkit.org/show_bug.cgi?id=133905
2767
2768 Reviewed by Filip Pizlo.
2769
2770 Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
2771 for use by OSR exit stubs.
2772
2773 * dfg/DFGOSRExitCompilerCommon.cpp:
2774 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
2775 * dfg/DFGOperations.cpp:
2776 * dfg/DFGOperations.h:
2777 * jit/JITOperations.cpp:
2778 * jit/JITOperations.h:
2779
2780 2014-06-13 Mark Hahnenberg <mhahnenberg@apple.com>
2781
2782 OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
2783 https://bugs.webkit.org/show_bug.cgi?id=133880
2784
2785 Reviewed by Filip Pizlo.
2786
2787 We could have exited due to a value received from an inlined block that's no longer on
2788 the stack, so we should just barrier all InlineCallFrames.
2789
2790 * dfg/DFGOSRExitCompilerCommon.cpp:
2791 (JSC::DFG::adjustAndJumpToTarget):
2792
2793 2014-06-13 Alex Christensen <achristensen@webkit.org>
2794
2795 Make css jit compile for armv7.
2796 https://bugs.webkit.org/show_bug.cgi?id=133596
2797
2798 Reviewed by Benjamin Poulain.
2799
2800 * assembler/MacroAssembler.h:
2801 Use branchPtr on ARM_THUMB2.
2802 * assembler/MacroAssemblerARMv7.h:
2803 (JSC::MacroAssemblerARMv7::addPtrNoFlags):
2804 (JSC::MacroAssemblerARMv7::or32):
2805 (JSC::MacroAssemblerARMv7::test32):
2806 (JSC::MacroAssemblerARMv7::branch):
2807 (JSC::MacroAssemblerARMv7::branchPtr):
2808 Added macros necessary for css jit.
2809
2810 2014-06-13 Filip Pizlo <fpizlo@apple.com>
2811
2812 Unreviewed, fix ARMv7.
2813
2814 * assembler/MacroAssemblerARMv7.h:
2815 (JSC::MacroAssemblerARMv7::abortWithReason):
2816
2817 2014-06-12 Filip Pizlo <fpizlo@apple.com>
2818
2819 Even better diagnostics from DFG traps
2820 https://bugs.webkit.org/show_bug.cgi?id=133836
2821
2822 Reviewed by Oliver Hunt.
2823
2824 We now stuff the DFG::NodeType into a register before bailing. Also made the
2825 DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
2826 different numbers than any previous abort reasons.
2827
2828 * assembler/AbortReason.h:
2829 * assembler/MacroAssemblerARM64.h:
2830 (JSC::MacroAssemblerARM64::abortWithReason):
2831 * assembler/MacroAssemblerARMv7.h:
2832 (JSC::MacroAssemblerARMv7::abortWithReason):
2833 * assembler/MacroAssemblerX86.h:
2834 (JSC::MacroAssemblerX86::abortWithReason):
2835 * assembler/MacroAssemblerX86_64.h:
2836 (JSC::MacroAssemblerX86_64::abortWithReason):
2837 * dfg/DFGSpeculativeJIT.cpp:
2838 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2839 (JSC::DFG::SpeculativeJIT::bail):
2840 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2841 * dfg/DFGSpeculativeJIT.h:
2842
2843 2014-06-12 Simon Fraser <simon.fraser@apple.com>
2844
2845 Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
2846 https://bugs.webkit.org/show_bug.cgi?id=133840
2847
2848 Reviewed by Filip Pizlo.
2849
2850 Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
2851 when running DFG tests.
2852
2853 * API/JSCTestRunnerUtils.cpp:
2854 (JSC::numberOfDFGCompiles):
2855 (JSC::setNeverInline):
2856
2857 2014-06-12 Brent Fulgham <bfulgham@apple.com>
2858
2859 [Win] Avoid fork bomb during build
2860 https://bugs.webkit.org/show_bug.cgi?id=133837
2861 <rdar://problem/17296034>
2862
2863 Reviewed by Tim Horton.
2864
2865 * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
2866 reasonable default value when the 'num-cpus' script is not available.
2867
2868 2014-06-12 Mark Lam <mark.lam@apple.com>
2869
2870 Remove some dead / unused code.
2871 <https://webkit.org/b/133828>
2872
2873 Reviewed by Filip Pizlo.
2874
2875 * builtins/BuiltinExecutables.cpp:
2876 (JSC::BuiltinExecutables::createBuiltinExecutable):
2877 * bytecode/UnlinkedCodeBlock.cpp:
2878 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
2879 * bytecode/UnlinkedCodeBlock.h:
2880 (JSC::UnlinkedFunctionExecutable::create):
2881 * bytecompiler/BytecodeGenerator.h:
2882 (JSC::BytecodeGenerator::makeFunction):
2883 * parser/Parser.h:
2884 (JSC::DepthManager::DepthManager): Deleted.
2885 (JSC::DepthManager::~DepthManager): Deleted.
2886 * runtime/CodeCache.cpp:
2887 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2888
2889 2014-06-12 Mark Hahnenberg <mhahnenberg@apple.com>
2890
2891 Move structureHasRareData out of TypeInfo
2892 https://bugs.webkit.org/show_bug.cgi?id=133800
2893
2894 Reviewed by Andreas Kling.
2895
2896 StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
2897 but we have a few spare bits in Structure so it would be nice to remove this hack.
2898
2899 * runtime/JSTypeInfo.h:
2900 (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
2901 (JSC::TypeInfo::structureHasRareData): Deleted.
2902 * runtime/Structure.cpp:
2903 (JSC::Structure::Structure):
2904 (JSC::Structure::allocateRareData):
2905 (JSC::Structure::cloneRareDataFrom):
2906 * runtime/Structure.h:
2907 (JSC::Structure::previousID):
2908 (JSC::Structure::objectToStringValue):
2909 (JSC::Structure::setObjectToStringValue):
2910 (JSC::Structure::setPreviousID):
2911 (JSC::Structure::clearPreviousID):
2912 (JSC::Structure::previous):
2913 (JSC::Structure::rareData):
2914 * runtime/StructureInlines.h:
2915 (JSC::Structure::setEnumerationCache):
2916 (JSC::Structure::enumerationCache):
2917
2918 2014-06-12 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
2919
2920 Allow enum guards to be generated from the replay json files
2921 https://bugs.webkit.org/show_bug.cgi?id=133399
2922
2923 Reviewed by Csaba Osztrogonác.
2924
2925 * replay/scripts/CodeGeneratorReplayInputs.py:
2926 (Type.__init__):
2927 (InputsModel.parse_type_with_framework_name):
2928 (Generator.generate_header):
2929 (Generator.generate_implementation):
2930 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
2931 (Test::HandleWheelEvent::HandleWheelEvent):
2932 (Test::HandleWheelEvent::~HandleWheelEvent):
2933 (JSC::InputTraits<Test::HandleWheelEvent>::type):
2934 (JSC::InputTraits<Test::HandleWheelEvent>::encode):
2935 (JSC::InputTraits<Test::HandleWheelEvent>::decode):
2936 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
2937 (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
2938 * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
2939 (JSC::InputTraits<Test::HandleWheelEvent>::queue):
2940 (Test::HandleWheelEvent::platformEvent):
2941 * replay/scripts/tests/generate-enum-with-guard.json: Added.
2942
2943 2014-06-12 Carlos Garcia Campos <cgarcia@igalia.com>
2944
2945 Unreviewed. Fix GTK+ build after r169823.
2946
2947 Include StructureInlines.h in a few more files to fix linking
2948 issues due to JSC::Structure::get undefined symbol.
2949
2950 * runtime/ArrayIteratorConstructor.cpp:
2951 * runtime/ArrayIteratorPrototype.cpp:
2952 * runtime/JSConsole.cpp:
2953 * runtime/JSMapIterator.cpp:
2954 * runtime/JSSet.cpp:
2955 * runtime/JSSetIterator.cpp:
2956 * runtime/JSWeakMap.cpp:
2957 * runtime/MapIteratorPrototype.cpp:
2958 * runtime/MapPrototype.cpp:
2959 * runtime/SetIteratorPrototype.cpp:
2960 * runtime/SetPrototype.cpp:
2961 * runtime/WeakMapPrototype.cpp:
2962
2963 2014-06-12 Csaba Osztrogonác <ossy@webkit.org>
2964
2965 [EFL] One more URTBF after r169823 to make ARM64 build happy too.
2966
2967 * runtime/JSMap.cpp:
2968
2969 2014-06-11 Mark Hahnenberg <mhahnenberg@apple.com>
2970
2971 Inline caching should try to flatten uncacheable dictionaries
2972 https://bugs.webkit.org/show_bug.cgi?id=133683
2973
2974 Reviewed by Geoffrey Garen.
2975
2976 There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
2977 which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
2978 If properties are deleted out of the object during its initialization, we can enable caching for that object by
2979 attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
2980 performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
2981 state then we can just give up on caching that object.
2982
2983 In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
2984 the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
2985 the other inline caching functions to return this enum rather than the opaque booleans that we were previously
2986 returning.
2987
2988 * jit/Repatch.cpp:
2989 (JSC::actionForCell):
2990 (JSC::tryCacheGetByID):
2991 (JSC::repatchGetByID):
2992 (JSC::tryBuildGetByIDList):
2993 (JSC::buildGetByIDList):
2994 (JSC::tryCachePutByID):
2995 (JSC::repatchPutByID):
2996 (JSC::tryBuildPutByIdList):
2997 (JSC::buildPutByIdList):
2998 (JSC::tryRepatchIn):
2999 (JSC::repatchIn):
3000 * runtime/Structure.cpp:
3001 (JSC::Structure::Structure):
3002 (JSC::Structure::flattenDictionaryStructure):
3003 * runtime/Structure.h:
3004 (JSC::Structure::hasBeenFlattenedBefore):
3005
3006 2014-06-11 Csaba Osztrogonác <ossy@webkit.org>
3007
3008 [EFL] URTBF after r169823.
3009
3010 * bindings/ScriptValue.cpp: Missing include added.
3011
3012 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3013
3014 Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
3015
3016 Rubber-stamped by Andreas Kling.
3017
3018 * runtime/JSObject.h:
3019 (JSC::JSObject::fastGetOwnPropertySlot):
3020
3021 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3022
3023 Turning on DUMP_PROPERTYMAP_STATS causes a build failure
3024 https://bugs.webkit.org/show_bug.cgi?id=133673
3025
3026 Reviewed by Andreas Kling.
3027
3028 Rewrote the property map statistics code because the old code wasn't building,
3029 and it was also mixing numbers for lookups and insertions/removals.
3030
3031 New logging code records the number of calls to PropertyTable::find (finds) and
3032 PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
3033 the amount of probing during updates and lookups.
3034
3035 * jsc.cpp:
3036 * runtime/PropertyMapHashTable.h:
3037 (JSC::PropertyTable::find):
3038 (JSC::PropertyTable::get):
3039 (JSC::PropertyTable::findWithString):
3040 (JSC::PropertyTable::add):
3041 (JSC::PropertyTable::remove):
3042 (JSC::PropertyTable::reinsert):
3043 (JSC::PropertyTable::rehash):
3044 * runtime/Structure.cpp:
3045 (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
3046 (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
3047
3048 2014-06-11 Andreas Kling <akling@apple.com>
3049
3050 Always inline JSValue::get() and Structure::get().
3051 <https://webkit.org/b/133755>
3052
3053 Reviewed by Ryosuke Niwa.
3054
3055 These functions get really hot, so ask the compiler to be more
3056 aggressive about inlining them.
3057
3058 ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
3059 through GetByVal.
3060
3061 * runtime/JSArrayIterator.cpp:
3062 * runtime/JSCJSValue.cpp:
3063 * runtime/JSCJSValueInlines.h:
3064 (JSC::JSValue::get):
3065 * runtime/JSPromiseDeferred.cpp:
3066 * runtime/StructureInlines.h:
3067 (JSC::Structure::get):
3068
3069 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3070
3071 Structure::get should instantiate DeferGC only when materializing property map
3072 https://bugs.webkit.org/show_bug.cgi?id=133727
3073
3074 Rubber-stamped by Andreas Kling.
3075
3076 Make materializePropertyMapIfNecessary always inline.
3077
3078 This is ~12% improvement on the microbenchmark attached in the bug.
3079
3080 * runtime/Structure.h:
3081 (JSC::Structure::materializePropertyMapIfNecessary):
3082 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
3083
3084 2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
3085
3086 Structure::get should instantiate DeferGC only when materializing property map
3087 https://bugs.webkit.org/show_bug.cgi?id=133727
3088
3089 Reviewed by Geoffrey Garen.
3090
3091 DeferGC instances in Structure::get were added in http://trac.webkit.org/r157539 in order to avoid
3092 collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
3093 when GCSafeConcurrentJITLocker goes out of scope.
3094
3095 However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
3096 in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
3097 and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
3098
3099 Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
3100 and immediately storing a pointer to the newly created property table in the stack before DeferGC
3101 goes out of scope so that the property table will be marked.
3102
3103 This shows 13-16% improvement on the microbenchmark attached in the bug.
3104
3105 * runtime/JSCJSValue.cpp:
3106 * runtime/JSObject.h:
3107 (JSC::JSObject::fastGetOwnPropertySlot):
3108 * runtime/Structure.h:
3109 (JSC::Structure::materializePropertyMapIfNecessary):
3110 * runtime/StructureInlines.h:
3111 (JSC::Structure::get):
3112
3113 2014-06-11 Andreas Kling <akling@apple.com>
3114
3115 Some JSValue::get() micro-optimizations.
3116 <https://webkit.org/b/133739>
3117
3118 Tighten some of the property lookup code to improve performance of the
3119 eagerly reified prototype attributes:
3120
3121 - Instead of converting the property name to an integer at every step
3122 in the prototype chain, move that to a separate pass at the end
3123 since it should be a rare case.
3124
3125 - Cache the StructureIDTable in a local instead of fetching it from
3126 the Heap on every step.
3127
3128 - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
3129 on the assumption that clients would mostly be cacheable GetByIds,
3130 and it gets pretty hot (~1%) in GetByVal.
3131
3132 - Pass the Structure directly to fillCustomGetterPropertySlot instead
3133 of refetching it from the StructureIDTable.
3134
3135 Reviewed by Geoff Garen.
3136
3137 * runtime/JSObject.cpp:
3138 (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
3139 * runtime/JSObject.h:
3140 (JSC::JSObject::inlineGetOwnPropertySlot):
3141 (JSC::JSObject::fillCustomGetterPropertySlot):
3142 (JSC::JSObject::getOwnPropertySlot):
3143 (JSC::JSObject::fastGetOwnPropertySlot):
3144 (JSC::JSObject::getPropertySlot):
3145 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
3146
3147 2014-06-10 Sam Weinig <sam@webkit.org>
3148
3149 Don't create a HashTable for JSObjects that use eager reification
3150 https://bugs.webkit.org/show_bug.cgi?id=133705
3151
3152 Reviewed by Geoffrey Garen.
3153
3154 * runtime/Lookup.h:
3155 (JSC::reifyStaticProperties):
3156 Add a version of reifyStaticProperties that takes an array of HashTableValues
3157 rather than a HashTable.
3158
3159 2014-06-10 Filip Pizlo <fpizlo@apple.com>
3160
3161 Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
3162 https://bugs.webkit.org/show_bug.cgi?id=133698
3163
3164 Reviewed by Geoffrey Garen and Mark Hahnenberg.
3165
3166 * dfg/DFGPredictionPropagationPhase.cpp:
3167 (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
3168 * dfg/DFGVariableAccessData.cpp:
3169 (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
3170 (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
3171 (JSC::DFG::VariableAccessData::flushFormat):
3172 * dfg/DFGVariableAccessData.h:
3173 * tests/stress/int52-inlined-call-argument.js: Added.
3174 (foo):
3175 (bar):
3176
3177 2014-06-10 Mark Lam <mark.lam@apple.com>
3178
3179 Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
3180 <https://webkit.org/b/133356>
3181
3182 Reviewed by Mark Hahnenberg.
3183
3184 The root cause of this issue is that a nonPropertyTransition can transition
3185 a pinned dictionary structure to an unpinned dictionary structure. The new
3186 structure will get a copy of the property table from the original structure.
3187 However, when a GC occurs, the property table in the new structure will be
3188 cleared because it is unpinned. This leads to complications in subsequent
3189 derivative structures when flattening occurs, which eventually leads to the
3190 assertion failure in this bug.
3191
3192 The fix is to ensure that the new dictionary structure generated by the
3193 nonPropertyTransition will have a copy of its predecessor's property table
3194 and is pinned.
3195
3196 * runtime/Structure.cpp:
3197 (JSC::Structure::nonPropertyTransition):
3198
3199 2014-06-10 Michael Saboff <msaboff@apple.com>
3200
3201 In a certain app state, Array.prototype.filter() returns incorrect results
3202 https://bugs.webkit.org/show_bug.cgi?id=133577
3203
3204 Reviewed by Oliver Hunt.
3205
3206 Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
3207
3208 * llint/LowLevelInterpreter32_64.asm:
3209 * llint/LowLevelInterpreter64.asm:
3210
3211 2014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
3212
3213 Global HashTables contain references to atomic StringImpls
3214 https://bugs.webkit.org/show_bug.cgi?id=133661
3215
3216 Reviewed by Geoffrey Garen.
3217
3218 This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
3219 cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
3220 incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
3221 change the "keys" field of the static HashTables to be char** instead of StringImpl**.
3222
3223 * runtime/JSObject.cpp:
3224 (JSC::getClassPropertyNames):
3225 * runtime/Lookup.cpp:
3226 (JSC::HashTable::createTable):
3227 (JSC::HashTable::deleteTable):
3228 * runtime/Lookup.h:
3229 (JSC::HashTable::ConstIterator::key):
3230 (JSC::HashTable::entry):
3231
3232 2014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
3233
3234 Build fix after r169703
3235
3236 * JavaScriptCore.xcodeproj/project.pbxproj:
3237
3238 2014-06-05 Mark Hahnenberg <mhahnenberg@apple.com>
3239
3240 Eagerly reify DOM prototype attributes
3241 https://bugs.webkit.org/show_bug.cgi?id=133558
3242
3243 Reviewed by Oliver Hunt.
3244
3245 This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
3246 By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
3247 getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
3248 DOM wrappers.
3249
3250 * CMakeLists.txt:
3251 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3252 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3253 * JavaScriptCore.xcodeproj/project.pbxproj:
3254 * llint/LLIntData.cpp:
3255 (JSC::LLInt::Data::performAssertions):
3256 * llint/LowLevelInterpreter.asm:
3257 * runtime/BatchedTransitionOptimizer.h:
3258 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
3259 * runtime/CustomGetterSetter.cpp: Added.
3260 (JSC::callCustomSetter):
3261 * runtime/CustomGetterSetter.h: Added.
3262 (JSC::CustomGetterSetter::create):
3263 (JSC::CustomGetterSetter::getter):
3264 (JSC::CustomGetterSetter::setter):
3265 (JSC::CustomGetterSetter::createStructure):
3266 (JSC::CustomGetterSetter::CustomGetterSetter):
3267 * runtime/JSCJSValue.cpp:
3268 (JSC::JSValue::putToPrimitive):
3269 * runtime/JSCJSValue.h:
3270 * runtime/JSCJSValueInlines.h:
3271 (JSC::JSValue::isCustomGetterSetter):
3272 * runtime/JSCell.h:
3273 * runtime/JSCellInlines.h:
3274 (JSC::JSCell::isCustomGetterSetter):
3275 (JSC::JSCell::canUseFastGetOwnProperty):
3276 * runtime/JSFunction.cpp:
3277 (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
3278 (JSC::JSFunction::isBuiltinFunction): Deleted.
3279 * runtime/JSFunction.h:
3280 * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
3281 (JSC::JSFunction::isBuiltinFunction):
3282 (JSC::JSFunction::isHostOrBuiltinFunction):
3283 * runtime/JSObject.cpp:
3284 (JSC::JSObject::put):
3285 (JSC::JSObject::putDirectCustomAccessor):
3286 (JSC::JSObject::fillGetterPropertySlot):
3287 (JSC::JSObject::fillCustomGetterPropertySlot):
3288 (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
3289 * runtime/JSObject.h:
3290 (JSC::JSObject::hasCustomGetterSetterProperties):
3291 (JSC::JSObject::convertToDictionary):
3292 (JSC::JSObject::inlineGetOwnPropertySlot):
3293 (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
3294 (JSC::JSObject::putOwnDataProperty):
3295 (JSC::JSObject::putDirect):
3296 (JSC::JSObject::putDirectWithoutTransition):
3297 * runtime/JSType.h:
3298 * runtime/Lookup.h:
3299 (JSC::reifyStaticProperties):
3300 * runtime/PropertyDescriptor.h:
3301 (JSC::PropertyDescriptor::PropertyDescriptor):
3302 * runtime/Structure.cpp:
3303 (JSC::Structure::Structure):
3304 (JSC::nextOutOfLineStorageCapacity): Deleted.
3305 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
3306 (JSC::Structure::get): Deleted.
3307 * runtime/Structure.h:
3308 (JSC::Structure::hasCustomGetterSetterProperties):
3309 (JSC::Structure::setHasCustomGetterSetterProperties):
3310 * runtime/StructureInlines.h:
3311 (JSC::Structure::get): Inlined due to hotness.
3312 (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
3313 (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
3314 * runtime/VM.cpp:
3315 (JSC::VM::VM):
3316 * runtime/VM.h:
3317 * runtime/WriteBarrier.h:
3318 (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
3319
3320 2014-06-07 Mark Lam <mark.lam@apple.com>
3321
3322 Structure should initialize its previousID in its constructor.
3323 <https://webkit.org/b/133606>
3324
3325 Reviewed by Mark Hahnenberg.
3326
3327 Currently, the Structure constructor that takes a previous structure will
3328 initialize its previousID to point to the previous structure's previousID.
3329 This is incorrect. However, the caller of the Structure::create() factory
3330 method (which instantiated the Structure) will later call setPreviousID()
3331 to set the previousID to the correct previous structure. This makes the
3332 code confusing to read and more error prone in that the structure relies
3333 on client code to fix its invalid previousID.
3334
3335 This patch fixes this by making the Structure constructor initialize
3336 previousID correctly.
3337
3338 * runtime/Structure.cpp:
3339 (JSC::Structure::Structure):
3340 (JSC::Structure::addPropertyTransition):
3341 (JSC::Structure::nonPropertyTransition):
3342 * runtime/Structure.h:
3343 * runtime/StructureInlines.h:
3344 (JSC::Structure::create):
3345
3346 2014-06-06 Andreas Kling <akling@apple.com>
3347
3348 Indexed getters should return values directly on the PropertySlot.
3349 <https://webkit.org/b/133586>
3350
3351 Remove PropertySlot's custom index mode.
3352
3353 Reviewed by Darin Adler.
3354
3355 * runtime/JSObject.h:
3356 (JSC::PropertySlot::getValue):
3357 * runtime/PropertySlot.h:
3358 (JSC::PropertySlot::setCustomIndex): Deleted.
3359
3360 2014-06-04 Timothy Horton <timothy_horton@apple.com>
3361
3362 iOS Debug build fix
3363
3364 Rubber-stamped by Filip Pizlo.
3365
3366 * Configurations/LLVMForJSC.xcconfig:
3367 Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
3368
3369 2014-06-04 Oliver Hunt <oliver@apple.com>
3370
3371 ArrayIterator should not be exposed in Safari 8
3372 https://bugs.webkit.org/show_bug.cgi?id=133494
3373
3374 Reviewed by Michael Saboff.
3375
3376 Separate out types that require constructor objects, and don't
3377 include the iterator types in that list.
3378
3379 * runtime/JSGlobalObject.cpp:
3380 (JSC::JSGlobalObject::reset):
3381 * runtime/JSGlobalObject.h:
3382
3383 2014-06-04 Filip Pizlo <fpizlo@apple.com>
3384
3385 DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
3386 https://bugs.webkit.org/show_bug.cgi?id=133525
3387 <rdar://problem/16790296>
3388
3389 Reviewed by Oliver Hunt.
3390
3391 * dfg/DFGSafepoint.cpp:
3392 (JSC::DFG::Safepoint::begin):
3393
3394 2014-06-03 Filip Pizlo <fpizlo@apple.com>
3395
3396 LLVM soft-linking should be truly fail-silent
3397 https://bugs.webkit.org/show_bug.cgi?id=133482
3398
3399 Reviewed by Mark Lam.
3400
3401 * llvm/InitializeLLVMPOSIX.cpp:
3402 (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
3403
3404 2014-06-03 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
3405
3406 REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
3407 https://bugs.webkit.org/show_bug.cgi?id=133149
3408
3409 Reviewed by Csaba Osztrogonác.
3410
3411 * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
3412
3413 2014-05-31 Anders Carlsson <andersca@apple.com>
3414
3415 Add a LazyNeverDestroyed class template and use it
3416 https://bugs.webkit.org/show_bug.cgi?id=133425
3417
3418 Reviewed by Darin Adler.
3419
3420 * dfg/DFGFunctionWhitelist.cpp:
3421 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
3422 * dfg/DFGFunctionWhitelist.h:
3423
3424 2014-05-28 Filip Pizlo <fpizlo@apple.com>
3425
3426 DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
3427 https://bugs.webkit.org/show_bug.cgi?id=133368
3428
3429 Reviewed by Mark Lam.
3430
3431 * dfg/DFGDCEPhase.cpp:
3432 (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
3433 * tests/stress/new-array-dead.js: Added.
3434 (foo):
3435
3436 2014-05-28 Filip Pizlo <fpizlo@apple.com>
3437
3438 Unreviewed, fix not-x86 32-bit.
3439
3440 * llint/LowLevelInterpreter32_64.asm:
3441
3442 2014-05-27 Filip Pizlo <fpizlo@apple.com>
3443
3444 Arrayify neglects to inform the clobberizer that it might fire watchpoints
3445 https://bugs.webkit.org/show_bug.cgi?id=133340
3446
3447 Reviewed by Mark Lam.
3448
3449 * dfg/DFGClobberize.h:
3450 (JSC::DFG::clobberize): Be honest.
3451 * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
3452 * tests/stress/arrayify-fires-watchpoint.js: Added.
3453 (foo):
3454 (test):
3455 (makeObjectArray):
3456 * tests/stress/arrayify-structure-bad-test.js: Added.
3457 (foo):
3458 (test):
3459
3460 2014-05-27 Jon Lee <jonlee@apple.com>
3461
3462 Update ENABLE(MEDIA_SOURCE) on Mac
3463 https://bugs.webkit.org/show_bug.cgi?id=133141
3464
3465 Reviewed by Darin Adler.
3466
3467 * Configurations/FeatureDefines.xcconfig:
3468
3469 2014-05-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
3470
3471 Remove BLOB guards
3472 https://bugs.webkit.org/show_bug.cgi?id=132863
3473
3474 Reviewed by Csaba Osztrogonác.
3475
3476 * Configurations/FeatureDefines.xcconfig:
3477
3478 2014-05-27 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
3479
3480 Allow building CMake based ports with WEB_REPLAY
3481 https://bugs.webkit.org/show_bug.cgi?id=133154
3482
3483 Reviewed by Csaba Osztrogonác.
3484
3485 * CMakeLists.txt:
3486
3487 2014-05-25 Filip Pizlo <fpizlo@apple.com>
3488
3489 Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
3490 https://bugs.webkit.org/show_bug.cgi?id=133136
3491
3492 Reviewed by Oliver Hunt.
3493
3494 Some key concepts:
3495
3496 - Except for the prediction propagation and type fixup phases, which are super early in
3497 the pipeline, nobody has to know about the fact that booleans may flow into numerical
3498 operations because there will just be a BooleanToNumber node that will take a value
3499 and, if that value is a boolean, will convert it to the equivalent numerical value. It
3500 will have a BooleanUse mode where it will also speculate that the input is a boolean
3501 but it can also do UntypedUse in which case it will pass through any non-booleans.
3502 This operation is very easy to model in all of the compiler tiers.
3503
3504 - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
3505 inputs require taking the slow path and it will still report that it took slow path
3506 for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
3507 path profiling on operations that were known to have had boolean inputs. That's a
3508 little quirky, but it's probably easier than modifying the baseline JIT to track
3509 booleans correctly.
3510
3511 4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
3512
3513 * bytecode/SpeculatedType.h:
3514 (JSC::isInt32OrBooleanSpeculation):
3515 (JSC::isInt32SpeculationForArithmetic):
3516 (JSC::isInt32OrBooleanSpeculationForArithmetic):
3517 (JSC::isInt32OrBooleanSpeculationExpectingDefined):
3518 (JSC::isInt52Speculation):
3519 (JSC::isMachineIntSpeculation):
3520 (JSC::isFullNumberOrBooleanSpeculation):
3521 (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
3522 (JSC::isInt32SpeculationExpectingDefined): Deleted.
3523 (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
3524 (JSC::isMachineIntSpeculationForArithmetic): Deleted.
3525 (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
3526 (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
3527 * dfg/DFGAbstractInterpreterInlines.h:
3528 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3529 * dfg/DFGAllocator.h:
3530 (JSC::DFG::Allocator<T>::indexOf):
3531 * dfg/DFGByteCodeParser.cpp:
3532 (JSC::DFG::ByteCodeParser::makeSafe):
3533 (JSC::DFG::ByteCodeParser::makeDivSafe):
3534 (JSC::DFG::ByteCodeParser::handleIntrinsic):
3535 * dfg/DFGCSEPhase.cpp:
3536 (JSC::DFG::CSEPhase::performNodeCSE):
3537 * dfg/DFGClobberize.h:
3538 (JSC::DFG::clobberize):
3539 * dfg/DFGCommon.h:
3540 * dfg/DFGConstantFoldingPhase.cpp:
3541 (JSC::DFG::ConstantFoldingPhase::foldConstants):
3542 * dfg/DFGFixupPhase.cpp:
3543 (JSC::DFG::FixupPhase::fixupNode):
3544 (JSC::DFG::FixupPhase::fixIntConvertingEdge):
3545 (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
3546 (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
3547 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
3548 (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
3549 * dfg/DFGGraph.h:
3550 (JSC::DFG::Graph::addSpeculationMode):
3551 (JSC::DFG::Graph::valueAddSpeculationMode):
3552 (JSC::DFG::Graph::arithAddSpeculationMode):
3553 (JSC::DFG::Graph::addShouldSpeculateInt32):
3554 (JSC::DFG::Graph::mulShouldSpeculateInt32):
3555 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
3556 (JSC::DFG::Graph::negateShouldSpeculateInt32):
3557 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
3558 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
3559 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
3560 * dfg/DFGNode.h:
3561 (JSC::DFG::Node::sawBooleans):
3562 (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
3563 (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
3564 (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
3565 (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
3566 (JSC::DFG::Node::shouldSpeculateMachineInt):
3567 (JSC::DFG::Node::shouldSpeculateDouble):
3568 (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
3569 (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
3570 (JSC::DFG::Node::shouldSpeculateNumber):
3571 (JSC::DFG::Node::canSpeculateInt32):
3572 (JSC::DFG::Node::canSpeculateInt52):
3573 (JSC::DFG::Node::sourceFor):
3574 (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
3575 (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
3576 (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
3577 (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
3578 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
3579 * dfg/DFGNodeFlags.cpp:
3580 (JSC::DFG::dumpNodeFlags):
3581 * dfg/DFGNodeFlags.h:
3582 (JSC::DFG::nodeMayOverflow):
3583 (JSC::DFG::nodeMayNegZero):
3584 (JSC::DFG::nodeCanSpeculateInt32):
3585 (JSC::DFG::nodeCanSpeculateInt52):
3586 * dfg/DFGNodeType.h:
3587 * dfg/DFGPredictionPropagationPhase.cpp:
3588 (JSC::DFG::PredictionPropagationPhase::run):
3589 (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
3590 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
3591 (JSC::DFG::PredictionPropagationPhase::propagate):
3592 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
3593 * dfg/DFGSafeToExecute.h:
3594 (JSC::DFG::safeToExecute):
3595 * dfg/DFGSpeculativeJIT.cpp:
3596 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3597 * dfg/DFGSpeculativeJIT32_64.cpp:
3598 (JSC::DFG::SpeculativeJIT::compile):
3599 * dfg/DFGSpeculativeJIT64.cpp:
3600 (JSC::DFG::SpeculativeJIT::compile):
3601 * ftl/FTLCapabilities.cpp:
3602 (JSC::FTL::canCompile):
3603 * ftl/FTLLowerDFGToLLVM.cpp:
3604 (JSC::FTL::LowerDFGToLLVM::compileNode):
3605 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
3606 (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
3607 * runtime/JSCJSValue.h:
3608 * runtime/JSCJSValueInlines.h:
3609 (JSC::JSValue::asInt32ForArithmetic):
3610 * tests/stress/max-boolean-exit.js: Added.
3611 (foo):
3612 (test):
3613 * tests/stress/mul-boolean-exit.js: Added.
3614 (foo):
3615 (test):
3616 * tests/stress/plus-boolean-exit.js: Added.
3617 (foo):
3618 (test):
3619 * tests/stress/plus-boolean-or-double.js: Added.
3620 (foo):
3621 (test):
3622 * tests/stress/plus-boolean-or-int.js: Added.
3623 (foo):
3624 (test):
3625
3626 2014-05-26 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
3627
3628 Remove dead code from VM.cpp
3629 https://bugs.webkit.org/show_bug.cgi?id=133284
3630
3631 Reviewed by Darin Adler.
3632
3633 This workaround was added in r127505. Since clang is the
3634 only compiler used in this case, this workaround is obsolete.
3635
3636 * runtime/VM.cpp:
3637 (JSC::enableAssembler):
3638
3639 2014-05-26 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
3640
3641 JSC CLoop warning fix
3642 https://bugs.webkit.org/show_bug.cgi?id=133259
3643
3644 Reviewed by Darin Adler.
3645
3646 * llint/LLIntSlowPaths.cpp:
3647 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3648
3649 2014-05-24 Andreas Kling <akling@apple.com>
3650
3651 Object.prototype.toString() should use cached strings for null/undefined.
3652 <https://webkit.org/b/133261>
3653
3654 Normally, when calling Object.prototype.toString() on a regular object,
3655 we'd cache the result of the stringification on the object's structure,
3656 making repeated calls fast.
3657
3658 For null and undefined, we were not as smart. We'd instead construct a
3659 new string with either "[object Null]" or "[object Undefined]" each time.
3660
3661 This was exposed by Dromaeo's JS library tests, where some prototype.js
3662 subtests generate millions of strings this way.
3663
3664 This patch adds two VM-permanent cached strings to the SmallStrings.
3665 Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
3666
3667 Reviewed by Darin Adler.
3668
3669 * runtime/ObjectPrototype.cpp:
3670 (JSC::objectProtoFuncToString):
3671 * runtime/SmallStrings.cpp:
3672 (JSC::SmallStrings::SmallStrings):
3673 (JSC::SmallStrings::initializeCommonStrings):
3674 (JSC::SmallStrings::visitStrongReferences):
3675 * runtime/SmallStrings.h:
3676 (JSC::SmallStrings::nullObjectString):
3677 (JSC::SmallStrings::undefinedObjectString):
3678
3679 2014-05-23 Mark Hahnenberg <mhahnenberg@apple.com>
3680
3681 Remove operationCallGetter
3682
3683 Rubber stamped by Filip Pizlo.
3684
3685 Nobody calls this function.
3686
3687 * JavaScriptCore.order:
3688 * jit/JITOperations.cpp:
3689 * jit/JITOperations.h:
3690
3691 2014-05-23 Andreas Kling <akling@apple.com>
3692
3693 Templatize GC's destructor invocation for dtor type.
3694 <https://webkit.org/b/133231>
3695
3696 Get rid of a branch in callDestructor() by templatizing it for
3697 the DestructorType. Removed JSCell::methodTableForDestruction()
3698 since this was the only call site and it was jumping through
3699 a bunch of unnecessary hoops.
3700
3701 Reviewed by Geoffrey Garen.
3702
3703 * heap/MarkedBlock.cpp:
3704 (JSC::MarkedBlock::callDestructor):
3705 (JSC::MarkedBlock::specializedSweep):
3706 * heap/MarkedBlock.h:
3707 * runtime/JSCell.h:
3708 * runtime/JSCellInlines.h:
3709 (JSC::JSCell::methodTableForDestruction): Deleted.
3710
3711 2014-05-23 Andreas Kling <akling@apple.com>
3712
3713 Support inline caching of RegExpMatchesArray.length
3714 <https://webkit.org/b/133234>
3715
3716 Give RegExpMatchesArray.length the same treatment as JSArray in
3717 repatch so we don't have to go out of line on every access.
3718
3719 ~13% speed-up on Octane/regexp.
3720
3721 Reviewed by Geoffrey Garen.
3722
3723 * jit/Repatch.cpp:
3724 (JSC::tryCacheGetByID):
3725 * runtime/RegExpMatchesArray.h:
3726 (JSC::isRegExpMatchesArray):
3727
3728 2014-05-22 Mark Lam <mark.lam@apple.com>
3729
3730 REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
3731 <https://webkit.org/b/133182>
3732
3733 Reviewed by Oliver Hunt.
3734
3735 Before r154797, we used to clear the VM exception before calling into the
3736 debugger. After r154797, we don't. This patch will restore this clearing
3737 of the exception before calling into the debugger.
3738
3739 Also added assertions after returning from calls into the debugger to
3740 ensure that the debugger did not introduce any exceptions.
3741
3742 * interpreter/Interpreter.cpp:
3743 (JSC::unwindCallFrame):
3744 (JSC::Interpreter::unwind):
3745 (JSC::Interpreter::debug):
3746 - Fixed the assertion here. Interpreter::debug() should never be called
3747 with a pending exception. Debugger callbacks for exceptions should be
3748 handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
3749
3750 2014-05-21 Filip Pizlo <fpizlo@apple.com>
3751
3752 Store barrier elision should run after DCE in both the DFG path and the FTL path
3753 https://bugs.webkit.org/show_bug.cgi?id=129718
3754
3755 Rubber stamped by Mark Hahnenberg.
3756
3757 * dfg/DFGPlan.cpp:
3758 (JSC::DFG::Plan::compileInThreadImpl):
3759
3760 2014-05-21 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
3761
3762 [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
3763 https://bugs.webkit.org/show_bug.cgi?id=132907
3764
3765 Reviewed by Gyuyoung Kim.
3766
3767 * CMakeLists.txt:
3768
3769 2014-05-16 Martin Robinson <mrobinson@igalia.com>
3770
3771 [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
3772 https://bugs.webkit.org/show_bug.cgi?id=132819
3773
3774 Reviewed by Carlos Garcia Campos.
3775
3776 * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
3777 use the common CMake ones directly.
3778
3779 2014-05-21 Filip Pizlo <fpizlo@apple.com>
3780
3781 Unreviewed, roll out http://trac.webkit.org/changeset/169159.
3782
3783 This was a unilateral change and wasn't properly reviewed.
3784
3785 * tests/mozilla/mozilla-tests.yaml:
3786
3787 2014-05-21 Antoine Quint <graouts@webkit.org>
3788
3789 Array.prototype.find and findIndex should skip holes
3790 https://bugs.webkit.org/show_bug.cgi?id=132658
3791
3792 Reviewed by Geoffrey Garen.
3793
3794 Skip holes in the array when iterating such that the callback isn't called.
3795
3796 * builtins/Array.prototype.js:
3797 (find):
3798 (findIndex):
3799
3800 2014-05-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
3801
3802 REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
3803 https://bugs.webkit.org/show_bug.cgi?id=133149
3804
3805 Reviewed by Csaba Osztrogonác.
3806
3807 * tests/mozilla/mozilla-tests.yaml:
3808
3809 2014-05-20 Geoffrey Garen <ggaren@apple.com>
3810
3811 Rolled out <http://trac.webkit.org/changeset/166184>
3812 https://bugs.webkit.org/show_bug.cgi?id=133144
3813
3814 Reviewed by Gavin Barraclough.
3815
3816 It caused a performance regression.
3817
3818 * heap/BlockAllocator.cpp:
3819 (JSC::BlockAllocator::blockFreeingThreadStartFunc):
3820
3821 2014-05-20 Filip Pizlo <fpizlo@apple.com>
3822
3823 DFG prediction propagation should agree with fixup phase over the return type of GetByVal
3824 https://bugs.webkit.org/show_bug.cgi?id=133134
3825
3826 Reviewed by Mark Hahnenberg.
3827
3828 Make prediction propagator use ArrayMode refinement to decide the return type.
3829
3830 Also introduce a heap prediction intrinsic that allows us to test weird corner cases
3831 like this. The only way we'll see a mismatch like this in the real world is probably
3832 through a gnarly race condition.
3833
3834 * dfg/DFGByteCodeParser.cpp:
3835 (JSC::DFG::ByteCodeParser::handleIntrinsic):
3836 * dfg/DFGNode.h:
3837 (JSC::DFG::Node::setHeapPrediction):
3838 * dfg/DFGPredictionPropagationPhase.cpp:
3839 (JSC::DFG::PredictionPropagationPhase::propagate):
3840 * jsc.cpp:
3841 (GlobalObject::finishCreation):
3842 (functionFalse1):
3843 (functionFalse2):
3844 (functionUndefined1):
3845 (functionUndefined2):
3846 (functionFalse): Deleted.
3847 (functionOtherFalse): Deleted.
3848 (functionUndefined): Deleted.
3849 * runtime/Intrinsic.h:
3850 * tests/stress/get-by-val-double-predicted-int.js: Added.
3851 (foo):
3852
3853 2014-05-20 Mark Hahnenberg <mhahnenberg@apple.com>
3854
3855 Watchdog timer should be lazily allocated
3856 https://bugs.webkit.org/show_bug.cgi?id=133135
3857
3858 Reviewed by Geoffrey Garen.
3859
3860 We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
3861 There is no reason to do this checking if we never activated the Watchdog, which can only be done through
3862 JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
3863
3864 By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
3865 these two API functions (which is true of most clients).
3866
3867 * API/JSContextRef.cpp:
3868 (JSContextGroupSetExecutionTimeLimit):
3869 (JSContextGroupClearExecutionTimeLimit):
3870 * dfg/DFGByteCodeParser.cpp:
3871 (JSC::DFG::ByteCodeParser::parseBlock):
3872 * dfg/DFGSpeculativeJIT32_64.cpp:
3873 (JSC::DFG::SpeculativeJIT::compile):
3874 * dfg/DFGSpeculativeJIT64.cpp:
3875 (JSC::DFG::SpeculativeJIT::compile):
3876 * interpreter/Interpreter.cpp:
3877 (JSC::Interpreter::execute):
3878 (JSC::Interpreter::executeCall):
3879 (JSC::Interpreter::executeConstruct):
3880 * jit/JITOpcodes.cpp:
3881 (JSC::JIT::emit_op_loop_hint):
3882 (JSC::JIT::emitSlow_op_loop_hint):
3883 * jit/JITOperations.cpp:
3884 * llint/LLIntSlowPaths.cpp:
3885 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3886 * runtime/VM.h:
3887 * runtime/Watchdog.cpp:
3888 (JSC::Watchdog::Scope::Scope): Deleted.
3889 (JSC::Watchdog::Scope::~Scope): Deleted.
3890 * runtime/Watchdog.h:
3891 (JSC::Watchdog::Scope::Scope):
3892 (JSC::Watchdog::Scope::~Scope):
3893
3894 2014-05-19 Mark Hahnenberg <mhahnenberg@apple.com>
3895
3896 JSArray::shiftCountWith* could be more efficient
3897 https://bugs.webkit.org/show_bug.cgi?id=133011
3898
3899 Reviewed by Geoffrey Garen.
3900
3901 Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
3902 are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
3903 them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
3904
3905 * runtime/ArrayStorage.h:
3906 (JSC::ArrayStorage::indexingHeader):
3907 (JSC::ArrayStorage::length):
3908 (JSC::ArrayStorage::hasHoles):
3909 * runtime/IndexingHeader.h:
3910 (JSC::IndexingHeader::publicLength):
3911 (JSC::IndexingHeader::from):
3912 * runtime/JSArray.cpp:
3913 (JSC::JSArray::shiftCountWithArrayStorage):
3914 (JSC::JSArray::shiftCountWithAnyIndexingType):
3915 (JSC::JSArray::unshiftCountWithArrayStorage):
3916 * runtime/JSArray.h:
3917 (JSC::JSArray::shiftCountForShift):
3918 (JSC::JSArray::shiftCountForSplice):
3919 (JSC::JSArray::shiftCount):
3920 * runtime/Structure.cpp:
3921 (JSC::Structure::holesRequireSpecialBehavior):
3922 * runtime/Structure.h:
3923
3924 2014-05-19 Filip Pizlo <fpizlo@apple.com>
3925
3926 Test gardening: skip some failing tests on not-X86.
3927
3928 * tests/mozilla/mozilla-tests.yaml:
3929
3930 2014-05-19 Mark Lam <mark.lam@apple.com>
3931
3932 operationOptimize() should defer the GC for a while.
3933 <https://webkit.org/b/133103>
3934
3935 Reviewed by Filip Pizlo.
3936
3937 Currently, operationOptimize() only defers the GC until its end. As a result,
3938 a GC may be triggered just before we return from operationOptimize(), and it may
3939 jettison the optimize codeBlock that we're planning to OSR enter into when we
3940 return from this function. This is because the OSR entry on-ramp code hasn't
3941 been executed yet, and hence, there is not yet a reference to this new codeBlock
3942 from the stack, and there won't be until we've had a chance to return out of
3943 operationOptimize() to run the OSR entry on-ramp code.
3944
3945 This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
3946 ensures that the GC will be deferred until after the OSR entry on-ramp can be
3947 executed.
3948
3949 * jit/JITOperations.cpp:
3950
3951 2014-05-19 Filip Pizlo <fpizlo@apple.com>
3952
3953 Take care of some ARM64 test failures
3954 https://bugs.webkit.org/show_bug.cgi?id=133090
3955
3956 Reviewed by Geoffrey Garen.
3957
3958 Constant blinding on ARM64 cannot use the scratch register.
3959
3960 * assembler/MacroAssembler.h:
3961 (JSC::MacroAssembler::convertInt32ToDouble):
3962 (JSC::MacroAssembler::branchPtr):
3963 (JSC::MacroAssembler::storePtr):
3964 (JSC::MacroAssembler::store64):
3965 * assembler/MacroAssemblerARM64.h:
3966 (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
3967
3968 2014-05-19 Tanay C <tanay.c@samsung.com>
3969
3970 Removing some check-webkit-style warnings from ./dfg
3971 https://bugs.webkit.org/show_bug.cgi?id=132854
3972
3973 Reviewed by Darin Adler.
3974
3975 * dfg/DFGAbstractInterpreter.h:
3976 * dfg/DFGAbstractValue.h:
3977 * dfg/DFGBlockInsertionSet.h:
3978 * dfg/DFGCommonData.h:
3979 * dfg/DFGDominators.h:
3980 * dfg/DFGGraph.h:
3981 * dfg/DFGInPlaceAbstractState.h:
3982 * dfg/DFGPredictionPropagationPhase.h:
3983
3984 2014-05-18 Filip Pizlo <fpizlo@apple.com>
3985
3986 Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
3987 That was a long time ago.
3988
3989 * ftl/FTLLowerDFGToLLVM.cpp:
3990 (JSC::FTL::LowerDFGToLLVM::compileReturn):
3991
3992 2014-05-18 Rik Cabanier <cabanier@adobe.com>
3993
3994 support for navigator.hardwareConcurrency
3995 https://bugs.webkit.org/show_bug.cgi?id=132588
3996
3997 Reviewed by Filip Pizlo.
3998
3999 * Configurations/FeatureDefines.xcconfig:
4000
4001 2014-05-16 Michael Saboff <msaboff@apple.com>
4002
4003 Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
4004 https://bugs.webkit.org/show_bug.cgi?id=133009
4005
4006 Reviewed by Oliver Hunt.
4007
4008 If we determine that any alternative requires a minimum match size greater than
4009 INT_MAX, we handle the match in the interpreter.
4010
4011 Check to see if the pattern has unsigned lengths before invoking YARR JIT.
4012 * runtime/RegExp.cpp:
4013 (JSC::RegExp::compile):
4014 (JSC::RegExp::compileMatchOnly):
4015
4016 * tests/stress/large-regexp.js: New test added.
4017
4018 Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
4019 doesn't fit in an int.
4020 * yarr/YarrPattern.cpp:
4021 (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
4022
4023 Clear new m_containsUnsignedLengthPattern flag.
4024 * yarr/YarrPattern.cpp:
4025 (JSC::Yarr::YarrPattern::YarrPattern):
4026 * yarr/YarrPattern.h:
4027 (JSC::Yarr::YarrPattern::reset):
4028 (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
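
The following is an added illustration of the check this entry describes, not code from JavaScriptCore or Yarr: a toy pattern model computes each alternative's minimum match length with saturating arithmetic, records a sticky flag when any alternative's minimum does not fit in an int, and routes flagged patterns to an interpreter path instead of the JIT. The types and function names (Term, Alternative, Pattern, setupPattern, chooseEngine) are this example's own.

```cpp
#include <climits>
#include <cstdint>
#include <utility>
#include <vector>

// Simplified model of a Yarr-style pattern (constructed for this example):
// a pattern is a disjunction of alternatives, each alternative a sequence of
// terms, and each term is either a leaf matching a fixed number of characters
// per repetition (a literal or character class) or a nested parenthesized
// group. quantityMinCount is the quantifier's lower bound: 3 for {3} or {3,},
// 0 for * and ?, 1 when there is no quantifier.
struct Alternative;

struct Term {
    unsigned fixedSize = 0;            // leaf: characters consumed per repetition
    std::vector<Alternative> group;    // non-empty only for a group term
    unsigned quantityMinCount = 1;
};

struct Alternative {
    std::vector<Term> terms;
};

struct Pattern {
    std::vector<Alternative> alternatives;
    bool containsUnsignedLengthPattern;  // analogue of the flag this entry adds
};

// Anything at or above this value does not fit in an int. Saturating at it
// also keeps the 64-bit arithmetic itself from wrapping under deep nesting.
static const uint64_t kTooLarge = static_cast<uint64_t>(INT_MAX) + 1;

static uint64_t saturatingAdd(uint64_t a, uint64_t b) {
    if (a >= kTooLarge || b >= kTooLarge || a + b >= kTooLarge)
        return kTooLarge;
    return a + b;
}

static uint64_t saturatingMul(uint64_t a, uint64_t b) {
    if (a == 0 || b == 0)
        return 0;
    if (a >= kTooLarge || b >= kTooLarge || a > kTooLarge / b)
        return kTooLarge;
    return a * b;
}

// Minimum number of input characters a disjunction must consume (its smallest
// alternative). `flag` is set, and stays set, if ANY alternative anywhere in
// the disjunction needs more than INT_MAX characters, even one that is not the
// overall minimum: the JIT would still have to emit code for it.
static uint64_t minimumLength(const std::vector<Alternative>& disjunction, bool& flag) {
    if (disjunction.empty())
        return 0;
    uint64_t best = kTooLarge;
    for (const Alternative& alt : disjunction) {
        uint64_t total = 0;
        for (const Term& t : alt.terms) {
            uint64_t once = t.group.empty() ? t.fixedSize : minimumLength(t.group, flag);
            total = saturatingAdd(total, saturatingMul(once, t.quantityMinCount));
        }
        if (total >= kTooLarge)
            flag = true;
        if (total < best)
            best = total;
    }
    return best;
}

// Counterpart of the pattern setup step: returns the pattern's minimum length
// and records whether any alternative's minimum overflowed an int.
uint64_t setupPattern(Pattern& pattern) {
    pattern.containsUnsignedLengthPattern = false;
    return minimumLength(pattern.alternatives, pattern.containsUnsignedLengthPattern);
}

enum class Engine { JIT, Interpreter };

// The decision described for RegExp::compile: a pattern whose minimum length
// does not fit in an int is matched by the interpreter and never reaches the JIT.
Engine chooseEngine(const Pattern& pattern) {
    return pattern.containsUnsignedLengthPattern ? Engine::Interpreter : Engine::JIT;
}

// Builders for the constructed sample patterns below.
Term leaf(unsigned size, unsigned minCount = 1) {
    Term t;
    t.fixedSize = size;
    t.quantityMinCount = minCount;
    return t;
}

Term group(std::vector<Alternative> alternatives, unsigned minCount = 1) {
    Term t;
    t.group = std::move(alternatives);
    t.quantityMinCount = minCount;
    return t;
}

Pattern smallPattern() {            // /ab{3}|c/ : minimum 1, fits in an int
    Pattern p;
    p.alternatives = { Alternative{{leaf(1), leaf(1, 3)}}, Alternative{{leaf(1)}} };
    return p;
}

Pattern nestedOverflowPattern() {   // /(?:(?:a{65536}){65536})/ : 2^32 characters
    Pattern p;
    p.alternatives = { Alternative{{ group({ Alternative{{leaf(1, 65536)}} }, 65536) }} };
    return p;
}

Pattern hiddenOverflowPattern() {   // /a|b{2147483647}c/ : minimum 1, but one alternative needs INT_MAX + 1
    Pattern p;
    p.alternatives = { Alternative{{leaf(1)}}, Alternative{{leaf(1, 2147483647u), leaf(1)}} };
    return p;
}
```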
4029
4030 2014-05-15 Mark Hahnenberg <mhahnenberg@apple.com>
4031
4032 JSDOMWindow should not claim HasImpureGetOwnPropertySlot
4033 https://bugs.webkit.org/show_bug.cgi?id=132918
4034
4035 Reviewed by Geoffrey Garen.
4036
4037 * jit/Repatch.cpp:
4038 (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
4039
4040 2014-05-15 Alex Christensen <achristensen@webkit.org>
4041
4042 Add pointer lock to features without enabling it.
4043 https://bugs.webkit.org/show_bug.cgi?id=132961
4044
4045 Reviewed by Sam Weinig.
4046
4047 * Configurations/FeatureDefines.xcconfig:
4048 Added ENABLE_POINTER_LOCK to list of features.
4049
4050 2014-05-14 Mark Hahnenberg <mhahnenberg@apple.com>
4051
4052 Inline caching for proxies clobbers baseGPR too early
4053 https://bugs.webkit.org/show_bug.cgi?id=132916
4054
4055 Reviewed by Filip Pizlo.
4056
4057 We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
4058 gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
4059 until we know the inline cache is going to succeed.
4060
4061 * jit/Repatch.cpp:
4062 (JSC::generateByIdStub):
4063
4064 2014-05-14 Brent Fulgham <bfulgham@apple.com>
4065
4066 [Win] Unreviewed build fix.
4067
4068 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
4069 was missing commands to build LLInt portions of JSC.
4070 * llint/LLIntData.cpp: 64-bit build fix.
4071
4072 2014-05-14 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
4073
4074 ARM Traditional buildfix after r168776.
4075 https://bugs.webkit.org/show_bug.cgi?id=132903
4076
4077 Reviewed by Darin Adler.
4078
4079 * assembler/MacroAssemblerARM.h:
4080 (JSC::MacroAssemblerARM::abortWithReason): Added.
4081
4082 2014-05-14 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
4083
4084 Remove CSS_STICKY_POSITION guards
4085 https://bugs.webkit.org/show_bug.cgi?id=132676
4086
4087 Reviewed by Simon Fraser.
4088
4089 * Configurations/FeatureDefines.xcconfig:
4090
4091 2014-05-13 Filip Pizlo <fpizlo@apple.com>
4092
4093 JIT breakpoints should be more informative
4094 https://bugs.webkit.org/show_bug.cgi?id=132882
4095
4096 Reviewed by Oliver Hunt.
4097
4098 Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
4099 failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
4100 at that platform's abort reason register (r11 on X86-64 for example).
4101
4102 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4103 * JavaScriptCore.xcodeproj/project.pbxproj:
4104 * assembler/AbortReason.h: Added.
4105 * assembler/AbstractMacroAssembler.h:
4106 * assembler/MacroAssemblerARM64.h:
4107 (JSC::MacroAssemblerARM64::abortWithReason):
4108 * assembler/MacroAssemblerARMv7.h:
4109 (JSC::MacroAssemblerARMv7::abortWithReason):
4110 * assembler/MacroAssemblerX86.h:
4111 (JSC::MacroAssemblerX86::abortWithReason):
4112 * assembler/MacroAssemblerX86_64.h:
4113 (JSC::MacroAssemblerX86_64::abortWithReason):
4114 * dfg/DFGSlowPathGenerator.h:
4115 (JSC::DFG::SlowPathGenerator::generate):
4116 * dfg/DFGSpeculativeJIT.cpp:
4117 (JSC::DFG::SpeculativeJIT::bail):
4118 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
4119 (JSC::DFG::SpeculativeJIT::compileMakeRope):
4120 * dfg/DFGSpeculativeJIT.h:
4121 (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
4122 * dfg/DFGSpeculativeJIT32_64.cpp:
4123 (JSC::DFG::SpeculativeJIT::compile):
4124 * dfg/DFGSpeculativeJIT64.cpp:
4125 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
4126 (JSC::DFG::SpeculativeJIT::compile):
4127 * dfg/DFGThunks.cpp:
4128 (JSC::DFG::osrEntryThunkGenerator):
4129 * jit/AssemblyHelpers.cpp:
4130 (JSC::AssemblyHelpers::jitAssertIsInt32):
4131 (JSC::AssemblyHelpers::jitAssertIsJSInt32):
4132 (JSC::AssemblyHelpers::jitAssertIsJSNumber):
4133 (JSC::AssemblyHelpers::jitAssertIsJSDouble):
4134 (JSC::AssemblyHelpers::jitAssertIsCell):
4135 (JSC::AssemblyHelpers::jitAssertTagsInPlace):
4136 (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
4137 (JSC::AssemblyHelpers::jitAssertIsNull):
4138 (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
4139 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
4140 * jit/AssemblyHelpers.h:
4141 (JSC::AssemblyHelpers::checkStackPointerAlignment):
4142 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
4143 * jit/JIT.h:
4144 * jit/JITArithmetic.cpp:
4145 (JSC::JIT::emitSlow_op_div):
4146 * jit/JITOpcodes.cpp:
4147 (JSC::JIT::emitSlow_op_loop_hint):
4148 * jit/JITOpcodes32_64.cpp:
4149 (JSC::JIT::privateCompileCTINativeCall):
4150 * jit/JITPropertyAccess.cpp:
4151 (JSC::JIT::emit_op_get_by_val):
4152 (JSC::JIT::compileGetDirectOffset):
4153 (JSC::JIT::addStructureTransitionCheck): Deleted.
4154 (JSC::JIT::testPrototype): Deleted.
4155 * jit/JITPropertyAccess32_64.cpp:
4156 (JSC::JIT::emit_op_get_by_val):
4157 (JSC::JIT::compileGetDirectOffset):
4158 * jit/RegisterPreservationWrapperGenerator.cpp:
4159 (JSC::generateRegisterRestoration):
4160 * jit/Repatch.cpp:
4161 (JSC::addStructureTransitionCheck):
4162 (JSC::linkClosureCall):
4163 * jit/ThunkGenerators.cpp:
4164 (JSC::emitPointerValidation):
4165 (JSC::nativeForGenerator):
4166 * yarr/YarrJIT.cpp:
4167 (JSC::Yarr::YarrGenerator::generate):
4168
4169 2014-05-13 peavo@outlook.com <peavo@outlook.com>
4170
4171 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
4172 https://bugs.webkit.org/show_bug.cgi?id=132772
4173
4174 Reviewed by Geoffrey Garen.
4175
4176 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
4177 This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
4178 This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
4179 The void* parameters in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
4180
4181 * assembler/MacroAssemblerARM.h:
4182 (JSC::MacroAssemblerARM::loadDouble):
4183 (JSC::MacroAssemblerARM::storeDouble):
4184 * assembler/MacroAssemblerARM64.h:
4185 (JSC::MacroAssemblerARM64::loadDouble):
4186 (JSC::MacroAssemblerARM64::storeDouble):
4187 * assembler/MacroAssemblerARMv7.h:
4188 (JSC::MacroAssemblerARMv7::loadDouble):
4189 (JSC::MacroAssemblerARMv7::storeDouble):
4190 * assembler/MacroAssemblerMIPS.h:
4191 (JSC::MacroAssemblerMIPS::loadDouble):
4192 (JSC::MacroAssemblerMIPS::storeDouble):
4193 * assembler/MacroAssemblerSH4.h:
4194 (JSC::MacroAssemblerSH4::loadDouble):
4195 (JSC::MacroAssemblerSH4::storeDouble):
4196 * assembler/MacroAssemblerX86.h:
4197 (JSC::MacroAssemblerX86::storeDouble):
4198 * assembler/MacroAssemblerX86Common.h:
4199 (JSC::MacroAssemblerX86Common::absDouble):
4200 (JSC::MacroAssemblerX86Common::negateDouble):
4201 (JSC::MacroAssemblerX86Common::loadDouble):
4202 * dfg/DFGSpeculativeJIT.cpp:
4203 (JSC::DFG::SpeculativeJIT::silentFill):
4204 (JSC::DFG::compileClampDoubleToByte):
4205 * dfg/DFGSpeculativeJIT32_64.cpp:
4206 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
4207 (JSC::DFG::SpeculativeJIT::compile):
4208 * jit/AssemblyHelpers.cpp:
4209 (JSC::AssemblyHelpers::purifyNaN):
4210 * jit/JITInlines.h:
4211 (JSC::JIT::emitLoadDouble):
4212 * jit/JITPropertyAccess.cpp:
4213 (JSC::JIT::emitFloatTypedArrayGetByVal):
4214 * jit/ThunkGenerators.cpp:
4215 (JSC::floorThunkGenerator):
4216 (JSC::roundThunkGenerator):
4217 (JSC::powThunkGenerator):
4218
4219 2014-05-12 Commit Queue <commit-queue@webkit.org>
4220
4221 Unreviewed, rolling out r168642.
4222 https://bugs.webkit.org/show_bug.cgi?id=132839
4223
4224 Broke ARM build (Requested by jpfau on #webkit).
4225
4226 Reverted changeset:
4227
4228 "[Win] Enum type with value zero is compatible with void*,
4229 potential cause of crashes."
4230 https://bugs.webkit.org/show_bug.cgi?id=132772
4231 http://trac.webkit.org/changeset/168642
4232
4233 2014-05-12 peavo@outlook.com <peavo@outlook.com>
4234
4235 [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
4236 https://bugs.webkit.org/show_bug.cgi?id=132772
4237
4238 Reviewed by Geoffrey Garen.
4239
4240 Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
4241 This has caused crashes on Windows on two occasions (bug 132683 and bug 121001).
4242 This patch tries to prevent this type of crash by using a type with explicit constructors instead of void*.
4243 The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
4244
4245 * assembler/MacroAssemblerARM.h:
4246 (JSC::MacroAssemblerARM::loadDouble):
4247 (JSC::MacroAssemblerARM::storeDouble):
4248 * assembler/MacroAssemblerARM64.h:
4249 (JSC::MacroAssemblerARM64::loadDouble):
4250 (JSC::MacroAssemblerARM64::storeDouble):
4251 * assembler/MacroAssemblerARMv7.h:
4252 (JSC::MacroAssemblerARMv7::loadDouble):
4253 (JSC::MacroAssemblerARMv7::storeDouble):
4254 * assembler/MacroAssemblerMIPS.h:
4255 (JSC::MacroAssemblerMIPS::loadDouble):
4256 (JSC::MacroAssemblerMIPS::storeDouble):
4257 * assembler/MacroAssemblerSH4.h:
4258 (JSC::MacroAssemblerSH4::loadDouble):
4259 (JSC::MacroAssemblerSH4::storeDouble):
4260 * assembler/MacroAssemblerX86.h:
4261 (JSC::MacroAssemblerX86::storeDouble):
4262 * assembler/MacroAssemblerX86Common.h:
4263 (JSC::MacroAssemblerX86Common::absDouble):
4264 (JSC::MacroAssemblerX86Common::negateDouble):
4265 (JSC::MacroAssemblerX86Common::loadDouble):
4266 * dfg/DFGSpeculativeJIT.cpp:
4267 (JSC::DFG::SpeculativeJIT::silentFill):
4268 (JSC::DFG::compileClampDoubleToByte):
4269 * dfg/DFGSpeculativeJIT32_64.cpp:
4270 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
4271 (JSC::DFG::SpeculativeJIT::compile):
4272 * jit/AssemblyHelpers.cpp:
4273 (JSC::AssemblyHelpers::purifyNaN):
4274 * jit/JITInlines.h:
4275 (JSC::JIT::emitLoadDouble):
4276 * jit/JITPropertyAccess.cpp:
4277 (JSC::JIT::emitFloatTypedArrayGetByVal):
4278 * jit/ThunkGenerators.cpp:
4279 (JSC::floorThunkGenerator):
4280 (JSC::roundThunkGenerator):
4281 (JSC::powThunkGenerator):
4282
4283 2014-05-12 Andreas Kling <akling@apple.com>
4284
4285 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
4286 <https://webkit.org/b/132828>
4287 <rdar://problem/16886285>
4288
4289 Reviewed by Michael Saboff.
4290
4291 * runtime/JSObject.cpp:
4292 (JSC::JSObject::visitButterfly):
4293 (JSC::JSObject::visitChildren):
4294
4295 Use JSCell::structure(VM&) to reduce the number of hoops we jump
4296 through to find Structures during marking.
4297
4298 2014-05-12 László Langó <llango.u-szeged@partner.samsung.com>
4299
4300 [cmake] Add missing FTL source files to the build system.
4301
4302 Reviewed by Csaba Osztrogonác.
4303
4304 * CMakeLists.txt:
4305
4306 2014-05-09 Joseph Pecoraro <pecoraro@apple.com>
4307
4308 Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
4309 https://bugs.webkit.org/show_bug.cgi?id=132409
4310
4311 Reviewed by Timothy Hatcher.
4312
4313 Proxy applications are applications which hold WebViews for other
4314 applications. The WebProcess (Web Content Service) is a proxy application.
4315 For legacy reasons we were supporting a scenario where proxy applications
4316 could potentially host WebViews for more than one other application. That
4317 was never the case for WebProcess and it is now a scenario we don't need
4318 to worry about supporting.
4319
4320 With this change, a proxy application more naturally only holds WebViews
4321 for a single parent / host application. The proxy process can set the
4322 parent pid / audit_token data on the RemoteInspector singleton, and
4323 that data will be sent on to webinspectord later on to be validated.
4324 In the WebProcess<->UIProcess relationship that information is known
4325 and set immediately. In the Legacy iOS case that information is set
4326 soon after, but not immediately known at the point the WebView is created.
4327
4328 This allows us to simplify the RemoteInspectorDebuggable interface.
4329 We no longer need a pid per-Debuggable.
4330
4331 * inspector/remote/RemoteInspector.h:
4332 * inspector/remote/RemoteInspector.mm:
4333 (Inspector::RemoteInspector::RemoteInspector):
4334 (Inspector::RemoteInspector::setParentProcessInformation):
4335 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
4336 (Inspector::RemoteInspector::listingForDebuggable):
4337 (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
4338 Handle new proxy application setup message, and provide an API
4339 for a proxy application to set the parent process information.
4340
4341 * inspector/remote/RemoteInspectorConstants.h:
4342 New setup and response message for proxy applications to pass
4343 their parent / host application information to webinspectord.
4344
4345 * inspector/remote/RemoteInspectorDebuggable.cpp:
4346 (Inspector::RemoteInspectorDebuggable::info):
4347 * inspector/remote/RemoteInspectorDebuggable.h:
4348 (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
4349 (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
4350 pid per debuggable is no longer needed.
4351
4352 2014-05-09 Mark Hahnenberg <mhahnenberg@apple.com>
4353
4354 JSDOMWindow should disable property caching after a certain point
4355 https://bugs.webkit.org/show_bug.cgi?id=132751
4356
4357 Reviewed by Filip Pizlo.
4358
4359 This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
4360 hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
4361 that it has provided a cacheable value.
4362
4363 * runtime/PropertySlot.h:
4364 (JSC::PropertySlot::PropertySlot):
4365 (JSC::PropertySlot::isCacheable):
4366 (JSC::PropertySlot::disableCaching):
4367
4368 2014-05-09 Andreas Kling <akling@apple.com>
4369
4370 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
4371 <https://webkit.org/b/132749>
4372
4373 Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
4374 in Object.prototype.* by using JSString::toIdentifier() in the cases where
4375 we are converting JSString -> String -> Identifier.
4376
4377 This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
4378 "The Great HTML5 Gaming Performance Test: 2014 edition"
4379 <http://www.scirra.com/demos/c2/sbperftest/>
4380
4381 Reviewed by Oliver Hunt.
4382
4383 * runtime/ObjectPrototype.cpp:
4384 (JSC::objectProtoFuncHasOwnProperty):
4385 (JSC::objectProtoFuncDefineGetter):
4386 (JSC::objectProtoFuncDefineSetter):
4387 (JSC::objectProtoFuncLookupGetter):
4388 (JSC::objectProtoFuncLookupSetter):
4389
4390 2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
4391
4392 JSDOMWindow should have a WatchpointSet to fire on window close
4393 https://bugs.webkit.org/show_bug.cgi?id=132721
4394
4395 Reviewed by Filip Pizlo.
4396
4397 This patch allows us to reset the inline caches that assumed they could skip
4398 the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
4399 been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
4400
4401 PropertySlot now accepts a WatchpointSet which the inline cache code can look for
4402 to see if it should create a new Watchpoint for that particular inline cache site.
4403
4404 * bytecode/Watchpoint.h:
4405 * jit/Repatch.cpp:
4406 (JSC::generateByIdStub):
4407 (JSC::tryBuildGetByIDList):
4408 (JSC::tryCachePutByID):
4409 (JSC::tryBuildPutByIdList):
4410 * runtime/PropertySlot.h:
4411 (JSC::PropertySlot::PropertySlot):
4412 (JSC::PropertySlot::watchpointSet):
4413 (JSC::PropertySlot::setWatchpointSet):
4414
4415 2014-05-09 Tanay C <tanay.c@samsung.com>
4416
4417 Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
4418 https://bugs.webkit.org/show_bug.cgi?id=132331
4419
4420 Reviewed by Darin Adler.
4421
4422 * dfg/DFGFixupPhase.cpp:
4423 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
4424
4425 2014-05-09 peavo@outlook.com <peavo@outlook.com>
4426
4427 [Win] Crash when enabling DFG JIT.
4428 https://bugs.webkit.org/show_bug.cgi?id=132683
4429
4430 Reviewed by Geoffrey Garen.
4431
4432 On Windows, using register GPRInfo::regT0 as a parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)
4433 results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
4434 where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
4435 This causes the register to be written to address 0, hence the crash.
4436
4437 * dfg/DFGOSRExitCompiler32_64.cpp:
4438 (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
4439 * dfg/DFGOSRExitCompiler64.cpp:
4440 (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
4441
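The overload hazard behind the two "[Win] Enum type with value zero" entries and the "[Win] Crash when enabling DFG JIT" entry above, as an added example that is not JavaScriptCore's own code: a register enum whose first enumerator is 0 sits beside a storeDouble overload taking an address, and the fix is to give the address parameter a type with an explicit constructor. MockAssembler, StoreRecord and the helper functions are hypothetical stand-ins; only RegisterID/TrustedImmPtr mirror names from the entries.

```cpp
#include <cstddef>
#include <type_traits>
#include <vector>

namespace enum_overload {

// Register enums in the style of JSC's GPRInfo/FPRInfo: the first register is 0.
enum RegisterID { regT0 = 0, regT1 = 1, regT2 = 2 };
enum FPRegisterID { fpRegT0 = 0, fpRegT1 = 1 };

// Strong wrapper for an absolute address, modelled on JSC's TrustedImmPtr.
// 'explicit' is the whole point: nothing converts to it unless the call site
// names the type, so a register enum can never be mistaken for an address.
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* value) : m_value(value) {}
    const void* m_value;
};

enum class StoreKind { RegisterAddressed, AbsoluteAddress };

struct StoreRecord {
    StoreKind kind;
    int baseRegister;     // meaningful for RegisterAddressed
    const void* address;  // meaningful for AbsoluteAddress
};

// Records what each storeDouble overload would emit instead of emitting machine code.
class MockAssembler {
public:
    // Store through the address held in a general-purpose register.
    void storeDouble(FPRegisterID, RegisterID base) {
        m_stores.push_back({StoreKind::RegisterAddressed, static_cast<int>(base), nullptr});
    }
    // Store to an absolute address. Before the fix this overload took const void*.
    void storeDouble(FPRegisterID, TrustedImmPtr address) {
        m_stores.push_back({StoreKind::AbsoluteAddress, -1, address.m_value});
    }
    const std::vector<StoreRecord>& stores() const { return m_stores; }
private:
    std::vector<StoreRecord> m_stores;
};

// A const void* parameter accepts any null pointer constant; that is the path MSVC
// took for an enum whose value is zero (regT0), turning a register-addressed store
// into a write to address 0.
static_assert(std::is_convertible<std::nullptr_t, const void*>::value,
              "const void* accepts null pointer constants");
// TrustedImmPtr closes that path: neither nullptr, integers nor register enums convert.
static_assert(!std::is_convertible<std::nullptr_t, TrustedImmPtr>::value, "no implicit nullptr");
static_assert(!std::is_convertible<int, TrustedImmPtr>::value, "no implicit int");
static_assert(!std::is_convertible<RegisterID, TrustedImmPtr>::value, "no implicit RegisterID");

// With the fixed overload set, passing regT0 can only select the register overload.
StoreKind storeKindForRegT0() {
    MockAssembler jit;
    jit.storeDouble(fpRegT0, regT0);
    return jit.stores().back().kind;
}

int baseRegisterForRegT0() {
    MockAssembler jit;
    jit.storeDouble(fpRegT0, regT0);
    return jit.stores().back().baseRegister;
}

// An absolute store now has to say so at the call site.
bool absoluteStoreRecordsGivenAddress() {
    double slot = 0.0;
    MockAssembler jit;
    jit.storeDouble(fpRegT0, TrustedImmPtr(&slot));
    const StoreRecord& rec = jit.stores().back();
    return rec.kind == StoreKind::AbsoluteAddress && rec.address == &slot;
}

} // namespace enum_overload
```
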
4442 2014-05-09 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
4443
4444 REGRESSION(r167094): JSC crashes on ARM Traditional
4445 https://bugs.webkit.org/show_bug.cgi?id=132738
4446
4447 Reviewed by Zoltan Herczeg.
4448
4449 PC is two instructions ahead of the current instruction
4450 on ARM Traditional, so the distance is 8 bytes not 2.
4451
4452 * llint/LowLevelInterpreter.asm:
4453
4454 2014-05-09 Alberto Garcia <berto@igalia.com>
4455
4456 jsmin.py license header confusing, mentions non-free license
4457 https://bugs.webkit.org/show_bug.cgi?id=123665
4458
4459 Reviewed by Darin Adler.
4460
4461 Pull the most recent version from upstream, which has a clear
4462 license.
4463
4464 * inspector/scripts/jsmin.py:
4465
4466 2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
4467
4468 Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
4469 https://bugs.webkit.org/show_bug.cgi?id=132695
4470
4471 Reviewed by Filip Pizlo.
4472
4473 We check in the case where we're accessing something other than the base object (e.g. the prototype),
4474 but we fail to do so for the base object.
4475
4476 * jit/Repatch.cpp:
4477 (JSC::tryCacheGetByID):
4478 (JSC::tryBuildGetByIDList):
4479 * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
4480 because all of the values that are returned that could be impure are set to uncacheable anyways.
4481 (WTF::ImpureGetter::ImpureGetter):
4482 (WTF::ImpureGetter::createStructure):
4483 (WTF::ImpureGetter::create):
4484 (WTF::ImpureGetter::finishCreation):
4485 (WTF::ImpureGetter::getOwnPropertySlot):
4486 (WTF::ImpureGetter::visitChildren):
4487 (WTF::ImpureGetter::setDelegate):
4488 (GlobalObject::finishCreation):
4489 (functionCreateImpureGetter):
4490 (functionSetImpureGetterDelegate):
4491 * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
4492 (foo):
4493
4494 2014-05-08 Filip Pizlo <fpizlo@apple.com>
4495
4496 deleteAllCompiledCode() shouldn't use the suspension worklist
4497 https://bugs.webkit.org/show_bug.cgi?id=132708
4498
4499 Reviewed by Mark Hahnenberg.
4500
4501 * bytecode/CodeBlock.cpp:
4502 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
4503 * dfg/DFGPlan.cpp:
4504 (JSC::DFG::Plan::isStillValid):
4505 * heap/Heap.cpp:
4506 (JSC::Heap::deleteAllCompiledCode):
4507
4508 2014-05-08 Filip Pizlo <fpizlo@apple.com>
4509
4510 SSA conversion should delete PhantomLocals for captured variables
4511 https://bugs.webkit.org/show_bug.cgi?id=132693
4512
4513 Reviewed by Mark Hahnenberg.
4514
4515 * dfg/DFGCommon.cpp:
4516 (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
4517 * dfg/DFGCommon.h:
4518 * dfg/DFGFixupPhase.cpp:
4519 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
4520 * dfg/DFGLivenessAnalysisPhase.cpp:
4521 (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
4522 * dfg/DFGSSAConversionPhase.cpp:
4523 (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
4524 * dfg/DFGValidate.cpp: Use the workaround.
4525 * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
4526 (foo):
4527 (bar):
4528
4529 2014-05-07 Commit Queue <commit-queue@webkit.org>
4530
4531 Unreviewed, rolling out r168451.
4532 https://bugs.webkit.org/show_bug.cgi?id=132670
4533
4534 Not a speed-up, just do what other compilers do. (Requested by
4535 kling on #webkit).
4536
4537 Reverted changeset:
4538
4539 "[X86] Emit BT instruction for single-bit tests."
4540 https://bugs.webkit.org/show_bug.cgi?id=132650
4541 http://trac.webkit.org/changeset/168451
4542
4543 2014-05-07 Filip Pizlo <fpizlo@apple.com>
4544
4545 Make Executable::clearCode() actually clear all of the entrypoints, and
4546 clean up some other FTL-related calling convention stuff.
4547 <rdar://problem/16720172>
4548
4549 Rubber stamped by Mark Hahnenberg.
4550
4551 * dfg/DFGOperations.cpp:
4552 * dfg/DFGOperations.h:
4553 * dfg/DFGWorklist.cpp:
4554 (JSC::DFG::Worklist::Worklist):
4555 (JSC::DFG::Worklist::finishCreation):
4556 (JSC::DFG::Worklist::create):
4557 (JSC::DFG::ensureGlobalDFGWorklist):
4558 (JSC::DFG::ensureGlobalFTLWorklist):
4559 * dfg/DFGWorklist.h:
4560 * heap/CodeBlockSet.cpp:
4561 (JSC::CodeBlockSet::dump):
4562 * heap/CodeBlockSet.h:
4563 * runtime/Executable.cpp:
4564 (JSC::ExecutableBase::clearCode):
4565
4566 2014-05-07 Andreas Kling <akling@apple.com>
4567
4568 [X86] Emit BT instruction for single-bit tests.
4569 <https://webkit.org/b/132650>
4570
4571 Implement test-bit-and-branch slightly more efficiently by using
4572 BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
4573 a single bit.
4574
4575 Reviewed by Michael Saboff.
4576
4577 * assembler/MacroAssemblerX86Common.h:
4578 (JSC::MacroAssemblerX86Common::singleBitIndex):
4579 (JSC::MacroAssemblerX86Common::branchTest32):
4580 * assembler/X86Assembler.h:
4581 (JSC::X86Assembler::bt_i8r):
4582 (JSC::X86Assembler::bt_i8m):
4583
4584 2014-05-07 Mark Lam <mark.lam@apple.com>
4585
4586 REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
4587 <https://webkit.org/b/131356>
4588
4589 Reviewed by Geoffrey Garen.
4590
4591 The issue is that GC needs to be made aware of writes to m_inferredValue
4592 in the VariableWatchpointSet, but was not. As a result, if a JSCell*
4593 is written to a VariableWatchpointSet m_inferredValue, and that JSCell
4594 does not survive an eden GC shortly after, we will end up with a stale
4595 JSCell pointer left in the m_inferredValue.
4596
4597 This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
4598 using DumpRenderTree with the VM heap in zombie mode.
4599
4600 The fix is to change VariableWatchpointSet m_inferredValue to type
4601 WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
4602 is executed by all the execution engines so that the WriteBarrier semantics
4603 are honored.
4604
4605 We still check if the value to be written is the same as the one in the
4606 inferredValue. We'll by-pass calling the slow path notifyWrite() if the
4607 values are the same.
4608
4609 * JavaScriptCore.xcodeproj/project.pbxproj:
4610 * bytecode/CodeBlock.cpp:
4611 (JSC::CodeBlock::CodeBlock):
4612 - need to pass the symbolTable to prepareToWatch() because it will be needed
4613 for instantiating the VariableWatchpointSet in prepareToWatch().
4614
4615 * bytecode/VariableWatchpointSet.h:
4616 (JSC::VariableWatchpointSet::VariableWatchpointSet):
4617 - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
4618 write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
4619 (JSC::VariableWatchpointSet::inferredValue):
4620 (JSC::VariableWatchpointSet::invalidate):
4621 (JSC::VariableWatchpointSet::finalizeUnconditionally):
4622 (JSC::VariableWatchpointSet::addressOfInferredValue):
4623 (JSC::VariableWatchpointSet::notifyWrite): Deleted.
4624 * bytecode/VariableWatchpointSetInlines.h: Added.
4625 (JSC::VariableWatchpointSet::notifyWrite):
4626
4627 * dfg/DFGByteCodeParser.cpp:
4628 (JSC::DFG::ByteCodeParser::cellConstant):
4629 - Added an assert in case we try to make constants of zombified JSCells again.
4630
4631 * dfg/DFGOperations.cpp:
4632 * dfg/DFGOperations.h:
4633 * dfg/DFGSpeculativeJIT.h:
4634 (JSC::DFG::SpeculativeJIT::callOperation):
4635 * dfg/DFGSpeculativeJIT32_64.cpp:
4636 (JSC::DFG::SpeculativeJIT::compile):
4637 * dfg/DFGSpeculativeJIT64.cpp:
4638 (JSC::DFG::SpeculativeJIT::compile):
4639 - We now let the slow path handle the cases when the VariableWatchpointSet is
4640 in state ClearWatchpoint and IsWatched, and the slow path will ensure that
4641 we handle the needed write barrier semantics correctly.
4642 We will by-pass the slow path if the value being written is the same as the
4643 inferred value.
4644
4645 * ftl/FTLIntrinsicRepository.h:
4646 * ftl/FTLLowerDFGToLLVM.cpp:
4647 (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
4648 - Let the slow path handle the cases when the VariableWatchpointSet is
4649 in state ClearWatchpoint and IsWatched.
4650 We will by-pass the slow path if the value being written is the same as the
4651 inferred value.
4652
4653 * heap/Heap.cpp:
4654 (JSC::Zombify::operator()):
4655 - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
4656 which is used everywhere else).
4657 * heap/Heap.h:
4658 (JSC::Heap::isZombified):
4659 - Provide a convenience test function to check if JSCells are zombified. This is
4660 currently only used in an assertion in the DFG bytecode parser, but the intent
4661 is that we'll apply this test in other strategic places later to help with early
4662 detection of usage of GC'ed objects when we run in zombie mode.
4663
4664 * jit/JITOpcodes.cpp:
4665 (JSC::JIT::emitSlow_op_captured_mov):
4666 * jit/JITOperations.h:
4667 * jit/JITPropertyAccess.cpp:
4668 (JSC::JIT::emitNotifyWrite):
4669 * jit/JITPropertyAccess32_64.cpp:
4670 (JSC::JIT::emitNotifyWrite):
4671 (JSC::JIT::emitSlow_op_put_to_scope):
4672 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
4673 is in state ClearWatchpoint and IsWatched.
4674 We will by-pass the slow path if the value being written is the same as the
4675 inferred value.
4676
4677 * llint/LowLevelInterpreter32_64.asm:
4678 * llint/LowLevelInterpreter64.asm:
4679 - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
4680 is in state ClearWatchpoint and IsWatched.
4681 We will by-pass the slow path if the value being written is the same as the
4682 inferred value.
4683
4684 * runtime/CommonSlowPaths.cpp:
4685
4686 * runtime/JSCJSValue.h: Fixed some typos in the comments.
4687 * runtime/JSGlobalObject.cpp:
4688 (JSC::JSGlobalObject::addGlobalVar):
4689 (JSC::JSGlobalObject::addFunction):
4690 * runtime/JSSymbolTableObject.h:
4691 (JSC::symbolTablePut):
4692 (JSC::symbolTablePutWithAttributes):
4693 * runtime/SymbolTable.cpp:
4694 (JSC::SymbolTableEntry::prepareToWatch):
4695 (JSC::SymbolTableEntry::notifyWriteSlow):
4696 * runtime/SymbolTable.h:
4697 (JSC::SymbolTableEntry::notifyWrite):
4698
4699 2014-05-06 Michael Saboff <msaboff@apple.com>
4700
4701 Unreviewed build fix for C-LOOP after r168396.
4702
4703 * runtime/TestRunnerUtils.cpp:
4704 (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
4705
4706 2014-05-06 Michael Saboff <msaboff@apple.com>
4707
4708 Add test for deleteAllCompiledCode
4709 https://bugs.webkit.org/show_bug.cgi?id=132632
4710
4711 Reviewed by Phil Pizlo.
4712
4713 Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
4714 the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
4715 to write a test that will queue up loads of DFG compiles and then call
4716 Heap::deleteAllCompiledCode() to make sure that it can handle compiled
4717 code as well as code being compiled.
4718
4719 * jsc.cpp:
4720 (GlobalObject::finishCreation):
4721 (functionDeleteAllCompiledCode):
4722 (functionOptimizeNextInvocation):
4723 * runtime/TestRunnerUtils.cpp:
4724 (JSC::optimizeNextInvocation):
4725 * runtime/TestRunnerUtils.h:
4726 * tests/stress/deleteAllCompiledCode.js: Added.
4727 (functionList):
4728 (runTest):
4729
4730 2014-05-06 Andreas Kling <akling@apple.com>
4731
4732 JSString::toAtomicString() should return AtomicString.
4733 <https://webkit.org/b/132627>
4734
4735 Remove premature optimization where I was trying to avoid refcount
4736 churn when returning an already atomicized String.
4737
4738 Instead of using reinterpret_cast to mangle the String member into
4739 a const AtomicString& return value, just return AtomicString.
4740
4741 Reviewed by Geoff Garen.
4742
4743 * runtime/JSString.h:
4744 (JSC::JSString::toAtomicString):
4745
4746 2014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>
4747
4748 Roll out r167889
4749
4750 Rubber stamped by Geoff Garen.
4751
4752 It broke some websites.
4753
4754 * runtime/JSPropertyNameIterator.cpp:
4755 (JSC::JSPropertyNameIterator::create):
4756 * runtime/PropertyMapHashTable.h:
4757 (JSC::PropertyTable::hasDeletedOffset):
4758 (JSC::PropertyTable::hadDeletedOffset): Deleted.
4759 * runtime/Structure.cpp:
4760 (JSC::Structure::Structure):
4761 (JSC::Structure::materializePropertyMap):
4762 (JSC::Structure::removePropertyTransition):
4763 (JSC::Structure::changePrototypeTransition):
4764 (JSC::Structure::despecifyFunctionTransition):
4765 (JSC::Structure::attributeChangeTransition):
4766 (JSC::Structure::toDictionaryTransition):
4767 (JSC::Structure::preventExtensionsTransition):
4768 (JSC::Structure::addPropertyWithoutTransition):
4769 (JSC::Structure::removePropertyWithoutTransition):
4770 (JSC::Structure::pin):
4771 (JSC::Structure::pinAndPreventTransitions): Deleted.
4772 * runtime/Structure.h:
4773 * runtime/StructureInlines.h:
4774 (JSC::Structure::setEnumerationCache):
4775 (JSC::Structure::propertyTable):
4776 (JSC::Structure::checkOffsetConsistency):
4777 (JSC::Structure::hadDeletedOffsets): Deleted.
4778 * tests/stress/for-in-after-delete.js:
4779 (foo): Deleted.
4780
4781 2014-05-05 Andreas Kling <akling@apple.com>
4782
4783 Fix debug build.
4784
4785 * runtime/JSCellInlines.h:
4786 (JSC::JSCell::fastGetOwnProperty):
4787
4788 2014-05-05 Andreas Kling <akling@apple.com>
4789
4790 Optimize GetByVal when subscript is a rope string.
4791 <https://webkit.org/b/132590>
4792
4793 Use JSString::toIdentifier() in the various GetByVal implementations
4794 to try and avoid allocating extra strings.
4795
4796 Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
4797 in that, to avoid calling JSString::value() which always resolves ropes
4798 into new strings and de-optimizes subsequent toIdentifier() calls.
4799
4800 My iMac says ~9% progression on Dromaeo/dom-attr.html
4801
4802 Reviewed by Phil Pizlo.
4803
4804 * dfg/DFGOperations.cpp:
4805 * jit/JITOperations.cpp:
4806 (JSC::getByVal):
4807 * llint/LLIntSlowPaths.cpp:
4808 (JSC::LLInt::getByVal):
4809 * runtime/JSCell.h:
4810 * runtime/JSCellInlines.h:
4811 (JSC::JSCell::fastGetOwnProperty):
4812 (JSC::JSCell::canUseFastGetOwnProperty):
4813
4814 2014-05-05 Andreas Kling <akling@apple.com>
4815
4816 REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
4817 <https://webkit.org/b/168256>
4818 <rdar://problem/16816316>
4819
4820 Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
4821 clear the fibers. The caller takes care of this.
4822
4823 Test: fast/dom/getElementById-with-rope-string-arg.html
4824
4825 Reviewed by Geoffrey Garen.
4826
4827 * runtime/JSString.cpp:
4828 (JSC::JSRopeString::resolveRopeSlowCase8):
4829
4830 2014-05-05 Michael Saboff <msaboff@apple.com>
4831
4832 REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
4833 https://bugs.webkit.org/show_bug.cgi?id=132581
4834
4835 Reviewed by Filip Pizlo.
4836
4837 * dfg/DFGPlan.cpp:
4838 (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
4839 started compiling for is still the same at the end of compilation.
4840 Also did some minor restructuring.
4841
4842 2014-05-05 Andreas Kling <akling@apple.com>
4843
4844 Optimize PutByVal when subscript is a rope string.
4845 <https://webkit.org/b/132572>
4846
4847 Add a JSString::toIdentifier() that is smarter when the JSString is
4848 really a rope string. Use this in baseline & DFG's PutByVal to avoid
4849 allocating new StringImpls that we immediately deduplicate anyway.
4850
4851 Reviewed by Antti Koivisto.
4852
4853 * dfg/DFGOperations.cpp:
4854 (JSC::DFG::operationPutByValInternal):
4855 * jit/JITOperations.cpp:
4856 * runtime/JSString.h:
4857 (JSC::JSString::toIdentifier):
4858
4859 2014-05-05 Andreas Kling <akling@apple.com>
4860
4861 Remove two now-incorrect assertions after r168256.
4862
4863 * runtime/JSString.cpp:
4864 (JSC::JSRopeString::resolveRopeSlowCase8):
4865 (JSC::JSRopeString::resolveRopeSlowCase):
4866
4867 2014-05-04 Andreas Kling <akling@apple.com>
4868
4869 Optimize JSRopeString for resolving directly to AtomicString.
4870 <https://webkit.org/b/132548>
4871
4872 If we know that the JSRopeString we are resolving is going to be used
4873 as an AtomicString, we can try to avoid creating a new string.
4874
4875 We do this by first resolving the rope into a stack buffer, and using
4876 that buffer as a key into the AtomicString table. If there is already
4877 an AtomicString with the same characters, we reuse that instead of
4878 constructing a new StringImpl.
4879
4880 JSString gains these two public functions:
4881
4882 - AtomicString toAtomicString()
4883
4884 Returns an AtomicString, tries to avoid allocating a new string
4885 if possible.
4886
4887 - AtomicStringImpl* toExistingAtomicString()
4888
4889 Returns a non-null AtomicStringImpl* if one already exists in the
4890 AtomicString table. If none is found, the rope is left unresolved.
4891
4892 Reviewed by Filip Pizlo.
4893
4894 * runtime/JSString.cpp:
4895 (JSC::JSRopeString::resolveRopeInternal8):
4896 (JSC::JSRopeString::resolveRopeInternal16):
4897 (JSC::JSRopeString::resolveRopeToAtomicString):
4898 (JSC::JSRopeString::clearFibers):
4899 (JSC::JSRopeString::resolveRopeToExistingAtomicString):
4900 (JSC::JSRopeString::resolveRope):
4901 (JSC::JSRopeString::outOfMemory):
4902 * runtime/JSString.h:
4903 (JSC::JSString::toAtomicString):
4904 (JSC::JSString::toExistingAtomicString):
4905
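The two JSString functions described in the entry above, toAtomicString() and toExistingAtomicString(), as an added example that is not JavaScriptCore's own code: a toy rope is written into a scratch buffer, the buffer is used as a key into an intern table standing in for the AtomicString table, and the rope is only collapsed when the lookup succeeds. AtomicTable, Rope and writeFibers are hypothetical stand-ins; the scratch buffer is heap-allocated here where JSC uses a stack buffer.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

namespace ropes {

// Stand-in for WTF's AtomicString table: one canonical std::string per distinct
// character sequence. Pointers into it stay valid because entries are never erased.
class AtomicTable {
public:
    // Look up without inserting; nullptr when no atomic string with these characters exists.
    const std::string* findExisting(const std::string& chars) const {
        auto it = m_entries.find(chars);
        return it == m_entries.end() ? nullptr : &*it;
    }
    // Look up, inserting a new canonical entry when none exists.
    const std::string* findOrAdd(const std::string& chars) {
        return &*m_entries.insert(chars).first;
    }
    std::size_t size() const { return m_entries.size(); }
private:
    std::unordered_set<std::string> m_entries;
};

// Toy JSRopeString: a leaf owns its characters; a rope holds fibers until resolved.
struct Rope {
    std::string leaf;                                 // characters of a leaf
    std::vector<std::shared_ptr<const Rope>> fibers;  // non-empty while unresolved
    const std::string* atomic = nullptr;              // set once resolved to a table entry

    static std::shared_ptr<Rope> makeLeaf(std::string s) {
        auto r = std::make_shared<Rope>();
        r->leaf = std::move(s);
        return r;
    }
    static std::shared_ptr<Rope> concat(std::shared_ptr<const Rope> a, std::shared_ptr<const Rope> b) {
        auto r = std::make_shared<Rope>();
        r->fibers = {std::move(a), std::move(b)};
        return r;
    }
    bool isRope() const { return !fibers.empty(); }
};

// Mirrors resolveRopeInternal: write every fiber's characters into a buffer the
// caller owns, without allocating a string for the rope itself.
static void writeFibers(const Rope& rope, std::string& buffer) {
    if (!rope.isRope()) {
        buffer += rope.atomic ? *rope.atomic : rope.leaf;
        return;
    }
    for (const auto& fiber : rope.fibers)
        writeFibers(*fiber, buffer);
}

// toExistingAtomicString: resolve into a scratch buffer, probe the table, and only
// collapse the rope when a matching atomic string already exists. Otherwise the
// fibers are left untouched and nullptr is returned.
const std::string* toExistingAtomicString(Rope& rope, const AtomicTable& table) {
    if (!rope.isRope())
        return rope.atomic ? rope.atomic : table.findExisting(rope.leaf);
    std::string scratch;
    writeFibers(rope, scratch);
    const std::string* existing = table.findExisting(scratch);
    if (!existing)
        return nullptr;
    rope.atomic = existing;  // reuse the canonical characters instead of a new StringImpl
    rope.fibers.clear();     // the rope is now resolved (clearFibers)
    return existing;
}

// toAtomicString: same probe, but insert when nothing matches, so the result is always atomic.
const std::string* toAtomicString(Rope& rope, AtomicTable& table) {
    if (const std::string* existing = toExistingAtomicString(rope, table))
        return existing;
    std::string scratch;
    writeFibers(rope, scratch);
    rope.atomic = table.findOrAdd(scratch);
    rope.fibers.clear();
    return rope.atomic;
}

} // namespace ropes
```
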
4906 2014-05-04 Andreas Kling <akling@apple.com>
4907
4908 Unreviewed, rolling out r168254.
4909
4910 Very crashy on debug JSC tests.
4911
4912 Reverted changeset:
4913
4914 "jsSubstring() should be lazy"
4915 https://bugs.webkit.org/show_bug.cgi?id=132556
4916 http://trac.webkit.org/changeset/168254
4917
4918 2014-05-04 Filip Pizlo <fpizlo@apple.com>
4919
4920 jsSubstring() should be lazy
4921 https://bugs.webkit.org/show_bug.cgi?id=132556
4922
4923 Reviewed by Andreas Kling.
4924
4925 jsSubstring() is now lazy by using a special rope that is a substring instead of a
4926 concatenation. To make this patch super simple, we require that a substring's base is
4927 never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
4928 path, or we go down a concatenation path which may see exactly one level of substrings in
4929 its fibers.
4930
4931 This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
4932
4933 * heap/MarkedBlock.cpp:
4934 (JSC::MarkedBlock::specializedSweep):
4935 * runtime/JSString.cpp:
4936 (JSC::JSRopeString::visitFibers):
4937 (JSC::JSRopeString::resolveRope):
4938 (JSC::JSRopeString::resolveRopeSlowCase8):
4939 (JSC::JSRopeString::resolveRopeSlowCase):
4940 (JSC::JSRopeString::outOfMemory):
4941 * runtime/JSString.h:
4942 (JSC::JSRopeString::finishCreation):
4943 (JSC::JSRopeString::append):
4944 (JSC::JSRopeString::create):
4945 (JSC::JSRopeString::offsetOfFibers):
4946 (JSC::JSRopeString::fiber):
4947 (JSC::JSRopeString::substringBase):
4948 (JSC::JSRopeString::substringOffset):
4949 (JSC::JSRopeString::substringSentinel):
4950 (JSC::JSRopeString::isSubstring):
4951 (JSC::jsSubstring):
4952 * runtime/RegExpMatchesArray.cpp:
4953 (JSC::RegExpMatchesArray::reifyAllProperties):
4954 * runtime/StringPrototype.cpp:
4955 (JSC::stringProtoFuncSubstring):
4956
4957 2014-05-02 Michael Saboff <msaboff@apple.com>
4958
4959 "arm64 function not 4-byte aligned" warnings when building JSC
4960 https://bugs.webkit.org/show_bug.cgi?id=132495
4961
4962 Reviewed by Geoffrey Garen.
4963
4964 Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
4965
4966 * llint/LowLevelInterpreter.cpp:
4967
4968 2014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>
4969
4970 Fix cloop build after r168178
4971
4972 * bytecode/CodeBlock.cpp:
4973
4974 2014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>
4975
4976 Add a DFG function whitelist
4977 https://bugs.webkit.org/show_bug.cgi?id=132437
4978
4979 Reviewed by Geoffrey Garen.
4980
4981 Oftentimes when debugging, using bytecode ranges isn't enough to narrow down to the
4982 particular DFG block that's causing issues. This patch adds the ability to whitelist
4983 specific functions specified in a file to enable further filtering without having to recompile.
4984
4985 * CMakeLists.txt:
4986 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4987 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
4988 * JavaScriptCore.xcodeproj/project.pbxproj:
4989 * dfg/DFGCapabilities.cpp:
4990 (JSC::DFG::isSupported):
4991 (JSC::DFG::mightInlineFunctionForCall):
4992 (JSC::DFG::mightInlineFunctionForClosureCall):
4993 (JSC::DFG::mightInlineFunctionForConstruct):
4994 * dfg/DFGFunctionWhitelist.cpp: Added.
4995 (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
4996 (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
4997 (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
4998 (JSC::DFG::FunctionWhitelist::contains):
4999 * dfg/DFGFunctionWhitelist.h: Added.
5000 * runtime/Options.cpp:
5001 (JSC::parse):
5002 (JSC::Options::dumpOption):
5003 * runtime/Options.h:
5004
5005 2014-05-02 Filip Pizlo <fpizlo@apple.com>
5006
5007 DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
5008 https://bugs.webkit.org/show_bug.cgi?id=132446
5009
5010 Reviewed by Mark Hahnenberg.
5011
5012 Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
5013 our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
5014 to indicate a bound on the value. This is useful for knowing, for example, that
5015 Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
5016 ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
5017 But this means that all arithmetic operations must be careful to note that they may
5018 turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
5019
5020 * dfg/DFGAbstractInterpreterInlines.h:
5021 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
5022 * dfg/DFGByteCodeParser.cpp:
5023 (JSC::DFG::ByteCodeParser::makeSafe):
5024 * tests/stress/int52-ai-add-then-filter-int32.js: Added.
5025 (foo):
5026 * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
5027 (foo):
5028 * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
5029 (foo):
5030 * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
5031 (foo):
5032 * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
5033 (foo):
5034 * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
5035 (foo):
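
The bound-changing behaviour described in the entry above, as an added example that is not part of this ChangeLog or of the DFG's own code (the bitmask representation of the bound, the sample operands and every helper name are assumptions): a transfer function that simply keeps the input bounds claims Int52 + Int52 stays Int52 and Int32 + Int32 stays Int32, and is shown to be unsound against concrete sums, whereas the union of both bounds passes the same check. The listed tests exercise the same point for sub, mul and neg.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// Constructed model of the bound an Int52Rep value carries: either
// provably within the Int32 range, or only within the Int52 range.
enum Bound : unsigned { Int32Bound = 1u, Int52Bound = 2u };
constexpr unsigned kEitherBound = Int32Bound | Int52Bound;

constexpr int64_t kInt32Max = std::numeric_limits<int32_t>::max();
constexpr int64_t kInt32Min = std::numeric_limits<int32_t>::min();
constexpr int64_t kInt52Max = (int64_t(1) << 51) - 1;
constexpr int64_t kInt52Min = -(int64_t(1) << 51);

bool fitsInt32(int64_t v) { return v >= kInt32Min && v <= kInt32Max; }
bool fitsInt52(int64_t v) { return v >= kInt52Min && v <= kInt52Max; }

// Concrete bound of one value (caller guarantees it fits in Int52).
Bound boundOf(int64_t v) { return fitsInt32(v) ? Int32Bound : Int52Bound; }

// Unsound abstract add: input bounds are passed straight through, so
// Int52 + Int52 is claimed to be Int52-only and Int32 + Int32 Int32-only.
unsigned passThroughAdd(unsigned lhs, unsigned rhs) { return lhs | rhs; }

// Sound abstract add, as the entry requires: arithmetic on Int32 or Int52
// inputs can land in either range, so the result bound is the union.
unsigned soundAdd(unsigned /*lhs*/, unsigned /*rhs*/) { return kEitherBound; }

using AbstractAdd = unsigned (*)(unsigned, unsigned);

// Checks an abstract transfer function against concrete operand pairs:
// the bound of every concrete sum must be contained in the abstract
// result. Returns the number of pairs the abstraction gets wrong.
int countUnsoundPairs(AbstractAdd transfer) {
    // Constructed sample operands spanning both bounds.
    const std::vector<int64_t> samples = {
        0, 1, -1, kInt32Max, kInt32Min, kInt32Max + 1,
        int64_t(1) << 40, -(int64_t(1) << 40), kInt52Max / 2, kInt52Min / 2 };
    int wrong = 0;
    for (int64_t a : samples) {
        for (int64_t b : samples) {
            int64_t sum = a + b;
            if (!fitsInt52(sum)) continue;  // overflow out of Int52 is a separate case
            unsigned predicted = transfer(boundOf(a), boundOf(b));
            if (!(predicted & boundOf(sum))) ++wrong;
        }
    }
    return wrong;
}
```

Concrete counterexamples the pass-through model misses: (1 << 40) + -(1 << 40) is 0, an Int32 produced from two Int52 inputs, and kInt32Max + 1 is an Int52 produced from two Int32 inputs; a later filter to Int32 would then be reasoning from a bound the value does not satisfy.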
5036
5037 2014-05-01 Geoffrey Garen <ggaren@apple.com>
5038
5039 JavaScriptCore fails to build with some versions of clang
5040 https://bugs.webkit.org/show_bug.cgi?id=132436
5041
5042 Reviewed by Anders Carlsson.
5043
5044 * runtime/ArgumentsIteratorConstructor.cpp: Since we call
5045 putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
5046 and both are marked inline, it's valid for the compiler to decide
5047 to inline both and emit neither in the binary. Therefore, we need
5048 both inline definitions to be available in the translation unit at
5049 compile time, or we'll try to link against a function that doesn't exist.
5050
5051 2014-05-01 Commit Queue <commit-queue@webkit.org>
5052
5053 Unreviewed, rolling out r167964.
5054 https://bugs.webkit.org/show_bug.cgi?id=132431
5055
5056 Memory improvements should not regress memory usage (Requested
5057 by olliej on #webkit).
5058
5059 Reverted changeset:
5060
5061 "Don't hold on to parameter BindingNodes forever"
5062 https://bugs.webkit.org/show_bug.cgi?id=132360
5063 http://trac.webkit.org/changeset/167964
5064
5065 2014-05-01 Filip Pizlo <fpizlo@apple.com>
5066
5067 Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
5068 https://bugs.webkit.org/show_bug.cgi?id=132427
5069
5070 Reviewed by Mark Hahnenberg.
5071
5072 * bytecode/CallLinkStatus.cpp:
5073 (JSC::CallLinkStatus::computeFor):
5074
5075 2014-04-30 Simon Fraser <simon.fraser@apple.com>
5076
5077 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
5078 https://bugs.webkit.org/show_bug.cgi?id=132396
5079
5080 Reviewed by Eric Carlson.
5081
5082 Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
5083
5084 * Configurations/FeatureDefines.xcconfig:
5085
5086 2014-04-30 Filip Pizlo <fpizlo@apple.com>
5087
5088 Argument flush formats should not be presumed to be JSValue since 'this' is weird
5089 https://bugs.webkit.org/show_bug.cgi?id=132404
5090
5091 Reviewed by Michael Saboff.
5092
5093 * dfg/DFGSpeculativeJIT.cpp:
5094 (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
5095 * dfg/DFGSpeculativeJIT32_64.cpp:
5096 (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
5097 * dfg/DFGSpeculativeJIT64.cpp:
5098 (JSC::DFG::SpeculativeJIT::compile): Ditto.
5099 * dfg/DFGValueSource.cpp:
5100 (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
5101 * dfg/DFGValueSource.h:
5102 (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
5103 * ftl/FTLOSREntry.cpp:
5104 (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
5105 * tests/stress/strict-to-this-int.js: Added.
5106 (foo):
5107 (Number.prototype.valueOf):
5108 (test):
5109
5110 2014-04-29 Oliver Hunt <oliver@apple.com>
5111
5112 Don't hold on to parameterBindingNodes forever
5113 https://bugs.webkit.org/show_bug.cgi?id=132360
5114
5115 Reviewed by Geoffrey Garen.
5116
5117 Don't keep the parameter nodes anymore. Instead we store the
5118 original parameter string and reparse whenever we actually
5119 need them. Because we only actually need them for compilation
5120 this only results in a single extra parse.
5121
5122 * bytecode/UnlinkedCodeBlock.cpp:
5123 (JSC::generateFunctionCodeBlock):
5124 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
5125 (JSC::UnlinkedFunctionExecutable::visitChildren):
5126 (JSC::UnlinkedFunctionExecutable::finishCreation):
5127 (JSC::UnlinkedFunctionExecutable::paramString):
5128 (JSC::UnlinkedFunctionExecutable::parameters):
5129 (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
5130 * bytecode/UnlinkedCodeBlock.h:
5131 (JSC::UnlinkedFunctionExecutable::create):
5132 (JSC::UnlinkedFunctionExecutable::parameterCount):
5133 (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
5134 (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
5135 * parser/ASTBuilder.h:
5136 (JSC::ASTBuilder::ASTBuilder):
5137 (JSC::ASTBuilder::setFunctionBodyParameters):
5138 * parser/Nodes.h:
5139 (JSC::FunctionBodyNode::parametersStartOffset):
5140 (JSC::FunctionBodyNode::parametersEndOffset):
5141 (JSC::FunctionBodyNode::setParameterLocation):
5142 * parser/Parser.cpp:
5143 (JSC::Parser<LexerType>::parseFunctionInfo):
5144 (JSC::parseParameters):
5145 * parser/Parser.h:
5146 (JSC::parse):
5147 * parser/SourceCode.h:
5148 (JSC::SourceCode::subExpression):
5149 * parser/SyntaxChecker.h:
5150 (JSC::SyntaxChecker::setFunctionBodyParameters):
5151
5152 2014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
5153
5154 JSProxies should be cacheable
5155 https://bugs.webkit.org/show_bug.cgi?id=132351
5156
5157 Reviewed by Geoffrey Garen.
5158
5159 Whenever we encounter a proxy in an inline cache we should try to cache on the
5160 proxy's target instead of giving up.
5161
5162 This patch adds support for a simple "recursive" inline cache if the base object
5163 we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
5164 are the only ones to benefit from this right now.
5165
5166 This is performance neutral on the benchmarks we track. Currently we won't
5167 cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
5168
5169 * jit/Repatch.cpp:
5170 (JSC::generateByIdStub):
5171 (JSC::tryBuildGetByIDList):
5172 (JSC::tryCachePutByID):
5173 (JSC::tryBuildPutByIdList):
5174 * jsc.cpp:
5175 (GlobalObject::finishCreation):
5176 (functionCreateProxy):
5177 * runtime/IntendedStructureChain.cpp:
5178 (JSC::IntendedStructureChain::isNormalized):
5179 * runtime/JSCellInlines.h:
5180 (JSC::JSCell::isProxy):
5181 * runtime/JSGlobalObject.h:
5182 (JSC::JSGlobalObject::finishCreation):
5183 * runtime/JSProxy.h:
5184 (JSC::JSProxy::createStructure):
5185 (JSC::JSProxy::targetOffset):
5186 * runtime/JSType.h:
5187 * runtime/Operations.h:
5188 (JSC::isPrototypeChainNormalized):
5189 * runtime/Structure.h:
5190 (JSC::Structure::isProxy):
5191 * tests/stress/proxy-inline-cache.js: Added.
5192 (cacheOnTarget.getX):
5193 (cacheOnTarget):
5194 (cacheOnPrototypeOfTarget.getX):
5195 (cacheOnPrototypeOfTarget):
5196 (dontCacheOnProxyInPrototypeChain.getX):
5197 (dontCacheOnProxyInPrototypeChain):
5198 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
5199 (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
5200
5201 2014-04-29 Filip Pizlo <fpizlo@apple.com>
5202
5203 Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
5204 https://bugs.webkit.org/show_bug.cgi?id=112840
5205
5206 Rubber stamped by Geoffrey Garen.
5207
5208 * Configurations/FeatureDefines.xcconfig:
5209
5210 2014-04-29 Geoffrey Garen <ggaren@apple.com>
5211
5212 String.prototype.trim removes U+200B from strings.
5213 https://bugs.webkit.org/show_bug.cgi?id=130184
5214
5215 Reviewed by Michael Saboff.
5216
5217 * runtime/StringPrototype.cpp:
5218 (JSC::trimString):
5219 (JSC::isTrimWhitespace): Deleted.
5220
5221 2014-04-29 Mark Lam <mark.lam@apple.com>
5222
5223 Zombifying sweep should ignore retired blocks.
5224 <https://webkit.org/b/132344>
5225
5226 Reviewed by Mark Hahnenberg.
5227
5228 By definition, retired blocks do not have "dead" objects, or at least
5229 none that we know of yet until the next marking phase has been run
5230 over it. So, we should not be sweeping them (even for zombie mode).
5231
5232 * heap/Heap.cpp:
5233 (JSC::Heap::zombifyDeadObjects):
5234 * heap/MarkedSpace.cpp:
5235 (JSC::MarkedSpace::zombifySweep):
5236 * heap/MarkedSpace.h:
5237 (JSC::ZombifySweep::operator()):
5238
5239 2014-04-29 Mark Lam <mark.lam@apple.com>
5240
5241 Fix bit rot in zombie mode heap code.
5242 <https://webkit.org/b/132342>
5243
5244 Reviewed by Mark Hahnenberg.
5245
5246 Need to enter a DelayedReleaseScope before doing a sweep.
5247
5248 * heap/Heap.cpp:
5249 (JSC::Heap::zombifyDeadObjects):
5250
5251 2014-04-29 Tomas Popela <tpopela@redhat.com>
5252
5253 LLINT loadisFromInstruction doesn't need special case for big endians
5254 https://bugs.webkit.org/show_bug.cgi?id=132330
5255
5256 Reviewed by Mark Lam.
5257
5258 The change introduced in r167076 was wrong. We should not apply the offset
5259 adjustment on loadisFromInstruction usage as the instruction
5260 (UnlinkedInstruction) is declared as a union (i.e. with the int32_t
5261 operand variable). The offset of the other union members will be the
5262 same as the offset of the first one, that is 0. The behavior here is the
5263 same on little and big endian architectures. Thus we don't need a
5264 special case for big endians.
5265
5266 * llint/LowLevelInterpreter.asm:
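
As an added illustration of the layout rule in the entry above (example code, not part of this ChangeLog or of JavaScriptCore; the union members, the helper names and the contrast case are assumptions): every member of a union starts at byte offset 0 on any architecture, so a 32-bit operand is read at the same address on little- and big-endian machines. The case that does need an endianness adjustment is a 32-bit value packed into a plain 64-bit integer slot, where the low half sits at byte 0 on little-endian and byte 4 on big-endian.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-in for a union-typed instruction word. The real
// UnlinkedInstruction has more members; the offset rule is the same.
union InstructionWord {
    int32_t operand;   // the int32_t operand the entry refers to
    intptr_t pointer;  // a pointer-sized member sharing the same storage
};

// Byte offset of each union member: 0 by the C++ object model.
size_t operandOffset() { return offsetof(InstructionWord, operand); }
size_t pointerOffset() { return offsetof(InstructionWord, pointer); }

bool isLittleEndian() {
    uint16_t probe = 1;
    unsigned char firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// Contrast case: a 32-bit value stored inside a 64-bit slot (not a union).
// Returns the byte offset at which the low 32 bits actually live.
size_t low32OffsetInsideUint64() {
    uint64_t slot = 1;  // the value lives entirely in the low 32 bits
    unsigned char bytes[sizeof slot];
    std::memcpy(bytes, &slot, sizeof slot);
    return bytes[0] == 1 ? 0 : 4;
}

// Writing the int32_t member and reading it back through the union needs
// no endianness adjustment on either byte order.
int32_t roundTrip(int32_t v) {
    InstructionWord w{};
    w.operand = v;
    return w.operand;
}
```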
5267
5268 2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>
5269
5270 Simplify tryCacheGetById
5271 https://bugs.webkit.org/show_bug.cgi?id=132314
5272
5273 Reviewed by Oliver Hunt and Filip Pizlo.
5274
5275 This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
5276
5277 * jit/Repatch.cpp:
5278 (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
5279
5280 2014-04-28 Michael Saboff <msaboff@apple.com>
5281
5282 REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
5283 https://bugs.webkit.org/show_bug.cgi?id=132315
5284
5285 Reviewed by Mark Hahnenberg.
5286
5287 Used the StringImpl version of utf8() instead of creating a String first.
5288
5289 * bytecode/CodeBlock.cpp:
5290 (JSC::CodeBlock::dumpBytecode):
5291
5292 2014-04-28 Filip Pizlo <fpizlo@apple.com>
5293
5294 The LLInt is awesome and it should get more of the action.
5295
5296 Rubber stamped by Geoffrey Garen.
5297
5298 5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.
5299
5300 * runtime/Options.h:
5301
5302 2014-04-27 Filip Pizlo <fpizlo@apple.com>
5303
5304 GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
5305 https://bugs.webkit.org/show_bug.cgi?id=132166
5306
5307 Reviewed by Oliver Hunt and Mark Hahnenberg.
5308
5309 The GC can aid type inference by removing structures that are dead and jettisoning
5310 code that relies on those structures. This can dramatically accelerate type inference
5311 for some tricky programs.
5312
5313 Unfortunately, we previously pinned any structures that enqueued compilations depended
5314 on. This means that if you're on a machine that only runs a single compilation thread
5315 and where compilations are relatively slow, you have a high chance of large numbers of
5316 structures being pinned during any GC since the compilation queue is likely to be full
5317 of random stuff.
5318
5319 This comprehensively fixes this issue by allowing the GC to remove compilation plans
5320 if the things they depend on are dead, and to even cancel safepointed compilations.
5321
5322 * bytecode/CodeBlock.cpp:
5323 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
5324 (JSC::CodeBlock::isKnownToBeLiveDuringGC):
5325 (JSC::CodeBlock::finalizeUnconditionally):
5326 * bytecode/CodeBlock.h:
5327 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
5328 * dfg/DFGDesiredIdentifiers.cpp:
5329 (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
5330 * dfg/DFGDesiredIdentifiers.h:
5331 * dfg/DFGDesiredWatchpoints.h:
5332 * dfg/DFGDesiredWeakReferences.cpp:
5333 (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
5334 * dfg/DFGDesiredWeakReferences.h:
5335 * dfg/DFGGraphSafepoint.cpp:
5336 (JSC::DFG::GraphSafepoint::GraphSafepoint):
5337 * dfg/DFGGraphSafepoint.h:
5338 * dfg/DFGPlan.cpp:
5339 (JSC::DFG::Plan::Plan):
5340 (JSC::DFG::Plan::compileInThread):
5341 (JSC::DFG::Plan::compileInThreadImpl):
5342 (JSC::DFG::Plan::notifyCompiling):
5343 (JSC::DFG::Plan::notifyCompiled):
5344 (JSC::DFG::Plan::notifyReady):
5345 (JSC::DFG::Plan::checkLivenessAndVisitChildren):
5346 (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
5347 (JSC::DFG::Plan::cancel):
5348 (JSC::DFG::Plan::visitChildren): Deleted.
5349 * dfg/DFGPlan.h:
5350 * dfg/DFGSafepoint.cpp:
5351 (JSC::DFG::Safepoint::Result::~Result):
5352 (JSC::DFG::Safepoint::Result::didGetCancelled):
5353 (JSC::DFG::Safepoint::Safepoint):
5354 (JSC::DFG::Safepoint::~Safepoint):
5355 (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
5356 (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
5357 (JSC::DFG::Safepoint::cancel):
5358 (JSC::DFG::Safepoint::visitChildren): Deleted.
5359 * dfg/DFGSafepoint.h:
5360 (JSC::DFG::Safepoint::Result::Result):
5361 * dfg/DFGWorklist.cpp:
5362 (JSC::DFG::Worklist::compilationState):
5363 (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
5364 (JSC::DFG::Worklist::removeAllReadyPlansForVM):
5365 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
5366 (JSC::DFG::Worklist::visitWeakReferences):
5367 (JSC::DFG::Worklist::removeDeadPlans):
5368 (JSC::DFG::Worklist::runThread):
5369 (JSC::DFG::Worklist::visitChildren): Deleted.
5370 * dfg/DFGWorklist.h:
5371 * ftl/FTLCompile.cpp:
5372 (JSC::FTL::compile):
5373 * ftl/FTLCompile.h:
5374 * heap/CodeBlockSet.cpp:
5375 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
5376 * heap/Heap.cpp:
5377 (JSC::Heap::markRoots):
5378 (JSC::Heap::visitCompilerWorklistWeakReferences):
5379 (JSC::Heap::removeDeadCompilerWorklistEntries):
5380 (JSC::Heap::visitWeakHandles):
5381 (JSC::Heap::collect):
5382 (JSC::Heap::visitCompilerWorklists): Deleted.
5383 * heap/Heap.h:
5384
5385 2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>
5386
5387 Deleting properties poisons objects
5388 https://bugs.webkit.org/show_bug.cgi?id=131551
5389
5390 Reviewed by Oliver Hunt.
5391
5392 This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
5393
5394 * runtime/JSPropertyNameIterator.cpp:
5395 (JSC::JSPropertyNameIterator::create):
5396 * runtime/PropertyMapHashTable.h:
5397 (JSC::PropertyTable::hasDeletedOffset):
5398 (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
5399 iterating properties because we're required to iterate properties in insertion order.
5400 * runtime/Structure.cpp:
5401 (JSC::Structure::Structure):
5402 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
5403 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
5404 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
5405 delete transitions, but we allow transitioning from them.
5406 (JSC::Structure::changePrototypeTransition):
5407 (JSC::Structure::despecifyFunctionTransition):
5408 (JSC::Structure::attributeChangeTransition):
5409 (JSC::Structure::toDictionaryTransition):
5410 (JSC::Structure::preventExtensionsTransition):
5411 (JSC::Structure::addPropertyWithoutTransition):
5412 (JSC::Structure::removePropertyWithoutTransition):
5413 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
5414 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
5415 * runtime/Structure.h:
5416 * runtime/StructureInlines.h:
5417 (JSC::Structure::setEnumerationCache):
5418 (JSC::Structure::hadDeletedOffsets):
5419 (JSC::Structure::propertyTable):
5420 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
5421 * tests/stress/for-in-after-delete.js: Added.
5422 (foo):
5423
5424 2014-04-25 Andreas Kling <akling@apple.com>
5425
5426 Inline (C++) GetByVal with numeric indices more aggressively.
5427 <https://webkit.org/b/132218>
5428
5429 We were already inlining the string indexed GetByVal path pretty well,
5430 while the path for numeric indices got neglected. No more!
5431
5432 ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
5433
5434 Before: 199.50 runs/s
5435 After: 218.58 runs/s
5436
5437 Reviewed by Phil Pizlo.
5438
5439 * dfg/DFGOperations.cpp:
5440 * runtime/JSCJSValueInlines.h:
5441 (JSC::JSValue::get):
5442
5443 ALWAYS_INLINE all the things.
5444
5445 * runtime/JSObject.h:
5446 (JSC::JSObject::getPropertySlot):
5447
5448 Avoid fetching the Structure more than once. We have the same
5449 optimization in the string-indexed code path.
5450
5451 2014-04-25 Oliver Hunt <oliver@apple.com>
5452
5453 Need earlier cell test
5454 https://bugs.webkit.org/show_bug.cgi?id=132211
5455
5456 Reviewed by Mark Lam.
5457
5458 Move cell test to before the function call repatch
5459 location, as the repatch logic for 32bit assumes that the
5460 caller will already have performed a cell check.
5461
5462 * jit/JITCall32_64.cpp:
5463 (JSC::JIT::compileOpCall):
5464
5465 2014-04-25 Andreas Kling <akling@apple.com>
5466
5467 Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
5468
5469 * runtime/JSGlobalObject.h:
5470 (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
5471 (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
5472
5473 2014-04-25 Andreas Kling <akling@apple.com>
5474
5475 Windows build fix attempt.
5476
5477 * runtime/JSGlobalObject.h:
5478 (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
5479
5480 2014-04-25 Mark Lam <mark.lam@apple.com>
5481
5482 Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
5483 <https://webkit.org/b/132201>
5484
5485 Reviewed by Joseph Pecoraro.
5486
5487 BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
5488 BreakpointActions everywhere.
5489
5490 * inspector/ScriptBreakpoint.h:
5491 (Inspector::ScriptBreakpoint::ScriptBreakpoint):
5492 * inspector/ScriptDebugServer.cpp:
5493 (Inspector::ScriptDebugServer::setBreakpoint):
5494 (Inspector::ScriptDebugServer::getActionsForBreakpoint):
5495 * inspector/ScriptDebugServer.h:
5496 * inspector/agents/InspectorDebuggerAgent.cpp:
5497 (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
5498 (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
5499 (Inspector::InspectorDebuggerAgent::setBreakpoint):
5500 (Inspector::InspectorDebuggerAgent::removeBreakpoint):
5501 * inspector/agents/InspectorDebuggerAgent.h:
5502
5503 2014-04-24 Filip Pizlo <fpizlo@apple.com>
5504
5505 DFG worklist scanning should not treat the key as a separate entity
5506 https://bugs.webkit.org/show_bug.cgi?id=132167
5507
5508 Reviewed by Mark Hahnenberg.
5509
5510 This simplifies the interface to the GC and will enable more optimizations.
5511
5512 * dfg/DFGCompilationKey.cpp:
5513 (JSC::DFG::CompilationKey::visitChildren): Deleted.
5514 * dfg/DFGCompilationKey.h:
5515 * dfg/DFGPlan.cpp:
5516 (JSC::DFG::Plan::visitChildren):
5517 * dfg/DFGWorklist.cpp:
5518 (JSC::DFG::Worklist::visitChildren):
5519
5520 2014-04-25 Oliver Hunt <oliver@apple.com>
5521
5522 Remove unused parameter from codeblock linking function
5523 https://bugs.webkit.org/show_bug.cgi?id=132199
5524
5525 Reviewed by Anders Carlsson.
5526
5527 No change in behaviour. This is just a small change to make it
5528 slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
5529 actually mean.
5530
5531 * bytecode/UnlinkedCodeBlock.cpp:
5532 (JSC::UnlinkedFunctionExecutable::link):
5533 * bytecode/UnlinkedCodeBlock.h:
5534 * runtime/Executable.cpp:
5535 (JSC::ProgramExecutable::initializeGlobalProperties):
5536
5537 2014-04-25 Andreas Kling <akling@apple.com>
5538
5539 Mark some things with WTF_MAKE_FAST_ALLOCATED.
5540 <https://webkit.org/b/132198>
5541
5542 Use FastMalloc for more things.
5543
5544 Reviewed by Anders Carlsson.
5545
5546 * builtins/BuiltinExecutables.h:
5547 * heap/GCThreadSharedData.h:
5548 * inspector/JSConsoleClient.h:
5549 * inspector/agents/InspectorAgent.h:
5550 * runtime/CodeCache.h:
5551 * runtime/JSGlobalObject.h:
5552 * runtime/Lookup.cpp:
5553 (JSC::HashTable::createTable):
5554 (JSC::HashTable::deleteTable):
5555 * runtime/WeakGCMap.h:
5556
5557 2014-04-25 Antoine Quint <graouts@webkit.org>
5558
5559 Implement Array.prototype.find()
5560 https://bugs.webkit.org/show_bug.cgi?id=130966
5561
5562 Reviewed by Oliver Hunt.
5563
5564 Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
5565
5566 * builtins/Array.prototype.js:
5567 (find):
5568 (findIndex):
5569 * runtime/ArrayPrototype.cpp:
5570
5571 2014-04-24 Brady Eidson <beidson@apple.com>
5572
5573 Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
5574 https://bugs.webkit.org/show_bug.cgi?id=132155
5575
5576 Reviewed by Tim Horton.
5577
5578 * Configurations/FeatureDefines.xcconfig:
5579
5580 2014-04-24 Michael Saboff <msaboff@apple.com>
5581
5582 REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
5583 https://bugs.webkit.org/show_bug.cgi?id=132147
5584
5585 Reviewed by Mark Lam.
5586
5587 Fixed or64(), eor32() and eor64() to use "src" register when we have a valid logicalImm.
5588
5589 * assembler/MacroAssemblerARM64.h:
5590 (JSC::MacroAssemblerARM64::or64):
5591 (JSC::MacroAssemblerARM64::xor32):
5592 (JSC::MacroAssemblerARM64::xor64):
5593 * tests/stress/regress-132147.js: Added test.
5594
5595 2014-04-24 Mark Lam <mark.lam@apple.com>
5596
5597 Make slowPathAllocsBetweenGCs a runtime option.
5598 <https://webkit.org/b/132137>
5599
5600 Reviewed by Mark Hahnenberg.
5601
5602 This will make it easier to more casually run tests with this configuration
5603 as well as to reproduce issues (instead of requiring a code mod and rebuild).
5604 We will now take --slowPathAllocsBetweenGCs=N where N is the number of
5605 slow path allocations before we trigger a collection.
5606
5607 The option defaults to 0, which is reserved to mean that we will not trigger
5608 any collections there.
5609
5610 * heap/Heap.h:
5611 * heap/MarkedAllocator.cpp:
5612 (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
5613 (JSC::MarkedAllocator::allocateSlowCase):
5614 * heap/MarkedAllocator.h:
5615 * runtime/Options.h:
5616
5617 2014-04-23 Mark Lam <mark.lam@apple.com>
5618
5619 The GC should only resume compiler threads that it suspended in the same GC pass.
5620 <https://webkit.org/b/132088>
5621
5622 Reviewed by Mark Hahnenberg.
5623
5624 Previously, this scenario could occur:
5625 1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
5626 no worklists were created yet at that time.
5627 2. Thread 2 starts to compile some functions and creates a DFG worklist, and
5628 acquires the worklist thread's lock.
5629 3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
5630 This time, it sees the worklist created by Thread 2 and ends up unlocking
5631 the worklist thread's lock that is supposedly held by Thread 2.
5632 Thereafter, chaos ensues.
5633
5634 The fix is to cache the worklists that were actually suspended by each GC pass,
5635 and only resume those when the GC is done.
5636
5637 This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
5638 the fast/workers layout tests.
5639
5640 * heap/Heap.cpp:
5641 (JSC::Heap::visitCompilerWorklists):
5642 (JSC::Heap::deleteAllCompiledCode):
5643 (JSC::Heap::suspendCompilerThreads):
5644 (JSC::Heap::resumeCompilerThreads):
5645 * heap/Heap.h:
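
The three-step race in the entry above, replayed as an added example (not code from this ChangeLog or from JavaScriptCore; the lock type, the registry, the pass names and the thread ids are assumptions). A lock that records its owner stands in for the worklist thread's lock so that releasing a lock held by another thread is reported rather than, as with a real mutex, being undefined behaviour. The "before" pass resumes every worklist that exists at resume time; the "after" pass resumes only the worklists it suspended in the same GC pass.

```cpp
#include <memory>
#include <vector>

// Lock that remembers its owner so that a mismatched release is observable.
struct OwnedLock {
    int owner = 0;  // 0 means unlocked
    bool acquire(int who) {
        if (owner != 0) return false;
        owner = who;
        return true;
    }
    // Returns false and leaves the lock untouched when `who` is not the holder.
    bool release(int who) {
        if (owner != who) return false;
        owner = 0;
        return true;
    }
};

struct Worklist { OwnedLock threadLock; };
using Registry = std::vector<std::shared_ptr<Worklist>>;  // worklists are created lazily

constexpr int kGCThread = 1;        // "Thread 1" in the entry
constexpr int kCompilerThread = 2;  // "Thread 2" in the entry

// Before the fix: resume walks whatever worklists exist at resume time.
struct GCPassBefore {
    void suspendCompilerThreads(Registry& registry) {
        for (auto& w : registry) w->threadLock.acquire(kGCThread);
    }
    // Returns the number of releases attempted on locks held by someone else.
    int resumeCompilerThreads(Registry& registry) {
        int mismatched = 0;
        for (auto& w : registry)
            if (!w->threadLock.release(kGCThread)) ++mismatched;
        return mismatched;
    }
};

// After the fix: remember exactly which worklists this pass suspended and
// resume only those.
struct GCPassAfter {
    std::vector<std::shared_ptr<Worklist>> suspended;
    void suspendCompilerThreads(Registry& registry) {
        suspended.clear();
        for (auto& w : registry)
            if (w->threadLock.acquire(kGCThread)) suspended.push_back(w);
    }
    int resumeCompilerThreads() {
        int mismatched = 0;
        for (auto& w : suspended)
            if (!w->threadLock.release(kGCThread)) ++mismatched;
        suspended.clear();
        return mismatched;
    }
};

// Replays the three steps from the entry; returns the mismatched-release count.
int replayBefore() {
    Registry registry;                          // 1. GC starts: no worklists exist yet
    GCPassBefore gc;
    gc.suspendCompilerThreads(registry);
    auto w = std::make_shared<Worklist>();      // 2. compiler thread creates a worklist
    w->threadLock.acquire(kCompilerThread);     //    and holds its lock
    registry.push_back(w);
    return gc.resumeCompilerThreads(registry);  // 3. GC "resumes" a lock it never took
}

int replayAfter() {
    Registry registry;
    GCPassAfter gc;
    gc.suspendCompilerThreads(registry);
    auto w = std::make_shared<Worklist>();
    w->threadLock.acquire(kCompilerThread);
    registry.push_back(w);
    return gc.resumeCompilerThreads();          // resumes nothing: nothing was suspended
}

// The fixed pass still resumes the worklists it did suspend.
bool afterResumesWhatItSuspended() {
    Registry registry{ std::make_shared<Worklist>() };
    GCPassAfter gc;
    gc.suspendCompilerThreads(registry);
    bool heldByGC = registry[0]->threadLock.owner == kGCThread;
    int mismatched = gc.resumeCompilerThreads();
    return heldByGC && mismatched == 0 && registry[0]->threadLock.owner == 0;
}
```

The same ownership rule is what the later "DFG::Worklist should acquire the m_lock before iterating DFG plans" entry relies on: whoever iterates or resumes must be the party that actually holds the lock, and a pass that records what it acquired cannot release on behalf of someone else.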
5646
5647 2014-04-23 Mark Hahnenberg <mhahnenberg@apple.com>
5648
5649 Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
5650 https://bugs.webkit.org/show_bug.cgi?id=132079
5651
5652 Reviewed by Michael Saboff.
5653
5654 Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
5655
5656 Also added a test that previously triggered this bug.
5657
5658 * runtime/Arguments.cpp:
5659 (JSC::Arguments::copyBackingStore): D'oh!
5660 * tests/stress/arguments-copy-register-array-backing-store.js: Added.
5661 (foo):
5662 (bar):
5663
5664 2014-04-23 Mark Rowe <mrowe@apple.com>
5665
5666 [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
5667 <https://webkit.org/b/132053>
5668
5669 Reviewed by Dan Bernstein.
5670
5671 * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
5672 the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
5673 from /bin/sh since that generates unnecessary output.
5674
5675 2014-04-22 Mark Lam <mark.lam@apple.com>
5676
5677 DFG::Worklist should acquire the m_lock before iterating DFG plans.
5678 <https://webkit.org/b/132032>
5679
5680 Reviewed by Filip Pizlo.
5681
5682 Currently, there's a rightToRun mechanism that ensures that no compilation
5683 threads are running when the GC is iterating through the DFG worklists.
5684 However, this does not prevent a Worker thread from doing a DFG compilation
5685 and modifying the plans in the worklists thereby invalidating the plan
5686 iterator that the GC is using. This patch fixes the issue by acquiring
5687 the worklist m_lock before iterating the worklist plans.
5688
5689 This issue was uncovered by running the fast/workers layout tests with
5690 COLLECT_ON_EVERY_ALLOCATION enabled.
5691
5692 * dfg/DFGWorklist.cpp:
5693 (JSC::DFG::Worklist::isActiveForVM):
5694 (JSC::DFG::Worklist::visitChildren):
5695
5696 2014-04-22 Brent Fulgham <bfulgham@apple.com>
5697
5698 [Win] Support Python 2.7 in Cygwin
5699 https://bugs.webkit.org/show_bug.cgi?id=132023
5700
5701 Reviewed by Michael Saboff.
5702
5703 * DerivedSources.make: Use a conditional variable to define
5704 the path to Python/Perl.
5705
5706 2014-04-22 Filip Pizlo <fpizlo@apple.com>
5707
5708 Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
5709 https://bugs.webkit.org/show_bug.cgi?id=130867
5710 <rdar://problem/16432456>
5711
5712 Reviewed by Mark Hahnenberg.
5713
5714 * Configurations/Base.xcconfig:
5715 * Configurations/LLVMForJSC.xcconfig:
5716
5717 2014-04-22 Alex Christensen <achristensen@webkit.org>
5718
5719 [Win] Unreviewed build fix after my r167666.
5720
5721 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
5722 Added ../../../ again to include headers in Source/JavaScriptCore.
5723
5724 2014-04-22 Alex Christensen <achristensen@webkit.org>
5725
5726 Removed old stdbool and inttypes headers.
5727 https://bugs.webkit.org/show_bug.cgi?id=131966
5728
5729 Reviewed by Brent Fulgham.
5730
5731 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
5732 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
5733 Removed references to os-win32 directory.
5734 * os-win32: Removed.
5735 * os-win32/inttypes.h: Removed.
5736 * os-win32/stdbool.h: Removed.
5737
5738 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5739
5740 DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
5741 https://bugs.webkit.org/show_bug.cgi?id=131971
5742 <rdar://problem/16676511>
5743
5744 Reviewed by Mark Lam.
5745
5746 * dfg/DFGClobberize.h:
5747 (JSC::DFG::clobberize):
5748
5749 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5750
5751 Switch statements that skip the baseline JIT should work
5752 https://bugs.webkit.org/show_bug.cgi?id=131965
5753
5754 Reviewed by Mark Hahnenberg.
5755
5756 * bytecode/JumpTable.h:
5757 (JSC::SimpleJumpTable::ensureCTITable):
5758 * dfg/DFGSpeculativeJIT.cpp:
5759 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
5760 * jit/JITOpcodes.cpp:
5761 (JSC::JIT::emit_op_switch_imm):
5762 (JSC::JIT::emit_op_switch_char):
5763 * jit/JITOpcodes32_64.cpp:
5764 (JSC::JIT::emit_op_switch_imm):
5765 (JSC::JIT::emit_op_switch_char):
5766 * tests/stress/inline-llint-with-switch.js: Added.
5767 (foo):
5768 (bar):
5769 (test):
5770
5771 2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
5772
5773 Arguments objects shouldn't need a destructor
5774 https://bugs.webkit.org/show_bug.cgi?id=131899
5775
5776 Reviewed by Oliver Hunt.
5777
5778 This patch rids Arguments objects of their destructors. It does this by
5779 switching their backing stores to use CopiedSpace rather than malloc memory.
5780
5781 * dfg/DFGSpeculativeJIT.cpp:
5782 (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
5783 Arguments allocation so that it only emits an extra write for strict mode code rather
5784 than unconditionally.
5785 * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
5786 * runtime/Arguments.cpp:
5787 (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
5788 (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
5789 (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
5790 (JSC::Arguments::deleteProperty):
5791 (JSC::Arguments::defineOwnProperty):
5792 (JSC::Arguments::allocateRegisterArray):
5793 (JSC::Arguments::tearOff):
5794 (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
5795 * runtime/Arguments.h:
5796 (JSC::Arguments::registerArraySizeInBytes):
5797 (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
5798 in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
5799 allocation.
5800 (JSC::Arguments::SlowArgumentData::slowArguments):
5801 (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
5802 (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
5803 (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
5804 (JSC::Arguments::Arguments):
5805 (JSC::Arguments::allocateSlowArguments):
5806 (JSC::Arguments::tryDeleteArgument):
5807 (JSC::Arguments::isDeletedArgument):
5808 (JSC::Arguments::isArgument):
5809 (JSC::Arguments::argument):
5810 (JSC::Arguments::finishCreation):
5811 * runtime/SymbolTable.h:
5812
5813 2014-04-21 Eric Carlson <eric.carlson@apple.com>
5814
5815 [Mac] implement WebKitDataCue
5816 https://bugs.webkit.org/show_bug.cgi?id=131799
5817
5818 Reviewed by Dean Jackson.
5819
5820 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
5821
5822 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5823
5824 Unreviewed test gardening, run the repeat-out-of-bounds tests again.
5825
5826 * tests/stress/float32-repeat-out-of-bounds.js:
5827 * tests/stress/int8-repeat-out-of-bounds.js:
5828
5829 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5830
5831 OSR exit should know about Int52 and Double constants
5832 https://bugs.webkit.org/show_bug.cgi?id=131945
5833
5834 Reviewed by Oliver Hunt.
5835
5836 The DFG OSR exit machinery's ignorance would lead to some constants becoming
5837 jsUndefined() after OSR exit.
5838
5839 The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
5840 stackmap constant rather than baking the constant into the OSRExit data structure.
5841 So, not a big deal, but worth fixing.
5842
5843 Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
5844
5845 * dfg/DFGByteCodeParser.cpp:
5846 (JSC::DFG::ByteCodeParser::handleIntrinsic):
5847 * dfg/DFGMinifiedNode.h:
5848 (JSC::DFG::belongsInMinifiedGraph):
5849 (JSC::DFG::MinifiedNode::hasConstantNumber):
5850 * ftl/FTLLowerDFGToLLVM.cpp:
5851 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
5852 * jsc.cpp:
5853 (GlobalObject::finishCreation):
5854 (functionOtherFalse):
5855 (functionUndefined):
5856 * runtime/Intrinsic.h:
5857 * tests/stress/fold-to-double-constant-then-exit.js: Added.
5858 (foo):
5859 * tests/stress/fold-to-int52-constant-then-exit.js: Added.
5860 (foo):
5861
5862 2014-04-21 Filip Pizlo <fpizlo@apple.com>
5863
5864 Provide feedback when we encounter an unrecognized node in the FTL backend.
5865
5866 Rubber stamped by Alexey Proskuryakov.
5867
5868 * ftl/FTLLowerDFGToLLVM.cpp:
5869 (JSC::FTL::LowerDFGToLLVM::compileNode):
5870
5871 2014-04-21 Andreas Kling <akling@apple.com>
5872
5873 Move the JSString cache from DOMWrapperWorld to VM.
5874 <https://webkit.org/b/131940>
5875
5876 Reviewed by Geoff Garen.
5877
5878 * runtime/VM.h:
5879
5880 2014-04-19 Filip Pizlo <fpizlo@apple.com>
5881
5882 Take block execution count estimates into account when voting double
5883 https://bugs.webkit.org/show_bug.cgi?id=131906
5884
5885 Reviewed by Geoffrey Garen.
5886
5887 This was a drama in three acts.
5888
5889 Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
5890 number of uses of a variable that want double or non-double. Easy as pie. This
5891 gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
5892 else.
5893
5894 Act II: Realize that there were some programs where our previous double voting was
5895 just on the edge of disaster and making it more precise tipped it over. In
5896 particular, if you had an integer variable that would infrequently be used in a
5897 computation that resulted in a variable that was frequently used as an array index,
5898 the outer infrequentness would be the thing we'd use in the vote. So, an array
5899 index would become double. We fix this by reviving global backwards propagation
5900 and introducing the concept of ReallyWantsInt, which is used just for array
5901 indices. Any variable transitively flagged as ReallyWantsInt will never be forced
5902 double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
5903 be set in bitops for RageConversion but using it for double forcing is too much.
5904 Basically, it's cheaper to have to convert a double to an int for a bitop than it
5905 is to convert a double to an int for an array index; also a variable being used as
5906 an array index is a much stronger hint that it ought to be an int. This recovered
5907 performance on everything except programs that used FTL OSR entry.
5908
5909 Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
5910 count, which then completely pollutes the weighting - essentially all votes go
5911 NaN. Fix this with some surgical defenses. Basically, any client of execution
5912 counts should allow for them to be NaN and shouldn't completely fall off a cliff
5913 when it happens.
5914
5915 This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
5916 7% speed-up on AsmBench and 2% speed-up on Kraken.
5917
5918 * CMakeLists.txt:
5919 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
5920 * JavaScriptCore.xcodeproj/project.pbxproj:
5921 * dfg/DFGBackwardsPropagationPhase.cpp:
5922 (JSC::DFG::BackwardsPropagationPhase::run):
5923 (JSC::DFG::BackwardsPropagationPhase::propagate):
5924 * dfg/DFGGraph.cpp:
5925 (JSC::DFG::Graph::dumpBlockHeader):
5926 * dfg/DFGGraph.h:
5927 (JSC::DFG::Graph::voteNode):
5928 (JSC::DFG::Graph::voteChildren):
5929 * dfg/DFGNodeFlags.cpp:
5930 (JSC::DFG::dumpNodeFlags):
5931 * dfg/DFGNodeFlags.h:
5932 * dfg/DFGOSREntrypointCreationPhase.cpp:
5933 (JSC::DFG::OSREntrypointCreationPhase::run):
5934 * dfg/DFGPlan.cpp:
5935 (JSC::DFG::Plan::compileInThreadImpl):
5936 * dfg/DFGPredictionPropagationPhase.cpp:
5937 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5938 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
5939 * dfg/DFGVariableAccessData.cpp: Added.
5940 (JSC::DFG::VariableAccessData::VariableAccessData):
5941 (JSC::DFG::VariableAccessData::mergeIsCaptured):
5942 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
5943 (JSC::DFG::VariableAccessData::predict):
5944 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
5945 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5946 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
5947 (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
5948 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
5949 (JSC::DFG::VariableAccessData::flushFormat):
5950 * dfg/DFGVariableAccessData.h:
5951 (JSC::DFG::VariableAccessData::vote):
5952 (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
5953 (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
5954 (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
5955 (JSC::DFG::VariableAccessData::predict): Deleted.
5956 (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
5957 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
5958 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
5959 (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
5960 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
5961 (JSC::DFG::VariableAccessData::flushFormat): Deleted.
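
The three acts above can be followed in a small model. This is an added example, not JSC's DFGVariableAccessData code: the Use/Tally types, the neutral weight of 1 for a NaN execution count, the ReallyWantsInt override and the 0.5 decision ratio are assumptions chosen to mirror the description, and the unguarded tally is kept only to show how a single NaN count poisons every vote.

```cpp
#include <cmath>
#include <vector>

// Constructed model of execution-count-weighted double voting (added example, not JSC code).
enum class Vote { Double, Value };

struct Use {
    Vote vote;
    double blockExecutionCount; // NaN for blocks synthesized by OSR entrypoint creation
};

struct Tally {
    double doubleWeight = 0;
    double valueWeight = 0;
};

// Act III's defense: a NaN execution count is an unknown, so it gets a neutral
// weight instead of turning every sum it touches into NaN.
inline double voteWeight(double executionCount)
{
    if (std::isnan(executionCount))
        return 1.0;
    return executionCount;
}

inline Tally tallyVotes(const std::vector<Use>& uses)
{
    Tally tally;
    for (const Use& use : uses) {
        double weight = voteWeight(use.blockExecutionCount);
        if (use.vote == Vote::Double)
            tally.doubleWeight += weight;
        else
            tally.valueWeight += weight;
    }
    return tally;
}

// The unguarded Act I version, kept to show the failure mode: one NaN count and the
// whole fraction becomes NaN, so every comparison against it is false.
inline double naiveDoubleFraction(const std::vector<Use>& uses)
{
    double doubleWeight = 0, valueWeight = 0;
    for (const Use& use : uses) {
        if (use.vote == Vote::Double)
            doubleWeight += use.blockExecutionCount;
        else
            valueWeight += use.blockExecutionCount;
    }
    return doubleWeight / (doubleWeight + valueWeight);
}

// Act II's override plus the weighted decision. A variable transitively flagged
// ReallyWantsInt (array index) is never forced double regardless of the vote;
// otherwise the weighted double votes must exceed `ratio` of the total.
inline bool shouldUseDoubleFormat(const std::vector<Use>& uses, bool reallyWantsInt, double ratio = 0.5)
{
    if (reallyWantsInt)
        return false;
    Tally tally = tallyVotes(uses);
    double total = tally.doubleWeight + tally.valueWeight;
    if (!(total > 0)) // written this way so an empty or NaN total lands here too
        return false;
    return tally.doubleWeight / total > ratio;
}
```

With two hot double uses (count 100 each), one cold value use and one use in a NaN-count block, `naiveDoubleFraction` returns NaN while `tallyVotes` yields 200 against 2 and the variable is voted double, unless it is flagged ReallyWantsInt.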
5962
5963 2014-04-21 Michael Saboff <msaboff@apple.com>
5964
5965 REGRESSION(r167591): ARM64 and ARM traditional builds broken
5966 https://bugs.webkit.org/show_bug.cgi?id=131935
5967
5968 Reviewed by Mark Hahnenberg.
5969
5970 Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
5971 macro assemblers. Added a new test for the original patch.
5972
5973 * assembler/MacroAssemblerARM.h:
5974 (JSC::MacroAssemblerARM::store8):
5975 * assembler/MacroAssemblerARM64.h:
5976 (JSC::MacroAssemblerARM64::store8):
5977 * tests/stress/dfg-create-arguments-inline-alloc.js: New test.
5978
5979 2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
5980
5981 Inline allocate Arguments objects in the DFG
5982 https://bugs.webkit.org/show_bug.cgi?id=131897
5983
5984 Reviewed by Geoffrey Garen.
5985
5986 Many libraries/frameworks depend on the arguments object for overloaded API entry points.
5987 This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
5988 for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
5989
5990 * dfg/DFGSpeculativeJIT.cpp:
5991 (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
5992 * dfg/DFGSpeculativeJIT.h:
5993 (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
5994 * dfg/DFGSpeculativeJIT32_64.cpp:
5995 (JSC::DFG::SpeculativeJIT::compile):
5996 * dfg/DFGSpeculativeJIT64.cpp:
5997 (JSC::DFG::SpeculativeJIT::compile):
5998 * runtime/Arguments.h:
5999 (JSC::Arguments::offsetOfActivation):
6000 (JSC::Arguments::offsetOfOverrodeLength):
6001 (JSC::Arguments::offsetOfIsStrictMode):
6002 (JSC::Arguments::offsetOfRegisterArray):
6003 (JSC::Arguments::offsetOfCallee):
6004 (JSC::Arguments::allocationSize):
6005
6006 2014-04-20 Andreas Kling <akling@apple.com>
6007
6008 Speed up jsStringWithCache() through WeakGCMap inlining.
6009 <https://webkit.org/b/131923>
6010
6011 Always inline WeakGCMap::add() but move the slow garbage collecting
6012 path out-of-line.
6013
6014 Reviewed by Darin Adler.
6015
6016 * runtime/WeakGCMap.h:
6017 (JSC::WeakGCMap::add):
6018 (JSC::WeakGCMap::gcMap):
6019
6020 2014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
6021
6022 JavaScriptCore: ARM build fix after r167094.
6023 https://bugs.webkit.org/show_bug.cgi?id=131612
6024
6025 Reviewed by Michael Saboff.
6026
6027 After r167094 there are many build errors on ARM like these:
6028
6029 /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
6030 /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
6031 /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
6032 /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
6033
6034 The problem is caused by wrongly generated assembly like:
6035 "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
6036
6037 `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
6038 the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
6039 Add a new ARM-specific offline assembler instruction (`mvlbl`) for the following llint_entry
6040 use case: move rn, (label1-label2), which is translated to movw and movt.
6041
6042 * llint/LowLevelInterpreter.asm:
6043 * offlineasm/arm.rb:
6044 * offlineasm/instructions.rb:
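
The encodability rule behind the "invalid constant (425a) after fixup" errors above, and the movw/movt split the entry describes, as an added example. This is not the offlineasm's Ruby backend: it implements the A32 data-processing immediate rule (an 8-bit value rotated right by an even amount) and a lowering that emits `movw` plus `movt` only when a plain `mov` cannot encode the constant; the register name and the rendered text are constructed.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// True if `value` fits the 8-bit-rotated-by-an-even-amount form a plain A32 `mov` can encode.
inline bool isArmModifiedImmediate(uint32_t value)
{
    for (unsigned rot = 0; rot < 32; rot += 2) {
        // Rotating left by `rot` undoes a right rotation by `rot`; if the result fits
        // in 8 bits, the encoder can express `value` as ROR(imm8, rot).
        uint32_t unrotated = (value << rot) | (value >> ((32 - rot) & 31));
        if (unrotated <= 0xffu)
            return true;
    }
    return false;
}

// How to load `value` into a register: one `mov`, or a `movw`/`movt` pair.
struct MovLowering {
    bool needsPair;   // false: single mov; true: movw low half, then movt high half
    uint16_t low16;
    uint16_t high16;
};

inline MovLowering lowerMov(uint32_t value)
{
    MovLowering lowering;
    lowering.needsPair = !isArmModifiedImmediate(value);
    lowering.low16 = static_cast<uint16_t>(value & 0xffffu);
    lowering.high16 = static_cast<uint16_t>(value >> 16);
    return lowering;
}

// Render as assembler text the way an offline assembler backend would emit it.
// movw zero-extends its 16-bit immediate, so movt is only needed for a nonzero high half.
inline std::vector<std::string> emitMov(const std::string& reg, uint32_t value)
{
    MovLowering lowering = lowerMov(value);
    std::vector<std::string> out;
    if (!lowering.needsPair) {
        out.push_back("mov " + reg + ", #" + std::to_string(value));
        return out;
    }
    out.push_back("movw " + reg + ", #" + std::to_string(lowering.low16));
    if (lowering.high16)
        out.push_back("movt " + reg + ", #" + std::to_string(lowering.high16));
    return out;
}
```

0x425a spans bits 1 through 14, so no rotation brings it under 8 bits and it needs the pair; 0xff000000 is 0xff rotated right by 8 and stays a single `mov`.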
6045
6046 2014-04-20 Csaba Osztrogonác <ossy@webkit.org>
6047
6048 [ARM] Unreviewed build fix after r167336.
6049
6050 * assembler/MacroAssemblerARM.h:
6051 (JSC::MacroAssemblerARM::branchAdd32):
6052
6053 2014-04-20 Commit Queue <commit-queue@webkit.org>
6054
6055 Unreviewed, rolling out r167501.
6056 https://bugs.webkit.org/show_bug.cgi?id=131913
6057
6058 It broke DYEBench (Requested by mhahnenberg on #webkit).
6059
6060 Reverted changeset:
6061
6062 "Deleting properties poisons objects"
6063 https://bugs.webkit.org/show_bug.cgi?id=131551
6064 http://trac.webkit.org/changeset/167501
6065
6066 2014-04-19 Filip Pizlo <fpizlo@apple.com>
6067
6068 It should be OK to store new fields into objects that have no prototypes
6069 https://bugs.webkit.org/show_bug.cgi?id=131905
6070
6071 Reviewed by Mark Hahnenberg.
6072
6073 * dfg/DFGByteCodeParser.cpp:
6074 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
6075 * tests/stress/put-by-id-transition-null-prototype.js: Added.
6076 (foo):
6077
6078 2014-04-19 Benjamin Poulain <bpoulain@apple.com>
6079
6080 Make the CSS JIT compile for ARM64
6081 https://bugs.webkit.org/show_bug.cgi?id=131834
6082
6083 Reviewed by Gavin Barraclough.
6084
6085 Extend the ARM64 MacroAssembler to support the code generation required by
6086 the CSS JIT.
6087
6088 * assembler/MacroAssembler.h:
6089 * assembler/MacroAssemblerARM64.h:
6090 (JSC::MacroAssemblerARM64::addPtrNoFlags):
6091 (JSC::MacroAssemblerARM64::or32):
6092 (JSC::MacroAssemblerARM64::branchPtr):
6093 (JSC::MacroAssemblerARM64::test32):
6094 (JSC::MacroAssemblerARM64::branch):
6095 * assembler/MacroAssemblerX86Common.h:
6096 (JSC::MacroAssemblerX86Common::test32):
6097
6098 2014-04-19 Andreas Kling <akling@apple.com>
6099
6100 Two little shortcuts to the JSType.
6101 <https://webkit.org/b/131896>
6102
6103 Tweak two sites that take the long road through JSCell::structure()->typeInfo()
6104 to look at data that's already in JSCell::type().
6105
6106 Reviewed by Darin Adler.
6107
6108 * runtime/NameInstance.h:
6109 (JSC::isName):
6110 * runtime/NumberPrototype.cpp:
6111 (JSC::toThisNumber):
6112
6113 2014-04-19 Filip Pizlo <fpizlo@apple.com>
6114
6115 Make it easier to check if an integer sum would overflow
6116 https://bugs.webkit.org/show_bug.cgi?id=131900
6117
6118 Reviewed by Darin Adler.
6119
6120 * dfg/DFGOperations.cpp:
6121 * runtime/Operations.h:
6122 (JSC::jsString):
6123
6124 2014-04-19 Filip Pizlo <fpizlo@apple.com>
6125
6126 Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
6127
6128 * dfg/DFGOperations.cpp:
6129 * runtime/JSString.h:
6130 (JSC::JSRopeString::RopeBuilder::append):
6131
6132 2014-04-18 Mark Lam <mark.lam@apple.com>
6133
6134 REGRESSION(r164205): WebKit crash @StructureIDTable::get.
6135 <https://webkit.org/b/130539>
6136
6137 Reviewed by Geoffrey Garen.
6138
6139 prepareOSREntry() prepares for OSR entry by first copying the local var
6140 values from the baseline frame to a scratch buffer, which is then used
6141 to fill in the locals in their new position in the DFG frame. Unfortunately,
6142 prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
6143 size of the baseline frame. As a result, some values of locals in the
6144 baseline frame were not saved off, and the DFG frame may get initialized
6145 with random content that happened to be in the uninitialized (and possibly
6146 unallocated) portions of the scratch buffer.
6147
6148 The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
6149 number of locals in the baseline frame that we want to copy to the scratch
6150 buffer.
6151
6152 Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
6153 at offset 0 in the scratch buffer. So, we continue to write that value
6154 there, not the baseline frame size.
6155
6156 * dfg/DFGOSREntry.cpp:
6157 (JSC::DFG::prepareOSREntry):
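
The producer/consumer mismatch the entry describes, modelled as an added example. This is not JSC's prepareOSREntry(): the buffer layout (slot 0 holds the DFG frameRegisterCount for the entry thunk, one slot per baseline local after it) and the stale-memory sentinel are assumptions; the "buggy" variant sizes the copy by the DFG frame, the "fixed" variant by the number of locals the entry data expects.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the OSR entry scratch-buffer handoff (added example, not JSC code).
const uint64_t kStale = 0xDEADBEEFDEADBEEFull; // stands in for whatever was left in the buffer

struct ScratchBuffer {
    std::vector<uint64_t> slots;
};

// Copy `localsToCopy` locals out of the baseline frame. The header slot always carries
// the DFG frame size, because that is what the entry thunk reads at offset 0.
inline ScratchBuffer prepareScratch(const std::vector<uint64_t>& baselineLocals,
                                    size_t dfgFrameRegisterCount, size_t localsToCopy)
{
    ScratchBuffer buffer;
    buffer.slots.assign(1 + baselineLocals.size(), kStale);
    buffer.slots[0] = dfgFrameRegisterCount;
    for (size_t i = 0; i < localsToCopy && i < baselineLocals.size(); ++i)
        buffer.slots[1 + i] = baselineLocals[i];
    return buffer;
}

// The consumer reads back as many locals as the OSR entry data expects.
inline std::vector<uint64_t> fillDfgLocals(const ScratchBuffer& buffer, size_t numberOfLocals)
{
    std::vector<uint64_t> locals;
    for (size_t i = 0; i < numberOfLocals && 1 + i < buffer.slots.size(); ++i)
        locals.push_back(buffer.slots[1 + i]);
    return locals;
}

// Before the fix: the copy was sized by the DFG frame's register count, so when the
// baseline frame has more locals than that, the tail of the DFG frame is filled from
// memory the copy never wrote.
inline std::vector<uint64_t> osrEntryBuggy(const std::vector<uint64_t>& baselineLocals,
                                           size_t dfgFrameRegisterCount, size_t expectedLocals)
{
    ScratchBuffer buffer = prepareScratch(baselineLocals, dfgFrameRegisterCount, dfgFrameRegisterCount);
    return fillDfgLocals(buffer, expectedLocals);
}

// After the fix: producer and consumer agree on the number of baseline locals.
inline std::vector<uint64_t> osrEntryFixed(const std::vector<uint64_t>& baselineLocals,
                                           size_t dfgFrameRegisterCount, size_t expectedLocals)
{
    ScratchBuffer buffer = prepareScratch(baselineLocals, dfgFrameRegisterCount, expectedLocals);
    return fillDfgLocals(buffer, expectedLocals);
}

// How many of the DFG frame's locals came from stale memory rather than the baseline frame.
inline size_t countStale(const std::vector<uint64_t>& locals)
{
    size_t n = 0;
    for (uint64_t v : locals)
        if (v == kStale)
            ++n;
    return n;
}
```

With six baseline locals and a DFG frame of three registers, the buggy path leaves three locals stale; the bug is invisible whenever the DFG frame happens to be at least as large as the baseline frame, which is why it surfaced only on some code.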
6158
6159 2014-04-18 Timothy Hatcher <timothy@apple.com>
6160
6161 Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
6162 https://bugs.webkit.org/show_bug.cgi?id=131673
6163
6164 Passes existing profiler and inspector tests.
6165
6166 Reviewed by Joseph Pecoraro.
6167
6168 * CMakeLists.txt:
6169 * DerivedSources.make:
6170 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
6171 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
6172 * JavaScriptCore.xcodeproj/project.pbxproj:
6173 * inspector/JSConsoleClient.cpp:
6174 (Inspector::JSConsoleClient::JSConsoleClient):
6175 (Inspector::JSConsoleClient::profile):
6176 (Inspector::JSConsoleClient::profileEnd):
6177 (Inspector::JSConsoleClient::count): Deleted.
6178 * inspector/JSConsoleClient.h:
6179 * inspector/JSGlobalObjectInspectorController.cpp:
6180 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
6181 * inspector/agents/InspectorProfilerAgent.cpp: Added.
6182 (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
6183 (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
6184 (Inspector::InspectorProfilerAgent::addProfile):
6185 (Inspector::InspectorProfilerAgent::createProfileHeader):
6186 (Inspector::InspectorProfilerAgent::enable):
6187 (Inspector::InspectorProfilerAgent::disable):
6188 (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
6189 (Inspector::InspectorProfilerAgent::getProfileHeaders):
6190 (Inspector::buildInspectorObject):
6191 (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
6192 (Inspector::InspectorProfilerAgent::getCPUProfile):
6193 (Inspector::InspectorProfilerAgent::removeProfile):
6194 (Inspector::InspectorProfilerAgent::reset):
6195 (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
6196 (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
6197 (Inspector::InspectorProfilerAgent::start):
6198 (Inspector::InspectorProfilerAgent::stop):
6199 (Inspector::InspectorProfilerAgent::setRecordingProfile):
6200 (Inspector::InspectorProfilerAgent::startProfiling):
6201 (Inspector::InspectorProfilerAgent::stopProfiling):
6202 * inspector/agents/InspectorProfilerAgent.h: Added.
6203 * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
6204 (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
6205 (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
6206 * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
6207 * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
6208 * profiler/Profile.h:
6209 * runtime/ConsoleClient.h:
6210
6211 2014-04-18 Commit Queue <commit-queue@webkit.org>
6212
6213 Unreviewed, rolling out r167527.
6214 https://bugs.webkit.org/show_bug.cgi?id=131883
6215
6216 Broke 32-bit build (Requested by ap on #webkit).
6217
6218 Reverted changeset:
6219
6220 "[Mac] implement WebKitDataCue"
6221 https://bugs.webkit.org/show_bug.cgi?id=131799
6222 http://trac.webkit.org/changeset/167527
6223
6224 2014-04-18 Eric Carlson <eric.carlson@apple.com>
6225
6226 [Mac] implement WebKitDataCue
6227 https://bugs.webkit.org/show_bug.cgi?id=131799
6228
6229 Reviewed by Dean Jackson.
6230
6231 * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
6232
6233 2014-04-18 Filip Pizlo <fpizlo@apple.com>
6234
6235 Actually address Mark's review feedback.
6236
6237 * dfg/DFGOSRExitCompilerCommon.cpp:
6238 (JSC::DFG::handleExitCounts):
6239
6240 2014-04-18 Filip Pizlo <fpizlo@apple.com>
6241
6242 Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
6243 https://bugs.webkit.org/show_bug.cgi?id=131850
6244
6245 Reviewed by Mark Hahnenberg.
6246
6247 Templatize ExecutionCounter to allow for two different styles of calculating the
6248 checkpoint threshold.
6249
6250 Appears to be a slight speed-up on DYEBench.
6251
6252 * bytecode/CodeBlock.h:
6253 (JSC::CodeBlock::llintExecuteCounter):
6254 (JSC::CodeBlock::offsetOfJITExecuteCounter):
6255 (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
6256 (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
6257 (JSC::CodeBlock::jitExecuteCounter):
6258 * bytecode/ExecutionCounter.cpp:
6259 (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
6260 (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
6261 (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
6262 (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
6263 (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
6264 (JSC::applyMemoryUsageHeuristics):
6265 (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
6266 (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
6267 (JSC::ExecutionCounter<countingVariant>::setThreshold):
6268 (JSC::ExecutionCounter<countingVariant>::reset):
6269 (JSC::ExecutionCounter<countingVariant>::dump):
6270 (JSC::ExecutionCounter::ExecutionCounter): Deleted.
6271 (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
6272 (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
6273 (JSC::ExecutionCounter::setNewThreshold): Deleted.
6274 (JSC::ExecutionCounter::deferIndefinitely): Deleted.
6275 (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
6276 (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
6277 (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
6278 (JSC::ExecutionCounter::setThreshold): Deleted.
6279 (JSC::ExecutionCounter::reset): Deleted.
6280 (JSC::ExecutionCounter::dump): Deleted.
6281 * bytecode/ExecutionCounter.h:
6282 (JSC::formattedTotalExecutionCount):
6283 (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
6284 (JSC::ExecutionCounter::clippedThreshold):
6285 (JSC::ExecutionCounter::formattedTotalCount): Deleted.
6286 * dfg/DFGJITCode.h:
6287 * dfg/DFGOSRExitCompilerCommon.cpp:
6288 (JSC::DFG::handleExitCounts):
6289 * llint/LowLevelInterpreter.asm:
6290 * runtime/Options.h:
6291
6292 2014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
6293
6294 Deleting properties poisons objects
6295 https://bugs.webkit.org/show_bug.cgi?id=131551
6296
6297 Reviewed by Geoffrey Garen.
6298
6299 This is a ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
6300
6301 * runtime/Structure.cpp:
6302 (JSC::Structure::Structure):
6303 (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
6304 (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
6305 Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
6306 delete transitions, but we allow transitioning from them.
6307 (JSC::Structure::changePrototypeTransition):
6308 (JSC::Structure::despecifyFunctionTransition):
6309 (JSC::Structure::attributeChangeTransition):
6310 (JSC::Structure::toDictionaryTransition):
6311 (JSC::Structure::preventExtensionsTransition):
6312 (JSC::Structure::addPropertyWithoutTransition):
6313 (JSC::Structure::removePropertyWithoutTransition):
6314 (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
6315 (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
6316 * runtime/Structure.h:
6317 * runtime/StructureInlines.h:
6318 (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
6319
6320 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6321
6322 InlineCallFrameSet should be refcounted
6323 https://bugs.webkit.org/show_bug.cgi?id=131829
6324
6325 Reviewed by Geoffrey Garen.
6326
6327 And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
6328 became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
6329 Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
6330 the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
6331
6332 So, just make the darn thing refcounted.
6333
6334 * bytecode/InlineCallFrameSet.h:
6335 * dfg/DFGArgumentsSimplificationPhase.cpp:
6336 (JSC::DFG::ArgumentsSimplificationPhase::run):
6337 * dfg/DFGByteCodeParser.cpp:
6338 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6339 * dfg/DFGCommonData.h:
6340 * dfg/DFGGraph.cpp:
6341 (JSC::DFG::Graph::Graph):
6342 (JSC::DFG::Graph::requiredRegisterCountForExit):
6343 * dfg/DFGGraph.h:
6344 * dfg/DFGJITCompiler.cpp:
6345 (JSC::DFG::JITCompiler::link):
6346 * dfg/DFGPlan.cpp:
6347 (JSC::DFG::Plan::Plan):
6348 * dfg/DFGPlan.h:
6349 * dfg/DFGStackLayoutPhase.cpp:
6350 (JSC::DFG::StackLayoutPhase::run):
6351 * ftl/FTLFail.cpp:
6352 (JSC::FTL::fail):
6353 * ftl/FTLLink.cpp:
6354 (JSC::FTL::link):
6355
6356 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6357
6358 FTL::fail() should manage memory "correctly"
6359 https://bugs.webkit.org/show_bug.cgi?id=131823
6360 <rdar://problem/16384297>
6361
6362 Reviewed by Oliver Hunt.
6363
6364 * ftl/FTLFail.cpp:
6365 (JSC::FTL::fail):
6366
6367 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6368
6369 Prediction propagator should correctly model Int52s flowing through arguments
6370 https://bugs.webkit.org/show_bug.cgi?id=131822
6371 <rdar://problem/16641408>
6372
6373 Reviewed by Oliver Hunt.
6374
6375 * dfg/DFGPredictionPropagationPhase.cpp:
6376 (JSC::DFG::PredictionPropagationPhase::propagate):
6377 * tests/stress/int52-argument.js: Added.
6378 (foo):
6379 * tests/stress/int52-variable.js: Added.
6380 (foo):
6381
6382 2014-04-17 Filip Pizlo <fpizlo@apple.com>
6383
6384 REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
6385 https://bugs.webkit.org/show_bug.cgi?id=131798
6386
6387 Reviewed by Alexey Proskuryakov.
6388
6389 Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
6390 of this assertion can return. For now, it's not clear that the assertion is guarding
6391 any truly undesirable behavior - so it should just go away and be replaced with a
6392 FIXME.
6393
6394 * bytecode/GetByIdStatus.cpp:
6395 (JSC::GetByIdStatus::computeForStubInfo):
6396 * runtime/Structure.h:
6397 (JSC::Structure::takesSlowPathInDFGForImpureProperty):
6398
6399 2014-04-17 David Kilzer <ddkilzer@apple.com>
6400
6401 Blind attempt to fix Windows build after r166837
6402 <http://webkit.org/b/131246>
6403
6404 Hoping to fix this build error:
6405
6406 warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
6407
6408 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
6409 boo-boo by changing the GCLogging.cpp ClCompile entry to a
6410 GCLogging.h ClInclude entry.
6411
6412 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6413
6414 AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
6415 https://bugs.webkit.org/show_bug.cgi?id=131764
6416
6417 Reviewed by Geoffrey Garen.
6418
6419 The attached test case can be made to not crash by deleting old code. It used to be
6420 the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
6421 long ago. At this point, these guards just make life difficult. So get rid of them.
6422
6423 * dfg/DFGAbstractInterpreterInlines.h:
6424 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6425 * dfg/DFGSpeculativeJIT32_64.cpp:
6426 (JSC::DFG::SpeculativeJIT::compile):
6427 * dfg/DFGSpeculativeJIT64.cpp:
6428 (JSC::DFG::SpeculativeJIT::compile):
6429 * tests/stress/bug-131764.js: Added.
6430 (test1):
6431 (test2):
6432
6433 2014-04-17 Darin Adler <darin@apple.com>
6434
6435 Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
6436 https://bugs.webkit.org/show_bug.cgi?id=131785
6437 rdar://problem/16003108
6438
6439 Reviewed by Brady Eidson.
6440
6441 * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
6442
6443 2014-04-16 Alexey Proskuryakov <ap@apple.com>
6444
6445 Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
6446
6447 * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
6448
6449 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6450
6451 Extra error reporting for invalid value conversions
6452 https://bugs.webkit.org/show_bug.cgi?id=131786
6453
6454 Rubber stamped by Ryosuke Niwa.
6455
6456 * dfg/DFGFixupPhase.cpp:
6457 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6458
6459 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6460
6461 Sink NaN sanitization to uses and remove it when it's unnecessary
6462 https://bugs.webkit.org/show_bug.cgi?id=131419
6463
6464 Reviewed by Oliver Hunt.
6465
6466 This moves NaN purification to stores that could see an impure NaN.
6467
6468 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
6469 though, because of the other bug that causes that benchmark to box doubles in a loop.
6470
6471 * bytecode/SpeculatedType.h:
6472 (JSC::isInt32SpeculationForArithmetic):
6473 (JSC::isMachineIntSpeculationForArithmetic):
6474 (JSC::isDoubleSpeculation):
6475 (JSC::isDoubleSpeculationForArithmetic):
6476 * dfg/DFGAbstractInterpreterInlines.h:
6477 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6478 * dfg/DFGAbstractValue.cpp:
6479 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
6480 * dfg/DFGFixupPhase.cpp:
6481 (JSC::DFG::FixupPhase::fixupNode):
6482 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6483 * dfg/DFGInPlaceAbstractState.cpp:
6484 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
6485 * dfg/DFGPredictionPropagationPhase.cpp:
6486 (JSC::DFG::PredictionPropagationPhase::propagate):
6487 * dfg/DFGSpeculativeJIT.cpp:
6488 (JSC::DFG::SpeculativeJIT::compileValueRep):
6489 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
6490 * dfg/DFGUseKind.h:
6491 (JSC::DFG::typeFilterFor):
6492 * ftl/FTLLowerDFGToLLVM.cpp:
6493 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
6494 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
6495 * runtime/PureNaN.h:
6496 * tests/stress/float32-array-nan-inlined.js: Added.
6497 (foo):
6498 (test):
6499 * tests/stress/float32-array-nan.js: Added.
6500 (foo):
6501 (test):
6502 * tests/stress/float64-array-nan-inlined.js: Added.
6503 (foo):
6504 (isBigEndian):
6505 (test):
6506 * tests/stress/float64-array-nan.js: Added.
6507 (foo):
6508 (isBigEndian):
6509 (test):
6510
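Why purification matters at a store that could see an impure NaN (the entry above), and what distinguishes a PureNaN from an ImpureNaN (the "Discern between NaNs" entry further down), as an added example. This is not JSC's PureNaN.h or JSValue code: the constants follow the 64-bit NaN-boxing layout as the example's author understands it (doubles encoded by adding 1 << 48, int32 tagged in the top 16 bits, cells untagged) and should be read as assumptions of this model; `purifyNaN` here is a reimplementation of the behaviour the entries describe.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Model of a 64-bit NaN-boxing value encoding (added example; constants are assumptions).
const uint64_t TagTypeNumber = 0xffff000000000000ull; // top 16 bits set: int32
const uint64_t DoubleEncodeOffset = 1ull << 48;        // added to a double's raw bits
const uint64_t PNaNBits = 0x7ff8000000000000ull;       // canonical quiet NaN, positive sign

enum class Kind { Cell, Int32, Double };

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

inline double pureNaN() { return doubleOf(PNaNBits); }

// purifyNaN: every NaN collapses to the canonical PNaN; non-NaN values pass through.
inline double purifyNaN(double value)
{
    if (std::isnan(value))
        return pureNaN();
    return value;
}

inline uint64_t encodeDouble(double value) { return bitsOf(value) + DoubleEncodeOffset; }
inline uint64_t encodeInt32(int32_t i) { return TagTypeNumber | static_cast<uint32_t>(i); }

// Decode the tag the way a consumer of the encoded word would.
inline Kind classify(uint64_t encoded)
{
    if ((encoded & TagTypeNumber) == TagTypeNumber)
        return Kind::Int32;
    if (encoded & TagTypeNumber)
        return Kind::Double;
    return Kind::Cell;
}

// A double is safe to tag when boxing it yields a word that decodes back as a double.
// NaNs with the sign bit set and a high payload (raw bits 0xfffe... / 0xffff...) fail this:
// adding the offset pushes them into the int32 tag, or wraps them to look like a cell pointer.
inline bool isSafeToTag(double value)
{
    return classify(encodeDouble(value)) == Kind::Double;
}
```

The type confusion is the security-relevant part: an unpurified NaN with raw bits 0xfffe000000000001 boxes to a word that decodes as the int32 1, and 0xffff000000000000 wraps to a word that decodes as a (null) cell. After `purifyNaN` both become PNaN and box safely, which is why purification must sit on every store that can observe a NaN produced outside the engine's control, for example a Float32Array or Float64Array read.
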
6511 2014-04-16 Brent Fulgham <bfulgham@apple.com>
6512
6513 [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
6514 to 32-bit builds, and revise the comment to explain what we are
6515 doing.
6516
6517 * runtime/JSCJSValueInlines.h:
6518 (JSC::JSValue::isMachineInt): Provide motivation for the new
6519 'isinf' check for our 32-bit code path.
6520
6521 2014-04-16 Juergen Ributzka <juergen@apple.com>
6522
6523 Allocate the data section on the heap again for FTL on ARM64
6524 https://bugs.webkit.org/show_bug.cgi?id=130156
6525
6526 Reviewed by Geoffrey Garen and Filip Pizlo.
6527
6528 * ftl/FTLCompile.cpp:
6529 (JSC::FTL::mmAllocateDataSection):
6530 * ftl/FTLDataSection.cpp:
6531 (JSC::FTL::DataSection::DataSection):
6532 (JSC::FTL::DataSection::~DataSection):
6533 * ftl/FTLDataSection.h:
6534
6535 2014-04-16 Mark Lam <mark.lam@apple.com>
6536
6537 Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
6538 <https://webkit.org/b/131747>
6539
6540 Reviewed by Filip Pizlo.
6541
6542 When the debugger is about to activate (e.g. enter stepping mode), it first
6543 waits for all DFG compilations to complete. However, when the DFG completes,
6544 if compilation is successful, it will install a new DFG codeBlock. The
6545 CodeBlock installation process is required to register codeBlocks with the
6546 debugger. Debugger::registerCodeBlock() will eventually call
6547 CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
6548 trying to install. Thereafter, chaos ensues.
6549
6550 This jettisoning only happens because the debugger currently sets its
6551 m_steppingMode flag before waiting for compilation to complete. The fix is
6552 simply to set that flag only after compilation is complete.
6553
6554 * debugger/Debugger.cpp:
6555 (JSC::Debugger::setSteppingMode):
6556 (JSC::Debugger::registerCodeBlock):
6557
6558 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6559
6560 Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
6561 https://bugs.webkit.org/show_bug.cgi?id=131420
6562
6563 Reviewed by Oliver Hunt.
6564
6565 Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
6566 replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
6567 goes through the purifyNaN() API.
6568
6569 SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
6570
6571 Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
6572 have to be too cautious since most prediction-based logic only cares about whether or not
6573 a value could be an integer.
6574
6575 AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
6576 anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
6577 soundly and precisely.
6578
6579 No performance change because this just unblocks
6580 https://bugs.webkit.org/show_bug.cgi?id=131419.
6581
6582 * API/JSValueRef.cpp:
6583 (JSValueMakeNumber):
6584 (JSValueToNumber):
6585 * JavaScriptCore.xcodeproj/project.pbxproj:
6586 * bytecode/SpeculatedType.cpp:
6587 (JSC::dumpSpeculation):
6588 (JSC::speculationFromValue):
6589 (JSC::typeOfDoubleSum):
6590 (JSC::typeOfDoubleDifference):
6591 (JSC::typeOfDoubleProduct):
6592 (JSC::polluteDouble):
6593 (JSC::typeOfDoubleQuotient):
6594 (JSC::typeOfDoubleMinMax):
6595 (JSC::typeOfDoubleNegation):
6596 (JSC::typeOfDoubleAbs):
6597 (JSC::typeOfDoubleFRound):
6598 (JSC::typeOfDoubleBinaryOp):
6599 (JSC::typeOfDoubleUnaryOp):
6600 * bytecode/SpeculatedType.h:
6601 * dfg/DFGAbstractInterpreterInlines.h:
6602 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6603 * dfg/DFGByteCodeParser.cpp:
6604 (JSC::DFG::ByteCodeParser::handleInlining):
6605 (JSC::DFG::ByteCodeParser::parseCodeBlock):
6606 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
6607 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
6608 * dfg/DFGInPlaceAbstractState.cpp:
6609 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
6610 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
6611 (JSC::DFG::createPreHeader):
6612 * dfg/DFGNode.h:
6613 (JSC::DFG::BranchTarget::BranchTarget):
6614 * dfg/DFGOSREntrypointCreationPhase.cpp:
6615 (JSC::DFG::OSREntrypointCreationPhase::run):
6616 * dfg/DFGOSRExitCompiler32_64.cpp:
6617 (JSC::DFG::OSRExitCompiler::compileExit):
6618 * dfg/DFGOSRExitCompiler64.cpp:
6619 (JSC::DFG::OSRExitCompiler::compileExit):
6620 * dfg/DFGPredictionPropagationPhase.cpp:
6621 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
6622 (JSC::DFG::PredictionPropagationPhase::propagate):
6623 * dfg/DFGSpeculativeJIT.cpp:
6624 (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
6625 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6626 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
6627 * dfg/DFGSpeculativeJIT32_64.cpp:
6628 (JSC::DFG::SpeculativeJIT::compile):
6629 * dfg/DFGSpeculativeJIT64.cpp:
6630 (JSC::DFG::SpeculativeJIT::compile):
6631 * dfg/DFGVariableAccessData.h:
6632 (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
6633 * ftl/FTLLowerDFGToLLVM.cpp:
6634 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
6635 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
6636 (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
6637 (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
6638 (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
6639 (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
6640 (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
6641 * ftl/FTLValueFormat.cpp:
6642 (JSC::FTL::reboxAccordingToFormat):
6643 * jit/AssemblyHelpers.cpp:
6644 (JSC::AssemblyHelpers::purifyNaN):
6645 (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
6646 * jit/AssemblyHelpers.h:
6647 * jit/JITPropertyAccess.cpp:
6648 (JSC::JIT::emitFloatTypedArrayGetByVal):
6649 * runtime/DateConstructor.cpp:
6650 (JSC::constructDate):
6651 * runtime/DateInstanceCache.h:
6652 (JSC::DateInstanceData::DateInstanceData):
6653 (JSC::DateInstanceCache::reset):
6654 * runtime/ExceptionHelpers.cpp:
6655 (JSC::TerminatedExecutionError::defaultValue):
6656 * runtime/JSArray.cpp:
6657 (JSC::JSArray::setLength):
6658 (JSC::JSArray::pop):
6659 (JSC::JSArray::shiftCountWithAnyIndexingType):
6660 (JSC::JSArray::sortVector):
6661 (JSC::JSArray::compactForSorting):
6662 * runtime/JSArray.h:
6663 (JSC::JSArray::create):
6664 (JSC::JSArray::tryCreateUninitialized):
6665 * runtime/JSCJSValue.cpp:
6666 (JSC::JSValue::toNumberSlowCase):
6667 * runtime/JSCJSValue.h:
6668 * runtime/JSCJSValueInlines.h:
6669 (JSC::jsNaN):
6670 (JSC::JSValue::JSValue):
6671 (JSC::JSValue::getPrimitiveNumber):
6672 * runtime/JSGlobalObjectFunctions.cpp:
6673 (JSC::parseInt):
6674 (JSC::jsStrDecimalLiteral):
6675 (JSC::toDouble):
6676 (JSC::jsToNumber):
6677 (JSC::parseFloat):
6678 * runtime/JSObject.cpp:
6679 (JSC::JSObject::createInitialDouble):
6680 (JSC::JSObject::convertUndecidedToDouble):
6681 (JSC::JSObject::convertInt32ToDouble):
6682 (JSC::JSObject::deletePropertyByIndex):
6683 (JSC::JSObject::ensureLengthSlow):
6684 * runtime/MathObject.cpp:
6685 (JSC::mathProtoFuncMax):
6686 (JSC::mathProtoFuncMin):
6687 * runtime/PureNaN.h: Added.
6688 (JSC::pureNaN):
6689 (JSC::isImpureNaN):
6690 (JSC::purifyNaN):
6691 * runtime/TypedArrayAdaptors.h:
6692 (JSC::FloatTypedArrayAdaptor::toJSValue):
6693
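The entry above describes NaN purification without spelling out why an unpurified NaN is dangerous under 64-bit NaN-boxing. The following is an added illustration written for this page, not JavaScriptCore's code: it models the JSVALUE64 tagging layout documented in JSCJSValue.h (cells have a zero top half, doubles are stored as raw bits plus 2^48, int32s carry the 0xFFFF tag) and reimplements pureNaN/isImpureNaN/purifyNaN under assumed names. The "hostile" input is a constructed bit pattern standing in for bytes an attacker can place in a Float64Array. Boxing it without purification yields a value the engine would classify as a cell pointer (or, for 0xFFFE..., as an int32); purifying first keeps it a double.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the JSVALUE64 tagging layout (added illustration, not JSC code).
 * The top 16 bits pick the kind of the encoded value:
 *   0000:PPPP:PPPP:PPPP  cell pointer
 *   0001 ... FFFE         double, stored as raw IEEE bits + 2^48
 *   FFFF:0000:IIII:IIII  int32
 */
#define DOUBLE_ENCODE_OFFSET (UINT64_C(1) << 48)
#define NUMBER_TAG           (UINT64_C(0xFFFF) << 48)
#define PURE_NAN_BITS        UINT64_C(0x7FF8000000000000)
#define IMPURE_NAN_THRESHOLD UINT64_C(0xFFFE000000000000)

typedef uint64_t EncodedValue;
typedef enum { KIND_CELL, KIND_INT32, KIND_DOUBLE } Kind;

static uint64_t bits_of(double d) { uint64_t u; memcpy(&u, &d, sizeof u); return u; }
static double double_of(uint64_t u) { double d; memcpy(&d, &u, sizeof d); return d; }

/* A NaN whose raw bits are >= FFFE:0000:0000:0000 would, after the +2^48
 * offset, wrap into the int32 or cell range: that is an "impure" NaN. */
static bool is_impure_nan(double d) { return bits_of(d) >= IMPURE_NAN_THRESHOLD; }

/* Canonicalise every NaN to the single bit pattern that is safe to tag. */
static double purify_nan(double d) { return d != d ? double_of(PURE_NAN_BITS) : d; }

/* Boxing without purification: acceptable for doubles produced by arithmetic,
 * not for raw bits read out of a Float64Array or DataView. */
static EncodedValue box_double_unchecked(double d) { return bits_of(d) + DOUBLE_ENCODE_OFFSET; }

static EncodedValue box_double(double d) { return box_double_unchecked(purify_nan(d)); }

static Kind kind_of(EncodedValue v)
{
    if ((v >> 48) == 0) return KIND_CELL;
    if ((v & NUMBER_TAG) == NUMBER_TAG) return KIND_INT32;
    return KIND_DOUBLE;
}

static double unbox_double(EncodedValue v) { return double_of(v - DOUBLE_ENCODE_OFFSET); }

int main(void)
{
    /* Constructed input: a quiet NaN with sign bit set and a payload of 5. */
    double hostile = double_of(UINT64_C(0xFFFF000000000005));
    EncodedValue bad = box_double_unchecked(hostile);
    EncodedValue good = box_double(hostile);
    printf("impure=%d unchecked kind=%d (bits %016llx) purified kind=%d\n",
           is_impure_nan(hostile), kind_of(bad), (unsigned long long)bad, kind_of(good));
    return 0;
}
```

The unchecked path turns the hostile NaN into the encoded value 0x0000000000000005, which `kind_of` reports as a cell: a later cell-typed consumer would dereference a number the script chose. That is the type confusion the PureNaN API closes off, and why the entry routes typed-array reads and other raw-bit sources through purifyNaN() before tagging.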
6694 2014-04-16 Juergen Ributzka <juergen@apple.com>
6695
6696 Enable system library calls in FTL for ARM64
6697 https://bugs.webkit.org/show_bug.cgi?id=130154
6698
6699 Reviewed by Geoffrey Garen and Filip Pizlo.
6700
6701 * ftl/FTLIntrinsicRepository.h:
6702 * ftl/FTLOutput.h:
6703 (JSC::FTL::Output::doubleRem):
6704 (JSC::FTL::Output::doubleSin):
6705 (JSC::FTL::Output::doubleCos):
6706
6707 2014-04-16 peavo@outlook.com <peavo@outlook.com>
6708
6709 Fix JSC Debug Regressions on Windows
6710 https://bugs.webkit.org/show_bug.cgi?id=131182
6711
6712 Reviewed by Brent Fulgham.
6713
6714 The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
6715 and set the st floating point register tags, if the value of the number parameter is infinite.
6716 If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
6717 This can be avoided by checking for infinity first.
6718
6719 * runtime/JSCJSValueInlines.h:
6720 (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
6721 * runtime/Options.cpp:
6722 (JSC::recomputeDependentOptions): Re-enable jit for Windows.
6723
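The entry above fixes the order of checks in isMachineInt(). As an added illustration (this page's own code, not JavaScriptCore's), the function below shows the safe ordering: reject NaN and infinity, then confirm the value lies inside a range whose bounds are exactly representable, and only then cast. Converting an out-of-range or infinite double to int64_t is undefined behaviour in C and C++ and raises the invalid-operation floating-point exception in hardware, which is the register-state corruption the entry describes. The 52-bit range and the rule that -0 is not an integer follow JSC's Int52 convention; the function and macro names are assumed.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>

/* Added illustration of a safely ordered isMachineInt(); names are this
 * example's own. Int52 range is [-2^51, 2^51), as in JSC. */
#define INT52_LIMIT ((int64_t)1 << 51)

static bool is_machine_int(double number)
{
    if (number != number)      /* NaN */
        return false;
    if (isinf(number))         /* the check this entry adds: casting +/-inf to
                                  int64 is undefined and traps in hardware */
        return false;
    /* Both bounds are powers of two, hence exact as doubles; comparing here
       guarantees that the cast below is defined behaviour. */
    if (number >= (double)INT52_LIMIT || number < -(double)INT52_LIMIT)
        return false;
    int64_t as_int64 = (int64_t)number;
    if ((double)as_int64 != number)      /* rejects fractional values */
        return false;
    if (as_int64 == 0 && signbit(number))  /* -0 is a double, not an int */
        return false;
    return true;
}
```

The order matters: the original code cast first and compared afterwards, so an infinite input reached the cast before anything could reject it.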
6724 2014-04-16 Oliver Hunt <oliver@apple.com>
6725
6726 Simple ES6 feature: Array.prototype.fill
6727 https://bugs.webkit.org/show_bug.cgi?id=131703
6728
6729 Reviewed by David Hyatt.
6730
6731 Add support for Array.prototype.fill
6732
6733 * builtins/Array.prototype.js:
6734 (fill):
6735 * runtime/ArrayPrototype.cpp:
6736
6737 2014-04-16 Mark Hahnenberg <mhahnenberg@apple.com>
6738
6739 [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
6740 https://bugs.webkit.org/show_bug.cgi?id=131728
6741
6742 Reviewed by Darin Adler.
6743
6744 * runtime/JSObject.cpp:
6745 (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
6746 path we expect to never take. Also shut up confused compilers about uninitialized things.
6747
6748 2014-04-16 Filip Pizlo <fpizlo@apple.com>
6749
6750 Unreviewed, ARMv7 build fix after r167336.
6751
6752 * assembler/MacroAssemblerARMv7.h:
6753 (JSC::MacroAssemblerARMv7::branchAdd32):
6754
6755 2014-04-16 Gabor Rapcsanyi <rgabor@webkit.org>
6756
6757 Unreviewed, ARM64 buildfix after r167336.
6758
6759 * assembler/MacroAssemblerARM64.h:
6760 (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
6761
6762 2014-04-15 Filip Pizlo <fpizlo@apple.com>
6763
6764 Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
6765
6766 * dfg/DFGAbstractInterpreterInlines.h:
6767 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6768
6769 2014-04-15 Filip Pizlo <fpizlo@apple.com>
6770
6771 compileMakeRope does not emit necessary bounds checks
6772 https://bugs.webkit.org/show_bug.cgi?id=130684
6773 <rdar://problem/16398388>
6774
6775 Reviewed by Oliver Hunt.
6776
6777 Add string length bounds checks in a bunch of places. We should never allow a string
6778 to have a length greater than 2^31-1 because it's not clear that the language has
6779 semantics for it and because there is code that assumes that this cannot happen.
6780
6781 Also add a bunch of tests to that effect to cover the various ways in which this was
6782 previously allowed to happen.
6783
6784 * dfg/DFGOperations.cpp:
6785 * dfg/DFGSpeculativeJIT.cpp:
6786 (JSC::DFG::SpeculativeJIT::compileMakeRope):
6787 * ftl/FTLLowerDFGToLLVM.cpp:
6788 (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
6789 * runtime/JSString.cpp:
6790 (JSC::JSRopeString::RopeBuilder::expand):
6791 * runtime/JSString.h:
6792 (JSC::JSString::create):
6793 (JSC::JSRopeString::RopeBuilder::append):
6794 (JSC::JSRopeString::RopeBuilder::release):
6795 (JSC::JSRopeString::append):
6796 * runtime/Operations.h:
6797 (JSC::jsString):
6798 (JSC::jsStringFromRegisterArray):
6799 (JSC::jsStringFromArguments):
6800 * runtime/StringPrototype.cpp:
6801 (JSC::stringProtoFuncIndexOf):
6802 (JSC::stringProtoFuncSlice):
6803 (JSC::stringProtoFuncSubstring):
6804 (JSC::stringProtoFuncToLowerCase):
6805 * tests/stress/make-large-string-jit-strcat.js: Added.
6806 (foo):
6807 * tests/stress/make-large-string-jit.js: Added.
6808 (foo):
6809 * tests/stress/make-large-string-strcat.js: Added.
6810 * tests/stress/make-large-string.js: Added.
6811
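The entry above adds length bounds checks to rope construction so that no string can exceed 2^31-1 characters. As an added illustration (written for this page, not JSRopeString's own code; the struct and function names are assumed), the builder below accumulates fiber lengths in 64 bits and refuses any append that would cross the bound, staying poisoned afterwards the way a thrown out-of-memory error would abort the concatenation. The unchecked helper shows what a 32-bit sum does instead: two fibers of 2^31 characters produce a rope that claims to be empty. `doublings_until_refused` mirrors the shape of the make-large-string tests, repeatedly concatenating a string with itself until the check fires.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the rope length check; names are this example's own. */
#define MAX_STRING_LENGTH UINT32_C(0x7FFFFFFF)   /* 2^31 - 1 */

typedef struct {
    uint32_t length;     /* total characters across all fibers */
    unsigned fibers;
    bool     overflowed; /* set once; every later append fails */
} RopeBuilder;

/* Unchecked variant: a 32-bit sum silently wraps, so a rope can end up with a
 * length that is far smaller than the characters it actually holds. */
static uint32_t rope_length_unchecked(uint32_t a, uint32_t b) { return a + b; }

/* Checked append: accumulate in 64 bits and refuse to cross 2^31-1. */
static bool rope_append(RopeBuilder *b, uint32_t fiber_length)
{
    if (b->overflowed)
        return false;
    uint64_t total = (uint64_t)b->length + fiber_length;
    if (total > MAX_STRING_LENGTH) {
        b->overflowed = true;
        return false;
    }
    b->length = (uint32_t)total;
    b->fibers++;
    return true;
}

/* Boundary behaviour: exactly 2^31-1 is accepted, one more character is not,
 * and the builder stays poisoned with its last good length intact. */
static bool rejects_past_boundary(void)
{
    RopeBuilder b = { 0, 0, false };
    return rope_append(&b, MAX_STRING_LENGTH) && !rope_append(&b, 1)
        && b.overflowed && b.length == MAX_STRING_LENGTH;
}

/* Concatenate a string with itself until the check fires; returns how many
 * doublings succeeded. A seed of 1 character allows 30 doublings (2^30). */
static unsigned doublings_until_refused(uint32_t seed_length)
{
    if (seed_length == 0)
        return 0;
    RopeBuilder b = { 0, 0, false };
    if (!rope_append(&b, seed_length))
        return 0;
    unsigned n = 0;
    while (rope_append(&b, b.length))
        n++;
    return n;
}

int main(void)
{
    printf("boundary ok=%d wrapped=%u doublings=%u\n", rejects_past_boundary(),
           rope_length_unchecked(0x80000000u, 0x80000000u), doublings_until_refused(1));
    return 0;
}
```

The check belongs at every point where a length is combined (append, expand, release), because a wrapped length passes every later bounds check that trusts it.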
6812 2014-04-15 Julien Brianceau <jbriance@cisco.com>
6813
6814 Remove invalid sh4 specific code in JITInlines header.
6815 https://bugs.webkit.org/show_bug.cgi?id=131692
6816
6817 Reviewed by Geoffrey Garen.
6818
6819 * jit/JITInlines.h:
6820 (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
6821 anymore since r160244, so the sh4 specific code is invalid now
6822 and has to be removed.
6823
6824 2014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6825
6826 Fix precedence issue in JSCell::setRemembered
6827
6828 Rubber stamped by Filip Pizlo.
6829
6830 * runtime/JSCell.h:
6831 (JSC::JSCell::setRemembered):
6832
6833 2014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
6834
6835 Objective-C API external object graphs don't handle generational collection properly
6836 https://bugs.webkit.org/show_bug.cgi?id=131634
6837
6838 Reviewed by Geoffrey Garen.
6839
6840 If the set of Objective-C objects transitively reachable through an object changes, we
6841 need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
6842 won't rescan the external object graph, which would lead us to consider a newly allocated
6843 JSManagedValue to be dead.
6844
6845 * API/JSBase.cpp:
6846 (JSSynchronousEdenCollectForDebugging):
6847 * API/JSVirtualMachine.mm:
6848 (-[JSVirtualMachine initWithContextGroupRef:]):
6849 (-[JSVirtualMachine dealloc]):
6850 (-[JSVirtualMachine isOldExternalObject:]):
6851 (-[JSVirtualMachine addExternalRememberedObject:]):
6852 (-[JSVirtualMachine addManagedReference:withOwner:]):
6853 (-[JSVirtualMachine removeManagedReference:withOwner:]):
6854 (-[JSVirtualMachine externalRememberedSet]):
6855 (scanExternalObjectGraph):
6856 (scanExternalRememberedSet):
6857 * API/JSVirtualMachineInternal.h:
6858 * API/tests/testapi.mm:
6859 * heap/Heap.cpp:
6860 (JSC::Heap::markRoots):
6861 * heap/Heap.h:
6862 (JSC::Heap::slotVisitor):
6863 * heap/SlotVisitor.h:
6864 * heap/SlotVisitorInlines.h:
6865 (JSC::SlotVisitor::containsOpaqueRoot):
6866 (JSC::SlotVisitor::containsOpaqueRootTriState):
6867
6868 2014-04-15 Filip Pizlo <fpizlo@apple.com>
6869
6870 DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
6871 https://bugs.webkit.org/show_bug.cgi?id=131423
6872
6873 Reviewed by Geoffrey Garen.
6874
6875 This introduces more static typing into DFG IR. Previously we just had the notion of
6876 JSValues and Storage. This was weird because doubles weren't always convertible to
6877 JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
6878 sort of insert explicit conversion nodes just for the places where we knew that an
6879 implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
6880 we'd get bugs from forgetting to do the right conversion.
6881
6882 This patch introduces a hard and fast rule: doubles can never be implicitly converted to
6883 anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
6884 nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
6885 conversions. They are like Identity but return the same value using a different
6886 representation. Likewise, constants may now be represented using either JSConstant,
6887 Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
6888 Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
6889 Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
6890 we speculate DoubleReal and expect Double representation.
6891
6892 In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
6893 this also makes it easier to introduce optimizations in the future. It's now possible for
6894 AI to model when/how conversions take place. For example if doing a conversion results in
6895 NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
6896 what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
6897
6898 This was a big change, so I had to do some interesting things, like finally get rid of
6899 the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
6900 the ByteCodeParser no longer emits Identity nodes since that was always pointless.
6901
6902 No performance change because this mostly just rationalizes preexisting behavior.
6903
6904 * JavaScriptCore.xcodeproj/project.pbxproj:
6905 * assembler/MacroAssemblerX86.h:
6906 * bytecode/CodeBlock.cpp:
6907 * bytecode/CodeBlock.h:
6908 * dfg/DFGAbstractInterpreter.h:
6909 (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
6910 (JSC::DFG::AbstractInterpreter::setConstant):
6911 * dfg/DFGAbstractInterpreterInlines.h:
6912 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
6913 * dfg/DFGAbstractValue.cpp:
6914 (JSC::DFG::AbstractValue::set):
6915 (JSC::DFG::AbstractValue::fixTypeForRepresentation):
6916 (JSC::DFG::AbstractValue::checkConsistency):
6917 * dfg/DFGAbstractValue.h:
6918 * dfg/DFGBackwardsPropagationPhase.cpp:
6919 (JSC::DFG::BackwardsPropagationPhase::propagate):
6920 * dfg/DFGBasicBlock.h:
6921 * dfg/DFGBasicBlockInlines.h:
6922 (JSC::DFG::BasicBlock::appendNode):
6923 (JSC::DFG::BasicBlock::appendNonTerminal):
6924 * dfg/DFGByteCodeParser.cpp:
6925 (JSC::DFG::ByteCodeParser::parseBlock):
6926 * dfg/DFGCSEPhase.cpp:
6927 (JSC::DFG::CSEPhase::constantCSE):
6928 (JSC::DFG::CSEPhase::performNodeCSE):
6929 (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
6930 * dfg/DFGCapabilities.h:
6931 * dfg/DFGClobberize.h:
6932 (JSC::DFG::clobberize):
6933 * dfg/DFGConstantFoldingPhase.cpp:
6934 (JSC::DFG::ConstantFoldingPhase::foldConstants):
6935 * dfg/DFGDCEPhase.cpp:
6936 (JSC::DFG::DCEPhase::fixupBlock):
6937 * dfg/DFGEdge.h:
6938 (JSC::DFG::Edge::willNotHaveCheck):
6939 * dfg/DFGFixupPhase.cpp:
6940 (JSC::DFG::FixupPhase::run):
6941 (JSC::DFG::FixupPhase::fixupNode):
6942 (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
6943 (JSC::DFG::FixupPhase::observeUseKindOnNode):
6944 (JSC::DFG::FixupPhase::fixIntEdge):
6945 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
6946 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
6947 (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
6948 (JSC::DFG::FixupPhase::fixEdgeRepresentation):
6949 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
6950 (JSC::DFG::FixupPhase::addRequiredPhantom):
6951 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
6952 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
6953 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
6954 * dfg/DFGFlushFormat.h:
6955 (JSC::DFG::resultFor):
6956 (JSC::DFG::useKindFor):
6957 * dfg/DFGGraph.cpp:
6958 (JSC::DFG::Graph::dump):
6959 * dfg/DFGGraph.h:
6960 (JSC::DFG::Graph::addNode):
6961 * dfg/DFGInPlaceAbstractState.cpp:
6962 (JSC::DFG::InPlaceAbstractState::initialize):
6963 * dfg/DFGInsertionSet.h:
6964 (JSC::DFG::InsertionSet::insertNode):
6965 (JSC::DFG::InsertionSet::insertConstant):
6966 (JSC::DFG::InsertionSet::insertConstantForUse):
6967 * dfg/DFGIntegerCheckCombiningPhase.cpp:
6968 (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
6969 (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
6970 * dfg/DFGNode.cpp:
6971 (JSC::DFG::Node::convertToIdentity):
6972 (WTF::printInternal):
6973 * dfg/DFGNode.h:
6974 (JSC::DFG::Node::Node):
6975 (JSC::DFG::Node::setResult):
6976 (JSC::DFG::Node::result):
6977 (JSC::DFG::Node::isConstant):
6978 (JSC::DFG::Node::hasConstant):
6979 (JSC::DFG::Node::convertToConstant):
6980 (JSC::DFG::Node::valueOfJSConstant):
6981 (JSC::DFG::Node::hasResult):
6982 (JSC::DFG::Node::hasInt32Result):
6983 (JSC::DFG::Node::hasInt52Result):
6984 (JSC::DFG::Node::hasNumberResult):
6985 (JSC::DFG::Node::hasDoubleResult):
6986 (JSC::DFG::Node::hasJSResult):
6987 (JSC::DFG::Node::hasBooleanResult):
6988 (JSC::DFG::Node::hasStorageResult):
6989 (JSC::DFG::Node::defaultUseKind):
6990 (JSC::DFG::Node::defaultEdge):
6991 (JSC::DFG::Node::convertToIdentity): Deleted.
6992 * dfg/DFGNodeFlags.cpp:
6993 (JSC::DFG::dumpNodeFlags):
6994 * dfg/DFGNodeFlags.h:
6995 (JSC::DFG::canonicalResultRepresentation):
6996 * dfg/DFGNodeType.h:
6997 * dfg/DFGOSRExitCompiler32_64.cpp:
6998 (JSC::DFG::OSRExitCompiler::compileExit):
6999 * dfg/DFGOSRExitCompiler64.cpp:
7000 (JSC::DFG::OSRExitCompiler::compileExit):
7001 * dfg/DFGPredictionPropagationPhase.cpp:
7002 (JSC::DFG::PredictionPropagationPhase::propagate):
7003 * dfg/DFGResurrectionForValidationPhase.cpp:
7004 (JSC::DFG::ResurrectionForValidationPhase::run):
7005 * dfg/DFGSSAConversionPhase.cpp:
7006 (JSC::DFG::SSAConversionPhase::run):
7007 * dfg/DFGSafeToExecute.h:
7008 (JSC::DFG::SafeToExecuteEdge::operator()):
7009 (JSC::DFG::safeToExecute):
7010 * dfg/DFGSpeculativeJIT.cpp:
7011 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
7012 (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
7013 (JSC::DFG::SpeculativeJIT::silentFill):
7014 (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
7015 (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
7016 (JSC::DFG::JSValueRegsTemporary::regs):
7017 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
7018 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
7019 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
7020 (JSC::DFG::SpeculativeJIT::compileDoubleRep):
7021 (JSC::DFG::SpeculativeJIT::compileValueRep):
7022 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
7023 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
7024 (JSC::DFG::SpeculativeJIT::compileAdd):
7025 (JSC::DFG::SpeculativeJIT::compileArithSub):
7026 (JSC::DFG::SpeculativeJIT::compileArithNegate):
7027 (JSC::DFG::SpeculativeJIT::compileArithMul):
7028 (JSC::DFG::SpeculativeJIT::compileArithDiv):
7029 (JSC::DFG::SpeculativeJIT::compileArithMod):
7030 (JSC::DFG::SpeculativeJIT::compare):
7031 (JSC::DFG::SpeculativeJIT::compileStrictEq):
7032 (JSC::DFG::SpeculativeJIT::speculateNumber):
7033 (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
7034 (JSC::DFG::SpeculativeJIT::speculate):
7035 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
7036 (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
7037 (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
7038 * dfg/DFGSpeculativeJIT.h:
7039 (JSC::DFG::SpeculativeJIT::allocate):
7040 (JSC::DFG::SpeculativeJIT::use):
7041 (JSC::DFG::SpeculativeJIT::boxDouble):
7042 (JSC::DFG::SpeculativeJIT::spill):
7043 (JSC::DFG::SpeculativeJIT::jsValueResult):
7044 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
7045 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
7046 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
7047 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
7048 * dfg/DFGSpeculativeJIT32_64.cpp:
7049 (JSC::DFG::SpeculativeJIT::fillJSValue):
7050 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
7051 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
7052 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
7053 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
7054 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
7055 (JSC::DFG::SpeculativeJIT::emitBranch):
7056 (JSC::DFG::SpeculativeJIT::compile):
7057 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
7058 * dfg/DFGSpeculativeJIT64.cpp:
7059 (JSC::DFG::SpeculativeJIT::fillJSValue):
7060 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
7061 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
7062 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
7063 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
7064 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
7065 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
7066 (JSC::DFG::SpeculativeJIT::emitBranch):
7067 (JSC::DFG::SpeculativeJIT::compile):
7068 (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
7069 * dfg/DFGStrengthReductionPhase.cpp:
7070 (JSC::DFG::StrengthReductionPhase::handleNode):
7071 * dfg/DFGUseKind.cpp:
7072 (WTF::printInternal):
7073 * dfg/DFGUseKind.h:
7074 (JSC::DFG::typeFilterFor):
7075 (JSC::DFG::shouldNotHaveTypeCheck):
7076 (JSC::DFG::mayHaveTypeCheck):
7077 (JSC::DFG::isNumerical):
7078 (JSC::DFG::isDouble):
7079 (JSC::DFG::isCell):
7080 (JSC::DFG::usesStructure):
7081 (JSC::DFG::useKindForResult):
7082 * dfg/DFGValidate.cpp:
7083 (JSC::DFG::Validate::validate):
7084 * dfg/DFGVariadicFunction.h: Removed.
7085 * ftl/FTLCapabilities.cpp:
7086 (JSC::FTL::canCompile):
7087 * ftl/FTLLowerDFGToLLVM.cpp:
7088 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
7089 (JSC::FTL::LowerDFGToLLVM::compileNode):
7090 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
7091 (JSC::FTL::LowerDFGToLLVM::compilePhi):
7092 (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
7093 (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
7094 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
7095 (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
7096 (JSC::FTL::LowerDFGToLLVM::compileValueRep):
7097 (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
7098 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
7099 (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
7100 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
7101 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
7102 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
7103 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
7104 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
7105 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
7106 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
7107 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
7108 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
7109 (JSC::FTL::LowerDFGToLLVM::compare):
7110 (JSC::FTL::LowerDFGToLLVM::boolify):
7111 (JSC::FTL::LowerDFGToLLVM::lowInt52):
7112 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
7113 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
7114 (JSC::FTL::LowerDFGToLLVM::lowDouble):
7115 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
7116 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
7117 (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
7118 (JSC::FTL::LowerDFGToLLVM::speculate):
7119 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
7120 (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
7121 (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
7122 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
7123 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
7124 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
7125 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
7126 * ftl/FTLValueFormat.cpp:
7127 (JSC::FTL::reboxAccordingToFormat):
7128 * jit/AssemblyHelpers.cpp:
7129 (JSC::AssemblyHelpers::sanitizeDouble):
7130 * jit/AssemblyHelpers.h:
7131 (JSC::AssemblyHelpers::boxDouble):
7132
7133 2014-04-15 Commit Queue <commit-queue@webkit.org>
7134
7135 Unreviewed, rolling out r167199 and r167251.
7136 https://bugs.webkit.org/show_bug.cgi?id=131678
7137
7138 Caused a DYEBench regression and does not seem to improve perf
7139 on relevant websites (Requested by rniwa on #webkit).
7140
7141 Reverted changesets:
7142
7143 "Rewrite Function.bind as a builtin"
7144 https://bugs.webkit.org/show_bug.cgi?id=131083
7145 http://trac.webkit.org/changeset/167199
7146
7147 "Update test result"
7148 http://trac.webkit.org/changeset/167251
7149
7150 2014-04-14 Commit Queue <commit-queue@webkit.org>
7151
7152 Unreviewed, rolling out r167272.
7153 https://bugs.webkit.org/show_bug.cgi?id=131666
7154
7155 Broke multiple tests (Requested by ap on #webkit).
7156
7157 Reverted changeset:
7158
7159 "Function.bind itself is too slow"
7160 https://bugs.webkit.org/show_bug.cgi?id=131636
7161 http://trac.webkit.org/changeset/167272
7162
7163 2014-04-14 Geoffrey Garen <ggaren@apple.com>
7164
7165 ASSERT when firing low memory warning
7166 https://bugs.webkit.org/show_bug.cgi?id=131659
7167
7168 Reviewed by Mark Hahnenberg.
7169
7170 * heap/Heap.cpp:
7171 (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
7172 called when no GC is happening because that is what we do when a low
7173 memory warning fires, and it is harmless.
7174
7175 2014-04-14 Mark Hahnenberg <mhahnenberg@apple.com>
7176
7177 emit_op_put_by_id should not emit a write barrier that filters on value
7178 https://bugs.webkit.org/show_bug.cgi?id=131654
7179
7180 Reviewed by Filip Pizlo.
7181
7182 The 32-bit implementation does this, and it can cause crashes if we later repatch the
7183 code to allocate and store new Butterflies.
7184
7185 * jit/JITPropertyAccess.cpp:
7186 (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
7187 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
7188 load down into the if statement so that we don't do it if we're not filtering on the value.
7189 * jit/JITPropertyAccess32_64.cpp:
7190 (JSC::JIT::emit_op_put_by_id):
7191
7192 2014-04-14 Oliver Hunt <oliver@apple.com>
7193
7194 Function.bind itself is too slow
7195 https://bugs.webkit.org/show_bug.cgi?id=131636
7196
7197 Reviewed by Geoffrey Garen.
7198
7199 Rather than forcing creation of an activation, we now store
7200 bound function properties directly on the returned closure.
7201 This is necessary to deal with code that creates many function
7202 bindings, but does not call them very often.
7203
7204 This is a 60% speed up in the included js/regress test.
7205
7206 * builtins/BuiltinExecutables.cpp:
7207 (JSC::BuiltinExecutables::createBuiltinExecutable):
7208 * builtins/Function.prototype.js:
7209 (bind.bindingFunction):
7210 (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
7211 (bind.else.switch.case.1.bindingFunction):
7212 (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
7213 (bind.else.switch.case.2.bindingFunction):
7214 (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
7215 (bind.else.switch.case.3.bindingFunction):
7216 (bind.else.switch.bindingFunction):
7217 (bind):
7218 (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
7219 (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
7220 (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
7221 * runtime/CommonIdentifiers.h:
7222
7223 2014-04-14 Julien Brianceau <jbriance@cisco.com>
7224
7225 [sh4] Allow use of SubImmediates in LLINT.
7226 https://bugs.webkit.org/show_bug.cgi?id=131608
7227
7228 Reviewed by Mark Lam.
7229
7230 Allow use of SubImmediates with const pool so the sh4 architecture can
7231 share the arm path for setEntryAddress macro. It reduces architecture
7232 specific code and leads to more optimal generated code for sh4.
7233
7234 * llint/LowLevelInterpreter.asm:
7235 * offlineasm/sh4.rb:
7236
7237 2014-04-14 Andreas Kling <akling@apple.com>
7238
7239 Array.prototype.concat should allocate output storage only once.
7240 <https://webkit.org/b/131609>
7241
7242 Do a first pass across 'this' and any arguments to compute the
7243 final size of the resulting array from Array.prototype.concat.
7244 This avoids having to grow the output incrementally as we go.
7245
7246 This also includes two other micro-optimizations:
7247
7248 - Mark getProperty() with ALWAYS_INLINE.
7249
7250 - Use JSArray::length() instead of taking the generic property
7251 lookup path when we know an argument is an Array.
7252
7253 My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
7254
7255 Reviewed by Oliver & Darin.
7256
7257 * runtime/ArrayPrototype.cpp:
7258 (JSC::getProperty):
7259 (JSC::arrayProtoFuncConcat):
7260
7261 2014-04-14 Commit Queue <commit-queue@webkit.org>
7262
7263 Unreviewed, rolling out r167249.
7264 https://bugs.webkit.org/show_bug.cgi?id=131621
7265
7266 broke 3 tests on cloop (Requested by kling on #webkit).
7267
7268 Reverted changeset:
7269
7270 "Array.prototype.concat should allocate output storage only
7271 once."
7272 https://bugs.webkit.org/show_bug.cgi?id=131609
7273 http://trac.webkit.org/changeset/167249
7274
7275 2014-04-14 Alex Christensen <achristensen@webkit.org>
7276
7277 Fixed potential integer truncation.
7278 https://bugs.webkit.org/show_bug.cgi?id=131615
7279
7280 Reviewed by Darin Adler.
7281
7282 * assembler/X86Assembler.h:
7283 (JSC::X86Assembler::fillNops):
7284 Truncate the size_t to an unsigned after it is limited to 15 instead of before.
7285
7286 2014-04-14 Andreas Kling <akling@apple.com>
7287
7288 Array.prototype.concat should allocate output storage only once.
7289 <https://webkit.org/b/131609>
7290
7291 Do a first pass across 'this' and any arguments to compute the
7292 final size of the resulting array from Array.prototype.concat.
7293 This avoids having to grow the output incrementally as we go.
7294
7295 This also includes two other micro-optimizations:
7296
7297 - Mark getProperty() with ALWAYS_INLINE.
7298
7299 - Use JSArray::length() instead of taking the generic property
7300 lookup path when we know an argument is an Array.
7301
7302 My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
7303
7304 Reviewed by Darin Adler.
7305
7306 * runtime/ArrayPrototype.cpp:
7307 (JSC::getProperty):
7308 (JSC::arrayProtoFuncConcat):
7309
7310 2014-04-14 Benjamin Poulain <benjamin@webkit.org>
7311
7312 [JSC] Improve the call site of string comparison in some hot path
7313 https://bugs.webkit.org/show_bug.cgi?id=131605
7314
7315 Reviewed by Darin Adler.
7316
7317 When resolved, the String of a JSString is never null. It can be empty but not null.
7318 The null value is reserved for ropes but those would be resolved when getting the value.
7319
7320 Consequently, we should use the equal() operation that does not handle null values.
7321 Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
7322
7323 * jit/JITOperations.cpp:
7324 * runtime/JSCJSValueInlines.h:
7325 (JSC::JSValue::equalSlowCaseInline):
7326 (JSC::JSValue::strictEqualSlowCaseInline):
7327 (JSC::JSValue::pureStrictEqual):
7328
7329 2014-04-08 Oliver Hunt <oliver@apple.com>
7330
7331 Rewrite Function.bind as a builtin
7332 https://bugs.webkit.org/show_bug.cgi?id=131083
7333
7334 Reviewed by Geoffrey Garen.
7335
7336 This change removes the existing function.bind implementation
7337 entirely so JSBoundFunction is no more.
7338
7339 Instead we just return a regular JS closure with a few
7340 private properties hanging off it that allow us to perform
7341 the necessary bound function fakery. While most of this is
7342 simple, a couple of key changes:
7343
7344 - The parser and lexer now directly track whether they're
7345 parsing code for call or construct and convert the private
7346 name @IsConstructor into TRUETOK or FALSETOK as appropriate.
7347 This automatically gives us the ability to vary behaviour
7348 from within the builtin. It also leaves a lot of headroom
7349 for trivial future improvements.
7350 - The instanceof operator now uses the prototypeForHasInstance
7351 private name, and we have a helper function to ensure that
7352 all objects that need to can update their magical 'prototype'
7353 property pair correctly.
7354
7355 * API/JSScriptRef.cpp:
7356 (parseScript):
7357 * JavaScriptCore.xcodeproj/project.pbxproj:
7358 * builtins/BuiltinExecutables.cpp:
7359 (JSC::BuiltinExecutables::createBuiltinExecutable):
7360 * builtins/Function.prototype.js:
7361 (bind.bindingFunction):
7362 (bind.else.bindingFunction):
7363 (bind):
7364 * bytecode/UnlinkedCodeBlock.cpp:
7365 (JSC::generateFunctionCodeBlock):
7366 * bytecompiler/NodesCodegen.cpp:
7367 (JSC::InstanceOfNode::emitBytecode):
7368 * interpreter/Interpreter.cpp:
7369 * parser/Lexer.cpp:
7370 (JSC::Lexer<T>::Lexer):
7371 (JSC::Lexer<LChar>::parseIdentifier):
7372 (JSC::Lexer<UChar>::parseIdentifier):
7373 * parser/Lexer.h:
7374 * parser/Parser.cpp:
7375 (JSC::Parser<LexerType>::Parser):
7376 (JSC::Parser<LexerType>::parseInner):
7377 * parser/Parser.h:
7378 (JSC::parse):
7379 * parser/ParserModes.h:
7380 * runtime/CodeCache.cpp:
7381 (JSC::CodeCache::getGlobalCodeBlock):
7382 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
7383 * runtime/CommonIdentifiers.h:
7384 * runtime/Completion.cpp:
7385 (JSC::checkSyntax):
7386 * runtime/Executable.cpp:
7387 (JSC::ProgramExecutable::checkSyntax):
7388 * runtime/FunctionPrototype.cpp:
7389 (JSC::FunctionPrototype::addFunctionProperties):
7390 (JSC::functionProtoFuncBind): Deleted.
7391 * runtime/JSBoundFunction.cpp: Removed.
7392 * runtime/JSBoundFunction.h: Removed.
7393 * runtime/JSFunction.cpp:
7394 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
7395 (JSC::RetrieveCallerFunctionFunctor::operator()):
7396 (JSC::retrieveCallerFunction):
7397 (JSC::JSFunction::getOwnPropertySlot):
7398 (JSC::JSFunction::defineOwnProperty):
7399 * runtime/JSGlobalObject.cpp:
7400 (JSC::JSGlobalObject::reset):
7401 * runtime/JSGlobalObjectFunctions.cpp:
7402 (JSC::globalFuncSetTypeErrorAccessor):
7403 * runtime/JSGlobalObjectFunctions.h:
7404 * runtime/JSObject.h:
7405 (JSC::JSObject::inlineGetOwnPropertySlot):
7406
7407 2014-04-12 Filip Pizlo <fpizlo@apple.com>
7408
7409 Math.fround() should be an intrinsic
7410 https://bugs.webkit.org/show_bug.cgi?id=131583
7411
7412 Reviewed by Geoffrey Garen.
7413
7414 Makes programs that use Math.fround() run up to 6x faster.
7415
7416 * dfg/DFGAbstractInterpreterInlines.h:
7417 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
7418 * dfg/DFGByteCodeParser.cpp:
7419 (JSC::DFG::ByteCodeParser::handleIntrinsic):
7420 * dfg/DFGCSEPhase.cpp:
7421 (JSC::DFG::CSEPhase::performNodeCSE):
7422 * dfg/DFGClobberize.h:
7423 (JSC::DFG::clobberize):
7424 * dfg/DFGFixupPhase.cpp:
7425 (JSC::DFG::FixupPhase::fixupNode):
7426 * dfg/DFGNodeType.h:
7427 * dfg/DFGPredictionPropagationPhase.cpp:
7428 (JSC::DFG::PredictionPropagationPhase::propagate):
7429 * dfg/DFGSafeToExecute.h:
7430 (JSC::DFG::safeToExecute):
7431 * dfg/DFGSpeculativeJIT32_64.cpp:
7432 (JSC::DFG::SpeculativeJIT::compile):
7433 * dfg/DFGSpeculativeJIT64.cpp:
7434 (JSC::DFG::SpeculativeJIT::compile):
7435 * ftl/FTLCapabilities.cpp:
7436 (JSC::FTL::canCompile):
7437 * ftl/FTLLowerDFGToLLVM.cpp:
7438 (JSC::FTL::LowerDFGToLLVM::compileNode):
7439 (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
7440 * runtime/Intrinsic.h:
7441 * runtime/MathObject.cpp:
7442 (JSC::MathObject::finishCreation):
7443
7444 2014-04-12 Filip Pizlo <fpizlo@apple.com>
7445
7446 FTL should use stackmap register liveness
7447 https://bugs.webkit.org/show_bug.cgi?id=130791
7448
7449 Reviewed by Geoffrey Garen.
7450
7451 Enable the stackmap register liveness support by fixing the two last bugs:
7452
7453 - If everything is dead after the patchpoint - a good possibility for a put_by_id -
7454 then we shouldn't crash due to a null scratch buffer.
7455
7456 - Always consider callee-saves as if they were live. More precisely, we should
7457 consider those callee-saves that are not saved by the enclosing function to be live.
7458 For now we do the much simpler thing and consider callee-saves to be always live
7459 since it has minimal impact on the scratch register allocator. It will know not to
7460 preserve those for calls, anyway.
7461
7462 I tried writing a test for the null scratch buffer thing, but failed. I will land the
7463 test anyway since it seems useful.
7464
7465 * ftl/FTLCompile.cpp:
7466 (JSC::FTL::usedRegistersFor):
7467 * jit/ScratchRegisterAllocator.cpp:
7468 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
7469 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
7470 * runtime/Options.h:
7471 * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
7472 (foo):
7473
7474 2014-04-11 Filip Pizlo <fpizlo@apple.com>
7475
7476 DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
7477 https://bugs.webkit.org/show_bug.cgi?id=131424
7478
7479 Reviewed by Geoffrey Garen.
7480
7481 This defers type conversion injection until we've decided on types. This makes the
7482 process of deciding types a bit more flexible - for example we can naturally fixpoint
7483 and change our minds. Only when things are settled do we actually insert conversions.
7484
7485 This is a necessary prerequisite for keeping double, int52, and JSValue data flow
7486 separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
7487 that there are typed uses. If we were eagerly inserting type conversions then we would
7488 first insert a to/from-JSValue conversion in some cases only to then replace it by
7489 the other conversions. It's probably trivial to remove those redundant conversions later
7490 but I think it's better if we don't insert them to begin with.
7491
7492 * bytecode/CodeOrigin.h:
7493 (JSC::CodeOrigin::operator!):
7494 * dfg/DFGFixupPhase.cpp:
7495 (JSC::DFG::FixupPhase::run):
7496 (JSC::DFG::FixupPhase::fixupBlock):
7497 (JSC::DFG::FixupPhase::fixupNode):
7498 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
7499 (JSC::DFG::FixupPhase::fixEdge):
7500 (JSC::DFG::FixupPhase::fixIntEdge):
7501 (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
7502 (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
7503 (JSC::DFG::FixupPhase::addRequiredPhantom):
7504 (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
7505 (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
7506 (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
7507 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
7508 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
7509
7510 2014-04-11 Brian J. Burg <burg@cs.washington.edu>
7511
7512 Web Replay: code generator should consider enclosing class when computing duplicate type names
7513 https://bugs.webkit.org/show_bug.cgi?id=131554
7514
7515 Reviewed by Timothy Hatcher.
7516
7517 We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
7518 can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
7519 by the enclosing class and enum name.
7520
7521 Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
7522
7523 * replay/scripts/CodeGeneratorReplayInputs.py:
7524 (Type.type_name): Prepend the enclosing class name.
7525 (Type.type_name.is):
7526 * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
7527 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
7528 * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
7529 * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
7530 * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
7531 * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
7532
7533 2014-04-11 Gavin Barraclough <baraclough@apple.com>
7534
7535 Rollout - Rewrite Function.bind as a builtin
7536 https://bugs.webkit.org/show_bug.cgi?id=131083
7537
7538 Unreviewed.
7539
7540 Rolling out r167020 while investigating a performance regression.
7541
7542 * API/JSObjectRef.cpp:
7543 (JSObjectMakeConstructor):
7544 * API/JSScriptRef.cpp:
7545 (parseScript):
7546 * CMakeLists.txt:
7547 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
7548 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
7549 * JavaScriptCore.xcodeproj/project.pbxproj:
7550 * builtins/BuiltinExecutables.cpp:
7551 (JSC::BuiltinExecutables::createBuiltinExecutable):
7552 * builtins/Function.prototype.js:
7553 (apply):
7554 (bind.bindingFunction): Deleted.
7555 (bind.else.bindingFunction): Deleted.
7556 (bind): Deleted.
7557 * bytecode/UnlinkedCodeBlock.cpp:
7558 (JSC::generateFunctionCodeBlock):
7559 * bytecompiler/NodesCodegen.cpp:
7560 (JSC::InstanceOfNode::emitBytecode):
7561 * interpreter/Interpreter.cpp:
7562 * parser/Lexer.cpp:
7563 (JSC::Lexer<T>::Lexer):
7564 (JSC::Lexer<LChar>::parseIdentifier):
7565 (JSC::Lexer<UChar>::parseIdentifier):
7566 * parser/Lexer.h:
7567 * parser/Parser.cpp:
7568 (JSC::Parser<LexerType>::Parser):
7569 (JSC::Parser<LexerType>::parseInner):
7570 * parser/Parser.h:
7571 (JSC::parse):
7572 * parser/ParserModes.h:
7573 * runtime/ArgumentsIteratorConstructor.cpp:
7574 (JSC::ArgumentsIteratorConstructor::finishCreation):
7575 * runtime/ArrayConstructor.cpp:
7576 (JSC::ArrayConstructor::finishCreation):
7577 * runtime/BooleanConstructor.cpp:
7578 (JSC::BooleanConstructor::finishCreation):
7579 * runtime/CodeCache.cpp:
7580 (JSC::CodeCache::getGlobalCodeBlock):
7581 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
7582 * runtime/CommonIdentifiers.h:
7583 * runtime/Completion.cpp:
7584 (JSC::checkSyntax):
7585 * runtime/DateConstructor.cpp:
7586 (JSC::DateConstructor::finishCreation):
7587 * runtime/ErrorConstructor.cpp:
7588 (JSC::ErrorConstructor::finishCreation):
7589 * runtime/Executable.cpp:
7590 (JSC::ProgramExecutable::checkSyntax):
7591 * runtime/FunctionConstructor.cpp:
7592 (JSC::FunctionConstructor::finishCreation):
7593 * runtime/FunctionPrototype.cpp:
7594 (JSC::FunctionPrototype::addFunctionProperties):
7595 (JSC::functionProtoFuncBind):
7596 * runtime/JSArrayBufferConstructor.cpp:
7597 (JSC::JSArrayBufferConstructor::finishCreation):
7598 * runtime/JSBoundFunction.cpp: Added.
7599 (JSC::boundFunctionCall):
7600 (JSC::boundFunctionConstruct):
7601 (JSC::JSBoundFunction::create):
7602 (JSC::JSBoundFunction::destroy):
7603 (JSC::JSBoundFunction::customHasInstance):
7604 (JSC::JSBoundFunction::JSBoundFunction):
7605 (JSC::JSBoundFunction::finishCreation):
7606 (JSC::JSBoundFunction::visitChildren):
7607 * runtime/JSBoundFunction.h: Added.
7608 (JSC::JSBoundFunction::targetFunction):
7609 (JSC::JSBoundFunction::boundThis):
7610 (JSC::JSBoundFunction::boundArgs):
7611 (JSC::JSBoundFunction::createStructure):
7612 * runtime/JSFunction.cpp:
7613 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
7614 (JSC::RetrieveCallerFunctionFunctor::operator()):
7615 (JSC::retrieveCallerFunction):
7616 (JSC::JSFunction::getOwnPropertySlot):
7617 (JSC::JSFunction::getOwnNonIndexPropertyNames):
7618 (JSC::JSFunction::put):
7619 (JSC::JSFunction::defineOwnProperty):
7620 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
7621 (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
7622 * runtime/JSGlobalObject.cpp:
7623 (JSC::JSGlobalObject::reset):
7624 * runtime/JSGlobalObjectFunctions.cpp:
7625 (JSC::globalFuncSetTypeErrorAccessor): Deleted.
7626 * runtime/JSGlobalObjectFunctions.h:
7627 * runtime/JSObject.cpp:
7628 (JSC::JSObject::putDirectPrototypeProperty): Deleted.
7629 (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
7630 * runtime/JSObject.h:
7631 * runtime/JSPromiseConstructor.cpp:
7632 (JSC::JSPromiseConstructor::finishCreation):
7633 * runtime/MapConstructor.cpp:
7634 (JSC::MapConstructor::finishCreation):
7635 * runtime/MapIteratorConstructor.cpp:
7636 (JSC::MapIteratorConstructor::finishCreation):
7637 * runtime/NameConstructor.cpp:
7638 (JSC::NameConstructor::finishCreation):
7639 * runtime/NativeErrorConstructor.cpp:
7640 (JSC::NativeErrorConstructor::finishCreation):
7641 * runtime/NumberConstructor.cpp:
7642 (JSC::NumberConstructor::finishCreation):
7643 * runtime/ObjectConstructor.cpp:
7644 (JSC::ObjectConstructor::finishCreation):
7645 * runtime/RegExpConstructor.cpp:
7646 (JSC::RegExpConstructor::finishCreation):
7647 * runtime/SetConstructor.cpp:
7648 (JSC::SetConstructor::finishCreation):
7649 * runtime/SetIteratorConstructor.cpp:
7650 (JSC::SetIteratorConstructor::finishCreation):
7651 * runtime/StringConstructor.cpp:
7652 (JSC::StringConstructor::finishCreation):
7653 * runtime/WeakMapConstructor.cpp:
7654 (JSC::WeakMapConstructor::finishCreation):
7655
7656 2014-04-11 David Kilzer <ddkilzer@apple.com>
7657
7658 [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
7659 <http://webkit.org/b/131556>
7660 <rdar://problem/16591856>
7661
7662 Reviewed by Brent Fulgham.
7663
7664 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
7665 OTHER_LDFLAGS so the ASan build does not try to link to
7666 libclang_rt.asan_osx_dynamic.dylib.
7667
7668 2014-04-11 Mark Lam <mark.lam@apple.com>
7669
7670 JSMainThreadExecState::call() should clear exceptions before returning.
7671 <https://webkit.org/b/131530>
7672
7673 Reviewed by Geoffrey Garen.
7674
7675 Added a version of JSC::call() that returns any uncaught exception instead
7676 of leaving it pending in the VM.
7677
7678 As part of this change, I updated various parts of the code base to use the
7679 new API as needed.
7680
7681 * bindings/ScriptFunctionCall.cpp:
7682 (Deprecated::ScriptFunctionCall::call):
7683 - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
7684 The injected scripts will include Inspector scripts that should catch
7685 and handle any exceptions that were thrown. We should not be seeing any
7686 exceptions returned from this call. However, we do have checks for
7687 exceptions in case there are bugs in the Inspector scripts which allowed
7688 the exception to leak through. Hence, it is proper to clear the exception
7689 here, and only record the fact that an exception was seen (if present).
7690
7691 * bindings/ScriptFunctionCall.h:
7692 * inspector/InspectorEnvironment.h:
7693 * runtime/CallData.cpp:
7694 (JSC::call):
7695 * runtime/CallData.h:
7696
7697 2014-04-11 Oliver Hunt <oliver@apple.com>
7698
7699 Add BuiltinLog function to make debugging builtins easier
7700 https://bugs.webkit.org/show_bug.cgi?id=131550
7701
7702 Reviewed by Andreas Kling.
7703
7704 Add a logging function that builtins can use for debugging.
7705
7706 * runtime/CommonIdentifiers.h:
7707 * runtime/JSGlobalObject.cpp:
7708 (JSC::JSGlobalObject::reset):
7709 * runtime/JSGlobalObjectFunctions.cpp:
7710 (JSC::globalFuncBuiltinLog):
7711 * runtime/JSGlobalObjectFunctions.h:
7712
7713 2014-04-11 Julien Brianceau <jbriance@cisco.com>
7714
7715 Fix LLInt for sh4 architecture (broken since C stack merge).
7716 https://bugs.webkit.org/show_bug.cgi?id=131532
7717
7718 Reviewed by Mark Lam.
7719
7720 This patch fixes the build and also implements the sh4 parts of the initPCRelative and
7721 setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
7722
7723 * llint/LowLevelInterpreter.asm:
7724 * llint/LowLevelInterpreter32_64.asm:
7725 * offlineasm/instructions.rb:
7726 * offlineasm/sh4.rb:
7727
7728 2014-04-10 Michael Saboff <msaboff@apple.com>
7729
7730 Crash beneath DFG JIT code @ video.disney.com
7731 https://bugs.webkit.org/show_bug.cgi?id=131447
7732
7733 Reviewed by Geoffrey Garen.
7734
7735 The 32-bit path of speculateMisc() uses an 'is not int32' check followed by a
7736 'tag not less than Undefined' check. The first check was incorrectly elided if we
7737 knew that the value *was* an int32, when it should have been elided if we already
7738 knew that the value *was not* an int32.
7739
7740 * dfg/DFGSpeculativeJIT.cpp:
7741 (JSC::DFG::SpeculativeJIT::speculateMisc):
7742 * tests/stress/test-spec-misc.js: Added test.
7743 (getX):
7744 (foo):
7745 (bar):
7746
7747 2014-04-08 Filip Pizlo <fpizlo@apple.com>
7748
7749 Make room for additional types in SpeculatedType.h
7750 https://bugs.webkit.org/show_bug.cgi?id=131422
7751
7752 Reviewed by Sam Weinig.
7753
7754 This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
7755
7756 * bytecode/SpeculatedType.h:
7757
7758 2014-04-10 Alex Christensen <achristensen@webkit.org>
7759
7760 Compile fix for Win64.
7761 https://bugs.webkit.org/show_bug.cgi?id=131508
7762
7763 Reviewed by Geoffrey Garen.
7764
7765 * assembler/X86Assembler.h:
7766 (JSC::X86Assembler::fillNops):
7767 Added unsigned template parameter to distinguish between size_t and unsigned long.
7768
7769 2014-04-10 Michael Saboff <msaboff@apple.com>
7770
7771 LLInt interpreter code should be generated as part of one function
7772 https://bugs.webkit.org/show_bug.cgi?id=131205
7773
7774 Reviewed by Mark Lam.
7775
7776 Changed the generation of llint opcodes so that they are all part of the same
7777 global function, llint_entry. That function is used to fill in an entry point
7778 table that includes each of the opcodes and helpers.
7779
7780 * CMakeLists.txt:
7781 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
7782 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
7783 * JavaScriptCore.xcodeproj/project.pbxproj:
7784 Added appropriate use of new -I option to offline assembler and offset
7785 generator scripts.
7786
7787 * llint/LowLevelInterpreter.asm:
7788 * llint/LowLevelInterpreter.cpp:
7789 * llint/LowLevelInterpreter.h:
7790 * offlineasm/arm.rb:
7791 * offlineasm/arm64.rb:
7792 * offlineasm/asm.rb:
7793 * offlineasm/ast.rb:
7794 * offlineasm/backends.rb:
7795 * offlineasm/cloop.rb:
7796 * offlineasm/generate_offset_extractor.rb:
7797 * offlineasm/instructions.rb:
7798 * offlineasm/parser.rb:
7799 * offlineasm/registers.rb:
7800 * offlineasm/self_hash.rb:
7801 * offlineasm/settings.rb:
7802 * offlineasm/transform.rb:
7803 * offlineasm/x86.rb:
7804 Added a new "global" keyword to the offline assembler that denotes a label that
7805 should be exported. Added opcode and operand support to get the absolute
7806 address of a local label using position independent calculations. Updated the
7807 offline assembler to handle included files, both when generating the checksum
7808 as well as including files from other than the local directory via a newly
7809 added -I option. The offline assembler now automatically determines external
7810 functions by keeping track of referenced functions that are defined within the
7811 assembly source. This is used both for choosing the correct macro for external
7812 references as well as generating the needed EXTERN directives for masm.
7813 Updated the generation of the masm only .sym file to be written once at the end
7814 of the offline assembler.
7815
7816 * assembler/MacroAssemblerCodeRef.h:
7817 (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
7818 (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
7819 * bytecode/CodeBlock.cpp:
7820 (JSC::CodeBlock::dumpBytecode):
7821 (JSC::CodeBlock::CodeBlock):
7822 * bytecode/GetByIdStatus.cpp:
7823 (JSC::GetByIdStatus::computeFromLLInt):
7824 * bytecode/Opcode.h:
7825 (JSC::padOpcodeName):
7826 * bytecode/PutByIdStatus.cpp:
7827 (JSC::PutByIdStatus::computeFromLLInt):
7828 * jit/JIT.cpp:
7829 (JSC::JIT::privateCompileMainPass):
7830 * jit/JITStubs.h:
7831 * llint/LLIntCLoop.cpp:
7832 (JSC::LLInt::initialize):
7833 * llint/LLIntData.h:
7834 (JSC::LLInt::getCodeFunctionPtr):
7835 (JSC::LLInt::getOpcode): Deleted.
7836 (JSC::LLInt::getCodePtr): Deleted.
7837 * llint/LLIntOpcode.h:
7838 * llint/LLIntSlowPaths.cpp:
7839 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
7840 * llint/LLIntThunks.cpp:
7841 (JSC::LLInt::functionForCallEntryThunkGenerator):
7842 (JSC::LLInt::functionForConstructEntryThunkGenerator):
7843 (JSC::LLInt::functionForCallArityCheckThunkGenerator):
7844 (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
7845 (JSC::LLInt::evalEntryThunkGenerator):
7846 (JSC::LLInt::programEntryThunkGenerator):
7847 * llint/LLIntThunks.h:
7848 Changed references to llint helpers to go through the entry point table populated
7849 by llint_entry. Added helpers to OpcodeID enum for all builds.
7850
7851 * bytecode/BytecodeList.json:
7852 * generate-bytecode-files:
7853 * llint/LLIntCLoop.cpp:
7854 (JSC::LLInt::CLoop::initialize):
7855 Reordered sections to match the order that the functions are added to the entry point
7856 table. Added new "asmPrefix" property for symbols that have one name but are generated
7857 with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
7858 as we are using enums for all bytecode references. Changed the C Loop only
7859 llint_c_loop_init to llint_entry.
7860
7861 2014-04-10 Matthew Mirman <mmirman@apple.com>
7862
7863 WIP for inlining C++. Added a build target to produce LLVM IR.
7864 https://bugs.webkit.org/show_bug.cgi?id=130523
7865
7866 Reviewed by Mark Rowe.
7867
7868 * JavaScriptCore.xcodeproj/project.pbxproj:
7869 * build-symbol-table-index.py: Added.
7870 * build-symbol-table-index.sh: Added.
7871 * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
7872 * copy-llvm-ir-to-derived-sources.sh: Added.
7873
7874 2014-04-10 Brian J. Burg <burg@cs.washington.edu>
7875
7876 Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
7877 https://bugs.webkit.org/show_bug.cgi?id=131341
7878
7879 Reviewed by Timothy Hatcher.
7880
7881 Add support for encoding/decoding unsigned long with EncodedValue.
7882 It is a distinct type from uint32_t and uint64_t.
7883
7884 * replay/EncodedValue.cpp:
7885 (JSC::EncodedValue::convertTo<unsigned long>):
7886 * replay/EncodedValue.h:
7887
7888 2014-04-10 Mark Lam <mark.lam@apple.com>
7889
7890 LLINT loadisFromInstruction should handle the big endian case.
7891 <https://webkit.org/b/131495>
7892
7893 Reviewed by Mark Hahnenberg.
7894
7895 The LLINT loadisFromInstruction macro aims to load the least significant
7896 32-bit word from the 64-bit bytecode instruction stream and sign extend
7897 it. For big endian machines, the current implementation would load the
7898 wrong 32-bit word.
7899
7900 Without this fix, the JSC tests will crash on big endian machines.
7901 Thanks to Tomas Popela for diagnosing this issue.
7902
7903 * llint/LowLevelInterpreter.asm:
7904
7905 2014-04-09 Mark Lam <mark.lam@apple.com>
7906
7907 Temporarily disable the JIT for the Windows port.
7908 <https://webkit.org/b/131470>
7909
7910 Reviewed by Brent Fulgham.
7911
7912 This is a temporary stop gap measure to green the Windows bots until
7913 we have a fix for https://webkit.org/b/131182.
7914
7915 * runtime/Options.cpp:
7916 (JSC::recomputeDependentOptions):
7917
7918 2014-04-09 Juergen Ributzka <juergen@apple.com>
7919
7920 [FTL] Emit multibyte NOPs on X86-64
7921 https://bugs.webkit.org/show_bug.cgi?id=131394
7922
7923 Reviewed by Michael Saboff.
7924
7925 * assembler/X86Assembler.h:
7926 (JSC::X86Assembler::fillNops):
7927
7928 2014-04-09 Julien Brianceau <jbriance@cisco.com>
7929
7930 Get rid of JITOperationWrappers.h header file.
7931 https://bugs.webkit.org/show_bug.cgi?id=131450
7932
7933 Reviewed by Michael Saboff.
7934
7935 JITOperationWrappers header file contains architecture specific code that is
7936 not needed anymore, so get rid of it.
7937
7938 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
7939 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
7940 * JavaScriptCore.xcodeproj/project.pbxproj:
7941 * dfg/DFGOperations.cpp:
7942 * jit/JITOperationWrappers.h: Removed.
7943 * jit/JITOperations.cpp:
7944
7945 2014-04-09 Mark Lam <mark.lam@apple.com>
7946
7947 Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
7948 <https://webkit.org/b/131449>
7949
7950 Reviewed by Mark Hahnenberg.
7951
7952 Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
7953 that it pads is of type int anyway. It doesn't need to be 64 bit. This
7954 also makes it work with the LLINT which is loading it with a loadi
7955 instruction.
7956
7957 We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
7958 when loading the argCount.
7959
7960 The paddedArgCount issue was causing failures when running the JSC tests on a
7961 64-bit big endian machine. In this case, the paddedArgCount in the
7962 ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
7963 as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
7964 that field, the LLINT got a value of 0 instead of the expected 2. With this
7965 patch, we now have a matching store and load of a 32-bit value, and endianness
7966 no longer comes into play.
7967
7968 As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
7969 the payload field of the Register. In the definition of EncodedValueDescriptor,
7970 we already ensure that the payload is in the least significant 32-bits for
7971 little endian machines, and in the most significant 32-bits for big endian
7972 machines. This means that there is no endianness bug when loading this value
7973 using loadi. However, adding the PayLoadOffset clarifies the intent of the
7974 code to load the payload part of the Register value.
7975
7976 * interpreter/ProtoCallFrame.h:
7977 (JSC::ProtoCallFrame::setPaddedArgCount):
7978 * llint/LowLevelInterpreter32_64.asm:
7979 * llint/LowLevelInterpreter64.asm:
7980
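
The two Mark Lam entries above (the loadisFromInstruction big-endian fix and the ProtoCallFrame paddedArgCount fix) describe one class of bug: a 32-bit load at a fixed byte offset picks up a different half of a 64-bit field depending on host endianness, so a value of 2 reads back as 0 on a big-endian machine. The C program below is an added illustration written for this page, not JSC code; the byte layout, the loadi_at helper and the low_word_offset selector are constructed stand-ins for the real LLInt macros and the ProtoCallFrame layout. It models both host kinds on one machine by encoding the 64-bit slot explicitly, so it runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one 64-bit slot (an instruction-stream operand, or the
 * old size_t paddedArgCount) as the bytes a host of the given endianness
 * would hold in memory. This is not JSC's real encoding. */
static void encode_u64(uint64_t v, int little_endian, uint8_t out[8]) {
    for (int i = 0; i < 8; i++) {
        int shift = little_endian ? 8 * i : 8 * (7 - i);
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Model of a 32-bit "loadi" at a byte offset: reads four bytes in host order
 * and sign-extends them, which is what a loadis does. */
static int32_t loadi_at(const uint8_t *bytes, size_t offset, int little_endian) {
    uint32_t w = 0;
    for (int i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        w |= (uint32_t)bytes[offset + i] << shift;
    }
    /* Explicit sign extension, so we do not rely on the unsigned->signed cast. */
    return (w & 0x80000000u) ? -(int32_t)(~w) - 1 : (int32_t)w;
}

/* The buggy shape: always load the word at the lowest address. This is only
 * the least significant word when the host is little-endian. */
static int32_t naive_low_word(uint64_t slot, int little_endian) {
    uint8_t mem[8];
    encode_u64(slot, little_endian, mem);
    return loadi_at(mem, 0, little_endian);
}

/* The fixed shape: the least significant word sits at offset 0 on LE hosts
 * and at offset 4 on BE hosts, so select the offset from the host's
 * endianness (the role PayLoadOffset plays for the Register payload). */
static size_t low_word_offset(int little_endian) {
    return little_endian ? 0 : 4;
}

static int32_t fixed_low_word(uint64_t slot, int little_endian) {
    uint8_t mem[8];
    encode_u64(slot, little_endian, mem);
    return loadi_at(mem, low_word_offset(little_endian), little_endian);
}

/* Detect the build host so the demo can say which case it really runs on. */
static int host_is_little_endian(void) {
    const uint32_t probe = 1;
    return *(const uint8_t *)&probe == 1;
}

int main(void) {
    const uint64_t padded_arg_count = 2;  /* the value quoted in the entry */
    printf("this host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    for (int le = 1; le >= 0; le--) {
        printf("%s host: naive load = %d, fixed load = %d\n",
               le ? "LE" : "BE",
               naive_low_word(padded_arg_count, le),
               fixed_low_word(padded_arg_count, le));
    }
    return 0;
}
```

Note that the paddedArgCount entry takes the other available route: rather than computing an endian-dependent offset, it shrinks the field to uint32_t so that the store and the load are the same width and no half of a wider word can be picked up. Either approach works; what does not work is a 32-bit load of a 64-bit field at a fixed offset.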
7981 2014-04-08 Oliver Hunt <oliver@apple.com>
7982
7983 Rewrite Function.bind as a builtin
7984 https://bugs.webkit.org/show_bug.cgi?id=131083
7985
7986 Reviewed by Geoffrey Garen.
7987
7988 This change removes the existing function.bind implementation
7989 entirely so JSBoundFunction is no more.
7990
7991 Instead we just return a regular JS closure with a few
7992 private properties hanging off it that allow us to perform
7993 the necessary bound function fakery. While most of this is
7994 simple, a couple of key changes:
7995
7996 - The parser and lexer now directly track whether they're
7997 parsing code for call or construct and convert the private
7998 name @IsConstructor into TRUETOK or FALSETOK as appropriate.
7999 This automatically gives us the ability to vary behaviour
8000 from within the builtin. It also leaves a lot of headroom
8001 for trivial future improvements.
8002 - The instanceof operator now uses the prototypeForHasInstance
8003 private name, and we have a helper function to ensure that
8004 all objects that need to can update their magical 'prototype'
8005 property pair correctly.
8006
8007 * API/JSScriptRef.cpp:
8008 (parseScript):
8009 * JavaScriptCore.xcodeproj/project.pbxproj:
8010 * builtins/BuiltinExecutables.cpp:
8011 (JSC::BuiltinExecutables::createBuiltinExecutable):
8012 * builtins/Function.prototype.js:
8013 (bind.bindingFunction):
8014 (bind.else.bindingFunction):
8015 (bind):
8016 * bytecode/UnlinkedCodeBlock.cpp:
8017 (JSC::generateFunctionCodeBlock):
8018 * bytecompiler/NodesCodegen.cpp:
8019 (JSC::InstanceOfNode::emitBytecode):
8020 * interpreter/Interpreter.cpp:
8021 * parser/Lexer.cpp:
8022 (JSC::Lexer<T>::Lexer):
8023 (JSC::Lexer<LChar>::parseIdentifier):
8024 (JSC::Lexer<UChar>::parseIdentifier):
8025 * parser/Lexer.h:
8026 * parser/Parser.cpp:
8027 (JSC::Parser<LexerType>::Parser):
8028 (JSC::Parser<LexerType>::parseInner):
8029 * parser/Parser.h:
8030 (JSC::parse):
8031 * parser/ParserModes.h:
8032 * runtime/CodeCache.cpp:
8033 (JSC::CodeCache::getGlobalCodeBlock):
8034 (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
8035 * runtime/CommonIdentifiers.h:
8036 * runtime/Completion.cpp:
8037 (JSC::checkSyntax):
8038 * runtime/Executable.cpp:
8039 (JSC::ProgramExecutable::checkSyntax):
8040 * runtime/FunctionPrototype.cpp:
8041 (JSC::FunctionPrototype::addFunctionProperties):
8042 (JSC::functionProtoFuncBind): Deleted.
8043 * runtime/JSBoundFunction.cpp: Removed.
8044 * runtime/JSBoundFunction.h: Removed.
8045 * runtime/JSFunction.cpp:
8046 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
8047 (JSC::RetrieveCallerFunctionFunctor::operator()):
8048 (JSC::retrieveCallerFunction):
8049 (JSC::JSFunction::getOwnPropertySlot):
8050 (JSC::JSFunction::defineOwnProperty):
8051 * runtime/JSGlobalObject.cpp:
8052 (JSC::JSGlobalObject::reset):
8053 * runtime/JSGlobalObjectFunctions.cpp:
8054 (JSC::globalFuncSetTypeErrorAccessor):
8055 * runtime/JSGlobalObjectFunctions.h:
8056 * runtime/JSObject.h:
8057 (JSC::JSObject::inlineGetOwnPropertySlot):
8058
8059 2014-04-08 Jon Lee <jonlee@apple.com>
8060
8061 Turn MSE on by default
8062 https://bugs.webkit.org/show_bug.cgi?id=131313
8063 <rdar://problem/16525223>
8064
8065 Reviewed by Jer Noble.
8066
8067 * Configurations/FeatureDefines.xcconfig:
8068
8069 2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
8070
8071 Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
8072 https://bugs.webkit.org/show_bug.cgi?id=131406
8073
8074 Reviewed by Timothy Hatcher.
8075
8076 * inspector/remote/RemoteInspector.h:
8077 * inspector/remote/RemoteInspector.mm:
8078 (Inspector::RemoteInspector::stop):
8079 (Inspector::RemoteInspector::stopInternal):
8080 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
8081 Provide a way to stop externally and a path to stop when in
8082 the middle of handling a message already with the locked mutex.
8083
8084 * inspector/remote/RemoteInspectorXPCConnection.h:
8085 * inspector/remote/RemoteInspectorXPCConnection.mm:
8086 (Inspector::RemoteInspectorXPCConnection::close):
8087 (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
8088 Provide a way to close externally and a path to close when in
8089 the middle of handling a message already with a mutex.
8090
8091 2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
8092
8093 Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
8094 https://bugs.webkit.org/show_bug.cgi?id=131398
8095
8096 Reviewed by Timothy Hatcher.
8097
8098 * inspector/InjectedScriptSource.js:
8099 The console object can be deleted from a page or JSContext,
8100 so keep the code that expects it could have been deleted
8101 resilient in those cases.
8102
8103 * inspector/JSGlobalObjectScriptDebugServer.h:
8104 * inspector/agents/JSGlobalObjectDebuggerAgent.h:
8105 * inspector/agents/JSGlobalObjectRuntimeAgent.h:
8106 Change the FIXMEs to NOTEs that explain why these functions
8107 have empty implementations for JSContext inspection.
8108
8109 2014-04-08 Filip Pizlo <fpizlo@apple.com>
8110
8111 Unreviewed, fix a goofy assertion to fix debug.
8112
8113 * bytecode/PolymorphicPutByIdList.h:
8114 (JSC::PutByIdAccess::isSetter):
8115 (JSC::PutByIdAccess::oldStructure):
8116 (JSC::PutByIdAccess::chain):
8117 (JSC::PutByIdAccess::stubRoutine):
8118 (JSC::PutByIdAccess::customSetter):
8119
8120 2014-04-08 Filip Pizlo <fpizlo@apple.com>
8121
8122 Fail silently if the LLVM dylib isn't found
8123 https://bugs.webkit.org/show_bug.cgi?id=131385
8124
8125 Reviewed by Mark Hahnenberg.
8126
8127 * dfg/DFGPlan.cpp:
8128 (JSC::DFG::Plan::compileInThreadImpl):
8129 * llvm/InitializeLLVM.cpp:
8130 (JSC::initializeLLVM):
8131 * llvm/InitializeLLVM.h:
8132 * llvm/InitializeLLVMPOSIX.cpp:
8133 (JSC::initializeLLVMPOSIX):
8134
8135 2014-04-07 Filip Pizlo <fpizlo@apple.com>
8136
8137 Repatch should support setters and plant calls to them directly
8138 https://bugs.webkit.org/show_bug.cgi?id=130750
8139
8140 Reviewed by Geoffrey Garen.
8141
8142 All of the infrastructure was in place so this just enables setter optimization.
8143
8144 This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
8145
8146 * bytecode/PolymorphicPutByIdList.cpp:
8147 (JSC::PutByIdAccess::visitWeak):
8148 * bytecode/PolymorphicPutByIdList.h:
8149 (JSC::PutByIdAccess::setter):
8150 (JSC::PutByIdAccess::customSetter): Deleted.
8151 * bytecode/PutByIdStatus.cpp:
8152 (JSC::PutByIdStatus::computeForStubInfo):
8153 * jit/Repatch.cpp:
8154 (JSC::toString):
8155 (JSC::kindFor):
8156 (JSC::customFor):
8157 (JSC::generateByIdStub):
8158 (JSC::tryCachePutByID):
8159 (JSC::tryBuildPutByIdList):
8160 * runtime/JSObject.cpp:
8161 (JSC::JSObject::put):
8162 * runtime/Lookup.h:
8163 (JSC::putEntry):
8164 * runtime/PutPropertySlot.h:
8165 (JSC::PutPropertySlot::setCacheableSetter):
8166 (JSC::PutPropertySlot::isCacheableSetter):
8167 (JSC::PutPropertySlot::isCacheableCustom):
8168 (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
8169 (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
8170 * tests/stress/setter.js: Added.
8171 (foo):
8172
8173 2014-04-07 Filip Pizlo <fpizlo@apple.com>
8174
8175 Setters are just getters that take an extra argument and don't return a value
8176 https://bugs.webkit.org/show_bug.cgi?id=131336
8177
8178 Reviewed by Geoffrey Garen.
8179
8180 Other than that, they're totally the same thing.
8181
8182 This isn't as dumb as it sounds.
8183
8184 Most of the work in calling an accessor has to do with emitting the necessary checks for
8185 figuring out whether we're calling the accessor we expected, followed by the boilerplate
8186 needed for setting up a call inside of a stub. It makes sense for the code to be totally
8187 common.
8188
8189 * jit/AssemblyHelpers.h:
8190 (JSC::AssemblyHelpers::storeValue):
8191 (JSC::AssemblyHelpers::moveTrustedValue):
8192 * jit/CCallHelpers.h:
8193 (JSC::CCallHelpers::setupResults):
8194 * jit/Repatch.cpp:
8195 (JSC::kindFor):
8196 (JSC::customFor):
8197 (JSC::generateByIdStub):
8198 (JSC::tryCacheGetByID):
8199 (JSC::tryBuildGetByIDList):
8200 (JSC::tryCachePutByID):
8201 (JSC::tryBuildPutByIdList):
8202 (JSC::generateGetByIdStub): Deleted.
8203 (JSC::emitCustomSetterStub): Deleted.
8204 * runtime/JSCJSValue.h:
8205 (JSC::JSValue::asValue):
8206 * runtime/PutPropertySlot.h:
8207 (JSC::PutPropertySlot::cachedOffset):
8208
8209 2014-04-07 Joseph Pecoraro <pecoraro@apple.com>
8210
8211 Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
8212 https://bugs.webkit.org/show_bug.cgi?id=131321
8213
8214 Reviewed by Mark Rowe.
8215
8216 * inspector/remote/RemoteInspector.mm:
8217 (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
8218 Avoid attempting to take the same lock twice. Move the received message
8219 lock grab after the WIRPermissionDenied branch, which takes the lock
8220 inside RemoteInspector::stop.
8221
8222 2014-04-07 Filip Pizlo <fpizlo@apple.com>
8223
8224 Make it possible to disable some of the FTL's more interesting features
8225 https://bugs.webkit.org/show_bug.cgi?id=131312
8226
8227 Reviewed by Mark Hahnenberg.
8228
8229 * dfg/DFGByteCodeParser.cpp:
8230 (JSC::DFG::ByteCodeParser::handleGetById):
8231 (JSC::DFG::ByteCodeParser::handlePutById):
8232 (JSC::DFG::ByteCodeParser::parse):
8233 * runtime/Options.h:
8234
8235 2014-04-04 Mark Lam <mark.lam@apple.com>
8236
8237 Date object needs to check for ES5 15.9.1.14 TimeClip limit.
8238 <https://webkit.org/b/131248>
8239
8240 Reviewed by Mark Hahnenberg.
8241
8242 The current Date object code does not adequately check for the ES5
8243 15.9.1.14 TimeClip limit. As a result, some calculations can underflow
8244 / overflow and produce unexpected results.
8245
8246 For example, we were getting an assertion failure in
8247 WTF::equivalentYearForDST() due to int underflows in this function, which
8248 in turn were due to an int overflow in WTF::msToYear().
8249
8250 This patch adds the needed checks, and adds some assertions to ensure
8251 that the used values are sane.
8252
8253 The changes have no noticeable impact on benchmark results.
8254
8255 * runtime/DateConstructor.cpp:
8256 (JSC::callDate):
8257 * runtime/JSDateMath.cpp:
8258 (JSC::localTimeOffset):
8259 (JSC::gregorianDateTimeToMS):
8260 (JSC::msToGregorianDateTime):
8261 (JSC::parseDateFromNullTerminatedCharacters):
8262 (JSC::parseDate):
8263 * runtime/JSDateMath.h:
8264 - parseDateFromNullTerminatedCharacters() does not need to be public.
8265 Made it a static function.
8266 * runtime/VM.cpp:
8267 (JSC::VM::resetDateCache):
8268 - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
8269 to be consistent with other Date code.
8270
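As an added illustration of the limit the entry above refers to (this is example code, not JSC's or WTF's own implementation), `timeClip` below follows ES5 15.9.1.14 exactly, and `yearFromClippedMS` / `yearOrInvalid` are hypothetical stand-ins for the kind of double-to-int conversion that overflowed in `WTF::msToYear()`: they only convert after the time value has been clipped to the spec's +/-8.64e15 ms range, so the conversion is always in bounds.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// ES5 15.9.1.14: a Date time value is limited to +/-8.64e15 ms, i.e. 100
// million days either side of the epoch. Anything outside that is NaN.
constexpr double maxECMAScriptTime = 8.64e15;

// TimeClip(time) as specified: NaN for non-finite or out-of-range input,
// otherwise ToInteger (truncate toward zero; the "+ 0.0" turns -0 into +0).
double timeClip(double t)
{
    if (!std::isfinite(t) || std::fabs(t) > maxECMAScriptTime)
        return std::numeric_limits<double>::quiet_NaN();
    return std::trunc(t) + 0.0;
}

// Hypothetical helper, not WTF::msToYear: a first-approximation calendar
// year from a time value. It converts double to int only after timeClip has
// bounded the magnitude to 1e8 days, so the conversion cannot overflow.
// Converting an unbounded double (say 1e300 ms) to int is undefined
// behaviour in C++, which is the bug class the entry above describes.
bool yearFromClippedMS(double ms, int& year)
{
    const double clipped = timeClip(ms);
    if (std::isnan(clipped))
        return false;                       // caller treats this as Invalid Date
    constexpr double msPerDay = 86400000.0;
    constexpr double daysPerYear = 365.2425;
    const double days = std::floor(clipped / msPerDay);   // |days| <= 1e8
    year = 1970 + static_cast<int>(std::floor(days / daysPerYear));
    return true;
}

// Convenience for callers that prefer a sentinel: INT_MIN means Invalid Date.
int yearOrInvalid(double ms)
{
    int year = 0;
    return yearFromClippedMS(ms, year) ? year : std::numeric_limits<int>::min();
}

int main()
{
    // Constructed sample inputs: epoch, both spec limits, one past the limit,
    // and a value that would be far out of int range if converted directly.
    const double samples[] = { 0.0, 8.64e15, -8.64e15, 8.64e15 + 1, 1e300 };
    for (double ms : samples) {
        int year = 0;
        if (yearFromClippedMS(ms, year))
            std::printf("%.17g ms -> year %d\n", ms, year);
        else
            std::printf("%.17g ms -> Invalid Date (rejected by TimeClip)\n", ms);
    }
    return 0;
}
```

The two limit values map to the years 275760 and -271821, which are the familiar bounds of a JavaScript Date; the check that matters for robustness is the one on the NaN path, since it is what keeps an out-of-range double from ever reaching an integer conversion.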
8271 2014-04-06 Csaba Osztrogonác <ossy@webkit.org>
8272
8273 Unreviewed speculative 32-bit buildfix after r166837.
8274
8275 * heap/Heap.cpp:
8276 (JSC::Heap::updateObjectCounts):
8277
8278 2014-04-06 Dan Bernstein <mitz@apple.com>
8279
8280 32-bit build fix.
8281
8282 * runtime/JSGlobalObject.cpp:
8283 (JSC::JSGlobalObject::setInputCursor):
8284
8285 2014-04-04 Brian J. Burg <burg@cs.washington.edu>
8286
8287 Enable WEB_REPLAY for PLATFORM(MAC)
8288 https://bugs.webkit.org/show_bug.cgi?id=130700
8289
8290 Reviewed by Timothy Hatcher.
8291
8292 * Configurations/FeatureDefines.xcconfig:
8293
8294 2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
8295
8296 Add missing files from r166837
8297
8298 * heap/GCLogging.cpp: Added.
8299 (JSC::GCLogging::levelAsString):
8300 (JSC::LoggingFunctor::LoggingFunctor):
8301 (JSC::LoggingFunctor::~LoggingFunctor):
8302 (JSC::LoggingFunctor::operator()):
8303 (JSC::LoggingFunctor::log):
8304 (JSC::LoggingFunctor::reviveCells):
8305 (JSC::LoggingFunctor::returnValue):
8306 (JSC::GCLogging::dumpObjectGraph):
8307 * heap/GCLogging.h: Added.
8308
8309 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
8310
8311 Enhanced GC logging
8312 https://bugs.webkit.org/show_bug.cgi?id=131246
8313
8314 Reviewed by Geoff Garen.
8315
8316 Getting data on the state of the JSC Heap at runtime is currently in a sad state.
8317 The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
8318 recompile to turn it on. It would be nice if we could runtime enable our GC logging
8319 infrastructure while incurring minimal cost when it is disabled.
8320
8321 It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
8322 provides us with the discovered roots along with parent-child relationships as objects
8323 are scanned. However, once an object is scanned it will never be declared as the child
8324 of another object during that collection. This gives us a tree-like view of the
8325 Heap (i.e. each scanned node only reports having a single parent), where the actual
8326 Heap can be an arbitrary graph.
8327
8328 This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances
8329 our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
8330 logging levels. None means no logging is done, Basic is what logGC() = true would have done
8331 prior to this patch, and Verbose logs all object relationships.
8332
8333 JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
8334 subclasses to override the default string representation that will be dumped. These
8335 methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
8336 the logging infrastructure in our compilers.
8337
8338 This patch also adds a GCLogging class that handles dumping the relationships between objects.
8339 It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
8340 children of each live cell at the end of garbage collection.
8341
8342 This change meets our goal of being neutral on the benchmarks we track.
8343
8344 * JavaScriptCore.xcodeproj/project.pbxproj:
8345 * heap/GCLogging.cpp: Added.
8346 (JSC::GCLogging::levelAsString):
8347 (JSC::LoggingFunctor::LoggingFunctor):
8348 (JSC::LoggingFunctor::operator()):
8349 (JSC::LoggingFunctor::log):
8350 (JSC::LoggingFunctor::reviveCells):
8351 (JSC::LoggingFunctor::returnValue):
8352 (JSC::GCLogging::dumpObjectGraph):
8353 * heap/GCLogging.h: Added.
8354 * heap/GCSegmentedArray.h:
8355 (JSC::GCSegmentedArray::begin):
8356 (JSC::GCSegmentedArray::end):
8357 * heap/Heap.cpp:
8358 (JSC::Heap::markRoots):
8359 (JSC::Heap::visitSmallStrings):
8360 (JSC::Heap::visitConservativeRoots):
8361 (JSC::Heap::visitCompilerWorklists):
8362 (JSC::Heap::visitProtectedObjects):
8363 (JSC::Heap::visitTempSortVectors):
8364 (JSC::Heap::visitArgumentBuffers):
8365 (JSC::Heap::visitException):
8366 (JSC::Heap::visitStrongHandles):
8367 (JSC::Heap::visitHandleStack):
8368 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
8369 (JSC::Heap::visitWeakHandles):
8370 (JSC::Heap::updateObjectCounts):
8371 (JSC::Heap::collect):
8372 (JSC::Heap::didFinishCollection):
8373 * heap/Heap.h:
8374 * heap/MarkStack.h:
8375 * heap/SlotVisitor.cpp:
8376 (JSC::SlotVisitor::dump):
8377 * heap/SlotVisitor.h:
8378 (JSC::SlotVisitor::markStack):
8379 * heap/SlotVisitorInlines.h:
8380 (JSC::SlotVisitor::internalAppend):
8381 * runtime/ClassInfo.h:
8382 * runtime/JSCell.cpp:
8383 (JSC::JSCell::dump):
8384 (JSC::JSCell::dumpToStream):
8385 (JSC::JSCell::className):
8386 * runtime/JSCell.h:
8387 * runtime/JSCellInlines.h:
8388 (JSC::JSCell::visitChildren):
8389 * runtime/JSString.cpp:
8390 (JSC::JSString::dumpToStream):
8391 (JSC::JSString::visitChildren):
8392 * runtime/JSString.h:
8393 (JSC::JSString::length):
8394 (JSC::JSRopeString::RopeBuilder::length):
8395 * runtime/Options.cpp:
8396 (JSC::parse):
8397 (JSC::Options::setOption):
8398 (JSC::Options::dumpOption):
8399 * runtime/Options.h:
8400
8401 2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
8402
8403 Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
8404 https://bugs.webkit.org/show_bug.cgi?id=131251
8405
8406 Reviewed by Geoffrey Garen.
8407
8408 * API/JSVirtualMachine.mm:
8409 (scanExternalObjectGraph):
8410 * API/tests/testapi.mm:
8411
8412 2014-04-03 Brian J. Burg <burg@cs.washington.edu>
8413
8414 Web Inspector: hook up probe samples to TimelineAgent's records
8415 https://bugs.webkit.org/show_bug.cgi?id=131127
8416
8417 Reviewed by Timothy Hatcher.
8418
8419 * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.
8420
8421 2014-04-04 Commit Queue <commit-queue@webkit.org>
8422
8423 Unreviewed, rolling out r166820.
8424 https://bugs.webkit.org/show_bug.cgi?id=131256
8425
8426 Broke builds. (Requested by bdash on #webkit).
8427
8428 Reverted changeset:
8429
8430 "WIP for inlining C++. Added a build target to produce llvm
8431 ir."
8432 https://bugs.webkit.org/show_bug.cgi?id=130523
8433 http://trac.webkit.org/changeset/166820
8434
8435 2014-04-04 Matthew Mirman <mmirman@apple.com>
8436
8437 WIP for inlining C++. Added a build target to produce llvm ir.
8438 https://bugs.webkit.org/show_bug.cgi?id=130523
8439
8440 Reviewed by Filip Pizlo.
8441
8442 The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o
8443
8444 * JavaScriptCore.xcodeproj/project.pbxproj:
8445 * build_index.py: Added.
8446 * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.
8447
8448 2014-04-04 Joseph Pecoraro <pecoraro@apple.com>
8449
8450 Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
8451 https://bugs.webkit.org/show_bug.cgi?id=131241
8452
8453 Reviewed by Timothy Hatcher.
8454
8455 * inspector/JSGlobalObjectInspectorController.cpp:
8456 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
8457 Log the exception to the system console if system console output is enabled.
8458
8459 2014-04-04 Joseph Pecoraro <pecoraro@apple.com>
8460
8461 Web Inspector: Provide a way for JSContext console to log to system console
8462 https://bugs.webkit.org/show_bug.cgi?id=131050
8463
8464 Reviewed by Timothy Hatcher.
8465
8466 Applications often re-expose some log -> NSLog functionality.
8467 We already have the capability ourselves, which includes extra
8468 information such as sourceURL:line:column, all arguments instead
8469 of just one argument, and backtrace information on console.trace.
8470 Therefore it would be convenient if developers could just use
8471 the built-in console.log and get rich output in both the inspector
8472 and the console, without writing their own logger.
8473
8474 The logging will be enabled in debug builds by default, and can be enabled
8475 otherwise by setting a user default before creating the first context.
8476
8477 For example, in the application itself:
8478
8479 [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];
8480
8481 Or from outside the application:
8482
8483 shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES
8484
8485 * inspector/JSConsoleClient.h:
8486 * inspector/JSConsoleClient.cpp:
8487 (Inspector::JSConsoleClient::logToSystemConsole):
8488 (Inspector::JSConsoleClient::setLogToSystemConsole):
8489 (Inspector::JSConsoleClient::initializeLogToSystemConsole):
8490 (Inspector::JSConsoleClient::JSConsoleClient):
8491 Global setting for logging to system console. Enabled on
8492 debug builds, and by a user default on supported platforms.
8493
8494 (Inspector::JSConsoleClient::messageWithTypeAndLevel):
8495 Log to system console when the static setting is enabled.
8496
8497 * runtime/ConsoleClient.h:
8498 * runtime/ConsoleClient.cpp:
8499 (JSC::appendURLAndPosition):
8500 (JSC::appendMessagePrefix):
8501 (JSC::ConsoleClient::printConsoleMessage):
8502 (JSC::ConsoleClient::printConsoleMessageWithArguments):
8503 Clean up printing. Build strings and use WTFLogAlways instead of printf
8504 for consistent logging.
8505
8506 * runtime/ConsoleClient.cpp:
8507 (JSC::ConsoleClient::printConsoleMessageWithArguments):
8508 Clean up printing. If there is no source URL, don't print a leading colon.
8509
8510 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
8511
8512 Use JSCell::indexingType instead of Structure::indexingType wherever possible
8513 https://bugs.webkit.org/show_bug.cgi?id=131230
8514
8515 Reviewed by Mark Lam.
8516
8517 Avoid the indirection through the Structure.
8518
8519 * bytecode/ArrayAllocationProfile.cpp:
8520 (JSC::ArrayAllocationProfile::updateIndexingType):
8521 * bytecode/ArrayAllocationProfile.h:
8522 (JSC::ArrayAllocationProfile::selectIndexingType):
8523 * heap/HeapStatistics.cpp:
8524 (JSC::StorageStatistics::operator()):
8525 * runtime/ArrayPrototype.cpp:
8526 (JSC::attemptFastSort):
8527 * runtime/JSGlobalObject.cpp:
8528 (JSC::JSGlobalObject::objectPrototypeIsSane):
8529 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
8530 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
8531 * runtime/JSPropertyNameIterator.cpp:
8532 (JSC::JSPropertyNameIterator::create):
8533
8534 2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
8535
8536 Use JSCell::type instead of TypeInfo::type wherever possible
8537 https://bugs.webkit.org/show_bug.cgi?id=131229
8538
8539 Reviewed by Michael Saboff.
8540
8541 Avoid going through the Structure and reifying the TypeInfo.
8542
8543 * runtime/Executable.h:
8544 (JSC::ExecutableBase::isEvalExecutable):
8545 (JSC::ExecutableBase::isProgramExecutable):
8546
8547 2014-04-03 Andreas Kling <akling@apple.com>
8548
8549 Fast-path for casting JS wrappers to JSNode.
8550 <https://webkit.org/b/131196>
8551
8552 Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
8553 a little bit. We do this by exposing a LastJSCObjectType constant so
8554 WebCore can encode its own wrapper types after that.
8555
8556 Reviewed by Mark Hahnenberg and Geoff Garen.
8557
8558 * runtime/JSType.h:
8559
8560 Added LastJSCObjectType for use by WebCore.
8561
8562 * runtime/JSObject.h:
8563 (JSC::JSObject::isVariableObject):
8564
8565 Updated since this can no longer assume that types >= VariableObjectType
8566 are all variable objects.
8567
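To make the isVariableObject point above concrete, here is an added example (not JSC's or WebCore's code) with a hypothetical type-tag enum that is much smaller than the real JSType. It shows why an open-ended `type >= VariableObjectType` check becomes a type confusion once an embedder is allowed to append its own wrapper types after a `LastJSCObjectType` sentinel, and what the bounded check looks like.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical type-tag layout, modelled on the idea in the entry above; the
// real JSType enum has many more members and different values. What matters
// is the sentinel: JSC reserves everything up to LastJSCObjectType, and an
// embedder (WebCore in the entry) encodes its own wrapper types after it.
enum JSType : uint8_t {
    CellType,
    StringType,
    ObjectType,
    FunctionType,
    VariableObjectType,                 // first "variable object" kind
    GlobalObjectType,                   // last "variable object" kind
    LastJSCObjectType = GlobalObjectType,
    EmbedderNodeType = LastJSCObjectType + 1,   // e.g. a DOM node wrapper
    EmbedderElementType,
};

// Before the change: an open-ended check. Once embedder types sit above the
// JSC range, every one of them satisfies this and would be treated (and
// cast) as a variable object, i.e. a type confusion.
bool isVariableObjectOpenEnded(JSType t) { return t >= VariableObjectType; }

// After the change: the range is bounded at both ends by JSC's own sentinel.
bool isVariableObjectBounded(JSType t)
{
    return t >= VariableObjectType && t <= LastJSCObjectType;
}

// The embedder's fast path: anything above the sentinel is its own wrapper.
bool isEmbedderWrapperType(JSType t) { return t > LastJSCObjectType; }

int main()
{
    const JSType samples[] = { StringType, GlobalObjectType, EmbedderNodeType };
    for (JSType t : samples) {
        std::printf("type %u: open-ended=%d bounded=%d embedder=%d\n",
            static_cast<unsigned>(t), isVariableObjectOpenEnded(t),
            isVariableObjectBounded(t), isEmbedderWrapperType(t));
    }
    return 0;
}
```

The general lesson is that any range test on a type tag must be closed on both sides whenever another component can extend the enum; a sentinel like `LastJSCObjectType` is what makes that upper bound expressible without hard-coding a specific last member.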
8568 2014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>
8569
8570 All Heap::writeBarriers should be inline
8571 https://bugs.webkit.org/show_bug.cgi?id=131197
8572
8573 Reviewed by Mark Lam.
8574
8575 One is in JSCellInlines.h, another is in Heap.cpp. These are all critical
8576 enough and small enough to belong in HeapInlines.h. Also added the proper
8577 ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.
8578
8579 * heap/Heap.cpp:
8580 (JSC::Heap::writeBarrier): Deleted.
8581 * heap/Heap.h:
8582 * heap/HeapInlines.h:
8583 (JSC::Heap::writeBarrier):
8584 * runtime/JSCellInlines.h:
8585 (JSC::Heap::writeBarrier): Deleted.
8586
8587 2014-04-03 Joseph Pecoraro <pecoraro@apple.com>
8588
8589 Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
8590 https://bugs.webkit.org/show_bug.cgi?id=131186
8591
8592 Reviewed by Geoffrey Garen.
8593
8594 * API/JSContextPrivate.h:
8595 * API/JSContext.mm:
8596 (-[JSContext _includesNativeCallStackWhenReportingExceptions]):
8597 (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
8598 JSContext ObjC SPI to opt-out of including native call stacks in exceptions.
8599
8600 * API/JSContextRefPrivate.h:
8601 * API/JSContextRef.cpp:
8602 (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
8603 (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
8604 JSContext C SPI to opt-out of including native call stacks in exceptions.
8605
8606 * inspector/JSGlobalObjectInspectorController.h:
8607 * inspector/JSGlobalObjectInspectorController.cpp:
8608 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
8609 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
8610 Only include the native call stack if the setting is enabled. It is enabled by default.
8611
8612 2014-04-03 Mark Lam <mark.lam@apple.com>
8613
8614 Fix bit rot in ARMv7 JIT probe mechanism.
8615 <https://webkit.org/b/131167>
8616
8617 Reviewed by Geoffrey Garen.
8618
8619 1. The macro assembler does not support pushing the SP register. Worked
8620 around this by pushing the LR register as a placeholder, and then
8621 writing the original SP value to that slot.
8622 2. The CPUState field in the ProbeContext needs to be aligned on a 4
8623 byte boundary, not an 8 byte boundary.
8624
8625 * assembler/MacroAssemblerARMv7.cpp:
8626 (JSC::MacroAssemblerARMv7::probe):
8627 * jit/JITStubsARMv7.h:
8628
8629 2014-04-02 Mark Lam <mark.lam@apple.com>
8630
8631 ARMv7 compare32() should not use TST to do CMP's job.
8632 <https://webkit.org/b/131146>
8633
8634 Reviewed by Geoffrey Garen.
8635
8636 The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
8637 was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
8638 instruction doesn't set the Overflow (V) flag and this results in random
8639 results depending on whether there was a preceding instruction that did set
8640 the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
8641 with a lot of OSR exits where not expected as well as producing wrong results.
8642
8643 The fix is to use "cmp reg, #0" to do the job properly.
8644
8645 * assembler/MacroAssemblerARMv7.h:
8646 (JSC::MacroAssemblerARMv7::compare32):
8647
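The flag behaviour described in the entry above can be simulated without an ARM board. The following is an added example (a model, not JSC's assembler code): it computes the N, Z, C, V flags that `CMP reg, #0` and `TST reg, reg` produce, then evaluates the signed condition codes the JIT would branch on. Because TST leaves V untouched, a stale V from an earlier instruction flips the verdict of `lt`/`ge`/`gt`/`le`, which is exactly the "random results" the entry reports.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical model of the four ARM condition flags; not JSC code.
struct Flags {
    bool n, z, c, v;
};

// CMP reg, #0 computes reg - 0 and sets all four flags. Subtracting zero can
// neither borrow (C = 1) nor overflow (V = 0), so the result is independent
// of whatever the previous instruction left in the flags.
Flags cmpZero(int32_t reg, Flags /*previous*/)
{
    return { reg < 0, reg == 0, true, false };
}

// TST reg, reg computes reg & reg and updates only N and Z (C comes from the
// shifter and is unchanged for a plain register operand). V is left exactly
// as the preceding instruction set it.
Flags tstSelf(int32_t reg, Flags previous)
{
    const int32_t result = reg & reg;
    return { result < 0, result == 0, previous.c, previous.v };
}

// Signed condition codes as the JIT would consume them after compare32.
bool lt(Flags f) { return f.n != f.v; }
bool ge(Flags f) { return f.n == f.v; }
bool gt(Flags f) { return !f.z && f.n == f.v; }
bool le(Flags f) { return f.z || f.n != f.v; }

// Emulates "reg < 0" via the chosen instruction, starting from the flags a
// preceding instruction left behind, and returns the condition-code verdict.
bool lessThanZeroVia(bool useTst, int32_t reg, Flags previous)
{
    return lt(useTst ? tstSelf(reg, previous) : cmpZero(reg, previous));
}

int main()
{
    // Constructed starting states: V=1 as an earlier ADDS/SUBS might leave it,
    // and a clean state where TST happens to give the right answer.
    const Flags staleOverflow = { false, false, false, true };
    const Flags clean = { false, false, false, false };
    const int32_t regs[] = { -5, 0, 7 };
    for (int32_t reg : regs) {
        std::printf("reg=%d: cmp -> lt=%d, tst(clean V) -> lt=%d, tst(stale V) -> lt=%d\n",
            reg, lessThanZeroVia(false, reg, staleOverflow),
            lessThanZeroVia(true, reg, clean),
            lessThanZeroVia(true, reg, staleOverflow));
    }
    return 0;
}
```

With V stale, `tstSelf(7, ...)` reports 7 < 0 as true and `tstSelf(-5, ...)` reports -5 < 0 as false; `cmpZero` gives the right answer in both states. Only `eq`/`ne` (which read Z alone) are safe after TST, which is why a zero test written with TST looks fine until a signed branch consumes the flags.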
8648 2014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>
8649
8650 CodeBlockSet should be generational
8651 https://bugs.webkit.org/show_bug.cgi?id=127152
8652
8653 Reviewed by Geoffrey Garen.
8654
8655 During EdenCollections we now only visit those CodeBlocks that:
8656 a) Are new since the last collection if they were somehow otherwise reachable.
8657 b) Are reachable from an Executable that is part of the remembered set.
8658
8659 * bytecode/CodeBlock.cpp:
8660 (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
8661 (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
8662 shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
8663 * bytecode/CodeBlock.h:
8664 (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
8665 We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
8666 (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
8667 (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
8668 * heap/CodeBlockSet.cpp:
8669 (JSC::CodeBlockSet::~CodeBlockSet):
8670 (JSC::CodeBlockSet::add):
8671 (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
8672 the set of old CodeBlocks.
8673 (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
8674 (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
8675 remembered set. When an Executable is added to the remembered set it's typically because we need to do something
8676 with its CodeBlock.
8677 (JSC::CodeBlockSet::clearMarks):
8678 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
8679 to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
8680 (JSC::CodeBlockSet::remove):
8681 (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
8682 (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
8683 CodeBlocks because we no longer always do this at the beginning of EdenCollections.
8684 * heap/CodeBlockSet.h:
8685 (JSC::CodeBlockSet::iterate):
8686 * heap/Heap.cpp:
8687 (JSC::Heap::markRoots):
8688 (JSC::Heap::deleteAllCompiledCode):
8689 (JSC::Heap::deleteUnmarkedCompiledCode):
8690 * runtime/Executable.cpp:
8691 (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
8692 a) A CodeBlock is created and is compiled on a DFG worker thread.
8693 b) No GC happens.
8694 c) The CodeBlock has finished being compiled and is installed in the Executable.
8695 d) The function never executes before the next GC.
8696 e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
8697 it's added to the remembered set.
8698
8699 2014-04-02 Mark Lam <mark.lam@apple.com>
8700
8701 Added some more dataLog info for OSR exits.
8702 <https://webkit.org/b/131120>
8703
8704 Reviewed by Michael Saboff.
8705
8706 Adding info about the OSR exit index, the bytecode index of the bytecode
8707 that is OSR exiting, and the reason for the OSR exit. This change is
8708 for debugging code which only comes into play when we use the
8709 --printEachOSRExit option.
8710
8711 * dfg/DFGOSRExit.h:
8712 * dfg/DFGOSRExitCompiler32_64.cpp:
8713 (JSC::DFG::OSRExitCompiler::compileExit):
8714 * dfg/DFGOSRExitCompiler64.cpp:
8715 (JSC::DFG::OSRExitCompiler::compileExit):
8716 * dfg/DFGOperations.cpp:
8717
8718 2014-04-02 Martin Robinson <mrobinson@igalia.com>
8719
8720 REGRESSION(r165704): [GTK] Inspector resources not correctly generated
8721 https://bugs.webkit.org/show_bug.cgi?id=130343
8722
8723 Reviewed by Gustavo Noronha Silva.
8724
8725 * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
8726 in which it should be distributed. This allows us to more easily package it for GTK+.
8727
8728 2014-04-01 Timothy Hatcher <timothy@apple.com>
8729
8730 Remove HeapProfiler from the Web Inspector protocol.
8731
8732 https://bugs.webkit.org/show_bug.cgi?id=131070
8733
8734 Reviewed by Joseph Pecoraro.
8735
8736 * inspector/agents/InspectorConsoleAgent.h:
8737 * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
8738 (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
8739 * inspector/agents/JSGlobalObjectConsoleAgent.h:
8740 * inspector/protocol/Console.json:
8741
8742 2014-03-31 Simon Fraser <simon.fraser@apple.com>
8743
8744 Enable WEB_TIMING on Mac and iOS
8745 https://bugs.webkit.org/show_bug.cgi?id=128064
8746
8747 Reviewed by Sam Weinig, Brent Fulgham.
8748
8749 Enable WEB_TIMING.
8750
8751 * Configurations/FeatureDefines.xcconfig:
8752
8753 2014-03-31 Michael Saboff <msaboff@apple.com>
8754
8755 REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
8756 https://bugs.webkit.org/show_bug.cgi?id=130992
8757
8758 Reviewed by Mark Hahnenberg.
8759
8760 Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.
8761
8762 * API/JSObjectRef.cpp:
8763 (JSObjectGetPrivate):
8764 (JSObjectSetPrivate):
8765 * API/tests/testapi.c:
8766 (main): Added new test case to validate we are properly forwarding.
8767
8768 2014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>
8769
8770 Improve GC_LOGGING
8771 https://bugs.webkit.org/show_bug.cgi?id=130988
8772
8773 Reviewed by Geoffrey Garen.
8774
8775 GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
8776 but it doesn't distinguish between Eden and Full collections in the data it gathers. This
8777 patch updates it so that it can. It also adds the process ID to the beginning of each line
8778 of input to be able to distinguish between the output of multiple processes exiting at the
8779 same time.
8780
8781 * heap/Heap.cpp:
8782 (JSC::Heap::collect):
8783
8784 2014-03-31 Dean Jackson <dino@apple.com>
8785
8786 Remove WEB_ANIMATIONS
8787 https://bugs.webkit.org/show_bug.cgi?id=130989
8788
8789 Reviewed by Simon Fraser.
8790
8791 Remove this feature flag until we plan to implement.
8792
8793 * Configurations/FeatureDefines.xcconfig:
8794
8795 2014-03-31 Filip Pizlo <fpizlo@apple.com>
8796
8797 More validation for FTL inline caches
8798 https://bugs.webkit.org/show_bug.cgi?id=130948
8799
8800 Reviewed by Geoffrey Garen.
8801
8802 * dfg/DFGByteCodeParser.cpp:
8803 (JSC::DFG::ByteCodeParser::handleGetById):
8804 (JSC::DFG::ByteCodeParser::handlePutById):
8805 * runtime/Options.h:
8806
8807 2014-03-31 Filip Pizlo <fpizlo@apple.com>
8808
8809 LLVM IR for store barriers should be nicely arranged and they don't need exception checks
8810 https://bugs.webkit.org/show_bug.cgi?id=130950
8811
8812 Reviewed by Mark Hahnenberg.
8813
8814 * ftl/FTLLowerDFGToLLVM.cpp:
8815 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
8816
8817 2014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
8818
8819 [CMake] Stop checking for WTF_USE_ICU_UNICODE.
8820 https://bugs.webkit.org/show_bug.cgi?id=130965
8821
8822 Reviewed by Martin Robinson.
8823
8824 This is somewhat of a follow-up to r162782, which got rid of
8825 WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
8826 CMakeLists.txt. This meant the includes and libraries were not
8827 being properly included since then.
8828
8829 * CMakeLists.txt:
8830
8831 2014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
8832
8833 Remove hostThisRegister() and hostThisValue()
8834 https://bugs.webkit.org/show_bug.cgi?id=130895
8835
8836 Reviewed by Geoffrey Garen.
8837
8838 Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.
8839
8840 * API/APICallbackFunction.h:
8841 (JSC::APICallbackFunction::call):
8842 * API/JSCallbackObjectFunctions.h:
8843 (JSC::JSCallbackObject<Parent>::call):
8844 * dfg/DFGOSREntry.cpp:
8845 (JSC::DFG::prepareOSREntry):
8846 * inspector/JSInjectedScriptHostPrototype.cpp:
8847 (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
8848 (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
8849 (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
8850 (Inspector::jsInjectedScriptHostPrototypeFunctionType):
8851 (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
8852 (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
8853 * inspector/JSJavaScriptCallFramePrototype.cpp:
8854 (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
8855 (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
8856 (Inspector::jsJavaScriptCallFrameAttributeCaller):
8857 (Inspector::jsJavaScriptCallFrameAttributeSourceID):
8858 (Inspector::jsJavaScriptCallFrameAttributeLine):
8859 (Inspector::jsJavaScriptCallFrameAttributeColumn):
8860 (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
8861 (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
8862 (Inspector::jsJavaScriptCallFrameAttributeThisObject):
8863 (Inspector::jsJavaScriptCallFrameAttributeType):
8864 * interpreter/CallFrame.h:
8865 (JSC::ExecState::hostThisRegister): Deleted.
8866 (JSC::ExecState::hostThisValue): Deleted.
8867 * runtime/Arguments.cpp:
8868 (JSC::argumentsFuncIterator):
8869 * runtime/ArrayPrototype.cpp:
8870 (JSC::arrayProtoFuncToString):
8871 (JSC::arrayProtoFuncToLocaleString):
8872 (JSC::arrayProtoFuncJoin):
8873 (JSC::arrayProtoFuncConcat):
8874 (JSC::arrayProtoFuncPop):
8875 (JSC::arrayProtoFuncPush):
8876 (JSC::arrayProtoFuncReverse):
8877 (JSC::arrayProtoFuncShift):
8878 (JSC::arrayProtoFuncSlice):
8879 (JSC::arrayProtoFuncSort):
8880 (JSC::arrayProtoFuncSplice):
8881 (JSC::arrayProtoFuncUnShift):
8882 (JSC::arrayProtoFuncReduce):
8883 (JSC::arrayProtoFuncReduceRight):
8884 (JSC::arrayProtoFuncIndexOf):
8885 (JSC::arrayProtoFuncLastIndexOf):
8886 (JSC::arrayProtoFuncValues):
8887 (JSC::arrayProtoFuncEntries):
8888 (JSC::arrayProtoFuncKeys):
8889 * runtime/BooleanPrototype.cpp:
8890 (JSC::booleanProtoFuncToString):
8891 (JSC::booleanProtoFuncValueOf):
8892 * runtime/ConsolePrototype.cpp:
8893 (JSC::consoleLogWithLevel):
8894 (JSC::consoleProtoFuncClear):
8895 (JSC::consoleProtoFuncDir):
8896 (JSC::consoleProtoFuncDirXML):
8897 (JSC::consoleProtoFuncTable):
8898 (JSC::consoleProtoFuncTrace):
8899 (JSC::consoleProtoFuncAssert):
8900 (JSC::consoleProtoFuncCount):
8901 (JSC::consoleProtoFuncProfile):
8902 (JSC::consoleProtoFuncProfileEnd):
8903 (JSC::consoleProtoFuncTime):
8904 (JSC::consoleProtoFuncTimeEnd):
8905 (JSC::consoleProtoFuncTimeStamp):
8906 (JSC::consoleProtoFuncGroup):
8907 (JSC::consoleProtoFuncGroupCollapsed):
8908 (JSC::consoleProtoFuncGroupEnd):
8909 * runtime/DatePrototype.cpp:
8910 (JSC::formateDateInstance):
8911 (JSC::dateProtoFuncToISOString):
8912 (JSC::dateProtoFuncToLocaleString):
8913 (JSC::dateProtoFuncToLocaleDateString):
8914 (JSC::dateProtoFuncToLocaleTimeString):
8915 (JSC::dateProtoFuncGetTime):
8916 (JSC::dateProtoFuncGetFullYear):
8917 (JSC::dateProtoFuncGetUTCFullYear):
8918 (JSC::dateProtoFuncGetMonth):
8919 (JSC::dateProtoFuncGetUTCMonth):
8920 (JSC::dateProtoFuncGetDate):
8921 (JSC::dateProtoFuncGetUTCDate):
8922 (JSC::dateProtoFuncGetDay):
8923 (JSC::dateProtoFuncGetUTCDay):
8924 (JSC::dateProtoFuncGetHours):
8925 (JSC::dateProtoFuncGetUTCHours):
8926 (JSC::dateProtoFuncGetMinutes):
8927 (JSC::dateProtoFuncGetUTCMinutes):
8928 (JSC::dateProtoFuncGetSeconds):
8929 (JSC::dateProtoFuncGetUTCSeconds):
8930 (JSC::dateProtoFuncGetMilliSeconds):
8931 (JSC::dateProtoFuncGetUTCMilliseconds):
8932 (JSC::dateProtoFuncGetTimezoneOffset):
8933 (JSC::dateProtoFuncSetTime):
8934 (JSC::setNewValueFromTimeArgs):
8935 (JSC::setNewValueFromDateArgs):
8936 (JSC::dateProtoFuncSetYear):
8937 (JSC::dateProtoFuncGetYear):
8938 (JSC::dateProtoFuncToJSON):
8939 * runtime/ErrorPrototype.cpp:
8940 (JSC::errorProtoFuncToString):
8941 * runtime/FunctionPrototype.cpp:
8942 (JSC::functionProtoFuncToString):
(JSC::functionProtoFuncBind):
* runtime/NamePrototype.cpp:
(JSC::privateNameProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncClz):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTest):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoFuncToString):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncReplace):
(JSC::stringProtoFuncToString):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncConcat):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplit):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::stringProtoFuncTrim):
(JSC::stringProtoFuncTrimLeft):
(JSC::stringProtoFuncTrimRight):

2014-03-28 Filip Pizlo <fpizlo@apple.com>

Land the stackmap register liveness glue with the uses of the liveness disabled
https://bugs.webkit.org/show_bug.cgi?id=130924

Reviewed by Oliver Hunt.

Add the liveness and fix other bugs I found.

* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* ftl/FTLCompile.cpp:
(JSC::FTL::usedRegistersFor):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLSlowPathCall.cpp:
* ftl/FTLSlowPathCallKey.cpp:
(JSC::FTL::SlowPathCallKey::dump):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::argumentRegisters):
(JSC::FTL::SlowPathCallKey::withCallTarget):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Record::locationSet):
(JSC::FTL::StackMaps::Record::liveOutsSet):
(JSC::FTL::StackMaps::Record::usedRegisterSet):
* ftl/FTLStackMaps.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::registerClobberCheck):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::stackRegisters):
(JSC::RegisterSet::reservedHardwareRegisters):
(JSC::RegisterSet::runtimeRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::dump):
* jit/RegisterSet.h:
(JSC::RegisterSet::RegisterSet):
(JSC::RegisterSet::setAny):
(JSC::RegisterSet::setMany):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
(JSC::tryRepatchIn):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:

2014-03-28 Mark Lam <mark.lam@apple.com>

mandreel throws a checksum error on 32-bit x86.
<https://webkit.org/b/125706>

Reviewed by Filip Pizlo.

The 32-bit DFG can emit code that loads double constants from its
CodeBlock's m_constantRegisters vector. The emitted instruction will
embed the address of the constant from the vector's backing store.
Subsequently, while inserting new constants, the DFG may resize the
vector, thereby reallocating the backing store. This renders the
previously embedded constant addresses stale.

The fix is to use a dedicated doubles constant pool stored in the DFG
CommonData instead. This constant pool won't be reallocated, and
hence will not manifest this issue.

* dfg/DFGCommonData.h:
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.

2014-03-28 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: console.warn is showing as error instead of warning
https://bugs.webkit.org/show_bug.cgi?id=130921

Reviewed by Timothy Hatcher.

* runtime/ConsolePrototype.cpp:
(JSC::consoleProtoFuncWarn):
console.warn should be MessageLevel Warning, not Error.

2014-03-28 Oliver Hunt <oliver@apple.com>

Fix cloop build.

* bytecode/BytecodeList.json:

2014-03-28 Michael Saboff <msaboff@apple.com>

Unreviewed, rolling r166248 back in.

Turns out r166070 didn't cause a 2% performance loss in page load times

Reverted changeset:

Unreviewed, rolling out r166126.
Rollout r166126 in preparation to roll out prerequisite r166070

2014-03-27 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r166376.
https://bugs.webkit.org/show_bug.cgi?id=130887

This was a misguided optimization. (Requested by kling on
#webkit).

Reverted changeset:

"Avoid fetching JSObject::structure() repeatedly in
putDirectInternal."
https://bugs.webkit.org/show_bug.cgi?id=130857
http://trac.webkit.org/changeset/166376

2014-03-27 Oliver Hunt <oliver@apple.com>

Support spread operand in |new| expressions
https://bugs.webkit.org/show_bug.cgi?id=130877

Reviewed by Michael Saboff.

Add support for the spread operator being applied in
|new| expressions. This required adding support for
a new opcode, op_construct_varargs. This is a relatively
simple refactoring of the call_varargs implementation.

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::unlink):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::callTypeFor):
(JSC::CallLinkInfo::specializationKind):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitConstructVarargs):
(JSC::BytecodeGenerator::emitConstruct):
* bytecompiler/BytecodeGenerator.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
(JSC::JIT::emit_op_construct_varargs):
(JSC::JIT::emitSlow_op_construct_varargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::emitSlow_op_construct_varargs):
(JSC::JIT::emit_op_construct_varargs):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27 Filip Pizlo <fpizlo@apple.com>

Revert http://trac.webkit.org/changeset/166386 because it broke builds.

* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:

2014-03-27 Filip Pizlo <fpizlo@apple.com>

Unreviewed, skip this test for now.

* tests/stress/recurse-infinitely-on-getter.js:

2014-03-27 Filip Pizlo <fpizlo@apple.com>

Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
https://bugs.webkit.org/show_bug.cgi?id=130867
<rdar://problem/16432456>

Reviewed by Mark Hahnenberg.

* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:

2014-03-27 Andreas Kling <akling@apple.com>

Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
<https://webkit.org/b/130857>

Use the cached Structure* instead of re-fetching it over and over since
that's a non-trivial operation these days.

Reviewed by Mark Hahnenberg.

* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):

2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>

Check the remembered set bit faster
https://bugs.webkit.org/show_bug.cgi?id=130860

Reviewed by Oliver Hunt.

Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
that bit is also stored in the object. We should look it up there whenever possible.

* heap/CopiedBlockInlines.h:
(JSC::CopiedBlock::shouldReportLiveBytes):
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
* heap/Heap.h:
* heap/HeapInlines.h: Removed.
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27 Joseph Pecoraro <pecoraro@apple.com>

Web Inspector: Provide SPI to disallow remote inspection of a JSContext
https://bugs.webkit.org/show_bug.cgi?id=130853

Reviewed by Timothy Hatcher.

* API/JSContextPrivate.h: Added.
* API/JSContext.mm:
(-[JSContext _remoteInspectionEnabled]):
(-[JSContext _setRemoteInspectionEnabled:]):
ObjC SPI to enable/disable remote inspection.

* API/JSContextRefPrivate.h:
* API/JSContextRef.cpp:
(JSGlobalContextGetRemoteInspectionEnabled):
(JSGlobalContextSetRemoteInspectionEnabled):
C SPI to enable/disable remote inspection.

* JavaScriptCore.xcodeproj/project.pbxproj:
Add new private header, and export as a private header.

2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>

Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
https://bugs.webkit.org/show_bug.cgi?id=130845

Reviewed by Filip Pizlo.

There was a hack added to make sure C Loop LLInt worked which included overriding the
global Options::useLLInt setting, which makes no sense to do here. We should put the
update of the global setting in Options::recomputeDependentOptions along with the other
execution engine flags.

* runtime/Executable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):

2014-03-26 Filip Pizlo <fpizlo@apple.com>

Enable LLVM stackmap liveOuts computation
https://bugs.webkit.org/show_bug.cgi?id=130821

Reviewed by Andy Estes and Sam Weinig.

* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Record::dump):
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):

2014-03-26 Filip Pizlo <fpizlo@apple.com>

Parse stackmaps liveOuts
https://bugs.webkit.org/show_bug.cgi?id=130801

Reviewed by Geoffrey Garen.

This just adds the code to parse them but doesn't do anything with them, yet.

* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
* ftl/FTLLocation.h:
(JSC::FTL::Location::forRegister):
(JSC::FTL::Location::forIndirect):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Location::dump):
(JSC::FTL::StackMaps::LiveOut::parse):
(JSC::FTL::StackMaps::LiveOut::dump):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::Record::dump):
* ftl/FTLStackMaps.h:

2014-03-26 Mark Lam <mark.lam@apple.com>

Build fix after r166307.

Not reviewed.

* runtime/JSCell.h:
- The inline function isAPIValueWrapper() should not be exported. This
was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26 Filip Pizlo <fpizlo@apple.com>

Reasoning about DWARF register numbers should be moved out of FTL::Location
https://bugs.webkit.org/show_bug.cgi?id=130792

Reviewed by Oliver Hunt.

Moving this code makes it possible for things other than FTL::Location to reason about
DWARF register encoding. This refactoring also appears to reduce some code duplication
and makes FTLLocation.cpp cleaner.

* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLDWARFRegister.cpp: Added.
(JSC::FTL::DWARFRegister::reg):
(JSC::FTL::DWARFRegister::dump):
* ftl/FTLDWARFRegister.h: Added.
(JSC::FTL::DWARFRegister::DWARFRegister):
(JSC::FTL::DWARFRegister::dwarfRegNum):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::dump):
(JSC::FTL::Location::isGPR):
(JSC::FTL::Location::gpr):
(JSC::FTL::Location::isFPR):
(JSC::FTL::Location::fpr):
* ftl/FTLLocation.h:
(JSC::FTL::Location::hasDwarfReg):
(JSC::FTL::Location::dwarfReg):

2014-03-26 Brent Fulgham <bfulgham@apple.com>

Unreviewed build fix.

* runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26 Zoltan Horvath <zoltan@webkit.org>

[CSS Shapes] Remove shape-inside support
https://bugs.webkit.org/show_bug.cgi?id=130698

Reviewed by David Hyatt.

* Configurations/FeatureDefines.xcconfig:

2014-03-26 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>

Rename hasFastArrayStorage to be more appropriate
https://bugs.webkit.org/show_bug.cgi?id=130773

Reviewed by Filip Pizlo.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::alreadyChecked):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNewArray):
(JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
(JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):
* runtime/IndexingHeaderInlines.h:
(JSC::IndexingHeader::preCapacity):
* runtime/IndexingType.h:
(JSC::hasArrayStorage):
(JSC::hasAnyArrayStorage):
(JSC::hasFastArrayStorage): Deleted.
* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSArray.h:
(JSC::JSArray::create):
(JSC::JSArray::tryCreateUninitialized):
* runtime/JSGlobalObject.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
* runtime/JSObject.h:
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::arrayStorage):
* runtime/StructureTransitionTable.h:
(JSC::newIndexingType):

2014-03-26 Zan Dobersek <zdobersek@igalia.com>

Unreviewed. Removing the remaining Automake cruft.

* GNUmakefile.list.am: Removed.

2014-03-25 Filip Pizlo <fpizlo@apple.com>

Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
https://bugs.webkit.org/show_bug.cgi?id=130764
<rdar://problem/16304788>

Reviewed by Sam Weinig.

Being an arguments alias just means that your OSR exit recovery should attempt arguments
creation. This is true of arguments locals. We had special cases that tried to make it not
true of arguments locals. The only consequence of those special cases was to cause crashes
in case of arguments that are also captured variables (i.e. we have SlowArguments). This
change just removes those special cases.

This change means that the FTL will now see SetLocals with a FlushedArguments format.
Previously you wouldn't see them because previously only non-captured variables would be
arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
left. Adding handling for FlushedArguments is a benign and simple change since its
behavior is identical to FlushedJSValue for that code's purposes.

* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
* tests/stress/captured-arguments-variable.js: Added.
(foo):
(noInline):

2014-03-25 Mark Hahnenberg <mhahnenberg@apple.com>

Add HeapInlines
https://bugs.webkit.org/show_bug.cgi?id=130759

Reviewed by Filip Pizlo.

* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/Heap.cpp:
(JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
(JSC::MarkedBlockSnapshotFunctor::operator()):
* heap/Heap.h: Also reindented while we're here.
(JSC::Heap::writeBarrierBuffer):
(JSC::Heap::vm):
(JSC::Heap::objectSpace):
(JSC::Heap::machineThreads):
(JSC::Heap::operationInProgress):
(JSC::Heap::allocatorForObjectWithoutDestructor):
(JSC::Heap::allocatorForObjectWithNormalDestructor):
(JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
(JSC::Heap::storageAllocator):
(JSC::Heap::notifyIsSafeToCollect):
(JSC::Heap::isSafeToCollect):
(JSC::Heap::handleSet):
(JSC::Heap::handleStack):
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
(JSC::Heap::sizeBeforeLastEdenCollection):
(JSC::Heap::sizeAfterLastEdenCollection):
(JSC::Heap::sizeBeforeLastFullCollection):
(JSC::Heap::sizeAfterLastFullCollection):
(JSC::Heap::jitStubRoutines):
(JSC::Heap::isDeferred):
(JSC::Heap::structureIDTable):
(JSC::Heap::removeCodeBlock):
* heap/HeapInlines.h: Added.
(JSC::Heap::shouldCollect):
(JSC::Heap::isBusy):
(JSC::Heap::isCollecting):
(JSC::Heap::heap):
(JSC::Heap::isLive):
(JSC::Heap::isInRememberedSet):
(JSC::Heap::isMarked):
(JSC::Heap::testAndSetMarked):
(JSC::Heap::setMarked):
(JSC::Heap::isWriteBarrierEnabled):
(JSC::Heap::writeBarrier):
(JSC::Heap::reportExtraMemoryCost):
(JSC::Heap::forEachProtectedCell):
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::allocateWithNormalDestructor):
(JSC::Heap::allocateWithImmortalStructureDestructor):
(JSC::Heap::allocateWithoutDestructor):
(JSC::Heap::tryAllocateStorage):
(JSC::Heap::tryReallocateStorage):
(JSC::Heap::ascribeOwner):
(JSC::Heap::blockAllocator):
(JSC::Heap::releaseSoon):
(JSC::Heap::incrementDeferralDepth):
(JSC::Heap::decrementDeferralDepth):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
(JSC::Heap::markListSet):
* runtime/JSCInlines.h:

2014-03-25 Filip Pizlo <fpizlo@apple.com>

DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
https://bugs.webkit.org/show_bug.cgi?id=130760

Reviewed by Mark Hahnenberg.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
* tests/stress/assign-argument-in-inlined-call.js: Added.
(f1):
(getF2Arguments):
(f2):
(f3):
* tests/stress/assign-captured-argument-in-inlined-call.js: Added.
(f1):
(f2):
(f3):

2014-03-25 Filip Pizlo <fpizlo@apple.com>

Fix 32-bit getter call alignment.

Reviewed by Mark Hahnenberg.

* jit/Repatch.cpp:
(JSC::generateGetByIdStub):

2014-03-25 Filip Pizlo <fpizlo@apple.com>

Repatch should plant calls to getters directly rather than through a C helper
https://bugs.webkit.org/show_bug.cgi?id=129589

Reviewed by Mark Hahnenberg.

As the title says. All of the superstructure for this was already in place, so now it
was just a matter of actually emitting the call.

8x speed-up for getter microbenchmarks.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicGetByIdList.h:
(JSC::GetByIdAccess::doesCalls):
* jit/AccessorCallJITStubRoutine.cpp: Added.
(JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
(JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
(JSC::AccessorCallJITStubRoutine::visitWeak):
* jit/AccessorCallJITStubRoutine.h: Added.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeCell):
* jit/GCAwareJITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):
* runtime/GetterSetter.h:
(JSC::GetterSetter::offsetOfGetter):
(JSC::GetterSetter::offsetOfSetter):

2014-03-25 Michael Saboff <msaboff@apple.com>

Unreviewed, rolling out r166126.
Rollout r166126 in preparation to roll out prerequisite r166070

Reverted changeset:

"toThis() on a JSWorkerGlobalScope should return a JSProxy and
not undefined"
https://bugs.webkit.org/show_bug.cgi?id=130554
http://trac.webkit.org/changeset/166126

2014-03-25 Oliver Hunt <oliver@apple.com>

AST incorrectly conflates readable and writable locations
https://bugs.webkit.org/show_bug.cgi?id=130734

Reviewed by Filip Pizlo.

We need to distinguish between "locations" that are valid for reading
and writing, vs those that may only be written.

* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
* parser/Nodes.h:
(JSC::ExpressionNode::isAssignmentLocation):

2014-03-24 Oliver Hunt <oliver@apple.com>

ASSERTION FAILED in Parser: dst != localReg
https://bugs.webkit.org/show_bug.cgi?id=130710

Reviewed by Filip Pizlo.

Just make sure we don't try to write to a captured constant,
following the change to track captured variables separately.

* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):

2014-03-25 Martin Robinson <mrobinson@igalia.com>

[GTK] Remove the autotools build
https://bugs.webkit.org/show_bug.cgi?id=130717

Reviewed by Anders Carlsson.

* GNUmakefile.am: Removed.
* config.h: Remove references to the autotools configure file.

2014-03-24 Filip Pizlo <fpizlo@apple.com>

More scaffolding for a stub routine to have a stub recursively embedded inside it
https://bugs.webkit.org/show_bug.cgi?id=130770

Reviewed by Oliver Hunt.

* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::unlink): VM& argument is superfluous.
(JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
* bytecode/CallLinkInfo.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
(JSC::CodeBlock::unlinkCalls):
(JSC::CodeBlock::unlinkIncomingCalls):
* bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
(JSC::GetByIdAccess::visitWeak):
(JSC::PolymorphicGetByIdList::visitWeak):
* bytecode/PolymorphicGetByIdList.h:
* bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::visitWeak):
* bytecode/PolymorphicPutByIdList.h:
* bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
* jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
(JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
(JSC::createJITStubRoutine):
* jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
(JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
* jit/JITStubRoutine.cpp:
(JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
(JSC::emitCustomSetterStub): Clean up some code.

2014-03-24 Geoffrey Garen <ggaren@apple.com>

Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
when WebKit is compiled with fcatch-undefined-behavior
https://bugs.webkit.org/show_bug.cgi?id=130652

Reviewed by Mark Hahnenberg.

Use a static member function because the butterfly we pass in might be
NULL, and passing NULL to a member function is undefined behavior.

Stylistically, I think this new way reads a little more clearly, since it
matches createOrGrowArrayRight, and it helps to convey that m_butterfly
might not exist yet.

* runtime/Butterfly.h:
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
because we might create. Split out the create path to avoid using NULL
in a member function expression.

Removed some unused versions of this function.

* runtime/JSObject.cpp:
(JSC::JSObject::growOutOfLineStorage): Updated for interface change.

2014-03-24 Oliver Hunt <oliver@apple.com>

Strict mode destructuring assignment crashes the parser.
https://bugs.webkit.org/show_bug.cgi?id=130538

Reviewed by Michael Saboff.

The SyntaxChecker mode always returns 1 for success, except
for a small subset of functions where we needed exact information.
This ends up just being a poor design decision as it means
the parser can get confused between a function returning 1, and
the Resolve constant which was also 1. So we now use a unique
type for every creation method.

* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createSourceElements):
(JSC::SyntaxChecker::createFunctionBody):
(JSC::SyntaxChecker::createArguments):
(JSC::SyntaxChecker::createSpreadExpression):
(JSC::SyntaxChecker::createArgumentsList):
(JSC::SyntaxChecker::createPropertyList):
(JSC::SyntaxChecker::createElementList):
(JSC::SyntaxChecker::createFormalParameterList):
(JSC::SyntaxChecker::createClause):
(JSC::SyntaxChecker::createClauseList):
(JSC::SyntaxChecker::createFuncDeclStatement):
(JSC::SyntaxChecker::createBlockStatement):
(JSC::SyntaxChecker::createExprStatement):
(JSC::SyntaxChecker::createIfStatement):
(JSC::SyntaxChecker::createForLoop):
(JSC::SyntaxChecker::createForInLoop):
(JSC::SyntaxChecker::createForOfLoop):
(JSC::SyntaxChecker::createEmptyStatement):
(JSC::SyntaxChecker::createVarStatement):
(JSC::SyntaxChecker::createReturnStatement):
(JSC::SyntaxChecker::createBreakStatement):
(JSC::SyntaxChecker::createContinueStatement):
(JSC::SyntaxChecker::createTryStatement):
(JSC::SyntaxChecker::createSwitchStatement):
(JSC::SyntaxChecker::createWhileStatement):
(JSC::SyntaxChecker::createWithStatement):
(JSC::SyntaxChecker::createDoWhileStatement):
(JSC::SyntaxChecker::createLabelStatement):
(JSC::SyntaxChecker::createThrowStatement):
(JSC::SyntaxChecker::createDebugger):
(JSC::SyntaxChecker::createConstStatement):
(JSC::SyntaxChecker::appendConstDecl):
(JSC::SyntaxChecker::combineCommaNodes):
(JSC::SyntaxChecker::operatorStackPop):

2014-03-24 Brent Fulgham <bfulgham@apple.com>

Activate WebVTT Tests Once Merging is Complete
https://bugs.webkit.org/show_bug.cgi?id=130420

Reviewed by Eric Carlson.

* Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24 Andreas Kling <akling@apple.com>

Stop pulling in all the macro assemblers from VM.h
<https://webkit.org/b/130691>

Remove #include of "GPRInfo.h". This breaks WebCore's dependency
on macro assemblers headers and removes 8 includes from every
.cpp file in the JS bindings.

Reviewed by Geoff Garen.

* runtime/VM.h:

2014-03-24 Gavin Barraclough <barraclough@apple.com>

Add support for thread QoS
https://bugs.webkit.org/show_bug.cgi?id=130688

Reviewed by Andreas Kling.

* heap/BlockAllocator.cpp:
(JSC::BlockAllocator::blockFreeingThreadStartFunc):
- block freeing is a utility activity.

2014-03-24 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix CLOOP build.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
(JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24 Gabor Rapcsanyi <rgabor@webkit.org>

[ARM64] GNU assembler doesn't work with LLInt arm64 backend.
https://bugs.webkit.org/show_bug.cgi?id=130453

Reviewed by Filip Pizlo.

Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
at sxtw and uxtw instructions.

* offlineasm/arm64.rb:

2014-03-23 Hyowon Kim <hw1008.kim@samsung.com>

Move all EFL typedefs into EflTypedefs.h.
https://bugs.webkit.org/show_bug.cgi?id=130511

Reviewed by Gyuyoung Kim.

* heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23 Filip Pizlo <fpizlo@apple.com>

Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
https://bugs.webkit.org/show_bug.cgi?id=130650
<rdar://problem/16122966>

Reviewed by Michael Saboff.

Previously, it was only in the case of inlining that we would do SetLocal's beyond the
previously established numLocals limit. But then we added generalized op_call_varargs
handling, which results in us emitting SetLocals that didn't previously exist in the
bytecode.

This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ensureLocals):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::parse):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub): Make this do alignment correctly.
* runtime/Options.h:
* tests/stress/call-varargs-from-inlined-code.js: Added.
* tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22 Filip Pizlo <fpizlo@apple.com>

Unreviewed, adjust sizes for ARM64.

* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCall):

2014-03-22 Filip Pizlo <fpizlo@apple.com>

Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
https://bugs.webkit.org/show_bug.cgi?id=130649
<rdar://problem/16399949>

Reviewed by Andreas Kling.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
* tests/stress/fuzz-bug-16399949.js: Added.
(tryItOut.f):
(tryItOut):

2014-03-22 Filip Pizlo <fpizlo@apple.com>

Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
https://bugs.webkit.org/show_bug.cgi?id=130644

Reviewed by Andreas Kling.

This is conceptually a really simple change but it involves the following:

- The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.

- CodeBlock uses a Bag of CallLinkInfos instead of a Vector.

- Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
longer has a vector of slow path counts that shadows the CallLinkInfo vector.

- Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
and not all relinking.

This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
with an op_call/op_construct instruction and a machine code return PC within such an
instruction.

* bytecode/CallLinkInfo.h:
(JSC::getCallLinkInfoCodeOrigin):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::getCallLinkInfoMap):
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
(JSC::CodeBlock::addCallLinkInfo):
(JSC::CodeBlock::unlinkCalls):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::byValInfo):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addJSCall):
(JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCall):
* ftl/FTLJSCall.cpp:
(JSC::FTL::JSCall::JSCall):
(JSC::FTL::JSCall::emit):
(JSC::FTL::JSCall::link):
* ftl/FTLJSCall.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
(JSC::operationLinkFor):
(JSC::operationVirtualFor):
(JSC::operationLinkClosureCallFor):
* jit/Repatch.cpp:
(JSC::linkClosureCall):
* jit/ThunkGenerators.cpp:
(JSC::slowPathFor):
(JSC::virtualForThunkGenerator):
* tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix misspelled test name.

* tests/stress/constand-folding-osr-exit.js: Removed.
* tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22 Andreas Kling <akling@apple.com>

CREATE_DOM_WRAPPER doesn't need the ExecState.
<https://webkit.org/b/130648>

Add a fast path from JSGlobalObject to the VM so we don't have
to dance via the Heap.

Reviewed by Darin Adler.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::vm):

2014-03-22 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix FTL build.

* ftl/FTLJITFinalizer.cpp:

2014-03-22 Michael Saboff <msaboff@apple.com>

toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
https://bugs.webkit.org/show_bug.cgi?id=130554

Reviewed by Geoffrey Garen.

Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
happen in finishCreation() so that it will also happen for other derived classes including
JSWorkerGlobalScopeBase.

* API/JSContextRef.cpp:
(JSGlobalContextCreateInGroup):
* jsc.cpp:
(GlobalObject::create):
* API/tests/testapi.c:
(globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
the result from JSContextGetGlobalObject() as that will return the proxy.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
we now call setGlobalThis in finishCreation().
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::finishCreation):
(JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22 Andreas Kling <akling@apple.com>

Fix debug build.

* bytecode/CodeBlock.cpp:
* runtime/Executable.cpp:

2014-03-22 Andreas Kling <akling@apple.com>

Cut down on JSC profiler includes in WebCore & co.
<https://webkit.org/b/130637>

Most of WebKit was pulling in JSC's profiler headers via VM.h.

Reviewed by Darin Adler.

* dfg/DFGDisassembler.cpp:
* dfg/DFGDisassembler.h:
* dfg/DFGJITFinalizer.cpp:
* jsc.cpp:
* runtime/VM.cpp:
* runtime/VM.h:

2014-03-22 Landry Breuil <landry@openbsd.org>

Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
https://bugs.webkit.org/show_bug.cgi?id=129965

Reviewed by Anders Carlsson.

2014-03-21 Mark Lam <mark.lam@apple.com>

Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
<https://webkit.org/b/124508>

Reviewed by Oliver Hunt.

The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
pointer from the BytecodeGenerator's m_localScopes vector, and then it
calls emitPopScopes(). emitPopScopes() may do finally clause handling
which will require the m_localScopes to be cloned so that it can change
the local scopes for the finally block, and then restore it after
handling the finally clause. These modifications of the m_localScopes
vector will result in the LabelScope pointer in BreakNode::emitBytecode()
becoming stale, thereby causing the crash.

The same issue applies to the ContinueNode as well.

The fix is to use the existing LabelScopePtr abstraction instead of raw
LabelScope pointers. The LabelScopePtr is resilient to the underlying
vector re-allocating its backing store.

I also changed the LabelScopePtr constructor that takes a LabelScopeStore
to expect a reference to the owner store instead of a pointer because the
owner store should never be a null pointer.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::newLabelScope):
(JSC::BytecodeGenerator::breakTarget):
(JSC::BytecodeGenerator::continueTarget):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/LabelScope.h:
(JSC::LabelScopePtr::LabelScopePtr):
(JSC::LabelScopePtr::operator bool):
(JSC::LabelScopePtr::null):
* bytecompiler/NodesCodegen.cpp:
(JSC::ContinueNode::trivialTarget):
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::trivialTarget):
(JSC::BreakNode::emitBytecode):
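
As an added illustration of the stale-pointer hazard this entry describes (example code, not JavaScriptCore's own): a raw pointer into a growable vector is invalidated when the vector reallocates, while a handle built from the owning store plus an index, the shape of LabelScopePtr as described above, still resolves correctly afterwards. LabelScope, LabelScopeStore, makeStore and forceReallocation are constructed stand-ins, not the real JSC types.

```cpp
// Added example, not JavaScriptCore's code: an owner-plus-index handle
// (modelled on the LabelScopePtr described in the entry) versus a raw pointer
// into a vector whose backing store is reallocated underneath it.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a label scope: a name and a jump target.
struct LabelScope {
    std::string name;
    int target;
};

// Constructed stand-in for the generator's m_localScopes vector.
using LabelScopeStore = std::vector<LabelScope>;

// Handle that keeps the owning store (taken by reference, so never null) and
// an index, and re-resolves the element on every access instead of caching
// its address. It stays valid when the store reallocates.
class LabelScopePtr {
public:
    LabelScopePtr(LabelScopeStore& store, size_t index)
        : m_store(&store), m_index(index) {}

    LabelScope& operator*() const { return (*m_store)[m_index]; }
    LabelScope* operator->() const { return &(*m_store)[m_index]; }
    size_t index() const { return m_index; }

private:
    LabelScopeStore* m_store;  // the owner; constructor takes a reference
    size_t m_index;
};

LabelScopeStore makeStore() {
    LabelScopeStore store;
    store.push_back({"outer", 10});
    store.push_back({"inner", 20});
    return store;
}

// Stand-in for what emitPopScopes() does to m_localScopes when it handles a
// finally clause: grow the vector past its capacity (forcing a reallocation)
// and then restore its logical contents. Returns true if the buffer moved.
bool forceReallocation(LabelScopeStore& store) {
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(store.data());
    size_t originalSize = store.size();
    size_t target = store.capacity() + 1;
    while (store.size() < target)
        store.push_back({"finally-clone", 0});
    store.resize(originalSize);  // contents restored; the new buffer stays
    return reinterpret_cast<std::uintptr_t>(store.data()) != before;
}

// The bug: a raw LabelScope* held across the call. Only addresses are
// compared (the stale pointer is never dereferenced), so this is safe to run.
bool rawPointerGoesStale() {
    LabelScopeStore store = makeStore();
    LabelScope* scope = &store.back();  // like BreakNode holding a LabelScope*
    std::uintptr_t held = reinterpret_cast<std::uintptr_t>(scope);
    forceReallocation(store);           // like emitPopScopes() cloning scopes
    return held != reinterpret_cast<std::uintptr_t>(&store.back());
}

// The fix: the handle goes through the owner and index, so it still names
// the same element after the backing store has moved.
int handleStillResolves() {
    LabelScopeStore store = makeStore();
    LabelScopePtr scope(store, store.size() - 1);
    forceReallocation(store);
    return scope->target;  // 20
}

int main() {
    std::printf("raw pointer stale after reallocation: %s\n",
                rawPointerGoesStale() ? "yes" : "no");
    std::printf("handle still resolves target: %d\n", handleStillResolves());
    return 0;
}
```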

2014-03-21 Mark Hahnenberg <mhahnenberg@apple.com>

6% SunSpider commandline regression due to r165940
https://bugs.webkit.org/show_bug.cgi?id=130617

Reviewed by Michael Saboff.

In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
before. Some of the benchmarks are never running a single EdenCollection, which causes
them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
magnitude more than we normally would.

The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

* heap/Heap.cpp:
(JSC::Heap::Heap):

2014-03-21 Filip Pizlo <fpizlo@apple.com>

Constants folded by DFG::ByteCodeParser should not be dead.
https://bugs.webkit.org/show_bug.cgi?id=130576

Reviewed by Mark Hahnenberg.

This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
or more folders in LLVM). Doing so has no performance impact since the other constant folders
already subsume this one.

Also added a test case for the specific bug that instigated this.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getJSConstantForValue):
(JSC::DFG::ByteCodeParser::getJSConstant):
(JSC::DFG::ByteCodeParser::inferredConstant):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.h:
* tests/stress/constand-folding-osr-exit.js: Added.
(foo):
(test):
(.var):

2014-03-21 Mark Lam <mark.lam@apple.com>

StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
<https://webkit.org/b/130566>

Reviewed by Filip Pizlo.

* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):

2014-03-20 Filip Pizlo <fpizlo@apple.com>

FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
https://bugs.webkit.org/show_bug.cgi?id=130562
<rdar://problem/16382842>

Reviewed by Geoffrey Garen.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
* tests/stress/uint32array-unsigned-load.js: Added.
(foo):

2014-03-20 Brian Burg <bburg@apple.com>

Web Inspector: add frontend controller and models for replay sessions
https://bugs.webkit.org/show_bug.cgi?id=130145

Reviewed by Joseph Pecoraro.

* inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20 Filip Pizlo <fpizlo@apple.com>

FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
https://bugs.webkit.org/show_bug.cgi?id=130546
<rdar://problem/16383308>

Reviewed by Mark Hahnenberg.

Make AI do a better job of folding this.

Also made the FTL backend be more tolerant of data representations. In this case it
didn't know that "constant" was a valid representation. There is a finite set of
possible representations, but broadly, we don't write code that presumes anything
about the representation of an input; that's what methods like lowJSValue() are for.
ValueToInt32 was previously not relying on those methods at all because it had some
hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
to lowJSValue().

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
* tests/stress/value-to-int32-undefined-constant.js: Added.
(foo):
* tests/stress/value-to-int32-undefined.js: Added.
(foo):

2014-03-20 Mark Hahnenberg <mhahnenberg@apple.com>

Add some assertions back
https://bugs.webkit.org/show_bug.cgi?id=130531

Reviewed by Geoffrey Garen.

We removed a useful set of assertions for verifying that MarkedBlocks were
in the state that we expected them to be in after clearing marks in the Heap.
We should add these back to catch bugs earlier.

* heap/MarkedBlock.h:
* heap/MarkedSpace.cpp:
(JSC::VerifyMarkedOrRetired::operator()):
(JSC::MarkedSpace::clearMarks):

2014-03-20 Filip Pizlo <fpizlo@apple.com>

Implement stackmap header version check and support new stackmap formats
https://bugs.webkit.org/show_bug.cgi?id=130535
<rdar://problem/16164284>

Reviewed by Geoffrey Garen.

Add the notion of versioning so that LLVMers can happily implement new stackmap formats
without worrying about WebKit getting version-locked to LLVM. In the future, we will have
to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
happy to move backward in time to older versions of LLVM.

* ftl/FTLStackMaps.cpp:
(JSC::FTL::readObject):
(JSC::FTL::StackMaps::Constant::parse):
(JSC::FTL::StackMaps::StackSize::parse):
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::parse):
(JSC::FTL::StackMaps::dump):
(JSC::FTL::StackMaps::dumpMultiline):
* ftl/FTLStackMaps.h:

2014-03-20 Filip Pizlo <fpizlo@apple.com>

Crash beneath operationTearOffActivation running this JS compression demo
https://bugs.webkit.org/show_bug.cgi?id=130295
<rdar://problem/16332337>

Reviewed by Oliver Hunt.

Make sure that we flush things as if we were at a terminal, if we are at a block with
no forward edges. This fixes infinitely loopy code with captured variables.

Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.

Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
it by itself. Now it's an artifact of CPS rethreading.

Add a bunch of tests. All of them previously either crashed or returned bad output due
to memory corruption.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::isCaptured):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::flushForReturn):
(JSC::DFG::ByteCodeParser::flushIfTerminal):
(JSC::DFG::ByteCodeParser::branchData):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
(JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::clearFlagsOnAllNodes):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* tests/stress/activation-test-loop.js: Added.
(Inner.this.doStuff):
(Inner):
(foo.inner.isDone):
(foo):
* tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(fuzz):
(foo.f):
(foo):
* tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):

2014-03-20 Oliver Hunt <oliver@apple.com>

Incorrect behavior when mutating a typed array during set.
https://bugs.webkit.org/show_bug.cgi?id=130428

Reviewed by Geoffrey Garen.

This fixes a null dereference that occurs if a typed array
is mutated during the set() operation. The patch gets rid
of the "Quickly" version of setIndex that is assigning
JSValues of unknown type, as the numeric conversion can trigger
side effects that lead to neutering, and so we deref null.

* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndex):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
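
An added model of the ordering problem this entry describes (example code, not JavaScriptCore's own): converting a value of unknown type can run script that neuters the view, so a check made before the conversion no longer holds at the time of the write. TypedArrayView, Value, Outcome and the helper functions are constructed stand-ins for the real types.

```cpp
// Added example, not JavaScriptCore's code: a model of the typed-array set()
// bug described in the entry. Converting a value of unknown type can run
// script that neuters the view, so any bounds/attached check made before the
// conversion is no longer valid at the time of the write.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Constructed stand-in for a JSValue: either a plain number, or an object
// whose valueOf() runs arbitrary script during numeric conversion.
struct Value {
    double number = 0;
    std::function<double()> valueOf;  // non-empty means "object with side effects"
};

enum class Outcome { Stored, Rejected, DanglingWrite };

class TypedArrayView {
public:
    explicit TypedArrayView(size_t length)
        : m_buffer(std::make_shared<std::vector<double>>(length)) {}

    bool isNeutered() const { return !m_buffer; }
    size_t length() const { return m_buffer ? m_buffer->size() : 0; }
    double at(size_t index) const { return (*m_buffer)[index]; }

    // What transferring the underlying ArrayBuffer does to every view on it.
    void neuter() { m_buffer.reset(); }

    // Numeric conversion; for an object this runs valueOf(), i.e. script.
    static double toNumber(const Value& value) {
        return value.valueOf ? value.valueOf() : value.number;
    }

    // The "Quickly" ordering the entry removes: validate first, convert
    // second. If the conversion neuters the view, the real code would write
    // through a null storage pointer; here that is reported instead.
    Outcome setIndexQuickly(size_t index, const Value& value) {
        if (isNeutered() || index >= length())
            return Outcome::Rejected;
        std::vector<double>* storage = m_buffer.get();  // cached before conversion
        double converted = toNumber(value);             // may call neuter()
        if (storage != m_buffer.get())
            return Outcome::DanglingWrite;              // would have been a null deref
        (*storage)[index] = converted;
        return Outcome::Stored;
    }

    // Fixed ordering: run the conversion (and its side effects) first, then
    // re-validate against the view's current state before touching storage.
    Outcome setIndex(size_t index, const Value& value) {
        double converted = toNumber(value);
        if (isNeutered() || index >= length())
            return Outcome::Rejected;                   // TypeError in JS
        (*m_buffer)[index] = converted;
        return Outcome::Stored;
    }

private:
    std::shared_ptr<std::vector<double>> m_buffer;  // null once neutered
};

// A value whose conversion neuters the view it is being stored into: the
// situation the entry describes (mutating the array during set()).
Value neuteringValue(TypedArrayView& view) {
    Value value;
    value.valueOf = [&view]() { view.neuter(); return 42.0; };
    return value;
}

Outcome runSideEffectStore(bool useFixedPath) {
    TypedArrayView view(4);
    Value sideEffecting = neuteringValue(view);
    return useFixedPath ? view.setIndex(1, sideEffecting)
                        : view.setIndexQuickly(1, sideEffecting);
}

// The ordinary path is unchanged: a plain number is converted and stored.
double runBenignStore() {
    TypedArrayView view(2);
    Value plain;
    plain.number = 3.5;
    view.setIndex(0, plain);
    return view.at(0);  // 3.5
}

int main() {
    std::printf("quick path: %d, fixed path: %d, benign store: %g\n",
                static_cast<int>(runSideEffectStore(false)),
                static_cast<int>(runSideEffectStore(true)),
                runBenignStore());
    return 0;
}
```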

2014-03-20 Gavin Barraclough <barraclough@apple.com>

Remove IdentifierTable typedef, isIdentifier()
https://bugs.webkit.org/show_bug.cgi?id=130533

Rubber stamped by Geoff Garen.

Code should use AtomicStringTable, isAtomic() directly.

* API/JSClassRef.cpp:
(OpaqueJSClass::~OpaqueJSClass):
(OpaqueJSClassContextData::OpaqueJSClassContextData):
(OpaqueJSClass::className):
* API/JSClassRef.h:
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromCell):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
* heap/Heap.cpp:
(JSC::Heap::collect):
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::addVar):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::createBindingPattern):
* runtime/Completion.cpp:
(JSC::checkSyntax):
(JSC::evaluate):
* runtime/Identifier.cpp:
(JSC::Identifier::checkCurrentAtomicStringTable):
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
* runtime/IdentifierInlines.h:
(JSC::Identifier::add):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/JSLock.h:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::find):
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString):
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
(JSC::VM::atomicStringTable):

2014-03-20 Gavin Barraclough <barraclough@apple.com>

Merge AtomicString, Identifier
https://bugs.webkit.org/show_bug.cgi?id=128624

Reviewed by Geoff Garen.

WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
Identifier - that is one too many.

Remove Identifier in favour of AtomicString. Identifier had two interesting
mechanisms that we preserve.

(1) JSC API VMs each get their own string table, switch the string table on
API entry/exit.
(2) JSC caches a pointer to the string table on the VM to avoid a thread
specific access. Adds a new AtomicString::add method to support this.

* API/JSAPIWrapperObject.mm:
- updated includes.
* JavaScriptCore.xcodeproj/project.pbxproj:
- added IdentifierInlines.h.
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
- updated includes.
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.
* runtime/ConsolePrototype.cpp:
- updated includes.
* runtime/Identifier.cpp:
(JSC::Identifier::add):
(JSC::Identifier::add8):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
- added ASSERTS.
(JSC::Identifier::add):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/IdentifierInlines.h: Added.
(JSC::Identifier::add):
- moved from Identifier.h, use AtomicString::add.
* runtime/JSCInlines.h:
- added IdentifierInlines.h.
* runtime/JSLock.h:
- removed IdentifierTable.
* runtime/PropertyNameArray.cpp:
- updated includes.
* runtime/SmallStrings.cpp:
(JSC::SmallStringsStorage::SmallStringsStorage):
- ensure all single character strings are Atomic.
* runtime/VM.cpp:
(JSC::VM::VM):
- instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
* runtime/VM.h:
(JSC::VM::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.

2014-03-20 Gabor Rapcsanyi <rgabor@webkit.org>

[ARM64] Fix assembler build issues and add cacheFlush support for Linux
https://bugs.webkit.org/show_bug.cgi?id=130502

Reviewed by Michael Saboff.

Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
Add cacheFlush support for Linux.

* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linuxPageFlush):
(JSC::ARM64Assembler::cacheFlush):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19 Gavin Barraclough <barraclough@apple.com>

EmptyUnique strings are Identifiers/Atomic
https://bugs.webkit.org/show_bug.cgi?id=130494

Reviewed by Geoff Garen.

EmptyUnique strings should set the Identifier/Atomic flag.

This fixes an unreproducible bug we believe exists in Identifier handling.
Expected behaviour is that while Identifiers may reference EmptyUniques
(StringImpls allocated as UIDs for PrivateNames), these are not created
through the main Identifier constructor, the Identifier flag is not set
on PrivateNames, and we should never lookup EmptyUnique strings in the
IdentifierTable.

Unfortunately that was happening. Some tables used to implement property
access in the JIT hold StringImpl*s, and turn these back into Identifiers
using the identifier constructor. Since the code generator will now plant
by-id (cachable) accesses to PrivateNames we can end up passing an
EmptyUnique to Identifier::add, potentially leading to PrivateNames being
uniqued together (though hard to prove, since the hash codes are random).

* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
(JSC::PropertyName::uid):
(JSC::PropertyName::publicName):
(JSC::PropertyName::asIndex):
- PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
* runtime/Structure.cpp:
(JSC::Structure::getPropertyNamesFromStructure):
- Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19 Filip Pizlo <fpizlo@apple.com>

Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

* dfg/DFGCommon.h:

2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>

GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261

Reviewed by Geoffrey Garen.

Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
be detected by an EdenCollection).

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/EdenGCActivityCallback.cpp: Added.
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):
(JSC::EdenGCActivityCallback::gcTimeSlice):
* heap/EdenGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createEdenTimer):
* heap/FullGCActivityCallback.cpp: Added.
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):
(JSC::FullGCActivityCallback::gcTimeSlice):
* heap/FullGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createFullTimer):
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::didAbandon):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
(JSC::Heap::sizeBeforeLastEdenCollection):
(JSC::Heap::sizeAfterLastEdenCollection):
(JSC::Heap::sizeBeforeLastFullCollection):
(JSC::Heap::sizeAfterLastFullCollection):
* heap/HeapOperation.h:
* heap/HeapStatistics.cpp:
(JSC::HeapStatistics::showObjectStatistics):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* jsc.cpp:
(functionFullGC):
(functionEdenGC):
* runtime/Options.h:

2014-03-19 Commit Queue <commit-queue@webkit.org>

Unreviewed, rolling out r165926.
https://bugs.webkit.org/show_bug.cgi?id=130488

broke the iOS build (Requested by estes on #webkit).

Reverted changeset:

"GC timer should intelligently choose between EdenCollections
and FullCollections"
https://bugs.webkit.org/show_bug.cgi?id=128261
http://trac.webkit.org/changeset/165926

2014-03-13 Mark Hahnenberg <mhahnenberg@apple.com>

GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261

Reviewed by Geoffrey Garen.

Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
detected by an EdenCollection).

* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::createFullTimer):
(JSC::GCActivityCallback::createEdenTimer):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::didAbandon):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
* heap/Heap.h:
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):

2014-03-19 Filip Pizlo <fpizlo@apple.com>

REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
https://bugs.webkit.org/show_bug.cgi?id=130134

Reviewed by Mark Hahnenberg.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
(JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
* jit/JITInlineCacheGenerator.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.

2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>

Normalize some of the older JSC options
https://bugs.webkit.org/show_bug.cgi?id=128753

Reviewed by Michael Saboff.

* runtime/Options.cpp:
(JSC::Options::initialize):

2014-03-12 Mark Lam <mark.lam@apple.com>

Update type of local vars to match the type of String length.
<https://webkit.org/b/130077>

Reviewed by Geoffrey Garen.

* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::join):

2014-03-18 Filip Pizlo <fpizlo@apple.com>

Get rid of Flush in SSA
https://bugs.webkit.org/show_bug.cgi?id=130440

Reviewed by Sam Weinig.

This is basically a red patch. We used to use backwards flow for determining what was
flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
accomplish anything. Keeping them around in SSA can only make things hard.

* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::SSAData::SSAData):
* dfg/DFGBasicBlock.h:
* dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
* dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):

2014-03-18 Filip Pizlo <fpizlo@apple.com>

Unreviewed, fix iOS production build.

* JavaScriptCore.xcodeproj/project.pbxproj:

2014-03-18 Michael Saboff <msaboff@apple.com>

Update RegExp Tracing code
https://bugs.webkit.org/show_bug.cgi?id=130381

Reviewed by Andreas Kling.
10713
10714 Updated the regular expression tracing code for 8/16 bit JIT as
10715 well as match only entry points. Also added average string length
10716 metric.
10717
10718 * runtime/RegExp.cpp:
10719 (JSC::RegExp::RegExp):
10720 (JSC::RegExp::match):
10721 (JSC::RegExp::printTraceData):
10722 * runtime/RegExp.h:
10723 * runtime/VM.cpp:
10724 (JSC::VM::addRegExpToTrace):
10725 (JSC::VM::dumpRegExpTrace):
10726 * runtime/VM.h:
10727 * yarr/YarrJIT.h:
10728 (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
10729 (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
10730 (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
10731 (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
10732
10733 2014-03-17 Filip Pizlo <fpizlo@apple.com>
10734
10735 Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
10736 https://bugs.webkit.org/show_bug.cgi?id=130300
10737
10738 Reviewed by Mark Hahnenberg.
10739
10740 We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
10741 This makes the DFG aware of this.
10742
10743 Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
10744 the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
10745
10746 This also gives the DFG some abstractions for checking something is a cell or is other.
10747 This made this patch easier to write and also simplified a bunch of other stuff.
10748
10749 1% speed-up on Octane.
10750
10751 * assembler/AbstractMacroAssembler.h:
10752 (JSC::AbstractMacroAssembler::JumpList::JumpList):
10753 * bytecode/SpeculatedType.h:
10754 (JSC::isNotStringVarSpeculation):
10755 * dfg/DFGFixupPhase.cpp:
10756 (JSC::DFG::FixupPhase::fixupNode):
10757 * dfg/DFGNode.h:
10758 (JSC::DFG::Node::childFor):
10759 (JSC::DFG::Node::shouldSpeculateNotStringVar):
10760 * dfg/DFGSafeToExecute.h:
10761 (JSC::DFG::SafeToExecuteEdge::operator()):
10762 * dfg/DFGSpeculativeJIT.cpp:
10763 (JSC::DFG::SpeculativeJIT::compileIn):
10764 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
10765 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
10766 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
10767 (JSC::DFG::SpeculativeJIT::compileStrictEq):
10768 (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
10769 (JSC::DFG::SpeculativeJIT::compileStringEquality):
10770 (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
10771 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
10772 (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
10773 (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
10774 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
10775 (JSC::DFG::SpeculativeJIT::speculateString):
10776 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
10777 (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
10778 (JSC::DFG::SpeculativeJIT::speculateNotCell):
10779 (JSC::DFG::SpeculativeJIT::speculateOther):
10780 (JSC::DFG::SpeculativeJIT::speculate):
10781 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
10782 (JSC::DFG::SpeculativeJIT::emitSwitchString):
10783 * dfg/DFGSpeculativeJIT.h:
10784 (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
10785 (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
10786 (JSC::DFG::SpeculativeJIT::booleanResult):
10787 * dfg/DFGSpeculativeJIT32_64.cpp:
10788 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10789 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10790 (JSC::DFG::SpeculativeJIT::emitCall):
10791 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10792 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10793 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10794 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10795 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10796 (JSC::DFG::SpeculativeJIT::compile):
10797 (JSC::DFG::branchIsCell):
10798 (JSC::DFG::branchNotCell):
10799 (JSC::DFG::SpeculativeJIT::branchIsOther):
10800 (JSC::DFG::SpeculativeJIT::branchNotOther):
10801 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10802 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10803 (JSC::DFG::SpeculativeJIT::blessBoolean):
10804 * dfg/DFGSpeculativeJIT64.cpp:
10805 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
10806 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
10807 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
10808 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
10809 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
10810 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
10811 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
10812 (JSC::DFG::SpeculativeJIT::compile):
10813 (JSC::DFG::SpeculativeJIT::writeBarrier):
10814 (JSC::DFG::SpeculativeJIT::branchIsCell):
10815 (JSC::DFG::SpeculativeJIT::branchNotCell):
10816 (JSC::DFG::SpeculativeJIT::branchIsOther):
10817 (JSC::DFG::SpeculativeJIT::branchNotOther):
10818 (JSC::DFG::SpeculativeJIT::moveTrueTo):
10819 (JSC::DFG::SpeculativeJIT::moveFalseTo):
10820 (JSC::DFG::SpeculativeJIT::blessBoolean):
10821 * dfg/DFGUseKind.cpp:
10822 (WTF::printInternal):
10823 * dfg/DFGUseKind.h:
10824 (JSC::DFG::typeFilterFor):
10825 * ftl/FTLCapabilities.cpp:
10826 (JSC::FTL::canCompile):
10827 * ftl/FTLLowerDFGToLLVM.cpp:
10828 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
10829 (JSC::FTL::LowerDFGToLLVM::lowString):
10830 (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
10831 (JSC::FTL::LowerDFGToLLVM::speculate):
10832 (JSC::FTL::LowerDFGToLLVM::speculateString):
10833 (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
10834 (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
10835 * runtime/JSCJSValue.h:
10836 * tests/stress/string-ident-to-not-string-var-equality.js: Added.
10837 (foo):
10838 (bar):
10839 (test):
10840
10841 2014-03-18 Joseph Pecoraro <pecoraro@apple.com>
10842
10843 Add Copyright to framework.sb
10844 https://bugs.webkit.org/show_bug.cgi?id=130413
10845
10846 Reviewed by Timothy Hatcher.
10847
10848 Other sb files got the copyright. Follow suit.
10849
10850 * framework.sb:
10851
10852 2014-03-18 Matthew Mirman <mmirman@apple.com>
10853
10854 Removed extra parens from if statement in a preprocessor define.
10855 https://bugs.webkit.org/show_bug.cgi?id=130408
10856
10857 Reviewed by Filip Pizlo.
10858
10859 * parser/Parser.cpp:
10860
10861 2014-03-18 Filip Pizlo <fpizlo@apple.com>
10862
10863 More FTL enabling.
10864
10865 Rubber stamped by Dan Bernstein and Mark Hahnenberg.
10866
10867 * Configurations/FeatureDefines.xcconfig:
10868 * ftl/FTLCompile.cpp:
10869 (JSC::FTL::compile):
10870
10871 2014-03-17 Michael Saboff <msaboff@apple.com>
10872
10873 V8 regexp spends most of its time in operationGetById
10874 https://bugs.webkit.org/show_bug.cgi?id=130380
10875
10876 Reviewed by Filip Pizlo.
10877
10878 Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
10879 When V8 regexp is run from the command line, this nets a 2% performance improvement.
10880 When the test is run for a longer amount of time, there is much less benefit as the
10881 DFG will emit the appropriate code for String.length. This does remove
10882 operationGetById as the hottest function when run from the command line.
10883
10884 * jit/Repatch.cpp:
10885 (JSC::tryCacheGetByID):
10886
10887 2014-03-17 Andreas Kling <akling@apple.com>
10888
10889 Add one-deep cache to opaque roots hashset.
10890 <https://webkit.org/b/130357>
10891
10892 The vast majority of WebCore JS wrappers will have their Document*
10893 as the root(). This change adds a simple optimization where we cache
10894 the last lookup and avoid going to the hashset for repeated queries.
10895
10896 Looks like 0.4% progression on DYEB on my MBP.
10897
10898 Reviewed by Mark Hahnenberg.
10899
10900 * JavaScriptCore.xcodeproj/project.pbxproj:
10901 * heap/OpaqueRootSet.h: Added.
10902 (JSC::OpaqueRootSet::OpaqueRootSet):
10903 (JSC::OpaqueRootSet::contains):
10904 (JSC::OpaqueRootSet::isEmpty):
10905 (JSC::OpaqueRootSet::clear):
10906 (JSC::OpaqueRootSet::add):
10907 (JSC::OpaqueRootSet::size):
10908 (JSC::OpaqueRootSet::begin):
10909 (JSC::OpaqueRootSet::end):
10910 * heap/SlotVisitor.h:
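
The one-deep cache this entry describes, written out as an added example rather than JavaScriptCore's own heap/OpaqueRootSet.h. It assumes a std::unordered_set as the underlying hash set, and the cacheHits() counter, the runOpaqueRootScenario() driver and the two Document stand-ins are constructed for the example and not part of the real class. The two points a reviewer would check are that add() and clear() invalidate the cached answer, since a stale entry would misreport a root's presence to the next marking pass.

```cpp
#include <cstddef>
#include <unordered_set>

// Added example, not JavaScriptCore's own heap/OpaqueRootSet.h: a set of
// opaque root pointers that caches the last pointer queried, so that the
// common case of many wrappers sharing one root (their Document*) answers
// contains() without a hash-set probe. cacheHits() is instrumentation that
// exists only in this example.
class OpaqueRootSet {
public:
    bool contains(void* root) const
    {
        if (root == m_lastQueriedRoot) {
            ++m_cacheHits;
            return m_lastQueryResult;
        }
        m_lastQueriedRoot = root;
        m_lastQueryResult = m_roots.count(root) != 0;
        return m_lastQueryResult;
    }

    void add(void* root)
    {
        // Inserting the pointer that a cached miss refers to would leave the
        // cache answering "absent" for a present root; drop the cached entry.
        if (root == m_lastQueriedRoot)
            m_lastQueriedRoot = nullptr;
        m_roots.insert(root);
    }

    void clear()
    {
        // A cache entry that outlives clear() would misreport reachability
        // to the next collection, so the cache is reset with the set.
        m_roots.clear();
        m_lastQueriedRoot = nullptr;
        m_lastQueryResult = false;
    }

    bool isEmpty() const { return m_roots.empty(); }
    size_t size() const { return m_roots.size(); }
    size_t cacheHits() const { return m_cacheHits; }

private:
    std::unordered_set<void*> m_roots;
    mutable void* m_lastQueriedRoot { nullptr };
    mutable bool m_lastQueryResult { false };
    mutable size_t m_cacheHits { 0 };
};

// Exercises the set the way a SlotVisitor would: one root shared by many
// wrappers, queried repeatedly, then the set cleared between collections.
struct ScenarioResult {
    bool presentBeforeAdd;
    bool presentAfterAdd;
    size_t hitsAfterRepeatedQueries;
    bool otherPointerPresent;
    bool presentAfterClear;
};

static ScenarioResult runOpaqueRootScenario()
{
    static int documentA, documentB; // constructed stand-ins for Document* roots
    OpaqueRootSet roots;
    ScenarioResult r;
    r.presentBeforeAdd = roots.contains(&documentA);  // miss, cached as absent
    roots.add(&documentA);                            // invalidates that cached miss
    r.presentAfterAdd = roots.contains(&documentA);   // real probe, cached as present
    for (int i = 0; i < 100; ++i)
        roots.contains(&documentA);                   // all served from the cache
    r.hitsAfterRepeatedQueries = roots.cacheHits();
    r.otherPointerPresent = roots.contains(&documentB);
    roots.clear();
    r.presentAfterClear = roots.contains(&documentA);
    return r;
}
```

The cache is a single pointer and a bool, so the cost of a wrong invalidation rule is not memory but correctness: a cached "present" that survives clear() would keep wrappers alive that should be collected, and a cached "absent" that survives add() would let live wrappers be swept.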
10911
10912 2014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
10913
10914 Implement Math.hypot
10915 https://bugs.webkit.org/show_bug.cgi?id=129486
10916
10917 Reviewed by Darin Adler.
10918
10919 * runtime/MathObject.cpp:
10920 (JSC::MathObject::finishCreation):
10921 (JSC::mathProtoFuncHypot):
10922
10923 2014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>
10924
10925 Fix the !ENABLE(PROMISES) build
10926 https://bugs.webkit.org/show_bug.cgi?id=130328
10927
10928 Reviewed by Darin Adler.
10929
10930 Add missing ENABLE(PROMISES) guards.
10931
10932 * runtime/JSGlobalObject.cpp:
10933 (JSC::JSGlobalObject::reset):
10934 (JSC::JSGlobalObject::visitChildren):
10935 * runtime/JSGlobalObject.h:
10936 * runtime/JSPromiseDeferred.cpp:
10937 * runtime/JSPromiseDeferred.h:
10938 * runtime/JSPromiseReaction.cpp:
10939 * runtime/JSPromiseReaction.h:
10940 * runtime/VM.cpp:
10941 (JSC::VM::VM):
10942 * runtime/VM.h:
10943
10944 2014-03-16 Andreas Kling <akling@apple.com>
10945
10946 REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
10947 <https://webkit.org/b/130304>
10948
10949 Reviewed by Anders Carlsson.
10950
10951 Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
10952 that doesn't put a potentially unwanted string into the Identifier table.
10953
10954 * API/OpaqueJSString.cpp:
10955 (OpaqueJSString::identifier):
10956
10957 2014-03-16 Brian Burg <bburg@apple.com>
10958
10959 Web Inspector: generated backend commands should reflect build system ENABLE settings
10960 https://bugs.webkit.org/show_bug.cgi?id=130111
10961
10962 Reviewed by Timothy Hatcher.
10963
10964 * CMakeLists.txt:
10965
10966 Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
10967 instead of globbing any .json file.
10968
10969 * DerivedSources.make:
10970
10971 Force the combined inspector protocol file to be regenerated if
10972 the content or list of domains itself changes.
10973
10974 2014-03-16 Brian Burg <bburg@apple.com>
10975
10976 Web Inspector: vended backend commands file should be generated as part of the build
10977 https://bugs.webkit.org/show_bug.cgi?id=130110
10978
10979 Reviewed by Timothy Hatcher.
10980
10981 * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
10982 private headers directory.
10983
10984 2014-03-16 Darin Adler <darin@apple.com>
10985
10986 Remove all uses of deprecatedCharacters from JavaScriptCore
10987 https://bugs.webkit.org/show_bug.cgi?id=130304
10988
10989 Reviewed by Anders Carlsson.
10990
10991 * API/JSValueRef.cpp:
10992 (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
10993 * API/OpaqueJSString.cpp:
10994 (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
10995 (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
10996 just use the standard one that takes a String.
10997 (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
10998 hand-written alternative.
10999
11000 * bindings/ScriptValue.cpp:
11001 (Deprecated::jsToInspectorValue): Create InspectorString from String directly
11002 instead of involving a character pointer. Use the String from Identifier
11003 directly instead of making a new String.
11004
11005 * inspector/ContentSearchUtilities.cpp:
11006 (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
11007 instead of building a String a character at a time. This is still a very slow
11008 way to do this. Also use strchr to search for a character instead of building
11009 a String every time just to use find on it.
11010
11011 * inspector/InspectorValues.cpp:
11012 (Inspector::doubleQuoteString): Remove unnecessary trip through a
11013 character pointer. This is still a really slow way to do this.
11014 (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
11015 instead of String::deprecatedCharacters. Still slow to always upconvert.
11016
11017 * runtime/DateConstructor.cpp: Removed unneeded include.
11018 * runtime/DatePrototype.cpp: Ditto.
11019
11020 * runtime/Identifier.h: Removed deprecatedCharacters function.
11021
11022 * runtime/JSGlobalObjectFunctions.cpp:
11023 (JSC::encode): Added a type cast to avoid ambiguity with the two character-
11024 appending functions from JSStringBuilder. Removed unneeded code duplicating
11025 what JSStringBuilder already does in its character append function.
11026 (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
11027 (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
11028 is used outside this file have external linkage. Added a new overload that takes
11029 a StringView.
11030 (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
11031 (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
11032 single character.
11033
11034 * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
11035
11036 * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
11037 (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
11038 Made one overload private. Fixed a performance bug where we would reserve capacity
11039 in the 8-bit buffer but then append to the 16-bit buffer.
11040
11041 * runtime/ObjectPrototype.cpp: Removed unneeded include.
11042
11043 * runtime/StringPrototype.cpp:
11044 (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
11045 (JSC::stringProtoFuncLink): Ditto.
11046
11047 2014-03-15 Filip Pizlo <fpizlo@apple.com>
11048
11049 FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
11050 https://bugs.webkit.org/show_bug.cgi?id=130296
11051
11052 Reviewed by Andreas Kling.
11053
11054 During the 32-bit structure ID work, the second load of the structure was removed.
11055 That's wrong. The whole point of loading the structure ID again is that the structure
11056 ID would have been changed by the arrayification call, and we're verifying that the
11057 arrayification succeeded in changing the structure. If we check the old structure - as
11058 the code was doing after the 32-bit structure ID work - then this check is guaranteed
11059 to fail, causing a significant performance regression.
11060
11061 It's actually amazing that the regression wasn't bigger. The reason is that if FTL
11062 code pathologically exits but the equivalent DFG code doesn't, then the exponential
11063 backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
11064 the time at least, the DFG wasn't much slower so this didn't cause too much pain.
11065
11066 * ftl/FTLLowerDFGToLLVM.cpp:
11067 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
11068
11069 2014-03-15 Filip Pizlo <fpizlo@apple.com>
11070
11071 FTL should support CheckHasInstance/InstanceOf
11072 https://bugs.webkit.org/show_bug.cgi?id=130285
11073
11074 Reviewed by Sam Weinig.
11075
11076 Fairly straightforward; I also discovered an inaccurate FIXME in the process.
11077
11078 * dfg/DFGFixupPhase.cpp:
11079 (JSC::DFG::FixupPhase::fixupNode):
11080 * ftl/FTLAbstractHeapRepository.h:
11081 * ftl/FTLCapabilities.cpp:
11082 (JSC::FTL::canCompile):
11083 * ftl/FTLLowerDFGToLLVM.cpp:
11084 (JSC::FTL::LowerDFGToLLVM::compileNode):
11085 (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
11086 (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
11087 * ftl/FTLOutput.h:
11088 (JSC::FTL::Output::phi):
11089 * tests/stress/instanceof.js: Added.
11090 * tests/stress/instanceof-not-cell.js: Added.
11091
11092 2014-03-15 Michael Saboff <msaboff@apple.com>
11093
11094 It should be possible to adjust DFG and FTL compiler thread priorities
11095 https://bugs.webkit.org/show_bug.cgi?id=130288
11096
11097 Reviewed by Filip Pizlo.
11098
11099 Added ability to change thread priorities relative to their current priority.
11100 Created options to adjust the priority of the DFG and FTL compilation work thread
11101 pools. For two-core systems, there might be three runnable threads, the main thread,
11102 the DFG compilation thread and the FTL compilation thread. With the same priority,
11103 the scheduler is free to schedule whatever thread it wants. By lowering the
11104 compilation threads, the main thread can run. Further tests may suggest better values
11105 for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
11106
11107 For a two-core device, this change has a net positive improvement of 1-3% across
11108 SunSpider, Octane, Kraken and AsmBench.
11109
11110 * dfg/DFGWorklist.cpp:
11111 (JSC::DFG::Worklist::finishCreation):
11112 (JSC::DFG::Worklist::create):
11113 (JSC::DFG::ensureGlobalDFGWorklist):
11114 (JSC::DFG::ensureGlobalFTLWorklist):
11115 * dfg/DFGWorklist.h:
11116 * runtime/Options.cpp:
11117 (JSC::computePriorityDeltaOfWorkerThreads):
11118 * runtime/Options.h:
11119
11120 2014-03-15 David Kilzer <ddkilzer@apple.com>
11121
11122 [iOS] Define SYSTEM_VERSION_PREFIX consistently
11123 <http://webkit.org/b/130293>
11124 <rdar://problem/15926359>
11125
11126 Reviewed by Dan Bernstein.
11127
11128 * Configurations/Version.xcconfig:
11129 (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
11130 Source/WebKit/mac/Version.xcconfig.
11131
11132 2014-03-15 David Kilzer <ddkilzer@apple.com>
11133
11134 Fix build: using integer absolute value function 'abs' when argument is of floating point type
11135 <http://webkit.org/b/130286>
11136
11137 Reviewed by Filip Pizlo.
11138
11139 Fixes the following build failure using trunk clang:
11140
11141 JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
11142 value = abs(value);
11143 ^
11144 JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
11145 value = abs(value);
11146 ^~~
11147 fabs
11148
11149 * assembler/MacroAssembler.h:
11150 (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
11151 fabs().
11152
11153 2014-03-14 Oliver Hunt <oliver@apple.com>
11154
11155 Reinstate initialiser syntax in for-in loops
11156 https://bugs.webkit.org/show_bug.cgi?id=130269
11157
11158 Reviewed by Michael Saboff.
11159
11160 Disallowing the initialiser broke some sites so this patch re-allows
11161 the syntax. We still disallow the syntax in 'of' and pattern based
11162 enumeration.
11163
11164 * parser/ASTBuilder.h:
11165 (JSC::ASTBuilder::isBindingNode):
11166 * parser/Parser.cpp:
11167 (JSC::Parser<LexerType>::parseVarDeclarationList):
11168 (JSC::Parser<LexerType>::parseForStatement):
11169 * parser/SyntaxChecker.h:
11170 (JSC::SyntaxChecker::operatorStackPop):
11171
11172 2014-03-14 Mark Lam <mark.lam@apple.com>
11173
11174 Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
11175 <https://webkit.org/b/130279>
11176
11177 Reviewed by Filip Pizlo.
11178
11179 If neither the getter nor setter are defined, accessing __lookupGetter__
11180 and __lookupSetter__ will return undefined as expected. However, if the
11181 getter is defined but the setter is not, accessing __lookupSetter__ will
11182 crash the VM. Similarly, accessing __lookupGetter__ when only the setter
11183 is defined will crash the VM.
11184
11185 The reason is because objectProtoFuncLookupGetter() and
11186 objectProtoFuncLookupSetter() did not check if the getter and setter
11187 value is non-null before returning it as an EncodedJSValue. The fix is
11188 to add the appropriate null checks.
11189
11190 * runtime/ObjectPrototype.cpp:
11191 (JSC::objectProtoFuncLookupGetter):
11192 (JSC::objectProtoFuncLookupSetter):
11193
11194 2014-03-14 Mark Rowe <mrowe@apple.com>
11195
11196 Fix the production build.
11197
11198 Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
11199 be at the expected relative path when working from installed source.
11200
11201 * Configurations/Base.xcconfig:
11202
11203 2014-03-14 Maciej Stachowiak <mjs@apple.com>
11204
11205 Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
11206 https://bugs.webkit.org/show_bug.cgi?id=130276
11207 <rdar://problem/16266927>
11208
11209 Reviewed by Simon Fraser.
11210
11211 * API/APICast.h:
11212 * API/JSBase.cpp:
11213 * API/JSBase.h:
11214 * API/JSBasePrivate.h:
11215 * API/JSCallbackConstructor.cpp:
11216 * API/JSCallbackConstructor.h:
11217 * API/JSCallbackFunction.cpp:
11218 * API/JSCallbackFunction.h:
11219 * API/JSCallbackObject.cpp:
11220 * API/JSCallbackObject.h:
11221 * API/JSCallbackObjectFunctions.h:
11222 * API/JSClassRef.cpp:
11223 * API/JSClassRef.h:
11224 * API/JSContextRef.cpp:
11225 * API/JSContextRef.h:
11226 * API/JSContextRefPrivate.h:
11227 * API/JSObjectRef.cpp:
11228 * API/JSObjectRef.h:
11229 * API/JSProfilerPrivate.cpp:
11230 * API/JSProfilerPrivate.h:
11231 * API/JSRetainPtr.h:
11232 * API/JSStringRef.cpp:
11233 * API/JSStringRef.h:
11234 * API/JSStringRefBSTR.cpp:
11235 * API/JSStringRefBSTR.h:
11236 * API/JSStringRefCF.cpp:
11237 * API/JSStringRefCF.h:
11238 * API/JSValueRef.cpp:
11239 * API/JSValueRef.h:
11240 * API/JavaScript.h:
11241 * API/JavaScriptCore.h:
11242 * API/OpaqueJSString.cpp:
11243 * API/OpaqueJSString.h:
11244 * API/tests/JSNode.c:
11245 * API/tests/JSNode.h:
11246 * API/tests/JSNodeList.c:
11247 * API/tests/JSNodeList.h:
11248 * API/tests/Node.c:
11249 * API/tests/Node.h:
11250 * API/tests/NodeList.c:
11251 * API/tests/NodeList.h:
11252 * API/tests/minidom.c:
11253 * API/tests/minidom.js:
11254 * API/tests/testapi.c:
11255 * API/tests/testapi.js:
11256 * DerivedSources.make:
11257 * bindings/ScriptValue.cpp:
11258 * bytecode/CodeBlock.cpp:
11259 * bytecode/CodeBlock.h:
11260 * bytecode/EvalCodeCache.h:
11261 * bytecode/Instruction.h:
11262 * bytecode/JumpTable.cpp:
11263 * bytecode/JumpTable.h:
11264 * bytecode/Opcode.cpp:
11265 * bytecode/Opcode.h:
11266 * bytecode/SamplingTool.cpp:
11267 * bytecode/SamplingTool.h:
11268 * bytecode/SpeculatedType.cpp:
11269 * bytecode/SpeculatedType.h:
11270 * bytecode/ValueProfile.h:
11271 * bytecompiler/BytecodeGenerator.cpp:
11272 * bytecompiler/BytecodeGenerator.h:
11273 * bytecompiler/Label.h:
11274 * bytecompiler/LabelScope.h:
11275 * bytecompiler/RegisterID.h:
11276 * debugger/DebuggerCallFrame.cpp:
11277 * debugger/DebuggerCallFrame.h:
11278 * dfg/DFGDesiredStructureChains.cpp:
11279 * dfg/DFGDesiredStructureChains.h:
11280 * heap/GCActivityCallback.cpp:
11281 * heap/GCActivityCallback.h:
11282 * inspector/ConsoleMessage.cpp:
11283 * inspector/ConsoleMessage.h:
11284 * inspector/IdentifiersFactory.cpp:
11285 * inspector/IdentifiersFactory.h:
11286 * inspector/InjectedScriptManager.cpp:
11287 * inspector/InjectedScriptManager.h:
11288 * inspector/InjectedScriptSource.js:
11289 * inspector/ScriptBreakpoint.h:
11290 * inspector/ScriptDebugListener.h:
11291 * inspector/ScriptDebugServer.cpp:
11292 * inspector/ScriptDebugServer.h:
11293 * inspector/agents/InspectorAgent.cpp:
11294 * inspector/agents/InspectorAgent.h:
11295 * inspector/agents/InspectorDebuggerAgent.cpp:
11296 * inspector/agents/InspectorDebuggerAgent.h:
11297 * interpreter/Interpreter.cpp:
11298 * interpreter/Interpreter.h:
11299 * interpreter/JSStack.cpp:
11300 * interpreter/JSStack.h:
11301 * interpreter/Register.h:
11302 * jit/CompactJITCodeMap.h:
11303 * jit/JITStubs.cpp:
11304 * jit/JITStubs.h:
11305 * jit/JITStubsARM.h:
11306 * jit/JITStubsARMv7.h:
11307 * jit/JITStubsX86.h:
11308 * jit/JITStubsX86_64.h:
11309 * os-win32/stdbool.h:
11310 * parser/SourceCode.h:
11311 * parser/SourceProvider.h:
11312 * profiler/LegacyProfiler.cpp:
11313 * profiler/LegacyProfiler.h:
11314 * profiler/ProfileNode.cpp:
11315 * profiler/ProfileNode.h:
11316 * runtime/ArrayBufferView.cpp:
11317 * runtime/ArrayBufferView.h:
11318 * runtime/BatchedTransitionOptimizer.h:
11319 * runtime/CallData.h:
11320 * runtime/ConstructData.h:
11321 * runtime/DumpContext.cpp:
11322 * runtime/DumpContext.h:
11323 * runtime/ExceptionHelpers.cpp:
11324 * runtime/ExceptionHelpers.h:
11325 * runtime/InitializeThreading.cpp:
11326 * runtime/InitializeThreading.h:
11327 * runtime/IntegralTypedArrayBase.h:
11328 * runtime/IntendedStructureChain.cpp:
11329 * runtime/IntendedStructureChain.h:
11330 * runtime/JSActivation.cpp:
11331 * runtime/JSActivation.h:
11332 * runtime/JSExportMacros.h:
11333 * runtime/JSGlobalObject.cpp:
11334 * runtime/JSNotAnObject.cpp:
11335 * runtime/JSNotAnObject.h:
11336 * runtime/JSPropertyNameIterator.cpp:
11337 * runtime/JSPropertyNameIterator.h:
11338 * runtime/JSSegmentedVariableObject.cpp:
11339 * runtime/JSSegmentedVariableObject.h:
11340 * runtime/JSSymbolTableObject.cpp:
11341 * runtime/JSSymbolTableObject.h:
11342 * runtime/JSTypeInfo.h:
11343 * runtime/JSVariableObject.cpp:
11344 * runtime/JSVariableObject.h:
11345 * runtime/PropertyTable.cpp:
11346 * runtime/PutPropertySlot.h:
11347 * runtime/SamplingCounter.cpp:
11348 * runtime/SamplingCounter.h:
11349 * runtime/Structure.cpp:
11350 * runtime/Structure.h:
11351 * runtime/StructureChain.cpp:
11352 * runtime/StructureChain.h:
11353 * runtime/StructureInlines.h:
11354 * runtime/StructureTransitionTable.h:
11355 * runtime/SymbolTable.cpp:
11356 * runtime/SymbolTable.h:
11357 * runtime/TypedArrayBase.h:
11358 * runtime/TypedArrayType.cpp:
11359 * runtime/TypedArrayType.h:
11360 * runtime/VM.cpp:
11361 * runtime/VM.h:
11362 * yarr/RegularExpression.cpp:
11363 * yarr/RegularExpression.h:
11364
11365 2014-03-14 Filip Pizlo <fpizlo@apple.com>
11366
11367 Final FTL iOS build magic
11368 https://bugs.webkit.org/show_bug.cgi?id=130281
11369
11370 Reviewed by Michael Saboff.
11371
11372 * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
11373 * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
11374
11375 2014-03-14 Joseph Pecoraro <pecoraro@apple.com>
11376
11377 Web Inspector: Gracefully handle nil name -[JSContext setName:]
11378 https://bugs.webkit.org/show_bug.cgi?id=130262
11379
11380 Reviewed by Mark Hahnenberg.
11381
11382 * API/JSContext.mm:
11383 (-[JSContext setName:]):
11384 Gracefully handle nil input.
11385
11386 * API/tests/testapi.c:
11387 (globalContextNameTest):
11388 * API/tests/testapi.mm:
11389 Test for nil / NULL names in the ObjC and C APIs.
11390
11391 2014-03-11 Oliver Hunt <oliver@apple.com>
11392
11393 Improve dom error messages
11394 https://bugs.webkit.org/show_bug.cgi?id=130103
11395
11396 Reviewed by Andreas Kling.
11397
11398 Add new helper function.
11399
11400 * runtime/Error.h:
11401 (JSC::throwVMTypeError):
11402
11403 2014-03-14 László Langó <llango.u-szeged@partner.samsung.com>
11404
11405 Remove unused method declaration.
11406 https://bugs.webkit.org/show_bug.cgi?id=130238
11407
11408 Reviewed by Filip Pizlo.
11409
11410 The implementation of CallFrame::dumpCaller was removed in
11411 http://trac.webkit.org/changeset/153183, but the declaration of it was not.
11412
11413 * interpreter/CallFrame.h:
11414 Remove CallFrame::dumpCaller() method declaration.
11415
11416 2014-03-12 Sergio Villar Senin <svillar@igalia.com>
11417
11418 Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
11419 https://bugs.webkit.org/show_bug.cgi?id=129612
11420
11421 Reviewed by Darin Adler.
11422
11423 For new code use static NeverDestroyed<T> instead.
11424
11425 * API/JSAPIWrapperObject.mm:
11426 (jsAPIWrapperObjectHandleOwner):
11427 * API/JSManagedValue.mm:
11428 (managedValueHandleOwner):
11429 * inspector/agents/InspectorDebuggerAgent.cpp:
11430 (Inspector::objectGroupForBreakpointAction):
11431 * inspector/scripts/CodeGeneratorInspectorStrings.py:
11432 * interpreter/JSStack.cpp:
11433 (JSC::stackStatisticsMutex):
11434 * jit/ExecutableAllocator.cpp:
11435 (JSC::DemandExecutableAllocator::allocators):
11436
11437 2014-03-12 Gavin Barraclough <barraclough@apple.com>
11438
11439 Reduce memory use for static property maps
11440 https://bugs.webkit.org/show_bug.cgi?id=129986
11441
11442 Reviewed by Andreas Kling.
11443
11444 Static property tables are currently duplicated on first use from read-only memory into dirty memory
11445 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
11446 (we use a custom hash table without a rehash) a lot of memory may be wasted.
11447
11448 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
11449 from string hashes to indices into a densely packed array of values. Compute the index table at
11450 compile time as a part of the derived sources step, such that this may be read-only data.
11451
11452 Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
11453 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
11454 keys, which are Identifiers.
11455
11456 * create_hash_table:
11457 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
11458 * parser/Lexer.cpp:
11459 (JSC::Lexer<LChar>::parseIdentifier):
11460 (JSC::Lexer<UChar>::parseIdentifier):
11461 (JSC::Lexer<T>::parseIdentifierSlowCase):
11462 - HashEntry -> HashTableValue.
11463 * parser/Lexer.h:
11464 (JSC::Keywords::getKeyword):
11465 - HashEntry -> HashTableValue.
11466 * runtime/ClassInfo.h:
11467 - removed HashEntry.
11468 * runtime/JSObject.cpp:
11469 (JSC::getClassPropertyNames):
11470 - use HashTable::ConstIterator.
11471 (JSC::JSObject::put):
11472 (JSC::JSObject::deleteProperty):
11473 (JSC::JSObject::findPropertyHashEntry):
11474 - HashEntry -> HashTableValue.
11475 (JSC::JSObject::reifyStaticFunctionsForDelete):
11476 - changed HashTable::ConstIterator interface.
11477 * runtime/JSObject.h:
11478 - HashEntry -> HashTableValue.
11479 * runtime/Lookup.cpp:
11480 (JSC::HashTable::createTable):
11481 - table -> keys, keys array is now densely packed.
11482 (JSC::HashTable::deleteTable):
11483 - table -> keys.
11484 (JSC::setUpStaticFunctionSlot):
11485 - HashEntry -> HashTableValue.
11486 * runtime/Lookup.h:
11487 (JSC::HashTableValue::builtinGenerator):
11488 (JSC::HashTableValue::function):
11489 (JSC::HashTableValue::functionLength):
11490 (JSC::HashTableValue::propertyGetter):
11491 (JSC::HashTableValue::propertyPutter):
11492 (JSC::HashTableValue::lexerValue):
11493 - added accessor methods from HashEntry.
11494 (JSC::HashTable::copy):
11495 - fields changed.
11496 (JSC::HashTable::initializeIfNeeded):
11497 - table -> keys.
11498 (JSC::HashTable::entry):
11499 - HashEntry -> HashTableValue.
11500 (JSC::HashTable::ConstIterator::ConstIterator):
11501 - iterate packed value array, so no need to skipInvalidKeys().
11502 (JSC::HashTable::ConstIterator::value):
11503 (JSC::HashTable::ConstIterator::key):
11504 (JSC::HashTable::ConstIterator::operator->):
11505 - accessors now get HashTableValue/StringImpl* separately.
11506 (JSC::HashTable::ConstIterator::operator++):
11507 - iterate packed value array, so no need to skipInvalidKeys().
11508 (JSC::HashTable::end):
11509 - end is now size of dense not sparse array.
11510 (JSC::getStaticPropertySlot):
11511 (JSC::getStaticFunctionSlot):
11512 (JSC::getStaticValueSlot):
11513 (JSC::putEntry):
11514 (JSC::lookupPut):
11515 - HashEntry -> HashTableValue.
11516
11517 2014-03-13 Filip Pizlo <fpizlo@apple.com>
11518
11519 Unreviewed, fix Mac no-FTL build.
11520
11521 * llvm/library/LLVMExports.cpp:
11522 (initializeAndGetJSCLLVMAPI):
11523
11524 2014-03-13 Juergen Ributzka <juergen@apple.com>
11525
11526 Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
11527 https://bugs.webkit.org/show_bug.cgi?id=130224
11528
11529 Reviewed by Filip Pizlo.
11530
11531 This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
11532 the LLVM dylib. This allows the dylib to be safely used with other LLVM
11533 dylibs on the same system. It also reduces the dynamic linking overhead
11534 and also reduces the size by 6MB, because the linker can now dead strip
11535 many unused functions.
11536
11537 * Configurations/LLVMForJSC.xcconfig:
11538
11539 2014-03-13 Andreas Kling <akling@apple.com>
11540
11541 VM::discardAllCode() should clear the RegExp cache.
11542 <https://webkit.org/b/130144>
11543
11544 Reviewed by Michael Saboff.
11545
11546 * runtime/VM.cpp:
11547 (JSC::VM::discardAllCode):
11548
11549 2014-03-13 Andreas Kling <akling@apple.com>
11550
11551 Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
11552 <https://webkit.org/b/129995>
11553
11554 This code path is not taken anymore on DYEB, and I can't explain why
11555 it was showing up in my profiles. Backing it out per JoePeck's suggestion.
11556
11557 * inspector/JSGlobalObjectInspectorController.cpp:
11558 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
11559
11560 2014-03-13 Filip Pizlo <fpizlo@apple.com>
11561
11562 FTL should support IsBlah
11563 https://bugs.webkit.org/show_bug.cgi?id=130202
11564
11565 Reviewed by Geoffrey Garen.
11566
11567 * ftl/FTLCapabilities.cpp:
11568 (JSC::FTL::canCompile):
11569 * ftl/FTLIntrinsicRepository.h:
11570 * ftl/FTLLowerDFGToLLVM.cpp:
11571 (JSC::FTL::LowerDFGToLLVM::compileNode):
11572 (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
11573 (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
11574 (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
11575 (JSC::FTL::LowerDFGToLLVM::compileIsString):
11576 (JSC::FTL::LowerDFGToLLVM::compileIsObject):
11577 (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
11578 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
11579 (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
11580 (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
11581 (JSC::FTL::LowerDFGToLLVM::isNumber):
11582 (JSC::FTL::LowerDFGToLLVM::isNotNumber):
11583 (JSC::FTL::LowerDFGToLLVM::isBoolean):
11584 * ftl/FTLOSRExitCompiler.cpp:
11585 * tests/stress/is-undefined-exit-on-masquerader.js: Added.
11586 (bar):
11587 (foo):
11588 (test):
11589 * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
11590 (foo):
11591 (test):
11592 * tests/stress/is-undefined-masquerader.js: Added.
11593 (foo):
11594 (test):
11595
11596 2014-03-13 Mark Lam <mark.lam@apple.com>
11597
11598 JS benchmarks crash with a bus error on 32-bit x86.
11599 <https://webkit.org/b/130203>
11600
11601 Reviewed by Geoffrey Garen.
11602
11603 The issue is that generateGetByIdStub() can potentially use the same register
11604 for the JSValue base register and the target tag register. After loading the
11605 tag value into the target tag register, the JSValue base address is lost.
11606 The code then proceeds to load the payload value using the base register, and
11607 this results in a crash.
11608
11609 The fix is to check if the base register is the same as the target tag register.
11610 If so, we should make a copy of the base register first before loading the tag
11611 value, and use the copy to load the payload value instead.
11612
11613 * jit/Repatch.cpp:
11614 (JSC::generateGetByIdStub):
11615
11616 2014-03-12 Filip Pizlo <fpizlo@apple.com>
11617
11618 WebKit shouldn't crash on uniprocessor machines
11619 https://bugs.webkit.org/show_bug.cgi?id=130176
11620
11621 Reviewed by Michael Saboff.
11622
11623 Previously the math for computing the number of JIT compiler threads would come up with
11624 zero threads on uniprocessor machines, and then the Worklist code would assert.
11625
11626 * runtime/Options.cpp:
11627 (JSC::computeNumberOfWorkerThreads):
11628 * runtime/Options.h:
11629
11630 2014-03-13 Radu Stavila <stavila@adobe.com>
11631
11632 WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
11633 https://bugs.webkit.org/show_bug.cgi?id=130087
11634
11635 Reviewed by Mark Rowe.
11636
11637 Disable garbage collection on macosx when not using internal SDK.
11638
11639 * Configurations/Base.xcconfig:
11640
11641 2014-03-10 Darin Adler <darin@apple.com>
11642
11643 Avoid copy-prone idiom "for (auto item : collection)"
11644 https://bugs.webkit.org/show_bug.cgi?id=129990
11645
11646 Reviewed by Geoffrey Garen.
11647
11648 * heap/CodeBlockSet.h:
11649 (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
11650 * inspector/ScriptDebugServer.cpp:
11651 (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
11652 make explicit that we are iterating through pointers.
11653 (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
11654 (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
11655 * inspector/agents/InspectorDebuggerAgent.cpp:
11656 (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
11657 get rid of an unneeded local variable.
11658
11659 2014-03-13 Brian Burg <bburg@apple.com>
11660
11661 Web Inspector: Remove unused callId parameter from evaluateInWebInspector
11662 https://bugs.webkit.org/show_bug.cgi?id=129744
11663
11664 Reviewed by Timothy Hatcher.
11665
11666 * inspector/agents/InspectorAgent.cpp:
11667 (Inspector::InspectorAgent::enable):
11668 (Inspector::InspectorAgent::evaluateForTestInFrontend):
11669 * inspector/agents/InspectorAgent.h:
11670 * inspector/protocol/InspectorDomain.json:
11671
11672 2014-03-11 Filip Pizlo <fpizlo@apple.com>
11673
11674 ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
11675 https://bugs.webkit.org/show_bug.cgi?id=130069
11676
11677 Reviewed by Geoffrey Garen.
11678
11679 This was a great assertion, and it represents our strictest interpretation of the rules of
11680 our intermediate representation. However, fixing DCE to actually preserve the relevant
11681 property would be hard, and it wouldn't have an observable effect right now because nobody
11682 actually uses the property of CPS that this assertion is checking for.
11683
11684 In particular, we do always require, and rely on, the fact that non-captured variables
11685 have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
11686 block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
11687 PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
11688 broken in this regard. But, in the strictest sense, CPS also means that for captured
11689 variables, variablesAtTail also continues to point to the last relevant use of the
11690 variable. In particular, if there are multiple GetLocals, then it should point to the last
11691 one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
11692 variables, except to check the VariableAccessData; but in that case, we don't really need
11693 the *last* relevant use of the variable - any node that mentions the same variable will do
11694 just fine.
11695
11696 So, this change loosens the assertion and adds a detailed FIXME describing what we would
11697 have to do if we wanted to preserve the more strict property.
11698
11699 This also makes changes to various debug printing paths so that validation doesn't crash
11700 during graph dump. This also adds tests for the interesting cases of DCE failing to
11701 preserve CPS in the strictest sense. This also attempts to win the record for longest test
11702 name.
11703
11704 * bytecode/CodeBlock.cpp:
11705 (JSC::CodeBlock::hashAsStringIfPossible):
11706 (JSC::CodeBlock::dumpAssumingJITType):
11707 * bytecode/CodeBlock.h:
11708 * bytecode/CodeOrigin.cpp:
11709 (JSC::InlineCallFrame::hashAsStringIfPossible):
11710 (JSC::InlineCallFrame::dumpBriefFunctionInformation):
11711 * bytecode/CodeOrigin.h:
11712 * dfg/DFGCPSRethreadingPhase.cpp:
11713 (JSC::DFG::CPSRethreadingPhase::run):
11714 * dfg/DFGDCEPhase.cpp:
11715 (JSC::DFG::DCEPhase::cleanVariables):
11716 * dfg/DFGInPlaceAbstractState.cpp:
11717 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
11718 * runtime/FunctionExecutableDump.cpp:
11719 (JSC::FunctionExecutableDump::dump):
11720 * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
11721 (foo):
11722 * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
11723 (foo):
11724
11725 2014-03-12 Brian Burg <bburg@apple.com>
11726
11727 Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
11728 https://bugs.webkit.org/show_bug.cgi?id=129445
11729
11730 Reviewed by Timothy Hatcher.
11731
11732 There was a bug in the replay inputs code generator that would include
11733 headers for definitions of enum classes, even though they can be safely
11734 forward-declared.
11735
11736 * replay/scripts/CodeGeneratorReplayInputs.py:
11737 (Generator.generate_includes): Only include for copy constructor if the
11738 type is a heavy scalar (i.e., String, URL), not a normal scalar
11739 (i.e., int, double, enum classes).
11740
11741 (Generator.generate_type_forward_declarations): Forward-declare scalars
11742 that are enums or enum classes.
11743
11744 2014-03-12 Joseph Pecoraro <pecoraro@apple.com>
11745
11746 Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
11747 https://bugs.webkit.org/show_bug.cgi?id=130118
11748
11749 Reviewed by Timothy Hatcher.
11750
11751 * Configurations/FeatureDefines.xcconfig:
11752
11753 2014-03-12 Joseph Pecoraro <pecoraro@apple.com>
11754
11755 Web Inspector: Hang in Remote Inspection triggering breakpoint from console
11756 https://bugs.webkit.org/show_bug.cgi?id=130032
11757
11758 Reviewed by Timothy Hatcher.
11759
11760 * inspector/EventLoop.h:
11761 * inspector/EventLoop.cpp:
11762 (Inspector::EventLoop::remoteInspectorRunLoopMode):
11763 (Inspector::EventLoop::cycle):
11764 Expose the run loop mode name so it can be used if needed by others.
11765
11766 * inspector/remote/RemoteInspectorDebuggableConnection.h:
11767 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
11768 (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
11769 (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
11770 (Inspector::RemoteInspectorBlock::operator=):
11771 (Inspector::RemoteInspectorBlock::operator()):
11772 (Inspector::RemoteInspectorQueueTask):
11773 Instead of a dispatch_queue, have our own static Vector of debugger tasks.
11774
11775 (Inspector::RemoteInspectorHandleRunSource):
11776 (Inspector::RemoteInspectorInitializeQueue):
11777 Initialize the static queue and run loop source. When the run loop source
11778 fires, it will exhaust the queue of debugger messages.
11779
11780 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
11781 (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
11782 When we get a debuggable connection add a run loop source for inspector commands.
11783
11784 (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
11785 (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
11786 Enqueue blocks on our Vector instead of our dispatch_queue.
11787
11788 2014-03-12 Commit Queue <commit-queue@webkit.org>
11789
11790 Unreviewed, rolling out r165482.
11791 https://bugs.webkit.org/show_bug.cgi?id=130157
11792
11793 Broke the Windows build; "error C2466: cannot allocate an
11794 array of constant size 0" (Requested by jernoble on #webkit).
11795
11796 Reverted changeset:
11797
11798 "Reduce memory use for static property maps"
11799 https://bugs.webkit.org/show_bug.cgi?id=129986
11800 http://trac.webkit.org/changeset/165482
11801
11802 2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
11803
11804 Remove HandleSet::m_nextToFinalize
11805 https://bugs.webkit.org/show_bug.cgi?id=130109
11806
11807 Reviewed by Mark Lam.
11808
11809 This is a remnant of when HandleSet contained things that needed to be finalized.
11810
11811 * heap/HandleSet.cpp:
11812 (JSC::HandleSet::HandleSet):
11813 (JSC::HandleSet::writeBarrier):
11814 * heap/HandleSet.h:
11815 (JSC::HandleSet::allocate):
11816 (JSC::HandleSet::deallocate):
11817
11818 2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
11819
11820 Layout Test fast/workers/worker-gc.html is failing
11821 https://bugs.webkit.org/show_bug.cgi?id=130135
11822
11823 Reviewed by Geoffrey Garen.
11824
11825 When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
11826 main list of blocks, i.e. not in the retired list. When shutting down the VM this
11827 wasn't always the case which was causing ASSERTs to fire. We should rearrange things
11828 so that allocators are notified with lastChanceToFinalize. This will give them
11829 the chance to move their retired blocks back into the main list before removing them all.
11830
11831 * heap/MarkedAllocator.cpp:
11832 (JSC::LastChanceToFinalize::operator()):
11833 (JSC::MarkedAllocator::lastChanceToFinalize):
11834 * heap/MarkedAllocator.h:
11835 * heap/MarkedSpace.cpp:
11836 (JSC::LastChanceToFinalize::operator()):
11837 (JSC::MarkedSpace::lastChanceToFinalize):
11838
11839 2014-03-12 Gavin Barraclough <barraclough@apple.com>
11840
11841 Reduce memory use for static property maps
11842 https://bugs.webkit.org/show_bug.cgi?id=129986
11843
11844 Reviewed by Andreas Kling.
11845
11846 Static property tables are currently duplicated on first use from read-only memory into dirty memory
11847 in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
11848 (we use a custom hash table without a rehash) a lot of memory may be wasted.
11849
11850 First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
11851 from string hashes to indices into a densely packed array of values. Compute the index table at
11852 compile time as a part of the derived sources step, such that this may be read-only data.
11853
11854 Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
11855 directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
11856 keys, which are Identifiers.
11857
11858 * create_hash_table:
11859 - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
11860 * parser/Lexer.cpp:
11861 (JSC::Lexer<LChar>::parseIdentifier):
11862 (JSC::Lexer<UChar>::parseIdentifier):
11863 (JSC::Lexer<T>::parseIdentifierSlowCase):
11864 - HashEntry -> HashTableValue.
11865 * parser/Lexer.h:
11866 (JSC::Keywords::getKeyword):
11867 - HashEntry -> HashTableValue.
11868 * runtime/ClassInfo.h:
11869 - removed HashEntry.
11870 * runtime/JSObject.cpp:
11871 (JSC::getClassPropertyNames):
11872 - use HashTable::ConstIterator.
11873 (JSC::JSObject::put):
11874 (JSC::JSObject::deleteProperty):
11875 (JSC::JSObject::findPropertyHashEntry):
11876 - HashEntry -> HashTableValue.
11877 (JSC::JSObject::reifyStaticFunctionsForDelete):
11878 - changed HashTable::ConstIterator interface.
11879 * runtime/JSObject.h:
11880 - HashEntry -> HashTableValue.
11881 * runtime/Lookup.cpp:
11882 (JSC::HashTable::createTable):
11883 - table -> keys, keys array is now densely packed.
11884 (JSC::HashTable::deleteTable):
11885 - table -> keys.
11886 (JSC::setUpStaticFunctionSlot):
11887 - HashEntry -> HashTableValue.
11888 * runtime/Lookup.h:
11889 (JSC::HashTableValue::builtinGenerator):
11890 (JSC::HashTableValue::function):
11891 (JSC::HashTableValue::functionLength):
11892 (JSC::HashTableValue::propertyGetter):
11893 (JSC::HashTableValue::propertyPutter):
11894 (JSC::HashTableValue::lexerValue):
11895 - added accessor methods from HashEntry.
11896 (JSC::HashTable::copy):
11897 - fields changed.
11898 (JSC::HashTable::initializeIfNeeded):
11899 - table -> keys.
11900 (JSC::HashTable::entry):
11901 - HashEntry -> HashTableValue.
11902 (JSC::HashTable::ConstIterator::ConstIterator):
11903 - iterate packed value array, so no need to skipInvalidKeys().
11904 (JSC::HashTable::ConstIterator::value):
11905 (JSC::HashTable::ConstIterator::key):
11906 (JSC::HashTable::ConstIterator::operator->):
11907 - accessors now get HashTableValue/StringImpl* separately.
11908 (JSC::HashTable::ConstIterator::operator++):
11909 - iterate packed value array, so no need to skipInvalidKeys().
11910 (JSC::HashTable::end):
11911 - end is now size of dense not sparse array.
11912 (JSC::getStaticPropertySlot):
11913 (JSC::getStaticFunctionSlot):
11914 (JSC::getStaticValueSlot):
11915 (JSC::putEntry):
11916 (JSC::lookupPut):
11917 - HashEntry -> HashTableValue.
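
The index/dense-array split this entry describes (and its identical re-landing further up the log), as an added example that is not JSC's own create_hash_table or Lookup.h code: a build-time generator that produces a sparse hash-to-position index with overflow chaining, the read-only runtime lookup over that index plus the dense value array, and the chain-depth check the generator already performs. The struct layouts, the FNV-1a hash and the sample property names are assumptions or constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for JSC's HashTableValue: one densely packed, read-only entry (constructed
// for this example; the real struct carries function pointers and attribute flags).
struct HashTableValue {
    const char* key;
    int payload;
};

// One slot of the sparse index: `value` is the position in the dense array (-1 = empty),
// `next` chains colliding slots into an overflow area after the home slots (-1 = end).
struct CompactHashIndex {
    int value;
    int next;
};

struct StaticTable {
    const HashTableValue* values;          // dense array, never copied per process
    int count;                             // dense array length
    int compactSize;                       // power of two; mask = compactSize - 1
    std::vector<CompactHashIndex> index;   // compactSize home slots + overflow slots
};

// Deterministic string hash (FNV-1a, an assumption; JSC uses WTF's StringHasher).
static uint32_t stringHash(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) { h ^= static_cast<unsigned char>(*s); h *= 16777619u; }
    return h;
}

// Generator side (what create_hash_table does at build time): from the dense value
// array, produce the sparse index that maps hash -> dense position, with chaining.
StaticTable buildStaticTable(const HashTableValue* values, int count) {
    StaticTable t;
    t.values = values;
    t.count = count;
    t.compactSize = 1;
    while (t.compactSize < count) t.compactSize <<= 1;   // load factor <= 1
    t.index.assign(t.compactSize, CompactHashIndex{-1, -1});
    for (int i = 0; i < count; ++i) {
        int slot = static_cast<int>(stringHash(values[i].key) & (t.compactSize - 1));
        if (t.index[slot].value == -1) {       // empty home slot: store directly
            t.index[slot].value = i;
            continue;
        }
        while (t.index[slot].next != -1)       // collision: walk to the chain tail...
            slot = t.index[slot].next;
        t.index.push_back(CompactHashIndex{i, -1});   // ...and append an overflow slot
        t.index[slot].next = static_cast<int>(t.index.size()) - 1;
    }
    return t;
}

// Runtime side: the lookup a static-property slot performs. Only the read-only index
// and the dense array are touched; the old per-process HashEntry copy is gone.
const HashTableValue* lookup(const StaticTable& t, const char* key) {
    int slot = static_cast<int>(stringHash(key) & (t.compactSize - 1));
    while (slot != -1) {
        int pos = t.index[slot].value;
        if (pos == -1) return nullptr;       // empty home slot: key is absent
        if (std::strcmp(t.values[pos].key, key) == 0) return &t.values[pos];
        slot = t.index[slot].next;           // follow the collision chain
    }
    return nullptr;
}

// The check the generator already did: longest collision chain, so a poor hash or
// an undersized index is caught at build time rather than felt as slow lookups.
int maxChainDepth(const StaticTable& t) {
    int worst = 0;
    for (int home = 0; home < t.compactSize; ++home) {
        int depth = 0;
        for (int s = home; s != -1 && t.index[s].value != -1; s = t.index[s].next) ++depth;
        if (depth > worst) worst = depth;
    }
    return worst;
}

// Every dense entry must be reachable through the index under its own key.
bool allKeysResolve(const StaticTable& t) {
    for (int i = 0; i < t.count; ++i)
        if (lookup(t, t.values[i].key) != &t.values[i]) return false;
    return true;
}

// Constructed sample: Array.prototype-like property names with fake payloads.
static const HashTableValue kSampleValues[] = {
    {"length", 0}, {"push", 1}, {"pop", 2}, {"slice", 3}, {"splice", 4},
    {"indexOf", 5}, {"join", 6}, {"reverse", 7}, {"concat", 8},
};
static const int kSampleCount = sizeof(kSampleValues) / sizeof(kSampleValues[0]);

const StaticTable& sampleTable() {
    static const StaticTable table = buildStaticTable(kSampleValues, kSampleCount);
    return table;
}
```

Because the index only holds two ints per slot and the dense array is referenced rather than copied, the per-process cost is the key Identifiers alone, which is the saving the entry describes.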
11918
11919 2014-03-11 Filip Pizlo <fpizlo@apple.com>
11920
11921 It should be possible to build WebKit with FTL on iOS
11922 https://bugs.webkit.org/show_bug.cgi?id=130116
11923
11924 Reviewed by Dan Bernstein.
11925
11926 * Configurations/Base.xcconfig:
11927
11928 2014-03-10 Filip Pizlo <fpizlo@apple.com>
11929
11930 GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
11931 https://bugs.webkit.org/show_bug.cgi?id=129778
11932
11933 Reviewed by Geoffrey Garen.
11934
11935 Also deduplicate the GetById getter call caching. Also add some small tests for
11936 get stubs.
11937
11938 This change reduces the amount of code involved in GetById access caching and it
11939 creates data structures that can serve as an elegant scaffold for introducing other
11940 kinds of caches or improving current caching styles. It will definitely make getter
11941 performance improvements easier to implement.
11942
11943 * CMakeLists.txt:
11944 * GNUmakefile.list.am:
11945 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11946 * JavaScriptCore.xcodeproj/project.pbxproj:
11947 * bytecode/CodeBlock.cpp:
11948 (JSC::CodeBlock::printGetByIdCacheStatus):
11949 * bytecode/GetByIdStatus.cpp:
11950 (JSC::GetByIdStatus::computeForStubInfo):
11951 * bytecode/PolymorphicGetByIdList.cpp: Added.
11952 (JSC::GetByIdAccess::GetByIdAccess):
11953 (JSC::GetByIdAccess::~GetByIdAccess):
11954 (JSC::GetByIdAccess::fromStructureStubInfo):
11955 (JSC::GetByIdAccess::visitWeak):
11956 (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
11957 (JSC::PolymorphicGetByIdList::from):
11958 (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
11959 (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
11960 (JSC::PolymorphicGetByIdList::addAccess):
11961 (JSC::PolymorphicGetByIdList::isFull):
11962 (JSC::PolymorphicGetByIdList::isAlmostFull):
11963 (JSC::PolymorphicGetByIdList::didSelfPatching):
11964 (JSC::PolymorphicGetByIdList::visitWeak):
11965 * bytecode/PolymorphicGetByIdList.h: Added.
11966 (JSC::GetByIdAccess::GetByIdAccess):
11967 (JSC::GetByIdAccess::isSet):
11968 (JSC::GetByIdAccess::operator!):
11969 (JSC::GetByIdAccess::type):
11970 (JSC::GetByIdAccess::structure):
11971 (JSC::GetByIdAccess::chain):
11972 (JSC::GetByIdAccess::chainCount):
11973 (JSC::GetByIdAccess::stubRoutine):
11974 (JSC::GetByIdAccess::doesCalls):
11975 (JSC::PolymorphicGetByIdList::isEmpty):
11976 (JSC::PolymorphicGetByIdList::size):
11977 (JSC::PolymorphicGetByIdList::at):
11978 (JSC::PolymorphicGetByIdList::operator[]):
11979 * bytecode/StructureStubInfo.cpp:
11980 (JSC::StructureStubInfo::deref):
11981 (JSC::StructureStubInfo::visitWeakReferences):
11982 * bytecode/StructureStubInfo.h:
11983 (JSC::isGetByIdAccess):
11984 (JSC::StructureStubInfo::initGetByIdList):
11985 * jit/Repatch.cpp:
11986 (JSC::generateGetByIdStub):
11987 (JSC::tryCacheGetByID):
11988 (JSC::patchJumpToGetByIdStub):
11989 (JSC::tryBuildGetByIDList):
11990 (JSC::tryBuildPutByIdList):
11991 * tests/stress/getter.js: Added.
11992 (foo):
11993 (.o):
11994 * tests/stress/polymorphic-prototype-accesses.js: Added.
11995 (Foo):
11996 (Bar):
11997 (foo):
11998 * tests/stress/prototype-getter.js: Added.
11999 (Foo):
12000 (foo):
12001 * tests/stress/simple-prototype-accesses.js: Added.
12002 (Foo):
12003 (foo):
12004
12005 2014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>
12006
12007 MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
12008 https://bugs.webkit.org/show_bug.cgi?id=129920
12009
12010 Reviewed by Geoffrey Garen.
12011
12012 This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
12013 when the amount of free space in a MarkedBlock drops below a certain threshold.
12014 Retired blocks are not considered for sweeping.
12015
12016 This is profitable because it reduces churn during sweeping. To build a free list,
12017 we have to scan through each cell in a block. After a collection, all objects that
12018 are live in the block will remain live until the next FullCollection, at which time
12019 we un-retire all previously retired blocks. Thus, a small number of objects in a block
12020 that die during each EdenCollection could cause us to do a disproportionate amount of
12021 sweeping for how much free memory we get back.
12022
12023 This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
12024
12025 * heap/Heap.h:
12026 (JSC::Heap::didRetireBlockWithFreeListSize):
12027 * heap/MarkedAllocator.cpp:
12028 (JSC::MarkedAllocator::tryAllocateHelper):
12029 (JSC::MarkedAllocator::removeBlock):
12030 (JSC::MarkedAllocator::reset):
12031 * heap/MarkedAllocator.h:
12032 (JSC::MarkedAllocator::MarkedAllocator):
12033 (JSC::MarkedAllocator::forEachBlock):
12034 * heap/MarkedBlock.cpp:
12035 (JSC::MarkedBlock::sweepHelper):
12036 (JSC::MarkedBlock::clearMarksWithCollectionType):
12037 (JSC::MarkedBlock::didRetireBlock):
12038 * heap/MarkedBlock.h:
12039 (JSC::MarkedBlock::willRemoveBlock):
12040 (JSC::MarkedBlock::isLive):
12041 * heap/MarkedSpace.cpp:
12042 (JSC::MarkedSpace::clearNewlyAllocated):
12043 (JSC::MarkedSpace::clearMarks):
12044 * runtime/Options.h:
12045
12046 2014-03-11 Andreas Kling <akling@apple.com>
12047
12048 Streamline PropertyTable for lookup-only access.
12049 <https://webkit.org/b/130060>
12050
12051 The PropertyTable lookup algorithm was written to support both read
12052 and write access. This wasn't actually needed in most places.
12053
12054 This change adds a PropertyTable::get() that just returns the value
12055 type (instead of an insertion iterator). It also adds an early return
12056 for empty tables.
12057
12058 Finally, up the minimum table capacity from 8 to 16. It was lowered
12059 to 8 in order to save memory, but that was before PropertyTables were
12060 GC allocated. Nowadays we don't have nearly as many tables, since all
12061 the unpinned transitions die off.
12062
12063 Reviewed by Darin Adler.
12064
12065 * runtime/PropertyMapHashTable.h:
12066 (JSC::PropertyTable::get):
12067 * runtime/Structure.cpp:
12068 (JSC::Structure::despecifyDictionaryFunction):
12069 (JSC::Structure::attributeChangeTransition):
12070 (JSC::Structure::get):
12071 (JSC::Structure::despecifyFunction):
12072 * runtime/StructureInlines.h:
12073 (JSC::Structure::get):
12074
12075 2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
12076
12077 REGRESSION(r165407): DoYouEvenBench crashes in DRT
12078 https://bugs.webkit.org/show_bug.cgi?id=130066
12079
12080 Reviewed by Geoffrey Garen.
12081
12082 The baseline JIT does a conditional store barrier for the put_by_id, but we need
12083 an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
12084
12085 * jit/JIT.h:
12086 * jit/JITPropertyAccess.cpp:
12087 (JSC::JIT::emit_op_put_by_id):
12088 (JSC::JIT::emitWriteBarrier):
12089
12090 2014-03-10 Mark Lam <mark.lam@apple.com>
12091
12092 Resurrect bit-rotted JIT::probe() mechanism.
12093 <https://webkit.org/b/130067>
12094
12095 Reviewed by Geoffrey Garen.
12096
12097 * jit/JITStubs.cpp:
12098 - Added the needed #include <wtf/InlineASM.h>.
12099
12100 2014-03-10 Joseph Pecoraro <pecoraro@apple.com>
12101
12102 Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
12103
12104 Rubber-stamped by Dan Bernstein.
12105
12106 * Configurations/JavaScriptCore.xcconfig:
12107
12108 2014-03-10 Mark Lam <mark.lam@apple.com>
12109
12110 r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
12111 <https://webkit.org/b/130065>
12112
12113 Reviewed by Michael Saboff.
12114
12115 There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
12116 being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
12117 FPRInfo::toIndex().
12118
12119 The fix is to remove the "result != InvalidIndex" assertions.
12120
12121 * jit/FPRInfo.h:
12122 (JSC::FPRInfo::toIndex):
12123 * jit/GPRInfo.h:
12124 (JSC::GPRInfo::toIndex):
12125
12126 2014-03-10 Mark Lam <mark.lam@apple.com>
12127
12128 Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
12129 <https://webkit.org/b/129955>
12130
12131 Reviewed by Geoffrey Garen.
12132
12133 The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
12134 stack memory every time it was called. This is now fixed.
12135
12136 * jit/JITOperations.cpp:
12137
12138 2014-03-10 Joseph Pecoraro <pecoraro@apple.com>
12139
12140 Better JSContext API for named evaluations (other than //# sourceURL)
12141 https://bugs.webkit.org/show_bug.cgi?id=129911
12142
12143 Reviewed by Geoffrey Garen.
12144
12145 * API/JSBase.h:
12146 * API/JSContext.h:
12147 * API/JSContext.mm:
12148 (-[JSContext evaluateScript:]):
12149 (-[JSContext evaluateScript:withSourceURL:]):
12150 Add new evaluateScript:withSourceURL:.
12151
12152 * API/tests/testapi.c:
12153 (main):
12154 * API/tests/testapi.mm:
12155 (testObjectiveCAPI):
12156 Add tests for sourceURL in evaluate APIs. It should
12157 affect the exception objects.
12158
12159 2014-03-10 Filip Pizlo <fpizlo@apple.com>
12160
12161 Repatch should save and restore all used registers - not just temp ones - when making a call
12162 https://bugs.webkit.org/show_bug.cgi?id=130041
12163
12164 Reviewed by Geoffrey Garen and Mark Hahnenberg.
12165
12166 The save/restore code was written back when the only client was the DFG, which only uses a
12167 subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
12168 other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
12169 lead to data corruption on ARM64.
12170
12171 * jit/RegisterSet.cpp:
12172 (JSC::RegisterSet::calleeSaveRegisters):
12173 (JSC::RegisterSet::numberOfSetGPRs):
12174 (JSC::RegisterSet::numberOfSetFPRs):
12175 * jit/RegisterSet.h:
12176 * jit/Repatch.cpp:
12177 (JSC::storeToWriteBarrierBuffer):
12178 (JSC::emitPutTransitionStub):
12179 * jit/ScratchRegisterAllocator.cpp:
12180 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
12181 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
12182 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
12183 (JSC::ScratchRegisterAllocator::usedRegistersForCall):
12184 (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
12185 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
12186 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
12187 * jit/ScratchRegisterAllocator.h:
12188
12189 2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
12190
12191 Remove ConditionalStore barrier
12192 https://bugs.webkit.org/show_bug.cgi?id=130040
12193
12194 Reviewed by Geoffrey Garen.
12195
12196 ConditionalStoreBarrier was created when barriers were much more expensive. Now that
12197 they're cheap(er), we can get rid of them. This also allows us to get rid of the write
12198 barrier logic in emitPutTransitionStub because we always will have executed a write barrier
12199 on the base object in the case where we are allocating and storing a new Butterfly into it.
12200 Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
12201 so we'd have to emit a write barrier in the transition case.
12202
12203 This is performance neutral on the benchmarks we track.
12204
12205 * dfg/DFGAbstractInterpreterInlines.h:
12206 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12207 * dfg/DFGClobberize.h:
12208 (JSC::DFG::clobberize):
12209 * dfg/DFGConstantFoldingPhase.cpp:
12210 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12211 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
12212 * dfg/DFGFixupPhase.cpp:
12213 (JSC::DFG::FixupPhase::fixupNode):
12214 (JSC::DFG::FixupPhase::insertStoreBarrier):
12215 * dfg/DFGNode.h:
12216 (JSC::DFG::Node::isStoreBarrier):
12217 * dfg/DFGNodeType.h:
12218 * dfg/DFGPredictionPropagationPhase.cpp:
12219 (JSC::DFG::PredictionPropagationPhase::propagate):
12220 * dfg/DFGSafeToExecute.h:
12221 (JSC::DFG::safeToExecute):
12222 * dfg/DFGSpeculativeJIT.cpp:
12223 (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
12224 * dfg/DFGSpeculativeJIT32_64.cpp:
12225 (JSC::DFG::SpeculativeJIT::compile):
12226 * dfg/DFGSpeculativeJIT64.cpp:
12227 (JSC::DFG::SpeculativeJIT::compile):
12228 * ftl/FTLCapabilities.cpp:
12229 (JSC::FTL::canCompile):
12230 * ftl/FTLLowerDFGToLLVM.cpp:
12231 (JSC::FTL::LowerDFGToLLVM::compileNode):
12232 * jit/Repatch.cpp:
12233 (JSC::emitPutTransitionStub):
12234
12235 2014-03-10 Filip Pizlo <fpizlo@apple.com>
12236
12237 DFG and FTL should know that comparing anything to Misc is cheap and easy
12238 https://bugs.webkit.org/show_bug.cgi?id=130001
12239
12240 Reviewed by Geoffrey Garen.
12241
12242 - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
12243 comparison is just Untyped:.
12244
12245 - This obviates the need for CompareStrictEqConstant, so remove it.
12246
12247 - FTL had a thing called "Nully" which is really "Other". Rename it and add
12248 OtherUse.
12249
12250 9% speed-up on box2d.
12251
12252 * dfg/DFGAbstractInterpreterInlines.h:
12253 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12254 * dfg/DFGByteCodeParser.cpp:
12255 (JSC::DFG::ByteCodeParser::parseBlock):
12256 * dfg/DFGClobberize.h:
12257 (JSC::DFG::clobberize):
12258 * dfg/DFGFixupPhase.cpp:
12259 (JSC::DFG::FixupPhase::fixupNode):
12260 * dfg/DFGNode.h:
12261 (JSC::DFG::Node::isBinaryUseKind):
12262 (JSC::DFG::Node::shouldSpeculateOther):
12263 * dfg/DFGNodeType.h:
12264 * dfg/DFGPredictionPropagationPhase.cpp:
12265 (JSC::DFG::PredictionPropagationPhase::propagate):
12266 * dfg/DFGSafeToExecute.h:
12267 (JSC::DFG::safeToExecute):
12268 * dfg/DFGSpeculativeJIT.cpp:
12269 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
12270 (JSC::DFG::SpeculativeJIT::compare):
12271 (JSC::DFG::SpeculativeJIT::compileStrictEq):
12272 * dfg/DFGSpeculativeJIT.h:
12273 * dfg/DFGSpeculativeJIT32_64.cpp:
12274 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
12275 (JSC::DFG::SpeculativeJIT::compile):
12276 * dfg/DFGSpeculativeJIT64.cpp:
12277 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
12278 (JSC::DFG::SpeculativeJIT::compile):
12279 * ftl/FTLCapabilities.cpp:
12280 (JSC::FTL::canCompile):
12281 * ftl/FTLLowerDFGToLLVM.cpp:
12282 (JSC::FTL::LowerDFGToLLVM::compileNode):
12283 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
12284 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
12285 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
12286 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
12287 (JSC::FTL::LowerDFGToLLVM::isNotOther):
12288 (JSC::FTL::LowerDFGToLLVM::isOther):
12289 (JSC::FTL::LowerDFGToLLVM::speculate):
12290 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
12291 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
12292 (JSC::FTL::LowerDFGToLLVM::speculateOther):
12293 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
12294 * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
12295
12296 2014-03-10 Filip Pizlo <fpizlo@apple.com>
12297
12298 Unreviewed, remove unintended change.
12299
12300 * dfg/DFGDriver.cpp:
12301 (JSC::DFG::compileImpl):
12302
12303 2014-03-10 Filip Pizlo <fpizlo@apple.com>
12304
12305 jsc commandline shouldn't have a "console" because that confuses some tests into thinking
12306 that they're running in the browser.
12307
12308 Rubber stamped by Mark Hahnenberg.
12309
12310 * jsc.cpp:
12311 (GlobalObject::finishCreation):
12312
12313 2014-03-10 Filip Pizlo <fpizlo@apple.com>
12314
12315 Out-line ScratchRegisterAllocator
12316
12317 Rubber stamped by Mark Hahnenberg.
12318
12319 * CMakeLists.txt:
12320 * GNUmakefile.list.am:
12321 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12322 * JavaScriptCore.xcodeproj/project.pbxproj:
12323 * dfg/DFGDriver.cpp:
12324 (JSC::DFG::compileImpl):
12325 * jit/ScratchRegisterAllocator.cpp: Added.
12326 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
12327 (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
12328 (JSC::ScratchRegisterAllocator::lock):
12329 (JSC::ScratchRegisterAllocator::allocateScratch):
12330 (JSC::ScratchRegisterAllocator::allocateScratchGPR):
12331 (JSC::ScratchRegisterAllocator::allocateScratchFPR):
12332 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
12333 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
12334 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
12335 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
12336 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
12337 * jit/ScratchRegisterAllocator.h:
12338
12339 2014-03-10 Brent Fulgham <bfulgham@apple.com>
12340
12341 [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
12342 https://bugs.webkit.org/show_bug.cgi?id=130023
12343
12344 Reviewed by Dean Jackson.
12345
12346 * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
12347 path names to avoid accidental escaping of later string substitutions.
12348
12349 2014-03-10 Andreas Kling <akling@apple.com>
12350
12351 [X86_64] Smaller code for testb_i8r when register is accumulator.
12352 <https://webkit.org/b/130026>
12353
12354 Generate the shorthand version of "test al, imm" when possible.
12355
12356 Reviewed by Michael Saboff.
12357
12358 * assembler/X86Assembler.h:
12359 (JSC::X86Assembler::testb_i8r):
12360
12361 2014-03-10 Andreas Kling <akling@apple.com>
12362
12363 [X86_64] Smaller code for sub_ir when register is accumulator.
12364 <https://webkit.org/b/130025>
12365
12366 Generate the shorthand version of "sub eax, imm" when possible.
12367
12368 Reviewed by Michael Saboff.
12369
12370 * assembler/X86Assembler.h:
12371 (JSC::X86Assembler::subl_ir):
12372 (JSC::X86Assembler::subq_ir):
12373
12374 2014-03-10 Andreas Kling <akling@apple.com>
12375
12376 [X86_64] Smaller code for add_ir when register is accumulator.
12377 <https://webkit.org/b/130024>
12378
12379 Generate the shorthand version of "add eax, imm" when possible.
12380
12381 Reviewed by Michael Saboff.
12382
12383 * assembler/X86Assembler.h:
12384 (JSC::X86Assembler::addl_ir):
12385 (JSC::X86Assembler::addq_ir):
12386
12387 2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
12388
12389 writeBarrier in emitPutReplaceStub is unnecessary
12390 https://bugs.webkit.org/show_bug.cgi?id=130030
12391
12392 Reviewed by Filip Pizlo.
12393
12394 We already emit write barriers for each put-by-id when they're first compiled, so it's
12395 redundant to emit a write barrier as part of the repatched code.
12396
12397 * jit/Repatch.cpp:
12398 (JSC::emitPutReplaceStub):
12399
12400 2014-03-10 Andreas Kling <akling@apple.com>
12401
12402 [X86_64] Smaller code for xor_ir when register is accumulator.
12403 <https://webkit.org/b/130008>
12404
12405 Generate the shorthand version of "xor eax, imm" when possible.
12406
12407 Reviewed by Benjamin Poulain.
12408
12409 * assembler/X86Assembler.h:
12410 (JSC::X86Assembler::xorl_ir):
12411 (JSC::X86Assembler::xorq_ir):
12412
12413 2014-03-10 Andreas Kling <akling@apple.com>
12414
12415 [X86_64] Smaller code for or_ir when register is accumulator.
12416 <https://webkit.org/b/130007>
12417
12418 Generate the shorthand version of "or eax, imm" when possible.
12419
12420 Reviewed by Benjamin Poulain.
12421
12422 * assembler/X86Assembler.h:
12423 (JSC::X86Assembler::orl_ir):
12424 (JSC::X86Assembler::orq_ir):
12425
12426 2014-03-10 Andreas Kling <akling@apple.com>
12427
12428 [X86_64] Smaller code for test_ir when register is accumulator.
12429 <https://webkit.org/b/130006>
12430
12431 Generate the shorthand version of "test eax, imm" when possible.
12432
12433 Reviewed by Benjamin Poulain.
12434
12435 * assembler/X86Assembler.h:
12436 (JSC::X86Assembler::testl_i32r):
12437 (JSC::X86Assembler::testq_i32r):
12438
12439 2014-03-10 Andreas Kling <akling@apple.com>
12440
12441 [X86_64] Smaller code for cmp_ir when register is accumulator.
12442 <https://webkit.org/b/130005>
12443
12444 Generate the shorthand version of "cmp eax, imm" when possible.
12445
12446 Reviewed by Benjamin Poulain.
12447
12448 * assembler/X86Assembler.h:
12449 (JSC::X86Assembler::cmpl_ir):
12450 (JSC::X86Assembler::cmpq_ir):
12451
12452 2014-03-10 Andreas Kling <akling@apple.com>
12453
12454 [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
12455 <https://webkit.org/b/130002>
12456
12457 Generate this:
12458
12459 mov [address], imm32
12460
12461 Instead of this:
12462
12463 mov scratchRegister, imm32
12464 mov [address], scratchRegister
12465
12466 For store64(imm, address) where the 64-bit immediate can be passed as
12467 a sign-extended 32-bit value.
12468
12469 Reviewed by Benjamin Poulain.
12470
12471 * assembler/MacroAssemblerX86_64.h:
12472 (CAN_SIGN_EXTEND_32_64):
12473 (JSC::MacroAssemblerX86_64::store64):
12474
12475 2014-03-10 Andreas Kling <akling@apple.com>
12476
12477 [X86_64] Smaller code for xchg_rr when one register is accumulator.
12478 <https://webkit.org/b/130004>
12479
12480 Generate the 1-byte version of "xchg eax, reg" when possible.
12481
12482 Reviewed by Benjamin Poulain.
12483
12484 * assembler/X86Assembler.h:
12485 (JSC::X86Assembler::xchgl_rr):
12486 (JSC::X86Assembler::xchgq_rr):
12487
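As an added illustration of the accumulator short forms the Kling entries above select (constructed example code, not JavaScriptCore's X86Assembler), the encoder below makes the same byte choices for the 32- and 64-bit immediate forms of add/sub/or/xor/cmp, test and xchg, and includes the sign-extension predicate that the store64 change relies on. The register numbering, function names and the restriction to the eight legacy registers (no REX.B/REX.R handling) are the example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* x86 register numbers as they appear in the ModRM/opcode fields (eax=0..edi=7).
 * r8-r15 would additionally need a REX.B/REX.R prefix, which this example
 * deliberately does not emit (assumption, to keep the encoder small). */
enum X86Reg { REG_EAX = 0, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI };

/* ModRM "/digit" selecting the operation within the 0x81/0x83 group-1 opcodes. */
enum AluOp { ALU_ADD = 0, ALU_OR = 1, ALU_SUB = 5, ALU_XOR = 6, ALU_CMP = 7 };

#define REX_W 0x48 /* promotes the operation to 64-bit operand size (the *q_ir variants) */

static bool fits_int8(int32_t imm) { return imm >= -128 && imm <= 127; }

/* Same condition that CAN_SIGN_EXTEND_32_64 expresses: the 64-bit immediate
 * round-trips through int32_t, so a 4-byte sign-extended imm32 is enough and
 * no scratch register is needed. */
bool can_sign_extend_32_64(int64_t imm) { return imm == (int64_t)(int32_t)imm; }

static size_t put_imm32(uint8_t *out, int32_t imm) {
    uint32_t u = (uint32_t)imm; /* emitted little-endian regardless of host byte order */
    out[0] = (uint8_t)(u);
    out[1] = (uint8_t)(u >> 8);
    out[2] = (uint8_t)(u >> 16);
    out[3] = (uint8_t)(u >> 24);
    return 4;
}

/* Encode "op reg, imm" (the addl_ir/subl_ir/orl_ir/xorl_ir/cmpl_ir family, or the
 * q variants when rex_w is set). Returns bytes written; out needs >= 7 bytes. */
size_t encode_alu_ir(enum AluOp op, enum X86Reg reg, int32_t imm, bool rex_w, uint8_t *out) {
    size_t n = 0;
    if (rex_w)
        out[n++] = REX_W;
    if (fits_int8(imm)) {
        /* 83 /digit ib is 3 bytes (+REX) whatever the register, so it is tried first. */
        out[n++] = 0x83;
        out[n++] = (uint8_t)(0xC0 | (op << 3) | reg);
        out[n++] = (uint8_t)imm;
        return n;
    }
    if (reg == REG_EAX) {
        /* Accumulator short form, no ModRM byte: add=05 or=0D sub=2D xor=35 cmp=3D. */
        out[n++] = (uint8_t)((op << 3) | 0x05);
    } else {
        out[n++] = 0x81;
        out[n++] = (uint8_t)(0xC0 | (op << 3) | reg);
    }
    return n + put_imm32(out + n, imm);
}

/* Encode "test reg, imm32" (testl_i32r/testq_i32r): A9 id for eax, F7 /0 id otherwise.
 * TEST has no imm8 form, so the accumulator shortcut is the only saving available. */
size_t encode_test_ir(enum X86Reg reg, int32_t imm, bool rex_w, uint8_t *out) {
    size_t n = 0;
    if (rex_w)
        out[n++] = REX_W;
    if (reg == REG_EAX) {
        out[n++] = 0xA9;
    } else {
        out[n++] = 0xF7;
        out[n++] = (uint8_t)(0xC0 | reg);
    }
    return n + put_imm32(out + n, imm);
}

/* Encode "test reg8, imm8" (testb_i8r): A8 ib for al, F6 /0 ib otherwise. Without a
 * REX prefix only al/cl/dl/bl (reg 0..3) are the low bytes this encoding names. */
size_t encode_testb_ir(enum X86Reg reg, uint8_t imm, uint8_t *out) {
    size_t n = 0;
    if (reg == REG_EAX) {
        out[n++] = 0xA8;
    } else {
        out[n++] = 0xF6;
        out[n++] = (uint8_t)(0xC0 | reg);
    }
    out[n++] = imm;
    return n;
}

/* Encode "xchg a, b" (xchgl_rr/xchgq_rr): 1-byte 90+rd when either side is eax,
 * otherwise the 2-byte 87 /r form. */
size_t encode_xchg_rr(enum X86Reg a, enum X86Reg b, bool rex_w, uint8_t *out) {
    size_t n = 0;
    if (rex_w)
        out[n++] = REX_W;
    if (a == REG_EAX || b == REG_EAX) {
        out[n++] = (uint8_t)(0x90 + (a == REG_EAX ? b : a));
        return n;
    }
    out[n++] = 0x87;
    out[n++] = (uint8_t)(0xC0 | (a << 3) | b);
    return n;
}
```
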
12488 2014-03-09 Filip Pizlo <fpizlo@apple.com>
12489
12490 GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
12491 https://bugs.webkit.org/show_bug.cgi?id=129998
12492
12493 Reviewed by Geoffrey Garen.
12494
12495 Not only is that the established contract, but this is used to signal to
12496 ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
12497 that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
12498 some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
12499 fine but previously it would have led to either an assertion failure, or data corruption, in
12500 the ScratchRegisterAllocator.
12501
12502 * jit/GPRInfo.h:
12503 (JSC::GPRInfo::toIndex):
12504
12505 2014-03-09 Filip Pizlo <fpizlo@apple.com>
12506
12507 FTL fails the new equals-masquerader strictEqualConstant test
12508 https://bugs.webkit.org/show_bug.cgi?id=129996
12509
12510 Reviewed by Mark Lam.
12511
12512 It turns out that the FTL was trying to do the masquerading stuff for ===null. But
12513 that's wrong since none of the other engines do it. The DFG even had an ancient
12514 FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
12515 don't do it and JSValue::strictEqual() doesn't do it.
12516
12517 Remove the FIXME and remove the extra checks in the FTL.
12518
12519 This is a glorious patch: nothing but red and it fixes a test failure.
12520
12521 * dfg/DFGSpeculativeJIT.cpp:
12522 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
12523 * ftl/FTLLowerDFGToLLVM.cpp:
12524 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
12525
12526 2014-03-09 Andreas Kling <akling@apple.com>
12527
12528 Short-circuit JSGlobalObjectInspectorController when not inspecting.
12529 <https://webkit.org/b/129995>
12530
12531 Add an early return in reportAPIException() when the console agent
12532 is disabled. This avoids expensive symbolication during exceptions
12533 if there's nobody expecting the fancy backtrace anyway.
12534
12535 ~2% progression on DYEB on my MBP.
12536
12537 Reviewed by Geoff Garen.
12538
12539 * inspector/JSGlobalObjectInspectorController.cpp:
12540 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
12541
12542 2014-03-09 Andreas Kling <akling@apple.com>
12543
12544 Inline the trivial parts of GC deferral.
12545 <https://webkit.org/b/129984>
12546
12547 Made most of the functions called by the DeferGC RAII object inline
12548 to avoid function call overhead.
12549
12550 Looks like ~1% progression on DYEB.
12551
12552 Reviewed by Geoffrey Garen.
12553
12554 * heap/Heap.cpp:
12555 * heap/Heap.h:
12556 (JSC::Heap::incrementDeferralDepth):
12557 (JSC::Heap::decrementDeferralDepth):
12558 (JSC::Heap::collectIfNecessaryOrDefer):
12559 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
12560
12561 2014-03-08 Mark Lam <mark.lam@apple.com>
12562
12563 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
12564 <https://webkit.org/b/129969>
12565
12566 Reviewed by Geoffrey Garen.
12567
12568 The 32-bit version of handleUncaughtException was missing the handling of an
12569 edge case for stack overflows where the current frame may already be the
12570 sentinel frame. This edge case was handled in the 64-bit version. The fix
12571 is to bring the 32-bit version up to parity.
12572
12573 * jit/JIT.cpp:
12574 (JSC::JIT::privateCompile):
12575 * llint/LowLevelInterpreter32_64.asm:
12576
12577 2014-03-07 Mark Lam <mark.lam@apple.com>
12578
12579 Fix bugs in 32-bit Structure implementation.
12580 <https://webkit.org/b/129947>
12581
12582 Reviewed by Mark Hahnenberg.
12583
12584 Added the loading of the Structure (from the JSCell) before use that was
12585 missing in a few places. Also added more test cases to equals-masquerader.js.
12586
12587 * dfg/DFGSpeculativeJIT32_64.cpp:
12588 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
12589 (JSC::DFG::SpeculativeJIT::compile):
12590 * dfg/DFGSpeculativeJIT64.cpp:
12591 (JSC::DFG::SpeculativeJIT::compile):
12592 * llint/LowLevelInterpreter32_64.asm:
12593 * tests/stress/equals-masquerader.js:
12594 (equalsNull):
12595 (notEqualsNull):
12596 (strictEqualsNull):
12597 (strictNotEqualsNull):
12598 (equalsUndefined):
12599 (notEqualsUndefined):
12600 (strictEqualsUndefined):
12601 (strictNotEqualsUndefined):
12602 (isFalsey):
12603 (test):
12604
12605 2014-03-07 Andrew Trick <atrick@apple.com>
12606
12607 Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
12608 https://bugs.webkit.org/show_bug.cgi?id=129954
12609
12610 Reviewed by Filip Pizlo.
12611
12612 * tests/stress/float32-repeat-out-of-bounds.js:
12613 * tests/stress/int8-repeat-out-of-bounds.js:
12614
12615 2014-03-07 Michael Saboff <msaboff@apple.com>
12616
12617 .cfi directives in LowLevelInterpreter.cpp are providing no benefit
12618 https://bugs.webkit.org/show_bug.cgi?id=129945
12619
12620 Reviewed by Mark Lam.
12621
12622 Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
12623 or in lldb.
12624
12625 * llint/LowLevelInterpreter.cpp:
12626
12627 2014-03-07 Oliver Hunt <oliver@apple.com>
12628
12629 Continue hangs when performing for-of over arguments
12630 https://bugs.webkit.org/show_bug.cgi?id=129915
12631
12632 Reviewed by Geoffrey Garen.
12633
12634 Put the continue label in the right place.
12635
12636 * bytecompiler/BytecodeGenerator.cpp:
12637 (JSC::BytecodeGenerator::emitEnumeration):
12638
12639 2014-03-07 peavo@outlook.com <peavo@outlook.com>
12640
12641 [Win64] Compile error after r165128.
12642 https://bugs.webkit.org/show_bug.cgi?id=129807
12643
12644 Reviewed by Mark Lam.
12645
12646 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
12647 Check platform environment variable to determine if an assembler file should be generated.
12648
12649 2014-03-07 Michael Saboff <msaboff@apple.com>
12650
12651 Clarify how we deal with "special" registers
12652 https://bugs.webkit.org/show_bug.cgi?id=129806
12653
12654 Already reviewed change being relanded.
12655
12656 Reviewed by Michael Saboff.
12657
12658 Relanding change set r165196 as it wasn't responsible for the breakage reported in
12659 https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
12660 configuration issue.
12661
12662 * assembler/ARM64Assembler.h:
12663 (JSC::ARM64Assembler::lastRegister):
12664 * assembler/MacroAssembler.h:
12665 (JSC::MacroAssembler::nextRegister):
12666 * ftl/FTLLocation.cpp:
12667 (JSC::FTL::Location::restoreInto):
12668 * ftl/FTLSaveRestore.cpp:
12669 (JSC::FTL::saveAllRegisters):
12670 (JSC::FTL::restoreAllRegisters):
12671 * ftl/FTLSlowPathCall.cpp:
12672 * jit/RegisterSet.cpp:
12673 (JSC::RegisterSet::reservedHardwareRegisters):
12674 (JSC::RegisterSet::runtimeRegisters):
12675 (JSC::RegisterSet::specialRegisters):
12676 (JSC::RegisterSet::calleeSaveRegisters):
12677 * jit/RegisterSet.h:
12678
12679 2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
12680
12681 Move GCActivityCallback to heap
12682 https://bugs.webkit.org/show_bug.cgi?id=129457
12683
12684 Reviewed by Geoffrey Garen.
12685
12686 All the other GC timer related stuff is there already.
12687
12688 * CMakeLists.txt:
12689 * GNUmakefile.list.am:
12690 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12691 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
12692 * JavaScriptCore.xcodeproj/project.pbxproj:
12693 * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
12694 * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
12695 * runtime/GCActivityCallback.cpp: Removed.
12696 * runtime/GCActivityCallback.h: Removed.
12697
12698 2014-03-07 Andrew Trick <atrick@apple.com>
12699
12700 Correct a comment typo from:
12701 FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
12702 https://bugs.webkit.org/show_bug.cgi?id=129865
12703
12704 Reviewed by Mark Lam.
12705
12706 * ftl/FTLOutput.h:
12707 (JSC::FTL::Output::doubleRem):
12708
12709 2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
12710
12711 Use OwnPtr in StructureIDTable
12712 https://bugs.webkit.org/show_bug.cgi?id=129828
12713
12714 Reviewed by Geoffrey Garen.
12715
12716 This reduces the amount of boilerplate and fixes a memory leak.
12717
12718 * runtime/StructureIDTable.cpp:
12719 (JSC::StructureIDTable::StructureIDTable):
12720 (JSC::StructureIDTable::resize):
12721 (JSC::StructureIDTable::flushOldTables):
12722 (JSC::StructureIDTable::allocateID):
12723 (JSC::StructureIDTable::deallocateID):
12724 * runtime/StructureIDTable.h:
12725 (JSC::StructureIDTable::table):
12726 (JSC::StructureIDTable::get):
12727
12728 2014-03-07 Andrew Trick <atrick@apple.com>
12729
12730 FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
12731 https://bugs.webkit.org/show_bug.cgi?id=129865
12732
12733 Reviewed by Filip Pizlo.
12734
12735 * ftl/FTLIntrinsicRepository.h:
12736 * ftl/FTLOutput.h:
12737 (JSC::FTL::Output::doubleRem):
12738
12739 2014-03-06 Filip Pizlo <fpizlo@apple.com>
12740
12741 If the FTL is build-time enabled then it should be run-time enabled.
12742
12743 Rubber stamped by Geoffrey Garen.
12744
12745 * runtime/Options.cpp:
12746 (JSC::recomputeDependentOptions):
12747 * runtime/Options.h:
12748
12749 2014-03-06 Joseph Pecoraro <pecoraro@apple.com>
12750
12751 [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
12752 https://bugs.webkit.org/show_bug.cgi?id=129852
12753
12754 Reviewed by Geoffrey Garen.
12755
12756 * framework.sb: Added.
12757 Sandbox extension to allow access to "com.apple.webinspector".
12758
12759 * JavaScriptCore.xcodeproj/project.pbxproj:
12760 Add a Copy Resources build phase and include framework.sb.
12761
12762 * Configurations/JavaScriptCore.xcconfig:
12763 Do not copy framework.sb on iOS.
12764
12765 2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
12766
12767 JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
12768 https://bugs.webkit.org/show_bug.cgi?id=129858
12769
12770 Reviewed by Mark Lam.
12771
12772 It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
12773 but now it ends up overwriting the IdentifierTable that JSLock just restored.
12774
12775 * API/JSContextRef.cpp:
12776 (JSGlobalContextRelease):
12777
12778 2014-03-06 Oliver Hunt <oliver@apple.com>
12779
12780 Fix FTL build.
12781
12782 * dfg/DFGConstantFoldingPhase.cpp:
12783 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12784
12785 2014-03-06 Brent Fulgham <bfulgham@apple.com>
12786
12787 Unreviewed build fix after r165128.
12788
12789 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
12790 performing 'Production' and 'DebugSuffix' type builds.
12791
12792 2014-03-06 Julien Brianceau <jbriance@cisco.com>
12793
12794 Unreviewed, fix style in my previous commit.
12795 https://bugs.webkit.org/show_bug.cgi?id=129833
12796
12797 * runtime/JSConsole.cpp:
12798
12799 2014-03-06 Julien Brianceau <jbriance@cisco.com>
12800
12801 Build fix: add missing include in JSConsole.cpp.
12802 https://bugs.webkit.org/show_bug.cgi?id=129833
12803
12804 Reviewed by Oliver Hunt.
12805
12806 * runtime/JSConsole.cpp:
12807
12808 2014-03-06 Oliver Hunt <oliver@apple.com>
12809
12810 Fix ARMv7
12811
12812 * jit/CCallHelpers.h:
12813 (JSC::CCallHelpers::setupArgumentsWithExecState):
12814
12815 2014-03-06 Commit Queue <commit-queue@webkit.org>
12816
12817 Unreviewed, rolling out r165196.
12818 http://trac.webkit.org/changeset/165196
12819 https://bugs.webkit.org/show_bug.cgi?id=129822
12820
12821 broke arm64 on hardware (Requested by bfulgham on #webkit).
12822
12823 * assembler/ARM64Assembler.h:
12824 (JSC::ARM64Assembler::lastRegister):
12825 * assembler/MacroAssembler.h:
12826 (JSC::MacroAssembler::isStackRelated):
12827 (JSC::MacroAssembler::firstRealRegister):
12828 (JSC::MacroAssembler::nextRegister):
12829 (JSC::MacroAssembler::secondRealRegister):
12830 * ftl/FTLLocation.cpp:
12831 (JSC::FTL::Location::restoreInto):
12832 * ftl/FTLSaveRestore.cpp:
12833 (JSC::FTL::saveAllRegisters):
12834 (JSC::FTL::restoreAllRegisters):
12835 * ftl/FTLSlowPathCall.cpp:
12836 * jit/RegisterSet.cpp:
12837 (JSC::RegisterSet::specialRegisters):
12838 (JSC::RegisterSet::calleeSaveRegisters):
12839 * jit/RegisterSet.h:
12840
12841 2014-03-06 Mark Lam <mark.lam@apple.com>
12842
12843 REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
12844 <https://webkit.org/b/129813>
12845
12846 Reviewed by Michael Saboff.
12847
12848 Fixed broken C loop LLINT build.
12849
12850 * llint/LowLevelInterpreter.cpp:
12851 (JSC::CLoop::execute):
12852 * offlineasm/cloop.rb:
12853
12854 2014-03-03 Oliver Hunt <oliver@apple.com>
12855
12856 Support caching of custom setters
12857 https://bugs.webkit.org/show_bug.cgi?id=129519
12858
12859 Reviewed by Filip Pizlo.
12860
12861 This patch adds caching of assignment to properties that
12862 are backed by C functions. This provides most of the leg
12863 work required to start supporting setters, and resolves
12864 the remaining regressions from moving DOM properties up
12865 the prototype chain.
12866
12867 * JavaScriptCore.xcodeproj/project.pbxproj:
12868 * bytecode/PolymorphicPutByIdList.cpp:
12869 (JSC::PutByIdAccess::visitWeak):
12870 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
12871 (JSC::PolymorphicPutByIdList::from):
12872 * bytecode/PolymorphicPutByIdList.h:
12873 (JSC::PutByIdAccess::transition):
12874 (JSC::PutByIdAccess::replace):
12875 (JSC::PutByIdAccess::customSetter):
12876 (JSC::PutByIdAccess::isCustom):
12877 (JSC::PutByIdAccess::oldStructure):
12878 (JSC::PutByIdAccess::chain):
12879 (JSC::PutByIdAccess::stubRoutine):
12880 * bytecode/PutByIdStatus.cpp:
12881 (JSC::PutByIdStatus::computeForStubInfo):
12882 (JSC::PutByIdStatus::computeFor):
12883 (JSC::PutByIdStatus::dump):
12884 * bytecode/PutByIdStatus.h:
12885 (JSC::PutByIdStatus::PutByIdStatus):
12886 (JSC::PutByIdStatus::takesSlowPath):
12887 (JSC::PutByIdStatus::makesCalls):
12888 * bytecode/StructureStubInfo.h:
12889 * dfg/DFGAbstractInterpreterInlines.h:
12890 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
12891 * dfg/DFGByteCodeParser.cpp:
12892 (JSC::DFG::ByteCodeParser::emitPutById):
12893 (JSC::DFG::ByteCodeParser::handlePutById):
12894 * dfg/DFGClobberize.h:
12895 (JSC::DFG::clobberize):
12896 * dfg/DFGCommon.h:
12897 * dfg/DFGConstantFoldingPhase.cpp:
12898 (JSC::DFG::ConstantFoldingPhase::foldConstants):
12899 * dfg/DFGFixupPhase.cpp:
12900 (JSC::DFG::FixupPhase::fixupNode):
12901 * dfg/DFGNode.h:
12902 (JSC::DFG::Node::hasIdentifier):
12903 * dfg/DFGNodeType.h:
12904 * dfg/DFGPredictionPropagationPhase.cpp:
12905 (JSC::DFG::PredictionPropagationPhase::propagate):
12906 * dfg/DFGSafeToExecute.h:
12907 (JSC::DFG::safeToExecute):
12908 * dfg/DFGSpeculativeJIT.cpp:
12909 (JSC::DFG::SpeculativeJIT::compileIn):
12910 * dfg/DFGSpeculativeJIT.h:
12911 * dfg/DFGSpeculativeJIT32_64.cpp:
12912 (JSC::DFG::SpeculativeJIT::cachedGetById):
12913 (JSC::DFG::SpeculativeJIT::cachedPutById):
12914 (JSC::DFG::SpeculativeJIT::compile):
12915 * dfg/DFGSpeculativeJIT64.cpp:
12916 (JSC::DFG::SpeculativeJIT::cachedGetById):
12917 (JSC::DFG::SpeculativeJIT::cachedPutById):
12918 (JSC::DFG::SpeculativeJIT::compile):
12919 * jit/CCallHelpers.h:
12920 (JSC::CCallHelpers::setupArgumentsWithExecState):
12921 * jit/JITInlineCacheGenerator.cpp:
12922 (JSC::JITByIdGenerator::JITByIdGenerator):
12923 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
12924 * jit/JITInlineCacheGenerator.h:
12925 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
12926 * jit/JITOperations.cpp:
12927 * jit/JITOperations.h:
12928 * jit/JITPropertyAccess.cpp:
12929 (JSC::JIT::emit_op_get_by_id):
12930 (JSC::JIT::emit_op_put_by_id):
12931 * jit/JITPropertyAccess32_64.cpp:
12932 (JSC::JIT::emit_op_get_by_id):
12933 (JSC::JIT::emit_op_put_by_id):
12934 * jit/Repatch.cpp:
12935 (JSC::tryCacheGetByID):
12936 (JSC::tryBuildGetByIDList):
12937 (JSC::emitCustomSetterStub):
12938 (JSC::tryCachePutByID):
12939 (JSC::tryBuildPutByIdList):
12940 * jit/SpillRegistersMode.h: Added.
12941 * llint/LLIntSlowPaths.cpp:
12942 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
12943 * runtime/Lookup.h:
12944 (JSC::putEntry):
12945 * runtime/PutPropertySlot.h:
12946 (JSC::PutPropertySlot::setCacheableCustomProperty):
12947 (JSC::PutPropertySlot::customSetter):
12948 (JSC::PutPropertySlot::isCacheablePut):
12949 (JSC::PutPropertySlot::isCacheableCustomProperty):
12950 (JSC::PutPropertySlot::cachedOffset):
12951
12952 2014-03-06 Filip Pizlo <fpizlo@apple.com>
12953
12954 FTL arity fixup should work on ARM64
12955 https://bugs.webkit.org/show_bug.cgi?id=129810
12956
12957 Reviewed by Michael Saboff.
12958
12959 - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
12960 callee-save.
12961
12962 - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
12963
12964 This makes some more tests pass.
12965
12966 * dfg/DFGJITCompiler.cpp:
12967 (JSC::DFG::JITCompiler::compileFunction):
12968 * ftl/FTLLink.cpp:
12969 (JSC::FTL::link):
12970 * jit/AssemblyHelpers.h:
12971 (JSC::AssemblyHelpers::prologueStackPointerDelta):
12972 * jit/JIT.cpp:
12973 (JSC::JIT::privateCompile):
12974 * jit/ThunkGenerators.cpp:
12975 (JSC::arityFixup):
12976 * llint/LowLevelInterpreter64.asm:
12977 * offlineasm/arm64.rb:
12978 * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
12979
12980 2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
12981
12982 Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
12983 https://bugs.webkit.org/show_bug.cgi?id=129760
12984
12985 Reviewed by Geoffrey Garen.
12986
12987 r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
12988 The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
12989
12990 * dfg/DFGSpeculativeJIT.cpp:
12991 (JSC::DFG::SpeculativeJIT::writeBarrier):
12992 * dfg/DFGSpeculativeJIT.h:
12993 * dfg/DFGSpeculativeJIT32_64.cpp:
12994 (JSC::DFG::SpeculativeJIT::writeBarrier):
12995 * dfg/DFGSpeculativeJIT64.cpp:
12996 (JSC::DFG::SpeculativeJIT::writeBarrier):
12997 * jit/AssemblyHelpers.h:
12998 (JSC::AssemblyHelpers::checkMarkByte):
12999 * jit/JIT.h:
13000 * jit/JITPropertyAccess.cpp:
13001 * jit/Repatch.cpp:
13002 (JSC::writeBarrier):
13003
13004 2014-03-06 Joseph Pecoraro <pecoraro@apple.com>
13005
13006 Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
13007 https://bugs.webkit.org/show_bug.cgi?id=127944
13008
13009 Reviewed by Geoffrey Garen.
13010
13011 Always expose the Console object in JSContexts, just like we
13012 do for web pages. The default behavior will route to an
13013 attached JSContext inspector. This can be overridden by
13014 setting the ConsoleClient on the JSGlobalObject, which WebCore
13015 does to get slightly different behavior.
13016
13017 * CMakeLists.txt:
13018 * GNUmakefile.list.am:
13019 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13020 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
13021 * JavaScriptCore.xcodeproj/project.pbxproj:
13022 Update build systems.
13023
13024 * API/tests/testapi.js:
13025 * API/tests/testapi.mm:
13026 Test that "console" exists in C and ObjC contexts.
13027
13028 * runtime/ConsoleClient.cpp: Added.
13029 (JSC::ConsoleClient::printURLAndPosition):
13030 (JSC::ConsoleClient::printMessagePrefix):
13031 (JSC::ConsoleClient::printConsoleMessage):
13032 (JSC::ConsoleClient::printConsoleMessageWithArguments):
13033 (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
13034 (JSC::ConsoleClient::logWithLevel):
13035 (JSC::ConsoleClient::clear):
13036 (JSC::ConsoleClient::dir):
13037 (JSC::ConsoleClient::dirXML):
13038 (JSC::ConsoleClient::table):
13039 (JSC::ConsoleClient::trace):
13040 (JSC::ConsoleClient::assertCondition):
13041 (JSC::ConsoleClient::group):
13042 (JSC::ConsoleClient::groupCollapsed):
13043 (JSC::ConsoleClient::groupEnd):
13044 * runtime/ConsoleClient.h: Added.
13045 (JSC::ConsoleClient::~ConsoleClient):
13046 New private interface for handling the console object's methods.
13047 A lot of the methods funnel through messageWithTypeAndLevel.
13048
13049 * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
13050 Moved to JSC namespace.
13051
13052 * runtime/JSGlobalObject.cpp:
13053 (JSC::JSGlobalObject::JSGlobalObject):
13054 (JSC::JSGlobalObject::init):
13055 (JSC::JSGlobalObject::reset):
13056 (JSC::JSGlobalObject::visitChildren):
13057 Create the "console" object when initializing the environment.
13058 Also set the default console client to be the JS context inspector.
13059
13060 * runtime/JSGlobalObject.h:
13061 (JSC::JSGlobalObject::setConsoleClient):
13062 (JSC::JSGlobalObject::consoleClient):
13063 Ability to change the console client, so WebCore can set a custom client.
13064
13065 * runtime/ConsolePrototype.cpp: Added.
13066 (JSC::ConsolePrototype::finishCreation):
13067 (JSC::valueToStringWithUndefinedOrNullCheck):
13068 (JSC::consoleLogWithLevel):
13069 (JSC::consoleProtoFuncDebug):
13070 (JSC::consoleProtoFuncError):
13071 (JSC::consoleProtoFuncLog):
13072 (JSC::consoleProtoFuncWarn):
13073 (JSC::consoleProtoFuncClear):
13074 (JSC::consoleProtoFuncDir):
13075 (JSC::consoleProtoFuncDirXML):
13076 (JSC::consoleProtoFuncTable):
13077 (JSC::consoleProtoFuncTrace):
13078 (JSC::consoleProtoFuncAssert):
13079 (JSC::consoleProtoFuncCount):
13080 (JSC::consoleProtoFuncProfile):
13081 (JSC::consoleProtoFuncProfileEnd):
13082 (JSC::consoleProtoFuncTime):
13083 (JSC::consoleProtoFuncTimeEnd):
13084 (JSC::consoleProtoFuncTimeStamp):
13085 (JSC::consoleProtoFuncGroup):
13086 (JSC::consoleProtoFuncGroupCollapsed):
13087 (JSC::consoleProtoFuncGroupEnd):
13088 * runtime/ConsolePrototype.h: Added.
13089 (JSC::ConsolePrototype::create):
13090 (JSC::ConsolePrototype::createStructure):
13091 (JSC::ConsolePrototype::ConsolePrototype):
13092 Define the console object interface. Parse out required / expected
13093 arguments and throw exceptions when methods are misused.
13094
13095 * runtime/JSConsole.cpp: Added.
13096 * runtime/JSConsole.h: Added.
13097 (JSC::JSConsole::createStructure):
13098 (JSC::JSConsole::create):
13099 (JSC::JSConsole::JSConsole):
13100 Empty "console" object. Everything is in the prototype.
13101
13102 * inspector/JSConsoleClient.cpp: Added.
13103 (Inspector::JSConsoleClient::JSGlobalObjectConsole):
13104 (Inspector::JSConsoleClient::count):
13105 (Inspector::JSConsoleClient::profile):
13106 (Inspector::JSConsoleClient::profileEnd):
13107 (Inspector::JSConsoleClient::time):
13108 (Inspector::JSConsoleClient::timeEnd):
13109 (Inspector::JSConsoleClient::timeStamp):
13110 (Inspector::JSConsoleClient::warnUnimplemented):
13111 (Inspector::JSConsoleClient::internalAddMessage):
13112 * inspector/JSConsoleClient.h: Added.
13113 * inspector/JSGlobalObjectInspectorController.cpp:
13114 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
13115 (Inspector::JSGlobalObjectInspectorController::consoleClient):
13116 * inspector/JSGlobalObjectInspectorController.h:
13117 Default JSContext ConsoleClient implementation. Handle nearly
13118 everything except profile/profileEnd and timeStamp.
13119
13120 2014-03-06 Andreas Kling <akling@apple.com>
13121
13122 Drop unlinked function code on memory pressure.
13123 <https://webkit.org/b/129789>
13124
13125 Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
13126 are not currently being compiled.
13127
13128 4.5 MB progression on Membuster.
13129
13130 Reviewed by Geoffrey Garen.
13131
13132 * heap/Heap.cpp:
13133 (JSC::Heap::deleteAllUnlinkedFunctionCode):
13134 * heap/Heap.h:
13135 * runtime/VM.cpp:
13136 (JSC::VM::discardAllCode):
13137
13138 2014-03-06 Filip Pizlo <fpizlo@apple.com>
13139
13140 Clarify how we deal with "special" registers
13141 https://bugs.webkit.org/show_bug.cgi?id=129806
13142
13143 Reviewed by Michael Saboff.
13144
13145 Previously we had two different places that defined what "stack" registers are, a thing
13146 called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
13147 "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
13148 one place and had a baked-in notion of what it meant for a register to be "real" or not.
13149
13150 It's not cool to use words like "real" and "special" to describe registers, especially if you
13151 fail to qualify what that means. This originally made sense on X86 - "real" registers were
13152 the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
13153 you also have to worry about the LR register, which we'd want to say is "not real" but it's
13154 also not a "stack" register. This got super confusing.
13155
13156 So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
13157 a "stack" register, and uses the word special only in places where it's clearly defined and
13158 where no better word comes to mind.
13159
13160 This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
13161 Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
13162 magically didn't break anything because you never need to save/restore either FP or Q0, but
13163 it was still super weird.
13164
13165 * assembler/ARM64Assembler.h:
13166 (JSC::ARM64Assembler::lastRegister):
13167 * assembler/MacroAssembler.h:
13168 (JSC::MacroAssembler::nextRegister):
13169 * ftl/FTLLocation.cpp:
13170 (JSC::FTL::Location::restoreInto):
13171 * ftl/FTLSaveRestore.cpp:
13172 (JSC::FTL::saveAllRegisters):
13173 (JSC::FTL::restoreAllRegisters):
13174 * ftl/FTLSlowPathCall.cpp:
13175 * jit/RegisterSet.cpp:
13176 (JSC::RegisterSet::reservedHardwareRegisters):
13177 (JSC::RegisterSet::runtimeRegisters):
13178 (JSC::RegisterSet::specialRegisters):
13179 (JSC::RegisterSet::calleeSaveRegisters):
13180 * jit/RegisterSet.h:
13181
13182 2014-03-06 Filip Pizlo <fpizlo@apple.com>
13183
13184 Unreviewed, fix build.
13185
13186 * disassembler/ARM64Disassembler.cpp:
13187
13188 2014-03-06 Filip Pizlo <fpizlo@apple.com>
13189
13190 Use the LLVM disassembler on ARM64 if we are enabling the FTL
13191 https://bugs.webkit.org/show_bug.cgi?id=129785
13192
13193 Reviewed by Geoffrey Garen.
13194
13195 Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
13196 is strictly more capable at this point. Use it if it's available.
13197
13198 * disassembler/ARM64Disassembler.cpp:
13199 (JSC::tryToDisassemble):
13200
13201 2014-03-05 Joseph Pecoraro <pecoraro@apple.com>
13202
13203 Web Inspector: Reduce RWI message frequency
13204 https://bugs.webkit.org/show_bug.cgi?id=129767
13205
13206 Reviewed by Timothy Hatcher.
13207
13208 This used to be 0.2s and changed by accident to 0.02s.
13209
13210 * inspector/remote/RemoteInspector.mm:
13211 (Inspector::RemoteInspector::pushListingSoon):
13212
13213 2014-03-05 Commit Queue <commit-queue@webkit.org>
13214
13215 Unreviewed, rolling out r165141, r165157, and r165158.
13216 http://trac.webkit.org/changeset/165141
13217 http://trac.webkit.org/changeset/165157
13218 http://trac.webkit.org/changeset/165158
13219 https://bugs.webkit.org/show_bug.cgi?id=129772
13220
13221 "broke ftl" (Requested by olliej_ on #webkit).
13222
13223 * JavaScriptCore.xcodeproj/project.pbxproj:
13224 * bytecode/PolymorphicPutByIdList.cpp:
13225 (JSC::PutByIdAccess::visitWeak):
13226 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
13227 (JSC::PolymorphicPutByIdList::from):
13228 * bytecode/PolymorphicPutByIdList.h:
13229 (JSC::PutByIdAccess::transition):
13230 (JSC::PutByIdAccess::replace):
13231 (JSC::PutByIdAccess::oldStructure):
13232 (JSC::PutByIdAccess::chain):
13233 (JSC::PutByIdAccess::stubRoutine):
13234 * bytecode/PutByIdStatus.cpp:
13235 (JSC::PutByIdStatus::computeForStubInfo):
13236 (JSC::PutByIdStatus::computeFor):
13237 (JSC::PutByIdStatus::dump):
13238 * bytecode/PutByIdStatus.h:
13239 (JSC::PutByIdStatus::PutByIdStatus):
13240 (JSC::PutByIdStatus::takesSlowPath):
13241 * bytecode/StructureStubInfo.h:
13242 * dfg/DFGAbstractInterpreterInlines.h:
13243 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13244 * dfg/DFGByteCodeParser.cpp:
13245 (JSC::DFG::ByteCodeParser::emitPutById):
13246 (JSC::DFG::ByteCodeParser::handlePutById):
13247 * dfg/DFGClobberize.h:
13248 (JSC::DFG::clobberize):
13249 * dfg/DFGCommon.h:
13250 * dfg/DFGConstantFoldingPhase.cpp:
13251 (JSC::DFG::ConstantFoldingPhase::foldConstants):
13252 * dfg/DFGFixupPhase.cpp:
13253 (JSC::DFG::FixupPhase::fixupNode):
13254 * dfg/DFGNode.h:
13255 (JSC::DFG::Node::hasIdentifier):
13256 * dfg/DFGNodeType.h:
13257 * dfg/DFGPredictionPropagationPhase.cpp:
13258 (JSC::DFG::PredictionPropagationPhase::propagate):
13259 * dfg/DFGSafeToExecute.h:
13260 (JSC::DFG::safeToExecute):
13261 * dfg/DFGSpeculativeJIT.cpp:
13262 (JSC::DFG::SpeculativeJIT::compileIn):
13263 * dfg/DFGSpeculativeJIT.h:
13264 * dfg/DFGSpeculativeJIT32_64.cpp:
13265 (JSC::DFG::SpeculativeJIT::cachedGetById):
13266 (JSC::DFG::SpeculativeJIT::cachedPutById):
13267 (JSC::DFG::SpeculativeJIT::compile):
13268 * dfg/DFGSpeculativeJIT64.cpp:
13269 (JSC::DFG::SpeculativeJIT::cachedGetById):
13270 (JSC::DFG::SpeculativeJIT::cachedPutById):
13271 (JSC::DFG::SpeculativeJIT::compile):
13272 * ftl/FTLCompile.cpp:
13273 (JSC::FTL::fixFunctionBasedOnStackMaps):
13274 * jit/CCallHelpers.h:
13275 (JSC::CCallHelpers::setupArgumentsWithExecState):
13276 * jit/JITInlineCacheGenerator.cpp:
13277 (JSC::JITByIdGenerator::JITByIdGenerator):
13278 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
13279 * jit/JITInlineCacheGenerator.h:
13280 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
13281 * jit/JITOperations.cpp:
13282 * jit/JITOperations.h:
13283 * jit/JITPropertyAccess.cpp:
13284 (JSC::JIT::emit_op_get_by_id):
13285 (JSC::JIT::emit_op_put_by_id):
13286 * jit/JITPropertyAccess32_64.cpp:
13287 (JSC::JIT::emit_op_get_by_id):
13288 (JSC::JIT::emit_op_put_by_id):
13289 * jit/Repatch.cpp:
13290 (JSC::tryCacheGetByID):
13291 (JSC::tryBuildGetByIDList):
13292 (JSC::tryCachePutByID):
13293 (JSC::tryBuildPutByIdList):
13294 * jit/SpillRegistersMode.h: Removed.
13295 * llint/LLIntSlowPaths.cpp:
13296 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
13297 * runtime/Lookup.h:
13298 (JSC::putEntry):
13299 * runtime/PutPropertySlot.h:
13300 (JSC::PutPropertySlot::isCacheable):
13301 (JSC::PutPropertySlot::cachedOffset):
13302
13303 2014-03-05 Joseph Pecoraro <pecoraro@apple.com>
13304
13305 Web Inspector: Prevent possible deadlock in view indication
13306 https://bugs.webkit.org/show_bug.cgi?id=129766
13307
13308 Reviewed by Geoffrey Garen.
13309
13310 * inspector/remote/RemoteInspector.mm:
13311 (Inspector::RemoteInspector::receivedIndicateMessage):
13312
13313 2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13314
13315 JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
13316 https://bugs.webkit.org/show_bug.cgi?id=129754
13317
13318 Reviewed by Geoffrey Garen.
13319
13320 InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
13321
13322 * runtime/JSCell.h:
13323 (JSC::JSCell::inlineTypeFlags):
13324 * runtime/JSObject.h:
13325 (JSC::JSObject::fastGetOwnPropertySlot):
13326 * runtime/JSTypeInfo.h:
13327 (JSC::TypeInfo::TypeInfo):
13328 (JSC::TypeInfo::overridesGetOwnPropertySlot):
13329
13330 2014-03-05 Joseph Pecoraro <pecoraro@apple.com>
13331
13332 Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
13333 https://bugs.webkit.org/show_bug.cgi?id=129763
13334
13335 Reviewed by Geoffrey Garen.
13336
13337 Clear the list of all breakpoints, including unresolved breakpoints.
13338
13339 * inspector/agents/InspectorDebuggerAgent.cpp:
13340 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
13341
13342 2014-03-05 Mark Lam <mark.lam@apple.com>
13343
13344 llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
13345 <https://webkit.org/b/129768>
13346
13347 Reviewed by Mark Hahnenberg.
13348
13349 When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
13350 and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
13351 path llint_slow_path_check_has_instance(), and execute a code path that does the
13352 following:
13353 1. Adjusts the byte code PC to the jump target PC.
13354 2. For the purpose of storing the result, get the result registerIndex from the
13355 1st operand using the PC as if the PC is still pointing to op_check_has_instance
13356 bytecode.
13357
13358 The result is that whatever value resides after where the jump target PC is will
13359 be used as a result register value. Depending on what that value is, the result
13360 can be:
13361 1. the code coincidentally works correctly
13362 2. memory corruption
13363 3. crashes
13364
13365 The fix is to only adjust the byte code PC after we have stored the result.
13366
13367 * llint/LLIntSlowPaths.cpp:
13368 (llint_slow_path_check_has_instance):
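
The ordering problem the entry above describes, as an added example that is not part of the ChangeLog or of JSC's LLInt: a toy slow path over a constructed five-word `op_check_has_instance` layout (opcode, dst, value, baseVal, relative target; the layout, the `Frame` type and the function names are assumptions for this illustration). The buggy order jumps first and then reads `pc[1]`, so the "destination register" comes from whatever word follows the jump target; the fixed order stores the result before adjusting the PC. A bounds check stands in for the memory corruption or crash the entry lists, since the real interpreter had no such check.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed bytecode layout for this example (not JSC's real encoding).
// op_check_has_instance occupies five words:
//   pc[0] opcode, pc[1] dst register, pc[2] value register,
//   pc[3] baseVal register, pc[4] relative jump target.
enum Opcode : int32_t { OpCheckHasInstance = 1, OpOther = 2 };

struct Frame {
    std::vector<int32_t> registers;
    const int32_t* pc;
};

// Stand-in for the call to the overriding hasInstance (a bound function's, say).
static int32_t customHasInstanceResult() { return 1; }

// The ordering the entry describes as the bug: jump first, then read the dst
// operand "from pc[1]" as if pc still pointed at op_check_has_instance.
// Whatever word follows the jump target is used as a register index.
static int slowPathBuggyOrder(Frame& f) {
    f.pc += f.pc[4];                               // 1. adjust PC to the jump target
    int32_t dst = f.pc[1];                         // 2. operand read from the wrong instruction
    if (dst < 0 || static_cast<size_t>(dst) >= f.registers.size())
        throw std::out_of_range("dst taken from the jump target, not from op_check_has_instance");
    f.registers[dst] = customHasInstanceResult();  // silent corruption when the index happens to be in range
    return dst;
}

// Fixed ordering: read operands and store the result first, then adjust PC.
static int slowPathFixedOrder(Frame& f) {
    int32_t dst = f.pc[1];
    f.registers[dst] = customHasInstanceResult();
    f.pc += f.pc[4];
    return dst;
}

// Constructed program: the instruction at the jump target carries the operand 99
// in the slot the buggy path mistakes for dst.
static const int32_t kCode[] = {
    OpCheckHasInstance, /*dst*/ 0, /*value*/ 1, /*baseVal*/ 2, /*target*/ +5,
    OpOther, 99, 0,
};

static Frame makeFrame() { return Frame{std::vector<int32_t>(4, 0), kCode}; }

// Register index the buggy ordering picks up, or -1 when it is out of range.
int buggyDstIndex() {
    Frame f = makeFrame();
    try { return slowPathBuggyOrder(f); } catch (const std::out_of_range&) { return -1; }
}

// Register index the fixed ordering writes: the real dst operand.
int fixedDstIndex() {
    Frame f = makeFrame();
    return slowPathFixedOrder(f);
}

// Offset of pc after the fixed slow path: the jump still lands on the target.
std::ptrdiff_t fixedPcOffset() {
    Frame f = makeFrame();
    slowPathFixedOrder(f);
    return f.pc - kCode;
}
```

The general rule the fix encodes is that every operand of the current instruction must be decoded before the PC moves; `fixedPcOffset()` shows the jump itself is unaffected by reordering.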
13369
13370 2014-03-05 Ryosuke Niwa <rniwa@webkit.org>
13371
13372 Another build fix attempt after r165141.
13373
13374 * ftl/FTLCompile.cpp:
13375 (JSC::FTL::fixFunctionBasedOnStackMaps):
13376
13377 2014-03-05 Ryosuke Niwa <rniwa@webkit.org>
13378
13379 FTL build fix attempt after r165141.
13380
13381 * ftl/FTLCompile.cpp:
13382 (JSC::FTL::fixFunctionBasedOnStackMaps):
13383
13384 2014-03-05 Gavin Barraclough <barraclough@apple.com>
13385
13386 https://bugs.webkit.org/show_bug.cgi?id=128625
13387 Add fast mapping from StringImpl to JSString
13388
13389 Unreviewed roll-out.
13390
13391 Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
13392
13393 * runtime/JSString.cpp:
13394 * runtime/JSString.h:
13395 * runtime/VM.cpp:
13396 (JSC::VM::createLeaked):
13397 * runtime/VM.h:
13398
13399 2014-03-03 Oliver Hunt <oliver@apple.com>
13400
13401 Support caching of custom setters
13402 https://bugs.webkit.org/show_bug.cgi?id=129519
13403
13404 Reviewed by Filip Pizlo.
13405
13406 This patch adds caching of assignment to properties that
13407 are backed by C functions. This provides most of the leg
13408 work required to start supporting setters, and resolves
13409 the remaining regressions from moving DOM properties up
13410 the prototype chain.
13411
13412 * JavaScriptCore.xcodeproj/project.pbxproj:
13413 * bytecode/PolymorphicPutByIdList.cpp:
13414 (JSC::PutByIdAccess::visitWeak):
13415 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
13416 (JSC::PolymorphicPutByIdList::from):
13417 * bytecode/PolymorphicPutByIdList.h:
13418 (JSC::PutByIdAccess::transition):
13419 (JSC::PutByIdAccess::replace):
13420 (JSC::PutByIdAccess::customSetter):
13421 (JSC::PutByIdAccess::isCustom):
13422 (JSC::PutByIdAccess::oldStructure):
13423 (JSC::PutByIdAccess::chain):
13424 (JSC::PutByIdAccess::stubRoutine):
13425 * bytecode/PutByIdStatus.cpp:
13426 (JSC::PutByIdStatus::computeForStubInfo):
13427 (JSC::PutByIdStatus::computeFor):
13428 (JSC::PutByIdStatus::dump):
13429 * bytecode/PutByIdStatus.h:
13430 (JSC::PutByIdStatus::PutByIdStatus):
13431 (JSC::PutByIdStatus::takesSlowPath):
13432 (JSC::PutByIdStatus::makesCalls):
13433 * bytecode/StructureStubInfo.h:
13434 * dfg/DFGAbstractInterpreterInlines.h:
13435 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13436 * dfg/DFGByteCodeParser.cpp:
13437 (JSC::DFG::ByteCodeParser::emitPutById):
13438 (JSC::DFG::ByteCodeParser::handlePutById):
13439 * dfg/DFGClobberize.h:
13440 (JSC::DFG::clobberize):
13441 * dfg/DFGCommon.h:
13442 * dfg/DFGConstantFoldingPhase.cpp:
13443 (JSC::DFG::ConstantFoldingPhase::foldConstants):
13444 * dfg/DFGFixupPhase.cpp:
13445 (JSC::DFG::FixupPhase::fixupNode):
13446 * dfg/DFGNode.h:
13447 (JSC::DFG::Node::hasIdentifier):
13448 * dfg/DFGNodeType.h:
13449 * dfg/DFGPredictionPropagationPhase.cpp:
13450 (JSC::DFG::PredictionPropagationPhase::propagate):
13451 * dfg/DFGSafeToExecute.h:
13452 (JSC::DFG::safeToExecute):
13453 * dfg/DFGSpeculativeJIT.cpp:
13454 (JSC::DFG::SpeculativeJIT::compileIn):
13455 * dfg/DFGSpeculativeJIT.h:
13456 * dfg/DFGSpeculativeJIT32_64.cpp:
13457 (JSC::DFG::SpeculativeJIT::cachedGetById):
13458 (JSC::DFG::SpeculativeJIT::cachedPutById):
13459 (JSC::DFG::SpeculativeJIT::compile):
13460 * dfg/DFGSpeculativeJIT64.cpp:
13461 (JSC::DFG::SpeculativeJIT::cachedGetById):
13462 (JSC::DFG::SpeculativeJIT::cachedPutById):
13463 (JSC::DFG::SpeculativeJIT::compile):
13464 * jit/CCallHelpers.h:
13465 (JSC::CCallHelpers::setupArgumentsWithExecState):
13466 * jit/JITInlineCacheGenerator.cpp:
13467 (JSC::JITByIdGenerator::JITByIdGenerator):
13468 (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
13469 * jit/JITInlineCacheGenerator.h:
13470 (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
13471 * jit/JITOperations.cpp:
13472 * jit/JITOperations.h:
13473 * jit/JITPropertyAccess.cpp:
13474 (JSC::JIT::emit_op_get_by_id):
13475 (JSC::JIT::emit_op_put_by_id):
13476 * jit/JITPropertyAccess32_64.cpp:
13477 (JSC::JIT::emit_op_get_by_id):
13478 (JSC::JIT::emit_op_put_by_id):
13479 * jit/Repatch.cpp:
13480 (JSC::tryCacheGetByID):
13481 (JSC::tryBuildGetByIDList):
13482 (JSC::emitCustomSetterStub):
13483 (JSC::tryCachePutByID):
13484 (JSC::tryBuildPutByIdList):
13485 * jit/SpillRegistersMode.h: Added.
13486 * llint/LLIntSlowPaths.cpp:
13487 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
13488 * runtime/Lookup.h:
13489 (JSC::putEntry):
13490 * runtime/PutPropertySlot.h:
13491 (JSC::PutPropertySlot::setCacheableCustomProperty):
13492 (JSC::PutPropertySlot::customSetter):
13493 (JSC::PutPropertySlot::isCacheablePut):
13494 (JSC::PutPropertySlot::isCacheableCustomProperty):
13495 (JSC::PutPropertySlot::cachedOffset):
13496
13497 2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13498
13499 JSCell::m_gcData should encode its information differently
13500 https://bugs.webkit.org/show_bug.cgi?id=129741
13501
13502 Reviewed by Geoffrey Garen.
13503
13504 We want to keep track of three GC states for an object:
13505
13506 1. Not marked (which implies not in the remembered set)
13507 2. Marked but not in the remembered set
13508 3. Marked and in the remembered set
13509
13510 Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
13511 barrier, we only want to take the slow path if the object being stored to is in state #2.
13512 We'd like to make the test for state #2 as fast as possible, which means making it a
13513 compare against 0.
13514
13515 * dfg/DFGOSRExitCompilerCommon.cpp:
13516 (JSC::DFG::osrWriteBarrier):
13517 * dfg/DFGSpeculativeJIT.cpp:
13518 (JSC::DFG::SpeculativeJIT::checkMarkByte):
13519 (JSC::DFG::SpeculativeJIT::writeBarrier):
13520 * dfg/DFGSpeculativeJIT.h:
13521 * dfg/DFGSpeculativeJIT32_64.cpp:
13522 (JSC::DFG::SpeculativeJIT::writeBarrier):
13523 * dfg/DFGSpeculativeJIT64.cpp:
13524 (JSC::DFG::SpeculativeJIT::writeBarrier):
13525 * ftl/FTLLowerDFGToLLVM.cpp:
13526 (JSC::FTL::LowerDFGToLLVM::allocateCell):
13527 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
13528 * heap/Heap.cpp:
13529 (JSC::Heap::clearRememberedSet):
13530 (JSC::Heap::addToRememberedSet):
13531 * jit/AssemblyHelpers.h:
13532 (JSC::AssemblyHelpers::checkMarkByte):
13533 * jit/JIT.h:
13534 * jit/JITPropertyAccess.cpp:
13535 (JSC::JIT::checkMarkByte):
13536 (JSC::JIT::emitWriteBarrier):
13537 * jit/Repatch.cpp:
13538 (JSC::writeBarrier):
13539 * llint/LowLevelInterpreter.asm:
13540 * llint/LowLevelInterpreter32_64.asm:
13541 * llint/LowLevelInterpreter64.asm:
13542 * runtime/JSCell.h:
13543 (JSC::JSCell::mark):
13544 (JSC::JSCell::remember):
13545 (JSC::JSCell::forget):
13546 (JSC::JSCell::isMarked):
13547 (JSC::JSCell::isRemembered):
13548 * runtime/JSCellInlines.h:
13549 (JSC::JSCell::JSCell):
13550 * runtime/StructureIDBlob.h:
13551 (JSC::StructureIDBlob::StructureIDBlob):
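
The three-state encoding the entry above motivates, as an added example (constructed for this page; the enum values, the `Cell`/`Heap` types and the counter are assumptions, not JSC's own declarations): state #2, "marked but not in the remembered set", is given the value 0 so the write barrier's fast path is one load and one compare against zero, and only that state takes the slow path into the remembered set.

```cpp
#include <cstdint>

// Example encoding: the state the write barrier must catch is encoded as 0.
enum GCData : uint8_t {
    MarkedNotRemembered = 0,   // state #2: marked, needs the slow path on the next store
    NotMarked = 1,             // state #1: not marked, so not eligible for the remembered set
    MarkedAndRemembered = 2,   // state #3: marked and already in the remembered set
};

struct Cell {
    uint8_t gcData = NotMarked; // freshly allocated objects start unmarked
    void mark()     { gcData = MarkedNotRemembered; }
    void remember() { gcData = MarkedAndRemembered; }
    void forget()   { gcData = MarkedNotRemembered; }   // clearRememberedSet() analogue
    bool isMarked() const     { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
};

struct Heap {
    int slowPathCalls = 0;
    // Slow path: record the owner so the collector rescans it for new pointers.
    void addToRememberedSet(Cell& owner) { ++slowPathCalls; owner.remember(); }
};

// Write barrier run on every store of a pointer into `owner`.
// Fast path: a single byte load compared against zero; only state #2 goes slow.
inline void writeBarrier(Heap& heap, Cell& owner) {
    if (owner.gcData == 0)     // MarkedNotRemembered
        heap.addToRememberedSet(owner);
}

// Drives the barrier through the three states; returns how often the slow path ran.
int slowPathCallsForScenario() {
    Heap heap;
    Cell c;
    writeBarrier(heap, c);   // state #1 (not marked): no slow path
    c.mark();                // the collector marks the object
    writeBarrier(heap, c);   // state #2: slow path, object becomes remembered
    writeBarrier(heap, c);   // state #3: already remembered, no slow path
    c.forget();              // remembered set cleared at the end of the cycle
    writeBarrier(heap, c);   // state #2 again: slow path
    return heap.slowPathCalls;   // 2
}

// Checks that isMarked()/isRemembered() report the expected answers in each state.
bool stateTransitionsConsistent() {
    Cell c;
    if (c.isMarked() || c.isRemembered()) return false;    // state #1
    c.mark();
    if (!c.isMarked() || c.isRemembered()) return false;   // state #2
    c.remember();
    if (!c.isMarked() || !c.isRemembered()) return false;  // state #3
    c.forget();
    return c.isMarked() && !c.isRemembered();              // back to state #2
}
```

Giving the interesting state the value 0 is what lets the JIT tiers listed in the entry emit the barrier check as a `test`/branch on one byte rather than a range or bit-mask test.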
13552
13553 2014-03-05 Filip Pizlo <fpizlo@apple.com>
13554
13555 More FTL ARM fixes
13556 https://bugs.webkit.org/show_bug.cgi?id=129755
13557
13558 Reviewed by Geoffrey Garen.
13559
13560 - Be more defensive about inline caches that have degenerate chains.
13561
13562 - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
13563 platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
13564
13565 - Don't even emit intrinsic declarations on non-x86 platforms.
13566
13567 - More debug printing support.
13568
13569 - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
13570 but somehow it gets lucky on x86.
13571
13572 * bytecode/GetByIdStatus.cpp:
13573 (JSC::GetByIdStatus::appendVariant):
13574 (JSC::GetByIdStatus::computeForChain):
13575 (JSC::GetByIdStatus::computeForStubInfo):
13576 * bytecode/GetByIdStatus.h:
13577 * bytecode/PutByIdStatus.cpp:
13578 (JSC::PutByIdStatus::appendVariant):
13579 (JSC::PutByIdStatus::computeForStubInfo):
13580 * bytecode/PutByIdStatus.h:
13581 * bytecode/StructureSet.h:
13582 (JSC::StructureSet::overlaps):
13583 * ftl/FTLCompile.cpp:
13584 (JSC::FTL::mmAllocateDataSection):
13585 * ftl/FTLDataSection.cpp:
13586 (JSC::FTL::DataSection::DataSection):
13587 (JSC::FTL::DataSection::~DataSection):
13588 * ftl/FTLDataSection.h:
13589 * ftl/FTLLowerDFGToLLVM.cpp:
13590 (JSC::FTL::LowerDFGToLLVM::lower):
13591 * ftl/FTLOutput.h:
13592 (JSC::FTL::Output::doubleSin):
13593 (JSC::FTL::Output::doubleCos):
13594 * runtime/JSCJSValue.cpp:
13595 (JSC::JSValue::dumpInContext):
13596 * runtime/JSCell.h:
13597 (JSC::JSCell::structureID):
13598
13599 2014-03-05 peavo@outlook.com <peavo@outlook.com>
13600
13601 [Win32][LLINT] Crash when running JSC stress tests.
13602 https://bugs.webkit.org/show_bug.cgi?id=129429
13603
13604 On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
13605 where the guard page is a barrier between committed and uncommitted memory.
13606 When data from the guard page is read or written, the guard page is moved, and memory is committed.
13607 This is how the system grows the stack.
13608 When using the C stack on Windows we need to precommit the needed stack space.
13609 Otherwise we might crash later if we access uncommitted stack memory.
13610 This can happen if we allocate stack space larger than the page guard size (4K).
13611 The system does not get the chance to move the guard page, and commit more memory,
13612 and we crash if uncommitted memory is accessed.
13613 The MSVC compiler fixes this by inserting a call to the _chkstk() function,
13614 when needed, see http://support.microsoft.com/kb/100775.
13615
13616 Reviewed by Geoffrey Garen.
13617
13618 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
13619 * jit/Repatch.cpp:
13620 (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
13621 * offlineasm/x86.rb: Compile fix, and small simplification.
13622 * runtime/VM.cpp:
13623 (JSC::preCommitStackMemory): Added function to precommit stack memory.
13624 (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
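
The precommit walk the entry above describes, as an added example that is not the ChangeLog's or JSC's own `preCommitStackMemory` (the function name, signature and the heap-buffer test driver are assumptions for this illustration): touch one byte on every page from the top of the region down to the limit, so that no single access ever lands more than one page below the last committed one. On Windows that is exactly the pattern that lets the system move the guard page and commit each page in turn, which a single large frame that skips past the guard page would not do.

```cpp
#include <cstddef>
#include <vector>

// Touch one byte per page of [limit, top), walking downward the way the stack
// grows. The read-then-write keeps the contents intact. Returns pages touched.
size_t precommitRange(char* top, char* limit, size_t pageSize) {
    size_t pages = 0;
    for (char* p = top - 1; ; p -= pageSize) {
        volatile char* vp = p;   // volatile so the compiler cannot drop the access
        char c = *vp;            // read ...
        *vp = c;                 // ... and write back unchanged
        ++pages;
        if (static_cast<size_t>(p - limit) < pageSize)
            break;               // next step would go below the limit
    }
    return pages;
}

// Test driver: a heap buffer stands in for the stack region (the real call
// site would pass the current stack pointer and the VM's stack limit).
// Returns the page count, or 0 if the walk altered any byte.
size_t pagesTouchedFor(size_t bytes, size_t pageSize) {
    std::vector<char> region(bytes, 0x5A);
    char* limit = region.data();
    size_t n = precommitRange(limit + bytes, limit, pageSize);
    for (char c : region)
        if (c != 0x5A) return 0;
    return n;
}
```

The stride must be no larger than the guard page size the entry gives (4K on the platform described); a larger stride would reintroduce the very skip-over the walk is meant to avoid.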
13625
13626 2014-03-05 Michael Saboff <msaboff@apple.com>
13627
13628 JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
13629 https://bugs.webkit.org/show_bug.cgi?id=129746
13630
13631 Reviewed by Filip Pizlo.
13632
13633 Changed to use a union to manually assemble or disassemble the various types
13634 from / to the corresponding bytes. All memory access is now done using
13635 byte accesses.
13636
13637 * runtime/JSDataViewPrototype.cpp:
13638 (JSC::getData):
13639 (JSC::setData):
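
The byte-wise assembly the entry above describes, as an added example that is not JSC's `JSDataViewPrototype` code (the `ByteSplitter` union, function names and the constructed buffers are assumptions for this page): every access to the backing buffer is a single byte, so the requested offset can be anything, and the endianness flag decides whether bytes are copied in order or reversed relative to the host. Out-of-range accesses are rejected before any byte is read, as a DataView must do.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>

// Union used to assemble a T from its bytes (type punning through a union is
// the idiom GCC, Clang and MSVC support; memcpy would be the strictly portable form).
template <typename T>
union ByteSplitter {
    T value;
    uint8_t bytes[sizeof(T)];
};

inline bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t first;
    std::memcpy(&first, &probe, 1);
    return first == 1;
}

inline void checkRange(size_t length, size_t byteOffset, size_t width) {
    if (byteOffset > length || length - byteOffset < width)
        throw std::out_of_range("DataView access past the end of the buffer");
}

// getData analogue: assemble T from bytes at any offset, honouring the endianness flag.
template <typename T>
T getData(const uint8_t* buffer, size_t length, size_t byteOffset, bool littleEndian) {
    checkRange(length, byteOffset, sizeof(T));
    ByteSplitter<T> s;
    const bool sameOrder = (littleEndian == hostIsLittleEndian());
    for (size_t i = 0; i < sizeof(T); ++i)
        s.bytes[i] = buffer[byteOffset + (sameOrder ? i : sizeof(T) - 1 - i)];
    return s.value;
}

// setData analogue: disassemble T into bytes and store them one at a time.
template <typename T>
void setData(uint8_t* buffer, size_t length, size_t byteOffset, T value, bool littleEndian) {
    checkRange(length, byteOffset, sizeof(T));
    ByteSplitter<T> s;
    s.value = value;
    const bool sameOrder = (littleEndian == hostIsLittleEndian());
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[byteOffset + (sameOrder ? i : sizeof(T) - 1 - i)] = s.bytes[i];
}

// Constructed 8-byte buffer with a 32-bit value starting at the odd offset 1.
uint32_t readUnaligned32(bool littleEndian) {
    const uint8_t buf[8] = { 0xAA, 0x78, 0x56, 0x34, 0x12, 0xBB, 0xCC, 0xDD };
    return getData<uint32_t>(buf, sizeof buf, 1, littleEndian);
}

// Writes a double big-endian at offset 3 and reads it back through the same path.
bool doubleRoundTrip() {
    uint8_t buf[16] = {0};
    setData<double>(buf, sizeof buf, 3, -2.5, false);
    return getData<double>(buf, sizeof buf, 3, false) == -2.5;
}

// A read that would run past the buffer is refused rather than performed.
bool rejectsOutOfRange() {
    const uint8_t buf[4] = {0};
    try { getData<uint32_t>(buf, sizeof buf, 1, true); }
    catch (const std::out_of_range&) { return true; }
    return false;
}
```

`readUnaligned32(true)` yields 0x12345678 and `readUnaligned32(false)` yields 0x78563412 on any host, because the byte order is resolved against the host's at copy time rather than by reinterpreting the buffer pointer.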
13640
13641 2014-03-05 Filip Pizlo <fpizlo@apple.com>
13642
13643 FTL loadStructure always generates invalid IR
13644 https://bugs.webkit.org/show_bug.cgi?id=129747
13645
13646 Reviewed by Mark Hahnenberg.
13647
13648 As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
13649 of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
13650 to have a pointer to a type, and you can only load things of that type from that
13651 pointer. Pointer arithmetic is basically not possible except through the bizarre
13652 getelementptr operator. This doesn't fit with how the JS object model works since
13653 the JS object model doesn't consist of nice and tidy C types placed in C arrays.
13654 Also, it would be impossible to use getelementptr and LLVM pointers for accessing
13655 any of JSC's C or C++ objects unless we went through the exercise of redeclaring
13656 all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
13657 this for us, but that would require that to use the FTL, JSC itself would have to
13658 be compiled with clang. Worse, it would have to be compiled with a clang that uses
13659 a version of LLVM that is compatible with the one against which the FTL is linked.
13660 Yuck!
13661
13662 The solution is to NEVER use LLVM pointers. This has always been the case in the
13663 FTL. But it causes some confusion.
13664
13665 Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
13666 pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
13667 "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
13668 pointer that has the type that we want. The load and store operations over pointers
13669 are called Output::load* and Output::store*, where * is one of "8", "16", "32",
13670 "64", "Ptr", "Float", or "Double".
13671
13672 There is unavoidable confusion here. It would be bizarre for the FTL to call its
13673 "pointer-wide integers" anything other than "pointers", since they are, in all
13674 respects that we care about, simply pointers. But they are *not* LLVM pointers and
13675 they never will be that.
13676
13677 There is one exception to this "no pointers" rule. The FTL does use actual LLVM
13678 pointers for referring to LLVM allocas - i.e. local variables. To try to reduce
13679 confusion, we call these "references". So an "FTL reference" is actually an "LLVM
13680 pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
13681 methods for access called Output::get and Output::set. These lower to LLVM load
13682 and store, since FTL references are just LLVM pointers.
13683
13684 This confusion appears to have led to incorrect code in loadStructure().
13685 loadStructure() was using get() and set() to access FTL pointers. But those methods
13686 don't work on FTL pointers and never will, since they are for FTL references.
13687
13688 The worst part of this is that it was previously impossible to have test coverage
13689 for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
13690 patch fixes this by introducing a Masquerader object to jsc.cpp.
13691
13692 * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
13693 * ftl/FTLLowerDFGToLLVM.cpp:
13694 (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
13695 * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
13696 * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
13697 (WTF::Masquerader::Masquerader):
13698 (WTF::Masquerader::create):
13699 (WTF::Masquerader::createStructure):
13700 (GlobalObject::finishCreation):
13701 (functionMakeMasquerader):
13702 * tests/stress/equals-masquerader.js: Added.
13703 (foo):
13704 (test):
13705
13706 2014-03-05 Anders Carlsson <andersca@apple.com>
13707
13708 Tweak after r165109 to avoid extra copies
13709 https://bugs.webkit.org/show_bug.cgi?id=129745
13710
13711 Reviewed by Geoffrey Garen.
13712
13713 * heap/Heap.cpp:
13714 (JSC::Heap::visitProtectedObjects):
13715 (JSC::Heap::visitTempSortVectors):
13716 (JSC::Heap::clearRememberedSet):
13717 * heap/Heap.h:
13718 (JSC::Heap::forEachProtectedCell):
13719
13720 2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13721
13722 DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
13723 https://bugs.webkit.org/show_bug.cgi?id=129717
13724
13725 Reviewed by Filip Pizlo.
13726
13727 * dfg/DFGStoreBarrierElisionPhase.cpp:
13728 (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
13729 (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
13730
13731 2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
13732
13733 Use range-based loops where possible in Heap methods
13734 https://bugs.webkit.org/show_bug.cgi?id=129513
13735
13736 Reviewed by Mark Lam.
13737
13738 Replace old school iterator based loops with the new range-based loop hotness
13739 for a better tomorrow.
13740
13741 * heap/CodeBlockSet.cpp:
13742 (JSC::CodeBlockSet::~CodeBlockSet):
13743 (JSC::CodeBlockSet::clearMarks):
13744 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
13745 (JSC::CodeBlockSet::traceMarked):
13746 * heap/Heap.cpp:
13747 (JSC::Heap::visitProtectedObjects):
13748 (JSC::Heap::visitTempSortVectors):
13749 (JSC::Heap::clearRememberedSet):
13750 * heap/Heap.h:
13751 (JSC::Heap::forEachProtectedCell):
13752
13753 2014-03-04 Filip Pizlo <fpizlo@apple.com>
13754
13755 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13756 https://bugs.webkit.org/show_bug.cgi?id=129563
13757
13758 Reviewed by Geoffrey Garen.
13759
13760 Rolling this back in after fixing an assertion failure. speculateMisc() should have
13761 said DFG_TYPE_CHECK instead of typeCheck.
13762
13763 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13764 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13765 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13766 comparing undefined, null, and booleans to each other.
13767
13768 This also adds support for miscellaneous things that I needed to make my various test
13769 cases work. This includes comparison over booleans and the various Throw-related node
13770 types.
13771
13772 This also improves constant folding of CompareStrictEq and CompareEq.
13773
13774 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13775 based on profiling, which caused some downstream badness. We don't actually support
13776 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13777 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13778 shouldn't factor out the bounds check since the access is not InBounds but then the
13779 backend would ignore the flag and assume that the bounds check was already emitted.
13780 This showed up on an existing test but I added a test for this explicitly to have more
13781 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13782 that we'll have a bounds check anyway.
13783
13784 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13785 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13786 still a lot more coverage work to be done there.
13787
13788 * bytecode/SpeculatedType.cpp:
13789 (JSC::speculationToAbbreviatedString):
13790 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
13791 (JSC::valuesCouldBeEqual):
13792 * bytecode/SpeculatedType.h:
13793 (JSC::isMiscSpeculation):
13794 * dfg/DFGAbstractInterpreterInlines.h:
13795 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13796 * dfg/DFGArrayMode.cpp:
13797 (JSC::DFG::ArrayMode::refine):
13798 * dfg/DFGArrayMode.h:
13799 * dfg/DFGFixupPhase.cpp:
13800 (JSC::DFG::FixupPhase::fixupNode):
13801 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
13802 * dfg/DFGNode.h:
13803 (JSC::DFG::Node::shouldSpeculateMisc):
13804 * dfg/DFGSafeToExecute.h:
13805 (JSC::DFG::SafeToExecuteEdge::operator()):
13806 * dfg/DFGSpeculativeJIT.cpp:
13807 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13808 (JSC::DFG::SpeculativeJIT::speculateMisc):
13809 (JSC::DFG::SpeculativeJIT::speculate):
13810 * dfg/DFGSpeculativeJIT.h:
13811 * dfg/DFGSpeculativeJIT32_64.cpp:
13812 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13813 * dfg/DFGSpeculativeJIT64.cpp:
13814 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13815 * dfg/DFGUseKind.cpp:
13816 (WTF::printInternal):
13817 * dfg/DFGUseKind.h:
13818 (JSC::DFG::typeFilterFor):
13819 * ftl/FTLCapabilities.cpp:
13820 (JSC::FTL::canCompile):
13821 * ftl/FTLLowerDFGToLLVM.cpp:
13822 (JSC::FTL::LowerDFGToLLVM::compileNode):
13823 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13824 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13825 (JSC::FTL::LowerDFGToLLVM::compileThrow):
13826 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
13827 (JSC::FTL::LowerDFGToLLVM::isMisc):
13828 (JSC::FTL::LowerDFGToLLVM::speculate):
13829 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
13830 * tests/stress/float32-array-out-of-bounds.js: Added.
13831 * tests/stress/weird-equality-folding-cases.js: Added.
13832
13833 2014-03-04 Commit Queue <commit-queue@webkit.org>
13834
13835 Unreviewed, rolling out r165085.
13836 http://trac.webkit.org/changeset/165085
13837 https://bugs.webkit.org/show_bug.cgi?id=129729
13838
13839 Broke imported/w3c/html-templates/template-element/template-content.html
13840 (Requested by ap on #webkit).
13841
13842 * bytecode/SpeculatedType.cpp:
13843 (JSC::speculationToAbbreviatedString):
13844 * bytecode/SpeculatedType.h:
13845 * dfg/DFGAbstractInterpreterInlines.h:
13846 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13847 * dfg/DFGArrayMode.cpp:
13848 (JSC::DFG::ArrayMode::refine):
13849 * dfg/DFGArrayMode.h:
13850 * dfg/DFGFixupPhase.cpp:
13851 (JSC::DFG::FixupPhase::fixupNode):
13852 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
13853 * dfg/DFGNode.h:
13854 (JSC::DFG::Node::shouldSpeculateBoolean):
13855 * dfg/DFGSafeToExecute.h:
13856 (JSC::DFG::SafeToExecuteEdge::operator()):
13857 * dfg/DFGSpeculativeJIT.cpp:
13858 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13859 (JSC::DFG::SpeculativeJIT::speculate):
13860 * dfg/DFGSpeculativeJIT.h:
13861 * dfg/DFGSpeculativeJIT32_64.cpp:
13862 * dfg/DFGSpeculativeJIT64.cpp:
13863 * dfg/DFGUseKind.cpp:
13864 (WTF::printInternal):
13865 * dfg/DFGUseKind.h:
13866 (JSC::DFG::typeFilterFor):
13867 * ftl/FTLCapabilities.cpp:
13868 (JSC::FTL::canCompile):
13869 * ftl/FTLLowerDFGToLLVM.cpp:
13870 (JSC::FTL::LowerDFGToLLVM::compileNode):
13871 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13872 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13873 (JSC::FTL::LowerDFGToLLVM::speculate):
13874 * tests/stress/float32-array-out-of-bounds.js: Removed.
13875 * tests/stress/weird-equality-folding-cases.js: Removed.
13876
13877 2014-03-04 Brian Burg <bburg@apple.com>
13878
13879 Inspector does not restore breakpoints after a page reload
13880 https://bugs.webkit.org/show_bug.cgi?id=129655
13881
13882 Reviewed by Joseph Pecoraro.
13883
13884 Fix a regression introduced by r162096 that erroneously removed
13885 the inspector backend's mapping of files to breakpoints whenever the
13886 global object was cleared.
13887
13888 The inspector's breakpoint mappings should only be cleared when the
13889 debugger agent is disabled or destroyed. We should only clear the
13890 debugger's breakpoint state when the global object is cleared.
13891
13892 To make it clearer what state is being cleared, the two cases have
13893 been split into separate methods.
13894
13895 * inspector/agents/InspectorDebuggerAgent.cpp:
13896 (Inspector::InspectorDebuggerAgent::disable):
13897 (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
13898 (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
13899 (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
13900 * inspector/agents/InspectorDebuggerAgent.h:
13901
13902 2014-03-04 Andreas Kling <akling@apple.com>
13903
13904 Streamline JSValue::get().
13905 <https://webkit.org/b/129720>
13906
13907 Fetch each Structure and VM only once when walking the prototype chain
13908 in JSObject::getPropertySlot(), then pass it along to the functions
13909 we call from there, so they don't have to re-fetch it.
13910
13911 Reviewed by Geoff Garen.
13912
13913 * runtime/JSObject.h:
13914 (JSC::JSObject::inlineGetOwnPropertySlot):
13915 (JSC::JSObject::fastGetOwnPropertySlot):
13916 (JSC::JSObject::getPropertySlot):
13917
13918 2014-03-01 Filip Pizlo <fpizlo@apple.com>
13919
13920 DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
13921 https://bugs.webkit.org/show_bug.cgi?id=129563
13922
13923 Reviewed by Geoffrey Garen.
13924
13925 This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
13926 when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
13927 user of this was EarleyBoyer, and in that benchmark what it was really doing was
13928 comparing undefined, null, and booleans to each other.
13929
13930 This also adds support for miscellaneous things that I needed to make my various test
13931 cases work. This includes comparison over booleans and the various Throw-related node
13932 types.
13933
13934 This also improves constant folding of CompareStrictEq and CompareEq.
13935
13936 Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
13937 based on profiling, which caused some downstream badness. We don't actually support
13938 compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
13939 emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
13940 shouldn't factor out the bounds check since the access is not InBounds but then the
13941 backend would ignore the flag and assume that the bounds check was already emitted.
13942 This showed up on an existing test but I added a test for this explicitly to have more
13943 certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
13944 that we'll have a bounds check anyway.
13945
13946 This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
13947 general progressions across the board. No speed-up yet on EarleyBoyer, since there is
13948 still a lot more coverage work to be done there.
13949
13950 * bytecode/SpeculatedType.cpp:
13951 (JSC::speculationToAbbreviatedString):
13952 (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
13953 (JSC::valuesCouldBeEqual):
13954 * bytecode/SpeculatedType.h:
13955 (JSC::isMiscSpeculation):
13956 * dfg/DFGAbstractInterpreterInlines.h:
13957 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
13958 * dfg/DFGFixupPhase.cpp:
13959 (JSC::DFG::FixupPhase::fixupNode):
13960 * dfg/DFGNode.h:
13961 (JSC::DFG::Node::shouldSpeculateMisc):
13962 * dfg/DFGSafeToExecute.h:
13963 (JSC::DFG::SafeToExecuteEdge::operator()):
13964 * dfg/DFGSpeculativeJIT.cpp:
13965 (JSC::DFG::SpeculativeJIT::compileStrictEq):
13966 (JSC::DFG::SpeculativeJIT::speculateMisc):
13967 (JSC::DFG::SpeculativeJIT::speculate):
13968 * dfg/DFGSpeculativeJIT.h:
13969 * dfg/DFGSpeculativeJIT32_64.cpp:
13970 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13971 * dfg/DFGSpeculativeJIT64.cpp:
13972 (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
13973 * dfg/DFGUseKind.cpp:
13974 (WTF::printInternal):
13975 * dfg/DFGUseKind.h:
13976 (JSC::DFG::typeFilterFor):
13977 * ftl/FTLCapabilities.cpp:
13978 (JSC::FTL::canCompile):
13979 * ftl/FTLLowerDFGToLLVM.cpp:
13980 (JSC::FTL::LowerDFGToLLVM::compileNode):
13981 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
13982 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
13983 (JSC::FTL::LowerDFGToLLVM::compileThrow):
13984 (JSC::FTL::LowerDFGToLLVM::isNotMisc):
13985 (JSC::FTL::LowerDFGToLLVM::isMisc):
13986 (JSC::FTL::LowerDFGToLLVM::speculate):
13987 (JSC::FTL::LowerDFGToLLVM::speculateMisc):
13988 * tests/stress/float32-array-out-of-bounds.js: Added.
13989 * tests/stress/weird-equality-folding-cases.js: Added.
13990
13991 2014-03-04 Andreas Kling <akling@apple.com>
13992
13993 Spam static branch prediction hints on JS bindings.
13994 <https://webkit.org/b/129703>
13995
13996 Add LIKELY hint to jsDynamicCast since it's always used in a context
13997 where we expect it to succeed and takes an error path when it doesn't.
13998
13999 Reviewed by Geoff Garen.
14000
14001 * runtime/JSCell.h:
14002 (JSC::jsDynamicCast):
14003
14004 2014-03-04 Andreas Kling <akling@apple.com>
14005
14006 Get to Structures more efficiently in JSCell::methodTable().
14007 <https://webkit.org/b/129702>
14008
14009 In JSCell::methodTable(), get the VM once and pass that along to
14010 structure(VM&) instead of using the heavier structure().
14011
14012 In JSCell::methodTable(VM&), replace calls to structure() with
14013 calls to structure(VM&).
14014
14015 Reviewed by Mark Hahnenberg.
14016
14017 * runtime/JSCellInlines.h:
14018 (JSC::JSCell::methodTable):
14019
14020 2014-03-04 Joseph Pecoraro <pecoraro@apple.com>
14021
14022 Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
14023 https://bugs.webkit.org/show_bug.cgi?id=129697
14024
14025 Reviewed by Timothy Hatcher.
14026
14027 * inspector/remote/RemoteInspectorXPCConnection.mm:
14028 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
14029 (Inspector::RemoteInspectorXPCConnection::handleEvent):
14030
14031 2014-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
14032
14033 Merge API shims and JSLock
14034 https://bugs.webkit.org/show_bug.cgi?id=129650
14035
14036 Reviewed by Mark Lam.
14037
14038 JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
14039 to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
14040
14041 * API/APICallbackFunction.h:
14042 (JSC::APICallbackFunction::call):
14043 (JSC::APICallbackFunction::construct):
14044 * API/APIShims.h: Removed.
14045 * API/JSBase.cpp:
14046 (JSEvaluateScript):
14047 (JSCheckScriptSyntax):
14048 (JSGarbageCollect):
14049 (JSReportExtraMemoryCost):
14050 (JSSynchronousGarbageCollectForDebugging):
14051 * API/JSCallbackConstructor.cpp:
14052 * API/JSCallbackFunction.cpp:
14053 * API/JSCallbackObjectFunctions.h:
14054 (JSC::JSCallbackObject<Parent>::init):
14055 (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
14056 (JSC::JSCallbackObject<Parent>::put):
14057 (JSC::JSCallbackObject<Parent>::putByIndex):
14058 (JSC::JSCallbackObject<Parent>::deleteProperty):
14059 (JSC::JSCallbackObject<Parent>::construct):
14060 (JSC::JSCallbackObject<Parent>::customHasInstance):
14061 (JSC::JSCallbackObject<Parent>::call):
14062 (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
14063 (JSC::JSCallbackObject<Parent>::getStaticValue):
14064 (JSC::JSCallbackObject<Parent>::callbackGetter):
14065 * API/JSContext.mm:
14066 (-[JSContext setException:]):
14067 (-[JSContext wrapperForObjCObject:]):
14068 (-[JSContext wrapperForJSObject:]):
14069 * API/JSContextRef.cpp:
14070 (JSContextGroupRelease):
14071 (JSContextGroupSetExecutionTimeLimit):
14072 (JSContextGroupClearExecutionTimeLimit):
14073 (JSGlobalContextCreateInGroup):
14074 (JSGlobalContextRetain):
14075 (JSGlobalContextRelease):
14076 (JSContextGetGlobalObject):
14077 (JSContextGetGlobalContext):
14078 (JSGlobalContextCopyName):
14079 (JSGlobalContextSetName):
14080 * API/JSManagedValue.mm:
14081 (-[JSManagedValue value]):
14082 * API/JSObjectRef.cpp:
14083 (JSObjectMake):
14084 (JSObjectMakeFunctionWithCallback):
14085 (JSObjectMakeConstructor):
14086 (JSObjectMakeFunction):
14087 (JSObjectMakeArray):
14088 (JSObjectMakeDate):
14089 (JSObjectMakeError):
14090 (JSObjectMakeRegExp):
14091 (JSObjectGetPrototype):
14092 (JSObjectSetPrototype):
14093 (JSObjectHasProperty):
14094 (JSObjectGetProperty):
14095 (JSObjectSetProperty):
14096 (JSObjectGetPropertyAtIndex):
14097 (JSObjectSetPropertyAtIndex):
14098 (JSObjectDeleteProperty):
14099 (JSObjectGetPrivateProperty):
14100 (JSObjectSetPrivateProperty):
14101 (JSObjectDeletePrivateProperty):
14102 (JSObjectIsFunction):
14103 (JSObjectCallAsFunction):
14104 (JSObjectCallAsConstructor):
14105 (JSObjectCopyPropertyNames):
14106 (JSPropertyNameArrayRelease):
14107 (JSPropertyNameAccumulatorAddName):
14108 * API/JSScriptRef.cpp:
14109 * API/JSValue.mm:
14110 (isDate):
14111 (isArray):
14112 (containerValueToObject):
14113 (valueToArray):
14114 (valueToDictionary):
14115 (objectToValue):
14116 * API/JSValueRef.cpp:
14117 (JSValueGetType):
14118 (JSValueIsUndefined):
14119 (JSValueIsNull):
14120 (JSValueIsBoolean):
14121 (JSValueIsNumber):
14122 (JSValueIsString):
14123 (JSValueIsObject):
14124 (JSValueIsObjectOfClass):
14125 (JSValueIsEqual):
14126 (JSValueIsStrictEqual):
14127 (JSValueIsInstanceOfConstructor):
14128 (JSValueMakeUndefined):
14129 (JSValueMakeNull):
14130 (JSValueMakeBoolean):
14131 (JSValueMakeNumber):
14132 (JSValueMakeString):
14133 (JSValueMakeFromJSONString):
14134 (JSValueCreateJSONString):
14135 (JSValueToBoolean):
14136 (JSValueToNumber):
14137 (JSValueToStringCopy):
14138 (JSValueToObject):
14139 (JSValueProtect):
14140 (JSValueUnprotect):
14141 * API/JSVirtualMachine.mm:
14142 (-[JSVirtualMachine addManagedReference:withOwner:]):
14143 (-[JSVirtualMachine removeManagedReference:withOwner:]):
14144 * API/JSWeakObjectMapRefPrivate.cpp:
14145 * API/JSWrapperMap.mm:
14146 (constructorHasInstance):
14147 (makeWrapper):
14148 (tryUnwrapObjcObject):
14149 * API/ObjCCallbackFunction.mm:
14150 (JSC::objCCallbackFunctionCallAsFunction):
14151 (JSC::objCCallbackFunctionCallAsConstructor):
14152 (objCCallbackFunctionForInvocation):
14153 * CMakeLists.txt:
14154 * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
14155 * GNUmakefile.list.am:
14156 * JavaScriptCore.xcodeproj/project.pbxproj:
14157 * dfg/DFGWorklist.cpp:
14158 * heap/DelayedReleaseScope.h:
14159 (JSC::DelayedReleaseScope::~DelayedReleaseScope):
14160 * heap/HeapTimer.cpp:
14161 (JSC::HeapTimer::timerDidFire):
14162 (JSC::HeapTimer::timerEvent):
14163 * heap/IncrementalSweeper.cpp:
14164 * inspector/InjectedScriptModule.cpp:
14165 (Inspector::InjectedScriptModule::ensureInjected):
14166 * jsc.cpp:
14167 (jscmain):
14168 * runtime/GCActivityCallback.cpp:
14169 (JSC::DefaultGCActivityCallback::doWork):
14170 * runtime/JSGlobalObjectDebuggable.cpp:
14171 (JSC::JSGlobalObjectDebuggable::connect):
14172 (JSC::JSGlobalObjectDebuggable::disconnect):
14173 (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
14174 * runtime/JSLock.cpp:
14175 (JSC::JSLock::lock):
14176 (JSC::JSLock::didAcquireLock):
14177 (JSC::JSLock::unlock):
14178 (JSC::JSLock::willReleaseLock):
14179 (JSC::JSLock::DropAllLocks::DropAllLocks):
14180 (JSC::JSLock::DropAllLocks::~DropAllLocks):
14181 * runtime/JSLock.h:
14182 * testRegExp.cpp:
14183 (realMain):
14184
14185 2014-03-04 Commit Queue <commit-queue@webkit.org>
14186
14187 Unreviewed, rolling out r164812.
14188 http://trac.webkit.org/changeset/164812
14189 https://bugs.webkit.org/show_bug.cgi?id=129699
14190
14191 it made things run slower (Requested by pizlo on #webkit).
14192
14193 * interpreter/Interpreter.cpp:
14194 (JSC::Interpreter::execute):
14195 * jsc.cpp:
14196 (GlobalObject::finishCreation):
14197 * runtime/BatchedTransitionOptimizer.h:
14198 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
14199 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
14200
14201 2014-03-02 Filip Pizlo <fpizlo@apple.com>
14202
14203 GetMyArgumentByVal in FTL
14204 https://bugs.webkit.org/show_bug.cgi?id=128850
14205
14206 Reviewed by Oliver Hunt.
14207
14208 This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
14209 They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
14210 caused it to think that the arity check had failed if the caller had passed more
14211 arguments than needed. This would cause the call frame copying to sort of go into
14212 reverse (because the amount-by-which-we-failed-arity would have opposite sign,
14213 throwing off a bunch of math) and the stack would end up being corrupted.
14214
14215 The bug was revealed by two existing tests although as far as I could tell, neither
14216 test was intending to cover this case directly. So, I added a new test.
14217
14218 * ftl/FTLCapabilities.cpp:
14219 (JSC::FTL::canCompile):
14220 * ftl/FTLLowerDFGToLLVM.cpp:
14221 (JSC::FTL::LowerDFGToLLVM::compileNode):
14222 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
14223 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
14224 (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
14225 (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
14226 * ftl/FTLOSRExitCompiler.cpp:
14227 (JSC::FTL::compileStub):
14228 * ftl/FTLState.h:
14229 * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
14230 * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
14231 * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
14232 * tests/stress/ftl-get-my-argument-by-val.js: Added.
14233
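The arity-check sign flip described in the entry above, as an added illustration that is not JavaScriptCore's own code: a hypothetical Frame model with a fixup routine that pads missing arguments, run once with the buggy predicate (argc == numParameters, so a caller passing extra arguments is treated as an arity failure and the slot count goes negative) and once with the corrected "too few arguments" predicate. All names here (Frame, fixupFrame, the exit* helpers, the UNDEFINED sentinel) are assumptions for the example.

```c
/* Added illustration, not JavaScriptCore code. Models the OSR-exit arity
 * check from the ChangeLog entry above. Frame, fixupFrame and the helper
 * names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 16
#define UNDEFINED (-1)   /* sentinel standing in for a missing argument */

/* Hypothetical call frame: only the argument slots matter here. */
typedef struct {
    int argc;               /* arguments the caller actually passed */
    int slots[MAX_SLOTS];   /* argument values, in caller order */
} Frame;

/* The buggy predicate: treats any mismatch as an arity failure, including
 * the case where the caller passed MORE arguments than declared. */
int arityCheckFailedBuggy(int argc, int numParameters) {
    return argc != numParameters;
}

/* The corrected predicate: only too few arguments is a failure. */
int arityCheckFailed(int argc, int numParameters) {
    return argc < numParameters;
}

/* Slots the fixup must add. A negative value is the "opposite sign" the
 * entry describes: the copy would run backwards and corrupt the stack. */
int slotsToAdd(int argc, int numParameters) {
    return numParameters - argc;
}

/* Rebuild a frame with at least numParameters slots, padding missing
 * arguments with UNDEFINED. Returns 0 on success, -1 when the arity math
 * goes negative (the corruption case, caught here instead of executed). */
int fixupFrame(const Frame *in, int numParameters,
               int (*failed)(int, int), Frame *out) {
    memset(out, 0, sizeof *out);
    if (!failed(in->argc, numParameters)) {
        *out = *in;          /* caller passed enough: frame is usable as-is */
        return 0;
    }
    int pad = slotsToAdd(in->argc, numParameters);
    if (pad < 0 || numParameters > MAX_SLOTS)
        return -1;           /* would have walked the copy in reverse */
    out->argc = numParameters;
    memcpy(out->slots, in->slots, (size_t)in->argc * sizeof(int));
    for (int i = in->argc; i < numParameters; i++)
        out->slots[i] = UNDEFINED;
    return 0;
}

/* Scenario from the entry: caller passes 3 args to a 2-parameter function.
 * Returns fixupFrame's status for the given predicate. */
int exitWithExtraArgs(int (*failed)(int, int)) {
    Frame in = { 3, { 10, 20, 30 } };
    Frame out;
    return fixupFrame(&in, 2, failed, &out);
}

/* Genuine arity failure: 1 arg to a 3-parameter function. Returns the
 * padded frame's argc (3) when both missing slots were filled, else < 0. */
int exitWithTooFewArgs(void) {
    Frame in = { 1, { 10 } };
    Frame out;
    if (fixupFrame(&in, 3, arityCheckFailed, &out) != 0)
        return -1;
    return (out.slots[1] == UNDEFINED && out.slots[2] == UNDEFINED) ? out.argc : -2;
}

int main(void) {
    printf("extra args, buggy check:   %d (negative = would corrupt)\n",
           exitWithExtraArgs(arityCheckFailedBuggy));
    printf("extra args, fixed check:   %d\n", exitWithExtraArgs(arityCheckFailed));
    printf("too few args, fixed check: argc=%d\n", exitWithTooFewArgs());
    return 0;
}
```

With the buggy predicate the extra-argument call is misclassified and slotsToAdd() yields -1; the model refuses rather than copying, which is exactly the path the real OSR exit compiler took into the stack. With the corrected predicate the same call is left alone and only the genuinely short call is padded.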
14234 2014-03-04 Zan Dobersek <zdobersek@igalia.com>
14235
14236 [GTK] Build the Udis86 disassembler
14237 https://bugs.webkit.org/show_bug.cgi?id=129679
14238
14239 Reviewed by Michael Saboff.
14240
14241 * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
14242 * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
14243
14244 2014-03-04 Andreas Kling <akling@apple.com>
14245
14246 Fix too-narrow assertion I added in r165054.
14247
14248 It's okay for a 1-character string to come in here. This will happen
14249 if the VM small string optimization doesn't apply (ch > 0xFF).
14250
14251 * runtime/JSString.h:
14252 (JSC::jsStringWithWeakOwner):
14253
14254 2014-03-04 Andreas Kling <akling@apple.com>
14255
14256 Micro-optimize Strings in JS bindings.
14257 <https://webkit.org/b/129673>
14258
14259 Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
14260 This avoids branches in length() and operator[].
14261
14262 Also call JSString::create() directly instead of jsString() and just
14263 assert that the string length is >1. This way we don't duplicate the
14264 optimizations for empty and single-character strings.
14265
14266 Reviewed by Ryosuke Niwa.
14267
14268 * runtime/JSString.h:
14269 (JSC::jsStringWithWeakOwner):
14270
14271 2014-03-04 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
14272
14273 Implement Number.prototype.clz()
14274 https://bugs.webkit.org/show_bug.cgi?id=129479
14275
14276 Reviewed by Oliver Hunt.
14277
14278 Implemented Number.prototype.clz() as specified in the ES6 standard.
14279
14280 * runtime/NumberPrototype.cpp:
14281 (JSC::numberProtoFuncClz):
14282
14283 2014-03-03 Joseph Pecoraro <pecoraro@apple.com>
14284
14285 Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
14286 https://bugs.webkit.org/show_bug.cgi?id=129631
14287
14288 Reviewed by Timothy Hatcher.
14289
14290 Avoid deref() too early if a client calls close(). The xpc_connection_close
14291 will cause another XPC_ERROR event to come in from the queue, deref then.
14292 Likewise, protect multithreaded access to m_client. If a client calls
14293 close() we want to immediately clear the pointer to prevent calls to it.
14294
14295 Overall the multi-threading aspects of RemoteInspectorXPCConnection are
14296 growing too complicated for probably little benefit. We may want to
14297 clean this up later.
14298
14299 * inspector/remote/RemoteInspector.mm:
14300 (Inspector::RemoteInspector::xpcConnectionFailed):
14301 * inspector/remote/RemoteInspectorXPCConnection.h:
14302 * inspector/remote/RemoteInspectorXPCConnection.mm:
14303 (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
14304 (Inspector::RemoteInspectorXPCConnection::close):
14305 (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
14306 (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
14307 (Inspector::RemoteInspectorXPCConnection::handleEvent):
14308 (Inspector::RemoteInspectorXPCConnection::sendMessage):
14309
14310 2014-03-03 Michael Saboff <msaboff@apple.com>
14311
14312 AbstractMacroAssembler::CachedTempRegister should start out invalid
14313 https://bugs.webkit.org/show_bug.cgi?id=129657
14314
14315 Reviewed by Filip Pizlo.
14316
14317 * assembler/AbstractMacroAssembler.h:
14318 (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
14319 - Invalidate all cached registers in constructor as we don't know the
14320 contents of any register at the entry to the code we are going to
14321 generate.
14322
14323 2014-03-03 Andreas Kling <akling@apple.com>
14324
14325 StructureOrOffset should be fastmalloced.
14326 <https://webkit.org/b/129640>
14327
14328 Reviewed by Geoffrey Garen.
14329
14330 * runtime/StructureIDTable.h:
14331
14332 2014-03-03 Michael Saboff <msaboff@apple.com>
14333
14334 Crash in JIT code while watching a video @ storyboard.tumblr.com
14335 https://bugs.webkit.org/show_bug.cgi?id=129635
14336
14337 Reviewed by Filip Pizlo.
14338
14339 Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
14340 constructor.
14341
14342 * jit/TempRegisterSet.cpp:
14343 (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
14344 * jit/TempRegisterSet.h:
14345 (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
14346 (JSC::TempRegisterSet::clearAll): New private helper.
14347
14348 2014-03-03 Benjamin Poulain <benjamin@webkit.org>
14349
14350 [x86] Improve code generation of byte test
14351 https://bugs.webkit.org/show_bug.cgi?id=129597
14352
14353 Reviewed by Geoffrey Garen.
14354
14355 When possible, test the 8 bit register to itself instead of comparing it
14356 to a literal.
14357
14358 * assembler/MacroAssemblerX86Common.h:
14359 (JSC::MacroAssemblerX86Common::test32):
14360
14361 2014-03-03 Mark Lam <mark.lam@apple.com>
14362
14363 Web Inspector: debugger statements do not break.
14364 <https://webkit.org/b/129524>
14365
14366 Reviewed by Geoff Garen.
14367
14368 Since we no longer call op_debug hooks unless there is a debugger request
14369 made on the CodeBlock, the op_debug for the debugger statement never gets
14370 serviced.
14371
14372 With this fix, we check in the CodeBlock constructor if any debugger
14373 statements are present. If so, we set a m_hasDebuggerStatement flag that
14374 causes the CodeBlock to show as having debugger requests. Hence,
14375 breaking at debugger statements is now restored.
14376
14377 * bytecode/CodeBlock.cpp:
14378 (JSC::CodeBlock::CodeBlock):
14379 * bytecode/CodeBlock.h:
14380 (JSC::CodeBlock::hasDebuggerRequests):
14381 (JSC::CodeBlock::clearDebuggerRequests):
14382
14383 2014-03-03 Mark Lam <mark.lam@apple.com>
14384
14385 ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
14386 <https://webkit.org/b/129393>
14387
14388 Reviewed by Geoffrey Garen.
14389
14390 The issue manifests because the debugger will iterate all CodeBlocks in
14391 the heap when setting / clearing breakpoints, but it is possible for a
14392 CodeBlock to have been instantiated but is not yet registered with the
14393 debugger. This can happen because of the following:
14394
14395 1. DFG worklist compilation is still in progress, and the target
14396 codeBlock is not ready for installation in its executable yet.
14397
14398 2. DFG compilation failed and we have a codeBlock that will never be
14399 installed in its executable, and the codeBlock has not been cleaned
14400 up by the GC yet.
14401
14402 The code for installing the codeBlock in its executable is the same code
14403 that registers it with the debugger. Hence, these codeBlocks are not
14404 registered with the debugger, and any pending breakpoints that would map
14405 to that CodeBlock are as yet unset or will never be set. As such, an
14406 attempt to remove a breakpoint in that CodeBlock will fail that assertion.
14407
14408 To fix this, we do the following:
14409
14410 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
14411 compilation. This is achieved by providing a
14412 DeferredCompilationCallback::compilationDidComplete() that does this
14413 clean up, and have all sub classes call it at the end of their
14414 compilationDidComplete() methods.
14415
14416 2. Before the debugger or profiler iterates CodeBlocks in the heap, they
14417 will wait for all compilations to complete before proceeding. This
14418 ensures that:
14419 1. any zombie CodeBlocks would have been cleaned up, and won't be
14420 seen by the debugger or profiler.
14421 2. all CodeBlocks that the debugger and profiler needs to operate on
14422 will be "ready" for whatever needs to be done to them e.g.
14423 jettisoning of DFG codeBlocks.
14424
14425 * bytecode/DeferredCompilationCallback.cpp:
14426 (JSC::DeferredCompilationCallback::compilationDidComplete):
14427 * bytecode/DeferredCompilationCallback.h:
14428 - Provide default implementation method to clean up zombie CodeBlocks.
14429
14430 * debugger/Debugger.cpp:
14431 (JSC::Debugger::forEachCodeBlock):
14432 - Utility function to iterate CodeBlocks. It ensures that all compilations
14433 are complete before proceeding.
14434 (JSC::Debugger::setSteppingMode):
14435 (JSC::Debugger::toggleBreakpoint):
14436 (JSC::Debugger::recompileAllJSFunctions):
14437 (JSC::Debugger::clearBreakpoints):
14438 (JSC::Debugger::clearDebuggerRequests):
14439 - Use the utility iterator function.
14440
14441 * debugger/Debugger.h:
14442 * dfg/DFGOperations.cpp:
14443 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
14444
14445 * dfg/DFGPlan.cpp:
14446 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
14447 - Remove unneeded code (that was not the best solution anyway) for ensuring
14448 that we don't generate new DFG codeBlocks after enabling the debugger or
14449 profiler. Now that we wait for compilations to complete before proceeding
14450 with debugger and profiler work, this scenario will never happen.
14451
14452 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
14453 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
14454 - Call the super class method to clean up zombie codeBlocks.
14455
14456 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
14457 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
14458 - Call the super class method to clean up zombie codeBlocks.
14459
14460 * heap/CodeBlockSet.cpp:
14461 (JSC::CodeBlockSet::remove):
14462 * heap/CodeBlockSet.h:
14463 * heap/Heap.h:
14464 (JSC::Heap::removeCodeBlock):
14465 - New method to remove a codeBlock from the codeBlock set.
14466
14467 * jit/JITOperations.cpp:
14468 - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
14469
14470 * jit/JITToDFGDeferredCompilationCallback.cpp:
14471 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
14472 - Call the super class method to clean up zombie codeBlocks.
14473
14474 * runtime/VM.cpp:
14475 (JSC::VM::waitForCompilationsToComplete):
14476 - Renamed from prepareToDiscardCode() to be clearer about what it does.
14477
14478 (JSC::VM::discardAllCode):
14479 (JSC::VM::releaseExecutableMemory):
14480 (JSC::VM::setEnabledProfiler):
14481 - Wait for compilation to complete before enabling the profiler.
14482
14483 * runtime/VM.h:
14484
14485 2014-03-03 Brian Burg <bburg@apple.com>
14486
14487 Another unreviewed build fix attempt for Windows after r164986.
14488
14489 We never told Visual Studio to copy over the web replay code generator scripts
14490 and the generated headers for JavaScriptCore replay inputs as if they were
14491 private headers.
14492
14493 * JavaScriptCore.vcxproj/copy-files.cmd:
14494
14495 2014-03-03 Brian Burg <bburg@apple.com>
14496
14497 Web Replay: upstream input storage, capture/replay machinery, and inspector domain
14498 https://bugs.webkit.org/show_bug.cgi?id=128782
14499
14500 Reviewed by Timothy Hatcher.
14501
14502 Alter the replay inputs code generator so that it knows when it is necessary to
14503 include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
14504
14505 * JavaScriptCore.xcodeproj/project.pbxproj:
14506 * replay/scripts/CodeGeneratorReplayInputs.py:
14507 (Framework.fromString):
14508 (Frameworks): Add WTF as an allowed framework for code generation.
14509 (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
14510 (Generator.generate_includes.declaration):
14511 (Generator.generate_includes.or):
14512 (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
14513
14514 2014-03-02 Filip Pizlo <fpizlo@apple.com>
14515
14516 PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
14517 https://bugs.webkit.org/show_bug.cgi?id=129591
14518
14519 Reviewed by Michael Saboff.
14520
14521 * bytecode/PolymorphicPutByIdList.cpp:
14522 (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
14523 (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
14524 (JSC::PolymorphicPutByIdList::from):
14525 * bytecode/PolymorphicPutByIdList.h:
14526 (JSC::PutByIdAccess::stubRoutine):
14527 * jit/Repatch.cpp:
14528 (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
14529
14530 2014-03-02 Filip Pizlo <fpizlo@apple.com>
14531
14532 Debugging improvements from my gbemu investigation session
14533 https://bugs.webkit.org/show_bug.cgi?id=129599
14534
14535 Reviewed by Mark Lam.
14536
14537 Various improvements from when I was investigating bug 129411.
14538
14539 * bytecode/CodeBlock.cpp:
14540 (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
14541 * jsc.cpp:
14542 (GlobalObject::finishCreation):
14543 (functionDescribe): Make describe() return a string rather than printing the string.
14544 (functionDescribeArray): Like describe(), but prints details about arrays.
14545
14546 2014-02-25 Andreas Kling <akling@apple.com>
14547
14548 JSDOMWindow::commonVM() should return a reference.
14549 <https://webkit.org/b/129293>
14550
14551 Added a DropAllLocks constructor that takes VM& without null checks.
14552
14553 Reviewed by Geoff Garen.
14554
14555 2014-03-02 Mark Lam <mark.lam@apple.com>
14556
14557 CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
14558 <https://webkit.org/b/129584>
14559
14560 Reviewed by Darin Adler.
14561
14562 * bytecode/CodeBlock.h:
14563 (JSC::CodeBlock::hasDebuggerRequests):
14564
14565 2014-03-02 Mark Lam <mark.lam@apple.com>
14566
14567 Clean up use of Options::enableConcurrentJIT().
14568 <https://webkit.org/b/129582>
14569
14570 Reviewed by Filip Pizlo.
14571
14572 DFG Driver was conditionally checking Options::enableConcurrentJIT()
14573 only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
14574 enableConcurrentJIT set to false.
14575
14576 Instead we should configure Options::enableConcurrentJIT() to be false
14577 in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
14578 check Options::enableConcurrentJIT(). This makes the code read a little
14579 cleaner.
14580
14581 * dfg/DFGDriver.cpp:
14582 (JSC::DFG::compileImpl):
14583 * runtime/Options.cpp:
14584 (JSC::recomputeDependentOptions):
14585
14586 2014-03-01 Filip Pizlo <fpizlo@apple.com>
14587
14588 This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
14589 stress tests.
14590
14591 * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
14592
14593 2014-03-01 Andreas Kling <akling@apple.com>
14594
14595 JSCell::fastGetOwnProperty() should get the Structure more efficiently.
14596 <https://webkit.org/b/129560>
14597
14598 Now that structure() is nontrivial and we have a faster structure(VM&),
14599 make use of that in fastGetOwnProperty() since we already have VM.
14600
14601 Reviewed by Sam Weinig.
14602
14603 * runtime/JSCellInlines.h:
14604 (JSC::JSCell::fastGetOwnProperty):
14605
14606 2014-03-01 Andreas Kling <akling@apple.com>
14607
14608 Avoid going through ExecState for VM when we already have it (in some places).
14609 <https://webkit.org/b/129554>
14610
14611 Tweak some places that jump through unnecessary hoops to get the VM.
14612 There are many more like this.
14613
14614 Reviewed by Sam Weinig.
14615
14616 * runtime/JSObject.cpp:
14617 (JSC::JSObject::putByIndexBeyondVectorLength):
14618 (JSC::JSObject::putDirectIndexBeyondVectorLength):
14619 * runtime/ObjectPrototype.cpp:
14620 (JSC::objectProtoFuncToString):
14621
14622 2014-02-28 Filip Pizlo <fpizlo@apple.com>
14623
14624 FTL should support PhantomArguments
14625 https://bugs.webkit.org/show_bug.cgi?id=113986
14626
14627 Reviewed by Oliver Hunt.
14628
14629 Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
14630 object into the FTL's OSR exit compiler.
14631
14632 This isn't a speed-up yet, since there is still more to be done to fully support
14633 all of the arguments craziness that our varargs benchmarks do.
14634
14635 * dfg/DFGOSRExitCompiler32_64.cpp:
14636 (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
14637 * dfg/DFGOSRExitCompiler64.cpp:
14638 (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
14639 * dfg/DFGOSRExitCompilerCommon.cpp:
14640 (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
14641 (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
14642 (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
14643 * dfg/DFGOSRExitCompilerCommon.h:
14644 * ftl/FTLCapabilities.cpp:
14645 (JSC::FTL::canCompile):
14646 * ftl/FTLExitValue.cpp:
14647 (JSC::FTL::ExitValue::dumpInContext):
14648 * ftl/FTLExitValue.h:
14649 (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
14650 (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
14651 (JSC::FTL::ExitValue::valueFormat):
14652 * ftl/FTLLowerDFGToLLVM.cpp:
14653 (JSC::FTL::LowerDFGToLLVM::compileNode):
14654 (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
14655 (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
14656 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
14657 * ftl/FTLOSRExitCompiler.cpp:
14658 (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
14659 * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
14660 * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
14661
14662 2014-02-28 Filip Pizlo <fpizlo@apple.com>
14663
14664 Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
14665
14666 * dfg/DFGCSEPhase.cpp:
14667 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
14668
14669 2014-02-28 Andreas Kling <akling@apple.com>
14670
14671 JSObject::findPropertyHashEntry() should take VM instead of ExecState.
14672 <https://webkit.org/b/129529>
14673
14674 Callers already have VM in a local, and findPropertyHashEntry() only
14675 uses the VM, no need to go all the way through ExecState.
14676
14677 Reviewed by Geoffrey Garen.
14678
14679 * runtime/JSObject.cpp:
14680 (JSC::JSObject::put):
14681 (JSC::JSObject::deleteProperty):
14682 (JSC::JSObject::findPropertyHashEntry):
14683 * runtime/JSObject.h:
14684
14685 2014-02-28 Joseph Pecoraro <pecoraro@apple.com>
14686
14687 Deadlock remotely inspecting iOS Simulator
14688 https://bugs.webkit.org/show_bug.cgi?id=129511
14689
14690 Reviewed by Timothy Hatcher.
14691
14692 Avoid synchronous setup. Do it asynchronously, and let
14693 the RemoteInspector singleton know later if it failed.
14694
14695 * inspector/remote/RemoteInspector.h:
14696 * inspector/remote/RemoteInspector.mm:
14697 (Inspector::RemoteInspector::setupFailed):
14698 * inspector/remote/RemoteInspectorDebuggableConnection.h:
14699 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14700 (Inspector::RemoteInspectorDebuggableConnection::setup):
14701
14702 2014-02-28 Oliver Hunt <oliver@apple.com>
14703
14704 REGRESSION(r164835): It broke 10 JSC stress tests on 32-bit platforms
14705 https://bugs.webkit.org/show_bug.cgi?id=129488
14706
14707 Reviewed by Mark Lam.
14708
14709 Whoops, modify the right register.
14710
14711 * jit/JITCall32_64.cpp:
14712 (JSC::JIT::compileLoadVarargs):
14713
14714 2014-02-28 Filip Pizlo <fpizlo@apple.com>
14715
14716 FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
14717 https://bugs.webkit.org/show_bug.cgi?id=129503
14718
14719 Reviewed by Mark Lam.
14720
14721 * ftl/FTLIntrinsicRepository.h:
14722 * ftl/FTLOutput.h:
14723 (JSC::FTL::Output::doubleSin):
14724 (JSC::FTL::Output::doubleCos):
14725 (JSC::FTL::Output::intrinsicOrOperation):
14726
14727 2014-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
14728
14729 Fix !ENABLE(GGC) builds
14730
14731 * heap/Heap.cpp:
14732 (JSC::Heap::markRoots):
14733 (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
14734
14735 2014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
14736
14737 Clean up Heap::collect and Heap::markRoots
14738 https://bugs.webkit.org/show_bug.cgi?id=129464
14739
14740 Reviewed by Geoffrey Garen.
14741
14742 These functions have built up a lot of cruft recently.
14743 We should do a bit of cleanup to make them easier to grok.
14744
14745 * heap/Heap.cpp:
14746 (JSC::Heap::finalizeUnconditionalFinalizers):
14747 (JSC::Heap::gatherStackRoots):
14748 (JSC::Heap::gatherJSStackRoots):
14749 (JSC::Heap::gatherScratchBufferRoots):
14750 (JSC::Heap::clearLivenessData):
14751 (JSC::Heap::visitSmallStrings):
14752 (JSC::Heap::visitConservativeRoots):
14753 (JSC::Heap::visitCompilerWorklists):
14754 (JSC::Heap::markProtectedObjects):
14755 (JSC::Heap::markTempSortVectors):
14756 (JSC::Heap::markArgumentBuffers):
14757 (JSC::Heap::visitException):
14758 (JSC::Heap::visitStrongHandles):
14759 (JSC::Heap::visitHandleStack):
14760 (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
14761 (JSC::Heap::converge):
14762 (JSC::Heap::visitWeakHandles):
14763 (JSC::Heap::clearRememberedSet):
14764 (JSC::Heap::updateObjectCounts):
14765 (JSC::Heap::resetVisitors):
14766 (JSC::Heap::markRoots):
14767 (JSC::Heap::copyBackingStores):
14768 (JSC::Heap::deleteUnmarkedCompiledCode):
14769 (JSC::Heap::collect):
14770 (JSC::Heap::collectIfNecessaryOrDefer):
14771 (JSC::Heap::suspendCompilerThreads):
14772 (JSC::Heap::willStartCollection):
14773 (JSC::Heap::deleteOldCode):
14774 (JSC::Heap::flushOldStructureIDTables):
14775 (JSC::Heap::flushWriteBarrierBuffer):
14776 (JSC::Heap::stopAllocation):
14777 (JSC::Heap::reapWeakHandles):
14778 (JSC::Heap::sweepArrayBuffers):
14779 (JSC::Heap::snapshotMarkedSpace):
14780 (JSC::Heap::deleteSourceProviderCaches):
14781 (JSC::Heap::notifyIncrementalSweeper):
14782 (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
14783 (JSC::Heap::resetAllocators):
14784 (JSC::Heap::updateAllocationLimits):
14785 (JSC::Heap::didFinishCollection):
14786 (JSC::Heap::resumeCompilerThreads):
14787 * heap/Heap.h:
14788
14789 2014-02-27 Ryosuke Niwa <rniwa@webkit.org>
14790
14791 indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
14792 https://bugs.webkit.org/show_bug.cgi?id=129466
14793
14794 Reviewed by Michael Saboff.
14795
14796 Refactored the code to avoid calling JSString::value when needle is longer than haystack.
14797
14798 * runtime/StringPrototype.cpp:
14799 (JSC::stringProtoFuncIndexOf):
14800 (JSC::stringProtoFuncLastIndexOf):
14801
14802 2014-02-27 Timothy Hatcher <timothy@apple.com>
14803
14804 Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
14805
14806 https://bugs.webkit.org/show_bug.cgi?id=129458
14807
14808 Reviewed by Joseph Pecoraro.
14809
14810 * inspector/ContentSearchUtilities.cpp:
14811 (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
14812 (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
14813 line ending type and don't try to strip the line ending. Use size_t.
14814 (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
14815 This will include the line ending in the lines, but that is okay.
14816 (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
14817 (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
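
The line-splitting approach this entry describes, as an added JavaScript example that is not JavaScriptCore's Inspector code: lines are found with a findNextLineStart-style scan that accepts "\n", "\r\n" and a lone "\r", each line keeps its own terminator, and a character offset is mapped to a (line, column) pair from the actual line lengths rather than an assumed terminator width. The function names `findNextLineStart`, `lineEndings` and `textPositionFromOffset` mirror the entry; their bodies and the sample text are written here.

```javascript
// Added example (not JavaScriptCore's Inspector code): split text into lines
// that keep their own terminator, accepting "\n", "\r\n" and a lone "\r",
// and map a character offset to a (line, column) pair from the real line
// lengths instead of a fixed terminator width.

// Index just past the terminator of the line that contains `start`,
// or text.length when no further terminator exists.
function findNextLineStart(text, start) {
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (c === '\n') return i + 1;
    if (c === '\r') return text[i + 1] === '\n' ? i + 2 : i + 1; // "\r\n" counts once
  }
  return text.length;
}

// Lines of `text`, each including its terminator (a trailing
// terminator-less fragment is still a line).
function lineEndings(text) {
  const lines = [];
  let start = 0;
  while (start < text.length) {
    const next = findNextLineStart(text, start);
    lines.push(text.slice(start, next));
    start = next;
  }
  return lines;
}

// Zero-based line and column of `offset`. Offsets inside a terminator belong
// to the line that terminator ends; an offset at the very end of the text
// resolves to the last line.
function textPositionFromOffset(text, offset) {
  let line = 0;
  let lineStart = 0;
  for (;;) {
    const next = findNextLineStart(text, lineStart);
    if (offset < next || next === text.length) {
      return { line, column: offset - lineStart };
    }
    line++;
    lineStart = next;
  }
}

// Constructed sample mixing all three terminators.
const SAMPLE_TEXT = 'first\r\nsecond\rthird\nfourth';

// Demo when run directly.
console.log(lineEndings(SAMPLE_TEXT).map(l => JSON.stringify(l)));
console.log(textPositionFromOffset(SAMPLE_TEXT, 14)); // { line: 2, column: 0 }
```

Because every line carries its own terminator, the column of an offset never depends on whether the preceding lines ended in one or two characters, which is exactly the assumption the entry removes from textPositionFromOffset.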
14818
14819 2014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14820
14821 [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
14822 https://bugs.webkit.org/show_bug.cgi?id=129446
14823
14824 Reviewed by Timothy Hatcher.
14825
14826 Remove duplicate header entries in Copy Header build phase.
14827
14828 * JavaScriptCore.xcodeproj/project.pbxproj:
14829
14830 2014-02-27 Oliver Hunt <oliver@apple.com>
14831
14832 Whoops, include all of last patch.
14833
14834 * jit/JITCall32_64.cpp:
14835 (JSC::JIT::compileLoadVarargs):
14836
14837 2014-02-27 Oliver Hunt <oliver@apple.com>
14838
14839 Slow cases for function.apply and function.call should not require vm re-entry
14840 https://bugs.webkit.org/show_bug.cgi?id=129454
14841
14842 Reviewed by Geoffrey Garen.
14843
14844 Implement call and apply using builtins. Happily, the use
14845 of @call and @apply doesn't perform function equality checks
14846 and just plants direct var_args calls. This did expose a few
14847 codegen issues, but they're all covered by existing tests
14848 once call and apply are implemented in JS.
14849
14850 * JavaScriptCore.xcodeproj/project.pbxproj:
14851 * builtins/Function.prototype.js: Added.
14852 (call):
14853 (apply):
14854 * bytecompiler/NodesCodegen.cpp:
14855 (JSC::CallFunctionCallDotNode::emitBytecode):
14856 (JSC::ApplyFunctionCallDotNode::emitBytecode):
14857 * dfg/DFGCapabilities.cpp:
14858 (JSC::DFG::capabilityLevel):
14859 * interpreter/Interpreter.cpp:
14860 (JSC::sizeFrameForVarargs):
14861 (JSC::loadVarargs):
14862 * interpreter/Interpreter.h:
14863 * jit/JITCall.cpp:
14864 (JSC::JIT::compileLoadVarargs):
14865 * parser/ASTBuilder.h:
14866 (JSC::ASTBuilder::makeFunctionCallNode):
14867 * parser/Lexer.cpp:
14868 (JSC::isSafeBuiltinIdentifier):
14869 * runtime/CommonIdentifiers.h:
14870 * runtime/FunctionPrototype.cpp:
14871 (JSC::FunctionPrototype::addFunctionProperties):
14872 * runtime/JSObject.cpp:
14873 (JSC::JSObject::putDirectBuiltinFunction):
14874 (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
14875 * runtime/JSObject.h:
14876
14877 2014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14878
14879 Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
14880 https://bugs.webkit.org/show_bug.cgi?id=129443
14881
14882 Reviewed by Timothy Hatcher.
14883
14884 This queue is specific to the JSContext debuggable connections,
14885 there is no XPC involved. Give it a better name.
14886
14887 * inspector/remote/RemoteInspectorDebuggableConnection.mm:
14888 (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
14889
14890 2014-02-27 David Kilzer <ddkilzer@apple.com>
14891
14892 Remove jsc symlink if it already exists
14893
14894 This is a follow-up fix for:
14895
14896 Create symlink to /usr/local/bin/jsc during installation
14897 <http://webkit.org/b/129399>
14898 <rdar://problem/16168734>
14899
14900 * JavaScriptCore.xcodeproj/project.pbxproj:
14901 (Create /usr/local/bin/jsc symlink): If a jsc symlink already
14902 exists where we're about to create the symlink, remove the old
14903 one first.
14904
14905 2014-02-27 Michael Saboff <msaboff@apple.com>
14906
14907 Unreviewed build fix for Mac tools after r164814
14908
14909 * Configurations/ToolExecutable.xcconfig:
14910 - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
14911 * JavaScriptCore.xcodeproj/project.pbxproj:
14912 - Changed productName to testRegExp for testRegExp target.
14913
14914 2014-02-27 Joseph Pecoraro <pecoraro@apple.com>
14915
14916 Web Inspector: JSContext inspection should report exceptions in the console
14917 https://bugs.webkit.org/show_bug.cgi?id=128776
14918
14919 Reviewed by Timothy Hatcher.
14920
14921 When JavaScript API functions have an exception, let the inspector
14922 know so it can log the JavaScript and Native backtrace that caused
14923 the exception.
14924
14925 Include some clean up of ConsoleMessage and ScriptCallStack construction.
14926
14927 * API/JSBase.cpp:
14928 (JSEvaluateScript):
14929 (JSCheckScriptSyntax):
14930 * API/JSObjectRef.cpp:
14931 (JSObjectMakeFunction):
14932 (JSObjectMakeArray):
14933 (JSObjectMakeDate):
14934 (JSObjectMakeError):
14935 (JSObjectMakeRegExp):
14936 (JSObjectGetProperty):
14937 (JSObjectSetProperty):
14938 (JSObjectGetPropertyAtIndex):
14939 (JSObjectSetPropertyAtIndex):
14940 (JSObjectDeleteProperty):
14941 (JSObjectCallAsFunction):
14942 (JSObjectCallAsConstructor):
14943 * API/JSValue.mm:
14944 (reportExceptionToInspector):
14945 (valueToArray):
14946 (valueToDictionary):
14947 * API/JSValueRef.cpp:
14948 (JSValueIsEqual):
14949 (JSValueIsInstanceOfConstructor):
14950 (JSValueCreateJSONString):
14951 (JSValueToNumber):
14952 (JSValueToStringCopy):
14953 (JSValueToObject):
14954 When seeing an exception, let the inspector know there was an exception.
14955
14956 * inspector/JSGlobalObjectInspectorController.h:
14957 * inspector/JSGlobalObjectInspectorController.cpp:
14958 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
14959 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
14960 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
14961 Log API exceptions by also grabbing the native backtrace.
14962
14963 * inspector/ScriptCallStack.h:
14964 * inspector/ScriptCallStack.cpp:
14965 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
14966 (Inspector::ScriptCallStack::append):
14967 Minor extensions to ScriptCallStack to make it easier to work with.
14968
14969 * inspector/ConsoleMessage.cpp:
14970 (Inspector::ConsoleMessage::ConsoleMessage):
14971 (Inspector::ConsoleMessage::autogenerateMetadata):
14972 Provide better default information if the first call frame was native.
14973
14974 * inspector/ScriptCallStackFactory.cpp:
14975 (Inspector::createScriptCallStack):
14976 (Inspector::extractSourceInformationFromException):
14977 (Inspector::createScriptCallStackFromException):
14978 Perform the handling here of inserting a fake call frame for exceptions
14979 if there was no call stack (e.g. a SyntaxError) or if the first call
14980 frame had no information.
14981
14982 * inspector/ConsoleMessage.cpp:
14983 (Inspector::ConsoleMessage::ConsoleMessage):
14984 (Inspector::ConsoleMessage::autogenerateMetadata):
14985 * inspector/ConsoleMessage.h:
14986 * inspector/ScriptCallStackFactory.cpp:
14987 (Inspector::createScriptCallStack):
14988 (Inspector::createScriptCallStackForConsole):
14989 * inspector/ScriptCallStackFactory.h:
14990 * inspector/agents/InspectorConsoleAgent.cpp:
14991 (Inspector::InspectorConsoleAgent::enable):
14992 (Inspector::InspectorConsoleAgent::addMessageToConsole):
14993 (Inspector::InspectorConsoleAgent::count):
14994 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
14995 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
14996 ConsoleMessage cleanup.
14997
14998 2014-02-27 David Kilzer <ddkilzer@apple.com>
14999
15000 Create symlink to /usr/local/bin/jsc during installation
15001 <http://webkit.org/b/129399>
15002 <rdar://problem/16168734>
15003
15004 Reviewed by Dan Bernstein.
15005
15006 * JavaScriptCore.xcodeproj/project.pbxproj:
15007 - Add "Create /usr/local/bin/jsc symlink" build phase script to
15008 create the symlink during installation.
15009
15010 2014-02-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
15011
15012 Math.{max, min}() must not return after first NaN value
15013 https://bugs.webkit.org/show_bug.cgi?id=104147
15014
15015 Reviewed by Oliver Hunt.
15016
15017 According to the spec, ToNumber is going to be called on each argument
15018 even if a `NaN` value was already found.
15019
15020 * runtime/MathObject.cpp:
15021 (JSC::mathProtoFuncMax):
15022 (JSC::mathProtoFuncMin):
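
The spec behaviour this entry restores, as an added JavaScript example (not JavaScriptCore code and not one of its test files): a Math.max/Math.min written in the order the spec gives, with ToNumber applied to every argument, next to the short-circuiting variant that returns at the first NaN. The two are told apart from script through valueOf side effects. The names `specMax`, `specMin`, `shortCircuitMax`, `probe` and `observeConversions` are chosen here.

```javascript
// Added example (not JavaScriptCore's code or tests): Math.max/Math.min
// written the way the spec orders them, with ToNumber applied to every
// argument, beside the short-circuiting variant that returns at the first
// NaN. The two are distinguishable from script through valueOf side effects.

// Spec-style max: every argument goes through ToNumber (here Number()),
// NaN propagates but does not stop the loop, and +0 ranks above -0.
function specMax(...args) {
  let result = -Infinity;
  for (const arg of args) {
    const n = Number(arg); // may run a user-defined valueOf / toString
    if (Number.isNaN(n) || Number.isNaN(result)) {
      result = NaN;
    } else if (n > result || (n === 0 && result === 0 && Object.is(result, -0))) {
      result = n;
    }
  }
  return result;
}

// Spec-style min: same shape, -0 ranks below +0.
function specMin(...args) {
  let result = Infinity;
  for (const arg of args) {
    const n = Number(arg);
    if (Number.isNaN(n) || Number.isNaN(result)) {
      result = NaN;
    } else if (n < result || (n === 0 && result === 0 && Object.is(result, 0))) {
      result = n;
    }
  }
  return result;
}

// The behaviour the entry fixes: bail out at the first NaN, so conversions
// of later arguments never happen.
function shortCircuitMax(...args) {
  let result = -Infinity;
  for (const arg of args) {
    const n = Number(arg);
    if (Number.isNaN(n)) return NaN; // skips the remaining valueOf calls
    if (n > result) result = n;
  }
  return result;
}

// An argument whose conversion is observable: valueOf logs its name.
function probe(log, name, value) {
  return { valueOf() { log.push(name); return value; } };
}

// Call `fn` with a probe, a NaN, then another probe; report the result and
// which probes were actually converted.
function observeConversions(fn) {
  const log = [];
  const result = fn(probe(log, 'a', 1), NaN, probe(log, 'b', 2));
  return { result, log };
}

console.log('specMax     ', observeConversions(specMax).log);         // [ 'a', 'b' ]
console.log('shortCircuit', observeConversions(shortCircuitMax).log); // [ 'a' ]
console.log('Math.max    ', observeConversions(Math.max).log);        // [ 'a', 'b' ] on a conforming engine
```

Running `observeConversions` against an engine's own Math.max is the quick conformance check: a log of only `a` means the engine stopped converting at the NaN, which is the bug this entry removes.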
15023
15024 2014-02-27 Gergo Balogh <gbalogh.u-szeged@partner.samsung.com>
15025
15026 JSType upper limit (0xff) assertion can be removed.
15027 https://bugs.webkit.org/show_bug.cgi?id=129424
15028
15029 Reviewed by Geoffrey Garen.
15030
15031 * runtime/JSTypeInfo.h:
15032 (JSC::TypeInfo::TypeInfo):
15033
15034 2014-02-26 Michael Saboff <msaboff@apple.com>
15035
15036 Auto generate bytecode information for bytecode parser and LLInt
15037 https://bugs.webkit.org/show_bug.cgi?id=129181
15038
15039 Reviewed by Mark Lam.
15040
15041 Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
15042 helpers. It also includes bytecode length and other information used to generate files.
15043 Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
15044 in DerivedSources/JavaScriptCore/.
15045
15046 Added the generation of these files to the "DerivedSource" build step.
15047 Slightly changed the build order, since the Bytecodes.h file is needed by
15048 JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
15049 to be run after JSCLLIntOffsetsExtractor.
15050
15051 Made related changes to OPCODE macros and their use.
15052
15053 Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
15054 jsc to resolve Mac build issue.
15055
15056 * CMakeLists.txt:
15057 * Configurations/JSC.xcconfig:
15058 * DerivedSources.make:
15059 * GNUmakefile.am:
15060 * GNUmakefile.list.am:
15061 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
15062 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
15063 * JavaScriptCore.vcxproj/copy-files.cmd:
15064 * JavaScriptCore.xcodeproj/project.pbxproj:
15065 * bytecode/Opcode.h:
15066 (JSC::padOpcodeName):
15067 * llint/LLIntCLoop.cpp:
15068 (JSC::LLInt::CLoop::initialize):
15069 * llint/LLIntCLoop.h:
15070 * llint/LLIntData.cpp:
15071 (JSC::LLInt::initialize):
15072 * llint/LLIntOpcode.h:
15073 * llint/LowLevelInterpreter.asm:
15074
15075 2014-02-27 Julien Brianceau <jbriance@cisco.com>
15076
15077 Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
15078 https://bugs.webkit.org/show_bug.cgi?id=129420
15079
15080 Reviewed by Geoffrey Garen.
15081
15082 * dfg/DFGSpeculativeJIT.h:
15083 (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
15084 Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
15085
15086 2014-02-27 Filip Pizlo <fpizlo@apple.com>
15087
15088 Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
15089 https://bugs.webkit.org/show_bug.cgi?id=129435
15090
15091 Reviewed by Oliver Hunt.
15092
15093 This is a 5-10% speed-up on Octane/closure.
15094
15095 * interpreter/Interpreter.cpp:
15096 (JSC::Interpreter::execute):
15097 * jsc.cpp:
15098 (GlobalObject::finishCreation):
15099 (functionClearCodeCache):
15100 * runtime/BatchedTransitionOptimizer.h:
15101 (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
15102 (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
15103
15104 2014-02-27 Alexey Proskuryakov <ap@apple.com>
15105
15106 Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
15107
15108 * inspector/scripts: Added property svn:ignore.
15109 * replay/scripts: Added property svn:ignore.
15110
15111 2014-02-27 Gabor Rapcsanyi <rgabor@webkit.org>
15112
15113 r164764 broke the ARM build
15114 https://bugs.webkit.org/show_bug.cgi?id=129415
15115
15116 Reviewed by Zoltan Herczeg.
15117
15118 * assembler/MacroAssemblerARM.h:
15119 (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
15120 (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
15121 (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
15122 (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
15123
15124 2014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
15125
15126 r164764 broke the ARM build
15127 https://bugs.webkit.org/show_bug.cgi?id=129415
15128
15129 Reviewed by Geoffrey Garen.
15130
15131 * assembler/MacroAssemblerARM.h:
15132 (JSC::MacroAssemblerARM::moveWithPatch):
15133
15134 2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
15135
15136 r164764 broke the ARM build
15137 https://bugs.webkit.org/show_bug.cgi?id=129415
15138
15139 Reviewed by Geoffrey Garen.
15140
15141 * assembler/MacroAssemblerARM.h:
15142 (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
15143
15144 2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
15145
15146 EFL build fix
15147
15148 * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
15149 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
15150 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
15151
15152 2014-02-25 Mark Hahnenberg <mhahnenberg@apple.com>
15153
15154 Make JSCells have 32-bit Structure pointers
15155 https://bugs.webkit.org/show_bug.cgi?id=123195
15156
15157 Reviewed by Filip Pizlo.
15158
15159 This patch changes JSCells such that they no longer have a full 64-bit Structure
15160 pointer in their header. Instead they now have a 32-bit index into
15161 a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
15162 pointers.
15163
15164 This change frees up an additional 32 bits of information in our object headers.
15165 We then use this extra space to store the indexing type of the object, the JSType
15166 of the object, some various type flags, and garbage collection data (e.g. mark bit).
15167 Because this inline type information is now faster to read, it pays for the slowdown
15168 incurred by having to perform an extra indirection through the StructureIDTable.
15169
15170 This patch also threads a reference to the current VM through more of the C++ runtime
15171 to offset the cost of having to look up the VM to get the actual Structure pointer.
15172
15173 * API/JSContext.mm:
15174 (-[JSContext setException:]):
15175 (-[JSContext wrapperForObjCObject:]):
15176 (-[JSContext wrapperForJSObject:]):
15177 * API/JSContextRef.cpp:
15178 (JSContextGroupRelease):
15179 (JSGlobalContextRelease):
15180 * API/JSObjectRef.cpp:
15181 (JSObjectIsFunction):
15182 (JSObjectCopyPropertyNames):
15183 * API/JSValue.mm:
15184 (containerValueToObject):
15185 * API/JSWrapperMap.mm:
15186 (tryUnwrapObjcObject):
15187 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
15188 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
15189 * JavaScriptCore.xcodeproj/project.pbxproj:
15190 * assembler/AbstractMacroAssembler.h:
15191 * assembler/MacroAssembler.h:
15192 (JSC::MacroAssembler::patchableBranch32WithPatch):
15193 (JSC::MacroAssembler::patchableBranch32):
15194 * assembler/MacroAssemblerARM64.h:
15195 (JSC::MacroAssemblerARM64::branchPtrWithPatch):
15196 (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
15197 (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
15198 (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
15199 (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
15200 * assembler/MacroAssemblerARMv7.h:
15201 (JSC::MacroAssemblerARMv7::store8):
15202 (JSC::MacroAssemblerARMv7::branch32WithPatch):
15203 (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
15204 (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
15205 (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
15206 (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
15207 * assembler/MacroAssemblerX86.h:
15208 (JSC::MacroAssemblerX86::branch32WithPatch):
15209 (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
15210 (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
15211 (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
15212 * assembler/MacroAssemblerX86_64.h:
15213 (JSC::MacroAssemblerX86_64::store32):
15214 (JSC::MacroAssemblerX86_64::moveWithPatch):
15215 (JSC::MacroAssemblerX86_64::branch32WithPatch):
15216 (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
15217 (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
15218 (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
15219 (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
15220 * assembler/RepatchBuffer.h:
15221 (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
15222 (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
15223 * assembler/X86Assembler.h:
15224 (JSC::X86Assembler::revertJumpTo_movq_i64r):
15225 (JSC::X86Assembler::revertJumpTo_movl_i32r):
15226 * bytecode/ArrayProfile.cpp:
15227 (JSC::ArrayProfile::computeUpdatedPrediction):
15228 * bytecode/ArrayProfile.h:
15229 (JSC::ArrayProfile::ArrayProfile):
15230 (JSC::ArrayProfile::addressOfLastSeenStructureID):
15231 (JSC::ArrayProfile::observeStructure):
15232 * bytecode/CodeBlock.h:
15233 (JSC::CodeBlock::heap):
15234 * bytecode/UnlinkedCodeBlock.h:
15235 * debugger/Debugger.h:
15236 * dfg/DFGAbstractHeap.h:
15237 * dfg/DFGArrayifySlowPathGenerator.h:
15238 * dfg/DFGClobberize.h:
15239 (JSC::DFG::clobberize):
15240 * dfg/DFGJITCompiler.h:
15241 (JSC::DFG::JITCompiler::branchWeakStructure):
15242 (JSC::DFG::JITCompiler::branchStructurePtr):
15243 * dfg/DFGOSRExitCompiler32_64.cpp:
15244 (JSC::DFG::OSRExitCompiler::compileExit):
15245 * dfg/DFGOSRExitCompiler64.cpp:
15246 (JSC::DFG::OSRExitCompiler::compileExit):
15247 * dfg/DFGOSRExitCompilerCommon.cpp:
15248 (JSC::DFG::osrWriteBarrier):
15249 (JSC::DFG::adjustAndJumpToTarget):
15250 * dfg/DFGOperations.cpp:
15251 (JSC::DFG::putByVal):
15252 * dfg/DFGSpeculativeJIT.cpp:
15253 (JSC::DFG::SpeculativeJIT::checkArray):
15254 (JSC::DFG::SpeculativeJIT::arrayify):
15255 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
15256 (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
15257 (JSC::DFG::SpeculativeJIT::compileInstanceOf):
15258 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
15259 (JSC::DFG::SpeculativeJIT::speculateObject):
15260 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
15261 (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
15262 (JSC::DFG::SpeculativeJIT::speculateString):
15263 (JSC::DFG::SpeculativeJIT::speculateStringObject):
15264 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
15265 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
15266 (JSC::DFG::SpeculativeJIT::emitSwitchString):
15267 (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
15268 (JSC::DFG::SpeculativeJIT::writeBarrier):
15269 * dfg/DFGSpeculativeJIT.h:
15270 (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
15271 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
15272 * dfg/DFGSpeculativeJIT32_64.cpp:
15273 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
15274 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
15275 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
15276 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
15277 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
15278 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
15279 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
15280 (JSC::DFG::SpeculativeJIT::compile):
15281 (JSC::DFG::SpeculativeJIT::writeBarrier):
15282 * dfg/DFGSpeculativeJIT64.cpp:
15283 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
15284 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
15285 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
15286 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
15287 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
15288 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
15289 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
15290 (JSC::DFG::SpeculativeJIT::compile):
15291 (JSC::DFG::SpeculativeJIT::writeBarrier):
15292 * dfg/DFGWorklist.cpp:
15293 * ftl/FTLAbstractHeapRepository.cpp:
15294 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
15295 * ftl/FTLAbstractHeapRepository.h:
15296 * ftl/FTLLowerDFGToLLVM.cpp:
15297 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
15298 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
15299 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
15300 (JSC::FTL::LowerDFGToLLVM::compileToString):
15301 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
15302 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
15303 (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
15304 (JSC::FTL::LowerDFGToLLVM::allocateCell):
15305 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
15306 (JSC::FTL::LowerDFGToLLVM::isObject):
15307 (JSC::FTL::LowerDFGToLLVM::isString):
15308 (JSC::FTL::LowerDFGToLLVM::isArrayType):
15309 (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
15310 (JSC::FTL::LowerDFGToLLVM::isType):
15311 (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
15312 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
15313 (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
15314 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
15315 (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
15316 (JSC::FTL::LowerDFGToLLVM::loadStructure):
15317 (JSC::FTL::LowerDFGToLLVM::weakStructure):
15318 * ftl/FTLOSRExitCompiler.cpp:
15319 (JSC::FTL::compileStub):
15320 * ftl/FTLOutput.h:
15321 (JSC::FTL::Output::store8):
15322 * heap/GCAssertions.h:
15323 * heap/Heap.cpp:
15324 (JSC::Heap::getConservativeRegisterRoots):
15325 (JSC::Heap::collect):
15326 (JSC::Heap::writeBarrier):
15327 * heap/Heap.h:
15328 (JSC::Heap::structureIDTable):
15329 * heap/MarkedSpace.h:
15330 (JSC::MarkedSpace::forEachBlock):
15331 * heap/SlotVisitorInlines.h:
15332 (JSC::SlotVisitor::internalAppend):
15333 * jit/AssemblyHelpers.h:
15334 (JSC::AssemblyHelpers::branchIfCellNotObject):
15335 (JSC::AssemblyHelpers::genericWriteBarrier):
15336 (JSC::AssemblyHelpers::emitLoadStructure):
15337 (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
15338 * jit/JIT.h:
15339 * jit/JITCall.cpp:
15340 (JSC::JIT::compileOpCall):
15341 (JSC::JIT::privateCompileClosureCall):
15342 * jit/JITCall32_64.cpp:
15343 (JSC::JIT::emit_op_ret_object_or_this):
15344 (JSC::JIT::compileOpCall):
15345 (JSC::JIT::privateCompileClosureCall):
15346 * jit/JITInlineCacheGenerator.cpp:
15347 (JSC::JITByIdGenerator::generateFastPathChecks):
15348 * jit/JITInlineCacheGenerator.h:
15349 * jit/JITInlines.h:
15350 (JSC::JIT::emitLoadCharacterString):
15351 (JSC::JIT::checkStructure):
15352 (JSC::JIT::emitJumpIfCellNotObject):
15353 (JSC::JIT::emitAllocateJSObject):
15354 (JSC::JIT::emitArrayProfilingSiteWithCell):
15355 (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
15356 (JSC::JIT::branchStructure):
15357 (JSC::branchStructure):
15358 * jit/JITOpcodes.cpp:
15359 (JSC::JIT::emit_op_check_has_instance):
15360 (JSC::JIT::emit_op_instanceof):
15361 (JSC::JIT::emit_op_is_undefined):
15362 (JSC::JIT::emit_op_is_string):
15363 (JSC::JIT::emit_op_ret_object_or_this):
15364 (JSC::JIT::emit_op_to_primitive):
15365 (JSC::JIT::emit_op_jeq_null):
15366 (JSC::JIT::emit_op_jneq_null):
15367 (JSC::JIT::emit_op_get_pnames):
15368 (JSC::JIT::emit_op_next_pname):
15369 (JSC::JIT::emit_op_eq_null):
15370 (JSC::JIT::emit_op_neq_null):
15371 (JSC::JIT::emit_op_to_this):
15372 (JSC::JIT::emitSlow_op_to_this):
15373 * jit/JITOpcodes32_64.cpp:
15374 (JSC::JIT::emit_op_check_has_instance):
15375 (JSC::JIT::emit_op_instanceof):
15376 (JSC::JIT::emit_op_is_undefined):
15377 (JSC::JIT::emit_op_is_string):
15378 (JSC::JIT::emit_op_to_primitive):
15379 (JSC::JIT::emit_op_jeq_null):
15380 (JSC::JIT::emit_op_jneq_null):
15381 (JSC::JIT::emitSlow_op_eq):
15382 (JSC::JIT::emitSlow_op_neq):
15383 (JSC::JIT::compileOpStrictEq):
15384 (JSC::JIT::emit_op_eq_null):
15385 (JSC::JIT::emit_op_neq_null):
15386 (JSC::JIT::emit_op_get_pnames):
15387 (JSC::JIT::emit_op_next_pname):
15388 (JSC::JIT::emit_op_to_this):
15389 * jit/JITOperations.cpp:
15390 * jit/JITPropertyAccess.cpp:
15391 (JSC::JIT::stringGetByValStubGenerator):
15392 (JSC::JIT::emit_op_get_by_val):
15393 (JSC::JIT::emitSlow_op_get_by_val):
15394 (JSC::JIT::emit_op_get_by_pname):
15395 (JSC::JIT::emit_op_put_by_val):
15396 (JSC::JIT::emit_op_get_by_id):
15397 (JSC::JIT::emitLoadWithStructureCheck):
15398 (JSC::JIT::emitSlow_op_get_from_scope):
15399 (JSC::JIT::emitSlow_op_put_to_scope):
15400 (JSC::JIT::checkMarkWord):
15401 (JSC::JIT::emitWriteBarrier):
15402 (JSC::JIT::addStructureTransitionCheck):
15403 (JSC::JIT::emitIntTypedArrayGetByVal):
15404 (JSC::JIT::emitFloatTypedArrayGetByVal):
15405 (JSC::JIT::emitIntTypedArrayPutByVal):
15406 (JSC::JIT::emitFloatTypedArrayPutByVal):
15407 * jit/JITPropertyAccess32_64.cpp:
15408 (JSC::JIT::stringGetByValStubGenerator):
15409 (JSC::JIT::emit_op_get_by_val):
15410 (JSC::JIT::emitSlow_op_get_by_val):
15411 (JSC::JIT::emit_op_put_by_val):
15412 (JSC::JIT::emit_op_get_by_id):
15413 (JSC::JIT::emit_op_get_by_pname):
15414 (JSC::JIT::emitLoadWithStructureCheck):
15415 * jit/JSInterfaceJIT.h:
15416 (JSC::JSInterfaceJIT::emitJumpIfNotType):
15417 * jit/Repatch.cpp:
15418 (JSC::repatchByIdSelfAccess):
15419 (JSC::addStructureTransitionCheck):
15420 (JSC::replaceWithJump):
15421 (JSC::generateProtoChainAccessStub):
15422 (JSC::tryCacheGetByID):
15423 (JSC::tryBuildGetByIDList):
15424 (JSC::writeBarrier):
15425 (JSC::emitPutReplaceStub):
15426 (JSC::emitPutTransitionStub):
15427 (JSC::tryBuildPutByIdList):
15428 (JSC::tryRepatchIn):
15429 (JSC::linkClosureCall):
15430 (JSC::resetGetByID):
15431 (JSC::resetPutByID):
15432 * jit/SpecializedThunkJIT.h:
15433 (JSC::SpecializedThunkJIT::loadJSStringArgument):
15434 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
15435 * jit/ThunkGenerators.cpp:
15436 (JSC::virtualForThunkGenerator):
15437 (JSC::arrayIteratorNextThunkGenerator):
15438 * jit/UnusedPointer.h:
15439 * llint/LowLevelInterpreter.asm:
15440 * llint/LowLevelInterpreter32_64.asm:
15441 * llint/LowLevelInterpreter64.asm:
15442 * runtime/Arguments.cpp:
15443 (JSC::Arguments::createStrictModeCallerIfNecessary):
15444 (JSC::Arguments::createStrictModeCalleeIfNecessary):
15445 * runtime/Arguments.h:
15446 (JSC::Arguments::createStructure):
15447 * runtime/ArrayPrototype.cpp:
15448 (JSC::shift):
15449 (JSC::unshift):
15450 (JSC::arrayProtoFuncToString):
15451 (JSC::arrayProtoFuncPop):
15452 (JSC::arrayProtoFuncReverse):
15453 (JSC::performSlowSort):
15454 (JSC::arrayProtoFuncSort):
15455 (JSC::arrayProtoFuncSplice):
15456 (JSC::arrayProtoFuncUnShift):
15457 * runtime/CommonSlowPaths.cpp:
15458 (JSC::SLOW_PATH_DECL):
15459 * runtime/Executable.h:
15460 (JSC::ExecutableBase::isFunctionExecutable):
15461 (JSC::ExecutableBase::clearCodeVirtual):
15462 (JSC::ScriptExecutable::unlinkCalls):
15463 * runtime/GetterSetter.cpp:
15464 (JSC::callGetter):
15465 (JSC::callSetter):
15466 * runtime/InitializeThreading.cpp:
15467 * runtime/JSArray.cpp:
15468 (JSC::JSArray::unshiftCountSlowCase):
15469 (JSC::JSArray::setLength):
15470 (JSC::JSArray::pop):
15471 (JSC::JSArray::push):
15472 (JSC::JSArray::shiftCountWithArrayStorage):
15473 (JSC::JSArray::shiftCountWithAnyIndexingType):
15474 (JSC::JSArray::unshiftCountWithArrayStorage):
15475 (JSC::JSArray::unshiftCountWithAnyIndexingType):
15476 (JSC::JSArray::sortNumericVector):
15477 (JSC::JSArray::sortNumeric):
15478 (JSC::JSArray::sortCompactedVector):
15479 (JSC::JSArray::sort):
15480 (JSC::JSArray::sortVector):
15481 (JSC::JSArray::fillArgList):
15482 (JSC::JSArray::copyToArguments):
15483 (JSC::JSArray::compactForSorting):
15484 * runtime/JSCJSValueInlines.h:
15485 (JSC::JSValue::toThis):
15486 (JSC::JSValue::put):
15487 (JSC::JSValue::putByIndex):
15488 (JSC::JSValue::equalSlowCaseInline):
15489 * runtime/JSCell.cpp:
15490 (JSC::JSCell::put):
15491 (JSC::JSCell::putByIndex):
15492 (JSC::JSCell::deleteProperty):
15493 (JSC::JSCell::deletePropertyByIndex):
15494 * runtime/JSCell.h:
15495 (JSC::JSCell::clearStructure):
15496 (JSC::JSCell::mark):
15497 (JSC::JSCell::isMarked):
15498 (JSC::JSCell::structureIDOffset):
15499 (JSC::JSCell::typeInfoFlagsOffset):
15500 (JSC::JSCell::typeInfoTypeOffset):
15501 (JSC::JSCell::indexingTypeOffset):
15502 (JSC::JSCell::gcDataOffset):
15503 * runtime/JSCellInlines.h:
15504 (JSC::JSCell::JSCell):
15505 (JSC::JSCell::finishCreation):
15506 (JSC::JSCell::type):
15507 (JSC::JSCell::indexingType):
15508 (JSC::JSCell::structure):
15509 (JSC::JSCell::visitChildren):
15510 (JSC::JSCell::isObject):
15511 (JSC::JSCell::isString):
15512 (JSC::JSCell::isGetterSetter):
15513 (JSC::JSCell::isProxy):
15514 (JSC::JSCell::isAPIValueWrapper):
15515 (JSC::JSCell::setStructure):
15516 (JSC::JSCell::methodTable):
15517 (JSC::Heap::writeBarrier):
15518 * runtime/JSDataView.cpp:
15519 (JSC::JSDataView::createStructure):
15520 * runtime/JSDestructibleObject.h:
15521 (JSC::JSCell::classInfo):
15522 * runtime/JSFunction.cpp:
15523 (JSC::JSFunction::getOwnNonIndexPropertyNames):
15524 (JSC::JSFunction::put):
15525 (JSC::JSFunction::defineOwnProperty):
15526 * runtime/JSGenericTypedArrayView.h:
15527 (JSC::JSGenericTypedArrayView::createStructure):
15528 * runtime/JSObject.cpp:
15529 (JSC::getCallableObjectSlow):
15530 (JSC::JSObject::copyButterfly):
15531 (JSC::JSObject::visitButterfly):
15532 (JSC::JSFinalObject::visitChildren):
15533 (JSC::JSObject::getOwnPropertySlotByIndex):
15534 (JSC::JSObject::put):
15535 (JSC::JSObject::putByIndex):
15536 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
15537 (JSC::JSObject::enterDictionaryIndexingMode):
15538 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
15539 (JSC::JSObject::createInitialIndexedStorage):
15540 (JSC::JSObject::createInitialUndecided):
15541 (JSC::JSObject::createInitialInt32):
15542 (JSC::JSObject::createInitialDouble):
15543 (JSC::JSObject::createInitialContiguous):
15544 (JSC::JSObject::createArrayStorage):
15545 (JSC::JSObject::convertUndecidedToInt32):
15546 (JSC::JSObject::convertUndecidedToDouble):
15547 (JSC::JSObject::convertUndecidedToContiguous):
15548 (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
15549 (JSC::JSObject::convertUndecidedToArrayStorage):
15550 (JSC::JSObject::convertInt32ToDouble):
15551 (JSC::JSObject::convertInt32ToContiguous):
15552 (JSC::JSObject::convertInt32ToArrayStorage):
15553 (JSC::JSObject::genericConvertDoubleToContiguous):
15554 (JSC::JSObject::convertDoubleToArrayStorage):
15555 (JSC::JSObject::convertContiguousToArrayStorage):
15556 (JSC::JSObject::ensureInt32Slow):
15557 (JSC::JSObject::ensureDoubleSlow):
15558 (JSC::JSObject::ensureContiguousSlow):
15559 (JSC::JSObject::ensureArrayStorageSlow):
15560 (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
15561 (JSC::JSObject::switchToSlowPutArrayStorage):
15562 (JSC::JSObject::setPrototype):
15563 (JSC::JSObject::setPrototypeWithCycleCheck):
15564 (JSC::JSObject::putDirectNonIndexAccessor):
15565 (JSC::JSObject::deleteProperty):
15566 (JSC::JSObject::hasOwnProperty):
15567 (JSC::JSObject::deletePropertyByIndex):
15568 (JSC::JSObject::getPrimitiveNumber):
15569 (JSC::JSObject::hasInstance):
15570 (JSC::JSObject::getPropertySpecificValue):
15571 (JSC::JSObject::getPropertyNames):
15572 (JSC::JSObject::getOwnPropertyNames):
15573 (JSC::JSObject::getOwnNonIndexPropertyNames):
15574 (JSC::JSObject::seal):
15575 (JSC::JSObject::freeze):
15576 (JSC::JSObject::preventExtensions):
15577 (JSC::JSObject::reifyStaticFunctionsForDelete):
15578 (JSC::JSObject::removeDirect):
15579 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
15580 (JSC::JSObject::putByIndexBeyondVectorLength):
15581 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
15582 (JSC::JSObject::putDirectIndexBeyondVectorLength):
15583 (JSC::JSObject::getNewVectorLength):
15584 (JSC::JSObject::countElements):
15585 (JSC::JSObject::increaseVectorLength):
15586 (JSC::JSObject::ensureLengthSlow):
15587 (JSC::JSObject::growOutOfLineStorage):
15588 (JSC::JSObject::getOwnPropertyDescriptor):
15589 (JSC::putDescriptor):
15590 (JSC::JSObject::defineOwnNonIndexProperty):
15591 * runtime/JSObject.h:
15592 (JSC::getJSFunction):
15593 (JSC::JSObject::getArrayLength):
15594 (JSC::JSObject::getVectorLength):
15595 (JSC::JSObject::putByIndexInline):
15596 (JSC::JSObject::canGetIndexQuickly):
15597 (JSC::JSObject::getIndexQuickly):
15598 (JSC::JSObject::tryGetIndexQuickly):
15599 (JSC::JSObject::getDirectIndex):
15600 (JSC::JSObject::canSetIndexQuickly):
15601 (JSC::JSObject::canSetIndexQuicklyForPutDirect):
15602 (JSC::JSObject::setIndexQuickly):
15603 (JSC::JSObject::initializeIndex):
15604 (JSC::JSObject::hasSparseMap):
15605 (JSC::JSObject::inSparseIndexingMode):
15606 (JSC::JSObject::getDirect):
15607 (JSC::JSObject::getDirectOffset):
15608 (JSC::JSObject::isSealed):
15609 (JSC::JSObject::isFrozen):
15610 (JSC::JSObject::flattenDictionaryObject):
15611 (JSC::JSObject::ensureInt32):
15612 (JSC::JSObject::ensureDouble):
15613 (JSC::JSObject::ensureContiguous):
15614 (JSC::JSObject::rageEnsureContiguous):
15615 (JSC::JSObject::ensureArrayStorage):
15616 (JSC::JSObject::arrayStorage):
15617 (JSC::JSObject::arrayStorageOrNull):
15618 (JSC::JSObject::ensureLength):
15619 (JSC::JSObject::currentIndexingData):
15620 (JSC::JSObject::getHolyIndexQuickly):
15621 (JSC::JSObject::currentRelevantLength):
15622 (JSC::JSObject::isGlobalObject):
15623 (JSC::JSObject::isVariableObject):
15624 (JSC::JSObject::isStaticScopeObject):
15625 (JSC::JSObject::isNameScopeObject):
15626 (JSC::JSObject::isActivationObject):
15627 (JSC::JSObject::isErrorInstance):
15628 (JSC::JSObject::inlineGetOwnPropertySlot):
15629 (JSC::JSObject::fastGetOwnPropertySlot):
15630 (JSC::JSObject::getPropertySlot):
15631 (JSC::JSObject::putDirectInternal):
15632 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
15633 * runtime/JSPropertyNameIterator.h:
15634 (JSC::JSPropertyNameIterator::createStructure):
15635 * runtime/JSProxy.cpp:
15636 (JSC::JSProxy::getOwnPropertySlot):
15637 (JSC::JSProxy::getOwnPropertySlotByIndex):
15638 (JSC::JSProxy::put):
15639 (JSC::JSProxy::putByIndex):
15640 (JSC::JSProxy::defineOwnProperty):
15641 (JSC::JSProxy::deleteProperty):
15642 (JSC::JSProxy::deletePropertyByIndex):
15643 (JSC::JSProxy::getPropertyNames):
15644 (JSC::JSProxy::getOwnPropertyNames):
15645 * runtime/JSScope.cpp:
15646 (JSC::JSScope::objectAtScope):
15647 * runtime/JSString.h:
15648 (JSC::JSString::createStructure):
15649 (JSC::isJSString):
15650 * runtime/JSType.h:
15651 * runtime/JSTypeInfo.h:
15652 (JSC::TypeInfo::TypeInfo):
15653 (JSC::TypeInfo::isObject):
15654 (JSC::TypeInfo::structureIsImmortal):
15655 (JSC::TypeInfo::zeroedGCDataOffset):
15656 (JSC::TypeInfo::inlineTypeFlags):
15657 * runtime/MapData.h:
15658 * runtime/ObjectConstructor.cpp:
15659 (JSC::objectConstructorGetOwnPropertyNames):
15660 (JSC::objectConstructorKeys):
15661 (JSC::objectConstructorDefineProperty):
15662 (JSC::defineProperties):
15663 (JSC::objectConstructorSeal):
15664 (JSC::objectConstructorFreeze):
15665 (JSC::objectConstructorIsSealed):
15666 (JSC::objectConstructorIsFrozen):
15667 * runtime/ObjectPrototype.cpp:
15668 (JSC::objectProtoFuncDefineGetter):
15669 (JSC::objectProtoFuncDefineSetter):
15670 (JSC::objectProtoFuncToString):
15671 * runtime/Operations.cpp:
15672 (JSC::jsTypeStringForValue):
15673 (JSC::jsIsObjectType):
15674 * runtime/Operations.h:
15675 (JSC::normalizePrototypeChainForChainAccess):
15676 (JSC::normalizePrototypeChain):
15677 * runtime/PropertyMapHashTable.h:
15678 (JSC::PropertyTable::createStructure):
15679 * runtime/RegExp.h:
15680 (JSC::RegExp::createStructure):
15681 * runtime/SparseArrayValueMap.h:
15682 * runtime/Structure.cpp:
15683 (JSC::Structure::Structure):
15684 (JSC::Structure::~Structure):
15685 (JSC::Structure::prototypeChainMayInterceptStoreTo):
15686 * runtime/Structure.h:
15687 (JSC::Structure::id):
15688 (JSC::Structure::idBlob):
15689 (JSC::Structure::objectInitializationFields):
15690 (JSC::Structure::structureIDOffset):
15691 * runtime/StructureChain.h:
15692 (JSC::StructureChain::createStructure):
15693 * runtime/StructureIDTable.cpp: Added.
15694 (JSC::StructureIDTable::StructureIDTable):
15695 (JSC::StructureIDTable::~StructureIDTable):
15696 (JSC::StructureIDTable::resize):
15697 (JSC::StructureIDTable::flushOldTables):
15698 (JSC::StructureIDTable::allocateID):
15699 (JSC::StructureIDTable::deallocateID):
15700 * runtime/StructureIDTable.h: Added.
15701 (JSC::StructureIDTable::base):
15702 (JSC::StructureIDTable::get):
15703 * runtime/SymbolTable.h:
15704 * runtime/TypedArrayType.cpp:
15705 (JSC::typeForTypedArrayType):
15706 * runtime/TypedArrayType.h:
15707 * runtime/WeakMapData.h:
15708
15709 2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
15710
15711 Unconditional logging in compileFTLOSRExit
15712 https://bugs.webkit.org/show_bug.cgi?id=129407
15713
15714 Reviewed by Michael Saboff.
15715
15716 This was causing tests to fail with the FTL enabled.
15717
15718 * ftl/FTLOSRExitCompiler.cpp:
15719 (JSC::FTL::compileFTLOSRExit):
15720
15721 2014-02-26 Oliver Hunt <oliver@apple.com>
15722
15723 Remove unused access types
15724 https://bugs.webkit.org/show_bug.cgi?id=129385
15725
15726 Reviewed by Filip Pizlo.
15727
15728 Remove unused cruft.
15729
15730 * bytecode/CodeBlock.cpp:
15731 (JSC::CodeBlock::printGetByIdCacheStatus):
15732 * bytecode/StructureStubInfo.cpp:
15733 (JSC::StructureStubInfo::deref):
15734 * bytecode/StructureStubInfo.h:
15735 (JSC::isGetByIdAccess):
15736 (JSC::isPutByIdAccess):
15737
15738 2014-02-26 Oliver Hunt <oliver@apple.com>
15739
15740 Function.prototype.apply has a bad time with the spread operator
15741 https://bugs.webkit.org/show_bug.cgi?id=129381
15742
15743 Reviewed by Mark Hahnenberg.
15744
15745 Make sure our apply logic handles the spread operator correctly.
15746 To do this we simply emit the enumeration logic that we'd normally
15747 use for other enumerations, but only store the first two results
15748 to registers. Then perform a varargs call.
15749
15750 * bytecompiler/NodesCodegen.cpp:
15751 (JSC::ApplyFunctionCallDotNode::emitBytecode):
15752
15753 2014-02-26 Mark Lam <mark.lam@apple.com>
15754
15755 Compilation policy management belongs in operationOptimize(), not the DFG Driver.
15756 <https://webkit.org/b/129355>
15757
15758 Reviewed by Filip Pizlo.
15759
15760 By compilation policy, I mean the rules for determining whether to
15761 compile, when to compile, when to attempt compilation again, etc. The
15762 few of these policy decisions that were previously being made in the
15763 DFG driver are now moved to operationOptimize() where we keep the rest
15764 of the policy logic. Decisions that are based on the capabilities
15765 supported by the DFG are moved to DFG capabilityLevel().
15766
15767 I've run the following benchmarks:
15768 1. the collection of jsc benchmarks on the jsc executable vs. its
15769 baseline.
15770 2. Octane 2.0 in browser without the WebInspector.
15771 3. Octane 2.0 in browser with the WebInspector open and a breakpoint
15772 set somewhere where it won't break.
15773
15774 In all of these, the results came out to be a wash as expected.
15775
15776 * dfg/DFGCapabilities.cpp:
15777 (JSC::DFG::isSupported):
15778 (JSC::DFG::mightCompileEval):
15779 (JSC::DFG::mightCompileProgram):
15780 (JSC::DFG::mightCompileFunctionForCall):
15781 (JSC::DFG::mightCompileFunctionForConstruct):
15782 (JSC::DFG::mightInlineFunctionForCall):
15783 (JSC::DFG::mightInlineFunctionForClosureCall):
15784 (JSC::DFG::mightInlineFunctionForConstruct):
15785 * dfg/DFGCapabilities.h:
15786 * dfg/DFGDriver.cpp:
15787 (JSC::DFG::compileImpl):
15788 * jit/JITOperations.cpp:
15789
15790 2014-02-26 Mark Lam <mark.lam@apple.com>
15791
15792 ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
15793 <https://webkit.org/b/129364>
15794
15795 Reviewed by Alexey Proskuryakov.
15796
15797 InjectedScriptModule::ensureInjected() needs an APIEntryShim.
15798
15799 * inspector/InjectedScriptModule.cpp:
15800 (Inspector::InjectedScriptModule::ensureInjected):
15801 - Added the needed but missing APIEntryShim.
15802
15803 2014-02-25 Mark Lam <mark.lam@apple.com>
15804
15805 Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
15806 <https://webkit.org/b/128766>
15807
15808 Reviewed by Geoffrey Garen.
15809
15810 Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
15811 The reasoning is that we don't know of any clients that need unordered
15812 re-entry into the VM from different threads. So, we're enforcing ordered
15813 re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
15814
15815 The crash in this bug happened because we were allowing unordered re-entry,
15816 and the following type of scenario occurred:
15817
15818 1. Thread T1 locks the VM, and enters the VM to execute some JS code.
15819 2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
15820 first time it entered the VM.
15821 T1 sets VM::m_entryScope to T1's entryScope.
15822 3. T1 drops all locks.
15823
15824 4. Thread T2 locks the VM, and enters the VM to execute some JS code.
15825 On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
15826 does not set the entryScope.
15827 5. T2 drops all locks.
15828
15829 6. T1 re-grabs locks.
15830 7. T1 returns all the way out of JS code. On exit from the outermost
15831 JS function, T1 clears VM::m_entryScope (because T1 was the one who
15832 set it).
15833 8. T1 unlocks the VM.
15834
15835 9. T2 re-grabs locks.
15836 10. T2 proceeds to execute some code and expects VM::m_entryScope to be
15837 NOT null, but it turns out to be null. Assertion failures and
15838 crashes ensue.
15839
15840 With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
15841 the VM. Hence, the issue will no longer manifest.
15842
15843 * runtime/JSLock.cpp:
15844 (JSC::JSLock::dropAllLocks):
15845 (JSC::JSLock::grabAllLocks):
15846 * runtime/JSLock.h:
15847 (JSC::JSLock::DropAllLocks::dropDepth):
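
Added illustration (not JavaScriptCore code): a cooperative, single-threaded simulation of the drop/grab discipline this entry describes. MiniVM, SimThread and the step functions are hypothetical stand-ins for VM::m_entryScope, JSLock::m_lockDropDepth and DropAllLocks::dropDepth; the LIFO rule (only the most recent dropper may re-grab) is an assumption about how ordered re-entry is enforced, not a copy of the real JSLock code. A step that cannot proceed returns false, which is the scheduler's equivalent of "loop and yield". runScenario(false) replays the ten steps above with unordered re-entry and reports the null entry scope; runScenario(true) shows T1 waiting at step 6 until T2 has left the VM.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for VM / JSLock state (assumed names, not JSC code).
struct MiniVM {
    const void* entryScope = nullptr; // VM::m_entryScope analogue: set by the outermost entry only
    int owner = -1;                   // id of the simulated thread holding the lock; -1 = unlocked
    int lockDropDepth = 0;            // JSLock::m_lockDropDepth analogue: outstanding drops
    bool orderedReentry = true;       // true = ordered (LIFO) re-grab, false = old unordered behaviour
};

struct SimThread;
typedef bool (*Step)(MiniVM&, SimThread&); // returns false when the step must wait ("loop and yield")

struct SimThread {
    int id = 0;
    const void* myScope = nullptr;    // address used as this thread's entry scope identity
    int dropDepth = 0;                // DropAllLocks::dropDepth analogue, recorded when dropping
    bool installedEntryScope = false; // true if this thread set vm.entryScope and must clear it on exit
    bool sawNullEntryScope = false;   // the crash condition from step 10
    std::vector<Step> steps;
    std::size_t pc = 0;
};

// Steps 1 and 4: take the VM lock if it is free.
static bool lockStep(MiniVM& vm, SimThread& t) {
    if (vm.owner != -1) return false;
    vm.owner = t.id;
    return true;
}

// Steps 2 and 4: the first thread to enter installs the entry scope; later entries leave it alone.
static bool enterStep(MiniVM& vm, SimThread& t) {
    if (!vm.entryScope) { vm.entryScope = t.myScope; t.installedEntryScope = true; }
    return true;
}

// Steps 3 and 5 (dropAllLocks): record our drop depth and release the lock.
static bool dropStep(MiniVM& vm, SimThread& t) {
    t.dropDepth = ++vm.lockDropDepth;
    vm.owner = -1;
    return true;
}

// Steps 6 and 9 (grabAllLocks): with ordered re-entry only the most recent dropper may proceed;
// anyone else yields until the drop depth unwinds back to theirs.
static bool grabStep(MiniVM& vm, SimThread& t) {
    if (vm.owner != -1) return false;
    if (vm.orderedReentry && t.dropDepth != vm.lockDropDepth) return false;
    --vm.lockDropDepth;
    vm.owner = t.id;
    return true;
}

// Step 10: code running after re-entry relies on the entry scope still being set.
static bool expectEntryScopeStep(MiniVM& vm, SimThread& t) {
    if (!vm.entryScope) t.sawNullEntryScope = true;
    return true;
}

// Step 7: only the thread that installed the entry scope clears it on the way out.
static bool exitStep(MiniVM& vm, SimThread& t) {
    if (t.installedEntryScope) { vm.entryScope = nullptr; t.installedEntryScope = false; }
    return true;
}

// Step 8: release the VM lock.
static bool unlockStep(MiniVM& vm, SimThread&) {
    vm.owner = -1;
    return true;
}

// Replays the two-thread scenario with a deterministic round-robin scheduler.
// Returns true when both threads finish and neither observed a null entry scope.
static bool runScenario(bool orderedReentry) {
    MiniVM vm;
    vm.orderedReentry = orderedReentry;
    int scope1 = 0, scope2 = 0; // dummies whose addresses identify each thread's entry scope
    SimThread t1, t2;
    t1.id = 1; t1.myScope = &scope1;
    t2.id = 2; t2.myScope = &scope2;
    t1.steps = { lockStep, enterStep, dropStep, grabStep, exitStep, unlockStep };
    t2.steps = { lockStep, enterStep, dropStep, grabStep, expectEntryScopeStep, exitStep, unlockStep };
    SimThread* threads[] = { &t1, &t2 };
    for (int spins = 0; spins < 1000; ++spins) { // bounded so a livelock shows up as failure
        bool allDone = true;
        for (SimThread* t : threads) {
            if (t->pc == t->steps.size()) continue;
            allDone = false;
            if (t->steps[t->pc](vm, *t)) ++t->pc; // false means "yield" and retry on the next spin
        }
        if (allDone) return !t1.sawNullEntryScope && !t2.sawNullEntryScope;
    }
    return false;
}

int main() {
    std::printf("unordered re-entry safe: %s\n", runScenario(false) ? "yes" : "no");
    std::printf("ordered re-entry safe:   %s\n", runScenario(true) ? "yes" : "no");
    return 0;
}
```

The scheduler attempts each thread's next step in turn, so T2's lock attempt at step 4 simply fails until T1 has dropped its locks, matching the timeline above. With ordered re-entry T1's grab at step 6 keeps returning false (its recorded drop depth is 1 while the VM's is 2) until T2 has re-grabbed, finished, and unlocked; only then does T1 clear the entry scope, so T2 never sees it null.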
15848
15849 2014-02-25 Mark Lam <mark.lam@apple.com>
15850
15851 Need to initialize VM stack data even when the VM is on an exclusive thread.
15852 <https://webkit.org/b/129265>
15853
15854 Not reviewed.
15855
15856 Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
15857
15858 * API/APIShims.h:
15859 (JSC::APIEntryShim::APIEntryShim):
15860 (JSC::APICallbackShim::shouldDropAllLocks):
15861 * heap/MachineStackMarker.cpp:
15862 (JSC::MachineThreads::addCurrentThread):
15863 * runtime/JSLock.cpp:
15864 (JSC::JSLockHolder::JSLockHolder):
15865 (JSC::JSLockHolder::init):
15866 (JSC::JSLockHolder::~JSLockHolder):
15867 (JSC::JSLock::JSLock):
15868 (JSC::JSLock::setExclusiveThread):
15869 (JSC::JSLock::lock):
15870 (JSC::JSLock::unlock):
15871 (JSC::JSLock::currentThreadIsHoldingLock):
15872 (JSC::JSLock::dropAllLocks):
15873 (JSC::JSLock::grabAllLocks):
15874 * runtime/JSLock.h:
15875 (JSC::JSLock::hasExclusiveThread):
15876 (JSC::JSLock::exclusiveThread):
15877 * runtime/VM.cpp:
15878 (JSC::VM::VM):
15879 * runtime/VM.h:
15880 (JSC::VM::hasExclusiveThread):
15881 (JSC::VM::exclusiveThread):
15882 (JSC::VM::setExclusiveThread):
15883 (JSC::VM::currentThreadIsHoldingAPILock):
15884
15885 2014-02-25 Filip Pizlo <fpizlo@apple.com>
15886
15887 Inline caching in the FTL on ARM64 should "work"
15888 https://bugs.webkit.org/show_bug.cgi?id=129334
15889
15890 Reviewed by Mark Hahnenberg.
15891
15892 Gets us to the point where simple tests that use inline caching are passing.
15893
15894 * assembler/LinkBuffer.cpp:
15895 (JSC::LinkBuffer::copyCompactAndLinkCode):
15896 (JSC::LinkBuffer::shrink):
15897 * ftl/FTLInlineCacheSize.cpp:
15898 (JSC::FTL::sizeOfGetById):
15899 (JSC::FTL::sizeOfPutById):
15900 (JSC::FTL::sizeOfCall):
15901 * ftl/FTLOSRExitCompiler.cpp:
15902 (JSC::FTL::compileFTLOSRExit):
15903 * ftl/FTLThunks.cpp:
15904 (JSC::FTL::osrExitGenerationThunkGenerator):
15905 * jit/GPRInfo.h:
15906 * offlineasm/arm64.rb:
15907
15908 2014-02-25 Commit Queue <commit-queue@webkit.org>
15909
15910 Unreviewed, rolling out r164627.
15911 http://trac.webkit.org/changeset/164627
15912 https://bugs.webkit.org/show_bug.cgi?id=129325
15913
15914 Broke SubtleCrypto tests (Requested by ap on #webkit).
15915
15916 * API/APIShims.h:
15917 (JSC::APIEntryShim::APIEntryShim):
15918 (JSC::APICallbackShim::shouldDropAllLocks):
15919 * heap/MachineStackMarker.cpp:
15920 (JSC::MachineThreads::addCurrentThread):
15921 * runtime/JSLock.cpp:
15922 (JSC::JSLockHolder::JSLockHolder):
15923 (JSC::JSLockHolder::init):
15924 (JSC::JSLockHolder::~JSLockHolder):
15925 (JSC::JSLock::JSLock):
15926 (JSC::JSLock::lock):
15927 (JSC::JSLock::unlock):
15928 (JSC::JSLock::currentThreadIsHoldingLock):
15929 (JSC::JSLock::dropAllLocks):
15930 (JSC::JSLock::grabAllLocks):
15931 * runtime/JSLock.h:
15932 * runtime/VM.cpp:
15933 (JSC::VM::VM):
15934 * runtime/VM.h:
15935 (JSC::VM::currentThreadIsHoldingAPILock):
15936
15937 2014-02-25 Filip Pizlo <fpizlo@apple.com>
15938
15939 ARM64 rshift64 should be an arithmetic shift
15940 https://bugs.webkit.org/show_bug.cgi?id=129323
15941
15942 Reviewed by Mark Hahnenberg.
15943
15944 * assembler/MacroAssemblerARM64.h:
15945 (JSC::MacroAssemblerARM64::rshift64):
15946
15947 2014-02-25 Sergio Villar Senin <svillar@igalia.com>
15948
15949 [CSS Grid Layout] Add ENABLE flag
15950 https://bugs.webkit.org/show_bug.cgi?id=129153
15951
15952 Reviewed by Simon Fraser.
15953
15954 * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
15955
15956 2014-02-25 Michael Saboff <msaboff@apple.com>
15957
15958 JIT Engines use the wrong stack limit for stack checks
15959 https://bugs.webkit.org/show_bug.cgi?id=129314
15960
15961 Reviewed by Filip Pizlo.
15962
15963 Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
15964
15965 * dfg/DFGJITCompiler.cpp:
15966 (JSC::DFG::JITCompiler::compileFunction):
15967 * jit/JIT.cpp:
15968 (JSC::JIT::privateCompile):
15969 * jit/JITCall.cpp:
15970 (JSC::JIT::compileLoadVarargs):
15971 * jit/JITCall32_64.cpp:
15972 (JSC::JIT::compileLoadVarargs):
15973 * runtime/VM.h:
15974 (JSC::VM::addressOfStackLimit):
15975
15976 2014-02-25 Filip Pizlo <fpizlo@apple.com>
15977
15978 Unreviewed, roll out http://trac.webkit.org/changeset/164493.
15979
15980 It causes crashes, apparently because it's removing too many barriers. I will investigate
15981 later.
15982
15983 * bytecode/SpeculatedType.cpp:
15984 (JSC::speculationToAbbreviatedString):
15985 * bytecode/SpeculatedType.h:
15986 * dfg/DFGFixupPhase.cpp:
15987 (JSC::DFG::FixupPhase::fixupNode):
15988 (JSC::DFG::FixupPhase::insertStoreBarrier):
15989 * dfg/DFGNode.h:
15990 * ftl/FTLCapabilities.cpp:
15991 (JSC::FTL::canCompile):
15992 * ftl/FTLLowerDFGToLLVM.cpp:
15993 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
15994 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
15995 (JSC::FTL::LowerDFGToLLVM::isNotNully):
15996 (JSC::FTL::LowerDFGToLLVM::isNully):
15997 (JSC::FTL::LowerDFGToLLVM::speculate):
15998 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
15999 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
16000
16001 2014-02-24 Oliver Hunt <oliver@apple.com>
16002
16003 Fix build.
16004
16005 * jit/CCallHelpers.h:
16006 (JSC::CCallHelpers::setupArgumentsWithExecState):
16007
16008 2014-02-24 Oliver Hunt <oliver@apple.com>
16009
16010 Spread operator has a bad time when applied to call function
16011 https://bugs.webkit.org/show_bug.cgi?id=128853
16012
16013 Reviewed by Geoffrey Garen.
16014
16015 Follow on from the previous patch that added an extra slot to
16016 op_call_varargs (and _call, _call_eval, _construct). We now
16017 use the slot as an offset to in effect act as a 'slice' on
16018 the spread subject. This allows us to automatically retain
16019 all our existing argument and array optimisations. Most of
16020 this patch is simply threading the offset around.
16021
16022 * bytecode/CodeBlock.cpp:
16023 (JSC::CodeBlock::dumpBytecode):
16024 * bytecompiler/BytecodeGenerator.cpp:
16025 (JSC::BytecodeGenerator::emitCall):
16026 (JSC::BytecodeGenerator::emitCallVarargs):
16027 * bytecompiler/BytecodeGenerator.h:
16028 * bytecompiler/NodesCodegen.cpp:
16029 (JSC::getArgumentByVal):
16030 (JSC::CallFunctionCallDotNode::emitBytecode):
16031 (JSC::ApplyFunctionCallDotNode::emitBytecode):
16032 * interpreter/Interpreter.cpp:
16033 (JSC::sizeFrameForVarargs):
16034 (JSC::loadVarargs):
16035 * interpreter/Interpreter.h:
16036 * jit/CCallHelpers.h:
16037 (JSC::CCallHelpers::setupArgumentsWithExecState):
16038 * jit/JIT.h:
16039 * jit/JITCall.cpp:
16040 (JSC::JIT::compileLoadVarargs):
16041 * jit/JITInlines.h:
16042 (JSC::JIT::callOperation):
16043 * jit/JITOperations.cpp:
16044 * jit/JITOperations.h:
16045 * llint/LLIntSlowPaths.cpp:
16046 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
16047 * runtime/Arguments.cpp:
16048 (JSC::Arguments::copyToArguments):
16049 * runtime/Arguments.h:
16050 * runtime/JSArray.cpp:
16051 (JSC::JSArray::copyToArguments):
16052 * runtime/JSArray.h:
16053
16054 2014-02-24 Mark Lam <mark.lam@apple.com>
16055
16056 Need to initialize VM stack data even when the VM is on an exclusive thread.
16057 <https://webkit.org/b/129265>
16058
16059 Reviewed by Geoffrey Garen.
16060
16061 We check VM::exclusiveThread as an optimization to forego the need to do
16062 JSLock locking. However, we recently started piggybacking on JSLock's
16063 lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
16064 and lastStackTop) to appropriate values for the current thread. This is
16065 needed because we may be acquiring the lock to enter the VM on a different
16066 thread.
16067
16068 As a result, we ended up not initializing the VM stack data when
16069 VM::exclusiveThread causes us to bypass the locking activity. Even though
16070 the VM::exclusiveThread will not have to deal with the VM being entered
16071 on a different thread, it still needs to initialize the VM stack data.
16072 The VM relies on that data being initialized properly once it has been
16073 entered.
16074
16075 With this fix, we push the check for exclusiveThread down into the JSLock,
16076 and handle the bypassing of unneeded locking activity there while still
16077 executing the necessary VM stack data initialization.
16078
16079 * API/APIShims.h:
16080 (JSC::APIEntryShim::APIEntryShim):
16081 (JSC::APICallbackShim::shouldDropAllLocks):
16082 * heap/MachineStackMarker.cpp:
16083 (JSC::MachineThreads::addCurrentThread):
16084 * runtime/JSLock.cpp:
16085 (JSC::JSLockHolder::JSLockHolder):
16086 (JSC::JSLockHolder::init):
16087 (JSC::JSLockHolder::~JSLockHolder):
16088 (JSC::JSLock::JSLock):
16089 (JSC::JSLock::setExclusiveThread):
16090 (JSC::JSLock::lock):
16091 (JSLock::unlock):
16092 (JSLock::currentThreadIsHoldingLock):
16093 (JSLock::dropAllLocks):
16094 (JSLock::grabAllLocks):
16095 * runtime/JSLock.h:
16096 (JSC::JSLock::exclusiveThread):
16097 * runtime/VM.cpp:
16098 (JSC::VM::VM):
16099 * runtime/VM.h:
16100 (JSC::VM::exclusiveThread):
16101 (JSC::VM::setExclusiveThread):
16102 (JSC::VM::currentThreadIsHoldingAPILock):
16103
16104 2014-02-24 Filip Pizlo <fpizlo@apple.com>
16105
16106 FTL should do polymorphic PutById inlining
16107 https://bugs.webkit.org/show_bug.cgi?id=129210
16108
16109 Reviewed by Mark Hahnenberg and Oliver Hunt.
16110
16111 This makes PutByIdStatus inform us about polymorphic cases by returning an array of
16112 PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
16113 selection of multiple inlined PutByIdVariants.
16114
16115 MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
16116 http://trac.webkit.org/changeset/164207.
16117
16118 This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
16119 that generate similar code.
16120
16121 1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
16122 sometimes swaps field insertion order, creating fake polymorphism.
16123
16124 * CMakeLists.txt:
16125 * GNUmakefile.list.am:
16126 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
16127 * JavaScriptCore.xcodeproj/project.pbxproj:
16128 * bytecode/PutByIdStatus.cpp:
16129 (JSC::PutByIdStatus::computeFromLLInt):
16130 (JSC::PutByIdStatus::computeFor):
16131 (JSC::PutByIdStatus::computeForStubInfo):
16132 (JSC::PutByIdStatus::dump):
16133 * bytecode/PutByIdStatus.h:
16134 (JSC::PutByIdStatus::PutByIdStatus):
16135 (JSC::PutByIdStatus::isSimple):
16136 (JSC::PutByIdStatus::numVariants):
16137 (JSC::PutByIdStatus::variants):
16138 (JSC::PutByIdStatus::at):
16139 (JSC::PutByIdStatus::operator[]):
16140 * bytecode/PutByIdVariant.cpp: Added.
16141 (JSC::PutByIdVariant::dump):
16142 (JSC::PutByIdVariant::dumpInContext):
16143 * bytecode/PutByIdVariant.h: Added.
16144 (JSC::PutByIdVariant::PutByIdVariant):
16145 (JSC::PutByIdVariant::replace):
16146 (JSC::PutByIdVariant::transition):
16147 (JSC::PutByIdVariant::kind):
16148 (JSC::PutByIdVariant::isSet):
16149 (JSC::PutByIdVariant::operator!):
16150 (JSC::PutByIdVariant::structure):
16151 (JSC::PutByIdVariant::oldStructure):
16152 (JSC::PutByIdVariant::newStructure):
16153 (JSC::PutByIdVariant::structureChain):
16154 (JSC::PutByIdVariant::offset):
16155 * dfg/DFGAbstractInterpreterInlines.h:
16156 (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
16157 * dfg/DFGByteCodeParser.cpp:
16158 (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
16159 (JSC::DFG::ByteCodeParser::handleGetById):
16160 (JSC::DFG::ByteCodeParser::emitPutById):
16161 (JSC::DFG::ByteCodeParser::handlePutById):
16162 (JSC::DFG::ByteCodeParser::parseBlock):
16163 * dfg/DFGCSEPhase.cpp:
16164 (JSC::DFG::CSEPhase::checkStructureElimination):
16165 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
16166 (JSC::DFG::CSEPhase::putStructureStoreElimination):
16167 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
16168 (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
16169 * dfg/DFGClobberize.h:
16170 (JSC::DFG::clobberize):
16171 * dfg/DFGConstantFoldingPhase.cpp:
16172 (JSC::DFG::ConstantFoldingPhase::foldConstants):
16173 (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
16174 * dfg/DFGFixupPhase.cpp:
16175 (JSC::DFG::FixupPhase::fixupNode):
16176 * dfg/DFGGraph.cpp:
16177 (JSC::DFG::Graph::dump):
16178 * dfg/DFGGraph.h:
16179 * dfg/DFGNode.cpp:
16180 (JSC::DFG::MultiPutByOffsetData::writesStructures):
16181 (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
16182 * dfg/DFGNode.h:
16183 (JSC::DFG::Node::convertToPutByOffset):
16184 (JSC::DFG::Node::hasMultiPutByOffsetData):
16185 (JSC::DFG::Node::multiPutByOffsetData):
16186 * dfg/DFGNodeType.h:
16187 * dfg/DFGPredictionPropagationPhase.cpp:
16188 (JSC::DFG::PredictionPropagationPhase::propagate):
16189 * dfg/DFGSafeToExecute.h:
16190 (JSC::DFG::safeToExecute):
16191 * dfg/DFGSpeculativeJIT32_64.cpp:
16192 (JSC::DFG::SpeculativeJIT::compile):
16193 * dfg/DFGSpeculativeJIT64.cpp:
16194 (JSC::DFG::SpeculativeJIT::compile):
16195 * dfg/DFGTypeCheckHoistingPhase.cpp:
16196 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
16197 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
16198 * ftl/FTLCapabilities.cpp:
16199 (JSC::FTL::canCompile):
16200 * ftl/FTLLowerDFGToLLVM.cpp:
16201 (JSC::FTL::LowerDFGToLLVM::compileNode):
16202 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
16203 (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
16204 (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
16205 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
16206 (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
16207 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
16208 (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
16209 (JSC::FTL::LowerDFGToLLVM::loadProperty):
16210 (JSC::FTL::LowerDFGToLLVM::storeProperty):
16211 (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
16212 (JSC::FTL::LowerDFGToLLVM::storageForTransition):
16213 (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
16214 (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
16215 (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
16216 * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
16217 * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
16218 * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
16219
16220 2014-02-24 peavo@outlook.com <peavo@outlook.com>
16221
16222 JSC regressions after r164494
16223 https://bugs.webkit.org/show_bug.cgi?id=129272
16224
16225 Reviewed by Mark Lam.
16226
16227 * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
16228
16229 2014-02-24 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
16230
16231 Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
16232 https://bugs.webkit.org/show_bug.cgi?id=129255
16233
16234 Reviewed by Csaba Osztrogonác.
16235
16236 ENABLE_WORKERS macro was removed in r159679.
16237 Support is now also removed from xcconfig files.
16238
16239 * Configurations/FeatureDefines.xcconfig:
16240
16241 2014-02-24 David Kilzer <ddkilzer@apple.com>
16242
16243 Remove redundant setting in FeatureDefines.xcconfig
16244
16245 * Configurations/FeatureDefines.xcconfig:
16246
16247 2014-02-23 Sam Weinig <sam@webkit.org>
16248
16249 Update FeatureDefines.xcconfig
16250
16251 Rubber-stamped by Anders Carlsson.
16252
16253 * Configurations/FeatureDefines.xcconfig:
16254
16255 2014-02-23 Dean Jackson <dino@apple.com>
16256
16257 Sort the project file with sort-Xcode-project-file.
16258
16259 Rubber-stamped by Sam Weinig.
16260
16261 * JavaScriptCore.xcodeproj/project.pbxproj:
16262
16263 2014-02-23 Sam Weinig <sam@webkit.org>
16264
16265 Move telephone number detection behind its own ENABLE macro
16266 https://bugs.webkit.org/show_bug.cgi?id=129236
16267
16268 Reviewed by Dean Jackson.
16269
16270 * Configurations/FeatureDefines.xcconfig:
16271 Add ENABLE_TELEPHONE_NUMBER_DETECTION.
16272
16273 2014-02-22 Filip Pizlo <fpizlo@apple.com>
16274
16275 Refine DFG+FTL inlining and compilation limits
16276 https://bugs.webkit.org/show_bug.cgi?id=129212
16277
16278 Reviewed by Mark Hahnenberg.
16279
16280 Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
16281 and set that limit quite high. Institute a limit on inlining-into. The idea here is
16282 that large functions tend to be autogenerated, and code generators like emscripten
16283 appear to leave few inlining opportunities anyway. Also, we don't want the code
16284 size explosion that we would risk if we allowed compilation of a large function and
16285 then inlined a ton of stuff into it.
16286
16287 This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
16288 regression. This is a 9% speed-up on AsmBench.
16289
16290 * bytecode/CodeBlock.cpp:
16291 (JSC::CodeBlock::noticeIncomingCall):
16292 * dfg/DFGByteCodeParser.cpp:
16293 (JSC::DFG::ByteCodeParser::handleInlining):
16294 * dfg/DFGCapabilities.h:
16295 (JSC::DFG::isSmallEnoughToInlineCodeInto):
16296 * ftl/FTLCapabilities.cpp:
16297 (JSC::FTL::canCompile):
16298 * ftl/FTLState.h:
16299 (JSC::FTL::shouldShowDisassembly):
16300 * runtime/Options.h:
16301
16302 2014-02-22 Dan Bernstein <mitz@apple.com>
16303
16304 REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
16305 https://bugs.webkit.org/show_bug.cgi?id=129227
16306
16307 Reviewed by Eric Carlson.
16308
16309 Reverted r164507.
16310
16311 * API/JSBase.cpp:
16312 (JSEvaluateScript):
16313 (JSCheckScriptSyntax):
16314 * API/JSObjectRef.cpp:
16315 (JSObjectMakeFunction):
16316 (JSObjectMakeArray):
16317 (JSObjectMakeDate):
16318 (JSObjectMakeError):
16319 (JSObjectMakeRegExp):
16320 (JSObjectGetProperty):
16321 (JSObjectSetProperty):
16322 (JSObjectGetPropertyAtIndex):
16323 (JSObjectSetPropertyAtIndex):
16324 (JSObjectDeleteProperty):
16325 (JSObjectCallAsFunction):
16326 (JSObjectCallAsConstructor):
16327 * API/JSValue.mm:
16328 (valueToArray):
16329 (valueToDictionary):
16330 * API/JSValueRef.cpp:
16331 (JSValueIsEqual):
16332 (JSValueIsInstanceOfConstructor):
16333 (JSValueCreateJSONString):
16334 (JSValueToNumber):
16335 (JSValueToStringCopy):
16336 (JSValueToObject):
16337 * inspector/ConsoleMessage.cpp:
16338 (Inspector::ConsoleMessage::ConsoleMessage):
16339 (Inspector::ConsoleMessage::autogenerateMetadata):
16340 * inspector/ConsoleMessage.h:
16341 * inspector/JSGlobalObjectInspectorController.cpp:
16342 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
16343 * inspector/JSGlobalObjectInspectorController.h:
16344 * inspector/ScriptCallStack.cpp:
16345 * inspector/ScriptCallStack.h:
16346 * inspector/ScriptCallStackFactory.cpp:
16347 (Inspector::createScriptCallStack):
16348 (Inspector::createScriptCallStackForConsole):
16349 (Inspector::createScriptCallStackFromException):
16350 * inspector/ScriptCallStackFactory.h:
16351 * inspector/agents/InspectorConsoleAgent.cpp:
16352 (Inspector::InspectorConsoleAgent::enable):
16353 (Inspector::InspectorConsoleAgent::addMessageToConsole):
16354 (Inspector::InspectorConsoleAgent::count):
16355 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
16356 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
16357
16358 2014-02-22 Joseph Pecoraro <pecoraro@apple.com>
16359
16360 Remove some unreachable code (-Wunreachable-code)
16361 https://bugs.webkit.org/show_bug.cgi?id=129220
16362
16363 Reviewed by Eric Carlson.
16364
16365 * API/tests/testapi.c:
16366 (EvilExceptionObject_convertToType):
16367 * disassembler/udis86/udis86_decode.c:
16368 (decode_operand):
16369
16370 2014-02-22 Filip Pizlo <fpizlo@apple.com>
16371
16372 Unreviewed, ARMv7 build fix.
16373
16374 * assembler/ARMv7Assembler.h:
16375
16376 2014-02-21 Filip Pizlo <fpizlo@apple.com>
16377
16378 It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
16379 https://bugs.webkit.org/show_bug.cgi?id=124733
16380
16381 Reviewed by Oliver Hunt.
16382
16383 This also takes the opportunity to de-duplicate some branch compaction code.
16384
16385 * assembler/ARM64Assembler.h:
16386 * assembler/ARMv7Assembler.h:
16387 (JSC::ARMv7Assembler::buffer):
16388 * assembler/AssemblerBuffer.h:
16389 (JSC::AssemblerData::AssemblerData):
16390 (JSC::AssemblerBuffer::AssemblerBuffer):
16391 (JSC::AssemblerBuffer::storage):
16392 (JSC::AssemblerBuffer::grow):
16393 * assembler/LinkBuffer.h:
16394 (JSC::LinkBuffer::LinkBuffer):
16395 (JSC::LinkBuffer::executableOffsetFor):
16396 (JSC::LinkBuffer::applyOffset):
16397 * assembler/MacroAssemblerARM64.h:
16398 (JSC::MacroAssemblerARM64::link):
16399 * assembler/MacroAssemblerARMv7.h:
16400
16401 2014-02-21 Brent Fulgham <bfulgham@apple.com>
16402
16403 Extend media support for WebVTT sources
16404 https://bugs.webkit.org/show_bug.cgi?id=129156
16405
16406 Reviewed by Eric Carlson.
16407
16408 * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
16409
16410 2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
16411
16412 Web Inspector: JSContext inspection should report exceptions in the console
16413 https://bugs.webkit.org/show_bug.cgi?id=128776
16414
16415 Reviewed by Timothy Hatcher.
16416
16417 When JavaScript API functions have an exception, let the inspector
16418 know so it can log the JavaScript and Native backtrace that caused
16419 the exception.
16420
16421 Include some cleanup of ConsoleMessage and ScriptCallStack construction.
16422
16423 * API/JSBase.cpp:
16424 (JSEvaluateScript):
16425 (JSCheckScriptSyntax):
16426 * API/JSObjectRef.cpp:
16427 (JSObjectMakeFunction):
16428 (JSObjectMakeArray):
16429 (JSObjectMakeDate):
16430 (JSObjectMakeError):
16431 (JSObjectMakeRegExp):
16432 (JSObjectGetProperty):
16433 (JSObjectSetProperty):
16434 (JSObjectGetPropertyAtIndex):
16435 (JSObjectSetPropertyAtIndex):
16436 (JSObjectDeleteProperty):
16437 (JSObjectCallAsFunction):
16438 (JSObjectCallAsConstructor):
16439 * API/JSValue.mm:
16440 (reportExceptionToInspector):
16441 (valueToArray):
16442 (valueToDictionary):
16443 * API/JSValueRef.cpp:
16444 (JSValueIsEqual):
16445 (JSValueIsInstanceOfConstructor):
16446 (JSValueCreateJSONString):
16447 (JSValueToNumber):
16448 (JSValueToStringCopy):
16449 (JSValueToObject):
16450 When seeing an exception, let the inspector know there was an exception.
16451
16452 * inspector/JSGlobalObjectInspectorController.h:
16453 * inspector/JSGlobalObjectInspectorController.cpp:
16454 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
16455 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
16456 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
16457 Log API exceptions by also grabbing the native backtrace.
16458
16459 * inspector/ScriptCallStack.h:
16460 * inspector/ScriptCallStack.cpp:
16461 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
16462 (Inspector::ScriptCallStack::append):
16463 Minor extensions to ScriptCallStack to make it easier to work with.
16464
16465 * inspector/ConsoleMessage.cpp:
16466 (Inspector::ConsoleMessage::ConsoleMessage):
16467 (Inspector::ConsoleMessage::autogenerateMetadata):
16468 Provide better default information if the first call frame was native.
16469
16470 * inspector/ScriptCallStackFactory.cpp:
16471 (Inspector::createScriptCallStack):
16472 (Inspector::extractSourceInformationFromException):
16473 (Inspector::createScriptCallStackFromException):
16474 Perform the handling here of inserting a fake call frame for exceptions
16475 if there was no call stack (e.g. a SyntaxError) or if the first call
16476 frame had no information.
16477
16478 * inspector/ConsoleMessage.cpp:
16479 (Inspector::ConsoleMessage::ConsoleMessage):
16480 (Inspector::ConsoleMessage::autogenerateMetadata):
16481 * inspector/ConsoleMessage.h:
16482 * inspector/ScriptCallStackFactory.cpp:
16483 (Inspector::createScriptCallStack):
16484 (Inspector::createScriptCallStackForConsole):
16485 * inspector/ScriptCallStackFactory.h:
16486 * inspector/agents/InspectorConsoleAgent.cpp:
16487 (Inspector::InspectorConsoleAgent::enable):
16488 (Inspector::InspectorConsoleAgent::addMessageToConsole):
16489 (Inspector::InspectorConsoleAgent::count):
16490 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
16491 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
16492 ConsoleMessage cleanup.
16493
16494 2014-02-21 Oliver Hunt <oliver@apple.com>
16495
16496 Add extra space to op_call and related opcodes
16497 https://bugs.webkit.org/show_bug.cgi?id=129170
16498
16499 Reviewed by Mark Lam.
16500
16501 No change in behaviour, just some refactoring to add an extra
16502 slot to the op_call instructions, and refactoring to make similar
16503 changes easier in future.
16504
16505 * bytecode/CodeBlock.cpp:
16506 (JSC::CodeBlock::printCallOp):
16507 * bytecode/Opcode.h:
16508 (JSC::padOpcodeName):
16509 * bytecompiler/BytecodeGenerator.cpp:
16510 (JSC::BytecodeGenerator::emitCall):
16511 (JSC::BytecodeGenerator::emitCallVarargs):
16512 (JSC::BytecodeGenerator::emitConstruct):
16513 * dfg/DFGByteCodeParser.cpp:
16514 (JSC::DFG::ByteCodeParser::handleIntrinsic):
16515 * jit/JITCall.cpp:
16516 (JSC::JIT::compileOpCall):
16517 * jit/JITCall32_64.cpp:
16518 (JSC::JIT::compileOpCall):
16519 * llint/LowLevelInterpreter.asm:
16520 * llint/LowLevelInterpreter32_64.asm:
16521 * llint/LowLevelInterpreter64.asm:
16522
16523 2014-02-21 Mark Lam <mark.lam@apple.com>
16524
16525 gatherFromOtherThread() needs to align the sp before gathering roots.
16526 <https://webkit.org/b/129169>
16527
16528 Reviewed by Geoffrey Garen.
16529
16530 The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
16531 gatherFromOtherThread() defines the range of the other thread's stack as
16532 being bounded by the other thread's stack pointer and stack base. While
16533 the stack base will always be aligned to sizeof(void*), the stack pointer
16534 may not be. This is because the other thread may have just pushed a 32-bit
16535 value on its stack before we suspended it for scanning.
16536
16537 The fix is to round the stack pointer up to the next aligned address of
16538 sizeof(void*) and start scanning from there. On 64-bit systems, we will
16539 effectively ignore the 32-bit word at the bottom of the stack (top of the
16540 stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
16541 64-bit pointers should always be stored on 64-bit aligned boundaries (our
16542 conservative scan algorithm already depends on this assumption).
16543
16544 On 32-bit systems, the rounding is effectively a no-op.
16545
16546 * heap/ConservativeRoots.cpp:
16547 (JSC::ConservativeRoots::genericAddSpan):
16548 - Hardened some assertions so that we can catch misalignment issues on
16549 release builds as well.
16550 * heap/MachineStackMarker.cpp:
16551 (JSC::MachineThreads::gatherFromOtherThread):
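
Added illustration (not code from this ChangeLog or from JavaScriptCore's MachineStackMarker): a small C model of the alignment fix described in the entry above. It rounds a suspended thread's stack pointer up to the next sizeof(void*) boundary before a conservative word scan, and refuses to scan a misaligned range, which is the role the hardened assertions in genericAddSpan play. The function names, the fake heap range and the 8-word stack layout are constructed for the example and are not JSC's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Round an address up to the next multiple of `alignment` (a power of two).
 * This is the rounding the entry describes: a suspended thread's sp may sit
 * 4 bytes into a word, so scanning starts at the next sizeof(void*) boundary. */
static uintptr_t round_up_to_alignment(uintptr_t address, size_t alignment)
{
    return (address + alignment - 1) & ~((uintptr_t)alignment - 1);
}

/* Conservative scan of [begin, end): count aligned words whose value falls
 * inside the fake heap range [heap_begin, heap_end). Returns -1 instead of
 * scanning when either bound is misaligned; this models the hardened
 * assertion as an error return so the check survives in release builds. */
static int count_heap_pointers(const void* begin, const void* end,
                               uintptr_t heap_begin, uintptr_t heap_end)
{
    uintptr_t b = (uintptr_t)begin, e = (uintptr_t)end;
    if (b % sizeof(void*) != 0 || e % sizeof(void*) != 0 || b > e)
        return -1;
    int count = 0;
    for (uintptr_t p = b; p < e; p += sizeof(void*)) {
        uintptr_t candidate;
        memcpy(&candidate, (const void*)p, sizeof candidate);
        if (candidate >= heap_begin && candidate < heap_end)
            count++;
    }
    return count;
}

/* Scan a suspended thread's stack (growing down, so the live range is
 * [sp, base)) after rounding sp up, as the fixed gatherFromOtherThread does. */
static int scan_suspended_stack(const void* sp, const void* base,
                                uintptr_t heap_begin, uintptr_t heap_end)
{
    uintptr_t aligned_sp = round_up_to_alignment((uintptr_t)sp, sizeof(void*));
    return count_heap_pointers((const void*)aligned_sp, base, heap_begin, heap_end);
}

/* Constructed fake heap: any word pointing into this array counts as a root. */
static uintptr_t fake_heap[64];

/* Constructed scenario: an 8-word "stack" whose sp sits 4 bytes into word 0,
 * as if the thread had just pushed a 32-bit value before being suspended. */
static int demo_scan(void)
{
    uintptr_t heap_begin = (uintptr_t)fake_heap;
    uintptr_t heap_end = heap_begin + sizeof fake_heap;
    uintptr_t stack[8];
    memset(stack, 0, sizeof stack);
    stack[0] = heap_begin;       /* straddles the misaligned sp; skipped after rounding */
    stack[3] = heap_begin + 16;  /* looks like a heap pointer */
    stack[5] = heap_begin + 32;  /* looks like a heap pointer */
    stack[6] = 0x1234;           /* an integer, not a pointer */
    const char* sp = (const char*)stack + 4;
    return scan_suspended_stack(sp, &stack[8], heap_begin, heap_end);  /* 2 */
}

/* Scanning straight from a misaligned sp is refused rather than reading
 * words that straddle the real word boundaries. */
static int demo_misaligned_rejected(void)
{
    uintptr_t stack[4] = { 0, 0, 0, 0 };
    return count_heap_pointers((const char*)stack + 1, &stack[4], 0, 1);  /* -1 */
}

int main(void)
{
    printf("roots found after rounding sp: %d\n", demo_scan());
    printf("scan from misaligned sp: %d\n", demo_misaligned_rejected());
    return 0;
}
```

On a 64-bit build the 32-bit word below the rounded sp is never examined, which is safe because an 8-byte pointer cannot be stored at a 4-byte-misaligned address; on a 32-bit build the rounding leaves sp unchanged, matching the entry's "effectively a no-op".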
16552
16553 2014-02-21 Matthew Mirman <mmirman@apple.com>
16554
16555 Added a GetMyArgumentsLengthSafe and added a speculation check.
16556 https://bugs.webkit.org/show_bug.cgi?id=129051
16557
16558 Reviewed by Filip Pizlo.
16559
16560 * ftl/FTLLowerDFGToLLVM.cpp:
16561 (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
16562
16563 2014-02-21 peavo@outlook.com <peavo@outlook.com>
16564
16565 [Win][LLINT] Many JSC stress test failures.
16566 https://bugs.webkit.org/show_bug.cgi?id=129155
16567
16568 Reviewed by Michael Saboff.
16569
16570 Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
16571 Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
16572 E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
16573
16574 * offlineasm/x86.rb: Swap operand order on Windows.
16575
16576 2014-02-21 Filip Pizlo <fpizlo@apple.com>
16577
16578 DFG write barriers should do more speculations
16579 https://bugs.webkit.org/show_bug.cgi?id=129160
16580
16581 Reviewed by Mark Hahnenberg.
16582
16583 Replace ConditionalStoreBarrier with the cheapest speculation that you could do
16584 instead.
16585
16586 Minuscule speed-up on some things. It's a decent difference in code size, though.
16587
16588 * bytecode/SpeculatedType.cpp:
16589 (JSC::speculationToAbbreviatedString):
16590 * bytecode/SpeculatedType.h:
16591 (JSC::isNotCellSpeculation):
16592 * dfg/DFGFixupPhase.cpp:
16593 (JSC::DFG::FixupPhase::fixupNode):
16594 (JSC::DFG::FixupPhase::insertStoreBarrier):
16595 (JSC::DFG::FixupPhase::insertPhantomCheck):
16596 * dfg/DFGNode.h:
16597 (JSC::DFG::Node::shouldSpeculateOther):
16598 (JSC::DFG::Node::shouldSpeculateNotCell):
16599 * ftl/FTLCapabilities.cpp:
16600 (JSC::FTL::canCompile):
16601 * ftl/FTLLowerDFGToLLVM.cpp:
16602 (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
16603 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
16604 (JSC::FTL::LowerDFGToLLVM::isNotOther):
16605 (JSC::FTL::LowerDFGToLLVM::isOther):
16606 (JSC::FTL::LowerDFGToLLVM::speculate):
16607 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
16608 (JSC::FTL::LowerDFGToLLVM::speculateOther):
16609 (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
16610
16611 2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
16612
16613 Revert r164486, causing a number of test failures.
16614
16615 Unreviewed rollout.
16616
16617 2014-02-21 Filip Pizlo <fpizlo@apple.com>
16618
16619 Revive SABI (aka shouldAlwaysBeInlined)
16620 https://bugs.webkit.org/show_bug.cgi?id=129159
16621
16622 Reviewed by Mark Hahnenberg.
16623
16624 This is a small Octane speed-up.
16625
16626 * jit/Repatch.cpp:
16627 (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
16628
16629 2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
16630
16631 Web Inspector: JSContext inspection should report exceptions in the console
16632 https://bugs.webkit.org/show_bug.cgi?id=128776
16633
16634 Reviewed by Timothy Hatcher.
16635
16636 When JavaScript API functions have an exception, let the inspector
16637 know so it can log the JavaScript and Native backtrace that caused
16638 the exception.
16639
16640 Include some cleanup of ConsoleMessage and ScriptCallStack construction.
16641
16642 * API/JSBase.cpp:
16643 (JSEvaluateScript):
16644 (JSCheckScriptSyntax):
16645 * API/JSObjectRef.cpp:
16646 (JSObjectMakeFunction):
16647 (JSObjectMakeArray):
16648 (JSObjectMakeDate):
16649 (JSObjectMakeError):
16650 (JSObjectMakeRegExp):
16651 (JSObjectGetProperty):
16652 (JSObjectSetProperty):
16653 (JSObjectGetPropertyAtIndex):
16654 (JSObjectSetPropertyAtIndex):
16655 (JSObjectDeleteProperty):
16656 (JSObjectCallAsFunction):
16657 (JSObjectCallAsConstructor):
16658 * API/JSValue.mm:
16659 (reportExceptionToInspector):
16660 (valueToArray):
16661 (valueToDictionary):
16662 * API/JSValueRef.cpp:
16663 (JSValueIsEqual):
16664 (JSValueIsInstanceOfConstructor):
16665 (JSValueCreateJSONString):
16666 (JSValueToNumber):
16667 (JSValueToStringCopy):
16668 (JSValueToObject):
16669 When seeing an exception, let the inspector know there was an exception.
16670
16671 * inspector/JSGlobalObjectInspectorController.h:
16672 * inspector/JSGlobalObjectInspectorController.cpp:
16673 (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
16674 (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
16675 (Inspector::JSGlobalObjectInspectorController::reportAPIException):
16676 Log API exceptions by also grabbing the native backtrace.
16677
16678 * inspector/ScriptCallStack.h:
16679 * inspector/ScriptCallStack.cpp:
16680 (Inspector::ScriptCallStack::firstNonNativeCallFrame):
16681 (Inspector::ScriptCallStack::append):
16682 Minor extensions to ScriptCallStack to make it easier to work with.
16683
16684 * inspector/ConsoleMessage.cpp:
16685 (Inspector::ConsoleMessage::ConsoleMessage):
16686 (Inspector::ConsoleMessage::autogenerateMetadata):
16687 Provide better default information if the first call frame was native.
16688
16689 * inspector/ScriptCallStackFactory.cpp:
16690 (Inspector::createScriptCallStack):
16691 (Inspector::extractSourceInformationFromException):
16692 (Inspector::createScriptCallStackFromException):
16693 Perform the handling here of inserting a fake call frame for exceptions
16694 if there was no call stack (e.g. a SyntaxError) or if the first call
16695 frame had no information.
16696
16697 * inspector/ConsoleMessage.cpp:
16698 (Inspector::ConsoleMessage::ConsoleMessage):
16699 (Inspector::ConsoleMessage::autogenerateMetadata):
16700 * inspector/ConsoleMessage.h:
16701 * inspector/ScriptCallStackFactory.cpp:
16702 (Inspector::createScriptCallStack):
16703 (Inspector::createScriptCallStackForConsole):
16704 * inspector/ScriptCallStackFactory.h:
16705 * inspector/agents/InspectorConsoleAgent.cpp:
16706 (Inspector::InspectorConsoleAgent::enable):
16707 (Inspector::InspectorConsoleAgent::addMessageToConsole):
16708 (Inspector::InspectorConsoleAgent::count):
16709 * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
16710 (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
16711 ConsoleMessage cleanup.
16712
16713 2014-02-20 Anders Carlsson <andersca@apple.com>
16714
16715 Modernize JSGlobalLock and JSLockHolder
16716 https://bugs.webkit.org/show_bug.cgi?id=129105
16717
16718 Reviewed by Michael Saboff.
16719
16720 Use std::mutex and std::thread::id where possible.
16721
16722 * runtime/JSLock.cpp:
16723 (JSC::GlobalJSLock::GlobalJSLock):
16724 (JSC::GlobalJSLock::~GlobalJSLock):
16725 (JSC::GlobalJSLock::initialize):
16726 (JSC::JSLock::JSLock):
16727 (JSC::JSLock::lock):
16728 (JSC::JSLock::unlock):
16729 (JSC::JSLock::currentThreadIsHoldingLock):
16730 * runtime/JSLock.h:
16731
16732 2014-02-20 Mark Lam <mark.lam@apple.com>
16733
16734 virtualForWithFunction() should not throw an exception with a partially initialized frame.
16735 <https://webkit.org/b/129134>
16736
16737 Reviewed by Michael Saboff.
16738
16739 Currently, when JITOperations.cpp's virtualForWithFunction() fails to
16740 prepare the callee function for execution, it proceeds to throw the
16741 exception using the callee frame which is only partially initialized
16742 thus far. Instead, it should be throwing the exception using the caller
16743 frame because:
16744 1. the error happened "in" the caller while preparing the callee for
16745 execution, i.e. the caller frame is the top fully initialized frame
16746 on the stack.
16747 2. the callee frame is not fully initialized yet, and the unwind
16748 mechanism cannot depend on the data in it.
16749
16750 * jit/JITOperations.cpp:
16751
16752 2014-02-20 Mark Lam <mark.lam@apple.com>
16753
16754 DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
16755 <https://webkit.org/b/129131>
16756
16757 Reviewed by Mark Hahnenberg.
16758
16759 Currently, DefaultGCActivityCallback::doWork() does not check if the GC
16760 needs to be deferred before commencing. As a result, the GC may crash
16761 and/or corrupt data because the VM is not in the consistent state needed
16762 for the GC to run. With this fix, doWork() now checks if the GC is
16763 supposed to be deferred and re-schedules if needed. It only commences
16764 with GC'ing when it's safe to do so.
16765
16766 * runtime/GCActivityCallback.cpp:
16767 (JSC::DefaultGCActivityCallback::doWork):
16768
16769 2014-02-20 Geoffrey Garen <ggaren@apple.com>
16770
16771 Math.imul gives wrong results
16772 https://bugs.webkit.org/show_bug.cgi?id=126345
16773
16774 Reviewed by Mark Hahnenberg.
16775
16776 Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
16777 Instead, take a slow path that will do the right thing.
16778
16779 * jit/ThunkGenerators.cpp:
16780 (JSC::imulThunkGenerator):
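
Added illustration (not code from this ChangeLog or from JavaScriptCore's imul thunk): a C implementation of the ECMAScript ToInt32 conversion the entry refers to, computed from the double's IEEE-754 bit pattern so that values far outside the int32 range are reduced modulo 2^32 exactly, with Math.imul built on top of it. The function `imul_truncating_non_ints_to_zero` is a model of the pre-fix behaviour the entry describes (a non-integer double treated as 0), written from the ChangeLog text; it and the other names are assumptions, not JSC's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret a value in [0, 2^32) as a two's-complement int32 without
 * relying on implementation-defined narrowing casts. */
static int32_t wrap_to_int32(uint32_t value)
{
    return value >= 0x80000000u ? (int32_t)(value - 0x80000000u) + INT32_MIN
                                : (int32_t)value;
}

/* ECMAScript ToInt32: NaN and +/-Infinity become 0; otherwise truncate toward
 * zero, reduce modulo 2^32 and reinterpret as signed. Worked from the bit
 * pattern because a plain C cast of an out-of-range double is undefined. */
static int32_t to_int32(double number)
{
    uint64_t bits;
    memcpy(&bits, &number, sizeof bits);
    unsigned biased_exponent = (unsigned)((bits >> 52) & 0x7ff);
    if (biased_exponent == 0x7ff) return 0;   /* NaN or Infinity */
    if (biased_exponent == 0) return 0;       /* +/-0 and subnormals: |x| < 1 */

    /* |number| = mantissa * 2^exponent, with mantissa a 53-bit integer. */
    uint64_t mantissa = (bits & ((1ULL << 52) - 1)) | (1ULL << 52);
    int exponent = (int)biased_exponent - 1075;

    uint32_t magnitude;
    if (exponent >= 32)
        magnitude = 0;                                  /* a multiple of 2^32 */
    else if (exponent >= 0)
        magnitude = (uint32_t)(mantissa << exponent);   /* low 32 bits survive the shift */
    else if (exponent > -53)
        magnitude = (uint32_t)(mantissa >> -exponent);  /* floor(|x|) mod 2^32 */
    else
        magnitude = 0;                                  /* |x| < 1 */

    if (bits >> 63)
        magnitude = 0u - magnitude;   /* negative input: -|x| mod 2^32 */
    return wrap_to_int32(magnitude);
}

/* Math.imul: multiply ToInt32(a) and ToInt32(b), wrapping modulo 2^32. */
static int32_t js_math_imul(double a, double b)
{
    uint32_t product = (uint32_t)to_int32(a) * (uint32_t)to_int32(b);
    return wrap_to_int32(product);
}

/* Model of the pre-fix mistake (assumption based on the entry's wording):
 * an operand that is not already an in-range integer was treated as 0
 * instead of going through ToInt32, so Math.imul(2.5, 3) gave 0, not 6. */
static int32_t int_or_zero(double x)
{
    return (x >= -2147483648.0 && x <= 2147483647.0 && x == (double)(int32_t)x)
               ? (int32_t)x : 0;
}

static int32_t imul_truncating_non_ints_to_zero(double a, double b)
{
    return wrap_to_int32((uint32_t)int_or_zero(a) * (uint32_t)int_or_zero(b));
}

int main(void)
{
    printf("ToInt32(2.5) = %d, ToInt32(1e20) = %d\n",
           (int)to_int32(2.5), (int)to_int32(1e20));
    printf("Math.imul(2.5, 3) = %d (pre-fix model: %d)\n",
           (int)js_math_imul(2.5, 3), (int)imul_truncating_non_ints_to_zero(2.5, 3));
    printf("Math.imul(0xffffffff, 5) = %d\n", (int)js_math_imul(4294967295.0, 5));
    return 0;
}
```

The 1e20 case is the kind of input a fast path cannot shortcut: it is an integer but far outside int32, and ToInt32 must still take it modulo 2^32 (giving 1661992960) rather than clamping or zeroing it.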
16781
16782 2014-02-20 Filip Pizlo <fpizlo@apple.com>
16783
16784 DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
16785 https://bugs.webkit.org/show_bug.cgi?id=129129
16786
16787 Reviewed by Geoffrey Garen.
16788
16789 We estimate execution counts based on loop depth, and then use those to estimate branch
16790 weights. These weights then get carried all the way down to LLVM prof branch_weights
16791 meta-data.
16792
16793 This is better than letting LLVM do its own static estimates, since by the time we
16794 generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
16795 course, it would be even better if we just slurped in some kind of execution counts
16796 from profiling, but we don't do that, yet.
16797
16798 * CMakeLists.txt:
16799 * GNUmakefile.list.am:
16800 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
16801 * JavaScriptCore.xcodeproj/project.pbxproj:
16802 * dfg/DFGBasicBlock.cpp:
16803 (JSC::DFG::BasicBlock::BasicBlock):
16804 * dfg/DFGBasicBlock.h:
16805 * dfg/DFGBlockInsertionSet.cpp:
16806 (JSC::DFG::BlockInsertionSet::insert):
16807 (JSC::DFG::BlockInsertionSet::insertBefore):
16808 * dfg/DFGBlockInsertionSet.h:
16809 * dfg/DFGByteCodeParser.cpp:
16810 (JSC::DFG::ByteCodeParser::handleInlining):
16811 (JSC::DFG::ByteCodeParser::parseCodeBlock):
16812 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
16813 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
16814 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
16815 (JSC::DFG::createPreHeader):
16816 * dfg/DFGNaturalLoops.h:
16817 (JSC::DFG::NaturalLoops::loopDepth):
16818 * dfg/DFGOSREntrypointCreationPhase.cpp:
16819 (JSC::DFG::OSREntrypointCreationPhase::run):
16820 * dfg/DFGPlan.cpp:
16821 (JSC::DFG::Plan::compileInThreadImpl):
16822 * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
16823 (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
16824 (JSC::DFG::StaticExecutionCountEstimationPhase::run):
16825 (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
16826 (JSC::DFG::performStaticExecutionCountEstimation):
16827 * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
16828
16829 2014-02-20 Filip Pizlo <fpizlo@apple.com>
16830
16831 FTL may not see a compact_unwind section if there weren't any stackmaps
16832 https://bugs.webkit.org/show_bug.cgi?id=129125
16833
16834 Reviewed by Geoffrey Garen.
16835
16836 It's OK to not have an unwind section, so long as the function also doesn't have any
16837 OSR exits.
16838
16839 * ftl/FTLCompile.cpp:
16840 (JSC::FTL::fixFunctionBasedOnStackMaps):
16841 (JSC::FTL::compile):
16842 * ftl/FTLUnwindInfo.cpp:
16843 (JSC::FTL::UnwindInfo::parse):
16844 * ftl/FTLUnwindInfo.h:
16845
16846 == Rolled over to ChangeLog-2014-02-20 ==